[Samba] samba 2.2.8 + ldap with samba3.0 schema
Hi, is it safe to run samba 2.2.x with an ldap server that has the samba3 schema?

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] gpedit.msc as centralized policy for 2k/xp clients in domain
I found this from http://charon.minilab.bdeb.qc.ca/anonym/nt/2000/ads/TTGW2KGP_Vol1through4.pdf

I would like to figure out how to do this gpedit.msc+AD+gpc+gpt magic for win2k/xp with linux+samba(2.2/3.0/tng)+openldap and is it possible at all? Thanks.

Although GPOs provide significantly more policy features than NT 4.0 System Policy provides, GPOs are stored and processed differently than NT 4.0 System Policy is. In NT 4.0, the System Policy file (often called ntconfig.pol) is stored in the Netlogon share on domain controllers within an NT 4.0 domain. When an NT 4.0 user logs onto a workstation in an NT 4.0 domain, the system reads the System Policy file from the Netlogon share, then sets registry values that are specific to a computer, user, or user group according to the policy file. NT 4.0 allows only a single policy file to be processed at a given time. NT 4.0 System Policy could apply to a specific computer (or all computers), a specific user (or all users), or an NT 4.0 domain global group.

In contrast, GPOs are composed of two parts: the Group Policy Container (GPC), which is stored within Active Directory (AD), and the Group Policy Template (GPT), which is stored within the replicated SYSVOL folder on all AD domain controllers in a domain. Whereas System Policy is processed only when a user logs onto an NT 4.0 workstation, GPOs are processed at both machine startup (at which point machine-specific policy is processed) and user logon (at which point user-specific policy is processed).

Again, in contrast to System Policies, you can define a virtually unlimited number of GPOs within an AD domain (though practically speaking, large numbers of GPOs will take a long time to process). And, whereas System Policies apply to individual users, individual computers, and NT security groups, GPOs are processed only by AD users and computers. However, AD security groups composed of either machines or users can filter GPOs' effects. This filtering capability, in conjunction with the ability to have multiple GPOs processed by a given user or computer, can provide much greater policy flexibility than is available in NT 4.0. Figure 1.2 shows an example of how you can use security groups to filter the effects of a GPO.
[Samba] NT sends empty username to 3.0a21
Hi,

I have samba 3.0a21 running and NT 4.0 WS clients. All workstations were previously in a Samba 2.2 domain, so now I upgraded to samba 3.0a22 and just changed the domain name (workstation = XXX) and rejoined workstations by changing the domain name in every WS. Looking at the log, it seems like NT WS sends an empty username?

*** ldapsam_search_one_user: searching for:[((uid=)(objectclass=sambaAccount))]
*** check_password: Authentication for user [] - [] FAILED with error NT_STATUS_NO_SUCH_USER

Joining the domain is OK. Also, when I log into the WS locally and then map some share with my username/pwd, it works OK. But logging in with the same username fails.

The most bizarre thing is that I was testing samba30a21+ldap+pam_ldap+nss_ldap last week in my home and NT 4.0 WS logging worked.. So probably it's not Samba's fault. But I'm completely out of ideas, can anyone help?

P.S. I put the level 10 log at the end, hoping that helps..

== log.klass13 ==
[2003/03/08 15:21:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/03/08 15:21:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/03/08 15:21:43, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/03/08 15:21:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/03/08 15:21:43, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching for:[((uid=)(objectclass=sambaAccount))]
[2003/03/08 15:21:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/03/08 15:21:43, 3] auth/auth_sam.c:check_sam_security(391)
  Couldn't find user '' in passdb file.
[2003/03/08 15:21:43, 2] auth/auth.c:check_ntlm_password(273)
  check_password: Authentication for user [] - [] FAILED with error NT_STATUS_NO_SUCH_USER
[2003/03/08 15:21:43, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(829) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2003/03/08 15:21:43, 3] smbd/process.c:timeout_processing(1073)
  end of file from client
[2003/03/08 15:21:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/03/08 15:21:43, 2] smbd/server.c:exit_server(534)
  Closing connections
[2003/03/08 15:21:43, 3] smbd/connection.c:yield_connection(61)
  Yielding connection to
[2003/03/08 15:21:43, 3] smbd/server.c:exit_server(574)
  Server exit (normal exit)

LEVEL 10 LOG:
[2003/03/08 15:34:43, 10] lib/util.c:dump_data(1761)
  [000] 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 .PC NETW ORK PROG
  [010] 52 41 4D 20 31 2E 30 00 02 58 45 4E 49 58 20 43 RAM 1.0. .XENIX C
  [020] 4F 52 45 00 02 4D 49 43 52 4F 53 4F 46 54 20 4E ORE..MIC ROSOFT N
  [030] 45 54 57 4F 52 4B 53 20 31 2E 30 33 00 02 4C 41 ETWORKS 1.03..LA
  [040] 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 NMAN1.0. .Windows
  [050] 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20 for Wor kgroups
  [060] 33 2E 31 61 00 02 4C 4D 31 2E 32 58 30 30 32 00 3.1a..LM 1.2X002.
  [070] 02 4C 41 4E 4D 41 4E 32 2E 31 00 02 4E 54 20 4C .LANMAN2 .1..NT L
  [080] 4D 20 30 2E 31 32 00 M 0.12.
[2003/03/08 15:34:43, 3] smbd/process.c:switch_message(676)
  switch message SMBnegprot (pid 5262)
[2003/03/08 15:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/03/08 15:34:43, 5] auth/auth_util.c:debug_nt_user_token(481)
  NT user token: (NULL)
[2003/03/08 15:34:43, 5] auth/auth_util.c:debug_unix_user_token(500)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/03/08 15:34:43, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2003/03/08 15:34:43, 3] smbd/negprot.c:reply_negprot(427)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2003/03/08 15:34:43, 3] smbd/negprot.c:reply_negprot(427)
  Requested protocol [XENIX CORE]
[2003/03/08 15:34:43, 3] smbd/negprot.c:reply_negprot(427)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2003/03/08 15:34:43, 3] smbd/negprot.c:reply_negprot(427)
  Requested protocol [LANMAN1.0]
[2003/03/08 15:34:43, 3] smbd/negprot.c:reply_negprot(427)
  Requested protocol [Windows for Workgroups 3.1a]
[2003/03/08 15:34:43, 3] smbd/negprot.c:reply_negprot(427)
  Requested protocol [LM1.2X002]
[2003/03/08 15:34:43, 3] smbd/negprot.c:reply_negprot(427)
  Requested protocol [LANMAN2.1]
[2003/03/08 15:34:43, 3] smbd/negprot.c:reply_negprot(427)
  Requested protocol [NT LM 0.12]
[2003/03/08 15:34:43, 6] param/loadparm.c:lp_file_list_changed(2318)
  lp_file_list_changed() file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Sat Mar 8 15:34:20 2003
[2003/03/08 15:34:43, 6] param/loadparm.c:lp_file_list_changed(2318)
  lp_file_list_changed() file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Sat Mar 8 15:34:20 2003
[2003/03/08 15:34:43, 10] smbd/negprot.c:get_challenge(40)
  get challenge: creating
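
Added example, not part of the original post and not Samba code: a small Python parser for the smbd log layout quoted above, pairing each header line with its message text and flagging authentication failures where the username arrived empty. The sample log is constructed from lines in the post plus one invented non-empty failure for contrast; the function names and the tolerance for "->" between the bracketed names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the first four entries are taken from the post, laid out
# as a header line followed by indented message text. The last entry is
# invented for contrast (a failure with a non-empty username).
SAMPLE_LOG = """\
[2003/03/08 15:21:43, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching for:[((uid=)(objectclass=sambaAccount))]
[2003/03/08 15:21:43, 3] auth/auth_sam.c:check_sam_security(391)
  Couldn't find user '' in passdb file.
[2003/03/08 15:21:43, 2] auth/auth.c:check_ntlm_password(273)
  check_password: Authentication for user [] - [] FAILED with error NT_STATUS_NO_SUCH_USER
[2003/03/08 15:21:43, 3] smbd/error.c:error_packet(113)
  error packet at smbd/sesssetup.c(829) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2003/03/08 15:30:02, 2] auth/auth.c:check_ntlm_password(273)
  check_password: Authentication for user [john] - [john] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Header line: [date time, level] source_file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
# Failure message as shown in the post; "->" is also accepted (assumption).
AUTH_FAIL = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] ->? \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>\w+)")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "msg": []}
            current["level"] = int(current["level"])
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"].append(raw.strip())
    for e in entries:
        e["msg"] = " ".join(e["msg"])
    return entries

def auth_failures(entries):
    """Return one record per failed authentication, marking empty usernames."""
    out = []
    for e in entries:
        m = AUTH_FAIL.search(e["msg"])
        if m:
            out.append({"ts": e["ts"], "user": m["user"],
                        "status": m["status"], "empty_user": m["user"] == ""})
    return out

def summarize(text):
    """Count failures per (username, status); empty names shown as <empty>."""
    fails = auth_failures(parse_entries(text))
    return Counter((f["user"] or "<empty>", f["status"]) for f in fails)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, *key)
```
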
[Samba] how to delete profiles after user logout ( win 2000/xp)
Hi,

How could I set up 2000/xp workstations so that after a domain user logs out, his profile gets removed from the workstation machine? I know how to do it under NT (poledit), but I haven't found a way to solve it with 2k/xp..

John
[Samba] security = server and password server sometimes rejects password
Hi,

I have two samba servers: PDC (3.0a21), which has only the [netlogon] share, and FSERVER (samba 2.2.5), which uses PDC as password server and also shares out [homes] and [profile]. From time to time it happens that when I log in from a WS I get an error message that \\fserver\profiles can't be accessed. And when I look into the FSERVER log, it complains:

password server PDC rejected the password.

but I know that the password is right, because I typed it right and also I could log on to the WS (but profile loading does not work). And in the logon script \\fserver\homes is mapped as the U: drive, but from time to time this doesn't work either and the logon script window prompts me for a password, and when I type the right password there it rejects it.

My PDC gets all user information from LDAP (nsswitch also lives 100% on ldap), so maybe it's just some kind of timeout accessing information from LDAP?
Re: [Samba] [Fwd: samba 30alpha21 + NT4/2K WS-s]
Third problem is locally stored profiles. How could I make such a setup that when a user logs out from a WS, the WS would copy the changed profile back to the server and delete it from the WS? It's a question of security and hard disk space..

you can do that with a setting in gpedit.msc don't remember which one but i think it'll be obvious.

but is it possible to establish a central sec policy/configuration for all nt4/w2k/xp/98 workstations? i've heard something about it working with nt4, so that every time a user logs on, the nt4 ws retrieves the policy from [netlogon]... but can anyone explain in more detail?
Re: [Samba] [Fwd: samba 30alpha21 + NT4/2K WS-s]
On Fri, 2003-02-28 at 13:09, [EMAIL PROTECTED] wrote:

[netlogon] share is like that:

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = no
   writable = no
   browseable = yes
   public = yes

this is what i'm using ...

[netlogon]
   path = /etc/samba/netlogon
   write list = root
   guest ok = Yes
   nt acl support = No

do you have scriptPath set in ldap? i don't use logon scripts so i'm not sure you need it - just an idea.

yes, when I put scriptPath: START.BAT in ldap then it works and START.BAT gets executed. but why doesn't it find it when in smb.conf logon script = START.BAT ?

get_domain_user_groups: primary gid of user [john] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that

i get that sometimes - i just ignore it...

btw it still complains about the same thing although I added the user's primary group to Domain Users and Users group? what's the catch?