Re: [Samba] XP SP2 not running sambaLogonScript:
You might also disable offline files on the Windows PC. I've seen where this will cache a copy of the NETLOGON share, and then run the cached copy (if it exists) rather than the recently modified real one. I've also seen where it doesn't run the script because the cache copy of NETLOGON doesn't contain the file (even though the real NETLOGON does).

Jonathan Johnson
www.backupcheckup.com

Helmut Hullen wrote:
> Hello, Adam,
>
> You (awilliam) wrote on 25.04.08:
>
>> I can't get my Windows PCs to run sambaLogonScript: as declared in openldap 2.3.39 and samba 3.0.28a.
>> In LDAP for a user I have:
>> sambaLogonScript: \\tester\netlogon\scripts\testersamba.bat
>
> Script name: without path
> The path is defined in [netlogon]

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] SERIOUS PROBLEM - Root Account Locked
Do you have a process (like a service or scheduled task) running on a client machine as user 'root' with an incorrect cached password?

Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jason Baker wrote:
> My root account keeps getting locked out automatically. I am running Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have accounts set to lock after 8 unsuccessful login attempts. I zeroed out the bad password count, and then in less than a few seconds the account gets locked again and a pdbedit -Lv -u root yields the following:
>
> Unix username:root
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set:Wed, 01 Jan 1969 03:00:00 EST
> Password can change: Wed, 08 Jan 1969 03:00:00 EST
> Password must change: never
> Last bad password : Wed, 08 Aug 2007 13:51:14 EDT
> Bad password count : 8
>
> If I enter w on the command line, it only shows that two (authorized) users are logged into the server. So I'm confident that no one from the outside is attempting to log in as root. Below is my conf file. If I go into LDAP Account Manager and unlock the account, it will stay unlocked for a few minutes (or seconds), then it is locked out again. With the account lock I cannot join machines to the domain, nor change domain permissions for users and groups. Any suggestions would be helpful.
>
> [global]
> unix charset = LOCALE
> workgroup = glastendernet
> netbios name = aster
> server string = Glastender Domain Controller running %v
> interfaces = eth1, lo, tun+
> bind interfaces only = yes
> os level = 255
> preferred master = yes
> local master = yes
> domain master = yes
> security = user
> time server = yes
> username map = /etc/samba/smbusers
> wins support = yes
> encrypt passwords = yes
> pam password change = yes
> name resolve order = wins bcast hosts
> winbind nested groups = no
> passdb backend = ldapsam:ldap://aster.glastender.com
> ldap passwd sync = Yes
> ldap suffix = dc=glastender,dc=com
> ldap admin dn = cn=Manager,dc=glastender,dc=com
> ldap ssl = no
> ldap group suffix = ou=Groups
> ldap user suffix = ou=People
> ldap machine suffix = ou=People
> ldap idmap suffix = ou=Idmap
> idmap backend = ldap:ldap://aster.glastender.com
> idmap uid = 1-2
> idmap gid = 1-2
> map acl inherit = yes
> add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
> #delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
> add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
> add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
> #delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
> add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
> set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u
> domain logons = yes
> log file = /var/log/samba/log.%m
> log level = 0
> syslog = 0
> max log size = 50
> #smb ports = 139 445
> smb ports = 139
> hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0
> # User profiles and home directories
> logon drive = U:
> logon path = \\%L\profiles\%U
> logon script = %U.bat
> large readwrite = no
> read raw = no
> write raw = no
> printcap name = /etc/printcap
> load printers = no
> printing =
> template shell = /bin/false
> winbind use default domain = yes
RE: [Samba] SERIOUS PROBLEM - Root Account Locked
This sounds like you have 'root = Administrator' in your /etc/samba/smbusers file. Is the password you are using for Administrator *different* from what is set for root in Samba (smbpasswd root to change)? That could be the issue. Note that typically, Linux and Samba use different password databases, so even though they map the same user name, the passwords may be different.

Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

From: Jason Baker [mailto:[EMAIL PROTECTED]
Sent: Wed 8/8/2007 1:51 PM
To: Jonathan Johnson
Cc: samba@lists.samba.org
Subject: Re: [Samba] SERIOUS PROBLEM - Root Account Locked

> Do you have a process (like a service or scheduled task) running on a client machine as user 'root' with an incorrect cached password?

No actually, this is what seems to be happening: I log into a windows xp pro workstation as Administrator and browse the network. I double-click on a network share, in this case a samba computer called HENBANE. If I view pdbedit -Lv -u root from another computer while I'm doing this, I can watch the bad login count rise from 0 to 8. I then get a message that pops up on the Windows workstation that says something to the effect of account locked. I added guest account = nobody to my smb.conf file and now I can browse the HENBANE share after being prompted for a username and password, but the bad password count for root now shows 2, and it rises higher each time I access a share that requires a username and password.

Jason Baker
IT Coordinator
Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com
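The diagnosis discussed in this thread can be checked mechanically. The following is an added example, not code from the posters or from the Samba project: it parses a username map in the `unixname = clientname ...` format and the `pdbedit -Lv` fields quoted above, then reports which client names authenticate as root and whether the account has reached the lockout threshold. The map contents are a constructed sample based on the 'root = Administrator' guess in the reply, and the function names are hypothetical.

```python
import re

# Constructed sample of /etc/samba/smbusers (the thread only guesses at its contents).
SAMPLE_SMBUSERS = """\
# unixname = clientname1 clientname2 ...
root = Administrator
nobody = guest pcguest smbguest
"""

# Fields as quoted in the thread from `pdbedit -Lv -u root`.
SAMPLE_PDBEDIT = """\
Unix username:root
Logon time: 0
Password last set:Wed, 01 Jan 1969 03:00:00 EST
Last bad password : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count : 8
"""


def parse_username_map(text):
    """Return {client name (lowercased): unix name} from username-map text."""
    mapping, final = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # '#' and ';' start comment lines
            continue
        stop = line.startswith("!")          # '!' ends map processing on a match
        unix_name, sep, clients = line.lstrip("!").partition("=")
        if not sep:
            continue
        # Client names containing spaces are written in double quotes.
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', clients):
            name = (quoted or bare).lower()
            if name in final:
                continue
            mapping[name] = unix_name.strip()
            if stop:
                final.add(name)
    return mapping


def parse_pdbedit(text):
    """Return {field name (lowercased): value} from `pdbedit -Lv` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split at the first colon only
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def lockout_findings(map_text, pdbedit_text, threshold, privileged=("root",)):
    """List client names mapped to privileged accounts and any reached lockout."""
    findings = []
    for client, unix_name in sorted(parse_username_map(map_text).items()):
        if unix_name in privileged:
            findings.append(("mapping", client, unix_name))
    account = parse_pdbedit(pdbedit_text)
    count = int(account.get("bad password count", "0"))
    if count >= threshold:
        findings.append(("lockout", account.get("unix username", "?"), count,
                         account.get("last bad password", "unknown")))
    return findings


if __name__ == "__main__":
    # 8 is the lockout threshold stated in the original post.
    for finding in lockout_findings(SAMPLE_SMBUSERS, SAMPLE_PDBEDIT, 8):
        print(finding)
```

A mapping finding together with a lockout finding points at the situation described in the reply: every Windows session logged in under the mapped client name presents its own password for root, and each mismatch increments the bad password count.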
Re: [Samba] BUG? 'valid users' doesn't allow groups from trusted domains
Additional information below.

Jonathan Johnson wrote:
> It appears that you cannot include groups from trusted domains in the 'valid users =' directive on a share. Here is the scenario as I experienced it (names have been changed to protect the innocent):
>
> Configuration:
> - Samba 3.0.21b as a member server in a real NT4 domain (security = domain) called 'NTDOMAIN'
> - NTDOMAIN has a two-way trust with Windows 2003 Active Directory domain 'ADSDOMAIN'
> - User 'fred' has an account on NTDOMAIN (NTDOMAIN+fred) and is a member of the 'sales' group on NTDOMAIN (@NTDOMAIN+sales)
> - User 'wilma' has an account on ADSDOMAIN (ADSDOMAIN+wilma) and is a member of the 'sales' group on ADSDOMAIN (@ADSDOMAIN+sales)
>
> If the share 'salesforce' has a 'valid users =' line in it, members of the trusting domain have no access by group; they can only access it if their accounts are specified explicitly. For example:
>
> [salesforce]
> path = /data/salesforce
> valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales
>
> then fred will have access to the salesforce share, but wilma will not, even though her group has been granted access to the share. If I specify wilma's account explicitly:
>
> [salesforce]
> path = /data/salesforce
> valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma
>
> then wilma will be able to access the share. It appears that adding a group from a trusted domain doesn't achieve what I hope to accomplish.
>
> Now, I have not tried this with all possible combinations: both domains NT, both domains ADS, etc. ad infinitum. I just don't have the resources.
>
> Is this a bug or is it by design? If you folks think it's a bug, then I'll submit it as a bug report. If I'm misunderstanding something, please enlighten me or point me to the appropriate docs.
>
> -Jonathan Johnson
> Sutinen Consulting, Inc.
> www.sutinen.com

More information:

wbinfo -u -g --domain=NTDOMAIN
reveals the list of domain users and groups from NTDOMAIN.

wbinfo -u -g --domain=ADSDOMAIN
returns the error 'Error looking up domain users' (or groups, if only -g is spec'd)

wbinfo --getdcname=ADSDOMAIN
returns 'ADSDOMAIN+ADSSERVER', the domain and name of the ADS server.

If I specify credentials (either in NTDOMAIN or ADSDOMAIN) using --set-auth-user, the results are exactly the same.

The 'getent' command returns similar results, but IS able to resolve users in ADSDOMAIN but not groups:

getent group NTDOMAIN+sales
will return the list of users in that group. However, the similar command:

getent group ADSDOMAIN+sales
returns nothing, not even an error. Interestingly, the command

getent passwd ADSDOMAIN+wilma
will return a result such as this:

ADSDOMAIN+wilma:x:10213:10034::/home/ADSDOMAIN/wilma:/bin/false

Interesting. Does this indicate a bug in wbinfo, getent, some Samba bug, or a combination of all three?

Oh, yes, this is on Ubuntu 5.10 Breezy Badger. Yes, I know it's old.

-Jon Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
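The `getent group` check described in this message can be run against every group named in a share's `valid users` line. The following is an added example, not code from the poster or the Samba project: it parses the share definition quoted above and reports each group entry that the system's name service cannot resolve, which is the condition the poster observed for ADSDOMAIN+sales. The function names and the constructed lookup table are hypothetical, and entries are assumed to contain no spaces.

```python
import grp

# Share definition as quoted in the post.
SAMPLE_CONF = """\
[salesforce]
    path = /data/salesforce
    valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma
"""

# Constructed stand-in for NSS, mirroring the getent results reported above:
# the NTDOMAIN group resolves, the ADSDOMAIN group does not.
CONSTRUCTED_GROUPS = {"NTDOMAIN+sales": ["NTDOMAIN+fred"]}


def constructed_lookup(name):
    """Return the member list for a group, or None when it does not resolve."""
    return CONSTRUCTED_GROUPS.get(name)


def nss_group_members(name):
    """Same question asked of the real system (what `getent group` consults)."""
    try:
        return grp.getgrnam(name).gr_mem
    except KeyError:
        return None


def parse_valid_users(conf_text):
    """Return {share name: [entries]} for each section with 'valid users'."""
    shares, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        # smb.conf parameter names ignore case and internal whitespace runs.
        if sep and section and " ".join(key.split()).lower() == "valid users":
            shares[section] = value.replace(",", " ").split()
    return shares


def audit_valid_users(conf_text, lookup=nss_group_members):
    """Return (share, entry, status) for every group entry in 'valid users'.

    status is 'ok', 'no listed members' or 'unresolved'.
    """
    report = []
    for share, entries in parse_valid_users(conf_text).items():
        for entry in entries:
            if entry[0] not in "@+&":        # plain user name, not a group
                continue
            group = entry.lstrip("@+&")      # only leading markers; keeps DOMAIN+group
            members = lookup(group)
            if members is None:
                status = "unresolved"
            elif not members:
                status = "no listed members"
            else:
                status = "ok"
            report.append((share, entry, status))
    return report


if __name__ == "__main__":
    for row in audit_valid_users(SAMPLE_CONF, constructed_lookup):
        print(row)
```

Calling `audit_valid_users(text)` without a lookup argument queries the live name service on the Samba host, so an 'unresolved' result there matches a `getent group` call that prints nothing.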
Re: [Samba] Domain member, security = ADS|domain and trusts with NT4
After extensive testing, the answer I come up with is yes, and no.

Jonathan Johnson wrote:
> I presently have a Samba server (3.0.21b) set up as a member server in an NT4 domain (with a real Windows NT4 PDC). We are migrating to an Active Directory domain (with a real Windows 2003 domain controller). We have set up a two-way trust between the old NT4 domain CLUNKY and the new ADS domain SLEEK (aka sleek.local). The Samba server is a member of the CLUNKY domain (security = domain) and authentication is against the PDC for the CLUNKY domain.
>
> How can I ensure that users in both CLUNKY and SLEEK can access the Samba server? Will joining the Samba server to SLEEK with security = ADS allow this? Will Samba honor the domain trust?

If a share is not restricted with valid users =, then the user in SLEEK can access the share on the Samba server in CLUNKY. However, if you have restrictions on the share such as

valid users = @CLUNKY+sales, CLUNKY+fred

then the user 'fred' in the SLEEK domain will NOT be able to access. You can grant SLEEK+fred access by modifying:

valid users = @CLUNKY+sales, CLUNKY+fred, SLEEK+fred

so it appears that you can add users in trusted domains to the 'valid users =' directive. However, groups of trusted domains don't work:

valid users = @CLUNKY+sales, @SLEEK+sales

If 'fred' is a member of the group SLEEK+sales, fred will NOT have access (assuming the Samba server is in the CLUNKY domain).

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
[Samba] BUG? 'valid users' doesn't allow groups from trusted domains
It appears that you cannot include groups from trusted domains in the 'valid users =' directive on a share. Here is the scenario as I experienced it (names have been changed to protect the innocent):

Configuration:
- Samba 3.0.21b as a member server in a real NT4 domain (security = domain) called 'NTDOMAIN'
- NTDOMAIN has a two-way trust with Windows 2003 Active Directory domain 'ADSDOMAIN'
- User 'fred' has an account on NTDOMAIN (NTDOMAIN+fred) and is a member of the 'sales' group on NTDOMAIN (@NTDOMAIN+sales)
- User 'wilma' has an account on ADSDOMAIN (ADSDOMAIN+wilma) and is a member of the 'sales' group on ADSDOMAIN (@ADSDOMAIN+sales)

If the share 'salesforce' has a 'valid users =' line in it, members of the trusting domain have no access by group; they can only access it if their accounts are specified explicitly. For example:

[salesforce]
path = /data/salesforce
valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales

then fred will have access to the salesforce share, but wilma will not, even though her group has been granted access to the share. If I specify wilma's account explicitly:

[salesforce]
path = /data/salesforce
valid users = @NTDOMAIN+sales, @ADSDOMAIN+sales, ADSDOMAIN+wilma

then wilma will be able to access the share. It appears that adding a group from a trusted domain doesn't achieve what I hope to accomplish.

Now, I have not tried this with all possible combinations: both domains NT, both domains ADS, etc. ad infinitum. I just don't have the resources.

Is this a bug or is it by design? If you folks think it's a bug, then I'll submit it as a bug report. If I'm misunderstanding something, please enlighten me or point me to the appropriate docs.

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
[Samba] Domain member, security = ADS|domain and trusts with NT4
I presently have a Samba server (3.0.21b) set up as a member server in an NT4 domain (with a real Windows NT4 PDC). We are migrating to an Active Directory domain (with a real Windows 2003 domain controller). We have set up a two-way trust between the old NT4 domain CLUNKY and the new ADS domain SLEEK (aka sleek.local). The Samba server is a member of the CLUNKY domain (security = domain) and authentication is against the PDC for the CLUNKY domain.

How can I ensure that users in both CLUNKY and SLEEK can access the Samba server? Will joining the Samba server to SLEEK with security = ADS allow this? Will Samba honor the domain trust?

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Very slow initial opening MS-Word and MS-Excel files from Samba
Please review the Samba HOWTO, chapter 10, Common Errors where it discusses this issue.
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id350945

Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Aaron Kincer wrote:
> Also, as others have mentioned, Windows and its applications can have long memories about servers contacted in the past. For example, the list of recently opened files.
[Samba] Migrating from NT4 PDC to Windows 2003 ADS; Samba as member server
Here's the situation. We've got an old NT4 domain (not a Samba domain in NT 4 mode) which we'll call CRUSTY. There is of course an NT4 PDC and several NT4 BDCs. We have some Linux/Samba file servers (Samba 3.0.1) that are member servers (security = domain) of the NT4 domain. We also have several NT4 BDCs and about 200 workstations of varying vintage (2000, XP) in several facilities around the world on a WAN.

We are *migrating* to a new Active Directory 2003 domain called SHINY (I am assuming this will imply security = ADS). We don't wish to *upgrade* the NT4 domain. We would like to do the migration a little at a time rather than all at once in order to preserve our sanity.

How can we establish a domain trust so that a Samba server that is joined to the CRUSTY domain will allow access for users that are authenticated against the SHINY domain? Is there a better way? (I can RTFM, but I need to know where to look.)

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Move local profile to domain profile.
OK, I haven't done this with ROAMING profiles, but I've done it so many times with locally-stored profiles I think I can do it in my sleep. (The following is not written for the novice user.)

Consider the following scenario: user Fred Flintstone has a local account FRED on the Windows XP Professional workstation FREDSCOMPUTER. You have already joined FREDSCOMPUTER to the BEDROCK domain, and Fred has been given an account in the BEDROCK domain called FFLINTSTONE (note, I'm using caps so it's easy to read in my example).

1. Log into FREDSCOMPUTER with admin rights, but not as FRED. Use NTBACKUP (the built-in backup utility), make a backup of Documents and Settings\Fred (or wherever his local-account profile happens to be stored). This is for bone-headed admins like me who will probably screw something up. NTBACKUP is suggested because it's fairly easy to use (read: quick) and will preserve permissions.
2. Assign permissions (recursively) to Documents and Settings\Fred that allow BEDROCK\FFLINTSTONE full access.
3. Load the registry hive Documents and Settings\Fred\NTUSER.DAT and assign permissions similarly. (I typically use REGEDIT, or REGEDT32 on Windows 2000 and earlier.)
4. Unload the registry hive or reboot the computer.
5. Log in as BEDROCK\FFLINTSTONE. This will create a new profile for Fred; make a note of the path where the profile is stored. This profile folder will be deleted shortly, but this step is necessary to create a registry key. Log out, and log back in as a local admin.
6. Open the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Under here you will see numerous keys named by the SIDs of users who have logged in. One of these will correspond with the BEDROCK\FFLINTSTONE account. Since you are using Samba, you can (rather conveniently, I might add) use pdbedit -L -v fflintstone to find out the SID. Otherwise, you can look thru until you find the one for which the ProfileImagePath value corresponds with the path noted in step 5, above. Modify the value for ProfileImagePath to correspond to the path to FRED's profile that you backed up in step 1.
7. Delete the profile folder noted in step 5. You won't be needing it anymore.
8. Log in as BEDROCK\FFLINTSTONE and you should be logged into the domain, but still using FRED's old profile.

Now here's how I would handle it if the domain profile was a roaming profile: temporarily disable the roaming profile configuration for BEDROCK\FFLINTSTONE before doing the above. After doing the above steps, convert the domain local profile to a domain roaming profile.

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jason Baker wrote:
> So far I haven't found an automated way. I just log in to the domain as the user, which creates the roaming profile on the network. Then log out, log in to the local machine as admin and copy the contents of My Documents, Desktop and Application Data (all from Documents and Settings/username) from the local profile to the roaming profile. Then log back in to the domain as the user and all the desktop icons and user settings should be there. Just remember to delete the local profile to avoid confusion.
>
> Jason Baker
> IT Coordinator
> Glastender Inc.
> 5400 North Michigan Road
> Saginaw, Michigan 48604 USA
> 800.748.0423
> Phone: 989.752.4275 ext. 228
> Fax: 989.752.
> www.glastender.com
>
> On 3/14/2007 6:57 PM, Dennis McLeod wrote:
>> Ok, I got the W2K3 resource kit tool to move my local profile to my domain profile (moveuser.exe). Didn't really work that cleanly. Even though I used the /k (keep the local account), it didn't really. It seemed to change the permissions on MOST of the files. It didn't really move the files either. It's just pointed my profile (or parts of it) to the existing folder. Can't really go back now. It didn't do My Documents and lower. I had to log out, log in as domain administrator, and take ownership of those files. Even then, it lost some of my passwords (which is ok with me).
>>
>> Does anyone have a nice CLEAN way to migrate the local profile to a domain profile? (something automated, perhaps...) How about using the right click on My computer on the desktop, advanced tab, User Profiles button, and copy to. Has anyone tried that? I suppose I'll need to re-image my machine and try it...
>>
>> Dennis
[Samba] Slow browsing, File Open dialog
I offer this for your consideration:

In chapter 10, section Common Errors of the official HOW-TO ( http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id321003 ) there is some discussion about slow network browsing.

I just ran across an interesting article by Mark Russinovich (a Windows guru, founder of SysInternals, now working for Microsoft) concerning delayed File - Open dialogs in Windows Vista. The article, dated Nov. 26, 2006 can be found here: http://blogs.technet.com/markrussinovich/archive/2006/11/27/532465.aspx

-Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] howto upgrade/transfer samba domain-user + domain-group data to a new windows 2003 active directory domain?
On 12/6/2006 5:18 PM, Chris Smith wrote:
> On Wednesday 06 December 2006 16:46, Urs Rau wrote:
>> Alternatively, I would also welcome any suggestions that would allow us to use microsoft outlook shared calendaring
>
> If you really want microsoft outlook shared calendaring then you need Exchange Server as well, and you get vendor lock-in at no extra charge.

And, as Michael Schurter wrote in another reply:
> Group Policy Management in Samba: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/PolicyMgmt.html

Not necessary to go with Exchange. There are other Exchange-like options out there for Linux. Personally, I like CommuniGate Pro from Stalker Software www.stalker.com but it's a commercial product. You might also check out www.open-xchange.com or opengroupware.org (I have no experience with either).

If you do decide to go to Windows Server 2003, you'll want to use the Active Directory Migration Tool which is included on the Windows Server 2003 installation CD for migrating your user and computer accounts to the Windows ADS domain. Please search the Samba archives for ADMT or Active Directory Migration Tool under my authorship; I've written extensively about it and don't care to sound like a broken record.

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] slow profiles
On 10/25/2006 7:32 AM, Felipe Augusto van de Wiel wrote:
> On 10/10/2006 08:22 AM, Lluís Forns Puigmartí wrote:
>> Hello, I am new to Samba and I have to administrate a server working ok; but some users have huge profiles (about 10Gb), and each login takes really long. I think the problem exists because each login all the profile is download, and at logout it is upload.
>>
>> Is there a way to use all the profile from the server? I have you can modify all of this by changing:
>>
>> [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
>> AppData=%USERPROFILE%\Datos de programa
>> Cookies=%USERPROFILE%\Cookies
>> ... ..
>>
>> to
>>
>> [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
>> AppData=P:\Profile\Datos de programa
>> Cookies=P:\Profile\Cookies
>> ... ..
>>
>> am I right? is there a way to make all this changes without using regedit on each user?.
>
> Yes, there are a few options on that matter, please check the Official HOWTO, chapter of Desktop Profile Management. :)
>
> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html
>
>> thanks a lot and excuse me for my poor English
>
> Kind regards,

Following is in regards to email and roaming profiles:

If your users are using an email client (other than Outlook) in conjunction with a POP3 mail server, their mailbox files can be taking up a HUGE amount of space. These files seem to be changed every time the email client is opened; therefore, they must be synchronized each logout and login. If Outlook Express' INBOX.MBX (or any other mailbox) file is large, it will take a very long time to synchronize. Outlook Express does not permit you to place the mailbox store anywhere other than the local machine, however, you CAN place it outside the user's profile. Of course, this partially defeats the promise of roaming profiles.

My recommendation for networks where POP3 is used is to either switch to Outlook (which allows you to store the Outlook Data File - .pst - on a network share), some other client that allows for network-share-based mailbox files, or switch to an IMAP or Exchange based system.

-Jon Johnson
Re: [Samba] Slow browsing
On 10/17/2006 12:41 PM, sim wrote:
> Hi,
>
> I have recently set up an old machine as a linux fileserver (Intel 815E board with 512MB ram and PIII 800mhz). I am running the latest Fedora Core 5 with the version of samba 3 that ships with that and am exposing a single share for my software raid (4x400gb PATA seagate drives, running from two siig ATA cards so each drive has its own channel)
>
> I also have a buffalo 1.0tb terastation network storage drive that runs samba configured as raid 5, though I am not sure of the version of samba it is running, though I believe it is a 2.0 version
>
> My wife also has a G5 mac running the latest OSX version, setup to use samba but it is on a different workgroup. Everything is hooked up via 100 base wired ethernet.
>
> When browsing from my XP pro desktop the file server computer icon shows up very quickly but when I browse to a share on the machine it takes about 30 seconds to display the shares. This behavior continues as I access files on the share. All the other shares from the terastation and mac etc appear almost immediately.
>
> I ping'ed all my machines from all my other machines and the network speed to and from the server seems the same as to and from the other machines so it doesn't seem to be a network issue to me.
>
> The power went off this morning and that shut down the linkstation and mac. Usually they are always on and so are powered up when the linux server comes up, but that situation was reversed this morning, and the linux server was booted first. I now noticed that there was a delay browsing to the terastation and that the linux shares appeared almost immediately. However the delay was not as bad as the original delay on the linux server (only about 5-10 seconds).
>
> Do multiple instances of samba servers cause browsing issues like that? I am using user level security. Is there something else going on causing the slow browsing? If there is some incompatibility with multiple servers how can I rectify it?
>
> Thanks for any help
> Simon

Please review the Official Samba-3 HOWTO and Reference Guide, Chapter 10 Network Browsing, section Common Errors, subsection Browsing of shares and directories is very slow. Also check out Invalid Cached Share References Affect Network Browsing just below that.

http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2590200

-Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Re: Migration NT4 domain to Samba/LDAP howto
On 10/18/2006 5:56 AM, Veronica Hill wrote:
> On 18 Oct 2006, at 22:28, Paul van Noort wrote:
>> Thanks for the help.. I got some reading matter for the upcoming fall holiday ;-)
>>
>> Questions so far that come to mind are:
>>
>> My current Windows 2003 server must stay! It is the Application server: can Samba act as a PDC with this machine in its domain? Or will win2003 try to take over. It is just a member server.. Not a BDC.
>
> It can be a domain member server in a samba domain. Remember that the samba domain is an NT4 style one
>
>> Can i map the current users on my NT domain to LDAP users on my LDAP directory. These users have an e-mail account and password in place! Will this cause headaches?
>
> Possibly although this will be quite a project for you. You may not be able to use the generic smbldap scripts to vampire the users out of your old NT4 domain. I would suggest taking a copy of your ldap databases and then running a vampire to a brand new server with it being set up as a master ldap server. It may be that the smbldap-tools will add the relevant samba parts to your already existing ldap users, as long as the ldap users have the same usernames as your nt4 users.
>
> Bye
> Veronica

If you wish to use your LDAP mail server as the authentication server, be aware that this will involve expanding the LDAP schema to include the fields necessary (things like login scripts, SIDs, profiles, logon hours, etc.). No, I can't tell you how to do it, because LDAP is way over my head.

-Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Researching possible windows solutions...
I assume you mean an implementation of Samba? I haven't heard of one, but maybe there is. I take it that you don't want to learn UNIX, and don't want to pay for Microsoft Windows Server Client Access Licenses? :-)

Read your EULA for Windows XP; it may specifically prohibit this sort of implementation. I don't know, I've never read it. I just clicked I Accept.

This would necessitate turning off the server service in Windows, otherwise it would conflict with Samba.

-Jon

On 10/4/2006 7:38 AM, Josserand, Jesse wrote:
> Does anyone know of an implementation that runs on Windows Server 2003 or XP?
Re: [Samba] Choosing Domain vs. Workgroup
On 9/19/2006 9:01 AM, David Dyer-Bennet wrote:

On 9/19/06, Felipe Augusto van de Wiel [EMAIL PROTECTED] wrote:

On 09/18/2006 12:08 PM, David Dyer-Bennet wrote:

I thought I wanted to set up my Solaris file-server as domain controller for my small home network, but the more I look at it the less I'm sure. Plus I'm having trouble doing it :-). [snip] And some of the machines are running XP home, since that's what came on at least one of the laptops. And one of them is a Mac.

AFAIK, WinXP Home is not allowed to join domains.

That's what I've read, as well. I was trolling for confirmation, kinda.

That's not to say that XP Home cannot communicate with a Samba domain as a workgroup member. You'll just have to maintain user security information separately on the Home machines, you won't be able to take advantage of the features of a domain. (Remember, a domain is just a workgroup with centralized security management.) Likewise, the Mac will have its own security database, unless you can figure out how to make it use kerberos authentication against the Samba domain (theoretically possible if you are running OS X).

With more than a few machines, user management is a nightmare on XP Home. Also, for NTFS filesystem security, XP Home is missing the GUI tools. The security features are there, you just have to use CACLS from the command line and that gets ugly.

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] samba still remembers the old domain name i used for testing
'slocate tdb' may reveal the location of more tdb files.

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
[EMAIL PROTECTED]

On 7/27/2006 3:59 AM, éric le hénaff wrote:

thanks for a so quick answer. yes i deleted secrets.tdb. that's what is strange! the server is a debian sarge box and puts tdb files all over the place. i deleted files in /var/lib/samba , /var/cache/samba , .var/run/samba and checked in all config files that the testing domain wasn't mentioned any more.

Michael Gasch wrote:

éric le hénaff wrote:

hello i tried to do a fresh start with erasing all tdb files but when i restart samba it still remembers the old domain name i used for testing net getlocalsid gives domain B and should give domain A. how to fix it ? thank you

did you delete secrets.tdb? greez
Re: [Samba] Samba 3.0.14 and w2k3 terminal server / strange logon problem / is this in general possible
On 8/2/2006 3:52 AM, Josef Schauer wrote:

I try to logon to the DOMAIN ISARLBERG like this:

username: josef
password: X
Domain: ISARLBERG

After getting the error, I can see this in the eventlog:

Tried credentials: ISARLBERG/josef
Effective used credentials OBELIX/josef

OBELIX is the NETBIOS name of the samba server.

What does 'pdbedit -L -v josef' reveal on the Samba server? It sounds almost like the user account for josef might have been created before the Samba server was converted to a domain controller; in this case, that account will be considered a local account on the Samba server instead of a domain account. If this is the case, then you may find it easiest to remove the user account and recreate it.

This of course poses issues with user profiles -- josef's user profile will likely be associated with OBELIX/josef instead of ISARLBERG/josef, and once you successfully log in to the domain, a new user profile will be created for ISARLBERG/josef. There are ways of overcoming this; if you experience this issue feel free to write me back and I'll explain how to fix it. It's not that difficult -- it involves replacing ACLs on the profile, user registry hive (NTUSER.DAT), and modifying a registry entry in the HKLM hive.

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
[EMAIL PROTECTED]
[Samba] Proposed update to documentation
I propose an addition to the documentation: in the official HOWTO, chapter 4, under Common Errors:

Problem: User account is authenticated against server's NetBIOS name rather than domain name

When I try to log in to the DOMAIN, the eventlog shows 'tried credentials DOMAIN/username; effective credentials SERVER/username'

Usually this is due to a user or machine account being created before the Samba server is configured to be a domain controller. Accounts created before the server becomes a domain controller will be local accounts and authenticated as a member in the SERVER domain, much like local user accounts in Windows 2000 and later. Accounts created after the Samba server becomes a domain controller will be domain accounts and will be authenticated as a member of the DOMAIN domain.

This can be verified by issuing the command 'pdbedit -L -v username'. The line to consider is Domain: if it reports DOMAIN then the account is a domain account, if it reports SERVER then the account is a local account.

The easiest way to resolve this is to remove and recreate the account; however this may cause problems with established user profiles. You can also use 'pdbedit -u username -I DOMAIN'; you may also have to change the User SID and Primary Group SID to match the domain.

Josef Schauer wrote:

Hi Jonathan.

What does 'pdbedit -L -v josef' reveal on the Samba server? It sounds almost like the user account for josef might have been created before the Samba server was converted to a domain controller; in this case, that account will be considered a local account on the Samba server instead of a domain account. If this is the case, then you may find it easiest to remove the user account and recreate it.

Your guess was right. The user josef was considered as a local account. I deleted the user josef with pdbedit -x josef and created a new user with pdbedit -a josef. Nothing else had to be done ;-) I spent two days on solving this problem ;-( With your suggestion the issue was solved in a few minutes 8-)

Thx Josef
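The Domain check proposed above can be run across a whole account database rather than one user at a time. The following is an added example, not part of the original messages or of Samba: it parses text in the "Key: value" layout that 'pdbedit -L -v' prints and lists accounts whose Domain field is the server name, or whose SIDs do not carry the domain SID. The sample records and both SIDs are constructed, and the function names are hypothetical.

```python
import re

DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"  # constructed value
SERVER_SID = "S-1-5-21-2000000001-2000000002-2000000003"  # constructed value

# Constructed sample in the "Key: value" layout of `pdbedit -L -v`;
# records are separated by a line of dashes.
SAMPLE = f"""\
---------------
Unix username:        josef
NT username:
Account Flags:        [U          ]
User SID:             {SERVER_SID}-3002
Primary Group SID:    {SERVER_SID}-513
Domain:               OBELIX
---------------
Unix username:        maria
Account Flags:        [U          ]
User SID:             {DOMAIN_SID}-3004
Primary Group SID:    {DOMAIN_SID}-513
Domain:               ISARLBERG
---------------
Unix username:        karl
Account Flags:        [U          ]
User SID:             {SERVER_SID}-3006
Primary Group SID:    {DOMAIN_SID}-513
Domain:               ISARLBERG
---------------
Unix username:        ws01$
Account Flags:        [W          ]
User SID:             {SERVER_SID}-3008
Primary Group SID:    {SERVER_SID}-515
Domain:               OBELIX
"""


def parse_pdbedit(text):
    """Split verbose pdbedit output into one dict per account."""
    records, current = [], {}
    for line in text.splitlines():
        if re.fullmatch(r"-{5,}", line.strip()):
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only: date values contain colons too.
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def audit(records, domain, server, domain_sid):
    """Return accounts that are not cleanly registered in `domain`."""
    findings = []
    for rec in records:
        issues = []
        acct_domain = rec.get("Domain", "")
        if acct_domain.upper() == server.upper():
            issues.append("local-domain")   # created before the server was a DC
        elif acct_domain.upper() != domain.upper():
            issues.append("other-domain")
        # The SID minus its last component (the RID) should be the domain SID.
        for field, tag in (("User SID", "user-sid"),
                           ("Primary Group SID", "group-sid")):
            sid = rec.get(field, "")
            if sid and sid.rsplit("-", 1)[0] != domain_sid:
                issues.append(tag)
        if issues:
            user = rec.get("Unix username", "?")
            findings.append({
                "user": user,
                "kind": "machine" if user.endswith("$") else "user",
                "domain": acct_domain,
                "issues": issues,
            })
    return findings


if __name__ == "__main__":
    for f in audit(parse_pdbedit(SAMPLE), "ISARLBERG", "OBELIX", DOMAIN_SID):
        print(f"{f['user']:8} {f['kind']:8} Domain={f['domain']:10} "
              f"{', '.join(f['issues'])}")
```

The record for karl shows the case the proposal warns about: the Domain field already reads ISARLBERG, but the User SID still carries the server's prefix.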
Re: [Samba] samba as a time server (newby question): time not updated
On 6/21/2006 4:41 AM, Thomas Heiligenmann wrote:

Ivan Teliatnikov wrote:

On Tue, 2006-06-20 at 08:21 -0500, Adam Williams wrote:

Sorry I haven't followed the thread, but if you use netlogon script, you can put in it

net time \\server /set /yes

I do use netlogon and the line is in the script. It starts working ONLY if the user who logs in has escalated (PowerUser or Admin) privileges on the machine, this is not possible because we use DOMAIN authentication. I still cannot understand why it does not work? Do I need to change permissions on each client to allow non-admin users to change time?

IIRC yes - you have to add 'SeSystemTimePrivilege' to the users. Under nt40 it's accessible under UserManager, there's also a command line tool named ntrights.exe, or you could try Samba's rpcclient...

Setting the system time is, by default, a right reserved to members of the local Administrators and Power Users groups on the local machine. (Note that Domain Admins is a member of the local Administrators group.) This can be changed in group policy under Windows 2000/XP. In the group policy editor, look under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. The policy name is Change the system time. This right can be assigned by domain group policy (though I'm not sure how to globally apply group policy in a Samba domain). It can also be assigned on Windows NT systems, but at the moment I can't recall how.

As far as the Windows Time service that is included with Windows 2000 and later goes, be aware that it synchronizes to an Internet-based time server only once a week. In a Windows 2000 (or later) domain, the Windows Time service synchronizes with the domain controller. For a discussion of the Windows Time service, please see this Microsoft link: http://technet2.microsoft.com/WindowsServer/en/Library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx (Note: this link discusses Windows Server 2003, but I believe it mostly applies to XP and 2000 systems as well.)

I have found that synchronizing once a week is sometimes not often enough -- a computer's clock can drift considerably in that time (I have seen anywhere from 1/2 sec per day to several seconds per day). For some applications, especially where the systems are in a regulated environment such as securities trading, this is far too much drift to be acceptable. A very useful utility I have found to improve this is Tom Horsley's NTPTime, which is an NTP client. You can download it here: http://home.att.net/~Tom.Horsley/ntptime.html

As others have suggested, on your Samba server, be sure to run an NTP server. Configuring it can be daunting, so don't give up too easily. Once configured, it will keep the clock on your Samba server very accurate. Then configure your workstations and other servers to synchronize against the Samba server (instead of an Internet server, to keep the load on those servers down).

-Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
RE: [Samba] Removing Samba+LDAP, replacing W2k3+AD
So my question is this: Can I bring up a Windows 2k3 machine as a member server in the Samba domain. Promote it to become an AD Domain Controller in mixed mode - retaining the domain SID, user and machine accounts and such so that I do not have to touch my workstations

Oh, that sounds like an exercise in banging your head against the wall. I have done similar migrations. You will want to use Microsoft's Active Directory Migration Tool. You'll also want to investigate the moveuser.exe utility available from Microsoft. Both can be downloaded from Microsoft.com. I've written extensively on the forums how to use these to go from Samba to ADS; search for it. Keywords to look for:

* Active Directory Migration Tool
* ADMT
* Jonathan Johnson (hey! That's me!)
* moveuser or moveuser.exe (may or may not be useful)

The big advantage of ADMT is that it will migrate user permissions and profiles such that the migration is relatively transparent to the users. Once you've found and read the documentation, feel free to drop me a line if you have any more questions. (If it's obvious to me that you didn't read the docs, I might not respond. :-)

-Jonathan Johnson
[EMAIL PROTECTED]
RE: [Samba] [PATCH] Pet peave then-than
It's spelled peeve, not peave. Sorry, couldn't resist. :-)

-Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wood
Sent: Monday, June 05, 2006 9:40 AM
To: samba@lists.samba.org
Subject: [Samba] [PATCH] Pet peave then-than
RE: [Samba] Integrating W2k3 Terminal Services w/Samba
I can't remember if I've done this or not, but here's how I would proceed:

1. Create a Samba domain group called Terminal Services Users
2. Assign users who need TS access to that group
3. Assign that group to the local Remote Desktop Users group on the terminal server

One gotcha is that Microsoft requires a SEPARATE Windows 2003 server to act as a license server to TS (it can be any Win 2003 server you have kicking around; the load is light). However, Active Directory is not required, neither are domain logons for that matter. TS works just fine with locally-defined users. We have a couple of installations where the license server is installed in a virtual machine on a Linux server to avoid purchasing extra hardware.

Another gotcha is in the licensing. The sales lackeys will attempt to sell you per-device (or maybe it's per-server) licensing, because that makes them and Microsoft richer. For greater flexibility, you might want to go to the per-user licensing model. The difference is that per-device will lock out a license for up to 6 months -- that license can only be used for a connection from the specific device that first gained the license (if the device does not connect for 6 months, then the license is released). In the per-user model, the licenses are transient and are per *connected* user; if you have 5 per-user licenses, then any 5 people can be connected simultaneously. Per-device licensing is beneficial when you have a large number of users connecting from a limited number of devices; per-user is beneficial when you have a limited number of people connecting from a large number of devices.

(In case you haven't got the hint, I'm telling you to specifically ASK for PER-USER licenses. I believe -- and I could be wrong -- that per-user can be converted to per-device, but not the other way around.)

-Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Collins, Kevin wrote:

I've got a Samba (3.0.14a) controlled domain that contains 1 Windows 2003 Server as a member server. I've been thinking about using Terminal Services from that machine to allow roaming users (ie, those outside of the office) to connect to our network and get work done.

My only concern at this point is how to deal with the lack of an Active Directory and still allow Terminal Services to function. I've done some searching and even ran across a post that said at least one person had it working. I'm not concerned about roaming profiles, I just want the connectivity.

No, I haven't tried to make any of this happen, I'm just asking if someone out there already has it working. And if so, how much of a headache it was to get working.

Thanks in advance.

--
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.
Please note my new email address: [EMAIL PROTECTED]
[Samba] Need Solaris 8 Version that Works with AccessCheck()
Posted on behalf--

Subject: Need Solaris 8 Version that Works with AccessCheck()
From: Gary Warren [EMAIL PROTECTED]
Date: Mon, 15 May 2006 14:30:21 -0500
To: samba@lists.samba.org

I am having a problem verifying permissions from a Windows machine using AccessCheck() through a Samba share with files residing on a Solaris 8 workstation. Is there a version of Samba that is known to work with AccessCheck() queries from Windows?

The version of Samba I have currently is 3.0.10. This is the latest version that I found from SUN freeware for Solaris 8. I would like to try the very latest version, 3.0.22, but it says it is for Solaris 9. Does the fact that it is for Solaris 9 mean that it will not work on Solaris 8? Is there a version of 3.0.22 anywhere for Solaris 8?

Thank you in advance for your help.

Gary Warren
Ternion Corporation
E-Mail: [EMAIL PROTECTED]
Re: [Samba] Roaming Profiles
On 5/25/2006 12:04 AM, Morné du Plessis wrote:

I am using Mandrake 9.2, Samba 2.4 version as a PDC. How do I enable the roaming profiles on the server via /etc/samba/smb.conf?

Please note that the Samba 2 series is considered obsolete and no longer supported. The documentation for Samba 3 should be roughly similar. Be aware that there are many pitfalls when using roaming profiles: workstations should be very similar if not identical in setup and software; Outlook Express kills roaming profiles; learn how to redirect certain paths to network drives so they don't need to be sync'd with roaming profiles; etc.

When you upgrade to Samba 3, you will find this documented in The Official Samba-3 HOWTO and Reference Guide, http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/

The section you will wish to read is Chapter 26 (Desktop Profile Management). http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html

Next time, PLEASE read the fine manual before posting a question with well-documented answers. We won't do your homework for you.

--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
(360) 270-9317 cell
Re: [Samba] I need your help about Microsoft pleaseeeee
On 5/16/2006 4:26 PM, William Tran wrote:

Dear Jim

Could you please help me out with a couple questions here ?

1. Which Administrative tool would you use to manage a user account in Active Directory ?
2. Define roaming profile and its advantages ?
3. With administrator rights , how can you access a user's hard drive from your workstation without the use of shared folders ?

Thanks a lot in advance. Best Regards, W Tran

Did you REALLY mean to post this in the Samba forum? If not, then I hope I've done you a favor by alerting you that your message did not reach the intended recipient.

This looks like you are asking us to do your homework for you. We won't. Do your own research, you might learn something useful.

You have made other errors in your post:

1. Your subject line does not describe the problem accurately (it indicates that YOU have the problem, not your Samba installation)
2. Your questions have nothing to do with Samba, per se. They can, I'm sure, be answered by properly formatted Web searches or by reading Microsoft Windows Administration texts.
3. Your message is poorly formatted. Judicious use of white space (hint: use a few carriage returns) is a good thing.

Best of luck to you on your exams.
Re: [Samba] poor performance - multiuser fileserver database (ms-access)
Sorry, I deleted a bunch of the original posts with a trigger happy delete finger, so I might've missed something in the discussion.

One thing that I've found affects the performance of Windows network browsing -- and it has nothing to do with Samba -- is stale connections to servers and shares that no longer exist. On the workstation, check out the following:

* Look in My Network Places and remove any shortcuts that point to servers/shares that no longer exist
* Delete any drive mappings to nonexistent shares
* Look in the registry at the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints. Under this key will be a bunch of keys; some of them will be named in the form of ##server#share. DELETE any of these so-named keys that refer to nonexistent shares/servers.

The problem is that certain products, including Microsoft Office, Excel, (and I guess) Access will, whenever you attempt to open a file, try to index all of these cached network locations, even if it's not the folder that it's ultimately trying to open up. When it runs across a cached location that no longer exists, it will hang while waiting for a response from the server. If the server no longer exists, you can end up waiting several seconds to several minutes until Explorer times out in its search for the server.

--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
(360) 270-9317 cell

On 5/10/2006 4:42 AM, daniel arjona wrote:

Samba: 3.014a-Debian
OS: Debian 3.1 Release 1 Sarge

[global]
workgroup = REVLON
netbios name = FILE_SRV
security = user
encrypt passwords = yes
passwd program = /usr/bin/passwd %u
unix password sync = yes
socket options = IPTOS_LOWDELAY TCP_NODELAY
hosts deny = ALL
hosts allow = 172.18.40. 127.0.0.1
debug level = 1
create mask = 0777
directory mask = 0775
read raw = no
write cache size = 262144
# new setups
oplocks = yes
veto oplock files = /*.mdb/*.MDB/
server string = Samba %v

[shares]
comment = Data
path = /home/shares
valid user = darjona pc01 pc02 pc03 pc04 pc05 pc06 pc07 pc08 pc09 pc10
writable = yes
printable = no
browseable = yes

Daniel Arjona
Net Admin
GENCO Distribution Systems
http://www.genco.com/
8740 Robert Fulton Dr
Columbia, MD 21046
Ph: 410-872-0875 X12
Fax: 410-872-0877
[EMAIL PROTECTED]

Jeremy Allison [EMAIL PROTECTED]
05/09/2006 02:43 PM
Please respond to Jeremy Allison
To: daniel arjona [EMAIL PROTECTED]
cc: samba@lists.samba.org
Subject: Re: [Samba] poor performance - multiuser fileserver database (ms-access)

On Tue, May 09, 2006 at 02:40:32PM -0400, daniel arjona wrote:

I have a file server running with Samba over Debian Sarge 3.1 R1. This File server store MDB and XLS files. Could anybody give me an optimal setup for my samba server (smb.conf). Actually, the performance is very poor.

What version of Samba is this ?

Jeremy.
Re: [Samba] Migration from NT4 to W2K3 AD
On 3/1/2006 7:09 AM, [EMAIL PROTECTED] wrote:

Are there any gotcha's. I am currently using winbindd and very successfully integrating my Samba boxes with the NT4 domain structure. The admin who is doing the migration (A corporate person not used to Linux at all) is already nervous about the migration since it involves Linux. Usernames are not supposed to change..but, the authentication domain is going to be a completely new one.

If the domain is going to be a completely new one, let's hope that your admin is using the Active Directory Migration Tool from Microsoft, as that will make his job a whole lot easier. If the ADMT is used, it has the ability to preserve SID history (an exercise for the reader to find out what that means) which is helpful in some circumstances. Also, the ADMT provides tools for migrating Windows workstations; those tools migrate ACLs on shares and the filesystem, user rights, and move the workstation to the new domain.

Now on to the Linux/Samba portion of things... There is an inherent issue in migrating to a new domain: SIDs. They WILL change. If you are using ACLs on your Linux filesystem, or if your Samba server caches user account information from the domain controller, you may run into issues there with the SID and with the user's logon domain being the old one. Nevertheless, you'll have to disjoin the old domain and rejoin the new one, updating your smb.conf, resolv.conf, hosts file, etc. to reflect the new environment.

I have performed NT4/PDC-Win2k3/ADS migrations before (using ADMT), and even Samba/PDC-Win2k3/ADS migrations using ADMT, but none of those environments have included Samba/member servers, so this is uncharted territory for me. It's probably something I need to learn about.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
[Samba] Any upcoming Samba classes?
Back in June of 2004, I attended a Samba workshop in Seattle, WA conducted by John H. Terpstra of the Samba team. This class covered installation of Samba and conversion from an NT4 to Samba domain. I thought the class was very informative and helpful in not just understanding Samba, but it increased my understanding of Windows Domain Control too.

I was wondering if there are any plans for future Samba workshops? Another member of our company would like to gain experience from experts like JHT, and I could certainly use a refresher course.

Thanks, JHT!

--Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
[EMAIL PROTECTED]
Re: [Samba] windows env variable for USERDOMAIN is wrong
You said...

Just a guess, but this might have been an issue because I created some users before I made Samba a PDC. (since I think this is why I had the name wrong, it's really my prob :)

Yup, I've run into a similar situation. The Samba server was running in workgroup mode (not domain controller) for quite some time before it was converted to a domain controller. After that change, when I'd log in with pre-DC accounts, the userdomain would be the name of the samba server, not the domain. To fix it, I converted the passdb backend from tdbsam to smbpasswd then back again.

--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
(360) 270-9317 cell

Greg Fischer wrote:

I am not logged in locally. I checked for that. I did, however, find a cure... since it's a new install with new user accts, I just deleted the samba account and recreated it. (not the unix acct)

smbpasswd -x username
smbpasswd -a username

The user then had the domain name set correctly for USERDOMAIN. And this didn't affect the XP profile. (since this fixed it, I have to assume this is a Samba prob)

Just a guess, but this might have been an issue because I created some users before I made Samba a PDC. (since I think this is why I had the name wrong, it's really my prob :)

Thanks for the help. Greg

On 12/18/05, Doug VanLeuven [EMAIL PROTECTED] wrote:

Greg Fischer wrote:

Hi all, I just setup my Samba PDC. Mostly everything works, but I am wondering why on some clients, they have the wrong USERDOMAIN environment variable. (when you run 'set' in win xp cmd) The domain name is MEIDLING, and the user and computer are joined ok. But in set, it shows USERDOMAIN as the Server name. Which is MAIN. How do I change that?

As far as I know, when the environment variable USERDOMAIN is set to the machine name, it means you have logged in locally to the machine instead of on the domain. Not a samba problem.

Regards, Doug

--
Greg Fischer
1st Byte Solutions
http://www.1stbyte.com
[Samba] Error in documentation: Samba 3 By Example: Chapter 5 - Making Users Happy in re: Outlook
Chapter 5 of Samba 3 By Example ( http://www.samba.org/samba/docs/man/Samba-Guide/happy.html ) states thusly:

-

Configuration of MS Outlook to Relocate PST File

Microsoft Outlook can store a Personal Storage file, generally known as a PST file. It is the nature of email storage that this file grows, at times quite rapidly. So that users' email is available to them at every workstation they may log onto, it is common practice in well-controlled sites to redirect the PST folder to the users' home directory. Follow these steps for each user who wishes to do this.

Note
It is presumed that Outlook Express has been configured for use.

Launch Outlook Express 6.
Click Tools-Options-Maintenance-Store Folder-Change.
Follow the on-screen prompts to relocate the PST file to the desired location.

-

First, it should be noted that the above documentation is confusing, as it first mentions Outlook then mentions Outlook Express. I recommend updating the documentation:

Configuration of MS Outlook to Relocate PST File

Microsoft Outlook can store a Personal Folders file, generally known as a PST file. It is the nature of email storage that this file grows, at times quite rapidly. So that users' email is available to them at every workstation they may log onto, it is common practice in well-controlled sites to redirect the PST folder to the users' home directory. Follow these steps for each user who wishes to do this.

To redirect the Outlook PST file in Outlook 2003 (older versions of Outlook are slightly different), follow these steps:

1. Close Outlook.
2. From the control panel, launch the Mail icon
3. Click Email Accounts
4. Make a note of the location of the PST file(s). From this location, move the files to the desired location.
5. Add a new data file, selecting the PST file in the desired location. Give this entry (not the filename) a different name such as Personal Folders - on server
6. Close the Data Files window and click Email Accounts.
7. Select View or Change existing email accounts then click Next
8. Change the Mail Delivery Location to the new data file.
9. Go back to the Data Files window and delete the old data file entry.

Note that you may have to remove and reinstall Outlook Address Book (Contacts) entries, otherwise the user may be unable to retrieve contacts when addressing a new email message.

NOTE: Outlook Express store files are quite different from Outlook store files. Outlook Express store files can not be redirected to network shares (the options panel won't allow it), but they can be moved to folders outside the user's profile, or excluded from synchronization with the roaming profile. While it is possible to redirect the data stores by editing the registry, experience has shown that data corruption and loss of messages will result. Like Outlook store files, Outlook Express store files can become quite large, and when used with roaming profiles can result in excruciatingly long login and logout times while the stores are synchronized. For this reason, it is recommended not to use Outlook Express in a roaming profiles environment.

To expand on the last note about Outlook Express -- using OE's tools (as described in the confusing documentation above) will allow you to change the location where the OE store files are kept. However, it will only permit you to change it to a local drive. This path is stored in the registry. I have attempted to change to a network path via the registry, which indeed does take, but I've run into problems. It seems that Outlook Express expects very fast response when reading these files. If there is any lag at all, such as you might find across a network, it assumes the files are unavailable and creates new, blank store files. Old messages are effectively lost, and cannot be retrieved without the use of third-party mailbox recovery tools. If you ask me, that's sloppy and irresponsible programming on Microsoft's part -- but then again, maybe it's intentional to force you to buy Outlook.

--
--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
(360) 270-9317 cell
Re: [Samba] HOW TO: Migrating users' locally-stored profiles from one domain or workgroup to a new domain
I read the fine manual (Samba HOWTO and Reference Guide, ch. 26) and discovered that there's a Windows Resource Kit (2000 and later) tool that does this: moveuser.exe

It's amazing what you learn when you stop and read the directions. ;-)

--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jonathan Johnson wrote:

Migrating Users Profiles When Changing Domain Affiliation: A Primer

snip
Re: [Samba] Re: Migrating W2K Workstation to Samba Domain
I'm sorry, I can't help you with the issue of forcing Samba to use local profiles. I should be able to help you, but at the moment I'm rusty on that and I have a headache. But what I CAN help you with, once you get over the issue of roaming vs. local profiles, is how to make sure the users get their old profiles.

In this example, let us consider the user account fred. The issue is that when you move the workstation to the new Samba domain, Windows will attempt to create a new profile for the user fred, because the user's SID will have changed (unless you have used 'net rpc vampire' to extract the SIDs from the AD domain). Windows doesn't know you by your name (fred), it knows you by your SID (big long ugly string of characters), just like the bank does. So fred logs in to the Samba domain, and all his settings, desktop, documents, etc. are GONE. What is the poor, embattled administrator to do? The answer lies in the registry, a few keys that associate a SID with a user profile directory.

Here's how to fix it.

After joining the workstation to the new domain, login as fred. A new profile folder will be created, something like \Documents and Settings\fred.newdomain (note that Fred's old profile was something like \Documents and Settings\fred). Hint: you can determine the profile folder by right-clicking the Start button and clicking Explore (not Explore All). Now log out.

Log in to the workstation with an account that has local administrative rights. It helps if this account also has domain admin rights, but it absolutely must have local admin rights.

Find Fred's original profile folder, and apply permissions to it such that the user fred in the new domain has full rights to it. (You should see existing permissions of OLDDOMAIN\fred has full rights. You need to add NEWDOMAIN\fred.) Make sure you apply these rights to all child objects. Do the same for any other folders on this workstation that fred might've been given specific rights to. (You can skip this step if the filesystem is FAT32.)

Now open the registry editor (regedt32 on Windows 2000 or earlier; regedit ONLY in XP.). Under the HKEY_USERS hive, load the hive \Documents and Settings\fred\ntuser.dat. Note that this is fred's original profile registry hive. Similarly to how you just assigned rights to the profile folder, assign the rights to fred's registry hive. AFTER ASSIGNING RIGHTS, YOU MUST UNLOAD THE HIVE OR RESTART THE WORKSTATION or else Fred won't be able to log on.

Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Under this key, you will see several keys named for the user SIDs for profiles on this machine. Locate the key corresponding to fred's SID in the NEW domain. Change the value for ProfileImagePath to reflect the path to fred's original profile. Close the registry editor.

Assign any other rights, such as local administrator, to fred's new domain account.

REBOOT THE WORKSTATION. Log in as fred, to the new domain. You should get fred's original desktop and have access to his documents.

WARNING: changes made in the registry editor are immediate. There is no undo. Use caution.

~Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
(360) 270-9317 cell

Michael Urban wrote:

My message dated: Mon, 12 Dec 2005 10:16:14 EST

I am replacing a W2K AD server with a Samba server. The server has a single W2K Workstation client, in a public area and used by a dozen or so different users. When I join the workstation to the Samba domain, it complains that it cannot load a roaming profile (in the W2K AD domain, it used local profiles), and it does not create a new local profile, instead using a temporary profile. Obviously a permission problem somewhere. What is the exact problem, and what is the solution?

I am still at sea on this. To clarify things a bit more, users of this workstation (under the W2K server) have local profiles, not floating profiles. I would like to let them continue to have local profiles, even if it proves impossible to let them use their old ones due to permission problems. However, even removing their directories from C:\Documents and Settings does not help - Windows does not create a new one for them (as all the documentation I have read led me to believe it would).o logon path= logon home= does not seem to affect this situation. It still seems to try to get a floating profile, fails, and then makes a local profile in TEMP. Hasn't anyone performed this sort of migration before? What other information can I provide (or try to glean from log files) to get this sorted out?
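A read-only check of the SID-to-profile mapping that the procedure above edits by hand, as an added PowerShell example that is not part of the original post. It assumes a Windows version with PowerShell 3.0 or later (newer than the Windows 2000/XP systems in the thread); the function names are hypothetical, and nothing is modified.

```powershell
# Added example (not from the original post): read-only audit of the
# ProfileList key that maps each user SID to a profile folder.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Translate a SID string to DOMAIN\user. Returns $null when the SID cannot be
# resolved, e.g. a SID issued by the old domain or a "<SID>.bak" key name.
function Resolve-SidToAccount {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $null
    }
}

# True when the folder ACL holds an explicit or inherited Allow/FullControl
# entry for this exact SID. Access granted only through a group
# (e.g. Administrators) is deliberately not counted.
function Test-SidFullControl {
    param([string]$Folder, [string]$Sid)
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules = (Get-Acl -LiteralPath $Folder).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $Sid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $full) -eq $full) {
            return $true
        }
    }
    return $false
}

# One row per user profile registered on this machine.
function Get-ProfileMapping {
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $sid = $_.PSChildName
        # Skip the built-in service profiles (S-1-5-18, S-1-5-19, S-1-5-20).
        if ($sid -notlike 'S-1-5-21-*') { return }

        # GetValue expands %SystemDrive% and similar variables in the path.
        $folder = $_.GetValue('ProfileImagePath')
        $exists = [bool]$folder -and
                  (Test-Path -LiteralPath $folder -PathType Container)

        [pscustomobject]@{
            Sid               = $sid
            Account           = Resolve-SidToAccount -Sid $sid
            ProfileImagePath  = $folder
            FolderExists      = $exists
            HiveExists        = $exists -and
                [System.IO.File]::Exists((Join-Path $folder 'NTUSER.DAT'))
            SidHasFullControl = $exists -and
                (Test-SidFullControl -Folder $folder -Sid $sid)
        }
    }
}

Get-ProfileMapping | Format-Table -AutoSize
```

Run it from an elevated session so every profile folder's ACL can be read. A row with an empty Account is a SID the machine can no longer resolve, and a row with SidHasFullControl set to False after the migration means the folder-permission step has not taken effect for that account.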
[Samba] HOW TO: Migrating users' locally-stored profiles from one domain or workgroup to a new domain
Migrating Users Profiles When Changing Domain Affiliation: A Primer

I. Introduction

NOTE: This applies to Windows NT-based systems with locally-stored user profiles. Windows 9x and Me do not manage user profiles in the same way.

Quite often we find the need to change a workstation's affiliation, either from a workgroup (that is, the workstation is not in a domain environment) to a domain, from one domain to another, or perhaps we need to remove a workstation from a domain and have it rely on local user authentication. The problem is that in any of these scenarios, established users find that they have lost access to their locally stored profiles; a new profile is created for them when they log in to the new domain. They need to re-establish the icons on their desktops, they need to re-establish rights on that computer, and they need to copy their personal files (i.e., My Documents) from the old profile to the new one. This is a recipe for a headache and ill feelings toward the network administrator.

The traditional solution has been to use roaming profiles, but this is not always convenient or practical, and sometimes something breaks and that tactic doesn't work. There is another method that I've developed which seems to work pretty well. It involves messing with permissions and the registry, so caveat administrator.

II. Active Directory Migration Tool: The Microsoft Way

Microsoft provides the Active Directory Migration Tool (ADMT) for migrating user accounts, groups, and machine accounts from one domain to another as an installable tool from the Windows Server 2003 CD. You can also download it from Microsoft; go to http://download.microsoft.com/ and search for ADMT. I have used it on several occasions for migrating accounts between Windows domains (NT to 2003, 2000 to 2003, and even Samba to 2003). I do not believe it would work for migrating from a Windows domain to a Samba domain, but I've never tried it. Perhaps some intrepid administrators would like to try it out with the early versions of Samba 4.

One of the significant advantages of using ADMT is that in addition to migrating user, group, and machine accounts, it will dispatch to each workstation during the computer migration phase an agent which translates user profiles. In my observations, ADMT performs the following tasks when migrating a machine account (assuming that user accounts have been first migrated with the preserve SID history option):

1. File system rights are translated. This especially applies to user profile folders.
2. File sharing rights are translated.
3. Registry hive rights are translated. This especially applies to individual NTUSER.DAT registry hives (the core of the user profile), so that the migrated user has full access to his or her original profile.
4. User rights and groups are translated. If a user was a member of the local administrators group, the user will remain so in the new domain.
5. User is mapped to profile.

For machines with numerous user profiles, or for a network with a large number of workstations, ADMT saves the administrator a lot of time, as these tasks are fully automated. Since we are using Samba, we can't use ADMT to translate user rights and migrate these items to the new domain. We must do this manually.

III. Manual Migration of Local User Profiles from Domain to Domain or from Workgroup to Domain

Before joining the workstation to the new domain, it is helpful to document the location of the profile folder of the user account we wish to migrate. This is easily done from a command shell by typing 'echo %userprofile%'. It is also helpful to note what local groups the user is a member of, such as administrators.

Once you have joined the workstation to the new domain, log in to the new domain as the user you wish to migrate. At this time, a new profile will be created. Make a note of this profile's folder location. The profile folder will be deleted in a later step, but by logging in this way we have created the registry entry that defines the user's profile in the new domain. Log out.

Now, log in to the workstation as a local administrator. It is helpful if the account also has domain admin privileges.

Assign rights to the user's old domain local profile folder: add the user's new domain account to filesystem security. Be sure to reset permissions on child objects so subfolders and contents will have the proper permissions. Similarly, assign rights to any shares on this workstation that have specific permissions applied.

Launch the registry editor. In Windows 2000 or NT, you must use regedt32, not regedit. In Windows XP, use regedit. Under HKEY_USERS, load the user's old domain profile registry hive. This will be the NTUSER.DAT file located in the profile folder you noted at the beginning of this exercise. Assign permissions to this newly loaded hive such that the user's new domain account has full access. Be sure to apply this to all child objects. You may be presented with an
Re: [Samba] Migration from Windows 2003 server to samba 3
To my knowledge, it's not possible to migrate the passwords from Windows to Samba, and vice-versa. This is because Windows and Linux both use one-way hashes to encrypt the password; there's no way to decrypt the password. Unfortunately, Windows and Linux use different algorithms to encrypt the password, so you can't just copy the encrypted password between systems, like you could if you were going Windows-to-Windows or Linux-to-Linux.

What I'd recommend is assigning the passwords on paper ahead of time, getting them out to people with appropriate instructions, and then requiring the password be changed at the first logon once you go live with it.

(Sample instructions: You have been assigned the temporary password of RgYx7e# -- you must use this temporary password on or after such-and-such date; after this date your old password WILL NOT WORK. When you log in with the temporary password on or after such-and-such date, you will be required to change it before you will gain access to your desktop. After you change the password you will use the new password you create from then on -- your old password and the temporary password will no longer work)

If I'm wrong, I hope I'll be corrected.

~Jonathan

M.R.Niranjan wrote:

Hi all

I have windows 2003 server with Active directory users , there are about 500 users. I have an Linux Server with Redhat Enterprise Linux Advanced server 3 With samba 3.0 installed in . I would like to migrate all active directory users to samba 3.0 making it a primary domain controller and shut down the Windows system. But I would like to know, how do I migrate users passwords from Active directory to samba 3.0. I would like to retain the same username and Passwords as in windows. So how do get the passwords from windows to samba 3.0

Regards
Niranjan
[Samba] Re: Please help me with migration to MS Windows 2003
Replying on list so others may help or benefit...

Arne,

It's been a while since I've done one of these migrations, but here's a couple of things to try:

- Make sure the clients' primary DNS server is an Active Directory Integrated DNS (in a single-DC environment, the DNS is usually the same machine as the W2K3 domain controller)
- In the clients' Advanced TCP/IP parameters, make sure that the DNS Suffix for this connection is BLANK
- From a workstation, make sure you can log into the SAMBA domain with the username Administrator, AND THAT you have administrative rights to all domain and local resources with that login.
- Turn on auditing in the destination domain. This can be done with the domain group policy editor.
- Read the Microsoft Knowledge Base Article 322970 -- http://support.microsoft.com/kb/322970 -- How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2

Hope this helps.

--Jon Johnson
[EMAIL PROTECTED]
www.sutinen.com

Arne Roolfs wrote:

Hello Jon,

you posted a description how to migrate from a Samba 3 domain to a MS Windows 2003 Server domain at the samba mailing list. I try to do, but when enabling SID migration I get an error:

Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. Ein angebenes Recht ist nicht vorhanden.

The last sentence says something like Access is Denied.. I use the account administrator which is mapped to the root-account at the Samba 3 domain. I also tried to use sidhist.vbs from the ClonePrincipal package and it also explains about the missing TcpipClientSupport. How can I solve this problem, what might be wrong?

Please help, thanks
Arne
Re: [Samba] Performance issues
I have seen performance issues where a Windows client (Explorer) takes a while to display a file listing on a remote computer, but then it accesses it just fine. Generally speaking, this is the opposite of what you describe, but it could be related.

In investigating this, the problem (not the symptom, the actual problem) turned out to be invalid shortcuts to network shares. These invalid shortcuts are left behind from when a server or share once existed on the network but has since been removed. When initially browsing the network, Windows attempts to access all the remote shares it knows about BEFORE displaying any listings, rather than accessing the remote share only if the user requests it. This seems to be especially problematic with Microsoft Word and Excel when opening documents.

There are several places to look for these stale or invalid shares:

1. My Network Places -- Open this up, and delete any shortcuts that point to remote servers or shares that no longer exist. It's actually safe to delete ALL of the network shortcuts (named like Someshare on someserver (servername)). Usually these are created automatically.
2. My Computer -- Disconnect (remove) any network drive mappings that point to nonexistent shares or servers.
3. Desktop -- same thing as My Network Places; remove any invalid shortcuts to network shares. I don't think that these cause a problem as described above, but it can't hurt to remove them.
4. Registry -- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints (MountPoints2 in XP or later) -- there may be subkeys in the form of ##server#share. Delete any keys that point to nonexistent servers or shares.

Lastly, if you are using Windows XP or later, disable Automatically search for network folders and printers. To do so, open My Computer, click Tools - Folder Options, View tab, and it's in there. When enabled, Windows will fill up your My Network Places with shortcuts to any network shares it finds, and will fill up your Printers folder with Auto printers.

Note that each of these things are on a PER PROFILE basis. You will need to check each Windows user login for these issues.

I can't guarantee that this will solve your problem, but since you mention that you've replaced a server, there's a good chance that there are some stale invalid shortcuts lying around. It could be that Windows periodically is going out there looking for these nonexistent shares, and in the process interrupts your connection. Hey, it's worth a shot.

--Jonathan Johnson

Ryan Wright wrote:

List,

I apologize for the newbie nature of this post; I am sure there is an easy answer somewhere, but I've tried all the search terms I can think up and can't find it.

I have some video archived on a White Box 4 machine. I watch it on a Windows XP box in the other room by mapping a drive to a Samba share. Seemingly at random, my video stream will halt due to an inability to receive data from the server. If I pause for a few seconds and resume, everything is usually fine. This generally happens only once or twice per hour, but it's annoying.

The video is not huge. We're talking ~350MB xvid files, 45 minutes each (compressed network TV shows). The Samba server used to be a Windows 2000 Server and the same video files worked perfectly from there. Network is gigabit on the server side, 100mbit on the client side - though even wireless should be able to stream these files. Virtually no traffic on the network (just my computers and they mostly sit idle unless I'm using them).

I saw this problem again last night when copying ~10GB worth of files from another XP box to the Samba share. The copy stopped a couple of times, telling me the network path no longer existed, but after clicking OK I could still browse the share just fine. It's like an intermittent, very temporary glitch.

Stats:
White Box Linux 4 (kernel 2.6.9-5)
Samba 3.0.10-1.4E

Relevant smb.conf:

[global]
workgroup = WRIGHT
netbios name = SATURN
server string = Saturn
security = domain
idmap uid = 15000-2
idmap gid = 15000-2
winbind use default domain = Yes
encrypt passwords = yes
password server = jupiter

jupiter is a Win2k server PDC.

Any advice would be greatly appreciated.

-Ryan
Re: [Samba] Migrating from samba to win 2k3 pdc
I've used Microsoft's Active Directory Migration Tool with reasonably good success to migrate user and machine accounts from Samba to ADS. ADMT is able to retrieve the passwords from a Windows NT domain, but to my knowledge, NOT from a Samba domain. ADMT is on your Windows 2K3 CD.

Some gotchas with regard to migration of workstations:

1) The local Administrator password on the workstations (and the Administrator password on the old domain) MUST be the same as the Administrator password on the new domain
2) Do not have users logged into the computer when migrating workstations
3) On the workstation, make sure there is no DNS Suffix specified
4) There is something else but I can't remember it off the top of my head.

Search the archives -- I've posted on this before.

--Jonathan Johnson

Ross McInnes wrote:

Yes I know it's a bad thing, but due to several issues I am moving from a samba pdc to a windows 2k3 pdc

But, I'm keeping samba as the file store, I've sorted it so that samba will talk to the w2k3 pdc and auth using winbindd etc that's nps.

But, I need to get the users and passwords off the linux/samba server and onto the w2k3 server... Any ideas? Password crackers/hax methods accepted! Either that or it's a reset over 2000 users passwords job (my poor fingers)

Many thanks
Ross
Re: [Samba] Samba - XP performance problem
I can't say that this will apply in your situation, but I've seen where having stale connections to non-existent servers can cause a performance issue when browsing. Here's a couple of things to try:

1) Remove any shortcuts to non-existent network locations -- this applies to broken mapped drives, shortcuts on the desktop and in My Documents, and shortcuts in My Network Places
2) Look in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (or ...\MountPoints) -- Under this key, there will be several subkeys. Some of these are in the form of ##Server##Share -- if there are any of these that refer to nonexistent servers or shares, remove them. DO NOT remove any of the other keys, else your system might not boot properly. This key seems to be the Windows version of the /etc/fstab file.

Nevertheless, I'm glad to see that you found something interesting. Hopefully, your research will help the developers solve some other nagging problems!

--Jonathan Johnson

David Beck wrote:

Hello There,

After having googled the whole internet for days I decided to go public with this issue. The result of my google queries so far is that there are plenty of others with the very same problem I have and no one posted a reasonable answer to this: Using Samba 3 with XP gets bad performance.

I tested this on Tru64 5.1b and FreeBSD 5.3 with the very same symptoms. The throughput bw XP and Samba goes up and down. It starts transferring with a reasonable speed and after having transferred around 16 megs it slows down. I tried many configuration options regarding locking, tcp settings, xmit size and every combination that could make any sense for me. Then I gave up with this configuration mess as I could lower the performance easily, but the performance jittering was the same.

Now a few notes before I continue: I tested the FreeBSD server on the loopback interface and the file write speed was around 43 Megs that is close to the disks maximum. I also tested the XP machine with a Windows server and the write performance was around 10 Megs on a 100Mbit link. In addition to that the FreeBSD machine is at my home and the Tru64 and the Windows server are where I work. I'm pretty sure that this is not a network issue.

After spending a lot of time with investigation I decided to go deeper in this issue. I installed ethereal to capture the traffic and compare the results bw XP-Windows and XP-Tru64. The test was to copy 50Meg file to both servers and capture the packets. To my surprise the conversation was quite different.

XP-Windows (excerpt):
- nt create and x
- trans2: query file info internal
- set file info
- tcp data stream...

XP-Samba (excerpt):
- nt create and x
- trans2: query file info internal
- (query file info + write and x request) many times, increasing offset, one byte length
- tcp data stream

In case of XP-Samba, the last two steps are repeated many times. Large part of the effective bandwidth is filled with query file info and 1 byte writes.

The packet data can be downloaded from these links:
http://dbeck.beckground.hu/download/xp-samba.bz2
http://dbeck.beckground.hu/download/xp-win.bz2

I also made a screenshot of a bandwidth monitor to show what I mean by performance jittering:
http://dbeck.beckground.hu/download/samba-performance-write.PNG
http://dbeck.beckground.hu/download/samba-performance-read.PNG

Please note that the original packet log for the 50 Meg file was very large, so I kept only the interesting parts.

Last, could anyone there, Samba and SMB wizards help me, how to solve this performance issue?

Thank you in advance,
David.
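The MountPoints registry check described in this reply and in the "Performance issues" reply above, as an added PowerShell example that is not part of either original post. It assumes PowerShell 3.0 or later and the MountPoints2 key named in the posts; the function names are hypothetical, and it only reports entries, leaving the decision to delete a key to the administrator.

```powershell
# Added example (not from the original posts): list the network entries under
# the current user's MountPoints2 key and flag those whose server or share
# no longer answers. Nothing is deleted.
$MountPointsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Turn a subkey name such as "##server#share" into a UNC path.
# Non-network subkeys (drive letters, volume GUIDs) return $null and are
# left alone, matching the warning in the post not to touch other keys.
function ConvertFrom-MountPointName {
    param([string]$Name)
    if (-not $Name.StartsWith('##')) { return $null }
    # Splitting on '#' and dropping empty pieces accepts both spellings that
    # appear in the posts: ##server#share and ##Server##Share.
    $parts = @($Name -split '#' | Where-Object { $_ })
    if ($parts.Count -lt 2) { return $null }
    [pscustomobject]@{
        Server = $parts[0]
        Unc    = '\\' + ($parts -join '\')
    }
}

# Name resolution first: an unresolvable server is the cheapest sign of a
# stale entry and avoids waiting on an SMB connection attempt.
function Test-ServerResolves {
    param([string]$Server)
    try {
        [void][System.Net.Dns]::GetHostAddresses($Server)
        $true
    } catch {
        $false
    }
}

function Get-StaleMountPoint {
    if (-not (Test-Path -Path $MountPointsKey)) { return }
    Get-ChildItem -Path $MountPointsKey | ForEach-Object {
        $entry = ConvertFrom-MountPointName -Name $_.PSChildName
        if (-not $entry) { return }

        $resolves = Test-ServerResolves -Server $entry.Server
        # Directory.Exists is also False when the share exists but the current
        # credentials cannot read it, so treat False as "check by hand".
        $reachable = $resolves -and [System.IO.Directory]::Exists($entry.Unc)

        [pscustomobject]@{
            RegistryKey    = $_.PSChildName
            UncPath        = $entry.Unc
            ServerResolves = $resolves
            ShareReachable = $reachable
        }
    } | Where-Object { -not $_.ShareReachable }
}

Get-StaleMountPoint | Format-Table -AutoSize
```

Because the key lives under HKCU, the script has to be run once in each user's logon session, which matches the per-profile note in the earlier reply.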
Re: [Samba] Slow browsing from Win2k and WinXP
See David Beck's post Samba - XP performance problem dated 8/8 and my reply dated 8/9.

--Jonathan Johnson

Chuck Theobald wrote:

Hi,

I have Samba 3.0.14a + OpenLDAP 2.2.24 installed on Solaris 8 as a PDC for serving files only (no profiles, no printing). Performance of network browsing is slow in Windows 2000 and XP, taking 10-15 seconds to open and display the contents of a folder. The same browsing activity from a Mac works fine with no unacceptable delays. I'm trying to sell Samba here, but these delays are not helping. Any suggestions on diagnosing this would be appreciated. smb.conf to follow.

Thanks,
Chuck

lauterbur{23}# bin/testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section [homes]
Processing section [netlogon]
Processing section [profiles]
Processing section [staff]
Processing section [public]
Processing section [office-admin]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
    workgroup = LCNI
    server string = Lauterbur Server
    passdb backend = ldapsam:ldap://lauterbur.uoregon.edu
    password level = 8
    username level = 8
    log level = 10 winbind:10
    log file = /export/samba/log/smblog.%m
    max log size = 500
    add user script = /usr/local/samba/sbin/smbldap-useradd -m %u
    delete user script = /usr/local/samba/sbin/smbldap-userdel %u
    add group script = /usr/local/samba/sbin/smbldap-groupadd -p %g
    delete group script = /usr/local/samba/sbin/smbldap-groupdel %g
    add user to group script = /usr/local/samba/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/local/samba/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/local/samba/sbin/smbldap-usermod -g %g %u
    add machine script = /usr/local/samba/sbin/smbldap-useradd -w -i %u
    logon path =
    logon drive = H:
    logon home =
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap admin dn = cn=smbadmin,ou=People,dc=lcni,dc=uoregon,dc=edu
    ldap delete dn = Yes
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap passwd sync = Yes
    ldap suffix = dc=lcni,dc=uoregon,dc=edu
    ldap ssl = start tls
    ldap user suffix = ou=People
    admin users = chuck
    create mask = 0660
    directory mask = 0770
    inherit acls = Yes

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[netlogon]
    comment = Domain Logon
    path = /usr/local/samba/lib/netlogon
    browseable = No

[profiles]
    comment = Roaming Profiles
    path = /usr/local/samba/lib/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No

[staff]
    comment = Lauterbur Staff Share
    path = /vxfsvol/staff
    read only = No

[public]
    comment = Lauterbur Public Share
    path = /vxfsvol/public
    read only = No

[office-admin]
    comment = Office Administrative Share
    path = /vxfsvol/home/staff/office-admin
    read only = No

lauterbur{24}#

Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
Re: [Samba] missing domain
Ryan Verner wrote:

On Thu, 2005-07-28 at 09:55 +1000, ashley maher wrote:

I have a samba 3 install with 14 new xp pro clients. 13 of these I was able to join to the domain without any problems. (ie create machine accounts) The 14th required a warranty repair and I went to put it onto the domain recently (several weeks intervening).

Tried removing the machine account from the Samba server, changing the XP client's computer name to something else, etc?

I had a similar problem yesterday with a Windows XP Pro x64 (64-bit, based on Server 2003 kernel, I think) system. It seemed to be looking for a listing of the domain controller in DNS (even though my Samba server is performing WINS and TCP/IP on the workstation specified the Samba server as a WINS server), for which bind on my Linux/Samba server does not have the Active-Directory style entries that would include DC entries.

So with only one half-tested example to go by, it seems that the latest incarnations of Windows ignore WINS and only care about AD-integrated DNS, at least when trying to join a domain. It's nice of Microsoft to go toward standards; unfortunately they also embrace, extend, extinguish. The further they go, the more DNS looks like WINS. (How do you create AD-style entries in bind? A Google search might be in order, I haven't looked.)

As it turns out, the plotter I needed to connect to didn't have 64-bit drivers, so I ended up blowing it away and reinstalling XP Pro SP2 (32-bit) on the box. Will connect it in tomorrow and see if it sees the domain. If it doesn't, I'm not too concerned, as we've been working as a workgroup instead of a domain; being a small shop with 5 PCs it's not a big deal.

--Jonathan Johnson
Re: [Samba] Remote shutdown+poweroff of W2K server
2000. More information on Resource Kits here: http://www.microsoft.com/windows/reskits/ --Jonathan Johnson Sutinen Consulting, Inc. www.sutinen.com
Re: [Samba] task scheduler in Samba ?
Gerald (Jerry) Carter wrote:

I looked into this some more. It works a little differently than I initially thought. The registry paths are used to detect the presence of the task scheduling agent on the remote host. The actual jobs are simply stored as files. In my mind this would fit pretty well as just a ~/cron directory for a given user. For example, if I run a job as jerry, then the job script would be stored in ~jerry/cron and a crontab entry would be made in /var/spool/cron/jerry. I'm still thinking this over. The other detail is to figure out the file format used to present the job properties dialog to Windows. This is probably already decoded somewhere (similar to *lnk files or something).

FYI/FWIW, on my Windows XP machine, the jobs in the local task scheduler are binary files located in the hidden folder %SYSTEMROOT%\Tasks\ with a filename extension of .job. This folder is one of those special folders that Windows Explorer displays differently. You can't copy files into or out of this folder using Explorer, nor can you view any files other than .job files. To copy into, out of, or list the contents of this folder, you're pretty much stuck with a command shell.

To display the properties of a scheduled task, the library mstask.dll is used. Some of the relevant registry keys (an incomplete list) used are:

HKEY_CLASSES_ROOT\.job
HKEY_CLASSES_ROOT\JobObject (Note, there are several other similarly named keys)
HKEY_CLASSES_ROOT\CLSID\{148BD520-A2AB-11CE-B11F-00AA00530503}
HKEY_CLASSES_ROOT\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}

Also, you may find the command line interface to the task scheduler, schtasks.exe, useful. Documentation can be found here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/schtasks.mspx

Hope this helps you the developers, Jerry. Maybe you already knew all this. :-)

--Jonathan Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
Re: [Samba] Painless migration from 2.2.x on old server to 3.0.x on newserver needed ASAP
John H Terpstra wrote:

On Tuesday 19 July 2005 13:50, Chris wrote:

The new question is ... how does one convert from smbpasswd to tdbsam?

In your smb.conf [global] set:

    passdb backend = tdbsam smbpasswd

Then execute:

    pdbedit -i smbpasswd -e tdbsam

Then edit smb.conf to:

    passdb backend = tdbsam

Then prove that it worked by executing:

    pdbedit -Lw

All accounts should be listed.

- John T.

I know this doesn't apply in Chris's case, since he's already set up with domain security (as a domain controller), but I just wanted to warn everyone reading this who might be contemplating an upgrade to make sure your server is in domain mode BEFORE migrating from smbpasswd to tdbsam. (I do not know the implications of migrating from server A in tdbsam to server B in tdbsam.) Otherwise, you might end up with some verrry strange browsing and authentication problems. I know I sure did. :-)

The problems are a product of the user logon domain being set to the server's NetBIOS name instead of the domain's NetBIOS name in tdbsam. Of course, that can be fixed by migrating from tdbsam to smbpasswd then back, following the above example. Many thanks to JHT for pointing this simple fix out to me.

--Jonathan Johnson
Sutinen Consulting, Inc.
Re: [Samba] domain .vs workgroup
A domain is really just a workgroup with additional security features. Samba makes no differentiation between workgroups and domains in terms of the name; the difference between a workgroup and a domain (and whether a Samba installation appears as a workstation, a member server, or a domain controller) is determined by the security settings. In any case, the workgroup parameter applies to BOTH workgroups and domains and is pretty much required.

Be aware that this is the NetBIOS name of the workgroup/domain, not the FQDN. For example, if you are joining a Windows 2003 domain with a NetBIOS (aka Pre-Windows 2000) domain of FLINTSTONE and an FQDN of flintstone.local, in your smb.conf you would put workgroup = FLINTSTONE. Case shouldn't matter, but I always use all caps, as that is the standard which Microsoft uses.

--Jonathan Johnson

Chris Aitken wrote:

Hello, For the workgroup name in smb.conf, we do not have workgroups, only a domain name. How do I handle this.?

Use it anyhow. We have a domain here (called SVS), but in the smb.conf:

Workgroup = SVS

HTH
Chris
[Samba] Re: Migrating domain from Samba 3 to Windows 2003 (here's how to do it)
Ben S. wrote:

Hi Jonathan,

I saw your post in the linux.samba newsgroups with the above topic heading. Looking through the posts I could not see any replies. We also have a customer with the exact same requirements, and I thought that I would quickly ping you to see if you had any luck with migration. Any experiences of suggestion are appreciated in advance,

Ben

Yes, I successfully migrated from Samba 3 to Windows 2003. I used the Active Directory Migration Tool from Microsoft; it's on the Windows Server 2003 CD (I don't remember exactly where, but look for ADMT). There are a few things that will make the ADMT fail, so be aware of them:

1) Set up a DNS server that's authoritative for your new 2003 domain (this will typically be in the first domain controller, but doesn't have to be). Then in your servers' and workstations' TCP/IP configuration, add it as the first DNS server. Also, make sure that DNS suffix for this connection is blank. This setting is in the advanced TCP/IP properties DNS tab; in 98, in the DNS tab, leave the domain blank. If it's not blank, things will fail.

2) Migrate user accounts before migrating machine accounts. You will be able to preserve SID history, so that users will have the same rights as before. Migrating from Samba to 2003, you won't be able to migrate passwords as you would if you were running an NT domain to begin with.

3) The domain administrator passwords of the old and new domain, and the local administrator passwords of the workstations MUST be the same. This is not required for user migration, but machine account migration will fail if they are not.

4) Disable any firewalls (inc. the Windows firewall) on any workstations that will be migrated.

5) ADMT supports test modes. Always test before running, and resolve any issues before proceeding! Note that a test will ALWAYS fail, because it can't actually migrate the accounts yet. You'll have to look for other errors besides these.

6) When migrating machine accounts, file security can be updated on the migrated workstations to match the new domain IF you chose to preserve SID history. This means your user profiles will also be migrated. If you manually create user accounts without migration, SID history will not be preserved and file security won't be migrated; you'll have to manually do it at the workstation after the migration.

Here's a link to a post I made on the subject: http://lists.samba.org/archive/samba/2005-April/103743.html

Good luck. It won't be painless, but in general, the process went smoother than I had hoped for. The first time I did it was actually a Windows NT4 to Windows 2003 domain migration, and including troubleshooting (learning the above) took about four hours for 13 workstations and one domain controller. Knowing the above, it probably would have taken only two hours. Later on, I successfully migrated a domain from Samba 3 to Windows 2003. The ADMT also seems to work for migrating to/from Small Business Server domains, which do not support trusts.

--
--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] pdbedit and profiles
I had the same issue. To resolve, I had to convert from smbpasswd to tdbsam for my passdb backend (wasn't running LDAP). This is because smbpasswd does NOT support the extended parameters you see in pdbedit. Then I was able to change the parameters. tdbsam is a better passdb backend than smbpasswd (more configurable), it just won't let you use a text editor on the file. ;-)

From a post by John Terpstra ( http://lists.samba.org/archive/samba/2003-October/075558.html ):

If you have your accounts in smbpasswd and you want to migrate them to tdbsam:

In smb.conf:
    passdb backend = smbpasswd, tdbsam
Execute:
    pdbedit -i smbpasswd -e tdbsam

And so on. After migration you can delete the backend that you no longer need to use from the passdb backend parameter line.

--Jonathan Johnson

Dominic Iadicicco wrote:

For a test I tried to do this:

    pdbedit -u ya-1 -p=cybserver\\netlogon

It spewed out this:

    Unix username:ya-1
    NT username:
    Account Flags:[U ]
    User SID: S-1-5-21-4008386108-3466510086-266964780-2002
    Primary Group SID:S-1-5-21-4008386108-3466510086-266964780-2003
    Full Name:
    Home Directory:
    HomeDir Drive:
    Logon Script: logon.bat
    Profile Path: \\cybserver\profile\ya-1
    Domain: CYBRARYN
    Account desc:
    Workstations:
    Munged dial:
    Logon time: 0
    Logoff time: Mon, 18 Jan 2038 22:14:07 GMT
    Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT
    Password last set:Sat, 04 Jun 2005 11:29:34 GMT
    Password can change: Sat, 04 Jun 2005 11:29:34 GMT
    Password must change: Mon, 18 Jan 2038 22:14:07 GMT
    Last bad password : 0
    Bad password count : 0
    Logon hours : FF

As you can see the profile path is not correct, and I checked that the ya-1 user was a valid smb user. I can log on to the domain with them and write to shares and use different domain resources. And as far as why it does show the NT username I don't know.

On 6/14/05, Collen [EMAIL PROTECTED] wrote:

What error do you get returned ?? (if none, boost your debug level in the conf) can samba read/write to the passwd backend? what does not work ? (coz here it does work).. Greets. Collen

Dominic Iadicicco wrote:

I am using the standard smbpasswd, I think that's a backend.

On 6/13/05, Tom Skeren [EMAIL PROTECTED] wrote:

Dominic Iadicicco wrote:

That did not work.

What passdb are you using? LDAP TDB?

On 6/13/05, Collen [EMAIL PROTECTED] wrote:

    pdbedit -u username -p=server\\path

Collen.

Dominic Iadicicco wrote:

Hello all, Could someone give me the command line to edit the profile path of a user? I have tried this with no results.

    pdbedit -u someuser -p server\\path

There has to be better documentation.

--
--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
(360) 270-9317 cell
Re: [Samba] Minimal Samba
From: John H Terpstra [EMAIL PROTECTED]

    [global]
    workgroup='your-workgroup'
    [homes]

If your workgroup=WORKGROUP (the windows default) that line can be omitted, but you need at least one parameter in the [global] stanza. For the rest, please refer to chapter 1 of the book Samba-3 by Example, 2nd Edition downloadable from http://www.samba.org/samba/docs/Samba-Guide.pdf Chapter 1 provides 3 simple network configurations that work. The above configuration is not very useful, but it answers your question precisely.

FWIW, the default workgroup name of later versions of Windows XP Home is MSHOME; not sure what it is for XP Pro or Server 2003. workgroup=WORKGROUP was the default back in the Win9x and NT days. The moral of the story is double-check this on all your machines, because you never know when some brain-dead sysadmin (such as People Like Me(tm)) has changed it then forgotten that it was changed, or assumed it was changed when it wasn't.

--
--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
(360) 270-9317 cell
RE: [Samba] Adding a Windows Server down the road
One more thing I forgot to mention when using ADMT: it helps if your client workstations' DNS server is set to be the one that's authoritative for the new domain. Things might work OK thru WINS/NetBIOS name resolution, but I've had to do the DNS thing, too.

--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

On Tue, 19 Apr 2005, Andrew Debnar wrote:

John, Thanks I also tested and this worked great. Now I get to do Linux. Thanks, Andrew

-Original Message-
From: Jonathan Johnson [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 14, 2005 3:19 AM
To: [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: Re: [Samba] Adding a Windows Server down the road

John H Terpstra wrote:

On Wednesday 13 April 2005 11:46, Josh Kelley wrote:

Andrew Bartlett wrote:

What's wrong with running the windows server as a domain member. There is no way to import users (well, their passwords are the tricky part) from Samba into AD that I know of.

Microsoft provides the Active Directory Migration Tool (ADMT). As one of its features, it's supposed to let you import users from a NT 4 domain. Since a Samba server runs an NT 4 domain, any chance that ADMT would work? I'm guessing no, for the same reason that a Samba PDC can't take an NT 4 BDC, but I thought that I'd mention it as a possibility and see if anyone knew if it would work.

Why don't you do a test installation of ADS and try it. Please let me know what happens. I'd appreciate your help in documenting this process to spare others from having to ask. - John T.

Been there, done that, and can say YES, it works. I had to do this when a customer wanted to move to Exchange (don't ask me WHY! :-) ) and thus required migration to a Windows 2003 Active Directory domain.

There are a few gotchas to be aware of:

1. Administrator password must be THE SAME on the Samba server, the 2003 ADS, and the local Administrator account on the workstations. This is not documented. (Perhaps this goes without saying, but there needs to be an account called Administrator in your Samba domain, with full administrative (root) rights to that domain.)

2. In the Advanced/DNS section of the TCP/IP settings on your Windows workstations, make sure DNS suffix for this connection field is blank. This is not documented.

3. Because you are migrating from Samba, user passwords cannot be migrated. You'll have to reset everyone's passwords. (If you were migrating from NT4 to ADS, you could migrate passwords as well.)

4. I don't know how well this works with roaming profiles; I've only used this with local profiles.

5. Disable the Windows Firewall on all workstations. Otherwise, workstations won't be migrated to the new domain. This is not documented.

6. When migrating machines, always test first (using ADMT's test mode) and satisfy all errors before committing the migration. Note that the test will always fail, because the machine will not have been actually migrated. You'll need to interpret the errors to know whether the failure was due to a problem, or simply due to the fact that it was just a test.

There are some significant benefits of using the ADMT, besides just migrating user accounts.

1. You can also migrate workstations remotely. You can specify that SIDs be simply added instead of replaced, giving you the option of joining a workstation back to the old domain if something goes awry. The workstations will be joined to the new domain.

2. Not only are user accounts migrated from the old domain to the new domain, but ACLs on the workstations are migrated as well. Like SIDs, ACLs can be added instead of replaced.

3. Locally stored user profiles on workstations are migrated as well, presenting almost no disruption to the user. Saved passwords will be lost, just as when you administratively reset the password in Windows ADS.

4. The ADMT lets you test all operations before actually performing the migration. You can migrate accounts and workstations individually or in batches. User accounts can be safely migrated all at once (since no changes are made on the original domain); I recommend migrating only one or two workstations as a test before committing them all.

I'm fairly impressed with the Active Directory Migration Tool. It sure made my job easier, both times I used it (once migrating from NT4 to ADS 2003; second time from Samba 3 to ADS 2003). The three gotchas that I labeled not documented are things that tripped me up, but (thankfully) I was able to resolve. ADMT can be found on the Windows 2003 CD.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] creating user problems under samba 3
John H Terpstra wrote:

On Friday 15 April 2005 13:15, Victor Medina wrote:

Hi all!! I am using Samba 3 (3.0.4) and SuSE SLES 9. I am having troubles trying to create new users and machines accounts on the newly created domain. Could somebody answer me why I am receiving these error messages?

Also, have you followed the Samba documentation? The best document for comparing your configuration with the official recommendations is the book Samba-3 by Example available from Amazon.Com or by downloading from: http://www.samba.org/samba/docs/Samba-Guide.pdf This book is currently being updated. All my test work is done with SLES 9.

    linuxserv:~ # smbpasswd -m -a testmachine
    Failed to initialise SAM_ACCOUNT for user testmachine$.
    Failed to modify password entry for user testmachine$
    linuxserv:~ # smbpasswd -a testmachine
    New SMB password:
    Retype new SMB password:
    tdb_update_sam: Failing to store a SAM_ACCOUNT for [testmachine] without a primary group RID
    Failed to add entry for user testmachine.
    Failed to modify password entry for user testmachine

You might need to do:

    linuxserv:~ # useradd -M testmachine$

to create the machine account in the Unix password database (usu. /etc/passwd) before attempting to add it to the Samba password database. Note that the -M option prevents the creation of a home directory and other default files, and the $ is required for machine accounts. Note also when adding machine accounts to Samba, the $ is automatically appended so you should NOT include it.

Likewise for users, you may need to do:

    linuxserv:~ # useradd someuser

Now that being said, it's also possible to use LDAP for all of your authentication, which would eliminate the need for adding machine and user accounts to the Unix password database. Heck, it would eliminate the need FOR a unix password database. Don't ask me how (as I've never done it), but a fellow by the name of John H. Terpstra has written an excellent book on the subject, see above. ;-)

~Jonathan Johnson
[EMAIL PROTECTED]
Re: [Samba] Joining a domain controller with a conflict name
Tom Skeren wrote:

Andrew Bartlett wrote:

On Wed, 2005-04-13 at 16:41 -0700, Ephi Dror wrote:

Did you mean that Yes, there is a way to prevent joining a domain with using another server name or did you mean Yes that IT must make sure the name is unique and no computer with this name is already part of this domain when joining a domain.

This is the sole responsibility of the IT department. Like Windows, Samba will use the name it is given. It is not possible to reliably determine the difference between a machine that is rejoining the domain (say after catastrophic hardware failure, or simply a failure in the trust account) and a duplicate machine, elsewhere in the domain.

True. However, if a machine named say SA1 is up and connected, and another SA1 shows up, a network error should occur. Especially if a WINS server is up.

Again, this is the responsibility of the network administrator. That's why a password is required to join a domain, so those who don't know the password (read: your users) can't mess up your network. As an administrator, it's your responsibility to make sure that a network name conflict does not occur, by knowing if there's a machine with THAT NAME on the network already.

In a purely Windows world, a naming conflict will be detected on the network as soon as the second machine boots up. You'll get a message on screen to the effect of another computer with this name exists on the network. Since Samba works a little differently, you won't see a message like this unless you look in the logs (and your logging is set to an appropriate level).

This brings to mind two ideas for improving Samba:

- As part of its startup routine, Samba should check to see if there are any naming conflicts and refuse to start if there are (returning an error to the console so you know WHY it's not starting). Of course, if the other machine with that name is presently not on the network, no error would occur. An option could be added to allow operation where naming conflicts could occur, though the use of this option would be discouraged.

- As part of the 'net join' routine, Samba should check to see if the domain controller already has an account by that computer name, and if so, present a warning and a prompt to continue. ('A computer account with the name SAMBA already exists in the domain ABMAS. Replace account? (y/n) [n]') This would give Samba (even more) functionality that Windows doesn't do, and the administrator a sanity check before screwing something up. The default behaviour (if the admin just hits enter) should be to either re-ask the question, or assume no and not replace the account. If the answer is no then an error stating failure to join the domain should appear.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Re: Problems with Excel MS Word files (EVEN - still ANY ideas?)
Jeremy Allison wrote:

On Tue, Apr 12, 2005 at 11:58:40AM -0400, Nathan Vidican wrote:

Since applying the two patches you emailed me (one for cpu load, one for MS Excel issues): All is working fine now except MS Word; don't know if it's entirely related or a separate issue altogether, but figured I'd post the details and see if you can think of anything; here's the behavior: Word (apparently) creates a ~384somerandomnamefile.tmp when a user saves, the actual file they opened goes to 0 bytes, their smbd process goes to 100% CPU load, MS Word locks up. We forcefully kill their smbd process, rename the ~whatever.tmp file to their original whatever.doc file, restart their PC (else word acts up stupid), and we're good to go... Until the next time it happens. Apparently random files, and varying users/network segments as before. Excel, powerpoint, etc not locking up nor causing similar issues at all anymore - just MS Word. I think it might have something to do with the autosave feature, or some sort of option in word making it create/deal with the tmp files but I really don't understand or know the behavior well enough to fix it entirely on my own. Help?

Can you get me a debug level 10 log on this ? I'm currently working on ACL behaviour with MS-Office. Jeremy.

You might want to take a look at these two Microsoft Knowledge Base articles:

Long delay in the display of file names from the Open dialog box in Office XP
http://support.microsoft.com/kb/818792

The File Open dialog box does not automatically select the first available document in an Office 2003 program
http://support.microsoft.com/kb/832889

I don't know exactly what your problem is, but the above articles may keep you from chasing the wrong horse. :-)

~Jonathan Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
Re: [Samba] Adding a Windows Server down the road
John H Terpstra wrote:

On Wednesday 13 April 2005 11:46, Josh Kelley wrote:

Andrew Bartlett wrote:

What's wrong with running the windows server as a domain member. There is no way to import users (well, their passwords are the tricky part) from Samba into AD that I know of.

Microsoft provides the Active Directory Migration Tool (ADMT). As one of its features, it's supposed to let you import users from a NT 4 domain. Since a Samba server runs an NT 4 domain, any chance that ADMT would work? I'm guessing no, for the same reason that a Samba PDC can't take an NT 4 BDC, but I thought that I'd mention it as a possibility and see if anyone knew if it would work.

Why don't you do a test installation of ADS and try it. Please let me know what happens. I'd appreciate your help in documenting this process to spare others from having to ask. - John T.

Been there, done that, and can say YES, it works. I had to do this when a customer wanted to move to Exchange (don't ask me WHY! :-) ) and thus required migration to a Windows 2003 Active Directory domain.

There are a few gotchas to be aware of:

1. Administrator password must be THE SAME on the Samba server, the 2003 ADS, and the local Administrator account on the workstations. This is not documented. (Perhaps this goes without saying, but there needs to be an account called Administrator in your Samba domain, with full administrative (root) rights to that domain.)

2. In the Advanced/DNS section of the TCP/IP settings on your Windows workstations, make sure DNS suffix for this connection field is blank. This is not documented.

3. Because you are migrating from Samba, user passwords cannot be migrated. You'll have to reset everyone's passwords. (If you were migrating from NT4 to ADS, you could migrate passwords as well.)

4. I don't know how well this works with roaming profiles; I've only used this with local profiles.

5. Disable the Windows Firewall on all workstations. Otherwise, workstations won't be migrated to the new domain. This is not documented.

6. When migrating machines, always test first (using ADMT's test mode) and satisfy all errors before committing the migration. Note that the test will always fail, because the machine will not have been actually migrated. You'll need to interpret the errors to know whether the failure was due to a problem, or simply due to the fact that it was just a test.

There are some significant benefits of using the ADMT, besides just migrating user accounts.

1. You can also migrate workstations remotely. You can specify that SIDs be simply added instead of replaced, giving you the option of joining a workstation back to the old domain if something goes awry. The workstations will be joined to the new domain.

2. Not only are user accounts migrated from the old domain to the new domain, but ACLs on the workstations are migrated as well. Like SIDs, ACLs can be added instead of replaced.

3. Locally stored user profiles on workstations are migrated as well, presenting almost no disruption to the user. Saved passwords will be lost, just as when you administratively reset the password in Windows ADS.

4. The ADMT lets you test all operations before actually performing the migration. You can migrate accounts and workstations individually or in batches. User accounts can be safely migrated all at once (since no changes are made on the original domain); I recommend migrating only one or two workstations as a test before committing them all.

I'm fairly impressed with the Active Directory Migration Tool. It sure made my job easier, both times I used it (once migrating from NT4 to ADS 2003; second time from Samba 3 to ADS 2003). The three gotchas that I labeled not documented are things that tripped me up, but (thankfully) I was able to resolve. ADMT can be found on the Windows 2003 CD.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Joining a domain controller with a conflict name
Tom Skeren wrote:

Jonathan Johnson wrote:

Again, this is the responsibility of the network administrator. That's why a password is required to join a domain, so those who don't know the password (read: your users) can't mess up your network. As an administrator, it's your responsibility to make sure that a network name conflict does not occur, by knowing if there's a machine with THAT NAME on the network already.

Yes, that's all fine and good, except when the boss allows some visiting dignitary to plug his laptop into the ethernet port in the conference room, etc.

Ah, office politics. So this means, to avoid offending the visiting dignitary, we cannot ask him to rename his machine, but rather we must rename our domain controller? :-) I suppose for this reason, it's good to have public access ports and wireless access points on a firewalled subnet.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Re: PDC Shows up as a domain - Resolved
I'm guessing this happened: You are using passdb backend = tdbsam. You converted from one security mode (standalone) to another (domain controller) AFTER creating those users. The users that were created before the Samba server was configured as a domain controller exhibited the problem, and the ones created after did not. When you'd log in as a pre-domain-configuration user, you'd see the PDC listed as an empty domain in My Network Places. In addition, you probably had some strange authentication errors.

Had you done a 'pdbedit -L -v' you would have seen that some users' logon domain was the PDC; others had the domain SOC listed. You might have noticed that the ones listing the PDC were pre-domain users, the ones listing SOC were created post-domain configuration.

You see, this bit me once. :-) I eventually figured out what happened, but didn't know an easy way to fix it, so ended up recreating the users (and also restoring their SIDs, because I didn't want to screw up their local profiles -- wasn't using roaming profiles). Shortly thereafter, I took a course from the venerable John H. Terpstra, who pointed out that I could have simply converted my passdb temporarily from tdbsam to smbpasswd and back again, and this would have fixed it all very quickly while maintaining the SIDs. Of course, had I any policy settings in place, these would have needed to be recreated, but that would be easier than recreating SIDs.

I'm happy that you were able to fix it, yet thought you (and the rest of the Samba community) might like to hear of my experience and understanding of the problem so that it can be avoided in the future.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Charles McLaughlin wrote:

I noticed that this didn't affect all users, so I deleted the users and added them again using smbpasswd and that fixed this problem. Charles

Charles McLaughlin wrote:

Hello, My Samba server acting as a PDC shows up as an empty domain on my Windows clients under My Network Places. My PDC is called PDC and my domain is called SOC. I see PDC and SOC in My Network Places. Another strange problem is when I use the Windows Server Manager tool from servtools.exe, it says Cannot find the Primary DC for PDC. Why is it looking for the PDC and not the Domain? My settings are below in case that helps. Thanks, Charles

---
# Global parameters
[global]
    workgroup = SOC
    passdb backend = tdbsam
    passwd chat = *New*Password* %n\n*Re-enter*new*password* %n\n *Password*changed*
    username map = /etc/samba/smbusers
    log level = 2
    log file = /var/log/samba/%m
    max log size = 50
    name resolve order = wins bcast hosts
    time server = Yes
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
    logon path =
    logon home =
    domain logons = Yes
    preferred master = Yes
    wins support = Yes

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes
    locking = No

[profiles]
    comment = Profile Share
    path = /home/samba/profiles
    read only = No
    profile acls = Yes
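An added example, not part of the original posts and not Samba project code: a shell/awk audit of 'pdbedit -L -v' output that lists accounts whose Domain field differs from the domain name (the symptom described in the reply above) and checks whether a machine trust account already exists before a join (the sanity check suggested in the earlier "Joining a domain controller with a conflict name" message). The sample listing, the accounts alice, bob and ws01$, and the function names are constructed for illustration; the field labels and the SOC/PDC names follow the pdbedit output and settings quoted on this page.

```shell
#!/bin/sh
# Added example: audit `pdbedit -L -v` output on a Samba PDC.
# On a real server (as root):  pdbedit -L -v | domain_mismatches SOC

# Constructed sample listing. alice was created before the server became
# a domain controller, so her Domain field holds the server name (PDC).
sample_pdbedit() {
    cat <<'EOF'
---------------
Unix username:        alice
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3000
Domain:               PDC
Profile Path:         \\pdc\profiles\alice
---------------
Unix username:        bob
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3002
Domain:               SOC
Profile Path:         \\pdc\profiles\bob
---------------
Unix username:        ws01$
Account Flags:        [W          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-3004
Domain:               SOC
EOF
}

# pdb_records: read `pdbedit -L -v` text on stdin and print one
# tab-separated line per account: username, account flags, domain.
# A new record starts at a dashed separator or at "Unix username".
pdb_records() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        function emit() {
            if (user != "") printf "%s\t%s\t%s\n", user, flags, domain
            user = ""; flags = ""; domain = ""
        }
        /^-+[ \t\r]*$/ { emit(); next }
        {
            i = index($0, ":")          # split on the first colon only
            if (i == 0) next
            key = trim(substr($0, 1, i - 1))
            val = trim(substr($0, i + 1))
            if (key == "Unix username") { emit(); user = val }
            else if (key == "Account Flags") flags = val
            else if (key == "Domain") domain = val
        }
        END { emit() }
    '
}

# domain_mismatches DOMAIN: print "user<TAB>domain" for every account
# whose Domain field is not DOMAIN (compared case-insensitively).
domain_mismatches() {
    pdb_records | awk -F '\t' -v want="$1" '
        toupper($3) != toupper(want) { printf "%s\t%s\n", $1, $3 }
    '
}

# machine_account_exists NAME: succeed if a workstation trust account
# (flag W, Unix username NAME$) is already present in the listing.
machine_account_exists() {
    pdb_records | awk -F '\t' -v name="$1" '
        toupper($1) == (toupper(name) "$") && $2 ~ /W/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Demo on the constructed sample.
sample_pdbedit | domain_mismatches SOC
if sample_pdbedit | machine_account_exists ws01; then
    echo "a machine account for WS01 already exists; check before joining"
fi
```
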
Re: [Samba] PDC: Logging out from Windows XP SP2 takes a long time
If your users are using Outlook Express or Outlook, it might be trying to synchronize the associated files. If your users are wont to store large quantities of email, these files can be rather huge. As the files change every time you open OE or Outlook, they must then be synchronized. I have seen OE Inbox files grow to several hundred megabytes, as well as the Outlook PST file.

Note that the Outlook PST file can be stored on a network share, eliminating the need to synchronize it. However, Outlook Express files MUST be on a local drive. (I have tried moving them to a network share and ended up losing data. It's like Microsoft has written a routine to guarantee that it won't work.) You must either prevent the OE identity from being synchronized, or move the directory to a folder on the local machine which is not synchronized. For this reason, Outlook Express is NOT RECOMMENDED in a roaming profiles environment, as the OE identity cannot be on a network share and synchronizing the files is an exercise in masochism.

For your information:

* OE identities are usually found in [%USERPROFILE%\Local Settings\Application Data\Identities\{IDENTITY}\Microsoft\Outlook Express\*.dbx]
* Registry entry for OE store location: REG_EXPAND_SZ, [HKCU\Identities\{IDENTITY}\Software\Microsoft\Outlook Express\5.0\Store Root]
* Outlook PST files are usually found in [%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook\*.pst]
* You may also want to consider the Windows Address Book, which is a .WAB file. The registry entry that describes the path to the WAB file is REG_SZ, [HKCU\Software\Microsoft\WAB\WAB4\Wab File Name\(Default)]

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Dag Sverre Seljebotn wrote:

I have samba set up as primary domain controller, and have problems with my Windows XP SP2 machines. Logging in is quick, but most of the time (nine out of ten times) the logout process takes a long time - I do end up rebooting, but once I let it stay and it took a whole hour before it was logged out. It seems to act the same way for all users.

Possible sources already eliminated:

- I have disabled the synchronization of My Documents (which was also taking a long time), and have instead configured My Documents to sit on a mounted SMB homes share. Though the problems were present before this change as well (ie it was not the synchronization that was taking the time, if Windows' messages are correct).
- The profile share is not the same as the homes share (because the documentation stated that that would create problems).

Anyone? I'm running Samba 3.0.10-Debian.

// Dag Sverre Seljebotn
Re: [Samba] Browsing Problems
You might also try:

    [global]
    os level = 65

This seems to ensure that the Samba box will win browser elections. Be sure to read the man page (help button in SWAT, if you're so inclined).

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Andrea Venturoli wrote:

micheletto wrote:

have you tried to say no in domain master?

No, I didn't. In fact I'd like it to be a domain master. I only think it has memorized about this 192.168.100.5 somewhere and I need to force samba to forget about it.

bye

Thanks av.
[Samba] POSSIBLE RESOLUTION: Extremely slow during browsing some directories (MS KB Articles)
A colleague ran across this Microsoft (lack of) Knowledge Base article:

Long delay in the display of file names from the Open dialog box in Office XP
http://support.microsoft.com/kb/818792

which lists a hotfix available from Microsoft. Also, on some Microsoft discussion lists, there's been some experience that the presence of an invalid/disconnected mapped drive can impact the issue, or the presence of a large number of files/folders in the folder being browsed.

In addition, there's another article:

The File Open dialog box does not automatically select the first available document in an Office 2003 program
http://support.microsoft.com/kb/832889

which contains this tidbit of wisdom (and references article 818792):

If the AutoSelect feature is enabled in the *Open* dialog box, and you view a folder on a network share that contains many files and folders, you may experience a delay of two to five minutes before the *Open* dialog box is populated and the first available Office 2003 document is selected.

In reading these two articles, I get the sense that in Office XP (Office 2002) it's a feature not a bug and that in Office 2003, it was a buggy feature so we disabled it by default. Even though it's supposed to be disabled in 2003, you might want to double-check the registry hack mentioned in 818792, maybe setting DisableAutoSelect to 1 just to be sure.

--Jonathan Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]

Jonathan Johnson wrote:

David Rankin wrote:

I am seeing the exact same problem and I can confirm that a reboot of Win XP helps the problem temporarily. (this is my laptop so it is restarted regularly) It seems something is getting cached or stuck somewhere after XP is up and running for a while that is causing the 30 second delay descending down the directory tree when using the file-open dialog from MS office applications.

David, For what it's worth, I've experienced very similar behavior with a Novell server in the back end. Unfortunately, I don't know enough about Novell, and there isn't a Samba server on this particular network that I can use for troubleshooting. I mainly wanted to let you know that it's not just a Samba problem, but perhaps some optimization that Microsoft has used to make sure that their server OS works better. We can always suspect that, can't we? In my situation, browsing works fine with explorer but not in the file open dialog in MS Office apps. Just like you experienced.

In regards to Linwei Cheng's original problem, I have to ask, is there a machine account in the /etc/passwd file? For one of my customers who has a Samba box that authenticates against a true Windows Active Directory server, I found that I needed to add local machine accounts to the Linux user database (/etc/passwd) in order to get reasonable performance. The Samba logs were full of messages whining about user MACHINE$ not existing. Now, I might have solved this by adding winbind to the hosts entry in /etc/nsswitch.conf, but I didn't think of that. It works now, so why fix it?

--Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
[Samba] Extremely slow during browsing some directories
David Rankin wrote:

I am seeing the exact same problem and I can confirm that a reboot of Win XP helps the problem temporarily. (this is my laptop so it is restarted regularly) It seems something is getting cached or stuck somewhere after XP is up and running for a while that is causing the 30 second delay descending down the directory tree when using the file-open dialog from MS office applications.

David,

For what it's worth, I've experienced very similar behavior with a Novell server in the back end. Unfortunately, I don't know enough about Novell, and there isn't a Samba server on this particular network that I can use for troubleshooting. I mainly wanted to let you know that it's not just a Samba problem, but perhaps some optimization that Microsoft has used to make sure that their server OS works better. We can always suspect that, can't we? In my situation, browsing works fine with explorer but not in the file open dialog in MS Office apps. Just like you experienced.

In regards to Linwei Cheng's original problem, I have to ask, is there a machine account in the /etc/passwd file? For one of my customers who has a Samba box that authenticates against a true Windows Active Directory server, I found that I needed to add local machine accounts to the Linux user database (/etc/passwd) in order to get reasonable performance. The Samba logs were full of messages whining about user MACHINE$ not existing. Now, I might have solved this by adding winbind to the hosts entry in /etc/nsswitch.conf, but I didn't think of that. It works now, so why fix it?

--Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
[Samba] Browsing with duplicate names in multiple workgroups/subnets and multihome machines
You can see by the subject I've got an ugly problem. Even though I don't have a Samba server anywhere near the network in question, nobody understands browsing as well as the folks on the Samba team. :-)

Here's the situation: I've got two workgroups, FLINTSTONE and RUBBLE, which are on physically separate networks. FLINTSTONE has a Windows 2003 Active Directory domain controller; RUBBLE is a simple workgroup. All workstations are either Windows 2000 or Windows XP Professional. There is no routing between these networks. However, there are two workstations which are multihomed. More on that in a minute.

Here's the logic (illogic?) of the network:

Segment 1:
* FLINTSTONE domain
* PEBBLES (Windows 2003 Small Business Server Active Directory domain controller)
* FRED Windows XP Pro workstation (multi-homed to Segment 2, member of FLINTSTONE)
* WILMA Windows XP Pro workstation (also multi-homed to Segment 2, member of FLINTSTONE)

Segment 2:
* RUBBLE workgroup
* BETTY Windows 2000 Pro workstation (single-homed, member of RUBBLE)
* BARNEY Windows 2000 Pro workstation (single-homed, member of RUBBLE)
* FLINTSTONE Windows 2000 Pro workstation (single-homed, member of RUBBLE)

The reason that FRED and WILMA are multi-homed is that they both must be able to access the workstations in the RUBBLE workgroup on Segment 2.

As you can see, we've got a name conflict: a workstation named the same as the domain. This is, apparently, causing browsing problems for the multi-homed workstations.

Unfortunately, it's not as simple as renaming the FLINTSTONE workstation to BAM-BAM. This network on Segment 2 was set up by another vendor (who, we might add, seems to be rather clueless about Windows networking), and they are afraid to change the name for fear of what it would break. That vendor's requirements do not allow routing to other networks. This network is the automation system for a radio station, and it cannot go down. The domain of Segment 1 cannot be changed, as Small Business Server doesn't allow that.

At this point, I'm not really seeking solutions, but perhaps a technical explanation of what might go on in this situation. Even if there were no naming conflicts, what are the implications of having two multi-homed non-routing Windows machines on common networks?

--Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] U/G to 3.0.11, need explanation of log messages (Was: Re: Trying to resolve issues on samba-3.0.11)
Changed the subject to something more meaningful that might get noticed by someone who knows. The original subject is too vague and generic. See my comments below about logfile name and guest on authenticate. Other questions left to others to answer.

~Jonathan

Yannick Bergeron wrote:

Recently, we undertook to upgrade our samba server 2.2.8a towards version 3.0.11. There remain however still some issues which I try to regulate or to understand.

OS: AIX 4.3.3
CC: ibmcxx 3.6.6

1: Software caused connection abort in log.smbd

On every connection, I've the following error in my log. What could be the problem?

[2005/02/14 16:43:22, 0] smbd/server.c:open_sockets_smbd(388)
  open_sockets_smbd: accept: Software caused connection abort

2: logfile name

The name of the log files are supposed to be log.hostname but some of them are log.ip
How could this be possible? everything is ok with samba 2.2.8a

in smb.conf
log file = /usr/local/samba/var/log.%m

I've noticed this too. Not sure why. Perhaps the first time a client connects, Samba uses the machine name, then for subsequent activity in that session it's using the resolved IP? Are the log.name files generated by smbd while the log.ip files are generated by nmbd? I don't really know.

Regardless, I'd strongly urge you to change the log file to %m.log instead of log.%m, as log rotation scripts (see man logrotate) can be confused by having it your way. You end up with log.%m.0 and then log.%m.0.0 then log.%m.0.0.0 and so on, the logs never really get rotated properly.

~Jonathan

3: guest on authenticate

On every authentication, the guest account (nobody) is trying to authenticate, the connection is refused, then it's trying with the username. We would like the guest account to never be used.

in smb.conf
map to guest = Never
guest account = nobody
guest only = No
guest ok = No

in a log.hostname file
[2005/02/14 16:43:22, 0] smbd/password.c:user_ok(386)
  rejected user nobody:3004-302 Your account has expired; please see the system administrator.

I would guess this is happening on the client side, not the Samba side. Your Windows machine may be first trying guest before trying username.

~Jonathan

4: Is there a way to know what is the OS of the client (logfile? which debug level? which debug message?)

If anyone is able to answer or explain me one of those issues :) thanx

Yannick Bergeron
[EMAIL PROTECTED]
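The rotation failure described in the reply above can be reproduced with a small model. This is an added example, not code from the thread, from Samba or from logrotate; it assumes a rotation script whose file pattern is the `log file` setting with `%m` replaced by `*`, and which renames every match to `<name>.0` on each pass.

```python
import fnmatch
import posixpath


def rotation_glob(log_file_setting):
    """Pattern a rotation script would typically use for this 'log file' value."""
    return posixpath.basename(log_file_setting).replace("%m", "*")


def live_name(log_file_setting, client):
    """File name smbd writes for one client machine name."""
    return posixpath.basename(log_file_setting).replace("%m", client)


def rotate_once(listing, pattern):
    """One rotation pass over a directory listing (a set of file names).

    Every name matching the pattern is treated as a live log and renamed to
    name + ".0", replacing any older file of that name. Longest names are
    moved first so a rename never clobbers a file still waiting its turn.
    """
    result = set(listing)
    matches = [name for name in listing if fnmatch.fnmatchcase(name, pattern)]
    for name in sorted(matches, key=len, reverse=True):
        result.discard(name)
        result.add(name + ".0")
    return result


def simulate(log_file_setting, clients, passes):
    """Directory listing after the given number of rotation passes."""
    pattern = rotation_glob(log_file_setting)
    live = {live_name(log_file_setting, c) for c in clients}
    listing = set(live)
    for _ in range(passes):
        listing = rotate_once(listing, pattern)
        listing |= live  # smbd reopens its log after rotation
    return sorted(listing)


if __name__ == "__main__":
    # "fred" is a constructed client name.
    for setting in ("/usr/local/samba/var/log.%m", "/usr/local/samba/var/%m.log"):
        print(setting, "->", simulate(setting, ["fred"], 3))
```

With `log.%m` the pattern `log.*` also matches files that were already rotated, so old generations are never replaced and the directory grows on every pass; with `%m.log` the pattern `*.log` matches only the live file.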
[Samba] Migrating domain from Samba 3 to Windows 2003
At the risk of being called a turncoat and traitor in Sambaland, I ask, how do I migrate from a Samba 3 domain to a Windows 2003 Active Directory domain? A customer has determined that they wish to use the groupware features of Microsoft Exchange. They already have the licenses they need, so there's no point in convincing them that Samba will be cheaper or that some Linux-based solution will work. This of course requires Active Directory (although I would not be surprised if a subscriber to this list proves me wrong), and by extension, migrating their existing Samba 3 domain. Of course, it would be easy to just create a new domain. Since this customer has only 6 machine accounts and 7-10 user accounts, it's not a big deal to recreate them. However, one must remember that creating new users in a new domain means that user profiles will be lost since the profile (read: NTUSER.DAT) is tied to the SID of the user. New domain = new SIDs. It's possible but tedious and risky with unpredictable results (due to permissions, again tied to the SID) to migrate user profiles. A domain migration would be much smoother, if possible, especially for an administrator dealing with hundreds or thousands of user and machine accounts. Here is how I imagine doing it. The customer has two new servers (hardware), one of which will be a replacement for the existing Samba box (which handles file storage and sharing), the other of which will be the Windows 2003 AD server. I will make a copy of the existing Samba 3 domain to one new box, and install Windows 2003 in the other new box. These boxes will be at this point disconnected from the production network, leaving it intact and unchanged for now. This lets us make mistakes on the new systems without affecting their production network. Configure the Samba server so it looks like an NT 4 server (how?). Join the Windows 2003 server as a member server to the Samba 3 domain. 
Run the Active Directory installation wizard to migrate the domain, elevating the Windows 2003 server to an Active Directory server. Take the Samba 3 server offline, rebuild it, joining it to the new W2K3/AD domain as a simple file server. Any reason this won't work? Your experiences? Your wisdom? One final question: Can Exchange 2003 be made to authenticate against a Samba domain? I would expect not, since a Samba domain is mostly an NT4 equivalent and Exchange 2003 requires a domain at least at AD2000 functional level. Maybe AD2003 functional level. ~Jonathan Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED]
Re: [Samba] Puzzle -- Logon/Login from Windows XP
[EMAIL PROTECTED] wrote: So my question is, how can those 100 users logon to the Samba server from ANY workstation without having an account on the Windows XP workstation that matches their username/password on the Samba server? Either set up the Samba server as a domain controller and join the workstations to that domain, or if the workstations are part of another domain, join the Samba server to that domain and use winbind for authentication. This is explained in detail in the documentation. Isn't there a way to get the Samba server to ask for a username and password when the user clicks on the name of the Samba server in Explorer? Short answer: if the workstation already has a connection (mapped drive, cached connection, RPC connection, etc.) to this server, then no. Long answer: a limitation of Windows is that when you connect via SMB to a remote server, all connections to that server must use the same credentials. If you are connected to \\sambaserver\datafiles as the user *nigel* and wish to connect to \\sambaserver\frederick (which is accessible only to the user *frederick*), the Windows workstation attempts to connect as *nigel*. In order to connect as *frederick* you must break all connections to that server. Simply put, you cannot make two connections to a server from one workstation with two different sets of credentials. I haven't investigated the interaction between Windows workstation and Windows server versus between Windows workstation and Samba server, in terms of *when* you are asked for a password. When you click on the server name in Network Neighborhood / My Network Places, when are you presented with the login prompt? When you click on the server name? Or when you click on the share name under that server? Your Samba server may be presenting you with the share names, if you've configured it to map unknown users to a particular user or guest. 
This may be confusing your workstation into thinking that it's already authenticated to the Samba server, so you don't get the login prompt. Point of clarification: when I say workstation I mean the one you are at, attempting to connect remotely to the server. The server CAN be another Windows XP workstation with shared files. The workstation is the client, the server is the host that's sharing the files. Don't confuse the terminology with proprietary branding and product naming. --Jon
Re: [Samba] passdb requires /etc/passwd entry?
Apologies if this has already been answered, but I'd like to share my understanding, in too many words.

The reason that the user must exist in a user database (such as /etc/passwd) accessible to the underlying system (such as Linux) is that in order to read and set permissions on the files, Linux -- and any other file sharing protocols, such as SMB, AppleTalk, XFS, NFS, NDS, etc., must know the user's login ID. Because the permissions are set in the filesystem, not an abstract access control list by the second-level software (such as Samba), the user must be identifiable to any software which may request access. Therefore, it is up to the kernel to control this access, and it needs to have a way to verify that the user is indeed a valid user.

With Samba, traditionally there have been two user databases: the Samba password database (smbpasswd) which Samba uses for authentication, and the unix password database (/etc/passwd and its brothers, /etc/shadow and /etc/group). The reason that Samba can't use /etc/passwd is because /etc/passwd has no facility for storing SIDs and GIDs. This however does not prevent the unix kernel from using an authentication facility that does store this information.

It is very possible now to configure both Samba and unix to authenticate against the same LDAP directory server, along with your mail server, your secure web server, your virtual private network, your building security system, your telephone, and your photocopier, achieving the holy grail of single sign-on. I will leave the implementation of this as an exercise for the reader.

--Jon Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
(360) 270-9317 cell

On Tue, 27 Jul 2004, Cal Heldenbrand wrote:

Greetings everyone,

I have a question about the smbpasswd encrypted database and /etc/passwd -- why does the passdb backend require an entry in /etc/passwd? Is it possible to create samba encrypted users without a /etc/passwd entry?

I have a samba PDC setup that is mainly just a login server, then a separate server for $HOME's. I have all of my PAM configs setup to remotely authenticate to another server with 8000+ users, then pam_smbpass migrates passwords to the PDC. The HOME server automatically creates $HOME directories, and uses winbind for UID mappings against my PDC.

The problem is the password migration in smbpass won't work without an /etc/passwd entry, and I don't want to potentially have to add 8000 users from a constantly changing database. Is there any workaround for this? I've noticed in the source that the check for this is done in passdb/passdb.c approx line 947

if (!NT_STATUS_IS_OK(pdb_init_sam_new(sam_pass, user_name, 0)))

But this is in the function local_password_change() -- If this is modifying the smbpasswd database, why would it need to check /etc/passwd? Is this just a sanity check, or do I have my samba configs incorrect? Call me naive, but could I just comment out this section of code and see what happens?

Thanks for any help in advance,

--Cal Heldenbrand
RE: [Samba] Moving Profiles
I've done this many times. More than I care to admit. :-)

Here's an archive of a previous post that I made on the subject:
http://lists.samba.org/archive/samba/2004-June/087799.html

You'll also want to read this afterthought:
http://lists.samba.org/archive/samba/2004-June/087800.html

My instructions are basically the same, but more detailed; one VERY important thing you will need to do is manually edit the user's registry hive to change paths (see the first link for instructions).

Also, you'll need to join the domain and log in with the new username BEFORE migrating the profile, as WinNT/2K/XP will create a new profile with an unused folder name for a new logon. This means that if you log in for the first time as 'fred' and there is no 'fred' profile, a profile named 'fred' will be created. If there IS a 'fred' profile, or even an empty folder named 'fred', then the new profile will be named 'fred.DOMAIN' or 'fred.000'. If there's already a 'fred.DOMAIN' or 'fred.000' folder, then the new profile will be named 'fred.DOMAIN.000' or 'fred.001' and so on. It's messy, but NT et al is paranoid about destroying data in this context.

As for disabling roaming profiles, see the 'Logon Path' parameter:
http://us2.samba.org/samba/docs/man/smb.conf.5.html#LOGONPATH

hint: include 'Logon Path =' (no parameters) to disable roaming profiles altogether.

--Jon Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]

On Tue, 6 Jul 2004, Mark Lidstone wrote:

There are 7 users, but I was planning on having to visit each machine separately anyway. That's basically what I was looking at doing, but you're right - doing it after joining the machine to the domain seems to make more sense.

On a bit of a side note - does anyone know if it's possible to turn off roaming profiles at the Samba server end? On Windows it's an option you can set on a per-user basis, which is pretty handy. For instance, we have a couple of user accounts for testing software, and it's good to know that if something goes really screwy with the account's registry, we only have to clean it off the computer it went wrong on.

-Original Message-
From: Hamish [mailto:[EMAIL PROTECTED]
Sent: 06 July 2004 10:03
To: Mark Lidstone

I guess there are not too many users to move over? (also that you are using win2k/xp) There is a way to move the profiles *after* they have been joined to the PDC. Log in to the machine with the new username, this will create a new profile, log out immediately. Log in as an admin account (but not the administrator that the users were using) Right click my computer properties advanced user profiles settings. Select the old account and click copy to.. choose the new user folder in documents and settings (this will warn that there is already a profile there and it will be cleared, just ok it). The last bit to do is change permission to use (or something very similar) change this to the new username (make sure you put it in the format DOMAIN\user) - this will copy the profile flawlessly to the new user, a bit slow if there are a number of them, but less than 5 or so and it's a good fix.

Hope that helps,
H

Mark Lidstone wrote:

Hi everyone,

I'm about to install a Samba PDC in a network that previously was working as a workgroup. All the users have been logging into their local machines as administrator and all with the same password. What I would really like to do is to move their profiles with them, but as they are all using the same username and the like I can see this is going to cause problems.

So far I have been thinking about doing the following:

1) Create a second administrator account on each machine
2) Login as the second administrator and copy the administrator profile to another folder, renamed for the new user's username (e.g. Documents and Settings\Administrator - Documents and Settings\DOMAIN.username)
3) Change ownership/permissions on the new profile folder to match that of the new user

I'm also planning on making sure that roaming profiles are disabled using the LocalProfile registry key that Michael Lueck recently posted about on here. Users will have a network-home folder that will be backed up which should be plenty enough for them.

Can anyone point out what problems this will cause? I think there is going to be an issue with the registry, is the SID in there somewhere? How can I reset it? Is there a better way of doing this?
Re: [Samba] Samba3 Win95 interoperability
On Tue, 29 Jun 2004, Andrew Bartlett wrote:

On Mon, 2004-06-28 at 16:20, Tomás Polák wrote:

lanman auth = no

This is the cause of the inability to connect from Win95/98 machines. These clients only support Lanman authentication, and so have been locked out of this server.

Andrew Bartlett

Not sure this is on point, but check out the Active Directory Client Extensions, that may allow you to connect your Win95 machines with all the necessary security options set on the server. My experience is that this client is required to connect Win95 to Windows Server 2003; your mileage with Samba may vary. I understand it provides NT LanMan v2 authentication.

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp

The Win9x client isn't available for download; it's on the Win2K Server CD under the CLIENTS folder (but not on the Server 2003 CD).

--Jon Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
Re: [Samba] samba 3.0.4 : cannot join domain with w2k clients.
On Fri, 25 Jun 2004, HM wrote:

Hello all. I have been trying for a few days to get my w2k clients to join my domain, managed by my samba 3.0.4 PDC, without success. I can browse the server, share files with it with my station, but I can't join the domain. When I try to, I get the following message (sorry for the poor translation):

The following error occurred while trying to join domain 'SLS' : Failed to open a session : username unknown or invalid password.

Just a hunch: from a command line on the w2k box, issue

net use * /delete

and try joining again.

-Jon
[Samba] Windows 95, encrypted passwords, and secure channel communications
First of all, let me say I know it's been fixed in Samba 3. That's for those of you who think I'm talking about the requiresignorseal registry hack in Windows XP. I'm not.

I ran into an issue when using Windows 95 clients with a Windows 2003 server. (Why not Samba? The customer needs terminal services for some windows-only programs.) Because Windows 2003, by policy, implements tighter security including encrypted passwords and communications, Windows 95 will NOT communicate with a Windows 2003 server. (If I'm wrong about the encrypted passwords, someone please correct me.)

David Lechnyr's Unofficial Samba HOW-TO states in part,

Windows 95 doesn't use encrypted passwords, so this option must be disabled in your smb.conf to support these clients... Verify that your smb.conf file includes the parameter encrypt passwords = yes unless you are using Win95/Win95a or have disabled encrypted passwords in your other Windows clients (not a good idea).

It turns out that Microsoft provided a patch for Windows 95, 98, and NT4 called Active Directory Client Extension which provides NTLM version 2 authentication. At least under Windows 2003 it seems to work, allowing my Win95 clients access to the 2003 server.

I'm wondering if this patch will work on Windows 95 against a Samba server, allowing one to leave encrypted passwords = yes set. I don't have an available testbed to try it on right now.

More info: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp

Note: the ADCE for 9x is on the Windows 2000 CD, but not the Windows 2003 CD, and is not downloadable from Microsoft.

--Jon Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
Recording CDs from Samba shares (was: [Samba] Very dumb question)
On Tue, 22 Jun 2004, Mário Gamito wrote:

Hi,

Maybe this is craziness, but... is there a way through some smb.conf script, or any other means than installing a graphical interface in the server, as my users are lobbying me :P, for a user of a domain to record a data CD with data from the Samba shares?

Warm regards,
Mário Gamito

Mário,

It appears that you have a CD recorder on your Samba server, and you wish to allow your Samba domain users to record data CDs with data from Samba shares? If I understand correctly, you want to avoid having your users work from the Samba server console. Please correct me if I have misunderstood.

--Jon Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
RE: [Samba] testparm -s
On Fri, 18 Jun 2004 [EMAIL PROTECTED] wrote:

Unknown parameter encountered: passdb backend

Was this a typo in the email or is this exactly what you have in the smb.conf file? There should be an equal sign between the words.

Gary, passdb backend is the name of the parameter, not the parameter and value.

Matthew

Should be 'passdb backend = (something)' where (something) is smbpasswd, tdbsam, ldap, etc.

~~Jonathan Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
Re: [Samba] How to keep local profiles when joining domain?
On Wed, 16 Jun 2004, Nash Computer Technology wrote:

However, we are now in the final stages of deploying a Samba server to replace the Novell one. The Samba server is configured as a Primary Domain Controller, and seems to be working fine. We do not wish to use roaming profiles, so the profiles will be held locally on each PC.

unsure how to join the new domain, such that the existing profiles (eg desktop layout, applications, etc etc) are retained for each user. When we simply change the PC properties to join the domain, we lose the users settings.

This method is unreasonable for more than a few users, due to the time involved, but it has worked for me.

1. Make a note of the user's profile directory. I'll assume it is in C:\Documents and Settings\mike
2. Log in to the PC in question as a LOCAL Administrator, other than Mike.
3. Make a copy of Mike's profile, just in case things get screwed up royally. It's a good idea to use ntbackup for this (if you're dealing with XP, it can be installed from the CD) so you don't lose the ACLs.
4. Rename Mike's profile to something like C:\Documents and Settings\Mike.temp
5. Join the workstation to the domain and reboot as prompted.
6. Log into NEWDOMAIN as Mike. A new profile for Mike will be created, hopefully it will be C:\Documents and Settings\Mike, but make a note of whatever the path is.
7. Log out Mike and log in as the local or domain administrator again.
8. DELETE the new profile that was just created. (You did make a note of its exact name, didn't you? If you didn't, go back to step 6.)
9. RENAME Mike's old profile from Mike.temp to C:\Documents and Settings\Mike (Or whatever the path created in step 6 was)
10. Change the ACLs (security descriptors) on this profile to allow NEWDOMAIN\Mike full access to the folder and all child entries.
11. If the path of the profile that was created in step 6 DOES NOT match the original path of the profile, your job just got a lot harder. Skip to step 13.
12. You should now be able to log in as NEWDOMAIN\Mike and have all his profile back. Thank your chosen deity you were able to make the new profile use the same path as the old profile, and skip the rest of these steps and go on to the next workstation.
13. While you're still logged in as an administrator, open up regedit. Load the registry hive C:\Documents and Settings\(new path)\NTUSER.DAT
14. EDIT the registry, replacing all instances of the old path with the new path. Make sure you also check for instances of 8.3 munged names. There will be WAY TOO MANY of these; I've found that sections of the registry can be exported to a text file which can then be search-replaced. Maybe there's a registry tool out there that makes this easy; I haven't found it.
15. BEFORE YOU CLOSE REGEDIT, be sure to UNLOAD the hive you loaded in step 13. Otherwise, Mike will not be able to log on.
16. You should now be able to log in as Mike. If things are totally screwed up, well, that's why you made a backup, right?

Yes, I've actually done this. Several times. It's only fairly easy if you can make the new profile use the same path as the old profile. That's why we renamed the old profile first.

There may be a way to temporarily use roaming profiles and the User Profiles tool in the system properties, along with Samba tools on the UNIX end to accomplish the same thing in a quicker, easier manner, but I haven't investigated that.

~~Jonathan Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
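The search-and-replace of step 14 over an exported registry section, as an added example that is not part of the original post: it rewrites quoted string values (where the .reg text doubles every backslash) and also `hex(2)` expandable-string values, which a "Windows Registry Editor Version 5.00" export stores as UTF-16LE bytes and a plain text search would miss. The profile paths, 8.3 names, key name and value names below are constructed sample values.

```python
import re

# A REG_EXPAND_SZ value line in a .reg export: "Name"=hex(2):xx,xx,...
HEX2 = re.compile(r'^((?:"(?:[^"\\]|\\.)*"|@)=hex\(2\):)(.*)$')


def hex2(value):
    """Encode text as the comma-separated UTF-16LE bytes used for hex(2) data."""
    return ",".join(f"{b:02x}" for b in value.encode("utf-16-le"))


def replace_paths(text, mapping, escaped):
    """Replace each old profile path with its new one; return (text, hits).

    escaped=True matches the doubled backslashes used inside quoted strings.
    """
    hits = 0
    for old, new in mapping.items():
        if escaped:
            old, new = old.replace("\\", "\\\\"), new.replace("\\", "\\\\")
        # Require a separator after the path so ...\mike never matches ...\mikey.
        pattern = re.compile(re.escape(old) + r'(?=$|[\\";,\x00])', re.IGNORECASE)
        text, n = pattern.subn(lambda m, new=new: new, text)
        hits += n
    return text, hits


def rewrite_reg(reg_text, mapping):
    """Rewrite profile paths in exported .reg text; return (new_text, hits)."""
    lines, out, total, i = reg_text.splitlines(), [], 0, 0
    while i < len(lines):
        line = lines[i]
        m = HEX2.match(line)
        if m:
            # Continuation lines end with a backslash; join them into one list.
            original, body = [line], m.group(2)
            while body.endswith("\\") and i + 1 < len(lines):
                i += 1
                original.append(lines[i])
                body = body[:-1] + lines[i].strip()
            raw = bytes(int(b, 16) for b in body.rstrip("\\").split(",") if b.strip())
            value, n = replace_paths(raw.decode("utf-16-le"), mapping, escaped=False)
            # Unchanged values are kept exactly as exported; changed ones are
            # re-encoded and written as a single unwrapped line.
            out.extend([m.group(1) + hex2(value)] if n else original)
        else:
            line, n = replace_paths(line, mapping, escaped=True)
            out.append(line)
        total += n
        i += 1
    return "\n".join(out) + "\n", total


# Constructed sample: old and new profile paths in long and 8.3 form.
OLD = r"C:\Documents and Settings\mike"
NEW = r"C:\Documents and Settings\Mike.NEWDOMAIN"
MAPPING = {OLD: NEW, r"C:\DOCUME~1\mike": r"C:\DOCUME~1\MIKE~1.NEW"}
TEMP_BYTES = hex2(OLD + "\\Local Settings\\Temp\0")
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_USERS\MikeHive\Software\ExampleApp]",
    r'"Desktop"="C:\\Documents and Settings\\Mike\\Desktop"',
    r'"Neighbour"="C:\\Documents and Settings\\mikey\\Desktop"',
    r'"ShortTemp"="C:\\DOCUME~1\\mike\\LOCALS~1\\Temp"',
    '"Temp"=hex(2):' + TEMP_BYTES[:30] + "\\",
    "  " + TEMP_BYTES[30:],
])

if __name__ == "__main__":
    new_text, hits = rewrite_reg(SAMPLE, MAPPING)
    print(hits, "values rewritten")
    print(new_text)
```

A real export from regedit is a UTF-16 file, so read it with `encoding="utf-16"` and write the result back the same way before importing it into the loaded hive.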
Re: [Samba] How to keep local profiles when joining domain?
You may also want to read these Microsoft Knowledge Base articles:

How to Migrate User Profiles to Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;234548

How to Create and Copy Roaming User Profiles in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;142682

HOW TO: Create a Roaming User Profile in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;302082

What you may want to do is temporarily migrate the user profile from a local to a roaming profile using the information in these articles, then change the profile mode back to local in the System Properties / User Profiles module.

--Jon Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
(360) 270-9317 cell
Re: [Samba] ssh tunnelling with putty
On Tue, 15 Jun 2004, Paul Krash wrote:

Hi Brian!

Brian Johnson wrote:

Could someone provide some help tunnelling a connection through a ssh pipe using putty on a windows 98 client to a samba server?

OK, ssh goes through port 22, mapping a drive requires ports 137 and 139 (tcp and udp) to be open and routable by Windows RPC client. I would suggest configuring The Microsoft VPN adapter to attach to the server, then map your drive to samba. You will have to have the VPN configured on the server (and both routers). I am assuming (ah!!!) that you are trying to reach the samba server from outside the host network.

Of course, the point of tunnelling is to allow one to connect to a particular remote port (such as 137 and 139) when only ssh is available. This works by creating a listening port of your choice on the Windows machine, which PuTTY forwards via SSH to a remote machine of your choice.

Where this breaks down for SMB is when you realize that there is already a listening service on ports 137 and 139: the windows server service (or whatever its equivalent is in 9x -- file and printer sharing, I guess). That means that no matter how you try to connect to the remote machine, all you're gonna get is your own computer.

Now, there may be a way around it: for your local port, specify something on the order of 127.0.0.5:137. For your remote port, specify 137 on the remote IP address. This is sort of like the loopback adapter but (hopefully) Windows isn't already listening on that IP address to port 137. You may then be able to reach the remote computer by the address 127.0.0.5. I haven't tried this, so your mileage may vary. But I think it's worth a shot.

Now, you won't be able to browse the remote network, but maybe someone else knows a better way.

--Jonathan Johnson
[EMAIL PROTECTED]
Re: [Samba] Different domains
On Mon, 14 Jun 2004 [EMAIL PROTECTED] wrote: Can users/computer be part of different Domains? I've noticed that the user/computer needs that DC Sid in it. I would like for users/computers to be part of different Domains at any given time. Is this possible and how within the same ldap entry. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba I'm certain I'll be corrected if I'm wrong, but a workstation can have an account in only one domain. A user can be listed in multiple domains, but then you have the issue of password synchronization: the user can change their password on the domain that their workstation has an account on, but this will not propagate to the other domain. If the user 'fred' has an account in DOMAIN02 but not in DOMAIN01, fred cannot log into a workstation that has been joined to DOMAIN01. You may want to investigate domain trusts. This allows workstations and users from one domain access to resources on another domain with a minimum of fuss once it's configured. Note that if you are dealing with domains of different versions (i.e., DOMAIN01 is Windows NT PDC/BDC and DOMAIN02 is Windows 2003 ADS), then the higher-version domain MUST NOT be configured in native mode, but in a compatibility mode. If one domain is a Small Business Server domain, you can forget about it, Microsoft has made it impossible. THAT BEING SAID, I have a customer who has two domains: their workstations are in an NT-style domain (Small Business Server) and their terminal server is in a Windows 2003 ADS domain. Because they have the same user name and password in both domains, they can access resources in either domain from either domain. Because one is SBS, I cannot set up a domain trust. Note that Windows 9x/Me doesn't truly reside in a domain (since it does not participate in domain security); at logon, a user can specify any domain they wish. 
I realize that this does not address Samba specifically, but I believe it still applies. --Jonathan Johnson [EMAIL PROTECTED]
Re: [Samba] Re: v3.0.4-5 (Debian Sid) not Samba 3.0.5 - Can't change password
On Mon, 14 Jun 2004, Laurent CARON wrote:

Greg Folkert wrote:

I had a very similar problem. My only fix I could actually find was to completely remove all of the generated samba files (the .tbd files and such) with samba and winbind not running. Then removing all the machine accounts out of /etc/passwd, basically cleaning up to look just like just installed and never run yet Then starting joining the machines again, then using a script to generate the samba users from /etc/passwd... setting policies proper and since then (two weeks ago) haven't had any problems.

Unfortunately it is a live environment I can't remove the accounts :( I'll try on a test environment

There's a possibility that your password database (or another .tdb database) may be corrupt. Not saying it is, just saying it could be. Cleaning up the database is *very* easy:

1. Shut down smbd and nmbd (very important! see note below)
2. Go to each of the directories containing samba-related .tdb files (i.e., /etc/samba ; /var/cache/samba or /var/lib/samba ; etc.) and issue 'tdbbackup *'
3. This will create backup copies of your .tdb databases. Part of the backup process is that it creates clean backups -- any entries that are not quite right will be cleaned up or removed.
4. Restart Samba. As part of the startup process, Samba will detect the clean .tdb files and use them if it detects that the real .tdb are corrupt.
5. Check to make sure that all users are where they should be (hint: 'pdbedit -Lw' -or- 'pdbedit -Lv'). Recreate any users that have been blown away; they've been removed because of corruption.

It's very important that Samba NOT be running when you back up your .tdb files. Otherwise, you can not guarantee clean backups. Even if you've done 'service samba stop' or 'rcsamba stop'; do a 'ps -ax' to MAKE SURE smbd and nmbd are not running.

As per a tip I received from John Terpstra, it's a good idea to backup these files (using tdbbackup) before starting Samba, every time.
--Jon Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED]
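The "make sure smbd and nmbd are stopped, then run tdbbackup in each directory" steps from the reply above, as an added shell example that is not part of the original post. The directory list is the one named in the post; the `TDB_DIRS` and `TDBBACKUP` override variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: refuse to back up Samba .tdb files while smbd or nmbd is
# still running, then run tdbbackup on every .tdb file in each directory.

# Directories from the post; override with TDB_DIRS (hypothetical variable).
# Paths are split on whitespace, so they must not contain spaces.
TDB_DIRS="${TDB_DIRS:-/etc/samba /var/cache/samba /var/lib/samba}"
# Backup command; override with TDBBACKUP (hypothetical variable) for a dry run.
TDBBACKUP="${TDBBACKUP:-tdbbackup}"

# Print one bare command name per running process.
proc_names() {
    ps -A -o comm= | sed -e 's|.*/||' -e 's/[[:space:]]*$//'
}

# Read command names on stdin; succeed if smbd or nmbd is among them.
samba_running() {
    grep -Eq '^(smbd|nmbd)$'
}

# Back up every *.tdb file in directory $1. Returns 1 if any backup failed.
backup_tdbs() {
    dir=$1
    rc=0
    for f in "$dir"/*.tdb; do
        [ -f "$f" ] || continue          # glob matched nothing
        if "$TDBBACKUP" "$f"; then
            echo "backed up: $f"
        else
            echo "FAILED: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Full procedure: process check first, then each directory in turn.
# Returns 2 if Samba is still running, 1 if any backup failed, 0 otherwise.
run_backup() {
    if proc_names | samba_running; then
        echo "smbd/nmbd still running; stop Samba before backing up" >&2
        return 2
    fi
    overall=0
    for d in $TDB_DIRS; do
        [ -d "$d" ] || continue
        backup_tdbs "$d" || overall=1
    done
    return $overall
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_backup
    exit $?
fi
```

Run it with `--run` after stopping Samba and before starting it again; a return status of 2 means the process check found smbd or nmbd and nothing was touched.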
Re: [Samba] Domain problem with NT4 Samba 3.0.2a
The first thing that jumps out at me is the line beginning with Domain=[WORKGROUP] in the results of 'smbclient -L moon. It appears to me that in looking for the browse list, your user may be attempting to authenticate against the local smbpasswd database instead of authenticating against the PDC or BDC. A bug, a feature, or a misunderstanding? I don't know. Have you joined this server to the domain? You'll want to read this section of the Samba 3 HOWTO if you haven't already: http://us2.samba.org/samba/docs/man/howto/domain-member.html#domain-member-server This section says to use Security = DOMAIN instead of Security = SERVER, and explains why. Looking at your smb.conf, it looks like you're on the right track. I'd recommend investigating winbind to create users on the fly when auth'd against the domain controller. As samba still requires a local user database, winbind and appropriate scripts will automatically maintain this local user database for you. And, of course, there's always the recommendation to go with Samba 3.0.4 (or 3.0.5 if it's out soon). --Jon Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED] On Thu, 10 Jun 2004, Spike Burkhardt wrote: All, I really need some help. I'm putting samba up on a new windows domain called SIERRA. I'm using Samba 3.0.2a on Solaris 8. I'm barely knowledgeable on Windows NetBIOS... but am good with Solaris. The status is that I've got the daemons running and working normally. I have 1 desktop with 1 PDC 1 BDC in the SIERRA domain. On the desktop, I can see both DC's but not the samba server. 
As a non-priviledged account, when I issue a smbclient -L moon I get the following output: moon:/home/burkharr smbclient -L moon Password: Anonymous login successful Domain=[SIERRA] OS=[Unix] Server=[Samba 3.0.2a] Sharename Type Comment - --- rcbtest Disk Spike's testing IPC$ IPC IPC Service (Samba 3.0.2a) ADMIN$IPC IPC Service (Samba 3.0.2a) Domain=[WORKGROUP] OS=[SunOS 5.8 sun4u] Server=[LAN Manager 2.1] tree connect failed: ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.) NetBIOS over TCP disabled -- no workgroup available When I issue the same command substituting localhost for moon I get the following output: moon:/home/burkharr smbclient -L localhost Password: Anonymous login successful Domain=[SIERRA] OS=[Unix] Server=[Samba 3.0.2a] Sharename Type Comment - --- rcbtestDisk Spike's testing IPC$ IPC IPC Service (Samba 3.0.2a) ADMIN$IPC IPC Service (Samba 3.0.2a) Anonymous login successful Domain=[SIERRA] OS=[Unix] Server=[Samba 3.0.2a] Server Comment ---- EPN32-237 MOON Samba 3.0.2a ROHAN SHADOWFAX WorkgroupMaster ---- SIERRAMOON Notice that I don't get any NetBIOS errors which makes sense because I'm not going out on the network. Here's my smb.conf file: moon:/home/burkharr more /apps/samba/lib/smb.conf # Global parameters [global] workgroup = SIERRA netbios name = moon security = SERVER encrypt passwords = Yes password server = rohan shadowfax wins server = 172.22.2.251 password level = 8 #admin log = Yes log level = 1 log file = /var/samba/log/log.%m create mask = 775 [rcbtest] comment = Spike's testing path = /dbd00/spike valid users = @webadmin force group = webadmin create mask = 740 writeable = Yes Any thoughts? Thanks for your help. spike -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] transfering users from PDC to print/file server
You want to look into the winbind options. Winbind allows you to authenticate users against an external server (say, a Windows or Samba server). --Jon Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED] (360) 270-9317 cell On Sat, 5 Jun 2004, abebe lsslp wrote: I have a Samba PDC server running on Fedora Core. I also have 3 samba print servers and 1 samba file server setup on RedHat 9 machines. How do I make my RedHat file and print servers to get user information from the PDC so I don't have to set up users on every single server? I appreciate your help! Ambex
[Samba] Changing user SID or Domain (doesn't work)
I'll start off with my question: how do you change a user's SID? When I issue the command:

[EMAIL PROTECTED] root]# pdbedit -u testuser -U \
S-1-5-21-4000410194-515421893-615041212-2006

I see

testuser:516:Test User
[EMAIL PROTECTED] root]#

Then, I do pdbedit -Lv testuser and it still shows the old SID.

Now, I'll give you a little background. Previously, this server (NetBIOS name of SERVER) had Samba 2.2.7 on it, functioning as a member of the workgroup AEC, using local security and passdb backend = smbpasswd. I upgraded to Samba 3.0.3 (now 3.0.4), converted the passdb to tdbsam, THEN changed it to be a domain controller (there was no domain controller on this network previously).

When I issue pdbedit -Lv I see that those accounts created before the server became a PDC list Domain: SERVER. Those accounts created after becoming a PDC list Domain: AEC. This is a problem, because although a user can log in to a workstation using the domain AEC, once logged in it thinks they are logged into the domain SERVER. This causes domain browsing issues (it can't find a domain controller for the domain SERVER), there appears a phantom domain SERVER in Network Neighborhood, we have problems assigning security because the windows machine cannot get a SID for SERVER\testuser, etc. If I issue net config workstation on the XP workstation, it shows the user login domain as SERVER.

Ultimately, I'd like to be able to just change the Domain for each user to be correct. Since I could not find any way to do this, I thought I would just recreate the account and change back to the old SID. (Recreating the account with a new SID will cause even more headaches, because there is a fairly complex security structure) HELP!

I guess the moral of the story is to convert to PDC mode before moving accounts from smbpasswd to tdbsam. If there were a way to just change the domain using pdbedit, that would be wonderful, but any solution will be appreciated.

--Jon Johnson Sutinen Consulting, Inc.
[EMAIL PROTECTED]
[Samba] Phantom workgroup
I have a Samba 3.0.4 server configured as a PDC. NetBIOS name of the server is SERVER; name of the workgroup is AEC. Problem is that there's now a phantom workgroup called SERVER when I try to browse the network. Since there's no clients configured in this workgroup, any attempts to browse this workgroup fail. When I attempt to use User Manager for Domains (usrmgr.exe, from SRVTOOLS) from a Win2K or XP client, I am first presented with the error message, Could not find domain controller for this domain. Would you like to select another domain to administer? I suspect it is first trying to connect to a DC on the phantom workgroup, SERVER. In the Select Domain dialog box, both AEC and SERVER appear as domains. I can select AEC and it works. --Jon Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED] Global section of smb.conf follows [global] workgroup = AEC netbios name = SERVER server string = PowerWave Server PDC update encrypted = Yes null passwords = Yes obey pam restrictions = Yes passdb backend = tdbsam pam password change = Yes passwd program = /usr/bin/passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication* unix password sync = Yes log file = /var/log/samba/%m.log max log size = 0 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 add user script = /usr/sbin/useradd '%u' delete user script = /usr/sbin/userdel '%u' add group script = /etc/samba/bin/smbgroupadd '%g' delete group script = /etc/samba/bin/smbgroupdel '%g' add user to group script = /usr/bin/gpasswd -a '%u' '%g' delete user from group script = /usr/bin/gpasswd -d '%u' '%g' set primary group script = /usr/sbin/usermod -g '%g' '%u' add machine script = /usr/sbin/adduser -n -g machines -c Machine -s /bin/false -M '%u' logon path = domain logons = Yes os level = 65 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap ssl = no add share command = /usr/sbin/modify_samba_config.pl change share command = 
/usr/sbin/modify_samba_config.pl delete share command = /usr/sbin/modify_samba_config.pl printing = lprng print command = lpr -r -P'%p' %s lpq command = lpq -P'%p' lprm command = lprm -P'%p' %j lppause command = lpc hold '%p' %j lpresume command = lpc release '%p' %j queuepause command = lpc stop '%p' queueresume command = lpc start '%p' ;;end of smb.conf global section -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] FYI - Why RPMs are important
Of course, you can download the source RPM, then issue

rpmbuild --rebuild samba-3.0.4-1.src.rpm

then you'd have your very own RPM sitting in /usr/src/redhat/RPMS/i386/ which you could then install as you say below. This is, of course, assuming you have all the appropriate compilers and utilities installed.

However, you'll be pleased to have this link:

http://us1.samba.org/samba/ftp/bin-pkgs/RedHat/RPMS/i386/8.0/

which is one of the many mirrors where binaries for RedHat 8.0 are found. I just checked and as of 9:28 PM PDT the 3.0.4 binary was present.

--Jon Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED]

On Thu, 13 May 2004, Josh Skains wrote:

Someone emailed me directly when I was asking about the 8.0 RPMs, and why I didn't just compile it. Due to the production nature of our servers which run practically 24/7, I can do an rpm -Uhv samba.rpm and then do an smb restart with very little impact. If I move to non-rpm versions, I am forced to compile first, remove the RPM, which is a longer downtime, then install Samba and then turn Samba back on. Just FYI. *shrug* JMS
[Samba] Problems with password policy in Samba 3.0.4
Have an issue with password policy in Samba 3.0.4 with tdbsam password backend on RedHat 8.0. This issue was observed with an up-to-date Windows XP client, NT's SRVTOOLS on Windows 2000. I can set password policy (expiration, length, etc.) using usrmgr.exe from the Windows NT Server Tools. After setting policy, when I execute 'pdbedit -Lv someuser', it does not display the correct Password Must Change UNTIL the user's password is changed, either with smbpasswd or CTRL-ALT-DEL on the user's workstation. For example, using usrmgr.exe, I set policy that passwords must expire in 90 days. I unchecked Password Never Expires for the user in question. When I did 'pdbedit -Lv username', it still showed that the expiration was Mon Jan 18, 2038. Upon changing the password using CTRL-ALT-DEL from the user's XP workstation, the password was successfully changed. Executing 'pdbedit -Lv username' now displays the correct expiration, 90 days from now. Likewise, if I set Password Never Expires (in usrmgr.exe) for this user, the pdbedit still displays a password expiration 90 days from now. I have not tested to see if the password will expire when policy demands if the wrong date is displayed in pdbedit. Another question: is the password expiration date relative to the system date/time of the Samba server or of the Windows client? --Jon Johnson Sutinen Consulting, Inc. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba PDC change password issue
On Tue, 11 May 2004, Ron Liu wrote:

Hi there I had samba PDC (Version 2.2.7a) running on RH 9.0 ( 2.4.20-8 #1). There are about 50+ win2k PCs and member servers. Everything has been working nicely for almost 6 months until recently. I noticed that recently when users try to change domain password by Ctrl-Alt-Del from win2k wkstation, the windows will give an error message saying The system cannot change your password now because the domain mydomain is not available, However, the password actually does change regardless the error message. It seems, there is no problem in login, accessing network resources etc. However, the error message is irritating, and I do see some error messages on the samba server log. It happens to all the users as far as I know.

If you had read the discussions here in recent days, you would have known that:

* After applying the recent Microsoft patches, you can no longer change your password using CTRL-ALT-DEL

and that:

* Samba 2.2.9 and 3.0.4 were just released to resolve this issue.

I suggest going to www.samba.org and reading the mailing list archives, then downloading and installing these latest versions. And please, before posting, search thru the archives to see if your question has been asked -- and answered -- first. I don't mean to flame you, I want you to understand that failure to do your homework will make everyone ignore you. If you don't have time to search the archives, I'm sorry, but people won't be very willing to help. Hope this helps.

--Jonathan Johnson Sutinen Consulting, Inc.
[Samba] Server name appears as domain name
I've got a Samba 3.0.4 server running on RedHat 8.0 as a PDC. It's the only domain controller on the network, and the only WINS server on the network. The problem is, when I browse the network neighborhood, I see the NetBIOS name of the server (SERVER) appear as a workgroup/domain (though there are no hosts listed in this phantom domain). It also appears as a computer under the AEC domain. All computers on the network are either in the workgroup AEC or domain members of AEC. When I attempt to use User Manager for Domains (usrmgr.exe, from SRVTOOLS) from a Win2K or XP client, I am first presented with the error message, Could not find domain controller for this domain. Would you like to select another domain to administer? I suspect it is first trying to connect to a DC on the phantom domain, SERVER. In the Select Domain dialog box, both AEC and SERVER appear as domains. I have been having some problems that come and go that seem to be related to browsing, domain group SIDs, and so forth. I suspect that whatever is causing the netbios hostname appear as a domain may be the root cause. I suspect it's a domain browsing / nmbd / WINS issue, but I'm stumped as to where the problem lies. I've tried clearing the NetBIOS cache (using nbtstat -R) then restarting the workstation to no effect. The wins.dat database looks normal to me. 
Below is the global section of smb.conf: [global] workgroup = AEC netbios name = SERVER server string = PowerWave Server PDC update encrypted = Yes null passwords = Yes obey pam restrictions = Yes passdb backend = tdbsam pam password change = Yes passwd program = /usr/bin/passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication* unix password sync = Yes log file = /var/log/samba/%m.log max log size = 0 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 add user script = /usr/sbin/useradd '%u' delete user script = /usr/sbin/userdel '%u' add group script = /etc/samba/bin/smbgroupadd '%g' delete group script = /etc/samba/bin/smbgroupdel '%g' add user to group script = /usr/bin/gpasswd -a '%u' '%g' delete user from group script = /usr/bin/gpasswd -d '%u' '%g' set primary group script = /usr/sbin/usermod -g '%g' '%u' add machine script = /usr/sbin/adduser -n -g machines -c Machine -s /bin/false -M '%u' logon path = domain logons = Yes os level = 65 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap ssl = no add share command = /usr/sbin/modify_samba_config.pl change share command = /usr/sbin/modify_samba_config.pl delete share command = /usr/sbin/modify_samba_config.pl printing = lprng print command = lpr -r -P'%p' %s lpq command = lpq -P'%p' lprm command = lprm -P'%p' %j lppause command = lpc hold '%p' %j lpresume command = lpc release '%p' %j queuepause command = lpc stop '%p' queueresume command = lpc start '%p' --Jon Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED] (360) 270-9317 cell -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Browse lists 3.0.x
I've found that 9x/Me clients don't always show up in browse lists if they are not sharing files or printers, or if file and printer sharing isn't installed. Make sure they are all in the same workgroup or domain. If some are in a domain and some are in a workgroup, give the domain and workgroup the same name. Without going into a technical explanation of the difference between domains and workgroups, suffice to say that if they have the same name, your life will be easier.

Another question: do you have firewalling on any of these computers? I've found that software firewalls can cause strange problems with network browsing.

--Jonathan Johnson Sutinen Consulting, Inc.

On Mon. May 10, Alan Munday wrote:

I have a mixed network with both XP and ME clients. I'm going round in circles trying to find out why half the machines, that is half the XP and half the ME, don't show up in the browse lists. I have searched through the archives and, while I can see similar problems, I did not find a solution to this one. Can someone give me some pointers to a solution please? Thanks Alan
Re: [Samba] Re: Problem upgrading to 3.0.4 and ArcServe
On Tue, 11 May 2004, Dan Shadix wrote: On Monday 10 May 2004 08:00 pm, Guillermo Borgobello wrote: Since I had upgraded from Samba 3.0.0 to 3.0.4 I have problems with ArcServe to connect to the share. Arcserve is running on a NT 4.0 box, everytime I try to connect to the samba share it says me authenticacion failed. When I browse the share from windows explorer I have not problems. Sorry, the ArcServe says me access denied Guillermo Are you logged in as the ArcServe user when you test it manually? To clarify: ArcServe may be running under different credentials than the user you are logged in as on the NT 4.0 box. It's common for backup software to run or have services running under alternate credentials; this allows non-administrators to perform backup and restore operations. Make sure that the username ArcServe is using has permissions on your Samba box. To find out what this is, you can go to your Services control panel applet, and look at the startup properties for the ArcServe services, or if an event in your task scheduler starts ArcServe, check the credentials there. That reminds me of another thing: I've found that on Windows NT 4.0, when changing automatically from daylight to standard time or vice versa, it is often necessary to re-enter the passwords for each event in the task scheduler. A very strange bug, but a bug nonetheless. --Jonathan Johnson Sutinen Consulting, Inc. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Script repository?
On Fri, 7 May 2004, RRuegner wrote: sorry if you have samba loaded from a linux distro, you have enough examples for a normal setup included, what description do you need for i.e useradd , man useradd tells you everything you need. for a standart setup you only need normal linux system funktions no magic is here, and no special scripting. This is another case i. example with ldap , but you will find examples in the sources too, what more do you need? Not every distro comes with example scripts. Some of the native *nix tools don't provide exactly the behaviour that Samba expects. add user script = /usr/sbin/useradd -m %u delete user script = /usr/sbin/userdel -r %u add group script = /usr/sbin/groupadd -r %g delete group script = /usr/sbin/groupdel %g add user to group script = /usr/bin/gpasswd -a %u %g delete user from group script = /usr/bin/gpasswd -d %u %g set primary group script = /usr/sbin/usermod -g '%g' '%u' see here for suse 9 linux , all normal system parameters with expansion from samba which you can find in man smb.conf It's great that SuSE 9 provides scripts and docs, but not every distro is so thoughtful. :-) dont forget tweaking setups is one of the great thing with open source, it pushed my computer knowledge , in my opinion it is not very usefull setting up server without having understand how it works ( this is the way of many so called ms certfullieifhavecreatedtheinternetadmins , sorry for the others which exist too ) play with the code ask for help , have fun , have community , struggle with users and coders this is what open source made off and makes it stronger than everything others Please don't take this as a personal attack, but I'd like to point out that you started with you have enough examples for a normal setup included.. then finish off with tweaking setups is one of the great thing with open source. That's exactly what I wanted to do by suggesting a Samba Script Repository. 
Everyone will find some need to tweak and adjust their scripts since it's not one-size-fits-all. If you're looking for that custom tweak, why not be able to see if someone else has already done it? Not all of us are not scripting experts. This is what's great about Samba -- rather than assuming or forcing you to do something a certain way, the Samba team has, by providing the *script= options in smb.conf, allowed you to do it your way. I just discovered that /usr/bin/gpasswd exists on my system. Would have been nice if somewhere in the documentation it told me that it's what I want to use for add user script and delete user script; this is the first I've EVER heard of this utility, so a big thank-you goes out to Robert. --Jonathan Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Script repository?
Does anyone know of a place where I can find sample scripts for use with Samba? Looking thru smb.conf we have these options: add user script delete user script add group script delete group script add user to group script delete user from group script set primary group script add machine script shutdown script abort shutdown script logon script There are probably others that I'm missing. For some of these options, standard *nix tools suffice. For example, add user script = /usr/sbin/useradd -m %u works fine for most installations. However, sometimes the default *nix tool behavior isn't quite what you want. For example, add user to group script = /usr/sbin/usermod -G %g %u will add a user to the specified (Unix) group, BUT it will remove the user from any non-specified (Unix) groups. [As an aside: how do these scripts relate to the tdbsam smbpasswd backend?] Sometimes, users may want to do more than what the *nix tool offers. It would be nice if there was some place where there was an archive of scripts that others have created so that the rest of us don't have to reinvent the wheel. If you know of it, let us know. --Jon Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED] (360) 270-9317 cell -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] SWAT drops quoted text in options
Having a little trouble with SWAT in Samba 3.0.3. When an option in smb.conf contains quotes, for example: add group script = /path/to/addgroupscript %g SWAT will, upon parsing smb.conf, display add group script = /path/to/addgroupscript and committing it causes the quoted portion to be dropped in smb.conf. Note that anything in double quotes (or, rather, after the first double quote) is dropped. Using single quotes seems to be OK. In some instances, placing items in quotes is necessary to avoid breaking things when an item contains spaces. This problem appears to be with SWAT and not Samba itself. Perhaps the documentation should say a little more clearly that single quotes are preferable to double quotes when using SWAT? I found this in the archives, is it something that needs to be revisited by the Samba team?: List: samba Subject:[Samba] [PATCH] Display of quoted parameters in Swat From: dj () 4ict ! com Date: 2002-04-24 8:34:00 Hello, There is a problem with Swat and it's handling of quoted strings. I've tested this on the latest released version of Samba (2.2.3a). Problem description: When you put quoted strings into the smb.conf file they are not displayed in swat. For example : valid users = @DOM+Domain Users in smb.conf will result in @ in swat. The reason for this is that the in the html form created by swat the value of the form item (textfield) is also quoted using . So the result, for example value=@DOM+Domain Users is wrongly parsed by the browsers. Fix: I replaced the quotes in the swat code with ' quotes, the resulting html now is value='@DOM+Domain Users' and is correctly parsed by the browsers. I've tested this on Linux with Mozilla 0.9.9, Netscape 4.7 and KDE4s 2.2 Konquerer. And on Windows 2K Prof with Mozilla 0.9.9 and IE (5.5 I think). They all worked fine in displaying and editing quoted and non-quoted parameter values. Remarks: When ' is used to quote parameters values this fix won't work of course. 
So either we add to the smb.conf documentation that is the only legal character to quote and test this. Or we add extra code to swat that parses quote characters from smb.conf to html coded chars (quote;) and back, but i haven't had a change to test if this would work. As stated, the diff included is against the 2.2.3a sourcecode, and is for the source/web/swat.c file. Or the fix could be done manually by changing the character to '. Regards, Tim -- [swat.c.diff (TEXT/PLAIN)] 185c185 printf(input type=text size=40 name=\parm_%s\ value=\%s\, --- printf(input type=text size=40 name=\parm_%s\ value=\'%s\', --Jon Johnson Sutinen Consulting, Inc. [EMAIL PROTECTED] (360) 270-9317 cell -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
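Review bot: in the changed printf at line 185 of source/web/swat.c, switching the attribute delimiter to a single quote only moves the truncation, because a parameter value that itself contains ' will now end the value attribute early, as the message's own Remarks concede. The value still goes straight into %s with no HTML encoding, so any quote or markup character stored in smb.conf is written into the form as-is. Suggest encoding the value before it is printed (at minimum the double quote, single quote, ampersand and angle brackets as character entities) and keeping one fixed delimiter, so that both quoting styles display and round-trip on commit.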
[Samba] Slow logoff with roaming profiles (Answers!)
I've found that with roaming profiles enabled, some users experience extremely slow logoffs when using NT/XP/2000. I've discovered that this is usually due to very large email folders in the user's profile.

OUTLOOK: As Outlook saves ALL messages in a single .pst file, any activity in Outlook will result in the .pst file being changed and therefore needing to be synchronized with the profile stored on the server at the next logoff. If the file is very large, this can take a horribly long time. A few solutions are available:

* Use a Microsoft Exchange server or equivalent
* Move the user's .pst file to another location outside of the profile, either on the local hard disk or a network share (Note: don't put it in the My Documents folder)
* Use IMAP instead of POP3.
* Force your users to delete old messages -- and empty their trash.

Except for the last, these solutions move the message store outside the user's profile, so it doesn't need to be sync'd to the server with the profile. Realize that placing it elsewhere on the local drive will prevent it from being backed up with the server.

OUTLOOK EXPRESS: Outlook Express operates similarly, except that it creates files for each folder. Any activity in Outlook Express will likely change multiple folders (typically, Sent Items, Outbox, Inbox, and Deleted Items) which must then be synchronized at the next logoff. Unfortunately, Outlook Express does not permit you to move the message store to a network share. Your only choice here is to move it elsewhere on the local drive. If you wish to back it up, you'll need some kind of script or remote agent to sync it to the server perhaps once a day or so when the user is away. (Think rsync and sync2nas.) Alternately, you could use IMAP.

OTHERS: I haven't investigated other clients, but I'm assuming most of them will let you specify the location of the message store. That is left as an exercise for the reader. :-)

NOTES ON IMAP

As for IMAP clients, I've found that Mozilla is tops, followed closely by Netscape. Outlook Express works OK but is a pain to configure it to run smoothly, and Outlook just plain sucks as an IMAP client. Some of you may have external POP3 servers that won't permit you to use IMAP. Since you are presumably running Samba on a *nix machine, you could install an IMAP daemon on that server and use a program such as fetchmail to periodically retrieve email, then have the users' IMAP clients communicate with your Samba server.

Note that there may be other issues that cause slow logoffs, but this is one that I've found to be a major culprit.

--Jon Johnson Sutinen Consulting, Inc.

ADDITIONAL KEYWORDS: log off logon path
[Samba] HOWTO is missing TOC
Saw that a new version (12 Nov) of Samba-HOWTO-Collection.pdf was posted on the docs page. It's missing the Table of Contents. 23 Sep version has the TOC. It's also somewhat larger (462pp); has something been removed from the 12 Nov version (404pp)?

link: http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

--Jon Johnson
[Samba] Client accessing Samba doesn't authenticate against Active Directory
When a Windows client attempts to browse shares on a Samba 3.0 server authenticating against a Windows 2003 Active Directory domain, it requests credentials. Typing in user name and password fails. Basically, I can't even see the shares. If I give username/password for a user in smbpasswd, then I can browse the Samba server.

Configuration info:

ADS server: LICENSE
ADS server IP: 192.168.254.201
ADS domain/realm: 3KINGSINC.LOCAL
Windows Server 2003

Samba server: DATASERVER
Samba server IP: 192.168.254.250
RedHat Linux 9, Samba 3.0.0, krb5 1.3.1
successfully joined this to ADS domain

Client: TS
Client IP: 192.168.254.202
Windows Server 2003
is a member server in ADS domain

- Output of wbinfo -t:
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc001)
Could not check secret

- Output of klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
11/12/03 14:18:01  11/13/03 00:18:05  krbtgt/[EMAIL PROTECTED]
        renew until 11/13/03 14:18:01

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

- Output of kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:passwd
[EMAIL PROTECTED] samba]#

- Output of kadmin:
Authenticating as principal administrator/[EMAIL PROTECTED] with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

- Output of kadmin -p [EMAIL PROTECTED]:
Authenticating as principal [EMAIL PROTECTED] with password.
Password for [EMAIL PROTECTED]:passwd
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface

- Output of smbclient -L license -U Administrator
Password:passwd

Sharename      Type      Comment
---------      ----      -------
E$             Disk      Default share
IPC$           IPC       Remote IPC
NETLOGON       Disk      Logon server share
ADMIN$         Disk      Remote Admin
SYSVOL         Disk      Logon server share
C$             Disk      Default share

Server               Comment
---------            -------
DATASERVER           File Storage (BG Samba Server)
LICENSE
TS

Workgroup            Master
---------            -------
3 KINGS              3-I1FQNAK3OL85P
3KINGSINC            LICENSE

- Output of smbclient -L dataserver -U Administrator
Password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

- Output of smbclient -k -L license [EMAIL PROTECTED]
[2003/11/12 16:03:45, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!

- Interesting lines of /var/log/samba/log.192.168.254.202:
[2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
(message is repeated twice)

- Interesting lines of /var/log/samba/log.winbindd:
[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)
  signing_good: SMB signature check failed on seq 1!
[2003/11/12 15:54:55, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!

- Interesting lines of /var/log/messages:
Nov 12 15:52:43 dataserver winbindd[21960]: [2003/11/12 15:52:43, 0] libsmb/clientgen.c:cli_receive_smb(121)
Nov 12 15:52:43 dataserver winbindd[21960]: SMB Signature verification failed on incoming packet!

- Content of smb.conf:
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2003/11/12 14:18:40

# Global parameters
[global]
    workgroup = 3KINGSINC
    realm = 3KINGSINC.LOCAL
    server string = File Storage (BG Samba Server)
    security = ADS
    password server = license.3kingsinc.local
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add user script = /usr/sbin/useradd -d/home/%D/%U %u
    delete user script = /usr/sbin/userdel -r %u
    add group script = /usr/sbin/groupadd %g
    delete group script = /usr/sbin/groupdel %g
    dns proxy = No
    ldap ssl = no
    idmap uid = 1-2
    idmap gid = 1-2
    winbind use default domain = Yes

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

- Interesting lines of nsswitch.conf:
passwd:
Re: [Samba] XP Home and Samba? and: two network cards?
On Mon, 3 Nov 2003, John H Terpstra wrote:

If both network cards are installed in your Samba server, then each network card must be configured for a different subnet. For example:

Card    IP Address     Network
----    ----------     -------
eth0    192.168.0.1    192.168.0.0/24
eth1    192.168.1.0    192.168.1.0/24

To pick a nit, 192.168.1.0 is not a valid IP Address; it is the network address. 192.168.1.255 would be the broadcast address; everything in between would be valid. You, of all people, should know that, John. :-)

--Jon Johnson
Re: [Samba] OT: Why are so many using Samba to authenticate as PDC??
We all know about cost. Are there any TECHNICAL reasons for running Samba? Have you found it to be superior to Windows NT or 2000 Server in some way? Are you using it for the challenge of *something different*? Are you hoping to 'advance the state of the art'? Just a few questions to get your brain cells moving, that's all.

Personally, some things I like about Samba:

* Remote administration is far easier, especially from non-M$ platforms (web interfaces, command line config file editing, no stinkin' registry with undocumented values)
* Share-level options that are only global in Windows
* Provides *nix filesystem access to Windows clients
* Ability to have multiple SMB servers in one machine
* Ability to rename your PDC (Although this may screw things up!)

--Jon

On Sat, 21 Jun 2003, marvc wrote:

I need to get some feedback on some good reasons for incorporating Samba into a corporate environment that runs mostly Microsoft, but also Sun, and some linux systems. Can anyone here that have used Samba for more than a few months elaborate on some of their reasons for choosing to use Samba? Advantages and disadvantages are also welcomed.
Re: [Samba] ok, so oplocks: good or bad?
OK, I don't have a strong understanding of oplocks, but I'm sure someone will correct me where I go wrong.

Overgeneralization #1: Disabling oplocks is ALWAYS a safe thing to do.

Overgeneralization #2: Oplocks provide a performance boost by allowing the workstation (ws1) to cache a copy of the file locally and set an oplock. This way, the ws1 can assume it has exclusive access and doesn't need to read/write to/from the server for every operation. Occasionally, the ws1 syncs the cached copy with the server copy. When another workstation (ws2) requests access to the file, the server asks the ws1 to break the oplock. Ws1 then syncs the cache with the server, and tells the server that it's released the oplock. The server then tells ws2 it can access the file. If ws1 has the file open for read (not write), ws2 can open the file for read without breaking any oplocks.

Overgeneralization #3: With oplocks disabled, the workstation must always ask for an exclusive lock before writing to the file, and does not cache a copy. Another workstation can't access the file until the first workstation releases it.

Exactly what goes on when things go wrong (server doesn't ask for oplock break; workstation doesn't release oplock, etc.) I can't tell you. As for the meaning of your errors, I haven't a clue.

--Jon

P.S. -- My philosophy is that if you ask a question and no one answers, tell a lie as gospel truth and everyone will.

On 20 Jun 2003, Mark Roach wrote:

I have been searching for info on this and haven't found an authoritative answer. From what I have read, oplocks are good because they increase connection speeds, but they are bad because they don't really work, but they actually do work, but they only work in some cases, etc etc.

So, here's my problem and my question together: I get tons of these messages every day (over a thousand a day)

[2003/06/20 08:19:42, 0] smbd/oplock.c:request_oplock_break(1011)
  request_oplock_break: no response received to oplock break request to pid 22335 on port 35010 for dev = 2b00, inode = 688540, file_id = 256210
[2003/06/20 08:19:42, 0] smbd/open.c:open_mode_check(652)
  open_mode_check: exlusive oplock left by process 22335 after break ! For file UHG/Local Settings/Temporary Internet Files/Content.IE5/desktop.ini, dev = 2b00, inode = 688540. Deleting it to continue...

Is this an indication that I should disable oplocks, or is disabling oplocks a foolish, unsafe thing to do, or is there just some other problem I need to fix to allow me to keep using oplocks? Very confused.

-Mark
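With over a thousand of these entries a day, tallying them shows whether the failures come from a handful of files or client processes. The following is an added example, not part of the thread or of Samba; the sample log is constructed in the format of the lines quoted above, and the entries for inode 700001 and pid 22340 are invented for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two entry types quoted in the thread, laid out as a
# header line followed by an indented message line. The last entry (inode
# 700001, pid 22340) is invented and has no matching open_mode_check line.
SAMPLE_LOG = """\
[2003/06/20 08:19:42, 0] smbd/oplock.c:request_oplock_break(1011)
  request_oplock_break: no response received to oplock break request to pid 22335 on port 35010 for dev = 2b00, inode = 688540, file_id = 256210
[2003/06/20 08:19:42, 0] smbd/open.c:open_mode_check(652)
  open_mode_check: exlusive oplock left by process 22335 after break ! For file UHG/Local Settings/Temporary Internet Files/Content.IE5/desktop.ini, dev = 2b00, inode = 688540. Deleting it to continue...
[2003/06/20 08:41:07, 0] smbd/oplock.c:request_oplock_break(1011)
  request_oplock_break: no response received to oplock break request to pid 22335 on port 35010 for dev = 2b00, inode = 688540, file_id = 256315
[2003/06/20 09:02:13, 0] smbd/oplock.c:request_oplock_break(1011)
  request_oplock_break: no response received to oplock break request to pid 22340 on port 35011 for dev = 2b00, inode = 700001, file_id = 256400
"""

# "exlusive" is spelled the way the quoted log message spells it.
NO_RESPONSE = re.compile(
    r"request_oplock_break: no response received to oplock break request "
    r"to pid (?P<pid>\d+) on port \d+ for dev = (?P<dev>[0-9a-f]+), "
    r"inode = (?P<inode>\d+)")
LEFT_BEHIND = re.compile(
    r"open_mode_check: exlusive oplock left by process \d+ after break ! "
    r"For file (?P<file>.+?), dev = (?P<dev>[0-9a-f]+), inode = (?P<inode>\d+)")


def summarize_oplock_failures(log_text):
    """Count unanswered oplock breaks per file, most frequent first."""
    # Collapse line wrapping so header and message read as one stream.
    flat = " ".join(log_text.split())

    # open_mode_check entries are the only ones that carry the file name;
    # use them to label (dev, inode) pairs.
    names = {(m["dev"], m["inode"]): m["file"]
             for m in LEFT_BEHIND.finditer(flat)}

    failures = Counter()
    pids = defaultdict(set)
    for m in NO_RESPONSE.finditer(flat):
        key = (m["dev"], m["inode"])
        failures[key] += 1
        pids[key].add(int(m["pid"]))

    return [{"file": names.get(key, f"dev={key[0]} inode={key[1]}"),
             "failures": count,
             "pids": sorted(pids[key])}
            for key, count in failures.most_common()]


if __name__ == "__main__":
    for row in summarize_oplock_failures(SAMPLE_LOG):
        print(f'{row["failures"]:5d}  pids={row["pids"]}  {row["file"]}')
```

If a few paths dominate the tally, smb.conf's `veto oplock files` parameter can exclude just those files from oplocks instead of turning oplocks off for the whole share.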
Re: [Samba] How to share the tape drive in samba server for windowsuser
I'm assuming you want to give your users the ability to backup and restore files at their will.

If you're looking to share the tape drive so you can use Windows' native backup utility to write directly to the tape, sorry -- can't be done with Samba. This is because a tape drive is not seen by the system as a disk drive; the software wants to communicate directly with the drive. A tape drive is a sequential, exclusive access device, not a random access device. That means that only one process can read/write to the drive at a time, and the tape is written/read from front to back.

First way to go about it is to create a share on the Samba server where the Windows users can create backup files (the backup utility will allow you to do this), then have the Samba server back this share up to tape then delete the backup files. This isn't really ideal, because it's not getting written to tape right away, and there's no easy way for the user to restore from tape.

A better way is to use a client/server backup solution which has a backup server running on the Linux box, and backup clients running on the Linux box and all the workstations. When a user wants to run a backup or restore job, the appropriate tape is placed in the drive on the Linux server, then they use the client to submit the job. The advantage here is that multiple jobs can be submitted simultaneously and they are queued; once they reach the top of the queue, the job runs, backing up the files from the workstation.

A quick search reveals this software to look at: NovaNet (www.network-backup.com), Arkeia (www.arkeia.com), NetVault Workgroup Edition (www.bakbone.com), (Veritas BackupExec not available for Linux,) anyone know of open-source, multi-platform network-aware backup software? Arkeia Light is a free version for Linux that also supports two clients ( http://www.arkeia.com/arkeialight.html ).

I'm not aware of any software that creates a virtual tape drive that can be seen by Windows' native backup software as a tape device.

--Jon

On Wed, 18 Jun 2003, Sathi wrote:

Hello All, I have installed RedHat Linux-9 and configured as domain controller for windows users. I have HP's tape drive in this Machine. Is it possible to share this tape drive to all the windows users to this tape drive using Samba?

Regards, Sathi
Re: [Samba] How to share the tape drive in samba server for windowsuser
Also check out Sync2Nas ( http://sync2nas.sourceforge.net/ ) and rsync ( http://rsync.samba.org/ ).

--Jon

On Wed, 18 Jun 2003, Jonathan Johnson wrote:

A better way is to use a client/server backup solution which has a backup server running on the Linux box, and backup clients running on the Linux box and all the workstations. When a user wants to run a backup or restore job, the appropriate tape is placed in the drive on the Linux server, then they use the client to submit the job. The advantage here is that multiple jobs can be submitted simultaneously and they are queued; once they reach the top of the queue, the job runs, backing up the files from the workstation.

A quick search reveals this software to look at: NovaNet (www.network-backup.com), Arkeia (www.arkeia.com), NetVault Workgroup Edition (www.bakbone.com), (Veritas BackupExec not available for Linux,) anyone know of open-source, multi-platform network-aware backup software? Arkeia Light is a free version for Linux that also supports two clients ( http://www.arkeia.com/arkeialight.html ).

I'm not aware of any software that creates a virtual tape drive that can be seen by Windows' native backup software as a tape device.

--Jon

On Wed, 18 Jun 2003, Sathi wrote:

Hello All, I have installed RedHat Linux-9 and configured as domain controller for windows users. I have HP's tape drive in this Machine. Is it possible to share this tape drive to all the windows users to this tape drive using Samba?
[Samba] Drive letter map to Samba using ssh or scp?
OK, what I want to do is access files on my Samba server remotely. Currently, I can use WinSCP, but this isn't ideal because it is more like an FTP client, where you have to download a file, edit it, upload it. I could set up a VPN (using open source software), but these can be kind of a headache to get working (I've done it before) and they don't necessarily support multiple simultaneous connections. I could set up an SSH tunnel, but this is awkward and I don't want to teach (l)users how to do this (getting them to type anything from a command line -- correctly -- is like herding cats or pushing a rope).

I want realtime access -- that is, open/save files from an application using the standard APIs but have the files on the remote system instead of my local workstation. Shouldn't there be some way of using SSH or SCP to transparently connect to a Samba share, and have the share appear as a drive letter?

I envision a GUI that prompts for an internet hostname, an SSH user/pass; a Samba server name and Samba user/pass. Done properly, the SSH server could be on the LAN, and allow you to connect to ANY smb server (Window inc.) on the LAN. Logging in using this UI sets up an SSH tunnel automatically, presents a list of available shares; you can then select one and a drive letter to map it to. A configuration could be saved so that the connection is made automatically when the user logs in to his own workstation. Basically, I guess, this would be a GUI for SSH tunnels.

OK, so maybe this is getting awfully close to VPN. But since SSH is already there and would require no additional setup, wouldn't there be an easy way to take advantage of it? Anyone done anything like this? I don't want to reinvent the wheel if I don't have to.

--Jon
[Samba] Wish list
In some future version of the Samba help file, it would be nice if for each option the equivalent (if applicable) Windows registry or group policy setting could be listed. This would be helpful when working with the Microsoft knowledge base, or when setting up a Windows NT/2K server to behave similarly to Samba. I know that for myself, I have found that Samba provides a solution for a problem (and is documented) but since the docs don't list a Windows equivalent, I can't fix Windows.

--Jon
OT: Mail rules (was: Re: [Samba] Auto-away replies)
Unfortunately, many people set their MUA's (Outlook/Express) mail rules filter to provide the vacation message, then leave it running when they're gone. Others set the rule and close Outlook, then when they get back from vacation and download all their messages everyone gets a vacation message even though they're back. Outlook/Express do not allow you to create custom rules like "Where the Precedence line contains list do not send vacation message." These people are broken and cannot be fixed. :-P At the very least, they should set a rule "where the subject contains samba don't send vacation message." Or something like that.

For those with the ability to set proper rules, the following two header fields appear in EVERY message from the samba list and can be used for custom filter sets:

Precedence: list
List-Id: General questions regarding Samba samba.lists.samba.org

The Precedence line should be used to prevent vacation messages from being sent. The List-Id can be used to direct these messages into an appropriate mailbox folder.

--Jon

On Thu, 5 Jun 2003, Mark Ferlatte wrote:

Dan Shadix said on Thu, Jun 05, 2003 at 01:22:54PM -0600:

The problem is that the messages from this list come addressed From: each person instead of the list. There's no way to set up the vacation message to know that the message is from a list (at least on our server).

Then your server is broken. The Unix vacation program has been able to notice list email and not reply to it since 1983. Each message to the list provides more than enough information (List headers, etc) for an automated process to notice that this is a mailing list, and not reply to it.
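The header checks discussed in this thread, written out as a filter that decides whether an auto-reply may be sent. This is an added example, not code from the thread or from the vacation program; it goes beyond the two headers named above by also checking Auto-Submitted (RFC 3834), automated senders and direct addressing, and the sample messages and all addresses in them are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages; every address is a placeholder.
LIST_MAIL = """\
From: Alice Example <alice@example.com>
To: samba-list@example.net
Subject: [Samba] oplocks question
Precedence: list
List-Id: General questions regarding Samba <samba.lists.samba.org>

Question text.
"""
PERSONAL_MAIL = """\
From: Bob Example <bob@example.com>
To: me@example.org
Subject: lunch?

Are you around this week?
"""

BULK_PRECEDENCE = {"list", "bulk", "junk"}
ROBOT_LOCAL_PARTS = {"mailer-daemon", "postmaster"}


def should_auto_reply(raw_message, my_addresses):
    """Return (send_reply, reason) for one incoming message."""
    msg = message_from_string(raw_message)

    # The header the thread recommends keying on.
    precedence = msg.get("Precedence", "").strip().lower()
    if precedence in BULK_PRECEDENCE:
        return False, f"Precedence: {precedence}"

    # Any List-* header marks list traffic even if Precedence is absent.
    for name in msg.keys():
        if name.lower().startswith("list-"):
            return False, f"mailing-list header {name}"

    # RFC 3834: do not answer mail that was itself generated automatically.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"

    sender = parseaddr(msg.get("From", ""))[1].lower()
    local_part = sender.partition("@")[0]
    if (not sender or local_part in ROBOT_LOCAL_PARTS
            or local_part.endswith("-request")):
        return False, "automated or missing sender"

    # List mail arrives "From:" an individual, so also require that the
    # message names this user in To or Cc.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    mine = {a.lower() for a in my_addresses}
    if not {addr.lower() for _, addr in recipients} & mine:
        return False, "not addressed to this user"

    return True, "personal mail"


if __name__ == "__main__":
    for label, raw in (("list", LIST_MAIL), ("personal", PERSONAL_MAIL)):
        print(label, should_auto_reply(raw, ["me@example.org"]))
```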