[Samba] Samba 4 internal DNS and reverse zones
Hi All,

I currently have another thread open on squid authentication with Samba 4 and am going to try authenticating against Kerberos instead of NTLM. According to the docs for the web filter I'm using, it's essential for Kerberos to be able to resolve reverse DNS, so I've spent the last weekend trying to get this working.

Various different documents and howtos exist but none of them worked out of the box. The Samba wiki suggests creating the zones with the RSAT DNS tool, and various people I've come across have commented that from that point onwards records were added by Windows clients joining. I couldn't get this working so I tried the script on Michael Kuron's site as it threw up messages about GSS failing before DHCP server would eventually hang. While it ran, it would add entries consisting of the MAC address as it failed to pick up the name of the machine.

Is there an easy way to achieve this or do I carry on plugging away with the script? Should, as some people have claimed, reverse entries just happen if you manually create zones? It's tricky to get a definitive answer on this and where people claim it's worked, they don't seem to advertise the method.

Thanks,
Julian

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

--
Borden Grammar School, Avenue of Remembrance, Sittingbourne, Kent, ME10 4DB. Tel: 01795 424192

This e-mail is from Borden Grammar School Trust. This e-mail, together with any files transmitted with it, are confidential, and are intended solely for the use of the individual or entity to whom they are addressed. Any unauthorised dissemination or copying of this e-mail or its attachments, and any use or disclosure of any information contained in them, is strictly prohibited, and may also be illegal. If you are not the intended recipient you must not use, disclose, distribute, copy, print or relay this e-mail.
Please note that any views expressed by an individual within this e-mail, do not necessarily reflect the views of the Borden Grammar School Trust. Borden Grammar School Trust has taken reasonable precautions to ensure no viruses are present in this e-mail, the Academy cannot accept responsibility for any loss or damage arising from the use of this e-mail and/or files attached. Registered office: Borden Grammar School, Avenue of Remembrance, Sittingbourne, Kent, ME10 4DB Registered in England: 07827591 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba 4 and squid ntlm auth
Hi List,

Looking for assistance with a squid authentication problem against Samba 4. The squid proxy we're using worked fine on our old Samba 3 domain with 500+ users but keeps freezing on our new Samba 4 domain. I've joined the proxy using net ads join and the Samba 4 network is a clean build as we wanted to leave any baggage from the old one behind.

What we now have is a situation where Samba 4 authenticates squid using NTLM perfectly up until around 120 users are using it. Once we get above 120, it starts to slow down and as we approach 140 it dies altogether. At this point, we restart Samba and it works perfectly well for a period of about 5 minutes with the 140+ users connected, at which point it will either slow to a crawl then fall over or sometimes will just fall over.

The network has three Samba 4 Domain controllers. Replication works across the three and at any given time, they are running at around 25% CPU load and consuming around 500MB of RAM. All three are 3GHz, quad core Xeons with between 4 and 12GB of RAM.

The odd thing is that at no point when Samba seems to be hanging do we lose access to shares on our fileserver, and I also have Owncloud authenticating via a read only LDAP proxy which is caching. The really odd thing is that I'm not seeing any obvious messages on either squid, the Samba 3 install or the DCs that points towards any major problem. Given the numbers issue, I thought maybe I was hitting a ulimit wall but the hard and soft limits are both unlimited.

Does anyone have a similar setup and any info on where to go from here, i.e. which logs to check, etc.?

The OS details are as follows:

DC1 and DC1 - centos 6.4, Samba 4.0.10 (compiled from source) with internal DNS
DC3 - Debian Squeeze with Samba 4.0.10 (compiled from source) with Bind 9.8 with dlz
Squid proxy - Debian squeeze with Squid 2.7 Stable 9.2 from .deb package
Clients - Windows 7, XP SP3

Cheers,
Julian
[Samba] Samba 4 with LDAP proxy in DMZ
Hi All,

I'm setting up a Samba AD domain which works perfectly with the Win 7 server tools and so far everything is going fine. What has me stumped is setting up an LDAP proxy in our DMZ against which I can authenticate our email and web services.

I've got port 389 open on my main Samba 4 DC and if I use the domain administrator account to bind the proxy, everything works. In order to give a degree of separation however, I've created a user called ldapbindacc and have used the server remote admin tools to delegate control of the directory server to that user with read only access to user and group details.

When I try to access the directory using this account, I get the following error message (the password is definitely correct):

# ldapsearch -LLL -H ldap://127.0.0.1 -b 'dc=bordengrammar,dc=kent,dc=sch,dc=uk' -D 'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W '(sAMAccountName=Test.User)'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been patching things together from various howto's. Has anyone succeeded in this who can give me some tips?

Thanks,
Julian
Re: [Samba] Can not logon to domain
On 02/01/12 12:50, sa...@printflow.eu wrote:

Hi all,

After new year I started getting an error when trying to logon to domain.

On XP machine I get: The system cannot log you on now because the domain DOMAIN is not available.
On Win7: Trust Relationship Between Workstation and Domain Fails

Everything worked well before Christmas; I don't remember any (relevant) changes. I'm getting this error in log:

netlogon_creds_server_check failed. Rejecting auth request from client COMPUTER machine account COMPUTER$

After reading some googled solutions nothing seems to be relevant for me ... I tried to enable WINS - nothing. I set up a new machine, joining it without problem, but now can not logon.

Samba version 3.5.11 (Ubuntu 11.10)
Ldap: 2.4.25
Machines: WinXP and Win7

For the moment we set up a local account to login, but profile is not loaded - as expected - which is kind of blocking.

Note: I have two PDC on net. One works ok (debian testing), other not (ubuntu).

Do you mean you have two PDCs or a primary DC and a backup DC? As I understand it, you can't have multiple Primary Domain Controllers on Samba. PDC is enabled if you have both Domain Logons and Domain Master set to yes. You can demote one to BDC by setting Domain Master to no. Also, only one can be the WINS server. Adding the IP of the WINS server to the network settings on the clients may make it work although it shouldn't be necessary.
Re: [Samba] Cross subnet browsing + OpenVPN
Sorry about the delay, family emergency to deal with.

From what I understand, the remote announce tells the WINS server to broadcast across the remote subnets and remote browse sync shares the info across them. I tried putting the specific IP addresses of the local master browsers into the browse sync but it still doesn't seem to spread everything across all the subnets.

On 06/07/10 13:50, t...@tms3.com wrote:

SNIP

Hi All,

I'm having a problem with cross subnet browsing and name resolution across an openvpn tunnel. I've found quite a few people who've had the same on mail lists but none of their fixes have worked. The spec of the setups at both ends of the tunnel are as follows:

remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
remote browse sync = 192.168.1.255 192.168.2.255

This looks odd to me.

remote announce = wins server ip/DOMNAME
remote browse sync = wins server ip

NEEDED in both smb.conf

wins server = wins server ip

Can't remember default for this setting so

enhanced browsing = Yes

in both smb.conf

DHCP should point clients to headoffice for WINS. WINS proxy is not useful.

OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1

Each server is configured in gateway mode with two NICS, one to the lan and the other to a modem/router. The first machine, HEADOFFICE, has an internal IP address of 192.168.0.1 and an external of 192.168.10.4. The second machine, REMOTE1, has an internal address of 192.168.1.254 and an external of 192.168.20.4.

On openVPN, I have configured client to client and routes and iroutes to allow machines on each network to ping machines at the other end as well as the server IP's. So far so good and I can ping any machine on either subnet from anywhere and get a reply.

The servers are configured as Samba servers with the HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1 machine configured as a BDC and WINS proxy.
[Samba] Cross subnet browsing + OpenVPN
Hi All,

I'm having a problem with cross subnet browsing and name resolution across an openvpn tunnel. I've found quite a few people who've had the same on mail lists but none of their fixes have worked. The spec of the setups at both ends of the tunnel are as follows:

OS - CentOS 5.5
Samba Version 3.5.4
OpenVPN Version 2.0.9-1

Each server is configured in gateway mode with two NICS, one to the lan and the other to a modem/router. The first machine, HEADOFFICE, has an internal IP address of 192.168.0.1 and an external of 192.168.10.4. The second machine, REMOTE1, has an internal address of 192.168.1.254 and an external of 192.168.20.4.

On openVPN, I have configured client to client and routes and iroutes to allow machines on each network to ping machines at the other end as well as the server IP's. So far so good and I can ping any machine on either subnet from anywhere and get a reply.

The servers are configured as Samba servers with the HEADOFFICE machine working as a PDC, DMC and WINS server and the REMOTE1 machine configured as a BDC and WINS proxy. In order to maintain logon facilities in the event of broadband failure, I have replicated the LDAP server from HEADOFFICE to REMOTE1 and updates and password changes propagate successfully from one site to the other.

If I try to access HEADOFFICE from REMOTE1 and REMOTE1's subnet it works perfectly, but trying to access REMOTE1 from HEADOFFICE and its subnet fails on name resolution, while entering \\192.168.1.254\ brings up Windows Explorer and a list of shares.

I've included the remote browse entries in smb.conf on the PDC and have WINS Proxying set up on the BDC but I can't get it to push REMOTE1's IP back to the WINS server. Port scanning the internal IP of each machine from the other end of the tunnel returns a full set of open ports for the services I'm using but no IP.

If anyone can spot what I'm doing wrong I'd be grateful. Thanks.

smb.conf - HEADOFFICE

### Included 2nd subnet for second remote site in browse sync
[global]
workgroup = NEWDOM
netbios name = HEADOFFICE
security = user
enable privileges = yes
interfaces = 192.168.0.1 127.0.0.1
# hosts allow = 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0 194.168.2.0/255.255.255.0 127.0.0.1
remote announce = 192.168.2.255/NEWDOM 192.168.1.255/NEWDOM
remote browse sync = 192.168.1.255 192.168.2.255
wins support = yes
name resolve order = wins hosts bcast
username map = /etc/samba/smbusers
server string = Samba Server %v
encrypt passwords = Yes
ldap ssl = no
unix password sync = yes
ldap passwd sync = no
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = Changing *\nNew password* %n\n *Retype new password* %n\n
#public = yes
#browseable = yes
#lm announce = yes
#browse list = yes
#auto services = yes
log level = 3
syslog = 0
log file = /var/log/samba/log.%U
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
local master = Yes
domain logons = Yes
domain master = Yes
os level = 65
preferred master = Yes
wins support = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=Manager,dc=newdom,dc=ldm
ldap suffix = dc=newdom,dc=ldm
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
add user script = /usr/sbin/smbldap-useradd -m %u
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel %u
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g
#delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

[shared]
comment = shared directory
path = /dat
browseable = yes
read only = no
create mask = 0660
directory mask = 0770

smb.conf - REMOTE1

#
[global]
workgroup = NEWDOM
netbios name = REMOTE1
security = user
enable privileges = yes
interfaces = 192.168.1.254 127.0.0.1
#hosts allow = 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 10.8.0.0/24 127.0.0.1
wins server = 192.168.0.1
wins proxy = yes
username map = /etc/samba/smbusers
name resolve order = wins bcast hosts
server string = Samba
[Samba] Samba multi-site advice request please
Hi all,

I am looking at setting up a multi-site office and need to put a plan forward. The site consists of one head office and several branch offices and my plan so far is this:

In head office, one Samba PDC. Each branch office will have a local BDC that also stores files local to the branch, hopefully cutting down the day to day traffic across the VPN.

The VPN I plan to use is OpenVPN in bridge mode in order to allow broadcasts, e.g. WINS etc., to traverse the connections. All the servers will have their own LDAP server and all will be synced to keep the authentication consistent and reduce VPN traffic.

Each site will have its own DNS, the PDC being the master and the BDCs slaves. The low number of machines involved means I can set the clients to use their local DNS.

The whole plot will be required to run across 2mb SDSL as this is all the budget will stretch to. Every other proposal has involved server 2008 and terminal services but I really want to go down the Linux/Samba route.

Is there anyone out there that has successfully pulled this off and can give me some advice? I've spent a few hours searching Google but there doesn't seem to be any definite info/howtos.

thanks,
Julian PB
Re: [Samba] One way Samba
A quick look through shows hosts allow = 127. 192.77.0. and the interface is bound to 192.168.77.0/24. Add the 168 to the entry in the hosts allowed line and it should work.

Cheers,
Jools

On Wed, 2009-12-02 at 22:49 -0800, wino_pilot wrote:

I am running Samba 2:3.3.2 on a Kubuntu 9.04 Linux box. With the configuration file below the linux box can see and retrieve shared files on all 5 of my windows boxes. However, none of the windows boxes can see the linux shares as they are defined in the smb.conf below. The linux box shows up in the windows network neighborhood as Mercury1 but when I try to open it to show the shares I get the message \\Mercury1 is not accessible. . The network path was not found.

Can anyone help? Please.

[global]
netbios name = Mercury1
server string = Samba file and print server
workgroup = MNET
security = user
hosts allow = 127. 192.77.0.
interfaces = 127.0.0.1/8 192.168.77.0/24
bind interfaces only = yes
remote announce = 192.168.77.255
remote browse sync = 192.168.77.255
printcap name = cups
load printers = yes
cups options = raw
printing = cups
guest account = smbguest
log file = /var/log/samba/samba.log
max log size = 1000
null passwords = no
username level = 6
password level = 6
encrypt passwords = yes
unix password sync = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
domain logons = no
os level = 33
logon drive = m:
logon home = \\%L\homes\%u
logon path = \\%L\profiles\%u
logon script = %G.bat
time server = no
name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = no
dns proxy = no
preserve case = yes
short preserve case = yes
client use spnego = no
client signing = no
client schannel = no
server signing = no
server schannel = no
nt pipe support = yes
nt status support = yes
allow trusted domains = no
obey pam restrictions = yes
enable spoolss = yes
client plaintext auth = no
disable netbios = no
follow symlinks = no
update encrypted = yes
pam password change = no
passwd chat timeout = 120
hostname lookups = no
username map = /etc/samba/smbusers
smb passwd file = /etc/samba/smbpasswd
passwd program = /usr/bin/passwd '%u'
passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd*changed*\n
add user script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null '%u'
add user to group script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null -g '%g' '%u'
add group script = /usr/sbin/groupadd '%g'
delete user script = /usr/sbin/userdel '%u'
delete user from group script = /usr/sbin/userdel '%u' '%g'
delete group script = /usr/sbin/groupdel '%g'
add machine script = /usr/sbin/useradd -d /dev/null -g sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'
machine password timeout = 120
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind use default domain = yes
winbind separator = @
winbind cache time = 360
winbind trusted domains only = yes
winbind nested groups = no
winbind nss info = no
winbind refresh tickets = no
winbind offline logon = no

[homes]
comment = Home Directories
path = /home
read only = no
available = yes
browseable = yes
writable = yes
guest ok = no
public = no
printable = no
share modes = no
locking = no

[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = no
available = yes
browseable = yes
writable = no
guest ok = no
public = no
printable = no
share modes = no
locking = no

[profiles]
comment = User Profiles
path = /var/samba/profiles
read only = no
available = yes
browseable = no
writable = yes
guest ok = no
public = no
printable = no
locking = no
create mode = 0600
directory mask = 0700

[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
writable = no
guest ok = no
public = no
printable = yes
share modes = no
locking = no

[pdf-documents]
path = /home/pdf-documents
comment = Converted PDF Documents
available = yes
browseable = yes
writeable = yes
guest ok = yes

[pdf-printer]
path = /tmp
comment = PDF Printer Service
printable = yes
guest ok = yes
use client driver = yes
printing = bsd
print command = /usr/bin/gadmin-samba-pdf %s %u
lpq command =
lprm command =

[Book]
path = /media/FreeAgent/Drive/Book
comment = Book Chapters
valid users = jon
admin users = jon
read only = no
available = yes
browseable = yes
writable = yes
guest ok = no
public = no
printable = no
share modes = no
locking = no

[Photos]
path = /media/FreeAgent/Drive/Photos
comment = All Photos
valid users = jon
admin users = jon
read only = no
available = yes
browseable = yes
writable = yes
guest ok = no
public = no
printable = no
share modes = no
locking = no
Re: [Samba] Domain Administrator problems - SOLVED
Nice one. rpc rights sorted it out straight away. Should have RTFM'd a bit more ;)

Cheers,
Jools

On Wed, 2008-02-06 at 09:04 -0600, Adam Williams wrote:

you still have to grant toni privileges.

http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html#id353033

Julian Pilfold-Bagwell wrote:

Hi All,

I have a tdbsam backend on Samba PDC and am trying to set a user up as a domain admin. I read that instead of the old admin users line in smb.conf you now use net groupmap to map unix groups to NT groups. I have a user called toni in unix group admins and have run:

net groupmap add rid=512 ntgroup=Domain Admins unixgroup=admins

running:

net groupmap list

gives:

Domain Admins (S-1-5-21-2201139836-2091317229-5964732158-512) - admins

which is the correct sid for the domain, but doing domain admin like things, e.g. gpedit, changing network settings etc., on an XP client leads to warnings that toni is not an administrator.

Is there something I've missed? Setup is Centos 5.1, Samba 3.0.25 and smbusers maps root to administrators.

Thanks,
Jools
[Samba] Domain Administrator problems
Hi All,

I have a tdbsam backend on Samba PDC and am trying to set a user up as a domain admin. I read that instead of the old admin users line in smb.conf you now use net groupmap to map unix groups to NT groups. I have a user called toni in unix group admins and have run:

net groupmap add rid=512 ntgroup=Domain Admins unixgroup=admins

running:

net groupmap list

gives:

Domain Admins (S-1-5-21-2201139836-2091317229-5964732158-512) - admins

which is the correct sid for the domain, but doing domain admin like things, e.g. gpedit, changing network settings etc., on an XP client leads to warnings that toni is not an administrator.

Is there something I've missed? Setup is Centos 5.1, Samba 3.0.25 and smbusers maps root to administrators.

Thanks,
Jools
[Samba] Logging logins with preexec and Samba/LDAP
Hi all,

I had the following line in my smb.conf with which to log access to the home share when users logged in:

preexec = /bin/echo \%u logged in to %m at %T\ /var/log/samba/logons.log

Since updating to LDAP however, it's stopped working and I suspect that smbldap can't handle the % substitutions for user, machine and time.

Has anyone else run into this problem? If so, any help with the solution would be handy.

Thanks,

--
Julian Pilfold-Bagwell, Network Manager, Borden Grammar School, Sittingbourne, Kent, ME10 1EY. Tel: 01795 424192
Re: [Samba] Logging logins with preexec and Samba/LDAP
Mac wrote:

Date: Mon, 01 Oct 2007 13:22:25 +0100
From: Julian Pilfold-Bagwell [EMAIL PROTECTED]
To: Samba mail List samba@lists.samba.org
Subject: [Samba] Logging logins with preexec and Samba/LDAP

I had the following line in my smb.conf with which to log access to the home share when users logged in:

preexec = /bin/echo \%u logged in to %m at %T\ /var/log/samba/logons.log

Since updating to LDAP however, it's stopped working and I suspect that smbldap can't handle the % substitutions for user, machine and time.

Has anyone else run into this problem? If so, any help with the solution would be handy.

Did you upgrade Samba recently? (perhaps at the same time as adding LDAP?) The way things like preexec are handled changed in about 3.0.24 or 25. I can help if that looks like it might be the issue.

Mac
Assistant Systems Administrator @nibsc.ac.uk
[EMAIL PROTECTED]
Work: +44 1707 641565
Everything else: +44 7956 237670 (anytime)

Hiya,

Yup, I upgraded to 3.0.24 at the same time. How's it changed?

Thanks,
Julian

--
Julian Pilfold-Bagwell, Network Manager, Borden Grammar School, Sittingbourne, Kent, ME10 1EY. Tel: 01795 424192
Re: [Samba] Logging logins with preexec and Samba/LDAP
Mac wrote:

Hi there,

Date: Mon, 01 Oct 2007 14:36:26 +0100
From: Julian Pilfold-Bagwell [EMAIL PROTECTED]
Subject: Re: [Samba] Logging logins with preexec and Samba/LDAP

Yup, I upgraded to 3.0.24 at the same time. How's it changed?

It was documented (just about) in the release notes. As the result of a security problem, the way all external commands are invoked has been tightened up. Annoyingly I think 'testparm' doesn't tell you this.

In essence, you can't use any meta characters in the invocation at all. So your \'s will cause the command to be ignored by Samba.

The fix is (in general) to write a tiny shell script that does the right thing. Here's an example from our smb.conf:-

[mydocs]
;root preexec = if [ ! -d /n17/profiles/%u/My Documents ] ;\
; then { mkdir -p /n17/profiles/%u/My Documents ;\
; chown -R %u /n17/profiles/%u ; \
; chmod -R 0700 /n17/profiles/%u ;} ; \
; fi
root preexec = /usr/local/bin/samba-mkdir %u My Documents

The ;-ed lines are what we used to use. Now we use the samba-mkdir script. We had to write the samba-mkdir script which looks like this:-

#!/bin/sh
# Create a per-user directory under /n17/profiles; called from root preexec.
u=${1:?must_specify_user_name}
d=${2:?must_specifiy_directory_to_create}
dir=/n17/profiles/$u/$d
# Quote every expansion so a name containing spaces stays one argument.
if [ ! -d "$dir" ]
then
    mkdir -p "$dir"
    chown -R "$u" "$dir"
    chmod -R 0700 "$dir"
fi

which, as you can see, does much the same thing. We included a tiny bit of error checking (the $ : ? thing) just in case anyone ever tried to run the script outside of Samba.

Does this help?

Mac
Assistant Systems Administrator @nibsc.ac.uk
[EMAIL PROTECTED]
Work: +44 1707 641565
Everything else: +44 7956 237670 (anytime)

Thanks very much both of you. I'll post a copy of the working script along with a SOLVED header when I get it going.

Many thanks again,
All the best,
Julian PB

--
Julian Pilfold-Bagwell, Network Manager, Borden Grammar School, Sittingbourne, Kent, ME10 1EY. Tel: 01795 424192
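The wrapper-script approach from this thread applied to the logon logging line it started with, as an added example that is not code from any of the posters. The script name, install path and log path are assumptions, and the timestamp comes from date instead of %T.

```sh
#!/bin/sh
# Added example, not code from the thread. Called from smb.conf with no shell
# metacharacters on the line (script name and path are assumptions):
#   preexec = /usr/local/bin/samba-logon-log %u %m
# Samba expands %u and %m itself; the quoting and the redirection live here.
LC_ALL=C; export LC_ALL
LOGFILE=${LOGFILE:-/var/log/samba/logons.log}

# valid_name NAME: succeed only for 1-64 characters of [A-Za-z0-9._-].
# %m is supplied by the client, so anything else (spaces, newlines, shell or
# log-field separators) is refused rather than written to the log.
valid_name() {
    case $1 in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# log_logon USER MACHINE: append "USER logged in to MACHINE at TIME" to $LOGFILE.
log_logon() {
    user=${1:?must_specify_user_name}
    machine=${2:?must_specify_machine_name}
    if ! valid_name "$user" || ! valid_name "$machine"; then
        echo "samba-logon-log: refused unsafe user or machine name" >&2
        return 1
    fi
    stamp=$(date '+%Y/%m/%d %H:%M:%S')
    printf '%s logged in to %s at %s\n' "$user" "$machine" "$stamp" >> "$LOGFILE"
}

# Run only when Samba (or a person) passes arguments.
if [ "$#" -gt 0 ]; then
    log_logon "$@"
fi
```

With the default preexec close = no, a refused name does not block the share connection; it only keeps the line out of the log.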
Re: [Samba] RE: migrating samba to new hardware and different OS
Volker Lendecke wrote:

On Sun, Aug 26, 2007 at 03:12:30PM +0200, Andrew Jeremy Gargan wrote:

write list = @agroup, auser, another user

Fedora bug. Change the @ to +.

Volker

Hiya,

It's not just a Fedora bug, it's a change in the way that Samba handles permissions. If you check the release notes you'll find that instead of @Domain Admins for example, you now use a + and, in certain circumstances, the NT domain name.

The example above would therefore go from @Domain Admins to +DOMAIN\Domain Admins and a user e.g. fred goes from fred to DOMAIN\fred.

Substitute DOMAIN for your actual NT domain obviously but you should find this cures all the ills. I was caught out by this one so I make sure I always read the release notes before upgrading now. BTW, I think the change occurred around version 3.0.8.

Cheers,
Jools
[Samba] Windows XP joining Samba/LDAP domain problem (User cannot be found) [SOLVED]
To anyone out there who's having problems joining their Samba/LDAP domain with XP, here's a solution. The main symptom is that the XP join domain GUI returns a user cannot be found error. The setup that I experienced this on was configured and managed using the smbldap-tools package. Usual disclaimer applies: if it fails to work, you are responsible for backing up your installation and no responsibility will be accepted for anything.

The problem arose after I configured my servers to use the Computers organisational unit in LDAP (ou=Computers) to store host names. The process of a Windows/Samba domain member joining a Samba domain is a two stage one as each Samba client has to have a matching Posix account in the LDAP directory. After clicking OK on the client the server first creates the POSIX entry and then adds the SambaSam attributes. For whatever reason, when the ou=Computers entry was used, smbldap-tools added the POSIX entry into the Computers ou but then tried to read it back out from the Users ou. As the entry was non-existent in Users it cannot add the Samba attributes to the POSIX side and hence Windows declares user cannot be found. Some Googling revealed that you can store machine accounts in ou=Users so the solution I found was as follows:

1) Stop LDAP and dump the directory into an ldif file using slapcat -l /root/userdump.ldif

2) Open the LDIF file in a text editor and use search and replace to change all machine account entries from ou=Computers to ou=Users. Note that at the top of your ldif file there's an entry that adds the Computers organisational unit. Do not change this. You can probably delete it but personally I just left it as it was. An easy way to only change the machine name entries is to search for $,ou=Computers and replace it with $,ou=Users as the computer name entries end with $ and will match this pattern.

3) Back up your directory databases using cp -R /var/lib/ldap /root (adjust to match your distro but this works on Redhat/Mandriva). You can also create a second backup using the slapcat command and dumping the ldif file to a safe place.

4) Delete the files in the LDAP database directory, in the above case rm -f /var/lib/ldap/* , and then check the directory to make sure it's empty: ls -la /var/lib/ldap. If you had a DB_CONFIG file in there, copy it back from the backup directory.

5) Run slapadd -v -l /root/userdump.ldif to add the modified ldif file back into LDAP. The -v forces slapadd into verbose mode so you should see all the entries scrolling up the screen as they're added.

6) Change ownership of the ldap directory and its newly created databases to user/group ldap using chown -R ldap.ldap /var/lib/ldap . If you don't do this the server will bitch horribly when you try to start it.

7) Restart your ldap server.

You should now find that the XP client says welcome to the whatever domain when you click OK. As I say, it worked for me after I'd spent hours searching for a solution without finding one. Good Luck!! Cheers, Jools
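Step 2 of the procedure above as a filter, with a check to run on the rewritten file before the database directory is emptied in step 4. This is an added example, not part of the original post; the function names and every DN in sample_ldif are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. DNs in sample_ldif are constructed.
LC_ALL=C; export LC_ALL

# LDIF may fold a long line; a continuation starts with one space (RFC 2849).
# Rejoin folded lines so every DN is compared in full.
ldif_unfold() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1         { print buf }
                        { buf = $0 }
         END            { if (NR > 0) print buf }'
}

# The search-and-replace from step 2: only names ending in "$" move.
move_machine_accounts() {
    ldif_unfold | sed 's/\$,ou=Computers,/$,ou=Users,/g'
}

# One lower-cased DN per entry (DNs compare case-insensitively).
dn_list() {
    ldif_unfold | awk 'index($0, "dn: ") == 1 { print tolower(substr($0, 5)) }'
}

# check_rewrite BEFORE.ldif AFTER.ldif -> 0 when AFTER is safe to load.
check_rewrite() {
    n_before=$(dn_list < "$1" | awk 'END { print NR }')
    n_after=$(dn_list < "$2" | awk 'END { print NR }')
    n_left=$(dn_list < "$2" | awk '/\$,ou=computers,/ { n++ } END { print n + 0 }')
    n_b64=$(awk 'index($0, "dn:: ") == 1 { n++ } END { print n + 0 }' "$2")
    dups=$(dn_list < "$2" | sort | uniq -d)
    rc=0
    [ "$n_before" -eq "$n_after" ] ||
        { echo "entry count changed: $n_before -> $n_after" >&2; rc=1; }
    [ "$n_left" -eq 0 ] ||
        { echo "$n_left machine accounts still under ou=Computers" >&2; rc=1; }
    [ "$n_b64" -eq 0 ] ||
        { echo "$n_b64 base64-encoded DNs were not examined" >&2; rc=1; }
    # A machine that already had an entry under ou=Users now appears twice;
    # slapadd would reject the second copy after the old database is gone.
    [ -z "$dups" ] ||
        { echo "duplicate DNs after the move:" >&2; echo "$dups" >&2; rc=1; }
    # The post says to leave the ou=Computers container entry alone.
    if grep -qi '^dn: ou=computers,' "$1" && ! grep -qi '^dn: ou=computers,' "$2"
    then
        echo "ou=Computers container entry is missing" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample: the container, two machine accounts (one folded), one user.
sample_ldif() {
    cat <<'EOF'
dn: ou=Computers,dc=example,dc=org
objectClass: organizationalUnit
ou: Computers

dn: uid=lab1-pc01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
uid: lab1-pc01$

dn: uid=lab2-pc17$,ou=Computers,dc=exam
 ple,dc=org
objectClass: posixAccount
uid: lab2-pc17$

dn: uid=fred,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: fred
EOF
}
```

Typical use is move_machine_accounts < /root/userdump.ldif > /root/userdump.new.ldif followed by check_rewrite on the two files; only a zero exit status means the new file is ready for slapadd.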
[Samba] smbldap-tools problem
Hi All, I've been trying to run smbldaptools from a PDC using a separate LDAP server but can't join new machines to the domain. I've just noticed that the smbldap.conf file has two entries that declare the pathways to slappasswd and smbpasswd. Does anyone with in-depth knowledge of smbldap tools know if it's possible to run the scripts on a machine that isn't the PDC? Cheers, Jools
[Samba] Profiles with an LDAP backend being overridden
Hi All, I've got LDAP running as the backend to Samba 3.0.24 and am trying to set the profile directories to mandatory for one group of users and roaming for another. To this end I'm using the sambaProfilePath in LDAP but it's getting overridden by something that's setting it to %u. As a result of this, when I log out of an account which points to the mandatory profile, it creates a new profile with the user's username. There's nothing in the smb.conf that refers to a profile directory so I'm assuming this is a default. Is there any way of forcing Samba to follow the LDAP path? Cheers, jools
[Samba] Domain and local user permissions
Hi all, I have a question regarding the separation of domain and local permissions. I have a Samba PDC and BDC setup with three member servers authenticating from them. I've set all the boxes up to use nss_ldap for the Posix side so that all the groupmapping between domain and unix groups across the servers is consistent. All seems to be fine but I can't find any info about setting domain user permissions. When I create a folder or file, I can view the permissions in the Windows properties but these show the owner to be Unix User\username instead of Domain User\username in Windows. I can set the permissions correctly via Windows but pre Samba 3.0.8 (as shown in the docs), chowning a file in Linux would show as a change to the Windows domain account. Is MMC the easiest way to set domain user permissions with the new setup or can I do it easily from a Linux terminal? Thanks, Julian PB
Re: [Samba] Correct method to Join Domain ????
Mike Rushton wrote:

I am testing w/ a PC loaded w/ Centos 5 and Samba (whatever version it came with). I have not had any luck with connecting WinXP clients to it (or anything for that matter). I think my problems stem from not joining the domain correctly. What is the proper method for Win XP or Win 2K? When I get a chance I am gonna connect a PC to my test network. To join a domain, you would need (at least for NT): Name of Domain Admin account, Password for admin account, A unique Network Name for the PC. And you typically (at least thru XP) right click on the Computer Icon, Properties, Network and Join the domain or change machine name to get on. What do you do for Linux / Samba ??? You need, root account, ??? root password ??? Unique machine name ??? Do you try to join domain in same manner or is there a config file you got to edit ??? Any help or advice is welcome.

Hiya, You need this document: http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#wdcsdm There's also additional info in the samba docs at samba.org. Particularly useful are Samba 3 by example and the Samba 3 Howto. Cheers, jools
Re: [Samba] Re: Join Linux client to Samba PDC domain
Matt wrote:

Now I want the same thing in a different environment: CentOS Samba PDC in domain mode and LDAP, Windows XP and Vista clients joined to the Samba domain, Linux File Server (which I don't know how to configure). So I want all the Windows clients to be able to access the shares on my Linux File Server but I want my CentOS Samba PDC to handle the authentication with Single-Sign-On style. How would I configure my Linux Files server? security = domain, server, or? Thanks, Henrik

Hi Henrik, I just did a similar thing setting up an AIX file server with a Linux-based Samba PDC. I'm pretty sure you want to set the Linux file server up as a domain member server: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html You're right on with security=domain. Then you just have to add the LDAP admin stuff to the samba config and secrets database (i.e. smbpasswd -w [LDAP admin passwd goes here], net rpc getsid [domain name here], net rpc join -Uroot%[password goes here]) and a few other config steps outlined in the link I put above... Hopefully that gets you started in the right direction. -Matt

Hiya, You need this document: http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#wdcsdm There's also additional info in the samba docs at samba.org. Particularly useful are Samba 3 by example and the Samba 3 Howto. Cheers, jools
[Samba] Domain and Unix permissions
Hi all, I have a question about setting permissions on files and folders in Samba versions that differentiate between the two. Groups are mapped via net groupmap indicating that setting the UNIX group permissions on a directory will be mapped across to the relevant NT Group but how are UNIX users mapped? I ask because on my LDAP backended Samba 3.0.23c server I can access folders when the Windows XP properties box says they're owned by unix user fred (Unix User/fred) when logged in to an XP box as (NTDOMAIN/fred). Are the two automatically mapped to each other via Samba/LDAP or do I have to set ACLs up using smbcacls? I've read the relevant sections in the By Example and Howto guides but would like clarification before continuing. Cheers, jools
Re: [Samba] can't create workstation account
Hi all, Found this thread while searching for the problem you have and have found a cure that works for me. Whenever joining the domain from a Windows XP machine it was only creating the Posix side of the account and not the sambaSamAccount that's required for a successful account creation. Found the following in another thread from 2005. Basically, change your add machine script in smb.conf from:

    smbldap-useradd -w %u

to

    smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false %m

-d sets the home directory of the machine user to non-existent (/dev/null)
-c sets the gecos and may not be strictly necessary (haven't tried without)
-s sets a non-existent login shell
and most importantly, %m sets the account name to the correct machine name parameter, not user name.

Ironically, if I now run: smbldap-usershow jpb-laptop$ after successfully connecting my laptop to the domain, I get no entry returned. Slapcat'ing my ldap database however, shows the machine account with all the correct Samba and Posix entries and logins work fine. Let me know if this works for you and post it as [Solved] if it does. Cheers, Jools

Sascha Bieler wrote:

`/usr/sbin/smbldap-useradd -w blackhawk$' gave 9

The command smbldap-useradd exit with exit code 9, which means error. It should exit with error 9, try running something like this:

I know, but this means just that account is created and normally it will be overwritten. If I have a look inside ldap I see:

    dn: uid=blackhawk$,ou=Computers,dc=audio,dc=de
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    cn: blackhawk$
    sn: blackhawk$
    uid: blackhawk$
    uidNumber: 1016
    gidNumber: 515
    homeDirectory: /dev/null
    loginShell: /bin/false
    description: Computer
    gecos: Computer
    structuralObjectClass: inetOrgPerson
    entryUUID: 7f9e7c88-9be3-102b-9a0c-c98dc3a52409
    creatorsName: cn=admin,dc=audio,dc=de
    createTimestamp: 20070521123527Z
    entryCSN: 20070521123527Z#01#00#00
    modifiersName: cn=admin,dc=audio,dc=de
    modifyTimestamp: 20070521123527Z

/usr/sbin/smbldap-useradd -w test123$ and see if there is an error

No error and account is added like this:

    dn: uid=blackhawk$,ou=Computers,dc=audio,dc=de
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    cn: blackhawk$
    sn: blackhawk$
    uid: blackhawk$
    uidNumber: 1017
    gidNumber: 515
    homeDirectory: /dev/null
    loginShell: /bin/false
    description: Computer
    gecos: Computer
    structuralObjectClass: inetOrgPerson
    entryUUID: a4194154-9c85-102b-9a0f-c98dc3a52409
    creatorsName: cn=admin,dc=audio,dc=de
    createTimestamp: 20070522075607Z
    entryCSN: 20070522075607Z#01#00#00
    modifiersName: cn=admin,dc=audio,dc=de
    modifyTimestamp: 20070522075607Z

While doing net join from running BDC it works, also debian 4.0. Don't really know what I've done wrong. Thanks for helping and thinking! Sascha
[Samba] Permissions across servers
Hi all, I have a problem that I stumbled across a solution for on a list while searching for something else but can't find again. It's down to permissions propagating from a Samba PDC across member servers. I'm using 3.0.28c which according to the release notes uses the +Domain\group notation for declaring permissions in smb.conf. I am at the following position: LDAP/Samba on the PDC works and I can su to a UNIX/LDAP user's account on the CLI. Getent passwd returns all the users and getent groups returns all the groups. wbinfo -u and -g work as they should and net groupmap list returns groupmappings consistent across all the servers. If I use Windows security properties on XP however I get (Unix User\User). Both the PDC and the member servers are joined to the domain and have the domain SID in smb.conf. So the question really, is when setting unix permissions on files on the member server, how do you differentiate between UNIX and Domain users? The closest I've found to a solution in the last two days was someone with the same question who got the answer "this has been covered elsewhere so I won't go over it again". I'm not being lazy, I have been looking and I'd appreciate the help. Cheers, Jools
Re: [Samba] wbinfo on a PDC
Hi again, The problem I have is that I have a PDC and a member server but the permissions don't seem to propagate from one to another. If I run getent passwd and group I get all the users and groups from the UNIX/LDAP backend and if I run net groupmap list I get identical group mappings on all my servers. wbinfo -u -g return the correct NT user and group lists on the member server but return an error when run on the PDC. I really need to know whether wbinfo should return anything on the PDC or whether being a PDC means it's all handled behind the scenes by Samba and the error message is redundant. Cheers, jools

Marc Muehlfeld wrote:

Hi, simo wrote:

On domain controllers it will not return anything except trusted domains accounts if you have any trust set up.

What is the reason behind this? I have two domains and the users of both domains have to access shares on each other DC. When I start winbind on one PDC, I have the accounts of the other domain on it. But then my local accounts aren't working again (ldap backend). On member server I have the accounts of both domains. Any way to configure this? Regards Marc
[Samba] Samba/LDAP PDC and member servers
Hi All, I have a problem with permissions following a migration from tdbsam to LDAP. As I understand it from the documentation, each member server on the domain needs to have 2 SIDs, a domain SID and a local machine SID. After migrating the server to ldap, users can still login and desktops and servers can still connect so the machine accounts are fine but I've lost access to shares on member servers. I've set the smb.conf to obtain the unix user and group info from the LDAP server and the conditions are met:

1) I can su to a UNIX account on any machine
2) wbinfo -u g return full and correct user group listings.
3) net groupmap list on all servers returns identical map lists
4) logging into any server and running id username produces identical user and group id's

I have 777 as permissions on the share and its parent directory and I have tried valid users, read list and write list with @Group and +NTDomain\groupname with no success. The only member server I can access shares on is one that has the same SID for local and machine although users and groups show up as SERVERNETBIOSNAME\group. It states in the documentation that each member server has different domain and machine SIDs but does that include the PDC? Given that the PDC itself has to be joined to the NT Domain with net rpc join I suspect that's the case but I haven't found anything confirming it. Can anyone elaborate? Cheers, Jools
[Samba] LDAP PDC migration gone wrong.
Hi All, I have a problem following the migration of my PDC's backend from tdbsam to LDAP. We started out with a PDC called SMB1 which ran with a tdbsam backend. I used pdbedit to convert it to LDAP and built a new server onto which the LDIF file was loaded. Samba was then set up to use the LDAP server as a backend. So far so good, Samba runs against LDAP and I was able to add 60 new XP client machines to the network without any problems.

The problem starts however when trying to access Samba domain member servers that have been connected since the PDC upgrade. I go through the process of adding the servers to the domain by setting the domain SID on the member server using setdomainsid and using net rpc join -U admin -S SMB5 to join the domain. The latter command brings up joined domain BGS and after restarting samba and winbind, wbinfo -u and wbinfo -g both return correct lists of users and groups. Getent passwd and getent group both return full lists of users and groups from the UNIX/LDAP side suggesting that nss and pam are successfully communicating with smb5.

The problems start when trying to access shares configured on the member server. If the ownership of the file is set to testuser who is a member of the pupils group, testuser can access it. If the owner is set to admin and the file is grouped to pupils, no-one in the pupils group can access it even with the group perms set to rwx. I suspect that as owner/users can access shares but groups can't that group mapping is stuffed. My questions are therefore as follows.

1) Can I set up smb.conf on member servers to access LDAP directly and abandon winbind? I have two additional separate networks/NT Domains accessing the net via an NTLM_AUTH authenticated squid proxy so I don't know how this will affect them.

2) The domain SID and machine SID on the PDC are the same. Is this correct? winbind on the PDC returns error looking up domain users. I'm quite restricted in what I can try as I have 300 people accessing their shares on the PDC and don't want to make things any worse than they are.

3) net groupmap on the member servers creates a mapping between NT Domain and UNIX users but the SIDs are local domain sids and group permissions seem to fail. Should the Sids in groupmap be local or domain?

Basically, I'm getting confused. Everything worked fine on TDBsam backends and I need help and clarification. Cheers, jools
[Samba] wbinfo on a PDC
Hi all, When running winbind on an LDAP authenticated Samba domain controller should it return lists from wbinfo -u wbinfo or does this not happen on controllers? All I get is Error looking up domain users and I need to know if this is a feature or a problem. Cheers, Jools
Re: [Samba] wbinfo on a PDC
Hiya, My situation is that I have a PDC with LDAP and samba and a member server with samba/winbind. I can get a full NT user and group listing from the member server using wbinfo but the PDC returns the error message. Both give the same results when getent passwd and group are run and net groupmap list produces identical groupmaps but the shares on the member are inaccessible from client PCs. All I really need to know is whether wbinfo -u -g will produce a list of users or groups on the PDC if it is correctly functioning or whether the fact that it's a PDC makes wbinfo redundant. Is the failure to produce a list a fault or a feature ;) Cheers, Jools

Marc Muehlfeld wrote:

Hi, simo wrote:

On domain controllers it will not return anything except trusted domains accounts if you have any trust set up.

What is the reason behind this? I have two domains and the users of both domains have to access shares on each other DC. When I start winbind on one PDC, I have the accounts of the other domain on it. But then my local accounts aren't working again (ldap backend). On member server I have the accounts of both domains. Any way to configure this? Regards Marc
[Samba] Samba / Winbind / LDAP - Can't access shares
Hi All, I have the following setup. Samba/LDAP PDC, Samba BDC, Samba member server, Win2K member server, 300 Win XP Client PCs. I can access the shares on the PDC from all Win XP clients. I can access the shares on the Win2K member server from all XP clients, I can't however access any of the shares on the Samba BDC or Samba member server from the XP clients. LDAP is working fine and PAM/LDAP/NSS are working fine. Getent works for users and groups on all samba servers and net groupmap list provides identical group mapping across all samba servers. I can do things like chmod user.Domain Admins and it works. I can use setfacl and generate acls with Domain groups in them and it works but I cannot access the shares on the Samba servers from anywhere on the network. wbinfo works on the samba member server but cannot lookup users and groups when run on the PDC and BDC. OS's are Mandriva 2007 and Ubuntu Edgy. Samba version is 3.0.23d. All machines names are resolvable via nmblookup and nslookup and I've been through every document and howto I can find as well as loads of Google searches but have not managed to resolve it yet. All help gratefully received. Cheers, Jools SMB Conf's are as follows: PDC: [global] # General Options for domain workgroup = BGS netbios name = SMB5 server string = Samba Server %v log file = /var/log/samba/%m.log max log size = 50 # hosts allow = 172.20.0. 172.20.1. 172.20.2. 127. 
map to guest = bad user security = user encrypt passwords = yes smb passwd file = /etc/samba/smbpasswd # unix password sync = Yes # pam password change = yes # passwd program = /usr/bin/passwd '%u' # passwd chat = *Nadmin1*UNIX*password* %n\n *Re*ype*nadmin1*UNIX*password* %n\n \ # *passwd:*all*authentication*tokens*updated*successfully* # username map = /etc/samba/smbusers include = /etc/samba/smb.conf.%m wins support = yes # wins server = 127.0.0.1 dns proxy = no dos charset = 850 unix charset = ISO8859-1 admin users = BGS\admin3 BGS\admin1 BGS\admin2 +BGS\Domain Admins log level = 10 # winbind separator = + # winbind enum users = yes # winbind enum groups = yes idmap uid = 1-2 idmap gid = 1-2 # winbind use default domain =yes # Tune Samba and detrmine its priority in the Domain socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 # remote announce = 172.20.0.255 172.20.1.255 172.20.2.255 172.20.3.255 local master = yes domain logons = yes wins support = yes os level = 254 domain master = yes preferred master = yes name resolve order = wins lmhosts bcast # Set the paths to the various resources on the Domain domain logons = yes logon script = %G.bat logon path = \\%L\Profiles\%U # Define the interaction between smbldap tools and the server's LDAP backend # ldap password sync = yes unix password sync = Yes passwd program = /usr/sbin/smbldap-passwd -u %u passwd chat = *Nadmin1*password* %n\n *Retype*nadmin1*password* %n\n add user script = /usr/sbin/smbldap-useradd -m '%u' delete user script = /usr/sbin/smbldap-userdel '%u' add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g' set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' add group script = /usr/sbin/smbldap-groupadd '%g' /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}' delete group script = /usr/sbin/smbldap-groupdel '%g' add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -c 
'Machine Account' -s /bin/false '%u' # Allow members of Domain Admins to add machine accounts enable privileges = yes # Define ID backend structure # passdb backend = smbpasswd guest # passdb backend = tdbsam:/etc/samba/passdb.tdb passdb backend = ldapsam:ldap://localhost # In case of compatibility issues # Use the samba2 LDAP schema: # passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd guest idmap backend = ldap:ldap://localhost ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk # ldap ssl = start_tls #ldap port = 389 ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk ldap machine suffix = ou=Hosts ldap user suffix = ou=People ldap group suffix = ou=Group ldap idmap suffix = ou=Idmap # Example for AD-ish layout: # ldap machine suffix = cn=Computers # ldap user suffix = cn=Users # ldap group suffix = cn=Groups # ldap idmap suffix = cn=Idmap # Share Definitions == [homes] comment = Home Directories browseable = no writable = yes veto files =
[Samba] Permissions on Domain Admin created files
Hi All, I have a PDC that serves 800 users all of whom have their own home directory. From time to time, members of the Domain Admins group scan pages for the users and save them into the users' home directories but the permissions for the file are created with the admin as owner. Is there any way of forcing ownership of a file or directory to the owner of the home folder rather than the admin who created the file? Cheers, Jools
[Samba] cracking smbpasswd
Hi all, I'm currently migrating from tdbsam to LDAP and want to restructure my setup at the same time. I can get the SIDs for the user and machine accounts using pdbedit -Lv | grep SID but I have 800 users so I don't want to reset their passwords. So far, I've dumped the contents of the tdbsam database into an smbpasswd backup file and am running john-the-ripper across it. It's succeeding in cracking the passwords but they only come out at max 8 characters and in capitals. Has anyone got any experience with JTR and smbpasswd? All advice gratefully received, Jools
[Samba] tdbsam to LDAP
Hi All, I've found a script for migrating posix accounts to LDAP but does anyone know of a script for migrating tdbsam to LDAP? Cheers, Julian -- J. Pilfold-Bagwell Borden Grammar School Avenue of Remembrance Sittingbourne Kent ME10 4DB (+44) 1795 424192
[Samba] Adding machines and machine based logins
Hi All, I am hoping to set up machine based logins on our Samba server (3.0.21c/RedHat EL4). I have the following lines in the global section to my smb.conf:

    [global]
    add group script = /usr/sbin/groupadd %g
    delete group script = /usr/sbin/groupdel %g
    add user to group script = /usr/sbin/usermod -G %g %u
    passdb backend = tdbsam:/etc/samba/passdb.tdb
    add user script = /usr/sbin/useradd -m %u
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g \
    machines %u

and use tdbsam as the password backend. I've only just noticed though that any machine accounts that have been created during the first attachment to the domain in Windows are not coming out in the machines group. These machines have a primary group that is the same as the machine name and I don't want to change them in case it has an adverse effect. So, the question here is that if I change the primary group of the machines from say machine1$ to machines will that affect anything when I change the login scripts e.g. from loginscript.bat to login.%m and will deleting the existing primary group of a machine affect the info stored in tdbsam? Also, any ideas why

    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g \
    machines %u

is not setting the machines group to machines? Thanks Jools -- J. Pilfold-Bagwell Borden Grammar School Sittingbourne
[Samba] OpenLDAP and Samba - password expiration.
Hi all, I have a Samba PDC with an LDAP backend. Yesterday, I tried to add a new machine to the network and received the following message: The following error occurred attempting to join the domain: The password of this user has expired. Not a problem I thought, and then ran smbldap-usermod -e 2010-12-30 00:00:00 root to extend the password date. If I now try to connect a machine with the root account I receive an error user doesn't exist. If I go to a machine that's already connected to the network and log in as root it lets me in and I can see root's home directory and access the shares. I have the ldif file backed up so I can restore myself back to the initial state whenever I like. Any suggestions would be gratefully received regarding how I can get around this one. Thanks in advance, Jools
[Samba] Samba PDC, LDAP and permissions
Hi all, I have a Samba PDC running on OpenSuSe 10 with LDAP as the backend and am running Mandriva 2006 as a member server with a few shares for users. The PDC seems OK and I've added the member using the instructions in the Samba example documents and I'm at the following point:

OpenLDAP is running on the PDC itself. I can login to Linux as any LDAP user account suggesting that NSS Ldap is functioning correctly. Running getent passwd and getent group on the PDC provide a user and group list confirming I can set user and group ownership on any file or folder to a valid LDAP SambaSAM account and set permissions accordingly and these permissions have the appropriate effect on user's access. The PDC's name is SMB1, the Domain is BGS. If I run net getlocalsid and net getlocalsid BGS on the PDC I receive the same SID in both cases. Smbldap-tools from Idealx.org works fine and I can add, modify and delete user's accounts from the command line without problems. The whole LDAP setup is from the idealx.org example.

Onto the member server (SMB2)... I've only got one domain so I'm not using Winbind, relying instead on the LDAP database on the PDC. The server will authenticate UNIX users and getent returns complete user and group lists. Smb.conf uses ldapsam as the idmap backend and the second server successfully works as a BDC taking logins from clients on the network. There are three users listed as Domain Admins. If any of these users logs into a client and selects a folder or file from a shared directory on the BDC and opens the permissions tab in properties the permission on a folder shows as SMB2\Domain Admins instead of BGS\Domain Admins. If you printscreen the window as the client resolves the SID's however, the SID/RID of the SMB1/Domain Admins group is the same as the SID from the PDC (BGS/Domain Admins). If a domain admin tries to set permission on a folder, it accepts the changes but they vanish from the check boxes after it's been OK'd. The modified permissions do appear in the advanced tab though.

Is there a reason for the difference in Domain names? Does it matter if the SIDs are the same? Have I missed out an important setlocalsid command? Help please, I'm getting stressed ;) Cheers, Jools
[Samba] cupsaddsmb
Hi all,

I'm trying to add printers with cupsaddsmb on Samba 3.0.20 (Mandrake Linux) with an LDAP backend. I've followed the howto on the samba page and have the error: result was WERR_INVALID_PRINTER_NAME generated when I run it. So far I've Googled for the solution but nothing listed has helped. The full set of errors are as follows:

Cupsaddsmb returns:

    [EMAIL PROTECTED] etc]# cupsaddsmb -H SMB1 -h localhost -U BGS\\root -v -a
    Password for BGS\root required to access SMB1 via SAMBA:
    Running command: rpcclient SMB1 -N -U'BGS\root%xx' -c 'setdriver HPCLaJet2550 HPCLaJet2550'
    result was WERR_INVALID_PRINTER_NAME

rpcclient enumprinters returns:

    [EMAIL PROTECTED] etc]# rpcclient -N -Uroot%xx -c enumprinters localhost
    flags:[0x80]
    name:[\\h2lptserver\pdf-gen]
    description:[\\h2lptserver\pdf-gen,,PDF Generator (only valid users)]
    comment:[PDF Generator (only valid users)]
    flags:[0x80]
    name:[\\h2lptserver\HPLaserjet2300]
    description:[\\h2lptserver\HPLaserjet2300,,HP LaserJet 2300]
    comment:[HP LaserJet 2300]
    flags:[0x80]
    name:[\\h2lptserver\HPCLaJet2550]
    description:[\\h2lptserver\HPCLaJet2550,hp color LaserJet 2550 PCL 6,HP Color LaserJet 2550]
    comment:[HP Color LaserJet 2550]

smb.conf is:

    [global]
    workgroup = BGS
    server string = Samba Server %v
    printcap name = cups
    load printers = yes
    printcap cache time = 60
    #printing = cups
    log file = /var/log/samba/%m.log
    max log size = 50
    log level = 3
    map to guest = bad user
    security = domain
    password server = SMB1
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    idmap uid = 1-2
    idmap gid = 1-2
    winbind use default domain = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 10
    idmap backend = ldap:ldap://172.20.0.101
    ldap admin dn = cn=Administrator,dc=mydomain,dc=sch,dc=uk
    ldap suffix = dc=mydomain,dc=sch,dc=uk
    name resolve order = wins lmhosts bcast
    wins server = 172.20.0.101
    dns proxy = no
    dos charset = 850
    unix charset = ISO8859-1

    # Share Definitions ==
    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    # vfs objects = fake_perms

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # to allow user 'guest account' to print.
    guest ok = yes
    public = yes
    writable = no
    printable = yes
    create mode = 0700
    printer admin = adm,root,fred,bert,joe
    # =
    # print command: see above for details.
    # =
    #print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.
    print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).
    #use client driver = yes

    [print$]
    path = /etc/samba/drivers
    browseable = yes
    guest ok = yes
    inherit permissions = yes
    writeable = yes
    write list = @Domain Admins @adm root fred,bert,joe

    [pdf-gen]
    path = /var/tmp
    guest ok = No
    printable = Yes
    comment = PDF Generator (only valid users)
    printing = bsd
    #print command = /usr/share/samba/scripts/print-pdf file path win_path recipient IP
    print command = /usr/share/samba/scripts/print-pdf %s %H //%L/%u %m %I %J
    lpq command = /bin/true

Thanks all,
Jools
Re: [Samba] Samba SIDs
Hiya,

Yep, that was my first thought but I noticed that there are two SIDs relating to the server, the machine SID and the Domain SID. Originally, when I migrated from NT I used net getlocalsid domain to pull the domain SID into secrets.tdb. If I then ran net getlocalsid domain the migrated sid would show. If I run setlocalsid and insert the domain sid into it, it's the machine sid that gets set. The new (incorrect) domain sid stays the same.

I get the feeling that I'm being overcautious but I have 700 users hanging off this one and at the moment they can all log in albeit we can't add/remove users etc. If I change the SID and it goes completely tits I think they may all be at the door with pitchforks and torches ;)

Anyway I suspect I'm missing something really obvious (as usual that damn wood's hiding the trees again)

Cheers,
Jools

On Sunday 20 Nov 2005 02:29, Craig White wrote:
> On Sat, 2005-11-19 at 23:32 +, Julian Pilfold-Bagwell wrote:
>> Hi all, I need help to clear a bit of confusion regarding SIDs on Samba servers. I had my PDC collapse on Thursday which wasn't too much of a problem as I had everything backed up but I'm now in the position that I have a mismatched Domain SID. If I run net getlocalsid I get the sid for the server (called smb0) and net get local sid domain returns the sid for the Domain. I need to recover the original domain SID but setlocalsid changes the SID for the machine. As it is, people can log onto the domain but I can't set up any new accounts or change user details with smbldap-tools.
>
> sounds like all you need to do is run 'net setlocalsid S-1..' with the SID the same as the PDC that collapsed
>
> Craig
Re: [Samba] SAMBA PDC Howto LDAP
More info on Samba/LDAP is available here: http://www.idealx.org/prj/samba/smbldap-howto.en.html

On Saturday 19 Nov 2005 00:08, Jeff Gamsby wrote:
> Here is some info on how to setup a SAMBA PDC and BDC with an LDAP backend
> http://www.cxro.lbl.gov/index.php?content=comp_services/samba_ldap_pdc_howto.htm
[Samba] Samba SIDs
Hi all,

I need help to clear a bit of confusion regarding SIDs on Samba servers. I had my PDC collapse on Thursday which wasn't too much of a problem as I had everything backed up but I'm now in the position that I have a mismatched Domain SID. If I run net getlocalsid I get the sid for the server (called smb0) and net get local sid domain returns the sid for the Domain. I need to recover the original domain SID but setlocalsid changes the SID for the machine. As it is, people can log onto the domain but I can't set up any new accounts or change user details with smbldap-tools.

Any help appreciated,

Cheers,
Jools
[Samba] Critical collapse of Samba/LDAP - Help Please
Hi all,

For the last fortnight I've had a Samba PDC running OpenLDAP 2.3.6 and Samba 3.0.20 running without problem on a 700 user network. Today however, we were setting up mandatory profiles when the whole thing ground to a halt. I suspect hardware failure and plan to work tonight to restore the network for the morning.

I backed up the LDAP database using Slapcat backup.ldif and have set the LDAP server up on a new machine with the ldif loaded which seems fine so far. What I'd like to know is how do I save the Samba server settings to avoid having to log all the machines onto the network again.

Shortly after setting the PDC up I backed up /etc/samba, /var/lib/samba and /var/cache/samba, ran net getlocalsid domain and extracted the Domain SID from the server so I have it stored in a file on a CD-R but is this all I need to restore to the new Samba box?

The original PDC is still running but not well and Samba won't run on it (nmbd hangs). I plan to run a forensic to find out what happened but I need to get the whole plot up again first. Irony is that a BDC and LDAP slave were next on the things to do list but at least I have the files backed up ;)

Cheers all,
Jools
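A check that fits the restore described in this post and the domain SID mismatch in the "Samba SIDs" post above: read the slapcat LDIF and list every Samba SID whose domain part differs from the domain SID saved from the old PDC. This is an added example, not code from the thread; it assumes the sambaSID and sambaPrimaryGroupSID attributes of Samba's LDAP schema, and the sample LDIF, DNs and SIDs are constructed.

```python
import base64
import re
from collections import Counter

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
SID_ATTRS = ("sambasid", "sambaprimarygroupsid")   # compared in lower case

# Constructed sample in the shape of slapcat output; all DNs and SIDs are made up.
EXPECTED = "S-1-5-21-1234567890-2345678901-3456789012"
SAMPLE_LDIF = f"""\
dn: sambaDomainName=BGS,dc=example,dc=org
objectClass: sambaDomain
sambaSID: {EXPECTED}

dn: uid=fred,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: {EXPECTED}-3002
sambaPrimaryGroupSID: {EXPECTED}-513

dn: cn=Administrators,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544

dn: uid=bert,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-987654321-876543210-765432109-3004
sambaPrimaryGroupSID: {EXPECTED}-513
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry, attribute names lower-cased."""
    entries = []
    for block in re.split(r"\n{2,}", text.strip()):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():   # undo LDIF line folding
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                        # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append(attrs)
    return entries

def split_sid(sid):
    """(domain_sid, rid) for S-1-5-21-a-b-c-RID; (sid, None) for a bare domain SID;
    (None, None) for well-known SIDs such as BUILTIN (S-1-5-32-...)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) not in (7, 8):
        return None, None
    return "-".join(parts[:7]), (int(parts[7]) if len(parts) == 8 else None)

def sid_values(ldif_text):
    """Yield (dn, attr, sid, domain_part) for every Samba SID attribute in the LDIF."""
    for entry in parse_ldif(ldif_text):
        for attr in SID_ATTRS:
            for sid in entry.get(attr, []):
                yield entry["dn"][0], attr, sid, split_sid(sid)[0]

def domain_sids_in_use(ldif_text):
    """Count how many SID values belong to each domain SID found in the directory."""
    return Counter(dom for *_, dom in sid_values(ldif_text) if dom)

def audit(ldif_text, expected_domain_sid):
    """List (dn, attr, sid) whose domain part differs from the expected domain SID."""
    return [(dn, attr, sid) for dn, attr, sid, dom in sid_values(ldif_text)
            if dom and dom != expected_domain_sid]
```

The count from domain_sids_in_use shows which domain SID the directory entries actually carry, which is the value the rebuilt server has to report if the existing accounts are to keep resolving.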
[Samba] Multiple Login scripts
Hi all,

Just a quick question about login scripts for a large number of users who change rooms a lot. I have several rooms each with a printer, and nearly a thousand users divided into two main groups - pupils and teachers who change rooms on a routine basis. Is it possible to set up multiple login scripts that would be executed in sequence i.e. run by user is %u, and machine is %m is it possible to say run %u to set up shares followed by %m to set up the right printers for the room they're in?

Thanks in advance...

Cheers,
Jpb

--
Julian Pilfold-Bagwell
Borden Grammar School
Avenue of Remembrance
Sittingbourne
Kent ME10 4DB
Tel: (+44)1795 424192 ext 121
[Samba] RPC Vamp + caps
Hi all,

Am using RPC Vampire to pull accounts from an NT4 PDC to a Linux box. The unit is connected as a BDC and vampire succeeds in extracting accounts on the NT box but only those which match the UNIX password parameters e.g. lower case and starting with a letter. Unfortunately, there are about 500 NT accounts that are with four digit numbers or are capitalised. I used a spreadsheet to drop the usernames to lower case and put an l in front of the numerical usernames to get them to work on Linux. I have generated an smbusers file mapping the names across in the form:

    linux name = nt name

e.g.

    l1000 = 1000
    l1001 = ...
    fred = FRED

etc. but when vampire runs it doesn't seem to see the usermap file. I have the username map = /etc/samba/smbusers in smb.conf and vampire does everything it should other than these accounts.

Any ideas please?

Thanks,
Julian PB
Borden Grammar School
[Samba] Vampire and smbusers map file
Hi All,

I've solved the capital letter NT username problem from the earlier post but still can't get Vampire to pull across accounts with numerical IDs (about 700 of them). Does vampire allow the mapping of UNIX to NT IDs during the transfer or am I stuffed?

Thanks,
Joolz
[Samba] net rpc vampire
Ok folks, here goes:

We have an old NT4 machine that we wish to replace as the PDC on our network. In its place, we've got a dual xeon box with Mandrake LE2005 and Samba 3.0.13-2 and I'm currently trying to draw the accounts over with vampire. I'm using tdbsam as a backend. I've been through several readmes and howtos and have created all the UNIX accounts, mapped unix groups to Windows groups etc and the NT4 server sees it as a BDC.

When I run:

    net rpc getsid -S NTserver -W SCHOOL -Uuser%password

(and the credentials aren't the real ones there) I get:

    Storing SID S-1-5-WHATEVER-THE-SID-IS for Domain SCHOOL in secrets.tdb

If I then run:

    net rpc vampire -S NTServer -W SCHOOL -Uuser%password

it returns

    could not retrieve domain trust secret

Running smb4k I can log into the domain controller and browse all the shares including the admin only ones so I'm sure that that name/password combination is fine.

One other thing is that I get the reply Error domain join verification (reused connection) when I run net rpc join blah blah but according to the nmbd log it is functioning as a BDC - Problem? Also, I can find no way of seeing whether or not the SID was copied into the secrets.tdb file. Is there a way?

The smb.conf is as shown below:

    [global]
    workgroup = SCHOOL
    netbios name = LINUXSERVER
    server string = Samba Server %v
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 3
    hosts allow = xxx.xxx.xxx.xx, xxx.xxx.xxx.xx
    security = user
    encrypt passwords = yes
    passdb backend = tdbsam
    unix password sync = Yes
    passwd program = /usr/bin/passwd '%u'
    passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n \
        *passwd:*all*authentication*tokens*updated*successfully*
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    remote announce = xxx.xxx.xxx.xx, xxx.xxx.xxx.xx
    domain logons = Yes
    local master = No
    domain master = No
    preferred master = No
    os level = 22
    enable privileges = yes
    name resolve order = bcast lmhost wins
    add user script = /usr/sbin/useradd -s /bin/false '%u'
    delete user script = /usr/sbin/userdel '%s'
    add user to group script = /usr/bin/gpasswd -a '%u' '%g'
    delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
    set primary group script = /usr/sbin/usermod -g '%g' '%u'
    add group script = /usr/sbin/groupadd %g getent group '%g'|awk -F: '{print $3}'
    delete group script = /usr/sbin/groupdel '%g'
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -c machine account -s /bin/false %u
    logon path = \\%L\Profiles\%G
    logon script = %G.bat
    logon drive = n:
    logon home = \\xen\%u
    wins support = no
    wins server = xxx.xxx.xxx.xx
    dns proxy = no
Re: [Samba] Re: cupsaddsmb problem
Hi guys,

Thanks for the replies, I just removed the cups-common-1.1-23 package from my box and installed v 1.1.21-0.rc1.7.4 from rpmseek.com. Ran Cupsaddsmb and it worked perfectly first time. Funnily enough 1.1.21 was the version that I first used with point and print on Mandrake 10 and it worked then.

Anyway, cheers again, I'll post a report on the CUPS mailing list,

all the best,
Julian

On Friday 13 May 2005 20:21, A Yagi wrote:
> Thank you for posting this info. I was having exactly the same problem with cupsaddsmb (cups version 1.1.22). Somehow I managed to get it to work by executing individual commands of cupsaddsmb step by step manually. Hope the problem is fixed in a future version of cups.
>
> Akemi
>
> Bruno Guerreiro wrote:
>> Hi, I think that that is more of a cups problem rather than Samba's. I'm having the same problem with cups-1.1.22-0.rc1.8.5 on FC3. cupsaddsmb is adding only the NT4/win9x drivers (if they exist in Samba). Using the cupsaddsmb from cups-1.1.20-11.6 works like a charm.
>>
>> -Original Message-
>> From: Julian Pilfold-Bagwell [mailto:[EMAIL PROTECTED]
>> Sent: sexta-feira, 13 de Maio de 2005 11:39
>> To: samba@lists.samba.org
>> Subject: [Samba] cupsaddsmb problem
>>
>> Hi all, I have a problem with adding point and print to a print server. The server details are as follows:
>>
>>     700MHz Celeron + 384MB RAM
>>     Mandriva LE2005 (Mandrake 10.2)
>>     Samba 3.0.13-2mdk
>>     CUPS 1.1.23
>>     cups drivers 10.2-0.11
>>     gimpprint-cups 2-1.1.23-11
>>     foomatic 3.0.2-1
>>
>> The server is bound to an NT4 based domain (to be replaced with Linux/Samba in the summer) and winbind works fine with wbinfo -u and -g returning a full list of users and groups. Cups works fine printing from Linux clients but when I run cupsaddsmb to deliver the drivers to the XP client machines it fails to copy the files to the named folder.
>>
>> Running the command gives the output below:
>>
>>     [EMAIL PROTECTED] printers]# cupsaddsmb -U jpb -h localhost HPLaserJet5L
>>     Password for jpb required to access localhost via SAMBA:
>>     [EMAIL PROTECTED] printers]#
>>
>> Running it in verbose mode only gives the following:
>>
>>     [EMAIL PROTECTED] printers]# cupsaddsmb -U jpb -h localhost -v HPLaserJet5L
>>     Password for jpb required to access localhost via SAMBA:
>>     Running command: rpcclient localhost -N -U'jpb%pwchanged' -c 'setdriver HPLaserJet5L HPLaserJet5L'
>>     Succesfully set HPLaserJet5L to driver HPLaserJet5L.
>>
>> the final line of which suggests it's worked but the drivers aren't copied to the /var/lib/samba/printers folder and the clients can't find the drivers when p+p is tried.
>>
>> Cheers,
>> Julian PB
[Samba] cupsaddsmb problem
Hi all,

I have a problem with adding point and print to a print server. The server details are as follows:

    700MHz Celeron + 384MB RAM
    Mandriva LE2005 (Mandrake 10.2)
    Samba 3.0.13-2mdk
    CUPS 1.1.23
    cups drivers 10.2-0.11
    gimpprint-cups 2-1.1.23-11
    foomatic 3.0.2-1

The server is bound to an NT4 based domain (to be replaced with Linux/Samba in the summer) and winbind works fine with wbinfo -u and -g returning a full list of users and groups. Cups works fine printing from Linux clients but when I run cupsaddsmb to deliver the drivers to the XP client machines it fails to copy the files to the named folder.

Running the command gives the output below:

    [EMAIL PROTECTED] printers]# cupsaddsmb -U jpb -h localhost HPLaserJet5L
    Password for jpb required to access localhost via SAMBA:
    [EMAIL PROTECTED] printers]#

Running it in verbose mode only gives the following:

    [EMAIL PROTECTED] printers]# cupsaddsmb -U jpb -h localhost -v HPLaserJet5L
    Password for jpb required to access localhost via SAMBA:
    Running command: rpcclient localhost -N -U'jpb%pwchanged' -c 'setdriver HPLaserJet5L HPLaserJet5L'
    Succesfully set HPLaserJet5L to driver HPLaserJet5L.

the final line of which suggests it's worked but the drivers aren't copied to the /var/lib/samba/printers folder and the clients can't find the drivers when p+p is tried.

The smb.conf is shown below:

    [global]
    workgroup = SCHOOL
    server string = A1-lptserver
    netbios name = A1-lptserver
    security = domain
    encrypt passwords = Yes
    password server = NTServer
    public = yes
    browseable = yes
    lm announce = yes
    browse list = yes
    auto services = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    unix charset = ISO8859-15
    os level = 20
    local master = No
    domain master = No
    preferred master = no
    dns proxy = No
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/false
    winbind use default domain = yes
    hosts allow = 10.88.8. 10.88.9. 10.88.10. 10.88.11. 127.
    remote announce = 10.88.8.255
    load printers = yes
    printcap name = cups

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    public = yes
    write list = bm,ew,jpb,@Domain Users,@adm

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    public = yes
    printer admin = bm ew jpb root @Domain Users
    guest ok = yes
    printable = yes
    create mode = 0700

and the permissions are set as follows on the /var/lib/samba/printers folder:

    drwxrwxr-x 7 root domain admins 4096 May 10 15:13 printers/

with the same on the subdirectories. jpb, bm and ew are named as allowed users in the write list and all three are also members of the domain admins group.

Any help with this greatly appreciated. I get the feeling that it's something really obvious that I'm overlooking but I've been going round in circles and can't see the wood for the trees.

Cheers,
Julian PB