[Samba] Win XP logon issues

2004-12-13 Thread Kang Sun
Jeffrey D. Means wrote:

 when trying to log on to my samba server (3.0a24 with LDAP)  I get a 
 message about the domain not being available or the machine account is 
 not available.  In the event log this is what the Netlogon service 
 reports about the error.

 ---
 The domain of this computer, MEANSPC has been downgraded from Windows 
 2000 or newer to Windows NT4 or older. The computer cannot function 
 properly in this case for authentication purposes. This computer needs 
 to rejoin the domain. The following error occurred:
 There are currently no logon servers available to service the logon 
 request.
 ---


Did you ever solve your problem?
I have exactly the same message. But my problem occurred when I migrated XP
clients from a Win2K/AD to a Samba/PDC of the same domain name. This is a
correct message because the domain did downgrade to NT4 style. The question
is how does it find the Logon Servers, what registry parameter to twist to
make it locate NT4 style LOGON Servers?

Please send me mail directly at [EMAIL PROTECTED]

-- Kang Sun
 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] XP Client: Domain Downgraded from Win2K+ to NT4-

2004-11-30 Thread Kang Sun
Greetings!

  I am currently running a Win2K/AD domain in compatible mode. I managed 
to run the vampire procedure to migrate all credentials (SIDs and 
passwords) to Samba/PDC with OpenLDAP backend.
The existing XP clients logon under the Samba/PDC domain without 
re-joining the domain because they expect to locate the domain in Win2K/AD 
way.

Here is the Event View message from NetLOGON

The domain of this computer, AB has been downgraded from Windows 2000 or 
newer to Windows NT4 or older. This computer cannot function properly in 
this case for authentication purposes. This computer needs to rejoin the 
domain. The following error occurred:
There are currently no logon servers available to service the logon 
request.

A logon server is available (the same Samba/PDC) because a new XP client can 
join and logon to the domain with no problem.

The question is how to twist the registry parameter(s) so the existing XP 
clients will look for an NT4 or older style domain?

According to MS Q314861. NT4 uses discovery to find its domain ... 

Any information and suggestions are appreciated. Please respond to

[EMAIL PROTECTED]


-- Kang Sun
 


[Samba] Re: migrating a windows NT domain to samba on redhat linux

2004-09-01 Thread Kang Sun
Samba-3 by Example by John H. Terpstra

Kashif Awan [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hello Gurus!!!
 I am running a windows NT domain with a PDC and a BDC.
 I want to migrate this domain to samba on redhat linux.
 Somebody please tell me some good docs about how to
 migrate NT domain.
 Thanks in advance.
 Regards








[Samba] Re: XP Can't Join Domain

2004-09-01 Thread Kang Sun

Paul Gienger [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 
 I found the problem! It turned out to be an ldap problem after all. I had
 added the machine account to ou=Computers as detailed in most of the
 Samba/LDAP documentation. However, Samba was looking for the machine account
 in ou=People.
 This is actually a well known (to people that read this list for more
 than a couple weeks) bug in the design of samba.  I could swear I got it
 working once on a linux box without reconfiguring pam_nss, but I could
 be wrong.

This error has been corrected in one of the later releases, say 3.0.6, am I
right?

-- Kang





[Samba] W2K and WNT work but not WXP after migration

2004-08-31 Thread Kang Sun
Greetings!

As suggested, I tried samba-3.0.6. After migration, I got users' passwords
working and groups properly populated.

I have three VM machines running NT, 2000, and XP respectively. After migration,
NT and 2000 are still in the domain and authenticate users properly.

However, the XP machine complains it cannot find the domain: The system cannot
log you on now because the domain domainname is not available.

Apparently, the domain is working properly because the other two VM machines
find the domain promptly and the XP machine can sign off and rejoin the domain
without problem.

What I can think of are
1. XP machine password is not migrated properly.
2. XP requires more than NT and 2000 to recognize the domain.
3. Something simple was not set properly for XP.

I disjoin the XP from the domain and rejoin it to the domain again. I notice
some differences other than the obvious sambaNTPassword. Notes that start
with ## are my comments.

Could you please suggest what I should try next? Thanks!

 diff from pdbedit -Lw wxp$ 
41c43
 
WXP$:1989::46680F1DBC75618E481BC846807B98AD:[W 
 ]:LCT-41349858:
---
 WXP$:1989:WXP$## TOTALLY different format

== diff from smbldap-usershow wxp$ 
13,14d12
 sambaNTPassword: 46680F1DBC75618E481BC846807B98AD
 sambaPwdLastSet: 1093965912
17a16,19
 sambaPwdCanChange: 1093978279   ## Added field
 sambaPwdMustChange: 2147483647  ## Added field
 sambaNTPassword: E51265172C0B33B6ADF9F2B8A9AE5070
 sambaPwdLastSet: 1093978279

 diff from pdbedit -Lv wxp$ ===
35,36c37,38
 Password last set:Tue, 31 Aug 2004 11:25:12 GMT
 Password can change:  0
---
 Password last set:Tue, 31 Aug 2004 14:51:19 GMT
 Password can change:  Tue, 31 Aug 2004 14:51:19 GMT   ## different 
format

--- Kang Sun

On Fri, 08/13/2004 05:19 PM, Andrew Bartlett wrote:

 I would look at issues such as the
 domain sid, and machine's sid for its machine account.  Samba does not
 read the LM password.  (Except in a buggy case solved by Samba 3.0.4).

 I always suggest trying with the current code, so grab current SVN and retry.




[Samba] Why both LMPass and NTPass: Migration Issue

2004-08-13 Thread Kang Sun
Greetings!

I am back to work on the vampire migration issues.
It looks like the computers' sambaNTPasswords were migrated 
correctly but the sambaLMPasswords were not!
And it seems that Windows 2000 systems only use sambaNTPasswords 
while Windows XP systems use more than NTPassword.
For Windows 2000 clients, any domain user can login into the system 
without any problem.
With Windows XP systems I got the Domain is not Available error. 
However, they can sign off the domain and rejoin the domain without 
problems. 
Do Windows XP systems need sambaLMPassword?
Did I narrow down the problem a little?

-- Kang
 




Eric J Bennett [EMAIL PROTECTED] 
07/26/2004 08:41 PM

To
Paul Gienger [EMAIL PROTECTED]
cc
Kang Sun [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject
Re: [Samba] Samba/LDAP/PDC Questions






-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Attempting vampire here when everything else works results in user
accounts being created in the LDAP directory (and with a slight ugly
hackish modification to the idealx smbldap-useradd script, posix
accounts being created) and NTLM password hashes being set in the LDAP
tree, and computer accounts being created *but* here is the catch, the
NTLM password hashes for computer accounts are not created.

So if we think of it as a four step process;

1. Create user accounts *OK*
2. Set user account password hashes *OK*
3. Create Machine accounts *OK*
4. Set Machine account password hashes *FAIL*

Of course I'm not bothering to mention the other stuff that it does
cause it's all a bit of black magic to me, but you get the general idea,
it creates user groups as well and associates the appropriate accounts
with the appropriate groups and handles the Unix UID / GID mapping to
the NT equivalent security information.

I'm trying to get more information on the entire process to provide
debug logs to the samba team et al, but I've just been flat out on other
stuff in the meantime which unfortunately has a higher priority than
this at the moment, but I'll endeavour to get the diagnostic info asap,
if someone else wanted to do it before me though, I assume the
interesting stuff would be;

smbd -d 10 -i > smbd.log 2>&1

tcpdump packet capture of traffic between NT PDC and Linux vampire process

strace -f net rpc vampire -S pdc -U administrator%password > vampire.log 2>&1

And try to make sure you're not broadcasting your password hashes in
potentially public bug logs. ^^

What I can tell you from looking at the process so far, is that the NT
PDC is *definitely* providing machine account password hashes, it just
appears that whatever samba should be doing with them, it is not.

Best of luck

Regards

Eric J Bennett



Paul Gienger wrote:
| I'm not at all experienced with the vampire command, but I believe it is
| supposed to bring passwords over.  Perhaps someone can interject here
| who does know what they're talking about???
|
| (note: bringing back on list from an accidental, i suspect, pm)
|
| Kang Sun wrote:
|
|
| Hello Paul,
|
| I have questions on migration. Some other people like Eric
| Bennet and Mike Brodbelt posted the similar questions. But I cannot
| find a definite answer to this question: would vampiring using
| samba/ldap/smbldap-tools actually migrates passwords at all?
|
| If the add user/machine script from smb.conf is the only
| tool vampiring process is calling, it certainly won't create password.
| Below are the conversation between me and Mike. I hope you can help us.
|
| -- Kang
|
| Kang Sun wrote:
|  Hello Mike,
| 
|  I did similar things and have similar problems.
|  I looked at the ldap database, the migration did nothing but get all the
|  names of users and machines.
|  If the smbldap-* scripts are the only things vampire process is calling, I
|  don't see how it would get anything else.
|
| Agreed, although when migrating with a tdbsam backend, the vampire
| process will populate the tdbsam with NT passwords and suchlike, but
| also runs the useradd scripts to add the posix users, so I thought that
| there may be some other data that Samba puts into LDAP directly, not via
| invoking the scripts.
|
| The documentation from John Terpstra's book (available online at
| http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
| suggests that the process should work with an LDAP backend, but I'm
| currently at a loss to see how, and I'm unable to replicate this, even
| on a test network, with various versions of the Idealx smbldap-tools. It
| doesn't appear to work as advertised at the moment.
|
|  After vampiring,
| 
|  1. All the computer accounts and user accounts (posixAccount as well) are
|  created just like being created by smbldap-useradd, with the default
|  parameters as defined in the smbldap.conf or smbldap_config.pm, eg,
|  profiles, logon scripts, etc, user name, etc.
|
| Yes, this seems to work when run from the command line. Vampiring seems

[Samba] LDAP-based NIS server .vs. NIS migration to LDAP?

2004-08-02 Thread Kang Sun

Greetings!

I tried to post this question to openldap group but somehow my post never
showed up there.

Anyway, I built PDC using Samba3 and OPENLDAP and now like to integrate NIS
service to it. I searched the net there are quite a few guides on how to
replace NIS with LDAP.

However, in our environment, we have almost all sorts of Unix platforms,
e.g. Linux (mainly Redhat), Solaris, HPUX, AIX, IRIS, and plus some pretty
old OS versions. They are all NIS clients now but I don't expect they can
all be easily converted to be authenticated against LDAP. For instance, I
don't think all of them have pam and nss ready.

I thought it would be easier if I can somehow build the NIS Server using
LDAP and maintain all NIS slaves and clients as they are, I would have an
easy migration path while achieving the goal of centralizing
authentication/administration of the enterprise-wide accounts on LDAP
server.

Any comments, suggestions, guidance are deeply appreciated.

Sincerely yours,

--- Kang Sun





[Samba] Re: Joining Domain

2004-07-29 Thread Kang Sun
I think with Samba2 you still need to turn off one of the parameters in the
registry. I don't remember the name exactly, something about sign or seal.
-- Kang
[EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
tware.com...
 [EMAIL PROTECTED] (gbengadada)
 Sent by:
 [EMAIL PROTECTED]
 29.07.2004 11:42


 To: [EMAIL PROTECTED]
 cc:
 Subject:[Samba] Joining Domain


 Good Day,

 I downloaded samba-2.2.9, installed and configured it on a Solaris 5.7
 system.

 I have configured it as a PDC, however whenever i try to join the domain
 i have created, Windows ask that i enter a username  and password
 authorized to join systems to the domain.

 Normally with a Windows 2000 server entering the administrators username
 and password will do it, however I get this error message:

 The following error occurred attempting to join the domain
 sambadomain.net:

 Logon failure:unknown user name or bad password.

 How can i correct this error.
 If you try to use Administrator for joining machine to domain you should
 have a User Administrator on Unix-side with uid=0.
 And don't forget to add Administrator to smbpasswd if you use this file
 as backend.
 Then it should work.

 Thanks for your anticipated co-operation
 No problem.

 Christian


[Samba] Re: explain me exactly about ldap

2004-07-27 Thread Kang Sun
I don't know how much you know about Samba or LDAP. Anyway, to use samba as an
authenticator for Windows and Windows users, you need a Unix account for
each machine and user. In the old days, these were stored in /etc/passwd and
some other flat files.

With ldap as a backend, you store everything (Unix account and windows
account) in a directory and there are tools like smbldap-tools to
synchronize the creations of both types of accounts and mapping between
them.

LDAP also makes samba-BDC possible because you can have a second LDAP server
that the BDC associates with.

Hope this helps.

-- Kang
Cristhian Nunez [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

Hi

I wanna know exactly the principal functions of ldap; if it is possible, send
me an example because I'm not very clear about this protocol with samba.

thanks in advance

Cristhian
Dominican Republic



--
Knowing is not enough; one must also apply. Wanting is not enough;
one must also do (Goethe, Johann Wolfgang von).

Regards

Cristhian Nunez
AGB-CDI Dominicana
Abraham Lincoln #154 Edf. Comarno
1er Piso, Mata Hambre
Santo Domingo, Rep. Dom.
AGB changed; you change to AGB
New numbers: (809)620- and (809)947-2727



[Samba] Re: Samba PDC Problem

2004-07-27 Thread Kang Sun
If you tried different configurations for testing, it might end up with
inconsistent SIDs.

net getlocalsid

will show what SID samba thinks it has. See if it is consistent with your
user accounts' SIDs or the administrator's SID in the LDAP server. If not, then you
know where your problem is.

If all your accounts in ldap have a consistent SID but the samba SID is
different, the easiest fix is
net setlocalsid <domain part of SID from LDAP>

Another consideration, have you joined your PDC server into your domain? I
know it is weird but your PDC will not be in your LDAP unless you join it
into the domain. I don't know if this has anything to do with your problem.

The last one is well-documented: on XP you need to set a certain registry
parameter, which I don't remember now, to zero.

Hope this helps.

-- Kang

Kiryl Hakhovich [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hey Michael,

 thanks for a quick response.

 When i try to use BCHECKUP\Administrator it says The parameter is
 incorrect and does not work with ldap at all.

 (BCHECKUP is my domain name)

 I guess something wacky about my configs?

 Thanks.


 Michael Wray wrote:

  Sounds like Samba SID doesn't match SID being sent by XP workstation, which
  btw is what is being sent, not USERNAME Administrator.  To make sure it
  works for Admin's user name send sambamachinename\Administrator as the
  username...then the sid's should match.
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Kiryl
  Hakhovich
  Sent: Monday, July 26, 2004 10:45 AM
  To: [EMAIL PROTECTED]
  Subject: [Samba] Samba PDC Problem
 
 
  Hello guys,
 
  I have a Samba 3.0.4 on FC2, it has LDAP backend. Machine authenticate
  users with no problem.
  However when I try to add XP client to domain, from that workstation, it is
  asking for Administrator password to join to the Domain and then says
  Login failure: unknown user name or bad password. And at the same time
  the record does get inserted into the LDAP!? I can see it right after I got
  message on the screen about error.
 
  Now here is a part from server log:
  --
  Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0]
  passdb/pdb_ldap.c:ldapsam_add_sam_account(1587)
  Jul 26 11:34:13 fileserver smbd[27897]:   ldapsam_add_sam_account: SID
  'S-1-5-21-299320441-2527492060-3102699668-3000' already in the base,
with
  samba attributes
  Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0]
  rpc_server/srv_samr_nt.c:_samr_create_user(2267)
  Jul 26 11:34:13 fileserver smbd[27897]:   could not add user/computer
  kiryha$
  to passdb.  Check permissions?
  --
 
  Note: i can login to linux server with name 'Administrator' and have
  root's privileges, since ldap has uid 0 for Administrator.
 
  smb.conf has line admin users = Administrator
 
  What am I missing?
  Any ideas?
 
 
  Thank you!
 
  Sincerely,
  Kiryl Hakhovich.
 
 


[Samba] Re: Samba3 - LDAP - USRMGR.EXE

2004-07-27 Thread Kang Sun
Just a hunch, I did not test it myself.
In your smb.conf, did you set the add user script to add posix account as
well as Windows account? If so, there might be a problem.
From what I read and understand, the script is supposed to add the Posix account
only, and samba will add the Windows account. If the Windows account is
added by the add user script, then Samba has to delete it or modify it,
which it might not have the privilege for, or some error comes up that does not
mean what it says.

Hope this helps!

-- Kang Sun

[EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
tware.com...
Hello,

have some little problems adding user to domain with USRMGR.EXE
My System runs on SuSE 9.1 (2.6.5-7.75-default), samba-3.0.4,
smbldap-tools-0.8.5, openldap2-2.2.6

If I try to add a new user with USRMGR.EXE I get an error Access denied,
but if I look into LDAP the new user was correctly added to LDAP.
If I confirm the error-message and then cancel the NEW USER Window and
typing F5 for refreshing the USRMGR. I can see the new user.
By double-clicking the new User I am able to make any modification to the
User without any error.
What could be the problem ?

Here is a part of /var/log/messages that
Jul 27 12:36:25 samba3 smbd[2149]: [2004/07/27 12:36:25, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1573)
Jul 27 12:36:25 samba3 smbd[2149]:   ldapsam_add_sam_account: User
'i1' already in the base, with samba attributes
Jul 27 12:36:25 samba3 smbd[2149]: [2004/07/27 12:36:25, 0]
rpc_server/srv_samr_nt.c:_samr_create_user(2267)
Jul 27 12:36:25 samba3 smbd[2149]:   could not add user/computer i1 to
passdb.  Check permissions?

if you need more logs or sambalog with special loglevel just tell me.

The same problem exists when joining a machine to DOMAIN.
On first try = Access denied but correctly added to LDAP
On second try = Welcome to DOMAIN

Thanks for any help.

Christian Wittmer

-
Büro/Office: +49 (0) 6227/385-120
Email: [EMAIL PROTECTED]

InterComponentWare AG
Otto-Hahn-Strasse 3
69190 Walldorf
Zentrale/Main: +49 (6227) 385-100

http://www.intercomponentware.com
http://www.lifesensor.com


[Samba] Migration, which password?

2004-07-27 Thread Kang Sun
Greetings!

It was premature for me to send out a success procedure for migration
yesterday. I overlooked things and I apologize to this group.

Anyway, after migration, computers, users, groups are all created and
filled up with the correct membership. However, I still have the same
problem with machine password and user password. Further looking into the
detail, it looks like samba/ldap does not use LM/NT password for
authentication but expects userPassword, which I assume is posix account
password and did not exist on the original NT4 server.

   Here is my account entry after the migration:
==
dn: uid=ksun,ou=Users,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: ksun
sn: ksun
uid: ksun
uidNumber: 1870
gidNumber: 513
homeDirectory: /u/ksun
loginShell: /bin/tcsh
gecos: System User
description: System User
userPassword: {crypt}x
sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
sambaLogonTime: 1090859130
sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
sambaPwdLastSet: 1069686468
sambaAcctFlags: [NU ]
===

   It looks like the migration does create LM password and NT password.
However, I cannot log in to my account unless I change my password.
This is what my account looks like after smbldap-passwd ksun to the
original password:


-
dn: uid=ksun,ou=Users,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: ksun
sn: ksun
uid: ksun
uidNumber: 1870
gidNumber: 513
homeDirectory: /u/ksun
loginShell: /bin/tcsh
gecos: System User
description: System User
sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
sambaLogonTime: 1090859130
sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
sambaAcctFlags: [U]
sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
sambaPwdLastSet: 1090946249
sambaPwdMustChange: 1094834249
userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==

--
Look at the difference of these two outputs:

+++
12d11
 userPassword: {crypt}x
16a16
 sambaAcctFlags: [U]
18,19c18,20
 sambaPwdLastSet: 1069686468
 sambaAcctFlags: [NU ]
---
 sambaPwdLastSet: 1090946249
 sambaPwdMustChange: 1094834249
 userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
+++
   Surprisingly, neither the NT nor the LM password changed. The difference is
the userPassword, which I assume is the Posix account password, which does
not exist in the old NT PDC at all! Of course the migration won't have the
right password.

I do have ldap passwd sync = Yes in my smb.conf file, questions are:
1. Why does samba/ldap authenticate using posix password instead of LM/NT
passwords?
2. Does it synchronize the userPassword password to the NT/LM password or
the other way around?
3. When does the synchronization happen or get triggered?
4. Is there a way to manually copy the LM/NT password to userPassword
field?

The other difference is the change of the sambaAcctFlag: [U] instead
of [NU  ]. I wonder if that changes anything.

Thanks!

-- Kang








[Samba] Re: Migration, which password?

2004-07-27 Thread Kang Sun
Woa! I actually did the migration correctly, it is just a matter of enabling
login ON!!!

I enabled the Administrator login and my login, and I can actually login
into the domain! Thank you very much!!! But I wonder why it is not turned on
during and/or after the vampiring process by default.

Furthermore, I manually copied the shadow password field and inserted it into
the userPassword field prefixed with {Crypt} and I can also login to the
Unix account!!!

The only obstacle left is that the vampiring process did not seem to set
Machine account password hashes correctly. It is a known problem but no
solution yet according to Eric Bennett. I wonder if there is a way to get
the Machine account password hashes directly from NT PDC and just stick them into
the sambaNTPassword field, like what I did with the userPassword field.

-- Kang Sun

Umberto Zanatta [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 On Tue, 2004-07-27 at 19:22, Kang Sun wrote:

  Greetings!
 
  It was premature for me to send out a success procedure for migration
  yesterday. I overlooked things and I apologize to this group.
 
  Anyway, after migration, computers, users, groups are all created and
  filled up with the correct membership. However, I still have the same
  problem with machine password and user password. Further looking into the
  detail, it looks like samba/ldap does not use LM/NT password for
  authentication but expects userPassword, which I assume is posix account
  password and did not exist on the original NT4 server.


 No, it doesn't.

 Your account was disabled by [NU]; when you modified it with smbldap,
 your account flags
 changed to [U].

 The LDAP backend doesn't require a unix account, but smbldap-tools does samba
 and posix accounts together.

 The NT password is managed in a different way; you can't do unixpass-ntpass
 and vice versa.

 You should do:

 # smbpasswd -e userid

 and userid will be enabled.

 # smbpasswd -d userid

 and userid will be disabled.

 regards.


 
 Here is my account entry after the migration:
  ==
  dn: uid=ksun,ou=Users,dc=ab,dc=com
  objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
  cn: ksun
  sn: ksun
  uid: ksun
  uidNumber: 1870
  gidNumber: 513
  homeDirectory: /u/ksun
  loginShell: /bin/tcsh
  gecos: System User
  description: System User
  userPassword: {crypt}x
  sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
  sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
  sambaLogonTime: 1090859130
  sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
  sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
  sambaPwdLastSet: 1069686468
  sambaAcctFlags: [NU ]
  ===
 
 It looks like the migration does create LM password and NT password.
  However, I cannot log in to my account unless I change my password.
  This is what my account looks like after smbldap-passwd ksun to the
  original password:
 

 --
--
  -
  dn: uid=ksun,ou=Users,dc=ab,dc=com
  objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
  cn: ksun
  sn: ksun
  uid: ksun
  uidNumber: 1870
  gidNumber: 513
  homeDirectory: /u/ksun
  loginShell: /bin/tcsh
  gecos: System User
  description: System User
  sambaSID: S-1-5-21-72881033-379349262-1855928443-5162
  sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-513
  sambaLogonTime: 1090859130
  sambaLMPassword: D2C0998710B6D0D260086A4D2CF0CF0E
  sambaAcctFlags: [U]
  sambaNTPassword: 0457C29D84903BB202DDD57B9958F67A
  sambaPwdLastSet: 1090946249
  sambaPwdMustChange: 1094834249
  userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==

 --
--
  --
  Look at the difference of these two outputs:
 
  +++
  12d11
   userPassword: {crypt}x
  16a16
   sambaAcctFlags: [U]
  18,19c18,20
   sambaPwdLastSet: 1069686468
   sambaAcctFlags: [NU ]
  ---
   sambaPwdLastSet: 1090946249
   sambaPwdMustChange: 1094834249
   userPassword: {MD5}oL1Na14I3VPzA6/fq8Wx5Q==
  +++
 Surprisingly, neither the NT nor the LM password changed. The difference is
  the userPassword, which I assume is the Posix account password, which does
  not exist in the old NT PDC at all! Of course the migration won't have the
  right password.
 
  I do have ldap passwd sync = Yes in my smb.conf file, questions are:
  1. Why does samba/ldap authenticate using posix password instead of LM/NT
  passwords?
  2. Does it synchronize the userPassword password to the NT/LM password or
  the other way around?
  3. When does the synchronization happen or get triggered?
  4. Is there a way to manually copy the LM/NT password to userPassword
  field?
 
  The other difference is the change of the sambaAcctFlag
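
The checks this thread keeps returning to (account SIDs agreeing with the SID from `net getlocalsid`, the `sambaAcctFlags` difference, machine accounts left without an NT hash after vampiring, and the `{crypt}x` placeholder in `userPassword`) can be run over an LDIF export of the migrated directory in one pass. This is an added example, not code from the thread or from the Samba project: the function names, rule names and sample entries are constructed, and the flag letters are read as Samba's account-control letters (N = password not required, D = disabled, W = workstation trust).

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")
# "{crypt}x" (as in the thread), or the usual "*" / "!" markers: no usable Unix password.
UNUSABLE_UNIX_PW = re.compile(r"\{crypt\}[x*!]?", re.IGNORECASE)


def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per LDIF entry."""
    entries, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and last:       # LDIF continuation line
            cur[last][-1] += line[1:]
        else:
            key, sep, value = line.partition(":")
            if sep:
                last = key.strip().lower()
                cur.setdefault(last, []).append(value.lstrip(":").strip())
    if cur:
        entries.append(cur)
    return entries


def domain_sid_from(net_output):
    """Pull the domain SID out of the text printed by 'net getlocalsid'."""
    m = SID_RE.search(net_output)
    if not m:
        raise ValueError("no domain SID found")
    return m.group(0)


def first(entry, attr):
    return entry.get(attr, [""])[0]


def audit(entries, domain_sid):
    """Return (uid, finding) pairs for every Samba account in the export."""
    findings = []
    for e in entries:
        sid = first(e, "sambasid")
        if not sid:
            continue                              # not a Samba account
        uid = first(e, "uid")
        flags = set(first(e, "sambaacctflags").strip("[]").replace(" ", ""))
        if sid.rsplit("-", 1)[0] != domain_sid:   # drop the RID, compare the rest
            findings.append((uid, "sid-mismatch"))
        if "D" in flags:
            findings.append((uid, "disabled"))
        if "N" in flags:
            findings.append((uid, "password-not-required"))
        if not HEX32.fullmatch(first(e, "sambantpassword")):
            findings.append((uid, "no-nt-hash"))
        if "W" not in flags and UNUSABLE_UNIX_PW.fullmatch(first(e, "userpassword")):
            findings.append((uid, "placeholder-unix-password"))
    return findings


# Constructed sample data: SIDs, hashes and names are made up for the example.
NET_OUTPUT = "SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333"
LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
userPassword: {MD5}Y29uc3RydWN0ZWQ=
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [U          ]

dn: uid=bob,ou=Users,dc=example,dc=com
uid: bob
userPassword: {crypt}x
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002
sambaNTPassword: FFEEDDCCBBAA99887766554433221100
sambaAcctFlags: [NU         ]

dn: uid=PC01$,ou=Computers,dc=example,dc=com
uid: PC01$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2001
sambaAcctFlags: [W          ]

dn: uid=carol,ou=Users,dc=example,dc=com
uid: carol
userPassword: {SSHA}Y29uc3RydWN0ZWQ=
sambaSID: S-1-5-21-9-9-9-1003
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaAcctFlags: [DU         ]
"""

if __name__ == "__main__":
    for uid, finding in audit(parse_ldif(LDIF), domain_sid_from(NET_OUTPUT)):
        print(f"{uid}: {finding}")
```
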

Re: [Samba] Samba/LDAP/PDC Questions

2004-07-27 Thread Kang Sun
Hello Eric,
I just want to make sure we are on the same page.
After vampiring, I got all the user accounts, computer accounts, 
groups, and membership created correctly.
For some reason, the login is disabled. Once I do smbpasswd -e 
userid, I am able to login to that account with the right password. So 
the NT password migrated OK.
smbPassword field only contains '{Crypt}x' but once I copied the 
hashed password from NIS map to that field prefixed with {Crypt}, I 
can also login to the Unix account. 
   All together it means that I have ways to make sure the user 
authentication will work fine with Windows and Unix login. But at what 
point and in what way does the password synchronization work and in what 
direction?
   The only remaining obstacle is that the computer authentication failed. 
The computer cannot log into the domain unless I rejoin it to the domain. I 
think this is where you failed also.
  I wonder if there is any way to get all the computer account hashes in text 
format from the original NT PDC and just write a script to stick the hash into 
the corresponding smbNTPassword field, just like what I did with the 
userPassword field. Any suggestions?
  Finally, I did get some kind of smbNTPassword during vampiring, does it 
at least look right? Is there any way I can compare it to the original on 
the NT Server? Here is what my machine account looks like:

  Thanks!

--- Kang Sun

dn: uid=KSUN$,ou=People,dc=ab,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: KSUN$
sn: KSUN$
uid: KSUN$
uidNumber: 1801
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
sambaSID: S-1-5-21-72881033-379349262-1855928443-4737
displayName: KSUN$
sambaLogonTime: 1090863161
sambaNTPassword: BCE2D22F8B6638F72008CA16CDEA1F4D
sambaPwdLastSet: 1089841247
sambaAcctFlags: [W  ]
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-515


  
 



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Attempting vampire here when everything else works results in user
accounts being created in the LDAP directory (and with a slight ugly
hackish modification to the idealx smbldap-useradd script, posix
accounts being created) and NTLM password hashes being set in the LDAP
tree, and computer accounts being created *but* here is the catch, the
NTLM password hashes for computer accounts are not created.

So if we think of it as a four step process;

1. Create user accounts *OK*
2. Set user account password hashes *OK*
3. Create Machine accounts *OK*
4. Set Machine account password hashes *FAIL*

Of course I'm not bothering to mention the other stuff that it does
cause it's all a bit of black magic to me, but you get the general idea,
it creates user groups as well and associates the appropriate accounts
with the appropriate groups and handles the Unix UID / GID mapping to
the NT equivalent security information.

I'm trying to get more information on the entire process to provide
debug logs to the samba team et al, but I've just been flat out on other
stuff in the meantime which unfortunately has a higher priority than
this at the moment, but I'll endeavour to get the diagnostic info asap,
if someone else wanted to do it before me though, I assume the
interesting stuff would be;

smbd -d 10 -i > smbd.log 2>&1

tcpdump packet capture of traffic between NT PDC and Linux vampire process

strace -f net rpc vampire -S pdc -U administrator%password > vampire.log 2>&1

And try to make sure you're not broadcasting your password hashes in
potentially public bug logs. ^^

What I can tell you from looking at the process so far, is that the NT
PDC is *definitely* providing machine account password hashes, it just
appears that whatever samba should be doing with them, it is not.

Best of luck

Regards

Eric J Bennett



Paul Gienger wrote:
| I'm not at all experienced with the vampire command, but I believe it is
| supposed to bring passwords over.  Perhaps someone can interject here
| who does know what they're talking about???
|
| (note: bringing back on list from an accidental, i suspect, pm)
|
| Kang Sun wrote:
|
|
| Hello Paul,
|
| I have questions on migration. Some other people like Eric
| Bennet and Mike Brodbelt posted similar questions. But I cannot
| find a definite answer to this question: would vampiring using
| samba/ldap/smbldap-tools actually migrate passwords at all?
|
| If the add user/machine script from smb.conf is the only
| tool the vampiring process is calling, it certainly won't create passwords.
| Below is the conversation between me and Mike. I hope you can help us.
|
| -- Kang
|
| Kang Sun wrote:
|  Hello Mike,
| 
|  I did similar things and have similar problems.
|  I looked at the ldap database, the migration did nothing but get all
|  the names of users and machines.
|  If the smbldap-* scripts are the only things vampire process is
|  calling, I don't see how it would get anything else.
|
| Agreed, although when migrating
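
The advice above about not posting password hashes in public bug logs can be turned into a pre-posting filter. This is an added example, not code from the thread or from Samba; the function names and the sample text are constructed, and it only covers text logs, not a tcpdump capture file.

```python
import re

REDACTED = "<redacted>"

# 1. LDIF / smbldap-usershow lines that carry password material. A leading
#    quote prefix ("|" or ">") is tolerated so quoted mail text is covered.
LDAP_SECRET = re.compile(
    r"^(?P<head>[ \t|>]*(?:sambaNTPassword|sambaLMPassword|userPassword)::?[ \t]*)"
    r"(?P<value>\S.*)$",
    re.IGNORECASE | re.MULTILINE,
)
# 2. smbpasswd-format output (pdbedit -Lw): 32 hex digits between colons.
SMBPASSWD_HASH = re.compile(r"(?<=:)[0-9A-Fa-f]{32}(?=:)")
# 3. "-U user%password" on a command line, also in the form strace prints
#    for argv: "-U", "user%password".
CLI_CRED = re.compile(
    r'(?P<head>-U(?:",\s*"|\s+)?[^\s%",]+%)(?P<value>[^\s",]+)'
)
# Anything that still looks like an LM/NT hash after redaction.
LEFTOVER_HASH = re.compile(r"\b[0-9A-Fa-f]{32}\b")


def redact(text):
    """Return (clean_text, counts) with password material replaced."""
    counts = {"ldap_attr": 0, "smbpasswd_hash": 0, "cli_password": 0}

    def counted(kind, keep_head):
        def repl(match):
            counts[kind] += 1
            return (match.group("head") if keep_head else "") + REDACTED
        return repl

    text = LDAP_SECRET.sub(counted("ldap_attr", True), text)
    text = SMBPASSWD_HASH.sub(counted("smbpasswd_hash", False), text)
    text = CLI_CRED.sub(counted("cli_password", True), text)
    return text, counts


def residual_hashes(text):
    """List 32-hex tokens no rule caught; review these by hand before posting."""
    return LEFTOVER_HASH.findall(text)


# Constructed sample: every name, password and hash below is made up.
SAMPLE = """\
+ net rpc vampire -S pdc -U administrator%Example-Pass1
execve("/usr/bin/net", ["net", "rpc", "vampire", "-S", "pdc", "-U", "administrator%Example-Pass1"], ...) = 0
dn: uid=WS01$,ou=Computers,dc=example,dc=com
sambaAcctFlags: [W          ]
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaLMPassword: FFEEDDCCBBAA99887766554433221100
userPassword: {crypt}x
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-40F5A1B2:
note: hash 0F0E0D0C0B0A09080706050403020100 pasted inline
"""

if __name__ == "__main__":
    clean, counts = redact(SAMPLE)
    print(clean)
    print("redacted:", counts)
    print("still looks like a hash:", residual_hashes(clean))
```

The last sample line is deliberately one that no rule matches, so `residual_hashes` shows why a final scan is worth running before anything leaves the machine.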

[Samba] Re: NT domain migration to LDAP/SAMBA (password migration)

2004-07-26 Thread Kang Sun
The previous question was about the passwords not being migrated ...

Well, I found one error; at least that was what happened to me.

In the smb.conf file,  I had
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m %u
while it should have been
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -m %u

The add user script is only supposed to add a posix account. The windows account
is migrated and mapped to that posix account.
With the -a option on, a windows account is also created together with the
Posix account. The migration failed because a windows account, with all the
default attributes from smbldap.conf, already exists.

I hope this helps others with similar problems.


-- Kang

Mike Brodbelt [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Kang Sun wrote:

  Hello Mike,
 
  I did similar things and have similar problems.
  I looked at the ldap database, the migration did nothing but get all
  the names of users and machines.
  If the smbldap-* scripts are the only things vampire process is
  calling, I don't see how it would get anything else.


 Agreed, although when migrating with a tdbsam backend, the vampire
 process will populate the tdbsam with NT passwords and suchlike, but
 also runs the useradd scripts to add the posix users, so I thought that
 there may be some other data that Samba puts into LDAP directly, not via
 invoking the scripts.

 The documentation from John Terpstra's book (available online at
 http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
 suggests that the process should work with an LDAP backend, but I'm
 currently at a loss to see how, and I'm unable to replicate this, even
 on a test network, with various versions of the Idealx smbldap-tools. It
 doesn't appear to work as advertised at the moment.


  After vampiring,
 
  1. All the computer accounts and user accounts (posixAccount as well)
  are created just as if created by smbldap-useradd, with the
  default parameters as defined in the smbldap.conf or
  smbldap_config.pm, eg, profiles, logon scripts, etc, user name, etc.


 Yes, this seems to work when run from the command line. Vampiring seems
 to throw up some errors that I've not tracked down yet though.


  2. Users lost their domain membership. All user accounts now
  belong to the Domain Users group. No one is in the Domain Admins group
  except Administrator.
 
  The migration process must have done more than just calling these
  smbldap-tools scripts, but I just don't see the effect.
 
  What do you see if you do
  smbldap-usershow userid or machinename$  ?


 # smbldap-usershow detritus
 dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
 objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
 cn: rwind
 sn: rwind
 uid: rwind
 uidNumber: 1006
 gidNumber: 513
 homeDirectory: /home/rwind
 loginShell: /bin/bash
 gecos: System User
 description: System User
 userPassword: {crypt}x
 sambaPwdLastSet: 0
 sambaLogonTime: 0
 sambaLogoffTime: 2147483647
 sambaKickoffTime: 2147483647
 sambaPwdCanChange: 0
 sambaPwdMustChange: 2147483647
 displayName: System User
 sambaAcctFlags: [UX]
 sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
 sambaLMPassword: XXX
 sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
 sambaProfilePath: \\TALITHA\profiles\rwind
 sambaHomePath: \\TALITHA\home\rwind
 sambaHomeDrive: M:
 sambaNTPassword: XXX

 # smbldap-usershow quirm$
 dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
 objectClass: top,inetOrgPerson,posixAccount
 cn: quirm$
 sn: quirm$
 uid: quirm$
 uidNumber: 1013
 gidNumber: 515
 homeDirectory: /dev/null
 loginShell: /bin/false
 description: Computer


  or smbldap-groupshow groupid  ?


 # smbldap-groupshow Domain Admins
 dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
 objectClass: posixGroup,sambaGroupMapping
 gidNumber: 512
 cn

[Samba] Migration NT4 PDC to Smb3/LDAP/TOOLS: A Success Procedure

2004-07-26 Thread Kang Sun
 will not be migrated.

3. Clean up all the previous ldap and samba entries.
rm -rf /var/lib/ldap/*    # clean up the ldap database
rm -f /var/cache/samba/*  # clean up the cached samba entries.
rm -f /etc/samba/*.tdb    # clean up all the existing tdb files
Note: ** Cleaning up is needed whenever you change your configuration,
otherwise you will have unexpected results. **

4. Get your Domain SID as instructed
net rpc getsid -S PDC server -W Real domain
Also run smbpasswd -w not24get
Run tdbdump /etc/samba/secrets.tdb to see what is in this tdb.

5. Preload the database
Refer to Example 8.3.1
After several trials I realized that I needed to preload a few more
entries to make the migration work!
In addition to the entries suggested, I made additional entries.
*** replace the domain part of SID with the SID you obtain from the above
step ***

dn: ou=Users,dc=ab,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
   Note: This is needed since we hold all users in Users group

dn: cn=Domain Admins,ou=Groups,dc=ab,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
structuralObjectClass: posixGroup
entryUUID: d5c6a642-736b-1028-828a-f4f139c67fb5
sambaSID: S-1-5-21-72881033-379349262-1855928443-512
sambaGroupType: 2
displayName: Domain Admins
description: Designated administrators of the domain
entryCSN: 2004072616:23:12Z#0x0002#0#
  Note: smbtools assumes the Domain Admins group is mapped to GID 512.
Without this entry, the migration will create a Domain Admins group with a
random GID.

   dn: cn=Domain Users,ou=Groups,dc=ab,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
structuralObjectClass: posixGroup
entryUUID: d792f890-736b-1028-828b-f4f139c67fb5
sambaSID: S-1-5-21-72881033-379349262-1855928443-513
sambaGroupType: 2
displayName: Domain Users
description: All domain users
entryCSN: 2004072616:23:15Z#0x0002#0#
  Note: smbldap-tools expects all Domain Users to be mapped to GID 513.
** This entry is important, or you will get a Group 513 does not
exist error during migration. **

dn: cn=Domain Guests,ou=Groups,dc=ab,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Guests
gidNumber: 514
structuralObjectClass: posixGroup
entryUUID: d95eacaa-736b-1028-828c-f4f139c67fb5
creatorsName: cn=Manager,dc=ab,dc=com
createTimestamp: 20040726162318Z
sambaSID: S-1-5-21-72881033-379349262-1855928443-514
sambaGroupType: 2
displayName: Domain Guests
description: All domain guests
entryCSN: 2004072616:23:18Z#0x0002#0#
Note: I am not sure how important this is.

dn: uid=Administrator,ou=Users,dc=ab,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Administrator
sn: Administrator
uid: Administrator
uidNumber: 0
gidNumber: 512
homeDirectory: /u/Administrator
loginShell: /bin/tcsh
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: eb4d3030-736b-1028-8296-f4f139c67fb5
sambaSID: S-1-5-21-72881033-379349262-1855928443-500
sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-512
description: Built-in account for administering the computer/domain
sambaLogonTime: 1090857052
sambaLogoffTime: 981830074
sambaLMPassword: A97D5AFE0D3EF79944CBCFC86460DB9E
sambaNTPassword: 015B5326F969E4741241A45F1C734BAD
sambaPwdLastSet: 1052497723
sambaAcctFlags: [UX ]
entryCSN: 2004072616:23:49Z#0x0001#0#
Note: smbldap-tools expects the Administrator account to have UID 0 and GID 512.
Without this entry, the migration process will create an unprivileged
Administrator account.

6. Now run the preload
slapadd -v -l preload.LDIF
Note: ldap daemon should be up at this point.
chown ldap:ldap /var/lib/ldap/*
Note: This changes the owner and group to ldap.
/etc/init.d/ldap start

7. Join your server into domain
net rpc join BDC -S PDC Server -W REAL domain -U
Administratoradmin passwd
Note, samba should not run at this time. Otherwise you will get Cannot
Set Creds error.

8. Vampiring 
net rpc vampire -S PDC server -U administrator%admin passwd
Note, samba should not run at this time. Otherwise you will get Cannot
Set Creds error.

Let me know if I missed any step.

Good luck!

--- Kang Sun
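
A check that could be run over a directory dump after the preload and vampire steps above, flagging the conditions this thread keeps running into: SIDs that do not carry the domain SID from step 4, preloaded groups with the wrong GID, and machine entries that have only the posixAccount half. This is an added example, not part of the original post or of smbldap-tools; the function names, the SIDs and the sample entries are constructed.

```python
import re

# GIDs the procedure's notes require for the preloaded groups; the matching
# RIDs are the well-known ones for these groups.
WELL_KNOWN_GROUPS = {"Domain Admins": 512, "Domain Users": 513}
NT_HASH = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_entries(text):
    """Parse LDIF or smbldap-usershow output into a list of attr dicts.

    Accepts one objectClass per line (LDIF) and the comma-joined form that
    smbldap-usershow prints. Folded (continued) LDIF lines are not handled.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, value = (part.strip() for part in line.split(":", 1))
        attr = attr.lower()
        if attr == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            values = value.split(",") if attr == "objectclass" else [value]
            current.setdefault(attr, []).extend(v.strip() for v in values)
    return entries


def first(entry, attr):
    return entry.get(attr, [""])[0]


def audit(text, domain_sid):
    """Return (dn, problem) pairs for entries that would break domain logons."""
    findings = []
    for entry in parse_entries(text):
        dn, uid, cn = first(entry, "dn"), first(entry, "uid"), first(entry, "cn")
        classes = {c.lower() for c in entry.get("objectclass", [])}
        sid = first(entry, "sambasid")

        # Every SID must carry the domain part obtained from the old PDC.
        for attr in ("sambasid", "sambaprimarygroupsid"):
            value = first(entry, attr)
            if value and value.rsplit("-", 1)[0] != domain_sid:
                findings.append((dn, f"{attr} {value} is outside {domain_sid}"))

        # Machine accounts need the Samba half, not just posixAccount.
        if uid.endswith("$"):
            if "sambasamaccount" not in classes:
                findings.append((dn, "machine account lacks sambaSamAccount"))
            else:
                if not NT_HASH.match(first(entry, "sambantpassword")):
                    findings.append((dn, "machine account lacks sambaNTPassword"))
                if "W" not in first(entry, "sambaacctflags"):
                    findings.append((dn, "sambaAcctFlags is not a [W] trust account"))

        # Group mappings the procedure preloads with fixed GIDs.
        if "sambagroupmapping" in classes and cn in WELL_KNOWN_GROUPS:
            want = str(WELL_KNOWN_GROUPS[cn])
            if first(entry, "gidnumber") != want:
                findings.append((dn, f"gidNumber should be {want}"))
            if sid and sid.rsplit("-", 1)[1] != want:
                findings.append((dn, f"sambaSID RID should be {want}"))
    return findings


# Constructed sample: the SIDs, names and hash are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = f"""\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: {DOMAIN_SID}-512

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 1003
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-513

dn: uid=WS01$,ou=Computers,dc=example,dc=com
objectClass: top,inetOrgPerson,posixAccount
uid: WS01$
gidNumber: 515

dn: uid=WS02$,ou=Computers,dc=example,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
uid: WS02$
sambaSID: {DOMAIN_SID}-4737
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaAcctFlags: [W          ]
"""

if __name__ == "__main__":
    for dn, problem in audit(SAMPLE, DOMAIN_SID):
        print(f"{dn}: {problem}")
```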




[Samba] Re: samba PDC

2004-07-23 Thread Kang Sun
something like
net rpc join -W domainname -U Administrator%password

-- KS

my diva [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 hi...mailers

 i have a PDC server. and i have two clients using windows and Linux. In
windows client no problem but in Linux client i have the problem. so...how
to join linux client in my PDC server?

 i need help because this is my project.
 thanks..

 regards

 Rian





[Samba] Re: NT domain migration to LDAP/SAMBA

2004-07-23 Thread Kang Sun
Hello Mike,

I did similar things and have similar problems.
I looked at the ldap database, the migration did nothing but get all the
names of users and machines.
If the smbldap-* scripts are the only things vampire process is calling, I
don't see how it would get anything else.

After vampiring,

1. All the computer accounts and user accounts (posixAccount as well) are
created just as if created by smbldap-useradd, with the default
parameters as defined in the smbldap.conf or smbldap_config.pm, e.g.,
profiles, logon scripts, user name, etc.
2. Users lost their domain membership. All user accounts now belong
to the Domain Users group. No one is in the Domain Admins group except
Administrator.

The migration process must have done more than just calling these
smbldap-tools scripts, but I just don't see the effect.

What do you see if you do
smbldap-usershow userid or machinename$  ?
or smbldap-groupshow groupid  ?

-- Kang Sun


Mike Brodbelt [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,

 I'm attempting to migrate an NT4 domain to Samba3, and getting quite
 frustrated with stuff that seems not to work as advertised. I'd
 appreciate any help.

 I've set up an OpenLDAP server, and Samba 3, configured it as a BDC, and
 tried running net rpc vampire. This all works, and Samba does the
 appropriate stuff to try and populate the LDAP database. The scripts
 I've got configured are:-


 add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
 delete user script = /usr/local/sbin/smbldap-userdel '%u'
 add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
 delete group script = /usr/local/sbin/smbldap-groupdel '%g'
 add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
 delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u'
 '%g'
 set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
 add machine script = /usr/local/sbin/smbldap-useradd -w '%u'

 All the scripts are from the IdealX tools, version 0.8.5. I've set up
 the directory, and run smbldap-populate against it first, to check all
 is OK. When I symlink all the smbldap scripts to a test rig that just
 prints how it was called to a log file, and then run vampire, I get this:-


 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Admins
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Users
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Guests
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Wizards
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Watchmen
 Command line: /usr/local/sbin/smbldap-useradd.pl -a -m Administrator
 Command line: /usr/local/sbin/smbldap-useradd.pl -a -m Guest
 Command line: /usr/local/sbin/smbldap-useradd.pl -w WYRMBERG$
 Command line: /usr/local/sbin/smbldap-useradd.pl -a -m rwind
 Command line: /usr/local/sbin/smbldap-useradd.pl -a -m nogg
 Command line: /usr/local/sbin/smbldap-useradd.pl -a -m gwax
 Command line: /usr/local/sbin/smbldap-useradd.pl -a -m carrott
 Command line: /usr/local/sbin/smbldap-useradd.pl -a -m detritus
 Command line: /usr/local/sbin/smbldap-useradd.pl -a -m tfairy
 Command line: /usr/local/sbin/smbldap-useradd.pl -w UBERWALD$
 Command line: /usr/local/sbin/smbldap-useradd.pl -w quirm$
 Command line: /usr/local/sbin/smbldap-useradd.pl -w TALITHA$
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Account Operators
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Administrators
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Backup Operators
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Guests
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Print Operators
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Replicator
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Server Operators
 Command line: /usr/local/sbin/smbldap-groupadd.pl -p Users


 This is all being done on a test domain, with fake users at the moment,
 before I try a real environment.

 From the command line, I can add users and groups using the commands
 above, and all seems to work. Yet, when I actually try the vampire with
 the real scripts in place, I get errors like this:-

 Creating unix group: 'Wizards'
 Creating unix group: 'Watchmen'
 Creating account: Administrator
 /usr/local/sbin/smbldap-useradd: user Administrator exists
 Could not create posix account info for 'Administrator'
 Creating account: Guest
 Could not create posix account info for 'Guest'
 Creating account: WYRMBERG$
 Could not create posix account info for 'WYRMBERG$'
 Creating account: rwind
 Could not create posix account info for 'rwind'

 Why do I get this Could not create posix account info message, and
 what does it mean?

 Also, running pdbedit -Lw after vampiring generates:-



Administrator:4294967295::XX
XX:[U
  ]:LCT-:
 nobody:65534:NO PASSWORDX:NO
 PASSWORDX:[NU

[Samba] Re: Samba Multiple Subnets

2004-07-22 Thread Kang Sun
smb.conf can have the following statements that might help you.

 interfaces = eth0, lo
 bind interfaces only = Yes

-- Kang
Honey Bajaj [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,

  I have installed Samba 3.0.5 pre1 as PDC and two domain member servers
with winbind which is catering to two subnets containing only windows 9x
clients, the samba PDC is also configured as Wins server. The PDC and the
member servers are in the same subnet i.e. 192.168.1.0/24, and the other
subnet 192.168.2.0/24 is separated by a linux router, now how can I make the
windows 9x clients to domain logon  from the second subnet (192.168.2.0/24)
which only contains windows 9x clients, I have added the wins server address
on all the clients in both the subnets, but from the second subnet my
windows 9x clients are unable to logon to domain. Please suggest me some
solution.

  Thanks,
  Honey


[Samba] Re: Problem with Authnication from NT

2004-07-20 Thread Kang Sun
I have the same problem.

The log file said:
# [2004/07/20 21:46:47, 0]
passdb/pdb_ldap.c:ldapsam_update_sam_account(1512)

# ldapsam_update_sam_account: failed to modify user with uid = king$, error:
modify/delete: sambaPrimaryGroupSID: no such value (Success)

# [2004/07/20 21:46:49, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(271)

# ldapsam_delete_entry: Entry must exist exactly once!

I tried 'smbldap-useradd -w King$'. It does not seem to add the
SambaSID.

# smbldap-useradd -w king$
# smbldap-usershow king$
dn: uid=king$,ou=Computers,dc=sunix,dc=com
objectClass: top,inetOrgPerson,posixAccount
cn: king$
sn: king$
uid: king$
uidNumber: 1023
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer

Forcing creation of a Samba account with option -a gives me an error:
# smbldap-useradd -a -w king$
Can't call method get_value on an undefined value at
/usr/sbin/smbldap-useradd line 152, DATA line 283.

Using pdbedit also has problems:
# pdbedit -a -m  -u king
ldapsam_add_sam_account: failed to modify/add user with uid = king$ (dn =
uid=king$,ou=Computers,dc=sunix,dc=com)
Unable to add machine! (does it already exist?)

I started to think the add machine script must be wrong or something.

Please help somebody.

-- Kang

Hi Samba Guru's...

  I have a problem connecting from a windows NT workstation to Samba server.
It is working fine for Windows XP and Windows 2000. Samba not logging any
information about that Windows NT m/c. Here i am giving the smb.conf file.
Please try to help me to work it for Win NT also.

Here is my Configuration file.

Thanks in advance for any help.
# Global Parameters

[global]

netbios name = avengr03

workgroup = avengr03

map to guest = Bad User

passwd program = /usr/bin/passwd %u

passwd chat = *New*password* %n\n *Retype*new*password %n\n
*passwd:*all*authentication*tokens*updated*sucessfully*

# Debug Logging Information


Log Level = 2

max log size = 1000

# log file = /var/log/samba/samba.log.%m

socket options = TCP_NODELAY IPTOS_LOWDELAY

wins support = yes

# Networking configuration Options

Hosts Allow = *.*.*.*

[Proj1]

comment = Proj1 directory

path = /engr/proj1

read only = No

valid users = @tec,pvasireddy,pbuenros,dan,dsteffen,scollins

[Proj2]

comment = Proj2 directory

path = /engr/proj2

read only = No

valid users = @tec,pvasireddy,pbuenros,dan,dsteffen,scollins


[Samba] Re: Re: Samba/LDAP/PDC Questions

2004-07-20 Thread Kang Sun
Hello Paul,

Thank you for the help. Now I am back to my original question: I cannot add
NT4 machine to the samba domain!

I tried to use the Identification changes from NT4 system to sign into the
domain, it said The machine account for this computer does not exist or is
inaccessible.

The log file said:

[2004/07/20 21:46:47, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1512)

ldapsam_update_sam_account: failed to modify user with uid = king$, error:
modify/delete: sambaPrimaryGroupSID: no such value (Success)

[2004/07/20 21:46:49, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(271)

ldapsam_delete_entry: Entry must exist exactly once!



I tried  'smbldap-useradd -w King$'.  It does not seem to add  the
SambaSID.

# smbldap-useradd -w king$
# smbldap-usershow king$
dn: uid=king$,ou=Computers,dc=sunix,dc=com
objectClass: top,inetOrgPerson,posixAccount
cn: king$
sn: king$
uid: king$
uidNumber: 1023
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer

Forcing creation of a Samba account with option -a gives me an error:
# smbldap-useradd -a -w king$
Can't call method get_value on an undefined value at
/usr/sbin/smbldap-useradd line 152, DATA line 283.

Using pdbedit also has problems:
# pdbedit -a -m  -u king
ldapsam_add_sam_account: failed to modify/add user with uid = king$ (dn =
uid=king$,ou=Computers,dc=sunix,dc=com)
Unable to add machine! (does it already exist?)

I started to think the add machine script must be wrong or something.

-- Kang






[Samba] Re: Problem with Authnication from NT

2004-07-20 Thread Kang Sun
OK, I just figured out how to do it.

My NT4 workstation is called king.
Use 'smbldap-useradd -w king' to add the posixAccount: king$.
Then use 'smbpasswd -a -m king' to add the samba account. You will have
# smbldap-usershow king$
dn: uid=king$,ou=Computers,dc=sunix,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: king$
sn: king$
uid: king$
uidNumber: 1025
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
sambaSID: S-1-5-21-1242048156-3479289135-3828126537-3050
sambaPrimaryGroupSID: S-1-5-21-1242048156-3479289135-3828126537-2031
displayName: king$
sambaPwdCanChange: 1090385089
sambaPwdMustChange: 2147483647
sambaLMPassword: FE250117FB90641FAAD3B435B51404EE
sambaNTPassword: 0FBD58B776542B3CB589E0D8F686A3A7
sambaPwdLastSet: 1090385089
sambaAcctFlags: [W  ]

Then log into NT4 and change its identification from workgroup to domain,
without creating a new account.

Hope this works for you guys, too!
--- Kang


Kang Sun [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I have the same problem.

 The log file said:
 # [2004/07/20 21:46:47, 0]
 passdb/pdb_ldap.c:ldapsam_update_sam_account(1512)

 # ldapsam_update_sam_account: failed to modify user with uid = king$,
error:
 modify/delete: sambaPrimaryGroupSID: no such value (Success)

 # [2004/07/20 21:46:49, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(271)

 # ldapsam_delete_entry: Entry must exist exactly once!

 I tried 'smbldap-useradd -w King$'. It does not seem to add the
 SambaSID.

 # smbldap-useradd -w king$
 # smbldap-usershow king$
 dn: uid=king$,ou=Computers,dc=sunix,dc=com
 objectClass: top,inetOrgPerson,posixAccount
 cn: king$
 sn: king$
 uid: king$
 uidNumber: 1023
 gidNumber: 515
 homeDirectory: /dev/null
 loginShell: /bin/false
 description: Computer

 Forcing creation of a Samba account with option -a gives me an error:
 # smbldap-useradd -a -w king$
 Can't call method get_value on an undefined value at
 /usr/sbin/smbldap-useradd line 152, DATA line 283.

 Using pdbedit also has problems:
 # pdbedit -a -m  -u king
 ldapsam_add_sam_account: failed to modify/add user with uid = king$ (dn =
 uid=king$,ou=Computers,dc=sunix,dc=com)
 Unable to add machine! (does it already exist?)

 I started to think the add machine script must be wrong or something.

 Please help somebody.

 -- Kang
 
 Hi Samba Guru's...

   I have a problem connecting from a windows NT workstation to Samba
server.
 It is working fine for Windows XP and Windows 2000. Samba not logging any
 information about that Windows NT m/c. Here i am giving the smb.conf file.
 Please try to help me to work it for Win NT also.

 Here is my Configuration file.

 Thanks in advance for any help.
 # Global Parameters

 [global]

 netbios name = avengr03

 workgroup = avengr03

 map to guest = Bad User

 passwd program = /usr/bin/passwd %u

 passwd chat = *New*password* %n\n *Retype*new*password %n\n
 *passwd:*all*authentication*tokens*updated*sucessfully*

 # Debug Logging Information


 Log Level = 2

 max log size = 1000

 # log file = /var/log/samba/samba.log.%m

 socket options = TCP_NODELAY IPTOS_LOWDELAY

 wins support = yes

 # Networking configuration Options

 Hosts Allow = *.*.*.*

 [Proj1]

 comment = Proj1 directory

 path = /engr/proj1

 read only = No

 valid users = @tec,pvasireddy,pbuenros,dan,dsteffen,scollins

 [Proj2]

 comment = Proj2 directory

 path = /engr/proj2

 read only = No

 valid users = @tec,pvasireddy,pbuenros,dan,dsteffen,scollins


[Samba] Re: Re: Samba/LDAP/PDC Questions

2004-07-20 Thread Kang Sun
OK, I just figured out how to do it.

My NT4 workstation is called king.
Use 'smbldap-useradd -w king' to add the posixAccount: king$.
Then use 'smbpasswd -a -m king' to add the samba account. You will have
# smbldap-usershow king$
dn: uid=king$,ou=Computers,dc=sunix,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: king$
sn: king$
uid: king$
uidNumber: 1025
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
sambaSID: S-1-5-21-1242048156-3479289135-3828126537-3050
sambaPrimaryGroupSID: S-1-5-21-1242048156-3479289135-3828126537-2031
displayName: king$
sambaPwdCanChange: 1090385089
sambaPwdMustChange: 2147483647
sambaLMPassword: FE250117FB90641FAAD3B435B51404EE
sambaNTPassword: 0FBD58B776542B3CB589E0D8F686A3A7
sambaPwdLastSet: 1090385089
sambaAcctFlags: [W  ]

Then log into NT4 and change its identification from workgroup to domain,
without creating a new account.

Thanks anyway!

==
Kang Sun [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hello Paul,

 Thank you for the help. Now I am back to my original question: I cannot
add
 NT4 machine to the samba domain!

 I tried to use the Identification changes from NT4 system to sign into the
 domain, it said The machine account for this computer does not exist or is
 inaccessible.

 The log file said:

 [2004/07/20 21:46:47, 0]
passdb/pdb_ldap.c:ldapsam_update_sam_account(1512)

 ldapsam_update_sam_account: failed to modify user with uid = king$, error:
 modify/delete: sambaPrimaryGroupSID: no such value (Success)

 [2004/07/20 21:46:49, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(271)

 ldapsam_delete_entry: Entry must exist exactly once!



 I tried  'smbldap-useradd -w King$'.  It does not seem to add  the
 SambaSID.

 # smbldap-useradd -w king$
 # smbldap-usershow king$
 dn: uid=king$,ou=Computers,dc=sunix,dc=com
 objectClass: top,inetOrgPerson,posixAccount
 cn: king$
 sn: king$
 uid: king$
 uidNumber: 1023
 gidNumber: 515
 homeDirectory: /dev/null
 loginShell: /bin/false
 description: Computer

 Forcing creation of a Samba account with option -a gives me an error:
 # smbldap-useradd -a -w king$
 Can't call method get_value on an undefined value at
 /usr/sbin/smbldap-useradd line 152, DATA line 283.

 Using pdbedit also has problems:
 # pdbedit -a -m  -u king
 ldapsam_add_sam_account: failed to modify/add user with uid = king$ (dn =
 uid=king$,ou=Computers,dc=sunix,dc=com)
 Unable to add machine! (does it already exist?)

 I started to think the add machine script must be wrong or something.

 -- Kang






[Samba] Re: Profiles

2004-07-16 Thread Kang Sun
In the smb.conf there should be a section called [profiles]; it specifies
the path=/var/samba/profiles/%U or something similar, and I read somewhere
the mode to that directory has to be 1777.

Hope this helps.

-- Kang

B.Rumsey [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi all,
 I have just installed Suse 9.1 and samba 3.02a. I have set samba up as a
PDC.
 I am able to log into  it but windows complains about not being able  to
find
 the profile. I have created the dir /var/lib/samba/profiles/ and the users
 folders.

 1: Where  can I find the windows default profile?
 2: Can this be edited (default win profile )?

 Thanks in advance

 Barry