Hi. Reading docs I found

THIS

pdbedit -P "minimum password age" -C 5184000
(limit for validity of the password set for 60 days)

pdbedit -P "maximum password age" -C 7776000
(maximum period for validity of the password set for 90 days)

after u set ur policies restart samba and confirm policies/information made to user:

pdbedit -L -v samba_user

AND THIS

-P account-policy
    Display an account policy
    Valid policies are: minimum password age, reset count minutes, disconnect time, user must logon to change password, password history, lockout duration, min password length, maximum password age and bad lockout attempt.

I hope that helps you!

Regards,
Losnak, André.

---------- Forwarded message ----------
From: Marcelo Terres <[email protected]>
To: [email protected]
Date: Fri, 5 Feb 2010 16:02:24 -0200
Subject: [Samba] Domain account policies

Hi.

I'm using samba 3.4.3.

if I set my domain account policies with pdbedit (for example: min password length 8, password history 4 and maximum password age 90 days), is it possible to change this default policies for some users ?

Thanks,

Marcelo H. Terres
[email protected]
****************************************
ICQ: 6649932
MSN: [email protected]
Jabber: [email protected]
http://twitter.com/mhterres
http://identi.ca/mhterres
****************************************
http://mundoopensource.blogspot.com/
http://www.propus.com.br
Sent from Porto Alegre, RS, Brazil

2010/2/5 <[email protected]>

> Send samba mailing list submissions to
>        [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.samba.org/mailman/listinfo/samba
> or, via email, send a message with subject or body 'help' to
>        [email protected]
>
> You can reach the person managing the list at
>        [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of samba digest..."
>
> Today's Topics:
>
>   1. Windows 7 samba domain trust relatioshiop (John Drescher)
>   2. Re: Windows 7 samba domain trust relatioshiop (John Drescher)
>   3. Re: windows 7 machine account fails to authenticate against
>      samba PDC (graham)
>   4. Domain account policies (Marcelo Terres)
>   5. Claimed Zero Day exploit in Samba. (Jeremy Allison)
>   6. Re: smbpasswd issue in a migration.
>      (Gabriel Burgos Informatica)
>   7. using RPCS printer driver for a P&P printer (Richard Gansterer)
>   8. winbind: only domains option/patch (Julian Regel)
>   9. IPv6 name resolution problem (Ernesto Silva)
>  10. Re: 3.3 and 3.4 compile failure on dbwrap (Jeff Block)
>
>
> ---------- Forwarded message ----------
> From: John Drescher <[email protected]>
> To: samba <[email protected]>
> Date: Fri, 5 Feb 2010 11:56:47 -0500
> Subject: [Samba] Windows 7 samba domain trust relatioshiop
> I have upgraded both my PDC and BDC to samba-3.4.5 and restarted
> samba. Then I applied the registry changes to windows 7 as listed in
> the wiki. Anyways I joined the domain without problems but when I go to
> login I get a trust relationship error.
>
> In my eventlog I see the following:
>
> The session setup to the Windows NT or Windows 2000 Domain Controller
> \\VS_LDAP1 for the domain RADIMG failed because \\VS_LDAP1 does not
> support signing or sealing the Netlogon session. Either upgrade the
> Domain controller or set the RequireSignOrSeal registry entry on this
> machine to 0.
>
>
> \\VS_LDAP1 is the BDC if that matters. I am using a ldap domain with ssl
> off.
>
> I tried against the wiki advice to set the RequireSignOrSeal to 0 but
> that gave me a different error:
>
> This computer could not authenticate with \\VS_LDAP1, a Windows domain
> controller for domain RADIMG, and therefore this computer might deny
> logon requests. This inability to authenticate might be caused by
> another computer on the same network using the same name or the
> password for this computer account is not recognized. If this message
> appears again, contact your system administrator.
>
> Any ideas where to start.
> --
> John M. Drescher
>
>
>
> ---------- Forwarded message ----------
> From: John Drescher <[email protected]>
> To: samba <[email protected]>
> Date: Fri, 5 Feb 2010 12:24:48 -0500
> Subject: Re: [Samba] Windows 7 samba domain trust relatioshiop
> On Fri, Feb 5, 2010 at 11:56 AM, John Drescher <[email protected]>
> wrote:
> > I have upgraded both my PDC and BDC to samba-3.4.5 and restarted
> > samba. Then I applied the registry changes to windows 7 as listed in
> > the wiki. Anyways I joined the domain without problems but when I go to
> > login I get a trust relationship error.
> >
> > In my eventlog I see the following:
> >
> > The session setup to the Windows NT or Windows 2000 Domain Controller
> > \\VS_LDAP1 for the domain RADIMG failed because \\VS_LDAP1 does not
> > support signing or sealing the Netlogon session. Either upgrade the
> > Domain controller or set the RequireSignOrSeal registry entry on this
> > machine to 0.
> >
> >
> > \\VS_LDAP1 is the BDC if that matters. I am using a ldap domain with ssl off.
> >
> > I tried against the wiki advice to set the RequireSignOrSeal to 0 but
> > that gave me a different error:
> >
> > This computer could not authenticate with \\VS_LDAP1, a Windows domain
> > controller for domain RADIMG, and therefore this computer might deny
> > logon requests. This inability to authenticate might be caused by
> > another computer on the same network using the same name or the
> > password for this computer account is not recognized. If this message
> > appears again, contact your system administrator.
> >
> > Any ideas where to start.
>
> Cancel that. User error. I forgot to restart samba on the BDC so it
> was still running the old version..
>
> --
> John M. Drescher
>
>
>
> ---------- Forwarded message ----------
> From: graham <[email protected]>
> To: [email protected]
> Date: Fri, 05 Feb 2010 17:45:02 +0000
> Subject: Re: [Samba] windows 7 machine account fails to authenticate
> against samba PDC
> a slight change in the log entries now, as below.
> I don't know why (I don't think I've changed anything), but there is an
> extra log entry showing the host is in the passdb, but getpwnam() is
> failing.
> However, the machine name is definitely in /etc/passwd.
> Can anyone cast any light on this apparent inconsistency, or what I might
> do to diagnose the problem further?
>
>
> [2010/02/05 17:19:16, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7HOST machine account WIN7HOST$
> *[2010/02/05 17:19:23, 1] auth/auth_util.c:577(make_server_info_sam)
>   User WIN7HOST$ in passdb, but getpwnam() fails!*
> [2010/02/05 17:19:23, 0] auth/auth_sam.c:355(check_sam_security)
>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>
>
>
>
>
> graham wrote on 03/02/2010 17:09:
>
>> Hello all,
>>
>> I've added my windows7 client to the domain (samba running as pdc),
>> having applied the registry changes identified here
>> (http://wiki.samba.org/index.php/Windows7).
>>
>> Partial success - domain users can login and see shares etc, BUT:
>>
>> 1 - the registry settings in ntlogon/NTConfig.POL are not applied. Am I
>> right in thinking that windows 7 ignores this policy?
>> And if so I therefore need to put the appropriate registry settings into
>> a logon script?
>>
>>
>> 2 - every time a domain user logs in to the windows7 host smbd reports
>> an error:
>>
>> [2010/02/02 19:07:51, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7HOST machine account WIN7HOST$
>> [2010/02/02 19:07:52, 0] auth/auth_sam.c:355(check_sam_security)
>>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>>
>> This only occurs for the windows7 client (not XP clients).
>> What does this mean, is it a problem, and how do I fix it?!
>>
>>
>> 3 - periodic errors reported by nmbd:
>> Packet send failed to 192.168.10.8(138) ERRNO=Operation not permitted
>>
>> That's the ipaddress of the windows7 client.
>> Actually, looking back in the logs I see this has occasionally happened
>> for all but one of the xp clients too.
>> Again, what does this error mean, is it a problem, how would I fix it?
>>
>>
>> 4 - windows7 client bombards the server on port 389 (ldap)
>> No idea why, no other (xp) clients do this. I'm guessing it /might/ be
>> part of question 2 above ,ie. maybe the win7 client is trying to
>> authenticate against ldap??
>>
>> rgds all,
>> graham.
>>
>>
>
>
>
>
> ---------- Forwarded message ----------
> From: Marcelo Terres <[email protected]>
> To: [email protected]
> Date: Fri, 5 Feb 2010 16:02:24 -0200
> Subject: [Samba] Domain account policies
> Hi.
>
> I'm using samba 3.4.3.
>
> if I set my domain account policies with pdbedit (for example: min password
> length 8, password history 4 and maximum password age 90 days), is it
> possible to change this default policies for some users ?
>
> Thanks,
>
> Marcelo H. Terres
> [email protected]
> ****************************************
> ICQ: 6649932
> MSN: [email protected]
> Jabber: [email protected]
> http://twitter.com/mhterres
> http://identi.ca/mhterres
> ****************************************
> http://mundoopensource.blogspot.com/
> http://www.propus.com.br
> Sent from Porto Alegre, RS, Brazil
>
>
>
> ---------- Forwarded message ----------
> From: Jeremy Allison <[email protected]>
> To: [email protected], [email protected], [email protected]
> Date: Fri, 5 Feb 2010 10:17:22 -0800
> Subject: [Samba] Claimed Zero Day exploit in Samba.
> Claimed Zero Day exploit in Samba.
>
> A user named "kcopedarookie" posted what they claim to
> be a video of a zero-day exploit in Samba on youtube
> yesterday here:
>
> http://www.youtube.com/watch?v=NN50RtZ2N74&aia=true
>
> The video shows modifications to smbclient allowing
> /etc/passwd to be downloaded from a remote server.
>
> The issue is actually a default insecure configuration
> in Samba.
>
> Quick FAQ: What do I do !
> -------------------------
>
> Set:
>
> wide links = no
>
> in the [global] section of your smb.conf and restart
> smbd to eliminate this problem.
>
> Longer FAQ: The real issue
> --------------------------
>
> The problem comes from a combination of two features in
> Samba, each of which on their own are useful to Administrators,
> but in combination allow users to access any file on the system
> that their logged in username has permissions to read (this is
> not a privilege escalation problem).
>
> By default Samba ships with the parameter "wide links = yes",
> which allows Administrators to locally (on the server) add
> a symbolic link inside an exported share which SMB/CIFS clients
> will follow.
>
> As an example, given a share definition:
>
> [tmp]
>        path = /tmp
>        read only = no
>        guest ok = yes
>
> The administrator could add a symlink:
>
> $ ln -s /etc/passwd /tmp/passwd
>
> and SMB/CIFS clients would then see a file called "passwd"
> within the [tmp] share that could be read and would allow
> clients to read /etc/passwd.
>
> If the "wide links" parameter is set to "no", any attempt
> to read this file will fail with an "access denied" error.
>
> The problem occurs as Samba allows clients using the UNIX
> extensions (which are also turned on by default) to create
> symlinks on remotely mounted shares on which they have write
> access that point to any path on the file system.
>
> This is by design, as applications running on UNIX clients
> may have good reasons to create symlinks anywhere on the
> filesystem they have write access that point to local files
> (such as /etc/passwd).
>
> UNIX clients will resolve these links locally, but Windows
> clients will resolve them on the server. It is this combination
> that causes the problem.
>
> All future versions of Samba will have the parameter
> "wide links" set to "no" by default, and the manual
> pages will be updated to explain this issue.
>
>
>
> ---------- Forwarded message ----------
> From: "Gabriel Burgos Informatica" <[email protected]>
> To: <[email protected]>, <[email protected]>
> Date: Fri, 5 Feb 2010 00:48:17 -0300
> Subject: Re: [Samba] smbpasswd issue in a migration.
> Hi, thank you for answer, in the new server tells (8.04),
>
> r...@server:~# which -a smbpasswd
> /usr/bin/smbpasswd
>
> r...@server:~# ls -l /usr/bin/smbpasswd
> -rwxr-xr-x 1 root root 1307112 2007-02-05 22:14 /usr/bin/smbpasswd
>
> In the ubuntu 5.10 (original server),
>
>
> r...@sever:~# which -a smbpasswd
> /usr/bin/smbpasswd
> /usr/bin/X11/smbpasswd
>
> r...@sever:~# ls -l /usr/bin/smbpasswd
> -rwxr-xr-x 1 root root 1307112 2007-02-05 22:15 /usr/bin/smbpasswd
>
>
> Thanks,
>
> g.
>
> -----Original message-----
> From: [email protected] [mailto:[email protected]] On behalf of Helmut Hullen
> Sent: Friday, 05 February 2010 04:10 a.m.
> To: [email protected]
> Subject: Re: [Samba] smbpasswd issue in a migration.
>
> Hello, Gabriel,
>
> You wrote on 04.02.10:
>
> > My problem is when I try to change an user's password. To change from
> > the original server a password I use the command smbpasswd "user" and
> > it works; but when I try to do the same in the new server I get this
> > error bash: /usr/bin/smbpasswd no such file or directory exist.
>
> What tells
>
>   which -a smbpasswd
>   ls -l /usr/bin/smbpasswd
>
>
> > I try to change the password with passwd but then it doesn't allow me
> > to log on a windows's terminal with the new password.
>
> That's simple: "passwd" changes (only) the Linux password, and
> "smbpasswd" only changes the Samba password.
>
> Best regards!
> Helmut
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>
> ---------- Forwarded message ----------
> From: Richard Gansterer <[email protected]>
> To: [email protected]
> Date: Fri, 05 Feb 2010 17:38:57 +0100
> Subject: [Samba] using RPCS printer driver for a P&P printer
> Hi,
>
> I'm wondering if anyone has had experience with using RPCS printer
> drivers in a P&P printer share.
> Installing the driver onto samba went without a problem (followed the
> Samba howto "chapter 21: Add Printer Wizard Driver Installation") but
> after that, every time i try to access the printer properties
> it takes sometimes minutes to open or just doesn't come up at all (same
> behavior when i open the properties locally on the installed printer or
> directly on the server as a printer admin). So i either can't
> set up any default printer properties or it takes so long that its not
> worth the waiting time (if the properties windows shows up, every action
> i do in there will also have such a long delay).
>
> I can't find any error/denied or similar messages (or simply smth that
> would stand out of the usual) in the log files (loglevel 3). I can
> install the drivers on the
> WS by hand and use samba just for the printer queue fine (per-machine
> printer). But since i will have to install more printers i wanted to use
> the point&print method since it saves a lot of hassle.
>
> The printer is a NRG DSc424 and im using Windows XP. The same thing
> works fine with the official PCL6 drivers and i might have to settle for
> that in the end but the RPCS drivers give a better quality.
> It's not a permission problem either, using either root or a user with
> the SePrintOperatorPrivilege right (also it would probably show up in
> the log files otherwise).
>
> If anyone knows what the cause for those delays might be (even if its
> just that RPCS is simply slow in combination with samba) i'd be really
> happy to know. :)
>
> Thanks
> Richard
>
>
>
> ---------- Forwarded message ----------
> From: Julian Regel <[email protected]>
> To: [email protected]
> Date: Fri, 5 Feb 2010 09:26:20 -0800 (PST)
> Subject: [Samba] winbind: only domains option/patch
> Hi.
>
> In January 2009 a patch was sent to this list that introduced the "winbind:
> only domains" option to smb.conf (
> http://lists.samba.org/archive/samba-technical/2009-January/062706.html).
> This provides the inverse of "winbind: ignore domains" and the creator of
> the patch explained that this was more useful (to him) than having to
> explicitly exclude domains.
>
> Can anyone confirm if this patch was accepted, and if so, what version of
> Samba supports winbind: only domains?
>
> If the patch has not been accepted, is there a particular reason why not?
>
> Thanks
>
> JR
>
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Ernesto Silva <[email protected]>
> To: [email protected]
> Date: Fri, 5 Feb 2010 16:40:40 -0200
> Subject: [Samba] IPv6 name resolution problem
> Hi, I'm trying to set up a small network over IPv6. It will have IPv4 too
> but the dhcp server may not work and Ubuntu (9.04) automatically configure a
> .local domain IPv6 addresses, so I must run the samba server and clients
> over IPv6.
>
> Only one machine will act as a server, but samba is up and running in all of
> them.
>
> The problem is that smbclient can't resolve the server's name, my probes
> from the client follows:
>
> ping6 -Ieth0 ipv6_server_address     works fine
> smbclient -L ::1                     works fine
> smbclient -L ipv6_client_address     works fine
> smbclient -L client_name.local       fails with NT_STATUS_BAD_NETWORK_NAME
>
> smbclient -L ipv6_server_address     fails with NT_STATUS_INVALID_HANDLE
> smbclient -L server_name.local       fails with NT_STATUS_BAD_NETWORK_NAME
>
> As I mentioned both client and server IPv6 addresses are in local scope:
> fe80:0:0:0:x:x:x:x/64
>
> I'm also using avahi-daemon with IPv6 enabled and my nsswitch.conf host's
> line is:
>
> hosts: files mdns_minimal [NOTFOUND=return] mdns dns
>
> An strace reveals this: RESOLVE-HOSTNAME-IPV4, but not IPV6 apparently.
>
> Any ideas?
> Best regards,
> Ernesto.
>
>
>
> ---------- Forwarded message ----------
> From: "Jeff Block" <[email protected]>
> To: [email protected]
> Date: Fri, 05 Feb 2010 10:47:47 -0800
> Subject: Re: [Samba] 3.3 and 3.4 compile failure on dbwrap
> On 2/5/10 6:23 AM, "Gaiseric Vandal" <[email protected]> wrote:
> > I also have problems using this gcc bundled with the Sun freeware tools
> > (/usr/sfw/bin/gcc.) I had more luck with using gcc from
> > sunfreeware.com. In hindsight I think it may have just been a matter
> > of setting CPPFLAGS and LDFLAGS correctly. You may also find that the
> > samba build on sunfreeware meets your needs. (zfs support seems lacking
> > - which shouldn't matter for solaris 9, and you may still need to
> > compile the nss_winbind modules.)
> >
> > I also installed OpenLDAP from Sunfreeware.com. The Solaris native ldap
> > client does not seem to have full functionality for Active Directory
> > support (may not be an issue for you.) I think Sun compiles Samba
> > using a Mozilla LDAP SDK.
> >
> > This is how I ended up compiling Samba using Sunfreeware GCC.
> >
> > #PATH=/usr/swf/bin:/usr/ccs/bin:$PATH
> > #PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
> > #LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY_PATH
> > #LD_LIBRARY_PATH=/usr/local/samba-3.4.5:$LD_LIBRARY_PATH
> > #export LD_LIBRARY_PATH
> >
> > #export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/include"
> > #export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"
> >
> > #./configure --prefix=/usr/local/samba-3.4.5
> > --with-shared-modules=vfs_zfsacl
> > --with-privatedir=/etc/samba/private --with-lockdir=/var/samba/locks
> > --with-configdir=/etc/samba --enable-nss-wrapper
> >
> > #make
> > #make install
> >
> > I think I may need to have manually copied nss_winbind.so.1 file to
> > /usr/local/samba-3.4.5/lib
> >
> >
> > On 02/04/10 17:51, Jeff Block wrote:
> >>
> >> I'm having problems compiling a newer version of samba (3.3.x or 3.4.x) on
> >> solaris 9. We are currently running 3.0.23d and have been putting off
> >> upgrading for far too long.
> >>
> >> I've tried gcc and sun studio 12 cc with the same issues when it comes to
> >> compiling dbwrap.c. I can't seem to find anything on google that's related
> >> to my issue.
> >>
> >> Here's my configure line when using gcc:
> >>
> >> ./configure --prefix=/netopt --with-automount \
> >> --with-configdir=/usr/local/samba --localstatedir=/var/log/samba \
> >> --infodir=/netopt/share/info --mandir=/netopt/share/man \
> >> --with-privatedir=/usr/local/samba/private --with-krb5=/netopt \
> >> --with-libiconv=/netopt --with-utmp --with-winbind CC=gcc \
> >> CFLAGS='-I/netopt/include' LD=gcc LDFLAGS='-L/netopt/lib -R/netopt/lib' \
> >> --with-syslog-facility=local7
> >>
> >> When it finally gets to compiling dbwrap.c, here's what I see:
> >>
> >> Compiling lib/dbwrap.c
> >> lib/dbwrap.c:58:46: macro "fetch" passed 4 arguments, but takes just 1
> >> lib/dbwrap.c: In function `dbwrap_fallback_parse_record':
> >> lib/dbwrap.c:58: warning: assignment makes integer from pointer without a cast
> >> lib/dbwrap.c:186:38: macro "store" passed 3 arguments, but takes just 2
> >> lib/dbwrap.c: In function `dbwrap_store':
> >> lib/dbwrap.c:186: error: incompatible types in assignment
> >> lib/dbwrap.c:196:41: macro "fetch" passed 4 arguments, but takes just 1
> >> lib/dbwrap.c: In function `dbwrap_fetch':
> >> lib/dbwrap.c:196: warning: comparison between pointer and integer
> >> The following command failed:
> >> gcc -I../lib/zlib -I/netopt/include -I/netopt/include -I.
> >> -I/opt/src/freeware/samba-3.4.5/source3
> >> -I/opt/src/freeware/samba-3.4.5/source3/iniparser/src -Iinclude -I./include
> >> -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tevent
> >> -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H
> >> -I/netopt/include -D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64
> >> -I/netopt/include -DLDAP_DEPRECATED -DSUNOS5
> >> -I/opt/src/freeware/samba-3.4.5/source3/lib -I.. -I../source4
> >> -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c lib/dbwrap.c -o lib/dbwrap.o
> >> make: *** [lib/dbwrap.o] Error 1
> >>
> >>
> Thanks for the advice, but unfortunately I'm still having problems.
>
> I am using a compiled version of gcc (3.4.3).
>
> My LDFLAGS and CFLAGS are:
> CFLAGS='-I/netopt/include' LDFLAGS='-L/netopt/lib -R/netopt/lib'
> This is generally what I use as /netopt is basically our /usr/local. I'm
> not sure why /usr/lib would need to be added here. Isn't that just
> implied?
>
> I added --enable-nss-wrapper and made sure that ssl libs could be found
> (which you specifically added to your FLAGS) but I'm still getting a failure
> on dbwrap.c.
>
> I'm wondering if there is some lib or something that needs to be updated on
> my end. But, I'm not sure how to determine what that is.
>
> Thanks for any further help on this.
>
> Jeff
>
>
>
>
>
> _______________________________________________
> samba mailing list
> [email protected]
> https://lists.samba.org/mailman/listinfo/samba
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
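
The condition described in the quoted "Claimed Zero Day exploit in Samba" message (a writable share with "wide links" and the UNIX extensions both in effect) can be checked on a server, along with any symlinks already pointing out of a share. This is an added example, not part of the thread and not Samba code; the function names, the sample configuration and the defaults table (taken from the defaults that message states) are assumptions.

```python
import os

# Defaults as the quoted advisory states them (assumption; confirm with `testparm -v`).
DEFAULTS = {"wide links": "yes", "unix extensions": "yes", "read only": "yes"}
INVERTED = {"writable", "writeable", "write ok"}  # inverse synonyms of "read only"
TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}} (no includes/continuations)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key, value = " ".join(key.lower().split()), value.strip().lower()
            if key in INVERTED:
                key, value = "read only", ("no" if value in TRUE else "yes")
            sections[current][key] = value
    return sections

def exposed_shares(conf_text):
    """Shares that are writable while wide links and UNIX extensions are both on."""
    sections = parse_smb_conf(conf_text)
    glob = sections.get("global", {})

    def enabled(share, key):
        # Share setting wins, then [global], then the built-in default.
        return share.get(key, glob.get(key, DEFAULTS[key])) in TRUE

    if glob.get("unix extensions", DEFAULTS["unix extensions"]) not in TRUE:
        return []
    return sorted(name for name, share in sections.items()
                  if name != "global"
                  and enabled(share, "wide links")
                  and not enabled(share, "read only"))

def escaping_symlinks(share_root):
    """Symlinks under share_root whose resolved target lies outside the share."""
    root = os.path.realpath(share_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    found.append((path, target))
    return sorted(found)

# Constructed sample: [tmp] is the share from the advisory, [docs] is made up.
SAMPLE_CONF = """
[tmp]
   path = /tmp
   read only = no
   guest ok = yes
[docs]
   path = /srv/docs
   writable = yes
   wide links = no
"""

if __name__ == "__main__":
    print("exposed shares:", exposed_shares(SAMPLE_CONF))
```

Adding "wide links = no" to [global], as the advisory recommends, empties the first list; escaping_symlinks() can then be run over each share path to review links that existed before the change.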
