[Samba] What is going on with my samba?

2005-09-15 Thread Roger Eisenecher

Hi List!!!


Please shed some light on my problem!

I'm using samba 3.0.13 in a large environment. Because we had problems
with the normal tdb-passwd backend, we reinstalled our environment with
samba and we are now using the ldap backend. For our administrative
tasks we are using the smbldap-tools from idealx. We are not very happy
with this solution because we have some effects we do not like and we do
not know why they happen:

* Some machines produce a sambaSID which already exists for another
machine when they try to join the domain. How are the sambaSIDs determined?

* Users suddenly couldn't log on to the domain and I do not know why.
Usually a password reset solves the problem. For your reference, here I
have such an account which could not log in:

--
BBWdata:~ # smbldap-usershow 95FeYuekseldi
dn: uid=95FeYuekseldi,ou=ia2005b,ou=Users,dc=bbw-informatik,dc=private
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: Fevzi Yuekseldi (IA2005b)
sn: 95FeYuekseldi
uid: 95FeYuekseldi
uidNumber: 1531
gidNumber: 1029
homeDirectory: /home/students/ia2005b/95FeYuekseldi
loginShell: /bin/bash
gecos: Fevzi Yuekseldi (IA2005b)
description: Fevzi Yuekseldi (IA2005b)
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Fevzi Yuekseldi (IA2005b)
sambaSID: S-1-5-21-3654624081-408594837-1692793938-4062
sambaPrimaryGroupSID: S-1-5-21-3654624081-408594837-1692793938-3059
sambaLogonScript: netlogon.bat
sambaHomeDrive: Z:
sambaLMPassword: 98E3A020CE037532C98AA516A07044E4
sambaAcctFlags: [U]
sambaNTPassword: 6E5795E3B2C1AAECE939D8F20B9586DE
sambaPwdLastSet: 1124683686
sambaPwdMustChange: 1275883686
userPassword: {SSHA}Cpf7K+MTWKrPf8Tx7TV74wkn2hprYXNn
--

We are using OpenLdap 2.2.6 (LDAP server supplied with SuSE 9.1
Professional).

Any suggestions are welcome ;-)

kindly regards
rOger

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
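
The duplicate-sambaSID symptom described in the message above can be confirmed from an LDIF export of the directory. This added example (not part of the original post) groups entries by sambaSID and also checks each RID against the 2*uidNumber+1000 pattern, an assumption that matches the one account shown in the post (uidNumber 1531, RID 4062). The sample LDIF, the domain SID and the function names are constructed.

```python
from collections import defaultdict

# Assumption: RIDs follow 2*uidNumber + 1000, which fits the account in the post.
RID_BASE = 1000

# Constructed sample export; the domain SID and all names are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=private
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1531
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-4062

dn: uid=ws01$,ou=Computers,dc=example,dc=private
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 2000
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5000

dn: uid=ws02$,ou=Computers,dc=example,dc=private
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
uidNumber: 2001
sambaSID: S-1-5-21-1111111111-2222222222-
 3333333333-5000
"""


def parse_ldif(text):
    """Parse a plain LDIF export into a list of {attribute: [values]} dicts.

    Folded lines (a leading space continues the previous value) are joined;
    base64 values (attr:: ...) are not decoded.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:                      # blank line ends the entry
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip().lower()  # attribute names are case-insensitive
        current[last_attr].append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_sids(entries, rid_base=RID_BASE):
    """Return (duplicates, mismatches).

    duplicates: {sambaSID: [dn, ...]} for every SID held by more than one entry.
    mismatches: [(dn, actual_rid, expected_rid)] for accounts whose RID does
                not equal 2*uidNumber + rid_base.
    """
    by_sid = defaultdict(list)
    mismatches = []
    for entry in entries:
        if "sambasid" not in entry:
            continue
        dn = entry["dn"][0]
        sid = entry["sambasid"][0]
        by_sid[sid.upper()].append(dn)
        if "uidnumber" in entry:
            expected = 2 * int(entry["uidnumber"][0]) + rid_base
            actual = int(sid.rsplit("-", 1)[1])
            if actual != expected:
                mismatches.append((dn, actual, expected))
    duplicates = {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}
    return duplicates, mismatches


if __name__ == "__main__":
    dups, bad = audit_sids(parse_ldif(SAMPLE_LDIF))
    for sid, dns in dups.items():
        print("duplicate", sid, "->", ", ".join(dns))
    for dn, actual, expected in bad:
        print("RID mismatch", dn, "has", actual, "expected", expected)
```
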


Re: [Samba] Delay to join a domain successfully

2005-09-15 Thread Tomasz Chmielewski

Lapin(c) wrote:

> Hi team,
>
> I'm running samba 3.0.4 on AIX 4.3.3 and HP-UX 11.00 without any problems
> except the following :
> On HP-UX 11.00, when I try to join a machine to a domain, it first inserts
> all POSIX entries in the LDAP backend but rejects the junction. The
> machine account could not be found. Waiting for a while and relaunching
> the join command, the junction just works fine.
>
> Having exactly the same configuration on AIX, the junction works perfectly
> instantly.
>
> I tried to investigate around ldapclientd.rc which is present on HP-UX
> exclusively but there is no improvement even reducing cache parameters
> (size and TTL).
>
> Has anyone faced this behaviour ?


yes.
if you're using smbldap-tools, using -t option (for example -t 30) 
solved the problem for me.



--
Tomek
http://wpkg.org
Automated software installation and upgrades


RE: [Samba] Re: Authentication against AD?

2005-09-15 Thread Ernest Keller
Hi,

I get exactly the same.
'kinit -U[username]%[password]' works 100%; 'klist' shows my kerberos
ticket(s); I set up my krb5.conf as per the examples in Samba 3 by
Example-HOWTO; I joined the domain 100% with 'net ads join -U
[username]%[password]', but:

 wbinfo -u just gives me "Error looking up domain users."
 wbinfo -g gives me a listing of all the ADS groups  <-- working 100%?

 'getent passwd' gives me a listing of all local users, but no domain /
ADS users
 'getent group' gives me the local groups, but no ADS groups (just hangs
a while after local groups and then probably times out)

I only have a small office file & print server (about 12 users), so I
got around this by using local accounts and manually mapping them to the
corresponding domain users (/etc/samba/smbusers - local username =
[DOMAIN]/[domain username]) and using 'username map =
/etc/samba/smbusers' in smb.conf .

Here is my config:

[global]
   realm = COMPANY.COM
   security = ADS
   password server = kdc.company.com
   idmap uid = 1-100
   idmap gid = 1-100
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind separator = /

   unix password sync = yes

   workgroup = COMPANY-COM
   interfaces = eth0 lo
   bind interfaces only = yes
   netbios name = SERVER

   name resolve order = wins hosts bcast
   dns proxy = no

   domain logons = no
   preferred master = no
   domain master = no
   local master = yes

   os level = 33

   max log size = 1024
   log level = 2
   log file = /var/log/samba/samba-new.log
   syslog = 1

   guest account = smbguest
   username level = 50
   username map = /etc/samba/smbusers
   encrypt passwords = yes
   password level = 20

   client use spnego = yes

   wins server = x.x.x.x

   preserve case = yes
   short preserve case = yes
   case sensitive = no
   hide dot files = yes
   hide unreadable = yes
   hide special files = yes

   map to guest = never

I also repeatedly get the following in
/var/log/samba/log-wb.COMPANY-COM:

   [2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
 cli_rpc_open failed on pipe \lsarpc to machine [ADS_DC_NAME].
Error was Write error: Connection reset by peer
   [2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
 cli_rpc_open failed on pipe \NETLOGON to machine [ADS_DC_NAME].
Error was Write error: Connection reset by peer

Service smb status gives:

   smbd (pid 21371 21233) is running...
   nmbd (pid 14018) is running...

Service winbind status gives:

   winbindd (pid 8991 8370 8367 8366) is running...

I'm running Samba 3.0.20 on Linux Fedora Core 4

Although we can work, any help to get the proper domain authentication
working would be greatly appreciated.

TIA

Ernest

> Dimitri Yioulos wrote:
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >>
> >>
> >>Ok I think I have found my problem.  I need to find a way to map
> >>Samba to an active directory common name:
> >>
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"
> >>(example, I know the syntax is incorrect)
> >>
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >
> >Uh, I must be missing something here. This is a pretty
> >straightforward set-up, right?  You want to join this Samba box to a
> >Win2k3 server for file- or print-serving purposes?  I've always felt
> >that you get a basic set-up working first, then start to get fancy.
> >
> >AFAIK:
> >
> >1. kinit [EMAIL PROTECTED]
> >(You'll be prompted for a password.  My systems simply return me to a
> >prompt if I'm successful.)
> >2. net ads join -U [EMAIL PROTECTED]
> >(Again, you'll be prompted for a password. Info about the machine
> >joining the AD is returned)
> >
> >Beyond this, someone else will have to help out.
> >
> >Best,
> >
> >Dimitri
>
> Yeah this works, I can get my krb creds:
>
> [EMAIL PROTECTED]:~> kinit [EMAIL PROTECTED]
> Password for [EMAIL PROTECTED]:
> [EMAIL PROTECTED]:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/[EMAIL PROTECTED]
> renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> [EMAIL PROTECTED]'s password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists -
> modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the 
> local passwd accounts.
>
> [EMAIL PROTECTED]:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users

Re: [Samba] incorrect shared access to the file - samba oplock bug?

2005-09-15 Thread Jeremy Allison
On Thu, Sep 15, 2005 at 03:31:49PM +0400, Jablonovsky Alexander wrote:
> I have tried to read a file from a Windows machine, at time this file 
> being written from a Linux machine with Samba (constantly reading 
> constantly growing file) and got a strange behavior. After reading some 
> number of bytes ReadFile() starts to return 0 bytes read (EOF). Seeking 
> and even closing/reopening the file doesn't help - only the old snapshot 
> of the file can be read. Touching the file from other program like 
> Explorer has effect - Windows refreshes the file to its current state.

oplocks - either use kernel oplocks or turn off oplock support in Samba.
Also to do this correctly you need byte range lock coordination between
the reading and writing app.

Jeremy.


Re: [Samba] ldap guest account mapping looks broken

2005-09-15 Thread Eric A. Hall

On 9/1/2005 1:18 AM, Eric A. Hall wrote:

> Guest access does not appear to be working correctly, and it looks
> like the problem is due to guest not getting mapped into the LDAP
> query correctly.
> 
> Specifically, I can login with local account, join workstation to the
> domain, browse shares, and everything else that requires
> authentication, but cannot login to domain nor browse the domain in
> explorer or anything else that requires guest access.

...

> Judging from these lines in the log.smbd file:
>
> | [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
> |   The LDAP server is succesfully connected
> | [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
> |   ldapsam_getsampwnam: Unable to locate user [] count=0
>
> and the detailed output from ldap log file:
>
> | Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
> | base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
> | filter="(&(?=undefined)(objectClass=sambaSamAccount))"
>
> it would indeed appear that the "(?=undefined)" LDAP search filter is
> being generated by pdb_ldap.c but a grep through that file doesn't return
> any obvious hits

Found the problem. Some gremlin (probably one of the Samba config tools I
tried using) had added "auth methods = sam" to the smb.conf file. The
"guest" method was not listed so it wasn't being processed.

The man page for smb.conf is pretty clear about explaining this. Would be
good if the logger could spit up a statement too, like "guest processing
is not enabled" or the like.

-- 
Eric A. Hall             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/
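
A configuration check for the cause found in the message above, as an added example that is not part of the original post: it flags an smb.conf whose "auth methods" list omits "guest" and lists the guest-dependent settings that silently stop working. The sample file and the function names are constructed for illustration.

```python
import re

# Constructed sample, not the poster's smb.conf.
SAMPLE_SMB_CONF = """\
# constructed sample
[global]
   workgroup = LABS
   passdb backend = ldapsam:ldap://localhost
   Auth Methods = sam
   map to guest = Bad User

[public]
   path = /srv/public
   guest ok = yes

[private]
   path = /srv/private
   valid users = @staff
"""

TRUE_VALUES = {"yes", "true", "1", "on"}
# Per-share settings that rely on guest logons ("public" is a synonym of "guest ok").
GUEST_SHARE_KEYS = (("guestok", "guest ok"), ("public", "public"),
                    ("guestonly", "guest only"))


def _norm(name):
    """smb.conf parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_parameter: value}} for an smb.conf text."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":   # both characters start a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        name, sep, value = line.partition("=")
        if sep and current is not None:
            current[_norm(name)] = value.strip()
    return sections


def check_guest_auth(sections):
    """Return None when guest logons can be processed, else a finding dict.

    A finding is raised only when "auth methods" is set explicitly and does
    not list "guest"; when the parameter is absent Samba picks its own list.
    """
    glob = sections.get("global", {})
    methods = glob.get("authmethods")
    if methods is None:
        return None
    tokens = [t for t in re.split(r"[\s,]+", methods.lower()) if t]
    if "guest" in tokens:
        return None
    dependents = []
    if glob.get("maptoguest", "never").lower() != "never":
        dependents.append(("global", "map to guest = " + glob["maptoguest"]))
    for section, params in sections.items():
        for key, label in GUEST_SHARE_KEYS:
            if params.get(key, "").lower() in TRUE_VALUES:
                dependents.append((section, label + " = " + params[key]))
    return {"auth_methods": tokens, "dependents": dependents}


if __name__ == "__main__":
    finding = check_guest_auth(parse_smb_conf(SAMPLE_SMB_CONF))
    if finding:
        print("auth methods =", " ".join(finding["auth_methods"]),
              "(no 'guest' method: guest logons are not processed)")
        for section, setting in finding["dependents"]:
            print("  affected: [%s] %s" % (section, setting))
```
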


[Samba] samba-3.0.9-1.3E.3 - Winbind loses connection to active directory

2005-09-15 Thread mwestern
Hi People,

samba-3.0.9-1.3E.3 joined to AD domain, running winbind on RHEL 3

The Problem - Every now and then samba seems to 'lose' the domain - i.e.
wbinfo -u/g will not list users/groups but after a couple of goes it
does eventually list them and then generally it's all ok.  While this is
happening users are prompted for a username/password to access the box
(normally just lets them straight in).  Seems to randomly happen but
sometimes notable when samba/winbind is restarted.  Sometimes it appears
to automagically fix itself.

What could be causing this?



[global]
workgroup = AUSTRALIA
server string = Linux Box
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/smbd.log
max log size = 50
security = ADS
   realm = 
   winbind uid = 1-2
   winbind gid = 1-2
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind separator = +
   template shell = /bin/bash
   template homedir = /home/%U
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no

   force create mask = 0775
   force directory mask = 0774


Nsswitch.conf includes winbind for user/group auth.
Winbind is set to restart with smb.




Regards
Matthew


Re: [Samba] 10x the traffic but only when _executing_, pizza offered

2005-09-15 Thread Leon Brooks
On Friday 16 September 2005 08:34, Leon Brooks wrote:
> There is no perceptible speed difference serving from a muscly
> hardware-RAIDed-SCSI dual-CPU gig-of-RAM server or my el-crappo
> AOpen laptop. 

smb.conf from said laptop (for 3.1) attached, plus a comment-stripped 
version.

BTW, to clarify: the reward offered is two large pizzas or one 
Sizzlers-or-near-equiv meal for info which solves the basic problem, 
and three pizzas for a greased-weasel solution. I'll contact y'all 
off-list to arrange that.

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Member, Perth Linux User Group
http://slpwa.asn.au/            Member, Linux Professionals WA
http://osia.net.au/             Member, Open Source Industry Australia
http://linux.org.au/            Member, Linux Australia

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#
#=== Global Settings =
[global]

# 1. Server Naming Options:
# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = LEON

# netbios name is the name you will see in "Network Neighbourhood",
# but defaults to your hostname
  netbios name = Leon

# server string is the equivalent of the NT Description field
   server string = Samba Laptop %v

# Message command is run by samba when a "popup" message is sent to it.
# The example below is for use with LinPopUp:
; message command = /usr/bin/linpopup "%f" "%m" %s; rm %s

# 2. Printing Options:
# CHANGES TO ENABLE PRINTING ON ALL CUPS PRINTERS IN THE NETWORK
# (as cups is now used in linux-mandrake 7.2 by default)
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = cups
   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx, cups
   printing = cups

# Samba 2.2 supports the Windows NT-style point-and-print feature. To
# use this, you need to be able to upload print drivers to the samba
# server. The printer admins (or root) may install drivers onto samba.
# Note that this feature uses the print$ share, so you will need to 
# enable it below.
# printer admin = @ 
   printer admin = @adm
# This should work well for winbind:
#   printer admin = @"Domain Admins"

# 3. Logging Options:
# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba31/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Set the log (verbosity) level (0 <= log level <= 10)
# log level = 3

# 4. Security and Domain Membership Options:
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page. Do not enable this if (tcp/ip) name resolution does
# not work for all the hosts in your network.
#   hosts allow = 192.168.1. 192.168.2. 127.

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
#  guest account = pcguest
# Allow users to map to guest:
  map to guest = bad user

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
# Use password server option only with security = server or security = domain
# When using security = domain, you should use password server = *
#   password server = 
#   password server = *

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
#  password level = 8
#  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
# Encrypted passwords are required for any use of samba in a Windows NT domain
# The smbpasswd file is only required by a server doing authentication, thus
# members of a domain do not need one.
  encrypt passwords = yes
  smb passwd file = /etc/samba31/smbpasswd

# The following are needed to allow password changing from Windows to
# also update the Linux system password.
# NOTE: Use these with

Re: [Samba] visitor access to folders and files on Samba

2005-09-15 Thread Jiann-Ming Su
On 9/15/05, Bill Groves <[EMAIL PROTECTED]> wrote:
> Hi,
> > I have a small office here at the college. There are three xp computers
> > and a samba server.
> > I apparently have set up the smb.conf file correctly as all of us can
> > access each ones folders and files.
> > From time to time I have students and visiting "fireman" drop by and
> > ask for information.
> > What lines of code would I put into smb.conf to allow any visiting
> > student or "fireman" to access the info that I want them to have from the
> > 2 secretaries machines?
> > I have made some attempts on my own, but have not had any success. My
> > Linux skills are pretty much limited to a desktop setup, and the Samba
> > box is running Redhat 8.0.
> > Any pointers you can send along would be greatly appreciated.
> 

On the shares that you've defined, add "guest ok = yes".  You may want
to "man smb.conf" to get the exact syntax for the version you are
running.  Global options "map to guest" and "guest account" may also
be relevant.
-- 
Jiann-Ming Su
"I have to decide between two equally frightening options. 
 If I wanted to do that, I'd vote." --Duckman


[Samba] Issues compiling related to LDAP libraries

2005-09-15 Thread Alan Dotts
I am trying to compile Samba version 3.0.20 for use on a SunFire 880 
server running SunOS 5.9 / Solaris 9.


The compile fails because the include files in the LDAP library do 
not have certain macros required by Samba. The specific error is 
included below.


My questions are:
Has anyone else had issues compiling for SunOS?
and
Does anyone know what version of the LDAP libs I should get?

Thanks,
Alan Dotts



Using FLAGS =  -O -D_SAMBA_BUILD_  -Iinclude 
-I/home/awdotts/samba-3.0.20/source/include 
-I/home/awdotts/samba-3.0.20/source/ubiqx  -I. -D_LARGEFILE_SOURCE 
-D_REENTRANT -D_FILE_OFFSET_BITS=64 -I/home/awdotts/samba-3.0.20/source

  LIBS = -lsendfile -lsec -lgen -lresolv -lsocket -lnsl -ldl -liconv
  LDSHFLAGS = -G  -lthread
  LDFLAGS = -lthread
  PIE_CFLAGS =
  PIE_LDFLAGS =
Compiling passdb/pdb_nds.c
passdb/pdb_nds.c: In function `pdb_nds_update_login_attempts':
passdb/pdb_nds.c:849: error: `LDAP_OPT_X_TLS_HARD' undeclared (first 
use in this function)

passdb/pdb_nds.c:849: error: (Each undeclared identifier is reported only once
passdb/pdb_nds.c:849: error: for each function it appears in.)
passdb/pdb_nds.c:850: error: `LDAP_OPT_X_TLS' undeclared (first use 
in this function)

make: *** [passdb/pdb_nds.o] Error 1



[Samba] visitor access to folders and files on Samba

2005-09-15 Thread Bill Groves

Hi,
I have a small office here at the college. There are three xp computers 
and a samba server.
I apparently have set up the smb.conf file correctly as all of us can 
access each ones folders and files.
From time to time I have students and visiting "fireman" drop by and 
ask for information.
What lines of code would I put into smb.conf to allow any visiting 
student or "fireman" to access the info that I want them to have from the 
2 secretaries machines?
I have made some attempts on my own, but have not had any success. My 
Linux skills are pretty much limited to a desktop setup, and the Samba 
box is running Redhat 8.0.

Any pointers you can send along would be greatly appreciated.


Thanks in advance,
Prof. Wiliam Groves
Orange Coast College





[Samba] Delay to join a domain successfully

2005-09-15 Thread Lapin(c)
Hi team,

I'm running samba 3.0.4 on AIX 4.3.3 and HP-UX 11.00 without any problems
except the following :
On HP-UX 11.00, when I try to join a machine to a domain, it first inserts
all POSIX entries in the LDAP backend but rejects the junction. The
machine account could not be found. Waiting for a while and relaunching
the join command, the junction just works fine.

Having exactly the same configuration on AIX, the junction works perfectly
instantly.

I tried to investigate around ldapclientd.rc which is present on HP-UX
exclusively but there is no improvement even reducing cache parameters
(size and TTL).

Has anyone faced this behaviour ?

Many thanks for your help.

The attachment is a loglevel 10 on server side.

-- 
Fred Lacombe                    Linagora S.A.
Open Source Project Manager     30, rue Saint Augustin
  Tel. : +33 (0)1 58 18 68 28
  Fax. : +33 (0)1 58 18 68 29

[Samba] incorrect shared access to the file - samba oplock bug?

2005-09-15 Thread Jablonovsky Alexander
I have tried to read a file from a Windows machine, at time this file 
being written from a Linux machine with Samba (constantly reading 
constantly growing file) and got a strange behavior. After reading some 
number of bytes ReadFile() starts to return 0 bytes read (EOF). Seeking 
and even closing/reopening the file doesn't help - only the old snapshot 
of the file can be read. Touching the file from other program like 
Explorer has effect - Windows refreshes the file to its current state.


The file is opened from Windows as follows:
	CreateFile(file_name, GENERIC_READ, FILE_SHARE_WRITE,
	           (LPSECURITY_ATTRIBUTES)NULL, OPEN_EXISTING,
	           FILE_ATTRIBUTE_HIDDEN, (HANDLE)NULL)

Samba v. 2.2.7a, Linux kernel v. 2.4.20, oplock parameters - default.
The effect is same in Windows 98 and XP.

Please help!


[Samba] SaMBa raises 10x the traffic but only when _executing_, pizza offered

2005-09-15 Thread Leon Brooks
Customer is running a Delphi app talking to an MS-SQL-Server through 
Microsoft ADO. The SQL stuff is reasonably chatty but not a problem.

Whenever the program is run or a significant feature is used, it 
generates much SMB traffic -- roughly 10x as much from a SaMBa (3.1 or 
3.0) server as from a W2k or w2k3 server. As you might imagine, this 
makes the app run very slowly.

This happens with one user or with many. The ?mbd processes aren't 
raising a sweat, a few % of CPU at most. Samba delivers (and accepts) 
data at up to 9.8MB/s sustained to smbclient over a 100Mb/s link, and 
delivers 2MB images to XP in an eyeblink, so it's not a fundamental 
networking failure. There is no perceptible speed difference serving 
from a muscly hardware-RAIDed-SCSI dual-CPU gig-of-RAM server or my 
el-crappo AOpen laptop.

This DID NOT HAPPEN with their old Novell file server using Novell's 
networking protocols. The application provider also has another site 
running the app on a Citrix server but from a separate file server, 
with no speed problems. That makes it look very much like a caching or 
similar issue. The amount of SMB traffic involved is roughly 4x the 
size of the application.

I've tried with and without oplocks, with different levels of buffering, 
different OS levels, all sorts of config performance tweaks and they 
make no perceptible difference vs minimalist changes OOtB.

It's interesting that despite delivering only 10%-ish as much traffic, 
responsiveness from the w2k3 server is only about 20% better than from 
any Samba server. The app is blindingly fast in comparison if run from 
the local disk, but the customer doesn't want to have to maintain 
40-odd local copies of the app, and the basic problem would still lurk.

Initially, we tested with a version of the app which was compressed 
(12MB => 4MB) with BlinkInc's Shrinker, but later testing involved an 
uncompressed version. That did run perceptibly faster, but it was an 
incremental improvement, not the revolution that we need.

There is an Ethereal capture up at http://samba.cyberknights.com.au/ 
if you're interested in seeing for yourself. This is taken from an XP 
workstation (*.158) talking to a 2k3 server (*.4) and then my laptop 
running Samba (*.108). The traffic to *.100 is the SQL server and 
everything else is pretty much irrelevant.

The capture shows the workstation starting the app, making an initial 
query, then doing a find on a product number, then closing down. This 
is done first to the 2k3 server then Samba.

Trimming the requests down from ~50MB to ~5MB would probably make the 
app "fast enough" but there's extra brownie points (and a meal at your 
local Sizzlers or near equivalent, maybe a couple of pizzas) for enough 
clues to make it all run like a greased otter. (-:

Cheers; Leon

--
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Member, Perth Linux User Group
http://slpwa.asn.au/            Member, Linux Professionals WA
http://osia.net.au/             Member, Open Source Industry Australia
http://linux.org.au/            Member, Linux Australia


[Samba] getent & winbindd on FreeBSD 5.4

2005-09-15 Thread Doug Sampson
I'm trying to get a FreeBSD 5.4 server to join a NT4 domain as a member
domain server using winbindd. I've compiled Samba with WinBIND support, ACL
Support, Syslog support, UTMP support, SMB PAM module, and with installed
POPT library.

I've reviewed Chapter 20 of TOSHARG and implemented a good portion of it
into our smb.conf file but am having trouble making the 'getent' command
work. Running Samba 3.0.20.1. The 'getent' command is found in
/usr/compat/linux/usr/bin/.

I can join the domain fine and execute 'wbinfo -u' with the expected domain
user listing as well as with the 'wbinfo -g' command. However when I attempt
to execute 'getent passwd' it shows only the local user accounts. Executing
'getent group' also produces only the local groups.

It seems the getent command that comes with the linux_base port on FreeBSD
5.4 may or may not be working. I am unable to verify it though. Doing a
'tdbdump winbind_cache.tdb' reveals that the users are being enumerated but
without a corresponding *nix user id. I don't know if the tdbsam is supposed
to reveal such information. TOSHARG states that for getent to work, the
nsswitch.conf must be properly configured. Mine is as follows:

# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
networks: files
shells: files


NSSwitch depends on PAM modules for authentications so here's my login file:

#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM configuration for the "login" service
#

# auth
auth        sufficient  pam_winbind.so
auth        sufficient  pam_unix.so     use_first_pass
auth        required    pam_stack.so    service=system-auth
auth        required    pam_nologin.so  no_warn
auth        sufficient  pam_self.so     no_warn
auth        include     system

# account
account     sufficient  pam_winbind.so
account     required    pam_stack.so    service=system-auth
account     include     system

# session
session     required    pam_stack.so    service=system-auth
session     include     system

# password
password    required    pam_stack.so    service=system-auth
password    include     system


# smb.conf
[global]
workgroup = DSP
server string = Samba Server
security = DOMAIN
passdb backend = tdbsam
log file = /var/log/samba/log.%m
max log size = 50
os level = 33
local master = No
dns proxy = No
wins server = 192.168.1.1
idmap uid = 15000-2
idmap gid = 15000-2
template homedir = /usr/home/%D/%U
template shell = /bin/bash
winbind separator = +
hosts allow = 192.168.1., 192.168.2., 127.

[homes]
comment = Home Directories
read only = No
browseable = No

[MacData]
comment = Production Data
path = /data
valid users = @DSP+PRODUCTION
read only = No
create mask = 0765


The odd thing is- there's no /etc/pam.d/samba file even though I specified
that the PAM samba module be installed. Is my PAM whacked?

Also, I am unsure if I need to map users to NT account using a text file
similar to /etc/smb/smbusers or some file similar to that? When I execute
'pw groupshow DSP+PRODUCTION', the log.smbd shows this:
[2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
  Unable to open/create TDB passwd
[2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
  pdb_getsampwrid: Unable to open TDB rid database!

log.wb-DSP shows this:
[2005/09/15 16:17:24, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
  rpc_pipe_bind failed

I'm a newb so would appreciate any advice!

~Doug



Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Dimitri Yioulos
On Thursday 15 September 2005 4:17 pm, you wrote:
> Dimitri Yioulos wrote:
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >>
> >>
> >>Ok I think I have found my problem.  I need to find a way to map Samba
> >>to an active directory common name:
> >>
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"  (example,
> >>I know the syntax is incorrect)
> >>
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >
> >Uh, I must be missing something here. This is a pretty straightforward
> > set-up, right?  You want to join this Samba box to a Win2k3 server for
> > file- or print-serving purposes?  I've always felt that you get a basic
> > set-up working first, then start to get fancy.
> >
> >AFAIK:
> >
> >1. kinit [EMAIL PROTECTED]
> >(You'll be prompted for a password.  My systems simply return me to a
> > prompt if I'm successful.)
> >2. net ads join -U [EMAIL PROTECTED]
> >(Again, you'll be prompted for a password. Info about the machine joining
> > the AD is returned)
> >
> >Beyond this, someone else will have to help out.
> >
> >Best,
> >
> >Dimitri
>
> Yeah this works, I can get my krb creds:
>
> [EMAIL PROTECTED]:~> kinit [EMAIL PROTECTED]
> Password for [EMAIL PROTECTED]:
> [EMAIL PROTECTED]:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/[EMAIL PROTECTED]
>         renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> [EMAIL PROTECTED]'s password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists -
> modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the local
> passwd accounts.
>
> [EMAIL PROTECTED]:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I can
> get more info on this.

So, you're not authenticating against ADS?  If you are, are you sure the 
winbind daemon is running?

Dimitri


Re: [Samba] Minimum User Rights For "net ads join"

2005-09-15 Thread John H Terpstra
On Thursday 15 September 2005 14:40, eric roseme wrote:
> I have seen a number of cases where unix/linux administrators do not
> have access to Windows Administrator rights to execute "net ads join".
> Here is the result of testing that I have done to determine what the
> minimum set of user rights is.
...
> JT - I have written a user's guide for this process.  Let me know if you
> would like to use it however you see fit.

Sure. Please email it to: [EMAIL PROTECTED]

Thanks.

- John T.


[Samba] Minimum User Rights For "net ads join"

2005-09-15 Thread eric roseme
I have seen a number of cases where unix/linux administrators do not 
have access to Windows Administrator rights to execute "net ads join". 
Here is the result of testing that I have done to determine what the 
minimum set of user rights is.


Case 1:  Adding the object to the domain and joining the domain with 
"net ads join"


In this case, an ordinary user "member of Domain Users" can add and join 
 by having an Administrator assign the user special rights to the 
Computers container (or equivalent).  This is done by:

1.  Users and Computers MMC, Advanced Features View
2.  Right click Computers container and select Properties
3.  Choose Security tab, add a new user to the container
4.  Click Advanced, select the new user, click Edit
5.  Clear all rights, add back only "Create Computer Objects"
6.  OK to exit out

The user can now add and join the computer object using "net ads join -U 
 username".



Case 2:  Add object using "Users and Computers" MMC, join using "net ads 
join".


This method is required when a custom schema is used and "net ads join" 
cannot find the correct container to add the computer.  Note that 
sometimes the userAccountControl attribute will populate with a value 
that denies krb5 authentication, and the attribute must be populated 
manually.

1.  Users and Computers MMC, Advanced Features View
2.  Add the computer object using the MMC.  Do not select "Windows
2000 compatible".
3.  Right click on the new computer object (note that this is
different from the container in Case 1) and select Properties.
4.  Click Advanced, then Add, and add the user to Security Settings.
5.  Highlight the username, then select Edit.
7.  Select "Full Control" - this will autoselect all Permissions.
8.  Unselect those that we do not need:
Full Control
Create All Child Objects
Delete All Child Objects
(all items thru)
Delete All Shared Folder Ob
9.  OK to exit out.

The user can now join and modify the existing computer object using "net 
ads join -U username".



Caveats:

1.  "net ads leave -U username" does not work, even with Administrator.
2.  Several other "net ads" commands do not work.
3.  The ntSecurityDescriptor is not correctly processed (ldap.c accounts
for this and adds the object anyway, and issues a warning)

JT - I have written a user's guide for this process.  Let me know if you 
would like to use it however you see fit.



Eric Roseme
Hewlett-Packard



[Samba] smbstatus -b shows bogus connections

2005-09-15 Thread Oliver Schulze L.

Hi,
I have samba 3 (samba-3.0.10-1.4E) on RHEL4.1.
I have updated from RH9 and samba 2.x

The 'smbstatus -b' command shows connections that do not
exist. For example, a user connects to their Windows XP session
and then disconnects. But smbstatus -b shows that the user is still connected
even if that user has used the client PC for only 10 minutes.

I think it should be a problem with .tdb files.

Is this normal?

Thanks
Oliver

--
Oliver Schulze L.
<[EMAIL PROTECTED]>



[Samba] AIX 5.1 Samba libiconv.so.2

2005-09-15 Thread Joseph Madrinkian
I try starting Samba but I get the error message

"Dependant Module /usr/local/lib/libiconv.a(libiconv.so.2) could not be
loaded.

Member libiconv.so.2 could not be found in the archive"

I have the library file libiconv.a

I tried doing an: ar a libiconv.a libiconv.so.2

The member libiconv.so.2 is not being added to the library file.

Any help would be appreciated.

Thanks





Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Dimitri Yioulos
On Thursday 15 September 2005 3:32 pm, you wrote:
> 
>
> Ok I think I have found my problem.  I need to find a way to map Samba
> to an active directory common name:
>
> %> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"  (example,
> I know the syntax is incorrect)
>
> As far as I can tell it is hard coded in the net ads join routine to
> tack on the ou=users vs. cn=users, anyone shed some light on this?

Uh, I must be missing something here. This is a pretty straightforward set-up, 
right?  You want to join this Samba box to a Win2k3 server for file- or 
print-serving purposes?  I've always felt that you get a basic set-up working 
first, then start to get fancy.

AFAIK:

1. kinit [EMAIL PROTECTED]
(You'll be prompted for a password.  My systems simply return me to a prompt 
if I'm successful.)
2. net ads join -U [EMAIL PROTECTED]
(Again, you'll be prompted for a password. Info about the machine joining the 
AD is returned)

Beyond this, someone else will have to help out.

Best,

Dimitri


Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Jason Gerfen

Jason Gerfen wrote:

> Ok I think I have found my problem.  I need to find a way to map Samba
> to an active directory common name:
>
> %> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"
> (example, I know the syntax is incorrect)
>
> As far as I can tell it is hard coded in the net ads join routine to
> tack on the ou=users vs. cn=users, anyone shed some light on this?

Some output from strace

%> strace -o tmp net ads join -U "Admin" "users"

write(6, "0C\2\1\5c>\4\36ou=users,dc=SCL,dc=UTAH"..., 69) = 69  <-- here 
is the hard coded ou, I am not 100% familiar with the LDAP RFC but on a 
windows Active Directory there are CN and OU containers

select(1024, [6], [], NULL, {15, 0})= 1 (in [6], left {14, 999000})
read(6, "0\204\0\0\0\222\2\1", 8)   = 8
read(6, "\5e\204\0\0\0\211\n\1 \4\25DC=scl,DC=utah,DC=ed"..., 144) = 144
rt_sigaction(SIGALRM, {SIG_IGN}, {0x535000, [ALRM], SA_RESTORER, 
0x2b95ff00}, 8) = 0


Anyone shed some light here?  I need a way to overwrite that OU 
parameter to a CN...


--
Jason Gerfen
Student Computing Labs, University Of Utah
[EMAIL PROTECTED]

J. Willard Marriott Library
295 S 1500 E, Salt Lake City, UT 84112-0860
801-585-9810

"My girlfriend threated to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK

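Added example (not part of the original post, and not Samba code): a small Python decoder for the LDAP BER bytes visible in the strace output above. It reads the write() as a SearchRequest whose base DN begins "ou=users,..." and the two read() calls as a SearchResultDone carrying result code 32 (noSuchObject); the function names are hypothetical, and the byte strings are copied from the post with strace's truncation left in place.

```python
import re

# Quoted strings exactly as shown in the strace output of the post; strace cut
# each of them short ("..."), so the decoder has to tolerate truncated values.
WRITE_6 = r'0C\2\1\5c>\4\36ou=users,dc=SCL,dc=UTAH'
READ_6A = r'0\204\0\0\0\222\2\1'
READ_6B = r'\5e\204\0\0\0\211\n\1 \4\25DC=scl,DC=utah,DC=ed'

_ESC = re.compile(r'\\([0-3][0-7]{2}|[0-7]{1,2}|[abfnrtv\\"])')
_SIMPLE = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11,
           "\\": 92, '"': 34}

# LDAP protocol-op tags (APPLICATION class, constructed) and a few result codes.
OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x63: "SearchRequest",
       0x64: "SearchResultEntry", 0x65: "SearchResultDone"}
HAS_LDAP_RESULT = {0x61, 0x65, 0x67, 0x69, 0x6B}
RESULT_CODES = {0: "success", 4: "sizeLimitExceeded", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}


def unescape_strace(text):
    """Turn the quoted string of a strace read()/write() line into bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out.append(_SIMPLE[tok] if tok in _SIMPLE else int(tok, 8))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def read_tlv(buf, pos):
    """Return (tag, declared_length, value_offset) for the BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                     # short form: the byte is the length
        return tag, first, pos
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or pos + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def take_string(buf, pos):
    """Decode an OCTET STRING, reporting when the capture ends before it does."""
    tag, length, start = read_tlv(buf, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    raw = buf[start:start + length]
    return {"text": raw.decode("utf-8", "replace"),
            "declared_len": length,
            "truncated": len(raw) < length}


def decode_ldap_message(buf):
    """Decode message ID, operation and the first fields of one LDAPMessage."""
    tag, total, pos = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    msg = {"wire_length": pos + total}   # header bytes plus declared content
    tag, n, pos = read_tlv(buf, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER messageID")
    msg["message_id"] = int.from_bytes(buf[pos:pos + n], "big")
    op_tag, _, pos = read_tlv(buf, pos + n)
    msg["op"] = OPS.get(op_tag, hex(op_tag))
    if op_tag == 0x63:                   # SearchRequest: baseObject comes first
        msg["base_dn"] = take_string(buf, pos)
    elif op_tag in HAS_LDAP_RESULT:      # LDAPResult: resultCode, matchedDN, ...
        tag, n, pos = read_tlv(buf, pos)
        if tag != 0x0A:
            raise ValueError("expected ENUMERATED resultCode")
        code = int.from_bytes(buf[pos:pos + n], "big")
        msg["result_code"] = code
        msg["result_name"] = RESULT_CODES.get(code, "other")
        msg["matched_dn"] = take_string(buf, pos + n)
    return msg


def decode_capture():
    """Decode the request and the reply (two reads joined) from the post."""
    request = decode_ldap_message(unescape_strace(WRITE_6))
    reply = decode_ldap_message(unescape_strace(READ_6A) + unescape_strace(READ_6B))
    return request, reply


if __name__ == "__main__":
    for message in decode_capture():
        print(message)
```

The decoded wire lengths (69 and 8 + 144 bytes) match the return values strace printed for the write() and read() calls, which is a quick check that the framing was parsed correctly.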


Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Jason Gerfen



Ok I think I have found my problem.  I need to find a way to map Samba 
to an active directory common name:


%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"  (example, 
I know the syntax is incorrect)


As far as I can tell it is hard coded in the net ads join routine to 
tack on the ou=users vs. cn=users, anyone shed some light on this?


--
Jason Gerfen
Student Computing Labs, University Of Utah
[EMAIL PROTECTED]

J. Willard Marriott Library
295 S 1500 E, Salt Lake City, UT 84112-0860
801-585-9810

"My girlfriend threated to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK



[Samba] Winbind trouble when on the DC

2005-09-15 Thread Adam Tauno Williams
I have a situation where I want to do some authentication via ntlm_auth on my
DC.  I've tested this on my test box (a domain member) and it works perfectly.

On domain member -
tor:~ # /usr/bin/ntlm_auth --username=adam --domain=BACKBONE --password=
NT_STATUS_OK: Success (0x0)

On domain controller -
littleboy:~ # /usr/bin/ntlm_auth --username=adam --domain=BACKBONE --password=**
Reading winbind reply failed! (0x01)
:  (0x0)

But winbindd is running and "wbinfo -p" says the winbind daemon is OK.

I can "wbinfo -u" and "wbinfo -g" to list domain users and groups on any member
server and it is as quick as lightning.  But on the domain controller it just
pukes with an "Error looking up domain groups" message.  The domain controller
is working perfectly for ~200 XP and 2000 boxes.  It is just the winbind stuff
that does not work locally.

Anyone have any ideas?

DC is SuSe9.2 running Samba 3.0.20 with OpenLDAP backend.

The logs for winbind look like -
[2005/09/15 06:02:50, 6] nsswitch/winbindd.c:new_connection(596)
  accepted socket 19
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn INTERFACE_VERSION
[2005/09/15 06:02:50, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [0]: request interface version
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2005/09/15 06:02:50, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [0]: request location of privileged pipe
[2005/09/15 06:02:50, 6] nsswitch/winbindd.c:new_connection(596)
  accepted socket 20
[2005/09/15 06:02:50, 10] nsswitch/winbindd.c:process_request(325)
  process_request: request fn LIST_GROUPS
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:winbindd_list_groups(811)
  [0]: list groups
[2005/09/15 06:02:50, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/09/15 06:02:50, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/09/15 06:02:50, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!

NSS is working perfectly as well as I can "id {username}" and instantly get back
user information and all group memberships.

Global configuration
--
[global]
   workgroup = BACKBONE
   server string = OpenLDAP DSA/DC
   printing = CUPS
   netbios name = barbel
   netbios aliases = littleboy
   keepalive = 0
   guest account = pcnet
   add machine script = /usr/bin/mono /usr/local/bin/cifsaddmachine.exe %u
   security = user
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
   local master = yes
   os level = 200
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = %G.bat
   logon path = \\BARBEL\PROFILES\%U
   logon drive = f:
   logon home = \\SARDINE\HOMEDIR
   wins support = yes
   wins hook = /usr/bin/mono /usr/local/bin/wins_update.exe
   name resolve order = wins host
   dns proxy = yes
   map to guest = Bad User
   passdb backend = ldapsam:ldap://localhost/
   ldap ssl = no
   ldap admin dn = uid=CIFSDC,ou=System,ou=Accounts,ou=Entities,ou=SAM,o=Morrison Industries,c=US
   ldap suffix = o=Morrison Industries,c=US
   ldap group suffix = ou=Groups,ou=Entities,ou=SAM
   ldap user suffix = ou=Accounts,ou=Entities,ou=SAM
   ldap machine suffix = ou=System,ou=Accounts,ou=Entities,ou=SAM
   idmap backend = ldap:ldap://localhost
   ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
   idmap uid = 4-5
   idmap gid = 4-5
   winbind use default domain = yes
   username map = /etc/samba/username.map
   remote announce = 192.168.10.255/BACKBONE
   deadtime = 15
   log level = 2 winbind:10
   log file = /var/log/samba/log.%m
   ldap passwd sync = yes
   include = /etc/samba/smb.conf.%m
   host msdfs = yes
   cups server = crew
   cups options = raw
   enable privileges = yes
   load printers = no

-- 
Adam Tauno Williams - http://www.whitemice.org



Re: [Samba] LDAP search failed: Size limit exceeded

2005-09-15 Thread Eric A. Hall

On 9/15/2005 12:49 PM, Michael Christian wrote:
> Hi list. I've decided to try and tackle this one piece at a time.
> 
> Does anyone know why I would get the following error:
> [EMAIL PROTECTED] ~]# net groupmap list 
> [2005/09/15 12:44:08, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2458)
> ldapsam_setsamgrent: LDAP search failed: Size limit exceeded
> [2005/09/15 12:44:08, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2523)
> ldapsam_enum_group_mapping: Unable to open passdb
> 
> I seem to have some size related issue concerning Groups...

I don't know what the problem is but I can give some pointers.

Queries that return ~everything can overwhelm participants, so LDAP has
the ability to limit the amount of data returned, either with "paged"
answer sets, or size limits, or both. "Size limit exceeded" is a typical
LDAP error when the size limit has been exceeded.

I'm pretty sure that Samba's LDAP interface understands paged results (my
server is down for maintenance right now or I'd check), but maybe your
LDAP server doesn't. Are you using a fairly recent OpenLDAP RPM package or
something else?

Actually my guess/assumption is that your queries are poorly formed and
poorly rooted, and as a result your searches are matching everything in
the directory. Make sure you set the proper suffixes in smb.conf so that
searches are constrained to the correct search base.

Weren't you reporting similar problems with PAM? Frankly I'd start there
if I were you, since it seems to be a problem with all of your LDAP
searches everywhere. Find the support list for your server and start with
them; that is the best advice I can give.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/
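Added example (not part of the original reply, and not Samba code): a Python check that derives the LDAP search bases from the [global] suffix parameters of an smb.conf, as a way to verify the suffixes the reply recommends setting. It assumes the behaviour described in smb.conf(5), where each sub-suffix is a partial DN prepended to "ldap suffix" and an unset sub-suffix falls back to "ldap suffix"; the sample configuration and the function names are constructed.

```python
# Constructed sample: one sub-suffix set correctly, one written as a full DN,
# and the group and idmap suffixes left unset.
SAMPLE_SMB_CONF = r"""
[global]
   passdb backend = ldapsam:ldap://localhost/
   LDAP Suffix = dc=example,dc=org
   ldap user suffix = \
      ou=Users
   ldap machine suffix = ou=Computers,dc=example,dc=org
   ; ldap group suffix = ou=Groups

[homes]
   ldap group suffix = ou=Ignored
"""

SUB_SUFFIXES = {
    "users": "ldap user suffix",
    "groups": "ldap group suffix",
    "machines": "ldap machine suffix",
    "idmap": "ldap idmap suffix",
}


def _key(name):
    """smb.conf parameter names ignore case and whitespace."""
    return "".join(name.lower().split())


def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_key(name)] = value.strip()
    return params


def _norm_dn(dn):
    """Rough DN normalisation for comparison (escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search_bases(params):
    """Return ({kind: effective search base}, [warnings]) for the ldapsam suffixes."""
    suffix = params.get(_key("ldap suffix"), "")
    if not suffix:
        return {}, ["ldap suffix is not set: search bases cannot be derived"]
    bases, warnings = {}, []
    for kind, name in SUB_SUFFIXES.items():
        sub = params.get(_key(name), "")
        if not sub:
            bases[kind] = suffix
            warnings.append(f"{name} is unset: {kind} searches start at {suffix}")
            continue
        if _norm_dn(sub).endswith(_norm_dn(suffix)):
            warnings.append(f"{name} already contains the ldap suffix: "
                            "the effective base repeats it")
        bases[kind] = f"{sub},{suffix}"
    return bases, warnings


if __name__ == "__main__":
    bases, warnings = search_bases(parse_global(SAMPLE_SMB_CONF))
    for kind, base in bases.items():
        print(f"{kind:9s} {base}")
    for warning in warnings:
        print("WARNING:", warning)
```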


Re: [Samba] Roaming profile : taking forever to login /log off

2005-09-15 Thread FM

Except when you have multiple vendors and different hardware

Natxo Asenjo wrote:

> On 9/15/05, *Lorenzo Cerini* <[EMAIL PROTECTED]> wrote:
>
> > Unlucky you need to use gpedit.msc on every client.
>
> well, that's why god invented disc-images. Just make an xp installation
> you are happy with, and deploy its image on the rest of workstations :)
>
> regards,
> J.I.Asenjo


--
Frederic Medery
System Administrator

LexUM, University of Montreal


Re: [Samba] SSO Samba/AD integration

2005-09-15 Thread Brian Atkins
I added 'template shell = /bin/bash' and now 'getent passwd' shows the
proper shell extensions.  However, login still fails.  I tried multiple
methods to include the AD domain name in the login id:

DOMAIN\username
DOMAIN.FQDN\username
DOMAIN+username
DOMAIN.FQDN+username

and none work.  The logs show:

# more log.winbindd
[2005/09/15 13:37:46, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'gdm' does not exist
[2005/09/15 13:38:18, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'batkins' does not exist
[2005/09/15 13:38:18, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'batkins' does not exist
...

# more log.nmbd
[2005/09/15 13:39:06, 0] nmbd/nmbd_namequery.c:query_name_response(101)
  query_name_response: Multiple (2) responses received for a query on
subnet 10.10.59.97 for name UNICITY<1d>.
  This response was from IP 10.10.57.99, reporting an IP address of
192.168.211.1.
[2005/09/15 13:39:06, 0] nmbd/nmbd_namequery.c:query_name_response(101)
  query_name_response: Multiple (3) responses received for a query on
subnet 10.10.59.97 for name UNICITY<1d>.
  This response was from IP 10.10.57.212, reporting an IP address of
223.1.1.128.

However, I don't see anything related to a failed login attempt... 
Curiouser and curiouser...


Bruno Guerreiro wrote:

>Hi,
>/bin/false prevents a user from logging to the machine, while allowing it to
>authenticate... You can use shares which are located in your samba server,
>access via FTP,etc. Just can't logon to the machine itself
>Not sure about this one ( don't use AD), but have you tried setting this:
>
>template shell = (whatever shell you want normally /bin/bash)
>
>
>From man smb.conf:
>
>   template shell (G)
>      When filling out the user information for a Windows NT user,
>      the winbindd(8) daemon uses this parameter to fill in the login
>      shell for that user.
>
>  No default
>
>
>Best Regards,
>Bruno Guerreiro
>
>
>  
>
>>-----Original Message-----
>>From: Brian Atkins [mailto:[EMAIL PROTECTED]
>>Sent: quinta-feira, 15 de Setembro de 2005 14:04
>>To: samba@lists.samba.org
>>Subject: [Samba] SSO Samba/AD integration
>>
>>
>>OK, I'm certain that this topic has been beat to death, but I need some
>>assistance.  I am trying to migrate to a SSO for the majority of our
>>workstations and servers within our organization.  I am 
>>currently trying
>>to integrate a Gentoo Linux workstation to authenticate to the AD
>>server.  Once I get the process nailed down, I'll be moving on 
>>to bigger
>>and better things...
>>
>>Prior to starting, I already had Samba installed and was able to share
>>files with Windows based boxes, though only through a guest account. 
>>Since yesterday, I have installed openLDAP with mit-krb5 and Samba
>>support enabled.  I modified smb.conf, nsswitch.conf, and /etc/hosts in
>>accordance with a document I located on the Gentoo site.  It was pretty
>>straight forward, nothing earth-shattering.  Once Samba was restarted
>>(with winbind), I was able to use kinit to join the domain
>>successfully, and can now get user and group listings using the 'getent
>>[passwd|group]' commands.  However, when I try signing into the
>>workstation using an AD account, the login is denied.  What gives? 
>>
>>Here are my basics:
>>
>>nsswitch.conf:
>>--
>>passwd:      compat winbind
>>shadow:      compat
>>group:       compat winbind
>>
>># passwd:    db files nis
>># shadow:    db files nis
>># group:     db files nis
>>
>>hosts:       files dns winbind
>>networks:    files dns
>>
>>services:    db files
>>protocols:   db files
>>rpc:         db files
>>ethers:      db files
>>netmasks:    files
>>netgroup:    files
>>bootparams:  files
>>
>>automount:   files
>>aliases:     files
>>
>>
>>hosts
>>-
>>...
>>10.10.57.124    tlcdcm.UNICITY.TLCDELIVERS.COM  tlcdcm UNICITY
>>10.10.57.140    tlcdcm2.UNICITY.TLCDELIVERS.COM tlcdcm2
>>10.10.56.111    web-backupws.UNICITY.TLCDELIVERS.COM    web-backupws
>>...
>>
>>smb.conf
>>
>>[global]
>>  netbios name = briansrapier
>>  socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>>  idmap uid = 1-2
>>  idmap gid = 1-2
>>  winbind enum users = yes
>>  winbind gid = 1-2
>>  workgroup = UNICITY
>>  os level = 20
>>  winbind enum groups = yes
>>  password server = *
>>  preferred master = no
>>  winbind separator = +
>>  max log size = 50
>>  log file = /var/log/samba3/log.%m
>>  encrypt passwords = yes
>>  dns proxy = no
>>  realm = UNICITY.TLCDELIVERS.COM
>>  security = ADS
>>  wins server = 10.10.57.124
>>  wins proxy = no
>>...
>>
>>Doing a 'getent passwd' returns users similar to:
>>...
>>UNICITY+cfedeles:x:10172:1:NAME:/home/UNICITY/cfedeles:/bin/false
>>UNICITY+tevans:x:10173:1:NAME:/home/UNICITY/tevans:/bin/false
>>UNICITY+mbare:x:10174:1:NAME:/home/UNICITY/mbare:/bin/false
>>...
>>
>>But also lists computer accounts as well:
>>...
>>UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANC

Re: [Samba] Permissions not recursive on win2K?

2005-09-15 Thread Shawn Wright
On 11 Aug 2005 at 14:40, samba@lists.samba.org wrote:

> Way back on Mar 10 2004, I wrote this: 
> 
> == 
> Perhaps this is a known problem, and if so, hopefully it is fixed 
> in 3.x: 
> 
> Win2K SP4 clients, Samba 2.2.8a servers on Linux using ACL 
> support with 
> XFS filesystem (Redhat SGI-XFS build, and Mandrake 9.2). 
> 
> Adding/editing an ACL for an NT domain group (or user) to a 
> folder on samba, and 
> attempting to apply permissions to all subdirs and files only 
> goes one 
> level deep when using the win2k standard gui tool. ie: Only 
> ACLS for the 
> selected folder and files in top level are touched. Problem does 
> not occur 
> when using an NT4 client. Interestingly, using the NT4 security 
> dialog on 
> win2k (by way of the RSHXMENU powertoy for NT) works fine 
> on win2K.  
> 
> Is this a known issue? I can provide conf and debug output if 
> necessary, 
> but I assumed someone else must have seen this already (and 
> fixed it? :-) 
> == 
> 
> Then, I got this reply: 
> 
> >On 24 Mar 2004 at 9:13, Gerald (Jerry) Carter wrote: 
> >  
> > Yup.  It is fixed in 3.0 what what I remember.  Jeremy worked 
> on it. 
> 
> Eventually I got around to upgrading the affected servers to 
> 3.0.11, but  the problem persists, and I didn't have time to dig 
> into it. Now I need to  replace two samba servers, and would 
> like to resolve this issue. I've now  read the release notes from 
> 3.0.12 to 3.0.20RC2 and couldn't find  mention of a fix.  

I am now running 3.0.14a, but the permissions recursion problem still exists. 
Each time I apply permissions to a tree using the Win2K GUI, the addition or 
removal of an ACL will move exactly one level deeper than before.  In
other words, if the tree is 4 levels deep, it will take 3 passes of the 
operation before the ACL change appears in the 4th level. This long 
standing problem is seriously limiting our migration to samba. Can 
someone please tell me if this has been fixed in 3.0.20?

I have offered configs, debug, etc. and the offer still stands. I just want to 
see this problem fixed, and can't believe it is not affecting more users. 

For the record, here is the environment:
Mandrake 10.1 with ACL support on XFS
The share used for testing the issue is the "home" share.
PDC is running NT4 SP6a
Client used for setting ACLs running Win2K SP4, tested using GUI, cacls, 
and xcacls.

Build options:
./configure --with-winbind --with-acl-support --with-quotas \
  --sbindir=/usr/sbin --bindir=/usr/bin --localstatedir=/var/log/samba \
  --with-swatdir=/usr/share/swat --with-lockdir=/var/cache/samba \
  --with-configdir=/etc/samba --with-piddir=/var/run

conf file:
[global]
workgroup = SHAWNIGAN
netbios name = ADMIN3
server string = ADMIN3 Server
winbind uid = 1-2
winbind enum users = yes
winbind gid = 1-2
winbind separator = +
winbind enum groups = yes
disable spoolss = yes
unix password sync = no
max xmit = 65535
hosts allow = 10. 72.2.0.
dns proxy = no
oplocks = yes
inherit permissions = yes
debug level = 1
security = domain
getwd cache = yes
log level = 3
read raw = yes
write raw = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=16384 SO_SNDBUF=16384
wins server = 72.2.0.5 72.2.0.4
create mask = 0700
domain master = no
map to guest = never
null passwords = no
encrypt passwords = yes
template shell = /bin/false
dead time = 0
password level = 0
password server = *
directory mask = 0700
preferred master = no

[homes]
comment = Staff Home Directories
browseable = no
writable = yes
available = yes
public = no
create mask = 2700
inherit permissions = yes
nt acl support = no
force group = "shawnigan+domain users"
force security mode = 0777
path = /home/staff/%U


[home]
comment = Homes
browseable = yes
writable = yes
available = yes
public = no
only user = no
path=/home 
valid users = @"shawnigan+domain admins"
admin users = @"shawnigan+domain admins"

[sysroot]
comment = sysroot
valid users = @"shawnigan+domain admins"
admin users = @"shawnigan+domain admins"
writeable = yes
path = /
hosts allow =10.4. 72.2.0.

[staffhome]
comment = Staff Homes - Web Access
browseable = yes
writable = yes
available = yes
public = no
only user = no
path=/home/staff
valid users = @"shawnigan+domain admins","shawnigan+Apache-Internal"
admin users = @"shawnigan+domain admins"



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
[EMAIL PROTECTED]



[Samba] LDAP search failed: Size limit exceeded

2005-09-15 Thread Michael Christian
Hi list. I've decided to try and tackle this one piece at a time.

Does anyone know why I would get the following error:
[EMAIL PROTECTED] ~]# net groupmap list 
[2005/09/15 12:44:08, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2458)
ldapsam_setsamgrent: LDAP search failed: Size limit exceeded
[2005/09/15 12:44:08, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2523)
ldapsam_enum_group_mapping: Unable to open passdb

I seem to have some size related issue concerning Groups...

-- 
Michael S. Christian Jr.


RE: [Samba] delete user script

2005-09-15 Thread Larry McElderry
As a follow up,  changing the "ldap delete dn = no" did allow the 
smbldap-userdel script to work, but of course, now it leaves the
ldap posix entries.

I guess I'm just going to have to write my own script.

-----Original Message-----
From: Larry McElderry [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 15, 2005 11:04 AM
To: Samb Mail List
Subject: RE: [Samba] delete user script


Yes,
ldap delete dn = Yes

Actually,  everything is deleted (except home directories).

But you gave me an idea.  I reset ldap delete dn to No and retested.  I still 
get the numerous "Connection to LDAP server failed"
messages,  but the delete user script now executes.

So apparently, ldapsam does its deleting before calling the delete user script.

Larry

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Bruno Guerreiro
Sent: Thursday, September 15, 2005 10:47 AM
To: '[EMAIL PROTECTED]'; Samb Mail List
Subject: RE: [Samba] delete user script


Hi,
In order to have samba deleting everything from ldap you must have:

ldap delete dn = yes
By default it's no.

Are you sure everything is working correctly?
It seems that samba isn't even able to connect to the LDAP server.
Another thing. Do you belong to the administrators group?

Best Regards,
Bruno Guerreiro


>-----Original Message-----
>From: Larry McElderry [mailto:[EMAIL PROTECTED]
>Sent: quinta-feira, 15 de Setembro de 2005 16:37
>To: Samb Mail List
>Subject: [Samba] delete user script
>
>
>Does anyone know what the unix UID is deleting a user in USRMGR?
>
>I'm using Samba with ldap and while I can create users just
>fine with usrmgr (logged in as myself,  but when I delete a user, it
>seems to have trouble running my "delete user script"
>
>My samba log shows:
>[2005/09/15 10:19:42, 1] lib/smbldap.c:another_ldap_try(1011)
>  Connection to LDAP server failed for the 15 try!
>[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2005/09/15 10:19:43, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
>  ldapsam_setsamgrent: LDAP search failed: Timed out
>[2005/09/15 10:19:43, 0]
>passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
>  ldapsam_enum_group_mapping: Unable to open passdb
>[2005/09/15 10:19:43, 0] rpc_server/srv_samr_nt.c:smb_delete_user(3810)
>  smb_delete_user: Running the command
>`/etc/samba/smbldap/smbldap-userdel -r 'test'' gave 6
>[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>
>The ldap server is setup to allow my uid full access to the
>database.  Is it possible that the ldap record is deleted before the
>delete script is called?
>
>Using Samba 3.0.14a
>SMB.CONF excerpt
>add user script = /etc/samba/smbldap/smbldap-useradd -m '%u'
>delete user script = /etc/samba/smbldap/smbldap-userdel -r '%u'
>
>
>


RE: [Samba] delete user script

2005-09-15 Thread Larry McElderry
Yes,
ldap delete dn = Yes

Actually,  everything is deleted (except home directories).

But you gave me an idea.  I reset ldap delete dn to No and retested.  I still 
get the numerous "Connection to LDAP server failed"
messages,  but the delete user script now executes.

So apparently, ldapsam does its deleting before calling the delete user script.

Larry

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Bruno Guerreiro
Sent: Thursday, September 15, 2005 10:47 AM
To: '[EMAIL PROTECTED]'; Samb Mail List
Subject: RE: [Samba] delete user script


Hi,
In order to have samba deleting everything from ldap you must have:

ldap delete dn = yes
By default it's no.

Are you sure everything is working correctly?
It seems that samba isn't even able to connect to the LDAP server.
Another thing. Do you belong to the administrators group?

Best Regards,
Bruno Guerreiro


>-----Original Message-----
>From: Larry McElderry [mailto:[EMAIL PROTECTED]
>Sent: quinta-feira, 15 de Setembro de 2005 16:37
>To: Samb Mail List
>Subject: [Samba] delete user script
>
>
>Does anyone know what the unix UID is deleting a user in USRMGR?
>
>I'm using Samba with ldap and while I can create users just
>fine with usrmgr (logged in as myself,  but when I delete a user, it
>seems to have trouble running my "delete user script"
>
>My samba log shows:
>[2005/09/15 10:19:42, 1] lib/smbldap.c:another_ldap_try(1011)
>  Connection to LDAP server failed for the 15 try!
>[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2005/09/15 10:19:43, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
>  ldapsam_setsamgrent: LDAP search failed: Timed out
>[2005/09/15 10:19:43, 0]
>passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
>  ldapsam_enum_group_mapping: Unable to open passdb
>[2005/09/15 10:19:43, 0] rpc_server/srv_samr_nt.c:smb_delete_user(3810)
>  smb_delete_user: Running the command
>`/etc/samba/smbldap/smbldap-userdel -r 'test'' gave 6
>[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>
>The ldap server is setup to allow my uid full access to the
>database.  Is it possible that the ldap record is deleted before the
>delete script is called?
>
>Using Samba 3.0.14a
>SMB.CONF excerpt
>add user script = /etc/samba/smbldap/smbldap-useradd -m '%u'
>delete user script = /etc/samba/smbldap/smbldap-userdel -r '%u'
>
>
>


[Samba] Samba Version 3.0.14a : user right access problem

2005-09-15 Thread MULLER Pierre (CS)
Hello,

I have a user access problem with Samba version 3.0.14a.

To give one user name access rights to one share name,
I must put this user name in the access netgroup of the UNIX server,
because the user name alone in smb.conf is not enough.

Why? Is there another method?
Is it possible to give the right only in smb.conf?

Regards

Pierre

Email : [EMAIL PROTECTED]







RE: [Samba] delete user script

2005-09-15 Thread Bruno Guerreiro
Hi, 
In order to have samba deleting everything from ldap you must have:

ldap delete dn = yes
By default it's no.

Are you sure everything is working correctly?
It seems that samba isn't even able to connect to the LDAP server.
Another thing. Do you belong to the administrators group?

Best Regards,
Bruno Guerreiro


>-Original Message-
>From: Larry McElderry [mailto:[EMAIL PROTECTED]
>Sent: Thursday, 15 September 2005 16:37
>To: Samb Mail List
>Subject: [Samba] delete user script
>
>
>Does anyone know what the unix UID is deleting a user in USRMGR?
>
>I'm using Samba with ldap and while I can create users just 
>fine with usrmgr (logged in as myself,  but when I delete a user, it
>seems to have trouble running my "delete user script"
>
>My samba log shows:
>[2005/09/15 10:19:42, 1] lib/smbldap.c:another_ldap_try(1011)
>  Connection to LDAP server failed for the 15 try!
>[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2005/09/15 10:19:43, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
>  ldapsam_setsamgrent: LDAP search failed: Timed out
>[2005/09/15 10:19:43, 0] 
>passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
>  ldapsam_enum_group_mapping: Unable to open passdb
>[2005/09/15 10:19:43, 0] rpc_server/srv_samr_nt.c:smb_delete_user(3810)
>  smb_delete_user: Running the command 
>`/etc/samba/smbldap/smbldap-userdel -r 'test'' gave 6
>[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>
>The ldap server is setup to allow my uid full access to the 
>database.  Is it possible that the ldap record is deleted before the
>delete script is called?
>
>Using Samba 3.0.14a
>SMB.CONF excerpt
>add user script = /etc/samba/smbldap/smbldap-useradd -m '%u'
>delete user script = /etc/samba/smbldap/smbldap-userdel -r '%u'
>
>
>


[Samba] Change Domain Password on Linux Client with winbind and PAM ?!?

2005-09-15 Thread Michael Gasch

hi list,

does anyone have a working installation to be able to change windows nt 
domain passwords on a linux client, which is joined the domain (by net 
rpc join)?


authentication of domain users via pam_winbind.so works great but 
changing passwords seems to have no effect:


[EMAIL PROTECTED] passwd
[EMAIL PROTECTED]

root can change his password.
if you need config files, just let me know!

thx in advance...

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137


Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Dimitri Yioulos
On Thursday 15 September 2005 11:21 am, you wrote:
> 
>
> >Oops, obviously these lines are uncommented (how'd I do that?):
> >
> >idmap uid = 1-2
> >idmap gid = 1-2
> >
> >Dimitri
>
> Odd, here is what I am getting when I do a net groupmap list:
>
> System Operators (S-1-5-32-549) -> -1
> Domain Admins (S-1-5-21-2000478354-789336058-725345543-512) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users (S-1-5-21-2247000946-2623471383-2375109730-513) -> -1
> Domain Users (S-1-5-21-2000478354-789336058-725345543-513) -> -1
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Domain Guests (S-1-5-21-2000478354-789336058-725345543-514) -> -1
> Domain Admins (S-1-5-21-2247000946-2623471383-2375109730-512) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Guests (S-1-5-21-2247000946-2623471383-2375109730-514) -> -1
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
> So this is a good indication I am a member server, but the startup logs
> are still indicating this as a logon server.  Am I running the wrong
> command to join the domain?
>
> %> net ads join -U"admin" "ad_container_name"

Try "net ads join -U Nameusedwithkinit(e.g. Your Win2k3 
Administrator)@MYDOMAIN.COM"

Dimitri


[Samba] delete user script

2005-09-15 Thread Larry McElderry
Does anyone know what the unix UID is deleting a user in USRMGR?

I'm using Samba with ldap and while I can create users just fine with usrmgr 
(logged in as myself,  but when I delete a user, it
seems to have trouble running my "delete user script"

My samba log shows:
[2005/09/15 10:19:42, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 15 try!
[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/15 10:19:43, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
  ldapsam_setsamgrent: LDAP search failed: Timed out
[2005/09/15 10:19:43, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
  ldapsam_enum_group_mapping: Unable to open passdb
[2005/09/15 10:19:43, 0] rpc_server/srv_samr_nt.c:smb_delete_user(3810)
  smb_delete_user: Running the command `/etc/samba/smbldap/smbldap-userdel -r 
'test'' gave 6
[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..

The ldap server is setup to allow my uid full access to the database.  Is it 
possible that the ldap record is deleted before the
delete script is called?

Using Samba 3.0.14a
SMB.CONF excerpt
add user script = /etc/samba/smbldap/smbldap-useradd -m '%u'
delete user script = /etc/samba/smbldap/smbldap-userdel -r '%u'
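
An added example (not part of the original post, and not Samba project code): a small Python parser for the Samba log format quoted above that counts the "cannot access LDAP when not root" errors and extracts the failed delete-script invocation with its exit code. The function names are hypothetical; the sample input is the log excerpt from the post with its wrapped line rejoined.

```python
import re

# Log excerpt from the post above (wrapped line rejoined), used as sample input.
SAMPLE_LOG = """\
[2005/09/15 10:19:42, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 15 try!
[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/15 10:19:43, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
  ldapsam_setsamgrent: LDAP search failed: Timed out
[2005/09/15 10:19:43, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
  ldapsam_enum_group_mapping: Unable to open passdb
[2005/09/15 10:19:43, 0] rpc_server/srv_samr_nt.c:smb_delete_user(3810)
  smb_delete_user: Running the command `/etc/samba/smbldap/smbldap-userdel -r 'test'' gave 6
[2005/09/15 10:19:43, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
"""

# Header line: [timestamp, debuglevel] source_file:function(line)
HEADER = re.compile(
    r"^\[(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+):(?P<function>\w+)\((?P<line>\d+)\)\s*$"
)
# Samba reports an external script's result as: Running the command `CMD' gave RC
SCRIPT_RESULT = re.compile(r"Running the command `(?P<cmd>.*)' gave (?P<rc>\d+)")


def parse_samba_log(text):
    """Return one dict per log entry; indented lines are joined into 'message'."""
    entries = []
    for raw in text.splitlines():
        match = HEADER.match(raw)
        if match:
            entry = match.groupdict()
            entry["level"] = int(entry["level"])
            entry["line"] = int(entry["line"])
            entry["message"] = ""
            entries.append(entry)
        elif raw.strip() and entries:
            # Continuation line: belongs to the most recent header.
            current = entries[-1]
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return entries


def summarize(entries):
    """Collect the three symptoms seen in the thread."""
    report = {"not_root": 0, "ldap_failures": [], "script_failures": []}
    for entry in entries:
        msg = entry["message"]
        if "cannot access LDAP when not root" in msg:
            report["not_root"] += 1
        elif "LDAP" in msg and "failed" in msg:
            report["ldap_failures"].append((entry["function"], msg))
        result = SCRIPT_RESULT.search(msg)
        if result and int(result.group("rc")) != 0:
            report["script_failures"].append(
                (result.group("cmd"), int(result.group("rc")))
            )
    return report


if __name__ == "__main__":
    summary = summarize(parse_samba_log(SAMPLE_LOG))
    print("non-root LDAP access attempts:", summary["not_root"])
    for func, msg in summary["ldap_failures"]:
        print("LDAP failure in", func, "->", msg)
    for cmd, rc in summary["script_failures"]:
        print("script exited", rc, ":", cmd)
```
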





[Samba] Oddities with DFS

2005-09-15 Thread dpk

General information about our Samba server configuration:

- Server is a domain member and passes authentication to a domain that 
also has trust relationships


- UNIX passwd/group lookups are performed via NIS

- Running Debian Sarge, Samba 3.0.14a

The problem scenario is this:

- If I map a share, i.e. \\samba\home, then map the dfs root 
\\samba\dfs, I get "Access Denied" to all shares mapping back to the 
Samba server, including a DFS pointer to \\samba\home.


Samba logs:

[2005/09/15 11:25:56, 0] auth/auth_domain.c:domain_client_validate(199)
  domain_client_validate: unable to validate password for user [my 
user] in domain [my domain] to Domain controller \\[my server]. Error 
was NT_STATUS_WRONG_PASSWORD.


On the domain controller side, the following event is logged:

09/15 11:25:56 [LOGON] SamLogon: Transitive Network logon of [my 
domain]\[my user] from \\[my client] (via [my server]) Entered
09/15 11:25:56 [LOGON] SamLogon: Transitive Network logon of [my 
domain]\[my user] from \\[my client] (via [my server]) Returns 0xC06A


However, if I map \\samba\dfs first OR if I use 
\\samba.fully-qualified.domain.name\dfs in either order, I don't 
receive the error.  Any explanation for this behavior and possible 
remedies to fix it other than the other scenarios?


Thanks,
Dennis




Re: [Samba] Re: Authentication against AD?

2005-09-15 Thread Jason Gerfen




> Oops, obviously these lines are uncommented (how'd I do that?):
>
> idmap uid = 1-2
> idmap gid = 1-2
>
> Dimitri
 


Odd, here is what I am getting when I do a net groupmap list:

System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-2000478354-789336058-725345543-512) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-2247000946-2623471383-2375109730-513) -> -1
Domain Users (S-1-5-21-2000478354-789336058-725345543-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-2000478354-789336058-725345543-514) -> -1
Domain Admins (S-1-5-21-2247000946-2623471383-2375109730-512) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-2247000946-2623471383-2375109730-514) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

So this is a good indication I am a member server, but the startup logs 
are still indicating this as a logon server.  Am I running the wrong 
command to join the domain?


%> net ads join -U"admin" "ad_container_name"


--
Jason Gerfen

"My girlfriend threated to
leave me if I went boarding...
I will miss her."
~ DIATRIBE aka FBITKK
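
An added example (not part of the original message, and not Samba project code): a Python sketch that parses the `net groupmap list` output posted above, splits each SID into domain SID and RID, and reports which group names appear under more than one domain SID and which mappings show `-1` on the Unix side. The function names are hypothetical; the sample input is the output from the message.

```python
import re
from collections import defaultdict

# Output of "net groupmap list" as posted in the message above.
SAMPLE_GROUPMAP = """\
System Operators (S-1-5-32-549) -> -1
Domain Admins (S-1-5-21-2000478354-789336058-725345543-512) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-2247000946-2623471383-2375109730-513) -> -1
Domain Users (S-1-5-21-2000478354-789336058-725345543-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-2000478354-789336058-725345543-514) -> -1
Domain Admins (S-1-5-21-2247000946-2623471383-2375109730-512) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-2247000946-2623471383-2375109730-514) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
"""

# "NT group name (SID) -> unix group"; an optional "> " quote prefix is tolerated.
LINE = re.compile(
    r"^(?:>\s*)?(?P<name>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) -> (?P<unix>.+?)\s*$"
)


def split_sid(sid):
    """Split a SID into (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_groupmap(text):
    """Parse groupmap lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue
        domain, rid = split_sid(match.group("sid"))
        entries.append({
            "name": match.group("name"),
            "sid": match.group("sid"),
            "domain": domain,
            "rid": rid,
            "unix_group": match.group("unix"),
        })
    return entries


def analyze(entries):
    """Summarise domain SIDs, names mapped under several domains, and -1 mappings."""
    domains_by_name = defaultdict(set)
    for entry in entries:
        domains_by_name[entry["name"]].add(entry["domain"])
    return {
        # S-1-5-21-... SIDs identify account domains; S-1-5-32 is the builtin domain.
        "account_domains": sorted(
            {e["domain"] for e in entries if e["domain"].startswith("S-1-5-21-")}
        ),
        "conflicts": {
            name: sorted(doms)
            for name, doms in domains_by_name.items() if len(doms) > 1
        },
        # "-1" on the right-hand side: no Unix group shown for the mapping.
        "unmapped": [e["sid"] for e in entries if e["unix_group"] == "-1"],
    }


if __name__ == "__main__":
    result = analyze(parse_groupmap(SAMPLE_GROUPMAP))
    print("account domain SIDs:", *result["account_domains"], sep="\n  ")
    for name, doms in sorted(result["conflicts"].items()):
        print(f"{name!r} is mapped under {len(doms)} domain SIDs")
    print("mappings without a Unix group:", len(result["unmapped"]))
```
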



[Samba] Samba AIX libldap.a

2005-09-15 Thread Joseph Madrinkian
I just installed Samba 3.0.40 on AIX 5.1 and when I try to start SMBD I
get the error message 

 

"Cannot load module libldap.a(libldap.so.2)"

 

Does anyone know what I need to do?

 

Thanks





[Samba] sambaSIDList attribute

2005-09-15 Thread Christian Sengstock
Hi,
i'm using samba 3.0.14a with an openldap 2.2.24 as the userdata
backend. From time to time i get the following entry in the messages
logfile:

Sep 15 12:44:37 myserver slapd[8112]: <= bdb_equality_candidates:
(sambaSIDList) index_param failed (18)
Sep 15 12:44:37 atlas last message repeated 2 times

Anyone knows what the "sambaSIDList" attribute is for? I can't find
this entry in my ldap ("ldapsearch -D ... -b ... | grep sambaSIDList")
but the attribute is defined in the samba3.schema (suse92enterpr).

I populated the ldap with the "smbldap-tools" and use them to manage
the user accounts. Maybe it has something to do with that?
Anyone else got this error?

Regards, Chris


RE: [Samba] SSO Samba/AD integration

2005-09-15 Thread Bruno Guerreiro
Hi,
/bin/false prevents a user from logging in to the machine, while allowing it to
authenticate... You can use shares which are located in your samba server,
access via FTP, etc. Just can't log on to the machine itself.
Not sure about this one (don't use AD), but have you tried setting this:

template shell = (whatever shell you want, normally /bin/bash)


From man smb.conf:

   template shell (G)
      When filling out the user information for a Windows NT user,
      the winbindd(8) daemon uses this parameter to fill in the login
      shell for that user.

      No default


Best Regards,
Bruno Guerreiro


>-Original Message-
>From: Brian Atkins [mailto:[EMAIL PROTECTED]
>Sent: Thursday, 15 September 2005 14:04
>To: samba@lists.samba.org
>Subject: [Samba] SSO Samba/AD integration
>
>
>OK, I'm certain that this topic has been beat to death, but I need some
>assistance.  I am trying to migrate to a SSO for the majority of our
>workstations and servers within our organization.  I am 
>currently trying
>to integrate a Gentoo Linux workstation to authenticate to the AD
>server.  Once I get the process nailed down, I'll be moving on 
>to bigger
>and better things...
>
>Prior to starting, I already had Samba installed and was able to share
>files with Windows based boxes, though only through a guest account. 
>Since yesterday, I have installed openLDAP with mit-krb5 and Samba
>support enabled.  I modified smb.conf, nsswitch.conf, and /etc/hosts in
>accordance with a document I located on the Gentoo site.  It was pretty
>straight forward, nothing earth-shattering.  Once Samba was restarted
>(with winbind), I was able to use kinit to join the domain
>successfully, and can now get user and group listings using the 'getent
>[passwd|group]' commands.  However, when I try signing into the
>workstation using an AD account, the login is denied.  What gives? 
>
>Here are my basics:
>
>nsswitch.conf:
>--
>passwd:      compat winbind
>shadow:      compat
>group:       compat winbind
>
># passwd:    db files nis
># shadow:    db files nis
># group:     db files nis
>
>hosts:       files dns winbind
>networks:    files dns
>
>services:    db files
>protocols:   db files
>rpc:         db files
>ethers:      db files
>netmasks:    files
>netgroup:    files
>bootparams:  files
>
>automount:   files
>aliases:     files
>
>
>hosts
>-
>...
>10.10.57.124    tlcdcm.UNICITY.TLCDELIVERS.COM        tlcdcm UNICITY
>10.10.57.140    tlcdcm2.UNICITY.TLCDELIVERS.COM       tlcdcm2
>10.10.56.111    web-backupws.UNICITY.TLCDELIVERS.COM  web-backupws
>...
>
>smb.conf
>
>[global]
>   netbios name = briansrapier
>   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>   idmap uid = 1-2
>   idmap gid = 1-2
>   winbind enum users = yes
>   winbind gid = 1-2
>   workgroup = UNICITY
>   os level = 20
>   winbind enum groups = yes
>   password server = *
>   preferred master = no
>   winbind separator = +
>   max log size = 50
>   log file = /var/log/samba3/log.%m
>   encrypt passwords = yes
>   dns proxy = no
>   realm = UNICITY.TLCDELIVERS.COM
>   security = ADS
>   wins server = 10.10.57.124
>   wins proxy = no
>...
>
>Doing a 'getent passwd' returns users similar to:
>...
>UNICITY+cfedeles:x:10172:1:NAME:/home/UNICITY/cfedeles:/bin/false
>UNICITY+tevans:x:10173:1:NAME:/home/UNICITY/tevans:/bin/false
>UNICITY+mbare:x:10174:1:NAME:/home/UNICITY/mbare:/bin/false
>...
>
>But also lists computer accounts as well:
>...
>UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANCHEZ:/home/UNICITY/
>imd-gsanchez_:/bin/false
>UNICITY+imd-sharepoint$:x:10553:10004:IMD-SHAREPOINT:/home/UNIC
>ITY/imd-sharepoint_:/bin/false
>UNICITY+imd-alucchiani$:x:10559:10004:IMD-ALUCCHIANI:/home/UNIC
>ITY/imd-alucchiani_:/bin/false
>...
>
>However, 'getent group' works just fine:
>...
>UNICITY+Exchange Domain Servers:x:10025:
>UNICITY+Exchange Enterprise Servers:x:10026:
>UNICITY+Trainers:x:10027:UNICITY+sblizzard,UNICITY+jedgell,UNICITY+jime
>...
>
>The '/bin/false' login shell in the passwd schema leads me to 
>believe that is where the problem lies, but I am not sure what 
>to do to fix it.
>
>Thanks for the input.
>
>-- 
>Brian Atkins
>
>"An adventure is never an adventure 
>when it's happening.  Challenging
>experiences need time to ferment, 
>and an adventure is simply physical 
>and emotional discomfort recollected 
>in tranquility." -- Tim Cahill
>


Re: [Samba] Data migration using net rpc share migrate

2005-09-15 Thread Gibbs, Simon
Hi,

I've been looking at this for a while now and still don't seem to be able to
migrate the ACL's.

I can confirm Samba has ACL support built in:
# smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS
I can also amend/create ACL's on the Samba share via Windows Explorer.

I've checked ownership/permissions of the share Build$ and files within it
and they all belong to the user "gibbss" ([EMAIL PROTECTED]).
Additionally I've set force unknown acl user = Yes on the Build$ share on
the Samba server just in case.

The directory published by Samba as Build$ is owned by the user gibbss and
has full access permission (777).

I'm not quite sure where to look next.
Here's the extended debug from the rpc net migrate files command - it's
level 4:

[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_start_connection(1388)
  Connecting to host=10.36.32.36
[2005/09/15 15:17:21, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.36.32.36 at port 445
[2005/09/15 15:17:21, 4] lib/time.c:get_serverzone(122)
  Serverzone is -3600
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(713)
  Doing spnego session setup (blob length=109)
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
  got OID=1 2 840 48018 1 2 2
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
  got OID=1 2 840 113554 1 2 2
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
  got OID=1 2 840 113554 1 2 2 3
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
  got OID=1 3 6 1 4 1 311 2 2 10
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
  got [EMAIL PROTECTED]
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
  Got challenge flags:
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x62890215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
  NTLMSSP: Set final flags:
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2005/09/15 15:17:21, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
syncing[Build$] files and directories including ACLs, including DOS
Attributes (preserving timestamps)
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_start_connection(1388)
  Connecting to host=10.36.32.36
[2005/09/15 15:17:21, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.36.32.36 at port 445
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(713)
  Doing spnego session setup (blob length=109)
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
  got OID=1 2 840 48018 1 2 2
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
  got OID=1 2 840 113554 1 2 2
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
  got OID=1 2 840 113554 1 2 2 3
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
  got OID=1 3 6 1 4 1 311 2 2 10
[2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
  got [EMAIL PROTECTED]
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
  Got challenge flags:
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x62890215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
  NTLMSSP: Set final flags:
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2005/09/15 15:17:21, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN

[Samba] Segmentation Fault

2005-09-15 Thread William Bilancio
I am currently trying to use the samba-3.0.20-22 RPMS that I got from 
sernet.  They load fine but when I try to join the server to the ADS
domain I get a Segmentation Fault.

Command I am using is: net ads join -UAdministrator%password


Any help would be great.

William Bilancio

My set up is as follows:

Centos4 Linux
krb5

smb.conf:

[global]
workgroup = ARORA
realm = ARORAPC.COM
server string = darkstar
netbios name = darkstar
encrypt passwords = yes
security = ADS
client use spnego = yes
log level = 1 ads:10 auth:10 sam:10 rpc:10
idmap uid = 600-2
idmap gid = 600-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = Yes
printing = cups
printcap name = CUPS
use client driver = Yes


[homes]
comment = Home Directories
read only = No
browseable = No

[ghost]
path=/home/ghost
read only = No
browseable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
printable = yes






William Bilancio - Network/Systems Administrator
Arora and Associates, P.C.
3120 Princeton Pike 3rd Floor
Lawrenceville, NJ 08648
Phone: 609-844- Ext. 1129
Fax: 609-844-9799
E-Mail: [EMAIL PROTECTED] 




RE: [Samba] XP Profile write ok, no read.

2005-09-15 Thread Louis van Belle
 

>-Original Message-
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] 
>On Behalf Of Geert Stappers
>Sent: Thursday, 15 September 2005 15:24
>To: samba@lists.samba.org
>Subject: Re: [Samba] XP Profile write ok, no read.
>
>On Wed, Sep 14, 2005 at 05:08:21PM +0200, Louis van Belle wrote:
>> Hi,
>> 
>> I still have a problem with samba and profiles.
>> The profile is correctly written to the profile share.
>> but when i logon a other computer, logon takes ages..
>
>And when you express ages in seconds,
>how many seconds are we talking about?
about 5 minutes
>
>> and im unable to do anything registry is locked for example. 
>> ( see logs below ) 
>> when i copy the network profile to the local computer there
>> is no problem. ( because the local profile is used ) 
>
>How large is profile?
4 Mb on a 100 or 1000 Mbit network card. 

( for example i can copy a DVD iso in 4-5 minutes to my server )
>
>
>   configuration, logging & other information 
>
>
>There was no information about bandwidth.
>
>
>Say the profile is 20 Mbyte and a 10Mbit/s network.
>That will take about 20 seconds,
>which is roughly 1 times the blink of eye.
>
>
>What I'm trying to say is that some things do take time
>and performance is mostly in the eye of the beholder.
>
>
>HTH
>St
>


[Samba] LDAP - Can't add machine

2005-09-15 Thread Michael Christian
Mchristianjr at nbhandy.com wrote:
> Ok, I'm pretty much following the book Samba 3 by Example and I've run into
> a few problems.
>
> I can't add a machine account:
> # net rpc join -U Administrator%SECRET
> Create of workstation account failed
> Unable to join domain HANDY_AUTH.

Have you added the privileges:

net rpc rights "HANDY_AUTH\Administrator" \
SeMachineAccountPrivilege \
-U Administrator%SECRET

for the whole group:

net rpc rights "HANDY_AUTH\Domain Admins" \
SeMachineAccountPrivilege \
-U Administrator%SECRET

(Docu available in the online samba-howto)

> If I try root:
> # net rpc join -U root%SECRET
> Could not connect to server PRIMARY
> The username or password was not correct.
>
> When I try smbpasswd -a root, I end up getting an error:
> # smbpasswd -a root
> New SMB password:
> Retype new SMB password:
> ldapsam_add_sam_account: SID 'S-1-5-21-1529261333-2934293496-63313958-1000'
> already in the base, with samba attributes
> Failed to add entry for user root.
> Failed to modify password entry for user root

Maybe related to the problem below:

> Additionally, I also run into the following:
> # net groupmap list
> [2005/09/14 19:44:47, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2458)
>   ldapsam_setsamgrent: LDAP search failed: Size limit exceeded
> [2005/09/14 19:44:47, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2523)
>   ldapsam_enum_group_mapping: Unable to open passdb

Check your LDAP server settings in ldap.conf if they match those in smb.conf

> I seem to get this Size Limit error in several places, one of which is the
> web based LAM utility when clicking on the 'Groups' tab.
>
> So somewhere along the way I've screwed up, and after trying from scratch
> several times I'm getting a little frustrated at the wasted time.  Is there
> a list of steps I can take to diagnose and resolve this issue?

Google was my friend ;-)

Thomas

===

Thanks Thomas, but I'm running Samba 3.0.10 on rhel - I think the 'net rpc 
rights' command isn't available. I'm pretty much at a total loss as to how 
to fix this...




-- 
Michael S. Christian Jr.


Re: [Samba] XP Profile write ok, no read.

2005-09-15 Thread Geert Stappers
On Wed, Sep 14, 2005 at 05:08:21PM +0200, Louis van Belle wrote:
> Hi,
> 
> I still have a problem with samba and profiles.
> The profile is correctly written to the profile share.
> but when i logon a other computer, logon takes ages..

And when you express ages in seconds,
how many seconds are we talking about?

> and im unable to do anything registry is locked for example. 
> ( see logs below ) 
> when i copy the network profile to the local computer there
> is no problem. ( because the local profile is used ) 

How large is profile?


   configuration, logging & other information 


There was no information about bandwidth.


Say the profile is 20 Mbyte and a 10Mbit/s network.
That will take about 20 seconds,
which is roughly 1 times the blink of eye.


What I'm trying to say is that some things do take time
and performance is mostly in the eye of the beholder.


HTH
St



[Samba] net rpc rights problem with groups

2005-09-15 Thread Benjamin.Oeltze
Hello List,
 
I have tried to grant SeMachineAccountPrivilege to an extra group.
Users in this group should not have Admin rights but they should be able to 
join workstations to the domain.
My first try was to grant the right to a single user, which is working as 
expected.
 
net rpc rights grant "TOPTEST\toptest.r" SeMachineAccountPrivilege -U 
domainadmin
 
net rpc rights shows:
hgest3201:~ # net rpc rights list accounts -Udomainadmin
Password:
TOPTEST\toptest.r
SeMachineAccountPrivilege

The user can join workstations to TOPTEST.
But when I create a group named wksadd and grant SeMachineAccountPrivilege to 
the group, the users of this group can't join workstations.
 
net help rpc rights grant "TOPTEST\wksadd" SeMachineAccountPrivilege -U 
domainadmin
 
hgest3201:~ # net rpc rights list accounts -Udomainadmin
Password:
TOPTEST\wksadd
SeMachineAccountPrivilege
 
Is this a bug ??
 
Benny
 
 


[Samba] SSO Samba/AD integration

2005-09-15 Thread Brian Atkins
OK, I'm certain that this topic has been beat to death, but I need some
assistance.  I am trying to migrate to a SSO for the majority of our
workstations and servers within our organization.  I am currently trying
to integrate a Gentoo Linux workstation to authenticate to the AD
server.  Once I get the process nailed down, I'll be moving on to bigger
and better things...

Prior to starting, I already had Samba installed and was able to share
files with Windows based boxes, though only through a guest account. 
Since yesterday, I have installed openLDAP with mit-krb5 and Samba
support enabled.  I modified smb.conf, nsswitch.conf, and /etc/hosts in
accordance with a document I located on the Gentoo site.  It was pretty
straight forward, nothing earth-shattering.  Once Samba was restarted
(with winbind), I was able to use kinit to join the domain
successfully, and can now get user and group listings using the 'getent
[passwd|group]' commands.  However, when I try signing into the
workstation using an AD account, the login is denied.  What gives? 

Here are my basics:

nsswitch.conf:
--
passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns winbind
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


hosts
-
...
10.10.57.124    tlcdcm.UNICITY.TLCDELIVERS.COM        tlcdcm UNICITY
10.10.57.140    tlcdcm2.UNICITY.TLCDELIVERS.COM       tlcdcm2
10.10.56.111    web-backupws.UNICITY.TLCDELIVERS.COM  web-backupws
...

smb.conf

[global]
   netbios name = briansrapier
   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum users = yes
   winbind gid = 1-2
   workgroup = UNICITY
   os level = 20
   winbind enum groups = yes
   password server = *
   preferred master = no
   winbind separator = +
   max log size = 50
   log file = /var/log/samba3/log.%m
   encrypt passwords = yes
   dns proxy = no
   realm = UNICITY.TLCDELIVERS.COM
   security = ADS
   wins server = 10.10.57.124
   wins proxy = no
...

Doing a 'getent passwd' returns users similar to:
...
UNICITY+cfedeles:x:10172:1:NAME:/home/UNICITY/cfedeles:/bin/false
UNICITY+tevans:x:10173:1:NAME:/home/UNICITY/tevans:/bin/false
UNICITY+mbare:x:10174:1:NAME:/home/UNICITY/mbare:/bin/false
...

But also lists computer accounts as well:
...
UNICITY+imd-gsanchez$:x:10539:10004:IMD-GSANCHEZ:/home/UNICITY/imd-gsanchez_:/bin/false
UNICITY+imd-sharepoint$:x:10553:10004:IMD-SHAREPOINT:/home/UNICITY/imd-sharepoint_:/bin/false
UNICITY+imd-alucchiani$:x:10559:10004:IMD-ALUCCHIANI:/home/UNICITY/imd-alucchiani_:/bin/false
...

However, 'getent group' works just fine:
...
UNICITY+Exchange Domain Servers:x:10025:
UNICITY+Exchange Enterprise Servers:x:10026:
UNICITY+Trainers:x:10027:UNICITY+sblizzard,UNICITY+jedgell,UNICITY+jime
...

The '/bin/false' login shell in the passwd schema leads me to believe that is 
where the problem lies, but I am not sure what to do to fix it.

Thanks for the input.

-- 
Brian Atkins

"An adventure is never an adventure 
when it's happening.  Challenging
experiences need time to ferment, 
and an adventure is simply physical 
and emotional discomfort recollected 
in tranquility." -- Tim Cahill



[Samba] sambaSIDlist attribute

2005-09-15 Thread Christian Sengstock
Hi,
i'm using samba 3.0.14a with an openldap 2.2.24 as the userdata
backend. From time to time i get the following entry in the messages
logfile:

Sep 15 12:44:37 myserver slapd[8112]: <= bdb_equality_candidates:
(sambaSIDList) index_param failed (18)
Sep 15 12:44:37 atlas last message repeated 2 times

Anyone knows what the "sambaSIDList" attribute is for? I can't find
this entry in my ldap ("ldapsearch -D ... -b ... | grep sambaSIDList")
but the attribute is defined in the samba3.schema (suse92enterpr).

I populated the ldap with the "smbldap-tools" and use them to manage
the user accounts. Maybe it has something to do with that?
Anyone else got this error?

Regards, Chris


[Samba] help, read_socket_data: recv failure for 11137 ??

2005-09-15 Thread Stefan Sabolowitsch
Hi List

Which means "11137"

[2005/09/15 10:52:24, 0] lib/util_sock.c:read_socket_data(384)
  read_socket_data: recv failure for 11137. Error =

[2005/09/15 10:52:24, 1] smbd/service.c:close_cnum(836)
  da015 (192.168.0.143) closed connection to service Projekte
[2005/09/15 10:54:36, 0] lib/util_sock.c:read_socket_data(384)
  read_socket_data: recv failure for 4. Error

By this message samba was no more accessible.
From 10 Ping was successful one.
NIC was already changed (new Nic).


Thanks for each assistance.


Stefan



[Samba] Re: ACL problem

2005-09-15 Thread paul kölle
David Mataró Ciller wrote:
> Hi all,
> 
> I have joined samba server (3.0.14a-2) to an ADS. I can copy, move and
> remove files from any windows workstation and also I can set ACLs. I
> need to migrate files from 4 w2k servers to the samba server and preserve
> ACLs. One server is in the ADS domain, but the other servers are in
> other domains. I use robocopy.exe to migrate files and folders. When I
> run robocopy the files and folders are copied but the ACLs are not
> preserved.
> 
> The error is:
> 
> [2005/09/13 10:15:06, 1] smbd/service.c:make_connection_snum(642) wxp
> (192.168.1.115) connect to service docu initially as user CECOTDM
> +administrador (uid=1, gid=1) (pid 2695)
> [2005/09/13 10:15:06, 0] smbd/posix_acls.c:create_canon_ace_lists(1388)
> create_canon_ace_lists: unable to map SID
> S-1-5-21-1844237615-920026266-725345543-500 to uid or gid.
> 
> Possibly an idea?
How do you expect samba to convert the ACL if there is no SID -> uid/gid
mapping? Apparently the users (i.e. SIDs of DACLs) on your "other
server" are unknown to samba (is it part of a trusted domain?).

hth
 Paul
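
Paul's point, that an ACE can only be converted when its SID maps to a uid or gid, can be checked before a migration by grouping the unmappable SIDs in the smbd log by issuing domain. This is an added example, not part of the thread or of Samba's code; apart from the one SID quoted above, the sample log, the `RESOLVABLE` set and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the smbd log format quoted above. Only the first SID
# comes from the thread; the other two SIDs are made up for illustration.
SAMPLE_LOG = """\
[2005/09/13 10:15:06, 0] smbd/posix_acls.c:create_canon_ace_lists(1388)
  create_canon_ace_lists: unable to map SID
  S-1-5-21-1844237615-920026266-725345543-500 to uid or gid.
[2005/09/13 10:15:07, 0] smbd/posix_acls.c:create_canon_ace_lists(1388)
  create_canon_ace_lists: unable to map SID
  S-1-5-21-1844237615-920026266-725345543-1104 to uid or gid.
[2005/09/13 10:15:09, 0] smbd/posix_acls.c:create_canon_ace_lists(1388)
  create_canon_ace_lists: unable to map SID
  S-1-5-21-1111111111-2222222222-3333333333-513 to uid or gid.
"""
# Assumption: domain SIDs this Samba server can resolve (constructed value).
RESOLVABLE = {"S-1-5-21-1111111111-2222222222-3333333333"}

# RIDs that Windows assigns identically in every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}
UNMAPPED = re.compile(r"unable to map SID (S-1-\d+(?:-\d+)+) to uid or gid")

def split_sid(sid):
    """Return (domain_sid, rid) for S-1-5-21-x-y-z-RID, else (sid, None)."""
    parts = sid.split("-")
    if parts[2:4] == ["5", "21"] and len(parts) == 8:
        return "-".join(parts[:-1]), int(parts[-1])
    return sid, None

def unmapped_by_domain(log_text, resolvable_domains):
    """Group the SIDs smbd could not map by the domain that issued them."""
    joined = " ".join(log_text.split())  # log entries wrap across lines
    accounts = defaultdict(set)
    for sid in UNMAPPED.findall(joined):
        domain, rid = split_sid(sid)
        label = ("not domain-relative" if rid is None
                 else WELL_KNOWN_RIDS.get(rid, "domain-specific"))
        accounts[domain].add((rid, label))
    return {dom: {"resolvable": dom in resolvable_domains,
                  "accounts": sorted(found)}
            for dom, found in accounts.items()}

if __name__ == "__main__":
    for dom, info in unmapped_by_domain(SAMPLE_LOG, RESOLVABLE).items():
        cause = ("domain is resolvable, so the gap is in id mapping"
                 if info["resolvable"] else
                 "domain unknown to this server, ACEs cannot be converted")
        print(dom, info["accounts"], "->", cause)
```

RID 500 in an unresolvable domain, as in the quoted log, is that domain's built-in Administrator, so ACEs granting it access are dropped on copy rather than translated.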



Re: FW: [Samba] Roaming profile : taking forever to login /log off

2005-09-15 Thread Lorenzo Cerini

Many thanks, that should really help.
Louis van Belle wrote:



i did it by applying policies at logon.

You can use poledit.exe and the needed templates.
search for samba.adm

or get it from my server at 
http://www.ratio-benelux.nl/sambaldap.rar.gz


all you need is in there.


 


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Natxo Asenjo
Sent: Thursday, 15 September 2005 10:23
To: Lorenzo Cerini
CC: samba@lists.samba.org
Subject: Re: [Samba] Roaming profile : taking forever to login /log off


On 9/15/05, Lorenzo Cerini <[EMAIL PROTECTED]> wrote:

Unluckily, you need to use gpedit.msc on every client.

well, that's why god invented disc-images. Just make an xp installation you 
are happy with, and deploy its image on the rest of workstations :)


regards,
J.I.Asenjo


Re: [Samba] Roaming profile : taking forever to login /log off

2005-09-15 Thread Natxo Asenjo
On 9/15/05, Lorenzo Cerini <[EMAIL PROTECTED]> wrote:
> 
> Unluckily, you need to use gpedit.msc on every client.

well, that's why god invented disc-images. Just make an xp installation you 
are happy with, and deploy its image on the rest of workstations :)

regards,
J.I.Asenjo


Re: [Samba] Roaming profile : taking forever to login /log off

2005-09-15 Thread Lorenzo Cerini

Well, it's possible to store all the profile on the server like happens, e.g.,
in nfs.

On your clients you have the gpedit.msc utility. So
run->gpedit.msc->user_config->administrative_templates->user_profiles

here you can exclude some folder of your roaming to be copied up and down
(something like 'exclude directory from roaming profile', my winxp is in
italian). You can write 'Documents; Personal; Desktop etc'

In this way these folders will be treated as local, and could be different on
every client. But you can map all these ones to a network volume on your samba
server.

Just prepare a small logon.bat with time server sync (it's important), and net
use ... ... to import a network volume (say U:) on your clients.

Now run->regedit->HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Here you can change the displacement of your profile, and change
&USERPROFILE&\Desktop -> U:\user_name\Desktop, or better
you can map U: with a logon.bat.%U script and give a different U: to every user.

Unluckily, you need to use gpedit.msc on every client.
For regedit you can take advantage by using a netlogon\Default User share.

One caveat: do not use your logon drive, or your profile drive for U:, take
another one and put correct permission.
Another one: On windows you can open explorer->Tools->Folder Options->'off-line
files' and you can disable off-line files, in this way, if the client is
well-connected to the lan will use the network files, if not won't. If you
enable off-line files, win will sync everything at login/off losing a lot of time.
I have clients with 1gb or more for documents folder, and this config helps a lot.


L.Cerini




FM wrote:


Hello,
Thank you for your help :-)
Yes some users have > 200 MB profile

Lorenzo Cerini wrote:


Hi,
i had a lot of similar problems in the past now solved,
just i didn't understand if the roaming profile of your client are
actually about 200mb or not.
In one case is possible to manage not to copy all the profile at
every logon/off, instead if the trouble is not
concerning the bigness of roaming profiles i need to know something
more about your lan ( how many clients, how many people, etc..)
L.Cerini








FW: [Samba] XP Profile write ok, no read.

2005-09-15 Thread Louis van Belle
Is there nobody who can help me :-( 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Louis van Belle
Sent: Wednesday, 14 September 2005 17:08
To: samba@lists.samba.org
Subject: [Samba] XP Profile write ok, no read.

Hi,

I still have a problem with samba and profiles.
The profile is correctly written to the profile share.
but when i log on to another computer, logon takes ages..
and i'm unable to do anything, registry is locked for example. 
( see logs below ) 
when i copy the network profile to the local computer there
is no problem. ( because the local profile is used ) 

OS : Linux Kernel 2.6.11  ( custom build )
 Debian Sarge 3.1 (stable) 
 Samba 3.014a-debian
 Ldap  2.2.23-8 ( debian ) 
 smbldap-tools  0.8.7-4  (debian)

i have the nt Usrmgr.exe working, no problems.
i cups with nt point and print setup, no problems.
i have kix logon script working.
i also use nfs without problems
i use acl and ext3 and no problem.
i use policies with folder redirection, no problems.

the starting rights on /home/samba/profiles is 777
user directories are automatically created with 700

my base was the idealx setup. ( but debianized ) 

i have added these reg keys in my computers

[HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon]
"ExcludeProfileDirs"="Temporary Internet Files;History;Temp"

;-
; force Windows XP Professional clients to accept Samba as a PDC

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:
"signsecurechannel"=dword: 

;-
; Do not check for user ownership of Roaming Profile Folders
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:0001


I have  in my smb.conf the following
[profiles]
path = /home/samba/profiles
comment = Profiel omgeving
read only = no
create mask = 0600
directory mask = 0700
browseable = Yes
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"

this in the user/computer samba log : 

[2005/09/14 16:27:53, 2] rpc_parse/parse_prs.c:netsec_decode(1594)
  netsec_decode: FAILED: packet sequence number:
[2005/09/14 16:27:53, 2] lib/util.c:dump_data(1995)
  [000] 3C C7 63 37 99 18 D6 F2   <.c7
[2005/09/14 16:27:53, 2] rpc_parse/parse_prs.c:netsec_decode(1596)
  should be:
[2005/09/14 16:27:53, 2] lib/util.c:dump_data(1995)
  [000] 00 00 00 00 80 00 00 00   
[2005/09/14 16:27:54, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/09/14 16:27:54, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: ms249-wxp-043$
[2005/09/14 16:27:54, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: ehouh
[2005/09/14 16:27:54, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
  init_group_from_ldap: Entry found for group: 2005
[2005/09/14 16:27:54, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
  init_group_from_ldap: Entry found for group: 2017
[2005/09/14 16:27:54, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [ehouh] -> [ehouh] ->
[ehouh] succeeded
[2005/09/14 16:27:55, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain BAZUIN ->
S-1-5-21-1569642236-1413433477-3613035652
[2005/09/14 16:27:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: ehouh
[2005/09/14 16:27:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: ehouh
[2005/09/14 16:27:55, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [ehouh] -> [ehouh] ->
[ehouh] succeeded
[2005/09/14 16:27:55, 2] smbd/utmp.c:sys_utmp_update(419)
  utmp_update: uname:/var/run/utmp wname:/var/log/wtmp
[2005/09/14 16:27:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: ehouh
[2005/09/14 16:27:55, 1] smbd/service.c:make_connection_snum(642)
  ms249-wxp-043 (192.168.249.132) connect to service profiles initially as
user ehouh (uid=2132, gid=513) (pid 13913)

this is in the userenv.log from xp ( sp 2)

USERENV(27c.280) 16:28:16:828 GetUserGuid: Failed to get user guid with
1355.
USERENV(27c.280) 16:28:16:828 GetUserGuid: Failed to get user guid with
1355.
USERENV(27c.280) 16:2