[Samba] security=server comment
Whoops, redo on this one, un-configured webmail client got my email address wrong. Sorry for the dupe.

I was reading posts on the samba list recently and noticed a comment from Volker Lendecke. And as one of the top Samba developers, I'm sure Volker knows.

"For both "security=domain" and "security=ads" it is necessary to join the computer to the domain. security=server is the only possibility to go without that, but please be aware that security=server is really highly deprecated and might have suffered from bit-rot recently.

Volker"

It really didn't strike me at the time, but just tonight as I was in the process of setting up a new server as a new domain controller on a new domain, what are we supposed to use for a Samba primary domain controller if not security=server?

And if Samba as a domain controller is going to be dropped, can you let me know now? Before I get too far into the project and then have to force them to Windows Server.

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Few questions on configuring Samba as a PDC
On Friday 26 September 2008 14:34:31 Jesse Stone wrote:
> Hi David,
>
> I'm not sure about your response but I'll research it shortly.
>
> In regards to John's response, I did change it slightly (I am trying to not
> use root)
> net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins
> net groupmap add ntgroup="Domain Users" unixgroup=domainusers
> net groupmap add ntgroup="Domain Guests" unixgroup=nogroup
> I have then added two people into the domainadmins group (which I created)
> and 1 person into the domainusers group. The users on the domainadmins
> group can connect to the domain (if I use the root user to add them which I
> want to change) but they cannot save their profiles.
>
> I believe this is due to the permissions on the folders:
> rwxrwxr-x 2 root domainusers 4096 2008-09-25 12:43 netlogon
> drwxrwxr-x 3 root domainusers 4096 2008-09-26 01:40 profiles
>
> I could see how it would work if I kept things as they are as domain admins
> would be in the root group and would have access to the folder but since I
> am trying to not use the root group I am at a loss how to set the
> permissions on these folders.
>
> I haven't been able to try the user that is in the domainusers group as
> that user runs Kubuntu and I'm not sure how to add a Linux machine onto the
> domain.
>
> Thanks for both your responses! Again, the main goal is to setup a PDC
> with roaming profiles without the use of the root account or root group.
>
> -Jesse
>
> On Fri, Sep 26, 2008 at 11:18 AM, David Markey <[EMAIL PROTECTED]> wrote:
> > net rpc rights grant SeMachineAccountPrivilege
> >
> > On Fri, Sep 26, 2008 at 7:11 PM, John Drescher <[EMAIL PROTECTED]> wrote:
> >> On Fri, Sep 26, 2008 at 1:59 PM, Jesse Stone <[EMAIL PROTECTED]> wrote:
> >> > Please don't flame me. I did attempt to search before posting this
> >> > question (through Gmail), if there's a better way, please let me know!
> >> >
> >> > I followed this article for implementing a Samba PDC:
> >> > http://www.howtoforge.com/samba_setup_ubuntu_5.10_p4
> >> >
> >> > Question 1) The only account that appears to be able to add an account
> >> > onto the domain is the root account. There must be a way to change that
> >> > to a standard account. I'm using Ubuntu and do not use the root account
> >> > for anything.
> >> >
> >> > I've tried changing "root = Administrator" in /etc/samba/smbusers to
> >> > "otheruser = Administrator" but that doesn't seem to do it.
> >>
> >> Did you do this:
> >> net groupmap modify ntgroup="Domain Admins" unixgroup=root
> >> net groupmap modify ntgroup="Domain Users" unixgroup=users
> >> net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup
> >>
> >> And assign users to the Domain Admins group?
> >>
> >> John

Please refer to chapter 15 of the Samba3-HOWTO available from:
http://www.samba.org/samba/docs/Samba3-HOWTO.pdf

Any user can be granted the right to add users, add machines, or any other
privilege from a Windows client using the "net rpc rights grant" toolset.

Cheers,
John T.
-- 
John H Terpstra
"Don't do as I do; Show me better!" - Anonymous.
Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
On Fri, Sep 26, 2008 at 12:16:22PM -0400, Ryan Steele wrote:
> Some months back, I entertained a conversation with Volker Lendecke,
> Adam Tauno Williams, and Simo Sorce about getting Samba to play nice
> with LDAP's ppolicy overlay. (Thread starts here:
> http://www.mail-archive.com/samba@lists.samba.org/msg92134.html and ends
> here: http://www.mail-archive.com/samba@lists.samba.org/msg92214.html)
> I was wondering if any progress had been made on this front that would
> make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit
> more streamlined? Certainly, there have to be more than a few folks out
> there who would see this as a huge leap for Samba, and give it more of
> an edge in the market?

At least I'm not aware of anything that has been done.

Sorry,

Volker
Re: [Samba] Samba Permissions
On Thu, Sep 25, 2008 at 03:49:44PM -0400, Steve Payne wrote:
> Folks,
>
> We have a sun server that uses samba for our file shares. Our work
> stations are Windows xp and Windows Vista. I have noticed that on vista
> when I store files or create files, the permissions on windows vista
> shows no permissions. What would cause this? Our unix servers are part
> of our windows domain. When you ssh into the UNIX box, it shows that
> everyone has the correct permissions. What would be the cause? Thanks!

Can't tell without looking at debug logs. I'd suggest reporting them to the
people who did the install, or here to the list if that was you :-).

Jeremy.
Re: [Samba] odd mac situation
On Wed, 24 Sep 2008, Mike Eggleston might have said:

> On Wed, 24 Sep 2008, James Peach might have said:
>
> > 2008/9/11 Mike Eggleston <[EMAIL PROTECTED]>:
> > > Morning,
> > >
> > > This is somewhat off topic. I've not thought of a better place to ask
> > > than here.
> > >
> > > I have a user on a Macbook (Mac OS X 10.5, Leopard) with Microsoft Office
> > > 2008 for the mac and Parallels running an image of Microsoft Windows XP
> > > Pro with Microsoft Office 2007. Inside Parallels and XP Pro the user can
> > > open a spreadsheet shared from a Windows Server 2003 box, and yet the
> > > user gets an error (read only, etc) when opening the same spreadsheet
> > > shared from the same server on the pure mac side in Microsoft Office 2008.
> > >
> > > Any idea what might be going on. The user is using a domain account from
> > > a samba PDC (ha, there's the samba reference) and I find no entries in
> > > the Event Viewer on the Windows 2003 server.
> >
> > You should check that the Mac user is getting the authentication they
> > expect. Maybe they accidentally got connected as the guest user? I
> > expect that you could verify this from the Windows server console.
> >
> > --
> > James Peach | [EMAIL PROTECTED]
>
> Great idea and way to test. I'll do that test as soon as the user
> returns from a conference.
>
> Mike

Ok, I applied the combo patch for mac os x 10.5, the user rebooted, and I
checked the user is getting properly authenticated on the windows 2003
server. The user still has the issue of being able to open a file inside
parallels and not able to open that same file (not at the same time, duh)
in mac os x.

What to try next?

Mike
Re: [Samba] Few questions on configuring Samba as a PDC
Hi David,

I'm not sure about your response but I'll research it shortly.

In regards to John's response, I did change it slightly (I am trying to not use root)

net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins
net groupmap add ntgroup="Domain Users" unixgroup=domainusers
net groupmap add ntgroup="Domain Guests" unixgroup=nogroup

I have then added two people into the domainadmins group (which I created) and 1 person into the domainusers group. The users on the domainadmins group can connect to the domain (if I use the root user to add them which I want to change) but they cannot save their profiles.

I believe this is due to the permissions on the folders:

rwxrwxr-x 2 root domainusers 4096 2008-09-25 12:43 netlogon
drwxrwxr-x 3 root domainusers 4096 2008-09-26 01:40 profiles

I could see how it would work if I kept things as they are as domain admins would be in the root group and would have access to the folder but since I am trying to not use the root group I am at a loss how to set the permissions on these folders.

I haven't been able to try the user that is in the domainusers group as that user runs Kubuntu and I'm not sure how to add a Linux machine onto the domain.

Thanks for both your responses! Again, the main goal is to setup a PDC with roaming profiles without the use of the root account or root group.

-Jesse

On Fri, Sep 26, 2008 at 11:18 AM, David Markey <[EMAIL PROTECTED]> wrote:
> net rpc rights grant SeMachineAccountPrivilege
>
> On Fri, Sep 26, 2008 at 7:11 PM, John Drescher <[EMAIL PROTECTED]> wrote:
>
>> On Fri, Sep 26, 2008 at 1:59 PM, Jesse Stone <[EMAIL PROTECTED]> wrote:
>> > Please don't flame me. I did attempt to search before posting this
>> > question (through Gmail), if there's a better way, please let me know!
>> >
>> > I followed this article for implementing a Samba PDC:
>> > http://www.howtoforge.com/samba_setup_ubuntu_5.10_p4
>> >
>> > Question 1) The only account that appears to be able to add an account
>> > onto the domain is the root account. There must be a way to change that
>> > to a standard account. I'm using Ubuntu and do not use the root account
>> > for anything.
>> >
>> > I've tried changing "root = Administrator" in /etc/samba/smbusers to
>> > "otheruser = Administrator" but that doesn't seem to do it.
>> >
>>
>> Did you do this:
>> net groupmap modify ntgroup="Domain Admins" unixgroup=root
>> net groupmap modify ntgroup="Domain Users" unixgroup=users
>> net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup
>>
>> And assign users to the Domain Admins group?
>>
>> John
[Samba] Re: database file and oplocks
Luca Ferrari wrote:
> On Wednesday 24 September 2008 Luca Ferrari's cat, walking on the keyboard,
> wrote:
>> I've tried to use the options sync always and strict sync, but nothing
>> changed. I compiled the 3.2.4 on the linux client machine and mounted the
>> exported file system using cifs, but nothing changed. Still the data on the
>> server is corrupted, as the program cannot get the lock on the files.
>> I've also tried to switch on and off the oplocks, without any difference.
>> In the previous versions of samba (3.0.2) it worked, so I don't understand
>> what could be the different configuration. Anyone has an idea?

Place the following in the global section:

    kernel oplocks = Yes

You shouldn't need it, but it wouldn't hurt. It's only supported on *BSD and
Linux.

Place the following in your share section:

    oplocks = false
    level2 oplocks = false
    veto oplock files = /*.dat/*.DAT/

That above line will prevent oplocks from touching files that match the
pattern. In your case, no oplocks will be granted on *.dat files.
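The share settings from the reply above, checked mechanically (an added example, not part of the original post): this sketch parses a constructed smb.conf and reports, per file, whether a share could still grant an oplock. The share names, paths and function names are hypothetical, and veto matching is approximated with case-sensitive shell-style wildcards on the last path component, which may differ from Samba's own matching on a case-insensitive share.

```python
from fnmatch import fnmatchcase
from posixpath import basename

# Constructed sample smb.conf; share names and paths are hypothetical.
SAMPLE_SMB_CONF = """
[global]
    kernel oplocks = Yes

[data]
    path = /srv/data
    oplocks = false
    level2 oplocks = false
    veto oplock files = /*.dat/*.DAT/

[docs]
    path = /srv/docs
"""

SAMBA_TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}} (names lowercased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def veto_patterns(value):
    """Split a '/'-separated veto list such as /*.dat/*.DAT/ into patterns."""
    return [p for p in value.split("/") if p]

def oplock_state(conf_text, share, filename):
    """Report the oplock settings that apply to one file in one share."""
    sections = parse_smb_conf(conf_text)
    # Share parameters override [global]; Samba's defaults are oplocks = yes,
    # level2 oplocks = yes and an empty veto list.
    params = {**sections.get("global", {}), **sections[share.lower()]}
    oplocks = params.get("oplocks", "yes").lower() in SAMBA_TRUE
    level2 = params.get("level2 oplocks", "yes").lower() in SAMBA_TRUE
    vetoed = any(fnmatchcase(basename(filename), p)
                 for p in veto_patterns(params.get("veto oplock files", "")))
    return {"oplocks": oplocks, "level2": level2, "vetoed": vetoed,
            "may_be_granted": oplocks and not vetoed}

def files_at_risk(conf_text, share, filenames):
    """Return the files on which the share could still grant an oplock."""
    return [f for f in filenames
            if oplock_state(conf_text, share, f)["may_be_granted"]]
```

Running files_at_risk over the names of the database files in each share shows which shares still need the settings from the reply.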
Re: [Samba] Few questions on configuring Samba as a PDC
On Fri, Sep 26, 2008 at 1:59 PM, Jesse Stone <[EMAIL PROTECTED]> wrote:
> Please don't flame me. I did attempt to search before posting this question
> (through Gmail), if there's a better way, please let me know!
>
> I followed this article for implementing a Samba PDC:
> http://www.howtoforge.com/samba_setup_ubuntu_5.10_p4
>
> Question 1) The only account that appears to be able to add an account onto
> the domain is the root account. There must be a way to change that to a
> standard account. I'm using Ubuntu and do not use the root account for
> anything.
>
> I've tried changing "root = Administrator" in /etc/samba/smbusers to
> "otheruser = Administrator" but that doesn't seem to do it.
>

Did you do this:

net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nogroup

And assign users to the Domain Admins group?

John
[Samba] Few questions on configuring Samba as a PDC
Please don't flame me. I did attempt to search before posting this question (through Gmail), if there's a better way, please let me know!

I followed this article for implementing a Samba PDC:
http://www.howtoforge.com/samba_setup_ubuntu_5.10_p4

Question 1) The only account that appears to be able to add an account onto the domain is the root account. There must be a way to change that to a standard account. I'm using Ubuntu and do not use the root account for anything.

I've tried changing "root = Administrator" in /etc/samba/smbusers to "otheruser = Administrator" but that doesn't seem to do it.

Question 2) Per the document above I have made the following permission changes to /home/samba:

rwxrwxr-x 2 root domainusers 4096 2008-09-25 12:43 netlogon
drwxrwxr-x 3 root domainusers 4096 2008-09-26 01:40 profiles

I bet this would work if I added a user as a domainuser but domainadmins cannot store roaming profiles. How can I set it up so that I can have multiple domainadmins and domainusers (and not use root at all)?

Question 3) I have three Linux machines that I would like to connect to the domain. Any good documentation on how to do that? For example, my son is using Kubuntu and I would like him to be a domain user.

Question 4) Using Windows Vista 64bit on an account that is in the domainadmins group, I still get permission denied errors when trying to access certain folders. Should I have full access as a domain administrator?

Question 5) Is there a way to sync the new domain account with the existing account? Currently, when I login to the domain I get a fresh profile and lose all my settings. Due to question 4, I can't even manually migrate the settings from my older profile into the new one.

I'm about to completely redo my smb.conf as I am currently using the one straight from the website above which is older. I'm going to use the current version of smb.conf and just manually adjust what's required. Is there anything else I should look into?

Links to good websites would be great!

Thanks,
Jesse
[Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay
Hey folks,

Some months back, I entertained a conversation with Volker Lendecke, Adam Tauno Williams, and Simo Sorce about getting Samba to play nice with LDAP's ppolicy overlay. (Thread starts here: http://www.mail-archive.com/samba@lists.samba.org/msg92134.html and ends here: http://www.mail-archive.com/samba@lists.samba.org/msg92214.html)

I was wondering if any progress had been made on this front that would make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit more streamlined? Certainly, there have to be more than a few folks out there who would see this as a huge leap for Samba, and give it more of an edge in the market?

Respectfully,
Ryan
[Samba] logon server
Hi everyone!

I am new to this list, so first I want to say hello!

I would like to ask how a Windows XP client decides which server to use as logon server? Now we are using two samba servers in two different subnets. I would like to force clients, from a third subnet, to use the specified server as logon server. We are using one of the samba servers as global wins server.

thanx!
[Samba] W2K8 ADS, sernet pkgs (debian)
Hi All!

I use on my debian stable hosts here only sernet pkgs with samba 3.0.32. It works perfectly with Windows 2008 ADS. On my unstable host I have the 'standard' debian sid pkgs with samba 3.2.3. I have there a problem. It does work 45min - 1h and then I get this error with wbinfo -t:

checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc233)
Could not check secret

I need to rejoin the ADS with net ads join, after that it works the next 45min - 1h. What can be the problem?

I tried to compile the sernet pkgs for debian sid but I always get this error:

Compiling client/smbmount.c
In file included from /usr/include/linux/smb.h:14,
                 from /usr/include/linux/smb_fs.h:12,
                 from client/smbmount.c:25:
/usr/include/linux/time.h:9: error: redefinition of ‘struct timespec’
/usr/include/linux/time.h:15: error: redefinition of ‘struct timeval’
/usr/include/linux/time.h:20: error: redefinition of ‘struct timezone’
/usr/include/linux/time.h:42: error: redefinition of ‘struct itimerspec’
/usr/include/linux/time.h:47: error: redefinition of ‘struct itimerval’
client/smbmount.c: In function ‘init_mount’:
client/smbmount.c:496: warning: the address of ‘options’ will always evaluate as ‘true’
The following command failed:
i486-linux-gnu-gcc -I. -I/usr/src/samba-3.0.32/source -gstabs -Wall -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS -I/usr/src/samba-3.0.32/source -O2 -D_SAMBA_BUILD_=3 -I/usr/src/samba-3.0.32/source/iniparser/src -Iinclude -I./include -I. -I. -I./lib/replace -I./lib/talloc -I./tdb/include -I./libaddns -I./librpc -DHAVE_CONFIG_H -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -DLDAP_DEPRECATED-I/usr/src/samba-3.0.32/source/lib -D_SAMBA_BUILD_=3 -fPIC -c client/smbmount.c -o client/smbmount.o
make[1]: *** [client/smbmount.o] Error 1
make[1]: Leaving directory `/usr/src/samba-3.0.32/source'
make: *** [build-stamp] Error 2
dpkg-buildpackage: failure: debian/rules build gave error exit status 2

(All dependencies are resolved)

What can be the problem here?

Greetz

PS: Sorry for my english!