[Samba] Issues with joining to W2k3 domain

2009-07-30 Thread Paul K
Hi everyone,

I have a gentoo server running samba, winbindd, squid and apache as my main
proxy server.  I have had it authenticating 100% for a few weeks now.
Recently I can no longer join my server to the domain again using the
command "net rpc join -U username%password -S PDC".

The following message is displayed.

[2009/07/31 15:46:10, 0] utils/net_rpc_join.c:net_rpc_join_ok(81)
  net_rpc_join_ok: failed to get schannel session key from server PDC for
domain DOMAINNAME. Error was NT_STATUS_ACCESS_DENIED
Unable to join domain DOMAINNAME.

I opened up my /var/log/samba/log.wb-DOMAINNAME logfile.  Below is the
result:

[2009/07/31 15:46:16, 0] libsmb/credentials.c:creds_client_check(324)
  creds_client_check: credentials check failed.
[2009/07/31 15:46:16, 0]
rpc_client/cli_netlogon.c:rpccli_netlogon_sam_network_$
  rpccli_netlogon_sam_network_logon: credentials chain check failed

The strange thing is:
- According to AD in 2003, the machine has joined (I deleted beforehand).
- I can perform authentication using wbinfo -a -u and -g.  It shows all
information.
One might say that it is working fine..  but I am rather concerned about the
error above.
- If I create a new machine account from AD and assign the computer as a
pre-2000 computer, the "net rpc join" command works perfectly.  However,
because there is no encryption happening between the computer account,
authentication fails with winbindd.

What could be causing this error?  I thought it might be a Microsoft
security update.  I am certain I have not changed any of my configs.  I
thought I would ask in here first.

Any help would be appreciated!

Thanks,

Paul
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] TYPO Samba 3.4.0 docs-xml/manpages3/ldbrename.1.xml

2009-07-30 Thread OPC oota



ldbrename
1

!missing following text! 




Samba
User Commands
3.4

--
--- Oota Toshiya ---  t-oota at dh.jp.nec.com
NEC Computers Software Operations Unit  Shiba,Minato,Tokyo
Open Source Software Platform Development Division  Japan,Earth,Solar system
(samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] TYPO Samba 3.4.0 docs-xml/smbdotconf/security/accessbasedshareenum.xml

2009-07-30 Thread OPC oota
http://www.samba.org/samba/DTD/samba-doc";>
 public
 -surplus
 
 If this parameter is yes for a
service, then the share hosted by the service will only be visible


public is defined in security/guestok.xml.
So, when I run make htmlman3, an error happens.

xsltproc --output output/htmldocs/manpages-3/smb.conf.5.html xslt/html.xsl 
tmp/manpages-3/smb.conf.5.xml
tmp/manpages-3/smb.conf.5.xml:3865: element anchor: validity error : ID PUBLIC 
already defined
public
   ^

--
--- Oota Toshiya ---  t-oota at dh.jp.nec.com
NEC Computers Software Operations Unit  Shiba,Minato,Tokyo
Open Source Software Platform Development Division  Japan,Earth,Solar system
(samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Joining samba domain post heartbeat install

2009-07-30 Thread David Christensen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I successfully setup heartbeat and glusterfs (instead of DRBD) to
provide an HA Samba configuration.  I tested that fail over worked fine
all the existing computers were able to get to their shares and re
authenticate users.

However I discovered that I was not able to join computers to the domain
after the configuration was setup.  The netbios name was changed to
accommodate the new heartbeat VIP and the new VIP is the only address I
have samba bound to.

When I go to add the computer to the domain, type the domain in and
hit enter, I am presented with a login dialog box.  When I enter the
admin and password and hit enter, after a few seconds I get the warning
that a controller for the domain could not be found.

I suspect that there is some caching going on and (maybe) winbind is
using the old info for the PDC and not the new?

Are there any caches I could clear that may fix this?  Am I on the right
track or is there something else I should be looking at?
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkpyc2YACgkQ5B+8XEnAvquLQgCfdpFbxKaXuzKCqFeb/6jf61FF
JpYAoJGJ8V9qlEYaGaX2OT2C/V1OoVxn
=7i/q
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] net ads search.

2009-07-30 Thread John Stile
I am trying to find a way from the command line to search for a users
exchange email address based on the user name.

This exposed my lack of understanding for 'net ads search'

The man page for 'net' in the search section says "Perform a raw LDAP
search on a ADS server and dump the results. The expression is a
standard LDAP search expression, and the attributes are a list of LDAP
fields to show in the results."

So I tried 
  net --user=myuser ads search '(objectClass=user)(email=*)'
which errors:
  search failed: Bad search filter

Can someone offer some advice on:
 a) why is that a bad ldap search filter?
 b) what search would get the Exchange email address for a given user?

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
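
Why the filter above is rejected, shown with an added example that is not from this post or from Samba: RFC 4515 allows exactly one filter at the top level, so two items written side by side, `(objectClass=user)(email=*)`, have to be wrapped in an `(&...)` or `(|...)` list. The checker below reports exactly that, and the builder escapes a user-supplied logon name so it cannot alter the filter structure (LDAP injection). The attribute names `mail`, `proxyAddresses` and `sAMAccountName` are the usual Active Directory ones and are assumptions about the reader's directory; `email` is not an AD attribute, so the posted filter would have matched nothing even once the syntax was fixed.

```python
"""Added example, not from the mailing-list post or from Samba: an RFC 4515
filter checker and a builder that escapes user input.

Assumptions about the reader's directory: the primary SMTP address is in
`mail`, other Exchange addresses in `proxyAddresses`, the logon name in
`sAMAccountName` (the usual Active Directory attribute names).
"""
from typing import Tuple

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _parse_filter(text: str, pos: int) -> int:
    """Parse one filter beginning at text[pos]; return the index just past its ')'.
    Raises ValueError with the reason when the text is not a well-formed filter."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unterminated filter")
    if text[pos] in "&|":                      # filter list: (&(f1)(f2)...) or (|...)
        op, pos, count = text[pos], pos + 1, 0
        while pos < len(text) and text[pos] == "(":
            pos = _parse_filter(text, pos)
            count += 1
        if count == 0:
            raise ValueError(f"'{op}' needs at least one nested filter")
    elif text[pos] == "!":                     # negation: (!(f))
        pos = _parse_filter(text, pos + 1)
    else:                                      # item: attr=value, attr=*, attr~=, attr>=, attr<=
        end = text.find(")", pos)              # a literal ')' in a value must be escaped as \29
        if end == -1:
            raise ValueError("unterminated filter item")
        item = text[pos:end]
        attr, sep, value = item.partition("=")
        attr = attr.rstrip("~<>:")
        if not sep or not attr or not all(c.isalnum() or c in "-.;:" for c in attr):
            raise ValueError(f"bad attribute in item {item!r}")
        if "(" in value:
            raise ValueError(f"unescaped '(' in value of {item!r}")
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1


def check_filter(text: str) -> Tuple[bool, str]:
    """Return (True, 'ok') for one well-formed filter, else (False, reason)."""
    try:
        end = _parse_filter(text, 0)
    except ValueError as exc:
        return False, str(exc)
    if end != len(text):
        return False, (f"trailing data after the first filter: {text[end:]!r}; "
                       "wrap the items in (&...) or (|...)")
    return True, "ok"


def mail_lookup_filter(logon_name: str) -> str:
    """Filter for the mail attributes of one account, logon name escaped."""
    return ("(&(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(logon_name)})(mail=*))")


if __name__ == "__main__":
    for f in ("(objectClass=user)(email=*)",            # the filter from the post
              "(&(objectClass=user)(mail=*))",
              mail_lookup_filter("jdoe"),
              mail_lookup_filter("*)(objectClass=*")):  # injection attempt, neutralised
        print(f"{f}\n    -> {check_filter(f)[1]}")
```

Pass the built filter to `net` as one quoted argument and list the attributes you want after it, e.g. `net --user=myuser ads search '(&(objectClass=user)(sAMAccountName=jdoe))' mail proxyAddresses`. The escaping matters whenever the logon name comes from a form field or a script argument: without it, `*)(objectClass=*` would turn a one-user lookup into a dump of every object the account can read.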


Re: [Samba] Streaming large videos causes server's networking to crash

2009-07-30 Thread Paul Accisano
Well, I figured it out.  Turns out the problem was actually the Linux 
kernel itself.  The bug report is here:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/347711
Just as the comments suggested, changing to the mainline kernel has 
apparently solved the problem.  I've been playing video for 18 hours 
solid now and everything is fine.


Thanks for your assistance guys.
-- Paul A.

Quinn Fissler wrote:

Your "tsk tsk" etc


No - not at all - you inferred that incorrectly. My point was that I'd
not bothered to read your email, so asked you a question I didn't need
to ask.

  


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] anonymous netlogon

2009-07-30 Thread dev_k

Hi,

I am using security = domain as the security mode. I am able to do a net rpc
join, however when trying to access the share I end up with the following error
message in the session log. I was initially using 3.0.24, with which even the
join command gives the same error message; with 3.0.34 the join is successful
but accessing fails.
Our PDC is windows 2003 SP2 and has "restrict anonymous access to named
pipes" policy enabled. If I add netlogon to this policy, accessing the
shares work. However this will not be permitted in PROD environment. 

Thanks for the help

[2009/07/30 10:53:34, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine
.  Error 
was NT_STATUS_ACCESS_DENIED
[2009/07/30 10:53:34, 0]
auth/auth_domain.c:connect_to_domain_password_server(119)
  connect_to_domain_password_server: unable to open the domain client
session to machine . Error was : NT_STATUS_ACCESS_DENIED.


-- 
View this message in context: 
http://www.nabble.com/anonymous-netlogon-tp24741785p24741785.html
Sent from the Samba - General mailing list archive at Nabble.com.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Can't compile 3.4.0 Binary on solarisx86

2009-07-30 Thread SAIKA Iwao

Hello lists

I have tried to compile the 3.4.0 binary on the x86 version of Solaris 10.

I attached first 100 lines of config.log. It shows details of my  
environment.

I think configure works fine.
But after I typed the make command, some errors appeared.

Does anyone have ideas on how to fix these problems? Or does anyone have a
binary compiled on Solaris 10?


SAIKA Iwao

bash-3.00# LD_RUN_PATH=/usr/local/lib gmake
Using CFLAGS = -O2 -pipe -s -I. -I/opt/src/samba/samba-3.4.0/source3 -I/opt/src/samba/samba-3.4.0/source3/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H -I/usr/local/include -D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64 -I/usr/local/include -DLDAP_DEPRECATED -DSUNOS5 -I/opt/src/samba/samba-3.4.0/source3/lib -I.. -I../source4 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3

  PICFLAG= -fPIC
  LIBS   = -lsendfile -lresolv -lrt -lnsl -lsocket -liconv
  LDFLAGS= -pie -L/usr/local/lib -R/usr/local/lib -R/usr/lib -lthread -L./bin -L/usr/local/lib

  DYNEXP =
  LDSHFLAGS  = -G -L/usr/local/lib -R/usr/local/lib -R/usr/lib -lthread -L./bin -L/usr/local/lib

  SHLIBEXT   = so
  SONAMEFLAG = -Wl,-soname=
Linking non-shared library bin/libaddns.a
gmake: rc: Command not found
gmake: [bin/libaddns.a] Error 127 (ignored)
Linking non-shared library bin/libnetapi.a
gmake: rc: Command not found
gmake: [bin/libnetapi.a] Error 127 (ignored)
Linking non-shared library bin/libsmbclient.a
gmake: rc: Command not found
gmake: [bin/libsmbclient.a] Error 127 (ignored)
Linking non-shared library bin/libsmbsharemodes.a
gmake: rc: Command not found
gmake: [bin/libsmbsharemodes.a] Error 127 (ignored)
Linking bin/net
gcc: bin/libnetapi.a: No such file or directory
gmake: *** [bin/net] Error 1

bash-3.00# head -100 config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by Samba configure 3, which was
generated by GNU Autoconf 2.63.  Invocation command line was

  $ ./configure --sysconfdir=/etc/samba/conf --localstatedir=/var/log/samba --with-privatedir=/etc/samba/private --with-lockdir=/var/samba/locks --with-piddir=/var/run --with-configdir=/etc/samba/conf --with-libiconv=/usr/local --with-automount --with-ldap --with-quotas --with-acl-support LDFLAGS=-L/usr/local/lib -L/usr/lib -R/usr/local/lib -R/usr/lib LD_LIBRARY_PATH=/usr/local/lib CPPFLAGS=-I/usr/local/include -I/usr/include


## - ##
## Platform. ##
## - ##

hostname = unknown
uname -m = i86pc
uname -r = 5.10
uname -s = SunOS
uname -v = Generic_139556-08

/usr/bin/uname -p = i386
/bin/uname -X = System = SunOS
Node = unknown
Release = 5.10
KernelID = Generic_139556-08
Machine = i86pc
BusType = 
Serial = 
Users = 
OEM# = 0
Origin# = 1
NumCPU = 4

/bin/arch  = i86pc
/usr/bin/arch -k   = i86pc
/usr/convex/getsysinfo = unknown
/usr/bin/hostinfo  = unknown
/bin/machine   = unknown
/usr/bin/oslevel   = unknown
/bin/universe  = unknown

PATH: /usr/sfw/bin
PATH: /usr/local/bin
PATH: /usr/sbin
PATH: /usr/bin
PATH: /sbin
PATH: /bin


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] krb5 + winbind + ads (back to ads)

2009-07-30 Thread Jeremy Allison
On Wed, Jul 29, 2009 at 10:17:11PM -0300, Herbert G. Fischer wrote:
> Hello again folks,
>
> I give up trying RPC. I'm trying to avoid update samba package of my  
> Ubuntu 9.04 server (amd64) so I decided to try ADS again. This way I'm  
> using the following versions:
>
> krb5-user 1.6.dfsg.4~beta1-5ubuntu2
> samba* 2:3.3.2-1ubuntu3.1
>
> I'm having a problem joining an AD domain. I suspect there is something  
> related to how my company's directory was setup and I can't change that.
>
> Here are the information for the AD:
>
> Realm: WIN-NET.DOMAIN.COM.BR
> DNS Domain: domain.com.br
> Servers: server.domain.com.br, server1.domain.com.br
>
> NOTE: DNS servers are not in the MSDNS server. And there is no DNS  
> domain related to the realm WIN-NET.DOMAIN.COM.BR, only domain.com.br.
>
> Here is my krb5.conf
>
> === 
> 
> [libdefaults]
>   default_realm = WIN-NET.DOMAIN.COM.BR
>
> # The following krb5.conf variables are only for MIT Kerberos.
>   krb4_config = /etc/krb.conf
>   krb4_realms = /etc/krb.realms
>   kdc_timesync = 1
>   ccache_type = 4
>   forwardable = true
>   proxiable = true
>
>   v4_instance_resolve = false
>   v4_name_convert = {
>   host = {
>   rcmd = host
>   ftp = ftp
>   }
>   plain = {
>   something = something-else
>   }
>   }
>   fcc-mit-ticketflags = true
>
> [realms]
>   WIN-NET.DOMAIN.COM.BR = {
>   kdc = server.domain.com.br
>   kdc = server1.domain.com.br
>   default_domain = domain.com.br
>   kpasswd_server = server.domain.com.br
>   admin_server = server.domain.com.br
>   }
>
> [domain_realm]
>   .domain.com.br = WIN-NET.DOMAIN.COM.BR
>   domain.com.br = WIN-NET.DOMAIN.COM.BR
>
> [login]
>   krb4_convert = true
>   krb4_get_tickets = falsea
>
> [logging]
>   default = SYSLOG:err:auth
>
> [appdefaults]
>   pam = {
>   ticket_lifetime = 1d
>   renew_lifetime = 1d
>   forwardable = true
>   proxiable = false
>   retain_after_close = false
>   minimum_uid = 0
>   try_first_pass = true
>   }
> ===
>
> With this I'm able to get a ticket using kinit and see it using klist:
>
> r...@xx:~# kinit user
> Password for u...@win-net.domain.com.br:
> r...@xx:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: u...@win-net.domain.com.br
>
> Valid starting ExpiresService principal
> 07/29/09 22:07:43  07/30/09 08:07:49  
> krbtgt/win-net.domain.com...@win-net.domain.com.br
> renew until 07/30/09 22:07:43
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> ===
>
> And my smb.conf
>
> ===
> [global]
>   # server name
>   server string = %h
>   netbios name = %h
>   dns proxy = no
>   domain master = no
>   local master = no
>   preferred master = no
>   os level = 0
>   
>   # charset options
>   unix charset = ISO-8859-1
>
>   # domain options
>   workgroup = WIN-NET
>   realm = WIN-NET.DOMAIN.COM.BR
>   password server = server.domain.com.br server1.domain.com.br
>   security = ads
>   name resolve order = wins bcast
>   encrypt passwords = true
>   client use spnego = yes
>   client ntlmv2 auth = yes
>   restrict anonymous = 2
>
>   # socket and network options
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   interfaces = eth0
>   bind interfaces only = yes
>
>   # log options
>   log level = 1
>   #tdb:3 winbind:10 auth:3
>   log file = /var/log/samba/log.%m
>   max log size = 1024
>   syslog = 0
>
>   # printer options (disabling)
>   load printers = no
>   printing = bsd
>   printcap name = /dev/null
>   disable spoolss = yes
>
>   # winbind options
>   winbind rpc only = yes
>   winbind use default domain = yes
>   winbind normalize names = yes
>   winbind enum users = no
>   winbind enum groups = no
>   template shell = /bin/bash
>   template homedir = /home/%D/%U
>
>   # id mapping options
>   idmap backend = tdb
>   idmap config WIN-NET : backend = tdb
>   idmap config WIN-NET : range = 5-55000
> === 
> 
>
> However, when I try to join to the ADS I get different errors, depending 
> on the parameters I pass:
>
> r...@xx:~# net ads join -U user
> Enter user's password:
> Failed to join domain: failed to find DC for domain WIN-

Re: [Samba] [SOLVED]Mount errors,....try try again

2009-07-30 Thread Wikked one

Work around maybe.
I created a samba user administrator on the system I wanted to access with a 
mount command.
Which as it turns out is a little different ,you use a cifs mount in the fstab 
with an auth.smb file to specify
username and password.
It seems as though smbfs is no longer supported and you have to use cifs. 


The end result is not ideal BUT the benefit was I found a reliable way to get a 
current version of
Samba on my CentOS server. Thanks for that guys!!


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind and getent

2009-07-30 Thread John Stile
I wonder if that means that you didn't join the domain, or you aren't
joining with a domain admin account, or you aren't performing operations
using the credentials of a domain user.

Check you have the libs.
smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs.

Does /etc/krb5.conf look correct for your domain?

Time must be (i think) within 15 min between kdc and client
net ads info  # Show AD info including time
date  # Check time on local host

Test if the client has been joined to the domain.
net ads testjoin  # Shows join is ok

If you run the following command without specifying a valid domain
'--user=', or the password is incorrect, you will see this:  "...Client
not found in Kerberos database"
net  ads search '(objectCategory=group)'

If you try to run the following command with a valid user, you will see
a huge dump.
net --user=myuser ads search '(objectCategory=group)'

On Thu, 2009-07-30 at 09:26 -0500, Hoover, Tony wrote:
> Have you configured your /etc/krb5.conf file?
> 
>  
> 
> 
> 
> 
> Tony Hoover, Network Administrator
> KSU - Salina, College of Technology and Aviation
> (785) 826-2660
> 
> "Don't Blend in..."
> 
>  
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Gabriel Petrescu
> Sent: Thursday, July 30, 2009 8:39 AM
> To: John Stile
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] winbind and getent
> 
> hi:)
> 
> in my case it's working:
> 
> > wbinfo Shows winbind is doing lookups from ADS
> >  wbinfo -u
> >  wbinfo -g
> >  wbinfo -a mydomain+myuser%mypassword
> 
> and i get an error here:
> 
>  kinit tests
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
> 
> 
> any advice here?
> 
> gabi
> 
> On Wed, Jul 29, 2009 at 6:58 PM, John Stile wrote:
> > On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
> >> Hi Volker,
> >>
> >> Yes  in smb.conf i have:
> >> winbind enum users = Yes
> >> winbind enum groups = Yes
> >
> > getent Shows nsswitch is correct, to resolve ADS users and groups.
> >  getent passwd
> >  getent group
> >
> > wbinfo Shows winbind is doing lookups from ADS
> >  wbinfo -u
> >  wbinfo -g
> >  wbinfo -a mydomain+myuser%mypassword
> >
> > kinit tests if kerberose can authenticate
> >  kinit myuser
> >
> > If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
> > maybe your share should have a line like:
> >  valid users = @"MYDOMAIN+Domain Users"
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
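
Two items on this page lend themselves to a check that can be run before `net ads join`: the realm-versus-DNS-domain split in Herbert Fischer's krb5.conf earlier on this page (realm WIN-NET.DOMAIN.COM.BR, KDCs under domain.com.br, bridged by the [domain_realm] section) and the krb5.conf and clock-skew items in John Stile's checklist above. The following is an added example, not code from the thread, from Samba or from MIT krb5. It parses a krb5.conf, maps each KDC host to a realm in the order MIT krb5 documents for [domain_realm] (exact host entry first, then domain suffixes with a leading dot, then default_realm), compares the result with the smb.conf realm, and reads the clock offset from `net ads info` output. Assumptions: `net ads info` prints a "Server time offset: N" line, the KDC tolerates 300 seconds of skew (MIT's default clockskew), and the sample inputs are constructed from the values posted in the thread.

```python
"""Added example for the krb5.conf and clock-skew checks discussed in the thread.
Not code from the mailing list, from Samba or from MIT krb5.

Assumptions (not stated in the thread): `net ads info` prints a line
"Server time offset: N" (seconds), and the KDC tolerates 300 s of skew,
MIT krb5's default clockskew. Sample inputs are constructed from the values
posted (realm WIN-NET.DOMAIN.COM.BR, KDC hosts under domain.com.br).
"""
from typing import Dict, List

MAX_SKEW_SECONDS = 300


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse krb5.conf into {section: {key: [values...]}}. A `name = {` block
    becomes a nested dict inside the value list. '#' starts a comment."""
    conf: Dict[str, dict] = {}
    stack: List[dict] = []                     # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1].strip().lower(), {})]
            continue
        if not stack:
            raise ValueError(f"entry outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unmatched '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            child: dict = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{'")
    return conf


def host_realm(host: str, domain_realm: Dict[str, list], default_realm: str) -> str:
    """Map a host to a realm: exact host entry, then the longest '.suffix' entry,
    then default_realm (the [domain_realm] order MIT krb5 documents).
    Names compare case-insensitively; a trailing dot on the host is ignored."""
    h = host.rstrip(".").lower()
    table = {k.lower(): v[0] for k, v in domain_realm.items()}
    if h in table:
        return table[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return default_realm


def server_time_offset(net_ads_info: str) -> int:
    """Read the 'Server time offset: N' line from `net ads info` output (assumed format)."""
    for line in net_ads_info.splitlines():
        if line.startswith("Server time offset:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("no 'Server time offset' line in net ads info output")


def preflight(krb5_text: str, smb_realm: str, kdc_hosts: List[str], net_ads_info: str) -> List[str]:
    """Return the problems found; an empty list means the member looks joinable."""
    problems: List[str] = []
    conf = parse_krb5_conf(krb5_text)
    libdefaults = conf.get("libdefaults", {})
    default_realm = libdefaults.get("default_realm", [""])[0]
    if default_realm.upper() != smb_realm.upper():
        problems.append(f"smb.conf realm {smb_realm} differs from krb5.conf default_realm {default_realm!r}")
    if default_realm not in conf.get("realms", {}):
        problems.append(f"[realms] has no entry for {default_realm!r}")
    # With dns_lookup_realm on, unauthenticated DNS TXT records pick the realm for a host.
    if libdefaults.get("dns_lookup_realm", ["false"])[0].lower() not in ("false", "no", "0"):
        problems.append("dns_lookup_realm is enabled; prefer an explicit [domain_realm] mapping")
    for host in kdc_hosts:
        mapped = host_realm(host, conf.get("domain_realm", {}), default_realm)
        if mapped.upper() != smb_realm.upper():
            problems.append(f"{host} maps to realm {mapped}, not {smb_realm}; add a [domain_realm] entry")
    try:
        skew = abs(server_time_offset(net_ads_info))
        if skew > MAX_SKEW_SECONDS:
            problems.append(f"clock skew {skew}s exceeds {MAX_SKEW_SECONDS}s; fix NTP before joining")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample inputs, modelled on the values posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = WIN-NET.DOMAIN.COM.BR
    dns_lookup_realm = false
[realms]
    WIN-NET.DOMAIN.COM.BR = {
        kdc = server.domain.com.br
        kdc = server1.domain.com.br
        admin_server = server.domain.com.br
    }
[domain_realm]
    .domain.com.br = WIN-NET.DOMAIN.COM.BR
    domain.com.br = WIN-NET.DOMAIN.COM.BR
"""
SAMPLE_NET_ADS_INFO = "LDAP server name: server.domain.com.br\nRealm: WIN-NET.DOMAIN.COM.BR\nServer time offset: 2\n"

if __name__ == "__main__":
    found = preflight(SAMPLE_KRB5_CONF, "WIN-NET.DOMAIN.COM.BR",
                      ["server.domain.com.br", "server1.domain.com.br"], SAMPLE_NET_ADS_INFO)
    print("\n".join(found) or "preflight: no problems found")
```

On a real member, feed `preflight()` the contents of /etc/krb5.conf, the `realm` from `testparm -s`, the `password server` or `kdc` hosts, and the captured output of `net ads info`. The point of mapping each KDC host explicitly is the one Herbert's setup illustrates: when the realm name is not the DNS domain, nothing but [domain_realm] (or a DNS lookup that an attacker on the path could answer) tells the library which realm `server.domain.com.br` belongs to, so keep `dns_lookup_realm = false` and write the mapping down.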


Re: [Samba] Minor error in Samba Wiki

2009-07-30 Thread Linux Addict
On Thu, Jul 30, 2009 at 2:17 AM, Karolin Seeger  wrote:

> Hi Miguel,
>
> On Thu, Jul 30, 2009 at 02:09:35AM +0100, Miguel Medalha wrote:
> > This is a very minor error, but if someone wants to correct it...
> >
> > On Samba Wiki page "Release Planning for Samba 3.4"
> >
> > http://wiki.samba.org/index.php/Release_Planning_for_Samba_3.4
> >
> > The release date of Samba 3.4.0, July 3, was a Friday, not a Wednesday as
> > it appears on the page.
>
> fixed, thanks!
>
> I am glad to notice that at least someone is reading these pages! ;-)
>
> Cheers,
> Karolin
>
> --
> Samba   http://www.samba.org
> SerNet  http://www.sernet.de
> sambaXP http://www.sambaxp.org
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

I am reading it too. 9th and 10th hits are mine ;-)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind and getent

2009-07-30 Thread Gabriel Petrescu
yes, and it looks like:

[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
default_realm = MYDOMAIN.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
MYDOMAIN.LOCAL = {
kdc = server.mydomain.local
admin_server = server.mydomain.local
default_domain = MYDOMAIN.LOCAL
}

[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL




On Thu, Jul 30, 2009 at 5:26 PM, Hoover, Tony wrote:
> Have you configured your /etc/krb5.conf file?
>
>
>
>
>
> 
> Tony Hoover, Network Administrator
> KSU - Salina, College of Technology and Aviation
> (785) 826-2660
>
> "Don't Blend in..."
> 
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Gabriel Petrescu
> Sent: Thursday, July 30, 2009 8:39 AM
> To: John Stile
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] winbind and getent
>
> hi:)
>
> in my case it's working:
>
>> wbinfo Shows winbind is doing lookups from ADS
>>  wbinfo -u
>>  wbinfo -g
>>  wbinfo -a mydomain+myuser%mypassword
>
> and i get an error here:
>
>  kinit tests
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
>
> any advice here?
>
> gabi
>
> On Wed, Jul 29, 2009 at 6:58 PM, John Stile wrote:
>> On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
>>> Hi Volker,
>>>
>>> Yes  in smb.conf i have:
>>>         winbind enum users = Yes
>>>         winbind enum groups = Yes
>>
>> getent Shows nsswitch is correct, to resolve ADS users and groups.
>>  getent passwd
>>  getent group
>>
>> wbinfo Shows winbind is doing lookups from ADS
>>  wbinfo -u
>>  wbinfo -g
>>  wbinfo -a mydomain+myuser%mypassword
>>
>> kinit tests if kerberose can authenticate
>>  kinit myuser
>>
>> If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
>> maybe your share should have a line like:
>>  valid users = @"MYDOMAIN+Domain Users"
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind and getent

2009-07-30 Thread Hoover, Tony
Have you configured your /etc/krb5.conf file?

 




Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660

"Don't Blend in..."

 
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Gabriel Petrescu
Sent: Thursday, July 30, 2009 8:39 AM
To: John Stile
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbind and getent

hi:)

in my case it's working:

> wbinfo Shows winbind is doing lookups from ADS
>  wbinfo -u
>  wbinfo -g
>  wbinfo -a mydomain+myuser%mypassword

and i get an error here:

 kinit tests
kinit(v5): Client not found in Kerberos database while getting initial
credentials


any advice here?

gabi

On Wed, Jul 29, 2009 at 6:58 PM, John Stile wrote:
> On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
>> Hi Volker,
>>
>> Yes  in smb.conf i have:
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>
> getent Shows nsswitch is correct, to resolve ADS users and groups.
>  getent passwd
>  getent group
>
> wbinfo Shows winbind is doing lookups from ADS
>  wbinfo -u
>  wbinfo -g
>  wbinfo -a mydomain+myuser%mypassword
>
> kinit tests if kerberose can authenticate
>  kinit myuser
>
> If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
> maybe your share should have a line like:
>  valid users = @"MYDOMAIN+Domain Users"
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] winbind and getent

2009-07-30 Thread Gabriel Petrescu
hi:)

in my case it's working:

> wbinfo Shows winbind is doing lookups from ADS
>  wbinfo -u
>  wbinfo -g
>  wbinfo -a mydomain+myuser%mypassword

and i get an error here:

 kinit tests
kinit(v5): Client not found in Kerberos database while getting initial
credentials


any advice here?

gabi

On Wed, Jul 29, 2009 at 6:58 PM, John Stile wrote:
> On Wed, 2009-07-29 at 22:33 +1000, tsg-samba wrote:
>> Hi Volker,
>>
>> Yes  in smb.conf i have:
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>
> getent Shows nsswitch is correct, to resolve ADS users and groups.
>  getent passwd
>  getent group
>
> wbinfo Shows winbind is doing lookups from ADS
>  wbinfo -u
>  wbinfo -g
>  wbinfo -a mydomain+myuser%mypassword
>
> kinit tests if kerberose can authenticate
>  kinit myuser
>
> If 'wbinfo -g' shows   MYDOMAIN+Domain Users,
> maybe your share should have a line like:
>  valid users = @"MYDOMAIN+Domain Users"
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] New samba server

2009-07-30 Thread sgmayo
Serdge V. Pechenko wrote:
> wrote in a message on Thu, 30 Jul 2009 08:46:50 +0700:
>
>> sgm...@mail.bloomfield.k12.mo.us wrote:
>>> sgm...@mail.bloomfield.k12.mo.us wrote:
 sgm...@mail.bloomfield.k12.mo.us wrote:
> sgm...@mail.bloomfield.k12.mo.us wrote:
>> I did not get this finished last summer, so decided to just wait
and
>> do
>> it this summer.  I have setup my new samba server and was trying to
get
>> some things tweaked to the way that I want them.  I thought that I had
>> asked this before and that I could do it, but it seems that it does
 not >> work.
>> My new server is running as a domain server just like the old.  It has
>> the same domain name and I change the the SID using net setlocalsid
 to >> the same sid number as my old server.  This new server is in a
test
>> environment right now.
>> I was hoping that my old machines could just log into this server
without having to get out of the domain and then rejoin it, but
that
>> does not work.  It tells me that the domain is not there until I
get
 out >> of the old one and then rejoin the new one.  Is that how it
has
 to
>> work?  I was hoping I would not have to do that if I left the
domain
>> name the same and set the SID on the new server.  I just want to make
>> sure I am not missing something before I go around to all 400
computers
>> on campus and have them removed and rejoined to the domain.
> Mr. Terpstra gave me a bit of help.  I had done nothing to set my
domainsid, but after doing the following:
> net getlocalsid
> net getdomainsid
> The values are the same on both the old and the new samba server. This
> new server will take the place of my old one.  Right now it is on a
network with nothing else on it besides one of my old windows
clients.
> If
> I remove one of my old clients from the domain and then re-add it, then
> it
> logs in just fine.  If I take an old client from my current network and
> put it on this new network and try to login to the new samba server
then
> it gives me the typical:
> "Windows cannot connect to the domain either because the domain
controller
> is down or otherwise unavailable, or because your computer account was
> not
> found. Please try again later. If this message continues to appear
contact
> your System Administrator for assistance."
> The name of the Windows machine is business18 so I did an
> 'smbldap-adduser
> -w business18$' to make sure the machine account was added in to the
directory, but the error was the same.  I even changed the uid of
the
> machine account to match the old one in case that was coming into play.
> Here is my samba config in case someone sees something that I don't.
Which is quite possible since I forget more than I learn it seems.
:)
> I'll be reading on the How-To to see if I can pick anything else up.
> [global]
>   workgroup = BES
>   server string = Samba Server Version %v
>   netbios name = SCHOOL
>   interfaces = lo eth0
>   hosts allow = 127. 10.0. 192.168.0. localhost
>   ldap passwd sync = Yes
>   ldap admin dn = cn=Manager,dc=school,dc=bloomfield.k12.mo.us
>   ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
>   ldap group suffix = ou=Groups
>   ldap user suffix = ou=Users
>   ldap machine suffix = ou=Computers
>   ldap idmap suffix = ou=Users
>   add machine script = /usr/sbin/smbldap-useradd -w "%u"
>   add user script = /usr/sbin/smbldap-useradd -m "%u"
>   ldap delete dn = Yes
>   add group script = /usr/sbin/smbldap-groupadd -p "%g"
>   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>   dos charset = 850
>   unix charset = ISO8859-1
>   log file = /var/log/samba/log.%m
>   max log size = 50
>   security = user
>   passdb backend = ldapsam:ldap://127.0.0.1
>   domain master = yes
>   domain logons = yes
>   local master = yes
>   os level = 65
>   preferred master = yes
>   wins support = yes
>   dns proxy = no
>   load printers = yes
>   cups options = raw
> [homes]
>   comment = Home Directories
>   browseable = no
>   writable = yes
> [printers]
>   comment = All Printers
>   path = /var/spool/samba
>   browseable = no
>   guest ok = no
>   writable = no
>   printable = yes
 Well, I am getting ready to take the other server offline and put the
new
 one in place.  I am planning on just removing all my machines from
the
 domain and adding them back in to get everything to work, though I would
 prefer not to do this.
 I am just not sure where else to look.  Thought I would post one last
time.  I figure that most of this comes from me not knowing a lot

[Samba] OpenLDAP compatible AD schema

2009-07-30 Thread Petteri Heinonen

Hello list users,

I've been trying to setup a translucent OpenLDAP proxy to provide access for 
our company's Linux hosts to Active Directory data. Translucent proxy is needed 
as I need to transparently add Linux specific attributes (such as home 
directory, default shell etc) to AD provided data.

However, to accomplish that, I would need an OpenLDAP compatible LDAP schema of 
Active Directory. I noticed that Samba 4 actually has AD schema (files 
MS-AD_Schema_2K8_Attributes.txt and MS-AD_Schema_2K8_Classes.txt), but it is in 
format not understood by OpenLDAP.

Is there OpenLDAP compatible AD schema available anywhere, or could this AD 
schema provided with Samba 4 be somehow converted to be OpenLDAP compatible?

Regards, Petteri Heinonen
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] I got some problem with samba 4 installation

2009-07-30 Thread Mangapuli Roy

hi guys,

I got some problems with the Samba 4 installation. I have finished the
installation.
When I tried to join a client from XP for the first time, I had no problem,
but when I unjoin the client
and then join again, it shows the error message "logon failure: unknown
username or bad password",
while the first time I joined the client there was no problem.
For your notice, I join with user administrator and password 123456.

is there any of you could help me guys
thanks.

Best Regards,

Roy



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Winbind issue connecting to trusted domain controllers

2009-07-30 Thread jrmailgate-samba

>> So, is there a way I can specify that winbind only uses the CSS domain and 
>> does not try and connect to the other trusted domains?
>
> allow trusted domains = no
 
Thanks for the suggestion, but this didn't make a difference.

However, I've managed to find the answer / workaround:

The following needs to be set in smb.conf:

winbind:ignore domains = MAT LPS LAB MMSC GRP IMCR UPGRADE CENTRAL MISE 4THFLOOR AD CSSDEV NAS

In case it's not obvious, the list is the names of all the trusted domains I 
want Winbind to ignore. I did see a patch that performs the inverse of this (so 
you specify the domains you *want* to search) but as this is not part of the 
mainline code I decided to avoid it as I don't want to be maintaining different 
versions.

Thanks

Julian



Re: [Samba] New samba server

2009-07-30 Thread Serdge V. Pechenko
wrote in their message on Thu, 30 Jul 2009 08:46:50 +0700:

sgm...@mail.bloomfield.k12.mo.us wrote:

I did not get this finished last summer, so decided to just wait and do
it this summer.  I have set up my new samba server and was trying to get
some things tweaked to the way that I want them.  I thought that I had
asked this before and that I could do it, but it seems that it does not
work.

My new server is running as a domain server just like the old.  It has
the same domain name and I changed the SID using net setlocalsid to
the same sid number as my old server.  This new server is in a test
environment right now.

I was hoping that my old machines could just log into this server
without having to get out of the domain and then rejoin it, but that
does not work.  It tells me that the domain is not there until I get
out of the old one and then rejoin the new one.  Is that how it has to
work?  I was hoping I would not have to do that if I left the domain
name the same and set the SID on the new server.  I just want to make
sure I am not missing something before I go around to all 400 computers
on campus and have them removed and rejoined to the domain.


Mr. Terpstra gave me a bit of help.  I had done nothing to set my
domainsid, but after doing the following:

net getlocalsid
net getdomainsid

The values are the same on both the old and the new samba server.  This
new server will take the place of my old one.  Right now it is on a
network with nothing else on it besides one of my old windows clients.  If
I remove one of my old clients from the domain and then re-add it, then it
logs in just fine.  If I take an old client from my current network and
put it on this new network and try to login to the new samba server then
it gives me the typical:

"Windows cannot connect to the domain either because the domain controller
is down or otherwise unavailable, or because your computer account was not
found. Please try again later. If this message continues to appear contact
your System Administrator for assistance."

The name of the Windows machine is business18 so I did an 'smbldap-adduser
-w business18$' to make sure the machine account was added in to the
directory, but the error was the same.  I even changed the uid of the
machine account to match the old one in case that was coming into play.

Here is my samba config in case someone sees something that I don't.
Which is quite possible since I forget more than I learn it seems. :)
I'll be reading on the How-To to see if I can pick anything else up.

[global]
workgroup = BES
server string = Samba Server Version %v
netbios name = SCHOOL

interfaces = lo eth0
hosts allow = 127. 10.0. 192.168.0. localhost
ldap passwd sync = Yes
ldap admin dn = cn=Manager,dc=school,dc=bloomfield.k12.mo.us
ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

Dos charset = 850
Unix charset = ISO8859-1


log file = /var/log/samba/log.%m
max log size = 50

security = user
passdb backend = ldapsam:ldap://127.0.0.1

domain master = yes
domain logons = yes

local master = yes
os level = 65
preferred master = yes

wins support = yes
dns proxy = no

load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes



Well, I am getting ready to take the other server offline and put the new
one in place.  I am planning on just removing all my machines from the
domain and adding them back in to get everything to work, though I would
prefer not to do this.

I am just not sure where else to look.  Thought I would post one last
time.  I figure that most of this comes from me not knowing a lot about
ldap and how samba interacts with it.  I am still learning.

The passwords on the new server are different than the old.  Does that
have any effect on it?  Do the passwords have to be the same when it comes
to the new machine being added in?  I

[Samba] [SOLVE] Batch computer account creation

2009-07-30 Thread Thomas Sondag
I found the solution by setting userAccountControl to "4096" (the
samba net ads join sets this value to "69632" and I think that's
incorrect).

If somebody is interested:


#! /usr/bin/perl
# Creates a computer account in AD over LDAP with userAccountControl 4096
# (WORKSTATION_TRUST_ACCOUNT), then reads the new entry back.

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Entry;

my $base_dn = "DC=my,DC=domain";
my $computer_name = "host02";
my $computer_branche = "OU=Workstations";
my $computer_dn = "CN=$computer_name,$computer_branche,$base_dn";
my $domain = "my.domain";

my $ldap = Net::LDAP->new( 'ldap://epluxsdc01' ) or die "$@";

# Bind as an account that may create computer objects in the target OU
my $mesg = $ldap->bind( "CN=Administrator,CN=Users,$base_dn", password => "password" );
$mesg->code && die $mesg->error;

my $entry = Net::LDAP::Entry->new;
$entry->dn($computer_dn);
$entry->add(
  objectClass => [ qw(top person organizationalPerson user computer) ],
  cn => $computer_name,
  name => $computer_name,
  dNSHostName => $computer_name . '.ep.parl.union.eu',
  sAMAccountName => uc($computer_name) . '$',
  objectCategory => "CN=Computer,CN=Schema,CN=Configuration,$base_dn",
  operatingSystem => 'EP Linux Desktop LXD',
  operatingSystemVersion => '3',
  mail => 'ispcell-s...@europarl.europa.eu',
  userPrincipalName => 'HOST/' . uc($computer_name) . '@' . uc($domain),
  servicePrincipalName => [
    "HOST/$computer_name.$domain",
    "HOST/$computer_name",
    "CIFS/$computer_name.$domain",
    "CIFS/$computer_name",
    "nfs/$computer_name.$domain",
    "nfs/$computer_name" ],
  userAccountControl => "4096",   # WORKSTATION_TRUST_ACCOUNT
);

$mesg = $entry->update($ldap);   # write the new entry to the directory server
$mesg->code && die $mesg->error;

# Read the entry back; the filter needs its surrounding parentheses
$mesg = $ldap->search(
  base   => $base_dn,
  filter => "(cn=$computer_name)",
);
$mesg->code && die $mesg->error;

foreach my $found ($mesg->entries) {
  foreach my $attr ($found->attributes) {
    my $value = $found->get_value($attr);
    if ($attr eq "objectSid") {
      print "$attr : " . _sid2string($value) . "\n";
    } elsif ($attr eq "objectGUID") {
      # a GUID is not a SID, so show it as hex instead of decoding it as one
      print "$attr : " . unpack("H*", $value) . "\n";
    } else {
      print "$attr : $value\n";
    }
  }
}

# Binary SID -> "S-1-5-21-..." (MS-DTYP 2.4.2.2): revision and sub-authority
# count are single bytes, the 48-bit identifier authority is big-endian and
# each 32-bit sub-authority is little-endian.
sub _sid2string {
  my $sid = shift;
  my ( $sid_rev, $num_auths, $id1, $id2, @ids ) = unpack( "C C n N V*", $sid );
  return join( "-", "S", $sid_rev, ( $id1 << 32 ) + $id2, @ids );
}

# "S-1-5-21-..." -> binary SID (inverse of _sid2string)
sub _string2sid {
  my $string = shift;
  my ( $prefix, $sid_rev, $auth, @ids ) = split( /-/, $string );
  die "bad string: $string" unless defined $auth && $prefix eq 'S' && @ids;
  my $sid = pack( "C C n N", $sid_rev, scalar(@ids), $auth >> 32, $auth & 0xffffffff );
  $sid .= pack( "V*", @ids );
  return $sid;
}
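An added example, not from Thomas Sondag's post: it decodes the two userAccountControl values mentioned above (4096 and 69632) into their documented flag names and performs the binary/string objectSid conversion that the script's helper subs attempt, with the length and sub-authority count checks a directory tool should make. The SID value is constructed, not taken from any real domain.

```python
import struct

# Documented userAccountControl bits that matter for machine accounts.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def sid_to_string(raw):
    """Binary objectSid -> 'S-1-5-21-...' (layout per MS-DTYP 2.4.2.2)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    rev, count = raw[0], raw[1]
    # 48-bit identifier authority is big-endian; sub-authorities are little-endian
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])


def string_to_sid(text):
    """'S-1-5-21-...' -> binary objectSid; rejects malformed input."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("bad SID string: " + text)
    rev, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if rev != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("bad SID string: " + text)
    return (bytes([rev, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed sample SID (domain SID plus one RID), not a real one.
CONSTRUCTED_SID = "S-1-5-21-1004336348-1177238915-682003330-1108"

if __name__ == "__main__":
    for v in (4096, 69632):
        print(v, decode_uac(v))
    raw = string_to_sid(CONSTRUCTED_SID)
    print(raw.hex(), sid_to_string(raw))
```

Decoding 69632 shows it is 4096 with DONT_EXPIRE_PASSWORD added, which is the difference between the two values discussed in the post.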