[Samba] Samba4, file permissions not respected

2010-09-09 Thread Philip M. White
Hi, all,

I run the latest Samba4 with Windows 7 clients.

I have a share that I created in smb.conf like so:
[common]
   path = /home/pmw/installed/samba/common-share
   csc policy = manual
   read only = no

Within it, I created a file using a regular user.  That file has
fine-looking security: that user has full permissions, Everyone has
read-only permissions.

'getfattr' on that file results in this:
user.DosAttrib=0sAQABACAEAgB0zSuiUMsBAHTNK6JQywE=

However, another user is able to modify that file -- but not delete it.
When that other user tries to delete that file, Samba says:
../ntvfs/posix/pvfs_acl.c:567 denied access to 
'/home/pmw/installed/samba/common-share/philip-file.txt' - wanted 0x0100 
but got 0x001201ff (missing 0x0100)

...but no such message appears when the other user changes the file.

Right now, it appears that Samba does not respect Windows' ACLs.

I'd like only the originating user to have write access to that file.
Am I doing something wrong?

-- 
Philip
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
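The "wanted 0x0100 but got 0x001201ff" numbers in that pvfs_acl.c line are Windows ACCESS_MASK values in hex. The decoder below is an added example, not code from the post or from Samba: it parses a denial line of that shape, names every bit in the requested and granted masks using the standard file-specific, standard and generic right values, and computes which requested bits the granted mask lacks. The post's own line is embedded as the sample input, re-joined onto one line.

```python
"""Decode the access masks in Samba's "denied access ... wanted X but got Y" log line.

Added example; not code from the mailing-list post or from Samba. The bit names
are the standard Windows ACCESS_MASK values (file-specific rights plus the
standard and generic rights); the regex is written against the wording of the
line quoted in the post.
"""
import re

ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

DENIED_RE = re.compile(
    r"denied access to '(?P<path>[^']*)'\s+-\s+wanted\s+(?P<wanted>0x[0-9a-fA-F]+)"
    r"\s+but got\s+(?P<got>0x[0-9a-fA-F]+)"
)


def decode_mask(mask):
    """Names of the bits set in an ACCESS_MASK, lowest bit first.
    Bits without a known name are reported as hex so nothing is silently dropped."""
    names = []
    for bit in range(32):
        value = 1 << bit
        if mask & value:
            names.append(ACCESS_BITS.get(value, "0x%08x" % value))
    return names


def missing_rights(wanted, granted):
    """Rights the operation asked for that the granted mask does not contain."""
    return wanted & ~granted & 0xFFFFFFFF


def parse_denied_line(line):
    """Parse one pvfs_acl.c denial line into its path and decoded masks.
    Returns None for lines that are not denial messages."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    wanted = int(m.group("wanted"), 16)
    got = int(m.group("got"), 16)
    return {
        "path": m.group("path"),
        "wanted": decode_mask(wanted),
        "granted": decode_mask(got),
        "missing": decode_mask(missing_rights(wanted, got)),
    }


# The denial quoted in the post, re-joined onto one line (the list archive
# wrapped it across three lines).
POST_LINE = (
    "../ntvfs/posix/pvfs_acl.c:567 denied access to "
    "'/home/pmw/installed/samba/common-share/philip-file.txt' - wanted 0x0100 "
    "but got 0x001201ff (missing 0x0100)"
)

if __name__ == "__main__":
    for key, value in parse_denied_line(POST_LINE).items():
        print("%-8s %s" % (key, value))
```

Decoding the post's line shows the granted mask carrying all nine file-specific rights plus READ_CONTROL and SYNCHRONIZE, while DELETE (0x00010000) is not among them; "wanted 0x0100" decodes to FILE_WRITE_ATTRIBUTES alone. The same decoder works on any pair of masks, which is what the test uses it for.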


Re: [Samba] Samba for AD client?

2010-09-09 Thread grant little
On Thu, Sep 9, 2010 at 5:20 PM, Matt Richardson  wrote:

> On 09/05/2010 05:14 PM, Ken D'Ambrosio wrote:
>
>
>> 1) Are there any known issues with BTRFS?
>> 2) Which version of Samba would be most appropriate for this?
>> 3) AD integration: I've never really done it (with success); any pointers?
>>  [I've googled a bit, but bump into a zillion different HOWTO's and/or
>> utilities, some of which seem to be mutually exclusive.)
>>
>>
> Can't help you with 1, but I've got a couple of Samba servers running as
> members in an AD domain: 3.2.5 and 3.4.8.  Both integrated into the domain
> fairly easily.  I have some internal docs that I can post once I clean them
> up.  I haven't done any ACL testing yet because groups have been sufficient.
>
>
>
I also have AD integration working great for samba share login from both
windows and os x using kerberos and remote ldap with ubuntu 10.04 + samba
3.4.7 with windows security groups, it's great. However testing the ACLs
they don't work when set from windows. Setting from linux shows fine in
windows but not other way around. They may work when I get around to adding
a local ldap and an ldapsam backend, time alone will tell.


Re: [Samba] Samba4, DNS, and joining clients

2010-09-09 Thread Philip M. White
On Thu, Sep 09, 2010 at 09:20:38PM +0200, Daniel Müller wrote:
> Did you add a client to your samba ads?
> This must work on the fly. You find the machine name in the ads directory.

I see my clients in the Active Directory Users and Computers within MMC,
if that's what you mean.

I didn't add them manually -- they must've gotten added automatically
upon joining the domain.

Right now I have two computers in that list, but dns_update_list still
hasn't been updated.

Ideas?

-- 
Philip


Re: [Samba] Samba for AD client?

2010-09-09 Thread Matt Richardson

On 09/05/2010 05:14 PM, Ken D'Ambrosio wrote:
> 1) Are there any known issues with BTRFS?
> 2) Which version of Samba would be most appropriate for this?
> 3) AD integration: I've never really done it (with success); any pointers?
>   [I've googled a bit, but bump into a zillion different HOWTO's and/or
> utilities, some of which seem to be mutually exclusive.)

Can't help you with 1, but I've got a couple of Samba servers running as
members in an AD domain: 3.2.5 and 3.4.8.  Both integrated into the
domain fairly easily.  I have some internal docs that I can post once I
clean them up.  I haven't done any ACL testing yet because groups have
been sufficient.


--
Matt Richardson
IT Consultant
College of Arts and Letters
CSU San Bernardino
work: (909)537-7598
fax: (909)537-5926



Re: [Samba] Samba4 and Windows 7 password change

2010-09-09 Thread Daniel Müller
On Thu, 09 Sep 2010 19:22:37 +1000, Andrew Bartlett wrote:
> On Wed, 2010-09-08 at 22:07 -0500, Philip M. White wrote:
>> Hi, all,
>> 
>> With the latest Samba4, I am not able to change a user's password via
>> Windows 7.
>> 
>> I was able to successfully set a password from within RSAT's Users while
>> adding a new user, but that user cannot change his own password.
>> 
>> When I try, Windows 7 tells me that the server rejected the password
Hi in Samba4 you need:

Password Policy Settings!!

Along with Samba4 the Password Policy you can only set from console, with
the 'net pwsettings' command.
net pwsettings --help:

usage: (show | set )

options:
  -h, --help            show this help message and exit
  -H H                  LDB URL for database or target server
  --quiet               Be quiet
  --complexity=COMPLEXITY
                        The password complexity (on | off | default).
                        Default is 'on'
  --history-length=HISTORY_LENGTH
                        The password history length ( | default).
                        Default is 24.
  --min-pwd-length=MIN_PWD_LENGTH
                        The minimum password length ( | default).
                        Default is 7.
  --min-pwd-age=MIN_PWD_AGE
                        The minimum password age ( | default).
                        Default is 1.
  --max-pwd-age=MAX_PWD_AGE
                        The maximum password age ( | default).
                        Default is 43.

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos

  Version Options:
    --version           Display version number

So I set my Password Policy:

net pwsettings set --complexity=off
net pwsettings set --max-pwd-age=60   # <--- 60 Days
net pwsettings set --min-pwd-length=5

net pwsettings show:

net pwsettings show
Password informations for domain 'DC=mydomain,DC=my,DC=dom'

Password complexity: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 1
Maximum password age (days): 60

Then change your passwords in your windows7 client.

Daniel



>> change because the new password doesn't meet the complexity/length
>> requirements.
>> 
>> On Samba's end, I see this:
>> Changing password of PMWWORLD\sue
>> (S-1-5-21-1802782687-180428704-2922416880-1106)
>> kpasswdd: Password must be at least 7 characters long, and cannot match
>> any of your 24 previous passwords
>> 
>> I get this regardless of what password I try.  For the record, I tried
>> Secret$1 and Secret$2, both of which meet the first condition and which
>> I've tried for the first time ever.
>> 
>> Can anyone confirm this behavior?
> 
> That's an odd one. 
> 
> Perhaps it's a minimum password age?
> 
> Andrew Bartlett
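The five settings `net pwsettings show` reports are exactly the checks a domain controller applies to a password change, and the thread's two candidate explanations (complexity/length and minimum age) are both among them. The following is an added example, not code from the thread or from Samba: it parses the `net pwsettings show` output quoted above (embedded as sample input) into a policy and evaluates a proposed change against length, history, minimum age and maximum age. The complexity rule is an assumption modelled on the Active Directory one (three of four character classes, and the account name must not appear in the password); previous passwords are compared in clear only to keep the example self-contained, where a directory would hold hashes.

```python
"""Check a password change against the settings shown by `net pwsettings show`.

Added example; not code from the mailing-list thread or from Samba. The
complexity rule is assumed to follow the Active Directory rule (3 of 4
character classes, account name not contained in the password). Previous
passwords are kept in clear here only for the sake of a self-contained demo.
"""
import re
from datetime import datetime, timedelta

# Output of `net pwsettings show` as quoted in the thread.
SAMPLE_PWSETTINGS = """\
Password informations for domain 'DC=mydomain,DC=my,DC=dom'

Password complexity: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 1
Maximum password age (days): 60
"""

# Output label -> (policy key, value converter)
_FIELDS = {
    "Password complexity": ("complexity", lambda v: v.lower() == "on"),
    "Password history length": ("history_length", int),
    "Minimum password length": ("min_length", int),
    "Minimum password age (days)": ("min_age_days", int),
    "Maximum password age (days)": ("max_age_days", int),
}


def parse_pwsettings(text):
    """Turn `net pwsettings show` output into a policy dict; fail on missing fields."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(?P<label>[^:]+):\s*(?P<value>\S+)\s*$", line)
        if m and m.group("label") in _FIELDS:
            key, conv = _FIELDS[m.group("label")]
            policy[key] = conv(m.group("value"))
    missing = set(k for k, _ in _FIELDS.values()) - set(policy)
    if missing:
        raise ValueError("pwsettings output lacks: %s" % ", ".join(sorted(missing)))
    return policy


def meets_complexity(password, account_name):
    """Assumed AD-style rule: 3 of 4 character classes, account name not contained."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return True


def check_password_change(policy, new_password, account_name,
                          previous_passwords, last_set, now):
    """Return the list of violated rules; an empty list means the change is allowed."""
    problems = []
    if len(new_password) < policy["min_length"]:
        problems.append("too_short")
    if policy["complexity"] and not meets_complexity(new_password, account_name):
        problems.append("complexity")
    # Only the most recent history_length passwords are remembered.
    n = policy["history_length"]
    history = previous_passwords[-n:] if n > 0 else []
    if new_password in history:
        problems.append("in_history")
    # The minimum age blocks any change at all, regardless of the new password.
    if now - last_set < timedelta(days=policy["min_age_days"]):
        problems.append("min_age_not_reached")
    return problems


def password_expired(policy, last_set, now):
    """True once the current password is older than the maximum age."""
    return now - last_set > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    policy = parse_pwsettings(SAMPLE_PWSETTINGS)
    now = datetime(2010, 9, 9, 12, 0, 0)
    print(policy)
    print(check_password_change(policy, "Secret$1", "sue", [], now - timedelta(hours=2), now))
```

Note that a password set by an administrator two hours ago fails with `min_age_not_reached` even when the new password satisfies every other rule, which is the case Andrew's reply asks about; a user-side error message that only talks about length and history does not make that visible.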

[Samba] PCD domain membership (was: winbind authentication trouble)

2010-09-09 Thread Stefan Froehlich
Dale, thanks for your response.

On Thu, Sep 09, 2010 at 12:50:46PM -0500, Dale Schroeder wrote:
> I used the pam settings from this article as a starting point.
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1

I know the mechanics of pam quite well and thus saw that the differences
between my setup and the one of this article are negligible. I kept on
trying, however, and at some point I found out that the error messages
are... misleading: the real problem is on the other end of the line.

I did:

| herkules:~# pdbedit -a -m -u gatekeeper
| Unix username:gatekeeper$
| NT username:  
| Account Flags:[W  ]
| [...]
 
and:
 
| gatekeeper:~# net join member
| Joined domain SYNTH.

On herkules, this is (I assume) confirmed in the server logs:

| secrets_store_schannel_session_info: stored schannel info with key 
SECRETS/SCHANNEL/GATEKEEPER
| _netr_ServerPasswordSet: Server Password Set by remote machine:[GATEKEEPER] 
on account [GATEKEEPER$]

However, as soon as the message "invalid parameter" is generated on
client side, I can see in the server log:

| _netr_LogonSamLogon: creds_server_step failed. Rejecting auth request from 
client GATEKEEPER machine account GATEKEEPER$

The reason for this can easily be googled: "Your machine thinks it is
part of the domain, but your DC/server does not". What I could not find
is: the cause for such a behaviour (several other machines can
authenticate with the same PDC quite well, so I assume the basic
configuration to be fine).

Ciao,
Stefan
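The diagnosis above rests on pairing two log lines from two hosts: the NT_STATUS_INVALID_PARAMETER that pam_winbind reports on the member, and the creds_server_step rejection the PDC logs for that member's machine account. The following is an added example, not code from the thread or from Samba, that does this pairing over constructed copies of the quoted lines (a syslog host name and timestamp were added to the member-side lines so they carry the host they came from). A member whose user login failures coincide with the PDC rejecting its own machine-account credentials is reported, which is the "member believes it is joined, DC disagrees" pattern the thread ends on.

```python
"""Correlate pam_winbind INVALID_PARAMETER failures on a domain member with the
PDC's _netr_LogonSamLogon creds_server_step rejections of that member.

Added example; not code from the mailing-list thread or from Samba. The log
lines are the ones quoted in the thread; the syslog prefix on the member side
is constructed here so the member's host name is available.
"""
import re

# Member side (the "gatekeeper" host), constructed syslog prefix + quoted lines.
MEMBER_LOG = """\
Sep  9 12:01:10 gatekeeper sshd[19524]: pam_winbind(sshd:auth): Verify user 'sfroehli'
Sep  9 12:01:10 gatekeeper sshd[19524]: pam_winbind(sshd:auth): request failed: Invalid parameter, PAM error was System error (4), NT error was NT_STATUS_INVALID_PARAMETER
Sep  9 12:01:10 gatekeeper sshd[19524]: Failed password for sfroehli from 192.168.1.245 port 49078 ssh2
"""

# PDC side (the "herkules" host), lines as quoted in the thread, re-joined.
PDC_LOG = """\
secrets_store_schannel_session_info: stored schannel info with key SECRETS/SCHANNEL/GATEKEEPER
_netr_LogonSamLogon: creds_server_step failed. Rejecting auth request from client GATEKEEPER machine account GATEKEEPER$
"""

VERIFY_RE = re.compile(r"pam_winbind\(\S+\):\s+Verify user '(?P<user>[^']+)'")
MEMBER_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+\S+:\s+pam_winbind\(\S+\):\s+"
    r"request failed:.*NT error was (?P<status>NT_STATUS_\w+)"
)
PDC_RE = re.compile(
    r"_netr_LogonSamLogon: creds_server_step failed\. Rejecting auth request from "
    r"client (?P<client>\S+) machine account (?P<account>\S+\$)"
)


def member_failures(text):
    """Map HOST -> [(user, NT status)] for failed pam_winbind requests.
    pam_winbind logs 'Verify user' before the failure, so the user is carried over."""
    failures = {}
    pending_user = None
    for line in text.splitlines():
        v = VERIFY_RE.search(line)
        if v:
            pending_user = v.group("user")
            continue
        m = MEMBER_RE.search(line)
        if m:
            host = m.group("host").upper()
            failures.setdefault(host, []).append((pending_user, m.group("status")))
            pending_user = None
    return failures


def pdc_rejections(text):
    """Map CLIENT -> count of creds_server_step rejections of its own machine account."""
    counts = {}
    for line in text.splitlines():
        m = PDC_RE.search(line)
        if m and m.group("account").upper() == m.group("client").upper() + "$":
            client = m.group("client").upper()
            counts[client] = counts.get(client, 0) + 1
    return counts


def broken_trust_candidates(member_text, pdc_text):
    """Members whose INVALID_PARAMETER login failures coincide with the PDC
    rejecting their machine-account credentials.
    Returns {HOST: {"users": [...], "rejections": n}}."""
    members = member_failures(member_text)
    pdc = pdc_rejections(pdc_text)
    out = {}
    for host, fails in members.items():
        users = sorted({u for u, status in fails
                        if u and status == "NT_STATUS_INVALID_PARAMETER"})
        if users and host in pdc:
            out[host] = {"users": users, "rejections": pdc[host]}
    return out


if __name__ == "__main__":
    print(broken_trust_candidates(MEMBER_LOG, PDC_LOG))
```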


Re: [Samba] winbind and pptpd authentication failure [SOLVED]

2010-09-09 Thread John Anderson

On 09/09/10 16:24, Guenther Deschner wrote:
> On Thu, Sep 09, 2010 at 11:12:52PM +1000, Andrew Bartlett wrote:
>> On Thu, 2010-09-09 at 14:33 +0200, John Anderson wrote:
>>> On 09/09/10 13:57, Andrew Bartlett wrote:
>>>> On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
>>>>> I have a linux firewall using winbind to authenticate users coming in
>>>>> with PPTP. It all seemed to work OK at first. After a while I noticed
>>>>> that authentication was denied to users who had previously (as in less
>>>>> than a day) authenticated successfully. After a day or so of fighting
>>>>> with this setup, I found that restarting winbindd will allow users to
>>>>> authenticate successfully again. This happens with both the built-in
>>>>> windows PPTP VPN client, and pppd as a client under linux.
>>>>>
>>>>> What happens is:
>>>>>
>>>>> - restart winbind
>>>>> - authenticate a user
>>>>> - close pptp connection
>>>>> - a few minutes (seems like around 10) after a first (or several)
>>>>> successful authentication, I get the following ppp trace on the client side:
>>>>>
>>>>> rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name =
>>>>> "pptpd"]
>>>>> sent [CHAP Response id=0x8b
>>>>> <95c9d3a1061299d9ca4874659c37f172161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
>>>>> name = "x"]
>>>>> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
>>>>> M=Access granted"]
>>>>> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
>>>>> F8673CADD4286B742EF0C39036393650701D0A60
>>>>> MS-CHAPv2 mutual authentication failed.
>>>>> CHAP authentication failed
>>>>> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
>>>>>
>>>>> In other words, the ntlm-auth helper and AD server says OK, but the
>>>>> hashes aren't equal, which causes ppp to say "mutual authentication
>>>>> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
>>>>> hashes.
>>>>>
>>>>> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
>>>>> (tried all of them) on a x86_64 gentoo box.
>>>>
>>>> Try with the latest GIT tree.  We finally fixed a bug which caused this
>>>> kind of breakage.  (We returned the wrong session key, which is why the
>>>> server thinks this is OK, but the client isn't impressed).
>>>
>>> Thanks for your reply.
>>>
>>> I have to get this onto a box on the other end of a 512kbps line with a
>>> bandwidth cap, so I'd prefer not to clone the entire repository. Would
>>> the v3-6-stable head have the fix?
>>
>> I would have said that v3-6-test should have it.  I don't know about
>> v3-6-stable, sorry.
>
> all branches have the fix now, you could also individually apply the fix
> mentioned in https://bugzilla.samba.org/show_bug.cgi?id=7568.

Sheesh. I spent two days asking google for help on this issue and I
never found that bug report. Oh right. That's because I was looking for
"MS-CHAPv2 mutual authentication failed". Which isn't in that bug report
because it's coming from a different perspective.

> We got reports that this resolves exactly that issue.

I installed v3-6-stable (I think that's the same as 3.6.0pre1 right
now), and I'm able to successfully authenticate repeatedly, beyond the
10 minutes which seemed to be the point where it stopped working
previously. So here's another report that it resolves the issue.

bye
John


Re: [Samba] winbind authentication trouble

2010-09-09 Thread Dale Schroeder

 Stefan,

I used the pam settings from this article as a starting point.
http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1

It places the directives in the login file instead of common-auth.  Otherwise, the basic
differences are that I have "sufficient" on both; the order is reversed; and the
use_first_pass option is applied to pam_unix.so.

Adapt as necessary for your environment.

Dale


On 09/09/2010 9:22 AM, Stefan Froehlich wrote:
> A Debian/Lenny-Server is connected to a PDC (using samba) and tries to
> authenticate logins via pam_winbind. User mapping and everything else
> needed works fine (i.e. especially getent shows all the accounts),
> however remote logins of domain users fail. I have:
>
> | gatekeeper:~# cat /etc/pam.d/common-auth
> | [...]
> | auth    sufficient  pam_unix.so nullok_secure
> | auth    required    pam_winbind.so debug use_first_pass
>
> and (limited to the winbind-relevant entries) in the smb.conf:
>
> | workgroup = [...]
> | netbios name = [...]
> | os level = 0
> | preferred master = no
> | domain master = no
> | local master = no
> | security = domain
> | wins support = no
> | wins server = [...]
> | password server = [...]
> | passdb backend = tdbsam
> | obey pam restrictions = yes
> | idmap uid = 1-2
> | idmap gid = 1-2
> | template shell = /bin/bash
> | winbind enum groups = yes
> | winbind enum users = yes
> | winbind use default domain = yes
>
> and if someone tries to login, I get:
>
> | [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] ENTER:
> pam_sm_authenticate (flags: 0x0001)
> | [...] sshd[19524]: pam_winbind(sshd:auth): getting password (0x0011)
> | [...] sshd[19524]: pam_winbind(sshd:auth): pam_get_item returned a password
> | [...] sshd[19524]: pam_winbind(sshd:auth): Verify user 'sfroehli'
> | [...] sshd[19524]: pam_winbind(sshd:auth): request failed: Invalid parameter,
> PAM error was System error (4), NT error was NT_STATUS_INVALID_PARAMETER
> | [...] sshd[19524]: pam_winbind(sshd:auth): internal module error (retval = 4,
> user = 'sfroehli')
> | [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] LEAVE:
> pam_sm_authenticate returning 4
> | [...] sshd[19524]: Failed password for sfroehli from 192.168.1.245 port 49078
> ssh2
>
> Sounds to me like "almost working, but not quite". Looking for a solution on
> the net only brought up an IRC-log of the samba developers which is not really
> enlightening to me (plus a german clone of this posting sent by me a few days
> ago).
>
> The problem is, I do not even know where to start looking for an error (which I
> assume had been made by me at some place, as this is not such an uncommon
> setting).
>
> Any ideas?
>
> Ciao,
> Stefan



Re: [Samba] Samba Windows 7 and logon scripts

2010-09-09 Thread c grassu
You can try this. It works for me on vista and win7:

net use m: /HOME


On Thu, Sep 9, 2010 at 12:04 PM, Tony Molloy  wrote:
>
> Hi,
>
> I'm trying to get Windows 7 to run a logon script which mounts a share at
> login. This works fine for Windows XP
>
> In my smb.conf I have the following
>
>        logon script = %G.cmd
>        logon path = \\%L\profiles\%U
>        logon drive = H:
>        logon home = \\YOUNGMUNSTER\homes
>
> The script is
>
>        @echo
>        @echo            Setting System Policies:  Please Wait.
>        @echo off
>        NET TIME \\janus /SET /YES > X
>        net use M: \\youngmunster\ug2010 /persistent:no > X
>        del X
>
>
> The homes share works fine but the logon script does not seem to be executed.
> Any ideas how to get this working.
>
> Thanks
>
> Tony
>


[Samba] winbind authentication trouble

2010-09-09 Thread Stefan Froehlich
A Debian/Lenny-Server is connected to a PDC (using samba) and tries to
authenticate logins via pam_winbind. User mapping and everything else
needed works fine (i.e. especially getent shows all the accounts),
however remote logins of domain users fail. I have:

| gatekeeper:~# cat /etc/pam.d/common-auth
| [...]
| auth    sufficient  pam_unix.so nullok_secure
| auth    required    pam_winbind.so debug use_first_pass

and (limited to the winbind-relevant entries) in the smb.conf:

| workgroup = [...]
| netbios name = [...]
| os level = 0
| preferred master = no
| domain master = no
| local master = no
| security = domain
| wins support = no
| wins server = [...]
| password server = [...]
| passdb backend = tdbsam
| obey pam restrictions = yes
| idmap uid = 1-2
| idmap gid = 1-2
| template shell = /bin/bash
| winbind enum groups = yes
| winbind enum users = yes
| winbind use default domain = yes


and if someone tries to login, I get:

| [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] ENTER: 
pam_sm_authenticate (flags: 0x0001)
| [...] sshd[19524]: pam_winbind(sshd:auth): getting password (0x0011)
| [...] sshd[19524]: pam_winbind(sshd:auth): pam_get_item returned a password
| [...] sshd[19524]: pam_winbind(sshd:auth): Verify user 'sfroehli'
| [...] sshd[19524]: pam_winbind(sshd:auth): request failed: Invalid parameter, 
PAM error was System error (4), NT error was NT_STATUS_INVALID_PARAMETER
| [...] sshd[19524]: pam_winbind(sshd:auth): internal module error (retval = 4, 
user = 'sfroehli')
| [...] sshd[19524]: pam_winbind(sshd:auth): [pamh: 0x7f4a5dd15040] LEAVE: 
pam_sm_authenticate returning 4
| [...] sshd[19524]: Failed password for sfroehli from 192.168.1.245 port 49078 
ssh2

Sounds to me like "almost working, but not quite". Looking for a solution on
the net only brought up an IRC-log of the samba developers which is not really
enlightening to me (plus a german clone of this posting sent by me a few days
ago).

The problem is, I do not even know where to start looking for an error (which I
assume had been made by me at some place, as this is not such an uncommon
setting).

Any ideas?

Ciao,
Stefan


Re: [Samba] winbind and pptpd authentication failure

2010-09-09 Thread Guenther Deschner
On Thu, Sep 09, 2010 at 11:12:52PM +1000, Andrew Bartlett wrote:
> On Thu, 2010-09-09 at 14:33 +0200, John Anderson wrote:
> > On 09/09/10 13:57, Andrew Bartlett wrote:
> > > On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
> > >> I have a linux firewall using winbind to authenticate users coming in
> > >> with PPTP. It all seemed to work OK at first. After a while I noticed
> > >> that authentication was denied to users who had previously (as in less
> > >> than a day) authenticated successfully. After a day or so of fighting
> > >> with this setup, I found that restarting winbindd will allow users to
> > >> authenticate successfully again. This happens with both the built-in
> > >> windows PPTP VPN client, and pppd as a client under linux.
> > >>
> > >> What happens is:
> > >>
> > >> - restart winbind
> > >> - authenticate a user
> > >> - close pptp connection
> > >> - a few minutes (seems like around 10) after a first (or several)
> > >> successful authentication, I get the following ppp trace on the client 
> > >> side:
> > >>
> > >> rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name =
> > >> "pptpd"]
> > >> sent [CHAP Response id=0x8b
> > >> <95c9d3a1061299d9ca4874659c37f172161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
> > >> name = "x"]
> > >> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
> > >> M=Access granted"]
> > >> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
> > >> F8673CADD4286B742EF0C39036393650701D0A60
> > >> MS-CHAPv2 mutual authentication failed.
> > >> CHAP authentication failed
> > >> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
> > >>
> > >> In other words, the ntlm-auth helper and AD server says OK, but the
> > >> hashes aren't equal, which causes ppp to say "mutual authentication
> > >> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
> > >> hashes.
> > >
> > >> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
> > >> (tried all of them) on a x86_64 gentoo box.
> > >
> > > Try with the latest GIT tree.  We finally fixed a bug which caused this
> > > kind of breakage.  (We returned the wrong session key, which is why the
> > > server thinks this is OK, but the client isn't impressed).
> > 
> > Thanks for your reply.
> > 
> > I have to get this onto a box on the other end of a 512kbps line with a 
> > bandwidth cap, so I'd prefer not to clone the entire repository. Would 
> > the v3-6-stable head have the fix?
> 
> I would have said that v3-6-test should have it.  I don't know about
> v3-6-stable, sorry.

all branches have the fix now, you could also individually apply the fix
mentioned in https://bugzilla.samba.org/show_bug.cgi?id=7568.

We got reports that this resolves exactly that issue.

Thanks,
Guenther


-- 
Günther DeschnerGPG-ID: 8EE11688
Red Hat gdesch...@redhat.com
Samba Team  g...@samba.org



Re: [Samba] samba-3.5.4: compilation fails on RHAS5U5

2010-09-09 Thread Werner Maes
hello
I managed to compile:

I had to add some lines to the spec file:

--with-cifsumount \

/usr/share/locale/de/LC_MESSAGES/net.mo
%{_includedir}/wbc_async.h
%{_mandir}/man5/pam_winbind.conf.5*

werner

> -Original Message-
> From: Nico Kadel-Garcia [mailto:nka...@gmail.com]
> Sent: vrijdag 3 september 2010 23:23
> To: Werner Maes
> Subject: Re: [Samba] samba-3.5.4: compilation fails on RHAS5U5
> 
> On Fri, Sep 3, 2010 at 9:07 AM, Werner Maes
>  wrote:
> > thank you but apparently these rpms are not based on the spec file
> given by samba for rhel (but on same spec file from suse).
> > e.g.: there is a rpm called samba-cifsmount which is not part of the
> spec file.
> >
> > my question remains: why does the spec file provided does not
> compile?
> >
> > kind regards
> >
> > werner
> 
> It's confusing, I admit. The author of that RPM is compiling in his
> personal build environment, not using "mock", which apparently works
> for him. I've sent him some updates for his .spec file to improve RHEL
> compatibility, which he's incorporated, but it could use some
> refinement.
> 
> The tarball .spec file is seriously out of date, which is why it
> doesn't work. No one's pushed a more recent one into the source tree,
> not even people like me.


Re: [Samba] winbind and pptpd authentication failure

2010-09-09 Thread Andrew Bartlett
On Thu, 2010-09-09 at 14:33 +0200, John Anderson wrote:
> On 09/09/10 13:57, Andrew Bartlett wrote:
> > On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
> >> I have a linux firewall using winbind to authenticate users coming in
> >> with PPTP. It all seemed to work OK at first. After a while I noticed
> >> that authentication was denied to users who had previously (as in less
> >> than a day) authenticated successfully. After a day or so of fighting
> >> with this setup, I found that restarting winbindd will allow users to
> >> authenticate successfully again. This happens with both the built-in
> >> windows PPTP VPN client, and pppd as a client under linux.
> >>
> >> What happens is:
> >>
> >> - restart winbind
> >> - authenticate a user
> >> - close pptp connection
> >> - a few minutes (seems like around 10) after a first (or several)
> >> successful authentication, I get the following ppp trace on the client 
> >> side:
> >>
> >> rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name =
> >> "pptpd"]
> >> sent [CHAP Response id=0x8b
> >> <95c9d3a1061299d9ca4874659c37f172161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
> >> name = "x"]
> >> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
> >> M=Access granted"]
> >> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
> >> F8673CADD4286B742EF0C39036393650701D0A60
> >> MS-CHAPv2 mutual authentication failed.
> >> CHAP authentication failed
> >> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
> >>
> >> In other words, the ntlm-auth helper and AD server says OK, but the
> >> hashes aren't equal, which causes ppp to say "mutual authentication
> >> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
> >> hashes.
> >
> >> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
> >> (tried all of them) on a x86_64 gentoo box.
> >
> > Try with the latest GIT tree.  We finally fixed a bug which caused this
> > kind of breakage.  (We returned the wrong session key, which is why the
> > server thinks this is OK, but the client isn't impressed).
> 
> Thanks for your reply.
> 
> I have to get this onto a box on the other end of a 512kbps line with a 
> bandwidth cap, so I'd prefer not to clone the entire repository. Would 
> the v3-6-stable head have the fix?

I would have said that v3-6-test should have it.  I don't know about
v3-6-stable, sorry.

Andrew Bartlett

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.



Re: [Samba] winbind and pptpd authentication failure

2010-09-09 Thread John Anderson

On 09/09/10 13:57, Andrew Bartlett wrote:
> On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
>> I have a linux firewall using winbind to authenticate users coming in
>> with PPTP. It all seemed to work OK at first. After a while I noticed
>> that authentication was denied to users who had previously (as in less
>> than a day) authenticated successfully. After a day or so of fighting
>> with this setup, I found that restarting winbindd will allow users to
>> authenticate successfully again. This happens with both the built-in
>> windows PPTP VPN client, and pppd as a client under linux.
>>
>> What happens is:
>>
>> - restart winbind
>> - authenticate a user
>> - close pptp connection
>> - a few minutes (seems like around 10) after a first (or several)
>> successful authentication, I get the following ppp trace on the client side:
>>
>> rcvd [CHAP Challenge id=0x8b<8b7f80d136cce1a774e888a0d4e83bbc>, name =
>> "pptpd"]
>> sent [CHAP Response id=0x8b
>> <95c9d3a1061299d9ca4874659c37f172161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
>> name = "x"]
>> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF
>> M=Access granted"]
>> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
>> F8673CADD4286B742EF0C39036393650701D0A60
>> MS-CHAPv2 mutual authentication failed.
>> CHAP authentication failed
>> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
>>
>> In other words, the ntlm-auth helper and AD server says OK, but the
>> hashes aren't equal, which causes ppp to say "mutual authentication
>> failed". I hacked the ppp sources (chap_ms.c) gently to output the two
>> hashes.
>>
>> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345]
>> (tried all of them) on a x86_64 gentoo box.
>
> Try with the latest GIT tree.  We finally fixed a bug which caused this
> kind of breakage.  (We returned the wrong session key, which is why the
> server thinks this is OK, but the client isn't impressed).

Thanks for your reply.

I have to get this onto a box on the other end of a 512kbps line with a
bandwidth cap, so I'd prefer not to clone the entire repository. Would
the v3-6-stable head have the fix?

thanks
John


Re: [Samba] winbind and pptpd authentication failure

2010-09-09 Thread Andrew Bartlett
On Tue, 2010-09-07 at 17:35 +0200, John Anderson wrote:
> Hi all
> 
> I'm not sure whether to go to the ppp lists for this, or the samba 
> lists. I thought I'd try here first.
> 
> I have a linux firewall using winbind to authenticate users coming in 
> with PPTP. It all seemed to work OK at first. After a while I noticed 
> that authentication was denied to users who had previously (as in less 
> than a day) authenticated successfully. After a day or so of fighting 
> with this setup, I found that restarting winbindd will allow users to 
> authenticate successfully again. This happens with both the built-in 
> windows PPTP VPN client, and pppd as a client under linux.
> 
> What happens is:
> 
> - restart winbind
> - authenticate a user
> - close pptp connection
> - a few minutes (seems like around 10) after a first (or several) 
> successful authentication, I get the following ppp trace on the client side:
> 
> rcvd [CHAP Challenge id=0x8b <8b7f80d136cce1a774e888a0d4e83bbc>, name = 
> "pptpd"]
> sent [CHAP Response id=0x8b 
> <95c9d3a1061299d9ca4874659c37f172161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>,
>  
> name = "x"]
> rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF 
> M=Access granted"]
> 5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
> F8673CADD4286B742EF0C39036393650701D0A60
> MS-CHAPv2 mutual authentication failed.
> CHAP authentication failed
> sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
> 
> In other words, the ntlm-auth helper and AD server says OK, but the 
> hashes aren't equal, which causes ppp to say "mutual authentication 
> failed". I hacked the ppp sources (chap_ms.c) gently to output the two 
> hashes.

> I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345] 
> (tried all of them) on a x86_64 gentoo box.

Try with the latest GIT tree.  We finally fixed a bug which caused this
kind of breakage.  (We returned the wrong session key, which is why the
server thinks this is OK, but the client isn't impressed). 

Andrew Bartlett

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.



Re: [Samba] Samba4 and Windows 7 password change

2010-09-09 Thread Philip M. White
On Thu, Sep 09, 2010 at 07:22:37PM +1000, Andrew Bartlett wrote:
> Perhaps it's a minimum password age?

Can you tell me how I can check this or change this behavior?

There isn't a group policy that sets a minimum password age, FWIW.

-- 
Philip


Re: [Samba] Samba Windows 7 and logon scripts

2010-09-09 Thread Philip M. White
On Thu, Sep 09, 2010 at 11:04:42AM +0100, Tony Molloy wrote:
> I'm trying to get Windows 7 to run a logon script which mounts a share at 
> login. This works fine for Windows XP

This doesn't address the logon scripts problem, but consider using Group
Policy Preferences to map a drive at login.  It's a cleaner approach
than a logon script.

-- 
Philip


[Samba] winbind and pptpd authentication failure

2010-09-09 Thread John Anderson

Hi all

I'm not sure whether to go to the ppp lists for this, or the samba 
lists. I thought I'd try here first.


I have a linux firewall using winbind to authenticate users coming in 
with PPTP. It all seemed to work OK at first. After a while I noticed 
that authentication was denied to users who had previously (as in less 
than a day) authenticated successfully. After a day or so of fighting 
with this setup, I found that restarting winbindd will allow users to 
authenticate successfully again. This happens with both the built-in 
windows PPTP VPN client, and pppd as a client under linux.


What happens is:

- restart winbind
- authenticate a user
- close pptp connection
- a few minutes (seems like around 10) after a first (or several) 
successful authentication, I get the following ppp trace on the client side:


rcvd [CHAP Challenge id=0x8b <8b7f80d136cce1a774e888a0d4e83bbc>, name = "pptpd"]
sent [CHAP Response id=0x8b <95c9d3a1061299d9ca4874659c37f172161c5daea05d0ded24eaf8ca99f338ab4e8f6491e86cdd4900>, name = "x"]
rcvd [CHAP Success id=0x8b "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted"]

5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted
F8673CADD4286B742EF0C39036393650701D0A60
MS-CHAPv2 mutual authentication failed.
CHAP authentication failed
sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]

In other words, the ntlm-auth helper and AD server say OK, but the 
hashes aren't equal, which causes ppp to say "mutual authentication 
failed". I hacked the ppp sources (chap_ms.c) gently to output the two 
hashes.


Immediately after the pppd authentication failure, wbinfo -a is 
successful with the same username. I also tried


ntlm_auth --username 

which comes back with

NT_STATUS_OK: Success (0x0)

but
ntlm_auth --username x --diagnostics

comes back with (after a bunch of logging info that I won't post yet)

Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)
Wrong Password (0xc06a)

I don't know if that's expected.

Any help diagnosing this much appreciated. I've tried starting winbind 
with the -n switch, and setting winbind cache time = 10 in smb.conf. 
Neither changes the behaviour I've described.


PPTP access works perfectly if I use an identical setup except that I 
store the usernames and passwords in chap-secrets rather than using winbind.


I've been using samba-3.5.4 (and 3.4.6 and 3.4.8) and ppp-2.4.[2345] 
(tried all of them) on an x86_64 gentoo box.


thanks
John
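What the client-side check that fails in John's trace actually computes, as an added example that is not code from the thread, from pppd or from Samba: RFC 2759's GenerateAuthenticatorResponse. Both peers derive the "S=" value from the NT password hash (via its MD4, the password-hash-hash), the server sends its value in the CHAP Success packet, and the client compares it with its own; a server that derives the value from the wrong key, which is what Andrew's reply describes, produces an "S=" string the client rejects as "mutual authentication failed". The MD4 routine is written out because hashlib's md4 is often unavailable on OpenSSL 3 builds. The test vectors are the ones published in RFC 2759 section 9; the CHAP Success line and the second hash are copied from John's pppd trace (the second line being the value the client computed locally).

```python
import hmac
import struct
import hashlib

# Signing constants from RFC 2759 section 8.7 (GenerateAuthenticatorResponse).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), included because hashlib's md4 is often
    unavailable on OpenSSL 3 builds without the legacy provider."""
    mask = 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(v, n):
        return ((v << n) | (v >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)       # bit length, little-endian

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order2 = [(i % 4) * 4 + i // 4 for i in range(16)]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                       # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            a = rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            a = rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """ChallengeHash: first 8 bytes of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("ascii")).digest()[:8]


def generate_authenticator_response(password, nt_response, peer_challenge, authenticator_challenge, username):
    """GenerateAuthenticatorResponse: the 'S=...' proof the server must present.
    It can only be computed from the NT hash (or its MD4), so a server that
    works from the wrong key cannot produce a value the client will accept."""
    password_hash_hash = md4(nt_password_hash(password))
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, authenticator_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def verify_chap_success(chap_success_message: str, expected: str) -> bool:
    """Client-side mutual-authentication check. The CHAP Success message is
    'S=<40 hex digits>' optionally followed by ' M=<text>'; only the S field
    is authenticated, so only that is compared, in constant time."""
    received = chap_success_message[:42]          # "S=" + 40 hex digits
    if not received.startswith("S=") or len(received) != 42:
        return False
    return hmac.compare_digest(received.encode("ascii"), expected.encode("ascii"))


# Test vectors from RFC 2759 section 9.
RFC_USERNAME = "User"
RFC_PASSWORD = "clientPass"
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

# The server's CHAP Success line and the client's own value, copied from John's trace.
POSTED_CHAP_SUCCESS = "S=5DB7336F26A8F34ABA08DCD453760E3808A090FF M=Access granted"
POSTED_CLIENT_VALUE = "S=F8673CADD4286B742EF0C39036393650701D0A60"

if __name__ == "__main__":
    print(generate_authenticator_response(RFC_PASSWORD, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE,
                                          RFC_AUTH_CHALLENGE, RFC_USERNAME))
    print(verify_chap_success(POSTED_CHAP_SUCCESS, POSTED_CLIENT_VALUE))  # False, the thread's failure
```

Run stand-alone it prints the RFC's expected "S=407A5589115FD0D6209F510FE9C04566932CDA56" and then False for the posted pair, which is the comparison pppd is making when it logs "MS-CHAPv2 mutual authentication failed": the server-side "OK" only means the server accepted the client's NT-Response, while the client's acceptance of the server still depends on the server having derived its proof from the right key.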


Re: [Samba] Samba/Winbind issue

2010-09-09 Thread walter.van.der.heijden

Hi,

Yes, I have tried this, but this doesn't work. As far as I know the underscore 
in winbind/samba is used for the space in Active Directory. And if an underscore 
is used in Active Directory, winbind/samba cannot handle this.

 

Kind regards, 

Walter van der Heijden | AIX/RedHat System Specialist

ABN AMRO | I&O /Expertise /Midrange /Unix 

Polanerbaan 11 | 3447 GN  Woerden | Netherlands | W04.00.40 
Tel.: +31 (0) 30 2260597

 

Think of the environment before printing this e-mail

-Original Message-
From: Mark Adams [mailto:m...@campbell-lange.net] 
Sent: Monday, 23 August 2010 18:50
To: Heijden W.A. van der (Walter)
Cc: samba@lists.samba.org; jel...@samba.org
Subject: Re: [Samba] Samba/Winbind issue

Have you tried to escape it with \ ?

On Wed, Aug 11, 2010 at 03:13:49PM +0200, walter.van.der.heij...@nl.abnamro.com 
wrote:
> Hi,
> 
> I have an issue with Samba using winbind. We have Active Directory groups 
> with underscores (for example sambagroup_underscore). But an underscore in 
> Samba (Unix) is a space in Active Directory.
> 
> So my question is what character is used in Samba (Unix) for an underscore in 
> Active Directory? Or are there other solutions to solve this?
> 
> I would be very happy if you can help me!
> 
> 
> Kind regards,
> 
> 
> Walter van der Heijden | AIX/RedHat System Specialist
> ABN AMRO | I&O /Expertise /Midrange /Unix
> Polanerbaan 11 | 3447 GN  Woerden | Netherlands | W04.00.40
> Tel.: +31 (0) 30 2260597
> 
> Think of the environment before printing this e-mail
> 
> 
> 
> 
> * DISCLAIMER *
> 
> This message (including any attachments) is confidential and may be privileged.
> If you have received it by mistake please notify the sender by return e-mail
> and delete this message from your system.
> Any unauthorised use or dissemination of this message in whole or in part is
> strictly prohibited.
> Please note that e-mails are susceptible to change.
> ABN AMRO Bank N.V, which has its seat at Amsterdam, the Netherlands, and is
> registered in the Commercial Register under number 34334259, including its
> group companies, shall not be liable for the improper or incomplete
> transmission of the information contained in this communication nor for any
> delay in its receipt or damage to your system.
> ABN AMRO Bank N.V. (or its group companies) does not guarantee that the
> integrity of this communication has been maintained nor that this
> communication is free of viruses, interceptions or interference.
> - 
> This message (including any attachments) is confidential.
> If you have received this message by mistake, you must notify the sender
> immediately by return e-mail and delete this message from your system.
> Any unauthorised use and/or dissemination of this message is not permitted.
> Please note that e-mail messages may be subject to change.
> ABN AMRO Bank N.V., with its registered office in Amsterdam and registered in
> the Commercial Register of the Chamber of Commerce under number 34334259, and
> its group companies, is not liable for the incorrect or incomplete
> transmission of the information in this message nor for any delay in the
> receipt of this message or damage to your system resulting from this message.
> ABN AMRO Bank N.V. (and its group companies) does not guarantee that the
> integrity of this message has been preserved, nor that this message is free
> of viruses, has not been intercepted or has not been subject to interference
> (by third parties).
> *





[Samba] Samba-winbind 3.5.4 primary group is always domain users!!!???

2010-09-09 Thread Oliver Weinmann
Dear All,

I stumbled over a strange issue today. I have one installation of samba
winbind 3.3.2 on an Ubuntu machine. A change to the primary unix group of a
user is reflected immediately. On a newer samba 3.5.4 installation the
primary group is not updated at all. It always displays "domain users".
Is there a new setting for the smb.conf? Here is my smb.conf:

[global]
netbios name = gedail1
realm = SOMEDOMAIN.NET
workgroup = SOMEDOMAIN
security = ADS
encrypt passwords = true
password server = server1.somedomain.net server2.somedomain.net
os level = 20
idmap backend = ad
idmap config SOMEDOMAIN : backend = ad
idmap config SOMEDOMAIN : schema_mode = sfu
idmap config SOMEDOMAIN : range = 0-
winbind nss info = sfu
winbind enum users = yes
winbind enum groups = yes
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log level = 10
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = no
client use spnego = Yes
use kerberos keytab = true
winbind refresh tickets = yes
idmap cache time = 1
winbind cache time = 1

It's a W2k3 AD Domain.

Regards,
Oliver


[Samba] Samba Windows 7 and logon scripts

2010-09-09 Thread Tony Molloy

Hi,

I'm trying to get Windows 7 to run a logon script which mounts a share at 
login. This works fine for Windows XP.

In my smb.conf I have the following

logon script = %G.cmd
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\YOUNGMUNSTER\homes

The script is

@echo
@echo Setting System Policies:  Please Wait.
@echo off
NET TIME \\janus /SET /YES > X
net use M: \\youngmunster\ug2010 /persistent:no > X
del X


The homes share works fine but the logon script does not seem to be executed.
Any ideas how to get this working?

Thanks

Tony


Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-09 Thread suresh.kandukuru
Allison,
  My question was:
1) We have a share "test", and user admin has RW access and user1 has R-only 
access. From the Windows PC, I have connected to the "test" share as user admin 
and created the subfolder "test_subfolder".
2) On that subfolder, the admin user has given RW access to user user1. Why 
is Samba not preventing this, since user1 has R-only access on that share 
"test"?

Smith explained this in the last mail.

Thanks for asking

Suresh

-Original Message-
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Thursday, September 09, 2010 9:13 AM
To: Kandukuru, Suresh
Cc: smb...@chrissmith.org; samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 08, 2010 at 11:14:40AM -0400, suresh.kanduk...@emc.com wrote:
> Thanks Smith for the quick reply. What I want to know is: can the Samba 
> source code not prevent setting RW access to "test_subfolder" for user1, 
> since he has only read-only access on the share "test"?

The processing of security on shares and security
in the underlying file system are completely separate.

A user who is only granted "read" access on a share
should not be able to change permissions on a directory
inside the share, as this is a write operation on an
underlying directory.

An "admin" user should be able to change such permissions
at will, as they have full root access to the exported
share.

Can you explain a little more clearly what you are trying
to do (sorry, but I've been a little distracted by other
things at the moment) so I can understand if you are describing
a bug or not ?

Thanks,

Jeremy.



Re: [Samba] samba acl - able to change permissions that contradict user security setting

2010-09-09 Thread suresh.kandukuru
Thanks Smith. This explains in detail.

-Suresh

-Original Message-
From: Chris Smith [mailto:smb...@chrissmith.org] 
Sent: Thursday, September 09, 2010 8:19 AM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba acl - able to change permissions that contradict 
user security setting

On Wed, Sep 8, 2010 at 10:04 PM,   wrote:
> it looks like code is not designed like this.
>
> if you don't mind , Can you please explain this ,
>
> --
> - although you would be asking
> it to restrict the admin's rights, which wouldn't be proper behavior.
> Plus it then wouldn't work like a Windows box, which is a primary
> goal.
> 

File level security and share level security are separate - you can
limit what a user can do with either one, or both. Consider one box -
with no remote file sharing, a system (file level security) is needed
to prevent unauthorized access to files and directories for local
users. Consider a box that has no idea of file level security, say pre
Windows NT such as Windows 95 for instance, files are shared via the
network but with an OS that has no concept of file level security
something is needed to prevent unauthorized access - share level
security. AFAIK, the systems are not integrated, work separately and
provide some backward compatibility.

As the admin has full share level RW access to the share, he/she can
surely make changes to the file level security (that is, if it's
allowed by the current file level security) but he's not changing
share level security through this, only file level; so locally the
non-admin user could (presumably) login locally and access those
files, but still be blocked remotely by the share level permissions.
It's the way Windows works (and why Samba does also), plus I'm sure
other network sharing systems, NFS, etc. have similar attributes.

Think of it like trying to gain access to an office in a building. I
can keep you from gaining entry in two ways; one is that I prevent you
from entering the building (share level), or two, I prevent you from
entering the particular office by locking its door (file level). If I
prevent you from entering the building it doesn't matter whether or
not I lock the office door - you cannot get there. If I lock the
office door it doesn't matter if I allow you to enter the building -
either way you are effectively locked out. And just because you are
prevented, in the one case, from entering the building, there is
nothing, nor should there be, to prevent me (the admin) from unlocking
the office door, which would give you access if, and only if, you had
egress into the building - my access is not affected (I can still
unlock the office door), only yours (you still have no access unless I
allow you into the building as well).

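Chris's two-layer model, as an added example that is not Samba's code: a small evaluator in which share permissions and the file-system DACL are checked independently and both must grant, so the admin can legitimately add a RW entry for user1 on the subfolder while user1's remote write is still refused by the share layer (and would succeed for a local logon, exactly as Chris describes). The three rights bits, the names admin and user1, the "Administrators" group and the ACE layout are all assumptions made for the illustration. It goes slightly beyond the thread in applying the ordered deny-before-allow ACE evaluation that Windows uses, which the thread says Samba mirrors.

```python
from dataclasses import dataclass

# Access-mask bits, a small subset of the Windows rights model (assumed for the example).
READ = 0x1
WRITE = 0x2
WRITE_DAC = 0x4   # the right to change an object's permissions


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # a user or group name
    mask: int


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


def dacl_grants(dacl, who, wanted):
    """Walk the ACEs in order, as Windows does: a deny ACE covering any
    still-ungranted wanted bit denies outright; allow ACEs accumulate bits
    until every wanted bit is granted. An empty DACL grants nothing."""
    granted = 0
    for ace in dacl:
        if ace.trustee != who.name and ace.trustee not in who.groups:
            continue
        if ace.kind == "deny" and ace.mask & wanted & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & wanted
            if granted == wanted:
                return True
    return granted == wanted


def remote_access(share_acl, file_dacl, who, wanted):
    """Access over SMB: share permissions and the file-system DACL are
    evaluated separately and both must grant the requested bits."""
    return dacl_grants(share_acl, who, wanted) and dacl_grants(file_dacl, who, wanted)


def local_access(file_dacl, who, wanted):
    """Access from a local logon: only the file-system DACL applies."""
    return dacl_grants(file_dacl, who, wanted)


def change_dacl(share_acl, file_dacl, actor, new_ace):
    """Changing permissions through the share is itself a write on the object:
    the actor needs WRITE_DAC through both layers. Returns the new DACL."""
    if not remote_access(share_acl, file_dacl, actor, WRITE_DAC):
        raise PermissionError(f"{actor.name} may not change permissions here")
    return list(file_dacl) + [new_ace]


def thread_scenario():
    """Constructed to mirror the thread: share 'test' gives admin RW and
    user1 R; admin then grants user1 RW on test_subfolder."""
    admin = Principal("admin", frozenset({"Administrators"}))
    user1 = Principal("user1", frozenset())
    share_test = [Ace("allow", "admin", READ | WRITE | WRITE_DAC),
                  Ace("allow", "user1", READ)]
    subfolder = [Ace("allow", "admin", READ | WRITE | WRITE_DAC)]
    subfolder = change_dacl(share_test, subfolder, admin, Ace("allow", "user1", READ | WRITE))
    return {
        "admin_remote_write": remote_access(share_test, subfolder, admin, WRITE),
        "user1_remote_read": remote_access(share_test, subfolder, user1, READ),
        "user1_remote_write": remote_access(share_test, subfolder, user1, WRITE),
        "user1_local_write": local_access(subfolder, user1, WRITE),
        "user1_remote_write_dac": remote_access(share_test, subfolder, user1, WRITE_DAC),
    }


if __name__ == "__main__":
    for check, result in thread_scenario().items():
        print(f"{check}: {result}")
```

The point the thread turns on is visible in the two user1 write results: the file-level grant is real (a local logon would use it) but does nothing over the share, because the share layer never granted WRITE to user1 in the first place, and nothing in the share layer is consulted when the admin edits the subfolder's DACL.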


Re: [Samba] Authentication questions with domain

2010-09-09 Thread Jean-Yves Avenard
Hi there



On 9 September 2010 03:15, Jean-Yves Avenard  wrote:
> Hi there
>
> On 9 September 2010 02:56, grant little  wrote:
>>
>> nsswitch is using local auth first maybe?
>
> Thank you for the pointer..
>
> This is my nsswitch.conf

Playing with nsswitch.conf, all users, even with an alias, can connect.

Seems that "compat" isn't compatible (pardon the pun) with ldap ...

Need to find a way to force a particular shell for a machine only...


Re: [Samba] Samba4 and Windows 7 password change

2010-09-09 Thread Andrew Bartlett
On Wed, 2010-09-08 at 22:07 -0500, Philip M. White wrote:
> Hi, all,
> 
> With the latest Samba4, I am not able to change a user's password via
> Windows 7.
> 
> I was able to successfully set a password from within RSAT's Users while
> adding a new user, but that user cannot change his own password.
> 
> When I try, Windows 7 tells me that the server rejected the password
> change because the new password doesn't meet the complexity/length
> requirements.
> 
> On Samba's end, I see this:
> Changing password of PMWWORLD\sue 
> (S-1-5-21-1802782687-180428704-2922416880-1106)
> kpasswdd: Password must be at least 7 characters long, and cannot match any 
> of your 24 previous passwords
> 
> I get this regardless of what password I try.  For the record, I tried
> Secret$1 and Secret$2, both of which meet the first condition and which
> I've tried for the first time ever.
> 
> Can anyone confirm this behavior?

That's an odd one. 

Perhaps it's a minimum password age?

Andrew Bartlett
-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.

