Re: [Samba] rpcclient and NTLMV2 authentication

2010-09-30 Thread Andrew Bartlett
On Wed, 2010-09-29 at 13:52 +0100, keith Fayne wrote:
> I've seen various notes on this subject, but can't find a definitive answer.
> 
> Does rpcclient support NTLMv2 authentication ?
> 
> i.e if the AD server is setup to send NTLMv2 responses only (and reject LM
> and NTLM) can I still connect with rpcclient ?

rpcclient will honour the same setting in the smb.conf as smbclient -
'client ntlmv2 auth = yes' should do it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] help with AD integration

2010-09-30 Thread Gaiseric Vandal
I suspect Oracle won't be much help with 3rd party s/w.  I had opened 
a ticket with Sun last year (?) when I had problems with domain trusts with the 
samba version they provided (the trusts worked BUT the cache would 
expire and not repopulate.)   They had a cookie cutter setup for joining 
Samba to an AD domain (which wasn't relevant to me.)  They were 
supposedly going to release a build for samba 3.4.x BUT they seemed to 
have killed any more work with Samba.


If Ben switches back to samba 3.0.x from Sun he may be able to get some 
help.  Altho I suspect if you dig through the release notes you will 
NOT find Win 2008 support for Samba 3.0.x.






On 09/29/2010 11:52 AM, Rob LaRose wrote:

Hi Ben,

Which version of AD are you using?  We had no luck integrating Solaris Samba w/ 
AD 2008 last year, and were forced to use a third-party authentication product 
called Centrify DirectControl to facilitate.

This may have changed by now — have you opened a support case with Oracle?

--Rob


Rob LaRose  systems administrator
imaginary forces | 530 west 25th st | new york city | p 646.486.6868 | f 
646.486.4700 | www.imaginaryforces.com


From: Ben George <bentech4...@gmail.com>
Date: Wed, 29 Sep 2010 03:07:15 -0400
To: "samba@lists.samba.org" <samba@lists.samba.org>
Subject: [Samba] help with AD integration

HI

my name is Ben.T.George

i am new to samba and active directory integration

my machine is Sun Solaris SPARC (solaris 10).

the unix side samba and all deps are installed...from this link
http://www.sunfreeware.com/programlistsparc10.html#samba

now i want to sync samba with active directory..

so please help to for this..

please provide me the step by step for this..

now i am stuck with kerberos configuration.

also please provide me the kerberos step by step configuration

thanks
Ben.T.George


Re: [Samba] help with AD integration

2010-09-30 Thread Gaiseric Vandal

Hi

Please clarify the following
 -  Did you run "truss getent passwd" command and look for lines with 
nss_winbind-  just in case it is looking for a file with a different 
version.

 - Why does nsswitch.conf have ldap references-  are you using ldap?


You should also look through the samba logs-  it may provide some 
information.



On 09/30/2010 12:14 PM, Ben George wrote:




yes client has Solaris and a windows xp machine under the AD domain

yes i exported the paths to the newly installed /usr/local/samba/lib

me using the new packages and disabled the default packages


On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal 
<gaiseric.van...@gmail.com> wrote:


So to clarify the customer has a Sun Solaris 10 UNIX machine and a
Linux workstation?

FOR SOLARIS

I had problems with getting nsswitch+winbind working with the
samba from sunfreeware-  I had to recompile from scratch (major
headache.)   In hindsight this may not have been necessary for
winbind-  although I had to recompile anyway for ZFS support.

On solaris, you should have a file called
/usr/lib/nss_winbind.so.1 -  which is the nsswitcher winbind
library provided by the samba that sun bundles with solaris 10
(but this is samba 3.0.x and too old to be much use.)

In /usr/local/samba/lib -  do you see an nss_winbind.so.1 file?   
How is your PATH and LD_LIBRARY_PATH set-  you want to make sure

you are using the /usr/local/samba/bin and /usr/local/samba/lib
first.

If you run "truss getent passwd | tee log1.txt"  you should see it
looking for nss_winbind.so.1 -  ideally it will look in
/usr/local/samba/lib before /usr/lib.  If it uses
/usr/lib/nss_winbind.so.1 that will probably NOT work.  You may
want to rename that file just to make sure.






On 09/30/2010 10:57 AM, Ben George wrote:


Sun Solaris 10 (under SPARC)

local users in /etc/passwd

samba 3.4.2 from sunfreeware.com 


getent passwd

ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh

like this

Thanks
Ben.T.George




On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
<gaiseric.van...@gmail.com> wrote:

Then it sounds like you need the AD integration.  If the
user's also login to the linux workstation directly  (or via
ssh) then you will need to configure winbind and nsswitch to
support unix logins.

Why does nsswitch.conf include ldap?  Is this the only
linux/unix machine?  Are local users in ldap or /etc/passwd?

What version of samba?   What version of linux?

Ideally "getent passwd" would show something like



ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh

or

SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash



I don't think you need a huge amount of AD experience to make
this work but I think you have to have general understanding
of what Windows domains are about.

You should also review the smb.conf man page for the section
on idmap_ad.





On 09/30/2010 09:24 AM, Ben George wrote:



Thanks for your reply..

yes my client told me like this that's Y..and the manager
gave that work to newly joined me.. :(

i don't have any AD and core unix experience..i have only
experience in linux.not much

may this project will affect my job..  :(

my nsswitch.conf

passwd: files ldap winbind
group:  files ldap winbind
hosts:  dns files
ipnodes: dns files


"*nsswitch+winbind (which I do) or the smb pam module*"..? :(

 i don't know..my client's need is he has a linux
machine..also a ADS..from the unix machine, he want to share
secure folder's to the AD user's..so each user can only
access that particular shared folder..when the password of
user changed in AD, that will affect to the
smbpassword...means without changing that particular user's
smb password in the unix machine..

for this need which method is useful..from your experience

"*Does "getent passwd" show the windows users?*"

please check the output ..i think getent password only shows
unix system password

bash-3.00# getent passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net

Re: [Samba] install samba 4 alpha13 on centos 5.5 make error

2010-09-30 Thread Daniel Müller

I used the tarball!?
I downloaded the sources into a fresh new directory and did compile it
from there.
Do I need to delete the old compiling directory containing samba4 alpha12
sources!?




On Thu, 30 Sep 2010 18:03:27 +0200, Jelmer Vernooij 
wrote:
> On Thu, 2010-09-30 at 16:15 +0200, Daniel Müller wrote:
>> downloaded  alpha13, did:
>> ./autogen.sh
>> This result in:
>> [r...@node1 source4]# ./autogen.sh
>> Setting up for waf build
>> done. Now run ./configure or ./configure.developer then make.
>> 
>> ./configure.devloper ←ok
>> Then:
>> Make
>> Error: data.mk:1881: *** Befehle beginnen vor dem ersten Ziel.  Schluss.
>> Make does nothing?!
>> Any idea1?
> This doesn't seem right. You must still have some old makefile around,
> we don't use data.mk anymore. Did you do a clean checkout, or use the
> tarball?
> 
> Cheers,
> 
> jelmer

Re: [Samba] cannot access samba server from outside domain

2010-09-30 Thread Gaiseric Vandal

Are the workstations XP, Vista or Win 7?

What happens if you log in to the non-domain workstation using a 
username and password that match a valid domain name and password?


If you run "testparm -v" on the samba server do you have both ports 139 
and 445 open?


Yesterday I was troubleshooting a remote access issue as well.   
Windows XP machines in the domain on the LAN have no problem with samba 
shares.


A Windows 7 user over VPN  could only access shares on some samba servers 
but not others.   I tested over VPN with an XP workstation, I had 
trouble with one server until I reenabled 445 by DISABLING the following 
line in smb.conf


smb ports = 139


Fixed it for XP, not for Win 7.  The logs on the server 
(/var/log/samba/the-win7-machine) showed that the user failed with


[2010/09/30 05:01:10,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_WRONG_PASSWORD








On 09/30/2010 01:52 PM, Lorenzo Monti wrote:

Hello everybody --
can someone please help with this:

win 2008 AD domain controller
samba 3.2.5 on debian lenny configured as domain member

workstations joined to domain can access samba shares.
workstations outside domain cannot access shares.
anytime one tries to connect, popup shows asking for credentials. no
combination of domain\user + password, u...@domain + password or
whatever will be accepted.
I have a similar situation in another site with a 2003 AD domain which
works flawlessly, configuration files are the same so I guess it can
be a samba<->2008 AD compatibility issue?

config file follows:
---
[global]
 unix charset = UTF8
 display charset = UTF8

 netbios name = DEBIAN
 workgroup = ##
 realm = ##.LOCAL

 encrypt passwords = true
 server string = Samba Server %v
 security = ads
 log level = 1
 syslog = 0
 log file = /var/log/samba/%m.log
 max log size = 500

 ldap ssl = no
 winbind separator = +
 winbind uid = 10-20
 winbind gid = 10-20
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = no
 idmap backend = idmap_rid:##=10-20
 allow trusted domains = no

 passdb backend = tdbsam

 load printers = no
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes

 passdb expand explicit = no
 os level = 40
 local master = no
 dns proxy = no

 template shell = /usr/sbin/nologin
 template homedir = /dev/null

 wins support = no
 disable netbios = no
#   wins server = 192.168.1.253

 map hidden = yes
#   hide files = /desktop.ini/Thumbs.db/
 nt acl support = no
 dos filemode = yes
 create mask = 0745
 directory mask = 0755

 kernel change notify = yes
 kernel oplocks = yes

 socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
 panic action = /usr/share/samba/panic-action %d
   


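Added example (not part of the original post, and not Samba project code): a small parser that pulls the `check_ntlm_password ... FAILED` records quoted in the reply above out of a per-client Samba log and counts them per user and status, so a run of NT_STATUS_WRONG_PASSWORD from one client stands out. The sample log is constructed around the two lines in the post; the extra records, the `kiosk` user and the threshold are assumptions.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Record header as in the post:
#   [2010/09/30 05:01:10,  2] auth/auth.c:320(check_ntlm_password)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(\d+)[^\]]*\]\s+(\S+)"
)
# Failure message as in the post; user names are whatever sits in the brackets.
FAILED = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\]\s+"
    r"FAILED with error (NT_STATUS_\w+)"
)


def iter_records(log_text):
    """Yield (timestamp, level, source, message) per log record.

    A record is one header line plus every following line up to the next
    header. Body lines are joined with single spaces, so a message that was
    wrapped in transit (as in the mail) still matches.
    """
    current = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], current[2], " ".join(current[3])
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = (ts, int(m.group(2)), m.group(3), [])
        elif current and line.strip():
            current[3].append(line.strip())
    if current:
        yield current[0], current[1], current[2], " ".join(current[3])


def auth_failures(log_text):
    """Return one dict per failed authentication found in the log text."""
    out = []
    for ts, _level, _source, message in iter_records(log_text):
        m = FAILED.search(message)
        if m:
            out.append({"time": ts, "client_user": m.group(1),
                        "mapped_user": m.group(2), "status": m.group(3)})
    return out


def summarize(failures):
    """Group failures by (mapped user, status) with count and first/last time."""
    summary = OrderedDict()
    for f in failures:
        key = (f["mapped_user"], f["status"])
        entry = summary.setdefault(
            key, {"count": 0, "first": f["time"], "last": f["time"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], f["time"])
        entry["last"] = max(entry["last"], f["time"])
    return summary


def repeated(summary, threshold=2):
    """Keys that failed at least `threshold` times (threshold is an assumption)."""
    return [key for key, entry in summary.items() if entry["count"] >= threshold]


# Constructed sample: the first record is the one quoted in the post (wrapped
# the same way); the remaining records are invented for the example.
SAMPLE_LOG = """\
[2010/09/30 05:01:10,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jsmith] -> [jsmith]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/09/30 05:01:11,  1] smbd/example.c:1(constructed_record)
  unrelated record, ignored by the parser
[2010/09/30 05:01:14,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_WRONG_PASSWORD
[2010/09/30 05:02:40,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [kiosk] -> [kiosk] FAILED with error NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    summary = summarize(auth_failures(SAMPLE_LOG))
    for (user, status), e in summary.items():
        print(f"{user:10} {status:28} x{e['count']}  {e['first']} .. {e['last']}")
    print("repeated:", repeated(summary))
```
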


[Samba] cannot access samba server from outside domain

2010-09-30 Thread Lorenzo Monti
Hello everybody --
can someone please help with this:

win 2008 AD domain controller
samba 3.2.5 on debian lenny configured as domain member

workstations joined to domain can access samba shares.
workstations outside domain cannot access shares.
anytime one tries to connect, popup shows asking for credentials. no
combination of domain\user + password, u...@domain + password or
whatever will be accepted.
I have a similar situation in another site with a 2003 AD domain which
works flawlessly, configuration files are the same so I guess it can
be a samba<->2008 AD compatibility issue?

config file follows:
---
[global]
unix charset = UTF8
display charset = UTF8

netbios name = DEBIAN
workgroup = ##
realm = ##.LOCAL

encrypt passwords = true
server string = Samba Server %v
security = ads
log level = 1
syslog = 0
log file = /var/log/samba/%m.log
max log size = 500

ldap ssl = no
winbind separator = +
winbind uid = 10-20
winbind gid = 10-20
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
idmap backend = idmap_rid:##=10-20
allow trusted domains = no

passdb backend = tdbsam

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

passdb expand explicit = no
os level = 40
local master = no
dns proxy = no

template shell = /usr/sbin/nologin
template homedir = /dev/null

wins support = no
disable netbios = no
#   wins server = 192.168.1.253

map hidden = yes
#   hide files = /desktop.ini/Thumbs.db/
nt acl support = no
dos filemode = yes
create mask = 0745
directory mask = 0755

kernel change notify = yes
kernel oplocks = yes

socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
panic action = /usr/share/samba/panic-action %d


Re: [Samba] help with AD integration

2010-09-30 Thread Ben George
yes client has Solaris and a windows xp machine under the AD domain

yes i exported the paths to the newly installed /usr/local/samba/lib

me using the new packages and disabled the default packages


On Thu, Sep 30, 2010 at 6:16 PM, Gaiseric Vandal
wrote:

>  So to clarify the customer has a Sun Solaris 10 UNIX machine and a Linux
> workstation?
>
> FOR SOLARIS
>
> I had problems with getting nsswitch+winbind working with the samba from
> sunfreeware-  I had to recompile from scratch (major headache.)   In
> hindsight this may not have been necessary for winbind-  although I had to
> recompile anyway for ZFS support.
>
> On solaris, you should have a file called /usr/lib/nss_winbind.so.1 -
> which is the nsswitcher winbind library provided by the samba that sun
> bundles with solaris 10 (but this is samba 3.0.x and too old to be much
> use.)
>
> In /usr/local/samba/lib -  do you see an nss_winbind.so.1 file?  How is
> your PATH and LD_LIBRARY_PATH set-  you want to make sure you are using the
> /usr/local/samba/bin and /usr/local/samba/lib first.
>
> If you run "truss getent passwd | tee log1.txt"  you should see it looking
> for nss_winbind.so.1 -  ideally it will look in /usr/local/samba/lib before
> /usr/lib.  If it uses /usr/lib/nss_winbind.so.1 that will probably NOT
> work.  You may want to rename that file just to make sure.
>
>
>
>
>
>
> On 09/30/2010 10:57 AM, Ben George wrote:
>
>
> Sun Solaris 10 (under SPARC)
>
> local users in /etc/passwd
>
> samba 3.4.2 from sunfreeware.com
>
>
> getent passwd
>
> ramana:x:100:1::/export/home/ramana:/bin/sh
> teju:x:101:1::/export/home/teju:/bin/sh
> user1:x:102:1::/export/home/user1:/bin/sh
> ben:x:103:1::/home/ben:/bin/sh
>
> like this
>
> Thanks
> Ben.T.George
>
>
>
>
> On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal <
> gaiseric.van...@gmail.com> wrote:
>
>> Then it sounds like you need the AD integration.  If the user's also login
>> to the linux workstation directly  (or via ssh) then you will need to
>> configure winbind and nsswitch to support unix logins.
>>
>> Why does nsswitch.conf include ldap?  Is this the only linux/unix
>> machine?  Are local users in ldap or /etc/passwd?
>>
>> What version of samba?   What version of linux?
>>
>> Ideally "getent passwd" would show something like
>>
>>
>>
>> ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh
>>
>> or
>>
>> SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>>
>>
>>
>> I don't think you need a huge amount of AD experience to make this work
>> but I think you have to have general understanding of what Windows domains
>> are about.
>>
>> You should also review the smb.conf man page for the section on idmap_ad.
>>
>>
>>
>>
>>
>>
>> On 09/30/2010 09:24 AM, Ben George wrote:
>>
>>
>>
>> Thanks for your reply..
>>
>> yes my client told me like this that's Y..and the manager gave that work
>> to newly joined me.. :(
>>
>> i don't have any AD and core unix experience..i have only experience in
>> linux.not much
>>
>> may this project will affect my job..  :(
>>
>> my nsswitch.conf
>>
>> passwd: files ldap winbind
>> group:  files ldap winbind
>> hosts:  dns files
>> ipnodes: dns files
>>
>>
>> "*nsswitch+winbind (which I do) or the smb pam module*"..? :(
>>
>>  i don't know..my client's need is he has a linux machine..also a
>> ADS..from the unix machine, he want to share secure folder's to the AD
>> user's..so each user can only access that particular shared folder..when the
>> password of user changed in AD, that will affect to the smbpassword...means
>> without changing that particular user's smb password in the unix machine..
>>
>> for this need which method is useful..from your experience
>>
>> "*Does "getent passwd" show the windows users?*"
>>
>> please check the output ..i think getent password only shows unix system
>> password
>>
>> bash-3.00# getent passwd
>> root:x:0:0:Super-User:/:/sbin/sh
>> daemon:x:1:1::/:
>> bin:x:2:2::/usr/bin:
>> sys:x:3:3::/:
>> adm:x:4:4:Admin:/var/adm:
>> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
>> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
>> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
>> smmsp:x:25:25:SendMail Message Submission Program:/:
>> listen:x:37:4:Network Admin:/usr/net/nls:
>> gdm:x:50:50:GDM Reserved UID:/:
>> webservd:x:80:80:WebServer Reserved UID:/:
>> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
>> svctag:x:95:12:Service Tag UID:/:
>> nobody:x:60001:60001:NFS Anonymous Access User:/:
>> noaccess:x:60002:60002:No Access User:/:
>> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
>> ramana:x:100:1::/export/home/ramana:/bin/sh
>> teju:x:101:1::/export/home/teju:/bin/sh
>> user1:x:102:1::/export/home/user1:/bin/sh
>> ben:x:103:1::/home/ben:/bin/sh
>>
>>
>> "you already have a "unix" ben and a "ADS" ben defined?"
>>
>> Yes i defined the ben user in Unix and ADS...bcoz i don't have much
>> knowledge about that sorry
>>
>> Hope u will help me
>> Thanks

Re: [Samba] install samba 4 alpha13 on centos 5.5 make error

2010-09-30 Thread Jelmer Vernooij
On Thu, 2010-09-30 at 16:15 +0200, Daniel Müller wrote:
> downloaded  alpha13, did:
> ./autogen.sh
> This result in:
> [r...@node1 source4]# ./autogen.sh
> Setting up for waf build
> done. Now run ./configure or ./configure.developer then make.
> 
> ./configure.devloper ←ok
> Then:
> Make
> Error: data.mk:1881: *** Befehle beginnen vor dem ersten Ziel.  Schluss.
> Make does nothing?!
> Any idea1?
This doesn't seem right. You must still have some old makefile around,
we don't use data.mk anymore. Did you do a clean checkout, or use the
tarball?

Cheers,

jelmer

Re: [Samba] help with AD integration

2010-09-30 Thread Gaiseric Vandal
So to clarify the customer has a Sun Solaris 10 UNIX machine and a Linux 
workstation?


FOR SOLARIS

I had problems with getting nsswitch+winbind working with the samba from 
sunfreeware-  I had to recompile from scratch (major headache.)   In 
hindsight this may not have been necessary for winbind-  although I had 
to recompile anyway for ZFS support.


On solaris, you should have a file called /usr/lib/nss_winbind.so.1 -  
which is the nsswitcher winbind library provided by the samba that sun 
bundles with solaris 10 (but this is samba 3.0.x and too old to be much 
use.)


In /usr/local/samba/lib -  do you see an nss_winbind.so.1 file?   How 
is your PATH and LD_LIBRARY_PATH set-  you want to make sure you are 
using the /usr/local/samba/bin and /usr/local/samba/lib first.


If you run "truss getent passwd | tee log1.txt"  you should see it 
looking for nss_winbind.so.1 -  ideally it will look in 
/usr/local/samba/lib before /usr/lib.  If it uses 
/usr/lib/nss_winbind.so.1 that will probably NOT work.  You may want to 
rename that file just to make sure.







On 09/30/2010 10:57 AM, Ben George wrote:


Sun Solaris 10 (under SPARC)

local users in /etc/passwd

samba 3.4.2 from sunfreeware.com 


getent passwd

ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh

like this

Thanks
Ben.T.George




On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal 
<gaiseric.van...@gmail.com> wrote:


Then it sounds like you need the AD integration.  If the user's
also login to the linux workstation directly  (or via ssh) then
you will need to configure winbind and nsswitch to support unix
logins.

Why does nsswitch.conf include ldap?  Is this the only linux/unix
machine?  Are local users in ldap or /etc/passwd?

What version of samba?   What version of linux?

Ideally "getent passwd" would show something like



ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh

or

SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash



I don't think you need a huge amount of AD experience to make this
work but I think you have to have general understanding of what
Windows domains are about.

You should also review the smb.conf man page for the section on
idmap_ad.





On 09/30/2010 09:24 AM, Ben George wrote:



Thanks for your reply..

yes my client told me like this that's Y..and the manager gave
that work to newly joined me.. :(

i don't have any AD and core unix experience..i have only
experience in linux.not much

may this project will affect my job..  :(

my nsswitch.conf

passwd: files ldap winbind
group:  files ldap winbind
hosts:  dns files
ipnodes: dns files


"*nsswitch+winbind (which I do) or the smb pam module*"..? :(

 i don't know..my client's need is he has a linux machine..also a
ADS..from the unix machine, he want to share secure folder's to
the AD user's..so each user can only access that particular
shared folder..when the password of user changed in AD, that will
affect to the smbpassword...means without changing that
particular user's smb password in the unix machine..

for this need which method is useful..from your experience

"*Does "getent passwd" show the windows users?*"

please check the output ..i think getent password only shows unix
system password

bash-3.00# getent passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh


"you already have a "unix" ben and a "ADS" ben defined?"

Yes i defined the ben user in Unix and ADS...bcoz i don't have
much knowledge about that sorry

Hope u will help me
Thanks
Ben.T.George


On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
<gaiseric.van...@gmail.com> wrote:


disclaimer: I don't use Samba as an ADS member server.  I use
samba as PDC with trusts to an ADS domain.  So my
observations may not be valid.

 

Re: [Samba] help with AD integration

2010-09-30 Thread Ben George
Sun Solaris 10 (under SPARC)

local users in /etc/passwd

samba 3.4.2 from sunfreeware.com


getent passwd

ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh

like this

Thanks
Ben.T.George




On Thu, Sep 30, 2010 at 5:45 PM, Gaiseric Vandal
wrote:

>  Then it sounds like you need the AD integration.  If the user's also login
> to the linux workstation directly  (or via ssh) then you will need to
> configure winbind and nsswitch to support unix logins.
>
> Why does nsswitch.conf include ldap?  Is this the only linux/unix machine?
> Are local users in ldap or /etc/passwd?
>
> What version of samba?   What version of linux?
>
> Ideally "getent passwd" would show something like
>
>
>
> ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh
>
> or
>
> SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash
>
>
>
> I don't think you need a huge amount of AD experience to make this work but
> I think you have to have general understanding of what Windows domains are
> about.
>
> You should also review the smb.conf man page for the section on idmap_ad.
>
>
>
>
>
> On 09/30/2010 09:24 AM, Ben George wrote:
>
>
>
> Thanks for your reply..
>
> yes my client told me like this that's Y..and the manager gave that work to
> newly joined me.. :(
>
> i don't have any AD and core unix experience..i have only experience in
> linux.not much
>
> may this project will affect my job..  :(
>
> my nsswitch.conf
>
> passwd: files ldap winbind
> group:  files ldap winbind
> hosts:  dns files
> ipnodes: dns files
>
>
> "*nsswitch+winbind (which I do) or the smb pam module*"..? :(
>
>  i don't know..my client's need is he has a linux machine..also a ADS..from
> the unix machine, he want to share secure folder's to the AD user's..so each
> user can only access that particular shared folder..when the password of
> user changed in AD, that will affect to the smbpassword...means without
> changing that particular user's smb password in the unix machine..
>
> for this need which method is useful..from your experience
>
> "*Does "getent passwd" show the windows users?*"
>
> please check the output ..i think getent password only shows unix system
> password
>
> bash-3.00# getent passwd
> root:x:0:0:Super-User:/:/sbin/sh
> daemon:x:1:1::/:
> bin:x:2:2::/usr/bin:
> sys:x:3:3::/:
> adm:x:4:4:Admin:/var/adm:
> lp:x:71:8:Line Printer Admin:/usr/spool/lp:
> uucp:x:5:5:uucp Admin:/usr/lib/uucp:
> nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
> smmsp:x:25:25:SendMail Message Submission Program:/:
> listen:x:37:4:Network Admin:/usr/net/nls:
> gdm:x:50:50:GDM Reserved UID:/:
> webservd:x:80:80:WebServer Reserved UID:/:
> postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
> svctag:x:95:12:Service Tag UID:/:
> nobody:x:60001:60001:NFS Anonymous Access User:/:
> noaccess:x:60002:60002:No Access User:/:
> nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
> ramana:x:100:1::/export/home/ramana:/bin/sh
> teju:x:101:1::/export/home/teju:/bin/sh
> user1:x:102:1::/export/home/user1:/bin/sh
> ben:x:103:1::/home/ben:/bin/sh
>
>
> "you already have a "unix" ben and a "ADS" ben defined?"
>
> Yes i defined the ben user in Unix and ADS...bcoz i don't have much
> knowledge about that sorry
>
> Hope u will help me
> Thanks
> Ben.T.George
>
>
> On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal <
> gaiseric.van...@gmail.com> wrote:
>
>>
>> disclaimer: I don't use Samba as an ADS member server.  I use samba as PDC
>> with trusts to an ADS domain.  So my observations may not be valid.
>>
>> Did you try updating nsswitch.conf
>>
>>
>>    passwd: files winbind
>>    group:  files winbind
>>
>>
>> If you are using a Windows domain and have a user defined in the domain,
>> you generally don't want to add the user as a local user.   Since the
>> underlying unix OS needs to know about the domain users you need to either
>> use nsswitch+winbind (which I do) or the smb pam module (which I don't use,
>> and not sure if it really is the correct approach.)
>>
>> If you use nsswitch.conf+winbind you can then also OPTIONALLY allow
>> "windows" users "unix" access like ssh.  My samba server is a PDC-  I have
>> a domain trust with windows domains BUT  the default shell is "/bin/false."
>>    (It is still a little flaky...)
>>
>> Does "getent passwd" show the windows users?   It should show something
>> like
>>
>> ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>
>> or
>>
>> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben/bin/false
>>
>>
>>
>> It looks like = you already have a "unix" ben and a "ADS" ben defined?
>>
>> "wbinfo -s" and "wbinfo -n" are also useful for making sure that the
>> name-to-sid and sid-to-name mappings are correct for domain users.
>>
>
>

Re: [Samba] help with AD integration

2010-09-30 Thread Gaiseric Vandal
Then it sounds like you need the AD integration.  If the user's also 
login to the linux workstation directly  (or via ssh) then you will need 
to configure winbind and nsswitch to support unix logins.


Why does nsswitch.conf include ldap?  Is this the only linux/unix 
machine?  Are local users in ldap or /etc/passwd?


What version of samba?   What version of linux?

Ideally "getent passwd" would show something like



ben:*:10001:10001:Ben George:/export/Home/SRE/ben/:bin/tcsh

or

SRE+ben:*:10001:10001:Ben George:/export/Home/SRE/ben:/bin/bash



I don't think you need a huge amount of AD experience to make this work 
but I think you have to have general understanding of what Windows 
domains are about.


You should also review the smb.conf man page for the section on idmap_ad.





On 09/30/2010 09:24 AM, Ben George wrote:



Thanks for your reply..

yes my client told me like this that's Y..and the manager gave that 
work to newly joined me.. :(


i don't have any AD and core unix experience..i have only experience 
in linux.not much


may this project will affect my job..  :(

my nsswitch.conf

passwd: files ldap winbind
group:  files ldap winbind
hosts:  dns files
ipnodes: dns files


"*nsswitch+winbind (which I do) or the smb pam module*"..? :(

 i don't know..my client's need is he has a linux machine..also a 
ADS..from the unix machine, he want to share secure folder's to the AD 
user's..so each user can only access that particular shared 
folder..when the password of user changed in AD, that will affect to 
the smbpassword...means without changing that particular user's smb 
password in the unix machine..


for this need which method is useful..from your experience

"*Does "getent passwd" show the windows users?*"

please check the output ..i think getent password only shows unix 
system password


bash-3.00# getent passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh/*


"you already have a "unix" ben and a "ADS" ben defined?"

Yes i defined the ben user in Unix and ADS...bcoz i don't have much 
knowledge about that sorry


Hope u will help me
Thanks
Ben.T.George


On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal wrote:



disclaimer: I don't use Samba as an ADS member server.  I use
samba as PDC with trusts to an ADS domain.  So my observations may
not be valid.

Did you try updating nsswitch.conf


   passwd: files winbind
   group:files winbind


If you are using a Windows domain and have a user defined in the
domain, you generally don't want to add the user as a local user.
  Since the underlying unix OS needs to know about the domain
users you need to either use nsswitch+winbind (which I do) or the
smb pam module (which I don't use, and not sure if it really is
the correct approach.)

If you use nsswitch.conf+winbind you can then also OPTIONALLY
allow "windows" users "unix" access like ssh.My samba server
is a PDC-  I have a domain trust with windows domains BUT  the
default shell is "/bin/false."(It is still a little flaky...)

Does "getent passwd" show the windows users?   It should show
something like

ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false

or

SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false



It looks like you already have a "unix" ben and a "ADS" ben defined?

"wbinfo -s" and "wbinfo -n" are also useful for making sure that
the name-to-sid and sid-to-name mappings are correct for domain users.



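The two checks discussed in this exchange (whether "getent passwd" returns any domain users, and whether a local account hides the AD account of the same name), as an added example that is not part of the original thread. The sample inputs are constructed from the outputs posted here; the idmap range 10000-20000 and all function names are assumptions.

```python
"""Added example: do local passwd entries hide AD accounts from winbind?"""

# Constructed samples, modelled on the outputs posted in this thread.
NSSWITCH_CONF = """\
passwd: files ldap winbind
group:  files ldap winbind
hosts:  dns files
"""

# What the "files" source answers with (also the posted getent output).
LOCAL_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
nobody:x:60001:60001:NFS Anonymous Access User:/:
ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh
"""

# `wbinfo -u` style listing of the accounts winbind knows about.
WBINFO_USERS = """\
SUN1+ben
administrator
guest
krbtgt
teju
ben
ramana
"""

# Assumption: substitute the idmap uid range from your own smb.conf.
IDMAP_RANGE = (10000, 20000)


def nss_sources(conf_text, database):
    """Return the ordered lookup sources for one nsswitch.conf database."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Keep source names, drop action items such as [NOTFOUND=return].
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def parse_passwd(text):
    """Map login name -> (uid, shell) for well-formed 7-field passwd lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # malformed line, e.g. a missing ':' before the shell
        # NSS returns the first match, so the first entry for a name wins.
        entries.setdefault(fields[0], (int(fields[2]), fields[6]))
    return entries


def shadowed_domain_users(conf_text, local_passwd, wbinfo_users, separator="+"):
    """AD account names that "files" answers for before winbind is asked.

    Only the "files" source is modelled; an ldap source listed ahead of
    winbind can hide domain accounts in the same way.
    """
    sources = nss_sources(conf_text, "passwd")
    if "files" not in sources or "winbind" not in sources:
        return []
    if sources.index("files") > sources.index("winbind"):
        return []
    local = {name.lower() for name in parse_passwd(local_passwd)}
    hidden = set()
    for name in (line.strip() for line in wbinfo_users.splitlines()):
        if not name or separator in name:
            continue  # qualified names (DOMAIN+user) cannot collide
        if name.lower() in local:
            hidden.add(name.lower())
    return sorted(hidden)


def domain_entries(getent_text, id_range):
    """Names in `getent passwd` output whose UID lies in the idmap range."""
    low, high = id_range
    entries = parse_passwd(getent_text)
    return sorted(n for n, (uid, _) in entries.items() if low <= uid <= high)


if __name__ == "__main__":
    print("passwd lookup order:", nss_sources(NSSWITCH_CONF, "passwd"))
    print("AD users hidden by a local account:",
          shadowed_domain_users(NSSWITCH_CONF, LOCAL_PASSWD, WBINFO_USERS))
    print("entries in the idmap range:",
          domain_entries(LOCAL_PASSWD, IDMAP_RANGE))
```

An empty result from `domain_entries` on real "getent passwd" output means winbind is not supplying users to NSS even though "wbinfo -u" lists them.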


[Samba] install samba 4 alpha13 on centos 5.5 make error

2010-09-30 Thread Daniel Müller
Dear all,

downloaded  alpha13, did:
./autogen.sh
This result in:
[r...@node1 source4]# ./autogen.sh
Setting up for waf build
done. Now run ./configure or ./configure.developer then make.

./configure.developer ← ok
Then:
make
Error: data.mk:1881: *** Befehle beginnen vor dem ersten Ziel.  Schluss.
Make does nothing?!
Any idea?

Daniel
---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---


Re: [Samba] Storing Profile remote on Samba PDC only works for one user

2010-09-30 Thread Konstantin Kletschke

For testing purposes I removed the membership from
XXX_user of the group cn=Domain Guests. In the userenv.log no lines
like

USERENV(b8.a0) 17:11:29:906 RestoreUserProfile:  Entering
USERENV(b8.a0) 17:11:29:906 RestoreUserProfile:  User is a Guest

appeared, but the profile of the user was stored on the server remote
then. Also it got loaded after the initial creation.

My question is (I still can't find an error in my LDAP hierarchy alone),
does membership in the Domain Guests group take precedence over Domain
Users?

Kind Regards, Konsti


[Samba] "Access Denied" if printing after logoff

2010-09-30 Thread Daniel Gomes

 Dear users,

I have Samba (3.0.28a) currently configured to share CUPS (1.3.7) 
printers on a Ubuntu (8.04 hardy) server, using LDAP for authentication.


After installing a printer (accessing the Samba share and inputting the 
user's password), everything is fine and printing works fine. But after 
restarting the computer (or simply logging off), the user gets an 
"Access Denied" error when trying to print. I noticed that if the user 
accesses the share manually (at which point he is asked for his 
credentials) the error disappears. Basically, a "net use" connection is 
necessary to allow the user to print.


I realized I can fix the error with a "net use /USER: //printers 
" command, but as you can imagine, I wouldn't like to store the 
user's password in a cleartext script. I also wouldn't like to force the 
user to input his password every day.


After googling this subject, I also tried "use client drivers" to no 
success.


Here's my current config (I replaced some "sensitive" information):

#=== Global Settings ===

[global]

server string = %h server (Samba, Ubuntu)
dns proxy = no

 Networking 

hosts allow = 127.0.0.1, 192.168.136.0/24, 10.136.0.0/16
hosts deny = 0.0.0.0/0

 Debugging/Accounting 

log level = 3
log file = /var/log/samba/log.%m
# in KiB
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

### Authentication ###

encrypt passwords = true
security = user
passdb backend = ldapsam:ldap://
ldap admin dn = cn=samba,ou=services,dc=...
ldap suffix = dc=...
ldap user suffix = ou=people
ldap group suffix = ou=samba,ou=groups
ldap machine suffix =
ldap passwd sync = no
ldap delete dn = no

### Domain ###

workgroup = 
domain logons = yes
prefered master = yes
domain master = yes
local master = yes
obey pam restrictions = yes

unix password sync = yes

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .


pam password change = yes

map to guest = Never

 Misc 

socket options = TCP_NODELAY

#=== Share Definitions ===

load printers = yes
printing = cups
printcap name = cups

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
read only = yes
create mask = 0700
guest ok = no
use client driver = yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
writeable = yes
guest ok = no
write list = @domadmins root administrator


---

So, does anyone have an idea how I can make this work?

Thanks in advance,

--
Daniel Gomes (SysAdmin)
dgo...@ipfn.ist.utl.pt
Ext. 3487 - 218419487

Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal



Re: [Samba] Samba 3.5.5. id-map issues with Active Directory

2010-09-30 Thread Haven
 To fix this issue on Debian I have rolled back to 3.4.8 using the 
following cached deb files:
libwbclient0_2%3a3.4.8~dfsg-2_amd64.deb  
samba-common_2%3a3.4.8~dfsg-2_all.deb
smbclient_2%3a3.4.8~dfsg-2_amd64.deb
samba_2%3a3.4.8~dfsg-2_amd64.deb 
samba-common-bin_2%3a3.4.8~dfsg-2_amd64.deb  
winbind_2%3a3.4.8~dfsg-2_amd64.deb


This has fixed the issue but I'm no closer to discovering what 
exactly is broken which is very unsatisfying.


To be sure that it's not just a Debian issue I recompiled from source 
on Debian and also tested on Gentoo (using 3.5.5) with the same results.


Is anyone aware of any changes in 3.5.5 that would cause this using 
my config from the original post ?


Regards

Simon

On 09/28/10 12:18, Haven wrote:

 Hi,

I'm running Debian Squeeze on a few machines that are all 
authenticating to a pair of Windows 2008 servers. After upgrading 
to samba 3.5.5 from 3.4.8 idmap has stopped resolving which is 
preventing user authentication on these boxes. The boxes that have 
been left at 3.4.8 continue to work fine.


On the 3.5.5 boxes wbinfo and net ads show lists of users and 
groups without issue yet id is not able to map uid's any more.


nsswitch.conf is using:

passwd: files winbind
group:  files winbind
shadow: files winbind


I can successfully connect the affected servers to the AD domain 
using net ads join and the keytab also generates fine.


I have included my smb.conf below and will happily provide any 
details that will help.


Many thanks for your time.

Regards

Simon


[global]

# Debugging domain auth issues:
debug level = 10

workgroup = DOMAIN
security = ads
kerberos method = system keytab
winbind use default domain = true
realm = DOMAIN.NET

disable netbios = yes
name resolve order = host lmhosts
hosts allow = 127.0.0.1 192.168.1.0/24 93.97.246.119
hosts deny = 0.0.0.0/0

password server = 192.168.1.2, 192.168.1.3, *

idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 1-2

idmap backend = ad
winbind offline logon = yes
winbind nested groups = yes
winbind separator = +
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = rfc2307

template homedir = /home/%U
template shell = /bin/bash
client ntlmv2 auth = yes
encrypt passwords = true

local master = no
domain master = no
preferred master = no
dns proxy = no

server string = Samba Server Version %v

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192


# Fix character set issues:
# http://www.unixresources.net/linux/lf/59/archive/00/00/13/18/131896.html


dos charset = 850
unix charset = UTF-8






Re: [Samba] Problems joining a samba domain with windows 7

2010-09-30 Thread Claudio Prono
John Drescher wrote:
> On Thu, Sep 30, 2010 at 8:06 AM, John Drescher  wrote:
>   
>> On Thu, Sep 30, 2010 at 3:50 AM, Claudio Prono  
>> wrote:
>> 
>>> Hello all,
>>>
>>> I am doing some tests with Windows 7 and a Samba Domain, but into a
>>> working SAMBA domain, where windows XP joins without problems, when i
>>> try with 7 i receive an error like "The trust relationship between this
>>> workstation and the primary domain failed.". I use OpenSuSE 11.3 with
>>> samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.
>>>
>>>   
>> Have you applied the registry patch on the windows 7 machine from the
>> samba wiki?
>>
>> http://wiki.samba.org/index.php/Windows7
>> 
>
> Sorry I see that you did that. Do you have only 1 domain controller?
> Or to get to the point. Are all domain controllers 3.3 or higher and
> have you restarted them all after the update?
>
> John
>
Solved!

The problem is I have touched some more registry keys than needed. I
have reset these two keys:

HKLM\System\CCS\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 1
DWORD RequireStrongKey = 1

And the join is going well!

Thanks!

Claudio.




-- 

Claudio Prono OPST
System Developer   
  Gsm: +39-349-54.33.258
@PSS Srl  Tel: +39-011-32.72.100
Via San Bernardino, 17Fax: +39-011-32.46.497
10141 Torino - ITALY  http://atpss.net/disclaimer

PGP Key - http://keys.atpss.net/c_prono.asc






Re: [Samba] help with AD integration

2010-09-30 Thread Ben George
Thanks for your reply..

yes my client told me like this that's Y..and the manager gave that work to
newly joined me.. :(

i don't have any AD and core unix experience..i have only experience in
linux.not much

may this project will affect my job..  :(

my nsswitch.conf

*passwd: files ldap winbind
group:  files ldap winbind
hosts:  dns files
ipnodes:dns files*


"*nsswitch+winbind (which I do) or the smb pam module*"..? :(

 i don't know..my client's need is he has a linux machine..also a ADS..from
the unix machine, he want to share secure folder's to the AD user's..so each
user can only access that particular shared folder..when the password of
user changed in AD, that will affect to the smbpassword...means without
changing that particular user's smb password in the unix machine..

for this need which method is useful..from your experience

"*Does "getent passwd" show the windows users?*"

please check the output ..i think getent password only shows unix system
password

*bash-3.00# getent passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
postgres:x:90:90:PostgreSQL Reserved UID:/:/usr/bin/pfksh
svctag:x:95:12:Service Tag UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
ramana:x:100:1::/export/home/ramana:/bin/sh
teju:x:101:1::/export/home/teju:/bin/sh
user1:x:102:1::/export/home/user1:/bin/sh
ben:x:103:1::/home/ben:/bin/sh*


"you already have a "unix" ben and a "ADS" ben defined?"

Yes i defined the ben user in Unix and ADS...bcoz i don't have much
knowledge about that sorry

Hope u will help me
Thanks
Ben.T.George


On Thu, Sep 30, 2010 at 3:59 PM, Gaiseric Vandal
wrote:

>
> disclaimer: I don't use Samba as an ADS member server.  I use samba as PDC
> with trusts to an ADS domain.  So my observations may not be valid.
>
> Did you try updating nsswitch.conf
>
>
>passwd: files winbind
>group:files winbind
>
>
> If you are using a Windows domain and have a user defined in the domain,
> you generally don't want to add the user as a local user.   Since the
> underlying unix OS needs to know about the domain users you need to either
> use nsswitch+winbind (which I do) or the smb pam module (which I don't use,
> and not sure if it really is the correct approach.)
>
> If you use nsswitch.conf+winbind you can then also OPTIONALLY allow
> "windows" users "unix" access like ssh.My samba server is a PDC-  I have
> a domain trust with windows domains BUT  the default shell is "/bin/false."
>(It is still a little flaky...)
>
> Does "getent passwd" show the windows users?   It should show something
> like
>
> ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>
> or
>
> SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false
>
>
>
> It looks like you already have a "unix" ben and a "ADS" ben defined?
>
> "wbinfo -s" and "wbinfo -n" are also useful for making sure that the
> name-to-sid and sid-to-name mappings are correct for domain users.
>


Re: [Samba] Problem when "valid users" is used

2010-09-30 Thread Arnaud BLONDEL - Alter Way Solutions
Ok, "net getlocalsid" returned a bad SID Domain but I couldn't change 
with "net setlocalsid" S- , no error but "net getlocalsid" 
returned already the (wrong) same value.


I found in LDAP a second entry SambaDomainName (?!) :

sambaDomainName=MYDOM,dc=company,dc=com
sambaSID: S-1-5-21-1003513250-1319205365-1235820382

and

sambaDomainName=SERVER,dc=company,dc=com
sambaSID: 

I stopped samba, deleted this entry, removed secrets.tdb file, set root 
smb password (smbpasswd -w), set SID (net setlocalsid 
S-1-5-21-1003513250-1319205365-1235820382) and restarted samba.


It works now.

Thanks


On 30/09/2010 12:10, Harry Jede wrote:


Look at the next error message:
(S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --

Look up the SIDs of your Server and Domain

net getlocalsid
net getdomainsid




--
Arnaud BLONDEL
Project Manager
ALTER WAY SOLUTIONS - Nord

TD: + 33 (0)3 22 84 04 07
FD: + 33 (0)3 22 84 00 73

44, rue Saint Fursy
80200 PERONNE
www.alterway.fr


Re: [Samba] help with AD integration

2010-09-30 Thread Gaiseric Vandal


disclaimer: I don't use Samba as an ADS member server.  I use samba as 
PDC with trusts to an ADS domain.  So my observations may not be valid.


Did you try updating nsswitch.conf


passwd: files winbind
group:files winbind


If you are using a Windows domain and have a user defined in the domain, 
you generally don't want to add the user as a local user.   Since the 
underlying unix OS needs to know about the domain users you need to 
either use nsswitch+winbind (which I do) or the smb pam module (which I 
don't use, and not sure if it really is the correct approach.)


If you use nsswitch.conf+winbind you can then also OPTIONALLY allow 
"windows" users "unix" access like ssh.My samba server is a PDC-  I 
have a domain trust with windows domains BUT  the default shell is 
"/bin/false."(It is still a little flaky...)


Does "getent passwd" show the windows users?   It should show something like

ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false

or

SRE+ben:*:10001:10001:Ben George:/home/SRE/ben:/bin/false



It looks like you already have a "unix" ben and a "ADS" ben defined?

"wbinfo -s" and "wbinfo -n" are also useful for making sure that the 
name-to-sid and sid-to-name mappings are correct for domain users.





On 09/30/2010 08:17 AM, Ben George wrote:

HI

My name is Ben.T.George.

i followed http://www.edsiohio.com/images/advanced-AD-2009-05-18.pdf this
tutorial


my current status is .i successfully joined to the AD


*bash-3.00# ./net ads join -U administrator
Enter administrator's password:
Using short domain name -- SRE
Joined 'SUN1' to realm 'sre.com'*

and Wbinfo shows the users and groups from the AD

*bash-3.00# ./wbinfo -u
SUN1+ramana
SUN1+user1
SUN1+ben
administrator
guest
support_388945a0
krbtgt
teju
ben
ramana*

*bash-3.00# ./wbinfo -g
helpservicesgroup
telnetclients
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
dnsadmins
dnsupdateproxy*

then i checked the AD,the Sun1 is listed under the computer tab.

That means my connection side is success na..?

this is my smb.conf file

*# Samba config file created using SWAT
# from UNKNOWN (ÿ¿û^H)
# Date: 2010/09/29 17:37:34

[global]
 workgroup = SRE
 realm = SRE.COM
 security = ADS
 idmap uid = 1-2
 idmap gid = 1-2
 winbind separator = +
 winbind use default domain = Yes

[user1]
 path = /export/home/user1
 valid users = user1, ramana, teju

[ramana]
 path = /export/home/ramana
 valid users = ramana, teju

[teju]
 path = /export/home/teju
 valid users = teju

[ben]
 path = /export/home/ben
 valid users = ben
[user1]
 path = /export/home/user1
 valid users = ben, user1, ramana, teju*


And Kerberos file: krb5.conf


*[libdefaults]
 dns_lookup_realm = false
 default_realm = SRE.COM
 ticket_lifetime = 600
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1

#[kdc]
#profile = /krb5/var/krb5kdc/kdc.conf


[logging]
 default = FILE:/usr/local/var/log/kdc.log
 kdc = FILE:/usr/local/var/log/kdc.log
 admin_server = FILE:/usr/local/var/log/adm.log

[realms]
 SRE.COM  = {
 kdc = srec.sre.com:88
 admin_server = srec.sre.com:749
#default_domain = SRE.COM
 }

[domain_realm]
 .sre.com = SRE.COM
 sre.com = SRE.COM

[login]
 krb4_convert = 0*


my need is,suppose ben is a user common to unix and windows..
when i login as ben through a windows machine,want to access the shared
folder for ben in Unix.(without giving password for ben)

another thing is when we change the password or username in Active
Directory,it also affect the same user in the unix

that means suppose i changes the user ben to ben1,and password...the changes
must be written in the /etc/passwd and shadow file..

is there any way to do this..i a beginner to this.so please give me good
advice


Thanks
Ben.T.George
   




[Samba] manage user for samba shares from mmc

2010-09-30 Thread Sebastian.Perkins
Hello,

Following a previous question, I want to know if it is possible to get the unix 
users in a Microsoft mmc share window.

My config:
Debian lenny or squeeze
Samba : Security=user

Acls have been enabled in a mounted xfs partition.

So far from the mmc :
 - I can access the shares,
 - I can put acls on the shares folders and subfolders.

But when I want to access the unix accounts through the user section of the mmc 
nothing is found (I have tried all sorts of ways to get users !).

I have tried this on debian squeeze and lenny but same problem exists. It's a 
pity because the QNAP we have here (using linux + samba) works exactly like 
this with minimal smb.conf and no fancy winbind ldap...

Thanks for any help or information.

Best Regards,

Sebastian Perkins



[Samba] help with AD integration

2010-09-30 Thread Ben George
HI

My name is Ben.T.George.

i followed http://www.edsiohio.com/images/advanced-AD-2009-05-18.pdf this
tutorial


my current status is .i successfully joined to the AD


*bash-3.00# ./net ads join -U administrator
Enter administrator's password:
Using short domain name -- SRE
Joined 'SUN1' to realm 'sre.com'*

and Wbinfo shows the users and groups from the AD

*bash-3.00# ./wbinfo -u
SUN1+ramana
SUN1+user1
SUN1+ben
administrator
guest
support_388945a0
krbtgt
teju
ben
ramana*

*bash-3.00# ./wbinfo -g
helpservicesgroup
telnetclients
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
dnsadmins
dnsupdateproxy*

then i checked the AD,the Sun1 is listed under the computer tab.

That means my connection side is success na..?

this is my smb.conf file

*# Samba config file created using SWAT
# from UNKNOWN (ÿ¿û^H)
# Date: 2010/09/29 17:37:34

[global]
workgroup = SRE
realm = SRE.COM 
security = ADS
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind use default domain = Yes

[user1]
path = /export/home/user1
valid users = user1, ramana, teju

[ramana]
path = /export/home/ramana
valid users = ramana, teju

[teju]
path = /export/home/teju
valid users = teju

[ben]
path = /export/home/ben
valid users = ben
[user1]
path = /export/home/user1
valid users = ben, user1, ramana, teju*


And Kerberos file: krb5.conf


*[libdefaults]
dns_lookup_realm = false
default_realm = SRE.COM 
ticket_lifetime = 600
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1

#[kdc]
#profile = /krb5/var/krb5kdc/kdc.conf


[logging]
default = FILE:/usr/local/var/log/kdc.log
kdc = FILE:/usr/local/var/log/kdc.log
admin_server = FILE:/usr/local/var/log/adm.log

[realms]
SRE.COM  = {
kdc = srec.sre.com:88
admin_server = srec.sre.com:749
#default_domain = SRE.COM 
}

[domain_realm]
.sre.com = SRE.COM 
sre.com = SRE.COM 

[login]
krb4_convert = 0*


my need is,suppose ben is a user common to unix and windows..
when i login as ben through a windows machine,want to access the shared
folder for ben in Unix.(without giving password for ben)

another thing is when we change the password or username in Active
Directory,it also affect the same user in the unix

that means suppose i changes the user ben to ben1,and password...the changes
must be written in the /etc/passwd and shadow file..

is there any way to do this..i a beginner to this.so please give me good
advice


Thanks
Ben.T.George




Re: [Samba] Problems joining a samba domain with windows 7

2010-09-30 Thread John Drescher
On Thu, Sep 30, 2010 at 8:06 AM, John Drescher  wrote:
> On Thu, Sep 30, 2010 at 3:50 AM, Claudio Prono  
> wrote:
>> Hello all,
>>
>> I am doing some tests with Windows 7 and a Samba Domain, but into a
>> working SAMBA domain, where windows XP joins without problems, when i
>> try with 7 i receive an error like "The trust relationship between this
>> workstation and the primary domain failed.". I use OpenSuSE 11.3 with
>> samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.
>>
>
> Have you applied the registry patch on the windows 7 machine from the
> samba wiki?
>
> http://wiki.samba.org/index.php/Windows7

Sorry I see that you did that. Do you have only 1 domain controller?
Or to get to the point. Are all domain controllers 3.3 or higher and
have you restarted them all after the update?

John


Re: [Samba] Problems joining a samba domain with windows 7

2010-09-30 Thread John Drescher
On Thu, Sep 30, 2010 at 3:50 AM, Claudio Prono  wrote:
> Hello all,
>
> I am doing some tests with Windows 7 and a Samba Domain, but into a
> working SAMBA domain, where windows XP joins without problems, when i
> try with 7 i receive an error like "The trust relationship between this
> workstation and the primary domain failed.". I use OpenSuSE 11.3 with
> samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.
>

Have you applied the registry patch on the windows 7 machine from the
samba wiki?

http://wiki.samba.org/index.php/Windows7

John


Re: [Samba] Samba4 DC GPO Problem

2010-09-30 Thread Bates, Michael J
I fixed it. The GPMC could not access the sysvol share and upon further
investigation no shares could be accessed. I had to start samba server with
samba -M single, and once i did this I could access shares and GPMC worked.

Michael



On Thu, Sep 30, 2010 at 8:19 PM, Bates, Michael J wrote:

> Hey,
> I recently setup a Samba4 Domain Controller and it has been successful
> except for one thing. I cannot create or modify any GPOs in the Group Policy
> Management Console (Windows 7). Whenever I try I just get the error "An
> Internal error has occurred." Nothing happens in
> /usr/local/samba/var/samba.log.
>
> I am using Debian 5.
>
> Can anyone point me in the right direction?
>
> Thanks,
> Michael
>


Re: [Samba] help with user permissions

2010-09-30 Thread Philippe LeCavalier
On Tue, 2010-09-28 at 21:07 +0300, Ben George wrote:

> Thanks for your reply..
> 
> yea i also want that same thing..give permission to that listed users only..
> 
> but when i checked that 3 folders in windows pc.,,only one folder can
> accessible without password
> 
> and when i try to access the other 2 folder's,,it says that network not
> reachable..u don't have permission to access this network...like that...

Windows XP will not allow you to access shares using different
credentials within the same session. You have one chance at entering
different credentials than the ones you entered when you first logged
in. After that Windows sends those without asking for different ones.

Phil

> 
> 
> 
> 
> On Tue, Sep 28, 2010 at 8:58 PM, Dale Schroeder <
> d...@briannassaladdressing.com> wrote:
> 
> >  Ben,
> >
> > If I understand you correctly, you are describing expected behavior.  Using
> > "valid users" means only
> > the users listed can access that share.  If you want all the users to have
> > access, don't use "valid users".
> >
> > Dale
> >
> > valid users (S)
> >
> > This is a list of users that should be allowed to login to this service.
> > Names starting with '@', '+' and '&' are interpreted using the same rules as
> > described in the *invalid users* parameter.
> >
> > If this is empty (the default) then any user can login. If a username is in
> > both this list and the *invalid users* list then access is denied for that
> > user.
> >
> > The current servicename is substituted for *%S*. This is useful in the
> > [homes] section.
> >
> > Default: *valid users = # No valid users list (anyone can login) *
> >
> > Example: *valid users = greg, @pcusers *
> >
> >
> > On 09/28/2010 10:22 AM, Ben George wrote:
> >
> > Hi
> >
> > My Name is Ben.T.George
> >
> > i successfully installed samba and other all dependencies on my Solaris 10
> > (SPARC) machine.
> >
> > i stopped the default samba and swat and enabled these 2 from the installed
> > location (/usr/local/samba/sbin)
> >
> > then i edited the smb.conf using swat.after that i got a smb.conf like this\
> >
> >
> > # Samba config file created using SWAT
> > # from UNKNOWN (ÿ¿û )
> > # Date: 2010/09/28 16:30:12
> >
> > [global]
> > workgroup = GROUP
> > hosts allow = 192.168.1.
> >
> > [user1]
> > path = /export/home/user1
> > valid users = user1
> >
> > [ramana]
> > path = /export/home/ramana
> > valid users = ramana
> >
> > [teju]
> > path = /export/home/teju
> > valid users = teju
> > [user1]
> > path = /export/home/user1
> > valid users = user1
> >
> > after that i created these 3 user's and set password (smbpassword and normal
> > password)
> >
> > then i added one windows xp machine to this same GROUP,i can view these
> > shared folders there
> >
> > then my problem is when i access that particular shared folders,every time
> > one folder opens,when i try to access other 2 ,it says not accessible
> >
> > after that i tried to create these same users on windows,i logged another
> > user and tried,,then the folder permission changed
> > still i can access another folder and other 2 are not accessible..
> >
> > every time these changed according to the user.
> >
> > please help me to solve these. Without giving "valid users" it works
> > perfect for me
> >
> > please
> >
> >
> > Thanks
> > Ben.T.George
> >
> >

[Samba] Samba4 DC GPO Problem

2010-09-30 Thread Bates, Michael J
Hey,
I recently setup a Samba4 Domain Controller and it has been successful
except for one thing. I cannot create or modify any GPOs in the Group Policy
Management Console (Windows 7). Whenever I try I just get the error "An
Internal error has occurred." Nothing happens in
/usr/local/samba/var/samba.log.

I am using Debian 5.

Can anyone point me in the right direction?

Thanks,
Michael


Re: [Samba] Problem when "valid users" is used

2010-09-30 Thread Harry Jede
On Thursday, 30 September 2010, Arnaud BLONDEL - Alter Way Solutions wrote:
> On 30/09/2010 10:46, Harry Jede wrote:
> > Try to run the same search as Samba does:
> >
> > ldapsearch -s sub -b "ou=Groups,dc=company,dc=com"
> > "(&(objectClass=sambaGroupMapping)(|
> > (displayName=Developpeurs)(cn=Developpeurs)))"
>
> ldapsearch -x -s sub -b 'ou=Groups,dc=company,dc=com'
> "(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))"
>
> dn: cn=Developpeurs,ou=Groups,dc=company,dc=com
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Developpeurs
> gidNumber: 1005
> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015
> sambaGroupType: 2
> displayName: Developpeurs
> description: Le groupe des programmeurs
> memberUid: test
> ...
> ...
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> > Samba finds this SID S-1-5-21-1003513250-1319205365-1235820382-1015
> > for your group, but according to your ldif, the SID for
> > Developpeurs is:
> > S-1-5-21-1003513250-1319205365-1235820382-101
> >
> > So you may have a duplicate entry :-( .
>
> Output is wrong, SID is
> S-1-5-21-1003513250-1319205365-1235820382-1015
OK, looks like a "copy and paste error" :-(

Look at the next error message:
(S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --

Look up the SIDs of your Server and Domain

net getlocalsid
net getdomainsid

-- 

Regards
Harry Jede
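
Added example (not part of the original thread and not Samba code): the check
suggested above, comparing the domain part of each sambaSID in the ldapsearch
output with the SID reported by "net getlocalsid" / "net getdomainsid", and also
looking for the duplicate SIDs mentioned earlier. The server SID below is a
constructed placeholder, since the thread never shows the real one; the function
names are hypothetical.

```python
import base64
import re

# Constructed sample in the format printed by `net getlocalsid`; the thread never
# shows the real value, so this SID is a placeholder.
SAMPLE_NET_OUTPUT = "SID for domain SERVER is: S-1-5-21-1111111111-2222222222-3333333333\n"

# Constructed from the entries quoted in the thread (one value folded, as LDIF allows).
SAMPLE_LDIF = """\
dn: cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-
 1235820382-1015
memberUid: test

dn: uid=test,ou=People,dc=company,dc=com
objectClass: sambaSamAccount
uid: test
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009

# search result
search: 2
result: 0 Success
"""

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Split an account SID into (domain SID, RID); RID is None for a bare domain SID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    domain = "S-1-5-21-" + "-".join(m.group(1, 2, 3))
    rid = int(m.group(4)) if m.group(4) is not None else None
    return domain, rid


def parse_net_sid_output(text):
    """Return {name: SID} from 'SID for domain NAME is: S-...' lines."""
    pattern = r"SID for (?:domain|local machine) (\S+) is: (S-[\d-]+)"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, text)}


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 values."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():              # blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # ldapsearch comment lines
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_sids(ldif_text, domain_sid):
    """Report (dn, sid, reason) for SIDs outside domain_sid, malformed, or duplicated."""
    findings, seen = [], {}
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry or "sambasid" not in entry:
            continue                      # skips the trailing "search/result" block
        dn, sid = entry["dn"][0], entry["sambasid"][0]
        try:
            entry_domain, _rid = split_sid(sid)
        except ValueError:
            findings.append((dn, sid, "malformed"))
            continue
        if entry_domain != domain_sid:
            findings.append((dn, sid, "foreign-domain"))
        if sid in seen:
            findings.append((dn, sid, f"duplicate-of {seen[sid]}"))
        else:
            seen[sid] = dn
    return findings


if __name__ == "__main__":
    server_sid = parse_net_sid_output(SAMPLE_NET_OUTPUT)["SERVER"]
    for dn, sid, reason in audit_sids(SAMPLE_LDIF, server_sid):
        print(f"{reason}: {dn} ({sid})")
```

An entry reported as foreign-domain is one whose SID prefix differs from the
SID passed in, which is the condition to check for when the log says
"not in our domain -- ignoring".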


Re: [Samba] Problem when "valid users" is used

2010-09-30 Thread Arnaud BLONDEL - Alter Way Solutions

On 30/09/2010 10:46, Harry Jede wrote:

Try to run the same search as Samba does:

ldapsearch -s sub -b "ou=Groups,dc=company,dc=com" 
"(&(objectClass=sambaGroupMapping)(|
(displayName=Developpeurs)(cn=Developpeurs)))"



ldapsearch -x -s sub -b 'ou=Groups,dc=company,dc=com' 
"(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))"


dn: cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015
sambaGroupType: 2
displayName: Developpeurs
description: Le groupe des programmeurs
memberUid: test
...
...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1



Samba finds this SID S-1-5-21-1003513250-1319205365-1235820382-1015 for your 
group, but
according to your ldif, the SID for Developpeurs is:
S-1-5-21-1003513250-1319205365-1235820382-101

So you may have a duplicate entry :-( .



Output is wrong, SID is S-1-5-21-1003513250-1319205365-1235820382-1015


> SAMBA : Version 3.3.2

Re: [Samba] Problem when "valid users" is used

2010-09-30 Thread Harry Jede
On Wednesday, 29 September 2010, Arnaud BLONDEL - Alter Way Solutions wrote:
> Hi,
>
> When I use "valid users" in smb.conf to limit access on my share, I
> have this message with smbclient :
>
>
> [global]
>
> workgroup = MYDOM
> domain master   = no
> local master= no
> security= user
> passdb backend  = ldapsam:ldap://x.x.x.x:389
> ldap admin dn   = cn=admin,dc=company,dc=com
> ldap suffix = dc=company,dc=com
> ldap user suffix= ou=People
> ldap group suffix   = ou=Groups
> ldap idmap suffix   = ou=Idmap
> ldap machine suffix = ou=Computers
> ...
>
> [Images]
>   ...
>   valid users = @Developpeurs
>   ...
>
>
> # smbclient //x.x.x.x/Images -U test
> Enter test's password:
> Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
>
> I have this log :
>
> 2010/09/29 16:19:03,  3] lib/util_sid.c:string_to_sid(228)
>string_to_sid: Sid @Developpeurs does not start with 'S-'.
> [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(425)
>Unable to get default yp domain, let's try without specifying it
> [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(429)
>looking for user test of domain (ANY) in netgroup Developpeurs
> [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(445)
>looking for user test of domain (ANY) in netgroup Developpeurs
> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
>lookup_name: SERVER\Developpeurs => SERVER (domain), Developpeurs
> (name) [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
> lookup_name: flags = 0x077
> [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:push_sec_ctx(224)
>push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/09/29 16:19:03,  3] smbd/uid.c:push_conn_ctx(388)
>push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:set_sec_ctx(324)
>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/29 16:19:03,  5] auth/token_util.c:debug_nt_user_token(522)
>NT user token: (NULL)
> [2010/09/29 16:19:03,  5]
> auth/token_util.c:debug_unix_user_token(548) UNIX token of user 0
>Primary group is 0 and contains 0 supplementary groups
> [2010/09/29 16:19:03,  5] lib/smbldap.c:smbldap_search_ext(1205)
>smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter
> =>
> [(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))], scope => [2]
> [2010/09/29 16:19:03,  2]
> passdb/pdb_ldap.c:init_group_from_ldap(2348) init_group_from_ldap:
> Entry found for group: 1005
> [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
>pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
>Found group Developpeurs
Try to run the same search as Samba does:

ldapsearch -s sub -b "ou=Groups,dc=company,dc=com" 
"(&(objectClass=sambaGroupMapping)(|
(displayName=Developpeurs)(cn=Developpeurs)))"

> (S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --
> ignoring.lookup_name: Unix Group\Developpeurs => Unix Group (domain),
> Developpeurs (name)
Samba finds this SID S-1-5-21-1003513250-1319205365-1235820382-1015 for your 
group, but 
according to your ldif, the SID for Developpeurs is: 
S-1-5-21-1003513250-1319205365-1235820382-101

So you may have a duplicate entry :-( .

> [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
>lookup_name: flags = 0x077
> [2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
>User test not in 'valid users'
> [2010/09/29 16:19:03,  2]
> smbd/service.c:create_connection_server_info(663) user 'test' (from
> session setup) not permitted to access this share (Images)
> [2010/09/29 16:19:03,  0] smbd/service.c:make_connection_snum(744)
>create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>
>
> I use /etc/nsswitch to get users and groups from LDAP
>
> User "test" is in Developpeurs group :
>
> # id anisimov
> uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain
> Users),1005(Developpeurs)
>
>
> In LDAP :
>
> cn=Developpeurs,ou=Groups,dc=company,dc=com
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Developpeurs
> gidNumber: 1005
> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101
> ...
> memberUid: test
> ...
>
> and :
>
> uid=test,ou=People,dc=company,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> ...
> givenName: anisimov
> uid: anisimov
> uidNumber: 1009
> gidNumber: 513
> sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
> ...
>
>
> Where is the problem ?
>
>
> SAMBA : Version 3.3.2



-- 

Regards
Harry Jede

[Samba] Reject machine password change & reject auth request from client ... related?

2010-09-30 Thread Martin Hochreiter

 Hi!

We are still suffering from that "Rejecting auth request from client" with our
Windows 7 machines, and additionally have the problem that Windows 7 machines
are randomly losing their trustship.

May it be that both topics are related, that Windows 7 simply cannot
set a proper machine account password from the domain join on and loses
trustship if it tries to change the password ...?


regards

martin




Both issues:

**

I have samba 3.5.4 on an Ubuntu 8.04 running with windows 7 clients.
(ldapsam as background tdb)

I do have log entries of some machines in my samba log:


/netlogon_creds_server_check failed. Rejecting auth request from client
X machine account X$/

The user working on the machine does not seem affected in any way by
that "problem", but it would be interesting to know
how to solve that (those machines still have that behaviour after an unjoin
and rejoin of the domain - as I thought it would
be helpful to set the password again)

Can somebody give me a hint please?

regards
martin



***

On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:


We are observing the following phenomenon: After 30 days our Windows 7
clients lose their trust relationship with the samba domain. We think
that the automatic machine password change on these clients fails.


I posted a message about the very same problem on July 15.

I think it does not always happen after 30 days (or whatever the change 
interval is set to), but only occurs when the machine password change 
time has arrived and the computer is on, but no one is logged on 
(i.e. the login box is shown).


Since we are only starting to deploy Windows 7, we simply turned the 
machine password change off in the registry of our imaged installation 
and the few real installations. We had no more problems afterwards.



There are three ways to change the machine password behavior:

Client-Registry:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
DisablePasswordChange = dword:1

or

Client-Registry:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
MaximumPasswordAge = dword:100

or

Server-Registry (if you have a Windows server)
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
RefusePasswordChange = dword:1

With Samba + OpenLDAP, set
sambaRefuseMachinePwdChange = 1
in the sambaDomainName= entry.

Peter


Re: [Samba] Problem when "valid users" is used

2010-09-30 Thread Arnaud BLONDEL - Alter Way Solutions

I add "loglevel 768" into slapd.conf and I have this in my sulog file :


Sep 30 09:37:19  slapd[23852]: conn=2110 op=47 SRCH 
base="dc=company,dc=com" scope=2 deref=0 
filter="(&(objectClass=posixGroup)(uniqueMember=cn=developpeurs,ou=groups,dc=company,dc=com))"

Sep 30 09:37:19  slapd[23852]: conn=2110 op=47 SRCH attr=gidNumber
Sep 30 09:37:19  slapd[23852]: conn=2110 op=47 SEARCH RESULT tag=101 
err=0 nentries=0 text=



I don't understand why the Developpeurs group is not found here (nentries=0).

# ldapsearch -x -b 'ou=groups,dc=company,dc=com' cn=Developpeurs

return :

cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015
sambaGroupType: 2
displayName: Developpeurs
description: Le groupe des programmeurs
memberUid: test
...

On 29/09/2010 18:59, Allen Chen wrote:

Arnaud BLONDEL - Alter Way Solutions wrote:

Hi,

When I use "valid users" in smb.conf to limit access on my share, I
have this message with smbclient :


[global]

workgroup = MYDOM
domain master = no
local master = no
security = user
passdb backend = ldapsam:ldap://x.x.x.x:389
ldap admin dn = cn=admin,dc=company,dc=com
ldap suffix = dc=company,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers


[Images]
...
valid users = @Developpeurs
...


# smbclient //x.x.x.x/Images -U test
Enter test's password:
Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
tree connect failed: NT_STATUS_ACCESS_DENIED


I have this log :

2010/09/29 16:19:03, 3] lib/util_sid.c:string_to_sid(228)
string_to_sid: Sid @Developpeurs does not start with 'S-'.
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(425)
Unable to get default yp domain, let's try without specifying it
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(429)
looking for user test of domain (ANY) in netgroup Developpeurs
[2010/09/29 16:19:03, 5] smbd/password.c:user_in_netgroup(445)
looking for user test of domain (ANY) in netgroup Developpeurs
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
lookup_name: SERVER\Developpeurs => SERVER (domain), Developpeurs (name)
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
lookup_name: flags = 0x077
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/29 16:19:03, 3] smbd/uid.c:push_conn_ctx(388)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/29 16:19:03, 5] auth/token_util.c:debug_nt_user_token(522)
NT user token: (NULL)
[2010/09/29 16:19:03, 5] auth/token_util.c:debug_unix_user_token(548)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2010/09/29 16:19:03, 5] lib/smbldap.c:smbldap_search_ext(1205)
smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter =>
[(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))],
scope => [2]
[2010/09/29 16:19:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
init_group_from_ldap: Entry found for group: 1005
[2010/09/29 16:19:03, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
Found group Developpeurs
(S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --
ignoring.lookup_name: Unix Group\Developpeurs => Unix Group (domain),
Developpeurs (name)
[2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
lookup_name: flags = 0x077
[2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
User test not in 'valid users'
[2010/09/29 16:19:03, 2]
smbd/service.c:create_connection_server_info(663)
user 'test' (from session setup) not permitted to access this share
(Images)
[2010/09/29 16:19:03, 0] smbd/service.c:make_connection_snum(744)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED


I use /etc/nsswitch to get users and groups from LDAP

User "test" is in Developpeurs group :

# id anisimov
uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain
Users),1005(Developpeurs)


In LDAP :

cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101

memberUid: test


and :

uid=test,ou=People,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount

givenName: anisimov
uid: anisimov
uidNumber: 1009
gidNumber: 513
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009



Where is the problem ?


SAMBA : Version 3.3.2

Are you talking about uid=anisimov or uid=test ?




--
Arnaud BLONDEL
Charg

Re: [Samba] Samba 3.5.5 with ldap backend crash slapd 2.4.23 !!!

2010-09-30 Thread Frank Bonnet

Thanks for your answer , but I cannot stop those production servers
to reproduce the bug !



On 09/29/2010 02:42 PM, Pierangelo Masarati wrote:

Frank Bonnet wrote:

Hello

We use here Openldap 2.4.23 server running on a FreeBSD 8.1 server
compiled on the server from the FreeBSD ports. It runs well since
weeks.

We also use a Samba server 3.5.2 with ldap backend on a Linux
Debian Lenny server compiled from source on the server, everything
was running well ...

Last Monday I decided to upgrade the Samba server to the latest
"Stable" release ( 3.5.5 ) then the nightmare begins ...

Few minutes after I restart ( reboot the server ) the samba server
the slapd daemon violently crashed.

After few restart it was still the same :

slapd works well if samba is stopped , Linux clients can authenticate
without problem, if I start samba daemons , windows clients begin
to connect and after few seconds slapd crash ...


You should file an ITS  after collecting
the information described here
.

p.



Re: [Samba] Problem when "valid users" is used

2010-09-30 Thread Arnaud BLONDEL - Alter Way Solutions

Same problem with :

valid users = @"MYDOM\Developpeurs"


 string_to_sid: Sid @MYDOM\Developpeurs does not start with 'S-'.
[2010/09/30 09:08:17,  5] smbd/password.c:user_in_netgroup(425)
  Unable to get default yp domain, let's try without specifying it
[2010/09/30 09:08:17,  5] smbd/password.c:user_in_netgroup(429)
  looking for user test of domain (ANY) in netgroup MYDOM\Developpeurs
[2010/09/30 09:08:17,  5] smbd/password.c:user_in_netgroup(445)
  looking for user test of domain (ANY) in netgroup MYDOM\Developpeurs
[2010/09/30 09:08:17, 10] passdb/lookup_sid.c:lookup_name(69)
  lookup_name: MYDOM\Developpeurs => MYDOM (domain), Developpeurs (name)
[2010/09/30 09:08:17, 10] passdb/lookup_sid.c:lookup_name(70)
  lookup_name: flags = 0x077
[2010/09/30 09:08:17, 10] passdb/util_wellknown.c:lookup_wellknown_name(151)
  map_name_to_wellknown_sid: looking up Developpeurs
[2010/09/30 09:08:17,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/30 09:08:17,  3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/30 09:08:17,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/30 09:08:17,  5] auth/token_util.c:debug_nt_user_token(522)
  NT user token: (NULL)
[2010/09/30 09:08:17,  5] auth/token_util.c:debug_unix_user_token(548)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/09/30 09:08:17,  5] lib/smbldap.c:smbldap_search_ext(1205)
  smbldap_search_ext: base => [ou=Groups,dc=company,dc=com], filter => 
[(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))], 
scope => [2]

[2010/09/30 09:08:17,  2] passdb/pdb_ldap.c:init_group_from_ldap(2348)
  init_group_from_ldap: Entry found for group: 1005
[2010/09/30 09:08:17,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/30 09:08:17, 10] passdb/passdb.c:lookup_global_sam_name(620)
  Found group Developpeurs 
(S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain -- 
ignoring.User test not in 'valid users'

[2010/09/30 09:08:17,  2] smbd/service.c:create_connection_server_info(663)
  user 'test' (from session setup) not permitted to access this share 
(Images)

[2010/09/30 09:08:17,  0] smbd/service.c:make_connection_snum(744)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/09/30 09:08:17,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/reply.c(724) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED



On 30/09/2010 01:51, John H Terpstra wrote:

On 09/29/2010 12:32 PM, Arnaud BLONDEL - Alter Way Solutions wrote:

Copy and paste are wrong but I have this problem with all users.

I don't understand the first error : "string_to_sid: Sid @Developpeurs
does not start with 'S-'"

On 29/09/2010 18:59, Allen Chen wrote:


Are you talking about uid=test or uid=test ?





Please specify the "valid user" parameters as shown here:

Either:
valid users = @"Company\Developpeurs"

Or as:
valid users = @%D\Developpeurs

Cheers,
John T.



--
Arnaud BLONDEL
Project Manager
ALTER WAY SOLUTIONS - Nord

TD: + 33 (0)3 22 84 04 07
FD: + 33 (0)3 22 84 00 73

44, rue Saint Fursy
80200 PERONNE
www.alterway.fr


[Samba] Problems joining a samba domain with windows 7

2010-09-30 Thread Claudio Prono
Hello all,

I am doing some tests with Windows 7 and a Samba Domain, but into a
working SAMBA domain, where windows XP joins without problems, when i
try with 7 i receive an error like "The trust relationship between this
workstation and the primary domain failed.". I use OpenSuSE 11.3 with
samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.

My config of samba:

[global]
workgroup = MEDIATEST.LOCAL
netbios name = MEDIADC
map to guest = Bad User
passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
log level = 2
printcap name = cups
add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
add group script = /usr/sbin/ldapsmb -a -g "%g" -f
delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
add machine script = "/usr/sbin/ldapsmb -a -i -wks %u -f"
logon path = \\afs\mediaservice-test.pri\users\%U\.msprofile
logon drive = P:
logon home = \\afs\mediaservice-test.pri\%U\.9xprofile
domain logons = Yes
os level = 99
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=mediaservice-test,dc=pri
ldap ssl = no
ldap user suffix = ou=people
usershare allow guests = Yes
idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No

[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root

I have modified this registry keys on Windows 7 with no luck:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters
DWORD RequireSignOrSeal = 1
DWORD RequireStrongKey = 1

I have also tried to sync the date and time of the server and the client
with the same timeserver.

Here is the smb log:

[2010/09/29 16:00:12.002747,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/29 16:00:12.050876,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/29 16:00:12.051737,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/29 16:00:12.055201,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pasquale-nb$
[2010/09/29 16:00:12.058927,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [PASQUALE-NB$] ->
[PASQUALE-NB$] -> [pasquale-nb$] succeeded
[2010/09/29 16:00:54.035612,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2010/09/29 16:00:54.036172,  0]
lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
peer.
[2010/09/29 16:01:37.612787,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/29 16:01:37.614813,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/29 16:01:37.615403,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/29 16:01:37.628754,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: p