[Samba] Windows prompt for password complexity
Hi all,

I've successfully configured Samba as PDC using LDAP. All is working very fine, but when the user password expires and the new password that the user typed does not meet the complexity check made by check password script, I need to give him a custom change password message (based on my own criterion). check password script cannot do more than return status 0 or != 0 to tell Samba about the check result. It would be nice if this could return the custom error message to Samba, so it could tell the user properly. Is there some way to customize this message?

Thank you,
Tom Lobato

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
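As an added example (not the poster's script and not part of Samba), a minimal check password script that applies a length and character-class policy and reports the result only through its exit status, which is all Samba reads; the policy values and the file name check_password.sh are assumptions:

```shell
#!/bin/sh
# Added example, not from the original post. Samba writes the candidate
# password to this script's stdin and looks only at the exit status:
# 0 accepts the password, anything else rejects it. The reasons written to
# stderr land in the server log for the admin; the user still sees Samba's
# generic failure message, which is the limitation the post describes.

MIN_LEN=8            # assumed site policy; adjust to your own criteria

# check_complexity PASSWORD -> 0 if the password meets the policy, 1 otherwise
check_complexity() {
    pw=$1
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "rejected: shorter than $MIN_LEN characters" >&2
        return 1
    fi
    case $pw in *[[:upper:]]*) ;; *) echo "rejected: no uppercase letter" >&2; return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "rejected: no lowercase letter" >&2; return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "rejected: no digit" >&2; return 1 ;; esac
    return 0
}

# Entry point when Samba runs the file, saved as check_password.sh and
# referenced from smb.conf as:  check password script = /path/check_password.sh
case $0 in
    *check_password.sh)
        IFS= read -r candidate      # password arrives on stdin, newline-terminated
        check_complexity "$candidate"
        exit $?
        ;;
esac
```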
Re: [Samba] Windows prompt for password complexity
Sorry, forgot something: I'm running Ubuntu 10.04 and Samba 3.4.7~dfsg-1ubuntu3.5.

On 24-04-2011 13:26, Tom Lobato wrote:
> Hi all,
>
> I've successfully configured Samba as PDC using LDAP. All is working very fine, but when the user password expires and the new password that the user typed does not meet the complexity check made by check password script, I need to give him a custom change password message (based on my own criterion). check password script cannot do more than return status 0 or != 0 to tell Samba about the check result. It would be nice if this could return the custom error message to Samba, so it could tell the user properly. Is there some way to customize this message?
>
> Thank you,
> Tom Lobato
[Samba] Using groups with windows
Hi,

we are using Samba with LDAP for our PDC. And I was told by another admin that when you use a Windows server, you can only get the Domain Users and Domain Admins groups from the Samba/LDAP PDC. So I tried to add a group, which I know exists on the server, to my Windows server, but Windows couldn't find it. Is there a way to make other groups than Domain Users and Domain Admins usable under Windows?

Regards,
adura
Re: [Samba] Using groups with windows
On 4/24/2011 12:45 PM, A.Dura wrote:
> Hi,
>
> we are using Samba with LDAP for our PDC. And I was told by another admin that when you use a Windows server, you can only get the Domain Users and Domain Admins groups from the Samba/LDAP PDC. So I tried to add a group, which I know exists on the server, to my Windows server, but Windows couldn't find it. Is there a way to make other groups than Domain Users and Domain Admins usable under Windows?
>
> Regards,
> adura

Which version of Samba are you using?

I was able to get quite a few groups out of LDAP from Samba4, but I had to add these entries to my ldap.conf:

    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member

I also needed to add a GID and a password value into the sam.ldb entries that I wanted to flow. In the end I found that some groups hung (not sure why) and the setup caused problems when I installed software (because groupadd doesn't work right). So I turned off getting groups from LDAP. I am getting my users from LDAP and this works well (except I can't get SSL to work).

If you are using Samba3 there are lots of guides on how to do it...
Re: [Samba] ldapsearch with samba4 (now a question about SASL and ldaps)
On 4/23/2011 2:34 PM, Andrew Dumaresq wrote:

Hi,

I've got ldapsearch mostly working:

    root@morannon:/usr/local/samba/private/tls# ldapsearch '(sAMAccountName=dumaresq)'
    SASL/GSSAPI authentication started
    SASL username: administrator@XXX
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base (default) with scope subtree
    # filter: (sAMAccountName=dumaresq)
    # requesting: ALL
    # results in here...
    # search result
    search: 5
    result: 0 Success
    # numResponses: 2
    # numEntries: 1

I cannot get ldapsearch -Z or ldaps working:

    ldapsearch '(sAMAccountName=dumaresq)' -Z
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

Here is what I get in samba.log when I did that command:

    [2011/04/23 14:29:56, 3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
      ldb_wrap open of secrets.ldb
    [2011/04/23 14:29:56, 3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
      ldb_wrap open of secrets.ldb
    [2011/04/23 14:29:56, 3] ../source4/lib/ldb-samba/ldb_wrap.c:319(ldb_wrap_connect)
      ldb_wrap open of secrets.ldb
    [2011/04/23 14:29:56, 3] ../source4/smbd/service_stream.c:62(stream_terminate_connection)
      Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    [2011/04/23 14:29:56, 3] ../source4/smbd/process_single.c:104(single_terminate)
      single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

I'm not sure where to go from here. I've tried several different options in /etc/ldap/ldap.conf and I always get that error, unless I comment out

    #TLS_REQCERT allow

then I get:

    ldapsearch '(sAMAccountName=dumaresq)' -Z
    ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1
        additional info: (unknown error code)

Update...

I did get ldaps and -Z working, but I can't do it with SASL. I can't find docs that say, but is it possible that SASL (GSSAPI) and ldaps are not compatible?

    ldapsearch -H ldaps://ldapserver.domain -Y GSSAPI
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
        additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used

    dumaresq@morannon:~$ ldapsearch -H ldaps://ldapserver.domain -D 'CN=Administrator,CN=Users,DC=dumaresq,DC=local' -w AdminsPassword '(sAMAccountName=dumaresq)'
    # extended LDIF
    #
    # LDAPv3
    # base (default) with scope subtree
    # filter: (sAMAccountName=dumaresq)
    # requesting: ALL
    # (response in here)
    # numResponses: 2
    # numEntries: 1

So the question is: are SASL and ldaps not compatible, and if that is the case, which is better? I like GSSAPI because I don't need to store passwords on the system, but I'm not clear on how encrypted the data being transmitted is. I did a packet capture and I do see some data that doesn't look like clear text, but that's all I know for sure :)

Comments, suggestions?
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  f7bc844 s3:rpc_client: map fault codes to NTSTATUS with dcerpc_fault_to_nt_status()
       via  e7cf720 s3:winbindd: let winbindd_lookup_names() use dcerpc_binding_handle functions
       via  7309daa s3:winbindd: let winbindd_lookup_sids() dcerpc_binding_handle functions
       via  c0441b1 lib/util: add RBVAL, RBVALS, RSBVAL and RSRBVALS macros
       via  5b32708 s3:includes: simplify INO_T_VAL macros
       via  d7aa2eb s3:includes: simplify BIG_UINT macros
       via  9127e55 s3:smbd/trans2: make use of BVAL() and remove ugly LARGE_SMB_OFF_T ifdef's
      from  fb05e82 Fix license info for talloc in manpage.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit f7bc84409a7a6736ec2cf1110dd7200a954e3b7e
Author: Stefan Metzmacher me...@samba.org
Date:   Sun Apr 24 00:00:40 2011 +0200

    s3:rpc_client: map fault codes to NTSTATUS with dcerpc_fault_to_nt_status()

    Most fault codes have a NTSTATUS representation, so use that.

    This brings the fault handling in common with the source4/librpc/rpc code,
    which makes it possible to share more highlevel code between source3 and
    source4, as the error checking can be the same now.

    metze

    Autobuild-User: Stefan Metzmacher me...@samba.org
    Autobuild-Date: Sun Apr 24 10:44:53 CEST 2011 on sn-devel-104

commit e7cf7204e60552b45952325f343ea894fda21346
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 23:57:19 2011 +0200

    s3:winbindd: let winbindd_lookup_names() use dcerpc_binding_handle functions

    metze

commit 7309daa532c9689d64ce3f33da522f23635213d6
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 23:56:27 2011 +0200

    s3:winbindd: let winbindd_lookup_sids() dcerpc_binding_handle functions

    metze

commit c0441b17e6580de65d87d28bfd9ae72d09a3508f
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 11:01:34 2011 +0200

    lib/util: add RBVAL, RBVALS, RSBVAL and RSRBVALS macros

    They pull and push [u]int64_t values in big endian.

    metze

commit 5b327085775f279976c66cdd5f105132fda0965a
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 11:15:30 2011 +0200

    s3:includes: simplify INO_T_VAL macros

    metze

commit d7aa2eb7b664c10551cb45c36d3b564d829e9d44
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 11:10:05 2011 +0200

    s3:includes: simplify BIG_UINT macros

    metze

commit 9127e555ab043000adc516a9177e43812e52fd4b
Author: Stefan Metzmacher me...@samba.org
Date:   Sat Apr 23 10:30:59 2011 +0200

    s3:smbd/trans2: make use of BVAL() and remove ugly LARGE_SMB_OFF_T ifdef's

    We have relied on uint64_t for a long time now...

    metze

---

Summary of changes:
 lib/util/byteorder.h              |   17 ++---
 source3/include/includes.h        |   15
 source3/lib/netapi/user.c         |    2 +-
 source3/libnet/libnet_join.c      |    2 +-
 source3/rpc_client/cli_pipe.c     |    6 +---
 source3/smbd/trans2.c             |   30 +---
 source3/winbindd/winbindd_cm.c    |    2 +-
 source3/winbindd/winbindd_msrpc.c |   67 +++-
 source3/winbindd/winbindd_pam.c   |   10 +++---
 9 files changed, 72 insertions(+), 79 deletions(-)

Changeset truncated at 500 lines:

diff --git a/lib/util/byteorder.h b/lib/util/byteorder.h
index 59ad837..6bcf71e 100644
--- a/lib/util/byteorder.h
+++ b/lib/util/byteorder.h
@@ -201,18 +201,29 @@ static __inline__ void st_le32(uint32_t *addr, const uint32_t val) #endif /* not CAREFUL_ALIGNMENT */ +/* 64 bit macros */ +#define BVAL(p, ofs) (IVAL(p,ofs) | (((uint64_t)IVAL(p,(ofs)+4)) 32)) +#define BVALS(p, ofs) ((int64_t)BVAL(p,ofs)) +#define SBVAL(p, ofs, v) (SIVAL(p,ofs,(v)0x), SIVAL(p,(ofs)+4,((uint64_t)(v))32)) +#define SBVALS(p, ofs, v) (SBVAL(p,ofs,(uint64_t)v)) + /* now the reverse routines - these are used in nmb packets (mostly) */ #define SREV(x) x)0xFF)8) | (((x)8)0xFF)) #define IREV(x) ((SREV(x)16) | (SREV((x)16))) +#define BREV(x) ((IREV(x)32) | (IREV((x)32))) #define RSVAL(buf,pos) SREV(SVAL(buf,pos)) #define RSVALS(buf,pos) SREV(SVALS(buf,pos)) #define RIVAL(buf,pos) IREV(IVAL(buf,pos)) #define RIVALS(buf,pos) IREV(IVALS(buf,pos)) +#define RBVAL(buf,pos) BREV(BVAL(buf,pos)) +#define RBVALS(buf,pos) BREV(BVALS(buf,pos)) #define RSSVAL(buf,pos,val) SSVAL(buf,pos,SREV(val)) #define RSSVALS(buf,pos,val) SSVALS(buf,pos,SREV(val)) #define RSIVAL(buf,pos,val) SIVAL(buf,pos,IREV(val)) #define RSIVALS(buf,pos,val) SIVALS(buf,pos,IREV(val)) +#define RSBVAL(buf,pos,val) SBVAL(buf,pos,BREV(val)) +#define RSBVALS(buf,pos,val) SBVALS(buf,pos,BREV(val)) /* Alignment macros. */ #define ALIGN4(p,base) ((p) + ((4 - (PTR_DIFF((p), (base)) 3)) 3)) @@ -222,10 +233,4 @@ static __inline__ void st_le32(uint32_t
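Review bot: the commit subject for c0441b1 (and the shortlog entry above) names RSRBVALS among the new macros, but the hunk defines RSBVALS (`+#define RSBVALS(buf,pos,val) SBVALS(buf,pos,BREV(val))`) and no RSRBVALS appears; the subject should name the macro that was actually added. As extracted here, the new 64-bit macros have lost their shift and mask operators (`+#define SBVAL(p, ofs, v) (SIVAL(p,ofs,(v)0x), SIVAL(p,(ofs)+4,((uint64_t)(v))32))` shows an empty mask literal and a bare `32`, and `#define SREV(x) x)0xFF)8) | (((x)8)0xFF))` has the same damage), so the shift widths and the low-word mask cannot be verified from this copy and should be checked against the repository. Defining BVAL/SBVAL after `#endif /* not CAREFUL_ALIGNMENT */` and building them on IVAL/SIVAL is the right layering, since whichever IVAL/SIVAL variant the CAREFUL_ALIGNMENT conditional selected is reused rather than duplicated; note that SBVAL is a comma expression performing two stores, so callers must not rely on its value.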