Re: [Samba] ldap sub groups and Samba
On 6/16/2011 16:14, Juan Diego Calle wrote:

> Hi,
>
> I have a RHEL 5.6 server with samba3x-3.5.4-0.70 installed. It acts as a PDC, and it has OpenLDAP on the same server. Everything works fine so far: the Windows XP and Windows 7 machines are inside the domain, and users from the LDAP can log in from their machines.
>
> The thing is that I am trying to create groups, so some users can administer other users, but not all the users. I know that Samba does support administration through usrmng.exe or some other Windows tools, so the Domain Admins should be able to administer all the users. I talked to many people and googled around, and I understood that the Samba schema won't support groups of people that administer some users: either you are a Domain Admin or a Domain User, and Domain Admins have all the administrative privileges. Maybe I am wrong. I tried using usrmng.exe and some other tools on Windows 7 and I couldn't make them work, so I stopped trying to manage the users through any Windows tools.
>
> Is it possible to use Domain Admins to manage only some groups?
>
> Because everyone told me that the above is not possible, I tried another approach, with OpenLDAP, phpLDAPadmin and ACLs. (I need to have a graphical interface; the people that will manage these groups of users are Windows techs, so anything from the command line like smbldap-tools or anything else seems uber complicated.) I created groups on my OpenLDAP and with ACLs the users were able to administer some users; it still needs more testing.
>
> I was trying to create nested groups with Domain Users and my users, but then I thought of the following. Instead of nested groups, can I create a sub group of Domain Users, and a user that belongs to that group will log on to the domain? I am trying this on a virtual machine, but my Windows 7 machine died, and I haven't been able to test this.
>
> Having a group on my LDAP like this:
>
>     dn: cn=Grupo de Prueba,cn=Domain Users,ou=Group,dc=mydomain,dc=com
>     objectClass: groupOfNames
>     objectClass: top
>     cn: Grupo de Prueba
>     member: uid=prueba,ou=People,dc=mydomain,dc=com
>
> Will the user prueba be able to log on to the Samba domain? Or does the user have to be part of Domain Users directly in order to log on to the domain?
>
> Thanks,
> Juan Diego

There's no reason they can't be domain users also, and just not have any user admins for that group.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
On 6/17/2011 09:46, Aaron E. wrote:

> In the samba share definition you could add
>
>     valid users = +group
>
> This should have the effect you're looking for, if I understand you correctly. If not, my apologies..
>
> On 06/17/2011 12:28 PM, John McNulty wrote:
>
>> Hi. I have some shares on a server that are offered to specific Active Directory user groups, but the business doesn't want those users to be able to login to the server. If I were to add require_membership_of to pam_winbind to limit logins and shut out the users I don't want, would it also have the side effect of denying those users access to the shares as well?
>>
>> Regards,
>> John

I'm suddenly curious about this as well. Please let us know your results!
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
Ah, maybe I'm not being clear enough. I want the AD users to be able to access the shares, but not ssh login to the system, which they can currently. I'm wondering if this is a method I can use to achieve that end, as an alternative to using AllowUsers/AllowGroups in sshd_config or using pam_listfile.

On 17 June 2011 17:46, Aaron E. ssures...@gmail.com wrote:

> In the samba share definition you could add
>
>     valid users = +group
>
> This should have the effect you're looking for, if I understand you correctly. If not, my apologies..
Re: [Samba] Restricting logins using pam_winbind require_membership_of ?
From: John McNulty johnm...@gmail.com
Date: Sat, 18 Jun 2011 15:14:07 +0100

> Ah, maybe I'm not being clear enough. I want the AD users to be able to access the shares, but not ssh login to the system, which they can currently.

How have you configured around winbind? By default, the shell for users created by winbindd is set to /bin/false so they can not login to the system.

---
TAKAHASHI Motonobu mo...@monyo.com / @damemonyo
http://damedame.monyo.com/ / http://facebook.com/monyot
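As an added configuration example that is not from any post in this thread, the following shows how the two controls discussed here stay independent: `valid users` on the share governs SMB access, while pam_winbind's `require_membership_of` and Samba's `template shell` govern PAM logins such as sshd. The domain name `DOMAIN`, the groups `share-users` and `server-admins` and the share path are placeholders, and the example assumes `obey pam restrictions` is left at its default of `no`, so smbd does not run the PAM account stack when authorising share access.

```ini
; /etc/samba/smb.conf (added example; DOMAIN, share-users and
; server-admins are placeholder names)
[global]
   workgroup = DOMAIN
   security = ads
   ; Default shell for users winbindd maps: an ssh session ends at once
   ; because the shell is /bin/false, even though authentication succeeded.
   template shell = /bin/false
   ; Default is "no": smbd authorises share access through winbindd and the
   ; DC and does not run the PAM account stack, so pam_winbind's
   ; require_membership_of (below) has no effect on share access.
   obey pam restrictions = no

[shared]
   path = /srv/shared
   ; SMB access is limited to members of this AD group ("+" = a group name).
   valid users = +DOMAIN\share-users
   read only = no

; /etc/security/pam_winbind.conf (added example)
[global]
   ; PAM logins (sshd, login) via pam_winbind are refused for everyone
   ; outside this group; members of share-users can still reach the
   ; share above but cannot obtain a shell on the server.
   require_membership_of = DOMAIN\server-admins
```

`AllowGroups` in sshd_config, which John mentions, restricts ssh alone, while `require_membership_of` applies to every PAM service that uses pam_winbind.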
Re: [Samba] Fwd: removing windows 2003 from samba4
On 08/06/2011 05:14, Alan wrote:

> Hello Matthieu,
>
>> Did you wait for a couple of minutes (1 or 2 hours maybe) for the sync to settle? Also, did you transfer roles to the samba4 DC? In any case you should restart samba with a higher log level so that we can have more information. If needed, pop up in #samba-technical for more real time support.
>>
>> Matthieu.
>
> I've restarted samba with log level 5; above is what I've seen (the full log is too big). Sync appears to be doing fine, I think:
>
>     /usr/local/samba/sbin/samba_dnsupdate: schema_fsmo_init: we are master: yes
>     Child /usr/local/samba/sbin/samba_spnupdate exited with status 0 - Success
>     Completed SPN update check OK
>     Child /usr/local/samba/sbin/samba_dnsupdate exited with status 0 - Success
>     Completed DNS update check OK
>
> and
>
>     dreplsrv_notify: DsReplicaSync OK for c0f2d2cc-eab6-4704-9046-1b9566ed85e3._msdcs.samba4.casa
>
> If I understood right, my samba already has the right roles too:
>
>     ldb: pdc_fsmo_init: we are master: yes
>     ldb: naming_fsmo_init: we are master: yes

Better try this:

    ./bin/samba-tool fsmo show --url=ldap://127.0.0.1 -U administrator

> and that appeared when I ran dcpromo to remove the Windows DC:
>
>     dreplsrv_periodic_run(): run pending_ops memory=110
>     dreplsrv_periodic_schedule(300) scheduled for: Tue Jun 7 17:16:15 2011 BRT
>     Schema load pass 1: 0/1 of 1 objects left to be converted.
>     ldb: start ldb transaction (nesting: 0)
>     ldb: replmd_extended_replicated_objects ...
>     ldb: replmd_modify
>     ldb: commit ldb transaction (nesting: 1)
>     ldb: commit ldb transaction (nesting: 0)
>     schema_fsmo_init: we are master: yes
>     Replicated 1 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=samba4,DC=casa
>     UpdateRefs failed with WERR_DS_DRA_BUSY/NT code 0xc00020f6 for f34e07bd-b0b9-4398-84ca-b3f030a33ef9._msdcs.samba4.casa CN=Schema,CN=Configuration,DC=samba4,DC=casa
>     dreplsrv_op_pull_source(WERR_DS_DRA_BUSY) for CN=Schema,CN=Configuration,DC=samba4,DC=casa
>     ldb: start ldb transaction (nesting: 0)
>     ldb: objectclass_modify

You say Windows 2003; is it 2003 or 2003r2? We mostly test Windows 2003r2, Windows 2008 and Windows 2008r2. So we might have some corner cases still with Windows 2003 (we had last year with samba joining a Windows 2003 DC domain). Once I have your answer I'll try to set up a domain, join samba, seize roles and try to dcpromo /remove on Windows.

It might not be the best idea, when the other DC is saying that it wants to leave the domain, to try to keep it informed about changes ... If you are in a hurry and you transferred all the roles to samba, you can safely remove the DC by removing the entry in Domain Controllers + the Server entries in the Configuration naming context, but there isn't much interest in doing it, as it will still leave some attributes.

This issue should be solved soon, as we have a couple of patches waiting in the queue for this, but for the moment they are not there ...

Matthieu.

--
Matthieu Patou
Samba Team            http://samba.org
Private repo          http://git.samba.org/?p=mat/samba.git;a=summary
Re: [Samba] Fwd: removing windows 2003 from samba4
2011/6/18 Matthieu Patou m...@samba.org

> Better try this:
>
>     ./bin/samba-tool fsmo show --url=ldap://127.0.0.1 -U administrator

Nice :-)

    root@samba4lab:~# /usr/local/samba/bin/samba-tool fsmo show --url=ldap://127.0.0.1 -U administrator
    Password for [SAMBA4\administrator]:
    InfrastructureMasterRole owner: CN=NTDS Settings,CN=SAMBA4LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=casa
    RidAllocationMasterRole owner: CN=NTDS Settings,CN=SAMBA4LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=casa
    PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SAMBA4LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=casa
    DomainNamingMasterRole owner: CN=NTDS Settings,CN=SAMBA4LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=casa
    SchemaMasterRole owner: CN=NTDS Settings,CN=SAMBA4LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba4,DC=casa

> You say Windows 2003; is it 2003 or 2003r2? We mostly test Windows 2003r2, Windows 2008 and Windows 2008r2. So we might have some corner cases still with Windows 2003 (we had last year with samba joining a Windows 2003 DC domain). Once I have your answer I'll try to set up a domain, join samba, seize roles and try to dcpromo /remove on Windows.
>
> It might not be the best idea, when the other DC is saying that it wants to leave the domain, to try to keep it informed about changes ... If you are in a hurry and you transferred all the roles to samba, you can safely remove the DC by removing the entry in Domain Controllers + the Server entries in the Configuration naming context, but there isn't much interest in doing it, as it will still leave some attributes.
>
> This issue should be solved soon, as we have a couple of patches waiting in the queue for this, but for the moment they are not there ...
>
> Matthieu

I'm using Win 2003, so R2 is more recommended to work with Samba4? (Makes sense, compatibility issues, even M$ products have this :P) I will set up a 2003r2 box to continue running tests (another DC), and wait for those patches (no hurry for that).
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 36e674c s3: Allow NULL sd_size in make_sec_desc from bb66504 s3:modules fix Bug 8244 - Cannot copy files larger than 2 GB to Samba share http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 36e674c134cadd6cce44e11ea9f8b5e7819904f5 Author: Volker Lendecke v...@samba.org Date: Sat Jun 18 09:55:05 2011 +0200 s3: Allow NULL sd_size in make_sec_desc Autobuild-User: Volker Lendecke vlen...@samba.org Autobuild-Date: Sat Jun 18 22:26:15 CEST 2011 on sn-devel-104 --- Summary of changes: libcli/security/secdesc.c | 12 ++-- 1 files changed, 10 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/secdesc.c b/libcli/security/secdesc.c index 5d75f07..2c8fbc5 100644 --- a/libcli/security/secdesc.c +++ b/libcli/security/secdesc.c @@ -173,7 +173,9 @@ struct security_descriptor *make_sec_desc(TALLOC_CTX *ctx, struct security_descriptor *dst; uint32_t offset = 0; - *sd_size = 0; + if (sd_size != NULL) { + *sd_size = 0; + } if(( dst = talloc_zero(ctx, struct security_descriptor)) == NULL) return NULL; @@ -203,6 +205,10 @@ struct security_descriptor *make_sec_desc(TALLOC_CTX *ctx, if(dacl ((dst-dacl = dup_sec_acl(dst, dacl)) == NULL)) goto error_exit; + if (sd_size == NULL) { + return dst; + } + offset = SEC_DESC_HEADER_SIZE; /* @@ -229,7 +235,9 @@ struct security_descriptor *make_sec_desc(TALLOC_CTX *ctx, error_exit: - *sd_size = 0; + if (sd_size != NULL) { + *sd_size = 0; + } return NULL; } -- Samba Shared Repository
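Review bot: the first hunk (@@ -173,7) makes `sd_size` optional but leaves that undocumented; the function's header comment and the prototype in the corresponding header should state that `sd_size` may be NULL and that the descriptor size is then not computed, so existing callers that read `*sd_size` are not surprised. A one-line comment above `if (sd_size != NULL) {` would do.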
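Review bot: the early `return dst;` in the second hunk (@@ -203,6), placed right after the DACL is duplicated, skips everything below it for callers that pass NULL; from the visible context that is only the size computation beginning at `offset = SEC_DESC_HEADER_SIZE;`, but the rest of the function is outside the hunk, so please confirm nothing further down finalises `dst`, and add a comment such as `/* caller does not want the size; dst is complete here */` so that no later edit adds initialisation below this point that NULL callers would silently miss.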