Re: [Samba] login via Samba 4 LDAP
On 29/12/11 19:14, Gémes Géza wrote:
On 2011-12-29 12:56, steve wrote:
On 29/12/11 11:58, Gémes Géza wrote:
On 2011-12-29 10:11, steve wrote:
On 29/12/11 10:00, steve wrote:
On 28/12/11 21:59, Bernd Markgraf wrote:

You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=) and configure nss-ldap to use that keytab for authenticating. Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x)

LDAP works with an anonymous bind. You need the Kerberos keytab for authentication though.

steve@hh3:~ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <DC=hh3,DC=site> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 2020: Operation unavailable without authentication
# numResponses: 1

I found this usage:

samba-tool export keytab PATH_TO_KEYTAB

How can I find my PATH_TO_KEYTAB ?

Thanks

Can't get the syntax right:

samba-tool domain exportkeytab /var/lib/named/master --principal
Usage: samba-tool domain exportkeytab <keytab> [options]
samba-tool domain exportkeytab: error: --principal option requires an argument

samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract

Regards
Geza

Tried:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4

restarted samba but:

su steve4
su: user steve4 does not exist

Am I getting close or should I give up now?!

Steve

You still need to configure nss-ldap to do a kerberized bind. I've found example configurations for nslcd (the daemon part of nss-ldapd, a fork of nss-ldap) at:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html

Regards
Geza

phew. That's a biggie. I have nslcd installed. I've looked at the links and it seems as though I need this in /etc/nslcd.conf

uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know

It's the krb5_ccname I can't get. I have:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ste...@hh3.site

Valid starting     Expires            Service principal
12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/hh3.s...@hh3.site
        renew until 12/31/11 09:27:12

The link you gave suggests:

krb5_ccname /var/run/nslcd/nslcd.tkt

But doesn't say where that came from. Any ideas?

Regards
Steve

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] winbind user mapping problem
Hello list,

I am using Samba + winbind and I have some users that cannot access shares on this server, getting the following error in '/var/log/samba':

[2011/12/30 09:33:08.072315, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:

[2011/12/30 09:32:56.902810, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in nothing, so no mapping, right?

root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:

root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding to idmap parameters:

root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
# idmap uid = 1-20
idmap uid = 10-12
# idmap gid = 30-40
idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service, but nothing seems to help.

Could you please help me on this?

Best regards,
Bruno Martins
Re: [Samba] winbind user mapping problem
Hello,

I think that you need to clean the Winbind database that contains the bridge between UID/GID - SID, and then restart winbind, and it will fill the database again.

On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access shares on this server, getting the following error in '/var/log/samba':

[2011/12/30 09:33:08.072315, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:

[2011/12/30 09:32:56.902810, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in nothing, so no mapping, right?

root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:

root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding to idmap parameters:

root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
# idmap uid = 1-20
idmap uid = 10-12
# idmap gid = 30-40
idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service, but nothing seems to help.

Could you please help me on this?

Best regards,
Bruno Martins
Re: [Samba] winbind user mapping problem
Hello mate,

Thanks for your answer. How can I do that?

I've noticed this:

root@sputnik:/var/lib/samba# wbinfo -u | wc -l
140
root@sputnik:/var/lib/samba# tdbbackup -v winbindd_idmap.tdb
winbindd_idmap.tdb : 521 records

Is this normal? 140 users on AD (seems correct), but 521 mappings?

Best regards,
Bruno Martins

On Fri, Dec 30, 2011 at 11:57 AM, Lantukh Sergey sergey.lant...@docpath.com wrote:

Hello,

I think that you need to clean the Winbind database that contains the bridge between UID/GID - SID, and then restart winbind, and it will fill the database again.

On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access shares on this server, getting the following error in '/var/log/samba':

[2011/12/30 09:33:08.072315, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:

[2011/12/30 09:32:56.902810, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in nothing, so no mapping, right?

root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:

root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding to idmap parameters:

root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
# idmap uid = 1-20
idmap uid = 10-12
# idmap gid = 30-40
idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service, but nothing seems to help.

Could you please help me on this?

Best regards,
Bruno Martins
Re: [Samba] login via Samba 4 LDAP
On 30/12/11 09:38, steve wrote:
On 29/12/11 19:14, Gémes Géza wrote:
On 2011-12-29 12:56, steve wrote:
On 29/12/11 11:58, Gémes Géza wrote:
On 2011-12-29 10:11, steve wrote:
On 29/12/11 10:00, steve wrote:
On 28/12/11 21:59, Bernd Markgraf wrote:

You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=) and configure nss-ldap to use that keytab for authenticating. Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x)

LDAP works with an anonymous bind. You need the Kerberos keytab for authentication though.

steve@hh3:~ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <DC=hh3,DC=site> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 2020: Operation unavailable without authentication
# numResponses: 1

I found this usage:

samba-tool export keytab PATH_TO_KEYTAB

How can I find my PATH_TO_KEYTAB ?

Thanks

Can't get the syntax right:

samba-tool domain exportkeytab /var/lib/named/master --principal
Usage: samba-tool domain exportkeytab <keytab> [options]
samba-tool domain exportkeytab: error: --principal option requires an argument

samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract

Regards
Geza

Tried:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4

restarted samba but:

su steve4
su: user steve4 does not exist

Am I getting close or should I give up now?!

Steve

You still need to configure nss-ldap to do a kerberized bind. I've found example configurations for nslcd (the daemon part of nss-ldapd, a fork of nss-ldap) at:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html

Regards
Geza

phew. That's a biggie. I have nslcd installed. I've looked at the links and it seems as though I need this in /etc/nslcd.conf

uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know

It's the krb5_ccname I can't get. I have:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ste...@hh3.site

Valid starting     Expires            Service principal
12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/hh3.s...@hh3.site
        renew until 12/31/11 09:27:12

The link you gave suggests:

krb5_ccname /var/run/nslcd/nslcd.tkt

But doesn't say where that came from. Any ideas?

Regards
Steve

Well, using nslcd, I have finally got through to the Samba 4 LDAP ( getent passwd works and steve4 can finally login

The next bit is this: getent passwd does not show the home directory:

steve4:x:319:100:steve4::/bin/bash

even though I can see it in the ldap ldif

steve4 gets logged into / but changing to /home/CACTUS/steve4 allows him to create and edit files correctly and with the correct permissions.

Any ideas?

Thanks
Steve.
Re: [Samba] winbind user mapping problem
The database is here (in Linux/Debian):

/var/lib/samba/winbindd_idmap.tdb

Try to just delete (move/rename) it and then restart winbind. But do not forget about BACKUP!

I had this problem and this solution helped me.

In AD there are not only users but also special accounts like krbtgt, and groups and more...

On 30/12/2011 13:00, Bruno Martins wrote:

Hello mate,

Thanks for your answer. How can I do that?

I've noticed this:

root@sputnik:/var/lib/samba# wbinfo -u | wc -l
140
root@sputnik:/var/lib/samba# tdbbackup -v winbindd_idmap.tdb
winbindd_idmap.tdb : 521 records

Is this normal? 140 users on AD (seems correct), but 521 mappings?

Best regards,
Bruno Martins

On Fri, Dec 30, 2011 at 11:57 AM, Lantukh Sergey sergey.lant...@docpath.com wrote:

Hello,

I think that you need to clean the Winbind database that contains the bridge between UID/GID - SID, and then restart winbind, and it will fill the database again.

On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access shares on this server, getting the following error in '/var/log/samba':

[2011/12/30 09:33:08.072315, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:

[2011/12/30 09:32:56.902810, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in nothing, so no mapping, right?

root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:

root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding to idmap parameters:

root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
# idmap uid = 1-20
idmap uid = 10-12
# idmap gid = 30-40
idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service, but nothing seems to help.

Could you please help me on this?

Best regards,
Bruno Martins
Re: [Samba] login via Samba 4 LDAP
On 30/12/11 13:09, steve wrote:
On 30/12/11 09:38, steve wrote:
On 29/12/11 19:14, Gémes Géza wrote:
On 2011-12-29 12:56, steve wrote:
On 29/12/11 11:58, Gémes Géza wrote:
On 2011-12-29 10:11, steve wrote:
On 29/12/11 10:00, steve wrote:
On 28/12/11 21:59, Bernd Markgraf wrote:

You should create a user in AD for nss-ldap and extract a keytab for it (samba-tool domain exportkeytab --principal=) and configure nss-ldap to use that keytab for authenticating. Most probably you aren't allowed to bind anonymously to your AD server (you can try with ldapsearch -x)

LDAP works with an anonymous bind. You need the Kerberos keytab for authentication though.

steve@hh3:~ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <DC=hh3,DC=site> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 2020: Operation unavailable without authentication
# numResponses: 1

I found this usage:

samba-tool export keytab PATH_TO_KEYTAB

How can I find my PATH_TO_KEYTAB ?

Thanks

Can't get the syntax right:

samba-tool domain exportkeytab /var/lib/named/master --principal
Usage: samba-tool domain exportkeytab <keytab> [options]
samba-tool domain exportkeytab: error: --principal option requires an argument

samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract

Regards
Geza

Tried:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4

restarted samba but:

su steve4
su: user steve4 does not exist

Am I getting close or should I give up now?!

Steve

You still need to configure nss-ldap to do a kerberized bind. I've found example configurations for nslcd (the daemon part of nss-ldapd, a fork of nss-ldap) at:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html

Regards
Geza

phew. That's a biggie. I have nslcd installed. I've looked at the links and it seems as though I need this in /etc/nslcd.conf

uri ldap://127.0.0.1/
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /dont/know

It's the krb5_ccname I can't get. I have:

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ste...@hh3.site

Valid starting     Expires            Service principal
12/30/11 09:27:15  12/30/11 19:27:15  krbtgt/hh3.s...@hh3.site
        renew until 12/31/11 09:27:12

The link you gave suggests:

krb5_ccname /var/run/nslcd/nslcd.tkt

But doesn't say where that came from. Any ideas?

Regards
Steve

Well, using nslcd, I have finally got through to the Samba 4 LDAP ( getent passwd works and steve4 can finally login

The next bit is this: getent passwd does not show the home directory:

steve4:x:319:100:steve4::/bin/bash

even though I can see it in the ldap ldif

steve4 gets logged into / but changing to /home/CACTUS/steve4 allows him to create and edit files correctly and with the correct permissions.

Any ideas?

Thanks
Steve.

Found it:

map passwd homeDirectory unixHomeDirectory

so /etc/nslcd.conf looks like this:

uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Cheers,
Steve
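Added example, not part of the thread: a small shell lint for the two nslcd.conf points worked out above, the `krb5_ccname` location and the `map passwd homeDirectory` line. The first sample is the configuration as posted; the other two are constructed, use the `/var/run/nslcd/nslcd.tkt` path from the linked suggestion, and assume a separate job keeps that cache filled from a keytab. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint an nslcd.conf for the two issues discussed in the thread.

# Value of an option; if it is repeated, this sketch takes the last one.
nslcd_opt() {   # $1 = nslcd.conf, $2 = option name
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Print one finding per line; print nothing when both checks pass.
nslcd_findings() {   # $1 = nslcd.conf
    cc=$(nslcd_opt "$1" krb5_ccname)
    cc=${cc#FILE:}
    if [ "$(nslcd_opt "$1" sasl_mech)" = "GSSAPI" ]; then
        case $cc in
            /tmp/krb5cc_[0-9]*)
                # /tmp/krb5cc_<uid> is the default per-user cache, filled by an
                # interactive kinit and gone after expiry or kdestroy.
                owner=${cc#/tmp/krb5cc_}
                echo "ccname: $cc is the default cache of uid ${owner%%_*}; the bind fails once that ticket expires or is destroyed"
                ;;
        esac
    fi
    awk '$1 == "map" && $2 == "passwd" && $3 == "homeDirectory" { ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1" ||
        echo "homedir: no 'map passwd homeDirectory ATTR' line; the thread got an empty home directory without it"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Configuration as posted in the thread.
cat > "$work/posted.conf" <<'EOF'
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
EOF

# Constructed variant: a cache owned by the daemon. Assumption: a cron job or
# similar runs `kinit -k -t KEYTAB -c /var/run/nslcd/nslcd.tkt PRINCIPAL`
# (KEYTAB and PRINCIPAL are placeholders) more often than the ticket lifetime.
cat > "$work/dedicated.conf" <<'EOF'
uri ldap://127.0.0.1/
base dc=hh3,dc=site
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /var/run/nslcd/nslcd.tkt
EOF

# Constructed variant: same as above but without the attribute mapping.
grep -v '^map ' "$work/dedicated.conf" > "$work/nomap.conf"

for f in posted dedicated nomap; do
    echo "== $f.conf"
    nslcd_findings "$work/$f.conf"
done
```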
Re: [Samba] winbind user mapping problem
It solved my problem! Now, new users get allocated right. But why did this happen?

By the way, is it normal that previously mapped users keep with the old UID, and newly mapped ones get the UID in the now defined UID range?

Best regards,
Bruno Martins

On Fri, Dec 30, 2011 at 12:14 PM, Lantukh Sergey sergey.lant...@docpath.com wrote:

The database is here (in Linux/Debian):

/var/lib/samba/winbindd_idmap.tdb

Try to just delete (move/rename) it and then restart winbind. But do not forget about BACKUP!

I had this problem and this solution helped me.

In AD there are not only users but also special accounts like krbtgt, and groups and more...

On 30/12/2011 13:00, Bruno Martins wrote:

Hello mate,

Thanks for your answer. How can I do that?

I've noticed this:

root@sputnik:/var/lib/samba# wbinfo -u | wc -l
140
root@sputnik:/var/lib/samba# tdbbackup -v winbindd_idmap.tdb
winbindd_idmap.tdb : 521 records

Is this normal? 140 users on AD (seems correct), but 521 mappings?

Best regards,
Bruno Martins

On Fri, Dec 30, 2011 at 11:57 AM, Lantukh Sergey sergey.lant...@docpath.com wrote:

Hello,

I think that you need to clean the Winbind database that contains the bridge between UID/GID - SID, and then restart winbind, and it will fill the database again.

On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access shares on this server, getting the following error in '/var/log/samba':

[2011/12/30 09:33:08.072315, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:

[2011/12/30 09:32:56.902810, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in nothing, so no mapping, right?

root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:

root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding to idmap parameters:

root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
# idmap uid = 1-20
idmap uid = 10-12
# idmap gid = 30-40
idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service, but nothing seems to help.

Could you please help me on this?

Best regards,
Bruno Martins
Re: [Samba] Samba and LDAP Server
Thanks, I got it! Samba is guided through the SRV records in DNS

On 22/12/2011 19:15, David Roid wrote:

Hello Lantukh,

Domain controller, LDAP server and kdc can be found by DNS, Samba consults DNS server to find them. Therefore DNS server itself can be a single-point. I'm guessing your myserver1 is used as the DNS server in this case and when it's down you are in trouble.

Cheers
-David

2011/12/23 Lantukh Sergey sergey.lant...@docpath.com

Good day

I could not find an answer to my problem/question, can you help me here...

I have SAMBA 3.2.5 on Linux\Debian 5
I am using Winbind to connect to MS Active Directory Windows 2003 and get a list of all users.

/etc/samba/smb.conf

[global]
realm = MYDOMAIN.LOCAL
Security = ADS

/etc/krb5.conf

[realms]
MYDOMAIN.LOCAL = {
    kdc = myserver1.mydomain.local:88
    kdc = myserver2.mydomain.local:88
    admin_server = myserver1.mydomain.local:464
    default_domain = DOCPATH.ES
}

[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL

My question is:

When I give the command:

# net ads info

I have:

LDAP server: 192.168.1.10
LDAP server name: myserver1.mydomain.local
Realm: MYDOMAIN.local
Bind Path: dc = MYDOMAIN, dc = LOCAL
LDAP port: 389
Server time: Thu, 22 Dec 2011 17:52:38 CET
KDC server: 192.168.1.10
Server time offset: 2

192.168.1.10 is myserver1.mydomain.local

How does SAMBA know about my LDAP server? I have 2 Domain Controllers and SAMBA is always connected to the first. When the first server is not available SAMBA can not get a list of users via winbind.

How can I get SAMBA to connect to a second domain controller? How can I change the LDAP server for samba?

Thanks!
Re: [Samba] winbind user mapping problem
Good for you!

I cannot say whether it is logical or not. Maybe in another version it works differently...

Which version are you using?

On 30/12/2011 13:24, Bruno Martins wrote:

It solved my problem! Now, new users get allocated right. But why did this happen?

By the way, is it normal that previously mapped users keep with the old UID, and newly mapped ones get the UID in the now defined UID range?

Best regards,
Bruno Martins

On Fri, Dec 30, 2011 at 12:14 PM, Lantukh Sergey sergey.lant...@docpath.com wrote:

The database is here (in Linux/Debian):

/var/lib/samba/winbindd_idmap.tdb

Try to just delete (move/rename) it and then restart winbind. But do not forget about BACKUP!

I had this problem and this solution helped me.

In AD there are not only users but also special accounts like krbtgt, and groups and more...

On 30/12/2011 13:00, Bruno Martins wrote:

Hello mate,

Thanks for your answer. How can I do that?

I've noticed this:

root@sputnik:/var/lib/samba# wbinfo -u | wc -l
140
root@sputnik:/var/lib/samba# tdbbackup -v winbindd_idmap.tdb
winbindd_idmap.tdb : 521 records

Is this normal? 140 users on AD (seems correct), but 521 mappings?

Best regards,
Bruno Martins

On Fri, Dec 30, 2011 at 11:57 AM, Lantukh Sergey sergey.lant...@docpath.com wrote:

Hello,

I think that you need to clean the Winbind database that contains the bridge between UID/GID - SID, and then restart winbind, and it will fill the database again.

On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access shares on this server, getting the following error in '/var/log/samba':

[2011/12/30 09:33:08.072315, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:

[2011/12/30 09:32:56.902810, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in nothing, so no mapping, right?

root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:

root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding to idmap parameters:

root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
# idmap uid = 1-20
idmap uid = 10-12
# idmap gid = 30-40
idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service, but nothing seems to help.

Could you please help me on this?

Best regards,
Bruno Martins
Re: [Samba] winbind user mapping problem
I'm using 3.5.6.

On Fri, Dec 30, 2011 at 12:35 PM, Lantukh Sergey sergey.lant...@docpath.com wrote:

Good for you!

I cannot say whether it is logical or not. Maybe in another version it works differently...

Which version are you using?

On 30/12/2011 13:24, Bruno Martins wrote:

It solved my problem! Now, new users get allocated right. But why did this happen?

By the way, is it normal that previously mapped users keep with the old UID, and newly mapped ones get the UID in the now defined UID range?

Best regards,
Bruno Martins

On Fri, Dec 30, 2011 at 12:14 PM, Lantukh Sergey sergey.lant...@docpath.com wrote:

The database is here (in Linux/Debian):

/var/lib/samba/winbindd_idmap.tdb

Try to just delete (move/rename) it and then restart winbind. But do not forget about BACKUP!

I had this problem and this solution helped me.

In AD there are not only users but also special accounts like krbtgt, and groups and more...

On 30/12/2011 13:00, Bruno Martins wrote:

Hello mate,

Thanks for your answer. How can I do that?

I've noticed this:

root@sputnik:/var/lib/samba# wbinfo -u | wc -l
140
root@sputnik:/var/lib/samba# tdbbackup -v winbindd_idmap.tdb
winbindd_idmap.tdb : 521 records

Is this normal? 140 users on AD (seems correct), but 521 mappings?

Best regards,
Bruno Martins

On Fri, Dec 30, 2011 at 11:57 AM, Lantukh Sergey sergey.lant...@docpath.com wrote:

Hello,

I think that you need to clean the Winbind database that contains the bridge between UID/GID - SID, and then restart winbind, and it will fill the database again.

On 30/12/2011 10:44, Bruno Martins wrote:

Hello list,

I am using Samba + winbind and I have some users that cannot access shares on this server, getting the following error in '/var/log/samba':

[2011/12/30 09:33:08.072315, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username GALILEU-F\teste is invalid on this system

Also, in 'winbind-idmap' log file I am getting this:

[2011/12/30 09:32:56.902810, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
  Fatal Error: UID range full!! (max: 12)

So what happens in reality? Trying to 'getent' that user results in nothing, so no mapping, right?

root@sputnik:/var/cache/samba# getent passwd bmartins
bmartins:*:11:10::/home/GALILEU-F/bmartins:/bin/false
root@sputnik:/var/cache/samba# getent passwd teste
root@sputnik:/var/cache/samba#

However, 'wbinfo' works for that user:

root@sputnik:/var/cache/samba# wbinfo -u | grep teste
teste

My 'smb.conf' returns this, regarding to idmap parameters:

root@sputnik:/var/cache/samba# cat /etc/samba/smb.conf | grep idmap
# idmap uid = 1-20
idmap uid = 10-12
# idmap gid = 30-40
idmap gid = 10-12

I have tried lower and higher values, did a reload on winbind service, but nothing seems to help.

Could you please help me on this?

Best regards,
Bruno Martins
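Added example, not part of any post in this thread: a shell check that reads the `idmap uid` / `idmap gid` form of smb.conf quoted above, computes how many IDs the range can hand out, and compares that with the number of accounts and with the `(max: N)` value winbindd logged. The sample smb.conf lines, the log message and the count of 140 are the ones quoted in the thread; the function names are hypothetical, and treating the logged max as the upper bound winbindd is running with is an assumption.

```shell
#!/bin/sh
# Added example: does the idmap range in smb.conf have room for the accounts
# winbind has to map, and does it match what winbindd logged?

# Print "LOW HIGH" from the last active "idmap uid|gid = LOW-HIGH" line;
# commented-out lines (leading '#') are ignored.
idmap_range() {   # $1 = smb.conf, $2 = uid|gid
    sed -n "s/^[[:space:]]*idmap[[:space:]]\{1,\}$2[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*-[[:space:]]*\([0-9]\{1,\}\).*/\1 \2/p" "$1" | tail -n 1
}

# Number of IDs the range can hand out (bounds are inclusive); 0 if unset.
idmap_capacity() {   # $1 = smb.conf, $2 = uid|gid
    set -- $(idmap_range "$1" "$2")
    if [ $# -eq 2 ] && [ "$2" -ge "$1" ]; then
        echo $(( $2 - $1 + 1 ))
    else
        echo 0
    fi
}

# Upper bound from the most recent "range full" message, empty if none.
logged_max() {   # $1 = winbind idmap log, $2 = UID|GID
    sed -n "s/.*$2 range full!! (max: \([0-9]\{1,\}\)).*/\1/p" "$1" | tail -n 1
}

# Report on one ID type; returns 1 when the range is too small.
idmap_check() {   # $1 = smb.conf, $2 = log, $3 = uid|gid, $4 = accounts needing an ID
    kind=$3
    cap=$(idmap_capacity "$1" "$kind")
    high=$(idmap_range "$1" "$kind" | cut -d' ' -f2)
    seen=$(logged_max "$2" "$(echo "$kind" | tr a-z A-Z)")
    if [ -n "$seen" ] && [ "$seen" != "$high" ]; then
        echo "$kind: log shows max $seen but smb.conf says $high (winbindd is not running with this range)"
    fi
    if [ "$cap" -lt "$4" ]; then
        echo "$kind: range holds $cap IDs, $4 needed, short by $(( $4 - cap ))"
        return 1
    fi
    echo "$kind: range holds $cap IDs, $4 needed, ok"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# smb.conf lines as quoted in the thread.
printf '%s\n' '[global]' \
    '# idmap uid = 1-20' 'idmap uid = 10-12' \
    '# idmap gid = 30-40' 'idmap gid = 10-12' > "$tmp/smb.conf"

# Log message as quoted in the thread.
printf '%s\n' \
    '[2011/12/30 09:32:56.902810, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)' \
    '  Fatal Error: UID range full!! (max: 12)' > "$tmp/log.winbindd-idmap"

# 140 is the `wbinfo -u | wc -l` count from the thread; groups and special
# accounts need IDs as well, so the real requirement is higher.
idmap_check "$tmp/smb.conf" "$tmp/log.winbindd-idmap" uid 140 || :
```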
[Samba] samba file hierarcy issue
Hi,

I try to configure a samba file server and create a file hierarchy for clients to view folders. What I try to do is as below:

I wanted to create a folder x with no password and other folders w, y, z inside folder x with password. So users can enter and view x folder content but can't view w, y, z folder contents without password.

But my clients that connect to samba server can't view a folder hierarchy, they can just see the single folders that I defined in the smb.conf.

Is it possible to create a folder hierarchy in samba server for clients?

Thanks
Korhan
Re: [Samba] samba file hierarcy issue
On Fri, Dec 30, 2011 at 2:15 PM, korhan yazgan korhanyaz...@gmail.com wrote:

Hi,

I try to configure a samba file server and create a file hierarchy for clients to view folders. What I try to do is as below:

I wanted to create a folder x with no password and other folders w, y, z inside folder x with password. So users can enter and view x folder content but can't view w, y, z folder contents without password.

But my clients that connect to samba server can't view a folder hierarchy, they can just see the single folders that I defined in the smb.conf.

Is it possible to create a folder hierarchy in samba server for clients?

Thanks
Korhan

I think it's only possible by setting permissions, either Windows ACL or POSIX ACL.
Re: [Samba] samba file hierarcy issue
From: korhan yazgan korhanyaz...@gmail.com
Subject: [Samba] samba file hierarcy issue
Date: Fri, 30 Dec 2011 16:15:40 +0200

I try to configure a samba file server and create a file hierarchy for clients to view folders. What I try to do is as below:

I wanted to create a folder x with no password and other folders w, y, z inside folder x with password. So users can enter and view x folder content but can't view w, y, z folder contents without password.

(snip)

Is it possible to create a folder hierarchy in samba server for clients?

No, also can't for Windows.

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] gnome-screensaver and PAM
On Fri, Dec 30, 2011 at 3:59 PM, Camaleón noela...@gmail.com wrote: On Fri, 30 Dec 2011 10:48:42 +, Bruno Martins wrote: I am having this problem, and it gets logged every second: Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=joe Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): getting password (0x0388) Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): pam_get_item returned a password Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user (...) I have no idea of what can I do to solve this. Does user joe exist in the system? :-? My setup includes winbind authentication. May this be related? It can be indirectly related but I don't think winbind is generating those messages by its own... is it possible that the system can be accessed remotely (by means of VNC, SSH...)? The logs remember me some kind of password dictionary attack. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.12.30.15.59...@gmail.com User 'joe' exists as a local user, not as an AD user. This server is accessed by SSH and also using xrdp. My first thoughts were precisely that - an attack. This is my nsswitch.conf file: root@sputnik:~# cat /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc Name Service Switch' for information about this file. 
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Best regards,
Bruno Martins
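Whether failures like these come from a remote login path or from the local session can be read from the service name and the tty= and rhost= fields that pam_unix logs. The following is an added example, not part of the original posts: the screensaver lines follow the log quoted above, while the sshd line, its address 192.0.2.10 and the function names are constructed for contrast.

```shell
# Constructed sample input: three screensaver failures in the format quoted
# in the thread, one pam_winbind line, and one constructed sshd failure.
sample_log() {
cat <<'EOF'
Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=joe
Dec 25 07:49:51 sputnik gnome-screensaver-dialog: pam_winbind(gnome-screensaver:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Dec 25 07:49:52 sputnik gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=joe
Dec 25 07:49:53 sputnik gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=joe
Dec 25 07:50:02 sputnik sshd[4242]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=joe
EOF
}

# summarize_pam_failures [FILE...]
# Reads syslog lines (stdin if no file) and prints, most frequent first,
#   COUNT SERVICE USER TTY RHOST
# for every pam_unix authentication failure. "-" marks an empty field.
# An empty rhost means the PAM service passed no remote host, unlike sshd.
summarize_pam_failures() {
    awk '
    /pam_unix\([^)]*:auth\): authentication failure/ {
        svc = $0
        sub(/.*pam_unix\(/, "", svc)   # drop everything up to the service
        sub(/:auth\).*/, "", svc)      # drop everything after it
        tty = "-"; rhost = "-"; user = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tty=./)   tty   = substr($i, 5)
            if ($i ~ /^rhost=./) rhost = substr($i, 7)
            if ($i ~ /^user=./)  user  = substr($i, 6)
        }
        n[svc " " user " " tty " " rhost]++
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -rn
}

# Stand-alone run on the constructed sample.
sample_log | summarize_pam_failures
```

On a real host the input would be the auth log, for example `summarize_pam_failures /var/log/auth.log`.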
[Samba] samba-server, windows7-clients, server-hostname
Greetings,

I have setup a computer to act as a 'samba-server'. The machine has these:-
--cpu: amd64
--OS: cblfs linux
--samba-3.6.0 compiled from sources in /usr/local/samba

The clients are windows 7 clients. They can only see the server as its IP address, not a name/hostname.

QUESTION: Are there entries to be made in smb.conf to enable the smbserver to be seen as its hostname/or-any-other-name rather than by its IP address?

suggestions welcomed

sincerely
lux-Integ
30-12-2011
Re: [Samba] samba-server, windows7-clients, server-hostname
On 30.12.2011 17:15, luxInteg wrote:
> Greetings,
>
> I have setup a computer to act as a 'samba-server'. The machine has these:-
> --cpu: amd64
> --OS: cblfs linux
> --samba-3.6.0 compiled from sources in /usr/local/samba
>
> The clients are windows 7 clients. They can only see the server as its IP address, not a name/hostname.
>
> QUESTION: Are there entries to be made in smb.conf to enable the smbserver to be seen as its hostname/or-any-other-name rather than by its IP address?
>
> suggestions welcomed
>
> sincerely
> lux-Integ
> 30-12-2011

Hi,

for example

server string = Samba %v on %L

greets
Juergen
Re: [Samba] samba-server, windows7-clients, server-hostname
Hello, luxInteg,

You wrote on 30.12.11:

> I have setup a computer to act as a 'samba-server'. The machine has these:-
> --cpu: amd64
> --OS: cblfs linux
> --samba-3.6.0 compiled from sources in /usr/local/samba
>
> The clients are windows 7 clients. They can only see the server as its IP address, not a name/hostname.
>
> QUESTION: Are there entries to be made in smb.conf to enable the smbserver to be seen as its hostname/or-any-other-name rather than by its IP address?

On the clients, what do these report:

ping IP-address
ping Server-name
net view \\IP-address
net view \\Server-name

If net view \\Server-name fails with system error 53 then the problem is/may be related to the server's name server.

If even ping Server-name fails then it's no samba problem but looks like a name server problem.

Best regards!
Helmut
[Samba] Samba 4 windows 7 roaming profile not saved
Hi

Version 4.0.0alpha18-GIT-bfc7481

In smb.conf I have:

[profiles]
path = /usr/local/samba/var/profiles
read only = no

The profiles are set to \\DOMAIN\profiles\%USERNAME% using dsa.msc

When a user first logs on, there is a message: 'You cannot access your files and files created in this profile will be deleted when you log off. To fix this, log off and try logging on later.' Logging back on again gives the same error.

I can work around this by manually creating the folder: /usr/local/samba/var/profiles/user.V2 and changing uid:gid to whatever wbinfo -i user gives, after which the profile is saved OK when the user logs off.

I have looked using regedit to see if there were any bak profiles and in C:\Users to see if there was anything pertaining to the user but nothing.

The permissions on /usr/local/samba/var/profiles are:

drwxr-xr-x 6 root root 4096 Dec 30 16:31 profiles

Any ideas anyone?

Thanks,
Steve
Re: [Samba] Samba 4 windows 7 roaming profile not saved
On Fri, Dec 30, 2011 at 11:22 AM, steve st...@steve-ss.com wrote:
> Hi
>
> Version 4.0.0alpha18-GIT-bfc7481
>
> In smb.conf I have:
>
> [profiles]
> path = /usr/local/samba/var/profiles
> read only = no
>
> The profiles are set to \\DOMAIN\profiles\%USERNAME% using dsa.msc
>
> When a user first logs on, there is a message: 'You cannot access your files and files created in this profile will be deleted when you log off. To fix this, log off and try logging on later.'

I seem to recall the samba howto giving an example root preexec command to have the folders created automatically.
Re: [Samba] Samba 4 windows 7 roaming profile not saved
> The permissions on /usr/local/samba/var/profiles are:
>
> drwxr-xr-x 6 root root 4096 Dec 30 16:31 profiles
>
> Any ideas anyone?

I have the profiles folder set to 1777 (drwxrwxrwt)

bernd
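The two suggestions in this thread differ in who may create entries under the profiles directory: with mode 1777 any user who can write to the share can create a folder there, while a root preexec helper lets the directory stay root-owned and creates each user's folder with the right owner. The following is an added example of such a helper, not code from the Samba howto or from the posters; the script path, the PROFILE_BASE variable and the function name are assumptions.

```shell
# Hypothetical smb.conf wiring for this helper:
#   [profiles]
#       path = /usr/local/samba/var/profiles
#       read only = no
#       root preexec = /usr/local/sbin/mkprofile.sh %U
#
# PROFILE_BASE is an assumed variable; the default is the path from the thread.
PROFILE_BASE="${PROFILE_BASE:-/usr/local/samba/var/profiles}"

# make_profile_dir USER [OWNER]
# Creates $PROFILE_BASE/USER.V2 (the Windows 7 folder name from the thread)
# with mode 0700, owned by OWNER. OWNER defaults to USER and may also be the
# uid:gid pair reported by "wbinfo -i USER".
# Returns 2 for an unsafe name, 3 if the target is a symlink, 1 if mkdir fails.
make_profile_dir() {
    user=$1
    owner=${2:-$1}
    # Reject empty names, leading dots ("..") and any character that could
    # leave PROFILE_BASE, such as "/" or "\".
    case $user in
        ''|.*|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    dir=$PROFILE_BASE/$user.V2
    # Never chown through a link that somebody planted in the share.
    [ -L "$dir" ] && return 3
    if [ ! -d "$dir" ]; then
        # umask 077 means the folder is never readable by other users,
        # not even between mkdir and chmod.
        ( umask 077 && mkdir "$dir" ) || return 1
    fi
    chown "$owner" "$dir" && chmod 0700 "$dir"
}

# When called as a script (for example from root preexec), act on the arguments.
if [ "$#" -ge 1 ]; then
    make_profile_dir "$@"
fi
```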
[Samba] Samba 4 howto add nfs to krb5.keytab
What's the syntax? I've tried:

samba-tool spn add nfs/HH3.SITE Administrator

which seems to work, but where do I go from here?

Thanks,
Steve
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via e39df67 Final part of fix for bug #8679 - recvfile code path using splice() on Linux leaves data in the pipe on short write.
  via 5e62639 Third part of fix for bug #8679 - recvfile code path using splice() on Linux leaves data in the pipe on short write.
  via a571542 Second part of fix for bug #8679 - recvfile code path using splice() on Linux leaves data in the pipe on short write.
  from a108eb4 pyregistry: Remove directory support.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit e39df67669f61056692736db9c8dc16fbf2c3624
Author: Jeremy Allison j...@samba.org
Date: Fri Dec 30 21:19:08 2011 -0800

    Final part of fix for bug #8679 - recvfile code path using splice() on Linux leaves data in the pipe on short write.

    The code to set a DOS error on short writeX return is amazingly legacy code, and also breaks the reply as fixup_chain_error_packet() enforces a 2-byte wct on any reply where smb_rcls != 0.

    Found in testing by Andrew Bartlett. Thanks Andrew !

    Autobuild-User: Jeremy Allison j...@samba.org
    Autobuild-Date: Sat Dec 31 08:05:35 CET 2011 on sn-devel-104

commit 5e6263960aaf1a5f9993cb7bb5646d36ff92b9cc
Author: Jeremy Allison j...@samba.org
Date: Fri Dec 30 20:45:10 2011 -0800

    Third part of fix for bug #8679 - recvfile code path using splice() on Linux leaves data in the pipe on short write.

    Fix default_sys_recvfile() to correctly cope with short writes. Return the amount written. Return -1 and set errno if no data could be written.

commit a5715420e37b98038fe8f2c3028e4c6938400eed
Author: Jeremy Allison j...@samba.org
Date: Fri Dec 30 20:23:00 2011 -0800

    Second part of fix for bug #8679 - recvfile code path using splice() on Linux leaves data in the pipe on short write.

    Split out the functionality of drain_socket() into a separate function from default_sys_recvfile().
--- Summary of changes: source3/lib/recvfile.c | 70 +--- source3/smbd/reply.c |5 --- 2 files changed, 48 insertions(+), 27 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/recvfile.c b/source3/lib/recvfile.c index 5d1c0b2..c74cdd5 100644 --- a/source3/lib/recvfile.c +++ b/source3/lib/recvfile.c @@ -30,16 +30,10 @@ * It's safe to make direct syscalls to lseek/write here * as we're below the Samba vfs layer. * - * If tofd is -1 we just drain the incoming socket of count - * bytes without writing to the outgoing fd. - * If a write fails we do the same (to cope with disk full) - * errors. - * * Returns -1 on short reads from fromfd (read error) * and sets errno. * * Returns number of bytes written to 'tofd' - * or thrown away if 'tofd == -1'. * return != count then sets errno. * Returns count if complete success. */ @@ -96,23 +90,26 @@ static ssize_t default_sys_recvfile(int fromfd, num_written = 0; - while (num_written read_ret) { + /* Don't write any more after a write error. */ + while (tofd != -1 (num_written read_ret)) { ssize_t write_ret; - if (tofd == -1) { - write_ret = read_ret; - } else { - /* Write to file - ignore EINTR. */ - write_ret = sys_write(tofd, - buffer + num_written, - read_ret - num_written); - - if (write_ret = 0) { - /* write error - stop writing. */ - tofd = -1; - saved_errno = errno; - continue; - } + /* Write to file - ignore EINTR. */ + write_ret = sys_write(tofd, + buffer + num_written, + read_ret - num_written); + + if (write_ret = 0) { + /* write error - stop writing. */ + tofd = -1; +if (total_written == 0) { + /* Ensure we return + -1 if the first + write failed. */ +total_written = -1; +} + saved_errno = errno; + break; } num_written +=
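Review bot: the function header comment in the first hunk (@@ -30,16 +30,10 @@) is out of step with the second hunk. It still documents -1 only for short reads from fromfd, while the new write-error branch sets total_written = -1 when the first write fails. Suggest adding a line such as "Returns -1 and sets errno if the first write to 'tofd' fails". Since the lines about draining when tofd is -1 are removed, the comment should also say who is expected to consume the bytes still unread on fromfd after a short write.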
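Review bot: in the write-error branch of the second hunk (@@ -96,23 +90,26 @@), the "no data could be written" test is total_written == 0, which does not look at num_written for the current buffer. The changeset is truncated at "num_written +=", so it cannot be confirmed here that total_written is advanced inside the inner loop; if it is only accumulated after the loop, a partial write followed by a failed write in the first buffer would return -1 even though bytes reached the file. Testing num_written == 0 as well would make the intent explicit. It is also safer to take saved_errno = errno as the first statement after the failed sys_write, before tofd and total_written are touched, so later edits to this branch cannot clobber errno.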