[Samba] Re: Two domains on same LDAP backend
John H Terpstra wrote:
> On Thursday 14 April 2005 04:44, Alex Forrow wrote:
>> Hi folks,
>>
>> I have two samba hosted domains at two different offices. I would like them to use the same LDAP backend so that the accounts are exactly the same. Unfortunately, it seems that a user's SID is linked to the domain that created it, so another domain cannot authenticate the user, even if it can see it in the LDAP directory, because the user SID doesn't match the domain.
>>
>> ...
>>
>> My latest thought would be to set the domain SIDs the same on the two domains, could that help?
>
> Suggest you set both Domain SIDs the same.
>
> Did you read the Samba-3 by Example book? You can download it from:
> http://www.samba.org/samba/docs/Samba-Guide.pdf
>
> In particular chapter 6 of the current on-line version.
>
> - John T.

Cheers. Had a quick read of that and set the SIDs the same. Works fine.

Alex

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

[Samba] Two domains on same LDAP backend
Hi folks,

I have two samba hosted domains at two different offices. I would like them to use the same LDAP backend so that the accounts are exactly the same. Unfortunately, it seems that a user's SID is linked to the domain that created it, so another domain cannot authenticate the user, even if it can see it in the LDAP directory, because the user SID doesn't match the domain.

My first thought was to use an Interdomain trust, but the Samba official guide (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/) states:

> Given that Samba-3 has the capability to function with a scalable backend authentication database such as LDAP, and given its ability to run in Primary as well as Backup Domain Control modes, the administrator would be well advised to consider alternatives to the use of Interdomain trusts

I took this to mean that I could have two domains using the backend to get the trust, as I am attempting to do.

I have considered using a single domain for both sites, but have decided this idea would not be feasible because the link between the offices is relatively slow and uptime cannot be guaranteed. I would need to ensure computers at one office would only logon to the PDC/BDC at its side of the link. The most important point is that the two offices must be able to work independently when required.

Here is some information about the domains:

Redhat 9 with Samba 3.0.2 and OpenLDAP 2.2.23
Fedora Core 3 with Samba 3.0.10 and OpenLDAP 2.2.13

My latest thought would be to set the domain SIDs the same on the two domains, could that help?

Any points in the right direction would be greatly appreciated.

Thanks,
Alex

Re: [Samba] Can't delete smbpasswd user if not in /etc/passwd
Seems shoddy but can't you just add the user again to /etc/passwd? Then delete both.

Alex

On Mon, 20 Sep 2004 09:54:59 +0100 (BST), Mac [EMAIL PROTECTED] wrote:
> Hi all,
>
> Looking for a solution to the following:-
>
> # smbpasswd -x jh---
> build_sam_account: smbpasswd database is corrupt! username jh--- with uid 1774 is not in unix passwd database!
> Failed to initialise SAM_ACCOUNT for user jh---. Does this user exist in the UNIX password database ?
> Failed to modify password entry for user jh---
> #
>
> This user has already been deleted from the /etc/passwd (in fact NIS passwd), so all we're trying to do is to remove them from smbpasswd too. Seems an odd requirement that a user one is trying to delete has to exist in UNIX passwd!
>
> Any ideas?
>
> Mac
> Assistant Systems Administrator @nibsc.ac.uk
> [EMAIL PROTECTED]
> Work: +44 1707 641565
> Everything else: +44 7956 237670 (anytime)

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Re: [Samba] why join domain
Once a windows computer is joined to the domain, it will use the PDC to authenticate for everything, so centralising the user accounts. There is no need to have local accounts on the clients. If you have few accounts then this isn't so much of a bonus.

Also, there are other nice features of a global account (such as roaming profiles), but you may not want them.

Hope this helps,
Alex Forrow

On Fri, 23 Jul 2004 23:39:16 -1200, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I've set up a test Samba PDC with a few test shares.
>
> From the first Windows PC I logged on to a local computer account and mapped drives to the shares on the Samba PDC.
>
> From the second Windows PC I joined the domain and used a logon script to connect to the shares.
>
> My question: What are the benefits of joining a Windows PC to the Samba domain? Both arrangements above appear to meet my needs.
>
> Thanks for any comments.

Re: [Samba] Replacing a W2K box with a Samba box
Yeh Samba can do all that you want, but I believe you will have to get rid of Active Directory, because Samba cannot host it, only join it. So you will have to use a good old NT style domain.

You can set up Samba for domain logons, and as long as the adm file is not too new, you can use the NT policy editor to generate .pol files to use. Check out the policies section on my site @ http://forrow.com/nova if you have problems with the new win2k ADM files.

This setup will allow for roaming profiles to be used, which is what you are looking for.

Hope this helps
Alex Forrow

On Fri, 18 Jun 2004 13:36:08 -0400, Marteen [EMAIL PROTECTED] wrote:
> I need to replace a Windows 2000 Server with a Samba box. The W2K is the only domain controller in the network and it runs Active Directory. I know the Samba-3 limitations as an Active Directory Domain Controller, but I don't need absolutely all the features. What I would ideally need is:
>
> * Single Sign On
> * .adm policy files support (for client security and use restrictions - clients are WinXP machines)
> * Remote profile loading (or whatever it is named - that feature where the client's desktop icons are loaded from the server)
>
> It's kind of imperative for me to replace the darn w2k, so if some compromises have to be made in terms of features and usability, I'll do it (Read: I don't mind losing or trading some mentioned features).
>
> What do you suggest? :-)
>
> Thanks in advance,

Re: [Samba] Need a working model of smb.conf for a PDC
I have a PDC using smbpasswd, my smb.conf is available here: http://forrow.com/nova/gear/smb.conf

Hope this helps
Alex

On Fri, 18 Jun 2004 09:15:12 -0400, Matthew Koster [EMAIL PROTECTED] wrote:
> Having some major troubles with smb and making it a PDC.
>
> For 2 weeks now I have been testing, and retesting. At one point I had it all working except for password changing.
>
> Has anyone gotten Samba 3.0.4 to work correctly as a PDC with an smbpasswd background (not pam or ldap)? If so could you please send me a working copy of your SMB file (only core components needed, no need for shares or anything).
>
> Thx in advance.
>
> Matthew Koster
> Customer Support Technician
> International Datacasting Corporation
> http://www.intldata.ca
> 613-596-4120 ext 254

Re: [Samba] How to keep local profiles when joining domain?
I haven't looked properly but there are lots of registry files in /usr/share/doc/samba-VERSION/docs/registry/

One of which is called Win-2Kx-XPP-ForceLocalProfile.reg

Could be helpful

Alex

On Wed, 16 Jun 2004 23:28:25 +0100, Nash Computer Technology [EMAIL PROTECTED] wrote:
> Hi
>
> I hope someone can help.
>
> We currently have Windows XP Professional PCs that logon to an old Novell Netware 3.12 server. We're just using the standard Windows Netware client, and each user has a Windows XP User account and password that matches their Novell one. When they logon to Windows, they are automatically authenticated to Novell.
>
> However, we are now in the final stages of deploying a Samba server to replace the Novell one. The Samba server is configured as a Primary Domain Controller, and seems to be working fine. We do not wish to use roaming profiles, so the profiles will be held locally on each PC.
>
> We wanted to test the migration of modifying the PC network clients to login to the new server, and have cloned a hard drive. I haven't played with this myself, but we're unsure how to join the new domain, such that the existing profiles (eg desktop layout, applications, etc etc) are retained for each user.
>
> When we simply change the PC properties to join the domain, we lose the users' settings. For example, if we have a user named Mike who is logging on to our new domain of scodomain, it creates a profile under My Documents Settings named mike.scodomain. There is already a profile named mike. Both users have administrative access on the PC.
>
> We've tried creating and logging on as another administrative user then copying the contents of the profiles folder from mike to mike.scodomain (including hidden files), but we don't get the settings that mike has.
>
> I'd really appreciate some pointers on this. It must be easy (there again, it's Microsoft). I think we've looked at right-clicking on My Computer, Properties, User accounts, Profiles (or something like that) and copying profiles. Also, the administrative tool in the Control Panel.
>
> David

Re: [Samba] Mapping My Documents
Not sure how usrmgr.exe is going to help but you can get it from my site: http://forrow.com/nova/gear/srvtools.exe. Or just search google for srvtools.exe

Haven't used win98 in ages so can't check this but all the main paths for stuff in win2k and winXP at least are stored in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Alex Forrow

On Wed, 19 May 2004 17:30:09 +0200, Christoph Scheeder [EMAIL PROTECTED] wrote:
> Hi,
> AFAIK you can get usrmgr and srvmgr in download from Micro$oft. The file is called srvtools.exe and can be installed on nt, 2k and xp.
> Christoph
>
> L. Claudius wrote:
>> Thus spoke Greg Folkert:
>>> On Tue, 2004-05-18 at 21:48, L. Claudius wrote:
>>>> I'm creating roaming profiles for the Win98 boxes in our network. Is there any way to map the My Documents folder to a share in the Samba server?
>>>
>>> usermgr.exe from microsoft seems to work quite well for this. AFAIK, I have added users and defined things using the usermgr.exe. I use W2KP and WXPP as the machine I run it on. Works for me.
>>
>> Where do I find this usermgr.exe? I couldn't find it either in a Win98 box or in a Win2k Pro box.

Re: [Samba] Execute command as windows administrator
This is the same sort of question as we had a while back. Solution is here: http://www.mail-archive.com/[EMAIL PROTECTED]/msg37467.html

Hope this helps
Alex Forrow

On Wed, 21 Apr 2004 18:23:10 +0200, undergra [EMAIL PROTECTED] wrote:
> Hi,
>
> I have installed samba 2.2x PDC + openldap server and I have many windows clients (~500 computers). All works ok but I need automatize some tasks, for example I need install many programs on windows clients (new antivirus, new version of ftp client, etc.)
>
> The question: Exist any way for install a program as windows administrator when the user login on samba pdc?
>
> If I add a user on windows machine and the user is of group administrators works ok because I can install a program with this perms. The problem is that I don't want add all users on all computers with group administrator. I'm using openldap and when a user log in samba pdc the user exists on ldap but not on windows.
>
> Thanks and sorry for my bad english

RE: [Samba] IPC$ ?
This is a share which lists all the other shares. Its use is invisible to users, but it has to be there.

Not sure why Windows is still using it after the users have logged out, but shouldn't cause any harm.

Alex Forrow

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Hennig
Sent: 04 April 2004 10:11
To: [EMAIL PROTECTED]
Subject: [Samba] IPC$ ?

Some of my users doesn't log out. smbstatus show me, that IPC$ is in use by the users, but all are out of the office ;-(

I use Samba as PDC for WindowsXP-pro.

What is IPC$?

Thanks for Help

CU
CHristin Hennig

RE: [Samba] Samba no access
I could do with some more info. Yeh your smb.conf would be useful, and a log on level 3 would also be good.

What errors do you get when you are rejected? Try connecting to the server locally using smbclient

Alex Forrow

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Botha
Sent: 01 April 2004 09:01
To: [EMAIL PROTECTED]
Subject: [Samba] Samba no access

Dear Sir

I am mailing you in my frustration that nobody can help me to solve a problem. Could you try and help me?

Well in short this is my problem. I recently installed a new server at a local college with fedora. It is working well as an internet sharing masquerading server but the file server using samba is a mess. I have tried everything and I do not get it going.

Firstly if I use security share then I can view the files that I set to every one, if I put restriction onto that it does not work. Setting security to user fails, I cannot access the server, does not recognise my password and username.

I come to a conclusion that it does not recognise my users on the system. But they do appear in the smbpasswd and passwd files. To avoid any starting problems I created a dummy user with its own group, then added a user to that group. Still does not work. I desperately want to get the homes to work.

Please I would be grateful for a reply. If you would like to have a copy of my smb.config then I am willing to mail it to you.

Regards
Chris Botha.

RE: [Samba] Roaming Profiles with WinXP and Samba PDC
Unless I'm mistaken this is just a typo:

logon path = \\L%\profiles\%U

Surely 'L%' should be '%L'?

Would testparm pick this up? Probably not

Hope this helps
Alex Forrow

RE: [Samba] Win2k/XP doesn't execute logon.bat while logging in to Samba PDC
There are too many possibilities to pin-point the problem. I do notice, however, that there are errors in your smb.conf unless I'm mistaken:

logon path /home/%L/profiles/

For a start you need a '=' and also this should be a windows path telling the clients where to find the user's profile. For example, mine is:

logon path = \\%L\Profiles\%U

Showing that the user's profile is on the 'Profiles' share of the PDC under a directory named as the username. Not sure if this is related.

Another point: You use %L a lot. Are you aware that this is just the name of the PDC, looks like you want %U, the username of the connected user.

Hope these points help

If you still can't get it working try just running the logon script manually (run \\servername\netlogon\logon.bat) or have a look at the logs (up the log level if necessary)

Alex Forrow

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mats Hemgren
Sent: 19 March 2004 22:17
To: [EMAIL PROTECTED]
Subject: [Samba] Win2k/XP doesn't execute logon.bat while logging in to Samba PDC

Hi all!

I'm going mad about getting my shares mapped to my win2k and winXP machines from my Samba PDC Version 3.0.2 on Debian. Win-machines don't seem to execute logon.bat at all, except when I log on as root. I've set the ownership and chmod 0775 all logon.bat files to each user on my network.

Am I just blind or is there something obvious/very wrong with my config?

my smb.conf

#=== Global Settings ===
[global]
panic action = /usr/share/samba/panic-action %d
netbios name = MIDIAN
workgroup = hemgren.com
guest ok = no
invalid users = bin deamon sys man mail ftp
admin users = root administratör mats
hosts allow = 192.168.64.
domain admin group = root
domain admin users = mats
log level = 2
log file = /var/log/samba/log.%m
max log size = 1000
debug timestamp = yes
logon path /home/%L/profiles/
logon script = logon.bat
security = user
encrypt passwords = true
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
time server = yes
# --- Browser Control Options ---
local master = yes .
os level = 65
domain master = yes
preferred master = yes
# --- End of Browser Control Options ---
wins support = yes
name resolve order = lmhosts host wins bcast
preserve case = yes
short preserve case = yes
unix password sync = false
domain logons = yes

#=== Share Definitions ===
[homes]
comment = Home Directories
browseable = yes
writable = yes
create mask = 0775
directory mask = 0775

[misc]
comment = misc
path = /share/one
browsable = yes
writeable = yes
create mask = 0775
directory mask = 0775

[anime]
comment = anime
path = /share/two
browsable = yes
writeable = yes
create mask = 0775
directory mask = 0775

[hanna]
comment = hanna
path = /home/hanna
browsable = yes
writeable = yes
create mask = 0775
directory mask = 0775

[www]
comment = www
path = /var/www
browsable = yes
writable = yes
create mask = 0775
directory mask = 0775

[mats]
comment = mats
path = /home/mats
browsable = yes
writable = yes
create mask = 0775
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /home/%L/netlogon
public = yes
writable = no
browsable = yes

[profiles]
comment = Roaming Profiles Service
path = /home/profiles
writable = yes
create mask = 0700
directory mask = 0700
browsable = no

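The two smb.conf mistakes pointed out in the replies above (the `logon path` line with no `=` that is also not a Windows path, and the reversed `L%` macro) can be caught with a small lint pass. This is an added example, not code from the thread or from Samba; the function name `lint_smb_conf` and the sample file are constructed for illustration, and continuation lines are not handled.

```python
import re

# Parameters whose value the Windows client resolves as \\server\share\...
UNC_PARAMS = ("logon path", "logon home")
# A '%' that is not followed by a macro letter (or '$' for %$(envvar)),
# optionally capturing a letter just before it, as in the reversed 'L%'.
BAD_PERCENT = re.compile(r"([A-Za-z])?%(?![A-Za-z$])")

# Constructed sample: lines 4 and 5 are the two faulty lines quoted in the
# threads above, line 6 is the corrected form given in the reply.
SAMPLE = r"""[global]
   workgroup = EXAMPLE
   logon script = logon.bat
   logon path /home/%L/profiles/
   logon path = \\L%\profiles\%U
   logon path = \\%L\Profiles\%U
"""


def lint_smb_conf(text):
    """Return a list of (line_number, message) findings."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments and section headers.
        if not line or line[0] in "#;" or line.startswith("["):
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            findings.append((num, "missing '=' between parameter and value"))
            # Parameter names may contain spaces, so the value can only be
            # recovered for names we know; otherwise stop checking this line.
            key = next((p for p in UNC_PARAMS if line.lower().startswith(p)), None)
            if key is None:
                continue
            value = line[len(key):].strip()
        key = " ".join(key.lower().split())  # parameter names are case-insensitive
        bad = BAD_PERCENT.search(value)
        if bad:
            hint = f"; did you mean '%{bad.group(1)}'?" if bad.group(1) else ""
            findings.append((num, f"'%' is not followed by a macro letter{hint}"))
        if key in UNC_PARAMS and not value.startswith("\\\\"):
            findings.append(
                (num, f"'{key}' should be a UNC path such as \\\\%L\\Profiles\\%U"))
    return findings


if __name__ == "__main__":
    for num, message in lint_smb_conf(SAMPLE):
        print(f"line {num}: {message}")
```
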
RE: [Samba] Security = user question
For users that are not known to samba allow them to be a guest using this line in smb.conf:

map to guest = Bad User

Then assign the guest account a unix account

guest account = nobody

Make sure the user (in this case 'nobody') is in your /etc/passwd

In the section for the share add:

guest ok = yes

That should work

Alex Forrow

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 12 March 2004 14:41
To: [EMAIL PROTECTED]
Subject: [Samba] Security = user question

I am running a Sun Solaris system with Samba 3.0.0. The security level is user but I want 1 share as guest share so that everybody can read it without supplying a username or password.

How can I do this?

Thanks for the help.

RE: [Samba] No full administrator-permissions on local machines with samba 3 domain login
When you say domainmember is a member of the admin group, what admin group do you mean? The admin group as set in the smb.conf or the NT 'Domain Admins' group?

By the details you are describing, it sounds as though it's not the NT 'Domain Admins' group, but just added in smb.conf. I say this because Samba seems to think you are an admin because it allows you to make users.

If this is the case, you must map the admin group to the NT 'Domain Admins' group using net groupmap add..

Now the windows computers should see you as their admin.

Hope this helps
Alex Forrow

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joern Frenzel
Sent: 10 March 2004 10:34
To: [EMAIL PROTECTED]
Subject: [Samba] No full administrator-permissions on local machines with samba 3 domain login

hi,

does anybody know about the following situation and its solution?

we configured a samba3 as pdc - sure in the way it was often described. but if we login on a windowsXP as domainmember (member of the admin group) it seems like we do not really have full administrator-permissions. we can add users and can do some other tasks only an administrator is allowed to do. but some stuff is still not possible to do. i.e. we can not disable the network connection.

thanks for your help.

--
Jörn Fenzel