[Samba] Re: samba-ldap and cyrillic

2005-05-27 Thread Alexander E. Patrakov
On Thursday 26 May 2005 15:21, Jerome Tournier wrote:
> Hi all,
> I installed a new Linux with Russian support. I now want to configure Samba
> and OpenLDAP, but I have many problems for users and groups accounts.
> Can I create a user account with Cyrillic characters (as I can on Windows)?

Yes, but that user will not be able to log in on Linux, because the login
program does not accept non-ASCII characters. On the other hand, non-ASCII
usernames work well in smbclient against Windows PCs if * charset
parameters in smb.conf are set correctly.

> It looks like I can't, as the memberUid attribute needs to be in ASCII mode.

Actually UTF-8.

> So how do Russian people do? I imagine that they use Cyrillic characters for
> their login name, but how can they use Samba and LDAP to authenticate?

There is a standard mapping between Russian and Latin characters, called 
transliteration. It is used e.g. when a foreign passport is given to a 
citizen of Russia. Its current version is described (in Russian) here:

http://www.travel-russia.ru/ru/tourismdocs/fed_zakon/prilozhenie_7/

E.g. my name,  , would be transliterated as Alexander Patrakov.

Basically, there is a mapping of characters (e.g.  and  become zh),
and also a separate table for names (e.g.  becomes Nadezda even
though it contains ). To make it more complicated, name-based surnames are
also converted using this table (e.g.  becomes Alexanderov).
The bad news is that even the officials often mis-apply those rules,
transliterate the same name in different ways, and therefore embassies have
to give out certificates like "A. Pastuhova and A. Pastukhova are the same
person".

Beware that an old, obsolete, French-based standard is still mentioned on some 
other web sites and should not be followed.

The usual solution is to use Cyrillic usernames in native Windows domains, and 
transliterated ones in UNIX (and therefore SAMBA).

-- 
Alexander E. Patrakov
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: University's using samba and ldap

2005-01-12 Thread Alexander E. Patrakov
[EMAIL PROTECTED] wrote:

> Is there anyone out there from other universities that would
> be willing to talk to me about your samba layout.  We already
> have it in place but we have other colleges within the university
> that want to start using our setup but want their own
> domains.  I'm kind of confused how this would all work.

We do use SAMBA in the Dialog computer class in the Urals State
University. The setup is a more or less by-the-book (minus typos) single
LDAP-based domain controller. A patched version of LAM is used for
administration (but we should definitely use something different, LAM is
just too slow with 1000 users). The patch, all configuration files and
sample LDAP content will be sent upon request privately.

However, I cannot call this a success story. The reason is that operators
require re-teaching, and I (as a person responsible for the domain) just
receive no additional salary for that additional task. Since even after
explanation operators continue to create new users with inconsistent
capitalization of names and home directories, I consider migration back to
Windows 2000 Server. It's more forgiving. The problem is just how to
migrate all the users into Active Directory while preserving organizational
units :( Any ideas?

-- 
Alexander E. Patrakov



[Samba] mount.cifs and permissions

2004-10-01 Thread Alexander E. Patrakov
I have set up a Samba 3.0.7 server (with LDAP password database), and it 
works perfectly for Windows clients. Now we came to the need of 
supporting one Linux workstation (with SAMBA 3.0.7 client already 
installed) in addition to those Windows PCs. Kernel is 2.6.7 on both the 
client and the server.

The problem is the home directories. Usually (without SAMBA) I just 
share them via NFS in such situations and mount /home on clients. 
However, since a file server (SAMBA) was already there, I tried to avoid 
setting up NFS. The following is what I did.

1) Added another user with uid=0 on the server, generated a password.
2) On the client, created the /smbhome directory, and executed the 
following command:

mount -t cifs -o user=mount,password=XX //192.168.0.100/homedirs /smbhome

This worked.
3) Logged in as a user. Tried to create a file in the place under 
/smbhome where this user could do so.

The owner of that file was expected to be that user (I wanted to have 
just a workalike for NFS), but in reality it was root.

Is that a bug in SAMBA or in the kernel or just my mis-expectation? Is 
it possible at all to use a SAMBA share as a NFS workalike?

--
Alexander E. Patrakov


[Samba] Re: mount.cifs and permissions

2004-10-01 Thread Alexander E. Patrakov
Paul Gienger wrote:
> There have been lots of people that are having problems doing things
> like mounting windows exported home dirs as unix home dirs and then unix
> apps (like kde) have lots of issues with things like symlinks and such.
> In this case why don't you want nfs aside from the 'one more service'
> thing?   There are plenty of good reasons, but they may not apply to
> your situation.
>
> Assuming you know your way around NFS, which it sounds like you do, you
> could have that set up in less time than it took you to type this
> message, but making two linux boxes talk across a method derived to
> support windows and nothing like unix will cause a few problems that
> could take you days to fix up, judging by the posts of people who are
> having issues with it.

Already done, immediately after typing my message.
--
Alexander E. Patrakov


[Samba] Re: samba quota

2004-09-20 Thread Alexander E. Patrakov
Matteo Cazzador wrote:
> Hello,
> Is it possible to give quota disk at share and not at users,
> and what is the command to do so?
> I try get, set quota but I don't know I configure it
> Can someone help me please?

If you use this share as a public place for sharing files (i.e. want to
ignore permissions) you can use the force user or force group
parameters, and assign quotas to this user or group.

Otherwise, you can always do some loop mounting.
--
Alexander E. Patrakov


[Samba] Re: Charset Problem

2004-09-05 Thread Alexander E. Patrakov
Wang.Hua wrote:
> I have several mounted points having different iocharset
> But samba 3.x seems just having one global unix charset option
> Is there a way to set charset on a directory basis

No, but you can use the convmv software to convert all filenames to a
single character set.



[Samba] Re: Automatically changing files names

2004-08-31 Thread Alexander E. Patrakov
Guy Roussin wrote:
> Hi,
> I have just changed my linux samba server from 2.2 to 3.0 and now I need
> to change all the file names which contain a sort of apostrophe.
> With samba 3.0, Windows does not accept this character anymore.
> It appears under linux with ? or ^Y
> I'm looking for a model of shell script which could automatically change
> this character by another in all users directories !
> Can somebody give me a hint ?
> Thank you very much.

Some guesses:
1) Probably your locale is not set up correctly.
2) try dos charset = cp437, unix charset=ISO-8859-1 (the default for
unix charset is UTF-8).
3) If you do want to use UTF-8 (not recommended if you also run anything
other than SAMBA), you will have to rename files. You will be able to do
that in a batch with the convmv program:

http://j3e.de/linux/convmv/convmv-1.08.tar.gz

You will still have to convert all UNIX txt files to UTF-8 with iconv
and throw Midnight Commander out of the window, if you adopt the
solution (3).
--
Alexander E. Patrakov



[Samba] Re: Chicken-and-egg problem with domain SID

2004-08-20 Thread Alexander E. Patrakov
Eric V. Smith wrote:
> Thank you very much for your response, it's very helpful.  While I think
> I can live with this solution, what I really want to do is to generate
> the SID on a different box and push all of the config files (including
> the LDAP database) over to the samba server.  It appears I can just do
> what net getlocalsid does and use it to populate LDAP and the smbldap
> config.

Don't forget that net setlocalsid exists :)
--
Alexander E. Patrakov
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Winbind issue

2004-08-18 Thread Alexander E. Patrakov
Andrew wrote:
> I recently upgraded to 3.0.4-6.3E from 3.0.2 on RedHat Enterprise 3 and ever
> since I have been experiencing a strange winbind issue.
> It looks like winbind is not updating the group memberships properly. If I
> look at a user using wbinfo -r DOMAIN+User I get the following:
> 11001
> 11026
> 11030
> 11033
> 11034
> 11035
> 11042
> 11043
> 11048
> 11049
> Now if I delete any groups or add the user to any additional groups and run
> the command again I get:
> 11001
> 11026
> 11030
> 11033
> 11034
> 11035
> 11042
> 11043
> 11048
> 11049
> No Change!

Please check if your distro has nscd daemon running by default. nscd
is incompatible with winbindd.

--
Alexander E. Patrakov


[Samba] Re: Chicken-and-egg problem with domain SID

2004-08-18 Thread Alexander E. Patrakov
Eric V. Smith wrote:
> I'm trying to configure samba 3.0.3 from FC2 with an LDAP backend as a
> domain controller.  I'm using smbldap-tools from idealx.org.  From what
> I've read, I need to configure the domain SID in
> /etc/smbldap-tools/smbldap.conf.  But in order to generate the SID, I
> need to be running samba on the domain controller already.

No. The net getlocalsid command doesn't need a running samba server.
So the solution is:

1) Start an empty ldap server, don't start smbd/nmbd
2) smbpasswd -w ldappassword
3) net getlocalsid - this should write the SID into ldap
4) adjust the SID in the smbldap scripts
5) populate ldap
6) start the SAMBA servers
--
Alexander E. Patrakov


[Samba] Re: Samba 3.0.5 LDAP Question

2004-08-18 Thread Alexander E. Patrakov
Jeff Saxton wrote:
> I already have LDAP setup for other purposes and I'm using {MD5}
> passwords in ou=people,dc=mycompany,dc=com
> What are the correct settings in smb.conf?
>
> Is it possible to use stored md5 passwords?
>
> Thanks in advance

SAMBA has to authenticate clients using the information that Windows
provides. And Windows only knows how to provide Windows-specific LM and
NT hashes. This is not a problem since SAMBA stores these hashes in LDAP
and never uses the actual LDAP password. If you want anything else to
authenticate against LDAP password, you must tell SAMBA to update it as
well by setting ldap password sync = yes (but remember, SAMBA never
reads it). Of course some ACLs must be in place on LDAP server, like these:

access to dn.base=""
    by users read
    by * none
access to dn.base=cn=Subschema
    by users read
    by * none
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by group=cn=LdapAdmins,ou=Security,dc=dialog,dc=usu,dc=ru write
    by anonymous auth
    by self write
    by * none
access to [EMAIL PROTECTED],@posixGroup,ou,entry
    by group=cn=LdapAdmins,ou=Security,dc=dialog,dc=usu,dc=ru write
    by * read
access to *
    by group=cn=LdapAdmins,ou=Security,dc=dialog,dc=usu,dc=ru write
    by self read
    by * none
--
Alexander E. Patrakov
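
The ACLs in the message above protect the hash attributes only because slapd uses the first matching "access to" rule and, inside it, the first matching "by" clause. The following is an added example, not code from the post or from OpenLDAP: a simplified Python model of that selection, covering only the selectors and subjects used in the post. The DNs and both ACL texts are constructed, and group membership is assumed to be already resolved.

```python
from collections import namedtuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
HASH_ATTRS = ["userPassword", "sambaLMPassword", "sambaNTPassword"]
ADMINS = "cn=LdapAdmins,ou=Security,dc=example,dc=com"   # constructed DN

# Constructed ACL modelled on the post; the rule with the redacted selector is left out.
GOOD_ACL = f'''
access to dn.base=""
    by users read
    by * none
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by group={ADMINS} write
    by anonymous auth
    by self write
    by * none
access to *
    by group={ADMINS} write
    by self read
    by * none
'''
BAD_ACL = "access to *\n    by users read\n" + GOOD_ACL  # constructed: catch-all first

# dn == "" means an anonymous bind; groups holds group DNs (assumed already resolved).
Client = namedtuple("Client", "dn groups", defaults=("", frozenset()))

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:2] == ["access", "to"] and len(words) > 2:
            rules.append((words[2], []))
            words = words[3:]
        while len(words) >= 3 and words[0] == "by" and rules:
            rules[-1][1].append((words[1], words[2]))
            words = words[3:]
    return rules

def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[8:].strip('"').lower()
    return False                              # selector outside this model

def who_matches(who, client, entry_dn):
    if who.startswith("group="):
        return who[6:].strip('"').lower() in {g.lower() for g in client.groups}
    is_self = bool(client.dn) and client.dn.lower() == entry_dn.lower()
    return {"*": True, "anonymous": not client.dn, "users": bool(client.dn),
            "self": is_self}.get(who, False)

def access_level(rules, client, entry_dn, attr):
    """First matching 'access to' wins, then its first matching 'by' clause."""
    for what, clauses in rules:
        if what_matches(what, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, client, entry_dn):
                    return level
            return "none"                     # implicit trailing "by * none"
    return "none"                             # implicit "access to * by * none"

def exposed_hashes(acl_text, target_dn, clients):
    """(label, attr) pairs where a client can read target_dn's password hashes."""
    rules = parse_acl(acl_text)
    return [(label, attr) for label, c in clients.items() for attr in HASH_ATTRS
            if LEVELS.index(access_level(rules, c, target_dn, attr)) >= LEVELS.index("read")]
```

With the rules in the order of GOOD_ACL, no client other than the owner and the admin group gets more than "auth" on the hashes; with the catch-all first, as in BAD_ACL, every authenticated user can read them and anonymous binds lose "auth".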


[Samba] Re: loosed accent french codepages , upgrading from samba 2.2.7a (RedHat9) to samba 3.0.2a Mandrake10

2004-08-18 Thread Alexander E. Patrakov
Jerome Le Montreer, Consultant wrote:
> hello Samba codepagers ...
> I have a linux server for XP pro and Win9x stations.
> I am migrating the server from RedHat9 (samba 2.2.7a) to Mandrake 10
> (samba 3.0.2a)
>
> The problem :
> The french accents and the case options of the filenames are no longer
> recognized by the WinXP Pro Stations.
> (preserve case = no, default case = low ...)
> I tried a lot of CHARSET but it did nothing
>
> samba 3 seems to have less codepages than in samba 2 .
> How can I recover the former behaviour we had with Samba 2 ?

dos charset = cp437
unix charset = iso-8859-1
--
Alexander E. Patrakov


[Samba] Re: Winbind/PAM Question

2004-08-18 Thread Alexander E. Patrakov
Robert Balbir-Brott wrote:
> Hi All,
> From the Official Samba-3 HOWTO, section 24.1:
> Winbind - The pam_winbind.so module allows Samba to obtain
> authentication from any MS Windows Domain Controller. It can just as
> easily be used to authenticate users for access to any PAM-enabled
> application.
> I understand the second part to this sentence.  That is, Samba
> provides 'pam_winbind.so' which allows, through PAM, users for
> PAM-aware applications to be authenticated via WinBind to a Windows
> NT/200x box.  What I don't quite grasp is why the module allows Samba
> to obtain authentication information from any MS Windows Domain
> Controller.  I searched the mailing list, and found a thread in which
> John Terpstra had said that smbd can use winbind directly
> (http://lists.samba.org/archive/samba/2003-May/066636.html)
> So, if smbd can indeed use winbind directly, why would the PAM
> interface to winbind be needed when simply allowing Samba to obtain
> authentication information from a Windows box?

Winbindd is not for SAMBA. It's for things like login, sshd - this
way they can let Windows domain users in.

--
Alexander E. Patrakov


[Samba] Re: help with LDAP and Samba

2004-08-14 Thread Alexander E. Patrakov
Lionel Beard wrote:
> Hello Alexander,
> Saturday, August 14, 2004, 5:49:43 AM, you wrote:
> AEP> Andre Cameron wrote:
>
> >> unix password sync = Yes
> AEP> You don't need that in LDAP setup if you keep posix account information
> AEP> in LDAP using posixAccount objectclass, like LAM does. You probably want
> AEP> unix password sync = no, ldap password sync = yes and also mention
> AEP> pam_smbpass.so in /etc/pam.d/* and also install nss-ldap.
>
> unix password sync is not necessary when you want
> synchronization between Windows password and Unix password? When a
> user changes his password from a Windows workstation to change it for
> unix login?

Not necessary. Exactly what I said. In environment using pam_ldap, there
is no unix password, there is ldap password, and I have ldap
password sync = yes. In other words, passwords of unix users are
validated against ldap, and we let SAMBA change the ldap password.

Think about the situation when the user logs in from unix and runs the
passwd command. To update SMB password automatically, one needs
pam_smbpass. But see: if unix password sync = yes, SAMBA will call
passwd again, which will change the SAMBA password again via
pam_smbpass, and SAMBA will call passwd yet again - a loop.

And in my situation (unix password sync = no, ldap password sync = yes):
when a user changes the password from Windows, SAMBA updates also the
LDAP password (the one which is checked by pam_ldap). When a user
attempts to change his password from unix, pam_smbpass does the same =
both SMB and LDAP passwords are changed.

--
Alexander E. Patrakov


[Samba] My lack of understanding of idmap

2004-08-13 Thread Alexander E. Patrakov
Hello,
I don't completely understand the BDC setup as described in the Chapter 
6 of The Official Samba-3 HOWTO and Reference Guide.

The reason is that the example setup uses LDAP idmap backend. For 
simplicity, the solution is discussed when both PDC and BDC use a Single 
Central LDAP Server. (I have never experimented with BDCs before, but 
have already set up a LDAP-backed PDC).

As I understand, LDAP is used there for two purposes. First, the account 
database is there (typically, in sambaSamAccounts under 
ou={People,Computers},dc=example,dc=com, and in sambaGroupMappings under 
ou=Groups,dc=example,dc=com). Second, the mapping between SIDs, uids and 
gids is stored under ou=Idmap,dc=example,dc=com in sambaIdmapEntries and 
sambaSidEntries. Right?

However, it also looks possible to store posix account information in 
posixAccounts under ou={People,Computers},dc=example,dc=com, as in fact 
many tools (LAM and those from IDEALX) do. Does it really work in a PDC 
+ BDC setup?

Are those two methods of storing uids and gids really mutually 
exclusive, as I suspect? What are benefits and drawbacks of each?

Do I really need to set up idmap things and run winbindd if I want to 
keep posix information in posixAccounts?

Thanks in advance,
--
Alexander E. Patrakov


[Samba] Re: help with LDAP and Samba

2004-08-13 Thread Alexander E. Patrakov
Andre Cameron wrote:
> Hello Everyone,
> I am having some trouble and would greatly appreciate some assistance.
> I apologize if this has been on the list before I am however down to two
> hours before due date.  I have used samba before with no problems but
> this is the first time I have had to do it with LDAP.  The problem is no
> users appear to be authenticating and there are no errors in the logs.
> I followed the online tutorials and tried several variations to no
> avail.  I would REALLY appreciate it if someone who has a working
> samba/OpenLDAP environment could take a moment to assist me.

The main problem is that different tutorials don't mix with each other,
and there is no error-free tutorial. The best one is from The Official
Samba-3 HOWTO and Reference Guide.

> below is my config for review:
> [global]
> workgroup = ventus.local
> server string = Ventus Samba Server
> hosts allow = 172.28.0. 127.

OK so far...

> printcap name = /etc/printcap

Oh, you don't use CUPS? bad... the default is printcap name = cups

> load printers = yes

This is the default and can be omitted

> log file = /var/log/samba/%m.log
> max log size = 50

OK

> passdb backend = ldapsam:ldap://192.168.1.243/
> ldap suffix = o=ventusnetworks.com,dc=na

OK

> ldap filter = ((uid=%u)(objectclass=sambaSamAccount))

This is probably the culprit - the working default is:
ldap filter = (uid=%u)

> ldap machine suffix = ou=computers,o=ventusnetworks.com,dc=na
> ldap user suffix = o=ventusnetworks.com,dc=na
> ldap admin dn = cn=Manager,dc=na

I assume that all those entries exist and that you didn't forget to run
smbpasswd -w managerpassword

> ldap delete dn = yes

OK

> security = user

This is the default

> null passwords = Yes

Hm... Ok

> encrypt passwords = yes

This is the default

> unix password sync = Yes

You don't need that in LDAP setup if you keep posix account information
in LDAP using posixAccount objectclass, like LAM does. You probably want
unix password sync = no, ldap password sync = yes and also mention
pam_smbpass.so in /etc/pam.d/* and also install nss-ldap.

Also you forgot to mention IDEALX scripts for adding users and group
into LDAP, like:

add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
delete user script = /var/lib/samba/smbldap/smbldap-userdel.pl %u
add group script = /var/lib/samba/smbldap/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/smbldap/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/smbldap/smbldap-groupmod.pl \
-m '%g' '%u'
delete user from group script = \
/var/lib/samba/smbldap/smbldap-groupmod.pl -x '%g' '%u'
set primary group script = /var/lib/samba/smbldap/smbldap-usermod.pl \
-g '%g' '%u'
add machine script = /var/lib/samba/smbldap/smbldap-useradd.pl -w '%u'

> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*

Not needed, since the password is kept in LDAP

> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Overconfiguration

> local master = yes
> os level = 255
> domain master = yes
> preferred master = yes
> domain logons = yes

OK

> logon script = %m.bat
> logon script = %U.bat

You can't have two logon scripts. Do you actually use them?

> logon path = \\%L\Profiles\%U
> logon drive = U:
> name resolve order = wins lmhosts bcast
> wins support = yes
> dns proxy = no

Looks right.

> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> winbind use default domain = no

I don't understand this idmap stuff. I know that it is needed when your
SAMBA server is a member of a Windows-controlled domain, because there
are no other sources of uids. But your situation is different, your PDC
is SAMBA. I really don't know what should be done here in this case. My
PDC doesn't use this winbindd/idmap stuff at all, because uids are in
posixAccounts in LDAP.

The rest of your file looks OK. I post my own smb.conf for comparison.
--
Alexander E. Patrakov
[global]
debug level = 0
dos charset = CP866
unix charset = UTF-8
workgroup = DOMAIN
netbios name = CONTROLLER
interfaces = lo,eth1
bind interfaces only = yes
passdb backend = ldapsam:ldap://127.0.0.1

# Warning: I don't run winbindd. and don't understand the following
# four lines. I also don't understand if they are needed at all.
algorithmic rid base = 1
idmap uid = 1-2
idmap gid = 1-2
idmap backend = ldap:ldap://127.0.0.1

domain master = yes
local master = yes
preferred master = yes
os level = 65
security = user
guest account = Guest
template primary group = Domain Users
domain logons = yes
logon path = \\%L\profiles\%U
add user script = /var/lib/samba/smbldap/smbldap-useradd.pl -m '%u'
delete user script = /var/lib/samba/smbldap/smbldap-userdel.pl %u
add group script = /var/lib/samba/smbldap/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba
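
Three of the points raised in the review above (the repeated logon script, unix password sync with an ldapsam backend, and the unused passwd program/chat) can be checked mechanically, together with the password-sync loop explained in the 2004-08-14 follow-up. The following is an added example, not code from the thread or from Samba: a small Python linter whose finding codes are made up for illustration and which assumes, as the thread does, that POSIX accounts live in LDAP.

```python
import re

TRUE = {"yes", "true", "1"}   # spellings smb.conf documents for a true boolean

# Constructed sample: the lines the review objected to, from the posted [global] section.
SAMPLE = """\
[global]
   workgroup = ventus.local
   passdb backend = ldapsam:ldap://192.168.1.243/
   Unix Password Sync = Yes
   passwd program = /usr/bin/passwd %u
   logon script = %m.bat
   logon script = %U.bat
"""

def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: [(param, value, lineno), ...]}, keeping duplicates."""
    sections, current, pending = {}, None, ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):               # trailing backslash continues the line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
            sections.setdefault(current, [])
        elif line and line[0] not in "#;" and "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current].append((norm(name), value.strip(), lineno))
    return sections

def lint(text):
    """Return sorted (lineno, code, detail) findings for the [global] section."""
    findings, last = [], {}
    for name, value, lineno in parse(text).get("global", []):
        if name in last:
            findings.append((lineno, "duplicate-parameter",
                             f"{name} already set on line {last[name][1]}"))
        last[name] = (value, lineno)
    backend = last.get("passdbbackend", ("", 0))[0].lower()
    if backend.startswith("ldapsam"):
        value, lineno = last.get("unixpasswordsync", ("no", 0))
        if value.lower() in TRUE:
            findings.append((lineno, "unix-sync-with-ldapsam",
                             "use 'unix password sync = no' and 'ldap password sync = yes'"))
        for name in ("passwdprogram", "passwdchat"):
            if name in last:
                findings.append((last[name][1], "passwd-unused-with-ldapsam",
                                 "not needed: the password is kept in LDAP"))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, code, detail in lint(SAMPLE):
        print(f"line {lineno}: {code}: {detail}")
```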

[Samba] Re: Samba 3.0.6rc2 Available for Download

2004-08-08 Thread Alexander E. Patrakov
Gerald (Jerry) Carter wrote:
> This is the second release candidate snapshot of the Samba
> 3.0.6 code base (the first rc was labeled as 3.0.5rc1) and
> should be considered for testing only.  A release candidate
> (RC) means that we are close to the final, stable release
> and is provided for Quality Assurance (QA) purposes. This
> release is *not* intended for production servers.  Use at
> your own risk.

Thanks, will test here. Although I want Bug 1578 to be fixed in the next
release - it is very annoying that a file can be created that one can't
delete using only Windows.

--
Alexander E. Patrakov