[Samba] fs_acl_xattr and vfs_acl_tdb in Samba 3.3/3.4

2009-05-20 Thread Andreas Ladanyi

Hi folks,

I want to ask if "fs_acl_xattr" and "vfs_acl_tdb" in Samba 3.3 are 
now "stable" or if it's planned for them to be stable in 3.4.


What is the experience with these vfs modules in 3.3?

Bye,
Andy


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Samba 3.2, Samba 3.3 release planning

2008-10-21 Thread Andreas Ladanyi

Hi,

I visited wiki.samba.org and read the "Release Planning for Samba 3.2" 
information and the "Release Planning for Samba 3.3" information.


So my question is:

Has Samba 3.2 development stopped, with all concentration given to Samba 
3.3? Because there isn't any further release note available for 3.2, but 
instead there are some notes for 3.3?


Bye and thanks for your information :-)

Andy



[Samba] Re: samaba winwind

2008-09-16 Thread Andreas Ladanyi

Chavez, James R. wrote:
I am using 3.2.3, so it must be available for this version? 
I do not see it in the man smb.conf output if it is. Any links or docs
available out there that can help me grasp this a little better? Gotta
ask.


I can't see anything in "man smb.conf" either, but I found a man page 
named "idmap_nss.8", so "man 8 idmap_nss" shows you a nice example.


But I have to say, I looked it up in an "old" source tree from 3.0.31.

Or type "apropos idmap" and you should get the "idmap nss" man page listed.




[Samba] Re: samaba winwind

2008-09-16 Thread Andreas Ladanyi

Hi Michael,

ah, ok.

Was this feature added since 3.0.29? I could see nothing in the changelog 
since 3.0.28.


It sounds interesting.


You must not be using 3.0.28.  The config format changed and they made
an nss backend available.




[Samba] Re: samaba winwind

2008-09-16 Thread Andreas Ladanyi



I'm not a Samba developer but in the latest releases of the 3.0.x tree
you can use the idmap backend of "nss" to get the old behavior of
mapping the Windows account name to the same account name in Unix.


mmm, for "idmap backend" the man smb.conf says:

idmap_tdb (default)
idmap_ldap
idmap_rid
idmap_tdb

and not documented in these lines

idmap_ad



I think what you mean is the  "winbind nss info" parameter, which is 
used to get nss info like "home dir" and "login shell" for unix users 
from active directory with existing windows user/group (called mapping).


I read the possible values:

template
sfu

and not documented in these lines

rfc2307



[Samba] Re: what's good for security=ads ?

2008-09-16 Thread Andreas Ladanyi

d tbsky wrote:

hi:
   we have a 2003 R2 domain. it is running on 2003 native mode. we
want to setup some samba member file servers. our client is windows
xp.

   i try samba 3.2 with "security = domain" and "idmap backend = rid".
it seems fine. but i saw there are more advanced options in samba like
"security = ads" and even parameter about "rfc2307"  to mix windows
and samba. they are complex settings and i wonder what benefits they
bring to us.

our situation is:  we want to use samba as file server for windows
xp,and we have one single 2003 R2 domain. we may want to migrate to
samba 4.0 when it is ready.

is simple "security = domain" enough, or should we set up
"security = ads" to prepare for the future?

thanks a lot for your help!!


In short! The difference between "domain" and "ads", as I understand it:

domain = NT4 style domain membership


In my experience it should be enough unless using Vista clients.

ads = like NT4 + kerberos

If you want to use "ads" you have to set up a small Kerberos client 
configuration on your Samba server. This is a little bit more work.



General:


We had issues connecting from Windows Vista clients to the Samba server 
unless we changed from "domain" to "ads" mode, but I don't know the 
exact background.


But maybe it helps to set:

client ntlmv2 auth = yes

in smb.conf for SMB auth negotiation with the Vista client without 
changing from "domain" to "ads".


Before using Vista, "domain" membership works very well with 2003 R2 
(native mode), Windows XP and winbind.



RFC2307:


This is a schema extension (part of 2003 R2) for Active Directory that 
makes it possible to add POSIX information to an existing Windows user/group.


This information is read out by winbind if:

winbind nss info = rfc2307

is set!



I hope I could help you. If I typed something wrong, please correct me. 
I am writing about my experience and tests.






[Samba] Re: samaba winwind

2008-09-15 Thread Andreas Ladanyi

Chavez, James R. wrote:

Michael, Andreas, and list,
Quick questions for clarity please. Using Winbind and having the uid and gid 
consistent across all linux and Solaris servers is something I have struggled 
with. So is it fair to say that without SFU, or extending schema with RFC2307, 
or using Windows 2003R2 and manually populating these Active Directory user 
objects with Unix attributes, you cannot manually specify which Unix uid is 
mapped to a Windows ID?


You can use OpenLDAP for example instead of SFU or RFC2307 extension:-)

But: Yes, this is at least my experience.

There is a "net groupmap" command which will write to the tdb database 
backend, but I have never used it and don't know if this command is 
relevant in this context. I remember this command is (only) used when 
setting up a Samba domain controller to map the builtin Windows groups 
512,513,514. However, there is no "net usermap" command.




I ask this because in certain locations where I work we have existing Unix infrastructures based on NIS. Therefore all access to data is based upon these NIS uid and gid permissions in these environments. The Windows group has been pushing Linux out in these locations and in some cases, insisting they be joined to Active Directory, and authenticate local and SSH logins with Winbind. My issue with this is that the existing resources that the staff accesses have permissions based on NIS permissions. So when logging in with Active Directory credentials, these AD users are dynamically allocated a Unix uid by Winbind that no longer has access to established resources based on the NIS permissions. 


What I have done in certain areas is migrated all uid, gid, and host 
information from NIS into an OpenLDAP directory. Then use Kerberos (AD creds) to 
authenticate then map the Kerberos name to the 8 character Unix name in LDAP 
using PADL's nss_ldap. I could just create the LDAP usernames the same as the 
Kerberos names but wanted to keep with the 8 character scheme, I think AIX 
still has this limitation. This seems to work but if I can use Winbind to 
statically map existing Unix uid to Windows ID's that would be less work.

Is there in fact a way to use Winbind and use the NIS uid and gid info that 
already exists? From what I have read so far all Winbind uid generation is 
dynamic. Please correct me if I am wrong.


We had the same constellation in our institute and we put all uids/gids 
from NIS into Active Directory "by hand", bit by bit. About 200 users.


I don't know a way to use NIS AND winbind at the same time, so that the 
Active Directory system would read information from NIS and put it 
together with the Windows AD information, without migrating the uids/gids.


I hope a Samba developer can answer this question positively :-)

Bye,
Andy



Thanks 
James


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Adam
Sent: Friday, September 12, 2008 2:19 AM
To: Andreas Ladanyi
Cc: samba@lists.samba.org
Subject: Re: [Samba] Re: samaba winwind

Hi,

Andreas Ladanyi wrote:

vishesh wrote:

dear all
I am running samba 3.0.28 on two servers and using winbind to get 
active directory users and groups. the problem I am facing is that the 
uid assigned for the same user is different on the samba servers.
The uid saved in the Active Directory is different from the winbind 
Linux side ?


No, the problem is that the uids on the two samba servers are different for the same 
user. This is because you are using (the default of) "idmap backend = tdb". 
This assigns increasing uids (per server) to users in the order they access the server.

If you need the same user ids, you have (at least) the following two options:

1. Use "idmap backend = rid". Then a user gets the
   uid built as LOW_RANGE_UID + RID.
   Here LOW_RANGE_UID is the lower bound of the range
   "idmap uid = LOW_RANGE_UID - HIGH_RANGE_UID"
   and RID is the "relative identifier": the user SID
   is built as follows: DOMAIN_SID-RID. i.e. the rid
   is the last block of digits of the user's sid, hence
   is unique inside one domain, and users will get the
   same uid on all samba servers using "idmap backend = rid".
   See the man page idmap_rid(8).

2. Use "idmap backend = ad":
   When you install the SFU (Services For Unix) schema
   extensions, then you can set unix attributes for users
   and groups in Active Directory, and the same uid is
   obtained for users on all samba servers using this backend.
  
Hope this helps,


Michael

--
Michael Adam <[EMAIL PROTECTED]>  <[EMAIL PROTECTED]> SerNet GmbH, 
Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. 
Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by 
the addressee(s) na

[Samba] Re: winbind configuration

2008-09-13 Thread Andreas Ladanyi

Hi,

ok, now I understand your issue.

Please have a look at your first thread in this newsgroup, Michael Adam 
sent you a nice suggestion.


The reason is:

The SID->UID/GID mapping will be randomized by default. So you need a 
mechanism to keep the uid/gid mapping equal!


I think the first suggestion is nice for new user/group setups, because 
I think the RID (from SID) on the Windows side is randomized by Windows when 
the user/group is created in Active Directory and this RID is not 
changeable by hand ?!


The second suggestion is better for an existing user/group environment, 
because with SFU or the RFC2307 schema extension you could add the 
uids/gids by yourself and build a setup with the existing ids from 
/etc/passwd and /etc/group or NIS.


I wish you the very best ;-)

Andreas Ladanyi



vishesh wrote:

Thanks for reply
   The SID of windows users and groups is the same because both servers are 
part of the same Domain.
The list of users wbinfo -u and groups wbinfo -g is the same but the uid 
and gid are different. Both servers are Windows 2003 Standard.


The winbind configuration is as follows
workgroup = ABP
realm = ABP.DEL
netbios name = abptest
security = ADS
allow trusted domains = yes
idmap uid = 3000-3
idmap gid = 3000-3
template homedir = /home/%D/%U
template shell = /bin/bash
winbind cache time = 3600
winbind separator = +
winbind nested groups = yes


thanking you
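
The divergence discussed in this thread (per-server allocation with "idmap backend = tdb" versus the deterministic LOW_RANGE_UID + RID of "idmap backend = rid") is modelled below, together with a check that compares `getent passwd` output from two servers. This is an added example, not part of the original posts and not Samba code; the ranges, SIDs, account names and function names are constructed assumptions, and the rid formula is the simplified one given in the thread.

```python
# Added example: a simplified model of the two mapping strategies, not Samba code.
# Ranges, SIDs, account names and sample outputs are constructed for illustration.

LOW_RANGE_UID = 10000   # assumed lower bound of "idmap uid"
HIGH_RANGE_UID = 19999  # assumed upper bound of "idmap uid"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# account name -> user SID, built as DOMAIN_SID-RID (constructed)
USERS = {
    "alice": DOMAIN_SID + "-1105",
    "bob": DOMAIN_SID + "-1106",
    "carol": DOMAIN_SID + "-1107",
}

# Constructed `getent passwd` excerpts from two servers using the tdb default.
SAMPLE_SERVER_A = (
    "ABP+alice:*:10000:10000:Alice:/home/ABP/alice:/bin/bash\n"
    "ABP+bob:*:10001:10000:Bob:/home/ABP/bob:/bin/bash\n"
)
SAMPLE_SERVER_B = (
    "ABP+bob:*:10000:10000:Bob:/home/ABP/bob:/bin/bash\n"
    "ABP+alice:*:10001:10000:Alice:/home/ABP/alice:/bin/bash\n"
)


def rid_of(sid):
    """Return the RID: the last block of digits of a SID."""
    prefix, _, last = sid.rpartition("-")
    if not prefix.startswith("S-1-") or not last.isdigit():
        raise ValueError("not a user SID: %r" % (sid,))
    return int(last)


def rid_backend_uid(sid, low=LOW_RANGE_UID, high=HIGH_RANGE_UID):
    """uid = LOW_RANGE_UID + RID as described in the thread; needs no state."""
    uid = low + rid_of(sid)
    if uid > high:
        raise OverflowError("RID %d does not fit the idmap uid range" % rid_of(sid))
    return uid


class TdbLikeServer:
    """One server handing out increasing uids in order of first access."""

    def __init__(self, low=LOW_RANGE_UID, high=HIGH_RANGE_UID):
        self._next = low
        self._high = high
        self._table = {}  # local, per-server SID -> uid table

    def uid_for(self, sid):
        if sid not in self._table:
            if self._next > self._high:
                raise OverflowError("idmap uid range exhausted")
            self._table[sid] = self._next
            self._next += 1
        return self._table[sid]


def parse_getent_passwd(text):
    """Parse `getent passwd` style lines into {account name: uid}."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit():
            result[fields[0]] = int(fields[2])
    return result


def uid_mismatches(map_a, map_b):
    """Return [(name, uid_a, uid_b)] for accounts whose uid differs."""
    common = sorted(set(map_a) & set(map_b))
    return [(n, map_a[n], map_b[n]) for n in common if map_a[n] != map_b[n]]


def simulate_tdb(order_a, order_b):
    """Let users reach two tdb-like servers in different orders; list mismatches."""
    a, b = TdbLikeServer(), TdbLikeServer()
    for name in order_a:
        a.uid_for(USERS[name])
    for name in order_b:
        b.uid_for(USERS[name])
    map_a = {n: a.uid_for(s) for n, s in USERS.items()}
    map_b = {n: b.uid_for(s) for n, s in USERS.items()}
    return uid_mismatches(map_a, map_b)


if __name__ == "__main__":
    print("tdb-like, different access order:")
    for row in simulate_tdb(["alice", "bob", "carol"], ["carol", "alice", "bob"]):
        print("  %s: server A uid %d, server B uid %d" % row)
    print("rid-like, any server:")
    for name, sid in USERS.items():
        print("  %s: uid %d" % (name, rid_backend_uid(sid)))
    print("mismatches found in the sample getent output:")
    for row in uid_mismatches(parse_getent_passwd(SAMPLE_SERVER_A),
                              parse_getent_passwd(SAMPLE_SERVER_B)):
        print("  %s: %d vs %d" % row)
```

Running the comparison against real `getent passwd` output from each member server shows whether files written through one server would be owned by a different account when seen from another.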







[Samba] Re: samaba winwind

2008-09-10 Thread Andreas Ladanyi

vishesh wrote:

dear all
I am running samba 3.0.28 on two servers and using winbind to get active 
directory users and groups. the problem I am facing is that the uid 
assigned for the same user is different on the samba servers.


The uid saved in the Active Directory is different from the winbind 
Linux side ?


Could you give an example, please ?

Did you get a result with "wbinfo -u", "wbinfo -g" ? Is this result ok ?

Could you post your winbind config ?

Which Windows server version do you use ?

bye,
Andy



i am using default for
idmap uid  and idmap gid

Thanks




[Samba] Re: Samba server as part of AD domain keeps asking for username and password

2008-09-04 Thread Andreas Ladanyi

[EMAIL PROTECTED] wrote:

Hi Andy,

Thanks for the answer but I've tried this already. 

With 
guest ok = yes 
And/or

valid users = TESTDOM\awm013 awm013 testdom\awm013 AWM013

I haven't set the winbind separator so it should be ok to use \

And also with guest ok = yes I still get the password prompt.

Thanks
Wolfgang


Hi Wolfgang,

The error message is:

Username TESTDOM\AWM013 is invalid on this system <
There it is
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

The username is invalid !! Is AWM013 really a user with unix attributes 
in the Active Directory ?


You are working with winbind. Which backend do you use to save your unix 
user information ?  Windows Server 2003 R2 ?


I am wondering why I can't see an "idmap backend = " parameter in your smb.conf !

What is the result of "wbinfo -u" and "wbinfo -g" and "wbinfo -t" ???

Bye,
Andy



[Samba] Re: Samba server as part of AD domain keeps asking for username and password

2008-09-04 Thread Andreas Ladanyi

Hello Wolfgang,


[woma]
comment = test folder for ads
path = /home/woma
browseable = yes
read only = No
guest ok = no
create mask = 0770
directory mask = 0770


guest ok = no -> The result is that you have to authenticate if you want to 
access this share !


So you have to define a "valid user" list:

valid user = DOMAIN\user or @DOMAIN\group or both !

The \ between DOMAIN and user or group is given by the parameter:

winbind separator = 

Default is: \



If you set "guest ok = yes" then I am sure you will have no user/password 
prompt ! Then you don't need a "valid user = .." list.



bye,
Andy






[Samba] Re: Howto to set ACLs (like force user/ force group for single user/group) with Samba

2008-08-28 Thread Andreas Ladanyi

Andreas Ladanyi wrote:

Hi everybody,

the force user/group does a great work.

But i have to set an ACL with Samba when a file/directory is created. 
Does Samba have an integrated mechanism ?


My alternative idea is to use the "preexec" and "postexec" method.

Bye,
Andy



I found out:

I have to set an ACL on a parent directory myself with setfacl.

If I want the ACL for files and directories below this parent 
directory to be set automatically, I have to set:


inherit acl = yes

in the share definition.



[Samba] Re: Howto control ssh logins with winbind ?

2008-08-27 Thread Andreas Ladanyi


Andreas Ladanyi wrote:

Hi,

with NIS the "compat" Mode in /etc/nsswitch.conf was 
available. So you could exclude user/group from login to

the host. I read this mechanism is not possible
with winbind.


If you are using pam_winbind, look at the
require-membership-of PAM config option.



Hi jerry,

that's perfect!

Thanks a lot,
Andy








cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


[Samba] Re: Public share with samba/ Winbind

2008-08-27 Thread Andreas Ladanyi

Hi Alexandre,

I have not seen your smb.conf, but

guest ok = yes
browseable = yes (to get the share listed in the explorer)

should work.

We use "security = ads" and it works.

Is the "guest = ok" parameter accepted by samba ? Does samba run ?

You could test your smb.conf with the "testparm" program.
Type "testparm" on the command line.

Bye, Andy



Alexandre Mackow wrote:

Hi all,
I have a samba dataserver which works fine with AD authentication ...
I need a share which is accessible for everybody ( outside the main 
domain) .. Is it possible when " security = ads" ?

I tried public = yes , guest = ok .. But I need to authenticate myself.

Thanks a lot.
++




[Samba] Howto control ssh logins with winbind ?

2008-08-26 Thread Andreas Ladanyi

Hi,

with NIS the "compat" Mode in /etc/nsswitch.conf was available. So you 
could exclude user/group from login to the host. I read this mechanism 
is not possible with winbind.


Is there any solution to solve this issue ?

Bye,
Andy



[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-26 Thread Andreas Ladanyi

Hi Doug,

I read your mail carefully and would like to thank you for your detailed 
illustration. ;-)


I will change the parameter you suggest and do some more tests to 
verify my understanding.


Bye,
Andy



Doug VanLeuven wrote:

Andreas Ladanyi wrote:

There is one "UNIX attribute" tab and one "Members Of" tab.
During some tests we discover the following facts
=
In "UNIX attribute" tab:

winbind is only interested in the UID field ->
in ldap tree the attribute "uidnumber".
If you're talking SFU, it doesn't use uidnumber.  It uses attribute 
msSFU30UidNumber and displays UID on the Unix Attributes tab.
I don't have a Windows 2003 R2 for comparison.  Are you really using 
SFU (Services For Unix 3.0) or do you have the newer 2003 R2?


I use 2003 R2 and did install the "Unix plugin" for AD schemata 
extension from Windows component setup.

OK.  You probably have the rfc2307 attributes.


From rfc2307:

2.2. Attributes

  The attributes and classes defined in this document are summarized
  below.

  The following attributes are defined in this document:

  uidNumber
  gidNumber
  gecos
  homeDirectory
  loginShell
  ...(more attributes)...
This isn't "winbind nss info = sfu template", it's "nss info = rfc2307 
template"
SFU is strictly for MS (c) Services for Unix which added alien attribute 
names to the tree.

SFU attributes are named thus:
 msSFU30UidNumber
 msSFU30GidNumber
 msSFU30Gecos
 msSFU30HomeDirectory
 msSFU30LoginShell

If I remember the idmap_ad code correctly, idmap_ad queries for each 
style attribute and remembers what it finds.  For basic samba functionality, you don't
need to know your windows schema extension.  The winbind nss plugin will 
care though.


Winbind will pick up the uidNumber for users and the gidNumber for groups
but group membership will be determined by the windows group membership.
The gid numbers of the windows groups will come from your unix tab.
Put another way, winbind will lookup the SIDs of your windows group 
membership and lookup the gidNumber attribute for those SIDs.
You only have to synchronize the unix tab group membership if you are using
the windows NFS server.  Windows will use those numbers when it exports NFS
shares and sets NFS acls.
I used perl LDAP scripting to check the synchronization, because I needed
NFS shares in windows and wanted the acl permissions consistent.



The other attributes from "UNIX attribute" tab are written to ldap 
tree, but not used by winbind on linux side.

For example we set the following parameter in smb.conf:
winbind nss info = sfu
Of course we could define our own template bash/home with the 
"template home" and "template shell" parameter, but its better the 
"sfu" will work, so we would configure this parameter by the tab.
Winbind only uses this parameter when it creates a Unix account.  
Which shouldn't happen for your AD domain members if your AD is 
mapped correctly.
winbind uses this parameter only if "it" creates a unix account ? In 
case if i create a unix account with "adduser" on terminal ?
The mapping seems to be correctly if i have a look at "getent passwd + 
getent group"


The "primary Group" is written to the ldap tree but not used by 
winbind on the unix side.

I meant the "primary Group" text field from:
"UNIX attribute" tab
seems to be NOT used by winbind.

The "primary group" which you can set:
by clicking the button "primary group" in "Members Of" tab
IS USED by winbind perfectly.
I am sorry if my explanation wasn't clear in my last posting.

# net ads testjoin
Join is OK

# wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash

# getent group|grep 100
FOREST\domain users:x:100:

You can set the value msSFU30Gecos and winbind will report it, 
otherwise "Display Name" is used.



In "Members Of" tab:

In this tab you can choose a group from a list and there is a button 
you could set a Unix primary group by clicking. This will be read by 
winbind only. But this has no effect on the primary group ID on the 
"UNIX attribute" tab.


What do you say ? Did we configure something wrong ? Is this the 
normal function ?

I needed to use the "idmap config" values:
   idmap domains = FOREST
   idmap config FOREST:readonly = yes
   idmap config FOREST:backend = ad
   idmap config FOREST:range = 0 - 2
   idmap config FOREST:schema_mode = sfu

   idmap alloc backend = tdb
   idmap alloc config:range = 5-50999

and of course in nsswitch.conf:
passwd: compat winb

[Samba] Howto to set ACLs (like force user/ force group for single user/group) with Samba

2008-08-26 Thread Andreas Ladanyi

Hi everybody,

the force user/group does a great work.

But i have to set an ACL with Samba when a file/directory is created. 
Does Samba have an integrated mechanism ?


My alternative idea is to use the "preexec" and "postexec" method.

Bye,
Andy

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-24 Thread Andreas Ladanyi

There is one "UNIX attribute" tab and one "Members Of" tab.
During some tests we discover the following facts
In "UNIX attribute" tab:

winbind is only interested in the UID field ->
in ldap tree the attribute "uidnumber".
If you're talking SFU, it doesn't use uidnumber.  It uses attribute 
msSFU30UidNumber and displays UID on the Unix Attributes tab.
I don't have a Windows 2003 R2 for comparison.  Are you really using SFU 
(Services For Unix 3.0) or do you have the newer 2003 R2?


I use 2003 R2 and did install the "Unix plugin" for AD schemata 
extension from Windows component setup.


The other attributes from "UNIX attribute" tab are written to ldap 
tree, but not used by winbind on linux side.

For example we set the following parameter in smb.conf:
winbind nss info = sfu
Of course we could define our own template bash/home with the 
"template home" and "template shell" parameter, but its better the 
"sfu" will work, so we would configure this parameter by the tab.
Winbind only uses this parameter when it creates a Unix account.  Which 
shouldn't happen for your AD domain members if your AD is mapped correctly.


winbind uses this parameter only if "it" creates a unix account ? In 
case if i create a unix account with "adduser" on terminal ?


The mapping seems to be correctly if i have a look at "getent passwd + 
getent group"


The "primary Group" is written to the ldap tree but not used by 
winbind on the unix side.


I meant the "primary Group" text field from:

"UNIX attribute" tab

seems to be NOT used by winbind.



The "primary group" which you can set:

by clicking the button "primary group" in "Members Of" tab

IS USED by winbind perfectly.


I am sorry if my explanation wasn't clear in my last posting.



# net ads testjoin
Join is OK

# wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash

# getent group|grep 100
FOREST\domain users:x:100:

You can set the value msSFU30Gecos and winbind will report it, otherwise 
"Display Name" is used.



In "Members Of" tab:

In this tab you can choose a group from a list and there is a button 
you could set a Unix primary group by clicking. This will be read by 
winbind only. But this has no effect on the primary group ID on the 
"UNIX attribute" tab.


What do you say ? Did we configure something wrong ? Is this the 
normal function ?

I needed to use the "idmap config" values:
   idmap domains = FOREST
   idmap config FOREST:readonly = yes
   idmap config FOREST:backend = ad
   idmap config FOREST:range = 0 - 2
   idmap config FOREST:schema_mode = sfu

   idmap alloc backend = tdb
   idmap alloc config:range = 5-50999

and of course in nsswitch.conf:
passwd: compat winbind
group:  compat winbind

some people like to use "files" instead of "compat", but that's about 
NIS semantics and doesn't matter to winbind.



 winbind separator = /
 winbind enum users = yes
 winbind enum groups = yes
 winbind cache time = 60
 idmap backend = ad
 idmap uid = 6000-27000
 idmap gid = 600-7000
 template shell = /bin/bash
 template homedir = /home/%U
 winbind use default domain = yes
 winbind refresh tickets = yes
 allow trusted domains = yes
 winbind nss info =  sfu  template

My nsswitch.conf is like yours.

We want to use the "compat" mode because we hope we could exclude some 
users from login. This isn't possible with winbind ?!


Alternatively I know pam_require. Do you know a way to do this 
task ?


Is there a part of the documentation where the ldap attributes used by 
winbind are shown ? Or do I have to look this up in the source code :-)



Thanks a lot for your posting,

Andy





Regards, Doug





[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-23 Thread Andreas Ladanyi

Hey Jerry,

Gerald (Jerry) Carter wrote:

Andreas Ladanyi wrote:


Ok ! Could it be true this behavior is different between
"security=domain" and "security=ads" ?

Because we had to put the user into the group:
- first on the Windows side in Active Directory
- second on the unix side in AD in the tab "Members of"

so that the winbind 3.0.24 client recognises the group membership 
on the unix side in "security=domain" mode.


Now we changed to Samba 3.0.31 with security=ads 
mode and the behavior is a bit different.


You lost me here.  Maybe due to the fact that I am accustomed
to the Windows 2003 R2 Unix Attribute tab.  The only member
of tab I see is to control the Windows group memberships.



The reason for my message is a little confusion:

In general you are right ;-)

There is one "UNIX attribute" tab and one "Members Of" tab.

During some tests we discover the following facts

In "UNIX attribute" tab:


winbind is only interested in the UID field ->
in ldap tree the attribute "uidnumber".

The other attributes from "UNIX attribute" tab are written to ldap tree, 
but not used by winbind on linux side.


For example we set the following parameter in smb.conf:

winbind nss info = sfu

Of course we could define our own template bash/home with the "template 
home" and "template shell" parameter, but its better the "sfu" will 
work, so we would configure this parameter by the tab.


The "primary Group" is written to the ldap tree but not used by winbind 
on the unix side.


In "Members Of" tab:


In this tab you can choose a group from a list and there is a button you 
could set a Unix primary group by clicking. This will be read by winbind 
only. But this has no effect on the primary group ID on the "UNIX 
attribute" tab.





What do you say ? Did we configure something wrong ? Is this the normal 
function ?


Thanks,
Andy












[Samba] Re: Samba + Vista SP1 usernames with @ not working

2008-08-21 Thread Andreas Ladanyi

Andrei Mikhailovsky wrote:

Hi

I was wondering if anyone came across an issue with Vista with SP1 and
usernames that have @ in their usernames (example [EMAIL PROTECTED]).
The login to samba network stopped working once i have installed SP1.
The message I get is:

The local Session Manager service failed to logon
The data area passed to a system call is too small


From the server side I don't really see any errors and the same
username on pre SP1 workstation works without problems. Googling for
the problem does not show anything useful

Thanks for any suggestions

Andrei


Hi Andrei,

I am not sure I can help you, but I know domain users and domain groups 
are represented in a form like:


DOMAIN/user or DOMAIN/group

on the Samba side.

What is your "log level" in smb.conf ?

I recommend you to have a look at the logfile(s).

In my case:

tail -f logfile is the first utility if something goes wrong.

Try to locate the error message.

We use samba 3.0.31 in security=ads mode and vista(with and without SP1) 
in one domain and it works.


Andy





[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-20 Thread Andreas Ladanyi


Andreas Ladanyi wrote:


Winbind honors the Windows group membership and not
necessarily "msSFU30PosixMemberOf" attributes.


So it should be enough if you give the Windows group a GID in tab "UNIX
attribute" in Active Directory and you have to do nothing else for the
Linux side ?!



Yup.


Ok ! Could it be true this behavior is different between 
"security=domain" and "security=ads" ?


Because we had to put the user into the group:
- first on the Windows side in Active Directory
- second on the unix side in AD in the tab "Members of"

so that the winbind 3.0.24 client recognises the group membership on the unix side in 
"security=domain" mode.


Now we changed to Samba 3.0.31 with security=ads mode and the behavior 
is a bit different.


??






[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-20 Thread Andreas Ladanyi

Hi Jerry,


Gerald (Jerry) Carter wrote:

Andreas Ladanyi wrote:

Hi,

after deleting winbindd_idmap and winbindd_cache.tdb files:

For security =domain AND security=ADS !

wbinfo -u /-g /-t are ok !

getent passwd is ok.

getent group shows different group memberships as ldapsearch with filter
"msSFU30PosixMemberOf".




Winbind honors the Windows group membership and not
necessarily "msSFU30PosixMemberOf" attributes.


So it should be enough if you give the Windows group a GID in tab "UNIX 
attribute" in Active Directory and you have to do nothing else for the 
Linux side ?!





smb.conf - winbind:

winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
idmap backend = ad
idmap uid = 6000-27000
idmap gid = 600-7000
template shell = /bin/bash
template homedir  = /home/%u
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info =  template sfu

Any ideas ?

Andy




--
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


[Samba] Re: WG: Windows vista ultimate samba 3.0.31

2008-08-18 Thread Andreas Ladanyi

Hi Daniel,

I solved this issue with the parameter:

client ntlmv2 use = yes

in smb.conf.

But my Linux Server is an ADS member (security=ads). I don't know exactly 
if this is required so that the parameter above will work.


http://www.arktur.de/FAQ/28_120_de.html?highlight=lsa

Regards,
Andy


Daniel Müller wrote:

I found the solution:


I tried the srvmgr tool from Microsoft to get connected to my samba 3
domain (from an XP client).
And this tool told me the same "There is no PDC found for your domain.
You may go on but your rights may be
Restricted." As I logged on I saw that both my PDC and BDC were BDCs.
I stopped my BDC. Logged on to my PDC and remembering that I had also
smbd4wins running on the same machine
I restarted smbd4wins and then samba and everything worked fine. I
could join the vista client to the domain on the fly.

-Original Message-
From: Daniel Müller [mailto:[EMAIL PROTECTED] 
Sent: Monday, 18 August 2008 15:00

To: 'samba@lists.samba.org'
Subject: Windows vista ultimate samba 3.0.31


Hello to all

I have setup samba 3.0.31 as PDC successful with xp clients. Now I have
a vista ultimate pc which I cannot join to the domain. The error message
when I try to join to the domain is: The Domain is unavailable or the
connection could not be established.

What I've done so far:

Run secpol.msc --> Local Policies-->Security Options -->Lan Manager
authentication level-->changed it to: LM and NTLM- use NTLMV2 session
security if negotiated.

Has someone done the trick??

Greetings

Daniel Müller
Tropenklinik Paul-Lechler-Krankenhaus
[EMAIL PROTECTED]





[Samba] Re: Question to smbclient and domain users

2008-08-17 Thread Andreas Ladanyi
The answer is to use %U instead of %u (from the old smb.conf), then 
everything works :-)


Andreas Ladanyi wrote:

Hi,

smbclient i60ws1\\public_html  -U ladanyi

results in:

[2008/08/17 10:43:10, 0] smbd/service.c:make_connection_snum(1003)
  '/var/www/public_html/IPR-OFFICE/ladanyi' does not exist or permission 
denied when connecting to [public_html] Error was Permission denied


I use the:

winbind use default domain = yes

 option.

This option works for wbinfo -u/-g option.

Is it possible to get the query from:

/var/www/public_html/IPR-OFFICE/ladanyi

"converted" to:

/var/www/public_html/ladanyi


smb.conf:

security=ads
workgroup = IPR-OFFICE


winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
idmap uid = 6000-27000
idmap gid = 600-7000
idmap backend = ad
template shell = /bin/bash
template homedir = /home/%u
winbind use default domain = yes
winbind refresh tickets = yes
allow trusted domains = yes
winbind nss info =  rfc2307
winbind nested groups = yes
winbind normalize names = yes

Bye,
Andy






[Samba] Re: Question to smbclient and domain users

2008-08-17 Thread Andreas Ladanyi

Hi,

i read  FOR EXAMPLE if i have a share:

/home/%U

the directory structure:

/home/DOMAIN/username

has to be available.

In (debian) samba 3.0.24 /home/%U without DOMAIN was possible, however.

I setup sernet Samba 3.0.31 and i have to add the DOMAINNAME.

If i setup /home/%D/%U then the destination string is:

/home/IPR-OFFICE/IPR-OFFICE/ladanyi

I think the:

winbind use default domain

parameter only affects wbinfo and PAM for login ??

Bye,
Andy


Andreas Ladanyi wrote:

Hi,

smbclient i60ws1\\public_html  -U ladanyi

results in:

[2008/08/17 10:43:10, 0] smbd/service.c:make_connection_snum(1003)
  '/var/www/public_html/IPR-OFFICE/ladanyi' does not exist or permission 
denied when connecting to [public_html] Error was Permission denied


I use the:

winbind use default domain = yes

 option.

This option works for wbinfo -u/-g option.

Is it possible to get the query from:

/var/www/public_html/IPR-OFFICE/ladanyi

"converted" to:

/var/www/public_html/ladanyi


smb.conf:

security=ads
workgroup = IPR-OFFICE


winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
idmap uid = 6000-27000
idmap gid = 600-7000
idmap backend = ad
template shell = /bin/bash
template homedir = /home/%u
winbind use default domain = yes
winbind refresh tickets = yes
allow trusted domains = yes
winbind nss info =  rfc2307
winbind nested groups = yes
winbind normalize names = yes

Bye,
Andy






[Samba] Question to smbclient and domain users

2008-08-17 Thread Andreas Ladanyi

Hi,

smbclient i60ws1\\public_html  -U ladanyi

results in:

[2008/08/17 10:43:10, 0] smbd/service.c:make_connection_snum(1003)
  '/var/www/public_html/IPR-OFFICE/ladanyi' does not exist or 
permission denied when connecting to [public_html] Error was Permission 
denied


I use the:

winbind use default domain = yes

 option.

This option works for wbinfo -u/-g option.

Is it possible to get the query from:

/var/www/public_html/IPR-OFFICE/ladanyi

"converted" to:

/var/www/public_html/ladanyi


smb.conf:

security=ads
workgroup = IPR-OFFICE


winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
idmap uid = 6000-27000
idmap gid = 600-7000
idmap backend = ad
template shell = /bin/bash
template homedir = /home/%u
winbind use default domain = yes
winbind refresh tickets = yes
allow trusted domains = yes
winbind nss info =  rfc2307
winbind nested groups = yes
winbind normalize names = yes

Bye,
Andy




[Samba] ldapsearch and getent passd/group with nss winbind differs

2008-08-15 Thread Andreas Ladanyi

Hi,

after deleting winbindd_idmap and winbindd_cache.tdb files:

For security =domain AND security=ADS !

wbinfo -u /-g /-t are ok !

getent passwd is ok.

getent group shows different group memberships than ldapsearch with filter 
"msSFU30PosixMemberOf".


smb.conf - winbind:

winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
idmap backend = ad
idmap uid = 6000-27000
idmap gid = 600-7000
template shell = /bin/bash
template homedir  = /home/%u
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info =  template sfu

Any ideas ?

Andy
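
Added example, not part of the original post or of Samba: the reply in this thread says winbind honors the Windows group membership and not necessarily the msSFU30PosixMemberOf attribute, so the two views can grant different access on the Unix side. The sketch below compares them offline; the sample data, the example.test domain and all function names are constructed, and it assumes the Unix group name equals the CN of the group DN.

```python
from collections import defaultdict

# Constructed sample: `getent group` output as served through nss winbind.
GETENT_GROUP = """\
staff:x:6100:alice,bob
lab:x:6101:alice
"""

# Constructed sample: ldapsearch LDIF for user objects (example.test is made up).
LDIF = """\
dn: CN=Alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
msSFU30PosixMemberOf: CN=staff,CN=Users,DC=example,DC=test

dn: CN=Bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
msSFU30PosixMemberOf: CN=staff,CN=Users,DC=example,DC=test
msSFU30PosixMemberOf: CN=lab,CN=Users,DC=example,
 DC=test
"""


def parse_getent_group(text):
    """Map group name -> set of member names from name:pw:gid:members lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4:
            groups[parts[0].lower()] = {m.lower() for m in parts[3].split(",") if m}
    return groups


def parse_ldif(text):
    """Yield {attr: [values]} per entry; folded lines (leading space) are joined."""
    for block in text.replace("\n ", "").split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                entry[attr.lower()].append(value)
        if entry:
            yield entry


def sfu_memberships(ldif_text):
    """Map group name -> users whose msSFU30PosixMemberOf names that group.
    Assumption: the Unix group name equals the first RDN (CN) of the group DN."""
    groups = defaultdict(set)
    for entry in parse_ldif(ldif_text):
        if not entry.get("samaccountname"):
            continue
        user = entry["samaccountname"][0].lower()
        for dn in entry.get("mssfu30posixmemberof", []):
            groups[dn.split(",", 1)[0].split("=", 1)[1].lower()].add(user)
    return groups


def compare(getent_text, ldif_text):
    """Return, per group, the members seen on only one side."""
    nss, sfu = parse_getent_group(getent_text), sfu_memberships(ldif_text)
    report = {}
    for group in sorted(set(nss) | set(sfu)):
        only_nss = nss.get(group, set()) - sfu.get(group, set())
        only_sfu = sfu.get(group, set()) - nss.get(group, set())
        if only_nss or only_sfu:
            report[group] = {"only_in_getent": sorted(only_nss),
                             "only_in_sfu_attribute": sorted(only_sfu)}
    return report


if __name__ == "__main__":
    for group, diff in compare(GETENT_GROUP, LDIF).items():
        print(group, diff)
```

Members listed under only_in_getent hold the group on the Unix host although the SFU attribute does not say so, which is the side that decides file access there.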



[Samba] Problem user/group listing with winbind in ADS mode

2008-08-14 Thread Andreas Ladanyi

Hi together,

The user information is stored in ActiveDirectory with SFU 3 schema 
extension.


Some days ago i changed the security mode from:

domain -> ADS

I did a:

net ads join -U..

with the result "DNS Update failed", but the join seems to be ok.

Now the problem is the user and group listing:

getent group / getent passwd

works and information is shown, but it is absolutely incorrect. Wrong 
user in wrong group.


wbinfo -u/-g works ok.

If i change back to security=domain the information

getent group / getent passwd

is perfect.

Any ideas ?


Thanks,
 Andy



[Samba] Problem user/group listing with winbind in ADS mode

2008-08-14 Thread Andreas Ladanyi

Hi together,

The user information is stored in ActiveDirectory with SFU 3 schema 
extension.


Some days ago i changed the security mode from:

domain -> ADS

I did a:

net ads join -U..

with the result "DNS Update failed", but the join seems to be ok.

Now the problem is the user and group listing:

getent group / getent passwd

works and information is shown, but it is absolutely incorrect.

wbinfo -u/-g works ok.

If i change back to security=domain the information

getent group / getent passwd

is perfect.


Any ideas ?

Thanks, Andy



[Samba] Re: Parameter "idmap backend" is deprecated ???

2008-08-12 Thread Andreas Ladanyi

Hi Douglas,

thank you.

I have forgotten winbind architecture changed since 3.0.25

:-)

Bye,
Andy


In the meantime, use idmap config, something like this:
winbind nss info = sfu
idmap domains = DOMAINNAME
idmap config DOMAINNAME:readonly = yes
idmap config DOMAINNAME:default = yes
idmap config DOMAINNAME:backend = ad
idmap config DOMAINNAME:range = 500 - 2
idmap config DOMAINNAME:schema_mode = sfu

idmap alloc backend = tdb
idmap alloc config:range = 5-50999

Doug




[Samba] Re: Parameter "idmap backend" is deprecated ???

2008-08-12 Thread Andreas Ladanyi

Hi Douglas,

thank you.

I have forgotten the winbind architecture changed since 3.0.25

:-)

Andy


In the meantime, use idmap config, something like this:
winbind nss info = sfu
idmap domains = DOMAINNAME
idmap config DOMAINNAME:readonly = yes
idmap config DOMAINNAME:default = yes
idmap config DOMAINNAME:backend = ad
idmap config DOMAINNAME:range = 500 - 2
idmap config DOMAINNAME:schema_mode = sfu

idmap alloc backend = tdb
idmap alloc config:range = 5-50999

Doug





[Samba] Re: Parameter "idmap backend" is deprecated ???

2008-08-12 Thread Andreas Ladanyi

Volker Lendecke wrote:

On Tue, Aug 12, 2008 at 12:23:18AM +0200, Andreas Ladanyi wrote:

why is this parameter deprecated ?

I have to set this parameter if i want to get my user/group information 
from Active Directory with SFU AD schemata extension.


Is there a new parameter instead of "idmap backend" ???


It will come back in 3.3 :-)


Hi Volker,

i like your humor ;-)




Volker





[Samba] net ads join - DNS Update failed !

2008-08-11 Thread Andreas Ladanyi

Hi,

it seems that all is working perfectly, but if I start a "net ads join" I 
get the message "DNS Update failed !" .


What is the consequence if I don't care about this message ? Is the Samba 
Server (ADS member) only not registered in the ADS DNS tree ?


Bye,

Andy



[Samba] Parameter "idmap backend" is deprecated ???

2008-08-11 Thread Andreas Ladanyi

Hi,

why is this parameter deprecated ?

I have to set this parameter if i want to get my user/group information 
from Active Directory with SFU AD schemata extension.


Is there a new parameter instead of "idmap backend" ???

Bye, Andy



[Samba] Re: Trouble authenticating to Samba shares with Win 2k3 ADS

2008-07-23 Thread Andreas Ladanyi

Hey Andrew,

i read you use "idmap backend = ad".

Did you install the AD schemata addon for POSIX data. For example MS SFU 
or AD4UNIX ?


In our environment we installed MS SFU 3.5. This is a part of the 2003 
R2 server Installation, but you have set a tick in "Windows 
component/software setup" to install it.


Bye, Andy



I may have a deficiency in understanding the procedure for ADS
authentication with samba, but most of the server setup works so far.  I
have bound a Red Hat Enterprise 5 server to our windows domain, it shows
up in DNS and ADS, I can ping it, but I can't get samba shares to be
accessible to users, or even get the smbclient to return shares
properly.

 


wbinfo -g returns the domain groups properly
wbinfo -u returns the domain users properly

[EMAIL PROTECTED] samba]# wbinfo -a 'DNAME\uname'%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded

[EMAIL PROTECTED] samba]# wbinfo -K 'DNAME\uname'%secret
plaintext kerberos password authentication for [DNAME\uname%secret]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

[EMAIL PROTECTED] samba]# wbinfo -t
checking the trust secret via RPC calls succeeded

So that all works fine.  smbclient chokes though:

[EMAIL PROTECTED] samba]# smbclient -L solar -U 'DNAME\uname'
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

[EMAIL PROTECTED] samba]# smbclient -L solar -U uname
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

or if I even use a samba user that I have setup with smbpasswd

[EMAIL PROTECTED] samba]# smbclient -L solar -U sambaname
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

The only log file in /var/log/samba that shows any changes is log.nmbd

[2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)
  query_name_response: Multiple (2) responses received for a query on
subnet 192.168.77.244 for name DNAME<1d>.
  This response was from IP 192.168.77.216, reporting an IP address of
192.168.77.216.

Here is my smb.conf

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2008/07/17 09:25:15

[global]
   workgroup = DNAME
   realm = DNAME.LOCAL
   netbios aliases = solar.dname.local, solar.dname.com
   server string = Samba %v %h
   interfaces = 192.168.77.244
   security = ADS
#  security = user
   auth methods = winbind
   use kerberos keytab = Yes
   encrypt passwords = yes
   winbind enum users = Yes
   winbind enum groups = Yes
   preferred master = No
   local master = No
   domain master = No
   ldap ssl = no
   idmap domains = DNAME
   idmap uid = 1-2
   idmap gid = 1-2

[T_drive]
   writeable = yes
   valid users = sambaname,'DNAME\uname'
   public = yes
   path = /data/T_drive

Here is krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DNAME.LOCAL

[realms]
DNAME.LOCAL = {
   default_domain =
   kdc = nvautil01.DNAME.local:
   admin_server = nvadom01:
}

[domain_realm]
dname.local = DNAME.LOCAL

pam.d directory samba file

[EMAIL PROTECTED] samba]# more /etc/pam.d/samba
#%PAM-1.0
auth       sufficient  pam_krb5afs.so
account    sufficient  pam_krb5afs.so
auth       sufficient  pam_winbind.so
account    sufficient  pam_winbind.so
session    sufficient  pam_krb5afs.so
password   sufficient  pam_krb5afs.so
auth       required    pam_unix.so
account    required    pam_unix.so
session    sufficient  pam_winbind.so
password   sufficient  pam_winbind.so





[Samba] Access Samba share with Vista problem

2008-07-23 Thread Andreas Ladanyi

Hi,

Following situation:

1 Vista Client
1 Samba Server 3.0.24
1 2003 R2 AD Server

Samba Server is ADS member of 2003 Server.

The Vista client could only connect to share on the Samba Server if the 
user authenticate local.


If the user authenticate to the domain on Vista Client, then the Vista 
client couldnt mount smb Shares from Samba Server.


This results in message "Wrong parameter" (german: "Falscher Parameter").

Any ideas ?

Bye,

Andy



[Samba] Use shares like postboxes !

2007-07-24 Thread Andreas Ladanyi
Hello,

I want to configure a share for Windows like Postboxes. A user has a directory. 
He could do with the content whatever he wants. All the world could only put 
files in the user directory.

I think this must be the Unix permissions: rwx --- -w-

How should i configure this share in samba ? I would like a hierarchy like:

[postboxes]

path = /pathtoboxes/%U

I'm looking forward to your answers.

Bye Andy


[Samba] winbind AD and Kerberos !

2007-05-07 Thread Andreas Ladanyi
Hi,

Did i understand it correctly that the difference between "security=ADS" and  
"security=domain" is ADS will use Kerberos and domain will not ?

I configured my winbind with security=ADS. Could i change this to "domain" ? 
What do you think about the security question ?

Andy


[Samba] Winbind and the AD Group "Domain-Users" RID 513 !

2007-05-07 Thread Andreas Ladanyi
Hi all,

is it possible to configure winbind to not ask for the "Domain-Users" Group ? 

All my users should not be member of this primary Group, because i created my 
own Unix Group in the AD. Is it possible to change the Group membership to this 
Unix Group to get winbind out of asking for "Domain-Users" Group ?

This is  a problem because we have an old existing NIS with given Unix Groups.

Andy


[Samba] Winbind BUG ? idmap backend =ad !

2007-05-01 Thread Andreas Ladanyi
Hi all,

ldapsearch shows "uidNumber" attribute from ad.

samba 0.24

security=ads
idmap backend = ad
no idmap uid/gid ranges because ids are saved in AD ?!!
winbind nss info = sfu or rfc2307

wbinfo -t -u -g OK !

net ads join or net rpc join -> OK.

pam_winbind OK !

log.winbind: cat out for my username !
=

[2007/05/01 20:55:00, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(764)
  wcache_save_name_to_sid: IPR-OFFICE\LADANYI -> 
S-1-5-21-1783225922-323520374-3920701801-1187
[2007/05/01 20:55:00, 10] nsswitch/winbindd_cache.c:wcache_save_sid_to_name(787)
  wcache_save_sid_to_name: S-1-5-21-1783225922-323520374-3920701801-1187 -> 
ladanyi
[2007/05/01 20:55:00, 10] nsswitch/winbindd_cache.c:wcache_save_user(811)
  wcache_save_user: S-1-5-21-1783225922-323520374-3920701801-1187 (acct_name 
ladanyi)


same messages with all users


[2007/05/01 20:55:00, 1] nsswitch/winbindd_user.c:winbindd_getpwent(729)
  could not lookup domain user ladanyi
[2007/05/01 20:55:00, 10] sam/idmap_util.c:idmap_sid_to_uid(70)
  idmap_sid_to_uid: sid = [S-1-5-21-1783225922-323520374-3920701801-1187]
[2007/05/01 20:55:00, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid S-1-5-21-1783225922-323520374-3920701801-1187

...
same messages with all users
...

nsswitch.conf:


passwd files winbind
group files winbind

"su ladanyi" -> Unknown ID. There is noch nscd !

getent passwd -> After "files" was read and winbind should list the users, 
getent exits after 20 seconds with no nss winbind result.

winbind enumerating is activated.

Any ideas ? Thank you very much !


Andy
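
Added example, not part of the original post or of Samba: a small parser for the winbindd log format quoted above that reports accounts whose SID resolved to a name but for which no Unix uid could be obtained. The log lines are the ones from the post, with their mail-client line wraps kept; the function names are hypothetical.

```python
import re

# Log lines copied from the post above, including the wrapped continuation lines.
SAMPLE_LOG = r"""[2007/05/01 20:55:00, 10] nsswitch/winbindd_cache.c:wcache_save_name_to_sid(764)
  wcache_save_name_to_sid: IPR-OFFICE\LADANYI ->
S-1-5-21-1783225922-323520374-3920701801-1187
[2007/05/01 20:55:00, 10] nsswitch/winbindd_cache.c:wcache_save_sid_to_name(787)
  wcache_save_sid_to_name: S-1-5-21-1783225922-323520374-3920701801-1187 ->
ladanyi
[2007/05/01 20:55:00, 10] nsswitch/winbindd_cache.c:wcache_save_user(811)
  wcache_save_user: S-1-5-21-1783225922-323520374-3920701801-1187 (acct_name
ladanyi)
[2007/05/01 20:55:00, 1] nsswitch/winbindd_user.c:winbindd_getpwent(729)
  could not lookup domain user ladanyi
[2007/05/01 20:55:00, 10] sam/idmap_util.c:idmap_sid_to_uid(70)
  idmap_sid_to_uid: sid = [S-1-5-21-1783225922-323520374-3920701801-1187]
[2007/05/01 20:55:00, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid S-1-5-21-1783225922-323520374-3920701801-1187
"""

# Entry header: [date time, level] source_file:function(line)
HEADER = re.compile(
    r"^\[(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<source>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
SID = r"S-1-(?:\d+-)+\d+"


def parse_entries(text):
    """Split a Samba log into entries. Every non-header line continues the
    current entry, which also rejoins lines wrapped by a mail client."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entry = entries[-1]
            entry["msg"] = (entry["msg"] + " " + raw.strip()).strip()
    return entries


def unmapped_accounts(entries):
    """Return {sid: account_name} for SIDs that winbindd resolved to a name
    but could not map to a Unix uid."""
    names, failed = {}, []
    for entry in entries:
        if entry["func"] == "wcache_save_sid_to_name":
            m = re.search(rf"({SID}) -> (\S+)", entry["msg"])
            if m:
                names[m.group(1)] = m.group(2)
        elif entry["func"] == "winbindd_fill_pwent":
            m = re.search(rf"error getting user id for sid ({SID})", entry["msg"])
            if m and m.group(1) not in failed:
                failed.append(m.group(1))
    return {sid: names.get(sid, "<name not in log>") for sid in failed}


if __name__ == "__main__":
    for sid, name in unmapped_accounts(parse_entries(SAMPLE_LOG)).items():
        print(f"{name}: name lookup ok, no uid for {sid}")
```

A name that resolves while the uid lookup fails places the fault in the idmap layer rather than in the domain join or the name lookup.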