[Samba] Grant computer account access to share?

2011-11-10 Thread Andrew Lyon
Hi,

I have a Microsoft application (SCCM) which I need to grant access to
a samba share, however the service which reads the files can only
authenticate using the computer account, there is option to configure
it to use a domain account.

Is there any way to grant a computer account access to a share? On
windows I can simply add computer$ to the permissions but this doesn't
seem to be possible.

Failing that, might somebody suggest where the samba code could be
patched so that I could create a matching user account (computer with
$ stripped) and have samba grant that access instead.

Or a way to grant access based on the IP/name of the client?

Thanks
Andy
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Grant computer account access to share?

2011-11-10 Thread Andrew Lyon
On Thu, Nov 10, 2011 at 2:48 PM, Chris Weiss cwe...@gmail.com wrote:
 On Thu, Nov 10, 2011 at 2:24 AM, Andrew Lyon andrew.l...@gmail.com wrote:
 Hi,

 I have a Microsoft application (SCCM) which I need to grant access to
 a samba share, however the service which reads the files can only
 authenticate using the computer account, there is option to configure
 it to use a domain account.

 Do you mean to say that it's a Windows service whose Log On tab is
 set to Local System? Because "authenticate using the computer
 account" isn't a thing. A Windows service running as Local System
 does not have permissions to access network resources at all. This is
 a Windows restriction; you have to have the account log on as a local
 or domain user if you want it to be able to access the network.

Yes, exactly that. In order to give the service access to Windows
shares on other Windows servers I can open the share properties,
select Permissions, Add, and add permissions for the AD computer
account, like this: http://oi44.tinypic.com/3007f36.jpg (notice the
computer icon and trailing $). A service running as Local System
can then access the share; here Computer Management is showing the
connected machine: http://oi41.tinypic.com/11wedl3.jpg. I can also run
cmd.exe as SYSTEM using Sysinternals psexec and access the share.

I assume that when the computer boots up it logs on to AD and thus
permissions can be granted directly to its AD account. It's quite an
unusual thing to do, and I think it is very bad design that MS provide
no way to configure a user account that the service uses to access the
share, but that's just how it works.



 Is there any way to grant a computer account access to a share? On
 windows I can simply add computer$ to the permissions but this doesn't
 seem to be possible.

 Without reading man smb.conf again, there used to be an option that
 let you set allowed and denied client IP addresses, and basically
 make the share public otherwise. I don't know if the option still
 exists in recent versions; my understanding is that it is trivially
 easy to spoof.


It doesn't really matter how I end up making this work; if I have to
run another instance of Samba on a different IP and run a separate
cable/VLAN then that's what I will do. At the moment I'm struggling to
find any combination of smb.conf options that allow the process to
access the share.

Andy
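Chris's warning that the address-based options (hosts allow / hosts deny are the ones he appears to be recalling) are trivially spoofable is something worth checking for mechanically across a whole smb.conf. The following Python script is an added example, not code from this thread or from the Samba project: it parses an smb.conf (the embedded sample is constructed, with invented share names and an invented SOMEDOMAIN\sccm01$ principal) and separates shares whose only gate is a client address list from shares that name an authenticated principal in valid users. Whether a given Samba release accepts a machine account in valid users is an assumption this check does not verify; it only reports what the configuration relies on.

```python
import configparser
import io

# Constructed sample smb.conf for the demonstration (not from the thread).
SAMPLE_SMB_CONF = """
[global]
    workgroup = SOMEDOMAIN
    security = ADS
    server string = Samba Server Version %v

[sccm-source]
    path = /srv/sccm
    hosts allow = 10.1.2.30
    guest ok = yes
    read only = yes

[sccm-auth]
    path = /srv/sccm-auth
    valid users = SOMEDOMAIN\\sccm01$
    read only = yes

[public-open]
    path = /srv/pub
    guest ok = yes

[printers]
    printable = yes
    guest ok = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {normalised key: value}}.

    smb.conf is INI-like: '=' separates key and value, keys may contain
    spaces and colons ('idmap config DOM : backend'), and values may carry
    '%' substitutions, so interpolation is disabled and ':' is not a delimiter.
    """
    cp = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False,
        comment_prefixes=("#", ";"),
    )
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_file(io.StringIO(text))
    return {s: dict(cp[s]) for s in cp.sections()}


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_shares(conf):
    """Return {share: finding} for shares that rely on a client address, or nothing.

    A share is flagged when it grants guest access and names no principal in
    'valid users': without 'hosts allow' it is open to everyone, and with it the
    only gate is a source address, which is what Chris calls spoofable.
    """
    findings = {}
    for share, opts in conf.items():
        if share in ("global", "homes", "printers") or is_yes(opts.get("printable", "no")):
            continue
        guest = is_yes(opts.get("guest ok", "no"))
        valid_users = opts.get("valid users", "").strip()
        hosts_allow = opts.get("hosts allow", "").strip()
        if guest and not valid_users:
            if hosts_allow:
                findings[share] = f"guest access gated only by hosts allow = {hosts_allow} (spoofable)"
            else:
                findings[share] = "guest access with no hosts allow and no valid users"
    return findings


def machine_accounts(conf):
    """Shares whose 'valid users' names an AD machine account (trailing '$')."""
    out = {}
    for share, opts in conf.items():
        principals = [p for p in opts.get("valid users", "").replace(",", " ").split()
                      if p.endswith("$")]
        if principals:
            out[share] = principals
    return out


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, finding in audit_shares(conf).items():
        print(f"{share}: {finding}")
    print("shares granting access to machine accounts:", machine_accounts(conf))
```

Run it against a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); the audit deliberately ignores [homes] and printable shares, since those are governed by other options.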


Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

2010-10-24 Thread Andrew Lyon
 -Original Message-
 From: Andrew Lyon [mailto:andrew.l...@gmail.com]
 Sent: Freitag, 22. Oktober 2010 11:50
 To: Oliver Weinmann
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always 
 domainusers!!!???

 On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann oliver.weinm...@vega.de 
 wrote:
 Hi,

 Any news regarding this problem? I have tested samba 3.5.6 and the
 problem still persists. I had to downgrade to 3.3 on a few machines now.

 Regards,
 Oliver

 -Original Message-
 From: samba-boun...@lists.samba.org
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
 Sent: Donnerstag, 9. September 2010 13:13
 To: samba@lists.samba.org
 Subject: [Samba] Samba-winbind 3.5.4 primary group is always
 domainusers!!!???

 Dear All,

 I stepped over a strange issue today. I have one installation of samba
 winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of
 a user is updated immediately. On a newer samba 3.5.4 installation the
 primary group is not updated at all. It always displays domain users.
 Is there a new setting for the smb.conf? Here is my smb.conf:

 [global]
        netbios name = gedail1
        realm = SOMEDOMAIN.NET
        workgroup = SOMEDOMAIN
        security = ADS
        encrypt passwords = true
        password server = server1.somedomain.net server2.somedomain.net
        os level = 20
        idmap backend = ad
        idmap config SOMEDOMAIN : backend = ad
        idmap config SOMEDOMAIN : schema_mode = sfu
        idmap config SOMEDOMAIN : range = 0-
        winbind nss info = sfu
        winbind enum users = yes
        winbind enum groups = yes
        preferred master = no
        winbind nested groups = Yes
        winbind use default domain = Yes
        max log size = 50
        log level = 10
        log file = /var/log/samba/log.%m
        dns proxy = no
        wins server = 172.20.200.18 172.18.200.20
        allow trusted domains = no
        client use spnego = Yes
        use kerberos keytab = true
        winbind refresh tickets = yes
        idmap cache time = 1
        winbind cache time = 1

 It's a W2k3 AD Domain.

 Regards,
 Oliver


 I've noticed the same with samba 3.5.6, our administrator user has primary 
 group name/gid Domain Admins but the primary group on our linux systems is 
 domain users.

 I've noticed that searching AD for users with rfc2307/sfu attributes shows 
 the correct gid:

 net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName 
 uidNumber gidNumber -P

 sAMAccountName: Domain Users
 objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
 gidNumber: 1

 sAMAccountName: test
 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
 uidNumber: 10009
 gidNumber: 10010

 The gid returned is correct, and if I change it and remove the cache file it 
 updates, so it is definitely being read from AD, but all users have gid 
 domain users:

  wbinfo -i test
 test:*:10009:1:test:/home/test:/bin/bash

 Andy


On Fri, Oct 22, 2010 at 10:55 AM, Oliver Weinmann
oliver.weinm...@vega.de wrote:
 Good to know that I'm not the only one facing this serious problem. I would 
 really like to know why this is not the case under samba 3.3. Currently I 
 have stopped upgrading from 3.3 to 3.5.x because this problem is generating 
 a lot of trouble for us when users of different projects create files and 
 they are read/write for all members of domain users. The only way around 
 this is to use the SGID on the folder to inherit the project group.

Hi,

I've been looking at this again and found that the primary gid is read
from the user's primary Windows group, not the one set in the UNIX
Attributes tab which is added by registering nisprop.dll.

To change the windows primary group go to the Member Of tab in ADUC,
highlight the group and click Set Primary Group, for example I set
user test to have domain admins as primary group:

uid=10009(test) gid=10010(domain_admins)
groups=10010(domain_admins),1(domain_users)

The Primary group name/GID in UNIX Attributes seems to be unused by
winbind with sfu.
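The behaviour Andrew describes above (winbind taking the Unix primary gid from the user's Windows primary group rather than from the user's own gidNumber) can be audited for a whole directory from the same net ads search output shown in the thread. The following Python script is an added example, not code from the thread or from Samba: it parses that LDIF-style output, assumes the query also asked for objectSid and primaryGroupID (both standard AD attributes; that net ads search renders objectSid as an S-1-5-... string is an assumption about the tool's output), and lists users whose UNIX-attributes gid is not the gid winbind would hand out. The sample output is constructed, with an invented domain SID.

```python
# Constructed sample of 'net ads search' output in the layout the thread shows,
# extended with objectSid and primaryGroupID. All values are invented.
SAMPLE_NET_ADS_SEARCH = """\
sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 1

sAMAccountName: Domain Admins
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
gidNumber: 10010

sAMAccountName: project-x
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10020

sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1108
primaryGroupID: 513
uidNumber: 10009
gidNumber: 10010

sAMAccountName: alice
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1109
primaryGroupID: 1105
uidNumber: 10011
gidNumber: 10020
"""


def parse_net_ads_search(text):
    """Split the output into one {attribute: value} dict per blank-line-separated entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries


def rid(sid):
    """Relative identifier: the last component of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])


def effective_primary_gids(entries):
    """Map user -> (gid from the user's own gidNumber, gid via the Windows primary group).

    The first value is what the UNIX Attributes 'Primary group name/GID' field
    holds. The second follows the behaviour described in the thread: take the
    user's primaryGroupID (a RID), find the group whose objectSid ends in that
    RID, and use that group's gidNumber. None means no mapping was available.
    """
    groups_by_rid = {
        rid(e["objectSid"]): e
        for e in entries
        if e.get("objectCategory", "").startswith("CN=Group,") and "objectSid" in e
    }
    result = {}
    for e in entries:
        if not e.get("objectCategory", "").startswith("CN=Person,"):
            continue
        unix_gid = int(e["gidNumber"]) if "gidNumber" in e else None
        pgid = e.get("primaryGroupID")
        group = groups_by_rid.get(int(pgid)) if pgid else None
        win_gid = int(group["gidNumber"]) if group and "gidNumber" in group else None
        result[e["sAMAccountName"]] = (unix_gid, win_gid)
    return result


def mismatches(entries):
    """Users whose UNIX-attribute gid differs from the gid their Windows primary group yields."""
    return {u: g for u, g in effective_primary_gids(entries).items() if g[0] != g[1]}


if __name__ == "__main__":
    entries = parse_net_ads_search(SAMPLE_NET_ADS_SEARCH)
    for user, (unix_gid, win_gid) in mismatches(entries).items():
        print(f"{user}: UNIX attributes say gid {unix_gid}, Windows primary group gives {win_gid}")
```

To run it against a real domain, feed it the output of net ads search with objectSid and primaryGroupID added to the attribute list; the constructed "test" user reproduces the thread's symptom (gidNumber 10010 in AD, gid 1 from wbinfo -i) because its Windows primary group is still Domain Users.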

Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

2010-10-24 Thread Andrew Lyon

[Samba] samba 3.5.6 offline logon?

2010-10-22 Thread Andrew Lyon
Hi,

Is anybody successfully using offline logon with samba 3.5.6? I've set
everything up as per the documentation, but even if I manually set
winbind offline using "smbcontrol winbindd offline" I cannot log on if
I disconnect the machine from the network.

To enable offline logon I added the following settings:

/etc/samba/smb.conf

winbind offline logon = yes
winbind reconnect delay = 5


/etc/security/pam_winbind.conf

krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes

I'm using idmap backend ad with schema mode rfc2307 and also winbind
nss info = rfc2307; perhaps that combination is not supported for
offline logon?

Andy


Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

2010-10-22 Thread Andrew Lyon
On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann
oliver.weinm...@vega.de wrote:
 Hi,

 Any news regarding this problem? I have tested samba 3.5.6 and the
 problem still persists. I had to downgrade to 3.3 on a few machines now.

 Regards,
 Oliver

 -Original Message-
 From: samba-boun...@lists.samba.org
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
 Sent: Donnerstag, 9. September 2010 13:13
 To: samba@lists.samba.org
 Subject: [Samba] Samba-winbind 3.5.4 primary group is always
 domainusers!!!???

 Dear All,

 I stepped over a strange issue today. I have one installation of samba
 winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of a
 user is updated immediately. On a newer samba 3.5.4 installation the
 primary group is not updated at all. It always displays domain users.
 Is there a new setting for the smb.conf? Here is my smb.conf:

 [global]
        netbios name = gedail1
        realm = SOMEDOMAIN.NET
        workgroup = SOMEDOMAIN
        security = ADS
        encrypt passwords = true
        password server = server1.somedomain.net server2.somedomain.net
        os level = 20
        idmap backend = ad
        idmap config SOMEDOMAIN : backend = ad
        idmap config SOMEDOMAIN : schema_mode = sfu
        idmap config SOMEDOMAIN : range = 0-
        winbind nss info = sfu
        winbind enum users = yes
        winbind enum groups = yes
        preferred master = no
        winbind nested groups = Yes
        winbind use default domain = Yes
        max log size = 50
        log level = 10
        log file = /var/log/samba/log.%m
        dns proxy = no
        wins server = 172.20.200.18 172.18.200.20
        allow trusted domains = no
        client use spnego = Yes
        use kerberos keytab = true
        winbind refresh tickets = yes
        idmap cache time = 1
        winbind cache time = 1

 It's a W2k3 AD Domain.

 Regards,
 Oliver


I've noticed the same with samba 3.5.6, our administrator user has
primary group name/gid Domain Admins but the primary group on our
linux systems is domain users.

I've noticed that searching AD for users with rfc2307/sfu attributes
shows the correct gid:

net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
sAMAccountName uidNumber gidNumber -P

sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
gidNumber: 1

sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
uidNumber: 10009
gidNumber: 10010

The gid returned is correct, and if I change it and remove the cache
file it updates, so it is definitely being read from AD, but all users
have gid domain users:

 wbinfo -i test
test:*:10009:1:test:/home/test:/bin/bash

Andy


Re: [Samba] Samba 3.5.5. id-map issues with Active Directory

2010-10-20 Thread Andrew Lyon
On Tue, Oct 12, 2010 at 4:03 PM, Haven ha...@thehavennet.org.uk wrote:
  Hi Andrew,

 On 10/12/10 08:26, Andrew Lyon wrote:

 I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
 working in rfc2307 mode, wbinfo -u and -g return users and groups, but
 wbinfo -i user fails. Other test I tried is:

 net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
 sAMAccountName uidNumber gidNumber -P

 Which shows that I have 3 users and 2 groups which have rfc2307
 attributes, however mapping is not working, files owned by the mapped
 uid/gid do not show the username or group when listed, and users are
 unable to authenticate to the samba server.

 I've noticed some errors in winbindd log:

 [2010/10/12 08:24:53.276576,  3]
 winbindd/winbindd_misc.c:352(winbindd_interface_version)
   [ 8296]: request interface version
 [2010/10/12 08:24:53.276748,  3]
 winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
   [ 8296]: request location of privileged pipe
 [2010/10/12 08:24:53.276975,  3]
 winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
   list_users
 [2010/10/12 08:24:56.764312,  3]
 winbindd/winbindd_misc.c:352(winbindd_interface_version)
   [ 8381]: request interface version
 [2010/10/12 08:24:56.764473,  3]
 winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
   [ 8381]: request location of privileged pipe
 [2010/10/12 08:24:56.794828,  3]
 winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
   getpwnam test
 [2010/10/12 08:24:56.927925,  3]
 libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
   ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
 [2010/10/12 08:24:56.927999,  2]
 winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
   ad_idmap_cached_connection: Failed to obtain schema details!

 Your errors look different but the symptoms are the same. I've another
 person with the same issue, the link below explains the exact problem I
 have:

 http://www.spinics.net/lists/samba/msg92328.html

 A snippet from one of my logs shows the issue:

 [2010/10/12 12:54:42.931329,  5]
 winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-4140011924-985775245-1159988818-1608:
 NT_STATUS_NONE_MAPPED
 [2010/10/12 12:54:42.931436, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[25718:GETPWNAM]: NT_STATUS_NONE_MAPPED

 If I wbinfo -S S-1-5-21-4140011924-985775245-1159988818-1608 then I get
 the right UID returned.

 When I type id I get No such user

 wbinfo -u and -g show all my users and groups fine.

 I've found an odd hack that gets me up and running for a short while but I'm
 not entirely sure why its working, I've described it below.

   Old broken:
 
           idmap backend = ad
           winbind nss info = rfc2307
 
   New working:
 
           idmap uid = 1-2
           idmap gid = 1-2
 
 Doesn't that change work around the problem by disabling idmap
 altogether? It may work, but the mappings will not be consistent if you
 have multiple samba servers.

 If I replace my standard smb.conf with the changes above and then net ads
 join  and restart winbind I can get an id for any of my users. I only need
 to do this for one user.

 Then I switch back to the original idmap backend = ad smb.conf and restart
 winbind again.

 At this point all my user id's work once again with the exception of the
 test user that I used which now has an invalidly cached uid.

 If I net cache flush then this breaks the id mapping once again.

 So basically something is screwy and somehow cache files are involved, I'm
 pretty sure its /var/run/samba/gencache* that is storing this data but that
 could be a symptom and not the cause. I've not had chance to start decoding
 cache files and examining their contents yet.

 An alternative option that I've tried is to switch to an rid back end across
 all of our systems, this is obviously going to take some more verification
 and planning before going into effect but I've included my test rid config
 below in-case it is of use to you. The few test cases I've run so far gave
 good results.

 If you manage to get any further then let me know as curiosity has long
 since moved onto frustration :)

 [global]
        dos charset = 850
        workgroup = DOMAIN
        realm = DOMAIN.NET
        server string = Samba Server Version %v
        security = ADS
        password server = 192.168.1.2, 192.168.1.3, *
        client NTLMv2 auth = Yes
        kerberos method = system keytab
        log level = 10
        debug timestamp = No
        disable netbios = Yes
        name resolve order = host lmhosts
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
 SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = No
        domain master = No
        dns proxy = No
        idmap uid = 9000-
        idmap gid = 9000-
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        winbind
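Andrew's caveat, made in the reply above and again in his 2010-10-12 reply on this thread further down the page, is that replacing the per-domain backend with bare idmap uid/gid ranges turns the mapping into an allocation that each server performs on its own, whereas the rid backend Haven is trialling derives the id from the SID. The following Python model is an added example, not code from the thread or from Samba: it maps the same three users (constructed SIDs; the domain SID is invented, the 9000 lower bound is taken from Haven's config and the upper bound is assumed) on two servers that first see the users in different orders, once with a RID-derived mapping following the formula given in the idmap_rid man page and once with a first-come allocator standing in for the default tdb backend, and reports which users end up with different ids on the two servers.

```python
# Constructed SIDs for the illustration; the domain SID is invented.
DOMAIN_SID = "S-1-5-21-4140011924-985775245-1159988818"
USERS = {
    "alice": f"{DOMAIN_SID}-1105",
    "bob": f"{DOMAIN_SID}-1106",
    "carol": f"{DOMAIN_SID}-1608",
}


def rid_of(sid):
    """Relative identifier: the last component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def idmap_rid(sid, low, high, base_rid=0):
    """Deterministic mapping in the style of Samba's idmap_rid backend.

    The idmap_rid man page gives ID = RID - BASE_RID + LOW_RANGE_ID. A result
    outside [low, high] is unmapped (None), which is how a range that is too
    small shows up as an unmapped SID for a user other tools can still list.
    """
    uid = rid_of(sid) - base_rid + low
    if uid < low or uid > high:
        return None
    return uid


class AllocatingIdmap:
    """Simplified model of an allocating backend: first request gets the next free id.

    Nothing ties the result to the SID, so two servers that meet the same users
    in a different order hand out different ids. This is the property Andrew
    warns about; it is not a reimplementation of Samba's tdb backend.
    """

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.next_id = low
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                return None
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def compare_servers(lookup_orders, backend_factory):
    """Map every user on one server per lookup order; return {user: [id per server]}.

    backend_factory() must return a fresh callable sid -> id for each server,
    so that allocation state is not shared between them.
    """
    per_server = []
    for order in lookup_orders:
        backend = backend_factory()
        per_server.append({u: backend(USERS[u]) for u in order})
    return {u: [s[u] for s in per_server] for u in USERS}


def inconsistent_users(results):
    """Users whose id differs between servers."""
    return sorted(u for u, ids in results.items() if len(set(ids)) != 1)


if __name__ == "__main__":
    orders = [["alice", "bob", "carol"], ["carol", "alice", "bob"]]
    rid_results = compare_servers(orders, lambda: (lambda sid: idmap_rid(sid, 9000, 99999)))
    tdb_results = compare_servers(orders, lambda: AllocatingIdmap(10000, 20000).lookup)
    print("rid backend:", rid_results, "inconsistent:", inconsistent_users(rid_results))
    print("allocating backend:", tdb_results, "inconsistent:", inconsistent_users(tdb_results))
```

The second lookup order only swaps which server sees carol first, yet every user's allocated id changes; file ownership copied between the two servers by uid would silently point at the wrong people. The rid mapping is the same on both, at the cost of needing a range wide enough for the largest RID in the domain.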

[Samba] Samba 3.5.6 pam problems

2010-10-20 Thread Andrew Lyon
Hi,

I've set up Samba 3.5.6 as a member server in a 2003R2 domain with a
single DC. idmapping is by rfc2307 with a tdb backend for builtin
accounts etc. I can list users and groups using wbinfo, and I can
create shares and access them from the Windows server; files and
folders owned by AD users show the correct user and group names, so
mapping appears to be working. I can su to AD accounts but I am unable
to ssh into the system as an AD user.

Relevant config files:

cat /etc/samba/smb.conf


[global]
debug hires timestamp = yes
workgroup = SAMBATEST
security = ADS
winbind use default domain = true
realm = SAMBATEST.LOCAL
server string = Samba file and print server
log level = 3
max log size = 4192
printcap name = cups
idmap config SAMBATEST : backend  = ad
idmap config SAMBATEST : range = 1-10020
idmap config SAMBATEST : schema_mode = rfc2307
idmap config SAMBATEST : default = yes
idmap backend = tdb
idmap uid = 10100-10110
idmap gid = 10100-10110
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes
winbind nested groups = Yes
client ntlmv2 auth = yes
encrypt passwords = yes
password server = w2k3r2svr.sambatest.local
template shell = /bin/bash
[homes]
comment = Home Directories
read only = No

[printers]
comment = All Printers
guest ok = Yes
printable = Yes
browseable = No
available = No

cat /etc/pam.d/sshd
auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login

cat /etc/pam.d/system-remote-login
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login

cat /etc/pam.d/system-login
auth            required        pam_tally.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth

account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally.so onerr=succeed

password        include         system-auth

session         required        pam_env.so
session         optional        pam_lastlog.so
session         include         system-auth
session         optional        pam_ck_connector.so nox11
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so

file /etc/pam.d/system-auth
/etc/pam.d/system-auth: symbolic link to `system-auth-winbind'

cat /etc/pam.d/system-auth-winbind
#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/3.5/system-auth-winbind.pam,v 1.1 2010/03/01 16:19:54 patrick Exp $

auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so likeauth nullok use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_winbind.so
account     sufficient    pam_unix.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     sufficient    pam_unix.so

Trust is ok:

wbinfo -t
checking the trust secret for domain SAMBATEST via RPC calls succeeded


I can authenticate the user using kerberos

kinit testuser
Password for testu...@sambatest.local:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testu...@sambatest.local

Valid starting     Expires            Service principal
10/20/10 12:28:11  10/20/10 19:08:11  krbtgt/sambatest.lo...@sambatest.local

And with wbinfo:


wbinfo -a testuser%abcABC123
plaintext password authentication failed
Could not authenticate user testuser%abcABC123 with plaintext password
challenge/response password authentication succeeded

When authenticating with wbinfo the following events are logged to log.winbindd

[2010/10/20 12:39:25.902284,  3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 2329]: request interface version
[2010/10/20 12:39:25.902435,  3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 2329]: request location of privileged pipe
[2010/10/20 12:39:25.902626,  3] winbindd/winbindd_pam.c:818(winbindd_pam_auth)
  [ 2329]: pam auth testuser
[2010/10/20 12:39:25.911435,  3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 2329]: request interface version
[2010/10/20 12:39:25.911533,  3] winbindd/winbindd_misc.c:340(winbindd_info)
  [ 2329]: request misc 
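When wbinfo -a succeeds but a service login does not, the first thing to pin down is which modules sshd actually evaluates, and in what order, once the include chain in the files above is resolved. The following Python script is an added example, not part of the thread: it rebuilds the sshd auth and account stacks from copies of the pam.d files posted above (reduced to the auth and account groups and written to a temporary directory, so it runs anywhere) and lists the required modules that sit ahead of pam_winbind.so, each of which can fail the group on its own before winbind is consulted. Substack scoping is not modelled; only include ordering is.

```python
import os
import tempfile

# Copies of the pam.d files from the thread, reduced to the auth and account
# groups, which are the ones that decide whether an ssh login is accepted.
PAMD_FILES = {
    "sshd": """\
auth       include      system-remote-login
account    include      system-remote-login
""",
    "system-remote-login": """\
auth            include         system-login
account         include         system-login
""",
    "system-login": """\
auth            required        pam_tally.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth

account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally.so onerr=succeed
""",
    # system-auth is a symlink to system-auth-winbind on the poster's system.
    "system-auth": """\
auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so likeauth nullok use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_winbind.so
account     sufficient    pam_unix.so
""",
}


def flatten(pamd_dir, service, group, _seen=frozenset()):
    """Return the effective [(control, module, args)] list for one management group.

    Follows 'include' and 'substack' for ordering purposes only (the way a
    'sufficient' inside a substack returns to the caller is not modelled) and
    refuses include cycles instead of recursing forever.
    """
    if service in _seen:
        raise ValueError(f"include cycle at {service}")
    _seen = _seen | {service}
    stack = []
    with open(os.path.join(pamd_dir, service)) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            tokens = line.split()
            if len(tokens) < 3 or tokens[0] != group:
                continue
            if tokens[1].startswith("["):
                # '[success=1 default=ignore]' style control spans several tokens
                end = next((i for i, t in enumerate(tokens) if t.endswith("]")), None)
                if end is None or end + 1 >= len(tokens):
                    raise ValueError(f"malformed line in {service}: {line}")
                control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
            else:
                control, rest = tokens[1], tokens[2:]
            module, args = rest[0], " ".join(rest[1:])
            if control in ("include", "substack"):
                stack.extend(flatten(pamd_dir, module, group, _seen))
            else:
                stack.append((control, module, args))
    return stack


def modules_before_winbind(stack):
    """Required/requisite modules evaluated before pam_winbind.so in this stack.

    A failure in any of them fails the management group regardless of what
    winbind later says, which is why 'wbinfo -a' can succeed while the login fails.
    """
    out = []
    for control, module, _ in stack:
        if module == "pam_winbind.so":
            break
        if control in ("required", "requisite"):
            out.append(module)
    return out


def write_sample_pamd():
    """Write the constructed pam.d files to a fresh temporary directory and return its path."""
    d = tempfile.mkdtemp(prefix="pamd-")
    for name, body in PAMD_FILES.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    pamd = write_sample_pamd()
    for group in ("auth", "account"):
        stack = flatten(pamd, "sshd", group)
        print(f"sshd {group}:", [(c, m) for c, m, _ in stack])
        print("  gates ahead of winbind:", modules_before_winbind(stack))
```

Point flatten() at /etc/pam.d instead of the temporary directory to see the real stack for any service; comparing the result for sshd with the result for su is the quickest way to find which module differs when one login method works and the other does not.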

Re: [Samba] Samba 3.5.6 pam problems

2010-10-20 Thread Andrew Lyon

Re: [Samba] Samba 3.5.5. id-map issues with Active Directory

2010-10-12 Thread Andrew Lyon
On Mon, Oct 4, 2010 at 4:53 PM, Haven ha...@thehavennet.org.uk wrote:
  Its taken a lot of fairly random experimentation but I've finally got
 configs that work under samba 3.5.5 on both Gentoo and Debian with 2008
 server. The sections in my old config that seemed to be causing the problems
 and their replacements are shown below:

I've run into the same problem trying to get 3.5.5 and 3.5.6 idmap
working in rfc2307 mode, wbinfo -u and -g return users and groups, but
wbinfo -i user fails; another test I tried is:

net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
sAMAccountName uidNumber gidNumber -P

Which shows that I have 3 users and 2 groups which have rfc2307
attributes, however mapping is not working, files owned by the mapped
uid/gid do not show the username or group when listed, and users are
unable to authenticate to the samba server.

I've noticed some errors in winbindd log:

[2010/10/12 08:24:53.276576,  3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 8296]: request interface version
[2010/10/12 08:24:53.276748,  3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 8296]: request location of privileged pipe
[2010/10/12 08:24:53.276975,  3]
winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
  list_users
[2010/10/12 08:24:56.764312,  3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [ 8381]: request interface version
[2010/10/12 08:24:56.764473,  3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [ 8381]: request location of privileged pipe
[2010/10/12 08:24:56.794828,  3]
winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam test
[2010/10/12 08:24:56.927925,  3]
libads/ldap_schema.c:324(ads_check_posix_schema_mapping)
  ads_check_posix_schema_mapping: failed STATUS_SOME_UNMAPPED
[2010/10/12 08:24:56.927999,  2]
winbindd/idmap_ad.c:185(ad_idmap_cached_connection)
  ad_idmap_cached_connection: Failed to obtain schema details!



 Old broken:

        idmap backend = ad
        winbind nss info = rfc2307

 New working:

        idmap uid = 1-2
        idmap gid = 1-2


Doesn't that change work around the problem by disabling idmap
altogether? It may work, but the mappings will not be consistent if you
have multiple samba servers.

Andy

 No changes were needed to my kerberos setup.

 I've included a copy of my current smb.conf that is working for me after
 upgrading from 3.4.8 to 3.5.5:

 [global]

 workgroup = DOMAIN
 security = ADS
 kerberos method = system keytab
 winbind use default domain = true
 realm = DOMAIN.NET

 disable netbios = yes
 name resolve order = host lmhosts
 hosts allow = 127.0.0.1 192.168.1.0/24 93.97.246.119
 hosts deny = 0.0.0.0/0

 password server = 192.168.1.2, 192.168.1.3, *

 idmap config DOMAIN : default = yes
 idmap config DOMAIN : schema_mode = rfc2307
 idmap config DOMAIN : backend = ad
 idmap config DOMAIN : range = 1-2

 idmap uid = 1-2
 idmap gid = 1-2

 winbind offline logon = yes
 winbind nested groups = yes
 winbind separator = +

 template homedir = /home/%U
 template shell = /bin/bash
 client ntlmv2 auth = yes
 encrypt passwords = yes

 local master = no
 domain master = no
 preferred master = no
 dns proxy = no

 server string = Samba Server Version %v

 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

 # Fix character set issues:
 # http://www.unixresources.net/linux/lf/59/archive/00/00/13/18/131896.html
 dos charset = 850
 unix charset = UTF-8

 There is still a slight discrepancy with debian returning more groups for
 users when you type id user than gentoo, but it appears to be a gentoo
 error i.e. 10005(denied rodc password replication group). Something to
 look at another day as auth works for now which is the main thing.

 Regards

 Simon



Re: [Samba] IDMAP_RID with Winbind works for groups but not users

2010-03-24 Thread Andrew Lyon
I've also tried storing the gid and uid in active directory by
installing the nisprop dll and exposing the unix attributes in aduac,
again it works for groups but not for users, users still have
sequential uid and it differs between samba servers.

Am I missing something? Could somebody post an example working config
for consistent mapping of uid and gid to those held in AD or using
idmap_rid?

Thanks
Andy

On 3/22/10, Andrew Lyon andrew.l...@gmail.com wrote:
 Hi,

 I've setup samba 3.4.7 to use idmap_rid as per the documentation:

 idmap backend = rid:DOMAIN=500-1
 idmap gid = 500-1
 imap uid = 500-1

 It seems to work for groups:

 wbinfo  --group-info=domain admins
 domain admins:x:100512

 PsGetSid v1.43 - Translates SIDs to names and vice versa
 Copyright (C) 1999-2006 Mark Russinovich
 Sysinternals - www.sysinternals.com

 SID for DOMAIN\domain admins:
 S-1-5-21-xx--xx-512

 But not for users:

 wbinfo  --user-info=administrator
 administrator:*:10027:10005:Administrator:/home/DOMAIN/administrator:/bin/zsh

 SID for DOMAIN\administrator:
 S-1-5-21-xx-x-xx-500

 wbinfo  --user-info=Test User
 test user:*:10048:10005:Test User:/home/DOMAIN/test user:/bin/zsh

 SID for DOMAIN\test user:
 S-1-5-21-x-x-xx-1758

 Have I made a mistake in the configuration?

 Andy


-- 
Sent from my mobile device
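As an added illustration (not code from this thread or from Samba) of the point raised in both messages above, why RID-based mapping stays consistent across several Samba servers while a per-server allocating backend hands out sequential ids: a Python model of the idmap_rid arithmetic (id = low + rid - base_rid, then range-checked, as Samba's idmap_rid does) beside a simplified sequential allocator. The SIDs, the 10000-20000 range and the lookup orders are constructed; only the RIDs 500 and 1758 come from the thread.

```python
import re

# Domain SID with four sub-authorities; the last one is the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Return the RID (last sub-authority) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def idmap_rid(sid, low, high, base_rid=0):
    """idmap_rid-style mapping: id = low + (rid - base_rid).
    Returns None when the id falls outside [low, high], i.e. unmapped."""
    xid = low + rid_of(sid) - base_rid
    return xid if low <= xid <= high else None


class SequentialAllocator:
    """Simplified model of an allocating backend (tdb-style): each SID not
    seen before gets the next free id, so the order of first sight decides."""

    def __init__(self, low, high):
        self.low, self.high, self.next_id, self.table = low, high, low, {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


# Constructed SIDs carrying the RIDs from the thread (500 = Administrator, 1758 = Test User).
ADMIN = "S-1-5-21-111-222-333-500"
TEST = "S-1-5-21-111-222-333-1758"


def compare(low=10000, high=20000):
    """Two 'servers' see the same users in different order.
    Returns (sequential map on A, sequential map on B, rid map valid on both)."""
    srv_a, srv_b = SequentialAllocator(low, high), SequentialAllocator(low, high)
    for sid in (ADMIN, TEST):
        srv_a.lookup(sid)
    for sid in (TEST, ADMIN):  # server B happens to resolve Test User first
        srv_b.lookup(sid)
    rid_map = {sid: idmap_rid(sid, low, high) for sid in (ADMIN, TEST)}
    return dict(srv_a.table), dict(srv_b.table), rid_map
```

Running compare() shows the two sequential tables disagree on which SID got 10000, while the rid map is identical wherever it is evaluated; a RID larger than the range width is refused rather than aliased onto another user.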


[Samba] IDMAP_RID with Winbind works for groups but not users

2010-03-22 Thread Andrew Lyon
Hi,

I've setup samba 3.4.7 to use idmap_rid as per the documentation:

idmap backend = rid:DOMAIN=500-1
idmap gid = 500-1
imap uid = 500-1

It seems to work for groups:

wbinfo  --group-info=domain admins
domain admins:x:100512

PsGetSid v1.43 - Translates SIDs to names and vice versa
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for DOMAIN\domain admins:
S-1-5-21-xx--xx-512

But not for users:

wbinfo  --user-info=administrator
administrator:*:10027:10005:Administrator:/home/DOMAIN/administrator:/bin/zsh

SID for DOMAIN\administrator:
S-1-5-21-xx-x-xx-500

wbinfo  --user-info=Test User
test user:*:10048:10005:Test User:/home/DOMAIN/test user:/bin/zsh

SID for DOMAIN\test user:
S-1-5-21-x-x-xx-1758

Have I made a mistake in the configuration?

Andy