[Samba] Computers not logging in ...

2004-08-29 Thread C.Lee Taylor
Greetings ...
	I have an FC1 installation with all the updates.  I have a few of 
these, but one of my installations has just freaked out.  None of my 
users can login.

I have tried ...
[EMAIL PROTECTED] root]# smbclient -L //richardsbay -N
protocol negotiation failed
	Which is odd.  I have never had this problem.  I have tried upgrading 
samba from the 3.0.2 to 3.0.6 which is the dev of RawHide with no 
difference.

	I have tried turning off all security options to see if an upgrade of 
the Win2K system could have done this, but I'm still getting nowhere.

What has got me is that smbclient will not even list the Samba server.
Could I ask for a little help with this?
Thanks
Mailed
Lee
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] RE: CUPS - problems changing printing pref. on Win XP

2004-05-16 Thread C.Lee Taylor
| Hope I can get some help on printing problems.
| I have samba 3.0.0-15 as a PDC and printer server for
| a small network - Win98, XP and 2000.
| I installed printer drivers on my server using cups
| 1.1.20 (and ghostscript ESP 7.07) but I have a few
| problems with the clients. XP downloaded the drivers,
| I can print but I can't change printing preferences on
| this machine. When I tried to see them I received an
| error: 'Function address 0x6a90450e caused a
| protection fault. (exception code 0xc005). Some or
| all property page(s) may not be displayed.'
Known bug in 3.0.0.  Suggest you upgrade.
I hate to contradict a Samba developer, but I think you might be using the 
CUPS generic PostScript Windows drivers, which have a known fault.
http://www.cups.org/str.php?L488+P0+S-2+C0+I0+E0+QWindows+driver
They are hoping to put out a replacement driver soon ...
Mailed
Lee




[Samba] CUPS and Upload printer drivers ...

2004-03-25 Thread C.Lee Taylor
Greetings ...

   I'm using the cupsaddsmb to upload the CUPS printer drivers onto 
my Samba server, but seem to be having problems with new printer 
queues.  I find that if I reload Samba, the upload works fine, otherwise 
I get result was WERR_INVALID_PRINTER_NAME, which I think maybe Samba 
needs to ask CUPS if the queue is new or something.

   Could anybody help me with this problem?

Thanks
Mailed
Lee


Re: [Samba] CUPS and Upload printer drivers ...

2004-03-25 Thread C.Lee Taylor
Thanks for your quick response ...

   I'm using the cupsaddsmb to upload the CUPS printer drivers onto 
my Samba server, but seem to be having problems with new printer 
queues.  I find that if I reload Samba, the upload works fine, 
otherwise I get result was WERR_INVALID_PRINTER_NAME, which I think 
maybe Samba needs to ask CUPS if the queue is new or something.


   Could anybody help me with this problem?


Yes you're right, Samba needs to be restarted for cupsaddsmb to recognize 
the new printers


   Okay, that is a bit of a problem, is there no way for CUPS to tell 
Samba that new printers have been added, or for Samba to ask CUPS if new 
printers have been added ... would work better, and have fewer problems 
... but then I am just a silly little admin ...

Thanks
Mailed
Lee


Re: [Samba] primary gid of user [desires] is not a Domain group !

2004-02-18 Thread C.Lee Taylor
Greetings ...

   Let's keep the list in on this, other people might be able to get 
info from this too ...

Wendell Wilson wrote:

Still more clues! Partially 'fixed.'
   Okay ...

doing  ` net rpc user -S <domain name> info <user name> `
   I can't get this to work ... it just does not return any thing, so I 
tried a few other things, which also did not give me anything, but ...

[EMAIL PROTECTED] root]# net rpc info
Domain Name: X-ZA-DM
Domain SID: S-1-5-21-3795178988-3942151060-2329322268
Sequence number: 1077004228
Num users: 159
Num domain groups: 0
Num local groups: 0
   Which is weird, showing that I have no groups ... but my net 
groupmap list shows four maps, why would I not have any groups ...

I see that bob only belongs to only Domain Users. Yet, doing pdbedit 
-L -v -u bob ... shows the primary GID that matches the GID when I do 
`net groupmap list `  (same as you).

Then, I ran ` pdbedit -u bob --group SID= <domain admins SID> `  
... and the net rpc command shows the user belongs to both groups.
   Just to be correct, it would be `pdbedit -r -u bob --group SID= 
<domain admins SID>`, you should not forget the '-r' when modifying ...

I am no longer getting the 'nt doesn't like it / fix it' message in my 
logs, but I still see the 'failed to decode PDU' message and 'failed 
to do schannel1 processing'  when the user logs in.
   I went through my LDAP DB and manually fixed all the funny RID's for 
the Primary Group SID, but I am still seeing my fix P G SID error ...

Does this help you any?
   A little, I am looking further into this ...

If so, do you still get the PDU messages when someone logs in?
   Still, but not as much as before, will keep an eye open on this ...

Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0] 
rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
Feb  9 17:31:21 eastrand smbd[2113]:   failed to decode PDU
Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0] 
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Feb  9 17:31:21 eastrand smbd[2113]:   process_request_pdu: failed 
to do schannel processing.
Feb  9 17:31:26 eastrand smbd[2113]: [2004/02/09 17:31:26, 0] 
rpc_server/srv_util.c:get_domain_user_groups(372)
Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: 
primary gid of user [desires] is not a Domain group !
Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: You 
should fix it, NT doesn't like that

   But if I do ...

[EMAIL PROTECTED] root]# pdbedit -L -v -u desires
Unix username:desires
NT username:  desires
Account Flags:[UX ]
User SID: S-1-5-21-3795178988-3942151060-2329322268-44008
Primary Group SID:S-1-5-21-3795178988-3942151060-2329322268-513
Full Name:Desire Steyn
Home Directory:   \\eastrand\desires
HomeDir Drive:l:
Logon Script: login.bat
Profile Path: \\eastrand\desires\profile
Domain:   X-ZA-DM
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Fri, 13 Dec 1901 22:45:51 GMT
Kickoff time: Fri, 13 Dec 1901 22:45:51 GMT
Password last set:Thu, 13 Feb 2003 13:24:06 GMT
Password can change:  0
Password must change: Fri, 13 Dec 1901 22:45:51 GMT
[EMAIL PROTECTED] root]#
   Now I have an LDAP passdb, and I have done a
[EMAIL PROTECTED] root]# net groupmap list
Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) - 
ntusers
Domain Computers (S-1-5-21-3795178988-3942151060-2329322268-515) - 
machines
Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) - 
ntadmin
Domain Guests (S-1-5-21-3795178988-3942151060-2329322268-514) - 
nobody

   And

[EMAIL PROTECTED] root]# getent passwd |grep -i des
desires:x:21504:1:Desire:/home/users/desires:/sbin/nologin



[Samba] Re: DOS Networking [OT]

2004-02-18 Thread C.Lee Taylor
Greetings ...

Has anyone ever got command line only Windows 95 DOS to connect to a Samba 
machine? I can connect to an NT machine no problem using net use ..., but 
the only machine the DOS machine will see on the network is the NT machine; 
all of the others, including my Linux machines and a Win 2k machine, it just 
refuses to see. 
	First, any program you try to run using just W9X DOS and SMB networking would have to use a very small memory footprint.  Microsoft's DOS network client is pretty big.

	I hate to show you another network system, but using FreeDOS for the client OS, and using an ODI-based client network, I have found it a little easier on the memory needs ... You should then be able to use Novell's client software and mars-nwe ( http://www.compu-art.de/download/mars_nwe.html ) for the Linux server, which should give you a file and print server.

	Not a perfect solution, but very nice for old and small systems which still need networking.

Mailed
Lee


Re: [Samba] primary gid of user [desires] is not a Domain group !

2004-02-16 Thread C.Lee Taylor
Wendell Wilson wrote:

Precisely the same thing is happening to me! There have been a couple 
other threads with others having more or less the same problem... but 
I haven't seen any fixes that work for me, yet.

I have 3.0.1, at the moment. Did you upgrade from 2.2.x? or from an 
earlier version of 3.x? Or did this just start out of the blue? I am 
not using LDAP, at this point, or even winbind to handle user/group 
mappings. What sort of setup do you have?
   Currently using 3.0.2, at least the ones FC1 just shipped over the 
weekend ...

   I did a clean installation and converted my LDAP ldif file from 
Samba2 to Samba3 ... I have made all sorts of changes and can't get this 
to go away, so I don't know what the problem is ...

   At first I thought that my posix accounts' primary gid had to be 
mapped to an NT one, then I modified the Primary SID for each user and 
still got it ... so I really don't know ...

Mailed
Lee
Wendell

C.Lee Taylor wrote:

Greetings ...

   I hope somebody can explain this to me, or give me a help to fix 
this problem ...

   On my Samba server ( 3.0.2rc2 ) I am getting ...

Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0] 
rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
Feb  9 17:31:21 eastrand smbd[2113]:   failed to decode PDU
Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0] 
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Feb  9 17:31:21 eastrand smbd[2113]:   process_request_pdu: failed to 
do schannel processing.
Feb  9 17:31:26 eastrand smbd[2113]: [2004/02/09 17:31:26, 0] 
rpc_server/srv_util.c:get_domain_user_groups(372)
Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: 
primary gid of user [desires] is not a Domain group !
Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: You 
should fix it, NT doesn't like that

   But if I do ...

[EMAIL PROTECTED] root]# pdbedit -L -v -u desires
Unix username:desires
NT username:  desires
Account Flags:[UX ]
User SID: S-1-5-21-3795178988-3942151060-2329322268-44008
Primary Group SID:S-1-5-21-3795178988-3942151060-2329322268-513
Full Name:Desire Steyn
Home Directory:   \\eastrand\desires
HomeDir Drive:l:
Logon Script: login.bat
Profile Path: \\eastrand\desires\profile
Domain:   X-ZA-DM
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Fri, 13 Dec 1901 22:45:51 GMT
Kickoff time: Fri, 13 Dec 1901 22:45:51 GMT
Password last set:Thu, 13 Feb 2003 13:24:06 GMT
Password can change:  0
Password must change: Fri, 13 Dec 1901 22:45:51 GMT
[EMAIL PROTECTED] root]#
   Now I have an LDAP passdb, and I have done a
[EMAIL PROTECTED] root]# net groupmap list
Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) - ntusers
Domain Computers (S-1-5-21-3795178988-3942151060-2329322268-515) - 
machines
Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) - ntadmin
Domain Guests (S-1-5-21-3795178988-3942151060-2329322268-514) - nobody

   And

[EMAIL PROTECTED] root]# getent passwd |grep -i des
desires:x:21504:1:Desire:/home/users/desires:/sbin/nologin
   Has anyone got an idea of what I am missing ...

Mailed
Lee
 





[Samba] primary gid of user [desires] is not a Domain group !

2004-02-09 Thread C.Lee Taylor
Greetings ...

   I hope somebody can explain this to me, or give me a help to fix 
this problem ...

   On my Samba server ( 3.0.2rc2 ) I am getting ...

Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0] 
rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
Feb  9 17:31:21 eastrand smbd[2113]:   failed to decode PDU
Feb  9 17:31:21 eastrand smbd[2113]: [2004/02/09 17:31:21, 0] 
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
Feb  9 17:31:21 eastrand smbd[2113]:   process_request_pdu: failed to do 
schannel processing.
Feb  9 17:31:26 eastrand smbd[2113]: [2004/02/09 17:31:26, 0] 
rpc_server/srv_util.c:get_domain_user_groups(372)
Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: primary 
gid of user [desires] is not a Domain group !
Feb  9 17:31:26 eastrand smbd[2113]:   get_domain_user_groups: You 
should fix it, NT doesn't like that

   But if I do ...

[EMAIL PROTECTED] root]# pdbedit -L -v -u desires
Unix username:desires
NT username:  desires
Account Flags:[UX ]
User SID: S-1-5-21-3795178988-3942151060-2329322268-44008
Primary Group SID:S-1-5-21-3795178988-3942151060-2329322268-513
Full Name:Desire Steyn
Home Directory:   \\eastrand\desires
HomeDir Drive:l:
Logon Script: login.bat
Profile Path: \\eastrand\desires\profile
Domain:   X-ZA-DM
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Fri, 13 Dec 1901 22:45:51 GMT
Kickoff time: Fri, 13 Dec 1901 22:45:51 GMT
Password last set:Thu, 13 Feb 2003 13:24:06 GMT
Password can change:  0
Password must change: Fri, 13 Dec 1901 22:45:51 GMT
[EMAIL PROTECTED] root]#
   Now I have an LDAP passdb, and I have done a
[EMAIL PROTECTED] root]# net groupmap list
Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) - ntusers
Domain Computers (S-1-5-21-3795178988-3942151060-2329322268-515) - machines
Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) - ntadmin
Domain Guests (S-1-5-21-3795178988-3942151060-2329322268-514) - nobody
   And

[EMAIL PROTECTED] root]# getent passwd |grep -i des
desires:x:21504:1:Desire:/home/users/desires:/sbin/nologin
   Has anyone got an idea of what I am missing ...

Mailed
Lee
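
Added example, not part of the original post and not Samba's own logic: a cross-check of the three outputs quoted above that flags users whose Unix primary gid resolves to a group with no entry in `net groupmap list`, which is what the log message complains about. The `getent group` data and all function names are assumptions, since the post does not show the group database.

```python
import re

# Command output quoted in the post above.
GROUPMAP = """\
Domain Users (S-1-5-21-3795178988-3942151060-2329322268-513) - ntusers
Domain Computers (S-1-5-21-3795178988-3942151060-2329322268-515) - machines
Domain Admins (S-1-5-21-3795178988-3942151060-2329322268-512) - ntadmin
Domain Guests (S-1-5-21-3795178988-3942151060-2329322268-514) - nobody
"""
PASSWD = "desires:x:21504:1:Desire:/home/users/desires:/sbin/nologin\n"
# user -> "Primary Group SID" as printed by `pdbedit -L -v -u <user>`
PRIMARY_SIDS = {"desires": "S-1-5-21-3795178988-3942151060-2329322268-513"}

# CONSTRUCTED sample: the post does not show `getent group`; gids are made up.
GROUP = """\
bin:x:1:
nobody:x:99:
ntusers:x:500:
ntadmin:x:501:
machines:x:502:
"""

# Accepts both "->" (as printed by net) and the bare "-" seen in the archive.
MAP_RE = re.compile(
    r"^(?P<nt>.+?)\s+\((?P<sid>S-[0-9-]+)\)\s*->?\s*(?P<unix>\S+)\s*$"
)


def parse_groupmap(text):
    """`net groupmap list` -> {unix group name: (NT group name, SID)}."""
    mapping = {}
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            mapping[m["unix"]] = (m["nt"], m["sid"])
    return mapping


def parse_group(text):
    """`getent group` -> {gid: group name}."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[int(fields[2])] = fields[0]
    return groups


def parse_passwd(text):
    """`getent passwd` -> {user name: primary gid}."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3].isdigit():
            users[fields[0]] = int(fields[3])
    return users


def check_primary_groups(passwd, group, groupmap, primary_sids):
    """Report, per user, whether the Unix primary group is a mapped group."""
    groups = parse_group(group)
    mapped = parse_groupmap(groupmap)
    findings = []
    for user, gid in sorted(parse_passwd(passwd).items()):
        unix_group = groups.get(gid)
        nt_name, sid = mapped.get(unix_group, (None, None))
        if unix_group is None:
            status = "no-unix-group"   # gid has no entry in the group database
        elif sid is None:
            status = "unmapped"        # group exists but has no groupmap entry
        elif user in primary_sids and primary_sids[user] != sid:
            status = "sid-mismatch"    # passdb SID differs from the mapped SID
        else:
            status = "ok"
        findings.append({
            "user": user, "gid": gid, "unix_group": unix_group,
            "nt_group": nt_name, "mapped_sid": sid, "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in check_primary_groups(PASSWD, GROUP, GROUPMAP, PRIMARY_SIDS):
        print(finding)
```

On a live system the four inputs would come from `getent passwd`, `getent group`, `net groupmap list` and `pdbedit -L -v`.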
  



[Samba] VFS - audit errors?

2004-01-29 Thread C.Lee Taylor
Greetings ...

   I saw a question about this go out a little while ago, I was 
wondering, if they are bad, or if I can just ignore them?

   I am using a Samba 3.0.2rc1 if that makes a difference ...

Thanks
Mailed
Lee
Jan 29 09:58:09 nasrec smbd_audit[19242]: rmdir ./ failed: Invalid argument
Jan 29 09:58:09 nasrec smbd_audit[19242]: [2004/01/29 09:58:09, 0] 
modules/vfs_extd_audit.c:audit_rmdir(177)
Jan 29 09:58:09 nasrec smbd_audit[19242]:   vfs_extd_audit: rmdir ./ 
failed:  Invalid argument
Jan 29 09:58:10 nasrec smbd_audit[19242]: rmdir ./ failed: Invalid argument
Jan 29 09:58:10 nasrec smbd_audit[19242]: [2004/01/29 09:58:10, 0] 
modules/vfs_extd_audit.c:audit_rmdir(177)
Jan 29 09:58:10 nasrec smbd_audit[19242]:   vfs_extd_audit: rmdir ./ 
failed:  Invalid argument

Jan 29 09:59:35 nasrec smbd_audit[1603]: [2004/01/29 09:59:35, 0] 
lib/util_str.c:safe_strcat_fn(629)
Jan 29 09:59:35 nasrec smbd_audit[1603]:   ERROR: string overflow by 1 
in safe_strcat [/]



[Samba] Re: Remote Citrix Auth Pass-Through ...

2004-01-26 Thread C.Lee Taylor
Greetings ...

   Thanks again for your response ... it currently feels like I am 
banging my head against a M$ Wall ...

   Now if we use winbind, we can't setup the Linux servers as PDC. 
   

This is incorrect.  Winbind runs perfectly fine against Samba 3.0.
 

   No, what I mean, if you enable domain logons = yes, getent passwd 
does not return any users from the AD system, which means I can't have a 
remote Samba Server acting as PDC to host the netlogon service ...

That is a limitation of winbind, and without the Samba servers running 
as PDC's I can't get the local workstations at the remote sites to 
process login scripts.
   

Logon scripts for their own domain, or logon scripts for trusted
domains?
 

   For the domain that is local to the user ... Which would be a Samba 
server at a remote site ...

   I could give up on the idea of remote sites local workstations 
automatically processing login scripts, because that is the only real 
thing I am looking for.  I could manually add login scripts to all the 
workstations, or I could work out something with trusts.

   I have been trying to set up a trust both ways between AD and 
Samba, but TS will not let any of my users login from Samba.
   

How about you sort out your terminal-services issues first.  I think you
might be being bitten by generic Samba/TS interactions, and are just
making your life more difficult by looking for the most complex
solution.
 

   I am not sure that is the problem, for a test, I have been able to 
Join a Win2K3 TS system to my lovely Samba domain and everything works 
fine.  No problem there.

In a Samba domain, win2k TS clients need Samba 3.0.1 to store the right
extra information.  But it sounds like you don't want to run a Samba
PDC, except for the fact that it would allow you to serve up a logon
script.  Can't AD do that as well, if not better?
 

   My real problem is a few $h!ty applications which I have no control 
over.  iScala, a finance system which uses M$SQL2K, tied very closely 
into AD. And then Citrix or maybe TS ...

   I am currently trying to create a trust between Samba and AD domain 
so that users in my Samba domain have access to AD resources, which 
currently means access to iScala.  But I am still going to have to find 
a way to get my remote Samba users to access Citrix via 
Pass-Through-Auth, but from what I have seen, I might not have many options 
left.

Thanks
Mailed
Lee


[Samba] Trust clarification ...

2004-01-26 Thread C.Lee Taylor
Greetings ...

   If I set up a trust between my Samba 3.0.2rc1 domain and a Win2K3 AD 
domain, plus I enable Kerberos which points to the Win2K3 server, would 
that let users in using my unix id?

   Because if I browse my Samba server from the Win2K3 server and 
access a share, I see that my Samba smbstatus reports the local unix 
user id.

Thanks
Mailed
Lee


[Samba] Re: Remote Citrix Auth Pass-Through ...

2004-01-24 Thread C.Lee Taylor
Greetings ...

   Thanks for your reply Andrew, I think I will try and explain again 
what I am trying to do, maybe I am just going at this the wrong way ...

I'm not sure what you mean here.
 

   We have two applications which will be distributed by Citrix.  I 
would like to have one username and password for all the services ... 
Single-Sign-On. Windows2003 has been chosen for our AD.  We have a few 
remote sites with Linux file/print servers.

   Now if we use winbind, we can't setup the Linux servers as PDC.  
That is a limitation of winbind, and without the Samba servers running 
as PDC's I can't get the local workstations at the remote sites to 
process login scripts.

   I could give up on the idea of remote sites local workstations 
automatically processing login scripts, because that is the only real 
thing I am looking for.  I could manually add login scripts to all the 
workstations, or I could work out something with trusts.

   I have been trying to set up a trust both ways between AD and 
Samba, but TS will not let any of my users login from Samba.

   Throwing in my coin to the wishing well, I wish that Samba could do 
the domain stuff with AD, but I think that is still a little way off ...

Thanks
Mailed
Lee


[Samba] Re: Remote Citrix Auth Pass-Through ...

2004-01-22 Thread C.Lee Taylor
Greetings ...

Andrew Bartlett wrote:

	I am posting here, because I believe this a little more technical than 
I can't get my server work? ...
   

This is still not the place.  Samba technical is not technical
support, it's technical development of Samba.
 

   Okay, sorry ... done ...

   Sorry for the long delay, but have had other projects to try and 
bring up to scratch ...

	If I use winbind, I can't setup a PDC.  It was explained to create a 
trust between my Samba domain and ADS domain, and this way I should be 
able to pass auth through the trust and as I have thought this through, 
I believe all my users will belong in ADS domain and all the Machine 
accounts would belong in Samba domain, but I can't get the trust working 
... I think this is because of the fact the our ADS is in native mode, 
and the HowTo only converts Mixed mode, and warns against using/trying 
in Native Mode ( somebody's got to try it some time ) ...
   

Now this is interesting.  We have the code to handle this, but we
don't use it.  The RPC backends *should* allow you to handle this, but
it is suboptimal.
 

   Okay, following chapter 16 I do ...

   On Win2K3 DC I run the create Trust procedure ( which I should maybe 
put a little step by step down on paper ) ... I found if I had smb 
running when I ran this I would get all sorts of netlogon secure channel 
not working errors ... but if I had started smb long enough for WINS to 
have it listed, then stopped smb, it would go through without asking too many 
questions ...

   I would then run ...

   useradd domain-ads
   smbpasswd -a -i domain-ads
   net rpc trustdom establish domain-ads
   All successful ...

   I then found that I would trust both ways ... works nice from what I 
can see ...

   But my problem is that I would like to use the users in ADS, which 
with this setup, I have to set up Linux users which would then be trusted 
by ADS, but then I will lose all the delegation features that ADS 
brings Microsoft guys, which is why we are putting this in.

   Is there no way that I could have my users in ADS, with remote Linux 
server supporting netlogon scripts for these users?  This what I am 
really looking for ...

	So, I was hoping that somebody might be able to help me, or if I am 
missing info ( which I can't think of what to put in here without 
flooding the list with information that is not needed ) what would be 
best to forward ...
   

Start by setting an 'IPC username', with wbinfo --set-auth-user=...
 

   Which user should I use? After the trust was working, I was able to work 
both ways for general stuff ..

I have a long-term goal of removing the need for a 'security=ADS'
parameter, moving to more autodetection.  This should help this kind
of thing a lot, as we can pick up what domains to do what with more
easily.
 

   I have seen you want to do this in past posts ... more autodetection 
is kewl if there is no loss of flexibility or control from a good admin ...

Thanks
Mailed
Lee


[Samba] Re: 3.0.1 - Failed to verify incoming ticket! ...

2004-01-07 Thread C.Lee Taylor
Greetings ...

	Downloaded and recompiled for my installation Samba 3.0.2pre1, tested 
and all is working. I am able to access the shares with the server name 
fine.

Thanks
Mailed
Lee


[Samba] Re: Samba + Active Directory

2004-01-07 Thread C.Lee Taylor
  [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
 
  Is there any special configuration I have to do on Active 
Directory to
  become AD authentication available to Samba ?


 Almost certainly, you are running version 3.0.1, which as best
 I've been able to determine breaks kerberos ticket handling
 in the case of a Win2k/XP box trying to access SAMBA.


Can people seeing this please test 3.0.2pre1 and let me know
if it is fixed now?  Thanks.

	I sent a message yesterday, explaining that my setup now was working 
fine ... I have a few other things that I think need to be looked at, 
but they are minor issues 

Mailed
Lee




[Samba] Re: Survey Results Thank You

2003-12-31 Thread C.Lee Taylor
 The results so far are:

183 responses
 96% use Samba for File and Print
 73% use Samba for Domain Control
	Does this mean there are only 183 people using Samba? No, maybe just a 
little hard to find the survey, it did not stand out.  Did you get a 
page hit count for the article?

Mailed
Lee
P.S. It was also a good read.  Thanks.



Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

2003-12-24 Thread C.Lee Taylor
Fernando Ruza wrote:
Still with the problem. I have tested with the version 3.0.0 and right,
I can see the shares however cannot connect to the home shares or shares
with valid users option in smb.conf. Besides this version cannot
substitute correctly the %D %u %U %S variables. I have written them in
the comment option of a share and I can see that the values are not
correct. %D gives me the samba hostname, %S gives me IPC_
	That is a known bug of Samba 3.0.0, and I am sure it has been fixed. I 
suggest you comment out valid users for Samba 3.0.0, if that is your 
problem.

Trying with version 3.0.1 cannot see no shares.

Trying with version 3.0.1rc2, it's the same like 3.0.0, but it seems
that some variables are correct like %u but %U is empty. I don't know is
very strange. It worked once with this version after I changed the
password for the Administrator of my PDC/KDC and the user I use to test
the shares however in the next reboot of the WinXP client machine it
already doesn't work again.
	I have seen something similar, but could not put my finger on it, but I 
think that was because of multiple server, client and Samba restarts with 
internals in flux state ... if everything was started clean, I seemed not 
to have problems like this with Samba 3.0.1 as a PDC.

I think that doing samba 3 be a member of AD is not working properly.
Does anyone got it ?? Could make a howto ?
	Samba 3.0.1 as a domain member of Win2K3 AD, I have had problems, which 
I have not been able to fix, so I am staying with Samba 3.0.1 as PDC.

	Samba 3.0.0 as a domain member of Win2K3 AD, works fine, but I need the 
other fixes that have gone into Samba 3.0.1, so Samba 3.0.0 is still on 
my testing system until I can find the problem with Samba 3.0.1 or the 
next upgrade ...

Thanks
Mailed
Lee


Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

2003-12-19 Thread C.Lee Taylor
Greetings ...

please file a bug for me and we'll work on 
   Still waiting for an account ... sorry, I don't have time to wait 
around, I have to fix this problem chop chop ... ;-}

getting this resolved.  This is the 3rd report
of the same symptoms.   Thanks. 
   Okay, first I thought that maybe this was a problem with Samba3, but I 
know that I have been able to use this, so I tried on both Samba 3.0.0 
(FC1 rpms ) and Samba 3.0.1 ( compiled on FC1 by myself rpms ) ...

   At first I had no joy with either, so I thought that maybe I had 
done something wrong ( blush! ) ... So, I went back to basics ... I 
found that if I removed all the funky options in /etc/krb5.conf and used 
Samba 3.0.0, all seems to work fine ( except for known bugs in 3.0.0, 
understandable ) ... I then upgraded to Samba 3.0.1, and I could not 
access the Samba server again using its hostname ...

   So now I have two servers for test, both with FC1 and all the 
updates, one with Samba 3.0.0 ( FC1 rpms ) and the other with Samba 
3.0.1 ( self-made rpms ).

   If anybody wants a copy of my smb.conf and krb5.conf, let me know.

Thanks
Mailed
Lee
|I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
| Samba 3.0.0 and the other with Samba 3.0.1.  Both give me the same
problem.
|
|If I try access the Samba shares from Win2K3 using the host 
number, I
| get prompted for a username and password, and no matter what I type in,
| I can't get in.
|
|If I use the Samba server IP address, I am able to get into shares
| without being prompted for user details, but Point'nPrint doesn't work, it
| too requests user details.
|
|I do seem to be getting two errors in my logs ... First in smbd.log
|
| [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
|  getpeername failed. Error was Transport endpoint is not connected
| [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
|  getpeername failed. Error was Transport endpoint is not connected
|
|And the other in the machine log with the IP address eg ...
|10.1.1.20.log
| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
|  Failed to verify incoming ticket!
| [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
|  Failed to verify incoming ticket!
|
|But in the machine log with the hostname, I am getting normal
| messages ...
|
|I have tried to make changes in /etc/krb5.conf, but I don't get any
| further ...
|
|I have tried a few status checks with net, all hosts work fine ...
|
| [EMAIL PROTECTED] samba]# net lookup ldap
| 10.1.1.16:389
| 10.1.1.17:389
|
| [EMAIL PROTECTED] samba]# net lookup dc
| 10.1.1.16
| 10.1.1.17
|
|But net lookup kdc, master domain don't return any thing, so I don't
| know what else to look for ... 




Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

2003-12-19 Thread C.Lee Taylor
Greetings ...

   Sorry for the long post, but I prefer to keep a copy of what I think 
is needed for this thread ...

   As requested, here is my smb.conf ... I have left in my comments to 
show what I have been changing and see if it makes a difference ... plus 
some shares ( not all that I use ) ...

# Global parameters
[global]
   workgroup = TEST-ZA
   realm = TEST-ZA.CORP
   security = ads
#   netbios aliases = nasrec
   server string = Samba Server %v %h
   interfaces = eth0*,lo
   bind interfaces only = Yes
#   encrypt passwords = Yes
#   update encrypted = Yes
#   min passwd length = 4
#   pam password change = Yes
#   passwd program = /usr/bin/passwd %u
#   passwd chat debug = Yes
#   unix password sync = Yes
#   username map = /etc/samba/smbusers
#   admin users = administrator, TEST-ZA\administrator
   log file = /var/log/samba/%m.log
   max log size = 150
   time server = Yes
   unix extensions = Yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   logon script = login.bat
   logon drive = l:
   domain logons = no
#   lm announce = yes
   preferred master = no
   domain master = no
#   dns proxy = yes
#   wins support = yes
#   wins server = *
#   wins server = naszadc01.test-za.corp, naszadc02.test-za.corp
   wins server = 10.1.1.16, 10.1.1.17
   utmp = Yes
   message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
   comment = Test Nasrec Linux Box
   create mask = 0660
   force create mode = 0660
   directory mask = 0770
   force directory mode = 0770
   inherit permissions = Yes
   map archive = No

#   name resolve order = host, wins
#   password server = *
   password server = 10.1.1.16, 10.1.1.17
   
#   ldap suffix = dc=test-za,dc=corp
#   ldap idmap suffix = ou=idmap
#   ldap admin dn = cn=root,dc=test-za,dc=corp
   ldap suffix = dc=test,dc=co,dc=za
   ldap admin dn = cn=Manager,dc=test,dc=co,dc=za
   ldap idmap suffix = ou=idmap
#   ldap ssl = start tls
   ldap ssl = no
#   ldap passwd sync = yes

#   winbind separator = +
#   idmap backend = ldap:ldap://localhost
   idmap backend = ldap:ldap://zeus.test.co.za
   idmap uid = 1-2
   idmap gid = 1-2
#   client schannel = no
#   server schannel = no
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
#   winbind trusted domains only = yes
#   template shell = /sbin/nologin
#   template shell = /bin/bash
#   template homedir = /home/%D/%U
   template homedir = /home/TEST-ZA/%U
   load printers = yes
   printing = cups
   printcap = cups
#   log level = 1

#   guest account = NULL
   restrict anonymous = yes
[printers]
   comment = All Printers
   path = /var/spool/samba
   guest ok = Yes
   printable = Yes
   browseable = No
   public = yes
   writable = no
   write list = root, Administrator, TEST-ZA\Administrator
   printer admin = root, Administrator, TEST-ZA\Administrator
   vfs object = extd_audit
[print$]
   comment = Printer Driver Download Area
   path = /home/services/smb/printers/drivers
   browseable = No
#   browseable = yes
   guest ok = Yes
#   guest ok = no
#   read only = yes
   read only = no
#   write list = @ntadmin, root, Administrator
   write list = root, Administrator, TEST-ZA\Administrator
   printer admin = root, Administrator, TEST-ZA\Administrator
   vfs object = extd_audit
[netlogon]
   comment = Network Logon share
   path = /home/services/smb/netlogon
   create mask = 0664
   force create mode = 0664
   directory mask = 0775
   force directory mode = 0775
   guest ok = Yes
#[profiles]
#   path = /etc/samba/profiles
#   read only = No
#   create mask = 0600
#   directory mask = 0700
#   browseable = No
#   csc policy = disable
[homes]
   comment = Home Directory for %u and %D\%S
   read only = No
#   valid users = %D\%S, %S
   create mask = 0600
   force create mode = 0600
   directory mask = 0700
   force directory mode = 0700
   profile acls = yes
   veto files = /Maildir/ /.recycle/
   browseable = No
   vfs object = recycle
   vfs_recycle_bin:noversions = *.doc|*.xls|*.ppt
   vfs_recycle_bin:exclude_dir = /tmp|/temp|/cache|/profile
   vfs_recycle_bin:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.lnk
   vfs_recycle_bin:maxsize = 0
   vfs_recycle_bin:touch = yes
   vfs_recycle_bin:versions = no
   vfs_recycle_bin:keeptree = yes
   vfs_recycle_bin:repository = .recycle/%U
[public]
   comment = Public Stuff
   path = /home/services/smb/public
   read only = No
   create mask = 0664
   force create mode = 

[Samba] Re: samba Digest, Vol 12, Issue 25

2003-12-19 Thread C.Lee Taylor
Greetings ...

I just scanned several lists and HOWTOs for the problem
with valid users = %S in 3.0.1
	I know this works, I have tested ... ;-)

where he suggests to use 'valid users = %D+%S' instead,
but this doesn't work, either.
	Okay, I think this has to do with winbind, if so the '+' needs to be your 
winbind separator, in my case or using the default '\', which let me work ...
	
	Hope that helps ...

Mailed
Lee




[Samba] Re: valid users = %S doesn't work in 3.0.1

2003-12-19 Thread C.Lee Taylor
Greetings ...

where he suggests to use 'valid users = %D+%S' instead,
but this doesn't work, either.
 

   Okay, I think this has to do with winbind, if so the '+' needs to be your
winbind separator, in my case or using the default '\', which let me work ...
   

Sorry, but I can't convince it to accept this.
(I tried 
  valid users = %D\%S		#I think this could not work, as \ means line continues?
  valid users = %D\\%S
  valid users = %D'\'%S
)

Is there a way to find out what smbd expects/accepts to see for a 'valid user'?

   I normally try in my [homes]
   comment = Home Directory for %u on %D\%S
   valid users = %D\%S, %S
   It does not look pretty while testing, but at least you can see what 
is being passed ... The logic ( at least in my fuzzy brain ) is that the 
share name ( which is %S ), is the same as the user logging into the share 
... so when you view your server and see all your shares ( I put my view 
into detailed ) you should see the comment for the share, which should 
say Home Directory for leet on leet.

   If share name of [homes], which is normally the user logging 
should be equal to one of the valid users values ...

And where can I get infos about this 'winbind' thing?
(I don't have a clue)
   Don't worry, winbind is only really needed if you are going to Trust 
an M$ ADS domain ... if you are not using it then it was not what I 
thought it was that I ran into ...

Mailed
Lee
P.S. I hope this makes sense ...



[Samba] ADS and Winbind ... Can't access with Samba host name ...

2003-12-18 Thread C.Lee Taylor
Greetings ...

   It seems I have really got myself confused ...

   I have a Win2K3 ADS domain, I have two FedoraCore systems, one with 
Samba 3.0.0 and the other with Samba 3.0.1.  Both give me the same problem.

   If I try to access the Samba shares from Win2K3 using the host number, 
I get prompted for a username and password, and no matter what I type 
in, I can't get in.

   If I use the Samba server IP address, I am able to get into shares 
without being prompted for user details, but Point'nPrint doesn't work, it 
too requests user details.

   I do seem to be getting two errors in my logs ... First in smbd.log

[2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
 getpeername failed. Error was Transport endpoint is not connected
[2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
 getpeername failed. Error was Transport endpoint is not connected
   And the other in the machine log with the IP address eg ...
   10.1.1.20.log
[2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
 Failed to verify incoming ticket!
[2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
 Failed to verify incoming ticket!
   But in the machine log with the hostname, I am getting normal 
messages ...

   I have tried to make changes in /etc/krb5.conf, but I don't get any 
further ...

   I have tried a few status checks with net, all hosts work fine ...

[EMAIL PROTECTED] samba]# net lookup ldap
10.1.1.16:389
10.1.1.17:389
[EMAIL PROTECTED] samba]# net lookup dc
10.1.1.16
10.1.1.17
   But net lookup kdc, master domain don't return anything, so I don't 
know what else to look for ...

Thanks
Mailed
Lee
  
  



Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

2003-12-18 Thread C.Lee Taylor
Greetings ...

please file a bug for me and we'll work on 
   I hate doing that, I always get lost ... but I am doing it now ... 
the things I do in the name of OpenSource ... ;-)

getting this resolved.  This is the 3rd report
of the same symptoms.   Thanks. 
   I have seen the reports, but they all seemed a little different, 
that is why I did not say I had a problem like X ...

Mailed
Lee


[Samba] Re: DNS and DHCP setup

2003-12-16 Thread C.Lee Taylor
Greetings ...

Does anyone know of a document that gives details on how to set up Bind 
9 and DHCPD 3.x so that dns is updated when clients log on?
I saw this is not in the howto collection 
(http://www.bibsyst.no/samba/docs/man/DNSDHCP.html#id2981727) so I was 
kind of hoping someone else has some notes.

I would be grateful for any tips and links.
	I don't know if this is an acceptable alternative, dnsmasq.

http://www.thekelleys.org.uk/dnsmasq/doc.html

	Which will take your dhcp.leases and create dns structure for you ... very easy and nice to use. Hope this helps. Have fun.

Mailed
Lee




[Samba] Re: Folder Redirection ...

2003-12-15 Thread C.Lee Taylor


 Redirecting My Documents isn't a tricky one.

   Please don't take this discussion off the list ... I have an interest 
in seeing what other people have done.

Thanks
Mailed
Lee


[Samba] Re: Windows 2000 and krb5 tickets.

2003-12-13 Thread C.Lee Taylor
Greetings ...

 2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ~  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
  integrity check failed
  [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
  ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
  [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  ~  Failed to verify incoming ticket!
	I got similar errors when I first started up my test system ... now I don't know if they are related, but I set 

   client schannel = no
   server schannel = no
   
in my smb.conf and the errors went away ...

	Maybe try that and see if your problem goes away ... just an idea.

Mailed
Lee




Re: Fedora Binaries

2003-12-01 Thread C.Lee Taylor


Marc Perkel wrote:
| So - how about some Fedora binaries in your
| redhat collection?
I'm working on it. We will have them ready for 3.0.1.

   Excellent ...

Thanks for the great work.

Mailed
Lee



Re: [Samba] winbind and getent ...

2003-11-06 Thread C.Lee Taylor


   I have got my ADS/Win2K3 system and Samba3 using winbind.  I am 
able to do getent passwd, which returns users out of ADS.

   My problem is that I wish to have a Samba box at a remote 
location, which I currently have, using user accounts stored in LDAP, 
but have no choice but to move to ADS based users because of a 
Citrix application which we are not able to get to work with Samba 
and LDAP based accounts.

   If I enable domain logons, getent passwd returns only local 
accounts, not ADS based account, plus, I have also seen that if I set 
winbind trusted domains only = yes, then getent passwd also stops 
working.

   Now I am sure, I read somewhere, that you can't use winbind and 
domain logons, but I am hoping somebody might be able to give us 
a better idea.


In Samba 3.0, winbindd should be used on a Samba PDC in order
to handle users/groups from trusted domains. 
   Okay, so if I understand what you are getting at, is that I should setup 
an AD domain, make my Samba server belong to another domain and the 
Samba domain trust the AD domain, that way I get the AD users in my 
Samba domain, which will let me use domain logins, which is the big 
thing I am missing with Samba acting as a Server role: 
ROLE_DOMAIN_MEMBER ...

   Does this sound right?

Mailed
Lee


[Samba] Re: Samba 3.0.1pre1 winbind / getent problems

2003-11-06 Thread C.Lee Taylor
Greetings ...


When i try a getent passwd or getent group, i don't have the windows
users.
	I had the same problem, and found that if I had winbind trusted domains only = yes or domain logons = yes then getent passwd would not work, change them both to no and it works fine ...

	I looked at your confs, but did not see these options.  Do a testparm -v -s|less and see if these are set.

	 I have asked the list if this is by design, but have not got a direct answer.

Mailed
Lee




[Samba] winbind and getent ...

2003-11-05 Thread C.Lee Taylor
Greetings ...

   Okay, I was going to send this to Tech, but thought better of it.

   I have got my ADS/Win2K3 system and Samba3 using winbind.  I am able 
to do getent passwd, which returns users out of ADS.

   My problem is that I wish to have a Samba box at a remote location, 
which I currently have, using user accounts stored in LDAP, but have no 
choice but to move to ADS based users because of a Citrix application 
which we are not able to get to work with Samba and LDAP based accounts.

   If I enable domain logons, getent passwd returns only local 
accounts, not ADS based account, plus, I have also seen that if I set 
winbind trusted domains only = yes, then getent passwd also stops working.

   Now I am sure, I read somewhere, that you can't use winbind and 
domain logons, but I am hoping somebody might be able to give us a better 
idea.

Thanks
Mailed
Lee


[Samba] Re: wbinfo --set-auth-user Win2K3

2003-10-15 Thread C.Lee Taylor


wbinfo --set-auth-user=Administrator%password 
 

NEVER do this.

There is never a good reason to do this.  The wbinfo command is for NT4
trusted domains, that are running 'restrict anonymous'.  If you are
joined with ADS, and there are ADS trusts to these machines, then Samba
can use kerberos, and never needs a 'wbinfo' user.
Would this mean that if we have done kinit -V [EMAIL PROTECTED],
we should be able to join the domain without providing a password using the
same user?
Even when you do need a 'wbinfo user', it does not need any special
powers - only those given to *every* user.  So add a new, boring,
unprivileged user.
We have been testing against a Windows2003 server, and don't
get any user lists ( wbinfo -u ) unless we set auth user ... does
this mean something is not correctly setup on our Samba3 server?

That password is stored clear-text, in secrets.tdb.
	I know this, but it's not any worse than smbpasswd -w secret, is it?

Thanks
Mailed
Lee




Re: [Samba] Re: valid users = %S ...

2003-09-28 Thread C.Lee Taylor


	Installed the rpm from Samba.org for RedHat 9, and found the same problem ... removing valid users = %S from [home] gets it working, but I do remember somebody explaining that this option makes things a little more secure.

	Is this true, and is this a bug or is there something better to use?
   

It's a bug. I posted a patch on the list. Please check the archives
for it. It will be fixed in 3.0.1
   Great, saw it on Samba-Tech. Thanks.

Mailed
Lee


Re: RE : [Samba] winbind and getent - fix ...

2003-09-27 Thread C.Lee Taylor
jean-marc pouchoulon wrote:

Thanks for your answer.

   My pleasure ...

But it didn't work.

   Was this, to do with winbind and getent passwd?

There is no ldap request except for user with posix account. ( I can see
these users using getent )
   I don't think there will be any LDAP requests when doing a getent 
passwd with winbind, but I could be wrong ..

I think there is no appeal by libnss library to winbind but I don't
understand why.
   I don't think this was meant for me, but if it's the problem that 
I had, on RedHat 9 using the rpm from the Samba.org webpage, then do ...

cd /lib
ln -s libnss_winbind.so libnss_winbind.so.2
   And make sure that you have winbind at the end of the line passwd, 
group and hosts in /etc/nsswitch.conf, ie ...
   passwd: files winbind
   group:  files winbind

and so on ...

Mailed
Lee
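
The checks named in this thread (winbind listed for passwd and group in /etc/nsswitch.conf, the libnss_winbind.so.2 name in /lib, and the two smb.conf options reported in the "winbind / getent problems" post above), as an added example that is not code from the original posts or from Samba. All function names and sample file contents are constructed, and the smb.conf findings restate what the poster observed rather than documented Samba behaviour.

```python
import re

TRUE_WORDS = {"yes", "true", "1"}  # boolean spellings smb.conf accepts for "on"


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for smb.conf text.

    Hand-rolled on purpose: Python's configparser treats indented lines as
    continuations, and smb.conf files like the one posted in this archive
    indent every parameter. '#' and ';' start comment lines.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Parameter names ignore case and whitespace in smb.conf.
            current["".join(key.lower().split())] = value.strip()
    return sections


def parse_nsswitch(text):
    """Return {database: [service, ...]} for nsswitch.conf text."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        # Drop [NOTFOUND=return]-style action items, keep service names.
        databases[name.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return databases


def diagnose(nsswitch_text, smb_conf_text, lib_dir_names):
    """List reasons, taken from the thread, why getent may hide domain users."""
    findings = []
    databases = parse_nsswitch(nsswitch_text)
    for name in ("passwd", "group"):
        if "winbind" not in databases.get(name, []):
            findings.append("nsswitch.conf: '%s' does not list winbind" % name)
    # glibc loads NSS modules as libnss_<service>.so.2, hence the symlink
    # suggested in the post.
    if "libnss_winbind.so.2" not in lib_dir_names:
        findings.append("lib dir: libnss_winbind.so.2 is missing")
    global_section = parse_smb_conf(smb_conf_text).get("global", {})
    for key, label in (("winbindtrusteddomainsonly", "winbind trusted domains only"),
                       ("domainlogons", "domain logons")):
        if global_section.get(key, "no").lower() in TRUE_WORDS:
            findings.append("smb.conf: '%s' is enabled" % label)
    return findings


# Constructed sample inputs, not taken from any real host.
NSSWITCH_BROKEN = """\
passwd:     files
shadow:     files
group:      files winbind   # group already has it
hosts:      files dns [NOTFOUND=return] winbind
"""
SMB_CONF_BROKEN = """\
[global]
   workgroup = TEST-ZA
   security = ads
   Domain Logons = Yes
#   winbind trusted domains only = yes
"""
NSSWITCH_FIXED = "passwd: files winbind\ngroup: files winbind\n"
SMB_CONF_FIXED = ("[global]\n   domain logons = no\n"
                  "   winbind trusted domains only = no\n")

if __name__ == "__main__":
    for finding in diagnose(NSSWITCH_BROKEN, SMB_CONF_BROKEN,
                            {"libnss_winbind.so"}):
        print(finding)
```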








[Samba] Re: valid users = %S ...

2003-09-27 Thread C.Lee Taylor
Greetings ...

	Installed the rpm from Samba.org for RedHat 9, and found the same problem ... removing valid users = %S from [home] gets it working, but I do remember somebody explaining that this option makes things a little more secure.

	Is this true, and is this a bug or is there something better to use?

Mailed
Lee

After upgrading rc2 - rc4 (suse binary packages)

line 'valid users = %S' in [homes] section prevents user getting to his
homedirectory
in logfile smbd says:

[2003/09/25 15:07:59, 2] smbd/service.c:make_connection_snum(384)
 user '' (from session setup) not permitted to access this share ()




[Samba] pam_winbind verses pam_krb5

2003-09-05 Thread C.Lee Taylor
Greetings ...

   Have a question, what are the advantages of using pam_winbind versus 
pam_krb5 for Samba user authentication?

   I mean, if I point my Linux box Kerberos to a Win2003 AD server, I 
am able to authenticate my users out of AD, but at the moment still 
having problems with winbind and nsswitch.

   Is there an advantage to using pam_winbind instead of pam_krb5?

Mailed
Lee


[Samba] Re: No Getent

2003-08-28 Thread C.Lee Taylor
Brian C Otto wrote:

I've had it in that situation.

   So I am not alone ... I want to thank some deity, but think it best 
not to ...

it means winbind is querying properly, but that the winbind-nsswitch/pam
stuff isn't.  Are you using pam?
   That seems to be the problem ... put pam stuff in with no difference 
... I have an LDAP system running, which I am using as a bench,  so I 
know that my system is working, and the LDAP stuff is fine ...

and 'net ads join' is working properly?

   Perfect, wbinfo -t reports fine too ...

any winbind errors in the logfile?  Or login unknown errors in

   All the winbind.log says, is that it can't find root, which is the 
user I am logged in as ...

/var/log/messages?  How  about 'kinit'?

   Nothing in messages, and kinit -V auth reports fine too.

Just some ideas.  I'm not sure if pam entries are necessary for a 'getent
passwd'
   Thanks, at least I am getting some ideas, but I have tried these at 
least.

Mailed
Lee


[Samba] Re: No Getent

2003-08-28 Thread C.Lee Taylor
Brian C Otto wrote:

Hmm.  you're doing a 'net ads join -U administrator'  ?

   Actually, I do ...

[EMAIL PROTECTED] root]#kinit -V [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
Authenticated to Kerberos v5
   then

[EMAIL PROTECTED] root]# net ads join -U Administrator
Administrator password:
[2003/08/28 15:05:07, 0] libads/ldap.c:ads_join_realm(1305)
 Host account for dctest-01 already exists - deleting old account
Joined 'DCTEST-01' to realm 'REALM.CORP'
   If I don't use a capital A in administrator, Kerberos will not 
authenticate.

check to make sure that the /lib/security/pam_winbind.so  is
up-to-the-samba-rpm date.
[EMAIL PROTECTED] root]# rpm -qf /lib/security/pam_winbind.so
samba-common-3.0.0rc1-1lnx2
   Which I believe is correct.
I didn't use the rpm's  ( I needed ACL support, so had to use SuSE, and compile
it myself) so most of my problems were due to the versions of kerberos I tried
to use, and whether or not it had LDAP support built in.
   I have built my own rpms from the src.rpm, seeing that I need a few 
changes of my own ... but I use rpms, because I have a better idea of 
the same binaries between systems.

Mailed
Lee


[Samba] Re: No Getent

2003-08-28 Thread C.Lee Taylor
Brian C Otto wrote:

Damn.  Sounds like all the ducks are in order.

   That's what I thought ...

hmm.  I'll try and remember any more 'gotcha's' I might have encountered.

   Thanks, if you do, you have my e-mail ...

Sorry I've not been much help.

   I disagree, you have at least put me at rest, I think less that it 
is my system, and maybe for something else, but I don't seem to be able 
to get any solid advice or direction.

Thanks again
Mailed
Lee




[Samba] Trouble shooting winbind ...

2003-08-27 Thread C.Lee Taylor
Greetings ...

   Once again I have spent a day trying to get winbind doing what I 
believe it should be doing, but with no luck, so I am asking if anybody 
would be able to help me ...

   I have checked admin details, with kinit -V and they are fine.  Then 
joined my Samba box to AD domain, done a net ads testjoin, which is 
okay.  Then do a wbinfo -t, which is also okay.  Able to do wbinfo 
-u, -g, -n, -S which works fine. If I run getent passwd, I don't 
get any AD users in the list, unlike my LDAP system which I am using as 
a bench for setup.

   Does anybody have any hints for me?

Thanks
Mailed
Lee


[Samba] Re: No Getent

2003-08-26 Thread C.Lee Taylor
Using winbind for authentication through PDC.

Problem: Some users do not get access to the samba share and some do.
When I do wbinfo -u  the users who cannot access show up but when I do
getent passwd, they are not there.  What does this mean?

It means that you likely do not have in your /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind
	Does one really need the shadow: files winbind?  From the Samba HOWTO, it states only passwd and group need winbind.

	Also, you might not have any more info for why getent does not display the users from AD domain?

Mailed
Lee






[Samba] Re: No Getent

2003-08-26 Thread C.Lee Taylor
Robert A Wooldridge wrote:

I have tried both ways for groups.  With files winbinded and without.

It makes no difference to this problem.

   Myself ... having problems with winbind and can't seem to work them 
out ...

I don't understand the 2nd question you have here.

   Well, running getent passwd should list all local users and remote 
users, as in users from AD domain, but I can't get my test system to 
list users from AD.

Using winbind for authentication through PDC.

Problem: Some users do not get access to the samba share and some do.
When I do wbinfo -u  the users who cannot access show up but when I do
getent passwd, they are not there.  What does this mean?
   

It means that you likely do not have in your /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind
 

	Does one really need the shadow: files winbind?  From the Samba HOWTO, it states only passwd and group need winbind.

	Also, you might not have any more info for why getent does not display the users from AD domain?





[Samba] Re: net ads join domain

2003-08-25 Thread C.Lee Taylor
Greetings ...

When I used the command ./net ads join -U ADMINISTRATOR it asked 
me for the password, after I entered the password it came back 
with a response of:
[2003/08/22 08:53:16, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)  krb5_cc_get_principal 
failed (No credentials cache found)
[2003/08/22 08:53:16, 0] Libads/ldap.c:ads_join_realm(1292)
Host account for computername already exists - deleting old 
account 
Joined computername to realm DOM.AIN.NAME
	First, have you tried kinit -V ADMINISTRATOR@DOM.AIN.NAME ? Should auth fine, unless you have incorrect details.

	Second, the last messages almost sound like you have been joined fine ... seems funny.

Mailed
Lee




[Samba] Re: wbinfo -t

2003-08-25 Thread C.Lee Taylor
Greetings ...

When I run ./wbinfo -t it returns with a error of :
checking the trust secret via RPC calls failed
error code was (0x0)
Could not check secret
Whats wrong?
	Had the same problem on a RedHat 9 install.  Can't tell you what is wrong, but I grabbed the src.rpm from RedHat's RawHide, updated to the latest source, and now wbinfo -t works fine.

Mailed
Lee




[Samba] winbind - idmap - ldap ...

2003-08-24 Thread C.Lee Taylor
Greetings ...

   I am trying to setup a domain controlled by a Win2K3 ADS server. 
Using my Linux boxes as domain members and other network services to 
provide file and print sharing.  I have downloaded and compiled 3rc1 and 
seem to have hit a brick wall.

   I can get the idmap in winbind to work, but not as expected, so I am 
looking for more docs so that I might be able to help myself.  So I have 
a few questions.  

   When does winbind allocate uidNumbers?  I seem to only be able to 
get a uidNumber if I query winbind by doing wbinfo -S SID number 
here, which returns a uidNumber, but before that, if I query a file for 
owner, I just get a uidNumber ... once I ran the command, it will then 
show the username.

   Do I have to populate the ldap DB to use idmap backend ldap?  If so, 
how do I, if not, does winbind write into the LDAP DB?  Again, when?

   If there is more info regarding winbind, idmap all using ldap, 
could somebody point me at it.

Thanks
Mailed
Lee


[Samba] Re: winbind tests ...

2003-08-22 Thread C.Lee Taylor
Installed Samba 3.0.0rc1, and seem to be having problems with winbind.

   First question, shouldn't wbinfo -t return success? I have wbinfo 
	I grabbed the RawHide src and updated to 3rc1 and wbinfo -t now works, seems like a problem with mkrpm in 3rc1.  I will look further once I have my system working.

	This also fixed 

wbinfo -a test2%test2
plaintext password authentication succeeded
challenge/response password authentication succeeded

   Third, should winbind return uid numbers for nss when configured in 
/etc/nsswitch.conf by adding winbind to passwd?  Does anybody have any 
hints on any of these?
	I have found that I have to do a 

[EMAIL PROTECTED] samba]# wbinfo -n test1
S-1-5-21-2875628134-430090060-3946654109-1114 1
[EMAIL PROTECTED] samba]# wbinfo -S test1
Could not convert sid test1 to uid
[EMAIL PROTECTED] samba]# wbinfo -S S-1-5-21-2875628134-430090060-3946654109-1114
1
	Before I am able to have nss use the uid numbers for the fs, but I am not able to do a chown test1 ./testdir, I still get 
chown: `test1': invalid user

	Do I need to configure pam before I am able to do this?

Thanks
Mailed
Lee
P.S. Please can anyone give me a hand with this. Thanks.





[Samba] Re: winbindd problem with 3.0.0rc1

2003-08-22 Thread C.Lee Taylor
Greetings ...

i've been trying to get samba 3 to join my AD domain, and have gotten stuck.
	So have I ...

when I wbinfo -t it returns Could not check secret
	Had a similar problem ... but mine was complaining that it could not use rpc for the check ...

	I downloaded RawHide's src.rpm and updated, and now I am able to do wbinfo -t.

	Are you able to run wbinfo -m and wbinfo -u?

Mailed
Lee


[Samba] winbind tests ...

2003-08-21 Thread C.Lee Taylor
Greetings ...

   Installed Samba 3.0.0rc1, and seem to be having problems with winbind.

   First question, shouldn't wbinfo -t return success? I have wbinfo 
-u, wbinfo -g, wbinfo -p and wbinfo --sequence returning what 
seems to be valid information.

   Second, where does winbind keep the details for wbinfo 
--get-auth-user? And when will these details be set?

   Third, should winbind return uid numbers for nss when configured in 
/etc/nsswitch.conf by adding winbind to passwd?  Does anybody have any 
hints on any of these?

   If more info is required, please ask, don't know what is needed to 
help with this.

Thanks
Mailed
Lee


Re: [Samba] Samba 3.0.0Beta1 - perl(Net::LDAP::LDIF)

2003-06-12 Thread C.Lee Taylor
Chee Wai Yeung wrote:

Hi,

   Greetings ...

try to look for an RPM for perl_ldap.

   Downloaded three different srpms and tried to compile them myself 
before asking on the list if I need this to run.  I still have this 
problem on test box.  I think this might be a problem with RedHat 9, 
seeing that they have made a few small changes to the rpm build system 
which gives me similar problems on other perl rpms modules.

   So, now for two questions, one, do I need the perl_ldap rpm to test 
Samba 3.0.0beta1, and the second, does anybody have the needed srpms to 
build the perl_ldap rpm module?

Thanks
Mailed
Lee
P.S. Great work guys on Samba 3, I am ever impressed, as usual!



[Samba] Samba 3.0.0Beta1 - perl(Net::LDAP::LDIF)

2003-06-11 Thread C.Lee Taylor
Greetings ...

   Download and created an rpm with my changes that I will use, but why 
am I getting a
Failed dependencies:
   perl(Net::LDAP::LDIF) is needed by samba-3.0.0beta1-1lnx1

   Should I need this, and I can't seem to find an rpm for this.  I 
have tried to make a few, but they just keel over.
   Does anybody have rpms for this?

Mailed
Lee




[Samba] Can't add Machine account ( LDAP ) ...

2003-01-21 Thread C.Lee Taylor
Greetings ...

	Just got bitten in the ass by not being able to join the domain with 2.2.7a

	Correct me if I am wrong, Jerry did give me a quick explanation.  It 
has to do with usernames and what allowable characters  in it for security.

	Now, I need to fix this, does anybody have a patch/fix or tell me where 
to look in the source to try and fix this.

Thanks.
Mailed
Lee



[Samba] Re: Can't add Machine account ( LDAP ) ...

2003-01-21 Thread C.Lee Taylor
Just got bitten in the ass by not being able to join the domain with 
2.2.7a

Correct me if I am wrong, Jerry did give me a quick explanation.  It
has to do with usernames and what allowable characters  in it for security.

Now, I need to fix this, does anybody have a patch/fix or tell me where
to look in the source to try and fix this.
Finally was able to find the freaking message ... but I think that 
this might be something else ...


Message from Jerry ...
((uid=machine_)(objectclass=sambaAccount))

where it should have been like this:
((uid=machine$)(objectclass=sambaAccount))


 This is the alpha_strcpy() stuff again trying to remove unsafe shell
 characters.
If I understand what you were saying is, this is to do with shell? 
... But the query here is not shell based.

I also tested today with the stuff in LDAP already ... and still 
seemed to be running into problems ( kick oneself for not recording all the 
stuff I tried, which I will try in my LAB again )

I have diffed the samba-2.2.6 to samba-2.2.7a source to try and see 
what has changed, but I was not able to find anything ... ( the reason I 
used 2.2.6, is because Buchan Milne [EMAIL PROTECTED] said that this 
worked in that version )

Also, I have seen a few days old messages, which also seem to be 
discussing this problem ... but I was not able to follow that to any 
good end ...

I really need domain joining, or at least a work around for it ... 
Please help me!!!

Thanks
Mailed
Lee
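
The substitution quoted in the message above (`machine$` arriving at the directory as `machine_`) is what a shell-safety filter does to a value that is really bound for an LDAP search filter. The C below is an added example, not Samba code and not part of the thread: `shell_safe_copy()` is a simplified stand-in for the behaviour attributed to alpha_strcpy(), its allow-list is an assumption, and `ldap_filter_escape()` applies RFC 4515 value escaping instead.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in (assumption, not Samba source) for a shell-safety copy:
 * any byte that is not alphanumeric or in a small allow-list becomes '_'. */
static void shell_safe_copy(char *dst, const char *src, size_t dstlen)
{
    static const char other_safe[] = ".-_";   /* assumed allow-list */
    size_t i;

    if (dstlen == 0)
        return;
    for (i = 0; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (isalnum(c) || strchr(other_safe, c)) ? (char)c : '_';
    }
    dst[i] = '\0';
}

/* RFC 4515 value escaping: inside a filter only '(', ')', '*', backslash
 * (and NUL) are special; each is written as a backslash plus two hex digits.
 * Returns 0 on success, -1 if dst is too small. */
static int ldap_filter_escape(char *dst, const char *src, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '(' || c == ')' || c == '*' || c == '\\') {
            if (o + 4 > dstlen)          /* 3 bytes + terminator */
                return -1;
            dst[o++] = '\\';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {
            if (o + 2 > dstlen)          /* 1 byte + terminator */
                return -1;
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return 0;
}

/* The archive shows the filter without '&'; a conjunction in RFC 4515
 * syntax is written "(&(a)(b))", which is what is built here. */
static int build_filter(const char *uid, int use_ldap_escape,
                        char *out, size_t outlen)
{
    char value[128];
    int n;

    if (use_ldap_escape) {
        if (ldap_filter_escape(value, uid, sizeof value) != 0)
            return -1;
    } else {
        shell_safe_copy(value, uid, sizeof value);
    }
    n = snprintf(out, outlen, "(&(uid=%s)(objectclass=sambaAccount))", value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs: a machine account name, and a name that
     * happens to contain filter metacharacters. */
    const char *samples[] = { "machine$", "lab(3)*" };
    char f[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_filter(samples[i], 0, f, sizeof f) == 0)
            printf("shell-safe : %s\n", f);
        if (build_filter(samples[i], 1, f, sizeof f) == 0)
            printf("RFC 4515   : %s\n", f);
    }
    return 0;
}
```

The shell-safe variant changes which entry the search asks for, so the machine account is never found; the RFC 4515 variant leaves `$` alone and only neutralises the characters that have meaning inside a filter.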





Re: [Samba] Profiles ...

2003-01-16 Thread C.Lee Taylor
Robert Adkins wrote:

	Unless your users are using Outlook (or virtually any E-mail client for   
that matter) I have a few users with .PST files that are over 1Gig in   
size. This is due to the regular amount of data files that we are sent. I   
have discussed with them the need to trim those files down.
	I have seen similar problems with mail folders ...


	In the near future, I am planning on replacing the current locally   
stored .PST files with an IMAP server. There are a few other things that   
I can do after that to cut down on the logon/logoff time. However, I have   
other more pressing matters to attend to.
	I have had to switch to IMAP, but M$ mail system just sucks ... I have 
a lot of problems with the mail clients not working properly, and to try 
and switch users to using another mail client is like pulling teeth ...

	Anyway, our network speed is swift enough to get those logoffs down to   
about twenty minutes or so...(Crazy I know, but that's what it takes.)   
Logons are thankfully much faster.
	You try and tell a manager that they are doing something wrong and it's 
not the Linux server causing the problem ... that is like walking 
through hell ...


	What I did do for Win98SE, was hack the registry to point to the 
network server instead of local, so that nothing was downloaded and 
uploaded, therefore they worked right off the network.

Mailed
Lee



Re: [Samba] Profiles ...

2003-01-16 Thread C.Lee Taylor
	Now, where my problem is, when I have some users who have huge
documents folder, this log on and log off takes a long time, not to mention
the problems I have run into when their computer is turned off
incorrectly.  I am sure this is a Micro$oftism, but is there a way to
use roaming profiles, but have them used directly off the server and not
copied to and from the server at login and logout?



This is simply a symptom of BAD BAD BAD practice. You need to educate your

	I would disagree ... when somebody hits My Documents and M$ has taught 
them, they should get to their docs.  Some users have to have personal 
docs because they do not share the info with others ... why create a 
My Doc's if you must go somewhere else to get to your docs ... it's 
the way M$ has brain washed these silly users ...

users that they should store documents on a drive share. Keep profiles
clean and small by making them mandatory. See the Win2K/WinXP resource
kits for details how to create a mandatory profile. This forces your users
to use network drives instead of dropping their poop all over the shop.






Re: [Samba] Profiles ...

2003-01-16 Thread C.Lee Taylor
Bart wrote:

Or just put the documents on the home drive and change the target of the 
'my documents' folder to this home drive.

that way you have security  all the docs on a mounted drive.

	We did that with Win98SE, and found that sometimes it would change 
back or to something that should cause problems ... that is why I was 
hoping, there was a way around this ... but then it seems not.

Thanks for everybody's input ...



Re: [Samba] Profiles ...

2003-01-16 Thread C.Lee Taylor
John H Terpstra wrote:

On Thu, 16 Jan 2003, C.Lee Taylor wrote:



Bart wrote:


Or just put the documents on the home drive and change the target of the
'my documents' folder to this home drive.

that way you have security  all the docs on a mounted drive.


	We did that with Win98SE, and found that sometimes it would change
back or to something that should cause problems ... that is why I was
hoping, there was a way around this ... but then it seems not.



Did you check the Win98 Resource Kit for how to configure this?

	No, just searched the registry for the set strings, changed them and 
tested.  Also used support.microsoft.com for other info ... Don't have 
access to the Resource kits, unless they have not put them up on the net 
and it's legal for us to use them without paying?

Mailed
Lee




[Samba] SMB+LDAP Question ...

2003-01-15 Thread C.Lee Taylor
Greetings ...

	I have a quick question, which I hope will get a straight and quick answer.

	I am moving my system from flat files to LDAP.  I have had my users in 
LDAP for a while, but then found that my computer accounts for Win2K are 
still in passwd. My question is, what are the bare minimum LDAP attribs 
that I need for them to continue to work?

	But I don't think I am going to get that answered, so, do I need a Unix 
password for computers?

	I would just like to keep as little info in my LDAP as possible .. I still 
believe the smallest amount of common info is best.

Thanks.
Mailed
Lee



[Samba] Profiles ...

2003-01-15 Thread C.Lee Taylor
Greetings ...

	This is a stupid question which I have been wanting to ask for a while, 
and hope somebody can help me.

	Profiles, if I understand it correctly come in two forms, local and 
roaming?  Now local is on the computer the user uses and roaming is one 
that is downloaded from the server when the user logs in.

	Now, where my problem is, when I have some users who have huge 
documents folder, this log on and log off takes a long time, not to mention 
the problems I have run into when their computer is turned off 
incorrectly.  I am sure this is a Micro$oftism, but is there a way to 
use roaming profiles, but have them used directly off the server and not 
copied to and from the server at login and logout?

Thanks
Mailed
Lee



Re: [Samba] SMB+LDAP Question ...

2003-01-15 Thread C.Lee Taylor
	I am moving my system from flat files to LDAP.  I have had my users in 
LDAP for a while, but then found that my computer accounts for Win2K are 
still in passwd. My question is, what are the bare minimum LDAP attribs 
that I need for them to continue to work?


AFAIK, just sambaAccount and related items.

	Mmm, you see, if you have the /etc/passwd entry and do a smbpasswd -a 
-m with LDAP, it creates the sambaAccount stuff in LDAP, but if I delete 
the /etc/passwd without moving it into LDAP, the computer will not logon 
the PDC/Network.

	So now I have a few machine accounts which I want to move into LDAP, so 
I would like to know what I need, at least from an LDAP point of view ...

In the end, in 2.2.x and non-NUA sam backends in 3.0alpha, you need the
following to work on any DC:

$ getent passwd machine$

So, on your DCs, you either need a unix account for the machine in
/etc/passwd, or an LDAP account with posixAccount and sambaAccount

	Okay, but what does Samba 2.2 need with posixAccount?  I mean, it does 
not need a homedir for anything.  It does not need the Unix password 
stuff.  I currently use the gid, but if it's in LDAP, I don't think I 
need that either.

BTW, see examples/LDAP/import_smbpasswd.pl in the samba docs if you
haven't yet. Should work for importing machine accounts.

	But I would think that import_smbpasswd.pl is for importing 
smbpasswd, I need to bring in the passwd, that is why I am asking ...

Again, thanks for your input.
Mailed
Lee



Re: [PATCH 2.2.7a] was: Samba Referrals

2003-01-14 Thread C.Lee Taylor
Ignacio Coupeau wrote:
 http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#patches

 Tested the rebind  stuff with ldap in round robin (master/slave)
 Some fixes
Applied, compiled and will test ... Thanks.

 Tar and diff -uRn textfiles available:
 http://www.unav.es/cti/ldap-smb/patches-ldap.tar
Thanks, this makes life a lot easier ...

 As two of the patches are for configure.in and configure.h.in, an
 autoconf is required before the configure.
Have done ...

Mailed
Lee

P.S. Sorry for the late reply ... I killed my mail server ...





Re: [PATCH 2.2.7a] was: Samba Referrals

2003-01-11 Thread C.Lee Taylor
Thanks for the work ...

	But I have a quick question ... is it needed to make two functions 
which look the same except for the function name ... is it not better 
just to have the two parm and three parm call #if def?

	I think that you might have this in if there is a problem and the 
functions need to be different ...

Mailed
Lee



Re: [Samba] Re: samba (2.2.7a) + openldap (2.0.x)

2003-01-10 Thread C.Lee Taylor
((uid=machine_)(objectclass=sambaAccount))

where it should have been like this:
((uid=machine$)(objectclass=sambaAccount))



This is the alpha_strcpy() stuff again trying to remove unsafe shell 
characters.
	I am sure, but I am sure that I did a Machine Account add with 2.2.7, 
is this a change in 2.2.7a ... I don't remember seeing that in CVS logs 
... but then I have been offline for about a month ...



[Samba] Re: samba (2.2.7a) + openldap (2.0.x)

2003-01-10 Thread C.Lee Taylor
Buchan Milne wrote:

OK, I stayed a bit late, waiting for things to finish compiling etc ...

	You should not work that hard ... ;-)


and did some tests. It seems to work. What I did was just point the
production DC at a slave server, and then

	Kewl ...


1)try and change my password
a)while both ldap servers were running (works)

	Great ... did you watch the traffic follow by any chance ...


b)while only the slave is running (doesn't work)

	That should not, at least not by the standards that I understand that 
LDAP replica works ...

c)while only the master is running (doesn't work)

	That should work, but I think that might be a smb.conf thing ...


2)connect to my homes share
a)while both servers were running (works)
b)while only the slave was running (works)
c)while only the master is running (doesn't work)

	Same as the above ...


So, it seems to be all correct, but it would be nice to have ldap
failover (multiple ldap servers listed in smb.conf?), but not absolutely
necessary. Now our WAN setup should work!

	This is how I intend it to work, but have not finish testing ...


And, I also seem to not be able to have machine accounts created by
samba. I lost the (samba) log now, but while I had smbcontrol'ed the
smbd handling my domain join, I saw an ldap search string something like
this:

((uid=machine_)(objectclass=sambaAccount))

where it should have been like this:
((uid=machine$)(objectclass=sambaAccount))

	This I am not certain about this ... but I would think it better to use 
LDAP scripts to add the accounts, which I think IDXP or something like 
that does have ... remember, if you use the normal way, Samba is trying 
to add an account into passwd and shadow, which will not work ...

Without the LDAP entry in the server, I got a No mapping was done
between  etc  error on the client.

	Do you have the LDAP entry at all ...


I also had a local machine account (in passwd) at which time I did not
get the error AFAICR, but it failed to join.

	Mmm, I have had problems when there is an account already ... something 
fails ... I do remember some work in Head to get around this, but not in 2.2

I was hoping to release 2.2.7a RPMs for Mandrake now, but they can't
ship like this ...

	I have made some RPMs for RedHat 8.0, which is what I am about to test, 
and I see Herb Lewis has sent me a patch for the autoconf check, which I 
have not looked at yet either ... but I am hoping this can all come 
together soon ...

Good Luck ...

Mailed
Lee



Re: Fwd: Samba Referrals

2003-01-10 Thread C.Lee Taylor
 2.2.* doesn't support referrals at all :-(
It is on a production server, so it is 2.2.7a.

 but in the 3.0alpha21 and in HEAD/CVS it should work :-)

	Don't just give up on 2.2, I am trying and testing the patch

 http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#patches it

	But if you are using a new OpenLDAP, I think 2.0.20 and above, please 
don't quote me on that number.  Will need to remove the , Null from 
the ldap_set_rebind_proc, because they don't have a third parameter.

	I am about to test whether this works, which I believe one other person 
on the Samba List said he had good results.

	The only thing, if this works, which I need to try and figure out, 
which Herb Lewis has sent me a patch which I have not looked at yet, is 
get the autoconf stuff working, so that this can become standard in 2.2 
... I think it would be good if we put something in the docs at the 
moment about Samba 2.2  Referrals not working ... at least for the moment.

Mailed
Lee




Re: Fwd: Samba Referrals

2003-01-10 Thread C.Lee Taylor
I'm also changing/testing the patch in the samba_3 fashion to catch/wrap 
the correct version/arguments and so.
	You talking about autoconf stuff for testing whether two or three 
parameters for ldap_set_rebind_proc?




[Samba] Re: samba (2.2.7a) + openldap (2.0.x)

2003-01-09 Thread C.Lee Taylor
Thanks, compiles (with warning):
Compiling passdb/pdb_ldap.c
passdb/pdb_ldap.c: In function `ldap_connect_system':
passdb/pdb_ldap.c:289: warning: passing arg 2 of `ldap_set_rebind_proc'
from incompatible pointer type

Will see if I can actually get it working later today (if I can devise
an easy method to test it without disturbing our production dc ...)

	Don't we all have that problem ... I was hoping to get to test today, 
but my test lab is infected with users ...






[Samba] Re: samba (2.2.7a) + openldap (2.0.x)

2003-01-08 Thread C.Lee Taylor

Seems I was wrong (left out ldap switch ...), it doesn't compile on
cooker, here is the error:

Compiling passdb/pdb_ldap.c
passdb/pdb_ldap.c: In function `ldap_connect_system':
passdb/pdb_ldap.c:289: warning: passing arg 2 of `ldap_set_rebind_proc'
from incompatible pointer type
passdb/pdb_ldap.c:289: too many arguments to function 
`ldap_set_rebind_proc'
make: *** [passdb/pdb_ldap.o] Error 1

	The real problem is that ldap_set_rebind_proc now takes 2 parameters 
instead of 3.  On line 289 ( I think ) remove the ,NULL from the call 
and recompile.  It should then recompile fine.

	I am testing this at the moment.  I now wish I could figure out the 
autoconf stuff so that it could be tested for.

	I hope this helps.  Please let me know if it works for you.

Mailed
Lee



--- samba-2.2.7/source/passdb/pdb_ldap.c.ldap   2002-12-10 16:58:15.0 +0200
+++ samba-2.2.7/source/passdb/pdb_ldap.c2003-01-08 18:38:19.0 +0200
@@ -65,6 +65,7 @@
 
 static struct ldap_enum_info global_ldap_ent;
 
+static pstring ldap_secret;
 
 extern pstring samlogon_user;
 extern BOOL sam_logon_in_ssb;
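
Review bot: `ldap_secret` is promoted to file scope here without a comment saying why, while `got_pw`, the flag that records whether the buffer has been filled, stays local to ldap_connect_system(). The new rebind callback reads `ldap_secret` directly, so it silently depends on ldap_connect_system() having fetched the password first. Add a comment at this declaration stating that ordering and that the buffer holds the LDAP admin password for the life of the process, and consider moving `got_pw` beside it so the two cannot drift apart.
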
@@ -218,13 +219,60 @@
 }
 
 /***
+ ldap rebind proc to rebind w/ the admin dn when following referrals
+***/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP)  (LDAP_API_VERSION  2000)
+/** @TODO Add a configure check for the rebind_proc version that doesn't take
+the last argument and include a #define here. */
+static int auth_rebind_proc( LDAP *ld,
+ LDAP_CONST char *url,
+ ber_tag_t request,
+ ber_int_t msgid,
+ void *arg)
+{
+int rc;
+if ( ( rc = ldap_simple_bind_s( ld, lp_ldap_admin_dn(), ldap_secret ) ) == 
+LDAP_SUCCESS )
+{
+DEBUG( 2, ( Rebind successful\n ) );
+}
+else {
+DEBUG( 0, ( Rebind failed: %s\n, ldap_err2string( rc ) ) );
+}
+return rc;
+}
+#else
+static int auth_rebind_proc ( LDAP * ld,
+  char **whop,
+  char **credp,
+  int *methodp,
+  int freeit,
+  void *arg )
+{
+/** @TODO Use the samba utility functions here. */
+register char   *to_clear = *credp;
+if ( freeit ) {
+free( *whop );
+*whop = NULL;
+while ( *to_clear != '\0' ) *to_clear++ = '\0';
+free( *credp );
+*credp = NULL;
+}
+else {
+*whop = strdup( lp_ldap_admin_dn() );
+*credp = strdup( ldap_secret );
+*methodp = LDAP_AUTH_SIMPLE;
+}
+return LDAP_SUCCESS;
+}
+#endif
+
+/***
  connect to the ldap server under system privilege.
 **/
 static BOOL ldap_connect_system(LDAP * ldap_struct)
 {
int rc;
static BOOL got_pw = False;
-   static pstring ldap_secret;
 
/* get the password if we don't have it already */
if (!got_pw  !(got_pw=fetch_ldap_pw(lp_ldap_admin_dn(), ldap_secret, 
sizeof(pstring 
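
Review bot: in the `#else` variant of auth_rebind_proc(), `to_clear` is initialised from `*credp` before `freeit` is tested and the wipe loop then dereferences it with no NULL check, so a free request arriving with `*credp == NULL` dereferences a null pointer. The non-free path also stores the results of both strdup() calls unchecked and still returns LDAP_SUCCESS. Guard the wipe with `if (*credp)`, and return an LDAP error code when either strdup() fails so the library does not bind with a NULL DN or credential.
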
@@ -237,6 +285,12 @@
/* removed the sasl_bind_s EXTERNAL stuff, as my testsuite 
   (OpenLDAP) doesnt' seem to support it */
   
+DEBUG( 10, ( ldap_connect_system: setting rebind proc\n  ) );
+if ( ( rc = ldap_set_rebind_proc( ldap_struct, auth_rebind_proc ) ) != 
+LDAP_SUCCESS )
+{
+DEBUG( 2, (warning: setting rebind proc failed: %s\n referrals may not 
+work\n, ldap_err2string( rc ) ) );
+}
+
DEBUG(10,(ldap_connect_system: Binding to ldap server as \%s\\n,
lp_ldap_admin_dn()));
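
Review bot: the call `ldap_set_rebind_proc( ldap_struct, auth_rebind_proc )` is written with two arguments unconditionally, although the previous hunk defines two different callback signatures behind `#if` and leaves a TODO about the rebind_proc variant with a different argument list. Put the call site under the same condition (or a configure-time define) so the callback type and the argument count are always selected together; as written, nothing ties this call to the branch that was compiled.
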




Re: Samba 2.2.7a and LDAP Rebind for Slave enviroment ...

2003-01-08 Thread C.Lee Taylor
Standard Samba 2.2.7 does not rebind to do updates.  This is a 
problem when using LDAP and a replicated directory.

I did try this on the normal mail-list, but got no response so I hoped 
to try here.

I found http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html, 
which has a patch to add rebind. Which I am going to try, because I need 
it and it looks right, not that I am a programmer or anything like that.
	Okay, I gave up hoping that somebody would fix my problem ... so I did 
the unthinkable ... I went out and tried to fix it myself. I am no 
programmer, so I need a little help ...

	First, I took the patch at the above address and googled the net until 
I found something regarding ldap rebind.

	All that I had to do to get pdb_ldap.c to compile was to remove the , 
NULL line 289, but then I get the following warning ...

passdb/pdb_ldap.c: In function `ldap_connect_system':
passdb/pdb_ldap.c:289: warning: passing arg 2 of `ldap_set_rebind_proc' 
from incompatible pointer type

	Now, unlike some projects I have compiled, Samba has very few warnings, 
now is this one a problem?

	Also, I don't know how to make an autoconf ( I think ) check to put in 
the third parameter for ldap_set_rebind_proc function.

	This compiles and I will be testing in the morning on a devs box.  So I 
will let everybody who is interested know tomorrow ... no fingers, toes 
and a few other things are all crossed.

Mailed
Lee

P.S. Great work guys.

--- samba-2.2.7/source/passdb/pdb_ldap.c.ldap   2002-12-10 16:58:15.0 +0200
+++ samba-2.2.7/source/passdb/pdb_ldap.c2003-01-08 18:38:19.0 +0200
@@ -65,6 +65,7 @@
 
 static struct ldap_enum_info global_ldap_ent;
 
+static pstring ldap_secret;
 
 extern pstring samlogon_user;
 extern BOOL sam_logon_in_ssb;
@@ -218,13 +219,60 @@
 }
 
 /***
+ ldap rebind proc to rebind w/ the admin dn when following referrals
+***/
+#if defined(LDAP_API_FEATURE_X_OPENLDAP)  (LDAP_API_VERSION  2000)
+/** @TODO Add a configure check for the rebind_proc version that doesn't take
+the last argument and include a #define here. */
+static int auth_rebind_proc( LDAP *ld,
+ LDAP_CONST char *url,
+ ber_tag_t request,
+ ber_int_t msgid,
+ void *arg)
+{
+int rc;
+if ( ( rc = ldap_simple_bind_s( ld, lp_ldap_admin_dn(), ldap_secret ) ) == 
+LDAP_SUCCESS )
+{
+DEBUG( 2, ( Rebind successful\n ) );
+}
+else {
+DEBUG( 0, ( Rebind failed: %s\n, ldap_err2string( rc ) ) );
+}
+return rc;
+}
+#else
+static int auth_rebind_proc ( LDAP * ld,
+  char **whop,
+  char **credp,
+  int *methodp,
+  int freeit,
+  void *arg )
+{
+/** @TODO Use the samba utility functions here. */
+register char   *to_clear = *credp;
+if ( freeit ) {
+free( *whop );
+*whop = NULL;
+while ( *to_clear != '\0' ) *to_clear++ = '\0';
+free( *credp );
+*credp = NULL;
+}
+else {
+*whop = strdup( lp_ldap_admin_dn() );
+*credp = strdup( ldap_secret );
+*methodp = LDAP_AUTH_SIMPLE;
+}
+return LDAP_SUCCESS;
+}
+#endif
+
+/***
  connect to the ldap server under system privilege.
 **/
 static BOOL ldap_connect_system(LDAP * ldap_struct)
 {
int rc;
static BOOL got_pw = False;
-   static pstring ldap_secret;
 
/* get the password if we don't have it already */
if (!got_pw  !(got_pw=fetch_ldap_pw(lp_ldap_admin_dn(), ldap_secret, 
sizeof(pstring 
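
Review bot: the OpenLDAP 2 variant of auth_rebind_proc() receives the referral target in `url` but never inspects it, and answers every referral with `ldap_simple_bind_s( ld, lp_ldap_admin_dn(), ldap_secret )`. That presents the admin DN and its password, in a simple bind, to whichever server the referral names. Check `url` against the configured LDAP server(s) before binding and return an error for anything else, and note in the comment block that rebinding should only be used over a protected transport.
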
@@ -237,6 +285,12 @@
/* removed the sasl_bind_s EXTERNAL stuff, as my testsuite 
   (OpenLDAP) doesnt' seem to support it */
   
+DEBUG( 10, ( ldap_connect_system: setting rebind proc\n  ) );
+if ( ( rc = ldap_set_rebind_proc( ldap_struct, auth_rebind_proc ) ) != 
+LDAP_SUCCESS )
+{
+DEBUG( 2, (warning: setting rebind proc failed: %s\n referrals may not 
+work\n, ldap_err2string( rc ) ) );
+}
+
DEBUG(10,(ldap_connect_system: Binding to ldap server as \%s\\n,
lp_ldap_admin_dn()));
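
Review bot: when ldap_set_rebind_proc() fails, the code logs only at DEBUG level 2 and carries on to the bind, so at a low log level nothing records that referrals will not be followed. Since that failure means updates sent to a replica will not be re-bound to the master, log it at level 0 to match the "Rebind failed" message in the callback, and keep the message text on a single line so it can be searched for in the logs.
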




Re: Samba 2.2.7a and LDAP Rebind for Slave enviroment ...

2003-01-08 Thread C.Lee Taylor
Herb Lewis wrote:

You might want to check out the code in the head branch as this already

	I would, but I am not a programmer, and downloading head would take 
almost forever here in the middle of the sticks.

has a test for ldap_set_rebind_proc having either 2 or 3 parameters.
The rest of your problem may already be fixed there as well.

	If that was the case, I believe Andrew would have picked it up and 
fixed, but then he also focuses all his efforts on head.

	Maybe if I can test this and ( I think Jerry ) sees that it works, he 
might include it ...

	It's a start, plus I see another Samba 2.2.7a user has run into this 
problem also.  So I am thinking that we might need to put this in soon, 
or we are going to see a lot of people run into this problem.  I also 
recompiled half my test system before running into this half solution 
... and that all takes time and that means TCO goes up ...

	Thanks.

Mailed
Lee




Re: Samba 2.2.7a and LDAP Rebind for Slave enviroment ...

2003-01-07 Thread C.Lee Taylor
Standard Samba 2.2.7 does not rebind to do updates.  This is a 
problem when using LDAP and a replicated directory.

I did try this on the normal mail-list, but got no response so I hoped 
to try here.

I found http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html, 
which has a patch to add rebind. Which I am going to try, because I need 
it and it looks right, not that I am a programmer or anything like that.

Alternatively, it is possible multimaster configuration of openldap.
Unfortunately, this multimaster is not officially supported :-(

	I would like that it would be better to get 2.2 to rebind correctly.

	I know Andrew did ask someone to try and fix this problem, which has 
something to do with a change in OpenLDAP, but currently all focus is on 
head ... which means, if I implement another upgrade, it's a whole lot of 
new problems which I am going to run into ...

	Thanks for your idea.

Mailed
Lee



Samba 2.2.7a and LDAP Rebind for Slave enviroment ...

2003-01-06 Thread C.Lee Taylor
Greetings ...

Been away a little so, please forgive me if this has been discussed 
... I did search the archives and googled the net and this is what I 
came up with ...

Standard Samba 2.2.7 does not rebind to do updates.  This is a 
problem when using LDAP and a replicated directory.

	I did try this on the normal mail-list, but got no response so I hoped 
to try here.

I found http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html, 
which has a patch to add rebind. Which I am going to try, because I need 
it and it looks right, not that I am a programmer or anything like that.

I was wondering when, or if this would be added to 2.2.  I know 
that we don't wish to add anything to 2.2, unless it is a bug fix or 
security problem, but this could be a problem before 3.0 gets released 
as production.

Thanks.
Mailed
Lee




[Samba] Samba 2.2.7a and LDAP Rebind for Slave enviroment ...

2002-12-30 Thread C.Lee Taylor
Greetings ...

	Been away a little so, please forgive me if this has been discussed ... 
I did search the archives and googled the net and this is what I came up 
with ...

	Standard Samba 2.2.7 does not rebind to do updates.  This is a problem 
when using LDAP and a replicated directory.

	I found http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html, which 
has a patch to add rebind. Which I am going to try, because I need it 
and it looks right, not that I am a programmer or anything like that.

	I was wondering when, or if this would be added to 2.2.  I know that we 
don't wish to add anything to 2.2, unless it is a bug fix or security 
problem, but this could be a problem before 3.0 gets released as production.

Thanks.
Mailed
Lee



[Samba] Re: Resolving NetBIOS names within linux

2002-10-18 Thread C.Lee Taylor
ping windows_machine_name
	I personally use dnsmasq with dhcp, search freshmeat.net.  It's almost a 
dynamic dns solution, but with a lot less headaches ( it took me a long 
time to get dhcp+bind to do ddns )

	The only thing that is a little different, is you will have to use the 
full hostname or client with a period on the end ...

	ping client.domain
or
	ping client.

	Very quick, very light, very nice.

Mailed
Lee





[Samba] Password aging ...

2002-10-17 Thread C.Lee Taylor
Greetings ...

	A quick question more to confirm a few things regarding SMB passwords, 
which I hope might be able to look at for password aging.

	I saw some discussion on samba-tech list, but nothing conclusive.

	LM and NT hashes don't have a salt?  Do they? ... In other words, a 
password "password" LM hashed, always comes out as 
E52CAC67419A9A224A3B108F3FA6CB6D no matter the case?  Just checking, 
but I take it a password "password" NT hashed is case sensitive, but 
still no salt, which means one could search a DB of a large number of LM 
or NT hashes to crack a LM/NT hash?

	I understand that we can't use PAM cracklib to do password sanity, but 
we could use all known hashes in a smb passwd DB, ie ... search one's 
local LDAP DB for matching LM/NT hashes and not accept password.

	But I think that the rpc's to look after password expiry and sanity 
have not been finished, am I correct in this thinking?

Thanks.
Mailed
Lee
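
The check proposed in the message above (refuse a new password whose NT hash already appears among known hashes) is only possible because the hash has no salt: the same password always yields the same value. The C below is an added example, not from the thread and not Samba code; it carries its own MD4 (RFC 1320), handles ASCII passwords only, uses hypothetical function names and a constructed deny-list, and leaves out the LM hash, which needs DES.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

/* MD4 compression function for one 64-byte block (RFC 1320). */
static void md4_block(uint32_t st[4], const unsigned char *p)
{
    static const int s1[4] = {3, 7, 11, 19}, s2[4] = {3, 5, 9, 13},
                     s3[4] = {3, 9, 11, 15};
    static const int k3[16] = {0, 8, 4, 12, 2, 10, 6, 14,
                               1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t x[16], v[4], t;
    int i;

    for (i = 0; i < 16; i++)                     /* little-endian words */
        x[i] = (uint32_t)p[4 * i] | ((uint32_t)p[4 * i + 1] << 8) |
               ((uint32_t)p[4 * i + 2] << 16) | ((uint32_t)p[4 * i + 3] << 24);
    memcpy(v, st, sizeof v);
    for (i = 0; i < 48; i++) {
        uint32_t a = v[0], b = v[1], c = v[2], d = v[3];
        if (i < 16)                              /* round 1: F */
            t = a + ((b & c) | (~b & d)) + x[i];
        else if (i < 32)                         /* round 2: G */
            t = a + ((b & c) | (b & d) | (c & d)) +
                x[(i % 4) * 4 + (i - 16) / 4] + 0x5a827999u;
        else                                     /* round 3: H */
            t = a + (b ^ c ^ d) + x[k3[i - 32]] + 0x6ed9eba1u;
        t = ROTL(t, i < 16 ? s1[i % 4] : i < 32 ? s2[i % 4] : s3[i % 4]);
        v[0] = d; v[1] = t; v[2] = b; v[3] = c;  /* rotate registers */
    }
    for (i = 0; i < 4; i++)
        st[i] += v[i];
}

/* NT hash: MD4 over the UTF-16LE password, with no salt and no iteration.
 * ASCII passwords of up to 64 characters only; returns -1 otherwise. */
static int nt_hash_hex(const char *pw, char hex[33])
{
    static const char digits[] = "0123456789ABCDEF";
    unsigned char buf[192] = {0};
    uint32_t st[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    size_t n = strlen(pw), len = 2 * n, total, i;

    if (n > 64)
        return -1;
    for (i = 0; i < n; i++) {
        if ((unsigned char)pw[i] > 0x7f)
            return -1;
        buf[2 * i] = (unsigned char)pw[i];       /* high byte stays zero */
    }
    buf[len] = 0x80;                             /* MD4 padding marker */
    total = (len + 72) / 64 * 64;                /* room for 0x80 + length */
    buf[total - 8] = (unsigned char)((len * 8) & 0xff);
    buf[total - 7] = (unsigned char)((len * 8) >> 8);
    for (i = 0; i < total; i += 64)
        md4_block(st, buf + i);
    for (i = 0; i < 16; i++) {                   /* state is little-endian */
        unsigned char byte = (unsigned char)(st[i / 4] >> (8 * (i % 4)));
        hex[2 * i] = digits[byte >> 4];
        hex[2 * i + 1] = digits[byte & 0x0f];
    }
    hex[32] = '\0';
    return 0;
}

/* Constructed deny-list standing in for hashes already held in the
 * directory: the NT hashes of "password" and of the empty password. */
static const char *const known_hashes[] = {
    "8846F7EAEE8FB117AD06BDD830B7586C",
    "31D6CFE0D16AE931B73C59D7E0C089C0",
};

/* Returns 1 if the candidate must be refused (its hash is already known,
 * or the input is unsupported), 0 if it passes this check. */
static int password_is_rejected(const char *candidate)
{
    char hex[33];
    size_t i;

    if (nt_hash_hex(candidate, hex) != 0)
        return 1;
    for (i = 0; i < sizeof known_hashes / sizeof known_hashes[0]; i++)
        if (strcmp(hex, known_hashes[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *tries[] = { "password", "Password" };  /* constructed inputs */
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%-9s -> %s\n", tries[i],
               password_is_rejected(tries[i]) ? "rejected" : "accepted");
    return 0;
}
```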



[Samba] Re: Multiple NT users on a single box

2002-09-25 Thread C.Lee Taylor

 Each winNT user has a drive mapped to their home directory.  Therefore, Fred
 has H:\ mapped to the linux /home/fred/samba share, and Russel has H:\ mapped
 to the linux /home/russel/samba share (remember is is all on the same box). 
 However, when Fred logs off, and Russel logs on, Russel is able to browse
 through the network neighborhood and see Freds share.  
 
 It seems as though once Fred has logged in, his share is still browsable even
 after he has logged off from the winNT box and another user has logged in (to
 the same box).
 
 How do I prevent this?
In your smb.conf under the [homes] def add
valid users = %S
This should make sure that only the user can see their home share.

I also add
browseable = No
Because I map h: to home with the login script.  This way they can't see one 
another shares, so they will not get errors.

Hope this helps.

Mailed
Lee




[Samba] bind interface and WINS ...

2002-09-18 Thread C.Lee Taylor

Greetings ...

I am seeing a funny and would just like to point it out ... I have a Samba 2.2.5 
running in a server with two ethernet interfaces.

I have in my smb.conf

interfaces = eth1:1
 bind interfaces only = Yes

But I am still seeing traffic over port 137 ( wins ) from eth0.

Other than firewalling off the eth0 137,138,139, why is Samba responding to 
traffic on eth0 with the above settings? ... Or does nmbd respond to all 
interfaces?

Mailed
Lee




RE: [Samba] Samba and VPN

2002-08-01 Thread C.Lee Taylor

  To make a long story short, cross-domain and cross-subnet browsing will not
  work with samba. especially if domains are limited to one subnet. That's it.

  If anyone is willing/capable of helping me with this, I'd be grateful.
  However since my original mail received no responses at all, looks like I'll
  have to do this alone, if I'll have the motivation to continue.
 
  thanks for all the fish :-)
Great to see that you are working on WINS, but I am sure I saw work put in 
CVS a little while ago regarding a new WINS system for Head, but then I 
watch the CVS list a lot. I think Tridge was working on it, but I am not sure if 
this is related.

I wish you luck with your work.

Mailed
Lee





Re: Draft of branch maintainence and release plans....

2002-07-03 Thread C.Lee Taylor

  Everyone,
Greetings ...

  Here are the plans for getting 3.0 ready for release and the
  maintainence plans for SAMBA_2_2.  Comments welcome.
Great ...

  I would love to see this out sometime during the Fall of this
  year.  Of course, none of this will get done without everyone's
  help :-)
Not to be a pain, but could you state this in a 2002/Q3 or something, I 
don't know when your fall is.

Thanks
Mailed
Lee








Re: archive bit in xattr possible/exist?

2002-07-03 Thread C.Lee Taylor

  I know it is possible to use map archive to keep track of archive
  bits, but this is not very useful if you have real UNIX users.  I.e. I
  can't have samba arbitrarily playing with the execute bits.
Agreed ...

  Does anyone know of any attempted implementation of archive bits through
  extended attributes?  This would probably need a VFS layer, to get and
  set them appropriately.
I have asked this question before, but got no response ...

  If no one has looked into this is there a better/different way of
  tracking archive bits?
I remember searching the mail list archives, and somebody else proposed 
this, but I don't think anybody has done anything ...

If anybody is going to look into this, could they keep it on the list, 
thanks.

Mailed
Lee











Cascaded VFS ...

2002-07-03 Thread C.Lee Taylor

Greetings ...

Quick question, is the Cascaded VFS system applied to cvs?

I don't remember seeing it being applied, but I might have missed it.  If I 
wish to work with it, should I download the cvs or should I download the 
latest head alpha tar ball and apply 1.1 patch that Alexander Bokovoy has made.

Thanks
Mailed
Lee





[Samba] VFS and DOS attribs ...

2002-06-11 Thread C.Lee Taylor

Greetings ...

I remember someone talking a little while ago about storing the DOS 
attribs in ext2 EA using a VFS module ... has anyone taken this any further?

Thanks
Mailed
Lee





Re: [Samba] Trust Domains ...

2002-06-06 Thread C.Lee Taylor

Greetings ...

After a little research (somebody did a bit of work ;-O ) with google and 
the replies to my questions, this is what I think I understand and will test 
very soon ( Hope not to make an ass of myself. )

Andrew Bartlett wrote:
 Samba 2.2 supports being trusted by NT.  It's a bit odd, and mainly works
 due to the fact that domain logons and interdomain logons are almost
 exactly the same.  Not 'supported', and only works for NT domains with
 just a PDC.
Okay, I asked this question before, but got no response, so I am going to 
ask again, but this time with a little more detail from my side.

NT4sp6 PDC with Exchange 5.5sp4 hosts the mail ( and other resources ) for my 
Linux domain.  I wish to set up a Trust domain.

If I understand this correctly, the NT4 domain needs to trust my Samba domain.

Now according to http://mordor.clayton.edu/samba-tng/tng-pdc-trust.html as 
my reference, I will need to set up a machine account for the DOMAIN, PDC 
and each of the BDCs and then in the User Manager set up the trust 
relationship.

This feels like I am missing something, because when a machine joins the 
domain, it normally needs the root password ( which I don't wish to give to NT4 
Admin ) and now I don't see any password being set up here ... it just does 
not seem secure.  If I set my root password to something easy for the trust 
setup and make it secure afterwards would that not break the trust ...

As I said, it feels like I am missing something.  I have a funny feeling that 
my Samba server should join the NT4 domain, but then I don't see anything 
that says I have to.  What should the security option be set to, because I 
have seen a few errors in one of my domains that has an LDAP SAM, which I 
had to change the option until the errors went away without killing my 
network.  Once I get this right, I will get a friend to help document what 
I have done, maybe it could be the basis for a mini-howto or something. This 
all seems like too much.

Thanks for all the help everybody has given me.

Mailed
Lee





Re: [Samba] Trust Domains ...

2002-06-05 Thread C.Lee Taylor

Thanks all for responding, it seems my digest samba mail had a virus, so I 
did not get to read all the replies (I am sure there were many ;-) )


Andrew Bartlett wrote:
 Sylvestre Taburet wrote:
 
On Tuesday 4 June 2002 15:23, C.Lee Taylor wrote:

Greetings ...

  Please could someone confirm that Samba 2.2.x and Samba 3.0 ( Head ) do
not support Trusts between domains.


2.2.X doesn't, 3.0 will, though I don't know if CVS version does it yet.

It should be possible with TNG, but I never tried:
http://mordor.clayton.edu/samba-tng/tng-pdc-trust.html
Will look at this if all else does not work ...

 I understand it goes like this:
Kewl ...

 Samba 2.2 supports being trusted by NT.  It's a bit odd, and mainly works
 due to the fact that domain logons and interdomain logons are almost
 exactly the same.  Not 'supported', and only works for NT domains with
 just a PDC.
Okay, I hope nobody minds me asking a few questions ...

I have DOMA, which is an NT4 domain with Exchange 5.5, DOMB is my little 
Linux server with Samba 2.2.x ( hoping to use 2.2.5 ).  If I understand 
this, DOMA needs to trust DOMB so that the users in DOMB can access their 
mail in the DOMA Exchange server?  Am I right? And would this work?

 Samba HEAD has support for both being trusted by NT and trusting NT.  We
 don't support doing anything with Win2k ATM.  Trusting NT is still a
 work in progress, but we have shown the basic concepts.
I don't really wish to play with Samba Head, but I love to learn ...

 Samba TNG claims support for being trusted, but I've not tested it
 myself.  You will need current CVS - TNG was able to pick up some of
 HEAD's work in this area to get around some nasty bugs.  Samba-TNG
 trusting NT domains is a bit dodgy, because you need to set up the
 'username map' manually.
I don't really wish to play with TNG, but I love to learn ...

Thanks guys.
Mailed
Lee





[Samba] Trust Domains ...

2002-06-04 Thread C.Lee Taylor

Greetings ...

Please could someone confirm that Samba 2.2.x and Samba 3.0 ( Head ) do 
not support Trusts between domains.

Thanks
Mailed
Lee





[Samba] Log messages ...

2002-04-12 Thread C.Lee Taylor

Greetings ...

I am getting a lot of messages in my log ... I don't mind the 
messages, it's just they don't look like good messages ...

Are these messages something to worry about? ... Is there a 
way to get the logs to display the NETBIOS name of the 
computer that it is chatting to ... the reason being, that 
when a message says shutting down smbd XXX, I don't know 
what computer this was with ...

Thanks.
Mailed
Lee

Apr 12 11:52:38 aeroton smbd[25817]: [2002/04/12 11:52:38, 0] smbd/oplock.c:oplock_break(843)
Apr 12 11:52:38 aeroton smbd[25817]:   oplock_break: client failure in break - shutting down this smbd.
Apr 12 11:52:38 aeroton smbd[27806]: [2002/04/12 11:52:38, 0] smbd/password.c:domain_client_validate(1517)
Apr 12 11:52:38 aeroton smbd[27806]: domain_client_validate: could not fetch trust account password for domain SCANIA-ZA-DM
Apr 12 11:52:44 aeroton smbd[27808]: [2002/04/12 11:52:44, 0] smbd/password.c:domain_client_validate(1517)
Apr 12 11:52:44 aeroton smbd[27808]: domain_client_validate: could not fetch trust account password for domain SCANIA-ZA-DM
Apr 12 11:53:44 aeroton smbd[27806]: [2002/04/12 11:53:44, 0] smbd/oplock.c:oplock_break(758)
Apr 12 11:53:44 aeroton smbd[27806]:   oplock_break: receive_smb error (Success)
Apr 12 11:53:44 aeroton smbd[27806]:   oplock_break failed for file tray/3Yparts 2001.doc (dev = 301, inode = 1864493, file_id = 163).
Apr 12 11:53:44 aeroton smbd[27806]: [2002/04/12 11:53:44, 0] smbd/oplock.c:oplock_break(843)
Apr 12 11:53:44 aeroton smbd[27806]:   oplock_break: client failure in break - shutting down this smbd.
Apr 12 11:53:44 aeroton smbd[27814]: [2002/04/12 11:53:44, 0] smbd/password.c:domain_client_validate(1517)
Apr 12 11:53:44 aeroton smbd[27814]: domain_client_validate: could not fetch trust account password for domain SCANIA-ZA-DM
Apr 12 11:58:13 aeroton smbd[24705]: [2002/04/12 11:58:13, 0] rpc_server/srv_netlog.c:api_net_sam_logon(206)
Apr 12 11:58:14 aeroton smbd[24705]:   api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
Apr 12 11:58:14 aeroton smbd[24705]: [2002/04/12 11:58:14, 0] rpc_server/srv_pipe.c:api_rpcTNP(1200)
Apr 12 11:58:14 aeroton smbd[24705]:   api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
Apr 12 12:18:02 aeroton smbd[28365]: [2002/04/12 12:18:02, 0] smbd/password.c:domain_client_validate(1517)
Apr 12 12:18:02 aeroton smbd[28365]: domain_client_validate: could not fetch trust account password for domain SCANIA-ZA-DM
Apr 12 12:20:07 aeroton smbd[28432]: [2002/04/12 12:20:07, 0] smbd/password.c:domain_client_validate(1517)
Apr 12 12:20:07 aeroton smbd[28432]: domain_client_validate: could not fetch trust account password for domain SCANIA-ZA-DM
Apr 12 12:21:35 aeroton smbd[24705]: [2002/04/12 12:21:35, 0] rpc_server/srv_netlog.c:api_net_sam_logon(206)
Apr 12 12:21:35 aeroton smbd[24705]:   api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
Apr 12 12:21:35 aeroton smbd[24705]: [2002/04/12 12:21:35, 0] rpc_server/srv_pipe.c:api_rpcTNP(1200)
Apr 12 12:21:35 aeroton smbd[24705]:   api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
Apr 12 12:37:56 aeroton smbd[19546]: [2002/04/12 12:37:56, 0] lib/util_sock.c:read_data(436)
Apr 12 12:37:56 aeroton smbd[19546]:   read_data: read failure for 4. Error = Connection reset by peer
Apr 12 12:38:16 aeroton smbd[28837]: [2002/04/12 12:38:16, 0] smbd/password.c:domain_client_validate(1517)
Apr 12 12:38:16 aeroton smbd[28837]: domain_client_validate: could not fetch trust account password for domain SCANIA-ZA-DM
Apr 12 12:39:06 aeroton sshd(pam_unix)[28867]: session opened for user root by (uid=0)
Apr 12 12:41:16 aeroton smbd[28996]: [2002/04/12 12:41:16, 0] smbd/password.c:domain_client_validate(1517)
Apr 12 12:41:16 aeroton smbd[28996]: domain_client_validate: could not fetch trust account password for domain SCANIA-ZA-DM






[Samba] FS corruption ...

2002-04-11 Thread C.Lee Taylor

Greetings ...

Hoping that somebody could help me ...

We just found file corruption on our RedHat Linux 7.2, only on 
our Samba share drive ...

Is it possible for Samba to corrupt the FS?

Details of our installation ...

Celeron 900MHz
256MB Ram
4GB SCSI for Linux ( ext3 )
30GB IDE for Samba shares ( ext3 )
RedHat 7.2 with all updates from their ftp site ( Kernel 
2.4.9-31 )
Custom rpm for Samba 2.2.3.a with LDAP-Sam ...
Running 30 users for Mail, Samba, IP Masq ...

Thanks
Mailed
Lee

