[Samba] Roaming Profiles under LDAP backend

2005-03-15 Thread Chris Lawder
Hi,
To this point I have been careful about mixing Win2K and WinXP profiles 
when using samba as a PDC/Profile server. Settings I have used have been 
like the following...

logon path = \\%L\profiles\%u\%m   (in smb.conf) with a typical profile 
directory as follows...

drwx------  14 test  wheel  512 Mar 14 11:32 Win2K
drwx------  17 test  wheel  512 Oct 27 18:22 WinXP
lrwxr-xr-x   1 test  wheel    7 Oct 27 18:29 bilbo -> ./WinXP
lrwxr-xr-x   1 test  wheel    7 Oct 27 18:32 treebeard -> ./Win2K

We are using a mix of Win2K and WinXP workstations.
I am now testing out a Samba/LDAP Domain and have most all working well 
but have run into a situation where I do not see how to keep profiles 
separated as described above. Should I be worried about separating them 
still? Both the Win2K and WinXP workstations have all the latest  
security patches and updates with the exception of SP2 on the WinXP.

Seems now that since sambaProfilePath is set in the LDAP tree it is 
forcing (in my case) the testuser1 profile to..

\\LEGOLAS\profiles\testuser1

I have tried removing the sambaProfilePath attribute from the LDAP 
user's dn so that the login path samba config can take over. In such a 
case (assuming logon path = \\%L\profiles\%u\%m) %u does not expand to 
testuser1 but %m will expand to the machine name (grima). Thus the 
profile directory gets written to the server's file system as...

/home/samba/profiles/%u/grima/

...and all the profile files I'd expect to see there will appear after a 
first log out.

I am seeking recommendations, pointers to documentation and examples of 
the best way to deal with this situation. My preference is for a profile 
style that was first described in this message.

Thank you in advance for your time and help.
Chris Lawder
--
Number 41 Media Corporation
Suite 103 - 645 Fort Street
Victoria BC V8W 1G2
T 250.414.0410
F 250.414.0411
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Roaming Profiles under LDAP backend

2005-03-15 Thread Chris Lawder
Thank you, that did what I wanted...
I guess that since I am using ldap for the posixAccount/shadowAccount 
part of samba authentication as well that %u (current Unix username) 
isn't found on the machine but %U (Requested client username) works as 
it is being passed with the request.

Cheers :)
Chris

Paul Gienger wrote:

> > I have tried removing the sambaProfilePath attribute from the LDAP 
> > user's dn so that the login path samba config can take over. In 
> > such a case (assuming logon path = \\%L\profiles\%u\%m) %u does 
> > not expand to testuser1 but %m will expand to the machine name 
> > (grima). Thus the profile directory gets written to the server's file 
> > system as...
> >
> > /home/samba/profiles/%u/grima/
>
> For some reason I seem to remember a case sensitivity issue here but 
> I can't find the message regarding it.  On our server, with 3.0.11 
> the following does work:
>
> logon path = \\%L\profiles\%U
>
> This has been working prior to us putting any profile path info into 
> LDAP.




Re: [Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

2005-03-02 Thread Chris Lawder
Hi,
I believe I have most of the underlying structure set up correctly at 
this time. Specific questions would include proper set up of ldap 
containers (tree?), authentication users (for adding computers etc), how 
to correctly add users and computers, and the tools used to do so. I hit 
a wall when I attempted to add a win2k workstation to the domain from 
that workstation.

But as mentioned in my original post I will most likely be rebuilding 
the Samba(PDC) server as it is currently a Slackware 10 build which 
lacks PAM support. Much of what I have read regarding NIS (/etc/passwd) 
replacement with LDAP describes using pam_ldap. At this time I have 
system (not samba) authentication working via ldap using only nsswitch 
but that seems to be restricted to {CRYPT} encryption of passwords.

I am not yet exactly certain how Kerberos fits into this. I had added 
Kerberos support as some of the documentation I read spoke of it as a 
prerequisite for LDAP. At this time I am only using it as the rootdn 
(gssapi) authentication type for local and remote root access to the 
ldap server. But this has given me the opportunity to learn Kerberos as 
I have set up ssh auth to all unix servers using it now. Fun!

As a note this is my first time working with both Kerberos and OpenLDAP. 
Much learning ahead :-)

Thank you for your help,
Chris
Thomas M. Skeren III wrote:
Andrew Bartlett wrote:
I've got it up with two way trusts to a w2k domain everything over a 
ipsec vlan:

s: 3.0.10 ports build
FBSD: 5.3
etc.   Any specific questions?
On Tue, 2005-03-01 at 15:43 -0800, Chris Lawder wrote:
 

... Setting up a Samba PDC with the following:
FreeBSD 5.3
Samba 3.0.x
OpenLDAP 2.2.x
Kerberos (Heimdal)
  

Have you read:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
Also, Howard Chu has a module in current OpenLDAP called smbk5pwd, which
was constructed to allow LDAP to 'set' all the different password types.
(Unfortunately I don't use it yet, despite being the person it was
constructed for...)
Andrew Bartlett
 




[Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

2005-03-01 Thread Chris Lawder
... Setting up a Samba PDC with the following:
FreeBSD 5.3
Samba 3.0.x
OpenLDAP 2.2.x
Kerberos (Heimdal)

Would like LDAP to take care of both posixAccount(s) and 
sambaSamAccount(s). Posix account via nsswitch+pam_ldap.

Hope to find one complete documentation that describes this setup from 
scratch, start to finish. A Ports style install of all packages is fine 
but I can download, compile and install packages by hand if needed.

Problem I am currently having is that I can set up a kerberos server and 
an ldap server, access both and use ldap for authentication to both the 
system and samba. I can add users via smbpasswd and use those users (in 
ldap) to access shares. Where I run into problems is trying to add 
computers (Windows 2kPro) from the windows systems. Have tried much 
playing around at this point but am unable to figure out the 
configuration that allows for this.

I have been working from the O'Reilly LDAP book and various differing 
documentation I have found on the net. The O'Reilly book describes a 
Samba 2.x style samba.schema but I have moved to a 3.x samba.schema set 
up now as I attempt to learn this. My current Kerb/LDAP server is 
FreeBSD 5.3. The Samba PDC is Slackware 10 and its lack of PAM support 
is possibly causing some issues but do not know for sure. I want to drop 
Slackware at this point and make the PDC FreeBSD 5.3 as well. I want to 
keep the Kerb/LDAP server separate from the PDC. I don't have the 
resources to separate the Kerberos and LDAP servers at this time.

I hope to have documentation that describes setting up the needed ldap 
containers and how to populate them. I have worked from the samba.org 
documentation too but found I got stuck at a few points. This 
documentation shows me ldif examples of how records should look but I 
didn't get a good idea of how to add these records. I didn't believe 
that copying those and ldapadd(ing) them would be best due to wrong data 
in fields such as sambaNTPassword and sambaLMPassword. Maybe I wasn't 
looking in the right places of the samba.org docs?

I hope this well describes what I am hoping to find. Thank you all in 
advance.

Chris


Re: [Samba] Re: shifting samba machine

2005-01-10 Thread Chris Lawder
When I moved our Samba PDC to a new box I found the following helpful:

http://ftp.uoi.gr/mirror/net/samba/docs/htmldocs/Samba-BDC-HOWTO.html

The section "How do I set up a Samba BDC?" explained to me how to 
properly move the private/MACHINE.SID.

My PDC was a FreeBSD system so the system passwd, group type files were 
moved as per this posting I found...

http://lists.freebsd.org/pipermail/freebsd-questions/2004-February/036123.html

Using those two docs I was able to get the new system running as the PDC.
Hope this helps
Chris

Abe Shelton wrote:

Jim C. wrote:
| I tried this a week ago and afterward, none of the windows clients on
| our network would recognize admin users (Domain admins) as actual
...
| admin users.
Could this have something to do with LDAP posixGroup's vrs.
groupOfNames?  posixGroup is outdated and cannot be used to gain access
to the database itself. This means that your admins would not be able to
do stuff like add/remove users but might be able to do things like
delete users files and stuff. If you want admins to be database admins
as well you need to add them to a groupOfNames type group also.
We were not using LDAP at all - just flat /etc/passwd, /etc/group and 
/etc/samba/smbpasswd files. There isn't anything special about our 
setup, but still the transfer/shift of PDC machines never did work. 
Perhaps I needed to port over the SID from the old PDC to the new?

Abe



[Samba] mounting as a regular user

2004-12-29 Thread Chris Lawder
Hi,
This may not be a Samba specific issue I am having but it came up when 
working with samba shares specifically so I thought I would ask here 
first. Please feel free to redirect me to more appropriate sites if needed.

I am running Samba version 3.0.4 on Slackware 10. I am running into a 
problem with being able to allow a normal non-root user to either mount 
samba shares or regular disk shares but not both. I have made my smbmnt 
suid and have no fstab entries for the samba shares.

Without any other changes I can mount samba shares as my normal user. 
Problem starts when I try to also allow the same user to mount disk 
partitions. In order to have the same user mount disk partitions I have 
added the following lines to my fstab file as per documentation I have 
found:

   /dev/hdb1  /backup/staging  reiserfs  user,noauto  0  0
   /dev/sda1  /backup/media    reiserfs  user,noauto  0  0

Now this doesn't seem to work until I "chmod u+s /bin/mount" and "chmod 
u+s /bin/umount". Once those have been suid(ed) the mounting of samba 
shares breaks with the "mount: only root can do that" message.

What I find odd is that I need to apply the suid bit on the binaries 
even with the user definition in the fstab file. If this is more of a 
mount and fstab configuration issue please let me know. I am happy 
to provide more information if needed too.

I'm sure that there is a way to allow a regular user to mount both samba 
shares and disk partitions but how to do that is unfortunately escaping 
me for the moment. Thanks for the help.

Chris


[Fwd: [Samba] mounting as a regular user]

2004-12-29 Thread Chris Lawder
Thank you for the reply Joe.
Which smb.conf files would you want to see? I am trying to mount shares 
from 2 FreeBSD, 1 RH9 (linux) and 2 Windows servers to a directory 
structure on my system. To give an idea my mount script is as follows 
(with some info removed):

# Smeagol (FreeBSD Domain Controller/Profile Server)
#
mount -t smbfs -o username=$user,password=$pass,ro //smeagol/home-dir$ /backup/smb-mounts/smeagol/home-dir
mount -t smbfs -o username=$user,password=$pass,ro //smeagol/samba-shares$ /backup/smb-mounts/smeagol/samba-shares
#
# Aragorn (FreeBSD Dev Server)
#
mount -t smbfs -o username=$user,password=$pass,ro //aragorn/accounting /backup/smb-mounts/aragorn/accounting
mount -t smbfs -o username=$user,password=$pass,ro //aragorn/everyone /backup/smb-mounts/aragorn/everyone
mount -t smbfs -o username=$user,password=$pass,ro //aragorn/mysql-data$ /backup/smb-mounts/aragorn/mysql-data
mount -t smbfs -o username=$user,password=$pass,ro //aragorn/webroot /backup/smb-mounts/aragorn/webroot
#
# Boromir (Win2K Dev Server)
#
mount -t smbfs -o username=$user,password=$pass,ro //boromir/websites /backup/smb-mounts/boromir/websites
mount -t smbfs -o username=$user,password=$pass,ro //boromir/wwwroot /backup/smb-mounts/boromir/wwwroot
#
# Necromancer (Linux JSP/Oracle Server)
#
mount -t smbfs -o username=$user,password=$pass,ro //necromancer/webroot-tomcat /backup/smb-mounts/necromancer/webroot-tomcat
mount -t smbfs -o username=$user,password=$pass,ro //necromancer/oracle$ /backup/smb-mounts/necromancer/oracle
#
# Saruman (Win2K Exchange Server)
#
mount -t smbfs -o username=$user,password=$pass,ro //saruman/exchange-backup$ /backup/smb-mounts/saruman/exchange-backup
#

I can provide smb.conf files if needed for the FreeBSD and linux 
systems. Also for the local system I am trying to mount these shares to 
(Sauron).

Wasn't exactly sure which smb.conf file you were asking to see :-)
Thanks again for replying!!
Chris
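
Added example, not part of the original post: the mount script above puts password=$pass in the option string, where it can be read from the process list while mount runs; smbmount's credentials= option reads the secret from a file instead. The function names and the shortened share list are constructed for illustration, and the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread). The credentials file holds two lines:
#   username = <value>
#   password = <value>

# Succeed only if $1 is a regular file with no group/other permission bits.
creds_file_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the mount command for one share; the secret never appears in argv.
# $1 = //server/share   $2 = mount point   $3 = credentials file
build_mount_cmd() {
    creds_file_is_private "$3" || {
        echo "refusing: $3 must be a regular file, mode 0600 or stricter" >&2
        return 1
    }
    printf 'mount -t smbfs -o credentials=%s,ro %s %s\n' "$3" "$1" "$2"
}

# Constructed list in the style of the script above: "share mountpoint".
SHARES='//smeagol/home-dir$ /backup/smb-mounts/smeagol/home-dir
//aragorn/webroot /backup/smb-mounts/aragorn/webroot'

# Dry run: print one mount command per share, stop at the first refusal.
# $1 = credentials file
plan_mounts() {
    while read -r share mnt; do
        build_mount_cmd "$share" "$mnt" "$1" || return 1
    done <<EOF
$SHARES
EOF
}
```

Calling plan_mounts with the path of a credentials file prints the commands for review; a file readable by group or others is refused before any command is produced.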