Re: [Samba] Winbind Authentication on Redhat Home Directories

2005-02-24 Thread Christian Merrill
Dave Morrow wrote:
Hi all, I have Winbind authentication up and running properly (thanks to new, 
easy to use features of Redhat Ent 4).
My question is this.  I know that I can, by massaging /etc/pam.d files 
manually, have Winbind/Samba automatically create a home directory for each 
user that logs in, but I am wondering if Samba/Winbind can instead map to their 
home directory as defined in their Windows profile (\\mywindowsbox\userhome) ?
David A. Morrow
Technical Systems Lead
Autodata Solutions Company

I would *think* that this could be accomplished via autofs on your RHEL 
server -- though it would probably be more straightforward to use nfs 
mounts in this case requiring Services For Unix to be installed on the 
Windows server exporting the shares.

Christian
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba Best Practices -- Integration with Active Directory

2005-02-22 Thread Christian Merrill
Tim Holmes wrote:
Good Morning Everyone:
This question is a bit different from the run of the mill -- HELP ME I
GOT TROUBLE questions here on the list, however I am interested in
getting this situation working correctly and also need to understand the
basis behind the process so that I can implement it properly and extend
it as necessary
First off -- Some Background
I am running a 150 station lan where all the workstations are Windows XP
Pro SP2 -- Fully patched. The Domain Controller, Exchange Server, and
Content Filter (Websense) are all Windows Server 2003 standard (updated
and fully patched).  The AntiVirus Server (Panda) is An XP SP2 Box.  The
2 Webservers (production and development) are Fedora Core 2, as is the
File Server, and Database server (MySQL).  All have been fully updated
with yum in the last week or so.
Currently The 2 Webservers and the File server have samba set up on
them.  This is to facilitate file movement between them and the rest of
the network.  At the present time to allow access to the samba boxes I
create a user account for the person in linux, then create a samba
account, and feed it their windows password using the
system-config-samba program.  Once this is done, they can access the
shares without any need for typing usernames and passwords, which is
great, but to my way of thinking that is a lot of steps to go through. 

My question is as follows:
Is this the proper / best way to have the integration set up, or is
there a better way.  From where I sit, and in a perfect world, when a
user tried to access a samba share, the samba server would query the
domain controller for authentication and process it, similar to
accessing a share on one of the windows boxes.  I would like to move all
my user accounts home directories to the file server, but I don't want
to take the time to input all the usernames/passwords, and then have the
problem that every time someone changes their windows password, they
lose their samba access.
If you have suggestions for reading, or ideas or other helpful hints, I
would be greatly appreciative.  The resources that I have read on the
net are at best confusing.  Also I am fairly new to Linux, and although
I am learning, it is going to take me a while to get all the ins and
outs of the system nailed down, so I may need some procedural help to
get things working smoothly
Thank you so much for your time and assistance
Tim Holmes
IT Manager / Webmaster
Medina Christian Academy

If your DC is running in Mixed Mode then you should be able to rather 
easily change your samba security to domain (security = domain), and 
specify your password server (password server = x.x.x.x).  At this point 
you should be able to create matching linux system accounts as 
placeholders for setting permissions etc., and when users from windows 
clients attempt to access Samba resources the Samba server will query 
the DC for authentication.  You can get more advanced in regard to using 
Winbind, but this is probably the simplest approach.

If your DC is running in Native Mode then you will need to involve 
kerberos which is a little bit more painful.  The samba how-to's have 
very good directions for all of this.

Christian


Re: [Samba] Samba Upgrade...

2005-01-31 Thread Christian Merrill
Brent Smith wrote:
Sorry if this is a dup.  I sent right before I subscribed to the list,
so I'm not sure if it made it.
I have just taken over a redhat system with Samba 3.0.0 configured
with security = user, and domain logins enabled. I've included the
smb.conf at the end of this message.
I would like to upgrade to 3.0.10 for a number of reasons, one
being security and one being that password changes don't work
from workstation machines because of the Windows KB828741
patch.  What I want to know, is if I should expect any
incompatibilities between versions or if my existing config
files will work with the new version?  This is a mission
critical system, so I really don't want to upgrade unless
there are going to be very minimal issues.
Will a simple rpm -Uvh ./samba-3.0.10-1_rh9.i386.rpm put me
in the clear?
Thanks for your help.
Here is some information about the system:
- OLD RPM PACKAGE -
$ rpm -qi samba
Name        : samba                        Relocations: /usr
Version     : 3.0.0                             Vendor: (none)
Release     : 2                             Build Date: Thu 09 Oct 2003 05:12:20 PM PDT
Install date: Sat 11 Oct 2003 10:41:04 PM PDT      Build Host: *removed*
Group       : Networking                    Source RPM: samba-3.0.0-2.src.rpm
Size        : 46416163                         License: GNU GPL version 2
Packager    : Gerald Carter [Samba-Team] [EMAIL PROTECTED]
Summary     : Samba SMB client and server

- NEW RPM PACKAGE -
$ rpm -qpi ./samba-3.0.10-1_rh9.i386.rpm
Name        : samba                        Relocations: /usr
Version     : 3.0.10                            Vendor: Samba Team
Release     : 1                             Build Date: Wed 15 Dec 2004 02:04:19 PM PST
Install date: (not installed)               Build Host: rh9
Group       : Networking                    Source RPM: samba-3.0.10-1.src.rpm
Size        : 45453218                         License: GNU GPL version 2
Packager    : Gerald Carter [Samba-Team] [EMAIL PROTECTED]
Summary     : Samba SMB client and server

- smb.conf file -
[global]
netbios name = *removed*
workgroup = *removed*
preferred master = yes
domain master = yes
wins support = yes
os level = 85
encrypt passwords = yes
interfaces = eth0
hosts allow = *removed*
invalid users =  bin daemon adm sync shutdown
logon path =
logon drive = U:
logon script = logon-%G.bat
add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false -c 'Machine Account' -M %u
admin users = @smbadmin
printer admin = @smbadmin
domain logons = Yes
min protocol = NT1

[homes]
comment = User Directory
path = /usr/export/home/%U
read only = NO
browseable = NO
#   only user = %S
[netlogon]
comment = Network Logon Service
path = /etc/samba/netlogon
guest ok = yes
browseable = no
[print$]
path = /var/samba/printers
write list = @smbadmin
guest ok = yes
[printers]
comment = All Printers
path = /tmp
guest ok = Yes
printable = yes
printing = lprng
browseable = No

If you are going from a Red Hat supplied Samba release to one released 
by samba.org various things will be in different places.  /etc/samba/ 
will remain the same however and your config files should translate 
over.  Also keep in mind that Red Hat has split its Samba package into 
three groups (samba, samba-client, samba-common).  My advice is to 
remove all of your existing samba packages (backing up your config files 
of course) and then do a clean install if this is the case.

Christian


Re: [Samba] disappointed with complete lack of help.

2005-01-28 Thread Christian Merrill
Gerald (Jerry) Carter wrote:
Jeremy Allison wrote:
| Samba has gone the way of many successful projects: The principal
| developers are busy with writing books and talking at conferences
| while the mailing lists get flooded with clueless newbie requests.
| Nobody knowledgeable finds the time to answer requests at all.
You're not serious, are you?  Many Samba developers still take
time to monitor and respond to this list.  Check the archives.
The problem is the signal to noise ratio.  The same questions
get asked over and over again.
I'll also point out that screaming the support on this list
is horrible is sadly one of the best ways to get people to
respond (no offense to the original poster).


cheers, jerry

If you ask a question regarding a problem that cannot be solved by an 
easy google search, describe the problem you are facing in an 
understandable manner, and supply any related configuration files and/or 
logs you will generally get relatively prompt feedback from someone.

Now and then you will have something so off the wall that nobody really 
has a clue -- I've sent a few out like that myself :), but such is 
life.  I applaud not only the effort that the Samba team puts forth in 
regard to the product, but to what extent they *do* monitor this list 
and help others. 

Christian Merrill


[Samba] Curious timestamp bug in samba???

2005-01-18 Thread Christian Merrill
Testing indicates that when a file located on a linux samba share is 
modified from a windows client, the creation date is modified along with 
the modification date.  It appears that samba doesn't differentiate 
between the two?  I know it's relatively minor in the great scheme of 
things, but we have seen a few complaints regarding this behavior.  Any 
feedback would be welcome.

Christian


Re: [Samba] Curious timestamp bug in samba???

2005-01-18 Thread Christian Merrill
Gerald (Jerry) Carter wrote:
Christian Merrill wrote:
| Testing indicates that when a file located on a linux
| samba share is  modified from a windows client, the creation
| date is modified along with the modification date.  It
| appears that samba doesn't differentiate  between the two?
| I know it's relatively minor in the great scheme of
| things, but we have seen a few complaints regarding
| this behavior.  Any feedback would be welcome.
See 'man 2 stat'.  This is one of the semantic differences
between UNIX file systems and Win32 ones.



cheers, jerry

I'm an idiot, thanks for the quick feedback.
Christian
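
The semantic difference the 'man 2 stat' pointer in this thread refers to, as an added example that is not part of the original posts: POSIX stat(2) exposes st_mtime and st_ctime (inode change time) but no creation time, and a write moves both. The file name and the 2005 date are constructed; the behaviour shown assumes a POSIX filesystem (on Windows, Python's st_ctime has a different meaning).

```python
import calendar
import os
import tempfile
import time

SETTLE = 0.05  # seconds; longer than the kernel's timestamp granularity


def mc_times(path):
    """Return (mtime_ns, ctime_ns) from stat(2) for path."""
    st = os.stat(path)
    return st.st_mtime_ns, st.st_ctime_ns


def moved(path, action):
    """Apply action(path) and return the set of stat fields that changed."""
    before = mc_times(path)
    time.sleep(SETTLE)
    action(path)
    after = mc_times(path)
    names = ("mtime", "ctime")
    return {n for n, b, a in zip(names, before, after) if a != b}


def append_data(path):
    # Content change: the kernel updates both mtime and ctime.
    with open(path, "ab") as fh:
        fh.write(b"edited from a client\n")


def change_mode(path):
    # Metadata-only change: ctime moves, mtime does not.
    os.chmod(path, 0o640)


def backdate(path, when_ns):
    # utime(2) can set atime and mtime; there is no call to set ctime,
    # which the kernel stamps with the current time instead.
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns, when_ns))


def run_demo():
    # Constructed sample file in a private temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.doc")
        with open(path, "wb") as fh:
            fh.write(b"original contents\n")
        os.chmod(path, 0o600)
        ctime_at_creation = mc_times(path)[1]

        results = {
            "write": moved(path, append_data),
            "chmod": moved(path, change_mode),
        }

        # Arbitrary past date (constructed), whole seconds so any
        # filesystem timestamp resolution stores it exactly.
        old_ns = calendar.timegm((2005, 1, 18, 0, 0, 0)) * 10**9
        results["backdate"] = moved(path, lambda p: backdate(p, old_ns))

        mtime, ctime = mc_times(path)
        results["mtime_backdated"] = (mtime == old_ns)
        results["ctime_later_than_creation"] = ctime > ctime_at_creation
        results["ctime_newer_than_mtime"] = ctime > mtime
        return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because st_ctime moves on every write, chmod and utime call, it cannot be read as a creation date when reviewing file timelines on a UNIX-backed share.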


Re: [Samba] winbind authentication with fallback

2005-01-11 Thread Christian Merrill
Pau Capdevila wrote:
Hi,
We use Active Directory users to login into our GNU/Linux workstations.
If the network is down, is there any way to use a fallback method to
login with the same profile (user, homedir, etc)?
Thank you,
Pau
 

On windows you can do this because the domain account information is 
cached after an initial local logon.  I'm not sure of any way to 
replicate this behavior on Linux -- and perhaps a more important 
question would be: from a security standpoint would you really want to?

Christian


Re: [Samba] Samba 3.0.9 doesn't remove printjobs ?

2004-12-21 Thread Christian Merrill
Collins, Kevin wrote:
We just upgraded to Samba 3.0.9 (RedHat Enterprise 3 packages) this weekend
and are now seeing similar issues on our workstations.  I do not see any
printing related errors in our logs however.  I do however see these backed
up print queues on every workstation.  We run a mix of Windows 2000 (SP4)
and XP Pro (SP2) machines.  So it appears, at least in my case, that it's
/not/ an XP-SP2 only issue.
One other thing to note:
We're in the midst of testing/deploying Debian Sarge servers to replace the
RedHat boxes.  On a whim this morning, I created a print server using one of
my already-in-place Debian machines.  To my amazement, the printer that I
have hanging off of the Debian box does /not/ have this issue.
What's odd about this...both of the print servers are running version 3.0.9.
I've used the supplied distro's packages and not built from source in either
case.  So it appears from my simple tests, that something is different in
the Debian build of Samba that cures this issue.
A couple things that need to be said about this...I've only hung one printer
off of the Debian box.  In addition, I've only had two workstations printing
to it - one XP-SP2 and one W2k-SP4.  So it may very well have something to
do with load or other such factor.  But the problem has not yet appeared
with the Debian package.
I hope that this gives someone on the development team some clue as to the
exact nature of the problem.
I'll be available to answer any questions or fill any need for information
that I can.
Kevin
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 14, 2004 12:25 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba 3.0.9 doesn't remove printjobs ?

Hello!
I'm using samba with CUPS printing (with raw passthru) for a 
long time now and it worked very well.

But after upgrading my samba installation from 3.0.2 to 
3.0.9, the printjobs (sent from XP Workstations) aren't 
removed from the joblist anymore.
Means: the job is printed correctly, but opening the 
printqueue on the XP machine still contains the job (not only 
mine, but jobs from every user who sent one).
When I now delete them manually, they're gone.

Since I can't find any remaining SMB or CUPS spool-files, 
(thought about missing access rights for deletion) I don't 
know what to look for.

The only error message I found is: 
tdb(/var/lib/samba/printing/Kyocera7000.tdb): rec_read bad 
magic 0xd9fee666 at offset=26084 in /var/log/samba/smbd (but 
I got this message sometimes before the upgrade too ...)

Thanks for some hints on that (2) problem(s) Thomas



   

Are you seeing a problem where windows clients are able to print but the 
print queues never clear?  Or are they not even printing?  If you are 
experiencing the former then this is a RH samba problem that should have 
been fixed by now -- please let me know.  It also warrants mentioning 
(per an earlier thread) that our 3.0.9 packages are likely going to be 
revised in a very short period of time to fix a kerberos related problem.

Christian


Re: [samba] Adding Domain Groups to local Groups Crashed XP

2004-12-17 Thread Christian Merrill
Daniel Wilson wrote:
Hi,
I'm using samba 3.0.9 with LDAP (Sun Iplanet 5.2 directory Server).
On an XP client, I'm trying to add Domain Users group to the Local
Power Users group (For windows updates etc...) However when I try to
add the group it just crashed the windows.
Also if I use the usrmgr.exe to edit groups, the usermgr also crashes,
nothing in logs to show any errors.
If I use windows 2000 pro to add Domain Users group to the Local
Power Users group it works but takes about 2 mins?
Any ideas anybody?
my smb.conf file:
[global]
   workgroup = UNI-STAFF
   passdb backend = ldapsam:ldap://yoda.sunderland.ac.uk
   username map = /usr/local/lib/usermap
   log level = 2
   logon path = \\uos-stud\profiles\%U
   logon home =
   domain logons = Yes
   os level = 33
   preferred master = Yes
   domain master = Yes
   ldap admin dn = cn=Directory Manager
   ldap group suffix = ou=domain-groups
   ldap idmap suffix = ou=domain-groups,dc=sunderland,dc=ac,dc=uk
   ldap machine suffix = ou=domain-computers
   ldap passwd sync = Yes
   ldap suffix = dc=sunderland,dc=ac,dc=uk
   idmap backend = ldap:ldap://yoda.sunderland.ac.uk
[netlogon]
   comment = netlogon share
   path = /usr/local/lib/netlogon

I was recently doing some experimenting with Directory Server 5.2 and 
Samba on Redhat AS 2.1 and RHEL3 and encountered a strange issue that 
sounds somewhat related.  After everything was configured perfectly, 
win2k clients could join the domain, log on and everything was 
wonderful.  However whenever I tried to logon to an XP client with a 
domain account, it would authenticate and then reboot the computer.  It 
does not do this with OpenLDAP...I was never able to make any more 
progress on the issue and have since become sidetracked.

Is your XP client actually crashing (blue screen) or is it just rebooting?
Christian


[Samba] RHEL3 3.0.9 Release Active Directory Membership

2004-12-17 Thread Christian Merrill
Some preliminary testing indicates that there may be problems in the 
newly released Red Hat 3.0.9 packages (not samba.org's) in regard to 
joining an AD as a full member (w/kerberos).  This may also affect 
maintaining current membership in such an environment.  If anyone has 
already upgraded and is experiencing the same or different behavior 
please let me know.  Specifically we are seeing no support for 
encryption type messages when using a net ads join and a return code 
of -1.

Christian


Re: [Samba] RHEL3 3.0.9 Release Active Directory Membership

2004-12-17 Thread Christian Merrill
Ben Vaughan wrote:
Hello Christian,
Here at Iowa State, we have experienced exactly this behavior, although
we haven't noticed any of my samba servers losing their domain
membership.  It appears that samba is still functioning via the rpc
methods.
We compiled samba.org's srpms and haven't had any problems.
I can't verify this right now, but I recall having this same problem
with RH's 3.0.7 package.  I'm still digging to see if that was indeed
the case.
We are running Samba with an AD in native 2000 mode.  We are beginning
the transition to AD 2003.  We have about 3 dozen or so samba servers in
our domain.
Let me know if you need any more help or testing or whatever.
Thanks,
Ben Vaughan
Ben Vaughan
Engineering Computing Support Services
CLUE Network SysAdmin
Iowa State University 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christian Merrill
Sent: Friday, December 17, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: [Samba] RHEL3 3.0.9 Release  Active Directory Membership
Some preliminary testing indicates that there may be problems in the 
newly released Red Hat 3.0.9 packages (not samba.org's) in regard to 
joining an AD as a full member (w/kerberos).  This may also affect 
maintaining current membership in such an environment.  If anyone has 
already upgraded and is experiencing the same or different behavior 
please let me know.  Specifically we are seeing no support for 
encryption type messages when using a net ads join and a return code 
of -1.

Christian
 

Actually we've figured this out.  Our rpm was built against U4's 
libkrb5.  You should be able to compile RH's source package and see this 
problem disappear.  I believe we should have a binary fix out shortly.

Christian


Re: [Samba] smbd hung processes - Samba 3.0.7

2004-12-03 Thread Christian Merrill
[EMAIL PROTECTED] wrote:
We've seen Samba crash and burn twice in the last 48 hours - it just 
started happening, and we have no idea what might be causing it.  I'm 
hoping that someone will recognize this problem.

Platform:  we are running RedHat Enterprise Server, with Samba 3.0.7. 
We're using security=domain in an old-style NT4 domain environment.

The symptom that we're seeing is that the number of smbd processes 
suddenly begins to increase.  We normally run with between 100 and 150 smb 
processes, but when Samba fails, the number starts to increase quickly, 
and users start to have problems accessing files.

smbstatus reports approximately the right number of clients (133), but ps 
shows a much larger number of smbd processes active (680).  Smbstatus 
reports a list of active smbd processes - this list includes the oldest 
processes and the newest processes, but there is a block of smbd processes 
in the middle that are not in the smbstatus report.  What we THINK is 
happening is that the smbd processes begin to hang, the clients time out, 
they initiate a new session with Samba server, which respawns another smbd 
server process (leaving the old, hung process running).  This keeps 
happening over and over until we kill samba.  The hung processes need to 
be kill -9'ed.

If you do a strace on these apparently hung processes, you see this:
   # strace -p 20403
   Process 20403 attached - interrupt to quit
   fcntl64(13, F_SETLKW64, {type=F_RDLCK, whence=SEEK_SET, start=280, len=1} <unfinished ...>

I'm not sure if it's relevant, but netstat -a reports a large number of 
sockets in the CLOSE_WAIT state (I've included a small sample):

   Proto Recv-Q Send-Q Local Address           Foreign Address         State
   tcp        1      0 valhalla:microsoft-ds   army39:1455             CLOSE_WAIT
   tcp        1      0 valhalla:microsoft-ds   131.101.40.174:2531     CLOSE_WAIT
   tcp       54      0 valhalla:microsoft-ds   army39:1435             CLOSE_WAIT
   tcp       54      0 valhalla:microsoft-ds   131.101.40.174:2512     CLOSE_WAIT

In this log, valhalla is the Samba server, and microsoft-ds is port 445 
(the CIFS port).

There doesn't seem to be anything relevant in the smbd log files (we were 
using log level 1).  We've increased the log level to 3 in the hope that 
we'll get more information the next time Samba goes wild.

Our smb.conf file isn't complicated - the global section looks like this:
[global]
  workgroup = ICD
  netbios name = VALHALLA
  security = domain
  password server = *
  wins server = nn.nn.nn.nn mm.mm.mm.mm
  server string = Linux ClearCase Server %v %h
  log file = /var/log/samba/%m.log
  log level = 3
  max log size = 4000
  username map = /etc/samba/smbusers
  read raw = no
  oplocks = no
  kernel oplocks = no
  level2 oplocks = no
  create mask = 0774
  directory mask = 0775
  map archive = No
  preserve case = yes
  deadtime = 0
 

Is this by any chance with the 3.0.7-1.3E.1 RH Samba update that was 
just recently released or one of the previous 3.0.7 RH packages?

Christian


Re: [Samba] AD Domain member not authenticating

2004-12-01 Thread Christian Merrill
John Stile wrote:
I had samba working, then I tried (unsuccessfully) to setup ssh pam auth.
Now users are prompted for a password when accessing shares, but no password
works.  I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.  
I forgot to backup pam file system-auth before modifying things, so I'm not sure if that is the problem.
---
These commands succeed:
 wbinfo -u, 
 wbinfo -g  
 getent passwd
 getent group
 net ads info 
Time is within 2 seconds between 'net time' and 'date'
---
Running winbind in interactive mode while trying to connect, 
   winbindd -S -i -F -d 8 -Y
The end of the output (as there is a lot) looks like this:
   ...
   remove_duplicate_gids: Enter 5 gids
   remove_duplicate_gids: Exit 5 gids
   [ 6411]: gid to sid 10001
   [ 6411]: gid to sid 10066
   [ 6411]: gid to sid 10067
   [ 6411]: gid to sid 10265
   [ 6411]: gid to sid 10274
   read failed on sock 20, pid 6411: EOF
   read failed on sock 19, pid 6411: EOF
---
/etc/samba/smb.conf 
[global]
  server string = Samba Server
  workgroup = MYREALM
  realm = MYREALM.MY.DOMAIN.COM
  security = ADS
  username map = /etc/samba/smbusers
  map to guest = Bad User
  password server = *
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  preferred master = no
  local master = no
  domain master = no
  os level = 33
  wins server = 128.32.68.75 128.32.67.118
  ldap ssl = no
  idmap uid = 1-2
  idmap gid = 1-2
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = +
  winbind use default domain = Yes
  template primary group = Domain Users
  template homedir = /home/%U
  template shell = /bin/bash
  load printers = no
  log level = 1
  syslog = 0
  log file = /var/log/samba/%m.log
  max log size = 0
---
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
--
 

This sounds a lot like the kerberos incompatibility issue we know about 
with 2003 DC's.  Are you using 2003 or 2000?  Also, are you sure you 
are running the 1.3.x MIT kerberos packages?  RHEL3 doesn't ship with 
them and if you managed to get it installed I'd be curious how you did so.

Christian
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] AD Domain member not authenticating

2004-12-01 Thread Christian Merrill
John Stile wrote:
On Wed, 2004-12-01 at 11:06 -0800, John Stile wrote:
 

I had samba working, then I tried (unsuccessfully) to setup ssh pam auth.
Now users are prompted for a password when accessing shares, but no password
works.  I am using Redhat AS 3, samba-3.0.9-1, and krb5-1.3.  
I forgot to backup pam file system-auth before modifying things, so I'm not sure if that is the problem.
---
These commands succeed:
 wbinfo -u, 
 wbinfo -g  
 getent passwd
 getent group
 net ads info 
Time is within 2 seconds between 'net time' and 'date'
---
Running winbind in interactive mode while trying to connect, 
   winbindd -S -i -F -d 8 -Y
The end of the output (as there is a lot) looks like this:
   ...
   remove_duplicate_gids: Enter 5 gids
   remove_duplicate_gids: Exit 5 gids
   [ 6411]: gid to sid 10001
   [ 6411]: gid to sid 10066
   [ 6411]: gid to sid 10067
   [ 6411]: gid to sid 10265
   [ 6411]: gid to sid 10274
   read failed on sock 20, pid 6411: EOF
   read failed on sock 19, pid 6411: EOF
---
/etc/samba/smb.conf 
[global]
  server string = Samba Server
  workgroup = MYREALM
  realm = MYREALM.MY.DOMAIN.COM
  security = ADS
  username map = /etc/samba/smbusers
  map to guest = Bad User
  password server = *
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  preferred master = no
  local master = no
  domain master = no
  os level = 33
  wins server = 128.32.68.75 128.32.67.118
  ldap ssl = no
  idmap uid = 1-2
  idmap gid = 1-2
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = +
  winbind use default domain = Yes
  template primary group = Domain Users
  template homedir = /home/%U
  template shell = /bin/bash
  load printers = no
  log level = 1
  syslog = 0
  log file = /var/log/samba/%m.log
  max log size = 0
---
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_smb_auth.so use_first_pass nolocal
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
--
   

I'm also seeing errors in /var/log/samba/winbindd.log
 [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
 [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
   ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
 [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
 [2004/12/01 11:14:40, 1] libsmb/clikrb5.c:ads_krb5_mk_req(390)
   ads_krb5_mk_req: krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested realm)
 [2004/12/01 11:14:40, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
   ads_connect for domain CAMPUS failed: Cannot find KDC for requested realm
 

What does your /etc/krb5.conf look like?
Christian


[Samba] XP/PDC/Directory Server

2004-11-22 Thread Christian Merrill
Alright, I promise I won't put in any more threads regarding this 
nightmare.  Let me rephrase my previous question.  Is there *anyone* out 
there who has XP Pro systems successfully logging into Samba PDC's with 
Netscape Directory backends?  I've rebuilt all components a few times 
and still I get the same behavior.  XP Pro authenticates, begins the 
login process, and then the machine reboots.  Win2k works fine.  Did 
this with a default install as well as with the latest updates.  Any 
info would be appreciated.

Christian


Re: [Samba] Re: authentication against win2k3 server

2004-11-19 Thread Christian Merrill
Kevin Kobb wrote:
Carissa Srugis wrote:
I've been trying to setup Samba to authenticate users against accounts
existing on a Windows 2003 Server without any backwards capability. 
Ideally, this needs to be done without any changes to the Windows 2003
Server.  Users will not be logging into the Samba shares at all.  This
is merely for authentication.

I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
This is my smb.conf file:
[global]
  realm = WIN2K3.DOMAIN.LOCAL
  security = ads
  auth methods = winbind
  winbind separator = +
  encrypt passwords = yes
  workgroup = DOMAIN.LOCAL
  netbios name = FREEBSD_Machine
  winbind uid = 1-2
  winbind gid = 1-2
  winbind enum users = yes
  winbind enum groups = yes
  idmap uid = 1-2
  idmap gid = 1-2
  password server = WIN2K3.DOMAIN.LOCAL
So once winbindd is running, I type the following and get these results:
freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
administrator's password: *password*
[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Permission denied
In the winbindd log I've also gotten the following error messages at
one point or another:
Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
get_trust_pw: could not fetch trust account password for my domain 
DOMAIN.LOCAL

The odd part is when I try to use wbinfo to verify connections.  If I
type wbinfo -g it will display the correct group listing from the
win2k3 server.  But nothing else seems to work:
freebsd_machine# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc0e5)
Could not check secret
freebsd_machine# wbinfo -u
Error looking up domain users
freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
Name  : WIN2K3.DOMAIN.LOCAL
Alt_Name  : DOMAIN.LOCAL
SID   : S-0-0
Active Directory  : No
Native: No
Primary   : Yes
Sequence  : -1
I'm obviously missing something, but I am at a loss.  Any help is
greatly appreciated!
Carissa Srugis

You might try looking at FreeBSD 5.3. I don't believe 4.10 has a 
working nsswitch, which I think you will need if you want to log in to 
FreeBSD without a local account, but just an AD account.

I have done this on our Windows domain and FreeBSD 5.3 and it works 
OK. Join the machine to the domain, modify pam files, and 
nsswitch.conf, and  it worked.


Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and 
that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of 
your DC?

Christian


Re: [Samba] Re: authentication against win2k3 server

2004-11-19 Thread Christian Merrill
Carissa Srugis wrote:
This is a fresh w2k3 installation - no NT4 backwards capabilities.
Domain Name = DOMAIN.LOCAL
FQDN of DC = WIN2K3.DOMAIN.LOCAL
Users will NOT be logging into the FreeBSD machine at all.  I need the
FreeBSD to authenticate via Samba against the W2K3 AD users, which
will then be passed through to squid for proxy authentication.
Thanks!
Carissa

I just want to make sure the information is correct.  On your 2k3 DC if 
you go START-->Administrator Tools-->Active Directory Users & Computers, 
your directory name should be displayed.  Is it DOMAIN.LOCAL or 
WIN2K3.DOMAIN.LOCAL?  Also, if you right click on it and select 
Properties, does a pre-Windows 2000 Domain Name exist?  If so, what is that?

Christian
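
The distinction being asked about in this thread (directory name versus DC host name versus pre-Windows 2000 name) can be checked mechanically. The following is an added example, not code from the thread or from Samba: it lints the identity settings of the posted smb.conf against the two facts Carissa gave (domain DOMAIN.LOCAL, DC WIN2K3.DOMAIN.LOCAL). The function names and the short name DOMAIN in FIXED_CONF are assumptions.

```python
import re

# Identity-related settings copied from the smb.conf posted in this thread.
POSTED_CONF = """
[global]
  realm = WIN2K3.DOMAIN.LOCAL
  security = ads
  workgroup = DOMAIN.LOCAL
  netbios name = FREEBSD_Machine
  password server = WIN2K3.DOMAIN.LOCAL
"""

# Constructed for comparison. "DOMAIN" is an assumed pre-Windows 2000 name;
# the thread never states the real one.
FIXED_CONF = """
[global]
  realm = DOMAIN.LOCAL
  security = ads
  workgroup = DOMAIN
  netbios name = FREEBSD_Machine
  password server = WIN2K3.DOMAIN.LOCAL
"""


def parse_global(text):
    """Return the parameters of an smb.conf fragment, keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[" ".join(key.lower().split())] = value.strip()
    return settings


def lint_ads_identity(settings, ad_dns_domain, dc_fqdn):
    """Return [(parameter, message)] for settings that contradict the DC facts."""
    findings = []

    realm = settings.get("realm", "")
    if realm.upper() != ad_dns_domain.upper():
        if realm.upper() == dc_fqdn.upper():
            msg = (f"'{realm}' is the DC's host name; the Kerberos realm is "
                   f"the AD DNS domain {ad_dns_domain.upper()}")
        else:
            msg = f"'{realm}' does not match the AD DNS domain {ad_dns_domain.upper()}"
        findings.append(("realm", msg))
    elif realm != realm.upper():
        # Kerberos realm names are case-sensitive and AD uses upper case.
        findings.append(("realm", f"'{realm}' should be written in upper case"))

    workgroup = settings.get("workgroup", "")
    if "." in workgroup:
        findings.append(("workgroup", f"'{workgroup}' looks like a DNS name; "
                         "expected the pre-Windows 2000 (NetBIOS) domain name"))
    elif len(workgroup) > 15:
        findings.append(("workgroup", "NetBIOS names are limited to 15 characters"))

    if len(settings.get("netbios name", "")) > 15:
        findings.append(("netbios name", "NetBIOS names are limited to 15 characters"))

    servers = [s.lower() for s in re.split(r"[,\s]+", settings.get("password server", "")) if s]
    if servers and "*" not in servers and dc_fqdn.lower() not in servers:
        findings.append(("password server", f"does not list the DC {dc_fqdn}"))

    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name)
        for param, msg in lint_ads_identity(parse_global(conf),
                                            "DOMAIN.LOCAL", "WIN2K3.DOMAIN.LOCAL"):
            print(f"  {param}: {msg}")
```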


Re: [Samba] Running Samba 3 as PDC

2004-11-19 Thread Christian Merrill
Irene Sakellarakis wrote:
I am investigating options for using Samba 3.0.7.2.FC1 (Red Hat Fedora 
Core 1 basic installation, currently updating via yum) as a primary 
and only domain controller. We have a Windows user environment, and 
I'm trying to connect the user machines (XP fully patched as of this 
writing) to the samba domain but keep getting one of 2 errors: 1) 
authentication failed, when I use the (smb) administrator account 
and password; 2) user not known when using the root account.

I've created the users (both unix and samba), mapped my groups, edited 
admin groups with the right entries). Frankly, I'm at a loss as to 
whether this is even feasible, realistically.

I've searched the various groups online but any reference I find to 
this type of setup is with pre-W2k clients and Samba 2.* versions. All 
the discussions I've found pertaining to 3.0 and W2k/XP are only 
documenting existing problems similar to mine with no responses to 
those threads.

Is it possible (at this point advisable has been thrown out the 
window by higher-ups) to get this functioning as a complete 
replacement to a Windows200* server environment? The official HowTo 
seems to hint at it, but I find little or no actual instruction on the 
matter.

Thanks much, in advance,
Irene

It is doable -- could you post your /etc/samba/smb.conf?  As to whether 
or not it is advisable as a replacement for a Win2k environment there 
are a few things to take into consideration:

1. Samba3 cannot act as an Active Directory DC
2. If you want any failover you will need to have an LDAP backend
3. Fedora Core is not supported -- you might wish to consider moving to 
a supported OS (RHEL, SusE, Solaris etc.)
4. Staff needs to have the appropriate *nix/Samba skills to administer 
the environment

Christian


[Samba] XP SP2/Samba3.0.8 PDC/Directory Server 5.2 backend

2004-11-19 Thread Christian Merrill
Would anyone care to offer any theories (at this point I'll take 
whatever I can get) as to why the following happens:

1. w2k boxes can join the domain perfectly, users can logon, life is 
wonderful.
2. winXP boxes can join the domain perfectly, users authenticate fine, 
the screen goes blue as if it is about to load up the desktop, the 
system reboots.
3. Some errors upon relogging in with a local id about a problem with 
winlogon.exe

Nothing good as far as I can tell in the samba logs, as far as samba is 
concerned it seems to think all is well.  This one is driving me nuts...

Christian


Re: [Samba] Re: net ads join fails using Red Hat samba 3.0.7-1.3E.1 (Re: Samba 3 as domain member of w2k realm)

2004-11-18 Thread Christian Merrill
Matt Seitz wrote:
Resending with corrected subject line
Matt Seitz wrote:
R.B. wrote:
i've a problem joining a samba 3.0.7-1.3E.1 in a w2k domain:
[EMAIL PROTECTED] squid]# net ads join -U myuser
myuser's password:
[2004/11/18 13:29:32, 0] utils/net_ads.c:ads_startup(183)
 ads_connect: Program lacks support for encryption type

This appears to be a bug in Red Hat's version of Samba.  See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139668


Red Hat samba versions  3.0.4 seem to have done a thorough job of 
breaking compatibility with AD's in Native Mode.  It *looks* like this 
is fixed in 3.0.8 which we have not yet released as a supported RH 
package.  Reviewing your configs may be worthwhile as you might be 
encountering other problems -- also in some cases it is required to 
reset the domain admin password and select the account to Use DES 
encryption types for this account.  Otherwise you can test with 3.0.8 
(the RH9 rpm made available via samba.org does install without issue on 
RHEL3), but keep in mind that it is not officially supported by RH at 
this point in time.

Christian


RE: [Samba] iplanet ldap and samba

2004-11-18 Thread christian merrill
I am not aware of a good guide that takes iplanet into account.  I am almost
finished working through this with a customer and should hopefully have some
documentation put together soon.  In this case the customer is running
Directory Server 5.2 in a solaris environment with Samba 3.0.7 on RHEL3...my
test environment is using Directory Server 5.2/6.0 on AS 2.1 and Samba 3.0.8
on RHEL3.

In general we have been working off of the official howto's and the idealx
documentation.

Christian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
synrat
Sent: Wednesday, November 17, 2004 1:50 PM
To: [EMAIL PROTECTED]
Subject: [Samba] iplanet ldap and samba


Is there a good how-to on getting samba to work
with Iplanet LDAP ? I already installed it and started
configuring from bits and pieces I could find with google, but
there're still many things missing. I also found a posting that said
samba schema for Iplanet5 shipped with Samba 3.0.8 isn't up to date.
What would need to be changed ?

Basically I'm looking for a complete walkthrough, modify/import schema,
settings, users to create, etc...

also, is it at all possible to get Samba users authenticated via LDAP or
PAM without having any lm, SSID and other attributes, basically relying
only on successful LDAP bind or PAM success ?

thank you


[Samba] Samba/Netscape Directory Server

2004-11-16 Thread Christian Merrill
For whatever reason I am trying to configure the following environment 
and am running into trouble towards the end of things.  Hopefully I am 
overlooking something basic, any assistance would be greatly appreciated.

1. Redhat AS 2.1 server running Netscape Directory Server 5.2
2. RHEL3 system using Samba 3.0.8 acting as a PDC integrated with the 
Netscape LDAP server
3. Win2k/XP clients as domain members
4.**Using crypt and not md5

Following through various documentation I have what I believe is a 
functional directory server with the appropriate samba schema loaded 
in.  The RHEL3 system is able to act as an ldap client -- via the 
various idealx tools the directory server has been populated.   net 
getlocalsid works, getent passwd/group shows appropriate users, and I 
can su to the various directory users that exist.

However, I am unable to join the domain from a windows machine or even 
manually access a share via something like net use * \\server\share 
/user:Administrator.  The directory server is getting a query but I am 
getting bad user/pw errors.  Additionally I cannot ssh/telnet/ftp on the 
client machine with ldap accounts though I believe this is likely due to 
using crypt and pam needing modification.


A net use * \\192.168.0.8\test /user:Administrator
--with password, returns in the netscape directory log:
[16/Nov/2004:10:36:50 -0500] conn=157 op=-1 msgId=-1 - fd=56 slot=56 
LDAP connection from 172.16.59.205 to 172.16.59.50
[16/Nov/2004:10:36:50 -0500] conn=157 op=0 msgId=1 - BIND 
dn=cn=Directory Manager method=128 version=3
[16/Nov/2004:10:36:50 -0500] conn=157 op=0 msgId=1 - RESULT err=0 tag=97 
nentries=0 etime=0 dn=cn=directory manager
[16/Nov/2004:10:36:50 -0500] conn=157 op=1 msgId=2 - SRCH 
base=dc=rdu,dc=redhat,dc=com scope=2 
filter=((objectClass=sambaDomain)(sambaDomainName=LDAP)) 
attrs=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid 
sambaSID sambaAlgorithmicRidBase objectClass
[16/Nov/2004:10:36:50 -0500] conn=157 op=1 msgId=2 - RESULT err=0 
tag=101 nentries=1 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=2 msgId=3 - SRCH 
base=dc=rdu,dc=redhat,dc=com scope=2 
filter=((sambaSID=S-1-5-21-709490077-3483046013-2562787883-501)(objectClass=sambaSamAccount)) 
attrs=uid uidNumber gidNumber homeDirectory sambaPwdLastSet 
sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime 
sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath 
sambaLogonScript sambaProfilePath description sambaUserWorkstations 
sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword 
sambaDomainName objectClass sambaAcctFlags sambamungeddial 
sambabadpasswordcount sambabadpasswordtime sambapasswordhistory 
modifyTimestamp sambalogonhours modifyTimestamp
[16/Nov/2004:10:36:50 -0500] conn=157 op=2 msgId=3 - RESULT err=0 
tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:50 -0500] conn=158 op=-1 msgId=-1 - fd=59 slot=59 
LDAP connection from 172.16.59.205 to 172.16.59.50
[16/Nov/2004:10:36:50 -0500] conn=158 op=0 msgId=1 - BIND 
dn=cn=Directory Manager method=128 version=3
[16/Nov/2004:10:36:50 -0500] conn=158 op=0 msgId=1 - RESULT err=0 tag=97 
nentries=0 etime=0 dn=cn=directory manager
[16/Nov/2004:10:36:50 -0500] conn=158 op=1 msgId=2 - SRCH 
base=ou=groups,dc=rdu,dc=redhat,dc=com scope=1 
filter=((objectClass=posixGroup)(memberUid=nobody)) attrs=gidNumber
[16/Nov/2004:10:36:50 -0500] conn=158 op=1 msgId=2 - RESULT err=0 
tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=3 msgId=4 - SRCH 
base=ou=groups,dc=rdu,dc=redhat,dc=com scope=2 
filter=((objectClass=sambaGroupMapping)(gidNumber=99)) 
attrs=gidNumber sambaSID sambaGroupType sambasidlist description 
displayName cn objectClass
[16/Nov/2004:10:36:50 -0500] conn=157 op=3 msgId=4 - RESULT err=0 
tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=4 msgId=5 - SRCH 
base=dc=rdu,dc=redhat,dc=com scope=2 
filter=((uid=root)(objectClass=sambaSamAccount)) attrs=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
displayName sambaHomeDrive sambaHomePath sambaLogonScript 
sambaProfilePath description sambaUserWorkstations sambaSID 
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount 
sambabadpasswordtime sambapasswordhistory modifyTimestamp 
sambalogonhours modifyTimestamp
[16/Nov/2004:10:36:50 -0500] conn=157 op=4 msgId=5 - RESULT err=0 tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:51 -0500] conn=157 op=5 msgId=6 - SRCH 
base=dc=rdu,dc=redhat,dc=com scope=2 
filter=((uid=root)(objectClass=sambaSamAccount)) attrs=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
displayName sambaHomeDrive sambaHomePath sambaLogonScript 
sambaProfilePath description sambaUserWorkstations sambaSID 
sambaPrimaryGroupSID sambaLMPassword 

Re: [Samba] Samba/Netscape Directory Server

2004-11-16 Thread Christian Merrill
Christian Merrill wrote:

Re: [Samba] Samba/Netscape Directory Server

2004-11-16 Thread Christian Merrill
Andreas wrote:
On Tue, Nov 16, 2004 at 11:20:06AM -0500, Christian Merrill wrote:
 

Ok, managed to fix most of this...however something appears to be goofy 
with the Administrator account...I cannot access shares with it directly 
and it won't allow me to join a machine to the domain.
   

Are you using username map in /etc/samba/smb.conf? Perhaps your Administrator
login is being mapped to root instead of being left alone.
 

Thanks, one more problem out of the way.  Now on a windows system I can 
manually net use to a share with Administrator, however attempting to 
join the domain still fails with a bad username/pw.

Christian
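
The directory log in the opening post of this thread already shows the mapping Andreas suspected: the client logged in as Administrator, but the sambaSamAccount search was for uid=root and its RESULT carried nentries=0. The following is an added example, not part of the thread: it pairs each SRCH with its RESULT by conn/op and lists the searches that found nothing. The sample lines are constructed in the same access-log format (one entry per line, example.com suffix); the function names are assumptions.

```python
import re

# Constructed sample in the access-log format quoted in this thread.
SAMPLE_LOG = """\
[16/Nov/2004:10:36:50 -0500] conn=157 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[16/Nov/2004:10:36:50 -0500] conn=157 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Nov/2004:10:36:50 -0500] conn=157 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=LDAP))" attrs="sambaDomainName sambaSID"
[16/Nov/2004:10:36:50 -0500] conn=157 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2004:10:36:50 -0500] conn=158 op=1 msgId=2 - SRCH base="ou=groups,dc=example,dc=com" scope=1 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
[16/Nov/2004:10:36:50 -0500] conn=157 op=4 msgId=5 - SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))" attrs="uid uidNumber sambaNTPassword"
[16/Nov/2004:10:36:50 -0500] conn=158 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[16/Nov/2004:10:36:50 -0500] conn=157 op=4 msgId=5 - RESULT err=0 tag=101 nentries=0 etime=0
"""

ENTRY = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - "
    r"(?P<kind>BIND|SRCH|RESULT)\b(?P<rest>.*)"
)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UID_TERM = re.compile(r"\(uid=([^)]+)\)")


def empty_searches(log_text):
    """Return [(conn, op, base, filter)] for every SRCH answered with nentries=0.

    Entries from different connections interleave, so a RESULT is matched to
    its SRCH by the (conn, op) pair rather than by position. A BIND RESULT also
    reports nentries=0; it is ignored because no SRCH is pending for its op.
    """
    pending = {}
    empty = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        fields = {k: v.strip('"') for k, v in FIELD.findall(m["rest"])}
        if m["kind"] == "SRCH":
            pending[key] = (fields.get("base", ""), fields.get("filter", ""))
        elif m["kind"] == "RESULT" and key in pending:
            base, ldap_filter = pending.pop(key)
            if fields.get("err") == "0" and fields.get("nentries") == "0":
                empty.append((key[0], key[1], base, ldap_filter))
    return empty


def missing_sam_accounts(empty):
    """Return the uid values Samba looked up as sambaSamAccount and did not find."""
    uids = []
    for _conn, _op, _base, ldap_filter in empty:
        if "objectclass=sambasamaccount" not in ldap_filter.lower():
            continue
        for uid in UID_TERM.findall(ldap_filter):
            if uid not in uids:
                uids.append(uid)
    return uids


if __name__ == "__main__":
    found = empty_searches(SAMPLE_LOG)
    for conn, op, base, ldap_filter in found:
        print(f"conn={conn} op={op} base={base} filter={ldap_filter}")
    print("Samba accounts searched for but absent:", missing_sam_accounts(found))
```

A uid in the output that differs from the name typed on the client points at a username map entry or at an account that lacks the sambaSamAccount object class.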


Re: [Samba] Samba/Netscape Directory Server

2004-11-16 Thread Christian Merrill
Daniel Wilson wrote:
Christian Merrill wrote:
Daniel Wilson wrote:
try setting your admin account with
uidNumber=0
gidNumber=512
primarygroupsid = X-512
the uidnumber=0 is the important one i think!
Regards
Dan

Here's what I have -- it all looks good, no idea what I'm missing.  
I'm thinking something has to be out of place in the directory???

[EMAIL PROTECTED] home]# pdbedit -L -v Administrator
Unix username:Administrator
NT username:  Administrator
Account Flags:[U  ]
User SID: S-1-5-21-709490077-3483046013-2562787883-2996
Primary Group SID:S-1-5-21-709490077-3483046013-2562787883-512
Full Name:Administrator
Home Directory:   \\GSSLDAP\home\Administrator
HomeDir Drive:logondrive
Logon Script:
Profile Path: \\GSSLDAP\profiles\Administrator\
Domain:   LDAP
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time: Mon, 18 Jan 2038 22:14:07 GMT
Password last set:Tue, 16 Nov 2004 11:21:34 GMT
Password can change:  0
Password must change: Fri, 31 Dec 2004 11:21:34 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

what is the uidNumber in ldap it must be 0, (has it got a posixAccount 
objectclass?)

Dan

Yup, uid=0 and posixAccount objectclass is there.
Christian


Re: [Samba] Samba/Netscape Directory Server

2004-11-16 Thread Christian Merrill
Andreas wrote:
On Tue, Nov 16, 2004 at 12:02:21PM -0500, Christian Merrill wrote:
 

Thanks, one more problem out of the way.  Now on a windows system I can 
manually net use to a share with Administrator, however attempting to 
join the domain still fails with a bad username/pw.
   

The user you choose to perform the domain joining has to have uid=0 on the
Samba box. Perhaps that's what's missing now.
 

Not sure offhand if I understand.  A quick review of where things 
stand now:

1. 2.1 Server running Netscape Directory Server (is not configured as a 
client, don't think this matters???)
2. RHEL3 system running Samba PDC with LDAP backend pointing to the 2.1 
system
3. The directory shows an Administrator account with uid 0.
4. Commented out the default root = administrator mapping in 
/etc/samba/smbusers on the samba server.
5. Can manually attach to shares with appropriate user/pw, but cannot 
join the domain as Administrator or as root from a windows 2k/XP client 
(bad username or password).

Regarding what you are saying, from the RHEL3 Samba server a getent 
passwd displays Administrator and root both with uid=0 along with the 
other available local & remote ldap accounts.

Christian


Re: [Samba] Samba/Netscape Directory Server

2004-11-16 Thread Christian Merrill
Andreas wrote:
On Tue, Nov 16, 2004 at 01:25:56PM -0500, Christian Merrill wrote:
 

Regarding what you are saying, from the RHEL3 Samba server a getent 
passwd displays Administrator and root both with uid=0 along with the 
other available local & remote ldap accounts.
   

Yes, that's what I meant. Seems OK. You will have to bump the log level up
a bit and check out what is going on. Start with level 2.
Oh, btw, do you have a add machine script directive? Sorry if you already
posted this info. Don't forget that the machine account has to have posix
attributes as well, be it in ldap or in /etc/passwd & /etc/shadow.
 

Will bump up the logging and see what I can find.  Sorry for not posting 
the config portion:

[global]
   workgroup = LDAP
   netbios name = GSSLDAP
   passdb backend = ldapsam:ldap://zorg.rdu.redhat.com
   name resolve order = wins bcast hosts
   time server = Yes
   add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
   delete user script = /usr/local/sbin/smbldap-userdel '%u'
   add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
   delete group script = /usr/local/sbin/smbldap-groupdel '%g'
   add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
   set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
   add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
   domain logons = Yes
   domain master = Yes
   preferred master = Yes
   wins support = Yes
   ldap suffix = dc=rdu,dc=redhat,dc=com
   ldap machine suffix = ou=People
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=Directory Manager
   ldap passwd sync = Yes
   ldap delete dn = Yes
   map acl inherit = Yes
   preserve case = yes
   short preserve case = yes
   case sensitive = no
   idmap backend = ldap://zorg.rdu.redhat.com
   idmap uid = 1-2
   idmap gid = 1-2



Re: [Samba] Samba/Netscape Directory Server

2004-11-16 Thread Christian Merrill
Andreas wrote:
On Tue, Nov 16, 2004 at 01:49:52PM -0500, Christian Merrill wrote:
 

Will bump up the logging and see what I can find.  Sorry for not posting 
the config portion:
   

I would also take a closer look at the ldap logs to be certain samba is being
able to log in as manager. Can you see if at least the posix part of the
computer account was created? That would mean that at least the
smbldap-useradd script was run.
 

I knew all along I was an idiot :).  The other steps needed to be done 
but the culprit was me putting the smbldap scripts in /usr/local/bin and 
then telling samba to look for them in /usr/local/sbin.  Amazing how 
much better it works now.  So I can now join a machine to the domain, 
however on the XP box I am testing on I am running into an interesting 
problem.  When I login with a user account it takes the authentication, 
goes blue which is normal, and then reboots the machine.  Pretty neat, 
going to see what event logs show (nothing on the smbd side of things), 
ever seen anything like this?

Christian
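
The failure described in this message (scripts installed in /usr/local/bin while smb.conf pointed at /usr/local/sbin) can be caught before the first join attempt. The following is an added example, not code from the thread or from Samba: it extracts the executable named by every "... script" parameter and reports the ones that are missing or not executable. The function names and the root argument (used so the check can run against a scratch directory) are assumptions; the sample config is constructed from two lines of the posted smb.conf.

```python
import os
import re
import shlex
import tempfile

# Constructed sample: the first two parameters follow the smb.conf posted in
# this thread, the commented-out line and the logon script line are added.
SAMPLE_CONF = r"""
[global]
   add user script = /usr/local/sbin/smbldap-useradd -a \
       -m '%u'
   add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
   ; delete user script = /usr/local/sbin/smbldap-userdel '%u'
   logon script = logon.bat
"""

SCRIPT_LINE = re.compile(r"^\s*([a-z ]*\bscript)\s*=\s*(.+?)\s*$", re.IGNORECASE)

# "logon script" names a file the client runs from the netlogon share, so it
# is not a command smbd executes on the server.
NOT_EXECUTED_BY_SMBD = {"logon script"}


def script_commands(smb_conf_text):
    """Yield (parameter, executable) for each server-side script parameter."""
    # smb.conf continues a line when it ends in a backslash.
    logical = re.sub(r"\\\n\s*", "", smb_conf_text)
    for line in logical.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = SCRIPT_LINE.match(line)
        if not m:
            continue
        param = " ".join(m.group(1).lower().split())
        argv = shlex.split(m.group(2))
        if param not in NOT_EXECUTED_BY_SMBD and argv:
            yield param, argv[0]


def broken_scripts(smb_conf_text, root="/"):
    """Return [(parameter, path, problem)] for scripts smbd could not run."""
    problems = []
    for param, path in script_commands(smb_conf_text):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            problems.append((param, path, "missing"))
        elif not os.access(full, os.X_OK):
            problems.append((param, path, "not executable"))
    return problems


def demo():
    """Reproduce the bin/sbin mix-up in a scratch tree, then correct it."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "usr", "local", "bin")
        sbin_dir = os.path.join(root, "usr", "local", "sbin")
        os.makedirs(bin_dir)
        os.makedirs(sbin_dir)
        tool = os.path.join(bin_dir, "smbldap-useradd")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(tool, 0o755)
        before = broken_scripts(SAMPLE_CONF, root)   # script sits in bin/
        os.rename(tool, os.path.join(sbin_dir, "smbldap-useradd"))
        after = broken_scripts(SAMPLE_CONF, root)    # script now in sbin/
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```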


Re: [Samba] Problem with smbmount

2004-11-03 Thread Christian Merrill
Jerome Tytgat wrote:
Hello list,
Sorry for the reposting, but I think someone may have
an idea, I don't think I'm the only one with this kind
of problem.
I have a problem with my samba shares.
I have a server with samba installed on it (3.0.7-Debian).
I have workstations under wxp and workstations under linux.
I have a common share which looks like this :
[Archive]
 available = yes
 valid users = user1, user2
 comment = Repertoire Archive
 browseable = yes
 write list = user1, user2
 writable = yes
 admin users = user1
 path = /home/archives
 user = user1, user2
 force user = root
I connect my wxp to the share without problem and
can read/write. Of course all new files are created
under the root user as requested by the force user
option.
I can connect my linux to this share using
mount -t smbfs -o rw,username=user1,password=xxx //server/Archive 
/mnt/server/archive,
(either using smbmount does the same behaviour)
I can do all the read I want, but I can't make any write.

It looks like my workstation get confused by the rights.
If I go in a directory where the user1 have RW access, I can
create a file, and it is automatically given to root (according
to the option force user), but I can't make any write
where the user root is the owner of the directory.
It works well under Windows XP workstation, it does not work under linux
workstation (which is a Kanotix/Knoppix/Debian distribution), that's
why I think it's a problem with smbmount/mount -t smbfs
Any idea ?
Thanks

Does something like the following work for you:
mount -t smbfs -o username=user1,password=xxx,uid=0,gid=0,dmask=770 //server/Archive /mnt/server/archive

Christian


Re: [Samba] Problem with smbmount

2004-11-03 Thread Christian Merrill
Jerome Tytgat wrote:

 Does something like the following work for you:

 mount -t smbfs -o username=user1,password=xxx,uid=0,gid=0,dmask=770 //server/Archive /mnt/server/archive
it works for the mount point but not for any folder inside.
Thanks anyway

 Christian

try adding fmask=770 as well
Christian


Re: [Samba] kerberos and/or winbind ??

2004-10-13 Thread Christian Merrill
Mark Le Noury wrote:
Hi,
I'm getting confused about the role that kerberos authentication plays.
What exactly is the point of using kerberos to join a samba server to an
AD domain?
If using kerberos still requires you to rely on winbindd for all the
nsswitch stuff then what is the point?
I can just as easily specify
   workgroup = wkgrp
   security = domain
and do a 
   net join

Instead of doing
   realm = wkgrp.krb.realm
   workgroup = wkgrp
   security = ADS
and doing
   net ads join 

  
Are there performance benefits/better security...what??
I think that maybe my understanding of the kerberos setup is a bit
flawed.

thanks for any replies,
Mark Le Noury
 

Here is an oversimplified explanation.  Configuring kerberos with samba 
will not give you any additional features.  It is definitely more secure 
-- the linux system will authenticate via kerberos with your AD DC.  
Aside from the security bonus the only other reason you would want to 
consider doing this is if your Active Directory is running in Native 
Mode.  If this is the case, you *have* to use kerberos if you wish to 
become a full domain member.  Otherwise, if you are running in Mixed 
Mode (the default mode on 2000/2003) and the added benefits of kerberos 
security are not a requirement, then by all means run in domain mode as 
an old style NT system and enjoy being free from the headaches of 
kerberos compatibility issues.

Christian


Re: [Samba] NT and XP clients cannot reach Samba PDC

2004-10-13 Thread Christian Merrill
M Middleton wrote:
When attempting to join my domain, the NT 4 Workstation and XP Pro
clients cannot contact the domain controller.  The Samba server is
running normally, and can be connected to via IP address, but not by
name.  Additionally, when I set up a DNS, it still could not contact
the Samba server.  The clients and server are on the same subnet.
I have read as much as I could find on configuring Samba as a PDC, but
thus far have found nothing that has solved my problem.
Below is a copy of my smb.conf file.  Any assistance is appreciated.  Thanks!
[global]
netbios name = THOR
workgroup = ASGARD
server string = Thor at Asgard
encrypt passwords = yes
status = yes
wins support = yes
passdb backend = smbpasswd
os level = 64
prefered master = yes
domain master = yes
local master = yes
security = user
domain logons = yes
logon path = \\%N\profiles\%u
logon drive = S:
logon home = \\homeserver\%u\winprofile
#logon script = logon.cmd
domain admin group = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*Password* %n\n *Please*Retype*New*Password* %n\n *Password*Updated*

[netlogon]
comment = Samba PDC Logon Scripts and Policies
path = /etc/samba/netlogon
read only = yes
write list = ntadmin
[profiles]
comment = Roaming Profiles
path = /etc/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
[homes]
comment = %u's Home Directory
read only = no
browsable = no
guest ok = no
writeable = yes
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
 

Have you tried manually setting a WINS entry (ip address of samba 
server) for the windows machines?

Christian


[Samba] Redhat, Samba 4, Kerberos, Netscape Directory Server

2004-09-30 Thread Christian Merrill
As you may have heard Redhat just recently acquired Netscape's Directory 
Server.  I am curious about any potential compatibility issues that we 
may run into down the road with Samba 4.  In particular can any 
integration be done with Netscapes LDAP and are we going to be facing 
any major issues if we remain on MIT kerberos?

Any thoughts/feedback would be greatly appreciated.
Christian


Re: [Samba] Unable to map or view resources by name

2004-09-23 Thread Christian Merrill
[EMAIL PROTECTED] wrote:
FYI, I have upgraded to Samba  3.0.7-1.3E and the problem persists.
Jon Etkins
IT Administration  Support
Austin Logistics, Inc
[EMAIL PROTECTED] wrote on 
09/22/2004 01:33:55 PM:

 

Hi, folks.
I'm in the process of setting up a RH ES3 box as a samba server in our 
Active Directory environment.  I have kerberos working for user 
authentication, and can both log into the RH machine and map drives from 
windows clients using domain passwords, but the drive mapping only works 
if I specify the share name with the server's IP address: 
\\10.1.200.114\share1.  If I try using the server's name - 
\\sambasvr\share1 - the authentication fails and I see the following in 
the corresponding client's log file on the server:

[2004/09/22 13:23:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
 Failed to verify incoming ticket!
and the following in the Security log on the AD server:
Event Type: Failure Audit
Event Source:   Security
Event Category: Account Logon 
Event ID:   676
Date:   9/22/2004
Time:   1:23:14 PM
User:   NT AUTHORITY\SYSTEM
Computer:   TORO
Description:
Authentication Ticket Request Failed:
   User Name:  jetkins$
   Supplied Realm Name:AUSTINLOGISTICS.COM
   Service Name:   krbtgt/AUSTINLOGISTICS.COM
   Ticket Options: 0x40810010
   Failure Code:   0x6
   Client Address: 10.1.200.26

The system is running kerberos 1.2.7-28 and samba 3.0.6-2.3E.  Any and 
all suggestions gratefully accepted - while it's working as is, I'd prefer 
to get this last wrinkle ironed out before I release it to my users for 
testing.

Thanks,
Jon Etkins
IT Administration  Support
Austin Logistics, Inc
--
   

Sounds like you're running into either the kerberos compatibility errors 
we see with win2k3 or the newest problem where people upgrade from 
3.0.6+ and then start encountering apparent kerberos failures in win2k 
environments.  Do you see any Failed to verify incoming ticket! errors 
in /var/log/samba files?

Christian


Re: [Samba] Unable to map or view resources by name

2004-09-23 Thread Christian Merrill
[EMAIL PROTECTED] wrote:
Christian Merrill [EMAIL PROTECTED] wrote on 09/23/2004 10:29:33 AM:
 Sounds like you're running into either the kerberos compatibility errors
 we see with win2k3 or the newest problem where people upgrade from
 3.0.6+ and then start encountering apparent kerberos failures in win2k
 environments.  Do you see any Failed to verify incoming ticket! errors
 in /var/log/samba files?

Yes.  Per my original note:
 the drive mapping only works
 if I specify the share name with the server's IP address:
 \\10.1.200.114\share1.  If I try using the server's name -
 \\sambasvr\share1 - the authentication fails and I see the following in
 the corresponding client's log file on the server:

 [2004/09/22 13:23:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
   Failed to verify incoming ticket!

The AD server is Win2k, not 2k3.  I have not tried this with a Samba 
version before 3.0.6, as that is the version that came bundled.  Odd 
that it works fine if I specify the server address, but not the name - 
hopefully that will prove useful in identifying the problem.

Cheers,
Jon Etkins
IT Administration  Support
Austin Logistics, Inc
By using the ip address you are bypassing kerberos and authenticating as 
an older style NT machine which is why it works.  If you're running in 
Mixed Mode a potential workaround would be to remove the realm parameter 
and change security back to domain in smb.conf.  If you're not running 
in Mixed Mode then I don't really have anything good to tell you :(.

Some RHEL3 customers running similar environments have reported that 
they re-obtained functionality by downgrading to our 3.0.4 release -- of 
course this release presents its own problems.  Other customers have 
stated that downgrading did not solve anything for them.

Christian


Re: [Samba] Which distribution to rollout

2004-09-23 Thread Christian Merrill
Daniel Ramaley wrote:
I run Samba on OpenBSD. It isn't Linux, but it is free and works very 
well. It also isn't likely to go away or move to a less stable 
development any time soon.

On Thursday 23 September 2004 09:44 am, Chris McKeever wrote:
 

we are running an older version of RH (7.3) - and I am getting
concerned that I may need to migrate off of it - but I don't know what
I should move to.  Trying to formulate ideas before it becomes a 'got
to do it now' scenario.
I have some reservations about fedora - I just don't know how stable it
is for a production server (our services are mainly
samba/ldap/ntp/ssh/rsync/clamav) - we have about 15 samba servers in
production currently.
RHEL - well - the cost is a factor
gentoo - takes too long to deploy
Mandrake 10?
What are some of the samba users recommendations?
thanks
   

 

I think to some degree it depends on what your implementation of samba 
is like...As in are you doing relatively simple file sharing or are you 
making use of all the bells and whistles available (winbind, kerberos 
integration, etc.).  If you have a relatively simple configuration and 
this is in a production environment then shell out the money for RHEL or 
Suse (trying not to be too biased) and enjoy being on a relatively 
stable unchanging and *supported* OS.

If your configuration is more complex then you probably want to avoid 
those platforms as they try to update very infrequently.  Samba tends to 
be in a constant state of change and of course it has to deal with 
reacting to whatever Microsoft decides to do...for simple configurations 
this doesn't tend to matter, but if you're using some of the more 
powerful features of Samba then you probably have to look forward to 
having to upgrade on a regular basis.  In that case you should probably 
go with whatever is free and comfortable for you to use.

Christian


[Samba] username.map limitations

2004-09-22 Thread Christian Merrill
It's looking like there may be a 1024 character limit for each username 
map?  For example:

account1 = user1 user2 user3 user4 user5 (etc. etc. etc.) 

--After a certain point user accounts are not recognized as being part 
of the map.  Is this an intentional limitation, am I coming up against 
something else, has anyone else encountered this?  Using a semi-ugly 
workaround of creating additional local accounts and splitting the maps up.

Christian


Re: [Samba] username.map limitations

2004-09-22 Thread Christian Merrill
Paul Gienger wrote:

It's looking like there may be a 1024 character limit for each 
username map?  For example:

From the smb.conf man page
 Each line of the map file may be up to 1023 characters long.
If you're running up against that maybe you should put all the users 
you need to map into a group and then make the map
someuser = @mapGroup1

I'm curious how you came about needing that many users in one map in 
the first place...

Have a very large customer (26000+ users) needing to set up a very 
limited form of file sharing using samba.  Stability is the major issue 
here and there's not that much complexity needed in regard to 
permissions.  This is also being configured in a failover environment.  
So, winbind is not really an option...to make things more interesting 
many of the domain accounts begin with ~'s and #'s so creating matching 
system accounts would be a bit of a headache.  The easiest and most 
stable solution was just to map all the users to respective accounts.

Christian
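
The 1023-character line limit quoted above, handled by rewrapping an overlong entry onto several lines that repeat the same Unix name. This is an added example, not part of the original thread; `split_username_map` is a hypothetical helper name. It assumes the map file is evaluated line by line, so a repeated left-hand name is accepted, and it leaves lines with quoted names untouched.

```shell
#!/bin/sh
# Added example (not from the thread). Rewrap username map entries that
# exceed the per-line limit into several lines with the same Unix name.
# Assumption: smbd evaluates the map line by line, so "acct = a b" followed
# by "acct = c d" behaves like one long "acct = a b c d" entry.

# split_username_map [MAX] < username.map > username.map.new
split_username_map() {
    max="${1:-1023}"
    awk -v max="$max" '
    # Comments, lines without "=", and lines that already fit pass through.
    /^[ \t]*[#;]/ || index($0, "=") == 0 || length($0) <= max { print; next }

    # Quoted client names may contain spaces. Do not guess where they end:
    # report the line and leave it for manual handling.
    index($0, "\"") > 0 {
        print "line " NR ": too long, has quoted names, left unchanged" > "/dev/stderr"
        print
        next
    }

    {
        eq   = index($0, "=")
        left = substr($0, 1, eq - 1)        # Unix name, including any "!" prefix
        sub(/[ \t]+$/, "", left)
        n = split(substr($0, eq + 1), names, /[ \t]+/)

        line  = left " ="
        count = 0
        for (i = 1; i <= n; i++) {
            if (names[i] == "") continue    # leading or trailing whitespace
            # Start a new line when the next name would cross the limit.
            if (count > 0 && length(line) + 1 + length(names[i]) > max) {
                print line
                line  = left " ="
                count = 0
            }
            line = line " " names[i]
            count++
        }
        if (count > 0) print line
    }'
}
```

Compare the output against the original with a test login for a user from each resulting line before replacing the live map file.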


[Samba] Change in smbpasswd in 3.0.6

2004-09-17 Thread Christian Merrill
Hi, we recently had a customer reporting that a script they run that 
includes an smbpasswd statement was no longer functioning after 
upgrading.  The smbpasswd command was being used to create an account 
and set a password -- taking the passwd as the second argument.  It 
looks like there has been a change in the code (possibly security 
related) and I was just curious what the official reason is for it.

Line 177 samba-3.0.4/source/utils/smbpasswd.c
switch(argc)
has three case statements '0', '1', and '2'
in the case of '2', it takes the 2nd parameter and uses it as a password
Line 166 samba-3.0.6/source/utils/smbpasswd.c
switch(argc)
has two case statements '0' and '1'
for the value number of parameters that can be passed to the program
Thank you,
Christian


Re: [Samba] Change in smbpasswd in 3.0.6

2004-09-17 Thread Christian Merrill
Jeremy Allison wrote:
On Fri, Sep 17, 2004 at 01:18:16PM -0400, Christian Merrill wrote:
 

Hi, we recently had a customer reporting that a script they run that 
includes an smbpasswd statement was no longer functioning after 
upgrading.  The smbpasswd command was being used to create an account 
and set a password -- taking the passwd as the second argument.  It 
looks like there has been a change in the code (possibly security 
related) and I was just curious what the official reason is for it.

Line 177 samba-3.0.4/source/utils/smbpasswd.c
switch(argc)
has three case statements '0', '1', and '2'
in the case of '2', it takes the 2nd parameter and uses it as a password
Line 166 samba-3.0.6/source/utils/smbpasswd.c
switch(argc)
has two case statements '0' and '1'
for the value number of parameters that can be passed to the program
   

Yes, I made the change as it is a really bad idea to allow passwords
listed in the clear on the command line. The recommended way to script
smbpasswd is to use the -s (use stdin for password prompt) option. I
don't think the password on command line was ever documented, it just
happened to work.
Jeremy.
 

Makes perfect sense to me.  Thank you so much for the fast response.
Christian
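
The `-s` approach recommended above, as an added example that is not part of the original thread: the password travels over stdin only, so it never shows up in the process list or shell history. `smb_set_password` and `SMBPASSWD_BIN` are names assumed for this example; `-a` needs root and an existing Unix account.

```shell
#!/bin/sh
# Added example (not from the thread): script smbpasswd through -s so the
# password is read from stdin instead of being passed as an argument.
# SMBPASSWD_BIN and smb_set_password are assumptions of this example;
# -s (use stdin for the password prompts) and -a (add user) are smbpasswd options.

SMBPASSWD_BIN="${SMBPASSWD_BIN:-smbpasswd}"

# smb_set_password USER PASSWORD_FILE
# Reads the new password from the first line of PASSWORD_FILE.
smb_set_password() {
    user="$1"
    pwfile="$2"

    [ -n "$user" ] && [ -r "$pwfile" ] || {
        echo "usage: smb_set_password USER PASSWORD_FILE" >&2
        return 2
    }

    # Refuse a password file that group or others can access at all.
    perms=$(ls -ld "$pwfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $pwfile: accessible by group/other ($perms)" >&2
        return 3
    fi

    # read still fills pw when the file has no trailing newline.
    IFS= read -r pw < "$pwfile" || [ -n "$pw" ] || {
        echo "empty password in $pwfile" >&2
        return 4
    }

    # printf is a builtin in bash and dash, so the password is never placed
    # in any argv. With -s -a, smbpasswd reads the new password twice.
    status=0
    printf '%s\n%s\n' "$pw" "$pw" | "$SMBPASSWD_BIN" -s -a "$user" || status=$?
    unset pw
    return "$status"
}
```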


[Samba] username map --update dynamically?

2004-09-15 Thread Christian Merrill
My assumption is that Samba needs to be restarted before it can 
recognize changes made to a username map file.  Is there any way to have 
it dynamically recognize changes?

Christian


Re: [Samba] username map --update dynamically?

2004-09-15 Thread Christian Merrill
Eric Boehm wrote:
On Sun, Sep 12, 2004 at 06:18:25AM -0400, Christian Merrill wrote:
 

Christian == Christian Merrill [EMAIL PROTECTED] writes:
   

   Christian My assumption is that Samba needs to be restarted
   Christian before it can recognize changes made to a username map
   Christian file.  Is there any way to have it dynamically recognize
   Christian changes?
That assumption is not entirely correct. New daemons will see the
change immediately. Already running daemons need a SIGHUP to reload.
From man smbd:
The configuration file, and any files that it includes, are
automatically reloaded every minute, if they change. You can
force a reload by sending a SIGHUP to the server. Reloading
the configuration file will not affect connections to any
service that is already established. Either the user will
have to disconnect from the service, or smbd killed and
restarted.
This is true for 2.2.x and 3.0.x
 

How did I miss that!  Thanks Eric.
/me crawls into a hole and hides in embarrassment.
Christian


[Samba] Modifying ACL's from client without using winbind

2004-09-13 Thread Christian Merrill
My situation is pretty simple but I'm not able to figure out this last 
bit (any help is greatly appreciated).  I have a Samba3 server that is a 
standard NT member of an Active Directory.  All domain users have 
matching local accounts, and the domain groups that are involved also 
have matching local groups.

Clients can set permissions within the shares but are *unable* to add or 
remove users/groups from those acls.  Do I need to configure some kind 
of additional user or group mapping?

Thanks in advance,
Christian


[Samba] create_canon_ace_lists: unable to map SID

2004-09-10 Thread Christian Merrill
I know this is probably something very simple but I can't for the life 
of me figure out what's going on.  This is a very basic setup using 
domain security and joined NT style in an AD running in Mixed Mode.  I 
am *not* using winbind, all user and group accounts are represented 
locally in /etc/passwd and /etc/group.  For the most part this is 
functional, from a windows client I am able to modify access permissions 
for users already in the ACL (using acl support, filesystem is mounted 
with acl option etc.).  What I cannot do is add users to the acl from 
the windows side.  Does anyone know what I am doing wrong?

Christian


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-10 Thread Christian Merrill
Tom Ryan wrote:
I submitted a ticket (bugzilla) to redhat on this..
with the 3.0.6 update from them, coupled with their recent kerberos
updates, it fails unless you use the FQDN..
it's completely reproducible (at least on my end). I moved to security =
domain and have it at least working again..
Tom
On Fri, 10 Sep 2004, Gerald (Jerry) Carter wrote:
 

Christian Merrill wrote:
| Well from my end (Redhat) the behavior is indicative of
| a known issue with the MIT kerberos 1.2.x packages
| that we currently support and Win2k3 DC's...however Win2k
| DC's have been operating fine as far as I know.  What I
| am seeing are customers who were previously running
| upgrade to the 3.0.6 samba package and then start to
| encounter these errors.  If they downgrade the samba
| package the problem goes away.   I've also noticed a few
| other posts from users on other distros such as
| Debian encountering very similar behavior.
| On the surface it really looks like a kerberos problem,
| but people are reporting that it seems to be directly
| linked to the samba package.  My current test environment
| is on 2k3 so I'm still in the process of setting up a
| 2k AD environment to do testing on...at this point just
| relaying feedback that I am getting from others.
I spent some time on this today without any luck
reproducing the problem.  My test server was SuSE 9.1 pro
however with heimdal 0.6.1rc3.
I've updated the comments in
https://bugzilla.samba.org/show_bug.cgi?id=1717
And I checked the ticket cache produced by
smbclient //server/share -k from 3.0.5 and 3.0.6.  Same
host principal is used ([EMAIL PROTECTED]).
So far, I've not learned of any common thread from the people
who posted on this.  I'm open to suggestions.  (off to
review abartlet's mail to samba-technical about this).
cheers, jerry
- -
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
If we're adding to the noise, turn off this song--Switchfoot (2003)
   

___
Tom RyanVoice: 856-225-6361
Consulting System Administrator   Fax: 856-969-7900
Rutgers School of Law - Camden   IT Help Desk: 856-225-2343
 

Tom we have had multiple reports of this and I imagine your ticket is 
probably one of many in my queue right now.  We are working on it 
internally as well but so far have not made any real progress narrowing 
down the problem.  It *appears* that this is actually unrelated to our 
kerberos update.  As I mentioned previously this looks like the problems 
we have been seeing in win2k3 environments -- almost as if something 
helped spread this issue to win2k as well.

Christian


Re: [Samba] Problems com password in win2k

2004-09-09 Thread Christian Merrill
Fernando wrote:
I have a problem with password in win2k clients
Samba run in a HP-UX version 11.11
I connect to a server and map the drive, and it asks me for a login and a
password,
but when I reboot the client machine, it asks me again for the login and password.
I would like it to stop asking me for a login and a password when I reboot the
client machine.
smb.conf:
#=== Global Settings =
[global]
  netbios name = l1000
  workgroup = micromidia
  server string = Samba Server
  log file = /var/opt/samba/log.%m
  max log size = 1000
  security = share
  password server =
  encrypt passwords = no
  socket options = TCP_NODELAY
  local master = no
  preserve case = yes
  short preserve case = no
  dos filetime resolution = yes
  read only = no
  syslog = 0
# Share Definitions ==
[tmp]
comment = teste do samba share
path = /tmp
browseable = yes
writeable = yes
 

h does adding guest ok = Yes in the [tmp] share help at all?
Christian


Re: [Samba] (no subject)

2004-09-09 Thread Christian Merrill
Tom Skeren wrote:
It's a mount command.  On FBSD it's
mount_smbfs //[EMAIL PROTECTED]/share /(some local directory path)
Gerald Hughes wrote:
Samba,
Is if possible to connect to a C drive on a windows machine from a 
Unix machine using SAMBA?  We can go the other way but have a problem 
from Windows to Unix.
Any Examples out there?

jerry
Gerald C. Hughes
GEO/Graphic, Inc.
90 West Center Street
Logan, UT 84321
ph:435.753-5429

This mail sent through Valley InfiNet Webmail: 
http://webmail.mtwest.net/
 



If you want the actual c drive mounted it would be something like:
smbmount //windows_machine/c$ /path/to/mountpoint -o username=Administrator,workgroup=WORKGROUP
Christian


[Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-08 Thread Christian Merrill
Running into a lot of people upgrading to the 3.0.6 package that all
of a sudden begin to experience the Failed to verify incoming
ticket! errors etc., that are generally associated with a kerberos
package incompatibility.
However many of these people are running later versions of kerberos
*and* reverting to a previous version of Samba appears to fix the
issue.  Is there something new setting wise that has taken place, is
something really wrong with this new package, or is this all just a
strange coincidence?
Christian


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-08 Thread Christian Merrill
Gerald (Jerry) Carter wrote:
Christian Merrill wrote:
| Running into a lot of people upgrading to the 3.0.6
| package that all of a sudden begin to experience
| the Failed to verify incoming ticket! errors
| etc., that are generally associated with a kerberos
| package incompatibility.
|
| However many of these people are running later
| versions of kerberos *and* reverting to a previous
| version of Samba appears to fix the issue.  Is there
| something new setting wise that has taken place, is
| something really wrong with this new package, or
| is this all just a strange coincidence?
I've not been able to reproduce this or track it down.
Is there a consensus whether this is a specific issue
with using MIT or Heimdal ?  Or with Windows 2000 or
2003 DCs ?
Any details would be helpful.  I've created bug report at
https://bugzilla.samba.org/show_bug.cgi?id=1739



cheers, jerry
- -
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
If we're adding to the noise, turn off this song--Switchfoot (2003)
Well from my end (Redhat) the behavior is indicative of a known issue 
with the MIT kerberos 1.2.x packages that we currently support and 
Win2k3 DC's...however Win2k DC's have been operating fine as far as I 
know.  What I am seeing are customers who were previously running 
upgrade to the 3.0.6 samba package and then start to encounter these 
errors.  If they downgrade the samba package the problem goes away.  
I've also noticed a few other posts from users on other distros such as 
Debian encountering very similar behavior.

On the surface it really looks like a kerberos problem, but people are 
reporting that it seems to be directly linked to the samba package.  My 
current test environment is on 2k3 so I'm still in the process of 
setting up a 2k AD environment to do testing on...at this point just 
relaying feedback that I am getting from others.

Christian


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-08 Thread Christian Merrill
Rick Brown wrote:
On Sun, 5 Sep 2004, Christian Merrill wrote:
 

Gerald (Jerry) Carter wrote:
   

Christian Merrill wrote:
| Running into a lot of people upgrading to the 3.0.6
| package that all of a sudden begin to experience
| the Failed to verify incoming ticket! errors
| etc., that are generally associated with a kerberos
| package incompatibility.
|
| However many of these people are running later
| versions of kerberos *and* reverting to a previous
| version of Samba appears to fix the issue.  Is there
| something new setting wise that has taken place, is
| something really wrong with this new package, or
| is this all just a strange coincidence?
I've not been able to reproduce this or track it down.
Is there a consensus whether this is a specific issue
with using MIT or Heimdal ?  Or with Windows 2000 or
2003 DCs ?
Any details would be helpful.  I've created bug report at
https://bugzilla.samba.org/show_bug.cgi?id=1739
 

Well from my end (Redhat) the behavior is indicative of a known issue
with the MIT kerberos 1.2.x packages that we currently support and
Win2k3 DC's...however Win2k DC's have been operating fine as far as I
know.  What I am seeing are customers who were previously running
upgrade to the 3.0.6 samba package and then start to encounter these
errors.  If they downgrade the samba package the problem goes away.
I've also noticed a few other posts from users on other distros such as
Debian encountering very similar behavior.
On the surface it really looks like a kerberos problem, but people are
reporting that it seems to be directly linked to the samba package.  My
current test environment is on 2k3 so I'm still in the process of
setting up a 2k AD environment to do testing on...at this point just
relaying feedback that I am getting from others.
   

I've seen this problem on a new machine/samba install..
Our DC recently changed from 2k to 2k3, and I believe that might
be part of the cause of the problem.   I have 2 samba machines (running
3.0.2) that I joined into the realm when our DC was 2k, they still work
great.   Last week I brought a new machine online (running 3.0.4) joined
the realm with no problems, but then proceeded to get the following error:
ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
when authenticating..  I've since downgraded to 3.0.2 with no success,
and tried upgrading to 3.0.6 with no success.
Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
red tape...   so that's not an option.   IMO, MIT krb is not the problem, as
the two existing machines still work fine.   I think it might have
something to do with the way AD in 2k3 is storing the cifs and host
keys.
[ Rick Brown   ][  (404) 894-6175   ]
[ Office of Information Technology ][[EMAIL PROTECTED]  ]
[ Georgia Institute of Technology  ][  258 4th street. Atlanta, GA  ]
 

I think the only accurate test would be in a 2k environment, I have 
definitely seen these issues on 2k3 with the pre 1.3.x kerberos packages 
regardless of what version of Samba is being used.  The behavior I tend 
to see in a 2k3 environment is that Samba/Kerberos will work quite 
happily for about 90 days and then the DC will issue a ticket that the 
older versions of MIT kerberos can't handle.  However when using 2k this 
really didn't appear to be a problem until upgrading to the 3.0.6 
versions.  Hopefully I'll be able to get a 2k environment setup soon to 
test against...I don't understand how the Samba package could in any way 
be responsible for these kerberos-like problems but that is what appears 
to be the case at this point.

I should also mention that Redhat's packages are somewhat different from 
the actual ones provided by samba.org -- I am mainly looking at this on 
the RHEL3 platform, however I have seen some similar issues reported by 
people using other distros.

Christian


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-08 Thread Christian Merrill
Ross, Alex wrote:
Christian,
FYI: win2k SP4 on AD causes Win3K like behavior of forcing Kerberos
Ticket signing 
http://support.microsoft.com/default.aspx?scid=kb;en-us;811422

So on win2k ad this breaks krb5 before 1.3.x...
-Alex
-Original Message-
From: Christian Merrill [mailto:[EMAIL PROTECTED] 
Sent: Sunday, September 05, 2004 9:34 AM
To: Rick Brown
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

Rick Brown wrote:
On Sun, 5 Sep 2004, Christian Merrill wrote:
Gerald (Jerry) Carter wrote:
Christian Merrill wrote:
| Running into a lot of people upgrading to the 3.0.6
| package that all of a sudden begin to experience
| the Failed to verify incoming ticket! errors
| etc., that are generally associated with a kerberos
| package incompatibility.
|
| However many of these people are running later
| versions of kerberos *and* reverting to a previous
| version of Samba appears to fix the issue.  Is there
| something new setting wise that has taken place, is
| something really wrong with this new package, or
| is this all just a strange coincidence?
I've not been able to reproduce this or track it down.
Is there a consensus whether this is a specific issue
with using MIT or Heimdal?  Or with Windows 2000 or
2003 DCs?
Any details would be helpful.  I've created a bug report at
https://bugzilla.samba.org/show_bug.cgi?id=1739

Well from my end (Redhat) the behavior is indicative of a known issue
with the MIT kerberos 1.2.x packages that we currently support and
Win2k3 DC's...however Win2k DC's have been operating fine as far as I
know.  What I am seeing are customers who were previously running
upgrade to the 3.0.6 samba package and then start to encounter these
errors.  If they downgrade the samba package the problem goes away.
I've also noticed a few other posts from users on other distros such as
Debian encountering very similar behavior.
On the surface it really looks like a kerberos problem, but people are
reporting that it seems to be directly linked to the samba package.  My
current test environment is on 2k3 so I'm still in the process of
setting up a 2k AD environment to do testing on...at this point just
relaying feedback that I am getting from others.

I've seen this problem on a new machine/samba install..
Our DC recently changed from 2k to 2k3, and I believe that might
be part of the cause of the problem.   I have 2 samba machines (running
3.0.2) that I joined into the realm when our DC was 2k, they still work
great.   Last week I brought a new machine online (running 3.0.4) joined
the realm with no problems, but then proceeded to get the following error:
ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
when authenticating..  I've since downgraded to 3.0.2 with no success,
and tried upgrading to 3.0.6 with no success.
Oh yea, these are solaris 9 boxes with kerberos 1.2.5 (fully patched).
Unfortunately I can't upgrade kerberos to 1.3.4 without a bunch of
red tape...   so that's not an option.   IMO, MIT krb is not the problem, as
the two existing machines still work fine.   I think it might have
something to do with the way AD in 2k3 is storing the cifs and host
keys.
[ Rick Brown   ][  (404) 894-6175   ]
[ Office of Information Technology ][[EMAIL PROTECTED]  ]
[ Georgia Institute of Technology  ][  258 4th street. Atlanta, GA  ]

I think the only accurate test would be in a 2k environment, I have 
definitely seen these issues on 2k3 with the pre 1.3.x kerberos packages 
regardless of what version of Samba is being used.  The behavior I tend 
to see in a 2k3 environment is that Samba/Kerberos will work quite 
happily for about 90 days and then the DC will issue a ticket that the 
older versions of MIT kerberos can't handle.  However when using 2k this 
really didn't appear to be a problem until upgrading to the 3.0.6 
versions.  Hopefully I'll be able to get a 2k environment setup soon to 
test against...I don't understand how the Samba package could in any way 
be responsible for these kerberos-like problems but that is what appears 
to be the case at this point.
I should also mention that Redhat's packages are somewhat different from 
the actual ones provided by samba.org -- I am mainly looking at this on 
the RHEL3 platform, however I have seen some similar issues reported by 
people using other distros.

Christian

Checking right now to see what SP level the affected customers are on.  
However if this is true I would have to assume that they are not running 
SP4 as they are using 1.2.x kerberos packages and (at least according to 
them) are functional on any version of Samba 3 prior to 3.0.6.

Christian

Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-08 Thread Christian Merrill
Blindauer Emmanuel wrote:
On Sunday 05 September 2004 13:38, Christian Merrill wrote:
Running into a lot of people upgrading to the 3.0.6 package that all
of a sudden begin to experience the Failed to verify incoming
ticket! errors etc., that are generally associated with a kerberos
package incompatibility.
However many of these people are running later versions of kerberos
*and* reverting to a previous version of Samba appears to fix the
issue.  Is there something new setting wise that has taken place, is
something really wrong with this new package, or is this all just a
strange coincidence?
Christian
   

I confirm the problem:
I'm running win2k SP4, AD, mixed mode, no other special conf.
The samba is 3.0.6, compiled from sources. I use winbind too.
Winbind has some
krb5_cc_get_principal failed (No credentials cache found)
but nothing special.
But the samba daemon gets, for some users,
smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket
and this prevents users from accessing their share.
The kerberos used is 1.3.4.

The 2000 domain has been started from scratch, no NT4 migration.
Emmanuel

My customers are using 1.2.X packages but this sounds identical to the 
problem they are seeing.  The effect of all this is the classic "I can 
browse to shares by \\ip.address\share_name but when I try to browse by 
\\netbios_name\share_name I get prompted for an account/password and 
these errors start popping up in the logs".

Emmanuel, does this problem also go away for you when you revert to an 
older samba release?

Christian

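Added example, not part of the thread or of Samba: a small triage script that tallies the two smbd messages quoted in these posts (the `ads_verify_ticket` decrypt failure and `Failed to verify incoming ticket`) by Kerberos encryption type, so a run of failures can be compared before and after a package change. It assumes smbd's usual two-line log layout (header line, then indented message); the sample log is constructed.

```python
import re
from collections import Counter

# Kerberos encryption type numbers as assigned by IANA.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5"}

# Constructed sample in smbd's two-line log layout. The two Kerberos message
# texts are the ones quoted in the thread; timestamps, the etype 23 entry, the
# last entry and every source location except reply_spnego_kerberos(173)
# are invented for this example.
SAMPLE_LOG = """\
[2004/09/05 13:02:11, 1] libads/kerberos_verify.c:ads_verify_ticket(0)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/09/05 13:02:11, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/05 13:07:40, 1] libads/kerberos_verify.c:ads_verify_ticket(0)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2004/09/05 13:07:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/05 13:09:02, 2] smbd/server.c:exit_server(0)
  Closing connections
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\] (?P<src>\S+)$")
DECRYPT = re.compile(r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt")
REJECT = "Failed to verify incoming ticket"

def parse_events(text):
    """Pair each header line with its indented message; keep Kerberos failures."""
    events, ts, src = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, src = m.group("ts"), m.group("src")
            continue
        d = DECRYPT.search(line)
        if d:
            events.append({"ts": ts, "src": src, "kind": "decrypt",
                           "etype": int(d.group(1))})
        elif REJECT in line:
            events.append({"ts": ts, "src": src, "kind": "reject", "etype": None})
    return events

def summarize(events):
    """Count decrypt failures per enctype name and rejected session setups."""
    by_etype = Counter(ETYPES.get(e["etype"], f"etype-{e['etype']}")
                       for e in events if e["kind"] == "decrypt")
    rejects = sum(1 for e in events if e["kind"] == "reject")
    return {"decrypt_failures": dict(by_etype), "rejected_sessions": rejects}

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_LOG)))
```
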

Re: [Samba] Best strategy to undo an update

2004-09-08 Thread Christian Merrill
Andrew B. Young wrote:
My http authentication through winbind has stopped working with a Fedora
Core 2 update of httpd and samba (and others),
  httpd-2.0.49-4 -> httpd-2.0.50-2.1
  samba-3.0.3-5 -> samba-3.0.6-2.fc2
which I believe is caused by a winbind bug 
(http://us1.samba.org/samba/news/#comingsoon_3.0.7)

What is the best strategy to fix this?  I can think of two:
1)  rpm --erase all the samba-*-3.0.6-2.fc2 packages and
   rpm --install all the samba-*-3.0.3-5 packages
   I have never done this, but suppose it will work.
2)  download the Samba 3.0.6 source, apply the patch, compile, install, run
   I am worried this will somehow interfere w/ samba-*-3.0.6-2.fc2 packages
   preventing me from using the Fedora update in the future.

Thanks,
Andrew

1 should work quite well, however keep in mind that by doing that you 
are going to lose everything in /var/cache/samba (idmaps etc.) so you 
may need to reapply permissions on local files.

I'm not sure how 2 will work and I imagine it would cause some confusion 
with Fedora's update feature.

Christian