Re: [Samba] Windows machine has to join two times

2010-03-10 Thread David Markey
Are you using nscd?

/etc/nscd stop and see what happens

On 10 March 2010 12:16, toonverdo...@dommel.be wrote:

 I changed the add machine and the add user script to:
 smbldap-useradd .. %u && nscd -i passwd && sleep 1s
 I think that is what you mean? Unfortunately it didn't solve the problem.

  On 09 Mar 2010, at 16:53, Björn Jacke wrote:
 
  On 2010-03-09 at 08:57 +0100 toonverdo...@dommel.be sent off:
  I'm running a debian lenny machine with samba (3.5.0) and OpenLDAP installed
  (2.4.11). When I add a machine to the domain, windows reports the following
  error: The specified computer account could not be found. The computer
  account is added to the LDAP database but without the samba attributes. The
  weird thing is that if I try it a second time, the samba attributes are added
  to the computer account and the machine successfully joins the domain. This
  happens with XP, Vista and Windows 7 clients. I have no idea why it doesn't
  work the first time.
 
  make sure to invoke nscd -i passwd at the end of your add machine/user script
  and maybe sleep a second.
 
  Björn
  --
  SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
  phone: +49-551-37-0, fax: +49-551-37-9
  AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Windows machine has to join two times

2010-03-10 Thread David Markey
Sorry, /etc/init.d/nscd stop

On 10 March 2010 12:25, David Markey ad...@dmarkey.com wrote:

 Are you using nscd?

 /etc/nscd stop and see what happens


 On 10 March 2010 12:16, toonverdo...@dommel.be wrote:

 I changed the add machine and the add user script to:
 smbldap-useradd .. %u && nscd -i passwd && sleep 1s
 I think that is what you mean? Unfortunately it didn't solve the problem.

  On 09 Mar 2010, at 16:53, Björn Jacke wrote:
 
  On 2010-03-09 at 08:57 +0100 toonverdo...@dommel.be sent off:
  I'm running a debian lenny machine with samba (3.5.0) and OpenLDAP installed
  (2.4.11). When I add a machine to the domain, windows reports the following
  error: The specified computer account could not be found. The computer
  account is added to the LDAP database but without the samba attributes. The
  weird thing is that if I try it a second time, the samba attributes are added
  to the computer account and the machine successfully joins the domain. This
  happens with XP, Vista and Windows 7 clients. I have no idea why it doesn't
  work the first time.
 
  make sure to invoke nscd -i passwd at the end of your add machine/user script
  and maybe sleep a second.
 
  Björn
  --
  SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
  phone: +49-551-37-0, fax: +49-551-37-9
  AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen






Re: [Samba] Can I configure Samba with SSL?

2010-03-10 Thread David Markey
Another option might be to use a cheap VPN like OpenVPN

On 10 March 2010 15:36, simo i...@samba.org wrote:

 On Wed, 2010-03-10 at 18:11 +0530, Sai Ram Purandhar-B22305 wrote:
  Hi List,
 
 
 
  I'm using Fedora 12, which has samba 3.4.6 version. Can I configure
  Samba with SSL support?

 No, CIFS has no support for SSL, but you could use stunnel and non
 default ports if you *really* care. Will work only between Linux/Unix
 machines of course. See stunnel man pages for more info.

 And make sure you upgrade to 3.4.7 as soon as it is pushed (ongoing).

 Simo.

 --
 Simo Sorce
 Samba Team GPL Compliance Officer s...@samba.org
 Principal Software Engineer at Red Hat, Inc. s...@redhat.com




Re: [Samba] Samba from Sunfreeware and nss_winbind.so

2009-12-04 Thread David Markey
I *think* there's GPLv3 problems with distributing samba 3.4 with Solaris.

You could be waiting a while.



On Fri, 04 Dec 2009 09:59:06 -0500, Gaiseric Vandal
gaiseric.van...@gmail.com wrote:
 On 12/03/09 17:42, Gaiseric Vandal wrote:
 Sunfreeware.com has compiled packages of Samba 3.4.2 with kerberos and 
 ldap support included (if you also install the ldap and kerberos 
 packages from sunfreeware.)   However it does not include the 
 nss_winbind.so.*  or libnss_winbind.so.* files.


 Solaris does include nss_winbind.so already (since it is included with 
 Samba 3.0.x) or I could compile it from the 3.4.x source code.   But 
 then I am not sure if either of these would be compatible with 
 Sunfreeware samba.

 I am using winbind in /etc/nsswitch.conf for supporting users in a 
 trusted domain. Under samba 3.0.x getent passwd did return users 
 from a trusted domain.   On 3.4 it is not, although wbinfo -u is 
 working.


 Thanks



 
 I copied the nss_winbind.so  file I compiled to /usr/local/samba/lib.   
 Samba will use that in preference to any files in /usr/lib so I didn't 
 need to delete or move Sun provided nss_winbind.so file.
 
 
 I added the following to smb.conf  (they had not been required in samba 
 3.0.x.)
 
 idmap uid = 3-3
 idmap gid = 3-3
 
 
 The following entries already existed in smb.conf (and had been sufficient
 
 
 idmap config TRUSTEDWINDOMAIN:backend = ldap
 #idmap config TRUSTEDWINDOMAIN:readonly = no
 idmap config TRUSTEDWINDOMAIN:readonly = yes
 idmap config TRUSTEDWINDOMAIN:default=no
 idmap config TRUSTEDWINDOMAIN:ldap_base_dn = ou=administration,ou=idmap,o=domain.com
 idmap config TRUSTEDWINDOMAIN:ldap_user_dn = cn=Directory Manager
 idmap config TRUSTEDWINDOMAIN:ldap_url = ldap://ldapserver1.domain.com
 idmap config TRUSTEDWINDOMAIN:range = 3-3
 
 
 
 idmap alloc backend = ldap
 idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=domain.com
 idmap alloc config:ldap_user_dn = cn=Directory Manager
 idmap alloc config:ldap_url = ldap://ldapserver1.domain.com
 idmap alloc config:range = 3-3
 
 
 
 I also needed to add  the following line to smb.conf
 
 client schannel = no
 
 This resolved cm_get_ipc_userpass: No auth-user defined  error 
 messages in winbindd.log. I suspect this may need to be set on the 
 PDC  to resolve some other domain trust issues.  The trusted domain is 
 Windows 2003 in mixed mode.
 
 
 Ideally Sun will one day  provide their own build of Samba 3.4.x.


Re: [Samba] net sam provision and samba 3.4.0

2009-09-07 Thread David Markey
Yes

smbpasswd -w is for user/group/domain information.

net idmap secret alloc is specifically for the idmap part of the directory.

IMO if there is no idmap password set, it should fall back to the global
ldap dn/password.



On Mon, 7 Sep 2009 08:35:20 +0200, Zeller, Jan jan.zel...@id.unibe.ch
wrote:
 thank you ! But what's net idmap secret alloc password ?
 Is it different from smbpasswd -w ?
 
 man net says :
 Store a secret for the specified domain, used primarily for domains that
 use idmap_ldap as a backend. In this case the secret is used as the
 password for the user DN used to bind to the ldap server.
 
 hmmm...
 
 -Original Message-
 From: David Markey [mailto:dmar...@dodds.dmarkey.com]
 Sent: Monday, 7 September 2009 00:53
 To: Zeller, Jan
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] net sam provision and samba 3.4.0
 
 
 These are the settings i use:
 [global]
   workgroup = TESTDOM
   encrypt passwords = true
   passdb backend =   ldapsam:ldapi:///
   domain logons = yes
   ldapsam:trusted=yes
   ldapsam:editposix=yes
   restrict anonymous = 0
   log level = 10
   log file = /var/log/samba
   ldap admin dn = cn=admin,dc=samba,dc=org
   ldap delete dn = yes
   ldap passwd sync = yes
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap user suffix = ou=users
   ldap suffix = dc=samba,dc=org
   ldap ssl = off
   logon path =
   template homedir = /home/%U
   template shell = /bin/bash
   idmap backend = ldap:ldapi:///
   idmap uid = 100-199
   idmap gid = 100-199
   idmap alloc backend = ldap
   idmap alloc config : ldap_url = ldapi:///
   idmap alloc config : ldap_base_dn = ou=idmap,dc=samba,dc=org
   idmap alloc config : ldap_user_dn = cn=admin,dc=samba,dc=org
 
 
 Don't forget net idmap secret alloc password

Re: [Samba] net sam provision and samba 3.4.0

2009-09-06 Thread David Markey

These are the settings i use:
[global]
  workgroup = TESTDOM
  encrypt passwords = true
  passdb backend =   ldapsam:ldapi:///
  domain logons = yes
  ldapsam:trusted=yes
  ldapsam:editposix=yes
  restrict anonymous = 0
  log level = 10
  log file = /var/log/samba
  ldap admin dn = cn=admin,dc=samba,dc=org
  ldap delete dn = yes
  ldap passwd sync = yes
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  ldap suffix = dc=samba,dc=org
  ldap ssl = off
  logon path =
  template homedir = /home/%U
  template shell = /bin/bash
  idmap backend = ldap:ldapi:///
  idmap uid = 100-199
  idmap gid = 100-199
  idmap alloc backend = ldap
  idmap alloc config : ldap_url = ldapi:///
  idmap alloc config : ldap_base_dn = ou=idmap,dc=samba,dc=org
  idmap alloc config : ldap_user_dn = cn=admin,dc=samba,dc=org


Don't forget net idmap secret alloc password


The docs should probably be updated.



On Sun, 6 Sep 2009 21:16:59 +0200, Zeller, Jan jan.zel...@id.unibe.ch
wrote:
 Dear list,
 
 I had some problems with net sam provision using samba 3.4.0
 I followed the instructions described on
 http://wiki.samba.org/index.php/Ldapsam_Editposix and those published by iX
 4-6/2008 (www.ix.de)
 but the result of net sam provision was always :
 
 # bin/net sam provision
  Checking for Domain Users group.
  Adding the Domain Users group.
  Unable to allocate a new gid to create Domain Users group!
  Checking for Domain Admins group.
  Adding the Domain Admins group.
  Unable to allocate a new gid to create Domain Admins group!
  Check for Administrator account.
  Adding the Administrator user.
  Can't create Administrator user, Domain Admins group not available!
 
 The only configuration which is working under 3.4.0 regarding net sam
 provision seems to be :
 
 [global]
workgroup = MYDOM
netbios name =
passdb backend = ldapsam:ldap://yoda.home.lan
ldap admin dn = cn=ldapadm,o=it,dc=home,dc=lan
ldap suffix = o=it,dc=home,dc=lan
ldap ssl = no
idmap alloc backend = ldap
idmap uid = 1-1
idmap gid = 1-1
idmap config MYDOM : range = 2-2
idmap config MYDOM : backend = ldap
idmap alloc config:ldap_url = ldap://yoda.home.lan
idmap alloc config:ldap_user_dn = cn=ldapadm,o=it,dc=home,dc=lan
idmap alloc config:ldap_base_dn = o=it,dc=home,dc=lan
ldapsam:editposix = yes
ldapsam:trusted = yes
 
 If I omit 
 idmap uid = 
 idmap gid = 
 I obtain the error message mentioned above.
 
 The only info I get about that problem is from :
 Michael Adam (Samba Team, SerNet): ID Mapping Re-Revisited (sambaxp.org)
 
 idmap domains seem to be obsolete. testparm always complains about :
 Unknown parameter encountered: idmap domains
 Ignoring unknown parameter idmap domains
 
 Honestly I don't understand the difference between idmap alloc backend =

 and idmap backend = 
 
 idmap alloc backend (G) 
 The idmap alloc backend provides a plugin interface for Winbind to use when
 allocating Unix uids/gids for Windows SIDs. 
 This option is to be used in conjunction with the idmap domains parameter
 and refers to the name of the idmap module which will provide the id
 allocation functionality.
 
 idmap backend (G)
 The idmap backend provides a plugin interface for Winbind to use varying
 backends to store SID/uid/gid mapping tables. This option is mutually
 exclusive with the newer and more flexible idmap domains parameter. The main
 difference between the idmap backend and the idmap domains is that the
 former only allows one backend for all domains while the latter supports
 configuring backends on a per domain basis.
 
 Quite confusing for people like me ...
 
 kind regards,
 
 Jan


Re: [Samba] sambaPwdMustChange not synced on PDC from BDC

2009-09-02 Thread David Markey
This caught me out too.

sambaPwdMustChange has been phased out since late in the 3.0 series. It is
ignored.

The password expiry is calculated on the fly from sambaPwdLastChange +
sambaMaxPwdAge(Domain entry)


You will have to run the same version of samba on both PDC and BDC.





On Tue, 01 Sep 2009 22:34:41 +0200, Michael Ströder mich...@stroeder.com
wrote:
 nogenetics nogenetics wrote:
 On Fri, Aug 28, 2009 at 10:25 AM, nogenetics nogenetics 
 nnogenet...@gmail.com wrote:
 I have a PDC/BDC samba/ldap environment.
 PDC:
 samba 3.0.24
 slapd 2.3.30

 BDC:
 samba 3.2.5
 slapd 2.4.11

 Ldap replication is working fine, but I have noticed two issues

 1- when a windows user change password on BDC, sambaPwdMustChange and
 sambaPwdCanChange is not synced on PDC
 (using ldap passwd sync = yes and unix password sync = no)

 2- when using 'net sam set pwdmustchange'  on PDC, sambaPwdMustChange is
 not synced on BDC

 Anyone can point me what's wrong?

 About issue 1-  , I can use unix password sync = yes and ldap passwd sync =
 no (using smbldap-passwd) as workaround, but windows user get that annoying
 warning message (decode_pw_buffer-incorrect-password-length topic).  Is
 there a way to avoid this warning message?
 This is an issue many users are experiencing.

 Thanks in advance for your time


 Bump!
 No hints?
 
 How are you sure you don't run into OpenLDAP replication problems? The
 OpenLDAP versions you're running are quite old. slapd 2.3.x is not actively
 supported anymore. There also were interop issues fixed regarding replication
 between 2.3.x and 2.4.x and numerous syncrepl fixes for 2.4.x. You should
 definitely upgrade your OpenLDAP installations.
 
 Ciao, Michael.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
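
The expiry rule described in this reply (sambaPwdLastChange + sambaMaxPwdAge from the domain entry, with any stored sambaPwdMustChange ignored), as an added example that is not code from the thread or from Samba. It audits constructed directory entries and flags accounts whose stored sambaPwdMustChange disagrees with the computed value. The special cases (X account flag, a last-change time of 0, a maximum age of -1 or 0) are assumptions about Samba's behaviour, and all DNs, users and timestamps are made up.

```python
"""Added example: compute Samba password expiry from directory attributes."""

# Constructed sample entries in simplified LDIF (no folded or base64 lines).
# All DNs, users and timestamps are made up.
SAMPLE_LDIF = """\
dn: sambaDomainName=TESTDOM,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: TESTDOM
sambaMaxPwdAge: 7776000

dn: uid=alice,ou=users,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaAcctFlags: [U          ]
sambaPwdLastChange: 1251800000
sambaPwdMustChange: 2147483647

dn: uid=bob,ou=users,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaAcctFlags: [U          ]
sambaPwdLastChange: 1243000000
sambaPwdMustChange: 2147483647

dn: uid=carol,ou=users,dc=example,dc=org
objectClass: sambaSamAccount
uid: carol
sambaAcctFlags: [U          ]
sambaPwdLastChange: 0

dn: uid=svc,ou=users,dc=example,dc=org
objectClass: sambaSamAccount
uid: svc
sambaAcctFlags: [UX         ]
sambaPwdLastChange: 1200000000
"""

NEVER = None  # marker for "password does not expire"


def parse_ldif(text):
    """Return one dict per entry, mapping attribute name to a list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries


def first_int(entry, attr, default):
    """First value of attr as an int, or default when the attribute is absent."""
    return int(entry.get(attr, [default])[0])


def expiry_time(last_change, max_age, acct_flags=""):
    """sambaPwdLastChange + sambaMaxPwdAge, with the assumed special cases."""
    if "X" in acct_flags:       # assumption: X flag = password never expires
        return NEVER
    if last_change == 0:        # assumption: 0 = must change at next logon
        return 0
    if max_age in (-1, 0):      # assumption: no maximum age configured
        return NEVER
    return last_change + max_age


def audit(text, now):
    """Report computed expiry per account and flag stale sambaPwdMustChange."""
    entries = parse_ldif(text)
    domain = next(e for e in entries if "sambaDomain" in e.get("objectClass", []))
    max_age = first_int(domain, "sambaMaxPwdAge", -1)
    report = {}
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        flags = e.get("sambaAcctFlags", [""])[0]
        expires = expiry_time(first_int(e, "sambaPwdLastChange", 0), max_age, flags)
        stored = e.get("sambaPwdMustChange")
        report[e["uid"][0]] = {
            "expires": expires,
            "expired": expires is not NEVER and expires <= now,
            # The stored attribute is ignored; flag it when it disagrees.
            "stale_must_change": stored is not None and str(expires) != stored[0],
        }
    return report


if __name__ == "__main__":
    for user, row in audit(SAMPLE_LDIF, now=1252000000).items():
        print(user, row)
```
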

Re: [Samba] Samba authentication against Linux-based Kerberos

2009-09-01 Thread David Markey


Use the popular heimdal, openldap + smbk5pwd, samba3 combo

This will keep samba/ldap/kerberos passwords in sync no matter how or where
the password is changed.


Otherwise you could do some pam hackery, perhaps stacking pam_winbind and
pam_krb5 for password changing. You would have to do this on all the nodes
on your network, and for the windows side of things you could write a
password change script, which would be called by samba on a password
change.
 


On Tue, 01 Sep 2009 16:48:01 +0200, Robert Markula robert.mark...@gmx.net
wrote:
 Hi,
 please consider the following situation in a heterogeneous, Windows
 Server-less network, where users use both Windows and Linux:
 
 - On Windows users authenticate against a Samba 3.3.2 PDC with tdbsam
 backend.
 - On Linux users authenticate against a combination of OpenLDAP and
 Kerberos.
 
 This, of course, brings up the old problem that users have to
 synchronise their passwords manually for both Windows and Linux.
 
 The ideal solution would be that Samba would just support authentication
 against Linux-based Kerberos, but (correct me if I'm wrong) that doesn't
 seem possible with Samba3.
 
 Is there anything else that can be done? So if users on Windows can't
 use Linux-based Kerberos for SSO, maybe there is at least a way for
 users to change their passwords on one OS and get it automatically
 synced for the other (i.e. if a user changes his password on a Windows
 machine it gets automatically changed for his Linux account as well and
 vice versa)?
 
 Cheers,
 Robert


Re: [Samba] Problem: LDAP as idmap backend

2009-08-13 Thread David Markey

ldap ssl = off 


On Thu, 13 Aug 2009 23:26:37 +0200, Chris Osicki
o...@admin.swisscom-mobile.ch wrote:
 Hi
 
 I've just upgraded Samba on Solaris 10 from the bundled version (3.0.33)
 to 3.4.0 and winbind doesn't want to cooperate with LDAP as idmap backend
 anymore.
 
 The smb.conf I use is:
 
 [global]
 workgroup = CORPROOT
 netbios name = usonfs
 security = domain
 log level = 10
 preferred master = no
 bind interfaces only = yes
 interfaces = usonfs
 
 password server = sg57.corproot.net sg1006z.corproot.net
 winbind uid = 2-21000
 winbind gid = 2-21000
 winbind enum users = no
 winbind enum groups = no
 
 # Using ldap server as winbindd backend
 idmap backend = ldap:ldap://usoldap01.swissptt.ch
 ldap:ldap://usoldap02.swissptt.ch
 ldap admin dn = uid=idmapadm,ou=idmap,dc=swissptt,dc=ch
 ldap idmap suffix = ou=idmap
 ldap suffix = dc=swissptt,dc=ch
 
 I compiled Samba myself: configure; make; make install.
 
 It must be something obvious I'm overlooking I hope somebody could
 point it out.
 
 Running winbindd as:
 
 /usr/local/samba/sbin/winbindd -d 3 -i -n
 
 I see those messages:
 
 [ 8286]: sid to uid S-1-5-21-796845957-1547161642-839522115-187984
 idmap_init: using 'ldap' as remote backend
 Failed to issue the StartTLS instruction: Connect error
 Connection to LDAP server failed for the 1 try!
 Failed to issue the StartTLS instruction: Connect error
 Connection to LDAP server failed for the 3 try!
 Failed to issue the StartTLS instruction: Connect error
 Connection to LDAP server failed for the 5 try!
 Failed to issue the StartTLS instruction: Connect error
 Connection to LDAP server failed for the 7 try!
 
 
 Thanks for your time.
 
 Regards,
 Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
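
Setting `ldap ssl = off` makes the StartTLS error go away by dropping transport encryption, so any bind to an `ldap://` URL then travels unencrypted, while an `ldapi:///` URL never leaves the host. The following added example (not code from the thread or from Samba) classifies every LDAP URL in the `[global]` section of an smb.conf by the transport it would get. It assumes an unset `ldap ssl` means StartTLS, which matches the behaviour reported in this thread after upgrading; the configs are constructed, modelled on the ones posted here, with made-up host names.

```python
"""Added example: classify the LDAP transports an smb.conf would use."""
import re

# Constructed configs modelled on the ones in this thread; host names are made up.
CONF_LOCAL = """
[global]
  passdb backend =   ldapsam:ldapi:///
  ldap admin dn = cn=admin,dc=example,dc=org
  ldap ssl = off
  idmap backend = ldap:ldapi:///
  idmap alloc config : ldap_url = ldapi:///
"""
CONF_REMOTE = """
[global]
  security = domain
  idmap backend = ldap:ldap://ldap1.example.org
  ldap admin dn = uid=idmapadm,ou=idmap,dc=example,dc=org
  ldap ssl = off
"""
# Same config with the "ldap ssl" line removed, to show the default case.
CONF_DEFAULT = CONF_REMOTE.replace("  ldap ssl = off\n", "")

URL_RE = re.compile(r"\b(ldapi|ldaps|ldap)://[^\s\"']*")
OFF_VALUES = {"off", "no", "false", "0"}


def parse_global(text):
    """Return [global] parameters; names are lowercased with whitespace removed,
    because smb.conf ignores case and whitespace in parameter names.
    Backslash line continuations are not handled."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)  # only the first '=' is significant
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def ldap_ssl_mode(params):
    """Normalise 'ldap ssl' to 'off', 'starttls' or 'other'."""
    value = params.get("ldapssl")
    if value is None:
        return "starttls"  # assumption: default when the parameter is unset
    compact = re.sub(r"[\s_]+", "", value.lower())
    if compact in OFF_VALUES:
        return "off"
    return "starttls" if compact == "starttls" else "other"


def audit(text):
    """Return (ldap ssl mode, [(parameter, url, transport), ...])."""
    params = parse_global(text)
    mode = ldap_ssl_mode(params)
    findings = []
    for key, value in params.items():
        for match in URL_RE.finditer(value):
            scheme = match.group(1)
            if scheme == "ldapi":
                transport = "local-socket"   # UNIX socket, stays on the host
            elif scheme == "ldaps":
                transport = "tls"
            elif mode == "starttls":
                transport = "starttls"
            elif mode == "off":
                transport = "cleartext"      # bind password crosses the network
            else:
                transport = "unknown"
            findings.append((key, match.group(0), transport))
    return mode, findings


def cleartext_binds(text):
    """URLs to which Samba would bind without any transport encryption."""
    return [url for _, url, transport in audit(text)[1] if transport == "cleartext"]


if __name__ == "__main__":
    for name, conf in [("local", CONF_LOCAL), ("remote", CONF_REMOTE),
                       ("default", CONF_DEFAULT)]:
        print(name, audit(conf))
```
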


Re: [Samba] Samba HA issue

2009-08-05 Thread David Markey
Yup unfortunately rights granted using net sam/rpc and usrmgr are saved
locally in a TDB file (account_policy), this should probably be in LDAP, I
suppose it should be possible to rsync the tdb file.


On Wed, 5 Aug 2009 17:10:54 -0500, David Christensen
david.christen...@viveli.com wrote:
 
 John Du wrote:
 David Christensen wrote:
 
 Liutauras Adomaitis wrote:
 
 
 On Tue, Aug 4, 2009 at 7:39 PM, David Christensen david.christen...@viveli.com
 wrote:
 
 
 
 With samba configured for high availability using heartbeat, I am not
 able to join new computers to the domain after a fail over.  If I fail
 back to the main samba instance I can join the computer to the domain.
 
 However With samba in a fail over state and running on the backup PDC
 users can still authenticate and gain access to their shares.
 
 I have the two instances of samba configured nearly identical except for
 having them pointed to the instance of ldap that is running on the
 server itself (which is being replicated).  Is there something else,
 some tdb file etc,  that needs to be shared between the two instances of
 samba so a fail over appears identical to the ldap backend?
 
 Thanks.
 
 
 If you are running PDC+BDC configuration with LDAP backend with
 replication, then you must have master to master replication. In case
 of master - slave replication you cannot write to slave while your
 master is not accessible. Usual slave has a redirection to master for
 write operations. Slave is readonly and that's why you can authenticate
 to BDC, but cannot join new machines to the domain.
 This may be your case
 
 Liutauras
 
 
 
 Liutauras,
 
 I have ldap using master-master replication so writing to either ldap
 instance is no problem.  In addition I have both instances of samba
 configured as PDC's (the smb.conf file is identical on both PDC's except
 for two things, the ldap each talks to and the host name of the PDC
 itself; not using the netbios parameter), however only one of them is
 running at a time.  The issue occurs when the 2nd PDC comes online.
 Based on the ldap logs the query I am seeing from the 2nd PDC in a
 failed over state is not the same query that the primary PDC does when
 I add a new computer successfully.  I never see the lookup for the admin
 user who has the right to add a computer, along with other missing
 search strings.
 
 Is there some SID or some other serial number etc. that the 2nd PDC is
 lacking that is causing this symptom?  Why would a query from a near
 identical instance of samba to the same ldap DB be so different?
 
 
 I had the same problem with samba 3.0.28 on rhel 4.  I fixed my problem
 by issuing net rpc grant .. commands on the backup PDC.  I never
 understood why it behaved that way but those commands worked for me.  I
 thought those rights were in the LDAP database but it seemed that those
 rights are stored on the individual servers somehow.
 
 
 
 John,
 
 Not familiar with net rpc grant, where is the invoked or added?


Re: [Samba] Version of OpenLDAP to use with Samba

2009-07-29 Thread David Markey
Any version of OpenLDAP should work, in fact any LDAP server should
work (SunONE, Tivoli, Fedora), OpenLDAP is required for smbk5pwd however.

If you want to do replication you should probably use OpenLDAP 2.4.17, it
has a lot of fixes in this area, it's not that hard to compile from scratch.



On Wed, 29 Jul 2009 15:01:50 -0500, Adam Williams
awill...@mdah.state.ms.us wrote:
 i'm running 2.4.12 on a fedora 10 server at work, and 2.4.15 on fedora 
 11 server at home, both work great.
 
 jamrock wrote:
 I have been using an old version of OpenLDAP on my Samba servers.  I am
 setting up a new server and want to use a more recent version.

 What versions of OpenLDAP are people on the forum using with Samba?






Re: [Samba] wbinfo returns no domain users

2009-07-27 Thread David Markey
What is the domain controller, Samba, AD, or an NT domain?



On Mon, 27 Jul 2009 17:51:45 -0300, Herbert G. Fischer
herbert.fisc...@locaweb.com.br wrote:
 Hi,
 
 I've spent two days trying to figure out how to solve this,  
 researching on the web, etc, and found no answer... :S
 
 I've setup a Ubuntu 9.04 with Samba and Winbind, joined the domain  
 (using RPC) and when I try to list users and groups using wbinfo I got  
 nothing.
 
 I already tried deleting tdb files from /var/lib/samba and restarting  
 samba and winbind, joined the domain again, etc, and nothing changed  
 this behavior. Any idea on where may be the problem and how to solve it?
 
 # wbinfo -t
 checking the trust secret via RPC calls succeeded
 
 # wbinfo -u
 # wbinfo -g
 
  smb.conf 
 [global]
  server string = %h
  workgroup = WEB-NET
  realm = web-net..com.br
  domain master = no
  password server = xm850..com.br
  wins server = xm850..com.br
  security = domain
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  interfaces = eth0
  bind interfaces only = yes
  log level = 5
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  # disable printers
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  encrypt passwords = true
  idmap backend = tdb
  idmap uid = 5-55000
  idmap gid = 5-55000
  template shell = /bin/bash
  template homedir = /home/web-net/%U
  winbind use default domain = yes
  winbind separator = \\
  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 15
 
 
 === log.winbind 
 [2009/07/27 17:43:31,  3] winbindd/ 
 winbindd_misc.c:winbindd_interface_version(754)
[12377]: request interface version
 [2009/07/27 17:43:31,  3] winbindd/ 
 winbindd_misc.c:winbindd_priv_pipe_dir(787)
[12377]: request location of privileged pipe
 [2009/07/27 17:43:31,  2] winbindd/winbindd.c:remove_client(744)
final write to client failed: Broken pipe
 [2009/07/27 17:43:31,  3] winbindd/ 
 winbindd_misc.c:winbindd_list_ent(127)
[12377]: list users
 [2009/07/27 17:43:31,  5] winbindd/winbindd_misc.c:listent_recv(203)
listent_recv: XM2012 returned no users.
 [2009/07/27 17:43:31,  5] winbindd/winbindd_misc.c:listent_recv(203)
listent_recv: BUILTIN returned no users.
 [2009/07/27 17:43:31,  1] winbindd/winbindd_util.c:trustdom_recv(303)
Could not receive trustdoms
 [2009/07/27 17:43:32,  5] winbindd/winbindd_async.c:listent_recv(465)
list_ent() failed!
 [2009/07/27 17:43:32,  5] winbindd/winbindd_misc.c:listent_recv(203)
listent_recv: WEB-NET returned no users.
 [2009/07/27 17:43:32,  2] winbindd/winbindd.c:remove_client(744)
final write to client failed: Broken pipe
 ===
 best regards,
 
 
 
 Herbert G. Fischer


Re: [Samba] Linux member server, or something else?

2009-06-30 Thread David Markey
It's possible to use nss_ldap and idmap backend = nss and no winbind, like
you are describing.

It's also possible to use nss_winbind and no nss_ldap, however there has
been a bug on the server side that has stopped this from working. So the
option above is your only option unless you have a version of samba on the
server side that isn't affected by the bug.


Regards,

David








On Tue, 30 Jun 2009 00:59:16 -0300, Norberto Bensa nbe...@gmail.com
wrote:
 Hello,
 
 On Mon, Jun 29, 2009 at 11:11 PM, John Drescher dresche...@gmail.com
 wrote:
 I have a Samba PDC with an LDAP backend password database, against which
 WinXP clients authenticate. I also have a Ubuntu workstation, which
 authenticates directly to the same LDAP password database (no Samba).

 I now wish to have the WinXP clients be able to map shares on the Ubuntu
 workstation, so I obviously need to get Samba working on it. I can slog
 through the technical details, but I want to make sure I have the concept
 properly figured out - will the Ubuntu workstation be a member server,
 configured as such per the Samba documentation using Winbind, or is there a
 different way I should be thinking about this?

 Thanks for any general pointers.


 That is what I have with my samba setup. I mean I have a PDC, a BDC, 3
 to 5 LDAP servers and 5 or so member servers. On my PDC and BDC there
 are no real file shares. The member servers have that. My member
 servers have winbind.
 
 
 At work, we're in the process of starting a migration of our Windows
 XP clients to Ubuntu.
 
 My PDC is a Samba server running on Ubuntu Hardy with LDAP backend.
 
 I'm testing with my workstation (Ubuntu Jaunty). Samba uses the PDC as
 a password server. Users and groups are read from LDAP via nsswitch
 (i.e. nothing about LDAP in smb.conf on the client). Also, no winbind.
 
 It seems to work, but I want to know if I'm missing something.
 
 Why should I run winbind?
 If I need to run winbind, does it need to run on server _and_ clients?
 
 
 Many thanks in advance,
 Norberto


Re: [Samba] 3.3.5 not compiling on solaris 10 (libtalloc.so.1)

2009-06-23 Thread David Markey
Have you tried:

mv /bin/sh /bin/sh.old  
ln -s /bin/bash /bin/sh 

try configure/make again

rm /bin/sh && mv /bin/sh.old /bin/sh




On Tue, 23 Jun 2009 15:18:04 +0200 (CEST), christoph.be...@desy.de wrote:
 Hi,
 
 I found some hints but no solution that worked for me actually, I try to 
 compile 3.3.5 on Solaris 10 and it does not find libtalloc:
 
 Linking shared library bin/libtalloc.so.1
 /usr/ccs/bin/ld: cannot open linker script file 
 /scratch/samba-3.3.5/source/exports/libtalloc.so.1: No such file or 
 directory
 gmake: *** [bin/libtalloc.so.1] Error 1
 
 Obviously because it's not there :( :
 
 [printsrv9] /scratch/samba-3.3.5/source # ls 
 /scratch/samba-3.3.5/source/exports/
 libaddns.symslibtalloc.syms   modules-darwin.syms
 
 
 Any hints someone ???
 
 cheers
   ~christoph
 
 
 -- 
 /*   Christoph Beyer |   Office: Building 2b / 23 *\
   *   DESY|Phone: 040-8998-2317*
   *   - IT -  |  Fax: 040-8998-4060*
 \*   22603 Hamburg   | http://www.desy.de */


Re: [Samba] Authentication problem with samba 3.3.4 on AIX 5.3

2009-06-09 Thread David Markey
AIX doesn't have a pam.conf. It uses LAM.

change
obey pam restrictions = yes
to
obey pam restrictions = no




William Jojo wrote:
 Arendt, Volker wrote:
 Hello all,

 we currently do have a problem with samba 3.3.4 on AIX 5.3.
 We have set up the samba system to integrate in our AD Domain.
 Integration was successful (net ads join), wbinfo executes with parameters
 -ugt without any problems. Our smb.conf content follows at the end of
 this mail.

 We have defined just one share as follows:
 [smbtest]
 writeable = yes
 path = /gpfs/fbb/ls/cip
 valid users =
 When we connect from a Windows XP System we get the following error
 message:
 ---
 C:\Programme\Support Tools>net use p: \\frigg\smbtest
 Systemfehler 2239 aufgetreten.

 Dieses Benutzerkonto ist abgelaufen.
 ---
 translated: user account has expired

 In the system log file we get:
 ---

 --
 [2009/06/09 17:21:16, 10] smbd/sesssetup.c:reply_spnego_kerberos(402)
   Mapped to [FB6] (using PAC)
 [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_alloc(133)
   Finding user FB6+AdmMJ
 [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(77)
   Trying _Get_Pwnam(), username as lowercase is fb6+admmj
 [2009/06/09 17:21:16,  5] lib/username.c:Get_Pwnam_internals(110)
   Get_Pwnam_internals did find user [FB6+AdmMJ]!
 [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(472)
   smb_pam_start: PAM: Init user: admmj
 [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(489)
   smb_pam_start: PAM: setting rhost to: 132.195.123.104
 [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(498)
   smb_pam_start: PAM: setting tty
 [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_start(506)
   smb_pam_start: PAM: Init passed for user: admmj
 [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_account(564)
   smb_pam_account: PAM: Account Management for User: admmj
 [2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_account(571)
   smb_pam_account: PAM: User admmj no longer permitted to access system
 [2009/06/09 17:21:16,  2] auth/pampass.c:smb_pam_error_handler(77)
   smb_pam_error_handler: PAM: Account Check Failed : User account has
 expired
 [2009/06/09 17:21:16,  0] auth/pampass.c:smb_pam_accountcheck(794)
   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
 admmj!
 [2009/06/09 17:21:16,  4] auth/pampass.c:smb_pam_end(450)
   smb_pam_end: PAM: PAM_END OK.
 ---

 --
   

 Hey, Volker. It's been awhile. Couple of questions:

 1) What does /etc/pam.conf look like and

 2) What does /opt/pware/lib/fbb-projekte.conf look like?


 Glad to see you are still using the pWare stuff. :-) :-) How is your
 cluster testing going? I need to contact Miguel again to see how he is
 making out.

 Cheers,
 Bill

 An error log, debug level 10 is available on request.

 Kind regards

 Volker


 SMB.CONF
 ---

 ---
 [global]

 # 
 # setting base configuration parameters
 #
 # 
 workgroup = FB6
 netbios name = FRIGG
 server string = AFS-2
 security = ADS
 realm = FB6.UNI-WUPPERTAL.DE
 auth methods = winbind
 # password server = AD logon server
 password server = 132.195.120.9 132.195.120.12
 wins server = 132.195.120.12
 client use spnego = yes
 client signing = yes
 # added because of ticket #5344
 #client lanman auth = no
 #client ntlmv2 auth = yes
 encrypt passwords = yes
 host msdfs = no
 #domain logons = yes

 # for Samba 3.3.0
 # so that no encrypted connection to the domain controller
 # is established
 ldap ssl = no

 # -
 # printer settings
 # ??? better disable these settings ???
 # -
 # printcap name = cups
 # disable spoolss = Yes
 # show add printer wizard = No

 # -
 # ID mapping parameters
 # mapping windows users to unix users
 # this is performed on the basis of sid on windows and
 # unix with uid for users and gid for groups
 # the backend parameter rid allows to get the same mapping
 # from sid to uid because it is determined algorithmically
 # that way we get the same mapping even if we use samba on
 # several disparate systems
 # CHANGE NOTIFICATION: with v3.3.0 there are changes
 # to idmap; idmap domains is no longer supported
 # -
 #idmap domains = FB6
 #idmap backend = rid
 idmap backend = tdb
 idmap config FB6:backend   = rid
 #idmap config FB6:base_rid  = 0
 idmap config FB6:range = 1 - 4
 idmap uid = 1-4
 idmap gid = 1-4

 winbind separator =+
 winbind use default domain = Yes
 winbind enum users = no
 winbind enum groups = no
 winbind cache time = 60
 

Re: [Samba] Simple question regarding smbpasswd

2009-05-11 Thread David Markey
On Mon, 11 May 2009 10:36:49 -0700 (PDT), Pete Clapham
peteclap...@sbcglobal.net wrote:
 Hi, all --
 
 I want to add SMB passwords using a script.  It would appear that some
 variant on the following:
 
 smbpasswd -a -s newusername
 
 would work.  However, the syntax of the -s option isn't clear.  How do
I
 insert the password of the new user into the script?
 
 Thanks for your help.
 
 cheers,
 pete


echo -e "newpassword\nnewpassword\n" | smbpasswd -a -s dmarkey
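
An added example, not part of the original reply: the same stdin feed written with `printf`, so that backslashes or spaces in the password pass through unchanged, and with the password read from a file instead of being written into the script. The function names `smbpasswd_stdin` and `set_smb_password` and the `SMBPASSWD` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): set a Samba password from a script.
# As in the reply above, "smbpasswd -a -s" is given the new password twice
# on standard input.

# Program to call; overridable so the function can be exercised with a stub.
SMBPASSWD=${SMBPASSWD:-smbpasswd}

# Build the two-line stdin for "smbpasswd -s".
# printf with %s copies the password byte for byte, whereas "echo -e" would
# interpret sequences such as \n or \t inside the password itself.
smbpasswd_stdin() {
    printf '%s\n%s\n' "$1" "$1"
}

# set_smb_password USER PASSWORD_FILE
# Reads the password from the first line of PASSWORD_FILE (keep that file
# mode 0600) so it never appears in the script or in a process argument list.
# Return codes: 2 bad user name, 3 unreadable file, 4 empty password,
# otherwise the exit status of smbpasswd.
set_smb_password() {
    user=$1
    file=$2
    case $user in
        '' | -*) return 2 ;;   # empty, or would be parsed as an option
    esac
    [ -f "$file" ] && [ -r "$file" ] || return 3
    pw=
    IFS= read -r pw < "$file" || true   # tolerate a missing final newline
    [ -n "$pw" ] || return 4
    smbpasswd_stdin "$pw" | "$SMBPASSWD" -a -s "$user"
}

# Run as a script only when both arguments are given.
if [ "$#" -eq 2 ]; then
    set_smb_password "$1" "$2"
    exit $?
fi
```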



Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-05-02 Thread David Markey

 2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
 ldap password change requested, but LDAP server does not support it --
ignoring


1st, are the ldap libraries samba is compiled with the same as the ldap
server?


2nd, possibly change
password-hash {CRYPT}

to

password-hash {SSHA}

I'm not sure if password-crypt-salt-format $1$%.2s is needed with {SSHA}








John Du wrote:

 David Markey wrote:
 John Du wrote:
   
 David Markey wrote:
 
 John Du wrote:
  
   
 David Markey wrote:

 
 I would imagine that you'll need to re-jig your ACLs in slapd.conf,

 Please supply logs.

 
   
 Thank you very much.

 I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
 and UNIX password.  If the problem is ACL related, wouldn't I have the
 same problem with this tool?

 When samba changes passwords, does the process run as root or as the
 user making the passwords change?
 
 
 If you're using smbldap-passwd and unix password sync, it's done as
 root. ldap passwd sync is done as the LDAP dn that you've configured in
 smb.conf. It's much preferable to use ldap passwd sync.

   
   
 I did not make myself clear. When I say I can use  smbldap-passwd to
 change password, I mean I can run the tool from the command line as
 root.  If I use smbldap-passwd  and unix passwd sync in smb.conf, I
 get a you do not have permission to change password message when
 attempting to change password.

 So at this time I am still using ldap passwd sync in smb.conf and that
 is when it only changes the Windows password.

 Does the userPassword attribute require different ACL than
 sambaNTPassword?  Also the dn I put in smb.conf is the root DN of the
 LDAP database.

 

 That is strange, LDAP password updates are done via EXOP, have you
 defined a password hash in slapd.conf?

 Re: smbldap-passwd, you need to have a proper passwd chat in smb.conf,
 Let us see some logs, smb.conf and maybe slapd.conf and perhaps slapd logs.



   
 My thanks to David and all who have responded to my questions.  I have
 identified where and what the problem is but I am not sure it is a
 Samba problem or OpenLDAP problem.

 I am trying to give you a clear picture.

 1. unix passwd sync works perfectly.

 I replaced ldap passwd sync = Yes with:

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = Changing UNIX password for*\nNew password* %n\n
 *Retype new password* %n\n

 No changes on the OpenLDAP side.  Users can change their Windows and
 LDAP password correctly all the time.

 2. ldap passwd sync = Yes does not change the LDAP password but it
 changes the Windows password OK. 

2.1  OpenLDAP with some ACLs defined.

When the OpenLDAP server has some ACLs defined,   the samba server
 logs the following:

   2009/04/30 23:38:42, 2] passdb/pdb_ldap.c:ldapsam_modify_entry(1590)
   ldap password change requested, but LDAP server does not support it
 -- ignoring
  
   The LDAP password is not changed.

2.2 When no ACLs  are defined in slapd.conf.

[2009/04/30 23:43:03, 10]
 lib/smbldap.c:smbldap_extended_operation(1525)
Extended operation failed with error: 80 (Internal (implementation
 specific) error) (password hash failed)
   [2009/04/30 23:43:03, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
   ldapsam_modify_entry: LDAP Password could not be changed for user
 johndu: Internal (implementation specific) error
 password hash failed

 Hash is defined in slapd.conf as follows:

 password-hash {CRYPT}
 password-crypt-salt-format $1$%.2s

 The Windows user will get a the user name or old password is
 incorrect message in this case.

 The LDAP root DN is used all the time everywhere.

 I can mail the complete log files to you if they can help you to
 determine the cause of the problem.  There seems to be some
 compatibility issues between the LDAP server and the Samba server. 
 Logically I think if the IDEALX tool works the samba server's internal
 LDAP functions should work as well.

 Let me know if you any further information from me.

 Wish you all to have a good weekend!

 John


   
 Thanks!

 
  
  
   
 Thanks again.

 
 John Du wrote:
  
  
   
 John Du wrote:
   
 
 Hi,

 I have been running Samba with OpenLDAP for a few years.  We
 recently
 upgrade the OpenLDAP server from 2.2.13 to 2.4.11.

 When users change their passwords now, only the Windows password is
 changed the UNIX password is not changed anymore.  Samba server does
 not log any errors   The samba configuration file did not change
 when
 the LDAP server was upgraded.

 I do have ldap passwd sync =Yes in smb.conf and it used to work
 fine.

 Has anyone seen this?

 If I use

 unix password sync = Yes
 passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
 passwd chat = Changing password for*\nNew password* %n\n *Retype
 new password* %n\n

 instead

Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-04-30 Thread David Markey
I would imagine that you'll need to re-jig your ACLs in slapd.conf,

Please supply logs.



John Du wrote:
 John Du wrote:
 Hi,

 I have been running Samba with OpenLDAP for a few years.  We recently
 upgrade the OpenLDAP server from 2.2.13 to 2.4.11.

 When users change their passwords now, only the Windows password is
 changed the UNIX password is not changed anymore.  Samba server does
 not log any errors   The samba configuration file did not change when
 the LDAP server was upgraded.

 I do have ldap passwd sync =Yes in smb.conf and it used to work fine.

 Has anyone seen this?

 If I use

 unix password sync = Yes
 passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
 passwd chat = Changing password for*\nNew password* %n\n *Retype
 new password* %n\n

 instead of ldappasswd sync, what access control do I have to add to
 the slapd.conf file?

 Thank you very much for your help!

 John




 I forgot to mention that the Samba version is 3.0.28 on EHEL4 kernel
 2.6.9-42.0.2.



Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-04-30 Thread David Markey
John Du wrote:
 David Markey wrote:
 I would imagine that you'll need to re-jig your ACLs in slapd.conf,

 Please supply logs.

   
 Thank you very much.

 I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
 and UNIX password.  If the problem is ACL related, wouldn't I have the
 same problem with this tool?

 When samba changes passwords, does the process run as root or as the
 user making the passwords change?

If you're using smbldap-passwd and unix password sync, it's done as
root. ldap passwd sync is done as the LDAP dn that you've configured in
smb.conf. It's much preferable to use ldap passwd sync.

 

 Thanks again.

 John Du wrote:
  
 John Du wrote:

 Hi,

 I have been running Samba with OpenLDAP for a few years.  We recently
 upgrade the OpenLDAP server from 2.2.13 to 2.4.11.

 When users change their passwords now, only the Windows password is
 changed the UNIX password is not changed anymore.  Samba server does
 not log any errors   The samba configuration file did not change when
 the LDAP server was upgraded.

 I do have ldap passwd sync =Yes in smb.conf and it used to work
 fine.

 Has anyone seen this?

 If I use

 unix password sync = Yes
 passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
 passwd chat = Changing password for*\nNew password* %n\n *Retype
 new password* %n\n

 instead of ldappasswd sync, what access control do I have to add to
 the slapd.conf file?

 Thank you very much for your help!

 John



   
 I forgot to mention that the Samba version is 3.0.28 on EHEL4 kernel
 2.6.9-42.0.2.
 


   




Re: [Samba] set up for Active Directory

2009-04-14 Thread David Markey

Solaris 10 U6 comes with a samba that is capable of joining AD out of
the box.



Bjoern Meier wrote:
 hi,

 2009/4/14 McGranahan, Jamen jamen.mcgrana...@vanderbilt.edu:
 OK, I've installed the MIT version of KRB5  samba appears to have
 installed correctly. However, it appears that I am not able to join my
 domain.

 # ./net ads join -U mcgr...@ds.vanderbilt.edu
 [2009/04/14 11:36:50,  0] param/loadparm.c:lp_set_enum_parm(7097)
  WARNING: Ignoring invalid value 'ADS' for parameter 'security'
 [2009/04/14 11:36:50,  0] param/loadparm.c:lp_do_parameter(7174)
  Ignoring unknown parameter realm
 ADS support not compiled in

 So I tried the -d3 version of ./net and got this:

 # ./net ads -d3 join -U mcgr...@vanderbilt.edu
 [2009/04/14 11:17:10,  3] param/loadparm.c:lp_load_ex(8794)
  lp_load_ex: refreshing parameters
 [2009/04/14 11:17:10,  3] param/loadparm.c:init_globals(4629)
  Initialising global parameters
 [2009/04/14 11:17:10,  3] param/params.c:pm_process(569)
  params.c:pm_process() - Processing configuration file
 /usr/local/samba/lib/smb.conf
 [2009/04/14 11:17:10,  3] param/loadparm.c:do_section(7457)
  Processing section [global]
 [2009/04/14 11:17:10,  0] param/loadparm.c:lp_set_enum_parm(7097)
  WARNING: Ignoring invalid value 'ADS' for parameter 'security'
 [2009/04/14 11:17:10,  1] param/loadparm.c:map_parameter(6131)
  Unknown parameter encountered: realm
 [2009/04/14 11:17:10,  0] param/loadparm.c:lp_do_parameter(7174)
  Ignoring unknown parameter realm
 [2009/04/14 11:17:10,  2] lib/interface.c:add_interface(340)
  added interface ce1 ip=129.59.95.89 bcast=129.59.95.255
 netmask=255.255.255.0
 ADS support not compiled in
 [2009/04/14 11:17:10,  2] utils/net.c:main(769)
  return code = -1

 I'm not sure where to check now. Please advise. Thank you!

 Jamen McGranahan
 Systems Services Librarian
 Vanderbilt University


 -Original Message-
 From: jerry [mailto:je...@samba.org]
 Sent: Tuesday, April 14, 2009 9:40 AM
 To: McGranahan, Jamen
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] set up for Active Directory

 McGranahan, Jamen wrote:

  configure:59580: checking for ldap_initialize
  configure:59663: result: no
  configure:59676: error: Active Directory support requires
  ldap_initialize
 Did the howto that was previously posted not help?

 My advice is to get the latest OpenLDAP and MIT krb5
 libs and install those.  Then rebuild Samba.  Life is
 to short to spend it trying to get code compiling :-)
 But it's your call.




 cheers, jerry


 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html

 tell us:

 ADS support not compiled in

 Samba must be reconfigured (remove config.cache) and recompiled
 (make clean all install) after the Kerberos libraries and headers
 files are installed.






Re: [Samba] set up for Active Directory

2009-04-14 Thread David Markey
-bash-3.00# /usr/sfw/sbin/smbd -V
Version 3.0.33

Not the most up to date release but it's progress.



jerry wrote:
 David Markey wrote:
  Solaris 10 U6 comes with a samba that is capable to
  joining AD out of the box.

 Woot!  didn't realize that.  Very good news :-)  What
 version is it (out of curiousity).




 cheers, jerry



Re: [Samba] Domain Privileges on Samba 3.2

2009-03-16 Thread David Markey
Can you try to use usrmgr.exe and see if you have permissions problems
with that?



junior carvalho wrote:
 Hi all;

 I'm using samba 3.2 with smbldap-tools ( not ldapsam:*, but dosen't
 works too  ), until that i work with centos 4 and debian etch's samba,  I
 always set the same configuration and works fine, but with debian lenny (
 3.2.5 ) i getting problems with privileges, and i set one user (
 administrator ) with all privileges this user can't open gpedit.msc ou
 change configs on regedit. Is that normal?? or there are something wrong
 here?

 Thanks for all help!!!

 JC
   



Re: [Samba] Domain Privileges on Samba 3.2

2009-03-16 Thread David Markey

I think 3.2.5 has a privileges bug. You'll have to upgrade to the latest
in the 3.2 series, probably compile it from scratch.




junior carvalho wrote:
 Yes, it has the same station join the domains with this user...

 JC

 2009/3/16 David Markey dmar...@dodds.dmarkey.com
 mailto:dmar...@dodds.dmarkey.com

 Can you try to use usrmgr.exe and see if you have permissions problems
 with that?



 junior carvalho wrote:
  Hi all;
 
  I'm using samba 3.2 with smbldap-tools ( not ldapsam:*, but
 dosen't
  works too  ), until that i work with centos 4 and debian etch's
 samba,  I
  always set the same configuration and works fine, but with
 debian lenny (
  3.2.5 ) i getting problems with privileges, and i set one user (
  administrator ) with all privileges this user can't open
 gpedit.msc ou
  change configs on regedit. Is that normal?? or there are
 something wrong
  here?
 
  Thanks for all help!!!
 
  JC
 





Re: [Samba] Sun ONE and Samba

2009-03-15 Thread David Markey
One can use the netscape schema that comes with samba to use SunOne. I
have had more success with OpenLDAP, I have to say.




Cameron Laird wrote:
 Has anyone had success using Sun ONE as an LDAP (authentication)
 back-end to Samba (preferably 4.0, but 3.3 would be fine)?

 I've found people who've tried and given up.

 Sun itself hasn't provided answers, but I haven't given up on them;
 I'll keep reformulating my questions, and asking again.

 One speculation on my part is that, if I can just figure out where in
 Sun ONE the LANMAN passwords are kept, I could write my own PAM and
 get somewhere.
   



Re: [Samba] Unix permissions mapping query

2009-03-12 Thread David Markey


I've been on #samba about this.

The UNIX mappings aren't being mapped for folders, but they are being
mapped for files. Here's what it looks like:

http://dmarkey.com/~dmarkey/snapshot1.png

As I'm the owner for the directory I would have thought that all the boxes
should be ticked as I have full permissions. Am I incorrect?


Thanks.




On Wed, 11 Mar 2009 23:55:54 +, David Markey
dmar...@dodds.dmarkey.com wrote:
 
 
 When i have a file in a share and go to check its permissions in the
 permissions tab, all the entries are blank. But if i click advanced
 then the permissions are shown properly(but in advanced mode). 
 Is there a reason the permissions arent shown on the basic security
 tab? 
 Thanks.




[Samba] Unix permissions mapping query

2009-03-11 Thread David Markey


When I have a file in a share and go to check its permissions in the
permissions tab, all the entries are blank. But if I click advanced
then the permissions are shown properly (but in advanced mode).
Is there a reason the permissions aren't shown on the basic security
tab?
Thanks.


[Samba] Complex [homes] rule

2009-03-10 Thread David Markey


Hi All,
In my [homes] share I want to have two access rules. The first one is
%D%w%S so that DOMAINdmarkey will only be able to access his own home
directory and nobody else's.
But I only want users in the postgrad group to be able to access
their home directory.

How could I implement both rules on the [homes] share?
Example: %D%w%S AND @DOMAINPostgrad
Any ideas?
Thanks.

 



Re: RE [Samba] Complex [homes] rule

2009-03-10 Thread David Markey

No, sorry.

The only people who I want to give access to their own home directory is
postgrad, but I only want them to access their own home directory, not anyone
else's (i.e. the %D%w%S rule).

Any clearer?


On Tue, 10 Mar 2009 16:55:14 +0100, Stéphane PURNELLE
stephane.purne...@corman.be wrote:
 Hi,
 
 In other word (if I understand), each users (%D%w%S) have access to her 
 home directory and postgard group must be able to access to all homes 
 folder ?
 If you want this, is preferable to create a other share witn the path of 
 home directory and put access to postgrad on this share
 
 be carrefull : homes share is particular !
 
 
 
 ---
 Stéphane PURNELLE stephane.purne...@corman.be
 Service Informatique   Corman S.A.   Tel : 00 32 087/342467
 
 samba-bounces+stephane.purnelle=corman...@lists.samba.org a écrit sur 
 10/03/2009 16:46:01 :
 
 
 
 Hi All 
 Im my [homes] share i want to have two access rules. First one is
 %D%w%S so that DOMAINdmarkey will only be able to access his own home
 directory and nobody elses 
 But I only want users in the postgrad group to be able to access
 their home directory. 
 
 How could i implement both rules on the [homes] share? 
 Example: %D%w%S AND @DOMAINPostgrad 
 Any Ideas? 
 Thanks. 
 
 




Re: [Samba] Complex [homes] rule

2009-03-10 Thread David Markey
If you are referring to http://marc.info/?l=samba&m=122692173903872&w=2

This doesn't work for me because postgrad isn't the primary group of those
particular users.


On Tue, 10 Mar 2009 16:18:44 +, Miguel Medalha miguelmeda...@sapo.pt
wrote:
 
 Im my [homes] share i want to have two access rules. First one is
 %D%w%S so that DOMAINdmarkey will only be able to access his own home
 directory and nobody elses 
 But I only want users in the postgrad group to be able to access
 their home directory. 

   
 
 That question has already been solved in previous posts. Please search 
 the list.
 
 The solution lies with the use of the include parameter.



Re: [Samba] Complex [homes] rule

2009-03-10 Thread David Markey

I really think I have explained the situation enough and it's not that
complex. I only want the users in the postgrad group to get access to
their home directories via samba but I don't want them to be able to
access anyone else's.

include = %D%w%S.smb.conf won't work, that would obviously mean I'd need
an include for every user in the postgrad group i.e.
DOMAINdmarkey.smb.conf DOMAINjoebloggs.smb.conf which is not what I
want.
On Tue, 10 Mar 2009 18:08:15 +0100, Stéphane PURNELLE  wrote: 
Could you provide more information about your configuration. 
a homes share with two access, why ? 
A idea :  
about include parameter, if you edit your smb.conf and put end of the
file the homes shares and the include parameter like :  
include = %D%w%S.smb.conf 
[homes] 
... 
valid user= @postgrad 
and ofcourse define on %D%w%S.smb.conf (the correct homes share for
%D%w%S) 
---
 Stéphane PURNELLE
stephane.purne...@corman.be

Service Informatique   Corman S.A.   Tel : 00 32
087/342467 
samba-bounces+stephane.purnelle=corman...@lists.samba.org a
écrit sur 10/03/2009 17:52:07 :
  If you are referring to
http://marc.info/?l=sambam=122692173903872w=2
  
  This doesnt work for me because postgrad isnt the primary group of
those
  particular users.
  
  
  On Tue, 10 Mar 2009 16:18:44 +, Miguel Medalha 
  wrote:
   
   Im my [homes] share i want to have two access rules. First one
is
   %D%w%S so that DOMAINdmarkey will only be able to access his
own home
   directory and nobody elses 
   But I only want users in the postgrad group to be able to
access
   their home directory. 
  
 
   
   That question has already been solved in previous posts. Please
search 
   the list.
   
   The solution lies with the use of the include parameter.
  
  


Re: [Samba] Complex [homes] rule

2009-03-10 Thread David Markey
No..

I want only postgrad group to have access but I don't want them to access
anyone else's home directory as discussed previously (using the valid users =
%D%w%S).

In other words I need some kind of AND statement.

i.e. valid users = @DOMAIN\postgrads AND %D%w%S





On Tue, 10 Mar 2009 14:04:29 -0400, Andrew Chaplin
chaplina+sa...@canisius.edu wrote:
 I think you are saying you only want the postgrad group to have access 
 to their home directory share.
 
 Look at the smb.conf entry for valid users.
 
 David Markey wrote:
 I really think i have explained the situation enough and its not that
 complex. I only want the users in the postgrad group to get access to
 their home directories via samba but i dont want them to be able to
 access anyone elses. 
 
 include = %D%w%S.smb.conf wont work, that would obviosly mean id need
 an include for for every user in the postgrad group i.e.
 DOMAINdmarkey.smb.conf DOMAINjoebloggs.smb.conf which is not what i
 want. 
 On Tue, 10 Mar 2009 18:08:15 +0100, Stéphane PURNELLE  wrote: 
 Could you provide more information about your configuration. 
 a homes share with two access, why ? 
 A idea :  
 about include parameter, if you edit your smb.conf and put end of the
 file the homes shares and the include parameter like :  
 include = %D%w%S.smb.conf 
 [homes] 
 ... 
 valid user= @postgrad 
 and ofcourse define on %D%w%S.smb.conf (the correct homes share for
 %D%w%S) 
 ---
  Stéphane PURNELLE
 stephane.purne...@corman.be
 
 Service Informatique   Corman S.A.   Tel : 00 32
 087/342467 
 samba-bounces+stephane.purnelle=corman...@lists.samba.org a
 écrit sur 10/03/2009 17:52:07 :
   If you are referring to
 http://marc.info/?l=sambam=122692173903872w=2
   
   This doesnt work for me because postgrad isnt the primary group of
 those
   particular users.
   
   
   On Tue, 10 Mar 2009 16:18:44 +, Miguel Medalha 
   wrote:

Im my [homes] share i want to have two access rules. First one
 is
%D%w%S so that DOMAINdmarkey will only be able to access his
 own home
directory and nobody elses 
But I only want users in the postgrad group to be able to
 access
their home directory. 
   
  

That question has already been solved in previous posts. Please
 search 
the list.

The solution lies with the use of the include parameter.
   
  



Re: [Samba] Complex [homes] rule

2009-03-10 Thread David Markey

[%U]
comment = Home Directories
browseable = yes
read only = no
path = %H
valid users = @DOMAIN\postgrad
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
hide files = /*.desktop/*.ini/


This seems to be working exactly the way I want it to. Does anyone see any
security issues with the above configuration?

Thanks for all the replies!







On Tue, 10 Mar 2009 18:10:11 +, David Markey
dmar...@dodds.dmarkey.com wrote:
 No..
 
 I want only postgrad group to have access but I dont want them to access
 anyone elses home directory as discussed previously(using the valid users
 =
 %D%w%S).
 
 In other words i need some kind of AND statement.
 
 i.e. valid users = @DOMAIN\postgrads AND %D%w%S
 
 
 
 
 
 On Tue, 10 Mar 2009 14:04:29 -0400, Andrew Chaplin
 chaplina+sa...@canisius.edu wrote:
 I think you are saying you only want the postgrad group to have access 
 to their home directory share.
 
 Look at the smb.conf entry for valid users.
 
 David Markey wrote:
 I really think i have explained the situation enough and its not that
 complex. I only want the users in the postgrad group to get access to
 their home directories via samba but i dont want them to be able to
 access anyone elses. 
 
 include = %D%w%S.smb.conf wont work, that would obviosly mean id need
 an include for for every user in the postgrad group i.e.
 DOMAINdmarkey.smb.conf DOMAINjoebloggs.smb.conf which is not what i
 want. 
 On Tue, 10 Mar 2009 18:08:15 +0100, Stéphane PURNELLE  wrote: 
 Could you provide more information about your configuration. 
 a homes share with two access, why ? 
 A idea :  
 about include parameter, if you edit your smb.conf and put end of the
 file the homes shares and the include parameter like :  
 include = %D%w%S.smb.conf 
 [homes] 
 ... 
 valid user= @postgrad 
 and ofcourse define on %D%w%S.smb.conf (the correct homes share for
 %D%w%S) 
 ---
  Stéphane PURNELLE
 stephane.purne...@corman.be
 
 Service Informatique   Corman S.A.   Tel : 00 32
 087/342467 
 samba-bounces+stephane.purnelle=corman...@lists.samba.org a
 écrit sur 10/03/2009 17:52:07 :
   If you are referring to
 http://marc.info/?l=sambam=122692173903872w=2
   
   This doesnt work for me because postgrad isnt the primary group of
 those
   particular users.
   
   
   On Tue, 10 Mar 2009 16:18:44 +, Miguel Medalha 
   wrote:

Im my [homes] share i want to have two access rules. First one
 is
%D%w%S so that DOMAINdmarkey will only be able to access his
 own home
directory and nobody elses 
But I only want users in the postgrad group to be able to
 access
their home directory. 
   
  

That question has already been solved in previous posts. Please
 search 
the list.

The solution lies with the use of the include parameter.
   
  
 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
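
An added example, not part of the original posts: one way to get the AND asked for in this thread (owner of the home directory and member of the postgrad group) is to keep the owner-only rule in `valid users` and let a `root preexec` script with `root preexec close = yes` refuse the connection when the user is not in the group. The script path, the function names and the `smb.conf` wiring shown in the comments are assumptions of this example, and it assumes user names arrive without a backslash (for instance with `winbind use default domain = yes` or a `+` separator).

```shell
#!/bin/sh
# Added example (not from the thread): group gate for a Samba [homes] share.
# Assumed smb.conf wiring; the script path is hypothetical:
#   [homes]
#       valid users = %S
#       root preexec = /usr/local/sbin/homes-gate %U postgrad
#       root preexec close = yes
# "valid users = %S" admits only the owner of the home directory. smbd also
# runs this script and, with "root preexec close = yes", closes the
# connection when it exits non-zero. Both conditions must hold.

# Accept only plain account and group names; the user name originates from
# the client session and ends up on a command line run as root.
valid_name() {
    case $1 in
        '' | -* | *[!A-Za-z0-9._+-]*) return 1 ;;
    esac
    return 0
}

# Numeric gid of a group, empty when the group is unknown.
gid_of_group() {
    getent group "$1" | cut -d: -f3
}

# True when gid $1 appears as a whole word in the space separated list $2.
# Comparing numeric gids avoids mis-splitting "id -Gn" output when one of
# the user's groups has a space in its name (e.g. "domain users").
gid_in_list() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# gate USER GROUP
# Exit status: 0 allow, 1 not a member, 2 bad argument, 3 unknown group or user.
gate() {
    valid_name "$1" || return 2
    valid_name "$2" || return 2
    want=$(gid_of_group "$2")
    [ -n "$want" ] || return 3
    have=$(id -G "$1" 2>/dev/null) || return 3
    gid_in_list "$want" "$have"
}

# Run as a script only when called with both arguments, as smbd would.
if [ "$#" -eq 2 ]; then
    gate "$1" "$2"
    exit $?
fi
```

Because the check uses the full group list from `id -G`, it also covers users whose primary group is not postgrad.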


[Samba] SWAT with an LDAP Backend

2009-02-04 Thread David Markey


Hi
I have a PDC with an LDAP backend that I want to use SWAT to give
users the option to change their password via the web interface.

I can't seem to be able to get SWAT to authenticate any users, it
always gives me an authorization error.

Is SWAT with an LDAP backend supported?
Cheers.
David.

 



Re: [Samba] SWAT with an LDAP Backend

2009-02-04 Thread David Markey
Actually I've created my own piece of software (based on phpLdapPasswd)
called phpSmbPasswd which uses smbpasswd as a backend. If anyone wants to
test it out give me a shout.
I was just wondering about SWAT; if LDAP isn't supported then the man pages
should be updated to communicate that fact.


David

On Wed, 4 Feb 2009 19:35:44 +0100, Stefan Dengscherz
stefan.dengsch...@gmail.com wrote:
 Hello David,
 
 
 unfortunately no answer to your question - but once I had the same
 problem and I've used http://www.karylstein.com/phpLdapPasswd
 successfully with a bit of hacking (I can't remember exactly what was
 not working but there were a few patches in the search results when
 googling for phpLdapPasswd).
 
 Another alternative would be to use more mature LDAP Account
 management web utils:
 
 - GOSA
 - phpLdapAdmin (don't know if it supports user login  change Samba
 password hash)
 
 
 Hope that helps!
 
 
 2009/2/4 David Markey dmar...@dodds.dmarkey.com:


 Hi
 I have a PDC with an LDAP backend that i want to use SWAT to give
 users the option to change their password via the web interface.

 I cant seem to be able to get SWAT to authenticate any users it
 always gives me an authorization error.

 Is swat with an LDAP backend supported?
 Cheers.
 David.




 
 
 




Re: [Samba] SWAT with an LDAP Backend

2009-02-04 Thread David Markey
Don't think it's an option, we use heimdal and smbk5pwd. LAM would have to
support EXOP which I don't think it does.



On Thu, 05 Feb 2009 09:07:12 +1100, Tim Bates t...@new-life.org.au wrote:
 Stefan Dengscherz wrote:
 Another alternative would be to use more mature LDAP Account
 management web utils:
 - GOSA
 - phpLdapAdmin (don't know if it supports user login  change Samba
 password hash)
 LAM Pro (not the free one) also has a user self-service component. It 
 can also let users change other LDAP data if you allow it too. Depending 
 on how many users you have, this could be a good option, especially if 
 you already were considering LAM for managing accounts.
 
 TB
 



Re: [Samba] Issue with file server (Non-Domain Controller) authenticating off the same LDAP as the PDC

2009-01-21 Thread David Markey


I don't think so,

I've gotten round it by setting domain logons=yes and hard coding the
file server name (offaly) on the WINS server (kerry) in wins.dat as an
ordinary workstation. And disabled nmbd on offaly.

It would be great if I had an option domain logons=yes + domain
controller=no. Would suit this particular configuration.



Dale Schroeder wrote:
 See if this is what you want:
 http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap


 Hope it helps.

 Dale

 David Markey wrote:
 Hi,


 Samba version 3.2-test(from git)

 I have a PDC (CS Domain) called kerry with an OpenLDAP backend, I have a
 file server that I want to authenticate off the same LDAP as the PDC but
 I don't want it to be a BDC. This machine is called offaly.


 I would have thought that this would work pretty smoothly if I just
 configure domain logons = no.

 But then the file server generates its own SID and doesn't use the SID
 for the CS domain and creates its own account policies.

 Is there any way to have domain logons=yes but not act as a BDC or is it
 possible to have domain logons=no and conform to the SID and account
 policies for the CS Domain.

 More info,

 When Domain Logons = no then it generates this in LDAP:
  

 dn: sambaDomainName=OFFALY,dc=cs,dc=dit,dc=ie
 sambaDomainName: OFFALY
 sambaSID: S-1-5-21-1810654286-1445949878-2619355827
 sambaAlgorithmicRidBase: 1000
 objectClass: sambaDomain
 sambaNextUserRid: 1000
 structuralObjectClass: sambaDomain
 entryUUID: 1db04188-79bc-102d-8b3c-bff53cf5d285
 creatorsName: cn=admin,dc=cs,dc=dit,dc=ie
 createTimestamp: 20090118145748Z
 sambaMinPwdLength: 5
 sambaPwdHistoryLength: 0
 sambaLogonToChgPwd: 0
 sambaMaxPwdAge: -1
 sambaMinPwdAge: 0
 sambaLockoutDuration: 30
 sambaLockoutObservationWindow: 30
 sambaLockoutThreshold: 0
 sambaForceLogoff: -1
 sambaRefuseMachinePwdChange: 0


 But I want it to use the CS domain one, namely:

 dn: sambaDomainName=CS,dc=cs,dc=dit,dc=ie
 sambaAlgorithmicRidBase: 1000
 sambaNextUserRid: 1000
 structuralObjectClass: sambaDomain
 entryUUID: cf6b1632-7886-102d-88b4-cdd5ec2918da
 creatorsName: cn=admin,dc=cs,dc=dit,dc=ie
 createTimestamp: 20090117020342Z
 sambaRefuseMachinePwdChange: 0
 gidNumber: 1000
 sambaDomainName: CS
 sambaSID: S-1-5-21-162219125-2768231107-2725269179
 objectClass: top
 objectClass: sambaDomain
 objectClass: sambaUnixIdPool
 sambaLockoutDuration: 10
 sambaLockoutObservationWindow: 10
 sambaLockoutThreshold: 5
 sambaMinPwdLength: 5
 sambaPwdHistoryLength: 5
 sambaLogonToChgPwd: 0
 sambaMaxPwdAge: 7776000
 sambaMinPwdAge: 0
 sambaForceLogoff: -1
 uidNumber: 1009
 sambaNextRid: 1002


 Any Ideas?

 Thanks

 David



   

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Issue with file server (Non-Domain Controller) authenticating off the same LDAP as the PDC

2009-01-20 Thread David Markey
Hi,


Samba version 3.2-test(from git)

I have a PDC (CS Domain) called kerry with an OpenLDAP backend, I have a
file server that I want to authenticate off the same LDAP as the PDC but
I don't want it to be a BDC. This machine is called offaly.


I would have thought that this would work pretty smoothly if I just
configure domain logons = no.

But then the file server generates its own SID and doesn't use the SID for the CS
domain and creates its own account policies.

Is there any way to have domain logons=yes but not act as a BDC or is it
possible to have domain logons=no and conform to the SID and account
policies for the CS Domain.

More info,

When Domain Logons = no then it generates this in LDAP:
 

dn: sambaDomainName=OFFALY,dc=cs,dc=dit,dc=ie
sambaDomainName: OFFALY
sambaSID: S-1-5-21-1810654286-1445949878-2619355827
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 1db04188-79bc-102d-8b3c-bff53cf5d285
creatorsName: cn=admin,dc=cs,dc=dit,dc=ie
createTimestamp: 20090118145748Z
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0


But I want it to use the CS domain one, namely:

dn: sambaDomainName=CS,dc=cs,dc=dit,dc=ie
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: cf6b1632-7886-102d-88b4-cdd5ec2918da
creatorsName: cn=admin,dc=cs,dc=dit,dc=ie
createTimestamp: 20090117020342Z
sambaRefuseMachinePwdChange: 0
gidNumber: 1000
sambaDomainName: CS
sambaSID: S-1-5-21-162219125-2768231107-2725269179
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaLockoutDuration: 10
sambaLockoutObservationWindow: 10
sambaLockoutThreshold: 5
sambaMinPwdLength: 5
sambaPwdHistoryLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: 7776000
sambaMinPwdAge: 0
sambaForceLogoff: -1
uidNumber: 1009
sambaNextRid: 1002


Any Ideas?

Thanks

David
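
Added example, not part of the original post and not Samba project code: a short Python script that parses the two sambaDomain entries quoted above (trimmed to their SID and policy attributes) and reports where the auto-generated OFFALY entry drifts from the CS domain policy. The function names are illustrative, and the parser assumes plain, single-valued LDIF lines.

```python
# Added example: diff the account-policy attributes of two sambaDomain entries.
# LDIF below is trimmed from the OFFALY and CS entries quoted in the post.
OFFALY_LDIF = """\
dn: sambaDomainName=OFFALY,dc=cs,dc=dit,dc=ie
sambaSID: S-1-5-21-1810654286-1445949878-2619355827
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
"""
CS_LDIF = """\
dn: sambaDomainName=CS,dc=cs,dc=dit,dc=ie
sambaSID: S-1-5-21-162219125-2768231107-2725269179
sambaMinPwdLength: 5
sambaPwdHistoryLength: 5
sambaMaxPwdAge: 7776000
sambaLockoutDuration: 10
sambaLockoutObservationWindow: 10
sambaLockoutThreshold: 5
"""
POLICY_ATTRS = ("sambaMinPwdLength", "sambaPwdHistoryLength", "sambaMaxPwdAge",
                "sambaLockoutDuration", "sambaLockoutObservationWindow",
                "sambaLockoutThreshold")
# Values that switch a control off in Samba's account policy.
DISABLED = {"sambaLockoutThreshold": "0", "sambaPwdHistoryLength": "0",
            "sambaMaxPwdAge": "-1"}

def parse_entry(ldif):
    """Parse one plain-text LDIF entry (single-valued, no folding or base64)."""
    entry = {}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            entry[attr.strip()] = value.strip()
    return entry

def policy_drift(reference, candidate):
    """Return {attr: (reference, candidate)} where policy values differ."""
    return {a: (reference.get(a), candidate.get(a))
            for a in POLICY_ATTRS if reference.get(a) != candidate.get(a)}

def disabled_controls(entry):
    """List policy attributes whose value turns the control off."""
    return [a for a, off in DISABLED.items() if entry.get(a) == off]

if __name__ == "__main__":
    cs, offaly = parse_entry(CS_LDIF), parse_entry(OFFALY_LDIF)
    print("same SID:", cs["sambaSID"] == offaly["sambaSID"])
    for attr, (want, got) in policy_drift(cs, offaly).items():
        print(f"{attr}: CS={want} OFFALY={got}")
    print("disabled on OFFALY:", disabled_controls(offaly))
```

Run against live data, the same comparison can be fed from an LDAP search for objectClass=sambaDomain, so that any extra domain entry created by a member server is spotted before users authenticate under its weaker policy.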





[Samba] Samba Network design questions

2008-11-10 Thread David Markey
Hi,


I'm trying to come up with a distributed design for a Samba 3
infrastructure (Heimdal will also be in here too). Please see this
picture for what I came up with.


http://www.dmarkey.com/~dmarkey/samba.png


Opinions?


Also, do password changes always happen on the PDC or will the BDC
handle them?



Thanks


David


Re: [Samba] Samba 3.2.4 not locking accounts?

2008-11-06 Thread David Markey
Great to hear it. If you need to get me to test any patches feel free to
ask.



Jeremy Allison wrote:
 On Wed, Nov 05, 2008 at 05:01:15PM +, David Markey wrote:
 https://bugzilla.samba.org/show_bug.cgi?id=5825



 I raised this bug a while ago experiencing what you are. Nobody seems to
 have done much about it.
 
 Not forgotten about it. I'm trying to get someone to look
 at this asap. I'll make sure it's a showstopper for
 next release.
 
 Thanks,
 
 Jeremy.



Re: [Samba] Samba 3.2.4 not locking accounts?

2008-11-06 Thread David Markey
Just applied it and it locked out the account (Yay), now I'm waiting 30
mins to see if it unlocks the account after that time, which it should.



Jeremy Allison wrote:
 On Wed, Nov 05, 2008 at 10:55:57PM -, [EMAIL PROTECTED] wrote:
 I can confirm that 3.0.32 does lock out accounts, I'll be going back to
 that until the issue is fixed in 3.2.x
 
 Ok, can you try the following patch for 3.2.x and 3.3.x ?
 
 (Thanks for BoYang @ Novell for tracking down the underlying
 issue !).
 
 Jeremy.
 



Re: [Samba] Samba 3.2.4 not locking accounts?

2008-11-06 Thread David Markey
Ok that seems to work properly. When is 3.2.5 expected out?


David Markey wrote:
 Just applied it and it locked out the account (Yay), now I'm waiting 30
 mins to see if it unlocks the account after that time, which it should.
 
 
 
 Jeremy Allison wrote:
 On Wed, Nov 05, 2008 at 10:55:57PM -, [EMAIL PROTECTED] wrote:
 I can confirm that 3.0.32 does lock out accounts, I'll be going back to
 that until the issue is fixed in 3.2.x
 Ok, can you try the following patch for 3.2.x and 3.3.x ?

 (Thanks for BoYang @ Novell for tracking down the underlying
 issue !).

 Jeremy.

 
 



Re: [Samba] Samba 3.2.4 not locking accounts?

2008-11-05 Thread David Markey
https://bugzilla.samba.org/show_bug.cgi?id=5825



I raised this bug a while ago experiencing what you are. Nobody seems to
have done much about it.




Victor Medina wrote:
 Hello guys!
 
 I'm using samba 3.2.4 (binaries from samba.org) on SLES9+sp3. 
 
 I am building a PDC with LDAP support (I am attaching my config files),
 I'm also using ldapsam:trusted and ldapsam:editposix.
 
 Although I am setting the account lock after 3 failed tries in usrmgr,
 and verified that the parameters are actually set in the LDAP, no
 locking occurs.
 
 I started thinking that it was my fault, since I generate my own ldif
 from a small app I created that reads a Windows AD and creates/fills an
 OpenLDAP with the relevant info that Linux (posix account information)
 and Samba needs, just like my own net vampire, just that mine reads
 a native AD and migrates to Samba, it just defaults passwords to 1-8.
 
 cool! eh? ;)
 
 Since everything seemed to work OK except for the account locking, I
 rebuilt the server from scratch using net sam provision and created
 an extra account, joined a machine, but still it seems account locking
 is not working on samba 3.2.4.
 
 any ideas/suggestions are welcome?
 
 Victor Medina
 
 
 
 **
 Some relevant steps I did to set it up
 **
   
 
 smbpasswd -w 12345678
 net idmap secret DEFAULT 12345678 
 net idmap secret alloc 12345678
 rcwinbind restart
 net sam provision
 smbpasswd administrator
 net rpc rights grant c1.ve\administrator SeMachineAccountPrivilege
 SePrintOperatorPrivilege SeAddUsersPrivilege SeRemoteShutdownPrivilege 
 SeDiskOperatorPrivilege SeTakeOwnershipPrivilege -U administrator
 
 rcsmb start  rcnmb start  rcwinbind start
 
 
 
 
 ***
 SMB.conf (global)
 ***
 
 [global]
   workgroup   = C1.VE 
   netbios name= PDC-EPA1 
   security= user
   guest account   = Invitado 
   map to guest= Bad User
   enable privileges   = yes
   server string   =   
   time server = yes
   socket options  = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   domain logons   = yes
   domain master   = yes
   os level= 65
   preferred master= yes
   wins support= yes
   deadtime= 20
   dont descend= /proc,/dev,/etc,/lib,/lost+found,/initrd
   encrypt passwords   = yes
   passdb backend  = ldapsam:ldap://127.0.0.1  
   ldap admin dn   = cn=Administrador,dc=
   ldap suffix = dc=c1,c=ve,dc=xxx
   ldap user suffix= ou=people
   ldap group suffix   = ou=group
   ldap machine suffix = ou=people
   ldap delete dn  = yes
   ldap passwd sync= yes
   
   
   ldapsam:trusted = yes
 ldapsam:editposix = yes
 
   idmap domains = DEFAULT
   idmap config DEFAULT:backend = ldap
   idmap config DEFAULT:readonly = no
   idmap config DEFAULT:default = yes
   idmap config DEFAULT:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
   idmap config DEFAULT:ldap_user_dn = cn=Administrador,dc=xxx
   idmap config DEFAULT:ldap_url = ldap://127.0.0.1
   idmap config DEFAULT:range = 1-10
 
   idmap alloc backend = ldap
   idmap alloc config:ldap_base_dn = ou=idmap,dc=c1,c=ve,dc=xxx
   idmap alloc config:ldap_user_dn = cn=Administrador,dc=xxx
   idmap alloc config:ldap_url = ldap://127.0.0.1
   idmap alloc config:range = 1-10
 
 
   
 
   printing= cups
   printcap name   = cups
   show add printer wizard = yes
   load printers   = yes
 
 
   create mask = 0640
   directory mask  = 0750
   force create mode   = 0640
   force directory mode= 0750
   preserve case   = yes
   short preserve case = yes
   case sensitive  = no
   mangling method = hash2
   Dos charset = 850
   Unix charset= ISO8859-1
   nt acl support  = yes
 
 
 
 
 
 
 ***
 slapd.conf
 ***
 
 modulepath  /usr/lib/openldap/modules
 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/samba3.schema
 
 pidfile   /var/run/slapd/slapd.pid
 argsfile  /var/run/slapd/slapd.args
 
 access to dn.base=
 by * read
 
 access to dn.base=cn=Subschema
 by * read
 
 access to attrs=userPassword,userPKCS12
 by self write
 by * auth
 
 access to attrs=shadowLastChange
 by self write
 by * read
 
 access to *