Re: [Samba] winbind issue
Show us your smb.conf.

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Karthik R [EMAIL PROTECTED] 8/28/2006 2:00 PM

I was able to successfully join the Linux machine, i.e. RHEL 3, to the Windows 2003 domain and am able to pull the AD users and groups using the wbinfo -u and wbinfo -g commands. I am trying to authenticate the AD user using radtest, a command tool used in freeradius to authenticate the user logon credentials. It rejects AD user logon credentials.

I have a Linux NIS server running under the same subnet. This machine is bound to this Linux NIS domain and joined to the Windows 2003 domain.

Here is my nsswitch.conf file.

passwd: files winbind nis dns
shadow: files nis dns
group: files winbind nis dns
#hosts: db files nisplus nis dns
hosts: files dns winbind nis

Also I tried removing it from the Linux NIS domain and running only with the winbind service; it didn't help me.

Here is the log file I found about the winbind service.

winbindd[16208]: [2006/08/28 10:57:31, 0] nsswitch/winbindd_util.c:winbindd_param_init(560)
winbindd[16208]: winbindd: idmap uid range missing or invalid
winbindd[16208]: [2006/08/28 10:57:31, 0] nsswitch/winbindd_util.c:winbindd_param_init(561)
winbindd[16208]: winbindd: cannot continue, exiting.
winbind: winbindd startup succeeded

I have another Linux machine running good with the same error message. Could someone throw some light to resolve my issue?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] winbind HOWTO specifically for backend_ad?
Does anybody have a howto step-by-step type document on how to implement the backend_ad?

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
[Samba] Re: winbind HOWTO specifically for backend_ad?
I guess it is my lack of knowledge on how all these things work, but is it basically the case that I cannot use backend_ad without nss? Does the pdc require that it is running something special? What exactly is sfu? Is that something that is configured just on the samba/unix box?

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Rex Dieter [EMAIL PROTECTED] 8/25/2006 10:19:11 AM

David Shapiro wrote:
Does anybody have a howto step-by-step type document on how to implement the backend_ad?

Samba-HOWTO?
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/

-- Rex
[Samba] Attempt to configure idmap_ad giving error on uidNumber
My long sojourn to get some configuration set up that will then allow me to set a uid of an ad user to whatever unix uid I want (nfs reasons), is still going. I set my backend to ad and added the winbind nss info = sfu. Nothing happened initially in the log.winbindd-idmap, but after lunch I saw some new things in there:

83390]: sid to uid S-1-5-21-54348060-1989963526-242692186-2762
[2006/08/25 14:07:22, 1] ../sam/idmap_ad.c:ad_idmap_get_id_from_sid(309)
ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 'uidNumber'
[2006/08/25 14:07:22, 3] ../nsswitch/winbindd_async.c:winbindd_dual_sid2uid(201)
[483390]: sid to uid S-1-5-21-54348060-1989963526-242692186-2762
[2006/08/25 14:07:22, 1] ../sam/idmap_ad.c:ad_idmap_get_id_from_sid(309)
ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 'uidNumber'
[2006/08/25 14:07:22, 3] ../nsswitch/winbindd_async.c:winbindd_dual_sid2uid(201)
[483390]: sid to uid S-1-5-21-54348060-1989963526-242692186-2762
[2006/08/25 14:07:22, 1] ../sam/idmap_ad.c:ad_idmap_get_id_from_sid(309)
ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute 'uidNumber'
[2006/08/25 14:07:38, 0] ../nsswitch/winbindd_dual.c:child_read_request(49)
Got invalid request length: 0

It seems to have some issue with uidNumber. Anybody have an idea on what is going on there?

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
[Samba] tdbtool help
Please provide me with an example on how to use this tool to change a uid of a user to what I want the uid to be. I am confused on what it thinks are keys. It has a keys command:

key 11 bytes: UID 119989
key 44 bytes: S-1-5-21-54348060-1989963526-242692186-2277
key 44 bytes: S-1-5-21-54348060-1989963526-242692186-8749
key 45 bytes: S-1-5-21-54348060-1989963526-242692186-24986

But if I go to type tdb show UID 119989

tdb open winbindd_idmap.tdb
tdb show UID 119989
fetch failed
tdb

What is the key? UID 119989? 119989? 11 bytes: UID 119989? Sigh. No examples are shown in the manpage. What I really want to do is locate the uid associated with a specific sid and change it to something else. Please help.

Thanks,
David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
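Added example, not part of the original post and not Samba code: each length in the keys listing above is one byte larger than the text printed beside it, which is consistent with every stored key carrying a trailing NUL that the listing does not show. The sketch parses that listing and rebuilds the full key bytes; the NUL terminator and the helper names are assumptions.

```python
import re

# Lines copied from the `keys` listing quoted in the post above.
KEYS_LISTING = """\
key 11 bytes: UID 119989
key 44 bytes: S-1-5-21-54348060-1989963526-242692186-2277
key 44 bytes: S-1-5-21-54348060-1989963526-242692186-8749
key 45 bytes: S-1-5-21-54348060-1989963526-242692186-24986
"""

KEY_LINE = re.compile(r"^key (\d+) bytes: (.*)$")


def parse_keys(listing):
    """Return (declared_len, visible_text, hidden_bytes) for each key line."""
    rows = []
    for line in listing.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue
        declared, text = int(m.group(1)), m.group(2)
        rows.append((declared, text, declared - len(text.encode("ascii"))))
    return rows


def stored_key(text, hidden=1):
    """Rebuild the stored key, assuming the hidden bytes are trailing NULs."""
    return text.encode("ascii") + b"\x00" * hidden


def typed_key_matches(text, hidden=1):
    """True only if the visible text alone equals the stored key bytes."""
    return text.encode("ascii") == stored_key(text, hidden)


if __name__ == "__main__":
    for declared, text, hidden in parse_keys(KEYS_LISTING):
        print(f"{text!r}: declared {declared}, visible {declared - hidden}, "
              f"hidden {hidden}, typed text matches: "
              f"{typed_key_matches(text, hidden)}")
```
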
Re: [Samba] tdbtool help
The dump option works fine: (stopped samba)

net idmap dump /usr/local/samba/var/locks/winbindd_idmap.tdb /tmp/dump.out

However, after I modify the one line I want, move the old winbindd_idmap.tdb aside, and then try restore:

net idmap restore /usr/local/samba/var/locks/winbindd_idmap.tdb /tmp/dump.out

I get for all users:

Could not set mapping of UID 142261 to sid S-1-5-21-54288060-1989963526-242692186-42261
Could not set mapping of UID 146045 to sid S-1-5-21-54648060-1989963526-242692186-46045
Could not set mapping of UID 145320 to sid S-1-5-21-54448060-1989963526-242692186-45320
Could not set mapping of UID 145286 to sid S-1-5-21-54368060-1989963526-242692186-45486
Could not set mapping of UID 145499 to sid S-1-5-21-54348060-1989963526-242692186-45399
Could not set mapping of UID 145958 to sid S-1-5-21-54348060-1989963526-242692186-45918
Could not set mapping of UID 142524 to sid S-1-5-21-54348060-1989963526-242692186-42524
Could not set mapping of UID 145482 to sid S-1-5-21-54348560-1989963526-242692186-45452
Could not set mapping of UID 145124 to sid S-1-5-21-54348460-1989963526-242692186-45224
Could not set mapping of UID 142065 to sid S-1-5-21-54348160-1989963526-242692186-42045
Could not set mapping of GID 119863 to sid S-1-5-21-54348660-1989963526-242692186-19813
Could not set mapping of GID 127125 to sid S-1-5-21-54348360-1989963526-242692186-27115
Could not set mapping of GID 115329 to sid S-1-5-21-54348360-1989963526-242692186-15349
Could not set mapping of GID 127270 to sid S-1-5-21-54348360-1989963526-242692186-27220
Could not set mapping of GID 110003 to sid S-1-5-21-54348060-1989963526-242692186-10003
Could not set mapping of GID 124933 to sid S-1-5-21-54348050-1989963526-242692186-24933
Could not set mapping of GID 113174 to sid S-1-5-21-54348030-1989963526-242692186-13174
Could not set mapping of GID 110770 to sid S-1-5-21-54348030-1989963526-242692186-10770
Could not set mapping of GID 115883 to sid S-1-5-21-54348030-1989963526-242692186-15853
.
.
.

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

simo [EMAIL PROTECTED] 8/24/2006 9:10 AM

use net idmap dump and net idmap restore

Simo.

On Thu, 2006-08-24 at 08:59 -0400, David Shapiro wrote:

Please provide me with an example on how to use this tool to change a uid of a user to what I want the uid to be. I am confused on what it thinks are keys. It has a keys command:

key 11 bytes: UID 119989
key 44 bytes: S-1-5-21-54348060-1989963526-242692186-2277
key 44 bytes: S-1-5-21-54348060-1989963526-242692186-8749
key 45 bytes: S-1-5-21-54348060-1989963526-242692186-24986

But if I go to type tdb show UID 119989

tdb open winbindd_idmap.tdb
tdb show UID 119989
fetch failed
tdb

What is the key? UID 119989? 119989? 11 bytes: UID 119989? Sigh. No examples are shown in the manpage. What I really want to do is locate the uid associated with a specific sid and change it to something else. Please help.

Thanks,
David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
RE: [Samba] Re: Strange Usermapping problem with 3.0.23b
This link to the patch location does not work.

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Guillermo Gutierrez [EMAIL PROTECTED] 8/23/2006 6:28 PM

In that case, would you test this patch against 3.0.23b?
http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz

Hello,

I was trying to apply this patch from Jerry but I don't have any luck doing so. How would one apply this patch? It is not a .patch file. I am rather new at this and when I tried to follow the directions on http://samba.org/samba/patches/ I couldn't get it to work. It just gives me that message Hmmm...I can't seem to find a patch in there anywhere. These are the commands that I tried to use on my freebsd-6.1 system running samba-3.0.23b:

patch patch-3.0.23b-3.0.23c-gwc-1.diffs.gz

And

patch -pl patch-3.0.23b-3.0.23c-gwc-1.diffs.gz

Thanks in advance for any help.

Guillermo Gutierrez
Re: [Samba] Re: Strange Usermapping problem with 3.0.23b
Not sure. It gave a url not found before. Now it works.

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Gerald (Jerry) Carter [EMAIL PROTECTED] 8/24/2006 1:27 PM

David Shapiro wrote:
This link to the patch location does not work.
http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz

What doesn't work ? I just verified the URL is valid.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
[Samba] map a uid to a sid -- a never ending story
In my feeble desperation to resolve my issue with no response that works yet for me, I tried: net idmap dump /tmp/dumpfile.txt, which dumped my sid to uid mappings. I then edited the dumpfile.txt to change S-1-5-21-54348060-1989963526-242692186-28788 to map instead from 10 to 785755, which is the uid of the unix user I want it to map to (note that username map = option appears to just map the name, not the uid, so that suggestion does not help me with nfs mounting a samba ad home directory to another server). Anyway, after this I did a restore, but I get the following error that I am not sure why it is giving it to me:

[EMAIL PROTECTED]/] net idmap restore /tmp/dumpfile.txt
Could not set mapping of UID 785755 to sid S-1-5-21-54348060-1989963526-242692186-28788
USER HWM: 7857551
GROUP HWM: 145448

If I search in the dumpfile.txt, I do not see 7857551 (why the 1 added?), so I cannot remove/change this. Of course, ideally, a solution from you samba wizards would be greatly appreciated.

Thanks,
David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
Re: [Samba] Re: Strange Usermapping problem with 3.0.23b
What can we do if we have the 3.0.0.23c version already as far as the patch goes?

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Gerald (Jerry) Carter [EMAIL PROTECTED] 8/23/2006 3:10 PM

Matthias Schündehütte wrote:

Hi Jerry,

On 2006-08-21 23:09:05 +0200, Gerald (Jerry) Carter [EMAIL PROTECTED] said:

Does your username map use a ! to stop the parsing. See the man page for details.

Sure! Your question made me uncertain since this could be a typical mistake for quick 'n dirty test setups, but I rechecked today: The exclamation marks are all there.

I found today another problem: Samba denied a usermapping with the message that a domaingroup with the same name exists... nice to know but who cares? If I want to access local unix files with the account 'foo', what does it matter if there is a windows domain group 'foo'?

I downgraded my production server to 3.0.22 today, but I have now a complete identical testserver (same os, same net, same hardware) to track down this misbehaviour.

In that case, would you test this patch against 3.0.23b?
http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz

Thanks, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
[Samba] How to map a user to a specific uid?
I have aix with 3.0.21c samba with the following smb.conf:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = User management Server
security = ADS
password server = ad.mydomain.com
idmap backend = rid:MYDOMAIN=10-20
allow trusted domains = No
log level = 0
log file = /usr/local/samba/var/log.%m
max log size = 50
name resolve order = hosts wins lmhosts bcast
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
preferred master = No
local master = No
dns proxy = No
wins server = wins01, wins02
ldap ssl = no
idmap uid = 10-20
idmap gid = 10-20
template shell = /bin/ksh
template homedir = /home/%D/%U
winbind separator = +
winbind nested groups = Yes
winbind use default domain = Yes
aio read size = 1
aio write size = 1
nt acl support = Yes

I need to nfs share the samba home directory of a user on the samba server over to another server, but the uid it is giving is for example 10 instead of the standard uid for the user on all the other servers. How can I make samba use whatever uid I want for the user (i.e., the uid the user is known as on other servers)? Is there a map type command or file I can use?

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
Re: [Samba] How to map a user to a specific uid?
What do you put in the file to map an ad user to a unix user? If I have an ad user MYDOMAIN+joe, do I put in user.map file:

joe MYDOMAIN+joe

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Gerald (Jerry) Carter [EMAIL PROTECTED] 8/22/2006 10:29:37 AM

David Shapiro wrote:
I need to nfs share the samba home directory of a user on the samba server over to another server, but the uid it is giving is for example 10 instead of the standard uid for the user on all the other servers. How can I make samba use whatever uid I want for the user (i.e., the uid the user is known as on other servers)? Is there a map type command or file I can use?

See 'username map' in smb.conf(5).

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
Re: [Samba] How to map a user to a specific uid?
I noticed that even after I added a

username map = /usr/local/samba/lib/users.map

to smb.conf ...added to users.map:

joe MYDOMAIN+joe

The MYDOMAIN+joe home directory still shows the rid uid of 10 instead of the unix user joe's uid of 785755. What am I doing wrong?

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Gerald (Jerry) Carter [EMAIL PROTECTED] 8/22/2006 10:29:37 AM

David Shapiro wrote:
I need to nfs share the samba home directory of a user on the samba server over to another server, but the uid it is giving is for example 10 instead of the standard uid for the user on all the other servers. How can I make samba use whatever uid I want for the user (i.e., the uid the user is known as on other servers)? Is there a map type command or file I can use?

See 'username map' in smb.conf(5).

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
Re: [Samba] How to map a user to a specific uid?
I am using:

workgroup = BCBSNC
realm = BCBSNC.COM
server string = User management Server
security = ADS
password server = ad.bcbsnc.com
idmap backend = rid:BCBSNC=10-20
allow trusted domains = No
log level = 0
log file = /usr/local/samba/var/log.%m
max log size = 50
name resolve order = hosts wins lmhosts bcast
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
preferred master = No
local master = No
dns proxy = No
wins server = svcmc02, svcmc03
ldap ssl = no
idmap uid = 10-20
idmap gid = 10-20
template shell = /bin/ksh
template homedir = /home/%D/%U
winbind separator = +
winbind nested groups = Yes
winbind use default domain = Yes
aio read size = 1
aio write size = 1
nt acl support = Yes
username map = /usr/local/samba/lib/users.map

[homes]
root preexec = /usr/local/samba/bin/mkhome.sh %D %U
path = /home/%D/%U
valid users = %D+%U
read only = No
browseable = No

If I do an ls -la of the /home/MYDOMAIN, I see

drwxr-x--- 3 joe users 256 Feb 24 13:04 joe

But nfs mount joe on the remote system appears as uid of 10 instead of the uid 785757 (joe's unix uid). In that, it is using the rid id not the unix user's uid.

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Gerald (Jerry) Carter [EMAIL PROTECTED] 8/22/2006 2:14:45 PM

David Shapiro wrote:
What do you put in the file to map an ad user to a unix user? If I have an ad user MYDOMAIN+joe, do I put in user.map file:

joe = MYDOMAIN+joe

If you are not running winbindd and using 'security = ads', you need

joe = MYDOMAIN+joe MYDOMAIN.REA.LM+joe

to cover cases where the user may login via NTLM or Krb5.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
Re: [Samba] How to map a user to a specific uid?
I would like to see: username map option allow you to specify a uid number so that a rid number is not used.

joe = 785755

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

Gerald (Jerry) Carter [EMAIL PROTECTED] 8/22/2006 2:14:45 PM

David Shapiro wrote:
What do you put in the file to map an ad user to a unix user? If I have an ad user MYDOMAIN+joe, do I put in user.map file:

joe = MYDOMAIN+joe

If you are not running winbindd and using 'security = ads', you need

joe = MYDOMAIN+joe MYDOMAIN.REA.LM+joe

to cover cases where the user may login via NTLM or Krb5.

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
[Samba] map an ad user to a specific uid question
I am still trying to resolve an issue where I need the ad user's home directory to have a specific uid so that when I nfs its home somewhere the user can access his files. I found wbuser.pl out there at http://www.occam.com/tools/:

Mapping Active Directory Users to Existing UNIX UIDs

Use this procedure on systems where AD user accounts should correspond to UNIX user accounts on other systems. Among other things, this allows NFS shares from a UNIX server to work on an Active Directory UNIX client. The normal behavior of winbind is to arbitrarily assign UIDs to users from the range specified in smb.conf. GIDs will continue to be assigned to groups automatically by winbind after following this procedure.

Open issue: Is there any way to restrict login access to an AD client?

Enable AD authentication as described above.

Ensure that the range specified by idmap uid in smb.conf covers the range of UNIX UIDs to which accounts will be assigned. winbind lookups for UIDs outside that range will fail. NB: It's best not to use this procedure on systems that have a mix of AD accounts and UNIX accounts. If both types of accounts have UIDs within the same range, then winbind could automatically assign a UID for an existing UNIX account to an inappropriate AD account.

Install wbuser, a custom script used to list, add, and remove the UID/SID mappings stored in /opt/local/samba/var/locks/winbindd_idmap.tdb.

If desired, print a list of the current mappings with wbuser -l.

For each user, execute sudo wbuser -a username UID, where username is the AD username, and UID is the UNIX UID assigned to it.

Create a home directory for the user if necessary.

The problem is that I added a user which seemed to work, but the -l option does not display my added entry. It looks like it is trying to use tdbtool to do this.

Does anybody have directions on how I can do this without this perl script (I think things may have changed version wise to make the things the perl script regular expressions look for fail). The username map option does not help. I really need to control what uid is getting used for my ad logins, so this is important to get working. Note again, I am using idmap backend and security = ADS. If you know that the wbuser stuff above will not work because of the idmap backend, I need to know that.

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
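One way to run the checks described in the quoted procedure over a hand-edited mapping dump before restoring it, as an added example (not code from the post, from wbuser, or from Samba). It reads the idmap uid/gid ranges from smb.conf text and flags dump entries outside them, ids shared by two SIDs, and a high-water mark at or below a mapped id. The dump line format, the reading of the HWM as the next id to hand out, the function names and all sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample inputs (not taken from a real system).
SMB_CONF = """\
[global]
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
"""

# Assumed dump layout: "UID|GID <id> <SID>" and "USER|GROUP HWM <n>".
EDITED_DUMP = """\
UID 10001 S-1-5-21-1111111111-2222222222-3333333333-1001
UID 785755 S-1-5-21-1111111111-2222222222-3333333333-1002
UID 10001 S-1-5-21-1111111111-2222222222-3333333333-1003
GID 10005 S-1-5-21-1111111111-2222222222-3333333333-513
USER HWM 10002
GROUP HWM 10006
"""

RANGE_RE = re.compile(
    r"^[ \t]*idmap[ \t]+(uid|gid)[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$",
    re.I | re.M)
MAP_RE = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-1-[\d-]+)$")
HWM_RE = re.compile(r"^(USER|GROUP) HWM:?\s+(\d+)$")


def idmap_ranges(conf_text):
    """Return {'UID': (lo, hi), 'GID': (lo, hi)} parsed from smb.conf text."""
    ranges = {}
    for kind, lo, hi in RANGE_RE.findall(conf_text):
        lo, hi = int(lo), int(hi)
        if lo > hi:
            raise ValueError(f"idmap {kind.lower()} range invalid: {lo}-{hi}")
        ranges[kind.upper()] = (lo, hi)
    for kind in ("UID", "GID"):
        if kind not in ranges:
            # The condition winbindd logs as "range missing or invalid".
            raise ValueError(f"idmap {kind.lower()} range missing or invalid")
    return ranges


def parse_dump(dump_text):
    """Split a dump into [(kind, id, sid)] and {'UID'|'GID': hwm}."""
    mappings, hwm = [], {}
    for n, line in enumerate(dump_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m, h = MAP_RE.match(line), HWM_RE.match(line)
        if m:
            mappings.append((m.group(1), int(m.group(2)), m.group(3)))
        elif h:
            hwm["UID" if h.group(1) == "USER" else "GID"] = int(h.group(2))
        else:
            raise ValueError(f"line {n}: unrecognised entry {line!r}")
    return mappings, hwm


def validate(conf_text, dump_text):
    """Return a list of findings; an empty list means no problem was seen."""
    ranges = idmap_ranges(conf_text)
    mappings, hwm = parse_dump(dump_text)
    findings = []
    sids_by_id, ids_by_sid = defaultdict(set), defaultdict(set)
    for kind, num, sid in mappings:
        lo, hi = ranges[kind]
        if not lo <= num <= hi:
            findings.append(("out-of-range", kind, num, sid))
        sids_by_id[(kind, num)].add(sid)
        ids_by_sid[sid].add((kind, num))
    # Two SIDs on one id means two AD accounts own the same files over NFS.
    for (kind, num), sids in sorted(sids_by_id.items()):
        if len(sids) > 1:
            findings.append(("shared-id", kind, num, tuple(sorted(sids))))
    for sid, ids in sorted(ids_by_sid.items()):
        if len(ids) > 1:
            findings.append(("sid-mapped-twice", sid, tuple(sorted(ids))))
    # Assumption: the HWM is the next id to allocate, so it must exceed all.
    for kind, mark in sorted(hwm.items()):
        top = max((n for k, n, _ in mappings if k == kind), default=None)
        if top is not None and mark <= top:
            findings.append(("hwm-not-above-max", kind, mark, top))
    return findings


if __name__ == "__main__":
    for finding in validate(SMB_CONF, EDITED_DUMP):
        print(finding)
```
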
[Samba] How to access an automounted home and read/write with AD user
hello,

I have samba 3.0.21c on an aix 5.2.0.7 server configured to use active directory authentication. However, I need to do something a little funky:

The server with samba I will call: sambaserver
A server with a user's home directory that is automounted on a few other servers: homeserver

The user has on homeserver his files that he works on that he conveniently has automounted on development, test, qa servers. He is used to checking out code from a code repository into a samba share that maps to his home directory on homeserver. This way he can move code around between development, test, qa. This worked fine when he had old non-active-directory samba on the homeserver. Now, we need to remove samba from homeserver and put it on a dedicated samba server. It uses active directory.

I set up automount on the sambaserver to allow the user to automount his home directory on the samba server. I then tried to use samba to share the automounted home directory. The problem is that the home directory is owned by the unix user on the box, but the user is connecting to the share with their active directory account. The home directory mounts with mode 077, which makes it so I cannot even read in the directory even when I use force user option (it must be connecting as root and then trying after the fact use the force user option I guess). If I change the directory mode to 022, I can read in the directory, but I still cannot write/read in the directory. I am at a loss as to what user it really is connecting as and why I can read but not write. I tried a map.user file to map the domain user to the unix user. That did not help either.

David

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538
Re: [Samba] any plans on getting psexec / cmdat equivalent to Samba?
How about ssh?

ssh host ls

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011
cellphone: 730-0538

roland [EMAIL PROTECTED] 5/26/2006 6:39:45 PM

Hello !

If anybody wants to implement the psexec unix port or samba equivalent, maybe taking a look at xCmd from Zoltan Csizmadia at http://www.codeguru.com/Cpp/I-N/network/remoteinvocation/article.php/c5433/ may help a LOT and is a very good example. (This one seems to work similar like psexec - but it is available with sourcecode!)

I don't know if the author is still reachable via this mail address or if there is any chance to get some help with creating the xCMD/psexec equivalent for linux, but I CC'ed him with this mail to say thank you for making it and for providing the source.

regards
roland k.
systems engineer

List: samba
Subject: [Samba] any plans on getting psexec / cmdat equivalent to Samba?
From: Tomasz Chmielewski mangoo () wpkg ! org
Date: 2006-03-22 11:00:23
Message-ID: 44212E47.4040300 () wpkg ! org

Windows admins can make their work easier with a tool like psexec. It allows to execute commands remotely, without the need to install anything on the target machine. All that is needed is username/password of course. Unfortunately, psexec command only runs on Windows. The usage is as follows (we start notepad interactively with -i to show that something happens):

psexec \\192.168.1.2 -i -u username -p password notepad

It waits for the command to complete, and returns its exit code, so can be used within scripts.

A similar tool we can use with Samba is cmdat, which comes together with samba-tng (one just needs to compile samba-tng, and then can use the tool with a regular Samba).

To start a command on a remote system, we can use (we start notepad interactively with /interactive to show that something happens):

cmdat -I 192.168.1.2 -U 'username%password' -c 'at now /interactive notepad'

Unfortunately, it uses at to start commands (1 minute from the current time when we use now), so we know nothing about the status of the running command, nor get any exit code. In other words, it's close to impossible to use it in scripts to do anything useful (other than starting single commands).

Is any work done in Samba to get a tool similar to psexec?

--
Tomasz Chmielewski
http://wpkg.org
Re: [Samba] how to upgrade to Samba-3.0.21c
stop samba
mv /usr/local/samba /usr/local/samba.old
Do the build
cp /usr/local/samba.old/lib/smb.conf /usr/local/samba/lib
join to domain/realm again (some people copy .tdb files (private/var directories) to new version, but join does the trick more easily)
start samba

Now you can fall back to old version if new doesn't work.

David

David Shapiro
Unix Team Lead
919-765-2011

User 1 [EMAIL PROTECTED] 3/14/2006 5:38:03 AM

Dear All,

I am running samba-3.0.10-1.fc2 on my FC2, now I want to upgrade it to Samba 3.0.21c. Anybody please inform me how to safely upgrade?

Many thanks in advance.

Regards
Winanjaya
[Samba] How to compile with AIX xlc?
During configure, it is running xlc -version for some reason, and xlc does not have a --version option, so it is showing usage information instead. How do you compile with xlc 6.0?

David

David Shapiro
Unix Team Lead
919-765-2011
[Samba] IBM xlc compiler and configure question
I am trying desperately to get rid idmap support working. I got xlc 6.0 on the box to compile, but I cannot get past configure because it gives the following error in config.log: cc: 1501-208 command option e is missing a subargument configure:1708: $? = 40 configure:1717: result: configure:1804: checking for gcc configure:1830: result: cc configure:2074: checking for C compiler version configure:2077: cc --version /dev/null 5 cc: 1501-216 command option -version is not recognized - passed to ld C for AIX Compiler, Version 6 Usage: xlc [ option | inputfile ]... cc [ option | inputfile ]... c89 [ option | inputfile ]... xlc128 [ option | inputfile ]... ... If I run cc --version or -version it does in fact just spit out usage information. Why is it doing --version? How do I get configuration going with xlc? Here is my setup.sh script: #!/bin/ksh -x #export LIBPATH=/usr/lib:/usr/local/lib:/opt/freeware/lib env CC=cc \ CFLAGS=-DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern -D_LINUX_SOURCE_COMPAT \ CPPFLAGS=-I/usr/local/bdb/include -I/usr/local/ssl/include -I/usr/local/include -I/usr/local \ LDFLAGS=-L/usr/local/bdb/lib -L/usr/local/cyrus-sasl/lib -L/usr/local/ssl/lib -L/usr/local/openldap/li b -L/usr/local/lib /usr/local/lib/libiconv.a /usr/local/lib/libintl.a /usr/local/ssl/lib/libcrypto.a /u sr/local/ssl/lib/libssl.a -L/usr/lib -lc \ ../configure --prefix=/usr/local/samba --with-shared-modules=idmap_ad,idmap_rid --with-ads --with-ldap --with-pam --with-krb5=/usr/local/heimdal-krb5 --with-winbind --with-acl-support --with-utmp --with-quo tas --with-sendfile-support --with-aio-support --enable-shared=yes --disable-static --with-libiconv=/us r/local /usr/local/bin/make exit /usr/local/bin/make install for i in WINBIND pam_winbind.so; do if [ -f /usr/lib/security/$i ]; then mv /usr/lib/security/$i /usr/lib/security/$i.old chmod 555 nsswitch/$i cp nsswitch/$i /usr/lib/security rm /usr/lib/security/$i.old else cp nsswitch/$i /usr/lib/security fi done 
David Shapiro Unix Team Lead 919-765-2011
Re: [Samba] Segmentation Fault when attempting to join AD
What happens when you run kinit [EMAIL PROTECTED] Does kinit core dump?

David

David Shapiro Unix Team Lead 919-765-2011

Golden Butler [EMAIL PROTECTED] 3/2/2006 9:58 PM

Thanks Jeremy. Ok, this is what happened after typed run:

(gdb) run
Starting program: /usr/bin/net ads join -U administrator
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
[Thread debugging using libthread_db enabled]
[New Thread 1078403744 (LWP 7510)]
(no debugging symbols found)...(no debugging symbols found)...administrator's password: (no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1078403744 (LWP 7510)]
0x400b8d34 in mcc_resolve () from /usr/lib/libkrb5.so.17
(gdb) bt
#0 0x400b8d34 in mcc_resolve () from /usr/lib/libkrb5.so.17
#1 0x400a1d12 in allocate_ccache () from /usr/lib/libkrb5.so.17
#2 0x08162396 in kerberos_kinit_password ()
#3 0x0816266a in ads_kinit_password ()
#4 0x081d1298 in ads_sasl_spnego_bind ()
#5 0x081d1a6e in ads_sasl_bind ()
#6 0x081ca402 in ads_connect ()
#7 0x08075ce6 in ads_startup ()
#8 0x08077110 in net_ads_join ()
#9 0x080741e9 in net_run_function ()
#10 0x08078945 in net_ads ()
#11 0x080741e9 in net_run_function ()
#12 0x080758c3 in main ()

Looks like it's pointing to some kerberos file. I'm still kind of a linux newbie, what does this mean? Thanks.

- Delamatrix

From: Jeremy Allison [mailto:[EMAIL PROTECTED]
To: Golden Butler [mailto:[EMAIL PROTECTED]
Cc: Samba Mailing List [mailto:[EMAIL PROTECTED]
Sent: Thu, 02 Mar 2006 17:28:17 -0600
Subject: Re: [Samba] Segmentation Fault when attempting to join AD

On Thu, Mar 02, 2006 at 04:25:11PM -0600, Golden Butler wrote:

I've just installed Samba 3.0.21c on SLES9 box. I've configured kerberos and my smb.conf file to a tee. When I try to join my active directory domain by typing the following:

net ads join -U administrator

after I type the password, I get this error:

Segmentation fault

I can successfully get a ticket from AD when invoking:

kinit user

Is there something I'm doing wrong? Any help will be greatly appreciated. Thanks.

Can you run this under gdb as :

gdb --args /usr/bin/net ads join -U administrator

At the prompt type : run, when it crashes type bt and post the backtrace please.

Jeremy.
Re: [Samba] problem when compiling samba-3.0.21c on power PC platform
Sounds weird. Try running make distclean first. Also, make a directory called build in samba/source and run configure from within it.

cd /usr/local/samba/source/
mkdir build
cd build
../configure your options

David

David Shapiro Unix Team Lead 919-765-2011

Zhai, Shunnian [EMAIL PROTECTED] 3/2/2006 8:45 PM

Hi, All, Currently we are using Samba 2.2 and planning to update to samba 3. However, I encountered the following error when I try to compile the samba-3.0.21c:

...
Checking for creat64...yes
Checking for prctl...yes
Configure: error: cannot run test program while cross compiling
See 'config.log' for more details.

Would anyone with experience on cross compiling samba3 help me? Thanks in advance, Shunnian
Re: [Samba] 2 x ADS
I would guess you put both servers on the password server = line smb.conf.

David Shapiro Unix Team Lead 919-765-2011

Damian Pietras [EMAIL PROTECTED] 3/3/2006 2:59 AM

Hi, I have 2 ADS domains on Windows 2003 Server with full functionality of server 2003 and replication. I want to connect Samba 3.x, but in case of a failure of one of them, a system should automatically connect to the second one, like in Windows XP. Is it possible? How to configure Kerberos and Samba?

-- Damian Pietras
Re: [Samba] problem with winbind separator = \
I had no luck with \ too. I ended up going back to using +

David

David Shapiro Unix Team Lead 919-765-2011

Thomas Limoncelli [EMAIL PROTECTED] 3/3/2006 9:10 AM

Guillermo Gutierrez wrote:

I just rebuilt the samba server that I was working on and when I try to add the line winbind separator = \, testparm tells me that its value must be 1 character and then displays its value as the proceeding line.

This is the default value, so you may just omit the line altogether.

-TL
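The testparm behaviour described in this thread follows from the smb.conf rule that a line ending in a backslash is continued on the next line. The Python sketch below is an added example, not part of the original posts and not Samba's own parser: it is a simplified model of that rule, and the sample configurations and function names are constructed for illustration.

```python
# Added example: simplified model of smb.conf line handling (not Samba's parser).
# smb.conf(5): any line ending in "\" is continued on the next line.

DEFAULT_SEPARATOR = "\\"  # default "winbind separator", as the reply above notes


def logical_lines(text):
    """Join physical lines that end in a backslash with the line after them."""
    out, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line, pending = pending + line, None
        if line.endswith("\\"):
            pending = line[:-1]      # drop the backslash and keep collecting
            continue
        out.append(line)
    if pending is not None:          # file ended in the middle of a continuation
        out.append(pending)
    return out


def parse_global(text):
    """Return the [global] parameters as a dict with normalised names."""
    params, section = {}, None
    for line in logical_lines(text):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def separator_report(text):
    """Return (effective separator, findings) for one configuration text."""
    sep = parse_global(text).get("winbind separator", DEFAULT_SEPARATOR)
    findings = []
    if len(sep) != 1:
        findings.append("winbind separator must be 1 character, parsed as %r" % sep)
        if "=" in sep:
            lost = " ".join(sep.split("=", 1)[0].lower().split())
            findings.append("parameter %r was absorbed and never set" % lost)
    return sep, findings


def sample_config(separator_line=None):
    """Constructed sample [global] section; separator_line is optional."""
    lines = ["[global]", "   security = ADS"]
    if separator_line is not None:
        lines.append("   " + separator_line)
    lines += ["   max log size = 50", "   winbind use default domain = Yes"]
    return "\n".join(lines)


BROKEN = sample_config("winbind separator = \\")   # trailing backslash
OMITTED = sample_config()                          # rely on the default
PLUS = sample_config("winbind separator = +")      # the workaround used above

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("omitted", OMITTED), ("plus", PLUS)):
        print(name, separator_report(cfg))
```

In the broken case the following parameter is consumed as the separator's value, so that setting is silently never applied; the same check is worth running on any line that ends in a backslash.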
Re: FW: [Samba] samba as a domain member
Note that not only do you need to mess with pam, you need to compile ssh again to use kerberos/pam.

David

David Shapiro Unix Team Lead 919-765-2011

Guillermo Gutierrez [EMAIL PROTECTED] 3/1/2006 8:05 PM

whoops, forgot to copy the list on it. sorry.

Well, an update. I can log in to the console using any domain profiles, but, I can not access the exposed home directory through NetBeui (My Network Places/Network Neighborhood). Also, how should I configure /etc/pam.d/sshd to allow domain users to authenticate and logon through an ssh client (PuTTY?, OpenSSH?)

-Original Message-
From: Guillermo Gutierrez
Sent: Wednesday, March 01, 2006 12:47 PM
To: 'David Shapiro'
Subject: RE: [Samba] samba as a domain member

yes, getent passwd returns users and what appears to be machine names as well. wbinfo -u returns user info and computer info. wbinfo -g returns domain groups . Since I sent this email a couple of things changed. the above commands no longer display the domain as part of the info. I cannot get into my home directory which is shared but with a valid user of valid users = %S in the smb.conf.

-Original Message-
From: David Shapiro [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 01, 2006 12:32 PM
To: Guillermo Gutierrez
Subject: Re: [Samba] samba as a domain member

Is the getent passwd returning users? Does wbinfo -u and wbinfo -g return users and groups?

David

David Shapiro Unix Team Lead 919-765-2011

Guillermo Gutierrez [EMAIL PROTECTED] 3/1/2006 1:09:26 PM

Hello, I am new to this list but I have been learning to use linux/bsd and samba for the past year. so far I have been able to learn enough on my own to be able to successfully set up a functional samba server on FreeBSD and Gentoo Linux boxes. I am trying to learn how to integrate them into an Active Directory windows 2003 server domain. So far I have verified that Kerberos and ldap and winbind (I think) are functioning correctly. I am able to do a 'kinit [EMAIL PROTECTED]' command and not get a failure.

I am able to see all of the groups and users/systems in the domain from getent commands. My problem is that I can't access samba shares when permissions are set using domain users. I can access the /home/samba/public share if I DON'T specify a 'valid users =' line in the smb.conf file, but not the other way around. Here is what my smb.conf file looks like:

# Samba config file created using SWAT
# from 10.11.7.56 (10.11.7.56)
# Date: 2006/03/01 09:45:11

[global]
        workgroup = MARKETSCAN
        realm = MARKETSCAN.COM
        server string = %h Samba Server
        interfaces = lo, eth0
        bind interfaces only = Yes
        security = ADS
        auth methods = winbind
        password server = nostradmus, nostradamus_ii, nostradamus_cam
        log file = /var/log/samba/log.%m
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        load printers = No
        preferred master = No
        dns proxy = No
        wins proxy = No
        wins server = 10.11.3.198
        ldap ssl = no
        passdb expand explicit = No
        idmap uid = 1-2
        idmap gid = 1-2
        template shell = /bin/bash
        winbind separator =
        max log size = 50
        winbind use default domain = Yes

[public]
        comment = %h Public Share
        path = /home/samba/public
        read only = No
        force create mode = 0777
        force directory mode = 0777
        guest ok = Yes

[homes]
        comment = Home Directory for %U
        path = /home/%D/%U
        valid users = %S
        read only = No
        force create mode = 0777
        force directory mode = 0777
        browseable = No

I would greatly appreciate any help.

thanks,
Guillermo Gutierrez
Development Systems Engineer
Market Scan Information Systems
(818) 575-2000 x2427
[EMAIL PROTECTED]
Re: [Samba] 3.0.21c: idmap_rid segfaults on AIX 5.3 ML4
Not sure what the fix is yet, but I did put in a bug report for this already. No fix has come other than them saying do not use pthreads. I am not sure how to get it not to use pthreads (there is not --disable-pthreads option or something like that). I wonder if using an old gcc like 2.95 might do the trick, but I do not have that version. It really would be better if they had a --disable-pthreads option.

David Shapiro Unix Team Lead 919-765-2011

Jurjen Oskam [EMAIL PROTECTED] 2/28/2006 8:01:58 AM

Hi everyone, I'm trying to use idmap_rid on an AIX 5.3 ML4 machine. Samba compiled successfully using the IBM compiler (vac.C) version 6. The only programs I supplied were db and libiconv. I followed the instructions, and put nsswitch/WINBIND in /usr/lib/security, and edited /usr/lib/security/methods.cfg. When I start winbindd -i, it coredumps with a Signal 11:

(dbx) where
raise.raise(??) at 0xd030e694
abort.abort() at 0xd033c85c
smb_panic2(0x20139ba8, 0x1) at 0x10058350
smb_panic(0x20139ba8) at 0x100583a4
fault_report(0xb) at 0x101677b0
sig_fault(0xb) at 0x10167508
glink.atoi() at 0xd17a0b68
init_module() at 0xd17a04f8
do_smb_load_module(0x2ff22010, 0x1) at 0x10050b00
smb_probe_module(0x200e9958, 0x2017c01e) at 0x100511d4
idmap_init(0x201755e8) at 0x1008d2b0
main(0x2, 0x2ff22b24) at 0x10002970

A level 10 log shows:

# winbindd -i
winbindd version 3.0.21c started.
Copyright The Samba Team 2000-2004 INFO: Current debug levels: all: True/10 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 Processing section [homes] add_a_service: Creating snum = 0 for homes hash_a_service: creating tdb servicehash hash_a_service: hashing index 0 for service name homes doing parameter read only = No doing parameter browseable = No Processing section [nmon] add_a_service: Creating snum = 1 for nmon hash_a_service: hashing index 1 for service name nmon doing parameter path = /var/log/nmon doing parameter valid users = +beheer doing parameter read only = yes Processing section [controlcenter] add_a_service: Creating snum = 2 for controlcenter hash_a_service: hashing index 2 for service name controlcenter doing parameter path = /export/nim/non-nim/controlcenter doing parameter read only = yes doing parameter guest ok = yes pm_process() returned Yes add_a_service: Creating snum = 3 for IPC$ hash_a_service: hashing index 3 for service name IPC$ adding IPC service add_a_service: Creating snum = 4 for ADMIN$ hash_a_service: hashing index 4 for service name ADMIN$ adding IPC service set_server_role: role = ROLE_DOMAIN_MEMBER Attempting to register new charset UCS-2LE Registered charset UCS-2LE Attempting to register new charset UTF-16LE Registered charset UTF-16LE Attempting to register new charset UCS-2BE Registered charset UCS-2BE Attempting to register new charset UTF-16BE Registered charset UTF-16BE Attempting to register new charset UTF8 Registered charset UTF8 Attempting to register new charset UTF-8 Registered charset UTF-8 Attempting to register new charset ASCII Registered charset ASCII Attempting to register new charset 646 Registered charset 646 Attempting to register new charset ISO-8859-1 Registered charset ISO-8859-1 
Attempting to register new charset UCS2-HEX Registered charset UCS2-HEX Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE Substituting charset 'ISO8859-1' for LOCALE added interface ip=192.168.1.115 bcast=192.168.1.255 nmask=255.255.255.0 added interface ip=172.17.1.115 bcast=172.17.255.255 nmask=255.255.0.0 Netbios name list:- my_netbios_names[0]=TSM-LPAR added interface ip=192.168.1.115 bcast=192.168.1.255 nmask=255.255.255.0 added interface ip=172.17.1.115 bcast=172.17.255.255 nmask=255.255.0.0 Opening cache file at /opt/Samba/3.0.21c/var/locks/gencache.tdb namecache_enable: enabling netbios namecache, timeout 660 seconds smb_register_idmap: Successfully added idmap backend 'tdb' db_idmap_init: Opening tdbfile /opt/Samba/3.0.21c/var/locks/winbindd_idmap.tdb idmap_init
Re: [Samba] Building 3.0.21x on AIX 5.2
Note: do not use binutils

#!/bin/ksh -x
export LIBPATH=/usr/lib:/usr/local/lib:/opt/freeware/lib
env CC=gcc \
  CFLAGS="-DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern -D_LINUX_SOURCE_COMPAT" \
  CPPFLAGS="-I/usr/local/bdb/include -I/usr/local/ssl/include -I/usr/local/include -I/usr/include" \
  LDFLAGS="-L/usr/local/bdb/lib -L/usr/local/cyrus-sasl/lib -L/usr/local/ssl/lib -L/usr/local/openldap/lib -L/usr/lib -L/usr/local/lib" \
  ../configure --prefix=/usr/local/samba --with-shared-modules=idmap_ad,idmap_rid --with-ads --with-ldap --with-pam --with-krb5=/usr/local/heimdal-krb5 --with-winbind --with-acl-support --with-utmp --with-quotas --with-sendfile-support --with-aio-support --enable-shared=yes --disable-static
/usr/local/bin/gmake
/usr/local/bin/gmake install
for i in WINBIND pam_winbind.so; do
  if [ -f /usr/lib/security/$i ]; then
    mv /usr/lib/security/$i /usr/lib/security/$i.old
    chmod 555 nsswitch/$i
    cp nsswitch/$i /usr/lib/security
    rm /usr/lib/security/$i.old
  else
    cp nsswitch/$i /usr/lib/security
  fi
done

# Add to /usr/lib/security config file

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly

David Shapiro Unix Team Lead 919-765-2011

Tim Evans [EMAIL PROTECTED] 2/27/2006 7:57:54 AM

On Mon, 27 Feb 2006 07:18:25 -0500, William Jojo wrote

I'm not able to create this on my 5.2 box, but I'm using gcc 3.4.4. Can you tell me more about your installation? Compiler, additional products?

Thanks for your reply. gcc is 3.3.2, as delivered in IBM's /opt/freeware directory.

lslpp -L | grep -i gcc
gcc 3.3.2-3 C R GNU Compiler Collection

configure options:

configured by ./configure, generated by GNU Autoconf 2.59, with options \'--with-acl-support' '--with-utmp' '--with-sendfile-support' '--with-syslog' '--with-quotas' 'CC=gcc -D_LINUX_SOURCE_COMPAT'\

Do you want the config.log?

--
Tim Evans, TKEvans.com, Inc. | 5 Chestnut Court
[EMAIL PROTECTED] | Owings Mills, MD 21117
http://www.tkevans.com/ | 443-394-3864
http://www.come-here.com/News/ |
Re: [Samba] Compiling Samba on AIX 5.3 with idmap_rid fails
I have put a bug in for this a couple weeks ago. I have the same issue with 5.2. I think it is somehow related to pthread support in our gcc compilers. I wonder if we would have better luck with ibm visualage... Do you have ibm's compiler to test this theory?

David

David Shapiro Unix Team Lead 919-765-2011

Jurjen Oskam [EMAIL PROTECTED] 2/25/2006 5:14:07 PM

Hi everyone, I'm trying to use idmap_rid with Samba 3.0.21c on AIX 5.3. So far, I've not been successful. I've followed the method from http://us5.samba.org/samba/ftp/Binary_Packages/AIX/README to compile Samba, but added --with-static-modules=idmap_rid. Also, I used IBM's compiler and not gcc. The compilation fails as follows:

[...]
Compiling sam/idmap.c
Compiling sam/idmap_util.c
Compiling sam/idmap_ldap.c
Compiling sam/idmap_tdb.c
Compiling sam/idmap_rid.c
Linking bin/winbindd
ld: 0711-317 ERROR: Undefined symbol: .idmap_rid_init
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
make: The error code from the last command is 8.

When I use gcc, it also fails at the same point. I also tried --with-shared-modules=idmap_rid. The compilation then succeeds, but winbindd then instantly crashes with a signal 11. What can I do to properly diagnose this problem?

-- Jurjen Oskam
Re: [Samba] Confused about groups and access
Unfortunately, aix does not have getent command.

You have 'winbind nested groups = yes' (I know this is obvious).
YES

* Does 'id username' show the correct listing of groups?
only after I log into the box as the user and then do an su to that user as an extra step do I see all the groups. before that, all I see is domain users.

* Does `getent group ntcdw` return the group info?
* Does `getent group $gid_ntcdw` return the group info? ($gid_ntcdw is the numeric gid of ntcdw).

David Shapiro Unix Team Lead 919-765-2011

Gerald (Jerry) Carter [EMAIL PROTECTED] 2/24/2006 9:47 AM

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

David Shapiro wrote:

My nt admin made a group for my samba server called Share_Dfsroot_pvcs-cdw_C and added me as a member. I made a nested group on my side with

net rpc group add ntcdw -L -Ux

I then added the Share_Dfsroot... with

net rpc group addmem ntcdw DOMAIN+Share_Dfsroot... -Ux

net rpc group members ntcdw -U shows: DOMAIN\Share_Dfsroot... so all looks good. I then created on unix side a group called ntcdw and then tried to associate ntcdw (ntgroup) with ntcdw (unix group) with:

net groupmap modify ntgroup=ntcdw unixgroup=ntcdw

I then set my share directory to be owned by the unix group ntcdw and set permissions to 770 on the directory. When I try to cd into the directory with my workstation login, it says Permission Denied.

David, Couple of things to check:

* You have 'winbind nested groups = yes' (I know this is obvious).
* Does 'id username' show the correct listing of groups?
* Does `getent group ntcdw` return the group info?
* Does `getent group $gid_ntcdw` return the group info? ($gid_ntcdw is the numeric gid of ntcdw).

cheers, jerry

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFD/xx8IR7qMdg1EfYRAvB+AKCeDLX/izARPlVHgbAXU7XT9/5bFACeMVw4 uAhx5X4VHclq2gTz0mI8AjQ= =hvBN
-END PGP SIGNATURE-
[Samba] Confused about groups and access
Hello, My nt admin made a group for my samba server called Share_Dfsroot_pvcs-cdw_C and added me as a member. I made a nested group on my side with

net rpc group add ntcdw -L -Ux

I then added the Share_Dfsroot... with

net rpc group addmem ntcdw DOMAIN+Share_Dfsroot... -Ux

net rpc group members ntcdw -U shows: DOMAIN\Share_Dfsroot... so all looks good. I then created on unix side a group called ntcdw and then tried to associate ntcdw (ntgroup) with ntcdw (unix group) with:

net groupmap modify ntgroup=ntcdw unixgroup=ntcdw

I then set my share directory to be owned by the unix group ntcdw and set permissions to 770 on the directory. When I try to cd into the directory with my workstation login, it says Permission Denied. What am I doing wrong?

David

David Shapiro Unix Team Lead 919-765-2011
[Samba] permission denied accessing directories - groupmap - please help
Hello, User can ssh into the box fine, but the directories I groupmapped are not translating (maybe they are not supposed to?) I have, for example, a share called Share_Dfsroot_pvcs-cdw_C that I used net groupmap to map to a unix directory called cdw. I set the group id to match what Share_Dfsroot_pvcs_cdw_C uses in /etc/group. I chgrp cdw on a directory. When the user logs into the server, the directories get translated back to Share_Dfsroot_pvcs_cdw_C, which I see when I run ls -la as the user (it actually shows just the first 8 characters). Wasn't groupmap supposed to map the group name to cdw? I sure could use some help on this soon if at all possible. David David Shapiro Unix Team Lead 919-765-2011
[Samba] problem with winbind
Hello, When I log in with ssh and type the command id on aix system, I get just a little information:

uid=10(mylogin) gid=10(domain users)

If I login in as a local unix account and su to mylogin, id shows me a lot more information:

uid=10(u785755) gid=10(domain users) groups=11(Citrix Prod RA-iSeries),12(Dept IS Work Orders F),13(Citrix Prod RA-Telnet),14(Citrix Prod RA-Reflections X),15(Citrix Prod RA-Snapshot Viewer),16(Citrix Prod RA-PowerMHS Production),17(Proj DisasterRecov R),18(Proj WeckDrPowerUG R),19(Durham Campus GPO),100010(Citrix Prod RA-Explorer),100011(Citrix Prod RA-MS Office 2000),100012(Citrix Prod RA-Groupwise),100013(Citrix Prod RA-IE MyTime),100014(Dept NetMgmtWeb2 R),100015(Citrix Prod RA-IE ESEM),100016(Distributed Systems),100017(Proj FastTrack SOP F),100018(Citrix Prod RA-MS Project 2002),102854(Share_Dfsroot_pvcs-cdw_C),100019(Citrix Prod RA-Service Center),100020(Adm_Unix_Team),100021(Citrix Prod RA-Extra1),100022(Citrix Prod RA-Reflections VT),100023(Citrix Prod RA-IE Intraweb),100024(Citrix Prod RA-Extra2)

This is a problem because all my groupmap/group access settings on directories is failing because it does not know that the user is a member of the group allowed to access my directory and files I want them to access. Why is this happening? What can I do to fix this?

David

David Shapiro Unix Team Lead 919-765-2011
Re: [Samba] Samba domain groups
Try: net groupmap cleanup

David Shapiro Unix Team Lead 919-765-2011

Bjørn Fahnøe [EMAIL PROTECTED] 2/23/2006 7:39 AM

When I do a net groupmap list I get

Domain Admins (S-1-5-21-1760016482-394088656-2614712563-512) - root
Domain Admins (S-1-5-21-1941513877-1053742263-1100610399-512) - -1
Domain Admins (S-1-5-21-57081839-3644741509-3819056003-512) - -1
Domain Guests (S-1-5-21-1760016482-394088656-2614712563-514) - nogroup
Domain Guests (S-1-5-21-1941513877-1053742263-1100610399-514) - -1
Domain Guests (S-1-5-21-57081839-3644741509-3819056003-514) - -1
Domain Users (S-1-5-21-1760016482-394088656-2614712563-513) - users
Domain Users (S-1-5-21-1941513877-1053742263-1100610399-513) - -1
Domain Users (S-1-5-21-57081839-3644741509-3819056003-513) - -1

Why is there 3 groups of every kind? I have not done anything to get them. Can I delete the groups that is not mapped to unixgroups with Webmin? Or shall I let them exist and not bother about them?

Bjørn Fahnøe
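Before cleaning up a group map like the one posted above, it helps to see how the entries split by domain SID and which of those SIDs have no Unix group behind them. The Python sketch below is an added example, not part of the original posts or of Samba; it parses the listing exactly as posted (accepting both the "->" that net groupmap list prints and the "-" shown in this archive), and its function names are illustrative.

```python
# Added example: group a "net groupmap list" dump by domain SID.
import re
from collections import defaultdict

# Listing as posted in the thread above.
LISTING = """\
Domain Admins (S-1-5-21-1760016482-394088656-2614712563-512) - root
Domain Admins (S-1-5-21-1941513877-1053742263-1100610399-512) - -1
Domain Admins (S-1-5-21-57081839-3644741509-3819056003-512) - -1
Domain Guests (S-1-5-21-1760016482-394088656-2614712563-514) - nogroup
Domain Guests (S-1-5-21-1941513877-1053742263-1100610399-514) - -1
Domain Guests (S-1-5-21-57081839-3644741509-3819056003-514) - -1
Domain Users (S-1-5-21-1760016482-394088656-2614712563-513) - users
Domain Users (S-1-5-21-1941513877-1053742263-1100610399-513) - -1
Domain Users (S-1-5-21-57081839-3644741509-3819056003-513) - -1
"""

ENTRY = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-[0-9-]+)\) -+>? (?P<unix>\S+)$"
)


def parse_groupmap(listing):
    """Return one dict per mapping line; unparsable lines are skipped."""
    entries = []
    for line in listing.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue
        # A group SID is the domain SID plus a trailing RID (512, 513, 514...).
        domain_sid, rid = match.group("sid").rsplit("-", 1)
        entries.append({
            "name": match.group("name"),
            "domain_sid": domain_sid,
            "rid": int(rid),
            "unix": match.group("unix"),
        })
    return entries


def by_domain(entries):
    """Split entries per domain SID into mapped and unmapped (-1) groups."""
    domains = defaultdict(lambda: {"mapped": [], "unmapped": []})
    for entry in entries:
        bucket = "unmapped" if entry["unix"] == "-1" else "mapped"
        domains[entry["domain_sid"]][bucket].append((entry["name"], entry["unix"]))
    return dict(domains)


def unmapped_domains(entries):
    """Domain SIDs whose entries all point at no Unix group."""
    return sorted(sid for sid, groups in by_domain(entries).items()
                  if not groups["mapped"])


if __name__ == "__main__":
    parsed = parse_groupmap(LISTING)
    for sid, groups in by_domain(parsed).items():
        print(sid, "mapped:", groups["mapped"], "unmapped:", len(groups["unmapped"]))
    print("domain SIDs with no Unix mapping:", unmapped_domains(parsed))
```

On the posted listing this shows three distinct domain SIDs, only one of which carries the root, nogroup and users mappings.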
Re: [Samba] How to control who can log into the samba box
Do you have an example of the hide/veto option you used and sshd_config mod you did to do this?

David

David Shapiro Unix Team Lead 919-765-2011

Gordon Messmer [EMAIL PROTECTED] 2/21/2006 12:01:32 PM

David Shapiro wrote:

I have samba set up using winbind so that I can ssh into the box with my DOMAIN\mylogin. That's great...kind of. How do I control which users can login to the box?

I usually do that by reconfiguring sshd for key-only authentication (that is, disable password based auth). Configure samba to hide or veto the ssh authorized_keys file, and you alone will have access to add keys for the users to whom you want to grant login privileges.
[Samba] How to control who can log into the samba box
Hello, I have samba set up using winbind so that I can ssh into the box with my DOMAIN\mylogin. That's great...kind of. How do I control which users can login to the box? As it stands now, all users in DOMAIN can log in, which is not desirable. Do I need to map domain groups to unix groups? Do I need to map domain users to the box some how? Even if I do that, how do I then set it up so some users can log into the server and others cannot? David Shapiro Unix Team Lead 919-765-2011
[Samba] idmap rid backend core and INTERNAL ERROR Signal 11
idmap_init: using 'rid' as remote backend
Probing module 'rid'
Probing module 'rid': Trying to load from /usr/local/samba/lib/idmap/rid.so
===
INTERNAL ERROR: Signal 11 in pid 50910 (3.0.21b)
Please read the Trouble-Shooting section of the Samba3-HOWTO
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
===
PANIC: internal error
IOT/Abort trap(coredump)

Any idea why this is core dumping? The samba3-howto doesn't help at all.

David Shapiro Unix Team Lead 919-765-2011
Re: [Samba] Samba does not work with new AD groups
Perhaps:

chgrp ll_main/rhmps /u01/test
chmod 775 /u01/test
valid users = @ll_main/rhmps

David

David Shapiro Unix Team Lead 919-765-2011

Parker, Michael [EMAIL PROTECTED] 2/15/2006 9:25 AM

Hi all, I've configured a system to authenticate with an AD 2k3 domain (all domain controllers have SP1) using winbind. I have joined the server to the domain as well. I created some shares to work with AD groups. Here's a quick snippet of a share from my smb.conf file:

[test]
        comment = test share for winbind testing
        path = /u01/test
        write list = @ll_main/rhmps

The problem I have is if I tell the write list command to use an existing AD group which I am already a member of, I can write to the share. If on the other hand, I create a new AD group, add my user account to the group, then tell the write list to use the new group, I cannot write to the share. I have rebooted my test workstations, tried writing to the share from multiple XP (SP2), workstations logged out/in, and rebooted my smb server. Nothing seems to help and I'm not seeing anything in any logs to explain the problem. Any help would be greatly appreciated. If I can get it to work, I plan to put this into production. Do you think it would be wise? My samba server is a redhat 3.0 box with update 5. The samba version is samba-3.0.9-1.3E.5

Thanks in advance for the help.

Michael
[Samba] how to control what users can log into the box if using ad/pam-ssh/winbindd?
Hello, Well, it looks pretty cool. I can ssh in as DOMAIN+username. I could not find a pam_mkhomedir for aix, but I am using a preexec to make the home directories and templates to get around that for now. The question is: how do I make it so some domain users can login in, but other users cannot? I am not real familiar with ad by the way. Do I need to make organizational units and join that unit, or will domain users still have access? David David Shapiro Unix Team Lead 919-765-2011
Re: [Samba] Setting the user shell...
Check out the template homedir and shell options.

David Shapiro Unix Team Lead 919-765-2011

Ross McInnes [EMAIL PROTECTED] 2/16/2006 11:15 AM

Hi the list, Bit of an odd one, have asked before but its now a real issue. I have all working fine and dandy AD and 6/7 Samba boxes getting user auth/details from the AD. Normally you would specify the user shell in /etc/passwd, but to get AD authing working, getent passwd username returns /bin/false. I really need to be able to change this info. I cant see anywhere to change this nor anywhere in docs/online/google/tea leaves either :/ Any help gratefully received.

Ross
[Samba] winbind and pam and ssh that's pam enabled
Okay, winbind works and I can su - DOMAIN+user now. When I try to log in with ssh (pam enabled), however, I see in the log it accepts my password, but then the session closes. My pam.conf has;

su      auth      sufficient  /usr/lib/security/pam_winbind.so
login   auth      sufficient  /usr/lib/security/pam_winbind.so debug
sshd    auth      sufficient  /usr/lib/security/pam_winbind.so debug
OTHER   auth      required    /usr/lib/security/pam_aix
su      account   sufficient  /usr/lib/security/pam_winbind.so
login   account   sufficient  /usr/lib/security/pam_winbind.so debug
sshd    account   sufficient  /usr/lib/security/pam_winbind.so debug
OTHER   account   required    /usr/lib/security/pam_aix
su      password  sufficient  /usr/lib/security/pam_winbind.so
login   password  sufficient  /usr/lib/security/pam_winbind.so debug
sshd    password  sufficient  /usr/lib/security/pam_winbind.so debug
OTHER   password  required    /usr/lib/security/pam_aix
sshd    session   sufficient  /usr/lib/security/pam_aix debug
OTHER   session   required    /usr/lib/security/pam_aix

I read that winbind is providing just auth, account, and password capabilities, so I guess pam_aix is what is dropping the session. Do I need to do some voodoo to get from auth, account, password to session? My /usr/lib/security/methods.cfg file has:

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE

NISPLUS:
        program = /usr/lib/security/NISPLUS

KRB5:
        program = /usr/lib/security/KRB5

KRB5A:
        program = /usr/lib/security/KRB5A

WINBIND:
        program = /usr/lib/security/WINBIND

David Shapiro Unix Team Lead 919-765-2011
[Samba] libldap not found
Can anybody clue me in on why this build script is failing?

    checking for ldap.h... yes
    checking lber.h usability... yes
    checking lber.h presence... yes
    checking for lber.h... yes
    checking for ber_scanf in -llber... no
    checking for ldap_init in -lldap... no
    checking for ldap_set_rebind_proc... no
    checking whether ldap_set_rebind_proc takes 3 arguments... 3
    configure: error: libldap is needed for LDAP support
    + [ 1 != 0 ]

    #!/bin/ksh -x
    env CC=gcc \
    CFLAGS="-DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern -D_LINUX_SOURCE_COMPAT" \
    CPPFLAGS="-I/usr/local/bdb/include -I/usr/local/ssl/include -I/usr/local/openldap/include" \
    LDFLAGS="-L/usr/local/bdb/lib -L/usr/local/cyrus-sasl/lib -L/usr/local/openldap/lib -L/usr/local/ssl/lib" \
    ../configure --prefix=/usr/local/samba --with-shared-modules=idmap_ad,idmap_rid \
    --with-ads --with-ldap --with-ldapsam --with-pam --with-krb5=/usr/local/kerberos --with-winbind \
    --with-acl-support --with-utmp --with-quotas --with-sendfile-support \
    --with-aio-support --enable-shared=no --enable-static=yes
    if [ $? != 0 ]; then
        echo "Configure failed so exiting..."
        exit 1
    fi
    /usr/local/bin/gmake
    /usr/local/bin/gmake install
    if [ $? != 0 ]; then
        echo "Build failed so exiting..."
        exit 1
    fi
    for i in WINBIND pam_winbind.so; do
        if [ -f /usr/lib/security/$i ]; then
            mv /usr/lib/security/$i /usr/lib/security/$i.old
            chmod 555 nsswitch/$i
            cp nsswitch/$i /usr/lib/security
            rm /usr/lib/security/$i.old
        else
            cp nsswitch/$i /usr/lib/security
        fi
    done

David Shapiro
Unix Team Lead
919-765-2011
Re: [Samba] libldap not found
Why does it need a shared library? Can't it use static?

David

I see in /usr/local/openldap/lib:

    drwxr-sr-x  10 root system     512 Feb  7 15:22 ..
    -rw-r--r--   1 root system  293847 Feb  8 14:58 liblber-2.3.a
    lrwxrwxrwx   1 root system      13 Feb 12 23:01 liblber.a -> liblber-2.3.a
    -rw-r--r--   1 root system     868 Feb  8 14:58 liblber.la
    -rw-r--r--   1 root system 3909639 Feb  8 14:58 libldap-2.3.a
    lrwxrwxrwx   1 root system      13 Feb 12 23:01 libldap.a -> libldap-2.3.a
    -rw-r--r--   1 root system     952 Feb  8 14:58 libldap.la
    -rw-r--r--   1 root system 4247339 Feb  8 14:58 libldap_r-2.3.a
    lrwxrwxrwx   1 root system      15 Feb 12 23:01 libldap_r.a -> libldap_r-2.3.a
    -rw-r--r--   1 root system     962 Feb  8 14:58 libldap_r.la

openldap was built with:

    env CC="gcc -D_LINUX_SOURCE_COMPAT -D_THREAD_SAFE" \
    CPPFLAGS="-I/usr/local/bdb/include -I/usr/local/cyrus-sasl/include -I/usr/local/ssl/include" \
    LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/bdb/lib -L/usr/local/cyrus-sasl/lib -lpthread" \
    ../configure --enable-dynamic --enable-spasswd \
    --enable-bdb --enable-crypt --enable-slapd --enable-slurpd \
    --with-cyrus-sasl=yes --with-tls=openssl --enable-rlookups \
    --with-threads=posix --prefix=/usr/local/openldap \
    --enable-shared=no --enable-static=yes \
    --with-ssl=/usr/local/ssl --with-tls
    gmake depend
    gmake
    gmake install

David Shapiro
Unix Team Lead
919-765-2011

Dan [EMAIL PROTECTED] 2/13/2006 1:12 PM

It sounds like it can not find your libldap library in any of the paths you specified. Do you have a locate program such that you could try locate libldap and see if/where it shows up?

David Shapiro wrote:

> Can anybody clue me in on why this build script is failing?
>
>     checking for ldap.h... yes
>     checking lber.h usability... yes
>     checking lber.h presence... yes
>     checking for lber.h... yes
>     checking for ber_scanf in -llber... no
>     checking for ldap_init in -lldap... no
>     checking for ldap_set_rebind_proc... no
>     checking whether ldap_set_rebind_proc takes 3 arguments... 3
>     configure: error: libldap is needed for LDAP support
>     + [ 1 != 0 ]
>
>     #!/bin/ksh -x
>     env CC=gcc \
>     CFLAGS="-DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern -D_LINUX_SOURCE_COMPAT" \
>     CPPFLAGS="-I/usr/local/bdb/include -I/usr/local/ssl/include -I/usr/local/openldap/include" \
>     LDFLAGS="-L/usr/local/bdb/lib -L/usr/local/cyrus-sasl/lib -L/usr/local/openldap/lib -L/usr/local/ssl/lib" \
>     ../configure --prefix=/usr/local/samba --with-shared-modules=idmap_ad,idmap_rid \
>     --with-ads --with-ldap --with-ldapsam --with-pam --with-krb5=/usr/local/kerberos --with-winbind \
>     --with-acl-support --with-utmp --with-quotas --with-sendfile-support \
>     --with-aio-support --enable-shared=no --enable-static=yes
>     if [ $? != 0 ]; then
>         echo "Configure failed so exiting..."
>         exit 1
>     fi
>     /usr/local/bin/gmake
>     /usr/local/bin/gmake install
>     if [ $? != 0 ]; then
>         echo "Build failed so exiting..."
>         exit 1
>     fi
>     for i in WINBIND pam_winbind.so; do
>         if [ -f /usr/lib/security/$i ]; then
>             mv /usr/lib/security/$i /usr/lib/security/$i.old
>             chmod 555 nsswitch/$i
>             cp nsswitch/$i /usr/lib/security
>             rm /usr/lib/security/$i.old
>         else
>             cp nsswitch/$i /usr/lib/security
>         fi
>     done
>
> David Shapiro
> Unix Team Lead
> 919-765-2011
Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)
When I tried to run the commands you suggested, I got the following:

    lsuser -R WINBIND ALL
    Invalid -R option WINBIND
    Usage: lsuser [-R load_module] [ -c | -f ] [ -a attr attr ... ] { ALL | user1,user2 ... }

The WINBIND entry that I copied from the nsswitch directory after the make install is in /usr/lib/security. Why does it not think this is a valid module?

David

David Shapiro
Unix Team Lead
919-765-2011

Doug VanLeuven [EMAIL PROTECTED] 2/9/2006 11:03:38 PM

David Shapiro wrote:

> What can I look at to understand why chown keeps saying user does not exist.
> wbinfo -u/-g returns the user information
> klist -v shows kerberos is working
> net ads join works fine
> wbinfo -t shows secret is fine
> aix does not have getent so I can't run getent passwd -- is there something equivalent on aix?

Closest you're going to get is lsuser -R load_module

    lsuser -R NIS ALL
    lsuser -R LDAP ALL
    lsuser -R WINBIND ALL

and of course lsgroup -R load_module

> /usr/lib/security/methods.cfg has:
> WINBIND:
>     program = /usr/lib/security/WINBIND (set with chmod 444)
>     options = authonly

Authonly means it's not capable of supplying any user information. I don't know that's true anymore. Look in source/nsswitch/winbind_nss_aix.c. Available methods are at the end of the file. Not all methods are implemented, and not all methods implemented return a valid answer.

Regards, Doug
[Samba] WINBIND security methods does not load
I cannot load WINBIND for some reason anymore since some time yesterday morning. I used to not be able to remove WINBIND or copy over it because it would say it is in use, but now I can, which shows it is not in use. In addition, lsuser -R WINBIND does not load the module. What can I do to help determine why this is not loading?

David

David Shapiro
Unix Team Lead
919-765-2011
[Samba] Fwd: WINBIND security methods does not load
Hmm, I am not sure why this worked, but I moved my WINBIND stanza in /usr/lib/security/methods.cfg up in the file prior to the PAM stanza, and saved it. After this, I was able to load the module. Any ideas on why this worked?

David

David Shapiro
Unix Team Lead
919-765-2011

David Shapiro 2/10/2006 9:32:14 AM

> I cannot load WINBIND for some reason anymore since some time yesterday morning. I used to not be able to remove WINBIND or copy over it because it would say it is in use, but now I can, which shows it is not in use. In addition, lsuser -R WINBIND does not load the module. What can I do to help determine why this is not loading?
>
> David
>
> David Shapiro
> Unix Team Lead
> 919-765-2011
Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)
Thanks for the info. Should I expect su - DOMAIN+mylogin to work? I can now do chown/chgrp commands. When I run su - DOMAIN+mylogin, I get in messages:

    Feb 10 17:39:59 svcanimp su: BAD SU from root to _010 at /dev/pts/5

and the message:

    3004-503 Cannot set process credentials.

goes out to stdout.

David

David Shapiro
Unix Team Lead
919-765-2011

Doug VanLeuven [EMAIL PROTECTED] 2/10/2006 3:22:37 PM

David Shapiro wrote:

> I only see winbind_nss_aix.po, but I do not see the .c file. NIS ALL works, but LDAP and WINBIND both do not.

Hi Dave,

I'm having to work from memory as the work I did on AIX ended last June. In addition, when I formulated the phase transitions from samba 2.x nt40 style member to samba 3.x AD member, it was 2003 and at that time, winbindd on AIX wouldn't support returning sufficient information to allow managing user and group accounts using the -R option to chuser, chgroup, mkuser, mkgroup, rmuser, rmgroup. That's why the writeups say

    /usr/lib/security/methods.cfg
    WINBIND:
        options=authonly

and

    KRB5A:
        options=authonly

So NIS and LDAP can be used to maintain the user and group attributes but winbind and kerberos were only used to authenticate an existing user defined locally or in NIS/LDAP, where LDAP is the AIX native LDAP security model.

If NIS works and LDAP and WINBIND don't, it looks like you've implemented NIS but not LDAP and WINBIND is configured to authonly. If winbind's capable of returning sufficient information to satisfy lsuser, remove the authonly option. I figured you'd look thru winbind_nss_aix.c and make a determination whether or not that was possible with your version of samba.

Regards, Doug

David Shapiro
Unix Team Lead
919-765-2011

Doug VanLeuven [EMAIL PROTECTED] 2/9/2006 11:03:38 PM

David Shapiro wrote:

> What can I look at to understand why chown keeps saying user does not exist.
> wbinfo -u/-g returns the user information
> klist -v shows kerberos is working
> net ads join works fine
> wbinfo -t shows secret is fine
> aix does not have getent so I can't run getent passwd -- is there something equivalent on aix?

Closest you're going to get is lsuser -R load_module

    lsuser -R NIS ALL
    lsuser -R LDAP ALL
    lsuser -R WINBIND ALL

and of course lsgroup -R load_module

> /usr/lib/security/methods.cfg has:
> WINBIND:
>     program = /usr/lib/security/WINBIND (set with chmod 444)
>     options = authonly

Authonly means it's not capable of supplying any user information. I don't know that's true anymore. Look in source/nsswitch/winbind_nss_aix.c. Available methods are at the end of the file. Not all methods are implemented, and not all methods implemented return a valid answer.

Regards, Doug
Re: [Samba] Question on AIX 5.2, Samba and NT domains
Welcome to the nightmare. Well, I have gleaned the following:

After your make install, go into nsswitch directory in source and copy WINBIND to /usr/lib/security. Next, add to /usr/lib/security/methods.cfg

    WINBIND:
        program = /usr/lib/security/WINBIND

Make sure this is before PAM: if that is in there. You should then be able to lsuser DOMAIN+user and do other commands too. I know that the length seems to be an issue (home directory does not work for me yet (DOMAIN+user 8). I also have not had luck getting any idmap_backend options to work (they all core dump winbindd). I have seen no good samba document either, although some mention to a dead link at redbooks was out there, so maybe somewhere on redbooks ibm site there is a doc.

David

David Shapiro
Unix Team Lead
919-765-2011

Kent Wick [EMAIL PROTECTED] 2/10/2006 12:33:08 PM

Environment:
AIX 5.2
Samba 3.0.21b (compiled at this site with Visualage C/C++ 6.0)

configure was run as:

    ./configure --prefix=/usr/local/samba --with-pam --with-acl-support --with-aio-support --with-winbind

Windows environment is a mix of Windows NT domain and Novell file servers.

Does anybody know of a single document or set of documents that have a cookbook approach to creating/modifying the necessary AIX files to work with Samba with pam, winbind and NSS support as a member server?

If I have userids in the NT domain that are longer than 8 characters, am I effed when trying to get them to seamlessly access Samba? AIX 5.2 and below do not allow a username or group name to have a value longer than 8 characters. Do I need a username map file for the long usernames? As far as I can tell, the issue of long names in NT versus limitations of some OS versions is never discussed.

The Samba3-HOWTO document(s) in Chapter 23 talk about the compile process creating the file libnss_winbind.so. Something changed between document and Makefile because I get a file named WINBIND automatically created.

In that same chapter, it goes on to talk about verifying winbind. I can run the wbinfo -u and wbinfo -g commands just fine and it returns the users and groups in the NT domain that Samba joined. Then the document talks about using getent to see both local (AIX) and PDC users and groups. Unfortunately, I don't have that one in executable form. I can see the getent source in the testsuite/nsswitch directory but when I compile just that program all that it returns is the local users, nothing from the PDC.

If I am using Samba as a member server, do I even need to worry about integrating PAM and winbindd?

Another few nits in the Samba-HOWTO in The Samba Checklist:

(1) When I run the smbclient -L sambasrvrname (as root), it asks for a password. When I give it the root password, it comes back with session setup failed: NT_STATUS_LOGON_FAILURE. When I just press enter in response to the password request, it responds that it connected anonymously and returns the necessary data.

(2) The nmblookup command in step 4 needs to be clarified a bit more. When I look at a print of the web page, it sure looks like the BIGSERVER and the __SAMBA__ are run together. For that matter, I had to go to the web page source to be certain that the __ was a double underscore and not a single. Given the way some laser printer formatting works, it is entirely possible that it could have been a single underscore.
Re: [Samba] horrifying slow samba.
set enum groups to no might help.

David Shapiro
Unix Team Lead
919-765-2011

Martijn Hazenberg [EMAIL PROTECTED] 2/10/2006 9:07:10 AM

Hi all,

We have a linux data server here, which used to be a workgroup member. Everything was fine then. Now we have a new sbs server here, so the data server had to be made into a domain member. To do that I followed this manual. The thing is now, that the samba shares on the data server are slow as h**l.

What can be the problem? Any ideas are welcome!

Code:

    [global]
    netbios name = DATASVR
    server string = DATASVR
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind gid = 1-2
    workgroup = GOVALOKAAL
    os level = 20
    winbind enum groups = yes
    socket address = 10.0.0.200
    password server = *
    preferred master = no
    winbind separator = +
    max log size = 50
    log file = /var/log/samba3/log.%m
    encrypt passwords = yes
    dns proxy = no
    realm = GOVA.LOKAAL
    security = ADS
    wins server = 10.0.0.201
    wins proxy = no
    workgroup = govalokaal

    [stuff]
    comment = stuff
    path = /raid/stuff
    writable = yes

and the krb5 config:

Code:

    datasvr etc # cat krb5.conf
    [libdefaults]
    default_realm = GOVA.LOKAAL

    [realms]
    GOVA.LOKAAL = {
    kdc = adserver.gova.lokaal
    }
    datasvr etc #

the hosts file:

Code:

    datasvr etc # cat hosts
    127.0.0.1 localhost
    10.0.0.201 adserver.gova.lokaal adserver

To enable samba to be a domain member I used the following manual:

http://forums.gentoo.org/viewtopic-t-114837-postdays-0-postorder-asc-start-0.html

thanks a lot!

martijn
Re: [Samba] chown DOMAIN+mylogin /dir fails (Please help)
What is the KRB5A option going to provide?

David Shapiro
Unix Team Lead
919-765-2011

Doug VanLeuven [EMAIL PROTECTED] 2/10/2006 3:22:37 PM

David Shapiro wrote:

> I only see winbind_nss_aix.po, but I do not see the .c file. NIS ALL works, but LDAP and WINBIND both do not.

Hi Dave,

I'm having to work from memory as the work I did on AIX ended last June. In addition, when I formulated the phase transitions from samba 2.x nt40 style member to samba 3.x AD member, it was 2003 and at that time, winbindd on AIX wouldn't support returning sufficient information to allow managing user and group accounts using the -R option to chuser, chgroup, mkuser, mkgroup, rmuser, rmgroup. That's why the writeups say

    /usr/lib/security/methods.cfg
    WINBIND:
        options=authonly

and

    KRB5A:
        options=authonly

So NIS and LDAP can be used to maintain the user and group attributes but winbind and kerberos were only used to authenticate an existing user defined locally or in NIS/LDAP, where LDAP is the AIX native LDAP security model.

If NIS works and LDAP and WINBIND don't, it looks like you've implemented NIS but not LDAP and WINBIND is configured to authonly. If winbind's capable of returning sufficient information to satisfy lsuser, remove the authonly option. I figured you'd look thru winbind_nss_aix.c and make a determination whether or not that was possible with your version of samba.

Regards, Doug

David Shapiro
Unix Team Lead
919-765-2011

Doug VanLeuven [EMAIL PROTECTED] 2/9/2006 11:03:38 PM

David Shapiro wrote:

> What can I look at to understand why chown keeps saying user does not exist.
> wbinfo -u/-g returns the user information
> klist -v shows kerberos is working
> net ads join works fine
> wbinfo -t shows secret is fine
> aix does not have getent so I can't run getent passwd -- is there something equivalent on aix?

Closest you're going to get is lsuser -R load_module

    lsuser -R NIS ALL
    lsuser -R LDAP ALL
    lsuser -R WINBIND ALL

and of course lsgroup -R load_module

> /usr/lib/security/methods.cfg has:
> WINBIND:
>     program = /usr/lib/security/WINBIND (set with chmod 444)
>     options = authonly

Authonly means it's not capable of supplying any user information. I don't know that's true anymore. Look in source/nsswitch/winbind_nss_aix.c. Available methods are at the end of the file. Not all methods are implemented, and not all methods implemented return a valid answer.

Regards, Doug
Re: [Samba] Autocreate user home directories.
    homes]
    root preexec = [ ! -e /home/%U ] && { /bin/cp -a /etc/skel /home/%U; /bin/chown -R %U.%G /home/%U; }
    create mask = 0600
    directory mask = 0700
    read only = no
    valid users = EXAMPLE\%S

David Shapiro
Unix Team Lead
919-765-2011

Trimble, Ronald D [EMAIL PROTECTED] 2/10/2006 12:11:10 PM

I am trying to set up our samba server to automatically create a user's home directory when they browse to it from a Windows computer. Is there a way to do this? I was looking at the root preexec option to try and do this, but I am not sure how to go about it. Has anybody done this? Can someone please help me out?

Thanks,
Ron
Re: [Samba] Autocreate user home directories.
    [homes]
    root preexec = [ ! -e /home/%U ] && { /bin/cp -a /etc/skel /home/%U; /bin/chown -R %U.%G /home/%U; }
    create mask = 0600
    directory mask = 0700
    read only = no
    valid users = EXAMPLE\%S

I think I chopped a piece off, so I am sending again.

David Shapiro
Unix Team Lead
919-765-2011

Trimble, Ronald D [EMAIL PROTECTED] 2/10/2006 12:11:10 PM

I am trying to set up our samba server to automatically create a user's home directory when they browse to it from a Windows computer. Is there a way to do this? I was looking at the root preexec option to try and do this, but I am not sure how to go about it. Has anybody done this? Can someone please help me out?

Thanks,
Ron
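Because root preexec runs as root with the connecting user's name substituted into the command line, the same job can be handed to a small script that checks the name before touching the filesystem. The script below is an added example, not from the thread: the install path /usr/local/sbin/mkhome.sh, the function names and the allowed character set are assumptions, and it would be called as "root preexec = /usr/local/sbin/mkhome.sh %U".

```shell
#!/bin/sh
# Added example: create a home directory for the user named in $1.
# Assumed smb.conf line:  root preexec = /usr/local/sbin/mkhome.sh %U
LC_ALL=C; export LC_ALL

HOME_BASE=${HOME_BASE:-/home}
SKEL_DIR=${SKEL_DIR:-/etc/skel}

# valid_name NAME: accept a single path component built from letters,
# digits and . _ + - only ("+" is the winbind separator used in this thread).
valid_name() {
    case $1 in
        ''|.|..|-*)          return 1 ;;   # empty, dot entries, option-like
        *[!A-Za-z0-9._+-]*)  return 1 ;;   # "/", whitespace, shell metacharacters
    esac
    [ "${#1}" -le 64 ]
}

# resolve_owner NAME: print "uid:gid" as the name service (winbind
# included) reports it; fail if the account does not resolve.
resolve_owner() {
    ro_uid=$(id -u "$1" 2>/dev/null) || return 1
    ro_gid=$(id -g "$1" 2>/dev/null) || return 1
    printf '%s:%s\n' "$ro_uid" "$ro_gid"
}

# make_home NAME: 0 if the home exists or was created, non-zero otherwise.
make_home() {
    mh_user=$1
    valid_name "$mh_user" || {
        echo "mkhome: rejected user name" >&2; return 2; }
    mh_owner=$(resolve_owner "$mh_user") || {
        echo "mkhome: user does not resolve" >&2; return 3; }
    mh_home=$HOME_BASE/$mh_user

    # Anything already at that path, a dangling symlink included, is left
    # alone; only a real directory counts as "already provisioned".
    if [ -L "$mh_home" ] || [ -e "$mh_home" ]; then
        if [ -d "$mh_home" ] && [ ! -L "$mh_home" ]; then
            return 0
        fi
        echo "mkhome: $mh_home exists and is not a directory" >&2
        return 4
    fi

    # mkdir without -p fails if the path appears in the meantime, and the
    # umask keeps the directory private from the moment it exists.
    (umask 077 && mkdir "$mh_home") || return 5
    cp -R "$SKEL_DIR/." "$mh_home/" || return 6
    # -h changes symlinks copied from the skeleton, not their targets.
    chown -hR "$mh_owner" "$mh_home" || return 7
    chmod 700 "$mh_home" || return 8
}

# Run directly only when a user name was passed on the command line.
[ "$#" -eq 0 ] || make_home "$1"
```

With "winbind separator = /", as in one of the configurations later in this thread, every DOMAIN/user name would be rejected by valid_name, so the "+" separator is assumed here.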
[Samba] SAMBA configuration nightmare (AIX) - idmaps do not work (core dump), ldap/nss_ldap and pam fail
    directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /usr/local/openldap/var/openldap-data

    ###
    # Cache
    ###
    # dbcachesize if database is ldbm instead of bdb
    cachesize 4
    # dbcachesize 6000
    checkpoint 512 720

    ###
    # Samba Indexes
    ###
    index objectClass eq
    index cn,sn,uid,displayName pres,sub,eq
    index uidNumber,gidNumber eq
    index sambaSID eq
    index sambaPrimaryGroupSID eq
    index objectClass pres,eq
    index sambaDomainName eq
    index rid,primaryGroupID eq
    index default sub

    access to *
        by self write
        by * read

Made directory /usr/local/openldap/var/openldap-data and set chmod 700.

Ran /usr/local/openldap/sbin/slapindex -f slapd.conf after loading samba.ldif with slapadd -f slapd.conf.

AIO:

AIO support is installed in this package. If you have problems starting Samba, try the following:

    $ lsdev -Cc posix_aio
    posix_aio0 Available Posix Asynchronous I/O

If the above says Defined instead of Available:

    $ mkdev -l posix_aio0
    posix_aio0 Available
    $ chdev -l posix_aio0 -a autoconfig=available -P
    posix_aio0 changed

David Shapiro
Unix Team Lead
919-765-2011
[Samba] pam samba and aix
Is it enough to get samba to work to do the following:

Add in /etc/security/user on the default SYSTEM line:

    SYSTEM = compat OR WINBIND    # OR or AND?

Add in /usr/lib/security/methods.cfg:

    PAM:
        program = /usr/lib/security/PAM

    WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
    *options = auth=PAM,db=BUILTIN

(do we need this line? If so, is BUILTIN always what you need if you use ads/tdb?) How do we know what to use?

pam.conf:

    # Authentication Management
    sshd    auth      required  /usr/lib/security/pam_aix
    ftpd    auth      required  /usr/lib/security/pam_winbind.so debug unknown_ok DOMAIN  # are these lines correct if I am trying to use pam for ftp (testing)
    OTHER   auth      required  /usr/lib/security/pam_aix

    # Account management
    sshd    account   required  /usr/lib/security/pam_aix
    ftpd    account   required  /usr/lib/security/pam_aix.so debug
    OTHER   account   required  /usr/lib/security/pam_aix

    # Password management
    sshd    password  required  /usr/lib/security/pam_aix
    ftpd    password  required  /usr/lib/security/pam_aix.so debug use_first_pass
    OTHER   password  required  /usr/lib/security/pam_aix

    # Session management
    sshd    session   required  /usr/lib/security/pam_aix
    ftpd    session   required  /usr/lib/security/pam_aix.so debug
    OTHER   session   required  /usr/lib/security/pam_aix

Where is the logging information so I can see what is going on? It is not in messages.

David Shapiro
Unix Team Lead
919-765-2011
[Samba] pam ftp login format?
Still hoping for some help here. If my pam setup is correct (not sure if it is), when I run ftp to connect, do I put my login as DOMAIN/mylogin, or do I use DOMAIN+mylogin (my separator is + in smb.conf), or do I do mylogin.

Please see my question sent earlier on pam setup:

Is it enough to get samba to work to do the following:

Add in /etc/security/user on the default SYSTEM line:

    SYSTEM = compat OR WINBIND    # OR or AND?

Add in /usr/lib/security/methods.cfg:

    PAM:
        program = /usr/lib/security/PAM

    WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
    *options = auth=PAM,db=BUILTIN

(do we need this line? If so, is BUILTIN always what you need if you use ads/tdb?) How do we know what to use?

pam.conf:

    # Authentication Management
    sshd    auth      required  /usr/lib/security/pam_aix
    ftpd    auth      required  /usr/lib/security/pam_winbind.so debug unknown_ok DOMAIN  # are these lines correct if I am trying to use pam for ftp (testing)
    OTHER   auth      required  /usr/lib/security/pam_aix

    # Account management
    sshd    account   required  /usr/lib/security/pam_aix
    ftpd    account   required  /usr/lib/security/pam_aix.so debug
    OTHER   account   required  /usr/lib/security/pam_aix

    # Password management
    sshd    password  required  /usr/lib/security/pam_aix
    ftpd    password  required  /usr/lib/security/pam_aix.so debug use_first_pass
    OTHER   password  required  /usr/lib/security/pam_aix

    # Session management
    sshd    session   required  /usr/lib/security/pam_aix
    ftpd    session   required  /usr/lib/security/pam_aix.so debug
    OTHER   session   required  /usr/lib/security/pam_aix

Where is the logging information so I can see what is going on? It is not in messages.

David Shapiro
Unix Team Lead
919-765-2011
[Samba] ads kerberos key problem
I tried to use the samba share that I was able to access this morning, but now I cannot get to it. The error in the client's log is:

    Doing spnego session setup
    [2006/02/09 13:14:02, 3] ../smbd/sesssetup.c:reply_sesssetup_and_X_spnego(664)
      NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
    [2006/02/09 13:14:02, 10] ../smbd/password.c:register_vuid(182)
      register_vuid: allocated vuid = 101
    [2006/02/09 13:14:02, 3] ../smbd/sesssetup.c:reply_spnego_negotiate(525)
      Got OID 1 2 840 48018 1 2 2
    [2006/02/09 13:14:02, 3] ../smbd/sesssetup.c:reply_spnego_negotiate(525)
      Got OID 1 2 840 113554 1 2 2
    [2006/02/09 13:14:02, 3] ../smbd/sesssetup.c:reply_spnego_negotiate(525)
      Got OID 1 3 6 1 4 1 311 2 2 10
    [2006/02/09 13:14:02, 3] ../smbd/sesssetup.c:reply_spnego_negotiate(528)
      Got secblob of size 1396
    [2006/02/09 13:14:02, 10] ../passdb/secrets.c:secrets_named_mutex(809)
      secrets_named_mutex: got mutex for replay cache mutex
    [2006/02/09 13:14:02, 3] ../libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
      ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
    [2006/02/09 13:14:02, 3] ../libads/kerberos_verify.c:ads_secrets_verify_ticket(249)
      ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
    [2006/02/09 13:14:02, 10] ../passdb/secrets.c:secrets_named_mutex_release(821)
      secrets_named_mutex: released mutex for replay cache mutex
    [2006/02/09 13:14:02, 3] ../libads/kerberos_verify.c:ads_verify_ticket(378)
      ads_verify_ticket: krb5_rd_req with auth failed (Error 0)
    [2006/02/09 13:14:02, 1] ../smbd/sesssetup.c:reply_spnego_kerberos(180)
      Failed to verify incoming ticket!
    [2006/02/09 13:14:02, 3] ../smbd/error.c:error_packet(146)
      error packet at ../smbd/sesssetup.c(182) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2006/02/09 13:14:02, 5] ../lib/util.c:show_msg(454)
    [2006/02/09 13:14:02, 5] ../lib/util.c:show_msg(464)

I rejoined the ads realm again, but that did not help. I am using Heimdal krb5. Why does it think my size is wrong?

David Shapiro
Unix Team Lead
919-765-2011
[Samba] chown DOMAIN+mylogin /dir fails (Please help)
What can I look at to understand why chown keeps saying user does not exist.

wbinfo -u/-g returns the user information
klist -v shows kerberos is working
net ads join works fine
wbinfo -t shows secret is fine
aix does not have getent so I can't run getent passwd -- is there something equivalent on aix?

/usr/lib/security/methods.cfg has:

    WINBIND:
        program = /usr/lib/security/WINBIND (set with chmod 444)
        options = authonly

/etc/security/user has for

    SYSTEM = WINBIND OR WINBIND[FAILURE] AND COMPAT

my clock syncs with same ntp as ad server and seems fine

I am so tired, been working on this for two days. Please help me figure out why this is not working now.

David

David Shapiro
Unix Team Lead
919-765-2011
[Samba] cp /usr/local/samba/lib/en.msg /usr/local/samba/lib/en_US.msg okay?
I get a complaint with testparm that en_US.msg not found. Is it okay to copy en.msg to en_US.msg, which seems to make the error go away?

David

David Shapiro
Unix Team Lead
919-765-2011
[Samba] samba and idmap_rid panic
Sigh,

Someday I will get samba to work on aix. Now I rebuilt samba because I discovered that you needed to request it to build idmap_rid.so or it will not make it. After the rebuild I moved over the smb.conf again and net ads joined again. When I try to start samba, however, it panics with this information:

    smb_register_idmap: Successfully added idmap backend 'tdb'
    [2006/02/07 09:16:34, 10] ../sam/idmap_tdb.c:db_idmap_init(500)
      db_idmap_init: Opening tdbfile /usr/local/samba/var/locks/winbindd_idmap.tdb
    [2006/02/07 09:16:34, 3] ../sam/idmap.c:idmap_init(132)
      idmap_init: using 'idmap_rid' as remote backend
    [2006/02/07 09:16:34, 5] ../lib/module.c:smb_probe_module(104)
      Probing module 'idmap_rid'
    [2006/02/07 09:16:34, 5] ../lib/module.c:smb_probe_module(115)
      Probing module 'idmap_rid': Trying to load from /usr/local/samba/lib/idmap/idmap_rid.so
    [2006/02/07 09:16:34, 0] ../lib/fault.c:fault_report(36)
      ===
    [2006/02/07 09:16:34, 0] ../lib/fault.c:fault_report(37)
      INTERNAL ERROR: Signal 11 in pid 23932 (3.0.21a)
      Please read the Trouble-Shooting section of the Samba3-HOWTO
    [2006/02/07 09:16:34, 0] ../lib/fault.c:fault_report(39)
      From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
    [2006/02/07 09:16:34, 0] ../lib/fault.c:fault_report(40)
      ===
    [2006/02/07 09:16:34, 0] ../lib/util.c:smb_panic2(1554)
      PANIC: internal error

I opened the howto, but I do not see anything related to this error. Any help would be appreciated.

david

smb.conf:

    [global]
    workgroup = DOMAIN
    realm = DOMAIN.COM
    server string = User management Server
    security = ADS
    allow trusted domains = No
    password server = ad.domain.com
    log level = 10
    log file = /usr/local/samba/var/log.%m
    max log size = 50
    name resolve order = hosts wins lmhosts bcast
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    preferred master = No
    local master = No
    dns proxy = No
    wins server = wins01 wins02
    idmap backend = idmap_rid:DOMAIN=10-200
    idmap uid = 10-20
    idmap gid = 10-20
    winbind separator = +
    winbind enum users = No
    winbind enum groups = No
    winbind use default domain = Yes
    winbind nested groups = Yes
    aio read size = 1
    aio write size = 1

    [home]
    path = /home/%D/%u
    valid users = %S
    read only = No
    browseable = No

    [samba]
    path = /usr/local/samba
    username = DOMAIN+mylogin
    valid users = DOMAIN+mylogin
    force user = root

David Shapiro
Unix Team Lead
919-765-2011
[Samba] Winbind/rid and authentication questions
Hello,

I keep getting a login prompt when I try to access shares on my newly created samba server. I am trying to use ad/rid (the best option if you want multiple samba servers in your environment?)

wbinfo -a DOMAIN/mylogin%password authenticates correctly. wbinfo -u and wbinfo -g shows my groups and users fine.

Do I need winbind uid/gid as well as idmap uid/gid? Do I need auth method? Should I use idmap backend = ad instead? Do I need pam support? I am really confused about what the right setup is now with samba.

My smb.conf has:

[global]
    workgroup = DOMAIN
    netbios name = svcanimp
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 1-20
    idmap gid = 1-20
    #idmap backend = ad
    idmap backend = idmap_rid:DOMAIN=1-20
    use kerberos keytab = yes
    # os level = 65
    winbind enum users = yes
    winbind enum groups = yes
    #winbind use default domain = yes
    #winbind uid = 1-20
    #winbind gid = 1-20
    winbind separator = /
    encrypt passwords = yes
    server string = User management Server
    security = ADS
    #security = domain
    realm = DOMAIN.COM
    password server = ad.domain.com
    preferred master = no
    log file = /usr/local/samba/var/log.%m
    log level = 10
    #hosts allow = 10.69. 127.0.
    max log size = 50
    local master = No
    dns proxy = No
    wins server = wins02 wins03
    wins proxy = no
    name resolve order = hosts wins lmhosts bcast
    aio read size = 1
    aio write size = 1
    template homedir = /home/winnt/%D/%U
    template shell = /bin/bash
    #acl group control = yes
    #inherit permissions = Yes
    #inherit acls = Yes
    invalid users = root
    #auth methods = winbind
    #username map = /usr/local/samba/lib/username.map

[homes]
    valid users = %S
    browseable = No
    read only = No

David Shapiro Unix Team Lead 919-765-2011
[Samba] SAMBA Winbind and AIX and chown not showing ad user id
I changed the separator to + from / and now when I use users=DOMAIN+mylogin, I get access to a share finally. However, when I run chown DOMAIN+mylogin testdir, testdir is not set to DOMAIN+mylogin, it is set to tempfn (temporary id is what the gecos/description says).

In aix land, what do I need to do to get it to use WINBIND to set the directory ownership now? My /usr/lib/security/methods.cfg has authonly for WINBIND. I take it that is not enough? I saw something where they wanted me to change SYSTEM=compat to SYSTEM = WINBIND OR WINBIND[UNAVAIL] AND compat, but when I do that, nobody can log in to the system anymore.

My smb.conf now looks like the following:

[global]
    workgroup = DOMAIN
    realm = DOMAIN.COM
    server string = User management Server
    security = ADS
    password server = ad.domain.com
    log level = 10
    log file = /usr/local/samba/var/log.%m
    max log size = 50
    name resolve order = hosts wins lmhosts bcast
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    preferred master = No
    local master = No
    dns proxy = No
    wins server = svcmc02, svcmc03
    idmap uid = 10-20
    idmap gid = 10-20
    winbind separator = +
    winbind use default domain = Yes
    winbind nested groups = Yes
    aio read size = 1
    aio write size = 1

[home]
    path = /home/%D/%u
    valid users = %S
    read only = No
    browseable = No

[samba]
    path = /usr/local/samba
    username = DOMAIN+mylogin
    valid users = DOMAIN+mylogin

My /usr/lib/security/methods.cfg:

NIS:
    program = /usr/lib/security/NIS
    program_64 = /usr/lib/security/NIS_64

DCE:
    program = /usr/lib/security/DCE

* PAM:
*   program = /usr/lib/security/PAM

WINBIND:
    program = /usr/lib/security/WINBIND
    options = authonly
*options = auth=PAM,db=BUILTIN

(haven't had luck with pam either. It will not let me log in if I use it too)

pam.conf:

sshd    auth      required  /usr/lib/security/pam_aix
OTHER   auth      required  /usr/lib/security/pam_aix
# Account management
sshd    account   required  /usr/lib/security/pam_aix
OTHER   account   required  /usr/lib/security/pam_aix
# Password management
sshd    password  required  /usr/lib/security/pam_aix
OTHER   password  required  /usr/lib/security/pam_aix
# Session management
sshd    session   required  /usr/lib/security/pam_aix
OTHER   session   required  /usr/lib/security/pam_aix
OTHER   auth      required  /usr/lib/security/pam_winbind.so debug use_first_pass unknown_ok DOMAIN
OTHER   account   required  /usr/lib/security/pam_winbind.so debug use_first_pass unknown_ok DOMAIN
OTHER   session   required  /usr/lib/security/pam_winbind.so debug use_first_pass unknown_ok DOMAIN
OTHER   password  required  /usr/lib/security/pam_winbind.so debug use_first_pass unknown_ok DOMAIN

David

David Shapiro Unix Team Lead 919-765-2011
[Samba] ok - now how to access a share?
I got net ads join to finally work, but I cannot get samba to authenticate a user to a share.

[global]
    workgroup = DOMAIN
    netbios name = svcanimp
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 1-2
    idmap gid = 1-2
    idmap backend = ad
    use kerberos keytab = yes
    # os level = 65
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind uid = 1-2
    winbind gid = 1-2
    winbind separator = /
    encrypt passwords = yes
    server string = User management Server
    security = ADS
    # security = domain
    realm = DOMAIN.COM
    password server = ads.domain.com
    preferred master = no
    log file = /usr/local/samba/var/log.%m
    log level = 10
    # hosts allow = 10.69. 127.0.
    max log size = 50
    local master = No
    dns proxy = No
    wins server = wins01 wins02
    wins proxy = no
    name resolve order = hosts wins lmhosts bcast
    aio read size = 1
    aio write size = 1
    template homedir = /home/winnt/%D/%U
    template shell = /bin/bash
    acl group control = yes
    inherit permissions = Yes
    inherit acls = Yes

[homes]
    valid users = %S
    browseable = No
    read only = No

When I try to go to the server via \\sambaserver, it pops up a login prompt. In log.winbindd it says

Could not query user's DOMAIN\mylogin uid

I am not really sure how all this works. Is my smb.conf correct? wbinfo -u | grep mylogin returns my login, although they do not show up with DOMAIN/mylogin (just mylogin). I am not sure what to do next.

David Shapiro Unix Team Lead 919-765-2011
[Samba] Confused about what I am seeing with domain names
I could not get wbinfo -g/u to work and was seeing a bunch of errors related to not being able to enumerate groups. I saw somebody use idmap backend = ad and added this since I have been struggling to get ad working (still not working). Now, when I run wbinfo -g/-u, I am getting groups and users, but the domain it shows is different than what I expected. My domain I was using for workgroup line is DOMAIN, for example, but wbinfo -g returns back:

DOMAIN_NETWORK/group

Is _NETWORK something that samba added, or is this the name of the domain I should really be using? I did a grep on wbinfo -u for my user, and it returned my user too. If my domain is actually DOMAIN_NETWORK, is it possible my realm is not domain.com but domain_network.com or something weird like that? Should I change my workgroup line to use domain_network?

I still can't get my kinit to find my kdc. I am wondering if I clear this up maybe my kdc kinit command will work. Note that I did ask my nt admin to run dns nslookup checks on _ldap.domain.com and _kerberos.domain.com, and those did return the correct results showing domain.com should be my realm.

David

David Shapiro Unix Team Lead 919-765-2011
[Samba] Confused about what I am seeing with domain names - --getdcname fails for ad server
Should I expect to see when I run wbinfo --getdcname=domain it return a domain controller for an ad server? It does return a server name for domain_network, the non-ad server.

David Shapiro Unix Team Lead 919-765-2011

David Shapiro 2/3/2006 10:50:51 AM

I am trying to get an aix samba server to join an ads domain. I think I see what the DOMAIN_NETWORK is. wbinfo -D for it shows it is not an ads server whereas the DOMAIN one is an ads server. That one is not showing information because kerberos cannot find the kdc for some reason that I can't figure out. It does have SRV records in dns.

Here is the krb5.conf file I am using (mit krb5):

[libdefaults]
    default_realm = DOMAIN.COM

[realms]
    DOMAIN.COM = {
        kdc = adsserver.domain.com
        admin_server = adsserver.domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

[logging]
    kdc = CONSOLE

smb.conf:

[global]
    workgroup = DOMAIN
    netbios name = sambaserver
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 1-2
    idmap gid = 1-2
    idmap backend = ad
    # os level = 65
    winbind enum users = yes
    winbind enum groups = yes
    #winbind uid = 1-2
    #winbind gid = 1-2
    winbind separator = /
    encrypt passwords = yes
    server string = samba server
    security = ADS
    # security = domain
    realm = DOMAIN.COM
    password server = adsserver.domain.com
    preferred master = no
    log file = /usr/local/samba/var/log.%m
    log level = 10
    max log size = 50
    local master = No
    dns proxy = No
    wins server = wins02 wins03
    wins proxy = no
    name resolve order = hosts wins lmhosts bcast
    aio read size = 1
    aio write size = 1
    template homedir = /home/winnt/%D/%U
    template shell = /bin/bash

[homes]
    path = /home/%u
    read only = No

David Shapiro Unix Team Lead 919-765-2011

Nico De Wilde [EMAIL PROTECTED] 2/3/2006 9:55:15 AM

David,

Please post your smb.conf / nsswitch.conf / krb5.conf. What are you trying to achieve? Joining a samba server to a Windows AD domain? Please provide some more information. Thx.

Regards, Nico
Re: [Samba] Confused about what I am seeing with domain names
I have done that during troubleshooting already to no avail. When I put these changes in now it still reports the infamous:

kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

David Shapiro Unix Team Lead 919-765-2011

Nico De Wilde [EMAIL PROTECTED] 2/3/2006 11:05:11 AM

David,

Can you add the following lines to your krb5.conf:

[realms]
    DOMAIN.COM = {
        kdc = ip.of.your.dc:88
        admin_server = ip.of.your.dc:749
        default_domain = domain.com
    }

Regards, Nico
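An offline check of the krb5.conf posted in this thread against the "Cannot resolve network address for KDC in requested realm" error, added here as an example and not part of the original messages. It inspects only the static [realms] entries (not DNS SRV discovery); the function names and the injectable `resolves` callback are invented for this example, and the sample file is constructed from the post.

```python
import ipaddress
import socket

# Constructed sample: the krb5.conf quoted in the thread, one relation per line.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.COM
[realms]
    DOMAIN.COM = {
        kdc = adsserver.domain.com
        admin_server = adsserver.domain.com
    }
[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
[logging]
    kdc = CONSOLE
"""


def parse_krb5_conf(text):
    """Parse sections, relations and one level of '{ }' blocks into nested dicts.

    Values are stored as lists because keys such as kdc may repeat.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1].strip(), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf


def kdc_host(entry):
    """Host part of a kdc value: 'host', 'host:88' or '[v6-address]:88'."""
    if entry.startswith("["):
        return entry[1:].partition("]")[0]
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return entry


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def system_resolver(host):
    """True when the local resolver (hosts file, DNS, ...) returns an address."""
    try:
        return bool(socket.getaddrinfo(host, 88))
    except OSError:
        return False


def check_kdcs(text, resolves=system_resolver):
    """Return findings that explain why the library may fail to locate a KDC."""
    conf = parse_krb5_conf(text)
    realm = (conf.get("libdefaults", {}).get("default_realm") or [None])[0]
    if realm is None:
        return ["no default_realm in [libdefaults]"]
    realms = conf.get("realms", {})
    if realm not in realms:
        close = [r for r in realms if r.upper() == realm.upper()]
        hint = f" (found {close[0]!r}; realm names are case-sensitive)" if close else ""
        return [f"realm {realm!r} has no [realms] entry{hint}"]
    entry = realms[realm]
    kdcs = entry.get("kdc", []) if isinstance(entry, dict) else []
    findings, usable = [], 0
    if not kdcs:
        findings.append(f"realm {realm!r} lists no kdc")
    for kdc in kdcs:
        host = kdc_host(kdc)
        # An IP literal, as suggested in the reply above, needs no name lookup.
        if is_ip_literal(host) or resolves(host):
            usable += 1
        else:
            findings.append(f"kdc {kdc!r}: name {host!r} does not resolve")
    if kdcs and usable == 0:
        findings.append("no KDC address available for " + realm)
    return findings


if __name__ == "__main__":
    for finding in check_kdcs(SAMPLE_KRB5_CONF) or ["static KDC entries look usable"]:
        print(finding)
```

Run against the real file with `check_kdcs(open("/etc/krb5.conf").read())`; an empty list means every listed KDC is either an IP literal or resolves on this host.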
Re: [Samba] Confused about what I am seeing with domain names
I see you put ip of dc. When I run wbinfo --getdcname DOMAIN it does not return back a dc. The log.winbindd does not show anything even at log level 10:

]: Get DC name for BCBSNC
[2006/02/03 11:01:37, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1529)
  Retrieving response for pid 22330
[2006/02/03 11:03:07, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1529)
  Retrieving response for pid 22330
[2006/02/03 11:03:07, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1551)
  Retrieving extra data length=251
[2006/02/03 11:08:07, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1529)
  Retrieving response for pid 22330
[2006/02/03 11:08:07, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1551)
  Retrieving extra data length=251

David Shapiro Unix Team Lead 919-765-2011
Re: [Samba] Confused about what I am seeing with domain names
I hope this isn't a silly question: do you have to use pam to get a server to join ad? I did not see that as an absolute requirement.

David Shapiro Unix Team Lead 919-765-2011
[Samba] Confused about what I am seeing with domain names
I see you put ip of dc. When I run wbinfo --getdcname DOMAIN it does not return back a dc. The log.winbindd does not show anything even at log level 10:

]: Get DC name for DOMAIN
[2006/02/03 11:01:37, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1529)
  Retrieving response for pid 22330
[2006/02/03 11:03:07, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1529)
  Retrieving response for pid 22330
[2006/02/03 11:03:07, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1551)
  Retrieving extra data length=251
[2006/02/03 11:08:07, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1529)
  Retrieving response for pid 22330
[2006/02/03 11:08:07, 10] ../nsswitch/winbindd_cache.c:cache_retrieve_response(1551)
  Retrieving extra data length=251

David Shapiro Unix Team Lead 919-765-2011
Re: [Samba] trouble with winbind
I found mention of how to run net ads join with debugging, which got me some good info when I run net ads join with debuglevel=10:

namecache_store: storing 1 address for adserver.domain.com#20: 1.2.3.4:0
[2006/02/03 12:19:02, 10] ../lib/gencache.c:gencache_set(127)
  Adding cache entry with key = NBT/ADSSERVER.DOMAIN.COM#20; value = 1.2.3.4:0 and timeout = Fri Feb 3 12:30:02 2006 (660 seconds ahead)
[2006/02/03 12:19:02, 10] ../libsmb/namequery.c:internal_resolve_name(1145)
  internal_resolve_name: returning 1 addresses: 10.69.147.110:0
[2006/02/03 12:19:02, 10] ../libsmb/namequery.c:remove_duplicate_addrs2(320)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 1 ip addresses in an ordered list
[2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 10.69.147.110:0
[2006/02/03 12:19:02, 5] ../libads/ldap.c:ads_try_connect(126)
  ads_try_connect: trying ldap server '1.2.3.4' port 389
[2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_connect(288)
  Connected to LDAP server 1.2.3.4
[2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_server_info(2541)
  got ldap server name [EMAIL PROTECTED], using bind path: dc=DOMAIN,dc=COM
[2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
  time offset is 114 seconds
[2006/02/03 12:19:02, 4] ../libads/sasl.c:ads_sasl_bind(455)
  Found SASL mechanism GSS-SPNEGO
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2006/02/03 12:19:02, 3] ../libsmb/clikrb5.c:ads_krb5_mk_req(478)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/03 12:19:02, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm
[2006/02/03 12:19:02, 2] ../utils/net.c:main(876)
  return code = -1

So it looks like it found the adsserver but then tried to kinit for the samba server I am trying to join and complained about not being able to resolve the kdc. Did it fail to find a credential cache (I thought I was trying to get one with the join command, so it shouldn't find one) and then tried to get one from the local samba server and is saying it is not resolvable?

David Shapiro Unix Team Lead 919-765-2011

Nico De Wilde [EMAIL PROTECTED] 2/3/2006 10:57:23 AM

Chris,

The following error is repeated multiple times in your winbind.log:

Client not found in Kerberos database

Are you joining these machines as a domain admin or as an account with domain admin privileges? Is your resolving setup correctly? Are the clocks on your servers synchronized with the DC?

Could you try:
- kinit [EMAIL PROTECTED]
- net ads join -U ADMINISTRATOR

What output do these two commands generate on your system?

Sample smb.conf for a 'member server' in a 2000/2003 AD domain:
--
[global]
    server string = somebox
    realm = DOM1.JHUAPL.EDU
    workgroup = CHOCOWEB
    password server = dom1-dc6.dom1.jhuapl.edu
    security = ADS
    encrypt passwords = true
    # winbind configuration
    winbind separator = +
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users=yes
    winbind enum groups=yes
---
Sample krb5.conf
---
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = DOM1.JHUAPL.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    DOM1.JHUAPL.EDU = {
        kdc = the.ip.of.your.dc:88
        admin_server = the.ip.of.your.dc:749
        default_domain = dom1.jhuapl.edu
    }
--
Nsswitch.conf

passwd: files winbind
shadow: files
group: files winbind
hosts: files dns winbind
--
This should get you going. Can you provide additional feedback on this? Thx.

Regards, Nico

- Original Message -
From: Chris Stone [EMAIL PROTECTED]
To: Nico De Wilde [EMAIL PROTECTED]
Sent: Friday, February 03, 2006 4:33 PM
Subject: Re: [Samba] trouble with winbind

Nico, I've
Re: [Samba] trouble with winbind
Interesting catch. It does not use ntp on the unix box of the same time source as the dc. However, if I manually set the time on the unix box to match the present nt server, kinit still does not allow me to resolve the network address for the kdc in the requested realm while getting the initial credentials.

David Shapiro
Unix Team Lead
919-765-2011

Dimitri Yioulos [EMAIL PROTECTED] 2/3/2006 1:05:00 PM

Top-posting. Eeek.

One thing I think I see is that the system times between the Samba and Ad servers may be out of sync. I believe that if the time difference is significant enough, then the krb encryption codes will not match and access to network resources may be denied. Are both of your servers system times sync via ntp?

Dimitri

On Friday February 03 2006 12:28 pm, David Shapiro wrote:

I found mention of how to run net ads join with debugging, which got me some good info when I run net ads join with debuglevel=10:

namecache_store: storing 1 address for adserver.domain.com#20: 1.2.3.4:0
[2006/02/03 12:19:02, 10] ../lib/gencache.c:gencache_set(127)
  Adding cache entry with key = NBT/ADSSERVER.DOMAIN.COM#20; value = 1.2.3.4:0 and timeout = Fri Feb 3 12:30:02 2006 (660 seconds ahead)
[2006/02/03 12:19:02, 10] ../libsmb/namequery.c:internal_resolve_name(1145)
  internal_resolve_name: returning 1 addresses: 10.69.147.110:0
[2006/02/03 12:19:02, 10] ../libsmb/namequery.c:remove_duplicate_addrs2(320)
  remove_duplicate_addrs2: looking for duplicate address/port pairs
[2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 1 ip addresses in an ordered list
[2006/02/03 12:19:02, 4] ../libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 10.69.147.110:0
[2006/02/03 12:19:02, 5] ../libads/ldap.c:ads_try_connect(126)
  ads_try_connect: trying ldap server '1.2.3.4' port 389
[2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_connect(288)
  Connected to LDAP server 1.2.3.4
[2006/02/03 12:19:02, 3] ../libads/ldap.c:ads_server_info(2541)
  got ldap server name [EMAIL PROTECTED], using bind path: dc=DOMAIN,dc=COM
[2006/02/03 12:19:02, 4] ../libads/ldap.c:ads_server_info(2547)
  time offset is 114 seconds
[2006/02/03 12:19:02, 4] ../libads/sasl.c:ads_sasl_bind(455)
  Found SASL mechanism GSS-SPNEGO
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(210)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/03 12:19:02, 3] ../libads/sasl.c:ads_sasl_spnego_bind(219)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2006/02/03 12:19:02, 3] ../libsmb/clikrb5.c:ads_krb5_mk_req(478)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/02/03 12:19:02, 0] ../libads/kerberos.c:ads_kinit_password(164)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/03 12:19:02, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm
[2006/02/03 12:19:02, 2] ../utils/net.c:main(876)
  return code = -1

So it looks like it found the adsserver but then tried to kinit for the samba server I am trying to join and complained about not being able to resolve the kdc. Did it fail to find a credential cache (I thought I was trying to get one with the join command, so it shouldn't find one) and then tried to get one from the local samba server and is saying it is not resolvable?

David Shapiro
Unix Team Lead
919-765-2011

Nico De Wilde [EMAIL PROTECTED] 2/3/2006 10:57:23 AM

Chris,

The following error is repeated multiple times in your winbind.log:

Client not found in Kerberos database

Are you joining these machines as a domain admin or as an account with domain admin privileges?
Is your resolving setup correctly?
Are the clocks on your servers synchronized with the DC?

Could you try:
- kinit [EMAIL PROTECTED]
- net ads join -U ADMINISTRATOR

What output do these two commands generate on your system?

Sample smb.conf for a 'member server' in a 2000/2003 AD domain:
--
[global]
server string = somebox
realm = DOM1.JHUAPL.EDU
workgroup = CHOCOWEB
password server = dom1-dc6.dom1.jhuapl.edu
security = ADS
encrypt passwords = true
# winbind configuration
winbind separator = +
idmap uid = 1-2
idmap gid = 1-2
winbind enum users=yes
winbind enum groups=yes
---
Sample krb5.conf
---
[logging
[Samba] ad and samba and a share - pam needed?
Okay, I think I am finally joined to a domain in ad with aix server (I dumped mit kerberos and used heimdal instead, which worked great). I can wbinfo -u/-g users and groups and I see everything in my ad realm. I was trying to do a test share, but I am not sure why I cannot connect: My user exists on the unix box and the same name exists on the ad server.

The share was:

[samba]
path = /usr/local/samba/test
valid users = DOMAIN/mylogin

I tried to type chown DOMAIN/mylogin /usr/local/samba/test, but that does not work. Did I need pam to allow me to do things like this?

David Shapiro
Unix Team Lead
919-765-2011
Re: [Samba] ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requ
/etc/host, resolv.conf are fine. nsswitch.conf does not exist on aix systems, but I did add the winbindd entry where aix expects it. I guess we will see if people respond, but I noticed nobody answered this type of question in the past...

David

David Shapiro
Unix Team Lead
919-765-2011

Dimitri Yioulos [EMAIL PROTECTED] 2/2/2006 10:18 AM

On Thursday February 02 2006 8:49 am, David Shapiro wrote:

Is there no fix for this? Nobody answers this for me or other people asking this question.

I really need help with this. Is there anything I can be looking at? I am not getting past doing a simple kinit [EMAIL PROTECTED] It gives me the Cannot resolve network address for KDC as well. Does ads not like krb5? Does it need krb4? Why doesn't kerberos provide any messages in the logs? Any suggestions on ways to figure out what is going on? I tried truss, but that does not show much other than I do see it looking in /etc/krb5.conf and /usr/local/etc/krb5.conf. I can use tcpdump, but I am not sure what to be looking for?

David Shapiro
Unix Team Lead
919-765-2011

David Shapiro
Unix Team Lead
919-765-2011

Dimitri Yioulos [EMAIL PROTECTED] 2/1/2006 10:15:49 AM

On Wednesday February 01 2006 9:41 am, David Shapiro wrote:

Hello,

I am having a problem getting my server to join our realm as a domain member server. I have read through google, yahoo, and this list, but I cannot find the answer yet.

When I run:

net join ads -Uadministrator

and try to login it gives the following error:

kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm

The details of my setup are:

aix 5.2.0.7
libiconv-1.9.1
autoconf-2.59
libiodbc-3.52.4
bison-2.0
m4-1.4.3
db-4.4.20
mysql-connector-odbc-3.51.12
krb
samba-3.0.21a
  ../configure --prefix=/usr/local/samba --with-ads --with-ldap --with-winbind --with-acl-support --with-utmp --with-quotas --with-sendfile-support
openldap-2.3.19
  ./configure --enable-crypt --without-cyrus-sasl
unixODBC-2.2.11
gcc 3.3.2

/etc/krb5.conf:

[libdefaults]
default_realm = MYREALM.COM
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
ticket_lifetime = 24000
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYREALM.COM = {
  kdc = myadsserver.mydomain.com
  default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYREALM.COM

[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

/etc/hosts:

1.2.3.4 myadsserver.mydomain.com myadsserver

Note: Nothing goes into the logs and if I move aside the krb5.conf it still tries automatically MYREALM.COM. I put an error in the krb5.conf file to see if it would notice, and it does warn about it, so it is looking in krb5.conf.

David Shapiro
Unix Team Lead
919-765-2011

In krb5.conf, try this:

[realms]
YOURDOMAIN.COM = {
  default_domain = yourdomain.com
  kdc = xxx.xxx.xxx.xxx (my note - use ip address of AD server)
  admin_server = xxx.xxx.xxx.xxx (my note - use ip address of AD server)
}

HTH.

Dimitri

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

David,

Firstly, be mindful that the list is made up of volunteers who do their best to provide answers as quickly as possible. Sometimes you may have to wait a bit longer, but I've always found these folks to be most kind and helpful. Give 'em a chance.

Now, after that mild rebuke: I have little experience with AIX; my responses are based on my work with Samba on Linux. That said, I believe that you should have nsswitch.conf and resolv.conf files on the system. Are these configured correctly? Is pam.d/login configured correctly?

Dimitri
[Samba] ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requested realm
Hello,

I am having a problem getting my server to join our realm as a domain member server. I have read through google, yahoo, and this list, but I cannot find the answer yet.

When I run:

net join ads -Uadministrator

and try to login it gives the following error:

kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm

The details of my setup are:

aix 5.2.0.7
libiconv-1.9.1
autoconf-2.59
libiodbc-3.52.4
bison-2.0
m4-1.4.3
db-4.4.20
mysql-connector-odbc-3.51.12
krb
samba-3.0.21a
  ../configure --prefix=/usr/local/samba --with-ads --with-ldap --with-winbind --with-acl-support --with-utmp --with-quotas --with-sendfile-support
openldap-2.3.19
  ./configure --enable-crypt --without-cyrus-sasl
unixODBC-2.2.11
gcc 3.3.2

/etc/krb5.conf:

[libdefaults]
default_realm = MYREALM.COM
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
ticket_lifetime = 24000
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYREALM.COM = {
  kdc = myadsserver.mydomain.com
  default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYREALM.COM

[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

/etc/hosts:

1.2.3.4 myadsserver.mydomain.com myadsserver

Note: Nothing goes into the logs and if I move aside the krb5.conf it still tries automatically MYREALM.COM. I put an error in the krb5.conf file to see if it would notice, and it does warn about it, so it is looking in krb5.conf.

David Shapiro
Unix Team Lead
919-765-2011
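The checks the replies in this thread ask for (does the default realm have a [realms] block, does every kdc entry resolve, is the logged time offset inside clockskew), as an added Python example that is not part of any post or of Samba. The names lint, hosts_resolver and the finding texts are made up for this example; the config is the one from the post above, and the resolver is injectable so the check runs offline.

```python
import re
import socket

# Constructed sample: the krb5.conf from the post, one setting per line.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MYREALM.COM
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
ticket_lifetime = 24000
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MYREALM.COM = {
    kdc = myadsserver.mydomain.com
    default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYREALM.COM
"""

# Constructed sample: one debug line of the kind quoted in this thread.
SAMPLE_LOG = "../libads/ldap.c:ads_server_info(2547) time offset is 114 seconds\n"

# Single-DES enctypes are deprecated (RFC 6649); a list holding nothing else is flagged.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ETYPE_KEYS = ("default_etypes", "default_tkt_enctypes", "default_tgs_enctypes")


def parse_krb5_conf(text):
    """Parse [sections], 'key = value' lines and one level of '{ ... }' blocks.

    Every value is stored in a list because keys such as kdc may repeat.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = section if block is None else block
                target.setdefault(key, []).append(value)
    return conf


def first(mapping, key, default=None):
    """First value recorded for key, or default when the key is absent."""
    values = mapping.get(key)
    return values[0] if values else default


def kdc_host(entry):
    """Drop an optional ':port' suffix from a kdc value."""
    host, sep, port = entry.rpartition(":")
    return host if sep and port.isdigit() else entry


def system_resolver(host):
    """Resolve through the system resolver (hosts file, DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 88)})


def hosts_resolver(table):
    """Offline stand-in for system_resolver backed by a dict (hypothetical helper)."""
    def resolve(host):
        if host not in table:
            raise socket.gaierror(f"cannot resolve {host}")
        return [table[host]]
    return resolve


def lint(conf, resolver=system_resolver, log_text=""):
    """Return findings that could explain a failed kinit or net ads join."""
    findings = []
    lib = conf.get("libdefaults", {})
    realm = first(lib, "default_realm")
    entry = conf.get("realms", {}).get(realm)
    if realm is None:
        findings.append("no default_realm in [libdefaults]")
    elif not isinstance(entry, dict):
        findings.append(f"default_realm {realm} has no block in [realms]")
    else:
        kdcs = entry.get("kdc", [])
        dns_off = first(lib, "dns_lookup_kdc", "").lower() in ("false", "no", "0")
        if not kdcs and dns_off:
            findings.append(f"realm {realm} lists no kdc and dns_lookup_kdc is off")
        for value in kdcs:
            try:
                resolver(kdc_host(value))
            except OSError:  # socket.gaierror is a subclass of OSError
                findings.append(f"kdc {kdc_host(value)} does not resolve")
    for key in ETYPE_KEYS:
        etypes = set(first(lib, key, "").split())
        if etypes and etypes <= SINGLE_DES:
            findings.append(f"{key} allows only single-DES: {' '.join(sorted(etypes))}")
    allowed = int(first(lib, "clockskew", "300"))  # 300 s is the usual default
    for match in re.finditer(r"time offset is (-?\d+) seconds", log_text):
        if abs(int(match.group(1))) > allowed:
            findings.append(f"clock offset {match.group(1)}s exceeds clockskew {allowed}s")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    # Constructed case: the /etc/hosts line from the post is not visible to the resolver.
    for finding in lint(conf, resolver=hosts_resolver({}), log_text=SAMPLE_LOG):
        print("FINDING:", finding)
```

Called without a resolver argument, lint uses the system resolver, so running it on the member server shows whether the kdc name is visible to the same lookup path kinit depends on.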
[Samba] Fwd: ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requested realm
I forgot the smb.conf file:

[global]
workgroup = MYDOMAIN
netbios name = svcanimp
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind gid = 1-2
os level = 20
winbind enum groups = yes
winbind separator = /
encrypt passwords = yes
server string = User management Server
security = ADS
realm = MYREALM.COM
password server = myadsserver.bcbsnc.com
preferred master = no
log file = /usr/local/samba/var/log.%m
log level = 0
max log size = 50
local master = No
dns proxy = No
wins server = wins01 wins02
wins proxy = no
name resolve order = wins hosts lmhosts bcast
aio read size = 1
aio write size = 1
template homedir = /home/winnt/%D/%U
template shell = /bin/bash

[homes]
path = /home/%u
read only = No

Hello,

I am having a problem getting my server to join our realm as a domain member server. I have read through google, yahoo, and this list, but I cannot find the answer yet.

When I run:

net join ads -Uadministrator

and try to login it gives the following error:

kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm

The details of my setup are:

aix 5.2.0.7
libiconv-1.9.1
autoconf-2.59
libiodbc-3.52.4
bison-2.0
m4-1.4.3
db-4.4.20
mysql-connector-odbc-3.51.12
krb
samba-3.0.21a
  ../configure --prefix=/usr/local/samba --with-ads --with-ldap --with-winbind --with-acl-support --with-utmp --with-quotas --with-sendfile-support
openldap-2.3.19
  ./configure --enable-crypt --without-cyrus-sasl
unixODBC-2.2.11
gcc 3.3.2

/etc/krb5.conf:

[libdefaults]
default_realm = MYREALM.COM
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
ticket_lifetime = 24000
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYREALM.COM = {
  kdc = myadsserver.mydomain.com
  default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYREALM.COM

[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

/etc/hosts:

1.2.3.4 myadsserver.mydomain.com myadsserver

Note: Nothing goes into the logs and if I move aside the krb5.conf it still tries automatically MYREALM.COM. I put an error in the krb5.conf file to see if it would notice, and it does warn about it, so it is looking in krb5.conf.

David Shapiro
Unix Team Lead
919-765-2011

David Shapiro
Unix Team Lead
919-765-2011
Re: [Samba] ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requ
Thanks,

Unfortunately, I still got the same error. I may be wrong, but it is like it does the automatic lookup process of kdc instead of using the krb5.conf file. However, as per my note below, if I do add bad config info to the krb5.conf, it does complain.

David

David Shapiro
Unix Team Lead
919-765-2011

Dimitri Yioulos [EMAIL PROTECTED] 2/1/2006 10:15:49 AM

On Wednesday February 01 2006 9:41 am, David Shapiro wrote:

Hello,

I am having a problem getting my server to join our realm as a domain member server. I have read through google, yahoo, and this list, but I cannot find the answer yet.

When I run:

net join ads -Uadministrator

and try to login it gives the following error:

kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm

The details of my setup are:

aix 5.2.0.7
libiconv-1.9.1
autoconf-2.59
libiodbc-3.52.4
bison-2.0
m4-1.4.3
db-4.4.20
mysql-connector-odbc-3.51.12
krb
samba-3.0.21a
  ../configure --prefix=/usr/local/samba --with-ads --with-ldap --with-winbind --with-acl-support --with-utmp --with-quotas --with-sendfile-support
openldap-2.3.19
  ./configure --enable-crypt --without-cyrus-sasl
unixODBC-2.2.11
gcc 3.3.2

/etc/krb5.conf:

[libdefaults]
default_realm = MYREALM.COM
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
ticket_lifetime = 24000
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYREALM.COM = {
  kdc = myadsserver.mydomain.com
  default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYREALM.COM

[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

/etc/hosts:

1.2.3.4 myadsserver.mydomain.com myadsserver

Note: Nothing goes into the logs and if I move aside the krb5.conf it still tries automatically MYREALM.COM. I put an error in the krb5.conf file to see if it would notice, and it does warn about it, so it is looking in krb5.conf.

David Shapiro
Unix Team Lead
919-765-2011

In krb5.conf, try this:

[realms]
YOURDOMAIN.COM = {
  default_domain = yourdomain.com
  kdc = xxx.xxx.xxx.xxx (my note - use ip address of AD server)
  admin_server = xxx.xxx.xxx.xxx (my note - use ip address of AD server)
}

HTH.

Dimitri
[Samba] ADS and samba domain member: ads_connect: Cannot resolve network address for KDC in requ
I really need help with this. Is there anything I can be looking at? I am not getting past doing a simple kinit [EMAIL PROTECTED] It gives me the Cannot resolve network address for KDC as well. Does ads not like krb5? Does it need krb4? Why doesn't kerberos provide any messages in the logs? Any suggestions on ways to figure out what is going on? I tried truss, but that does not show much other than I do see it looking in /etc/krb5.conf and /usr/local/etc/krb5.conf. I can use tcpdump, but I am not sure what to be looking for?

David Shapiro
Unix Team Lead
919-765-2011

Dimitri Yioulos [EMAIL PROTECTED] 2/1/2006 10:15:49 AM

On Wednesday February 01 2006 9:41 am, David Shapiro wrote:

Hello,

I am having a problem getting my server to join our realm as a domain member server. I have read through google, yahoo, and this list, but I cannot find the answer yet.

When I run:

net join ads -Uadministrator

and try to login it gives the following error:

kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot resolve network address for KDC in requested realm
[2006/02/01 09:33:46, 0] ../utils/net_ads.c:ads_startup(191)
  ads_connect: Cannot resolve network address for KDC in requested realm

The details of my setup are:

aix 5.2.0.7
libiconv-1.9.1
autoconf-2.59
libiodbc-3.52.4
bison-2.0
m4-1.4.3
db-4.4.20
mysql-connector-odbc-3.51.12
krb
samba-3.0.21a
  ../configure --prefix=/usr/local/samba --with-ads --with-ldap --with-winbind --with-acl-support --with-utmp --with-quotas --with-sendfile-support
openldap-2.3.19
  ./configure --enable-crypt --without-cyrus-sasl
unixODBC-2.2.11
gcc 3.3.2

/etc/krb5.conf:

[libdefaults]
default_realm = MYREALM.COM
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
ticket_lifetime = 24000
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MYREALM.COM = {
  kdc = myadsserver.mydomain.com
  default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYREALM.COM

[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

/etc/hosts:

1.2.3.4 myadsserver.mydomain.com myadsserver

Note: Nothing goes into the logs and if I move aside the krb5.conf it still tries automatically MYREALM.COM. I put an error in the krb5.conf file to see if it would notice, and it does warn about it, so it is looking in krb5.conf.

David Shapiro
Unix Team Lead
919-765-2011

In krb5.conf, try this:

[realms]
YOURDOMAIN.COM = {
  default_domain = yourdomain.com
  kdc = xxx.xxx.xxx.xxx (my note - use ip address of AD server)
  admin_server = xxx.xxx.xxx.xxx (my note - use ip address of AD server)
}

HTH.

Dimitri
PLEASE HELP! samba2.2.6rc2cvs - solaris winbind pam - using user nobody instead of domain user
Hello,

Used /usr/ccs/bin ld, as, make (solaris 8) and 2.95.3 20010315 (release)

I installed samba 2.2.6rc2cvs with

cd /usr/local/samba/source
env CFLAGS="-Wall -m32 -g" ./configure \
  --with-winbind \
  --with-winbind-auth-challenge \
  --with-acl-support \
  --with-ssl \
  --without-sendfile-support \
  --with-included-popt \
  --with-pam \
  --with-smbwrapper
make
make install

ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.2
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.2
ln -s /usr/local/samba/source/nsswitch/pam_winbind.so /usr/lib/security/pam_winbind.so

crle -l /usr/j2se/jre/lib/sparc -i /usr/j2se/lib/sparc -l /usr/lib -i /usr/lib -l /usr/local/lib -i /usr/local/lib -l /usr/local/ssl/lib -i /usr/local/ssl/lib -i /usr/lib/security -s /usr/lib/security -i /usr/lib/secure -s /usr/lib/security
crle -64 -l /usr/lib/64 -i /usr/lib/64 -s /usr/lib/64/secure

pam.conf:

login auth sufficient /usr/lib/security/$ISA/pam_winbind.so
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/pam_winbind.so
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_projects.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account sufficient /usr/lib/security/$ISA/pam_winbind.so
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1

wbinfo -a INS+DavidSha%password (password was my password) returns:

plaintext password authentication succeeded

However, smbclient //optimus/samba-lib -UINS+DavidSha%password fails:

added interface ip=10.1.1.234 bcast=10.1.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.0.0.255 nmask=255.255.255.0
Got a positive name query response from 10.1.4.11 ( 10.1.1.234 )
Domain=[INS] OS=[Unix] Server=[Samba 2.2.6rc2cvs]
tree connect failed: NT_STATUS_WRONG_PASSWORD

log.optimus shows it trying to log in with the user nobody:

er_in_list: checking user nobody in list INS+JamesF INS+DavidSha nobody
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
  user_in_list: checking user |nobody| against |INS+JamesF|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
  user_in_list: checking user |nobody| against |INS+DavidSha|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
  user_in_list: checking user |nobody| against |nobody|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(466)
  user_in_list: user |nobody| matches |nobody|
[2002/11/05 09:39:24, 2] smbd/service.c:make_connection(331)
  Invalid username/password for samba-lib [nobody]
[2002/11/05 09:39:24, 3] smbd/error.c:error_packet(110)
  error packet at smbd/reply.c(166) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD

The smb.conf:

Global parameters
[global]
coding system =
client code page = 850
code page directory = /usr/local/samba/lib/codepages
workgroup = INS
netbios name = OPTIMUS
netbios aliases =
netbios scope =
server string = Samba %v on (%L)
interfaces = 10.1.1.234/24 127.0.0.1/24
bind interfaces only = Yes
security = DOMAIN
encrypt passwords = Yes
update encrypted = No
allow trusted domains = Yes
hosts equiv =
min passwd length = 5
map to guest = Never
null passwords = No
obey pam restrictions = Yes
password server = PDC,EXCHANGE_CORP
smb passwd file = /usr/local/samba/private/smbpasswd
root directory =
pam password change = No
passwd program = /usr/bin/passwd
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
username map =
password level = 0
username level = 0
unix password sync = No
restrict anonymous = No
lanman auth = Yes
use rhosts = No
admin log = No
log level = 10
syslog = 1
syslog only = No
log file = /usr/local/samba/var/log.%m
max
PLEASE HELP! samba2.2.6rc2cvs - solaris winbind pam - using user nobody instead of domain user (additional info at top of this message)
Sorry, I forgot to mention that getent passwd and getent group do work (i.e., winbind answers). Of course, the problem where large groups like Domain Users do not return users or even mention of the existence of the group still exists.

-Original Message-
From: David Shapiro
Sent: Tuesday, November 05, 2002 9:45 AM
To: '[EMAIL PROTECTED]'
Subject: PLEASE HELP! samba2.2.6rc2cvs - solaris winbind pam - using user nobody instead of domain user

Hello,

Used /usr/ccs/bin ld, as, make (solaris 8) and 2.95.3 20010315 (release)

I installed samba 2.2.6rc2cvs with

cd /usr/local/samba/source
env CFLAGS="-Wall -m32 -g" ./configure \
  --with-winbind \
  --with-winbind-auth-challenge \
  --with-acl-support \
  --with-ssl \
  --without-sendfile-support \
  --with-included-popt \
  --with-pam \
  --with-smbwrapper
make
make install

ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.2
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.2
ln -s /usr/local/samba/source/nsswitch/pam_winbind.so /usr/lib/security/pam_winbind.so

crle -l /usr/j2se/jre/lib/sparc -i /usr/j2se/lib/sparc -l /usr/lib -i /usr/lib -l /usr/local/lib -i /usr/local/lib -l /usr/local/ssl/lib -i /usr/local/ssl/lib -i /usr/lib/security -s /usr/lib/security -i /usr/lib/secure -s /usr/lib/security
crle -64 -l /usr/lib/64 -i /usr/lib/64 -s /usr/lib/64/secure

pam.conf:

login auth sufficient /usr/lib/security/$ISA/pam_winbind.so
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
#
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other auth required /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/pam_winbind.so
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_projects.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account sufficient /usr/lib/security/$ISA/pam_winbind.so
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1

wbinfo -a INS+DavidSha%password (password was my password) returns:

plaintext password authentication succeeded

However, smbclient //optimus/samba-lib -UINS+DavidSha%password fails:

added interface ip=10.1.1.234 bcast=10.1.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.0.0.255 nmask=255.255.255.0
Got a positive name query response from 10.1.4.11 ( 10.1.1.234 )
Domain=[INS] OS=[Unix] Server=[Samba 2.2.6rc2cvs]
tree connect failed: NT_STATUS_WRONG_PASSWORD

log.optimus shows it trying to log in with the user nobody:

er_in_list: checking user nobody in list INS+JamesF INS+DavidSha nobody
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
  user_in_list: checking user |nobody| against |INS+JamesF|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
  user_in_list: checking user |nobody| against |INS+DavidSha|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(460)
  user_in_list: checking user |nobody| against |nobody|
[2002/11/05 09:39:24, 10] lib/username.c:user_in_list(466)
  user_in_list: user |nobody| matches |nobody|
[2002/11/05 09:39:24, 2] smbd/service.c:make_connection(331)
  Invalid username/password for samba-lib [nobody]
[2002/11/05 09:39:24, 3] smbd/error.c:error_packet(110)
  error packet at smbd/reply.c(166) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD

The smb.conf:

Global parameters
[global]
coding system =
client code page = 850
code page directory = /usr/local/samba/lib/codepages
workgroup = INS
netbios name = OPTIMUS
netbios aliases =
netbios scope =
server string = Samba %v on (%L)
interfaces = 10.1.1.234/24 127.0.0.1/24
bind interfaces only = Yes
security = DOMAIN
encrypt passwords = Yes
update encrypted = No
allow trusted domains = Yes
hosts equiv =
min passwd length = 5
map to guest = Never
null passwords = No
obey pam restrictions = Yes
password server = PDC,EXCHANGE_CORP
smb passwd file = /usr/local/samba/private/smbpasswd
root directory =
pam password change = No
passwd program
[Samba] ssh pam solaris samba 2.2.6
I still get the following errors when I try to ssh into the server:

ov 4 09:44:57 raven sshd[5990]: Accepted password for root from 10.1.2.20 port 57524 ssh2
Nov 4 09:44:57 raven sshd[5990]: load_modules: can not open module /usr/lib/security/pam_winbind.so.1
Nov 4 09:44:57 raven sshd[5990]: load_modules: can not open module /usr/lib/security/pam_winbind.so.1
Nov 4 09:44:57 raven sshd[5990]: fatal: PAM session setup failed[1]: Dlopen failure
Nov 4 09:44:57 raven sshd[5990]: fatal: PAM session setup failed[1]: Dlopen failure
Nov 4 09:44:57 raven sshd[5990]: fatal: PAM session setup failed[1]: Dlopen failure

Why can it not find the module? What is Dlopen failure?

The module is there:

raven:/etc #ls -la /usr/lib/security/pam_winbind.so.1
lrwxrwxrwx 1 root other 32 Nov 4 09:43 /usr/lib/security/pam_winbind.so.1 -> /usr/lib/security/pam_winbind.so
raven:/etc #ls -la /usr/lib/security/pam_winbind.so
-rwxr-xr-x 1 root other 68834 Nov 1 10:19 /usr/lib/security/pam_winbind.so

The entry I had in pam.conf:

login auth sufficient /usr/lib/security/pam_winbind.so.1
login auth required /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/security/pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/pam_unix.so.1
#
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
other auth required /usr/lib/security/pam_unix.so.1
#
# Account management
#
login account sufficient /usr/lib/security/pam_winbind.so.1
login account required /usr/lib/security/pam_unix.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
#
other account required /usr/lib/security/pam_unix.so.1
#
# Session management
#
other session sufficient /usr/lib/security/pam_winbind.so.1
other session required /usr/lib/security/pam_unix.so.1
[Samba] User nobody logging in to shares instead of domain user
Hello,

I have winbind and pam enabled on samba 2.2.6. The problem I am having is that the login it is using to check for authentication to a share I made is user called nobody instead of the domain user INS+DavidSha. I see in the workstation log:

[2002/11/04 14:00:43, 10] lib/username.c:user_in_list(456)
user_in_list: checking user nobody in list INS+DavidSha
user_in_list: checking user |nobody| against |INS+DavidSha|
[2002/11/04 14:00:43, 10] lib/username.c:user_in_list(456)
2002/11/04 14:00:43, 2] smbd/service.c:make_connection(331)
Invalid username/password for samba-lib [nobody]
[2002/11/04 14:00:43, 3] smbd/error.c:error_packet(110)
error packet at smbd/reply.c(166) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD [
[2002/11/04 14:00:43, 6] lib/util_sock.c:write_socket(521)

getent passwd returns domain users, so I think winbind is working. The share is set up as follows:

[samba-lib]
comment = Samba lib
path = /usr/local/samba/lib
valid users = INS+DavidSha
read only = No

The directory has group ownership of group called users with gid of 1. I have set up several samba servers. I am stumped on this one.

David
RE: [Samba] User nobody logging in to shares instead of domain user
I have winbind in nsswitch.conf. The getent passwd command works fine, which shows the libraries exist and that winbind is ready to be used for authentication. It is a solaris system. I have used + fine as a separator for a year now. guest ok is actually set to no. The guest user is nobody.

David

-----Original Message-----
From: Wieprecht, Karen M. [mailto:Karen.Wieprecht;jhuapl.edu]
Sent: Monday, November 04, 2002 4:41 PM
To: 'David Shapiro'; '[EMAIL PROTECTED]'
Subject: RE: [Samba] User nobody logging in to shares instead of domain user

I am assuming that you have guest ok = yes, and that guest is the nobody account. It sounds like your name lookups are not searching winbind, do you have winbind in your nsswitch.conf file for password and group? Have you restarted your nameservice lookups (automatic on solaris, nsadmin restart on Irix, don't know about other platforms but a reboot should certainly take care of it if you don't have a platform-specific command to do this).

Also, you are using + as a winbindseparator ... Are you also using NIS? If so, you may want to try using _ instead as a winbind separator, I seemed to have problems with + interacting adversely with NIS.

Karen Wieprecht

-----Original Message-----
From: David Shapiro [mailto:David.Edward.Shapiro;bti.com]
Sent: Monday, November 04, 2002 2:01 PM
To: '[EMAIL PROTECTED]'
Subject: [Samba] User nobody logging in to shares instead of domain user

Hello,

I have winbind and pam enabled on samba 2.2.6. The problem I am having is that the login it is using to check for authentication to a share I made is user called nobody instead of the domain user INS+DavidSha. I see in the workstation log:

[2002/11/04 14:00:43, 10] lib/username.c:user_in_list(456)
user_in_list: checking user nobody in list INS+DavidSha
user_in_list: checking user |nobody| against |INS+DavidSha|
[2002/11/04 14:00:43, 10] lib/username.c:user_in_list(456)
2002/11/04 14:00:43, 2] smbd/service.c:make_connection(331)
Invalid username/password for samba-lib [nobody]
[2002/11/04 14:00:43, 3] smbd/error.c:error_packet(110)
error packet at smbd/reply.c(166) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD [
[2002/11/04 14:00:43, 6] lib/util_sock.c:write_socket(521)

getent passwd returns domain users, so I think winbind is working. The share is set up as follows:

[samba-lib]
comment = Samba lib
path = /usr/local/samba/lib
valid users = INS+DavidSha
read only = No

The directory has group ownership of group called users with gid of 1. I have set up several samba servers. I am stumped on this one.

David
[Samba] pam and solaris and bumps in the night
Hello,

I am trying to use pam and samba together on a solaris 7 server. I tried the pam.conf described in the HOWTO but I get the following errors:

open_module: stat(/usr/lib/security/pam_winbind.so) failed: No such file or directory
Nov 1 10:16:52 raven sshd[2]: open_module: stat(/usr/lib/security/pam_winbind.so) failed: No such file or directory
Nov 1 10:16:52 raven sshd[2]: load_modules: can not open module /usr/lib/security/pam_winbind.so
Nov 1 10:16:52 raven sshd[2]: load_modules: can not open module /usr/lib/security/pam_winbind.so

I checked /usr/lib/security and saw that pam_winbind.so is in that folder. If I use the module, nobody can log in with any services (ftp, ssh, etc.). My pam.conf looks as follows right now:

#ident (#)pam.conf 1.1499/09/16 SMI
#
# Copyright (c) 1996-1999, Sun Microsystems, Inc.
# All Rights Reserved.
#
# PAM configuration
#
# Authentication management
#
login auth sufficient /usr/lib/security/$ISA/pam_winbind.so
login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
#
sshd auth sufficient /usr/lib/security/$ISA/pam_winbind.so
sshd auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
sshd auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass
#
dtlogin auth sufficient /usr/lib/security/pam_winbind.so
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
other auth sufficient /usr/lib/security/pam_winbind.so
other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/pam_winbind.so
login account requisite /usr/lib/security/$ISA/pam_roles.so.1
login account required /usr/lib/security/$ISA/pam_unix.so.1
#
sshd account sufficient /usr/lib/security/$ISA/pam_winbind.so
sshd account requisite /usr/lib/security/$ISA/pam_roles.so.1
sshd account required /usr/lib/security/$ISA/pam_projects.so.1
sshd account required /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin account sufficient /usr/lib/security/$ISA/pam_winbind.so
dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
#
other account sufficient /usr/lib/security/pam_winbind.so
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/$ISA/pam_unix.so.1
sshd session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
#other password sufficient /usr/lib/security/pam_winbind.so
other password required /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
[Samba] HELP: configure fails for latest cvs samba 3.x
Please help me get samba compiled. I used cvs to download latest samba-3.x and configure is failing. I have: solaris 7 (32-bit mode kernel), binutils-2.11.2, automake-1.7.1, autoconf-2.54, and libtool-1.4. I used the below script:

#!/bin/ksh
cd /usr/local/samba/source
/usr/local/bin/gmake realclean
/usr/bin/rm config.cache ltmain.sh configure
aclocal
libtoolize --force
/usr/local/bin/autoheader
/usr/local/bin/autoconf
cd /usr/local/samba/source
env CFLAGS="-Wall -m32 -g" ./configure --with-winbind --without-sendfile-support --with-included-popt --with-smbwrapper

Summary of errors:

It always whines about aclocal.m4
Tells me to add AC_PROG_LIBTOOL (how do you do this?)
Crashes at a configure line 2800

Configure:

make: *** No rule to make target `realclean'. Stop.
config.cache: No such file or directory
configure: No such file or directory
Remember to add `AC_PROG_LIBTOOL' to `configure.in'.
You should update your `aclocal.m4' by running aclocal.
autoheader: `include/config.h.in' is updated
configure.in:216: error: possibly undefined macro: AC_ADD_INCLUDE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.in:220: error: possibly undefined macro: AC_VALIDATE_CACHE_SYSTEM_TYPE
configure.in:232: error: possibly undefined macro: AC_PROG_CC_FLAG
configure.in:482: error: possibly undefined macro: AC_DIRENT_D_OFF
configure.in:582: error: possibly undefined macro: AC_HAVE_DECL
configure.in:830: error: possibly undefined macro: AC_LIBTESTFUNC
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for a BSD-compatible install... ./install-sh -c
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking if the linker (ld) is GNU ld... yes
checking for library containing strerror... none required
checking whether gcc and cc understand -c and -o together... yes
checking that the C compiler understands volatile... yes
checking build system type... sparc-sun-solaris2.7
checking host system type... sparc-sun-solaris2.7
checking target system type... sparc-sun-solaris2.7
./configure[2799]: syntax error at line 2800 : `(' unexpected
RE: [Samba] solaris 7 and cvs samba 3.x build - No locking available. Running Samba would be unsafe solaris
I changed line 230 to look as follows:

ac_includes_default=

It had something like ac_includes_default=/

Now I can get through the configure past the No locking message.

David

-----Original Message-----
From: Matthew Hannigan [mailto:mlh;zip.com.au]
Sent: Monday, October 28, 2002 6:01 PM
To: David Shapiro
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Samba] solaris 7 and cvs samba 3.x build - No locking available. Running Samba would be unsafe solaris

On Mon, Oct 28, 2002 at 02:55:05PM -0500, David Shapiro wrote:

Hello, Getting during configure the infamous error: No locking available. Running Samba would be unsafe solaris

Dunno why you would get this, solaris works fine of course. Maybe something screwy with your gcc installation?

[problems compiling fcntl_lock]

Find the lines

#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif

and remove the #ifdef and #endif lines.

Matt
[Samba] Help: configure error with cvs download samba 3.x
Hello,

I used cvs to download and build samba, but it failed to build with error message:

checking configure summary... configure: error: summary failure. Aborting config

I used the following download and build process: (solaris 7 11/99 gcc 3.2 automake 1.7, libtool 1.4.3, gnu make 3.80, binutils 2.13)

#!/usr/bin/ksh
#cd /usr/local/samba
cd /usr/local
echo "\npassword: anoncvs\n"
cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot login
if [ ! -d /usr/local/samba/source ]; then
    echo Creating new samba install
    #mkdir -p /usr/local/samba/source
    cvs -z5 -d :pserver:[EMAIL PROTECTED]:/cvsroot co samba
    if [ $? -ne 0 ]; then
        echo error
    fi
else
    echo Updating old samba install
    /usr/bin/rm /usr/local/samba/bin/*
    /usr/bin/rm /usr/local/samba/sbin/*
    cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot update -d -P
fi
# Configure and build samba
cd /usr/local/samba/source
#/usr/local/bin/gmake realclean
#/usr/bin/rm config.cache ltmain.sh configure
#aclocal
#libtoolize --force
#/usr/local/bin/autoheader
#/usr/local/bin/autoconf
cd /usr/local/samba/source
env CFLAGS="-Wall -m32 -g" ./configure \
    --with-winbind \
    --without-sendfile-support \
    --with-pam \
    --with-pam_smbpass \
    --with-included-popt \
    --with-smbwrapper
#
/usr/local/bin/gmake proto
/usr/local/bin/gmake
/usr/local/bin/gmake install
/usr/local/bin/gmake nsswitch/libnss_winbind.so
/usr/local/bin/gmake nsswitch/libnss_wins.so
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.2
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.2
echo If not already done, you need to modify pam.conf for samba pam support.
echo See /usr/local/samba/docs/textdocs/Sol* for information.
[Samba] solaris 7 and cvs samba 3.x build - No locking available. Running Samba would be unsafe solaris
Hello,

Getting during configure the infamous error:

No locking available. Running Samba would be unsafe solaris

I went into tests folder and tried summary.c. It fails with the above error. I tried to make the fcntl_lock manually like it tries and got the following:

rootraven:/usr/local/samba/source/tests #gcc -m32 -o fcntl_lock fcntl_lock.c
fcntl_lock.c: In function `main':
fcntl_lock.c:43: storage size of `lock' isn't known
fcntl_lock.c:55: `O_RDONLY' undeclared (first use in this function)
fcntl_lock.c:55: (Each undeclared identifier is reported only once
fcntl_lock.c:55: for each function it appears in.)
fcntl_lock.c:63: `F_WRLCK' undeclared (first use in this function)
fcntl_lock.c:72: `F_GETLK' undeclared (first use in this function)
fcntl_lock.c:75: `F_UNLCK' undeclared (first use in this function)
fcntl_lock.c:84: `O_RDWR' undeclared (first use in this function)
fcntl_lock.c:84: `O_CREAT' undeclared (first use in this function)
fcntl_lock.c:84: `O_EXCL' undeclared (first use in this function)
fcntl_lock.c:99: `F_SETLK' undeclared (first use in this function)

Any thoughts on how to fix this? I tried --with-spinlocks, but configure fails anyway trying to do the fcntl locking.
compilation and sco 5.0.6 and winbind for samba 3.x
Are there any special steps needed to get winbind working in sco? I tried to compile with its cc and with gcc (have to use their ld because gnu ld will not compile on sco).

compiling nsswitch/winbind_nss.c with
Compiling nsswitch/wb_common.c with
Linking nsswitch/libnss_winbind.so
relocations referenced from file(s)
nsswitch/winbind_nss.po
nsswitch/wb_common.po
fatal error: relocations remain against allocatable but non-writable section: .text
collect2: ld returned 1 exit status
*** Error code 1 (bu21)
Compiling nsswitch/wins.c with
don't know how to make param/loadparm.o param/params.o dynconfig.o (bu42).
sco openserver 5.0.6 and winbindd compilation problem
I did not see any information on this, but it is in relation to build failure (sigh, is it because gnu ld does not work on sco openserver?). Does winbind not work on sco? I used the following script to build after cvs head download:

#!/bin/ksh
cd /usr/local/samba/source
/usr/local/bin/make realclean
/bin/rm config.cache configure
/usr/local/bin/autoconf
./config.status
cd /usr/local/samba/source
#env CFLAGS="-Wall -m32 -g" CC=gcc ./configure \
env CFLAGS="-I include -I ubiqx" CC=cc ./configure \
    --with-winbind \
    --with-included-popt \
    --with-gnu-as \
    --with-as=/usr/local/bin/as \
    --with-smbwrapper
/usr/local/bin/make proto
/usr/local/bin/make
/usr/local/bin/make install
/usr/local/bin/make nsswitch/libnss_winbind.so
/usr/local/bin/make nsswitch/libnss_wins.so
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/libnss_winbind.so.2
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.1
ln -s /usr/local/samba/source/nsswitch/libnss_winbind.so /usr/lib/nss_winbind.so.2

Note: I had to add as a CFLAG option because it was whining about not finding its header files to get this far

CFLAG=-I ubiqx -I include

compiling nsswitch/wb_common.c with
Linking nsswitch/libnss_winbind.so
command line: warning: -h ignored when building a static executable
Undefined                 first referenced
 symbol                       in file
main                      /usr/ccs/lib/crt1.o
socket                    nsswitch/wb_common.po
connect                   nsswitch/wb_common.po
nsswitch/libnss_winbind.so: fatal error: Symbol referencing errors. No output written to nsswitch/libnss_winbind.so
make: *** [nsswitch/libnss_winbind.so] Error 1

Compiling tdb/tdbutil.c with
tdb/tdbutil.c, line 593: warning: syntax violation: empty declaration
tdb/tdbutil.c, line 610: warning: syntax violation: empty declaration
Linking nsswitch/libnss_wins.so
command line: warning: -h ignored when building a static executable
Undefined                 first referenced
 symbol                       in file
accept                    lib/util_sock.po
main                      /usr/ccs/lib/crt1.o
yp_get_default_domain     lib/username.po
htonl                     lib/interface.po
htons                     libsmb/clidgram.po
socket                    nsswitch/wins.po
send                      lib/system.po
connect                   lib/util_sock.po
listen                    lib/util_sock.po
gethostbyname             lib/system.po
setsockopt                nsswitch/wins.po
inet_ntoa                 libsmb/cliconnect.po
getsockname               libsmb/clidgram.po
bind                      nsswitch/wins.po
recvfrom                  lib/system.po
gethostname               lib/util.po
ntohl                     lib/interfaces.po
ntohs                     libsmb/clidgram.po
gethostbyaddr             lib/util_sock.po
getsockopt                lib/util_sock.po
innetgr                   lib/username.po
getpeername               lib/util_sock.po
sendto                    libsmb/nmblib.po
inet_addr                 libsmb/clidgram.po
nsswitch/libnss_wins.so: fatal error: Symbol referencing errors. No output written to nsswitch/libnss_wins.so
make: *** [nsswitch/libnss_wins.so] Error 1
RE: sessionid.tdb missing after build and client read failutre
Title: RE: sessionid.tdb missing after build and client read failutre I recompiled with CFLAGS option -g and ran again: 313 fmtint (buffer, currlen, maxlen, value, 10, min, max, flags);(gdb) 314 break;(gdb) 368 break;(gdb) 400 state = DP_S_DEFAULT;(gdb) 401 flags = cflags = min = 0;(gdb) 402 max = -1;(gdb) 408 break; /* some picky compilers need this */(gdb) 185 switch(state) {(gdb) 187 if (ch == '%') (gdb) 190 dopr_outch (buffer, currlen, maxlen, ch);(gdb) 192 break;(gdb) 408 break; /* some picky compilers need this */(gdb) 185 switch(state) {(gdb) 408 break; /* some picky compilers need this */(gdb) 411 if (maxlen != 0) {(gdb) 412 if (currlen maxlen - 1) (gdb) 413 buffer[currlen] = '\0';(gdb) 419 }(gdb) vsnprintf (str=0x15 Address 0x15 out of bounds, count=1023, fmt=0x1c482e "", args=0xffbef50c) at lib/snprintf.c:77 }(gdb) dbgtext (format_str=0x1c4818 "got smb length of %d\n") at lib/debug.c:982982 format_debug_text( msgbuf );(gdb) 985 } /* dbgtext */(gdb) read_smb_length_return_keepalive (fd=13, inbuf=0x26af68 "", timeout=0) at lib/util_sock.c:541541 return(len);(gdb) 542 }(gdb) receive_smb (fd=13, buffer=0x26af68 "", timeout=0) at lib/util_sock.c:588588 if (len 0) {(gdb) 607 if (len (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {(gdb) 624 ret = read_socket_data(fd,buffer+4,len);(gdb) 625 if (ret != len) {(gdb) 632 return(True);(gdb) 633 }(gdb) receive_message_or_smb (buffer=0x26af68 "", buffer_len=131137, timeout=6) at smbd/process.c:271271 }(gdb) smbd_process () at smbd/process.c:12671267 num_echos = smb_echo_count;(gdb) 1269 process_smb(InBuffer, OutBuffer);(gdb) Program received signal SIGSEGV, Segmentation fault.0xff132e84 in strcmp () from /usr/lib/libc.so.1(gdb) Single stepping until exit from function strcmp, which has no line number information.0xff1544ec in _tzload () from /usr/lib/libc.so.1(gdb) Single stepping until exit from function _tzload, which has no line number information.0xff152df8 in _ltzset_u () from /usr/lib/libc.so.1(gdb) Single stepping until 
exit from function _ltzset_u, which has no line number information. 0xff152994 in mktime () from /usr/lib/libc.so.1(gdb) Single stepping until exit from function mktime, which has no line number information.0xff1736dc in strftime () from /usr/lib/libc.so.1(gdb) Single stepping until exit from function strftime, which has no line number information.timestring (hires=0) at lib/time.c:709709 }(gdb) dbghdr (level=0, file=0x1c18e0 "lib/fault.c", func=0x1c18f0 "fault_report", line=36) at lib/debug.c:956956 errno = old_errno;(gdb) 957 return( True );(gdb) 958 }(gdb) fault_report (sig=11) at lib/fault.c:3737 DEBUG(0,("INTERNAL ERROR: Signal %d in pid %d (%s)",sig,(int)sys_getpid(),VERSION));(gdb) 38 DEBUG(0,("\nPlease read the file BUGS.txt in the distribution\n"));(gdb) 39 DEBUG(0,("===\n"));(gdb) 41 smb_panic("internal error");(gdb) Program received signal SIGABRT, Aborted.0xff19c724 in _libc_kill () from /usr/lib/libc.so.1(gdb) Single stepping until exit from function _libc_kill, which has no line number information.procfs: couldn't stop process 84866: wait returned -1 -Original Message-From: Esh, Andrew [mailto:[EMAIL PROTECTED]]Sent: Tuesday, July 02, 2002 11:10 AMTo: 'David Shapiro'; 'Andrew Bartlett'Cc: 'Richard Sharpe'; '[EMAIL PROTECTED]'Subject: RE: sessionid.tdb missing after build and client read failutre Don't step at that point. The process has already run the CPU into the wrong segment, or accessed memory using a bad pointer. Stepping will only destroy information. Do a 'bt' instead. That will dump the call stack, and show what path the code ran to get to this point. What I expect to see is somewhere above the strcmp routine, a Samba routine will call strcmp with a bad pointer, or a non-terminated string buffer. We need to know which routine did that. 
-Original Message- From: David Shapiro [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 02, 2002 9:17 AM To: 'Andrew Bartlett'; David Shapiro Cc: 'Richard Sharpe'; '[EMAIL PROTECTED]' Subject: RE: sessionid.tdb missing after build and client read failutre Trying to get better at this gdb here. I see a segmentation fault: which has no line number information. Program received signal SIGSEGV, Segmentation fault. 0xff132e84 in strcmp () from /usr/lib/libc.so.1 (gdb) step Single stepping until exit from function strcmp, which has no line number information. 0xff1544ec in _tzload () from /usr/lib/libc.so.1 (gdb) step Single stepping until exit from function _tzload, which has no line number information. 0xff152df8 in _ltzset_u () from /usr/lib/libc.so.1 (gdb) step Single stepping until exit from function _ltzset_u,
RE: sessionid.tdb missing after build and client read failutre
It did join successfully though, as far as I can tell (net scrolls debug information now for some reason). It says joined INS domain at the end. Things like getent passwd/group work. There just is no sessionid.tdb.. . On Mon, 1 Jul 2002, David Shapiro wrote: Thanks. Any idea on why wbinfo -t fails? Is it related to sessionid.tdb missing? How do I get this file? I did remove myself from INS domain and rejoined again. Typically that fails because you have not joined the domain properly, or you cannot connect to th DC (ie, name lookup fails). -Original Message- From: Richard Sharpe [mailto:[EMAIL PROTECTED]] Sent: Monday, July 01, 2002 12:08 PM To: David Shapiro Cc: '[EMAIL PROTECTED]' Subject: Re: sessionid.tdb missing after build and client read failutre On Mon, 1 Jul 2002, David Shapiro wrote: Hello, The latest samba head as of 6/30/02 seems to not provide sessionid.tdb and gives me the following errors: I see this information in the log: 6/28 16:35:59, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(91) secret is good [2002/06/28 16:35:59, 5] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(100) Checking the trust account password returned NT_STATUS_OK [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:client_write(456) client_write: wrote 1300 bytes. [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:winbind_client_read(408) client_read: read 0 bytes. Need 1304 more for a full request. [2002/06/28 16:35:59, 5] nsswitch/winbindd.c:winbind_client_read(415) read failed on sock 13, pid 1002: EOF It is a little confusing. It says secret is good in the log, but it has some error about not reading enough bytes and a sock 13 error. This just means that the client of winbindd closed the socket/whatever and stopped talking to winbindd. In addition, which may be related to the above, it looks for davidsha instead of INS+DavidSha even though smb.conf has it set to not have the server in INS by default. David E. 
Shapiro Senior Unix Admin BTi - the future of communications 4300 Six Forks Road, Raleigh, NC 27609 -- Regards - Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
RE: sessionid.tdb missing after build and client read failutre
: ROLE_DOMAIN_MEMBER [2002/07/02 08:07:28, 0] libsmb/cli_netlogon.c:new_cli_nt_setup_creds(209) cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED [2002/07/02 08:07:28, 0] libsmb/trust_passwd.c:just_change_the_password(42) just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)! [2002/07/02 08:07:28, 0] utils/net_rpc.c:run_rpc_command(149) rpc command function failed! (NT_STATUS_ACCESS_DENIED) Password: Joined domain INS. -Original Message- From: David Shapiro Sent: Tuesday, July 02, 2002 8:12 AM To: 'Richard Sharpe'; David Shapiro Cc: '[EMAIL PROTECTED]' Subject: RE: sessionid.tdb missing after build and client read failutre It did join successfully though, as far as I can tell (net scrolls debug information now for some reason). It says joined INS domain at the end. Things like getent passwd/group work. There just is no sessionid.tdb.. . On Mon, 1 Jul 2002, David Shapiro wrote: Thanks. Any idea on why wbinfo -t fails? Is it related to sessionid.tdb missing? How do I get this file? I did remove myself from INS domain and rejoined again. Typically that fails because you have not joined the domain properly, or you cannot connect to th DC (ie, name lookup fails). -Original Message- From: Richard Sharpe [mailto:[EMAIL PROTECTED]] Sent: Monday, July 01, 2002 12:08 PM To: David Shapiro Cc: '[EMAIL PROTECTED]' Subject: Re: sessionid.tdb missing after build and client read failutre On Mon, 1 Jul 2002, David Shapiro wrote: Hello, The latest samba head as of 6/30/02 seems to not provide sessionid.tdb and gives me the following errors: I see this information in the log: 6/28 16:35:59, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(91) secret is good [2002/06/28 16:35:59, 5] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(100) Checking the trust account password returned NT_STATUS_OK [2002/06/28 16:35:59, 10] nsswitch/winbindd.c:client_write(456) client_write: wrote 1300 bytes. 
[2002/06/28 16:35:59, 10] nsswitch/winbindd.c:winbind_client_read(408) client_read: read 0 bytes. Need 1304 more for a full request. [2002/06/28 16:35:59, 5] nsswitch/winbindd.c:winbind_client_read(415) read failed on sock 13, pid 1002: EOF It is a little confusing. It says secret is good in the log, but it has some error about not reading enough bytes and a sock 13 error. This just means that the client of winbindd closed the socket/whatever and stopped talking to winbindd. In addition, which may be related to the above, it looks for davidsha instead of INS+DavidSha even though smb.conf has it set to not have the server in INS by default. David E. Shapiro Senior Unix Admin BTi - the future of communications 4300 Six Forks Road, Raleigh, NC 27609 -- Regards - Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
RE: sessionid.tdb missing after build and client read failutre
Thank you Andrew. I was looking at joining because it was mentioned that to get sessionid.tdb, you needed to join domain. I looked ing smbd.log and saw a connection from davidsha, and then in my workstation log and saw at the bottom: user_in_list: checking user |INS+DavidSha| against |INS+DavidSha| [2002/07/02 08:40:53, 5] lib/username.c:Get_Pwnam_internals(223) Trying _Get_Pwnam(), username as lowercase is ins+davidsha [2002/07/02 08:40:53, 5] lib/username.c:Get_Pwnam_internals(251) Get_Pwnam_internals did find user [INS+DavidSha]! [2002/07/02 08:40:53, 1] smbd/service.c:make_connection_snum(513) Couldn't find group @Users [2002/07/02 08:40:53, 3] smbd/service.c:make_connection_snum(523) Connect path is /usr/local/samba/lib [2002/07/02 08:40:53, 3] smbd/sec_ctx.c:push_sec_ctx(241) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2002/07/02 08:40:53, 3] smbd/uid.c:push_conn_ctx(279) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2002/07/02 08:40:53, 3] smbd/sec_ctx.c:set_sec_ctx(273) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2002/07/02 08:40:53, 0] lib/fault.c:fault_report(36) === [2002/07/02 08:40:53, 0] lib/fault.c:fault_report(37) INTERNAL ERROR: Signal 11 in pid 8127 (3.0-alpha17) Please read the file BUGS.txt in the distribution [2002/07/02 08:40:53, 0] lib/fault.c:fault_report(39) === I also keep getting an xterm session pop up that says: xterm: Can't execvp /usr/local/bin/gdb I think this comes from the line in smb.conf: panic action = /usr/openwin/bin/xterm -display $DISPLAY -e /usr/local/bin/gbd -p %d gdb is in /usr/local/bin. What does it mean it can't execvp it? -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 02, 2002 8:36 AM To: David Shapiro Cc: 'Richard Sharpe'; '[EMAIL PROTECTED]' Subject: Re: sessionid.tdb missing after build and client read failutre David Shapiro wrote: getent group shows davidsha is in domain admin. 
I list using a net from a server I buildt 3 months ago and have not updated, and the new net command from yesterday cvs build of head. Both report I joined the domain, but I do not have a sessionid.tdb after it is done. I can not access shares as it stands now... Joined domain INS. So it joined fine. sessionid.tdb is not related to this at all - and should be created on the first login to the server. Look into the smbd logs for connections, not the domain join. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net
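The message above ends with the advice to look into the smbd logs for connections. As an added example (not part of the thread and not Samba code), the following splits a run-together Samba debug log into records using the header format visible in the logs quoted in this thread, then pulls out the low-level entries, NT_STATUS codes and fault_report crashes. The function names are this example's own, and the sample is assembled from log lines quoted in the thread.

```python
import re
from collections import Counter

# Debug header as it appears in the logs quoted in this thread, e.g.
#   [2002/07/02 08:40:53, 0] lib/fault.c:fault_report(37)
# The leading "[" is optional because one quoted header has lost it.
HEADER = re.compile(
    r"\[?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(?P<level>\d+)\] "
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)"
)
NT_STATUS = re.compile(r"NT_STATUS_[A-Z0-9_]+")
CRASH = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+)")

# Sample assembled from log lines quoted in this thread, flattened onto
# one line the way the archive shows them.
SAMPLE = (
    "[2002/07/02 08:07:28, 0] libsmb/cli_netlogon.c:new_cli_nt_setup_creds(209) "
    "cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED "
    "[2002/07/02 08:40:53, 5] lib/username.c:Get_Pwnam_internals(251) "
    "Get_Pwnam_internals did find user [INS+DavidSha]! "
    "[2002/07/02 08:40:53, 1] smbd/service.c:make_connection_snum(513) "
    "Couldn't find group @Users "
    "[2002/07/02 08:40:53, 3] smbd/service.c:make_connection_snum(523) "
    "Connect path is /usr/local/samba/lib "
    "[2002/07/02 08:40:53, 0] lib/fault.c:fault_report(37) "
    "INTERNAL ERROR: Signal 11 in pid 8127 (3.0-alpha17) "
    "2002/11/04 14:00:43, 2] smbd/service.c:make_connection(331) "
    "Invalid username/password for samba-lib [nobody] "
    "[2002/11/04 14:00:43, 3] smbd/error.c:error_packet(110) "
    "error packet at smbd/reply.c(166) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD"
)


def parse_records(text):
    """Split log text into records, even when it is flattened onto one line."""
    headers = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(headers):
        # A record's body runs up to the start of the next header.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        records.append({
            "ts": h["ts"],
            "level": int(h["level"]),
            "where": f'{h["file"]}:{h["func"]}({h["line"]})',
            "body": " ".join(text[h.end():end].split()),
        })
    return records


def triage(text, max_level=1):
    """Summarise a log: entries at or below max_level, status codes, crashes."""
    records = parse_records(text)
    return {
        "urgent": [r for r in records if r["level"] <= max_level],
        "nt_status": Counter(
            code for r in records for code in NT_STATUS.findall(r["body"])
        ),
        "crashes": [
            (int(sig), int(pid))
            for r in records
            for sig, pid in CRASH.findall(r["body"])
        ],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE)
    for rec in summary["urgent"]:
        print(rec["ts"], rec["level"], rec["where"], "|", rec["body"])
    print("status codes:", dict(summary["nt_status"]))
    print("crashes (signal, pid):", summary["crashes"])
```

Bracketed text inside a message body, such as [INS+DavidSha] or [nobody], is not mistaken for a header because a header must start with the date and level.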
RE: sessionid.tdb missing after build and client read failutre
I am fairly new to gdb. After I sleep it for 9000 or during that time, what should I collect? I did an smbstatus and saw the pid it reported for the connection and ran gdb smbd pid#. I stepped a bit through it and saw the stuff here (not sure if this is enough):

Program received signal SIGABRT, Aborted.
0xff19c724 in _libc_kill () from /usr/lib/libc.so.1
(gdb) n
Single stepping until exit from function _libc_kill,
which has no line number information.
procfs: couldn't stop process 76253: wait returned -1
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n
procfs: fetch_registers, get_gregs line 3514, /proc/10717/lwp/1: No such file or directory.
(gdb) n

-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 9:01 AM
To: David Shapiro
Cc: 'Andrew Bartlett'; 'Richard Sharpe'; '[EMAIL PROTECTED]'
Subject: Re: sessionid.tdb missing after build and client read failure

David Shapiro wrote:

Thank you Andrew. I was looking at joining because it was mentioned that to get sessionid.tdb, you needed to join domain. I looked in smbd.log and saw a connection from davidsha, and then in my workstation log and saw at the bottom:

  ===
[2002/07/02 08:40:53, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 8127 (3.0-alpha17)
  Please read the file BUGS.txt in the distribution
[2002/07/02 08:40:53, 0] lib/fault.c:fault_report(39)
  ===

I also keep getting an xterm session pop up that says:

xterm: Can't execvp /usr/local/bin/gdb

I think this comes from the line in smb.conf:

panic action = /usr/openwin/bin/xterm -display $DISPLAY -e /usr/local/bin/gbd -p %d

gdb is in /usr/local/bin. What does it mean it can't execvp it?

I dunno - but just make it a simple 'panic action = /bin/sleep 9000' and attach manually. Then let's look at it from there.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
RE: sessionid.tdb missing after build and client read failure
Trying to get better at this gdb here. I see a segmentation fault:

which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
0xff132e84 in strcmp () from /usr/lib/libc.so.1
(gdb) step
Single stepping until exit from function strcmp,
which has no line number information.
0xff1544ec in _tzload () from /usr/lib/libc.so.1
(gdb) step
Single stepping until exit from function _tzload,
which has no line number information.
0xff152df8 in _ltzset_u () from /usr/lib/libc.so.1
(gdb) step
Single stepping until exit from function _ltzset_u,
which has no line number information.
0xff152994 in mktime () from /usr/lib/libc.so.1
(gdb) step
Single stepping until exit from function mktime,
which has no line number information.
0xff1736dc in strftime () from /usr/lib/libc.so.1
(gdb) step
Single stepping until exit from function strftime,
which has no line number information.
0x136db0 in timestring ()
(gdb) step
Single stepping until exit from function timestring,

-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 9:01 AM
To: David Shapiro
Cc: 'Andrew Bartlett'; 'Richard Sharpe'; '[EMAIL PROTECTED]'
Subject: Re: sessionid.tdb missing after build and client read failure

David Shapiro wrote:

Thank you Andrew. I was looking at joining because it was mentioned that to get sessionid.tdb, you needed to join domain. I looked in smbd.log and saw a connection from davidsha, and then in my workstation log and saw at the bottom:

  ===
[2002/07/02 08:40:53, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 8127 (3.0-alpha17)
  Please read the file BUGS.txt in the distribution
[2002/07/02 08:40:53, 0] lib/fault.c:fault_report(39)
  ===

I also keep getting an xterm session pop up that says:

xterm: Can't execvp /usr/local/bin/gdb

I think this comes from the line in smb.conf:

panic action = /usr/openwin/bin/xterm -display $DISPLAY -e /usr/local/bin/gbd -p %d

gdb is in /usr/local/bin. What does it mean it can't execvp it?

I dunno - but just make it a simple 'panic action = /bin/sleep 9000' and attach manually. Then let's look at it from there.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
RE: sessionid.tdb missing after build and client read failure
A note to this: The share is:

[samba]
comment = samba smb.conf
path = /usr/local/samba/lib
read only = No
valid users = INS+DavidSha
force create mode=775
force group= users

Note that I can get into the share called home:

[homes]
comment = Home Directories
read only = No
browseable = No
RE: sessionid.tdb missing after build and client read failure
Thanks. I checked, and it was my note that had the error, but the line in smb.conf was fine. I wrote a script called smbpanic.sh and tried using it, but I get the same error about execvp:

#!/usr/local/bin/perl -w
my $pid = shift;
my @program = `/usr/bin/ps -efo pid,comm`;
foreach (@program) {
    if (/$pid/) {
        my ($space,$pid2,$comm) = split(/\s+/);
        my @split = split(/\//,$comm);
        $comm = pop @split;
        if ($comm and $pid) {
            my $cmd = "/usr/local/bin/gdb $comm $pid";
            # system() returns 0 on success, so test for a non-zero status
            system($cmd) == 0 or die "Failed to run command: $cmd\n";
        }
        exit;
    }
}

It doesn't seem to want to run anything. In the interim, I run smbstatus and see the pid. This pid changes a few times before a window opens as if it is about to show the share. Once the window opens, that is the one I was able to quickly run my script against to get some debug information. It seems to have a segmentation error during a strcmp and halts during the fault_report.

David

-Original Message-
From: MCCALL,DON (HP-USA,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 10:11 AM
To: 'David Shapiro'; 'Andrew Bartlett'
Cc: 'Richard Sharpe'; '[EMAIL PROTECTED]'
Subject: RE: sessionid.tdb missing after build and client read failure

Hi David,
It looks like you might have misspelt gdb in your smb.conf line (in your message it is spelt gbd)
Don

-Original Message-
From: David Shapiro [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 8:56
To: 'Andrew Bartlett'; David Shapiro
Cc: 'Richard Sharpe'; '[EMAIL PROTECTED]'
Subject: RE: sessionid.tdb missing after build and client read failure

Thank you Andrew. I was looking at joining because it was mentioned that to get sessionid.tdb, you needed to join domain. I looked in smbd.log and saw a connection from davidsha, and then in my workstation log and saw at the bottom:

  user_in_list: checking user |INS+DavidSha| against |INS+DavidSha|
[2002/07/02 08:40:53, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is ins+davidsha
[2002/07/02 08:40:53, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [INS+DavidSha]!
[2002/07/02 08:40:53, 1] smbd/service.c:make_connection_snum(513)
  Couldn't find group @Users
[2002/07/02 08:40:53, 3] smbd/service.c:make_connection_snum(523)
  Connect path is /usr/local/samba/lib
[2002/07/02 08:40:53, 3] smbd/sec_ctx.c:push_sec_ctx(241)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2002/07/02 08:40:53, 3] smbd/uid.c:push_conn_ctx(279)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2002/07/02 08:40:53, 3] smbd/sec_ctx.c:set_sec_ctx(273)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2002/07/02 08:40:53, 0] lib/fault.c:fault_report(36)
  ===
[2002/07/02 08:40:53, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 8127 (3.0-alpha17)
  Please read the file BUGS.txt in the distribution
[2002/07/02 08:40:53, 0] lib/fault.c:fault_report(39)
  ===

I also keep getting an xterm session pop up that says:

xterm: Can't execvp /usr/local/bin/gdb

I think this comes from the line in smb.conf:

panic action = /usr/openwin/bin/xterm -display $DISPLAY -e /usr/local/bin/gbd -p %d

gdb is in /usr/local/bin. What does it mean it can't execvp it?

-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 8:36 AM
To: David Shapiro
Cc: 'Richard Sharpe'; '[EMAIL PROTECTED]'
Subject: Re: sessionid.tdb missing after build and client read failure

David Shapiro wrote:

getent group shows davidsha is in domain admin. I list using a net from a server I built 3 months ago and have not updated, and the new net command from yesterday's cvs build of head. Both report I joined the domain, but I do not have a sessionid.tdb after it is done. I can not access shares as it stands now...

Joined domain INS.

So it joined fine. sessionid.tdb is not related to this at all - and should be created on the first login to the server. Look into the smbd logs for connections, not the domain join.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
RE: sessionid.tdb missing after build and client read failure
Just for test of the samba.

-Original Message-
From: Richard Sharpe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 12:56 PM
To: David Shapiro
Cc: 'Andrew Bartlett'; '[EMAIL PROTECTED]'
Subject: RE: sessionid.tdb missing after build and client read failure

On Tue, 2 Jul 2002, David Shapiro wrote:

A note to this: The share is:

[samba]
comment = samba smb.conf
path = /usr/local/samba/lib
read only = No
valid users = INS+DavidSha
force create mode=775
force group= @users

Hmmm, why do you have a share pointing at the directory where Samba keeps its config info etc?

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
RE: sessionid.tdb missing after build and client read failure
Okay, correct me if I did it wrong... I ran smbstatus, saw the pid of my connection, ran gdb smbd pid

#gdb smbd 17294
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
/usr/local/bin/17294: No such file or directory.
Attaching to program `/usr/local/samba/sbin/smbd', process 17294
Reading symbols from /usr/lib/libsec.so.1...done.
Loaded symbols for /usr/lib/libsec.so.1
Reading symbols from /usr/lib/libgen.so.1...done.
Loaded symbols for /usr/lib/libgen.so.1
Reading symbols from /usr/lib/libresolv.so.2...done.
Loaded symbols for /usr/lib/libresolv.so.2
Reading symbols from /usr/lib/libsocket.so.1...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libnsl.so.1...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libpam.so.1...done.
Loaded symbols for /usr/lib/libpam.so.1
Reading symbols from /usr/lib/libc.so.1...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libmp.so.2...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/platform/SUNW,Sun-Fire-880/lib/libc_psr.so.1...done.
Loaded symbols for /usr/platform/SUNW,Sun-Fire-880/lib/libc_psr.so.1
Reading symbols from /usr/lib/nss_files.so.1...done.
Loaded symbols for /usr/lib/nss_files.so.1
Reading symbols from /usr/lib/nss_winbind.so.1...done.
Loaded symbols for /usr/lib/nss_winbind.so.1
Retry #1:
Retry #2:
Retry #3:
Retry #4:
[New LWP 1]
Symbols already loaded for /usr/lib/libsec.so.1
Symbols already loaded for /usr/lib/libgen.so.1
Symbols already loaded for /usr/lib/libresolv.so.2
Symbols already loaded for /usr/lib/libsocket.so.1
Symbols already loaded for /usr/lib/libnsl.so.1
Symbols already loaded for /usr/lib/libpam.so.1
Symbols already loaded for /usr/lib/libc.so.1
Symbols already loaded for /usr/lib/libdl.so.1
Symbols already loaded for /usr/lib/libmp.so.2
Symbols already loaded for /usr/platform/SUNW,Sun-Fire-880/lib/libc_psr.so.1
Symbols already loaded for /usr/lib/nss_files.so.1
Symbols already loaded for /usr/lib/nss_winbind.so.1
0xff19a138 in _poll () from /usr/lib/libc.so.1
(gdb) step
Single stepping until exit from function _poll,
which has no line number information.
0xff14cfb4 in select () from /usr/lib/libc.so.1
(gdb) next
Single stepping until exit from function select,
which has no line number information.
0x14aafc in sys_select ()
(gdb) step
Single stepping until exit from function sys_select,
which has no line number information.
0x73004 in receive_message_or_smb ()
(gdb) step
Single stepping until exit from function receive_message_or_smb,
which has no line number information.
0x74610 in smbd_process ()
(gdb) step
Single stepping until exit from function smbd_process,
which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
0xff132e84 in strcmp () from /usr/lib/libc.so.1
(gdb) bt
#0 0xff132e84 in strcmp () from /usr/lib/libc.so.1
#1 0xff194efc in process_cstr () from /usr/lib/libc.so.1
#2 0xfefe20c0 in _nss_files_do_all () from /usr/lib/nss_files.so.1
#3 0xff149290 in nss_search () from /usr/lib/libc.so.1
#4 0xff194bf8 in _getgroupsbymember () from /usr/lib/libc.so.1
#5 0xff140c20 in initgroups () from /usr/lib/libc.so.1
#6 0x6b5d8 in initialise_groups ()
#7 0x75a4c in make_connection_snum ()
#8 0x76874 in make_connection ()
#9 0x4f16c in reply_tcon_and_X ()
#10 0x73854 in switch_message ()
#11 0x738e0 in construct_reply ()
#12 0x73bc0 in process_smb ()
#13 0x7462c in smbd_process ()
#14 0x357c8 in main ()
(gdb)

---Original Message-
From: Esh, Andrew [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 11:10 AM
To: 'David Shapiro'; 'Andrew Bartlett'
Cc: 'Richard Sharpe'; '[EMAIL PROTECTED]'
Subject: RE: sessionid.tdb missing after build and client read failure

Don't step at that point. The process has already run the CPU into the wrong segment, or accessed memory using a bad pointer. Stepping will only destroy information. Do a 'bt' instead. That will dump the call stack, and show what path the code ran to get to this point.

What I expect to see is somewhere above the strcmp routine, a Samba routine will call strcmp with a bad pointer, or a non-terminated string buffer. We need to know which routine did that.

-----Original Message-
From: David Shapiro [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 9:17 A
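The triage step Andrew Esh describes (read the `bt` output and find which smbd routine made the call that ended in strcmp) can be automated. The following is an added example, not code from the thread or from the Samba project; it assumes a binary without line-number information, as in this session, where gdb marks shared-library frames with "from <library>" and leaves frames of the main executable unmarked. The function names parse_frames and triage are hypothetical.

```python
import re

# Backtrace frames as posted in the message above (gdb 5.0, Solaris 8).
BACKTRACE = """\
#0 0xff132e84 in strcmp () from /usr/lib/libc.so.1
#1 0xff194efc in process_cstr () from /usr/lib/libc.so.1
#2 0xfefe20c0 in _nss_files_do_all () from /usr/lib/nss_files.so.1
#3 0xff149290 in nss_search () from /usr/lib/libc.so.1
#4 0xff194bf8 in _getgroupsbymember () from /usr/lib/libc.so.1
#5 0xff140c20 in initgroups () from /usr/lib/libc.so.1
#6 0x6b5d8 in initialise_groups ()
#7 0x75a4c in make_connection_snum ()
#8 0x76874 in make_connection ()
#9 0x4f16c in reply_tcon_and_X ()
#10 0x73854 in switch_message ()
#11 0x738e0 in construct_reply ()
#12 0x73bc0 in process_smb ()
#13 0x7462c in smbd_process ()
#14 0x357c8 in main ()
"""

# "#N [0xPC in] func (args) [from lib] [at file:line]"
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:(?P<pc>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>[^\s(]+)\s*\(.*?\)"
    r"(?:\s+from\s+(?P<lib>\S+))?(?:\s+at\s+(?P<src>\S+))?\s*$"
)


def parse_frames(text):
    """Parse gdb 'bt' output into a list of frame dicts, innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frame = m.groupdict()
            frame["idx"] = int(frame["idx"])
            frames.append(frame)
    return frames


def triage(frames):
    """Return (faulting frame, first application frame, library call path).

    Assumption: a frame with no 'from <lib>' suffix belongs to the main
    executable. With full debug info gdb prints 'at file:line' for library
    frames too, so this heuristic only fits traces like the one above.
    """
    if not frames:
        raise ValueError("no frames parsed")
    app = next((f for f in frames if f["lib"] is None), None)
    lib_path = [f["func"] for f in frames
                if app is None or f["idx"] < app["idx"]]
    return frames[0], app, lib_path


if __name__ == "__main__":
    fault, app, path = triage(parse_frames(BACKTRACE))
    print("fault in:", fault["func"], "from", fault["lib"])
    print("first application frame:", app["func"], "(frame #%d)" % app["idx"])
    print("library path below it:", " <- ".join(path))
```

For this backtrace it reports initialise_groups (frame #6) as the first smbd frame, with the fault reached through initgroups and the nss_files group lookup inside the system libraries.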
sessionid.tdb missing after build and client read failure
Hello,

The latest samba head as of 6/30/02 seems to not provide sessionid.tdb and gives me the following errors:

I see this information in the log:

6/28 16:35:59, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(91)
  secret is good
[2002/06/28 16:35:59, 5] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(100)
  Checking the trust account password returned NT_STATUS_OK
[2002/06/28 16:35:59, 10] nsswitch/winbindd.c:client_write(456)
  client_write: wrote 1300 bytes.
[2002/06/28 16:35:59, 10] nsswitch/winbindd.c:winbind_client_read(408)
  client_read: read 0 bytes. Need 1304 more for a full request.
[2002/06/28 16:35:59, 5] nsswitch/winbindd.c:winbind_client_read(415)
  read failed on sock 13, pid 1002: EOF

It is a little confusing. It says secret is good in the log, but it has some error about not reading enough bytes and a sock 13 error.

In addition, which may be related to the above, it looks for davidsha instead of INS+DavidSha even though smb.conf has it set to not have the server in INS by default.

David E. Shapiro
Senior Unix Admin
BTi - the future of communications
4300 Six Forks Road, Raleigh, NC 27609
RE: sessionid.tdb missing after build and client read failure
Thanks. Any idea on why wbinfo -t fails? Is it related to sessionid.tdb missing? How do I get this file? I did remove myself from INS domain and rejoined again.

David

-Original Message-
From: Richard Sharpe [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 12:08 PM
To: David Shapiro
Cc: '[EMAIL PROTECTED]'
Subject: Re: sessionid.tdb missing after build and client read failure

On Mon, 1 Jul 2002, David Shapiro wrote:

Hello,

The latest samba head as of 6/30/02 seems to not provide sessionid.tdb and gives me the following errors:

I see this information in the log:

6/28 16:35:59, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(91)
  secret is good
[2002/06/28 16:35:59, 5] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(100)
  Checking the trust account password returned NT_STATUS_OK
[2002/06/28 16:35:59, 10] nsswitch/winbindd.c:client_write(456)
  client_write: wrote 1300 bytes.
[2002/06/28 16:35:59, 10] nsswitch/winbindd.c:winbind_client_read(408)
  client_read: read 0 bytes. Need 1304 more for a full request.
[2002/06/28 16:35:59, 5] nsswitch/winbindd.c:winbind_client_read(415)
  read failed on sock 13, pid 1002: EOF

It is a little confusing. It says secret is good in the log, but it has some error about not reading enough bytes and a sock 13 error.

This just means that the client of winbindd closed the socket/whatever and stopped talking to winbindd.

In addition, which may be related to the above, it looks for davidsha instead of INS+DavidSha even though smb.conf has it set to not have the server in INS by default.

David E. Shapiro
Senior Unix Admin
BTi - the future of communications
4300 Six Forks Road, Raleigh, NC 27609

--
Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]