[Samba] winbind configuration
Hi,

OS: CentOS 6.3
Samba: 3.5.10-125.el6
winbindd: 3.5.10-125.el6

I have a standalone server with the above. I would like my Windows 7 users to have access to the shares but not have to create local accounts for them. I'm assuming winbindd does this for me.

So far the samba set-up appears to work. I have joined the ADS domain. I can use wbinfo to authenticate users.

    wbinfo -a auser%321
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

I followed the instructions at https://wiki.samba.org/index.php/Samba__Active_Directory which has the winbind separator as '+'. When I tested the logging in I notice this in my samba logs:

    [2012/12/06 12:12:39.91, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
      Username MYDOMAIN+AUSER is invalid on this system

When I changed the separator to '\', it worked. I guess the question is, is there a problem with setting the separator as back-slash. I do see errors in testparm but it appears to be the only way to enable login.

    winbind separator = '\'
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes

Thanks,
Dermot

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

[Samba] Adding to Samba domain requires super-user password
Hi,

Suddenly when I add a new workstation to our Samba3 (LDAP backend) domain, I have to give the root username and password. When I set-up the samba3 domain initially, I could use domain\admin user and their password but that has started to give me unknown user or bad password. This last error is from a Windows7 machine I am currently trying to add. I have merged the registry fix from https://bugzilla.samba.org/attachment.cgi?id=4988&action=view.

Can someone offer me any pointers on how I can use a domain\admin username and password to add workstations to the domain?

Thanks in advance.
Dermot.

Re: [Samba] Samba PDC with Windows 7 support request
2012/1/31 Jiří Procházka jiri.procha...@norbou.com:
> Dear Samba support team,
>
> I have a question on Samba 3.5.8 please, which is not solved by searching the forums. I tried all suggested solutions, but nothing takes effect.
> ...
> Domain users experience a slow login performance on Windows 7 clients that are joined into a samba domain (Samba version 3.5.4). The Windows 7 client was joined successfully into the domain with the Windows 7 registry settings adjusted according to http://wiki.samba.org/index.php/Windows7 (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
> ...

I have had similar problems. I was referred to the message in the mailing list archive [1]. I have applied what was described - used gpedit.msc - but I am still experiencing slow login times, exactly 40 seconds on each workstation.

I just checked on one workstation where the user had a jpeg as his desktop background, I mention this because there are references to a Windows 7 bug about slow login and a plain desktop, and that has the correct group policy setting and still the login time was exactly 40 seconds.

I too would be interested in hearing what others have to say on this.

Thanks,
Dermot.

1) http://www.mail-archive.com/samba@lists.samba.org/msg104494.html

[Samba] Incorrect domain SID when creating new users
Hi,

I created a new user on our Samba domain master yesterday but the user was unable to login from WinXP to the domain. I think they got an error that a device connected to the system wasn't working. The user was created using smbldap-useradd. The logs showed this for the user workstation:

    _netr_LogonSamLogon: user FOO\efields has user sid S-1-5-21-908662176-1457135431-1537874043-3288
    but group sid S-1-5-21-1979685110-1467996072-351907979-513.
    The conflicting domain portions are not supported for NETLOGON calls

I used the phpadmin interface to change the domain part of the SID so it matched the domain and the user was able to login.

The question is where do I set the domain SID? I remember doing it at some stage when I set-up the samba domain but I have forgotten. Can someone point me in the right direction. Sorry for the lazy post, I'm sure if I did some more digging I'd find it documented somewhere.

Thanks in advance,
Dermot.

Re: [Samba] Incorrect domain SID when creating new users
On 8 February 2012 10:18, Miguel Medalha miguelmeda...@sapo.pt wrote:
>> (...) The question is where do I set the domain SID? I remember doing it at some stage when I set-up the samba domain but I have forgotten.
>
> The SID number is configured in /etc/smbldap-tools/smbldap.conf
>
> smbldap-tools comes with a script to assist in the basic configuration of the tools. It's called configure.pl in most versions but the name was recently changed to smbldap-config.pl

Thanks for the reply. I can't recall running configure.pl. Before I cause myself any harm, I thought I should check with the list.

The smbldap.conf says to run `net getlocalsid` to obtain the SID for the config. When I do that I get a different SID from what I was expecting. I would have expected the domain part of the local machine SID to match the domain's SID but they do not (see below) and I would have expected the local machine SID to match what is in the smbldap.conf.

    net getdomainsid
    SID for local machine PDC is: S-1-5-21-597566789-4152996160-2957772391
    SID for domain FOO is: S-1-5-21-1979685110-1467996072-351907979

    grep SID /etc/smbldap-tools/smbldap.conf
    #SID=S-1-5-21-2252255531-4061614174-2474224977
    SID=S-1-5-21-900663976-1457140431-1537874043

When I create a new user, the user gets a primary group SID that looks like S-1-5-21-1979685110-1467996072-351907979-513 and a SambaSID that reads: S-1-5-21-900663976-1457140431-1537874043-3290

So I need to change the way the domain part of the primary group SID is defined and possibly edit the smbldap.conf so that the SID uses the domain SID. Does that sound correct? If so, how can I modify the primary group SID?

Thanks again,
Dermot.

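The mismatch discussed in this thread can be checked mechanically before users hit the NETLOGON rejection. The following is an added example, not part of the original posts or of smbldap-tools: it compares the domain portion of each account's sambaSID and sambaPrimaryGroupSID with the domain SID that `net getdomainsid` reports. The LDIF entries, user names and DNs are constructed; the SID values and the log line are the ones quoted in the thread.

```python
import re

# Domain SID as reported by `net getdomainsid` in the post above.
DOMAIN_SID = "S-1-5-21-1979685110-1467996072-351907979"

# Constructed LDIF: "newuser" carries the SIDs quoted in the post,
# "olduser" is a made-up entry that is consistent with the domain.
SAMPLE_LDIF = """\
dn: uid=newuser,ou=Users,dc=example,dc=com
uid: newuser
sambaSID: S-1-5-21-900663976-1457140431-1537874043-3290
sambaPrimaryGroupSID: S-1-5-21-1979685110-1467996072-351907979-513

dn: uid=olduser,ou=Users,dc=example,dc=com
uid: olduser
sambaSID: S-1-5-21-1979685110-1467996072-351907979-3001
sambaPrimaryGroupSID: S-1-5-21-1979685110-1467996072-351907979-513
"""

# Log message quoted in the first post of the thread.
LOG_LINE = (r"_netr_LogonSamLogon: user FOO\efields has user sid "
            "S-1-5-21-908662176-1457135431-1537874043-3288 but group sid "
            "S-1-5-21-1979685110-1467996072-351907979-513. The conflicting "
            "domain portions are not supported for NETLOGON calls")

NETLOGON_RE = re.compile(
    r"user (\S+) has user sid (S-[\d-]+) but group sid (S-[\d-]+)")


def split_sid(sid):
    """Return (domain_sid, rid) for 'S-1-5-21-X-Y-Z[-RID]'; rid is None for a bare domain SID."""
    parts = sid.strip().split("-")
    if (len(parts) not in (7, 8) or parts[:4] != ["S", "1", "5", "21"]
            or not all(p.isdigit() for p in parts[4:])):
        raise ValueError("not an NT domain SID: %r" % sid)
    rid = int(parts[7]) if len(parts) == 8 else None
    return "-".join(parts[:7]), rid


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, first value of each
    attribute wins. Base64 values and folded lines are not handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), value.strip())
        if entry:
            entries.append(entry)
    return entries


def audit(entries, domain_sid):
    """List (uid, attribute, domain part found) for every SID outside the domain."""
    expected, rid = split_sid(domain_sid)
    if rid is not None:
        raise ValueError("expected a bare domain SID without a RID")
    findings = []
    for entry in entries:
        for attr in ("sambasid", "sambaprimarygroupsid"):
            if attr not in entry:
                continue
            try:
                found, _ = split_sid(entry[attr])
            except ValueError:
                findings.append((entry.get("uid", "?"), attr, "malformed"))
                continue
            if found != expected:
                findings.append((entry.get("uid", "?"), attr, found))
    return findings


def conflict_from_log(line):
    """Pull both SIDs out of the _netr_LogonSamLogon message and compare domains."""
    m = NETLOGON_RE.search(line)
    if not m:
        return None
    user_domain, _ = split_sid(m.group(2))
    group_domain, _ = split_sid(m.group(3))
    return {"user": m.group(1), "user_domain": user_domain,
            "group_domain": group_domain,
            "conflict": user_domain != group_domain}


if __name__ == "__main__":
    for uid, attr, found in audit(parse_ldif(SAMPLE_LDIF), DOMAIN_SID):
        print("%s: %s has domain part %s, expected %s" % (uid, attr, found, DOMAIN_SID))
    print(conflict_from_log(LOG_LINE))
```
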
[Samba] nmblookup failures
Hi,

I have a strange problem with a domain member server. The Samba3 domain master/wins server can not lookup the host. Workstations that are trying to connect to the server appear to be having trouble finding it (network path not found).

    nmblookup problemserver
    querying problemserver on 192.168.0.255
    name_query failed to find name problemserver

    rigel:/var/lib/samba# nmblookup otherserver
    querying otherserver on 192.168.0.255
    192.168.0.152 otherserver00

To get around the problem, I have manually added the server into /var/lib/samba/wins.dat. I am having to add it every day.

Does anyone have any advice as to what the problem might be or where to begin chasing it down.

Thanks,
Dermot.

Re: [Samba] Slow login to Samba domain
On 21 November 2011 08:35, steve st...@steve-ss.com wrote:
> On 15/11/11 17:22, Marc Cain wrote:
>
> Sorry, but I can't follow this method (I'm not a windows admin). Where on win 7 do I find:
> Computer Configuration\Administrative Templates\System\User Profiles\Set maximum wait time for the network if the user has a roaming user profile or remote home directory.

You need to run `gpedit.msc`. It's the group policy editor for Windows. I suspect you will need admin rights to the local machine to run gpedit.

HTH,

Re: [Samba] Slow login to Samba domain
2011/11/16 Allen Chen ac...@harbourfrontcentre.com:
> Dermot wrote:
>
> try to set this one to 0:
> \\Computer Configuration\Administrative Templates\All settings\Set maximum wait time for the network if a user has a roaming user profile

It seems to have worked and the users have local profiles.

Dp.

Re: [Samba] Slow login to Samba domain
2011/11/15 Vladimir Vladimirov mckee...@gmail.com:
> gpedit.msc
> Computer Configuration - Administrative Templates - System - User Profiles - Set maximum wait time for the network if the user has a roaming profile or remote home directory
> Or
> Computer Configuration \ Administrative Templates \ System \ User Profiles \ Set maximum wait time for the network if the user has a roaming user profile or remote home directory
> 19.3. Enable the policy and change the value to 0 seconds
> That's all. The same profile loaded in 4 seconds

Sorry for the delay in replying. This does seem to work. I've tried it on two machines and they are logging in much, much quicker.

Thank you all.
Dermot

[Samba] Slow login to Samba domain
Hi,

I have noticed that the Windows 7 machines that I have recently installed and joined to our domain take about 40 seconds on average to go from sign in to the desktop displaying. I can't find any explanation for the delay. When the machines are in a work group they login very quickly and the XP machines login at a normal rate. I have searched and not found any articles that are relevant.

Does anyone else experience this? Does anyone have any tips on how to work out what Windows 7 is doing during this time?

Thanks in advance,
Dermot

Re: [Samba] Adding a machine account
On 13 October 2011 08:47, Luca Olivetti l...@wetron.es wrote:
> On 12/10/2011 13:33, Dermot wrote:
>> Hi, I migrated from an MS NT Domain to a samba3 domain some time back. I forgot about a couple of machines and am trying to add them. These are Buffalo NAS workstations so are basically *nix machines with a web interface.
>
> Most probably the web interface only allows to join an AD domain (at least that's what happens to a Lacie network drive, I suppose Buffalo does the same). Even obtaining shell access and manually configuring samba to join the domain wouldn't work (the stock firmware would rewrite the configuration at every boot), so the only option is to replace the stock firmware with a normal Linux distribution (usually debian), provided there's one available for your model and you can find instruction on how to do it (e.g. at nas-central.org).
> If you don't know what you're doing, don't do it, not only will you void your warranty, you can also lose all of the data in it.

I have two buffalos. The newer one's interface (TS-XL/R5) provides fields for giving a Domain Admin username and password. I had no trouble adding that to the domain. The older model doesn't provide those fields so I have to try and add them on the samba PDC. It has options for Workgroup, NT Domain and ADS.

I know you can hack Buffalo's with acp_commander. I've telneted into the terastation and modified the /etc/samba/smb.conf and changed workgroup to my new domain and security to domain. There is a net binary so I did `net rpc join -S SAMBAPDC`. It says I've joined the domain successfully but the web interface still says I'm in a workgroup (I left the old domain). I know that everything will revert back to once I reboot but I'll have to settle for this for now.

What would have been useful, would be to have worked out if there was anything on the sambaPDC that could have corrected this error:

    _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
    Rejecting auth request from client FOOBAR machine account

Thanks,
Dermot

[Samba] Adding a machine account
Hi,

I migrated from an MS NT Domain to a samba3 domain some time back. I forgot about a couple of machines and am trying to add them. These are Buffalo NAS workstations so are basically *nix machines with a web interface. I have not had to add any machines to the domain from the samba PDC before.

This is what I've done. I tried to add the machine using its web interface but it failed and I noticed these errors in the sambaPDC logs:

    [2011/10/12 10:28:49.106714, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
      get_md4pw: Workstation FOOBAR$: no account in domain
    [2011/10/12 10:28:49.106886, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate2: failed to get machine password for account FOOBAR$: NT_STATUS_ACCESS_DENIED
    [2011/10/12 10:28:49.118230, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
      get_md4pw: Workstation FOOBAR$: no account in domain
    [2011/10/12 10:28:49.118312, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate2: failed to get machine password for account FOOBAR$: NT_STATUS_ACCESS_DENIED

The machine didn't seem to be in the ldap backend. So I added it with `smbldap-useradd -w foobar`. I then went back to the user interface and tried again. I got the same error. I tried `pdbedit -Lv | grep -i foobar` and got Username not found!. I'm not sure if smbldap tool is not working but I did `pdbedit -a -m FOOBAR$`. I tried to get FOOBAR (not real name) to join again and this time got this error:

    [2011/10/12 11:06:20.745128, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client LEDA machine account LEDA$
    [2011/10/12 11:06:20.753498, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client LEDA machine account LEDA$

I'm a little lost now. I wouldn't mind if someone can explain or confirm if I should do smbldap-useradd and pdbedit to add an account (machine or otherwise) but I'd really appreciate some help resolving this authentication problem.

Thanks in advance,
Dermot.

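The three NETLOGON messages quoted in this post mark different stages of a failed machine-account authentication, so it helps to count them per account when reading a PDC log. The following is an added example, not part of the original post or of Samba: a small parser for the two-line record layout of the Samba 3.x log, run over the excerpts quoted above. The category names and the threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Log excerpts from the post, laid out as header line plus message line.
SAMPLE_LOG = """\
[2011/10/12 10:28:49.106714, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation FOOBAR$: no account in domain
[2011/10/12 10:28:49.106886, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate2: failed to get machine password for account FOOBAR$: NT_STATUS_ACCESS_DENIED
[2011/10/12 10:28:49.118230, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation FOOBAR$: no account in domain
[2011/10/12 10:28:49.118312, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate2: failed to get machine password for account FOOBAR$: NT_STATUS_ACCESS_DENIED
[2011/10/12 11:06:20.745128, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
  Rejecting auth request from client LEDA machine account LEDA$
[2011/10/12 11:06:20.753498, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client LEDA machine account LEDA$
"""

# Header of a record: "[date time, level] file.c:line(function)". Group 1 is the timestamp.
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*\d+\]\s+\S+:\d+\(\w+\)\s*$")

# Category names are illustrative; group 1 of each pattern is the machine account.
PATTERNS = {
    # The PDC has no passdb entry for the workstation at all.
    "no_account": re.compile(
        r"get_md4pw: Workstation (\S+?): no account in domain"),
    "no_machine_password": re.compile(
        r"failed to get machine password for account (\S+?): NT_STATUS_\w+"),
    # An entry exists, but the client's credentials do not match it.
    "creds_check_failed": re.compile(
        r"netlogon_creds_server_check failed\. Rejecting auth request "
        r"from client \S+ machine account (\S+)"),
}


def records(text):
    """Yield (timestamp, message), joining the continuation lines of each record."""
    ts, msg = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(msg)
            ts, msg = m.group(1), []
        elif ts is not None and line:
            msg.append(line)
    if ts is not None:
        yield ts, " ".join(msg)


def summarize(text):
    """Per machine account: event counts by category, first and last timestamp."""
    summary = defaultdict(
        lambda: {"first": None, "last": None, "events": defaultdict(int)})
    for ts, msg in records(text):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(msg)
            if not m:
                continue
            entry = summary[m.group(1).upper()]
            entry["events"][kind] += 1
            entry["first"] = entry["first"] or ts
            entry["last"] = ts
    return summary


def rejected_accounts(summary, threshold=2):
    """Accounts whose credentials were rejected at least `threshold` times."""
    return sorted(acct for acct, entry in summary.items()
                  if entry["events"]["creds_check_failed"] >= threshold)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for acct in sorted(result):
        print(acct, dict(result[acct]["events"]),
              result[acct]["first"], result[acct]["last"])
    print("repeated credential rejections:", rejected_accounts(result))
```
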
Re: [Samba] window, samba and ldap passwords
>> remove : unix password sync = Yes
>> and try again.
>
> I would like to avoid using smbldap-tools, did you manage to get it working without it?
>
> Kind regards,
> - --
> Felipe Augusto van de Wiel felipe.w...@complexopequenoprincipe.org.br

The solution to that problem was to remove the unix password sync.

As for user management tools, I got the srvtools from http://support.microsoft.com/kb/173673

I take a look at LAM (http://www.ldap-account-manager.org/) and some of the other options listed here http://wiki.samba.org/index.php/Account_Management_Tools but I haven't really fired any in anger yet.

HTH,
Dermot.

[Samba] window, samba and ldap passwords
Hi,

I recently migrated to a Samba3x domain. One issue that has been reported to me is that XP users cannot change their password from their PC. I have done some searching and I haven't seen a straight forward answer to this. My config is

    ldap primary + Samba PDC on host A
    ldap slave + samba BDC on host B

I see this error in the machine log when someone attempts to change their password:

    2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
      smb_pam_passchange: PAM: Password Change Failed for user kreuze!
    [2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
      PAM: UNKNOWN PAM ERROR (8) for User: kreuze
    [2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
      smb_pam_passchange: PAM: Password Change Failed for user kreuze!
    [2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
      PAM: UNKNOWN PAM ERROR (8) for User: kreuze
    [2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
      smb_pam_passchange: PAM: Password Change Failed for user kreuze!

I have seen this article: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199 but I am not sure if it's appropriate for my environment. I suspect the answer to this may be very dependent on my config.

Can anyone offer any advice?

Thanks in advance.
Dermot.

=== smb.conf on PDC ===

    dos charset = UTF-8
    display charset = UTF-8
    workgroup = FOO
    server string = %h server
    map to guest = Bad User
    passdb backend = ldapsam:ldap://127.0.0.1/
    pam password change = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    unix password sync = Yes
    log level = 1
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    smb ports = 139 445
    name resolve order = wins hosts bcast
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    add user script = /usr/sbin/smbldap-useradd -m %u
    delete user script = /usr/sbin/smbldap-userdel '%u'
    delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u
    add machine script = /usr/sbin/smbldap-useradd -w %u
    logon script = logon.bat
    logon path =
    logon drive = U:
    logon home =
    domain logons = Yes
    os level = 65
    preferred master = Auto
    domain master = Yes
    dns proxy = No
    ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
    ldap delete dn = Yes
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=Computers, ou=Users
    ldap passwd sync = yes
    ldap suffix = dc=mydomain,dc=co,dc=uk
    ldap ssl = no
    ldap timeout = 20
    ldap user suffix = ou=Users
    panic action = /usr/share/samba/panic-action %d
    idmap backend = ldap:ldap://127.0.0.1/;
    idmap uid = 15000-2
    idmap gid = 15000-2
    map acl inherit = Yes
    case sensitive = No
    hide unreadable = Yes

Re: [Samba] window, samba and ldap passwords
I have a stanza like this in the slapd.conf on the ldap master.

    # users can authenticate and change their password
    access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
        by self write
        by anonymous auth
        by * none

I have a lot of debug messages from ldap going into the logs but I can't see any errors. I can't see any attempt at a password change in the log. I know that the ldap password had not changed either.

What do you mean by dynamically configured ldap?

Thanks,
Dp.

On 16 August 2011 11:51, J. Echter j.ech...@elektro-mayer-echter.de wrote:
> On 16.08.2011 12:48, Dermot wrote:
>> Hi,
>>
>> I recently migrated to a Samba3x domain. One issue that has been reported to me is that XP users cannot change their password from their PC. I have done some searching and I haven't seen a straight forward answer to this. My config is
>>
>> ldap primary + Samba PDC on host A
>> ldap slave + samba BDC on host B
>>
>> I see this error in the machine log when someone attempts to change their password:
>>
>> 2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>> [2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
>>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>> [2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>> [2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
>>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>> [2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>
>> I have seen this article: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199 but I am not sure if it's appropriate for my environment. I suspect the answer to this may be very dependent on my config.
>>
>> Can anyone offer any advice?
>>
>> Thanks in advance.
>> Dermot.
>>
>> === smb.conf on PDC ===
>> dos charset = UTF-8
>> display charset = UTF-8
>> workgroup = FOO
>> server string = %h server
>> map to guest = Bad User
>> passdb backend = ldapsam:ldap://127.0.0.1/
>> pam password change = Yes
>> passwd program = /usr/sbin/smbldap-passwd -u %u
>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>> unix password sync = Yes
>> log level = 1
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> smb ports = 139 445
>> name resolve order = wins hosts bcast
>> time server = Yes
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> load printers = No
>> add user script = /usr/sbin/smbldap-useradd -m %u
>> delete user script = /usr/sbin/smbldap-userdel '%u'
>> delete group script = /usr/sbin/smbldap-groupdel %g
>> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>> add machine script = /usr/sbin/smbldap-useradd -w %u
>> logon script = logon.bat
>> logon path =
>> logon drive = U:
>> logon home =
>> domain logons = Yes
>> os level = 65
>> preferred master = Auto
>> domain master = Yes
>> dns proxy = No
>> ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
>> ldap delete dn = Yes
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=idmap
>> ldap machine suffix = ou=Computers, ou=Users
>> ldap passwd sync = yes
>> ldap suffix = dc=mydomain,dc=co,dc=uk
>> ldap ssl = no
>> ldap timeout = 20
>> ldap user suffix = ou=Users
>> panic action = /usr/share/samba/panic-action %d
>> idmap backend = ldap:ldap://127.0.0.1/;
>> idmap uid = 15000-2
>> idmap gid = 15000-2
>> map acl inherit = Yes
>> case sensitive = No
>> hide unreadable = Yes
>
> Hi,
>
> afaik, you have to authenticate users to change NTpasswd and stuff like that.
>
> i have seen this example for slapd.conf
>
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>     by dn=cn=admin,dc=meinnetz,dc=xx write
>     by anonymous auth
>     by self write
>     by * none
>
> but i don't know how to add it to dynamically configured ldap.
>
> cheers
> juergen

Re: [Samba] window, samba and ldap passwords
The master is a xenamd64 debian 5.0.6
samba is Version 3.5.6
ldap is 2.4.11 (installed via apt)

Dp.

On 16 August 2011 12:13, J. Echter j.ech...@elektro-mayer-echter.de wrote:
> On 16.08.2011 13:06, Dermot wrote:
>> I have a stanza like this in the slapd.conf on the ldap master.
>>
>> # users can authenticate and change their password
>> access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
>>     by self write
>>     by anonymous auth
>>     by * none
>>
>> I have a lot of debug messages from ldap going into the logs but I can't see any errors. I can't see any attempt at a password change in the log. I know that the ldap password had not changed either.
>>
>> What do you mean by dynamically configured ldap?
>>
>> Thanks,
>> Dp.
>>
>> On 16 August 2011 11:51, J. Echter j.ech...@elektro-mayer-echter.de wrote:
>>> On 16.08.2011 12:48, Dermot wrote:
>>>> Hi,
>>>>
>>>> I recently migrated to a Samba3x domain. One issue that has been reported to me is that XP users cannot change their password from their PC. I have done some searching and I haven't seen a straight forward answer to this. My config is
>>>>
>>>> ldap primary + Samba PDC on host A
>>>> ldap slave + samba BDC on host B
>>>>
>>>> I see this error in the machine log when someone attempts to change their password:
>>>>
>>>> 2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>> [2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
>>>>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>>>> [2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>> [2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
>>>>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
>>>> [2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
>>>>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>>>>
>>>> I have seen this article: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199 but I am not sure if it's appropriate for my environment. I suspect the answer to this may be very dependent on my config.
>>>>
>>>> Can anyone offer any advice?
>>>>
>>>> Thanks in advance.
>>>> Dermot.
>>>>
>>>> === smb.conf on PDC ===
>>>> dos charset = UTF-8
>>>> display charset = UTF-8
>>>> workgroup = FOO
>>>> server string = %h server
>>>> map to guest = Bad User
>>>> passdb backend = ldapsam:ldap://127.0.0.1/
>>>> pam password change = Yes
>>>> passwd program = /usr/sbin/smbldap-passwd -u %u
>>>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>>>> unix password sync = Yes
>>>> log level = 1
>>>> syslog = 0
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>> smb ports = 139 445
>>>> name resolve order = wins hosts bcast
>>>> time server = Yes
>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>> load printers = No
>>>> add user script = /usr/sbin/smbldap-useradd -m %u
>>>> delete user script = /usr/sbin/smbldap-userdel '%u'
>>>> delete group script = /usr/sbin/smbldap-groupdel %g
>>>> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>>>> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>>>> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>>>> add machine script = /usr/sbin/smbldap-useradd -w %u
>>>> logon script = logon.bat
>>>> logon path =
>>>> logon drive = U:
>>>> logon home =
>>>> domain logons = Yes
>>>> os level = 65
>>>> preferred master = Auto
>>>> domain master = Yes
>>>> dns proxy = No
>>>> ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
>>>> ldap delete dn = Yes
>>>> ldap group suffix = ou=Groups
>>>> ldap idmap suffix = ou=idmap
>>>> ldap machine suffix = ou=Computers, ou=Users
>>>> ldap passwd sync = yes
>>>> ldap suffix = dc=mydomain,dc=co,dc=uk
>>>> ldap ssl = no
>>>> ldap timeout = 20
>>>> ldap user suffix = ou=Users
>>>> panic action = /usr/share/samba/panic-action %d
>>>> idmap backend = ldap:ldap://127.0.0.1/;
>>>> idmap uid = 15000-2
>>>> idmap gid = 15000-2
>>>> map acl inherit = Yes
>>>> case sensitive = No
>>>> hide unreadable = Yes
>>>
>>> Hi,
>>>
>>> afaik, you have to authenticate users to change NTpasswd and stuff like that.
>>>
>>> i have seen this example for slapd.conf
>>>
>>> # The userPassword by default can be changed
>>> # by the entry owning it if they are authenticated.
>>> # Others should not be able to see it, except the
>>> # admin entry below
>>> # These access lines apply to database #1 only
>>> access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>>>     by dn=cn=admin,dc=meinnetz,dc=xx write
>>>     by anonymous auth
>>>     by self write
>>>     by * none
>>>
>>> but i don't know how to add it to dynamically configured ldap.
>>>
>>> cheers
>>> juergen

Re: [Samba] window, samba and ldap passwords
Thank you very much. That has fixed it. Brilliant.

Dp.

On 16 August 2011 12:40, L.P.H. van Belle be...@bazuin.nl wrote:
> Hai,
>
> on your master, in smb.conf change these settings.
> ( im also running debian with pdc/bdc ldap master and multiple slaves through syncrepl )
>
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>
> remove : unix password sync = Yes
> and try again.
>
> Louis
>
> -Original message-
> From: paik...@googlemail.com [mailto:samba-boun...@lists.samba.org] On behalf of Dermot
> Sent: 2011-08-16 12:48
> To: samba@lists.samba.org
> Subject: [Samba] window, samba and ldap passwords
>
> Hi,
>
> I recently migrated to a Samba3x domain. One issue that has been reported to me is that XP users cannot change their password from their PC. I have done some searching and I haven't seen a straight forward answer to this. My config is
>
> ldap primary + Samba PDC on host A
> ldap slave + samba BDC on host B
>
> I see this error in the machine log when someone attempts to change their password:
>
> 2011/08/16 10:04:11.137313, 0] auth/pampass.c:861(smb_pam_passchange)
>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
> [2011/08/16 10:04:11.200891, 0] auth/pampass.c:705(smb_pam_chauthtok)
>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
> [2011/08/16 10:04:11.201002, 0] auth/pampass.c:861(smb_pam_passchange)
>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
> [2011/08/16 10:04:11.215657, 0] auth/pampass.c:705(smb_pam_chauthtok)
>   PAM: UNKNOWN PAM ERROR (8) for User: kreuze
> [2011/08/16 10:04:11.215741, 0] auth/pampass.c:861(smb_pam_passchange)
>   smb_pam_passchange: PAM: Password Change Failed for user kreuze!
>
> I have seen this article: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199 but I am not sure if it's appropriate for my environment. I suspect the answer to this may be very dependent on my config.
>
> Can anyone offer any advice?
>
> Thanks in advance.
> Dermot.
>
> === smb.conf on PDC ===
> dos charset = UTF-8
> display charset = UTF-8
> workgroup = FOO
> server string = %h server
> map to guest = Bad User
> passdb backend = ldapsam:ldap://127.0.0.1/
> pam password change = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
> unix password sync = Yes
> log level = 1
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> smb ports = 139 445
> name resolve order = wins hosts bcast
> time server = Yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> add user script = /usr/sbin/smbldap-useradd -m %u
> delete user script = /usr/sbin/smbldap-userdel '%u'
> delete group script = /usr/sbin/smbldap-groupdel %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
> add machine script = /usr/sbin/smbldap-useradd -w %u
> logon script = logon.bat
> logon path =
> logon drive = U:
> logon home =
> domain logons = Yes
> os level = 65
> preferred master = Auto
> domain master = Yes
> dns proxy = No
> ldap admin dn = cn=admin,dc=mydomin,dc=co,dc=uk
> ldap delete dn = Yes
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=idmap
> ldap machine suffix = ou=Computers, ou=Users
> ldap passwd sync = yes
> ldap suffix = dc=mydomain,dc=co,dc=uk
> ldap ssl = no
> ldap timeout = 20
> ldap user suffix = ou=Users
> panic action = /usr/share/samba/panic-action %d
> idmap backend = ldap:ldap://127.0.0.1/;
> idmap uid = 15000-2
> idmap gid = 15000-2
> map acl inherit = Yes
> case sensitive = No
> hide unreadable = Yes

[Samba] [META] suggestions for managing users desktops
Hi,

Sorry if this is slightly OT. I have just moved from a Windows NT domain to a Samba3x PDC. What I'd really like now is some tools to help me manage users. Some of the things on my wish list are to be able to edit a remote registry (the user's profiles are local) and Remote desktop access so I do not have to run over to their desks every time there is a message they don't understand.

Does anyone have any suggestion on how to make user management a little simpler in my environment?

Thanks,
Dermot.

Re: [Samba] XP is unable to write to samba shares - Valid users?
Does user1 have a local account on the unix box? Dp.

On 15 August 2011 20:51, Jefferson Allen j.al...@mercuryfilmworks.com wrote:

I have a client with a linux server with samba installed and I've created users using the smbpasswd command (user1,user2,user3...) but when I go to the XP machines they can see the different shares but are unable to write to the folders or create additional folders based on their user1 and password. I want them to validate themselves to the linux server so that if their domain goes down they can still access their files on the samba file server but currently they cannot write to the folder based on the config so far.

Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section [DATA]
Processing section [USER]
Processing section [ADMIN]
Processing section [printers]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
workgroup = Office1
server string = Samba Server
log file = /var/log/samba/log.%m
max log size = 50
unix extensions = No
logon path = \\%N\%U\profile
logon home = \\%N\%U
domain master = No
cups options = raw

[SACA_DATA]
path = /mnt/DATA
valid users = user1, user2, user3, user4, user5, root
admin users = user1
read only = No
create mask = 0666
directory mask = 0777
guest ok = Yes

[SACA_USER]
path = /mnt/USER
valid users = user1, user2, user3, user4, user5, root
read only = No
create mask = 0666
directory mask = 0777
guest ok = Yes

[SACA_ADMIN]
path = /mnt/ADMIN
valid users = root, user4, user5, user1
admin users = user1
read only = No
create mask = 0666
directory mask = 0777
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Thank you, Jefferson
Re: [Samba] XP is unable to write to samba shares - Valid users?
And the permissions on the directory? Dp. On 15 August 2011 22:14, Jefferson Allen j.al...@mercuryfilmworks.com wrote: Yes. User1 has been created on the linux box and I used the same password for creating the user1 and when doing the smbpasswd for user1. Thank you, Jefferson
Re: [Samba] Moving Domains - profiles question
On 13 August 2011 05:43, TAKAHASHI Motonobu mo...@monyo.com wrote: From: Dermot paik...@googlemail.com Date: Fri, 12 Aug 2011 15:26:00 +0100 I'm throwing myself at it as I write. What I thought I'd do is copy all the profile except the user.dat. The old user.dat will be there so if there are problems I can retrieve it. Have you tried to use profiles command? It can change SIDs stored in user.dat. I saw this message a little too late but I did try it on one ntuser.dat but it gave me errors ending with a message about being unable to find the root key. It created a '.new' file but not one I could use. The biggest pain during this migration has been the Outlook profiles. I have had to re-create them on each machine. A profile tool would have saved me hours of work. I have seen this http://helgeklein.com/setacl but I am not sure if it might help. Thanks, Dermot.
Re: [Samba] Moving Domains - profiles question
Thanks Aaron, I throwing myself at it as I write. What I thought I'd do is copy all the profile except the user.dat. The old user.dat will be there so if there are problems I can retrieve it. fingers crossed. Dermot. On 12 August 2011 13:51, Aaron E. ssures...@gmail.com wrote: I'm gong to go out on a limb here and say the process will need tested on your end. In my experience what has worked for one site has not worked for another. It is all about getting the procedure right for your site. That being said the procedure you linked usually works pretty well when dealing with local profiles, I have found it doesn't work all that great with roaming profiles but, what does work well with roaming profiles? I usually clean out all the temp files/cookies and any items you can clean up before the transfer of profiles but that's just my preference.. On 08/11/2011 12:03 PM, Dermot wrote: Hi, I have an existing WinNT domain and, after some labour, a new Samba3x domain. I created the Samba domain with a different name because the WinNT domain name wasn't appropriate. I have about 40 users. Their accounts have been added to the new domain. I'm almost ready to shift everyone to the new domain but I am a bit concerned about the user's profiles. These are local profiles. I want this domain move to be transparent to the users so I need to copy or move the individual profiles. I've seen this procedure for copying a profile (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysdm_userprofile_copy.mspx?mfr=true) What I'm concerned about is if I move the profile wholesale into the new path, keys in the old user.dat might conflict with the new domain. Does anyone have any experience of this type of migration that can offer any advice? Thanks in advance, Dermot. 
Re: [Samba] Moving Domains - profiles question
Well the MS Outlook profiles didn't migrate smoothly. I am re-creating them but I suspect there is an easier way to move them. Thanks, Dermot. On 12 August 2011 15:26, Dermot paik...@googlemail.com wrote: Thanks Aaron, I throwing myself at it as I write. What I thought I'd do is copy all the profile except the user.dat. The old user.dat will be there so if there are problems I can retrieve it. fingers crossed. Dermot. On 12 August 2011 13:51, Aaron E. ssures...@gmail.com wrote: I'm gong to go out on a limb here and say the process will need tested on your end. In my experience what has worked for one site has not worked for another. It is all about getting the procedure right for your site. That being said the procedure you linked usually works pretty well when dealing with local profiles, I have found it doesn't work all that great with roaming profiles but, what does work well with roaming profiles? I usually clean out all the temp files/cookies and any items you can clean up before the transfer of profiles but that's just my preference.. On 08/11/2011 12:03 PM, Dermot wrote: Hi, I have an existing WinNT domain and, after some labour, a new Samba3x domain. I created the Samba domain with a different name because the WinNT domain name wasn't appropriate. I have about 40 users. Their accounts have been added to the new domain. I'm almost ready to shift everyone to the new domain but I am a bit concerned about the user's profiles. These are local profiles. I want this domain move to be transparent to the users so I need to copy or move the individual profiles. I've seen this procedure for copying a profile (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysdm_userprofile_copy.mspx?mfr=true) What I'm concerned about is if I move the profile wholesale into the new path, keys in the old user.dat might conflict with the new domain. Does anyone have any experience of this type of migration that can offer any advice? 
Thanks in advance, Dermot.
[Samba] Moving Domains - profiles question
Hi, I have an existing WinNT domain and, after some labour, a new Samba3x domain. I created the Samba domain with a different name because the WinNT domain name wasn't appropriate. I have about 40 users. Their accounts have been added to the new domain. I'm almost ready to shift everyone to the new domain but I am a bit concerned about the user's profiles. These are local profiles. I want this domain move to be transparent to the users so I need to copy or move the individual profiles. I've seen this procedure for copying a profile (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sysdm_userprofile_copy.mspx?mfr=true) What I'm concerned about is if I move the profile wholesale into the new path, keys in the old user.dat might conflict with the new domain. Does anyone have any experience of this type of migration that can offer any advice? Thanks in advance, Dermot.
Re: [Samba] help - user password expiration in loop
On 4 July 2011 16:37, Fabio Pardi f.pa...@portavita.eu wrote: nobody to help? I'm just throwing out ideas here. What is the output from pdbedit -P for all these policies: minimum password age, reset count minutes, disconnect time, user must logon to change password, password history, lockout duration, min password length, maximum password age and bad lockout attempt. Perhaps there are clues there. Dp.
Re: [Samba] Startup issue with Samba
On 3 July 2011 18:09, Malcolm Sievwright malcolm.sievwri...@btopenworld.com wrote: Hi Folks, but the solution does not fit as I can't find an smbd.conf file in /etc/init. My samba config file is located in /etc/samba and I would try removing any bind interface options. HTH, Dp.
Re: [Samba] Needs to run smbldap-useradd as non-root user
On 28 June 2011 14:02, Nathan Mahu nm...@cyanide-studio.com wrote: Hello, The abstract is : How to run smbldap-useradd (and others) with a non-root user, knowing that giving Samba privileges to the user's account is enough. Now are details : My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... And NO pam_ldap. I am creating a webservice which must run smbldap-tools scripts. Everything is running on a FreeBSD-8, and running fine by root. However, my webservices won't have root access, so I logged in with a non-root user (#su - testwww) who is in the LDAP directory (added through smbldap-useradd -a) and tried smbldap-tools scripts. Here is my issue : # smbldap-useradd -a userLambda fails with the following message : Error: modifications require authentication at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200. OpenLDAP logs : Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389) Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base=dc=my-domain,dc=com scope=2 deref=2 filter=((objectClass=posixAccount)(uid=userlambda)) Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text= Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base=sambaDomainName=MYDOMAIN,dc=my-domain,dc=com scope=0 deref=2 filter=(objectClass=sambaUnixIdPool) Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn=sambaDomainName=MYDOMAIN,dc=my-domain,dc=com Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost) Immediately we see it doesn't BIND (since it says require authentication). 
I tested with the user : I'm no expert so please consider this as me thinking out loud. Do you have an ACL in the slapd.conf that allows testwww to modify the tree? I would have thought that you would have required a stanza for that if you want testwww to modify other elements of the tree. HTH, Dermot.
Re: [Samba] Fwd: getent group fails - fixed
On 24 June 2011 05:48, Christian PERRIER bubu...@debian.org wrote: Quoting Dermot (paik...@googlemail.com): Perhaps I am not understanding you correctly because that runs counter to my experience. The settings in my /etc/ldap/ldap.conf were correct whereas the ones in /etc/libnss-ldap.conf were not. It was the search filters from libnss-ldap.conf that were being used when I did `getent group`. I think you're telling me that getent is tied to the nss framework so would use that config because that's what I told nsswitch.conf to do. I would have thought, but I am no expert, that samba would have used the config from smb.conf and that ldapsearch (and anything else that didn't have hooks elsewhere) would use /etc/ldap/ldap.conf. Please note that Debian has *two* packages for nss-ldap: mykerinos:/home/cperrier# apt-cache search nss ldap naming service libnss-ldap - NSS module for using LDAP as a naming service libnss-ldapd - NSS module for using LDAP as a naming service IIRC (but you probably want to check this), the latter is more actively maintained than the former. I asked about that on the samba IRC two days ago: (14:33:17) : On my distro (Debian), I have two options for NSS 1) libnss_ldap and 2) libnss_ldapd (Source: nss-pam-ldapd) . Does anyone know which one I should use? Now I have my answer but it looks like I installed the lesser maintained version :/ libnss_ldap.so.2 (libc6,x86-64) = /lib/libnss_ldap.so.2 libnss_ldap.so (libc6,x86-64) = /usr/lib/libnss_ldap.so libnss_ldap-2.7.so (libc6,x86-64) = /lib/libnss_ldap-2.7.so Thanks, Dermot.
Re: [Samba] smb panic when adding printer with apw
On 24 June 2011 07:13, Thorsten Leiser t.lei...@synchron-is.de wrote: Hi, [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/fault.c:fault_report(40) For completeness, perhaps you could show the file permissions on these files, their parent directory, and who is running the smbd process. Thanks, Dermot.
Re: [Samba] smb panic when adding printer with apw
On 24 June 2011 09:48, Thorsten Leiser t.lei...@synchron-is.de wrote: Hi Dermot, here are the file permissions on /var/log/samba/log.smbd, -rw-r--r-- 1 root root 434340 24. Jun 10:41 log.smbd (all files in this directory have this permission) the parent directory ( /var/log/samba ) drwxr-x--- 3 root adm 4096 24. Jun 08:07 samba the smbd is running as root user, but there are also some smbd childs running with user rights. --- snip root 18677 17385 0 07:36 ? 00:00:01 /usr/sbin/smbd -D root 18678 17385 0 07:36 ? 00:00:00 /usr/sbin/smbd -D m028u032 18683 17385 0 07:39 ? 00:00:00 /usr/sbin/smbd -D root 18684 17385 0 07:39 ? 00:00:01 /usr/sbin/smbd -D root 18685 17385 0 07:39 ? 00:00:02 /usr/sbin/smbd -D --- snap Am 24.06.2011 10:08, schrieb Dermot: On 24 June 2011 07:13, Thorsten Leisert.lei...@synchron-is.de wrote: Hi, [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/fault.c:fault_report(40) Can you determine what the user process is? smbstatus perhaps? This error says that it wants to create a new log file. What does your smb.conf say about max log size? I am not very savvy with smb printing but that message suggests that something wants to have write access either to the /var/log/samba directory or the log.smbd file and doesn't have it. There are a few tests you can do to see where the error lies. I would chmod the log.smbd file and see if that gets you round the error. Dp.
Re: [Samba] smb panic when adding printer with apw
On 24 June 2011 10:38, Thorsten Leiser t.lei...@synchron-is.de wrote: 10:08, schrieb Dermot: On 24 June 2011 07:13, Thorsten Leisert.lei...@synchron-is.de wrote: Hi, [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/debug.c:reopen_logs(663) Unable to open new log file /var/log/samba/log.smbd: Permission denied [2011/06/24 07:47:56, 0] lib/fault.c:fault_report(40) Can you determine what the user process is? smbstatus perhaps? This error says that it wants to create a new log file. What does your smb.conf say about max log size? I am not very savy with smb printing but that message suggests that something wants to have write access either to the /var/log/samab directory or the log.smbd file and doesn't have it. There are a few tests you can do to see where the error lies. I would chmod the log.smbd file and see it that gets you round the error. Dp. Hi Dermot, Can you determine what the user process is? smbstatus perhaps? as long as the apw is opened, smbstatus says user administrator. I controlled the pid with ps -ef and it said uid 1001. Also, smbd seems to run with normal user priviliges. I would chmod the log.smbd file and see it that gets you round the error. I did so, but the smb panic occured again, but the error messages Unable to open new log file /var/log/samba/log.smbd: Permission denied disappeared. For a test i set the permissions for all files and subdirectories in /var/lib/samba to 777, but this didn't solve the error. When the panic occurs, samba was still able to create the queue in cups, but the smbd died before associating the queue with the uploaded printer driver. I'm afraid I'm out of ideas. You might want to turn up the debug for printdrivers, loglevel = 3 printdrivers:9 Hopefully that will give you a few more details. 
Dp.
[Samba] Fwd: getent group fails - fixed
Found it. It turns out that the config file for libnss-ldap is /etc/libnss-ldap.conf on my distro (Debian). So NSS was ignoring the config that I had been in /etc/ldap/ldap.conf and taking it from /etc/libnss-ldap.conf. The former had this nss_base_group ou=Groups,dc=example,dc=co,dc=uk?sub and the latter this nss_base_group ou=group,dc=example,dc=co,dc=uk?one. Once I edited group to Groups, it started working. Package: libnss-ldap Priority: extra Section: net Installed-Size: 304 Maintainer: Richard A Nelson (Rick) ... Architecture: amd64 Version: 261-2.1 Depends: libc6 (= 2.7-1), libcomerr2 (= 1.01), libkrb53 (= 1.6.dfsg.2), libldap-2.4-2 (= 2.4.7), libsasl2-2, debconf | debconf-2.0 Recommends: nscd, libpam-ldap ... Hope that saves someone the (huge) amount of time it's taken me to figure out where this problem was. Thanks, Dermot.
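Added example (not part of the original post, and not code from the Samba or nss_ldap projects): a small Python check for the mismatch described in the message above, where the nss_base_* search bases read by the NSS module do not cover the containers that smb.conf tells Samba to use. The sample configuration text is constructed from the values quoted in the post, the function names are hypothetical, and the check assumes a missing scope means subtree.

```python
import re

# Constructed samples, modelled on the values quoted in the post.
LIBNSS_LDAP_CONF = """\
# /etc/libnss-ldap.conf: the file the NSS module (and so getent) reads
base dc=example,dc=co,dc=uk
nss_base_passwd ou=Users,dc=example,dc=co,dc=uk?one
nss_base_group  ou=group,dc=example,dc=co,dc=uk?one
"""

SMB_CONF = """\
[global]
ldap suffix = dc=example,dc=co,dc=uk
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
"""


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around ',' and '=' so DNs compare.

    Simplification: escaped commas inside RDN values are not handled.
    """
    rdns = [p.strip() for p in dn.split(",") if p.strip()]
    return ",".join(
        "=".join(x.strip() for x in rdn.split("=", 1)).lower() for rdn in rdns
    )


def parse_nss_bases(text):
    """Return {map_name: [(base_dn, scope), ...]} from nss_base_* lines."""
    bases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nss_base_(\w+)\s+(\S.*)$", line)
        if not match:
            continue
        fields = match.group(2).split("?")  # base?scope?filter
        scope = fields[1].strip().lower() if len(fields) > 1 else ""
        # Assumption: no scope given means a subtree search.
        bases.setdefault(match.group(1), []).append(
            (normalize_dn(fields[0]), scope or "sub")
        )
    return bases


def parse_smb_ldap_suffixes(text):
    """Collect the 'ldap ... suffix' parameters from smb.conf text."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        if key.startswith("ldap ") and key.endswith("suffix"):
            opts[key] = value.strip()
    return opts


def samba_container(opts, which):
    """Full DN Samba uses: the relative suffix with 'ldap suffix' appended."""
    parts = (opts.get("ldap %s suffix" % which, ""), opts.get("ldap suffix", ""))
    return normalize_dn(",".join(p for p in parts if p))


def covers(base, scope, container):
    """True if a search from base with scope reaches entries directly
    beneath container (where Samba creates the accounts or groups)."""
    if base == container:
        return scope in ("one", "sub")
    return scope == "sub" and container.endswith("," + base)


def check(nss_text, smb_text):
    """Return [(nss_map, samba_container_dn, configured_bases), ...] for
    every NSS map whose configured bases miss Samba's container."""
    nss = parse_nss_bases(nss_text)
    opts = parse_smb_ldap_suffixes(smb_text)
    findings = []
    for nss_map, which in (("passwd", "user"), ("group", "group")):
        container = samba_container(opts, which)
        configured = nss.get(nss_map, [])
        if configured and not any(covers(b, s, container) for b, s in configured):
            findings.append((nss_map, container, configured))
    return findings


if __name__ == "__main__":
    for nss_map, container, configured in check(LIBNSS_LDAP_CONF, SMB_CONF):
        print("nss_base_%s does not reach %s; configured: %s"
              % (nss_map, container, configured))
```

Run against the real /etc/libnss-ldap.conf and smb.conf contents, an empty result means every configured nss_base_passwd and nss_base_group entry reaches the matching Samba container.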
Re: [Samba] Fwd: getent group fails - fixed
On 23 June 2011 13:14, Bruce Richardson wrote: On Thu, Jun 23, 2011 at 01:00:55PM +0100, Dermot wrote: Found it. It turns out that the config file for libnss-ldap is /etc/libnss-ldap.conf on my distro (Debian). So NSS was ignoring the config that I had been in /etc/ldap/ldap.conf and taking it from /etc/libnss-ldap.conf. Samba's ldap searches are affected by anything that goes into /etc/ldap/ldap.conf, which would cause problems if the nsswitch-specific settings had to be stored there. Perhaps I am not understanding you correctly because that runs counter to my experience. The settings in my /etc/ldap/ldap.conf were correct whereas the ones in /etc/libnss-ldap.conf were not. It was the search filters from libnss-ldap.conf that were being used when I did `getent group`. I think you're telling me that getent is tied to the nss framework so would use that config because that's what I told nsswitch.conf to do. I would have thought, but I am no expert, that samba would have used the config from smb.conf and that ldapsearch (and anything else that didn't have hooks elsewhere) would use /etc/ldap/ldap.conf. # /etc/nsswitch.conf passwd: files ldap group: files ldap shadow: files ldap Your workplace configuration sounds like what I am trying to deploy at mine. I'll be back. Thanks, Dermot
[Samba] getent group fails
slapd[26541]: conn=110 op=0 BIND dn= method=128
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=0 RESULT tag=97 err=0 text=
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=1 SRCH base=ou=group,dc=sciencephoto,dc=co,dc=uk scope=2 deref=0 filter=(objectClass=posixGroup)
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jun 22 13:36:07 rigel slapd[26541]: conn=110 op=2 UNBIND
Jun 22 13:36:07 rigel slapd[26541]: conn=110 fd=22 closed

and get this response:

# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=co,dc=uk

I have grepped everywhere but I can not see how to tweak the config so that the search will be performed on ou=groups. I think I am very close to working out what's wrong but I could use some advice. Thanks in advance, Dermot.

ldap.conf =
base dc=example,dc=co,dc=uk
host localhost rigel.example.co.uk
binddn cn=admin,dc=example,dc=co,dc=uk
bindpw mysecret
bind_policy soft
pam_password exop
timelimit 15
nss_base_passwd dc=example,dc=co,dc=uk?one
nss_base_shadow dc=example,dc=co,dc=uk?one
nss_base_passwd ou=Computers,dc=example,dc=co,dc=uk?one
nss_base_shadow ou=Computers,dc=example,dc=co,dc=uk?one
nss_base_group ou=Groups,dc=example,dc=co,dc=uk?one
ssl off
==

= smb.conf =
[global]
dos charset = UTF-8
display charset = UTF-8
workgroup = LDN
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
unix password sync = Yes
log level = 1
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139 445
name resolve order = wins hosts bcast
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel '%u'
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
logon path =
logon drive = U:
logon home =
domain logons = Yes
os level = 65
preferred master = Auto
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin,dc=example,dc=co,dc=uk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Computers, ou=Users
ldap passwd sync = yes
ldap suffix = dc=example,dc=co,dc=uk
ldap ssl = no
ldap timeout = 20
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
idmap backend = ldap:ldap://127.0.0.1/;
idmap uid = 15000-2
idmap gid = 15000-2
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[netlogon]
path = /var/lib/samba/netlogon
browseable = No

[profiles]
path = /var/lib/samba/profiles
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable

[public]
path = /tmp
read only = No
guest ok = Yes
[Samba] Setting domain group ownership on files
Hi, I have been testing out a samba installation and am slowly getting to a point where I am ready to push the project live. I have been playing with a domain member server that uses winbindd. I have created a share in /tmp called public to see what happens with user and group permissions. I created the directory as follows: mkdir /tmp/public; chgrp users /tmp/public; chmod 2777 /tmp/public. Then from a Windows XP work station I logged in as a domain user, connected to the share and created a folder. When I list the folder from the shell on the server I see: root@dev2:/etc/samba# ls -ltr /tmp/public/ total 4 drwxrwxr-x 2 DOM\djohn users 4096 2011-06-21 11:44 d_john That's great, the domain user owns the file. However the group owner is the local group 'users' (coming from the chmod above). My question is: is there a way to chgrp the parent folder to the DOM\Domain users group? Or do I have to employ a groupmap between Domain users and the local users group? Thanks, Dermot.
Re: [Samba] Accessing directory in UNIX from Windows Platform!
On 20 June 2011 11:56, Kanagaraj S raj.kana...@gmail.com wrote: My queries on SAMBA: 1. How the link ( kind of URL ) to those files in SAMBA Server looks like? \\samba-server-netbios-name-or-ip-address\share-name 2. Can we have access to the files in just a Click of that URL? Yes. Read the docs and potential values for the security parameter in smb.conf. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id2564901 HTH, Dp.
Re: [Samba] BDC and ldap set-up problem
This problem with `getent passwd` not returning the ldap users seems to have disappeared once I updated nss libraries. Thanks Dermot On 15 June 2011 22:31, Dermot paik...@googlemail.com wrote: Hi, On 15 June 2011 18:56, Gaiseric Vandal gaiseric.van...@gmail.com wrote: I installed winbind but have turned it off. On the BDC, did you ever join the domain? (net join) Yes, several times. Do you have any ideas why the `getent` isn't working? The nsswitch.conf is below. Thanks, Dermot
[Samba] winbindd problems
Hi, I am having problems with winbindd on a BDC but I am not sure where the problem lies. If I run `winbindd -n -i` on the BDC and watch the output from pdbedit -Lv I see: winbindd version 3.5.4-0.70.el5_6.1 started. Copyright Andrew Tridgell and the Samba Team 1992-2010 initialize_winbindd_cache: clearing cache and re-creating with version number 1 Could not init passdb idmap domain ldap_initialize: Bad parameter to an ldap routine Connection to LDAP server failed for the 1 try! ... ldap_initialize: Bad parameter to an ldap routine Connection to LDAP server failed for the 15 try! ldap_initialize: Bad parameter to an ldap routine I get a similar error if I restart the smb service: ldap_initialize: Bad parameter to an ldap routine Connection to LDAP server failed for the 1 try! ldap_initialize: Bad parameter to an ldap routine Connection to LDAP server failed for the 2 try! ... ... Connection to LDAP server failed for the 15 try! ldap_initialize: Bad parameter to an ldap routine idmap_alloc module ldap already registered! idmap_alloc module tdb already registered! Idmap module passdb already registered! Idmap module nss already registered! ldap_initialize: Bad parameter to an ldap routine Connection to LDAP server failed for the 1 try! Can anyone offer any pointers as to what the problem might be or a means that might help me track it down? Thanks, Dermot.
[Samba] BDC and ldap set-up problem
Hi, I could use some confirmation on my approach to configuring my BDC. I want the user to be able to access shares on the BDC and have their domain credentials stamped on any files they create. I do not want to add domain users to the /etc/passwd file. At the moment users can authenticate onto the domain but once they try and access a share on the BDC, these XP users get a dialogue box asking for a login. The log for the machine reads: [2011/06/15 17:07:11.827697, 1] auth/auth_util.c:580(make_server_info_sam) User djohn in passdb, but getpwnam() fails! [2011/06/15 17:07:11.827841, 0] auth/auth_sam.c:493(check_sam_security) check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER' [2011/06/15 17:07:11.834014, 1] auth/auth_util.c:580(make_server_info_sam) User djohn in passdb, but getpwnam() fails! [2011/06/15 17:07:11.834088, 0] auth/auth_sam.c:493(check_sam_security) check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER' At the same time on the ldap master (PDC) I see a search request arrive for the same user and a successful response: Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH base=dc=example,dc=com scope=2 deref=0 filter=((uid=djohn)(objectClass=sambaSamAccount)) Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SEARCH RESULT 
tag=101 err=0 nentries=1 text=
Jun 15 17:04:03 rigel slapd[648]: conn=2838 fd=18 closed (connection lost)

The odd thing is this BDC is also in a replication system with the PDC so it shouldn't need to forward the query. I thought that if I had added ldap to the nsswitch.conf for the passwd and group items, then ldap would be used when the domain users failed to be retrieved from the passwd file.

The bigger confusion is around the configuration. Should I be able to use an ldap backend and get the domain user's credentials when they access a share? I have tried to follow the instructions from http://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP The PAM section doesn't match my distro and I ain't see any mention of ldap in /etc/security/*

Can anyone help iron out some of the creases in my set-up? Thanks, Dermot.

BDC conf =
[global]
unix charset = LOCALE
workgroup = MINE
server string = SMB Server
netbios name = antares
security = user # tried this as domain but it still fails
# hosts allow =
load printers = no
; printcap name = /etc/printcap
; printcap name = lpstat
; printing = cups
cups options = raw
; guest account = pcguest
log file = /var/log/samba/%m.log
log level = 1
syslog = 0
max log size = 50
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = no
domain master = no
# passdb backend = ldapsam:ldap://127.0.0.1
passdb backend = ldapsam:ldap://127.0.0.1:389 ldap://rigel.example.com:389;
ldap passwd sync = yes
ldapsam:trusted = yes
ldapsam:editposix = yes
domain logons = yes
os level = 63
logon script = login.bat
logon path =
wins server = rigel.example.com
ldap ssl = off
client ldap sasl wrapping = plain
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers, ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Group
ldap idmap suffix = ou=idmap
ldap admin dn = cn=admin,dc=example,dc=com
utmp = Yes
idmap backend = ldap://rigel.example.com
idmap uid = 15000-2
idmap gid = 15000-2
Re: [Samba] BDC and ldap set-up problem
Hi,

On 15 June 2011 18:56, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

On the BDC, does pdbedit -L show you all your domain users? On the BDC, does getent passwd show you all your users?

The output from pdbedit shows all the domain users but getent passwd only shows the user in passwd.

I use ldap for both samba and unix backends, so pdbedit -Lv and getent passwd show me the same output for my domain users and local unix users. I don't need to use winbind/idmap to keep unix uid's and gid's consistent. I installed winbind but have turned it off.

On the BDC, did you ever join the domain? (net join)

Yes, several times. Do you have any ideas why the `getent` isn't working? The nsswitch.conf is below.

Thanks,
Dermot

passwd: ldap files
group: ldap files
shadow: files
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc:files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases:files nisplus

On 06/15/2011 01:09 PM, Dermot wrote:

Hi,

I could use some confirmation on my approach to configuring my BDC. I want the user to be able to access shares on the BDC and have their domain credentials stamped on any files they create. I do not want to add domain users to the /etc/passwd file.

At the moment users can authenticate onto the domain but once they try and access a share on the BDC, these XP users get a dialogue box asking for a login. The log for the machine reads:

[2011/06/15 17:07:11.827697, 1] auth/auth_util.c:580(make_server_info_sam)
  User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.827841, 0] auth/auth_sam.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2011/06/15 17:07:11.834014, 1] auth/auth_util.c:580(make_server_info_sam)
  User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.834088, 0] auth/auth_sam.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

At the same time on the ldap master (PDC) I see a search request arrive for the same user and a successful response:

Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH base=dc=example,dc=com scope=2 deref=0 filter=((uid=djohn)(objectClass=sambaSamAccount))
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 15 17:04:03 rigel slapd[648]: conn=2838 fd=18 closed (connection lost)

The odd thing is this BDC is also in a replication system with the PDC so it shouldn't need to forward the query. I thought that if I had added ldap to the nsswitch.conf for the passwd and group items, then ldap would be used when the domain users failed to be retrieved from the passwd file.

The bigger confusion is around the configuration. Should I be able to use an ldap backend and get the domain user's credentials when they access a share? I have tried to follow the instructions from http://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP The PAM section doesn't match my distro and I don't see any mention of ldap in /etc/security/*

Can anyone help iron out some of the creases in my set-up?

Thanks,
Dermot.

BDC conf =

[global]
unix charset = LOCALE
workgroup = MINE
server string = SMB Server
netbios name = antares
security = user
# tried this as domain but it still fails
# hosts allow =
load printers = no
; printcap name = /etc/printcap
; printcap name = lpstat
; printing = cups
cups options = raw
; guest account = pcguest
log file = /var/log/samba/%m.log
log level = 1
syslog = 0
max log size = 50
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = no
domain master = no
# passdb backend = ldapsam:ldap://127.0.0.1
passdb backend = ldapsam:ldap://127.0.0.1:389 ldap://rigel.example.com:389;
ldap passwd sync = yes
ldapsam:trusted = yes
ldapsam:editposix = yes
domain logons = yes
os level = 63
logon script = login.bat
logon path =
wins server = rigel.example.com
ldap ssl
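The failure discussed in this thread, as an added example that is not part of the original messages: it pulls the affected account names out of the smbd log and reports whether each one resolves through NSS and whether ldap is listed as a passwd source. The sample text is constructed from the log lines and nsswitch.conf quoted above; the function names and status labels are made up for this example.

```python
import pwd
import re

# Constructed sample: the smbd log lines quoted in the posts above.
SAMPLE_LOG = """\
[2011/06/15 17:07:11.827697,  1] auth/auth_util.c:580(make_server_info_sam)
  User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.827841,  0] auth/auth_sam.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2011/06/15 17:07:11.834014,  1] auth/auth_util.c:580(make_server_info_sam)
  User djohn in passdb, but getpwnam() fails!
"""

# Constructed sample: some lines of the nsswitch.conf quoted in the reply.
SAMPLE_NSSWITCH = """\
passwd: ldap files
group: ldap files
shadow: files
bootparams: nisplus [NOTFOUND=return] files
"""

GETPWNAM_FAIL = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!")

# Status labels used in the report (wording chosen for this example).
RESOLVES = "resolves through NSS now"
NO_LDAP = "ldap is not a passwd source in nsswitch.conf"
LDAP_FAILS = "ldap is a passwd source but the NSS lookup still fails"


def users_missing_from_nss(log_text):
    """Accounts smbd found in passdb but could not resolve, in first-seen order."""
    seen = []
    for match in GETPWNAM_FAIL.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def nss_sources(nsswitch_text, database):
    """Ordered lookup sources for one database, ignoring [STATUS=action] items."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def system_lookup(user):
    """True when the C library's getpwnam() (via NSS) knows the account."""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False


def diagnose(log_text, nsswitch_text, lookup=system_lookup):
    """Return (user, status) for every account named in a getpwnam() failure."""
    sources = nss_sources(nsswitch_text, "passwd")
    report = []
    for user in users_missing_from_nss(log_text):
        if lookup(user):
            status = RESOLVES
        elif "ldap" not in sources:
            status = NO_LDAP
        else:
            status = LDAP_FAILS
        report.append((user, status))
    return report


if __name__ == "__main__":
    for user, status in diagnose(SAMPLE_LOG, SAMPLE_NSSWITCH):
        print(f"{user}: {status}")
```
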
[Samba] ldap backend failing
SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn diLDNSPLayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 10 15:54:43 provider slapd[11306]: conn=71 fd=19 closed (connection lost)

I see an error 32 here and I also see some nentries=1 that I'm guessing matched responses. If I do ldapsearch -x -b sambaDomainName=LDNSPL,dc=example,dc=com, I get

# extended LDIF
#
# LDAPv3
# base sambaDomainName=LDNSPL,dc=example,dc=com with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# LDNSPL, example.com
dn: sambaDomainName=LDNSPL,dc=example,dc=com
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: LDNSPL
sambaSID: S-1-5-21-1979685110-1467996072-351907979
gidNumber: 1000
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutThreshold: 0
sambaRefuseMachinePwdChange: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaNextRid: 1001
sambaForceLogoff: -1
uidNumber: 1116

The same query with cn=djohn returns nothing:

...
# filter: cn=djohn
# requesting: ALL
#

# search result
search: 2
result: 0 Success

So some parts of my configuration look to be working but something is not right but I can't figure out where the problem is. The smb config for the consumer is below.

Can anyone help track down where the problem lies?

Thanks in advance,
Dermot.

### SMB.CONF ###

[global]
unix charset = LOCALE
workgroup = LDNSPL
server string = Test Server
netbios name = docstore
# security = domain
load printers = no
; printcap name = /etc/printcap
; printcap name = lpstat
; printing = cups
cups options = raw
; guest account = pcguest
log file = /var/log/samba/%m.log
log level = 1
syslog = 0
max log size = 50
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = no
passdb backend = ldapsam:ldap://provider.example.com;
# passdb backend = ldapsam:ldap://consumer.example.com ldap://provider.example.com;
domain logons = yes
os level = 63
domain master = no
logon script = login.bat
logon path =
wins server = provider.example.com
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers, ou=Users
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=idmap
ldap admin dn = cn=admin,dc=example,dc=com
utmp = Yes
idmap backend = ldap://provider.example.com
idmap uid = 15000-2
idmap gid = 15000-2
Re: [Samba] Single sign on nivana
Given that I currently have 6 member servers, I think that amount of ldap replication would be over-kill. I was considering one ldap slave. I will consult the Docs that Louis pointed me to and look at the winbind config.

Thanks,
Dp.

On 1 June 2011 19:04, Dale Schroeder d...@briannassaladdressing.com wrote:

Dermot,

What Louis describes does indeed allow for single sign on. The non-PDC systems are no longer member servers in the truest sense, but rather, all become BDC's (security = user). If you do not wish to install ldap on all systems, then the options are to use winbind, or to use nss-ldap and pam-ldap instead. Either will allow for single sign on as true member servers (security = DOMAIN) to authenticate against the PDC. The former is well documented; the latter is much harder to find.

Dale

On 06/01/2011 10:21 AM, Dermot wrote:

Thanks but I am not sure that I have made myself clear. I want to remove Windows NT from my production environment. I would like to use Samba as the PDC with ldap backend and some replication. So far in tests this all works EG, Windows7 and WinXP can authenticate.

I have one more thing I would like to achieve. I want files on the Samba member server to be owned by the domain user without having to add each domain user locally to the member server's /etc/passwd file. I don't think the articles you have suggested address how to do that.

Dp.

On 1 June 2011 12:37, L.P.H. van Belle be...@bazuin.nl wrote:

Well, set up ldap with replication. I have this setup and I use syncrepl for ldap replication. This is working for 5 years now. I manage my users and groups with the NT4 user manager.

Look here. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html

I use this setup: PDC - LDAP master server, BDC - LDAP slave server. My ldap slave is readonly. I use debian OS.

look here for a nice example http://www.server-world.info/en/note?os=Debian_6.0p=sambaf=6 and look here http://fr33co.wordpress.com/2009/02/19/replicacion-ldap-con-syncrepl-en-debian-lenny/ if you need other language put it in a translator ;-)

Good luck.
Louis

-----Original message-----
From: paik...@googlemail.com [mailto:samba-boun...@lists.samba.org] On behalf of Dermot
Sent: 2011-06-01 13:04
To: samba@lists.samba.org
Subject: [Samba] Single sign on nivana

Hi,

I have Samba 3.5.6 that is running as a PDC for testing purposes. In my production environment I still use a NT4 domain and all the samba member servers use domain security.

One of the irritations I have with the Samba members set-up is that I have to add the users to the local server so that files created by a domain user are owned by them and not the guest account.

Ideally I would like to add the users to the PDC alone and then if a domain user creates a file on a member server, when I viewed those files, either from a windows machine or from a shell on the member server, I could see who they belong to.

I'm sure that there is a means of doing this, but I can't glean it from the docs. Can anyone advise me on the configuration I would need?

Thank you,
Dermot.
Re: [Samba] Fwd: A default profile
Cheers Louis,

It works fine.

Dp.

On 29 May 2011 15:18, L.P.H. van Belle be...@bazuin.nl wrote:

When using PDC, put the default User in the netlogon folder like this: \\Pdc\netlogon\Default User

now the user will be copied from that folder.

Best regards,
Louis

-----Original message-----
From: paik...@googlemail.com [mailto:samba-boun...@lists.samba.org] On behalf of Dermot
Sent: 2011-05-28 22:53
To: samba@lists.samba.org
Subject: [Samba] Fwd: A default profile

Hi,

I am not using roaming profiles, but there is a feature in NT 4 where you store a 'Default User' profile under the C:\winnt\system32\repel\import\scripts\. When a user logs into the Domain for the first time, they get a copy of that profile.

I have tried having a copy of the same profile to both the netlogon share and the profiles share on my Samba PDC but the profile does not get downloaded. I was wondering if this feature works for anybody else, in which case, I am doing something wrong.

Is anyone able to set a Default User profile on a samba domain controller?

Thanks,
Dermot
[Samba] Single sign on nivana
Hi,

I have Samba 3.5.6 that is running as a PDC for testing purposes. In my production environment I still use a NT4 domain and all the samba member servers use domain security.

One of the irritations I have with the Samba members set-up is that I have to add the users to the local server so that files created by a domain user are owned by them and not the guest account.

Ideally I would like to add the users to the PDC alone and then if a domain user creates a file on a member server, when I viewed those files, either from a windows machine or from a shell on the member server, I could see who they belong to.

I'm sure that there is a means of doing this, but I can't glean it from the docs. Can anyone advise me on the configuration I would need?

Thank you,
Dermot.
Re: [Samba] Single sign on nivana
Thanks but I am not sure that I have made myself clear. I want to remove Windows NT from my production environment. I would like to use Samba as the PDC with ldap backend and some replication. So far in tests this all works EG, Windows7 and WinXP can authenticate.

I have one more thing I would like to achieve. I want files on the Samba member server to be owned by the domain user without having to add each domain user locally to the member server's /etc/passwd file. I don't think the articles you have suggested address how to do that.

Dp.

On 1 June 2011 12:37, L.P.H. van Belle be...@bazuin.nl wrote:

Well, set up ldap with replication. I have this setup and I use syncrepl for ldap replication. This is working for 5 years now. I manage my users and groups with the NT4 user manager.

Look here. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html

I use this setup: PDC - LDAP master server, BDC - LDAP slave server. My ldap slave is readonly. I use debian OS.

look here for a nice example http://www.server-world.info/en/note?os=Debian_6.0p=sambaf=6 and look here http://fr33co.wordpress.com/2009/02/19/replicacion-ldap-con-syncrepl-en-debian-lenny/ if you need other language put it in a translator ;-)

Good luck.
Louis

-----Original message-----
From: paik...@googlemail.com [mailto:samba-boun...@lists.samba.org] On behalf of Dermot
Sent: 2011-06-01 13:04
To: samba@lists.samba.org
Subject: [Samba] Single sign on nivana

Hi,

I have Samba 3.5.6 that is running as a PDC for testing purposes. In my production environment I still use a NT4 domain and all the samba member servers use domain security.

One of the irritations I have with the Samba members set-up is that I have to add the users to the local server so that files created by a domain user are owned by them and not the guest account.

Ideally I would like to add the users to the PDC alone and then if a domain user creates a file on a member server, when I viewed those files, either from a windows machine or from a shell on the member server, I could see who they belong to.

I'm sure that there is a means of doing this, but I can't glean it from the docs. Can anyone advise me on the configuration I would need?

Thank you,
Dermot.
[Samba] Fwd: A default profile
Hi,

I am not using roaming profiles, but there is a feature in NT 4 where you store a 'Default User' profile under the C:\winnt\system32\repel\import\scripts\. When a user logs into the Domain for the first time, they get a copy of that profile.

I have tried having a copy of the same profile to both the netlogon share and the profiles share on my Samba PDC but the profile does not get downloaded. I was wondering if this feature works for anybody else, in which case, I am doing something wrong.

Is anyone able to set a Default User profile on a samba domain controller?

Thanks,
Dermot
[Samba] output from pdbedit - does not belong to our domain
Hi,

I am in the process of migrating my old NT4 PDC to a Samba 3.2.5 with an Ldap backend. I have been following the instructions from http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html

At point 16 it says to try pdbedit -Lw. This is the output I get:

sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain

That's not what I expected. Does anyone know why this might be? I did remove /var/lib/samba/*tdb before I began.

Point 17 works:

net groupmap list
Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) - 512
Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) - 513
Domain Guests (S-1-5-21-1979685110-1467996072-351907979-514) - 514
Domain Computers (S-1-5-21-1979685110-1467996072-351907979-515) - 515
Administrators (S-1-5-32-544) - 544
Account Operators (S-1-5-32-548) - 548
Print Operators (S-1-5-32-550) - 550
Backup Operators (S-1-5-32-551) - 551
Replicators (S-1-5-32-552) - 552

According to LDAP the SambaDomainName SID is S-1-5-21-900663976-1457140431-1537874043. Is there meant to be some correlation between the Domain SID and the group list?

net rpc info -UAdministrator -S MyPDC
Enter Administrator's password:
Domain Name: OurDom
Domain SID: S-1-5-21-900663976-1457140431-1537874043
Sequence number: 2946
Num users: 117
Num domain groups: 3
Num local groups: 0

Can anyone offer some guidance please?

Thanks,
Dp.
Re: [Samba] Windows 7 on a Samba 3.2.5 Domain
On 24 September 2010 15:56, Rodolfo Barbosa rodo...@lunarinternet.com.br wrote:

Guys, Does the Windows 7 work with a Samba 3.2.5? If it does, where can I find a documentation about it?

Try here: http://wiki.samba.org/index.php/Windows7
Re: [Samba] NT4 Migration
Thanks all for the replies. I should point out that I have only one PDC and one NT domain. I do have several existing Samba servers that use the domain security option.

10. The LDAP management password must be installed into the secrets.tdb file as follows:

root# smbpasswd -w not24get
Setting stored password for cn=Manager,dc=terpstra-world,dc=org in secrets.tdb

Did you run this command?

Yes, I did. I deleted secrets.tdb before I began. I ran it again to see what the output was:

smbpasswd -w not24get
Setting stored password for cn=admin,dc=mydomain,dc=co,dc=uk in secrets.tdb

When I run smbldap-populate I am also prompted by smbpasswd. I am not sure if that is correct.

What do the following commands show?

net getlocalsid
net getdomainsid

They should be the same.

I get an error:

net getlocalsid
[2010/09/23 08:13:01, 0] utils/net.c:net_getlocalsid(708)
  Can't fetch domain SID for name: LDAP
net getdomainsid
Could not fetch local SID

LDAP is the hostname of the local machine that I would like to eventually migrate to. I am wondering if that might be a poor choice of hostname now.

I checked my history and I definitely ran `net rpc -S my_nt_server_netbios_name`, I hope it doesn't hurt to run it again. This was the output:

Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM in secrets.tdb
#net rpc getsid -S SPLPDC -U Administrator
Storing SID S-1-5-21-900663976-1457140431-1537874043 for Domain MYDOM in secrets.tdb
# net getdomainsid
Could not fetch local SID
# net getlocalsid
[2010/09/23 08:18:21, 0] utils/net.c:net_getlocalsid(708)
  Can't fetch domain SID for name: LDAP

I have not used net rpc vampire yet (point 17) because I haven't passed the safety checks in point 16.

Can you just manually change your SID in LDAP to match that from the NT4 server?

I am not entirely sure this is necessary. In my ldap tree I have an item called sambaDomainName and that has the correct SID. Here is the partial output from slapcat -v:

# id=001a
dn: sambaDomainName=MYDOM,dc=mydomain,dc=co,dc=uk
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 60ea2452-56bd-102f-9b84-07665867de80
creatorsName: cn=admin,dc=mydomain,dc=co,dc=uk
createTimestamp: 20100917153835Z
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
gidNumber: 1000
sambaDomainName: MYDOM
sambaSID: S-1-5-21-900663976-1457140431-1537874043
sambaNextRid: 1000
uidNumber: 1000
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
entryCSN: 20100922144116.351528Z#00#000#00
modifiersName: cn=admin,dc=mydomain,dc=co,dc=uk
modifyTimestamp: 20100922144116Z

I also found (at least with samba 3.4.x) that even if I set ldap group suffix=ou=group in smb.conf, samba would look through my whole LDAP tree for group entries. I had initially tried to have separate ou=group and ou=smb_group containers to separate my unix groups from my samba group mappings.

smb.conf:

ldap admin dn = cn=admin,dc=mydomain,dc=co,dc=uk
ldap group suffix = ou=group
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Computer

That might be a hint. The ldap group is ou=Groups. I edited my smb.conf, deleted secrets.tdb, and stepped through the process again. Now `net groupmap list` gives me:

Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) - 512
Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) - 513
Domain Guests (S-1-5-21-1979685110-1467996072-351907979-514) - 514
Domain Computers (S-1-5-21-1979685110-1467996072-351907979-515) - 515
Administrators (S-1-5-32-544) - 544
Account Operators (S-1-5-32-548) - 548
Print Operators (S-1-5-32-550) - 550
Backup Operators (S-1-5-32-551) - 551
Replicators (S-1-5-32-552) - 552

This is more like it and I may be nearly ready to vampire. However I am worried about the errors I get now from net getlocalsid and getdomainsid.

Are you using idmap? I had this when the nextgid value in idmap went out of range for some bizarre reason.

Yes I am using idmap.

smb.conf

idmap backend = ldapsam:ldap://127.0.0.1/
idmap uid = 15000-2
idmap gid = 15000-2

I don't know how to get the current or next id to find out if this is the case.

I think the question I'd like to ask the list is, do they think that it's safe for me to continue when I am still getting errors from getdomainsid and pdbedit does not show the root user?

Thanks,
Dp.
[Samba] NT4 Migration
Hi,

I am in the process of attempting a NT4 Domain to Samba migration (3.2.5). I have been following the instructions at http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html. I am using an ldap backend. I am not convinced everything is set-up correctly.

Before I began I removed all /var/lib/samba/*tdb and shutdown smb and ldap. At point 13 where you do `getent group` the Domain groups do not appear. They exist in the ldap tree ou=Groups. I have joined the samba machine to the NT4 domain (point 14).

When I attempt pdbedit -Lw, I get:

sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain

This sid is not the one that appears in my ldap sambaDomainName or from the `net rpc getsid ` command.

Also when I attempt `net groupmap list` (point 16) I get:

net groupmap list
[2010/09/22 15:41:05, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3342)
  ldapsam_setsamgrent: LDAP search failed: No such object
[2010/09/22 15:41:05, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3417)
  ldapsam_enum_group_mapping: Unable to open passdb

So something is wrong but I am not sure what. Can anyone offer any advice?

Thanks in advance,
Dp.
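The SID mismatch reported in this thread and in the earlier "output from pdbedit" post, as an added example that is not part of the original messages: an account or group SID is its domain's SID followed by a RID, so the code splits every SID found in the pdbedit -Lw and net groupmap list output and compares the domain part with the SID that net rpc getsid stored. The sample text is constructed from output quoted in those posts; the function names are made up for this example.

```python
import re

# Constructed sample: lines copied from the pdbedit -Lw and
# net groupmap list output quoted in these posts.
SAMPLE_OUTPUT = """\
sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
Domain Admins (S-1-5-21-1979685110-1467996072-351907979-512) - 512
Domain Users (S-1-5-21-1979685110-1467996072-351907979-513) - 513
Administrators (S-1-5-32-544) - 544
Backup Operators (S-1-5-32-551) - 551
"""

# Domain SID that `net rpc getsid` stored in secrets.tdb, as quoted in the thread.
NT4_DOMAIN_SID = "S-1-5-21-900663976-1457140431-1537874043"

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def classify(sid, domain_sid):
    """Return (kind, rid) for one SID relative to the expected domain SID.

    kind is one of:
      "domain-sid"  the domain SID itself (no RID)
      "builtin"     S-1-5-32-<rid>, the same on every host
      "ours"        <domain_sid>-<rid>
      "foreign"     S-1-5-21-x-y-z-<rid> issued under a different domain SID
      "other"       anything else
    """
    parts = sid.split("-")
    if sid == domain_sid:
        return ("domain-sid", None)
    if parts[:4] == ["S", "1", "5", "32"] and len(parts) == 5:
        return ("builtin", int(parts[4]))
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        prefix = "-".join(parts[:7])
        kind = "ours" if prefix == domain_sid else "foreign"
        return (kind, int(parts[7]))
    return ("other", None)


def audit(text, domain_sid):
    """Classify every SID that appears in command output, in order."""
    rows = []
    for sid in SID_RE.findall(text):
        kind, rid = classify(sid, domain_sid)
        rows.append((sid, kind, rid))
    return rows


def foreign_prefixes(text, domain_sid):
    """Distinct domain SIDs, other than the expected one, that issued RIDs."""
    return sorted({
        sid.rsplit("-", 1)[0]
        for sid, kind, _ in audit(text, domain_sid)
        if kind == "foreign"
    })


if __name__ == "__main__":
    for sid, kind, rid in audit(SAMPLE_OUTPUT, NT4_DOMAIN_SID):
        print(f"{kind:10} rid={rid} {sid}")
    print("issued under:", foreign_prefixes(SAMPLE_OUTPUT, NT4_DOMAIN_SID))
```
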
RE: [Samba] Cannot join domain
On 21 May 2007 at 11:14, Morné du Plessis wrote:

Hi

Try the next:

smbpasswd -a -m pcname

Or

smbpasswd -j DOMAIN -r DOMAINPC

Unfortunately not. This returns:

See 'net join' for this functionality

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beginner
Sent: 21 May 2007 10:53 AM
To: samba@lists.samba.org
Subject: [Samba] Cannot join domain

Hi,

Samba V 3.0.25 on Red Hat Enterprise Linux 5
PDC: NT 4 Domain.
Server security = domain.

I have a server (possibly 2) that cannot join the domain. I have tried from the linux server with 'net rpc join' and from the NT Box's Server Manager but it fails. The server appears in Server Manager although you can not get any additional info about it.

The NT BOX's event viewer has the error:

The session set-up computer SERVER failed because there is no trust account in the security database for this computer. The name of the account references is SERVER$

There are a few errors in the PDC's log file:

Remote machine MYPDC pipe \NETLOGON fnum 0x480d bind request returned ok.
[2007/05/21 10:08:25] rpc_client/cli_pipe.c:get_schannel_session_key(2449)
  get_schannel_session_key: could not fetch trust account password for domain 'MYDOMAIN'
[2007/05/21 10:08:25] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2679)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYPDC for domain MYDOMAIN.

I have tried a number of things, disabling firewall, changing netbios name, deleting the server from Server Manager and upgrading to the latest release but the error persists.

Can anyone offer any advice?

Thanx,
Dp.