Re: [Samba] Use LDAP for passwords ONLY

2013-10-03 Thread Donny Brooks
 
 
 
On Thursday, October 3, 2013 12:56 PM CDT, Garey gareysmi...@sbcglobal.net 
wrote: 
 
 Marc Muehlfeld samba at marc-muehlfeld.de writes:
 
  Hello,
  
  Am 03.10.2013 18:17, schrieb Garey:
   I am trying to figure out if I can setup samba to verify only passwords
   against LDAP and keep everything else local.
  
  Can you be a bit more specific what you intend to do?
  
  Regards,
  Marc
 
 I want all group and user info local on the samba server, but verify
 passwords against LDAP. So the only thing LDAP is used for is verify the
 password. 
 
 
 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba
 
LDAP still will need a username to go with the password. Could you tell us 
exactly why you want users local instead of in LDAP?
-- 

Donny B. 



Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 

 
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld 
sa...@marc-muehlfeld.de wrote: 
 
 Hello Donny,
 
 Am 12.07.2013 21:34, schrieb Donny Brooks:
  On the old domain, which was setup before I got here,
   our IT section was in an ldap group that allowed us to
   join PC's to the domain ...
 
 http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
 
 
 
 
   ... and when the prompt came up in windows to
   install software we could log in as ourselves.
 
 What do you mean by this? Do you want to have a group of users 
 automatically in the administrator group on your workstations?
 
 http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
 
 If you mean something else, please give some more details.
 
 
 
 Regards,
 Marc
 
 
 
 
 
 
Yes, on the old domain we had all of our IT staff in a group that was able to 
join pcs to the domain and install software by inputting their domain 
credentials when prompted. Looking at the first link that is for Samba 4.X. We 
are on Samba 3.5.10 so that does not apply. 

-- 

Donny B. 



Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal 
gaiseric.van...@gmail.com wrote: 
 
 According to the net man page
 
 
 In order for Samba to be joined or unjoined remotely an account 
 must be
 used that is either member of the Domain Admins group, a member 
 of the
 local Administrators group or a user that is granted the
 SeMachineAccountPrivilege privilege.
 
 
 
 
 The simplest thing is probably to have the Domain IT group be a member 
 of the local admin group on each machine.  I don't know if you would 
 need to grant them the  SeMachineAccountPrivilege.
 
 
 
 
Looks like I need to do this here: 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

And map our itgroup to the Domain Admins group. Although we do have a Domain 
Admins group in ldap. Should that cause an issue?
-- 

Donny B. 



Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal 
gaiseric.van...@gmail.com wrote: 
 
 Group mapping is to make sure Windows groups map to the correct unix 
 group.  This is not like mapping a Windows user name to a different 
 unix user name (e.g. Windows Administrator = Unix root.)
 
 With LDAP, group mapping is usually simpler since the LDAP object for a 
 group usually has the Samba SID and the unix group id. The net groupmap 
 list command is useful for validating this. You want to make sure that 
 you do see group mapping for Domain Admins and Domain Users and other 
 well known groups. You are more likely to have to use the net groupmap 
 add command when you don't have LDAP.
 
 Well known groups have specific relative IDs. The domain admin group 
 HAS to have a relative ID of 512 in the SID. You have to make sure the 
 Administrator is in the group. That behavior changes with versions 
 newer than 3.0.x
 
 # net groupmap list
 Domain Admins (S-1-5-21--x-x-512) -> Domain Admins
 ...
 # getent group "Domain Admins"
 Domain Admins::512:Administrator
 #
 
 I don't think you have a samba issue.  I think you have a general 
 windows issue about the most practical way to provide IT group with 
 sufficient privileges to manage computers without giving too much access.
 
 Depending on the size of your IT department, and the necessity to 
 audit/control who makes what change, each IT user may need two accounts, 
 one that is a regular account and one that is a member of the domain 
 admins and local admins group (e.g. donny and donny_admin). This 
 way they can do whatever they need, but they don't run as admin for 
 routine tasks, and you can track who made what change (if need be) or 
 limit who has full admin rights.
 

It is correctly mapped and is 512. Nothing changed on the windows side during 
the domain change other than removing the machines from the old domain and 
rejoining them to the new one. We don't have to have the accounting trail that 
two accounts would give us right now. I just want to be able to tell my other 
people they can join computers to the domain and perform software upgrades with 
their own credentials. 
-- 

Donny B. 
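
Added example, not part of the thread: the check described in the quoted reply above (well-known groups present in the net groupmap list output, Domain Admins carrying RID 512) written as a script. The sample listings and the domain SID are constructed, check_groupmap is a hypothetical helper name, the "name (SID) -> unix group" line format is assumed, and RIDs 513 and 514 for Domain Users and Domain Guests are the standard values, not given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `net groupmap list` output for
# the well-known domain groups and the relative ID (RID) each must carry.
# Assumed line format:  NT group name (SID) -> unix group
# On a real server:     net groupmap list | check_groupmap

# Constructed sample listings; the domain SID is made up.
SID_PREFIX='S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_GOOD="Domain Admins ($SID_PREFIX-512) -> Domain Admins
Domain Users ($SID_PREFIX-513) -> Domain Users
Domain Guests ($SID_PREFIX-514) -> Domain Guests
itgroup ($SID_PREFIX-3001) -> itgroup"
# Domain Admins mapped under a non-well-known RID, Domain Guests not mapped.
SAMPLE_BAD="Domain Admins ($SID_PREFIX-3005) -> Domain Admins
Domain Users ($SID_PREFIX-513) -> Domain Users
itgroup ($SID_PREFIX-3001) -> itgroup"

# check_groupmap: read a groupmap listing on stdin, print one finding per
# well-known group, return 0 only when every one is present with its RID.
check_groupmap() {
    awk '
    BEGIN {
        # 512 is the value given in the thread; 513 and 514 are the
        # standard RIDs for the other two groups.
        n = split("Domain Admins:512,Domain Users:513,Domain Guests:514", spec, ",")
        for (i = 1; i <= n; i++) {
            split(spec[i], kv, ":")
            order[i] = kv[1]
            want[kv[1]] = kv[2]
        }
    }
    # Lines that look like: name (S-...) -> unixgroup
    match($0, / \(S-[0-9-]+\) -> /) {
        name    = substr($0, 1, RSTART - 1)
        sid     = substr($0, RSTART + 2, RLENGTH - 7)
        unixgrp = substr($0, RSTART + RLENGTH)
        if (!(name in want)) next
        parts = split(sid, p, "-")
        rid[name] = p[parts]      # the RID is the last SID component
        grp[name] = unixgrp
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            g = order[i]
            if (!(g in rid)) {
                printf "MISSING %s has no group mapping\n", g; bad = 1
            } else if (rid[g] != want[g]) {
                printf "BAD_RID %s has RID %s, expected %s\n", g, rid[g], want[g]; bad = 1
            } else {
                printf "OK %s (RID %s) -> %s\n", g, rid[g], grp[g]
            }
        }
        exit bad
    }'
}

printf '%s\n' "$SAMPLE_GOOD" | check_groupmap
printf '%s\n' "$SAMPLE_BAD" | check_groupmap || echo "group mapping needs attention"
```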



Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal 
gaiseric.van...@gmail.com wrote: 
 
 OK
 I am looking at your original post again.  I don't think you said 
 which version you had been using.
 
 net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U

Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 04:33 PM CDT, Gaiseric Vandal 
gaiseric.van...@gmail.com wrote: 
 
 On 07/17/13 16:12, Donny Brooks wrote:



  On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal 
  gaiseric.van...@gmail.com wrote:

  OK
  I am

[Samba] Administrative users on domain

2013-07-12 Thread Donny Brooks
Back in January we upgraded/moved our domain from an old install of samba and 
openldap to a newer version (samba 3.5.10 and openldap 2.4.23) while also 
moving our domain to a new name. On the old domain, which was setup before I 
got here, our IT section was in an ldap group that allowed us to join PC's to 
the domain and when the prompt came up in windows to install software we could 
log in as ourselves. However that is not the case on the new domain and I 
cannot figure out how to set that back up. I have looked at the docs on samba 
rights (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html) 
but it seems I am missing something since when I type:

net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U superusername

it returns:

Failed to grant privileges for MDAH\Domain Admins (NT_STATUS_NO_SUCH_USER)

superusername is our superuser account that we have to currently type in to 
join machines to join the domain. However when installing software we have to 
log in as local administrator or do a MACHINENAME\Administrator and its 
password to install software. 

Any pointers?
-- 

Donny B.


Re: [Samba] having issues with shares

2013-02-12 Thread Donny Brooks
Actually it does show locks. Here is the pertinent  section:

Locked files:
Pid   Uid   DenyMode    Access   R/W     Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0027.gdbtable  Fri Feb  8 15:24:47 2013
2752  1149  DENY_WRITE  0x3019f  RDWR    EXCLUSIVE+BATCH  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Poly.SEARCHROOM3.3480.3228.sr.lock  Fri Feb  8 15:24:46 2013
2752  1149  DENY_WRITE  0x3019f  RDWR    EXCLUSIVE+BATCH  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Poly.SEARCHROOM3.3480.3228.sr.lock  Fri Feb  8 15:24:46 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0028.gdbtablx  Fri Feb  8 15:24:46 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0028.gdbtable  Fri Feb  8 15:24:46 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0027.spx  Fri Feb  8 15:25:21 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0029.gdbtable  Fri Feb  8 15:24:46 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0029.gdbtablx  Fri Feb  8 15:24:46 2013
2752  1149  DENY_WRITE  0x3019f  RDWR    EXCLUSIVE+BATCH  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Line.SEARCHROOM3.3480.3228.sr.lock  Fri Feb  8 15:24:46 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a002a.spx  Fri Feb  8 15:26:55 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0026.gdbtable  Fri Feb  8 15:24:47 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0026.spx  Fri Feb  8 15:27:05 2013
2752  1149  DENY_WRITE  0x3019f  RDWR    EXCLUSIVE+BATCH  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Point.SEARCHROOM3.3480.3228.sr.lock  Fri Feb  8 15:24:46 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0027.gdbtablx  Fri Feb  8 15:24:47 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0026.gdbtablx  Fri Feb  8 15:24:47 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a002a.gdbtablx  Fri Feb  8 15:24:46 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0028.spx  Fri Feb  8 15:27:05 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a002a.gdbtable  Fri Feb  8 15:24:46 2013
2752  1149  DENY_WRITE  0x3019f  RDWR    EXCLUSIVE+BATCH  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Point.SEARCHROOM3.3480.3228.sr.lock  Fri Feb  8 15:24:46 2013
2752  1149  DENY_NONE   0x20089  RDONLY  NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/a0029.spx  Fri Feb  8 15:27:09 2013
2752  1149  DENY_NONE   0x2019f  RDWR    NONE             /samba/gis  MARIS608/Archaeological_Data.gdb/timestamps  Fri Feb  8 15:24:15 2013
2752  1149  DENY_WRITE  0x3019f  RDWR    EXCLUSIVE+BATCH  /samba/gis  MARIS608/Archaeological_Data.gdb/_gdb.SEARCHROOM3.3480.3228.sr.lock  Fri Feb  8 15:24:15 2013
 
 
On Friday, February 8, 2013 06:31 PM CST, Edward Ashley 
n...@redmonkeysoftware.com wrote: 
 
 What does smbstatus give you when you have a user using their GIS software?
 Any locks?
 
 
 On 8 February 2013 21:40, Donny Brooks dbro...@mdah.state.ms.us wrote:
 
   Everything oplocks related has been disabled. Still the same issue. There
  have been no updates to the software as the GIS guy or I would have had to
  apply them. Also on the old domain it created the lock files also but it
  worked. Thanks for the quick replies.
 
 
  On Friday, February 8, 2013 03:17 PM CST, Edward Ashley 
  n...@redmonkeysoftware.com wrote:
 
   I second disabling oplocks however I would check whether they have had any
   software updates or anything to change their GIS software as I'm not too
   sure that an oplock would create a .lock file, and it sounds like it may be
   the GIS software doing

Re: [Samba] having issues with shares

2013-02-12 Thread Donny Brooks
/gis  MARIS608/Archaeological_Data.gdb/a0026.gdbtablx  Tue Feb 12 08:57:28 2013
17702  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/_gdb.GIS.7768.6520.sr.lock  Tue Feb 12 08:57:24 2013
17702  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Point.ed.lock  Tue Feb 12 08:57:36 2013
17702  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Point.ed.lock  Tue Feb 12 08:57:36 2013
17702  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a002a.gdbtablx  Tue Feb 12 08:57:29 2013
17702  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a002a.gdbtable  Tue Feb 12 08:57:29 2013
17702  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Line.GIS.7768.6520.sr.lock  Tue Feb 12 08:57:28 2013
17702  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Point.GIS.7768.6520.sr.lock  Tue Feb 12 08:57:28 2013
17702  1258  DENY_NONE   0x2019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/timestamps  Tue Feb 12 08:57:24 2013
17702  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Poly.ed.lock  Tue Feb 12 08:57:36 2013


I am not sure what is going on here. Now the gis guy is telling me that they 
can migrate from the gdb files to a SQL install and have truly simultaneous 
edits so he is leaning toward that. Thanks for the input thus far. We still may 
need to fix this as any migration could take weeks if not months at our pace.
 
On Tuesday, February 12, 2013 08:45 AM CST, Edward Ashley 
n...@redmonkeysoftware.com wrote: 
 
 Hi,
 Can you try adding:
 
 veto oplock files = /*.lock/
 
 to your share definition, and seeing what happens. Also if that doesn't
 help then try adding:
 
 fake oplocks = yes
 
 just to see what happens. At this point can I just say that I am not
 responsible for any file corruption as a result of these settings.
 Thanks
 Ned
 
 
 On 12 February 2013 14:37, Donny Brooks dbro...@mdah.state.ms.us wrote:
 
  Actually it does show locks. Here is the pertinent  section:
 

Re: [Samba] having issues with shares

2013-02-12 Thread Donny Brooks
That seems to have worked. Thanks for that. 
 
 
On Tuesday, February 12, 2013 09:32 AM CST, Edward Ashley 
n...@redmonkeysoftware.com wrote: 
 
 Hi,
 Okay could you please try:
 
 share modes = no
 locking = no
 
 on your share.
 Thanks
 Ned
 
 
 On 12 February 2013 15:06, Donny Brooks dbro...@mdah.state.ms.us wrote:
 
  Same thing on both attempts. Here is the veto oplock try:
 
  Locked files:
  Pid    Uid   DenyMode    Access   R/W     Oplock  SharePath   Name   Time
  --------------------------------------------------------------------------------
  17660  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0027.gdbtable  Tue Feb 12 08:55:08 2013
  17661  1149  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0027.gdbtable  Tue Feb 12 08:55:25 2013
  17661  1149  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/_gdb.SEARCHROOM3.4972.5268.sr.lock  Tue Feb 12 08:55:13 2013
  17660  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Point.GIS.6216.5276.sr.lock  Tue Feb 12 08:55:08 2013
  17661  1149  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Poly.SEARCHROOM3.4972.5268.sr.lock  Tue Feb 12 08:55:24 2013
  17661  1149  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Poly.SEARCHROOM3.4972.5268.sr.lock  Tue Feb 12 08:55:24 2013
  17660  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0028.gdbtablx  Tue Feb 12 08:55:09 2013
  17661  1149  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0028.gdbtablx  Tue Feb 12 08:55:24 2013
  17660  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0028.gdbtable  Tue Feb 12 08:55:09 2013
  17661  1149  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0028.gdbtable  Tue Feb 12 08:55:24 2013
  17660  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Poly.ed.lock  Tue Feb 12 08:55:17 2013
  17660  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Line.ed.lock  Tue Feb 12 08:55:17 2013
  17660  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0029.gdbtable  Tue Feb 12 08:55:09 2013
  17661  1149  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0029.gdbtable  Tue Feb 12 08:55:24 2013
  17661  1149  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Poly.SEARCHROOM3.4972.rd.lock  Tue Feb 12 08:55:35 2013
  17660  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0029.gdbtablx  Tue Feb 12 08:55:09 2013
  17661  1149  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0029.gdbtablx  Tue Feb 12 08:55:24 2013
  17660  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Poly.GIS.6216.5276.sr.lock  Tue Feb 12 08:55:08 2013
  17661  1149  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Line.SEARCHROOM3.4972.5268.sr.lock  Tue Feb 12 08:55:24 2013
  17660  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0026.gdbtable  Tue Feb 12 08:55:08 2013
  17661  1149  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0026.gdbtable  Tue Feb 12 08:55:25 2013
  17660  1258  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Survey_Poly.GIS.6216.5276.sr.lock  Tue Feb 12 08:55:08 2013
  17661  1149  DENY_WRITE  0x3019f  RDWR    NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/Site_Point.SEARCHROOM3.4972.5268.sr.lock  Tue Feb 12 08:55:24 2013
  17660  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0027.gdbtablx  Tue Feb 12 08:55:08 2013
  17661  1149  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0027.gdbtablx  Tue Feb 12 08:55:25 2013
  17660  1258  DENY_NONE   0x20089  RDONLY  NONE  /samba/gis  MARIS608/Archaeological_Data.gdb/a0026.gdbtablx  Tue Feb 12 08:55:08 2013
  17661  1149  DENY_NONE   0x20089

[Samba] having issues with shares

2013-02-08 Thread Donny Brooks
We recently migrated our install from an ancient fedora 11 install of samba and 
openldap to a centos 6.3 setup with its openldap and samba. The domain has been 
totally recreated from scratch as the person that did the previous setup has 
not been employed here in many years. After fighting with shares for a while we 
mostly got them fixed and working. However the biggest issue now is when our 
GIS people try to connect to their samba share. Previously two people could be 
editing different feature classes, different files, but now it will not let the 
second person do anything but view. Here is a brief explanation from our head 
GIS guy:

We currently have 5 data sets in one feature class in the GIS. 

site_point
site_poly
survey_point
survey_line
survey_poly

Before the conversion to the new Domain:

User A could open up the GIS on computer 1 and begin to edit one of the data 
set. (site_point for example) and User B could open up the GIS on computer 2 
and begin to edit any other data set  except what User A was editing (in this 
example site_point).  As long as two people didn't try and edit the same data 
set it worked.

After the Domain conversion:

User A opens up the GIS on computer 1 and begins to edit any of our data sets. 
User B opens up the GIS on computer 2 and attempts to edit any of our data sets 
a window opens up with several errors about  file locks.  ( I can send up 
screen shots in the morning)  As we saw in the samba logs it appears that once 
User A begins editing the one data set all the other data sets in the feature 
class get .lock files along with the one that User A is actually editing.  The 
only way User B can edit data is if User A exits the GIS completely.


So with that we have been trying everything we can think of to get it working 
correctly again. When I setup the share I copied the existing share from the 
old domain and put it in the new one making only the domain name change to the 
section. 

Here is the old setup:

[pictures]
comment = Shared Folder for Pictures
path = /samba/pictures
read only = No
create mask = 0667
directory mask = 0770
csc policy = disable
nt acl support = no
force security mode = 777
valid users = @hpres
force group = @ADMIN\hpres
#inherit permissions = yes
write list = @ADMIN\hpres

Here is the new:

[hp-pictures]
comment = Shared Folder for Historic Preservation Pictures
path = /samba/arrowhead/hp-pictures
read only = No
create mask = 0667
directory mask = 0770
csc policy = disable
nt acl support = no
force security mode = 777
valid users = @hpres
force group = @MDAH\hpres
write list = @MDAH\hpres

Anyone have an idea why this could be happening?

-- 

Donny B.


Re: [Samba] having issues with shares

2013-02-08 Thread Donny Brooks
 Everything oplocks related has been disabled. Still the same issue. There have 
been no updates to the software as the GIS guy or I would have had to apply 
them. Also on the old domain it created the lock files also but it worked. 
Thanks for the quick replies.
 
 
On Friday, February 8, 2013 03:17 PM CST, Edward Ashley 
n...@redmonkeysoftware.com wrote: 
 
 I second disabling oplocks however I would check whether they have had any
 software updates or anything to change their GIS software as I'm not too
 sure that an oplock would create a .lock file, and it sounds like it may be
 the GIS software doing that.
 
 
 Edward Ashley
 Developer
 
 e. n...@redmonkeysoftware.com
 u. www.redmonkeysoftware.com
 t. 0845 867 3849
 f. 0845 867 4127
 
 Red Monkey Software | Superior Software Solutions
 
 Red Monkey Software Ltd, 24 The Layne, Elmer Sands, Bognor Regis, West 
 Sussex. PO22 6JL
 Registered in England and Wales no 5923420
 Registered Office: 20 Springfield Road, Crawley, West Sussex, RH11 8AD 
-- 

Donny B. 



Re: [Samba] Move from roaming to local profiles

2013-01-11 Thread Donny Brooks
 
 
 
On Wednesday, January 9, 2013 04:23 PM CST, Donny Brooks 
dbro...@mdah.state.ms.us wrote: 
 
  
  
  
 On Wednesday, January 9, 2013 04:13 PM CST, Norberto Bensa 
 nbensa+sa...@gmail.com wrote: 
  
  On Wed, Jan 9, 2013 at 6:57 PM, Donny Brooks dbro...@mdah.state.ms.us 
  wrote:
  
   Ok, I tested this on a couple of our windows 7 machines. I did as you 
   said and changed the profile to a local one, removed it from the existing 
   domain, added it to the new domain, and logged in as the user again. It 
   gave me a new profile. Looking in C:\Users I see the username folder and 
   username.NEWDOMAIN. It is creating a new profile for the same user on the 
   new domain. Is there a way to do this? I have searched but only see 
   directions for doing local profiles to roaming. Figures I would be going 
   against the grain here.
  
  Add the machine to the new domain. Change permissions on the username
  folder. Also, you'll need to load the user's registry and change
  permissions. I really can't remember if you also need to change
  something else in the user's registry. I'll ask our technicians
  tomorrow and I'll let you know.
  
  BTW, the same username in two domains is a different user (different
  SID). That's why you see username.NEWDOMAIN.
  
  Regards,
  Norberto
  
 Thanks for that. I tried changing the permissions on the folder but totally 
 forgot about the registry. Also I tried the program reprofiler as it is 
 supposed to automate a lot of this but I couldn't get it just right either. 
 -- 
 
 Donny B. 
 
 
I spent all day yesterday on this and never got anywhere until just before I 
left work. I tried everything I could think of and every way of doing it. Here 
is just one way of what I tried:

1. Log in as user on old domain, verify stuff works
2. Log out and in as local administrator
3. Change from olddomain to newdomain, reboot
4. Log in as user on newdomain, creates new profile (obviously since it is a 
new user)
5. Reboot to make sure profile is not locked and log in as local administrator
6. Copy contents of olddomain profile over to newdomain folder
7. Change permissions recursively on newdomain profile folder and NTUSER.DAT to 
allow newdomain user full control
8. Reboot
9. Log in as user, profile is there but no file on desktop is able to be 
opened. Also could not open Windows Explorer.

Finally what worked for me was after step 4 I would navigate to 
C:\Users\oldprofile as the user on the newdomain, with administrator escalation 
of course, and copy over only the contents of the specific folders I wanted. 
For instance the contents of Desktop, certain folders out of AppData/Roaming, 
etc. This seems to have worked so far. The only issue is that they lose their 
customizations to windows. But that is not a huge deal.

This is just so if anyone else has these problems in the future. 
-- 

Donny B. 



Re: [Samba] Move from roaming to local profiles

2013-01-11 Thread Donny Brooks
 
 
 
On Friday, January 11, 2013 10:21 AM CST, Norberto Bensa 
nbensa+sa...@gmail.com wrote: 
 
 Hello,
 
 first, I'm sorry for making you wait for so long. I had some personal
 problems that required my attention.
 
 On Fri, Jan 11, 2013 at 12:32 PM, Donny Brooks dbro...@mdah.state.ms.us 
 wrote:
  1. Log in as user on old domain, verify stuff works
  2. Log out and in as local administrator
  3. Change from olddomain to newdomain, reboot
 
 Ok
 
  4. Log in as user on newdomain, creates new profile (obviously since it is 
  a new user)
 
 Nope.
 
 
 You should remain logged as administrator, change permissions on the
 user folder to the user of the newdomain. Then, from regedit, load the
 user registry and change its permissions.
 

I did as you said and changed permissions on the files and registry. Still when 
I logged in as the user on the new domain it created a username.NEWDOMAIN 
folder. It's not a big deal if I have to do it the way I was able to make it 
work. Kind of cuts down on the user profile garbage.


 
  5. Reboot to make sure profile is not locked and log in as local 
  administrator
 
 Yes.
 
 Everything else is unnecessary, just login as the user in the new
 domain and it should work.
 
 
 HTH,
 Norberto
 
-- 

Donny B. 



[Samba] Move from roaming to local profiles

2013-01-09 Thread Donny Brooks
We are migrating all of our users from the current domain to a new one we 
created. In this process we are moving them from roaming profiles to local. 
What would be the best practice to accomplish this? I can find plenty of 
writeups on how to do the opposite. Also we will be doing some extra folder 
redirection. Currently we only redirect their my documents to the server. On 
the new system we plan to redirect AppData and Desktop also. Is there a good 
easy way to automate this while still retaining their existing information?
-- 

Donny B.


Re: [Samba] Move from roaming to local profiles

2013-01-09 Thread Donny Brooks
 
 
 
On Wednesday, January 9, 2013 09:14 AM CST, Bjoern Baumbach b...@sernet.de 
wrote: 
 
 Hello Donny,
 
 On 01/09/2013 03:53 PM, Donny Brooks wrote:
  We are migrating all of our users from the current domain to a new one we 
  created. In this process we are moving them from roaming profiles to local. 
  What would be the best practice to accomplish this? I can find plenty of 
  writeups on how to do the opposite. Also we will be doing some extra folder 
  redirection. Currently we only redirect their my documents to the server. 
  On the new system we plan to redirect AppData and Desktop also. Is there a 
  good easy way to automate this while still retaining their existing 
  information?
 
 You should take a look at the Windows user profile manager. Using
 WindowsXP you can follow these steps:
 Right click on My Computer
 Select Properties
 Advanced
 Settings-Button in User Profiles
 
 
 Björn
 
 -- 
 SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
 phone: +49-551-37-0, fax: +49-551-37-9
 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
 http://www.sernet.de, mailto:kont...@sernet.de
 
Thanks for the fast reply. That looks like exactly what I was looking for. I am 
about to test that with a few windows 7 machines I have. What would be the best 
way to automate the folder redirection, if that is even possible. I thought 
about just adding the directives to the users netlogon.bat but I am not sure 
that will move the data automatically.
-- 

Donny B. 


[Samba] Windows 7 folder redirection

2013-01-09 Thread Donny Brooks
Is there a way to have folders redirected to a server share automatically? If 
not possible for existing users with existing data would it be possible for new 
users with a fresh install? We are moving to local profiles but I would still 
like stuff like the users My Documents and Desktop to be on the server so it is 
backed up every night with our servers.
-- 

Donny B.


Re: [Samba] Move from roaming to local profiles

2013-01-09 Thread Donny Brooks
 
 
 
On Wednesday, January 9, 2013 09:14 AM CST, Bjoern Baumbach b...@sernet.de 
wrote: 
 
 Hello Donny,
 
 On 01/09/2013 03:53 PM, Donny Brooks wrote:
  We are migrating all of our users from the current domain to a new one we 
  created. In this process we are moving them from roaming profiles to local. 
  What would be the best practice to accomplish this? I can find plenty of 
  writeups on how to do the opposite. Also we will be doing some extra folder 
  redirection. Currently we only redirect their my documents to the server. 
  On the new system we plan to redirect AppData and Desktop also. Is there a 
  good easy way to automate this while still retaining their existing 
  information?
 
 You should take a look at the Windows user profile manager. Using
 WindowsXP you can follow these steps:
 Right click on My Computer
 Select Properties
 Advanced
 Settings-Button in User Profiles
 
 
 Björn
 
 -- 
 SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
 phone: +49-551-37-0, fax: +49-551-37-9
 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
 http://www.sernet.de, mailto:kont...@sernet.de
 
Ok, I tested this on a couple of our windows 7 machines. I did as you said and 
changed the profile to a local one, removed it from the existing domain, added 
it to the new domain, and logged in as the user again. It gave me a new 
profile. Looking in C:\Users I see the username folder and username.NEWDOMAIN. 
It is creating a new profile for the same user on the new domain. Is there a 
way to do this? I have searched but only see directions for doing local 
profiles to roaming. Figures I would be going against the grain here. 

-- 

Donny B. 


Re: [Samba] Move from roaming to local profiles

2013-01-09 Thread Donny Brooks
 
 
 
On Wednesday, January 9, 2013 04:13 PM CST, Norberto Bensa 
nbensa+sa...@gmail.com wrote: 
 
 On Wed, Jan 9, 2013 at 6:57 PM, Donny Brooks dbro...@mdah.state.ms.us wrote:
 
  Ok, I tested this on a couple of our windows 7 machines. I did as you said 
  and changed the profile to a local one, removed it from the existing 
  domain, added it to the new domain, and logged in as the user again. It 
  gave me a new profile. Looking in C:\Users I see the username folder and 
  username.NEWDOMAIN. It is creating a new profile for the same user on the 
  new domain. Is there a way to do this? I have searched but only see 
  directions for doing local profiles to roaming. Figures I would be going 
  against the grain here.
 
 Add the machine to the new domain. Change permissions on the username
 folder. Also, you'll need to load the user's registry and change
 permissions. I really can't remember if you also need to change
 something else in the user's registry. I'll ask our technicians
 tomorrow and I'll let you know.
 
 BTW, the same username in two domains is a different user (different
 SID). That's why you see username.NEWDOMAIN.
 
 Regards,
 Norberto
 
Thanks for that. I tried changing the permissions on the folder but totally 
forgot about the registry. Also I tried the program reprofiler as it is 
supposed to automate a lot of this but I couldn't get it just right either. 
-- 

Donny B. 



[Samba] Migrating users to new domain

2012-12-03 Thread Donny Brooks
We are currently setting up a new domain with samba 3.5.10 and openldap 2.4.23 
(based off of Centos 6.3). The current domain is running older versions, 3.4.7 
and 2.4.15 respectively. We are changing domain names also. There is a lot of 
layout changes and the way it works. 

One change we are implementing is combining all the BDC's/home servers into one 
and moving them to the PDC. On the old domain every division of the agency has 
their own home server (BDC) that just connects back to the PDC for 
authentication and housed the sections shares and the users roaming profiles. 
On the new setup we are moving all the shares onto the PDC, also we are doing 
away with roaming profiles. The entire LDAP tree is being remade from scratch, 
meaning new UID's and GID's. 

Is there a way we could migrate a section of users at a time instead of having 
to do all 200 users at once? One problem we have thought of is making the 
shares consistent between old and new and the uid/gid issue. So say user1 is in 
group 501 on the old system but on the new system the group is 247. There would 
be file permission nightmares I would think. 

The second question is dealing with the conversion from roaming to local 
profiles. We still will be using netlogon scripts to mount the specific shares 
and such but just doing away with the roaming profiles. I have been testing 
this on windows 7 pc's (which account for about half of our users) and keep 
running into loading temp profiles. I did find some registry tweaks here on the 
list that seem to work but I was wondering if they are necessary or if I just 
didn't have something configured right.


-- 

Donny B.
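
The uid/gid mismatch raised in the message above (group 501 on the old system, 247 on the new) can be handled by remapping numeric ownership on the copied share tree. This is an added example, not code from the thread: the uid pair, the function names and the dry-run/apply flow are assumptions.

```python
#!/usr/bin/env python3
"""Remap numeric file ownership after copying a share to a server whose
LDAP tree assigns different UIDs/GIDs (added example, ids are constructed)."""
import os
import stat
import sys
from dataclasses import dataclass

# Constructed sample maps (old numeric id -> new numeric id). Only the
# 501 -> 247 group pair comes from the message; the uid pair is made up.
UID_MAP = {1001: 20001}
GID_MAP = {501: 247}
KEEP_IDS = {0}  # assumption: ids that mean the same on both servers (root)


@dataclass(frozen=True)
class Change:
    path: str
    old: tuple      # (uid, gid) found on disk
    new: tuple      # (uid, gid) to set
    special: bool   # setuid/setgid bit present before the change


def check_map(id_map):
    """Reject maps where a new id is also an old id.

    With {501: 247, 247: 600} a second run would move files that were
    already migrated to 247 on to 600, so such a map is not re-run safe.
    """
    overlap = set(id_map) & set(id_map.values())
    if overlap:
        raise ValueError(f"ids are both source and target: {sorted(overlap)}")


def plan_remap(root, uid_map, gid_map, keep=KEEP_IDS):
    """Return (changes, unmapped) for everything under root, root included.

    Symlinks are inspected with lstat and never followed, so a link inside
    the share cannot redirect an ownership change to a file outside it.
    """
    check_map(uid_map)
    check_map(gid_map)
    known_u = set(uid_map) | set(uid_map.values()) | set(keep)
    known_g = set(gid_map) | set(gid_map.values()) | set(keep)
    changes, unmapped = [], []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)
        if st.st_uid not in known_u or st.st_gid not in known_g:
            unmapped.append(path)  # owner or group unknown to both maps
        new = (uid_map.get(st.st_uid, st.st_uid),
               gid_map.get(st.st_gid, st.st_gid))
        if new != (st.st_uid, st.st_gid):
            special = bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))
            changes.append(Change(path, (st.st_uid, st.st_gid), new, special))
    return changes, unmapped


def apply_remap(changes, chown=os.lchown):
    """Apply a plan and return the paths that carried setuid/setgid bits.

    A path is skipped if its ownership changed since the plan was made.
    On Linux, chown clears setuid/setgid on executable files; the bits are
    not restored here, the paths are returned so someone can review them.
    """
    review = []
    for c in changes:
        st = os.lstat(c.path)
        if (st.st_uid, st.st_gid) != c.old:
            continue
        chown(c.path, c.new[0], c.new[1])
        if c.special:
            review.append(c.path)
    return review


if __name__ == "__main__":
    # Usage: remap.py /path/to/copied/share [--apply]   (dry run by default)
    changes, unmapped = plan_remap(sys.argv[1], UID_MAP, GID_MAP)
    for c in changes:
        flag = " [setuid/setgid]" if c.special else ""
        print(f"{c.old} -> {c.new}{flag} {c.path}")
    for p in unmapped:
        print(f"UNMAPPED {p}")
    if "--apply" in sys.argv[2:]:
        for p in apply_remap(changes):
            print(f"REVIEW {p}")
```

Paths reported as UNMAPPED belong to ids that exist in neither directory and are worth resolving before users are moved, since a later account that happens to receive that number would inherit the files.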


Re: [Samba] Windows 7 often creates new user profiles

2012-05-14 Thread Donny Brooks
 
 
 
On Saturday, May 12, 2012 04:48 PM CDT, Christian Meier ch2...@arcor.de 
wrote: 
 
 On Sat, 12 May 2012 17:47:02 +0200
 Christian Meier ch2...@arcor.de wrote:
 
  Windows 7 clients often create new roaming profiles for existing
  users for no identifiable reason. Windows XP isn't affected.
 
 Some reasons for this behavior I googled:
 
 1. insufficient permissions for profile-folder
 2. trust relationship between this workstation and the primary domain
 failed. -- dis-join and rejoin the workstation
 3. .bak is appended in registry at HKEY_LOCAL_MACHINE\Software\Microsoft
 \Windows NT\CurrentVersion\ProfileList. Remove the other SIDs and the
 .bak extension.
 4. do not use roaming profiles. (But there are other problems with
 folder redirection [1].)
 
 [1]
 http://wiki.samba.org/index.php/Samba__Windows_Profiles#Folder_Redirection

We too have seen this behavior but only on one of our pc's. It is not the 
server side that gets the rename as someone else mentioned  but rather on the 
PC side. If you look in C:\Users\ you will see:

username
username.DOMAIN
username.DOMAIN.000
username.DOMAIN.001
username.DOMAIN.002
etc

The profile seems to be pulling/writing to the server just fine. We have tried 
removing all the entries in the registry for all users on the machine except 
the local administrator one, removing/rejoining the pc to the domain, and 
double checking permissions all to no avail. It will do right for a few weeks 
and then it will start doing the multiple profiles again. To this date we have 
not found a way to fix the issue. 
-- 
Donny B. 



[Samba] Migrating to new domain

2012-03-28 Thread Donny Brooks
In the coming months we will be setting up a few new machines to replace our 
PDC and BDC that are currently running Fedora 11 with Samba 3.4.7 and OpenLDAP 
2.4.15. We will be upgrading to the latest Fedora with samba/ldap. With this we 
will be recreating our domain fresh to get rid of a lot of old junk not needed 
and add in new features. We do use roaming profiles also.

My main concern is this: can I set this new domain up alongside our 
current setup with no problems and then simply migrate a section of users at a 
time to it? We have roughly 10 BDC's that are setup as home servers for our end 
that house shares/roaming profiles/my documents for them. I know when we move a 
BDC to the new domain we will need to remove all of the end users connected to 
that machine and rejoin them to the new domain. I just don't want to have to 
rejoin all 200+ users at once.

Another way I had thought was to setup the new domain with new BDC/home servers 
and then just migrate a user at a time. The new and old BDC's could share the 
same files so the users could still share files no matter if they were moved or 
not. Would it be beneficial to just create new roaming profiles on the new 
setup and just copy over their firefox/thunderbird profiles to the new setup or 
should I migrate profiles to the new system too?

I am looking for any and all input on this. I just want it to go as smoothly as 
possible. Thanks in advance.

-- 
Donny B.


Re: [Samba] Migrating to new domain

2012-03-28 Thread Donny Brooks
Users will need to access the shares no matter which side of the migration they 
are on. I will look into the trusts and see how to do that. I just thought that 
you could not have multiple domains on the same vlans. We will be doing a clean 
install of OpenLDAP also so we can actually add the users as we go there too.

I had thought about the NFS mount deal or keeping a 5-minute rsync going to 
keep files in sync. As for the profiles I am not too much concerned about users 
on either side of the migration since I would have to move all the users on a 
specific BDC once I move that BDC server to the new domain.

As long as we can have multiple domains on the various vlan's at one time 
without issue then this just got a lot simpler. It means I can test on a 
semi-live environment rather than a totally segregated one. Thanks for the 
input.
 
 
On Wednesday, March 28, 2012 08:59 AM CDT, Gaiseric Vandal 
gaiseric.van...@gmail.com wrote: 
 
 Do users need to share files with each other?  You could set up trusts
 between the new and old domain, so that users on the new domain can
 still access files on the old domain.
 
 
 
 You could also use NFS or autofs to share home directories  between
 samba servers, then have the samba server reshare the nfs share.  This
 means that if you move a user to the new domain, he will access his home
 directory from a new server, but the new server is actually resharing an
 nfs export from an old server.   But that may be complicating things. 
 Alternately, you could configure a 2nd IP on the BDC's that you are
 keeping and have two instances of samba running -  one for each domain. 
 That way you can move file shares between domains with out actually
 having to copy them between machines.
 
 Moving users to a new domain + copying their files to a server in the
 domain seems simpler than trying to move users and a DC at the same
 time.   The downside is the extra time in copying files between machines. 
 
 
 
 


[Samba] Yet another 3 vs 4 question

2012-02-29 Thread Donny Brooks
We are currently looking at upgrading our PDC which is currently Samba 
3.4.7 with OpenLDAP backend for authentication. As it stands we are only 
wanting to move it to new hardware and possibly run the latest 3.X.X 
branch. However one of my co-workers suggested why not look at samba 4. 
We understand it is still in alpha but from what we read it is ready for 
production use.


As some background we are a small government agency with roughly 200 end 
users. We have about half XP and 7 machines with a handful of Vista 
ones. All of our servers are Linux with only one 2008R2 server in there. 
We mainly use samba for SSO function with OpenLDAP for authentication, 
file sharing, and roaming profiles. Each division in the department has 
their own home server (BDC) that houses all their roaming profiles and 
redirected my documents. We have about 12 BDC's in this configuration 
with the PDC doing just DC functions.


Before I get into the 3 vs 4 stuff I do have one question about 
migrating to a new machine. What is the best way to migrate the PDC from 
one machine to the next without having to rejoin all the pc's to the 
domain? If we end up going just the upgrade path we will need it to be 
as seamless as possible.


Now for the 3 to 4 questions:
Is there a way to go from 3 to 4 without having to touch all the pc's?
We are wanting to move the PDC from the machine it is currently on onto 
new hardware (new IP, dns name, etc). Is this easily doable in 4? If so 
would it be better to migrate to the new machine before doing the 
upgrade to 4 or after?
If we decided to go to 4 but do a fresh install instead of an upgrade 
does anyone know of an easy way to automate the rejoining of the domain 
on the end user pc's?
Once samba4 is out of alpha should it easily be upgradable to a 
distributions package? For instance Fedora. Or would it need to be 
totally reinstalled?
Would it be better for us to stay with samba 3 for now and wait for 4 to 
be out of alpha/beta?
Since Samba 4 does not use LDAP as we do currently, should we still be 
able to authenticate our servers the same as now?

Am I missing anything obvious on this possible move to samba 4?

Thanks in advance for any and all advice on this.


[Samba] Very odd issue with Win7 and trust relationships

2011-07-26 Thread Donny Brooks

Hello all,

  We have just concluded a very drawn out test of our domain that 
is having some trust relationship problems with Windows 7 desktops. Here 
is a breakdown of our setup:


roark PDC running samba 3.4.7 (also has OpenLDAP) on VLAN 2
archives3 BDC running samba 3.4.7 (also has OpenLDAP) on VLAN2
arrowhead BDC home server running samba 3.4.3 on VLAN 9
archives4 BDC home server running samba 3.2.14 on VLAN8
ocm BDC home server running samba 3.3.8 on VLAN8
defiant BDC soon to be home server running samba 3.5.8 on VLAN3
pubinfo BDC home server running samba 3.5.4 on VLAN3

Ok, so we currently have Windows 7 machines on vlan's 3, 8, and 9. The 
only ones having issues are the ones on vlan3. This problem started a few 
weeks ago when we upgraded our core network switches. Only on my 
workstation and one other are we having this problem as we are the only 
two that have windows 7 on this vlan. In order to test some possible 
fixes I set up a new machine with windows 7 to perform all the tests on. 
Usually when I or the other user have to reboot we have to shut down and 
power right back up and immediately log back in to get past the trust 
relationship error. The machines on vlan's 8 and 9 are functioning 
perfectly with no issues whatsoever.


I have tried turning samba off on all of the servers on the 3 vlan and 
logging in to the domain on our test machine. Also have tried only 
having one at a time running samba. Neither way works as we always get 
the same error. I can then do nothing but change the vlan on the port 
the machine is plugged in to and then try to log back in and it works 
flawlessly every time, reboot, power on/off, or log off/on doesn't 
matter as they all work every time on a different vlan.


We have roughly 50 new pc's with Windows 7 that we are about to deploy 
and I need to get this fixed before we can do so. Would anyone have any 
idea where to begin? We are working to upgrade our version of samba on 
the main PDC and BDC but that will require doing a hand compiled version 
and we would rather just replace the machines with new ones and that has 
its own set of challenges in terms of keeping the domain functioning. 
Looking at the Windows7 page of the wiki I see this: 


If you use older versions, Windows 7 box still can join the Samba Domain 
but after rebooting, you will receive an error message: the trust 
relation between this workstation and the primary domain failed and no 
one can logon as any domain user.


-- Monyo 
http://wiki.samba.org/index.php?title=User:Monyo&action=edit&redlink=1 
16:22, 5 June 2011 (UTC)


But as you can see when on the other vlan's I am not using the latest 
samba but it works. I am at a loss and need some fresh thoughts on this. 
I appreciate any and all assistance on this problem.


Donny B.
MDAH




Re: [Samba] Very odd issue with Win7 and trust relationships

2011-07-26 Thread Donny Brooks

On 7/26/2011 11:28 AM, Donny Brooks wrote:

Hello all,

  We have just concluded a very drawn out test of our domain that 
is having some trust relationship problems with Windows 7 desktops. 
Here is a breakdown of our setup:


roark PDC running samba 3.4.7 (also has OpenLDAP) on VLAN 2
archives3 BDC running samba 3.4.7 (also has OpenLDAP) on VLAN2
arrowhead BDC home server running samba 3.4.3 on VLAN 9
archives4 BDC home server running samba 3.2.14 on VLAN8
ocm BDC home server running samba 3.3.8 on VLAN8
defiant BDC soon to be home server running samba 3.5.8 on VLAN3
pubinfo BDC home server running samba 3.5.4 on VLAN3

Ok, so we currently have Windows 7 machines on vlan's 3, 8, and 9. The 
only ones having issues are the ones on vlan3. This problem started a 
few weeks ago when we upgraded our core network switches. Only on my 
workstation and one other are we having this problem as we are the 
only two that have windows 7 on this vlan. In order to test some 
possible fixes I set up a new machine with windows 7 to perform all the 
tests on. Usually when I or the other user have to reboot we have to 
shut down and power right back up and immediately log back in to get 
past the trust relationship error. The machines on vlan's 8 and 9 are 
functioning perfectly with no issues whatsoever.


I have tried turning samba off on all of the servers on the 3 vlan and 
logging in to the domain on our test machine. Also have tried only 
having one at a time running samba. Neither way works as we always get 
the same error. I can then do nothing but change the vlan on the port 
the machine is plugged in to and then try to log back in and it works 
flawlessly every time, reboot, power on/off, or log off/on doesn't 
matter as they all work every time on a different vlan.


We have roughly 50 new pc's with Windows 7 that we are about to deploy 
and I need to get this fixed before we can do so. Would anyone have 
any idea where to begin? We are working to upgrade our version of 
samba on the main PDC and BDC but that will require doing a hand 
compiled version and we would rather just replace the machines with 
new ones and that has its own set of challenges in terms of keeping 
the domain functioning. Looking at the Windows7 page of the wiki I see 
this: 


If you use older versions, Windows 7 box still can join the Samba 
Domain but after rebooting, you will receive an error message: the 
trust relation between this workstation and the primary domain failed 
and no one can logon as any domain user.


-- Monyo 
http://wiki.samba.org/index.php?title=User:Monyo&action=edit&redlink=1 
16:22, 5 June 2011 (UTC)


But as you can see when on the other vlan's I am not using the latest 
samba but it works. I am at a loss and need some fresh thoughts on 
this. I appreciate any and all assistance on this problem.


Donny B.
MDAH


Also, in addition to the above testing we decided to create a new vlan 
(vlan 11) and put defiant and the test machine on it. Worked flawlessly 
pulling multiple users' profiles from both roark and arrowhead servers. 
So something is wrong just on vlan 3. This is very odd. A friend 
suggested to find a .tdb file editor and see if there are any wonky 
settings in those files. Could anyone suggest a good program to do that?



[Samba] Moving PDC

2011-06-07 Thread Donny Brooks

Hi all,

 We currently have a Fedora 11 machine (about to be upgraded to 
Fedora 15 though) running Samba 3.4.7 as our PDC and multiple BDC home 
servers running various versions of samba and OS. What I am needing is 
a fail proof way to migrate the PDC function off the current machine and 
onto another new fresh install. Currently our PDC is also the home 
server for one of our groups of employees. I want to migrate this off 
onto a separate BDC if possible leaving the PDC functions to be the only 
thing that machine does. The last time I attempted this it did not work 
correctly but that is only because I thought I could simply copy the 
config file over and start up samba. That was incorrect.


What I need is a fool proof way to just make it work with minimal 
downtime for any of our users. We use OpenLDAP for domain authentication 
if that makes any difference. Before I have read that you demote and 
promote certain DC's to whatever function but not sure if that is the 
best way to do this. We have approximately 9 BDC home servers that are 
a mix of on our campus and some remote (all on our network though). I 
need the best way to not disrupt any of them if possible.


Thanks in advance.


Re: [Samba] Moving PDC

2011-06-07 Thread Donny Brooks

On 6/7/2011 4:35 PM, Gaiseric Vandal wrote:
If everything is an LDAP backend that makes it simpler. Installing 
the new machine as BDC then promoting it should be easy enough. In 
my environment, each DC was also a LDAP server (in a multi-master 
replication topology.) You may want to make sure that when you switch a 
machine from PDC to BDC (or vice versa) that you enable/disable ldap 
read-only in smb.conf.


How do you handle idmapping? In my environment, we use LDAP for the 
underlying unix accounts as well so this keeps unix uid's and gid's 
for the  accounts consistent.



A windows client generally doesn't care if it uses a PDC or BDC - it 
will give preference to a BDC. But if it already is authenticated 
to a particular DC I don't think it changing mode will matter. I 
don't know if you have to restart samba to change from PDC to BDC (or 
vice versa) - that might cause problems for people who were logged in 
with open files on that server.


Do you have trusts set up with other domains? I switched which 
machine was the PDC and also found I had to make the new PDC the WINS 
server as well.


FC14 has samba 3.5.x. I am sure there are some config changes 
between 3.4 and 3.5 that may be gotchas. Although so far for me 
going from 3.4 to 3.5.x doesn't seem to have broken anything (at least 
anything else - some things that didn't work properly under 3.4 still 
don't work for me.)



On 06/07/2011 02:57 PM, Donny Brooks wrote:

Hi all,

 We currently have a Fedora 11 machine (about to be upgraded to 
Fedora 15 though) running Samba 3.4.7 as our PDC and multiple BDC 
home servers running various versions of samba and OS. What I am 
needing is a fail proof way to migrate the PDC function off the 
current machine and onto another new fresh install. Currently our PDC 
is also the home server for one of our groups of employees. I want to 
migrate this off onto a separate BDC if possible leaving the PDC 
functions to be the only thing that machine does. The last time I 
attempted this it did not work correctly but that is only because I 
thought I could simply copy the config file over and start up samba. 
That was incorrect.


What I need is a fool proof way to just make it work with minimal 
downtime for any of our users. We use OpenLDAP for domain 
authentication if that makes any difference. Before I have read that 
you demote and promote certain DC's to whatever function but not sure 
if that is the best way to do this. We have approximately 9 BDC home 
servers that are a mix of on our campus and some remote (all on our 
network though). I need the best way to not disrupt any of them if 
possible.


Thanks in advance.



Thanks for the reply. Our layout currently is as follows:

1 PDC w/ LDAP (primary) also the home server for some users
1 BDC w/ LDAP (backup) no users on this machine
8 BDC w/o LDAP (all point to the primary) and all home servers

The idmapping is all done in ldap. Pretty much all user, machine, and 
group accounts are in ldap. We only have the one domain so no other 
trust relationships are setup. Hopefully when I do this I will be able 
to get everyone to log off their workstations before going home and do 
this after hours to reduce the risk of open files.


So basically just make sure the configs jive between versions and I 
should be able to migrate via the promote/demote method correct? Just 
making sure as I do NOT want to make this an all weekend ordeal.




[Samba] samba and OpenLDAP ppolicy

2010-11-04 Thread Donny Brooks
I am looking for a way to enforce our password policy using our PDC with 
OpenLDAP. I have already configured ppolicy, just can not find a way to 
make it enforce it on the windows clients. Searches turn up little to go 
on. I must be searching for the wrong terms. Anyone have any pointers?



[Samba] Very odd problem

2010-11-01 Thread Donny Brooks
I had previously tried to migrate our PDC to a new machine by simply 
copying the config over and such. That failed miserably but luckily the 
various home servers (BDC's in samba speak I think) took up the slack. 
So after much debate, this weekend we moved the PDC back to the original 
machine. We never moved LDAP off of the original machine, as only samba 
functions moved.


I now know I did not move the PDC properly, as I should have set the new 
one up as a BDC and then made sure everything was working, then shut 
down the PDC and promote the new one to PDC by setting proper settings 
in smb.conf. With all that behind me I still face a few issues:


Our users are still unable to do the CTRL+ALT+DEL change password 
through windows. This only started occurring after the original move. 
Looking through the log.nmbd it appears it couldn't find the master 
browser. So after setting the stuff back to the original location and 
deleting the wins.tdb and wins.dat files on all the home servers and PDC 
I started up the PDC and then the others. I get this on the PDC:



[2010/11/01 08:09:04, 10] 
nmbd/nmbd_sendannounce.c:381(announce_myself_to_domain_master_browser)
  announce_myself_to_domain_master_browser: t (1288616942) - 
last(1288616642)  900

[2010/11/01 08:09:04,  4] nmbd/nmbd_workgroupdb.c:281(dump_workgroups)
  dump_workgroups()
   dump workgroup on subnet10.8.2.3: netmask=  255.255.255.0:
ADMIN(1) current master browser = ROARK
ROARK 408c9b2b (Roark)
ARCHIVES3 40809b1b (ARCHIVES3)
[2010/11/01 08:09:04,  4] nmbd/nmbd_workgroupdb.c:281(dump_workgroups)
  dump_workgroups()
   dump workgroup on subnet  UNICAST_SUBNET: netmask=   10.8.2.3:
WORKGROUP(6) current master browser = TESTPC1
HPSEARCH(5) current master browser = SEARCHROOM1
MYGROUP(4) current master browser = GISDUMP
HPRES(3) current master browser = MSTOLL
HP(2) current master browser = HSMT1
ADMIN(1) current master browser = UNKNOWN
ROARK 40899b2b (Roark)

Roark is our PDC and Archives3 is our main BDC (secondary LDAP too). 
Something doesn't look quite right here since it appears it is trying to 
talk to two separate Roark's, ROARK 408c9b2b (Roark) first and then 
ROARK 40899b2b (Roark) secondly. What could cause this?


I just need to get this working as it was then we can work on getting 
the replacement done right. Thanks in advance.


Donny B.


Re: [Samba] Book suggestion?

2010-10-29 Thread Donny Brooks

On 10/29/2010 4:27 PM, Ken D'Ambrosio wrote:

Hi, all.  I haven't really been deep into Samba for a couple of years, and
a co-worker just asked me for a Samba book suggestion.  Well... I ain't
got one.  I mean, God bless Samba-3 By Example, but even that's five years
old.  Any suggestions of something relatively new -- perhaps with focus on
AD integration?

Thanks!

-Ken


The problem with standard books and technology is that by the time the 
book is written, goes to press, and makes it to the retailer the 
contents are usually out of date. Samba3 by example is a good reference 
to cut your teeth on. Other than that it is mostly reading documentation 
online.




Re: [Samba] Moved PDC now issues

2010-10-13 Thread Donny Brooks

 On 10/12/2010 5:02 PM, Donny Brooks wrote:
 This weekend we moved our samba PDC to a new machine. Now we are 
having a few issues with not being able to join new computers to the 
domain and some users cannot change their passwords. People can still 
login and such though. Here is a brief synopsis:


Old server was named roark IP 10.8.2.3. It housed mail, ldap, samba, 
and a few other things. Was fedora 11 with samba samba-3.4.7.
New server is Centos 5.5 with 3.0.33 originally but I upgraded it to 
the samba3x package and got a whopping 3.3.8 version. IP 10.8.3.4

Both old and new have the BDC set at 10.8.2.2

Everything worked until the move this weekend... I know.. famous last 
words. ;)


This weekend we migrated all the user files to the new machine, copied 
over /etc/samba/*, edited the ldap portion of smb.conf accordingly, 
changed all the other servers (we have about a dozen or so home 
servers for various divisions) to reflect the new IP of the new server 
and updated DNS accordingly. All seemed fine as we were able to 
login/logout and get to all the shares just fine. The problem came 
when users went to change their passwords using the windows method 
(CTRL+ALT+DEL - change password), which previously worked. Also we 
are unable to join new computers to the domain at all. Although, users 
on the same vlan (10.8.3.X) as roark are able to change their 
passwords it seems. This is odd since all but 3 of the users are on 
roark as their home server. The other 3 are on a separate server but 
are still able to change their passwords. The error that users get 
when trying to change their password or join a new pc to the domain is 
Domain ADMIN not found or something along those lines.


I have tried everything I can think of to get this resolved. I have 
made sure the SID stayed the same on roark, rejoined the outlying 
servers to the domain, reset the smbpasswd ldap password, and scoured 
every log file I can find. All to no avail. I am including a few 
configs in hopes that someone can help guide me into fixing this issue.


I am also considering moving the PDC back to a fedora machine (fedora 
13 to be exact) so that it is more like the original machine and can 
get the same branch of samba.


I hope someone out there can guide me in the correct direction to fix 
this. :)



Here is the CURRENT roark smb.conf:

[r...@roark ~]# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2001/07/31 13:51:02

# Global parameters
[global]
netbios name = roark
   workgroup = ADMIN
server string = Roark
hosts allow = 10.8. 127.
os level = 66
preferred master = Yes
domain master = Yes
local master = Yes
#   oplocks = no
#   level2 oplocks = no
interfaces = lo,eth0

passdb backend = ldapsam:ldap://10.8.2.3
  ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
  ldap machine suffix = Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
  idmap backend = ldap:ldap://mdah.state.ms.us
  map acl inherit = Yes
printer admin = root, dbrooks, smccoy, jomiles, sokolsky

#winbind enum users = yes
#winbind enum groups = yes
name resolve order = wins bcast hosts

   security = user
#   passwd program = /usr/bin/passwd %u
encrypt passwords = yes
update encrypted = Yes
unix password sync = no
  ldap passwd sync = yes
  update encrypted = yes


   password server = mail
#   passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n 
*Password*changed*
#passwd chat = *New*UNIX*password* %n\n 
*ReType*new*UNIX*password* %n\n 
*passwd:*all*authentication*tokens*updated*successfully*


#   add user script = /usr/sbin/useradd -g smbbox -c Machine 
Account -d /dev/null -M -s /bin/false %U

wins support = Yes
wins proxy = yes
domain logons = Yes
logon path = \\%N\profiles\%U
logon script = scripts\%U.bat
logon drive = R:
logon home = \\roark\%U
time server = yes
printing = cups
load printers = yes
guest account = nobody
map to guest = bad user
map to guest = bad password
guest ok = yes
dns proxy = No

log file = /var/log/samba/log.%m
max log size = 500
log level = 3 vfs:2
#log level = 10
syslog = 0
hide dot files = yes
time server = yes
template shell = /bin/false
follow symlinks = yes
username map = /etc/samba/smbusers
profile acls = yes
host msdfs = yes
   idmap uid = 2-3
   idmap gid = 2-3
#   winbind separator = +
   template homedir = /home/winnt/%D/%U
   template shell = /bin/bash
#   winbind offline logon = false
#   winbind use default domain = no
allow trusted domains = yes
unix charset = LOCALE
enable

Re: [Samba] Moved PDC now issues

2010-10-13 Thread Donny Brooks

 On 10/13/2010 4:43 PM, Gaiseric Vandal wrote:
On windows machines  netdiag, dcdiag or nbtstat may help you determine 
which DC your machine has authenticated to.  (dcdiag and netdiag 
should be in the windows 2003 resource kit or something like that from 
microsoft downloads.)  In general, Windows clients will want to 
authenticate to a BDC rather than PDC



Also, check the net getlocalsid and net getdomainsid on all the 
DC's.  On a DC the localsid should be the same as the domainsid, and 
all DC's should show the same local and domain sid.


Did you run smbpasswd -w on the new DC to make sure it has 
sufficient ldap privs?


Does net groupmap list show the same thing on all DC's?

Does pdbedit -Lv show the same output on all DC's?


I had issues when I upgraded my PDC from 3.0.x to 3.4.x-  primarily 
with group mapping.   I don't know if the changes were between 3.0.x 
and 3.3.x or 3.3.x or 3.4.x.  But I found that samba stopped looking 
at ldap group suffix = ou=Group  and started looking through the 
whole  domain branch of the LDAP tree.




Can you recompile samba 3.4.x on FC11 to have consistent versions?




On 10/13/2010 10:26 AM, Donny Brooks wrote:

 On 10/12/2010 5:02 PM, Donny Brooks wrote:
 This weekend we moved our samba PDC to a new machine. Now we are 
having a few issues with not being able to join new computers to the 
domain and some users cannot change their passwords. People can 
still login and such though. Here is a brief synopsis:


Old server was named roark IP 10.8.2.3. It housed mail, ldap, samba, 
and a few other things. Was fedora 11 with samba samba-3.4.7.
New server is Centos 5.5 with 3.0.33 originally but I upgraded it to 
the samba3x package and got a whopping 3.3.8 version. IP 10.8.3.4

Both old and new have the BDC set at 10.8.2.2

Everything worked until the move this weekend... I know.. famous 
last words. ;)


This weekend we migrated all the user files to the new machine, 
copied over /etc/samba/*, edited the ldap portion of smb.conf 
accordingly, changed all the other servers (we have about a dozen or 
so home servers for various divisions) to reflect the new IP of the 
new server and updated DNS accordingly. All seemed fine as we were 
able to login/logout and get to all the shares just fine. The 
problem came when users went to change their passwords using the 
windows method (CTRL+ALT+DEL - change password), which previously 
worked. Also we are unable to join new computers to the domain at 
all. Although, users on the same vlan (10.8.3.X) as roark are able 
to change their passwords it seems. This is odd since all but 3 of 
the users are on roark as their home server. The other 3 are on a 
separate server but are still able to change their passwords. The 
error that users get when trying to change their password or join a 
new pc to the domain is Domain ADMIN not found or something along 
those lines.


I have tried everything I can think of to get this resolved. I have 
made sure the SID stayed the same on roark, rejoined the outlying 
servers to the domain, reset the smbpasswd ldap password, and 
scoured every log file I can find. All to no avail. I am including a 
few configs in hopes that someone can help guide me into fixing this 
issue.


I am also considering moving the PDC back to a fedora machine 
(fedora 13 to be exact) so that it is more like the original machine 
and can get the same branch of samba.


I hope someone out there can guide me in the correct direction to 
fix this. :)



Here is the CURRENT roark smb.conf:

[r...@roark ~]# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2001/07/31 13:51:02

# Global parameters
[global]
netbios name = roark
   workgroup = ADMIN
server string = Roark
hosts allow = 10.8. 127.
os level = 66
preferred master = Yes
domain master = Yes
local master = Yes
#   oplocks = no
#   level2 oplocks = no
interfaces = lo,eth0

passdb backend = ldapsam:ldap://10.8.2.3
  ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
  ldap machine suffix = Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
  idmap backend = ldap:ldap://mdah.state.ms.us
  map acl inherit = Yes
printer admin = root, dbrooks, smccoy, jomiles, sokolsky

#winbind enum users = yes
#winbind enum groups = yes
name resolve order = wins bcast hosts

   security = user
#   passwd program = /usr/bin/passwd %u
encrypt passwords = yes
update encrypted = Yes
unix password sync = no
  ldap passwd sync = yes
  update encrypted = yes


   password server = mail
#   passwd chat = *New*Password* %n\n *Re-enter*new*password* 
%n\n *Password*changed*
#passwd chat = *New*UNIX*password* %n\n 
*ReType*new*UNIX*password* %n\n 
*passwd:*all*authentication*tokens*updated*successfully*


#   add user script
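
The SID comparison suggested in the quoted reply above (net getlocalsid and net getdomainsid on every DC, expecting the same SID everywhere), as an added example that is not part of the thread. It assumes the output of both commands has already been collected from each DC; the SIDs and the hosts newdc and homesrv are constructed for illustration.

```python
import re

# `net getlocalsid` prints:   SID for domain <NAME> is: <SID>
# `net getdomainsid` prints:  SID for local machine <NAME> is: <SID>
#                             SID for domain <DOMAIN> is: <SID>
SID_LINE = re.compile(
    r"SID for (local machine|domain) (\S+) is: (S-1-5-21(?:-\d+){3})\s*$",
    re.MULTILINE,
)

SID_A = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
SID_B = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed

# Constructed sample: host -> (getlocalsid output, getdomainsid output).
# roark and archives3 are named in the thread; newdc and homesrv are hypothetical.
COLLECTED = {
    "roark": (
        f"SID for domain ROARK is: {SID_A}\n",
        f"SID for local machine ROARK is: {SID_A}\nSID for domain ADMIN is: {SID_A}\n",
    ),
    "archives3": (
        f"SID for domain ARCHIVES3 is: {SID_A}\n",
        f"SID for local machine ARCHIVES3 is: {SID_A}\nSID for domain ADMIN is: {SID_A}\n",
    ),
    "newdc": (  # freshly installed box that generated its own local SID
        f"SID for domain NEWDC is: {SID_B}\n",
        f"SID for local machine NEWDC is: {SID_B}\nSID for domain ADMIN is: {SID_A}\n",
    ),
    "homesrv": ("", ""),  # command failed or produced nothing
}


def parse_dc(getlocalsid_out, getdomainsid_out):
    """Return (local_sid, domain_sid); either is None if not found."""
    local = SID_LINE.search(getlocalsid_out)
    domain = None
    for kind, _name, sid in SID_LINE.findall(getdomainsid_out):
        if kind == "domain":
            domain = sid
    return (local.group(3) if local else None, domain)


def check_dcs(collected, reference_host):
    """Apply the two rules from the reply: on a DC the local SID equals
    the domain SID, and every DC reports the same domain SID."""
    parsed = {host: parse_dc(*outs) for host, outs in collected.items()}
    _ref_local, ref_domain = parsed[reference_host]
    findings = []
    for host, (local, domain) in sorted(parsed.items()):
        if local is None or domain is None:
            findings.append((host, "no SID in command output"))
            continue
        if local != domain:
            findings.append((host, "local SID differs from domain SID"))
        if domain != ref_domain:
            findings.append((host, "domain SID differs from " + reference_host))
    return findings


if __name__ == "__main__":
    for host, problem in check_dcs(COLLECTED, "roark"):
        print(f"{host}: {problem}")
```
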

[Samba] Moved PDC now issues

2010-10-12 Thread Donny Brooks
 This weekend we moved our samba PDC to a new machine. Now we are 
having a few issues with not being able to join new computers to the 
domain and some users cannot change their passwords. People can still 
login and such though. Here is a brief synopsis:


Old server was named roark IP 10.8.2.3. It housed mail, ldap, samba, and 
a few other things. Was fedora 11 with samba samba-3.4.7.
New server is Centos 5.5 with 3.0.33 originally but I upgraded it to the 
samba3x package and got a whopping 3.3.8 version. IP 10.8.3.4

Both old and new have the BDC set at 10.8.2.2

Everything worked until the move this weekend... I know.. famous last 
words. ;)


This weekend we migrated all the user files to the new machine, copied 
over /etc/samba/*, edited the ldap portion of smb.conf accordingly, 
changed all the other servers (we have about a dozen or so home servers 
for various divisions) to reflect the new IP of the new server and 
updated DNS accordingly. All seemed fine as we were able to login/logout 
and get to all the shares just fine. The problem came when users went to 
change their passwords using the windows method (CTRL+ALT+DEL - change 
password), which previously worked. Also we are unable to join new 
computers to the domain at all. Although, users on the same vlan 
(10.8.3.X) as roark are able to change their passwords it seems. This is 
odd since all but 3 of the users are on roark as their home server. The 
other 3 are on a separate server but are still able to change their 
passwords. The error that users get when trying to change their password 
or join a new pc to the domain is Domain ADMIN not found or something 
along those lines.


I have tried everything I can think of to get this resolved. I have made 
sure the SID stayed the same on roark, rejoined the outlying servers to 
the domain, reset the smbpasswd ldap password, and scoured every log 
file I can find. All to no avail. I am including a few configs in hopes 
that someone can help guide me into fixing this issue.


I am also considering moving the PDC back to a fedora machine (fedora 13 
to be exact) so that it is more like the original machine and can get 
the same branch of samba.


I hope someone out there can guide me in the correct direction to fix 
this. :)



Here is the CURRENT roark smb.conf:

[r...@roark ~]# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2001/07/31 13:51:02

# Global parameters
[global]
netbios name = roark
   workgroup = ADMIN
server string = Roark
hosts allow = 10.8. 127.
os level = 66
preferred master = Yes
domain master = Yes
local master = Yes
#   oplocks = no
#   level2 oplocks = no
interfaces = lo,eth0

passdb backend = ldapsam:ldap://10.8.2.3
  ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
  ldap machine suffix = Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
  idmap backend = ldap:ldap://mdah.state.ms.us
  map acl inherit = Yes
printer admin = root, dbrooks, smccoy, jomiles, sokolsky

#winbind enum users = yes
#winbind enum groups = yes
name resolve order = wins bcast hosts

   security = user
#   passwd program = /usr/bin/passwd %u
encrypt passwords = yes
update encrypted = Yes
unix password sync = no
  ldap passwd sync = yes
  update encrypted = yes


   password server = mail
#   passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n 
*Password*changed*
#passwd chat = *New*UNIX*password* %n\n 
*ReType*new*UNIX*password* %n\n 
*passwd:*all*authentication*tokens*updated*successfully*


#   add user script = /usr/sbin/useradd -g smbbox -c Machine 
Account -d /dev/null -M -s /bin/false %U

wins support = Yes
wins proxy = yes
domain logons = Yes
logon path = \\%N\profiles\%U
logon script = scripts\%U.bat
logon drive = R:
logon home = \\roark\%U
time server = yes
printing = cups
load printers = yes
guest account = nobody
map to guest = bad user
map to guest = bad password
guest ok = yes
dns proxy = No

log file = /var/log/samba/log.%m
max log size = 500
log level = 3 vfs:2
#log level = 10
syslog = 0
hide dot files = yes
time server = yes
template shell = /bin/false
follow symlinks = yes
username map = /etc/samba/smbusers
profile acls = yes
host msdfs = yes
   idmap uid = 2-3
   idmap gid = 2-3
#   winbind separator = +
   template homedir = /home/winnt/%D/%U
   template shell = /bin/bash
#   winbind offline logon = false
#   winbind use default domain = no
allow trusted domains = yes
unix charset = LOCALE
enable privileges = yes
printcap name = CUPS
  

[Samba] Moving Samba PDC to new machine

2010-08-23 Thread Donny Brooks
I am looking to move our current Samba primary domain controller to a new 
machine. The current machine is EOL, running Fedora 11 (old), and had way too 
many services on it to start with (mail, dns, samba, mysql replication, primary 
ldap, etc). I am looking to move to a Xen domu with either Fedora 13 or Centos 
5.5. What my question is is this: 
what should I look for when I migrate the samba install to the new machine. 

We use OpenLDAP backend for authentication if that matters for anything. I will 
most likely keep the machine name the same but will change the IP. I know in 
the other servers that we have that rely on this one as the PDC I will need to 
change every reference of its IP address. But I am making sure there is not any 
gotcha deals.
-- 
 
Donny B.


Re: [Samba] Moving Samba PDC to new machine

2010-08-23 Thread Donny Brooks
 I apologize for not explaining why I am asking this. Recently we had to move a 
subset of our users off of the primary server as it houses our administration 
users' home directories and my documents. When we moved these users I had all 
kinds of trouble with them not pulling the profiles like it should have and 
from the proper server. But since I am not changing the machine's name, I don't 
think I will have similar issues. Am I correct in assuming this?
 
 
-- 
 
Donny B. 
 
On Monday, August 23, 2010 02:23 PM CDT, Donny Brooks 
dbro...@mdah.state.ms.us wrote: 
 
 I am looking to move our current Samba primary domain controller to a new 
 machine. The current machine is EOL, running Fedora 11 (old), and had way too 
 many services on it to start with (mail, dns, samba, mysql replication, 
 primary ldap, etc). I am looking to move to a Xen domu with either Fedora 13 
 or Centos 5.5. What my question is is this: 
 what should I look for when I migrate the samba install to the new machine. 
 
 We use OpenLDAP backend for authentication if that matters for anything. I 
 will most likely keep the machine name the same but will change the IP. I 
 know in the other servers that we have that rely on this one as the PDC I 
 will need to change every reference of its IP address. But I am making sure 
 there is not any gotcha deals.
 -- 
  
 Donny B.
 
 



[Samba] Roaming profiles, linux client...

2010-08-11 Thread Donny Brooks
I know this may be a harebrained idea, and I may be totally off base here. If 
so please let me know. But I was wondering how to have roaming profiles similar 
to xp and vista/7 on a linux client pc. Say I am at one desk with xp (or 
vista/7) and I want to login as myself on a linux desktop (say ubuntu or 
similar) but want to keep all the access to my same browser data and such. How 
would one go about configuring the Samba PDC to do that? Or is it even possible?
-- 
 
Donny B.


Re: [Samba] Odd random roaming profile issues

2010-07-27 Thread Donny Brooks

On 7/26/2010 10:02 PM, Paul Venzke wrote:

On Mon July 26 2010 16:05, Donny Brooks wrote:
   

We are currently using samba and openLDAP to enable our users to
have roaming profiles on our domain network. We have one primary
domain controller and 7 home servers at the various locations
that serve the profiles and such. The problem is that randomly
various users are unable to load their profile and windows just
gives them a temporary profile. This mostly happens on vista
machines but is not limited to that as it has happened on XP also.
What is odd is the user can login as themselves on another machine
just fine and other users can usually log in on the first users
pc just fine. We have tried the standard checking log files,
remove/reinstall pc into domain/ldap, remove/reinstall user into
domain/ldap, etc but nothing seems to work. What we usually end up
doing is reinstalling the users OS and programs. I know there has
to be a better way to do this. Is there anything I may be missing
here? Any pointers are more than welcome.

Donny B.
 

Donny;

I have found that deleting the registry entry for the user will allow
them to download the profile from the server.  Try  deleting the
local profile and this entry in the registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID of User

Should you look at this entry, you will see that the CentralProfile is
set to a temporary profile.  You may just need to edit the
CentralProfile and perhaps delete the local profile rather than
deleting the entire key.

If you delete the entire SID entry, it will be recreated when the user
logs-in the next time.
   
Thanks for that. It appears as though deleting the user's registry entry 
has fixed at least one instance of this issue. I will continue testing.
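
A read-only way to locate the ProfileList entry discussed in this message before editing or deleting anything, as an added example that is not part of the original thread. The `ProfileImagePath` and `State` value names and the `.bak` / `TEMP` checks are not from the thread; they are assumptions about the usual ProfileList layout and are used here only as heuristics.

```powershell
# Added example: read-only audit of the ProfileList key named in the thread.
# Nothing is modified or deleted. Run from an elevated prompt on the affected PC.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListReport {
    param([string]$Path = $profileList)

    Get-ChildItem -Path $Path | ForEach-Object {
        $keyName = $_.PSChildName
        $values  = Get-ItemProperty -Path $_.PSPath

        # Resolve the SID to an account name; orphaned SIDs fail to translate.
        $sidText = $keyName -replace '\.bak$', ''
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved)'
        }

        # Heuristic checks (assumptions, not taken from the thread).
        $localPath = $values.ProfileImagePath
        $notes = @()
        if ($keyName -like '*.bak') { $notes += 'backup (.bak) key present' }
        if ($localPath -and -not (Test-Path -LiteralPath $localPath)) {
            $notes += 'local profile folder missing'
        }
        if ($localPath -match '\\TEMP(\.|$)') { $notes += 'points at a TEMP profile folder' }

        # PSObject + Select-Object keeps this usable on PowerShell 2.0.
        New-Object PSObject -Property @{
            Key              = $keyName
            Account          = $account
            ProfileImagePath = $localPath
            CentralProfile   = $values.CentralProfile
            State            = $values.State
            Notes            = $notes -join '; '
        } | Select-Object Key, Account, ProfileImagePath, CentralProfile, State, Notes
    }
}

Get-ProfileListReport | Format-List
```

Comparing the `CentralProfile` value of the affected user against a working user on the same PC shows whether the entry still points at the wrong location before any key is removed.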



[Samba] Odd random roaming profile issues

2010-07-26 Thread Donny Brooks
We are currently using samba and openLDAP to enable our users to have 
roaming profiles on our domain network. We have one primary domain 
controller and 7 home servers at the various locations that serve the 
profiles and such. The problem is that randomly various users are unable 
to load their profile and windows just gives them a temporary profile. 
This mostly happens on vista machines but is not limited to that as it 
has happened on XP also. What is odd is the user can login as themselves 
on another machine just fine and other users can usually log in on the 
first users pc just fine. We have tried the standard checking log files, 
remove/reinstall pc into domain/ldap, remove/reinstall user into 
domain/ldap, etc but nothing seems to work. What we usually end up doing 
is reinstalling the users OS and programs. I know there has to be a 
better way to do this. Is there anything I may be missing here? Any 
pointers are more than welcome.


Donny B.


Re: [Samba] Odd random roaming profile issues

2010-07-26 Thread Donny Brooks
I will look in the logs of the next one, have one coming in to be redone 
tomorrow. But it is odd that I can remove their profile from the pc 
totally and make it pull the server side and it still fails.


On 7/26/2010 4:24 PM, t...@tms3.com wrote:
When windows login fails, often windows gives a path error.  My 
suspicion is that some rogue data with incompatible perms has gotten 
into the local users profile.  I've seen it happen, but I'll be damned 
if I can remember the cause.




--- Original message ---
*Subject:* [Samba] Odd random roaming profile issues
*From:* Donny Brooks dbro...@mdah.state.ms.us
*To:* samba@lists.samba.org
*Date:* Monday, 26/07/2010 2:05 PM

We are currently using samba and openLDAP to enable our users to have
roaming profiles on our domain network. We have one primary domain
controller and 7 home servers at the various locations that serve the
profiles and such. The problem is that randomly various users are unable
to load their profile and windows just gives them a temporary profile.
This mostly happens on vista machines but is not limited to that as it
has happened on XP also. What is odd is the user can login as themselves
on another machine just fine and other users can usually log in on the
first users pc just fine. We have tried the standard checking log files,
remove/reinstall pc into domain/ldap, remove/reinstall user into
domain/ldap, etc but nothing seems to work. What we usually end up doing
is reinstalling the users OS and programs. I know there has to be a
better way to do this. Is there anything I may be missing here? Any
pointers are more than welcome.

Donny B.






Re: [Samba] Weird samba pdc problem.

2010-07-21 Thread Donny Brooks
Thanks for the input. Before I received this reply I did a little 
further testing and do believe I got it working right. I ended up having 
to remove the machine from the domain, remove the local copy of the 
users profile on the machine, readd the machine to the domain, and have 
the user re-login to pull his profile across. I had to reboot between 
each step just to make sure settings stuck. He was able to successfully 
login and pull his profile from the new machine last night and we will 
see how it does today. Thanks again for the assistance.


Donny B.

On 7/21/2010 1:13 AM, Daniel Müller wrote:

Hello,
I had a problem similar to yours.
Did you join the machine to the new domain?
If it is an XP client, click Windows+R, type: control keymgr.dll.
Purge all entries.
This should help a bit.

Greetings


---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Donny Brooks
Sent: Tuesday, 20 July 2010 17:05
To: samba@lists.samba.org
Subject: [Samba] Weird samba pdc problem.

Hello,

   We have been running a samba pdc with LDAP backend setup here at
work since before my time (a few years now). Recently it has become
necessary to move a handful of users to their own server for shares,
profiles, and such to reduce the load on the primary server. Of these
users, all moved just fine with the exception of one user.

All the users that were moved are using windows xp. I updated all their
profile paths in ldap, removed their logon scripts from the primary
machine, edited the logon scripts on the new machine to point to the
proper machine and share, and even ran the unix2dos on the logon scripts
for good measure. I even compared the non-working persons ldap entry to
one of the working ones and they are identical except the name and
personal stuff. So here it is a week later and 3 of the 4 users are
pulling their profiles, my documents, and shares from the new server
with little intervention on my part. It is that last one that has me
stumped. His machine refuses to pull his profile from the new machine
and won't pull his my documents (we redirect them as the R: drive).
Instead it tries to pull from the old machine and sees there is no
profile so instead loads the local copy instead. I have removed the
logon script, removed the folders for his profile and such and restarted
the samba and ldap service about a dozen times to no avail. I even made
sure his machine was powered completely down to ensure it isn't just
hibernating and keeping settings in memory.

I am at a loss why this one user is giving me such issues. And of course
it would be the head of the section I am doing the server for. Any help
or pointers would be much appreciated.

Donny B.
   




[Samba] Weird samba pdc problem.

2010-07-20 Thread Donny Brooks

Hello,

 We have been running a samba pdc with LDAP backend setup here at 
work since before my time (a few years now). Recently it has become 
necessary to move a handful of users to their own server for shares, 
profiles, and such to reduce the load on the primary server. Of these 
users, all moved just fine with the exception of one user.


All the users that were moved are using windows xp. I updated all their 
profile paths in ldap, removed their logon scripts from the primary 
machine, edited the logon scripts on the new machine to point to the 
proper machine and share, and even ran the unix2dos on the logon scripts 
for good measure. I even compared the non-working persons ldap entry to 
one of the working ones and they are identical except the name and 
personal stuff. So here it is a week later and 3 of the 4 users are 
pulling their profiles, my documents, and shares from the new server 
with little intervention on my part. It is that last one that has me 
stumped. His machine refuses to pull his profile from the new machine 
and won't pull his my documents (we redirect them as the R: drive). 
Instead it tries to pull from the old machine and sees there is no 
profile so instead loads the local copy instead. I have removed the 
logon script, removed the folders for his profile and such and restarted 
the samba and ldap service about a dozen times to no avail. I even made 
sure his machine was powered completely down to ensure it isn't just 
hibernating and keeping settings in memory.


I am at a loss why this one user is giving me such issues. And of course 
it would be the head of the section I am doing the server for. Any help 
or pointers would be much appreciated.


Donny B.