Re: [Samba] openldap integration failed after power cut
Hi

Running ldapsearch -x on the primary LDAP server fails; it gives

    [root@servername ~]# ldapsearch -x
    ldap_bind: Can't contact LDAP server (-1)

And yet on that server the Zimbra instance appears to be fine. Can you suggest any further diagnosis of the LDAP on that server, or action I might take?

Many Thanks
Fergus

----- Original Message -----
From: Gaiseric Vandal gaiseric.van...@gmail.com
To: Fergus Clarke fcla...@ixico.com
Cc: samba@lists.samba.org
Sent: Monday, 13 February, 2012 6:32:41 PM
Subject: Re: [Samba] openldap integration failed after power cut

Try ldapsearch with -x for simple (non sasl) authentication.

On 02/13/2012 01:29 PM, Fergus Clarke wrote:

Hi

Thanks for your reply, much appreciated.

When I run ldapsearch on the Samba server it prompts me for a password and this fails when tried with the credentials for the ldap bind account specified in smb.conf, also with the root pw for either machine, as follows:

    ldap_sasl_interactive_bind_s: Invalid credentials (49)

I have tried resetting the smbpasswd -w as you suggested and setting the bind account password to the same on the ldap server, but I still get this message. This suggests you are right and it is a credentials issue. Is there anything I need to do beyond smbpasswd -w password on the samba machine and passwd bind account on ldap server?

The LDAP does appear to be running on the primary LDAP server as I can look at it on the console of the (unused) instance of zimbra on there; it looks OK. That said, if I do a ldapsearch on that machine I get an error:

    [root@primaryldapserver cacerts]# ldapsearch
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Regards
Fergus

----- Original Message -----
From: Gaiseric Vandal gaiseric.van...@gmail.com
To: samba@lists.samba.org
Sent: Monday, 13 February, 2012 5:51:43 PM
Subject: Re: [Samba] openldap integration failed after power cut

Can you use ldapsearch or a GUI LDAP browser/editor (e.g. Apache Directory Studio) to make sure that your primary LDAP server really is working. Verify that the credentials are good.

You may need to re-enter the ldap pw in samba if your password store got corrupted

    # smbpasswd -w LDAPBINDPW

On 02/13/2012 11:12 AM, Fergus Clarke wrote:

Hi

We have a Samba server that authenticates with an openldap server. Or it used to. We had a power cut last week and after a bit of struggling everything came back, but not Samba.

Previously our smb.conf file included the line

    passdb backend = ldapsam:ldap://server.domain.net/

With this line in place the connection to the LDAP server fails, and people's shares drop off every few minutes. I changed this to point to our 2nd, backup ldap server and now shares and logon work again. I need to get communication started again between our Samba and primary LDAP server.

Symptoms include the following (with the new config, i.e. pointing at the backup ldap server):

On the samba server:

    servername:/etc/samba# smbclient '\\servername\data'
    WARNING: The printer admin option is deprecated
    Enter root's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

but

    servername:/etc/samba# smbclient -L localhost -U%
    WARNING: The printer admin option is deprecated
    Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk      Network Logon Service
    print$          Disk      Printer Drivers

etc

also:

    servername:/etc/samba# pdbedit -u username -c [X]
    doing parameter syslog = 1
    doing parameter log file = /var/log/samba/log.%m
    doing parameter max log size = 1000
    doing parameter smb ports = 139
    doing parameter name resolve order = wins bcast hosts
    doing parameter printcap name = cups
    doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos %u
    doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
    doing parameter logon script = logon.cmd
    doing parameter logon path = \\server.domain.net\%U\profile
    doing parameter logon home = \\server.domain.net\%U
    doing parameter domain logons = Yes
    doing parameter os level = 33
    doing parameter preferred master = Yes
    doing parameter domain master = Yes
    doing parameter dns proxy = No
    doing parameter wins support = Yes
    doing parameter ldap admin dn = uid=username,cn=admins,cn=thenameofthecn
    doing parameter ldap group suffix = ou=groups
    doing parameter ldap machine suffix = ou=machines
    doing parameter ldap passwd sync = Yes
    doing parameter ldap suffix = dc=ixico,dc=com
    doing parameter ldap user suffix = ou=people
    doing parameter panic action = /usr/share/samba/panic-action %d
    pm_process() returned Yes
    smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully
[Samba] openldap integration failed after power cut
and the LDAP alias. I have upped the log level to 10 and grepped for relevant hostnames and things but I am somewhat at a loss as to what's gone wrong; any help you can offer would be very gratefully received. I would also be v happy to post any logs etc. to assist.

Thanks
Fergus

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] openldap integration failed after power cut
Hi

Thanks for your reply, much appreciated.

When I run ldapsearch on the Samba server it prompts me for a password and this fails when tried with the credentials for the ldap bind account specified in smb.conf, also with the root pw for either machine, as follows:

    ldap_sasl_interactive_bind_s: Invalid credentials (49)

I have tried resetting the smbpasswd -w as you suggested and setting the bind account password to the same on the ldap server, but I still get this message. This suggests you are right and it is a credentials issue. Is there anything I need to do beyond smbpasswd -w password on the samba machine and passwd bind account on ldap server?

The LDAP does appear to be running on the primary LDAP server as I can look at it on the console of the (unused) instance of zimbra on there; it looks OK. That said, if I do a ldapsearch on that machine I get an error:

    [root@primaryldapserver cacerts]# ldapsearch
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Regards
Fergus

----- Original Message -----
From: Gaiseric Vandal gaiseric.van...@gmail.com
To: samba@lists.samba.org
Sent: Monday, 13 February, 2012 5:51:43 PM
Subject: Re: [Samba] openldap integration failed after power cut

Can you use ldapsearch or a GUI LDAP browser/editor (e.g. Apache Directory Studio) to make sure that your primary LDAP server really is working. Verify that the credentials are good.

You may need to re-enter the ldap pw in samba if your password store got corrupted

    # smbpasswd -w LDAPBINDPW

On 02/13/2012 11:12 AM, Fergus Clarke wrote:

Hi

We have a Samba server that authenticates with an openldap server. Or it used to. We had a power cut last week and after a bit of struggling everything came back, but not Samba.

Previously our smb.conf file included the line

    passdb backend = ldapsam:ldap://server.domain.net/

With this line in place the connection to the LDAP server fails, and people's shares drop off every few minutes. I changed this to point to our 2nd, backup ldap server and now shares and logon work again. I need to get communication started again between our Samba and primary LDAP server.

Symptoms include the following (with the new config, i.e. pointing at the backup ldap server):

On the samba server:

    servername:/etc/samba# smbclient '\\servername\data'
    WARNING: The printer admin option is deprecated
    Enter root's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

but

    servername:/etc/samba# smbclient -L localhost -U%
    WARNING: The printer admin option is deprecated
    Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk      Network Logon Service
    print$          Disk      Printer Drivers

etc

also:

    servername:/etc/samba# pdbedit -u username -c [X]
    doing parameter syslog = 1
    doing parameter log file = /var/log/samba/log.%m
    doing parameter max log size = 1000
    doing parameter smb ports = 139
    doing parameter name resolve order = wins bcast hosts
    doing parameter printcap name = cups
    doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos %u
    doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
    doing parameter logon script = logon.cmd
    doing parameter logon path = \\server.domain.net\%U\profile
    doing parameter logon home = \\server.domain.net\%U
    doing parameter domain logons = Yes
    doing parameter os level = 33
    doing parameter preferred master = Yes
    doing parameter domain master = Yes
    doing parameter dns proxy = No
    doing parameter wins support = Yes
    doing parameter ldap admin dn = uid=username,cn=admins,cn=thenameofthecn
    doing parameter ldap group suffix = ou=groups
    doing parameter ldap machine suffix = ou=machines
    doing parameter ldap passwd sync = Yes
    doing parameter ldap suffix = dc=ixico,dc=com
    doing parameter ldap user suffix = ou=people
    doing parameter panic action = /usr/share/samba/panic-action %d
    pm_process() returned Yes
    smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    init_sam_from_ldap: Entry found for user: username
    ldapsam_update_sam_account: user username to be modified has dn: uid=username,ou=people,dc=domain,dc=com
    init_ldap_from_sam: Setting entry for user: username
    Unable to modify entry!

If I change the setting back to point at our original LDAP server I get the following errors, for example:

    servername:/etc/samba# pdbedit -u username -c [X]
    doing parameter syslog = 1
    doing parameter
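
Added example, not part of the original thread and not Samba's own code: the ldapsearch runs quoted above rely on the client defaults for server and bind identity, so they do not repeat the simple bind Samba makes with its ldap admin dn. This sketch reads passdb backend, ldap admin dn and ldap suffix from smb.conf and prints the matching test command, and labels the two errors seen in the thread; the function names and the sample file are constructed, the values are the ones quoted in the thread.

```shell
# Constructed smb.conf fragment; the three values are the ones quoted in the thread.
sample_conf() {
cat <<'EOF'
[global]
   passdb backend = ldapsam:ldap://server.domain.net/
   ldap admin dn = uid=username,cn=admins,cn=thenameofthecn
   ldap suffix = dc=ixico,dc=com
EOF
}

# conf_get NAME: value of parameter NAME (config on stdin); splits on the first "=" only, since DNs contain "=".
conf_get() {
    awk -v want="$1" '
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            eq = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }'
}

# Build the ldapsearch call that repeats Samba's bind: simple auth (-x), explicit URI (-H), admin DN (-D),
# and a password prompt (-W) so the bind password stays out of shell history and the process list.
build_bind_test() {
    conf=$(cat)
    backend=$(printf '%s\n' "$conf" | conf_get "passdb backend")
    dn=$(printf '%s\n' "$conf" | conf_get "ldap admin dn")
    suffix=$(printf '%s\n' "$conf" | conf_get "ldap suffix")
    case $backend in
        ldapsam:*) uri=${backend#ldapsam:} ;;
        *) echo "passdb backend is not ldapsam" >&2; return 1 ;;
    esac
    [ -n "$dn" ] && [ -n "$suffix" ] || { echo "ldap admin dn or ldap suffix missing" >&2; return 1; }
    printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' -s base\n" "$uri" "$dn" "$suffix"
}

# Label an ldapsearch error line: which bind was attempted, and server unreachable (-1) vs credentials rejected (49).
explain_result() {
    case $1 in ldap_sasl_interactive_bind_s:*) mech=sasl ;; *) mech=simple ;; esac
    case $1 in
        *"(-1)"*) echo "$mech-bind unreachable" ;;
        *"(49)"*) echo "$mech-bind bad-credentials" ;;
        *) echo "$mech-bind other" ;;
    esac
}

sample_conf | build_bind_test
```

Run the printed command from the Samba host against each LDAP server in turn; a (-1) result means nothing answered at that URI, a (49) result means the server answered and rejected the DN or password.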
Re: [Samba] Remote Desktop Users Group
On 07/02/12 15:31, Jürgen Echter wrote:

Hi,

could somebody tell me how to add the group 'Remote Desktop Users' to my domain? So I can add users there to log in to machines remotely.

thanks
juergen

I think I can get around this by going to Remote properties within My Computer properties, and there is a button to specify users/groups that can remote login to the machine.
RE: [Samba] ADS with Kerberos trust
Hi Fernando,

We are using Samba 3 and I got it to authenticate to ADS. But the key is to try and get it to authenticate to ADS using the alternative kerberos mapping. When you do this mapping in AD you can login using kerberos credentials. I'm just not sure how to tell Samba to do this.

Fergus

-----Original Message-----
From: Fernando Fonseca [mailto:[EMAIL PROTECTED]
Sent: Friday, 14 November 2003 9:31 PM
To: Fergus McKenzie-Kay; [EMAIL PROTECTED]
Subject: Re: [Samba] ADS with Kerberos trust

Fergus,

What version of Samba are you using? With the version 3.0 if you set "encrypt password = yes" in smb.conf you will tell it to use Kerberos, but I think that you already do it. Another parameter is the "security = ADS" that enables the search in ADS.

On Friday 14 November 2003 04:18, Fergus McKenzie-Kay wrote:

Hi,

We have an environment where we use LDAP and Kerberos and we are having trouble setting up Samba with both of these. We also have a win2k Active Directory server that has all the users mapped to our kerberos realm. Unfortunately when we try and configure to use the Active Directory server for authentication it tries to use the native win2k password and not the kerberos realm mapping.

I have tried to set the smb.conf to the kerberos realm and the password server to the KDC but I get:

    session setup failed: NT_STATUS_NO_LOGON_SERVERS

Does anyone have any ideas how to make samba either use active directory with the username mappings to kerberos? Or simply use kerberos authentication and LDAP authorisation?

I believe the first solution would be easier as then AD would look after all the details, whereas when we tried to set up samba talking to kerberos and ldap, the ldap config needed changing and samba had to know how to create users in kerberos and ldap.

Any ideas would be appreciated.

--
Fergus McKenzie-Kay
[EMAIL PROTECTED]

--
Fernando Fonseca
Network Administrator
Tel: +55(11)4039-9260
Triaton do Brasil

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] ADS with Kerberos trust
Hi,

We have an environment where we use LDAP and Kerberos and we are having trouble setting up Samba with both of these. We also have a win2k Active Directory server that has all the users mapped to our kerberos realm. Unfortunately when we try and configure to use the Active Directory server for authentication it tries to use the native win2k password and not the kerberos realm mapping.

I have tried to set the smb.conf to the kerberos realm and the password server to the KDC but I get:

    session setup failed: NT_STATUS_NO_LOGON_SERVERS

Does anyone have any ideas how to make samba either use active directory with the username mappings to kerberos? Or simply use kerberos authentication and LDAP authorisation?

I believe the first solution would be easier as then AD would look after all the details, whereas when we tried to set up samba talking to kerberos and ldap, the ldap config needed changing and samba had to know how to create users in kerberos and ldap.

Any ideas would be appreciated.

--
Fergus McKenzie-Kay
[EMAIL PROTECTED]