Re: [Samba] Samba/winbind with Active Directory auth

2010-01-18 Thread Frank Gruman
On Mon, 2010-01-18 at 16:33 +0100, Kris Kaido wrote:

> Hi List,
> 
> I'm installing a Samba server with the intended purpose of serving files to
> Windows users with seamless authentication on the smb server.
> For that, I've been reading and following every single google search result
> regarding the subject, but it seems I'm stuck at some point where other
> people are not blocked ...
> 
> To summarize, I have these commands OK:
> # kinit admin_u...@domain.example.com
> # klist (ticket ok)
> # net join ads -S server -U admin_user
> # wbinfo -u and -g (both showing "DOMAIN\...")
> # wbinfo -t (succeeded)
> 
> I configured PAM to use winbind, and to test it I'm using ssh with the same
> config as I will for samba
> 
> Here's what I get when I try to ssh into my smb server using my AD
> credentials:
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): getting password
> (0x)
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): request failed:
> Named pipe dicconnected, PAM error was System error (4), NT error was
> NT_STATUS_PIPE_DISCONNECTED
> Jan 18 15:34:18 smb sshd[9157]: pam_winbind(sshd:auth): internal module
> error (retval = 4, user = 'DOMAIN\myusername')
> Jan 18 15:34:18 smb sshd[9157]: pam_unix(sshd:auth): authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.6
>  user= DOMAIN\myusername
> Jan 18 15:34:20 smb sshd[9157]: Failed password for DOMAIN\myusername from
> 192.168.5.6 port 50872 ssh2
> 
> Any idea on what this error (NT_STATUS...) means ?
> 
> Also when trying this I get an error:
> smb:~# wbinfo -a admin_user%admin_pwd
> plaintext password authentication failed
> Could not authenticate user henry_admin with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_PIPE_DISCONNECTED (0xc0b0)
> error messsage was: Named pipe dicconnected
> Could not authenticate user admin_user with challenge/response
> smb:~#
> 
> Here's my PAM config:
> auth        sufficient  pam_winbind.so
> auth        required    pam_unix.so use_first_pass
> account     sufficient  pam_winbind.so
> account     required    pam_unix.so
> session     required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session     sufficient  pam_winbind.so
> session     required    pam_unix.so
> password    requisite   pam_cracklib.so retry=3 type=
> password    sufficient  pam_unix.so nullok use_authtok md5 shadow
> password    sufficient  pam_winbind.so use_first_pass
> password    required    pam_deny.so
> 
> Any help would be greatly appreciated.
> 
> Thanks,
> 
> k.



Two things.

1 - make sure nscd is disabled (not just stopped - disable it to prevent
restarting on the next reboot)
2 - I found that using "winbind use default domain = yes" caused a lot
of my default authentication issues to go away.  I only have one domain
and so I don't need the extra information / complexity of having to
specify domains.

Regards,
Frank
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


RE: [Samba] Vulnerabilities reported by Qualys scan

2009-05-27 Thread Frank Gruman
On Wed, 2009-05-27 at 10:41 -0500, Xu, Ying (Houston) wrote:

> Did anyone encounter this kind of audit issue at all?
> 
> Thanks
>  
> Ying 
>  
> 
> -Original Message-
> From: samba-bounces+ying.xu=littonloan@lists.samba.org
> [mailto:samba-bounces+ying.xu=littonloan@lists.samba.org] On Behalf
> Of Xu, Ying (Houston)
> Sent: Friday, May 22, 2009 11:01 AM
> To: samba@lists.samba.org
> Subject: [Samba] Vulnerabilities reported by Qualys scan
> 
> We are running samba services on several solaris10 servers for the users
> that need to read reports/logs on their windows workstation.  The shares
> are shared read-only and allowed guest account since most of users do
> not have unix accounts.  Our company recently started Qualys scan on all
> servers, and we need to address the vulnerabilities reported.  We are
> getting the following vulnerabilities regarding the samba services:
>  
> Remote User List Disclosure Using NetBIOS (CVE-2000-1200) 
> Null Session/Password NetBIOS Access (CVE-1999-0519)
>  
> Is there anyway to address this besides disable guest account?
>  
> 
> Thanks
>  
> Ying Xu 
> Unix Group


I used to run into security scans and mitigation requirements all the
time.  From a variety of scan tools...

A _VERY_ brief Google search (CVE-2000-1200 samba) led me to
http://www.rapid7.com/vulndb/lookup/cifs-nt-0002 where you can find
instructions on mitigating that issue (there are Windows sections, a
Samba section, and a Novell section - just scroll).  The second issue
was also found with a similar search and results -
http://www.rapid7.com/vulndb/lookup/cifs-nt-0001. 

I have typically found that these scan tools will give you a general
idea of how to mitigate these issues (perhaps Windows-centric in this
case) but still a hint nonetheless.  Even Qualys gives you that much.

Regards,
Frank


Re: [Samba] Clarification of 'administrator' config w/ldap

2009-04-19 Thread Frank Gruman
On Mon, 2009-04-20 at 00:03 -0400, jeff sacksteder wrote:

> As you say, I see 'root = administrator' in smbuser, but I am still
> unable to authenticate as administrator. During the authentication
> attempt the following log entry is recorded-
> 
> check_ntlm_password:  Authentication for user [administrator] ->
> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> 
>  I believe that I need to make an entry with pdbedit linking the
> domain admin sid to root.
> However, trying that produces-
> 
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
> smbldap_open_connection: connection opened
> Username not found!
> 
> So what more do I need to add?
> 
> On Sat, Apr 4, 2009 at 10:15 AM, Adam Williams
>  wrote:
> > root is mapped to windows Administrator account in /etc/samba/smbusers.
> >  however, since samba 3.0.11 you can make anyone a domain administrator (to
> > add machine accounts, install software, etc) see
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html for
> > more info.
> >
> > jeff sacksteder wrote:
> >>
> >> I have a mostly working config with the ldap backend, at least from
> >> the standpoint of standard domain users, but I'm not sure how my
> >> Administrator user needs to be configured. The os 'root' user is in
> >> /etc/passwd and all my normal users are in the directory for unified
> >> login purposes. Is the domain 'Administrator' account supposed to
> >> correspond to 'root' in the os, 'Manager' in the directory, or a just
> >> a privileged user in the directory?
> >>
> >


Depending upon your setup, you may need to add an additional entry into
smbusers that includes the domain name (e.g. root = administrator
DOMAIN_NAME\administrator ANOTHER_DOMAIN_NAME\some_guy)

Regards,
Frank


Re: [Samba] Remove old password in Windows

2008-11-03 Thread Frank Gruman
On Tue, 2008-11-04 at 08:07 +0800, Nelson Serafica wrote:
> I have Samba running as File Server. Most workstations use Windows XP and I
> usually map the samba drive to Windows.
> 
> When I change a password, users aren't prompted to re-enter their password. It
> seems the password was cached on Windows and even though I already changed the
> password, since they have a previous connection, they are already granted
> access to that directory despite the new password.
> 
> Is there a way that Windows Users will be forced to re-enter their new
> password?
> 
> Also, after changing the password of the user in samba, I restart the samba
> service (service smb restart). However, Windows XP users were prompted with
> "Logon failure: unknown user name or bad password". It seems it is still using
> the old password, but since I have changed their password, Windows is still using
> the old password.
> 
> I have visited control panel--->user account-->manage my network password
> but didn't see any password saved.
> 
> 
> Please advise if there are other people experiencing the same thing.
> 
> -- 
> Nelson Serafica
> 
> http://nelsontux.blogspot.com

Nelson,

Windows caches your logon credentials after the initial login as a hash
value.  This is a 'feature' of the MS client systems.  You can disable
password caching on the Windows machines for any externally accessed
resources.  I don't believe this affects the current local user session.

To disable password caching for new logins, open regedit and add the
following keys as DWord values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\DisablePwdCaching = 1

These entries do not exist by default - if you have many clients, you
may want to script this into their logon scripts.

Another topic to review that was posted recently:
http://www.mail-archive.com/samba@lists.samba.org/msg96607.html

The issue that making these changes would create is that every user
would be prompted for their username and password on every connection.
This is, perhaps, undesirable.

Regards,
Frank



Re: [Samba] Multiple IP addresses in DNS record

2008-10-22 Thread Frank Gruman
On Wed, 2008-10-22 at 07:58 -0400, Jarrod Hyder wrote:

> On Tue, Oct 21, 2008 at 8:17 PM, Frank Gruman <[EMAIL PROTECTED]>
> wrote:
> 
> 
> On Tue, 2008-10-21 at 13:34 -0400, Jarrod Hyder wrote: 
> 
> > I have a samba server running on Linux that has two ethernet cards 
> (eth0 &
> > eth1) that are bonded into a single virtual interface (bond0). This 
> virtual
> > interface is connected to the corporate LAN and I have another 
> ethernet card
> > (eth2) that is connected to another server that is used for making
> > incremental backups. The problem that I am having is that no matter 
> what I
> > do, the command "net ads dns register -P' causes both the bond0 and 
> eth2 IP
> > addresses to show up in the DNS record on the corporate domain 
> controller.
> > 
> > I have tried to force samba and winbind to use "interface = bond0" 
> and
> > "bind interfaces only = yes" and it doesn't seem to help this 
> situation.
> > 
> > If anyone can shed some light on what I am doing wrong, I would 
> really
> > appreciate it.
> > 
> > BTW, I am using samba 3.0.28a
> > 
> > --
> > Jarrod Hyder
> > [EMAIL PROTECTED]
> 
> 
> 
> 
> Jarrod,
> 
> Not sure how much help I can be, but give this a try - add the
> -d # flag to your 'net ads dns ...' command where # can be
> something up to 10 (more debug output).  This can at the very
> least confirm the smb.conf file being read as well as perhaps
> point you in a better direction.  If nothing else, post the
> somewhat cleansed output here; it may help others here to see
> where your problem lies.
> 
> 
> 
> Regards,
> Frank
>  
> Frank,
> 
> Here is the debug output of "net ads dns register -P -d 10". I can't
> really make heads or tails of it, but I also don't see either of the
> IP addresses that are getting registered on the domain. If you could
> take a look at it I would really appreciate it.
> 
> Thanks,
> 
> --
> Jarrod Hyder
> [EMAIL PROTECTED]
> 


> [2008/10/22 07:46:06, 5] lib/util.c:init_names(309)
>   Netbios name list:-
>   my_netbios_names[0]="SERVER"
> [2008/10/22 07:46:06, 2] lib/interface.c:add_interface(81)
>   added interface ip=xxx.yyy.xxx.yyy bcast=xxx.yyy.xxx.255 nmask=255.255.255.0
> [2008/10/22 07:46:06, 5] lib/gencache.c:gencache_init(61)
>   Opening cache file at /var/lib/samba/gencache.tdb



Jarrod,

The above snip was the line I was looking for, and had been hoping to
see more than one line added.  Meanwhile, back at the ranch, I see that
Jerry has already responded that this was a bug that was fixed.

Regards,
Frank


Re: [Samba] Multiple IP addresses in DNS record

2008-10-21 Thread Frank Gruman
On Tue, 2008-10-21 at 13:34 -0400, Jarrod Hyder wrote:

> I have a samba server running on Linux that has two ethernet cards (eth0 &
> eth1) that are bonded into a single virtual interface (bond0). This virtual
> interface is connected to the corporate LAN and I have another ethernet card
> (eth2) that is connected to another server that is used for making
> incremental backups. The problem that I am having is that no matter what I
> do, the command "net ads dns register -P' causes both the bond0 and eth2 IP
> addresses to show up in the DNS record on the corporate domain controller.
> 
> I have tried to force samba and winbind to use "interface = bond0" and
> "bind interfaces only = yes" and it doesn't seem to help this situation.
> 
> If anyone can shed some light on what I am doing wrong, I would really
> appreciate it.
> 
> BTW, I am using samba 3.0.28a
> 
> --
> Jarrod Hyder
> [EMAIL PROTECTED]


Jarrod,

Not sure how much help I can be, but give this a try - add the -d # flag
to your 'net ads dns ...' command where # can be something up to 10
(more debug output).  This can at the very least confirm the smb.conf
file being read as well as perhaps point you in a better direction.  If
nothing else, post the somewhat cleansed output here; it may help
others here to see where your problem lies.



Regards,
Frank


RE: [Samba] Nmbd is using the wrong ip address as source

2008-10-09 Thread Frank Gruman
Thanks for the update.  I was banging my head trying to figure out why
yours acted different from mine, with somewhat similar structures...

On Thu, 2008-10-09 at 12:58 +0300, Teodor Iacob wrote:

>  
> 
> Problem solved:
>  
> The origin was a badly configured SNAT rule that didn't include the
> output interface so it was doing NAT
> on its own IP addresses .. samba works correctly.
>  
> Teo
>  
> 
> 
> 
> 
> __
> From: Teodor Iacob 
> Sent: Thursday, October 09, 2008 9:11 AM
> To: Frank Gruman
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Nmbd is using the wrong ip address as source
> 
> 
> 
> I have used also the interface names, with the same results.
> Thank you for your time, I'll see to it further on the technical
> list..
>  
> Teo
>  
> 
> 
> 
> 
> __
> From: Frank Gruman [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, October 09, 2008 5:26 AM
> To: Teodor Iacob
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Nmbd is using the wrong ip address as source
> 
> 
> 
> 
> On Wed, 2008-10-08 at 09:21 +0300, Teodor Iacob wrote:
> 
> >  
> > Also nmblookup is using the external ip address: 
> > querying HDV on 10.10.10.255
> > 09:19:19.461813 IP X.X.X.X.45781 > 10.10.10.255.netbios-ns: NBT UDP
> > PACKET(137): QUERY; REQUEST; BROADCAST
> > 09:19:19.732139 IP X.X.X.X.45781 > 10.10.10.255.netbios-ns: NBT UDP
> > PACKET(137): QUERY; REQUEST; BROADCAST
> > 09:19:20.002136 IP X.X.X.X.45781 > 10.10.10.255.netbios-ns: NBT UDP
> > PACKET(137): QUERY; REQUEST; BROADCAST
> > name_query failed to find name HDV
> > 
> > The debugging information would show: 
> > params.c:pm_process() - Processing configuration file
> > "/etc/samba/smb.conf"
> > Processing section "[global]"
> > doing parameter workgroup = HOSTNAME
> > doing parameter netbios name = HDV
> > handle_netbios_name: set global_myname to: HDV
> > doing parameter interfaces = 10.10.10.1
> > doing parameter hosts allow = 127.0.0., 10.10.10.
> > doing parameter bind interfaces only = yes
> > doing parameter socket options = IPTOS_LOWDELAY TCP_NODELAY
> > SO_RCVBUF=8192 SO_SNDBUF=8192
> > doing parameter preferred master = yes
> > doing parameter domain master = yes
> > doing parameter local master = yes
> > doing parameter os level = 100
> > doing parameter remote announce = 10.10.10.255/HOSTNAME
> > doing parameter socket address = 10.10.10.255
> > doing parameter log level = 1
> > .. 
> > added interface ip=10.10.10.1 bcast=10.10.10.255 nmask=255.255.255.0
> > socket option SO_KEEPALIVE = 0
> > socket option SO_REUSEADDR = 1
> > socket option SO_BROADCAST = 1
> > .. 
> > Socket opened.
> > querying HDV on 10.10.10.255
> > Sending a packet of len 50 to (10.10.10.255) on port 137
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > Sending a packet of len 50 to (10.10.10.255) on port 137
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > Sending a packet of len 50 to (10.10.10.255) on port 137
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > tdb(unnamed): tdb_open_ex: could not open
> > file /var/cache/samba/unexpected.tdb: No such file or directory
> > name_query failed to find name HDV
> > .. 
> > 
> > 
> > 
> > 
> > From: Frank Gruman [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, October 07, 2008 3:29 AM
> > To: Teodor Iacob
> > Cc: samba@lists.samba.org
> > Subject: RE: [Samba] Nmbd is using the wrong ip address as source
> > 
> > 
> > 
> > On Mon, 2008-10-06 at 09:05 +0300, Teodor
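
The root cause reported at the top of this message (an SNAT rule with no output interface, so the host's own broadcasts on the private side left with the public source address) can be checked for mechanically. The following is an added example, not code from the thread: it audits `iptables-save` text for such rules. The ruleset, the address 203.0.113.10 (standing in for the redacted X.X.X.X) and the function names are constructed for illustration.

```python
import shlex

# Constructed iptables-save output (not from the thread). 203.0.113.10 stands
# in for the redacted public address X.X.X.X; eth0 and br0 are the interface
# names the thread uses for the public and private sides.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i br0 -p udp -m udp --dport 137:138 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.8.0.0/24 --out-interface eth0 -j MASQUERADE
COMMIT
"""

# Targets that rewrite the source address of outgoing packets.
NAT_TARGETS = {"SNAT", "MASQUERADE"}


def parse_rule(line):
    """Extract chain, target and output-interface match from one -A line."""
    rule = {"chain": None, "target": None, "out_if": None,
            "out_if_negated": False}
    tokens = shlex.split(line)
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "!":
            negate = True  # "!" negates the match option that follows it
            i += 1
            continue
        if tok in ("-A", "--append"):
            rule["chain"] = nxt
            i += 1
        elif tok in ("-j", "--jump"):
            rule["target"] = nxt
            i += 1
        elif tok in ("-o", "--out-interface"):
            rule["out_if"] = nxt
            rule["out_if_negated"] = negate
            i += 1
        negate = False
        i += 1
    return rule


def find_unscoped_snat(ruleset_text):
    """Return (line number, rule, reason) for each source-NAT rule in
    nat/POSTROUTING that is not pinned to one output interface."""
    findings = []
    table = None
    for lineno, line in enumerate(ruleset_text.splitlines(), start=1):
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]  # "*nat", "*filter", ... open a table section
            continue
        if table != "nat" or not line.startswith(("-A ", "--append ")):
            continue
        rule = parse_rule(line)
        if rule["chain"] != "POSTROUTING" or rule["target"] not in NAT_TARGETS:
            continue
        if rule["out_if"] is None:
            # Without -o the rule also rewrites packets the host itself sends
            # on the private interface, e.g. nmbd broadcasts to 10.10.10.255.
            findings.append((lineno, line, "no output interface match"))
        elif rule["out_if_negated"]:
            findings.append((lineno, line, "output interface match is negated"))
    return findings


if __name__ == "__main__":
    for lineno, rule_text, reason in find_unscoped_snat(SAMPLE_RULESET):
        print(f"line {lineno}: {reason}: {rule_text}")
```

On a live host the input would come from `iptables-save` run as root; only the first POSTROUTING rule in the constructed sample is reported.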

RE: [Samba] Nmbd is using the wrong ip address as source

2008-10-08 Thread Frank Gruman
On Wed, 2008-10-08 at 09:21 +0300, Teodor Iacob wrote:

>  
> 
> Also nmblookup is using the external ip address:
>  
> querying HDV on 10.10.10.255
> 09:19:19.461813 IP X.X.X.X.45781 > 10.10.10.255.netbios-ns: NBT UDP
> PACKET(137): QUERY; REQUEST; BROADCAST
> 09:19:19.732139 IP X.X.X.X.45781 > 10.10.10.255.netbios-ns: NBT UDP
> PACKET(137): QUERY; REQUEST; BROADCAST
> 09:19:20.002136 IP X.X.X.X.45781 > 10.10.10.255.netbios-ns: NBT UDP
> PACKET(137): QUERY; REQUEST; BROADCAST
> name_query failed to find name HDV
> 
> The debugging information would show:
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = HOSTNAME
> doing parameter netbios name = HDV
> handle_netbios_name: set global_myname to: HDV
> doing parameter interfaces = 10.10.10.1
> doing parameter hosts allow = 127.0.0., 10.10.10.
> doing parameter bind interfaces only = yes
> doing parameter socket options = IPTOS_LOWDELAY TCP_NODELAY
> SO_RCVBUF=8192 SO_SNDBUF=8192
> doing parameter preferred master = yes
> doing parameter domain master = yes
> doing parameter local master = yes
> doing parameter os level = 100
> doing parameter remote announce = 10.10.10.255/HOSTNAME
> doing parameter socket address = 10.10.10.255
> doing parameter log level = 1
> ..
> added interface ip=10.10.10.1 bcast=10.10.10.255 nmask=255.255.255.0
> socket option SO_KEEPALIVE = 0
> socket option SO_REUSEADDR = 1
> socket option SO_BROADCAST = 1
> ..
> Socket opened.
> querying HDV on 10.10.10.255
> Sending a packet of len 50 to (10.10.10.255) on port 137
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> Sending a packet of len 50 to (10.10.10.255) on port 137
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> Sending a packet of len 50 to (10.10.10.255) on port 137
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> tdb(unnamed): tdb_open_ex: could not open
> file /var/cache/samba/unexpected.tdb: No such file or directory
> name_query failed to find name HDV
> ..
>  
>  
> 
> 
> 
> 
> __
> From: Frank Gruman [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 07, 2008 3:29 AM
> To: Teodor Iacob
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Nmbd is using the wrong ip address as source
> 
> 
> 
> 
> On Mon, 2008-10-06 at 09:05 +0300, Teodor Iacob wrote: 
> 
> > Hello, 
> > Sorry for seeming impatient, I just had some rough night hours
> > because of this problem :) 
> > tcpdump shows: 
> > 08:21:22.920832 IP X.X.X.X.netbios-dgm > 10.10.10.255.netbios-dgm:
> > NBT UDP PACKET(138)
> > 08:21:22.920986 IP X.X.X.X.netbios-dgm > 10.10.10.255.netbios-dgm:
> > NBT UDP PACKET(138)
> > 08:21:23.072063 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> > UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> > 08:21:23.072069 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> > UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> > 08:21:23.072073 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> > UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> > 08:21:23.072076 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> > UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> > 08:21:23.072079 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> > UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> > 08:21:24.072491 IP X.X.X.X.netbios-dgm > 10.10.10.255.netbios-dgm:
> > NBT UDP PACKET(138)
> > 08:21:24.072497 IP X.X.X.X.netbios-dgm > 10.10.10.255.netbios-dgm:
> > NBT UDP PACKET(138)
> > 08:21:24.072656 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> > UDP PACKET(137): QUERY; REQUEST; BROADCAST
> > 08:21:25.073432 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> > UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> > 08:21

RE: [Samba] Nmbd is using the wrong ip address as source

2008-10-06 Thread Frank Gruman
On Mon, 2008-10-06 at 09:05 +0300, Teodor Iacob wrote:
> Hello,
>  
> Sorry for seeming impatient, I just had some rough night hours because
> of this problem :)
>  
> tcpdump shows:
> 08:21:22.920832 IP X.X.X.X.netbios-dgm > 10.10.10.255.netbios-dgm: NBT
> UDP PACKET(138)
> 08:21:22.920986 IP X.X.X.X.netbios-dgm > 10.10.10.255.netbios-dgm: NBT
> UDP PACKET(138)
> 08:21:23.072063 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> 08:21:23.072069 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> 08:21:23.072073 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> 08:21:23.072076 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> 08:21:23.072079 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> 08:21:24.072491 IP X.X.X.X.netbios-dgm > 10.10.10.255.netbios-dgm: NBT
> UDP PACKET(138)
> 08:21:24.072497 IP X.X.X.X.netbios-dgm > 10.10.10.255.netbios-dgm: NBT
> UDP PACKET(138)
> 08:21:24.072656 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): QUERY; REQUEST; BROADCAST
> 08:21:25.073432 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> 08:21:25.073438 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> 08:21:25.073441 IP X.X.X.X.netbios-ns > 10.10.10.255.netbios-ns: NBT
> UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
> 
> ( where X.X.X.X is the public ip address of the linux server from
> eth0 ), this tcpdump was taken from another linux machine with the
> ip: 10.10.10.2
>  
> The requested netstat output:
>  
> [EMAIL PROTECTED] ~]# netstat -nap |grep [sn]mbd
> tcp        0      0 10.10.10.1:139      0.0.0.0:*      LISTEN      18538/smbd
> tcp        0      0 10.10.10.1:445      0.0.0.0:*      LISTEN      18538/smbd
> udp        0      0 10.10.10.1:137      0.0.0.0:*                  18542/nmbd
> udp        0      0 10.10.10.255:137    0.0.0.0:*                  18542/nmbd
> udp        0      0 10.10.10.1:138      0.0.0.0:*                  18542/nmbd
> udp        0      0 10.10.10.255:138    0.0.0.0:*                  18542/nmbd
> unix  2      [ ]         DGRAM                    194986 18542/nmbd
> unix  2      [ ]         DGRAM                    194960 18538/smbd
> 
> nmblookup from both machines returns this:
> querying server on 10.10.10.255
> name_query failed to find name server
>  
> Right now there are no PCs open in the network, but friday when I was
> testing various configurations,
> I was able to see that one of the XP machines reported back as master
> browser ( I could see the share list
> with _MSBROWSE_ as well. )
> 
>  
> However if I do a unicast request to 10.10.10.1 ( basically it acts as
> a wins server ): 
> querying HDV on 10.10.10.1
> 10.10.10.1 HDV<00>
> 
> In the nmbd.log I have:
>  
> [2008/10/06 08:52:50, 0] nmbd/nmbd.c:main(698)
>   Netbios nameserver version 3.0.28-1.el5_2.1 started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2007
> [2008/10/06 08:52:51, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(290)
>   become_domain_master_browser_bcast:
>   Attempting to become domain master browser on workgroup HOSTNAME on
> subnet 10.10.10.1
> [2008/10/06 08:52:51, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(303)
>   become_domain_master_browser_bcast: querying subnet 10.10.10.1 for
> domain master browser on workgroup HOSTNAME
> [2008/10/06 08:53:01, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
>   *
>  
>   Samba server HNS is now a domain master browser for workgroup
> HOSTNAME on subnet 10.10.10.1
>  
>   *
> [2008/10/06 08:53:15, 0]
> nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
>   *
>  
>   Samba name server HNS is now a local master browser for workgroup
> HOSTNAME on subnet 10.10.10.1
>  
>   *
> 
> Thank you for your time!
>  
> Teodor
>  
> 
> 
> 
> 
> __
> From: Frank Gruman [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, October 05, 2008 10:28 PM
> To: Teodor Iacob
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Nmbd is using the wrong ip address as source
> 
> 
> 
> 
> On Sun, 2008-10-05 at 18:35 +0300, Teodor Iacob wrote: 
> 
> > Does anybody have a suggestion for another list or forum to address
> > this issue?

RE: [Samba] Nmbd is using the wrong ip address as source

2008-10-05 Thread Frank Gruman
On Sun, 2008-10-05 at 18:35 +0300, Teodor Iacob wrote:

> Does anybody have a suggestion for another list or forum to address
> this issue?
> 
> 
> > -Original Message-
> > From: Teodor Iacob 
> > Sent: 4 octombrie 2008 09:14
> > To: [EMAIL PROTECTED]; samba@lists.samba.org
> > Subject: RE: [Samba] Nmbd is using the wrong ip address as source
> > 
> >  
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > > [EMAIL PROTECTED]
> > > Sent: Saturday, October 04, 2008 4:41 AM
> > > To: samba@lists.samba.org
> > > Subject: Re: [Samba] Nmbd is using the wrong ip address as source
> > > 
> > > Teodor Iacob wrote:
> > > > Hello,
> > > > 
> > > > I have a linux box with the following S/W versions:
> > > > CentOS release 5.2 (Final)
> > > > Linux ns.hostname.ro 2.6.18-92.1.13.el5 #1 SMP Wed Sep 24
> > > 19:32:05 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
> > > > Version 3.0.28-1.el5_2.1
> > > > 
> > > > My server has 2 IP interfaces, eth0: with the public ip
> > > address and br0: for the private subnet.
> > > > Br0 being a bridge ip interface between eth1 and tap0 ( for
> > > openvpn ).
> > > > 
> > > > Now my problem is that the nmbd is doing the netbios
> > > broadcasts using the eth0 ip address instead
> > > > of the br0 one. I'm only interested in enabling samba on
> > > the local network (br0). I have checked
> > > > this by using tcpdump on another linux machine in the
> > > network and saw the broadcasts with the source
> > > > address the eth0 ip. Nmbd claims to win the master browsing
> > > election, but in reality the windows machines
> > > > ignore the election packets and another machine becomes
> > > master and the browsing list is messed up..
> > > > The smbd works just fine, connecting to the shares manually
> > > works correctly.
> > > > 
> > > > How can I make nmbd to use the correct ip address? ( btw, I
> > > removed the bridge config just for testing
> > > > and only enabled ip on the eth1 and the same problem.. ). I
> > > saw that in the previous version there was
> > > > a parameter "-I" to force the source address..
> > > > 
> > > > For reference this is my smb.conf:
> > > > [global]
> > > > workgroup = HOSTNAME
> > > > netbios name = HNS
> > > > interfaces = 10.10.10.1 127.0.0.1
> > > 
> > > ... why not just say "interfaces = br0" so that it binds to your 
> > > private interface (which I presume owns 10.10.10.1)?  You 
> > don't need 
> > > to have Samba listen on the loopback address if you can 
> > talk to it on 
> > > another local address.
> > 
> > I mentioned also br0 in my quest of trying all possibilities 
> > I could think of.. No change.
> > But bind is only for listening, my problem is when nmbd
> > sends packets by itself to make the election. I told you smbd
> > works fine and I can see from netstat -an at the LISTEN part 
> > that it was only bound to the 10.10.10.1:139 and 10.10.10.1:445
> > 
> > 
> > > 
> > > > hosts allow = 127.0.0., 10.10.10.
> > > > bind interfaces only = yes
> > > [snip]
> > > > remote announce = 10.10.10.255/HOSTNAME
> > > > socket address = 10.10.10.1
> > > 
> > > Don


First of all, thank you for your patience on volunteer attempts to help
you resolve your issue (considering it is still the weekend in much of
the world).

Now, can you include a portion of the tcpdump you viewed from the other
machine (particularly the part where the wrong address is appearing).
Also, I am assuming you have restarted both smbd and nmbd after each
configuration change.

To verify that your samba settings are being read properly, try to run
"netstat -nap |grep [sn]mbd" to see which ports are open on your local
machine.  Also, try running "nmblookup -B 10.10.10.255 server" to ensure
that nmbd is responding to name server queries on the broadcast address.

I Googled a moment, and came up with much of the above from here -
http://samba.org/~tpot/articles/multiple-interfaces.html

Let us know how it goes.

Regards,
Frank


Re: [Samba] "hide dot files" parameter

2008-09-24 Thread Frank Gruman
On Wed, 2008-09-24 at 11:36 +0200, Jean Frontin wrote:
> Hi,
> 
> I put "hide dot files = yes" in [homes] section.
> I don't understand why I always see files beginning with a dot when I 
> open a session on this server.
> 
Do you have the option to view hidden files enabled in Windows?? (From
Windows Explorer > Tools > Folder Options > View tab > near the bottom
of the first page is the option for "Hidden files and folders").  A dot
(.) file in Windows is not automatically considered hidden unless the
Samba option you have set is enabled.  The option I noted here will
effectively disable that option.

> Have a good day
You as well.

Regards,
Frank




Re: [Samba] Integrating Misys into existing Samba network

2008-02-21 Thread Frank Gruman
I am making an assumption that by Active Domain, you mean Active
Directory?  Does the MISYS server only have to act as a domain member
server, and authenticate users based on their existence / password in
whatever back end authentication system provided?  If you are running
centralized authentication through Samba as an NT-style domain
controller, you should still be able to get user authentication to work
with a Win2K3 server.  I have 5 Win2K3 boxes that act as member servers
in my Samba lab right now.  Two of them actually use my Samba backend
for user authentication in the apps they run.


You need to find out specifically what functionality MISYS requires of
your authentication system.

Regards,
Frank

On Thu, 2008-02-21 at 20:13 -0700, Jeff Ross wrote:
> Hi,
> 
> I do the networking for a smallish medical clinic here.  They have 
> decided to go with the Misys MyWay Electronic Medical Records system.  
> The engineers from Misys about freaked out when they found out that I'm 
> running Samba on OpenBSD, and had all kinds of issues they were worried 
> about--whether their Windows Server 2003 system with Active Domain would 
> integrate with Samba was the biggest, how SQL Server would integrate was 
> next and so on.
> 
> I'm not using Active Domain for the samba server, and never have, so I 
> couldn't really address their concerns.
> 
> My question, then, is twofold:  has anyone out there integrated Misys 
> into a Samba network, and if not, can anyone see a reason why I can't 
> just drop their server into the network?  As I understand it, and 
> believe me, I know not much about Misys at all yet, each client has to 
> authenticate against the Misys server.  I fail to see why this is a 
> problem but if you've ever had a bad experience integrating some sort of 
> middleware like this into an existing network I'd sure like to hear 
> about it.
> 
> The sooner the better--their Misys server is scheduled to be installed 
> on Wednesday, 2/27/2008.
> 
> Thanks,
> 
> Jeff Ross



[Samba] Re: windows 2008 server support

2008-02-17 Thread Frank Gruman
Neeraj,

This is the type of question better directed to the general user
community.  The developers here try to spend their time focusing on
development and design.  The user list is a more appropriate list.  I
have copied that list as well.

FYI - If you have not read the Samba documentation yet you should start
there.  It does a pretty good job of detailing Samba in a Windows
environment.  If your definition of "multi-OS" goes beyond that, ask the
users list.  Someone else out there may have a similar configuration as
you.

Regards,
Frank

On Fri, 2008-02-15 at 13:42 +0530, neeraj suriyal wrote:
> Dear Samba Team ,
> Can anyone tell me how I can configure Samba as PDC in multi OS environment
> 
> 
> On 14/02/2008, feroz ahmed <[EMAIL PROTECTED]> wrote:
> >
> > Dear Samba Team,
> >
> > In samba source repository there are two branches "3.2 test" and "3.0test"
> > both of these will support windows 2008 server.
> >
> > My question is do samba team provide 2008 server support for the next
> > version of  3.0.x too???
> >
> 
> 
> 



Re: [Samba] Official Samba builds for Ubuntu?

2008-01-26 Thread Frank Gruman
Michael,

I believe Ubuntu has builds of Samba available through their
repositories.  Most of the tutorials you can find through a simple
search will inform you to use apt-get to pull down samba if you don't
already have it installed.

See these links:
http://ubuntuforums.org/showthread.php?t=202605
http://ubuntuforums.org/showthread.php?t=451314
http://ubuntuforums.org/showthread.php?t=575214

Regards,
Frank

On Sat, 2008-01-26 at 21:45 -0500, Michael Lueck wrote:
> Greetings-
> 
> I am wondering if anyone from the Samba team would happen to have interest in 
> creating official builds for Ubuntu?
> 
> To add a twist, unfortunately I would not be fishing for 7.10 packages, but 
> rather 7.04 as we ran into too many issues with 7.10 whereas 7.04 seems rock 
> solid stable.
> 
> Or, are there packages built of Samba releases for Ubuntu external to 
> samba.org?
> 
> Thanks,
> 
> -- 
> Michael Lueck
> Lueck Data Systems
> http://www.lueckdatasystems.com/
> 



Re: [Samba] ldap interface authentication

2008-01-09 Thread Frank Gruman

On Wed, 2008-01-09 at 06:26 -0800, Deas, Jim wrote:
> What specific ldap config files are used by samba when it's used as the
> backend db?
> 
> I have followed the FDC Howto and set up the ldap data on a dedicated FDC
> server. From the samba machine I have been able to do 'ldapsearch -x  -D
> "cn=dirmng" -W *' for all the sambaSam information. I have added the
> ldap data to smb.conf and set the passwd for the admin account.
> 
> What appears to happen to me is that my ldap server is set up for simple
> authentication only while it looks like smb is not. How can I specify
> smb use simple authentication?
> 
>  

Try using 'ldap ssl = off' in your smb.conf.  According to the man page
(man smb.conf)
"The ldap ssl can be set to one of three values:

 ·  Off = Never use SSL when querying the directory.

 ·  Start_tls = Use the LDAPv3 StartTLS extended operation (RFC2830)
    for communicating with the directory server.

 ·  On = Use SSL on the ldaps port when contacting the ldap server.
    Only available when the backwards-compatibility --with-ldapsam
    option is specified to configure. See passdb backend

Default: ldap ssl = start_tls"

Hope that helps.

Regards,
Frank
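
Added example (not part of the original post, and not Samba's own code): `ldap ssl = off` removes the TLS layer for `ldap://` URIs, so with a simple bind the directory password then crosses the network unencrypted, while an `ldaps://` URI in `passdb backend` is still protected. The Python check below classifies a constructed smb.conf fragment accordingly; the host name, suffix and function names are assumptions, and the default is the one given in the man page text quoted above.

```python
import re

# Constructed smb.conf fragment; host name and suffix are placeholders.
SAMPLE_CONF = """\
[global]
    ; constructed example, not from the thread
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap ssl = off
"""

def global_params(conf_text):
    """Collect [global] parameters; names are matched ignoring case and spaces."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def ldap_transport(conf_text):
    """Map each LDAP host in `passdb backend` to how the connection is protected."""
    params = global_params(conf_text)
    backend = params.get("passdbbackend", "")
    if not backend.lower().startswith("ldapsam"):
        return {}
    # Default as stated in the man page text quoted in the post above.
    mode = params.get("ldapssl", "start_tls").lower()
    verdicts = {}
    for scheme, host in re.findall(r"(ldaps?)://([^\s\"/]+)", backend):
        if scheme == "ldaps" or mode == "on":
            verdicts[host] = "tls (ldaps)"
        elif mode == "start_tls":
            verdicts[host] = "tls (starttls)"
        elif mode == "off":
            verdicts[host] = "cleartext"
        else:
            verdicts[host] = "unknown"
    return verdicts

if __name__ == "__main__":
    print(ldap_transport(SAMPLE_CONF))
```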




Re: [Samba] winbind nss configuration

2007-06-14 Thread Frank Gruman
On Thu, 2007-06-14 at 19:18 -0500, Jerome Haltom wrote:

> I'm having the hardest time trying to come up with the optimal
> configuration with NSS Winbind support. I want it to work right offline.
> That is, name lookups shouldn't take 30 minutes to time out or lock the
> system up. And if the name lookup is for a local name, I want Winbind to
> be 100% out of the picture.
> 
> I've tried this, without much luck:
> 
> passwd: compat [SUCCESS=return] winbind
> groups: compat [SUCCESS=return] winbind
> 
> My naive understanding is that this would make name lookups that
> succeeded in `compat` completely avoid winbind. That was my understanding
> until I disconnected the machine and could not log in as root.
> 
> What am I missing?
> 
> 


What do your PAM files look like??  What is your distribution?  I know
for a while that SUSE was putting winbind in as a required auth
mechanism which kind of sucks for anything offline or for local users.

Try looking at it from that path.  Perhaps a method of 'sufficient'
would be good for all 4 methods (auth, acc, sess, pass).

Regards,
Frank


Re: [Samba] Building Samba 4 - Includes.c missing?

2007-02-27 Thread Frank Gruman
>From: Frank Gruman <[EMAIL PROTECTED]>
>Date: 2007/02/27 Tue PM 08:24:45 CST
>To: samba@lists.samba.org
>Subject: [Samba] Building Samba 4 - Includes.c missing?

>Hello all,
>
>I've been peacefully using Samba 3 for about 3 years now, and it has done a 
>wonderful job in my little world as domain member servers for file and print 
>serving.  Much bettetrver farms that some of my peers in the company are using.
>
>So I want to try Samba 4 and see if I can play with making it my PDC.  The 
>only problem is that when I go to make, I receive the following error:
>
>...
>Creating torture/ndr/proto.h
>Generating dependencies for torture/ndr/ndr.c
>Generating dependencies for torture/local/local.c
>Removing precompiled headers
>Precompiling include/includes.h
>gcc: include/includes.c: No such file or directory
>gcc: no input files
>make: *** [include/includes.h.gch] Error 1
>
>
>This, after a successful autoconf, configure, and make pch all.  In looking in 
>the include folder, there is only includes.h.
>
>I pulled the files straight from subversion, so would have hoped that I got 
>everything necessary.  Has anyone else had this issue building Samba 4?
>
>Regards,
>Frank
>

Wow - I stepped on my earlier note...should have read "Much better than the 
Win2k3 server farms..."

Anyway - that aside, I realized I had not added any extra potentially pertinent 
info:

OS = OpenSUSE 10.2
gcc = 4.1.2

Also - I ran autogen.sh, and not autoconf as I noted above.  Basically, I did 
everything defined in the howto.txt that is pulled down with the code.

Regards,
Frank


[Samba] Building Samba 4 - Includes.c missing?

2007-02-27 Thread Frank Gruman
Hello all,

I've been peacefully using Samba 3 for about 3 years now, and it has done a 
wonderful job in my little world as domain member servers for file and print 
serving.  Much bettetrver farms that some of my peers in the company are using.

So I want to try Samba 4 and see if I can play with making it my PDC.  The only 
problem is that when I go to make, I receive the following error:

...
Creating torture/ndr/proto.h
Generating dependencies for torture/ndr/ndr.c
Generating dependencies for torture/local/local.c
Removing precompiled headers
Precompiling include/includes.h
gcc: include/includes.c: No such file or directory
gcc: no input files
make: *** [include/includes.h.gch] Error 1


This, after a successful autoconf, configure, and make pch all.  In looking in 
the include folder, there is only includes.h.

I pulled the files straight from subversion, so would have hoped that I got 
everything necessary.  Has anyone else had this issue building Samba 4?

Regards,
Frank



Re: [Samba] Multiple authentication databases with Samba in ADS mode

2007-02-14 Thread Frank Gruman

Robert Bannocks wrote:

> I have Samba with Kerberos in server = ads mode.  I however, have a few
> odd accounts that only exist under Unix.  Is it possible to get samba to
> "fall back" on the local smbpassword file for users not found in ADS?
> If so how?
>
> Thanks

Robert,

How do you have your PAM modules configured?  Also, your nsswitch.conf 
should allow for the order of authentication.


Double check your configuration of these against what is in the Samba 
Guide for ADS integration - 
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm




[Samba] Active Directory authentication very slow (winbind/PAM)

2005-06-09 Thread Frank Gruman

Hello all,

SLES9
Apache 2.0.54
Samba 3.0.9-2.6-SUSE
PAM 0.77

I have been using Linux for a while on the side, and am now taking 
advantage of my position to try to implement a test server.  I am the 
technical product and network lead in my department with a higher MIS 
group that dictates global network access.  They do not want to change 
any of the existing ADS network to accommodate my small Linux setup, so I 
am not able to set up LDAP for authentication (they won't provide the ADS 
LDAP address or attributes).  I am trying to set up a web server to allow 
access to some applications I am hosting (Subversion, ViewCVS) on this 
server, and want the users to be able to authenticate to their ADS 
accounts.  To get there, I have set up winbind using pam_winbind and in 
Apache, mod_auth_pam.


I have Samba authenticating to a medium-sized Windows 2000 Active 
Directory domain (approx 5000 users).  The authentication times are 
ranging from 15 to 30 seconds, and when trying to win acceptance for 
Linux as a stable server platform / file and development code 
repository, this performance is unacceptable to many of my peers.  It is 
the same whether they authenticate through the Apache engine or if I add 
authentication to the xdm config and I login to KDE, or even from 
command line.


Anyone have any ideas or better ways of doing this?

Regards,
Frank