Re: [Samba] idealx-smbtools gone?
On Mon, 11 Jun 2007 19:58:40 +0200 (CEST), Asier wrote:

Andreas Paulick said:

Does anyone know a valid source? Am I blind, looking for trees while standing in a forest?

You can go to their sourceforge page and download from there[1], or you can take it from some distribution. In Debian you have the original sources[2] and the .deb package.

[1] http://sourceforge.net/projects/smbldap-tools/
[2] http://packages.debian.org/smbldap-tools

They are also included in the standard .tgz source in the directory examples/LDAP/smbldap-tools-0.9.2 ...

Best regards,

Ganaël LAPLANCHE
[EMAIL PROTECTED]
http://www.martymac.com

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] New version of the ldapscripts
Hi all,

I've had good feedback from people using ldapscripts v1.0... Here is a new 1.1 version, with the following improvements :

- Ability to create home directories and set rights
- Ability to generate randomized (or not) passwords while creating a user
- Password list generation can be activated while doing a massive user import / creation
- Added an _ldapinit command to initialize the LDAP tree
- ... and bug fixes / code improvements

Here is a direct link to download the v1.1 :
http://contribs.martymac.com/ldapscripts/ldapscripts-1.1.tgz

Again, any feedback welcome :)

Ganaël LAPLANCHE
[EMAIL PROTECTED]
http://www.martymac.com
Tel : (+33)6.84.03.57.24.
[Samba] Ldapscripts v1.0 !
Hi all,

I've been working on shell scripts that allow to manage ldap accounts (users, groups, machines). They are similar to the smbldap-tools but do not need PERL to work (and so on...) and are *very* simple to configure - they may be a good alternative. The only tools you need are standard ldap client commands (ldapadd, ldapdelete, ldapmodify, ldapsearch).

The scripts can be used as standalone commands or within Samba configuration :

add machine script = /usr/local/bin/ldapaddmachine '%u' sambamachines
add user script = /usr/local/bin/ldapadduser '%u' sambausers
add group script = /usr/local/bin/ldapaddgroup '%g'
add user to group script = /usr/local/bin/ldapaddusertogroup '%u' '%g'
delete user script = /usr/local/bin/ldapdeleteuser '%u'
delete group script = /usr/local/bin/ldapdeletegroup '%g'
delete user from group script = /usr/local/bin/ldapdeleteuserfromgroup '%u' '%g'
set primary group script = /usr/local/bin/ldapsetprimarygroup '%u' '%g'

(see README file for more details)

For those who want to give a try, you can find the tarball of ldapscripts v1.0 here :

http://contribs.martymac.com
http://linagora.org/article108.html

Just extract the tarball and type in ./install as root...

These scripts are in early version, so feel free to send bug reports and any feedback !

Ganael LAPLANCHE - http://www.martymac.com
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Re: [Samba] Ldapscripts v1.0 !
Hi Jochen,

You must use the root account (or any account with a UID=0) on the client side to join a machine to the domain...

The log of the ldapscripts is right : the POSIX account must have been created on the LDAP directory (you can check it by searching the accounts on the LDAP directory) BUT samba could not add its piece of info (LDAP attributes) on the LDAP...

Sincerely,

Ganaël LAPLANCHE
[EMAIL PROTECTED]
http://www.martymac.com
Tel : (+33)6.84.03.57.24.

-- Original Message ---
From: Jochen Witte [EMAIL PROTECTED]
To: Ganael Laplanche [EMAIL PROTECTED]
Cc: samba@lists.samba.org, samba-technical@lists.samba.org
Sent: Tue, 08 Feb 2005 18:17:37 +0100
Subject: Re: [Samba] Ldapscripts v1.0 !

Hi

I just tried out your scripts on a brand new installation. Very cool but:

ldapscripts.log:
02/08/05 - 06:09:01 : Command : /usr/local/bin/ldapaddmachine Successfully added machine philippines$ to LDAP

samba-log:
--
[2005/02/08 18:09:01, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:02, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:03, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:04, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:05, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:06, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:07, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:08, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:09, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:10, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:11, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:12, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:13, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:14, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:15, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:16, 0] lib/smbldap.c:smbldap_open(881)
  smbldap_open: cannot access LDAP when not root..
[2005/02/08 18:09:16, 0] lib/smbldap.c:smbldap_search_suffix(1169)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Timed out)
[2005/02/08 18:09:16, 0] rpc_server/srv_samr_nt.c:_samr_create_user (2398)
  could not add user/computer philippines$ to passdb. Check permissions?
=

I am not able to add a machine account. Any hints?

/Jochen

On Tuesday, 08.02.2005, 15:27 +, Ganael Laplanche wrote:

Hi all,

I've been working on shell scripts that allow to manage ldap accounts (users, groups, machines). They are similar to the smbldap-tools but do not need PERL to work (and so on...) and are *very* simple to configure - they may be a good alternative. The only tools you need are standard ldap client commands (ldapadd, ldapdelete, ldapmodify, ldapsearch).

The scripts can be used as standalone commands or within Samba configuration :

add machine script = /usr/local/bin/ldapaddmachine '%u' sambamachines
add user script = /usr/local/bin/ldapadduser '%u' sambausers
add group script = /usr/local/bin/ldapaddgroup '%g'
add user to group script = /usr/local/bin/ldapaddusertogroup '%u' '%g'
delete user script = /usr/local/bin/ldapdeleteuser '%u'
delete group script = /usr/local/bin/ldapdeletegroup '%g'
delete user from group script = /usr/local/bin/ldapdeleteuserfromgroup '%u' '%g'
set primary group script = /usr/local/bin/ldapsetprimarygroup '%u' '%g'

(see README file for more details)

For those who want to give a try, you can find the tarball of ldapscripts v1.0 here :

http://contribs.martymac.com
http://linagora.org/article108.html

Just extract the tarball and type in ./install as root...

These scripts are in early version, so feel free to send bug reports and any feedback !

Ganael LAPLANCHE - http://www.martymac.com
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--
Jochen Witte [EMAIL PROTECTED]
--- End of Original Message ---
Re: [Samba] Group Mapping Problems with Samba 3.0.2a OpenLDAP 2.2.6
Hi, Didn't you forget to create a posixGroup entry for the group you're trying to add ? 1 - Create your group in /etc/group groupadd somegroup 2 - Add this entry to your Ldap directory : dn: cn=somegroup,ou=Groups,dc=domain,dc=com objectClass: posixGroup cn: somegroup gidNumber: 1003 (modify the dn and gid to match your needs...) Once this entry added, you should be able to map somegroup to any Windows group... Good luck, Ganaël LAPLANCHE [EMAIL PROTECTED] http://www.martymac.com Tel : (+33)6.84.03.57.24. -- Original Message --- From: Chris Slack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Mon, 15 Mar 2004 13:58:34 - Subject: [Samba] Group Mapping Problems with Samba 3.0.2a OpenLDAP 2.2.6 Hello all, I am attempting to setup a Samba 3.0.2a based PDC using OpenLDAP 2.2.6 for my user/group authentication backend. So far everything seems to be working properly, I can join the domain from a Win2k PC, login via an account created with smbldap-useradd.pl, map my home directory, run the proper login script, etc. However, with all of that working I'm still having difficulties getting group mapping to work. I've run through the steps in the Samba HOWTO manual and tried everything else I could find on the web but I'm stumped at this point. When I type: net groupmap list I get nothing, when I type: net groupmap add rid=512 ntgroup=Domain Admins unixgroup=Domain Admins I get the message adding entry for group Domain Admins failed!. I've tried several permutations of this using different groups, I've tried adding groups to the local /etc/group file to see if it was having an issue with LDAP, but nothing seems to help. I can't seem to find anyone else who has had this problem and like I said, everything else is working fine. Attached to the bottom of this message is a dump from testparm with the details of my /etc/samba/smb.conf file. Please let me know if anyone can give me any suggestions. 
Thanks, Chris Slack IT System Administrator Mercy Ships M/V Anastasis - Currently docked in Freetown, Sierra Leone, West Africa www.mercyships.org [EMAIL PROTECTED] /etc]# testparm Load smb config files from /etc/samba/smb.conf Processing section [homes] Processing section [nobody] Processing section [netlogon] Processing section [Profiles] Loaded services file OK. Server role: ROLE_DOMAIN_PDC Press enter to see a dump of your service definitions # Global parameters [global] workgroup = CHANNEL server string = Samba Server null passwords = Yes passdb backend = ldapsam:ldap://127.0.0.1/ passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* unix password sync = Yes log file = /var/log/samba/log.%m max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 add user script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null -g 553 -s /bin/false %u add machine script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null -g 553 -s /bin/false %u logon script = login.js logon path = \\%L\Profiles\%U logon drive = X: domain logons = Yes os level = 64 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap port = 389 ldap suffix = ou=MSAN,dc=ana,dc=mercyships,dc=org ldap admin dn = cn=Manager,dc=ana,dc=mercyships,dc=org ldap ssl = no [homes] comment = Home Directories read only = No browseable = No [nobody] comment = to prevent from user nobody from having a home share path = /dev/null browseable = No [netlogon] comment = Network Logon Service path = /msu/netlogon browseable = No share modes = No root preexec = /usr/local/bin/mkuserconfig.pl %U root postexec = rm /msu/netlogon/%U.conf [Profiles] path = /msu1/Profiles read only = No create mask = 0600 directory mask = 0700 guest ok = Yes browseable = No -- To unsubscribe from this list go to the following URL and read the instructions: 
http://lists.samba.org/mailman/listinfo/samba --- End of Original Message --- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] New French Samba document - Admin tool specs
Hi all,

For those of you who can speak French (sorry for the others), here is a new document I've just written (working at EDF Research center).

Summary :

- Group mapping limits (test results, bugs)
- Admin tools comparison / limits
- New *complete* Admin tool / API specification (basis for tool devel)
[...]

Here is a link to my contribs web page : http://contribs.martymac.com

The doc is published within the GNU-FDL license. I hope this document will be useful... Any comment/suggestion welcome !

Ganaël LAPLANCHE, [EMAIL PROTECTED]
http://www.martymac.com
[Samba] [PATCH] Group mapping primary group SID update
Hi all ! This is a patch for Group mapping bug #1 reported here : http://lists.samba.org/archive/samba-technical/2004-January/034057.html It activates users' primary group SID update when adding/modifying/deleting a group mapping. It patches utils/net_groupmap.c (net_groupmap_add, net_groupmap_modify, net_groupmap_delete) and can be applied to samba-3.0.2rc1. net_groupmap_add : Scan users having the *new* Unix gid mapped as primary group and update their primaryGroupSid info in passdb. net_groupmap_modify : Scan users having the *old* Unix gid mapped as primary group and update their primaryGroupSid info in passdb by computing it. Scan users having the *new* Unix gid mapped as primary group and update their primaryGroupSid info in passdb. net_groupmap_delete : Scan users having the *old* Unix gid mapped as primary group and update their primaryGroupSid info in passdb by computing it. !!!NOTE!!! : THIS PATCH DOESNT WORK WITH TDB BACKEND, but it works perfectly with ldap backend. Since I'm not a Samba guru, I couldn't make this patch work with TDB backend. I think it is very simple to fix : the problem is pdb_ldap and pdb_tdb doesn't update sam account the same way : pdb_tdb.c invalidates the iterator during a sam update (while pdb_ldap doesn't), so the main loop crashes after the first pdb_update_sam_account while trying to use pdb_getsampwent. The patch may be easy to fix and can be a good start for an final bugfix. - Start of updatesid.patch - --- utils/net_groupmap.c.orig 2003-09-24 19:16:13.0 +0200 +++ utils/net_groupmap.c2004-01-29 13:38:06.0 +0100 
@@ -80,6 +80,65 @@ return True; } +/** + Update primary group SID in passdb with string_sid + for users whose Unix primary group is gid. Useful + after a net_groupmap add/modify/delete. +**/ +static BOOL update_users_primgroup_sid(const gid_t gid, fstring string_sid) +{ + SAM_ACCOUNT *sam_pwent=NULL; + struct passwd *pass=NULL; + fstring usrname = ; + + /* Initialize static context */ + if(!initialize_password_db(True)) { + DEBUG(0,(update_users_primgroup_sid: Cannot initialize password database.\n)); + return False; + } + /* Open password database for update */ + if(!pdb_setsampwent(True)) { + DEBUG(0,(update_users_primgroup_sid: Cannot open password database.\n)); + return False; + } + + while (NT_STATUS_IS_OK(pdb_init_sam(sam_pwent)) pdb_getsampwent(sam_pwent)) { + fstrcpy(usrname,pdb_get_username(sam_pwent)); + if(!(pass = Get_Pwnam(usrname))) { + DEBUG(0,(update_users_primgroup_sid: Cannot find Unix account for %s.\n, usrname)); + return False; + } + + if ((pass-pw_gid) != (gid_t)-1) { + /* Check if user's primary group SID must be updated (if mapped gid is the user's primary group gid) */ + if (pass-pw_gid == gid) { + if (string_sid) { /* String specified, use it */ + pdb_set_group_sid_from_string(sam_pwent, string_sid, PDB_CHANGED); + } + else { /* no string specified, must compute the RID */ + pdb_set_group_sid_from_rid(sam_pwent, pdb_gid_to_group_rid(pass-pw_gid), PDB_CHANGED); + } + + /* Commit changes */ + if (pdb_update_sam_account(sam_pwent)) { + /* Works well with pdb LDAP, BUT !!Error!! while using pdb TDB : pdb_tdb.c invalidates + the iterator in tdb_update_sam (called by pdb_update_sam_account). The result is + an iterator error in the next pdb_getsampwent of the loop. 
MUST BE CORRECTED*/ + d_printf(Successully updated primary group SID for user %s\n, usrname); + } + else { + d_printf(Could not update primary group SID for user %s\n, usrname); + } + } + } + pdb_free_sam(sam_pwent); + } + pdb_free_sam(sam_pwent); + pdb_endsampwent(); + + return True; +} + /* Dump a GROUP_MAP entry to stdout (long or short listing) **/ @@ -287,6 +346,9 @@ } d_printf(Successully added group %s to the mapping db\n, ntgroup); + + update_users_primgroup_sid(gid, string_sid); +
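Review bot: In update_users_primgroup_sid, the return False taken when Get_Pwnam() finds no Unix account leaves the enumeration loop without calling pdb_free_sam(sam_pwent) or pdb_endsampwent(), so the SAM_ACCOUNT leaks and the enumeration opened by pdb_setsampwent(True) is never closed. It also means a single Samba account without a Unix counterpart stops the update for every remaining user; free the entry and continue with the next one, or jump to a common cleanup path. The comment above the pdb_update_sam_account() result documents that the TDB backend invalidates the iterator during an update, so the function should either refuse to run on that backend or collect the matching user names first and update them after pdb_endsampwent().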
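Review bot: The call update_users_primgroup_sid(gid, string_sid) added after the "Successully added group" message discards the BOOL result, so net groupmap add still reports success when the password database could not be opened and no primary group SID was rewritten. Check the return value and print a warning or return a failure status when it is False. The word Successully in the existing message is also repeated in the new function's own d_printf and is worth correcting in both places.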
[Samba] Group mapping bugs + PATCH
= NULL; + GROUP_MAP dummy; + + if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, dummy, +map-gid))) { + DEBUG(0, (ldapsam_update_group_mapping_entry: Unix group %ld already mapped in LDAP\n, (unsigned long)map-gid)); + return NT_STATUS_UNSUCCESSFUL; + } + rc = ldapsam_search_one_group_by_gid(ldap_state, map-gid, result); if (rc != LDAP_SUCCESS) { - end of pdb_ldap.c.patch - Note : I also modified debug info to make them more explicit... * Final note Hope this helps, any question/comment welcome ! Ganael LAPLANCHE [EMAIL PROTECTED] http://www.martymac.com -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
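Review bot: The added ldapsam_getgrgid() check rejects the call whenever the gid in map already has a mapping, while the DEBUG text names ldapsam_update_group_mapping_entry. If this hunk sits in the update path, the lookup will find the very entry being updated, and any update that keeps the same gid will fail with NT_STATUS_UNSUCCESSFUL; compare the SID returned in dummy with the SID in map and reject only when they differ. If the hunk sits in the add path instead, the debug string names the wrong function. A duplicate mapping is an operator error rather than a server fault, so DEBUG level 0 is louder than it needs to be.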
[Samba] Samba-LDAP Howto
Hi all,

For those of you who speak French, I've written a small Samba 2.2.8a/Ldap Howto. It's available on my website : http://www.martymac.com (Avoid the html format still the conversion isn't really perfect !).

I hope this document will help you :)

Regards,

Ganaël LAPLANCHE.
[Samba] Backing up NT4 shares - migration from NT4 to Samba
Hi all,

I'm trying to migrate my NT4 PDC to a Samba v3rc2 PDC. Everything worked well during accounts migration (vampire). I'm now trying to back-up the shares (homes, profiles, netlogon), in order to fully migrate the accounts.

Unfortunately, I'm facing a stupid problem : each home directory (or profile directory) can only be read from its creator, NOT from the Administrator of the machine. So, I can't use smbclient (then the tar command) or smbtar, because I always get an access denied error.

How can I easily create an archive of each share ? I don't want to reset each right on each folder/file and to give me permissions !!! I thought the Admin could do everything... isn't it right on NT ? How do you, admins, make backups of data you can't read ?

Thank you very much,

Regards,

Ganaël LAPLANCHE.
Ref.: Re: [Samba] Net rpc vampire : NT_STATUS_ACCESS_DENIED
Hi all,

Thank you for your help, and sorry for my late answer. Everything works fine by now !

Yes, you have to become a BDC to vampire the accounts ! This is why I was getting an Access denied error : I thought my Samba was a BDC, but I forgot to add domain logon = Yes in my smb.conf, so Samba was a simple share server.

Here are the steps I followed to suck the accounts :

1 - smb.conf extract :

--
; low OS level
os level = 40
domain logons = Yes
domain master = No
local master = No
; Undocumented : this is compulsory to allow Samba to create Unix accounts on the Samba server
; Created in two groups : samba and machines
add machine script = /usr/sbin/useradd -g machines -c "Samba Machine" -d /dev/null -s /bin/false '%u'
add user script = /usr/sbin/useradd -g samba -c "Samba User" -d /dev/null -s /bin/false '%u'
add group script = /usr/sbin/groupadd '%g'
add user to group script = /usr/sbin/usermod -G `/usr/bin/id -G '%u' | /bin/sed 's/ /,/g'`,'%g' '%u'
--

2 - Testparm should report : ROLE_DOMAIN_BDC

3 - Add an account for the Samba machine on the NT4 station (via server manager)

4 - Start Samba

5 - Join the domain :

net rpc join -S nt4 machine's netbios name -w domain name -U Administrator

(the samba machine should appear as a BDC on the NT4 server manager)

6 - Vampire :

net rpc vampire -S nt4 machine's netbios name) -U Administrator%password

Everything should be okay, except that Samba won't be able to create system accounts for compound names and names with accents. You'll have to modify system groups names on the NT4 server BEFORE sucking them, with a tool such as ultraadmin (http://www.doriansoft.com/ultraadmin/).

After having vampired your victims, you'll be able to see them zombiing in your Unix box with :

System :
- getent passwd
- getent group

Samba :
- pdbedit -L

Shows the groups/users/machines accounts you've just imported.

If you try : net groupmap list you'll see every group has correctly been mapped.

Thanks to your answers and to : http://lists.samba.org/pipermail/samba/2002-November/085854.html

Good luck,

Ganaël.

Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Net rpc vampire : NT_STATUS_ACCESS_DENIED

On Fri, Aug 29, 2003 at 02:11:13PM -0400, Andrew Kohlsmith wrote:

Did you set the domain sid on the Samba box? This must match the NT4 domain SID if you are going to be recognized as a BDC.

I thought it wasn't possible to have samba be the BDC for an NT4 PDC??

Things change in Samba3.0. You need to join as a BDC in order to vampire out all the account info to take over as PDC.

Jeremy.
[Samba] Net rpc vampire : NT_STATUS_ACCESS_DENIED
Hi !

I'm trying to migrate accounts from my NT4 server, I followed each step described in the HOWTO :

- turned off samba
- set domain master at No in config file
- created groups + mappings as it is advised to
- created the BDC account in the NT4 server manager
- net rpc join'ed the domain

but when I try to vampire user/group accounts, here is what I get :

# net rpc vampire -S MYDC-NT4 -U Administrator
Fetching DOMAIN database
Failed to fetch domain database: NT_STATUS_ACCESS_DENIED

A 5th-level debug gives the following result :

[2003/08/28 12:42:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(664)
  0034 status: NT_STATUS_ACCESS_DENIED
Failed to fetch domain database: NT_STATUS_ACCESS_DENIED

Nothing interesting... I suppose I haven't correctly created the BDC account on my NT machine... Am I right ? How can I do that ? Do I have to turn Samba on before vampiring ?

There is also something strange : net doesn't ask for the Administrator password, that may be why it can't access the NT4 server, but even with %mypassword, it doesn't work... Is there another way of specifying the password ? Could it be the source of my problem ?

Thank you,

Ganaël LAPLANCHE.
[Samba] Can a user belong to two groups in Samba ???
Hi,

I'm using samba 3b3 (+ldapsam) and have created a user belonging to two groups :

- his primary group is mapped to the Domain Users Windows group,
- his secondary one is mapped to the Domain Admins Windows group.

Unfortunately, only the first group seems to be known by Samba, since the user doesn't become a Domain Admin at all (but he is a Domain User)...

I've googled a lot and haven't been able to find much info about multiple-groups-per-user handling in Samba ; some users seem to get the same problem without getting a solution ; Redhat did record this as a bug in bugzilla...

So : Is it a bug ? Is it related to LDAP ? Finally, Is it possible to have a user belonging to two (or more) Windows domain groups ?

Regards,

Ganaël.
[Samba] cannot access LDAP when not root
Hi all,

While playing with group mapping, I'm regularly getting this error :

[2003/08/07 08:10:39, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1619)
  ldapsam_search_one_group: searching for: [((objectClass=sambaGroupMapping)(gidNumber=1001))]
[2003/08/07 08:10:39, 0] lib/smbldap.c:smbldap_open(799)
  smbldap_open: cannot access LDAP when not root..
[2003/08/07 08:10:39, 1] lib/smbldap.c:smbldap_retry_open(888)
  Connection to LDAP Server failed for the 1 try!
[2003/08/07 08:10:39, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1634)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)ldapsam_search_one_group: searching for: [((objectClass=sambaGroupMapping)(gidNumber=1002))]

I know I can access the LDAP server because every user in my domain can authenticate. Moreover, Group mapping works...

What's the matter ? Who must be root... Smbd/Nmbd belong to root...

Thank you very much,

Ganaël.
[Samba] How does group mapping function ?
Hi all,

this is a re-post, maybe the Samba Team can help ?

I'm testing group mapping, wondering how it works exactly... I thought Samba was storing a mapping table allowing to retrieve infos on Unix/Windows groups in a DYNAMIC way. Unfortunately, group mapping seems to be static, here is what I did :

[I'm using Samba b3v3 + LDAP, WITHOUT nss-ldap/pam-ldap/winbind - everything is stored in my /etc/passwd and /etc/group + in LDAP for Samba accounts]

1) Created Unix group (let's say domusers) :

groupadd domusers

2) Created LDAP group, with ldapadd, and a file containing :

dn: cn=domusers,ou=Users,dc=domain,dc=org
objectClass: posixGroup
gidNumber: 1001
cn: domusers
memberUid: foo

3) Created Unix user (foo, primary group domusers) :

useradd -g domusers foo

4) Created Group mapping :

net groupmap add sid=mySID-513 unixgroup=domusers ntgroup=Domain Users type=domain

(then net groupmap list, OK)

5) Finally, created LDAP (samba) user :

smbpasswd -a foo

Ok, no problem, foo gets the domain local sid + the domain users rid as SambaPrimaryGroupSid, he IS a Win Domain User.

Here is what I don't understand : If I delete the groupmapping or modify it, the SambaPrimaryGroupSid of foo isn't modified ! Foo remains a Domain User...

Another example : if I create first the user, then the mapping : the user doesn't get the new SambaPrimaryGroupSid and doesn't become a Domain User...

Am I missing something ? Is the mapping only used while creating users ? I thought the table was used in a more dynamic way... Is there a technical limit in implementing this function this way ?

Please help me...

Regards,

Ganaël.
[Samba] Secondary group not working ?
Hi,

I'm using samba 3b3 and have created a user with two groups : his primary group is mapped to the Domain Users Windows group, and his secondary one is mapped to the Domain Admins Windows group.

Unfortunately, only the first group seems to be known by Samba, since the user doesn't become a Domain Admin at all (but he is a Domain User)...

I've googled a lot and haven't been able to find any info about multiple-groups handling in Samba ; many users seem to get the same problem without getting a solution...

Any clue ?

Regards,

Ganaël.
Ref.: Re: Ref.: [Samba] system users and smbpasswd users
Hi :)

As I'd say in French de rien ! (you're welcome :))

Yes, you can use PAM to redirect the system authentication calls to your LDAP directory, but in reality samba will continue to use two types of accounts : the posixAccounts (same as /etc/passwd) and the sambaSamAccounts. Everything will be stored in your LDAP directory, but Samba still needs two types of accounts : one for the system, one for Samba (even if the accounts will be merged in only one entry).

If you plan to use PAM, don't forget to use nsswitch (libnss-ldap), which allows your system to catch name services calls (e.g. to identify the available accounts when you use getent passwd) and to redirect them to a dedicated backend (e.g. /etc/passwd). PAM is only for authentication, while nsswitch is for name service translation. You should use both libpam-ldap and libnss-ldap if you want your System being able to identify AND authenticate LDAP-only users.

I don't have much more infos about _nua accounts, I think they've been removed, or maybe they were just planned... I really don't know...

Good luck !

Ganaël.

[EMAIL PROTECTED] on 07/31/2003 04:02:46 PM
To: [EMAIL PROTECTED]
cc:
Subject: Re: Ref.: [Samba] system users and smbpasswd users

Hi,

Thanks for the mail.

On Wed, Jul 30, 2003 at 10:58:35AM +0200, Ganael LAPLANCHE wrote:

Samba needs two accounts : a system account AND a samba account. The reason for this is you can't store every piece of information samba needs in the /etc/passwd file (e.g. Samba Home dir).

oh! some people say that I can use PAM for this. Do you have any ideas on this?

You may have heard about _nua (No Unix Accounts) backends, a way of storing users in samba-only

No never heard of this. Can you give some more info.

As you say in French, Merci beaucoup :)

With warm regards,
-Payal

--
Visit GNU/Linux Success Stories http://payal.staticky.com
Guest-Book Section Updated.
Ref.: Re: Ref.: [Samba] system users and smbpasswd users
Hi again,

A useful link : see http://www.padl.com for more infos on libnss-ldap and libpam-ldap...

Hope this helps,

Regards,

Ganaël.

[EMAIL PROTECTED] on 07/31/2003 04:02:46 PM
To: [EMAIL PROTECTED]
cc:
Subject: Re: Ref.: [Samba] system users and smbpasswd users

Hi,

Thanks for the mail.

On Wed, Jul 30, 2003 at 10:58:35AM +0200, Ganael LAPLANCHE wrote:

Samba needs two accounts : a system account AND a samba account. The reason for this is you can't store every piece of information samba needs in the /etc/passwd file (e.g. Samba Home dir).

oh! some people say that I can use PAM for this. Do you have any ideas on this?

You may have heard about _nua (No Unix Accounts) backends, a way of storing users in samba-only

No never heard of this. Can you give some more info.

As you say in French, Merci beaucoup :)

With warm regards,
-Payal

--
Visit GNU/Linux Success Stories http://payal.staticky.com
Guest-Book Section Updated.
Ref.: Ref.: [Samba] trash can on samba
Mateus,

here is a more complex (working !) example :

vfs objects = recycle
recycle:name = .recycle
; max-size (in bytes) of files allowed in the recycle bin
recycle:maxsize = 200
; keep directory trees ?
recycle:keeptree = True
; files to exclude from the bin
recycle:exclude = *.tmp *.temp *.swp
; root dirs to exclude from the bin
recycle:exclude_dir = tmp
; include file versioning in the bin (adds a Copy #n of before the filename)
recycle:versions = True
; files to exclude from the versioning (previous versions are lost)
recycle:noversions = *.doc *.xls *.ppt

Did someone try versioning ? I get a strange error while deleting a file with versioning activated : WinXP tells me the file doesn't exist anymore... but it is supposed to delete it ! In fact, the file has been deleted, and versioned in the bin BEFORE the appearance of the msgbox... Strange... If I deactivate versioning, everything works well...

Ganaël.

Ganael LAPLANCHE
07/29/2003 09:47 AM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Ref.: [Samba] trash can on samba

Hi !

I successfully used recycle bin + audit with these parameters :

vfs objects = extd_audit recycle

I didn't configure anything else, so I can't tell for advanced options... I don't remember having used any configure options for this.

Ganael.

[EMAIL PROTECTED]@lists.samba.org on 07/28/2003 12:46:54 PM
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] trash can on samba

I'm having problems to install the recycle module on samba. I think it can be some configuration error or something missing when I compiled samba. Is there any special compilation option to enable vfs and the recycle.so module?

I used:

./configure --with-smbmount --with-syslog --with-vfs

And here my configuration options:

smb.conf:

[homes]
comment = Pastas Pessoais
browseable = no
writable = yes
admin users = mateus
vfs object = /usr/local/samba/lib/recycle.so
vfs options = /usr/local/samba/lib/recycle.conf

recycle.conf:

name = .recycle
mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
maxsize = 0
exclude = *.tmp|*.temp|*.o|*.obj|~$*
excludedir = /tmp|/temp|/cache
noversions = *.doc|*.xls|*.ppt

Sorry for my poor english

Mateus Tarcinalli Machado
site: http://mateus.webhostme.com/
e-mail: [EMAIL PROTECTED]
ICQ: 40075236
[Samba] Group mapping... static ???
Hi all,

I'm testing group mapping, wondering how it works exactly... I thought Samba was storing a mapping table allowing to retrieve infos on Unix/Windows groups in a DYNAMIC way. Unfortunately, group mapping seems to be static, here is what I did :

[I'm using Samba b3v3 + LDAP, WITHOUT nss-ldap/pam-ldap/winbind - everything is stored in my /etc/passwd and /etc/group + in LDAP for Samba accounts]

1) Created Unix group (let's say domusers) :

    groupadd domusers

2) Created LDAP group, with ldapadd, and a file containing :

    dn: cn=domusers,ou=Users,dc=domain,dc=org
    objectClass: posixGroup
    gidNumber: 1001
    cn: domusers
    memberUid: foo

3) Created Unix user (foo, primary group domusers) :

    useradd -g domusers foo

4) Created Group mapping :

    net groupmap add sid=mySID-513 unixgroup=domusers ntgroup="Domain Users" type=domain

(then net groupmap list, OK)

5) Finally, created LDAP (samba) user :

    smbpasswd -a foo

Ok, no problem, foo gets the domain local sid + the domain users rid as SambaPrimaryGroupSid, he IS a Win Domain User.

Here is what I don't understand : If I delete the groupmapping or modify it, the SambaPrimaryGroupSid of foo isn't modified ! Foo remains a Domain User... Another example : if I create first the user, then the mapping : the user doesn't get the new SambaPrimaryGroupSid and doesn't become a Domain User...

Am I missing something ? Is the mapping only used while creating users ? I thought the table was used in a more dynamic way... Is there a technical limit in implementing this function this way ?

Please help me...

Regards,

Ganaël.
Ref.: [Samba] groupmember list fails with 3.0.0b3 and LDAP
Hi,

Same problem for me, any clue ?

Ganaël.

[EMAIL PROTECTED]@lists.samba.org on 07/31/2003 01:42:21 AM
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] groupmember list fails with 3.0.0b3 and LDAP

Hi all,

I've been working on a PDC with group mapping with Samba-3.0.0Beta3 with OpenLDAP-2.1.22. Things are mostly working, however I don't seem to be able to retrieve a list of users in a group, nor am I able to grant ACL's based on group membership. Here's what I did.

1. Created an LDAP posixGroup account
2. net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=domadmin

The resulting LDIF shows up as follows:

    # domadmin, Group, GSLIS
    dn: cn=domadmin,ou=Group,dc=GSLIS
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: domadmin
    gidNumber: 512
    memberUid: admin
    sambaSID: S-1-5-21-3469007649-3513637358-4254120478-512
    sambaGroupType: 2
    displayName: Domain Admins

The output of net groupmember list "Domain Admins" -U admin gives error 2220

The output of net groupmap list

    Domain Admins (S-1-5-21-3469007649-3513637358-4254120478-512) - domadmin
    Some Blah Group (S-1-5-21-3469007649-3513637358-4254120478-7676) - blahgrp

I can log on to a domain member using the admin password, but I'm not an admin. Any ideas where to start looking?

--
Brynnen Owen ( this space for rent )
[EMAIL PROTECTED] ( )
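Added example, not part of either message and not Samba code: a Python audit over an LDIF export that reports accounts whose sambaPrimaryGroupSID matches no sambaGroupMapping entry (the situation described in "Group mapping... static ???") and lists the members of groups mapped to RID 512. The group entry is abridged from the LDIF quoted above; the uid=foo entry, its SID and all function names are constructed for illustration.

```python
# Constructed sample: group entry abridged from the LDIF quoted in the thread;
# uid=foo and its primary group SID are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=domadmin,ou=Group,dc=GSLIS
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadmin
memberUid: admin
sambaSID: S-1-5-21-3469007649-3513637358-4254120478-512

dn: uid=foo,ou=Users,dc=GSLIS
objectClass: sambaSamAccount
uid: foo
sambaPrimaryGroupSID: S-1-5-21-3469007649-3513637358-4254120478-513
"""
PRIVILEGED_RIDS = {"512"}  # Domain Admins, as mapped in the thread

def parse_ldif(text):
    """Return entries as dicts: lowercased attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        # LDIF folds long lines; a continuation line starts with one space.
        for line in block.replace("\n ", "").splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def has_class(entry, name):
    return name.lower() in (v.lower() for v in entry.get("objectclass", []))

def audit(entries):
    """Return (accounts with an unmapped primary group SID, privileged group members)."""
    groups = {e["sambasid"][0]: e for e in entries
              if has_class(e, "sambaGroupMapping") and "sambasid" in e}
    stale = [(e.get("uid", ["?"])[0], e.get("sambaprimarygroupsid", [""])[0])
             for e in entries if has_class(e, "sambaSamAccount")
             and e.get("sambaprimarygroupsid", [""])[0] not in groups]
    privileged = {g["cn"][0]: sorted(g.get("memberuid", []))
                  for sid, g in groups.items()
                  if sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS}
    return stale, privileged

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

Attribute names are compared case-insensitively, so the `SambaPrimaryGroupSid` spelling used in the messages and the `sambaPrimaryGroupSID` spelling in the sample are treated as the same attribute.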
Ref.: [Samba] trash can on samba
Hi !

I successfully used recycle bin + audit with these parameters :

    vfs objects = extd_audit recycle

I didn't configure anything else, so I can't tell for advanced options... I don't remember having used any configure options for this.

Ganael.

[EMAIL PROTECTED]@lists.samba.org on 07/28/2003 12:46:54 PM
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: [Samba] trash can on samba

I'm having problems installing the recycle module on samba. I think it can be some configuration error or something missing when I compiled samba. Is there any special compilation option to enable vfs and the recycle.so module?

I used:

    ./configure --with-smbmount --with-syslog --with-vfs

And here my configuration options:

smb.conf:

    [homes]
    comment = Pastas Pessoais
    browseable = no
    writable = yes
    admin users = mateus
    vfs object = /usr/local/samba/lib/recycle.so
    vfs options = /usr/local/samba/lib/recycle.conf

recycle.conf:

    name = .recycle
    mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
    maxsize = 0
    exclude = *.tmp|*.temp|*.o|*.obj|~$*
    excludedir = /tmp|/temp|/cache
    noversions = *.doc|*.xls|*.ppt

Sorry for my poor english

Mateus Tarcinalli Machado
site: http://mateus.webhostme.com/
e-mail: [EMAIL PROTECTED]
ICQ: 40075236
[Samba] cannot access LDAP when not root
Hi,

I found strange errors in my samba logs :

    [2003/07/28 16:32:16, 0] lib/smbldap.c:smbldap_open(799)
      smbldap_open: cannot access LDAP when not root..
    [2003/07/28 16:32:16, 1] lib/smbldap.c:smbldap_retry_open(888)
      Connection to LDAP Server failed for the 1 try!
    [2003/07/28 16:32:16, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1634)
      ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (Insufficient access)ldapsam_search_one_group: searching for: [((objectClass=sambaGroupMapping)(gidNumber=-1))]

Exploring the source code, I found it was related to the euid of samba (file lib/smbldap.c) :

    #ifndef NO_LDAP_SECURITY
        if (geteuid() != 0) {
            DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
            return LDAP_INSUFFICIENT_ACCESS;
        }
    #endif

NO_LDAP_SECURITY was not defined during compilation... How could I resolve the problem ? How could I have an euid of 0 running samba ?

Thank you very much,

Ganaël.
Ref.: Re: [Samba] smbpasswd problem
Hi,

In fact, you still need an /etc/passwd file : you need a system account in order to create a samba account, but you can use libnss-ldap to redirect the system calls to the LDAP directory (via nsswitch), this will allow you use ldap-only accounts...

Ganaël.

[EMAIL PROTECTED]@lists.samba.org on 07/28/2003 07:30:15 AM
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Samba] smbpasswd problem

> I'm now testing SAMBA under LDAP . I have a LDAP account anthony. I do not know how to use smbpasswd to change this LDAP account.

You do not need smbpasswd anymore. When using LDAP, you can store the Samba-Password along with other data in the LDAP-Directory. Have a look at the howto concerning how to replace smbpasswd with an LDAP-directory and it will tell you what to do :-)

Furthermore, have a look at the smbldap-tools you can find at www.idealx.org ... they will do things like changing passwords for you (as long as you do not yet use Samba3).

Thilo
Ref.: Re: [Samba] Unofficial Samba+ACL HOWTO
Mandrake 9.1's kernel needs a patch to support ACL's : http://qa.mandrakesoft.com/show_bug.cgi?id=3615

Regards,

Ganaël LAPLANCHE.

[EMAIL PROTECTED]@lists.samba.org on 07/23/2003 06:09:59 PM
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Samba] Unofficial Samba+ACL HOWTO

> Message: 54
> Date: Wed, 23 Jul 2003 13:11:38 +1200
> From: Paul Eggleton [EMAIL PROTECTED]
> Subject: [Samba] Unofficial Samba+ACL HOWTO
> To: [EMAIL PROTECTED]
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=us-ascii
>
> Hi all,
>
> I have finally got around to updating my unofficial HOWTO on setting up Samba with ACL support: http://www.bluelightning.org/linux/samba_acl_howto
>
> As always, comments and suggestions welcome.

You may want to change the title to be Unofficial Redhat Samba + ACL + Winbind Howto, since most other distros have ACL support out the box (Mandrake since 8.1 has had ACL support on XFS, 9.0 had ACL support on ext2/3 also, most recent SuSE releases had ACL support on XFS, some on ext2/3, I believe one of the Debian kernels has XFS/ACL support), and Mandrake 9.0 and 9.1 will setup winbind for you during installation.

Regards,
Buchan

--
|--Another happy Mandrake Club member--|
Buchan Milne    Mechanical Engineer, Network Manager
Cellphone * Work    +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
[Samba] Samba 3 - Can't create trusted domain account
Hi !

I'm using Samba 3 - simple smbpasswd backend, no winbind. I try to use interdomain trusts between (samba) domains TRUSTED and TRUSTING. I get an error while creating the TRUSTED domain account :

    smbpasswd -D 10 -a -i TRUSTED
    Get_Pwnam_internals didn't find user [TRUSTED$]!
    Failed initialise SAM_ACCOUNT for user TRUSTED$.
    Failed to modify password entry for user TRUSTED$

Samba can't find the entry, isn't it supposed to CREATE it ? How can I do that ? Did someone manage to do it ?

Thank you,

Ganaël.
[Samba] Ref.: Samba 3 - Can't create trusted domain account
Woops, I just forgot to create the UNIX$ account associated with the trusted domain name... Sorry ;-)

Ganaël.
[Samba] Group mapping, net group add troubles !!!
Hi all,

I'm trying to add a Unix group to Samba to test group mapping... At the beginning, I just wanted to map the Windows Domain Admins group to my Linux group, called domainadmins : net getlocalsid, then

    net groupmap add sid=SID-512 unixgroup=domainadmins

But here is what Samba returns :

    Group 1004 must exist exactly once in LDAP

Okay, no pb, I just have to create the domainadmins group under Samba (into my LDAP directory), so :

    net group ADD domainadmins -U smbadmin

(smbadmin is a Linux AND Samba user with uid/gid 0)

Unfortunately, Samba returns this error message :

    return code = 50

Don't know what it means, but the group isn't added, if I try to list Samba groups :

    net group -l -U smbadmin

The list is empty :((

Could someone help me with adding new (Unix-already-existing) group to Samba ? How could I map this group to the M$ Domain admins one ?

Thank you very much !

Ganaël LAPLANCHE.