[Samba] samba runs only in interactive mode
Hi, We have migrated our old Win2000 AD domain (~ 1000 user accounts) to Samba 4.0.7 AD, but some things doesn't work as expected (samba process crashes a few times a day/week with PANIC without any noticeable reason; samba dbcheck can't fix some db errrors and so on) , and I'm trying to resolve the issues. I tested this on various servers (Debian wheezy, Ubuntu 12.04) and different samba versions (4.0.6, 4.0.7, 4.1.rc1) - the issues remain the same. Now the problem - I can run samba only in interactive mode When I run in tmux session with command /usr/local/samba/sbin/samba -i -d 3 -M single then samba accepts incoming connections/authorization and so on, until it crashes after some hours or days For example, I can access netlogon share: smbclient //vasec/netlogon -k -c exit Domain=[SKOLA] OS=[Unix] Server=[Samba 4.1.0rc1] When I run samba in daemon mode, then it stops responding (but still shows in process list) /usr/local/samba/sbin/samba -d 3 -M single smbclient //vasec/netlogon -k -c exit session setup failed: NT_STATUS_IO_TIMEOUT server log file shows nothing valuable (at least for mee): http://pastebin.com/WNPa0Lvh Any ideas how to fix or troubleshoot it? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] SOLVED: Re: samba runs only in interactive mode
On 07/31/2013 07:06 PM, Gints Neimanis wrote: When I run samba in daemon mode, then it stops responding (but still shows in process list) /usr/local/samba/sbin/samba -d 3 -M single smbclient //vasec/netlogon -k -c exit session setup failed: NT_STATUS_IO_TIMEOUT When samba is run in daemon mode and removed -M single: /usr/local/samba/sbin/samba -d 3 then server is running and responding as expected. G. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] WinXP not print - Samba3.6.6
Hi, maybe this will help you: [printers] ... use client driver = yes ... On 07/24/2013 11:46 PM, Thiago Parolin wrote: Hi, After upgrading samba from 3.5 to 3.6, WinXP can not print, and the samba log shows: [2013/07/24 17:40:00.377907, 0] rpc_server/spoolss/srv_spoolss_nt.c:1748(_spoolss_OpenPrinterEx) _spoolss_OpenPrinterEx: Cannot open a printer handle for printer \\spsi All other systems are ok. (until now) Any hint to fix this? -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Re: authenticate Linux users to AD on Windows 2003R2
Hello, You can use pam-mount module http://pam-mount.sourceforge.net/ Gints James D. Parra rakstīja, 2009.05.14. 23:19: Hello, I have enough details on how to have Linux users authenticate to a 2003r2 AD, but I need help getting their home dir's to automatically mount to a windows share. Any details would be greatly appreciated. Many thanks, James -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] smbpasswd and rpcclient differences between 3.0.14a and 3.0.21a
Hi all, The problem is that from version 3.0.21a the commands rpcclient and smbpasswd does't work as before (and as I wish), when connecting to remote Windows2000 domain controller. Below are some tests and outputs, which show the command outputs. In both cases samba is compiled from original sources. OS - Debian testing and verified on Ubuntu. RPCLIENT: ./rpcclient -c 'queryuser 0x2270' -U admin%password PDC 3.0.14a returns neccessary user data, like: User Name : ... ... skip ... logon_hrs[0..21]... 3.0.21a returns: === result was NT_STATUS_NONE_MAPPED === (other tested rpclient commands works as expected) SMBPASSWD: in version 3.0.21a it is impossible to change expired passwords and passwords, where the option User must change password at next logon is enabled. 3.0.21a: == ./smbpasswd -r PDC -U domuser Old SMB password: New SMB password: Retype new SMB password: cli_pipe_validate_current_pdu: RPC fault code NT code 0x0005 received from remote machine PDC pipe \samr fnum 0x4002! machine PDC rejected the password change: Error was : NT code 0x0005. Failed to modify password entry for user domuser == 3.0.14a: == ./smbpasswd -r PDC -U domuser Old SMB password: New SMB password: Retype new SMB password: Password changed for user domuser on PDC. == Actually both commands are very useful, we are used it for our tasks (to query user data and change passwords from web form), but now with new versions they don't work as (we) expected. Or I'm something missing, and both tasks can be accomplished in different ways? Have a nice day! Gints Neimanis -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: auto mounting users share on a 2003 server
Hi, Look at pam_automount module, which can do this job for you. Jochen Kaechelin wrote: hello list, i have the following problem: Windows 2003 Server, acting as DC and Fileserver. Directory home is shared with the following structure: home user1_directory user2_directory ... user1512_directory The Clients run Suse 9.3. Authentication againts ADS on the 2003 works fine - every user can log in, but I don't know how to manage that each user gets mounted his Windows-Directory on the Linuxbox automatically. Any hints? Thanx -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Getting Winbind IDMAP into LDAP?
Hi, to use ldap as winbind idamp backend, you don't need the NSS_LDAP at all. All queries and updates to ldap is performed by winbind itself. Your smb.conf looks fine. You may check 2 things: * Have you stored the LDAP Manager password to LDAP database with command smbpasswd -w 'verysecretldapmanager password' ? * and look if you have added winbind to /etc/nsswitch.conf (and then command getent passwd should show all domain users with id from ldap)? like: === ... passwd: files winbind group: files winbind ... === Next - you may increase the loglevel (loglevel 256) for LDAP server and look in ldap messages what is wrong in connection. Gints Gibbs, Simon wrote: Hi, I¹ve been trying to populate an LDAP directory with IDMAP information from Winbind using NSS_LDAP without much success over the last week. Can anybody tell me if I¹ve done anything obviously wrong? I¹ve followed the example shown in the Samba ³By Example² doc and am at the stage where the LDAP directory has been created and configured, NSS_LDAP config is amended, smb.conf contains entries to use LDAP as a backend and I have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now wbinfo u and wbinfo g show users and groups on the domain but getent passwd/groups only displays local users. The winbindd_cache.tdb and winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb holds any information. When I attempt to access a Samba share I¹m prompted to enter a username and password. As I understand it once the wbinfo commands have been run this process should automatically populate the Idmap ou with the ID mappings is this correct? If so there must be something wrong with my config. Here¹s the current config and relevent info sorry it¹s a bit long: /etc/samba/smb.conf [global] workgroup = UKCORPLAN netbios name = UKFS01 server string = UKFS01 Samba Server winbind separator = / ldap ssl = no idmap uid = 1-1000 idmap gid = 1-1000 ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net ldap idmap suffix = ou=Idmap ldap suffix = dc=uk,dc=corplan,dc=net idmap backend = ldap:ldap://10.10.4.111/ winbind enum users = yes winbind enum groups = yes template homedir = /mnt/emcpowerb/user/%D/%U template shell = /bin/bash password server = ukdc01.uk.corplan.net security = ADS #encrypt passwords = yes realm = uk.corplan.net browseable = yes username map = /etc/samba/smbusers log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10 syslog = 0 log file = /var/log/samba/%m max log size = 50 # Share Definitions == [homes] comment = Home Directories browseable = no writable = yes [public] comment = Public Stuff path = /home/samba public = yes read only = no [test] comment = test share path = /mnt/emcpowera/shared/test public = yes browseable = yes writeable = yes /etc/nsswitch.conf passwd: files ldap shadow: files ldap group: files ldap #hosts: db files nisplus nis dns hosts: files dns /etc/openldap/slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # ## schema files (core.schema is required by default) include /etc/openldap/schema/core.schema ## needed for sambaSamAccount include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/slapd.pid argsfile/var/run/slapd.args # Load dynamic backend modules: # modulepath/usr/sbin/openldap # moduleloadback_bdb.la # moduleloadback_ldap.la # moduleloadback_ldbm.la # moduleloadback_passwd.la # moduleloadback_shell.la # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base= by * read # access to dn.base=cn=Subschema by * read #access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., access to * by * read) # # rootdn can always read and write EVERYTHING! ### # ldbm and/or bdb database definitions ### databasebdb suffix dc=uk,dc=corplan,dc=net rootdn
[Samba] Re: Getting Winbind IDMAP into LDAP?
Hi Simon, I thnik it is not the error in documentation (I don't know about which chapter we are talking :)). If you use winbdind authentication (+ idmap/ldap) only, you don't need the NSS_LDAP. But if you build a domain, where all user data is stored in LDAP, then you may authenticate users (from *nix) directly to LDAP database - and then you should use the NSS_LDAP (and Windows clients are using (SAMBA)Domain authentication. And the Samba guides are more explaining how to build the full Samba domain with LDAP backend. About winbind*tdb. I have too such files and I think it is expected (it speeds up resolving the id's). My setup with W2K as domain controller and SAMBA servers with winbind+idmap_ldap works fine for ~2 year without any trouble for 900 users (Thanks for Samba team!). Gints Gibbs, Simon wrote: Hi Gints, Changing nsswitch.conf from: passwd: files ldap group: files ldap to passwd: files winbind group: files winbind did the trick. Running getent passwd/group began populating LDAP and I can search all the records using ldapsearch and slapcat. Would this be an error in the documentation as (unless I was reading the wrong section) it uses the ldap entries in it's example? My one concern is that when winbind is stopped and restarted the winbindd_idmap.tdb and winbindd_cache.tdb files are recreated and entries are added. Would this be expected? I guess I can test this today when I begin configuring a second node. Thanks for your help. Simon -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Home directories on AD/Samba
Hi Kalin, Do you have template homedir = string in smb.conf ? If you whish to automaticaly create the home dir, then you may use the pam_mkhomdir (and add obey pam restrictions = yes to smb.conf) AND: If the SAMBA authenticates over Active Directory, then you don't need to add domain users to linux passwd database !!! Can you post your smb.conf file? Gints Neimanis Kalin Evtimov wrote: I just set up our Samba-Server to athenticate over Active Directory (Win 2003). But there is one thing that bothers me: There are no home-directories for the domain users, that waere added to the linux passwd database (EXAMPLE.COM+user1 can be authenticated, but has no home on the Linux-box). If I create a share home, nobody can open it, because it cannot be found. Only if I set the path option, it works, but all users that log in on the AD get this directory as home. Is there any solution to this, or I have to live with making a special share for every new user that comes to the AD? Thank you very much! Best regards: Kalin -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: PDC, BDCs - how do you synchronize roaming profiles?
Tomasz Chmielewski wrote: As a consequence, this also means, that on each server there has to be a copy of a profile of a given user, right? No, not right. The user roaming profile is stored only on one server. Maybe you may rename the each SAMBA server in each location in the same NetBIOS name, but the profile directory on each server is fetched from the central server over NFS. Gints -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Solved: err: I have no name (Idmap Ldap)
Solved. There was mistake in smb.conf file, the idmap uid value was incorrect. Gints gints neimanis wrote: I succesfully setted up the winbind with idmap backend = ldap:ldap:... LDAP is used only to store idmap's. The problem: On the server with OpenLDAP and winbind, all is working fine! Thanks to the SAMBA team and OSS community! But on the second server, where winbind is used to authenticate users and retrieve uid's from server with ldap, users get error message: id: cannot find name for user ID The authentication works fine, users can use their samba shares, but ssh sessions are not more accessible (There is error, that it is not possible to retrieve username for lastlog and session closes). May bee someone had already such problem, and know's solution? There is some illustration of problem: === [EMAIL PROTECTED] /]# wbinfo -t checking the trust secret via RPC calls succeeded === [EMAIL PROTECTED] /]# wbinfo -u ...skip tst10 tst11 ...skip === [EMAIL PROTECTED] /]# getent passwd | grep tst1 tst10:x:20694:3::/skola/tst10:/bin/bash tst11:x:20695:3::/skola/tst11:/bin/bash ...skip === But! [EMAIL PROTECTED] /]# su tst10 Creating directory '/skola/tst10'. Creating directory '/skola/tst10/tmp'. id: cannot find name for user ID 20694 [I have no [EMAIL PROTECTED] /]$ and [I have no [EMAIL PROTECTED] tst10]$ ls -l total 4 drwxr-xr-x 2 20694 3 4096 aug 21 13:27 tmp/ === The both systems are like each other: The configuration on both servers are like each other: - Mandrake Cooker - samba 3.0.5.2 (including winbind) The samba.conf on secondary server [EMAIL PROTECTED] root]# cat /etc/samba/smb.conf [global] workgroup = SKOLA security = domain netbios name = VIRSIS winbind use default domain = yes default service = homes unix charset = iso8859-13 idmap gid = 2-3 idmap uid = 3-4 winbind separator = + winbind use default domain = yes idmap backend = ldap:ldap://10.0.0.50 ldap admin dn = cn=Manager,dc=venta,dc=lv ldap suffix = dc=venta,dc=lv ldap idmap suffix = ou=Idmap winbind enum users = yes winbind enum groups = yes encrypt passwords = Yes template homedir = /skola/%U os level = 18 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 wins server = 10.0.0.10 log level = 3 obey pam restrictions = yes template shell = /bin/bash max log size = 200 min protocol = NT1 password server = * local master = No [homes] ...skip The /etc/nsswitch.conf ... passwd: files winbind nisplus nis shadow: files nisplus nis group: files winbind nisplus nis ... There is no working nscd daemon, which will cause I have no name! problem. Thanks! Gints -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] err: I have no name (Idmap Ldap)
I succesfully setted up the winbind with idmap backend = ldap:ldap:... LDAP is used only to store idmap's. The problem: On the server with OpenLDAP and winbind, all is working fine! Thanks to the SAMBA team and OSS community! But on the second server, where winbind is used to authenticate users and retrieve uid's from server with ldap, users get error message: id: cannot find name for user ID The authentication works fine, users can use their samba shares, but ssh sessions are not more accessible (There is error, that it is not possible to retrieve username for lastlog and session closes). May bee someone had already such problem, and know's solution? There is some illustration of problem: === [EMAIL PROTECTED] /]# wbinfo -t checking the trust secret via RPC calls succeeded === [EMAIL PROTECTED] /]# wbinfo -u ...skip tst10 tst11 ...skip === [EMAIL PROTECTED] /]# getent passwd | grep tst1 tst10:x:20694:3::/skola/tst10:/bin/bash tst11:x:20695:3::/skola/tst11:/bin/bash ...skip === But! [EMAIL PROTECTED] /]# su tst10 Creating directory '/skola/tst10'. Creating directory '/skola/tst10/tmp'. id: cannot find name for user ID 20694 [I have no [EMAIL PROTECTED] /]$ and [I have no [EMAIL PROTECTED] tst10]$ ls -l total 4 drwxr-xr-x 2 20694 3 4096 aug 21 13:27 tmp/ === The both systems are like each other: The configuration on both servers are like each other: - Mandrake Cooker - samba 3.0.5.2 (including winbind) The samba.conf on secondary server [EMAIL PROTECTED] root]# cat /etc/samba/smb.conf [global] workgroup = SKOLA security = domain netbios name = VIRSIS winbind use default domain = yes default service = homes unix charset = iso8859-13 idmap gid = 2-3 idmap uid = 3-4 winbind separator = + winbind use default domain = yes idmap backend = ldap:ldap://10.0.0.50 ldap admin dn = cn=Manager,dc=venta,dc=lv ldap suffix = dc=venta,dc=lv ldap idmap suffix = ou=Idmap winbind enum users = yes winbind enum groups = yes encrypt passwords = Yes template homedir = /skola/%U os level = 18 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 wins server = 10.0.0.10 log level = 3 obey pam restrictions = yes template shell = /bin/bash max log size = 200 min protocol = NT1 password server = * local master = No [homes] ...skip The /etc/nsswitch.conf ... passwd: files winbind nisplus nis shadow: files nisplus nis group: files winbind nisplus nis ... There is no working nscd daemon, which will cause I have no name! problem. Thanks! Gints -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] winbind idmap ldap question
Hi all! Question about idmap=ldap backend in domain with win2k PDC: Should I manually add all domain users to ldap and then retrieve the idmap from ldap, or in case of sucessfull authentication againt Win2k PDC, users are addedd automaticaly to ldap? Or I can use idmap ldap backend only in SAMBA LDAP PDC case? Thanks! Gints -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: films on Desktops and roaming profiles
There is simple solution with logon script un registry file, which puts necessary registry keys in the user enviroment: === logon.bat == echo off net use g: /home regedit /S \\server\netlogon\usf.reg net use k: \\server\pub$ net use p: \\server\appz net time \\server /set /yes cls end usf.reg REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders] AppData=G:\\PROFILE\\APPDATA Desktop=g:\\PROFILE\\Desktop Favorites=g:\\PROFILE\\Favorites Personal=G: My Pictures=G:\\PROFILE\\My Pictures Templates=G:\\PROFILE\\Templates end == If you decide to use Group policies, IMHO you can write our own administrative templates, but I don't have big experience with Group policies. Gints Michal Kurowski wrote: gints neimanis [EMAIL PROTECTED] wrote: If your clients have a network drive, you can leave the Desktop on that drive and exclude from roaming profile. You need to change registry key (via policies or logon script), for exanple to: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Desktop; REG_SZ ; H:\PROFDATA\Desktop Or via policies you can exclude Desktop from roaming profile; Or you can set disk quota on storage where roaming profiles are located; Great, thanks a lot ! Could you please provide some more detail on the policy setting excluding Desktop from the roaming profile ? -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: films on Desktops and roaming profiles
If your clients have a network drive, you can leave the Desktop on that drive and exclude from roaming profile. You need to change registry key (via policies or logon script), for exanple to: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Desktop; REG_SZ ; H:\PROFDATA\Desktop Or via policies you can exclude Desktop from roaming profile; Or you can set disk quota on storage where roaming profiles are located; Gints Michal Kurowski wrote: Adam Tauno Williams [EMAIL PROTECTED] wrote: I'd like to ask you what do you limit Desktops syncing in case users put large files on them, e.g. films. Downloading / uploading such large files can generate lots of unnecessary traffic. Is there any kind of filtering possible ? Other solutions ? Via policies, just like with a Windows DC. Could you please elaborate ? The only thing I could find is the windows Slow network setting supposed to disable network share checkout in case of slow network, timeout, etc. There is a registry setting enabling enforcing slow network for good. Samba has got csc policy, but frankly, I do not quite get how to use it. Could provide some clue in here ? Thanks, -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: home directories with winbind
Yes, it is possible with pam_mkhomedir For example, that configurations works very well: /etc/pam.d/system-auth #%PAM-1.0 authrequired /lib/security/pam_env.so authsufficient/lib/security/pam_winbind.so authsufficient/lib/security/pam_unix.so likeauth nullok use_first_pass authrequired /lib/security/pam_deny.so account sufficient/lib/security/pam_winbind.so account required /lib/security/pam_unix.so passwordrequired /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0 passwordsufficient/lib/security/pam_unix.so nullok use_authtok md5 shadow passwordrequired /lib/security/pam_deny.so session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022 session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so Gints [EMAIL PROTECTED] wrote: Hello all, I've installed samba-3.0.1 on a linux machine that has a role of domainmember in an NT domain. What I would like is that there would be nothing to do on the linux machine when adding a user in teh NT domain. For that I have started and configured winbind that works fine. But I want to create a share for each user on the NT domain. I have in my smb.conf a [homes] share, but when a user is added to the NT domain, the directory of his share is not created automatically. I presume it's normal, but it's reducing to 0 the role of winbind, because I have to create a directory on the linux machine each time a user is added to the domain, so a script creating the user at the smae time as the share could do the work. So with or without winbind I have an operation to do on the linux machine while I would like to have no operation to do. Is there a way to do that? A possibility to execute a script automatically where a user is created on the domain or anything, but the template homedir parameter doesn't seem to do this. Thank you -- Thundax -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Questions about winbind idmap ldap
We are using W2K domain with Samba3 servers. The implementation of samba servers with winbind authentication was successful. Now we are looking for winbind idmap ldap backend for distributing winbind users ID's, and I have following question: 1. Do I need put all users from W2K domain to LDAP by hand (with export - import tools)? 2. Or it is possible to automatically put successfully authenticated users to LDAP directory with some of useradd script? 3. Is any other documentation excepted SAMBA3 HOWTO, with closer look to winbind idmap LDAP? Regards, Gints Neimanis -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
