Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-05 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor (and samba team),
I have done the following:-
-I have upgraded the samba versions of the both servers to be the same.
-The ldap servers are in the same version.
-DomainAPDC and DomainBPDC has winbind in nsswitch
-wbinfo all works.
-getent group and getent passwd shows ldap entries of local domain 
and winbind entries of the remote domain.
-However I still cannot map the home directory of the Domain_B_user 
when I log into Domain_B on Domain_A_XP computer.
- smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.

The command I run on the command prompt (which will work) if I am 
Domain_A_user into Domain_A on Domain_A_XP_computer is net use x: 
/home.  But before I map it, the home directory is already mapped 
based on the sambahomepath and sambahomedrive in the ldap entries.  I 
am using the net use command to do testing.
If I were to run the same net use x: /home command as a 
Domain_B_User logging into Domain_B on Domain_A_XP_computer, the home 
directory never gets mapped.  Igor has made it work on his server but 
I am still stuck.  (Igor, if you run net use z: /home command as the 
Domain_B_User logging into Domain_B on DOmain_A_XP, does it work?)
I think there's some miscommunication involved. :)
User's home directory does get mapped during login according to 
sambaHomePath and sambaHomeDrive LDAP entries. I can verify this by 
looking at the net use output. However, when I run net use x: /home 
it gives me an error: The user's home directory could not be 
determined. According to DomainA log during this call the user's home 
share gets created on ServerA (PDC for DomainA) instead of using the one 
specified as sambaHomePath:

[2004/11/05 08:17:44, 3] param/loadparm.c:lp_add_home(2341)
 adding home's share [testA] for user 'DOMAINA\testA' at 
'/home/DOMAINA/testA'

I'm still investigating if this is based solely on XP request (XP side 
problem) or if this is a way Samba responds on a general net use x: 
/home request (Samba side problem).

On my winbind log on Domain_A_PDC, I get the following :-
legend:-
uwcstu is domain_B
grade2 is domain_B_user
1 is gid of DomainB\Domain Users group on Domain_A_PDC.
staff is domain A
-
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] 
nsswitch/winbindd_group.c:winbindd_getgroups(1030)
  [29440]: getgroups UWCSTU\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
  [29440]: gid to sid 1
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243)
  [29440]: getgrnam grade2
[2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
  ldapsam_getgroup: Did not find group
[2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group grade2 in domain STAFF does not exist


Questions:-
1. Why domain_A_PDC will try to getgrnam grade2? How did grade2 
end up as a group and not a user?

2.  Isn't it supposed to be getgrnam UWCSTU\Domain Users since 
winbindd_gid_to_sid is converting 1 to UWCSTU\Domain Users?

3.  Any commands for me to test getgroups?
4.  Any ideas how to proceed on?
I have similar problem - the same errors in winbind log. I'm 
investigating this as well. I actually have 2 groups for userA and one 
gets mapping into user's name with domain stripped out, another into 
'tty'. I suspect it's a Samba bug. But, again - it does not cause 
problems with automatic map of user home.

The only suggestion I have at the moment is to look into the source...
Igor
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-04 Thread Igor Belyi
 the questions I can think of now.
Thanks for helping.
adrian


Igor Belyi wrote:
Adrian Chow wrote:
Hi Igor,
Do you have trustdomains in your auth methods?
Currently I removed the winbind from nsswitch.conf.  And smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U 
domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to 
authenticate but cannot connect to shared folder with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept 
only UNIX and NIS groups you will need to have winbind in your 
nsswitch.conf for @Domain_A\Domain Users to work...

Does Samba allow Domain_A\domain_a_user to access this share if you 
list the user without domain specification: valid users = 
domain_a_user?

The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
  Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
  making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
  user 'Domain_A\domain_a_user' (from session setup) not permitted 
to access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--
My smb.conf :-
[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable =no
---
Do you have winbind in your nsswitch.conf?

No, I don't.
How did you manage to get the mapped home directory for 
domain_a_user when he logs on to the joined_domain_B_computer?

Yes, I have XP computer joined domain_A and this domain has mutual 
trust with domain_B. I can login on this computer as user_a into 
domain_A and as user_b into domain_B and their corresponding home 
directories get correctly mapped into drive H:

dn: uid=user_a,ou=People,dc=domain_A,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_A\homes
dn: uid=user_b,ou=People,dc=domain_B,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_B\homes
Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail cos I forgot to cc to sambalists

Yes, I did. I apologize for delays - I work with Samba only in my 
spare time.

Igor
Igor Belyi wrote:
I would guess that it means that DomainA trust DomainB but DomainB 
does not trust DomainA. Can you verify that trust is mutual between 
them? Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in 
/etc/nsswitch.conf). Winbind is used only by Samba when it maps 
users from trust domain into local space.

Adrian Chow wrote:
Hi Igor,
I got stuck now.  I did my best.  I got stuck at the winbind which 
I suspected is the reason why the domainA_computer cannot map the 
domain_B user's home directory.

1.  What are the settings of your winbind?
 

I have the following winbind related entries in smb.conf:
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2
To see if winbind works you can also try to resolve a name into SID 
and SID into gid. For example, if wbinfo -g returns you 
'STAFF\wheel'. Try to do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y SID return in a previous command

2.  Do you use only winbind in your libnss_ldap or use ldap as 
well?
 

In my /etc/nsswitch.conf I have only ldap without winbind. As far 
as I understand this, winbind usage via NSS can confuse Samba into 
thinking that those users and groups are defined locally and maybe 
allowing Samba to use winbind directly is a better approach for 
trust between domains.

I don't know why you would want to put winbind into libnss_ldap 
which is configuration for LDAP interface for NSS (when you use 
'ldap' in /etc/nsswitch.conf file)

3.  My winbind works with :-
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
getent group shows all the local groups and also the groups 
shown in wbinfo -g
(For DomainB)
getent group shows all the local groups and only the GUESTs 
group.  Very weird.  The rest of the groups in wbinfo -g does 
not come up.
The logs is something like this:-
---

nsswitch/winbindd_group.c:fill_grent_mem(133)
 could not lookup membership for group rid 
S-1-5-21

Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-04 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor,
Got some logs from the Domain_A_PDC on the domain_A_XP when domain_B 
user (grade2) logs into domain_B on domain_A_XP.


[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user 
[EMAIL PROTECTED] with the new password interface
[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] libsmb/namequery_dc.c:rpc_dc_name(145)
  rpc_dc_name: Returning DC GLOIN (172.16.7.227) for domain UWCSTU
[2004/11/05 11:18:45, 3] libsmb/cliconnect.c:cli_start_connection(1376)
  Connecting to host=GLOIN
[2004/11/05 11:18:45, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 172.16.7.227 at port 445
[2004/11/05 11:18:46, 3] auth/auth_util.c:make_server_info_info3(1114)
  User grade2 does not exist, trying to add it
[2004/11/05 11:18:46, 0] auth/auth_util.c:make_server_info_info3(1122)
  make_server_info_info3: pdb_init_sam failed!
[2004/11/05 11:18:46, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:46, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

Cannot understand why going to GLOIN (Domain_B_PDC) will not get 
grade2 (domain_B_user) user and trying to add it!!??

Any ideas?  Thanks.
adrian
Was this for the case with winbind in the /etc/nsswitch.conf or 
without it? As I've described in my previous message - I was wrong - 
you do need winbind in /etc/nsswitch.conf for things to work.

I'd suggest to increase log level to 5 - there could be more helpful 
information.

Igor


Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-03 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor,
Do you have trustdomains in your auth methods?
Currently I removed the winbind from nsswitch.conf.  And smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user does not work.
Have you tried smbclient //domain_B_PDC//shared -W domain_A -U 
domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to 
authenticate but cannot connect to shared folder with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED
I would also guess that since valid users and write list accept only 
UNIX and NIS groups you will need to have winbind in your nsswitch.conf 
for @Domain_A\Domain Users to work...

Does Samba allow Domain_A\domain_a_user to access this share if you 
list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
  Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
  making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
  user 'Domain_A\domain_a_user' (from session setup) not permitted to 
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--
My smb.conf :-
[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable =no
---
Do you have winbind in your nsswitch.conf?
No, I don't.
How did you manage to get the mapped home directory for domain_a_user 
when he logs on to the joined_domain_B_computer?
Yes, I have XP computer joined domain_A and this domain has mutual trust 
with domain_B. I can login on this computer as user_a into domain_A and 
as user_b into domain_B and their corresponding home directories get 
correctly mapped into drive H:

dn: uid=user_a,ou=People,dc=domain_A,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_A\homes
dn: uid=user_b,ou=People,dc=domain_B,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_B\homes
Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail cos I forgot to cc to sambalists
Yes, I did. I apologize for delays - I work with Samba only in my spare 
time.

Igor
Igor Belyi wrote:
I would guess that it means that DomainA trust DomainB but DomainB 
does not trust DomainA. Can you verify that trust is mutual between 
them? Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
Winbind is used only by Samba when it maps users from trust domain 
into local space.

Adrian Chow wrote:
Hi Igor,
I got stuck now.  I did my best.  I got stuck at the winbind which I 
suspected is the reason why the domainA_computer cannot map the 
domain_B user's home directory.

1.  What are the settings of your winbind?
 

I have the following winbind related entries in smb.conf:
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2
To see if winbind works you can also try to resolve a name into SID 
and SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. 
Try to do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y SID return in a previous command

2.  Do you use only winbind in your libnss_ldap or use ldap as 
well?
 

In my /etc/nsswitch.conf I have only ldap without winbind. As far 
as I understand this, winbind usage via NSS can confuse Samba into 
thinking that those users and groups are defined locally and maybe 
allowing Samba to use winbind directly is a better approach for trust 
between domains.

I don't know why you would want to put winbind into libnss_ldap which 
is configuration for LDAP interface for NSS (when you use 'ldap' in 
/etc/nsswitch.conf file)

3.  My winbind works with :-
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
getent group shows all the local groups and also the groups shown 
in wbinfo -g
(For DomainB)
getent group shows all the local groups and only the GUESTs 
group.  Very weird.  The rest of the groups in wbinfo -g does not 
come up.
The logs is something like this:-
---

nsswitch/winbindd_group.c:fill_grent_mem(133)
 could not lookup membership for group rid 
S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error

[Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-01 Thread Igor Belyi
I would guess that it means that DomainA trust DomainB but DomainB does 
not trust DomainA. Can you verify that trust is mutual between them? 
Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
Winbind is used only by Samba when it maps users from trust domain into 
local space.

Adrian Chow wrote:
Hi Igor,
I got stuck now.  I did my best.  I got stuck at the winbind which I suspected is the 
reason why the domainA_computer cannot map the domain_B user's home directory.
1.  What are the settings of your winbind?
 

I have the following winbind related entries in smb.conf:
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2
To see if winbind works you can also try to resolve a name into SID and 
SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. Try to 
do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y SID return in a previous command

2.  Do you use only winbind in your libnss_ldap or use ldap as well?
 

In my /etc/nsswitch.conf I have only ldap without winbind. As far as I 
understand this, winbind usage via NSS can confuse Samba into thinking 
that those users and groups are defined locally and maybe allowing Samba 
to use winbind directly is a better approach for trust between domains.

I don't know why you would want to put winbind into libnss_ldap which is 
configuration for LDAP interface for NSS (when you use 'ldap' in 
/etc/nsswitch.conf file)

3.  My winbind works with :-
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
getent group shows all the local groups and also the groups shown in wbinfo -g
(For DomainB)
getent group shows all the local groups and only the GUESTs group.  Very weird.  The rest of the groups in wbinfo -g does not come up. 

The logs is something like this:-
---
nsswitch/winbindd_group.c:fill_grent_mem(133)
 could not lookup membership for group rid 
S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 
NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
 could not lookup domain group STAFF\wheel
---
 

Do you mean that this error message was reported during getent group 
in DomainB? Because, without this error message I would assume that you 
have winbind written in /etc/nsswitch.conf on your DomainA server but 
not on your DomainB server.

The error message means that Samba thinks that 'wheel' is a Domain group 
of the 'STAFF' domain and fails to find its mapping. I would expect this 
error to come up during login of a Domain user whose primary group is a 
local 'wheel' group instead of a Domain group. If this user is supposed 
to have 'wheel' as a primary group you probably forgot to create a 
groupmap from a Domain group for it.

Igor


[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem

2004-10-28 Thread Igor Belyi
Interesting... Commenting out add user script did allow me to login 
and winbind entries to be created but I do believe that there's a problem 
with Samba then - local users should be created only for the Domain PDC 
manages. I would expect that it should fall to winbind immediately after 
realizing that it's another Domain. I'll try to investigate this one.

On the other hand, after login - testB home was correctly mapped from 
DomainB's server machine, so I still don't see the problem you 
encounter. Note, that both my domains have Samba 3.0.7 and maybe the 
first thing you should try is to upgrade your PDCs to this latest stable 
version as well.

Igor
Adrian Chow wrote:
Hi Igor,
I think it is default in the smb.conf script that if you login as a 
user that is not found in the PDC, and that the user is found in the 
remote domain that is trusted, the add user script =  will be 
activated. You can prevent users from being created if you do not 
specify add user script in the smb.conf.

adrian
Igor Belyi wrote:
I've tried to login with a user testB which exists in DomainB but not 
in DomainA (Client XP is a DomainA member) and noticed that there's 
an attempt in DomainA to create a local user testB. I'm trying to 
investigate if there is any problem with my winbind setup in DomainA...

I'll keep you posted.
Igor
Igor Belyi wrote:
Adrian Chow wrote:
Hi Igor,
Thanks for your prompt reply.
Just curious whether you have read my previous email regarding the 
different setup for my side.  I have :-
Domain A controller :- openldap 2.1.23 (slave), samba 3.04 (PDC)
Domain B controller :- openldap 2.1.30-3 (slave), samba 3.07 (PDC)
Main LDAP server : - openldap 2.0.27-3.bunk (master).


So you have the same LDAP directory for both PDCs? Can you show 
smb.conf for both PDCs? How did you configure your LDAP slaves - do 
they have write access to the entries PDC uses?

Question 1:- Wonder if there will be a problem with the openldap 
setup?  Should I upgrade all the LDAP to have same version?


Since we don't know yet what kind of problem you face it's difficult 
to say if LDAP version matters. My guess is it does not and that the 
newer version you have the better.

Question 2:- If I were to upgrade Domain A to samba 3.07 (as I 
thought there could be a potential problem with the 
trusting/trusted domains), any clue of how can I upgrade to samba 
3.07 without losing the SID or any problems? I was thinking of 
doing the following:-
1.  Backup the smb.conf file


I don't think smb.conf gets changed during upgrade, but backups 
never hurt.

2.  smbldap-conf file (containing the SID number).


It will make sense if you plan to update smbldap tools as well. 
Note, that Domain SID which Samba uses is kept in LDAP entry and the 
one written in smbldap-conf file should mirror it. And since it is 
kept in LDAP upgrade of Samba 3.x should not cause its change. I 
don't remember big changes in smbldap-conf between 3.0.4 and 3.0.7 
Sambas but I would recommend to look at the 'diff' between backed-up 
and newly installed versions to verify that.

Is there any thing I left out?  Will the SID be changed?  The 
reason I ask was because I already got a domain member server under 
domain A (samba 3.04) and I do not want to lose the SID cos I have 
like 260 users' home directory in that domain member server 
(windows 2003 server).

Thanks in advance.
Regards,
adrian
Igor Belyi wrote:
Sorry... Got busy with something else. I'll try to do the test 
with different users tomorrow. There could be a problem with my 
previous test since the user present in both Domains also has the 
same password and this may allow credentials from one domain to 
somehow be used in another.

If you would collect trace for both 'login' and 'net user x: 
/home' times - it will be great. Make sure that trace is with 'log 
level = 5' and if you have more than one machine that you collect 
trace for the Client XP machine (probably, by including %m in the 
'log file').

I apologize for the delay.
Igor
Adrian Chow wrote:
Hi Igor,
Wondering have you tried to one the scenario when a domain B user 
logins on domain A machine where the domain B username is not 
found in domain A machine?  Can you still map the drives?

Also you were asking for the smbd files how should I get 
them? During when I login or during when I typed the command 
net use x: /home on the DOS prompt?

Thanks.  Just concerned as I have not heard from you.
adrian



[Samba] Re: pam_ldap for unix accounts, smbpassword for samba?

2004-10-28 Thread Igor Belyi
What error do you see in smbd log? Did you try to add -W domain name 
to  smbclient command?

Igor
Misty Stanley-Jones wrote:
Is this setup possible?  I am converting an old server to look on LDAP for its 
UNIX account info.  I am able to auth in every way with a LDAP-only user 
(login, telnet, ssh, su).  However, after adding the user with smbpasswd -a, 
the password doesn't work:

[EMAIL PROTECTED] log]# smbpasswd -a testuser
New SMB password:
Retype new SMB password:
Added user testuser.
[EMAIL PROTECTED] log]# smbclient -L furnsrv -U testuser
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
[EMAIL PROTECTED] log]# su testuser
Password:
sh-2.05b$  

Any help with this would be appreciated.  I'm not ready to move the SAMBA side 
of things over to LDAP just yet.

Thanks,
Misty


[Samba] Re: pam_ldap for unix accounts, smbpassword for samba?

2004-10-28 Thread Igor Belyi
Can you list shares as a guest - without -U option and with empty 
password? Does your Samba listen on 'lo' interface?

Igor
Misty Stanley-Jones wrote:
On Thursday 28 October 2004 11:33, Igor Belyi wrote:
What error do you see in smbd log? Did you try to add -W domain name
to  smbclient command?

This is the error message:
[2004/10/28 10:39:13, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
Same behavior with or without the -W parameter.  This is a completely 
different Samba server than the other one I have been setting up.  This one 
is Samba 3.0.6, not sure if it matters.

Misty

Igor
Misty Stanley-Jones wrote:
Is this setup possible?  I am converting an old server to look on LDAP
for its UNIX account info.  I am able to auth in every way with a
LDAP-only user (login, telnet, ssh, su).  However, after adding the user
with smbpasswd -a, the password doesn't work:
[EMAIL PROTECTED] log]# smbpasswd -a testuser
New SMB password:
Retype new SMB password:
Added user testuser.
[EMAIL PROTECTED] log]# smbclient -L furnsrv -U testuser
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
[EMAIL PROTECTED] log]# su testuser
Password:
sh-2.05b$
Any help with this would be appreciated.  I'm not ready to move the SAMBA
side of things over to LDAP just yet.
Thanks,
Misty


[Samba] Re: pam_ldap for unix accounts, smbpassword for samba?

2004-10-28 Thread Igor Belyi
If you are _not_ on FreeBSD, check your /etc/nsswitch.conf setup. Do you 
see those users with 'getent passwd'?

Igor
Misty Stanley-Jones wrote:
On Thursday 28 October 2004 13:13, Igor Belyi wrote:
Can you list shares as a guest - without -U option and with empty
password? Does your Samba listen on 'lo' interface?

I can list shares as anyone who is a normal UNIX user.  As soon as I comment 
them out of /etc/passwd so they are visible only from LDAP, smbpasswd 
complains.  I found the log message.  It's in pdcname.log, not smbd.log 
like I would expect:

[2004/10/28 11:35:55, 0] passdb/pdb_smbpasswd.c:build_sam_account(1183)
  build_sam_account: smbpasswd database is corrupt!  username misty with uid 
533 is not
 in unix passwd database!
[2004/10/28 11:35:55, 0] passdb/pdb_smbpasswd.c:build_sam_account(1183)
  build_sam_account: smbpasswd database is corrupt!  username w2kbrandon$ with 
uid 535
is not in unix passwd database!
[2004/10/28 11:35:55, 0] passdb/pdb_smbpasswd.c:build_sam_account(1183)
  build_sam_account: smbpasswd database is corrupt!  username xpcarl$ with uid 
537 is n
ot in unix passwd database!

But it's not corrupt.  I don't know how to rebuild it without losing all kinds 
of stuff, I don't know what is wrong.  :(


Igor
Misty Stanley-Jones wrote:
On Thursday 28 October 2004 11:33, Igor Belyi wrote:
What error do you see in smbd log? Did you try to add -W domain name
to  smbclient command?
This is the error message:
[2004/10/28 10:39:13, 0] lib/util_sock.c:get_peer_addr(1000)
 getpeername failed. Error was Transport endpoint is not connected
Same behavior with or without the -W parameter.  This is a completely
different Samba server than the other one I have been setting up.  This
one is Samba 3.0.6, not sure if it matters.
Misty

Igor
Misty Stanley-Jones wrote:
Is this setup possible?  I am converting an old server to look on LDAP
for its UNIX account info.  I am able to auth in every way with a
LDAP-only user (login, telnet, ssh, su).  However, after adding the user
with smbpasswd -a, the password doesn't work:
[EMAIL PROTECTED] log]# smbpasswd -a testuser
New SMB password:
Retype new SMB password:
Added user testuser.
[EMAIL PROTECTED] log]# smbclient -L furnsrv -U testuser
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
[EMAIL PROTECTED] log]# su testuser
Password:
sh-2.05b$
Any help with this would be appreciated.  I'm not ready to move the
SAMBA side of things over to LDAP just yet.
Thanks,
Misty


[Samba] Re: LDAP: strange net groupmap behaviour

2004-10-27 Thread Igor Belyi
For those who may also look into this problem.
1. This problem is on FreeBSD 4.10 (read - without NSS!)
2. UNIX groups and accounts are kept locally (not in LDAP) whereas Samba 
is configured to use LDAP.
3. gidNumber=4294967295 is the same as 0x which is (unsigned 
int)-1 and Samba's attempt to look for a group with this gid may 
indicate an incorrect check for an error in the code.

Let's do it together, shall we? :)
Igor
Igor Belyi wrote:
Ilia Chipitsine wrote:
Dear Sirs,
I did the following command (against ldapsam backend):
net groupmap add rid=3002 unixgroup=wheel type=local 
ntgroup=Marketoids comment=Mm -d 10

I just wanted to add new group. But instead of that I saw many-many-many
records:
lib/smbldap.c:smbldap_search(963)
passdb/pdb_ldap.c:ldapsam_getgroup(2008)
they all wanted to find group with gidNumber=4294967295, yes, sure, 
there's no such group. I didn't mean to find that group, I just meant 
to add new one. What's wrong ?

'net groupmap' is used to map a Domain group SID to an existing UNIX group.
If you want to create UNIX group in LDAP you may want to use smbldap 
tools: /usr/local/sbin/smbldap-groupadd.pl group name
To add a group and a mapping use '-a' option with smbldap-groupadd.pl 
script.
To add groups and a mapping via 'net group add' command or with 
usrmgr.exe Windows utility, add the following line to your smb.conf:
add group script = /usr/local/sbin/smbldap-groupadd.pl -p %g

Please, read Samba docs.
Hope it helps,
Igor
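
The gidNumber=4294967295 value discussed above, as an added C illustration (not Samba's code and not part of the original posts): a lookup that reports failure as (gid_t)-1, and a caller that formats the search filter without checking for it. The group table, the function names and the filter layout are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample data standing in for the local group database. */
struct group_row { const char *name; gid_t gid; };
static const struct group_row sample_groups[] = {
    { "wheel", 0 },   /* gid 0 is a valid gid, not an error value */
    { "staff", 20 },
};

/* Failure sentinel: all bits set, printed as 4294967295 for a 32-bit gid. */
#define GID_NOT_FOUND ((gid_t)-1)

/* Hypothetical helper: group name -> gid, GID_NOT_FOUND when unknown. */
static gid_t lookup_gid(const char *name)
{
    size_t n = sizeof(sample_groups) / sizeof(sample_groups[0]);
    for (size_t i = 0; i < n; i++)
        if (strcmp(sample_groups[i].name, name) == 0)
            return sample_groups[i].gid;
    return GID_NOT_FOUND;
}

/* Unchecked caller: the sentinel flows straight into the directory filter,
 * so the search asks for a group that cannot exist. */
static const char *filter_unchecked(const char *name)
{
    static char buf[64];
    snprintf(buf, sizeof(buf), "(gidNumber=%u)",
             (unsigned int)lookup_gid(name));
    return buf;
}

/* Checked caller: compares against the sentinel itself (a test such as
 * "gid == 0" would wrongly reject wheel) and builds no filter on failure. */
static const char *filter_checked(const char *name)
{
    static char buf[64];
    gid_t gid = lookup_gid(name);
    if (gid == GID_NOT_FOUND)
        return NULL;
    snprintf(buf, sizeof(buf), "(gidNumber=%u)", (unsigned int)gid);
    return buf;
}

int main(void)
{
    const char *names[] = { "wheel", "staff", "nosuchgroup" };
    for (size_t i = 0; i < 3; i++) {
        const char *checked = filter_checked(names[i]);
        printf("%-12s unchecked=%s checked=%s\n", names[i],
               filter_unchecked(names[i]),
               checked ? checked : "(lookup failed, no search issued)");
    }
    return 0;
}
```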


[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem

2004-10-27 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor,
Thanks for your prompt reply.
Just curious whether you have read my previous email regarding the 
different setup for my side.  I have :-
Domain A controller :- openldap 2.1.23 (slave), samba 3.04 (PDC)
Domain B controller :- openldap 2.1.30-3 (slave), samba 3.07 (PDC)
Main LDAP server : - openldap 2.0.27-3.bunk (master).
So you have the same LDAP directory for both PDCs? Can you show smb.conf 
for both PDCs? How did you configure your LDAP slaves - do they have 
write access to the entries PDC uses?

Question 1:- Wonder if there will be a problem with the openldap 
setup?  Should I upgrade all the LDAP to have same version?
Since we don't know yet what kind of problem you face it's difficult to 
say if LDAP version matters. My guess is it does not and that the newer 
version you have the better.

Question 2:- If I were to upgrade Domain A to samba 3.07 (as I thought 
there could be a potential problem with the trusting/trusted domains), 
any clue of how can I upgrade to samba 3.07 without losing the SID or 
any problems? I was thinking of doing the following:-
1.  Backup the smb.conf file
I don't think smb.conf gets changed during upgrade, but backups never hurt.
2.  smbldap-conf file (containing the SID number).
It will make sense if you plan to update smbldap tools as well. Note, 
that Domain SID which Samba uses is kept in LDAP entry and the one 
written in smbldap-conf file should mirror it. And since it is kept in 
LDAP upgrade of Samba 3.x should not cause its change. I don't remember 
big changes in smbldap-conf between 3.0.4 and 3.0.7 Sambas but I would 
recommend to look at the 'diff' between backed-up and newly installed 
versions to verify that.

Is there any thing I left out?  Will the SID be changed?  The reason I 
ask was because I already got a domain member server under domain A 
(samba 3.04) and I do not want to lose the SID cos I have like 260 
users' home directory in that domain member server (windows 2003 
server).

Thanks in advance.
Regards,
adrian
Igor Belyi wrote:
Sorry... Got busy with something else. I'll try to do the test with 
different users tomorrow. There could be a problem with my previous 
test since the user present in both Domains also has the same 
password and this may allow credentials from one domain to somehow be 
used in another.

If you would collect trace for both 'login' and 'net user x: /home' 
times - it will be great. Make sure that trace is with 'log level = 
5' and if you have more than one machine that you collect trace for 
the Client XP machine (probably, by including %m in the 'log file').

I apologize for the delay.
Igor
Adrian Chow wrote:
Hi Igor,
Wondering have you tried to one the scenario when a domain B user 
logins on domain A machine where the domain B username is not found 
in domain A machine?  Can you still map the drives?

Also you were asking for the smbd files how should I get them? 
During when I login or during when I typed the command net use x: 
/home on the dos prompt?

Thanks.  Just concerned as I have not heard from you.
adrian





[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem

2004-10-27 Thread Igor Belyi
I've tried to login with a user testB which exists in DomainB but not in 
DomainA (Client XP is a DomainA member) and noticed that there's an 
attempt in DomainA to create a local user testB. I'm trying to 
investigate if there is any problem with my winbind setup in DomainA...

I'll keep you posted.
Igor
Igor Belyi wrote:
Adrian Chow wrote:
Hi Igor,
Thanks for your prompt reply.
Just curious whether you have read my previous email regarding the 
different setup for my side.  I have :-
Domain A controller :- openldap 2.1.23 (slave), samba 3.04 (PDC)
Domain B controller :- openldap 2.1.30-3 (slave), samba 3.07 (PDC)
Main LDAP server : - openldap 2.0.27-3.bunk (master).

So you have the same LDAP directory for both PDCs? Can you show 
smb.conf for both PDCs? How did you configure your LDAP slaves - do 
they have write access to the entries PDC uses?

Question 1:- Wonder if there will be a problem with the openldap 
setup?  Should I upgrade all the LDAP to have same version?

Since we don't know yet what kind of problem you face it's difficult 
to say if LDAP version matters. My guess is it does not and that the 
newer version you have the better.

Question 2:- If I were to upgrade Domain A to samba 3.07 (as I 
thought there could be a potential problem with the trusting/trusted 
domains), any clue of how can I upgrade to samba 3.07 without losing 
the SID or any problems? I was thinking of doing the following:-
1.  Backup the smb.conf file

I don't think smb.conf gets changed during upgrade, but backups never 
hurt.

2.  smbldap-conf file (containing the SID number).

It will make sense if you plan to update smbldap tools as well. Note, 
that Domain SID which Samba uses is kept in LDAP entry and the one 
written in smbldap-conf file should mirror it. And since it is kept in 
LDAP upgrade of Samba 3.x should not cause its change. I don't 
remember big changes in smbldap-conf between 3.0.4 and 3.0.7 Sambas 
but I would recommend to look at the 'diff' between backed-up and newly 
installed versions to verify that.

Is there any thing I left out?  Will the SID be changed?  The reason 
I ask was because I already got a domain member server under domain A 
(samba 3.04) and I do not want to lose the SID cos I have like 260 
users' home directory in that domain member server (windows 2003 
server).

Thanks in advance.
Regards,
adrian
Igor Belyi wrote:
Sorry... Got busy with something else. I'll try to do the test with 
different users tomorrow. There could be a problem with my previous 
test since the user present in both Domains also has the same 
password and this may allow credentials from one domain to somehow 
be used in another.

If you would collect trace for both 'login' and 'net user x: /home' 
times - it will be great. Make sure that trace is with 'log level = 
5' and if you have more than one machine that you collect trace for 
the Client XP machine (probably, by including %m in the 'log file').

I apologize for the delay.
Igor
Adrian Chow wrote:
Hi Igor,
Wondering have you tried to one the scenario when a domain B user 
logins on domain A machine where the domain B username is not found 
in domain A machine?  Can you still map the drives?

Also you were asking for the smbd files how should I get them? 
During when I login or during when I typed the command net use x: 
/home on the dos prompt?

Thanks.  Just concerned as I have not heard from you.
adrian



[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem

2004-10-26 Thread Igor Belyi
Sorry... Got busy with something else. I'll try to do the test with 
different users tomorrow. There could be a problem with my previous test 
since the user present in both Domains also has the same password and 
this may allow credentials from one domain to somehow be used in another.

If you would collect trace for both 'login' and 'net user x: /home' 
times - it will be great. Make sure that trace is with 'log level = 5' 
and if you have more than one machine that you collect trace for the 
Client XP machine (probably, by including %m in the 'log file').

I apologize for the delay.
Igor
Adrian Chow wrote:
Hi Igor,
Wondering have you tried to one the scenario when a domain B user 
logins on domain A machine where the domain B username is not found in 
domain A machine?  Can you still map the drives?

Also you were asking for the smbd files how should I get them? 
During when I login or during when I typed the command net use x: 
/home on the dos prompt?

Thanks.  Just concerned as I have not heard from you.
adrian


[Samba] Re: LDAP: strange net groupmap behaviour

2004-10-25 Thread Igor Belyi
Ilia Chipitsine wrote:
Dear Sirs,
I did the following command (against ldapsam backend):
net groupmap add rid=3002 unixgroup=wheel type=local ntgroup=Marketoids 
comment=Mm -d 10

I just wanted to add new group. But instead of that I saw many-many-many
records:
lib/smbldap.c:smbldap_search(963)
passdb/pdb_ldap.c:ldapsam_getgroup(2008)
they all wanted to find group with gidNumber=4294967295, yes, sure, 
there's no such group. I didn't mean to find that group, I just meant to 
add new one. What's wrong ?
'net groupmap' is used to map a Domain group SID to an existing UNIX group.
If you want to create UNIX group in LDAP you may want to use smbldap 
tools: /usr/local/sbin/smbldap-groupadd.pl group name
To add a group and a mapping use '-a' option with smbldap-groupadd.pl 
script.
To add groups and a mapping via 'net group add' command or with 
usrmgr.exe Windows utility, add the following line to your smb.conf:
add group script = /usr/local/sbin/smbldap-groupadd.pl -p %g

Please, read Samba docs.
Hope it helps,
Igor


[Samba] Re: Importing from smbpasswd to ldapsam

2004-10-25 Thread Igor Belyi
Miguel Angel Díaz Armentia wrote:
I've got a ldap+samba server and I should like to import the user accounts
from my old smbpasswd from another server to ldapsam.
Any idea?
Assuming that SID of the domain is the same:
pdbedit --import smbpasswd --export ldapsam
Igor


[Samba] Re: Fail in add user script

2004-10-25 Thread Igor Belyi
Run /usr/sbin/useradd -m veronika from the command line and see what 
error prevents it from creating such a user.

Igor
Sopik Bronislav wrote:
Dear all,
I have a problem with adduser script in smb.conf.
I am trying to log in WinXP as a user from trusted domain. But it always
writes me this failure:
useradd: unable to lock password file
[2004/10/21 14:00:53, 3] auth/auth_util.c:smb_create_user(53)
  smb_create_user: Running the command `/usr/sbin/useradd -m veronika'
gave 1
My add user script in smb.conf:
add user script = /usr/sbin/useradd -m %u
Please can you help me??
Best regards, Sopik Bronislav


[Samba] Re: can't join domain / smbldap-useradd -w machine not working

2004-10-25 Thread Igor Belyi
I'd guess that you either have nscd running on your PDC or Administrator 
with that password does not exist in PDC user database.
In first case you will need either stop or restart nscd. In second - 
create such user or check its password.

Hope it helps,
Igor
Tomasz Chmielewski wrote:
Hello,
I'm trying to set up Samba + OpenLDAP as a PDC.
I followed the instructions from chapter 6 in Samba-3 by Example, my 
system is SuSE 9.1.

ldap, winbind, nmb and smb are running.
testparm says my smb.conf file is OK.
I set LDAP password using smbpasswd -w.
There was a similar post a few days ago (smbldap-tools don't create 
machine account properly), but it didn't help me.

When I try to join using net rpc (page 158 of Samba-3 by Example), I get 
this:

# net rpc join -U Administrator%password
Could not connect to server SERVER
The username or password was not correct.
This is what is logged with debugs 1-9 in smb.conf (same log with each 
debug):

# cat /var/log/samba/log.192.168.0.109
[2004/10/25 15:01:04, 0] rpc_server/srv_netlog_nt.c:get_md4pw(201)
  get_md4pw: Workstation SERVER$: no account in domain
I get the same even when I add machine SERVER manually.
I can find this machine manually using ldapsearch:
# ldapsearch -x -b dc=magista,dc=de (uid=SERVER$)
# extended LDIF
#
# LDAPv3
# base dc=magista,dc=de with scope sub
# filter: (uid=SERVER$)
# requesting: ALL
#
# server$, Users, magista.de
dn: uid=server$,ou=Users,dc=magista,dc=de
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: server$
sn: server$
uid: server$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1


Re: [Samba] Re: 'add/change/delete share command'(s) in smb.conf

2004-10-25 Thread Igor Belyi
What David meant is that you can achieve this by making user to run 
scripts adding/removing share from a command line instead of using 
srvmgr.exe or 'net share add/delete'. When those scripts will run on a 
share which forces access to be root they will update smb.conf as a 
root. Other shares will be accessed from a normal user identity.

Igor
[EMAIL PROTECTED] wrote:
Igor & David,
Thanks for the replies.
However, what I think I'm reading is that there is no current solution for 
my problem, right?

As Igor states, how would the Windows GUI 'add/change/delete'(or even 
command-line 'rmtshare') commands (know to) use this [config] share?

I trust the 'user' , that's not a problem.
The problem is that I don't want them to always be 'root' on the Samba 
server, especially as they create most of the files.
There are other processes which rely on these files being owned by this 
particular user, not 'root' .

Gary R. Webster

Igor Belyi [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/16/04 01:38 AM
   To: David Rankin [EMAIL PROTECTED]
   cc: [EMAIL PROTECTED]
   Subject:Re: [Samba] Re: 'add/change/delete  share command'(s)  in 
smb.conf
On a second thought... It doesn't matter if path is '/' or '/etc/samba'
- if user has access to edit smb.conf directly he/she can create similar
share with 'path = /' and 'force user = root' any time and have access
to the whole computer. So, I agree - you'd better trust 'theusername' as
if it were 'root'.
Igor
Igor Belyi wrote:
Hm... Interesting idea... Since access is necessary only to smb.conf
then probably changing share's path to
'path = /etc/samba' could be a better alternative...
But then again.. how 'add/change/delete share commands' will know that
this particular user has access to this [config] share even if path is
left as '/'? So, it probably won't work via those commands - user will
need to edit smb.conf by hand while accessing it via the [config] share.
Igor
David Rankin wrote:
This will work:
[config]
  comment = Admin Share
  path = /
  valid users = theusername
  force user = root
  force group = theusergroup
  admin users = theusername
  writeable = Yes
W A R N I N G: whoever 'theusername' is will have complete access
to all files listed in or below the path directory (your entire box as
shown above). If you can limit the path to say /home or wherever the
files of concern are, you would be much better off.
--
David C. Rankin, J.D., P.E.
Rankin * Bertin, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankin-bertin.com
- Original Message - From: Igor Belyi
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 15, 2004 11:17 PM
Subject: [Samba] Re: 'add/change/delete share command'(s) in smb.conf

 

[EMAIL PROTECTED] wrote:
Hello.
I need to allow one of my users to add & delete shares on my Samba server
through the 'server manager' applet on his client .
This same user also writes some files to the same Samba server.
I don't want the files that he writes to be owned/written by 'root' .
The way I understand the 'add share command' currently, this is not
possible.
Am I missing something?

I think you are right. User can not have more than 1 identity when
connecting to Samba. If it's an Administrator everything will be done
from the root account.
Igor
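An added example, not part of the thread or of Samba: a small Python audit for the pattern discussed above, a writable share that runs as root (`force user = root` or `admin users`) and whose path covers smb.conf, which makes the share's user equivalent to root whether the path is `/` or `/etc/samba`. The sample configuration is constructed from the [config] share quoted in the thread; the `/etc/samba/smb.conf` location and the finding names are assumptions.

```python
import posixpath

SMB_CONF_PATH = "/etc/samba/smb.conf"   # assumed location; varies by distribution
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed sample: the [config] share from the thread plus an ordinary share.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE

[config]
   comment = Admin Share
   path = /
   valid users = theusername
   force user = root
   force group = theusergroup
   admin users = theusername
   writeable = Yes

[data]
   path = /srv/data
   valid users = @staff
   read only = No
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}. Names are lower-cased and stripped of
    whitespace, because smb.conf ignores case and spacing in parameter names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()
            current.pop(key, None)           # re-insert so the last setting is last
            current[key] = value.strip()
    return sections


def is_writable(params):
    """'read only' defaults to yes; writeable, writable and 'write ok' are its
    inverted synonyms. The last one set wins."""
    writable = False
    for key, value in params.items():
        enabled = value.lower() in TRUE_VALUES
        if key == "readonly":
            writable = not enabled
        elif key in ("writeable", "writable", "writeok"):
            writable = enabled
    return writable


def covers(share_path, target):
    """True if target lies at or below share_path."""
    base = posixpath.normpath(share_path)
    return base == "/" or target == base or target.startswith(base + "/")


def audit_shares(text, conf_path=SMB_CONF_PATH):
    """Return a list of (share, finding) tuples."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    findings = []
    for name, params in sections.items():
        if name == "global":
            continue
        # Share settings override [global] defaults and are evaluated after them.
        effective = {k: v for k, v in defaults.items() if k not in params}
        effective.update(params)
        as_root = effective.get("forceuser", "").lower() == "root"
        admins = effective.get("adminusers", "")
        if as_root:
            findings.append((name, "force-user-root"))
        if admins:
            findings.append((name, "admin-users"))
        path = effective.get("path")
        if (as_root or admins) and is_writable(effective) and path and covers(path, conf_path):
            findings.append((name, "root-write-to-smb-conf"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] {finding}")
```

Limiting the path to a directory that does not contain smb.conf (for example /home) removes the last finding but not the first two: every file written through the share is still written as root.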


[Samba] Re: You have no permission to change your password

2004-10-22 Thread Igor Belyi
Is it possible that account has User Cannot Change Password set?
Igor
Steve Simeonidis wrote:
Error when you try to change your password
from Windows XP, SP1, latest patches
(ctrl-Alt-Del)
Server configuration
Fedora Core 1
samba-3.0.7-2FC1
Samba is configured as PDC with roaming profiles.
I've just noticed testparm gives the following error
ERROR: the 'passwd chat' script [*old password* %o\n *new password* %n\n *new 
password* %n\n *changed*] expects to use the old plaintext password via the %o 
substitution. With encrypted passwords this is not possible.
workgroup = EWS-NET
netbios name = EWS-SRV1
server string = EWS Network
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *old password* %o\n *new password* %n\n *new password* %n\n 
*changed*
passwd chat debug = Yes
username map = /etc/samba/smbusers
password level = 8
username level = 8
unix password sync = Yes
log level = 1
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = wins lmhosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
show add printer wizard = No
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null 
-s /bin/false %u
logon script = %U.bat
logon path = \\%L\%U\.profile
logon drive = H:
domain logons = Yes
os level = 66
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
hosts allow = 192.168.5., 127.
hide special files = Yes
I had initially used the default passwd chat line which is
;   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* 
with no luck!

Is there something that I have missed or 
please help.

Steve Simeonidis
 



Re: [Samba] Re: ADS valid users can't map share

2004-10-22 Thread Igor Belyi
Greg Adams wrote:
So am I up a creek on this issue?

Gerald (Jerry) Carter wrote:
Yup.  That's my change.  But since the NTLM authentication
is succeeding, then I'll assume that the token sent back
was an NTLMSSP token as well.  So for some reason the client
either can't or won't obtain a ticket for the Samba server.
DNS reverse mapping glitch perhaps?

Ok, as I said I don't have any experience with ADS and I have some vague 
knowledge of Kerberos so I'll try to put a theory and if it's completely 
wrong at least it will give somebody a chance to correct me.

Basic of Kerberos is that everyone take their tickets from the same 
source. Client get its own ticket from Security server. Whenever it 
needs to authenticate itself to an application server it gets from the 
same Security server application server ticket as well.  This 
application server ticket is used to encrypt client's identity so that 
only the right application server can find them out. Server on the other 
hand trust client because it encrypted its identity with a ticket which 
it can get only from the same Security server application server got its 
own ticket.

To be honest I don't know details of Kerberos setup between Client, 
Samba, and ADS when 'security = ads' is used but I would guess that ADS 
is a Security server which distributes Kerberos tickets and Samba is a 
server which provides shares depending on client's identity. But, the 
fact that failed Kerberos communication can fall back to normal domain 
authentication (NTLM) confuses me. Does it mean that client after first 
failed attempt will pass NTLM credentials only? But why then 
there's still information regarding Kerberos abilities passed around?

I think that what Jerry says is that client (XP) got incorrect Samba 
server ticket from ADS. According to what I heard ADS gives tickets 
based on the name of the server, the machine name this server runs on 
and the Realm server belongs to. Unfortunately, I don't know how and who 
determines the machine name but based on Jerry's comment this could be 
the reason for the problem. I'd guess it's a good idea to check if DNS 
name - IP - DNS name gives consistent result on all 3 participants: 
Samba server, XP client, and ADS.

Hope it's not useless,
Igor


[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories) Problem

2004-10-22 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor,
Thanks for giving it a shot.  Maybe by asking questions I get to 
clarify something.

1.  What do you mean by Shares specified with Domain?
When you run 'net user X: /homes' you do not specify a domain to get 
[homes] shares from. On the other hand using \\DomB\homes - does.

My 2 PDCs are having the default \\%N\%U at the logon home path in the 
smb.conf.
However, under LDAP, each user (in both domains) are having a 
sambaHomePath and sambaHomeDrive attribute.  And the home path is not 
necessary pointing to the PDC.  It could be a remote server which is a 
domain member of the respective PDC.  Hence I have setup such that the 
each domain have a different attribute.  I did not change the 
smb.conf configuration on the logon home.
Domain A user may point to \\domain_member_server_of_DomA\%U
Domain B user may point to \\PDC_of_DomB\%U

I also tested that the attributes in LDAP overwrites the smb.conf 
logon home.

Likewise I got the same signs.  ClientXP joins Domain A.  Logins as 
Domain A user. Able to map all drive specified in LDAP for domain A 
and also load the login script specified in LDAP for Domain A.
ClientXP then logins as Domain B user.  Unable to map anything and 
fail to load the login scripts.
Vice Versa.  It depends whether the Client joins which Domain.

In the syslogs on both PDCs, (Client Joins DomA) I found out that some 
how they are querying the LDAP_DomA for the user_DomB, when I login to 
the dom B.  It is weird, it should just query PDC_Dom_B for the user 
and then allow it to map.  However on the syslog, I saw it queries 
PDC_DomB first and then queries LDAP_DomA for user_Dom B. it is 
weird.  As if the query failed for asking from PDC_Dom_B.  But on the 
syslog, NO errors and PDC_Dom_B checks its own LDAP and returns all 
the attributes for the users.
I've tried to reproduce your problem and was surprised to see that I've 
got your expected behavior.

I've got DomainA, served by ServerA and DomainB, served by ServerB. I 
have a user 'user' in both domains but in DomainA it has 'sambaHomeDrive 
= Z:' and 'sambaHomePath = \\ServerA\user' while in DomainB it has 
'sambaHomeDrive = X:' and 'sambaHomePath = \\ServerB\user'. I joined 
ClientXP to DomainA. When I login as a user 'user' into DomainA on this 
ClientXP I get home mapped on Z: and files are from ServerA. When I 
login as a user 'user' into DomainB I get home mapped on X: and files 
are from ServerB.

I haven't tried this yet with users present only in one domain and not in 
the other.

BTW, can you share your smbd logs? It could help to understand what 
happens in your setup.

Thanks,
Igor
Thanks.
adrian
Igor Belyi wrote:
I can give a shot at explaining the behavior and if I'm too off I 
hope I'll be corrected.

When you select Domain into which you want to login you specify the 
Domain where your credentials (username and password) should be 
verified but shares specified without Domain will be retrieved from 
the Domain your XP client belongs to.

I think what you want is to have 'logon home = \\%D\%U' instead of 
the one you get by default: '\\%N\%U'

Hope it helps,
Igor
Adrian Chow wrote:
Hi,
Here is my scenario:-
1.  I got 1 LDAP server with two domains (A & B) configured to it.
2.  Both domain PDCs are fully trusted to one another.  I did the 
trustdom establish both ways.
3.  I have 1 XP client that has joined Dom A.  The login bar can 
allow you to login to 2 domains.
4.  I can manage to login to both domains.
5.  I got all the sambaHomePath and home drive done properly on both 
servers in terms of LDAP portions.

Problem:-
When I login (from XP client) to Dom A, no problem.  The home drive 
gets mapped.
When I login to Dom B, the home drive never gets mapped.  The login 
scripts never run.  net use x: /home on the xp client says: the 
user home directory cannot be determined.  But \\domB\homes on 
windows explorer worked!!

I turn all syslog to debug and check everything on BOTH PDCs.  NO 
errors!  What is going wrong?

Funny thing is that the Dom A PDC will query the Dom B for passwd 
auth check during the net use x: /home.  Then it will query itself 
for the sambaHomeDrive details and such no errors at all... but 
logging in to Dom B cannot do it.

I have also tried unjoining Dom A and rejoining Dom B.  The results 
is vice versa.  That means Logging in to Dom B got no problems in 
terms of mapping.  But Logging in to Dom A got problems.

Can anyone shed a light for me in this?  I was about to do mass 
deployment.  My version of Samba is 3.07 for Dom B and 3.04 for Dom 
A. They are running on Debian.

Thanks.
adrian





[Samba] Re: msdfs root in [homes] do not work in XP

2004-10-22 Thread Igor Belyi
Any error messages in smbd log?
Igor
F. Latorre wrote:
Hi
We setup a samba server (3.02a ) under Debian, acting as PDC.
Clients are w98 S.E. and XP sp1.
Server name is box-p
In smb.conf we configure:
[clouds]
...
[homes]
...
msdfs root = yes
We create dfs links in home directory of users : ln -s 
msdfs:box-p\\clouds shared
When users log into PDC using an win98 machine they find shared in his 
home, and can access it.
When users log into PDC using an win XP pro they find shared in his 
home, but can't access it: the resource is inaccessible or doesn't exist.

We tried to move the dfs to other share, acting as dfs root, and create 
msdfs links there. Then any machine can see share and have access to 
its contents.

We need the first configuration, because we can create differents links 
for any user. (there are many shares, and we don't want show all for any 
user)

Any idea?
F. Latorre
Segovia
Spain


[Samba] Re: smbldap-tools don't create machine account properlly

2004-10-21 Thread Igor Belyi
Is it possible that 'ldap admin dn' used in your smb.conf does not have 
write access to 'ou=Computers,dc=unimix,dc=com,dc=br'? What was the 
error in smbd log when machine failed to join the Domain?

Igor
Fernando Ribeiro wrote:
Hi all,
I have smb.conf with:
add machine script = /usr/local/sbin/smbldap-useradd -w %u
add user script = /usr/local/sbin/smbldap-useradd -m %u
add machine script = /usr/local/sbin/smbldap-useradd -w %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user script = /usr/local/sbin/smbldap-userdel %u
delete group script = /usr/local/sbin/smbldap-groupdel %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
When I try to include the w2k machine in the samba domain, it creates the ldap
machine account entry:
dn: uid=suporte$,ou=Computers,dc=unimix,dc=com,dc=br
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: suporte$
sn: suporte$
uid: suporte$
uidNumber: 1020
gidNumber: 1000
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

And it doesn't join the samba domain.
When I create a machine account manually with:
dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
gidNumber: 3
uidNumber: 1022
uid: suporte$
sambaSID: S-1-5-21-715268823-1473299472-2771147885-3044
sambaAcctFlags: [W  ]
cn: suporte
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
It joins the samba domain without problem.
Anyone know why it doesn't create sambaSamAccount?
Does a machine account need inetOrgPerson?

Thanks
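An added example, not part of the thread or of smbldap-tools: a Python check that parses LDIF and reports machine accounts (uid ending in `$`) that lack the Samba attributes present on the hand-made entry which did join the domain. The sample LDIF reproduces the two entries quoted above; the function names and the list of required attributes are assumptions drawn from that comparison.

```python
import base64

# The two entries quoted in the thread: the one written by the add machine
# script, and the hand-made one that joined the domain.
SAMPLE_LDIF = """\
dn: uid=suporte$,ou=Computers,dc=unimix,dc=com,dc=br
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: suporte$
sn: suporte$
uid: suporte$
uidNumber: 1020
gidNumber: 1000
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
gidNumber: 3
uidNumber: 1022
uid: suporte$
sambaSID: S-1-5-21-715268823-1473299472-2771147885-3044
sambaAcctFlags: [W  ]
cn: suporte
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lower: [values]} dicts.
    Handles folded lines, comments and base64 ("attr:: ...") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:    # one leading space continues a line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def machine_account_gaps(entries):
    """Return {dn: [missing items]} for every machine account in entries."""
    report = {}
    for entry in entries:
        if not any(uid.endswith("$") for uid in entry.get("uid", [])):
            continue                         # not a machine account
        classes = {c.lower() for c in entry.get("objectclass", [])}
        flags = "".join(entry.get("sambaacctflags", []))
        missing = []
        if "sambasamaccount" not in classes:
            missing.append("objectClass sambaSamAccount")
        if not entry.get("sambasid"):
            missing.append("sambaSID")
        if "W" not in flags:                 # W marks a workstation trust account
            missing.append("sambaAcctFlags with W")
        report[entry.get("dn", ["<no dn>"])[0]] = missing
    return report


if __name__ == "__main__":
    for dn, missing in machine_account_gaps(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", ", ".join(missing) if missing else "ok")
```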


[Samba] Re: Can't view Windows shares

2004-10-21 Thread Igor Belyi
Do you use smbfs or smbclient to view Windows files?
Igor
Joseph Earl wrote:
All,
I can view the Samba shares on any Windows system.  I can not view Windows
files on my Linux system.  Below is my config file.
Thanks in advance,
Jearl

# Global parameters
[global]
workgroup = DLSMIS
server string = Joe's Place
password server = None
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 65
preferred master = No
domain master = No
dns proxy = No
wins server = 180.0.70.41
ldap ssl = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
valid users = jearl, @jearl
write list = jearl, @jearl
read only = No
[homes]
comment = Home Directories
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[jearl]
path = /home/jearl


[Samba] Re: Samba / Cups and PDF'S

2004-10-21 Thread Igor Belyi
Flewid Productions wrote:
Hi All,
I'm not sure if this is a problem specific to samba, or to cups, or to 
something else. I have a samba 3.0.7 server acting as a PDC, and print 
server for my wonderfully overcomplicated home network setup. The 
problem is when I send a PDF to the cups server to be printed, it only 
prints the first page then the cups mgmt interface will say that the job 
is completed.
Do you mean that you send it to Samba which in its turn sends it to CUPS 
server or that you use CUPS client to send it to CUPS server? If the 
first, try to do it without Samba involved. If it will fix your problem 
- it's some kind of Samba bug and you're on the right list. If not - it 
has nothing to do with Samba and you need to try your luck with CUPS folks.

Igor
If it's a very large (+4mb) PDF, it will print the first 
page, or half of the first page and then the CUPS mgmt interface gives an 
error saying it was aborted. Could this merely be a memory issue? I 
believe there is only 256 megs in that machine.

If I'm asking the wrong people, please let me know and I'll go somewhere 
else, I've tried searching google, but the only results I find are 
printing with CUPS-PDF, which i also have working, and it works fine (I 
can even print pdf's to it and it will create another multiple page pdf)..

thanks in advance,
matt


[Samba] Re: uid and gid problems with linux as client and server

2004-10-21 Thread Igor Belyi
As far as I know smbfs uses uid and gid only for those shares which do 
not have their own access attributes. If server exports access 
attributes smbfs obeys them.

You can play with 'force user' and 'force group' attribute for this 
share to force access to be by uid and gid known on server.

Igor
Frédéric RAVETIER wrote:
I mounted a samba directory on my client with something like :
mount -t smbfs -o
auto,rw,users,username=name,password=pwd,uid=fred,gid=fred
//servername/data /mnt/server
Then mnt/server is own by fred:fred but the uid and gid are not
recursive. So I can not access some directories in mnt/server.
Note that the uid and gid of the server are not the same as the one on
my client.


[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories) Problem

2004-10-21 Thread Igor Belyi
I can give a shot at explaining the behavior and if I'm too off I hope 
I'll be corrected.

When you select Domain into which you want to login you specify the 
Domain where your credentials (username and password) should be verified 
but shares specified without Domain will be retrieved from the Domain 
your XP client belongs to.

I think what you want is to have 'logon home = \\%D\%U' instead of the 
one you get by default: '\\%N\%U'

Hope it helps,
Igor
Adrian Chow wrote:
Hi,
Here is my scenario:-
1.  I got 1 LDAP server with two domains (A & B) configured to it.
2.  Both domain PDCs are fully trusted to one another.  I did the 
trustdom establish both ways.
3.  I have 1 XP client that has joined Dom A.  The login bar can allow 
you to login to 2 domains.
4.  I can managed to login to both domains.
5.  I got all the sambaHomePath and home drive done properly on both 
servers in terms of LDAP portions.

Problem:-
When I login (from XP client) to Dom A, no problem.  The home drive gets 
mapped.
When I login to Dom B, the home drive never gets mapped.  The login 
scripts never run.  net use x: /home on the xp client says: the user 
home directory cannot be determined.  But \\domB\homes on windows 
explorer worked!!

I turn all syslog to debug and check everything on BOTH PDCs.  NO 
errors!  What is going wrong?

Funny thing is that the Dom A PDC will query the Dom B for passwd auth 
check during the net use x: /home.  Then it will query itself for the 
sambaHomeDrive details and such no errors at all... but logging in 
to Dom B cannot do it.

I have also tried unjoining Dom A and rejoining Dom B.  The results is 
vice versa.  That means Logging in to Dom B got no problems in terms of 
mapping.  But Logging in to Dom A got problems.

Can anyone shed a light for me in this?  I was about to do mass 
deployment.  My version of Samba is 3.07 for Dom B and 3.04 for Dom A. 
They are running on Debian.

Thanks.
adrian


[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories) Problem

2004-10-21 Thread Igor Belyi
Igor Belyi wrote:
I can give a shot at explaining the behavior and if I'm too off I hope 
I'll be corrected.

When you select Domain into which you want to login you specify the 
Domain where your credentials (username and password) should be verified 
but shares specified without Domain will be retrieved from the Domain 
your XP client belongs to.

I think what you want is to have 'logon home = \\%D\%U' instead of the 
one you get by default: '\\%N\%U'

Hope it helps,
Igor
I'm contradicting myself.. :( %D or %L won't make a difference for a 
client belonging to DomA. What you need is setting up NIS home directory 
server to return consistent information for users logging into foreign Domain.

Igor
Adrian Chow wrote:
Hi,
Here is my scenario:-
1.  I got 1 LDAP server with two domains (A & B) configured to it.
2.  Both domain PDCs are fully trusted to one another.  I did the 
trustdom establish both ways.
3.  I have 1 XP client that has joined Dom A.  The login bar can allow 
you to login to 2 domains.
4.  I can manage to log in to both domains.
5.  I got all the sambaHomePath and home drive done properly on both 
servers in terms of LDAP portions.

Problem:-
When I login (from XP client) to Dom A, no problem.  The home drive 
gets mapped.
When I login to Dom B, the home drive never gets mapped.  The login 
scripts never run.  net use x: /home on the xp client says: the 
user home directory cannot be determined.  But \\domB\homes on 
windows explorer worked!!

I turn all syslog to debug and check everything on BOTH PDCs.  NO 
errors!  What is going wrong?

Funny thing is that the Dom A PDC will query the Dom B for passwd auth 
check during the net use x: /home.  Then it will query itself for 
the sambaHomeDrive details and such no errors at all... but 
logging in to Dom B cannot do it.

I have also tried unjoining Dom A and rejoining Dom B.  The results is 
vice versa.  That means Logging in to Dom B got no problems in terms 
of mapping.  But Logging in to Dom A got problems.

Can anyone shed a light for me in this?  I was about to do mass 
deployment.  My version of Samba is 3.07 for Dom B and 3.04 for Dom A. 
They are running on Debian.

Thanks.
adrian



[Samba] Re: LDAP weirdness

2004-10-20 Thread Igor Belyi
Ilia Chipitsine wrote:
Dear Sirs,
I installed OpenLDAP and smbldap-tools by IDEALX.
samba is 3.0.7, smbldap is 0.8.5
what else did I do:
1) smbldap-populate
2) pdbedit -i smbpasswd:/usr/local/private/smbpasswd -e 
ldapsam:ldap://127.0.0.1

3) smbpasswd -w clear text password
   what is not very clear, should I use the same Manager account or not.
It should be the password of the 'ldap admin dn' listed in your smb.conf 
file.

however, account information was exported to LDAP successfully.
samba is running well over that data. users can log in.
but, when I do net groupmap ... I'm getting errors:
sol# net groupmap list
[2004/10/20 19:40:25, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
  Adding domain info for SOLAR failed with NT_STATUS_UNSUCCESSFUL
This means that 'ldap admin dn' does not have write access to the tree 
listed as 'ldap suffix' in your smb.conf file. You can fix it either in 
slapd.conf file by adding correct 'access' statement or change 'ldap 
admin dn' to the one which already has the right access.

Domain Admins (S-1-5-21-1906877464-905504629-2230954338-512) - 512
Domain Users (S-1-5-21-1906877464-905504629-2230954338-513) - school
Domain Guests (S-1-5-21-1906877464-905504629-2230954338-514) - 514
Print Operators (S-1-5-32-550) - 550
Backup Operators (S-1-5-32-551) - 551
Replicators (S-1-5-32-552) - 552
Those numbers mean that smbldap-populate expects that builtin Domain 
Group SIDs should be mapped into UNIX groups with gid the same as RID 
part of SID. Since you already have one of the gid's reserved for a 
group named 'school' it's not a good assumption for your site. You may 
want to create your own UNIX groups for 'Domain Admins' and so on and 
then use 'net groupmap modify' to update the mapping.

sol#
why pdbedit successfully migrated data, but net groupmap doesn't want to 
work with that ?

Cheers,
Ilia Chipitsine
Hope it helps,
Igor


Re: [Samba] Re: ADS valid users can't map share

2004-10-20 Thread Igor Belyi
Gerald (Jerry) Carter wrote:
Greg Adams wrote:
| I'm sorry, I still don't quite follow you.
|
| I have security = ads, and, as far as I can tell,
| a working kerberos installation, so that means I'm
| using kerberos authentication, right?
Correct.
| From the messages above, that means samba should
| be honoring the domain portion of entries in the
| username map, which it is not doing. Or am I
| using NTLM authentication for some weird reason?
smbd should be honoring entries like
jerry = AD\gcarter
You can check a level 10 smbd debug log to verify that
the krb5 SPNEGO login is working.
I'll work on getting the NTLM/username map functionality fixed.

Jerry,
Are you saying that username will be sent differently depending on the 
protocol Samba and ADS agree to? And that if it's Kerberos, the name 
will be Domain name\username even if 'winbind separator = +' in 
smb.conf?

Thanks,
Igor


Re: [Samba] Re: ADS valid users can't map share

2004-10-20 Thread Igor Belyi
Gerald (Jerry) Carter wrote:
Greg Adams wrote:
| I tried to send a level 10 log from the moment of connection to the
| user that should be mapped touching a file, but the attachment was too
| large and the messages bounced, awaiting moderator approval. So
| instead, I'll try to post the sections I think are relevant here:
|
| searching for spnego and username.map led me to this section:
|
* 

| [2004/10/18 08:19:25, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
|   Doing spnego session setup
| [2004/10/18 08:19:25, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
|   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows
| 2002 5.1] PrimaryDomain=[]
| [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
|   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24
|   len2=24
NTLMSSP authentication here.  Not kerberos.  :-)  So maybe you have
2 problems going on ?  username map and kerberos
|   Scanning username map /opt/samba/lib/username.map
|   user_in_list: checking user imguser in list
|   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
|   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
|  workstation [MULE]

I've got the log when it was sent originally and I think the following 
is more relevant part. I just don't know which one of the authentication 
methods is used for Kerberos. It looks like the NTLM is the one which 
got selected.

[2004/10/18 08:08:04, 5] auth/auth.c:load_auth_module(384)
 load_auth_module: Attempting to find an auth method to match guest
[2004/10/18 08:08:04, 5] auth/auth.c:load_auth_module(409)
 load_auth_module: auth method guest has a valid init
[2004/10/18 08:08:04, 5] auth/auth.c:load_auth_module(384)
 load_auth_module: Attempting to find an auth method to match sam
[2004/10/18 08:08:04, 5] auth/auth.c:load_auth_module(409)
 load_auth_module: auth method sam has a valid init
[2004/10/18 08:08:04, 5] auth/auth.c:load_auth_module(384)
 load_auth_module: Attempting to find an auth method to match 
winbind:ntdomain
[2004/10/18 08:08:04, 5] auth/auth.c:load_auth_module(384)
 load_auth_module: Attempting to find an auth method to match ntdomain
[2004/10/18 08:08:04, 5] auth/auth.c:load_auth_module(409)
 load_auth_module: auth method ntdomain has a valid init
[2004/10/18 08:08:04, 5] auth/auth.c:load_auth_module(409)
 load_auth_module: auth method winbind has a valid init
[2004/10/18 08:08:04, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
 Got NTLMSSP neg_flags=0xe008b297
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_NEGOTIATE_OEM
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_LM_KEY
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED
   NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_NTLM2
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
[2004/10/18 08:08:04, 5] auth/auth.c:get_ntlm_challenge(95)
 auth_get_challenge: module guest did not want to specify a challenge
[2004/10/18 08:08:04, 5] auth/auth.c:get_ntlm_challenge(95)
 auth_get_challenge: module sam did not want to specify a challenge
[2004/10/18 08:08:04, 5] auth/auth.c:get_ntlm_challenge(95)
 auth_get_challenge: module winbind did not want to specify a challenge
[2004/10/18 08:08:04, 5] auth/auth.c:get_ntlm_challenge(135)
 auth_context challenge created by random

Igor


Re: [Samba] Re: ADS valid users can't map share

2004-10-20 Thread Igor Belyi
Here's maybe even more relevant part of the log:
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 113554 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
 Got secblob of size 48
[2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
 Making default auth method list for security=ADS
If I interpret it correctly, then either KRB5 is not compiled in for 
this smbd or OID returned by ADS does not require Kerberos authentication...

Igor
Greg Adams wrote:
That completely sucks!
kinit and klist seem to work:
*
# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
10/20/04 09:20:13  10/20/04 19:20:14  krbtgt/[EMAIL PROTECTED]
   renew until 10/21/04 09:20:13
*
I don't have a krb5.conf to screw things up, on the recommendation of
either the Official Samba Howto or the By Example document.
*
Here's my smb.conf:
# cat smb.conf
[global]

  workgroup = EDSADDDM
  realm = EDSADDDM.DDM.APM.BPM.EDS.COM
  server string = Maul Test Server
  log level = 2
  max log size = 100
  security = ADS
  local master = no
  os level = 0
  domain master = no
  preferred master = no
  wins server = 199.42.192.103
  dns proxy = no
  encrypt passwords = yes
  idmap uid = 6-7
  idmap gid = 8-9
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = +
  winbind use default domain = no
[space]
  comment = Space Partition Share
  path = /space
  writable = yes
  browsable = yes
  valid users = EDSADDDM+imguser
*
So can anyone tell me what's causing Samba to use NTLM authentication
instead of Kerberos? And how do I fix it?
Greg
On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
[EMAIL PROTECTED] wrote:
 

Greg Adams wrote:
| I tried to send a level 10 log from the moment of connection to the
| user that should be mapped touching a file, but the attachment was too
| large and the messages bounced, awaiting moderator approval. So
| instead, I'll try to post the sections I think are relevant here:
|
| searching for spnego and username.map led me to this section:
|
*
| [2004/10/18 08:19:25, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
|   Doing spnego session setup
| [2004/10/18 08:19:25, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
|   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows
| 2002 5.1] PrimaryDomain=[]
| [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
|   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24
|   len2=24
NTLMSSP authentication here.  Not kerberos.  :-)  So maybe you have
2 problems going on ?  username map and kerberos
|   Scanning username map /opt/samba/lib/username.map
|   user_in_list: checking user imguser in list
|   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
|   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
|  workstation [MULE]
cheers, jerry
   

 



Re: [Samba] Re: ADS valid users can't map share

2004-10-20 Thread Igor Belyi
Igor Belyi wrote:
Here's maybe even more relevant part of the log:
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 113554 1 2 2

This OID corresponds to Kerberos authentication...
So, it could be the case that Samba is not compiled with Kerberos?..
Igor
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
 Got secblob of size 48
[2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
 Making default auth method list for security=ADS
If I interpret it correctly, then either KRB5 is not compiled in for 
this smbd or OID returned by ADS does not require Kerberos 
authentication...

Igor
Greg Adams wrote:
That completely sucks!
kinit and klist seem to work:
* 

# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
10/20/04 09:20:13  10/20/04 19:20:14  krbtgt/[EMAIL PROTECTED]
   renew until 10/21/04 09:20:13
* 

I don't have a krb5.conf to screw things up, on the recommendation of
either the Official Samba Howto or the By Example document.
* 

Here's my smb.conf:
# cat smb.conf
[global]
  workgroup = EDSADDDM
  realm = EDSADDDM.DDM.APM.BPM.EDS.COM
  server string = Maul Test Server
  log level = 2
  max log size = 100
  security = ADS
  local master = no
  os level = 0
  domain master = no
  preferred master = no
  wins server = 199.42.192.103
  dns proxy = no
  encrypt passwords = yes
  idmap uid = 6-7
  idmap gid = 8-9
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = +
  winbind use default domain = no
[space]
  comment = Space Partition Share
  path = /space
  writable = yes
  browsable = yes
  valid users = EDSADDDM+imguser
* 

So can anyone tell me what's causing Samba to use NTLM authentication
instead of Kerberos? And how do I fix it?
Greg
On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
[EMAIL PROTECTED] wrote:
 

Greg Adams wrote:
| I tried to send a level 10 log from the moment of connection to the
| user that should be mapped touching a file, but the attachment was too
| large and the messages bounced, awaiting moderator approval. So
| instead, I'll try to post the sections I think are relevant here:
|
| searching for spnego and username.map led me to this section:
|
* 

| [2004/10/18 08:19:25, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
|   Doing spnego session setup
| [2004/10/18 08:19:25, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
|   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows
| 2002 5.1] PrimaryDomain=[]
| [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
|   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24
|   len2=24
NTLMSSP authentication here.  Not kerberos.  :-)  So maybe you have
2 problems going on ?  username map and kerberos
|   Scanning username map /opt/samba/lib/username.map
|   user_in_list: checking user imguser in list
|   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
|   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
|  workstation [MULE]
cheers, jerry
  

 




Re: [Samba] Re: ADS valid users can't map share

2004-10-20 Thread Igor Belyi
Igor Belyi wrote:
Igor Belyi wrote:
Here's maybe even more relevant part of the log:
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 113554 1 2 2

This OID corresponds to Kerberos authentication...
So, it could be the case that Samba is not compiled with Kerberos?..

No, wait! Samba checks only the first OID! And this is the reason for NTLM!
Here's the comment from source/smbd/sesssetup.c:
   /* only look at the first OID for determining the mechToken --
  accoirding to RFC2478, we should choose the one we want
  and renegotiate, but i smell a client bug here..
  Problem observed when connecting to a member (samba box)
  of an AD domain as a user in a Samba domain.  Samba member
  server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
  client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
  NTLMSSP mechtoken. --jerry  */
Jerry, that's your comment, right? :)
Igor
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
 Got secblob of size 48
[2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
 Making default auth method list for security=ADS
If I interpret it correctly, then either KRB5 is not compiled in for 
this smbd or OID returned by ADS does not require Kerberos 
authentication...

Igor
Greg Adams wrote:
That completely sucks!
kinit and klist seem to work:
* 

# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
10/20/04 09:20:13  10/20/04 19:20:14  krbtgt/[EMAIL PROTECTED]
   renew until 10/21/04 09:20:13
* 

I don't have a krb5.conf to screw things up, on the recommendation of
either the Official Samba Howto or the By Example document.
* 

Here's my smb.conf:
# cat smb.conf
[global]
  workgroup = EDSADDDM
  realm = EDSADDDM.DDM.APM.BPM.EDS.COM
  server string = Maul Test Server
  log level = 2
  max log size = 100
  security = ADS
  local master = no
  os level = 0
  domain master = no
  preferred master = no
  wins server = 199.42.192.103
  dns proxy = no
  encrypt passwords = yes
  idmap uid = 6-7
  idmap gid = 8-9
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = +
  winbind use default domain = no
[space]
  comment = Space Partition Share
  path = /space
  writable = yes
  browsable = yes
  valid users = EDSADDDM+imguser
* 

So can anyone tell me what's causing Samba to use NTLM authentication
instead of Kerberos? And how do I fix it?
Greg
On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
[EMAIL PROTECTED] wrote:
 

Greg Adams wrote:
| I tried to send a level 10 log from the moment of connection to the
| user that should be mapped touching a file, but the attachment was too
| large and the messages bounced, awaiting moderator approval. So
| instead, I'll try to post the sections I think are relevant here:
|
| searching for spnego and username.map led me to this section:
|
* 

| [2004/10/18 08:19:25, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
|   Doing spnego session setup
| [2004/10/18 08:19:25, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
|   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows
| 2002 5.1] PrimaryDomain=[]
| [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
|   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24
|   len2=24
NTLMSSP authentication here.  Not kerberos.  :-)  So maybe you have
2 problems going on ?  username map and kerberos
|   Scanning username map /opt/samba/lib/username.map
|   user_in_list: checking user imguser in list
|   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
|   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
|  workstation [MULE]
cheers, jerry

Re: [Samba] Re: ADS valid users can't map share

2004-10-20 Thread Igor Belyi
Gerald (Jerry) Carter wrote:
Igor Belyi wrote:
| No, wait! Samba checks only the first OID! And this is the
| reason for NTLM! Here's the comment from source/smbd/sesssetup.c:
|
|/* only look at the first OID for determining the mechToken --
|   accoirding to RFC2478, we should choose the one we want
|   and renegotiate, but i smell a client bug here..
|
|   Problem observed when connecting to a member (samba box)
|   of an AD domain as a user in a Samba domain.  Samba member
|   server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
|   client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
|   NTLMSSP mechtoken. --jerry  */
|
| Jerry, that's your comment, right? :)
Yup.  That's my change.  But since the NTLM authentication
is succeeding, then I'll assume that the token sent back
was an NTLMSSP token as well.  So for some reason the client
either can't or won't obtain a ticket for the Samba server.
Do you mean NTLM got negotiated earlier than that code? Or that client 
obtains Kerberos tickets directly from security server and then just 
passes them to Samba server? Where those OIDs corresponding to Kerberos 
come from then?

I don't have ADS and I never saw one. I apologize if my questions are naive.
Thanks,
Igor
DNS reverse mapping glitch perhaps?


Re: [Samba] Re: ADS valid users can't map share

2004-10-20 Thread Igor Belyi
Igor Belyi wrote:
Gerald (Jerry) Carter wrote:
Igor Belyi wrote:
| No, wait! Samba checks only the first OID! And this is the
| reason for NTLM! Here's the comment from source/smbd/sesssetup.c:
|
|/* only look at the first OID for determining the mechToken --
|   accoirding to RFC2478, we should choose the one we want
|   and renegotiate, but i smell a client bug here..
|
|   Problem observed when connecting to a member (samba box)
|   of an AD domain as a user in a Samba domain.  Samba member
|   server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
|   client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
|   NTLMSSP mechtoken. --jerry  */
|
| Jerry, that's your comment, right? :)
Yup.  That's my change.  But since the NTLM authentication
is succeeding, then I'll assume that the token sent back
was an NTLMSSP token as well.  So for some reason the client
either can't or won't obtain a ticket for the Samba server.
Do you mean NTLM got negotiated earlier than that code? Or that client 
obtains Kerberos tickets directly from security server and then just 
passes them to Samba server? Where those OIDs corresponding to 
Kerberos come from then?

I don't have ADS and I never saw one. I apologize if my questions are 
naive.

Thanks,
Igor
DNS reverse mapping glitch perhaps?

Do you mean it can be related to the machine's domain not being the same 
as Realm? The corresponding bug:
https://bugzilla.samba.org/show_bug.cgi?id=1651

I just don't know what symptoms may result in this mismatch. Will Samba 
fall back to NTLM if Kerberos authentication is unsuccessful? What else 
should Greg check to find the reason of failure?

Thanks,
Igor
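
The mechanism order discussed in this thread can be read straight out of an smbd debug log. The following is an added example, not part of any post and not Samba's own code: it groups the "Got OID" lines into negotiations, names each mechanism as in the quoted source comment (ntlmssp/mskrb5/krb5), and flags sessions where NTLMSSP is listed first although Kerberos was offered. The sample log is constructed from the excerpts quoted above plus one made-up session; all function and class names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# SPNEGO mechanism OIDs; the log prints them space-separated.
MECH_NAMES = {
    "1.3.6.1.4.1.311.2.2.10": "ntlmssp",
    "1.2.840.48018.1.2.2": "mskrb5",
    "1.2.840.113554.1.2.2": "krb5",
}
KERBEROS = {"mskrb5", "krb5"}

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
GOT_OID = re.compile(r"^\s*Got OID ((?:\d+ )*\d+)\s*$")
SECBLOB = re.compile(r"^\s*Got secblob of size (\d+)")
NTLM_USER = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")


@dataclass
class Negotiation:
    timestamp: Optional[str]
    mechs: List[str] = field(default_factory=list)
    secblob_size: Optional[int] = None
    ntlm_user: Optional[str] = None

    @property
    def selected(self) -> Optional[str]:
        # Per the source comment quoted in the thread, only the first OID
        # is used to decide how the mechToken is interpreted.
        return self.mechs[0] if self.mechs else None

    @property
    def ntlm_despite_kerberos(self) -> bool:
        return self.selected == "ntlmssp" and any(m in KERBEROS for m in self.mechs)


def parse_negotiations(lines) -> List[Negotiation]:
    """Group 'Got OID' lines into negotiations; a secblob line closes the OID list.

    Simplification: assumes one client per log file, so lines are not interleaved.
    """
    sessions: List[Negotiation] = []
    current: Optional[Negotiation] = None
    timestamp: Optional[str] = None
    for raw in lines:
        header = HEADER.match(raw)
        if header:
            timestamp = header[1]
            continue
        oid = GOT_OID.match(raw)
        if oid:
            if current is None or current.secblob_size is not None:
                current = Negotiation(timestamp=timestamp)
                sessions.append(current)
            dotted = oid[1].replace(" ", ".")
            current.mechs.append(MECH_NAMES.get(dotted, dotted))
            continue
        blob = SECBLOB.match(raw)
        if blob and current is not None:
            current.secblob_size = int(blob[1])
            continue
        user = NTLM_USER.search(raw)
        if user and current is not None:
            current.ntlm_user = f"{user[2]}\\{user[1]}"
    return sessions


def flag_ntlm_fallback(sessions: List[Negotiation]) -> List[Negotiation]:
    """Sessions where the client put NTLMSSP first while also listing Kerberos."""
    return [s for s in sessions if s.ntlm_despite_kerberos]


# Constructed sample: first session assembled from the thread's excerpts,
# second session invented to show a Kerberos-first client.
SAMPLE_LOG = """\
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 113554 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
 Got secblob of size 48
[2004/10/18 08:08:04, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
 Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
[2004/10/18 09:00:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 48018 1 2 2
[2004/10/18 09:00:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 113554 1 2 2
[2004/10/18 09:00:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 09:00:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
 Got secblob of size 1200
"""

if __name__ == "__main__":
    for s in parse_negotiations(SAMPLE_LOG.splitlines()):
        note = "  <-- NTLMSSP first although Kerberos offered" if s.ntlm_despite_kerberos else ""
        print(f"{s.timestamp} mechs={'/'.join(s.mechs)} user={s.ntlm_user}{note}")
```

A session flagged this way means the client chose NTLMSSP itself, which matches the observation in the thread that the client either can't or won't obtain a ticket for the Samba server.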


[Samba] Re: REVISED: Nobody can join domain (was W2K can't join 3.0.7 domain)

2004-10-19 Thread Igor Belyi
There could be a number of reasons why you can't join domain. The best way 
to investigate your problem is to look in smbd log for error messages.

Igor
Misty Stanley-Jones wrote:
On Monday 18 October 2004 14:51, Misty Stanley-Jones wrote:
W2K reports User not found when I try to join the domain.  However, the
machine account is indeed created in LDAP!  But the machine doesn't think
it has joined.

I also can't join from a Linux system.  Here is what I get:
baa:/home/misty # net rpc join -SCORPSRV -U root
Password:
Create of workstation account failed
Unable to join domain CORP1.
But the machine account is created fine in LDAP, it's in the right ou, has the 
right GID and everything.  Can someone give me a clue what might be happening 
here?  I assume it's the same problem with the W2K system as well.

Misty


[Samba] Re: REVISED: Nobody can join domain (was W2K can't join 3.0.7 domain)

2004-10-19 Thread Igor Belyi
This log shows no attempts to join domain at all - only initial 
initialization of Samba.

Can you check the time written in the log and time you attempt to join 
the domain? What do you do to join the domain? What error message do you 
get while attempting to join the domain?

Igor
Misty Stanley-Jones wrote:
On Tuesday 19 October 2004 09:32, Igor Belyi wrote:
There could be a number of reasons why you can't join domain. The best way
to investigate your problem is to look in smbd log for error messages.

There are no errors in the log.  See the entire level 10 log for the time when 
I attempted to join the domain from my Linux box:
[2004/10/19 10:10:42, 6] param/loadparm.c:lp_file_list_changed(2681)
  lp_file_list_changed()
  file /usr/local/samba/lib/bhpro.smb - /usr/local/samba/lib/bhpro.smb  last 
mod_time: Mon Oct 18 14:46:33 2004

  file /usr/local/samba/lib/printers.smb - /usr/local/samba/lib/printers.smb  
last mod_time: Fri Oct  8 08:47:47 2004

  file /usr/local/samba/lib/smb.conf - /usr/local/samba/lib/smb.conf  last 
mod_time: Mon Oct 18 17:00:56 2004

[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_KEEPALIVE = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_REUSEADDR = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_BROADCAST = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option TCP_NODELAY = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option IPTOS_LOWDELAY = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option IPTOS_THROUGHPUT = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_SNDBUF = 16384
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_RCVBUF = 87380
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_SNDLOWAT = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_RCVLOWAT = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_SNDTIMEO = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_RCVTIMEO = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_KEEPALIVE = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_REUSEADDR = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_BROADCAST = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option TCP_NODELAY = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option IPTOS_LOWDELAY = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option IPTOS_THROUGHPUT = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_SNDBUF = 16384
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_RCVBUF = 87380
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_SNDLOWAT = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_RCVLOWAT = 1
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_SNDTIMEO = 0
[2004/10/19 10:10:42, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_RCVTIMEO = 0
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:make_pdb_context_list(763)
  Trying to load: ldapsam:ldap://localhost
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(93)
  Attempting to register passdb backend ldapsam
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(106)
  Successfully added passdb backend 'ldapsam'
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(93)
  Attempting to register passdb backend ldapsam_compat
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(106)
  Successfully added passdb backend 'ldapsam_compat'
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(93)
  Attempting to register passdb backend smbpasswd
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(106)
  Successfully added passdb backend 'smbpasswd'
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(93)
  Attempting to register passdb backend tdbsam
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(106)
  Successfully added passdb backend 'tdbsam'
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(93)
  Attempting to register passdb backend guest
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:smb_register_passdb(106)
  Successfully added passdb backend 'guest'
[2004/10/19 10:10:42, 5] passdb/pdb_interface.c:make_pdb_methods_name(648)
  Attempting to find an passdb backend to match ldapsam:ldap://localhost 
(ldapsam)
[2004/10/19 10:10:42, 5

[Samba] Re: Samba setup with Winbind connecting to NT4 PDC - Login is Slow...

2004-10-19 Thread Igor Belyi
I think you will be interested in recent Andreas's experience with KDE:
http://lists.samba.org/archive/samba-technical/2004-October/037685.html
Igor
Eric Murray wrote:

PDC - Login is now Slow...
winbind enum users = yes
winbind enum groups = yes
remove those two...
Kind regards,
 

Ok, I removed those 2 lines and tried again... It still took at least 2 
minutes to login as it just sits on the KDE welcome screen with 
nothing and then all of a sudden up pops the KDE login box and proceeds 
as normal.

Questions :
- Is there a chance that because I'm on a trusted Domain with 3 
locations that it is trying to synchronize with the PDC's on the 3 
domains on startup? Causing it to be slow like that?
- Is there a chance that PAM has something to do with it?  My SMB shares 
are all working and it authenticates with the PDC correctly so I would 
rather not mess with pam as I don't know what I'm doing with it.

Here is my current SMB.CONF and NSSWITCH.CONF files again now.
-
SMB.CONF
-
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE
# Date: 2004-09-16
[global]
   workgroup = SHELTER
   printing = cups
   printcap name = cups
   printcap cache time = 750
   cups options = raw
   printer admin = @ntadmin, root, administrator
   username map = /etc/samba/smbusers
   map to guest = Bad User
###include = /etc/samba/dhcp.conf
#logon path = \\%L\profiles\.msprofile
#logon home = \\%L\%U\.9xprofile
#logon drive = P:
# My additions...
   security = DOMAIN
   encrypt passwords = yes
   password server = shelternt1 sriesrv2
   obey pam restrictions = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   wins server = shelternt1 sriesrv2
   dns proxy = no
   netbios name = sriemailsrv
   log level = 1
   winbind separator = +
   winbind uid = 1-2
   winbind gid = 1-2
   winbind cache time = 15
#winbind enum users = yes
#winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = yes
   name resolve order = wins lmhosts host bcast
[pdf]
   comment = PDF creator
   path = /var/tmp
   printable = Yes
   print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z
   create mask = 0600
[printers]
   comment = All Printers
   path = /var/tmp
   printable = Yes
   create mask = 0600
   browseable = No
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   write list = @ntadmin root
   force group = ntadmin
   create mask = 0664
   directory mask = 0775
[Public]
   comment = Public Folder
   path = /data/Public
   writable = yes
[NetworkAccess]
   writable = yes
   path = /data/NetworkAccess
   write list = @shelter+TestLinuxGroup
   force group = ntadmin
   force user = root
   comment = Network Share for Writability...
   create mode = 0660
   directory mode = 0770
[tmp]
   comment = Temporary File Space
   path = /data/tmp
   read only = no
   public = yes
-
NSSWITCH.CONF
-
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#   compat  Use compatibility setup
#   nisplus Use NIS+ (NIS version 3)
#   nis Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the /var/db databases
#   [NOTFOUND=return]   Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group:  files nis
passwd: compat winbind
group:  compat winbind
hosts:  files dns
networks:   files dns
services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files
publickey:  files
bootparams: files
automount:  files nis
aliases:    files

Thanks,
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Re: smbfs mount issues

2004-10-18 Thread Igor Belyi
Have you tried to browse this share with smbclient?
Igor
Jason Pirok wrote:
This problem began a couple months ago with my new install of (you
guessed it) XP sp2.  Now, when i mount a share from the xp machine to
my debian box, everyone, including root, gets a permission denied
trying to ls the dir.
I've read posts about switching to cifs, but that has opened a whole
new can of worms.  I'd just like to see smbfs mount my shares properly
the way they used to.
My version of samba is 3.0.7-1 according to dpkg on debian unstable.  
the mount command is

mount -t smbfs -o
credentials=cred.file,netbiosname=intruder,workgroup=workgroup,ip=111.111.111.111
//host/share /path/to/mount/dir
I've done lots of look ups on google regarding many combinations of xp
smbfs and the problems encountered to no avail.  I'm at wits end and
don't know what else to do.
Sincerely,
Jason


[Samba] Re: password change error

2004-10-18 Thread Igor Belyi
Can you be a little bit more specific?
What do you mean by 'users cannot change their passwords'? Does it mean 
that they cannot change it via Windows' Change Password dialog? What 
error message do they get? Can Administrator do it for them? Can they 
change it under Linux with smbpasswd? Are there any error messages in 
smbd logs?

Igor
Gurnish Anand wrote:
Hi,
 We migrated from redhat 7.1 to redhat 3 ES and ran into one road block 
after the other.
Most of them were solved except this last one.
Users cannot change their passwords and then I read somewhere that samba 
3.0 and MS KB828471 or 741 don't want to be friends. Then I upgraded my 
samba to be samba 3.0.7 (which i guess is the latest)

Then I un-installed the KBB patch being accused. Still cannot change my 
passwords. Please advise. The following 
is my smb.conf

# Global parameters
[global]
   workgroup = sambapdc
   netbios name = PCSERVER
   server string = primary domain server running samba%v
   min password length = 6
;   obey pam restrictions = Yes
   pam password change = Yes
;   username map = /etc/passwd
   smb passwd file = /etc/samba/smbpasswd
   passwd program = /usr/bin/passwd %u
   encrypt passwords = yes
   passwd chat = *New*Unix*Password* %n\n *Retype*new*Unix*password*%n\n *passwd: all authentication tokens updated successfully* %n
   passwd chat debug = Yes
   username level = 10
   unix password sync = Yes
   log level = 2
   case sensitive = no
   log file = /var/log/samba/log.%m
   max log size = 50
   time server = Yes
   unix extensions = Yes
   socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   admin users = worldofbanking\gurnish,  @employee, administrator, @administrators
   add user script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u
   logon script = netlogon.bat
   logon path = \\%L\profile\%u.pds
   logon home =
   domain logons = Yes
   os level = 64
   preferred master = Yes
   domain master = yes
   wins support = Yes
   hosts allow = 127.0.0.1 192.168.2.0/255.255.255.0
;   password server = None
   hosts deny = 0.0.0.0/0 @web 192.168.2.200

[profile]
   path = /home/samba/profile
   force user = %U
   writeable = yes
   create mask = 0600
   directory mask = 0700
   guest ok = Yes
   profile acls = Yes
   browseable = No
   csc policy = disable
[netlogon]
   path = /home/samba/netlogon
   write list = root @administrator
   browseable = No
[pcshare]
   path = /home/samba
   writeable = yes
   create mask = 0
   directory mask = 0
   guest ok = Yes
[Wywo]
   path = /home/samba/WYWO
   writeable = yes
   create mask = 0
   directory mask = 0
   guest ok = Yes
[temp]
   path = /home/samba/temp
   writeable = yes
   create mask = 0
   directory mask = 0
   guest ok = Yes
[Docs]
   path = /home/samba/MB/DOCS
   writeable = yes
   create mask = 0
   directory mask = 0
[epsonprint]
   path = /tmp
   printable = Yes
[EMAIL PROTECTED] root]#



[Samba] Re: Major Samba Battle

2004-10-17 Thread Igor Belyi
You may want to start looking at the smbd logs instead of ethereal. If 
the problem isn't obvious from the default log level, try to increase it 
up to 5 and see why Samba doesn't like to give a user access.

If smbd log doesn't say much to you I can try to help looking through it 
- just send it showing events from the moment user answers the first 
login prompt till it get another one.

Igor
Brian Witowski wrote:
I've been here before but I'm still battling with getting Samba to work
right with my XP Pro clients.  In a nutshell, when I try to access a share,
it asks for a username and password.  I enter a username and password and it
simply goes right back to the prompt, asking again.  This is when it's set
up as a domain controller.
I should note:
I CAN join the domain. 

I DO have my workstations added as machines. 

My [homes] mapping works fine.  

After I log in, I can access my H: drive (homes).
I have added Unix users and passwords to Samba  

I've tried disabling Shorewall
 

But that's about the only thing that works.  Ethereal is showing errors such
as: NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED and Tree
Connect AndX Request, Path :\\SERVER\DOWNLOADS then Tree Connect AndX
Response, Error: STATUS_BAD_NETWORK_NAME.
 

I'm at my wits' end.  I've been fighting with this for 3 weeks and not making
any progress.  PLEASE, give me a push in the right direction.
 

Brian
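The log review suggested in the reply above gets easier if the smbd log is first reduced to its authentication and share-connection records, because at 'log level = 5' most of the file is noise such as socket options. The script below is an added example, not part of the original posts and not a Samba tool. The sample log is constructed (users, host and address are made up), it follows the header-plus-indented-message layout of the smbd logs quoted elsewhere on this page, and the wording of the FAILED line is an assumption about smbd's output.

```python
import re
from collections import Counter

# Record header, e.g. "[2004/10/14 09:57:40, 2] auth/auth.c:check_ntlm_password(305)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# A line that starts like a header but is cut off (truncated paste, rotated file).
DATE_PREFIX = re.compile(r"^\[\d{4}/\d{2}/\d{2} ")
# Outcome of an NTLM authentication attempt (failure wording is an assumption).
AUTH = re.compile(
    r"check_ntlm_password:\s+[Aa]uthentication for user \[(?P<user>[^\]]*)\]"
    r".*?(?P<result>succeeded|FAILED with error (?P<status>NT_STATUS_\w+))"
)

# Constructed sample input, including a wrapped message and a truncated last header.
SAMPLE = """\
[2004/10/17 09:15:01, 5] lib/util_sock.c:print_socket_options(147)
  socket option SO_KEEPALIVE = 1
[2004/10/17 09:15:02, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED
  with error NT_STATUS_WRONG_PASSWORD
[2004/10/17 09:15:09, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED
  with error NT_STATUS_WRONG_PASSWORD
[2004/10/17 09:15:20, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [bob] -> [bob] -> [bob] succeeded
[2004/10/17 09:15:20, 1] smbd/service.c:make_connection_snum(648)
  ws1 (192.0.2.10) connect to service downloads initially as user bob (uid=1001, gid=100) (pid 4242)
[2004/10/17 09:15:21, 5
"""


def parse_records(text):
    """Group header lines with their continuation lines.

    Returns (records, malformed) where malformed counts cut-off headers.
    """
    records, malformed, current = [], 0, None
    for raw in text.splitlines():
        header = HEADER.match(raw)
        if header:
            current = {**header.groupdict(), "level": int(header["level"]), "msg": ""}
            records.append(current)
        elif DATE_PREFIX.match(raw):
            malformed += 1
            current = None  # do not glue later lines onto the previous record
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records, malformed


def triage(text, max_level=3):
    """Summarise logon outcomes and keep auth/share-connection records only."""
    records, malformed = parse_records(text)
    failures, successes, interesting = Counter(), Counter(), []
    for rec in records:
        if rec["level"] > max_level:
            continue  # skip the high-volume debug records
        auth = AUTH.search(rec["msg"])
        if auth and auth["status"]:
            failures[(auth["user"], auth["status"])] += 1
        elif auth:
            successes[auth["user"]] += 1
        if rec["src"].startswith("auth/") or rec["src"] == "smbd/service.c":
            interesting.append(rec)
    return {
        "total": len(records),
        "malformed": malformed,
        "failures": failures,
        "successes": successes,
        "interesting": interesting,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE)
    print(f"{summary['total']} records, {summary['malformed']} malformed")
    for (user, status), count in summary["failures"].items():
        print(f"FAILED  {user:10} {status} x{count}")
    for rec in summary["interesting"]:
        print(rec["ts"], rec["func"], "|", rec["msg"])
```

Repeated failures for one user followed by a fresh prompt on the client point at the password database; a success that is not followed by a `make_connection_snum` record points at the share definition instead.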
 

 



[Samba] Re: smb_lookup: find //pagefile.sys failed

2004-10-17 Thread Igor Belyi
This error message is reported by smbfs kernel module, it has nothing to 
do with Samba... Probably, the error code reported in this message can 
give you more information.

I just want to add that pagefile.sys is a special file (swap) under 
Windows which is handled somewhat specially and you can get a similar error 
message just checking permission on it. I'm not familiar with Fedora, 
but some automatic file managers (like Nautilus) tend to browse files on 
freshly mounted shares. My guess is that some file manager daemon 
attempts to go into this directory for you.

Hope it helps,
Igor
Raul Acevedo wrote:
When I mount a particular Windows 2000 share, I get this error hundreds
of times in /var/log/messages.  All I have to do is mount the share, I
don't have to go into the directory or do anything with the share.
I actually don't know for sure that it's only for this one share.
Why does this happen?  I'm on Fedora Core 2, using the samba-3.0.7-2.FC2
RPM that comes with it.


[Samba] Re: root preexec script runs twice

2004-10-17 Thread Igor Belyi
[netlogon] is a special share. I would guess Windows mounts it more than 
once when user logins but you should see it then with 'log level = 5' as 
'cmd=/home/samba/scripts/create-login-script.sh adrian.h' line in smbd 
logs. Have you tried to put this 'root preexec' into [home] share instead?

Igor
Adrian Hicks wrote:
Hi.
I'm testing Samba 3.0.7-a on Debian Sarge with Debian kernel 2.6.8.
I am working on auto-creation of logon scripts,  am using a root preexec 
on the netlogon share for this.

In testing I have passed the user ID to the script, and have used echo to 
test output.  The netlogon service parameters and other info are below.

The output from the script occurs twice in the output file, leading me to 
believe that my script is being run twice by the root preexec command (if 
I run the script manually there is only one instance of the output).  Note 
that after each test I have deleted the text file to ensure it is not 
being appended to.

I have tried raising the log level to 5 and cannot see any reference to the 
root preexec in any of the logs.

Am I getting something wrong here or is this a possible bug?
[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   browseable = no
   guest ok = yes
   writable = no
   share modes = no
   root preexec = /home/samba/scripts/create-login-script.sh %u

--- Test Script ---
#!/bin/bash
# Append the user name passed by 'root preexec' (%u) and a separator line.
SAMBAUSER=$1
echo "$SAMBAUSER" >> /tmp/smbtest.txt
echo - >> /tmp/smbtest.txt
exit 0
--- End Test Script ---
--- smbtest.txt ---
adrian.h
-
adrian.h
-
--- End smbtest.txt ---

Adrian Hicks


[Samba] Re: samba and photoshop

2004-10-17 Thread Igor Belyi
Is there any error message reported on Samba side in smbd or nmbd logs?
Igor
ip.guy wrote:
i'm having the same problem with my samba server and photoshop 7.0
strangely enough though, the problem only exists on one of the two 
mounted file systems (both identically formatted and mounted)


[EMAIL PROTECTED] wrote:
Hello all, I have a OSX server that is serving to an XP box via samba.
When the user on the XP box tries to save a file out of photoshop, It
errors out giving a delay write failure error. He can save local and
then copy it to the same directory without a problem. If you open a
different paint app ( or any app for that matter) on the XP box ( ex,
paint or paint shop pro), it works fine. you can save files to the OSX
server no problem, but if you open the exact file in photoshop and do a
save as, it won't save.
My hunch is that there is something photoshop is doing as it saves that
samba doesn't like, maybe trying to save a temp cache file or something.
I have tried the same action ( same file) with a totally different OSX
server ( fresh install, with only afp and samba turned on) and XP box,
with the exact same results. Has anyone ever seen this and maybe know a
work around?
Thanks
Brent




[Samba] Re: Samba server stucking problem - Samba 3.x

2004-10-17 Thread Igor Belyi
It sounds like a locking problem to me...
Have you tried 'blocking locks = no' and 'oplocks = no' share parameters?
Igor
Brodsky Denis-RM08520 wrote:
Hello All,

I have Samba 3.0 and 3.0.7 servers that have a similar problem.

The problem occurs approximately once a week.

About once per minute the Samba server creates an smbd -D process with root ownership that never dies.

The server gets stuck after about 200 such processes and I need to reboot it to release it.

Does anyone know why it happens?
 
Denis
 
 
 
_
Brodsky Denis
System Administrator, IT dept.
Freescale Semiconductor, Inc.
 http://www.freescale.com www.freescale.com
(972) 9 9522264
(972) 57 7788157 (Iden)
(972) 9 958
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]


 
 



[Samba] Re: Samba server 3.0.7: Short read when getting file

2004-10-17 Thread Igor Belyi
Can you provide 'smbclient -d 5' log for the problem?
Igor
P.Saffrey wrote:
I am running a Samba server on Debian testing. Each day, I run an
automatic update via apt. Up until recently, the server was working fine;
I am assuming that the update has upgraded to a non-working version.
I can log onto the server using smbclient and browse the files, but when I
issue a get command I get the Short read error message. If I use
smbmount, things are worse: The directory mounts but I cannot browse
it or unmount it. Accessing the directory from a Windows machine provides
a similar effect to smbclient: I can browse the directories but accessing
the files does not work.
Has anybody experienced these problems or know a solution for them?
Peter


[Samba] Re: Help Samba. More then 1 virtual samba servers.

2004-10-17 Thread Igor Belyi
You can start more than one samba server without a problem if you 
specify explicitly what configuration file each of them use by adding 
'-s config' option to smbd and nmbd daemons.

If you need each of those servers to bind to a particular interface add 
'interfaces = ehx' and 'bind interfaces only = yes' in a [global] 
section of their config files.

Igor
ZHivulin Vitalij Urievich wrote:
Excuse for troubling.
But neither in FAQ, nor in the documentation i have not found the answer to the question. How do i start on 1 computer it is more than 1 virtual Samba-servers? It is necessary for me that to everyone virtual VLAN-based interface corresponded a virtual SAMBA-server. 
It is thankful in advance, Vitaly. 


[Samba] Re: Two Questions concerning samba - file access times - two instances on one server

2004-10-16 Thread Igor Belyi
Laurenz, Dirk wrote:
Hello everybody,
i have two questions concerning samba.
1st Topic - file times
NTFS has three file times for each file,
the create time, the change time and the
access time. The create time will never be
modified, the change time will be changed
every time you save a file, the access time
will be changed every time you access (read)
a file. If i access a file on a samba share,
the access time will be modified correctly,
but if i resave a file, the create time is
also changed although i would expect that only
the change time will be modified. I found some
parameters concerning file times, but none
of them changes the behaviour. I used the following
parameters:
dos filetimes = yes
dos filetime resolution = yes
Has anyone a suggestion, which parameters must be
set, to get the NTFS behaviour? B.t.w., the underlying
filesystem is an ext3 with acl,user_xattr mount options.
It's more like an ext3 question...
NTFS has create, modify, and access timestamps whereas
ext3 has change, modify, and access ones.
According to my experiments on NTFS:
'create' really never changed.
'modify' changes whenever file is saved.
'access' changes whenever property of the file (Permissions or its name) 
get changed.
reading file does not change any timestamp at least when I read a text 
file with Notepad.exe.

According to my experiments on ext3:
'change' changes whenever property of the file (access mask, owner) get 
changed or file is saved.
'modify' changes whenever file is saved.
'access' changes whenever content of the file accessed.
There's no timestamp keeping creation of the file.

ext3's 'access' get mapped into NTFS 'access'
ext3's 'modify' get mapped into NTFS 'modify' and 'create'.
I don't see any way for Samba to simulate NTFS timestamps unless there's 
some extra attributes which can be used on ext3 for timestamps.

2nd Topic - two instances on one server
	I have successfully running two instances on one server.
	Both are members in an NT4 Domain and every thing works
	right, but local username resolution and groupmappings.
	Normal startup order is:
	- Instance A
	- Instance B
	Setting some groupmappings works fine for Instance B.
	if i restart Instance A but not B, the groupmappings/usermappings 
	from Instance A get effective. And thats very bad
	If i restart afterwards Instance B, everything is fine.
	I guess, this is a winbind issue. The problem is, I think,
	the last started winbindd wins...
Unfortunately, 'idmap backend' understand only LDAP as a backend choice 
and if you don't set it mapping get saved in winbindd_idmap.tdb cache 
file which is common for both servers.
You can switch to 'ldap' idmap method and then specify different 'idmap 
suffix' for each of your servers.
Another solution will be to patch Samba so that it accepts 'tdb' with a 
file name as an argument for 'idmap backend' parameter.

Hope it helps,
Igor
Here are my conf's (INSTANCE A and B)
INSTANCE A
##
[global]
name resolve order = lmhosts, wins, bcast
private dir = /samba/ages001/conf/private/
idmap gid = 1-4
debug uid = yes
host msdfs = yes
wtmp directory = /samba/ages001/conf/wtmp
lock directory = /samba/ages001/conf/locks/
netbios name = ages001
printing = none
idmap uid = 1-4
workgroup = XX
os level = 20
socket address = 192.168.84.34
security = domain
winbind separator = +
log file = /samba/ages001/conf/log/%m.log
load printers = yes
smb passwd file = /samba/ages001/conf/private/smbpasswd
loglevel = 10
wins server = 193.29.124.81 193.29.122.75
pid directory = /samba/ages001/conf/pids/
interfaces = 192.168.84.34/24
username map = /samba/ages001/conf/private/smbusers
domain master = No
encrypt passwords = yes
template shell = /bin/bash
winbind enum users = yes
password server = SRVA SRVB SRVC
template homedir = /samba/ages001/data/winbindjail
winbind enum groups = yes
preferred master = no
unix charset = UTF-8
utmp directory = /samba/ages001/conf/utmp
winbind cache time = 300
socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
[dfsroot]
comment = XX
msdfs root  = yes
path= /samba/ages001/data/dfsroot/dfsroot_a
hide files  = /lost+found/
hide dot files = yes
read only   = yes
###
INSTANCE B
###
[global]
private dir = 

Re: [Samba] Re: Two Questions concerning samba - file access times - two instances on one server

2004-10-16 Thread Igor Belyi
Holger Krull wrote:
It's more like an ext3 question...
NTFS has create, modify, and access timestamps whereas
ext3 has change, modify, and access ones.
According to my experiments on NTFS:
'create' really never changed.
'modify' changes whenever file is saved.
'access' changes whenever property of the file (Permissions or its 
name) get changed.
reading file does not change any timestamp at least when I read a 
text file with Notepad.exe.

That's strange, because it should do just that, it does here. Are you 
sure you didn't set NtfsDisableLastAccessUpdate in your registry?

Interesting... I've tried to read the same file today and it got access 
timestamp updated... Probably, there's some caching gets involved - that 
there some time have to pass before reading will result in access 
timestamp updated. And no - I don't have it set.

Igor
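The timestamp behaviour described in the two messages above can be checked on a Linux file system with a short script that performs a chmod, a save and a read, and reports which timestamps moved. This is an added example, not part of the original posts or of Samba; the function names are made up here, and the POSIX-to-Windows mapping is the one the post describes, not something taken from Samba's source.

```python
import os
import tempfile
import time

# Names used in the post for the three POSIX timestamps.
FIELDS = ("access", "modify", "change")


def snapshot(path):
    """Return the three POSIX timestamps in nanoseconds, keyed by the post's names."""
    st = os.stat(path)
    return dict(zip(FIELDS, (st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)))


def as_seen_by_windows(posix):
    """Mapping as described in the post (an assumption, not Samba's code):
    'access' is shown as 'access', 'modify' is shown as both 'modify' and 'create'."""
    return {
        "create": posix["modify"],
        "modify": posix["modify"],
        "access": posix["access"],
    }


def changed(before, after):
    """Names of the fields whose value differs between two snapshots."""
    return {name for name in before if before[name] != after[name]}


def observe(pause=0.1):
    """Run chmod, save and read on a scratch file.

    Returns {operation: (changed POSIX fields, changed fields in the client view)}.
    """
    def save(path):
        with open(path, "w") as fh:
            fh.write("second version\n")

    def read(path):
        with open(path) as fh:
            fh.read()

    operations = (
        ("chmod", lambda path: os.chmod(path, 0o600)),
        ("save", save),
        ("read", read),
    )
    report = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.txt")
        with open(path, "w") as fh:
            fh.write("first version\n")
        for name, action in operations:
            # Let the clock move past the file system's timestamp granularity.
            time.sleep(pause)
            before = snapshot(path)
            action(path)
            after = snapshot(path)
            report[name] = (
                changed(before, after),
                changed(as_seen_by_windows(before), as_seen_by_windows(after)),
            )
    return report


if __name__ == "__main__":
    for op, (posix, client) in observe().items():
        print(f"{op:5}  POSIX: {sorted(posix)}  client view: {sorted(client)}")
```

The save step is the one that moves 'create' in the client view, which matches the behaviour reported in the question. Whether the read step moves 'access' depends on the mount options (noatime, relatime) of the file system holding the scratch file.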


[Samba] Re: PDC and windows xp domain joining - root user does not exist

2004-10-16 Thread Igor Belyi
Any smbd log you want to share?
I'd expect some kind of error in there? :)
Igor
Mark Rutherford wrote:
ok, changed the computers name and added it just as I added 'test'
then, deleted the 'test' machine
the new machine I called 'mark'
and, it was already in a workgroup.. so I rebooted it
no change. it still tells me that root is an invalid user
so, im back where I started.

Anton K. wrote:
Mark Rutherford wrote:
I am trying to set up a samba PDC, and I have followed many FAQ's and 
HOWTO's ive found online.
all seem to be just about the same..
So, I made a config up (at the end of this email)
then I did the following:
added users/machines as such:  (just trying to get it to work, will 
spice it up later)
useradd test$
passwd -l test$
smbpasswd -a -m test
smbpasswd root
(entered a password twice...)

Now... I went to the windows xp machine, changed some registry 
settings (windows xp with service pack 2, BTW.)
then I attempted to join the domain,  entered 'TEST' as the domain, 
and a prompt came up asking me for the username and password required 
to join the domain..
entered root and the root password and... it tells me: 'the specified 
user does not exist'
now, thats damned strange...
so I create another unix user, and then another samba user.. I call 
this user 'test' with a password 'test'
so, I try to use that, and it tells me access denied... so I can 
understand that..
I try to enter root with no password, and it tells me the username or 
password is invalid.. I expected that as well, I guess.
im at a loss. I honestly dont know what to do.
my thing is, at work we are considering switching off of novell in 
favor of samba, so I best get to know it
im off to a rocky start. I hope that someone on list has an idea.
thanks in advance :)

here is my smb.conf, mostly copied from examples:
[global]
   workgroup = TEST
   netbios name = SAMBAPDC
   server string = Samba %v on %L
   log level = 1
   log file = /var/log/samba/log.%L
   max log size = 1000
   time server = Yes
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   logon script = logon.bat
   logon path = \\%N\profiles\%u
   domain logons = Yes
   os level = 255
   preferred master = Yes
   domain master = Yes

[netlogon]
   path = /home/samba/netlogon
   browseable = No
[profiles]
   path = /home/samba/profiles
   read only = No
   create mask = 0700
   directory mask = 0700
   browseable = No
[data]
   path = /home/samba/data
   read only = No
   create mask = 0750
   directory mask = 0750
   guest ok = Yes
How did you called the machine. It has to be the same like the machine 
account of course, probably 'test' in your case. I saw that you called 
the workgroup the same. My win workstations complain if have machine 
with same name as domain. Try calling domain test1 and machine test 
for instance.
I also noticed that sometimes a win machine has to be restarted before 
joining a domain  I don't know why.
You can also try make a WinXP SP2 a workgroup machine before joining 
to the domain and test  user root and password.




[Samba] Re: PDC and windows xp domain joining - root user does not exist

2004-10-16 Thread Igor Belyi
Ok...
Can you try to do the following:
1. remove domain trust account for the machine leaving its /etc/passwd 
entry as it is.
smbpasswd -x vdfbox$
2. attempt to join your Domain again and collect 'log level = 5' smbd log.
Note, that Samba will create machine trust account for you during 
joining of the Domain.

Let me know how it goes
Igor
Mark Rutherford wrote:
Igor,
what should I set the loglevel to?
they get very big but I have a log here from a few minutes ago when I 
set it to '10'
they are accessible here:
http://www.maunzelectronics.com/~mark/samba/log.smbd
http://www.maunzelectronics.com/~mark/samba/log.nmbd

ive since changed all the names of the servers, just to move away from 
the 'test', 'test1' confusion
if there is anything specific anyone wants to see, I can post it up 
someplace.
also, after changing names around, ect im still getting this infamous 
'user does not exist'
thanks for the help :)

Igor Belyi wrote:
Any smbd log you want to share?
I'd expect some kind of error in there? :)
Igor
Mark Rutherford wrote:
ok, changed the computers name and added it just as I added 'test'
then, deleted the 'test' machine
the new machine I called 'mark'
and, it was already in a workgroup.. so I rebooted it
no change. it still tells me that root is an invalid user
so, im back where I started.

Anton K. wrote:
Mark Rutherford wrote:
I am trying to set up a samba PDC, and I have followed many FAQ's 
and HOWTO's ive found online.
all seem to be just about the same..
So, I made a config up (at the end of this email)
then I did the following:
added users/machines as such:  (just trying to get it to work, 
will spice it up later)
useradd test$
passwd -l test$
smbpasswd -a -m test
smbpasswd root
(entered a password twice...)

Now... I went to the windows xp machine, changed some registry 
settings (windows xp with service pack 2, BTW.)
then I attempted to join the domain,  entered 'TEST' as the 
domain, and a prompt came up asking me for the username and 
password required to join the domain..
entered root and the root password and... it tells me: 'the 
specified user does not exist'
now, thats damned strange...
so I create another unix user, and then another samba user.. I 
call this user 'test' with a password 'test'
so, I try to use that, and it tells me access denied... so I can 
understand that..
I try to enter root with no password, and it tells me the username 
or password is invalid.. I expected that as well, I guess.
im at a loss. I honestly dont know what to do.
my thing is, at work we are considering switching off of novell in 
favor of samba, so I best get to know it
im off to a rocky start. I hope that someone on list has an idea.
thanks in advance :)

here is my smb.conf, mostly copied from examples:
[global]
   workgroup = TEST
   netbios name = SAMBAPDC
   server string = Samba %v on %L
   log level = 1
   log file = /var/log/samba/log.%L
   max log size = 1000
   time server = Yes
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
   logon script = logon.bat
   logon path = \\%N\profiles\%u
   domain logons = Yes
   os level = 255
   preferred master = Yes
   domain master = Yes

[netlogon]
   path = /home/samba/netlogon
   browseable = No
[profiles]
   path = /home/samba/profiles
   read only = No
   create mask = 0700
   directory mask = 0700
   browseable = No
[data]
   path = /home/samba/data
   read only = No
   create mask = 0750
   directory mask = 0750
   guest ok = Yes
How did you called the machine. It has to be the same like the 
machine account of course, probably 'test' in your case. I saw that 
you called the workgroup the same. My win workstations complain if 
have machine with same name as domain. Try calling domain test1 and 
machine test for instance.
I also noticed that sometimes a win machine has to be restarted 
before joining a domain  I don't know why.
You can also try make a WinXP SP2 a workgroup machine before 
joining to the domain and test  user root and password.






[Samba] Re: Problems with samba shares locking in w2k ADS environment.

2004-10-16 Thread Igor Belyi
Have you tried setting 'use sendfile = no' for the share in your smb.conf?
Igor
Jim Canfield wrote:
Greetings,
I have a Gentoo Linux machine running samba 3.0.7-r2
It's a member of a win2k ADS domain...all that seems to be working fine.
Problem:
When I share a directory on the Samba machine ADS members can see it,
browse it, and even create directories and small text files.  However,
if I try to drop anything large or binary, it lock up the win2k client
for about 2 minutes then resets.
Could this be a socket issue?  SMB logs for that client don't show
anything odd.
Here is my smb.conf:
[global]
netbios name = TSHTUX
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 1-2
winbind enum users = yes
winbind gid = 1-2
workgroup = TSH
os level = 20
winbind enum groups = yes
password server = *
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = TSH.MYDOMAIN.COM
security = ADS
wins server = **
wins proxy = no

[public]
   comment = Perl Files
   path = /public/
   read only = no
   writable = yes


[Samba] Re: ADS valid users can't map share

2004-10-16 Thread Igor Belyi
Greg Adams wrote:
Yeah, that solved the problem for valid users. Thanks.
However, I now have a different problem. The same kind of logic should
apply to the username map, right? But it doesn't seem to.
smb.conf:
*
[global]
workgroup = EDSADDDM
realm = EDSADDDM.DDM.APM.BPM.EDS.COM
server string = Maul Test Server
log level = 2
max log size = 100
security = ADS
local master = no
os level = 0
domain master = no
preferred master = no
wins server = 199.42.192.103
dns proxy = no
encrypt passwords = yes
idmap uid = 6-7
idmap gid = 8-9
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = no
username map = /opt/samba/lib/username.map
[space]
comment = Space Partition Share
path = /space
writable = yes
browsable = yes
*
username.map:
*
!grega = EDSADDDM+imguser
*
If I map the share from my Windows XP client as EDSADDDM\imguser, it
doesn't do the mapping. I get the following messages in log.smbd:
*
[2004/10/14 09:57:39, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
  open_sockets_smbd: accept: Software caused connection abort
[2004/10/14 09:57:39, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2004/10/14 09:57:40, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [imguser] - [imguser]
- [EDSADDDM+imguser] succeeded
[2004/10/14 09:57:40, 1] smbd/service.c:make_connection_snum(648)
  mule (199.42.192.45) connect to service space initially as user
EDSADDDM+imguser (uid=60001, gid=8) (pid 25694)
*
and if I create a new file it gets the following ownership/permission:
*
# ls -l /space/tmp
total 0
-rwxr--r--   1 nobody   EDSADDDM+Domain Users   0 Oct 14 09:59 New
Text Document.txt
*
However, if I change username.map to the following and restart Samba:
*
!grega = imguser
*
The username map does what I think it should... The permissions on the
created file are as follows:
*
# ls -l /space/tmp
total 0
-rwxr--r--   1 gregaeng0 Oct 14 10:01 New Text Document.txt
*
So... it appears that the username map is not using the domain information.

I do believe it should... Could you provide 'log level = 10' from the 
moment 'EDSADDDM+imguser' logs in until it creates a file? This 
should be logs for the '!grega = EDSADDDM+imguser' line in the map file.

Thanks,
Igor


[Samba] Re: for XP client do I need to have a machine account

2004-10-16 Thread Igor Belyi
bill eight wrote:
Hi,
Ok - win95 systems were on Samba 2.2.x
Now, added XP pro systems...
added user account on XP desktop
AND on samba/linux server and
did a smbpasswd -a
c:\net use \\ipaddr\share /user:user
works ..
but on the XP system (logged in as that
user) I CAN't see the network, even
doing an add network places..
(I get no error.. )
question - 
DO I need to put info about the XP machine
into the samba server?
If you use 'security = user' then the machine (XP system) should become a 
member of this domain before you will be able to log in to the domain from 
this machine. So, yes - you DO need to put info about the XP machine 
into the Samba server. The good news is that when you join the Domain 
Samba will put this info for you.

It probably doesn't answer what you have actually asked but it's a hint 
that you maybe need to give more details on what you did, what you 
expected to see and what you actually saw. :)

Hope it helps,
Igor


[Samba] Re: Group membership

2004-10-16 Thread Igor Belyi
The trick is in you picking SID by yourself. :o)
sambaPrimaryGroupSID: should always be either explicit mapping of 
gidNumber in the groupmap or implicit arithmetic mapping: (gidNumber * 
2) + 'rid base' + 1. Your problem is that you have an inconsistency in your 
root's setup. As a result its primary group 0 gets mapped into RID 1001 
which corresponds to engr.

You can do one of the following:
1. change gidNumber of the cn=root to that of the 'Domain Admins' or
2. change the name of gid=0 to be 'Domain Admins' or
3. change mapping 'Domain Admins - root'
I would also recommend to use arithmetic gidNumber - SID mapping unless 
you are mapping predefined Windows RIDs.

Hope it helps,
Igor
Misty Stanley-Jones wrote:
I am using Samba PDC with OpenLDAP2 and smbldap-tools.  As part of my 
logon.bat, I call a script called ifmember.exe.  This script can list out the 
groups a user is a member of.  It is reporting that my root user is a member 
of the group 'engr.'  I don't know if this is a bug with ifmember.exe or if 
it's an issue in Samba or in LDAP.  Here is some relevant data:

oink:/etc/smbldap-tools # smbldap-groupshow engr
dn: cn=engr,ou=groups,dc=borkholder,dc=com
cn: engr
gidNumber: 1001
memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
objectClass: top,posixGroup,sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
oink:/usr/local/sbin # ./smbldap-usershow root
dn: cn=root,ou=people,dc=borkholder,dc=com
objectClass: account,posixAccount,top,sambaSamAccount
cn: root
uid: root
uidNumber: 0
gidNumber: 0
loginShell: /bin/bash
homeDirectory: /root
displayName: root
sambaPwdCanChange: 1095966471
sambaPwdMustChange: 2147483647
sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
sambaPasswordHistory: 

sambaPwdLastSet: 1095966471
sambaAcctFlags: [U  ]
userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512

oink:/usr/local/sbin # net groupmap list
acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) - acct_admin
truss (S-1-5-21-725326080-1709766072-2910717368-1005) - truss
hr (S-1-5-21-725326080-1709766072-2910717368-1004) - hr
furniture (S-1-5-21-725326080-1709766072-2910717368-1003) - furniture
dutch (S-1-5-21-725326080-1709766072-2910717368-1002) - dutch
Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) - Domain Admins
Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) - Domain Users
Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514) - Domain Guests
Print Operators (S-1-5-32-550) - Print Operators
Backup Operators (S-1-5-32-551) - Backup Operators
Replicators (S-1-5-32-552) - Replicators
Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) - 
Workgroup Computers
Administrators (S-1-5-32-544) - Administrators
acct (S-1-5-21-725326080-1709766072-2910717368-1007) - acct
receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) - receptionist
engr (S-1-5-21-725326080-1709766072-2910717368-1001) - engr

Is there anywhere else I can look to see why this command thinks I'm a member 
of the engr group?  I'm using nss_ldap on the server for authentication as 
well.

Misty


[Samba] Re: Group membership

2004-10-16 Thread Igor Belyi
Ok, the logic goes like this...
If you want to use root for Domain administration purposes it has to be 
in the Domain user database.
If it's a Domain user its primary group should be a Domain group.
All Domain groups in Samba are mappings from UNIX groups into SIDs.
If mapping for a particular gid is not present it will be created 
automatically using arithmetic approach.

Therefore, if you want your root user to keep its primary gid but to be 
associated with a Domain group 'Domain Admins' the best approach will be 
to map this Domain group into UNIX group 'root' instead of creating 
additional UNIX group 'Domain Admins'.

Another approach will be to use some other user to administer your 
Domain and put it into 'admin users' list in smb.conf then you will be 
free to choose any primary group for it you like just keep the 
consistency between gidNumber and sambaPrimaryGroupSID. All users in the 
'admin users' list are forced into being root when they access Samba so 
you will have the same control you would have with root.

I don't know why this is not documented... I don't read documentation 
that often.. I do know though that Samba team welcomes all suggestions 
to make documentation better. If you know which part of the 
documentation got you confused - let them know how to make it more clear.

Hope it helps,
Igor
Misty Stanley-Jones wrote:
This doesn't make sense.  My root user needs to be gid=0 for all of my UNIX 
systems that I have auth'ing against the DB.  Will it resolve this if I make 
the primaryGroupSID of root to be the one of Domain Admins?  This isn't 
documented anywhere that I can tell.  Thank you for your help, by the way.

On Saturday 16 October 2004 06:16 pm, you wrote:
 

The trick is in you picking SID by yourself. :o)
sambaPrimaryGroupSID: should always be either explicit mapping of
gidNumber in the groupmap or implicit arithmetic mapping: (gidNumber *
2) + 'rid base' + 1. Your problem is that you have an inconsistency in your
root's setup. As a result its primary group 0 gets mapped into RID 1001
which corresponds to engr.
You can do one of the following:
1. change gidNumber of the cn=root to that of the 'Domain Admins' or
2. change the name of gid=0 to be 'Domain Admins' or
3. change mapping 'Domain Admins - root'
I would also recommend to use arithmetic gidNumber - SID mapping unless
you are mapping predefined Windows RIDs.
Hope it helps,
Igor
Misty Stanley-Jones wrote:
   

I am using Samba PDC with OpenLDAP2 and smbldap-tools.  As part of my
logon.bat, I call a script called ifmember.exe.  This script can list out
the groups a user is a member of.  It is reporting that my root user is a
member of the group 'engr.'  I don't know if this is a bug with
ifmember.exe or if it's an issue in Samba or in LDAP.  Here is some
relevant data:
oink:/etc/smbldap-tools # smbldap-groupshow engr
dn: cn=engr,ou=groups,dc=borkholder,dc=com
cn: engr
gidNumber: 1001
memberUid: pat,chuck,gene,paul,roger,jerry,mike,jose,todd,howard,jb
objectClass: top,posixGroup,sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-1001
oink:/usr/local/sbin # ./smbldap-usershow root
dn: cn=root,ou=people,dc=borkholder,dc=com
objectClass: account,posixAccount,top,sambaSamAccount
cn: root
uid: root
uidNumber: 0
gidNumber: 0
loginShell: /bin/bash
homeDirectory: /root
displayName: root
sambaPwdCanChange: 1095966471
sambaPwdMustChange: 2147483647
sambaLMPassword: 9B3390AB6FD22782AAD3B435B51404EE
sambaNTPassword: 6F0F56FE06D5EFFDE700A23B9A944678
sambaPasswordHistory:

sambaPwdLastSet: 1095966471
sambaAcctFlags: [U  ]
userPassword: {SSHA}KeQmB88xtBT1lxXzLsG30CSVHIPD+VE2
sambaSID: S-1-5-21-725326080-1709766072-2910717368-500
sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-512
oink:/usr/local/sbin # net groupmap list
acct_admin (S-1-5-21-725326080-1709766072-2910717368-1006) - acct_admin
truss (S-1-5-21-725326080-1709766072-2910717368-1005) - truss
hr (S-1-5-21-725326080-1709766072-2910717368-1004) - hr
furniture (S-1-5-21-725326080-1709766072-2910717368-1003) - furniture
dutch (S-1-5-21-725326080-1709766072-2910717368-1002) - dutch
Domain Admins (S-1-5-21-725326080-1709766072-2910717368-512) - Domain
Admins Domain Users (S-1-5-21-725326080-1709766072-2910717368-513) -
Domain Users Domain Guests (S-1-5-21-725326080-1709766072-2910717368-514)
- Domain Guests Print Operators (S-1-5-32-550) - Print Operators
Backup Operators (S-1-5-32-551) - Backup Operators
Replicators (S-1-5-32-552) - Replicators
Workgroup Computers (S-1-5-21-725326080-1709766072-2910717368-515) -
Workgroup Computers
Administrators (S-1-5-32-544) - Administrators
acct (S-1-5-21-725326080-1709766072-2910717368-1007) - acct
receptionist (S-1-5-21-725326080-1709766072-2910717368-1008) -
receptionist engr (S-1-5-21-725326080-1709766072-2910717368-1001) - engr
Is there anywhere else I can look to see why this command thinks I'm a
member of the engr 
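
The rule stated in the two Group membership replies above (an explicit groupmap entry for the gid, otherwise (gidNumber * 2) + 'rid base' + 1) can be checked mechanically. The Python below is an added example, not code from the thread or from Samba; the rid base of 1000, the gid values 512 and 513, and all function names are assumptions made for illustration.

```python
import re

# Domain SID and the engr / Domain Admins SIDs are taken from the thread.
DOMAIN_SID = "S-1-5-21-725326080-1709766072-2910717368"
# Assumption: 'rid base' is 1000, the value that maps gid 0 to RID 1001.
RID_BASE = 1000

# Constructed sample: name -> gid table such as `getent group` would give.
# Only engr's gidNumber (1001) appears in the thread; 512 and 513 are made up.
UNIX_GROUPS = {"root": 0, "engr": 1001, "Domain Admins": 512, "Domain Users": 513}

# Three lines in the format of the posted `net groupmap list` output.
GROUPMAP_BEFORE = f"""\
Domain Admins ({DOMAIN_SID}-512) - Domain Admins
Domain Users ({DOMAIN_SID}-513) - Domain Users
engr ({DOMAIN_SID}-1001) - engr
"""
# Constructed: the same map after option 3, 'Domain Admins' mapped to UNIX group root.
GROUPMAP_AFTER = GROUPMAP_BEFORE.replace("- Domain Admins", "- root")

# The two attributes of cn=root that matter here, as posted.
ROOT = {"uid": "root", "gidNumber": 0,
        "sambaPrimaryGroupSID": f"{DOMAIN_SID}-512"}

GROUPMAP_LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-\d+(?:-\d+)+)\) - (?P<unix>.+)$")


def parse_groupmap(text):
    """Return {UNIX group name: SID} from `net groupmap list` style lines."""
    mapping = {}
    for line in text.splitlines():
        match = GROUPMAP_LINE.match(line.strip())
        if match:
            mapping[match.group("unix")] = match.group("sid")
    return mapping


def algorithmic_sid(gid, domain_sid=DOMAIN_SID, rid_base=RID_BASE):
    """Implicit arithmetic mapping: (gidNumber * 2) + 'rid base' + 1."""
    return f"{domain_sid}-{gid * 2 + rid_base + 1}"


def expected_primary_group_sid(gid, unix_groups, groupmap):
    """Explicit groupmap entry for this gid if there is one, else arithmetic."""
    for name, group_gid in unix_groups.items():
        if group_gid == gid and name in groupmap:
            return groupmap[name], "explicit"
    return algorithmic_sid(gid), "algorithmic"


def check_user(user, unix_groups, groupmap):
    """Return a list of (code, message) findings for one account."""
    findings = []
    gid = user["gidNumber"]
    expected, how = expected_primary_group_sid(gid, unix_groups, groupmap)
    if user["sambaPrimaryGroupSID"] != expected:
        findings.append(("MISMATCH",
                         f"{user['uid']}: sambaPrimaryGroupSID is "
                         f"{user['sambaPrimaryGroupSID']} but gid {gid} "
                         f"resolves to {expected} ({how})"))
    if how == "algorithmic":
        # The computed SID may land on a SID already given to another group.
        for name, sid in groupmap.items():
            if sid == expected and unix_groups.get(name) != gid:
                findings.append(("COLLISION",
                                 f"gid {gid} resolves to the SID explicitly "
                                 f"mapped to UNIX group '{name}'"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", GROUPMAP_BEFORE), ("after", GROUPMAP_AFTER)):
        results = check_user(ROOT, UNIX_GROUPS, parse_groupmap(text))
        print(label, results or "consistent")
```
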

[Samba] Re: Missing folders when accessing via Samba ?

2004-10-15 Thread Igor Belyi
Can you provide 'log level = 5' of smbd for the time you open the share. 
Also provide at least one name of the folder which is present in this 
share but is not shown in Windows.

Thanks,
Igor
Mario Bittencourt wrote:
Hi,
at least for me no changes.  I've added those hide
unreadable/unwriteable  = no , restarted samba and tried to access.
Same thing.
Anyone with the same problem ?
On Mon, 11 Oct 2004 18:04:00 +0100, Hamish [EMAIL PROTECTED] wrote:
A long shot, but maybe try `hide unreadable = no` and `hide unwriteable
= no`?

charlie wrote:

I have the same trouble, but in my case it is with Win XP machines and
a G5. The G5 lost some files in transfers of a big number of files, and
then these same files look like they disappear in the XP machine when you
browse from the G5. You look into the XP from XP and there it is.
weird!!!
Any clues about this?
thanks
On Mon, 11 Oct 2004 07:29:19 -0400, Mario Bittencourt [EMAIL PROTECTED] wrote:

Hi,
I have a linux server (FC2) with samba 3.0.7 (3.0.7-2.FC2).
Everything was fine but recently I found that some folders that I used
to access from windows clients are missing.
They exist if I log on to the samba server (using ssh) and ls, but do
not appear on my windows machine.  Other folders in the same share do
appear.
All folders (that appear and don't appear) have the same owner/group
and permissions.
If I put the full path (\\samba\share\missing_folder) in my windows
explorer I can access the missing folder and use it without a problem.
I am not quite sure but it seems to have started after the latest
update of my samba version.
The machine has been rebooted since this event.
Any ideas ?


[Samba] Re: Adding linux users to linux server with samba

2004-10-15 Thread Igor Belyi
[EMAIL PROTECTED] wrote:
Is there a way to add the linux user to the system on the fly while you 
run smbpasswd -a and even set the password so you do not have to do two 
steps or to have adduser or useradd add a user to smb by default with the 
same password if created.  Many of the users in a small business do not 
remember to add both and then get frustrated when they can't use the 
system to find it is because they did not add users to both places.
I think you need to add the following parameter in your smb.conf:
add user script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
If you need to add ability to login into Linux system as well then 
change values of -d (user's home) and -s (user's shell) and add 'unix 
password sync = yes' to have UNIX password to be the same as the Samba's 
one.

Hope it helps,
Igor


[Samba] Re: Can't browse network using nautilus

2004-10-15 Thread Igor Belyi
I think it's a good idea to ask this question on a Nautilus list:
http://mail.gnome.org/mailman/listinfo/nautilus-list
Igor
Steve Blackwell wrote:
Hi,
I'm using the nautilus file browser in a GNOME desktop environment on a  
FC2 system.

If I enter smb:/// in the location bar in nautilus I can see the  
network but whenever I try to look at the shares on a computer I get a  
message saying that I do not have permissions to view the contents.

I looked in the archives and found a thread on a similar problem. This  
thread mentioned that the gnome-vfs-extras rpm had been depreciated and  
should be removed. This solved the problem for that person but didn't  
work for me (I did have that rpm installed and removed it). Here are  
the rpms that I have installed:

samba-common-3.0.7-2.FC2
samba-client-3.0.7-2.FC2
system-config-samba-1.2.15-0.fc2.1
samba-3.0.7-2.FC2
samba-swat-3.0.7-2.FC2
nautilus-2.6.0-4
gnome-vfs2-smb-2.6.0-8
gnome-vfs2-2.6.0-8
gnome-vfs2-devel-2.6.0-8
In looking at an ethereal trace I see some NBNS messages followed by 3  
TCP messages and 2 SMB Negotiate Protocol Request/Response, all of  
which look OK.

Then comes a session setup andx request, NTLMSSP_NEGOTIATE message.  
In this message is a Security Blob section and part of this is  
Calling workstation domain. This is set to WORKGROUP which is wrong  
for me and does not match what I have set in my smb.conf file. There is  
also a session setup andx request, NTLMSSP_AUTH message that has the  
same problem. My user name and machine name are set correctly but the  
domain is wrong.

So it would appear that Nautilus is not reading my smb.conf file.
Any pointers on how to proceed from here will be appreciated.
Thanks,
Steve


[Samba] Re: NT4 RAS Dial-in with Samba 3 PDC

2004-10-15 Thread Igor Belyi
I use usrmgr.exe on WinXP Pro without a problem. Did you check for any 
error message in smbd log and in Window's Event Viewer?

Igor
Aaron Rosenblum wrote:
Hi,
I installed UsrMgr.exe (downloaded from the MS support site) on an XP 
client, joined the client to the domain hosted by the Samba 3 PDC, then 
opened UsrMgr.exe.  The NT tools saw the domain and listed the users and 
groups, but when I clicked on a user or group and hit properties, the 
UsrMgr.exe crashed.  Am I missing something obvious like you can't run 
this tool on a newer OS than NT 4?  Or you have to run it on a server 
version of the OS, or should this work?

thanks
Aaron
On Oct 11, 2004, at 5:36 PM, Andrew Bartlett wrote:
On Tue, 2004-10-12 at 00:56, Aaron Rosenblum wrote:
Hi,
I am searching for information on how to set up an NT4 RAS server to
authenticate users against a Samba 3 PDC.  Right now we have 2 domain
controllers and the plan is to phase them out.  We want to set up samba
as the PDC, but we need RAS to work for the time being.  Is there a way
to do this?

Have you tried this?  Does it fail?  Particularly with the LDAP backend
(or tdbsam) and setting the properties in usrmgr, it should work...
Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Authentication Developer, Samba Team    http://samba.org
Student Network Administrator, Hawker College   [EMAIL PROTECTED]



[Samba] Re: Samba 3.0.7, SuSE 8.2 and Heimdal Compile Problem

2004-10-15 Thread Igor Belyi
Have you tried to ask on Heimdal list?
[EMAIL PROTECTED]
Igor
L. Mark Stone wrote:
Trying to follow Chapter 9.3.3 of S3BE to create a SuSE 8.2 Active Directory 
domain member server.

9.3.3 says heimdal = .6 is required. I installed the Sernet packages and saw 
0.6.2 source is included.  Running ./configure after unpacking the heimdal 
source completes OK, but running make results in the following errors:

creating libss.la
/usr/bin/sed: can't read Packages/heimdal-0.6.2/lib/editline/libeditline.la: 
No such file or directory
libtool: link: `Packages/heimdal-0.6.2/lib/editline/libeditline.la' is not a 
valid libtool archive
make[2]: *** [libss.la] Error 1
make[2]: Leaving directory `/home/lmstone/Desktop/Samba 
Packages/heimdal-0.6.2/lib/sl'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/lmstone/Desktop/Samba 
Packages/heimdal-0.6.2/lib'
make: *** [all-recursive] Error 1
[EMAIL PROTECTED]:~/Desktop/Samba Packages/heimdal-0.6.2

I also tried with 0.6.3 from the Heimdal site and got the same error.
I am not a programmer, so please don't assume I know too much!  Are there 
certain options I should be running with ./configure?  Any other ideas?

Thanks,
Mark


[Samba] Re: Mapping ADS groups

2004-10-15 Thread Igor Belyi
Greg Adams wrote:
I've got a Samba 3.0.7 member server of an ADS domain. Is there some
way to map everyone in an ADS group to a single user for the purposes
of Unix permissions? I thought I could do this with an smb.conf entry
of:
usernam map = /opt/samba/etc/username.map
and an entry in the username map of
smbuser = @DOMAIN\Group Name
I know it's not obvious, but looking at the code it looks like just 
plain 'smbuser = DOMAIN\Group Name' should work. '@' can be used only 
for UNIX groups.

Hope it helps,
Igor
but that doesn't seem to do it. Using a username map entry of
smbuser = DOMAIN\User ID
works, but the ADS domain has over 1 users in the target group I
need to map, and I don't want to elaborate each of those users in the
username map.


[Samba] Re: page_log: no entries when printing from samba

2004-10-15 Thread Igor Belyi
Have you tried to print from the same machine where cups-server runs 
without invoking Samba? If it has the same problem - you will need to 
ask help on cups list: http://www.cups.org/newsgroups.php

Igor
Karsten Dello wrote:
good evening,
if i print to our cups-server from a winxp-machine via the samba-server on the same machine  the job is done well.
i can also see the corresponding entry in http://...:631/jobs?which_jobs=completed 

but no entry is made into /var/log/cups/page_log,
which i need for some kind of basic accounting.
on the client-side we use
the cups-printer-driver (rc3),
on the server-side we use cups 1.1.20 and samba 3.0.7.
if the cups server is used directly 
(e.g. from another cups on another linux-box)
everything works fine.

any help would be appreciated,
karsten dello



[Samba] Re: samba 3.0.7 and OpenLDAP

2004-10-15 Thread Igor Belyi
Mario Ohnewald wrote:
Hello List,
yet another OpenLDAP/Samba problem...
OpenLDAP: slapd 2.2.17
Samba: Version 3.0.7
Debian stable with 2.4.27
I am trying to do this howto (smb auth via ldap):
http://www.idealx.org/prj/samba/smbldap-howto.en.html

Even IF the user does not exist in my ldap table, why does smbd just
exit? Do I start it the wrong way?

This is the output of smbd -F -i -d 9 -S -s /etc/samba/smb.conf
This is expected behavior. When you start smbd as a daemon - it will run 
forever forking children for each incoming request. After handling the 
request the child process exits. If you start it in the interactive mode it 
will wait for the first request and then process the request as if it 
were a spawned child.

Hope it helps,
Igor


[Samba] Re: Starting Samba 3.0.7 using -F -S flags

2004-10-15 Thread Igor Belyi
Greg J. Zartman, P.E. wrote:
I'm attempting to start smbd and nmbd using the -F -S flags, but get the 
following:

added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
standard input is not a socket, assuming -D option
Seems that Samba is defaulting back to the -D flag.
Any ideas?
If you want to run it from a command line use also the '-i' (interactive 
mode) flag. Without '-i' smbd assumes it was called from the inetd daemon.

Hope it helps,
Igor


[Samba] Re: 'add/change/delete share command'(s) in smb.conf

2004-10-15 Thread Igor Belyi
[EMAIL PROTECTED] wrote:
Hello.
I need to allow one of my users to add  delete shares on my Samba server 
through the 'server manager' applet on his client .

This same user also writes some files to the same Samba server.
I don't want the files that he writes to be owned/written by 'root' .
The way I understand the 'add share command' currently, this is not 
possible.

Am I missing something?
I think you are right. User can not have more than 1 identity when 
connecting to Samba. If it's an Administrator everything will be done 
from the root account.

Igor


Re: [Samba] Re: 'add/change/delete share command'(s) in smb.conf

2004-10-15 Thread Igor Belyi
Hm... Interesting idea... Since access is necessary only to smb.conf 
then probably changing share's path to
'path = /etc/samba' could be a better alternative...

But then again.. how 'add/change/delete share commands' will know that 
this particular user has access to this [config] share even if path is 
left as '/'? So, it probably won't work via those commands - user will 
need to edit smb.conf by hand while accessing it via the [config] share.

Igor
David Rankin wrote:
This will work:
[config]
   comment = Admin Share
   path = /
   valid users = theusername
   force user = root
   force group = theusergroup
   admin users = theusername
   writeable = Yes
 W A R N I N G  whoever 'theusername' is will have complete access
to all files listed in or below the path directory (your entire box as shown
above). If you can limit the path to say /home or wherever the files of
concern are, you would be much better off.
--
David C. Rankin, J.D., P.E.
Rankin * Bertin, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankin-bertin.com
- Original Message - 
From: Igor Belyi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 15, 2004 11:17 PM
Subject: [Samba] Re: 'add/change/delete share command'(s) in smb.conf

 

[EMAIL PROTECTED] wrote:
   

Hello.
I need to allow one of my users to add  delete shares on my Samba
 

server
 

through the 'server manager' applet on his client .
This same user also writes some files to the same Samba server.
I don't want the files that he writes to be owned/written by 'root' .
The way I understand the 'add share command' currently, this is not
possible.
Am I missing something?
 

I think you are right. User can not have more than 1 identity when
connecting to Samba. If it's an Administrator everything will be done
from the root account.
Igor


Re: [Samba] Re: 'add/change/delete share command'(s) in smb.conf

2004-10-15 Thread Igor Belyi
On a second thought... It doesn't matter if path is '/' or '/etc/samba' 
- if user has access to edit smb.conf directly he/she can create similar 
share with 'path = /' and 'force user = root' any time and have access 
to the whole computer. So, I agree - you'd better trust 'theusername' as 
if it were 'root'.

Igor
Igor Belyi wrote:
Hm... Interesting idea... Since access is necessary only to smb.conf 
then probably changing share's path to
'path = /etc/samba' could be a better alternative...

But then again.. how 'add/change/delete share commands' will know that 
this particular user has access to this [config] share even if path is 
left as '/'? So, it probably won't work via those commands - user will 
need to edit smb.conf by hand while accessing it via the [config] share.

Igor
David Rankin wrote:
This will work:
[config]
   comment = Admin Share
   path = /
   valid users = theusername
   force user = root
   force group = theusergroup
   admin users = theusername
   writeable = Yes
 W A R N I N G  whoever 'theusername' is will have complete 
access
to all files listed in or below the path directory (your entire box 
as shown
above). If you can limit the path to say /home or wherever the files of
concern are, you would be much better off.

--
David C. Rankin, J.D., P.E.
Rankin * Bertin, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
www.rankin-bertin.com
- Original Message - From: Igor Belyi 
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 15, 2004 11:17 PM
Subject: [Samba] Re: 'add/change/delete share command'(s) in smb.conf

 

[EMAIL PROTECTED] wrote:
  

Hello.
I need to allow one of my users to add  delete shares on my Samba


server
 

through the 'server manager' applet on his client .
This same user also writes some files to the same Samba server.
I don't want the files that he writes to be owned/written by 'root' .
The way I understand the 'add share command' currently, this is not
possible.
Am I missing something?

I think you are right. User can not have more than 1 identity when
connecting to Samba. If it's an Administrator everything will be done
from the root account.
Igor
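
The conclusion reached in this thread, that a writable share acting as root over smb.conf makes its user root-equivalent whether the path is '/' or '/etc/samba', expressed as an audit check over share definitions. This Python is an added example, not code from the posters or from Samba; the smb.conf location, the [config-narrow], [scratch] and [space] sample shares and the function names are assumptions.

```python
import posixpath
import re

# Assumption: smb.conf lives here, as implied by 'path = /etc/samba' in the thread.
SMB_CONF_PATH = "/etc/samba/smb.conf"
TRUE_VALUES = {"yes", "true", "1"}

# [config] is the share posted in the thread; the other shares are constructed.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE

[config]
   comment = Admin Share
   path = /
   valid users = theusername
   force user = root
   force group = theusergroup
   admin users = theusername
   writeable = Yes

[config-narrow]
   path = /etc/samba
   valid users = theusername
   force user = root
   writeable = Yes

[scratch]
   path = /home/scratch
   admin users = theusername
   read only = no

[space]
   path = /space
   writable = yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def is_writable(params):
    """'writeable', 'writable' and 'write ok' are inverted synonyms of 'read only'.

    Simplification: if several are present the first one listed here wins.
    """
    for key in ("writeable", "writable", "write ok"):
        if key in params:
            return params[key].lower() in TRUE_VALUES
    return params.get("read only", "yes").lower() not in TRUE_VALUES


def covers(share_path, target):
    """True when target lies at or below share_path."""
    share_path = posixpath.normpath(share_path)
    target = posixpath.normpath(target)
    return (share_path == "/" or target == share_path
            or target.startswith(share_path + "/"))


def audit_share(params, conf_path=SMB_CONF_PATH):
    """Return finding codes for one share definition."""
    findings = []
    forced_root = params.get("force user", "").strip().lower() == "root"
    admins = [u for u in re.split(r"[,\s]+", params.get("admin users", "")) if u]
    if forced_root or admins:
        # File operations on this share are carried out as root.
        findings.append("ROOT_IDENTITY")
        if is_writable(params) and covers(params.get("path", ""), conf_path):
            # The user can rewrite smb.conf and define any share they like.
            findings.append("SMB_CONF_WRITABLE_AS_ROOT")
    return findings


def audit_conf(text):
    """Audit every share (every section except [global])."""
    return {name: audit_share(params)
            for name, params in parse_smb_conf(text).items() if name != "global"}


if __name__ == "__main__":
    for share, codes in audit_conf(SAMPLE_CONF).items():
        print(f"[{share}]", ", ".join(codes) or "no findings")
```
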


[Samba] Re: Problem adding users to the PDC

2004-10-14 Thread Igor Belyi
Users (S-1-5-32-545) is a local group. Domain users should have Domain 
group from their domain as their primary group. I would recommend to 
change mapping by removing 'Users - users' map and adding 'Domain Users 
- users' one.

The problem can also be caused if you already have 'Domain Users - 
users' and add 'Users - users', since Samba maps gid - SID by finding 
the first SID - gid mapping with the right gid and will fail if 'Users 
- users' is the first map it encounters.

Hope it helps,
Igor
Anton K. wrote:
I have a problem adding users after I set up a groupmap. Before there was no
problem.
net groupmap ntgroup=Users unixgroup=users
Users (S-1-5-32-545) - users
useradd pesho -g users
pdbedit -a pesho
new password:
retype new password:
tdb_update_sam: Failing to store a SAM_ACCOUNT for [pesho] without a 
primary
group RID
Unable to add user! (does it already exist?)
pesho of course doesn't exist
pdbedit -L | grep pesho
returns nothing.

I'm using two passwd backends:
 passdb backend = tdbsam:/etc/samba/passdb.tdb \
  smbpasswd:/etc/samba/smbpasswd
In this case I'm trying to add pesho to tdbsam,
when I remove it and only smbpasswd was in the smb.conf
I was able to add it successfully.
I'm using  samba 3.0.7-2.FC1.
Can somebody tell me what have I done wrong?


[Samba] Re: Trust between two samba domains

2004-10-14 Thread Igor Belyi
Please read carefully the Samba doc regarding Interdomain Trust:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html
Interdomain trust implies that one Domain will trust another that a user 
logged into it correctly. Your assumption that user from one Domain 
should be able to login into another is incorrect. Users from DomainA 
should login into DomainA but will be able to use resources of the 
DomainB if DomainB trust DomainA.

Hope it helps,
Igor
opk Bronislav wrote:
Hi,
I posted my problem to the list but nobody answered me. I have found a solution of
netsamlogon_cache.tdb but still I have a problem with authentication. I have
changed the smb.conf files. 
servera:
[global]
   workgroup = DOMAINA
   netbios name = SERVERA
   security = user
   passdb backend = smbpasswd
   local master = yes
   domain logons = yes
   os level = 33
   domain master = yes
   preferred master = yes
   log level = 3 
   allow trusted domains = yes
   wins support = yes
[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   read only = yes
[Documents]
   comment = Dokumenty
   path = /export/documents
   writeable = yes
   browseable = yes
   guest ok = yes 

serverb:
[global]
   workgroup = DOMAINB
   netbios name = SERVERB
   security = user
   passdb backend = smbpasswd
   local master = yes
   domain logons = yes
   os level = 33
   domain master = yes
   preferred master = yes
   log level = 3 
   allow trusted domains = yes
   wins support = yes
[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   read only = yes
[Documents]
   comment = Dokumenty
   path = /export/documents
   writeable = yes
   browseable = yes
   guest ok = yes 


loga:
[2004/10/13 16:40:21, 3] rpc_server/srv_pipe.c:api_rpcTNP(1541)
  api_rpcTNP: rpc command: NET_SAMLOGON
[2004/10/13 16:40:21, 3] rpc_server/srv_netlog_nt.c:_net_sam_logon(613)
  SAM Logon (Interactive). Domain:[DOMAINA].  User:[EMAIL PROTECTED] Requested
Domain:[DOMAINB]
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/10/13 16:40:21, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/10/13 16:40:21, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2004/10/13 16:40:21, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/10/13 16:40:21, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/10/13 16:40:21, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/10/13 16:40:21, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/10/13 16:40:21, 3] libsmb/namequery_dc.c:rpc_dc_name(145)
  rpc_dc_name: Returning DC SERVERB (192.168.100.11) for domain DOMAINB
[2004/10/13 16:40:21, 3] libsmb/cliconnect.c:cli_start_connection(1376)
  Connecting to host=SERVERB
[2004/10/13 16:40:21, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 192.168.100.11 at port 445
[2004/10/13 16:40:21, 3] auth/auth_util.c:make_server_info_info3(1114)
  User bronasek does not exist, trying to add it
[2004/10/13 16:40:21, 0] auth/auth_util.c:make_server_info_info3(1122)
  make_server_info_info3: pdb_init_sam failed!
[2004/10/13 16:40:21, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [bronasek] - [bronasek] FAILED
with error NT_STATUS_NO_SUCH_USER
[2004/10/13 16:40:21, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
  free_pipe_context: destroying talloc pool of size 6274
[2004/10/13 16:40:21, 3] smbd/pipes.c:reply_pipe_write_and_X(199)
  writeX-IPC pnum=73cc nwritten=336
[2004/10/13 16:40:21, 3] smbd/process.c:process_smb(1092)
  Transaction 39 of length 63
[2004/10/13 16:40:21, 3] smbd/process.c:switch_message(887)
  switch message SMBreadX (pid 10156) conn 0x83d8040
[2004/10/13 16:40:21, 3] smbd/pipes.c:reply_pipe_read_and_X(242)
  readX-IPC pnum=73cc min=1024 max=1024 nread=96 

logb:
[2004/10/13 16:17:06, 3] rpc_server/srv_netlog_nt.c:_net_sam_logon(620)
  SAM Logon (Network). 

[Samba] Re: Samba 3.0.7 adding machines. Wrong primary group.

2004-10-14 Thread Igor Belyi
I have a strange feeling that the clue is in the server-manager since 
I don't use it to join domain at all.

I have Debian/unstable x86 Linux 2.6.7 Samba 3.0.7 as a PDC.
Workstation is WinXP Pro SP1.
To join domain I just go into System Properties/Computer Name/Change... 
and put Domain name in the "Member of/Domain:" field. Then I click Ok, 
put Domain administrator's name and password in the popped-up "Computer Name 
Changes" window, and click Ok again. After getting the "Welcome to DOMAIN 
domain." and "You must restart this computer for the changes to take 
effect." popups I reboot and have computer as a domain member.

Do you join domain some other way?
Igor
Michael Liebl wrote:
On Wednesday, 13 October 2004, Igor Belyi wrote:

Using:  Debian/unstable x86 Linux 2.6.5
Samba:  Version 3.0.7-Debian
Interesting case... The request comes from Windows to update machine 
account with a bunch of new values and in this request RID of the 
primary group for the account (group_rid) is listed as 513 (0x201).

If you look at the 'fields_present' in the request you will notice that 
it requests almost all information to be updated - 09f827fa (this is a 
bitwise mask of fields to be updated). When I add a computer in my 
domain I have it only '00c4 fields_present : 0112'. Note, that on 

How do you add? Details welcome.

So, I suspect the problem is somewhere on Windows side. I haven't found 
any Domain Policy requiring all accounts to be in Domain Users group 
which is the only thing which comes to my mind as a probable cause for 
the problem.

Strange. @home I have WinXP SP1 only, with standard server-manager from
the WinNT4 Resource Kit.
At the customer we have W2K with an unknown server-manager, but same
results @ samba 3.0.7 on RH box.

I hope somebody having more experience with different Domain/Windows 
configurations can help in this case.

May I install an old samba 3.0.1 to test that?


[Samba] Re: Printer Device Modes

2004-10-14 Thread Igor Belyi
Gerald (Jerry) Carter wrote:
Ryan Suarez wrote:
| Greetings Admins,
|
| The howto details setting the device mode using a windows client:
|
| http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/printing.html#id2552900
|
| Is there a way to script this process?  We support 260+ printers and
| it's a pain in the ass.  (My wrist is hurting!)
There is actually. You can store default initialization
data for each printer driver and then a printer will
get this information assigned when it is bound to the
driver.
What you do is to set a printer bound to the driver in
question to be like you want it and then send a SetPrinterData()
call to set the registry value named _p_f_a_n_t_0_m_
(type REG_BINARY) to some arbitrary value.  The value doesn't
really matter.  This tells smbd to save a snapshot of that
printer's data as the default initialization data for that
driver.
Then when you bind a new printer to the same driver, it will
be assigned that initialization data.
Hope this helps.
Jerry, can you cut & paste what you just said into 
Samba-HOWTO-Collection? :o)

Igor


[Samba] Re: Authentication woes

2004-10-14 Thread Igor Belyi
Can you also provide smbd log showing the error message during your 
attempts?

Igor
Brian Witowski wrote:
Hello,
I have a perplexing problem.  I'm running Mandrake 10.0 and samba 3.0 setup
as a domain controller.  My client machines are XP Pro.  I can join the
domain and my Homes directory connects as it should.  But that's all I can
do.  I have other shares that I can't access.  For instance, I have a
downloads share.  I've tried every conceivable setting but when I try to
access that share, it prompts for my username and password.  I enter it but
it doesn't take.  It just asks again.  I've tried different logins and get
the same result.  I've tried setting guest=yes and that didn't help. I've set
the attributes to 777 and that didn't help.
Evidently it doesn't see my netlogon share either because my logon script
never runs.  I've included my samba.conf for inspection.  Keep in mind this
is only one of MANY configurations I've tried.  Any help would be greatly
appreciated.
Brian
---
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/10/07 07:23:18
# Global parameters
[global]
workgroup = PYRAMID
netbios name = SERVER
interfaces = eth1, lo
bind interfaces only = Yes
username map = /etc/samba/smbusers
log level = 31
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445
name resolve order = wins bcast hosts
time server = Yes
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = \\%L\netlogon\default.bat
logon path = \\server\profiles\%U
logon drive = X:
logon home = \\%L\%U
domain logons = Yes
ldap ssl = no
default service = Downloads
winbind use default domain = Yes
[downloads]
path = /mnt/hda3/downloads
read only = No
create mask = 0777
force create mode = 0777
directory mask = 0777
force directory mode = 0777
[netlogon]
comment = Network Logon Service
path = /mnt/hda3/home/netlogon
read only = No
[brianw]
path = /mnt/hda3/home/brianw
read only = No
guest ok = Yes
[laptop]
path = /home/laptop
read only = No
guest ok = Yes
[profiles]
path = /mnt/hda3/home/samba/profiles
read only = No
guest ok = Yes
[homes]
path = /mnt/hda3/home
read only = No
[jan]
path = /mnt/hda3/home/jan


[Samba] Re: Linux freezes on large file transfers

2004-10-14 Thread Igor Belyi
Monty wrote:
I am running MD 10 (Community) as a file server on a Shuttle SB61G2. This 
setup worked very well under Mandrake 9.2 however, every time I try to copy 
files larger than say 550 ~650MB using MD 10, my linux box freezes and must 
be rebooted. I can FTP the same file(s) perfectly fine to other PCs on my 
home net.  Small volumes of files work fine as well as ISO images, the box 
seems to lock up only after it passes some type of threshold.  I am 
not sure what to do here.  I have installed of the latest SMB packages for MD 
10.  The problem still persists.

Is there some config parameter that I must change? 
Have you tried "use sendfile = no" in smb.conf?
Igor


[Samba] Re: unable to change password on multi IP

2004-10-14 Thread Igor Belyi
Kris Van Bruwaene wrote:
When trying to connect to a new machine on our
internal network I first got:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
I searched the list archives and found the following
solution, which gave me a new error:
smbpasswd -U bruwaek -r //rto.be
Old SMB password:
New SMB password:
Retype new SMB password:
unable to find an IP address for machine //rto.be.
Failed to modify password entry for user bruwaek
Why did you put '//' in front of a machine name? Try just:
smbpasswd -U bruwaek -r rto.be
Hope it helps,
Igor


[Samba] Re: problem with samba, ldap and windows

2004-10-13 Thread Igor Belyi
Different people have different reasons for this failure but in your case 
you need to remember that besides finding Administrator Samba needs to 
find machine trust account as well. If it can't find it the same error 
message "Can't find user" is reported back to Windows.

Check that machine account was successfully created during joining of the 
Domain, that flag marks it as a Workstation trust account (W), and that 
you can see this account with 'getent passwd' request.

And a minor note, which probably is unrelated to your problem - don't 
use '-a' option to smbldap-useradd in your 'add user script' since Samba 
expects this script to create only Posix account.

Igor
Samuele Giovanni Tonon wrote:
hi,
i have read that someone has a similar problem to mine, however i didn't 
find how it solved them .

The problem is this: samba as a PDC for a window domain.
The authentication is managed with openldap.
if i try to change the password of any ldap account with smbpassword i 
have no error.
if i try to access to the shared folder of samba, with windows, it asks
me for authentication and it all works.
The only thing i'm not able to do is to manage the windows 
authentication through domain: when i try to join the domain using 
Administrator it says to me "Can't find user" but in samba log i have:

[2004/10/13 11:27:45, 2] smbd/sesssetup.c:setup_new_vc_session(608) 
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2004/10/13 11:27:45, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2004/10/13 11:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
  init_sam_from_ldap: Entry found for user: Administrator
[2004/10/13 11:27:45, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [Administrator] - 
[Administrator] - [Administrator] succeeded
[2004/10/13 11:27:46, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain KOSAVUTU - 
S-1-5-21-1603302580-212172761-3240640930
[2004/10/13 11:27:46, 2] smbd/server.c:exit_server(571)
  Closing connections

so Administrator is known, the authentication works, but in some way 
either samba or windows doesn't communicate well.
Any hints ?

i'm attaching my smb.conf, hoping it can help.
Regards

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# testparm to check that you have not many any basic syntactic 
# errors. 
#

#=== Global Settings ===
[global]
## Browsing/Identification ###
workgroup = KOSAVUTU
;netbios name = PDC
server string = %h server (Samba %v)
syslog = 30
security = user
null passwords = true
encrypt passwords = true
add user script = /usr/sbin/smbldap-useradd -m -a %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = logon.bat
logon path = \\PDC\profiles\%g
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
min protocol = LANMAN2
time server = Yes
server signing = auto
local master = Yes
os level = 40
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = No
wins server = 10.0.0.1
log file = /var/log/samba/samba.log.%m
log level = 2 passdb:2 auth:2 winbind:2
admin users = root,Administrator
passdb backend = ldapsam:ldap://127.0.0.1/
passwd program = /usr/sbin/smbldap-passwd -o %u
passwd chat = *new*password* %n\n *new*password:* %n\ *succesfully*
passwd chat debug = Yes
ldap suffix = dc=sferacarta,dc=com
ldap machine suffix = ou=machines
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=users


[Samba] Re: Groupmapping doesn't work

2004-10-13 Thread Igor Belyi
Tilo Lutz wrote:
I got a problem with groupmapping. It doesn't work correctly:
Wilma2:/home/root # net groupmap list | grep 512
Domain Admins (S-1-5-21-3371203057-3264423045-2392767973-512) - domadm
ldapsearch -x cn=domadm:
# domadm, groups, wms-hn.de
dn: cn=domadm,ou=groups,dc=my-domain
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadm
gidNumber: 65669
memberUid: tilo
sambaSID: S-1-5-21-3371203057-3264423045-2392767973-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Admins
The problem is tilo doesn't have any administrator rights.
Any idea what's wrong? I use samba 3.0.7

What 'getent group domadm' returns you? I suspect that it does not have 
tilo as a member. If you have the same posixGroup defined both in 
/etc/group and in LDAP and want to have definition 

wormhole:/var/log # getent group | grep domadm
domadm:x:65669:tilo
It has tilo as member. The group is only defined in ldap, not in
/etc/group
Did you also check that SID of this 'Domain Admins' actually belongs 
to your Domain? What 'net getlocalsid' returns you?
Does tilo user belong to 'Domain Admins' when you look at it with 
usrmgr.exe under Windows?
Is 'Domain Admins' group a member of local 'Administrators' group 
on Windows?

Igor


[Samba] Re: Samba 3.0.7 adding machines. Wrong primary group.

2004-10-13 Thread Igor Belyi
Michael Liebl wrote:
Domainname: MITTELERDE
PDC:ISENGART
Machinename I added: TESTMACHINE
My Command:
add machine script = /usr/sbin/useradd -c Samba-Computer -d /dev/null  -g machines -s /bin/false %u
If I change 'set primary group script' to /bin/true the machine will
stay in Group machines, so the command works.
After adding the machine, it has the primary unix group domusr.
Domain Users (S-1-5-21-1418210569-3342691074-3409555407-513) - domusr
Using:  Debian/unstable x86 Linux 2.6.5
Samba:  Version 3.0.7-Debian
   (Also I checked with FC2)
If you need more info, please let me know.
 

Interesting case... The request comes from Windows to update machine 
account with a bunch of new values and in this request RID of the 
primary group for the account (group_rid) is listed as 513 (0x201).

If you look at the 'fields_present' in the request you will notice that 
it requests almost all information to be updated - 09f827fa (this is a 
bitwise mask of fields to be updated). When I add a computer in my 
domain I have it only '00c4 fields_present : 0112'. Note, that on 
the other hand I have similar set of data updates when I create normal 
user with usrmgr.exe: 00c4 fields_present : 08f827fa.

So, I suspect the problem is somewhere on Windows side. I haven't found 
any Domain Policy requiring all accounts to be in Domain Users group 
which is the only thing which comes to my mind as a probable cause for 
the problem.

I hope somebody having more experience with different Domain/Windows 
configurations can help in this case.

Below are the relevant extracts from the (log level = 5) smbd log:
Igor
[2004/10/11 09:06:31, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
 _samr_create_user: Running the command `/usr/sbin/useradd -c 
Samba-Computer -d /dev/null  -g machines -G samba -s /bin/false 
testmachine$' gave 0
[2004/10/11 09:06:31, 5] lib/username.c:Get_Pwnam(293)
 Finding user testmachine$
..
[2004/10/11 09:06:31, 5] passdb/pdb_tdb.c:tdb_update_sam(631)
 Storing (new) account testmachine$ with RID 5024
..
[2004/10/11 09:06:31, 4] rpc_server/srv_pipe.c:api_rpcTNP(1534)
 api_rpcTNP: samr op 0x3a - api_rpcTNP: rpc command: SAMR_SET_USERINFO
..
[2004/10/11 09:06:31, 5] rpc_parse/parse_prs.c:prs_uint32(635)
 00b8 user_rid  : 
[2004/10/11 09:06:31, 5] rpc_parse/parse_prs.c:prs_uint32(635)
 00bc group_rid : 0201
[2004/10/11 09:06:31, 5] rpc_parse/parse_prs.c:prs_uint32(635)
 00c0 acb_info  : 0080
[2004/10/11 09:06:31, 5] rpc_parse/parse_prs.c:prs_uint32(635)
 00c4 fields_present : 09f827fa
..
[2004/10/11 09:06:31, 5] rpc_server/srv_samr_nt.c:_samr_set_userinfo(2977)
 _samr_set_userinfo: 
sid:S-1-5-21-1418210569-3342691074-3409555407-5024, level:23
[2004/10/11 09:06:31, 5] rpc_server/srv_samr_nt.c:set_user_info_23(2830)
 Attempting administrator password change (level 23) for user testmachine$
[2004/10/11 09:06:31, 5] rpc_server/srv_samr_nt.c:set_user_info_23(2850)
 Changing trust account or non-unix-user password, not updating /etc/passwd
[2004/10/11 09:06:31, 3] passdb/lookup_sid.c:fetch_gid_from_cache(247)
 fetch uid from cache 6000 - S-1-5-21-1418210569-3342691074-3409555407-513
[2004/10/11 09:06:31, 3] groupdb/mapping.c:smb_set_primary_group(1189)
 smb_set_primary_group: Running the command `/usr/sbin/usermod -g 
domusr testmachine$' gave 0
[2004/10/11 09:06:31, 5] passdb/pdb_tdb.c:tdb_update_sam(631)
 Storing account testmachine$ with RID 5024



[Samba] Re: Failed groupmap

2004-10-13 Thread Igor Belyi
Users (S-1-5-32-545) is a local group. Domain users should have Domain 
group from their domain as their primary group. I would recommend to 
change mapping by removing 'Users - users' map and adding 'Domain Users 
- users' one.

The problem can be also caused if you already have 'Domain Users - 
users' and add 'Users - users' since Samba maps gid - SID by finding 
the first SID - gid mapping with the right gid and will fail if 'Users 
- users' is the first map it encounters.

Hope it helps,
Igor
Anton Krosnev wrote:
I have a problem adding users after I set up a groupmap. Before there was no
problem.
net groupmap ntgroup=Users unixgroup=users
Users (S-1-5-32-545) - users
useradd pesho -g users
pdbedit -a pesho
new password:
retype new password:
tdb_update_sam: Failing to store a SAM_ACCOUNT for [pesho] without a primary
group RID
Unable to add user! (does it already exist?)
pesho of course doesn't exist
pdbedit -L | grep pesho
returns nothing.
I'm using two passwd backends:
  passdb backend = tdbsam:/etc/samba/passdb.tdb \
   smbpasswd:/etc/samba/smbpasswd
In this case I'm trying to add pesho to tdbsam,
when I remove it and only smbpasswd was in the smb.conf
I was able to add it successfully.
I'm using samba 3.0.7-2.FC1.
Can somebody tell me what have I done wrong?
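
The lookup described in the reply above can be checked against a group map listing before adding users. This is an added example, not part of the original thread and not Samba's code: the domain SID and the sample listing are constructed, and listing order is assumed to stand in for the order in which Samba encounters the mappings.

```python
import re
from collections import OrderedDict

# Constructed sample in the format printed by `net groupmap list`.
# The domain SID is made up for this example.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = """\
Users (S-1-5-32-545) -> users
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadm
"""

# Accept "->" as well as the bare "-" that mail archives leave behind.
LINE_RE = re.compile(
    r"^(?P<nt>.+?)\s+\((?P<sid>S-1(?:-\d+)+)\)\s+->?\s+(?P<unix>\S+)\s*$"
)


def parse_groupmap(text):
    """Return [(ntgroup, sid, unixgroup), ...] in listing order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("nt"), m.group("sid"), m.group("unix")))
    return entries


def rid_in_domain(sid, domain_sid):
    """RID of `sid` if it sits directly under `domain_sid`, else None."""
    prefix = domain_sid + "-"
    rest = sid[len(prefix):]
    if sid.startswith(prefix) and rest.isdigit():
        return int(rest)
    return None


def primary_group_rid(entries, domain_sid, unixgroup):
    """Model of the behaviour described in the reply: the first mapping for
    the unix group wins, and it only yields a primary group RID when that
    SID belongs to the domain (a builtin SID such as S-1-5-32-545 does not)."""
    for _nt, sid, unix in entries:
        if unix == unixgroup:
            return rid_in_domain(sid, domain_sid)
    return None


def audit(entries, domain_sid):
    """Report unix groups whose first mapping is not a domain group.

    Each finding is (unixgroup, first_ntgroup, first_sid, shadowed), where
    `shadowed` lists domain groups mapped to the same unix group later on.
    """
    by_unix = OrderedDict()
    for nt, sid, unix in entries:
        by_unix.setdefault(unix, []).append((nt, sid))
    findings = []
    for unix, maps in by_unix.items():
        first_nt, first_sid = maps[0]
        if rid_in_domain(first_sid, domain_sid) is None:
            shadowed = [nt for nt, sid in maps[1:]
                        if rid_in_domain(sid, domain_sid) is not None]
            findings.append((unix, first_nt, first_sid, shadowed))
    return findings


if __name__ == "__main__":
    parsed = parse_groupmap(SAMPLE)
    for unix, nt, sid, shadowed in audit(parsed, DOMAIN_SID):
        print("%s: first mapping is %s (%s), not a domain group; shadows %s"
              % (unix, nt, sid, shadowed or "nothing"))
```
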
 




[Samba] Re: Samba and OpenLDAP Problem :((

2004-10-12 Thread Igor Belyi
Can you provide smbd log showing the error message you receive on login 
attempts?
Does your 'pdbedit -L' list machine accounts as well as user ones?
How did you migrate your user database into LDAP (you may have lost your 
password during migration)?
Why do you use samba 2.x schema with Samba 3.0.7? I know it should work, 
but it was designed for those poor souls who had LDAP configured with 
Samba 2.x and now migrate to Samba 3.x.

Igor
Soheil Hassas Yeganeh wrote:
Dear All,
When i configured samba to use openldap for passdb backend, no one
could connect to it, (all workstations timed out.)
But, pdbedit -L  works and prints all the users i've created. So, i
think everything about my ldap is right.
(I've used samba 2.x schema on my openldap, so I used
ldapsam_compat:ldap://localhost/ for passdb backend.)
when i comment the LDAP lines of my smb.conf it works :)) i don't know
what's bad about it.
I'm using Samba 3.0.7 on fedora core 2. and my smb.conf is :
# Global parameters
[global]
	workgroup = CYBERMEHR
	server string = arthus
	username map = /etc/samba/smbusers
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	dns proxy = No
	passdb backend = ldapsam_compat:ldap://localhost/	 
	ldap admin dn = cn=Manager,dc=cybermehr,dc=com
	ldap group suffix = ou=Group
	ldap machine suffix = ou=Hosts
	ldap suffix = dc=cybermehr,dc=com
	ldap ssl = no
	ldap user suffix = ou=People
	ldap filter = ((uid=%u))
[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
Does anyone know what can i do to make it work ?
Best Regards
Soheil


[Samba] Re: Groupmapping doesn't work

2004-10-12 Thread Igor Belyi
What 'getent group domadm' returns you? I suspect that it does not have 
tilo as a member. If you have the same posixGroup defined both in 
/etc/group and in LDAP and want to have definition (and member list) to 
be taken from LDAP instead of local file you need to list 'ldap' before 
'files' in your group description in /etc/nsswitch.conf:
group: ldap files

Hope it helps,
Igor
Tilo Lutz wrote:
Hi
I got a problem with groupmapping. It doesn't work correctly:
Wilma2:/home/root # net groupmap list | grep 512
Domain Admins (S-1-5-21-3371203057-3264423045-2392767973-512) - domadm
ldapsearch -x cn=domadm:
# domadm, groups, wms-hn.de
dn: cn=domadm,ou=groups,dc=my-domain
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: domadm
gidNumber: 65669
memberUid: tilo
sambaSID: S-1-5-21-3371203057-3264423045-2392767973-512
sambaGroupType: 2
displayName: Domain Admins
description: Domain Admins
The problem is tilo doesn't have any administrator rights.
Any idea what's wrong? I use samba 3.0.7
Cheers Tilo


[Samba] Re: Samba 3.0.7 adding machines. Wrong primary group.

2004-10-11 Thread Igor Belyi
Michael Liebl wrote:
A machine account has not to be in a primary Samba group I think. That
would not make any sense to me.
I saw in the log that Samba grep'd the primary Samba group for the
machine$ (Domain Users) and then called set primary group script.
Should I add the Log to the List or directly to you?
 

Feel free to send logs directly to me. I'll do my best looking through 
them and if I'm unsuccessful, I'll post summary of my findings as a 
reply so that anyone with better insight has easier time getting to the 
root of the problem.

Igor


Re: [Samba] Re: Public share

2004-10-10 Thread Igor Belyi
Barbara M. wrote:
Anyone have a working conf (PDC+homes+public in samba 3.0.x)?

Ok, I finally noticed that you don't have "map to guest" in your 
smb.conf which means it gets value "Never". I would recommend to set it 
to "Bad User" and then all nonexisting in domain users will be silently 
mapped to guest.

Hope it will help.
Igor


Re: [Samba] Re: Can join domain; can't logon

2004-10-08 Thread Igor Belyi
Chris St. Pierre wrote:
I did some further investigation, and it appears that in the
conditional on lines 250-254 of rpc_server/srv_netlog_nt.c in
get_md4pw() is where the failure point is.  Namely, the account is not
disabled, and the pass is not null, but none of the trust checks pass.
(acct_ctrl == 16).  I put a quick hack in pdb_get_acct_ctrl() on line
45 of passdb/pdb_get_set.c (return ACB_WSTRUST;) to get past this
immediate problem; it worked, but logins still don't work.  There's
some sort of problem with credentials that I've been trying to work
out.
 

I would recommend to change account to be Workstation account instead of 
hacking the code. :o)

 ldapmodify
dn: uid=guinea-pig$,ou=people,o=nebrwesleyan.edu,o=isp
changetype: modify
replace: sambaAcctFlags
sambaAcctFlags: [W  ]
Just a note: when creating machine account with smbldap-useradd.pl by 
hand use -w option instead of -a - just like the one used in your smb.conf.
Another note: despite what you heard it's quite possible to put machine 
accounts in a separate LDAP directory.

Let me know if you still have problems.
Igor


[Samba] Re: smbfs timestamp problem

2004-10-08 Thread Igor Belyi
smbfs is not the same as Samba, although they use the same net 
protocol. You can try to put files into share with smbclient to see if 
Samba also has the same problem, but if it's smbfs specific you will 
need to go to the correct maintainer. You can also try to mount share 
with CIFS - they say it provides much better results than smbfs.

Igor
Nigel Roberts wrote:
Here's a curly one.
I have a share mounted via smbfs on my linux desktop. This share is on
a NetApp filer somewhere, but I've also tried this on an old linux
server as well, and I have the same problem. 

Basically, since day light savings came into effect here (NZDT or
+13), any file I create on the share gets a time creation timestamp
that is way out (approximately 12 hours and 48 minutes behind). This
really confuses applications that rely on these times for normal
operation, such as emacs.
If I create a file on the local file system, it gets the correct date.
Here's an example:
first local:
$ date && touch new && ls -l new
Tue Oct  5 17:18:41 NZDT 2004
-rw-r--r--  1 nigelr nigelr 0 2004-10-05 17:18 new
$
and then the remote samba share:
$ date && touch new && ls -l new
Tue Oct  5 17:17:22 NZDT 2004
-rwxr--r--  1 nigelr nigelr 0 2004-10-05 04:30 new
$
The date on both the servers are correct as they are using the same
ntp time source as my desktop. If I create a file using windows to
access the share, it gets the correct date (and it reads as the
correct date using linux as well).
I'm using version 3.0.7 of the samba tools and I have a linux 2.6.8.1
kernel.
Anyone seen anything like this before? Any suggestions?
Regards,
Nigel


[Samba] Re: NT 4 Client, Samba user w/no password

2004-10-08 Thread Igor Belyi
M Middleton wrote:
I've got several users I created with a blank password (only temporary
until I can get the system fully operational, long story behind that),
but for some reason when I try to access a share that a user with no
password is authorized for, NT 4 won't let me in to the share.
Any and all assistance is greatly appreciated!
You need to verify that Account Policy for your NT4 domain in Minimum 
Password Length properties has Permit Blank Passwords checked.

Igor


[Samba] Re: Trust between two samba

2004-10-08 Thread Igor Belyi
security = DOMAIN means that server is a member of a domain and not a 
PDC. To set servera as a PDC you will need to use security = USER 
(which is the default). Please, read Samba-HOWTO.

Igor
opk Bronislav wrote:
Hi,
it is my project in the school, I need to create this trust between two domains.
My smb.conf files are as follows:
In servera:
[global]
   workgroup = DOMAINA
   netbios name = SERVERA
   security = DOMAIN
   encrypt passwords = yes
   local master = yes
   domain logons = yes
   os level = 33
   domain master = yes
   preferred master = yes
   dns proxy = no
   log level = 3 
   allow trusted domains = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
serverb
[global]
   workgroup = DOMAINB
   netbios name = SERVERB
   security = DOMAIN
   encrypt passwords = yes
   local master = yes
   domain logons = yes
   os level = 33
   domain master = yes
   preferred master = yes
   dns proxy = no
   log level = 3 
   allow trusted domains = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
IPaddresses are:
servera 192.168.100.10
serverb 192.168.100.11
If someone can help me, I will be very happy.
Thank you.

Best regards
Quoting e-mail from rruegner [EMAIL PROTECTED]:

opk Bronislav wrote:
I have a problem with Samba:
I want to make trust between two Samba domains. I have set up the trust on
the DOMAINB server, then on the Samba DOMAINA server: net rpc trustdom
establish DOMAINB. I then get the following:
Password: [entered password]
Could not connect to server SERVERB [this is the PDC for the DOMAINB domain]
Trust to domain DOMAINB established
When I then try to log on to the DOMAINB domain from XP computers in the
DOMAINA domain, I always get a fail with bad password.
Please can someone help me.
Sopik Brona
hi,
this normally is a network problem for establish the trust
a good connection and wins browsing must work
but there may be also some other issues which bug your trust, what are 
the log talking of?
Regards





[Samba] Re: Users can delete a file they don't have permition in the public share

2004-10-08 Thread Igor Belyi
To prevent deletion you should remove write access on the directory 
containing the file: chmod a-w /home/samba/public

Igor
Bruno Gimenes Pereti wrote:
Hi!
I'll try to explain all the situation to help you understand the 
problem. I have a Samba 3.0.4 + LDAP + ACL PDC and I use poledit to 
define the background image of the users to \\PDC\public\background.bmp, 
this file:

-rw-r--r--  1 Administrator root   787510 09-23 17:34 background.bmp
Yes, the acl is not used in this file. This is the public share in 
smb.conf:

[public]
  comment = Compartilhamento Público
  path = /home/samba/public
#   public = yes
#   guest ok = yes
  writable = yes
  create mask = 0666
  directory mask = 777
  printable = no
  invalid users = prova
Yesterday one of the users (students) deleted this file and I thought 
they shouldn't have permission to do this because they don't have write 
permission in the file.

I tried everything I know about permissions (that's not much) and 
couldn't find a solution. What can I do to prevent the students from 
deleting this file?

Thanks,
Bruno Pereti.
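
The rule behind the reply above, as an added example that is not part of the original posts: on a POSIX file system removing a file is a write to its directory, so the file's own mode does not protect it. The helper names and the temporary "public" directory are constructed for this sketch, which reads mode bits only (POSIX ACLs and root are ignored) and goes one step beyond the reply by also handling the sticky bit.

```python
import os
import stat
import tempfile


def dir_write_classes(dir_mode):
    """Classes that may create or remove names in a directory (need w and x)."""
    classes = set()
    for name, w_bit, x_bit in (("owner", stat.S_IWUSR, stat.S_IXUSR),
                               ("group", stat.S_IWGRP, stat.S_IXGRP),
                               ("other", stat.S_IWOTH, stat.S_IXOTH)):
        if dir_mode & w_bit and dir_mode & x_bit:
            classes.add(name)
    return classes


def deletion_exposure(path):
    """Report whether a user owning neither the file nor its directory can unlink it."""
    st_file = os.lstat(path)
    st_dir = os.stat(os.path.dirname(os.path.abspath(path)))
    classes = dir_write_classes(st_dir.st_mode)
    sticky = bool(st_dir.st_mode & stat.S_ISVTX)
    return {
        "file_mode": oct(stat.S_IMODE(st_file.st_mode)),
        "dir_mode": oct(stat.S_IMODE(st_dir.st_mode)),
        "sticky": sticky,
        # With the sticky bit set, only the file owner or the directory
        # owner may remove the name, whatever the group/other bits say.
        "non_owner_can_delete": bool(classes & {"group", "other"}) and not sticky,
    }


def demo():
    """Check one read-only file under three directory modes."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        share = os.path.join(top, "public")      # constructed stand-in for the share
        os.mkdir(share)
        target = os.path.join(share, "background.bmp")
        with open(target, "wb"):
            pass
        os.chmod(target, 0o644)                  # -rw-r--r-- as in the listing
        try:
            for label, mode in (("world-writable", 0o777),
                                ("after chmod a-w", 0o555),
                                ("sticky", 0o1777)):
                os.chmod(share, mode)
                results[label] = deletion_exposure(target)["non_owner_can_delete"]
        finally:
            os.chmod(share, 0o700)               # let cleanup remove the tree
    return results


if __name__ == "__main__":
    for label, exposed in demo().items():
        print(f"{label:16} non-owner can delete: {exposed}")
```

chmod a-w also stops users from creating anything directly in that directory, while the sticky bit keeps it writable and restricts removal to the owners.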


[Samba] Re: Can't join domain

2004-10-07 Thread Igor Belyi
TRAPPE wrote:
When I do on my PDC server:
net rpc join Administrator
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain BIC.
Did you mean to issue: net rpc join -U Administrator? And I would 
recommend to look in the Samba log files to have better understanding of 
the problem.

Igor


[Samba] Re: winbind with ldap backend permissions

2004-10-06 Thread Igor Belyi
Thorsten Scherf wrote:
hi,
I set up a winbindd with a ldap backend, here is the relevant part of my
smb.conf:
idmap backend = ldap:ldap://mail.rhel.homelinux.com
ldap admin dn = cn=winbind,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap idmap suffix = ou=idmap
On the ldap server I set up the ou=idmap and also permissions for
cn=winbind to write into the ou=idmap:
access to dn=(.),ou=idmap,dc=example,dc=com
by dn=cn=winbind,dc=example,dc=com
by * read
Did you try to change your 'what' part of the access to:
dn.subtree=ou=idmap,dc=example,dc=com
Igor
when trying a getent passwd on the client I get the following error
messages on the ldap-server:
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=22 SEARCH RESULT tag=101
err=0 text=
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=23 MOD
dn=cn=IdPool,ou=Idmap,dc=example,dc=com
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=23 RESULT tag=103 err=0
text=
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=24 ADD
dn=SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=24 RESULT tag=105 err=50
text=no write access to parent
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=25 SRCH
base=ou=idmap,dc=example,dc=com scope=2
filter=(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-32-547))
so, seems that winbind have no write access on the PARENT! if I give him
write access on dc=example,dc=com everything works just fine and the
sid/uid/gid-mapping works wonderful. but why is winbind needing access
on the parent and not just on the ou-container where the id-mapping
happens, ou=idmap?
can anybody explain that to me?!
thanks and greetings,
thorsten
  



Re: [Samba] Re: winbind with ldap backend permissions

2004-10-06 Thread Igor Belyi
Thorsten Scherf wrote:
On Wed, 06.10.2004 Igor Belyi wrote:
 

Thorsten Scherf wrote:
   

hi,
I set up a winbindd with a ldap backend, here is the relevant part of my
smb.conf:
idmap backend = ldap:ldap://mail.rhel.homelinux.com
ldap admin dn = cn=winbind,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap idmap suffix = ou=idmap
On the ldap server I set up the ou=idmap and also permissions for
cn=winbind to write into the ou=idmap:
access to dn=(.),ou=idmap,dc=example,dc=com
   by dn=cn=winbind,dc=example,dc=com
   by * read
 

Did you try to change your 'what' part of the access to:
dn.subtree=ou=idmap,dc=example,dc=com
   

this works fine. 

but what is the difference to dn=(.*),ou=idmap,dc=example,dc=com?
with my understanding of the ldap-access rules it should just be a performance issue, shouldn't it?!
 

I think the difference is that you forgot to add '.regexp' to your 
access statement. It should have been:
dn.regexp=(.*),ou=idmap,dc=example,dc=com
otherwise it was matching dn as it is without applying regular 
expression rules.

Hope it helps,
Igor


[Samba] Re: winbind with ldap backend permissions

2004-10-06 Thread Igor Belyi
Igor Belyi wrote:
Thorsten Scherf wrote:
this works fine.
but what is the difference to dn=(.*),ou=idmap,dc=example,dc=com?
with my understanding of the ldap-access rules it should just be a 
performance issue, shouldn't it?!
 

I think the difference is that you forgot to add '.regexp' to your 
access statement. It should have been:
dn.regexp=(.*),ou=idmap,dc=example,dc=com
otherwise it was matching dn as it is without applying regular 
expression rules.
Hm.. On the second reading of slapd.access it looks like regex is a 
default dnstyle... I'll try to experiment and see if I can come up with 
the answer to the 'difference' question.

Igor


Re: [Samba] Re: winbind with ldap backend permissions

2004-10-06 Thread Igor Belyi
Thorsten Scherf wrote:
On Wed, 06.10.2004 Igor Belyi wrote:
 

I think the difference is that you forgot to add '.regexp' to your 
access statement. It should have been:
dn.regexp=(.*),ou=idmap,dc=example,dc=com
otherwise it was matching dn as it is without applying regular 
expression rules.
   

I think I got it! :o)
To add entries you need to have access to the root entry where children 
are created and that's what subtree does.
In your example you have an extra comma which causes you the headache. 
Try to change it to the following:

dn=(.*)ou=idmap,dc=example,dc=com
Hope it helps,
Igor
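
The conclusion of this thread, as an added example that is not part of the original posts: a simplified model of how the "what" clause of an OpenLDAP access rule selects entries, showing why the ADD in the slapd log failed with "no write access to parent" until the rule also covered ou=idmap itself. Assumptions: the function names are hypothetical, lower-casing stands in for slapd's DN normalization, the original rule is treated as a regex as the thread concludes, and winbind's level is "write" as the stated intent of the rule.

```python
import re

LEVELS = {"none": 0, "read": 1, "write": 2}


def norm(dn):
    # Assumption: lower-casing and trimming stand in for DN normalization.
    return ",".join(part.strip() for part in dn.lower().split(","))


def parent(dn):
    # Assumption: no escaped commas inside RDN values.
    return norm(dn).partition(",")[2]


def what_matches(style, pattern, dn):
    """Does 'access to dn.<style>=<pattern>' select the entry dn?"""
    dn = norm(dn)
    if style == "regex":
        # Unanchored search: the pattern may match anywhere in the DN
        # unless it carries ^ and $.
        return re.search(pattern, dn, re.IGNORECASE) is not None
    base = norm(pattern)
    if style == "base":
        return dn == base
    if style == "one":
        return parent(dn) == base
    if style == "children":
        return dn.endswith("," + base)
    if style == "subtree":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown dn style: " + style)


def access(rules, who, dn):
    """The first rule whose <what> selects dn decides; first matching <by> wins."""
    for style, pattern, by_clauses in rules:
        if what_matches(style, pattern, dn):
            for by_who, level in by_clauses:
                if by_who == "*" or norm(by_who) == norm(who):
                    return LEVELS[level]
            return LEVELS["none"]
    return LEVELS["none"]          # implicit final "access to * by * none"


def add_allowed(rules, who, new_dn):
    """An add needs write on the new entry and on its parent entry."""
    need = LEVELS["write"]
    return (access(rules, who, new_dn) >= need
            and access(rules, who, parent(new_dn)) >= need)


WINBIND = "cn=winbind,dc=example,dc=com"
IDMAP = "ou=idmap,dc=example,dc=com"
NEW_ENTRY = "sambaSID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"   # DN from the slapd log


def rule(style, pattern):
    # 'write' for winbind is assumed from the stated intent of the rule.
    return [(style, pattern, [(WINBIND, "write"), ("*", "read")])]


ORIGINAL = rule("regex", "(.*),ou=idmap,dc=example,dc=com")      # extra comma
SUBTREE = rule("subtree", IDMAP)
NO_COMMA = rule("regex", "(.*)ou=idmap,dc=example,dc=com")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("subtree", SUBTREE),
                        ("no comma", NO_COMMA)):
        print(f"{name:9} parent covered: {access(rules, WINBIND, IDMAP) == 2}"
              f"  add allowed: {add_allowed(rules, WINBIND, NEW_ENTRY)}")
```

The comma-less regex also selects any DN that merely ends in that text (for example a constructed cn=backup-ou=idmap,dc=example,dc=com), so the dn.subtree form is the tighter way to grant winbind write access to ou=idmap without opening dc=example,dc=com.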


[Samba] Re: Can join domain; can't logon

2004-10-05 Thread Igor Belyi
Chris St. Pierre wrote:
I had a problem similar to my current one a week or so ago, and I was
encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did.  Now
that I've completed that nightmare, the problem I initially set out to
fix is still there, just different.  Namely:
I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
whose only job will be authentication.  Our LDAP server is on a
separate box.  I can join the domain just fine, but when I try to
login via Windows, I get the following error:
The system cannot log you on to this domain because the system's
computer account in its primary domain is missing or the password on
that account is incorrect.
I suspected that neither of these were the case, as I created the
account with idealx's smbldap-tools.  I verified that the account is
there with ldapsearch.  Last time I had this problem, Samba wasn't
even communicating with LDAP, but this time it is.  When I try to
login, here's what the LDAP logs show:
smbldap-tools create posixAccounts in case you use NSS LDAP support. You 
should verify that it's there with 'getent passwd GUINEA-PIG$'. If not - 
you probably use passwd or shadow in which case you need to use adduser 
to do the job.

Besides posixAccount you should also have Samba account as well. You 
should look at what the responses to the LDAP requests were by looking at the 
SEARCH RESULT lines with the same 'conn=' and 'op='. I would guess that 
response was 'nentries=0' And it has nothing to do with some optional 
attributes being empty - just with the fact that there's no such entry 
with 'objectClass=sambaSamAccount'.

It can also be a problem of nscd if you have one. Your LDAP requests are 
at 10:03 and your nmbd log extract is for 11:14 which means LDAP 
requests were done long before Samba requests unless there's a timezone 
issue between the machines or that their clocks are really screwed up.

I would also recommend to post smbd log instead of nmbd since it's smbd 
which interacts with LDAP.

Igor
[05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
base=o=nebrwesleyan.edu,o=isp scope=2
filter=(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount)) attrs=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
sambabadpasswordtime sambapasswordhistory modifyTimestamp
sambalogonhours modifyTimestamp
[05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH
base=o=nebrwesleyan.edu,o=isp scope=2
filter=(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount)) attrs=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
sambabadpasswordtime sambapasswordhistory modifyTimestamp
sambalogonhours modifyTimestamp
It searches twice for the machine trust account, which I've verified
exists.  The only thing I can think of is that not all of the
attributes it's asking for exist.  (In fact, a lot of them don't.)  As
you can see in the attached nmbd log, though, Samba doesn't show any
obvious errors.  I've also included my smb.conf (with some changes to
protect my server's innocence).  Any ideas are greatly appreciated.
Thanks.
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
402.465.7549

[global]
server string = test
workgroup = NWU_TEST
netbios name = TESTERATOR
log level = 1
encrypt passwords = yes
max smbd processes = 0
socket options = TCP_NODELAY
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U   
domain logons = yes
local master = yes
preferred master = yes
wins server = 10.9.1.12
security = user
passdb backend = ldapsam:ldap://server.nebrwesleyan.edu
ldap suffix = o=nebrwesleyan,o=edu
ldap machine suffix = ou=Machines
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap filter = (uid=%u)
ldap admin dn = cn=foo
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
[netlogon]
comment = Network Logon Service 
path = /var/lib/samba/netlogon  
guest ok = yes  
locking = No
[profiles]  
comment = Profile Share 
path = /var/lib/samba/profiles  
read only = No  
[tmp]
comment = temporary files
path = /tmp
read only = yes

[2004/10/05 11:14:43, 5] nmbd/nmbd_packets.c:process_dgram(1194)
  process_dgram: ignoring dgram packet 

Re: [Samba] Re: Can join domain; can't logon

2004-10-05 Thread Igor Belyi
Chris St. Pierre wrote:
However!  Here's the smbd log:
[2004/10/05 16:24:17, 1] lib/smbldap.c:add_new_domain_info(1289)
 failed to add domain dn= sambaDomainName=NWU_TEST,o=nebrwesleyan.edu,o=isp with: 
Object class violation

[2004/10/05 16:24:17, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
 Adding domain info for NWU_TEST failed with NT_STATUS_UNSUCCESSFUL
[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
 get_md4pw: Workstation GUINEA-PIG$: no account in domain
[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
 get_md4pw: Workstation GUINEA-PIG$: no account in domain
Which alerts me to the fact that it's the creation of the domain in
LDAP that's causing problems.  I properly installed the 3.0.7 schema
-- as is evidenced by other things working -- but this is giving me an
object class violation.  I cranked the log level up to 10, but it
didn't give me much more information that was readily useful to me;
the full 157K log is available, though, if you want it.
Any ideas?  Or, if anyone has a typical LDAP domain entry I can look
at, I can add it by hand and get more info from it.
 

Hopefully you already found that it's something obvious in your setup, 
but just in case...

Here's the relevant part of the samba.schema:
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
    DESC 'Samba Domain Information'
    MUST ( sambaDomainName $
           sambaSID )
    MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
          sambaAlgorithmicRidBase ) )
Here's what I have for this entry:
# TESTPDC, mydomain.org
dn: sambaDomainName=TESTPDC,dc=mydomain,dc=org
sambaDomainName: TESTPDC
sambaSID: S-1-5-21-2972487546-3827399895-3041126189
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
You can also look in LDAP log to see if all MUST attributes are sent in 
ldap_add_s call for the domain entry.

Hope it helps,
Igor


[Samba] Re: Samba + OpenLdap replication problem

2004-10-04 Thread Igor Belyi
Mattia wrote:
[EMAIL PROTECTED] root]# slapadd -l Master.ldif -f /etc/openldap/slapd.conf
slapadd: bad configuration file!
Try adding -d 15 to your slapadd command for more verbose explanation 
of the error.

Igor


[Samba] Re: can't join a domain

2004-10-02 Thread Igor Belyi
John H Terpstra wrote:
On Friday 01 October 2004 02:13, Thorsten Scherf wrote:
when trying to put a samba3 server into a domain (samba3 pdc) I always
get the following error messages:
[EMAIL PROTECTED] samba]# net join -d 2 -U smbadmin RHEL -S
server1.example.com

smbadmin must have uid 0.
..or be listed as one of admin users in smb.conf
Igor


[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?

2004-09-30 Thread Igor Belyi
Jim C. wrote:
access to dn.subtree=dc=j9starr,dc=net
by group/posixGroup/memberUid=cn=Domain 
Controllers,ou=Group,dc=j9starr,dc=net
by * read

I pulled that info from faq-o-matic just a minute ago. No dice.  See below.
access to dn.subtree=dc=j9starr,dc=net
by group/posixGroup/memberUid=cn=Domain 
Controllers,ou=Group,dc=j9starr,dc=net
by * read

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
modulepath  /usr/lib/openldap
slapd.conf 154L, 5397C written
[EMAIL PROTECTED] 0 openldap]$ slapd -t
/etc/openldap/slapd.conf: line 47: group cn=Domain 
Controllers,ou=Group,dc=j9starr,dc=net: inappropriate syntax: 
1.3.6.1.4.1.1466.115.121.1.26
My bad - I forgot to add 'write':
access to dn.subtree=dc=j9starr,dc=net
	by group/posixGroup/memberUid=cn=Domain 
Controllers,ou=Group,dc=j9starr,dc=net write
	by * read

Igor

