Re: [Samba] [Resolved] Reestablishing trust with PDC
I will give this a shot. Thanks.

On 1/11/2011 7:00 PM, Taso Hatzi wrote:

On Wed, Jan 12, 2011 at 6:24 AM, iordo...@berkeley.edu wrote:

I also tried this to no avail: Disabled the machine password change on all win7 clients by setting

    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    DisablePasswordChange = dword:1

If Win 7 is ignoring that setting, it might honor the one which sets the password change period. MaximumPasswordAge determines when the computer password needs to be changed.

    Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
    Value = MaximumPasswordAge REG_DWORD
    Default = 30
    Range = 1 to 1,000,000 (in days)

Group policy setting:

    Computer Configuration\windows Settings\Security settings\Local Policies\Security Options
    Domain member: Maximum machine account Password age

To clear things up, it is 7 days on Windows NT by default, and 30 days on Windows 2000 and up. The trust password follows the same setting. So Trust between two NT 4 domains is 7 days. Trusts between Windows 2000 and up and anything else is 30 days. So what this means is if 2000 and NT4 trust password is 30 days. 2000 to 2000 is 30 days. 2000 to 2003 is 30 days. 2003 to 2003 is 30 days.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] SOLVED: Samba as fileserver on Active Directory domain
We got our Samba joined our Active Directory domain as a fileserver. We emerge the latest Samba version on 3.4.2. Instead of using the group name on Active Directory as the owner and group of a directory or file we are sharing, I used GID and UID instead.

    hostname ~ # chown 1:200 /share/test

Also, below is a portion of my smb.conf.

    [test]
    comment = test
    path = /share/test
    public = yes
    browseable = yes
    writable = yes
    users = MYDOMAIN+mygroup

Thanks,
-Ivan

Ivan Ordonez wrote:

I was able to set ACL with local username but can't do it on domain username or groups.

    hostname ~ # getfacl /shared/drive
    getfacl: Removing leading '/' from absolute path names
    # file: shared/drive
    # owner: mylocalusername
    # group: root
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:group::rwx
    default:other::r-x

When I tried to set ACLs for domain account or groups, it was invalid option.

    hostname ~ #setfacl -m g:DOMAIN+Domain Admins:rwx /shared/drive
    setfacl: Option -m: Invalid argument near character 3
    hostname ~ #setfacl -m g:DOMAIN+myusername:rwx /shared/drive
    setfacl: Option -m: Invalid argument near character 3

I believe the drive is mounted and ACL is enabled.

    hostname ~ # mount
    /dev/hda3 on / type ext3 (rw,noatime,acl)

Here is my /etc/fstab

    /dev/hda3    /    ext3    noatime,acl    0 1

What I find odd is running wbinfo and getent command to be very inconsistent. I would sometimes get result and sometimes not.

    hostname ~ # wbinfo -u
    Error looking up domain users

Any other suggestions? Thanks.

Robert LeBlanc wrote:

Sorry, my bad, 3.3.8 was the security release. It sounds like it is working however. As far as ACLs, make sure that ACLs are turned on on your file system (mount -o acl for most filesystems) and then make sure you have the ACL packages for your distro installed (Debian apt-get install acl). Then it's a matter of using the setfacl command like

    setfacl -m d:u:ad-user:rwx,u:ad-user:rwx,d:g:ad-group:rx,g:ad-group:rx /my/shared/dir

You can add as many ACLs as you want, remember that the linux default rwx perms sets the max for ACL users and groups. If the linux user (owner) ACL is rx, then even though an ACL specifies another user with rwx, they will only have rx. The second thing to remember is that the default ACL is not needed, but if specified will set those ACLs on all new files and directories and act much like Windows. If you set the permissions using Windows, the default ACL will be set. Thirdly, only Linux user and group have the file counted against their quota, permissions assigned in ACLs do not affect those user and groups quotas. Fourthly, some applications are not ACL aware, Apache for instance does not look at ACLs on Linux. To check your set ACLs, use getfacl /this/is/my/file.

Hope that helps.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez iordo...@berkeley.edu wrote:

I was able to install 3.3.8 version of Samba. I am running it now. I can see shares, but could not write at all. ACL seems simple but I can't get it to work. Any help or advice would be greatly appreciated.

Robert LeBlanc wrote:

The changes have not made it into a 3.3.x release yet, 3.3.7 was a security release, ideally 3.3.8 should have the fix. There were quite a number of configuration changes from 3.0.x to 3.3.x in regards to Active Directory, you may not be able to use your old config without updating some things.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some realm complaints when I run testparm and some ADS related error. The 3.3.7 version is masked by Gentoo portage and not sure if it will be available soon.

Thanks,
-Ivan

Robert LeBlanc wrote:

What version of samba are you using? I submitted a patch to Samba that is in 3.4.1 and slated for the next version of 3.3.x that fixes the workgroup/realm thing. It falls back to SPNEGO without the patch, but it takes a little while, the patch speeds things up.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson jpeters...@garnser.se wrote:

How did you solve the kerberos portion of things, when winbind tries to connect to my server the kerberos sessions fails as it tries to connect with the workgroup instead of the realm
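
Added example, not part of the original messages or of Samba: one way to grant a winbind group access with setfacl is to resolve the group through NSS first and pass its numeric GID, which avoids both the unquoted space in a name like "Domain Admins" and name parsing inside the ACL spec. The function names are hypothetical, and the `MYDOMAIN+` prefix in the usage comment assumes the `+` winbind separator shown in the smb.conf above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Grants an AD (winbind) group access through POSIX ACLs by numeric GID.

# resolve_gid NAME: print the numeric GID that NSS (and so winbind) returns
# for NAME; fail if the lookup returns nothing usable.
resolve_gid() {
    entry=$(getent group "$1") || return 1
    # group database line: name:passwd:gid:members
    gid=$(printf '%s\n' "$entry" | awk -F: 'NR == 1 { print $3 }')
    case "$gid" in
        '' | *[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$gid"
}

# valid_perms PERMS: accept only the three-character form (rwx, r-x, r--).
# Assumption of this example: setfacl itself also accepts shorter forms.
valid_perms() {
    case "$1" in
        [r-][w-][x-]) return 0 ;;
        *) return 1 ;;
    esac
}

# build_acl_spec GROUP PERMS: print an access entry plus a default entry,
# e.g. "g:10513:rwx,d:g:10513:rwx". The default entry is what new files
# and directories inherit.
build_acl_spec() {
    valid_perms "$2" || {
        echo "bad permission string: $2" >&2
        return 2
    }
    gid=$(resolve_gid "$1") || {
        # Same symptom as "Error looking up domain users": fix winbind first.
        echo "cannot resolve group '$1' via NSS (check: wbinfo -g, getent group)" >&2
        return 1
    }
    printf 'g:%s:%s,d:g:%s:%s\n' "$gid" "$2" "$gid" "$2"
}

# grant_group_acl GROUP PERMS DIR: apply the entries, then show the result.
# setfacl -m recalculates the ACL mask unless -n is given, so the new group
# entry is not silently capped by an older, narrower mask.
grant_group_acl() {
    spec=$(build_acl_spec "$1" "$2") || return $?
    [ -d "$3" ] || {
        echo "not a directory: $3" >&2
        return 3
    }
    setfacl -m "$spec" -- "$3" && getfacl -- "$3"
}

# Usage (the group name is quoted so the space survives the shell):
#   ./grant-acl.sh 'MYDOMAIN+Domain Admins' rwx /shared/drive
if [ "$#" -eq 3 ]; then
    grant_group_acl "$1" "$2" "$3"
fi
```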
Re: [Samba] Samba as fileserver on Active Directory domain
I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some realm complaints when I run testparm and some ADS related error. The 3.3.7 version is masked by Gentoo portage and not sure if it will be available soon.

Thanks,
-Ivan

Robert LeBlanc wrote:

What version of samba are you using? I submitted a patch to Samba that is in 3.4.1 and slated for the next version of 3.3.x that fixes the workgroup/realm thing. It falls back to SPNEGO without the patch, but it takes a little while, the patch speeds things up.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson jpeters...@garnser.se wrote:

How did you solve the kerberos portion of things, when winbind tries to connect to my server the kerberos sessions fails as it tries to connect with the workgroup instead of the realm.

Thanks
/Jonathan

On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Jonathan Petersson wrote:

Hi Ivan,

I'm working on a similar thing but is having some issues with the kerberos sessions between samba and AD. Is your Samba server a member of a Win2k8R2 or a Win2k3 domain?

Thanks
/Jonathan

On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Robert LeBlanc wrote:

What are the permissions on /shared/drive? We use ACLs to control access rather than smb.conf. This gives us great flexibility and you can kind of manage it using a Windows machine. If you have Kerberos keytab generated, you can smbmount on Linux using the -o sec=krb5 and no passwords are needed, it also obeys ACL. The only catch is that you need to use RID or LDAP for uid/gid mapping or else your permissions won't line up.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Hello,

We have a Gentoo box running Samba and is a member of the Active Directory domain. This Gentoo box will be a fileserver when everything is completed and setup as it should. I want our users to login to their computer (Computers are all members of the same Active Directory domain) using Active Directory accounts/domain for authentication. I am using Winbind for Active Directory authentication/integration. I'm almost done except file permission issue. All is working smoothly (i.e. wbinfo, smbclient, getent, etc.). I can access/map the shared drive on the Gentoo box from any Windows computer, login to a machine without a problem using Active Directory accounts. The Active Directory authentication with Winbind is working as it should. For some odd reason, I can't figure out how to give permissions to all users the ability to make changes/add new folders on the shared drive. I am getting access denied even when the users or group are valid users of the shared drive per smb.conf. Below is my smb.conf shared configuration:

    [shared]
    comment = shared
    path = /shared/drive
    read only = no
    inherit permissions = yes
    create mask = 755
    directory mask = 755
    valid users = @MYDOMAIN+mygroup
    browseable = yes
    writable = yes

Any help would be greatly appreciated.

-Ivan

Hi,

The files and folders on the shared drive are owned by local Linux account. The permissions are read, write and execute by the owner, read and write by group and all. I was hoping that smb.conf will control the shared drive access but having a hard time doing so. I would like to use ACL if that is the best way to make it work. Would you mind giving me few pointers or point me to the right direction to get started on ACL? I am no LDAP expert but I think I can get by if I have to use it.

Thanks!
-Ivan

Hi Jonathan,

Our Samba server is a member of Win2k8R2 domain.

Thanks,
-Ivan
Re: [Samba] Samba as fileserver on Active Directory domain
I was able to install 3.3.8 version of Samba. I am running it now. I can see shares, but could not write at all. ACL seems simple but I can't get it to work. Any help or advice would be greatly appreciated.

Robert LeBlanc wrote:

The changes have not made it into a 3.3.x release yet, 3.3.7 was a security release, ideally 3.3.8 should have the fix. There were quite a number of configuration changes from 3.0.x to 3.3.x in regards to Active Directory, you may not be able to use your old config without updating some things.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some realm complaints when I run testparm and some ADS related error. The 3.3.7 version is masked by Gentoo portage and not sure if it will be available soon.

Thanks,
-Ivan

Robert LeBlanc wrote:

What version of samba are you using? I submitted a patch to Samba that is in 3.4.1 and slated for the next version of 3.3.x that fixes the workgroup/realm thing. It falls back to SPNEGO without the patch, but it takes a little while, the patch speeds things up.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson jpeters...@garnser.se wrote:

How did you solve the kerberos portion of things, when winbind tries to connect to my server the kerberos sessions fails as it tries to connect with the workgroup instead of the realm.

Thanks
/Jonathan

On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Jonathan Petersson wrote:

Hi Ivan,

I'm working on a similar thing but is having some issues with the kerberos sessions between samba and AD. Is your Samba server a member of a Win2k8R2 or a Win2k3 domain?

Thanks
/Jonathan

On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Robert LeBlanc wrote:

What are the permissions on /shared/drive? We use ACLs to control access rather than smb.conf. This gives us great flexibility and you can kind of manage it using a Windows machine. If you have Kerberos keytab generated, you can smbmount on Linux using the -o sec=krb5 and no passwords are needed, it also obeys ACL. The only catch is that you need to use RID or LDAP for uid/gid mapping or else your permissions won't line up.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Hello,

We have a Gentoo box running Samba and is a member of the Active Directory domain. This Gentoo box will be a fileserver when everything is completed and setup as it should. I want our users to login to their computer (Computers are all members of the same Active Directory domain) using Active Directory accounts/domain for authentication. I am using Winbind for Active Directory authentication/integration. I'm almost done except file permission issue. All is working smoothly (i.e. wbinfo, smbclient, getent, etc.). I can access/map the shared drive on the Gentoo box from any Windows computer, login to a machine without a problem using Active Directory accounts. The Active Directory authentication with Winbind is working as it should. For some odd reason, I can't figure out how to give permissions to all users the ability to make changes/add new folders on the shared drive. I am getting access denied even when the users or group are valid users of the shared drive per smb.conf. Below is my smb.conf shared configuration:

    [shared]
    comment = shared
    path = /shared/drive
    read only = no
    inherit permissions = yes
    create mask = 755
[Samba] Active Directory and Samba as fileserver
Hello,

We have a Gentoo box running Samba and is a member of the Active Directory domain. This Gentoo box is going to be a fileserver. I want our users to login to their computer using Active Directory for authentication. The computers are all members of the Active Directory domain. I setup Samba to use Winbind. All is working smoothly (i.e. wbinfo, smbclient, getent, etc.). I can also access the shared drive and login to a machine without a problem using Active Directory accounts. The authentication is working as it should. For some odd reason, I can't figure out how to give permissions to all users the ability to make changes/add new folders on the shared drive. I am getting access denied even when the users or group are valid users of the shared drive per smb.conf.

Any help would be greatly appreciated.

-Ivan
[Samba] Samba as fileserver on Active Directory domain
Hello,

We have a Gentoo box running Samba and is a member of the Active Directory domain. This Gentoo box will be a fileserver when everything is completed and setup as it should. I want our users to login to their computer (Computers are all members of the same Active Directory domain) using Active Directory accounts/domain for authentication. I am using Winbind for Active Directory authentication/integration. I'm almost done except file permission issue. All is working smoothly (i.e. wbinfo, smbclient, getent, etc.). I can access/map the shared drive on the Gentoo box from any Windows computer, login to a machine without a problem using Active Directory accounts. The Active Directory authentication with Winbind is working as it should. For some odd reason, I can't figure out how to give permissions to all users the ability to make changes/add new folders on the shared drive. I am getting access denied even when the users or group are valid users of the shared drive per smb.conf. Below is my smb.conf shared configuration:

    [shared]
    comment = shared
    path = /shared/drive
    read only = no
    inherit permissions = yes
    create mask = 755
    directory mask = 755
    valid users = @MYDOMAIN+mygroup
    browseable = yes
    writable = yes

Any help would be greatly appreciated.

-Ivan
Re: [Samba] Samba as fileserver on Active Directory domain
I was able to set ACL with local username but can't do it on domain username or groups.

    hostname ~ # getfacl /shared/drive
    getfacl: Removing leading '/' from absolute path names
    # file: shared/drive
    # owner: mylocalusername
    # group: root
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:group::rwx
    default:other::r-x

When I tried to set ACLs for domain account or groups, it was invalid option.

    hostname ~ #setfacl -m g:DOMAIN+Domain Admins:rwx /shared/drive
    setfacl: Option -m: Invalid argument near character 3
    hostname ~ #setfacl -m g:DOMAIN+myusername:rwx /shared/drive
    setfacl: Option -m: Invalid argument near character 3

I believe the drive is mounted and ACL is enabled.

    hostname ~ # mount
    /dev/hda3 on / type ext3 (rw,noatime,acl)

Here is my /etc/fstab

    /dev/hda3    /    ext3    noatime,acl    0 1

What I find odd is running wbinfo and getent command to be very inconsistent. I would sometimes get result and sometimes not.

    hostname ~ # wbinfo -u
    Error looking up domain users

Any other suggestions? Thanks.

Robert LeBlanc wrote:

Sorry, my bad, 3.3.8 was the security release. It sounds like it is working however. As far as ACLs, make sure that ACLs are turned on on your file system (mount -o acl for most filesystems) and then make sure you have the ACL packages for your distro installed (Debian apt-get install acl). Then it's a matter of using the setfacl command like

    setfacl -m d:u:ad-user:rwx,u:ad-user:rwx,d:g:ad-group:rx,g:ad-group:rx /my/shared/dir

You can add as many ACLs as you want, remember that the linux default rwx perms sets the max for ACL users and groups. If the linux user (owner) ACL is rx, then even though an ACL specifies another user with rwx, they will only have rx. The second thing to remember is that the default ACL is not needed, but if specified will set those ACLs on all new files and directories and act much like Windows. If you set the permissions using Windows, the default ACL will be set. Thirdly, only Linux user and group have the file counted against their quota, permissions assigned in ACLs do not affect those user and groups quotas. Fourthly, some applications are not ACL aware, Apache for instance does not look at ACLs on Linux. To check your set ACLs, use getfacl /this/is/my/file.

Hope that helps.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez iordo...@berkeley.edu wrote:

I was able to install 3.3.8 version of Samba. I am running it now. I can see shares, but could not write at all. ACL seems simple but I can't get it to work. Any help or advice would be greatly appreciated.

Robert LeBlanc wrote:

The changes have not made it into a 3.3.x release yet, 3.3.7 was a security release, ideally 3.3.8 should have the fix. There were quite a number of configuration changes from 3.0.x to 3.3.x in regards to Active Directory, you may not be able to use your old config without updating some things.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some realm complaints when I run testparm and some ADS related error. The 3.3.7 version is masked by Gentoo portage and not sure if it will be available soon.

Thanks,
-Ivan

Robert LeBlanc wrote:

What version of samba are you using? I submitted a patch to Samba that is in 3.4.1 and slated for the next version of 3.3.x that fixes the workgroup/realm thing. It falls back to SPNEGO without the patch, but it takes a little while, the patch speeds things up.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson jpeters...@garnser.se wrote:

How did you solve the kerberos portion of things, when winbind tries to connect to my server the kerberos sessions fails as it tries to connect with the workgroup instead of the realm.

Thanks
/Jonathan

On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Jonathan Petersson wrote:

Hi Ivan,

I'm working on a similar thing but is having some issues with the kerberos sessions between samba and AD. Is your Samba server a member of a Win2k8R2 or a Win2k3 domain
Re: [Samba] Samba as fileserver on Active Directory domain
Robert LeBlanc wrote:

What are the permissions on /shared/drive? We use ACLs to control access rather than smb.conf. This gives us great flexibility and you can kind of manage it using a Windows machine. If you have Kerberos keytab generated, you can smbmount on Linux using the -o sec=krb5 and no passwords are needed, it also obeys ACL. The only catch is that you need to use RID or LDAP for uid/gid mapping or else your permissions won't line up.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Hello,

We have a Gentoo box running Samba and is a member of the Active Directory domain. This Gentoo box will be a fileserver when everything is completed and setup as it should. I want our users to login to their computer (Computers are all members of the same Active Directory domain) using Active Directory accounts/domain for authentication. I am using Winbind for Active Directory authentication/integration. I'm almost done except file permission issue. All is working smoothly (i.e. wbinfo, smbclient, getent, etc.). I can access/map the shared drive on the Gentoo box from any Windows computer, login to a machine without a problem using Active Directory accounts. The Active Directory authentication with Winbind is working as it should. For some odd reason, I can't figure out how to give permissions to all users the ability to make changes/add new folders on the shared drive. I am getting access denied even when the users or group are valid users of the shared drive per smb.conf. Below is my smb.conf shared configuration:

    [shared]
    comment = shared
    path = /shared/drive
    read only = no
    inherit permissions = yes
    create mask = 755
    directory mask = 755
    valid users = @MYDOMAIN+mygroup
    browseable = yes
    writable = yes

Any help would be greatly appreciated.

-Ivan

Hi,

The files and folders on the shared drive are owned by local Linux account. The permissions are read, write and execute by the owner, read and write by group and all. I was hoping that smb.conf will control the shared drive access but having a hard time doing so. I would like to use ACL if that is the best way to make it work. Would you mind giving me few pointers or point me to the right direction to get started on ACL? I am no LDAP expert but I think I can get by if I have to use it.

Thanks!
-Ivan
Re: [Samba] Samba as fileserver on Active Directory domain
Jonathan Petersson wrote:

Hi Ivan,

I'm working on a similar thing but is having some issues with the kerberos sessions between samba and AD. Is your Samba server a member of a Win2k8R2 or a Win2k3 domain?

Thanks
/Jonathan

On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Robert LeBlanc wrote:

What are the permissions on /shared/drive? We use ACLs to control access rather than smb.conf. This gives us great flexibility and you can kind of manage it using a Windows machine. If you have Kerberos keytab generated, you can smbmount on Linux using the -o sec=krb5 and no passwords are needed, it also obeys ACL. The only catch is that you need to use RID or LDAP for uid/gid mapping or else your permissions won't line up.

Robert LeBlanc
Life Sciences Undergraduate Education Computer Support
Brigham Young University

On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez iordo...@berkeley.edu wrote:

Hello,

We have a Gentoo box running Samba and is a member of the Active Directory domain. This Gentoo box will be a fileserver when everything is completed and setup as it should. I want our users to login to their computer (Computers are all members of the same Active Directory domain) using Active Directory accounts/domain for authentication. I am using Winbind for Active Directory authentication/integration. I'm almost done except file permission issue. All is working smoothly (i.e. wbinfo, smbclient, getent, etc.). I can access/map the shared drive on the Gentoo box from any Windows computer, login to a machine without a problem using Active Directory accounts. The Active Directory authentication with Winbind is working as it should. For some odd reason, I can't figure out how to give permissions to all users the ability to make changes/add new folders on the shared drive. I am getting access denied even when the users or group are valid users of the shared drive per smb.conf. Below is my smb.conf shared configuration:

    [shared]
    comment = shared
    path = /shared/drive
    read only = no
    inherit permissions = yes
    create mask = 755
    directory mask = 755
    valid users = @MYDOMAIN+mygroup
    browseable = yes
    writable = yes

Any help would be greatly appreciated.

-Ivan

Hi,

The files and folders on the shared drive are owned by local Linux account. The permissions are read, write and execute by the owner, read and write by group and all. I was hoping that smb.conf will control the shared drive access but having a hard time doing so. I would like to use ACL if that is the best way to make it work. Would you mind giving me few pointers or point me to the right direction to get started on ACL? I am no LDAP expert but I think I can get by if I have to use it.

Thanks!
-Ivan

Hi Jonathan,

Our Samba server is a member of Win2k8R2 domain.

Thanks,
-Ivan
Re: [Samba] Samba as fileserver on Active Directory domain
Adam Williams wrote:

did you set /shared/drive to 777 permissions?

It was set to 755.
Re: [Samba] How to move a samba PDC to a different box
Should this be set on smbldap.conf file? If I do the command as you suggest, the machine's local SID is going to be the domain's SID. Is that something I should do?

Thanks,
-Ivan

Bruno La Torre wrote:

Ivan Ordonez wrote:

John Drescher wrote:

Sorry to bother you. I hope you can help me with my issue.

Always cc to the list as well.

We have a domain with more than 100 users and we need to replace our PDC. The PDC main function is to authenticate our users to connect to the shared drive and to authenticate computer login. The PDC is running samba with openldap on Gentoo machine. I have two BDCs with ACL set to read and write only. It was set that way to make the syncing process easier. The syncing process is like a chain using slurpd. We plan to use syncrepl later. What is the best way to do to replace the PDC? I already have a Gentoo machine up and running. I copied over all the samba and openldap files from the old PDC to this new machine. I also exported the database by running the slapcat -l command. I am hesitant to start the slapd, slurpd and samba service as I am not so sure if I am doing the right thing.

Disconnect the network cable on the new machine to make sure you are not interfering with the rest of the network. Start slapd then use slapadd to add your ldap to the database. Use slapcat to verify that all was added and the ldif looks correct. Then start samba and see if the smbclient can connect to itself.

Is the old machine the same name as the new? How about the IP address? Are you using wins, lmhosts or dns for your clients to find the pdc?

I will try your suggestion. We plan on using the same name on the new machine and the same IP address as well. We are using WINS for our client to find the PDC.

you must set on the new PDC the SID of the old PDC see net getlocalsid and net setlocalsid

bruno

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] How to move a samba PDC to a different box
All seems to be working fine. I had issues joining PC to the domain but it seems to be working now. We did not do anything to fix the issue. We just waited and give the PDC few minutes and it works. Thanks so much for all the help and suggestions. You guys are great.

-Ivan

Ivan Ordonez wrote:

Should this be set on smbldap.conf file? If I do the command as you suggest, the machine's local SID is going to be the domain's SID. Is that something I should do?

Thanks,
-Ivan

Bruno La Torre wrote:

Ivan Ordonez wrote:

John Drescher wrote:

Sorry to bother you. I hope you can help me with my issue.

Always cc to the list as well.

We have a domain with more than 100 users and we need to replace our PDC. The PDC main function is to authenticate our users to connect to the shared drive and to authenticate computer login. The PDC is running samba with openldap on Gentoo machine. I have two BDCs with ACL set to read and write only. It was set that way to make the syncing process easier. The syncing process is like a chain using slurpd. We plan to use syncrepl later. What is the best way to do to replace the PDC? I already have a Gentoo machine up and running. I copied over all the samba and openldap files from the old PDC to this new machine. I also exported the database by running the slapcat -l command. I am hesitant to start the slapd, slurpd and samba service as I am not so sure if I am doing the right thing.

Disconnect the network cable on the new machine to make sure you are not interfering with the rest of the network. Start slapd then use slapadd to add your ldap to the database. Use slapcat to verify that all was added and the ldif looks correct. Then start samba and see if the smbclient can connect to itself.

Is the old machine the same name as the new? How about the IP address? Are you using wins, lmhosts or dns for your clients to find the pdc?

I will try your suggestion. We plan on using the same name on the new machine and the same IP address as well. We are using WINS for our client to find the PDC.

you must set on the new PDC the SID of the old PDC see net getlocalsid and net setlocalsid

bruno
Re: [Samba] How to move a samba PDC to a different box
John Drescher wrote:

Sorry to bother you. I hope you can help me with my issue.

Always cc to the list as well.

We have a domain with more than 100 users and we need to replace our PDC. The PDC's main function is to authenticate our users to connect to the shared drive and to authenticate computer login. The PDC is running samba with openldap on a Gentoo machine. I have two BDCs with ACL set to read and write only. It was set that way to make the syncing process easier. The syncing process is like a chain using slurpd. We plan to use syncrepl later.

What is the best way to replace the PDC? I already have a Gentoo machine up and running. I copied over all the samba and openldap files from the old PDC to this new machine. I also exported the database by running the slapcat -l command. I am hesitant to start the slapd, slurpd and samba service as I am not so sure if I am doing the right thing.

Disconnect the network cable on the new machine to make sure you are not interfering with the rest of the network. Start slapd then use slapadd to add your ldap to the database. Use slapcat to verify that all was added and the ldif looks correct. Then start samba and see if the smbclient can connect to itself.

Is the old machine the same name as the new? How about the IP address? Are you using wins, lmhosts or dns for your clients to find the pdc?

I will try your suggestion. We plan on using the same name on the new machine and the same IP address as well. We are using WINS for our client to find the PDC.

Thanks for all the help.

BTW, I have to cut this a lot shorter than I want but I am very busy at the day job and if I do not get my tasks done several new users will not have a pc on Monday.

John
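The two checks this thread asks for before the replacement PDC goes live (the new box must carry the old PDC's SID, and the slapadd result should be verified with slapcat), as an added example that is not part of the original messages. The file names, function names and sample data are constructed for illustration; the sambaSID comparison goes one step beyond the thread and assumes the directory uses the ldapsam schema, where each account SID is the domain SID plus a RID.

```shell
#!/bin/sh
# Pre-cutover checks for a Samba 3 + OpenLDAP PDC move, run on the isolated new host.
# Inputs are saved command output; the file names are this example's own choice:
#   old.sid / new.sid   : output of `net getlocalsid` on the old and new PDC
#   old.ldif / new.ldif : `slapcat -l FILE` from the old PDC, and from the new
#                         one after slapadd
LC_ALL=C; export LC_ALL

# Print the SID from `net getlocalsid` output ("SID for domain X is: S-1-5-21-a-b-c").
extract_sid() {
    sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# Join LDIF continuation lines (a line starting with one space continues the
# previous line) so that DNs wrapped by slapcat compare correctly.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (seen) print buf; buf = $0; seen = 1 }
         END { if (seen) print buf }' "$1"
}

# DNs present in export $1 but absent from export $2.
missing_dns() {
    tmp_old=$(mktemp); tmp_new=$(mktemp)
    unfold_ldif "$1" | grep '^dn:' | sort -u > "$tmp_old"
    unfold_ldif "$2" | grep '^dn:' | sort -u > "$tmp_new"
    comm -23 "$tmp_old" "$tmp_new"
    rm -f "$tmp_old" "$tmp_new"
}

# Domain part of every account or group sambaSID (the SID minus its trailing RID).
account_sid_prefixes() {
    unfold_ldif "$1" |
        sed -n 's/^sambaSID: \(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)-[0-9][0-9]*$/\1/p' |
        sort -u
}

# check_cutover OLD.sid NEW.sid OLD.ldif NEW.ldif
# Returns 0 only if the SIDs match, no entry was lost in the import, and every
# account SID in the new directory belongs to the old PDC's SID.
check_cutover() {
    old_sid=$(extract_sid "$1"); new_sid=$(extract_sid "$2"); rc=0
    if [ -z "$old_sid" ] || [ -z "$new_sid" ]; then
        echo "could not read a SID from $1 or $2"; rc=1
    elif [ "$old_sid" != "$new_sid" ]; then
        echo "SID mismatch: new host has $new_sid, run: net setlocalsid $old_sid"; rc=1
    fi
    lost=$(missing_dns "$3" "$4")
    if [ -n "$lost" ]; then
        echo "entries missing after slapadd:"; echo "$lost"; rc=1
    fi
    for prefix in $(account_sid_prefixes "$4"); do
        if [ "$prefix" != "$old_sid" ]; then
            echo "accounts carry a different domain SID: $prefix"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not data from the thread): the new copy lost one entry
# whose DN is folded, and the new host still has its self-generated SID.
make_sample() {
    echo 'SID for domain ROCK is: S-1-5-21-1111-2222-3333' > "$1/old.sid"
    echo 'SID for domain ROCK is: S-1-5-21-4444-5555-6666' > "$1/new.sid"
    cat > "$1/old.ldif" <<'EOF'
dn: sambaDomainName=MYDOMAIN,dc=example,dc=org
sambaSID: S-1-5-21-1111-2222-3333

dn: uid=user1,ou=People,dc=example,dc=org
sambaSID: S-1-5-21-1111-2222-3333-3001

dn: uid=a-user-with-a-very-long-name,ou=People,dc=exam
 ple,dc=org
sambaSID: S-1-5-21-1111-2222-3333-3003
EOF
    sed '/^dn: uid=a-user/,$d' "$1/old.ldif" > "$1/new.ldif"
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_cutover "$demo_dir/old.sid" "$demo_dir/new.sid" \
              "$demo_dir/old.ldif" "$demo_dir/new.ldif" ||
    echo "not ready: keep the new host off the network"
rm -rf "$demo_dir"
```

Run it while the network cable is still unplugged; a non-zero exit means smbd on the new box should not be started yet.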
[Samba] BDC problem joining domain
We have a PDC running Samba Version 3.0.24 while the BDC is running Samba Version 3.0.28a. Both domain controllers are running Gentoo. The problem seems to be a compatibility issue between two versions of Samba. Please see below the error when I tried joining the BDC.

    [2008/05/12 15:15:25, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(310) error setting trust account password: NT code 0x1c010002

I believe that upgrading Samba on the PDC to version 3.0.28a will fix the problem but an upgrade is not an option at this time. Upgrading to Samba 3.0.28a will break a lot of its (PDC) functionality. I've found similar issues on the web and the fix was to upgrade or downgrade Samba. I was wondering whether Simo or Gerry Carter can help me with this. Thanks!
Re: [Samba] net rpc join -U root error
Make sure that the versions of samba are all the same. Somehow, the 3.0.26 version is not compatible with 3.0.24. If your PDC has an earlier version than the machine you are trying to join, you will not be able to join it to the domain.

Adam Williams wrote:

I turned on log level = 10 and got some more data.

    [EMAIL PROTECTED] samba]# net rpc join -S GOMER -U root
    [2007/11/07 15:52:27, 0] libsmb/clientgen.c:cli_receive_smb(112) Receiving SMB: Server stopped responding
    [2007/11/07 15:52:27, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) rpc_api_pipe: Remote machine GOMER pipe \NETLOGON fnum 0x7751returned critical error. Error was Call timed out: server did not respond after 1 milliseconds
    Password:
    [2007/11/07 15:53:00, 0] libsmb/clientgen.c:cli_receive_smb(112) Receiving SMB: Server stopped responding
    [2007/11/07 15:53:00, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) rpc_api_pipe: Remote machine GOMER pipe \samr fnum 0x7775returned critical error. Error was Call timed out: server did not respond after 1 milliseconds
    Creation of workstation account failed
    Unable to join domain ADMIN.
    [EMAIL PROTECTED] samba]# /etc/rc.d/init.d/smb restart /etc/rc.d/init.d/winbind restart
    Shutting down SMB services:[ OK ]
    Starting SMB services: [ OK ]
    Shutting down Winbind services:[ OK ]
    Starting Winbind services: [ OK ]
    [EMAIL PROTECTED] samba]# wbinfo -u
    Error looking up domain users

Diego Obetko wrote:

but you used that syntax that didn't work again.. try this

    # net rpc join -S GOMER -U root

then

    # /etc/rc.d/init.d/smb restart /etc/rc.d/init.d/winbind restart

then

    # wbinfo -u
Re: [Samba] net rpc join -U root error
I think he did a net rpc testjoin command and got a no suitable server response.

Diego Obetko wrote:

i'm sorry but he did join the machine in an earlier reply.. don't know if it's the same machine or situation...

[quote]
    [EMAIL PROTECTED] etc]# net rpc join -S GOMER -U root
    Password:
    Joined domain ADMIN.
[/quote]

On Nov 7, 2007 7:04 PM, Ivan Ordonez [EMAIL PROTECTED] wrote:

Make sure that the versions of samba are all the same. Somehow, the 3.0.26 version is not compatible with 3.0.24. If your PDC has an earlier version than the machine you are trying to join, you will not be able to join it to the domain.

Adam Williams wrote:

I turned on log level = 10 and got some more data.

    [EMAIL PROTECTED] samba]# net rpc join -S GOMER -U root
    [2007/11/07 15:52:27, 0] libsmb/clientgen.c:cli_receive_smb(112) Receiving SMB: Server stopped responding
    [2007/11/07 15:52:27, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) rpc_api_pipe: Remote machine GOMER pipe \NETLOGON fnum 0x7751returned critical error. Error was Call timed out: server did not respond after 1 milliseconds
    Password:
    [2007/11/07 15:53:00, 0] libsmb/clientgen.c:cli_receive_smb(112) Receiving SMB: Server stopped responding
    [2007/11/07 15:53:00, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) rpc_api_pipe: Remote machine GOMER pipe \samr fnum 0x7775returned critical error. Error was Call timed out: server did not respond after 1 milliseconds
    Creation of workstation account failed
    Unable to join domain ADMIN.
    [EMAIL PROTECTED] samba]# /etc/rc.d/init.d/smb restart /etc/rc.d/init.d/winbind restart
    Shutting down SMB services:[ OK ]
    Starting SMB services: [ OK ]
    Shutting down Winbind services:[ OK ]
    Starting Winbind services: [ OK ]
    [EMAIL PROTECTED] samba]# wbinfo -u
    Error looking up domain users

Diego Obetko wrote:

but you used that syntax that didn't work again.. try this

    # net rpc join -S GOMER -U root

then

    # /etc/rc.d/init.d/smb restart /etc/rc.d/init.d/winbind restart

then

    # wbinfo -u
[Samba] Promoting Samba BDC to PDC
Hi,

Our domain is set up with one Primary Domain Controller and two Backup Domain Controllers, and a member server. All domain controllers (PDC and BDCs) are running Gentoo Linux with Samba and LDAP. The member server (fileserver) is a Sun machine running Solaris. We do everything (add, edit, modify groups and accounts) on the PDC and it will then sync all the changes to the BDC by way of SLURPD, then from the BDC to another BDC. To access the shared files on the member server (Solaris), the user will authenticate using the PDC, which is the password server in the smb.conf file of the member server.

What we want to do in the coming days is to turn off and upgrade the PDC and promote one of the BDCs to PDC without missing a beat.

I first stopped the slapd, slurpd and samba services on the PDC. I then edited the smb.conf file of one of the BDCs to make it a PDC. I also added a new line, which is security = user. I ran a testparm command after making changes to the BDC's smb.conf file and it showed that it is now the Primary Domain Controller. I edited the member server's smb.conf file and changed the password server line to match the new PDC.

    password server = IP of the new PDC

I logged in to one of the test machines to see if I could log in and it worked, but when I tried to map to one of our shared drives, it asked for username and password. Somehow the member server doesn't know that the password server has now been changed. There is not much in the logs that is helpful. I made sure that I restarted the samba service every time I made changes.

Please help. Thanks.
[Samba] Promoting BDC to PDC
Hi,

Does someone know how all my client machines will find the BDC when the PDC is stopped? Both PDC and BDC are running Samba with the LDAPSAM backend, the PDC with the master LDAP database and the BDC with a replicated LDAP database. But when I stop the PDC the clients are not detecting the BDC broadcast. The replication on all domain controllers is perfect.

I went as far as making the BDC the new PDC by doing the following in smb.conf. There's actually a little success when I did this.

    preferred master = Yes
    domain master = Yes

I was able to log in but then could not access the shared drive running on a member server. I made sure that the smb.conf file on the member server that contains all the shared drives is set to:

    Password Server = new PDC hostname

Any idea of where I may be wrong? I guess to make it short, how can I promote a BDC to a PDC in case the PDC crashes? I want to make sure that if I promote one of the BDCs to PDC, all my users can still log in and access shared files. We have 4 machines running samba, 3 with LDAP backend (PDC, 2 BDC) and 1 machine as fileserver or member server only, used for filesharing.

Thanks,
-Ivan
Re: [Samba] NT_STATUS_LOGON_FAILURE
Have you tried adding lo on the interfaces line of your smb.conf file? If not, try adding this line.

    interfaces = eth0 lo 192.168.1.1

Hope this helps.

Thanks,
-Ivan

At 03:28 AM 6/12/2006, you wrote:

I've installed Samba 3.0.22 on my Ubuntu Dapper release. I need Samba to be able to share some information with Windows XP. Ubuntu is installed on my portable PC and Windows XP is installed on my fixed PC. I need to see the information on my fixed PC from the portable one. Before upgrading my Ubuntu from Breezy to Dapper I had no problem. Now I can't see the windows network. In particular, typing

    smbclient -L HOSTNAME

or

    smbclient //HOSTNAME/USERNAME

after giving the password I receive the following message:

    session setup failed: NT_STATUS_LOGON_FAILURE

Could someone help me?

Many thanks,
Michele
[Samba] Samba will not start
Hi,

Right after I run the vampire (net rpc vampire -S gia42c-1 -U Administrator) command, samba would no longer start. The samba server was installed on Gentoo linux and is running behind a firewall. The PDC, which is a Windows NT 4 server, is on a different subnet with no firewall. Please check the log and smb.conf below and see if there's anything I can do to make samba start again. Thanks in advance for all the help.

-Ivan

Below is my smb.conf file

    [global]
    netbios name = sambaservername
    server string = Samba Server %v
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 5
    hosts allow = 22.32.115. 22.32.116.
    map to guest = bad user
    security = user
    password server = gia42c-1
    encrypt passwords = yes
    username map = /etc/samba/smbusers
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    interfaces = eth0 lo 22.32.115.15
    local master = no
    os level = 65
    domain master = no
    preferred master = no
    domain logons = yes
    # Scripts for file (passwd, smbpasswd) backend:
    add user script = /usr/sbin/useradd -s /bin/false '%u'
    delete user script = /usr/sbin/userdel '%s'
    add user to group script = /usr/bin/gpasswd -a '%u' '%g'
    delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
    set primary group script = /usr/sbin/usermod -g '%g' '%u'
    add group script = /usr/sbin/groupadd %g getent group '%g'|awk -F: '{print $3}'
    delete group script = /usr/sbin/groupdel '%g'
    passdb backend = tdbsam smbpasswd
    passdb expand explicit = no
    name resolve order = host wins lmhosts bcast
    wins server = 22.32.116.25
    dns proxy = no

Logs from log.smbd

    Attempting to register passdb backend ldapsam
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(107) Successfully added passdb backend 'ldapsam'
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(94) Attempting to register passdb backend ldapsam_compat
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(107) Successfully added passdb backend 'ldapsam_compat'
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(94) Attempting to register passdb backend NDS_ldapsam
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(107) Successfully added passdb backend 'NDS_ldapsam'
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(94) Attempting to register passdb backend NDS_ldapsam_compat
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(107) Successfully added passdb backend 'NDS_ldapsam_compat'
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(94) Attempting to register passdb backend smbpasswd
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(107) Successfully added passdb backend 'smbpasswd'
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(94) Attempting to register passdb backend tdbsam
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(107) Successfully added passdb backend 'tdbsam'
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(94) Attempting to register passdb backend guest
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:smb_register_passdb(107) Successfully added passdb backend 'guest'
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(822) Attempting to find an passdb backend to match tdbsam (tdbsam)
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(843) Found pdb backend tdbsam
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(846) pdb backend tdbsam has a valid init
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_context_list(950) Trying to load: smbpasswd
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(822) Attempting to find an passdb backend to match smbpasswd (smbpasswd)
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(843) Found pdb backend smbpasswd
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(846) pdb backend smbpasswd has a valid init
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(822) Attempting to find an passdb backend to match guest (guest)
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(843) Found pdb backend guest
    [2006/05/23 15:16:12, 5] passdb/pdb_interface.c:make_pdb_methods_name(846) pdb backend guest has a valid init
    [2006/05/23 15:16:12, 4] lib/substitute.c:automount_server(359) Home server: sambaservername
    [2006/05/23 15:16:12, 4] lib/substitute.c:automount_server(359) Home server: sambaservername
    [2006/05/23 15:16:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2006/05/23 15:16:12, 1] auth/auth_util.c:make_server_info_sam(876) User Guest in passdb, but getpwnam() fails!
    [2006/05/23 15:16:12, 5] auth/auth_util.c:free_server_info(1511) attempting to free (and zero) a server_info structure
    [2006/05/23
Re: [Samba] samba domain controller
Run the testparm (without the quotes) command and see if your samba is really a PDC. Hope this helps.

-Ivan

At 03:03 PM 5/23/2006, Rodney Richison wrote:

I tried to post this in the debian group, but my mail never appeared there..

Am attempting to do a test install of samba as a primary domain controller. I can see the shares and navigate them. However, when I attempt to join the domain, WinXP says username could not be found. I have a root user with a password. I can see its shares as well if I use the root name and password. So the problem appears to be ONLY when I try to join. I'll post some logs from /var/logs/samba/log.0.0.0.0 as they may be a hint.

    [2006/05/23 09:56:15, 0] lib/util_sock.c:get_peer_addr(1150) getpeername failed. Error was Transport endpoint is not connected
    [2006/05/23 09:56:15, 0] lib/access.c:check_access(328)
    [2006/05/23 09:56:15, 0] lib/util_sock.c:get_peer_addr(1150) getpeername failed. Error was Transport endpoint is not connected Denied connection from (0.0.0.0)
    [2006/05/23 09:56:15, 1] smbd/process.c:process_smb(1084)
    [2006/05/23 09:56:15, 0] lib/util_sock.c:get_peer_addr(1150) getpeername failed. Error was Transport endpoint is not connected Connection denied from 0.0.0.0
    [2006/05/23 09:56:15, 0] lib/util_sock.c:write_socket_data(430) write_socket_data: write failure. Error = Connection reset by peer
    [2006/05/23 09:56:15, 0] lib/util_sock.c:write_socket(455) write_socket: Error writing 5 bytes to socket 27: ERRNO = Connection reset by peer
    [2006/05/23 09:56:15, 0] lib/util_sock.c:send_smb(647) Error writing 5 bytes to client. -1. (Connection reset by peer) r writing 5 bytes to client. -1. (Connection reset by peer)
    [2006/05/23 09:56:15, 0] lib/util_sock.c:send_smb(647) Error writing 5 bytes to client. -1. (Connection reset by peer) r writing 5 bytes to client. -1. (Connection reset by peer)

Below is my smb.conf file.

    [global]
    # the domain name
    workgroup = pdc
    smb passwd file = /etc/samba/smbpasswd
    # the server's name
    netbios name = file-server
    # comment describing what the machine is
    server string = the file server
    # workstations will set their time by this server
    time server = yes
    # security and logging settings
    security = user ; this must be 'user' on a PDC
    # allow connections only from the local machine and the 10.0.0.* address range:
    # (you'll want to change this if your network uses a different addressing range)
    hosts allow = 127.0.0.1 192.168.1.
    # don't allow connections from any other IP address ranges than defined by 'hosts allow':
    hosts deny 0.0.0.0/0
    # only allow connections from ethernet cards and the loopback address:
    interfaces = eth* lo
    bind interfaces only = yes
    # for Windows 2000 encrypted passwords
    encrypt passwords = yes
    # provide logon scripts, home directories etc as well as authentication
    domain logons = yes
    log file = /var/log/samba/log.%m
    # log level = 2
    # put a capping on the size (in kB) of the log file
    max log size = 50
    # PDC and master browser settings
    os level = 64 ; ensure this machine consulted 1st regarding current browse list
    preferred master = yes
    local master = yes
    domain master = yes ; This is the Primary Domain Controller
    # automatically add a Linux and Samba machine account
    add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
    # user profiles and home directory
    # the local path to which the home ([HOMES]) directory will be connected
    logon drive = H:
    # where 'profiles' = [profiles] further on
    logon path = \\%L\profiles\%U
    logon script = netlogon.bat ; logon script, location defined in [NETLOGON]
    # define user mappings between this system and Windows systems.
    # without this you get asked for a password even if none is required
    # username map = /etc/samba/users.map
    # but if you've created SMB users on here you don't need it
    # fine-tuning Samba for increased speed on Linux systems
    # SO_KEEPALIVE - sends a probe every 4 hours to check that a connection is still active. if the connection does not respond, it is closed
    # TCP_NODELAY -
    # IPTOS_LOWDELAY -
    # SO_SNDBUF=14596 - 14596 is roughly the best in most circumstances, it may be able to be tuned better for your system
    # SO_RCVBUF=14596 - same reason as above
    socket options = TCP_NODELAY, IPTOS_LOWDELAY, SO_KEEPALIVE, SO_SNDBUF=14596, SO_RCVBUF=14596
    # keep the case when saving; when looking for a file
    # matching is done without regard to case, as expected by Windows
    preserve case = yes
    short preserve case = yes
    case sensitive = no
    # check every 30 seconds to see if client has disconnected
    # I've used 30 so that the Samba server can be restarted and
    # maybe the connections won't be lost
    keep alive = 30
    #sync Unix passwords from Windows workstations using PAM
    unix password sync = yes
    pam password change = yes
    # printing
    printing = BSD
    print command = /usr/bin/lpr -r %s
    min print space = 2000
    # --- shares ---
    [printers]
    # (picks up all printers specified in /etc/printcap)
    # tell Samba it's a printer share, not a disk share
[Samba] Samba behind firewall
Hi,

I was able to join samba to the domain successfully (the net rpc testjoin command says ok) but could not see it in network neighborhood. I can't map to it either. The machine is sitting on a different subnet and behind the firewall. What ports should I open to make samba accessible to all Windows XP clients sitting on different subnets and not behind the firewall? I want to make samba a domain member and use it for file, printer sharing etc.

Settings: Samba version 3.0.22 with Windows NT 4.0 server and XP clients.

Thanks in advance for all the help.

-Ivan
Re: [Samba] Samba behind firewall
Hello,

At 12:15 PM 5/18/2006, Felipe Alfaro Solana wrote:

What port should I open to make samba accessible to all Windows XP client sitting on different subnets and not behind the firewall. I want to make samba a domain member and use it for file, printer sharing etc.

I guess 137/tcp, 137/udp, 138/tcp, 138/udp, 139/tcp, 139/udp, 445/udp, 445/tcp.

Those ports above are already open. I was able to join samba to my windows domain successfully. However, the machine will not show in Network Neighborhood. I could not map to the machine either.

Thanks,
-Ivan
Re: [Samba] Win2k clients won't rejoin Samba PDC domain, Remote Procedure Call Failed?
Did you try putting the dollar sign? Example:

    # smbpasswd -a -m machine_name$

At 02:21 PM 4/27/2006, wally wrote:

Hey everyone, firstly thanks for your time, I've spent hours, a lot straight days too, for the last couple of weeks trying to solve this issue. The only thing (afai can see) I've got left is asking the experts and formatting all the machines and starting over, the latter of which I'm not interested in doing because it doesn't solve the issue (well it might make the problem go away, but I won't know what it was, and I don't consider that a solution).

So thanks for reading this, even if you've just got a no idea I'm afraid, but I would suggest the following obvious things... that'd be so appreciated. I've gotten to the point where I'm getting so frustrated and impatient I'm forgetting what I have / haven't tried already, so a fresh run would be great : )

So, here we go. I've set up a PDC for a small network. I'm running Samba 3.0.14a-2 on FC5, with 256mb of RAM and other working hardware. I mean to say, I'm fairly certain it's something I've misconfigured, not a hardware fault. I've also upgraded Samba twice (while moving from FC4 to 5, and once again recently), neither of which solved the issue.

So my smb.conf looks like this:

    // SOF
    # Global parameters
    [global]
    workgroup = PLFCDOMAIN
    server string = Fedora Linux running Samba 3.0.14a-2
    passwd program = /usr/bin/passwd %U
    passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n $unix password sync = Yes
    log level = 2
    acl compatibility = win2k
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add machine script = /usr/sbin/adduser -d / -g 600 -M -s /sbin/nologin $logon script = %U.BAT
    logon path = \\%N\profiles\%U
    logon drive = Z:
    domain logons = Yes
    os level = 33
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    # remote announce = 192.168.0.255/FILESERVER
    profile acls = Yes
    [netlogon]
    path = /var/lib/samba/netlogon
    read only = No
    guest ok = Yes
    [profiles]
    comment = Profiles share
    path = /home/
    read only = No
    create mask = 0751
    directory mask = 0751
    map system = Yes
    map hidden = Yes
    // EOF

(I've got some other shares too, if anybody is interested in seeing those I'll post them up too, otherwise I'll save the bytes in this message for now.)

When I first set it up, I had it running with a Windows 2000 client (no SP patches applied) in the domain, and everyone could log on and off as they liked. Everything was fine. Then I joined another 2000 machine (for which I used the add machine script) which worked really neatly, and still everything worked fine. Then I added an XP machine, which also joined perfectly happily.

This is the point from which things must have gone wrong. I then applied SP4 to the FIRST of the two Windows 2000 machines. I mucked about a bit with poledit to make a NTLogon.pol for the NTLOGON share, which worked like a dream. I'd had a few users logging on and off of all the machines fine, all the shares worked as I wanted, everything seemed quite happy.

Then I had a problem with a user not being able to write to a given share. Turns out adding profile acls = yes to the Samba config fixed this (I found that out on the net), but before I discovered that I panicked and tried REMOVING the win2k machine from the domain, and readding it, which FAILED. The message I received was remote procedure call failed. Ever since, I've not been able to join machines to the domain (I always get that error).

Checking the Samba logs, nothing screams out at me. Occasionally I get an INVALID PIPE xyz (log level 3), but that isn't persistent (in fact so little that I can't even find one to paste here right now). It also seems that I have to reboot the win2k machine to get it to try joining the domain again properly, if that's of any relevance.

I've followed the Samba HOWTO doc as best I can several times over, I've tried adding the machines by hand using

    # smbpasswd -am plfc-01

(that being the name of one of the win2k machines) and that doesn't work, I've tried with and without the add machine script, both without it completely and with manually adding the UNIX user, I've really tried everything I can think of and then some, but I can't get it to join.

This applies to ALL win2k machines (I've only got one XP one available, which I daren't disjoin the domain with in case it never goes back on because everyone uses it), I've tried several win2k machines which have never been on the network (fresh installs of 2k, even they won't touch it.

The only thing (may be irrelevant, but my understanding of SMB and Samba is pretty limited), the smbpasswd file has very different entries for each of the computers:

(this is the XP machine which is already added)

    generaloffice1$:507:XX
Re: [Samba] Domain admins and samba
I could not use the command net rpc rights list either. I get a Could not connect to server 127.0.0.1 message. I can't use the rpc command at all. Can someone please point me in the right direction?

Thanks,
-Ivan

At 02:13 PM 4/24/2006, Asier Baranguan wrote:

On Monday, 24 April 2006 20:28, Ivan Ordonez wrote:

I added the line (enable privileges = yes) on my smb.conf, stop and start samba service but still no luck. I still can't add a computer to the domain using regular account that are part of sysadmin group.

I think he refers to this link: http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id2567877

-- Asier.
Re: [Samba] Domain admins and samba
I added the line (enable privileges = yes) to my smb.conf, stopped and started the samba service but still no luck. I still can't add a computer to the domain using regular accounts that are part of the sysadmin group. Anything else I should do?

Thanks,
-Ivan

At 07:30 AM 4/22/2006, Josh Kelley wrote:

On 4/21/06, Ivan Ordonez [EMAIL PROTECTED] wrote:

How can I give a user account the ability to join or add computer to the domain?

Are privileges enabled? (enable privileges = yes in smb.conf) If not, then I believe that only root can join computers to the domain. If privileges are enabled, then see Chapter 14 of the Samba HOWTO-Collection for instructions on delegating privileges to your Domain Admins group.

Josh Kelley
[Samba] Domain admins and samba
How can I give a user account the ability to join or add a computer to the domain? Below are the steps I did but none work:

1. Edit the smb.conf file and add the following lines.

    # domain administrators
    domain admin group = root user1 user2 @sysadmin
    domain admin users = @sysadmin

   I have a group called sysadmin in my /etc/group file and added both user1 and user2.

2. Map the Windows Domain Admins to the sysadmin group account using the command below:

    pcname#net groupmap modify ntgroup=Domain Admins unixgroup=sysadmin

3. Check if the command was successful by using the command below:

    pcname#net groupmap list
    Domain Admins (S-1-5-21-1071463269-1754759636-1174686074-512) - sysadmin

The above result clearly shows that it was successful and the Domain Admins group is pointing to sysadmin.

Thanks for all the help.

-Ivan
[Samba] Could not start samba
Hi,

We are trying to migrate our Windows NT domain to samba 3.0.21b and we ran into a situation we have not seen before. Right after we run the net rpc vampire command, the samba service will not start anymore. All accounts from the NT domain were transferred and migrated to samba and it looks like the vampire command runs successfully. Can anyone please point me in the right direction? The logs are not showing anything helpful.

    [2006/04/06 14:02:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2006/04/06 14:02:12, 1] auth/auth_util.c:make_server_info_sam(876) User Guest in passdb, but getpwnam() fails!
    [2006/04/06 14:02:12, 5] auth/auth_util.c:free_server_info(1511) attempting to free (and zero) a server_info structure
    [2006/04/06 14:02:12, 0] smbd/server.c:main(829) ERROR: failed to setup guest info.

Thanks,
-Ivan
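A triage helper for the kind of log quoted in this post, as an added example (not from the original post and not part of Samba): it parses smbd log entries, lists the level-0 entries and names the passdb accounts for which getpwnam() failed. The function names are hypothetical, and the sample is the post's quoted lines laid out as a header line followed by an indented message line, which is an assumption about how the original file looked.

```shell
#!/bin/sh
# Triage of a Samba 3 smbd log. Assumed layout of one entry:
#   [YYYY/MM/DD HH:MM:SS, LEVEL] source/file.c:function(line)
#     message text, possibly over several indented lines

# smbd_entries LOGFILE MAXLEVEL
# Print every entry with level <= MAXLEVEL as "level|timestamp|source|message".
smbd_entries() {
    awk -v max="$2" '
        function emit() {
            if (have && lvl <= max) print lvl "|" ts "|" src "|" msg
            have = 0
        }
        /^\[[0-9]+\/[0-9]+\/[0-9]+ [0-9:]+, +[0-9]+\]/ {
            emit()                                   # previous entry is complete
            close_br = index($0, "]")
            split(substr($0, 2, close_br - 2), part, /, */)
            ts = part[1]; lvl = part[2] + 0
            src = substr($0, close_br + 2); msg = ""; have = 1
            next
        }
        have {                                       # message line of the current entry
            line = $0; sub(/^[ \t]+/, "", line)
            if (line != "") msg = (msg == "" ? line : msg " " line)
        }
        END { emit() }
    ' "$1"
}

# Level-0 entries as "source|message"; smbd writes these at any log level.
fatal_entries() {
    smbd_entries "$1" 0 | cut -d'|' -f3-
}

# Names of accounts found in passdb for which the Unix lookup failed.
unresolved_passdb_users() {
    smbd_entries "$1" 10 |
        sed -n 's/^.*|User \(.*\) in passdb, but getpwnam() fails!$/\1/p' |
        sort -u
}

# Sample: the four entries quoted in the post, re-laid out (constructed layout).
write_sample_log() {
    cat > "$1" <<'EOF'
[2006/04/06 14:02:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/04/06 14:02:12, 1] auth/auth_util.c:make_server_info_sam(876)
  User Guest in passdb, but getpwnam() fails!
[2006/04/06 14:02:12, 5] auth/auth_util.c:free_server_info(1511)
  attempting to free (and zero) a server_info structure
[2006/04/06 14:02:12, 0] smbd/server.c:main(829)
  ERROR: failed to setup guest info.
EOF
}

# Demo on the sample log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "fatal entries:"
fatal_entries "$demo_log"
for user in $(unresolved_passdb_users "$demo_log"); do
    echo "passdb account '$user' has no Unix account; compare with: getent passwd $user"
done
rm -f "$demo_log"
```

Run against a real log.smbd, the same functions surface the few decisive entries from the level-5 noise shown in the earlier "Samba will not start" post.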
Fwd: Re: [Samba] Migrate NT domain 4 to samba
I tried net lookup dc and samba PDC did not show. The NT machine we have has been shut down and not functional anymore. Right now, we only have one linux box with gentoo running samba and we want it to be the PDC. Thanks, -Ivan X-Original-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Subject: Re: [Samba] Migrate NT domain 4 to samba To: Ivan Ordonez [EMAIL PROTECTED] X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003 From: Donald W Watson [EMAIL PROTECTED] Date: Thu, 23 Mar 2006 15:50:43 -0800 X-MIMETrack: Serialize by Router on D03NM124/03/M/IBM(Release 6.53HF752 | November 15, 2005) at 03/23/2006 16:50:48 X-Virus-Scanned: amavisd-new at nature.berkeley.edu Ivan, The smb.conf looks fine, nearly identical to mine except I don't have the entry for netbios name. If rock is the name of your samba server this shouldn't make difference. As an experiment, have you tried to see if the PDC is visible from another Unix box by using either net lookup dc or nmblookup (nmbd must be running)? This will help isolate the problem to either the samba PDC itself or something configured on the NT machine. Sincerely, Don Watson Linux Technology and Solutions; Beaverton, OR 503-578-4861/TL: 775-4861; [EMAIL PROTECTED] Inactive hide details for Ivan Ordonez [EMAIL PROTECTED] Ivan Ordonez [EMAIL PROTECTED] Ivan Ordonez [EMAIL PROTECTED] 03/23/2006 03:34 PM [] To Donald W Watson/Beaverton/[EMAIL PROTECTED] [] cc samba@lists.samba.org [] Subject Re: [Samba] Migrate NT domain 4 to samba Hi, We were finally able to run net rpc vampire command. We created a brand new smb.conf and add some user scripts. We shut down our NT machine and make samba the PDC. I have created the machine name in samba and created a samba root account as well. When I try to join one machine, PDC is not found. Somehow, the samba PDC does not know that he is supposed to be a domain controller now that the NT is down. Anything I need to check or change on my smb.conf? 
    workgroup = mydomain
    netbios name = rock
    server string = Samba Server %v
    interfaces = eth0
    map to guest = Bad User
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    dns proxy = No
    os level = 65
    passdb expand explicit = no
    passdb backend=tdbsam
    security = user
    local master = yes
    domain master = yes
    preferred master = yes
    domain logons = yes
    password server = pc1
    encrypt passwords = yes
    # Scripts for file (passwd, smbpasswd) backend:
    add user script = /usr/sbin/useradd -s /bin/false '%u'
    #delete user script = /usr/sbin/userdel '%s'
    add user to group script = /usr/bin/gpasswd -a '%u' '%g'
    #delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
    set primary group script = /usr/sbin/usermod -g '%g' '%u'
    add group script = /usr/sbin/groupadd %g getent group '%g'|awk -F: '{print $3}'
    #delete group script = /usr/sbin/groupdel '%g'
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M '%u'

Thanks,
-Ivan

At 07:34 AM 3/23/2006, Donald W Watson wrote:

Ivan,

I noticed when I did this with the old documentation I had to be very careful reading the chapter and discovering all the necessary instructions. I also noticed that the old documentation states that with ldapsam you should not start samba until after the net rpc vampire call, but with tdbsam it states you should start samba before the net rpc vampire call. In the new documentation it looks much simpler ( http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.pdf), chapter 35:

    In smb.conf, domain master = no (you already have this).
    In smb.conf, passdbbackend = tdbsam (you already have this).
    Samba must not be running.
    net rpc join -S NT4 PDC ipaddr -U Administrator%Administrator password
    net rpc vampire -S NT4 PDC ipaddr -U Administrator%Administrator password
    pdbedit -L should now show all the new users.

Maybe this will help.
Sincerely,
Don Watson
Linux Technology and Solutions; Beaverton, OR
503-578-4861/TL: 775-4861; [EMAIL PROTECTED]

Ivan Ordonez [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/22/2006 11:54 AM
To: samba@lists.samba.org
Subject: [Samba] Migrate NT domain 4 to samba

I have been following Chapter 9 of the Samba-3 by Example book on how to migrate an NT 4 domain to samba 3 and not having any luck at all. Somehow the vampire command will not work and gives me an error:

    Fetching DOMAIN database
    Failed to fetch domain database: NT_STATUS_ACCESS_DENIED

What I want to accomplish is to remove Windows NT 4.0 server as PDC and make Samba our Primary Domain Controller. Also, I'm not sure if I have tdbsam set up correctly. How do you set it up correctly? Is there a command I should run or should I just edit the smb.conf file and add tdbsam? Please see below for my smb.conf configuration.

    # Global parameters
    [global]
    workgroup
[Samba] Migrate NT domain 4 to samba
I have been following Chapter 9 of the Samba-3 by Example book on how to migrate an NT 4 domain to samba 3 and not having any luck at all. Somehow the vampire command will not work and gives me an error:

    Fetching DOMAIN database
    Failed to fetch domain database: NT_STATUS_ACCESS_DENIED

What I want to accomplish is to remove Windows NT 4.0 server as PDC and make Samba our Primary Domain Controller. Also, I'm not sure if I have tdbsam set up correctly. How do you set it up correctly? Is there a command I should run or should I just edit the smb.conf file and add tdbsam? Please see below for my smb.conf configuration.

    # Global parameters
    [global]
    workgroup = MyDomain
    netbios name = rock
    server string = rock (Samba %v)
    security = domain
    interfaces = eth0 192.168.1.2
    encrypt passwords = yes
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
    passdb expand explicit = no
    log file = /usr/local/var/log/log.smb
    max log size = 50
    dns proxy = No
    wins server = 192.168.1.3
    name resolve order = wins host lmhosts
    ldap ssl = no
    log level = 5 passdb:5 auth:10 winbind:2
    syslog = 3
    domain master = no
    domain logons = no

I sent an email to this list yesterday and I thought I should email back to remind everyone. I am a total newbie and would like as much help as possible. Thank you in advance.

FYI: As it stands, I have samba as our member server only and am using it to host filesharing. Our users log in to the domain using domain accounts.
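A small checker for the two configurations quoted in this thread, added here as an example (it is not code from the posters or from the Samba project): it parses a [global] section, reports whether the settings describe a domain member or a PDC, and checks the two smb.conf preconditions from the quoted HOWTO steps. The role logic is a simplified model, the function names are hypothetical and the sample configs are abbreviated from the thread; testparm remains the authoritative check.

```python
import re

# Constructed samples: abbreviated from the two [global] sections quoted in the thread.
MEMBER_CONF = """# Global parameters
[global]
workgroup = MyDomain
security = domain
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
domain master = no
domain logons = no
"""
PDC_CONF = """[global]
workgroup = mydomain
passdb backend=tdbsam
security = user
domain master = yes
domain logons = yes
"""
TRUE = {"yes", "true", "1"}

def parse_global(text):
    """Return the [global] parameters. Names are matched ignoring case and
    spaces, so 'passdbbackend' and 'passdb backend' are the same key."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def server_role(p):
    """Simplified model (an assumption) of how Samba 3 derives its role."""
    security = p.get("security", "user").lower()
    logons = p.get("domainlogons", "no").lower() in TRUE
    master = p.get("domainmaster", "auto").lower()
    if security in ("domain", "ads"):
        return "member"
    if security == "user" and logons:
        return "bdc" if master in ("no", "false", "0") else "pdc"
    return "standalone"

def vampire_blockers(p):
    """Check the two smb.conf preconditions listed in the quoted HOWTO steps."""
    problems = []
    if p.get("domainmaster", "auto").lower() in TRUE:
        problems.append("domain master must be 'no' for the vampire step")
    if not p.get("passdbbackend", "").lower().startswith("tdbsam"):
        problems.append("passdb backend is not tdbsam")
    return problems
```

Run against the member-server config it reports no blockers for the vampire step; run against the later PDC config it reports the role as "pdc" and flags domain master, which is expected once the migration is finished.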
[Samba] Failed to fetch error message
I am trying to migrate our Windows NT 4 Domain to Samba 3.0.21b and got the error message below when I ran the command:

    net rpc vampire -S myPDC -U administrator%mypasswd
    Fetching DOMAIN database
    Failed to fetch domain database: NT_STATUS_ACCESS_DENIED

What I want to accomplish is to remove Windows NT 4.0 server as PDC and make Samba our Primary Domain Controller. Looking at Chapter 9, Migrating NT 4 Domain to Samba 3, in the Samba-3 By Example book, it is possible to merge or migrate an NT domain to Samba using the tdbsam backend. Can someone please point me in the right direction?

Thanks in advance.