[Samba] Samba4 server not visible from windows network
Hi people:

I recently installed a Samba 4.0.3 server in a small company. Users are still working as a workgroup -not as an NT nor ADS domain yet- using Windows XP and Windows 7.

Everything seems to be working fine except for one thing: Windows clients can't find the samba server from the Windows Network Places (My Network Places - Entire Network - ...). Just the rest of the Windows machines appear, but not the samba server. The samba server only becomes accessible if I try to access it directly using Start - Run - \\netbiosname. This didn't happen when I had Samba 3.x.

I tried from a windows command line something like this:

C:\ nbtstat -a netbiosname
C:\ nbtstat -c

Those commands shown above give me the right netbios name and ip address of my samba server.

Even when Windows clients use the IP address of my samba4 server as a unique DNS address, things don't seem to get fixed. Anyway, if windows clients are still working just as a workgroup I think the DNS server in this case isn't important. By the way, nobody uses WINS here.

Do you know what could cause this problem? I hope someone can give me some ideas.

Thanks in advance.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Basic questions regarding Samba capabilities
Hi, thanks for your reply:

On Mon, May 21, 2012 at 7:51 AM, Aaron E. ssures...@gmail.com wrote:

> First, I'm not sure if you're speaking of samba4 or just upgrading your s3 domain structure .. my comments are based on samba4 hope it helps ..

Actually I was thinking about using a stable version of Samba like 3.x. I know that Samba 4 is still being developed for many years. Do you really suggest me to use this alpha version of Samba4 for a critical environment like the one I described?

It would be great to have an Open Source ADS implementation with Samba4 but for now I think I can just get as much as possible of features that Samba 3.x can offer me.

> Policies: --
> Group policy works with S4.. So whatever group policies you can set in windows DC you can set on the S4 dcs..

What tool do you use to edit/create policies? I was reading a little about the native MS Windows 2000 tool for policy editing but if you suggest me to use Samba4 I believe you could recommend me to use the Windows 2003/2008 policy editor or something like that?

> Scalability --
> 1PDC and several BDCs would be your answer. Essentially you're going to create the same infrastructure as you would with the windows family of servers. instead of multiple pdc's you'd use bdc's in different vlans.. or RODC's but I am not sure where the RODC's are in terms of completeness.

I'm sorry but I have never heard about RODCs before. Are they read only primary or backup domain controllers? How do they work?

> Backend --
> OPENLDAP isn't supported as a back-end.. I believe that your only option is to use the built-in samba4 back-end at this point..
>
> Compatibility --
> there are no special steps in joining windows 7 or 2008 servers to the S4 domain.. There is an upgrade script that should pull your users and computers to the new domain, obviously this would require extensive testing in your environment.

Thanks for all

> On 05/20/2012 11:32 AM, Jason Voorhees wrote:
>
> > Hi people:
> >
> > I've been using Samba for a long time with some basic features like Samba working as a PDC, integrated with OpenLDAP, being a print server, among others, for a small number of almost controlled users (no more than 30 or 50 users).
> >
> > But now I'm interested to implement a Windows domain using Samba for a University with 6000-8000 users distributed through several VLANs, subnets, offices in a medium/big campus. I'd like to avoid using a proprietary solution like Windows 2008 with ADS so I'd like to know some suggestions like these:
> >
> > Policies:
> > ===
> > - How well can Samba manage policies for workstations?
> > - Is it easy or safe to apply and/or remove policies from workstations?
> > - What kind of things can I allow or deny from succeeding in workstations using policies? For example: could I avoid users from changing the IP address of the workstation? Could I set a fixed wallpaper or internet explorer proxy settings to workstations?
> >
> > Scalability
> > In a big scenario like the previous I mentioned:
> > - How many BDCs would be needed? Is it enough to have 1 PDC and several BDCs?
> > - Is it possible to have multiple PDCs of the same domain each one being in a different VLAN? or, what's the right approach in terms of structure-architecture to implement PDCs and BDCs?
> >
> > Backend
> > ===
> > Definitely I plan to use OpenLDAP as backend but, similar to the previous question about BDCs: how many Master/Slave OpenLDAP servers do you think it would be necessary? It could be 1 BDC+OpenLDAP (slave or master) for each office or VLAN?
> >
> > Compatibility:
> > ===
> > - I know that there are some procedures to join Windows 7 to Samba domain, I did this before successfully. Do you know -maybe- of another possible compatibility problem that you suggest I can be prepared for?
> > - If after some time (weeks, months or years) I plan to replace this Samba based domain to Windows 2k ADS domain: is it possible to do this migration without problem? it isn't necessary to reinstall all the domain and rejoin all the workstation?
> >
> > Technically I can investigate how to implement each of these features (policies, BDCs, openldap, etc...) but before taking a decision like this I would like to have some suggestions of people that have done similar implementations before. This help it would be excellent for me, I hope some one can help.
> >
> > Thanks
Re: [Samba] Basic questions regarding Samba capabilities
Hi:

On Mon, May 21, 2012 at 8:01 AM, Daniel Müller muel...@tropenklinik.de wrote:

> In a such great environment like yours I would suggest having several PDCs in replication mode.

Is this possible to implement with Samba 3.x?

> ---
> IT
> Daniel Müller
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
[Samba] Basic questions regarding Samba capabilities
Hi people:

I've been using Samba for a long time with some basic features like Samba working as a PDC, integrated with OpenLDAP, being a print server, among others, for a small number of almost controlled users (no more than 30 or 50 users).

But now I'm interested to implement a Windows domain using Samba for a University with 6000-8000 users distributed through several VLANs, subnets, offices in a medium/big campus. I'd like to avoid using a proprietary solution like Windows 2008 with ADS so I'd like to know some suggestions like these:

Policies:
===
- How well can Samba manage policies for workstations?
- Is it easy or safe to apply and/or remove policies from workstations?
- What kind of things can I allow or deny from succeeding in workstations using policies? For example: could I avoid users from changing the IP address of the workstation? Could I set a fixed wallpaper or internet explorer proxy settings to workstations?

Scalability
In a big scenario like the previous I mentioned:
- How many BDCs would be needed? Is it enough to have 1 PDC and several BDCs?
- Is it possible to have multiple PDCs of the same domain each one being in a different VLAN? or, what's the right approach in terms of structure-architecture to implement PDCs and BDCs?

Backend
===
Definitely I plan to use OpenLDAP as backend but, similar to the previous question about BDCs: how many Master/Slave OpenLDAP servers do you think it would be necessary? It could be 1 BDC+OpenLDAP (slave or master) for each office or VLAN?

Compatibility:
===
- I know that there are some procedures to join Windows 7 to Samba domain, I did this before successfully. Do you know -maybe- of another possible compatibility problem that you suggest I can be prepared for?
- If after some time (weeks, months or years) I plan to replace this Samba based domain to Windows 2k ADS domain: is it possible to do this migration without problem? it isn't necessary to reinstall all the domain and rejoin all the workstation?

Technically I can investigate how to implement each of these features (policies, BDCs, openldap, etc...) but before taking a decision like this I would like to have some suggestions of people that have done similar implementations before. This help it would be excellent for me, I hope some one can help.

Thanks
[Samba] Samba shares and MS Office 2010 locking
Hi people:

I'm using Samba 3.5.11 with some sharing settings like these:

    [global]
        workgroup = MARKETING
        netbios name = SMBSERVER
        server string = Samba, OpenLDAP Server
        obey pam restrictions = Yes
        passdb backend = ldapsam:ldap://localhost;
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        client lanman auth = Yes
        log level = 2
        log file = /var/log/samba/samba.log
        time server = Yes
        printcap name = cups
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel %u
        add group script = /usr/sbin/smbldap-groupadd -p %g
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        logon path =
        logon home =
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=admin,dc=marketing-alterno,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=people
        ldap machine suffix = ou=machines
        ldap passwd sync = yes
        ldap suffix = dc=marketing-alterno,dc=com
        ldap ssl = no
        ldap user suffix = ou=people

    [sharing]
        path = /var/samba/sharing
        valid users = @accounting, @Domain Admins
        admin users = @Domain Admins
        read only = No
        inherit permissions = Yes
        vfs objects = recycle
        recycle:exclude = *.tmp|*.TMP|*.temp|*.o|*.obj|~$*|*.~??|*.log|*.trace
        recycle:versions = yes
        recycle:keeptree = yes
        recycle:repository = .trash

Many times when a user opens, modifies and then closes an Office 2010 document (Word, Excel, Power Point), the file keeps locked. A different user tries to open the file and gets an error message related to locking, read only permissions or something similar. After an unknown amount of time (it could be seconds, minutes, I'm not sure how long) the locking seems to disappear.

I tried some option settings related to file locking without success. There are so many options that using the right combination of them to achieve the expected result is difficult for me.

Has anybody experimented and solved this issue? I hope someone can help me.

Thanks
[Samba] Access to administrative shares on Windows
Hi people:

I'm running Samba 3.0.33 and 3.3.5 (both just for testing at different installations) under CentOS Linux 5.5. My Samba server is configured as PDC with an LDAP backend based on OpenLDAP+smbldaptools+gosa.

I understand this:

1. Every Windows machine has a local Administrators group.
2. When a Windows machine joins my Samba domain (named MYDOM), the group MYDOM\Domain Admins is added to the local Administrators group of the Windows machine.
3. According to (2), root account is a member of MYDOM\Domain Admins group, I can verify this as follows:

    # net rpc group members Domain Admins
    MYDOM\root

4. Every Windows machine by default shares C$, ADMIN$ and IPC$ as administrative shares and they grant access to the local Administrators group of the machine, and so to MYDOM\Domain Admins as a consequence of being previously joined to the domain.

Are these four assumptions right? If yes I think it should be true that:

- I would be able to access the C$ share of a machine joined to the domain using the credentials of MYDOM\root account

Am I right? If yes, could someone tell me why this assumption isn't working in my scenario? Every time I try to access C$ share with MYDOM\root credentials I just get the login window again and again (similar to when someone puts a wrong password).

I tried to find some logging at Samba but I didn't find anything obvious, I even enabled all security policies audit at Windows but its log doesn't show anything useful.

My smb.conf looks like:

    [global]
        workgroup = MYDOM
        netbios name = SAMBAPDC
        server string = Samba PDC Server
        passdb backend = ldapsam:ldap://127.0.0.1
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 3
        log file = /var/log/samba/log
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/bin/smbldap-useradd -m %u
        delete user script = /usr/bin/smbldap-userdel %u
        add group script = /usr/bin/smbldap-groupadd -p %g
        delete group script = /usr/bin/smbldap-groupdel %g
        add user to group script = /usr/bin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/bin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        logon path =
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        ldap admin dn = uid=mailadmin,ou=users,dc=mydom,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=computers
        ldap passwd sync = Yes
        ldap suffix = dc=mydom,dc=com
        ldap ssl = no
        ldap user suffix = ou=users
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 1-2
        idmap gid = 1-2

Ok I know my configuration isn't perfect, surely there are some directives that aren't necessary but I hope someone can help me with this.

Thanks
[Samba] Samba groups membership
Hi all:

I was running Samba 3.0.x (from CentOS 5 repository) integrated with OpenLDAP as a complete PDC solution that worked fine for several months. As we needed to join Win7 computers to the domain I upgraded to Samba 3.5.3 keeping my Samba configuration the same.

We found that after this upgrade the root account of the domain wasn't able to access C$, D$ or other administrative resources of Windows machines. After looking for a solution I found some issues that I'm not really sure if they appeared as a consequence of the upgrade. I found this:

    # net groupmap list

returns this:

    users (S-1-5-21-895592719-3520082440-1574223224-2001) - jpp
    Account Operators (S-1-5-32-548) - Account Operators
    Administrators (S-1-5-32-544) - Administrators
    Backup Operators (S-1-5-32-551) - Backup Operators
    Domain Admins (S-1-5-21-895592719-3520082440-1574223224-512) - Domain Admins

... among other groups

    # smbldap-groupshow Domain Admins

... returns this:

    dn: cn=Domain Admins,ou=groups,dc=mintra,dc=gob,dc=pe
    cn: Domain Admins
    gidNumber: 512
    description: Netbios Domain Administrators
    displayName: Domain Admins
    objectClass: posixGroup,sambaGroupMapping
    sambaGroupType: 2
    sambaSID: S-1-5-21-895592719-3520082440-1574223224-512
    memberUid: mescalante,jhuarancca,kaguilar,olmontero,ycabezas,arojas,secretaria_tecnica,graymundo,dpenadillo,jbarreda,lquevedo,hurquizo,mnicho,root

... so I can see that root is a member of this Domain Admins group, but...

    # net rpc group members Domain Admins

... returns nothing! The same happens when querying other Samba groups. I don't know why this command doesn't return the list of members of this group.

Well, I just tried to add a user manually:

    # net rpc group addmem Domain Admins someuser -U root

and it returns this:

    Could not add someuser to Domain Admins: NT_STATUS_ACCESS_DENIED

Does anybody know why I can't add a user to the group? Why isn't the Samba net utility showing the list of members of my groups?

I know that the Domain Admins group determines who can take control of machines joined to the Domain, but after the upgrade to Samba 3.5.x the list of members isn't working correctly.

I would appreciate some help regarding this. I don't know if I need to add some extra configuration to smb.conf. I hope someone can help me.

Thanks

P.D.: Sorry, my English isn't too good
Re: [Samba] please help me PLEASEEEEEEEE
On Fri, Mar 13, 2009 at 3:58 AM, ankit jariwala ankit...@gmail.com wrote:

> Dear ALL
>
> Please tell me how to configure Openldap in rhel 5
>
> Please send me links document
>
> Thanks in advance

Hey, I'm sure this link will be useful to you:

http://www.catb.org/~esr/faqs/smart-questions.html

After reading it, ask again how we can help you in specific problems related to SAMBA. Remember, this isn't the OpenLDAP mailing list, your question should be posted there maybe.

Bye

> Ankit Jariwala
> 9725655020
Re: [Samba] user y pass in winxp --share public
Hi:

On Fri, Mar 6, 2009 at 6:19 AM, Ariel Llauger Rabaza ariel.llau...@gmail.com wrote:

> Hello;
>
> I have samba 3.0.23d, in AIX server. This server are member of domain AD win2003. All OK.
>
> when access a share, my winXP, request me user and pass., this resource are public=yes

Are you logging Samba activity with 'log file' and 'log level' directives? You could get some useful information in the logs.

Anyway, I think more information from your configuration is necessary. Post smb.conf without comments. Is the WinXP machine joined to the domain?

> thanks
Re: [Samba] how to access samba server from remote location
Hi:

On Fri, Mar 6, 2009 at 9:16 AM, Muthukumaran Saravanan sarava...@ccatgroup.com wrote:

> Dear all,
>
> We have redhat 9 linux server configured with samba server. We have share folder in which we have lot of information. We want to all the users from our different branch office to access the samba server and share the information.

How are your branch offices connected? Are they communicating through a VPN connection? If yes, then I think that NetBIOS among other broadcast traffic will not pass through this VPN connection.

So all the remote users have to do is point to the Samba server by its IP address and their corresponding share name. Something like this would be executed at Windows:

\\IP_ADDRESS\sharename

Once connected, they will be able to use that share as a drive.

> In the local network we map the samba share folder as a drive. How to do the same in the remote location. Pls guide me.
>
> Regards
> M.Saravanan
> CCAT LTD
> 302, Koon Fook Centre, 9, Knutsford Terrace, T.S.T, Kowloon, Hong Kong.
> Phone: 28516318
> Mobile : 61000856
> Fax: 37434866
[Samba] Adding existing ldap users as Samba users
Hi people:

I have an LDAP server running OpenLDAP that serves authentication purposes to services like ftp, imap, openvpn, etc. Now I implemented a Samba PDC based on LDAP. I did the configuration with Samba 3.2.5 on Debian Etch and smbldap-tools.

I was able to join a WinXP workstation to my domain without problems but I can't login with any existing user in my LDAP directory. Then I added my user to the Samba database with smbpasswd -a myuser with the same current password of myuser.

Now, I need to enable all LDAP users as Samba users but I don't want to run smbpasswd for every user because I don't know their passwords.

What could be the solution to convert all my ldap users as samba users? Simply adding the corresponding objectClass and samba attributes to the users' ldap entries would be enough? If this is true, what value should I use for sambaNTPassword, sambaPasswordHistory, sambaSID, among other samba attributes?

I hope someone can help me a bit :(

Thanks :)
Re: [Samba] Adding existing ldap users as Samba users
Hi:

On Thu, Mar 5, 2009 at 4:35 PM, John H Terpstra - Samba Team j...@samba.org wrote:

> Jason Voorhees wrote:
>
> > Hi people:
> >
> > I have an LDAP server running OpenLDAP that serves authentication purposes to services like ftp, imap, openvpn, etc. Now I implemented a Samba PDC based on LDAP. I did the configuration with Samba 3.2.5 on Debian Etch and smbldap-tools.
> >
> > I was able to join a WinXP workstation to my domain without problems but I can't login with any existing user in my LDAP directory. Then I added my user to the Samba database with smbpasswd -a myuser with the same current password of myuser.
> >
> > Now, I need to enable all LDAP users as Samba users but I don't want to run smbpasswd for every user because I don't know their passwords.
>
> Have these users previously used Samba to connect to this server? Do you have an smbpasswd file or a tdbsam file?

No, they never used Samba to connect to the server nor login to the domain. My current PDC is a Windows NT Server 4.0. I'm using ldapsam as passdb backend pointing to my LDAP server that is in my network.

> If so, there is an easy way to migrate the SambaSAM account information so long as the uid and gid for each user has not changed. You can then execute:
>
>     pdbedit -i smbpasswd -e ldapsam
>
> or
>
>     pdbedit -i tdbsam -e ldapsam
>
> Those actions should copy the NT passwords into a SambaSAM account extension in your LDAP directory.

This would not be applicable to my case, right? Any idea?

> > What could be the solution to convert all my ldap users as samba users?
>
> The UNIX password hashes can not be converted into NT password hashes.
>
> > Simply adding the corresponding objectClass and samba attributes to the users' ldap entries would be enough? If this is true, what value should I use for sambaNTPassword, sambaPasswordHistory, sambaSID, among other samba attributes?
> >
> > I hope someone can help me a bit :(
> >
> > Thanks :)
>
> Cheers,
> John T.