Re: [Samba] Solaris 8 + Active Directory
Hi Steven,

On Wed, 7 Jan 2004, Steven Aizic wrote:

> Hi Jochen,
>
> 1) How do I know if my Solaris has libsendfile support?

/usr/lib/abi/abi_libsendfile.so.1
/usr/lib/abi/sparcv9/abi_libsendfile.so.1
/usr/lib/libsendfile.so
/usr/lib/libsendfile.so.1
/usr/lib/sparcv9/libsendfile.so
/usr/lib/sparcv9/libsendfile.so.1
/usr/share/man/sman3lib/libsendfile.3lib

You should have these files. If you don't have these files you should install the latest Maintenance Update (MU), since the files are only contained in a patch.

> 2) Where can I get these MIT-Kerberos header files?

You will need the complete distribution including binary files. You can get it here: http://web.mit.edu/kerberos/dist/index.html

After you have sendfile support and Kerberos you should compile Samba with the --with-kerberos=mit-install-base flag.

The libsendfile is not required, since Samba has its own which is used if no system library has been found. But I strongly recommend installing the MU since some other bugs are fixed in it.

Greetings
Jochen

> Thanks,
> Steven.
>
> ----- Original Message -----
> From: Jochen Schmidt [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 3:15 PM
> Subject: Re: [Samba] Solaris 8 + Active Directory
>
> Hi Steven,
>
> there is nothing special - if your Solaris has libsendfile support. Second, you need the MIT Kerberos since the Sun Kerberos doesn't provide any header files. Compile Samba with your needs and be happy.
>
> If you are happy with 3.0.0 you can use the (Sparc) binary package from http://www.millenux.com/~jschmidt/samba/solaris/8/
> This package has cups and kerberos support statically compiled in. The installation base is /opt/samba3
>
> I think I will compile 3.0.2pre1 this weekend on Solaris 8. If you want I can inform you when the binaries are out.
>
> Greetings
> Jochen
>
> On Wed, 7 Jan 2004 [EMAIL PROTECTED] wrote:
>
> > Good Day All,
> >
> > I'm looking for a HowTo on how to compile/install/configure Samba 3.0.1 with Active Directory support running on Solaris 8, i.e. the Samba server should be able to authenticate against a Windows 2000 Active Directory.
> >
> > Is there any such document? I've searched and have come up empty.
> >
> > Thank you kindly.
> > Steven.

--
Kind regards
Jochen Schmidt

Jochen Schmidt [EMAIL PROTECTED]
Mi||enux GmbH              mobile: +49.175.5752483
Lilienthalstraße 2         phone: +49.711.88770.300
70825 Stuttgart-Korntal    fax: +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
PGP Fingerprint: 6F9A 85CE 78EA 7EF1 B2BA 3559 8FA1 2B13 098D 20B5

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] announcing getent passwd database as domain users without winbind?
Hi,

does anyone know if it is possible to implement a Samba setup using domain users without the use of winbind?

I have the following environment:

- LDAP server with every user information (Single Point of Administration)
- Groups and users (also the mappings and the passwords) are replicated into the ADS domain
- The ADS is needed to get Group Policies working.
- The file server is Linux with pam_ldap and nss_ldap, so all users are always there.

If I use winbind, I have every user twice on the Linux system: second the user generated by winbind (used from Windows clients) and first the normal LDAP user (used from any Unix workstations). Since the usernames and group memberships are defined in LDAP I want to use only the LDAP user database.

If I disable winbind I will no longer be able to add/modify/delete Security Records (or simple ACLs) using the Windows GUI. If I enable winbind this is possible, but the UID used is the one generated by winbind and not the Unix UID, so that the user can't access his files from Unix :(

Is there a working solution for this?

thanks
Jochen
Re: [Samba] Solaris 8 + Active Directory
Hi Steven,

there is nothing special - if your Solaris has libsendfile support. Second, you need the MIT Kerberos since the Sun Kerberos doesn't provide any header files. Compile Samba with your needs and be happy.

If you are happy with 3.0.0 you can use the (Sparc) binary package from http://www.millenux.com/~jschmidt/samba/solaris/8/
This package has cups and kerberos support statically compiled in. The installation base is /opt/samba3

I think I will compile 3.0.2pre1 this weekend on Solaris 8. If you want I can inform you when the binaries are out.

Greetings
Jochen

On Wed, 7 Jan 2004 [EMAIL PROTECTED] wrote:

> Good Day All,
>
> I'm looking for a HowTo on how to compile/install/configure Samba 3.0.1 with Active Directory support running on Solaris 8, i.e. the Samba server should be able to authenticate against a Windows 2000 Active Directory.
>
> Is there any such document? I've searched and have come up empty.
>
> Thank you kindly.
> Steven.
Re: [Samba] Samba 3 and W2K3 AD integration problems
Hi Rob,

RedHat uses MIT Kerberos 1.2.7. I suggest you use krb version 1.3.1. You can find precompiled RPMs for RedHat Enterprise Linux 3 at http://www.millenux.com/~jschmidt/samba/linux/rhas3/ . Maybe they also work with RH8.

Greetings
Yoshi

On Sun, 4 Jan 2004, Rob Mokkink wrote:

> All,
>
> Have already got Samba 3 and W2K AD integration working in production without any problems.
>
> I have set up a test domain to test W2K3 and Samba 3 on a Red Hat 8 server.
>
> I did the following:
>
> * Have set up the NTP daemon to synchronize time with the W2K3 domain controller.
> * installed the latest Kerberos packages for Red Hat 8, made sure that krb5-workstation is installed.
> * installed the samba 3 rpm's from www.samba.org
> * configured the smb.conf like this
>
> [global]
>     workgroup = TEST
>     realm = TEST.CORP
>     server string =
>     security = ADS
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     ldap ssl = no
>     idmap uid = 1-65000
>     idmap gid = 1-65000
>
> [homes]
>     comment = Home Directories
>     read only = No
>     hosts allow = 192.168.0.0/24
>     browseable = Yes
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     printable = Yes
>     browseable = Yes
>
> * this is my krb5.conf
>
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     ticket_lifetime = 24000
>     default_realm = TEST.CORP
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>
> [realms]
>     TEST.CORP = {
>         kdc = 192.168.0.50:88
>         admin_server = 192.168.0.50:749
>         default_domain = test.corp
>     }
>
> [domain_realm]
>     .test.corp = TEST.CORP
>     test.corp = TEST.CORP
>
> [kdc]
>     profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 36000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = false
>     }
>
> * I did a kinit [EMAIL PROTECTED], this worked
> * then net join -U [EMAIL PROTECTED]
> * I saw in the W2K3 server that the Linux server was successfully integrated into AD.
> * from the Linux server I issued a smbclient //DCSRV01/C$ -k, this worked
> * then from the W2K3 server I tried to go to the administrator share on the Linux server: \\RH8SMB\administrator
> * I got a box which asked me for my username and password, I typed it in and it did not work
> * if I go to the share by IP address it works: \\192.168.0.55\administrator or \\192.168.0.55
>
> In the log files I found this:
>
> smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
>
> I tried the option:
>
> use spnego = yes
>
> All with the same result.
>
> Has anyone found a solution for this problem?
>
> Regards,
>
> Rob
[Samba] Samba Statistics Tool?
Hi,

does anybody know a good tool to present management-aware statistics of Samba?

thanks for your help!
Yoshi
[Samba] Problem with , in Common Name when running samba3 as ADS Member (Problem with Group-Contents)
/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=FIBU HSt,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 1 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Steinle Solution Factory,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 1 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[...]
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Waldherr\, Bernhard,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 0 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[2003/12/02 12:24:24, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (distinguishedName=CN=Damaschke\, Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de) gave 0 replies
[2003/12/02 12:24:24, 3] nsswitch/winbindd_ads.c:dn_lookup(361)
  ads: dn_lookup
[...]
- debug level 99 winbindd -

As you can see in the last few lines, CN=Damaschke\, Klaus,OU=Benutzer,DC=testenvironment,DC=millenux,DC=de gave 0 replies from the LDAP server. The syntax of this entry is LDAP v3 compliant (ftp://ftp.rfc-editor.org/in-notes/rfc2253.txt - Section 2.4).

- If you use ldapsearch from the openldap packages you get an ldap_search_ext: Bad search filter (87)
- If you remove the backslash (which escapes the ,) the ldapsearch will succeed

3. Reproduce

0. Memorize your group memberships (using getent group or similar things)
1. Open your Active Directory Users and Computers
2. select one user.
3. left click on the selected user to get a cursor within the name
4. insert a comma into the name
5. a window "Rename User" will pop up
6. the Common Name (not the Display Name) has a comma
7. click OK
8. only to be sure: restart winbind (or flush cache or whatever)
9. get the group memberships (getent group)
10. make a diff between the results of 0. and 9.
11. Oops

4. Future

We currently think this is an openldap issue. We will track down this issue and find a suitable solution for this problem.

5. Comments, Flamewars, are always welcome

Greetings
Jochen
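The two failing lookups in the log above place an RFC 2253 DN, `\,` escape included, directly inside a search filter. Filter syntax (RFC 2254, section 4) requires a backslash to be followed by two hex digits, so the DN's own backslash has to be written as `\5c`. The C code below is an added example, not code from Samba or from the original post; the function names are hypothetical and the sample DN is the one shown in the log.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 2254, sect. 4):
 * '*', '(', ')' and '\' become a backslash plus two hex digits. NUL cannot
 * occur in a C string, so it needs no case here. Caller frees the result. */
char *ldap_filter_escape(const char *value)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);      /* worst case: every byte escaped */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            *p++ = '\\';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Return 1 if every backslash in the filter is followed by two hex digits,
 * 0 otherwise. This checks only the escape rule, not the whole grammar. */
int ldap_filter_escapes_valid(const char *filter)
{
    for (const char *p = filter; *p != '\0'; p++) {
        if (*p != '\\')
            continue;
        if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
            return 0;
        p += 2;
    }
    return 1;
}

/* Build "(distinguishedName=<escaped dn>)" in buf. Returns 0 on success,
 * -1 if memory runs out or buf is too small. */
int build_dn_filter(const char *dn, char *buf, size_t buflen)
{
    char *esc = ldap_filter_escape(dn);
    int n;

    if (esc == NULL)
        return -1;
    n = snprintf(buf, buflen, "(distinguishedName=%s)", esc);
    free(esc);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    /* DN as it appears in the winbindd log (RFC 2253 string form). */
    const char *dn = "CN=Damaschke\\, Klaus,OU=Benutzer,"
                     "DC=testenvironment,DC=millenux,DC=de";
    char raw[256], safe[256];

    snprintf(raw, sizeof raw, "(distinguishedName=%s)", dn);
    printf("raw  valid=%d %s\n", ldap_filter_escapes_valid(raw), raw);
    if (build_dn_filter(dn, safe, sizeof safe) == 0)
        printf("safe valid=%d %s\n", ldap_filter_escapes_valid(safe), safe);
    return 0;
}
```

Escaping the whole DN, rather than only checking it, also covers DNs that use the RFC 2253 hex form such as `\2C`, which a filter parser would otherwise decode to a bare comma.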
Re: [Samba] Translation samba 3 how to in german, Übersetzung des Samab 3 How to ins deutsch
Hi,

I'm also willing to translate a part of the HOWTO.

John: who is the master of the current Samba-HOWTO-Collection and where is the HOWTO held? I haven't found it in the samba CVS tree.

Greetings
Yoshi

On Fri, 7 Nov 2003, rruegner wrote:

> Hello everyone,
>
> I would like to translate the Samba documentation into German. I have been working with Samba for a long time and think it would not be an excessive effort. However, since I mostly use Samba as a PDC, I am not so technically familiar with some features (Samba and LDAP with a Windows server, etc.). I would be glad if some Germans joined in so that we could correct each other technically and grammatically.
>
> Regards
> RRuegner
>
> Hi Sambatistas,
>
> I am looking for some people who would help to translate the Samba 3 docs to German. As I have been working with Samba for years I think this should not be a big problem. But most of the time I used Samba as PDC, so I am afraid that I will make technical mistakes in some chapters I never used, so people who want to take part to help with translations and debug each other will be needed.
>
> Best Regards
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Christoph

On 31 Oct 2003, Andrew Bartlett wrote:

> On Fri, 2003-10-31 at 21:41, [EMAIL PROTECTED] wrote:
> > Hi Jochen et al,
> >
> > that worked fine, though if I get it right everyone can now read the active directory structure (?)
>
> No, you still need to authenticate, but nothing stops an attacker from 'stealing' the TCP/IP connection, if they control the network.

If you want to see what *everybody* can see, try an

ldapsearch -x -b dc=MYDOMAIN,dc=DE -h adscontroller -p 389

on a UNIX box.

> > Connecting to the samba machine results still in errors, but that may be something stupid on my behalf too...
> >
> > thanks for helping
> > ~christoph
> >
> > connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine ADC1. Error was : NT_STATUS_UNSUCCESSFUL.
>
> You will need to turn up the debug level - it will probably be something simple...

I've attached my own configuration I use on an ADS domain member. The winbind stuff comes from another LDAP server and has no relation to the ADS LDAP. If you don't use winbind you won't need the winbind section.

You should first do the kinit [EMAIL PROTECTED] and then a net ads join.

Greetings
Jochen

# smb.conf
#
# Samba ADS member configuration
#
#
# (C) 2003 Thinking Objects Software GmbH
# Lilienthalstrasse 2/1
# 70825 Stuttgart-Korntal
# DE
# Web: http://www.to.com/
# Email : [EMAIL PROTECTED]
# Phone : +49.711.88770.400
# Fax: +49.711.88770.449
# Hotline: +49.711.88770.444 [EMAIL PROTECTED]
#
# Author: Jochen Schmidt
# $Id: smb.conf,v 1.3 2003/10/16 15:54:38 root Exp $
#
# Global parameters
[global]
    # General
    workgroup = TOPALIS-GROUP
    realm = TOPALIS-GROUP.TO.COM
    netbios name = saaac000
    server string = Thinking Primary Domain Server
    comment = by Thinking Objects Hotline
    debuglevel = 3
    unix charset = CP850
    load printers = no
    disable spoolss = no

    # Paths/Interfaces
    lock directory = /var/cache/samba/saaac000
    pid directory = /var/cache/samba/saaac000
    private dir = /var/cache/samba/saaac000/private
    log file = /var/log/samba/%m.c000
    log level = 1
    bind interfaces only = yes
    interfaces = 3.8.8.107/255.255.255.0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    wins support = No
    name resolve order = host lmhosts

    # Winbind
    idmap backend = ldap:ldap://3.8.8.103/
    idmap uid = 4-5
    idmap gid = 4-5
    ldap idmap suffix = ou=idmap,o=topalis-group
    ldap admin dn = cn=admin,o=topalis-group
    winbind use default domain = no

    # Security
    security = ADS
    use spnego = Yes
    client signing = Yes
    client use spnego = Yes
    encrypt passwords = Yes
    guest account = nobody

    # Domain stuff
    domain master = no
    domain logons = no
    preferred master = no
# EOF
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Christoph,

On Wed, 29 Oct 2003 [EMAIL PROTECTED] wrote:

> I'm using the production release of 3.0.0 and can not join a W2003 domain:
>
> [printsrv4] /spool/samba-3.0.0/bin $ ./net -d 10 ads join -Uhumpty_dumpty
> [2003/10/29 15:35:39, 3] libads/sasl.c:ads_sasl_spnego_bind(191)
>   got [EMAIL PROTECTED]
> [2003/10/29 15:35:39, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
>   krb5_cc_get_principal failed (No credentials cache found)
> [2003/10/29 15:35:40, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
>   Got KRB5 session key of length 16
> [2003/10/29 15:35:40, 1] utils/net_ads.c:ads_startup(181)
>   ads_connect: Strong authentication required

Maybe your Domain only allows NTLMv2. See smb.conf Manpage about client ntlmv2 auth (and maybe also about client schannel, client signing, client use spnego)

Greetings
Jochen

> [2003/10/29 15:35:40, 2] utils/net.c:main(758)
>   return code = -1
>
> The krb5 token looks OK:
>
> [printsrv4] /spool/samba-3.0.0/bin $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 10/29/03 13:48:09  10/29/03 23:48:18  krbtgt/[EMAIL PROTECTED]
>         renew until 10/30/03 13:48:09
>
> Kerberos 4 ticket cache: /tmp/tkt0
> Principal: [EMAIL PROTECTED]
>
> Issued             Expires            Principal
> 10/21/03 15:42:14  10/22/03 17:08:35  [EMAIL PROTECTED]
> 10/21/03 15:42:14  10/22/03 17:08:35  [EMAIL PROTECTED]
> 10/22/03 15:18:13  10/22/03 17:13:13  [EMAIL PROTECTED]
Re: [Samba] can't join W2003 domain with 3.0.0 (krb ticket is OK though)
Hi Christoph,

please try the following:

- Open dsa.msc as Domain Administrator.
- Right-click your AD domain and select Properties
- Select the Group Policy tab and edit your policy (or the Default Domain Policy)
- Select Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
- Define the policy "Network security: LDAP client signing requirements" to none

Please respond if this helps or not!

Jochen

On Thu, 30 Oct 2003, Christoph Beyer wrote:

> Hi Andrew et al,
>
> thank you for the tip, is there any way to get around this, my windows admins don't know how to disable this feature. Is it possible to set it on a 'per host base' on the windows side, if yes: where ?
>
> Are there plans to realize the feature in an upcoming release in the near future ?
>
> thanks again for any advice !
> ~christoph
[Samba] Samba 3beta2/3 with ldapsam as PDC dont advice itself
Hi,

I have a problem with samba3 (with ldapsam). I've set up my samba3 beta2 (also tried beta3) as a PDC, but it seems that Samba does not announce its DOMAIN correctly. I don't see my JOCHENGROUP domain from any Windows workstation. I can search for the name of my PDC using the 'Search Computer' function and Windows will find it. I can double-click the PDC and log in using the created test users and browse the shares. This seems to be OK.

The thing which won't work is the PDC functionality of Samba. Samba as a standalone file server seems to work fine.

Environment:

- Samba3 on RedHat AS2.1 (self-compiled) with external WINS
- Samba3 on RedHat AS2.1 (self-compiled) with internal WINS (isolated network)
- Samba3 on RedHat 7.3 (self-compiled) with internal WINS (isolated network)
- Samba3 on RedHat 7.3 (pre-compiled) with internal WINS (isolated network)

Isolated network means no changes to the machines, only cut the uplink cable to the rest of the network.

I think it is an LDAP problem, but I can't find anything. I've attached my Samba config, an LDIF file from my LDAP (eDirectory 8.7.0.3 on Linux) and the converted eDir samba schema for beta2 and beta3 as LDIF.

Does anyone have a hint for me how to solve my problem? (I've searched the ML and it seems that I'm the only one with this problem.)

thanks,
Jochen