[Samba] Re: Samba-OpenLDAP and AD question..
Hi Andrew..

> On Mon, 2006-10-30 at 13:14 -0800, John Little wrote:
>> Hi all
>>
>> We have slowly been migrating our NT4 domain to Samba+OpenLDAP. Today I was told that we were going to create an AD 'resource' domain, put all of the workstations in it and create a trust relationship between the two domains. In other words the users would be in the Samba+OpenLDAP domain and the workstations in the AD 'resource' domain. If it matters we have about 1750 workstations with about 2000 users.
>>
>> Is this a reasonable model to follow or thing to do?
>
> It depends on the reasons for creating the resource domain.
>
>> If we do this what sort of pitfalls, if any, should I expect to encounter? Any ideas, opinions, knowledge of this are greatly appreciated.
>
> It should work. In fact, I think I even tested it briefly at my site. It will just be an interdomain trust as far as Samba and AD are concerned.

My concern is that currently the machines are joined to the NT4 domain (AD has not been implemented as of yet). We have users in the Samba domain accessing shares on Windows servers joined to the NT4 domain. Occasionally these users cannot access a share and get a message about the trust relationship not working. This does not occur when the workstation is joined to the Samba domain. The workstations are Win XP Pro and Win2k. Note that I am not speaking of logon issues here, just of intermittent share access issues.

Since we are a hospital, patient safety and care is of utmost priority. Translated into IS terms, doctors and nurses have to access information quickly and when they need it. Hence my concern about keeping the workstations on the NT4 or AD domain. Are the trust relationships more stable with AD, or am I possibly missing something in my setup that would cause the intermittent access issues?

> Andrew Bartlett

Regards,
John Little

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Samba-OpenLDAP and AD question..
Hi all

We have slowly been migrating our NT4 domain to Samba+OpenLDAP. Today I was told that we were going to create an AD 'resource' domain, put all of the workstations in it and create a trust relationship between the two domains. In other words the users would be in the Samba+OpenLDAP domain and the workstations in the AD 'resource' domain. If it matters we have about 1750 workstations with about 2000 users.

Is this a reasonable model to follow or thing to do? If we do this what sort of pitfalls, if any, should I expect to encounter? Any ideas, opinions, knowledge of this are greatly appreciated.

Thanks,
John
[Samba] error message: Can't contact the NETLOGON pipe
Hi all,

I have two samba 3.0.21c + openldap domains set up and the appropriate trusts between them are functioning. Whenever a user logs in to the domain that the machine is not a member of, the logon script fails. The only hint I've been able to find are the following messages:

Apr 14 08:00:41 hrhmachdc1 winbindd[3923]: [2006/04/14 08:00:41, 1] nsswitch/winbindd_misc.c:winbindd_dual_getdcname(199)
Apr 14 08:00:41 hrhmachdc1 winbindd[3923]:   Can't contact the NETLOGON pipe
Apr 14 08:00:41 hrhmachdc1 winbindd[3977]: [2006/04/14 08:00:41, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
Apr 14 08:00:41 hrhmachdc1 winbindd[3977]:   cli_pipe_validate_current_pdu: RPC fault code NT code 0x1c010002 received from remote machine ARUBA pipe \lsarpc fnum 0x775c!

I have my nsswitch.conf file configured to look at files ldap winbind. Can someone steer me in the right direction of what I'm missing or misconfigured?

Thanks,
John
[Samba] wbinfo -u responds with Error looking up domain users
Hi all,

I have a Samba + LDAP PDC and BDC setup with a trust to an NT4 domain. I am using Samba 3.0.21c on SLES 9. HRH is the Samba domain and Hendricks is the NT4 domain. When using getent passwd and/or wbinfo -u on the PDC, all of the users from both domains are listed:

getent passwd:

<snip> HRH users:
njcloud:x:1034:1014:System User:/home/njcloud:/bin/bash
acrardi:x:1035:513:System User:/home/acrardi:/bin/bash
kkkiefe:x:1036:513:System User:/home/kkkiefe:/bin/bash
tgmarcu:x:1037:513:System User:/home/tgmarcu:/bin/bash
kakeese:x:1041:1011:System User:/home/kakeese:/bin/bash
<snip> Hendricks users:
HENDRICKS\acbevin:*:150009:15:Bevins, Armand C.:/home/HENDRICKS/acbevin:/bin/false
HENDRICKS\acdusa:*:150010:15:Dusa, Adrian C:/home/HENDRICKS/acdusa:/bin/false
HENDRICKS\achagga:*:150011:15:Haggard, Adalyn C.:/home/HENDRICKS/achagga:/bin/false
HENDRICKS\achatt:*:150012:15:Chattin, Apastra:/home/HENDRICKS/achatt:/bin/false
HENDRICKS\achousd:*:150013:15:Housden, Alison C.:/home/HENDRICKS/achousd:/bin/false
<snip>

Hendricks users from wbinfo -u on the PDC:

HENDRICKS\aghuffm
HENDRICKS\agmiran
HENDRICKS\ahdosse
HENDRICKS\ajbarto
<snip>

When using the same utilities from the BDC I get the message "Error looking up domain users" with wbinfo, and only the HRH (LDAP) users with getent passwd.

getent passwd (from the BDC, showing the LDAP users):

<snip>
mastewa:x:1309:513:System User:/home/mastewa:/bin/bash
eldewee:x:1310:513:System User:/home/eldewee:/bin/bash
mbsmall:x:1311:513:System User:/home/mbsmall:/bin/bash
xalicis:x:1312:513:System User:/home/xalicis:/bin/bash
aerober:x:1313:513:System User:/home/aerober:/bin/bash
<snip>

wbinfo -u (from the BDC):

hrhbdc01:/etc/samba # wbinfo -u
Error looking up domain users
hrhbdc01:/etc/samba #

I have the LDAP database replicating from the PDC to the BDC, which is working OK.

net rpc trustdom list shows the domains properly from the BDC:

hrhbdc01:/etc/samba # net rpc trustdom list
Password:
Trusted domains list:

HENDRICKS            S-1-5-21-1606818979-933581049-1307212239

Trusting domains list:

HENDRICKS            S-1-5-21-1606818979-933581049-1307212239

hrhbdc01:/etc/samba #

and the join to the HRH domain:

hrhbdc01:/etc/samba # net rpc testjoin
Join to 'HRH' is OK
hrhbdc01:/etc/samba #

Some relevant entries from smb.conf:

passdb backend = ldapsam:ldap://localhost ldap://hrhdc01.hrh.org ldap://fp3lb.hrh.org
wins server = 128.1.3.55
ldap admin dn = cn=Manager,dc=hrh,dc=org
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=hrh,dc=org
ldap user suffix = ou=People
idmap backend = ldap:ldap://localhost
idmap uid = 15-25
idmap gid = 15-25

I also upgraded to 3.0.21c directly from 3.0.15. What could be the problem with winbind on the BDC?

Thanks,
John Little
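An added check, not part of the thread and not Samba's own code, that a practitioner would run on both the PDC and the BDC before digging into winbind logs: parse the idmap uid range out of smb.conf and compare it with the number of trusted accounts expected, with the uidNumbers the LDAP accounts already occupy, and with a uid winbind has actually handed out. The smb.conf text below is constructed from the lines quoted in the post; the counts (about 2000 users, uidNumbers 1004..1313, uid 150009 for a HENDRICKS account) are taken from the posts in this thread. On those values the last check fails: 150009 does not lie in 15-25, so the host that printed that getent output is not allocating from the range quoted here.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for the winbind idmap ranges
# in smb.conf. The sample configuration is constructed from the lines quoted in
# the post; the account numbers used at the bottom come from the same thread.
SMB_CONF_SAMPLE='[global]
   passdb backend = ldapsam:ldap://localhost
   idmap backend = ldap:ldap://localhost
   idmap uid = 15-25
   idmap gid = 15-25
'

# idmap_range NAME CONF -> prints "LO HI" for a "NAME = LO-HI" line, nothing if unset
idmap_range() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" |
        head -n 1
}

# idmap_capacity NAME CONF -> how many ids the range can hand out (0 if unset)
idmap_capacity() {
    set -- $(idmap_range "$1" "$2")
    [ $# -eq 2 ] || { echo 0; return 0; }
    echo $(( $2 - $1 + 1 ))
}

# in_range ID LO HI -> true if LO <= ID <= HI
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# ranges_overlap LO1 HI1 LO2 HI2 -> true if the two closed ranges share any id
ranges_overlap() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# report CONF TRUSTED_USERS LDAP_LO LDAP_HI SEEN_UID -> one line per finding,
# returns 1 if anything is wrong with the "idmap uid" range in CONF
report() {
    conf=$1; want=$2; llo=$3; lhi=$4; seen=$5
    set -- $(idmap_range 'idmap uid' "$conf")
    if [ $# -ne 2 ]; then echo "idmap uid: not set, winbind cannot allocate uids"; return 1; fi
    lo=$1; hi=$2; rc=0
    cap=$(( hi - lo + 1 ))
    if [ "$cap" -lt "$want" ]; then
        echo "idmap uid = $lo-$hi gives $cap ids; $want trusted accounts will not all get a uid"; rc=1
    fi
    if ranges_overlap "$lo" "$hi" "$llo" "$lhi"; then
        echo "idmap uid = $lo-$hi overlaps the LDAP uidNumbers $llo-$lhi"; rc=1
    fi
    if ! in_range "$seen" "$lo" "$hi"; then
        echo "uid $seen handed out by winbind is outside $lo-$hi: that host is not using this range"; rc=1
    fi
    [ $rc -eq 0 ] && echo "idmap uid = $lo-$hi ok ($cap ids)"
    return $rc
}

# Worked run on the posted values (2000 users, LDAP uidNumbers 1004..1313,
# HENDRICKS uid 150009 seen in getent output).
report "$SMB_CONF_SAMPLE" 2000 1004 1313 150009 || true
```

Run the same report against /etc/samba/smb.conf on every host that runs winbindd; the mappings are shared through ou=Idmap in LDAP, so PDC and BDC have to agree on the range. One caveat worth checking on a BDC: idmap backend points at ldap://localhost, and if the local slapd is a read-only replica, winbind on the BDC cannot write a new mapping there unless the replica refers updates to the master.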
[Samba] Re: Proposal to allow owning group to edit ACLs.
> From: Jeremy Allison [EMAIL PROTECTED]
> Subject: [Samba] Proposal to allow owning group to edit ACLs.
> CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Date: Mon, 18 Jul 2005 15:47:31 -0700
> To: [EMAIL PROTECTED]
>
> Hi all,
>
> I've been spending some time with customers lately and I've discovered an interesting thing. Many IT departments completely delegate the settings on directory and file ACLs to the users who are interested in the data. For example, on a given share for Finance, the finance group is given full control on the containing directory (i.e. they're allowed to set ACLs on everything within it) and are left alone to sort out their access control as they wish.
>
> This is difficult on Samba with POSIX ACLs due to the fact that POSIX ACLs can only be changed by the owner of the file/directory or root. Windows semantics allow the owner of a file/directory to always change the ACL (as does POSIX), but the difference is that under Windows a group can be the owner of a file/directory, with no user owner at all.
>
> Now I know the correct way to fix this is full NT ACL semantics and we're moving towards that in the future, but an easy stop-gap solution for us is a new parameter, so I'm proposing a new parameter called acl group control. If set to True on a share then it would allow both the owning user and the *primary group owner* of a file or directory to change the ACL on it. This would allow a finance group to be the primary POSIX group owner of a shared directory and then any member of that group could set ACLs on it, whether they were the actual user owner or not. In conjunction with the ability to have group ownership of files/directories in a directory inherited from the parent by setting the SETGID bit on the directory, this should allow delegation of ACL control under Samba.
>
> Please let me know what you think. It's easy to add to the current code but I'd like to get some user feedback before I do so.
>
> Cheers,
> Jeremy.

Jeremy,

While we try to avoid that practice, at times it is easier to let the departments do it. Generally we set up the director or someone he designates as the owner to handle it so that it doesn't fly out of control. So yes, that would be a useful feature for us, and we could use the departmental admin group to make the changes.

Regards,
John Little
Hendricks Regional Health
Happiness is understanding how things work.
Re: [Samba] Antivirus for Windows with Linux administration console
> Hello,
>
> This is not a Samba question itself, but it's somewhat related to Samba. I am planning to replace the two Windows 2000 Server servers in a client company with two Samba PDCs with LDAP backend. Currently, those W2K servers hold the Active Directory and the antivirus management console. And this is the only nuisance we are finding when moving from Windows Server to Samba PDC.
>
> If you have a Windows Server and Windows workstations, everything is all right: you go to the server and deploy and manage the antivirus to the workstations from the antivirus' management console (Panda Antivirus for Business, in this case). The problem is what to do if you have a Linux server and Windows workstations. Every management console I know (Kaspersky's, Panda's, Symantec's, etc.) is for Windows Server.

You could try Crossover Office on the PDC for running the console. They have a trial version at http://www.codeweavers.com/ .

> Do you guys know any way to deploy and manage a Windows antivirus from a Linux server acting as a Samba PDC? (We are ready to move from Panda Antivirus to any other antivirus as long as they provided a Linux management console.)
>
> Dr.Web (www.drweb.com) once ago announced a Java based management console for their corporate edition antivirus. I don't like them much; I'm pretty fed up with running their antivirus for checking e-mail (and I'm happy with ClamAV since I replaced drweb with clamav :-). They are good programmers, but management is not very good. But if you pay money, probably they will pay more attention to your requests :-)
>
> Thank you.

Happiness is understanding how things work.
[Samba] Samba3, ldap and password expiry
Hi all!

We are using 1 Samba PDC and 2 BDCs (Version 3.0.15pre3-SVN-build-UNKNOWN-PS-SuSE) with openldap2-2.2.6-37.38 on SLES 9. New users set up OK and the first-logon password change works. Because of HIPAA we need the passwords to change every 30 days; however, this isn't happening. I thought that I had this working once upon a time while I was testing and getting ready for production, but somewhere along the line I must've changed something. At any rate we're moving into production (3 departments so far!) and this has come to my attention.

Other relevant data:

ldapsearch -x -b dc=hrh,dc=org (ObjectClass=*) > current_ldapsearch.txt

and looking up my account shows:

# jslittl, People, hrh.org
dn: uid=jslittl,ou=People,dc=hrh,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: jslittl
sn: jslittl
uid: jslittl
uidNumber: 1004
homeDirectory: /home/jslittl
loginShell: /bin/bash
gecos: System User
sambaSID: S-1-5-21-1418864132-1159184377-506600700-3008
description: domain admin
sambaKickoffTime: 0
sambaPasswordHistory:
sambaLogonHours: FF
sambaAcctFlags: [U ]
gidNumber: 512
sambaPrimaryGroupSID: S-1-5-21-1418864132-1159184377-506600700-512
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1116358396
sambaPwdLastSet: 1116358396
displayName: little, john
sambaProfilePath: \\hrhdc01\profiles\jslittl

from smbldap-tools.conf:

defaultMaxPasswordAge=30

under the Unix Accounts Configuration. We are using smbldap-tools-0.9.1-1 for this. Please let me know what else to check/change for this to work.

Regards,
John Little
Hendricks Regional Health
[Samba] Samba 3 dms doesn't allow access through interdomain trust
Hello everyone!

I have a little problem:

HRH = trusted domain (Samba 3)
Hendricks = trusting domain (NT4 SP6a)

Trusts are set up between the NT4 and Samba3 + OpenLDAP domain and appear to be working properly. When logged into the HRH domain on a W2k workstation I can view, read, and write on available shares for HRH groups and users on our Windows file servers. Whenever I try to see available shares on our Samba 3 domain member server I get the prompt for 'Incorrect password or unknown user name for fp3lb'. If I put in my Hendricks username and password it will let me in.

I have gone through the smb.conf(5) man page and tried all the settings that I could find for the smb.conf that might help. So far no luck. I have included some details and outputs from our setup below. If someone could tell me what I'm missing or where to go look I would appreciate it.

Best regards to all,
John Little
Network Engineer
Hendricks Regional Health
http://hendricks.org

Scenario

Samba versions in use:

HRH (trusted Samba 3 domain):
hrhdc01:~ # smbd -V
Version 3.0.10-SerNet-SuSE
hrhdc01:~ #

Hendricks (trusting NT4 SP6a domain):
fp3lb:/share2 # smbd -V
Version 3.0.11-SerNet-SuSE
fp3lb:/share2 #

NT4 SP6a Domain = Hendricks
Samba 3 OpenLDAP Domain = HRH

The interdomain trusts are set up:

From the NT4 domain using a Samba 3 domain member server (fp3lb):
fp3lb:~ # net rpc trustdom list -U jslittl
Password:
Trusted domains list:

HRH                  S-1-5-21-1418864132-1159184377-506600700

Trusting domains list:

HRH                  S-1-5-21-1418864132-1159184377-506600700

fp3lb:~ #

From the Samba OpenLDAP domain (HRHDC01, domain controller):
hrhdc01:~ # net rpc trustdom list
Password:
Trusted domains list:

HENDRICKS            S-1-5-21-1606818979-933581049-1307212239

Trusting domains list:

HENDRICKS            S-1-5-21-1606818979-933581049-1307212239

hrhdc01:~ #

getent passwd snippet from the Samba DMS on the Hendricks (trusting) domain:
ymculpe:x:12084:10003:Culpepper, Yvonne:/home/HENDRICKS/ymculpe:/bin/bash
ypmayer:x:12085:10003:Mayer Yvonne:/home/HENDRICKS/ypmayer:/bin/bash
ysbrown:x:12086:10003:Brown, Yong S.:/home/HENDRICKS/ysbrown:/bin/bash
zgeorg:x:12087:10003:George, Zachary:/home/HENDRICKS/zgeorg:/bin/bash
ztlcordet:x:12088:10003:ZZCordes, Theresa:/home/HENDRICKS/ztlcordet:/bin/bash
HRH+administrator:x:12372:10149:Administrator:/home/HRH/administrator:/bin/bash
HRH+nobody:x:12373:10149:nobody:/home/HRH/nobody:/bin/bash
HRH+root:x:12364:10149:root:/home/HRH/root:/bin/bash
HRH+jslittl:x:12363:10149:john little:/home/HRH/jslittl:/bin/bash

ACLs are working on the Samba DMS for the HRH (trusted) domain:
fp3lb:/share2 # setfacl -R -m u:HRH+jslittl:rwx test
fp3lb:/share2 # getfacl test
# file: test
# owner: jslittl
# group: infosys1
user::rwx
user:HRH+jslittl:rwx
group::rwx
mask::rwx
other::r-x

fp3lb:/share2 #

Mounting a share on a Windows (Hendricks, trusting domain) file server from HRHDC01 (HRH domain controller):
hrhdc01:~ # smbmount //newexchange/Documents /tmp/d01 -o username=HRH\\jslittl
Password:
hrhdc01:~ # l /tmp/d01
total 954
drwxr-xr-x   1 root root   4096 May 18 08:53 ./
drwxrwxrwt  16 root root    480 May 18 08:45 ../
-rwxr-xr-x   1 root root  98304 Jun 16  2004 Info Mgt Pln 05-01-16-04 Drft.doc*
-rwxr-xr-x   1 root root 221240 May 27  2004 STAFF.pdf*
-rwxr-xr-x   1 root root 146412 May 27  2004 VISITOR VOLUNTEER.pdf*
drwxr-xr-x   1 root root   4096 Nov  9  2004 _vti_cnf/
-rwxr-xr-x   1 root root  16058 May 18  2005 devotions.pdf*
-rwxr-xr-x   1 root root 202772 Mar  9 10:52 devotions.pdf.old*
-rwxr-xr-x   1 root root  80364 Jul 13  2004 menu.002*
-rwxr-xr-x   1 root root  61289 May 10 12:56 menu.pdf*
-rwxr-xr-x   1 root root  58940 Jul 19  2004 next.002*
-rwxr-xr-x   1 root root  80848 May 17 11:20 next.pdf*
hrhdc01:~ #

Attempting to mount a share on the Samba 3 (Hendricks, trusting domain) file server from HRHDC01 (HRH domain controller):
hrhdc01:~ # smbumount /tmp/d01/
hrhdc01:~ # smbmount //cluster1/test /tmp/d01 -o username=HRH\\jslittl
Password:
7159: session setup failed: ERRDOS - ERRnoaccess
SMB connection failed
hrhdc01:~ # l /tmp/d01
total 1
drwxr-xr-x   2 root root  48 May 18 04:06 ./
drwxrwxrwt  16 root root 480 May 18 09:00 ../
hrhdc01:~ #
[Samba] Samba 3, SLES 9 and ldap
Hi all,

I am using Chapter 6 of the Samba by Example series from the web site to set up our LDAP server. When I issue the command net getlocalsid I receive the following error:

lib/smbldap.c:smbldap_search_suffix(1159)
  smbldap_search_suffix: Problem during the LDAP search: (No such object)
SID for domain SLES9T is: S-1-5-21-1056785705-3799760564-261985621

Based on some Google searches I tried setting the machine to PDC, BDC and standalone, all of which generated the error. I am not sure where to go looking for my error. I would appreciate it if someone could steer me in the right direction or tell me some things to check.

Thanks!
John Little
Network Engineer
Hendricks Regional Health
[Samba] Re: Samba with winbind trouble
Try

smbclient //pxtest/tli -o username=yourdomain\tli

or, if you have a separator in your smb.conf winbind section:

smbclient //pxtest/tli -o username=YOURDOMAIN+tli

where the + sign is the separator defined in your smb.conf winbind section.

hth
John

> [EMAIL PROTECTED] root]# smbclient //pxtest/tli -U tli
> added interface ip=172.30.1.167 bcast=172.30.1.255 nmask=255.255.255.0
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> [EMAIL PROTECTED] root]#

Happiness is understanding how things work.
[Samba] Question on migrating NT4 shares to Samba 3 (Mandrake)
Hi all,

A quick question on migrating some shares so that they retain proper user and group permissions from NT4 to Samba 3. I plan on using ch 31, Migration from NT4 PDC to Samba-3 PDC (http://de.samba.org/samba/docs/man/NT4Migration.html), as a guide to perform the migration. User authentication is by winbind. This is already up and running with the machine joined to the domain. The Samba machine will be a member server rather than a domain controller. I have already made a trial run at just moving the directories/files via rsync, which went well.

Since the machine will not be a domain controller, is there any part of those instructions that I should not perform, or additional instruction listed elsewhere that I should know about? One that comes to mind is: should I migrate the users, since the net rpc vampire command is for use on a BDC?

Thanks for any insight.

Regards to all,
John Little
Happiness is understanding how things work.
[Samba] winbind samba and nt4 pdc
Hi all

I am attempting to install winbind on a Red Hat 9 machine with an NT4 PDC. The winbind version is samba-2.2.7a-7.9.0 as a stock RH install. I have followed the install instructions on the man page and I still get the errors shown below. I have searched Google for the STATUS_BUFFER_OVERFLOW (0x8005) error and the "plaintext password authentication failed" error, but nothing I've found has led me to a solution.

Something I am unsure about though is the sentence in the man page that reads: "In /etc/pam.d/* replace the auth lines with something like this:". What is the * in /etc/pam.d/? I have tried those lines in /etc/pam.d/samba, /etc/pam.d/login and /etc/pam.d/system-auth but I am unsure if those are the correct places.

Any insight or other documents that would help me with this are greatly appreciated.

Sincerely,
John Little

[EMAIL PROTECTED] pam.d]# smbpasswd -j hendricks -r hchdc01 -U jslittl%password
Joined domain HENDRICKS.
[EMAIL PROTECTED] pam.d]# wbinfo -t
Secret is bad
0x8005
[EMAIL PROTECTED] pam.d]# wbinfo -a HENDRICKS+jslittl%password
plaintext password authentication failed
error code was STATUS_BUFFER_OVERFLOW (0x8005)
Could not authenticate user HENDRICKS+jslittl%password with plaintext password
[EMAIL PROTECTED] pam.d]# rpm -q samba
samba-2.2.7a-7.9.0
[EMAIL PROTECTED] pam.d]#

Happiness is understanding how things work.