[Samba] How to get Samba, PAM MS-AD all working together properly
The biggest thing we have stopping us from adopting Samba-Linux 100% for our file and print servers is permissions administration/flexibility.

Does anyone have a good resource that outlines how to get PAM working so permissions can be managed like MS's are? Guess what I am asking is can PAM do permissions like MS and if yes, can they be done in the same easy fashion as 'right-click-properties', etc.? Also, does PAM aid in the sharing and permissions to network printers?

Please don't point me to the howto's, I've been there done that. I am looking to see if anyone here has successfully emulated a MS file server (and its easy ui share/permission administration) using Samba and Linux. If not, is it possible? Or would we need to use a Linux based LDAP server as our primary domain security catalog?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Samba clients fail after reboot
Please follow this thread: Subject = [Samba] wbinfo can not convert User names and Group name to S ID

-Original Message-
From: Leen Toelen [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 12:14 PM
To: samba@lists.samba.org
Subject: [Samba] Samba clients fail after reboot

Hi all,

since three weeks ago, whenever one of our Linux clients gets rebooted, it can't get access to a W2K domain anymore. Everything is working, nothing is changed in the configs, the Linux machines are simply rebooted. Does anyone know whether there is a security update or so on w2K that causes this? Another strange thing is that once in a while for an unknown reason logging in to the linux box works again and 10 minutes later it stops without touching the box.

On the domain controller I get in the event viewer:

    The session setup from the computer LNXSRV failed to authenticate. The name of the account referenced in the security database is LNXSRV$. The following error occurred: Access is denied.

On the linux side I get:

    # wbinfo --sequence
    PEAK4S : 1
    BUILTIN : 1
    PEAKADILLY : DISCONNECTED

    # wbinfo -D PEAKADILLY
    Name : PEAKADILLY
    Alt_Name : PEAKADILLY.LOCAL
    SID : S-1-5-21-725345543-813497703-839522115
    Active Directory : Yes
    Native: No
    Primary : Yes
    Sequence : -1

    # wbinfo -u
    Error looking up domain users

    # wbinfo -g
    BUILTIN\System Operators
    BUILTIN\Replicators
    BUILTIN\Guests
    BUILTIN\Power Users
    BUILTIN\Print Operators
    BUILTIN\Administrators
    BUILTIN\Account Operators
    BUILTIN\Backup Operators
    BUILTIN\Users

Any idea anyone?

Regards,
Leen Toelen

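Added example, not part of any message in this thread: a small shell check that parses `wbinfo --sequence` output in the format quoted above and reports domains that do not show a numeric sequence number, such as the DISCONNECTED entry. The function names and the sample text are constructed for illustration, and treating every non-numeric value as unhealthy is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): report winbind domains whose entry in
# `wbinfo --sequence` output is not a plain sequence number.

# Constructed sample in the format quoted in the message above.
SAMPLE_SEQUENCE='PEAK4S : 1
BUILTIN : 1
PEAKADILLY : DISCONNECTED'

# unhealthy_domains: read "NAME : VALUE" lines on stdin and print every NAME
# whose VALUE is not a non-negative integer (assumption: DISCONNECTED, -1 or
# anything else non-numeric means winbindd has no usable DC connection).
unhealthy_domains() {
    awk -F: '
        NF >= 2 {
            name = $1; value = $2
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (value !~ /^[0-9]+$/) print name
        }'
}

# check_sequence TEXT: print unhealthy domains; return 1 if there are any.
check_sequence() {
    bad=$(printf '%s\n' "$1" | unhealthy_domains)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# check_live: run against the local winbindd. `wbinfo -t` verifies the
# machine account trust secret; both commands need a running winbindd.
check_live() {
    status=0
    wbinfo -t >/dev/null 2>&1 || { echo "trust secret check failed"; status=1; }
    check_sequence "$(wbinfo --sequence 2>/dev/null)" || status=1
    return "$status"
}
```

Running `check_live` from cron or after a reboot gives an early signal of the state described in the thread, where the machine is joined but winbindd cannot reach the domain.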
RE: [Samba] Samba clients fail after reboot
Yep, and you will sometimes succeed and sometimes fail. Just be sure to stop all the services, do the join then start all the services in their proper order and that usually allows you to pull a good list.

-Original Message-
From: Leen Toelen [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 12:55 PM
To: Kevin Wilson
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba clients fail after reboot

Hi,

I removed the security update from our w2k pdc, and rebooted it. After I remove the linux client from the domain, do a net join (which succeeds), the linux client shows up again in the domain. wbinfo -u gets an Error looking up domain users again.

Regards,
Leen

On 8/26/05, Leen Toelen [EMAIL PROTECTED] wrote:

Hi,

in the thread a solution is not mentioned. Did you roll back the update on the w2k box, or change the samba config?

On a sidenote, is it better to use security = ads and configure kerberos, or still use security = domain and use the net rpc commands?

Regards,
Leen

On 8/26/05, Kevin Wilson [EMAIL PROTECTED] wrote:

Please follow this thread: Subject = [Samba] wbinfo can not convert User names and Group name to S ID

-Original Message-
From: Leen Toelen [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 12:14 PM
To: samba@lists.samba.org
Subject: [Samba] Samba clients fail after reboot

Hi all,

since three weeks ago, whenever one of our Linux clients gets rebooted, it can't get access to a W2K domain anymore. Everything is working, nothing is changed in the configs, the Linux machines are simply rebooted. Does anyone know whether there is a security update or so on w2K that causes this? Another strange thing is that once in a while for an unknown reason logging in to the linux box works again and 10 minutes later it stops without touching the box.

On the domain controller I get in the event viewer:

    The session setup from the computer LNXSRV failed to authenticate. The name of the account referenced in the security database is LNXSRV$. The following error occurred: Access is denied.

On the linux side I get:

    # wbinfo --sequence
    PEAK4S : 1
    BUILTIN : 1
    PEAKADILLY : DISCONNECTED

    # wbinfo -D PEAKADILLY
    Name : PEAKADILLY
    Alt_Name : PEAKADILLY.LOCAL
    SID : S-1-5-21-725345543-813497703-839522115
    Active Directory : Yes
    Native: No
    Primary : Yes
    Sequence : -1

    # wbinfo -u
    Error looking up domain users

    # wbinfo -g
    BUILTIN\System Operators
    BUILTIN\Replicators
    BUILTIN\Guests
    BUILTIN\Power Users
    BUILTIN\Print Operators
    BUILTIN\Administrators
    BUILTIN\Account Operators
    BUILTIN\Backup Operators
    BUILTIN\Users

Any idea anyone?

Regards,
Leen Toelen

RE: [Samba] net ads join error
In smb.conf add line log level = 10 then restart nmb, smb and winbind.

-Original Message-
From: Theodore Jencks [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 1:03 PM
To: samba@lists.samba.org
Subject: RE: [Samba] net ads join error

Where would I find the log for this? How would I set the debug level to 10 on a Redhat system?

Regards,
Theo

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 10:11 AM
To: Theodore Jencks
Cc: samba@lists.samba.org
Subject: Re: [Samba] net ads join error

Theodore Jencks wrote:

Compiling version 3.0.20 from source on RedHat Fedora Core 4 everything seems to go smoothly. However upon trying to join a 2000 domain with the following command

    net ads join -U Administrator%Password 'OU'

I get the following error:

    [2005/08/26 09:43:56, 0] utils/net_ads.c:ads_startup(191)
      ads_connect: No such file or directory

I have checked my smb.conf file with the testparm utility and Kerberos seems to be working fine using kinit. Does anyone have any info on this error or how to workaround/fix the problem.

Better look at a level 10 debug log from the 'net join' to see why the error is being generated. That's my advice at least.

cheers, jerry

Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca

RE: [Samba] Samba clients fail after reboot
Jerry Carter (from Samba) picked up on the thread and is testing 3.0.20 to see if it works. The only thing we did was bring up an AD-PDC that does not include the August 9th security fix from MS. While we can access our shares now the wbinfo commands do not work 100%. I believe this is simply due to our secondary DC that still has the Aug 9th fix in it is queried/answers first.

As for your second question, I can't answer it. Maybe someone else would be able to give you the 411.

-Original Message-
From: Leen Toelen [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 12:38 PM
To: Kevin Wilson
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba clients fail after reboot

Hi,

in the thread a solution is not mentioned. Did you roll back the update on the w2k box, or change the samba config?

On a sidenote, is it better to use security = ads and configure kerberos, or still use security = domain and use the net rpc commands?

Regards,
Leen

On 8/26/05, Kevin Wilson [EMAIL PROTECTED] wrote:

Please follow this thread: Subject = [Samba] wbinfo can not convert User names and Group name to S ID

-Original Message-
From: Leen Toelen [mailto:[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 12:14 PM
To: samba@lists.samba.org
Subject: [Samba] Samba clients fail after reboot

Hi all,

since three weeks ago, whenever one of our Linux clients gets rebooted, it can't get access to a W2K domain anymore. Everything is working, nothing is changed in the configs, the Linux machines are simply rebooted. Does anyone know whether there is a security update or so on w2K that causes this? Another strange thing is that once in a while for an unknown reason logging in to the linux box works again and 10 minutes later it stops without touching the box.

On the domain controller I get in the event viewer:

    The session setup from the computer LNXSRV failed to authenticate. The name of the account referenced in the security database is LNXSRV$. The following error occurred: Access is denied.

On the linux side I get:

    # wbinfo --sequence
    PEAK4S : 1
    BUILTIN : 1
    PEAKADILLY : DISCONNECTED

    # wbinfo -D PEAKADILLY
    Name : PEAKADILLY
    Alt_Name : PEAKADILLY.LOCAL
    SID : S-1-5-21-725345543-813497703-839522115
    Active Directory : Yes
    Native: No
    Primary : Yes
    Sequence : -1

    # wbinfo -u
    Error looking up domain users

    # wbinfo -g
    BUILTIN\System Operators
    BUILTIN\Replicators
    BUILTIN\Guests
    BUILTIN\Power Users
    BUILTIN\Print Operators
    BUILTIN\Administrators
    BUILTIN\Account Operators
    BUILTIN\Backup Operators
    BUILTIN\Users

Any idea anyone?

Regards,
Leen Toelen

RE: [Samba] wbinfo can not convert User names and Group name to S ID
Nah, we haven't updated our samba installations because they are production servers and we have no confirmation that the latest and greatest will fix the problem.

In a nutshell we get the following:

- a power down or service restart doesn't automatically reacquire the domain membership.
- you cannot use the join syntax using PDC I outlined before, you must specify the DC to use.
- wbinfo -u -g will immediately following joining the domain.
- getent passwd group usually works if the above does but I have a working server with lists that were updated when the getent commands didn't pull the lists properly...go figure?
- wbinfo -m doesn't report the primary domain even though you just joined it.
- wbinfo -t fails intermittently.
- initially you can't access the shares then sometimes (after a 1/2 hour or so) you can but not always.

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 25, 2005 8:31 AM
To: Kevin Wilson
Cc: samba@lists.samba.org
Subject: Re: [Samba] wbinfo can not convert User names and Group name to S ID

Kevin Wilson wrote:

Yep. We are dealing with once perfectly fine working 3.0.9 servers to erratic and weird behaved ones. We believe this is due to changes made by MS in http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx but thus far have not been able to confirm. Commands like: net rpc join -S PDC -U Admin now return no suitable server found even though that is the same command used when we setup the darn thing and it worked then.

Could you test 3.0.20 just for kicks? There have been several hotfix compatibility issues we've had to work around already. I'm downloading these hotfixes now and will try to test things out tomorrow.

cheers, jerry

RE: [Samba] wbinfo can not convert User names and Group name to S ID
Yep. We are dealing with once perfectly fine working 3.0.9 servers to erratic and weird behaved ones. We believe this is due to changes made by MS in http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx but thus far have not been able to confirm. Commands like: net rpc join -S PDC -U Admin now return no suitable server found even though that is the same command used when we setup the darn thing and it worked then.

Bottom line is our samba member machines didn't change but security updates to our PDC, master browser, etc. were done last week and that is when the problems started. Use of wbinfo is very erratic, most of the time the users and groups list won't pull down. The -m option doesn't report the primary domain we belong to, etc. After a service restart or a machine reboot nobody can access the shares then after some magical period of time (an hour) you check and then you can access them but sometimes you can't. Usually I restart winbind and wait then I can sometimes get into the shares after the second attempt.

-Original Message-
From: Todor Genov [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 24, 2005 11:21 AM
To: samba@lists.samba.org
Subject: [Samba] wbinfo can not convert User names and Group name to SID

Hi there,

I've been fighting with winbind for over 4 hours now and read every related article I found on google to no avail. A server of mine rebooted due to power outage today and a perfectly running winbind + AD setup, wbinfo can now no longer convert user names or group names to SID or vice versa. The weird part is that the built-in groups work just fine.

    [EMAIL PROTECTED] samba]# wbinfo -n BUILTIN/System Operators
    S-1-5-32-549 Well-known Group (5)
    [EMAIL PROTECTED] samba]# wbinfo -n Engineers
    Could not lookup name Engineers
    [EMAIL PROTECTED] samba]# getent group |grep Engineers
    Engineers:x:10018:
    [EMAIL PROTECTED] samba]# wbinfo -G 10018
    S-1-5-21-3139104342-3182081393-1008461833-2114
    [EMAIL PROTECTED] samba]# wbinfo -s S-1-5-21-3139104342-3182081393-1008461833-2114
    Could not lookup sid S-1-5-21-3139104342-3182081393-1008461833-2114

After I upgraded samba to 3.0.10 everything seemed to work for a while, however after I restarted winbind - the problems started again. Now user-to-SID and vice versa works fine, but group-to-SID still does not.

Has anybody experienced a similar problem?