[Samba] Samba 3 and Windows 8 Point'n'Print drivers
Hi list,

To my best knowledge samba 3 does not support level 4 drivers used by Windows 8 for Point'n'Print (If that is not the case could you let me know the minimal version of samba required?)

According to http://msdn.microsoft.com/en-us/library/windows/hardware/hh852373.aspx Windows 8 should be able to use level 3 drivers, but it does not seem to work for me. Are there any workarounds that can be applied (client or server side) to make this happen? I know there was a small patch submitted to the list quite a while ago, but I would rather not do that.

Many thanks
L

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3 and Windows 8 Point'n'Print drivers
On 06/06/13 15:40, Chris Smith wrote:
On Thu, Jun 6, 2013 at 9:56 AM, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

According to http://msdn.microsoft.com/en-us/library/windows/hardware/hh852373.aspx Windows 8 should be able to use level 3 drivers, but it does not seem to work for me. Are there any workarounds that can be applied (client or server side) to make this happen?

If you're getting error 0x06d1 see my blog post: http://blog.realcomputerguy.com/2013/06/fix-error-0x06d1-using-level-3.html

Hi Chris,
Thank you for this. Unfortunately I do not even get that far. Windows claims that there is no driver found :( Does the driver have to be installed manually?
L
Re: [Samba] Samba 4.0 released - The First Free Software Active Directory Compatible Server is now available !
Great achievement :) Well done samba team! Thank you for all of the hard work you put in.
Regards
L
Re: [Samba] s3fs and symlinks
On 04/07/12 09:37, steve wrote:
On 04/07/12 01:42, Andrew Bartlett wrote:
On Tue, 2012-07-03 at 15:14 +0200, steve wrote:
On 03/07/12 14:33, Volker Lendecke wrote:
On Tue, Jul 03, 2012 at 12:48:26PM +0200, steve wrote:

Hi everyone
I have a problem with S4 following symlinks. In windows, I can access a share if the path is the actual directory but not if the share contains a symlink to the same directory. I get access errors. In Linux under NFS, I can access the share either directly via the symlink. Does s3fs understand symlinks at the moment?

Look for wide links, unix extensions and allow insecure wide links in man smb.conf.
Volker

Hi Volker
Unfortunately, wide links (which I think is what I need) doesn't work:

samba-tool testparm
Unknown parameter encountered: wide links
Ignoring unknown parameter wide links
Press enter to see a dump of your service definitions

and samba_spnupdate throws errors too.

Regardless of the errors, they will still work. We have two loadparm engines, and we have not yet reconciled them. It remains a tedious job that hasn't yet been finished. To check if a parameter is accepted by the file server component, run 'testparm' rather than 'samba-tool testparm'.
Andrew Bartlett

Hi Andrew, hi everyone
I didn't know about testparm without samba-tool. With:

wide links = Yes

in [global] testparm is clean BUT, the symlink gives Access is denied.

Here is the share containing the symlinks:

[students]
path = /home2/students/data
read only = No

Here is an example of the symlink in /home2/students/data pointing to the actual data:

lrwxrwxrwx 1 root root 30 Jul 4 09:51 brian -> /home2/students/year7/7a/brian

Here is an example of the actual data:

drwxr-xr-x 21 brian Domain Users 4096 Jul 4 10:24 brian

If the share points at the actual data, we are allowed access. If the share points to the links, we get Access is denied. What have I done wrong?
Cheers,
Steve

Hi Steve,
Check other parameters that Volker mentioned and how they can affect each other, for example (from man smb.conf for 3.5.8)

unix extensions (G): ... Note if this parameter is turned on, the wide links parameter will automatically be disabled. Default: unix extensions = yes

L
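The interaction between wide links and unix extensions that the reply above quotes from man smb.conf, as an added example that is not part of the original thread: a small Python check that reports, per share, whether a requested wide links = yes actually takes effect. The sample configuration is constructed from the snippets in the message; the defaults and the accepted boolean spellings are assumptions taken from the smb.conf documentation for the 3.5 series.

```python
"""Report whether 'wide links' is effective for each share in an smb.conf.

Rule modelled (man smb.conf): with 'unix extensions' on, 'wide links' is
disabled unless 'allow insecure wide links' is also on.
"""

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

# Assumed defaults, as documented for the Samba 3.5 series.
DEFAULTS = {
    "widelinks": False,
    "unixextensions": True,
    "allowinsecurewidelinks": False,
}

# Constructed sample: the [global] and [students] settings from the thread.
STEVE_CONF = """\
[global]
    wide links = Yes

[students]
    path = /home2/students/data
    read only = No
"""


def _norm(name):
    """Parameter names are matched ignoring case and whitespace."""
    return "".join(name.split()).lower()


def _to_bool(value):
    v = value.strip().lower()
    if v in TRUE:
        return True
    if v in FALSE:
        return False
    raise ValueError("not a boolean smb.conf value: %r" % value)


def parse_smb_conf(text):
    """Return {section: {normalised parameter: raw value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def _lookup(name, share, global_):
    """Share value wins, then [global], then the built-in default."""
    for scope in (share, global_):
        if name in scope:
            return _to_bool(scope[name])
    return DEFAULTS[name]


def effective_wide_links(text):
    """Return {share: {'requested': bool, 'effective': bool}}."""
    sections = parse_smb_conf(text)
    g = sections.get("global", {})
    unix_ext = _lookup("unixextensions", {}, g)
    insecure = _lookup("allowinsecurewidelinks", {}, g)
    blocked = unix_ext and not insecure
    report = {}
    for name, params in sections.items():
        if name == "global":
            continue
        requested = _lookup("widelinks", params, g)
        report[name] = {"requested": requested,
                        "effective": requested and not blocked}
    return report


# Two variants of the constructed sample, one per global switch.
NO_UNIX_EXT = STEVE_CONF.replace(
    "[global]\n", "[global]\n    unix extensions = no\n")
INSECURE = STEVE_CONF.replace(
    "[global]\n", "[global]\n    allow insecure wide links = yes\n")

if __name__ == "__main__":
    for label, conf in (("as posted", STEVE_CONF),
                        ("unix extensions = no", NO_UNIX_EXT),
                        ("allow insecure wide links = yes", INSECURE)):
        print(label, effective_wide_links(conf))
```

Either setting that makes wide links effective lets a symlink inside the share resolve to any path the connecting user can reach on the server, so wide links is best set only in the shares that need it rather than in [global].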
Re: [Samba] smb.conf for around 2500 users
On 03/07/12 09:29, steve wrote:
On 03/07/12 09:40, steve wrote:
On 02/07/12 23:44, Lukasz Zalewski wrote:
On 02/07/2012 21:20, steve wrote:
On 02/07/12 18:50, Lukasz Zalewski wrote:
On 02/07/12 17:20, steve wrote:
On 02/07/12 17:49, Jonathan Buzzard wrote:
On Mon, 2012-07-02 at 17:39 +0200, steve wrote:

Hi Steve,
Maybe I have misunderstood what you are trying to do but if you already have automounter doing the right thing - maybe for the sake of argument mapping

/home2/students/year7/year7a/student1
/home2/students/year7/year7a/student2
...
...
/home2/students/year13/year13a/student2500

to

/homes/student1
/homes/student2
...
...
/homes/student250

then you need only [homes] share in the smb.conf, and then (similarly to Matthieu's suggestion) provide \\servername\%username% for homeDirectory attribute (and profilePath if you want roaming profiles)?
HTH
L

Hi Lukasz
No, you have understood perfectly
Is your [homes] a winbind [homes]? If so, we'd rather avoid having everyone in the same folder even if they are only links to the real data. We'd like to separate students from e.g.

[staff]
[admin]
[webstuff]
...

if only for readability purposes e.g.

[students]
path = /home/students/data
read only = No
browsable = No

then

ln -s /home2/students/year7/year7a/student1 /home/students/data/student1

In AD that becomes:

unixHomeDirectory: /home2/students/year7/year7a/student1
homeDirectory: \\server\students\student1
homeDrive: Z:

How does that look?
Cheers and thanks for your time,
Steve

Hi
OK I made the link in /home/students/data

lrwxrwxrwx 1 root root 31 Jul 3 09:54 joseph -> /home2/students/year7/7a/joseph

However, in xp browsing to Z: gives: access is denied
Not even Administrator has access to it. If Administrator grants himself rights and gives full control to joseph, both he and joseph still get access denied.

However, joseph can access his home folder with the share like this (without the link):

[students]
path = /home/students
read only = No
browsable = No

Are we sure that the file server understands symlinks?
Cheers,
Steve

Hi Steve,
Check wide links smb.conf parameter
L
Re: [Samba] smb.conf for around 2500 users
On 03/07/12 08:40, steve wrote:
On 02/07/12 23:44, Lukasz Zalewski wrote:
On 02/07/2012 21:20, steve wrote:
On 02/07/12 18:50, Lukasz Zalewski wrote:
On 02/07/12 17:20, steve wrote:
On 02/07/12 17:49, Jonathan Buzzard wrote:
On Mon, 2012-07-02 at 17:39 +0200, steve wrote:

Hi Steve,
Maybe I have misunderstood what you are trying to do but if you already have automounter doing the right thing - maybe for the sake of argument mapping

/home2/students/year7/year7a/student1
/home2/students/year7/year7a/student2
...
...
/home2/students/year13/year13a/student2500

to

/homes/student1
/homes/student2
...
...
/homes/student250

then you need only [homes] share in the smb.conf, and then (similarly to Matthieu's suggestion) provide \\servername\%username% for homeDirectory attribute (and profilePath if you want roaming profiles)?
HTH
L

Hi Lukasz

Hi Steve

No, you have understood perfectly
Is your [homes] a winbind [homes]?

No, We do not use winbind at all. Our main directory service is still openldap (which is used on all of the linux infrastructure + legacy s3 domain) and Samba4 is used purely as a Windows DC. We have plans to move to only Samba4 directory service but that will take some time

If so, we'd rather avoid having everyone in the same folder even if they are only links to the real data. We'd like to separate students from e.g.

[staff]
[admin]
[webstuff]
...

if only for readability purposes e.g.

In our case the separation is done on the posix permission/group membership and physical location of the data - staff and students live on the separate partitions/volumes
We do do a separation trick (akin to the symlinks that you mentioned but slightly coarse grained) for profiles again through automounter maps. Our profiles stanza in smb.conf is

[profiles]
path = /profiles/%G

and /profiles will include

/profiles/staff
/profiles/ug
profiles/msc
...

But again single smb share

[students]
path = /home/students/data
read only = No
browsable = No

then

ln -s /home2/students/year7/year7a/student1 /home/students/data/student1

In AD that becomes:

unixHomeDirectory: /home2/students/year7/year7a/student1
homeDirectory: \\server\students\student1
homeDrive: Z:

How does that look?
Cheers and thanks for your time,
Steve
Re: [Samba] A device attached to the system is not functioning
On 02/07/12 16:15, Alan Holt wrote:

Also, this is SID of groups in domain:

# net groupmap list
Domain Admins (S-1-5-21-2139989288-483860436-2398042574-512) -> Domain Admins
Domain Users (S-1-5-21-2139989288-483860436-2398042574-513) -> Domain Users
Domain Guests (S-1-5-21-2139989288-483860436-2398042574-514) -> Domain Guests
Domain Computers (S-1-5-21-2139989288-483860436-2398042574-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators

and this is SID of my user:

# pdbedit -Lv alexander
User SID: S-1-5-21-2139989288-483860436-2398042574-3186
Primary Group SID:S-1-5-21-3745118107-2241246581-749181168-513-513

They are completely different

Hi Alan,
I do not know how you came about this setup, but from a quick glance the sid defined in alexander's Primary Group SID is incorrect:
Domain Users' sid is defined by SID: S-1-5-21domain-513 (from http://support.microsoft.com/kb/243330)
So it seems to me that:
1) you have additional -513 appended at the end
2) Your domain portion of the sid for Primary Group SID is different to the one used in the User SID and to the ones listed by net groupmap admins

So shouldn't alexander's Primary Group SID be S-1-5-21-2139989288-483860436-2398042574-513?
HTH
L
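The two checks made by eye in the reply above, as an added example that is not part of the original thread: a Python script that compares a user's Primary Group SID with the User SID and the group map. The sample input is constructed from the SIDs quoted in the message; the finding names are hypothetical labels, and the expected value assumes the primary group is Domain Users (RID 513), as the reply does.

```python
import re

# Constructed sample input, using the SIDs quoted in the message above.
GROUPMAP = """\
Domain Admins (S-1-5-21-2139989288-483860436-2398042574-512) -> Domain Admins
Domain Users (S-1-5-21-2139989288-483860436-2398042574-513) -> Domain Users
Domain Guests (S-1-5-21-2139989288-483860436-2398042574-514) -> Domain Guests
Domain Computers (S-1-5-21-2139989288-483860436-2398042574-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
"""

PDBEDIT = """\
User SID:             S-1-5-21-2139989288-483860436-2398042574-3186
Primary Group SID:    S-1-5-21-3745118107-2241246581-749181168-513-513
"""

DOMAIN_USERS_RID = 513  # well-known RID of Domain Users


def subauthorities(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub, ...])."""
    m = re.fullmatch(r"S-1-(\d+)((?:-\d+)+)", sid)
    if not m:
        raise ValueError("not a revision-1 SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2)[1:].split("-")]


def split_account_sid(sid):
    """Return (domain SID, [trailing values]) for S-1-5-21-a-b-c-<rid...>.

    A well-formed account or group SID has exactly one trailing value (the
    RID); anything longer is returned as-is so the caller can flag it.
    """
    authority, subs = subauthorities(sid)
    if authority != 5 or len(subs) < 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % sid)
    domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return domain, subs[4:]


def parse_groupmap(text):
    """Map SID -> NT group name from 'net groupmap list' style lines."""
    pattern = re.compile(r"^(.+?) \((S-[0-9-]+)\) -> .+$", re.M)
    return {sid: name for name, sid in pattern.findall(text)}


def parse_pdbedit(text):
    """Pick the two SID fields out of 'pdbedit -Lv' style output."""
    pattern = re.compile(r"^(User SID|Primary Group SID):\s*(\S+)", re.M)
    return dict(pattern.findall(text))


def check_primary_group(pdbedit_text, groupmap_text):
    """Return (findings, expected Domain Users SID for this user's domain)."""
    fields = parse_pdbedit(pdbedit_text)
    groups = parse_groupmap(groupmap_text)
    user_domain, _ = split_account_sid(fields["User SID"])
    group_sid = fields["Primary Group SID"]
    group_domain, group_rids = split_account_sid(group_sid)

    findings = []
    if len(group_rids) != 1:
        findings.append("extra-subauthority")  # e.g. a doubled -513
    if group_domain != user_domain:
        findings.append("domain-mismatch")     # group is in another domain
    if group_sid not in groups:
        findings.append("unmapped-group")      # no groupmap entry at all
    return findings, "%s-%d" % (user_domain, DOMAIN_USERS_RID)


if __name__ == "__main__":
    problems, expected = check_primary_group(PDBEDIT, GROUPMAP)
    print("findings:", problems)
    print("expected Primary Group SID:", expected)
```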
Re: [Samba] smb.conf for around 2500 users
On 02/07/12 17:20, steve wrote:
On 02/07/12 17:49, Jonathan Buzzard wrote:
On Mon, 2012-07-02 at 17:39 +0200, steve wrote:

Samba4 with Linux and Windows clients wanting to get the same home folder data.

Hi
A college has students arranged with Linux home directories according to which year they belong to and which class within that year, a or b or whatever, they belong to e.g.:

/home2/students/year7/year7a/student1
/home2/students/year7/year7a/student2
...
...
/home2/students/year13/year13a/student2500

To get at the same data on windows, I was thinking of a share for each of the classes e.g.

[year7a]
path = /home2/students/year7/year7a
read only = No
browsable = No
...
...
[year13a]
path = /home2/students/year13/year13a
read only = No
browsable = No

and mapping a drive letter to the share e.g. map Z: to \\server\year7a\%USERNAME%

Deal with it through your NSS mechanism so that the file server knows for \\server\%USERNAME% where the users home directory is actually located and then you can just use the special [homes] share. I do this with winbind and the unixHomeDirectory attribute in AD.
JAB.

Hi Jonathan
Thanks for the quick response. I think I must be missing something here because as far as I can see, winbindd puts all users into the directory specified in template homedir. [homes] then picks out the user from there. At the moment we are using nss-pam-ldapd to grab the unixHomeDirectory from AD. How do I get winbindd or nss to map unixHomeDirectory to something I can then map to a windows drive letter?
Cheers,
Steve

Hi Steve,
Have you considered using autofs to do all of the mapping work for you, so that you have only one /homes/ (or whatever else you want to call it) to worry about?
L
Re: [Samba] smb.conf for around 2500 users
On 02/07/2012 21:20, steve wrote:
On 02/07/12 18:50, Lukasz Zalewski wrote:
On 02/07/12 17:20, steve wrote:
On 02/07/12 17:49, Jonathan Buzzard wrote:
On Mon, 2012-07-02 at 17:39 +0200, steve wrote:

Hi Steve,
Have you considered using autofs to do all of the mapping work for you, so that you have only one /homes/ (or whatever else you want to call it) to worry about?
L

Hi Lukasz
Yes, that's exactly what we are doing at the moment. Our Linux clients get their home directory automounted via nfs. It works fine. What I want is for that same home directory to be mapped to a windows drive letter. My method of having one share per class works, but would create over 30 shares. I'm not sure that having this many shares is advisable. I can find few examples of smb.conf's with more than but a handful of shares.
Cheers,
Steve

Hi Steve,
Maybe I have misunderstood what you are trying to do but if you already have automounter doing the right thing - maybe for the sake of argument mapping

/home2/students/year7/year7a/student1
/home2/students/year7/year7a/student2
...
...
/home2/students/year13/year13a/student2500

to

/homes/student1
/homes/student2
...
...
/homes/student250

then you need only [homes] share in the smb.conf, and then (similarly to Matthieu's suggestion) provide \\servername\%username% for homeDirectory attribute (and profilePath if you want roaming profiles)?
HTH
L
Re: [Samba] Basic questions regarding Samba capabilities
Hi Jorell,

On 25/05/12 16:57, Jorell wrote:
On 5/25/2012 7:48 AM, Jason Voorhees wrote:

Hi, thanks for your reply:

On Mon, May 21, 2012 at 7:51 AM, Aaron E. ssures...@gmail.com wrote:

First, I'm not sure if you're speaking of samba4 or just upgrading your s3 domain structure .. my comments are based on samba4 hope it helps ..

Actually I was thinking about using a stable version of Samba like 3.x. I know that Samba 4 is still being developed for many years. Do you really suggest me to use this alpha version of Samba4 for a critical environment like the one I described? It would be great to have an Open Source ADS implementation with Samba4 but for now I think I can just get as much as possible of features that Samba 3.x can offer me.

From reading the mailing list, people using S4 for its Active Directory have had great success, it's when they try to use the file server side of things is when they have problems. Also Samba 4 ADS is interchangeable with Windows Server ADS.

We have been running samba4 in production environment for almost two years. Our setup is quite basic, single S4 DC, and s3 member servers for file serving and printing. We have ~300 pc's (almost all Windows 7) and ~2500 users
But you probably will need more elaborate setup.

Policies:
--
Group policy works with S4.. So whatever group policies you can set in windows DC you can set on the S4 dcs..

What tool do you use for edit/create policies? I was reading a little about the native MS Windows 2000 tool for policy editing but if you suggest me to use Samba4 I believe you could recommend me to use the Windows 2003/2008 policy editor or something like that?

To manage group policies you install Group Policy Management Console (gpmc.msi) on a windows workstation connected to the domain.

Windows RAT will do the trick: http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Installing_Windows_Remote_Administration_Tools_onto_Windows

Scalability
--
1PDC and several BDCs would be your answer. Essentially you're going to create the same infrastructure as you would with the windows family of servers. instead of multiple pdc's you'd use bdc's at in different vlans.. or RODC's but I am not sure where the RODC's are in terms of completeness.

I'm sorry but I have never heard about RODCs before. Are they read only primary or backup domain controller? How do they work?

Backend
--
OPENLDAP isn't supported as a back-end.. I believe that your only option is to use the built-in samba4 back-end at this point..

Compatibility
--
there are no special steps in joining windows 7 or 2008 servers to the S4 domain.. There is an upgrade script that should pull your users and computers to the new domain, obviously this would require extensive testing in your environment.

Thanks for all

On 05/20/2012 11:32 AM, Jason Voorhees wrote:

Hi people:
I've been using Samba for a long time with some basic features like Samba working as a PDC, integrated with OpenLDAP, being a print server, among others, for a small number of almost controlled users (no more than 30 or 50 users). But now I'm interested to implement a Windows domain using Samba for a University with 6000-8000 users distributed through several VLANs, subnets, offices in a medium/big campus. I'd like to avoid using a proprietary solution like Windows 2008 with ADS so I'd like to know some suggestions like these:

Policies:
===
- How well can Samba manage policies for workstations?
- Is it easy or safe to apply and/or remove policies from workstations?
- What kind of things can I allow or deny from succeeding in workstations using policies? For example: could I avoid users from changing the IP address of the workstation? Could I set a fixed wallpaper or internet explorer proxy settings to workstations?

Scalability
In a big scenario like the previous I mentioned:
- How many BDCs would be needed? Is it enough to have 1 PDC and several BDCs?
- Is it possible to have multiple PDCs of the same domain each one being in a different VLAN? or, what's the right approach in terms of structure-architecture to implement PDCs and BDCs?

Backend
===
Definitely I plan to use OpenLDAP as backend but, similar to the previous question about BDCs: how many Master/Slave OpenLDAP servers do you think it would be necessary? It could be 1 BDC+OpenLDAP (slave or master) for each office or VLAN?

Compatibility:
===
- I know that are some procedures to join Windows 7 to Samba domain, I did this before successfully. Do you know -maybe- of another possible compatibility problem that you suggest I can be prepared for?
- If after some time (weeks, months or years) I plan to replace this Samba based domain to Windows 2k ADS domain: is it possible to do this migration without problem? it isn't necessary to reinstall all the domain and rejoin all the workstation?

Technically I can investigate how to implement each of these features (policies, BDCs, openldap, etc...) but before taking a
Re: [Samba] Samba4 - create a new auxiliary classe in AD
On 22/05/12 10:49, Hervé Hénoch wrote:

I'm using the 4.0.0alpha21-GIT-1d53e57 version. I've tried your proposal and it seems that it works ... thank you.
Another question : my functional level (domain and forest) is 2003 can I grow it to 2008R2 ?

Hi,
samba-tool allows you to raise the functional level (for both the domain and the forest - check the options), i.e.

./samba-tool domain level
Usage: samba-tool domain level (show|raise options) [options]

But I have not used it myself.
L
Re: [Samba] Samba4 - create a new auxiliary classe in AD
On 22/05/12 07:37, Hervé Hénoch wrote:

Hello
I've migrated from Samba3 to Samba4 using this howto : http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO : ok ! great !
Now I want to create a new auxiliary class in AD by using mmc - Schéma Active Directory. I've generated the object OID using the script : http://www.microsoft.com/technet/scriptcenter/scripts/ad/domains/addmvb03.mspx?mfr=true

Hi
Which version of Samba 4 are you using? In later versions you have to explicitly allow schema modifications by adding the following to smb.conf

dsdb:schema update allowed = yes

HTH
L
Re: [Samba] Printer support in Samba4
On 26/04/12 16:49, Adnan Kunic wrote:

Dear all,
I have installed configured and running Samba4 version 4.0.0alpha20-GIT-5b5b696 as domain controller. I'm wondering is there a print server support in this alpha release? If not, what is a workaround. OS Platform is CentOS 6.2.
Kind regards,

Hi Adnan,
As far as I know (but others will correct me if I'm wrong) there is no print support in s4 yet. As a workaround you can use samba 3 member server for printing (and you can deploy those printer connection through group policy)
Regards
L
Re: [Samba] Fwd: Windows 7 problems
On 10/11/2010 15:03, henri wrote:

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Cain, Marc
Sent: Tuesday 9 November 2010 21:34
To: samba@lists.samba.org
Subject: [Samba] Fwd: Windows 7 problems

On Nov 9, 2010, at 7:29 AM, henri wrote:

I have a couple of questions related to Windows 7 :

- opening a domain session on the Win7 client takes a long time. At least 40 seconds, while there is no delay on XP client. Is it a known problem ? A bug ? What can be done to avoid such a delay ?

There are at least two timeouts that I've found that can affect domain logons

-- Roaming profile logon timeout: When a user with a roaming profile attempts to logon to a Samba domain Windows will display the Welcome screen for 30 seconds before enabling the user's desktop. This bug does not affect Active Directory logons. Setting the GPO below to 0 seconds will work around this timeout.

\\Computer Configuration\Administrative Templates\System\Set maximum wait time for the network if a user has a roaming user profile or remote home directory
Set to: 0

-- Synchronous Logon script timeout: When the local Computer GPO is set to Run logon scripts synchronously Windows 7 displays the Welcome screen for 30 seconds before enabling the user's desktop. NOTE: this bug may only be extant in Windows 7 Professional, not Enterprise or may have been addressed in service pack. Creating the following REG_DWORD registry key will work around this bug:

\\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DelayedDesktopSwitchTimeout
Set to: 0001

There is also the solid color background bug (again, it may have since been addressed in a service pack): Change the background color to any .jpg image.

Thanks for that. After some tests I got it work.

- in smb.conf , the %a value for Windows 7 is Vista , right ?

Don't know. The %a switch hasn't worked in our shop for some time. Windows 7 will tag the profile folder listed with a .V2 extension or will expect a .V2 extension.

I was asking for the %a substitution in order to call the right script file at logon . For me , logon%a.cmd is substituted by logonVista.cmd . I assume it's ok.

- NT Default Profile no longer works with Windows 7 . I guess it is normal , but is there a workaround ?

Default User profiles do work with Windows 7 and Samba. See the article for Windows 7 default profile details: http://support.microsoft.com/kb/973289

Thanks for the link. I will try the procedure.

- Same question for NT policies : I assume it is normal that windows 7 does not support NTconfig.pol files any longer. Nevertheless, is there a way to get the same features ? For these kind of functionality (having some control of user profiles on Win7 clients) , is AD the only and inescapable solution ?

We create a local group policy that we copy from the server via logon script at logon time. Works great for both WinXP and Windows 7.

How do you generate the policy file and how do you copy it from server to client via logon script ? XP was automatically loading ntconfig.pol (generated by the old poledit.exe) in the netlogon directory , but what about Win 7 ?

Henri,
Yeah, since Vista ntconfig.pol does not work. We have a tool that translates contents of ntconfig.pol (which essentially is a registry hive) into local group policy - it fetches the .pol file from the netlogon share and does the translation on the fly. I have not fully tested it on windows 7 (since we moved to samba4) but it worked fine on Windows XP. You are more than welcome to have it. Note that the script only supports machine policy. If you are after proper group policy you should consider samba4
Regards
Luk

Thanks for your help.
Henri

For my needs (200 domain users), NT domain was a sufficient solution and worked perfectly with XP. I am afraid that with Windows 7, I will have to move to something much more and unnecessarily complex :-( .
Thanks in advance for your help.
Henri
Re: [Samba] Domain user printing
On 25/10/2010 19:52, Robert Moskowitz wrote:

It looks like a domain user has NO printing permission. Do I need Policy Editor for this? Where do I get it to run on an XP Pro system? I have seen various notes about this, but I can't make head or tails of them.

Robert,
Have a look at http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba
This explains deployment of system policy through samba 3.X. It also outlines the difference between system policy and group policy
You can still use Local Group Policy (through gpedit.msc), but as the name suggests it's local to every machine, and not deployable from the Domain Controller.
If you are using samba4 have a look at http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Installing_Windows_Remote_Administration_Tools_onto_Windows
These tools include Group Policy Management console that works very well with samba4
HTH
Luk
Re: [Samba] Our success story with samba4
On 10/25/2010 07:45 AM, Daniel Müller wrote:

Hi Daniel,

Hi, besides nsd it is possible to make dynamic update work with bind on centos 5.5.

I think the version of bind shipped with CentOS 5.5 is too old. See http://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates
You can, as wiki suggests, build one from source
Regards
Luk

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Lukasz Zalewski
Sent: Friday, 22 October 2010 21:55
To: Michael Wood
Cc: samba@lists.samba.org; samba-technical
Subject: Re: [Samba] Our success story with samba4

On 22/10/2010 19:52, Michael Wood wrote:

Hi Michael,

Hi Lukasz

On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

Hi all,
This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that still not sure if samba4 will work in your environment.
This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great
The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).
Our setup is quite simple and includes:
One samba4 DC (running on centos 5.5 x64) with nsd dns backend
[...]

Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

Nope, AFAIK nsd can't do ms style dynamic updates (it's the one bundled with Centos 5.5). We decided to go for static dns (we have only one s4 DC), which is composed of the bind config file generated by s4 provision (nsd can use bind config files, but TXT records have to be quoted for some reason) and all other records generated from database.

How was it to set up compared to bind?

Besides not setting up dynamic updates, quite easy (I think easier than bind). As mentioned earlier, it supports bind config syntax (but TXT records have to be quoted).
Regards
Luk
Re: [Samba] Our success story with samba4
On 10/25/2010 08:31 AM, Michael Wood wrote:

Hi Michael,

On 25 October 2010 08:45, Daniel Müller muel...@tropenklinik.de wrote:

Hi, besides nsd it is possible to make dynamic update work with bind on centos 5.5.

Yes, sure. It's just that bind configuration seems to be a significantly difficult part of getting Samba 4 working (many people seem to have trouble with it) so I was wondering if nsd was any better. I am using bind, but I don't really need dynamic DNS updates because I am only using Samba 4 for authentication of services on a couple of servers. i.e. no workstations. Static IPs. No machines joining/leaving etc.

This was our reasoning for switching to nsd (as we run nsd for other services). We do have machines joining/leaving, but the ip's and names are static so the records can be generated beforehand.

Since I have bind working, I am not looking to switch to nsd. I was just wondering why Lukasz chose it, but I suppose they were using it already, before implementing Samba 4.

We started with bind and it was all working (RHEL 6 beta), but when we switched to CentOS 5 the bind was not new enough. We wanted to avoid needless manual builds of bind (in general any packages) and keep everything packaged. (In saying that I had to build ldap module for python 2.6 to get the import from ldap script working)
Regards
Luk

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Lukasz Zalewski
Sent: Friday, 22 October 2010 21:55
To: Michael Wood
Cc: samba@lists.samba.org; samba-technical
Subject: Re: [Samba] Our success story with samba4

On 22/10/2010 19:52, Michael Wood wrote:

Hi Michael,

Hi Lukasz

On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

Hi all,
This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that still not sure if samba4 will work in your environment.
This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great
The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).
Our setup is quite simple and includes:
One samba4 DC (running on centos 5.5 x64) with nsd dns backend
[...]

Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

Nope, AFAIK nsd can't do ms style dynamic updates (it's the one bundled with Centos 5.5). We decided to go for static dns (we have only one s4 DC), which is composed of the bind config file generated by s4 provision (nsd can use bind config files, but TXT records have to be quoted for some reason) and all other records generated from database.

How was it to set up compared to bind?

Besides not setting up dynamic updates, quite easy (I think easier than bind). As mentioned earlier, it supports bind config syntax (but TXT records have to be quoted).
Re: [Samba] Can print when logged in as domain user
On 22/10/2010 18:13, Robert Moskowitz wrote:

This is on an XP Pro workstation. Now I am trying to print. I can print from a local user. I added domain\user to the permissions for the printer. I try a test print from the printer properties and get an error.
Then I think, well I can print to the printer from the Samba PDC directly, and I have a print share, so lets attach it. So I go to the run dialog and enter \\server
I get a windows browser window of all of my shares including the printer share. So I right click on it and check connect and I get the error:

A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator

(which of course is me :( ).
So what policy might this be that is blocking printing and how can I fix this for printing either way...

Check Point and Print Restrictions http://technet.microsoft.com/en-us/library/cc781985%28WS.10%29.aspx
HTH
Luk
Re: [Samba] Our success story with samba4
On 22/10/2010 19:52, Michael Wood wrote:

Hi Michael,

Hi Lukasz

On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

Hi all, This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment. This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great. The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy). Our setup is quite simple and includes: One samba4 DC (running on centos 5.5 x64) with nsd dns backend [...]

Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

Nope, AFAIK nsd can't do ms style dynamic updates (it's the one bundled with Centos 5.5). We decided to go for static dns (we have only one s4 DC), which is composed of the bind config file generated by s4 provision (nsd can use bind config files, but TXT records have to be quoted for some reason) and all other records generated from database.

How was it to set up compared to bind?

Besides not setting up dynamic updates, quite easy (I think easier than bind). As mentioned earlier, it supports bind config syntax (but TXT records have to be quoted).

Regards
Luk
Re: [Samba] Can print when logged in as domain user
On 22/10/2010 20:38, Robert Moskowitz wrote:

On 10/22/2010 03:22 PM, Chris Smith wrote:

On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz r...@htt-consult.com wrote:

This is an OEM installed XP from a reseller. I would NOT be surprised that there are some serious limitations on the XP installed.

No functional limitations on OEM versions, except that some were tied to specific manufacturers (they wouldn't install if the BIOS string did not identify the device as that manufacturer's).

The license is an OEM license (per system properties) registered to the E-Waste Recycler I bought it from. It is an IBM SFF. But why no policies for allowing printing when attached to a domain? Why not connect when domain logged in.

Robert, Are you using AD for group policy, samba (system policy) or local group policy? I have noticed that on my XP client machines not all of the policies are present until you add appropriate templates (don't know if it's SP3 feature). If you right-click on Administrative templates, there will be an option to Add/Remove templates. The required policy is part of system.adm

I tried connecting to the server printer share from a local login, and that got past the policy block and was asking for the printer driver. So it is REALLY something tied into how a domain user acts on this system.
Re: [Samba] ldap user suffix
On 10/20/2010 08:16 AM, vishesh kumar wrote:

Thanks oliver for your reply, But No this is not possible in my case. Thanks

Why do you want to store users in two separate OU's? What is the rule that defines which OU should be used? You could look into openldap overlays, which might allow you to do dynamic re-write of dn's (amongst other things). Some distros ship openldap without overlays enabled so you need to check (this approach sounds like an overkill though, and might be more trouble than it's worth). I'm assuming you are using openldap

Regards
Luk

On 10/20/10, Olivier FONTES oliv...@famille-fontes.net wrote:

On Wed, 20 Oct 2010 11:19:12 +0530, vishesh kumar linuxtovish...@gmail.com wrote:

Dear friends, My domain users are in two different OU, one OU is TEMP_USERS and other OU is PEOPLE. What should I mention in smb.conf? If I mention ldap user suffix = ou=PEOPLE, then users of ou TEMP_USERS are not able to authenticate. Please guide me. Thanks -- http://linuxinterviews.blogspot.com

Hi, is it possible to put the two OU into a specific OU that you could mention in your smb.conf ?? I had a similar problem, I solved it this way.

Olivier
--- The famille-fontes.net domain is self-hosted at my home. Contact me if you would like to do the same.
[Samba] Our success story with samba4
Hi all,

This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment. This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great. The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).

Our setup is quite simple and includes:
One samba4 DC (running on centos 5.5 x64) with nsd dns backend
Two samba 3.3.8 domain members (running on centos 5.5 x64) providing file services and printing
We also have Windows Server 2003 domain member
~340 Windows 7 x64 Workstations
~1900 users, that were imported from our previous samba3 domain with ldap back-end.

Note that we did not move entire domain, but decided to start afresh, and existing users (and computers) were ported to the new domain. We use group policy to deploy various settings, user profiles, software and printers. So, please grab samba4, start using it, report the bugs, make it even better than it is :)

Regards
Luk
Re: [Samba] Our success story with samba4
On 10/19/2010 03:53 PM, Ludek Finstrle wrote:

Hi Ludek,

Hi,

Tue, Oct 19, 2010 at 10:12:16AM +0100, Lukasz Zalewski wrote:

This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment.

it's nice to know it. How you cooperate with other systems required LDAP accounts and some additional data? As I know there is no complete support for external LDAP server which is stopper for us. Do you mirror user's account to external LDAP or you don't need it at all?

Yeah we still maintain openldap backend (which provides core functionality for the school) - the way I see it is that samba account information has moved from openldap to s4. AFAICT (but would like to be proven wrong) s4 allows the storage of posix account attributes, but I do not think you can add custom schemas to it. I suspect this behaviour is probably no different to real AD

Regards
Luk

Best regards,
Luf
Re: [Samba] Implementing Samba4
Michael, all

On 09/01/2010 10:15 PM, Michael Wood wrote:

2010/9/1 Daniel Müller muel...@tropenklinik.de:

On Wed, 1 Sep 2010 12:00:29 +0200, Michael Wood esiot...@gmail.com wrote:

Hi

2010/9/1 Juan Asensio Sánchez oke...@gmail.com:

On 1 September 2010 09:54, Daniel Müller muel...@tropenklinik.de wrote:

[...] Why do not just use the samba 4 internal ldap-server?? And just net rpc vampire the users and groups from

I doubt net rpc vampire will do anything except give you an error message :) I believe the rpc vs. ads etc. options are considered to have been a mistake, so are not supported by Samba4's net command. Also, there is no support currently for vampiring from Samba3 to Samba4. Someone is working on a migration script, though. Check the

How about: 2 Samba4-DCs with OpenLDAP 2.4.8 in Multi-Master-Replication at: http://lists.samba.org/archive/samba-technical/2008-April/058567.html

I think perhaps Samba4 worked better with OpenLDAP in the past and it should also be fixed to work with it again in future, but at the moment it won't work: http://lists.samba.org/archive/samba-technical/2010-July/072445.html

For various reasons, the OpenLDAP backend for Samba4 is not functional at this time.

Here's the message where Lukasz Zalewski says he's working on the Samba 3 to Samba 4 migration script: http://lists.samba.org/archive/samba-technical/2010-August/072683.html

Since web-based archives scrub the attachments I have attached the relevant scripts to this message:
myldap-pub.py.org - Metze's original import script (attached for completeness)
myldap-pub-2.dif - patch which extends functionality of the above by allowing use of ldap uri's and other customisations (custom filters, attribute values substitutions).
Please note the script is not complete yet, but you should be able to import users, computers and groups (trusts are still TODO)

HTH
Luk

samba-technical archives.
--- myldap-pub.py.org 2010-08-10 12:29:40.563592748 +0100 +++ myldap-pub.py 2010-08-24 17:34:04.810586364 +0100 @@ -1,3 +1,5 @@ +#!/usr/bin/env python +# import sys from ldif import LDIFParser, LDIFWriter import ldap @@ -5,6 +7,8 @@ import binascii import base64 import re +from optparse import OptionParser, OptionGroup +from getpass import getpass class MyLDIFParser(LDIFParser): def __init__(self, input): @@ -379,6 +383,15 @@ SID_NAME_UNKNOWN = 8 #oops. SID_NAME_COMPUTER = 9 #machine +IMPORT_TYPE_USERS = 1 +IMPORT_TYPE_COMPUTERS = 2 +IMPORT_TYPE_TRUSTS= 4 +IMPORT_TYPE_GROUPS= 8 +IMPORT_TYPE_ALL = 15 + +import_types= dict({Users: IMPORT_TYPE_USERS, Computers: IMPORT_TYPE_COMPUTERS, Trusts: IMPORT_TYPE_TRUSTS, Groups: IMPORT_TYPE_GROUPS, All: IMPORT_TYPE_ALL}) +env_var_mapping = dict({%USERNAME%: sAMAccountName}) + class ImportSamba3SearchState: def __init__(self, basedn, scope, filterstr, importdn): self.basedn = basedn @@ -395,7 +408,11 @@ trusts_search, computers_search, users_search, - groups_search): + groups_search, +output_ignore_sids=False, +remove_attributes=[], +import_type=IMPORT_TYPE_ALL, +user_replace_attrs={}): self.domain = domain_search self.trusts = trusts_search @@ -418,7 +435,10 @@ # TODO self.new_next_rid = 14 - self.convertObjects() + self.convertObjects(remove_attributes=remove_attributes, +output_ignore_sids=output_ignore_sids, +import_type=import_type, +user_replace_attrs=user_replace_attrs) def parse_sambaAcctFlags(self, str): #print sambaAcctFlags '%s'\n % str 
@@ -1145,16 +1165,22 @@ return dn, entry def convert_sambaSamAccount(self, old, basedn, objectClass=user, - keep_sid=True, is_computer=False): - - name = old['uid'][0] - try: - ou = old['ou'][0] - except: - ou = 'DefaultOU' - pass + keep_sid=True, is_computer=False, +remove_attributes=[], +output_ignore_sids=False, +output_display=True, +user_replace_attrs={}, +disable_if_no_unicodePwd=False): + +name = old['uid'][0] + #try: + # ou = old['ou'][0] + #except: + # ou = 'DefaultOU' + # pass - ou_dn = OU=%s
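Review bot: the new keyword arguments `remove_attributes=[]` and `user_replace_attrs={}`, added to the constructor in the hunk at -395 and again to `convert_sambaSamAccount` in the hunk at -1145, are mutable defaults. Python evaluates them once, so anything that appends to or updates them inside the function is carried over to the next call and to every other object that relied on the default. Default both to `None` and create the list or dict in the body. The constants hunk at -379 also hard-codes `IMPORT_TYPE_ALL = 15`; deriving it by OR-ing the four flags would keep it correct if another import type is added.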
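Review bot: in the hunk at -1145 the `ou` lookup in `convert_sambaSamAccount` is commented out rather than removed, and the five new parameters (`remove_attributes`, `output_ignore_sids`, `output_display`, `user_replace_attrs`, `disable_if_no_unicodePwd`) arrive without a docstring. If the container is no longer taken from the source entry, delete the block and document where the target OU now comes from; if the lookup is meant to return, replace the original bare `except:` with `except KeyError:` so that only a missing `ou` attribute falls back to the default. `disable_if_no_unicodePwd` in particular changes whether an imported account ends up enabled, so its behaviour deserves a sentence in the docstring.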
Re: [Samba] Samba 4 and password policy pwsetting error
On 08/26/2010 05:51 PM, Glenn T. Arnold wrote:

Hello, When I tried to change the password policy on a samba 4 domain controller I get the following error.

r...@server01:/usr/local/samba/lib/python2.6/site-packages/samba/netcmd# ./pwsettings.py --complexity=off
Traceback (most recent call last):
  File "./pwsettings.py", line 25, in <module>
    import samba.getopt as options
ImportError: No module named samba.getopt
r...@lcsdc01:/usr/local/samba/lib/python2.6/site-packages/samba/netcmd#

What am I doing wrong when running this command? Thanks -Glenn

Glenn, run it as follows:

/usr/local/samba/bin/net pwsettings your options

HTH
Luk
Re: [Samba] Import samba 3 to samba 4
On 08/08/2010 12:44 AM, Michael Wood wrote:

On 7 August 2010 19:11, Nico Kadel-Garcia nka...@gmail.com wrote:

On Mon, Aug 2, 2010 at 10:06 AM, Dave Thurston dthurs...@comcast.net wrote:

I have searched but I have yet to find a method to import users and passwords from a samba3/ldap system to samba4. Is there available a method of doing this?

Why do you need to import? Isn't the backend Kerberos and the account informat sufficiently similar that you can simply switch over? (I ask as someone using Samba 3, eyeing Samba 4 with interest to get LDAP out of the hands of Active Directory.)

By default Samba 4 uses its own built in LDAP server and the OpenLDAP backend is currently not working properly. I have managed to migrate users from an Apple Open Directory server (which is based on MIT Kerberos and OpenLDAP) to Samba 4, but I was only using Open Directory for authentication of one service. No machines joined to OD or anything like that. All I needed to do was dump the kerberos database, import it to Heimdal, dump it from Heimdal again and then use the password hashes from the Heimdal dump to create the necessary unicodePwd attributes in Samba's directory. After that I used ldapsearch to get hold of the groups each user was a member of and then used ldbmodify (or perhaps ldapmodify. I can't remember now) to migrate them to Samba. I've never used Samba 3 as a PDC, so I'm not sure what the LDAP schema looks like and how it differs from what Samba 4 uses, but as long as the password hashes are in a compatible format, I imagine it's just a matter of slapcat or ldapsearch, munging the results and then ldbmodify to add the users to Samba 4. I don't know of an existing script to do this.

I have started writing a script that will pull account information (Users, Groups and Computers) from s3's ldap backend and import it to s4. It's still early days though. I'm pretty sure that there will be loads of hurdles to jump before it is in any usable state

Regards
Luk

Cc: samba-technical
Re: [Samba] Samba3 to samba4 migration
On 29/06/2010 19:14, Luciano Andre Baramarchi wrote:

Hi, I'm testing samba 4 in my organization. I have a samba3 domain with LDAP backend. I'm trying migrate workstations and users from old samba to samba4. Is this possible? Thanks, Luciano luci...@multitasknet.com.br

Hi, We are in the same situation with large user/group/machine set needed to be ported to the new s4 world. The only solution I can see at the moment would be to dump the contents of the appropriate LDAP sections (it being users/group/machines/etc) into ldif(s) in a format acceptable by s4 and then add them using ldbadd (and possibly sync using ldbmodify later on). Would it be worthwhile to add yet another net cmd utility to allow importing stuff from existing LDAP infrastructure (maybe conceptually similar to existing vampire cmd)?

Regards
Luk
Re: [Samba] unable to join to a Samba4 domain
On 27/05/2010 09:54, Tomasz Chmielewski wrote:

Am 25.05.2010 21:03, Tomasz Chmielewski wrote:

Am 25.05.2010 20:55, Lukasz Zalewski wrote:

If I block LDAP on UDP, Windows does not send queries to LDAP on TCP. Is it the same for you? And indeed, the error message is the same whether 389/UDP is blocked or not.

In my case if one protocol (TCP or UDP) in that port is enabled things seem to work. If both are disabled I get the error message. Have you tried to disable firewall on samba4 host just to rule it out? Presumably you don't have any other firewalls in the way? I will try to join Windows 2008 to the domain tomorrow as a test.

There is no firewall between the hosts. I'll try to test it with Windows XP, but it may take 1-2 days before I'm able to do it.

Unfortunately, Windows XP SP3 fails to join a Samba4 domain as well. How can I troubleshoot it?

Are both the samba4 and client machine on the same subnet? If not are there any firewalls, or routers in the way? Is your client dns configuration pointing explicitly at samba4?

Regards
Luk
Re: [Samba] unable to join to a Samba4 domain
On 29/05/2010 19:17, Tomasz Chmielewski wrote:

Am 29.05.2010 20:15, Lukasz Zalewski wrote:

Unfortunately, Windows XP SP3 fails to join a Samba4 domain as well. How can I troubleshoot it?

Are both the samba4 and client machine on the same subnet? If not are there any firewalls, or routers in the way?

Same subnet, no firewalls or routers on the way.

Is your client dns configuration pointing explicitly at samba4

Yes.

Hmm this is mostly odd, are you using FQDN to join the domain? Can you resolve all of the samba4 generated dns records externally (http://wiki.samba.org/index.php/Samba4/HOWTO Configure DNS section), such as

host -t SRV _ldap._tcp.samdom.example.com.
. . .

Luk
[Samba] Samba4 Patch: newuseradv and newgroupadv scripts for net cmd utility
Hi all, As per Jelmer's request - in response to bug #7455 attached diff file. Please let me know what you think and if any modificationes need to be performed Regards Luk --- samba/netcmd/__init__.py.org2010-05-25 17:28:00.0 +0100 +++ samba/netcmd/__init__.py2010-05-26 11:43:16.0 +0100 @@ -160,3 +160,7 @@ commands[vampire] = cmd_vampire() from samba.netcmd.machinepw import cmd_machinepw commands[machinepw] = cmd_machinepw() +from samba.netcmd.newuseradv import cmd_newuseradv +commands[newuseradv] = cmd_newuseradv() +from samba.netcmd.newgroupadv import cmd_newgroupadv +commands[newgroupadv] = cmd_newgroupadv() --- samba/samdb.py.org 2010-05-25 13:12:16.0 +0100 +++ samba/samdb.py 2010-05-26 21:34:11.0 +0100 
@@ -140,6 +140,158 @@ else: self.transaction_commit() +def newgroupadv(self, groupname, groupou=None, grouptype=None, +description=None, mailaddress=None, notes=None): +Adds a new group with additional parameters + +:param groupname: Name of the new group +:param grouptype: Type of the new group +:param description: Description of the new group +:param mailaddress: Email address of the new group +:param notes: Notes of the new group + + +self.transaction_start() +try: +group_dn = CN=%s,%s,%s % (groupname, (groupou or CN=Users), self.domain_dn()) + +# The new user record. Note the reliance on the SAMLDB module which +# fills in the default informations + ldbmessage = {dn: group_dn, +sAMAccountName: groupname, +objectClass: group} + + if grouptype is not None: +ldbmessage[groupType] = %d % ((grouptype)-2**32) + +if description is not None: +ldbmessage[description] = description + +if mailaddress is not None: +ldbmessage[mail] = mailaddress + +if notes is not None: +ldbmessage[info] = notes + +self.add(ldbmessage) + +except: +self.transaction_cancel() +raise +else: +self.transaction_commit() + +def newuseradv(self, username, password, +force_password_change_at_next_login_req=False, + userou=None, surname=None, givenname=None, initials=None, + profilepath=None, scriptpath=None, homedrive=None, homedirectory=None, + jobtitle=None, department=None, company=None, description=None, + mailaddress=None, internetaddress=None, telephonenumber=None, + physicaldeliveryoffice=None): +Adds a new user with additional parameters + +:param username: Name of the new user +:param password: Password for the new user +:param force_password_change_at_next_login_req: Force password change +:param userou: Object container (without domainDN postfix) for new user +:param surname: Surname of the new user +:param givenname: First name of the new user +:param initials: Initials of the new user +:param profilepath: Profile path of the new user +:param scriptpath: Logon script path of the new user 
+:param homedrive: Home drive of the new user +:param homedirectory: Home directory of the new user +:param jobtitle: Job title of the new user +:param department: Department of the new user +:param company: Company of the new user +:param description: of the new user +:param mailaddress: Email address of the new user +:param internetaddress: Home page of the new user +:param telephonenumber: Phone number of the new user +:param physicaldeliveryoffice: Office location of the new user + + +displayName = ; +if givenname is not None: +displayName += givenname + +if initials is not None: +displayName += ' %s.' % initials + +if surname is not None: +displayName += ' %s' % surname + +self.transaction_start() +try: +user_dn = CN=%s,%s,%s % (username, (userou or CN=Users), self.domain_dn()) + +# The new user record. Note the reliance on the SAMLDB module which +# fills in the default informations + ldbmessage = {dn: user_dn, +sAMAccountName: username, +objectClass: user} + + if surname is not None: +ldbmessage[sn] = surname + + if givenname is not None: +ldbmessage[givenName] = givenname + + if displayName is not : +ldbmessage[displayName] = displayName +ldbmessage[name] = displayName + + if initials is not None: +ldbmessage[initials] = '%s.' % initials + + if
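Review bot: in `newgroupadv` (and the same pattern in `newuseradv`) the caller-supplied `groupname` and `groupou` are interpolated into `group_dn` with `%s` and no escaping, so a name containing a comma, plus or equals sign changes the structure of the DN instead of becoming part of the CN value; escape the RDN value before building the DN, and do the same for `username`/`userou` in `user_dn`. In the same method, `%d % ((grouptype)-2**32)` subtracts 2**32 unconditionally, which yields the signed 32-bit form only when the high bit of `grouptype` is set; a value without that bit ends up outside the 32-bit range, so subtract only when `grouptype >= 2**31`. The docstring also omits `groupou`, and the comment above `ldbmessage` still says "The new user record".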
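Review bot: in `newuseradv` the display name is tested with `if displayName is not` against the empty string, which is an identity comparison and is not guaranteed to behave as an equality test; use `if displayName:`. The way the string is assembled also leaves a leading space when `givenname` is None but `initials` or `surname` is set, because those parts are appended as `' %s.'` and `' %s'`; collect the parts in a list and join them with a space. Smaller points: `displayName = ;` carries a stray semicolon, and the docstring line `:param description: of the new user` is missing its noun.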
Re: [Samba] unable to join to a Samba4 domain
On 05/25/2010 12:13 PM, Tomasz Chmielewski wrote:

Am 25.05.2010 12:24, Tomasz Chmielewski wrote:

Am 25.05.2010 12:14, Tomasz Chmielewski wrote:

Am 24.05.2010 21:47, Mike Leone wrote:

Tomasz, How are you performing the join?

The normal way: my Computer- Properties - Domain... (is it possible to join a Windows PC differently)?

You can join from the command line using the NETDOM utility.

Right. Tried that as well, doesn't work for me. I'll try to build Samba4 from scratch.

Didn't help with the newest git fetch and new setup - I'm still unable to join Windows 2008 to Samba4 domain. What more info should I provide?

The only way I can replicate your problem and get similar message, is by blocking access to port 389 both TCP and UDP on the samba4 host - it seems like enabling either (i.e. TCP or UDP) produces enter credentials dialog. Note that I have used Windows 7 rather than Srv2008

Regards
Luk
Re: [Samba] unable to join to a Samba4 domain
On 25/05/2010 14:08, Tomasz Chmielewski wrote:

Am 25.05.2010 14:50, Tomasz Chmielewski wrote:

Am 25.05.2010 13:58, Lukasz Zalewski wrote:

What more info should I provide?

The only way I can replicate your problem and get similar message, is by blocking access to port 389 both TCP and UDP on the samba4 host - it seems like enabling either (i.e. TCP or UDP) produces enter credentials dialog. Note that I have used Windows 7 rather than Srv2008

The only packets exchanged, from the moment I press OK button to when the error is shown, are:
- DNS queries
- LDAP queries
(192.168.128.11 - Samba4; 192.168.128.12 - Windows 2008)
So, nothing blocked on Samba4 side (and LDAP queries add some data to Samba debug log).

If I block LDAP on UDP, Windows does not send queries to LDAP on TCP. Is it the same for you? And indeed, the error message is the same whether 389/UDP is blocked or not.

In my case if one protocol (TCP or UDP) in that port is enabled things seem to work. If both are disabled I get the error message. Have you tried to disable firewall on samba4 host just to rule it out? Presumably you don't have any other firewalls in the way? I will try to join Windows 2008 to the domain tomorrow as a test.

Luk
Re: [Samba] Samba4 - List of options for smb.conf
On 22/04/2010 12:14, Andrew Bartlett wrote:

On Tue, 2010-04-20 at 12:44 -0400, Stuart Wehrly wrote:

Is there a list of options for smb.conf?

Sadly Samba4 does lack documentation. But testparm -v from Samba4 should get you what you want.

Andrew Bartlett

Hi Andrew, This seems to show some of the default parameters, but what about non-default/optional ones (like share permissions) and % variables? Seems like %U and %G are not honoured, and have been replaced by longer version, i.e. testparm -v shows two of them:

template homedir = /home/%WORKGROUP%/%ACCOUNTNAME%

Can one assume that %G will be %GROUPNAME%? Is there a validation schema/definition file for those parameters? Alternatively which bit of code is responsible for parsing and validating them?

Many Thanks
Luk
Re: [Samba] unable to join to a Samba4 domain
On 21/05/2010 16:56, Tomasz Chmielewski wrote:

Am 21.05.2010 06:25, Andrew Bartlett wrote:

When you provisioned samba4 it generated sample bind and zone config for that dc, have a look at samba_install_dir/private/dns/samba4.my.domain.zone which includes all of the dns records for that zone and see which ones you are missing

Indeed, if you used a zone file other than the one we generated, then you are asking for trouble. Please use the one we generate.

I'm using the zone generated by Samba (and did not modify it).

Tomasz, How are you performing the join?

Luk
Re: [Samba] Samba4 upgradeprovision and sysvol permissions error
On 21/05/2010 12:53, Andrew Bartlett wrote:

On Thu, 2010-05-20 at 19:29 +0100, Lukasz Zalewski wrote:

Hi! I have recently upgraded samba4 to the latest GIT build. I have run upgradeprovision according to upgrading-samba4.txt instructions. All seems to be well, but when I try to access Group Policy Objects from gpmc utility on windows I get the following error message:

--- Group Policy Management ---
The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

After OK'ing I can edit and modify the setting and I believe everything gets applied correctly. However when I re-select the same object the same error message appears. What should be the permissions on sysvol directory? And where is the place where they are stored? I did not see this behaviour in the previous build, before running upgradeprovision

upgradeprovision has fixed the ACLs in your directory, but not those on disk. A big update to upgradeprovision is pending - keep an eye on the GIT tree or ask Matthieu Patou (CC'ed).

Andrew Bartlett

Thx Andrew, Matthieu please let us know when the change will happen.

Regards
Luk
Re: [Samba] unable to join to a Samba4 domain
On 20/05/2010 15:26, Hoover, Tony wrote:

Try adding these SRV entries to your DNS server:

---
_ldap._tcp.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
_ldap._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
_kerberos._tcp.samba4.my.domain. IN SRV 0 0 88 kerberosserver.samba4.my.domain.
_kerberos._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 88 kerberosserver.samba4.my.domain.
---

Where ldapserver.samba4.my.domain is the FQDN of the LDAP server in your domain (samba4 domain controller?), and kerberosserver.samba4.my.domain. is the FQDN of your kerberos server (also your samba4 domain controller?) If you have multiple domain controllers, you will need to have the full set of SRV records point to each of the DCs. Good luck. T

When you provisioned samba4 it generated sample bind and zone config for that dc, have a look at samba_install_dir/private/dns/samba4.my.domain.zone which includes all of the dns records for that zone and see which ones you are missing

Regards
Luk
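The advice in this thread (compare your DNS against the zone file Samba generated, and make sure the SRV names listed above resolve) can be scripted. The following is an added example, not code from the thread or from Samba: it reads zone-file text and reports which of those five SRV names are missing or carry the wrong port. The sample zone, the `ldapserver` host and all function names are constructed for illustration, and the parser assumes one record per line and a single origin.

```python
# Added illustration; not part of the original messages or of Samba.
# SRV owner prefixes and ports exactly as listed in the message above.
REQUIRED_SRV = [
    ("_ldap._tcp", 389),
    ("_ldap._tcp.dc._msdcs", 389),
    ("_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._tcp.dc._msdcs", 88),
]


def qualify(name, origin):
    """Return name as a lower-case FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return name + "." + origin


def parse_srv(zone_text, origin):
    """Map owner FQDN -> [(port, target FQDN), ...] for every SRV record."""
    origin = origin.rstrip(".").lower()
    records = {}
    last_owner = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # drop zone-file comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                           # blank line or $ORIGIN/$TTL
        tokens = line.split()
        if not line[0].isspace():              # a new owner name starts the line
            last_owner = qualify(tokens.pop(0), origin)
        # Skip the optional numeric TTL and the class field.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)
        if len(tokens) < 5 or tokens[0].upper() != "SRV":
            continue                           # not SRV, or mangled like "INSRV00389"
        try:
            _prio, _weight, port = (int(t) for t in tokens[1:4])
        except ValueError:
            continue
        records.setdefault(last_owner, []).append((port, qualify(tokens[4], origin)))
    return records


def check_dc_records(zone_text, realm):
    """Return [(fqdn, 'missing' | 'wrong-port'), ...] for the required names."""
    realm = realm.rstrip(".").lower()
    records = parse_srv(zone_text, realm)
    problems = []
    for prefix, port in REQUIRED_SRV:
        fqdn = (prefix + "." + realm).lower()
        found = records.get(fqdn)
        if not found:
            problems.append((fqdn, "missing"))
        elif all(p != port for p, _ in found):
            problems.append((fqdn, "wrong-port"))
    return problems


# Constructed sample zone: one record absent, one with the wrong port.
SAMPLE_ZONE = """\
$ORIGIN samba4.my.domain.
$TTL 1W
ldapserver IN A 192.0.2.10
_ldap._tcp IN SRV 0 0 389 ldapserver
_ldap._tcp.dc._msdcs IN SRV 0 0 389 ldapserver
_kerberos._tcp IN SRV 0 0 389 ldapserver ; constructed mistake: LDAP port
_kerberos._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 88 ldapserver.samba4.my.domain.
"""

if __name__ == "__main__":
    for name, reason in check_dc_records(SAMPLE_ZONE, "samba4.my.domain"):
        print("%-10s %s" % (reason, name))
```

A record whose fields have been run together, as in the archived copy of this message, does not parse as SRV and is therefore reported as missing.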
[Samba] Samba4 upgradeprovision and sysvol permissions error
Hi! I have recently upgraded samba4 to the latest GIT build. I have run upgradeprovision according to upgrading-samba4.txt instructions. All seems to be well, but when I try to access Group Policy Objects from gpmc utility on windows I get the following error message:

--- Group Policy Management ---
The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

After OK'ing I can edit and modify the setting and I believe everything gets applied correctly. However when I re-select the same object the same error message appears. What should be the permissions on sysvol directory? And where is the place where they are stored? I did not see this behaviour in the previous build, before running upgradeprovision

Thx
Luk
[Samba] Samba4 idmap operations
Hi all,

I have been playing with samba4 (Samba 4.0.0alpha12-GIT-9ad9fd5) for a few days and so far it's working great - clients join the domain, with roaming profiles and home directories served from it. AFAICT the xidNumber is incrementally assigned from a pool of values between lowerBound and upperBound. My questions are as follows:

When is this mapping actually generated - I have created new users using net newuser username but this mapping was not present soon after the creation. Does it get generated when file access is needed? One can force its generation using wbinfo:

bin/wbinfo --sid-to-uid S-1-5-21-4036476082-4153129556-3089177936-1006
312

which does generate the mapping, but this brings me to the next question: can this mapping be generated during account creation with specific uid, i.e.

net newuser username -uid 503

I am aware that wbinfo can do this for you but when I run it the following error occurs:

bin/wbinfo --set-uid-mapping=503,S-1-5-21-4036476082-4153129556-3089177936-1006
failed to call wbcSetUidMapping: WBC_ERR_DOMAIN_NOT_FOUND
Could not create or modify uid to sid mapping

Am I missing something obvious? And finally is there a way to amend/add those values using ldap interface instead of operating directly on ldb database files? If so what would be the bind/base dn for such operation?

Many thanks
Lukasz
Re: [Samba] Samba support for ADM files
Kevin Hall wrote:

Hi, What I would like to do is have my custom adm files in a shared folder on my samba server so that if I make a change, it updates the windows XP clients on my network in a similar fashion to active directory on a windows server. However, I cannot seem to find any support for this in samba in the documentation I have read. Do I have to go to each machine and use group policy editor to load the adm file? Am I missing something or is this going to be a feature of samba 4? Regards Kevin Hall

AFAIK samba 3 only supports system policies and only samba 4 will be able to use GPO like policies. Have a look at http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba This should give you some basic insight on how it all works. You can convert existing .adm templates, or write your own ones, to be used with system policies by removing appropriate #if version statements. Note that system policies have several limitations, i.e. will only be synced upon domain logon - i.e. background refresh or boot-time refresh will not work, and they will lack some of the rich features of GPO. They also work on registry tattooing principle so reverting a policy is more tricky. We have been using system policies for some time and they work pretty well (if you acknowledge their limitations). I have written a small tool that can be run as a startup script, or at any time, which will convert existing NTConfig.pol data into Local GPO information - this might save you the effort of manual adjusting Local GPO's on every machine. The utility supports machine policies and user policies however the group stuff is missing - we just didn't have a need for it

HTH
Luk
Re: [Samba] Using LDAP, no PDC/BDC, for multiple samba servers
Adam Williams wrote:
> are you using security = user or security = domain on your multiple servers?
>
> Soohoon Lee wrote:
>> Hi
>>
>> Is it possible to use single LDAP server and multiple samba servers? The problem I'm having now is each server thinks their host name is their LDAP domain name, or sambaDomainName, and complains the user's SID is different so can't authenticate. How do I make samba servers use one domain name and SID?
>>
>> LDAP domain name is DOMSMB
>>
>>     dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>>     sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>
>> And samba server created a new domain after its hostname.
>>
>>     dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>>     sambaSID: S-1-5-21-4202146032-850913369-3381557932
>>
>> And complains user's SID is different from its SID.
>>
>> Thanks,
>> Soohoon.

We have student domain and staff domain and one LDAP server. We wanted staff members to log onto student domain. So we considered two options:

1. Interdomain trust relationship (http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
However this option was not good for us as we didn't want to open up the firewall and we wanted staff members to get the proper student experience (i.e. home dirs and profiles on the student server). So that brought us to the second option:

2. ldap translucent proxy overlay (http://linux.die.net/man/5/slapo-translucent)
In this setting we override sids (i.e. domain sid part of the staff domain is substituted with student domain portion of the sid) for users and groups and point samba to the overlay. Bear in mind that all of the changes made by samba like machine passwords, user passwords, idmap mappings etc will go no further than the proxy so great care must be taken in LDAP setups that use referrals.

Now the most important question is what do you use your two domains for?

HTH
Lukasz
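The SID substitution described in option 2 of the message above, as an added example that is not part of the original post and is not Samba or OpenLDAP code: it swaps the domain part of each domain-relative SID while keeping the RID, and emits LDIF modify records that could be loaded as overrides behind a translucent proxy. The domain SIDs, DNs and the `used_rids` collision check are constructed assumptions for illustration.

```python
import re

# Constructed placeholder domain SIDs (assumptions, not values from the thread).
STAFF_SID = "S-1-5-21-1000000001-1000000002-1000000003"
STUDENT_SID = "S-1-5-21-2000000001-2000000002-2000000003"
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample entries as (dn, attributes) pairs.
SAMPLE = [
    ("uid=alice,ou=People,dc=example,dc=com",
     {"sambaSID": STAFF_SID + "-3001", "sambaPrimaryGroupSID": STAFF_SID + "-513"}),
    ("cn=Administrators,ou=Groups,dc=example,dc=com", {"sambaSID": "S-1-5-32-544"}),
    ("uid=carol,ou=People,dc=example,dc=com", {"sambaSID": STAFF_SID + "-3002"}),
]

def rewrite_sid(sid, source_domain, target_domain):
    """Swap the domain part of a domain-relative SID and keep the RID.
    Returns None for SIDs outside source_domain (e.g. BUILTIN S-1-5-32-*)."""
    m = DOMAIN_SID_RE.match(sid or "")
    if not m or m.group(1) != source_domain:
        return None
    return "%s-%s" % (target_domain, m.group(2))

def overlay_ldif(entries, source_domain, target_domain, used_rids=()):
    """Return (ldif_text, skipped_dns). An entry whose RID is already taken in
    the target domain is skipped so that two accounts never share one SID."""
    records, skipped = [], []
    for dn, attrs in entries:
        own = rewrite_sid(attrs.get("sambaSID"), source_domain, target_domain)
        if own and int(own.rsplit("-", 1)[1]) in used_rids:
            skipped.append(dn)
            continue
        mods = []
        for name in SID_ATTRS:
            new = rewrite_sid(attrs.get(name), source_domain, target_domain)
            if new:
                mods.append("replace: %s\n%s: %s\n-" % (name, name, new))
        if mods:
            records.append("dn: %s\nchangetype: modify\n%s\n" % (dn, "\n".join(mods)))
    return "\n".join(records), skipped

if __name__ == "__main__":
    ldif, skipped = overlay_ldif(SAMPLE, STAFF_SID, STUDENT_SID, used_rids={3002})
    print(ldif)
    print("# skipped (RID collision):", skipped)
```

Well-known SIDs such as the BUILTIN group are left untouched because they do not belong to either domain, and RID collisions are reported rather than rewritten.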
Re: [Samba] Using LDAP, no PDC/BDC, for multiple samba servers
Lukasz Zalewski wrote:
> Adam Williams wrote:
>> are you using security = user or security = domain on your multiple servers?
>>
>> Soohoon Lee wrote:
>>> Hi
>>>
>>> Is it possible to use single LDAP server and multiple samba servers? The problem I'm having now is each server thinks their host name is their LDAP domain name, or sambaDomainName, and complains the user's SID is different so can't authenticate. How do I make samba servers use one domain name and SID?
>>>
>>> LDAP domain name is DOMSMB
>>>
>>>     dn: sambaDomainName=DOMSMB,dc=my-domain,dc=com
>>>     sambaSID: S-1-5-21-2479917030-3150298425-213194246
>>>
>>> And samba server created a new domain after its hostname.
>>>
>>>     dn: sambaDomainName=SRV6,dc=my-domain,dc=com
>>>     sambaSID: S-1-5-21-4202146032-850913369-3381557932
>>>
>>> And complains user's SID is different from its SID.
>>>
>>> Thanks,
>>> Soohoon.
>
> We have student domain and staff domain and one LDAP server. We wanted staff members to log onto student domain. So we considered two options:
>
> 1. Interdomain trust relationship (http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html)
> However this option was not good for us as we didn't want to open up the firewall and we wanted staff members to get the proper student experience (i.e. home dirs and profiles on the student server). So that brought us to the second option:
>
> 2. ldap translucent proxy overlay (http://linux.die.net/man/5/slapo-translucent)
> In this setting we override sids (i.e. domain sid part of the staff domain is substituted with student domain portion of the sid) for users and groups and point samba to the overlay. Bear in mind that all of the changes made by samba like machine passwords, user passwords, idmap mappings etc will go no further than the proxy so great care must be taken in LDAP setups that use referrals.
>
> Now the most important question is what do you use your two domains for?
>
> HTH
> Lukasz

Ah sorry, I didn't read the Subject line properly - you do not want PDC. As Andy pointed out maybe you should have one of the servers as a domain member of the other domain.

Lukasz
[Samba] domain trust relationship with AD 2003 and user profile and home directory problems
Hi!

We have a PDC for EEKS domain, running samba 3.2.0 FC9 64 bit, with the following trust relationships:

- one way trust where EEKS trusts ITL domain which is running Samba 3.0.30 FC8 64 bit
- two way trust between EEKS and ADEEKS domain which is running Windows Server 2003.

Now for a given Windows XP SP2 workstation in EEKS domain:

1. User logs onto ITL domain through the trust relationship and gets the appropriate profile and home directory
2. User logs onto EEKS domain and also gets the appropriate profile and home directory
3. User logs onto ADEEKS domain but does not get home directory nor a profile.

I have been looking at the logs and found the following entries:

    [2008/07/31 17:44:48, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
      pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
    netr_LogonSamLogon: struct netr_LogonSamLogon
      out: struct netr_LogonSamLogon
        return_authenticator : *
          return_authenticator: struct netr_Authenticator
            cred: struct netr_Credential
              data : cb8ab18ac5739c1a
            timestamp: Thu Jul 31 17:44:47 2008 BST
        validation : *
          validation : union netr_Validation(case 3)
          sam3 : *
            sam3: struct netr_SamInfo3
              base: struct netr_SamBaseInfo
                last_logon : NTTIME(0)
                last_logoff : Thu Sep 14 03:48:05 30828 BST
                acct_expiry : Thu Sep 14 03:48:05 30828 BST
                last_password_change : Mon Jan 1 00:00:47 1601 LMT
                allow_password_change: Mon Jan 1 00:00:47 1601 LMT
                force_password_change: Thu Sep 14 03:48:05 30828 BST
                account_name: struct lsa_String
                  length : 0x (0)
                  size : 0x (0)
                  string : *
                    string : 'goo'
                full_name: struct lsa_String
                  length : 0x (0)
                  size : 0x (0)
                  string : *
                    string : ''
                logon_script: struct lsa_String
                  length : 0x (0)
                  size : 0x (0)
                  string : *
                    string : ''
                profile_path: struct lsa_String
                  length : 0x (0)
                  size : 0x (0)
                  string : *
                    string : ''
                home_directory: struct lsa_String
                  length : 0x (0)
                  size : 0x (0)
                  string : *
                    string : ''
                home_drive: struct lsa_String
                  length : 0x (0)
                  size : 0x (0)
                  string : *
                    string : ''
                logon_count : 0x (0)
                bad_password_count : 0x (0)
                rid : 0x0456

which seems to suggest that the necessary information is equal to the empty string (That information does exist in AD).

Is this happening due to the misconfiguration of samba, or AD? Can this be done at all? If so what do I need to change? If this cannot be changed can I override the above settings through samba?

I have run out of ideas so any suggestions would be much appreciated.

Regards
Lukasz