[Samba] Upgraded samba, mostly still works, but have one issue

2011-12-12 Thread Mark Casey

Hello list,

I recently upgraded an Ubuntu 8.04 LTS samba server to 10.04 LTS which 
took the installed version of samba from version 3.0.28a to version 
3.4.7. The server is an AD member using idmap-rid. I have updated the 
idmap directives in the config and it mostly worked (winbind works, 
Windows users can get to their shares with their correct permissions, 
etc.). The only thing that got broken is the ability of our IP security 
cameras to store data directly to the server through samba. I believe 
this may have been caused by a change to a default setting, such as the  
allowed authentication methods or possibly something like 'allow trusted 
domains', since these cameras are not capable of actually joining the 
domain. I've looked at some of the in-between release notes but no 
changes have jumped out at me.


The cameras are configured to connect to the given smb/cifs server and 
share (which exists and can be mapped from Windows if you use the right 
user). The share ('camshare') has share-level permissions set such that 
DOMAIN\camera should have full access. I have winbind set to use the 
default domain so the cameras are configured to connect as 'camera' 
instead of 'DOMAIN\camera' (but I've tried both anyway, to no avail). I 
have checked the password on the 'camera' account repeatedly.


However you can see that something isn't right when the cameras try to 
mount the share:

root@server:~# tail -f /var/log/samba/log.smbd | grep camera
  check_ntlm_password:  Authentication for user [camera] -> [camera] 
FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Authentication for user [camera] -> [camera] 
FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Authentication for user [camera] -> [camera] 
FAILED with error NT_STATUS_NO_SUCH_USER


If I use that username with the password when mapping the share from 
Win7, it works and the correct permissions are there.


Here is the smb.conf:

[global]
server string = File Server
workgroup = DOMAIN
realm = DOMAIN.COM
security = ADS
password server = *
#password server = dc1.domain.com
username map = /etc/samba/smbusers
obey pam restrictions = Yes
enable privileges = Yes
map to guest = Bad User
client NTLMv2 auth = Yes
log level = 2, vfs:1
syslog = 0
max log size = 0
load printers = No
preferred master = No
local master = No
domain master = No
dns proxy = No
disable netbios = yes
ldap ssl = no
host msdfs = No
template shell = /bin/false
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

idmap backend = tdb
idmap uid = 10-19
idmap gid = 10-19
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10 - 50
idmap config DOMAIN:default = yes

hosts allow = 10.0.1.0/255.255.255.0 10.1.1.0/255.255.255.0 
10.2.0.0/255.255.255.0 10.0.8.0/255.255.255.0 10.1.8.0/255.255.255.0 
10.2.8.0/255.255.255.0 172.10.0.0/255.255.255.0 172.11.0.0/255.255.255.0

map acl inherit = No
hide special files = Yes
map archive = No
map readonly = No
map system = No
map hidden = No
force create mode = 707
force directory mode = 707
ea support = No
store dos attributes = No
wide links = No
follow symlinks = No
dos filemode = No
add share command=/etc/samba/command.pl
delete share command=/etc/samba/command.pl
change share command=/etc/samba/command.pl

[camshare]
comment = Camera data share
path = /home/camshare
read only = No
writeable = Yes
inherit owner = Yes
guest ok = No

[mainshare]
comment = Main Fileshare
path = /home/mainshare
read only = No
writeable = Yes
inherit owner = Yes
guest ok = Yes

vfs objects = recycle extd_audit
recycle:repository = Recycle Bin
recycle:directory_mode = 707
recycle:keeptree = yes
recycle:versions = no
recycle:touch = yes
recycle:touch_mtime = no
recycle:maxsize = 209715200
recycle:exclude = *.tmp *.temp ~$* *.~??


I've left off some other shares that don't seem relevant.

I can provide other info and or more logs if needed. Thanks in advance 
for any assistance you may be able to provide.


Thank you,
Mark
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Fwd: Upgraded samba, mostly still works, but have one issue

2011-12-12 Thread Mark Casey
Forgot to cc list. Sorry

Sent via mobile

Begin forwarded message:

 From: Mark Casey ma...@unifiedgroup.com
 Date: December 12, 2011 1:25:34 PM CST
 To: Dale Schroeder d...@briannassaladdressing.com
 Subject: Re: [Samba] Upgraded samba, mostly still works, but have one issue
 

 Dale,
 
 That fixed it. Thanks very much for your time in looking at this issue! That 
 leads to another question though. I don't get why 'winbind use default 
 domain' did not cover the issue, since I have it set to yes. I assumed I 
 could leave off the DOMAIN\ portion and it would add it for me...but more 
 specifically, even using DOMAIN\camera wouldn't work. I should clarify though 
 that nowhere in my config am I actually typing DOMAIN\; I'm only swapping 
 that in on the mailing list as a redaction. When I tried the fully 
 qualified user account in the IP camera's config the domain matched the one 
 that this samba server is joined to.
 
 I did note this part in smb.conf's man page about 'winbind use default 
 domain':
 While this does not benefit Windows users, it makes SSH, FTP and e-mail 
 function in a way much closer to the way they would in a native unix system.
 
 This would all make more sense if that line means that 'winbind use default 
 domain' excludes not only Windows users but all smb/cifs authentication 
 attempts. Then, it wouldn't apply to the IP cameras at all. However, even if 
 that were the case I still can't explain the failure when I tried the user 
 DOMAIN\camera.
 
 Would you (or anyone) be able to provide any insight? Regardless, thanks 
 again for your help thus far as I can now get this out of the urgent section 
 of my list!
 
 Thank you,
 Mark
 
 

Re: [Samba] common causes for failure to find domain controller ?

2010-02-17 Thread Mark Casey

On 2/17/2010 4:15 AM, Evan Ingram wrote:

Hi,

are there any common causes for a Windows machine's failure to find a
samba domain controller?

I'm trying to join a Windows 2008 server to a samba[3.4.0] PDC and
debug/netsetup says failed to find a DC in the specified domain.

cheers

   

Evan,

Yes, there are a few. A very common one is the DC and your server's 
clocks being too far out of sync, but afaik that does not seem to be your 
issue. In your case it just says it can't find a DC to begin with. You 
might try a few of these, some of which may not apply depending on 
whether you are listing your DCs explicitly or just letting them be 
found automatically.


1. Make sure you can ping between your hosts. Ping the DC from the smb 
box and the smb box from the DC; try both 'ping server' and 'ping 
server.domain.local'.
2. On the DC run netdiag and dcdiag. There is a dns only test in dcdiag 
too, I think the syntax is dcdiag /test:dns.
My smb boxes use my DCs for DNS and the DNS is AD integrated, so you 
may need to tweak those suggestions if that's not your setup. Generally 
though, check out the health of the DNS.


3. In case you get nothing there (and you haven't done this already), 
try specifying your DCs explicitly in the kerberos config and in 
smb.conf. I've never had my config reviewed by the experts, but it works 
for me:


/etc/krb5.conf
...
[realms]
DOMAINNAME.COM = {
kdc = dal-dc1.domainname.com
kdc = den-dc1.domainname.com
master_kdc = dal-dc1.domainname.com
admin_server = dal-dc1.domainname.com
}

[domain_realm]
.domainname.com = DOMAINNAME.COM
...

/etc/samba/smb.conf
...
[global]
server string = Dallas File Server
workgroup = DOMAINNAME
realm = DOMAINNAME.COM
security = ADS
password server = *
#password server = dal-dc1.domainname.com
#password server = dal-dc1.domainname.com, den-dc1.domainname.com
...
Note the password server option especially. For a while I had to list it explicitly.

4. Use kinit to make sure kerberos is working, and maybe search for your 
error more in the list archives (read: google).


r...@yourhost:~# kinit administra...@domainname.com
Password for administra...@domainname.com:
r...@yourhost:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@domainname.com

Valid starting     Expires            Service principal
02/17/10 09:09:19  02/17/10 19:09:26  krbtgt/domainname@domainname.com
        renew until 02/18/10 09:09:19


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
r...@yourhost:~# kdestroy
r...@yourhost:~# kdestroy
kdestroy: No credentials cache found while destroying cache
r...@yourhost:~#

HTH,
Mark Casey
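Step 3 above lists the DCs by hand, but the automatic path that net ads join, winbind and Windows clients try first is a DNS SRV lookup for _ldap._tcp.dc._msdcs.<realm>; if that record is missing (DNS not AD-integrated, wrong zone, wrong realm spelling) the reply carries RCODE 3 (NXDOMAIN) or no answers, and the client reports that it cannot find a DC. The following Python is an added example, not code from this thread or from Samba: it builds that query, decodes the reply including DNS name compression, and can run live against one resolver (python dclocate.py DOMAINNAME.COM 10.0.1.30, where both the realm and the resolver address are assumed). The realm, host names and the sample reply bytes are constructed for the demo, not captured from a real DC.

```python
"""DC locator preflight: build and decode the _ldap._tcp.dc._msdcs.<realm> SRV lookup.
Added example; realm, host names and the sample reply are constructed, not captured."""
import os
import socket
import struct
import sys

SRV, IN = 33, 1

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_srv_query(realm, txid):
    """One question, recursion desired: SRV _ldap._tcp.dc._msdcs.<realm> IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("_ldap._tcp.dc._msdcs." + realm.lower()) + struct.pack("!HH", SRV, IN)

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                      # a hostile reply can loop pointers
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_srv_response(msg, txid):
    """[(priority, weight, port, target)] sorted as a client would try them.
    Raises on a txid mismatch or a non-zero RCODE (3 = NXDOMAIN: the record is missing)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("DNS RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return sorted(records)

def constructed_response(txid=0x1234, rcode=0):
    """Constructed reply: two DCs for DOMAINNAME.COM, or an empty reply carrying RCODE.
    Answer owner names use a pointer (0xC00C) back to the question name at offset 12."""
    question = encode_name("_ldap._tcp.dc._msdcs.domainname.com") + struct.pack("!HH", SRV, IN)
    if rcode:
        return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + question

    def rr(prio, weight, port, target):
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        return b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, 600, len(rdata)) + rdata

    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0) + question
            + rr(10, 100, 389, "den-dc1.domainname.com")
            + rr(0, 100, 389, "dal-dc1.domainname.com"))

def locate_dcs(realm, nameserver, timeout=3.0):
    """Live lookup over UDP/53 against one resolver (the AD-integrated DNS the box uses)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(realm, txid), (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data, txid)

if __name__ == "__main__":                     # python dclocate.py DOMAINNAME.COM 10.0.1.30
    args = sys.argv[1:]
    found = locate_dcs(*args) if len(args) == 2 else parse_srv_response(constructed_response(), 0x1234)
    for prio, weight, port, target in found:
        print("priority=%d weight=%d %s:%d" % (prio, weight, target, port))
```

Run it with no arguments to see the constructed reply decoded; with a realm and the IP of the DNS server the Samba box actually uses, it shows exactly which DCs the locator would be handed, in the order they would be tried. A txid mismatch or an RCODE is raised rather than ignored, since a wrong-id reply is either stale or forged and an NXDOMAIN is the root cause this thread is hunting.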


Re: [Samba] issue with mapping BUILTIN on ADS member server

2010-02-15 Thread Mark Casey

On 2/11/2010 2:53 PM, Mark Casey wrote:

Hello list,

Quick summary of the issue (repeated below after the details): Running 
'wbinfo --user-info=markc' on either smb ads member server will return 
identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns 
different information on each server. I'd like to make mappings for 
BUILTIN consistent in case I ever use them.


Background and details:
(original message truncated)

Thank you,
Mark Casey



Anyone have any ideas? Here is the progress I've made on the 
aforementioned test box's config. BUILTIN items are mapping, but they 
still seem to be going to tdb instead of ldap.


[global]
server string = Dallas File Server
workgroup = UNIFIEDGROUP
realm = UNIFIEDGROUP.COM
security = ADS
#   password server = *
password server = dal-dc1.unifiedgroup.com
#password server = dal-dc1.unifiedgroup.com, 
den-dc1.unifiedgroup.com

#   client schannel = Yes
#   server schannel = Yes
username map = /etc/samba/smbusers
obey pam restrictions = Yes
enable privileges = Yes
map to guest = Bad User
#   restrict anonymous = 2
allow trusted domains = No
#   lanman auth = No
#   ntlm auth = No
#   client NTLMv2 auth = Yes
log level = 2
syslog = 0
#   min protocol = NT1
#   client signing = Yes
#   server signing = Yes
load printers = No
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
host msdfs = No
idmap domains = BUILTIN UNIFIEDGROUP
idmap alloc backend = ldap
template shell = /bin/false
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind refresh tickets = Yes
idmap alloc config:range = 10 - 50
idmap alloc config:ldap_url = ldap://dal-dc1.unifiedgroup.com
idmap alloc config:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=unifiedgroup,dc=com
idmap alloc config:ldap_base_dn = 
ou=idmap,dc=sambaidmap1,dc=unifiedgroup,dc=com


idmap config BUILTIN:range = 10 - 50
idmap config BUILTIN:ldap_url = ldap://dal-dc1.unifiedgroup.com
idmap config BUILTIN:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=unifiedgroup,dc=com
idmap config BUILTIN:ldap_base_dn = 
ou=idmap,dc=sambaidmap1,dc=unifiedgroup,dc=com

idmap config BUILTIN:backend = ldap

idmap config UNIFIEDGROUP:range = 10 - 50
idmap config UNIFIEDGROUP:ldap_url = 
ldap://dal-dc1.unifiedgroup.com
idmap config UNIFIEDGROUP:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=unifiedgroup,dc=com
idmap config UNIFIEDGROUP:ldap_base_dn = 
ou=idmap,dc=sambaidmap1,dc=unifiedgroup,dc=com

idmap config UNIFIEDGROUP:backend = ldap
idmap config UNIFIEDGROUP:default = yes
hosts allow = (redacted)
map acl inherit = No
hide special files = Yes
map archive = No
map readonly = No
map system = No
map hidden = No
force create mode = 707
force directory mode = 707
ea support = No
store dos attributes = No
wide links = No
follow symlinks = No
dos filemode = No
add share command=/etc/samba/command_cust.pl
delete share command=/etc/samba/command_cust.pl
change share command=/etc/samba/command_cust.pl

Thanks in advance for any insight you may have,
Mark Casey



[Samba] issue with mapping BUILTIN on ADS member server

2010-02-11 Thread Mark Casey

Hello list,

Quick summary of the issue (repeated below after the details): Running 
'wbinfo --user-info=markc' on either smb ads member server will return 
identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns 
different information on each server. I'd like to make mappings for 
BUILTIN consistent in case I ever use them.


Background and details:
I have a production environment with 2 ADS member servers that I'm 
planning to re-work, and I've found an oversight with how my setup maps 
items from BUILTIN. I hadn't been using anything from there so it isn't 
a big deal at the moment, but I'm trying to fix it and/or decide how to 
simplify my whole idmap setup.


Here is some background info, let me know if you need something else:
-Native-mode AD, all DCs on 2003R2 SP2 x64.
-Two Ubuntu Server x64 8.04.03 LTS AD member servers running Samba 
3.0.28a. (samba_3.0.28a-1ubuntu4.10_i386.deb).
-I have a few directives that may be considered odd (map to guest, force 
create/dir) for my type of setup. This is because I'm still getting rid 
of some XP Home workstations that need guest shares. This was the only 
way I could get them to play nice (IIRC this was due to ADS mode 
rejecting the credentials before it realized it was a request for a 
guest share).


Here is my current config:
[global]
server string = Dallas File Server
workgroup = DOMAINNAME
realm = DOMAINNAME.COM
security = ADS
password server = *
#password server = dal-dc1.domainname.com
#password server = dal-dc1.domainname.com, den-dc1.domainname.com
#   client schannel = Yes
#   server schannel = Yes
username map = /etc/samba/smbusers
obey pam restrictions = Yes
enable privileges = Yes
map to guest = Bad User
#   restrict anonymous = 2
allow trusted domains = No
#   lanman auth = No
#   ntlm auth = No
#   client NTLMv2 auth = Yes
log level = 4
syslog = 0
#   min protocol = NT1
#   client signing = Yes
#   server signing = Yes
load printers = No
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
host msdfs = No
idmap domains = DOMAINNAME
idmap alloc backend = ldap
template shell = /bin/false
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
idmap alloc config:range = 10 - 50
idmap alloc config:ldap_url = ldap://dal-dc1.domainname.com 
ldap://den-dc1.domainname.com
idmap alloc config:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=domainname,dc=com

idmap config DOMAINNAME:range = 10 - 50
idmap config DOMAINNAME:ldap_url = 
ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
idmap config DOMAINNAME:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=domainname,dc=com
idmap config DOMAINNAME:ldap_base_dn = 
ou=idmap,dc=sambaidmap,dc=domainname,dc=com

idmap config DOMAINNAME:backend = ldap
idmap config DOMAINNAME:default = yes
hosts allow = (redacted)
map acl inherit = No
hide special files = Yes
map archive = No
map readonly = No
map system = No
map hidden = No
force create mode = 707
force directory mode = 707
ea support = No
store dos attributes = No
wide links = No
follow symlinks = No
dos filemode = No
add share command=/etc/samba/command_cust.pl
delete share command=/etc/samba/command_cust.pl
change share command=/etc/samba/command_cust.pl

The actual issue/question (as stated above): Running 'wbinfo 
--user-info=markc' on either smb ads member server will return identical 
info. Running 'wbinfo --group-info=BUILTIN\\Users' returns different 
information on each server. I'd like to make mappings for BUILTIN 
consistent in case I ever use them. I guess it is falling back to tdb 
since I can grep for relevant info and the tdb for group mapping matches.


I've labbed my setup by setting up a third smb server in the same 
config, and a blank ad partition for mapping...so I can change things 
for testing there (and I have been). My browser has no fewer than 20 
tabs up with various man pages, pdfs, and list posts on idmap but it 
isn't quite coming together for me on this one aspect that deals with 
BUILTIN. tia for any assistance you can provide.


Thank you,
Mark Casey


Re: [Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails

2009-03-21 Thread Mark Casey



Rob LaRose wrote:


Hi Mark,

Mind if I ask how you're doing ssh against your Windows AD?  I'm 
trying to do this now.  I've got a script that joins me to the domain 
and makes SSH work but not samba.  Then I can do net ads join and 
samba works but not ssh.  Gotta find the happy medium!


Are you somehow using samba to auth ssh too?

--Rob LaRose
   Imaginary Forces



[Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails

2009-03-19 Thread Mark Casey

Hello all,

As the subject says, as far as I can tell everything works on my ads 
integrated samba server. Domain accounts can be used for ssh, and 
accessing shares, I just can't leave the domain. Here is a successful 
join command followed by an unsuccessful leave command at debug level 4. 
Any ideas?


TIA,
Mark

u...@dordal:~$ sudo net ads join -U administra...@mydomain.com -d 4
[2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
 lp_load: refreshing parameters
[2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
 Initialising global parameters
[2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
 params.c:pm_process() - Processing configuration file 
/etc/samba/smb.conf

[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
 Processing section [global]
 doing parameter workgroup = MYDOMAIN
 doing parameter realm = MYDOMAIN.COM
 doing parameter security = ADS
 doing parameter password server = dal-dc1.mydomain.com, 
den-dc1.mydomain.com

 doing parameter client schannel = Yes
 doing parameter server schannel = Yes
 doing parameter username map = /etc/samba/smbusers
 doing parameter obey pam restrictions = Yes
 doing parameter enable privileges = Yes
 doing parameter restrict anonymous = 2
 doing parameter allow trusted domains = No
 doing parameter lanman auth = No
 doing parameter ntlm auth = No
 doing parameter client NTLMv2 auth = Yes
 doing parameter log level = 1
 doing parameter syslog = 0
 doing parameter min protocol = NT1
 doing parameter client signing = Yes
 doing parameter server signing = Yes
 doing parameter load printers = No
 doing parameter preferred master = No
 doing parameter local master = No
 doing parameter domain master = No
 doing parameter dns proxy = No
 doing parameter ldap ssl = no
 doing parameter host msdfs = No
 doing parameter idmap domains = MYDOMAIN
 doing parameter idmap alloc backend = ldap
 doing parameter template shell = /bin/false
 doing parameter winbind enum users = Yes
 doing parameter winbind enum groups = Yes
 doing parameter winbind use default domain = Yes
 doing parameter winbind refresh tickets = Yes
 doing parameter idmap alloc config:range = 10 - 50
 doing parameter idmap alloc config:ldap_url = 
ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
 doing parameter idmap alloc config:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=mydomain,dc=com
 doing parameter idmap alloc config:ldap_base_dn = 
ou=idmap,dc=sambaidmap,dc=mydomain,dc=com

 doing parameter idmap config MYDOMAIN:range = 10 - 50
 doing parameter idmap config MYDOMAIN:ldap_url = 
ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
 doing parameter idmap config MYDOMAIN:ldap_user_dn = 
cn=idmapmgr,cn=users,dc=mydomain,dc=com
 doing parameter idmap config MYDOMAIN:ldap_base_dn = 
ou=idmap,dc=sambaidmap,dc=mydomain,dc=com

 doing parameter idmap config MYDOMAIN:backend = ldap
 doing parameter idmap config MYDOMAIN:default = yes
 doing parameter hosts allow = 10.0.0.0/255.255.254.0 
10.1.0.0/255.255.254.0

 doing parameter map acl inherit = No
 doing parameter hide special files = Yes
 doing parameter map archive = No
 doing parameter map readonly = No
 doing parameter map system = No
 doing parameter map hidden = No
 doing parameter ea support = No
 doing parameter store dos attributes = No
 doing parameter wide links = No
 doing parameter follow symlinks = No
 doing parameter dos filemode = No
 doing parameter add share command = /etc/samba/command.pl
 doing parameter delete share command = /etc/samba/command.pl
 doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
 pm_process() returned Yes
[2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
 added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
 ads_dc_name: domain=MYDOMAIN
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
 get_dc_list: preferred server list: 10.0.1.30, dal-dc1.mydomain.com, 
den-dc1.mydomain.com

[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
 Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
 get_dc_list: preferred server list: 10.0.1.30, dal-dc1.mydomain.com, 
den-dc1.mydomain.com

[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
 get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
 get_dc_list: preferred server list: 10.0.1.30, dal-dc1.mydomain.com, 
den-dc1.mydomain.com

[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
 get_dc_list: returning 2 ip addresses 

Re: [Samba] root ownership on all new files for admin users

2009-03-19 Thread Mark Casey

Hi,

I'm dealing with the same issue so I thought I'd share a few ideas I've 
found so far.


write users= should just be letting those users write as themselves. 
It's the admin users= line that is intervening and mapping them to root.


If it's just the need for admin rights, I know that there is a privileges 
system built into samba. Most of the things you would want an admin 
user to be able to do can actually be enabled for that user instead of 
mapping them to root. I've read that while no account has any privileges 
by default, the Domain Admins group is automatically given the right to 
hand out new privileges. Just search for samba privileges online; I 
think this is the preferred way to accomplish what you want, removing 
the need for the admin users parameter.


Another thing you may consider is just make a new user in AD, and then 
change the admin users line so that it only lists that account. I 
don't even imagine that account would have to be an admin as far as 
Windows is concerned, but it could be made one if the situation arises 
to warrant it. Then your write list can write as themselves, and the new 
user can be mapped to root and not used to edit user's files. They could 
share the password if more than one person needs access, which is no 
worse than having them all mapped to root anyway (possibly better).


I don't quite have it figured out yet, so double-check me if you go with one 
of those, but I hope this helps.


-Mark




Vladimir Shved wrote:

Hello,
I have a samba server on a Windows domain, in ADS mode, but have a problem
tracking files that belong to admin users: any time a new file is created
the default owner is root. For non-admin users it's normal, newly
created files have correct ownership permissions. It's possible for a
user to go and take ownership manually from a Windows machine but it's
just inconvenient. Is there any way to change the default behavior to
create files with the correct ownership of the original user rather than
mapping to root for admin users?

Thank you,
Vladimir Shved

My setup:
Ubuntu 8.04 Hardy
Samba 3.0.28a
ext3 fs w/ ACLs

censored smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = File Server
security = ADS
syslog = 0
log file = /var/log/samba/log.%m
log level = 1 ads:10 auth:10 sam:10 rpc:10
max log size = 1000
local master = No
dns proxy = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.1.2
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind nested groups = yes
passdb backend = tdbsam

ldap ssl = on

idmap domains = MYDOMAIN
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:readonly = yes
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=mydomain,dc=local
idmap config MYDOMAIN:ldap_url = ldaps://ldapmachine
idmap config MYDOMAIN:ldap_anon = yes

idmap alloc backend = tdb
idmap alloc config:range = 3-4

template shell = /bin/bash

admin users = @BUILTIN\administrators
write list = @BUILTIN\administrators
client use spnego = yes
domain master = no
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes

guest account = nobody
map to guest = bad user
invalid users = root
map to guest = bad password

[share]
path = /share
guest ok = Yes
create mask = 0664
directory mode = 0775
  

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
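The 'admin users' setting Mark steers away from above is easy to audit for. The script below is an added example, not code from the samba project or from anyone in this thread: a small smb.conf parser that flags 'admin users' wherever it appears, a parameter set twice in one section (the posted config sets 'map to guest' twice; smbd keeps the last value and the earlier line is dead), and 'guest ok = yes' combined with 'map to guest = bad password', where a mistyped password silently becomes anonymous access instead of an error. It also emits the 'net rpc rights grant' lines that hand out SeDiskOperatorPrivilege in place of a root mapping. SAMPLE_CONF is a constructed fragment modelled on the posted config, and the 'administrator' account in the generated commands is an assumed name.

```python
"""Audit an smb.conf for settings that quietly hand out root or anonymous access.

Added example; not samba project code. Parses only the plain "[section]" /
"parameter = value" layout (no 'include =' or %-macro expansion: an assumption).
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*(?P<key>[^=;#\[][^=]*?)\s*=\s*(?P<value>.*?)\s*$")

# Constructed fragment modelled on the config posted above; not the poster's file.
SAMPLE_CONF = """\
[global]
workgroup = MYDOMAIN
security = ADS
admin users = @BUILTIN\\administrators
write list = @BUILTIN\\administrators
guest account = nobody
map to guest = bad user
invalid users = root
map to guest = bad password

[share]
path = /share
guest ok = Yes
create mask = 0664
"""


def normalise_key(key: str) -> str:
    """smbd ignores case and whitespace in parameter names: 'Admin Users' == 'adminusers'."""
    return re.sub(r"\s+", "", key.lower())


def parse_smb_conf(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {section: [(normalised key, key as written, value), ...]}, keeping duplicates."""
    sections: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, [])
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            key = m.group("key").strip()
            sections[current].append((normalise_key(key), key, m.group("value")))
    return sections


def is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit(text: str) -> List[str]:
    findings: List[str] = []
    conf = parse_smb_conf(text)
    global_params = {k: v for k, _, v in conf.get("global", [])}
    for section, params in conf.items():
        seen: Dict[str, str] = {}
        for key, shown, value in params:
            if key in seen:   # smbd keeps the last assignment; the earlier one is dead config
                findings.append(f"[{section}] '{shown}' is set twice ({seen[key]!r} then {value!r}); "
                                "smbd keeps the last one and the earlier line is dead")
            seen[key] = value
        if "adminusers" in seen:
            findings.append(f"[{section}] admin users = {seen['adminusers']}: these accounts run "
                            "every file operation as root, so their new files are owned by root")
        if section != "global":
            effective = {**global_params, **seen}   # a share inherits [global] defaults
            if is_true(effective.get("guestok", "no")) and \
                    effective.get("maptoguest", "never").lower() == "bad password":
                guest = effective.get("guestaccount", "nobody")
                findings.append(f"[{section}] guest ok = yes with map to guest = bad password: "
                                f"a wrong password silently becomes anonymous access as '{guest}'")
    return findings


def privilege_commands(text: str, admin: str = "administrator") -> List[str]:
    """'net rpc rights grant' lines that replace 'admin users' with SeDiskOperatorPrivilege."""
    cmds: List[str] = []
    for params in parse_smb_conf(text).values():
        for key, _, value in params:
            if key != "adminusers":
                continue
            for entry in value.replace(",", " ").split():
                name = entry.lstrip("@+&")   # '@', '+', '&' mark groups in smb.conf name lists
                cmds.append(f"net rpc rights grant '{name}' SeDiskOperatorPrivilege -U {admin}")
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN", finding)
    for cmd in privilege_commands(SAMPLE_CONF):
        print("RUN ", cmd)
```

Privileges only take effect with 'enable privileges = yes' in [global] (check what your version defaults to with testparm -v), and 'net rpc rights list accounts' shows what has been granted. Once 'admin users' is gone those accounts write files as themselves, which is what the question asks for; SeDiskOperatorPrivilege still lets them manage shares and ACLs from Windows.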


Re: [Samba] help - logon script

2009-03-17 Thread Mark Casey


Adam Williams wrote:
have you put that regedit4 data into a file and run it with regedit /s 
time.reg in their login script?


yudi shiddiq wrote:

Hello everybody...

I need help with a logon script: this time I want to change the time 
format from 12-hour to 24-hour on the client PCs.
I'm using samba 3.0.20 on the PDC and the clients are mostly Win XP but we 
have PCs with Win ME too.


I change it from logon.exe, which I put in every user directory; it has 
a script like this

REGEDIT4

[HKEY_CURRENT_USER\Control Panel\International]
"iTime"="1"
"sTimeFormat"="HH:mm:ss"

But when I try to log in the time format doesn't change; it's still in 12-hour 
format. I've tried many times but it's still the same.

Is there any clue...

I'm sorry if there is any mistake in my English. :)

Thx



  


Oooo yay a registry question. A few things to keep in mind, starting 
with the most obvious (some, I realize, you may already know...but I'm 
gonna paint with a wide brush).


1. The _CURRENT_USER hive of the registry is just that, per user. 
Changes to one user will not affect others.

But when i try to login the time format doesn't change
If you set the script ONLY for your users and then YOU login with your 
own account that does not have the script, then it makes sense that your 
time would not change.


2. You do not need to leave these changes in the logon script. Once the 
change is actually made for each user, it should stick. Once it is 
working you can leave it there for a few weeks (until everyone has 
logged in) and then remove it.


3. You can modify  [HKEY_USERS\.DEFAULT\Control Panel\International] 
with your preferred settings, and all NEW users will inherit them in 
their HKCU.


4. Some settings in various versions of Windows are VERY hard to change 
via scripts. For example in WinXP, changing whether the Start menu 
hides, is locked, has quick launch, etc. is rather difficult. The 
reason is that Windows XP reads the settings into explorer.exe from the 
user's HKCU before your logon script can work, and writes them back at 
logoff, rendering scripts useless (not to mention that all of those 
settings are globbed into one long binary string (50 characters or so) 
representing all of the settings).


I just tested the time settings on my Win XP Pro system and manual 
changes seem to be retained, and the time format did change when I 
logged back on...just be aware that Windows may be working against you 
(depending on the version and what you are trying to change, etc).


5. You can mount a user's HKCU as a subkey of HKLM even when they are 
logged off. Open HKLM and go to File -> Load Hive. Choose the user's 
ntuser.dat file (usually C:\documents and settings\USERNAME\ntuser.dat). 
This can be invaluable for investigating things or for changing 
settings like the ones I described in #4. (In fact, deciphering the long 
binary string for the start menu settings and writing a program to 
enumerate all the users, mount their ntuser.dat, and make the change 
when they are not logged in is the only way I've seen #4 done.)


Other than that, try what others have suggested here. Make sure the time 
format is actually changing when you merge the .reg manually or manually 
edit the registry. Also note that there is the command line REG command 
that can be used to work with individual keys, should your command line 
merge method never work.


HTH
-Mark


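What a .reg file actually has to look like, and a check worth running on one before it goes into a logon script: the block below is an added example, not code from anyone in this thread. It parses the REGEDIT4 / 'Windows Registry Editor Version 5.00' format (string, dword and hex values, default values, value and key deletion) and then applies a policy that suits a per-user logon script, in line with points 1 and 3 above: keys only under HKEY_CURRENT_USER or HKEY_USERS\.DEFAULT, and no autorun keys. A value line without the quoting the format requires (a bare iTime=1 instead of "iTime"="1") is reported rather than passed through. TIME_FORMAT_REG and the other inputs are constructed samples; the allowed hives are an assumption of the policy, not a Windows rule.

```python
"""Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' file and check it
against a policy for per-user logon scripts.

Added example for the logon-script thread; not code from anyone in it.
"""
import re
from typing import Dict, List, Optional, Union

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<delete>-)?(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.+)$')
# Hives a per-user logon script has any business writing to (assumption of this policy).
ALLOWED_ROOTS = ("HKEY_CURRENT_USER\\", "HKEY_USERS\\.DEFAULT\\")
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

RegValue = Union[str, int, bytes, None]             # None marks a value to delete
RegFile = Dict[str, Optional[Dict[str, RegValue]]]  # key -> values, or None for a deleted key

# Constructed sample: the time-format change written the way REGEDIT4 requires.
TIME_FORMAT_REG = """REGEDIT4

[HKEY_CURRENT_USER\\Control Panel\\International]
"iTime"="1"
"sTimeFormat"="HH:mm:ss"
"""


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # \\ -> \  and  \" -> "


def parse_data(data: str) -> RegValue:
    if data == "-":
        return None
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    m = re.fullmatch(r"dword:([0-9A-Fa-f]{1,8})", data)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"hex(?:\([0-9A-Fa-f]+\))?:(.*)", data)
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    raise ValueError(f"unrecognised value data {data!r}")


def parse_reg(text: str) -> RegFile:
    lines = text.split("\n")
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("first line must be REGEDIT4 or 'Windows Registry Editor Version 5.00'")
    keys: RegFile = {}
    current: Optional[str] = None
    i = 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):   # hex data continued on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = None if m.group("delete") else (keys.get(current) or {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"malformed line {i}: {line!r} "
                             "(value names must be quoted, e.g. \"iTime\"=\"1\")")
        values = keys[current]
        if values is None:
            raise ValueError(f"line {i} sets a value under a key marked for deletion")
        name = "" if m.group("default") else _unescape(m.group("name"))
        values[name] = parse_data(m.group("data"))
    return keys


def check_policy(keys: RegFile) -> List[str]:
    """Keys a logon script should not touch: other hives, HKLM, autorun locations."""
    problems: List[str] = []
    for key in keys:
        if not key.upper().startswith(ALLOWED_ROOTS):
            problems.append(f"{key}: outside the per-user hives a logon script should write")
        if key.lower().rstrip("\\").endswith(AUTORUN_SUFFIXES):
            problems.append(f"{key}: autorun key; a logon script writing here is a persistence mechanism")
    return problems


if __name__ == "__main__":
    parsed = parse_reg(TIME_FORMAT_REG)
    for key, values in parsed.items():
        print(key, values)
    print("policy problems:", check_policy(parsed) or "none")
```

regedit /s merges a file like this without any output, so a malformed line gives you nothing to debug at logon time; validating the file beforehand is the cheap fix. For the logged-off case in point 5, 'reg load HKU\tmp C:\...\ntuser.dat', then 'reg import' or 'reg add' against HKU\tmp, then 'reg unload HKU\tmp', does from a script what File -> Load Hive does in the GUI.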


[Samba] add/change share script

2009-03-06 Thread Mark Casey

Hello,

I'm trying to write up a new script for the add/change/delete share command, 
because I think it's pretty nifty messing with shares from Windows. I wrote 
a test script that just prints the passed parameters to a text file and 
does nothing else. This is what I got from an add attempt.


/etc/samba/smb.conf
bakcups
/home/backups
comment-ADD
0

Would I be correct to assume that the zero on the last line just 
represents that samba made me appear to be root when I did this? (uid=0 
based on a usermap) If not, anyone know what the zero is for? All of the 
others were pretty self explanatory.


Thank you,
Mark Casey

p.s. The newest information I can find on this method was from (at the 
latest) 2006. Please advise if there is a new way to do this; as this is 
just the method I came across first.

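On the five parameters: smb.conf(5) documents 'add share command' as being run with the config file, the share name, the path, the comment and the maximum number of connections, in that order, so the trailing 0 in the output above is the max connections value (0 meaning unlimited), not a uid. 'change share command' receives the same five arguments and 'delete share command' just the config file and share name. The script below is an added example of such a script, not the samba project's and not from the thread: it validates what the Windows client sent before appending a stanza, because the share name and comment arrive from the client and a newline or ']' inside the comment would otherwise inject arbitrary directives into smb.conf. ALLOWED_ROOT (/home) and the stanza defaults are assumptions.

```python
#!/usr/bin/env python3
"""'add share command' helper that validates the client's request before editing smb.conf.

Added example; not the samba project's script. smbd passes five arguments:
config file, share name, path, comment, max connections.
"""
import os
import re
import sys
from typing import List

ALLOWED_ROOT = "/home"   # hypothetical: only directories under here may be exported
SHARE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.\-]{0,79}$")
RESERVED = ("global", "homes", "printers")


class BadShareRequest(ValueError):
    pass


def validate(share: str, path: str, comment: str, max_conn: str) -> int:
    """Reject anything that could inject config or export a directory outside ALLOWED_ROOT."""
    if not SHARE_NAME_RE.match(share) or share.lower() in RESERVED:
        raise BadShareRequest(f"refusing share name {share!r}")
    if any(c in comment for c in "\r\n[]") or len(comment) > 200:
        raise BadShareRequest("comment would inject into smb.conf")
    if not max_conn.isdigit():
        raise BadShareRequest(f"max connections must be a number, got {max_conn!r}")
    real, root = os.path.realpath(path), os.path.realpath(ALLOWED_ROOT)
    if real != root and not real.startswith(root + os.sep):   # blocks '..' and symlink escapes
        raise BadShareRequest(f"{path!r} resolves outside {ALLOWED_ROOT}")
    return int(max_conn)


def render_stanza(share: str, path: str, comment: str, max_conn: int) -> str:
    lines = [f"[{share}]", f"\tpath = {path}", f"\tcomment = {comment}",
             "\tread only = no", "\tbrowseable = yes"]   # assumed defaults for a new share
    if max_conn > 0:
        lines.append(f"\tmax connections = {max_conn}")
    return "\n".join(lines) + "\n"


def add_share(config_text: str, share: str, path: str, comment: str, max_conn: str) -> str:
    """Return the config with the new stanza appended, or raise if it is unsafe or a duplicate."""
    n = validate(share, path, comment, max_conn)
    if re.search(rf"^\s*\[{re.escape(share)}\]\s*$", config_text, re.IGNORECASE | re.MULTILINE):
        raise BadShareRequest(f"share {share!r} already exists")
    sep = "" if not config_text or config_text.endswith("\n") else "\n"
    return config_text + sep + "\n" + render_stanza(share, path, comment, n)


def main(argv: List[str]) -> int:
    if len(argv) != 6:
        print("usage: add_share.py CONFIG SHARE PATH COMMENT MAXCONN", file=sys.stderr)
        return 2
    config_file, share, path, comment, max_conn = argv[1:]
    try:
        if not os.path.isdir(path):
            raise BadShareRequest(f"{path!r} is not an existing directory")
        with open(config_file) as fh:
            text = fh.read()
        new_text = add_share(text, share, path, comment, max_conn)
        with open(config_file + ".tmp", "w") as fh:
            fh.write(new_text)
        os.replace(config_file + ".tmp", config_file)   # atomic: smbd never reads a half-written file
    except (OSError, BadShareRequest) as exc:
        print(f"add share refused: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point 'add share command = /usr/local/sbin/add_share.py' at it in [global]; smbd runs it as root, and only for a caller who is root or holds SeDiskOperatorPrivilege, then re-reads smb.conf. Run testparm on the result the first few times to be sure the stanza it writes is what you expect.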


RE: [Samba] Is this possible? (syncing users between a system withsamba 3 on and a win2k3 server)

2004-06-24 Thread Mark Casey
Hi there,

Do you know of any good documentation or books that cover this?

As I said in a previous post I've not used Samba in a few years, so I'd feel
more comfortable reading up a bit and then doing some experimentation in a
test vmware network.

Thanks

Mark


-Original Message-
From: Christoph Scheeder [mailto:[EMAIL PROTECTED] 
Sent: 20 June 2004 17:41
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Is this possible? (syncing users between a system
withsamba 3 on and a win2k3 server)


Hi,
it is possible, but you'll have to install some packages manually by
compiling them yourself. These packages are kerberos and samba, as the
versions in most distros are too old to work correctly as an ads-member in
win2k3-ADS. AFAIK you'll have to install MIT-kerberos 1.33 and, at the
moment, samba from svn. All other versions do not work. Christoph

Mark Casey schrieb:

 Well, the gentoo mention was a joke. (the loving compile times remark)
 
 Are there any good books on the subject dealing with what I mentioned, 
 as I haven't used Samba for a few years. (probably pre 2.0)
 
 Anyway, if I do setup any *bsd or linux servers they will be dedicated 
 to the task and will not have any additional programs installed.
 
 I would most likely leave the win2k3 server as the PDC, I have heard 
 of some issues in the past dealing with Samba and it being a PDC. The 
 situation is that I want to apply the practice of least change, I 
 don't want to (or feel the network needs to) have a new domain 
 controller.. Having all machines join the new domain etc.
 
 So, SBS won't allow a BDC?  (suppose I'll have to go and buy it then 
 do some tests in vmware)
 
 What you're saying is that it isn't possible currently with Samba 3 to 
 replicate users from win 2k3? (without some manual work, is it 
 possible at all to script any of it?)
 
 Thanks
 
 Mark
 



[Samba] Is this possible? (syncing users between a system with samba 3 on and a win2k3 server)

2004-06-19 Thread Mark Casey
Okay, first a bit of background...

It looks as though I'm going to be getting a consulting job soon to replace
a guy at a company; it turns out he has done something of a poor job (for
example the router login is accessible from the outside, from any IP etc).

Now, the main server at this company is running Windows 2003 Server (SBS
possibly) it also acts as the email server etc
I plan to separate things a bit at the company and dedicate such tasks to
separate servers, one for email, one for webserver etc. (they had a hard
disk failure recently, the current guy didn't do the tape backups correctly
and so they lost email, webserver and pdc).
At the moment I plan to setup a linux system (either debian or gentoo.. Love
those compile times) for the email server (postfix or qmail.. Probably
postfix I have more experience with that) and have the users use imap to
access their email internally and setup squirrelmail so they can access
their work email at home. (some users often do work at home)


Here is what I want to do:

Whenever a new user (or any currently existing user) is created on
the win 2k3 server, it is replicated on the email server (same username and
password) automatically.

Is it possible to do this with Samba?

It's mostly because there'll be a good number of currently existing users on
the win 2k3 server and so when I set up the email server I don't want to be
creating a very large number of users; I'd much rather it was totally
automated.

Sorry about this being a bit long, I tried to shorten it.


Thanks

Mark



RE: [Samba] Is this possible? (syncing users between a system withsamba 3 on and a win2k3 server)

2004-06-19 Thread Mark Casey
Well, the gentoo mention was a joke. (the loving compile times remark)

Are there any good books on the subject dealing with what I mentioned, as I
haven't used Samba for a few years. (probably pre 2.0)

Anyway, if I do setup any *bsd or linux servers they will be dedicated to
the task and will not have any additional programs installed.

I would most likely leave the win2k3 server as the PDC, I have heard of some
issues in the past dealing with Samba and it being a PDC.
The situation is that I want to apply the practice of least change, I don't
want to (or feel the network needs to) have a new domain controller.. Having
all machines join the new domain etc.

So, SBS won't allow a BDC?  (suppose I'll have to go and buy it then do some
tests in vmware)

What you're saying is that it isn't possible currently with Samba 3 to replicate
users from win 2k3? (without some manual work, is it possible at all to
script any of it?)

Thanks

Mark
