[Samba] pam_winbind.so reporting Wrong Password

Hi,

I have:

    samba-3.0.14a
    krb5-1.4.1

on Fedora Core 3 and a 2003-based Active Directory.

I have joined the Linux box to the domain and everything seems OK. wbinfo -u comes back with the correct users, wbinfo -a user%pass authenticates fine and net ads testjoin comes back OK.

However, when I put the line:

    auth sufficient /lib/security/pam_winbind.so

in /etc/pam.d/system-auth I start getting errors like this in /var/log/messages:

    May 17 17:08:37 newmail pam_winbind[2376]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD

I was just wondering if this is a misconfiguration on my part of the PAM settings or something else.

Any help appreciated,

thanks,
Mark

[Samba] Winbindd forgetting the user maps

Hi,

I have a bit of a problem - every time our samba server reboots, winbindd seems to forget its user and group id mapping.

Also, after I have rebooted, I need to run getent passwd and getent group, otherwise it looks like this:

    drwx--2 10183root 4096 Dec 8 16:12 dir0080

After I have run those commands, the directories are owned by different users.

Thanks for any help,

Mark Le Noury
Barone, Budge Dominick
Tel. (+2711)532 8415
Cell. +27825624412
E-mail: [EMAIL PROTECTED]

RE: [Samba] member server and kerberos

Hi,

I had the exact same problem yesterday - which I managed to somehow correct. What I think happened was that after I had re-compiled kerberos support into samba, I forgot to copy the new libnss_winbind.so to the /lib directory. Once I had copied the new library, I did a killall -9 winbindd and a service smb stop and then restarted it all again. It just seemed to work after that. But I am just taking a huge guess about that being the cause - it could have been something else that I changed by mistake.

I also found it necessary to build and install krb5-1.3.5 from MIT in order to get everything to work correctly together. The older version of kerberos that came with my distribution just wasn't happy talking to my windows server. (Although I am using windows server 2003)

Thanks,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of thomas constans
Sent: 15 October 2004 04:46 PM
To: [EMAIL PROTECTED]
Subject: [Samba] member server and kerberos

hello

i have been struggling for too long trying to setup the following configuration: debian samba 3 member server of a win 2000 AD

here is my configuration:

## smb.conf ##

    [global]
    log level = 4
    interfaces = 192.168.10.11/255.255.255.0
    workgroup = datom
    realm = datom.dyndns.org
    server string = samba membre
    security = ads
    netbios name = cafeine
    log file = /var/log/samba/samba.log
    max log size = 50
    idmap uid = 1-2
    idmap gid = 1-2
    password server = nicotine.datom.dyndns.org
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    domain master = no
    preferred master = no
    domain logons = no
    dns proxy = no
    obey pam restrictions = Yes
    winbind separator = /
    inherit acls = yes
    inherit permissions = yes
    admin users = DATOM.DYNDNS.ORG/administrateur
    winbind enum users = yes
    winbind enum groups = yes

    [share]
    comment = partage
    path = /home/samba
    browseable = yes

## krb5.conf ##

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    #ticket_lifetime = 24000
    default_realm = DATOM.DYNDNS.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    DATOM.DYNDNS.ORG = {
        kdc = NICOTINE.DATOM.DYNDNS.ORG:88
        admin_server = DATOM.DYNDNS.ORG:749
        default_domain = DATOM.DYNDNS.ORG
    }

    [domain_realm]
    .datom.dyndns.org = DATOM.DYNDNS.ORG
    datom.dyndns.org = DATOM.DYNDNS.ORG

    [kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

## nsswitch.conf ##

    passwd: files winbind #ldap
    group: files winbind #ldap
    shadow: files #ldap

tests performed:

    # kinit administrateur + password - ok

    # net ads join
    [2004/10/15 16:30:32, 0] libads/ldap.c:ads_add_machine_acct(1283)
      ads_add_machine_acct: Host account for cafeine already exists - modifying old account
    Using short domain name -- DATOM
    Joined 'CAFEINE' to realm 'DATOM.DYNDNS.ORG'

    # klist -5
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: [EMAIL PROTECTED]

    Valid starting     Expires            Service principal
    10/15/04 13:50:20  10/15/04 23:50:20  krbtgt/[EMAIL PROTECTED]
    10/15/04 13:50:54  10/15/04 23:50:20  [EMAIL PROTECTED]
    10/15/04 13:50:55  10/15/04 23:50:20  kadmin/[EMAIL PROTECTED]

    # wbinfo -D datom
    Name             : DATOM
    Alt_Name         : datom.dyndns.org
    SID              : S-1-5-21-1214440339-616249376-839522115
    Active Directory : Yes
    Native           : No
    Primary          : Yes
    Sequence         : -1

    # wbinfo -g
    BUILTIN/System Operators
    BUILTIN/Replicators
    BUILTIN/Guests
    BUILTIN/Power Users
    BUILTIN/Print Operators
    BUILTIN/Administrators
    BUILTIN/Account Operators
    BUILTIN/Backup Operators
    BUILTIN/Users

BUT

    # wbinfo -u
    Error looking up domain users

i suspect a kerberos configuration issue because reverting to a security = domain model, and everything works perfectly

can anybody shed a light on this ???

thanx in advance
--
thomas constans
[EMAIL PROTECTED]
openDoor.fr

RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving

Hi,

I think that you are formatting the valid users directive incorrectly.

Try

    valid users = DOMAIN+Group_name

(I use + as my winbind separator, substitute for whatever you have chosen)

No @ sign necessary.

It works fine for me like that.

Thanks,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 October 2004 12:38 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba 3.0.7 / AD Domain Group Resolving

Hello List,

currently we have Samba 3.0.7 running on SLES8 systems with AD integration. We're using the SerNet RPMs (ftp.sernet.de)

Everything works fine so far, we just have a problem with resolving domain groups. wbinfo -g works fine, the domain groups are correctly resolved. But when inserting a

    valid users = @AD_DOMAIN_GROUP

statement in the smb.conf we get the following error:

    smbd/service.c:make_connection_snum(314)
      user 'DOMAIN\User.Name' (from session setup) not permitted to access this share (sharename)

Inserting the user with his normal account name does work (e.g. valid users = DOMAIN\User.Name)

We do have a lot of AD Groups, some users are members of more than 200 groups (and no, we cannot fix that, reducing the number of groups is unfortunately not an option).

I did find several posts in the list archives on this topic, but no practical solution yet. Is there a solution? Are more details necessary?

One more thing: we also have the problem that once in a while winbind dies when executing wbinfo -g or -u. I don't know if this is somehow connected.

Anyone any ideas? I'm a bit lost here...

Greetings

Andreas Grzeski
Systems Engineer/RHCE
Stadtwerke München GmbH

RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving

Could you post the share definition from your smb.conf file?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 October 2004 02:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving

Hi Mark,

that did not resolve the problem for me. Removing the @ sign produced the same error message (see below)...

Greetings

Andreas

-----Original Message-----
From: Mark Le Noury [mailto:[EMAIL PROTECTED]
Sent: Thursday, 14 October 2004 12:43
To: [EMAIL PROTECTED]
Subject: RE: [Samba] Samba 3.0.7 / AD Domain Group Resolving

Hi,

I think that you are formatting the valid users directive incorrectly.

Try

    valid users = DOMAIN+Group_name

(I use + as my winbind separator, substitute for whatever you have chosen)

No @ sign necessary.

It works fine for me like that.

Thanks,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 October 2004 12:38 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba 3.0.7 / AD Domain Group Resolving

Hello List,

currently we have Samba 3.0.7 running on SLES8 systems with AD integration. We're using the SerNet RPMs (ftp.sernet.de)

Everything works fine so far, we just have a problem with resolving domain groups. wbinfo -g works fine, the domain groups are correctly resolved. But when inserting a

    valid users = @AD_DOMAIN_GROUP

statement in the smb.conf we get the following error:

    smbd/service.c:make_connection_snum(314)
      user 'DOMAIN\User.Name' (from session setup) not permitted to access this share (sharename)

Inserting the user with his normal account name does work (e.g. valid users = DOMAIN\User.Name)

We do have a lot of AD Groups, some users are members of more than 200 groups (and no, we cannot fix that, reducing the number of groups is unfortunately not an option).

I did find several posts in the list archives on this topic, but no practical solution yet. Is there a solution? Are more details necessary?

One more thing: we also have the problem that once in a while winbind dies when executing wbinfo -g or -u. I don't know if this is somehow connected.

Anyone any ideas? I'm a bit lost here...

Greetings

Andreas Grzeski
Systems Engineer/RHCE
Stadtwerke München GmbH

[Samba] kerberos and/or winbind ??

Hi,

I'm getting confused about the role that kerberos authentication plays. What exactly is the point of using kerberos to join a samba server to an AD domain? If using kerberos still requires you to rely on winbindd for all the nsswitch stuff then what is the point?

I can just as easily specify

    workgroup = wkgrp
    security = domain

and do a net join

Instead of doing

    realm = wkgrp.krb.realm
    workgroup = wkgrp
    security = ADS

and doing net ads join

Are there performance benefits/better security...what??

I think that maybe my understanding of the kerberos setup is a bit flawed.

thanks for any replies,

Mark Le Noury

RE: [Samba] samba server as NT4 domain member - security=domain - need to create password db manually?

Hi,

Looks like you are missing the

    password server = domain_controller_name

directive in the [global] section.

Thanks,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Moorhouse
Sent: 06 October 2004 12:24 AM
To: [EMAIL PROTECTED]
Subject: [Samba] samba server as NT4 domain member- security=domain - needto create password db manually?

    # Global parameters
    [global]
    workgroup = MYDOMAIN
    server string = Samba Server %v on %L
    security = DOMAIN
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = /etc/printcap
    local master = No
    dns proxy = No
    wins server = MYWINSERVER
    idmap uid = 15000-2
    idmap gid = 15000-2
    winbind use default domain = Yes

    [homes]
    comment = Home Directories
    read only = No
    browseable = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

    [domain_user]
    comment = My Private Share
    path = /home/samba/domain_username
    valid users = domain_username
    read only = No
    guest ok = Yes

    [public]
    path = /home/samba/public
    valid users = domain_user
    read only = No

    [data]
    comment = Data Drive
    path = /home/samba/data
    read only = No
    volume = Sample-Data-Drive

Hi

I want to set up a samba domain-member server with shares for office users. I can see the samba server on the NT/Win2000 network. I can access the [data] share above - as it requires no authentication. The public and domain_user shares both ask for a username and password when I try to open them from a windows machine.

As I am using our NT4 domain controller for user authentication I shouldn't have to use encrypted files and create each samba user with smbpasswd, should I? That's the point of telling samba I want to use 'domain', isn't it?

If I do wbinfo -u and wbinfo -g on the samba server I see a list of the groups and user accounts. Can someone tell me what I am missing from smb.conf? Do I need some password backend in samba?

Thanks for any help

R.

RE: [Samba] winbind pam nsswitch question

Hey man,

You only need to do the nsswitch stuff in order to accomplish what you described. The pam stuff is for logging in to the unix box with an AD account, the nss stuff is necessary for the enumeration of the AD accounts + groups.

So you need winbindd + libnss_winbind.so + changes to nsswitch.conf

Hope this helped.

Thanks,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Adams
Sent: 06 October 2004 05:26 PM
To: [EMAIL PROTECTED]
Subject: [Samba] winbind pam nsswitch question

I am setting up a Samba 3.0.6 ADS member server, configured like this:

- Windows 2000 ADS Server
- Samba 3.0.6 ADS member server (Solaris 9) is a member of ADS domain
- Windows XP clients are members of ADS domain, require access to Samba shares on Solaris server.

I'm trying to make it so that I don't have to maintain a usermap to map all of the users or groups in the ADS domain on the Solaris server. I think I still need winbindd running in order for Samba to be able to enumerate the users and groups on the ADS server, but I'm confused as to which parts of the tutorials to follow.

I don't want the ADS accounts to be able to log in to the Solaris server, I just want them to be able to map drives. I also don't want files that the ADS accounts access to have user or group ownership based on their ADS accounts... I'd like to force all the ADS users to a single Solaris account. From looking at the tutorials, I'm thinking that I'll use Unix directory permissions to achieve that instead of force user in smb.conf.

Here are my questions:

1. The By Example document talks about adding winbind to /etc/nsswitch.conf and putting libnss_winbind.so in my /usr/lib directory. Is this required for the situation described above, or is this only required if you want to be able to log into the Solaris server using an ADS account and password?

2. The Official Howto talks about adding pam_smbpass.so and/or pam_winbind.so entries to /etc/pam.conf. Again, is this required for the situation described above, or is this only required for logging into Unix with ADS accounts?

Thanks for any info...

Greg Adams

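
The split described in the reply above (winbind in nsswitch.conf for enumeration, no pam_winbind.so so AD accounts cannot log in) can be checked with a short script. This is an added example, not code from the thread; the function names and the sample files it builds are constructed for illustration, and the file paths are arguments so it can be pointed at /etc/nsswitch.conf and /etc/pam.conf or /etc/pam.d/* on a real host.

```shell
#!/bin/sh
# Added example: audit a Samba member server that should resolve AD users
# and groups through winbind (NSS) but must not let them log in (no PAM).

# nss_has_winbind FILE DB -> 0 if the DB line (passwd, group) lists winbind.
nss_has_winbind() {
    # Drop comments first so "#winbind" or a trailing "#ldap" never counts.
    sed 's/#.*//' "$1" | awk -v db="$2" -F: '
        $1 ~ ("^[ \t]*" db "[ \t]*$") {
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "winbind") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# pam_uses_winbind FILE... -> 0 if any active line loads pam_winbind.so.
pam_uses_winbind() {
    sed 's/#.*//' "$@" | grep -q 'pam_winbind\.so'
}

# audit_share_only NSSWITCH PAMFILE... -> prints findings; returns 0 only
# when passwd and group use winbind and PAM does not.
audit_share_only() {
    nss="$1"; shift
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$nss" "$db"; then
            echo "ok:   $db resolves through winbind"
        else
            echo "FAIL: $db line in $nss lacks winbind"; rc=1
        fi
    done
    if pam_uses_winbind "$@"; then
        echo "FAIL: pam_winbind.so is configured, AD accounts can log in"; rc=1
    else
        echo "ok:   no active pam_winbind.so entry"
    fi
    return $rc
}

# Constructed sample files (not taken from the thread).
demo_dir=$(mktemp -d)
printf 'passwd: files winbind\ngroup: files winbind\nshadow: files\n' \
    > "$demo_dir/nsswitch.conf"
printf '# login auth sufficient pam_winbind.so\nlogin auth required pam_unix.so\n' \
    > "$demo_dir/pam.conf"
audit_share_only "$demo_dir/nsswitch.conf" "$demo_dir/pam.conf"
```
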
RE: [Samba] WINBIND Problem.....

Hi,

Sorry for a few more obvious questions, but...

What does the share definition in smb.conf look like? What global parameters have you set?

Maybe I missed an earlier post or something.

Thanks,
Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Travis Bullock
Sent: 05 October 2004 05:07 PM
To: 'Hamish'
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] WINBIND Problem.

Most definitely. The test directory appears as follows:

    [EMAIL PROTECTED] avamx_shares]# ls -al
    total 12
    drwxr-xr-x 3 root root 4096 Sep 21 14:40 .
    drwxr-xr-x 17 root root 4096 Sep 2 06:07 ..
    drwxr-xr-x 2 tbullock Domain Admins 4096 Sep 21 14:40 tbullock

The directory 'tbullock' is the one I am trying to gain access to. As you see, Fedora allows me to use the winbind generated or acquired tbullock user and Domain Admins groups, which I found pretty cool by the way. And also the weird thing is, if I try to browse to that 'tbullock' share and I am not actually logged in as 'tbullock' (Domain account), it gives me a straightforward Access Denied message. If I am sitting at my computer logged in as my Domain Account 'tbullock' then the message is much different and goes something like: Access Denied contact your administrator...blah..blah...blah followed by a Network Path Not Found. So it is returning different error messages depending on which account attempts to access the share.

Thanks for the interest in this problem.

Cheers,
Travis

-----Original Message-----
From: Hamish [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 4:48 AM
To: Travis Bullock
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] WINBIND Problem.

Sorry for obvious question, but have you made sure that you have write permission to the directory you are trying to write to?

Travis Bullock wrote:

Hello again. Still have not resolved this winbind issue, although it may not be winbind at all. The odd thing is, when I attempt to access a share on the Fedora C2 server running samba 3.x and winbind it will ask for a password. If I enter the wrong username and password, it will give me an invalid username or password error. If I enter the correct username and password, it will give me an Access Denied contact your administrator...blah..blah...blah followed by a Network Path Not Found. Any ideas out there?

Cheers,
Travis

[Samba] winbindd not enumerating domain local security groups

Hi,

I have a small problem with winbindd (from samba 3.07) + W2k3 AD:

wbinfo -g fetches a list of only the Global security groups. I need to be able to chown(1) directories to be owned by domain local groups so that I can assign Global groups permissions to these directories.

I was wondering if this was a known bug/feature with winbind? (I did have a look through a few of the list archives - but got bored so please excuse if this has been posted before!)

thanks,

Mark Le Noury

[Samba] file locking problem

Hi,

I'm having a strange problem today with samba 2.2.7. Samba is reporting that one of our users has locked a file. I have asked him to reboot his machine and stopped and restarted the smb daemon. The file remains locked. I have also tried to kill the pid of the samba process associated with the locked file - this does not help at all.

I was wondering if anyone has any suggestions - maybe I just need to delete the locking.tdb file, would that help??

thanks,

Mark Le Noury
Barone, Budge Dominick
Tel. (+2711)532 8415
Cell. +27825624412
E-mail: [EMAIL PROTECTED]

[Samba] performance issues

Hi,

I have compiled and am running samba version 2.2.7.a on Redhat linux 7.3. I am having some performance issues with it and was wondering if I was doing something wrong.

I have noticed that if I use samba in security = server mode, every time a new connection is made to the server from the same client a new smbd process is started. It also seems as if the process only ends when the client machine is rebooted.

When I use the server in security = user mode, every time a new connection is made from a different client a new process is started. It also only seems to kill the process when the client is rebooted.

I end up with a lot of processes running on the fileserver and sometimes the machine locks up and complains about the max file limit being reached. I have found a workaround by increasing the file-max value in /proc/sys/fs.

I was just wondering if there is a way to get the processes to die as soon as the client disconnects from the server - maybe I have omitted something when running the configure command??

I was also wondering if it is the default behaviour of samba to spawn new processes every time a connection is made? Is it possible to change this behaviour?

thanks in advance,

Mark Le Noury