Re: [Samba] SAMBA+LDAP
On Thu, 2005-02-24 at 15:27 -0800, Roger Morris wrote:
> I don't want to integrate into AD, I have a SAMBA server running the
> latest and greatest that comes with Redhat AS4 (Samba 3.0.10-1.4E). All
> I want to do is to be able to authenticate against an existing LDAP
> server.

You might want to try the smbldap-tools from http://samba.idealx.org/dist/
Follow the instructions to populate the ldap server with the necessary
entries, which brings us to your other question...

> I would have figured it should be as straightforward as putting the LDAP
> specific settings in the smb.conf. I'm obviously mistaken. Am I going to
> have to get the LDAP admin to add the include for samba.schema in the
> LDAP server configs?

Yes.

> Are there any docs for setting up a new SAMBA box for authenticating
> against an existing LDAP server? if yes, Where?

It's the same steps any which way you go, just leave out the steps that
are already done...

-Mark

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
OT: Heimdal snapshots for debian (was: Re: [Samba] LDAP + SASL (kerberos) password syncing)
On Fri, 2005-01-21 at 13:58 +1100, Andrew Bartlett wrote:
> On Thu, 2005-01-20 at 20:58 -0500, Mark Roach wrote:
> > > You could also use the smbk5pwd OpenLDAP module, which will fill out
> > > the other Kerberos encryption types at the same time. (I'm not yet
> > > running this). I think this module should run with 'ldap password
> > > sync = only'.
> >
> > That seems like the ideal situation. It sounds like I'm not going to be
> > able to pull this off with the versions of openldap and heimdal in the
> > debian repositories though. Not a big deal, but not ideal for my
> > purposes. Perhaps I'll do some custom packaging.
>
> I'll be interested to see what you come up with, and happy to help on it.
> I'm looking to move my LDAP off RedHat, so I can use the Heimdal libs and
> this stuff :-)

FYI, I packaged one of the heimdal snapshots. I had to do some fiddling
that didn't quite feel kosher though, mainly changing the libtool
arguments for libasn1 to keep the major version at 5 instead of 4 as it
seemed to want to turn out for me. Official Debian heimdal packages are
compiled against kerberos4kth versions of libroken, libotp, libss, libsl;
this one is not.

Of course, sasl has to be rebuilt against these package versions, but
that is a pretty easy one. I don't think I had to change more than one
line in the control file to make that happen.

Files are here: http://mrroach.okmaybe.com/software/heimdal/

Any suggestions are welcome, and if someone has the bandwidth and
inclination to put binaries up somewhere that would be cool.

-Mark
RE: [Samba] Add machine as non-root (was: Samba LDAP and add machine script problems)
On Mon, 2005-01-24 at 18:18 +0100, Tony Earnshaw wrote:
> Geoff Scott:
> > root# cd /var/lib/samba/sbin
> > root# ./smbldap-usermod.pl -u 0 Administrator
>
> OK. I see the criticism, but where's your solution? You know, on the
> Bottom line: Ignacio Coupeau tells you (blam) right out that your LDAP
> admin user has to have a uidnumber and gidnumber attribute both of 0 and
> you'd better believe him, since otherwise nothing works from XP/2000's
> side.
>
> So. I end up with an LDAP root with uidnumber 0, gidnumber 0, who may
> well have another password than the /etc/passwd root, but who gets the
> job done (i.e. enabling XP/2000 Windows domain logons). I find this
> abhorrent, but the boss pays me, and my job is to provide the solutions
> for which he pays my beer.

I too hate this. It seems to be a hardcoded rule though, perhaps one that
can be patched around. As a test, I tried

  chown -R :Domain\ Admins /var/lib/samba
  chmod -R g+rw /var/lib/samba

and running

  smbpasswd -L -m -a test$

as a non-root user in the Domain Admins group. It whines and moans about
not being able to perform the operation as non-root. However, if as the
same user, you run the command as

  fakeroot smbpasswd -L -m -a test$

it works fine. When performing a join, samba doesn't even try to run the
machine add script unless the user is root. Maybe someone who knows the
code can remove that check or make an "allow non root join" pretty please
option...
Re: [Samba] Add machine as non-root
On Tue, 2005-01-25 at 16:30 -0600, Gerald (Jerry) Carter wrote:
> http://www.samba.org/~jerry/Samba-Rights-HOWTO

That's excellent news. Thanks for the info!

-Mark
Re: [Samba] Re: LDAP + SASL (kerberos) password syncing
On Fri, 2005-01-21 at 11:56 +0100, paul kölle wrote:
> Mark Roach wrote:
> > I have already wrapped some of the kadmin library for use from python,
> > I'm not quite sure how to accomplish this piece of it, but it might be
> > worth the effort...
>
> I'd be very interested in that python stuff. Do you consider sharing the
> code?

Yup, it's part of EDSAdmin: http://edsadmin.sf.net

Just snag the kadm5, mit_error, and heimdal_error files from the edsadmin
source. It uses ctypes, so you'll need that too. It is still in a testing
state, and it is likely that I forgot to free some of the objects, and
that it doesn't work on 64 bit systems, but it works here with heimdal and
mit kadmin servers. Email me if you have any trouble/suggestions etc.

-Mark
[Samba] LDAP + SASL (kerberos) password syncing
I am getting a bit confused about which methods to use to keep my
passwords synced given the following scenario.

  Samba PDC using LDAP backend.
  LDAP uses [EMAIL PROTECTED] type passwords
  Sasl mechanism is saslauthd using kerberos5

I can use pam like:

  password required pam_smbpass.so
  password required pam_krb5.so use_first_pass

and then passwd will set both passwords, but how can I make it so that
changing user password from a windows workstation will also change the
kerberos password? pam passwd change does not seem to be doing the trick.

On a side note, is there a way to test windows-style password changing
from the server? I'm assuming smbpasswd won't do the trick, I expected
something like net rpc passwd...

Thanks,
Mark
Re: [Samba] LDAP + SASL (kerberos) password syncing
Hi, Andrew.

On Fri, 2005-01-21 at 09:16 +1100, Andrew Bartlett wrote:
> Samba doesn't have the plaintext password, so can't do things via PAM
> that require the original plaintext.
>
> At my site, I have Heimdal Kerberos backed onto the same LDAP directory
> as Samba, so they share the passwords for the arcfour-hmac-md5
> encryption type, and so there is no need for a separate Kerberos
> password set.

Ahh, that makes sense. I am using heimdal, not using the ldap backend yet
though. It sounds like the method described here:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
right?

> You could also use the smbk5pwd OpenLDAP module, which will fill out the
> other Kerberos encryption types at the same time. (I'm not yet running
> this). I think this module should run with 'ldap password sync = only'.

That seems like the ideal situation. It sounds like I'm not going to be
able to pull this off with the versions of openldap and heimdal in the
debian repositories though. Not a big deal, but not ideal for my purposes.
Perhaps I'll do some custom packaging.

> If you can't do all that, then you need to write a script for the 'unix
> password sync' and specify it in 'passwd program'. It must have the
> ability to set passwords, while being root on your Samba server, without
> the previous plaintext. (ie, a wrapper around kadmin).

I have already wrapped some of the kadmin library for use from python, I'm
not quite sure how to accomplish this piece of it, but it might be worth
the effort...

Thanks very much for your response.

-Mark
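Andrew's third option, a root-run 'passwd program' that sets the Kerberos key without knowing the old plaintext, is the piece that the "LDAP + SASL (kerberos) password syncing" question above leaves open. The script below is an added example; it is not code from this thread, from Samba, or from the EDSAdmin project. It assumes Heimdal's `kadmin -l` accepts commands on standard input and that `passwd --password=<pw> <principal>` sets a fresh key; it further assumes an smb.conf with `unix password sync = yes`, `passwd program = /usr/local/sbin/krb5-sync-passwd %u`, and a `passwd chat` that writes `%n` once to the program's stdin and treats the word `changed` as success. The realm EXAMPLE.COM and the script path are placeholders.

```python
#!/usr/bin/env python3
"""Hypothetical 'passwd program' for Samba's 'unix password sync' that pushes
the new password to a Heimdal KDC through kadmin. Added example; not from
Samba, this thread, or EDSAdmin. smbd invokes it as root:
    krb5-sync-passwd <user>
with the new password arriving once on standard input (assumed passwd chat).
"""
import re
import subprocess
import sys

REALM = "EXAMPLE.COM"            # placeholder realm; site-specific
KADMIN = ["kadmin", "-l"]        # Heimdal local-database mode (assumption)
# Samba substitutes the Windows account name for %u; accept only plain
# POSIX-style names so nothing unexpected reaches the kadmin command line.
USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def build_kadmin_command(user: str, new_password: str) -> str:
    """Return the one-line kadmin command that sets the key, or raise ValueError.

    Both inputs are untrusted: they originate from the Windows client.
    A line break in the password would be read by kadmin as a second command;
    whitespace, quotes or backslashes would be re-tokenised by kadmin's line
    parser, so this example simply refuses them (assumption about kadmin).
    """
    if not USER_RE.match(user):
        raise ValueError("refusing unexpected username %r" % user)
    if not new_password:
        raise ValueError("empty password")
    if any(c.isspace() or c in "\"'\\" for c in new_password):
        raise ValueError("password contains whitespace, quotes or backslashes")
    return "passwd --password=%s %s@%s" % (new_password, user, REALM)


def sync_password(user: str, new_password: str, runner=subprocess.run) -> bool:
    """Set the principal's key. `runner` is injectable so the logic can be
    exercised without a KDC; by default it is subprocess.run."""
    command = build_kadmin_command(user, new_password)
    # The password travels on kadmin's stdin rather than in argv, so it
    # never shows up in the process list.
    result = runner(KADMIN, input=command + "\n", text=True,
                    capture_output=True)
    return result.returncode == 0


def main(argv) -> int:
    if len(argv) != 2:
        print("usage: %s <username>" % argv[0], file=sys.stderr)
        return 2
    new_password = sys.stdin.readline().rstrip("\r\n")
    try:
        ok = sync_password(argv[1], new_password)
    except ValueError as exc:
        print("failed: %s" % exc, file=sys.stderr)
        return 1
    # The assumed 'passwd chat' matches on this word to decide success.
    print("changed" if ok else "failed")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because smbd runs the program as root with a client-supplied name substituted for `%u`, the wrapper treats both the username and the password as untrusted input and refuses anything it cannot pass to kadmin safely; in production you would also want `passwd chat debug` left off so the new password is not written to the Samba log.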
Re: [Samba] samba 3 / AD / krb5_cc_get_principal failed
On Mon, 2004-09-06 at 11:51 +0200, Olaf Zaplinski wrote:
> Hi all,
>
> I successfully joined my Samba 3.0.6 box to our AD tree. wbinfo -t and
> -u work as expected. But when I try to access a share on the samba box
> (Windows AD controller), I am asked for a password, Samba then logs
>
>   [2004/09/06 11:49:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>     Failed to verify incoming ticket!
>
> winbindd sometimes logs
>
>   [2004/09/06 11:42:55, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
>     krb5_cc_get_principal failed (No credentials cache found)

I had this same problem. Samba + AD compatibility seems to be much farther
from complete than advertised, and is rather flimsy. It's easier to use
RPC, but if your domain is in native mode, there are likely to be problems
still. We have a server that worked great for several years, and since we
switched to native mode AD (which the samba FAQs say is fine) we have had
no end of problems. Numerous groups don't work, ACLs stopped working,
hangs, crashes etc. Not trying to discourage you, but be warned that this
is the sort of bleeding-edge stuff that will actually leave you bleeding.

-Mark
[Samba] CIFS+unix only appears to do permissions?
It seems that a share mounted with cifs *shows* the correct file
permissions, but treats every user on the system as the person who
mounted the share. If I mount a share as a user with full access, and
then try to create a file as a user who should have no access, it works.
For example:

  # mount.cifs //192.168.150.101/test /tmp/test/ -o user=mrroach
  # ls -ld /tmp/test/testdir/
  drwxrwxr-x  2 root root  0 2004-08-06 02:38 /tmp/test/testdir/
  # su guest
  $ touch /tmp/test/testdir/should_give_an_error
  $ ls -l /tmp/test/testdir/should_give_an_error
  -rw-r--r--  1 mrroach mrroach  0 2004-08-03 00:07 /tmp/test/testdir/should_give_an_error

Is this working as intended? Am I missing something?

(Debian systems, Linux 2.6.7 on client, 2.6.6 on server, samba 3.0.5 on
both)

-Mark

smb.conf:

  [global]
     workgroup = roach
     server string = %h server (Samba %v)
     dns proxy = yes
     unix extensions = yes
     log file = /var/log/samba/log.%m
     max log size = 1000
     syslog = 0
     panic action = /usr/share/samba/panic-action %d
     security = user
     encrypt passwords = true
     passdb backend = tdbsam guest
     obey pam restrictions = yes
     invalid users = root
     passwd program = /usr/bin/passwd %u
     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
     socket options = TCP_NODELAY

  [homes]
     comment = Home Directories
     browseable = no
     writable = yes
     create mask = 0775
     directory mask = 0775

  [test]
     path = /home/mrroach/test
     writable = yes

  [printers]
     comment = All Printers
     browseable = no
     path = /tmp
     printable = yes
     public = no
     writable = no
     create mode = 0700

  [print$]
     comment = Printer Drivers
     path = /var/lib/samba/printers
     browseable = yes
     read only = yes
     guest ok = no
[Samba] Native mode switch causing chdir (/path) failed
We just switched our Windows 2003 Active Directory domain into native
mode and are encountering a strange problem: (Samba 2.2.8a)

It seems that group membership is not being honored when attempting to
access a share. The shared directory has permissions like so:

  # file: is
  # owner: root
  # group: DOMAIN\Domain Admins
  user::rwx
  group::rwx
  group:DOMAIN\Domain Admins:rwx
  mask::rwx
  other::r-x
  default:user::rwx
  default:group::rwx
  default:group:DOMAIN\Domain Admins:rwx
  default:mask::rwx
  default:other::---

The share is set up like so:

  [is$]
     comment = Information Systems Shared
     path = /samba/group/is
     valid users = @DOMAIN\Domain Admins
     read only = No

The error I get is:

  [2004/07/23 19:53:20, 0] smbd/service.c:set_current_service(60)
    chdir (/samba/group/is) failed

The user I am trying to connect as is DOMAIN\mrr001 and:

  # getent group DOMAIN\Domain Admins
  DOMAIN\domain admins:x:10001: ... DOMAIN\mrr001 ...

The only change that occurred was the active directory change. This
configuration had been working fine till that point. If I change the file
permissions (chmod o+rwx) I am able to connect just fine.

Anyone have any thoughts on this? I have had to open my file permissions
all the way up for the time being...

Thanks,

--
Mark Roach
[EMAIL PROTECTED]
www.EruditeTech.com
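Before blaming the domain-mode switch, one thing worth ruling out is whether the ACL itself still grants search (x) to the group smbd ends up using: on a directory that carries a POSIX ACL, a plain chmod of the group bits rewrites the `mask` entry, and the mask caps every named-group entry, so `group:DOMAIN\Domain Admins:rwx` can quietly become effective `r--` while `other::r-x` keeps its x. The script below is an added example (not from this thread or from Samba): it parses getfacl output in the form quoted above and applies the access-check algorithm from acl(5). The first sample is the ACL from the post; the second, with a tightened mask, is constructed to show the failure mode.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Sample 1: the getfacl output quoted in the post, copied as-is.
GETFACL_FROM_POST = r"""
# file: is
# owner: root
# group: DOMAIN\Domain Admins
user::rwx
group::rwx
group:DOMAIN\Domain Admins:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:DOMAIN\Domain Admins:rwx
default:mask::rwx
default:other::---
"""

# Sample 2 (constructed, not from the post): the same ACL after a chmod that
# dropped the group write/execute bits, which on an ACL-bearing directory
# rewrites the mask entry rather than the group:: entry's own permissions.
GETFACL_TIGHT_MASK = r"""
# file: is
# owner: root
# group: DOMAIN\Domain Admins
user::rwx
group::rwx
group:DOMAIN\Domain Admins:rwx
mask::r--
other::r-x
"""


@dataclass
class Acl:
    owner: str
    group: str
    # (tag, qualifier, permission set) per access entry; default entries dropped
    entries: List[Tuple[str, str, Set[str]]] = field(default_factory=list)

    def mask(self) -> Optional[Set[str]]:
        for tag, _, perms in self.entries:
            if tag == "mask":
                return perms
        return None


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl's long text format into an Acl."""
    owner = group = ""
    entries: List[Tuple[str, str, Set[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group):\s*(.*)$", line)
            if m and m.group(1) == "owner":
                owner = m.group(2)
            elif m and m.group(1) == "group":
                group = m.group(2)
            continue
        if line.startswith("default:"):
            continue  # default ACL only seeds new children; it never grants access
        # Qualifiers may contain spaces (DOMAIN\Domain Admins), so only the
        # first two colons delimit fields.
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, set(perms) - {"-"}))
    return Acl(owner, group, entries)


def effective_access(acl: Acl, user: str, groups: Set[str], wanted: str) -> bool:
    """Apply the POSIX ACL access algorithm (acl(5)) for one process identity.

    `wanted` is a subset of "rwx". Named user, owning group and named group
    entries are ANDed with the mask before comparison; user:: and other:: are
    not. All matching group entries are considered together: grant if any of
    them (after masking) covers the request, deny if some match but none does.
    """
    need = set(wanted)
    mask = acl.mask()

    def masked(p: Set[str]) -> Set[str]:
        return p if mask is None else p & mask

    if user == acl.owner:
        for tag, qualifier, perms in acl.entries:
            if tag == "user" and qualifier == "":
                return need <= perms
    for tag, qualifier, perms in acl.entries:
        if tag == "user" and qualifier == user:
            return need <= masked(perms)
    group_candidates = [
        masked(perms)
        for tag, qualifier, perms in acl.entries
        if tag == "group"
        and ((qualifier == "" and acl.group in groups) or (qualifier != "" and qualifier in groups))
    ]
    if group_candidates:
        return any(need <= c for c in group_candidates)
    for tag, _, perms in acl.entries:
        if tag == "other":
            return need <= perms
    return False


def can_enter_share_dir(acl_text: str, user: str, groups: Set[str]) -> bool:
    """smbd's chdir() into the share path needs search (x) on the directory."""
    return effective_access(parse_getfacl(acl_text), user, groups, "x")
```

Run against the post's ACL, a member of DOMAIN\Domain Admins gets rwx and a non-member still gets r-x through `other`; with the tightened mask the non-member keeps x but the Domain Admins member loses it, which is exactly the "everyone but the privileged group is locked out" symptom a mask change produces. If this check passes for the identity smbd is using, the problem lies in how smbd resolves that identity's groups rather than in the filesystem.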
Re: [Samba] ok, so oplocks: good or bad?
On Fri, 2003-06-20 at 15:38, John H Terpstra wrote:
> On Fri, 20 Jun 2003, Jonathan Johnson wrote:
> > OK, I don't have a strong understanding of oplocks, but I'm sure
> > someone will correct me where I go wrong.
>
> Those interested in the whole OpLock story might benefit from reading
> chapter 14 'File and Record Locking' of:
> http://samba.org/~jht/NT4migration/Samba-HOWTO-Collection.html
>
> From this coverage it should be obvious that file locking affects a
> complex interaction of Client and Server protocols and configuration
> settings. Please draw your own conclusions.

Hi, John.

I'm pretty sure I get what oplocks are for and why they are good, I guess
my question would be more along the lines of "do they work properly in
samba?" along with the error message that prompts the question. I think
the question could be further distilled to "Is this an example of oplocks
not working properly, or is it something else entirely?" I hope my
question makes more sense worded that way.

Thanks very much,
Mark Roach
[Samba] vampire: account mapping strangeness
I am testing samba 3.0's net rpc vampire tool and am getting strange
results... after I import the account info, the samba usernames seem to
be mapping to hardcoded unix uid #'s instead of account names. For
example:

  # pdbedit -u jah000
  idmap uid range missing or invalid
  idmap will be unable to map foreign SIDs
  idmap gid range missing or invalid
  idmap will be unable to map foreign SIDs
  jah000:4:TNCorp - Heyer, Jeff A.
  # getent passwd jah000
  jah000:x:1003:100::/home/jah000:/bin/bash

Why is jah000's account in the pdb linked to uid 4? I'm guessing that it
has something to do with the idmap stuff, but I'm not sure where to go
from here... any thoughts?

Thanks,
Mark Roach
Re: [Samba] Citrix reports no more connections to samba server
On Sun, 2003-03-30 at 21:23, Phil Hale wrote:
> Hi All
>
> I have a Win2K server with Citrix Metaframe XPe installed on the network
> and uses mapped network drives to a Samba file server. The Citrix server
> is locking users out of the mapped network drive on the samba server.
> Citrix has 125 concurrent licences and Terminal services licences of the
> same amount. Samba version is 2.2.3a running on a Redhat 7.3 box. Please
> advise if more info is required and what is required. Has this been seen
> before and what is the possible solution.

This is probably because the MAX_CONNECTIONS is set too low. I set mine
to 768 and have had no problems with about 45 users per citrix server.
Look in smbd/conn.c in the samba sources:

  /* set these to define the limits of the server. NOTE These are on a
     per-client basis. Thus any one machine can't connect to more than
     MAX_CONNECTIONS services, but any number of machines may connect at
     one time. */
  #define MAX_CONNECTIONS 128

-Mark
[Samba] samba (server) queues do not reflect status of cups queues
I have had a couple of cups queues that have gone to a stopped status
(print data was rejected). To my nt clients, the samba queues look empty
and active. Once I start the cups queue, all the jobs go through no
problem, but shouldn't the state of the cups queues be reflected by the
samba queues? I would think they should at least show the jobs (sometimes
quite a few when a user decides to just resend 100 times).

Can anyone give me suggestions on how to make samba's queues match the
state of the cups queues?

Thanks,
Mark