Re: [Samba] Samba over IPX
On 4/12/2011 11:00 AM, Gaiseric Vandal wrote: Even Novell Netware made the switch from IPX/SPX to TCP/IP years ago as their preferred network stack. Netware 5, in ... 1999, IIRC. And netware itself is end-of-lifed. That I think would be the final nail for IPX. Shame. I always liked and preferred Netware's eDir to MS AD. Oh, well.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] few quick domain questions
On 12/23/2010 9:11 AM, Gaiseric Vandal wrote:

> 1. Domain Admins, Domain Computers etc
>
> Those are well known groups. Do you have any windows servers or are they just samba servers? If you have, or plan to have, any Windows machines in the domain you are probably better off setting up the groups correctly rather than trying to fix it later. Your domain controllers should belong to the Domain Computers group - I don't know if any permissions are by default applied to that group.

In an MS Active Directory domain, domain controllers are in a separate OU and separate group called (oddly enough ...) Domain Controllers. :-) They are not in Domain Computers group or Computers OU; those computers are only for member servers or member workstations.

I'm not using Samba as a domain controller in a Windows Server-less domain, so maybe the situation is different there. Or if the directory service in use is not MS ADS.
Re: [Samba] Guest shares in an ADS security model
On 10/22/2010 2:12 PM, Michael Wood wrote:

> On 22 October 2010 19:36, Madhusudan Singh singh.madhusu...@gmail.com wrote:
>
>> Ok. In my mind, guest access should be just that - no authentication.
>
> Well, I believe that it is. But that you need to enable the Guest account in AD for it to be allowed.

AFAIK, the Guest account is disabled by default in AD (at least, the later versions, 2003 onwards, possibly earlier).

--
Michael J. Leone, mailto:tur...@mike-leone.com
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos

You have become an avatar of woe and ire, and all of your deeds will conduce to evil
Fatal Revenant, Stephen R. Donaldson
Re: [Samba] ARGH... once again samba causes permission errors.
On 6/1/2010 12:03 PM, John H Terpstra had this to say:

>> # cat /etc/samba/smb.conf
>> [global]
>> workgroup = CYTE.COM
>
> Do NOT use a '.' character in a workgroup/domain name. In MS Windows NT4 (the protocols Samba3 implements) this is not a supported character. It would be better to just declare the workgroup name as CYTE or 'CYTE-COM'

Hmmm ... my Win2003 AD NetBIOS (or short name) has a . in it. Does that mean I should replace the . with - in the WORKGROUP name? (I presume that using a . in the REALM is OK).

In my case, I would be using SECURITY=ADS and IDMAP=AD.

--
Michael J. Leone, mailto:tur...@mike-leone.com
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos

Mister, can you tell me who I am? Do you think I stand out? Or am I just a face in the crowd?
A Face in the Crowd, The Kinks
Re: [Samba] unable to join to a Samba4 domain
On 5/24/2010 3:39 PM, Tomasz Chmielewski had this to say:

> Am 23.05.2010 13:51, Lukasz Zalewski wrote:
> On 21/05/2010 16:56, Tomasz Chmielewski wrote:
> Am 21.05.2010 06:25, Andrew Bartlett wrote:
>
> When you provisioned samba4 it generated sample bind and zone config for that dc, have a look at samba_install_dir/private/dns/samba4.my.domain.zone which includes all of the dns records for that zone and see which ones you are missing
>
> Indeed, if you used a zone file other than the one we generated, then you are asking for trouble. Please use the one we generate.
>
> I'm using the zone generated by Samba (and did not modify it).
>
> Tomasz, How are you performing the join?
>
> The normal way: my Computer- Properties - Domain... (is it possible to join a Windows PC differently)?

You can join from the command line using the NETDOM utility.

--
Michael J. Leone, mailto:tur...@mike-leone.com
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos

USER ERROR: replace user and press any key to continue.
Re: [Samba] Oplocks - when do they help
On 05/23/2010 10:11 AM, Volker Lendecke wrote:

> On Sat, May 22, 2010 at 01:21:41PM -0400, Fred Kienker wrote:
>
>> I've been setting up Samba servers for years under the impression (delusion) that Samba can't handle multiple users on Access .mdb files correctly with op locks turned on. Has this changed in the 3.5.x branch?
>
> Well, it should work the same way (good or bad) it does against a Windows server. Once a second opener comes in, the oplocks should be broken anyway. If I remember correctly in the past I have seen hints by Microsoft how to turn oplocks off in Windows server for shares that host Access files, so this problem might not be samba-specific and/or fixed in recent Windows.

I can remember having to vastly increase the record-locking features of Netware 4, if you had users using Access dbs, especially multi-user. That was back around 2000 or so, so record-locking issues with Access dbs have been around for a really long time ...
Re: [Samba] Moving to another idmap backend
On 05/21/2010 06:32 PM, Nick Irvine wrote:

> Hi all,
>
> I've got winbind up and running on two servers, but the UID/GIDs don't match up. After educating myself a little, I think I would like to use the idmap_rid backend. I have set up the smb.conf's accordingly, but after restarting samba/winbind services, my UIDs and GIDs are still the old ones. I realize this will break stuff on the filesystem, but am prepared to fix it by hand.

I had that problem, until I started using the idmap_ad backend, and assigning the UIDs and GIDs in Active Directory, and just reading them using the AD backend.

> Thanks,
Re: [Samba] Still can't mount Samba shares from other Samba server - some slight progress
On a hunch, I removed the

    winbind separator = +

And can mount shares from the command line:

    # mount -t cifs //workhorse/OldHome /OldHome -o user=DACRIB\\turgon,password= --verbose
    mount.cifs kernel mount options: unc=//workhorse\OldHome,domain=DACRIB,ver=1,rw,user=turgonip=10.0.0.20,pass=

Note that I had to escape the backslash separator, both in the DOMAIN\USER entry, and (in this case) also in the password, which has an exclamation mark (!) in it.

    r...@dual-booter:/etc# ls -la /OldHome/
    r...@dual-booter:/etc# ls -la /OldHome/
    total 4
    drwxr-xr-x 13 DACRIB\turgon DACRIB\domain users    0 2010-05-09 18:25 .
    drwxr-xr-x 29 root          root                4096 2010-05-12 23:03 ..
    drwxrwxrwx 11 DACRIB\turgon DACRIB\domain users    0 2010-05-09 18:25 mjl
    drwxrwxrwx 23 DACRIB\turgon DACRIB\domain users    0 2010-03-27 14:30 turgon

So YAY! for that.

Still can't mount it in fstab, however. It doesn't work if I specify the username and password in the entry, nor does it work if I put it in a credentials file. No indications that I can see as to why it's failing.

Is using samba really supposed to be this hard? :-(

On 05/13/2010 12:20 AM, Mike Leone wrote:

> I am *still* unable to mount shares from a Ubuntu 10.04 server, using a Ubuntu 10.04 laptop. I totally re-formatted both my desktop and my laptop with Ubuntu 10.04 (so that they would be using the same version of Samba). I am using the exact same smb.conf for the 2 machines (less the share definitions, which exist only on the desktop, known as workhorse).
>
> wbinfo -u, wbinfo -g, wbinfo -t, wbinfo -a domainuser- these all work.
[Samba] Still can't mount Samba shares from other Samba server
I am *still* unable to mount shares from a Ubuntu 10.04 server, using a Ubuntu 10.04 laptop. I totally re-formatted both my desktop and my laptop with Ubuntu 10.04 (so that they would be using the same version of Samba). I am using the exact same smb.conf for the 2 machines (less the share definitions, which exist only on the desktop, known as workhorse).

wbinfo -u, wbinfo -g, wbinfo -t, wbinfo -a domainuser- these all work.

getent passwd and getent group both work, and both return the exact same info, on both machines:

    DACRIB+administrator:*:10002:1:Administrator:/home/DACRIB/Administrator:/bin/sh
    DACRIB+krbtgt:*:10006:1:krbtgt:/home/DACRIB/krbtgt:/bin/sh
    DACRIB+turgon:*:10003:1:Mike Leone:/home/DACRIB/turgon:/bin/bash
    DACRIB+leonem:*:1:1:Leone, Mike:/home/DACRIB/LeoneM:/bin/bash
    DACRIB+servicerunner:*:10005:1:ServiceRunner:/home/DACRIB/ServiceRunner:/bin/sh
    DACRIB+ldap-proxy:*:10001:1:LDAP Proxy:/home/DACRIB/ldap-proxy:/bin/sh

It returns the uid that was entered on the Unix Attributes tab of my Win2003 w/SFU AD entry. So it looks like domain users are being mapped identically, on both machines.

Yet trying to mount a share from workhorse onto Dual-Booter fails:

(on Dual-Booter)

    # smbmount //workhorse/OldHome /OldHome -o username=DACRIB+turgon
    Password:
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

So I did a

    echo 1 > /proc/fs/cifs/cifsFYI

and tried again, and then saw this, in syslog:

    /build/buildd/linux-2.6.32/fs/cifs/cifsfs.c: Devname: //workhorse/OldHome flags: 64
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 1 with uid: 0
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: Username: DACRIB+turgon
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: UNC: \\workhorse\OldHome ip: 10.0.0.20
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: Socket created
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x6d6
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: Existing smb sess not found
    /build/buildd/linux-2.6.32/fs/cifs/cifssmb.c: secFlags 0x7
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: For smb_command 114
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: Sending smb: total_len 82
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: Demultiplex PID: 1752
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: rfc1002 length 0x5f
    /build/buildd/linux-2.6.32/fs/cifs/misc.c: Calculated size 81 vs length 95 mismatch for mid 1
    /build/buildd/linux-2.6.32/fs/cifs/cifssmb.c: Dialect: 2
    /build/buildd/linux-2.6.32/fs/cifs/cifssmb.c: negprot rc 0
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x80f3fc TimeAdjust: 14400
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: sess setup type 2
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: For smb_command 115
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: Sending smb: total_len 260
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: rfc1002 length 0x5e
    /build/buildd/linux-2.6.32/fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: ssetup rc from sendrecv2 is 0
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: Guest login
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: UID = 100
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: bleft 48
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: serverOS=Unix
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: serverNOS=Samba 3.4.7
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: serverDomain=DACRIB
    /build/buildd/linux-2.6.32/fs/cifs/sess.c: ssetup freeing small buf d99201c0
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS Session Established successfully
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: file mode: 0x1ed dir mode: 0x1ed
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: For smb_command 117
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: Sending smb: total_len 94
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: rfc1002 length 0x27
    /build/buildd/linux-2.6.32/fs/cifs/netmisc.c: Mapping smb error code 5 to POSIX err -13
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS Tcon rc = -13
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS VFS: in cifs_put_tcon as Xid: 2 with uid: 0
    /build/buildd/linux-2.6.32/fs/cifs/cifssmb.c: In tree disconnect
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: For smb_command 113
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: Sending smb: total_len 39
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: rfc1002 length 0x27
    /build/buildd/linux-2.6.32/fs/cifs/netmisc.c: Mapping smb error code 64 to POSIX err -5
    /build/buildd/linux-2.6.32/fs/cifs/cifssmb.c: Tree disconnect failed -5
    /build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS VFS: in cifs_put_smb_ses as Xid: 3 with uid: 0
    /build/buildd/linux-2.6.32/fs/cifs/cifssmb.c: In SMBLogoff for session disconnect
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: For smb_command 116
    /build/buildd/linux-2.6.32/fs/cifs/transport.c: Sending smb: total_len 43
    /build/buildd/linux-2.6.32/fs
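The trace above logs "Guest login" during session setup even though a username was supplied, and the tree connect then fails with SMB error 5 (mapped to POSIX -13). With `map to guest = Bad User`, as set in the smb.conf files posted on this page, Samba accepts a logon for an unknown username as a guest session instead of rejecting it, so this sequence is worth flagging in client logs. The following is an added example, not part of the original post: a scanner for cifsFYI output whose record and finding names are hypothetical, run over an excerpt in the trace's format plus a constructed successful attempt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Every cifsFYI line carries the kernel source file, then the message.
LINE = re.compile(r"fs/cifs/(\w+)\.c: (.*)$")
SMB_ERR = re.compile(r"Mapping smb error code (\d+) to POSIX err (-?\d+)")
TCON_RC = re.compile(r"CIFS Tcon rc = (-?\d+)")


@dataclass
class MountAttempt:
    username: str
    unc: str = ""
    guest_login: bool = False
    session_established: bool = False
    tcon_rc: Optional[int] = None
    tcon_smb_error: Optional[int] = None  # SMB error logged just before the Tcon result


def parse_attempts(trace: str) -> List[MountAttempt]:
    """Split a cifsFYI trace into one record per mount attempt."""
    attempts: List[MountAttempt] = []
    current: Optional[MountAttempt] = None
    last_smb_error: Optional[int] = None
    for raw in trace.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # wrapped continuation or unrelated syslog line
        msg = m.group(2).strip()
        if msg.startswith("Username:"):
            current = MountAttempt(username=msg[len("Username:"):].strip())
            attempts.append(current)
            last_smb_error = None
        elif current is None:
            continue  # lines before the first attempt (e.g. Devname)
        elif msg.startswith("UNC:"):
            parts = msg.split()
            current.unc = parts[1] if len(parts) > 1 else ""
        elif msg == "Guest login":
            current.guest_login = True
        elif msg == "CIFS Session Established successfully":
            current.session_established = True
        elif SMB_ERR.search(msg):
            last_smb_error = int(SMB_ERR.search(msg).group(1))
        elif TCON_RC.search(msg) and current.tcon_rc is None:
            current.tcon_rc = int(TCON_RC.search(msg).group(1))
            current.tcon_smb_error = last_smb_error
    return attempts


def findings(a: MountAttempt) -> List[str]:
    """Return finding codes for one attempt (empty list means nothing to flag)."""
    out = []
    if a.username and a.guest_login:
        out.append("guest-downgrade")      # credentials sent, guest session granted
    if a.tcon_rc not in (None, 0):
        out.append("tree-connect-failed")
    if a.guest_login and a.tcon_rc == -13:
        out.append("denied-as-guest")      # EACCES came from share access, not the logon
    return out


# First attempt: excerpt in the format of the trace above.
# Second attempt: constructed (EXAMPLE\alice, fileserver, 192.0.2.10 are made up).
SAMPLE_TRACE = r"""
/build/buildd/linux-2.6.32/fs/cifs/cifsfs.c: Devname: //workhorse/OldHome flags: 64
/build/buildd/linux-2.6.32/fs/cifs/connect.c: Username: DACRIB+turgon
/build/buildd/linux-2.6.32/fs/cifs/connect.c: UNC: \\workhorse\OldHome ip: 10.0.0.20
/build/buildd/linux-2.6.32/fs/cifs/misc.c: Calculated size 81 vs length 95 mismatch
for mid 1
/build/buildd/linux-2.6.32/fs/cifs/sess.c: Guest login
/build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS Session Established successfully
/build/buildd/linux-2.6.32/fs/cifs/netmisc.c: Mapping smb error code 5 to POSIX err -13
/build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS Tcon rc = -13
/build/buildd/linux-2.6.32/fs/cifs/netmisc.c: Mapping smb error code 64 to POSIX err -5
/build/buildd/linux-2.6.32/fs/cifs/cifssmb.c: Tree disconnect failed -5
/build/buildd/linux-2.6.32/fs/cifs/connect.c: Username: EXAMPLE\alice
/build/buildd/linux-2.6.32/fs/cifs/connect.c: UNC: \\fileserver\share ip: 192.0.2.10
/build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS Session Established successfully
/build/buildd/linux-2.6.32/fs/cifs/connect.c: CIFS Tcon rc = 0
"""

if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_TRACE):
        print(attempt.username, attempt.unc, findings(attempt) or "ok")
```
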
Re: [Samba] smb.conf works for 3.4.0; doesn't work for 3.4.7
On 05/08/2010 04:00 AM, Christian PERRIER wrote:

> Quoting Mike Leone (tur...@mike-leone.com):
>
>> directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files already configured for samba, I copied over the common-account, common-auth, common-password, common-session files from the 9.10 server to the 10.04 server. Did the same with the nsswitch.conf file.
>
> This is very very probably the source of all your problems.

No, I get the exact same results, using the original files as provided by Ubuntu. I thought *they* were the cause of the problem, so that's why I changed them to match the working ones on the other server.

> the chances that your manual changes broke the planned upgrade path are high.

I kept copies of the original files, and replaced my changes with those. Exact same errors - getent passwd fails.

> I suggest putting the common-* files you had after upgrading and

There was no upgrade. This was a clean install of 10.04.

> before replacing them with those of 9.10 (you kept them somewhere, right?) in place and reconfigure packages with dpkg-reconfigure winbind.

Did that. Exact same error - getent passwd fails.
Re: [Samba] smb.conf works for 3.4.0; doesn't work for 3.4.7 - RESOLVED
I got it (almost) working. Finally! Here's what I found:

1. For Win2003 AD (with SFU), you need

    idmap config DACRIB:schema_mode = sfu
    winbind nss info = sfu

If you have Win2003 AD R2, you should be using:

    idmap config DACRIB:schema_mode = rfc2307
    winbind nss info = rfc2307

(I found a forum post that said that; haven't seen it in any official docs)

2. When you install SFU in AD, you get a Unix Attributes tab for each user. On that tab, you *have* to set the UID, shell, home directory and primary group, for all users you want your Linux box to see. If you don't set these attributes, Samba won't see those users.

3. Watch out for typos. :-)

Oh, and don't try and over-think the situation. If your distro has kindly pre-configured PAM for you, go with that. :-)

SO, using:

    idmap config DACRIB:backend = ad
    idmap config DACRIB:range = 1 - 2
    idmap config DACRIB:schema_mode = sfu
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = No
    winbind nested groups = Yes
    winbind refresh tickets = true
    winbind separator = +
    winbind nss info = sfu
    allow trusted domains = No

AND making sure that the UIDs you specify in point #2 above, must be within the range specified. If you make a typo and set a UID outside that range, that user will *not* be seen by Samba.

getent passwd from Dual-Booter:

    DACRIB+administrator:*:10002:1:Administrator:/home/DACRIB/Administrator:/bin/sh
    DACRIB+krbtgt:*:10006:1:krbtgt:/home/DACRIB/krbtgt:/bin/sh
    DACRIB+turgon:*:10003:1:Mike Leone:/home/DACRIB/turgon:/bin/bash
    DACRIB+leonem:*:1:1:Leone, Mike:/home/DACRIB/LeoneM:/bin/bash
    DACRIB+servicerunner:*:10005:1:ServiceRunner:/home/DACRIB/ServiceRunner:/bin/sh
    DACRIB+bearclan:*:10004:1:Andie Philo:/home/bearclan:/bin/bash
    DACRIB+ldap-proxy:*:10001:1:LDAP Proxy:/home/DACRIB/ldap-proxy:/bin/sh

Those are all the proper UIDs I set in AD.

Now, of course, the *other* Samba server is acting up. I removed it from the domain, and tried to use the above settings on it. And now wbinfo -t fails for IT. SIGH

Oh, well. Something more to do ...
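The rule reported in the post above (a user whose AD-assigned UID is missing or falls outside the idmap range is not seen by Samba) can be audited on a member server. This is an added example, not part of the original post: it compares the `idmap config DOMAIN:range` line against a directory export and `getent passwd` output. The range 10000 - 20000, the users svc-backup and newhire, the directory export format and all function names are assumptions made for the example.

```python
import re

# Matches both spellings seen on this page:
#   idmap config DACRIB:range = 1 - 2      (smb.conf)
#   idmap config DACRIB: range = 10 - 20   (testparm output)
RANGE = re.compile(
    r"^\s*idmap config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def idmap_ranges(smb_conf: str) -> dict:
    """Return {DOMAIN: (low, high)} for every 'idmap config DOMAIN:range' line."""
    return {m["dom"].upper(): (int(m["lo"]), int(m["hi"]))
            for m in RANGE.finditer(smb_conf)}


def visible_users(getent_passwd: str, separator: str = "+") -> dict:
    """Parse getent passwd output into {(DOMAIN, user): uid} for winbind users."""
    users = {}
    for line in getent_passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or separator not in fields[0]:
            continue  # local account or malformed line
        dom, name = fields[0].split(separator, 1)
        users[(dom.upper(), name.lower())] = int(fields[2])
    return users


def audit(smb_conf: str, directory_uids: dict, getent_passwd: str, domain: str) -> dict:
    """Return {user: problem} for directory users winbind will not map as intended."""
    ranges = idmap_ranges(smb_conf)
    if domain.upper() not in ranges:
        raise ValueError(f"no idmap range configured for domain {domain}")
    lo, hi = ranges[domain.upper()]
    seen = visible_users(getent_passwd)
    report = {}
    for name, uid in directory_uids.items():
        key = (domain.upper(), name.lower())
        if uid is None:
            report[name] = "no uid set in the directory"
        elif not lo <= uid <= hi:
            report[name] = f"uid {uid} outside idmap range {lo}-{hi}"
        elif key not in seen:
            report[name] = "in range but not returned by getent"
        elif seen[key] != uid:
            report[name] = f"getent shows uid {seen[key]}, directory has {uid}"
    return report


# Constructed sample inputs (values are assumptions, not taken from the post).
SMB_CONF = """\
[global]
    winbind separator = +
    idmap config DACRIB:backend = ad
    idmap config DACRIB:schema_mode = sfu
    idmap config DACRIB:range = 10000 - 20000
"""

# UID per user as set on the Unix Attributes tab; None means never filled in.
DIRECTORY_UIDS = {
    "turgon": 10003,
    "ldap-proxy": 10001,
    "krbtgt": 10006,
    "svc-backup": 1004,   # typo: one digit short, so below the range
    "newhire": None,
}

GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
DACRIB+turgon:*:10003:1:Mike Leone:/home/DACRIB/turgon:/bin/bash
DACRIB+ldap-proxy:*:10001:1:LDAP Proxy:/home/DACRIB/ldap-proxy:/bin/sh
"""

if __name__ == "__main__":
    for user, problem in audit(SMB_CONF, DIRECTORY_UIDS, GETENT_PASSWD, "DACRIB").items():
        print(f"{user}: {problem}")
```
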
[Samba] smb.conf works for 3.4.0; doesn't work for 3.4.7
Some may remember all my issues trying to get one Samba server to mount shares from another Samba server. Well, I decided to completely reformat my laptop with Ubuntu 10.04, and start over (leaving the other Samba server at Ubuntu 9.10)

(to recap - I have a Win2003 AD (not R2), with SFU installed)

I took the smb.conf from the 9.10 server (running 3.4.0) and loaded it on the Ubuntu 10.04 laptop, which is running 3.4.7. The only editing I did was to remove the share definitions, which don't exist on the laptop (no shares defined at all). Also copied the krb5.conf, to configure Kerberos. Cleared the /var/lib/samba, /var/cache/samba, /var/log/samba directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files already configured for samba, I copied over the common-account, common-auth, common-password, common-session files from the 9.10 server to the 10.04 server. Did the same with the nsswitch.conf file.

Figured I should get identical results, right? HA! :-(

Got a ticket. Joined the domain. It gave me an error message, something about the client not existing in the Kerberos database. It worked, tho, as the computer account did appear in AD.

wbinfo -t works. wbinfo -u works. wbinfo -g works. If I use sudo, then wbinfo -a DOMAIN+user works. (I used + as a delimiter)

Getent passwd fails. Getent group fails.

I am seeing this, in log.winbind on the 10.04 server:

    [2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
      error getting user id for sid S-1-5-21-2780757143-49591276-3462498634-500
    [2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
      could not lookup domain user Administrator
    [2010/05/07 23:16:59, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
      Could not get unix ID

and repeating, for all domain users.

I'm pretty much ready to just give up, and use the Windows installed on this laptop. That one has no problem accessing shares from the Samba server, or the Windows stations on the LAN.

Anyone? Please. :-)

Testparm of smb.conf: (I had to add the idmap uid/gid statements to the 10.04 server)

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    allow trusted domains = No
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10-20
    idmap gid = 10-20
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = sfu
    winbind refresh tickets = Yes
    idmap config DACRIB: schema_mode = sfu
    idmap config DACRIB: range = 10 - 20
    idmap config DACRIB: backend = ad
    hide dot files = No

Testparm of smb.conf of 9.10 server:

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 4
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = sfu
    winbind refresh tickets = Yes
    idmap config DCRIB:schema_mode = sfu
    idmap config DACRIB: range = 10 - 20
    idmap config DACRIB: backend = ad
    hide dot files = No
    wide links = No
Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2
On 5/4/2010 4:20 AM, Oliver Weinmann had this to say:

> Hi all,
>
> I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine. Here is my smb.conf:

snip

> In the log I get this error when running getent group:
>
>     tail -f /var/log/samba/log.winbindd-idmap
>       Could not get unix ID
>     [2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
>       Could not get unix ID

Doesn't that indicate that Samba thinks the SFU extensions aren't installed? What is the version of AD? Is it 2003 R2, or 2003 with SFU installed?

--
Michael J. Leone, mailto:tur...@mike-leone.com
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos

USER ERROR: replace user and press any key to continue.
Re: [Samba] smbclient -k works; mount -t cifs does not
On 5/4/2010 3:18 PM, Rob Townley had this to say:

>>     $ sudo mount -t cifs //dual-booter/TestShare /mnt -o sec=krb5
>>     mount error(2): No such file or directory
>>     Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> Try using the FQDN of the server in the UNC. For instance: //dual-booter.dacrib.local/TestShare

Nothing. I used the FQDN in /etc/fstab, and nothing happens. No error listed, but also nothing mounts.
Re: [Samba] smbclient -k works; mount -t cifs does not
On 05/04/2010 04:43 PM, Helmut Hullen wrote:

> Hello, Mike,
>
> tur...@mike-leone.com wrote on 04.05.10 in Samba on the subject Re: [Samba] smbclient -k works; mount -t cifs does not:
>
>>     $ sudo mount -t cifs //dual-booter/TestShare /mnt -o sec=krb5
>>     mount error(2): No such file or directory
>>
>> Try using the FQDN of the server in the UNC. For instance: //dual-booter.dacrib.local/TestShare
>>
>> Nothing. I used the FQDN in /etc/fstab, and nothing happens. No error listed, but also nothing mounts.
>
> It's no good idea to put a (perhaps not working) mount directive into /etc/fstab. What you want has to work at least in a command line, and then (and there) you can see more messages.

It does work from the command line, when mounting using Kerberos options. It does not work in /etc/fstab. :-)

I've since upgraded my laptop to Xubuntu 10.04 (a clean install). This uses Samba 3.4.7, as opposed to my previous 3.4.0. So basically I will be starting over from scratch, and we'll see how it goes. :-)
Re: [Samba] [PLUG] Problems using multiple Samba servers in a Win2003 AD domain - more
On 05/03/2010 04:14 PM, Dale Schroeder wrote:

> On 05/02/2010 10:32 PM, Mike Leone wrote:
>
>> Here's what I don't understand - the user I am trying to mount shares with, does not show up the same on both systems, yet the smb.confs are the same.
>>
>> From workhorse:
>>
>>     $ getent passwd
>>     snip
>>     DACRIB+turgon:*:10007:10012:Mike Leone:/home/DACRIB/turgon:/bin/bash
>>     $ getent group
>>     snip
>>     DACRIB+domain users:x:10012:
>>
>> From Dual-Booter:
>>
>>     $ getent passwd
>>     snip
>>     DACRIB+turgon:*:10003:1:Mike Leone:/home/DACRIB/turgon:/bin/bash
>>     $ getent group
>>     snip
>>     DACRIB+domain users:x:1:
>>
>> Is this the reason I can't mount? Shouldn't the group IDs be equivalent on both Samba servers, especially since the smb.confs have the same settings?
>
> Mike,
>
> Since I see you're using RID for the idmap backend,

Only because I found a web howto that recommended it. :-) Apparently, I need the domain uid and gid to be the same on different Samba servers, and this page recommends RID as the way to do it.

> yes, the user and group ID's should be the same across all Samba servers. I can't say if that's your only problem. You might try regenerating /var/cache/samba/idmap_cache.tdb on both systems to see which is correct. Be aware that you will have to reset directory/file permissions on the incorrect system after this is done.

How do I do that? Do I just stop winbind and samba; delete the idmap_cache.tdb; and restart winbind and samba?

I believe I had started fresh, by leaving the domain; deleting all .tdb files; rejoining the domain. But I may be mis-remembering ...

> If you only have one domain,

I do.

> you might also try the simpler, old-style idmap_rid declaration.
>
>     #idmap config DACRIB:range = 1 - 2
>     #idmap config DACRIB:backend = rid
>     #idmap config DACRIB:schema_mode = rfc2307
>     idmap backend = rid:DACRIB=1-2
>
> For testing purposes, also note that for idmap_rid, the defaults for auth methods and winbind nss info are usually sufficient.

I can give that a shot, sure. :-)

> Although it may not matter, there are some significant differences in the smb.conf's. Specifically, in Dual-Booter, you have set some parameters in [global] (that are normally reserved for shares) which are not declared in workhorse.
>
>     [global]
>     read only = No
>     create mask = 0700
>     directory mask = 0775

I can lose those, no big deal.

> Additionally, Dual-Booter has the following, but workhorse does not.
>
>     invalid users = root

I am told (on another list) that I will need to use nss_ldap, if I want(need?) to keep domain lookups consistent across Samba servers. Using winbind for NSS only guarantees consistent uid/gids on one server.

Such conflicting information is what makes these ... less than enjoyable. :-)
[Samba] smbclient -k works; mount -t cifs does not
I am confused (nothing new there ...).

I have 2 Ubuntu 9.10 Samba servers. I am trying to mount a share from the other (i.e., workhorse is trying to mount a share on dual-booter). If I specify a smbmount command with a -k option, I can mount the share:

    tur...@workhorse:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: tur...@dacrib.local

    Valid starting     Expires            Service principal
    05/03/10 18:55:31  05/04/10 04:55:31  krbtgt/dacrib.lo...@dacrib.local
            renew until 05/09/10 22:56:03
    05/03/10 23:07:07  05/04/10 04:55:31  cifs/dual-booter.dacrib.lo...@dacrib.local
            renew until 05/09/10 22:56:03

    tur...@workhorse:~$ smbclient //dual-booter/TestShare /mnt -k
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
    smb: \> ls
      .                    D        0  Sat May 1 19:27:48 2010
      ..                   D        0  Mon May 3 19:58:00 2010
      TestFile                      0  Sat May 1 19:27:48 2010

            37555 blocks of size 524288. 22379 blocks available

However, I can't seem to mount it using mount -t cifs:

    $ sudo mount -t cifs //dual-booter/TestShare /mnt -o username=DACRIB+turgon
    [sudo] password for turgon:
    Password:
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

What I'd like to do is to set this in /etc/fstab. But there seems to be no way to use Kerberos to authenticate the mounting, and it's only Kerberos (and smbmount) that seems to work. And using the -o sec=krb5 options on mount doesn't seem to work, either.

    $ sudo mount -t cifs //dual-booter/TestShare /mnt -o sec=krb5
    mount error(2): No such file or directory
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Anyone? I really don't want to have to make a script that uses smbmount -k, running on login, rather than in /etc/fstab.

Thanks
[Samba] Problems using multiple Samba servers in a Win2003 AD domain
I've been at this for days, and making no headway. It's very discouraging.

I have a Win2003 domain, that has the Services for Unix extensions installed. I am trying to have multiple Samba servers as domain members (in my case, one desktop sharing files, and one laptop, accessing the shares). And at the moment, it doesn't (fully) work.

Each Samba server can see shares from the other. Windows clients can see and mount shares from each Samba server. Each Samba server can mount shares from Windows clients on the domain. What they can't do ... is mount shares from each other. I get

    mount error(13): Permission denied

no matter what I try. I find various pages on how to do this, half of which conflict with each other, or are outdated, none of which work.

I am using virtually the same smb.conf on both machines.

    Domain name = DCRIB.LOCAL (short name DACRIB)
    Win2003 DC = dim-win2300.dacrib.local
    2 Ubuntu 9.10 members (Samba 3.4.0)
    Desktop = workhorse (with various shares)
    Laptop = Dual-Booter (which will access the shares on workhorse and elsewhere)

So, can anyone point out what's wrong with these configs? Dual-Booter can see the shares on workhorse, and workhorse can see the share on Dual-Booter. Each can (and is) mounting shares from a WinXP machine.

I can get Kerberos tickets on each Samba server. Each Samba server can mount a share from a WinXP desktop called p4-desktop, altho I seem to have to specify the username as tur...@dacrib in the credentials; it doesn't work any other way. I can't mount shares from the other Samba regardless of how I specify the user, however.
testparm output - Dual-Booter:

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    idmap config DACRIB:range = 1 - 2
    idmap config DACRIB:backend = rid
    idmap config DACRIB:schema_mode = rfc2307
    hide dot files = No

    [TestShare]
    path = /TestShare

testparm output - Dual-Booter:

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    idmap config DACRIB:schema_mode = rfc2307
    idmap config DACRIB:range = 1-2
    idmap config DACRIB:backend = rid
    invalid users = root
    read only = No
    create mask = 0700
    directory mask = 0775
    hide dot files = No
    wide links = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No
    browsable = No

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

    [OldHome]
    comment = The Old Home Folder
    path = /OldHome

Thanks for any help.
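Added example (not part of the original post, and not Samba project code): a Python check that compares the [global] sections of two testparm dumps like the ones in this thread and lists share-level parameters that were set in [global]. The two sample configs are constructed excerpts modelled on the dumps above, and the SHARE_LEVEL list is hand-picked from parameters that appear in this thread.

```python
import re

# Parameters that smb.conf(5) marks as share-level (S). Set in [global], they
# become the default for every share. Hand-picked list, limited to this thread.
SHARE_LEVEL = {
    "read only", "create mask", "directory mask",
    "invalid users", "hide dot files", "wide links",
}

# testparm prints booleans as Yes/No, hand-written files may use true/false.
BOOL = {"yes": "Yes", "true": "Yes", "no": "No", "false": "No"}


def parse_testparm(text):
    """Parse testparm-style output (one parameter per line) into
    {section: {parameter: value}}. Names are case-insensitive in Samba,
    so sections and parameter names are lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first "=" only: values such as
        # "socket options = TCP_NODELAY SO_RCVBUF=8192" contain "=" themselves.
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        value = value.strip()
        current[key] = BOOL.get(value.lower(), value)
    return sections


def global_drift(conf_a, conf_b):
    """Return {parameter: (value_in_a, value_in_b)} for every [global]
    parameter that is missing on one side or has a different value."""
    a = parse_testparm(conf_a).get("global", {})
    b = parse_testparm(conf_b).get("global", {})
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(a.keys() | b.keys())
        if a.get(key) != b.get(key)
    }


def share_level_in_global(conf):
    """List share-level parameters that were set in [global]."""
    params = parse_testparm(conf).get("global", {})
    return sorted(key for key in params if key in SHARE_LEVEL)


# Constructed sample input, modelled on the two dumps in the post.
CONF_A = """
[global]
    workgroup = DACRIB
    security = ADS
    log level = 3
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    obey pam restrictions = Yes
    winbind refresh tickets = Yes
    hide dot files = No

[TestShare]
    path = /TestShare
"""

CONF_B = """
[global]
    workgroup = DACRIB
    security = ADS
    log level = 2
    winbind refresh tickets = true
    invalid users = root
    read only = No
    create mask = 0700
    directory mask = 0775
    hide dot files = No
    wide links = No

[OldHome]
    path = /OldHome
"""

if __name__ == "__main__":
    for key, (left, right) in global_drift(CONF_A, CONF_B).items():
        print(f"{key}: A={left!r} B={right!r}")
    print("share-level in [global] of B:", share_level_in_global(CONF_B))
```
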
Re: [Samba] [PLUG] Problems using multiple Samba servers in a Win2003 AD domain - more
Here's what I don't understand - the user I am trying to mount shares with, does not show up the same on both systems, yet the smb.confs are the same.

From workhorse:

    $ getent passwd
    snip
    DACRIB+turgon:*:10007:10012:Mike Leone:/home/DACRIB/turgon:/bin/bash

    $ getent group
    snip
    DACRIB+domain users:x:10012:

From Dual-Booter:

    $ getent passwd
    snip
    DACRIB+turgon:*:10003:1:Mike Leone:/home/DACRIB/turgon:/bin/bash

    $ getent group
    snip
    DACRIB+domain users:x:1:

Is this the reason I can't mount? Shouldn't the group IDs be equivalent on both Samba servers, especially since the smb.confs have the same settings?
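Added example (not part of the original post, and not Samba code): a Python model of why two winbind servers can hand the same domain account different uid/gid values, together with a comparison of `getent passwd` output from two hosts. `allocate_ids` is a simplified stand-in for an allocating idmap backend such as the default tdb one, `rid_ids` uses the formula from idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID), and the SIDs, ranges and getent lines are constructed values modelled on the post.

```python
def allocate_ids(sids_in_lookup_order, low=10000):
    """Simplified allocating backend: each server gives the next free ID to
    whichever SID it resolves first, so the result depends on lookup order."""
    mapping = {}
    next_id = low
    for sid in sids_in_lookup_order:
        if sid not in mapping:
            mapping[sid] = next_id
            next_id += 1
    return mapping


def rid_ids(sids, low=10000, high=20000, base_rid=0):
    """Algorithmic mapping as documented for idmap_rid:
    ID = RID - BASE_RID + LOW_RANGE_ID. Same inputs give the same ID
    on every server that uses the same range."""
    mapping = {}
    for sid in sids:
        rid = int(sid.rsplit("-", 1)[1])
        unix_id = rid - base_rid + low
        if not low <= unix_id <= high:
            raise ValueError(f"RID {rid} maps to {unix_id}, outside {low}-{high}")
        mapping[sid] = unix_id
    return mapping


def parse_getent_passwd(text):
    """Return {name: (uid, gid)} from `getent passwd` output."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit() and fields[3].isdigit():
            entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries


def id_drift(getent_a, getent_b):
    """Accounts present on both hosts whose (uid, gid) pair differs."""
    a = parse_getent_passwd(getent_a)
    b = parse_getent_passwd(getent_b)
    return {
        name: (a[name], b[name])
        for name in sorted(a.keys() & b.keys())
        if a[name] != b[name]
    }


# Constructed domain SID and RIDs (not taken from the post).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
TURGON = DOMAIN_SID + "-1107"
LDAP_PROXY = DOMAIN_SID + "-1106"

# Constructed getent output for two domain members, modelled on the post.
GETENT_HOST_A = """\
root:x:0:0:root:/root:/bin/bash
DACRIB+turgon:*:10007:10012:Mike Leone:/home/DACRIB/turgon:/bin/bash
DACRIB+ldap-proxy:*:10006:10012:LDAP Proxy:/home/DACRIB/ldap-proxy:/bin/bash
"""
GETENT_HOST_B = """\
root:x:0:0:root:/root:/bin/bash
DACRIB+turgon:*:10003:10000:Mike Leone:/home/DACRIB/turgon:/bin/bash
DACRIB+ldap-proxy:*:10006:10000:LDAP Proxy:/home/DACRIB/ldap-proxy:/bin/bash
"""

if __name__ == "__main__":
    # Two servers that see the same accounts in a different order.
    print("allocating, host A:", allocate_ids([TURGON, LDAP_PROXY]))
    print("allocating, host B:", allocate_ids([LDAP_PROXY, TURGON]))
    # The rid formula ignores order, so both hosts agree.
    print("rid, either host:  ", rid_ids([TURGON, LDAP_PROXY]))
    for name, (on_a, on_b) in id_drift(GETENT_HOST_A, GETENT_HOST_B).items():
        print(f"{name}: host A uid/gid={on_a}, host B uid/gid={on_b}")
```

Files written through one member carry that member's numeric IDs, so a mismatch reported by `id_drift` means ownership and group permissions on a share will not line up between the two hosts.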
[Samba] Problems mounting shares from a samba server
I have an Active Directory 2003 domain, named DACRIB. This domain has Windows members, and 2 Samba servers as members.

From one Samba server (DUAL-BOOTER), I can mount shares from the Windows clients on the domain. But I can not mount shares from the other Samba server; I always get Permission denied.

    $ sudo mount -t cifs //workhorse/OldHome /mnt/OldHome -o username=DACRIB+turgon --verbose
    Password:
    mount.cifs kernel mount options: unc=//workhorse\OldHome,ver=1,rw,username=DACRIB+turgon,ip=10.0.0.20,pass=
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The user DACRIB+turgon is a Domain Admin, and is the account set as the owner of the share on the Samba server workhorse. Using the same command and DACRIB+turgon account, I can mount shares from a WinXP machine.

I'm not sure where to go here. I can't seem to figure out why I can't mount shares from workhorse. Windows clients *can* access the shares from workhorse; I just can't access them the other .

The smb.conf for the 2 Samba servers are (virtually) identical.

workhorse:

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    map to guest = Bad User
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    idmap config DACRIB:schema_mode = rfc2307
    idmap config DACRIB: default = true
    invalid users = root
    read only = No
    create mask = 0700
    directory mask = 0775
    hide dot files = No
    wide links = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No
    browsable = No

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

    [OldHome]
    comment = The Old Home Folder
    path = /OldHome

Dual-Booter:

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    idmap config DACRIB:schema_mode = rfc2307
    idmap config DACRIB: default = true
    hide dot files = No

Any clues?

Thanks
Re: [Samba] wbinfo -a fails plaintext auth; passes challenge/response - HALF SOLVED ?
A bit brute force, but I semi-solved it.

I left the domain. I deleted all files in /var/lib/samba. I rejoined domain.

    net ads testjoin - works
    getent passwd - works
    wbinfo -u - works
    wbinfo -g - works
    wbinfo -t - works
    wbinfo -a DACRIB+turgon .. half works.

    $ wbinfo -a DACRIB+turgon
    Enter DACRIB+turgon's password:
    plaintext password authentication succeeded
    Enter DACRIB+turgon's password:
    challenge/response password authentication failed
    error code was NT_STATUS_ACCESS_DENIED (0xc022)
    error messsage was: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly.
    Could not authenticate user DACRIB+turgon with challenge/response

Running it as a sudo - works.

    $ sudo wbinfo -a DACRIB+turgon
    Enter DACRIB+turgon's password:
    plaintext password authentication succeeded
    Enter DACRIB+turgon's password:
    challenge/response password authentication succeeded

Is that the way wbinfo -a works? It can only be run as root? It seems so ...

HOWEVER ... still can't mount a share ...

    $ sudo mount -t smbfs -o username=DACRIB+turgon,password=Bub0n\!c //workhorse/OldHome /mnt
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

So I suppose I am making progress of sorts ... Still need to figure out why I can't mount shares. Any pointers? Where to investigate? I have log levels at 3, but don't see any errors in there.
Re: [Samba] wbinfo -a fails plaintext auth; passes challenge/response
Any clues? I also can't mount shares, I'm guessing it's all related:

    $ sudo mount -t smbfs -o username=turgon,password=*** //workhorse/OldHome /mnt
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The turgon account is a Domain Admin, not to mention owner of the share I am trying to mount.

Once again, I am trying to add a machine to my Win2003 AD (that has Services for Unix installed). I am using Xubuntu 9.10, and samba 3.4.0. I set up Kerberos, and am getting a ticket. I have successfully joined the domain.

    # net ads join -U administrator
    Enter administrator's password:
    Using short domain name -- DACRIB
    Joined 'DUAL-BOOTER' to realm 'DaCrib.local'

wbinfo -u does return all users, both local and AD. wbinfo -g returns all groups, both local and AD. wbinfo -t succeeds.

However, I am failing plaintext authentication, with wbinfo -a:

    wbinfo -a turgon
    Enter turgon's password:
    plaintext password authentication failed
    Could not authenticate user turgon with plaintext password
    Enter turgon's password:
    challenge/response password authentication succeeded

Google seems to be non-helpful, with this failure message from samba. Can anyone shed any light on my problem?

Eventually, I want to configure this machine so that I can log into the machine using only AD accounts (no local logins), but I didn't want to proceed, until I had this problem solved.

testparm:

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    map to guest = Bad User
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    log level = 1
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    idmap config DACRIB:schema_mode = rfc2307
    idmap config DACRIB: default = true
    invalid users = root
    read only = No
    create mask = 0700
    directory mask = 0775
[Samba] wbinfo -a fails plaintext auth; passes challenge/response
Once again, I am trying to add a machine to my Win2003 AD (that has Services for Unix installed). I am using Xubuntu 9.10, and samba 3.4.0. I set up Kerberos, and am getting a ticket. I have successfully joined the domain.

    # net ads join -U administrator
    Enter administrator's password:
    Using short domain name -- DACRIB
    Joined 'DUAL-BOOTER' to realm 'DaCrib.local'

wbinfo -u does return all users, both local and AD. wbinfo -g returns all groups, both local and AD. wbinfo -t succeeds.

However, I am failing plaintext authentication, with wbinfo -a:

    wbinfo -a turgon
    Enter turgon's password:
    plaintext password authentication failed
    Could not authenticate user turgon with plaintext password
    Enter turgon's password:
    challenge/response password authentication succeeded

Google seems to be non-helpful, with this failure message from samba. Can anyone shed any light on my problem?

Eventually, I want to configure this machine so that I can log into the machine using only AD accounts (no local logins), but I didn't want to proceed, until I had this problem solved.

Thanks
Re: [Samba] Can join AD 2003 domain; can't list shares from other servers
On 04/24/2010 03:14 PM, grant little wrote:

maybe, but have you also tried smbclient -L workhorse -Uturgon

Yep. No joy.

    $ smbclient -L workhorse -U turgon
    Enter turgon's password:
    session setup failed: NT_STATUS_ACCESS_DENIED

On Fri, Apr 23, 2010 at 3:58 PM, Michael Leone tur...@mike-leone.com wrote:

No, dim-win2300 knows who turgon is. ;-) in fact, I am logged in on the console of dim-win2300 right now. And turgon is a Domain Admin. It was the account I used to join the laptop to the domain with. And it did join, as I see the laptop machine account in AD. So I think it must be something else ...
Re: [Samba] Can join AD 2003 domain; can't list shares from other servers
On 04/24/2010 03:36 PM, grant little wrote:

Also you say that other systems work fine. Are they the same version of samba on the same OS and version? As in are we comparing apples with apples...

I only have one other Linux machine with Samba. The other machine:

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 9.10
    Release:        9.10
    Codename:       karmic

It can do a smbclient -L to a Linux machine, or to the 2 Windows boxes:

    tur...@workhorse:~$ smbclient -L turgon-laptop
    Enter turgon's password:
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
        print$          Disk      Printer Drivers
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

        Server               Comment
        ---------            -------
        TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: , Ser

        Workgroup            Master
        ---------            -------
        DACRIB

However, it can NOT do a smbclient to itself!

    $ smbclient -L localhost
    Enter turgon's password:
    session setup failed: NT_STATUS_ACCESS_DENIED

    $ smbclient -L workhorse
    Enter turgon's password:
    session setup failed: NT_STATUS_ACCESS_DENIED

This is leading me to think the problem is with workhorse, and not with turgon-laptop.
[Samba] wbinfo -t fails
This used to work ...

    r...@workhorse:/var/log/samba# wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_ACCESS_DENIED (0xc022)
    Could not check secret

    r...@workhorse:/var/log/samba# net ads info
    LDAP server: 10.0.0.60
    LDAP server name: dim-win2300.DaCrib.local
    Realm: DACRIB.LOCAL
    Bind Path: dc=DACRIB,dc=LOCAL
    LDAP port: 389
    Server time: Sat, 24 Apr 2010 16:20:52 EDT
    KDC server: 10.0.0.60
    Server time offset: 0

log.smbd:

    [2010/04/24 16:08:15, 0] libads/kerberos.c:332(ads_kinit_password)
      kerberos_kinit_password workhor...@dacrib.local failed: Preauthentication failed

log.winbindd:

    [2010/04/24 16:08:16, 0] libsmb/cliconnect.c:996(cli_session_setup_spnego)
      Kinit failed: Preauthentication failed
    [2010/04/24 16:08:17, 1] winbindd/winbindd_util.c:303(trustdom_recv)
      Could not receive trustdoms
    [2010/04/24 16:08:25, 0] libads/kerberos.c:332(ads_kinit_password)
      kerberos_kinit_password workhor...@dacrib.local failed: Preauthentication failed
    [2010/04/24 16:08:25, 1] winbindd/winbindd_ads.c:127(ads_cached_connection)
      ads_connect for domain DACRIB failed: Preauthentication failed
    [2010/04/24 16:08:25, 1] winbindd/idmap.c:438(idmap_init_passdb_domain)
      Could not init passdb idmap domain

Googling leads me to believe that the machine secret password is wrong. But I haven't been able to figure out how to fix it. Should I delete the machine account in AD, and try to add again?
Re: [Samba] Samba: trust fails - MORE
So I ended up doing a net ads leave which removed the machine account from Active directory. Now I am trying to re-add it, but it seems to still be hanging around in Kerberos ...

    r...@workhorse:/etc# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administra...@dacrib.local

    Valid starting     Expires            Service principal
    04/24/10 17:25:50  04/25/10 03:25:55  krbtgt/dacrib.lo...@dacrib.local
            renew until 04/25/10 17:25:50

    r...@workhorse:/etc# net ads testjoin -Uadministrator%password
    Enter workhor...@dacrib.local's password:
    [2010/04/24 17:30:45, 0] libads/kerberos.c:332(ads_kinit_password)
      kerberos_kinit_password workhor...@dacrib.local failed: Client not found in Kerberos database
    Join to domain is not valid: Improperly formed account name

WORKHORSE is the server I am trying to add. I dunno why it is trying to use that password, rather than the administrator password.

So now I am more lost than ever. :-) Why is it wanting to use the machine name, to join? Where to go now?
Re: [Samba] Samba: trust fails - RESOLVED
Well, after much gnashing of teeth, and rough words, I was finally able to get it to work. I have successfully re-joined it to the domain.

    tur...@workhorse:~$ wbinfo -t
    checking the trust secret via RPC calls succeeded

    tur...@workhorse:~$ sudo net ads testjoin
    Join is OK

and checking from another Linux machine running Samba is able to list and connect to shares:

    tur...@turgon-laptop:~/.gnupg$ smbclient -L workhorse
    Enter turgon's password:
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        OldHome         Disk      The Old Home Folder
        Photos          Disk
        IPC$            IPC       IPC Service (workhorse server (Samba 3.4.0, Domain: DACRIB, Server: workhorse - NT1))
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

        Server               Comment
        ---------            -------
        WORKHORSE            workhorse server (Samba 3.4.0, Domain: , Server:

        Workgroup            Master
        ---------            -------
        DACRIB

So I'm working now. Hopefully, I won't break it again. :-)

Thanks
[Samba] Can't mount samba shares
Honestly, it's enough to make you scream. :-( I can't seem to mount a samba share:

    $ mount -t smbfs //workhorse/OldHome /network -o username=DACRIB+turgon,password=xx
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

(I'm logging into this laptop as the domain user DACRIB+turgon, domain = DACRIB. That part works perfectly.)

I have the share name right, and I can query the list of shares on the other server:

    dacrib+tur...@turgon-laptop:/$ smbclient -L workhorse
    Enter DACRIB+turgon's password:
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        OldHome         Disk      The Old Home Folder
        Photos          Disk
        IPC$            IPC       IPC Service (workhorse server (Samba 3.4.0, Domain: DACRIB, Server: workhorse - NT1))
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

        Server               Comment
        ---------            -------
        WORKHORSE            workhorse server (Samba 3.4.0, Domain: , Server:

        Workgroup            Master
        ---------            -------
        DACRIB

The folder on the server is chmod 777. The share definition just says:

    [OldHome]
    comment = The Old Home Folder
    path = /OldHome

Windows stations on the LAN can see the share, and access it. It's just this Linux laptop that can't seem to mount any shares. (I get the same error trying to mount any share, either from workhorse or from an actual Windows share).

I don't know if this has anything to do with it:

    r...@turgon-laptop:/var/log/samba# wbinfo -a turgon
    Enter turgon's password:
    plaintext password authentication failed
    Could not authenticate user turgon with plaintext password
    Enter turgon's password:
    challenge/response password authentication succeeded
    r...@turgon-laptop:/var/log/samba#

I don't know why the plaintext failed, but the challenge/response password worked to authenticate. And I know I am using the correct domain ID and password.

Where to investigate next?
[Samba] Can join AD 2003 domain; can't list shares from other servers
I set up an old laptop with Xubuntu 9.10. I configured Samba as to work with my Win2003 AD domain that has MS Services for Unix installed.

I can get a Kerberos ticket. I successfully added the laptop to the AD domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me all groups. wbinfo -a user%password returns successfully. getent passwd works as expected - I see local users, and domain users. net ads info works correctly, returning info.

    LDAP server: 10.0.0.60
    LDAP server name: dim-win2300.DaCrib.local
    Realm: DACRIB.LOCAL
    Bind Path: dc=DACRIB,dc=LOCAL
    LDAP port: 389
    Server time: Fri, 23 Apr 2010 13:12:53 EDT
    KDC server: 10.0.0.60
    Server time offset: 1

And yet:

    $ smbclient -L workhorse
    Enter turgon's password:
    session setup failed: NT_STATUS_ACCESS_DENIED

I have no idea why it's failing; I'm not seeing anything in the samba or winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member server)

I can do the reverse; from workhorse I can see all the shares on the laptop:

    tur...@workhorse:~$ smbclient -L turgon-laptop
    Enter turgon's password:
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
        print$          Disk      Printer Drivers
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

        Server               Comment
        ---------            -------
        TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: , Ser

        Workgroup            Master
        ---------            -------
        DACRIB

Hints as to where to go next? It must be something wrong on this specific laptop, since it works from my other server, but I dunno where, since all the other tests work. Firewall is off, on both machines.

=== smb.conf:

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - R)
    security = ads
    map to guest = Bad User
    client use spnego = true
    client ntlmv2 auth = yes
    eventlog list = Application System Security SyslogLinux
    # PAM AUTH
    encrypt passwords = yes
    obey pam restrictions = Yes
    pam password change = true
    password server = dim-win2300.DaCrib.local
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    domain master = No
    local master = No
    os level = 2
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    # WINBIND
    idmap config DACRIB: default = true
    idmap uid = 1-2
    idmap gid = 1-2
    idmap config DACRIB:schema_mode = rfc2307
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind refresh tickets = true
    winbind nss info = rfc2307
    winbind separator = +
    template homedir = /home/%D/%u
    template shell = /bin/bash
    ; invalid users = root
    create mask = 0700
    directory mask = 0775
    writable = Yes
    enable privileges = Yes
    restrict anonymous = 2
    wide links = no
    socket options = TCP_NODELAY
Re: [Samba] Can join AD 2003 domain; can't list shares from other servers - MORE
More info - it now appears that the problem is with workhorse, not the laptop. I *can* successfully do a smbclient -L to the other, actual Windows stations on the LAN:

    $ smbclient -L dim-win2300
    Enter turgon's password:
    Domain=[DACRIB] OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]

        Sharename       Type      Comment
        ---------       ----      -------
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin
        Temp            Disk      Temp Share
        SYSVOL          Disk      Logon server share
        NETLOGON        Disk      Logon server share
    Domain=[DACRIB] OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]

        Server               Comment
        ---------            -------
        DIM-WIN2300          The DC

        Workgroup            Master
        ---------            -------
        DACRIB               DIM-WIN2300

    tur...@turgon-laptop:/etc/samba$ smbclient -L p4-desktop
    Enter turgon's password:
    Domain=[DACRIB] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        E$              Disk      Default share
        My Documents    Disk
        IPC$            IPC       Remote IPC
        D$              Disk      Default share
        Videos          Disk      Watchin' the images
        print$          Disk      Printer Drivers
        G$              Disk      Default share
        ADMIN$          Disk      Remote Admin
        N$              Disk      Default share
        Old MyDocs      Disk      Old My Documents
        C$              Disk      Default share
        Tunez           Disk      Listening to the sounds
    Domain=[DACRIB] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

So the problem is specific to trying to do a smbclient -L against the other Linux box running Samba. Not sure if that's indicative of other Samba issues. workhorse has no problem doing a smbclient -L against the laptop ...
Re: [Samba] unix exts / wide links / symlinks
Jeremy Allison had this to say:

Ok, I'm or with a wide links = insecure option, with the man page expressing the opinion that enabling it is insane :-). But I'm not spending the time to code it up (but will test and apply patches from people who do :-).

So then this:

It is a big mistake to set the wide links Samba parameter to no in the Samba configuration file /etc/smb.conf.
http://www.faqs.org/docs/securing/chap29sec287.html

should be completely ignored, I guess? I'm a bit new to Samba
[Samba] IDMAP question
I have a Samba 3.4.0 server (from Ubuntu 9.04), as a member server in my Win2003 AD (which has MS Services for Unix 3.5 installed). All seems well, in that it is properly joined to my AD, I've got it all configured so that domain members can log into the Linux servers using their domain credentials.

Here's my config:

    # WINBIND
    # idmap domains = DACRIB
    idmap config DACRIB: default = true
    idmap uid = 1-2
    idmap gid = 1-2
    idmap config DACRIB:schema_mode = rfc2307

2 questions:

1. I had to comment out idmap domains = DACRIB, as it said it was an unknown parameter. Isn't that the proper format to list the AD domain for idmapping?

2. If I understand it correctly, idmap config DACRIB:RID=1-2 equivalent to what I have above? Would that give me any capabilities that my default = true does not give me? (I'd have to change passdb backend = tdbsam to .. what?)

smb.conf follows:

    [global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L -%R)
    security = ADS
    map to guest = Bad User
    client use spnego = true
    client ntlmv2 auth = yes
    # PAM AUTH
    encrypt passwords = Yes
    obey pam restrictions = Yes
    pam password change = true
    password server = dim-win2300.DaCrib.local
    passdb backend = tdbsam
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    log level = 1
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    preferred master = No
    domain master = No
    local master = No
    os level = 2
    ; browse list = Yes
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    # WINBIND
    # idmap domains = DACRIB
    idmap config DACRIB: default = true
    idmap uid = 1-2
    idmap gid = 1-2
    idmap config DACRIB:schema_mode = rfc2307
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = No
    winbind nested groups = Yes
    winbind refresh tickets = true
    winbind nss info = rfc2307
    winbind separator = +
    template homedir = /home/%D/%u
    template shell = /bin/bash
    invalid users = root
    create mask = 0700
    directory mask = 0775
    writable = Yes
    enable privileges = Yes
    restrict anonymous = 2
    wide links = no

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

    [OldHome]
    comment = The Old Home Folder
    read only = No
    path = /OldHome
Re: [Samba] [PLUG] Ongoing saga with Samba and AD
What is the output of `getent passwd $user` ? I wonder if your shell is not set to an sh variant.

    # getent passwd DACRIB+ldap-proxy
    DACRIB+ldap-proxy:*:10006:10012:LDAP Proxy:/home/DACRIB:/bin/false

I suppose it's that /bin/false that's doing it? How can I change that, only for my AD domain users? My local Linux users show /bin/bash.

So, your logins are successful. The shell just exits immediately and the user logs out! It looks like you need template shell = /bin/bash in your smb.conf file. (At least that's what Google tells me.)

And it just told me the same. And that works! I was able to login. WooHoo! :-)

    dacrib+ldap-pr...@workhorse:~$ pwd
    /home/DACRIB/ldap-proxy
    dacrib+ldap-pr...@workhorse:~$

So huge progress! Later, I will try other things like login scripts and such. Maybe I will try to change the smb.conf to not require the domain name; that would be much cleaner. I just left it that way, to make sure the local users and domain users stood out visually from each other.

I'm sure there are other things to play with. Good practice and knowledge (maybe) for use at work.

Thanks everyone for the help.
[Samba] Problems with winbind and AD using Ubuntu 9.10
Greetings! I am having a bit of an issue using Ubuntu 9.10 and AD 2003.

AD domain = dacrib.local
AD server = dim-2300.dacrib.local IP = 10.0.0.60
Samba server = workhorse.dacrib.local IP = 10.0.0.20

I have been following https://help.ubuntu.com/community/Samba/Kerberos, and my Kerberos seems set up properly, as I can get a ticket.

r...@workhorse:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@dacrib.local

Valid starting     Expires            Service principal
03/27/10 18:36:58  03/28/10 04:37:05  krbtgt/dacrib.lo...@dacrib.local
        renew until 03/28/10 18:36:58

Then, following https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto I set up my Samba server, and was able to join it to the domain.

r...@workhorse:/etc/samba# net ads info
LDAP server: 10.0.0.60
LDAP server name: dim-win2300.DaCrib.local
Realm: DACRIB.LOCAL
Bind Path: dc=DACRIB,dc=LOCAL
LDAP port: 389
Server time: Sat, 27 Mar 2010 19:09:28 EDT
KDC server: 10.0.0.60
Server time offset: 0

I can see my server in AD. Other domain members can browse to \\10.0.0.20, and see the defined shares, and access the files in there. So it appears to be properly joined to the domain, and sharing.

What's not working is winbind. I do *not* see any domain users or groups, from wbinfo -u or wbinfo -g. wbinfo --all-domains does know about the AD domain, however:

r...@workhorse:/etc/samba# wbinfo --all-domains
BUILTIN
WORKHORSE
DACRIB

I did edit nsswitch.conf:

r...@workhorse:/etc/samba# more /etc/nsswitch.conf
# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

At this point, I'm a bit lost. My eventual goal is to have any Linux user authenticate against the AD domain, but before I can get that far, I need winbind to work.

Any thoughts? Where do I go from here, to troubleshoot winbind not returning any users or groups?
smb.conf:

[global]
workgroup = DACRIB
realm = DACRIB.LOCAL
server string = %h server (Samba)
security = ADS
map to guest = Bad User
client use spnego = true
client ntlmv2 auth = yes
eventlog list = Application System Security SyslogLinux

# PAM AUTH
encrypt passwords = Yes
obey pam restrictions = Yes
pam password change = true
password server = dim-win2300.DaCrib.local
passdb backend = tdbsam
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
preferred master = No
domain master = No
local master = No
os level = 31
browse list = Yes
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d

# WINBIND
idmap backend = ad
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind refresh tickets = true
winbind nss info = rfc2307
invalid users = root
create mask = 0700
directory mask = 0775
writable = Yes
enable privileges = Yes
restrict anonymous = 2

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[OldHome]
comment = The Old Home Folder
read only = No
path = /OldHome
Re: [Samba] Problems with winbind and AD using Ubuntu 9.10 - MORE
D'OH! So sorry, I had forgotten to restart the services. I am properly seeing all users and groups from wbinfo and from getent passwd and getent group. Boy, do I feel stupid. :-) Sorry for the waste of bandwidth.
[Samba] Problems logging in when authenticating against Active Directory
Greetings! I am having a bit of an issue using Ubuntu 9.10 and AD 2003.

AD domain = dacrib.local
AD server = dim-2300.dacrib.local IP = 10.0.0.60
Samba server = workhorse.dacrib.local IP = 10.0.0.20

I joined the server to AD, and I can see all the domain users and groups when I do a getent passwd and getent group. wbinfo -u lists all domain users, and wbinfo -g gives me all domain groups. AD shows the server as a member, and other domain computers can see and access the shares.

Now, I want to be able to login to the Linux server as a domain user, and have it authenticate against my AD. I have my smb.conf set up so that I need to logon domain members as DACRIB+logonname. And when I go to do that, this happens:

I tried to log on as DACRIB+administrator at the physical console. I was prompted twice for my password (dunno if that's because my password has a ! in it or not). Then it starts to login. I see the motd. I see it say that it was trying to create a home directory for administrator in /home/DACRIB/administrator - which is exactly what it should do. Then I am immediately logged out, and returned to a new login prompt. No other messages on the console, nothing.

auth.log says:

Mar 27 21:04:15 workhorse login[4213]: pam_unix(login:auth): authentication failure; logname=turgon uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=DACRIB+administrator
Mar 27 21:04:15 workhorse login[4213]: pam_winbind(login:auth): getting password (0x0180)
Mar 27 21:04:21 workhorse login[4213]: pam_winbind(login:auth): user 'DACRIB+administrator' granted access
Mar 27 21:04:21 workhorse login[4213]: pam_unix(login:session): session opened for user DACRIB+administrator by turgon(uid=0)
Mar 27 21:04:21 workhorse login[4213]: pam_unix(login:session): session closed for user DACRIB+administrator

Nothing in syslog or messages.
The home directory was created, as it should:

ls -la /home/DACRIB/
drwx-- 2 DACRIB+administrator DACRIB+domain users 4096 2010-03-27 21:04 administrator

ls -la /home/DACRIB/administrator/
drwx-- 2 DACRIB+administrator DACRIB+domain users 4096 2010-03-27 21:04 .
dr-xr-xr-x 4 root root 4096 2010-03-27 21:04 ..
-rw--- 1 DACRIB+administrator DACRIB+domain users 220 2010-03-27 21:04 .bash_logout
-rw--- 1 DACRIB+administrator DACRIB+domain users 3180 2010-03-27 21:04 .bashrc
-rw--- 1 DACRIB+administrator DACRIB+domain users 167 2010-03-27 21:04 examples.desktop
-rw--- 1 DACRIB+administrator DACRIB+domain users 675 2010-03-27 21:04 .profile

So I am confused as to why the domain accounts are immediately logged out. NOTE: local users log in just fine. Where to go next?

Here are the changes I've made to PAM.

$ cat /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so

$ cat /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth requisite pam_deny.so
auth required pam_permit.so

$ cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Thanks for any help.
Re: [Samba] [PLUG] Ongoing saga with Samba and AD
Ben Love had this to say:

* Mike Leone wrote on [2010-03-27 22:02:38 -0400]:

I tried to log on as DACRIB+administrator at the physical console. I was prompted twice for my password (dunno if that's because my password has a ! in it or not). Then it starts to login. I see the motd. I see it say that it was trying to create a home directory for administrator in /home/DACRIB/administrator - which is exactly what it should do. Then I am immediately logged out, and returned to a new login prompt. No other messages on the console, nothing.

This sounds like a problem with PAM configuration. I've definitely had PAM ask for my password multiple times when I set up things like pam_mount and so on.

I have an idea that it tries to look up the user as local, and fails. And then asks again, to authenticate remotely. Maybe one of those use_first_pass options will help? Or re-ordering the local vs winbind lines?

PAM is probably also responsible for the immediate logout. The /etc/pam.d/common-* files are the most likely culprits. (You may also have an /etc/pam.d/login file, but that usually just links to the common-* files.) Congratulations on getting this far! You're nearly there.

Almost, almost ...
Here's the auth.log (I added debug=yes to pam_winbind.conf, and krb5_auth=yes) on a failed login:

am_unix(login:auth): authentication failure; logname=DACRIB+ldap-proxy uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=DACRIB+ldap-proxy
pam_winbind(login:auth): [pamh: 0x89f63b8] ENTER: pam_sm_authenticate (flags: 0x)
pam_winbind(login:auth): getting password (0x0181)
pam_winbind(login:auth): Verify user 'DACRIB+ldap-proxy'
pam_winbind(login:auth): PAM config: krb5_ccache_type 'FILE'
pam_winbind(login:auth): enabling krb5 login flag
pam_winbind(login:auth): enabling request for a FILE krb5 ccache
pam_winbind(login:auth): request wbcLogonUser succeeded
pam_winbind(login:auth): user 'DACRIB+ldap-proxy' granted access
pam_winbind(login:auth): request returned KRB5CCNAME: FILE:/tmp/krb5cc_10006
pam_winbind(login:auth): Returned user was 'DACRIB+ldap-proxy'
pam_winbind(login:auth): [pamh: 0x89f63b8] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
pam_unix(login:session): session opened for user DACRIB+ldap-proxy by DACRIB+ldap-proxy(uid=0)
pam_winbind(login:setcred): [pamh: 0x89f63b8] ENTER: pam_sm_setcred (flags: 0x0002)
pam_winbind(login:setcred): PAM_ESTABLISH_CRED not implemented
pam_winbind(login:setcred): [pamh: 0x89f63b8] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
pam_unix(login:session): session closed for user DACRIB+ldap-proxy

Looks like it *should* be working - it's using kerberos, as I told winbind to do; I see request wbcLogonUser succeeded. I see granted access. Then I see the session closed. :-(

I suppose this means that tomorrow, I concentrate on the common-session parts of /etc/pam.d