[Samba] member server and groups

2013-04-04 Thread Neil Price

I have a samba 3 member server joined to a samba pdc using ldap. Join is OK.
Version is from debian wheezy: 3.6.6

With servers that are bdc's I have no problems with authentication, with 
the member server I cannot get group file permissions to work.

User file permissions work fine
Samba share user and group permissions work fine
getent group shows expected groups with correct gid, which is an 
improvement on the 3.5.4 that I tried before.

Only thing interesting the logs show is access denied.
BUT if I change the dir/file permission to domain users group THEN it 
works.
So I think samba is only looking up the primary group. I know there was a 
bug like this somewhere around 3.6.0


Is net idmap secret alloc no longer needed? It responds with "The only 
currently supported backend is LDAP." smbpasswd -w seemed to do all I 
needed.


Critical parts of my smb.conf
I'm using the nss_ldap method with nss-ldapd

   security = domain
   workgroup = DOMAIN
   ldap admin dn = cn=System Administrator,ou=people,dc=domain,dc=com
   ldap suffix = dc=domain,dc=com
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap idmap suffix = ou=idmap
   ldap machine suffix = ou=winstations,ou=systems
   ldap ssl = Off

   idmap config DOMAIN : backend = ldap
   idmap config DOMAIN : range= 8-99000
   idmap config DOMAIN : ldap_url = ldap://my.ldap.serverl/

   winbind use default domain = yes

[comp]
path = /home/shares/comp
inherit permissions = yes
public = no
browsable = yes
writeable = yes
valid users = @computer

Directory perms
drwxrwx--- 19 root computer 4096 Jan 18 15:25 comp


nsswitch.conf
passwd: compat ldap
group:  compat ldap
shadow: compat ldap

hosts:  files dns wins
networks:   files

/etc/nslcd.conf
# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://my.ldap.server/

# The search base that will be used for all queries.
base dc=domain,dc=com

# The LDAP protocol version to use.
#ldap_version 3


# SSL options
#ssl off
#tls_reqcert never

# The search scope.
#scope sub


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
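
A triage helper for the symptom described in the post above, added here as an example (it is not part of the original message or of Samba). It compares the member list that the NSS group database returns with the group IDs the account actually carries; the function name and the sample values are constructed, and on a live member server the inputs would come from `getent group computer`, `id -g nprice` and `id -G nprice`.

```shell
#!/bin/sh
# classify_membership GROUP_LINE USER PRIMARY_GID GID_LIST
#   GROUP_LINE  : one group(5) line, e.g. the output of `getent group computer`
#   USER        : account name to check
#   PRIMARY_GID : output of `id -g USER`
#   GID_LIST    : output of `id -G USER` (space separated)
# Prints one of:
#   primary     the group is the account's primary group
#   ok          listed as a member and the gid is in the id(1) list
#   nss-only    listed as a member, but the gid is missing from the id(1)
#               list: group file permissions fail, share ACLs may still pass
#   creds-only  gid is in the id(1) list but the member field omits the user
#   not-member  neither view shows membership
classify_membership() {
    line=$1 user=$2 pgid=$3 gids=$4
    gid=$(printf '%s\n' "$line" | cut -s -d: -f3)
    members=$(printf '%s\n' "$line" | cut -s -d: -f4)
    [ -n "$gid" ] || { echo "bad-input"; return 2; }

    listed=no
    case ",$members," in *",$user,"*) listed=yes ;; esac
    carried=no
    case " $gids " in *" $gid "*) carried=yes ;; esac

    if [ "$gid" = "$pgid" ]; then echo primary
    elif [ "$listed" = yes ] && [ "$carried" = yes ]; then echo ok
    elif [ "$listed" = yes ]; then echo nss-only
    elif [ "$carried" = yes ]; then echo creds-only
    else echo not-member
    fi
}

# Constructed sample data (gids and second member are made up):
# the group db lists nprice, but id(1) reports only the primary group.
classify_membership 'computer:*:1005:nprice,jsmith' nprice 513 '513'
```
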


Re: [Samba] wbinfo ok, but getent nothing

2011-02-07 Thread Neil Price

On 2011/02/07 02:39 PM, Jean-Yves Avenard wrote:


After wasting 2 days on this ; I removed 3.5.6 then installed 3.4.9...
And getent passwd properly shows everything :(

I had the same experience.. for me the problem is only on member 
servers, and only with getent group (getent passwd works)



So something is broken in 3.5.6


All the 3.5.x versions in fact...




[Samba] getent group fails on member server after upgrade to 3.5.5

2010-10-21 Thread Neil Price
 I have a member server joined to a samba 3 domain. It was working fine 
with 3.4.8 but after an upgrade to 3.5.5 (debian lenny with backports) 
getent group no longer works.


getent passwd works fine, wbinfo -u and wbinfo -g work fine

I upgraded some other servers which are DC's and those work fine.

winbind.log shows
[2010/10/21 14:06:13.918006,  3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [16709]: request interface version
[2010/10/21 14:06:13.918103,  3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [16709]: request location of privileged pipe
[2010/10/21 14:06:13.918288,  3] winbindd/winbindd_getgrent.c:51(winbindd_getgrent_send)
  [16709]: getgrent
[2010/10/21 14:06:14.618332,  5] winbindd/winbindd_getgrent.c:149(winbindd_getgrent_recv)
  getgrent failed: NT_STATUS_NONE_MAPPED

Relevant parts of smb.conf

   security = domain
   ldap ssl = Off

   idmap backend = ldap:ldap://170.130.105.39
   idmap uid = 8-9
   idmap gid = 8-9
   idmap alloc backend = ldap
   idmap alloc config: ldap_url = ldap://170.130.105.39
   idmap alloc config: ldap_base_dn = ou=idmap,dc=gibb,dc=co,dc=za
   idmap alloc config: ldap_user_dn = cn=admin,ou=people,dc=gibb,dc=co,dc=za
   idmap alloc config: range = 8-9

   password server = *
   winbind enum groups = yes
   winbind enum users = yes

Relevant part of nsswitch.conf
passwd: compat winbind
group:  compat winbind
shadow: compat

hosts:  files dns wins




Re: [Samba] samba 3.4.7 as NT4 domain member and win9x

2010-10-06 Thread Neil Price

 On 2010/10/05 10:44 PM, Chris Weiss wrote:

I can connect win9x using local accounts, just not domain accounts.
the same domain accounts work from all other OS's, and on older Samba
versions.

I had a problem with a dos login to a domain account that worked with 
3.2.x but not with 3.4.x and 3.5.x

I worked out it was trying to connect to a local account and 
ignoring the workgroup/domain.


I simply created a local account since that worked for me.  I forced the 
group bit on the directory so the files were readable by others.


But this may well be a bug.


Re: [Samba] NT4 Migration

2010-09-22 Thread Neil Price

Quoting Dermot paik...@gmail.com:

sid S-1-5-21-1979685110-1467996072-351907979-500 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-2998 does not belong to our domain
sid S-1-5-21-1979685110-1467996072-351907979-3010 does not belong to our domain


Are you using idmap? I had this when the nextgid value in idmap went 
out of range for some bizarre reason.





[Samba] wbinfo_group.pl and spaces in group names

2010-08-27 Thread Neil Price
Hi, I'm using wbinfo_group.pl from samba 3.4.8 for squid ntlm 
authentication because I'm using multiple samba groups


squid version is 2.7 from debian Lenny

squid.conf contains:

external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl -d

acl AuthorizedUsers proxy_auth REQUIRED
acl internet external nt_group /etc/squid/allowed-groups
http_access deny !internet

Allowed groups contains

LAWCO\Internet%20Users
GIBB\Computer

This tests fine from command line
echo lawco\\nprice lawco\\Internet%20users|/usr/lib/squid/wbinfo_group.pl -d


But from squid it does not work, it seems that squid escapes the escape.

I changed  wbinfo_group.pl

foreach $group (@groups) {
    $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
    #this next line added by me
    # (/g so that every escaped space in the name is replaced, not only the first)
    $group =~ s/%20/ /g;
    $ans = check($user, $group);
    last if $ans eq "OK";
}

Probably horrify perl purists but it works for me. Hope this helps someone.



Re: [Samba] Is samba3_vscan compiled anymore, by anyone?

2010-08-23 Thread Neil Price

 On 2010/08/22 06:15 PM, Nico Kadel-Garcia wrote:

I'm looking at the RPM's over at http://ftp.sernet.de/pub/samba/3.5/,
and noticing that the samba3-vscan package is not being built for
any OS. Is this deliberate? If so, perhaps it can be deleted from the
SRPM? It no longer builds correctly for Samba v3.5, and is a years old
virus scanning tool in any case. It's therefore probably unsuitable
for virus scanning of any modern CIFS share.

I haven't tried it yet but this looks like a good candidate for replacing 
that package: http://svs.sourceforge.net/



[Samba] gecos?

2010-06-15 Thread Neil Price

This has always bothered me.. wtf does gecos mean (in the samba ldap)?



[Samba] Debian Lenny 3.5.3 packages pam-auth-update

2010-06-09 Thread Neil Price
I hope it is relevant to report this here. The debian lenny samba 3.5.3 
packages at  http://pkg-samba.alioth.debian.org have this problem:


Setting up winbind (2:3.5.3~dfsg-1~unoff50+1) ...
/var/lib/dpkg/info/winbind.postinst: line 16: pam-auth-update: command not found

dpkg: error processing winbind (--configure):
 subprocess post-installation script returned error exit status 127
Errors were encountered while processing:
 winbind

I presume pam-auth-update is not relevant to Lenny.

So I modified /var/lib/dpkg/info/winbind.postinst and ran dpkg 
--configure --pending. Seems fine.




Re: [Samba] Winbind 3.5.2 caching issues under SLES11???

2010-04-26 Thread Neil Price

On 2010/04/23 10:58 PM, Chris Smith wrote:


Don't know if it's related but on 2 systems with 3.5.2 I could not get
the new idmap backend (moved from tdb to rid) to work without deleting
the gencache* tdb's in addition to the winbind ones.

   
I had the same problem on 3.4.7 moving from tdb to ldap. I also had to get 
rid of nscd which for some reason Debian always installs with Samba. I 
was confused because everything would come right after a reboot. I 
thought that Samba is emulating Windows a little TOO closely!


I wrote this little script while I was messing with different idmap options:
#!/bin/sh
#
# stop samba, reset cache and restart
/etc/init.d/winbind stop
/etc/init.d/samba stop
rm -f /var/run/samba/gencache.tdb
rm -f /var/cache/samba/*.tdb
/etc/init.d/samba start
/etc/init.d/winbind start
/etc/init.d/nslcd restart




[Samba] samba as a trusting domain

2010-04-20 Thread Neil Price
I'm establishing a trust to an NT domain (a real NT domain with real 
NT servers)


I set up the trusting domain on the NT server
then on the samba server

# net rpc trustdom establish lawco
Enter GIBB.LOCAL$'s password:
Could not connect to server CAPETOWN-2
Trust to domain LAWCO established

It seems to work, but I always get the "Could not connect to server". 
Just curious.





[Samba] idmap with member servers

2010-04-13 Thread Neil Price
I'm using a member server joined to my primary domain. I'm using winbind 
because I have a trusted domain.


Both pdc and member server have

   idmap uid = 8-9
   idmap gid = 8-9
   idmap backend = ldap:ldap://my.pcd

member server has

security=domain
password server = *

(and no passdb line)

nsswitch.conf on the member is
passwd: compat winbind
group:  compat winbind
shadow: compat

Everything works great. Mappings are stored in idmap and I have 
consistent uids for the trusted domain on both the pdc and the member 
server.


However mappings for the primary domain (that the server is a member of) 
on the member server are different from the pdc of that domain because 
it creates new mappings in idmap in ldap.


That means that all member servers will have consistent mappings for the 
primary domain and all bdcs will have consistent mappings but the 2 sets 
of mappings will not be the same.


Is there any way I can make the 2 sets the same? Samba is 3.4.7.

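
A way to measure the divergence described in the post above, added here as an example (it is not part of the original message and does not answer the question asked). It compares two passwd(5)-format dumps, such as saved `getent passwd` output from the pdc and from a member server, and reports accounts whose uid differs as well as uids that resolve to different accounts on the two hosts; the function names, account names and uid values are constructed.

```shell
#!/bin/sh
# diff_id_maps FILE_A FILE_B
#   Each file holds passwd(5) lines (name:passwd:uid:gid:...).
#   Account names are compared case-insensitively.
# Prints, sorted:
#   MISMATCH  name uid_a uid_b     same account, different uid on the two hosts
#   COLLISION uid name_a name_b    same uid, different account: files written
#                                  on one host appear owned by someone else
diff_id_maps() {
    awk -F: '
        NR == FNR {                       # first file: build both lookups
            n = tolower($1)
            uid_a[n] = $3
            name_a[$3] = n
            next
        }
        {                                 # second file: compare each line
            n = tolower($1)
            if ((n in uid_a) && uid_a[n] != $3)
                printf "MISMATCH %s %s %s\n", n, uid_a[n], $3
            if (($3 in name_a) && name_a[$3] != n)
                printf "COLLISION %s %s %s\n", $3, name_a[$3], n
        }
    ' "$1" "$2" | sort
}

# Constructed sample: dumps from two hosts with diverging idmap allocations.
demo_id_maps() {
    a=$(mktemp) b=$(mktemp)
    printf '%s\n' 'nprice:*:80001:513::/home/nprice:/bin/sh' \
                  'jsmith:*:80002:513::/home/jsmith:/bin/sh' > "$a"
    printf '%s\n' 'NPrice:*:80002:513::/home/nprice:/bin/sh' \
                  'jsmith:*:80005:513::/home/jsmith:/bin/sh' > "$b"
    diff_id_maps "$a" "$b"
    rm -f "$a" "$b"
}

demo_id_maps
```
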