[Samba] Machine Login
Hi all,

In my system, samba (3.0.34) is configured as PDC with an LDAP backend and has some user and machine accounts, and it all works fine. But recently I've found out that if I remove one machine account from the LDAP server, user logins into the domain from that machine are still possible, even if the machine login verification fails:

...
[2009/05/05 19:34:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: test
[2009/05/05 19:34:47, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [test] - [test] - [test] succeeded
[2009/05/05 19:34:52, 1] smbd/service.c:make_connection_snum(1033)
  vmvista (192.168.100.198) connect to service netlogon initially as user test (uid=1507, gid=1000) (pid 27646)
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VMVISTA$: no account in domain
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account VMVISTA$: NT_STATUS_ACCESS_DENIED
[2009/05/05 19:35:06, 1] smbd/service.c:close_cnum(1230)
  vmvista (192.168.100.198) closed connection to service netlogon
[2009/05/05 19:36:40, 2] smbd/sesssetup.c:setup_new_vc_session(1214)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/05/05 19:36:40, 2] smbd/sesssetup.c:setup_new_vc_session(1214)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/05/05 19:36:40, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2009/05/05 19:36:41, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VMVISTA$: no account in domain
[2009/05/05 19:36:41, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
...

Is there a way to prevent user logins from machines that have been removed from the system?
Nelson Vale
--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/options/samba
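Added example, not from the post or from the Samba project: a script that correlates the two kinds of line in the log quoted above. The check_ntlm_password and "connect to service" lines record the user's own credentials being accepted by the SMB session setup, while the "get_md4pw ... no account in domain" lines record the client's NETLOGON secure-channel setup failing for lack of a machine account. Samba logs the two independently, and the secure-channel failure can appear after the share connection, so sessions from deleted machines are found by joining on hostname after a full pass over the log. The sample log is constructed in Samba's two-line format (header line, then the message) from the excerpt in the post; the wkst02/alice lines are invented as a control host that still has an account.

```python
"""Correlate Samba log lines: user sessions from hosts whose machine account is gone."""
import re

# Constructed sample in Samba's two-line log format (header line, then the indented message),
# modelled on the excerpt in the post above. The wkst02/alice lines are invented as a control.
SAMPLE_LOG = """\
[2009/05/05 19:34:47, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [test] - [test] - [test] succeeded
[2009/05/05 19:34:52, 1] smbd/service.c:make_connection_snum(1033)
  vmvista (192.168.100.198) connect to service netlogon initially as user test (uid=1507, gid=1000) (pid 27646)
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VMVISTA$: no account in domain
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account VMVISTA$: NT_STATUS_ACCESS_DENIED
[2009/05/05 19:35:06, 1] smbd/service.c:close_cnum(1230)
  vmvista (192.168.100.198) closed connection to service netlogon
[2009/05/05 19:36:10, 1] smbd/service.c:make_connection_snum(1033)
  wkst02 (192.168.100.50) connect to service netlogon initially as user alice (uid=1508, gid=1000) (pid 27650)
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\] ")
CONNECT_RE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) connect to service (?P<service>\S+) "
    r"initially as user (?P<user>\S+)"
)
NO_ACCOUNT_RE = re.compile(r"get_md4pw: Workstation (?P<account>\S+)\$: no account in domain")


def iter_messages(text):
    """Yield (timestamp, message) pairs, attaching each message to the header line before it."""
    stamp = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            stamp = m.group(1)
            continue
        if line.strip():
            yield stamp, line.strip()


def missing_machine_accounts(text):
    """Lower-cased NetBIOS names whose machine-account lookup failed during secure-channel setup."""
    missing = set()
    for _, msg in iter_messages(text):
        m = NO_ACCOUNT_RE.search(msg)
        if m:
            missing.add(m.group("account").lower())
    return missing


def sessions_from_unknown_hosts(text):
    """Service connections made from hosts that have no machine account in the domain.

    The user's SMB session setup succeeds on the user's credentials alone, so the only
    evidence that the client machine is unknown is the separate get_md4pw failure, which is
    why the two are joined by hostname after a complete pass rather than in log order.
    """
    missing = missing_machine_accounts(text)
    found = set()
    for stamp, msg in iter_messages(text):
        m = CONNECT_RE.match(msg)
        if m and m.group("host").lower() in missing:
            found.add((stamp, m.group("host"), m.group("ip"), m.group("user"), m.group("service")))
    return sorted(found)


if __name__ == "__main__":
    for stamp, host, ip, user, service in sessions_from_unknown_hosts(SAMPLE_LOG):
        print(f"{stamp} {user}@{host} ({ip}) -> {service}: host has no machine account")
```

Run against a real log it needs "log level = 1" or higher on the PDC so that make_connection_snum entries are written; the get_md4pw line is logged at level 0 and is always present.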
Re: [Samba] please help me PLEASEEEEEEEE
http://lmgtfy.com/?q=openldap+redhat+configuration

On Friday 13 March 2009 08:58:43 ankit jariwala wrote:

Dear ALL

Please tell me how to configure Openldap in rhel 5. Please send me links/documents.

Thanks in advance

Ankit Jariwala
9725655020
[Samba] Hide Home Share for a single user
Hi,

Does anyone know how to hide a home share just for a particular user?

Thx
Nelson Vale
Re: [Samba] Hide Home Share for a single user
Hi again,

How do you mean hide? So that they can't browse it, or so that they cannot see the 'homes' service?

What I want is to just hide (well, what I'd really wanted was to disable it, but I don't know if it is possible) the Home Share for one particular user, i.e. don't show it when the user browses the available shares. The user is not allowed to connect to the share anyway.

And do you mean hide from everyone else, or hide from that user themselves?

The other users have no access to it.

Thx,
Nelson Vale
[Samba] [POSIX ACLs] Only ACE rules from Samba Primary Group are applied.
Hi,

I've a samba 3.0.24 server running in a debian alike OS with a (Open)LDAP backend and I'm having the following problem: I have LDAP users that belong to more than one (POSIX) group. For instance, I have a user2 that belongs to group users and grupo2 and I have a share with the following ACL settings:

getfacl /home/shares/share1/
getfacl: Removing leading '/' from absolute path names
# file: home/shares/share1
# owner: user1
# group: grupo1
user::rwx
group::rwx
group:grupo2:r-x
group:users:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:grupo2:r-x
default:group:users:rw-
default:mask::rwx
default:other::---

user2 has group grupo2 in the sambaPrimaryGroupSID in LDAP. If I login with this user into share1 and try to create a file it will get Permission Denied. If I login as user2 in the system and go to the share1 folder I'm able to create files, so settings are OK. Also if I use write list = @users I'm able to create files when I'm connected to the share.

In the samba logs I can see that the ACL - UNIX conversion seems fine:

gid_to_sid: local 100 - S-1-22-2-100
canonicalise_acl: Access ace entries before arrange :
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms ---
canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP perms rw-
canon_ace index 2. Type = allow SID = S-1-22-2-1001 gid 1001 (grupo2) SMB_ACL_GROUP_OBJ perms r-x
canon_ace index 3. Type = allow SID = S-1-5-21-822431398-922470320-1179183166-1666 uid 1666 (user2) SMB_ACL_USER_OBJ perms rwx
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID = S-1-5-21-822431398-922470320-1179183166-1666 uid 1666 (user2) SMB_ACL_USER_OBJ perms rwx
canon_ace index 1. Type = allow SID = S-1-22-2-100 gid 100 (users) SMB_ACL_GROUP perms rw-
canon_ace index 2. Type = allow SID = S-1-22-2-1001 gid 1001 (grupo2) SMB_ACL_GROUP_OBJ perms r-x
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms ---
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 180 to (NT) 12019f
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0

But when I try to create the file I get:

New file New Text Document (2).txt
unix_mode(New Text Document (2).txt) inheriting from .
unix_mode(New Text Document (2).txt) inherit mode 42770
unix_mode(New Text Document.txt) returning 0760
open_file_ntcreate: fname=New Text Document.txt, dos_attrs=0x80 access_mask=0x2019f share_access=0x7 create_disposition = 0x2 create_options=0x40 unix mode=0760 oplock_request=3
open_file_ntcreate: fname=New Text Document.txt, after mapping access_mask=0x2019f
allocated file structure 2723, fnum = 6819 (2 used)
calling open_file with flags=0x2 flags2=0x80 mode=0777, access_mask = 0x2019f, open_access_mask = 0x2019f
Permission denied opening New Text Document (2).txt

If I use write list = @users I get:

New file New Briefcase
[2007/12/06 13:54:04, 2] smbd/dosmode.c:unix_mode(96)
  unix_mode(New Briefcase) inheriting from .
[2007/12/06 13:54:04, 2] smbd/dosmode.c:unix_mode(104)
  unix_mode(New Briefcase) inherit mode 42770
[2007/12/06 13:54:04, 3] smbd/dosmode.c:unix_mode(147)
  unix_mode(New Briefcase) returning 0760
[2007/12/06 13:54:04, 10] smbd/open.c:open_file_ntcreate(1144)
  open_file_ntcreate: fname=New Briefcase, dos_attrs=0x80 access_mask=0x2019f share_access=0x7 create_disposition = 0x2 create_options=0x40 unix mode=0760 oplock_request=3
[2007/12/06 13:54:04, 10] smbd/open.c:open_file_ntcreate(1306)
  open_file_ntcreate: fname=New Briefcase, after mapping access_mask=0x2019f
[2007/12/06 13:54:04, 5] smbd/files.c:file_new(126)
  allocated file structure 5967, fnum = 10063 (2 used)
[2007/12/06 13:54:04, 4] smbd/open.c:open_file_ntcreate(1545)
  calling open_file with flags=0x2 flags2=0xC0 mode=0777, access_mask = 0x2019f, open_access_mask = 0x2019f
[2007/12/06 13:54:04, 10] smbd/open.c:fd_open(56)
  fd_open: name New Briefcase, flags = 0302 mode = 0777, fd = 26.
[2007/12/06 13:54:04, 2] smbd/open.c:open_file(352)
  nelsonvale opened file New Briefcase read=Yes write=Yes (numopen=2)
[2007/12/06 13:54:04, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 1000) : sec_ctx_stack_ndx = 1
[2007/12/06 13:54:04, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/12/06 13:54:04, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/12/06 13:54:04, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)

What I've figured so far is that UNIX file access rules work fine, but for POSIX ACLs only Primary Group access rules are applied for ACL settings. The differences I see between the two cases are in the flags2 variable in calling open_file FOR THE SAME SHARE, USER AND GROUP SETTINGS:

ACLs only: calling open_file with flags=0x2 flags2=0x80 mode=0777, access_mask = 0x2019f, open_access_mask =
Re: [Samba] security = user, LDAP, and adding users to ACLs
If your Samba is running as a PDC, and you are logged into the samba domain, you are able to list the LDAP users in the shares or files security tab, and you don't need winbind. All you need is nsswitch.conf configured with:

# /etc/nsswitch.conf
#
passwd: files ldap
group: files ldap
shadow: files ldap

Plus ldap.conf like:

bindpw
binddn xxx
uri ldap://xxx.xxx.xxx.xxx
base dc=local,dc=loc
rootbinddn x
host 127.0.0.1
ldap_version 3
scope one
ssl no
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
nss_base_passwd dc=local,dc=loc?sub
nss_base_shadow dc=local,dc=loc?sub
nss_base_group ou=Groups,dc=local,dc=loc?one

In smb.conf you need to put something like:

ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap suffix = dc=local,dc=loc
ldap admin dn = cn=xx
ldap idmap suffix = ou=Idmap

Your LDAP must also have the default samba Domain Groups.

On Thursday 06 December 2007 20:29, Shammah Chancellor wrote:

Hi,

Problem: I seem to be able to add users to ACLs from windows due to a Name Not Found error when looking up a username. According to what I have been able to find, you cannot browse users on a samba server from windows without winbind and security = domain/ads. However, winbind does not have any place in my environment aside from remedying this problem. Is there some alternative to enable this feature, or method of setting up winbind that is innocuous in my environment while maintaining security = user?

Background on the Environment: I am running Samba 3.0.25c on Solaris 10u4 with security = user. I am using the vfs object zfsacl to enable ACL support on my zfs filesystem. We use LDAP as a password backend, which also stores sambaSIDs for every user. SIDs and unix UIDs are synchronized across all the samba servers because they all use the same LDAP backend.

Thanks in advance!
[Samba] User Multiple Groups in Standalone Mode with LDAP Backend
Hi,

I have samba 3.0.24 installed and running on my linux (debian alike) system as a (PDC) Standalone Server with an LDAP backend. The problem that I'm facing is that I want to have users belonging to multiple (LDAP) groups. My LDAP user ldif is like:

# user1, People, local.loc
dn: uid=user1,ou=x,dc=x
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1501
gidNumber: 1000
cn: user1
uid: user1
homeDirectory: /home/users/user1
loginShell: /bin/bash
sn: user1
sambaSID: S-1-5-21-399272150-696482500-2462376985-1501
sambaPrimaryGroupSID: S-1-5-21-399272150-696482500-2462376985-1000
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1
sambaAcctFlags: [U]
sambaLMPassword:
sambaNTPassword:

and my groups ldif is like (I'm using the rfc2307bis schema for this with a compatible nss-ldap):

dn: cn=group1,ou=Groups,dc=,dc=
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group1
gidNumber: 1000
member: uid=userx,ou=x,dc=,dc=
member: uid=usery,ou=x,dc=,dc=
memberUid: userx
memberUid: usery

dn: cn=group2,ou=Groups,dc=,dc=
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
cn: group2
gidNumber: 1001
member: uid=userx,ou=x,dc=,dc=
memberUid: userx

The samba configuration file is like:

...
ldap user suffix = ou=x
idmap gid = 1-2
ldap password sync = yes
logon drive = z:
domain master = yes
passdb backend = ldapsam:ldap://127.0.0.1
wins proxy = no
wins support = yes
ldap delete dn = Yes
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
idmap uid = 1-2
ldap suffix = dc=,dc=
local master = yes
workgroup = SAMBASERVER
ldap admin dn = cn=,ou=x,dc=,dc=
security = user
preferred master = yes
ldap idmap suffix = ou=Idmap
...

This is all working well and if I do id userx I get all the groups the user belongs to. My problem is that samba is not getting all the groups that a user belongs to. In fact I'm only getting the group that is defined in the sambaPrimaryGroupSID, so I'm wondering whether I'm missing something, I just don't know what.

What can I do to make samba get all the groups that a user belongs to?
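Added example, not from either post and not Samba code, serving both the POSIX ACL post above and this one. It parses LDIF shaped like the entries quoted here into the group set for a user, either the gidNumber group alone (the primary group both posts say Samba is limited to) or with every memberUid group as well, and then runs the access algorithm from acl(5) against the share ACL that getfacl printed in the ACL post. With only grupo2 in hand, creating a file (a write) is refused; with users as a supplementary group it is allowed, which is exactly the difference the ACL post reports between a local login and an SMB session. The LDIF, user and group names are constructed to match the posts; the ACL text is copied from the getfacl output there.

```python
"""POSIX ACL evaluation for an LDAP user: primary group alone versus all memberUid groups."""

# Constructed LDIF modelled on the entries quoted in the thread; names and gids are illustrative.
SAMPLE_LDIF = """\
dn: uid=user2,ou=People,dc=local,dc=loc
objectClass: posixAccount
uid: user2
gidNumber: 1001

dn: cn=grupo2,ou=Groups,dc=local,dc=loc
objectClass: posixGroup
cn: grupo2
gidNumber: 1001
memberUid: user2

dn: cn=users,ou=Groups,dc=local,dc=loc
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: user2
"""

# The share ACL as getfacl printed it in the ACL post (default entries abbreviated).
SAMPLE_ACL = """\
# file: home/shares/share1
# owner: user1
# group: grupo1
user::rwx
group::rwx
group:grupo2:r-x
group:users:rw-
mask::rwx
other::---
default:user::rwx
"""


def parse_ldif(text):
    """Split LDIF into entries (dict attr -> [values]); single-line attribute values only."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def groups_for(entries, user, supplementary=True):
    """Group names for user: the gidNumber group plus, if requested, every memberUid group."""
    accounts = {e["uid"][0]: e for e in entries if "posixAccount" in e.get("objectClass", [])}
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    primary_gid = accounts[user]["gidNumber"][0]
    names = {g["cn"][0] for g in groups if g["gidNumber"][0] == primary_gid}
    if supplementary:
        names |= {g["cn"][0] for g in groups if user in g.get("memberUid", [])}
    return names


def parse_getfacl(text):
    """Parse getfacl output into the access ACL; comment and default: lines are skipped."""
    acl = {"owner": None, "group": None, "user_obj": set(), "group_obj": set(),
           "users": {}, "groups": {}, "mask": None, "other": set()}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line.startswith("#") or line.startswith("default:") or line.count(":") != 2:
            continue
        else:
            tag, name, perms = line.split(":")
            bits = set(perms) - {"-"}
            if tag in ("mask", "other"):
                acl[tag] = bits
            elif name:
                acl[tag + "s"][name] = bits   # named user / named group entry
            else:
                acl[tag + "_obj"] = bits      # owner / owning-group entry
    return acl


def check_access(acl, user, groups, requested):
    """acl(5) access check: owner, then named user, then any matching group entry, then other.

    The mask applies to named users and to every group entry, never to the owner. In the group
    branch the request succeeds only if one matching entry, after masking, holds every requested
    bit; bits from different group entries are never combined.
    """
    want = set(requested)
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:
        return want <= acl["user_obj"]
    if user in acl["users"]:
        return want <= (acl["users"][user] & mask)
    matching = [acl["group_obj"]] if acl["group"] in groups else []
    matching += [bits for name, bits in acl["groups"].items() if name in groups]
    if matching:
        return any(want <= (bits & mask) for bits in matching)
    return want <= acl["other"]
```

The "one entry must hold every bit" rule in the group branch is the part most people get wrong: a user in both grupo2 (r-x) and users (rw-) can read, write or execute individually, but a single request for w and x together is refused, because no one entry grants both.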
Re: [Samba] Samba with AD Authentication Backend
But why can't I use AD as an LDAP server, since microsoft says it's LDAP compatible?

On Thu, 2007-06-21 at 12:54 -0400, Adam Tauno Williams wrote:

Please help me if you can. Has somebody ever managed to configure a Samba PDC to use AD as an authentication backend, i.e., like an ldap backend? I'm trying to build a system where Samba is my PDC and I want to authenticate AD users in my Samba domain. I do not want to add Samba to the AD domain, and I can not use an Ldap Server (like OpenLdap). Is this possible? What do I need to do?

I doubt it. But you can [I believe, last I knew] establish a trust between an AD domain and an NT4 domain (with a Samba PDC). That should provide access to domain resources by AD domain users.

--
Nelson Vale
Critical Links, S.A.
Parque Industrial de Taveiro, Lote 48
3045-504 Coimbra
PORTUGAL
Tel: +351.239989100
Fax: +351.239989119
Web: www.critical-links.com/
Email: [EMAIL PROTECTED]
[Samba] Samba Authentication against Radius server
Hello guys,

I have my linux system configured to authenticate/authorize (windows XP and Vista) users for several services, like PPTP, SMTP and POP3, against a radius server (using PAM), and now I want to add support for samba authentication also. I was planning to do it by using one tdbsam backend (I can not have LDAP for several reasons, unfortunately) but I have some doubts:

Is it possible to authenticate samba users directly against the radius server (is there a way to do it)?

For tdbsam, is there any solution to keep passwords in sync with the radius server?

Thanks
[Samba] Roaming Profiles
Hello all,

I have a samba 3.0.9 acting as a PDC in a network where all users use Win XP, and all is working fine except for Roaming Profiles. The thing is that when I create a new user and login into the domain, windows will store the profile from one of the existing users, normally the profile of the first user created, in the user's profile dir (in linux). Even stranger is that if I create a new file, for instance in the desktop dir of the new user, this file will also be stored in the first user's desktop dir.

The smb.conf file is:

[global]
ldap user suffix = ou=People
idmap gid = 1-2
passwd chat = *new* %n\n *retype\snew* %n\n *changed*
logon drive = z:
map to guest = Bad User
domain master = yes
wins proxy = no
passwd program = /usr/bin/change_password.pl %u
passdb backend = ldapsam:ldap://127.0.0.1
wins support = yes
ldap delete dn = Yes
server string = Samba Server
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
idmap uid = 1-2
ldap suffix = dc=local,dc=loc
unix password sync = yes
local master = yes
workgroup = TEST
ldap admin dn = cn=Administrator,ou=Users,dc=local,dc=loc
security = user
preferred master = yes
add machine script = /usr/bin/computer_add.pl '%m'
ldap idmap suffix = ou=Idmap
domain logons = yes

[netlogon]
root preexec = sh -c '/usr/sbin/pdc-sua.pl %U %I NETLOGON'
valid users = root @users
writeable = no
browsable = no
public = no
path = /home/samba/netlogon/

[homes]
create mask = 0664
root preexec = sh -c '/usr/sbin/pdc-sua.pl %U %I PREEXEC rm /home/users/%U/profile/Start Menu/Programs/Startup/desktop.ini'
comment = Home Directories
read only = No
directory mask = 0775
browseable = No
valid users = %S
hide files = desktop.ini

My questions are: Is this a known issue or can it be a bad Samba configuration? Is there any solution for this? Am I missing something?