[Samba] Getting user list for each group

2012-10-13 Thread Oguz Yilmaz
I use Winbind auth for squid/dansguardian NTLM authentication purposes.
I need to match users/groups for filtering in squid/dansguardian.
getent group is used for finding the users of groups, except for the group Domain Users.
getent passwd is used for finding all users, and specifically the users of
group Domain Users (via the group ID).

This requires the enumeration options (winbind enum users, winbind enum
groups) to be enabled in smb.conf. For thousands of users this may block
many system functions and puts a wait even on tcpdump and ssh logins. So I
want to disable the enum options and stop using getent.

Is there any way to get the user list for each group with wbinfo or any
other tools?

What may be the best practice for the aim in paragraph 1?

Thank you and Best Regards,


--
Oguz
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-13 Thread Oguz Yilmaz
I have joined the central DC. AFAIK winbind/samba creates a machine
account? What other things are done in the Active Directory DC during the join
process? I want to fully understand what samba is doing to be able to
guide the DC administrator.

After this I cannot join the local DC again. If the central DC replicates
into the local DC, this machine account etc. should have been replicated
into the local DC. Isn't it possible to disable this machine account
creation process?

Thank you

--
Oguz


On Fri, Oct 12, 2012 at 10:53 AM, Matthieu Patou m...@samba.org wrote:
 On 10/12/2012 12:05 AM, Oguz Yilmaz wrote:

 RODC is Windows Server 2008 R2 Enterprise 7601 Service Pack 1.
 What do you suggest? We keep the RODC as read only. How can I join and
 continue to auth and get the user list over the read-only DC?

 Your first problem is the join; I think this can only be done with an RWDC.
 As for the day-to-day use, I think it's possible to use an RODC, but if you
 didn't allow the RODC to replicate then every auth request will be proxied
 from the RODC to the RWDC.
 The list of users will be served by the RODC directly.


 Matthieu.

 --
 Matthieu Patou
 Samba Team
 http://samba.org



Re: [Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-13 Thread Oguz Yilmaz
Dear Matthieu,

After joining, should I change just the IP addresses in krb5.conf,
smb.conf and lmhosts to the local IP address? Could you please summarize the
steps from remote join to local authentication and getting the user list?

Thanks,

--
Oguz YILMAZ


On Sat, Oct 13, 2012 at 11:21 AM, Matthieu Patou m...@samba.org wrote:
 On 10/13/2012 01:18 AM, Oguz Yilmaz wrote:

 I have joined the central DC. AFAIK winbind/samba creates a machine
 account? What other things are done in the Active Directory DC during the join
 process? I want to fully understand what samba is doing to be able to
 guide the DC administrator.

 After this I cannot join the local DC again. If the central DC replicates
 into the local DC, this machine account etc. should have been replicated
 into the local DC. Isn't it possible to disable this machine account
 creation process?

 If you joined the central one and waited for the replication, why rejoin on
 the local RODC one?


 Matthieu.

 --
 Matthieu Patou
 Samba Team
 http://samba.org



[Samba] Joining Samba RODC, NT_STATUS_NOT_SUPPORTED

2012-10-11 Thread Oguz Yilmaz
Dear list users,

I have a problem when joining an Active Directory domain. In this
project we have one main DC in the capital city and one read-only DC in
a remote city.

We join the main DC successfully. However, we cannot join the local
replica (rodc14). We are using this method for winbind / squid NTLM
authentication purposes, not a full samba server. The Internet connection is
not fast and we have thousands of users. Remote joining is not our
first choice.

First of all I tried to join without an lmhosts entry. That time, I got
"Failed to join domain: failed to find DC for domain". The /etc/hosts
entry was in place and the AD DNS server was running. Anyway, I
overcame this problem after adding the lmhosts entry.

Now my problem is:
result   : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account
(NT_STATUS_NOT_SUPPORTED)

I have searched and come up with this possibly being about the read-only DC. We
have changed the DC to normal mode. Nothing has changed.

I need some help with joining to a read-only DC and the problem debugged below.

System is Centos 5 i386
AD Server is Windows Server 2008 R2 Enterprise 7601 Service Pack 1

Samba is
samba3-utils-3.6.8-44.el5
samba3-3.6.8-44.el5
samba3-winbind-3.6.8-44.el5
samba3-client-3.6.8-44.el5

RPMs from Sernet. (Actually I was using the samba3x RPMs from CentOS. I
upgraded when I encountered these problems.)

net ads  -d 10 testjoin
net ads join -d 3 -U test14%pass

Debugs are below.


DC: rodc14.testdom.com.tr, 10.10.25.4
domain: TESTDOM.COM.TR
Machine Name: TEST14
AD USER: test14 (In administrator group)



Best Regards,

Oguz





[root@test14 ~]# kinit
Password for tes...@testdom.com.tr:
[root@test14 ~]# echo $?
0

[root@test14 ~]# net ads testjoin
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Decrypt
integrity check failed
kerberos_kinit_password TEST14$@TESTDOM.COM.TR failed: A service is
not available that is required to process the request
Join to domain is not valid: Undetermined error






cat /etc/hosts:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   localhost.localdomain localhost test14
::1 localhost6.localdomain6 localhost6
10.10.25.4  rodc14.testdom.com.tr  #Do not edit/remove this line,
required for labris AD integration






cat /etc/samba/lmhosts:

# This file provides the same function that the lmhosts file does for
# Windows. It's another way to map netbios names to ip addresses.
#
# Cf. section 'name resolve order' in the manual page of smb.conf for
# more information.

127.0.0.1   localhost
#127.0.0.1   FOO#20
#192.168.1.1 MYDOM#1C
10.10.25.4  TESTDOM




/etc/samba/smb.conf:

[global]
   netbios name = TEST14
   realm = testdom.com.tr
   workgroup = TEST
   security = ads
   encrypt passwords = yes
   password server = 10.10.25.4
   log level = 3
   log file = /var/log/samba.log
   ldap ssl = no
   idmap uid = 1-2
   idmap gid = 1-2

   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

   domain master = no
   local master = no
   preferred master = no

   template shell = /sbin/nologin

   getwd cache = yes
   winbind cache time = 10
   ldap connection timeout = 1200
   ldap timeout = 2400

   allow trusted domains = yes
#   ldap ssl = off
#   winbind offline logon = yes
#   winbind refresh tickets = yes
#   client use spnego = no
#   use spnego = no
#   ldap ssl ads = no
#   client ldap sasl wrapping = plain



/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTDOM.COM.TR
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc
# dns_lookup_realm = false
# dns_lookup_kdc = false

 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 TESTDOM.COM.TR = {
  kdc = 10.10.25.4
  admin_server = 10.10.25.4
  default_domain = TESTDOM.COM.TR
 }

[domain_realm]
 .testdom.com.tr = TESTDOM.COM.TR
  testdom.com.tr = TESTDOM.COM.TR








net ads join Log:

net ads join -d 3 -U test14%pass



lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Processing section [global]
WARNING: The idmap uid option is deprecated
WARNING: The idmap gid option is deprecated
added interface eth9.102 ip=fe80::20c:bdff:fe05:28f8%eth9.102
bcast=fe80:::::%eth9.102 netmask=:::::
added interface eth1 ip=fe80::290:bff:fe21:43ac%eth1
bcast=fe80:::::%eth1 netmask=:::::
added interface eth2 ip=fe80::290:bff:fe21:43ad%eth2
bcast=fe80:::::%eth2 netmask=:::::
added interface eth0 ip=fe80::290:bff:fe27:b5bf%eth0
bcast=fe80:::::%eth0 netmask=:::::
added interface eth9.102 ip=95.0.0.26 bcast= 

[Samba] Enhancing NTLM Authentication to Remote Site Active Directory server

2011-11-01 Thread Oguz Yilmaz
Hi,

We use NTLM authentication with Squid in some setups. In those setups, the
local machine joins Active Directory and the squid ntlm_auth helper
authenticates through the local samba service. Users transparently
authenticate through the NTLM authentication handshake on HTTP without
entering any password in their browser.

However, in some cases, branch offices have no local Active Directory
server. The branch office is connected to the headquarters through an IPsec
VPN. I can make the branch office samba join the headquarters Active
Directory domain and set NTLM authentication on Squid up correctly.

This setup has a weakness inherited from high latency, packet loss
or some other things that I don't know about samba. 3-4 times a
day users get prompted with a username/password authentication popup
in their browser. Sometimes this recovers naturally in a few
minutes. However, it requires rejoining to the domain in some cases
(wbinfo -t gives an error and wbinfo -l cannot list users).

I have made some tunings in samba:
  getwd cache = yes
  winbind cache time = 3000
  ldap connection timeout = 10
  ldap timeout = 120

Which other tunings can I do on samba and squid? I need your experiences.

Best Regards,


squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid AD Auth
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off



/etc/samba/smb.conf:

[global]
  netbios name = SQUID
  realm = MY.DOM
  workgroup = my.dom
  security = ads
  encrypt passwords = yes
  password server = 172.16.5.10
  log level = 3
  log file = /var/log/samba.log
  ldap ssl = no
  idmap uid = 1-2
  idmap gid = 1-2

  winbind separator = /
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes

  domain master = no
  local master = no
  preferred master = no

  template shell = /sbin/nologin

  getwd cache = yes
  winbind cache time = 3000
  ldap connection timeout = 10
  ldap timeout = 120



/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOM
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc
# dns_lookup_realm = false
# dns_lookup_kdc = false

 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 MY.DOM = {
 kdc = 172.16.5.10
 admin_server = 172.16.5.10
 default_domain = MY.DOM
 }

[domain_realm]
 .ronesans.hol = MY.DOM
 ronesans.hol = MY.DOM


Re: [Samba] different output of getent group with samba 3.0.33 and samba3-3.5.1: WAS: getting users of a Active Directory group

2010-11-12 Thread Oguz Yilmaz
I narrowed the problem.

With samba-3.0.33-3.15.el5_4.1,
getent group will display groups including the users as the fourth field:
g_group1:*:10263:mr.smith,mrs.smith

However, with samba3-3.5.1-43.el5 (from sernet),
getent group will NOT display the users:
g_group1:*:10263:

What do you think the problem is?

Regards,

--
Oguz YILMAZ



On Thu, Nov 11, 2010 at 5:32 PM, Oguz Yilmaz oguzyilmazl...@gmail.com
wrote:
 Hi all,

 I try to form a file to include AD usernames with their group
 memberships. I have no problems with joining and the getent and wbinfo
 stuff. All are working.

 A user may have more than one group membership besides the Domain Users
 group.

 One way is to run getent group and grep for the group whose members I
 try to find. After finding its GID I can search the getent passwd output
 for the users with this GID. However, on some servers getent passwd
 only shows the GID of the default Domain Users group, which every user is a
 member of.

 Another way is to run getent group. On one of my servers (win2003),
 the getent group output gives users in the form of:
 g_group1:*:10263:mr.smith,mrs.smith
 Then I can conclude g_group1 has members mr.smith and mrs.smith.

 However on another type of server (2008r2), getent group does not
 list members as the fourth field in the output. Also getent passwd lists
 only the Domain Users group GID.

 I do want to know what the difference between those AD servers can be. Is
 this about the organizational hierarchy of AD?

 Can you propose any other way to find the members of a specific group?

 Samba is samba3-3.5.1-43.el5, the OS is CentOS 5.

 Best Regards,


 --
 Oguz YILMAZ



[Samba] getting users of a Active Directory group

2010-11-11 Thread Oguz Yilmaz
Hi all,

I try to form a file to include AD usernames with their group
memberships. I have no problems with joining and the getent and wbinfo
stuff. All are working.

A user may have more than one group membership besides the Domain Users group.

One way is to run getent group and grep for the group whose members I
try to find. After finding its GID I can search the getent passwd output
for the users with this GID. However, on some servers getent passwd
only shows the GID of the default Domain Users group, which every user is a
member of.

Another way is to run getent group. On one of my servers (win2003),
the getent group output gives users in the form of:
g_group1:*:10263:mr.smith,mrs.smith
Then I can conclude g_group1 has members mr.smith and mrs.smith.

However on another type of server (2008r2), getent group does not
list members as the fourth field in the output. Also getent passwd lists
only the Domain Users group GID.

I do want to know what the difference between those AD servers can be. Is
this about the organizational hierarchy of AD?

Can you propose any other way to find the members of a specific group?

Samba is samba3-3.5.1-43.el5, the OS is CentOS 5.

Best Regards,


--
Oguz YILMAZ
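The question raised in this post, in the "getent group" comparison above it and in the first message on this page (how to get the members of one AD group without walking getent output or enabling "winbind enum users/groups") can be approached by asking winbind for a single group. The script below is an added example, not from the thread or from the Samba project. It assumes Samba 3.x wbinfo on PATH with winbindd running, and that "wbinfo --group-info=NAME" prints one group-file style line "name:*:gid:member1,member2"; the two SAMPLE_* lines are constructed test data in the format shown in the thread, not real domain output, so the parsing helpers can be checked without a domain join.

```shell
#!/bin/sh
# Added example: members of one AD group via winbind, without enumeration.
# Assumption: "wbinfo --group-info=NAME" prints  name:*:gid:m1,m2,...
# (the format quoted in the thread); the helpers below parse that line.

# Print the comma-separated fourth field one member per line.
# An empty fourth field (the 3.5.1 behaviour reported above) prints nothing.
members_from_group_info() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Numeric GID is the third field.
gid_from_group_info() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only if the line actually carries member names.
group_info_has_members() {
    [ -n "$(members_from_group_info "$1")" ]
}

# Live lookup for one group: one winbind request, no enum options needed.
# Return 1 if wbinfo fails, 2 if winbind answered with an empty member list
# (the case the thread describes), so a caller can distinguish the two.
ad_group_members() {
    group="$1"
    line=$(wbinfo --group-info="$group") || {
        echo "winbind lookup failed for group '$group'" >&2
        return 1
    }
    if group_info_has_members "$line"; then
        members_from_group_info "$line"
    else
        echo "no member list returned for '$group' (gid $(gid_from_group_info "$line"))" >&2
        return 2
    fi
}

# Reverse check for one user: "wbinfo -r USER" prints the GIDs of the
# user's groups one per line, also without enumeration.
user_has_gid() {
    wbinfo -r "$1" | grep -qx "$2"
}

# Constructed sample lines (not real domain data) for an offline dry run.
SAMPLE_WITH_MEMBERS='g_group1:*:10263:mr.smith,mrs.smith'
SAMPLE_EMPTY='g_group1:*:10263:'

# Dry run: parse the constructed sample instead of calling wbinfo.
members_from_group_info "$SAMPLE_WITH_MEMBERS"
```

With "winbind use default domain = yes" and "winbind separator = /" (as in the smb.conf posted on this page) the member names come back unqualified; without those settings each member is prefixed "DOMAIN/" and the caller should strip or keep the prefix consistently before comparing with squid or dansguardian filter lists. The exit code 2 path is worth logging rather than treating as "group has no members": on the 3.5.1 build quoted above an empty fourth field was returned for a group that does have members.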


Re: [Samba] RHEL 5 compilation of Samba 3.5.2, termcap library problem, use '--no-as-needed'

2010-04-11 Thread Oguz Yilmaz
http://www.sernet.de/de/samba/

On Sun, Apr 11, 2010 at 3:40 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
 On Sat, Apr 10, 2010 at 4:02 PM, Oguz Yilmaz oguzyilmazl...@gmail.com wrote:
 Check for precompiled rpms if it is appropriate for you.

 RPMs for CentOS 5, tested on CentOS 5.4:

 http://enterprisesamba.com/index.php?id=65
 http://ftp.sernet.de/pub/samba/
 http://ftp.sernet.de/pub/samba/3.5/centos/5/i386/

 If you need SRPMS check new RHEL 5.5 SRPMS.

 ftp://ftp.redhat.com/redhat/linux/enterprise/5Server/en/os/SRPMS/

 Thank you for the pointer: the official RedHat and CentOS RPMs don't
 go past 3.3.8. The ftp.sernet.de repository has version 3.5.x, but I
 do not see SRPMs there, nor do I see the stated SRPM from their 'rpm
 -qi' information listed anywhere in Google, so I don't see access to
 the relevant SRPM to review it or compare it to my own work. It's
 unusual to publish an RPM repository without the SRPMs in a related
 location: who runs that site? Where is it a mirror from?

 Whose is that site? Do they have the SRPMs somewhere else?



Re: [Samba] RHEL 5 compilation of Samba 3.5.2, termcap library problem, use '--no-as-needed'

2010-04-10 Thread Oguz Yilmaz
Check for precompiled rpms if it is appropriate for you.

RPMs for CentOS 5, tested on CentOS 5.4:

http://enterprisesamba.com/index.php?id=65
http://ftp.sernet.de/pub/samba/
http://ftp.sernet.de/pub/samba/3.5/centos/5/i386/

If you need SRPMS check new RHEL 5.5 SRPMS.

ftp://ftp.redhat.com/redhat/linux/enterprise/5Server/en/os/SRPMS/


On Sat, Apr 10, 2010 at 2:43 AM, Nico Kadel-Garcia nka...@gmail.com wrote:
 There have been various reports of the difficulties compiling Samba
 3.5.x on RHEL 5 and other older operating systems, due to the failure
 to correctly load the 'termcap' libraries. The issue is described in
 various sources as involving the automatically included GCC option:
 '--as-needed' fails to detect the dependencies and add the termcap
 library.

 There are two graceful fixes for this: one is to add a
 '--with-termcap' test to configure.in. The other is to edit
 configure.in to change the '--as-needed' flag to '--no-as-needed', at
 least on platforms that have this issue. I've written a quick and
 dirty .spec file for RHEL 5, which I'm happy to post. It's built from
 the Fedora 12 SRPM and .spec file, and also rearranges the
 'BuildRequires' to work for RHEL 5 if the RPM settings match that
 release.

 Does anyone want it for testing, or is in a better position than me to
 host RHEL compatible updates for Samba and could use this? CentOS
 isn't prepared, I think, to jump *that* far ahead of RHEL with this.