[Samba] Can someone verify my checklist?
Hi guys,

Here's what I'm doing:
Upgrading from Samba 2.2.8a to Samba 3.0.2a
Simultaneously migrating to a new server.

My checklist: (*) = done, (-) = remaining

* Download and install Samba 3.0.2a on the new server
* Clone (by hand) hostname, slapd, nsswitch
* Hand edit new smb.conf to match the old config.
* Export ldif file from old LDAP db
* Dump old Domain SID using smbpasswd -X
* Convert ldif using ConvertSambaAccount --sid
* Start new LDAP server and import new ldif file.
- Stop old server and copy all home directories to new server.
- Start new Samba Server and test..

I am hoping that, by cloning the SID and keeping the same server name, my 65 Windows clients will not know the difference and everything will be transparent. I definitely want to avoid new profile creation, you know?

Can anyone confirm that I have not forgotten anything?

Thanks in advance..

--
Scott Phelps
Regional IT Manager
Ridgway's, LTD.
5001 Cleveland Street
Virginia Beach, VA 23462
757-490-2305
---
Linux: $ su - root -- Windows: (reboot)
--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: Re[2]: [Samba] Samba problem
-Original Message-
From: [EMAIL PROTECTED] [mailto:samba- [EMAIL PROTECTED] On Behalf Of Андрей Едунов
Sent: Tuesday, August 19, 2003 3:55 AM
To: [EMAIL PROTECTED]
Subject: Re[2]: [Samba] Samba problem

I know this is stating the obvious, but it appears that the server is unreachable. A few questions:
- Can you ping Samba Server and 'password server'?
- Are you using hostname or IP as 'password server='
We need more info to help you.. ;-)
-- Scott --

Thanks for the reply, Scott! Sure, I can ping both of these servers (but they are in different subnetworks). I'm using hostname as 'password server=', but after your advice I replaced this string with the IP; the same problem. And one more thing: in the Event Log of the 'password server' I got the following message:

Can't determinate username or hostname. Returned code 1326.

Any ideas?

You'll have to crank up debugging to like 3 or 4 and watch the output. Also if it works for a while and then stops then you may have other issues. You'll have to isolate it via normal IT detective work. :) Then you can submit an effective bug report if necessary.
-- Scott --
[Samba] XP Local Group add problem - Object Picker Incomplete
Hey troops!

Well, it seems that I'm the one that needs some help this time. Here's the situation.

I've got a suXP Pro box with SP1 on it that, whenever I try to add any 'domain_user' to any 'local_group', gives me the following error message:

Information returned from the object picker for object username was incomplete. The object will not be processed.

A couple notes:

1. This is not a problem on Windoze 2K or NT
2. I have fixed the three relevant Registry keys:
(HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Services\Netlogon\Parameters\requiresignorseal = 0)
(HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Services\Netlogon\Parameters\requirestrongkey = 0)
3. I changed the following Group policy to 'enabled':
Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders
4. The XP box is a domain member with a machine$ account. It has Domain Admins in the Local Admins Group, as well as Domain Users in the Local Users Group. If I add the user to the 'domain admin group' on Samba she does inherit Local Admin rights. So everything is working fine **except** the ability to add a user specifically from the Domain to the Local Group!
4. I have Googled for days, and nobody has come up with an answer in previous postings.

FYI: An example search
http://www.mail-archive.com/cgi-bin/htsearch?method=andformat=shortconfig=samba_lists_samba_orgrestrict=exclude=words=object+picker+

Thanks!
-- Scott --
RE: [Samba] Samba problem
-Original Message-
From: [EMAIL PROTECTED] [mailto:samba- [EMAIL PROTECTED] On Behalf Of Андрей Едунов
Sent: Monday, August 18, 2003 11:32 AM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba problem

Hi list!

I have some problem with my Samba samba-2.2.5-178. I'm using the following config:

security = SERVER
password server = some_server.com

All work fine some time (about 30 minutes). After that I receive the message in Samba log:

[2003/08/18 14:11:27, 0] lib/util_sock.c:write_socket_data(499)
  write_socket_data: write failure. Error = Connection reset by peer

After this message when I try to map some shared resource using net use command on Windows box, I receive the next message:

[2003/08/18 14:21:28, 1] smbd/password.c:server_validate(1099)
  password server is not connected
[2003/08/18 14:21:28, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user 'and' in passdb.

What does it mean? And how can I close this problem?

I know this is stating the obvious, but it appears that the server is unreachable. A few questions:
- Can you ping Samba Server and 'password server'?
- Are you using hostname or IP as 'password server='
We need more info to help you.. ;-)
-- Scott --
RE: [Samba] Adding Windows servers to a Samba PDC network
-Original Message-
From: [EMAIL PROTECTED] [mailto:samba- [EMAIL PROTECTED] On Behalf Of Jason Williams
Sent: Monday, August 18, 2003 4:27 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Adding Windows servers to a Samba PDC network

Hi everyone. Just wanted to ask a question here. We are running RH 7.3 as our samba PDC. Everything is working great and I'm really enjoying the setup. However, we need to add two Windows 2000 Adv. Servers to our Domain because of software that we run on this. I probably already know the answer, but I figured I would ask this anyway. The default account on the Windows servers is administrator. I've added an account to our Samba PDC called administrator. If I'm correct, all I should have to do is log into the Windows box, and join the computer to my domain using the 'root' account, correct?

Correct. You will then have access to the Domain Administrator object of your Samba Domain. Watch out for XP Pro though! (see the last post this morning by me!)

Only reason I'm asking this is because I'm trying to figure out how to use the default Windows 'administrator' account correctly on our network. For instance, I'm not sure if anyone is familiar with the 'Run As' feature in Windows 2000, but that is something I would like to be able to use when I join my Windows 2000 client machines to the domain, and the 'Run As' feature relies on the Windows 'administrator' account. I appreciate everyone.

Correct me if I am wrong, but I don't believe you can run an executable as a Domain Administrator, you can only run it as the Local Admin.
-- Scott --
[Samba] DID IT! - Samba 2.2.8a+LDAP+PDC
I am so stoked I just had to share this with y'all.

I just SEAMLESSLY migrated all of my machines and users over to my new Gentoo Linux Server. I even kept the same: domain name and old PDC NetBios name. The trickiest part was getting all of the users to keep their same profile, but I managed that by cloning the RID and Lanman/NT hashes for the user accounts.

Free at last!

# include much_backpatting.h

-- Scott --
[Samba] SWAT Issue
AUTH is uttering the following error when I try to log into SWAT as root

[from log file]
PAM_smbpass[639]: Failed to find entry for user root.

I never recalled swat wanting a root account in secrets.tdb to do this

PS /etc/xinetd.d/swat is configured properly (i.e. turned on for user root)

Thanks!
-- Scott --
[Samba] Need help taking over my Windoze Domain
Hi again,

My goal here is to 'fdisk' my Windoze PDC, and I think I just need a little more help.

OK, I've successfully set up Samba 2.2.8a and OpenLDAP 2.0.27. I was able to join an XP, NT, and 2000 box to a new test domain, and log into it. Now I want to shut down my Windows PDC, change my NetBios and workgroup name on my Samba server, and have it take over without anybody knowing it. I tried this last night, but it didn't work as planned. I know I need to run 'smbpasswd -S' to get the Domain SID from the WinPDC. But what else do I need to do... (see Question 3)

Question 1) Are the smbldap-tools (smbldap-migrate-accounts.pl) capable of importing machine$ SIDs properly? Also, why do I have to run smbpasswd username even though I have an entry in objectClass=SambaAccount? Is it a correct conclusion that secrets.tdb is needed although you are using LDAP? I can't fit those pieces together in my brain.. For some reason I have not had good results from these tools. I always have to create users/machines manually from a self-created LDIF file for Samba to play nice with LDAP.

Question 2) Is Samba 3 stable enough to run in a critical production environment? In reading the posts here it seems that it is more suited to run as a PDC w/LDAP, with a lot more features. What are the real-world advantages/problems you have discovered by upgrading? Opinions welcome!

Question 3) What is the proper way to take over a Windows Domain with Samba?

Again, thanks for the input and help!
-- Scott Phelps --
Re: [Samba] Samba-2.2.8a /LDAP can't join domain
On Sat, 2003-07-12 at 01:43, Chee Wai Yeung wrote:

Hi, have you checked your smb logs? Is the smbd talking to your ldap server as a start? Also try to check your ldap logs to see if any searches were made to your ldap server when the join took place. smbd should be searching for something in the line of ((uid=MYMACHINE$)(objectclass=sambaAccount))
Hope this can help your troubleshooting. (PS: your LDIF entries looked ok)
Chee Wai

Hora! I got it working! Although with one bug which I will list at the bottom of this email. I am posting how I fixed this for everyone in the future who runs into this problem.

First I recompiled OpenLDAP with the --include-debug option (It won't log jack unless you do!) and set up slapd.conf to loglevel = -1. It's also a good idea to configure syslog to dump this to its own file because it uses /var/log/messages by default.

Second I started Samba and Slapd up and tried to join my new domain from a Windows XP laptop. Here's the (pertinent) output from my slapd.log; sorry it's so long. I'll continue at the bottom..
Jul 12 16:43:29 localhost slapd[11546]: cache_find_entry_id( 8 ) uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net (found) (1 tries)
Jul 12 16:43:29 localhost slapd[11546]: = id2entry_r( 8 ) 0x80e96f8 (cache)
Jul 12 16:43:29 localhost slapd[11546]: = test_filter
Jul 12 16:43:29 localhost slapd[11546]: AND
Jul 12 16:43:29 localhost slapd[11546]: = test_filter_and
Jul 12 16:43:29 localhost slapd[11546]: = test_filter
Jul 12 16:43:29 localhost slapd[11546]: EQUALITY
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: search access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net uid requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: = test_filter
Jul 12 16:43:29 localhost slapd[11546]: EQUALITY
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: search access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net objectClass requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: = test_filter_and 6
Jul 12 16:43:29 localhost slapd[11546]: = test_filter 6
Jul 12 16:43:29 localhost slapd[11546]: = send_search_entry: uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net entry requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net uid requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net uid requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net pwdLastSet requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net pwdLastSet requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net logonTime requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net logonTime requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net logoffTime requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net logoffTime requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net kickoffTime requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: = access_allowed: read access to uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net cn requested
Jul 12 16:43:29 localhost slapd[11546]: = root access granted
Jul 12 16:43:29 localhost slapd[11546]: conn=10 op=1 ENTRY dn=uid=MY_COMPUTER$,ou=Machine,dc=MY_DOMAIN,dc=net
Jul 12 16:43:29 localhost slapd[11546]: = send_search_entry
Jul 12 16:43:29 localhost slapd[11546]: cache_return_entry_r( 8 ): returned (0)
Jul 12 16:43:29 localhost slapd[11500]: daemon: select: listen=6
RE: [Samba] Samba-2.2.8a /LDAP can't join domain
On Sun, 2003-07-13 at 19:42, [EMAIL PROTECTED] wrote:

Hi Scott,

I've had the same message and wasn't getting any further with it for some time, until someone pointed me to my resolution of groups and id's which is done through nss. Check your nsswitch.conf and libnss-ldap.conf or your /etc/ldap/ldap.conf (depends on your distro, I use debian). With both of us it was that ldap didn't look in the group tree from the ldap directory. You can fix this here (this is mine):

nss_base_passwd dc=blah,dc=com?sub
nss_base_shadow ou=Users,dc=blah,dc=com?one
nss_base_group ou=Groups,dc=blah,dc=com?one

Hope to be of help and good luck (when it works, it works like a charm)
Regards, Bas

AND...

On Sun, 2003-07-13 at 18:08, _Chris McKeever_ wrote:

make sure your ldap.conf is set like this, or it won't go searching the tree:

nss_base_passwd dc=domin,dc=com?sub

Thanks guys! You both are right. I really appreciate the help! BTW, I am so stoked to have this working. It is going to feel so righteous to 'format C:' my hard drive on my Windoze PDC next weekend! Samba/OpenLDAP/GQ rock!

Regards,
Scott
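The fix in the two replies above is a matter of LDAP search base and scope: a passwd base limited to one container with ?one cannot see the machine account under ou=Machine, while the domain root with ?sub can. The Python below is an added example, not code from the thread or from nss_ldap, that reproduces that matching; the narrow ou=People setting, the default scope, and all function names are assumptions made for illustration.

```python
"""Which nss_base_* search bases can see a given LDAP entry? (stdlib only)"""

# Constructed ldap.conf fragments. NARROW is an assumed "before" state (the
# thread never shows the failing file); WIDE uses the form the replies advise.
NARROW = """\
nss_base_passwd ou=People,dc=virginiabeach,dc=net?one
nss_base_group  ou=Groups,dc=virginiabeach,dc=net?one
"""
WIDE = """\
nss_base_passwd dc=virginiabeach,dc=net?sub
nss_base_group  ou=Groups,dc=virginiabeach,dc=net?one
"""

# DNs copied from the LDIF posted in the thread.
ROOT_DN = "uid=root,ou=People,dc=virginiabeach,dc=net"
MACHINE_DN = "uid=MYMACHINE$,ou=Machine,dc=virginiabeach,dc=net"


def split_dn(dn):
    """Split a DN into lower-cased RDNs (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def parse_nss_bases(conf_text):
    """Return {map_name: (base_rdns, scope)} for each nss_base_<map> line."""
    bases = {}
    for raw in conf_text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) != 2 or not fields[0].startswith("nss_base_"):
            continue
        base, _, rest = fields[1].strip().partition("?")
        # Value format is base?scope?filter; a missing scope is treated as
        # "sub" here, which is an assumption of this sketch.
        scope = rest.split("?", 1)[0].strip().lower() or "sub"
        bases[fields[0][len("nss_base_"):]] = (split_dn(base), scope)
    return bases


def in_scope(dn, base_rdns, scope):
    """LDAP scope test: base = entry itself, one = direct child, sub = subtree."""
    rdns = split_dn(dn)
    depth = len(rdns) - len(base_rdns)
    if depth < 0 or rdns[depth:] != base_rdns:
        return False                      # dn is not under this base at all
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)


def visible(conf_text, nss_map, dn):
    """True if the nss_base_<nss_map> line covers dn. A map with no line is
    reported as not visible; the global base fallback is not modelled."""
    bases = parse_nss_bases(conf_text)
    return nss_map in bases and in_scope(dn, *bases[nss_map])


if __name__ == "__main__":
    for label, conf in (("narrow", NARROW), ("wide", WIDE)):
        for dn in (ROOT_DN, MACHINE_DN):
            print(f"{label:6} passwd lookup sees {dn}: {visible(conf, 'passwd', dn)}")
```

Run against a real ldap.conf, the same check shows at a glance which account containers each NSS map can resolve before a domain join is attempted.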
[Samba] Samba-2.2.8a LDAP - Can't join Domain - SID mapping error
Hi everyone,

I am at my wits' end and am hoping one of you can help me out. I am getting the following error when attempting to join a Windows XP/2000 machine to the domain:

The following error occurred attempting to join the domain MY_DOMAIN
No mapping between account names and security IDs was done.

Running
Gentoo Linux
Samba 2.2.8a
OpenLDAP 2.0.27

I performed the following registry hacks:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters]
requirestrongkey=dword:
requiresignorseal=dword:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters]
requirestrongkey=dword:
requiresignorseal=dword:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
requirestrongkey=dword:
requiresignorseal=dword:

I am attempting to join the domain as root. root was added via smbpasswd -a root

domain admin group = root

was placed in my smb.conf

I set up a fake root user this way in LDAP:

dn: uid=root,ou=People,dc=virginiabeach,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaAccount
uidNumber: 0
gidNumber: 0
homeDirectory: /home/root
loginShell: /bin/bash
gecos: root
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword: {SSHA}GN3hrCs7c8Kgd93df23838hHH
uid: root
pwdLastSet: 1057974221
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 2147483647
pwdMustChange: 2147483647
displayName: root
cn: root
smbHome: \\MY_PDC\homes
homeDrive: Z:
scriptPath: logon.cmd
profilePath: \\MT-PDC\profiles\root
rid: 1000
primaryGroupID: 1001
lmPassword: 639C041927C79D99AAEJKHRJFHKRJKL
ntPassword: 6E1766AB79DDFHGJDHFJJHBJFHBJRHR
acctFlags: [UX ]

The machine name is also in LDAP like this:

dn: uid=MYMACHINE$,ou=Machine,dc=virginiabeach,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaAccount
uid: MYMACHINE$
uidNumber: 11014
gidNumber: 11014
homeDirectory: /dev/null
loginShell: /bin/false
gecos: rid96itlaptop windows machine,,,
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 2147483647
pwdMustChange: 2147483647
displayName: MYMACHINE$
acctFlags: [W]
rid: 23028
primaryGroupID: 23029
homeDrive: U:
smbHome:
profilePath:
scriptPath: logon.cmd
lmPassword: xxx
ntPassword: xxx
cn: MYMACHINE$

Everything else works, and I am able to log into Linux and a Samba share using a test user authenticating strictly via LDAP.

Any help is greatly appreciated. Otherwise I will have no hair left!

Thanks,
-- Scott Phelps --
[Samba] Samba-2.2.8a /LDAP can't join domain
-Original Message-
From: Scott Phelps [mailto:[EMAIL PROTECTED]
Sent: Friday, July 11, 2003 9:19 PM
To: '[EMAIL PROTECTED]'
Subject: Samba-2.2.8a LDAP - Can't join Domain - SID mapping error