[Samba] Password policy doesn't work (pdbedit)
Hello, I'm using samba 3.0.24 and Debian 4.0. As a password backend I use smbpasswd. I set password policy: Length - 8 signs, Password history - 3, password complexity - script, maximum password age - 30 days The password length and complexity works, but password history and maximum password age doesn't. I tried do the same on test machine (samba 3.2.5) and it works fine (users and settings I took from my working Samba 3.0.24) . What can I do about that? What should I check? Any ideas? Pdbedit shows correct settings but the password must change time is 19 jan 2038 04:14:07 CET Thanks and regards Radek Bojek -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] [samba] Password complexity checks
Hello, I want to use crackcheck to check password complexity, but users (when password change failed because of complexity check fail) gets only information about valid password length, password history. I think that may be a problem for users. How can I (or Can I?) give them information about expected complexity. I'm almost sure that with NT PDC they would get information about expected complexity. Crackcheck exits with error -4, and writes information to stderr, maybe can I use that and send it somehow to the client or force Windows XP to display standard message about password complexity like with NT PDC? Regards and many thanks. Radek -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] [samba] Password complexity checks
Hello, I want to use crackcheck to check password complexity, but users (when password change failed because of complexity check fail) gets only information about valid password length, password history. I think that may be a problem for users. How can I (or Can I?) give them information about expected complexity. I'm almost sure that with NT PDC they would get information about expected complexity. Crackcheck exits with error -4, and writes information to stderr, maybe can I use that and send it somehow to the client or force Windows XP to display standard message about password complexity like with NT PDC? Regards and many thanks. Radek -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Information about password complexity for users
Hello, I want to use crackcheck to check password complexity, but users (when password change failed) gets only information about valid password length, password history. I think that may be a problem for users. How can I (or Can I?) give them information about expected complexity. Crackcheck exits with error -4, and writes information to stderr, maybe can I use that and send it somehow to the client or force Windows XP to display standard message about password complexity? Regards and many thanks. Radek -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] pdbedit - password age
Hello, I try to force users to change password once a given period using his command: #pdbedit -P maximum password age -C 300 It works only for new users (users created after first first launch of this command), old users are not affected, passwords doesn't expire. How to do his for old users? I would be pleased for your help. Regards. Radek -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Transparent Samba 2.2 - 3.0.X migration
Hello, I wan't to migrate accounts, roaming profiles and other shares from Samba 2.2 (Slackware) to Samba 3.0.23 (Debian). It should be transparent for clients. I migrated linux user accounts, smbpasswd file, smb.conf and domain SID. I can join new client to the new domain and it works, but when I'm trying to substitute old server with new one (only for test clients of course, without making any changes in WinXP configuration), I can connect only once, Windows XP client says after login that he can't find domain controler, and after logout I can't login anymore. Names of domain, controlers and SIDs are the same, but some how Windows after first login knows that this is not the domain it should be. How to cheat Windows XP? Or What I forgot to do? There is one more issue which (I thing) come out of the same problem: Windows Theme, Last programs (in start menu) not working in the new domain (I have copied profiles to new domain and add computer). Does anyone know how to do it? In logs I found message like this: [2008/02/05 09:19:04, 0] libsmb/credentials.c:creds_server_check(159) creds_server_check: credentials check failed. [2008/02/05 09:19:04, 0] rpc_server/srv_netlog_nt.c:_net_sam_logon(667) _net_sam_logon: creds_server_step failed. Rejecting auth request from client COMPUTER machine account COMPUTER$ Many Thanks, Radek -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Problem with often password prompt box (security=user)
Hi, a while ago i had to migrate from old server on Debian Sarge to new one on Debian Etch (amd64). Since then, with the same config i had earlier it became a common problem that client workstations connecting to the server have to reauthenticate very often (at least few times a day), and the staff is going to kill me if i dont fix this soon. Any ideas what could be the cause/solution ? -- Goblin -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: samba Digest, Vol 26, Issue 43 (Odpov v neptomnosti )
Dobry den, V termnu od 28.2.2005 do 2.3.2005 bohuel nemohu na V e-mail reagovat z dvodu neptomnosti. Je-li V e-mail dleit a je z na strany oekvna okamit reakce, kontaktujte prosm pana Lutonskho na adrese [EMAIL PROTECTED], kter mne po dobu m neptomnosti zastupuje Dekuji za pochopeni a peji pkn den. I will be out of the office starting 28.2.2005 and will not return until 2.3.2005. I have no access to my mail system, so I'll respond to your message when I return. In urgent cases please contact my colleague [EMAIL PROTECTED] Best regards -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: samba Digest, Vol 22, Issue 36 (Odpov v neptomnosti )
Dobry den, V termnu od 25.10.2004 do 20.11.2004 bohuel nemohu na V e-mail reagovat z dvodu neptomnosti. Je-li V e-mail dleit a je z na strany oekvna okamit reakce, kontaktujte prosm pana Lutonskho na adrese [EMAIL PROTECTED], kter mne po dobu m neptomnosti zastupuje Dekuji za pochopeni a peji pkn den. I will be out of the office starting 25.10.2004 and will not return until 20.11.2004. I have no access to my mail system, so I'll respond to your message when I return. In urgent cases please contact my colleague [EMAIL PROTECTED] Best regards -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Forcing RIDs to desired value
Michael Gasch wrote: what about the algorithmic rid base (G) parameter? I gave it a try. But even with this disabled, the pdbedit still complains about mismatched RIDs. I used tdbdump to get a view what is inside the tbdsam database. To my surprise, the mappings from RID to usernames are there (key = RID_), but contains still 2*UID+1000 values, regardless of the last number of user's SID! Probably the cause of the complains. Is the format of this tdb database somewhere documented, so I could manually correct it? For example, I *REALLY* want to have the possibility to change the DOMAIN the user is marked in. (pdbedit -Lv | grep Domain) Best regards Radek Svoboda Neovision s.r.o., Prague [EMAIL PROTECTED] http://www.neovision.cz -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Announcing to ourselves ???
I found this i our log.nmbd, occurs each hour: [2004/09/10 16:03:36, 2] nmbd/nmbd_browsesync.c:announce_local_master_browser_to _domain_master_browser(109) announce_local_master_browser_to_domain_master_browser: We are both a domain and a local master browser for workgroup NEOVISION. Do not announce to ourselves. [2004/09/10 16:03:36, 2] nmbd/nmbd_browsesync.c:sync_with_dmb(151) sync_with_dmb: Initiating sync with domain master browser SERVER20 at IP 192.168.0.1 for workgroup NEOVISION One cause for this I can imagine is that we joined by SERVER machine our own domain controlled by the same machine. Do you know how to *left* joined domain, e.g. by using net command? Radek Svoboda Neovision s.r.o., Prague [EMAIL PROTECTED] http://www.neovision.cz -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Forcing RIDs to desired value
Radek Svoboda wrote: Why don't you use your old samba-databases from /var/lib/samba ? matze Actually I did. But this copies only SID of the server (stored in secrets.tdb), not the RIDs. It seems that samba calculates them by the fixed algorithm as 2*UID+1000. And because I must have different UIDs on the new system, the profile mapping in Windows does not work. I found the possibility to force RID using -U option (with full SID and RID) of pdbedit program. Unfortunately, samba really *DISLIKES* the RIDs being different from the algorithmic ones: # smbpasswd someuser New SMB password: Retype new SMB password: Unable to modify TDB passwd ! Error: Record does not exist occured while storing the RID index (RID_07da) Failed to modify entry for user someuser. Failed to modify password entry for user someuser Luckily, even with such complaints, the password has been changed succesfully. Is this normal? No-one is moving samba to different UIDs server and having similar problems Radek Svoboda Neovision s.r.o., Prague [EMAIL PROTECTED] http://www.neovision.cz -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Modifying Domain field of pdbedit dump
I have Debian server with NetBios name SERVER and domain NEOVISION. The created user accounts in the tdbsam backed shows (when listed by pdbedit -Lv) that the domain is SERVER, not NEOVISION. Newly added users however, has domain specified correctly as NEOVISION. I have a suspection that it is because the installation script which created the accounts based on old smbpasswd file was using unfinished smb.conf file (the SERVER was not yet set as PDC). 1) How to change the listed domain of the existing user/machine? 2) What is the role of the Domain field in pdbedit dump? Thanks for help Radek Svoboda Neovision s.r.o., Prague [EMAIL PROTECTED] http://www.neovision.cz -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Forcing RIDs to desired value
I found that after moving my samba server to different hardware (and diferent Linux installation), domain logons cannot find their Windows profiles and created new ones. This is caused by the different RID of the users. It seems these are calculated as 2*UID + 1000. And my UID's on new server do not match those on the old one. How to force SAMBA to provide different RIDs for the users? I do not want to run LDAP for our 20 stations and 20 users here. Thanks for help Radek Svoboda Neovision s.r.o., Prague [EMAIL PROTECTED] http://www.neovision.cz -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Forcing RIDs to desired value
On Fri, 3 Sep 2004, Matthias Spork wrote: Radek Svoboda schrieb: I found that after moving my samba server to different hardware (and diferent Linux installation), domain logons cannot find their Windows profiles and created new ones. This is caused by the different RID of the users. It seems these are calculated as 2*UID + 1000. And my UID's on new server do not match those on the old one. How to force SAMBA to provide different RIDs for the users? I do not want to run LDAP for our 20 stations and 20 users here. Why don't you use your old samba-databases from /var/lib/samba ? matze Actually I did. But this copies only SID of the server (stored in secrets.tdb), not the RIDs. It seems that samba calculates them by the fixed algorithm as 2*UID+1000. And because I must have different UIDs on the new system, the profile mapping in Windows does not work. Best regards Radek Svoboda [EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba