RE: [Samba] BUG IN SAMBA 3.0.4 ?
add to each share

    writeable = yes

or

    read only = no

This helps!

Rauno

-Original Message-
From: Leandro

I used the samba-3.0.1pre1 without problems. When I use the samba-3.0.4 (bug ms04-011 fixed), I can't write in all shares. Is this a bug?! I use the same smb.conf

    #Share Definitions
    [homes]
       comment = Home Directories
       browseable = no
       writable = no
       write list = %S @administradores
       valid users = %S @administradores
       invalid users =
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = %S
       force group = administradores

    [netlogon]
       comment = Network Logon Service
       path = /usr/local/samba/netlogon
       read only = yes
       public = no
       valid users = %S @usuarios @administradores
       writable = no
       write list = llattan
       locking = no

    [fprotdefs]
       comment = Definiciones de Virus
       path = /usr/local/f-prot/fprotdefs
       public = no
       valid users = %S @usuarios @administradores
       writable = no
       write list = llattan
       locking = no

    [total_usuarios]
       comment = Directorio para Administrador
       path = /home
       browseable = no
       read only = yes
       public = no
       valid users = @administradores
       writable = no
       write list =

    [total_grupos]
       comment = Directorio para Administrador
       path = /home2
       browseable = no
       read only = yes
       public = no
       valid users = @administradores
       writable = no
       write list =

    # Provide a specific roving profile share
    # the default is to use the user's home directory
    # The permissions on the profiles directory should be
    # chmod 1757 /usr/local/samba/profiles
    # drwxr-xrwt 5 root root 4096 May 1 08:43 profiles
    #[profiles]
    #   path = /usr/local/samba/profiles
    #   read only = no
    #   create mask = 0600
    #   directory mask = 0700
    #   writable = yes
    #   ;browseable = no
    #   ;guest ok = yes

    ##[ingenieria]
    ##   path = /home/ingenieria
    ##   valid users = @administradores @ingenieria
    ##   public = no
    ##   writable = no
    ##   write list = @administradores @ingenieria
    ##   force create mode = 0770
    ##   force directory mode = 0770
    ##   directory mask = 0770
    ##   create mask = 0770
    ##   force group = ingenieria

    [sistemas]
       path = /home2/sistemas
       valid users = @administradores @sistemas
       browseable = no
       public = no
       writable = no
       write list = @administradores @sistemas
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force group = sistemas

    [compras]
       path = /home2/compras
       valid users = @administradores @compras
       browseable = no
       public = no
       writable = no
       write list = @administradores @compras
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force group = compras

    [administrac]
       path = /home2/administracion
       valid users = @administradores @administracion
       browseable = no
       public = no
       writable = no
       write list = @administradores @administracion
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force group = administracion

    [vencimientos]
       path = /home2/vencimientos
       valid users = @administradores @vencimientos
       browseable = no
       public = no
       writable = no
       write list = @administradores @vencimientos
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force group = vencimientos

    [finanzas]
       path = /home2/finanzas
       valid users = @administradores @finanzas
       browseable = no
       public = no
       writable = no
       write list = @administradores @finanzas
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force group = finanzas

    [auditoria]
       path = /home2/auditoria
       valid users = @administradores @auditoria
       browseable = no
       public = no
       writable = no
       write list = @administradores @auditoria
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force group = auditoria

    [comercioext]
       path = /home2/comercioext
       valid users = @administradores @comercioext
       browseable = no
       public = no
       writable = no
       write list = @administradores @comercioext
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force group = comercioext

    [tipodecambio]
       path = /home2/tipodecambio
       valid users = @administradores @tipodecambio
       browseable = no
       public = no
       writable = no
       write list = @administradores rvalentini
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force group = tipodecambio

    [reloj]
       comment = Fichadas Reloj Empleados
       path = /home2/reloj
       valid users = @administradores @reloj
       public = no
       browsable = no
       writable = no
       ; the original had "writelist", which is not a valid parameter name
       write list = @administradores @reloj
       force create mode = 0770
       force directory mode = 0770
       directory mask = 0770
       create mask = 0770
       force user = administrador
       force
RE: [Samba] BUG: Vfs audit module samba 3.0.4 == share unaccessible
add to each share

    writeable = yes

or

    read only = no

This helps!

Rauno

-Original Message-
From: werner maes [mailto:[EMAIL PROTECTED]
Sent: 11. mai 2004. a. 16:19
To: [EMAIL PROTECTED]
Subject: [Samba] BUG: Vfs audit module samba 3.0.4 == share unaccessible

Hello

Maybe there's a bug in samba-3.0.4. The following configuration no longer works. It did work fine in samba-3.0.2a. I did not test samba-3.0.3. The share is no longer accessible !!!

    [BKHI-CC3]
       path = /home/BKHI-CC3
       valid users = @BKHI-CC3-R, @BKHI-CC3-W
       write list = @BKHI-CC3-W
       force group = +BKHI-CC3-W
       create mask = 0664
       directory mask = 02775
       vfs objects = audit

logfile:

    May 11 09:31:39 smbd[14267]: smbd_vfs_init: vfs_init_custom failed for audit
    May 11 09:31:39 smbd[14267]: vfs_init failed for service BKHI-CC3

If I uncomment vfs objects = audit, then I can access the share without any problems. Can someone take a look at this? It's probably in vfs.c

Thanks

Werner

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] adding machine accounts on-the-fly - 3.0.4 and LDAP
Hi,

I want to achieve that the IT staff can add machines (2000/XP) to samba-3 (LDAP backend) on the fly. Creating a new machine account in LDAP requires special access to samba (uid=0).

In samba-2.2.x there was a great parameter called domain admin group. So everyone who belonged to the specified group and root (uid=0) could modify LDAP. Others got the message - cannot access LDAP when not root. In samba-3 this parameter was removed (I don't get it, why?!?!).

Until 3.0.2a I could pass the LDAP access check by specifying in smb.conf global

    admin users = @domain_admins

So users who were in the domain_admins group had their uid forced to 0 and they passed the LDAP check. (wrote about it: http://lists.samba.org/archive/samba/2003-September/073997.html )

After upgrading to 3.0.4 that trick also doesn't work. So at the moment using the root account (uid=0) is the one and ONLY way to add machines to LDAP. All this LDAP access has nothing to do with groupmap.

I created an administrator account (uid=0) (basically fake root)

    # smbldap-usershow.pl administrator
    dn: uid=root,ou=Users,dc=company,dc=lan
    objectClass: posixAccount,shadowAccount,sambaSamAccount,inetOrgPerson
    sambaDomainName: DOMAIN
    uidNumber: 0
    gidNumber: 0
    sambaSID: S-1-5-21-1347305728-752463190-2852647101-500
    displayName: administrator
    cn: administrator
    uid: administrator
    sambaAcctFlags: [U ]
    sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-514

The specified user does not belong to any group and has got no access rights on the domain. RID -514 is domain guest.

On the XP box I log in as local admin. No machine account exists on the PDC. On joining the domain I enter administrator/password and samba successfully creates a new LDAP entry and returns an error to the client: Access denied. When entering the same administrator/password again (second time), XP successfully joins the domain. When the machine is in the domain and I log into that box as DOMAIN\administrator, I get no privileged access on that box.

Entire joining was done without any relevance to group mapping (domain admins groupmap is not needed for join in this case). In this case I've an administrator account, which hasn't got any admin rights.

Why can't there be a parameter with which I could specify additional access to LDAP? like in 2.2.x was... I discussed it earlier: http://lists.samba.org/archive/samba/2003-September/073608.html

| Because you now have something much more powerful that provides real NT Groups to your NT/200x/XP clients.

Well, where is the power, when I can't modify LDAP!?!?!

Giving each IT staff member the password of the administrator account is a very bad option. Basically the administrator account is meant to be an account of power. Restricting this isn't polite... but sharing the power with each member is also bad and could have very bad consequences.

What would be the solution?

Best regards,
Rauno Tuul
[Samba] share is read-only since 3.0.3 - access is denied
Hi,

I've a samba-3.0.2a running perfectly on redhat-8. Filesystem is EXT3 with ACL support. I can't upgrade the PDC to 3.0.3 or 3.0.4, because shares are only read-only. In 3.0.3 only the home share and temp share are writable. All other shares are in read-only mode. Users can see the files/directories, but can't save anything or create new items. When trying to create a new item - windows prompts Access is denied.

I don't get what is wrong. Do I have to change something in my setup to get shares to be writable? 3.0.0 and 3.0.2a run well.

Best regards,
Rauno

---
./configure --with-ldap --bindir=/bin --sbindir=/sbin --sysconfdir=/etc/samba --with-configdir=/etc/samba --with-logfilebase=/var/log/samba --with-smbmount --with-quotas --with-acl-support

smb.conf

    nt acl support = yes
    acl compatibility = Auto
    security = user
    restrict anonymous = no
    encrypt passwords = yes
    # Create modes
    directory mask = 0775
    force directory mode = 0775
    create mask = 0664
    force create mode = 0664
    encrypt passwords = yes
    deadtime = 0
    force group = users
    force user = %U

    [homes]
    browseable = no
    writable = yes

    [it]
    path = /arc/it
    valid users = @osak_it
    write list = @osak_it
    browseable = yes

    [temp]
    comment = Temporary file space
    path = /home/samba/tmp
    force user = nobody
    force group = nobody
    create mask = 0777
    directory mask = 0777
    public = yes
    writeable = yes
    browseable = yes

Folder:

    drwxrwxr-x 49 root users 4096 it

User account:

    # smbldap-usershow.pl rauno
    dn: uid=rauno,ou=Users,dc=ehk,dc=lan
    sambaSID: S-1-5-21-1347305728-752463190-2852647101-3000
    uidNumber: 1000
    gidNumber: 221
    sambaPrimaryGroupSID: S-1-5-21-1347305728-752463190-2852647101-1443

Group entries:

    users:x:221:
    osak_it:x:215:rauno

Group mappings:

    # net groupmap list
    Osakond_it (S-1-5-21-1347305728-752463190-2852647101-1431) - osak_it
    Users (S-1-5-21-1347305728-752463190-2852647101-1443) - users

smbd.log of trying to create a new folder (level 5):

    unix_convert called on file aee/New Folder size=168 smb_com=0x25 smb_rcls=0
    [2004/05/10 09:45:50, 5] smbd/filename.c:unix_convert(177) smb_reh=0
    unix_convert begin: name = aee/New Folder, dirpath = aee, start = New Folder smb_err=0 smb_flg=24 smb_flg2=51207 smb_tid=1 smb_pid=228
    [2004/05/10 09:45:50, 5] smbd/filename.c:unix_convert(312) smb_uid=101
    New file New Folder smb_mid=28736
    [2004/05/10 09:45:50, 3] smbd/vfs.c:reduce_name(864) smt_wct=16
    reduce_name [aee/New Folder] [/arc/it] smb_vwv[ 0]=0 (0x0) ...
    [2004/05/10 09:45:50, 3] smbd/process.c:switch_message(685)
    reduced to aee/New Folder
    switch message SMBtrans (pid 31406)
    [2004/05/10 09:45:50, 3] smbd/trans2.c:call_trans2qfilepathinfo(2353)
    [2004/05/10 09:45:50, 4] smbd/uid.c:change_to_user(186)
    call_trans2qfilepathinfo: SMB_VFS_STAT of aee/New Folder failed (No such file or directory)
    change_to_user: Skipping user change - already user
    [2004/05/10 09:45:50, 3] smbd/error.c:error_packet(94)
    [2004/05/10 09:45:50, 3] smbd/ipc.c:reply_trans(538)
    error string = No such file or directory
    trans \PIPE\ data=84 params=0 setup=2
    [2004/05/10 09:45:50, 3] smbd/error.c:error_packet(118)
    error packet at smbd/trans2.c(2219) cmd=50 (SMBtrans2) NT_STATUS_OBJECT_NAME_NOT_FOUND
    [2004/05/10 09:45:50, 5] smbd/ipc.c:reply_trans(557)
RE: [Samba] Re: share is read-only since 3.0.3 - access is denied
Well... It worked for me. Only thing I had to do was to add

    writeable = yes

for each share. IMHO there is a slight difference since 3.0.3, not 1.9 ;) It would be nice to mention it in the changelog too.

Rauno

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]

Jeff Umbach wrote:
| They changed the read only default to yes in
| versions 3.0.3 and 3.0.4.

Sorry Jeff. But 'read only = yes' has been the default for as long as I can remember (back to 1.9).
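The threads above come down to how Samba resolves write access per share: 'read only = yes' is the default, 'writable'/'writeable'/'write ok' are inverted synonyms of it with the last assignment winning, and 'write list' grants write access on top of a read-only share. The audit below is an added example, not code from the list or the Samba project; it parses a constructed smb.conf modelled on the configs posted above and reports, per share, whether it is effectively read-only and which principals can write, so shares that depend solely on 'write list' (the pattern that stopped working for the posters) stand out.

```python
# Added example: audit effective write access per share in an smb.conf (SAMPLE_CONF is constructed).
import re
from typing import Dict, List, Tuple

Section = List[Tuple[str, str]]          # ordered (key, value) pairs of one section
WRITE_SYNONYMS = {"writable", "writeable", "write ok"}  # inverted forms of 'read only'
GUEST_SYNONYMS = {"guest ok", "public"}

SAMPLE_CONF = """
[global]
   security = user

[homes]
   comment = Home Directories
   browseable = no
   writable = no
   write list = %S @administradores
   valid users = %S @administradores

[temp]
   path = /srv/tmp
   public = yes
   writeable = yes

[netlogon]
   path = /srv/netlogon
   read only = yes
   writable = no

[scratch]
   path = /srv/scratch
   read only = yes
   writeable = yes
"""

def parse_smb_conf(text: str) -> Dict[str, Section]:
    """{section: [(key, value), ...]} in file order; keys lowercased, whitespace collapsed."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank line
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections

def is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}

def last_value(params: Section, key: str) -> str:
    """Samba keeps the last assignment of a parameter within a section."""
    found = ""
    for k, v in params:
        if k == key:
            found = v
    return found

def effective_read_only(params: Section) -> bool:
    """Samba's default is 'read only = yes'; write synonyms invert it; last one set wins."""
    read_only = True
    for key, value in params:
        if key == "read only":
            read_only = is_true(value)
        elif key in WRITE_SYNONYMS:
            read_only = not is_true(value)
    return read_only

def audit_share(name: str, global_params: Section, params: Section) -> dict:
    merged = global_params + params           # share parameters override [global] defaults
    read_only = effective_read_only(merged)
    writers = [w for w in re.split(r"[\s,]+", last_value(merged, "write list")) if w]
    guest = False
    for k, v in merged:
        if k in GUEST_SYNONYMS:
            guest = is_true(v)
    if not read_only:
        finding = "guest-writable" if guest else "writable-all-valid-users"
    elif writers:
        finding = "write-list-only"           # write access exists only via 'write list'
    else:
        finding = "read-only"
    return {"share": name, "read_only": read_only, "write_list": writers, "finding": finding}

def audit_config(text: str) -> List[dict]:
    sections = parse_smb_conf(text)
    global_params = sections.get("global", [])
    return [audit_share(n, global_params, p) for n, p in sections.items() if n != "global"]

if __name__ == "__main__":
    for r in audit_config(SAMPLE_CONF):
        print(f"{r['share']:<9} read_only={r['read_only']!s:<6} {r['finding']}  write list={r['write_list']}")
```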
[Samba] homes-share broken in 3.0.2! any fix or workaround available?
hi,

I also ran into the home share problem, as discussed earlier in this list (http://lists.samba.org/archive/samba/2004-February/080593.html). But so far I haven't seen any solution.

In the samba 3.0.2 changelog is a line:

    BUG 977: Don't create a homes share for a user if a static share already exists by the same name.

I don't know what was changed, but it affected the behaviour of the home share.

My smb.conf important lines:

    logon home =
    logon drive = h:
    logon path =

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes

In the LDAP base every user has these lines:

    sambaHomePath: \\alfa\homes
    sambaHomeDrive: H:

Most interesting point is that users that belong to the Domain Admins group have the home share and it gets connected automatically. It works also on the terminal server. Other users have the home share, but it isn't mapped to the H: drive. If a user looks up his home dir from \\pdc, it is accessible. This happens on the user's workstation and on the terminal server too. But executing:

    net use H: /HOME /persistent:no

returns an error:

    System error 67 has occurred.
    The network name cannot be found.

What is going on? Why can't the ordinary users have the home share mapped automatically? Is there something I can fix or do I have to go back to 3.0.0? (3.0.1 was anyway broken).

Rauno
RE: [Samba] How's samba calculating sambaPwdMustChange?
Hi,

In the latest samba 3 there is a policy setting option:

    $ pdbedit -P "maximum password age" -C 7776000

When the user changes the password, then the new sambaPwdMustChange will be calculated based on the policy. My policy is 90 days. Works just fine. 2147483647 is just a value in the far future (year 2030 or something), meaning that the user doesn't have to change his password.

Another way is to set the value in smbldap-tools (latest version needed, included in the samba 3.0.1 package). smbldap_conf.pm:

    # Default password validation time (time in days) Comment the next line if
    # you don't want password to be enable for $_defaultMaxPasswordAge days (be
    # careful to the sambaPwdMustChange attribute's value)
    $_defaultMaxPasswordAge = 90;

When using 'smbldap-passwd.pl username' the password will be changed and the needed sambaPwdMustChange will be set.

Third way is to change the value manually in the LDAP base with ldapmodify.

Regards,
Rauno

-Original Message-
From: Beast [mailto:[EMAIL PROTECTED]

When the samba password has expired, users are forced to change their password from the client WS. Samba will modify the sambaPwdMustChange attribute and the value seems to always be 2147483647; this does not happen when changing the password with smbpasswd. From where does samba calculate the value for sambaPwdMustChange? Is it constant? Is it possible to specify a different value?
RE: [Samba] different win machines on PDC not accessible at different times
This problem is something about SAMBA smbd. It doesn't matter whether samba runs also as WINS server. I wrote earlier: http://lists.samba.org/archive/samba/2003-December/077722.html

My network's WINS server is WINDOWS 2000, not samba. I had both my PDC and BDC upgraded to 3.0.1 once. The errors accessing W2K workstations went away after downgrading both samba servers to 3.0.0. Even the BDC can cause these errors.

hopefully this helps someone...

Rauno Tuul

-Original Message-
From: John H. [mailto:[EMAIL PROTECTED]

I am having nearly the EXACT same problem as http://lists.samba.org/archive/samba-technical/2003-December/033315.html

I have samba 3.0.1-1 rpms and fedora core 1. Samba is set as a WINS server, which the win2k machines, who use DHCP from the router, are pointed to by the WINS server address specified in the router (each of the win2k machines, via ipconfig /all, reveal they do in fact use the wins server).

At different times, and on different machines, the win2k clients get one of the two errors...

    \\computer not accessible. the system cannot find message text for message number 0x%1 in the message file for %2

or

    \\computer is not accessible an internal windows 2000 error occurred

While these unaccessible computers generate this message, if I try from the linux machine for the same \\machine, I get

    session setup failed: NT code 0xf90a8141

via smbclient -L \\machine -U user

Later, it is accessible. It keeps going on and off. I was told this may be fixed if I install the netbeui protocol on all win2k machines? This is a pretty annoying problem, and I've checked and checked my config, but have found no solution in it or on the internet. My smb.conf is attached. Any help would be appreciated.
RE: [Samba] Sometimes unable to browse w2k shares
Hi,

I had exactly the same problems with 3.0.1. I also wrote about this a couple of weeks ago to the samba list (http://lists.samba.org/archive/samba/2003-December/077722.html). I got 2 replies (off the list) from other users, who are having the same problem. Is this a 3.0.1 particular error? Has anyone understood what the issue of the problem is and will it be fixed in 3.0.2?

Regards,
Rauno

-Original Message-
From: rmi [mailto:[EMAIL PROTECTED]

Plz I need some advice, I'm totally clueless at the moment where to look and what to do. I have one samba 3.0.1 PDC and ten win 9x clients and two XP pro clients and one w2k print server with some shares. It all worked well until I joined the w2k server into the domain. The first couple of hours after joining all shares and all printers were available on the win2k server. But then all of a sudden I couldn't see any shares from the w2k server on the network. When I try to browse the w2k server shares via 9x clients I get an unknown error 31. Even the ./smbclient -L //w2k/share -U aap doesn't let me see shares. Sometimes after an hour or so the shares are again available, or else I have to stop and start samba. What could be wrong? Does anyone have any suggestions?
[Samba] 3.0.0-3.0.1 = 2 problems - outlook browsing fails
Hi,

I upgraded my 3.0.0 setup to 3.0.1. Basic functions worked well: logging in to the domain, login script executes, home drive gets connected, PDC is browseable, shares accessible. Network WINS server is a Win 2000 server, not the samba PDC.

First problem appeared when users tried to open their Outlook mailboxes on exchange 5.5 (on a win 2000 server). Some users got into their mailbox, others couldn't. Outlook asked for username and password (even if the correct password was typed in, the user couldn't open the mailbox).

Second problem was that users couldn't access other windows servers'/workstations' shares. Start - run - \\hostname or \\ip gave 2 different errors:

    An extended error has occurred
    The system cannot find message text for message number 0x in the message file for \\hostname.

Either way, the share list wasn't accessible. (Users couldn't print and so on). Sometimes, after a few minutes, I could open that machine's share list, but when trying later, it again failed.

At the moment I downgraded my PDC to 3.0.0 and things started to work again. I'm able to open my mailbox, browse other win machines.

Samba logs (log level 3) or windows event viewer don't show any serious errors...

For about 10 times today (after user login):

    [2003/12/30 13:15:37, 0] lib/substitute.c:alloc_sub_basic(500)
    alloc_sub_basic: NULL source string! This should not happen

for 800 times I got today:

    [2003/12/30 13:21:40, 3] smbd/trans2.c:call_trans2qfilepathinfo(1934)
    call_trans2qfilepathinfo: SMB_VFS_STAT of SNMPAPI.dll failed (No such file or directory)

What went wrong with my 3.0.1??? Has anyone else run into this situation? I used exactly the same configuration parameters as in 3.0.0 (./configure --with-ldap --bindir=/bin --sbindir=/sbin --sysconfdir=/etc/samba --with-configdir=/etc/samba --with-logfilebase=/var/log/samba --with-quotas --with-sys-quotas --with-acl-support). I haven't tried any other rc's between 3.0.0 and 3.0.1... My smb.conf has been the same for several weeks... http://rullnokk.pri.ee/temp/smb.conf.txt

Looking for some help...

rgds,
Rauno Tuul
RE: [Samba] Forcing Users to change passwords.
Hi,

Samba-3 with LDAP backend is capable of this. I'm using it and it works. All you have to do is to use LDAP and set proper account policies:

    $ pdbedit -P "bad lockout attempt" -C 5

(after 5 wrong passwords, the user account will be locked out - samba sets the password hashes to ***NOPASSWORD*** and the user is unable to log on).

    $ pdbedit -P "min password length" -C 9

    # password age 90 days
    $ pdbedit -P "maximum password age" -C 7776000

Samba takes the age in seconds, so 60*60*24*90 is what you need. Remember that the user has to change his/her password from the workstation once, then the policy takes effect. Another way is to manually change the user's sambaPwdMustChange value to 0, so the user is forced to change the password at next logon. After the password change, a new sambaPwdMustChange will be set, with a timestamp 90 days forward.

    $ pdbedit -P "password history" -C 3

Doesn't work. Andrew said it isn't implemented yet. Samba doesn't store password history... I don't know how it should be done, but it would be very nice to have it.

regards,
Rauno Tuul

On Dec 10, 2003, at 8:28 AM, Ross McInnes (Systems) wrote:

Recently we were audited and as part of that they looked at our systems and policies etc and produced a report. As part of that report they mentioned forcing users to change their passwords every 90 days or so. They also mentioned disabling accounts after 3 login attempts. I'm pretty sure both can be done on NT, but I'd rather stick with rh and samba thanks ever so much. Can samba do these things? even if it's a tinkering kind of job?
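This thread and the earlier sambaPwdMustChange thread describe the same mechanism: after a change under the 90-day policy Samba sets sambaPwdMustChange to the change time plus the maximum age, 0 forces a change at next logon, and 2147483647 means the password never has to be changed. The script below is an added example (not from the list or from smbldap-tools): it classifies constructed sambaSamAccount entries against that policy and, for entries whose deadline is missing or too far out, emits the LDIF 'replace' that the "third way" above (manual ldapmodify) would need. The entries, the DNs and the fixed NOW timestamp are constructed.

```python
# Added example: audit sambaPwdMustChange against a 90-day policy (entries and NOW are constructed).
from typing import Dict, List, Optional

NEVER_EXPIRES = 2147483647             # value Samba writes when no maximum age applies
MUST_CHANGE_NOW = 0                    # forces a change at the user's next logon
DAY = 24 * 60 * 60
MAX_PASSWORD_AGE = 90 * DAY            # 7776000 s, as set with pdbedit -P "maximum password age"
NOW = 1084000000                       # fixed "current time" (May 2004) so results are reproducible

def classify(entry: Dict[str, str], now: int = NOW, max_age: int = MAX_PASSWORD_AGE) -> str:
    """Return the password-age state of one sambaSamAccount entry."""
    must_change = int(entry.get("sambaPwdMustChange", NEVER_EXPIRES))
    last_set = int(entry.get("sambaPwdLastSet", 0))
    if must_change == MUST_CHANGE_NOW:
        return "must-change-at-next-logon"
    if must_change == NEVER_EXPIRES:
        return "never-expires"                  # a change is never forced
    if must_change <= now:
        return "expired"
    if must_change - last_set > max_age:
        return "exceeds-policy"                 # deadline further out than the policy allows
    return "ok"

def policy_deadline(entry: Dict[str, str], max_age: int = MAX_PASSWORD_AGE) -> int:
    """What Samba sets after a change under the policy: last set + maximum age."""
    return int(entry["sambaPwdLastSet"]) + max_age

def ldif_fix(entry: Dict[str, str], now: int = NOW, max_age: int = MAX_PASSWORD_AGE) -> Optional[str]:
    """LDIF 'replace' re-applying the policy deadline; None when the entry is compliant."""
    if classify(entry, now, max_age) not in ("never-expires", "exceeds-policy"):
        return None
    return "\n".join([
        f"dn: {entry['dn']}",
        "changetype: modify",
        "replace: sambaPwdMustChange",
        f"sambaPwdMustChange: {policy_deadline(entry, max_age)}",
        "",
    ])

SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"dn": "uid=alice,ou=Users,dc=example,dc=lan",            # changed 10 days ago, deadline in 80
     "sambaPwdLastSet": str(NOW - 10 * DAY), "sambaPwdMustChange": str(NOW + 80 * DAY)},
    {"dn": "uid=bob,ou=Users,dc=example,dc=lan",              # deadline passed 10 days ago
     "sambaPwdLastSet": str(NOW - 100 * DAY), "sambaPwdMustChange": str(NOW - 10 * DAY)},
    {"dn": "uid=carol,ou=Users,dc=example,dc=lan",            # sentinel: never has to change
     "sambaPwdLastSet": str(NOW - 5 * DAY), "sambaPwdMustChange": str(NEVER_EXPIRES)},
    {"dn": "uid=dave,ou=Users,dc=example,dc=lan",             # admin set 0: change at next logon
     "sambaPwdLastSet": str(NOW - 1 * DAY), "sambaPwdMustChange": str(MUST_CHANGE_NOW)},
]

def audit(entries: List[Dict[str, str]], now: int = NOW, max_age: int = MAX_PASSWORD_AGE) -> Dict[str, str]:
    """{rdn: state} for every entry."""
    return {e["dn"].split(",")[0]: classify(e, now, max_age) for e in entries}

if __name__ == "__main__":
    for rdn, state in audit(SAMPLE_ENTRIES).items():
        print(f"{rdn:<12} {state}")
    for e in SAMPLE_ENTRIES:
        ldif = ldif_fix(e)
        if ldif:
            print(ldif)
```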
RE: [Samba] using more than one ldap server in smb.conf
Hello,

well samba-3 does it without any problems. samba 2.2.x should also be able to do it. Have you specified the second ldap server in /etc/ldap.conf ?

    uri ldaps://ldap1.com/ ldaps://ldap2.com/

in smb.conf you should then have:

    passdb backend = ldapsam:ldaps://ldap1.com ldaps://ldap2.com

Andrew helped me out once with this...

regards,
Rauno

-Original Message-
From: Stefan Weigel [mailto:[EMAIL PROTECTED]

I'm trying to get Samba running to accept more than one ldap server in smb.conf. I applied this patch (http://groups.g. to the samba (2.2.5) sources, but samba doesn't query the second ldap server I specified in smb.conf. Is there a version that can handle multiple ldap servers?
RE: [Samba] Can't find free connection
Hi,

I ran into this problem too once. The cause was that I'm using terminal servers and the samba connection count between terminal and samba is limited. Read this e-mail http://www.mail-archive.com/[EMAIL PROTECTED]/msg19398.html

That worked for me. I've set my #define MAX_CONNECTIONS to 512 (each terminal has 100 users, each user has 4 shares). After recompiling my samba, the errors are history for me.

BTW, there is also a parameter in smb.conf, max connections, but that isn't the problem (default connection limit is 0).

I hope that helps,
Rauno

-Original Message-
From: Selzner, Peter (KRZ) [mailto:[EMAIL PROTECTED]

Hi,

since some days we have the following entries in the logfile:

    smbd/service.c:make_connection(340) Couldn't find free connection

Google says little or nothing. Can I control this with max connection = 0? Any other ideas? Please help. Thanks.

Peter
RE: [Samba] roaming profiles
Hi,

Change these 2 parameters to blank. Then no one can create a roaming profile.

    logon home =
    logon path =

Manual is the key: http://www.samba.org/samba/docs/man/ProfileMgmt.html

Rauno

-Original Message-
From: Alexandru Molodoi [mailto:[EMAIL PROTECTED]

How can you disable roaming profiles in Samba 2.2.7a, so that the contents of \Documents and Settings\user\ isn't synchronized at every logon?
[Samba] samba3: problem with machine accounts - change PC name
Hi,

Running samba 3.0.0, LDAP passdb. I've in smb.conf (script is from the samba 3.0.0 source tree)

    add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u
    delete user script = /usr/local/sbin/smbldap-userdel.pl %u

When a machine (win 2000/xp) is added once to the samba domain on-the-fly, everything works well. Things get tricky when there's a need to change the machine name. Samba doesn't delete the old entry and create a new one, but tries to change it. Well, it doesn't work.

Sample: a machine with a random name was added to the domain and afterwards the PC's name was changed.

    # smbldap-usershow.pl changed-name$
    dn: uid=ml-lit0tylgqgnp$,ou=Computers,dc=my,dc=domain
    cn: ml-lit0tylgqgnp$
    sn: ml-lit0tylgqgnp$
    uid: CHANGED-NAME$
    uidNumber: 1285
    ...
    sambaAcctFlags: [UW ]
    displayName: CHANGED-NAME$

So results:
* only uid and displayName are changed.
* I don't understand why the new name is written in UPPER CASE. The machine name is lower case in windows...
* Users can't log in on that machine, because the machine account has failed.
* sambaAcctFlags: U gets set!?!?! This machine account appears in the security list of users. (in usermanager a user ending with $ is shown).

To get the workstation to work, I have to delete the entry and recreate it with the same name. Then users can log in again.

How things should be:

    # smbldap-usershow.pl changed-name$
    dn: uid=changed-name$,ou=Computers,dc=my,dc=domain
    cn: changed-name$
    sn: changed-name$
    uid: changed-name$
    uidNumber: 1285
    ...
    sambaAcctFlags: [W ]

Any suggestions? ideas? Fixes? I'm in some kind of a trouble... btw: not changing the name isn't an option :(

Best regards,
Rauno Tuul
[Samba] connection limit using 3.0.0 ???
Hi,

My users sometimes get this weird message when trying to log in:

    The domain WHATEVER is not available

My PDC has these errors in smbd.log

    [2003/11/07 10:35:57, 1] smbd/conn.c:conn_new(103)
    ERROR! Out of connection structures
    [2003/11/07 10:35:57, 0] smbd/service.c:make_connection_snum(352)
    Couldn't find free connection.

Windows box event entry:

    Event Type: Failure Audit
    Logon Failure:
    Reason: An unexpected error occurred during logon

What is going on? I saw such errors in lists, but in 2.2.2 times... Any fix/solution?

samba has an LDAP backend and when the error occurred, there were about 320 logons and 250 smb threads. system redhat 8.

regards,
Rauno Tuul
[Samba] samba-3 trustdom AD (mixed mode) problem
Hi,

I want to get my SAMBA-3.0.0 domain to trust a W2K AD (mixed mode) both ways. I don't want to make my samba box an AD member, just trust it. Samba-PDC uses ldap as passdb. winbind isn't used. WINS server is running on the W2K PDC server. Also created a machine account entry in the LDAP base, set samba I flag.

Here we go (using mmc @ w2k PDC):

I add my samba domain to Domains trusted by this domain and it nicely says to me:

    The trusted domain has been added and the trust has been verified

From the Samba domain I can access AD domain members' shares, get the AD users list and so on. IT works.

Access from W2K to a samba PDC file share: \\samba-pdc

    \\samba-pdc is not accessible
    The security database on the server does not have a computer account for this workstation trust relationship.

    [2003/10/26 01:57:37, 0] auth/auth_domain.c:connect_to_domain_password_server(115)
    connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine W2K-PDC. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
    [2003/10/26 01:59:15, 0] auth/auth_domain.c:domain_client_validate(167)
    domain_client_validate: Domain password server not available.

I try to add my samba domain to the Domains that trust this domain list. W2K asks me whether to verify the trust. I say yes and get the following error:

    Trust cannot be verified at this time due to the following situation:
    The RPC server is unavailable.

    [2003/10/26 02:00:06, 0] auth/auth_domain.c:connect_to_domain_password_server(115)
    connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine W2K-PDC. Error was : NT_STATUS_UNSUCCESSFUL.
    [2003/10/26 02:00:06, 0] auth/auth_domain.c:domain_client_validate(167)
    domain_client_validate: Domain password server not available.

From the samba domain side, nothing changes, everything's fine. But access from W2K to the samba PDC file share: \\samba-pdc

    A device attached to the system is not functioning.

I get the same error when I try to get SAMBA's user list.

What is wrong? What must I change or add to get it to work? Is it possible? Why does samba keep looking for a Domain password server?

From the samba PDC:

    $ net rpc trustdom establish w2kdomain
    [2003/10/26 02:10:36, 0] utils/net_rpc.c:rpc_trustdom_establish(1919)
    Success!

Regards,
Rauno Tuul
RE: [Samba] interdomain trust relationships
Hi,

Probably you have an LDAP passdb. I have one and also ran into that problem. I have samba-3.0.0.

Solution, use smbldap-tools:

    // create machine account
    $ smbldap-useradd.pl -w ntdomain
    // set desired password for the account
    $ smbldap-passwd.pl ntdomain$

The entry you created has sambaAcctFlags [W ] but should have [I ]. So make a tiny text file (foobar) for changing the entry:

    dn: uid=ntdomain$,ou=Computers,dc=whatever,dc=com
    changetype: modify
    sambaAcctFlags: [I ]

    // Then apply the text file to LDAP
    $ ldapmodify -x -h 127.0.0.1 -D cn=Manager,dc=whatever,dc=com -W -f /path-to/foobar

    // after you have created one side of the trust from NT usermanager, run
    $ net rpc trustdom establish ntdomain

enter the set password and voila!

It works with samba-3 - NT 4 domain and also samba-3 - Windows 2000 AD in mixed mode.

Important: both DCs, samba and NT, must have the same WINS server, otherwise the trust will never work. I use Windows 2000 WINS and it took a while before windows machines found the DC of my samba domain.

I hope it helps.

Regards,
Rauno Tuul.

-Original Message-
From: Gordon Heydon [mailto:[EMAIL PROTECTED]

    smbpasswd -a -i xxx
    Failed initialise SAM_ACCOUNT for user xxx$.
    Failed to modify password entry for user xxx$

I have samba set up so that I can set up users and machines automatically, so I am not sure what is wrong.
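Both this thread and the machine-rename thread above come down to the account-type letters in sambaAcctFlags: a trust account created with smbldap-useradd -w carries W where an interdomain trust needs I, and a renamed machine was left with U beside W so it showed up as a user. The script below is an added example, not code from the list or from smbldap-tools: it parses the bracketed flag string (Samba pads the letters to 11 characters inside the brackets and writes them in the order NDHTUMWSLXI), decides the expected account-type letters from the uid and a list of trusted domain names, and emits LDIF 'replace' fixes with the mod-spec line spelled out. The entries and DNs are constructed.

```python
# Added example: audit sambaAcctFlags on user, machine and trust entries (SAMPLE_ENTRIES are constructed).
import re
from typing import Dict, Iterable, List, Optional, Set

FLAG_ORDER = "NDHTUMWSLXI"   # order Samba writes the letters: U=user, W=workstation, S=server, I=interdomain trust
FLAG_WIDTH = 11              # letters are space-padded to 11 chars between the brackets

def parse_acct_flags(raw: str) -> Set[str]:
    m = re.fullmatch(r"\[([A-Z ]*)\]", raw.strip())
    if not m:
        raise ValueError(f"malformed sambaAcctFlags: {raw!r}")
    return set(m.group(1).replace(" ", ""))

def format_acct_flags(flags: Iterable[str]) -> str:
    flags = set(flags)
    unknown = flags - set(FLAG_ORDER)
    if unknown:
        raise ValueError(f"unknown flag letters: {sorted(unknown)}")
    return "[" + "".join(c for c in FLAG_ORDER if c in flags).ljust(FLAG_WIDTH) + "]"

def expected_flags(uid: str, flags: Set[str], trusted_domains: Set[str]) -> Set[str]:
    """Keep status letters (D, L, X, N, H, T, M); fix the account-type letters (U, W, S, I)."""
    status = flags - set("UWSI")
    if uid.endswith("$"):
        if uid[:-1].lower() in trusted_domains:
            return status | {"I"}                            # interdomain trust account
        return status | ({"S"} if "S" in flags else {"W"})   # machine account: W (or S), never U
    return status | {"U"}                                    # ordinary user: U only

def check_entry(entry: Dict[str, str], trusted_domains: Set[str]) -> Optional[Dict[str, str]]:
    """Finding with current and corrected flag strings, or None if the entry is fine."""
    uid = entry["dn"].split(",")[0].split("=", 1)[1]
    current = parse_acct_flags(entry["sambaAcctFlags"])
    wanted = expected_flags(uid, current, trusted_domains)
    if wanted == current:
        return None
    return {"dn": entry["dn"], "current": format_acct_flags(current), "fixed": format_acct_flags(wanted)}

def ldif_fix(finding: Dict[str, str]) -> str:
    return "\n".join([
        f"dn: {finding['dn']}",
        "changetype: modify",
        "replace: sambaAcctFlags",
        f"sambaAcctFlags: {finding['fixed']}",
        "",
    ])

SAMPLE_ENTRIES = [
    # machine renamed in place: Samba left U beside W, so it shows up in the user list
    {"dn": "uid=changed-name$,ou=Computers,dc=example,dc=lan", "sambaAcctFlags": "[UW         ]"},
    # trust account created with smbldap-useradd -w: W, but a trusted domain needs I
    {"dn": "uid=ntdomain$,ou=Computers,dc=example,dc=lan", "sambaAcctFlags": "[W          ]"},
    {"dn": "uid=rauno,ou=Users,dc=example,dc=lan", "sambaAcctFlags": "[U          ]"},
    {"dn": "uid=svc-backup,ou=Users,dc=example,dc=lan", "sambaAcctFlags": "[UD         ]"},
]
TRUSTED_DOMAINS = {"ntdomain"}

def audit(entries: List[Dict[str, str]], trusted_domains: Set[str] = TRUSTED_DOMAINS) -> List[Dict[str, str]]:
    return [f for f in (check_entry(e, trusted_domains) for e in entries) if f]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(f"# {finding['dn']}: {finding['current']} -> {finding['fixed']}")
        print(ldif_fix(finding))
```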
[Samba] step 2 - samba-3 PDC BDC fail-over with 2 LDAP servers fails
-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]

    passdb backend = ldapsam:ldaps://ldap1 ldaps://ldap2

is what you want.

This helped me a little bit forward. I suggest adding this line also to the samba-pdc help. But I still ran into problems.

I fixed the passdb lines on PDC and BDC. If the second server (on PDC the slave-ldap and on BDC the master-ldap) goes down, everything still works fine. The first (closest) server authenticates the client and all is fine. So I got a bit further. But it gets tricky when I shut the first LDAP server in line down (on PDC the master-ldap and on BDC the slave-ldap).

master ldap down:

PDC: smbclient - session setup failed: NT_STATUS_LOGON_FAILURE

    [2003/10/10 13:17:15, 1] auth/auth_util.c:make_server_info_sam(818)
    User myusername in passdb, but getpwnam() fails!
    [2003/10/10 13:17:15, 0] auth/auth_sam.c:check_sam_security(459)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

BDC: ok

slave ldap down:

PDC: ok

BDC: session setup failed: NT_STATUS_LOGON_FAILURE

    [2003/10/10 13:15:12, 0] auth/auth_sam.c:check_sam_security(459)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

Basically it finds the user in LDAP, but somehow it fails. I don't get it. I also have log level 10 log files, but I can't figure much more out of them. Andrew, if you want them, I can send them (gzipped logs).

regards,
Rauno Tuul.
[Samba] RE: step 3 - samba-3 PDC BDC fail-over with 2 LDAP - works !
-----Original Message-----
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]

You need to do exactly the same in nsswitch. /etc/ldap.conf is used to control the behaviour of libnss_ldap, and needs *exactly* the same line (or else you will get this happening, where Samba finds the server, but nss_ldap doesn't).

Thank you Andrew! It works just fine! I recommend adding something like this advice also to the samba-bdc.html help and maybe also to the samba-howto-collection.

In /etc/ldap.conf I modified 1 line:

    uri ldaps://alfa.sf.lan/ ldaps://ksii.sf.lan/

and in smb.conf the passdb is like this:

    passdb backend = ldapsam:ldaps://alfa.sf.lan ldaps://ksii.sf.lan

Hopefully I can migrate my corporate network (17 NT domains, 300 PCs/users) to one and only samba-3 domain next weekend.

Best regards,
- Rauno Tuul -
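Added example (Python, not from the thread or the Samba project): a check that the URI list in smb.conf's passdb backend and the uri line of /etc/ldap.conf name the same servers in the same order, which is the condition Andrew states above (the order is also the failover order). The two configuration snippets are constructed; the host names alfa.sf.lan and ksii.sf.lan are the ones from the mail. It additionally flags a plain ldap:// URI to a remote host, because that link carries the ldap admin dn bind and the password hashes.

```python
"""Check that Samba's ldapsam URI list and nss_ldap's 'uri' line agree.

Added example, not from the thread or the Samba project. Both config
snippets are constructed; the host names are the ones from the mail.
"""
import re
from typing import List, Tuple

SMB_CONF = """\
[global]
   workgroup = SF
   passdb backend = ldapsam:ldaps://alfa.sf.lan ldaps://ksii.sf.lan
"""

LDAP_CONF = """\
# /etc/ldap.conf read by libnss_ldap / pam_ldap
base dc=ehk,dc=lan
uri ldaps://alfa.sf.lan/ ldaps://ksii.sf.lan/
ssl on
"""

# Same file with the second server left out: nss_ldap then has no fallback.
LDAP_CONF_BROKEN = LDAP_CONF.replace(" ldaps://ksii.sf.lan/", "")

LDAP_SCHEMES = ("ldap://", "ldaps://", "ldapi://")


def parse_smb_passdb_uris(smb_conf: str) -> List[str]:
    """URIs from 'passdb backend = ldapsam:...'. Accepts the unquoted form
    used in the mail, the quoted ldapsam:"uri uri" form, and trailing extra
    backends such as ', guest'."""
    for line in smb_conf.splitlines():
        m = re.match(r"\s*passdb\s+backend\s*=\s*(.*?)\s*$", line, re.I)
        if not m:
            continue
        m2 = re.match(r"ldapsam(?:_compat)?:(.*)$", m.group(1), re.I)
        if not m2:
            return []
        rest = m2.group(1).strip().strip('"')
        return [t for t in re.split(r"[\s,]+", rest)
                if t.lower().startswith(LDAP_SCHEMES)]
    return []


def parse_nss_ldap_uris(ldap_conf: str) -> List[str]:
    """Servers named by the 'uri' directive of /etc/ldap.conf."""
    for line in ldap_conf.splitlines():
        m = re.match(r"\s*uri\s+(.+?)\s*$", line, re.I)
        if m:
            return m.group(1).split()
    return []


def normalize(uri: str) -> str:
    # nss_ldap examples carry a trailing slash, smb.conf ones usually do not.
    return uri.strip().rstrip("/").lower()


def compare_uri_lists(smb_conf: str, ldap_conf: str) -> Tuple[bool, List[str]]:
    """True when both files list the same servers in the same order; the
    second element lists every problem found."""
    smb = [normalize(u) for u in parse_smb_passdb_uris(smb_conf)]
    nss = [normalize(u) for u in parse_nss_ldap_uris(ldap_conf)]
    problems: List[str] = []
    if not smb:
        problems.append("smb.conf: no ldapsam URI found in passdb backend")
    if not nss:
        problems.append("ldap.conf: no uri directive found")
    if smb and nss and smb != nss:
        problems.append(f"URI lists differ: smb.conf={smb} ldap.conf={nss}")
    for u in sorted(set(smb + nss)):
        if not u.startswith("ldap://"):
            continue
        host = u[len("ldap://"):].split("/")[0].split(":")[0]
        if host not in ("localhost", "127.0.0.1"):
            problems.append(f"{u}: plaintext LDAP to a remote host; "
                            "use ldaps:// or ldapi://")
    return not problems, problems


if __name__ == "__main__":
    for name, conf in (("ok", LDAP_CONF), ("broken", LDAP_CONF_BROKEN)):
        consistent, problems = compare_uri_lists(SMB_CONF, conf)
        print(name, "consistent" if consistent else problems)
```

Run it on the real files by reading them into SMB_CONF and LDAP_CONF; a mismatch reproduces the symptom in the thread, where smbd finds the account in LDAP but getpwnam() through nss_ldap fails.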
[Samba] samba-3 PDC BDC fail-over with 2 LDAP servers fails
Hi,

In the samba help, samba-bdc.html, there is a section "available configs":

Possible PDC/BDC plus LDAP configurations include:
PDC - LDAP master, with secondary slave LDAP server.
BDC - LDAP slave server, with secondary master LDAP server.

So I configured it so and tested samba's ability to switch over to the backup LDAP backend. If both LDAP servers are up, everything is just fine. But when 1 LDAP goes down, samba should understand it and work with the other LDAP. Well, it doesn't work for me...

PDC (also master-ldap) smb.conf:

    passdb backend = ldapsam:ldaps://master-ldap.lan ldapsam:ldaps://slave-ldap.lan

BDC (also slave-ldap) smb.conf:

    passdb backend = ldapsam:ldaps://slave-ldap.lan ldapsam:ldaps://master-ldap.lan

case 1) I shut master LDAP down

on PDC:

    master-ldap# smbclient -U username -L (it takes about 15 sec to prompt the pwd)
    Password:
    session setup failed: Call timed out: server did not respond after 2 milliseconds

on BDC:

    slave-ldap# smbclient -U username -L (it takes about 15 sec to prompt the pwd)
    Password:
    tree connect failed: Call timed out: server did not respond after 2 milliseconds

case 2) I shut slave LDAP down

on PDC:

    master-ldap# smbclient -U username -L (it takes about 15 sec to prompt the pwd)
    Password:
    tree connect failed: Call timed out: server did not respond after 2 milliseconds

on BDC:

    slave-ldap# smbclient -U username -L (it takes about 15 sec to prompt the pwd)
    Password:
    session setup failed: Call timed out: server did not respond after 2 milliseconds

In the logs of both servers:

    smbldap_search: LDAP server is down!
    smbldap_search_suffix: Problem during the LDAP search: (unknown) (Can't contact LDAP server)

Basically if 1 LDAP goes down, both SAMBAs are down. Anyone got a hint why it doesn't work? Both SAMBAs can use any LDAP server (master or slave) if only 1 LDAP is defined.

Best regards,
- Rauno Tuul -
RE: [Samba] Samba + LDAP + Password Expiry = Almost working...
Hi,

You almost got it... Samba 2 has a weird behaviour when using LDAP and a passwd program. When you change the password from windows, things happen like this:

1) samba reads all the user data from LDAP into memory (doesn't read userPassword)
2) executes the passwd program to change userPassword. At this point your script also sets the new pwdMustChange value.
3) things get tricky here, when samba writes back all the data he got from LDAP earlier and changes the password hashes. So if your script changes the pwdMustChange value, samba puts it back as it was before :P

The workaround is to modify pdb_ldap.c and teach samba not to write back pwdMustChange. It can be achieved by commenting out 2 lines. Samba 3 calculates the new pwdMustChange based on policy; in samba 2 you must do it with scripts.

btw, your perl script is way too complex. I attached one of my e-mails sent to samba-technical ages ago, where this trick is described.

Best regards,
Rauno Tuul.

-----Original Message-----
From: Collins, Kevin [mailto:[EMAIL PROTECTED]

I've got a Samba 2.2.7a domain with an LDAP backend. It's been working for nearly 3 months now without much bother. By the way: Great work and thanks for all of the effort!

I have been missing one minor thing from the setup since I moved away from NT 4: Password Expiration. In the past I have posted questions about this on the list and I've gotten two answers: Wait for 3, or Write your own script to do it for you. Well, I sorta went the second route. By sorta I mean that I modified a pre-existing script to make it do what I wanted it to.

What I did was this... I started with IDEALX's howto and scripts to get things going. I had Samba configured to use their smbldap-passwd.pl script to modify passwords. That worked, I could change any Windows account password from Windows or the command line and indeed all three passwords for that user are changed (Unix, LM and NT passwords). I later discovered the LDAP entry pwdMustChange while looking at a user account one day.

When I set this to a date inside of 14 days from today, Windows begins to bark about "Password will expire in X days" - Great, I thought I found my solution. But the default password change script wouldn't modify this value. ... but I would prefer not to, as they seem to work so well.
RE: [Samba] smbldap.c
Hi,

Well, in samba 2.2.8 (in 2.2.4 there wasn't) passdb/pdb_ldap.c had a check like this:

    /* check that the user is in the domain admin group for connecting */
    if ( (uid != 0) && !user_in_list(pass->pw_name, lp_domain_admin_group()) ) {
        DEBUG(0, ("ldap_open_connection: cannot access LDAP when not root or a member of domain admin group..\n"));
        return False;
    }

So users who belonged to the domain admin group were able to modify the LDAP base, for example add PCs to the domain without having uid=0. Basically samba3 is back at the 2.2.4 level. I saw this in the smb-ldap howto by IDEALX (the howto was written for 2.2.4) and there was a little patch. As in samba3 there is no such variable as domain admin group, there is no way users with uid!=0 can change LDAP...

For big networks, adding PCs to the domain with one username and password (uid=0, rid=500) just doesn't make sense... IMHO groupmapping doesn't fill that hole, because whatever groupmap entry doesn't give admin rights on LDAP.

Regards,
Rauno Tuul.

-----Original Message-----
From: Antoine Jacoutot ajacoutot at lphp.org
Tue Sep 16 16:21:49 GMT 2003

I was just wondering if that piece of code was important (for security and such), because I had to comment it in smbldap.c before compiling samba-3.0; otherwise, I would have errors like:

    (Insufficient access)smbldap_open: cannot access LDAP when not root

    #ifndef NO_LDAP_SECURITY
        if (geteuid() != 0) {
            DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
            return LDAP_INSUFFICIENT_ACCESS;
        }
    #endif
RE: [Samba] smbldap.c
-----Original Message-----
From: Antoine Jacoutot [mailto:[EMAIL PROTECTED]

On Tuesday 16 September 2003 21:34, Rauno Tuul wrote:
IMHO groupmapping doesn't fill that hole, because whatever groupmap entry doesn't give admin rights on LDAP.

So, you think that's ok to remove that piece of code, right?

Removing isn't the best solution, for security reasons; then anyone can turn the LDAP into a mess... Honestly said, the parameter "domain admin group" should come back. Some say it isn't necessary. But how can you add PCs to the domain with, for example, 2 users brick and stone (different passwords), when their uid isn't 0 and they aren't in the admin users list?

Rgds,
Rauno.
RE: [Samba] smbldap.c
-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]

| IMHO groupmapping doesnt fill that hole, because whatever groupmap entry
| doesn't give admin rights on LDAP.

You're thinking about this from the wrong perspective. The 'domain admin group' from 3.0 was a limited way to handle group mapping. Instead of being a smb.conf parameter, the domain admin group is now a mapping between the domain admins SID and a unix gid. The check will be pretty much the same. We'll just make the domain admin sid against the current user's NT_TOKEN.

| Honestly said, the parameter domain admin group should come back.
| Some say it isn't necessary.

No. I can fix this just using the group mapping entry for Domain Admins. We'll fix it post 3.0.0.

This LDAP access check against the group mapping entry for Domain Admins is a good idea and I'm glad to hear that a solution is coming. After some time, but hopefully it comes...

rgds,
- Rauno Tuul -
[Samba] RE: Documentation
=server_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 225
cn: server_operators
description: Windows Domain Server Operators
displayName: Server Operators
sambaSID: S-1-5-32-1541
sambaGroupType: 5

dn: cn=print_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 226
cn: print_operators
description: Windows Domain Print Operators
displayName: Print Operators
sambaSID: S-1-5-32-1453
sambaGroupType: 5

dn: cn=backup_operators,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 227
cn: backup_operators
description: Windows Domain Members can bypass file security to back up files
displayName: Backup Operators
sambaSID: S-1-5-32-1455
sambaGroupType: 5

dn: cn=replicator,ou=Groups,dc=mydomain,dc=lan
description: Supports file replication in a domain
description: Windows Domain Supports file replication in a domain
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 228
cn: replicator
sambaSID: S-1-5-21-11-2-33-1457
sambaGroupType: 2
displayName: Replicator

dn: cn=enterprise_admins,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: enterprise_admins
gidNumber: 203
sambaGroupType: 2
displayName: Enterprise Admins
sambaSID: S-1-5-21-11-2-33-519

dn: cn=domain_admins,ou=Groups,dc=mydomain,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 200
cn: domain_admins
sambaSID: S-1-5-21-11-2-33-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=administrators,ou=Groups,dc=ehk,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: administrators
gidNumber: 220
sambaGroupType: 5
displayName: Administrators
description: Local Unix group
sambaSID: S-1-5-32-1441
===

PS. Since the unicode was fixed, samba 3.0 works like a charm.

Best regards,
Rauno Tuul.
[Samba] samba-3 problem joining ws to domain
Howdi,

I can't add a w2k workstation to the samba3 domain with my username. If I add my username to the admin users list, then I can add the box to the domain (but "overritten by euid"). My goal is that joining the domain can be done without using the admin users option.

Groupmapping is done and works. When the machine is in the domain and I log in, I get full admin rights on that box. Removing the box from the domain works anytime.

The error message in windows is: "Logon failure: invalid user name or bad password."

In the log files (debuglevel 10) such lines appear:

    ...
    [2003/09/11 18:09:33, 5] lib/util_seaccess.c:se_access_check(331)
    se_access_check: access (211) denied.
    [2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
    _samr_open_domain: ACCESS DENIED (requested: 0x0211)
    ...
    [2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
    _samr_create_user: access check ((granted: 0x0201; required: 0x0010)
    [2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
    _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
    ...

When the user is in the admin users list, this happens instead:

    _samr_open_domain: ACCESS should be DENIED (requested: 0x0211) but overritten by euid == sec_initial_uid()

... and after that, access is granted.

What's wrong? Could someone please say what is wrong with my setup?
# smb.conf
passdb backend = ldapsam:ldaps://alfa.sf.lan, guest
delete user script = /usr/local/sbin/smbldap-userdel.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl %g
add machine script = /usr/local/sbin/smbldap-computeradd.pl %u
ldap suffix = dc=ehk,dc=lan
ldap machine suffix = ou=Computers,dc=ehk,dc=lan,dc=ehk,dc=lan
ldap user suffix = ou=Users,dc=ehk,dc=lan,dc=ehk,dc=lan
ldap admin dn = cn=Manager,dc=ehk,dc=lan
force user = %U
force group = users

# Unix username: khk_rauno.tuul
User SID: S-1-5-21-1347305728-752463190-2852647101-3000
Primary Group SID: S-1-5-21-1347305728-752463190-2852647101-1443

# net groupmap list
Domain Users (S-1-5-21-1347305728-752463190-2852647101-513) -> domain_users
Users (S-1-5-21-1347305728-752463190-2852647101-1443) -> users
Domain Admins (S-1-5-21-1347305728-752463190-2852647101-512) -> domain_admins
Administrators (S-1-5-21-1347305728-752463190-2852647101-1441) -> administrators

# groups (stored in LDAP)
domain_admins:x:200:khk_rauno.tuul
domain_users:x:201:khk_rauno.tuul
administrators:x:220:khk_rauno.tuul
users:x:221:

I attached also 2 log files with those messages.

Best regards,
- Rauno Tuul -

...
[2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
_samr_open_domain: access check ((granted: 0x0030; required: 0x0020)
[2003/09/11 18:09:33, 10] lib/util_seaccess.c:se_access_check(250)
se_access_check: requested access 0x0211, for NT token with 15 entries and first sid S-1-5-21-1347305728-752463190-2852647101-3000.
[2003/09/11 18:09:33, 3] lib/util_seaccess.c:se_access_check(267)
[2003/09/11 18:09:33, 3] lib/util_seaccess.c:se_access_check(268)
se_access_check: user sid is S-1-5-21-1347305728-752463190-2852647101-3000
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1443
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1427
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1431
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-513
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1447
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1449
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1451
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1407
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1409
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-512
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1441
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
[2003/09/11 18:09:33, 5] lib/util_seaccess.c:se_access_check(331)
se_access_check: access (211) denied.
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
_samr_open_domain: ACCESS DENIED (requested: 0x0211)
...
[2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
_samr_create_user: access check ((granted: 0x0201; required: 0x0010)
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
[2003/09
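Added example (Python, not Samba code): a replay of the se_access_check() decision in the log above. The token SIDs and the three ACEs are copied from the log; the evaluation narrows the requested bits ACE by ACE exactly as the log's "current desired" column does (0x211, then 0x10, then 0x10). The token carries the domain's Domain Admins SID (-512) and the domain-SID mapping of administrators (-1441), but the only ACEs that cover the remaining 0x0010 bit (the bit _samr_create_user reports as required) belong to S-1-5-32-544 and S-1-5-32-548, the well-known BUILTIN Administrators and Account Operators groups, and neither is in the token. The last call shows the same token passing once S-1-5-32-544 is present.

```python
"""Replay se_access_check() for the SAMR domain open seen in the log.

Added example, not Samba code. Token SIDs, ACEs and masks are copied from
the log lines above; the evaluation is a simplified allow-only walk that
reproduces the logged 'current desired' narrowing.
"""
from typing import Iterable, List, Tuple

DOMAIN = "S-1-5-21-1347305728-752463190-2852647101"

# NT token of khk_rauno.tuul as logged: user SID, primary group, then groups.
TOKEN = [f"{DOMAIN}-3000", f"{DOMAIN}-1443", "S-1-1-0", "S-1-5-2", "S-1-5-11",
         f"{DOMAIN}-1427", f"{DOMAIN}-1431", f"{DOMAIN}-513", f"{DOMAIN}-1447",
         f"{DOMAIN}-1449", f"{DOMAIN}-1451", f"{DOMAIN}-1407", f"{DOMAIN}-1409",
         f"{DOMAIN}-512", f"{DOMAIN}-1441"]

ACCESS_ALLOWED = 0  # ACE "type 0" in the log

# ACL of the SAMR domain object as logged: (ACE type, SID, access mask).
ACL = [
    (ACCESS_ALLOWED, "S-1-1-0", 0x20385),       # Everyone
    (ACCESS_ALLOWED, "S-1-5-32-544", 0xF07FF),  # BUILTIN\Administrators
    (ACCESS_ALLOWED, "S-1-5-32-548", 0xF07FF),  # BUILTIN\Account Operators
]

REQUESTED = 0x0211    # access _samr_open_domain requested, per the log
CREATE_USER = 0x0010  # the bit _samr_create_user logs as required


def se_access_check(token: Iterable[str], acl: List[Tuple[int, str, int]],
                    desired: int) -> Tuple[bool, int, List[int]]:
    """Walk the ACL in order. Every allow ACE whose SID is in the token
    clears its mask bits from the outstanding 'desired' set; access is
    granted only when nothing is left. Returns (granted, missing bits,
    the 'current desired' value seen at each ACE)."""
    sids = set(token)
    trace: List[int] = []
    for ace_type, sid, mask in acl:
        trace.append(desired)
        if desired == 0:
            break
        if ace_type == ACCESS_ALLOWED and sid in sids:
            desired &= ~mask
    return desired == 0, desired, trace


def sids_that_would_grant(acl: List[Tuple[int, str, int]], missing: int) -> List[str]:
    """SIDs whose allow ACE covers every bit still missing, i.e. the group
    memberships the token would need for the call to succeed."""
    return [sid for ace_type, sid, mask in acl
            if ace_type == ACCESS_ALLOWED and (missing & mask) == missing]


if __name__ == "__main__":
    granted, missing, trace = se_access_check(TOKEN, ACL, REQUESTED)
    print("granted:", granted, "missing: 0x%04x" % missing,
          "trace:", [hex(d) for d in trace])
    print("would need one of:", sids_that_would_grant(ACL, missing))
    print("with S-1-5-32-544 in token:",
          se_access_check(TOKEN + ["S-1-5-32-544"], ACL, REQUESTED)[0])
```

The practical reading: membership in a group mapped to a domain SID (even one named "Administrators") does nothing for an ACE written for a BUILTIN SID, so the join is denied until the token contains S-1-5-32-544 or S-1-5-32-548, or until the user is in admin users and the euid override in the log bypasses the check altogether.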
[Samba] change w2k user profile SID
Hi,

Windows binds user profile and SID in the registry:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

I replaced the old SID with the new samba SID. It worked. After joining the new domain, the user got back his old profile. But if I look in System Properties at the profile list, the profile owner's name is "Account Unknown". Where is the second place (for that list) where the old SID resides? Anyone know?

- Rauno Tuul -
[Samba] samba-3 doesnt show quota limit?
Hi,

My samba 3.0.0rc2 is built --with-quotas and each user has a quota limit. Filesystem is ext3 on linux. Quota type is old (1).

Differences between samba 2.2.8 and 3.0.0rc2: In the old version samba showed the user disk space by quota; if the user had a 200MB quota limit, then in the windows client the network drive's disk space was also 200MB. The user always knew the exact free space he had until the quota limit. But samba-3 always shows disk space by physical size (74GB), so the user can't see the actual free disk space he has. The user can't exceed the quota limit and will suddenly be prompted "disk full".

Is this normal behaviour of samba-3 or is there something wrong with my samba?

- Rauno Tuul -
RE: [Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?
Hi,

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]

"domain admin group" removed. Because you now have something much more powerful that provides real NT Groups to your NT/200x/XP clients.

But if I use LDAP for both Samba and system auth, the groups that I added with base.ldif (idealx) exist in samba and in the system. For example, getent group shows me all groups in the system (/etc/group + ldap entries).

Here are the basic steps:

1. Add a UNIX group account that will be mapped to the NT Domain Admins global group:

    groupadd ntadmins

How does samba know that users in that group may update the LDAP base? Based on the groupmap entry? If no groupmapping is done, then no one except the admin user?

2. Now add the UNIX users who should be a member of the NT Domain Admins group to the UNIX ntadmins account:
a) You can edit /etc/group so that the ntadmins entry looks like:

    ntadmins:x:543:maryo,willy,billg

Now map the UNIX group to the NT Domain Admins group:

    net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins

If I'm correct, net groupmap add ntgroup="Domain Admins" unixgroup=whatevergroup is a must for adding On-the-Fly Machine Accounts? But what if I already did it in LDAP? I added a group named "Domain Admins" to my base and added users to the group. Is it useless?

As I followed your instructions, I made a random group. But the problem is... I can't get the net groupmap list and net groupmap add commands working. Something is wrong, but I can't figure out what it is... Here are the files and data of my current state and problem: http://raunz.pri.ee/linux/samba/samba3/ (smb.conf, getent group, getent passwd, ldap data, debug output of the net groupmap... commands).

Hope this helps! It is covered in the Samba-HOWTO-Collection.pdf file that is included with Samba-3 in the docs directory.

I read it... even tried to use that script for group adding... nothing. Honestly said, I'm pretty lost here...

Regards,
Rauno
[Samba] samba3 - On-the-Fly Machine Accounts - domain admin group?
Hi,

Could someone explain why the parameter "domain admin group" was removed from samba3? passdb/pdb_ldap got totally rewritten... but why remove a useful variable...

    # Removed Parameters (order alphabetically):
    # * domain admin group

In 2.2.8 (with LDAP backend) I defined domain admin group = @"Domain Admins" and added several users to that group for creating machine accounts. It worked, and well. Users in that group didn't have root permissions, but were able to add new accounts. But what do I do in samba3?

    # add machine script - will be run by smbd(8)
    # when a machine is added to it's domain using
    # the administrator username and password method.

I made a custom script, based on the idealx useradd script, and added some lines for working with LAM (http://lam.sf.net). The problem is, how can this script be used by others who need to add machine accounts... Am I correct that samba assumes administrator username = root?

    # admin users - list of users who will be granted administrative
    # privileges on the share. This means that they will do all
    # file operations as the super-user (root).

Defining several people to be admin users isn't the right solution either, because they get too high privileges on shares and file access. I used it and managed to add a new machine account... For samba I was logged in as admin user (root privileges).

    # The name of the account that is used to create domain member
    # machine accounts can be anything the network administrator
    # may choose. If it is other than root then this is easily
    # mapped to root using the file pointed to be the smb.conf
    # parameter username map = /etc/samba/smbusers.

Doesn't that do exactly the same as listing users as admin users? Basically, will samba recognize that "anything" as an admin user (root privileges) or not?

Any recommendations? Solutions?

Regards,
Rauno Tuul
[Samba] groups in samba with LDAP (double entries?)
Hi,

I have a samba 2.2.8a with LDAP backend. System auth also uses ldap. I used base.ldif from idealx.org to create the base group entries in my ldap base. Client is win2000 sp3.

When I share a folder out from w2k and choose permissions, I can select users from localhost or the samba domain - there are no double entries. But when I want to change permissions of a file on my samba share and click permissions, I see this: http://raunz.pri.ee/linux/samba/samba_groups.jpg

The groups account operators, administrators, domain admins, domain users... appear twice in the listing (for windows, some are local groups and others global groups). The group "users" appears even 3 times. Which one is the correct group that I added to the LDAP base??? Where do these double entries come from??? And how to get rid of them and see only the groups that are listed below?

    # getent group (entries gid >= 200)
    Domain Admins:x:200:
    Domain Users:x:201:
    Domain Guests:x:202:
    Administrators:x:220:
    Users:x:221:
    Guests:x:222:nobody
    Power Users:x:223:
    Account Operators:x:224:
    Server Operators:x:225:
    Print Operators:x:226:
    Backup Operators:x:227:
    Replicator:x:228:
    Enterprise Admins:x:229:

regards,
- Rauno Tuul -
suggestion: LDAP and pwdMustChange value in pdb_ldap.c
Hi,

A little suggestion to the SAMBA developers... as long as samba doesn't support a password expiry time.

I have in my office a rule that every domain password must be changed every 90 days. I store user info in LDAP. So I added to smb.conf this line:

    passwd program = /usr/local/sbin/smbldap-pass.pl %u

The perl script is a tune-up of the smbldap-tools script pack by IDEALX. It changes the UNIX password and sets the time when the password expires in LDAP. The content of the script is at the end of the e-mail.

But the problem is in pdb_ldap.c. When the user calls that binary to change the password, first all data about the user is read from LDAP and stored in memory. Then my Perl script (passwd program) is called, which successfully changes the unix password and sets the new expiry date in LDAP. But at the end samba writes back all the data he got from LDAP, including the pwdMustChange value. So even if the script changes the value, samba puts back the previous value.

There are 2 ways to solve this:

1) change pdb_ldap.c so it calculates the new pwdMustChange value and writes it to LDAP (if you need to change the time, then you must recompile samba)
2) comment out a few lines in pdb_ldap.c and use the perl script (for a little modification, tune only the perl script)

pdb_ldap.c
773,775c773,774
// commented out by raunz
//slprintf (temp, sizeof (temp) - 1, %li, pdb_get_pass_must_change_time(sampass));
//make_a_mod(mods, ldap_state, pwdMustChange, temp);
---
slprintf (temp, sizeof (temp) - 1, %li, pdb_get_pass_must_change_time(sampass));
make_a_mod(mods, ldap_state, pwdMustChange, temp);

I don't understand why samba even reads/writes the other LDAP values, when samba only changes the password hashes and the password set time... This way I got samba to act as I wanted :)

I hope that made sense... The best solution would be to implement the password expiry time variable.
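Review bot: the diff is reversed relative to the text around it. In the ed-style hunk `773,775c773,774` the lines before `---` are the old side, and here those are the commented-out `//slprintf` and `//make_a_mod` calls, while the new side after `---` is the original uncommented pair; the hunk was generated as `diff modified original`, so feeding it to patch would reinstate the write-back instead of removing it. Regenerate it as `diff -u pdb_ldap.c.orig pdb_ldap.c` so the direction matches the description. A second point on the same hunk: dropping the `make_a_mod(mods, ldap_state, pwdMustChange, temp)` call unconditionally means pdb_ldap never stores pwdMustChange on any write path, including when an account is first created, so the attribute then exists only for users who have gone through the perl script. Skipping the write only when a `passwd program` is configured, or only when the in-memory value is unchanged, would keep the behaviour for accounts created by other tools.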
RaunZ

==

    #!/usr/bin/perl
    # passwd program for Samba 2.2 + LDAP: changes the UNIX password and
    # sets pwdMustChange 90 days ahead (uses the IDEALX smbldap-tools modules).
    use strict;
    use smbldap_tools;
    use smbldap_conf;

    my $user;
    my $ret;
    my $arg;
    # the first argument that does not start with '-' is the user name
    foreach $arg (@ARGV) {
        if (substr($arg, 0, 1) ne '-') { $user = $arg; }
    }
    die "usage: $0 username\n" unless defined $user;

    # test existence of user in LDAP
    my $dn_line = get_user_dn($user);
    die "user $user not found in LDAP\n" unless $dn_line;
    my $dn = get_dn_from_line($dn_line);

    # prompt for new password twice, with echo off
    my $pass;
    my $pass2;
    system "stty -echo";
    print "New password : ";
    chomp($pass = <STDIN>);
    print "\n";
    system "stty echo";
    system "stty -echo";
    print "Retype new password : ";
    chomp($pass2 = <STDIN>);
    print "\n";
    system "stty echo";
    die "passwords do not match\n" if $pass ne $pass2;

    # change unix password; single-quote the password so a ' in it cannot
    # break out of the shell command line
    (my $qpass = $pass) =~ s/'/'\\''/g;
    $ret = system "$ldappasswd '$dn' -s '$qpass' > /dev/null";
    if ($ret == 0) {
        print "password changed successfully\n";
    } else {
        exit($ret >> 8);
    }

    # generate the time when the password expires (90 days, UNIX epoch seconds)
    my $passexpires = time() + 90*24*60*60;
    my $tmpldif = <<"EOF";
    $dn_line
    changetype: modify
    replace: pwdmustchange
    pwdmustchange: $passexpires
    -
    EOF
    do_ldapmodify($tmpldif);
    undef $tmpldif;
    exit 0;
    # - The End
[Samba] (no subject)
confirm 802487