Re: [Samba] SMS 2003 and Samba

2005-06-22 Thread Robert Rati

Jeremy Allison wrote:

On Wed, Jun 15, 2005 at 12:25:15PM +0100, Kristyan Osborne wrote:


Hi,

I was wondering if anyone has played with Microsoft's SMS 2003? I've got
a Samba 3 PDC using an LDAP backend, and a Windows 2003 server running
SMS 2003. The SMS 2003 setup moans that it cannot verify the service
account in the domain. Its reasons are it cannot connect to the domain
as either the user account does not have access to the domain or the
domain controller is down. I know the PDC is up and running and I have
logged in as root to prove that I have full access.

I was wondering if this is a Samba compatibility issue or whether it's
something else.



Can you get a network capture trace of what the SMS server is trying to
do to the DC ?


I have a very similar setup (if not exact) as the original poster and am
having the same problem.  The only difference there might be is that I
am running Windows 2003 SP1, whereas the original poster didn't mention
Service Pack level.

What I have learned is that SMS 2003 must be installed on a server in a
domain but by a user account that has domain write access.  The account
that SMS is having problems verifying is an administration/maintenance
account for SMS, and this account MUST be a domain account.  I have
tried using my Domain Admin account (the one that was used to add the
machine to the domain and is a part of Domain Admin and Admin groups),
but I still receive the above mentioned error message.  I've included a
tcpdump of the traffic to and from the PDC.  Would you need a capture of 
the traffic from the DC to the LDAP server?


Rob

07:38:23.340046 wdselab-b-61-1.comm.mot.com.netbios-ns >
173.140.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
 4500 004e 8248  8011 203d ad8c 3d01
 ad8c  0089 0089 003a 6a2d 88a8 0110
 0001    2046 4543 4e46 4845
 4546 4445 4645 4d45 4245 4343 4143 4143
 4143 4143 4143 4142 4c00 0020 0001
07:38:23.341265 wdselab-b-1-100.comm.mot.com.netbios-ns >
wdselab-b-61-1.comm.mot.com.netbios-ns: NBT UDP PACKET(137): QUERY; POSITIVE; 
RESPONSE; UNICAST (DF)
 4500 005a  4000 4011 a115 ad8c 0164
 ad8c 3d01 0089 0089 0046 e0c5 88a8 8580
  0001   2046 4543 4e46 4845
 4546 4445 4645 4d45 4245 4343 4143 4143
 4143 4143 4143 4142 4c00 0020 0001 0003
 f480 0006 6000 ad8c 0164
07:38:23.341509 wdselab-b-61-1.comm.mot.com.netbios-dgm >
wdselab-b-1-100.comm.mot.com.netbios-dgm: NBT UDP PACKET(138)
 4500 0118 8249  8011 1e0e ad8c 3d01
 ad8c 0164 008a 008a 0104 81e7 1002 88a7
 ad8c 3d01 008a 00ee  2046 4845 4546
 4445 4645 4d45 4245 4343 4e45 4343 4e44
 4744 4243 4e44 4243 4141 4100 2046 4543
 4e46 4845 4546 4445 4645 4d45 4245 4343
 4143 4143 4143 4143 4143 4142 4c00 ff53
 4d42 2500      
        1100
 004e     00e8 0300 
   004e 005c 0003 0001 0001 0002
 0065 005c 4d41 494c 534c 4f54 5c4e 4554
 5c4e 4554 4c4f 474f 4e00 0700 5744 5345
 4c41 422d 422d 3631 2d31 005c 4d41 494c
 534c 4f54 5c4e 4554 5c47 4554 4443 3837
 3000 5700 4400 5300 4500 4c00 4100 4200
 2d00 4200 2d00 3600 3100 2d00 3100 
 0b00 0010  
07:38:23.342789 wdselab-b-1-100.comm.mot.com.netbios-dgm >
wdselab-b-61-1.comm.mot.com.netbios-dgm: NBT UDP PACKET(138) (DF)
 4500 0118  4000 4011 a057 ad8c 0164
 ad8c 3d01 008a 008a 0104 6c5d 100a 562d
 ad8c 0164 008a 00ee  2046 4845 4546
 4445 4645 4d45 4245 4343 4e45 4343 4e44
 4243 4e44 4244 4144 4141 4100 2046 4845
 4546 4445 4645 4d45 4245 4343 4e45 4343
 4e44 4744 4243 4e44 4243 4141 4100 ff53
 4d42 2500      
        1100
 004e       
   004e 005c 0003 0001 0001 0002
 0065 005c 4d41 494c 534c 4f54 5c4e 4554
 5c47 4554 4443 3837 3000 0c00 5744 5345
 4c41 422d 422d 312d 3130 3000 5700 4400
 5300 4500 4c00 4100 4200 2d00 4200 2d00
 3100 
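As an added example (not part of the thread, and not Samba or tcpdump code), here is a decoder for the two things the text dump above already shows: the name-service answer the PDC returned for the <1B> domain master browser query, and the NETLOGON mailslot query/response pair (opcodes 7 and 12) carried in the two port-138 datagrams. The hex words are transcribed from the dump; because the archive dropped every all-zero word, only the fields whose bytes survived intact are fed to the parsers. Decoded, the PDC answers the T-WDSELAB<1B> query with 173.140.1.100 and answers WDSELAB-B-61-1's primary-DC query with its own name, which is the part of the exchange this capture shows succeeding.

```python
"""Decode the NBT name-service answer and the NETLOGON mailslot exchange from
the tcpdump text dump in the post above (added example, not part of the
thread).  The hex words are transcribed from that dump; the archive dropped
every all-zero word, so only fields whose bytes survived intact are used."""
import struct
from typing import Dict, Tuple

# Answer record in the PDC's reply to the <1B> name query (frame
# 07:38:23.341265), from the 0x20 length byte of the name to the address.
ANSWER_RR = bytes.fromhex(
    "2046 4543 4e46 4845 4546 4445 4645 4d45 4245 4343 4143 4143"
    " 4143 4143 4143 4142 4c00 0020 0001 0003 f480 0006 6000 ad8c 0164")

# Mailslot name plus data of the client's NETLOGON datagram (frame
# 07:38:23.341509) and of the PDC's reply (frame 07:38:23.342789), up to the
# UTF-16 name (the archived reply is cut off inside that name).
QUERY_MAILSLOT = bytes.fromhex(
    "5c 4d41 494c 534c 4f54 5c4e 4554 5c4e 4554 4c4f 474f 4e00 0700 5744 5345"
    " 4c41 422d 422d 3631 2d31 005c 4d41 494c 534c 4f54 5c4e 4554 5c47 4554"
    " 4443 3837 3000 5700 4400 5300 4500 4c00 4100 4200 2d00 4200 2d00 3600"
    " 3100 2d00 3100")
RESPONSE_MAILSLOT = bytes.fromhex(
    "5c 4d41 494c 534c 4f54 5c4e 4554 5c47 4554 4443 3837 3000 0c00 5744 5345"
    " 4c41 422d 422d 312d 3130 3000 5700 4400 5300 4500 4c00 4100 4200 2d00"
    " 4200 2d00 3100")

NETLOGON_OPCODES = {0x07: "LOGON_PRIMARY_QUERY", 0x0C: "LOGON_PRIMARY_RESPONSE"}
NODE_TYPES = ("B", "P", "M", "H")


def decode_nbt_name(encoded: bytes) -> Tuple[str, int]:
    """Undo NetBIOS first-level encoding (RFC 1001 section 14.1): a 0x20
    length byte, 32 characters 'A'..'P' carrying one nibble each, a 0x00 end.
    Returns the 15-character name without padding and the 16th-byte suffix
    (0x00 workstation, 0x1B domain master browser, 0x1C domain controllers)."""
    if len(encoded) < 34 or encoded[0] != 0x20 or encoded[33] != 0x00:
        raise ValueError("expected a 34-byte first-level encoded name")
    raw = bytearray()
    for hi, lo in zip(encoded[1:33:2], encoded[2:33:2]):
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("name character outside 'A'..'P'")
        raw.append(((hi - 0x41) << 4) | (lo - 0x41))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_name_answer(rr: bytes) -> Dict[str, object]:
    """Parse one NB answer record: encoded name, TYPE, CLASS, TTL, RDLENGTH,
    then NB_FLAGS (group bit, owner node type) and the IPv4 address."""
    name, suffix = decode_nbt_name(rr[:34])
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", rr[34:44])
    if rtype != 0x20 or rclass != 1 or rdlen != 6:
        raise ValueError("expected a single-address NB record in class IN")
    flags, a, b, c, d = struct.unpack(">HBBBB", rr[44:50])
    return {"name": name, "suffix": suffix, "ttl": ttl,
            "group": bool(flags & 0x8000),
            "node_type": NODE_TYPES[(flags >> 13) & 0x3],
            "address": f"{a}.{b}.{c}.{d}"}


def _cstr(buf: bytes, pos: int) -> Tuple[str, int]:
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1


def _wstr(buf: bytes, pos: int) -> Tuple[str, int]:
    # UTF-16LE; ends at a NUL character or, for the truncated dump, at the
    # end of the buffer.
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_netlogon_mailslot(data: bytes) -> Dict[str, object]:
    """Parse the mailslot name and the NETLOGON message behind it.  Only the
    two opcodes seen in the capture are decoded; the UTF-16 fields sit at an
    even offset counted from the opcode."""
    mailslot, pos = _cstr(data, 0)
    start = pos
    opcode = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    info: Dict[str, object] = {"mailslot": mailslot, "opcode": opcode,
                               "meaning": NETLOGON_OPCODES.get(opcode, "unknown")}
    if opcode == 0x07:    # client asks "who is the PDC for my domain?"
        info["computer"], pos = _cstr(data, pos)
        info["reply_mailslot"], pos = _cstr(data, pos)
        pos += (pos - start) & 1
        info["unicode_computer"], pos = _wstr(data, pos)
    elif opcode == 0x0C:  # the PDC answers with its own NetBIOS name
        info["pdc"], pos = _cstr(data, pos)
        pos += (pos - start) & 1
        info["unicode_pdc"], pos = _wstr(data, pos)
    return info


if __name__ == "__main__":
    print(parse_name_answer(ANSWER_RR))
    print(parse_netlogon_mailslot(QUERY_MAILSLOT))
    print(parse_netlogon_mailslot(RESPONSE_MAILSLOT))
```

The same two parsers apply to the UDP payloads of a binary capture (the form Jeremy asks for below): feed `parse_name_answer` the answer section of a port-137 response and `parse_netlogon_mailslot` the bytes from the `\MAILSLOT` string onward in a port-138 datagram.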

Re: [Samba] SMS 2003 and Samba

2005-06-22 Thread Robert Rati

Jeremy Allison wrote:

On Wed, Jun 22, 2005 at 07:43:34AM -0500, Robert Rati wrote:


I have a very similar setup (if not exact) as the original poster and am
having the same problem.  The only difference there might be is that I
am running Windows 2003 SP1, whereas the original poster didn't mention
Service Pack level.

What I have learned is that SMS 2003 must be installed on a server in a
domain but by a user account that has domain write access.  The account
that SMS is having problems verifying is an administration/maintenance
account for SMS, and this account MUST be a domain account.  I have
tried using my Domain Admin account (the one that was used to add the
machine to the domain and is a part of Domain Admin and Admin groups),
but I still receive the above mentioned error message.  I've included a
tcpdump of the traffic to and from the PDC.  Would you need a capture of 
the traffic from the DC to the LDAP server?



FYI: A text file does not a capture make :-). We need *binary* files containing
the actual network traffic. Look at the tcpdump options for how to make it
output the real network traffic, not a text summary of it. Or better still,
use ethereal.


Not a problem.  People seem to have different definitions of a network 
capture, and different capabilities for review, so I opted for the 
lowest common denominator.  My apologies if I wasted anyone's time. 
Here's a binary capture using the -w option with tcpdump.  I've used 
this before and I know ethereal can open the capture file.


Rob
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] SMS 2003 and Samba

2005-06-22 Thread Robert Rati

Jeremy Allison wrote:

On Wed, Jun 22, 2005 at 07:43:34AM -0500, Robert Rati wrote:


I have a very similar setup (if not exact) as the original poster and am
having the same problem.  The only difference there might be is that I
am running Windows 2003 SP1, whereas the original poster didn't mention
Service Pack level.

What I have learned is that SMS 2003 must be installed on a server in a
domain but by a user account that has domain write access.  The account
that SMS is having problems verifying is an administration/maintenance
account for SMS, and this account MUST be a domain account.  I have
tried using my Domain Admin account (the one that was used to add the
machine to the domain and is a part of Domain Admin and Admin groups),
but I still receive the above mentioned error message.  I've included a
tcpdump of the traffic to and from the PDC.  Would you need a capture of 
the traffic from the DC to the LDAP server?



FYI: A text file does not a capture make :-). We need *binary* files containing
the actual network traffic. Look at the tcpdump options for how to make it
output the real network traffic, not a text summary of it. Or better still,
use ethereal.


The attachment on my previous e-mail seems to have disappeared.  Here's 
a gzipped version of the capture file.


Rob

Re: [Samba] SMS 2003 and Samba

2005-06-22 Thread Robert Rati
Then how would I make sure the network capture gets sent to the correct 
people?  Just send it to one person (not the list) that has responded 
(ie Jeremy Allison or possibly yourself)?


Rob

Gerald (Jerry) Carter wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Robert Rati wrote:


The attachment on my previous e-mail seems to have 
disappeared.  Here's a gzipped version of the capture file.



attachments always get stripped from list mail.





cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
I never saved anything for the swim back. Ethan Hawk in Gattaca
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCuY9FIR7qMdg1EfYRAvPSAKDTZpma4/ZyiWB4wMLW0wphwAnm/gCfcVrp
EI2eTL3Q7QgnhGIfW1ORXvw=
=H2kD
-END PGP SIGNATURE-




[Fwd: [Samba] Still having groupmap problems]

2003-12-18 Thread Robert Rati
I turned on debug level 10 (by adding -d 10 to the net command), and I 
see this over and over again in the syslog:

Dec 18 13:35:36 wdselab-a-1-100 net:   ldapsam_search_one_group: Problem 
during the LDAP search: LDAP error: invalid DN (Invalid DN 
syntax)ldapsam_search_one_group: Query was: ou=Groups,dc=domain, 
(&(objectClass=sambaGroupMapping)(gidNumber=4294967295))

So why is that gidNumber being used?  I can't find a way to change this 
search query in any way.  I manually added the 
objectClass=sambaGroupMapping and it's corresponding entries to my LDAP 
database before I did this.  Would that cause a problem?

Rob

-------- Original Message --------
Subject: [Samba] Still having groupmap problems
Date: Wed, 17 Dec 2003 14:00:19 -0600
From: Robert Rati[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
I have two samba servers on two separate subnets that are comprising a
single domain, and one of the samba servers is also the LDAP server.
I've gotten everything configured except that I can't use the groupmap
command.  When I run:
net groupmap add sid=SID-512 ntgroup=Domain Admins
unixgroup=dom_admin type=domain
I get this error over and over again (and increasing the log level via
smbcontrol doesn't seem to provide any more information):
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
invalid DN (Invalid DN syntax)
I also see this message every so often in the syslogs of both samba servers:

passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
invalid DN (Invalid DN syntax)ldapsam_search_one_group: Query was:
ou=Groups,dc=domain,
(&(objectClass=sambaGroupMapping)(gidNumber=65534))
Are the samba servers trying to get group mappings from each other?  Is
gidNumber=65534 being used because the group mapping isn't setup?  Can
someone give me any advice on things to try to find the problem with my
group map actions?  Any help would be appreciated.
Rob


Re: [Fwd: [Samba] Still having groupmap problems]

2003-12-18 Thread Robert Rati
Gerald (Jerry) Carter wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Robert Rati wrote:

| Dec 18 13:35:36 wdselab-a-1-100 net:   ldapsam_search_one_group: Problem
| during the LDAP search: LDAP error: invalid DN (Invalid DN
| syntax)ldapsam_search_one_group: Query was: ou=Groups,dc=domain,
| (&(objectClass=sambaGroupMapping)(gidNumber=4294967295))
(gdb) print (int)4294967295
$1 = -1
Did you see the other message about not using quotes
surrounding the ldap suffixes in smb.conf?
cheers, jerry
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/4hA0IR7qMdg1EfYRAqHBAKCWdybrn95u0RHol8qVUBKoBtJ6DgCfajBU
3wkZIguo9U1r3NHo78W4+gs=
=uOPh
-END PGP SIGNATURE-
I missed that message.  I removed the quotes from my smb.conf file and 
now I can do a groupmap list (whereas before I couldn't) and groupmap 
add, so the quotes appear to be the problem.  Thanks!

Rob
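The fix in this exchange was removing the quotes around the ldap suffix values in smb.conf. As an added example (written for this page, not Samba's code), the check below reads an smb.conf, flags quoted suffix values, builds the group search base the way smb.conf(5) documents it (the `ldap group suffix` is prepended to `ldap suffix`) and validates that base as a DN, which is what the server's "Invalid DN syntax" result is about. It also rebuilds the filter the log line quotes and shows why a gid of -1 is printed as 4294967295. Both smb.conf texts are constructed.

```python
"""Check the 'ldap ... suffix' values of an smb.conf for the problem in the
groupmap thread above (added example, not Samba code).  Quotes left around a
suffix become part of the DN Samba sends, and the LDAP server then rejects
the search with 'Invalid DN syntax'.  The smb.conf texts are constructed."""
import re
from typing import Dict, List

# Constructed: the quoted form the thread warns about, and the corrected form.
SMB_CONF_QUOTED = """
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://localhost
   ldap suffix = "dc=domain"
   ldap admin dn = "cn=Manager,dc=domain"
   ldap user suffix = "ou=Users"
   ldap group suffix = "ou=Groups"
"""
SMB_CONF_FIXED = SMB_CONF_QUOTED.replace('"', "")

# One RDN of an RFC 4514 string DN: attribute=value with no unescaped
# special character ( , + " \ < > ; ) in the value.
_RDN = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(?:[^,+"\\<>;]|\\.)*$')


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines;
    keys are lower-cased with single spaces, '#' and ';' start comments."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def is_valid_dn(dn: str) -> bool:
    """True when every comma-separated RDN matches the string-DN grammar."""
    if not dn:
        return False
    return all(_RDN.match(rdn) for rdn in dn.split(","))


def group_search_base(conf: Dict[str, Dict[str, str]]) -> str:
    """smb.conf(5): 'ldap group suffix' is a partial DN prepended to
    'ldap suffix'; when unset, 'ldap suffix' alone is used."""
    g = conf.get("global", {})
    suffix = g.get("ldap suffix", "")
    group = g.get("ldap group suffix", "")
    return f"{group},{suffix}" if group else suffix


def check_ldap_suffixes(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Report quoted suffix values and an unusable group search base."""
    findings: List[str] = []
    g = conf.get("global", {})
    for key in ("ldap suffix", "ldap admin dn", "ldap user suffix", "ldap group suffix"):
        value = g.get(key)
        if not value:
            continue
        if value[0] in "\"'" or value[-1] in "\"'":
            findings.append(f"{key}: {value} is quoted; the quotes become part of the DN")
    base = group_search_base(conf)
    if not is_valid_dn(base):
        findings.append(f"group search base {base!r} is not a valid DN")
    return findings


def group_search_filter(gid: int) -> str:
    """The filter the log line quotes after 'Query was: <base>,'.  The gid is
    a gid_t printed with an unsigned conversion, so a lookup that produced
    -1 appears as 4294967295 (Jerry's gdb one-liner above in reverse)."""
    return f"(&(objectClass=sambaGroupMapping)(gidNumber={gid & 0xFFFFFFFF}))"


if __name__ == "__main__":
    for label, text in (("quoted", SMB_CONF_QUOTED), ("fixed", SMB_CONF_FIXED)):
        conf = parse_smb_conf(text)
        print(label, group_search_base(conf), check_ldap_suffixes(conf) or "ok")
    print(group_search_filter(-1))
```

Running it prints the quoted base `"ou=Groups","dc=domain"` with five findings and the fixed base `ou=Groups,dc=domain` with none, followed by the gidNumber=4294967295 filter from the log.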


[Samba] Still having groupmap problems

2003-12-17 Thread Robert Rati
I have two samba servers on two separate subnets that are comprising a 
single domain, and one of the samba servers is also the LDAP server. 
I've gotten everything configured except that I can't use the groupmap 
command.  When I run:

net groupmap add sid=SID-512 ntgroup=Domain Admins 
unixgroup=dom_admin type=domain

I get this error over and over again (and increasing the log level via 
smbcontrol doesn't seem to provide any more information):

ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
invalid DN (Invalid DN syntax)

I also see this message every so often in the syslogs of both samba servers:

passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
invalid DN (Invalid DN syntax)ldapsam_search_one_group: Query was: 
ou=Groups,dc=domain, 
(&(objectClass=sambaGroupMapping)(gidNumber=65534))

Are the samba servers trying to get group mappings from each other?  Is 
gidNumber=65534 being used because the group mapping isn't setup?  Can 
someone give me any advice on things to try to find the problem with my 
group map actions?  Any help would be appreciated.

Rob


Re: [Samba] Group Mapping problems

2003-12-16 Thread Robert Rati
When I enable logging level 5 (or even 10)), I don't see any more useful 
information.  I just see (over and over again):

ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
invalid DN (Invalid DN syntax)

But every once in a while (apparently not related to my net groupmap 
attempts), I see this:

passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
invalid DN (Invalid DN syntax)ldapsam_search_one_group: Query was: 
ou=Groups,dc=domain, 
(&(objectClass=sambaGroupMapping)(gidNumber=65534))

I'm assuming a machine on my domain is making this query (but I don't 
know why), but why is gidNumber=65534 being used for this query?  Can 
anyone shed some light as to what is going on?

I'm executing this command:

net groupmap add sid=SID-512 ntgroup=Domain Admins 
unixgroup=dom_admin type=domain

Rob

Greg Dickie wrote:

I think a debug level 5 will show you exactly what its looking for. You can do  
smbcontrol smbd debug 5 to set that.

hth,
Greg
On Monday 15 December 2003 17:27, Robert Rati wrote:

I'm trying to map my LDAP groups to Windows Groups, but I'm not having
any luck.  Here is a group I'm trying to map:
dn: cn=dom_admin,ou=Groups,dc=domain
objectClass: sambaGroupMapping
objectClass: posixGroup
gidNumber: 1000
cn: dom_admin
memberUid: dom_admin
description: Domain Admininistrators Group
sambaSID: S-1-5-21-835892245-73647866-3919785651-512
sambaGroupType: 2
but when I do a net groupmap command, I get this error over and over again:

  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
invalid DN (Invalid DN syntax)
What DN syntax is being used for this search?  How do I modify it/fix
this problem?
Rob




[Samba] Group Mapping problems

2003-12-15 Thread Robert Rati
I'm trying to map my LDAP groups to Windows Groups, but I'm not having 
any luck.  Here is a group I'm trying to map:

dn: cn=dom_admin,ou=Groups,dc=wdselab
objectClass: sambaGroupMapping
objectClass: posixGroup
gidNumber: 1000
cn: dom_admin
memberUid: dom_admin
description: Domain Admininistrators Group
sambaSID: S-1-5-21-835892245-73647866-3919785651-512
sambaGroupType: 2
but when I do a net groupmap command, I get this error over and over again:

  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
invalid DN (Invalid DN syntax)

What DN syntax is being used for this search?  How do I modify it/fix 
this problem?

Rob


[Samba] More info on Home Drive mapping problems

2003-12-05 Thread Robert Rati
I'm running Samba 3.0 on Debian stable (compiled myself) with LDAP as 
the backend authentication.  I've gotten everything working except home 
drive mapping (which I've gotten to work with limited success).  I 
turned on log level 5 on my samba server, and I found that if I don't 
enable that path variable in the [homes] section that the server is 
trying to use /dev/null as the home path.  Since this obviously isn't 
valid, it fails to map the home drive.  If I enable the path variable, 
the user can access his home drive but ONLY his home drive.  How do I 
allow a user to read/write to his home dir and read everyone else's home 
dir?  Can this be done?  The home drives are located on another server 
(or two).

Here's the LDAP entry for sambaHomePath:

sambaHomePath = \\Samba server\tester

I've also tried:
sambaHomePath = \\Samba server\homes
sambaHomePath = \\Samba server\homes\tester
and get the same result.

Here's my smb.conf:

[global]
   panic action = /usr/share/samba/panic-action %d
   workgroup = Workgroup Name
   server string = Samba Server
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/log.%m
   logon drive = z:
   netbios name = Samba Server name
   max log size = 50
   security = user
   password server = localhost:389
   encrypt passwords = true
   passdb backend = ldapsam:ldap://localhost guest
   smb passwd file = /etc/smbpasswd
   unix password sync = No
   passwd program = /usr/bin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *ReType*new*password* %n\n
   username map = /etc/samba/smbusers
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   interfaces = IP/subnet
   remote browse sync = other Samba server
   remote announce = subnet IP
   local master = yes
   os level = 99
   preferred master = yes
   domain logons = yes
   name resolve order = wins host lmhosts bcast
   wins server = wins IP
   dns proxy = no
   case sensitive = yes

   ldap suffix = o=suffix
   ldap admin dn = cn=Manager,o=suffix
   ldap port = 389
   ldap server = ldap_ip
   #ldap ssl = start tls
   ldap ssl = no
   ldap passwd sync = yes
   ldap user suffix = ou=Users
[homes]
   path =/home/%u
#   comment = Home Directory
#   users = %S
#   public = no
#   guest ok = no
   browseable = no
   writable = yes
   create mask = 0644
   directory mask = 0755
[Profiles]
   path = /home/profiles
   browseable = no
   guest ok = no
   profile acls = yes
   create mode = 0644
   csc policy = disable
   directory mode = 0755
   writeable = yes
Rob



Re: [Samba] Home Drive Mapping problems

2003-12-04 Thread Robert Rati
Replacing valid users with users didn't change anything.  Unless I 
have the path variable enabled in the [homes] section, I get this error 
from windows when trying to browse any home drive:

The network name can not be found

Is there some kind of mapping I need to do that I'm not understanding? 
The only way I've gotten a home directory mapped is by enabling the path 
variable, but then ALL home drives the user looks at are that exact path.

Rob

Computer Science wrote:
Replace valid users  for users.  Simple fix once you know this is 
the problem.

Leo

Robert Rati wrote:

I've got Samba 3.0 on a Debian stable system set up to authenticate 
using an LDAP server (also on the Debian system), and I'm having 
problems getting home drive mapping to work.  What I would like, is 
that if someone browses to the Samba server (on a win2k PC), they can 
see all the home drives of all the users on the server and also have 
read-only access to them.  The owner of a home drive would have it 
mapped to their win2k machine and have read-write access, obviously.  
Here's the entry I have in LDAP for the home drive:

sambaHomePath: \\PDC\homes

and here's my [homes] section in smb.conf:

[homes]
#   path =/home/%u
   comment = Home Directories
#   valid users = %S
   browseable = no
   writable = yes
   create mask = 0644
   directory mask = 0755
If I enable valid users, then no one can log into their home drives.  
In fact, I can't figure out what user IS valid to look at the home 
drive. I can sort of get things to work if I enable the path variable, 
but then I have an issue that every home drive the user looks at on 
the server is their home drive.  For example, if userA looks on the 
PDC, he sees drives for userA, userB, and userC.  If userA looks in 
any of the drives all he sees is the contents of userA's home drive.  
All of the examples I've looked at don't use the path variable in 
[homes], but if I don't then windows reports the share isn't 
accessible when browsing to it. What am I doing wrong?

Rob




[Samba] Home Drive Mapping problems

2003-12-03 Thread Robert Rati
I've got Samba 3.0 on a Debian stable system set up to authenticate 
using an LDAP server (also on the Debian system), and I'm having 
problems getting home drive mapping to work.  What I would like, is that 
if someone browses to the Samba server (on a win2k PC), they can see all 
the home drives of all the users on the server and also have read-only 
access to them.  The owner of a home drive would have it mapped to their 
win2k machine and have read-write access, obviously.  Here's the entry I 
have in LDAP for the home drive:

sambaHomePath: \\PDC\homes

and here's my [homes] section in smb.conf:

[homes]
#   path =/home/%u
   comment = Home Directories
#   valid users = %S
   browseable = no
   writable = yes
   create mask = 0644
   directory mask = 0755
If I enable valid users, then no one can log into their home drives.  In 
fact, I can't figure out what user IS valid to look at the home drive. 
I can sort of get things to work if I enable the path variable, but then 
I have an issue that every home drive the user looks at on the server is 
their home drive.  For example, if userA looks on the PDC, he sees 
drives for userA, userB, and userC.  If userA looks in any of the drives 
all he sees is the contents of userA's home drive.  All of the examples 
I've looked at don't use the path variable in [homes], but if I don't 
then windows reports the share isn't accessible when browsing to it. 
What am I doing wrong?

Rob

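The symptom in the three home-drive messages above (every user's home share showing the connecting user's own files once `path = /home/%u` is set) comes from which substitution variable the path uses. As an added example, written for this page and not Samba's code, the model below applies the documented smb.conf(5) rules: `%u` is the user who connected, `%S` is the name of the requested share (for [homes] that is the owner's user name), a [homes] share with no `path` maps to the owner's home directory from the passwd/NSS entry, and `write list` grants write access on an otherwise read-only share. The passwd records and the three [homes] configurations are constructed.

```python
"""Model of how a [homes] share resolves, to show why 'path = /home/%u'
collapses every home share onto the connecting user's directory (added
example, a simplified model written for this page, not Samba's code).  The
passwd data below stands in for what getpwnam() returns through nss_ldap."""
from typing import Dict, Optional, Set, Tuple

# Constructed NSS data: user name -> home directory.
PASSWD_HOME: Dict[str, str] = {
    "userA": "/srv/homes/userA",
    "userB": "/srv/homes/userB",
    "userC": "/srv/homes/userC",
}

# Constructed [homes] sections.
BROKEN = {"path": "/home/%u", "writable": "yes"}       # %u is the *connecting* user
FIXED = {"writable": "no", "write list": "%S"}         # owner writes, everyone else reads
OWNER_ONLY = {"valid users": "%S", "writable": "yes"}  # only the owner may connect at all


def substitute(value: str, user: str, share: str) -> str:
    """The two smb.conf variables this model needs."""
    return value.replace("%u", user).replace("%S", share)


def _names(value: Optional[str], user: str, share: str) -> Set[str]:
    return {n.strip() for n in substitute(value or "", user, share).split(",") if n.strip()}


def resolve_homes(homes: Dict[str, str], user: str, share: str) -> Tuple[str, str]:
    """Return (unix path, access) for `user` opening \\\\server\\<share>, where
    <share> is a user name that [homes] matched.  access is 'rw', 'ro' or
    'denied'.  Unix permissions on the directory still apply on top of this."""
    if share not in PASSWD_HOME:
        raise LookupError(f"{share}: no passwd entry, so [homes] cannot match it")
    valid = _names(homes.get("valid users"), user, share)
    if valid and user not in valid:
        return "", "denied"
    # No 'path': the share is the owner's home directory from the passwd entry.
    path = substitute(homes["path"], user, share) if "path" in homes else PASSWD_HOME[share]
    writable = homes.get("writable", homes.get("writeable", "no")).lower() == "yes"
    if user in _names(homes.get("read list"), user, share):
        writable = False
    if user in _names(homes.get("write list"), user, share):
        writable = True   # write list wins over read only / read list
    return path, "rw" if writable else "ro"


if __name__ == "__main__":
    for label, homes in (("broken", BROKEN), ("fixed", FIXED), ("owner only", OWNER_ONLY)):
        for user, share in (("userA", "userA"), ("userA", "userB")):
            print(f"{label:10} {user} opens \\\\server\\{share}: {resolve_homes(homes, user, share)}")
```

With `BROKEN`, userA opening `\\server\userB` lands in `/home/userA` with write access, which is the behaviour described above; with `FIXED`, the same request resolves to userB's passwd home directory read-only while userB keeps read-write on it. The model also shows why a user absent from NSS cannot have a [homes] share at all, which ties in with the getpwnam() failures elsewhere on this page.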


[Samba] Groups and LDAP

2003-11-20 Thread Robert Rati
I'm a little weak on how the groups assignments work with Samba and 
LDAP.  The Samba HOWTO collection says to map each Domain Group to a 
UNIX system group, but if all authentication is done via LDAP (Unix and 
Windows) then do the groups still have to exist on the Samba Unix 
machine?  Where do the RIDs fit into all this?  I don't see a schema in 
LDAP for sambaGroup.  Do I create the domain groups with the posixGroup 
schema and set their gid to a RID that will exist on the Windows machine 
(like 512 for Domain Admins)?  Or do I just bypass the group mapping 
altogether and set a Domain Admins sambaPrimaryGroupSID to SID-512? 
Any help on this would be very helpful, as I think I'm confusing myself.

Rob



Re: [Samba] Groups and LDAP

2003-11-20 Thread Robert Rati
I think I understand.  So, if I want a user (in LDAP) to be a part of 
your ntadmins group, I'd set his gidNumber to 1000, correct?  Would I 
also need to add a memberUid field in the ntadmins group for this user? 
I.e. for user bob:

dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick
memberUid: bob
Can an LDAP user have a gidNumber of 0 and be a root user on a Unix machine?

Rob

Patrick wrote:
Rob,

Maybe I can shed some light on this for you.  I have just setup a Samba 
PDC + LDAP machine here.  For the group assignments to work you will 
still need to have a unix group on the machine.  So you use the normal 
method to add a unix group in the ldap directory.  You can then add any 
users you want to that group.  So for example I setup the following unix 
group in ldap:

# ntadmins, Groups, firerun, net
dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick
Then you will need to use the net tool to do a group mapping.  First you 
will need to lookup the SID of the domain.  So you will use net 
getlocalsid SID once you have the Domain SID you will use the following 
command to map the unix group to a domain group:

net groupmap add sid=domain sid-512 ntgroup=Domain Admins 
unixgroup=ntadmins type=domain

That command will add the samba group mapping attributes and the 
ntadmins group will now be the Domain Admins group on Windows clients. 
Any users that are added to the ntadmins unix group will be members of 
the Domain Admins group.  To confirm the mapping just use net groupmap 
list.

Patrick

Robert Rati wrote:

I'm a little weak on how the groups assignments work with Samba and 
LDAP.  The Samba HOWTO collection says to map each Domain Group to a 
UNIX system group, but if all authentication is done via LDAP (Unix 
and Windows) then do the groups still have to exist on the Samba Unix 
machine?  Where do the RIDs fit into all this?  I don't see a schema 
in LDAP for sambaGroup.  Do I create the domain groups with the 
posixGroup schema and set their gid to a RID that will exist on the 
Windows machine (like 512 for Domain Admins)?  Or do I just bypass the 
group mapping altogether and set a Domain Admins sambaPrimaryGroupSID 
to SID-512? Any help on this would be very helpful, as I think I'm 
confusing myself.

Rob


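Patrick's procedure above is: keep a normal posixGroup in LDAP, then let `net groupmap add` attach the Samba mapping attributes (the sambaGroupMapping objectClass, a sambaSID of the domain SID plus the RID, and a sambaGroupType) to it. As an added example, not Samba's code, the block below produces the LDIF modification that records such a mapping and reads a mapped entry back to show which gidNumber is tied to which RID. Patrick's ntadmins entry and Rob's domain SID are taken from the posts; the attribute set follows the sambaGroupMapping object class in Samba's schema (gidNumber, sambaSID and sambaGroupType required, displayName optional), and the type numbers (domain 2, local 4, builtin 5) are the values `net groupmap add type=` stores.

```python
"""Turn a posixGroup in LDAP into a Samba group mapping the way the thread
above describes (added example, not Samba's code): emit the LDIF modification
'net groupmap add' effectively records, and read a mapped entry back.
Patrick's ntadmins entry and Rob's domain SID come from the posts; the rest
is constructed."""
import re
from typing import Dict, List

NTADMINS_LDIF = """\
dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick
"""
DOMAIN_SID = "S-1-5-21-835892245-73647866-3919785651"   # from Rob's mapped entry

# sambaGroupMapping MUST gidNumber, sambaSID, sambaGroupType (MAY displayName);
# 'net groupmap add type=' stores domain=2, local=4, builtin=5.
GROUP_TYPES = {"domain": 2, "local": 4, "builtin": 5}
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
_DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Read one LDIF entry into attribute -> values (no continuation lines
    and no base64 values, which is all these group entries need)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        entry.setdefault(attr, []).append(value)
    return entry


def map_group(entry: Dict[str, List[str]], domain_sid: str, rid: int,
              nt_name: str, group_type: str = "domain") -> Dict[str, List[str]]:
    """Return the entry as it looks after the mapping has been added."""
    if not _DOMAIN_SID.match(domain_sid):
        raise ValueError(f"{domain_sid}: not a domain SID of the form S-1-5-21-a-b-c")
    classes = entry.get("objectClass", [])
    if "posixGroup" not in classes or "gidNumber" not in entry:
        raise ValueError("the unix group must exist in LDAP before it can be mapped")
    if "sambaGroupMapping" in classes:
        raise ValueError("entry is already mapped; use net groupmap modify")
    mapped = {k: list(v) for k, v in entry.items()}
    mapped["objectClass"] = classes + ["sambaGroupMapping"]
    mapped["sambaSID"] = [f"{domain_sid}-{rid}"]
    mapped["sambaGroupType"] = [str(GROUP_TYPES[group_type])]
    mapped["displayName"] = [nt_name]
    return mapped


def modify_ldif(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> str:
    """LDIF 'changetype: modify' adding every value present in after but not
    in before, i.e. what the mapping step writes to the directory."""
    lines = [f"dn: {before['dn'][0]}", "changetype: modify"]
    for attr, values in after.items():
        new = [v for v in values if v not in before.get(attr, [])]
        if new:
            lines += [f"add: {attr}"] + [f"{attr}: {v}" for v in new] + ["-"]
    return "\n".join(lines) + "\n"


def describe_mapping(entry: Dict[str, List[str]]) -> Dict[str, object]:
    """Read a mapped entry back: which gid is tied to which domain SID and RID."""
    domain, _, rid = entry["sambaSID"][0].rpartition("-")
    rid_int = int(rid)
    return {"gid": int(entry["gidNumber"][0]), "domain_sid": domain, "rid": rid_int,
            "nt_name": WELL_KNOWN_RIDS.get(rid_int, entry.get("displayName", ["?"])[0]),
            "type": int(entry["sambaGroupType"][0])}


if __name__ == "__main__":
    before = parse_ldif_entry(NTADMINS_LDIF)
    after = map_group(before, DOMAIN_SID, 512, "Domain Admins")
    print(modify_ldif(before, after))
    print(describe_mapping(after))
```

The emitted LDIF leaves gidNumber and the memberUid values untouched, which is the point of Patrick's explanation: membership stays a unix-group matter, and the mapping only adds the SID side.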


Re: [Samba] Win2K Password Hash

2003-11-11 Thread Robert Rati
I have installed nss_ldap and changed my nsswitch.conf file to be like 
the example given with the nss_ldap package, so I thought that would 
satisfy the samba requirement.  Is there other system configuration that 
needs to be done (other than changing nsswitch.conf) to satisfy this 
samba requirement?  All the information I've found regarding setting up 
LDAP in this regard has been sketchy at best.  I would think I'd have to 
configure a base dn at least, but I haven't found out how to do this.

Rob

Andrew Bartlett wrote:
On Tue, 2003-11-11 at 06:50, Robert Rati wrote:

I have a Samba 3.0 PDC using LDAP as its password database backend, but 
I can't get a user to log on to a Win2k machine on the domain.  In the 
log file for the PC (on the Samba machine), I see that the user is found 
in the LDAP backend but that getpwnam failed.  The username does not 
exist on the Linux machine in any form.  


Samba *requires* that the username exist on the server, via nsswitch, as
a normal user.  You cannot have users in Samba which are not in
/etc/passwd or its nsswitch'ed equivalent (nss_ldap etc).
Andrew Bartlett



[Samba] Win2k Password Hash

2003-11-10 Thread Robert Rati
I posted this earlier, but never saw it show up in the mailing list so 
I'm posting it again.

I have a Samba 3.0 PDC using LDAP as it's password database backend, but 
I can't get a user to log on to a Win2k machine on the domain.  In the 
log file for the PC (on the Samba machine), I see that the user is found 
in the LDAP backend but that getpwnam failed.  The username does not 
exist on the Linux machine in any form.  These usernames are ment to be 
for Windows only (at this time anyway).  I set log level at 5 and tried 
again and I see that the Lanman and NT password checks fail.  I used the 
mkntpwd that comes with samba 3.0 to create the passwords I put in the 
LDAP database, but obviously I've done something wrong.  Is the mkntpwd 
program supposed to be for NT4.0 machines?  Does Win2k use a different 
password algorithm?  The entries in the LDAP database for a user have 
these fields:

sambaLMPassword: 1st hash from mkntpwd
sambaNTPassword: 2nd hash from mkntpwd
Should I have something preceding the passwords in the LDAP database 
(like {SSHA})?  Any help on this would be much appreciated.

Rob



[Samba] Win2K Password Hash

2003-11-10 Thread Robert Rati
I have a Samba 3.0 PDC using LDAP as its password database backend, but 
I can't get a user to log on to a Win2k machine on the domain.  In the 
log file for the PC (on the Samba machine), I see that the user is found 
in the LDAP backend but that getpwnam failed.  The username does not 
exist on the Linux machine in any form.  These usernames are meant to be 
for Windows only (at this time anyway).  I set log level at 5 and tried 
again and I see that the Lanman and NT password checks fail.  I used the 
mkntpwd that comes with samba 3.0 to create the passwords I put in the 
LDAP database, but obviously I've done something wrong.  Is the mkntpwd 
program supposed to be for NT4.0 machines?  Does Win2k use a different 
password algorithm?  The entries in the LDAP database for a user have 
these fields:

sambaLMPassword: 1st hash from mkntpwd
sambaNTPassword: 2nd hash from mkntpwd
Should I have something preceding the passwords in the LDAP database 
(like {SSHA})?  Any help on this would be much appreciated.

Rob



[Samba] User Logon Problem

2003-11-07 Thread Robert Rati
I have a Samba 3.0 PDC talking to an LDAP server, but I can't get a user 
to log in on a Windows 2000 client.  I see this in the log file:

[2003/11/07 11:37:20, 1] auth/auth_util.c:make_server_info_sam(818)
  User tester in passdb, but getpwnam() fails!
[2003/11/07 11:37:20, 0] auth/auth_sam.c:check_sam_security(459)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_NO_SUCH_USER'

So the user is found in the LDAP database, but there's obviously 
something else that needs to be done.  I checked the web, but the only 
case where this was mentioned didn't provide much information.  How do I 
solve this problem?

Rob



Re: [Samba] Win2K or Samba Caching?

2003-11-03 Thread Robert Rati
I found the CachedLogonsCount registry settings in the Windows client 
and set them to 0 (zero), but it had no effect.  The deleted user could 
still log on.  On top of that, no new users can log on so something 
seems amiss.

Rob

Gerald (Jerry) Carter wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Robert Rati wrote:
| I have a PDC that is Samba 3.0 setup to talk to an OpenLDAP server for
| authentication, and I was able to get a user to log in to a Windows 2000
| machine on the domain.  Then I tried adding additional users, but none
| of them could log in.  So I tried deleting the admin user from the LDAP
| database, but the user could still log into the Windows 2000 machine.
| Then I tried stopping the LDAP database completely, and while it took
| the Windows 2000 machine a long time to attempt to authenticate, the
| user could STILL log into the machine.  Does anyone know if Windows 2000
| or Samba 3.0 do any user/authentication caching?  Is there any other
| explanation for this?
The windows client is caching the logons.  It's controlled by a
registry key.  CacheLogonsCount or something like that.
- --
~ --
~ Hewlett-Packard- http://www.hp.com
~ SAMBA Team -- http://www.samba.org
~ GnuPG Key   http://www.plainjoe.org/gpg_public.asc
~ You can never go home again, Oatman, but I guess you can shop there.
~--John Cusack - Grosse Point Blank (1997)
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/ose7IR7qMdg1EfYRArzwAJ9LLVP/2bLEnSTVfpTBGCKJFf6T1ACfYA2i
9I/PWLatuDSG/yZAtkd+esw=
=srxm
-END PGP SIGNATURE-


[Samba] Win2K or Samba Caching?

2003-10-31 Thread Robert Rati
I have a PDC that is Samba 3.0 setup to talk to an OpenLDAP server for 
authentication, and I was able to get a user to log in to a Windows 2000 
machine on the domain.  Then I tried adding additional users, but none 
of them could log in.  So I tried deleting the admin user from the LDAP 
database, but the user could still log into the Windows 2000 machine. 
Then I tried stopping the LDAP database completely, and while it took 
the Windows 2000 machine a long time to attempt to authenticate, the 
user could STILL log into the machine.  Does anyone know if Windows 2000 
or Samba 3.0 do any user/authentication caching?  Is there any other 
explanation for this?

Rob



[Samba] Samba 3.0 + LDAP + Machine accounts

2003-10-27 Thread Robert Rati
I'm trying to setup Samba 3.0 to talk to an LDAP server for 
authentication, but I can't get any communication to the LDAP server 
from Samba when a machine attempts to join the domain.  I see the 
machine sending out the broadcast request to join the domain, but the 
samba server does not respond (security = domain, domain logons = yes).
Does the samba server always have to authenticate the machine joining 
the domain, or can it pass it off to the LDAP server?  If domain logons 
= yes, does that mean the samba server will always authenticate the 
machine?  If so, how do you get samba to pass off the machine 
authentication to the LDAP server?

Rob



[Samba] Samba + LDAP

2003-10-20 Thread Robert Rati
Does anyone know if the binaries provided by the Samba team are compiled 
with LDAP support?  I've tried 2.2.8a and 3.0.0 for Debian, but both 
complain that the ldap parameters (like ldap server) are unknown.

Rob



Re: [Samba] Samba + LDAP

2003-10-20 Thread Robert Rati
Adam Williams wrote:
Does anyone know if the binaries provided by the Samba team are compiled 
with LDAP support?  I've tried 2.2.8a and 3.0.0 for Debian, but both 
complain that the ldap parameters (like ldap server) are unknown.


Just ldd /usr/sbin/smbd.  Is libldap in the list?  If not, then the
smbd isn't linked against it.  Most (all?) distributed binaries I've met
don't include things like ACL, LDAP, etc... support for obvious reasons
(least common denominator).
Yes, I see libldap.so.2 listed in the ldd output.  I notice in the 
documentation that certain LDAP configuration options are only 
recognized if the --with-ldapsam is used at compile time.  Is there 
someplace where they list what options are used to compile the binary? 
Doesn't seem to make sense to have some LDAP options included in the 
samba build, but others (the important ones like ldap server) needing a 
compile switch but that appears to be the way it's setup (according to 
the manpages anyway).

Rob

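Two ways to settle the question raised in this exchange, as an added example rather than anything posted in the thread: the shared-library listing Adam suggests (`ldd`), and `smbd -b`, which prints the options the binary was built with, including the HAVE_LDAP* defines and the `--with` configure switches, which answers the question of where the build options are recorded. Both parsing functions take command output as text, and the listings at the bottom are constructed samples (including the define names they contain), so the script runs without a Samba install; `check_smbd` runs the real commands against a binary, defaulting to the /usr/sbin/smbd path used above. One caveat on the original symptom: an `Unknown parameter encountered: ldap server` line is not by itself proof of a build without LDAP, because Samba 3.0 retired the 2.2-era `ldap server` and `ldap port` parameters in favour of an LDAP URL in `passdb backend` (for example `passdb backend = ldapsam:ldap://ldap.example.com`, a hypothetical host), so an LDAP-enabled 3.0 binary fed a 2.2-style smb.conf logs exactly the same message.

```shell
#!/bin/sh
# Added example: determine whether an smbd binary has LDAP support.
# Signal 1: the shared-library listing (ldd) names libldap.
# Signal 2: `smbd -b` (print build options) lists LDAP-related defines.
# The functions take command output as text so they can run on samples.

# ldd_links_ldap LDD_OUTPUT -> exit 0 if libldap appears in the listing
ldd_links_ldap() {
    printf '%s\n' "$1" | grep -q 'libldap'
}

# build_has_ldap SMBD_B_OUTPUT -> exit 0 if an LDAP build define is present
# smbd -b prints defines one per line, indented, e.g. "   HAVE_LDAP".
build_has_ldap() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(HAVE_LDAP|WITH_LDAP)'
}

# ldap_status LDD_OUTPUT SMBD_B_OUTPUT -> prints a verdict combining both
ldap_status() {
    l=1; b=1
    ldd_links_ldap "$1" && l=0
    build_has_ldap "$2" && b=0
    if [ $l -eq 0 ] && [ $b -eq 0 ]; then echo linked-and-built
    elif [ $l -eq 0 ]; then echo linked-only   # libldap pulled in, no LDAP defines
    elif [ $b -eq 0 ]; then echo built-only    # e.g. statically linked libldap
    else echo no-ldap
    fi
}

# check_smbd [PATH]: run both checks against a real binary.
check_smbd() {
    bin="${1:-/usr/sbin/smbd}"
    if [ ! -x "$bin" ]; then echo "not executable: $bin" >&2; return 2; fi
    ldap_status "$(ldd "$bin" 2>/dev/null)" "$("$bin" -b 2>/dev/null)"
}

# Constructed sample listings (not output captured from any real host).
SAMPLE_LDD_LDAP='        libldap.so.2 => /usr/lib/libldap.so.2 (0x40033000)
        libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_LDD_PLAIN='        libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_B_LDAP=' HAVE_* defines:
   HAVE_LDAP
   HAVE_LDAP_H
 --with Options:
   WITH_LDAP_SAMSYNC'
SAMPLE_B_PLAIN=' HAVE_* defines:
   HAVE_CRYPT
 --with Options:
   WITH_PAM'
```

Run `check_smbd /usr/sbin/smbd` as any user that can execute the binary; `linked-and-built` means the "Unknown parameter" message must have another cause, such as a parameter name that no longer exists in that release.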


[Samba] Samba compiled with LDAP support?

2003-10-17 Thread Robert Rati
Are the 2.2.8a Debian Samba packages provided by the Samba team compiled 
with LDAP support?  I figured they would be, but when I try to configure 
an LDAP option in smb.conf, I get an error in log.smbd like this:

[2003/10/17 11:58:12, 0] param/loadparm.c:map_parameter(2093)
  Unknown parameter encountered: ldap server
To me, that looks like LDAP support was not compiled into the binary. 
Is that so?

Rob



[Samba] Help using multiple file servers

2003-09-10 Thread Robert Rati
I am trying to setup samba so that I can authenticate users from a 
single server, but use multiple file servers to serve the home 
directories and user profiles.  How would I go about doing this?

Rob



Re: [Samba] Help using multiple file servers

2003-09-10 Thread Robert Rati
I'm not sure this will solve the problem I am looking at.  I can see an 
LDAP server for authentication (although I currently don't have one 
setup and would prefer not to have to set one up), but how does an LDAP 
server help with the home directory and profile serving?  If a user logs 
onto machine A which is on subnet A, then samba server A would 
authenticate against the LDAP server and serve the home dir and profile.
What happens if the same user logs onto machine B which is on subnet 
B?  The samba server B would authenticate with the LDAP server, but 
would the user's home directory and profile be served from server A? 
Will the LDAP solution you suggest provide this ability?

Ideally, I'd like all the users to be authenticated through one samba 
server (let's say server A), and the home directories and profiles for 
those users to be served from the authenticating server (server A) or an 
alternate samba server (server B).

Rob

Radio Gong 2000 GmbH & Co. KG [Technik] wrote:
Hi,

the best way, I think, is to use LDAP for authenticating. So you've one 
server, which does all the stuff for you.

The other way is to write a little and simple script, which keeps the 
passwordfiles in sync:

#!/bin/sh
# 08-30-2000
# Synchronize the user accounts every night.
# Runs from root's crontab and logs in to the second server with an
# ssh key.  /etc/shadow and smbpasswd carry the password hashes, so
# that key and the peer host are trusted with them.
set -e
PEER=192.168.10.2
BACKUP=/data/backup/user
FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/samba/smbpasswd"
for f in $FILES; do
    scp "$f" "$PEER:$f"       # push the file to the peer server
    cp -v "$f" "$BACKUP/"     # and keep a local backup copy
done
# END

I installed an ssh-key, so a cronjob can do the job for me...
Makes no sense but it's nice...
:-)

Greetings

Sascha



[Samba] Samba authentication

2003-09-09 Thread Robert Rati
Is it possible to have two samba servers in two separate domains acting 
as PDCs authenticate against each other for logins?  I.e. server A 
attempts to authenticate against B and then itself, and server B 
attempts to authenticate against A and then itself.  Any help doing this 
would be very much appreciated.

Rob



Re: [Samba] Samba authentication

2003-09-09 Thread Robert Rati
I have two separate subnets, two servers, and one domain.  I want to 
serve half of my users from server A and half from server B, but all 
users would be able to log onto both subnets.  The reason I want to 
separate them like this is so that the home directories and profiles 
will be split between the servers.  Is it possible to serve the profiles 
and home dirs from a samba server the user doesn't authenticate with?

In other words, what I'd like is for a user on server A (controlling 
subnet A) to be able to log into a PC on subnet A and B and have his 
home dir and profile served from server A.  At the same time, I'd like 
different users to have the same ability using server B.

Rob

[EMAIL PROTECTED] wrote:
I think it is possible, but why would you do it? What you said sounds
weird. Why do you want both servers to auth from each other first?
Normally you would only have server B auth from server A and then B.
And server A auth from server A then B. Are you sure you don't want to
replicate servers A & B's databases?

- Original Message -
From: Robert Rati [EMAIL PROTECTED]
Date: Wednesday, September 10, 2003 7:31 am
Subject: [Samba] Samba authentication

Is it possible to have two samba servers in two separate domains acting 
as PDCs authenticate against each other for logins?  I.e. server A 
attempts to authenticate against B and then itself, and server B 
attempts to authenticate against A and then itself.  Any help doing this 
would be very much appreciated.

Rob





[Samba] Problems with 2 servers and 2 domains

2003-09-05 Thread Robert Rati
I am trying to set up a windows Domain with Samba 2.2.8a and 2.2.7 on 
Debian and Redhat systems (respectively).  This network has two subnets, 
so I have a samba server for each subnet, and they are configured to 
pass netbios traffic to each other so both networks can be seen in 
network neighborhood.  I'm trying to expand this setup and create a 
windows Domain that will work like this:

Two samba servers, A and B, that control users that log on to the PCs on 
the domain.  Each server has half of the users on it along with their 
roaming profile and home directory.  If a user whose account information 
is located on server A logs into a machine in subnet A (which is 
controlled by server A), then server A authenticates the user and serves 
up his profile and home directory to be mapped.  If the user logs into 
subnet B (controlled by server B), then server B uses server A for 
authentication and the users profile and home directory are served from 
server A.  Same thing for a user on server B.

I thought this could be accomplished by setting security = server and 
setting server A as a password server in server B's configuration file 
(and vice versa for server A), but that doesn't seem to work.  In fact, 
I can't get server B to use server A to authenticate even if server A is 
using security = user and server B is using security = server.

I can see how this could be done with multiple NFS mounts on servers 
(each mounting the other's user's directories), but that seems really 
messy and I don't think it would allow for the users to easily maintain 
their passwords (they'd have to change their password on each server as 
all users would have to exist on each server).

Is what I'm trying to do possible?  Can someone help me figure out what 
I'm doing wrong?  Any help would be much appreciated.

Rob
