[Samba] LDAP + smbpasswd

2003-09-09 Thread Sean Kellogg
An easy question (hopefully)

1) When using ldapsam as the password backend, do machine accounts have
to have posix accounts as well?  There are pieces of documentation that
seem to indicate that they are not needed...  and for a while running
rc1 it worked for me...  but now under rc2, not so much.

-Sean

-- 
Sean Kellogg
University of Washington
Biostatistics Department - Linux Guy
e: [EMAIL PROTECTED]  p: 5-9176

Linux is to the internet what duct tape is to everything else


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] cross-subnet domain join issue

2003-09-08 Thread Sean Kellogg
Okay, I'm clearly not as smart as I'd hoped, as I failed to have my
Samba PDC connect to our WINS server.  Adding the server IP has changed
things, but I'm still experiencing difficulties.

Here's my nmbd log from startup...  there's some strange stuff in here.

-

[2003/09/08 11:29:20, 0]
nmbd/nmbd_nameregister.c:register_name_response(130)
  register_name_response: server at IP 128.95.113.168 rejected our name
registration of LOGOS00 IP 128.95.113.9 with error code 6.
[2003/09/08 11:29:20, 0] nmbd/nmbd_mynames.c:my_name_register_failed(36)
  my_name_register_failed: Failed to register my name LOGOS00 on
subnet 128.95.113.9.
[2003/09/08 11:29:20, 0]
nmbd/nmbd_namelistdb.c:standard_fail_register(283)
  standard_fail_register: Failed to register/refresh name LOGOS00 on
subnet 128.95.113.9
[2003/09/08 11:29:20, 0] nmbd/nmbd_logonnames.c:add_logon_names(163)
  add_domain_logon_names:
  Attempting to become logon server for workgroup LOGOS on subnet
128.95.113.9
[2003/09/08 11:29:20, 0] nmbd/nmbd_logonnames.c:add_logon_names(163)
  add_domain_logon_names:
  Attempting to become logon server for workgroup LOGOS on subnet
UNICAST_SUBNET
[2003/09/08 11:29:20, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(327)
  become_domain_master_browser_wins:
  Attempting to become domain master browser on workgroup LOGOS, subnet
UNICAST_SUBNET.
[2003/09/08 11:29:20, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(341)
  become_domain_master_browser_wins: querying WINS server from IP
0.0.0.0 for domain master browser name LOGOS1b on workgroup LOGOS
[2003/09/08 11:29:25, 0]
nmbd/nmbd_logonnames.c:become_logon_server_success(124)
  become_logon_server_success: Samba is now a logon server for workgroup
LOGOS on subnet 128.95.113.9
[2003/09/08 11:29:41, 0]
nmbd/nmbd_logonnames.c:become_logon_server_success(124)
  become_logon_server_success: Samba is now a logon server for workgroup
LOGOS on subnet UNICAST_SUBNET
[2003/09/08 11:29:41, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_query_fail(252)
  become_domain_master_query_fail: Error 0 returned when querying WINS
server for name LOGOS1b.
[2003/09/08 11:29:43, 0]
nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
  *

  Samba name server LOGOS is now a local master browser for workgroup
LOGOS on subnet 128.95.113.9

  *
[2003/09/08 11:30:03, 0]
nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(350)
  find_domain_master_name_query_fail:
  Unable to find the Domain Master Browser name LOGOS1b for the
workgroup LOGOS.
  Unable to sync browse lists in this workgroup.
[2003/09/08 11:34:20, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(327)
  become_domain_master_browser_wins:
  Attempting to become domain master browser on workgroup LOGOS, subnet
UNICAST_SUBNET.
[2003/09/08 11:34:20, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(341)
  become_domain_master_browser_wins: querying WINS server from IP
0.0.0.0 for domain master browser name LOGOS1b on workgroup LOGOS
[2003/09/08 11:34:40, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_query_fail(252)
  become_domain_master_query_fail: Error 0 returned when querying WINS
server for name LOGOS1b.
[2003/09/08 11:39:25, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(327)
  become_domain_master_browser_wins:
  Attempting to become domain master browser on workgroup LOGOS, subnet
UNICAST_SUBNET.
[2003/09/08 11:39:25, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(341)
  become_domain_master_browser_wins: querying WINS server from IP
0.0.0.0 for domain master browser name LOGOS1b on workgroup LOGOS
[2003/09/08 11:39:25, 1]
nmbd/nmbd_processlogon.c:process_logon_packet(95)
  process_logon_packet: Logon from 128.95.113.168: code = 0x12
[2003/09/08 11:39:25, 1]
nmbd/nmbd_processlogon.c:process_logon_packet(95)
  process_logon_packet: Logon from 128.95.113.168: code = 0x12
[2003/09/08 11:39:46, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_query_fail(252)
  become_domain_master_query_fail: Error 0 returned when querying WINS
server for name LOGOS1b.



Some googling tells me that it might be okay for the IP to
be listed as 0.0.0.0...  but I'm not so sure.  Can anyone confirm?

In addition, any theories as to what exactly Error 0 might be...  what
about Error 6?

Thanks,
Sean

On Sat, 2003-09-06 at 04:34, Richard Coates wrote:
> Hi Sean, all you need for cross-subnet browsing/domain functionality is
> correct routing...no port blocking/firewall problems across routers etc.
> ONE only wins server with ALL servers/clients using it.
> netbios over tcp (I haven't tried setup without this)
> correctly setup pdc and Xp/Nt/2k/linux as local subnet master browsers.
> All is explained nicely in the old browsing.txt doc, and probably
> included in the new samba3 docs.
> Richard Coates.
>
> On Sat, 2003-09-06 at 08:04, Sean Kellogg wrote:
> > So, I already sent this message once before (yesterday), but I can't
> > seem to find
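
The nmbd log in the message above wraps each entry across several lines. As an added example (not part of the original post and not Samba code), this Python code re-joins wrapped entries and extracts WINS registration rejections and failed WINS queries, naming the error code from the RFC 1002 RCODE table. It assumes the error code nmbd logs is the NetBIOS name service RCODE; the sample log is constructed (documentation-range IPs, names written with their `<00>`/`<1b>` suffixes).

```python
import re
from collections import Counter

# Negative-response RCODE values defined by RFC 1002 (NetBIOS name service).
NBNS_RCODES = {
    1: "FMT_ERR (request was invalidly formatted)",
    2: "SRV_ERR (name server failure)",
    3: "NAM_ERR (requested name does not exist)",
    4: "IMP_ERR (unsupported request)",
    5: "RFS_ERR (registration refused for policy reasons)",
    6: "ACT_ERR (name is owned by another node)",
    7: "CFT_ERR (unique name is owned by more than one node)",
}

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)\s*")
REJECTED = re.compile(r"server at IP (\S+) rejected our name registration of "
                      r"(\S+) IP (\S+) with error code (\d+)")
QUERY_FAIL = re.compile(r"Error (\d+) returned when querying WINS server "
                        r"for name (\S+)")

# Constructed sample in the same wrapped layout as the log in the post.
SAMPLE = """\
[2003/09/08 11:29:20, 0]
nmbd/nmbd_nameregister.c:register_name_response(130)
  register_name_response: server at IP 192.0.2.168 rejected our name
registration of LOGOS<00> IP 192.0.2.9 with error code 6.
[2003/09/08 11:29:20, 0] nmbd/nmbd_mynames.c:my_name_register_failed(36)
  my_name_register_failed: Failed to register my name LOGOS<00> on
subnet 192.0.2.9.
[2003/09/08 11:29:41, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_query_fail(252)
  become_domain_master_query_fail: Error 0 returned when querying WINS
server for name LOGOS<1b>.
[2003/09/08 11:34:40, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_query_fail(252)
  become_domain_master_query_fail: Error 0 returned when querying WINS
server for name LOGOS<1b>.
"""


def parse_entries(text):
    """Return one record per '[timestamp, level]' header, wrapped lines re-joined."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "parts": [m.group(3)]}
            entries.append(current)
        elif current is not None and raw.strip():
            current["parts"].append(raw.strip())
    for e in entries:
        body = " ".join(p for p in e.pop("parts") if p)
        loc = LOCATION.match(body)  # source location may sit on its own line
        e["function"] = loc.group(2) if loc else None
        e["message"] = body[loc.end():] if loc else body
    return entries


def wins_findings(entries):
    """Collect registration rejections and count repeated failed WINS queries."""
    rejections, failed_queries = [], Counter()
    for e in entries:
        m = REJECTED.search(e["message"])
        if m:
            code = int(m.group(4))
            rejections.append({
                "time": e["time"], "server": m.group(1), "name": m.group(2),
                "our_ip": m.group(3), "code": code,
                "meaning": NBNS_RCODES.get(code, "no RFC 1002 error name for this value"),
            })
        m = QUERY_FAIL.search(e["message"])
        if m:
            failed_queries[(m.group(2).rstrip("."), int(m.group(1)))] += 1
    return rejections, failed_queries


if __name__ == "__main__":
    rejected, failed = wins_findings(parse_entries(SAMPLE))
    for r in rejected:
        print(f"{r['time']} {r['server']} rejected {r['name']}: {r['meaning']}")
    for (name, code), count in failed.items():
        print(f"{count} failed WINS queries for {name} (error {code})")
```

An ACT_ERR rejection means the name server already holds that name for a different node, so the existing record on the WINS server is the thing to inspect.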

[Samba] smbpasswd -a issues

2003-09-08 Thread Sean Kellogg
This totally worked a few days ago...  when running 'smbpasswd -a user
-D 5' I get the following:

[EMAIL PROTECTED]:/home/niles/ldap/debian# smbpasswd -a user -D 5
Netbios name list:-
my_netbios_names[0]=LOGOS
New SMB password:
Retype new SMB password:
Trying to load: ldapsam:ldap://logos.biostat.washington.edu
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match
ldapsam:ldap://logos.biostat.washington.edu (ldapsam)
Found pdb backend ldapsam
Searching for:[((objectClass=sambaDomain)(sambaDomainName=LOGOS))]
smbldap_search_suffix: searching
for:[((objectClass=sambaDomain)(sambaDomainName=LOGOS))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesful connected
pdb backend ldapsam:ldap://logos.biostat.washington.edu has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
smbldap_search_suffix: searching
for:[((uid=user)(objectclass=sambaSamAccount))]
Unable to locate user [user] count=0
Finding user user
Trying _Get_Pwnam(), username as lowercase is user
Trying _Get_Pwnam(), username as uppercase is USER
Checking combinations of 0 uppercase letters in user
Get_Pwnam_internals didn't find user [user]!
Failed initialise SAM_ACCOUNT for user user.
Failed to modify password entry for user user

As you can see, I'm using ldap, and running at a higher debug value
shows that I am successfully connecting to the ldap server.  This works
fine if the user already has a posix account established...  but it used
to create the account automagically.  While it's not the end of the world
in terms of users, it is very troublesome when trying to add a machine
to the domain (where it invokes smbpasswd -am MACHINE NAME).  Again,
broken.   But this totally worked a few days ago.  While I'm not surp

The only thing I can think of is that I upgraded to 3.0.0rc2-Debian from
3.0.0rc1-Debian.  But that seems like an odd thing to change.  Has
anyone else experienced this problem?  

smb.conf

[global]
  netbios name = logos
  workgroup = logos

  encrypt passwords = true
  unix password sync = no
  ldap passwd sync = yes
  pam password change = yes
  obey pam restrictions = yes

  domain master = yes
  local master = yes
  preferred master = yes
  os level = 65

  passdb backend = ldapsam:ldap://logos.biostat.washington.edu
  ldap admin dn = cn=admin,dc=biostat,dc=washington,dc=edu
  ldap suffix = dc=biostat,dc=washington,dc=edu
  ldap machine suffix = ou=Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap ssl = off

  security = user
  domain logons = yes
  wins server = 128.95.29.52

  logon path = \\%L\profiles\%u
  logon script = logon.bat

  logon drive = H:

  time server = yes

  idmap uid = 1-65000
  idmap gid = 1-65000
  add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false %u

  printing = BSD
  load printers = yes
  printer admin = @domadmin
  printcap name = /etc/printcap



Help would be appreciated...  hell, "it works for me" would even be
good, as then I know it's something I'm doing and not the developers.

-Sean

-- 
Sean Kellogg
University of Washington
Biostatistics Department - Linux Guy
e: [EMAIL PROTECTED]  p: 5-9176

Linux is to the internet what duct tape is to everything else



Re: [Samba] smbpasswd -a issues

2003-09-08 Thread Sean Kellogg
I'll just go ahead and reply to my own message with some info I've
found...  see if that inspires anyone to help.

After some grepping through the smbpasswd source code (pretty clean
stuff, if I may say so), I figured the line of death resides in
passdb/passdb.c, function pdb_init_sam_new, lines 304 - 307:

-
pwd = Get_Pwnam(username);

if (!pwd)
return NT_STATUS_NO_SUCH_USER;
-

Looks like it's trying to find a uid for a user that does not exist.
Now, this is supposed to be the defined behavior for actual users, but I
was under the impression that with ldap as the backend, machines did not
need a posix account...  and that the RID was generated by some other
algorithm.

Am I off my rocker here?
-Sean

-- 
Sean Kellogg
University of Washington
Biostatistics Department - Linux Guy
e: [EMAIL PROTECTED]  p: 5-9176

Linux is to the internet what duct tape is to everything else



Re: [Samba] Win box copying files to Linux via Samba - unwanted

2003-09-07 Thread Sean Kellogg
Steve - 

It sounds like you have roaming profiles set up...  although it doesn't
quite look like they are set up in your smb.conf file.  When roaming
profiles are set up, the win clients will transmit all the data you
mentioned to the samba PDC so that if you were to login from some other
win client, everything would appear the same.  It's a neat trick, but if
you don't want it...  then it's best to disable it, because it can cause
headaches.

The real question here is why is it happening.  In my smb.conf file, I
have to have the following to get roaming profiles up:

logon path = \\%L\profiles\%u

As well as a [profiles] share for the profiles to be saved.  The only
thing like that in your smb.conf file is your logon home directive.  I
might suggest dropping that.  While I don't have my Samba book here with
me, I'm pretty certain you don't need that if all you want is your home
directories to mount to the p: drive.  Keep the 'logon drive' directive,
and add the following share:

[homes]
  read only = no
  browsable = no
  guest ok = no
  map archive = yes

Then dump the [steve] and [oracle] shares...  as the [homes] share will
auto generate them.

Hope that works,
Sean

On Sun, 2003-09-07 at 03:26, Stephen Roach wrote:
> Hi,
>
> Well, I've just set up Samba + goodies to get my Red Hat (lisa) and WinME
> (homer) boxes connected and it all seems to be going rather well...except for
> one thing.
>
> I'm not even sure if this is supposed to happen but here's the deal. First up,
> my smb.conf file...
>
> ---
> [global]
>    domain logons = yes
>    encrypt passwords = yes
>    log file = /var/log/samba.log
>    logon drive = p:
>    logon home = \\lisa\%U
>    netbios name = lisa
>    os level = 99
>    preferred master = yes
>    security = user
>    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    wins support = yes
>    workgroup = MYHOME
>
> [public]
>    path = /usr/public
>    guest ok = yes
>    writeable = yes
>
> [steve]
>    comment = Steve's home
>    path = /home/steve
>    valid users = steve
>    public = no
>    writable = yes
>    printable = no
>
> [oracle]
>    comment = Oracle's home
>    path = /home/oracle
>    valid users = oracle
>    public = no
>    writable = yes
>    printable = no
> --
>
> I have two users set up on the ME box, steve & oracle.
>
> The first time I log in on the ME box as either user, a whole load of stuff (I
> believe is the technical term) is copied across the network to the linux home
> directory of the appropriate user (e.g. Directories; Application Data, Desktop,
> etc, containing what looks like user configuration data). Some of this is
> updated on logout.
>
> The question is, is this supposed to happen? I would prefer that Windows kept
> its files to itself unless I explicitly copy them over but, if it really is
> necessary, is it possible to direct this stuff to a sub-directory to keep it out
> of the way?
>
> If this is not a Samba question, can anyone point me at an appropriate froup.
>
> Any scathing remarks on the content of the smb.conf file would also be
> appreciated.
>
> TIA
>
> Steve
>
> Steve Roach:
> [EMAIL PROTECTED]
> 0417 847 502
-- 
Sean Kellogg
1st Year - UW Law School
c: 206.498.8207  e: [EMAIL PROTECTED]
w: http://students.washington.edu/skellogg/

When the only tool you have is a hammer, you tend to treat everything as if it were a nail.
 -- Abraham Maslow



Re: [Samba] Samba-3 Ldap Adding Administrator Account

2003-09-07 Thread Sean Kellogg
Okay...  you're a bit light on information, but let me see if I can assist and 
I'll just make a few assumptions.

First, you'll have to create a unix account with the name Administrator, and 
then use smbpasswd -a to give the guy the necessary samba info.  In order to 
give our user 'Administrator' the necessary rights to actually tromp around 
the domain as an administrator, he'll (strange...  I never think of root as 
having a gender, but Administrator seems like a he) have to be part of a 
group that is mapped to the Domain Administrator group.

To do this, add a unix group named 'domadmin', and then use the 'net groupmap' 
command to associate the proper RID (the domain admin RID is 512) with the
unix group.  Then add your Administrator user to the domadmin group, restart 
the samba server (may not be necessary), and everything should work as 
desired.

I have a bunch of links about this stuff back at work, but it's Sunday, and as
much fun as it would be to ssh into my work box, I try not to during the 
weekend.  If you need further assistance or expectation (like how to use 
net...  its a bit of a beast), just shout and I'll try and dig up those links 
on Monday for ya.

-Sean 

On Monday 08 September 2003 02:52 am, [EMAIL PROTECTED] wrote:
> How do you add an Administrator account to ldap?
>
> I want to leave root in /etc/passwd but have Administrator in ldap.
> I have checked Howto Collection and the Samba-Ldap-3 but they contain no
> information. The Ldap-Howto has a suggestion but then says not to use.
>
> Godfrey



[Samba] cross-subnet domain join issue

2003-09-05 Thread Sean Kellogg
So, I already sent this message once before (yesterday), but I can't
seem to find it on the archives (and have received no responses), so I'm
wondering if it got bounced.  If it didn't and I'm just being ignored,
then I'll just stay put over here in the corner...  if it did, please
take a read and see if you can help.

-Sean

--

I am one hurdle away from finishing my test PDC with ldap and password
sync.  It's been a hair-raising effort...  and if I can solve this one
issue, we'll be ready to kick our Windows PDC out the window.

When I attempt to initially join the domain ( LOGOS ) from a win2K
client residing on a different subnet, I get the following:


The following error occured validating the name LOGOS
The condition may be caused by a DNS lookup problem.  For information
about troubleshooting common DNS lookup problems, please see the
following Microsoft Website:
http://go.microsoft.com/fwlink/?LinkID=5171

The specified domain either does not exist or could not be contacted


This is the same error I would get on clients residing on the same
subnet that didn't have NetBIOS over TCP/IP enabled.  Once enabled, I
was able to join without incident.  However this does not appear to be
the issue with clients residing on other subnets, as they are properly
configured.

Adding to complications, I am certain that the server running the domain
(also named LOGOS) can be seen from other subnets by doing lookups on
//LOGOS/.

Documentation on the subject seems to indicate that this shouldn't be an
issue...  the tough part is supposed to be browsing, but I can't start
tackling that issue until I'm joined to the domain in the first place.

Thanks for any assistance,
Sean

-- 
Sean Kellogg
University of Washington
Biostatistics Department - Linux Guy
e: [EMAIL PROTECTED]  p: 5-9176

Linux is to the internet what duct tape is to everything else



[Samba] cross-subnet domain join issue

2003-09-04 Thread Sean Kellogg
I am one hurdle away from finishing my test PDC with ldap and password
sync.  It's been a hair-raising effort...  and if I can solve this one
issue, we'll be ready to kick our Windows PDC out the window.

When I attempt to initially join the domain ( LOGOS ) from a win2K
client residing on a different subnet, I get the following:


The following error occured validating the name LOGOS
The condition may be caused by a DNS lookup problem.  For information
about troubleshooting common DNS lookup problems, please see the
following Microsoft Website:
http://go.microsoft.com/fwlink/?LinkID=5171

The specified domain either does not exist or could not be contacted


This is the same error I would get on clients residing on the same
subnet that didn't have NetBIOS over TCP/IP enabled.  Once enabled, I
was able to join without incident.  However this does not appear to be
the issue with clients residing on other subnets, as they are properly
configured.

Adding to complications, I am certain that the server running the domain
(also named LOGOS) can be seen from other subnets by doing lookups on
//LOGOS/.

Documentation on the subject seems to indicate that this shouldn't be an
issue...  the tough part is supposed to be browsing, but I can't start
tackling that issue until I'm joined to the domain in the first place.

Thanks for any assistance,
Sean

-- 
Sean Kellogg
University of Washington
Biostatistics Department - Linux Guy
e: [EMAIL PROTECTED]  p: 5-9176

Linux is to the internet what duct tape is to everything else

