[Samba] SMB4 ADDC possible attribute corruption
Hi All,

I am having a problem with SMB4 ADDC. I cannot join the AD from Fedora. I have done a Wireshark capture and found that it does 2 LDAP search requests when doing a discovery. The 1st query was a search for the defaultNamingContext and supportedCapabilities attributes. This got a successful search response packet and a result of 1. The 2nd query was a search for the NetLogon attribute. This also got a successful search response packet, but it had a result of 0, so no attribute details.

I am currently using RealmD to join and get:

! Received invalid or unsupported Netlogon data from server

I get this from both discover and join.

samba 4.0.7 compiled from source

Realmd discover normally lists required packages to join a certain domain, but as it wasn't working I tried installing any packages that I thought it would require. krb5-workstation is installed but not configured, as realmd should do this. I have tried this on 2 F19 fresh installs and both have the same fault.

I also did a packet capture whilst discovering another 2008R2 domain, and the netlogon attribute on the LDAP search was fully populated. This was an MS Win2008 DC though. I am not sure if this LDAP result is the failure of the join, but the packet capture finishes very abruptly after that with a couple of ACKs and FINs.

What might throw a bit of a spanner in the works is that I joined the AD fine from a Win7 VM. Not sure if Win7 is unreliant of this netlogon attribute to join.

Thanks in advance.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Invalid listing, samba 3.6.6
Hello list,

I do have a problem with Amanda and Smbclient again. I'm trying to back up some shares and I do get some errors which I cannot fix:

? smbclient: Error reading file \Dtel\El\2009-11 u TEST\2009-11\Logos\meeting, England\P1020272.MOV : NT_STATUS_OK
? smbclient: Didn't get entire file. size=86525282, nread=61719840
? smbclient: NT_STATUS_OK opening remote file \Dr\P1020273.JPG (\Dnd\File)
? smbclient: NT_STATUS_CONNECTION_INVALID listing \Drittmittel\Directory\*

I have no idea how to solve this. I'm using Samba 3.6.6 with Debian Wheezy; the share is on a Windows Server 2008 R2. Please help if you can.

Thanks!
Re: [Samba] SAMBA4: pdbedit not changing SID
On Tue, 2 Apr 2013, Andrew Bartlett wrote:
On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:

/usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID.

Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.

Hi,

Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded.

Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'.

Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again.

If I could change the subject somewhat, I am also not clear on how to configure SAMBA4 and the DNS server if my network has an existing DNS server on another machine and I don't really want to move it. The DNS server is a stock install of bind from the distro's repository: bind-9.8.2-0.17.rc1.el6_4.4.x86_64

Simon
Re: [Samba] Internal DNS not running
On Tue, 9 Apr 2013, Ricky Nance wrote:
That looks normal... Can you pastebin your log.samba... first mv or rm /usr/local/samba/var/log.samba, then restart samba, then pastebin log.samba. Also (with samba running) can you give us the output of ps ax | grep samba and the output of netstat -anp | grep LISTEN | grep samba

Thanks, Ricky, with your help, I fixed the problem. I had started krb5kdc, not realizing that the krb server was also built into samba. Once I stopped this and re-started SAMBA, the internal dns server started working.

Simon

On Tue, Apr 9, 2013 at 7:22 PM, simon+sa...@matthews.eu wrote:
On Tue, 9 Apr 2013, Ricky Nance wrote:
What samba version are you using (samba -V)

# samba -V
Version 4.0.4

? Also what is the output of samba-tool testparm -v --suppress-prompt | grep server services

# samba-tool testparm -v --suppress-prompt | grep server services
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Simon

On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:
After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server. Where should I start looking for a solution to this?
Re: [Samba] Problems attaching Windows server as secondary DC.
On Sat, 20 Apr 2013, Matthieu Patou wrote:
On 04/13/2013 04:38 PM, simon+sa...@matthews.eu wrote:

I have my Samba4 up and running. I was able to get a Windows 2012 server to join the samba4 domain. However, I have not been able to get the Windows server to promote itself to a secondary DC. I would appreciate any suggestions on debugging this issue.

On the Server 2012 machine, in the prerequisites check, I see the following message:

Verification or prerequisites for Active Directory preparation failed .. Exception: THe RPC server is unavailable. . Adprep could not retrieve data from the server servername ...

The servername is correct and resolves to my samba4 server. On the Samba4 server, I see the following in the logs:

[2013/04/12 12:02:30, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088235
[2013/04/12 12:02:30, 3] ../source4/rpc_server/dcerpc_server.c:961(dcesrv_request)
  Warning: 60 extra bytes in incoming RPC request
[2013/04/12 12:02:30, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
  ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with system_session
[2013/04/12 12:02:33, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
[2013/04/12 12:02:33, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]

Any ideas?

We don't support Windows 2012 yet, for multiple reasons:

In order to have a Windows 2012 DC you must have a 2012 compliant schema. Up to Windows 2008R2 included, the way to do it was to run programs provided by Microsoft on an existing DC to upgrade the schema and do some adaptation to the database. With Windows 2012 they have introduced a way to do it also remotely via webservices that we don't support and we don't plan to support. So the usual upgrade path is not possible.

Up to now we have asked and received the new schema from Microsoft after each new AD product, but for 2012 we didn't really ask, so we haven't received it yet. *If* we had it, the way to go would be to run something like samba_upgradeprovision so that we would be able to add missing schema entries and modify needed objects, but this is not yet a solution (although it might be a much shorter delay before getting it).

Last would be to add an older version of Windows (2003, 2008, 2008R2) to the domain and run the program to upgrade the schema; it won't work until you migrate the schema master role to the newly added Windows DC. Then you might run into problems while synchronizing. This is a known problem that we are working on, and you'll face it for sure if you try to join samba to a domain with a Windows 2012 schema.

Are you saying that, in addition to not being able to join a Windows 2012 server to a samba domain, the reverse will not work as well? I can't join a Linux box to a Windows 2012 domain as a client (not as a DC, but just a domain member)?

Simon
Re: [Samba] Problems attaching Windows server as secondary DC.
On Mon, 15 Apr 2013, Jonis Maurin Ceará wrote:
Only Win 2012 DC, 2008 R2 join fine as DC. Same here with fresh install of S4 and Win 2012.

I am trying to join a Windows Server 2012 machine as a secondary DC. This should work, right?

Simon

2013/4/15 Friedmar friedmar.m...@me.com
simon+samba at matthews.eu writes:

I have my Samba4 up and running. I was able to get a Windows 2012 server to join the samba4 domain. However, I have not been able to get the Windows server to promote itself to a secondary DC. I would appreciate any suggestions on debugging this issue.

On the Server 2012 machine, in the prerequisites check, I see the following message:

Verification or prerequisites for Active Directory preparation failed .. Exception: THe RPC server is unavailable. .

Simon, you are not alone! Same here: Ubuntu 13.04 and samba4-4.0.1+dfsg1-1+. This has existed for a long time (12.04 and S4 beta). At the present level it seems that a Win DC could not join S4 domains. So you could not get rid of samba4. Bug or feature?
[Samba] Problems attaching Windows server as secondary DC.
I have my Samba4 up and running. I was able to get a Windows 2012 server to join the samba4 domain. However, I have not been able to get the Windows server to promote itself to a secondary DC. I would appreciate any suggestions on debugging this issue.

On the Server 2012 machine, in the prerequisites check, I see the following message:

Verification or prerequisites for Active Directory preparation failed .. Exception: THe RPC server is unavailable. . Adprep could not retrieve data from the server servername ...

The servername is correct and resolves to my samba4 server. On the Samba4 server, I see the following in the logs:

[2013/04/12 12:02:30, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088235
[2013/04/12 12:02:30, 3] ../source4/rpc_server/dcerpc_server.c:961(dcesrv_request)
  Warning: 60 extra bytes in incoming RPC request
[2013/04/12 12:02:30, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
  ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with system_session
[2013/04/12 12:02:33, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
[2013/04/12 12:02:33, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]

Any ideas?

Simon
[Samba] Internal DNS not running
After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server. Where should I start looking for a solution to this?
Re: [Samba] Internal DNS not running
On Tue, 9 Apr 2013, Ricky Nance wrote:
What samba version are you using (samba -V)

# samba -V
Version 4.0.4

? Also what is the output of samba-tool testparm -v --suppress-prompt | grep server services

# samba-tool testparm -v --suppress-prompt | grep server services
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Simon

On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:
After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server. Where should I start looking for a solution to this?
[Samba] samba_dnsupdate?
Now for the next question. I think (hope?) that I am quite close now. In order to add a machine to the domain, I think that I need to add a record to samba's DNS table. But samba_dnsupdate isn't working:

# samba_dnsupdate -d 5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf
Processing section [global]
Processing section [netlogon]
Processing section [sysvol]
pm_process() returned Yes
added interface eth0 ip=fe80::5054:ff:fefd:9729%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.99.19 bcast=192.168.99.255 netmask=255.255.255.0
schema_fsmo_init: we are master[yes] updates allowed[no]

As you can see updates are not allowed. But my smb.conf looks like this:

[global]
workgroup = MYAD
realm = MYAD.my.domain
netbios name = SAMBA4
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
# log file = /var/log/samba/samba.log.%m
log level = 3
allow dns updates = True
dns forwarder = 192.168.99.2

Simon

On Tue, 9 Apr 2013, Ricky Nance wrote:
Glad to hear :)

Ricky

On Tue, Apr 9, 2013 at 8:15 PM, Simon Matthews si...@matthews-family.org.uk wrote:
On Tue, 9 Apr 2013, Ricky Nance wrote:
That looks normal... Can you pastebin your log.samba... first mv or rm /usr/local/samba/var/log.samba, then restart samba, then pastebin log.samba. Also (with samba running) can you give us the output of ps ax | grep samba and the output of netstat -anp | grep LISTEN | grep samba

Thanks, Ricky, with your help, I fixed the problem. I had started krb5kdc, not realizing that the krb server was also built into samba. Once I stopped this and re-started SAMBA, the internal dns server started working.
[Samba] was: samba_dnsupdate? now Could not find child xxxxx -- ignoring
OK, solved that problem. nsupdate worked, even if samba_dnsupdate did not.

New problem: Lots of entries like this in the log:

[2013/04/09 22:25:39.559029, 2] ../source3/smbd/server.c:436(remove_child_pid)
  Could not find child 15172 -- ignoring
[2013/04/09 22:26:39.613172, 2] ../source3/smbd/server.c:436(remove_child_pid)
  Could not find child 15175 -- ignoring

I see a bug that describes this problem, but it is marked as fixed since June 2011. https://bugzilla.samba.org/show_activity.cgi?id=8269

Simon

On Tue, 9 Apr 2013, simon+sa...@matthews.eu wrote:
Now for the next question. I think (hope?) that I am quite close now. In order to add a machine to the domain, I think that I need to add a record to samba's DNS table. But samba_dnsupdate isn't working:

# samba_dnsupdate -d 5
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf
Processing section [global]
Processing section [netlogon]
Processing section [sysvol]
pm_process() returned Yes
added interface eth0 ip=fe80::5054:ff:fefd:9729%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.99.19 bcast=192.168.99.255 netmask=255.255.255.0
schema_fsmo_init: we are master[yes] updates allowed[no]

As you can see updates are not allowed.
Re: [Samba] Please help: classicupgrade not importing users -- SOLVED
I finally found the solution. I was moving from a Gentoo system to CentOS and the layout of the files is different under Gentoo. In the Gentoo layout, the default location for passdb.tdb, schannel_store.tdb and secrets.tdb is in /var/lib/samba/private. When I first tried to import, I had got an error message about secrets.tdb not being found, so I had made a link /var/lib/samba/secrets.tdb that pointed to /var/lib/samba/private/secrets.tdb, but, crucially, I did not do this for the other files in the secrets subdirectory.

Once I made the links for the other files, all I had to do was clean up my old tdb files (duplicate and otherwise bad entries) and then the import worked!

Simon
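The layout problem described in the post above, as an added example that is not part of the original message: a shell pre-flight check to run before `samba-tool domain classicupgrade --dbdir=DIR`. It assumes, following the post, that passdb.tdb, schannel_store.tdb and secrets.tdb must all resolve directly under DIR; the function names `check_dbdir` and `link_from_private` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post.
# Assumption (taken from the post): classicupgrade needs these three files
# directly under the --dbdir directory; on the poster's Gentoo layout they
# lived in DIR/private instead.
TDB_FILES="passdb.tdb schannel_store.tdb secrets.tdb"

# check_dbdir DIR
# Prints one status line per file:
#   ok          regular file (or valid symlink to one) directly under DIR
#   dangling    symlink under DIR whose target does not exist
#   in-private  file exists only as DIR/private/<file>
#   missing     file found in neither place
# Returns 0 only when all three files are "ok".
check_dbdir() {
    dbdir=${1%/}
    rc=0
    for f in $TDB_FILES; do
        if [ -f "$dbdir/$f" ] && [ -r "$dbdir/$f" ]; then
            echo "ok          $dbdir/$f"
        elif [ -L "$dbdir/$f" ]; then
            echo "dangling    $dbdir/$f"
            rc=1
        elif [ -f "$dbdir/private/$f" ]; then
            echo "in-private  $dbdir/private/$f"
            rc=1
        else
            echo "missing     $f"
            rc=1
        fi
    done
    return $rc
}

# link_from_private DIR
# Recreates the poster's fix: for each file that exists only under
# DIR/private, create a relative symlink DIR/<file> -> private/<file>.
# Anything already present under DIR (including a dangling link) is left
# untouched so it can be reviewed by hand.
link_from_private() {
    dbdir=${1%/}
    for f in $TDB_FILES; do
        if [ ! -e "$dbdir/$f" ] && [ ! -L "$dbdir/$f" ] \
            && [ -f "$dbdir/private/$f" ]; then
            ln -s "private/$f" "$dbdir/$f"
        fi
    done
}

# Stand-alone use: sh script.sh /var/lib/samba
if [ "$#" -gt 0 ]; then
    check_dbdir "$1"
fi
```

A partial fix such as the poster's first attempt (only secrets.tdb linked) shows up as one `ok` line and two `in-private` lines, which is the state in which groups imported but users did not.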
Re: [Samba] Please help: classicupgrade not importing users
Does anyone have any ideas what I might have done wrong or why this is not working?

Simon

On Tue, 2 Apr 2013, simon+sa...@matthews.eu wrote:
I have tried everything that I can think of, but the users are still not being imported. I deleted and re-created the /usr/local/samba directory (using make install), I added users to the local passwd file (ypcat passwd /etc/passwd) and then stopped ypbind. Still the same. The users are not imported while the groups are.

I would really appreciate some help in getting past this step. The transcript of my last attempt at classicupgrade can be found here: http://pastebin.com/tP8bG5Yb

I changed the realm that I used to a.b and made edits to the file to make it consistent.

Simon

On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:
On Tue, 2 Apr 2013, Ricky Nance wrote:
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO <https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO> should help.

I have been following those instructions. I have a tdb backend, I am working on a VM that does not have SAMBA3 installed.

The command:
# samba-tool user list
does not show my users. Interestingly, the groups seem to be there. If I use
# samba-tool group list
I see the expected groups.

Simon

Ricky

On Tue, Apr 2, 2013 at 12:06 AM, Gémes Géza g...@kzsdabas.hu wrote:
On 2013-04-02 05:35, simon+sa...@matthews.eu wrote:
On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:
On Tue, 2 Apr 2013, Andrew Bartlett wrote:
On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:

/usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users.
Re: [Samba] SAMBA4: pdbedit not changing SID
On Tue, 2 Apr 2013, Ricky Nance wrote:
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO <https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO> should help.

I have been following those instructions. I have a tdb backend, I am working on a VM that does not have SAMBA3 installed.

The command:
# samba-tool user list
does not show my users. Interestingly, the groups seem to be there. If I use
# samba-tool group list
I see the expected groups.

Simon

Ricky

On Tue, Apr 2, 2013 at 12:06 AM, Gémes Géza g...@kzsdabas.hu wrote:
On 2013-04-02 05:35, simon+sa...@matthews.eu wrote:
On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:
On Tue, 2 Apr 2013, Andrew Bartlett wrote:
On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:

/usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID.

Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.

Hi,

Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded.

Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'.

Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again.

I went back to trying to get the classicupgrade to work:

/usr/local/samba/bin/samba-tool domain classicupgrade \
    --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \
    /etc/samba/smb.conf --use-xattrs=yes

For the realm, I used a subdomain of one of the two existing dns domains in the LAN.

It appears to be processing the information from the old domain tdb files, although I see some errors:

Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Importing groups
Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!))
Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

However, after this, all I get from pdbedit -L is:

# pdbedit -L
RAIDSERVER$:4294967295:
Administrator:4294967295:
[root@samba ~]# pdbedit -L
RAIDSERVER$:4294967295:
Administrator:4294967295:
krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b /etc/samba/smb.conf
nobody:99:Nobody

Any ideas? What information might help debug this?

Simon

Could this happen because pdbedit is from the samba3 install? I recommend doing upgrade on a new box/virtual machine where no samba3 is installed, and copying the tdb files to the new box.

Regards
Geza Gemes
[Samba] Please help: classicupgrade not importing users
I have tried everything that I can think of, but the users are still not being imported. I deleted and re-created the /usr/local/samba directory (using make install), I added users to the local passwd file (ypcat passwd /etc/passwd) and then stopped ypbind. Still the same. The users are not imported while the groups are. I would really appreciate some help in getting past this step. The transcript of my last attempt at classicupgrade can be found here: http://pastebin.com/tP8bG5Yb I changed the realm that I used to a.b and made edits to the file to make it consistent. Simon On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote: On Tue, 2 Apr 2013, Ricky Nance wrote: http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTOhttps://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO should help. I have been following those instructions. I have a tdb backend, I am working on a VM that does not have SAMBA3 installed. The command: # samba-tool user list does not show my users. Interestingly, the groups seem to be there. If I use # samba-tool group list I see the expected groups. Simon Ricky On Tue, Apr 2, 2013 at 12:06 AM, Gémes Géza g...@kzsdabas.hu wrote: 2013-04-02 05:35 keltezéssel, simon+sa...@matthews.eu írta: On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote: On Tue, 2 Apr 2013, Andrew Bartlett wrote: On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote: 2013-04-01 02:36 keltezéssel, simon+sa...@matthews.eu írta: Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding I users. I ran the command: /usr/local/samba/bin/samba-**tool domain provision --realm=my realm \ --domain=mydomain --adminpass 'mypass' realm --server-role=dc \ --dns-backend=BIND9_DLZ Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. 
pdbedit -v is able to list the user's parameters, including the SID. Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4. Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded. Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'. Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again. I went back to trying to get the classicupgrade to work: /usr/local/samba/bin/samba-tool domain classicupgrade \ --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \ /etc/samba/smb.conf --use-xattrs=yes For the realm, I used a subdomain of one of the two existing dns domains in the LAN. It appears to be processing the information from the old domain tdb files, although I see some errors: Cannot open idmap database, Ignoring: [Errno 2] No such file or directory Importing groups Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!)) Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found)) Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found)) Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring. 
However, after this, all I get from pdbedit -L is: # pdbedit -L RAIDSERVER$:4294967295: Administrator:4294967295: [root@samba ~]# pdbedit -L RAIDSERVER$:4294967295: Administrator:4294967295: krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b /etc/samba/smb.confnobody:99:Nobody Any ideas? What information might help debug this? Simon Could this happen because pdbedit is from the samba3 install? I recommend doing upgrade on a new box/virtual machine where no samba3 is installed, and copying the tdb files
Re: [Samba] SAMBA4: pdbedit not changing SID
On Tue, 2 Apr 2013, Andrew Bartlett wrote: On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote: On 2013-04-01 02:36, simon+sa...@matthews.eu wrote: Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command: /usr/local/samba/bin/samba-tool domain provision --realm=my realm \ --domain=mydomain --adminpass 'mypass' --server-role=dc \ --dns-backend=BIND9_DLZ Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID. Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4. Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded. Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'. Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again. If I could change the subject somewhat, I am also not clear on how to configure SAMBA4 and the DNS server if my network has an existing DNS server on another machine and I don't really want to move it. The DNS server is a stock install of bind from the distro's repository: bind-9.8.2-0.17.rc1.el6_4.4.x86_64 Simon
Re: [Samba] SAMBA4: pdbedit not changing SID
On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote: On Tue, 2 Apr 2013, Andrew Bartlett wrote: On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote: On 2013-04-01 02:36, simon+sa...@matthews.eu wrote: Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command: /usr/local/samba/bin/samba-tool domain provision --realm=my realm \ --domain=mydomain --adminpass 'mypass' --server-role=dc \ --dns-backend=BIND9_DLZ Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID. Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4. Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded. Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'. Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again. I went back to trying to get the classicupgrade to work: /usr/local/samba/bin/samba-tool domain classicupgrade \ --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \ /etc/samba/smb.conf --use-xattrs=yes For the realm, I used a subdomain of one of the two existing dns domains in the LAN. 
It appears to be processing the information from the old domain tdb files, although I see some errors: Cannot open idmap database, Ignoring: [Errno 2] No such file or directory Importing groups Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!)) Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found)) Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found)) Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring. However, after this, all I get from pdbedit -L is: # pdbedit -L RAIDSERVER$:4294967295: Administrator:4294967295: [root@samba ~]# pdbedit -L RAIDSERVER$:4294967295: Administrator:4294967295: krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b /etc/samba/smb.confnobody:99:Nobody Any ideas? What information might help debug this? Simon
[Samba] SAMBA4: pdbedit not changing SID
Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command: /usr/local/samba/bin/samba-tool domain provision --realm=my realm \ --domain=mydomain --adminpass 'mypass' --server-role=dc \ --dns-backend=BIND9_DLZ Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID. Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.
Re: [Samba] Ran classiupgrade, users not there
On Fri, 29 Mar 2013, simon+sa...@matthews.eu wrote: I am attempting to do an upgrade from SAMBA3 to SAMBA4. I am working on a new VM rather than the existing SAMBA3 server. The old server uses tdbsam as the passdb backend. I copied the contents of /var/lib/samba and the smb.conf from the old machine to the new machine. We run a yp domain, which has the same name as the samba domain. The dns domain is different. Users exist in both the yp passwd map and the samba domain. I followed the instructions on building SAMBA here: http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/ then moved to the instructions on migration here: http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO#Upgrading_In_Place It appeared to finish normally (it complained about a couple of duplicate entries). However, after the classicupgrade, running /usr/local/samba/bin/pdbedit -L reveals that the users and groups do not exist. Should I expect this? If so, what database holds the user information? I should also mention that I used the dns domain for the realm in the classicupgrade command. The DNS domain is different from the YP/SAMBA domain. Simon
[Samba] Ran classiupgrade, users not there
I am attempting to do an upgrade from SAMBA3 to SAMBA4. I am working on a new VM rather than the existing SAMBA3 server. The old server uses tdbsam as the passdb backend. I copied the contents of /var/lib/samba and the smb.conf from the old machine to the new machine. We run a yp domain, which has the same name as the samba domain. The dns domain is different. Users exist in both the yp passwd map and the samba domain. I followed the instructions on building SAMBA here: http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/ then moved to the instructions on migration here: http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO#Upgrading_In_Place It appeared to finish normally (it complained about a couple of duplicate entries). However, after the classicupgrade, running /usr/local/samba/bin/pdbedit -L reveals that the users and groups do not exist. Should I expect this? If so, what database holds the user information? Simon
[Samba] migrating from Samba3 with tdbsam to samba4 AD server?
What's the best path to do this? I currently have a SAMBA3 domain controller using tdbsam and would like to migrate to Samba4 as an AD controller. I assume that this will require loading my existing user database into ldap. What's the best path for this? Should I look for a samba3 to samba4 migration, continuing to use tdbsam in samba4, and then convert to ldap, or convert my existing samba3 installation from tdbsam to ldap first? Clearly, I want to ensure that logins (and especially SIDs) are preserved so that there is minimal impact to Windows clients. Simon
[Samba] Joining a linux server as a domain member with samba4
Hi All, Playing with Samba4 RC6 and it's working amazing in my test network as a DC. One thing I am not clear with is how to join a file server to it. On the file server do I install samba4 the same way and run: samba-tool domain join member ... I did try net join ads but it seems it didn't compile in ads then I saw some people saying this was not the way to do it. So I just want to get a clear answer what is the recommended way on joining a linux server as a domain member with samba4? Cheers, Simon
Re: [Samba] MMC crashes with rc6
I just deployed a RC6 and I think I am getting the same thing. This was a clean install pulled from git samba-master. Will work on getting a packet capture if possible. Simon From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of Andrew Bartlett [abart...@samba.org] Sent: Thursday, December 06, 2012 1:25 PM To: Thomas Simmons Cc: samba@lists.samba.org Subject: Re: [Samba] MMC crashes with rc6 On Wed, 2012-12-05 at 19:43 -0500, Thomas Simmons wrote: Hello, I am having a problem after performing a classicupgrade with rc6. This did not happen with previous RCs. When adding any of the AD MMC snap-ins from a member computer, MMC crashes with the error below. I have the provision scripted and am using the same ldif, smb.conf and /var/lib/samba, so I'm fairly certain the only difference is rc6. I am testing with a Win 7 VM image that was joined to S3. I restore it each time I provision to verify I can login to existing systems, so even that's the same. One thing to note, if I provision rc5, login with this VM, shut it down and then provision rc6, I don't have the problem. Problem signature: Problem Event Name: APPCRASH Application Name: mmc.exe Application Version: 6.1.7600.16385 Application Timestamp: 4a5bc808 Fault Module Name: dsadmin.dll Fault Module Version: 6.1.7601.17514 Fault Module Timestamp: 4ce7c618 Exception Code: c005 Exception Offset: 00049717 OS Version: 6.1.7601.2.1.0.256.48 Locale ID: 1033 Additional Information 1: fe9a Additional Information 2: fe9ada6e5173959adf48eb8bcf42009a Additional Information 3: e888 Additional Information 4: e8882ed1eba1626dfcb33f05b2c2092a This is going to be quite tricky, but if you can get a network capture we might have a clue what the last (and presumably fatal) reply was. Otherwise we will need to work with Microsoft to get this under a debugger. 
Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
[Samba] How can I show only the shares that user have access to in SAMBA
Dear All, For the issue I am having to display shares only to users having access I did come across an article but just wondering what exactly it means access based share enum (S) If this parameter is yes for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \\sambaserver). This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights. Default: access based share enum = no I appreciate if someone could clarify it with example - my smb.conf is --- [kmplan] comment = masterplan testing directory path = /opt/network/testplan valid users = @localgrp write list = @localgrp read only = No hide unreadable = Yes hide unwriteable files = Yes access based share enum = Yes want only the users of localgrp to see the share and no others appreciate your kind help regards simon --- On Sat, 10/13/12, simon ben guy200...@yahoo.com wrote: From: simon ben guy200...@yahoo.com Subject: [Samba] How can I show only the shares that user have access to in SAMBA To: samba@lists.samba.org Date: Saturday, October 13, 2012, 1:58 PM Dear All, As I have a issue to display only those shares the users have access too.. 
i am really trying to find a solution and came across a post http://serverfault.com/questions/144339/hiding-samba-share-from-browse-list-for-unauthorised-users its about the include statement this would exactly achieve my purpose but when I did that as I could put browseable = no in my kmplan section of my smb.conf file and browseable = yes in the include file testparm says Can't find include file /etc/samba/%G.conf i did try with other variables like u or U but its the same Appreciate your help regards simon --- On Thu, 10/11/12, simon ben guy200...@yahoo.com wrote: From: simon ben guy200...@yahoo.com Subject: Re: [Samba] How can I show only the shares that user have access to in SAMBA To: Björn JACKE b...@sernet.de Cc: samba@lists.samba.org Date: Thursday, October 11, 2012, 1:04 PM Dear Bjorn, Indeed so grateful for your quick reply I was indeed using earlier samba actually I just installed it using yum. now I did upgrade samba to recent one samba 3.6.8 and after running the testparm command displayed no errors but still I was not able to achieve my goal as christian mentioned in his reply i do think his mistaken cause there are many guys whos post i see and they have solved it by adding just his 2 below command in their smb.conf file hide unreadable = Yes hide unwriteable files = Yes Is there anything I could look into as I mentioned before I have used webmin to create both local and samba users whos user names are the same and so also groups here below my smb.conf [global] workgroup = MYGROUP server string = Samba Server Version %v disable spoolss = Yes domain master = No idmap config * : backend = tdb cups options = raw [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes print ok = Yes browseable = No [kmplan] comment = masterplan testing directory path = /opt/network/testplan valid users = @localgrp write list = @localgrp read only = No hide unreadable = Yes hide 
unwriteable files = Yes access based share enum = Yes also here below are the permissions of /opt/network/testplan directory drwxrws--T 3 root localgrp 4096 Oct 10 19:39 testplan Actually every things works fine what I mean is if I log in as a user who belongs to localgrp I can read/write the kmplan share which is perfect but when i log in as user who does not belong to localgrp i can see the kmplan share although i cannot access it. as christian said i can hide the share but even for valid users the share is hidden n i obviously dont want to hide the share for valid users regards simon --- On Thu, 10/11/12, Björn JACKE b...@sernet.de wrote: From: Björn JACKE b...@sernet.de Subject: Re: [Samba] How can I show only the shares that user have access to in SAMBA To: simon ben guy200...@yahoo.com Cc: samba@lists.samba.org Date: Thursday, October 11, 2012, 2:10 AM On 2012-10-11 at 01:22 -0700 simon ben sent off: but when I do a testparm it gives a error --- [root@kmshare samba]# testparm /etc/samba/smb.conf Load smb config files from /etc/samba/smb.conf Unknown parameter encountered: access based share enum Ignoring unknown parameter access based share enum then your
[Samba] How can I show only the shares that user have access to in SAMBA
Dear All, As I have a issue to display only those shares the users have access too.. i am really trying to find a solution and came across a post http://serverfault.com/questions/144339/hiding-samba-share-from-browse-list-for-unauthorised-users its about the include statement this would exactly achieve my purpose but when I did that as I could put browseable = no in my kmplan section of my smb.conf file and browseable = yes in the include file testparm says Can't find include file /etc/samba/%G.conf i did try with other variables like u or U but its the same Appreciate your help regards simon --- On Thu, 10/11/12, simon ben guy200...@yahoo.com wrote: From: simon ben guy200...@yahoo.com Subject: Re: [Samba] How can I show only the shares that user have access to in SAMBA To: Björn JACKE b...@sernet.de Cc: samba@lists.samba.org Date: Thursday, October 11, 2012, 1:04 PM Dear Bjorn, Indeed so grateful for your quick reply I was indeed using earlier samba actually I just installed it using yum. 
now I did upgrade samba to recent one samba 3.6.8 and after running the testparm command displayed no errors but still I was not able to achieve my goal as christian mentioned in his reply i do think his mistaken cause there are many guys whos post i see and they have solved it by adding just his 2 below command in their smb.conf file hide unreadable = Yes hide unwriteable files = Yes Is there anything I could look into as I mentioned before I have used webmin to create both local and samba users whos user names are the same and so also groups here below my smb.conf [global] workgroup = MYGROUP server string = Samba Server Version %v disable spoolss = Yes domain master = No idmap config * : backend = tdb cups options = raw [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes print ok = Yes browseable = No [kmplan] comment = masterplan testing directory path = /opt/network/testplan valid users = @localgrp write list = @localgrp read only = No hide unreadable = Yes hide unwriteable files = Yes access based share enum = Yes also here below are the permissions of /opt/network/testplan directory drwxrws--T 3 root localgrp 4096 Oct 10 19:39 testplan Actually every things works fine what I mean is if I log in as a user who belongs to localgrp I can read/write the kmplan share which is perfect but when i log in as user who does not belong to localgrp i can see the kmplan share although i cannot access it. 
as christian said i can hide the share but even for valid users the share is hidden n i obviously dont want to hide the share for valid users regards simon --- On Thu, 10/11/12, Björn JACKE b...@sernet.de wrote: From: Björn JACKE b...@sernet.de Subject: Re: [Samba] How can I show only the shares that user have access to in SAMBA To: simon ben guy200...@yahoo.com Cc: samba@lists.samba.org Date: Thursday, October 11, 2012, 2:10 AM On 2012-10-11 at 01:22 -0700 simon ben sent off: but when I do a testparm it gives a error --- [root@kmshare samba]# testparm /etc/samba/smb.conf Load smb config files from /etc/samba/smb.conf Unknown parameter encountered: access based share enum Ignoring unknown parameter access based share enum then your Samba version is too old then. This parameter was introduced with Samba 3.6 I think (maybe 3.5 already). On http://www.enterprisesamba.org you might find recent packages for your distribution that support that feature. Cheers Björn -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen ☎ +49-551-37-0, ℻ +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
Re: [Samba] How can I show only the shares that user have access to in SAMBA
Dear Bjorn I really appreciate your quick reply. by the way I did add the access based share enum = yes but when I do a testparm it gives a error --- [root@kmshare samba]# testparm /etc/samba/smb.conf Load smb config files from /etc/samba/smb.conf Unknown parameter encountered: access based share enum Ignoring unknown parameter access based share enum Processing section [homes] Processing section [printers] Processing section [kmplan] Loaded services file OK. Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions [global] workgroup = MYGROUP server string = Samba Server Version %v passdb backend = tdbsam disable spoolss = Yes winbind use default domain = Yes winbind trusted domains only = Yes cups options = raw [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes browseable = No [kmplan] comment = masterplan testing directory path = /opt/network/testplan valid users = @localgrp write list = @localgrp read only = No hide unreadable = Yes hide unwriteable files = Yes the directory /opt/network/testplan is shared as kmplan and localgrp has 2 valid users user1 and user2 so if I log in as user1 or user2 kmplan share can be accessed perfectly i have a third user user3 and he not belong the localgrp . also wanted to mentioned that I have used webmin to create local users and in samba windows file sharing option of webmin== user and group synchronisation == i am using yes for all. that is when a unix user is created automatically add a samba user likewise for groups. 
appreciate your help and advise regards simon --- On Wed, 10/10/12, Björn JACKE b...@sernet.de wrote: From: Björn JACKE b...@sernet.de Subject: Re: [Samba] How can I show only the shares that user have access to in SAMBA To: simon ben guy200...@yahoo.com Cc: samba@lists.samba.org Date: Wednesday, October 10, 2012, 1:28 PM On 2012-10-10 at 13:02 -0700 simon ben sent off: i have right now one share and want only the users who have access to the share to see it and the others should not when I log into the user who has no access I see the share and when i double click it ask me for username and password googling around this issue is solved by using the below in smb.conf file hide dot files = yes hide unreadable = yes in the share definition section. but its still visible can you please try setting access based share enum = yes ? Cheers Björn
Re: [Samba] How can I show only the shares that user have access to in SAMBA
Dear Bjorn, Indeed so grateful for your quick reply I was indeed using earlier samba actually I just installed it using yum. now I did upgrade samba to recent one samba 3.6.8 and after running the testparm command displayed no errors but still I was not able to achieve my goal as christian mentioned in his reply i do think his mistaken cause there are many guys whos post i see and they have solved it by adding just his 2 below command in their smb.conf file hide unreadable = Yes hide unwriteable files = Yes Is there anything I could look into as I mentioned before I have used webmin to create both local and samba users whos user names are the same and so also groups here below my smb.conf [global] workgroup = MYGROUP server string = Samba Server Version %v disable spoolss = Yes domain master = No idmap config * : backend = tdb cups options = raw [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /var/spool/samba printable = Yes print ok = Yes browseable = No [kmplan] comment = masterplan testing directory path = /opt/network/testplan valid users = @localgrp write list = @localgrp read only = No hide unreadable = Yes hide unwriteable files = Yes access based share enum = Yes also here below are the permissions of /opt/network/testplan directory drwxrws--T 3 root localgrp 4096 Oct 10 19:39 testplan Actually every things works fine what I mean is if I log in as a user who belongs to localgrp I can read/write the kmplan share which is perfect but when i log in as user who does not belong to localgrp i can see the kmplan share although i cannot access it. 
as christian said i can hide the share but even for valid users the share is hidden n i obviously dont want to hide the share for valid users regards simon --- On Thu, 10/11/12, Björn JACKE b...@sernet.de wrote: From: Björn JACKE b...@sernet.de Subject: Re: [Samba] How can I show only the shares that user have access to in SAMBA To: simon ben guy200...@yahoo.com Cc: samba@lists.samba.org Date: Thursday, October 11, 2012, 2:10 AM On 2012-10-11 at 01:22 -0700 simon ben sent off: but when I do a testparm it gives a error --- [root@kmshare samba]# testparm /etc/samba/smb.conf Load smb config files from /etc/samba/smb.conf Unknown parameter encountered: access based share enum Ignoring unknown parameter access based share enum then your Samba version is too old then. This parameter was introduced with Samba 3.6 I think (maybe 3.5 already). On http://www.enterprisesamba.org you might find recent packages for your distribution that support that feature. Cheers Björn -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen ☎ +49-551-37-0, ℻ +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
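The testparm transcript quoted in this thread shows a requested access-control setting being dropped with only a warning, so the share stays visible to everyone. The check below is an added example, not code from the list posts or from the Samba project: it parses captured testparm output, lists the ignored parameters, and confirms what a share's effective settings are. The sample text is constructed from the output quoted in the thread (one parameter per line), and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the testparm output quoted in the thread
# (a Samba build too old to know "access based share enum").
SAMPLE_TESTPARM = """\
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: access based share enum
Ignoring unknown parameter access based share enum
Processing section [homes]
Processing section [printers]
Processing section [kmplan]
Loaded services file OK.
Server role: ROLE_STANDALONE

[global]
    workgroup = MYGROUP
    passdb backend = tdbsam

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[kmplan]
    comment = masterplan testing directory
    path = /opt/network/testplan
    valid users = @localgrp
    write list = @localgrp
    read only = No
    hide unreadable = Yes
    hide unwriteable files = Yes
"""

# testparm may or may not quote the parameter name, so quotes are optional.
UNKNOWN_RE = re.compile(r'^Unknown parameter encountered:\s*"?(.+?)"?\s*$')
SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
TRUE_VALUES = {"yes", "true", "1", "on"}


def _norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def unknown_parameters(text):
    """Parameter names this Samba build reported as unknown (and ignored)."""
    found = []
    for line in text.splitlines():
        m = UNKNOWN_RE.match(line.strip())
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def effective_sections(text):
    """Parse the service dump into {section: {normalised parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
        elif current is not None and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            current[_norm(key)] = value.strip()
    return sections


def audit(text, required):
    """required: {share: [boolean parameters that must be enabled]}.

    The plain testparm dump lists only non-default values, and the
    parameters discussed in the thread default to "no", so a parameter
    missing from the dump is treated as not enabled.
    """
    ignored = {_norm(p) for p in unknown_parameters(text)}
    sections = effective_sections(text)
    findings = []
    for share, params in required.items():
        effective = sections.get(share.lower())
        if effective is None:
            findings.append((share, None, "share missing from effective config"))
            continue
        for param in params:
            if effective.get(_norm(param), "").lower() in TRUE_VALUES:
                continue
            reason = ("ignored: unknown to this Samba version"
                      if _norm(param) in ignored else "not enabled")
            findings.append((share, param, reason))
    return findings


if __name__ == "__main__":
    wanted = {"kmplan": ["access based share enum", "hide unreadable"]}
    for finding in audit(SAMPLE_TESTPARM, wanted):
        print(finding)
```

Run against real output by capturing both streams of `testparm -s`, since the warnings and the service dump are not guaranteed to arrive on the same stream.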
[Samba] quotas on samba shares
Dear All, Below I had earlier posted this issue but it's solved I actually forgot about going to unused modules and then configure quota sorry for this regards simon Dear All, I have just implemented a new setup of centos 5.8 server to be used as a Linux file server using sambais The server is partitioned with the defaults below is a df -k output --- Filesystem 1K-blocks Used Available Use% Mounted on /dev/mapper/VolGroup00-LogVol00 119885916 1174332 112523348 2% / /dev/hda1 101086 12632 83235 14% /boot tmpfs 1029780 0 1029780 0% /dev/shm --- I have created samba users and shares and everything is fine. i have used webmin to achieve this now I want to have quotas implemented on the shares that is both for users home share and group share In webmin under system i dont see quota option I have tried to install quota package with yum but still I dont see the quota option in webmin appreciate if someone could help me and advise me or help me with some helpful link regards simon
[Samba] How can I show only the shares that user have access to in SAMBA
Dear All, I have implemented samba to right now in test environment to be implemented in production as samba file server so far its working grt but I have one issue i have right now one share and want only the users who have access to the share to see it and the others should not when I log into the user who has no access I see the share and when i double click it ask me for username and password googling around this issue is solved by using the below in smb.conf file hide dot files = yes hide unreadable = yes in the share definition section. but its still visible security is set as user here the part of my smb.conf -- [kmplan] writeable = yes path = /opt/network/testplan write list = @localgrp revalidate = yes hide unreadable = yes hide dot files = yes comment = masterplan testing directory valid users = @localgrp - is there anything i need to set in smb.conf appreciate your help and advice regards simon
[Samba] setting up quotas on shares
Dear All, I have just implemented a new setup of centos 5.8 server to be used as a Linux file server using sambais The server is partitioned with the defaults below is a df -k output --- Filesystem 1K-blocks Used Available Use% Mounted on /dev/mapper/VolGroup00-LogVol00 119885916 1174332 112523348 2% / /dev/hda1 101086 12632 83235 14% /boot tmpfs 1029780 0 1029780 0% /dev/shm --- I have created samba users and shares and everything is fine. i have used webmin to achieve this now I want to have quotas implemented on the shares that is both for users home share and group share In webmin under system i dont see quota option I have tried to install quota package with yum but still I dont see the quota option in webmin appreciate if someone could help me and advise me or help me with some helpful link regards simon
[Samba] Is this a bug in smbclient?
Hi there, I'm trying to backup a Windows Server 2003 64Bit with Amanda. It uses the smbclient for backing up a Windows Share. So far so good, but on large shares I do get a lot of error messages which I can not explain. ? NT_STATUS_OK opening remote file \Daten\Titelseite\153x215.ai (\Daten\Titelseite\) ? NT_STATUS_IO_TIMEOUT listing \Daten\Titelseite\* ? NT_STATUS_OK opening remote file \Daten\MÀdchen.jpg (\Daten\) ? NT_STATUS_IO_TIMEOUT listing \Daten\Bilder_Fotos und Logos\Fotolia\* I'm using the smbclient 3.6.6 which comes with Debian Wheezy. Is there anything I can do or test about it? Greetings!
[Samba] Suggestions for moving a PDC function
I currently have a server which is both the PDC for my domain and the file server for the network. I need to split these functions and move the PDC function to another box, while leaving the original server as the file server on which home directories and roaming profiles are stored. User credentials are stored in a tdbsam database and I am running Samba 3.5.

Does anyone have any pointers on what to move and any potential pitfalls in the process? I have always used the same machine for both the PDC and file server, so this is somewhat unknown territory for me.

I assume that the file server will still run samba, and I will change the domain master = and domain logins = to no in both cases. Also security = should be set to security = domain and add set up a machine account on the file server which is then joined to the domain?

What files need to be moved to the new samba server? I see that there are files in /var/cache/samba (it's a Gentoo system) which I assume also have to be put into the proper place on the new server. Is there anything else I need to look for?

Many thanks for any suggestions.

Simon
[Samba] Roaming profiles not being loaded
I tried to build a setup to model and hence learn how to configure samba servers for the setup that I described below. However, a user login in which the profile is defined to be on a samba server that is not the PDC never gets a roaming profile -- instead the user always gets a temporary profile. Looking at the Windows logs, it is complaining about a permissions issue. However, once logged in (with the temporary profile), that user can create and modify files in the profile directory. I have turned logging level to 3, but I don't see anything useful.

The PDC is running SAMBA 3.5.11, while the other server (modeling the fileserver in the proposed network) is running SAMBA 3.5.10. The usernames exist in the /etc/passwd files on both machines (although I think that I should not need this if I can get winbindd working properly). Home directories for the users exist on both machines.

Some specifics:

1. smb.conf from the fileserver (Not the PDC, but the machine where the profile directories are found):

    [global]
    workgroup = MATTHEWS
    server string = Samba Server Version %v
    netbios name = sambatest
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 3
    security = domain
    passdb backend = tdbsam
    password server = firewall
    idmap backend = tdb
    idmap uid = 9000-
    idmap gid = 9000-
    local master = no
    load printers = yes
    cups options = raw

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

    [profiles]
    comment = profiles
    path = /export/profiles
    browseable = yes
    guest ok = yes

smb.conf from the PDC:

    [global]
    workgroup = MATTHEWS
    netbios aliases = SERVER, firewall, newfirewall
    server string = Samba Server %v
    interfaces = 192.168.89.1, 127.0.0.1, 192.168.89.2, 192.168.89.6, 10.9.0.1
    bind interfaces only = Yes
    security = user
    log file = /var/log/samba3/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = /etc/printcap
    os level = 90
    preferred master = Yes
    domain master = Yes
    domain logons = yes
    dns proxy = No
    wins server = 192.168.89.1
    wins support = Yes
    admin users = root, simon, @wheel
    hosts allow = 192.168.0.0/255.255.0.0, 10.8.0.0/24
    hosts deny = 0.0.0.0/0
    passdb backend = tdbsam
    logon path = \\%N\profiles\%U
    logon home = \\firewall\%U\winprofile

    [profiles]
    comment = profiles
    path = /export/profiles
    read only = No

    [homes]
    comment = Home Directories
    path = /home/%u
    read only = No

    [allhomes]
    comment = Home Directories
    path = /home
    guest ok = Yes

    [print$]
    path = /var/lib/samba/printers
    guest ok = Yes

    [CD]
    path = /mnt/cdrom/
    guest ok = Yes

    [certs]
    path = /home/certs
    guest ok = Yes

    [pub]
    path = /home/pub
    read only = No
    guest ok = Yes

    [HP]
    comment = HP Printer
    path = /tmp
    guest ok = Yes
    printable = Yes
    print command = lpr -P HP -oraw -r -l %s
    lpq command = lpq -P'HP'
    lprm command = lprm -P'HP' %j
    use client driver = Yes

    [Laser]
    path = /tmp
    printable = Yes

pdb data for user that cannot get a profile:

    pdbedit -v simontest
    Unix username:        simontest
    NT username:
    Account Flags:        [U ]
    User SID:             S-1-5-21-812011073-3920078087-27638135-1004
    Primary Group SID:    S-1-5-21-812011073-3920078087-27638135-513
    Full Name:
    Home Directory:       \\firewall\simontest\winprofile
    HomeDir Drive:
    Logon Script:
    Profile Path:         \\sambatest\profiles\simontest
    Domain:               MATTHEWS
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          Wed, 06 Feb 2036 07:06:39 PST
    Kickoff time:         Wed, 06 Feb 2036 07:06:39 PST
    Password last set:    Sat, 24 Mar 2012 15:09:20 PDT
    Password can change:  Sat, 24 Mar 2012 15:09:20 PDT
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FF

Does anyone have any suggestions on what might be wrong? If it needs entries from the log files, I can add these.

Simon

On Sat, Mar 24, 2012 at 12:09 PM, Simon Matthews simon.d.matth...@gmail.com wrote:

I currently have a server which is both the PDC for my domain and the file server for the network. I need to split these functions and move the PDC function to another box, while leaving the original server as the file server on which home directories and roaming profiles are stored. User credentials are stored in a tdbsam database and I am running Samba 3.5. Does anyone have any pointers on what to move and any potential pitfalls in the process? I have always used the same machine for both the PDC and file server, so this is somewhat unknown territory for me. I assume that the file
Re: [Samba] samba PDC/NIS client
On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy tony.mol...@ul.ie wrote:

On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:

On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Do you have password sync enabled? If password sync is enabled, samba will try to use the passwd command to set the unix password. But with nis, you probably might need something nis specific. On solaris it was “passwd –r nis” - not sure about linux. Probably better to just disable password sync.

I've got a very similar setup to you. Except I use a smbpasswd file.

No, I don't have this option enabled. I am not sure how it is relevant.

Problem summary:
The samba PDC is an NIS client
getent passwd returns the passwd data.
The user's SAMBA password was set using smbpasswd
The user's NIS passwd was set using yppasswd

So far all the same.

ALL I had to do to allow domain logins was:

    ypcat passwd | grep username /etc/passwd

Why duplicate the password entries. I just have them in NIS and /etc/passwd just has the system passwords.

Note that after copying the user details to /etc/passwd, the password that was set with smbpasswd was the password that was used with the successful domain login.

Don't really understand what you mean by domain logins

1. Create the user under linux first
2. Use smbpasswd to add the user to samba
   You now have a user in both linux and samba but remember the passwords are stored separately, changing one does not change the other.
3. Edit /etc/nsswitch.conf. Set

    passwd: files nis
    shadow: files

Removing the nis entry from shadow: in /etc/nsswitch.conf solved the issue. I don't understand why, but it did.

Simon

That works for me. YMMV

Tony

Simon
Re: [Samba] samba PDC/NIS client
On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Do you have password sync enabled? If password sync is enabled, samba will try to use the passwd command to set the unix password. But with nis, you probably might need something nis specific. On solaris it was “passwd –r nis” - not sure about linux. Probably better to just disable password sync.

No, I don't have this option enabled. I am not sure how it is relevant.

Problem summary:
The samba PDC is an NIS client
getent passwd returns the passwd data.
The user's SAMBA password was set using smbpasswd
The user's NIS passwd was set using yppasswd

ALL I had to do to allow domain logins was:

    ypcat passwd | grep username /etc/passwd

Note that after copying the user details to /etc/passwd, the password that was set with smbpasswd was the password that was used with the successful domain login.

Simon

From: Simon Matthews [mailto:simon.d.matth...@gmail.com]
Sent: Friday, March 09, 2012 4:04 PM
To: gaiseric.van...@gmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba PDC/NIS client

On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

I don't think this is a samba issue. Samba accounts need to have a corresponding unix account. Shouldn't matter if they are in NIS or /etc/passwd. If you have users in both it could get a problem. Is getent passwd really showing the users from NIS?

Yes. In fact, for those users who are in both the /etc/passwd and nis tables, it shows both entries (and the details match between both entries)

How about getent shadow (assuming a linux machine and not solaris,

No, this only shows the users with entries in /etc/shadow. However:
1. getent passwd includes the hashed passwords of users in the nis tables
2. It was not necessary to add the user to /etc/shadow in order to allow samba domain logins. All I had to do was add the user to /etc/passwd.

and probably doesn't matter anyway.)

Do you have an /etc/nsswitch.conf entry for

    shadow: files nis

Yes

Are you missing the : in the nsswitch.conf entries?

No.

Are your user names all in lower case? Are they all 8 characters or under.

Yes.

Simon

On 03/08/12 22:46, Simon Matthews wrote:

I have a server which is a samba PDC and has recently been converted to an NIS client. For historic reasons, many users' login information is in the local machine's /etc/passwd and /etc/shadow files. samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the smbpasswd -a command. I found that smbpasswd would not recognize the user unless either the username was in the /etc/passwd file, or I changed /etc/nsswitch.conf from

    passwd compat

TO:

    passwd files nis

However, if I make the latter change, the user cannot log into any Windows machines that are controlled by my PDC. To allow logins, all I have to do is

    ypcat passwd | grep username /etc/passwd

After this, the user can log in.

Is there any configuration of samba that will allow it to properly recognize user data from the NIS map and not require the user to be listed in the /etc/passwd file?

Simon
Re: [Samba] samba PDC/NIS client
On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

I don't think this is a samba issue. Samba accounts need to have a corresponding unix account. Shouldn't matter if they are in NIS or /etc/passwd. If you have users in both it could get a problem. Is getent passwd really showing the users from NIS?

Yes. In fact, for those users who are in both the /etc/passwd and nis tables, it shows both entries (and the details match between both entries)

How about getent shadow (assuming a linux machine and not solaris,

No, this only shows the users with entries in /etc/shadow. However:
1. getent passwd includes the hashed passwords of users in the nis tables
2. It was not necessary to add the user to /etc/shadow in order to allow samba domain logins. All I had to do was add the user to /etc/passwd.

and probably doesn't matter anyway.)

Do you have an /etc/nsswitch.conf entry for

    shadow: files nis

Yes

Are you missing the : in the nsswitch.conf entries?

No.

Are your user names all in lower case? Are they all 8 characters or under.

Yes.

Simon

On 03/08/12 22:46, Simon Matthews wrote:

I have a server which is a samba PDC and has recently been converted to an NIS client. For historic reasons, many users' login information is in the local machine's /etc/passwd and /etc/shadow files. samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the smbpasswd -a command. I found that smbpasswd would not recognize the user unless either the username was in the /etc/passwd file, or I changed /etc/nsswitch.conf from

    passwd compat

TO:

    passwd files nis

However, if I make the latter change, the user cannot log into any Windows machines that are controlled by my PDC. To allow logins, all I have to do is

    ypcat passwd | grep username /etc/passwd

After this, the user can log in.

Is there any configuration of samba that will allow it to properly recognize user data from the NIS map and not require the user to be listed in the /etc/passwd file?

Simon
[Samba] samba PDC/NIS client
I have a server which is a samba PDC and has recently been converted to an NIS client. For historic reasons, many users' login information is in the local machine's /etc/passwd and /etc/shadow files. samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the smbpasswd -a command. I found that smbpasswd would not recognize the user unless either the username was in the /etc/passwd file, or I changed /etc/nsswitch.conf from

    passwd compat

TO:

    passwd files nis

However, if I make the latter change, the user cannot log into any Windows machines that are controlled by my PDC. To allow logins, all I have to do is

    ypcat passwd | grep username /etc/passwd

After this, the user can log in.

Is there any configuration of samba that will allow it to properly recognize user data from the NIS map and not require the user to be listed in the /etc/passwd file?

Simon
[Samba] Group Mappings
Samba 3.6.2

My Domain Admins, including root, don't get admin permissions on local PCs.

My Windows 7 clients can join the domain, but when I look in the Administrators group it shows the SID for the Domain Admins group (RID = 512) and the icon has a question mark.

net groupmap list seems OK.

Any ideas where to look next?

TIA

Simon
--
Simon Faulkner
01538 303 900
Staffordshire Moorlands
[Samba] Screenshot
Any chance anyone can take a look at this screenshot of the Administrator group on a Domain PC?

I can't figure out why it is showing the SID rather than the name of the group.

TIA

Simon
--
Simon Faulkner
01538 303 900
Staffordshire Moorlands
[Samba] upgraded to 3.6.2
Hi Folks,

I have upgraded my very stock Ubuntu 8.04.4 running 3.0.28a to 3.6.2 by compiling in place as per these notes:

http://www.jeremycole.com/blog/2009/12/01/upgrade-samba-3-0-28a-to-3-4-3-on-ubuntu-8-04-lts/

Worked a treat - big respect to the team.

However, I am struggling a little with group mapping. net groupmap list used to show the half dozen or so groups but now it doesn't.

Have I broken it or is it no longer done that way?

Any tips on troubleshooting would be most helpful...

TIA

Simon
--
Simon Faulkner
01538 303 900
Staffordshire Moorlands
[Samba] ntlm_auth always returns ok
Hi,

I'm trying to configure Squid to authenticate with winbind and everything seemed to be going OK until I try and do a test which should fail. I'm always getting NT_STATUS_OK: Success (0x0).

My PDC is another machine.

    wbinfo -t
    checking the trust secret via RPC calls succeeded

wbinfo -u lists my users from the PDC but only username, not DOMAIN\username as stated in some docs.

wbinfo -g lists my groups from the PDC.

    wbinfo -a nouser%badpassword
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

    ntlm_auth --username=nouser --password=badpassword
    NT_STATUS_OK: Success (0x0)

I've been going round in circles on this; any help or pointers much appreciated.

--
Simon Kelsall
Network Administrator
St James the Great R.C Primary Nursery School
http://www.stjamesthegreat.org/
[Samba] Guest ? logon problems
Hi,

I have just upgraded to Samba 3.4.7 on Ubuntu 10.04 running as a PDC.

We have a shortcut on the desktop which pointed to the server ( \\server ). Previously when we clicked this it asked for logon credentials immediately. Since the upgrade it shows a list of shares ( printers, netlogon etc ) and doesn't ask for credentials until you try to access a share.

This means the first time you click the server shortcut you won't see your home drive listed. You need to click one of the shares, log on, then close the window and click on the shortcut again before you see your home drive.

I have gone through the smb.conf and turned off guest access on all the shares and anywhere else I could find it ( printer section etc ).

How do I revert to the previous behaviour?

Many thanks

--
Simon Kelsall
Network Administrator
St James the Great R.C Primary Nursery School
http://www.stjamesthegreat.org/
RE: [Samba] failed to join domain error - solved
Dear All,

googling around and trying various options, finally I managed to have my CentOS 5.2 server join my Win2003 AD server. Really banged my head through, but never thought it was so simple: it was just basically the correct entries in my hosts n resolv.conf file.

Thanks all,

regards
simon

-Original Message-
From: samba-bounces+james_zuelow=ci.juneau.ak...@lists.samba.org [mailto:samba-bounces+james_zuelow=ci.juneau.ak...@lists.samba.org] On Behalf Of Benedict simon
Sent: Friday, 27 March, 2009 05:06
To: samba@lists.samba.org
Subject: [Samba] failed to join domain error

Dear All,

I have successfully managed to have my kerberos configured n working without error. When I say kinit Administrator and after entering the password I get the # prompt, so it works fine.

Now I configured /etc/samba/smb.conf, but when I try to join my Win2003 ADS domain server:

    net ads join -U Administrator
    Administrator's password:
    [2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
      ads_connect: No logon servers
    Failed to join domain: No logon servers

Thanks and Regards
Simon
--
Network ADMIN - KUWAIT MUNICIPALITY:

I just had a host do this recently, using Samba 3.2.5-4 Debian. DNS was working fine, kerberos was working fine, but for some reason net ads join didn't want to work. I resolved it by putting an entry for a domain controller into /etc/hosts. After that net ads join worked fine.

James Zuelow    CBJ MIS (907)586-0236
Network Specialist...Registered Linux User No. 186591

Thanks, and really appreciate your quick reply.

By the way, I do have an entry in my hosts file:

    172.16.2.227 BALADIA.LOCAL

Also the realm was different from my krb5.conf file, I think since I was just trying options, so now the realm I have corrected, and my realm in smb.conf n krb5.conf is the same.

Also when I run net ads info it gives me:

    Failed to get server's current time!
    LDAP server: 172.16.2.227
    LDAP server name: kmun.baladia.local
    Realm: BALADIA.LOCAL
    Bind Path: dc=BALADIA,dc=LOCAL
    LDAP port: 389
    Server time: Thu, 01 Jan 1970 03:00:00 AST
    KDC server: 172.16.2.227
    Server time offset: 0

Again I mention my AD Win2003 server domain is BALADIA.LOCAL, computer name is kmun, ip === 172.16.2.227.

Appreciate if you could help me with some suggestions.

Thanks once again,
regards
simon
--
Network ADMIN - KUWAIT MUNICIPALITY:

--
Network ADMIN - KUWAIT MUNICIPALITY:
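The realm disagreement between smb.conf and krb5.conf mentioned in this thread can be checked mechanically before running net ads join. The following Python check is an added example, not part of the original messages; the function names (smb_global, krb5_realms, check_join_config) are hypothetical, and the two sample files are constructed from the configuration quoted in the thread.

```python
import configparser
import re

# Sample files constructed from the configuration quoted in the thread (trimmed).
SMB_CONF = """\
[global]
workgroup = BALADIA.LOCAL
; password server = kmun.baladia.local
password server = 172.16.2.227
realm = KMUN.BALADIA.LOCAL
security = ads
encrypt passwords = yes
server string = Samba Server Version %v
encrypt passwords = yes
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = BALADIA.LOCAL
 dns_lookup_kdc = false
 dns_lookup_realm = false

[realms]
 BALADIA.LOCAL = {
  default_domain = baladia.local
  kdc = xx.xx.xx.xx:88
  admin_server = xx.xx.xx.xx:749
 }

[domain_realm]
 baladia.local = BALADIA.LOCAL
"""


def smb_global(text):
    """Return the [global] options of an smb.conf as a dict with lower-cased keys."""
    # Indentation is stripped so configparser does not treat indented options as
    # continuation lines. strict=False tolerates repeated options (the thread's
    # file sets "encrypt passwords" twice); interpolation is off because of %v.
    cleaned = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(cleaned)
    return dict(parser["global"]) if parser.has_section("global") else {}


def krb5_realms(text):
    """Return (default_realm, set of realms defined under [realms])."""
    section, depth, default, realms = None, 0, None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
            continue
        if line.startswith("}"):
            depth = max(depth - 1, 0)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default = value
        if value.startswith("{"):
            # Only top-level blocks in [realms] are realm definitions.
            if section == "realms" and depth == 0:
                realms.add(key)
            depth += 1
    return default, realms


def check_join_config(smb_text, krb5_text):
    """Return a list of (code, message) findings; an empty list means the realms agree."""
    opts = smb_global(smb_text)
    default, realms = krb5_realms(krb5_text)
    findings = []
    if opts.get("security", "").lower() != "ads":
        return findings  # the realm comparison only applies to an AD member
    # Upper-casing the smb.conf value before comparing is this example's choice.
    realm = opts.get("realm", "").upper()
    if not realm:
        return [("realm-missing", "security = ads but no realm in [global]")]
    if realm != default:
        findings.append(("realm-mismatch",
                         f"smb.conf realm {realm} != krb5.conf default_realm {default}"))
    if realm not in realms:
        # With dns_lookup_kdc = false the KDC has to come from [realms].
        findings.append(("realm-undefined",
                         f"{realm} has no entry under [realms] in krb5.conf"))
    return findings


if __name__ == "__main__":
    for code, message in check_join_config(SMB_CONF, KRB5_CONF):
        print(f"{code}: {message}")
```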
[Samba] failed to join domain error
Dear All,

I have successfully managed to have my kerberos configured n working without error. When I say kinit Administrator and after entering the password I get the # prompt, so it works fine.

My krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = BALADIA.LOCAL
     dns_lookup_kdc = false
     dns_lookup_realm = false

    [realms]
     BALADIA.LOCAL = {
      default_domain = baladia.local
      kdc = xx.xx.xx.xx:88
      admin_server = xx.xx.xx.xx:749
      kdc = KMUN
     }

    [domain_realm]
     baladia.local = BALADIA.LOCAL

klist shows:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administra...@baladia.local

    Valid starting     Expires            Service principal
    03/26/09 11:33:04  03/26/09 21:33:18  krbtgt/baladia.lo...@baladia.local
            renew until 03/27/09 11:33:04

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

Now I configured /etc/samba/smb.conf, but when I try to join my Win2003 ADS domain server:

    net ads join -U Administrator
    Administrator's password:
    [2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
      ads_connect: No logon servers
    Failed to join domain: No logon servers

After googling and trying various options in the /etc/samba/smb.conf file, here is the latest smb.conf file:

    [global]
    #--authconfig--start-line--
    # Generated by authconfig on 2009/03/26 12:50:28
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future
    workgroup = BALADIA.LOCAL
    ; password server = kmun.baladia.local
    password server = 172.16.2.227
    realm = KMUN.BALADIA.LOCAL
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    winbind separator = +
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    encrypt passwords = yes
    log level = 3
    #--authconfig--end-line--
    encrypt passwords = yes
    dns proxy = no
    server string = Samba Server Version %v
    os level = 20
    client use spnego = no
    server signing = auto

Where could I be going wrong? I would be thankful and really appreciate your advice for any setting in my smb.conf file. Is there anything else to check? Really, once again, appreciate your help and advice.

When I run testparm it gives no errors. Output of testparm is:

    [r...@testproxy ~]# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section [homes]
    Processing section [printers]
    Loaded services file OK.
    'winbind separator = +' might cause problems with group membership.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

    [global]
    workgroup = BALADIA.LOCAL
    realm = KMUN.BALADIA.LOCAL
    server string = Samba Server Version %v
    security = ADS
    password server = 172.16.2.227
    log level = 3
    server signing = auto
    client use spnego = No
    preferred master = No
    dns proxy = No
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes

    [homes]
    comment = Home Directories
    read only = No
    browseable = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

Thanks and Regards
Simon
--
Network ADMIN - KUWAIT MUNICIPALITY:
RE: [Samba] failed to join domain error
-Original Message-
From: samba-bounces+james_zuelow=ci.juneau.ak...@lists.samba.org [mailto:samba-bounces+james_zuelow=ci.juneau.ak...@lists.samba.org] On Behalf Of Benedict simon
Sent: Friday, 27 March, 2009 05:06
To: samba@lists.samba.org
Subject: [Samba] failed to join domain error

Dear All,

I have successfully managed to have my kerberos configured n working without error. When I say kinit Administrator and after entering the password I get the # prompt, so it works fine.

Now I configured /etc/samba/smb.conf, but when I try to join my Win2003 ADS domain server:

    net ads join -U Administrator
    Administrator's password:
    [2009/03/26 21:58:05, 0] utils/net_ads.c:ads_startup_int(286)
      ads_connect: No logon servers
    Failed to join domain: No logon servers

Thanks and Regards
Simon
--
Network ADMIN - KUWAIT MUNICIPALITY:

I just had a host do this recently, using Samba 3.2.5-4 Debian. DNS was working fine, kerberos was working fine, but for some reason net ads join didn't want to work. I resolved it by putting an entry for a domain controller into /etc/hosts. After that net ads join worked fine.

James Zuelow    CBJ MIS (907)586-0236
Network Specialist...Registered Linux User No. 186591

Thanks, and really appreciate your quick reply.

By the way, I do have an entry in my hosts file:

    172.16.2.227 BALADIA.LOCAL

Also the realm was different from my krb5.conf file, I think since I was just trying options, so now the realm I have corrected, and my realm in smb.conf n krb5.conf is the same.

Also when I run net ads info it gives me:

    Failed to get server's current time!
    LDAP server: 172.16.2.227
    LDAP server name: kmun.baladia.local
    Realm: BALADIA.LOCAL
    Bind Path: dc=BALADIA,dc=LOCAL
    LDAP port: 389
    Server time: Thu, 01 Jan 1970 03:00:00 AST
    KDC server: 172.16.2.227
    Server time offset: 0

Again I mention my AD Win2003 server domain is BALADIA.LOCAL, computer name is kmun, ip === 172.16.2.227.

Appreciate if you could help me with some suggestions.

Thanks once again,
regards
simon
--
Network ADMIN - KUWAIT MUNICIPALITY:
[Samba] Groups authentication?
Hi,

Is it possible to use group authentication instead of user/share authentication? I did create a very basic share on a test server and it allows everyone. I would like to create a samba group on the server and only give access to the users in that group. Can I do that?

I'm using Samba 3.0.25b on a CentOS 5 server.

Thanks!

Simon
[Samba] kernel log (smbfs): smb_proc_readdir_long: error=-2, breaking
Hi Samba users

We use RHEL 4.5. What do those log entries mean? How to solve this issue? Such entries appear in logs after copy jobs.

    Dec 16 20:55:43 nahant048 kernel: smb_proc_readdir_long: error=-2, breaking
    Dec 16 20:55:45 nahant048 last message repeated 2 times
    Dec 16 20:58:02 nahant048 kernel: smb_proc_readdir_long: error=-13, breaking
    Dec 16 20:58:02 nahant048 kernel: smb_proc_readdir_long: error=-13, breaking
    Dec 17 20:31:54 nahant048 kernel: smb_proc_readdir_long: error=-2, breaking
    Dec 17 20:31:55 nahant048 last message repeated 2 times
    Dec 17 20:33:04 nahant048 kernel: smb_proc_readdir_long: error=-13, breaking
    Dec 17 20:33:05 nahant048 kernel: smb_proc_readdir_long: error=-13, breaking

    # modinfo smbfs
    filename: /lib/modules/2.6.9-55.0.9.ELlargesmp/kernel/fs/smbfs/smbfs.ko
    license: GPL
    depends:
    vermagic: 2.6.9-55.0.9.ELlargesmp SMP gcc-3.4

    # rpm -q -a | grep samba
    samba-common-3.0.25b-1.el4_6.2
    samba-client-3.0.25b-1.el4_6.2

mount options: defaults,uid=512,gid=512,username=domain\user,password=password
filesystem type: smbfs

cheers
Simon
--
XMPP: [EMAIL PROTECTED]
[Samba] 2GB limit
I have a PC-BSD system running with SAMBA. I wanted to back up an image disk whose size is about 10Gb. The system has 4 HD, each 80 GB, so the space was not the problem.

I tried to copy this image data from Windows XP to my PC-BSD system via samba. I could copy up to 2Gb and then I had an error. I googled to find out how to fix this error and I found that it was fixed some time ago.

I verified the samba version installed. It is ver 3.26a.

    samba-3.0.26a,1
    samba-libsmbclient-3.0.26a

I checked the disk format. It is UFS2. I saw a couple of blogs saying that it is possible to enable this if the option lfs is enabled. I checked the smb.conf man page to see if there was an option that I set incorrectly. So far I couldn't see anything wrong. My configuration is really simple:

    workgroup = TEST
    netbios name = Test_Srv
    server string = Test Server
    security = user

    [BackUps]
    comment = System Backups
    path = /media/srvInfo/BckUp
    browseable = yes
    valid users = test
    public = no
    writable = yes
    printable = no
    create mask = 0765

Could you help me to fix this? I don't know where else I can check. Has anybody had a similar problem like this with current version 3.26?

Thanks in advance

Simon
[Samba] Winbind partial data
Hello All,

got a nasty problem that has reared its head this morning.

Windows 2003 ADS controller.
Samba 3.022
Ubuntu 6.06LTS

getent passwd returns users but not all of them. I am missing a couple of hundred. Also if I add a new user they do not appear in getent. However, they all show in wbinfo -u.

Has anyone seen this before? I am really up against it with a school full of kids returning tomorrow.

Thanks in advance

Simon
[Samba] Winbind cache problem after upgrade to 3.0.25b.
Have just upgraded from 3.0.14a to 3.0.25b. On starting winbindd it puts the following in /var/log/messages:

    initialize_winbindd_cache: clearing cache and re-creating with version number 1

All the winbind UID/GID mappings are lost and it starts again from scratch. Hence all file ownership / ACLs on this samba server become invalid.

Anyone else seen this? Why does it see fit to destroy this important file in such a casual manner?! It didn't even bother to make a backup copy.

Thanks in advance for any help...

Simon Ashford.
[Samba] Remotely executing scheduled tasks
From another Windows system using schtasks.exe a scheduled task can be executed with the following syntax:

schtasks /Run /TN Backups /S remote_system_name

I suppose the Unix/SSH equivalent is:

ssh user@remote_system_name /usr/local/bin/backups.sh

Is there a samba client for schtasks.exe?

--
Simon Males [EMAIL PROTECTED]
[Samba] Vampire and Capital Letters
I find Linux to be a nightmare if usernames have capital letters. Some old Windows PDCs that we are vampiring have usernames with capital letters. AFAIK you can't change a Windows username.

Is there a way of telling the vampire to make all usernames lowercase as it imports them? Can I use pdbedit or any other tool to make them lowercase?

At the moment I am changing /etc/passwd and the rest in vi, then binary editing passdb.tdb to make them lower case - ugh! What do other folks do?

TIA
Sim
[Samba] Samba OpenLDAP Setup
I am trying to follow http://us3.samba.org/samba/docs/man/Samba-Guide/appendix.html#altldapcfg

It says: "It is also necessary to preload the well-known Windows NT Domain Groups, as they must have the correct SID so that they can be recognized as special NT Groups by the MS Windows clients."

How do I do this? Most grateful for any hints...

TIA
Simon
RE: [Samba] AD integration checklist
I modified nsswitch.conf and I restarted winbind. Still cannot authenticate. Wbinfo -u does return the list of my domain users. I can also see the groups. I do not have a /etc/pam.d/samba file. Any idea what I need to check next?

Thanks!
Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Dinkel
Sent: 8 décembre, 2006 16:24
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

-----Original Message-----
From: Don Meyer
Sent: Friday, December 08, 2006 2:12 PM

Don't forget the necessary modifications to nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

Cheers,
-Don

That's right. Although, I do not have winbind after the shadow directive, and I've never seen any documentation saying you need it, just after passwd and group. Also, I believe this is also required in /etc/pam.d/samba:

auth required pam_winbind.so
account required pam_winbind.so

but I've never tried it without this.

James
RE: [Samba] AD integration checklist
Now if I run net ads user, I see the following error messages and then I see the list of users:

[2006/12/11 13:36:24, 0] param/loadparm.c:map_parameter(2443) Unknown parameter encountered: dmap uid
[2006/12/11 13:36:24, 0] param/loadparm.c:lp_do_parameter(3131) Ignoring unknown parameter dmap uid

?

Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Renshaw
Sent: 11 décembre, 2006 12:48
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

I modified nsswitch.conf and I restarted winbind. Still cannot authenticate. Wbinfo -u does return the list of my domain users. I can also see the groups. I do not have a /etc/pam.d/samba file. Any idea what I need to check next?

Thanks!
Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Dinkel
Sent: 8 décembre, 2006 16:24
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

-----Original Message-----
From: Don Meyer
Sent: Friday, December 08, 2006 2:12 PM

Don't forget the necessary modifications to nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind

Cheers,
-Don

That's right. Although, I do not have winbind after the shadow directive, and I've never seen any documentation saying you need it, just after passwd and group. Also, I believe this is also required in /etc/pam.d/samba:

auth required pam_winbind.so
account required pam_winbind.so

but I've never tried it without this.

James
[Samba] AD integration checklist
Hi,

I compiled Samba 3.0.23d on a CentOS 4.4 machine. Then I configured /etc/krb5.conf for my domain. Was able to successfully run kinit and join my Windows 2003 domain with a net ads join. Net ads user and net ads group returns the users and the groups of the domain. So far so good.

I'm kinda stuck on the next step. I would like to grant access to the share defined in smb.conf to anybody in the domain. How do I make it authenticate users on the domain instead of using the server?

Content of smb.conf:

[global]
workgroup = BENCHCAN
server string = Virtual Linux
wins server = 192.168.64.20
netbios name = BACKUP
realm = BENCHMARKCANADA.COM
password server = castor-srvr1.benchmarkcanada.com
security = ADS

[share]
path = /
guest ok = no
read only = no

Thanks!
Simon
RE: [Samba] AD integration checklist
Thanks for the reply. You are correct, I'm testing on a virtual machine. I modified smb.conf with the lines you said but when I try to access the share, I keep getting prompted for my user/pass. Any idea?

Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Dinkel
Sent: 8 décembre, 2006 13:05
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

-----Original Message-----
From: Simon Renshaw
Sent: Friday, December 08, 2006 10:13 AM

Hi,

I compiled Samba 3.0.23d on a CentOS 4.4 machine. Then I configured /etc/krb5.conf for my domain. Was able to successfully run kinit and join my Windows 2003 domain with a net ads join. Net ads user and net ads group returns the users and the groups of the domain. So far so good.

I'm kinda stuck on the next step. I would like to grant access to the share defined in smb.conf to anybody in the domain. How do I make it authenticate users on the domain instead of using the server?

Content of smb.conf:

[global]
workgroup = BENCHCAN
server string = Virtual Linux
wins server = 192.168.64.20
netbios name = BACKUP
realm = BENCHMARKCANADA.COM
password server = castor-srvr1.benchmarkcanada.com
security = ADS

[share]
path = /
guest ok = no
read only = no

Thanks!
Simon

You need this in your global section:

idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes

And this in your share section:

valid users = @BENCHCAN\domain users

Although this will give all your users access to / which doesn't seem like a good idea, but I assume this is just for testing.
[Samba] 3.0.23 PDC with ldapsam:trusted backend - failed to setup guest info.
Hi everybody.

This is my first post here - I'm hoping that someone out there can shed some light on my little problem, it's starting to drive me nuts! :) I've had a look through the archives as well as other methods for finding a solution to my problem but to no avail, so I decided to post here - hope you don't mind!

I'm migrating an old samba 2.2 PDC to a new system running 3.0.23, we have a requirement not to have local users on this new machine - no problems says I, this will give me a chance to try out an ldapsam backend with ldapsam:trusted. I have populated the nobody and root user accounts (as well as some test users) into LDAP but when I try to start samba, it fails with an "ERROR: failed to setup guest info." error in log.smbd.

From what I have seen from a debug level 3 log (attached) of this sequence, it binds to the LDAP directory, finds the root user, hits a permission error (WERR_ACCESS_DENIED) along the way, starts to find my nobody user (I see references to nobody's uid - 60001 - in the log) and then bombs out. nmbd starts up but smbd doesn't come up (for more than a second anyway, if at all).

Our directory already has the samba schemas installed and this directory serves PDC requests for another of our domains (that has local unix users defined) - so I am assuming that this is not a schema issue. I am thinking that I have missed something rather obvious along the way, as it is my first time attempting this, or I have done something completely wrong fundamentally and am digging myself a deeper and deeper hole as I continue?!

Any help would be GREATLY appreciated :) I have included copies of my log.smbd (debug level 3), my smb.conf and a dump of my root, nobody and nobody group ldap entries. If you need any more information - just ask.

Thanks
Simon

(log.smbd)
[2006/08/22 11:44:58, 0] smbd/server.c:main(847) smbd version 3.0.23 started.
Copyright Andrew Tridgell and the Samba Team 1992-2006 [2006/08/22 11:44:58, 2] param/loadparm.c:do_section(3704) Processing section [homes] [2006/08/22 11:44:58, 2] param/loadparm.c:do_section(3704) Processing section [netlogon] [2006/08/22 11:44:58, 2] param/loadparm.c:do_section(3704) Processing section [Profiles] [2006/08/22 11:44:58, 3] param/loadparm.c:lp_add_ipc(2629) adding IPC service [2006/08/22 11:44:58, 3] printing/pcap.c:pcap_cache_reload(117) reloading printcap cache [2006/08/22 11:44:59, 3] printing/print_svid.c:sysv_cache_reload(72) No Printers found!!! [2006/08/22 11:44:59, 3] printing/pcap.c:pcap_cache_reload(223) reload status: error [2006/08/22 11:44:59, 3] printing/pcap.c:pcap_cache_reload(117) reloading printcap cache [2006/08/22 11:44:59, 3] printing/print_svid.c:sysv_cache_reload(72) No Printers found!!! [2006/08/22 11:44:59, 3] printing/pcap.c:pcap_cache_reload(223) reload status: error [2006/08/22 11:44:59, 2] lib/interface.c:add_interface(81) added interface ip=130.95.72.10 bcast=130.95.72.255 nmask=255.255.255.0 [2006/08/22 11:44:59, 2] lib/interface.c:add_interface(81) added interface ip=130.95.136.10 bcast=130.95.136.255 nmask=255.255.255.0 [2006/08/22 11:44:59, 3] smbd/server.c:main(877) loaded services [2006/08/22 11:44:59, 3] smbd/server.c:main(892) Becoming a daemon. 
[2006/08/22 11:44:59, 2] lib/tallocmsg.c:register_msg_pool_usage(61) Registered MSG_REQ_POOL_USAGE [2006/08/22 11:44:59, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED [2006/08/22 11:44:59, 2] lib/smbldap_util.c:smbldap_search_domain_info (219) smbldap_search_domain_info: Searching for:[( (objectClass=sambaDomain)(sambaDomainName=EE-CIIPS2))] [2006/08/22 11:44:59, 2] lib/smbldap.c:smbldap_open_connection(788) smbldap_open_connection: connection opened [2006/08/22 11:44:59, 3] lib/smbldap.c:smbldap_connect_system(992) ldap_connect_system: succesful connection to the LDAP server [2006/08/22 11:44:59, 3] smbd/sec_ctx.c:push_sec_ctx(208) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2006/08/22 11:44:59, 3] smbd/uid.c:push_conn_ctx(345) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2006/08/22 11:44:59, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2006/08/22 11:44:59, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541) init_sam_from_ldap: Entry found for user: root [2006/08/22 11:44:59, 3] smbd/sec_ctx.c:pop_sec_ctx(339) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2006/08/22 11:44:59, 3] passdb/lookup_sid.c:store_gid_sid_cache(1038) store_gid_sid_cache: gid 0 in cache - S-1-22-2-0 [2006/08/22 11:44:59, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache (907) fetch sid from uid cache 0 - S-1-5-21-2285122461-3938449209-3485319758-1000 [2006/08/22 11:44:59, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache (979) fetch sid from gid cache 0 - S-1-22-2-0 [2006/08/22 11:44:59, 3] lib/util_seaccess.c:se_access_check(250) [2006/08/22 11:44:59, 3] lib/util_seaccess.c:se_access_check(251
[Samba] Mounting /home filesystems with Samba
I have a number of linux hosts (4+) that I wish to mount from a common server. Currently we are using MSW2003R2 as a domain controller and are using Active Directory for centralised authentication. I was planning on using the inbuilt NFS server to serve unix home directories across all the linux hosts, but I'm having some permission issues.

Is it possible to use Samba to serve posix home directories to linux clients? i.e. mount /home at boot time using the CIFS filesystem. I felt this was a higher risk option than using an NFS server on 2003R2. What do the Samba experts think?

Would performance or reliability be better to serve /home directories using:
1. Linux/NFS - 2003R2/NFS
2. Linux/Samba(CIFS) - 2003R2/CIFS

Thanks,
Brendan.
[Samba] Trying to find why it is not working
Hi,

First, sorry if this is a bit long. I'm having problems finding what is wrong with my setup. Running Samba 3.0.10-1.4E.6 on CentOS 4.3. PDC is AD on windows 2003. Samba and winbind are running.

My smb.conf file:

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/05/30 10:52:16

# Global parameters
[global]
workgroup = MONTREAL
realm = CASTORTECH.COM
interfaces = eth0
security = ADS
password server = castor-srvr1
wins server = 192.168.64.20

[Main]
comment = Test
path = /
guest ok = yes
writeable = yes

I was able to join the domain with net ads join. I see the Linux box in AD. I also see it in my Network Places on Windows and the share called Main but it asks for a user/password when I try to access it and it doesn't work.

If I run net ads testjoin:

Join is OK

If I run net ads info:

LDAP server: 192.168.64.20
LDAP server name: castor-srvr1
Realm: CASTORTECH.COM
Bind Path: dc=CASTORTECH,dc=COM
LDAP port: 389
Server time: Fri, 02 Jun 2006 14:04:26 GMT
KDC server: 192.168.64.20
Server time offset: -947

If I run net ads lookup:

Information for Domain Controller: castor-srvr1
Response Type: SAMLOGON
GUID: e7508a6a-4561-4440-b45c-9fd246d4c93c
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS:yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable:yes
Has a hardware clock: no
Is a non-domain NC serviced by LDAP server: no
Forest: castortech.com
Domain: castortech.com
Domain Controller: castor-srvr1.castortech.com
Pre-Win2k Domain: MONTREAL
Pre-Win2k Hostname: CASTOR-SRVR1
Site Name: Default-First-Site-Name
Site Name (2): Default-First-Site-Name
NT Version: 5
LMNT Token:
LM20 Token:

Net ads user also return a list of the domain's users. Wbinfo -u and -g return a list of the domain's users and groups.

But if I run wbinfo -a simon%bvhdohgo I get:

plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user simon%bvhdohgo with plaintext password
challenge/response password authentication succeeded

I also tried with administrator but I got the same result. But I ran wbinfo --set-auth-user=administrator%pass and get MONTREAL\administrator%pass if I run wbinfo --get-auth-user. So it is able to get the domain info. I don't get it.

And of course, getent passwd returns the local users, not the one from the domain. Passwd, shadow and group are set as files winbind in /etc/nsswitch.conf.

I think that I am pretty close to a solution but I don't know what to do next. Any idea what is wrong and what should I check next?

Thanks!
Simon
[Samba] Windbind auth
Hi,

I was able to get my server in the domain. I can see it from ADUC and Network Places. But I can't get it to use AD to authenticate the users that want to access the server/share.

Wbinfo -u and -g return the users and group of my MONTREAL domain. Net ads info also returns the correct information about my domain. I then tried to run getent passwd but that only returned the list of the local account.

Content of /etc/nsswitch.conf:

passwd: files windbind
shadow: files windbind
group: files windbind
hosts: files dns wins

The rest are set as files. I tried to remove files in passwd, shadow and group but when I ran getent passwd it returned nothing. I then replaced windbind with compat and got the same result. What should I do about that? And what else should I check?

Found this in the doc:

--
Do not forget to specify also the ldap admin dn and to make certain to set the LDAP administrative password into the secrets.tdb using:

root# smbpasswd -w ldap-admin-password

In place of ldap-admin-password, substitute the LDAP administration password for your system.
--

I assume that this is the password of Administrator? I did that with the password of Administrator.

And if I got this right, to allow users to access a share from a group I need to put a @ first? For example:

valid users = @MONTREAL\Domain Users

I'm running Samba 3.0.10-1.4E.6 on CentOS 4.3. The clients would be Windows machines. I'm about to give up and just create a bunch of local users :/ If you need to know more details, just let me know.

Thanks!
Simon
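A check for the configuration problems these messages keep running into, as an added example that is not part of any post: the "Unknown parameter encountered: dmap uid" error from the AD integration checklist thread, the "windbind" entries in the nsswitch.conf above, and the share of / that James Dinkel cautioned about. The sample files are constructed, and KNOWN_PARAMS and KNOWN_NSS are a deliberately small assumed subset, not Samba's or glibc's full tables.

```python
import difflib

# Parameters that appear in the configurations quoted in this thread.
# Assumption: a small subset for the demo, not Samba's full parameter table.
KNOWN_PARAMS = (
    "workgroup", "realm", "security", "password server", "wins server",
    "netbios name", "server string", "interfaces", "encrypt passwords",
    "idmap uid", "idmap gid", "winbind enum users", "winbind enum groups",
    "winbind use default domain", "winbind nested groups", "template shell",
    "log level", "dns proxy", "preferred master", "username map",
    "path", "comment", "guest ok", "public", "read only", "writeable",
    "writable", "write ok", "valid users", "browseable", "printable",
    "create mask",
)
# Assumption: a handful of common NSS service names, not an exhaustive list.
KNOWN_NSS = ("files", "compat", "db", "dns", "wins", "winbind", "ldap", "nis")

# Constructed sample inputs modelled on the files quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MONTREAL
realm = CASTORTECH.COM
security = ADS
dmap uid = 500-1000
idmap gid = 500-1000

[root]
path = /
writeable = yes
guest ok = yes

[docs]
path = /srv/docs
read only = no
"""
SAMPLE_NSSWITCH = """\
passwd: files windbind
shadow: files windbind
group:  files winbind
hosts:  files dns wins
"""


def near_miss(name, known):
    """Return the known name that an unknown `name` closely resembles, else None."""
    if name in known:
        return None
    close = difflib.get_close_matches(name, known, n=1, cutoff=0.8)
    return close[0] if close else None


def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[" ".join(name.lower().split())] = value.strip()
    return sections


def is_true(value):
    return value is not None and value.lower() in ("yes", "true", "on", "1")


def audit_smb_conf(text):
    """Return (section, code, detail) findings for an smb.conf body."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        for name in params:
            guess = near_miss(name, KNOWN_PARAMS)
            if guess:  # only near-misses, so valid-but-unlisted names pass
                findings.append((section, "unknown-parameter",
                                 f"{name!r}, did you mean {guess!r}?"))
        if section == "global":
            continue
        path = params.get("path")
        if path and path.rstrip("/") == "":
            findings.append((section, "root-export", "share exposes /"))
        guest = any(is_true(params.get(k)) for k in ("guest ok", "public"))
        # Simplification: any writable synonym, or read only = no, counts.
        read_only = params.get("read only")
        writable = (any(is_true(params.get(k))
                        for k in ("writeable", "writable", "write ok"))
                    or (read_only is not None and not is_true(read_only)))
        if guest and writable:
            findings.append((section, "guest-writable",
                             "unauthenticated users can write"))
    return findings


def audit_nsswitch(text):
    """Return (database, code, detail) findings for misspelled NSS services."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, services = line.split(":", 1)
        for svc in services.split():
            if "[" in svc or "]" in svc:  # action items such as [NOTFOUND=return]
                continue
            guess = near_miss(svc, KNOWN_NSS)
            if guess:
                findings.append((database.strip(), "unknown-service",
                                 f"{svc!r}, did you mean {guess!r}?"))
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF) + audit_nsswitch(SAMPLE_NSSWITCH):
        print(*finding, sep=": ")
```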
RE: [Samba] New Samba installation
Hi,

Samba was restarted (actually, the server was restarted a few times since...) but Winbind wasn't running. Now it is.

[EMAIL PROTECTED] ~]# wbinfo -t
checking the trust secret via RPC calls succeeded

And wbinfo -u returned a list of the domain users and the name of the computers in the domain. Still can't access \\vlb2.

Thanks!
Simon

-----Original Message-----
From: James Zuelow [mailto:[EMAIL PROTECTED]
Sent: 25 mai, 2006 19:11
To: Simon Renshaw
Subject: RE: [Samba] New Samba installation

You didn't specify restarting Samba and Winbind after joining the domain. What does the output of `wbinfo -t` and `wbinfo -u` look like?

James Zuelow CBJ MIS (907)586-0236
Network Specialist...Registered Linux User No. 186591

-----Original Message-----
--8
If I try to access \\vlb2, it asks for a username and then gives me an access denied message if I use MONTREAL\user.

Thanks for the help,
Simon
[Samba] FW: Linux Problem
-----Original Message-----
From: Simon Chan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 24, 2006 3:09 PM
To: Linux Group ([EMAIL PROTECTED])
Subject: Linux Problem

Now I have run redhat FC5 version, I have install samba-3.0.22-1.fc5 version, I have find problem, when I have set auto in rc.3 or manually run # service smb start, I browse samba server, So I will see this error, but when I run # service smb stop, and then manually run # /usr/local/samba/sbin/smbd or nmbd, so I can browse samba server, why have this error and then Can I restart PC, can auto this path ( run # /usr/local/samba/sbin/ smbd or nmbd ) can you help me, thanks
[Samba] RE: Linux Problem
-----Original Message-----
From: Jeremy Allison [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 25, 2006 1:13 AM
To: Simon Chan
Subject: Re: Linux Problem

On Wed, May 24, 2006 at 03:09:18PM +0800, Simon Chan wrote:

Now I have run redhat FC5 version, I have install samba-3.0.22-1.fc5 version, I have find problem, when I have set auto in rc.3 or manually run # service smb start, I browse samba server, So I will see this error, but when I run # service smb stop, and then manually run # /usr/local/samba/sbin/smbd or nmbd, so I can browse samba server, why have this error and then Can I restart PC, can auto this path ( run # /usr/local/samba/sbin/ smbd or nmbd ) can you help me, thanks

Please ask questions like this on the main [EMAIL PROTECTED] mailing list please.

Jeremy.
[Samba] New Samba installation
Hi,

I'm using Samba 3.0.10-1.4E.6 that came with CentOS 4.3 (fresh install) and Active Directory is running on windows 2003 SP1. I've been following instructions of the chapter 6 of the HOWTO and would like to validate the work I did.

First I modified smb.conf:

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/05/24 23:51:58

# Global parameters
[global]
workgroup = MONTREAL
realm = CASTORTECH.COM
interfaces = eth0
security = ADS
wins server = 192.168.64.20
password server = castor-srvr1
encrypt passwords = yes

[Main]
comment = Test
path = /
read only = No

I didn't modify the krb5.conf file since what was inside was OK. Then I ran kinit [EMAIL PROTECTED] and entered the password. No error message, it just returned to the prompt. I assume that it worked. The first time I did get a clock skew error, but I corrected it.

Then I ran net ads join -U Administrator%password. It told me:

Using short domain name -- MONTREAL
Joined 'VLB2' to realm 'CASTORTECH.COM'

So far so good. I can see it in ADUC\Computers. I think that I'm pretty close but I'm not sure what to do next. I want that share to be available to anyone on their Windows machine using their Windows login.

If I try to access \\vlb2, it asks for a username and then gives me an access denied message if I use MONTREAL\user.

Thanks for the help,
Simon
RE: [Samba] Managed to make some progress, stuck again.
What packages should I look for? All those I listed or a few specifics? As long as they are for Redhat EL 4, I'll be ok. I started to look for them but I'm not sure what I need. (Sorry about that, I'm a Windows guy.)

Simon

-----Original Message-----
From: Jeremy Allison [mailto:[EMAIL PROTECTED]
Sent: 18 avril, 2006 19:38
To: Simon Renshaw
Cc: Jeremy Allison; samba@lists.samba.org
Subject: Re: [Samba] Managed to make some progress, stuck again.

On Tue, Apr 18, 2006 at 04:25:50PM -0400, Simon Renshaw wrote:

OK, I'll try to upgrade it. I just downloaded MIT Kerberos 1.4.3. I ran rpm -qa|grep krb and got:

krb5-server-1.3.4-27
krb5-auth-dialog-0.2-1
krb5-libs-1.3.4-27
krbafs-1.2.2-6
krb5-devel-1.3.4-27
krbafs-devel-1.2.2-6
krbafs-utils-1.2.2-6
krb5-workstation-1.3.4-27
pam_krb5-2.1.8-1

Should I uninstall everything krb related before compiling 1.4.3?

Look for updated kerberos rpms rather than compiling it yourself.

Jeremy.
[Samba] Managed to make some progress, stuck again.
Hi,

An update on my work to integrate my Linux server (CentOS 4.3) in AD 2003. Sorry about the long post :)

Found this page (http://www.enterprisenetworkingplanet.com/netos/article.php/3487081) and followed the instructions on it.

First, I made sure that the Samba installation is supporting Kerberos, LDAP, AD and Winbind. That was OK. I made sure that /etc/hosts contain the name of the AD server (castor-srvr1). Then I edited /etc/krb5.conf to include the following:

[libdefaults]
default_realm = CASTORTECH.COM

[realms]
CASTORTECH.COM = {
kdc = castor-srvr1.castortech.com
}

[domain_realm]
.kerberos.server = CASTORTECH.COM

I got the default realm name when I ran ksetup on the AD server. I then tried to connect using kinit [EMAIL PROTECTED] It asks for a password and it returns an error (krb_error 14 KDC has no support for encryption type). If I use another user (simon, my account with domain admin rights), it connects and creates a new ticket. To be sure, I tested with a user that doesn't exist and got a krb_error 24 Pre-authentication information was invalid. Any idea why administrator won't connect?

I modified /etc/samba/smb.conf with the info in chapter 13 of the Samba book. The pre-Windows 2000 name of the domain is MONTREAL.

[global]
workgroup = MONTREAL
realm = CASTORTECH.COM
preferred master = no
security = ADS
template shell = /bin/bash
idmap uid = 500-1000
idmap gid = 500-1000
winbind use default domain = yes
winbind nested groups = yes
encrypt passwords = yes
log level = 3
server string = Linux
wins server = 192.168.64.20
dns proxy = no
password server = None
username map = /etc/samba/smbusers

[homes]
comment = Home Directories
browseable = no
writeable = yes

[root]
path = /
writeable = yes
guest ok = yes

Password server was at none by default. Do I need to put the AD server there? Not sure if the workgroup needs to be the NetBIOS name of the domain (MONTREAL) or the AD server name. [root] is the share I created on my Linux box. Missing anything for that?

If I run testparm with that config:

Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [printers]
Processing section [root]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

To join the domain, the site says to run net ads join -U Administrator. Of course, that didn't work (ads_connect: No such file or directory). I ran net ads join -U administrator --server=castor-srvr1. And got:

[2006/04/18 13:52:13, 0] libads/ldap.c:ads_add_machine_acct(1368) ads_add_machine_acct: Host account for castor-srvr4 already exists - modifying old account
Using short domain name -- MONTREAL
Joined 'CASTOR-SRVR4' to realm 'CASTORTECH.COM'

If I open ADUC I can see the server under Computers. So far so good. I think.

Now I need to configure Winbind. I edited /etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins

Then I restarted the services. I ran a few wbinfo commands to test it.

Wbinfo -g

BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users

Looks like BUILTIN is on the Linux box instead of AD. But wbinfo --domain=MONTREAL -g

Error looking up domain groups

Same thing with -u. I tried net ads info --server=castor-srvr1

LDAP server: 192.168.64.20
LDAP server name: castor-srvr1
Realm: CASTORTECH.COM
Bind Path: dc=CASTORTECH,dc=COM
LDAP port: 389
Server time: Tue, 18 Apr 2006 14:35:24 GMT
KDC server: 192.168.64.20
Server time offset: 187

Net ads testjoin --server=castor-srvr1

Join is OK

So according to this, the Linux box is in the domain but there is a problem with Winbind. Or something. I can't access the Linux box from Windows. This is where I'm stuck and would appreciate some help.

Thanks!
Simon
RE: [Samba] Managed to make some progress, stuck again.
OK, I'll try to upgrade it. I just downloaded MIT Kerberos 1.4.3. I ran rpm -qa|grep krb and got:

krb5-server-1.3.4-27
krb5-auth-dialog-0.2-1
krb5-libs-1.3.4-27
krbafs-1.2.2-6
krb5-devel-1.3.4-27
krbafs-devel-1.2.2-6
krbafs-utils-1.2.2-6
krb5-workstation-1.3.4-27
pam_krb5-2.1.8-1

Should I uninstall everything krb related before compiling 1.4.3?

-----Original Message-----
From: Jeremy Allison [mailto:[EMAIL PROTECTED]
Sent: 18 avril, 2006 15:19
To: Simon Renshaw
Cc: samba@lists.samba.org
Subject: Re: [Samba] Managed to make some progress, stuck again.

It looks like the version of kerberos you're using doesn't have support for the AD enctypes. Update it.

Jeremy.
RE: [Samba] Active directory authentification with Samba
I went in the Samba settings and went in the security tab. I selected ADS, added the IP of my AD server and added my Kerberos realm (found it by running ksetup on my AD server). But since I've done that, I can't even access the server. The message tells me that the server is not accessible or that I might not have permission. It also mentions that configuration information can't be read from the domain controller.

What am I missing? (Yes, I'm trying to read the doc... 943 pages, ugh)

Simon

-----Original Message-----
From: Rob Tanner [mailto:[EMAIL PROTECTED]
Sent: 11 avril, 2006 20:23
To: Simon Renshaw
Cc: samba@lists.samba.org
Subject: Re: [Samba] Active directory authentification with Samba

Use security = ADS or security = DOMAIN

On 04/11/2006 01:17 PM, Simon Renshaw wrote:

Hi, I looked at the doc but I can't find what I'm looking for. I have 1 Linux server (CentOS 4.3) running Samba 3.0.10 in a Windows 2003 AD domain. I modified Samba's conf file to point it to our WINS server. We can access the share using \\servername. So far so good. Is there a way to use AD to authenticate the users instead of the Samba users that are on the server?

Thanks!
Simon
RE: [Samba] Active directory authentification with Samba
You mean this? http://us4.samba.org/samba/docs/man/Samba-Guide/kerberos.html Or do you mean something in the HOWTO section? While there are indeed a lot of examples in it, it seems to deal with Windows shares under a Samba domain. Not my situation. Or there is too much fluff and I just missed it.

I will rephrase what I want to do. I want to share / (read and write) and make it available to everybody that is in the Domain Users group of AD. Simple, no? So in my smb.conf file, the share will look like that?

[root]
path = /
writeable = yes
guest ok = yes
valid users = @MONTREAL\Domain Users

But the Domain Users group is in the Users OU. Should I put Montreal\Users\Domain Users instead? I have only 1 Linux server and 5-6 users so security (or the lack of it) is not a problem. Oh, and I never used SWAT.

Thanks!
Simon

From: Rob Tanner [mailto:[EMAIL PROTECTED]
Sent: 13 avril, 2006 12:59
To: Simon Renshaw
Cc: samba@lists.samba.org
Subject: Re: [Samba] Active directory authentification with Samba

The samba home page (in SWAT) has a section at the bottom called Books. Click on Samba 3 by Example. Then click on Active Directory, Kerberos and Security. Go through that material and make sure you've set everything up correctly. It has a lot of step by step info.

-- Rob

Simon Renshaw said the following on 04/13/2006 08:44 AM:

I went in the Samba settings and went in the security tab. I selected ADS, added the IP of my AD server and added my Kerberos realm (found it by running ksetup on my AD server). But since I've done that, I can't even access the server. The message tells me that the server is not accessible or that I might not have permission. It also mentions that configuration information can't be read from the domain controller.

What am I missing? (Yes, I'm trying to read the doc... 943 pages, ugh)

Simon

-----Original Message-----
From: Rob Tanner [mailto:[EMAIL PROTECTED]
Sent: 11 avril, 2006 20:23
To: Simon Renshaw
Cc: samba@lists.samba.org
Subject: Re: [Samba] Active directory authentification with Samba

Use security = ADS or security = DOMAIN

On 04/11/2006 01:17 PM, Simon Renshaw wrote:

Hi, I looked at the doc but I can't find what I'm looking for. I have 1 Linux server (CentOS 4.3) running Samba 3.0.10 in a Windows 2003 AD domain. I modified Samba's conf file to point it to our WINS server. We can access the share using \\servername. So far so good. Is there a way to use AD to authenticate the users instead of the Samba users that are on the server?

Thanks!
Simon
[Samba] Winbind
Hi All, I am currently weaving samba into an active directory domain. ntlm works fine, but wbinfo is not so good.

wbinfo -r username returns
Could not get groups for user username

wbinfo -n username returns
S-1-5-21-1482476501-343818398-682003330-6830 User (1)

wbinfo -a username%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user username%password with plaintext password
challenge/response password authentication succeeded

wbinfo -s S-1-5-21-1482476501-343818398-682003330-6830 returns
DOMAIN\username 1

wbinfo -S S-1-5-21-1482476501-343818398-682003330-6830 returns
Could not convert sid S-1-5-21-1482476501-343818398-682003330-6830 to uid

I have been trawling the net for a few days now and though I see the problems out there the solutions they posted did not work for me.

FC5
Windows 2000 ADS

Any help greatly received

Simon
[Samba] Active directory authentification with Samba
Hi, I looked at the doc but I can't find what I'm looking for. I have 1 Linux server (CentOS 4.3) running Samba 3.0.10 in a Windows 2003 AD domain. I modified Samba's conf file to point it to our WINS server. We can access the share using \\servername. So far so good. Is there a way to use AD to authenticate the users instead of the Samba users that are on the server? Thanks! Simon
[Samba] (no subject)
unsubscribe [EMAIL PROTECTED] qwerty1
RE: [Samba] Need krb5 on Interdomain trust Win2003SP1 - Samba3.0.21?
Hi Geoff, I've made it. Yes, it is good enough to follow the steps in Ch 12.3.2, anyway, I have attached part of my krb5.conf for you as reference:

-starts
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
MYDOMAIN.COM = {
 kdc = w2k3.mydomain.com
 admin_server = w2k3.mydomain.com
 default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
---end

Then kinit and klist -e will get what you want. And now I have a successful interdomain trust between Samba.3.0.21a and Win2003SP1. THX guys do shed light on my problem!!

Best Wishes
Simon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geoffrey Scott
Sent: Wednesday, January 04, 2006 11:10 AM
To: Gerald (Jerry) Carter
Cc: samba@lists.samba.org
Subject: [Samba] Need krb5 on Interdomain trust Win2003SP1 - Samba3.0.21?

SHA1 wrote:

Simon Leung wrote:

Anyway, my question is beside Winbind, do I need to configure krb5 on Samba (Domain A) when talking to Win2003SP1 on Domain B?

Beginning with 3.0.21 if you are talking to AD in anyways (domain member server, domain controller with domain trusts, etc...) you should ensure that you configure with ADS support and correctly configure /etc/krb5.conf.

Hi Jerry

JHT hasn't got any mention of configuring /etc/krb5.conf in S by example chapter 7.3.4 but he has in chapter 12.3.2. Other docs say only an empty config file is needed or none at all depending on whether you are using Heimdal or MIT kerberos. How much info if any should be in /etc/krb5.conf? is the chapter 12 example enough?:

[libdefaults]
default_realm = LONDON.ABMAS.BIZ

[realms]
LONDON.ABMAS.BIZ = {
 kdc = w2k3s.london.abmas.biz
}

Sorry to ask a basic question, but if I do an apt-get install samba and samba-common, will it install all the files needed for ADS domain membership?

Regards
Geoff Scott

Gerald (Jerry) Carter wrote:
[Samba] Need krb5 on Interdomain trust Win2003SP1 - Samba3.0.21?
Hi there, I am reading the Samba3-By-Example dated 29Dec2005. I've found that there's no information on telling how to make a successful deployment on interdomain trust, but this is the missing Chapter that I am really looking for. Anyway, my question is beside Winbind, do I need to configure krb5 on Samba (Domain A) when talking to Win2003SP1 on Domain B? Best Wishes and Happy New Year Simon
[Samba] ads_connect
ads_connect: No such file or directory

I was mystified by this error and could not find any solutions for it, even though I saw lots of inquiries about it. My solution was: make sure the password server line in smb.conf is either removed or set correctly. duh.

Richard Simon Giant Killer Robots 361 Brannan St. San Francisco, CA 94107 (415) 777-2477
[Samba] Administering Groups
I have my Samba PDC running :-) How do I administer groups from the samba box? usrmgr.exe runs on the workstation but won't let me see groups samba 3.0.14a-2 with tdbsam TIA Simon
Re: [Samba] Re: Administering Groups
paul kölle wrote:
Simon Faulkner wrote:
I have my Samba PDC running :-) How do I administer groups from the samba box? usrmgr.exe runs on the workstation but won't let me see groups

have you setup groupmapping?

Err, not sure! I used the vampire to get the details from the NT4 PDC. I am wondering where to look for groups etc!

Sim
Re: [Samba] Re: Administering Groups
I am wondering where to look for groups etc!

Hmmm, it all seems to be done with net groupmap list

It's great, as you peer down into the murk you understand the next layer and you realise there are many more layers of voodoo to go! wish me luck...

Sim
Re: [Samba] Re: Administering Groups
net groupmap list ntgroup=Domain Admins
Domain Admins (S-1-5-21-1065375514-2370838480-4047619883-512) -> -1

Does this mean I have no group for Domain Admins? Do I need to map them to root?

TIA
[Samba] groupmap
Why would I have some NT domains more than once? Did I screw up my import with the Vampire? Should I delete the unmapped ones (Gulp!)

[EMAIL PROTECTED] ~]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicator (S-1-5-32-552) -> Replicator
Guests (S-1-5-32-546) -> Guests
Recipe (S-1-5-21-1019967034-149178136-1846952604-1016) -> recipe
Domain Users (S-1-5-21-1065375514-2370838480-4047619883-513) -> -1
Domain Users (S-1-5-21-217354674-1388124147-264849902-513) -> -1
Domain Guests (S-1-5-21-217354674-1388124147-264849902-514) -> -1
Power Users (S-1-5-32-547) -> -1
Domain Users (S-1-5-21-2542624836-2007811437-2422883089-513) -> -1
Domain Admins (S-1-5-21-1065375514-2370838480-4047619883-512) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> Administrators
Sage (S-1-5-21-1019967034-149178136-1846952604-1005) -> Sage
Domain Admins (S-1-5-21-1019967034-149178136-1846952604-512) -> -1
Domain Users (S-1-5-21-2196479170-443629602-2075717434-513) -> users
Domain Guests (S-1-5-21-1019967034-149178136-1846952604-514) -> -1
Domain Admins (S-1-5-21-2196479170-443629602-2075717434-512) -> root
Domain Guests (S-1-5-21-1065375514-2370838480-4047619883-514) -> -1
Domain Users (S-1-5-21-1019967034-149178136-1846952604-513) -> -1
Domain Guests (S-1-5-21-2196479170-443629602-2075717434-514) -> nobody
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-2968525064-3424225456-755833301-513) -> -1
Domain Admins (S-1-5-21-2968525064-3424225456-755833301-512) -> -1
Domain Guests (S-1-5-21-2968525064-3424225456-755833301-514) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> Users
Domain Admins (S-1-5-21-2542624836-2007811437-2422883089-512) -> -1
Accounts Dept (S-1-5-21-2196479170-443629602-2075717434-2003) -> acctsdep
Domain Admins (S-1-5-21-217354674-1388124147-264849902-512) -> -1
Domain Guests (S-1-5-21-2542624836-2007811437-2422883089-514) -> -1
Financial Services (S-1-5-21-2196479170-443629602-2075717434-2005) -> finsrvcs
Sales (S-1-5-21-1019967034-149178136-1846952604-1030) -> sales

TIA
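Added example (not part of the post above and not Samba project code): a Python pass over `net groupmap list` output that groups entries by domain SID, so that group names repeated under several domain SIDs and domain SIDs with no Unix mapping at all stand out. The sample listing and its SIDs are constructed, and the function names are hypothetical.

```python
"""Group `net groupmap list` entries by domain SID to spot leftovers."""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample (made-up SIDs), in the format Samba prints:
#   NT group name (SID) -> unix group      ("-1" means no Unix group mapped)
# Archived copies of such listings sometimes lose the ">" of the arrow,
# so the parser accepts a bare "-" as well.
SAMPLE = """\
Administrators (S-1-5-32-544) -> Administrators
Print Operators (S-1-5-32-550) -> -1
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> root
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Accounts Dept (S-1-5-21-1111111111-2222222222-3333333333-2003) -> acctsdep
Domain Admins (S-1-5-21-4444444444-5555555555-6666666666-512) - -1
Domain Users (S-1-5-21-4444444444-5555555555-6666666666-513) - -1
Domain Guests (S-1-5-21-4444444444-5555555555-6666666666-514) - -1
this line is not a mapping
"""

BUILTIN = "S-1-5-32"  # well-known BUILTIN domain, not tied to any one PDC

LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+\((?P<sid>S-1(?:-\d+)+)\)\s+->?\s+(?P<unix>\S.*)$"
)


class Mapping(NamedTuple):
    name: str                  # NT group name
    sid: str                   # full group SID
    domain_sid: str            # SID without its last sub-authority (the RID)
    rid: int
    unix_group: Optional[str]  # None when the listing shows -1


def parse_groupmap(text):
    """Return a Mapping for every line that looks like a group mapping."""
    mappings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, anything else
        domain_sid, rid = m["sid"].rsplit("-", 1)
        unix = m["unix"].strip()
        mappings.append(Mapping(m["name"], m["sid"], domain_sid, int(rid),
                                None if unix == "-1" else unix))
    return mappings


def per_domain(mappings):
    """Count mapped and unmapped groups for each domain SID."""
    stats = defaultdict(lambda: {"mapped": 0, "unmapped": 0})
    for m in mappings:
        stats[m.domain_sid]["mapped" if m.unix_group else "unmapped"] += 1
    return dict(stats)


def unmapped_only_domains(mappings):
    """Domain SIDs (BUILTIN excluded) in which no group has a Unix mapping."""
    return sorted(sid for sid, s in per_domain(mappings).items()
                  if sid != BUILTIN and s["mapped"] == 0)


def names_in_several_domains(mappings):
    """Group names that occur under more than one domain SID."""
    seen = defaultdict(set)
    for m in mappings:
        if m.domain_sid != BUILTIN:
            seen[m.name].add(m.domain_sid)
    return {name: sorted(sids) for name, sids in seen.items() if len(sids) > 1}


if __name__ == "__main__":
    maps = parse_groupmap(SAMPLE)
    for sid, s in sorted(per_domain(maps).items()):
        print(f"{sid}: {s['mapped']} mapped, {s['unmapped']} unmapped")
    print("no mapping at all:", unmapped_only_domains(maps))
    print("repeated names:", names_in_several_domains(maps))
```

Comparing the flagged domain SIDs with the output of `net getlocalsid` shows which of them the server is actually using.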
Re: [Samba] groupmap
it does appear that there is a problem with your setup. At this point you should try a tdbdump of your tdb passdb to see what it looks like and if it is garbage, delete it and start all over. If it looks good, you can net setlocalsid and it should take but the results of the other commands I listed above I can tell you this much...I have never been satisfied with my first pass ever on a vampire from an NT4 server. Generally, I have to fix stuff up with my LDAP setup or smbldap-tools to get it exactly right. I never use tdb passdb so I can't tell you the exact procedures but with ldap passdb, I always slapcat the ldap db prior to doing the net rpc vampire, check out the results in ldap, wipe it all out, restore from the slapcat that I did previously, fix the things that aren't perfect and do it again. It takes a few passes. The first time I ever migrated an NT4 PDC to samba PDC, it probably took about 30 passes - but I tried to be meticulous. Now, it probably takes me from 2-4 passes but I am getting quite good at setting up ldap.

Cheers Craig, LDAP is next on my Agenda... I'm just trying to get a grip of net groupmap - I think that holds the answer
Re: [Samba] MS Access macro's running very slowly
Looks like increasing the send and receive buffers has done the trick so far - although that page has given me a few extra things to look at/think about in the future. Thanks for that.

From: Gerald Drouillard [EMAIL PROTECTED]
Organization: Drouillard Associates, Inc.
Date: Fri, 04 Nov 2005 14:06:58 -0500
To: Gibbs, Simon [EMAIL PROTECTED]
Cc: samba@lists.samba.org samba@lists.samba.org
Subject: Re: [Samba] MS Access macro's running very slowly

Gibbs, Simon wrote:

Hi, I've recently migrated to a Samba3 server and everything seems to be running well apart from a problem with some users that run macros in MS Access. I'm told that a process which used to take 15min on the old W2K server took over an hour on the new samba box. After having a scan through the archives I think the problem may be related to oplocks/locking but I'm pretty sure I've got these setup OK. Checking usage through top and vmstat shows that the server isn't overloaded so I guess there may be a problem in my config somewhere. If anyone has any ideas please let me know. Thanks

Have a look at: http://drouillard.ca/TipsTricks/Samba/Oplocks.htm

-- Regards -- Gerald Drouillard Technology Architect Drouillard Associates, Inc. http://www.Drouillard.ca
[Samba] RID
I have my PDC up and running with the old (migrated PCs). I am trying to add a new PC (XP Pro). It doesn't seem to work from the XP Join Domain Dialogue. I have added an account with adduser. But

[EMAIL PROTECTED] samba]# pdbedit -a -m -u AZURE
tdb_update_sam: SAM_ACCOUNT (azure$) with no RID!
Unable to add machine! (does it already exist?)
[EMAIL PROTECTED] samba]#

Any idea where I might be going wrong? :-(

TIA
Simon
-- Simon Faulkner Dedicated Programmes 01538 303 900 07771 845 326
[Samba] Roaming Profiles - the next step
Thanks to the enthusiastic help of Mr. Dan Shearer and the excellent writings of John H. Terpstra (Samba-3 by Example) I have migrated an NT4 PDC to Samba 3.0.14a-2 on Fedora Core 4 (Cries of amazement). The clients (XP, NT4WS, Win2K, 98 and 95) didn't notice the switch (once I had made all the correct folders!)

My questions now are fine tuning and filling in gaps in my Windows knowledge. Roaming Profiles - seems like a great idea. Login on any PC and get all your settings etc. So why have a local settings folder in your profile that doesn't move? This means that your email won't travel and your .pst gets shredded/copied/mangled. I guess it's because a .pst can end up at 2 Gb and would kill logins? So, if I switch to Thunderbird and use IMAP can I get a fully roaming profile?

Simon
[Samba] MS Access macro's running very slowly
Hi, I've recently migrated to a Samba3 server and everything seems to be running well apart from a problem with some users that run macros in MS Access. I'm told that a process which used to take 15min on the old W2K server took over an hour on the new samba box. After having a scan through the archives I think the problem may be related to oplocks/locking but I'm pretty sure I've got these setup OK. Checking usage through top and vmstat shows that the server isn't overloaded so I guess there may be a problem in my config somewhere. If anyone has any ideas please let me know. Thanks

The box is running RHEL4, kernel version 2.6.9-11.ELsmp and samba-3.0.10-1.4E. smb.conf is as follows:

[global]
# General Settings
netbios name = UKFS01
server string = UKFS01 Samba Server
template homedir = /mnt/emcpowerb/user/%D/%U
# template shell = /bin/bash
admin users = @Domain Admins

# Active Directory/Winbind Settings
workgroup = xx
winbind separator = /
password server =
security = ADS
realm = xx
winbind use default domain = yes

# Winbind LDAP/IDMAP Settings
ldap ssl = no
idmap uid = 1-1000
idmap gid = 1-1000
ldap admin dn = cn=,dc=xx,dc=,dc=
ldap idmap suffix = ou=Idmap
ldap suffix = dc=,dc=,dc=
idmap backend = ldap:ldap://x.x.x.x
# winbind enum users = yes
# winbind enum groups = yes

# Network Configuration
;socket address =
;bind interfaces =
;bind interfaces only =
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Tuning parameters
#encrypt passwords = yes
browseable = yes
username map = /etc/samba/smbusers
hide dot files = yes
case sensitive = no
preserve case = yes
acl compatibility = auto
write cache size = 262144 # for a 256k cache size per file
max xmit = 65535
dead time = 15
getwd cache = yes
large readwrite = yes
inherit acls = yes
inherit permissions = yes
nt acl support = yes
map acl inherit = yes
map archive = yes
security mask = 0777
enhanced browsing = yes
client use spnego = yes
use spnego = yes
defer sharing violations = true
fake oplocks = no
kernel oplocks = yes
level2 oplocks = yes
oplock break wait time = 0
oplock contention limit = 2
oplocks = yes
veto oplock files = /*.mdb/*.MDB/*.ldb/*.LDB/
posix locking = yes
blocking locks = yes
lock spin count = 30

# Logging Information
#log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
log level = 1
syslog = 1
log file = /var/log/samba/%m
max log size = 50

# Share Definitions ==

[LMIUData]
comment = LMIU Data Share
path = /mnt/emcpowera/data/LMIUData
public = yes
browseable = yes
writeable = yes
nt acl support = true
force unknown acl user = yes
admin users = @Domain Admins
Re: [Samba] nt migration concerns
1. what are the catches or gotcha's that i have to anticipate?
2. what approach should i take before i take the leap?
3. do i need ldap for samba pdc?
4. in simplest terms what does ldap do?
5. just in case can i make our current nt4.0 become bdc?
6. having samba pdc, is it possible to authenticate from nt 4. bdc?
7. any other tips?

I am struggling with this move at the moment Jeisma, but only with 10 clients!

1. - The main gotcha I am having is to make the clients think it is the same PDC and thus not make a new profile.
2. - PLAN and TEST - http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html
3. - No. But, with 300 clients you will wish that you did!
4. - It is a directory for storing usernames and passwords that you can use for logging on
5. - No
6. - No
7. - Replicate your NT4 and setup a test network in the Laboratory. Have the NT4, Samba and a couple of clients and do a complete trial move making notes. This is a tough one because you need to switch and it's VERY difficult to move back once you have gone.

Good luck...
Simon
[Samba] UK Samba Consultant Required
Hi All, I would like to migrate a 10 user NT4 Domain to a new Samba server. I have had a practice run but am struggling to make the (mostly) XP machines login to the new server without creating a new profile. I am sure that I migrated the SID but obviously I didn't get something right! Are there any consultants out there who might be able to help me through this process and teach me a little more about profiles on the way? I've been supporting Samba for 10 years now but never as a login server so I have the basics but need the cream... We're in Staffordshire but ssh will work from anywhere! £££ waiting as they say in the movies LOL TIA Simon 01538 303 900
Re: [Samba] UK Samba Consultant Required
Your message caught my eye. We support Samba but as much as we would love the opportunity, we haven't yet migrated a Windows PDC. My advice to you is, if you have 10 years Samba experience, you probably know as much as most. Perhaps you might repost to the list, with some more detail (logs etc).

Cheers Andy (and others)

I will of course use this list to help me on the way, I was just hoping for a quick fix on this one and the opportunity to watch someone else on the job (I always learn from watching others). My 10 years experience sounds great but in reality I only ever use the default setup in RedHat (Fedora now). I change as little as possible so that it is simple to resetup new servers when I need to. We have around 30 Linux servers in the wild and (as you know) they just do the business with minimum fuss. Samba, Rsync, Postfix, Squid, DansGuardian, Dovecot, SpamAssassin, ClamAV, MySQL, Plone, Python - It does it all for us! Ah well, I am working my way through it and I am sure I will prevail...

Simon
Rolling up sleeves..
[Samba] Master browser? Confusion!
Hi there, I have samba 3.0.20a running with winbind as DC (security = user) (say DomainA), I have another Windows domain (DomainB). I can see the correct master browser in DomainA from smbclient -L \\localhost -N, can resolve the netbios name by nslookup and ping. Then I setup the trust as stated in the How-To from DomainA net rpc trustdom establish DomainB, then password. I was prompted with this:

Could not connect to server DomainB-server
Trust to domain DomainB established

but I can list users/groups in DomainB by wbinfo -u or -g

Any ideas? THX
Simon
[Samba] WinXP SP2 winlogon.exe blue screen to death
-2000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
winbind trusted domains only = yes
hosts allow = allowd ip range
interfaces = ip of SAMBA3
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
smb ports = 139 445

## LOGGING
utmp = yes
syslog = 0
log level = 10 passdb:0 auth:2 winbind:5
max log size = 50
log file = /var/log/samba/log.%m

## MISC Files/Directories
dos charset =CP950
unix charset =BIG5
oplocks = Yes
level2 oplocks = Yes
mangling method = hash2

## Profile
logon script = logon.bat
logon path =
logon drive =
logon home =
profile acls = yes
csc policy = disable
template shell = /bin/false

## Global printing settings
load printers = yes
printing = lprng
printcap name = /etc/printcap
show add printer wizard = yes
use client driver = No
lpq command = /usr/bin/lpstat %p
print command = /usr/bin/lpr -U%m -P%p -J'%J' -r %s
lprm command = /usr/bin/lprm -P%p %j
lppause command = /usr/sbin/lpc hold %p %j
lpresume command = /usr/sbin/lpc release %p %j
queuepause command = /usr/sbin/lpc stop %p
queueresume command = /usr/sbin/lpc start %p

## MISC
client schannel = no
server signing = auto

Any ideas? THX
Simon
[Samba] Attempt #2 :Interdomain Trust
Dear All, I have posted the following HELP recently, and seems like no response afterwards. Anyway, I try to make it short again here:

As instructed from the Samba3-HOWTO.pdf Ch 18.4.2:

[EMAIL PROTECTED] var]# net rpc trustdom establish DomainA
Password:
Could not connect to server DomainA-PDC
Trust to domain DomainA established

Then, a workstation (WinXP SP2) had successfully joined DomainB (with Domain A listed on the Log on to). Users in Domain A can login but found an error from the event viewer

Event ID:15
Source: AutoEnrollment
Type Error:
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.

another problem is when Domain A user logon the workstation from Domain B, a blue screen to death was prompted where the error from winlogon.exe (msgina.dll)

I hope someone can help. With a BIG THX
Simon

_
From: Simon Leung [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 14, 2005 2:17 PM
To: 'samba@lists.samba.org'
Subject: Yelling for help on interdomain Trust (a long one)

Hi there,

Scenario:
Domain A: Win2000Server(PDC)(DC1) + Win2003Server (DC2)
Domain B:Samba 3.0.20 (compiled with the patches from http://us1.samba.org/samba/patches/)
Where Domain A is the TRUSTED domain whereas Domain B is the TRUSTING domain.

And here is part of my smb.conf:

-Starts--
# Global parameters
[global]
## NETBIOS / Domain Server Settings
workgroup = SAMBA
netbios name = SAMBA3
server string = Samba-LDAP Server %v PDC
security = user
preferred master = yes
domain master = yes
os level = 65
allow trusted domains = yes
domain logons = Yes
local master = yes
encrypt passwords = Yes
admin users = @Domain Admins
Time server = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

## USER / LDAP Settings
ldap port = 389
ldap suffix = dc=mydomain,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap admin dn = cn=Manager,dc=mydomain,dc=com
ldap ssl = no
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1
admin users = administrator
guest account = nobody
obey pam restrictions = No
#add user script = /usr/local/sbin/smbldap-useradd -m %u
add machine script = /usr/local/sbin/smbldap-useradd -w %u
#add group script = /usr/local/sbin/smbldap-groupadd -p %g
#add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
#set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u

## WINS / DNS settings
wins support = yes
idmap uid = 1-2
idmap gid = 1-2
winbind use default domain = no
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind uid = 1-2
winbind gid = 1-2
winbind trusted domains only = yes
template shell = /bin/false
name resolve order = wins hosts bcast
smb ports = 139 445
hosts allow = IP addresses under my network

## LOGGING
utmp = yes
syslog = 0
log level = 3 passdb:0 auth:2 winbind:5
panic action = /usr/share/samba/panic-action %d
max log size = 50
log file = /var/log/samba/log.%m

## MISC Files/Directories
nt acl support = yes
map acl inherit = yes
dos charset = CP950
unix charset = BIG5
case sensitive = no
directory mask = 0750
hide dot files = yes
hide unreadable = yes
oplocks = Yes
level2 oplocks = Yes

## Profile
logon script = logon.bat
logon path =
logon drive =
logon home =

## MISC Other
mangling method = hash2
deadtime = 10
#client schannel = no
#client schannel = auto
#server schannel = yes
#client signing = auto
#server signing = no
-END-

My journey to setting up the trust:
1. Create Domain A account in Openldap -- smbldap-useradd -I Name of Domain A
2. Create trust on Domain A (DC2) -- added Name of Domain B and assigned password and valid the trust -- No error message
3. establish the trust on Samba -- net rpc trustdom establish DomainA -U administrator, then password

My problem:
1. I was prompted with the following error:
Could not connect to server DC1
Trust to domain DomainA established
2. joined a workstation (WinXP SP2
Re: [Samba] Data migration using net rpc share migrate
NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_start_connection(1388) Connecting to host=127.0.0.1 [2005/09/15 15:17:21, 3] lib/util_sock.c:open_socket_out(752) Connecting to 127.0.0.1 at port 445 [2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(713) Doing spnego session setup (blob length=98) [2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738) got OID=1 2 840 113554 1 2 2 [2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738) got OID=1 2 840 48018 1 2 2 [2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738) got OID=1 3 6 1 4 1 311 2 2 10 [2005/09/15 15:17:21, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745) got [EMAIL PROTECTED] [2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878) Got challenge flags: [2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60890215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_CHAL_TARGET_INFO NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900) NTLMSSP: Set final flags: [2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60080215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2005/09/15 15:17:21, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319) NTLMSSP Sign/Seal - Initialising with flags: [2005/09/15 15:17:21, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60080215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2005/09/15 15:17:21, 3] 
utils/net_rpc.c:sync_files(2763) calling cli_list with mask: \*
[2005/09/15 15:17:21, 3] libsmb/clilist.c:cli_list_new(310) received 33 entries (eos=1)
[2005/09/15 15:17:21, 3] utils/net_rpc.c:copy_fn(2674) got mask: \*, name: 3DP-2KXP-2181.exe
[2005/09/15 15:17:21, 3] utils/net_rpc.c:copy_fn(2719) got file: \3DP-2KXP-2181.exe
opening file \3DP-2KXP-2181.exe on originating server
opening file \3DP-2KXP-2181.exe on destination server
copying [\\10.36.32.36\Build$\3DP-2KXP-2181.exe] = [\\127.0.0.1\Build$\3DP-2KXP-2181.exe] with ACLs and with DOS Attributes (preserving timestamps)
opening file \3DP-2KXP-2181.exe on originating server
DACL
ACL Num ACEs: 1 revision: 2
---
ACE type: ACCESS ALLOWED (0) flags: 16 Specific bits: 0x1ff
Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
SID: S-1-5-21-25276289-2414859457-3260481563-2975
Owner SID: S-1-5-21-25276289-2414859457-3260481563-2975
Parent SID: S-1-5-21-1547161642-839522115-682003330-513
[2005/09/15 15:17:32, 1] libsmb/clisecdesc.c:cli_set_secdesc(127) NT_TRANSACT_SET_SECURITY_DESC failed
[2005/09/15 15:17:32, 0] utils/net_rpc_printer.c:net_copy_fileattr(384) could not set secdesc on \3DP-2KXP-2181.exe: NT_STATUS_ACCESS_DENIED
could not copy file \3DP-2KXP-2181.exe: NT_STATUS_ACCESS_DENIE

Thanks, Simon

From: Guenther Deschner [EMAIL PROTECTED]
Date: Tue, 6 Sep 2005 12:25:30 +0200
To: Gibbs, Simon [EMAIL PROTECTED]
Cc: samba@lists.samba.org samba@lists.samba.org
Subject: Re: [Samba] Data migration using net rpc share migrate

Hi,

On Mon, Sep 05, 2005 at 05:04:04PM +0100, Gibbs, Simon wrote:

Hi, I'm in the process of testing out the net rpc share migrate data migration tool but keep running into an error message when using the --acl option. I'm testing using the following command:

net rpc share migrate files -S 10.36.32.36 --acls --attrs --timestamps -v -U gibbss

but get with this error for each file in the share:

[2005/09/05 16:50:02, 0] utils/net_rpc_printer.c:net_copy_fileattr(384) could not set secdesc on \WinAXE_Plus_v7\xwpdllid.dll: NT_STATUS_ACCESS_DENIED
could not copy file \WinAXE_Plus_v7\xwpdllid.dll: NT_STATUS_ACCESS_DENIED

Each file copies OK and the timestamp is correct but none of the ACL's are there. ACL/xattrs mount options have already been added to the filesystem and I can use setfacl/getfacl so can't see a problem with ACL support and the share is on a PC logged in with the user account specified so all the files are owned by that account. I guess this must be a permission problem somewhere but can't think what it may be. Can anyone point me in the right direction?

this can happen because of: - smbd not being built
[Samba] Data migration using net rpc share migrate
Hi, I'm in the process of testing out the net rpc share migrate data migration tool but keep running into an error message when using the --acl option. I'm testing using the following command:

net rpc share migrate files -S 10.36.32.36 --acls --attrs --timestamps -v -U gibbss

but get with this error for each file in the share:

[2005/09/05 16:50:02, 0] utils/net_rpc_printer.c:net_copy_fileattr(384) could not set secdesc on \WinAXE_Plus_v7\xwpdllid.dll: NT_STATUS_ACCESS_DENIED
could not copy file \WinAXE_Plus_v7\xwpdllid.dll: NT_STATUS_ACCESS_DENIED

Each file copies OK and the timestamp is correct but none of the ACL's are there. ACL/xattrs mount options have already been added to the filesystem and I can use setfacl/getfacl so can't see a problem with ACL support and the share is on a PC logged in with the user account specified so all the files are owned by that account. I guess this must be a permission problem somewhere but can't think what it may be. Can anyone point me in the right direction?

Thanks, Simon
[Samba] Permissions Problem (?)
Hello,

I'm an inexperienced Linux / Samba user attempting to get some simple networking going with various versions of Windows. Running Samba 3.0.14a-2 on a 'freebie magazine' Fedora install. I appear to have what I think is a permissions problem, but could(?) be username or password related. I can see my shares on all of my Windows clients (2k, xp and 98). I can read from them, but not write to them. Win 2K and 98 report 'Cannot access this file. Check security priveleges over the network drive' when trying to create a new or modify an existing file. If I smbmount the share (on the linux box on which it exists), I also cannot write to it when logged in as user Simon, though I can write to it direct (ie not through the mount point) logged in as Simon.

I have the following in smb.conf:

[global]
workgroup = AED
wins support = yes
log level = 3
max log size = 1000
read only = no
hosts allow = 192.168.2.
printcap name = /etc/printcap
printing = lprng
log file = /root/smb.log
server string = Testing
smb passwd file = etc/samba/smbpasswd
password level = 8
username level = 8

and

[D-Main-Data]
comment = Main Data Drive
path = /usr/AED/D-Main-Data/
valid users = Simon
create mask = 0775
write list = Simon

At /usr/AED/D-Main-Data, the permissions show as drwxrwxrwx, though at the point where the share is smbmounted they are drwx-r-xr-x. I suspect this is the clue to the whole thing, but I don't know the solution! I've tried setting the owner of /usr/AED/D-Main-Data to both root and to Simon to no avail. Windows shows no permissions ticked in Security Properties for the shared directory or directories under it. A file created on the Linux box as user Simon shows as having Read and Write ticked, but I still can't modify and save it. I have the same user / password combinations set up on the Win and Linux boxes, and also in smbpasswd. I have a horrible feeling this is a basic linux permissions issue, but I'm at the end of my own limited abilities with it.
Thanks in advance, Simon Ansley
Re: [Samba] Getting Winbind IDMAP into LDAP?
Hi,

The uidNumber and gidNumber are already in LDAP - they're shown using ldapsearch but not slapcat. I think they automatically get added by samba.

Thanks, Simon

From: Sam [EMAIL PROTECTED]
Newsgroups: linux.samba
Date: Tue, 16 Aug 2005 11:16:10 +1000
To: Gibbs, Simon [EMAIL PROTECTED]
Subject: Re: [Samba] Getting Winbind IDMAP into LDAP?

snip
idmap uid = 1-1000
idmap gid = 1-1000
snip
[EMAIL PROTECTED] etc]# slapcat | grep -i IDMAP
o: Samba Idmap Directory
dn: ou=Idmap,dc=uk,dc=corplan,dc=net
ou: idmap
I've googled about a bit and haven't been able to find too much except this

in your LDIF used to populate LDAP add
gidNumber: 1
uidNumber: 1
this provides initial seed for IDMAP. That's how it worked for me. YMMV. Look for LDAP debug logs for more clues about its failure wrt LDAP connection.

regards Shirish [EMAIL PROTECTED]
[Samba] Re: Getting Winbind IDMAP into LDAP?
Hi Gints,

Changing nsswitch.conf from:

passwd: files ldap
group: files ldap

to

passwd: files winbind
group: files winbind

did the trick. Running getent passwd/group began populating LDAP and I can search all the records using ldapsearch and slapcat. Would this be an error in the documentation as (unless I was reading the wrong section) it uses the ldap entries in its example? My one concern is that when winbind is stopped and restarted the winbindd_idmap.tdb and winbindd_cache.tdb files are recreated and entries are added. Would this be expected? I guess I can test this today when I begin configuring a second node.

Thanks for your help. Simon

From: gints neimanis [EMAIL PROTECTED]
Date: Tue, 16 Aug 2005 11:57:48 +0300
To: Gibbs, Simon [EMAIL PROTECTED], samba@lists.samba.org
Subject: Re: Getting Winbind IDMAP into LDAP?

Hi, to use ldap as winbind idmap backend, you don't need the NSS_LDAP at all. All queries and updates to ldap are performed by winbind itself. Your smb.conf looks fine. You may check 2 things:
* Have you stored the LDAP Manager password to LDAP database with command smbpasswd -w 'verysecretldapmanager password' ?
* and look if you have added winbind to /etc/nsswitch.conf (and then command getent passwd should show all domain users with id from ldap)? like:
===
...
passwd: files winbind
group: files winbind
...
===
Next - you may increase the loglevel (loglevel 256) for LDAP server and look in ldap messages what is wrong in connection.

Gints

Gibbs, Simon wrote:

Hi, I've been trying to populate an LDAP directory with IDMAP information from Winbind using NSS_LDAP without much success over the last week. Can anybody tell me if I've done anything obviously wrong? I've followed the example shown in the Samba "By Example"
doc and am at the stage where the LDAP directory has been created and configured, NSS_LDAP config is amended, smb.conf contains entries to use LDAP as a backend and I have deleted /var/cache/samba/winbindd_cache.tdb and winbindd_idmap.tdb. Now wbinfo -u and wbinfo -g show users and groups on the domain but getent passwd/groups only displays local users. The winbindd_cache.tdb and winbindd_idmap.tdb files have been recreated but only winbindd_cache.tdb holds any information. When I attempt to access a Samba share I'm prompted to enter a username and password. As I understand it once the wbinfo commands have been run this process should automatically populate the Idmap ou with the ID mappings - is this correct? If so there must be something wrong with my config. Here's the current config and relevant info - sorry it's a bit long:

/etc/samba/smb.conf
[global]
workgroup = UKCORPLAN
netbios name = UKFS01
server string = UKFS01 Samba Server
winbind separator = /
ldap ssl = no
idmap uid = 1-1000
idmap gid = 1-1000
ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
ldap idmap suffix = ou=Idmap
ldap suffix = dc=uk,dc=corplan,dc=net
idmap backend = ldap:ldap://10.10.4.111/
winbind enum users = yes
winbind enum groups = yes
template homedir = /mnt/emcpowerb/user/%D/%U
template shell = /bin/bash
password server = ukdc01.uk.corplan.net
security = ADS
#encrypt passwords = yes
realm = uk.corplan.net
browseable = yes
username map = /etc/samba/smbusers
log level = 10 ads:10 auth:10 sam:10 rpc:10 idmap:10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
# Share Definitions ==
[homes]
comment = Home Directories
browseable = no
writable = yes
[public]
comment = Public Stuff
path = /home/samba
public = yes
read only = no
[test]
comment = test share
path = /mnt/emcpowera/shared/test
public = yes
browseable = yes
writeable = yes

/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns

/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
## schema files (core.schema is required by default)
include /etc/openldap/schema/core.schema
## needed for sambaSamAccount
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload
Re: [Samba] Re: Getting Winbind IDMAP into LDAP?
Hi John,

I was using the online By-Example documentation at: http://us3.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2579097 Starting at the sub heading IDMAP Storage in LDAP using Winbind. The example that appears to be incorrect is related to /etc/nsswitch.conf:

...
passwd: files ldap
shadow: files ldap
group: files ldap
...
hosts: files wins
...

The correct entries (working for me now) are:

...
passwd: files winbind
shadow: files
group: files winbind
...
hosts: files dns (we don't use wins)

From a personal point of view it would have been useful to have an additional entry in this section explaining how the idmap ou is populated, but I guess you can figure it out in the end.

Hope this helps, Simon

From: John H Terpstra [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Tue, 16 Aug 2005 08:46:45 -0600
To: samba@lists.samba.org
Cc: gints neimanis [EMAIL PROTECTED], Gibbs, Simon [EMAIL PROTECTED]
Subject: Re: [Samba] Re: Getting Winbind IDMAP into LDAP?

On Tuesday 16 August 2005 04:27, gints neimanis wrote:

Hi Simon, I think it is not the error in documentation (I don't know about which chapter we are talking :)).

I have reviewed the documentation on IDMAP in LDAP and it looks to me like something got deleted from the documentation sources somewhere in the editing cycle. That is why I would like to know precisely what version and section of the documentation has been referred to. I will fix any weaknesses, or lack of clarity, that can be uncovered.

If you use winbind authentication (+ idmap/ldap) only, you don't need the NSS_LDAP.

Correct.

But if you build a domain, where all user data is stored in LDAP, then you may authenticate users (from *nix) directly to LDAP database - and then you should use the NSS_LDAP (and Windows clients are using (SAMBA)Domain authentication. And the Samba guides are more explaining how to build the full Samba domain with LDAP backend.

Correct.

Cheers, John T.
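The two checks Gints lists and the nsswitch.conf change that resolved this thread, written as a small offline linter. This is an added example, not code from the thread or from the Samba project: the function names and finding strings are made up here, the sample input is constructed from the configuration posted in the thread, and it goes one step beyond the thread by also flagging that `ldap ssl = no` with an `ldap://` backend sends the admin DN bind in clear text (treating `no` like `off` is an assumption).

```python
import re

# Constructed sample input, based on the configuration posted in the thread.
SMB_CONF = """
[global]
  security = ADS
  ldap ssl = no
  ldap admin dn = cn=Manager,dc=uk,dc=corplan,dc=net
  ldap idmap suffix = ou=Idmap
  idmap backend = ldap:ldap://10.10.4.111/
[public]
  idmap backend = ignored outside global
"""
NSS_BEFORE = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"
NSS_AFTER = ("passwd: files winbind  # fixed\nshadow: files\n"
             "group: files [NOTFOUND=return] winbind\n")

def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            # Drop action items such as [NOTFOUND=return]; keep source names.
            dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return dbs

def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise spacing too.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap_ldap(smb_conf, nsswitch_conf):
    """List reasons why winbind would not serve LDAP-backed ID mappings."""
    smb, nss = parse_smb_global(smb_conf), parse_nsswitch(nsswitch_conf)
    findings = []
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: {db} does not list winbind")
    backend = smb.get("idmap backend", "")
    if not backend.lower().startswith("ldap:"):
        findings.append("smb.conf: idmap backend is not ldap:")
    elif not smb.get("ldap admin dn"):
        findings.append("smb.conf: ldap admin dn is unset (needed with smbpasswd -w)")
    elif backend.lower().startswith("ldap:ldap://") and \
            smb.get("ldap ssl", "").lower() in ("no", "off"):
        # Assumption: "no" is treated like "off", i.e. no TLS on the bind.
        findings.append("smb.conf: admin DN binds over unencrypted LDAP")
    return findings
```

Run against the original nsswitch.conf it reports the missing winbind sources for passwd and group; against the corrected file only the clear-text bind remains.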
[Samba] Getting Winbind IDMAP into LDAP?
,nisMapEntry eq,pres,sub
# Indices required for Samba
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

/etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 10.10.4.111
BASE dc=uk,dc=corplan,dc=net
#TLS_CACERTDIR /etc/openldap/cacerts

/etc/ldap.conf - nss_ldap config - only shows changes the rest is as default
# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 10.10.4.111
# The distinguished name of the search base.
base dc=uk,dc=corplan,dc=net
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://10.10.4.111/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=uk,dc=corplan,dc=net
# The credentials to bind with.
# Optional: default is no credential.
bindpw secret
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password exop
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=uk,dc=corplan,dc=net?one
nss_base_shadow ou=People,dc=uk,dc=corplan,dc=net?one
nss_base_group ou=Groups,dc=uk,dc=corplan,dc=net?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one

[EMAIL PROTECTED] etc]# slapcat | grep -i IDMAP
o: Samba Idmap Directory
dn: ou=Idmap,dc=uk,dc=corplan,dc=net
ou: idmap

I've googled about a bit and haven't been able to find too much except this thread: http://www.mail-archive.com/samba@lists.samba.org/msg30905.html But I've checked most of the info and it looks OK in comparison to my setup. Any help with this is much appreciated...

Thanks, Simon
RE: [Samba] Re: SuSE 9.3 + Samba 3 + LDAP
On Aug 15, 2005 09:42 AM, Geoffrey Scott [EMAIL PROTECTED] wrote:
Horst Simon wrote:
On Thu, 11 Aug 2005 14:55, Geoffrey Scott wrote:
David Krider wrote:

* The IDEALX smbldap-useradd script example in their smb.conf file is a little misleading. You'll need a `-a' to get it to add a sambaSamAccount object-classed account.

You need to use an -a when using the smbldap-tools scripts on the commandline, but there should be no such need within your smb.conf as samba takes care of samba attributes by itself. GS

I think this is my problem too, but using the -a option still did not add sambaSamAccount. I am using smbldap tools 0.91. From previous messages I found a patch for smbldap-useradd for version 0.91, after I applied the patch, the sambaSAMAccount object class and information was added, but still no luck. The next step is to add the computers into ou=Users and not into ou=Computers as discussed in some other posts.

Samba and the idealx tools can handle having users in one ou and computers in another quite easily. Eg
ou=Users,ou=split,ou=OxObjects,dc=dynohire,dc=com
Ou=Computers,ou=split,ou=OxObjects,dc=dynohire,dc=com
Then you point your nss and pam at ou=split,ou=OxObjects,dc=dynohire,dc=com as the base password etc But OpenXchange isn't that flexible. There are config files for the javastuff that have to be edited heavily to allow for this sort of set up. Therefore it is easier to just put computers and users in the same ou. Regards Geoff

I have it working with users and computers in ou=Users. Regards, Horst