Re: [Samba] SAMBA4: pdbedit not changing SID
On Tue, 2 Apr 2013, Andrew Bartlett wrote:

> On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
>> On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:
>>> Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users.
>>>
>>> I ran the command:
>>>
>>> /usr/local/samba/bin/samba-tool domain provision --realm=my realm \
>>>   --domain=mydomain --adminpass 'mypass' --server-role=dc \
>>>   --dns-backend=BIND9_DLZ
>>>
>>> Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID.
>>>
>>> Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.
>>
>> Hi,
>>
>> Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded.
>
> Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'.

Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again.

If I could change the subject somewhat, I am also not clear on how to configure SAMBA4 and the DNS server if my network has an existing DNS server on another machine and I don't really want to move it. The DNS server is a stock install of bind from the distro's repository:

bind-9.8.2-0.17.rc1.el6_4.4.x86_64

Simon

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Internal DNS not running
On Tue, 9 Apr 2013, Ricky Nance wrote:

> That looks normal... Can you pastebin your log.samba... first mv or rm /usr/local/samba/var/log.samba, then restart samba, then pastebin log.samba. Also (with samba running) can you give us the output of
>
> ps ax | grep samba
>
> and the output of
>
> netstat -anp | grep LISTEN | grep samba

Thanks, Ricky, with your help, I fixed the problem. I had started krb5kdc, not realizing that the krb server was also built into samba. Once I stopped this and re-started SAMBA, the internal dns server started working.

Simon

> On Tue, Apr 9, 2013 at 7:22 PM, simon+sa...@matthews.eu wrote:
>> On Tue, 9 Apr 2013, Ricky Nance wrote:
>>> What samba version are you using (samba -V)?
>>
>> # samba -V
>> Version 4.0.4
>>
>>> Also what is the output of
>>> samba-tool testparm -v --suppress-prompt | grep 'server services'
>>
>> # samba-tool testparm -v --suppress-prompt | grep 'server services'
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
>>
>> Simon
>>
>>> On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:
>>>> After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS.
>>>>
>>>> Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server.
>>>>
>>>> Where should I start looking for a solution to this?
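The check discussed in this thread, written out as an added example (not code from the thread or from the Samba project): it compares the services named in `server services` with the TCP listeners reported by `netstat -anp` and reports ports that have no listener or are held by a process other than samba. The netstat lines are constructed sample data, and the function names are hypothetical.

```python
# Well-known TCP ports of the AD DC services discussed in the thread.
SERVICE_PORTS = {"dns": 53, "kdc": 88, "ldap": 389}

# "server services" line as quoted in the thread.
TESTPARM_LINE = ("server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, "
                 "drepl, winbind, ntp_signd, kcc, dnsupdate, dns")

# Constructed netstat -anp output (not from the thread): a standalone
# krb5kdc owns port 88 and nothing listens on port 53.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:389       0.0.0.0:*     LISTEN      2211/samba
tcp        0      0 0.0.0.0:88        0.0.0.0:*     LISTEN      1987/krb5kdc
tcp        0      0 0.0.0.0:22        0.0.0.0:*     LISTEN      1200/sshd
"""


def enabled_services(testparm_line):
    """Return the set of service names from a 'server services = ...' line."""
    _, _, value = testparm_line.partition("=")
    return {s.strip() for s in value.split(",") if s.strip()}


def tcp_listeners(netstat_text):
    """Map each listening TCP port to the set of program names that own it."""
    owners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        # Proto Recv-Q Send-Q Local Foreign State PID/Program
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])          # also handles :::53
        prog = f[6].split("/", 1)[1] if "/" in f[6] else f[6]
        owners.setdefault(port, set()).add(prog)
    return owners


def audit_listeners(testparm_line, netstat_text):
    """List (service, port, problem) for enabled services samba is not serving."""
    findings = []
    owners = tcp_listeners(netstat_text)
    for svc in sorted(enabled_services(testparm_line) & set(SERVICE_PORTS)):
        port = SERVICE_PORTS[svc]
        progs = owners.get(port, set())
        if not progs:
            findings.append((svc, port, "no listener"))
        elif "samba" not in progs:
            findings.append((svc, port, "held by " + ",".join(sorted(progs))))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(TESTPARM_LINE, NETSTAT_SAMPLE):
        print(finding)
```

Feeding it the unfiltered `netstat -anp` output matters: piping through `grep samba` first hides listeners that belong to other daemons.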
[Samba] migrating from Samba3 with tdbsam to samba4 AD server?
What's the best path to do this?

I currently have a SAMBA3 domain controller using tdbsam and would like to migrate to Samba4 as an AD controller. I assume that this will require loading my existing user database into ldap.

What's the best path for this? Should I look for a samba3 to samba4 migration, continuing to use tdbsam in samba4, and then convert to ldap, or convert my existing samba3 installation from tdbsam to ldap first?

Clearly, I want to ensure that logins (and especially SIDs) are preserved so that there is minimal impact to Windows clients.

Simon
[Samba] Suggestions for moving a PDC function
I currently have a server which is both the PDC for my domain and the file server for the network. I need to split these functions and move the PDC function to another box, while leaving the original server as the file server on which home directories and roaming profiles are stored. User credentials are stored in a tdbsam database and I am running Samba 3.5.

Does anyone have any pointers on what to move and any potential pitfalls in the process? I have always used the same machine for both the PDC and file server, so this is somewhat unknown territory for me.

I assume that the file server will still run samba, and I will change the domain master = and domain logins = to no in both cases. Also security = should be set to security = domain and set up a machine account on the file server which is then joined to the domain?

What files need to be moved to the new samba server? I see that there are files in /var/cache/samba (it's a Gentoo system) which I assume also have to be put into the proper place on the new server. Is there anything else I need to look for?

Many thanks for any suggestions.

Simon
[Samba] Roaming profiles not being loaded
I tried to build a setup to model and hence learn how to configure samba servers for the setup that I described below. However, a user login in which the profile is defined to be on a samba server that is not the PDC never gets a roaming profile -- instead the user always gets a temporary profile. Looking at the Windows logs, it is complaining about a permissions issue. However, once logged in (with the temporary profile), that user can create and modify files in the profile directory.

I have turned logging level to 3, but I don't see anything useful.

The PDC is running SAMBA 3.5.11, while the other server (modeling the fileserver in the proposed network) is running SAMBA 3.5.10. The usernames exist in the /etc/passwd files on both machines (although I think that I should not need this if I can get winbindd working properly). Home directories for the users exist on both machines.

Some specifics:

1. smb.conf from the fileserver (Not the PDC, but the machine where the profile directories are found):

[global]
    workgroup = MATTHEWS
    server string = Samba Server Version %v
    netbios name = sambatest
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 3
    security = domain
    passdb backend = tdbsam
    password server = firewall
    idmap backend = tdb
    idmap uid = 9000-
    idmap gid = 9000-
    local master = no
    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[profiles]
    comment = profiles
    path = /export/profiles
    browseable = yes
    guest ok = yes

smb.conf from the PDC:

[global]
    workgroup = MATTHEWS
    netbios aliases = SERVER, firewall, newfirewall
    server string = Samba Server %v
    interfaces = 192.168.89.1, 127.0.0.1, 192.168.89.2, 192.168.89.6, 10.9.0.1
    bind interfaces only = Yes
    security = user
    log file = /var/log/samba3/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = /etc/printcap
    os level = 90
    preferred master = Yes
    domain master = Yes
    domain logons = yes
    dns proxy = No
    wins server = 192.168.89.1
    wins support = Yes
    admin users = root, simon, @wheel
    hosts allow = 192.168.0.0/255.255.0.0, 10.8.0.0/24
    hosts deny = 0.0.0.0/0
    passdb backend = tdbsam
    logon path = \\%N\profiles\%U
    logon home = \\firewall\%U\winprofile

[profiles]
    comment = profiles
    path = /export/profiles
    read only = No

[homes]
    comment = Home Directories
    path = /home/%u
    read only = No

[allhomes]
    comment = Home Directories
    path = /home
    guest ok = Yes

[print$]
    path = /var/lib/samba/printers
    guest ok = Yes

[CD]
    path = /mnt/cdrom/
    guest ok = Yes

[certs]
    path = /home/certs
    guest ok = Yes

[pub]
    path = /home/pub
    read only = No
    guest ok = Yes

[HP]
    comment = HP Printer
    path = /tmp
    guest ok = Yes
    printable = Yes
    print command = lpr -P HP -oraw -r -l %s
    lpq command = lpq -P'HP'
    lprm command = lprm -P'HP' %j
    use client driver = Yes

[Laser]
    path = /tmp
    printable = Yes

pdb data for user that cannot get a profile:

pdbedit -v simontest
Unix username:        simontest
NT username:
Account Flags:        [U ]
User SID:             S-1-5-21-812011073-3920078087-27638135-1004
Primary Group SID:    S-1-5-21-812011073-3920078087-27638135-513
Full Name:
Home Directory:       \\firewall\simontest\winprofile
HomeDir Drive:
Logon Script:
Profile Path:         \\sambatest\profiles\simontest
Domain:               MATTHEWS
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 07:06:39 PST
Kickoff time:         Wed, 06 Feb 2036 07:06:39 PST
Password last set:    Sat, 24 Mar 2012 15:09:20 PDT
Password can change:  Sat, 24 Mar 2012 15:09:20 PDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF

Does anyone have any suggestions on what might be wrong? If it needs entries from the log files, I can add these.

Simon

On Sat, Mar 24, 2012 at 12:09 PM, Simon Matthews simon.d.matth...@gmail.com wrote:

> I currently have a server which is both the PDC for my domain and the file server for the network. I need to split these functions and move the PDC function to another box, while leaving the original server as the file server on which home directories and roaming profiles are stored. User credentials are stored in a tdbsam database and I am running Samba 3.5.
>
> Does anyone have any pointers on what to move and any potential pitfalls in the process? I have always used the same machine for both the PDC and file server, so this is somewhat unknown territory for me.
>
> I assume that the file
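The two smb.conf files in the message above mix `guest ok`, `read only` and `writable`, which are easy to misread because Samba treats some names as inverted synonyms and applies defaults when a parameter is absent. The following added example (not part of the original post or of Samba) resolves those synonyms and lists the shares that allow guest access together with their effective write mode. The function names are hypothetical, the sample is a trimmed excerpt of the PDC configuration quoted above, and line continuations and `include` directives are not handled.

```python
# Boolean synonyms from smb.conf(5): name -> (canonical name, inverted?).
SYNONYMS = {
    "guest ok": ("guest ok", False), "public": ("guest ok", False),
    "read only": ("read only", False), "writable": ("read only", True),
    "writeable": ("read only", True), "write ok": ("read only", True),
}
DEFAULTS = {"guest ok": False, "read only": True}  # Samba's built-in defaults
TRUE_WORDS = {"yes", "true", "on", "1"}

# Trimmed excerpt of the PDC smb.conf quoted in the message above.
PDC_EXCERPT = """\
[global]
security = user
[profiles]
path = /export/profiles
read only = No
[allhomes]
path = /home
guest ok = Yes
[certs]
guest ok = Yes
[pub]
read only = No
guest ok = Yes
"""

def parse_shares(text):
    """Return {section: {param: value}} with boolean synonyms normalised."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())      # names are case-insensitive
        if key in SYNONYMS:
            canon, inverted = SYNONYMS[key]
            flag = value.strip().lower() in TRUE_WORDS
            current[canon] = flag != inverted    # writable=yes -> read only=no
        else:
            current[key] = value.strip()
    return shares

def audit_guest_shares(text):
    """Map each share that allows guest access to its effective write mode."""
    shares = parse_shares(text)
    glob = shares.pop("global", {})              # [global] overrides defaults
    base = {k: glob.get(k, v) for k, v in DEFAULTS.items()}
    report = {}
    for name, params in shares.items():
        eff = {**base, **params}
        if eff["guest ok"]:
            mode = "read-only" if eff["read only"] else "writable"
            report[name] = "guest, " + mode
    return report

if __name__ == "__main__":
    for share, mode in audit_guest_shares(PDC_EXCERPT).items():
        print(f"[{share}] {mode}")
```

A share that sets neither `read only` nor `writable` is reported as read-only because that is the default. Whether a guest connection actually succeeds also depends on `map to guest` and on the Unix permissions of the exported path.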
Re: [Samba] samba PDC/NIS client
On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy tony.mol...@ul.ie wrote:

> On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
>> On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
>>> Do you have password sync enabled? If password sync is enabled, samba will try to use the passwd command to set the unix password. But with nis, you probably might need something nis specific. On solaris it was "passwd -r nis" - not sure about linux. Probably better to just disable password sync.
>
> I've got a very similar setup to you. Except I use a smbpasswd file.
>
>> No, I don't have this option enabled. I am not sure how it is relevant.
>>
>> Problem summary:
>> The samba PDC is an NIS client
>> getent passwd returns the passwd data.
>> The user's SAMBA password was set using smbpasswd
>> The user's NIS passwd was set using yppasswd
>
> So far all the same.
>
>> ALL I had to do to allow domain logins was:
>> ypcat passwd | grep username >> /etc/passwd
>
> Why duplicate the password entries. I just have them in NIS and /etc/passwd just has the system passwords.
>
>> Note that after copying the user details to /etc/passwd, the password that was set with smbpasswd was the password that was used with the successful domain login.
>
> Don't really understand what you mean by domain logins
>
> 1. Create the user under linux first
> 2. Use smbpasswd to add the user to samba
>
> You now have a user in both linux and samba but remember the passwords are stored separately, changing one does not change the other.
>
> 3. Edit /etc/nsswitch.conf. Set
>    passwd: files nis
>    shadow: files

Removing the nis entry from shadow: in /etc/nsswitch.conf solved the issue. I don't understand why, but it did.

Simon

> That works for me. YMMV
>
> Tony
>
>> Simon
Re: [Samba] samba PDC/NIS client
On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

> Do you have password sync enabled? If password sync is enabled, samba will try to use the passwd command to set the unix password. But with nis, you probably might need something nis specific. On solaris it was "passwd -r nis" - not sure about linux. Probably better to just disable password sync.

No, I don't have this option enabled. I am not sure how it is relevant.

Problem summary:
The samba PDC is an NIS client
getent passwd returns the passwd data.
The user's SAMBA password was set using smbpasswd
The user's NIS passwd was set using yppasswd

ALL I had to do to allow domain logins was:
ypcat passwd | grep username >> /etc/passwd

Note that after copying the user details to /etc/passwd, the password that was set with smbpasswd was the password that was used with the successful domain login.

Simon

> From: Simon Matthews [mailto:simon.d.matth...@gmail.com]
> Sent: Friday, March 09, 2012 4:04 PM
> To: gaiseric.van...@gmail.com
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] samba PDC/NIS client
>
>> On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
>>> I don't think this is a samba issue. Samba accounts need to have a corresponding unix account. Shouldn't matter if they are in NIS or /etc/passwd. If you have users in both it could get a problem.
>>>
>>> Is getent passwd really showing the users from NIS?
>>
>> Yes. In fact, for those users who are in both the /etc/passwd and nis tables, it shows both entries (and the details match between both entries)
>>
>>> How about getent shadow (assuming a linux machine and not solaris,
>>
>> No, this only shows the users with entries in /etc/shadow. However:
>> 1. getent passwd includes the hashed passwords of users in the nis tables
>> 2. It was not necessary to add the user to /etc/shadow in order to allow samba domain logins. All I had to do was add the user to /etc/passwd.
>>
>>> and probably doesn't matter anyway.)
>>>
>>> Do you have an /etc/nsswitch.conf entry for
>>> shadow: files nis
>>
>> Yes
>>
>>> Are you missing the : in the nsswitch.conf entries?
>>
>> No.
>>
>>> Are your user names all in lower case? Are they all 8 characters or under.
>>
>> Yes.
>>
>> Simon
>>
>>> On 03/08/12 22:46, Simon Matthews wrote:
>>>> I have a server which is a samba PDC and has recently been converted to an NIS client. For historic reasons, many users' login information is in the local machine's /etc/passwd and /etc/shadow files. samba is set up to use a tdbsam database.
>>>>
>>>> I got the first indication of problems when I tried to add a user using the smbpasswd -a command. I found that smbpasswd would not recognize the user unless either the username was in the /etc/passwd file, or I changed /etc/nsswitch.conf from
>>>> passwd compat
>>>> TO:
>>>> passwd files nis
>>>>
>>>> However, if I make the latter change, the user cannot log into any Windows machines that are controlled by my PDC.
>>>>
>>>> To allow logins, all I have to do is
>>>> ypcat passwd | grep username >> /etc/passwd
>>>>
>>>> After this, the user can log in.
>>>>
>>>> Is there any configuration of samba that will allow it to properly recognize user data from the NIS map and not require the user to be listed in the /etc/passwd file?
>>>>
>>>> Simon
Re: [Samba] samba PDC/NIS client
On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

> I don't think this is a samba issue. Samba accounts need to have a corresponding unix account. Shouldn't matter if they are in NIS or /etc/passwd. If you have users in both it could get a problem.
>
> Is getent passwd really showing the users from NIS?

Yes. In fact, for those users who are in both the /etc/passwd and nis tables, it shows both entries (and the details match between both entries)

> How about getent shadow (assuming a linux machine and not solaris,

No, this only shows the users with entries in /etc/shadow. However:
1. getent passwd includes the hashed passwords of users in the nis tables
2. It was not necessary to add the user to /etc/shadow in order to allow samba domain logins. All I had to do was add the user to /etc/passwd.

> and probably doesn't matter anyway.)
>
> Do you have an /etc/nsswitch.conf entry for
> shadow: files nis

Yes

> Are you missing the : in the nsswitch.conf entries?

No.

> Are your user names all in lower case? Are they all 8 characters or under.

Yes.

Simon

> On 03/08/12 22:46, Simon Matthews wrote:
>> I have a server which is a samba PDC and has recently been converted to an NIS client. For historic reasons, many users' login information is in the local machine's /etc/passwd and /etc/shadow files. samba is set up to use a tdbsam database.
>>
>> I got the first indication of problems when I tried to add a user using the smbpasswd -a command. I found that smbpasswd would not recognize the user unless either the username was in the /etc/passwd file, or I changed /etc/nsswitch.conf from
>> passwd compat
>> TO:
>> passwd files nis
>>
>> However, if I make the latter change, the user cannot log into any Windows machines that are controlled by my PDC.
>>
>> To allow logins, all I have to do is
>> ypcat passwd | grep username >> /etc/passwd
>>
>> After this, the user can log in.
>>
>> Is there any configuration of samba that will allow it to properly recognize user data from the NIS map and not require the user to be listed in the /etc/passwd file?
>>
>> Simon
[Samba] samba PDC/NIS client
I have a server which is a samba PDC and has recently been converted to an NIS client. For historic reasons, many users' login information is in the local machine's /etc/passwd and /etc/shadow files. samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the smbpasswd -a command. I found that smbpasswd would not recognize the user unless either the username was in the /etc/passwd file, or I changed /etc/nsswitch.conf from
passwd compat
TO:
passwd files nis

However, if I make the latter change, the user cannot log into any Windows machines that are controlled by my PDC.

To allow logins, all I have to do is
ypcat passwd | grep username >> /etc/passwd

After this, the user can log in.

Is there any configuration of samba that will allow it to properly recognize user data from the NIS map and not require the user to be listed in the /etc/passwd file?

Simon