Re: [Samba] Roaming Profiles - WinXP and Win7

2012-12-15 Thread Thierry Lacoste

 
 (...) is there a solution to this behavior.
 
 
 Partial folder redirection?
Why partial? Are there folders not to redirect?

Regards,
Thierry
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] recommended procedure for mandatory roaming profiles for win7 with samba 3

2012-12-03 Thread Thierry Lacoste
Hello,

I have a PDC and a File (member) server for homes and profiles (Samba 3.4.17).

For XP clients I have mandatory profiles with all user shell folders redirected
to their respective home share.

Now I'm adding win 7 clients to the mix and I want the same thing.
It's (almost) working but I think my procedure is a bit dirty
(i.e. I use windows enabler to build my ntuser.man roaming profile).

Could someone help me or point me to some documentation?

Regards,
Thierry


Re: [Samba] issues with Windows 7 roaming profiles

2012-11-13 Thread Thierry Lacoste

On 12 nov. 2012, at 21:44, Preston Hagar wrote:

 On Mon, Nov 12, 2012 at 6:02 AM, Thierry Lacoste laco...@u-pec.fr wrote:
 I made some modifications but still cannot use my Windows7 with a domain 
 account.
 
 On 10 nov. 2012, at 12:27, Thierry Lacoste wrote:
 
 Hello,
 
 I have a centOS 5.5 box acting as a PDC with samba 3.4.9 and openldap 2.4.22.
 Then I joined the domain with a centOS box (samba 3.4.17) which hosts the homes and profiles.
 I have no problem with XP clients.
 
 I can join a windows 7 client to my domain but it is unable to load the profile when logging in.
 See below a level 2 log.smbd from the file server when I log in with a domain account.
 
 Is the unable to create profs/lacoste.V2 the culprit ?
 I created a directory profs/lacoste.V2 and put an NTUSER.DAT
 (built for a local user added to the windows 7 box) in it.
 This box still won't let me in; it closes the session during the course of opening the session.
 
[...]
 A couple of things to check.  Make sure you have the registry settings
 set that are recommended here:
 
 https://wiki.samba.org/index.php/Windows7#Windows_7_Registry_settings
I did that.
 
 Also, you may need a [profiles.V2] share as described here:
 http://lists.samba.org/archive/samba-technical/2007-April/052674.html

Actually the windows box wants to open /export/profiles/profs/lacoste.V2
so I created this folder and populated it with the whole local profile made on
the windows 7 machine.

When I try to open a session, there is a long bunch of messages on my CentOS file
server:
[2012/11/13 10:25:26,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.186) connect to service Profiles initially as 
user lacoste (uid=5001, gid=4000) (pid 12488)
[2012/11/13 10:25:26,  2] smbd/open.c:580(open_file)
  lacoste opened file profs/lacoste.V2/NTUSER.DAT read=Yes write=No (numopen=1)
[2012/11/13 10:25:26,  2] smbd/open.c:580(open_file)
  lacoste opened file profs/lacoste.V2/ntuser.ini read=Yes write=No (numopen=2)
[...]

After a while the windows box closes connection with those message on log.smbd :
[2012/11/13 10:25:48,  2] smbd/close.c:612(close_normal_file)
  lacoste closed file profs/lacoste.V2/NTUSER.DAT (numopen=1) NT_STATUS_OK
[2012/11/13 10:25:48,  1] smbd/service.c:1240(close_cnum)
  test-win7 (:::194.214.12.186) closed connection to service lacoste
[2012/11/13 10:26:00,  2] smbd/close.c:612(close_normal_file)
  lacoste closed file profs/lacoste.V2/ntuser.ini (numopen=0) NT_STATUS_OK
[2012/11/13 10:26:12,  1] smbd/service.c:1240(close_cnum)
  test-win7 (:::194.214.12.186) closed connection to service Profiles
[2012/11/13 10:26:18,  0] lib/util_sock.c:539(read_fd_with_timeout)

 As a last note, last time I looked into this (and asked the list) Win
 7 roaming profiles and Win XP roaming profiles could not be shared.
 Each user would have a new, separate profile for each version of
 windows.  Hopefully someone will correct me if I am wrong.
 
As I said I created a lacoste.V2 folder for windows 7 in the folder where the
profile lacoste lives (for my Win XP clients).

This is driving me nuts. 
I have no idea where to go now.

Regards,
Thierry


Re: [Samba] issues with Windows 7 roaming profiles

2012-11-12 Thread Thierry Lacoste
I made some modifications but still cannot use my Windows7 with a domain 
account.

On 10 nov. 2012, at 12:27, Thierry Lacoste wrote:

 Hello,
 
 I have a centOS 5.5 box acting as a PDC with samba 3.4.9 and openldap 2.4.22.
 Then I joined the domain with a centOS box (samba 3.4.17) which hosts the homes and profiles.
 I have no problem with XP clients.
 
 I can join a windows 7 client to my domain but it is unable to load the profile when logging in.
 See below a level 2 log.smbd from the file server when I log in with a domain account.
 
 Is the unable to create profs/lacoste.V2 the culprit ?
I created a directory profs/lacoste.V2 and put an NTUSER.DAT
(built for a local user added to the windows 7 box) in it.
This box still won't let me in; it closes the session during the course of
opening the session.

Here are my settings.

- smb.conf on the PDC :

[global]
  workgroup = MIAGE
  netbios name = VCOS-CASTOR
  netbios aliases = ALDAP3

  passdb backend = ldapsam:ldap://localhost

  add machine script = /usr/sbin/smbldap-useradd -w '%u'

  loglevel = 2

  domain logons = Yes
  preferred master = Yes
  domain master = Yes
  wins support = Yes

  ldap suffix = o=miage
  ldap machine suffix = ou=Computers,ou=Accounts
  ldap user suffix = ou=Users,ou=Accounts
  ldap group suffix = ou=Groups
  ldap admin dn = cn=sambamgr,ou=Managers,o=miage
  ldap passwd sync = yes

  enable privileges = yes

  ssl = Off

[netlogon]
  comment = Network Logon Service
  path = /samba/netlogon
  admin users = root
  guest ok = Yes
  browseable = No

[public]
  path = /samba/public
  guest ok = Yes


- smb.conf on my file server :
[global]
workgroup = MIAGE
netbios name = VCOS-CAPELLA
security = DOMAIN
name resolve order = wins bcast
wins server = 194.214.12.135 # IP of my PDC
netbios aliases = AHOMES APROFILES
server string = %L
password server = ALDAP3

log level = 2

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

[Profiles]
  comment = Roaming Profile Share
  path = /export/profiles
  read only = No
  profile acls = Yes
  vfs object = fake_perms


- level 2 log.smbd from the file server :

[2012/11/12 12:47:30,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2012/11/12 12:47:30,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2012/11/12 12:47:30,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [lacoste] - [lacoste] - 
[lacoste] succeeded
[2012/11/12 12:47:30,  2] lib/module.c:64(do_smb_load_module)
  Module '/usr/lib/samba/vfs/fake_perms.so' loaded
[2012/11/12 12:47:30,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.168) connect to service Profiles initially as 
user lacoste (uid=5001, gid=4000) (pid 8617)
[2012/11/12 12:47:30,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.168) connect to service lacoste initially as 
user lacoste (uid=5001, gid=4000) (pid 8617)
[2012/11/12 12:47:41,  1] smbd/service.c:1240(close_cnum)
  test-win7 (:::194.214.12.168) closed connection to service Profiles
[2012/11/12 12:47:41,  1] smbd/service.c:1240(close_cnum)
  test-win7 (:::194.214.12.168) closed connection to service lacoste

Best regards,
Thierry Lacoste.



[Samba] issues with Windows 7 roaming profiles

2012-11-10 Thread Thierry Lacoste
Hello,

I have a centOS 5.5 box acting as a PDC with samba 3.4.9 and openldap 2.4.22.
Then I joined the domain with a centOS box (samba 3.4.17) which hosts the homes
and profiles.
I have no problem with XP clients.

I can join a windows 7 client to my domain but it is unable to load the profile
when logging in.
See below a level 2 log.smbd from the file server when I log in with a domain
account.

Is the unable to create profs/lacoste.V2 the culprit ?
What do I have to do to make it work ?

Best regards,
Thierry Lacoste.

[2012/11/09 13:17:40,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2012/11/09 13:17:40,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2012/11/09 13:17:40,  2] libsmb/namequery.c:781(name_query)
  Got a positive name query response from 194.214.12.135 ( 194.214.12.135 )
[2012/11/09 13:17:40,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [lacoste] - [lacoste] - 
[lacoste] succeeded
[2012/11/09 13:17:40,  2] lib/module.c:64(do_smb_load_module)
  Module '/usr/lib/samba/vfs/fake_perms.so' loaded
[2012/11/09 13:17:40,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.186) connect to service Profiles initially as 
user lacoste (uid=5001, gid=4000) (pid 27369)
[2012/11/09 13:17:40,  2] smbd/open.c:2415(open_directory)
  open_directory: unable to create profs/lacoste.V2. Error was 
NT_STATUS_ACCESS_DENIED
[2012/11/09 13:17:41,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.186) connect to service lacoste initially as 
user lacoste (uid=5001, gid=4000) (pid 27369)
[2012/11/09 13:17:50,  1] smbd/service.c:1240(close_cnum)
  test-win7 (:::194.214.12.186) closed connection to service Profiles




Re: [Samba] issues with smbclient 3.0.x against 3.4.x server

2011-02-17 Thread Thierry Lacoste


On 16 févr. 11, at 12:59, Thierry Lacoste wrote:


Hello,

I'm upgrading my samba installation from 3.0.34 (FreeBSD 6.4)
to 3.4.x  (CentOS 5.5) from SerNet.

I have an LDAP-based samba domain (PDC and BDC) and a homes/Profiles
member server.


I first upgraded my DCs to 3.4.9 with no problem.

I have recently installed a new file server (samba 3.4.11 on CentOS 5.5).

I have issues connecting to this server with old versions of smbclient
which give 'session setup failed: NT_STATUS_LOGON_FAILURE'
with the following command line:
smbclient //new-server/user -U user


My bad. This has nothing to do with clients. I just need to specify the domain.

I found the answer with a log level = 3 on the homes server.

On a client with the smb.conf workgroup parameter unset,
smbclient //new-server/user -U user
is rejected and the server's log shows:
[2011/02/17 15:17:23,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
 Got user=[user] domain=[WORKGROUP] workstation=[CLIENT1] len1=24 len2=24


On a client with the workgroup set to MYGROUP (which is the case on some packaged
distributions of samba), smbclient is also rejected and as one could expect we have:

[2011/02/17 15:09:13,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
 Got user=[user] domain=[MYGROUP] workstation=[CLIENT2] len1=24 len2=24

On every client, specifying the domain to which the file server is joined works:

smbclient //new-server/user -U user -W MYDOMAIN

AFAICS it was not required to specify the domain with 3.0.x member servers.


Sorry for the noise.

Thierry
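Both failure signatures in these threads show up only in smbd's own log: the open_directory record ending in NT_STATUS_ACCESS_DENIED for profs/lacoste.V2 in the Windows 7 profile thread, and the ntlmssp_server_auth record above showing the client offering domain=[WORKGROUP] instead of the domain the member server is joined to. The script below is an added example, not code from the posts or from the Samba project: it parses the two-line smbd record format quoted in the threads (a bracketed header followed by an indented, possibly mail-wrapped message), flags those two conditions, and reports tree connects that were never closed. The sample log text is constructed from the excerpts above; the host names, IP addresses and the expected domain name MYDOMAIN are assumptions.

```python
"""Triage smbd level 1-3 log records for profile/logon failures.

Added example (not from the list posts or the Samba project). The log text
below is constructed from the excerpts quoted in the threads; the expected
domain name passed to triage() is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like the smbd excerpts quoted in the threads above.
SAMPLE_LOG = """\
[2012/11/09 13:17:40,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [lacoste] - [lacoste] - [lacoste] succeeded
[2012/11/09 13:17:40,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.186) connect to service Profiles initially as user lacoste (uid=5001, gid=4000) (pid 27369)
[2012/11/09 13:17:40,  2] smbd/open.c:2415(open_directory)
  open_directory: unable to create profs/lacoste.V2. Error was NT_STATUS_ACCESS_DENIED
[2012/11/09 13:17:41,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.186) connect to service lacoste initially as user lacoste (uid=5001, gid=4000) (pid 27369)
[2012/11/09 13:17:50,  1] smbd/service.c:1240(close_cnum)
  test-win7 (:::194.214.12.186) closed connection to service Profiles
[2011/02/17 15:17:23,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[user] domain=[WORKGROUP] workstation=[CLIENT1] len1=24 len2=24
"""

# A record is a header line "[date time, level] file:line(function)" followed
# by one or more message lines (indented, or hard-wrapped by a mail client).
HEADER_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s+(?P<level>\d+)\]\s+(?P<src>\S+)\((?P<func>\w+)\)\s*$")
CREATE_FAIL_RE = re.compile(
    r"unable to create (?P<path>\S+)\. Error was (?P<status>NT_STATUS_\w+)")
NTLMSSP_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] workstation=\[(?P<ws>[^\]]*)\]")
CONNECT_RE = re.compile(
    r"^(?P<host>\S+) \(\S*\) connect to service (?P<svc>\S+) initially as user (?P<user>\S+)")
CLOSE_RE = re.compile(r"^(?P<host>\S+) \(\S*\) closed connection to service (?P<svc>\S+)")


def parse_records(text):
    """Group raw lines into records: one header dict with its joined message text."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "src": m["src"], "func": m["func"], "msg": ""}
            records.append(current)
        elif current is not None and line.strip():
            # Continuation of the current record's message.
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records


def triage(text, expected_domain):
    """Return (findings, open_connections).

    findings: tuples for directory-create failures and NTLMSSP domain mismatches.
    open_connections: (host, service) -> connects seen without a matching close.
    """
    findings = []
    open_conns = defaultdict(int)
    for rec in parse_records(text):
        msg = rec["msg"]
        m = CREATE_FAIL_RE.search(msg)
        if m:
            findings.append(("CREATE_FAILED", m["path"], m["status"]))
            continue
        m = NTLMSSP_RE.search(msg)
        if m:
            if m["domain"].upper() != expected_domain.upper():
                findings.append(("DOMAIN_MISMATCH", m["user"], m["domain"]))
            continue
        m = CONNECT_RE.match(msg)
        if m:
            open_conns[(m["host"], m["svc"])] += 1
            continue
        m = CLOSE_RE.match(msg)
        if m:
            open_conns[(m["host"], m["svc"])] -= 1
    return findings, {k: v for k, v in open_conns.items() if v != 0}


if __name__ == "__main__":
    found, still_open = triage(SAMPLE_LOG, "MYDOMAIN")
    for item in found:
        print(*item)
    for (host, svc), n in still_open.items():
        print(f"{host}: service {svc} has {n} connection(s) never closed")
```

Run it against a real log.smbd at `log level = 2` or higher (the ntlmssp line needs level 3); a DOMAIN_MISMATCH finding is the case described above where the client's smb.conf `workgroup` is unset or wrong and `-W` fixes it, while CREATE_FAILED on a `.V2` profile directory points at the filesystem permissions of the profile share rather than at the client.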


[Samba] issues with smbclient 3.0.x against 3.4.x server

2011-02-16 Thread Thierry Lacoste

Hello,

I'm upgrading my samba installation from 3.0.34 (FreeBSD 6.4)
to 3.4.x  (CentOS 5.5) from SerNet.

I have an LDAP-based samba domain (PDC and BDC) and a homes/Profiles
member server.


I first upgraded my DCs to 3.4.9 with no problem.

I have recently installed a new file server (samba 3.4.11 on CentOS 5.5).

I have issues connecting to this server with old versions of smbclient
which give 'session setup failed: NT_STATUS_LOGON_FAILURE'
with the following command line:
smbclient //new-server/user -U user

I'm having trouble determining a pattern and I don't even know
where to start debugging the problem.
I thought it happened when using 3.0.x smbclient as 3.4.x smbclient work
but my old 3.0.34 smbclient on FreeBSD also works.

I found this issue with smbclient 3.0.25b-apple on MacOSX,
3.0.9-1.3E.15 on RedHat ES3 and 3.0.33-0.17.el4 on RedHat AS4.

This will probably not be a blocking problem for me
but I'm just curious to know if there are some known
such issues (and workaround).

Regards,
Thierry



Re: [Samba] Changing passwords from Windows

2011-01-28 Thread Thierry Lacoste


On 27 janv. 11, at 16:55, TAKAHASHI Motonobu wrote:


2011/1/26 Joe Tseng joe_ts...@hotmail.com:


Is it possible for a user to change his/her password from Windows? I tried it
out last night as a test user against my PDC and it only changed for Samba; I
was still able to log into the PDC via SSH using the previous password. (I
changed it for the test user as root and it took for both SSH and Windows.)


Set ldap password sync = yes in LDAP environment or set unix password sync = yes
and pam password change = yes in normal environment with PAM enabled.


I tried to use smbldap-passwd as the test user, but I got a message back saying
I had insufficient privileges:


Have you set by self write to both sambaLMPassword and sambaNTPassword?

AFAICT this is not needed. The user never accesses these hashes for himself.
The samba ldap admin dn and the smbldap-tools masterDN need write access to them.


I believe the smbldap-tools masterDN (and probably the samba ldap admin dn)
also needs write access to :

- sambaPwdLastSet
- sambaPwdCanChange
- sambaPwdMustChange
- sambaAcctFlags

Regards,
Thierry


Re: [Samba] Changing passwords from Windows

2011-01-28 Thread Thierry Lacoste


On 28 janv. 11, at 11:26, TAKAHASHI Motonobu wrote:


2011/1/28 Thierry Lacoste laco...@u-pec.fr:


On 27 janv. 11, at 16:55, TAKAHASHI Motonobu wrote:
I tried to use smbldap-passwd as the test user, but I got a message back
saying I had insufficient privileges:


Have you set by self write to both sambaLMPassword and sambaNTPassword?


AFAICT this is not needed. The user never accesses these hashes for himself.
The samba ldap admin dn and the smbldap-tools masterDN need write access
to them.


Have you examined?
As far as I examined smbldap-tools 0.9.5, to set by self write to both
sambaLMPassword and sambaNTPassword is needed for a user to change
his own password with smbldap-passwd.

I misread the OP. Moreover I've always used smbldap-passwd as root.

Sorry for the noise.

Regards,
Thierry


Re: [Samba] Does the BDC need to join a domain?

2009-10-14 Thread Thierry Lacoste


On 14 oct. 09, at 22:57, Mariano Absatz wrote:


On Wed, Oct 14, 2009 at 13:36, Gaiseric Vandal
gaiseric.van...@gmail.com wrote:


I supposed it depends if Samba is configured to automatically create the
underlying unix accounts when you create samba accounts. My setup doesn't.
I created a user account in ldap for my BDC. (the unix passwd shd be *LK*
and the shell shd be /bin/false) Running net rpc join will then add the
appropriate samba attributes.

(...)



Thanx Gaiseric,

it was more or less the way you said... only changing the order:
1) BDC# net join -S PDC -UAdministrator
(since I'm using ldapsam:editposix = yes, the posix account is created
automatically by samba)
2) BDC# net rpc getsid
(this automatically retrieves the domain SID from the PDC and stores
it into secrets.tdb)


According to samba 3 by example this is not necessary unless you run winbind
(http://www.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-bldg1)


Now you must obtain the domain SID from the PDC and store it into the
secrets.tdb file also. This step is not necessary with an LDAP passdb
backend because Samba-3 obtains the domain SID from the sambaDomain object
it automatically stores in the LDAP backend. It does not hurt to add the SID
to the secrets.tdb, and if you wish to do so, this command can achieve that:


root#  net rpc getsid MEGANET2
Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
   for Domain MEGANET2 in secrets.tdb

When configuring a Samba-3 BDC that has an LDAP backend, there is no need to
take any special action to join it to the domain. However, winbind
communicates with the domain controller that is running on the localhost and
must be able to authenticate, thus requiring that the BDC should be joined to
the domain. The process of joining the domain creates the necessary
authentication accounts.




The only thing that doesn't seem completely right is that after this, if I run

BDC# net getdomainsid
I get: Could not fetch local SID


However, if I run
BDC# sudo net getlocalsid MYDOMAIN
I get the correct SID for the domain... maybe I must generate a local
SID for the BDC? or something went wrong?...

You can issue net setlocalsid S- on your BDC where S- is the SID obtained
with net getlocalsid MYDOMAIN

Regards,
Thierry




Re: [Samba] Does the BDC need to join a domain?

2009-10-14 Thread Thierry Lacoste


On 14 oct. 09, at 18:36, Gaiseric Vandal wrote:

I supposed it depends if Samba is configured to automatically create
the underlying unix accounts when you create samba accounts. My
setup doesn't. I created a user account in ldap for my BDC.
(the unix passwd shd be *LK* and the shell shd be /bin/false)
Running net rpc join will then add the appropriate samba attributes.


I think you also need to grab the domain SID

BDC# net rpc getsid
Password:
Storing SID S-...1234 for Domain MYDOMAIN in secrets.tdb
#


However, I am not sure the domainsid for the machine is meant to
match the domainsid of the domain. On my PDC, they match. On the
BDC, they don't. I am not sure if I need to change that.

They should match (see e.g. http://lists.samba.org/archive/samba/2007-August/134734.html).


group mappings do NOT seem to be stored in ldap. So you either need
to copy the approp tdb file over or run the identical net group map
commands on the BDC.

Group mappings should be stored in LDAP.
This is the purpose of the sambaGroupMapping auxiliary objectClass which
extends the posixGroup structural objectClass in a typical samba/ldap
implementation.


Regards,
Thierry





[Samba] default log level

2009-05-05 Thread Thierry Lacoste

Hello,

According to 'man smb.conf' and 'testparm -v' the default log level is 0
while it actually seems to be 1.


Regards,
Thierry




Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-04-30 Thread Thierry Lacoste


On 1 mai 09, at 01:45, John Du wrote:


David Markey wrote:

John Du wrote:


David Markey wrote:


I would imagine that you'll need to re-jig your ACLs in slapd.conf,

Please supply logs.



Thank you very much.

I can use /opt/IDEALX/sbin/smbldap-passwd to change both the Windows
and UNIX password. If the problem is ACL related, wouldn't I have the
same problem with this tool?

When samba changes passwords, does the process run as root or as the
user making the passwords change?



If you're using smbldap-passwd and unix password sync, it's done as
root. ldap passwd sync is done as the LDAP dn that you've configured in
smb.conf. It's much preferable to use ldap passwd sync.


I did not make myself clear. When I say I can use smbldap-passwd to
change password, I mean I can run the tool from the command line as
root. If I use smbldap-passwd and unix passwd sync in smb.conf, I
get a you do not have permission to change password message when
attempting to change password.


So at this time I am still using ldap passwd sync in smb.conf and  
that is when it only changes the Windows password.


Does the userPassword attribute require different ACL than
sambaNTPassword? Also the dn I put in smb.conf is the root DN of
the LDAP database.

That's weird. The root DN has complete access to the DB (ACLs do not
apply to it).
However, maybe you can definitely rule out an ACL problem by putting
'access to * by * write' as your first backend specific ACL and test.
If you have the same problem with this setting then it is not ACL related.


Regards,
Thierry



Thanks!




Thanks again.


John Du wrote:


John Du wrote:


Hi,

I have been running Samba with OpenLDAP for a few years. We recently
upgraded the OpenLDAP server from 2.2.13 to 2.4.11.

When users change their passwords now, only the Windows password is
changed; the UNIX password is not changed anymore. Samba server does
not log any errors. The samba configuration file did not change when
the LDAP server was upgraded.

I do have ldap passwd sync =Yes in smb.conf and it used to work
fine.

Has anyone seen this?

If I use

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n

instead of ldap passwd sync, what access control do I have to add to
the slapd.conf file?

Thank you very much for your help!

John




I forgot to mention that the Samba version is 3.0.28 on RHEL4 kernel
2.6.9-42.0.2.















[Samba] questions about bug 5535

2009-04-01 Thread Thierry Lacoste

AFAICs Simo's patch for bug 5535 was only applied to the 3.3 series.

Does the closing comment in https://bugzilla.samba.org/show_bug.cgi?id=5535
mean that the inconsistencies about RID calculation won't be addressed
in the 3.0 and 3.2 series?

Does the fact that 3.3.2 always uses sambaNextRid mean that algorithmic
RID allocation is doomed to obsolescence?

Regards,
Thierry




Re: [Samba] Conflicting RID creation

2009-03-30 Thread Thierry Lacoste

Quoting Thierry Lacoste laco...@miage.univ-paris12.fr:


With samba 3.0.34 I have the issue described here
http://webui.sourcelabs.com/samba/issues/5535
That is smbpasswd -a joe gives RID=2*UID+1000
while net rpc user add joe gives the value of the sambaNextRid
attribute of the sambaDomainName LDAP entry.

Also smbpasswd -am machine gives RID=2*UID+1000
while directly joining the domain gives RID=sambaNextRid

This is a problem because I'm trying to update from 3.0.22
where sambaNextRid is never used (actually it doesn't even
exist in my LDAP database).

Is there something I can do to ensure that RID=2*UID+1000 in every case?
Or else what should I do to avoid conflicts between my current RIDs
(generated by 3.0.22) and those that will be generated by 3.0.34?



I tried 3.2.8 and I have the same problems.

I also found another weirdness.

If I have the following line in my smb.conf
  add machine script = /usr/local/sbin/smbldap-useradd -W '%u'
trying to join the DC to its domain (just for testing purposes)
first gives Creation of workstation account failed although
the expected LDAP entry with Posix and Samba attributes was created
for the machine account. The second attempt to join the domain is OK.

I have exactly the same behavior with
  add machine script = /bin/sh /root/add-machine.sh '%u'
where add-machine.sh is
/usr/local/sbin/smbldap-useradd -w $1 # create Posix stuff only
/usr/local/bin/smbpasswd -am $1 # add samba attributes

Do I have to simply give up the 'add machine script'
and add my computer accounts by hand before joining them?

Regards,
Thierry



Re: [Samba] Conflicting RID creation

2009-03-30 Thread Thierry Lacoste

Quoting Miguel Medalha miguelmeda...@sapo.pt:




Is there something I can do to ensure that RID=2*UID+1000 in every case?



See attribute sambaAlgorithmicRidBase under class sambaDomain.


I don't understand. The value of this attribute is 1000 in my LDAP DB.
Changing it to say 10 will give me RID=2*UID+10 in the cases
where the equation is applied. No?
But the problem is that the equation is not always applied.

Do you think it will make the equation apply in the cases
that I described where the RID is obtained from the value
of sambaNextRid (e.g net rpc user add joe)?

Moreover, if I change it smbd refuses to start and
'smbpasswd -a joe' panics:

The value of 'algorithmic RID base' has changed since the LDAP
database was initialised.  Aborting.
pdb backend ldapsam:ldap://localhost did not correctly init (error was  
NT_STATUS_UNSUCCESSFUL)
PANIC (pid 860): pdb_get_methods_reload: failed to get pdb methods for  
backend ldapsam:ldap://localhost


BACKTRACE: 6 stack frames:
 #0 0x816ce81 smb_panic+125 at smbpasswd
 #1 0x8113b2a make_pdb_method_name+1170 at smbpasswd
 #2 0x81153ba initialize_password_db+38 at smbpasswd
 #3 0x808938c _start+2508 at smbpasswd
 #4 0x8089bb2 main+186 at smbpasswd
 #5 0x8088a36 _start+118 at smbpasswd
Segmentation fault: 11 (core dumped)





[Samba] Conflicting RID creation

2009-03-29 Thread Thierry Lacoste

With samba 3.0.34 I have the issue described here
http://webui.sourcelabs.com/samba/issues/5535
That is smbpasswd -a joe gives RID=2*UID+1000
while net rpc user add joe gives the value of the sambaNextRid
attribute of the sambaDomainName LDAP entry.

Also smbpasswd -am machine gives RID=2*UID+1000
while directly joining the domain gives RID=sambaNextRid

This is a problem because I'm trying to update from 3.0.22
where sambaNextRid is never used (actually it doesn't even
exist in my LDAP database).

Is there something I can do to ensure that RID=2*UID+1000 in every case?
Or else what should I do to avoid conflicts between my current RIDs
(generated by 3.0.22) and those that will be generated by 3.0.34?

Regards,
Thierry



[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

2009-03-25 Thread Thierry Lacoste

Sorry if I missed your point but I have no problems with UIDs and GIDs.
The smbldap-tools keep the next available ones in the attributes
uidNumber and gidNumber of the sambaDomainName LDAP entry.

The problem is that samba's RID calculation changed somewhere between
3.0.22 and 3.0.34.

What should I do to upgrade as easily as possible from 3.0.22
(where RID=1000+2*UID) to 3.0.34 (where the next available RID
is kept in the sambaNextRid attribute of the sambaDomainName LDAP entry)?
If I don't deal with this change I will have SID clashes.

Or did you mean that you assign SIDs by hand with ldif files?

Regards,
Thierry

Quoting Adam Williams awill...@mdah.state.ms.us:


samba creates the RID when smbpasswd -a is used (or machine is joined
to the domain).  smbldap-tools creates an entry in ldap to keep up with
the next available UID.  i don't remember what it is.  personally, I
just use a text file that contains my next available UID and GID in it
and increment when i add a user.  i do everything by hand with .ldif
files though.

Thierry Lacoste wrote:

Hello,

I did the steps described below and I have a problem with machine RIDs.

When I first join a machine, samba adds to my sambaDomainName ldap entry
a sambaNextRid attribute with a value of 1000.
Now samba uses this value (incremented each time) to give its RID
to the machine.

This is going to be a real problem as my current samba computes RIDs
as 1000+2*UID.

FWIW I'm using smbldap-tools to create user accounts and I have
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
in my smb.conf though I don't think it is relevant because
AFAIK this script is only called to create the posix machine account.

What are my options?
If at all possible, I'd rather stick to the 1000+2*UID algorithm.

I googled about it and I know that others were caught too
but I wasn't able to find a solution.

Regards,
Thierry.

Quoting Adam Williams awill...@mdah.state.ms.us:


your steps are fine. you don't need the samba LDAP entries you listed,
when you do smbpasswd -a user, it will add the minimum required LDAP
entries for samba.

laco...@miage.univ-paris12.fr wrote:

Hello,

I plan to update my samba-3.0.22/openldap-2.3.24
to samba-3.0.34/openldap-2.4.15 and I'm currently testing it.
This is on FreeBSD.

My idea is :
1) slapcat the openldap server and save the various tdb files.
2) deinstall samba and openldap and wipe out the bdb files
3) install the newer versions
4) slapadd to the new openldap server

This seems to work in my test lab.
During my tests I also built a new domain afresh and realized that the
sambaDomainName ldap entry has some attributes that are not in my
production server: sambaMinPwdLength, sambaLogonToChgPwd, sambaLockoutDuration,
sambaLockoutObservationWindow, sambaLockoutThreshold, sambaForceLogoff.

Do I have to add these attributes to my ldif file before slapadd?
More generally, do I have to add some attributes to my ldap entries?

Regards,
Thierry


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

2009-03-25 Thread Thierry Lacoste

I was talking about SID calculation for machine accounts upon domain joining.
What is the relation that you have between SID and UID for a given machine?
Can you handcraft this relation?

Quoting Adam Williams awill...@mdah.state.ms.us:


Oh, I calculate the RID by hand and add it with net groupmap add
rid= ntgroup=what ever unixgroup=whatever type=d

And I think your math is wrong, it is group # * 2 + 1001.

To get a UID's RID, it is uid * 2 + 1000.

Thierry Lacoste wrote:

Sorry if I missed your point but I have no problems with UIDs and GIDs.
The smbldap-tools keep the next available ones in the attributes
uidNumber and gidNumber of the sambaDomainName LDAP entry.

The problem is that samba's RID calculation changed somewhere between
3.0.22 and 3.0.34.

What should I do to upgrade as easily as possible from 3.0.22
(where RID=1000+2*UID) to 3.0.34 (where the next available RID
is kept in the sambaNextRid attribute of the sambaDomainName LDAP entry)?
If I don't deal with this change I will have SID clashes.

Or did you mean that you assign SIDs by hand with ldif files?

Regards,
Thierry



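The two RID schemes discussed in this thread can be checked against each other before the upgrade: the algorithmic mapping Adam quotes (user RID = uid * 2 + 1000, group RID = gid * 2 + 1001, which is Samba's default with an algorithmic rid base of 1000) and the sequential sambaNextRid allocator Thierry describes. The Python below is an added example, not code from the thread or from Samba. It inverts the algorithmic mapping, simulates sequential allocation from a given sambaNextRid value and lists the RIDs that would coincide with the algorithmic RID of an existing uid or gid. Two things are assumptions: that the allocator hands out the stored value first (if it increments before use, the sequence shifts by one), and the idea of seeding sambaNextRid above the algorithmic range, which is my suggestion rather than a documented Samba procedure. All uids, gids and counters in the usage code are made up.

```python
# Added example: algorithmic RIDs vs. a sequential sambaNextRid allocator.
# Not code from the thread or from Samba; see the lead-in for assumptions.

ALGORITHMIC_RID_BASE = 1000   # Samba's default "algorithmic rid base"


def user_rid(uid, base=ALGORITHMIC_RID_BASE):
    """Algorithmic user RID, as quoted in the thread: uid * 2 + 1000."""
    return uid * 2 + base


def group_rid(gid, base=ALGORITHMIC_RID_BASE):
    """Algorithmic group RID, as quoted in the thread: gid * 2 + 1001."""
    return gid * 2 + base + 1


def algorithmic_owner(rid, base=ALGORITHMIC_RID_BASE):
    """Invert the mapping: ("user", uid) or ("group", gid) for an algorithmic
    RID, None for RIDs below the base (well-known RIDs such as 500 or 513)."""
    if rid < base:
        return None
    offset = rid - base
    return ("user", offset // 2) if offset % 2 == 0 else ("group", offset // 2)


def next_rid_clashes(next_rid, count, uids, gids, base=ALGORITHMIC_RID_BASE):
    """Simulate `count` machine joins that take RIDs sequentially from
    sambaNextRid and report the ones that coincide with the algorithmic RID
    of an existing uid or gid.  ASSUMPTION: the allocator hands out next_rid,
    next_rid + 1, ...; if your version increments before use, shift by one."""
    uids, gids = set(uids), set(gids)
    clashes = {}
    for rid in range(next_rid, next_rid + count):
        owner = algorithmic_owner(rid, base)
        if owner is None:
            continue
        kind, number = owner
        if (kind == "user" and number in uids) or (kind == "group" and number in gids):
            clashes[rid] = owner
    return clashes


def safe_next_rid(max_uid, max_gid, base=ALGORITHMIC_RID_BASE):
    """One way to keep the two schemes apart (my suggestion, not a documented
    Samba procedure): seed sambaNextRid just above the highest RID the
    algorithmic scheme can produce for the uid/gid range you will ever use,
    so later sequential allocations cannot land on an algorithmic RID."""
    return max(user_rid(max_uid, base), group_rid(max_gid, base)) + 1


if __name__ == "__main__":
    # Constructed numbers: three users, one group, a fresh sambaNextRid of 3000.
    existing_uids = {1000, 1001, 1002}
    existing_gids = {500}
    print("clashes:", next_rid_clashes(3000, 4, existing_uids, existing_gids))
    print("seed sambaNextRid with:", safe_next_rid(max_uid=65533, max_gid=65533))
```

Feed next_rid_clashes() the real uidNumber/gidNumber values from an `ldapsearch` of the accounts tree and the current sambaNextRid from the sambaDomainName entry; any non-empty result means a machine joined after the upgrade would get a SID that an existing user or group already has.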

[Samba] problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)

2009-03-24 Thread Thierry Lacoste

Hello,

I did the steps described below and I have a problem with machine RIDs.

When I first join a machine, samba adds to my sambaDomainName ldap entry
a sambaNextRid attribute with a value of 1000.
Now samba uses this value (incremented each time) to give its RID
to the machine.

This is going to be a real problem as my current samba computes RIDs
as 1000+2*UID.

FWIW I'm using smbldap-tools to create user accounts and I have
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
in my smb.conf though I don't think it is relevant because
AFAIK this script is only called to create the posix machine account.

What are my options?
If at all possible, I'd rather stick to the 1000+2*UID algorithm.

I googled about it and I know that others were caught too
but I wasn't able to find a solution.

Regards,
Thierry.

Quoting Adam Williams awill...@mdah.state.ms.us:


your steps are fine.  you don't need the samba LDAP entries you listed,
when you do smbpasswd -a user, it will add the minimum required LDAP
entries for samba.

laco...@miage.univ-paris12.fr wrote:

Hello,

I plan to update my samba-3.0.22/openldap-2.3.24
to samba-3.0.34/openldap-2.4.15 and I'm currently testing it.
This is on FreeBSD.

My idea is :
1) slapcat the openldap server and save the various tdb files.
2) deinstall samba and openldap and wipe out the bdb files
3) install the newer versions
4) slapadd to the new openldap server

This seems to work in my test lab.
During my tests I also built a new domain afresh and realized that the
sambaDomainName ldap entry has some attributes that are not in my
production server: sambaMinPwdLength, sambaLogonToChgPwd, sambaLockoutDuration,
sambaLockoutObservationWindow, sambaLockoutThreshold, sambaForceLogoff.

Do I have to add these attributes to my ldif file before slapadd?
More generally, do I have to add some attributes to my ldap entries?

Regards,
Thierry



Re: [Samba] Outlook and roaming profiles?

2008-11-20 Thread Thierry Lacoste


 you may put pst files on a samba share, as the place
 where they get hosted is freely configurable in outlook,
 i.e. you can set up their default place with an adm
 to the users' home which has normally nothing to do with the profile share,
 but by default a pst file can only be opened by one user at the same
 time; the other problem is that opening big pst files over the network
 is very slow and may damage the pst file.
Are there any recommendations about the maximum size of a pst file
hosted on a samba server?

regards,
Thierry



Re: [Samba] smbldap and password expiration

2008-10-02 Thread Thierry Lacoste


On 29 sept. 08, at 21:28, Onatawahtaw wrote:


Greetings,

I just recently set up a new server with samba and openldap  
authentication using smbldap. The passwords seem to be expiring  
after about 30 days. How do I set them so that they don't expire?

Change the value of defaultMaxPasswordAge in smbldap.conf

Regards,
Thierry

Thanks,

Onatawahtaw





Re: [Samba] Samba on FreeBSD 7.0

2008-06-13 Thread Thierry Lacoste
On Friday 13 June 2008 20:40, white list wrote:
 Hello ALL,
 does anybody know the options to enable when installing samba from ports
 collection?
It depends what you intend to do with samba.
A good start could be the first part of samba 3 by example
http://us1.samba.org/samba/docs/man/Samba-Guide/ExNetworks.html
6 implementations are described so that you can choose the closest
to your needs; after that the options become clearer.

If it is just for testing samba without a particular goal in mind yet,
I guess you probably can enable everything.
The other way round would be compiling with no options and when
you're stuck with something you can't do, recompile with the correct
option(s).

You should check
 LDAP        if you want to store users and machines in LDAP
 ADS         if you want your samba server joined to a windows AD domain
 CUPS        if you want a print server
 WINBIND     if windows will store users who will use your samba server
 ACL_SUPPORT if you want windows-type ACLs
 etc...

HTH

Thierry




Re: [Samba] How to have a Default Profile per group ?

2008-02-07 Thread Thierry Lacoste
FWIW here's the method I'm using here (I'm using mandatory
profiles but it will also work with normal profiles).
I build three different profiles on an XP box (for teachers,
students and administrators) and make them usable by
everybody.
I copy each resulting NTUSER.DAT file to the root of
the profiles share on my samba server /export/profiles
naming them NTUSER1.MAN, NTUSER2.MAN and NTUSER3.MAN.
When I add a user toto I create a symbolic link
/export/profiles/toto/NTUSER.MAN pointing to the desired profile.
If you do not want mandatory profiles just keep the .DAT
extension and make a copy instead of a symlink and don't
forget to chown toto /export/profiles/toto/NTUSER.DAT

I guess there is a cleaner way to go but it works and
it is quite simple.

Regards,
Thierry.

On Wednesday 06 February 2008 18:51, Tom wrote:
 Hello,

 My main question is :

« Is it possible to have a dedicated Default Profile per group ? »

 The idea is to have a specified and prepared default profile for each
 group we have. For the time being we've already had a Default User/
 directory in our netlogon directory which delivers a single and only
 fresh default profile. It's the same profile for everyone even if
 they're not in the same group.. Each new user will have this default
 profile only. It runs fine. But... we want more :)

 For instance, we'd like to have a defined profile with different
 policies, icons, links, etc for :
 - our employees
 - our teachers
 - and finally for our students

 At least we need 2 special crafted default profiles for the employees
 and for the teachers. We can assume that if you're not an employee nor a
 teacher you will have the Default User profile which is a student profile.

 I've read somewhere that it was possible to prepare more than one default
 profile with a default profile per group renamed with the name of the
 group. For example here is the directory tree :
 netlogon/
   Default User/
   teachers/
   employees/

 with teachers and employees known as Samba groups. But it doesn't work
 for me.

 Does anybody have any hints, documentation and/or URLs to find a way to
 do this. I've tried google a lot but I'm not sure I'm using the right
 keywords when searching, since I have found nothing :(

 Some infos about our samba systems:
 - samba 3.0.26a (from the very good enterprisesamba.org) 1PDC + 1BDC
 - ldap backend
 - some parts of smb.conf
   [..]
   domain logons = yes
   logon script = %U.bat
   logon path = \\%h\profiles\%G\%U
   logon drive = U:
   logon home = \\%h\homes\%G\%U
   [..]
 - /home/netlogon/Default User/
   toto.bat
   titi.bat
   [..]

 To finish my mail, I'd like to thank all the samba team and sernet
 for their work and for the debian packaging of the last samba
 versions. Just one word for this big piece of software :
 « Thanks. »

 A+
 Thomas

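Thierry's symlink scheme above, written out as an added Python example (it is not code from the post, from Samba or from smbldap-tools). The share root /export/profiles and the NTUSER1.MAN, NTUSER2.MAN and NTUSER3.MAN names come from the post; the group-to-template mapping, the user names and the profile_template() audit helper are assumptions made for the example. demo() runs the whole flow in a scratch directory, so it touches no real share and needs no root.

```python
# Added example: per-group (mandatory) profile provisioning by symlink.
# Not code from the post, Samba or smbldap-tools; see the lead-in.
import os
import pwd
import shutil
import tempfile

PROFILES_ROOT = "/export/profiles"   # share root named in the post
# Group -> template hive kept in the share root.  File names are from the
# post; which group gets which file is an assumption for this example.
TEMPLATES = {
    "teachers": "NTUSER1.MAN",
    "students": "NTUSER2.MAN",
    "administrators": "NTUSER3.MAN",
}


def provision_profile(user, group, mandatory=True, root=PROFILES_ROOT,
                      templates=TEMPLATES, chown=True):
    """Create <root>/<user>/ and point it at the group's template.

    mandatory=True : NTUSER.MAN is a relative symlink to ../<template>
    mandatory=False: NTUSER.DAT is a private copy, chowned to the user
    Returns the path of the file or link created.
    """
    template = templates[group]                 # unknown group -> KeyError, on purpose
    template_path = os.path.join(root, template)
    if not os.path.isfile(template_path):
        raise FileNotFoundError(template_path)
    user_dir = os.path.join(root, user)
    os.makedirs(user_dir, mode=0o700, exist_ok=True)
    if mandatory:
        created = os.path.join(user_dir, "NTUSER.MAN")
        if os.path.lexists(created):
            os.remove(created)
        os.symlink(os.path.join("..", template), created)   # relative: survives a share move
    else:
        created = os.path.join(user_dir, "NTUSER.DAT")
        shutil.copyfile(template_path, created)
        os.chmod(created, 0o600)
    if chown:
        pw = pwd.getpwnam(user)
        os.chown(user_dir, pw.pw_uid, pw.pw_gid)
        if not mandatory:
            os.chown(created, pw.pw_uid, pw.pw_gid)
    return created


def profile_template(user, root=PROFILES_ROOT, templates=TEMPLATES):
    """Audit helper: the group whose template the user's NTUSER.MAN resolves
    to, or None if the link is missing, is not a symlink, or points anywhere
    other than a known template (e.g. the user replaced it with a hive of
    their own)."""
    link = os.path.join(root, user, "NTUSER.MAN")
    if not os.path.islink(link):
        return None
    target = os.path.realpath(link)
    for group, name in templates.items():
        if target == os.path.realpath(os.path.join(root, name)):
            return group
    return None


def demo():
    """Run the flow in a scratch directory; returns what the checks saw."""
    root = tempfile.mkdtemp(prefix="profiles-")
    for name in TEMPLATES.values():
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"regf-placeholder")        # constructed stand-in for a hive
        os.chmod(os.path.join(root, name), 0o644)
    provision_profile("toto", "teachers", root=root, chown=False)
    dat = provision_profile("titi", "students", mandatory=False, root=root, chown=False)
    before = profile_template("toto", root)
    # A user who can write to their own directory swaps the link for a file:
    link = os.path.join(root, "toto", "NTUSER.MAN")
    os.remove(link)
    with open(link, "wb") as f:
        f.write(b"tampered")
    after = profile_template("toto", root)
    result = {
        "toto_before": before,
        "toto_after": after,
        "titi_is_copy": os.path.isfile(dat) and not os.path.islink(dat),
        "titi_mode": oct(os.stat(dat).st_mode & 0o777),
    }
    shutil.rmtree(root)
    return result
```

Keep the shared NTUSERn.MAN templates root-owned and not writable by users: a symlink only protects what its target's permissions protect. If users own their profile directories they can unlink NTUSER.MAN and drop a hive of their own in its place, which is the case the demo simulates and profile_template() reports as None; running that helper over every directory under the share is the cheap periodic check.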

Re: [Samba] Samba+ldap in FreeBSD

2007-10-30 Thread Thierry Lacoste
On Tuesday 30 October 2007 20:01, Roylan Suarez Reyes wrote:
 Hello friends

   I am trying to configure Samba + ldap for my domain, the server is
 FreeBSD ... When I try to run the following command

 smbldap-populate

 It gives me the following error:

 adding new entry: cn=Backup
 Operators,ou=Group,dc=vn,dc=pri,dc=jovenclub,dc=cu failed to add entry:
 Can't contact LDAP server at
 /usr/local/sbin/smbldap-populate line 471, GEN1 line 20.
 adding new entry: cn=Replicators,ou=Group,dc=vn,dc=pri,dc=jovenclub,dc=cu
 failed to add entry: Can't contact LDAP server at
 /usr/local/sbin/smbldap-populate line 471, GEN1 line 21.
 adding new entry: sambaDomainName=jcv,dc=vn,dc=pri,dc=jovenclub,dc=cu
 failed to add entry: Can't contact LDAP server at
 /usr/local/sbin/smbldap-populate line 471, GEN1 line 21.

 Please provide a password for the domain Administrato:
 Can't contact LDAP server at
 /usr/local/lib/perl5/site_perl/5.8.8/smbldap_tools.pm line 341.

Did you run configure.pl from the smbldap-tools package ?

Here's what I did

mkdir /usr/local/etc/smbldap-tools
chmod 700 /usr/local/etc/smbldap-tools
/usr/local/share/examples/smbldap-tools/configure.pl

Also I'd rather run smbldap-populate -e /tmp/init.ldif
and then ldapadd the ldif file after reviewing it.

HTH
Thierry.



Re: [Samba] Pam_mount + cifs

2007-10-19 Thread Thierry Lacoste
I have it working in an LDAP context.
However I was unable to make KDE work.
http://lists.samba.org/archive/samba/2006-July/122347.html
If you make some progress please let me know.

Regards,
Thierry.

On Wednesday 17 October 2007 19:18, Diego Obetko wrote:
 Hi, I'm probably not the first but I have found no concrete information
 about my problem... lots of information, nothing helped.. :S

 so, here's the thing.. I'm running a samba-3.0.22-13.16 server on SLES 9
 kernel 2.6.16.21-0.8-default as an nt domain controller, there was a
 migration to Linux for the workstations so I had to implement WINBIND +
 PAM_MOUNT.
Maybe a winbind issue. See below.

 after searching for the right configuration I got it working with SMBFS and
 here's the problem... smbfs doesn't support hardlinks or symlinks... a BIG
 trouble since the workstations run KDE (dcop)...

 I've tried mounting homes with cifs instead but this is what happens

 -
 pam_mount.conf
 -
 debug 1
 mkmountpoint 1
 luserconf .pam_mount.conf

 options_allow   nosuid,nodev
 options_denysuid,dev
 options_require nosuid,nodev

 lsof /usr/sbin/lsof %(MNTPT)
 fsck /sbin/fsck -p %(FSCKLOOP)
 cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o
 username=%(USER)%(before=\,\ OPTIONS)
 smbmount /usr/bin/smbmount  //%(SERVER)/%(VOLUME) %(MNTPT) -o
 username=%(USER),gid=%(USERGID)%(before=\,\ OPTIONS)
 umount   /bin/umount %(MNTPT)
 mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)

 volume * cifs 192.168.9.15/home/
 uid=,dir_mode=0700,workgroup=COLEGIO - -

 ---


 pam_mount(mount.c:368) information for mount:
 pam_mount(mount.c:369) --
 pam_mount(mount.c:370) (defined by globalconf)
 pam_mount(mount.c:373) user:  dobetko
 pam_mount(mount.c:374) server:192.168.9.15
 pam_mount(mount.c:375) volume:dobetko
 pam_mount(mount.c:376) mountpoint:/home/dobetko
 pam_mount(mount.c:377) options:   user=dobetko,dir_mode=0700
 pam_mount(mount.c:378) fs_key_cipher:
 pam_mount(mount.c:379) fs_key_path:
 pam_mount(mount.c:380) use_fstab:   0
 pam_mount(mount.c:381) --
 pam_mount(mount.c:177) realpath of volume /home/dobetko is
 /home/dobetko pam_mount(mount.c:182) checking to see if
 //192.168.9.15/dobetko is already mounted at /home/dobetko
 pam_mount(mount.c:799) checking for encrypted filesystem key configuration
 pam_mount(mount.c:819) about to start building mount command
 pam_mount(misc.c:264) command: /bin/mount [-t] [cifs]
 [//192.168.9.15/dobetko] [/home/dobetko] [-o]
 [username=dobetko,user=dobetko,dir_mode=0700]
 pam_mount(mount.c:851) mount errors (should be empty):
 pam_mount(mount.c:100) pam_mount(misc.c:341) set_myuid(pre): real
 uid/gid=0:10003, effective uid/gid=0:10003
 pam_mount(mount.c:100) pam_mount(misc.c:376) set_myuid(post): real
 uid/gid=0:10003, effective uid/gid=0:10003
 pam_mount(mount.c:854) waiting for mount
 S.ficheros Bloques de 1K   UsadoDispon Uso% Montado en
 /dev/hda1 27617036  15634032  10580132  60% /
 tmpfs   254372 0254372   0% /lib/init/rw
 udev 1024052 10188   1% /dev
 tmpfs   254372 0254372   0% /dev/shm
 //192.168.9.15/dobetko
  117206592 101382352  15824240  87% /home/dobetko
 pam_mount(pam_mount.c:123) clean system authtok (0)
 pam_mount(misc.c:264) command: /usr/sbin/pmvarrun [-u] [dobetko] [-o] [1]
 pam_mount(misc.c:341) set_myuid(pre): real uid/gid=0:10003, effective
 uid/gid=0:10003
 pam_mount(misc.c:376) set_myuid(post): real uid/gid=0:10003, effective
 uid/gid=0:10003
 pam_mount(pam_mount.c:360) pmvarrun says login count is 3
 pam_mount(pam_mount.c:491) done opening session
 bash: /home/dobetko/.bashrc: Permission denied

 $mount
 //192.168.9.15/dobetko on /home/dobetko type cifs (rw,mand)

 $ls -l /home
 drwx------ 36 1181 guest 0 2007-10-17 09:33 dobetko
Apparently the user id is not resolved.
What's the output of 'id dobetko' and 'id 1181' ?
What's the output of 'whoami' and 'ls -l /home/dobetko' ?

 
 smb.conf (server side)
 
 [global]
 server string = Samba PDC
 domain logons = Yes
 domain master = Yes
 netbios name = samba
 security = users
 wins support = Yes
 #   unix password sync = yes
 workgroup = COLEGIO
 logon drive = H:
 logon path = \\%L\%U\./.perfil_win
 logon home = \\%L\profiles\%U
 add machine script = /usr/sbin/useradd  -c Machine -d
 /var/lib/nobody -s /bin/false %m$
 passdb backend = smbpasswd
 veto files = /*.asf/*.wma/*.wmv/*.mp2/*.mp4/*.mp3/*.rsm/*root*/
 local master = Yes
 os level = 65
 preferred master = Yes
 ea support = yes
 unix extensions = yes
 map archive = No
 delete 

[Samba] strange uid=domain\5Cuser ldap search requests

2007-10-10 Thread Thierry Lacoste
Hello,

I have a Samba/OpenLDAP domain (PDC+BDC) and
a member Samba server hosting homes and profiles
which is identifying users with nss_ldap and is issuing some
strange ldap searches.

I have these messages in my slapd logs:

conn=14143 op=2 SRCH base="ou=XXX" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=domain\5Cuser))"
conn=14143 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=14143 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

always repeating exactly 3 times and then

conn=14143 op=5 SRCH base="ou=XXX" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user))"
conn=14143 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
conn=14143 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=

Although the server also NFS exports the homes for Linux clients
I'm pretty sure that these searches come from samba as it seems
to happen only upon logon to the domain from a Windows client.

I obtain exactly the same search request when I issue an 'id domain\user'.

Can someone explain what's happening?
Is this because of the 'password server' directive?
Is it better to use 'passdb backend = ldapsam' together
with the 'ldap' directives as I use them on my DCs?

Regards,
Thierry.

My smb.conf:

[global]
workgroup = XXX
netbios name = CAPELLA
security = DOMAIN
name resolve order = wins bcast
wins server = xxx.xxx.xxx.xxx
netbios aliases = AHOMES APROFILES
server string = %L
password server = ALDAP1 ALDAP2

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

[Profiles]
  comment = Roaming Profile Share
  path = /export/profiles
  read only = No
  profile acls = Yes



Re: [Samba] logon requests on the BDC

2007-09-08 Thread Thierry Lacoste
On Monday 06 August 2007 05:38, Volker Lendecke wrote:
 On Mon, Aug 06, 2007 at 10:39:14AM +1000, Andrew Bartlett wrote:
   Are there special things to do to make the BDC bias work?
   How can I troubleshoot the reason why it does not work?
 
  It has more to do with the order that the WINS server returns the
  addresses.  There were some plans to have this randomised at one point.

 That's false as well. Metze knows more, but iirc it's the
 one who answers the getdc port 138 request first.
So I guess the first address returned by the WINS server has an advantage.
If the WINS server stores DC addresses in increasing order (as I have always
observed) I suspect that there is a bias for the DC with the smallest IP.

Regards,
Thierry.



[Samba] sambaPwdCanChange and sambaPwdMustChange (WAS: ldap passwd sync only)

2007-08-16 Thread Thierry Lacoste
On Wednesday 15 August 2007 01:59, Michal Bruncko wrote:
 Hello

 I have exactly the same trouble as described here:
 http://www.nabble.com/ldap-passwd-sync-on-3.0.25a-tf4261008.html on
 samba-3.0.25b-2.fc7.
 When i set ldap passwd
 sync to only and I change password on some ldap samba
 user, password in attribute userPassword is never changed by samba daemon
 (to update NT and LM password I use smbk5pwd overlay). If i set pwd
 sync to On, both attributes (NTLM and
 userPassword) was updated successfully.
I have not been able to make 3.0.25 change the sambaPwdCanChange and 
sambaPwdMustChange attributes when changing a password from windows.
This may explain the problem with ldap passwd sync = only as demonstrated
by a log level 10:

[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1784)
  ldapsam_update_sam_account: user lacoste to be modified has dn: 
uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:45:26, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:set_sec_ctx(243)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/08/14 23:45:26, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = ACCT_POL/maximum password age, value = 
4294967295
  , timeout = Tue Aug 14 23:46:25 2007
[2007/08/14 23:45:26, 3] smbd/sec_ctx.c:pop_sec_ctx(366)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/14 23:45:26, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1797)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: 
lacoste

Here's a log level 10 on 3.0.22:
 [2007/08/14 23:17:31, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user lacoste to be modified has dn: 
uid=lacoste,ou=Users,ou=Accounts,o=stars
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: lacoste
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values |1187126144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1187126251|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(454)
  smbldap_make_mod: deleting attribute |sambaPwdMustChange| values |
1218662144|
[2007/08/14 23:17:31, 10] lib/smbldap.c:smbldap_make_mod(463)
  smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
[2007/08/14 23:17:31, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn = [uid=lacoste,ou=Users,ou=Accounts,o=stars]
[2007/08/14 23:17:31, 3] passdb/pdb_ldap.c:ldapsam_modify_entry(1732)
  ldapsam_modify_entry: LDAP Password changed for user lacoste
[2007/08/14 23:17:31, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1879)
  ldapsam_update_sam_account: successfully modified uid = lacoste in the LDAP 
database

I tried to play with account policies but with no success.
Did I miss something?
How can I trigger a change of sambaPwdCanChange and sambaPwdMustChange?

Regards,
Thierry.



Re: [Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

2007-08-13 Thread Thierry Lacoste
On Monday 13 August 2007 03:11, Andrew Bartlett wrote:
 On Thu, 2007-08-09 at 00:56 +0200, Thierry Lacoste wrote:
  On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
   Dear Help,
  
   I'm currently running Samba with an LDAP passdb backend.  I'm trying to
   figure out how to NOT allow a particular user to change their password
   (through Windows, or any interface).  I've tried modifying the values
   for sambaPwdCanChange and sambaPwdMustChange for a particular user, but
   it seems like it only effects making them change their password,
   instead of whether or not they're ALLOWED to.
 
  With OpenLDAP one can use
ldap passwd sync = only
  in smb.conf  and let the smbk5pwd overlay synchronize the LM and NT
  passwords.
 
  If you add the ppolicy overlay you have a clean way to prevent password
  changes for some accounts (through Windows, or any interface).
  For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
 
  The only problem is that a Windows client reports a successful password
  change even though the password was not changed because of the above
  pwdPolicy.

 Was it not changed?  To OpenLDAP, the change from Samba doesn't look
 like a user change (because we set it using Samba's credentials).
According to man 5 slapo-ppolicy:
   Note that some of the policies do not take effect when the operation is
   performed with the rootdn identity; all the operations, when  performed
   with  any  other identity, may be subjected to constraints, like access
   control.

The pwdPolicy applies to my smb.conf ldap admin dn because it is not my
slapd.conf rootdn.

- I first remove the pwdPolicy from a user's account using my rootdn:

$ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
delete: pwdPolicySubentry

modifying entry uid=lacoste,ou=Users,ou=Accounts,o=stars

- I confirm that my slapd.conf ACLs allow my ldap admin dn to
change a user's password:

$ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
userPassword: secret1

modifying entry uid=lacoste,ou=Users,ou=Accounts,o=stars

- I apply a pwdPolicy:

$ ldapsearch -LLL -b 'ou=Policies,o=stars' 'cn=frozen'
dn: cn=frozen,ou=Policies,o=stars
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: frozen
pwdAttribute: userPassword
pwdAllowUserChange: FALSE

$ ldapmodify -D 'cn=ldapmgr,ou=managers,o=stars' -w ldappass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=frozen,ou=Policies,o=stars

modifying entry uid=lacoste,ou=Users,ou=Accounts,o=stars

- Now my ldap admin dn cannot change the user's password:

$ ldapmodify -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
userPassword: secret2

modifying entry uid=lacoste,ou=Users,ou=Accounts,o=stars
ldap_modify: Insufficient access (50)
additional info: User alteration of password is not allowed

Regards,
Thierry.



[Samba] ldap passwd sync on 3.0.25a

2007-08-13 Thread Thierry Lacoste
I have an strange issue with ldap passwd sync = only
on FreeBSD 6.1 with Samba 3.0.25a + OpenLDAP 2.3.37

I have the OpenLDAP smbk5pwd overlay which successfully
synchronizes LM and NT passwords:

$ ldappasswd -D 'cn=sambamgr,ou=managers,o=stars' -w sambapass -s 
secret1 'uid=lacoste,ou=Users,ou=Accounts,o=stars'
Result: Success (0)

My OpenLDAP auditlog file confirms that smbk5pwd is working:

# modify 1187006837 o=stars cn=sambamgr,ou=Managers,o=stars
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9UFZSZk1zcTNoRlFuYWhGMzRWN1BZWE5BU3U0MHNVTWo=
-
replace: sambaPwdMustChange
sambaPwdMustChange: 1218542837
-
replace: sambaPwdLastSet
sambaPwdLastSet: 1187006837
-
replace: sambaLMPassword
sambaLMPassword: 8d16f4badd1da493aad3b435b51404ee
-
replace: sambaNTPassword
sambaNTPassword: b39a61f16a4e11fa80580241f1d4aae8
-
replace: pwdChangedTime
pwdChangedTime: 20070813120717Z
-
replace: entryCSN
entryCSN: 20070813120717Z#00#00#00
-
replace: modifiersName
modifiersName: cn=sambamgr,ou=Managers,o=stars
-
replace: modifyTimestamp
modifyTimestamp: 20070813120717Z
-
# end replace 1187006837

Here's the auditlog when I modify the password under Windows XP
with ldap passwd sync = yes.
Note that as expected there are two modifications:
- one for the LM and NT passwords
- and one for the userPassword which triggers another change of
the  LM and NT passwords.

# modify 1187007048 o=stars cn=sambamgr,ou=Managers,o=stars
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
delete: sambaLMPassword
sambaLMPassword: 8d16f4badd1da493aad3b435b51404ee
-
add: sambaLMPassword
sambaLMPassword: 485B60ABDAF3DCBEAAD3B435B51404EE
-
delete: sambaNTPassword
sambaNTPassword: b39a61f16a4e11fa80580241f1d4aae8
-
add: sambaNTPassword
sambaNTPassword: C2CC78BA8B1DF908F563858B3095C7C7
-
delete: sambaPwdLastSet
sambaPwdLastSet: 1187006837
-
add: sambaPwdLastSet
sambaPwdLastSet: 1187007048
-
replace: entryCSN
entryCSN: 20070813121048Z#00#00#00
-
replace: modifiersName
modifiersName: cn=sambamgr,ou=Managers,o=stars
-
replace: modifyTimestamp
modifyTimestamp: 20070813121048Z
-
# end replace 1187007048

# modify 1187007048 o=stars cn=sambamgr,ou=Managers,o=stars
dn: uid=lacoste,ou=Users,ou=Accounts,o=stars
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9YmVKTHNIOFVaK3pkNDJ4WGhHTUdtcVk2QjZiMWVzR1Q=
-
replace: sambaPwdMustChange
sambaPwdMustChange: 1218543048
-
replace: sambaPwdLastSet
sambaPwdLastSet: 1187007048
-
replace: sambaLMPassword
sambaLMPassword: 485b60abdaf3dcbeaad3b435b51404ee
-
replace: sambaNTPassword
sambaNTPassword: c2cc78ba8b1df908f563858b3095c7c7
-
replace: pwdChangedTime
pwdChangedTime: 20070813121048Z
-
replace: entryCSN
entryCSN: 20070813121048Z#01#00#00
-
replace: modifiersName
modifiersName: cn=sambamgr,ou=Managers,o=stars
-
replace: modifyTimestamp
modifyTimestamp: 20070813121048Z
-
# end replace 1187007048

To avoid the double change of LM and NT passwords I set
ldap passwd sync = only in my smb.conf but when I change
the password from XP none of the passwords is changed even
though XP reports success.

This works like a charm with Samba 3.0.22 + OpenLDAP 2.3.24 under FreeBSD 6.1.

Any help to troubleshoot the problem would be appreciated.

Regards,
Thierry.



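The numbers in the two traces above (the 3.0.22 level-10 log in the sambaPwdCanChange/sambaPwdMustChange post, and the smbk5pwd auditlog in this one) follow simple arithmetic, and having it in code makes it quick to check whether an LDAP entry was really updated after a password change. The Python below is an added example, not Samba's or smbk5pwd's code. samba_change_times() reproduces what the 3.0.22 trace shows smbd writing: sambaPwdMustChange becomes 2147483647 when the cached "maximum password age" policy holds the 4294967295 sentinel, and sambaPwdCanChange becomes the change time when no minimum age is set. smbk5pwd_must_change() uses the 365-day interval that the auditlog numbers imply (1218542837 - 1187006837). parse_acct_pol() reads policy values out of a level-10 excerpt that is constructed after the one quoted on the page, wrap included. The minimum/maximum ages passed in the usage code are made up.

```python
# Added example: the arithmetic behind sambaPwdCanChange / sambaPwdMustChange.
# Not Samba's or smbk5pwd's code; see the lead-in for what is assumed.
import re

NEVER = 0xFFFFFFFF          # 4294967295: the ACCT_POL "maximum password age" value in the log, i.e. no expiry
TIME_T_MAX = 2 ** 31 - 1    # 2147483647: what 3.0.22 wrote into sambaPwdMustChange for "never"
SMBK5PWD_INTERVAL = 365 * 24 * 60 * 60   # 31536000: LastSet -> MustChange gap in the auditlog


def samba_change_times(last_set, max_age=NEVER, min_age=NEVER):
    """Return (sambaPwdCanChange, sambaPwdMustChange) the way the 3.0.22
    trace shows smbd computing them for a change at time `last_set`:
    can-change is now plus the minimum age (now when unset), must-change is
    now plus the maximum age, or TIME_T_MAX when the policy is NEVER."""
    can_change = last_set if min_age == NEVER else last_set + min_age
    must_change = TIME_T_MAX if max_age == NEVER else last_set + max_age
    return can_change, must_change


def smbk5pwd_must_change(last_set, interval=SMBK5PWD_INTERVAL):
    """The sambaPwdMustChange value the smbk5pwd overlay wrote in the auditlog."""
    return last_set + interval


def password_expired(must_change, now):
    """True once a must-change time has passed; TIME_T_MAX never expires."""
    return must_change != TIME_T_MAX and now > must_change


_ACCT_POL = re.compile(r"key = ACCT_POL/([^,]+), value =\s*(\d+)")


def parse_acct_pol(log_text):
    """Pull cached account-policy values out of a level-10 smbd log.
    Tolerates the wrap seen on the page, where the value sits on its own line."""
    return {name: int(value) for name, value in _ACCT_POL.findall(log_text)}


# Constructed excerpt, modelled on the 3.0.25 trace quoted earlier on the page.
SAMPLE_LOG = """[2007/08/14 23:45:26, 10] lib/gencache.c:gencache_get(226)
  Returning valid cache entry: key = ACCT_POL/maximum password age, value = 
4294967295
  , timeout = Tue Aug 14 23:46:25 2007
"""


def check_entry(entry, max_age, min_age=NEVER):
    """Compare an LDAP entry's stored attributes with what smbd should have
    written for its sambaPwdLastSet.  Returns {attribute: (stored, expected)}
    for every attribute that disagrees; an empty dict means the entry is
    consistent with the policy."""
    can, must = samba_change_times(entry["sambaPwdLastSet"], max_age, min_age)
    expected = {"sambaPwdCanChange": can, "sambaPwdMustChange": must}
    return {k: (entry.get(k), v) for k, v in expected.items() if entry.get(k) != v}


if __name__ == "__main__":
    policy = parse_acct_pol(SAMPLE_LOG)
    print(policy)
    # Timestamp from the 3.0.22 trace on the page
    print(samba_change_times(1187126251, policy["maximum password age"]))
    # Timestamps from the smbk5pwd auditlog on the page
    print(smbk5pwd_must_change(1187006837), smbk5pwd_must_change(1187007048))
```

Run check_entry() against `ldapsearch -LLL '(uid=lacoste)' sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange` output after a change from Windows: with `ldap passwd sync = only` a non-empty result on sambaPwdLastSet alone tells you the modify never reached LDAP, which is the symptom reported in this post, while a mismatch only on the MustChange attribute is what you get when smbk5pwd (365-day interval) rather than smbd (account policy) was the last writer.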

Re: [Samba] ACLs and winbind

2007-08-10 Thread Thierry Lacoste
On Thursday 09 August 2007 15:58, Angela Gavazzi wrote:
 My working nsswitch.conf look like this:

 passwd: files winbind ldap
 group:  files winbind ldap
 shadow: files winbind ldap

 By, Angela
Can nss_winbind be used against a Samba domain? AFAICS it is only used to
identify users/groups of Windows domains. Please correct me if I'm wrong.

I found three options to allow windows users to manage ACLs in their homes
on a Samba server which is joined to a Samba domain and uses nss_ldap against
the DC's backend LDAP server.

option 1: basic smb.conf
- winbind needed to add ACLs
- winbind trusted domains only = yes needed so that the domain appears
in the original ACLs (and not the NetBIOS name of the server) and
winbindd_idmap.tdb maps domain users/groups to their LDAP uids/gids

option 2: smb.conf with LDAP idmap backend
Same requirements. Note that as above I need to define ranges for
idmap uid and gid although winbindd_idmap.tdb never changes

option 3: smb.conf with LDAP passdb backend
- winbind needed (but netlogon proxy only mode is OK) otherwise
ACLs can be added but when displayed users/groups are not resolved

Are there other options? What is the best in terms of performance?

While I can imagine why winbind is needed for option 1 I don't see
- why it can't be used in netlogon proxy only mode for option 2 and
- why it is needed at all for option 3.

Regards,
Thierry.



Re: [Samba] ACLs and winbind

2007-08-09 Thread Thierry Lacoste
On Thursday 09 August 2007 08:38, Henrik Zagerholm wrote:
 8 aug 2007 kl. 16:18 skrev Thierry Lacoste:
  I'm trying to allow XP clients to add ACLs in the homes share.
  It appears that I'm unable to do it unless I use winbind
  although I'm in a pure Samba/OpenLDAP environment.
 
  I have a PDC and BDC with Samba/OpenLDAP
  and a member Samba server with homes and profiles (below
  is its smb.conf) on which I have Posix ACLs.
  If I comment out the idmap lines I cannot add ACLs from XP
  in my home share though. I can browse and pick domain users
  and groups but cannot add them to the security tab of a file
  in a user's home share.
 
  Do I really need winbind?

 Yes, I'm pretty sure you'll need winbind.
 Cheers,
 henke
Thanks Henrik.
Can someone explain why or point me to some doc?
What I read everywhere is that winbind is used to identify users of a windows
domain at the NSS level (mapping them locally with winbindd_idmap.tdb or
globally with ldap) while my users are correctly identified by nss_ldap.

What puzzles me is that I didn't touch my /etc/nsswitch.conf which reads:
group: files ldap
hosts: files dns
networks: files
passwd: files ldap

Is this a common setting to use winbind for samba and not for NSS?

Also I realized that my smb.conf was not entirely functional.
When I create a file with XP the domain part of the initial ACLs
is the NetBIOS name of the server and not my domain name.
Moreover when I pick a domain group (which truly appears as
a domain group) to add it in the ACLs of the file it is mapped
to gid 1 through entries in winbindd_idmap.tdb.

Adding the following lines to my smb.conf solved the problem.
  passdb backend = ldapsam:ldap://aldap1.stars.net
  ldap ssl = start_tls
  ldap suffix = o=stars
  ldap admin dn = cn=sambamgr,ou=Managers,o=stars
  ldap machine suffix = ou=Computers,ou=Accounts
  ldap user suffix = ou=Users,ou=Accounts
  ldap group suffix = ou=Groups

In this case getfacl reports the correct group and winbindd_idmap.tdb
appears to never change.
Still I need the idmap lines to be able to add ACLs.

Regards,
Thierry.
 
  workgroup = STARS
  netbios name = CAPELLA
  security = DOMAIN
  name resolve order = wins bcast
  wins server = castor
  netbios aliases = AHOMES APROFILES
  password server = ALDAP1 ALDAP2
 
  log level = 2
 
  idmap gid = 1-2
  idmap uid = 1-2
 
  [homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
 
  [Profiles]
comment = Roaming Profile Share
path = /export/profiles
read only = No
profile acls = Yes




[Samba] ACLs and winbind

2007-08-08 Thread Thierry Lacoste
I'm trying to allow XP clients to add ACLs in the homes share.
It appears that I'm unable to do it unless I use winbind
although I'm in a pure Samba/OpenLDAP environment.

I have a PDC and BDC with Samba/OpenLDAP
and a member Samba server with homes and profiles (below
is its smb.conf) on which I have Posix ACLs.
If I comment out the idmap lines I cannot add ACLs from XP
in my home share though. I can browse and pick domain users
and groups but cannot add them to the security tab of a file
in a user's home share.

Do I really need winbind?

Regards,
Thierry.

workgroup = STARS
netbios name = CAPELLA
security = DOMAIN
name resolve order = wins bcast
wins server = castor
netbios aliases = AHOMES APROFILES
password server = ALDAP1 ALDAP2

log level = 2

idmap gid = 1-2
idmap uid = 1-2

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

[Profiles]
  comment = Roaming Profile Share
  path = /export/profiles
  read only = No
  profile acls = Yes



Re: [Samba] Enforcing Password Policies...

2007-08-08 Thread Thierry Lacoste
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
 Dear Help,

 I'm currently running Samba with an LDAP passdb backend.  I'm trying to
 figure out how to NOT allow a particular user to change their password
 (through Windows, or any interface).  I've tried modifying the values for
 sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
 seems like it only effects making them change their password, instead of
 whether or not they're ALLOWED to.
If you set sambaPwdCanChange in the future (e.g. 1286597349, which corresponds
to Saturday, October 9th 2010, 4:09:09 (GMT)) the user cannot change his
password from windows until this date.

The problem is that he can still modify his LDAP password.
You could add ACLs to your slapd.conf such that only your
ldap admin dn has write access to the userPassword attribute.
In this case the only way to change the password is via samba.

HTH,
Thierry.



[Samba] ppolicy overlay (WAS: Enforcing Password Policies...)

2007-08-08 Thread Thierry Lacoste
On Wednesday 08 August 2007 20:17, Matt Anderson wrote:
 Dear Help,

 I'm currently running Samba with an LDAP passdb backend.  I'm trying to
 figure out how to NOT allow a particular user to change their password
 (through Windows, or any interface).  I've tried modifying the values for
 sambaPwdCanChange and sambaPwdMustChange for a particular user, but it
 seems like it only effects making them change their password, instead of
 whether or not they're ALLOWED to.
With OpenLDAP one can use
  ldap passwd sync = only
in smb.conf and let the smbk5pwd overlay synchronize the LM and NT passwords.

If you add the ppolicy overlay you have a clean way to prevent password
changes for some accounts (through Windows, or any interface).
For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE

The only problem is that a Windows client reports a successful password
change even though the password was not changed because of the above
pwdPolicy.

Regards,
Thierry.



Re: [Samba] logon requests on the BDC

2007-08-06 Thread Thierry Lacoste
On Monday 06 August 2007 05:38, Volker Lendecke wrote:
 On Mon, Aug 06, 2007 at 10:39:14AM +1000, Andrew Bartlett wrote:
   Are there special things to do to make the BDC bias work?
   How can I troubleshoot the reason why it does not work?
 
  It has more to do with the order that the WINS server returns the
  addresses.  There were some plans to have this randomised at one point.

 That's false as well. Metze knows more, but iirc it's the
 one who answers the getdc port 138 request first.
Does the order mentioned by Andrew correspond to the order given by 
nmblookup 'mydomain#1c'?

Playing with IP addresses I noticed that on an XP client echo %LOGONSERVER%
gives me the netbios name of the DC (PDC or BDC) which has the smallest IP.
In any case nmblookup 'mydomain#1c' outputs the PDC before the BDC.

Is this behavior expected?

Regards,
Thierry.



Re: 2 questions about start_tls (was: Re: [Samba] TLS and ldap referals)

2007-07-26 Thread Thierry Lacoste

  When I shutdown the PDC, logon to a windows client and update my password
  I get a domain unavailable error as expected.
  When I restart the master and do it again, everything is OK.
  Therefore I guess the referral is chased and TLS is used, or did I miss
  something?
I miserably screwed up my test. Sorry for the noise.
It appears that I'm unable to make my BDC chase referrals (with or
without TLS) though an ldapmodify gives me the correct referrals.
I'm going back to docs ...
[...]
 From man smb.conf:
[...]
   Default: ldap ssl = start_tls
This still puzzles me.
In certain situations (e.g. SSL certificate problem)
when I put explicitly ldap ssl = start_tls in my smb.conf I have
[2007/07/26 16:43:28, 0] lib/smbldap.c:smb_ldap_start_tls(546)
  Failed to issue the StartTLS instruction: Connect error
When I remove it everything is fine.
Do I misunderstand the word Default?

Regards,
Thierry.



2 questions about start_tls (was: Re: [Samba] TLS and ldap referals)

2007-07-25 Thread Thierry Lacoste
On Thursday 14 June 2007 13:56, Thierry Lacoste wrote:
 On Thursday 14 June 2007 10:17, Andrew Bartlett wrote:
  On Wed, 2007-06-06 at 22:40 +0200, Thierry Lacoste wrote:
   I have a samba PDC with a master openldap server
   and a samba BDC with a slave openldap server.
   Replication is done with slurpd with a TLS connection
   and the slave ldap server has an updateref pointing
   to the master (I don't use ldaps).
  
   On each domain controller my smb.conf contains:
   passdb backend = ldapsam:ldap://localhost
  
   Now I'd like my ldap servers to reject non TLS connections
   except on the loopback interface (to avoid unnecessary
   encryption).
  
   Is it possible to configure my BDC so that TLS is used when
   chasing the referral but connections to its passdb backend
   are not encrypted?
 
  Perhaps if the referrals were given as an LDAPS URL in the server?  In
  terms of localhost allowing cleartext, perhaps use ldapi://, which is by
  definition local only.
 
  Andrew Bartlett

 Apparently everything is working as I want but I'd like to understand
 the magic behind.

 On both servers, my very first ACL in slapd.conf is:
 # first, make sure TLS or localhost
 access to *
 by tls_ssf=1 none break
 by peername.ip=127.0.0.1 none break
 by * none

 so cleartext sessions are indeed rejected except on the loopback.

 On the slave I have
 updateref   ldap://my.master.ldap.server

 On both servers my smb.conf contains:
   passdb backend = ldapsam:ldap://127.0.0.1

 BTW if I use localhost instead of 127.0.0.1, ldap connections are rejected.

 When I shutdown the PDC, logon to a windows client and update my password
 I get a domain unavailable error as expected.
 When I restart the master and do it again, everything is OK.
 Therefore I guess the referral is chased and TLS is used, or did I miss
 something?

 It's working great but I can't find a satisfactory explanation on how.
 Can someone shed some light on what's happening?

From man smb.conf:

  ldap ssl (G)
  This  option  is  used to define whether or not Samba should use
  SSL when connecting to the ldap server. This is NOT related to
  Samba's previous SSL support which was enabled by specifying
  the --with-ssl option to the configure script.

  The ldap ssl can be set to one of three values:

  o  Off = Never use SSL when querying the directory.

  o  Start_tls  =  Use  the  LDAPv3  StartTLS  extended  operation
 (RFC2830) for communicating with the directory server.

  o  On  =  Use  SSL  on  the  ldaps port when contacting the ldap
 server.  Only  available  when   the   backwards-compatiblity
 --with-ldapsam  option  is specified to configure. See passdb
 backend

  Default: ldap ssl = start_tls

I have two questions about start_tls:

1) does it apply on the loopback when
passdb backend = ldapsam:ldap://127.0.0.1
2) does it apply when chasing referrals?

If the answers are respectively no and yes I think I have the explanation
I was looking for.

Regards,
Thierry.



Re: [Samba] Roaming profile - Folder redirection - Erase file on server

2007-07-01 Thread Thierry Lacoste
Maybe a problem with offline files.
Did you disable them?
If not try to do it with gpedit.msc

Thierry.

On Saturday 30 June 2007 03:01, Patrik Dufresne wrote:
 [I posted the same message on the Ubuntu forum]

 Hi,

 I need help to fix a problem with Samba as PDC and folder redirection on a
 roaming profile. I know it's not the best place to post this, but I don't
 know any better place. So if you have a suggestion, tell me.

 Here is my problem:

 I'm in a testing environment with a Samba server set up as a PDC with some
 shares (netlogon, profiles) to support roaming profiles. My smb.conf file
 contains the right configuration parameters for logon path, logon home,
 etc.

 For my roaming profile, I set up a folder redirection using the
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User
 Shell Folders registry key. I modified the values of AppData, Cookies,
 Desktop, Favorites, My Pictures and Personal. Every folder is redirected to
 the network share with the %LOGONSERVER% and %USERNAME% variables. There is
 no problem with the redirection: when I connect, everything is correctly
 redirected.

 For example, if I create a file named textfile.txt on my desktop, I see
 it in the shared folder. (I run an ls command over ssh directly on the
 server to be sure.) I can add, remove and edit files on the desktop and
 everything is OK.

 The problem comes when I log out. The Windows client does some sort of
 synchronization of a local folder with the shared folder, for example
 C:\Documents and Settings\admin\Desktop\ with
 \\MyServer\profiles\admin\Desktop. In fact it's not a synchronization: it
 just deletes the shared folder and replaces it with the content of the
 local folder. The result is that every modification done on the desktop
 (which is redirected) is lost at logout.

 It's a very annoying problem that I can't solve by myself. I searched
 everywhere without finding any tips.

 I tried some configurations with the ExcludeProfileDirs registry key
 without success. It's possible that I don't use it correctly.

 Thanks for your help and comments.

 [global]
 dos charset = 850
 unix charset = UTF8
 workgroup = ENTREPRISESMD
 server string = Samba server
 passdb backend = ldapsam:ldap://127.0.0.1/
 time server = Yes
 deadtime = 15
 socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 load printers = No
 add user script = /usr/sbin/smbldap-useradd -m %u
 delete user script = /usr/sbin/smbldap-userdel %u
 add group script = /usr/sbin/smbldap-groupadd -p %g
 delete group script = /usr/sbin/smbldap-groupdel %g
 add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
 delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
 set primary group script = /usr/sbin/smbldap-usermod -g %g %u
 add machine script = /usr/sbin/smbldap-useradd -w %u
 logon script = login.bat OR %U.bat
 logon path = \\%L\PROFILES\%U
 logon drive = h:
 logon home = \\%L\PROFILES\%U
 domain logons = Yes
 os level = 40
 domain master = Yes
 dns proxy = No
 wins support = Yes
 ldap admin dn = cn=admin,dc=entreprisesmd,dc=homeip,dc=net
 ldap delete dn = Yes
 ldap group suffix = ou=Group
 ldap idmap suffix = ou=People
 ldap machine suffix = ou=Computers
 ldap passwd sync = Yes
 ldap suffix = dc=entreprisesmd,dc=homeip,dc=net
 ldap user suffix = ou=People
 winbind use default domain = Yes
 inherit permissions = Yes
 inherit acls = Yes
 inherit owner = Yes
 case sensitive = No
 hide files = /desktop.ini/ntuser.ini/NTUSER.*/
 msdfs root = Yes

 [netlogon]
 comment = Network Logon Service
 path = /data/usersdata/netlogon
 read only = No
 browseable = No

 [PROFILES]
 comment = User profiles
 path = /data/usersdata/profiles
 read only = No
 create mask = 0600
 directory mask = 0700
 inherit permissions = No
 inherit acls = No
 inherit owner = No
 profile acls = Yes
 browseable = No
 csc policy = disable



 I took a look in the log file c:\windows\debug\usermode\userenv.txt and
 it's clear that the Windows workstation just removes the file I added on
 the desktop:

 USERENV(25c.260) 20:36:52:752 SyncItems: removing E:\admin\Desktop\New
 Text Document.txt


 --
 Patrik Dufresne



Re: [Samba] TLS and ldap referals

2007-06-14 Thread Thierry Lacoste
On Thursday 14 June 2007 10:17, Andrew Bartlett wrote:
 On Wed, 2007-06-06 at 22:40 +0200, Thierry Lacoste wrote:
  I have a samba PDC with a master openldap server
  and a samba BDC with a slave openldap server.
  Replication is done with slurpd with a TLS connection
  and the slave ldap server has an updateref pointing
  to the master (I don't use ldaps).
 
  On each domain controller my smb.conf contains:
  passdb backend = ldapsam:ldap://localhost
 
  Now I'd like my ldap servers to reject non TLS connections
  except on the loopback interface (to avoid unnecessary
  encryption).
 
  Is it possible to configure my BDC so that TLS is used when
  chasing the referral but connections to its passdb backend
  are not encrypted?

 Perhaps if the referrals were given as an LDAPS URL in the server?  In
 terms of localhost allowing cleartext, perhaps use ldapi://, which is by
 definition local only.

 Andrew Bartlett
Apparently everything is working as I want but I'd like to understand
the magic behind.

On both servers, my very first ACL in slapd.conf is:
# first, make sure TLS or localhost
access to *
by tls_ssf=1 none break
by peername.ip=127.0.0.1 none break
by * none

so cleartext sessions are indeed rejected except on the loopback.

On the slave I have
updateref   ldap://my.master.ldap.server

On both servers my smb.conf contains:
  passdb backend = ldapsam:ldap://127.0.0.1

BTW if I use localhost instead of 127.0.0.1, ldap connections are rejected.

When I shutdown the PDC, logon to a windows client and update my password
I get a domain unavailable error as expected.
When I restart the master and do it again, everything is OK.
Therefore I guess the referral is chased and TLS is used, or did I miss
something?

It's working great but I can't find a satisfactory explanation on how.
Can someone shed some light on what's happening?

Regards,
Thierry.
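
The TLS-or-loopback gate quoted in this thread and the userPassword restriction suggested in the "Enforcing Password Policies" reply both come down to the order in which slapd walks its access directives and what "none break" does. The following is an added example, not code from the posts or from OpenLDAP: a small Python model that parses a slapd.conf-style ACL fragment and evaluates it for a few constructed client sessions. It assumes the cn=sambamgr,ou=Managers,o=stars admin dn taken from the "ACLs and winbind" smb.conf, a constructed user entry uid=user1,ou=Users,ou=Accounts,o=stars, and only the subset of the who/target syntax used in the fragment (no +/- privilege accumulation, no regex or subtree matching). The ::1 session illustrates one plausible reason, stated here as an assumption rather than something the thread established, why ldap://localhost was rejected while ldap://127.0.0.1 worked: if localhost resolves to the IPv6 loopback, peername.ip=127.0.0.1 does not match it.

```python
# Toy model of OpenLDAP slapd ACL evaluation (added example, not code from the
# posts or from OpenLDAP).  It parses a slapd.conf-style ACL fragment and
# evaluates it for constructed sessions; only the syntax used below is modelled.
from dataclasses import dataclass
from typing import List, Tuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed fragment: directive 1 is the TLS-or-loopback gate quoted in the
# thread; directive 2 is the userPassword restriction suggested in the
# "Enforcing Password Policies" reply, using the admin dn from the
# "ACLs and winbind" smb.conf; directive 3 is an ordinary catch-all.
ACL_TEXT = """
access to *
    by tls_ssf=1 none break
    by peername.ip=127.0.0.1 none break
    by * none
access to attrs=userPassword
    by dn.exact="cn=sambamgr,ou=Managers,o=stars" write
    by anonymous auth
    by * none
access to *
    by dn.exact="cn=sambamgr,ou=Managers,o=stars" write
    by self write
    by users read
    by * none
"""

Clause = Tuple[str, str, str]          # (who, level, control)
Directive = Tuple[str, List[Clause]]   # (target, clauses)


@dataclass
class Session:
    peer_ip: str          # peer address as slapd sees it
    tls_ssf: int = 0      # 0 = cleartext session
    bind_dn: str = ""     # "" = anonymous


def parse_acls(text: str) -> List[Directive]:
    """Parse 'access to <target>' / 'by <who> <level> [control]' lines."""
    acls: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acls:
            parts = line.split()
            control = parts[3] if len(parts) > 3 else "stop"
            if parts[2] not in LEVELS or control not in ("stop", "break"):
                raise ValueError(f"unsupported clause: {line}")
            acls[-1][1].append((parts[1], parts[2], control))
        else:
            raise ValueError(f"unsupported line: {line}")
    return acls


def _target_matches(target: str, attr: str) -> bool:
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr in target[len("attrs="):].split(",")
    raise ValueError(f"unsupported target: {target}")


def _who_matches(who: str, s: Session, entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return s.bind_dn == ""
    if who == "users":
        return s.bind_dn != ""
    if who == "self":
        return s.bind_dn != "" and s.bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        return s.bind_dn.lower() == who[len("dn.exact="):].strip('"').lower()
    if who.startswith("tls_ssf="):
        return s.tls_ssf >= int(who[len("tls_ssf="):])
    if who.startswith("peername.ip="):   # exact IPv4 only: ::1 never matches
        return s.peer_ip == who[len("peername.ip="):]
    raise ValueError(f"unsupported who clause: {who}")


def evaluate(acls: List[Directive], s: Session, entry_dn: str, attr: str) -> str:
    """The first directive whose target matches is used; inside it the first
    matching 'by' clause decides.  'break' moves on to the next directive
    (models the absolute-level 'none break' idiom, not +/- accumulation).
    Nothing matching means no access."""
    for target, clauses in acls:
        if not _target_matches(target, attr):
            continue
        hit = next((c for c in clauses if _who_matches(c[0], s, entry_dn)), None)
        if hit is None:
            return "none"                # implied 'by * none'
        if hit[2] == "break":
            continue
        return hit[1]
    return "none"


def allowed(acls, s, entry_dn, attr, needed) -> bool:
    return LEVELS.index(evaluate(acls, s, entry_dn, attr)) >= LEVELS.index(needed)


ADMIN = "cn=sambamgr,ou=Managers,o=stars"
USER = "uid=user1,ou=Users,ou=Accounts,o=stars"   # constructed entry dn


def demo() -> dict:
    acls = parse_acls(ACL_TEXT)
    return {
        "lan_cleartext_read": allowed(acls, Session("10.0.0.5", 0, USER), USER, "cn", "read"),
        "loopback_v4_read": allowed(acls, Session("127.0.0.1", 0, USER), USER, "cn", "read"),
        "loopback_v6_read": allowed(acls, Session("::1", 0, USER), USER, "cn", "read"),
        "admin_tls_pw_write": allowed(acls, Session("10.0.0.5", 256, ADMIN), USER, "userPassword", "write"),
        "self_tls_pw_write": allowed(acls, Session("10.0.0.5", 256, USER), USER, "userPassword", "write"),
        "anon_tls_pw_auth": allowed(acls, Session("10.0.0.5", 256), USER, "userPassword", "auth"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'allowed' if ok else 'denied'}")
```

Run it directly to print a verdict per session: cleartext from the LAN is denied by the first directive, cleartext over 127.0.0.1 falls through to the self/users rules, the ::1 session is denied because peername.ip does not match it, and only the admin dn can write userPassword while anonymous binds (auth) still work. The model only makes the evaluation order visible; a real deployment check has to be made against slapd itself, for instance with ldapwhoami over each transport.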


[Samba] TLS and ldap referals

2007-06-06 Thread Thierry Lacoste
I have a samba PDC with a master openldap server
and a samba BDC with a slave openldap server.
Replication is done with slurpd with a TLS connection
and the slave ldap server has an updateref pointing
to the master (I don't use ldaps).

On each domain controller my smb.conf contains:
passdb backend = ldapsam:ldap://localhost

Now I'd like my ldap servers to reject non TLS connections
except on the loopback interface (to avoid unnecessary
encryption).

Is it possible to configure my BDC so that TLS is used when
chasing the referral but connections to its passdb backend
are not encrypted?

Regards,
Thierry.



Re: [Samba] Replicated Failover Domain Controller and file server using LDAP

2007-02-02 Thread Thierry Lacoste
Hello,

Unless I missed something, it appears to me that in the slurpd version
of the master slapd.conf, you don't need any of the
by dn=cn=syncuser,dc=differentialdesign,dc=org read
In fact the only place where the syncuser dn has to appear is
in the replica directive.

I guess this is not the case for the syncrepl versions
because of the pull model.

Best regards,
Thierry.



Re: [Samba] Samba Domain Problem

2006-11-27 Thread Thierry Lacoste
My guess is that you have misconfigured nss-ldap.
What is the value of nss_base_passwd in your nss-ldap configuration?

Thierry.

On Monday 27 November 2006 17:43, [EMAIL PROTECTED] wrote:
 Good afternoon,

 I have some problems in my samba domain.

 When I try to add a machine to the samba domain it executes an smbldap
 script; this script saves the entry in ou=computers but samba searches in
 ou=People.

 Can somebody help me?

 See a LOG piece

 Nov 27 12:55:50 x slapd[8298]: conn=178 op=24 SRCH
 base=ou=People,dc=xxx,dc=xxx scope=2 deref=0
 filter=((objectClass=posixAccount)(uid=kcg-e84$))
 Nov 27 12:55:50 x slapd[8298]: conn=178 op=25 SRCH
 base=ou=People,dc=xxx,dc=xxx scope=2 deref=0
 filter=((objectClass=posixAccount)(uid=kcg-e84$))

 My smb.conf =

 #=== LDAP DEFINITIONS ==

 passdb backend = ldapsam:ldap://127.0.0.1/
 ldap admin dn = cn=Manager,dc=xxx,dc=xxx
 #ldap delete dn = Yes
 ldap user suffix = ou=People
 ldap Group suffix = ou=Group
 ldap idmap suffix = ou=Idmap
 ldap machine suffix = ou=Computers
 ldap passwd sync = Yes
 ldap suffix = dc=xxx,dc=xxx
 ldap ssl = no
 idmap backend = ldap:ldap://127.0.0.1
 idmap uid = 15000-2
 idmap gid = 15000-2

 # USER DEFINITIONS ==
 add user script = /usr/sbin/smbldap-useradd -m %u
 delete user script = /usr/sbin/smbldap-userdel %u
 add machine script = /usr/sbin/smbldap-useradd -w %u
 add group script = /usr/sbin/smbldap-groupadd -p %g
 delete group script = /usr/sbin/smbldap-groupdel %g
 add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
 delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
 set primary group script = /usr/sbin/smbldap-usermod -g %g %u


 Thanks for help.


Re: [Samba] security with normal profiles

2006-09-15 Thread Thierry Lacoste
Thanks a lot.

 It is not advisable that the NTuser.dat file be made read-only
This indeed limits my options.
I guess I'll have to stick to mandatory profiles.

Can somebody share his experience with redirecting Favorites
to the user's home share?
I found contradictory information on whether it's possible to do that.

Regards,
Thierry.
 


[Samba] security with normal profiles

2006-09-13 Thread Thierry Lacoste
Following TOSHARG and Samba 3 by examples I implemented
Folder redirection plus some security restrictions by building
a custom NTUSER.DAT which is the default profile of my users.
The problem is that each user has read/write access to his profile
share, therefore he can replace his NTUSER.DAT.

This is why I chose mandatory profiles.
Is there another solution?

The problem with mandatory profiles is that some settings are not
saved: for instance the Favorites folder; I did not redirect it because
I read in several books that only the Desktop, My documents,
Application Data and Start Menu can be redirected.

Is there a way to save Favorites with mandatory profiles?

Regards,
Thierry.


Re: [Samba] 'ldap machine suffix' is ignored?

2006-08-07 Thread Thierry Lacoste

 And I can't join domain from WinXP workstation (WINHOST, for ex.) with
 the error No such user

 smbldap-useradd -w %u works perfectly and adds winhost$ to ou=computers
 , ldapsearch found it.
Maybe an issue with nss_ldap configuration.
What's the output of 'id winhost$' ?


[Samba] issues with folder redirection and synchronisation

2006-08-01 Thread Thierry Lacoste
I have a samba/ldap PDC with a netlogon share and a samba member server
(called sirius) with Profiles and homes shares (samba 3.0.14).
Each user in the LDAP database has its sambaHomeDrive attribute set to H:.

I'm trying to follow
http://samba.org/samba/docs/man/Samba-Guide/happy.html#redirfold
to configure my XP Pro client.
It seems that I'm unable to have folder redirection AND folder exclusion
from roaming profiles work together.

After a fresh install of XP pro I use gpedit.msc to exclude My documents
from roaming profiles. Then I copy NTUSER.DAT from Default User to
the netlogon share. After joining XP to the domain everything works as
expected. Folders are roaming except My documents.

Now I logon with a domain user and redirect his My documents folder to
H:\Windows\My documents.
Then each time I logout I have a popup window saying:
synchronisation of \\Sirius\lacoste on Samba 3.0.14a (Sirius).

Also at the bottom left of every icon in My documents there is a blank
square with two blue arrows.

Can someone please explain what's going on?

Regards,
Thierry.


[Samba] prefered configuration for a homes share server

2006-07-01 Thread Thierry Lacoste
I'm using FreeBSD 6.1 DCs with samba-3.0.22 and openldap-2.3.24.

I have two DCs. The first one runs the master ldap server and the other
runs a replica. They both hold only the [netlogon] share.

I have a third machine which holds the [homes] and [profiles] share.
This machine is simply joined to the domain and is an LDAP client only at
the OS level (i.e. with nss_ldap).
Here is its smb.conf (ALDAP1 and ALDAP2 are netbios aliases for the 2 DCs):

[global]
workgroup = MIAGE
netbios name = CAPELLA
security = DOMAIN
name resolve order = wins bcast
wins server = castor
netbios aliases = AHOMES APROFILES
password server = ALDAP1 ALDAP2

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

[Profiles]
  comment = Roaming Profile Share
  path = /export/profiles
  read only = No
  profile acls = Yes

From a security and/or performance perspective, is it better to make my
smb.conf ldap-aware (with passdb backend = ldapsam, etc.)?

Regards,
Thierry.


[Samba] issues with cifs mount

2006-06-10 Thread Thierry Lacoste
I have a samba 3.0.14a PDC on FreeBSD 6.0-RELEASE.
With pam_mount on Ubuntu 5.10 users have their home
mounted with mount.cifs.

I have 2 issues with this setting.
First with the evolution email client, when I pop my mails
I have the following error:

Cannot append message to mbox 
file: /home/profs/user1/.evolution/mail/local/Inbox: Permission denied

The log.smbd shows:
[2006/06/10 08:25:33, 2] smbd/open.c:open_file(245)
  user1 opened file .evolution/mail/local/Inbox read=Yes write=Yes 
(numopen=10)
[2006/06/10 08:25:33, 2] smbd/open.c:open_file(245)
  user1 opened file .evolution/mail/local/InboxizR3Ga read=Yes write=Yes 
(numopen=11)
[2006/06/10 08:25:33, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .evolution/mail/local/InboxizR3Ga (numopen=10)
[2006/06/10 08:25:33, 2] smbd/open.c:open_file(245)
  user1 opened file .evolution/mail/local/InboxizR3Ga read=Yes write=No 
(numopen=11)
[2006/06/10 08:25:33, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .evolution/mail/local/InboxizR3Ga (numopen=10)
[2006/06/10 08:25:33, 2] smbd/open.c:open_file(245)
  user1 opened file .evolution/mail/local/.#Inbox.cmeta read=Yes write=Yes 
(numopen=11)
[2006/06/10 08:25:33, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .evolution/mail/local/.#Inbox.cmeta (numopen=10)
[2006/06/10 08:25:33, 2] smbd/open.c:open_file(245)
  user1 opened file .evolution/mail/local/.#Inbox.cmeta read=Yes write=No 
(numopen=11)
[2006/06/10 08:25:33, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .evolution/mail/local/.#Inbox.cmeta (numopen=10)
[2006/06/10 08:25:33, 2] smbd/open.c:open_file(245)
  user1 opened file .evolution/mail/local/Inbox.cmeta read=Yes write=No 
(numopen=11)
[2006/06/10 08:25:33, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .evolution/mail/local/Inbox.cmeta (numopen=10)
[2006/06/10 08:25:33, 2] smbd/open.c:open_file(245)
  user1 opened file .evolution/mail/local/.#Inbox.cmeta read=Yes write=No 
(numopen=11)
[2006/06/10 08:25:33, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .evolution/mail/local/.#Inbox.cmeta (numopen=10)
[2006/06/10 08:25:33, 2] smbd/open.c:open_file(245)
  user1 opened file .evolution/mail/local/Inbox.lock read=Yes write=No 
(numopen=11)
[2006/06/10 08:25:33, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .evolution/mail/local/Inbox.lock (numopen=10)
[2006/06/10 08:25:33, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .evolution/mail/local/Inbox (numopen=9)

I checked the permissions on .evolution/mail/local/ which appear to be OK.
I have no problem with evolution if my home is on the local filesystem.

The second issue is about KDE applications.
For instance when running kmail from a terminal I have an endless series of
WARNING: Problem deleting stale 
lockfile /home/profs/user1/.kde/share/config/kconf_updaterc.lock

The log.smbd shows:
[2006/06/10 08:47:19, 2] smbd/open.c:open_file(245)
  user1 opened file .kde/share/config/kconf_updaterc.lock6GU7Wb.tmp read=Yes 
write=Yes (numopen=6)
[2006/06/10 08:47:19, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .kde/share/config/kconf_updaterc.lock6GU7Wb.tmp 
(numopen=5) 
[2006/06/10 08:47:19, 2] smbd/open.c:open_file(245)
  user1 opened file .kde/share/config/kconf_updaterc.lock6GU7Wb.tmp read=Yes 
write=No (numopen=6)
[2006/06/10 08:47:19, 2] smbd/close.c:close_normal_file(272)
  user1 closed file .kde/share/config/kconf_updaterc.lock6GU7Wb.tmp 
(numopen=5) 

I have exactly the same issues with samba 3.0.21b on FreeBSD 6.1.
Any help would be appreciated.

Regards,
Thierry.


[Samba] cifs mount and quotas

2006-06-07 Thread Thierry Lacoste
I configured a samba 3.0.14a PDC on FreeBSD 6.0-RELEASE
with a [homes] share on which I activated user quotas.

From an Ubuntu 5.10 client with smbmount 3.0.14 when I do
smbmount //carioca/user1 /mnt -o username=user1
and copy a large file to /mnt I have a No space left on device
error which is what I expect.
But with mount.cifs version 1.6 when I do
mount.cifs //carioca/user1 /mnt -o username=user1
and copy the same file there is no message and the
command must be interrupted with Ctrl+C

What are my options?

Regards,
Thierry.


[Samba] password sync and ldap acls

2006-06-04 Thread Thierry Lacoste
Hello,

I followed the Linux Samba-OpenLDAP Howto from IDEALX.
My slapd.conf rootdn is cn=ldapmgr,ou=Managers,o=miage
My smb.conf ldap admin dn is cn=sambamgr,ou=Managers,o=miage

With the ACLs from section 5 (Security considerations) of the Howto
when I change a user password from windows XP the userPassword
attribute is not modified so my Unix and Windows passwords are
not in sync.

I found that adding the following ACL to my slapd.conf resolves the issue.

access to *
  by dn=cn=sambamgr,ou=Managers,o=miage read

I did several tests but can't figure out which attributes sambamgr
needs to read in order to update the userPassword attribute.

Any help would be appreciated.

Thierry.


Re: [Samba] password sync and ldap acls

2006-06-02 Thread Thierry Lacoste
On Thursday 01 June 2006 23:23, Thierry Lacoste wrote:
 I'm using samba 3.0.14a + openldap .2.27 on FreeBSD 6.0-RELEASE.

 I followed the Linux Samba-OpenLDAP Howto from IDEALX.
 My slapd.conf rootdn is cn=ldapmgr,ou=Managers,o=miage
 My smb.conf ldap admin dn is cn=sambamgr,ou=Managers,o=miage

 With the ACLs from section 5 (Security considerations) of the Howto
 when I change a user password from windows XP the userPassword
 attribute is not modified so my Unix and Windows passwords are
 not in sync.

 I found that adding the following ACL to my slapd.conf resolves the issue.

 access to *
       by dn=cn=sambamgr,ou=Managers,o=miage read

 I did several tests but can't figure out what are the attributes that
 sambamgr needs to read in order to update the userPassword attribute.
Answering myself the following thread discusses this issue:
http://lists.samba.org/archive/samba/2005-February/099816.html

Sorry for the noise.
Thierry.


[Samba] password sync and ldap acls

2006-06-01 Thread Thierry Lacoste
I'm using samba 3.0.14a + openldap .2.27 on FreeBSD 6.0-RELEASE.

I followed the Linux Samba-OpenLDAP Howto from IDEALX.
My slapd.conf rootdn is cn=ldapmgr,ou=Managers,o=miage
My smb.conf ldap admin dn is cn=sambamgr,ou=Managers,o=miage

With the ACLs from section 5 (Security considerations) of the Howto
when I change a user password from windows XP the userPassword
attribute is not modified so my Unix and Windows passwords are
not in sync.

I found that adding the following ACL to my slapd.conf resolves the issue.

access to *
      by dn=cn=sambamgr,ou=Managers,o=miage read

I did several tests but can't figure out which attributes
sambamgr needs to read in order to update the userPassword attribute.

Any help would be appreciated.

Thierry.

Here's my smb.conf
[global]
  workgroup = MIAGE
  netbios name = CARIOCA
  passdb backend = ldapsam:ldap://localhost
  add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
  domain logons = Yes
  os level = 35
  preferred master = Yes
  domain master = Yes
  wins support = Yes
  ldap suffix = o=miage
  ldap machine suffix = ou=Computers,ou=Accounts
  ldap user suffix = ou=Users,ou=Accounts
  ldap group suffix = ou=Groups
  ldap admin dn = cn=sambamgr,ou=Managers,o=miage
  ldap ssl = no
  ldap passwd sync = Yes

  enable privileges = yes

  logon script = scripts\logon.bat
  logon path = \\%L\Profiles\%U
  logon drive = H:
  logon home = \\%L\%U

  log level = 2

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No
[netlogon]
  comment = Network Logon Service
  path = /samba/netlogon
  admin users = root
  guest ok = Yes
  browseable = No
  # For profiles to work, create a user directory under the path
  # shown. i.e., mkdir -p /samba/profiles/maryo
[Profiles]
  comment = Roaming Profile Share
  path = /samba/profiles
  read only = No
  profile acls = Yes

Here's my slapd.conf
include /usr/local/etc/openldap/schema/core.schema

include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database    bdb
suffix  o=miage
rootdn  cn=ldapmgr,ou=Managers,o=miage
rootpw  {SSHA}IcqxO1Pi3TelluIAf8Gh3hIV3c7HxXhY

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/db/openldap-data
# Indices to maintain
index   objectClass eq

index cn  pres,sub,eq
index sn  pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber   eq
index gidNumber   eq
index memberUid   eq
index   sambaSID  eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName   eq
index   default   sub

access to
    attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,sambaPwdCanChange
  by dn="cn=sambamgr,ou=Managers,o=miage" write
  by anonymous auth
  by * none

access to
    attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
  by dn="cn=sambamgr,ou=Managers,o=miage" write
  by * read

access to attrs=description,telephoneNumber
  by dn="cn=sambamgr,ou=Managers,o=miage" write
  by self write
  by * read

access to
    attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
  by dn="cn=sambamgr,ou=Managers,o=miage" write
  by self read
  by * none

access to dn.base="o=miage"
  by dn="cn=sambamgr,ou=Managers,o=miage" write
  by * none

access to dn="ou=Users,ou=Accounts,o=miage"
  by dn="cn=sambamgr,ou=Managers,o=miage" write
  by * none

access to dn="ou=Groups,o=miage"
  by dn="cn=sambamgr,ou=Managers,o=miage" write
  by * none

access to dn="ou=Computers,ou=Accounts,o=miage"
  by dn="cn=sambamgr,ou=Managers,o=miage" write
  by * none

# I tried this ACL following the output of slapd but it does not work
access to
    attrs=sn,loginShell,structuralObjectClass,entryUUID,creatorsName,createTimestamp,entryCSN,modifiersName,modifyTimestamp
  by dn="cn=sambamgr,ou=Managers,o=miage" read

access to *
  by dn="cn=sambamgr,ou=Managers,o=miage" read

access to *
by self write
by users auth
by
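The post above asks which attributes the Samba admin DN must be able to read, and the thread hinges on how slapd walks its `access to` list. The following is an added example, not code from the post or from the Samba/OpenLDAP projects: a small Python model of slapd's ACL evaluation (first clause whose `what` matches is selected, then the first matching `by` line decides, with an implicit `by * none` when nothing matches) run over an abridged, constructed copy of the ACLs in the slapd.conf above. The user entry `uid=jdoe,...`, the abridged attribute lists, and the final `access to *` rule (the post's copy is cut off, so its `by * none` closing line is an assumption) are all constructed here; DN matching is exact only, which is how slapd treats `dn=` in these clauses.

```python
"""Simplified model of slapd.conf 'access to' evaluation (added example).

Assumptions: only the <what>/<who> forms used in the post above are modelled
(*, attrs=, dn=/dn.base=, self, anonymous, users, dn=), and DNs match exactly.
"""

# Access levels in ascending order, as slapd.access(5) ranks them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm_dn(dn):
    """Canonicalise a DN for comparison: trim around commas, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def what_matches(what, target_dn, attr):
    """Does the <what> of an access clause cover this entry/attribute?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = [a.strip().lower() for a in what[len("attrs="):].split(",")]
        return attr.lower() in wanted
    if what.startswith(("dn.base=", "dn=")):  # exact DN, any attribute
        return norm_dn(what.split("=", 1)[1]) == norm_dn(target_dn)
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, requester_dn, target_dn):
    """Does the <who> of a 'by' line describe this requester (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(target_dn)
    if who.startswith(("dn.exact=", "dn=")):
        return requester_dn is not None and norm_dn(who.split("=", 1)[1]) == norm_dn(requester_dn)
    raise ValueError("unsupported <who>: " + who)


def effective_access(rules, requester_dn, target_dn, attr):
    """Level slapd grants; rules is an ordered list of (what, [(who, level), ...])."""
    for what, by_list in rules:
        if not what_matches(what, target_dn, attr):
            continue                      # try the next 'access to' clause
        for who, level in by_list:
            if who_matches(who, requester_dn, target_dn):
                return level              # first matching 'by' wins
        return "none"                     # <what> matched, no <by> did: implicit 'by * none'
    return "none"                         # no clause matched: denied


def allowed(rules, requester_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(effective_access(rules, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


SAMBAMGR = "cn=sambamgr,ou=Managers,o=miage"
USER = "uid=jdoe,ou=Users,ou=Accounts,o=miage"   # constructed user entry
MGR_W = ("dn=" + SAMBAMGR, "write")
MGR_R = ("dn=" + SAMBAMGR, "read")

# Constructed abridgement of the posted slapd.conf ACLs, in the same order.
BASE_RULES = [
    ("attrs=userPassword,sambaNTPassword,sambaLMPassword", [MGR_W, ("anonymous", "auth"), ("*", "none")]),
    ("attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid", [MGR_W, ("*", "read")]),
    ("attrs=description,telephoneNumber", [MGR_W, ("self", "write"), ("*", "read")]),
    ("attrs=cn,sambaAcctFlags,displayName,sambaSID", [MGR_W, ("self", "read"), ("*", "none")]),
    ("dn.base=o=miage", [MGR_W, ("*", "none")]),
    ("dn=ou=Users,ou=Accounts,o=miage", [MGR_W, ("*", "none")]),
]
CATCH_ALL_FOR_MGR = ("*", [MGR_R])                                      # the ACL the post added
TAIL = ("*", [("self", "write"), ("users", "auth"), ("*", "none")])     # assumed closing rule

RULES_WITHOUT_FIX = BASE_RULES + [TAIL]
RULES_WITH_FIX = BASE_RULES + [CATCH_ALL_FOR_MGR, TAIL]


def sambamgr_rights(rules, attrs=("entry", "objectClass", "userPassword", "sn", "loginShell")):
    """Effective access of the Samba admin DN on a user entry, per attribute."""
    return {a: effective_access(rules, SAMBAMGR, USER, a) for a in attrs}


if __name__ == "__main__":
    for name, rules in (("without catch-all", RULES_WITHOUT_FIX), ("with catch-all", RULES_WITH_FIX)):
        print(name, sambamgr_rights(rules))
```

Two things the model makes visible: without the catch-all, `sambamgr` falls through to the tail rule and gets only `auth` on attributes such as `sn` or `loginShell` (the `by users auth` line), which is below the `read` a modify of the entry needs; and once an `access to *` clause for `sambamgr` precedes the tail, the tail is never reached for anyone else, so its `by self write` no longer applies to ordinary users on attributes not covered by an earlier clause. Reordering or merging the two `access to *` clauses is the usual way to keep both behaviours.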