Re: [Samba] XP 2.2.8a issues

2004-06-25 Thread Tim Jordan
Use tail -f to watch your logs (you may have to tweak your log level in
smb.conf to at least 3).  Attempt your mapping connections and see if
you can define the error.  

TJ
On Fri, 2004-06-25 at 08:27, Tom Skeren wrote:

 I have some 30 XP boxes in one offices joined to a w2k domain.  The w2k 
 server has no problem mapping drives on the samba server, however, the 
 XP workstations refuse.  Put in user name and password in the box after 
 mapping, and it just pops back up like you've entered a wrong pass/user 
 name.  I have changed signorseal to 0 in registry to no avail.  Of 
 course, when the server was NT4, I had no problem.  And if the XP boxes 
 are in workgroup mode rather than domain mode there's also no problem 
 mapping the samba drives. 
 
 Any advice would be appreciated, as I'm about to roof test the worthless 
 w2k server.
 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Compilation with Kerberos problem

2004-06-25 Thread Tim Jordan
On Fri, 2004-06-25 at 06:07, Daniel Ramaley wrote:

 I'm trying to compile Samba 3.0.4 with Active Directory support on 
 OpenBSD 3.5, using the native Kerberos libraries (which happens to be 
 Heimdal 0.6). Unfortunately, ./configure isn't working right. If anyone 
 can help me figure out what the problem is, i would appreciate it.
 
 First a bit of info on OpenBSD's Kerberos path layout, in case it 
 matters:
 /usr/libexec   - daemons such as: kadmind, kdc, kpasswdd
 /usr/sbin  - admin programs such as: kadmin, kstash, ktutil
 /usr/bin   - user programs such as: kauth, kinit, krb5-config,
 kdestroy, klist
 /usr/lib   - libraries
 /etc/kerberosV - configuration file: krb5.conf
 /usr/include/kerberosV - include files
 
 Here's the configure command i'm using:
 
 # ./configure --prefix=/usr/local/samba \
   --localstatedir=/var \
   --with-configdir=/etc/samba \
   --with-lockdir=/var/spool/samba \
   --with-piddir=/var/run \
   --with-logfilebase=/var/log \
   --with-privatedir=/etc/samba \
   --with-ads \
   --with-winbind \
   --with-krb5 \


--with-krb5=/usr/lib \


   --with-ssl \
   --with-sslinc=/usr/include/ssl \
   --with-ssllib=/usr/lib \
   > configure.out 2> configure.err
 
 
 After it fails, configure.err contains this:
 
 
 configure: WARNING: net/if.h: present but cannot be compiled
 configure: WARNING: net/if.h: check for missing prerequisite headers?
 configure: WARNING: net/if.h: proceeding with the preprocessor's result
 configure: WARNING: rpcsvc/yp_prot.h: present but cannot be compiled
 configure: WARNING: rpcsvc/yp_prot.h: check for missing prerequisite 
 headers?
 configure: WARNING: rpcsvc/yp_prot.h: proceeding with the preprocessor's 
 result
 configure: WARNING: sys/mount.h: present but cannot be compiled
 configure: WARNING: sys/mount.h: check for missing prerequisite headers?
 configure: WARNING: sys/mount.h: proceeding with the preprocessor's 
 result
 configure: WARNING: netinet/ip.h: present but cannot be compiled
 configure: WARNING: netinet/ip.h: check for missing prerequisite 
 headers?
 configure: WARNING: netinet/ip.h: proceeding with the preprocessor's 
 result
 configure: error: libkrb5 is needed for Active Directory support
 
 
 I don't understand why libkrb5 isn't found, since it is in /usr/lib and 
 ldconfig knows where it is:
 $ ls -l /usr/lib/libkrb5.*
 -r--r--r--  5 root  bin  648812 Mar 29 13:51 /usr/lib/libkrb5.a
 -r--r--r--  4 root  bin  457791 Mar 29 13:51 /usr/lib/libkrb5.so.13.0
 $ ldconfig -r | grep krb5
 12:-lkrb5.13.0 = /usr/lib/libkrb5.so.13.0
 
 
 I won't bog the list down with the entirety of configure.out, but here 
 are the last few lines of the file:
 
 
 checking for Active Directory and krb5 support... yes
 checking for krb5-config... /usr/bin/krb5-config
 checking for working krb5-config... yes
 checking krb5.h usability... yes
 checking krb5.h presence... yes
 checking for krb5.h... yes
 checking gssapi.h usability... yes
 checking gssapi.h presence... yes
 checking for gssapi.h... yes
 checking gssapi/gssapi_generic.h usability... no
 checking gssapi/gssapi_generic.h presence... no
 checking for gssapi/gssapi_generic.h... no
 checking gssapi/gssapi.h usability... no
 checking gssapi/gssapi.h presence... no
 checking for gssapi/gssapi.h... no
 checking com_err.h usability... yes
 checking com_err.h presence... yes
 checking for com_err.h... yes
 checking for _et_list in -lcom_err... no
 checking for krb5_encrypt_data in -lk5crypto... no
 checking for des_set_key in -lcrypto... no
 checking for copy_Authenticator in -lasn1... no
 checking for roken_getaddrinfo_hostspec in -lroken... no
 checking for gss_display_status in -lgssapi... no
 checking for krb5_mk_req_extended in -lkrb5... no
 checking for gss_display_status in -lgssapi_krb5... no
 checking for krb5_set_real_time... no
 checking for krb5_set_default_in_tkt_etypes... no
 checking for krb5_set_default_tgs_ktypes... no
 checking for krb5_principal2salt... no
 checking for krb5_use_enctype... no
 checking for krb5_string_to_key... no
 checking for krb5_get_pw_salt... no
 checking for krb5_string_to_key_salt... no
 checking for krb5_auth_con_setkey... no
 checking for krb5_auth_con_setuseruserkey... no
 checking for krb5_locate_kdc... no
 checking for krb5_get_permitted_enctypes... no
 checking for krb5_get_default_in_tkt_etypes... no
 checking for krb5_free_ktypes... no
 checking for krb5_free_data_contents... no
 checking for krb5_principal_get_comp_string... no
 checking for addrtype in krb5_address... no
 checking for addr_type in krb5_address... yes
 checking for enc_part2 in krb5_ticket... no
 checking for keyvalue in krb5_keyblock... yes
 checking for ENCTYPE_ARCFOUR_HMAC_MD5... yes
 checking for 

Re: [Samba] I can't compile samba 3.0.4 with LDAP

2004-06-25 Thread Tim Jordan
Is your samba scheme defined in slapd.conf?

On Fri, 2004-06-25 at 06:06, Piotr Brudny wrote:

 I have downloaded Samba 3.0.4 (tar.gz). I tried to compile samba to work 
 with OpenLDAP 2.1.30
 
 I wrote:
 ./configure --with-ldapsam
 and
 
 make
 
 Then when i issue the make file i get...
 
  
 Using FLAGS = -O -I./popt -Iinclude 
 -I/home/rootk/samba-3.0.4/source/include 
 -I/home/rootk/samba-3.0.4/source/ubiqx 
 -I/home/rootk/samba-3.0.4/source/smbwrapper -I. -D_LARGEFILE64_SOURCE 
 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/home/rootk/samba-3.0.4/source
 LIBS = -lcrypt -lresolv -lnsl -ldl
 LDSHFLAGS = -shared
 LDFLAGS =
 Compiling dynconfig.c
 Compiling smbd/vfs.c
 Compiling passdb/pdb_interface.c
 Compiling passdb/pdb_ldap.c
 passdb/pdb_ldap.c: In function `ldapsam_delete_entry':
 passdb/pdb_ldap.c:276: warning: assignment makes pointer from integer 
 without a cast
 passdb/pdb_ldap.c: In function `ldapsam_update_sam_account':
 passdb/pdb_ldap.c:1480: warning: assignment makes pointer from integer 
 without a cast
 passdb/pdb_ldap.c: In function `ldapsam_add_sam_account':
 passdb/pdb_ldap.c:1627: warning: assignment makes pointer from integer 
 without a cast
 passdb/pdb_ldap.c:1675: warning: assignment makes pointer from integer 
 without a cast
 passdb/pdb_ldap.c: In function `ldapsam_add_group_mapping_entry':
 passdb/pdb_ldap.c:2078: warning: assignment makes pointer from integer 
 without a cast
 passdb/pdb_ldap.c: In function `ldapsam_update_group_mapping_entry':
 passdb/pdb_ldap.c:2163: warning: assignment makes pointer from integer 
 without a cast
 passdb/pdb_ldap.c: In function `ldapsam_modify_aliasmem':
 passdb/pdb_ldap.c:2390: warning: assignment makes pointer from integer 
 without a cast
 passdb/pdb_ldap.c: In function `pdb_init_ldapsam_common':
 passdb/pdb_ldap.c:2651: error: incompatible types in assignment
 passdb/pdb_ldap.c: In function `pdb_init_ldapsam':
 passdb/pdb_ldap.c:2737: error: incompatible types in assignment
 make: *** [passdb/pdb_ldap.o] Error 1
 
 Any suggestion? Samba 3.0.4 doesn't work with OpenLDAP 2.1.30?
 
 Thanks for all information.
 
 Piotr Brudny
 [EMAIL PROTECTED]
 
 
 
 


Re: [Samba] Compilation with Kerberos problem

2004-06-25 Thread Tim Jordan
I think if you do a ./configure --help you can find out default dir's. 
Then you have to define your ./configure..

TJ
On Fri, 2004-06-25 at 08:58, Tom Skeren wrote:

 Wow, 3.5.  I had a number of problems on 5.2.1, maybe they're
 similar.  Here's the configure I use:
 ./configure --exec-prefix=/usr/local --localstatedir=/var
 --with-configdir=/usr/local/etc --with-libdir=/usr/local/lib/samba
 --with-swatdir=/usr/local/share/swat --with-piddir=/var/run
 --with-lockdir=/var/db/samba --with-privatedir=/usr/local/private
 --with-logfilebase=/var/log/samba --with-manpages-langs=en
 --with-libiconv=/usr/local --with-pam --with-readline
 --with-sendfile-support --with-libsmbclient --without-python
 --disable-cups --without-syslog --without-quotas --with-winbind
 --with-ldapsam --without-pam_smbpass --with-ads --with-krb5
 --with-ldap --prefix=/usr/local i386-portbld-freebsd5.2.1
 
 
 Tim Jordan wrote:
 
  On Fri, 2004-06-25 at 06:07, Daniel Ramaley wrote:
  

  
   I'm trying to compile Samba 3.0.4 with Active Directory support on 
   OpenBSD 3.5, using the native Kerberos libraries (which happens to be 
   Heimdal 0.6). Unfortunately, ./configure isn't working right. If anyone 
   can help me figure out what the problem is, i would appreciate it.
   
   First a bit of info on OpenBSD's Kerberos path layout, in case it 
   matters:
   /usr/libexec   - daemons such as: kadmind, kdc, kpasswdd
   /usr/sbin  - admin programs such as: kadmin, kstash, ktutil
   /usr/bin   - user programs such as: kauth, kinit, krb5-config,
   kdestroy, klist
   /usr/lib   - libraries
   /etc/kerberosV - configuration file: krb5.conf
   /usr/include/kerberosV - include files
   
   Here's the configure command i'm using:
   
   # ./configure --prefix=/usr/local/samba \
 --localstatedir=/var \
 --with-configdir=/etc/samba \
 --with-lockdir=/var/spool/samba \
 --with-piddir=/var/run \
 --with-logfilebase=/var/log \
 --with-privatedir=/etc/samba \
 --with-ads \
 --with-winbind \
 --with-krb5 \
   
  
  
  --with-krb5=/usr/lib \
  
  

  
 --with-ssl \
 --with-sslinc=/usr/include/ssl \
 --with-ssllib=/usr/lib \
  > configure.out 2> configure.err
   
   
   After it fails, configure.err contains this:
   
   
   configure: WARNING: net/if.h: present but cannot be compiled
   configure: WARNING: net/if.h: check for missing prerequisite headers?
   configure: WARNING: net/if.h: proceeding with the preprocessor's result
   configure: WARNING: rpcsvc/yp_prot.h: present but cannot be compiled
   configure: WARNING: rpcsvc/yp_prot.h: check for missing prerequisite 
   headers?
   configure: WARNING: rpcsvc/yp_prot.h: proceeding with the preprocessor's 
   result
   configure: WARNING: sys/mount.h: present but cannot be compiled
   configure: WARNING: sys/mount.h: check for missing prerequisite headers?
   configure: WARNING: sys/mount.h: proceeding with the preprocessor's 
   result
   configure: WARNING: netinet/ip.h: present but cannot be compiled
   configure: WARNING: netinet/ip.h: check for missing prerequisite 
   headers?
   configure: WARNING: netinet/ip.h: proceeding with the preprocessor's 
   result
   configure: error: libkrb5 is needed for Active Directory support
   
   
   I don't understand why libkrb5 isn't found, since it is in /usr/lib and 
   ldconfig knows where it is:
   $ ls -l /usr/lib/libkrb5.*
   -r--r--r--  5 root  bin  648812 Mar 29 13:51 /usr/lib/libkrb5.a
   -r--r--r--  4 root  bin  457791 Mar 29 13:51 /usr/lib/libkrb5.so.13.0
   $ ldconfig -r | grep krb5
   12:-lkrb5.13.0 = /usr/lib/libkrb5.so.13.0
   
   
   I won't bog the list down with the entirety of configure.out, but here 
   are the last few lines of the file:
   
   
   checking for Active Directory and krb5 support... yes
   checking for krb5-config... /usr/bin/krb5-config
   checking for working krb5-config... yes
   checking krb5.h usability... yes
   checking krb5.h presence... yes
   checking for krb5.h... yes
   checking gssapi.h usability... yes
   checking gssapi.h presence... yes
   checking for gssapi.h... yes
   checking gssapi/gssapi_generic.h usability... no
   checking gssapi/gssapi_generic.h presence... no
   checking for gssapi/gssapi_generic.h... no
   checking gssapi/gssapi.h usability... no
   checking gssapi/gssapi.h presence... no
   checking for gssapi/gssapi.h... no
   checking com_err.h usability... yes
   checking com_err.h presence... yes
   checking for com_err.h... yes
   checking for _et_list in -lcom_err... no
   checking for krb5_encrypt_data in -lk5crypto... no
   checking for des_set_key in -lcrypto... no
   checking for copy_Authenticator in -lasn1... no
   checking

[Samba] Samba denies access to vaild share

2004-06-21 Thread Tim Jordan
Hello, I'm looking for some help troubleshooting why I can't access this
share.  Everything looks good to me, but smbd does not allow my account
in

Samba 3.0.4 on Debian 


 [2004/06/21 11:41:35, 2] smbd/service.c:make_connection_snum(311)
   user 'LABOR\TIM' (from session setup) not permitted to access this share (ISO)
 [2004/06/21 11:41:35, 3] smbd/error.c:error_packet(118)
   error packet at smbd/reply.c(389) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


[ISO]

   comment = Linux Distros
   path = hdb4/iso/
   browseable = yes
   writable = yes
   valid users = @LABOR\TIM   (I have tested with and without quotes)

Unix Permissions:
drwxrwxrwx9 LABOR\TIM LABOR\Domain Admins  216 May 21 09:43 hdb4

drwxrwxrwx   16 LABOR\TIM LABOR\Domain Admins  392 Jun 21 10:29 iso



RE: [Samba] Samba denies access to vaild share

2004-06-21 Thread Tim Jordan
I have share working fine with:
[Software]
comment = Open Source Software
path = /hdb4/Software
read only = No
guest ok = Yes

But I want to limit access to LABOR\Domain Admins on some shares and
this is just not working.  Winbind is working just fine.  I'm at a
loss..

TJ


On Mon, 2004-06-21 at 11:51, Board, Clint wrote:

 Have you tried accessing it without the valid users directive?
 
 -Original Message-
 From: Tim Jordan [mailto:[EMAIL PROTECTED]
 Sent: Monday, June 21, 2004 2:51 PM
 To: [EMAIL PROTECTED]
 Subject: [Samba] Samba denies access to vaild share
 
 
 Hello, I'm looking for some help troubleshooting why I can't access this
 share.  Everything looks good to me, but smbd does not allow my account
 in
 
 Samba 3.0.4 on Debian 
 
 
  [2004/06/21 11:41:35, 2] smbd/service.c:make_connection_snum(311)
user 'LABOR\TIM' (from session setup) not permitted to access this share
 (ISO)
  [2004/06/21 11:41:35, 3] smbd/error.c:error_packet(118)
error packet at smbd/reply.c(389) cmd=117 (SMBtconX)
 NT_STATUS_ACCESS_DENIED
 
 
 [ISO]
 
comment = Linux Distros
path = hdb4/iso/
browseable = yes
writable = yes
valid users = @LABOR\TIM   (I have tested with and without quotes)
 
 Unix Permissions:
 drwxrwxrwx9 LABOR\TIM LABOR\Domain Admins  216 May 21 09:43 hdb4
 
 drwxrwxrwx   16 LABOR\TIM LABOR\Domain Admins  392 Jun 21 10:29 iso


Re: [Samba] Samba denies access to vaild share

2004-06-21 Thread Tim Jordan
Duhhh!..Ooops!
Thanks, it's working great!

TJ

On Mon, 2004-06-21 at 12:26, Jeremy Allison wrote:

 On Mon, Jun 21, 2004 at 11:50:51AM -0800, Tim Jordan wrote:
  Hello, I'm looking for some help troubleshooting why I can't access this
  share.  Everything looks good to me, but smbd does not allow my account
  in
  
  Samba 3.0.4 on Debian 
  
  
   [2004/06/21 11:41:35, 2] smbd/service.c:make_connection_snum(311)
 user 'LABOR\TIM' (from session setup) not permitted to access this share (ISO)
   [2004/06/21 11:41:35, 3] smbd/error.c:error_packet(118)
 error packet at smbd/reply.c(389) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
  
  
  [ISO]
  
 comment = Linux Distros
 path = hdb4/iso/
 browseable = yes
 writable = yes
 valid users = @LABOR\TIM   (I have tested with and without quotes)
 
 Remove the @ sign. This specifies a group, not a user.
 
 Jeremy.
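
The "@" prefix from the reply above, worked through as an added example (not part of the thread and not Samba's code): a simplified Python model of how a `valid users` entry is read, run on the posted [ISO] share with and without the prefix. The group table and the function names are constructed for illustration.

```python
import re

# Constructed sample input: the [ISO] share as posted in the thread
# (the poster's parenthetical remark after the value is left out).
POSTED = r"""
[ISO]
   comment = Linux Distros
   path = hdb4/iso/
   browseable = yes
   writable = yes
   valid users = @LABOR\TIM
"""
# The same share after following the reply (no "@" prefix).
FIXED = POSTED.replace(r"@LABOR\TIM", r"LABOR\TIM")

# Constructed group table standing in for what winbind/NSS would return.
GROUPS = {r"LABOR\Domain Admins": [r"LABOR\TIM"]}


def parse_shares(text):
    """Return {section: {parameter: value}} for smb.conf-style text."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = shares.setdefault(section.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive and whitespace in them
            # is ignored, so "Valid Users" and "validusers" are the same key.
            current["".join(key.lower().split())] = value.strip()
    return shares


def classify(valid_users):
    """Split a 'valid users' value into (kind, name) pairs."""
    entries = []
    for token in re.findall(r'[@+&]*"[^"]*"|[^\s,]+', valid_users):
        token = token.replace('"', "")
        name = token.lstrip("@+&")
        # smb.conf(5): a leading @, + or & makes the entry a group lookup.
        kind = "group" if name != token else "user"
        entries.append((kind, name))
    return entries


def is_permitted(user, valid_users, groups):
    """Simplified model of the share check; an empty list allows everyone."""
    entries = classify(valid_users)
    if not entries:
        return True
    user = user.lower()
    for kind, name in entries:
        if kind == "user" and name.lower() == user:
            return True
        if kind == "group":
            members = groups.get(name, [])  # unknown group: no members
            if user in (m.lower() for m in members):
                return True
    return False


def check(conf_text, share, user, groups=GROUPS):
    """Parse the config and evaluate one user against one share."""
    params = parse_shares(conf_text)[share]
    return is_permitted(user, params.get("validusers", ""), groups)


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, classify(parse_shares(conf)["ISO"]["validusers"]),
              "permitted" if check(conf, "ISO", r"LABOR\TIM") else "denied")
```

With the prefix, the entry is looked up as a group named LABOR\TIM, which has no members, so the user is refused as in the posted log.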


[Samba] Re: samba Version 3.0.5pre1

2004-05-28 Thread Tim Jordan
Buchan, I'm sending this to the samba list also.  I'm hoping someone can
pick out my config error - if that is what my problem is...

On Fri, 2004-05-28 at 11:16, Buchan Milne wrote:

 
 Tim Jordan wrote:
 | Is this package OK to use?  I started building yesterday and did not
 | notice that it moved from 3.0.4 to 3.0.5.
 
 I haven't used it much myself yet ... been too busy with real work ...
 but we need to get an update out, so I wanted some testing.

I understand, this is the first time this week I have had time to play. 
On a testing note I noticed that the krb5-client package was not
installed with your samba package.  Is this by design?

 
 |  I'm asking because I'm having
 | trouble getting a BDC configuration working.  Trouble seems to be
 | related to winbind.
 |
 
 Are you setting up a BDC to a windows server

YES!  I want to migrate my users over to my samba server.  Then
I will take samba out of the production environment and put it into a
test network at which time I would reconfigure samba to be a PDC.  This
is all for testing, I CAN NOT impact the production domain (labor.ak).

 
 You shouldn't need winbind for a BDC to another samba server (although I
 have seen some ridiculous guides that suggest this ...), you just need
 all the samba servers looking at the same LDAP tree.


Okay, after I joined the labor domain I tried a wbinfo -t and received
this error:
#wbinfo -t
checking the trust secret via RPC calls failed
Error code was STATUS_BUFFER_OVERFLOW (0x8005)
could not check secret

This led me to install winbind.  Obviously I'm off base on that one

 
 | getent passwd - brings up local account then pauses, like it's going to
 | bring in the domain users, and then just ends.  log snip
 |
 | nsswitch/winbind_user.c:winbindd_gerpwent(571)
 |   could not lookup domain user TIMJORDAN
 |
 | If it can't lookup the domain user account, then how does it know
 | TIMJORDAN exists???
 |
 
 Depends what you were doing at the time, but if you were trying to
 access a share or otherwise authenticate, it would know the user you're
 connecting as.
 

The log shows each user in the domain (labor).  I simply issued a getent
passwd command.
I have no local TIMJORDAN account.

 | /etc/samba/smb.conf
 |
 | [global]
 | workgroup = LABOR
 | realm = labor.ak
 | encrypt passwords = yes
 | password server = *
 | passdb backend = ldapsam:ldap://localhost
 | domain master = no
 | domain logons = no
 
 
 This needs to be yes for a BDC.

Really?  I don't want to offer a logon service until I have the samba
server out of our production environment.

 
 | idmap backend = ldap:ldap://localhost
 | ldap admin dn = cn=root,dc=smb2ldap,dc=org
 | ldap suffix = dc=smb2ldap,dc=org
 | ldap machine suffix = ou=computers
 | ldap user suffix = ou=People
 | ldap group suffix = ou=Groups
 | ldap idmap suffix = ou=Idmap
 | ldap ssl = off
 | idmap uid = 1-2
 | idmap gid = 1-2
 | wins server =  ipaddres
 |
 
 Regards,
 Buchan

Thanks Buchan!
TJ

 
 - --
 Buchan Milne  Senior Support Technician
 Obsidian Systems  http://www.obsidian.co.za
 B.EngRHCE (803004789010797)


[Samba] conflicting domain SIDS

2004-05-20 Thread Tim Jordan
I would like to migrate users into my Samba3 server.  Problem is I have
a sambaDomainSID that conflicts with my Windows domain SID.  My backend
is LDAP.  I'm not sure what to delete so I can get my SambaDomainSid in
sync with Windows domain SID and start migrating users.

Thanks!

TJ


Cannot import users from LABOR at this time, as the current domain:
DOL-ANC-SAMBA3: S-1-5-##--##-
conflicts with the remote domain
LABOR: S-1-5-21-##--#



[Samba] Re: samba-server-3.0.4-2mdk

2004-05-17 Thread Tim Jordan
I took your advice late in the day Friday and pointed my urpmi sources
at cooker.  It took care of the Perl upgrade. 

I'm hoping to find time for configuration against the Openldap server I
built.  I really can't believe the Mandrake doc's got me up and running
so quickly.  I even created accounts in ldap for fellow staff members,
including the boss,  and had them log in.  Love the pam_mkhomedir
module!

I've been thinking this morning about how I might duplicate our existing
Active Directory server.  I was thinking of recruiting some scripting
help and just run an ldap search against AD  ldif file.  Then uploading
the ldif file to my Openldap server.  Perhaps that is what Samba's net
vampire script does but I really don't know

Thoughts?

TJ
On Sun, 2004-05-16 at 04:15, Buchan Milne wrote:

 On Fri, 14 May 2004, Tim Jordan wrote:
 
  On Fri, 2004-05-14 at 08:39, Buchan Milne wrote:
  
   Sure. Just look on any cooker mirror. proxad.net is pretty fast:
   ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrakelinux/devel/cooker/i586/Mandrake/RPMS
   
   The 3.0.4-2mdk packages were there yesterday when I mailed you ...
   
  
  Having trouble upgrading Perl-base so the samba-server package will
  install.  Please advise:
  
  # rpm -i samba-server-3.0.4-2mdk.i586.rpm
  error: Failed dependencies:
  perl-base = 2:5.8.4 is needed by samba-server-3.0.4-2mdk
  perl(Net::LDAP) is needed by samba-server-3.0.4-2mdk
  perl(Net::LDAP::LDIF) is needed by samba-server-3.0.4-2mdk
  
 
 D'Oh, forgot perl had been upgraded in cooker ... but, you can (in this 
 case) just --nodeps the samba-server package .. the existing perl-ldap 
 packages you have will work if you don't upgrade perl (so don't).
 
 
  
  # rpm -i perl-base-5.8.4-2mdk.i586.rpm
  file /usr/bin/perl5 from install of perl-base-5.8.4-2mdk
  conflicts with file from package perl-base-5.8.3-5mdk
  file /usr/bin/suidperl from install of perl-base-5.8.4-2mdk
  conflicts with file from package perl-base-5.8.3-5mdk
  
  # rpm -U perl-base-5.8.4-2mdk.i586.rpm
  error: Failed dependencies:
  perl-base = 2:5.8.3-5mdk is needed by (installed)
  perl-5.8.3-5mdk
 
 Either, keep your existing perl-base package, or wait until I have 
 packages on the samba FTP mirrors (early this coming week hopefully).
 
 Regards,
 Buchan
 


Re: [Samba] Samba 3.0.3 Available for Download

2004-05-08 Thread Tim Jordan
Hello Buchan,
Can you please give me the link to your Mandrake packages for current
samba version.  I seem to have misplaced it.  Also, are you maintaining
Openldap for Mandrake?

I've been testing Openldap and pam_ldap, nss_ldap -under Debian with
little success authenticating from ldap.  Thought maybe I could test the
Mandrake packages.

Finally, when setting up Samba to join an Active Directory domain,  do
you find the krb5 ticket types are consistently wrong?  What's the best
approach toward determining what your server (w2K pdc) wants to issue
for krb5 tickets?  Finally can this process be automated so when
installing the Mandrake samba package it can query the kdc for ticket
types and configure the krb5.conf properly?

I hope that makes sense. 

Thanks,
TJ
On Fri, 2004-05-07 at 00:28, Buchan Milne wrote:

 On Thu, 6 May 2004, Chris Garrigues wrote:
 
   From:  Gerald \(Jerry\) Carter [EMAIL PROTECTED]
   Date:  Thu, 29 Apr 2004 08:27:56 -0500
  
   This is the latest stable release of Samba. This is the version
   that production Samba servers should be running for all
   current bug-fixes.  There have been several issues fixes since
   the 3.0.2a release and new features have been added as well.
   See the Changes section for details on exact updates.
  ...
   Binary packages are available at
   
   ~  http://download.samba.org/samba/ftp/Binary_Packages/
  
  Any idea when we might see Mandrake RPMs here for 3.0.3?
 
 As soon as I find out why 3.0.3 breaks winbind on my installation (and 
 vscan doesn't seem to work either).
 
 Regards,
 Buchan


[Samba] wbinfo -a is failing

2004-04-13 Thread Tim Jordan


-Forwarded Message-

 From: Tim Jordan [EMAIL PROTECTED]
 To: Jim Smith [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: Re: [Samba] wbinfo -a is failing
 Date: Tue, 13 Apr 2004 14:40:05 -0800
 
 Samba Team, could you please advise if I have broken security by making
 the following changes.  Thanks.  TJ
 This may or may not be applicable to your case but take a look at the
 following I just did on my Mandrake box:
 
 
  [EMAIL PROTECTED] tim]$ wbinfo -a tim%secret
  plaintext password authentication succeeded
  challenge/response password authentication failed
  error code was NT_STATUS_ACCESS_DENIED (0xc022)
  error messsage was: winbind client not authorized to use winbindd_pam_auth_crap.  
  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.
  Could not authenticate user tim with challenge/response
  [EMAIL PROTECTED] tim]$ ls -l /var/cache/samba/w
  winbindd_cache.tdb   winbindd_idmap.tdb   winbindd_privileged
  [EMAIL PROTECTED] tim]$ ls -l /var/cache/samba/winbindd_privileged/
  ls: /var/cache/samba/winbindd_privileged/: Permission denied
  
  [EMAIL PROTECTED] tim]$ su
  Password:
  
  [EMAIL PROTECTED] tim]# ls -l /var/cache/samba/
  total 6852
  drwxr-x---  2 root root4096 Apr 13 13:43 winbindd_privileged/
  
  
 
 
 Once this worked I changed the group ownership to Domain Admins.  Then I tried 
 again, no root this time, and it succeeded!
 
 
  [EMAIL PROTECTED] tim]# chgrp Domain Admins /var/cache/samba/winbindd_privileged/
  [EMAIL PROTECTED] tim]$ ls -l /var/cache/samba/
  drwxrwx---  2 root Domain Admins4096 Apr 13 13:43 winbindd_privileged/
  [EMAIL PROTECTED] tim]$ wbinfo -a tim%secret
  plaintext password authentication succeeded
  challenge/response password authentication succeeded
  
 
 
 
 I hope this helps.  TJ
 
 On Tue, 2004-04-13 at 14:16, Jim Smith wrote:
 
  I have edited /etc/pam.d/login to include the following
  
  auth   sufficient   /lib/security/pam_winbind.so
  
  account   sufficient   /lib/security/pam_winbind.so
  
  but at that point I am still not able to use wbinfo -a but that also broke wbinfo -u 
  and wbinfo -g 
  
  I got the documentation from here.
  
  http://us3.samba.org/samba/docs/using_samba/ch09.html
  
  
  
  
  
  Jim
  
  
  
  - Original Message -
  From: Tim Jordan [EMAIL PROTECTED]
  Date: Tue, 13 Apr 2004 11:29:50 -0800
  To: Jim Smith [EMAIL PROTECTED]
  Subject: Re: [Samba] wbinfo -a is failing
  
   Good winbindd is working.
   
   Here are notes from a server I configured about a year ago.  This may help
   in your case.  I do know that some systems function differently with
   pam.  Also pam is very touchy - so you may have to tweak your configs
   until it works.
   
   /etc/pam.d/login
   auth     required    /lib/security/pam_securetty.so
   auth     required    /lib/security/pam_nologin.so
   auth     sufficient  /lib/security/pam_winbind.so
   auth     sufficient  /lib/security/pam_env.so
   auth     required    /lib/security/pam_unix.so use_first_pass nullok
   
   account  sufficient  /lib/security/pam_winbind.so
   account  sufficient  /lib/security/pam_unix.so
   
   
   /etc/pam.d/system-auth
   auth     required    /lib/security/pam_env.so
   auth     sufficient  /lib/security/pam_winbind.so
   auth     sufficient  /lib/security/pam_unix.so use_first_pass nullok use_first_pass
   auth     required    /lib/security/pam_deny.so
   
   account  sufficient  /lib/security/pam_winbind.so
   account  sufficient  /lib/security/pam_unix.so
   
   
   I'll be here for another hour if I can help,
   TJ
   
   On Tue, 2004-04-13 at 13:12, Jim Smith wrote:
   
wbinfo -u and wbinfo -g both work and report back the users and groups from 
the AD domain.


Jim
- Original Message -
From: Tim Jordan [EMAIL PROTECTED]
Date: Tue, 13 Apr 2004 10:44:18 -0800
To: Jim Smith [EMAIL PROTECTED]
Subject: Re: [Samba] wbinfo -a is failing

 If you're going to logon with AD doing the authentication - then yes you
 need to tweak your pam.d/login.
 
 You should be able to query the domain for users and groups if you
 configured properly.
 wbinfo -u
 wbinfo -g
 
 Let me know,
 TJ
 On Tue, 2004-04-13 at 12:28, Jim Smith wrote:
 
  I specified it in my smb.conf by  password server = 
  ip.address.of.MS.AD.server
  
  I have not edited my /etc/pam.d/login file maybe that is the problem...
  
  When I try to use wbinfo and I check tcpdump I do not see any traffic 
  coming across to the AD server so it seems the traffic is not getting off 
  the samba server and going to the AD server.
  
  
  
  
  Jim
  - Original Message -
  From: Tim Jordan [EMAIL PROTECTED]
  Date: Tue, 13 Apr 2004 10:22:00 -0800
  To: Jim Smith [EMAIL PROTECTED]
  Subject: Re: [Samba] wbinfo -a is failing
  
   Jim, did you
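
An added example (not part of the thread and not Samba code): a Python check that compares a winbindd_privileged directory with the first listing in the forwarded message (root:root, drwxr-x---) and reports which group the directory is open to. The function names and the scratch-directory demo are assumptions for illustration.

```python
import grp
import os
import stat
import tempfile

# Baseline taken from the first listing in the message: drwxr-x--- root root.
BASELINE_MODE = 0o750


def audit_privileged_dir(path, expected_uid=0, expected_gid=0):
    """Return a list of deviations from the baseline for `path`."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("not a directory")
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"group gid {st.st_gid}, expected {expected_gid}")
    extra = mode & ~BASELINE_MODE  # permission bits beyond rwxr-x---
    if extra & stat.S_IWGRP:
        findings.append("group-writable")
    if extra & stat.S_IRWXO:
        findings.append("accessible to other users")
    return findings


def group_reach(path):
    """Name and listed members of the owning group, if it can enter the dir.

    Only members listed in the group entry are returned; accounts that have
    the group as their primary group are not included.
    """
    st = os.stat(path)
    if not st.st_mode & stat.S_IXGRP:
        return None
    try:
        entry = grp.getgrgid(st.st_gid)
        return entry.gr_name, list(entry.gr_mem)
    except KeyError:  # gid has no name on this system
        return str(st.st_gid), []


def demo():
    """Replay the two listings from the message on a scratch directory."""
    scratch = tempfile.mkdtemp()
    uid, gid = os.getuid(), os.stat(scratch).st_gid
    try:
        os.chmod(scratch, 0o750)  # first listing: drwxr-x---
        before = audit_privileged_dir(scratch, uid, gid)
        os.chmod(scratch, 0o770)  # second listing: drwxrwx---
        # A different expected gid stands in for the chgrp to another group,
        # which an unprivileged demo cannot perform itself.
        after = audit_privileged_dir(scratch, uid, gid + 1)
        return before, after
    finally:
        os.rmdir(scratch)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "matches baseline")
    print("after: ", after)
```

On a real host, call `audit_privileged_dir("/var/cache/samba/winbindd_privileged")` as root and review `group_reach()` for the same path.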

[Samba] Help with samba migration

2004-02-27 Thread Tim Jordan
-Forwarded Message-

 From: Jeremy Austin [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Help with samba migration (long)
 Date: Fri, 27 Feb 2004 12:36:10 -0900
 
 
 Mostly about WebDAV...
 
 I'm most of the IT department for a small non-profit school etc., and 
 I'm mulling over some serious issues here, guys. Wonder if anyone has 
 some thoughts to add. Sorry this is so long --
 
 Existing services (among others):
   Support 100 users
   Provide cross-platform file share access
   ~ 100 Clients: Windows 95/98/NT4/2K/XP Home/XP Pro/Mac OS X
   Public user file spaces
   Web file access
   Email/webmail/groupware
   Must support computers not under my direct administration
 
 New goals:
   Private user file spaces
 
 Current setup:
   Mandrake 9.x
   Samba 3/LDAP
   Postfix/IMAP
 
 I've been running Samba for 5 years, running a NT-style domain.  I 
 don't have the network bandwidth to support roaming profiles, nor do I 
 have the space on shared computers (approx. 3 dozen, mixed OSen) for 
 tons of local profiles. So we've been using one account (shared) for 
 public file access -- shares get mounted with an on-the-fly logon 
 script, and individual accounts for email, groupware, web apps, etc. I 
 can't give all domain users Administrator privileges on newer MS OSes 
 -- and therefore on the domain -- and yet they must, in general, run 
 with admin privileges because of legacy applications we haven't the 
 budget to replace. So I'm pretty sure I'm going to have to stick with 
 single profiles on shared computers; I haven't the network bandwidth or 
 hard drive space for roaming profiles.
 
 Windows 2K or XP allow one to specify an account when connecting to a 
 network share, so we're halfway there. Windows 9x, however, are a real 
 pain in the rear -- everyone can use the same local profile, but 
 logging on and off (to switch users) is too slow. Win2K or XP often 
 require one to log off anyway to reconnect to a given share with 
 different credentials. (I can't teach 5th graders the intricacies of 
 net use /delete...)
 
 Possible solution:
   Continue using single logon for public shares + samba and
   Use something else (nfs, afp, WebDAV) for private shares
 
 There are some reportedly good commercial NFS clients, but I don't have 
 the budget for it. Nor can I afford AFP clients.
 
 I've looked into WebDAV -- South River has a client that maps drive 
 letters (would cost me $1500 for 100 users). Internet Explorer has its 
 'Web Folders' feature, which allows me to put shares into My Network 
 Places -- this might be adequate, and would work nicely, I think. I see 
 a number of universities online doing this.
 
 Likely to be a problem with WebDAV (as in mod_dav) is that all files 
 (and hence user directories) must be owned by apache, thus trashing my 
 quotas. mod_dav FAQ says, in short, "If you understand the security 
 issues in running apache as root, write your own code and suid." I'm 
 not quite capable of doing that. MoulDAVia, which purports to solve 
 this problem, appears to be 403 at the moment and sounds like it was 
 never finished. The universities must have this figured out, since I 
 see lots of them online using WebDAV.
 
 If I give up having quota support, and roll my own, then I could do 
 mod_dav. I could use linux quota support for everything but 
 apache-owned files, and run a handy-dandy script with du -s, I'm sure, 
 for everything else. My home directories would look like this:
 Owner       Group   Directory
 someuser    users   /home/someuser
                     /home/someuser/Mail    - webmail accessible
 apache      apache  /home/someuser/Private - WebDAV accessible
 shareduser  users   /home/someuser/Public  - linked to separate SMB Public share
 
 Does anyone think I should use mod_dav? If there are any caveats I'm 
 missing, I'd love to hear from anyone.
 
 Thanks to any and all,
 Jeremy Austin
 Whitestone Schools
 


[Samba] Building SAMBA3/LDAP in VMware

2004-02-19 Thread Tim Jordan
I've worked with Samba 3 in an Active Directory environment.  Now it's
time to learn Openldap and eventually migrate an existing Active
Directory domain.

Looking for a good How To or Guide for Openldap, Samba 3, and Debian
Woody.

The State of Alaska is evaluating File & Print Server standards as they
are moving our IT into an Enterprise-wide system (consolidating all
departmental IT).  Currently Novell & MS are being discussed.  I'd like
to get Samba/LDAP involved if I can present a good showing.  Currently
our Enterprise email system is being authenticated from Sun One.  It
would be great if I could configure Samba to use the Sun directory
server for demonstration.

Thanks,
Tim


Re: [Samba] setting up samba3 on rh9 using win bind

2004-01-08 Thread Tim Jordan
  I have winbind running and both the wbinfo, and getent passwd commands
  return users and groups from the windows domain.
  
  Samba is set up, using the gui but when I try and add users, the domain
  users do not appear in the list.

Hi Tim,
The idea behind winbind is that you don't have to add domain users.  Winbind will
query the PDC for authentication.  If they are in the Windows domain, good enough.

The step by step instruction you're looking for is currently The Official SAMBA 3 - HOW
TO by John Terpstra and Jelmer Vernooij.
It's not exactly step by step but from your email it will be a great help to you!  For
now look over the How To documentation at samba.org.

Also, what security parameter are you using in the smb.conf?  I use security=ads for
taking advantage of Kerberos since our domain is W2K.  I have used security=domain,
which also uses winbindd but is not nearly as slick (with this config you do have to
map M$ users to *nix users).

It seems winbindd is working from wbinfo and getent so now you should look at setting
up your groupmappings, test the smbclient against a windows share, setup a share in
smb.conf, check the *nix permissions on the directory you're sharing, then with smbd,
nmbd, winbindd, running try to connect from a M$ client.

Finally, since you're new I would suggest giving Mandrake 9.2 a try with samba packages
from
http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1
I found it very easy to setup and you can use SWAT to manage the Samba server.

If you want I can assist you via email.
Good Luck,
Tim Jordan



On Thu, 2004-01-08 at 12:15, Tim Thorpe wrote:
 I have been attempting to set up RH9 as a file server using Windows
 authentication.
 
 I have winbind running and both the wbinfo, and getent passwd commands
 return users and groups from the windows domain.
 
 Samba is set up, using the gui but when I try and add users, the domain
 users do not appear in the list.
 
 I am sure the gurus will tell me not to use the gui's but I am really new at
 this and would like to get this running in a relative hurry.
 
 Are there step by step instructions anywhere for setting up Samba, using a
 Windows DC for authentication, on RH9.
 
 If you gurus can walk me through setting this up from the command line I
 will greatly appreciate that also.
 
 I did download a document from geceventures.com that I thought would help
 but the first thing it tells me to do is On the Linux server, add user...
 
 Adding users that already exist on my DC to the linux box is exactly what I
 would like to avoid.
 
 TIA,
 
 TPT
 



Re: Re[2]: [Samba] Winbind login: has DOMAIN+user, wants user

2004-01-02 Thread Tim Jordan
Try stopping all the related services: smbd, nmbd, winbindd then wait a
minute and restart them.  Try your getent passwd and see where you
stand.

Tim
On Wed, 2003-12-31 at 23:07, Sean Lee wrote:

 I stopped Samba, rm -rf /var/lib/samba/*tdb, edited the config file
 (winbind use default domain = yes), started Samba. 
 The situation is the same - DOMAIN+john can login, john cannot.
 getent passwd and getent group show Windows accounts with the
 domain portion, I don't get it - there is very little to configure until
 the getent step... Is it possible that I misconfigured something else?
 
 [EMAIL PROTECTED] pam.d]# getent passwd | grep john
 DOMAIN+john:x:10004:1:john:/home/winnt/DOMAIN/john:/bin/bash
 [EMAIL PROTECTED] pam.d]# wbinfo -u
 DOMAIN+Administrator
 DOMAIN+Guest
 DOMAIN+john
 ...
 
 Jan  1 23:52:50 redhat9 login(pam_unix)[30046]: check pass; user unknown
 Jan  1 23:52:50 redhat9 login(pam_unix)[30046]: authentication failure; logname= 
 uid=0 euid=0 tty=tty1 ruser= rhost=
 Jan  1 23:52:59 redhat9 pam_winbind[30046]: request failed: Unexpected information 
 received, PAM error was 4, NT error was NT_STATUS_INVALID_PARAMETER
 Jan  1 23:52:59 redhat9 pam_winbind[30046]: internal module error (retval = 4, user 
 = `john'
 Jan  1 23:52:59 redhat9 login(pam_unix)[30046]: check pass; user unknown
 Jan  1 23:53:01 redhat9 login[30046]: FAILED LOGIN 1 FROM (null) FOR john, 
 Authentication failure
 Jan  1 23:53:07 redhat9 pam_winbind[30046]: user 'DOMAIN+john' granted acces
 Jan  1 23:53:07 redhat9 pam_winbind[30046]: user 'DOMAIN+john' granted acces
 Jan  1 23:53:07 redhat9 login(pam_unix)[30046]: session opened for user DOMAIN+john 
 by (uid=0)
 Jan  1 23:53:07 redhat9  -- DOMAIN+john[30046]: LOGIN ON tty1 BY DOMAIN+john
 
 Thanks & Happy New Year
 Sean
 
 
 On Wed, 31 Dec 2003 15:49:09 + (GMT)
 John H Terpstra [EMAIL PROTECTED] wrote:
 
  On Wed, 31 Dec 2003, Sean Lee wrote:
  
   Hello,
  
   I'm using RH9 with latest Samba 3.0.x-x
  
   I configured winbind as per
   http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#id2935561
   I use the default smb.conf with following (from URL above) added to its
   global section:
  
   winbind separator = +
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum users = yes
   winbind enum groups = yes
   use nss_winbind = yes
   template homedir = /home/winnt/%D/%U
   template shell = /bin/bash
  
  Add:
  
  winbind use default domain = Yes
  
  
   I cannot login using Active Directory's username; instead I must use
   login DOMAIN+username at login prompt as recommended at
   http://lists.samba.org/archive/samba/2002-June/045313.html, otherwise I
   get the same error as mentioned at this URL.
  
   Why is that? I want to auth SMTP users via winbind so I want to be able
   to use user instead of DOMAIN+user.
  
  If the above change does not work for you let me know.
  
  PS: For this to work you must:
  1. Make the change shown
  2. Stop Samba
  3. Delete your existing /var/lib/samba/*tdb files
  (could be in /var/cache/samba/*tdb or
  /usr/local/samba/var/(tdb)
  4. Restart Samba
  
  Make certain that: getent passwd
  shows your accounts without the Domain name portion.
  
  - John T.
  -- 
  John H Terpstra
  Email: [EMAIL PROTECTED]
 


Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

2003-12-23 Thread Tim Jordan
Fernando, hello again.

I would really like to help test your setup.  I do have it working under
RPMs that Buchan Milne packaged for Mandrake 9.2.  

I cannot get AD domain member working under Samba 3.0.1 compiled from
source.  I'm getting the same problems everyone else on the list is
complaining about...

Please provide your OS platform, ./configure options, design goals
etc...

I look forward to working with you,
Tim Jordan


On Tue, 2003-12-23 at 11:19, Fernando Ruza wrote:

 Still with the problem. I have tested with version 3.0.0 and, right,
 I can see the shares; however, I cannot connect to the home shares or shares
 with the valid users option in smb.conf. Besides, this version cannot
 substitute the %D %u %U %S variables correctly. I have written them in
 the comment option of a share and I can see that the values are not
 correct. %D gives me the samba hostname, %S gives me IPC_
 
 Trying with version 3.0.1, I cannot see any shares.
 
 Trying with version 3.0.1rc2, it's the same as 3.0.0, but it seems
 that some variables are correct, like %u, but %U is empty. I don't know, it is
 very strange. It worked once with this version after I changed the
 password for the Administrator of my PDC/KDC and the user I use to test
 the shares; however, after the next reboot of the WinXP client machine it
 no longer works.
 
 I think that making Samba 3 a member of AD is not working properly.
 Has anyone got it working? Could someone make a howto?
 
 Thanks in advance,
 
 Fernando.
 
 
 On Fri, 2003-12-19 at 14:00, C.Lee Taylor wrote:
  Greetings ...
 
  Sorry for the long post, but I prefer to keep a copy of what I think
  is needed for this thread ...
 
  As requested, here is my smb.conf ... I have left in my comments to
  show what I have been changing to see if it makes a difference ... plus
  some shares ( not all that I use ) ...
 
  # Global parameters
  [global]
  workgroup = TEST-ZA
  realm = TEST-ZA.CORP
  security = ads
  #   netbios aliases = nasrec
  server string = Samba Server %v %h
  interfaces = eth0*,lo
  bind interfaces only = Yes
  #   encrypt passwords = Yes
  #   update encrypted = Yes
  #   min passwd length = 4
  #   pam password change = Yes
  #   passwd program = /usr/bin/passwd %u
  #   passwd chat debug = Yes
  #   unix password sync = Yes
  #   username map = /etc/samba/smbusers
  #   admin users = administrator, TEST-ZA\administrator
  log file = /var/log/samba/%m.log
  max log size = 150
  time server = Yes
  unix extensions = Yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  logon script = login.bat
  logon drive = l:
  domain logons = no
  #   lm announce = yes
  preferred master = no
  domain master = no
  #   dns proxy = yes
  #   wins support = yes
  #   wins server = *
  #   wins server = naszadc01.test-za.corp, naszadc02.test-za.corp
  wins server = 10.1.1.16, 10.1.1.17
  utmp = Yes
  message command = /bin/mail -s 'message from %f on %m' root 
  %s; rm %s
  comment = Test Nasrec Linux Box
  create mask = 0660
  force create mode = 0660
  directory mask = 0770
  force directory mode = 0770
  inherit permissions = Yes
  map archive = No
 
  #   name resolve order = host, wins
  #   password server = *
  password server = 10.1.1.16, 10.1.1.17
 
  #   ldap suffix = dc=test-za,dc=corp
  #   ldap idmap suffix = ou=idmap
  #   ldap admin dn = cn=root,dc=test-za,dc=corp
  ldap suffix = dc=test,dc=co,dc=za
  ldap admin dn = cn=Manager,dc=test,dc=co,dc=za
  ldap idmap suffix = ou=idmap
  #   ldap ssl = start tls
  ldap ssl = no
  #   ldap passwd sync = yes
 
  #   winbind separator = +
  #   idmap backend = ldap:ldap://localhost
  idmap backend = ldap:ldap://zeus.test.co.za
  idmap uid = 1-2
  idmap gid = 1-2
 
  #   client schannel = no
  #   server schannel = no
 
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  #   winbind trusted domains only = yes
 
  #   template shell = /sbin/nologin
  #   template shell = /bin/bash
  #   template homedir = /home/%D/%U
  template homedir = /home/TEST-ZA/%U
 
  load printers = yes
  printing = cups
  printcap = cups
 
  #   log level = 1
 
  #   guest account = NULL
  restrict anonymous = yes
 
  [printers]
  comment = All Printers
  path = /var/spool/samba
  guest ok = Yes
  printable = Yes
  browseable = No
  public = yes
  writable = no
  write list = root, Administrator, TEST-ZA\Administrator
  printer admin = root, Administrator, TEST-ZA

Re: [Samba] Problem Restarting Samba3

2003-12-22 Thread Tim Jordan
Sounds like you may not be stopping the smbd3 completely.  How are you
stopping the service?  Do verify that the smbd3 is stopped:
ps -ae | grep smbd3

Also, here are the latest Mandrake RPMs for Samba:
http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1

Good luck,
TJ
On Mon, 2003-12-22 at 15:49, [EMAIL PROTECTED] wrote:

 I have Samba 3.0.0 installed on Mandrake 9.2. I also have Samba 2.8.8a 
 installed per instructions from Mandrake -- but I do NOT start Samba 2.8.8a 
 automatically. In fact, I don't use it at all. Maybe I should uninstall the Samba 
 2.8.8a rpm??? I will update to 3.0.1 as soon as an rpm is available from Mandrake. 
 
 Anyway, I have a problem when I try to add a new share to my smb.conf file. I 
 can't make it accessible to my Windows machines unless I reboot the Linux 
 box. Simply restarting Samba3 doesn't do the trick (I think it's making Samba 
 2.2.8a START after shutting down Samba 3.0.0). 
 
 Is there any trick to adding new shares and making them accessible to Windows 
 without restarting either Samba3 or the whole server? 
 
 And if I have to restart Samba3 -- and if I succeed in making it really 
 restart -- won't that disconnect Windows users who are already connected to the 
 server? 
 
 Thanks for your advice. 
 Andy Liebman


Re: FW: [Samba] Cannot access shares from a Win2k client

2003-12-19 Thread Tim Jordan


This is keeping you from seeing DOMAIN\username:
 winbind use default domain = yes
Personally I like this option especially when you have large domains
with trust relationships.

You also may want to look at putting client use spnego = yes into your
smb.conf since you're using W2k3.

Can you get a valid Kerberos ticket from kinit?

What does your klist -e look like?

Several of us are trying to nail out similar errors.  I have this
working correctly on a Mandrake 9.2 server using Samba3.0.pre1, but
it's not working on my Gentoo box running Samba3.0.1

Look for my post and maybe compare notes...

Tim




On Fri, 2003-12-19 at 23:22, Brian Spiegel wrote:
 Here's a followup.  I also get these errors in the smbd logs.  The thing is,
 the share directory has full permissions (0777) and the smb.conf is set to
 be fully readable, writeable and okay for guests.
 
 [2003/12/19 15:21:23, 0] smbd/service.c:make_connection_snum(677)
   '/home/bspiegel/test/' does not exist or is not a directory, when
 connecting to [test]
 [2003/12/19 15:21:23, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2003/12/19 15:21:23, 3] smbd/connection.c:yield_connection(69)
   Yielding connection to test
 [2003/12/19 15:21:23, 3] smbd/error.c:error_packet(94)
   error string = Permission denied
 [2003/12/19 15:21:23, 3] smbd/error.c:error_packet(118)
   error packet at smbd/reply.c(286) cmd=117 (SMBtconX)
 NT_STATUS_BAD_NETWORK_NAME
 
 
 -Original Message-
 From: Brian Spiegel [mailto:[EMAIL PROTECTED] 
 Sent: Friday, December 19, 2003 2:53 PM
 To: '[EMAIL PROTECTED]'
 Subject: [Samba] Cannot access shares from a Win2k client
 
 Hey all.
 
 I'm running Samba 3.0.1 as a domain member in a Win2k3 ADS domain.  I'm
 attempting to view shares on the samba server via a Win2000 client.
 
 I've been getting the following messages from the smbd logs and I'm
 wondering why.  I can connect to the Samba server (using the IP only) to
 view which shares are available, but when I double click the share to access
 it, I get a network name cannot be found on the share.
 
 From smbd log:
 [2003/12/19 14:25:08, 3] libads/kerberos_verify.c:setup_keytab(147)
   unable to create MEMORY: keytab (Unknown Key table type)
 [2003/12/19 14:25:08, 3] libads/kerberos_verify.c:ads_verify_ticket(280)
   ads_verify_ticket: unable to setup keytab
 [2003/12/19 14:25:08, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
   Failed to verify incoming ticket!
 
 Can anyone shed some light on what this might be caused by?
 
 Also, I'm running winbind for UNIX/Windows user/group mapping.  The 'wbinfo
 -u' command works, but it spits out only the user names rather than
 DOMAIN\username.  Since usernames aren't unique across our OSes, 'getent
 passwd' results in duplicate entries.  Groups are not prefixed by their
 domain either.  Anyone have this problem?
 
 Below are my configs:
 
 smb.conf
 --
 [global]
 ; smbd settings
 log level = 3
 log file = /var/log/samba/log.%m
 server string = %U [Samba Server %v]
 ; Active Directory settings
 ;dns proxy = yes
 workgroup = FOO
 security = ADS
 realm = FOO.COM
 local master = no
 domain master = no
 preferred master = no
 os level = 0
 ; winbind stuff
 winbind separator = +
 winbind enum users = yes
 idmap uid = 1-2
 winbind enum groups = yes
 idmap gid = 1-2
 winbind use default domain = yes
 password server = dc.foo.com
 encrypt passwords = yes
 
 [test]
 comment = Samba functionality test directory
 path = /home/user/test/
 read only = no
 browsable = yes
 writable = yes
 guest ok = yes
 
 
 krb5.conf
 --
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
  ticket_lifetime = 24000
  default_realm = FOO.COM
  default_tgs_enctypes = des-cbc-crc des-cbc-md5 
  default_tkt_enctypes = des-cbc-crc des-cbc-md5 
  dns_lookup_realm = true
  dns_lookup_kdc = true
 
 [realms]
   FOO.COM = {
   kdc = dc.foo.com:88
   admin_server = dc.foo.com:749
   default_domain = foo.com
  }
 
 [domain_realm]
  .foo.com = FOO.COM
  foo.com = FOO.COM
 
 [kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf
 
 [appdefaults]
  pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
  }
 
 
  nsswitch.conf
  --
  ...
  passwd: files winbind
  shadow: files
  group:  files winbind
  host:   files dns winbind
 


[Samba] winbind failing to find user in Active Directory

2003-12-19 Thread Tim Jordan
I have my Mandrake 9.2 box running as a domain member for a W2K AD
domain.  This is a new problem or I'm missing something really obvious.

Possible bug?

Setup:
Samba Server 3.0.1 = ANC-GENTOO
Windows Domain = LABOR
windows xp client = ANC-07-14927xp
tim = Windows Active Directory Domain Account

Getting this check_winbind_security error when trying to connect to
Samba via windows client (xp):
**
[2003/12/19 21:43:24, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2003/12/19 21:43:24, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is:
[EMAIL PROTECTED]
[2003/12/19 21:43:24, 3] auth/auth_winbind.c:check_winbind_security(79)
  check_winbind_security: Not using winbind, requested domain was for
this SAM.
[2003/12/19 21:43:24, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [tim] - [tim] FAILED
with error NT_STATUS_NO_SUCH_USER
[2003/12/19 21:43:25, 3] smbd/process.c:timeout_processing(1104)
  timeout_processing: End of file from client (client has disconnected).
**

1. winbind is working:  
# wbinfo -u | grep tim
tim

# getent group | grep Domain Admins
Domain Admins:x:10003:tim, Administrator, etc..., ,,...,..

2. I noticed that when trying to connect to my Samba shares the username
and password comes back as:
username: ANC-Gentoo\tim
   
   It should read:
username: LABOR\tim

3. I took it out of the domain and then rejoined the domain:

 net ads join -U tim%password
 Using short domain name -- LABOR
Joined 'ANC-GENTOO' to realm 'LABOR.AK'

4. klist -e
   12/19/03 22:45:54  12/20/03 03:58:16  [EMAIL PROTECTED]
   Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with
RSA-MD5



Now when trying to connect to Samba from XP workstation:


[2003/12/19 22:47:44, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2003/12/19 22:47:44, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/12/19 22:47:44, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/12/19 22:47:44, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/12/19 22:47:44, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [tim] - [tim] FAILED
with error NT_STATUS_NO_SUCH_USER
[2003/12/19 22:47:44, 3] smbd/process.c:timeout_processing(1104)
  timeout_processing: End of file from client (client has disconnected).
**

I noticed the domain field changed to properly read LABOR\tim.  Problem
is Samba still can't find my domain account!


My brain is melting so I'm taking a break...here are my .config files
Tim

smb.conf:
[global]
   

workgroup = LABOR
realm = LABOR.AK
server string = Samba Server %v
printcap name = cups
load printers = yes
printing = cups
printer admin = @Domain Admins
log file = /usr/local/samba/var/log.%m
max log size = 100
log level = 10
security = ads
password server = ipaddress of pdc
encrypt passwords = yes
winbind uid = 1-2
winbind gid = 1-2
#winbind use default domain = yes
allow trusted domains = no
auth methods = winbind
template homedir = /home/%D/%U
obey pam restrictions = yes
template shell = /bin/bash
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 0
domain master = no
preferred master = no
domain logons = no
add user script = /usr/sbin/useradd -s /bin/false '%u'
idmap uid = 1-2
idmap gid = 1-2
name resolve order = wins lmhosts bcast
wins server = ipaddress of winsserver
dns proxy = no
   










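
The two log excerpts in the post above can be reduced to one line per failed logon. The following is an added example, not part of the original post and not Samba code: it re-joins the wrapped continuation lines, extracts each check_ntlm_password failure, and records whether check_winbind_security skipped winbind because the request was treated as being for the server's own SAM. The sample log is constructed, and the unredacted [DOMAIN]\[user]@[WORKSTATION] form and all function names are assumptions.

```python
"""Summarise failed logons from smbd log text (added example, not Samba code)."""
import re
from collections import Counter

# Header line, e.g. "[2003/12/19 21:43:24, 3] auth/auth.c:check_ntlm_password(219)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
# Assumed unredacted form: "unmapped user [DOMAIN]\[user]@[WORKSTATION]".
START = re.compile(
    r"Checking password for unmapped user\s*"
    r"(?:\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\])?")
# Accepts "->" and the bare "-" left where an archive stripped the ">".
FAILED = re.compile(
    r"Authentication for user \[([^\]]*)\] -?>? \[([^\]]*)\] "
    r"FAILED with error (NT_STATUS_\w+)")
LOCAL_SAM = "Not using winbind, requested domain was for this SAM"

# Constructed sample in the layout quoted in the thread; names are made up.
SAMPLE_LOG = r"""[2003/12/19 21:43:24, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[FILESRV]\[alice]@[WS01] with the new password interface
[2003/12/19 21:43:24, 3] auth/auth_winbind.c:check_winbind_security(79)
  check_winbind_security: Not using winbind, requested domain was for
this SAM.
[2003/12/19 21:43:24, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED
with error NT_STATUS_NO_SUCH_USER
[2003/12/19 21:44:02, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[bob]@[WS02] with the new password interface
[2003/12/19 21:44:02, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
[2003/12/19 21:44:03, 3] smbd/process.c:timeout_processing(1104)
  timeout_processing: End of file from client (client has disconnected).
[2003/12/19 21:45:10, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[FILESRV]\[alice]@[WS01] with the new password interface
[2003/12/19 21:45:10, 3] auth/auth_winbind.c:check_winbind_security(79)
  check_winbind_security: Not using winbind, requested domain was for this SAM.
[2003/12/19 21:45:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED
with error NT_STATUS_NO_SUCH_USER
"""


def parse_records(text):
    """Group lines into records; anything that is not a header continues the
    previous message, which also undoes mail-client line wrapping."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, source, func, _lineno = m.groups()
            records.append({"time": ts, "level": int(level), "source": source,
                            "function": func, "message": ""})
        elif records and line.strip():
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + line.strip()).strip()
    return records


def failed_logons(records):
    """One dict per failed logon. State is tracked in file order, so feed it a
    per-client log (log file = .../log.%m, as in the thread's configs)."""
    failures, domain, local_sam = [], None, False
    for rec in records:
        msg = rec["message"]
        m = START.search(msg)
        if m:                       # a new attempt begins: reset the state
            domain, local_sam = m.group(1), False
            continue
        if LOCAL_SAM in msg:        # winbind was bypassed for this attempt
            local_sam = True
            continue
        m = FAILED.search(msg)
        if m:
            failures.append({"time": rec["time"], "user": m.group(2),
                             "status": m.group(3), "client_domain": domain,
                             "winbind_skipped": local_sam})
            domain, local_sam = None, False
    return failures


def summarize(failures):
    """Count failures per (mapped user, NT status)."""
    return Counter((f["user"], f["status"]) for f in failures)


if __name__ == "__main__":
    for f in failed_logons(parse_records(SAMPLE_LOG)):
        print(f)
    print(summarize(failed_logons(parse_records(SAMPLE_LOG))))
```

A failure with winbind_skipped set and NT_STATUS_NO_SUCH_USER matches the symptom in the post: the domain account was looked up in the local SAM, where it does not exist.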


[Samba] Samba working in Active Directory .config's included

2003-12-19 Thread Tim jordan
I'm struggling just as much as the next person on this setup, although
I do have it working under Mandrake 9.2 with Samba3.0.pre1.

Perhaps we can work together and figure out what is different between
setups.

smb.conf:

 #=== Global Settings =
 [global]
 
 # 1. Server Naming Options:
workgroup = LABOR
realm = LABOR.AK
server string = Samba Server %v
 # 2. Printing Options:
printcap name = cups
load printers = yes
printing = cups
 # This should work well for winbind:
   printer admin = @Domain Admins
 
 # 3. Logging Options:
log file = /var/log/samba3/log.%m
max log size = 50
log level = 5
 
 # 4. Security and Domain Membership Options:
security = ads
password server = ipaddress of w2k pdc
encrypt passwords = yes
 
 # 5. Winbind
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
allow trusted domains = no
template homedir = /home/%D/%U
obey pam restrictions = yes
template shell = /bin/bash
 
 # 5. Browser Control and Networking Options:
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 0
domain master = no
preferred master = no
 /etc/pam.d/samba
 
 #%PAM-1.0
  auth       required /lib/security/pam_nologin.so
  auth       required /lib/security/pam_stack.so service=system-auth
  account    required /lib/security/pam_stack.so service=system-auth
  session    required /lib/security/pam_stack.so service=system-auth
  
 /etc/pam.d/system-auth
 #%PAM-1.0
 auth       required   /lib/security/pam_nologin.so
 auth       required   /lib/security/pam_stack.so service=system-auth
 account    required   /lib/security/pam_stack.so service=system-auth
 session    required   /lib/security/pam_stack.so service=system-auth
 # 6. Domain Control Options:
domain logons = no
add user script = /usr/sbin/useradd -s /bin/false '%u'
idmap uid = 1-2
idmap gid = 1-2
 
 
 # 7. Name Resolution Options:
name resolve order = wins lmhosts bcast
wins server = ipaddress of wins server
dns proxy = no 
 
 
 # Share Definitions ==
 [Domain Admins]
comment = Private Directory
path = /private
valid users =@Domain Admins
public = no
writable = yes
printable = no  
 [Temp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
 
 [Gentoo]
comment = Gentoo resources
path = /samba/gentoo
public = yes
writable = no
write list = @Domain Admins



krb5.conf:



 [logging]
  default = FILE:/var/log/kerberos/krb5libs.log
  kdc = FILE:/var/log/kerberos/krb5kdc.log
  admin_server = FILE:/var/log/kerberos/kadmind.log
 
 [libdefaults]
  ticket_lifetime = 24000
  default_realm = LABOR.AK
  default_tgs_enctypes = des-cbc-crc des-cbc-md5 
  default_tkt_enctypes = des-cbc-crc des-cbc-md5 
 #permitted_enctypes = des-cbc-crc des-cbc-md5
  dns_lookup_realm = false
  dns_lookup_kdc = false
  kdc_req_checksum_type = 2
  checksum_type = 2
  ccache_type = 1
  forwardable = true
  proxiable = true
 
 [realms]
  LABOR.AK = {
   kdc = MYW2KPDC.LABOR.AK:88
   admin_server = MYW2KPDC.LABOR.AK:749
   default_domain = LABOR.AK
  }
 
 [domain_realm]
  .LABOR.AK = LABOR.AK
 
 [kdc]
  profile = /etc/kerberos/krb5kdc/kdc.conf
 
 [pam]
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000 
  forwardable = true
  krb4_convert = false
 
  [login]
  krb4_convert = false
  krb4_get_tickets = false


Checking encryption type:


 # klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: [EMAIL PROTECTED]
 
 Valid starting     Expires            Service principal
 12/19/03 13:59:10  12/19/03 23:59:50  krbtgt/[EMAIL PROTECTED]
 renew until 12/20/03 13:59:10, Etype (skey, tkt): DES cbc mode with CRC-32, 
 DES cbc mode with CRC-32





/etc/pam.d/login:


 #%PAM-1.0
 auth       required   /lib/security/pam_securetty.so
 auth       sufficient /lib/security/pam_stack.so service=system-auth-winbind
 auth       required   /lib/security/pam_nologin.so
 account    sufficient /lib/security/pam_stack.so service=system-auth-winbind
 password   required   /lib/security/pam_stack.so service=system-auth
 session    required   /lib/security/pam_stack.so service=system-auth
 session    optional   /lib/security/pam_console.so


/etc/pam.d/system-auth-winbind


 #%PAM-1.0
 
 auth        required      /lib/security/pam_env.so
 auth        sufficient    /lib/security/pam_winbind.so
 auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
 auth        required      /lib/security/pam_deny.so
 
 account     sufficient    /lib/security/pam_winbind.so
 account     required      /lib/security/pam_unix.so
 
 password    required      /lib/security/pam_cracklib.so retry=3
 password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
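
The share definitions posted above mix guest ok, public, read only and writable, which are two settings under four names. The following is an added example, not part of the original post and not Samba code: it resolves those synonyms as smb.conf documents them and lists the shares that are both guest-accessible and writable. The sample configs are constructed from the share stanzas quoted in this thread, and the function names are hypothetical.

```python
"""List smb.conf shares that allow guest write access (added example)."""

TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}
DEFAULTS = {"guest ok": False, "read only": True}   # Samba's built-in defaults
# Parameter names with case and spaces removed, mapped to
# (canonical name, inverted). "writable = yes" means "read only = no".
SYNONYMS = {
    "guestok": ("guest ok", False), "public": ("guest ok", False),
    "readonly": ("read only", False), "writable": ("read only", True),
    "writeable": ("read only", True), "writeok": ("read only", True),
}

# Constructed sample, modelled on the share stanzas posted in the thread.
THREAD_STYLE_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   ; share-level defaults could also be set here
[Domain Admins]
   path = /private
   valid users = @Domain Admins
   public = no
   writable = yes
[Temp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes
[Gentoo]
   path = /samba/gentoo
   public = yes
   writable = no
   write list = @Domain Admins
[test]
   path = /home/user/test/
   read only = no
   browsable = yes
   writable = yes
   guest ok = yes
"""

# The two flagged shares with guest write access closed (constructed).
TIGHTENED_CONF = """
[Temp]
   path = /tmp
   read only = no
   guest ok = no
   valid users = @Domain Admins
[test]
   path = /home/user/test/
   guest ok = yes
   read only = yes
"""


def to_bool(value):
    v = value.strip().lower()
    if v in TRUE:
        return True
    if v in FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; a later setting overrides an
    earlier one, including when the two use different synonyms."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            key = "".join(name.lower().split())
            if key in SYNONYMS:
                canon, inverted = SYNONYMS[key]
                current[canon] = to_bool(value) != inverted
            else:
                current[" ".join(name.lower().split())] = value.strip()
    return sections


def guest_writable_shares(text):
    """Return [(share, path)] for shares with guest ok = yes and read only = no.
    This reads the share definitions only: whether a guest session is ever
    granted also depends on globals such as map to guest, and the filesystem
    permissions on the path still apply."""
    conf = parse_smb_conf(text)
    defaults = {**DEFAULTS, **{k: v for k, v in conf.get("global", {}).items()
                               if k in DEFAULTS}}
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        guest_ok = params.get("guest ok", defaults["guest ok"])
        read_only = params.get("read only", defaults["read only"])
        if guest_ok and not read_only:
            findings.append((share, params.get("path", "")))
    return findings


if __name__ == "__main__":
    print("as posted:", guest_writable_shares(THREAD_STYLE_CONF))
    print("tightened:", guest_writable_shares(TIGHTENED_CONF))
```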

Re: [Samba] check_winbind_security: Not using winbind..samba-3.0.1

2003-12-18 Thread Tim Jordan
Jerry, Thanks for the reply.
When I tried to connect to my samba server I entered just a username and
password.  The windows client then returned with SAMBASERVER\username. 
I tried it that way and then tried it with DOMAIN\username.

I can query the domain for users via wbinfo and getent.

I'm still at a loss...

On Thu, 2003-12-18 at 11:57, Gerald (Jerry) Carter wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Tim Jordan wrote:
 | Can anyone advise as to why Samba is not using winbind?
 |
 | check_winbind_security: Not using winbind, requested domain
 | was for this SAM.
 
 This should only be logged if someone tries to connect with
 a username such as SAMBA\foo (fill in 'SAMBA' with the name
 of your server).
 
 
 
 - --
 cheers, jerry
 ~ --
 ~ Hewlett-Packard- http://www.hp.com
 ~ SAMBA Team -- http://www.samba.org
 ~ GnuPG Key   http://www.plainjoe.org/gpg_public.asc
 ~ If we're adding to the noise, turn off this song --Switchfoot (2003)


Re: [Samba] Winbindd

2003-12-17 Thread Tim jordan
On Wed, 2003-12-17 at 08:56, [EMAIL PROTECTED] wrote:

* a Samba server that is a member of a Windows domain should
  run winbindd to allocate IDs for users/groups in its own
  domain and trusted domains.
  
 In my specific situation, the UNIX id's are set up first so they don't conflict with 
 legacy systems/GIDs/UIDs, NT user names match the UNIX user names and users maintain 
 their own UNIX and NT passwords separately ie. it's up to them to make them the 
 same.  Is this specific situation, winbindd is going to do more harm than good, if I 
 understand correctly.  Right?
 
 If it's only a member server then it would have to be getting its information from 
 the resource domain BDC and by the definition above this information is all wrong 
 (other than the username and password) so it would be pointless.  Or am I missing 
 something?
 
 Where does PAM fit into this?


The PAM configuration files direct how authentication should be handled.
Should it (application, login, etc...) authenticate off the local
system or winbind, etc.


[Samba] check_winbind_security: Not using winbind..samba-3.0.1

2003-12-17 Thread Tim Jordan
Can anyone advise as to why Samba is not using winbind?

check_winbind_security: Not using winbind, requested domain was for this
SAM.

I can wbinfo -g -u & getent group | passwd for domain users.

Tim


 [global]
 workgroup = TUX
 realm = TUX.AK
 server string = Samba Server %v
 security = ADS
 auth methods = winbind
 obey pam restrictions = Yes
 password server = ipaddress
 log level = 3
 log file = /usr/local/samba/var/log.%m
 max log size = 100
 name resolve order = wins lmhosts bcast
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = cups
 add user script = /usr/sbin/useradd -s /bin/false '%u'
 os level = 0
 preferred master = No
 local master = No
 domain master = No
 dns proxy = No
 wins server = ipaddress
 idmap uid = 1-2
 idmap gid = 1-2
 template shell = /bin/bash
 winbind use default domain = Yes
 printer admin = '@Domain Admins'
 printing = cups




Re: [Samba] Windows 2000 and krb5 tickets.

2003-12-12 Thread Tim Jordan
Perhaps we can work together.  Jerry mentioned in previous posts about
the encryption options in the krb5.conf.
The Official Samba How To states:  On a Windows 2000 client, try net
use * \\server\share.  You should be logged in with Kerberos without
needing to know a password.  If this fails then run klist tickets.   Did
you get a ticket for the server?  Does it have an encryption type of
DES-CBC-MD5?

Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
encoding.

I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
Jerry suggested:

/etc/krb5.conf:


 [EMAIL PROTECTED] samba3]# cat /etc/krb5.conf
 [logging]
  default = FILE:/var/log/kerberos/krb5libs.log
  kdc = FILE:/var/log/kerberos/krb5kdc.log
  admin_server = FILE:/var/log/kerberos/kadmind.log
 
 [libdefaults]
  ticket_lifetime = 24000
  default_realm = LABOR.AK
  default_tgs_enctypes = des-cbc-md5 des-cbc-crc
  default_tkt_enctypes = des-cbc-md5 des-cbc-crc
  permitted_enctypes = des-cbc-md5 des-cbc-crc
  dns_lookup_realm = false
  dns_lookup_kdc = false
  kdc_req_checksum_type = 2
  checksum_type = 2
  ccache_type = 1
  forwardable = true
  proxiable = true
 
 [realms]
  LABOR.AK = {
   kdc = MY-KDC.LABOR.AK:88
   admin_server = MY-KDC.LABOR.AK:749
   default_domain = LABOR.AK
  }
 
 [domain_realm]
  .LABOR.AK = LABOR.AK
 
 [kdc]
  profile = /etc/kerberos/krb5kdc/kdc.conf
 
 [pam]
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 
  [login]
  krb4_convert = false
  krb4_get_tickets = fals



It did change the encryption ticket I'm getting when kinit as my
username.


 Valid starting     Expires            Service principal
 12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/[EMAIL PROTECTED]
 renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode with RSA-MD5, 
 DES cbc mode with RSA-MD5
 
 
 Kerberos 4 ticket cache: /tmp/tkt0


Notice I'm getting DES cbc mode with RSA-MD5.  

This did not solve the underlying problem of being able to view the samba shares from 
a w2k or xp client.

How would I be able to tell if I'm using MIT or Heimdal kerberos?  

I did get this working on a Gentoo system, so I know it works.  

Who knows encryption on the list that can advise... anyone?

Tim 


On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:

 Same problem. I have been with it for weeks. I can connect using IP
 address from the Win2k clients however with the netbios name I get the
 error.
 
 Someone has told me today that this was solved in the new release
 samba-3.0.1rc2-1 , however I've already tested it and I still have the
 same problem.
 
 Please any more clues.
 
 Thanks,
 
 Fernando.
 
 
 On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
  I'm getting same error about encryption ...
 
  I have taken Tom's lead and have provided the output below.  Is there a
  certain version of krb5 that we should be running?
 
 
  [EMAIL PROTECTED] tim]# smbd3 --version
  Version 3.0.1pre3
 
  [EMAIL PROTECTED] tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
  KRB5_BRAND: krb5-1-3-final 1.3 20030708
 
  I'm running Mandrake 9.2
 
  Thank You Samba Team!
  Tim
 
  On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
 
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA1
  
   OK. I've done some more research, and here's what I get.
  
   smbd --version
   Version 3.0.0
  
   strings libkrb5.so.3.2 | grep BRAND
   KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
  
   Everything seems to work, but trying to access the Samba server results in:
  
   [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
   ~  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
   integrity check failed
   [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
   ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
   [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
   ~  Failed to verify incoming ticket!
   [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
   ~  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
   NT_STATUS_LOGON_FAILURE
  
   This is the same error you get if you're running the wrong KRB5 libs,
   but I've the right ones. The windows 2000 machine is 5.00.2195
  
   Windows 2000 clients connect to the ADS server fine, and will connect to
   the Samba server if you enter Username/Password. The 2000 server cannot
   connect to the Samba machine at all, even with the right username/pass.
  
   Is there a magic registry setting I'm missing? I've changed the
   Administrator password at least once.
  
   - -Tom
   -BEGIN PGP SIGNATURE-
   Version: GnuPG v1.2.2-nr2 (Windows 2000)
   Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
  
   iD8DBQE/2PbO2dxAfYNwANIRAmuuAKCI9NMssxwHqQlyF7njkP+sZBt3PQCfWApO
   F9F+8BTOPIyoybZBYIlCouU=
   =94FA
   -END PGP SIGNATURE-
 

Re: [Samba] Windows 2000 and krb5 tickets...SOLVED

2003-12-12 Thread Tim Jordan
Browsing is working from my W2K and XP clients to the samba server using
kerberos.
Samba Server is joined to Active Directory as a Domain Member server.

I commented out the following line of my krb5.conf:

#permitted_enctypes = des-cbc-crc des-cbc-md5

Make sure these lines are correct:
 default_tgs_enctypes = des-cbc-crc des-cbc-md5 
 default_tkt_enctypes = des-cbc-crc des-cbc-md5

*Make sure to stop and restart smbd, nmbd, and winbindd.  These changes
did nothing for me until I restarted at least winbindd.


 I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586 rpm's
from:
http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/


I'm working on a final write up of my configuration if anyone is
interested in creating an Active Directory member server running Samba
3.

Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
lending his Windows expertise!

Tim 




On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 You can try running the
 
 strings /usr/lib/libkrb5.so.3.2 | grep BRAND
 
 command and looking at what you get. 1-3-1 or something is MIT.
 
 Also, I'm wondering if the fact that you can connect by IP and not by
 name indicates that the 2000 server is looking up the name in, say, DNS
 only and ignoring WINS. Perhaps my WINS server is misconfigured.
 
 Well, I have to run Netbench tests, so I just dropped back to NT4 style
 auth, which works fine for me.
 
 - -Tom
 
 Tim Jordan wrote:
 
 | Perhaps we can work together.  Jerry mentioned in previous posts about
 | the encryption options in the krb5.conf.
 | The Official Samba How To states:  On a Windows 2000 client, try /net
 | use * \\server\share/.  You should be logged in with Kerberos without
 | needing to know a password.  If this fails then run /klist tickets./
 | Did you get a ticket for the server?  Does it have an encryption type of
 | DES-CBC-MD5?
 |
 | Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
 | encoding.
 |
 | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
 | Jerry suggested:
 |
 | /etc/krb5.conf:
 |
 |[EMAIL PROTECTED] samba3]# cat /etc/krb5.conf
 |[logging]
 | default = FILE:/var/log/kerberos/krb5libs.log
 | kdc = FILE:/var/log/kerberos/krb5kdc.log
 | admin_server = FILE:/var/log/kerberos/kadmind.log
 |
 |[libdefaults]
 | ticket_lifetime = 24000
 | default_realm = LABOR.AK
 | default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 | default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 | permitted_enctypes = des-cbc-md5 des-cbc-crc
 | dns_lookup_realm = false
 | dns_lookup_kdc = false
 | kdc_req_checksum_type = 2
 | checksum_type = 2
 | ccache_type = 1
 | forwardable = true
 | proxiable = true
 |
 |[realms]
 | LABOR.AK = {
 |  kdc = MY-KDC.LABOR.AK:88
 |  admin_server = MY-KDC.LABOR.AK:749
 |  default_domain = LABOR.AK
 | }
 |
 |[domain_realm]
 | .LABOR.AK = LABOR.AK
 |
 |[kdc]
 | profile = /etc/kerberos/krb5kdc/kdc.conf
 |
 |[pam]
 | debug = false
 | ticket_lifetime = 36000
 | renew_lifetime = 36000
 | forwardable = true
 | krb4_convert = false
 |
 | [login]
 | krb4_convert = false
 | krb4_get_tickets = fals
 |
 | It did change the encryption ticket I'm getting when /kinit/ as my
 username.
 |
 |Valid starting     Expires            Service principal
 |12/11/03 16:00:49  12/12/03 02:01:00  krbtgt/[EMAIL PROTECTED]
 |renew until 12/12/03 16:00:49, Etype (skey, tkt): DES cbc mode
 with RSA-MD5, DES cbc mode with RSA-MD5
 |
 |
 |Kerberos 4 ticket cache: /tmp/tkt0
 |
 | Notice I'm getting DES cbc mode with RSA-MD5.
 |
 | This did not solve the underlying problem of being able to view the
 samba shares from a w2k or xp client.
 |
 | How would I be able to tell if I'm using MIT or Heimdal kerberos?
 |
 | I did get this working on a Gentoo system, so I know it works.
 |
 | Who knows encryption on the list that can advise... anyone?
 |
 | Tim
 |
 | On Fri, 2003-12-12 at 05:18, Fernando Ruza wrote:
 |
 |/Same problem. I have been with it for weeks. I can connect using IP
 |address from the Win2k clients however with the netbios name I get the
 |error.
 |
 |Someone has told me today that this was solved in the new release
 |samba-3.0.1rc2-1 , however I've already tested it and I still have the
 |same problem.
 |
 |Please any more clues.
 |
 |Thanks,
 |
 |Fernando.
 |
 |
 |On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
 | I'm getting same error about encryption ...
 |
 | I have taken Tom's lead and have provided the output below.  Is there a
 | certain version of krb5 that we should be running?
 |
 |
 | [EMAIL PROTECTED] tim]# smbd3 --version
 | Version 3.0.1pre3
 |
 | [EMAIL PROTECTED] tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
 | KRB5_BRAND: krb5-1-3-final 1.3 20030708
 |
 | I'm running Mandrake 9.2
 |
 | Thank You Samba Team!
 | Tim
 |
 | On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
 |
 |  -BEGIN PGP SIGNED MESSAGE-
 |  Hash: SHA1
 | 
 |  OK. I've done some more research, and here's what I
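Added example, not code from any poster in this thread: a Python check that ties the `enc type [23]` line in the smbd log to the `permitted_enctypes` line the SOLVED post comments out. It assumes, as a simplified model of the behaviour described above, that a ticket whose enctype is missing from an explicitly set `permitted_enctypes` is refused; the function names and finding codes are hypothetical, and the config and log text are excerpted from the posts above.

```python
import re

# Kerberos enctype numbers for the names that appear in this thread.
ENCTYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md4": 2,
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac-md5": 23,
    "arcfour-hmac": 23,
    "rc4-hmac": 23,
}
SINGLE_DES = {1, 2, 3}  # single-DES enctypes, deprecated by RFC 6649
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# [libdefaults] as posted before the fix (unrelated keys omitted).
KRB5_CONF_BEFORE = """\
[libdefaults]
 default_realm = LABOR.AK
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 permitted_enctypes = des-cbc-md5 des-cbc-crc
[realms]
 LABOR.AK = {
  kdc = MY-KDC.LABOR.AK:88
 }
"""

# The same section after the change described in the SOLVED post.
KRB5_CONF_AFTER = """\
[libdefaults]
 default_realm = LABOR.AK
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 #permitted_enctypes = des-cbc-crc des-cbc-md5
"""

# smbd log lines quoted in the thread (wrapped lines re-joined).
SMBD_LOG = """\
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""


def parse_libdefaults_enctypes(conf_text):
    """Return {key: [enctype names]} for the enctype keys set in [libdefaults]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or commented-out line: the key counts as unset
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = [n.lower() for n in re.split(r"[\s,]+", value) if n]
    return found


def failed_enctypes(log_text):
    """Enctype numbers taken from 'enc type [N] failed to decrypt' log lines."""
    hits = re.findall(r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt", log_text)
    return sorted({int(n) for n in hits})


def audit(conf_text, log_text):
    """Return findings as (code, detail) tuples."""
    cfg = parse_libdefaults_enctypes(conf_text)
    findings = []
    permitted = cfg.get("permitted_enctypes")
    if permitted is not None:
        allowed = {ENCTYPE_NUMBERS.get(name) for name in permitted}
        for etype in failed_enctypes(log_text):
            if etype not in allowed:
                # The client sent a ticket type this host is configured to refuse.
                findings.append(("enctype_not_permitted", etype))
    for key in ENCTYPE_KEYS:
        names = cfg.get(key, [])
        if names and all(ENCTYPE_NUMBERS.get(n) in SINGLE_DES for n in names):
            findings.append(("des_only", key))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        print(label, audit(conf, SMBD_LOG))
```

With the `permitted_enctypes` line commented out, the `enctype_not_permitted` finding for enctype 23 disappears, while the `des_only` findings for the two `default_*` keys remain.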

Re: [Samba] Windows 2000 and krb5 tickets.

2003-12-11 Thread Tim Jordan
I'm getting same error about encryption ...

I have taken Tom's lead and have provided the output below.  Is there a
certain version of krb5 that we should be running?


[EMAIL PROTECTED] tim]# smbd3 --version
Version 3.0.1pre3

[EMAIL PROTECTED] tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
KRB5_BRAND: krb5-1-3-final 1.3 20030708

I'm running Mandrake 9.2 

Thank You Samba Team!
Tim

On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 OK. I've done some more research, and here's what I get.
 
 smbd --version
 Version 3.0.0
 
 strings libkrb5.so.3.2 | grep BRAND
 KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
 
 Everything seems to work, but trying to access the Samba server results in:
 
 [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
 ~  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
 integrity check failed
 [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
 ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
 [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
 ~  Failed to verify incoming ticket!
 [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
 ~  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
 NT_STATUS_LOGON_FAILURE
 
 This is the same error you get if you're running the wrong KRB5 libs,
 but I've the right ones. The windows 2000 machine is 5.00.2195
 
 Windows 2000 clients connect to the ADS server fine, and will connect to
 the Samba server if you enter Username/Password. The 2000 server cannot
 connect to the Samba machine at all, even with the right username/pass.
 
 Is there a magic registry setting I'm missing? I've changed the
 Administrator password at least once.
 
 - -Tom
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.2-nr2 (Windows 2000)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
 iD8DBQE/2PbO2dxAfYNwANIRAmuuAKCI9NMssxwHqQlyF7njkP+sZBt3PQCfWApO
 F9F+8BTOPIyoybZBYIlCouU=
 =94FA
 -END PGP SIGNATURE-


[Samba] samba 3 mandrake rpms...feedback

2003-12-09 Thread Tim Jordan
Hello again,
I'm just getting back to testing your rpm builds for samba.

Question: What Kerberos package are you using with your build?

I'm doing a wbinfo -u and getting all users in domains that my AD domain
trusts and the local account but none from the domain I'm a Domain
Member Server of.

I get the same result with getent passwd | grep username

I do have a Kerberos ticket for my domain.  I can log into a smb share
on an XP workstation and 2K server...

Here is my current smb.conf:



 #=== Global Settings =
 [global]
 
 # 1. Server Naming Options:
workgroup = LABOR
realm = LABOR.AK
server string = Samba Server %v
 # 2. Printing Options:
printcap name = cups
load printers = yes
printing = cups
 # This should work well for winbind:
   printer admin = @Domain Admins
 
 # 3. Logging Options:
log file = /var/log/samba3/log.%m
max log size = 50
log level = 3
 
 # 4. Security and Domain Membership Options:
security = ads
password server = IP OF PDC
encrypt passwords = yes
 
 # 5. Winbind
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
template homedir = /home/%D/%U
 ;  obey pam restrictions = yes
template shell = /bin/bash
 
 # 5. Browser Control and Networking Options:
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 0
domain master = no
preferred master = no
 
 # 6. Domain Control Options:
domain logons = no
add user script = /usr/sbin/useradd -s /bin/false '%u'
idmap uid = 1-2
idmap gid = 1-2
 
 
 # 7. Name Resolution Options:
name resolve order = wins lmhosts bcast
wins server = IP OF WINS SERVER
dns proxy = no 
 
 
 # Share Definitions ==
 [homes]
comment = Home Directories
browseable = no
writable = yes
 
 [printers]
comment = All Printers
path = /var/spool/samba3
browseable = no
 # to allow user 'guest account' to print.
guest ok = yes
writable = no
printable = yes
create mode = 0700
 # =
 # print command: see above for details.
 # =
print command = lpr-cups -P %p -o raw %s -r   # using client side printer drivers.
 
 [print$]
path = /var/lib/samba3/printers
browseable = yes
read only = yes
write list = @adm root
guest ok = yes
 
 [pdf-generator]
path = /var/tmp
guest ok = No
printable = Yes
comment = PDF Generator (only valid users)
#print command = /usr/share/samba3/scripts/print-pdf file path win_path recipient 
 IP 
print command = /usr/share/samba3/scripts/print-pdf %s ~%u //%L/%u %m %I %J 








[Samba] Re: samba 3 mandrake rpms...feedback

2003-12-09 Thread Tim Jordan
Samba list please help me...

Do I have to have DES-CBC-MD5 to connect from a windows xp or 2k pc?

I noticed the Official Samba How-To says Samba can use both DES-CBC-MD5 and
ARCFOUR-HMAC-MD5.
The latter doesn't seem to work for me.


Mandrake 9.2
samba3.0.1-0.pre3.2.mkd


 [2003/12/09 17:13:20, 3]
 libads/kerberos_verify.c:ads_verify_ticket(325)
   ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption
 type)
 [2003/12/09 17:13:20, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
   Failed to verify incoming ticket!
 [2003/12/09 17:13:20, 3] smbd/error.c:error_packet(118)
   error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
 NT_STATUS_LOGON_FAILURE
 [2003/12/09 17:13:20, 3] smbd/process.c:timeout_processing(1099)
   timeout_processing: End of file from client (client has
 disconnected).


This is my klist -e:


 Valid starting     Expires            Service principal
 12/09/03 14:31:15  12/10/03 00:31:47  krbtgt/[EMAIL PROTECTED]
 renew until 12/10/03 14:31:15, Etype (skey, tkt): DES cbc mode with CRC-32, 
 DES cbc mode with CRC-32
 12/09/03 14:32:12  12/10/03 00:31:47  [EMAIL PROTECTED]
 renew until 12/10/03 14:31:15, Etype (skey, tkt): ArcFour with HMAC/md5, 
 ArcFour with HMAC/md5
 12/09/03 14:32:34  12/10/03 00:31:47  [EMAIL PROTECTED]
 renew until 12/10/03 14:31:15, Etype (skey, tkt): ArcFour with HMAC/md5, 
 ArcFour with HMAC/md5
 
 
 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached


I'm going crazy trying to get this to work...
Thank you,
Tim



smb.conf
#=== Global Settings =
[global]

# 1. Server Naming Options:
   workgroup = MYDOMAIN
   realm = MYDOMAIN.AK
   server string = Samba Server %v
# 2. Printing Options:
   printcap name = cups
   load printers = yes
   printing = cups
# This should work well for winbind:
  printer admin = @Domain Admins

# 3. Logging Options:
   log file = /var/log/samba3/log.%m
   max log size = 50
   log level = 3

# 4. Security and Domain Membership Options:
   security = ads
   password server = IP OF PDC
   encrypt passwords = yes

# 5. Winbind
   winbind uid = 1-2
   winbind gid = 1-2
   winbind use default domain = yes
   allow trusted domains = no
   template homedir = /home/%D/%U
   obey pam restrictions = yes
   template shell = /bin/bash

# 5. Browser Control and Networking Options:
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = no
   os level = 0
   domain master = no
   preferred master = no

# 6. Domain Control Options:
   domain logons = no
   add user script = /usr/sbin/useradd -s /bin/false '%u'
   idmap uid = 1-2
   idmap gid = 1-2


# 7. Name Resolution Options:
   name resolve order = wins lmhosts bcast
   wins server = IP OF WINS SERVER
   dns proxy = no 


# Share Definitions ==
[homes]
   comment = Home Directories
   browseable = no
   writable = yes




Re: [Samba] samba 3 mandrake rpms...where is net tool?

2003-12-05 Thread Tim Jordan
Hello,
I have installed the latest samba rpms from your site.  I verified that
winbind works properly and the getent issue is resolved.

After starting the samba server I can browse out against the Windows
network.  The samba server is a member server of an Active Directory
domain.

Problem: windows clients on network can not browse to samba server.  I
can ping, do dns lookups, and can see the box in network neighborhood
from a windows client.  The samba server wants credentials to display
shares.  I have tried root credentials, domain credentials, and local
unix acct. credentials with no success.  I understand a guest account is
used in this situation, which I have added to the local unix accounts.

Can you advise?



 # Global parameters
 [global]
 workgroup = LABOR
 realm = LABOR.AK
 server string = Samba Server %v
 security = ADS
 obey pam restrictions = Yes
 smb passwd file = /etc/samba/smbpasswd
 guest account = guest
 log file = /var/log/samba/log.%m
 max log size = 50
 name resolve order = wins lmhosts bcast
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = cups
 os level = 0
 preferred master = No
 local master = No
 domain master = No
 dns proxy = No
 wins server = 192.168.1.20
 idmap uid = 1-2
 idmap gid = 1-2
 template shell = /bin/bash
 winbind use default domain = Yes
 printer admin = @Domain Admins
 printing = cups
 
 [homes]
 comment = Home Directories
 read only = No
 browseable = yes
 guest ok = yes
 
 [printers]
 comment = All Printers
 path = /var/spool/samba
 create mask = 0700
 guest ok = Yes
 printable = Yes
 print command = lpr-cups -P %p -o raw %s -r   # using client side printer 
 drivers.
 browseable = No
 
 [print$]
 path = /var/lib/samba/printers
 write list = @adm, root
 guest ok = Yes






 2003-12-02 at 23:21, Buchan Milne wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Tim Jordan wrote:
  Hello,
  I took your advice and installed Mandrake 9.2 then pulled down the rpms
  from your site.
  I have joined our Active Directory Domain with no problem.
  Kerberos is working.
  I can use wbinfo3 -g -u to query domain groups and users but I can't
  seem to use getent for domain groups and users.
 
  Do I need to change a pam file to enable this?  I checked everything I
  know like verifying the nsswitch.conf is correct, libnss_winbind.so 
  libnss_winbind.so.2, is present...
 
  I have the following in my smb.conf
  idmap uid
  idmap gid
  winbind enum users
  winbind enum groups
  template homedir
  template shell
  winbind use default domain
 
  When viewing my samba server from a windows workstation it wants a
  username and password.  I take it this is because I'm missing something???
 
  Can you advise?
 
 I think this is due to one error, the renaming of libnss_winbind.so and
 libnss_winbind.so.2 to libnss_winbind3.so and libnss_winbind3.so.2
 (which should work AFAIK). Others have reported that just linking
 libnss_winbind.so.2 to libnss_winbind3.so.2, and changing all occurrences
 of winbind3 in /etc/nsswitch.conf to winbind should do the trick.
 
 I have adjusted this in the new packages of 3.0.1pre3:
 rpm -qlp
 public_html/mandrake/9.2/samba-3.0.1/samba3-winbind-3.0.1-0.pre3.2mdk.i586.rpm
 /etc/pam.d/system-auth-winbind
 /etc/rc.d/init.d/winbind
 /lib/libnss_winbind.so
 /lib/libnss_winbind.so.2
 /lib/security/pam_winbind.so
 /usr/bin/wbinfo
 /usr/sbin/winbind
 /usr/sbin/winbindd
 /usr/share/man/man1/wbinfo.1.bz2
 /usr/share/man/man8/winbindd.8.bz2
 
 So, this should not be necessary in future builds for Mandrake 9.2 and
 older (in Mandrake 10 and on - as is the case in Mandrake cooker
 already, samba-3.0.x will be called samba, and samba-2.2.x will be
 called samba2 if we still ship it).
 
 It may be easier just to use these packages (and feedback on them would
 be good ...)
 http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
 
 Regards,
 Buchan
 
 
 - --
 |--Another happy Mandrake Club member--|
 Buchan MilneMechanical Engineer, Network Manager
 Cellphone * Work+27 82 472 2231 * +27 21 8828820x202
 Stellenbosch Automotive Engineering http://www.cae.co.za
 GPG Key   http://ranger.dnsalias.com/bgmilne.asc
 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.3 (GNU/Linux)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
 iD8DBQE/zZ0QrJK6UGDSBKcRAjwfAJ9I4PcOSp9simLK/oZkn7YwZBOQbACeP896
 cvwy+qVkabL0ssKRz7beKwU=
 =y/PH
 -END PGP SIGNATURE-
 

[Samba] getent not working samba3rc1

2003-12-05 Thread Tim Jordan
I have winbind up and running.
wbinfo -g and wbinfo -u can resolve domain users and groups

getent only brings back local unix users and groups.

I have:

/etc/nsswitch.conf:
passwd: files winbind
group: files winbind

/lib/libnss_winbind.so
/lib/libnss_winbind.so.2

/lib/security/pam_winbind.so
# Global parameters
[global]
workgroup = LABOR
realm = LABOR.AK
server string = Samba3 on ANC-Gentoo1.4
security = ADS
#hosts allow = 
load printers = yes
password server = *
log file = /usr/local/samba/var/log.%m
max log size = 50
name resolve order = wins bcast
socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 0
preferred master = no
local master = no
domain master = no
wins support = no
wins server = 192.168.1.20
dns proxy = yes
#winbind separator = +
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
#client signing = yes
#server signing = yes
#client use spnego = yes
debuglevel = 1
   
   
   
   
[test]
comment = test
path = /tmp
read only = yes
guest ok = yes



[Samba] samba 3 mandrake rpms...where is net tool?

2003-11-26 Thread Tim Jordan
I installed the RPMS from samba web site for Mandrake 9.1. 
Configuration is weird as things are labeled smbd3 or winbind3...  

Testparm runs against /etc/samba/smb.conf yet swat configures the
smb.conf in a different location...hmm

But really my problem is joining the AD domain as a member server.  I
can't locate the net tool.

How is this done?

How does testparm know to test against /etc/samba3/smb.conf instead of
/etc/samba/smb.conf?

Perhaps there are two versions of samba here?  I loaded a clean mandrake
9.1 install and then loaded the RPM's.

Should I scrap this idea and compile from scratch on Mandrake?

Please advise if possible,
Tim


Re: [Samba] Which Linux best suits Samba3?

2003-11-24 Thread Tim Jordan
I just tried installing Samba 3 rpm from samba.org on a fedora1 box and
it failed to install

missing libcom_err.so.3

I take it Fedora is using a different set of libs.  Any advice on how to
resolve this or do I roll back to redhat 8 or 9?

I've been trying and trying to get samba 3 to work with Gentoo... no
joy!

Tim


On Fri, 2003-11-21 at 14:26, Andrew Bartlett wrote:

 On Sat, 2003-11-22 at 05:40, Eric Geater 11/18/03 wrote:
  In a discussion with one of the main answer people, of whose time I am
  greatly appreciative, it was suggested that some of my problem (or
  solution) may be to run Samba on a distro that's better suited for it.
  Problem is, I don't have the time nor the inclination to download a
  bunch of distros just to install, test, fdisk, repeat.
  
  So I ask. what is a recommended recent distro that works well with Samba
  3?  Drake?  Debian?  SuSE?  RH9?  All answers welcome, with explanations
  or not.
 
 A particular point to consider is the native support for MIT kerberos
 1.3.1, or the right Heimdal version.
 
 Fedora Core 1 has this, and I think the latest SUSE does, Debian Testing
 and Debian Unstable do have the right krb5, but naturally Debian Stable
 does not. In particular, note RH9 does NOT, and this can get in your
 way.   
 
 Andrew Bartlett


Re: [Samba] Is smbpasswd against windows 2003 server working?

2003-11-21 Thread Tim Jordan
Andrew, what is a good way to troubleshoot winbind?  I can login using
w2k domain accts, I can use w2k domain groups on shares, but I can't
seem to use a domain account on a share:

[test]
path = /test
valid users = BUZZ
write list = BUZZ

The user on the windows client is prompted for credentials but nothing
works
Please advise,
Tim

On Thu, 2003-11-20 at 19:42, Andrew Bartlett wrote:

 On Fri, 2003-11-21 at 13:24, Vandeir Eduardo wrote: 
  Hi guys,
  
  me again. Please, I would like to know if this is a bug/
  incompatibility with windows 2003 server.
  I would like that someone that has accounts stored on windows
  2003 server make a test and try to change a password of one of
  those users from a linux box using smbpasswd -r w2k3_host -U username.
  For me it always complains about invalid username or password.
  This work if I change a password of an user account stored on
  a NT server, but not 2003 server.
  Or anyone know another way to change an user password stored
  on windows 2003 server from a linux box?
  
  I'm desperate and would appreciate any hint.
 
 It is quite possible that they are not fully compatible, given some of
 the new 'security settings' that Win2k3 PDCs use by default.  In
 particular, smbpasswd -U -r uses a 'null session', which is defeated by
 'restrict anonymous'.  
 
 A kerberos password change might still work, and pam_winbind is
 certainly a good option (Samba 3.0)
 
 Andrew Bartlett
 


Re: [Samba] Solved: Samba 3 w/ADS on Slackware

2003-11-10 Thread Tim Jordan
Hi Ron,
I took a look at your How To for ADS integration.  I have implemented
this in our domain but your how to left me with a question


 In addition to these files, there are a few more things that need to
 be done. First, the root user must exist in the smbpasswd database:
 
 smbpasswd -a root
 


What is the need to have root in the smbpasswd database if you are using
AD for authentication?

Also, I'm curious how you set up your PAM config files.

Finally, are you able to use domain user account when creating
shares on the samba server?
For example I can do this:
[software]
comment = open source
path = /software
printable = no
valid users =@Domain Admins
write list =@Domain Admins
It works as only Domain Admins are allowed into the samba share.

But when I try this with a domain user it does not work:
[Linux Games]
   comment = Linux ISO Games
   path = /samba/games
   force user = JON  #Jon is a domain acct, there is no local JON user
   force group =@Domain Users
   guest ok = yes

Thanks for your time,
Tim



On Sun, 2003-11-09 at 08:19, Ron Gage wrote:

 Hi folks:
 
 We have finally solved the problem.  We have figured out how to correctly 
 install Samba 3 with Active Directory Support on Slackware (and presumably on 
 any other non-RPM based distro).
 
 The howto has been published on my website.  Please visit 
 http://www.rongage.org/manual_samba_howto.html for the step-by-step 
 instructions on how to manually install Samba 3 from scratch with Active 
 Directory Support.  The instructions are based on Slackware 9.1 but should be 
 generic enough to work on just about any platform.
 
 A great many thanks are in order for John Terpstra for his invaluable 
 assistance in getting this all working.  I really doubt I could have done 
 this without his assistance.
 
 -- 
 Ron Gage - LPIC1, A+, Net+
 Pontiac, Michigan
 


[Samba] pam_krb5.so in pam.d/login

2003-11-07 Thread Tim Jordan
Does using the pam_krb module give the authenticated user a valid
Kerberos ticket upon logging into the domain?  Instead of doing kinit
from the shell?

Tim
On Tue, 2003-11-04 at 10:53, Thron Havens wrote:
 I know that everyone is busy and there are a lot of requests here but can
 someone give me any ideas why I can't get private shares to work? Right now
 I get prompted with a logon and password but I cannot connect. Under my
 share config I have used user(s) = user-name valid users = user-name and
 username = user-name None of them will let me in.
 
  
 
 I'm running samba 2.5 on a FreeBSD box using winbind to do authentication
 with my PDC/BDC and I'm able to configure global shares that everyone on the
 NT network can access. 
 
  
 
 SMB.conf
 
 workgroup = domain-name
 netbios name = comp-name
 server string = comp-name
 security = domain
 log file = /var/log/sambalog.%m
 encrypt passwords = yes
 local master = no
 os level = 0
 domain master = no
 preferred master = no
 wins support = no
 wins server = 0.0.0.0
 wins proxy = no
 dns proxy = no
 log level = 3
 max log size = 1
 load printers = no
 
 winbind uid = 1-2
 winbind gid = 1-2
 winbind enum users = yes
 winbind enum groups = yes
 winbind separator = .
 winbind use default domain = yes
 template homedir = /usr/share/%U
 template shell = /bin/false
 password server = *
 name resolve order = hosts lmhosts wins bcast
 nt acl support = yes
 
 [share]
 comment = temporary file space
 path = path
 browsable = yes
 read only = no
 public = yes
 printable = no
 writeable = yes
 
 [temp]
 comment = another share
 path = /usr/report
 username = user-name
 browsable = yes
 read only = no
 #public = yes
 printable = no
 writeable = yes
 
  
 
 Pam.conf
 
 auth       required     pam_nologin.so      no_warn
 auth       sufficient   pam_winbind.so
 auth       sufficient   pam_opie.so         no_warn no_fake_prompts
 auth       requisite    pam_opieaccess.so   no_warn allow_local
 #auth      sufficient   pam_krb5.so         no_warn try_first_pass
 #auth      sufficient   pam_ssh.so          no_warn try_first_pass
 auth       required     pam_unix.so         no_warn try_first_pass
 
 # account
 #account   required     pam_krb5.so
 account    sufficient   pam_winbind.so
 account    required     pam_unix.so
 
 # session
 #session   optional     pam_ssh.so
 session    required     pam_permit.so
 
 # password
 password   required     pam_permit.so
 
  
 
 
 
 Thanks
 
  
 
 Thron
 
  



[Samba] cannot su to root

2003-11-06 Thread Tim Jordan
I've been messing with pam and winbind.  Somehow I have it so I can't su
to root in a shell when I'm logged in as a non-root user.

These are my pam.d configs I've been messing with, perhaps I'm missing
something obvious...help please,
Tim

/etc/pam.d/login


 #%PAM-1.0
 
 auth       required     /lib/security/pam_securetty.so
 auth       required     /lib/security/pam_nologin.so
 auth       sufficient   /lib/security/pam_winbind.so
 auth       required     /lib/security/pam_env.so
 auth       required     /lib/security/pam_unix.so use_first_pass nullok
 
 account    sufficient   /lib/security/pam_winbind.so
 account    required     /lib/security/pam_unix.so
 
 password   sufficient   /lib/security/pam_cracklib.so
 password   sufficient   /lib/security/pam_unix.so shadow nullok use_authtok
 
 session    required     /lib/security/pam_mkhomedir.so skel=/home/LABOR/skel$se$
***
/etc/pam.d/system-auth

 auth        required      /lib/security/pam_env.so
 auth        sufficient    /lib/security/pam_winbind.so
 auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_f$
 auth        required      /lib/security/pam_deny.so
 
 account     sufficient    /lib/security/pam_unix.so
 account     sufficient    /lib/security/pam_winbind.so
 
 password    required      /lib/security/pam_cracklib.so retry=3 minlen=2 $
 password    sufficient    /lib/security/pam_unix.so nullok use_authtok md$
 password    required      /lib/security/pam_deny.so
 
 session     required      /lib/security/pam_limits.so
 session     required      /lib/security/pam_unix.so
 




[Samba] sys_gethostbyname error

2003-11-04 Thread Tim Jordan
Please, Please advise if possible.

I can use smbclient, mount, wbinfo, getent all from the shell with no 
problems.

I'm trying to use LinNeighborhood to mount windows shares and this error 
is returned:

Can't resolve address
all: True/10
tdb: False/0
printdrivers:False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli:False/0
passdb: False/0
sam: False/0
auth:False/0
winbind:False/0
vfs:False/0
idmap:False/0
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_MEMBER
sys_gethostbyname: Unknown host


[Samba] browsing smb shares with KDE Konquerer

2003-10-28 Thread Tim Jordan, Network Services
With Samba 3 I can simply type in:
smb://server/share and Konqueror will open the smb share.  It seems 
that with Samba 3, Konqueror is using the Kerberos ticket that the AD 
domain is providing when I kinit [EMAIL PROTECTED]

Unfortunately I noticed that when I try to open a simple text document 
from an smb share on a Windows machine Konqueror seems to stall when 
downloading the file.

Can anyone verify this as a Konqueror or Samba issue?
Thanks,
Tim


Re: [Samba] groupmap on member server

2003-10-28 Thread Tim Jordan, Network Services
I'm not an expert, please correct me if I'm wrong.
With my shares I gave the unix group in question itms_office  group 
ownership.  So it looks like this:

drwxrwxrwx  root   itms_office  4096 Oct28 14:46 test

One thing to note is that my shares are not sub-directories like yours 
are - so you may have to have the directories above test with the 
proper unix permissions.

My current problem is that the groups I have groupmapped seem to work, 
but I can't specify any valid domain user account and have it just let 
that user in the share... just can't seem to get it to work!

Give it a try and please let me know.
Tim
Dean Knape wrote:

drwxrwxrwx2 root root 4096 Oct 28 14:46 test

dean

dean
Tim Jordan, Network Services wrote:
How are your unix permissions set?

Dean Knape wrote:

Greetings,

My setup is a multimaster win2k domain with full trusts 
established.  My samba server has joined one of the master domains 
as a member server. smb.conf has encrypted passwords enabled and 
security=domain and running  on Samba Version 3.0.1pre1 on Linux 
2.4.20-20.9smp.

Groupmap seems not to work as I was expecting it to.  I am trying to 
map  the local unix group itms_office to domain group itms 
office using:

net groupmap add ntgroup=itms office unixgroup=itms_office type=d

/etc/group contains the following line for itms_office:
itms_office:x:102:
The share is setup as follows:
[test]
comment = test share
path= /export/data/test
valid users = @itms_office @staff
writable= yes
printable   = no
Am I missing something?

-dean






Re: [Samba] Re: accessing shares

2003-10-22 Thread Tim Jordan, Network Services
Domain Admins is a valid Active Directory group.  I have it 
groupmapped to:
   Domain Admins (S-1-5-21-3417231078-1290269627-1885213793-2005) 
- root
tim is a member of the root group

[LinuxSoftware]
   comment = OpenSource
   path = /mnt/windows/Software/
   public = yes
   writable = yes
   printable = no
   write list =@Domain Admins
drwxr--r--   57  timroot32768 Oct  8 00:49 Software (Do the 
unix permissions matter or just what is in the smb.conf?)

For the other share is your account TIM or tim? Unix is case sensitive as
far as I know.
TIM is my windows active directory account - tim is my local unix account.
[TIM]
   comment = Tim's Service
   path = /home/tim/
   writeable = TIM
   read only = No
Winbind should be handling all authentication from our M$ PDC.  I can 
log into my Samba box with a M$ domain account.  I just can't seem to 
get the share authentication working.  I'm not sure what logs to watch.  
I have been reviewing the smbd, nmbd, winbind, and the log that is 
corresponding to the workstation trying to connect to the Samba share.

In the logs I noticed that winbind is trying to authenticate the 
microsoft workstation connecting to the Samba share.

[2003/10/21 10:58:05, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn GETPWNAM
[2003/10/21 10:58:05, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [22176]: getpwnam DOL-ANC-WTS2$
[2003/10/21 10:58:05, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(147)
  user 'DOL-ANC-WTS2$' does not exist 
Have I missed something in the HOW TO: ?  I don't recall having to 
create machine accounts on the Samba server.  I thought Samba is 
supposed to authenticate the user trying to access the share.  If that 
is true perhaps I have a pam config file wrong?  I don't know where to 
start looking at how the authentication is handled on the Samba share 
and more importantly what order of authentication is being done...how do 
I tweak that order to point authentication to my M$ PDC?  I did it for 
the pam.d/login config file.

Perhaps I'm not even on the right track...
Tim
Emmanuel Viennot wrote:

Maybe you should check your write list parameter, which is @Domain Admins.
Is Domain Admins a valid group and is tim a member of this group?
For the other share is your account TIM or tim? Unix is case sensitive as
far as I know.
Hope that helps.

 



[Samba] accessing shares

2003-10-21 Thread Tim Jordan, Network Services
My experience is very limited on Unix and Samba.  Please forgive me if 
the answer is right in front of me.

Problems accessing shares on my Samba 3.0.1pre1 running on Gentoo1.4

I'm stuck big time!  I've been trying to figure out why I cannot access 
shares.  The only share I can currently read and write to is:
[OpenShare]
   comment = Temporary file space
   path = /tmp
   read only = No
   guest ok = Yes
Linux permissions: drwxrwxrwt   36 root root 3328 Oct 21 
11:25 tmp

When I try to access [LinuxSoftware {FAT32}] share I get:

\\anc-gentoo1\LinuxSoftware is not accessible.  You may not have 
permisions  The network path cannot be found.

**I have verified that the path is correct.**

[LinuxSoftware]
   comment = OpenSource
   path = /mnt/windows/Software/
   write list = @Domain Admins
   read only = No
   guest ok = Yes
Linux permissions: drwxr--r--   57 tim  root32768 Oct  8 00:49 
Software

On this share I get a prompt for  username and password; although 
nothing seems to let me in.  TIM is a domain user.
[TIM]
   comment = Tim's Service
   path = /home/bxnctej/
   valid user = TIM
   read only = No

Linux permissions: drwx--   37 tim  Domain Users 2048 Oct 21 
11:58 bxnctej
* tim is my local linux account

I may have narrowed down the problem to this log entry.  DOL-ANC-WTS2 is 
the W2K server that I'm trying to access the Samba shares from.  I don't 
understand why GETPWNAM is looking for the machine name.  I understand 
GETPWNAM to look into /etc/password.  I don't understand why winbind 
wants to look for DOL-ANC-WTS2 in a local password file?

[2003/10/21 10:58:05, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn GETPWNAM
[2003/10/21 10:58:05, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [22176]: getpwnam DOL-ANC-WTS2$
[2003/10/21 10:58:05, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(147)
  user 'DOL-ANC-WTS2$' does not exist
[2003/10/21 10:58:05, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/10/21 10:58:05, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request


smb.conf:
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
   workgroup = LABOR
   realm = LABOR.AK
   server string = Samba3 on ANC-Gentoo1.4
   security = ADS
   password server = DOL-ANC-AD1
   log level = 10
   log file = /usr/local/samba/var/log.%m
   max log size = 50
   name resolve order = wins bcast
   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
   os level = 0
   preferred master = No
   local master = No
   domain master = No
   wins server = ###.###.###.###
   idmap uid = 1-2
   idmap gid = 1-2
   template homedir = /home/LABOR/%U
   template shell = /bin/bash
   winbind use default domain = Yes
[OpenShare]
   comment = Temporary file space
   path = /tmp
   read only = No
   guest ok = Yes
[TIM]
   comment = Tim's Service
   path = /home/bxnctej/
   valid users =TIM
   read only = No
[LinuxSoftware]
   comment = OpenSource
   path = /mnt/windows/Software/
   write list = @Domain Admins
   read only = No
   guest ok = Yes
I included my groupmap.  Should I noticed two groupmappings for Domain 
Admins

bash-2.05b# ./net groupmap list
System Operators (S-1-5-32-549) - sys
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - nobody
Domain Users (S-1-5-21-3417231078-1290269627-1885213793-513) - users
Domain Admins (S-1-5-21-3417231078-1290269627-1885213793-2005) - root
Power Users (S-1-5-32-547) - sys
Print Operators (S-1-5-32-550) - lp
Administrators (S-1-5-32-544) - ntadmin
Domain Admins (S-1-5-21-3417231078-1290269627-1885213793-512) - -1
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-3417231078-1290269627-1885213793-514) - nobody
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - users
I can do these commands with success!
wbinfo -u
wbinfo -g
getent group
getent passwd
bash-2.05b# ./nmblookup anc-07-14927xp
Got a positive name query response from 146.63.135.98 ( 146.63.135.98 )
146.63.135.98 anc-07-14927xp00
Please let me know if I can send more info.
Thank you for your time,
Tim Jordan


[Samba] [Fwd: accessing shares]

2003-10-21 Thread Tim Jordan, Network Services
John: I wanted to add that I have no problem logging into the samba 
server with a domain account, as long as it's not through KDE. The first 
time errors out complaining about DCOPServer and not being able to 
write to the home directory... don't know if this is relevant.

My experience is very limited on Unix and Samba.  Please forgive me if 
the answer is right in front of me.

Problems accessing shares on my Samba 3.0.1pre1 running on Gentoo1.4

I'm stuck big time!  I've been trying to figure out why I cannot access 
shares.  The only share I can currently read and write to is:
[OpenShare]
  comment = Temporary file space
  path = /tmp
  read only = No
  guest ok = Yes
Linux permissions: drwxrwxrwt   36 root root 3328 Oct 21 
11:25 tmp

When I try to access [LinuxSoftware {FAT32}] share I get:

\\anc-gentoo1\LinuxSoftware is not accessible.  You may not have 
permisions  The network path cannot be found.

**I have verified that the path is correct.**

[LinuxSoftware]
  comment = OpenSource
  path = /mnt/windows/Software/
  write list = @Domain Admins
  read only = No
  guest ok = Yes
Linux permissions: drwxr--r--   57 tim  root32768 Oct  8 00:49 
Software

On this share I get a prompt for  username and password; although 
nothing seems to let me in.  TIM is a domain user.
[TIM]
  comment = Tim's Service
  path = /home/bxnctej/
  valid user = TIM
  read only = No

Linux permissions: drwx--   37 tim  Domain Users 2048 Oct 21 
11:58 bxnctej
* tim is my local linux account

I may have narrowed down the problem to this log entry.  DOL-ANC-WTS2 is 
the W2K server that I'm trying to access the Samba shares from.  I don't 
understand why GETPWNAM is looking for the machine name.  I understand 
GETPWNAM to look into /etc/password.  I don't understand why winbind 
wants to look for DOL-ANC-WTS2 in a local password file?

[2003/10/21 10:58:05, 10] nsswitch/winbindd.c:process_request(305)
  process_request: request fn GETPWNAM
[2003/10/21 10:58:05, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [22176]: getpwnam DOL-ANC-WTS2$
[2003/10/21 10:58:05, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(147)
  user 'DOL-ANC-WTS2$' does not exist
[2003/10/21 10:58:05, 10] nsswitch/winbindd.c:client_write(502)
  client_write: wrote 1300 bytes.
[2003/10/21 10:58:05, 10] nsswitch/winbindd.c:winbind_client_read(455)
  client_read: read 1568 bytes. Need 0 more for a full request


smb.conf:
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
  workgroup = LABOR
  realm = LABOR.AK
  server string = Samba3 on ANC-Gentoo1.4
  security = ADS
  password server = DOL-ANC-AD1
  log level = 10
  log file = /usr/local/samba/var/log.%m
  max log size = 50
  name resolve order = wins bcast
  socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
  os level = 0
  preferred master = No
  local master = No
  domain master = No
  wins server = ###.###.###.###
  idmap uid = 1-2
  idmap gid = 1-2
  template homedir = /home/LABOR/%U
  template shell = /bin/bash
  winbind use default domain = Yes
[OpenShare]
  comment = Temporary file space
  path = /tmp
  read only = No
  guest ok = Yes
[TIM]
  comment = Tim's Service
  path = /home/bxnctej/
  valid users =TIM
  read only = No
[LinuxSoftware]
  comment = OpenSource
  path = /mnt/windows/Software/
  write list = @Domain Admins
  read only = No
  guest ok = Yes
I included my groupmap.  Should I noticed two groupmappings for Domain 
Admins

bash-2.05b# ./net groupmap list
System Operators (S-1-5-32-549) - sys
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - nobody
Domain Users (S-1-5-21-3417231078-1290269627-1885213793-513) - users
Domain Admins (S-1-5-21-3417231078-1290269627-1885213793-2005) - root
Power Users (S-1-5-32-547) - sys
Print Operators (S-1-5-32-550) - lp
Administrators (S-1-5-32-544) - ntadmin
Domain Admins (S-1-5-21-3417231078-1290269627-1885213793-512) - -1
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-3417231078-1290269627-1885213793-514) - nobody
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - users
I can do these commands with success!
wbinfo -u
wbinfo -g
getent group
getent passwd
bash-2.05b# ./nmblookup anc-07-14927xp
Got a positive name query response from 146.63.135.98 ( 146.63.135.98 )
146.63.135.98 anc-07-14927xp00
Please let me know if I can send more info.
Thank you for your time,
Tim Jordan




[Samba] domain groups accessing samba share

2003-10-13 Thread Tim Jordan, Network Services
Hey John,
I've been working on this most the day.  Just can't seem to nail it 
down!  (Yes sir I did read the How To)
Winbind is working fine - I can:
wbinfo -g
wbinfo -u
getent passwd
getent group

Problem is when I try to use a domain group on a Samba share I get a 
username and password prompt; although, nothing seems to get me in!

Please advise

#Samba 3.0 running under Gentoo1.4
[global]
   workgroup = LABOR
   realm = LABOR.AK
   server string = Samba3 on ANC-Gentoo1.4
   security = ADS
   password server = passwordserver
   log file = /usr/local/samba/var/log.%m
   max log size = 50
   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
   os level = 0
   preferred master = No
   local master = No
   domain master = No
   dns proxy = No
   wins server = win_server_ip
   idmap uid = 1-2
   idmap gid = 1-2
   template homedir = /home/winnt/%D/%U
   template shell = /bin/bash
[Linux Software]
   comment = Open Source Software
   path = /home/tim/Linux Software
   valid users = @LABOR\domain admins
   write list = @LABOR\domain admins
   read only = No




[Samba] Host NTFS Shares on Samba Server?

2003-09-08 Thread Tim Jordan, Network Services
Running Samba 2.2.8a

I have a secondary hard drive (100GB) full of desktop images that I 
would like to share.   The drive is installed in my Samba server and 
currently setup in fstab as:

/dev/hda2 /mnt/myntfs ntfs  defaults 0 0

This allows root access read permissions.

Can I setup my Samba server to allow domain admins to access the data on 
this secondary drive?

Please advise,

Tim Jordan



[Samba] krb5_cc_get_principal failed...

2003-06-27 Thread Tim Jordan
Hello, I'm not understanding the following error.  Please advise if 
possible...Thank you.

[EMAIL PROTECTED] share]# net ads testjoin
[2003/06/27 09:11:27, 1] libsmb/clikrb5.c:ads_krb5_mk_req(267)
  krb5_cc_get_principal failed (No credentials cache found)
Join is OK




[Samba] Authentication Scheme for Samba3.0beta

2003-06-25 Thread Tim Jordan, Network Services
Hello,
I'm trying to configure authentication for my Samba3.0beta box against 
our W2K (mixed-mode), Active Directory network. 

Is Winbind still the way to go for login authentication in Samba3.0 
using my Windows domain account?  I want to stay with our Active 
Directory PDC authenticating me.

Is there a way to get my Kerberos ticket at login for my Samba box? 

Being able to easily connect to windows machines, from a shell, using 
the Kerberos ticket is very nice!  Can I do that through a browser such 
as Konqueror?  My current setup still prompts me for authentication to 
each share.

I have enjoyed working with Samba over the past few weeks (I'm very new 
at this!).  Any info. or pointers are very appreciated.

TIA,
Tim






[Samba] Authentication from W2K PDC..Samba 3.0beta

2003-06-23 Thread Tim Jordan, Network Services
Hello everyone,

Can I use Ldap to authenticate  against our W2K PDC?  I have winbind 
working for Samba 2.2.8a - but the boss wants me to see about Ldap.

If this is possible could you provide a starting point for me?

I can use getent group to get a list of domain groups after I adjusted 
the /etc/ldap.conf 
By default Samba found our State Ldap server upon installation - I work 
for the State of Alaska, USA.  

TIA,
Tim


[Samba] why is samba3.0 server showing as PDC in W2K domain?

2003-06-20 Thread Tim Jordan, Network Services
Please advise.  I want to bring in Samba 3 to our existing W2K 
mixed-mode domain as a member server.
Here is my smb.conf:

realm =   DEPLOY.AK
ads server = xxx.xxx.xxx.xxx
security = ads
encrypt passwords = yes
name resolve order = wins lmhosts bcast
netbios name = tim-on-samba3
local master = no
os level = 20
log file = /var/log/samba/log.%m
socket option = TCP_NODELAY SO_SNDVUR=8192 SO_RCVBUF=8192
wins server = xxx.xxx.xxx.xxx
wins support = no
map to guest = bad user
doman master = no
template shell = /bin/bash
server string = samba 3.0beta
perferred master = no
TIA,
Tim
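
An added example, not part of the original post: Samba ignores parameter names it does not recognise and leaves the default in force, so a misspelled name in a configuration like the one above has no effect. This sketch flags such names and misspelled socket option names; `lint_smb_conf`, `KNOWN_PARAMETERS` and `KNOWN_SOCKET_OPTIONS` are hypothetical names, and both lists are constructed subsets of real Samba names, not the full parameter table.

```python
import difflib

# Constructed allowlist: a subset of real smb.conf parameter names (the ones
# used on this page). It is NOT Samba's full parameter table.
KNOWN_PARAMETERS = [
    "workgroup", "realm", "security", "password server", "encrypt passwords",
    "name resolve order", "netbios name", "server string", "log file",
    "log level", "max log size", "socket options", "os level",
    "local master", "domain master", "preferred master", "wins server",
    "wins support", "map to guest", "template shell", "template homedir",
    "path", "comment", "read only", "guest ok", "valid users", "write list",
]
# Constructed subset of option names accepted by "socket options".
KNOWN_SOCKET_OPTIONS = ["TCP_NODELAY", "SO_KEEPALIVE", "SO_SNDBUF",
                        "SO_RCVBUF", "IPTOS_LOWDELAY", "IPTOS_THROUGHPUT"]

# The configuration from the post above, copied unchanged.
SAMPLE = """\
realm =   DEPLOY.AK
ads server = xxx.xxx.xxx.xxx
security = ads
encrypt passwords = yes
name resolve order = wins lmhosts bcast
netbios name = tim-on-samba3
local master = no
os level = 20
log file = /var/log/samba/log.%m
socket option = TCP_NODELAY SO_SNDVUR=8192 SO_RCVBUF=8192
wins server = xxx.xxx.xxx.xxx
wins support = no
map to guest = bad user
doman master = no
template shell = /bin/bash
server string = samba 3.0beta
perferred master = no
"""


def normalize(name):
    """Samba compares parameter names ignoring case and embedded whitespace."""
    return "".join(name.lower().split())


CANONICAL = {normalize(p): p for p in KNOWN_PARAMETERS}


def closest(word, choices, cutoff):
    """Best near-match for word among choices, or None if nothing is close."""
    match = difflib.get_close_matches(word, choices, n=1, cutoff=cutoff)
    return match[0] if match else None


def lint_smb_conf(text):
    """Return (line_number, problem, offending_text, suggestion) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments, section headers and lines without a value.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        canonical = CANONICAL.get(normalize(name))
        if canonical is None:
            # Not in the allowlist: report it, with a suggestion if one is close.
            guess = closest(normalize(name), list(CANONICAL), 0.8)
            canonical = CANONICAL.get(guess)
            findings.append((lineno, "unknown parameter", name, canonical))
        if canonical == "socket options":
            # Validate each option token, ignoring any "=value" part.
            for token in value.split():
                option = token.split("=", 1)[0]
                if option not in KNOWN_SOCKET_OPTIONS:
                    hint = closest(option, KNOWN_SOCKET_OPTIONS, 0.7)
                    findings.append((lineno, "unknown socket option", option, hint))
    return findings


if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE):
        print(finding)
```

A finding with no suggestion only means the name is absent from the constructed subset; Samba's own `testparm` checks a file against the full parameter table.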


[Samba] Joined AD, Kerberos working, now what?

2003-06-19 Thread Tim Jordan, Network Services
I have Kerberos working on a Red Hat 8.0 box.  I can map to shares 
(in our Windows 2K domain) easily via the shell.  Will Kerberos let me 
view shared directories within our Windows 2000 (mixed-mode) domain 
using a browser such as Nautilus or Konqueror?

Also, now that my box is a domain member and I can get a Kerberos ticket 
for the PC - do I still set up winbind to authenticate users against 
Active Directory at log on?

Tim