[Samba] Samba4 - mapping Network Drives based on Group membership

2013-03-20 Thread Varoujan Avanessians
Hi All

I have a problem running a logon script to map network drives based on
group membership. The script is a VBScript that resides in the netlogon
share. It works just fine when the logged-in user is a Domain Admin but
fails to get the group information when logged in as a regular user. For
example, when I log in as administrator, who is a member of every group (for
test only), all the requested drives are mapped. When I log in as testuser1,
who is a member of the HR group, say, only a Public drive is mapped and
nothing else.

This seems to be a permission issue querying Active Directory, and I have
no idea how to give users the permission to query the AD in Samba4. Can
anyone help?

For reference, here is the VBScript I use:


' Note: this suppresses every runtime error for the rest of the script.
On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

' Bind to the logged-on user's AD object by distinguished name.
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

' Mapped for every user.
objNetwork.MapNetworkDrive "Z:", "\\10.100.1.128\Public"

' Map additional drives according to the groups listed in memberOf.
For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN

    Select Case strGroupName
        Case "HR"
            objNetwork.MapNetworkDrive "N:", "\\10.100.1.128\HR"

        Case "Engineering"
            objNetwork.MapNetworkDrive "y:", "\\10.100.1.128\Engineering"

        Case "Payroll"
            objNetwork.MapNetworkDrive "M:", "\\10.100.1.128\Payroll"

        Case "IT"
            objNetwork.MapNetworkDrive "O:", "\\10.100.1.128\Data"
            objNetwork.MapNetworkDrive "X:", "\\10.100.1.128\IT-APS"
    End Select
Next


Thanks

-- 
*Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered
Systems*
6265 San Fernando Rd | Glendale, California | 91201- 2214
(818)-730-5846 Mobile | (818)-244-6571 Main*
*
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
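
An added example, not part of the original post and not a confirmed diagnosis of it: ADSI hands back memberOf as Empty when the user has no listed groups, as a plain String when there is exactly one, and as a Variant array only when there are several, so a For Each over it can raise a runtime error that a global On Error Resume Next hides. The variant below normalises the value and logs mapping failures; the helper names GroupDNs and MapDrive are assumptions of this example, while the shares and group names are the ones from the post.

```vbscript
Option Explicit
' Added example, not the poster's script. GroupDNs and MapDrive are
' helper names invented here; shares and group names are from the post.
Dim objSysInfo, objNetwork, objShell, objUser, strGroupDN
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
' No global On Error Resume Next: a failed bind stops the script visibly.
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

MapDrive "Z:", "\\10.100.1.128\Public"
For Each strGroupDN In GroupDNs(objUser)
    Select Case GetObject("LDAP://" & strGroupDN).CN
        Case "HR"
            MapDrive "N:", "\\10.100.1.128\HR"
        Case "Engineering"
            MapDrive "Y:", "\\10.100.1.128\Engineering"
        Case "Payroll"
            MapDrive "M:", "\\10.100.1.128\Payroll"
        Case "IT"
            MapDrive "O:", "\\10.100.1.128\Data"
            MapDrive "X:", "\\10.100.1.128\IT-APS"
    End Select
Next

' memberOf arrives as Empty (no groups), a String (one group) or a
' Variant array (several); always hand the caller an array.
Function GroupDNs(objAdUser)
    Dim varMemberOf
    varMemberOf = objAdUser.MemberOf
    If IsArray(varMemberOf) Then
        GroupDNs = varMemberOf
    ElseIf VarType(varMemberOf) = vbString Then
        GroupDNs = Array(varMemberOf)
    Else
        GroupDNs = Array()
    End If
End Function

' Error handling is scoped to the one call that may legitimately fail,
' and the failure goes to the Application event log (type 1 = error).
Sub MapDrive(strLetter, strShare)
    On Error Resume Next
    objNetwork.MapNetworkDrive strLetter, strShare
    If Err.Number <> 0 Then
        objShell.LogEvent 1, "Logon script: " & strLetter & " -> " & _
            strShare & " failed: 0x" & Hex(Err.Number) & " " & Err.Description
    End If
End Sub
```

The user's primary group (normally Domain Users) never appears in memberOf. Mapping a drive grants nothing by itself: access is still decided by the share and file ACLs on the server.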


[Samba] Samba4: Need Commercial Support for Samba4

2013-02-14 Thread Varoujan Avanessians
We are a medium-size organization in the process of redesigning our network
and want to replace our Novell eDirectory and Novell servers, preferably
using Samba4. The organization is spread across 18 locations and we will be
using multiple AD servers and file servers. However, as an enterprise we
require commercial support, either on an hourly or subscription basis. If you
know of any company or individual with solid Samba4 experience/expertise
then I would very much appreciate it if you could direct me to the entity. And
if you think you may be able to handle the task then I would love to hear
from you.

Thanks

-- 
*Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered
Systems*
6265 San Fernando Rd | Glendale, California | 91201- 2214
(818)-730-5846 Mobile | (818)-244-6571 Main*
*


[Samba] Samba4: Extending the Schema

2013-02-11 Thread Varoujan Avanessians
Hi

We are thinking of developing a corporate directory application that would
pull user information from Samba4 AD. However, for our needs we need some
additional user attributes that don't seem to be available as part of the
AD schema, such as "Hire Date" or "Emergency contact information", so it
seems to me that I would need to extend the schema to make these user
attributes available. My question is: can this be done? And if so, has
anyone done something similar and can direct me to the right place for
information? Any help is greatly appreciated.

-- 
*Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered
Systems*
6265 San Fernando Rd | Glendale, California | 91201- 2214
(818)-730-5846 Mobile | (818)-244-6571 Main*
*


[Samba] Samba4 Integration With Google

2013-01-16 Thread Varoujan Avanessians
Hello everyone,

In my company we are going through a network redesign and planning to
retire our Novell eDirectory and Novell servers and replace them with Samba4
(over 150 servers). We have set up a Samba4 test environment which seems to
be working well so far. We are an organization with multiple locations and
over 1200 users; we are also very heavy users of Google Apps. I have a couple
of questions that I need help with.

1- Is it possible to integrate Samba4 with Google Apps for single sign-on?
I know Google has an application that integrates Microsoft Active
Directory with Google Apps, so I assume it should be possible with Samba4
too. Has anyone tried and used this feature with success?

2- We already have over 1200 accounts on Google. Is there a way to import
these user accounts into Samba4?

I would really appreciate any help in this matter and welcome any
additional suggestions that you may have for a Project of this magnitude.

-- 
*Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered
Systems*
6265 San Fernando Rd | Glendale, California | 91201- 2214
(818)-730-5846 Mobile | (818)-244-6571 Main*
*


[Samba] Samba4 AD not Authenticating

2013-01-09 Thread Varoujan Avanessians
I have already posted another issue here that may be related to the current
issue I am having.
I have three Samba4 AD Domain Controllers; the first one installed, which was
the primary domain controller, is the one having problems; the other two seem
to be working OK. I discovered the problem when I tried to set "Group
Policy" from a Windows 7 machine. The current issue and the previous issue
that I have posted all started after I tried to add the Active Directory
service to FreeNAS 8.0.3.

When I run the "Group Policy Management Console" (gpmc.msc) I get the error
message:

" The domain.company.com forest could not be loaded and will be removed.
The error message was: Unspecified Error".

I stopped Samba and ran it in single mode:

[root@SAMBA-AD ~]# /usr/local/samba/sbin/samba -i -M single

and then ran gpmc.msc and got the following message:

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
e3514235-4b06-11d1-ab04-00c04fc2dcd2@ncacn_ip_tcp
:14c15c29-7c8e-4b7a-8e5a-639da645e970._msdcs.domain.company.com[1024,seal,krb5]
NT_STATUS_LOGON_FAILURE

Here is a list of commands that I ran and the results that I got. I
hope they provide a clue as to what might be going on:

[root@SAMBA-AD ~]# wbinfo -u
Error looking up domain users


[root@SAMBA-AD ~]# wbinfo -g
failed to call wbcListGroups: WBC_ERR_DOMAIN_NOT_FOUND
Error looking up domain groups

[root@SAMBA-AD var]# wbinfo -i vavanessians
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user vavanessians


[root@SAMBA-AD var]# smbtree -U Administrator -D
Enter Administrator's password:
WORKGROUP
SYS_OPS
SUNBELT
SHEETMETAL
SERVICE
SERIVCE
PURCHASING
PROJET_GROUP
PROJECT_GROUP
PROJECT
PRODUCTION
PIPING
PAYROLL
MSHOME
IT
HR
ENG
DISPATCH
CONST
BILLING
AESNB
ADMIN
ACCOUNTING
DOMAIN

[root@SAMBA-AD var]# wbinfo --domain=DOMAIN
[root@SAMBA-AD var]#


wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls failed
error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc18b)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
[root@SAMBA-AD var]#

[root@SAMBA-AD ~]# smbclient -L SAMBA-AD -U Administrator
Enter Administrator's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-229d934]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    Data            Disk
    IT              Disk
    IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-229d934)
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-229d934]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

[root@SAMBA-AD ~]# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=COMPANY,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=COMPANY,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=COMPANY,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=COMPANY,DC=com
SchemaMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DOMAIN,DC=COMPANY,DC=com
[root@SAMBA-AD ~]#

Thanks in advance for any help that you can provide.

Varouj
-- 
*Varouj (V.J.) Avanessians | Sr. Linux Sys Administrator | ACCO Engineered
Systems*
6265 San Fernando Rd | Glendale, California | 91201- 2214
(818)-730-5846 Mobile | (818)-244-6571 Main*
*


[Samba] [Samba4] Problem with Joining Samba3 to Samba4 AD Domain

2013-01-08 Thread Varoujan Avanessians
Hello everyone
I have reached the end of my rope and desperately need help.
I recently installed two Samba4 Active Directory Domain Controllers on
CentOS 6.3 which are working perfectly, and I had joined a Samba3 server to
this domain and everything went well. I could authenticate users on the Samba3
server and could see all the groups in the domain, but I was having a
permissions problem accessing the share that I had created on the Samba3
server. I could see the share but could not access it. With some poking
around I discovered that disabling "selinux" would solve the issue.
Everything was working well before the New Year. Today when I tried to
access the share I got the same problem, so I thought I might restart the
server, and after the restart I had the following error messages in
/var/log/messages.

Jan  7 15:42:58 samba3 winbindd[2346]: [2013/01/07 15:42:58.674815,  0]
libads/sasl.c:823(ads_sasl_spnego_bind)
Jan  7 15:42:58 samba3 winbindd[2346]:   kinit succeeded but
ads_sasl_spnego_krb5_bind failed: Invalid credentials

I noticed that I could no longer see the users or groups when I ran wbinfo
-u and wbinfo -g.


Here are the steps I took to try to resolve the problem, but without success:

1- Removed the samba3 machine from Samba4 AD
2- Stopped smb and winbind on samba3
3- deleted all tdb files from /var/lib/samba
4- started the smb and winbind services
5 - ran:
[root@Samba3 ~]# kinit administrator
Password for administra...@domain.company.com:
Warning: Your password will expire in 17 days on Fri Jan 25 15:00:57 2013
[root@Samba3 ~]#

6- Next I ran:
[root@Samba3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@domain.company.com

Valid starting     Expires            Service principal
01/07/13 16:17:58  01/08/13 02:17:58  krbtgt/DOMAIN>
company@domain.company.com
renew until 01/08/13 16:17:28

7- Then I tried the following commands in turn

[root@Samba3 ~]# net ads join -U administrator
Enter administrator's password:
[2013/01/07 16:21:03.456721,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

[root@Samba3 ~]# net ads testjoin
[2013/01/07 16:25:09.437670,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
[2013/01/07 16:25:09.665259,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials


[root@Samba3 ~]# net rpc join -U administrator
Enter administrator's password:
Joined domain DOMAIN.

[root@Samba3 ~]# net rpc testjoin
Join to 'DOMAIN' is OK

[root@GLEN-Samba1 ~]# net ads info -U Administrator
Enter Administrator's password:
LDAP server: 192.168.1.101
LDAP server name: samba-ad.domain.company.com
Realm: DOMAIN.COMPANY.COM
Bind Path: dc=DOMAIN,dc=COMPANY,dc=COM
LDAP port: 389
Server time: Mon, 07 Jan 2013 16:27:56 PST
KDC server: 10.100.1.101
Server time offset: 26

[root@Samba3 ~]#  net rpc info -U Administrator
Enter Administrator's password:
Domain Name: DOMAIN
Domain SID: S-1-5-21-2572227374-1339717712-1008418335
Sequence number: 1
Num users: 17
Num domain groups: 12
Num local groups: 26

[root@Samba3 ~]# wbinfo -a vavanessians%somepassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root@Samba3 ~]# wbinfo -K 'vavanessians%somepassword'
plaintext kerberos password authentication for [vavanessians%somepassword]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0


But when I run "wbinfo -u" or "wbinfo -g" I get nothing.

My configuration files are:


[root@Samba3 ~]# cat /etc/krb5.conf
[libdefaults]
ticket_lifetime = 24h
default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
[realms]
DOMAIN.COMPANY.COM = {
kdc = 192.168.1.101
default_domain = DOMAIN.COMPANY.COM
}
[domain_realm]
.domain.company.com = DOMAIN.COMPANY.COM
domain.company.com = DOMAIN.COMPANY.COM
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog

[root@Samba3 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.128 samba3.domain.company.com samba3
192.168.1.101 samba-ad.domain.company.com samba-ad





[root@Samba3 ~]# cat /etc/samba/smb.conf
[global]
netbios name = Samba3
workgroup = DOMAIN
realm = DOMAIN.COMPANY.COM
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users