[Samba] Samba not announcing the correct IP address to a Windows NT Wins server
We have two systems with dual NICs that run samba 2.2.5 with winbind, and neither of them is announcing the system's primary IP address correctly to the WINS server. The systems show up in the wins database with the secondary IP address (which is the private network we use for the heartbeat/meta data on our CXFS cluster). We worked around it by entering the correct IP addresses for these systems as static IP entries in the WINS server's database, but it would be nice to know how we could get those systems to automatically announce themselves correctly. The nsswitch.conf file for these machines uses files first (local host table) then dns The primary IP addresses for these systems is in the local host table as are the hostnames for the 2nd NICs (i.e. samiam .vs. private-samiam) I think the samba name resolve order setting of host wins bcast means that I use the UNIX nameservice lookup first (as defined by nsswitch.conf), then ask the wins server, then broadcast for the information. I've told samba who the wins server is, but I don't have a remote announce parameter. Is this what I'm missing or do I need to make my netbios name = SAMIAM be lower case (or is there something else I need to do to get these systems to announce themselves correctly to the WINS server?) Thanks, Karen Wieprecht [global] workgroup = OURNTDOMAINNAME netbios name = SAMIAM server string = samiam security = DOMAIN encrypt passwords = Yes password server = * passwd program = /usr/bin/yppasswd log level = 2 log file = /usr/samba/log.%m max log size = 500 name resolve order = host wins bcast keepalive = 30 os level = 0 preferred master = False local master = No domain master = False dns proxy = No wins server = xx.xx.11.25 xx.xx.11.33 lock dir = /usr/samba/locks valid chars = - _ winbind uid = 1-2 winbind gid = 1-2 template homedir = /netshare/users/samba/%U winbind separator = _ winbind cache time = 60 username map = /usr/samba/lib/username.map guest ok = no map to guest = never hosts allow = xx.xx.11. xx.xx.12. xx.xx.17. veto files = /*.eml/*.nws/riche20.dll/*.{*}/ oplocks = No level2 oplocks = No strict locking = Yes -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] UNIX with samba .vs. native Windows Server , how to compare their performance for Windows-biased management
I had samba working on an old Sun Enterprise server using a JBOD that was managed with veritas volume manager (legacy stuff that had long outlived it's usefulness). Management arbitrarily decided to replace the aging Solaris server with a native Windows server without talking to me. I instead tried to persuade them to use an SGI cluster I had been putting together and use newer features of samba (winbind, domain authentication) for hosting this data, but they weren't interested. When that old Solaris system started having problems, and the new windows server wasn't online yet, I had to temporarily host the data on my SGI cluster, a duo of servers that was running samba with winbind and domain authentication. It was a very nice setup, either server in the pair could serve the files, and we made user login scripts mount the shares from whichever server reponded first. When we had to take the primary server down for maintenance, we switched the login script to point them to the secondary server's shares, had them log out and back in. While they worked happily off of the secondary server, we did a half day's worth of maintenance on the primary server without affecting the users. When we were done, we put the login script back the way it was before, and the next time they logged out and back in, they were again pointed to the primary server with the secondary as a backup. Even after demonstrating how nice my configuration was and how seemlessly we were able to do maintenance without affecting users, management and the two NT guys I work with were still sold on using the Windows native server. They claimed that it was cheaper to buy the hardware and easier to manage permissions and file access rights with the native equipment (of course, they are PC guys). My argument was that we could probably achieve the same file access flexibility with UNIX ACLs (which previous staff had not enabled on the UNIX side), and that the UNIX machines use RISC-based processors, a completely different animal than the GHZ pentium processors, so they would really have to come up with some benchmarks to compare the two systems. They also weren't originally going to accommodate any easy file interoperability with the UNIX users, they were going to make them use FTP to move files between the UNIX machine and the windows server, and I argued that this was removing capability that users were accustomed to having, not a real crowd pleasing decision. Now they are experimenting with Microsoft SFU to make the Windows box allow the UNIX machine to NFS mount its shares, and I have to say it does seem to work pretty well. It tied right into NIS nicely, automatically mapped matching usernames on either side, allows me to define mappings with usernames that do not match, etc. But it still digs in my crawl though that I never even got a chance to show what my cluster could do for them until after management had already decided to buy the windows server, and even after a nice demonstration of the UNIX cluster's capabilities, they are still sold (arbitrarily) on using the native Windows box. How can I compare the performance of the two servers? Many of you started out with Windows servers and migrated to samba to get better performance, but my collegues have done the opposite. Am I blindly biased that UNIX is better or is there a way I can get some real numbers to prove that te windows server is a slower file server? The guys are always weighing the cost and ease of management against the difference in performance (if there isn't much difference in performance, go with what is cheaper and simpler to manage), and for them that is the PC-native stuff. I feel like my UNIX skills are slowly getting pushed aside and I'm not sure how to get real performance metrics. Help, feedback, condolences are all welcome. karen -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Winbind UID
I was told to go download tdbdump and tdbtool, but I wasn't able to get them to compile, and it's been sitting on the backburner. I don't recall what web page serves the source (sorry). Let me know if you have any luck. Karen Wieprecht -Original Message- From: Lynch, Ken [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 11, 2002 11:37 AM To: '[EMAIL PROTECTED]' Subject: [Samba] Winbind UID Please note that I am not on the mailing list. Please respond to [EMAIL PROTECTED] I did not want to join the list just to ask one question. I need to know what UID's are being given to a domain user when they logon. Is there any way to view the winbindd_imap.tdb or winbindd_cache.tdb. Is there any utilities that would allow me to see the mappings. Thanks for any ideas, Ken Lynch -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] libnss on solaris
You've already built the libnss_winbind.so files ... Please check the following 0. This may not have been necessary, but in our /etc/hosts table, we made an alias for the domain controller that is the name of our domain 10.0.10.11 dc.something.edu ntdomainname 1.In /etc/nsswitch.conf: passwd: files nis winbind group: files nis winbind 2. Configure smb.conf file for security = domain and set up the winbind parameters (see samples in many of the docs files) ~samba/bin/testparm 3. Join the domain a. add the system to the domain on the domain controller b. ~samba/bin/smbpasswd -j yourdomainname -r yourdomaincontroller 4. start your smbd and nmbd daemons 5. start your winbind daemons AFTER the smbd and nmbd daemons 6. test the winbind connectivity ~samba/bin/wbinfo -u -g See if any of this helps. Karen Wieprecht -Original Message- From: Terry [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 28, 2002 4:24 AM To: John H Terpstra Cc: [EMAIL PROTECTED] Subject: RE: [Samba] libnss on solaris Hello, have you ever made nss_wins work on solaris ? No. But others have. This WINS support library was built on Solaris. could you please give me a contact to such a person ? from nsswitch/README: This extension provides a wins module for NSS on glibc2/Linux. Make sure that you rename nss_wins.so to libnss_wins.so and set links accordingly. I did, as I wrote in previous email. Also, please check Solaris documentation to find how to bind dynamic link libaries so that solaris can find them. Do you have an /etc/ld.so.conf file? Maybe it is in /etc/system.{cnf,conf}. I used to run Solaris X86 and vaguely remember a file like it. i checked the docs and without any tweaking libraries are searched for in /usr/lib. you can change it with crle command, but in this case i dont think it needs any changes. Also, what happens it you have in your /etc/nsswitch.conf? hosts: wins dns file, ie: wins first. i tried even hosts: wins only, with no luck :( Please show command failure output. bash-2.05# ping cww ping: unknown host cww i have also ran snoop (sun's network sniffer) and if i do a ping i cant see any broadcasts nor wins traffic... so i guess that nss library is not even touched :( how can i debug it ? truss doesnt show anything useful :| i need it badly, terry -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] List messages using Entrust
Is there any special reason that so many people are sending messages to the list using entrust? Curious, Karen Wieprecht -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] RE: SWAT not working, can't authenticate
Did you make sure localhost resolves? Also, depending on your /etc/resolv.conf, you may have to fully qualify the host's name including the DNS domain. I seem to rember having problems with this, and some combination of using localhost or hostname.domain.edu or using the actual IP address of the host cleared up the problem. Karen Wieprecht -Original Message- From: Noel Kelly [mailto:nkelly;citrusnetworks.net] Sent: Thursday, November 07, 2002 4:48 PM To: 'Jim Myers'; [EMAIL PROTECTED] Subject: RE: [Samba] RE: SWAT not working, can't authenticate I have had this problem before. Never really got to the bottom of it but if you want to get on then just add '-a' to your swat command to disable authentication. -Original Message- From: Jim Myers [mailto:myersjj;us.ibm.com] Sent: 07 November 2002 21:08 To: [EMAIL PROTECTED] Subject: RE: [Samba] RE: SWAT not working, can't authenticate I had already done that, so it must be something more subtle... Jim Myers IBM Almaden Research Center B3-239, 408-927-2013 Irving Carrion [EMAIL PROTECTED] 11/07/2002 12:16 PM To: Jim Myers/Almaden/IBM@IBMUS, [EMAIL PROTECTED] cc: Subject:RE: [Samba] RE: SWAT not working, can't authenticate Not to sure, but I think you may need to add the root account to Samba. smbpasswd -a root -Original Message- From: [EMAIL PROTECTED] [mailto:samba-admin;lists.samba.org] On Behalf Of Jim Myers Sent: Thursday, November 07, 2002 3:08 PM To: [EMAIL PROTECTED] Subject: [Samba] RE: SWAT not working, can't authenticate I have Samba 3.0 alpha20 installed on Linux RedHat 7.3 and all works fine except for SWAT. I have /etc/xinetd.d/swat defined properly (I think) and port 901 is active and starts SWAT OK. When I try to log in to SWAT either locally or from remote browser, the authentication fails. I'm logging in as user=root with the correct password, but the authentication still fails. Is there some special password file that SWAT uses? Jim Myers IBM Almaden Research Center B3-239, 408-927-2013 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] User nobody logging in to shares instead of domain user
I am assuming that you have guest ok = yes, and that guest is the nobody account. It sounds like your name lookups are not searching winbind, do you have winbind in your nsswitch.conf file for password and group? Have you restarted your nameservice lookups (automatic on solaris, nsadmin restart on Irix, don't know about other platforms but a reboot should certainly take care of it if you don't have a platform-specific command to do this. Also, you are using + as a winbindseparator ... Are you also using NIS? If so, you may want to try using _ instead as a winbind separator, I seemed to have problems with + interacting adversely with NIS. Karen Wieprecht -Original Message- From: David Shapiro [mailto:David.Edward.Shapiro;bti.com] Sent: Monday, November 04, 2002 2:01 PM To: '[EMAIL PROTECTED]' Subject: [Samba] User nobody logging in to shares instead of domain user Hello, I have winbind and pam enabled on samba 2.2.6. The problem I am having is that the login it is using to check for authentication to a share I made is user called nobody instead of the domain user INS+DavidSha. I see in the workstation log: [2002/11/04 14:00:43, 10] lib/username.c:user_in_list(456) user_in_list: checking user nobody in list INS+DavidSha user_in_list: checking user |nobody| against |INS+DavidSha| [2002/11/04 14:00:43, 10] lib/username.c:user_in_list(456) 2002/11/04 14:00:43, 2] smbd/service.c:make_connection(331) Invalid username/password for samba-lib [nobody] [2002/11/04 14:00:43, 3] smbd/error.c:error_packet(110) error packet at smbd/reply.c(166) cmd=117 (SMBtconX) NT_STATUS_WRONG_PASSWORD [ [2002/11/04 14:00:43, 6] lib/util_sock.c:write_socket(521) getent passwd returns domain users, so I think winbind is working. The share is set up as follows: [samba-lib] comment = Samba lib path = /usr/local/samba/lib valid users = INS+DavidSha read only = No The directory has group ownership of group called users with gid of 1. I have set up several samba servers. I am stumped on this one. David -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] SAMBA Clustering
I have an SGI cluster (two servers share same physical disk space). I made the username map live in clustered space and made the ~samba/locks/winbind_idmap.tdb also live in the cluster space via a symbolic link on both servers. Bother server run samba using the same smb.conf settings (different hostname of course). The PC users run a login script that tests is one server exists, if so, it maps the share to a network drive from that server, if not, it checks to see if the other server exists, and (hopefully that machine is up) maps the drive from the alternate server. If something bad happens to the primary server or we have to shut it down for maintenance, the user can simply log out and back in and get his samba services from the alternate machine. If a domain user without a corresponding UNIX account creates a file on a public share, he gets assigned a UNIX UID on the fly from the winbind range, and that is tracked in the winbind_idmap.tdb. If the other server ends up having to serve the files, we want it to get the same UID mapping info. Putting that out on the cluster was our solution, and the cluster file locking mechanism will guarantee that only one samba session write to that file at a time, plus, the pcs should only be connected through our primary server under normal circumstances, the other samba is running just in case. Keep your fingers crossed, but so far so good. karen wieprecht -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Unable to login with regular Linux accounts?
Did you try adding machinename\username to your list of valid users and/or your write list as appropriate? Karen Wieprecht -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Winbindd not listing users/groups
Title: Message This may be an obvious question, but we had to add the machine to the domain with winbind and samba not running, I am assuming that you have started samba and winbind before trying the wbinfo tests? Karen Wieprecht
RE: [Samba] Winbind!
Why not? It does not affect whether or not my NT user gets matched to a UNIX UID and GID (username.map does that part for me), but for files created by users with no corresponding UNIX account, it makes the domain username show up on an ls -l minus the domain prefix so I can see who owns the file, otherwise, ls -l shows a truncated version of DOMAINNAMEseparatorUSERNAME, and I can't tell who owns anything ... What is the purpose of the parameter, and why is it a bad idea to use it? Thanks, Karen Wieprecht From: Gerald (Jerry) Carter [mailto:jerry;samba.org] winbind use default domain = yes Do not use this parameter. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Winbindd not listing users/groups
We have had better luck adding the machine account on the NT domain controller, then joining the domain with the smbpasswd command rather than trying to do the whole thing from the smbpasswd command. You could try deleting the machine account, deleting your secrets.tdb file, and starting that process over. Karen Wieprecht -Original Message- From: Sean Patrick Ingles [mailto:ingless;visionsys.com] Sent: Thursday, October 31, 2002 10:20 AM To: Gareth Davies Cc: [EMAIL PROTECTED] Subject: RE: [Samba] Winbindd not listing users/groups I entered wbinfo -A Administrator%password And now wbinfo -t says: Secret is bad 0xc001 Any thoughts? -SP -Original Message- From: Gareth Davies [mailto:gdavies;willowbrook.co.uk] Sent: Thursday, October 31, 2002 10:05 AM To: Sean Patrick Ingles; [EMAIL PROTECTED] Subject: Re: [Samba] Winbindd not listing users/groups Original Message - From: Sean Patrick Ingles To: [EMAIL PROTECTED] Sent: Thursday, October 31, 2002 2:43 PM Subject: [Samba] Winbindd not listing users/groups Greetings from NY! I am running SaMBa version 2.2.6 compiled from source on a RedHat 7.3 (Linux tux.#.net 2.4.19 #1 Fri Oct 25 15:39:52 EDT 2002 i686 unknown) box. I start smbd and nmbd as I usually do. Then I start winbindd I verified that they are running. I run : smbpasswd -j DOMAIN -r Windows2kDomainController -U Administrator Password: Joined domain DOMAIN. Ok, so I'm in the domain Then I run: [root@tux src]# wbinfo -t Secret is good Even better, my secret is good! Then I try and list users/groups: [root@tux src]# wbinfo -u Error looking up domain users [root@tux src]# wbinfo -g Error looking up domain groups wbinfo -A Administrator%password Please lose the HTML Shaolin - IT Systems WB Ltd. .: http://www.security-forums.com :. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] RE: Can you assist me? I have seen yours and Jennifer Fountainscorr espondence
Title: Message 1. What version of samba? You should be trying 2.2.5 or 2.2 6 for one of the more stable winbind releases. 2. Are you running NIS? Try changing the winbind separator to _ (underscore) 3.. Did you put winbind in your nsswitch.conf file? If so, did you force the system to re-read that info (happens automatically on solaris, must run nsadmin restart on Irix, don't know about other platforms). 4.. Is that a typoin your smb.conf file where the username map entry is, or just a typo in the mail message? 5. If none of these simpler things does the job, try removing the username map and the valid users first and see how far you get. You can check the client connection logs (~samba/log.hostname) to see who samba thinks you are when you try to access the share from the PC. Add your username map back into the picture and see if "who you connect as" changes. How you are being identified in the connection log should help you figure out if you need to put domainname+username or just plain username in for the valid users. Solve this piece by piece to get the exact combination that does what you want rather than adding too much complexity. Let me know how it goes, Karen Wieprecht -Original Message-From: Jennifer Crusade [mailto:[EMAIL PROTECTED]] Sent: Monday, October 28, 2002 5:03 PMTo: '[EMAIL PROTECTED]'Subject: Can you assist me? I have seen yours and Jennifer Fountains corr espondence Hello, I have a quick question you may be able to assist me with. I am doing the same thing you are I can do all of the commands winbind -u winbind -g getent passwd getent group But when I set up a share to test with one domain user account it just presents me with a password dialog box and does not accept anything. It should not prompt me but if it does it should authenticate me an it does not. I have tried it with the username map = /etc/samba/smbusers and that did not work either. I have tried the valid user = with domain name and separator and without nothing is working. i know i am missing something simple. Here is my information: #=== Global Settings = [global] workgroup = GTESS1.COM netbios name = GTDNS server string = Linux 7.3 Samba Server log file = /var/log/samba/log.%m security = domain password server = * wins server = 192.168.2.1 ;username map = /etc/samba/smbusers encrypt passwords = yes winbind separator = + winbind uid = 1-2 winbind gid = 1-2 winbind enum users = yes winbind enum groups = yes template shell = /bin/bash winbind use default domain = yes socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 [TESTIT] comment = TESTIT path = /usr/stuff valid users = GTESS1.COM+jcrusade read only = No create mask = 0777 directory mask = 0777 Thanks, Jennifer Crusade GTESS Corp. CCNA, MCSE W2k\NT 4.0, MCP +I
RE: [Samba] Problem running ./configure
I had the same configure problem, ended up downloading a pre-built version from the SGI freeware site, but thought I'd try again after I had applied some patch updates ... Oddly enough, after the patch updates, my samba configure no longer gave me those errors. I wish I could tell you which updates actually fixed the problem, but I had the same issue whether I used the native compiler or gcc, and got it on both Solaris and Irix. When I tested after I updated my irix to 6.5.17, I tested with the native compiler, so I'm betting that it was som compiler development library patch that did the job ... Wish I had more for you, good luck. Karen wieprecht -Original Message- From: Elliot [mailto:elliot.williams;mutualinterest.com.sg] Sent: Monday, October 28, 2002 11:28 PM To: 'Samba Mailing List' Subject: [Samba] Problem running ./configure guys .. when i run ./configure for my samba 2.2.6 .. i get this error $ checking for test routines... configure: error: cant find test code. Aborting config I am not sure how to resolve it. I have posted my error log file at http://www.mutualinterest.com.sg/config.log hope someone can help me out here.. And this is my output. Sorry if it is kinda long. -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] RE: Can you assist me? I have seen yours and Jennifer Fountainscorr espondence
Title: Message You can do the following: 0. Stop winbind and samba 1. Delete the hosts machine account (on the NT domain controller), verify that the machine account deletion has propagated to any backup domain controllers 2. Remove the secrets.tdb file (or MACHINE.SID if you are using an older version of samba, these are usually in ~samba/private), 3. Make a new machine account for the host on the domain controller 4. While samba and winbind are not running, re-join the machine to the domain : smbpasswd -jdomainname -rdomaincontroller this will create a new MACHINE.SID or secrets.tdb file 5. rerun your samba (first) and winbind (second) startup scripts 6. try your wbinfo and other tests, you should be in good shape. karen Wieprecht
RE: [Samba] samba and winbind issues
Are you talking about access rights (like write list = @group) ? I found a few interesting things with groups and security=domain with winbind: 1. the @group syntax applies to the UNIX group names. To give access to an NT group, you need to use something like this: write list = @WALNETNT_Domain Users @DomainnameWinbindseparatorNTgroupname 2. If I specified an NT user, it seemed that I had to prefix it with the domain name and my winbind separator to get it to work correctly write list = WALNETNT_jmacs 3. If you want to grant access to more than one user/group, separate the entries with commas: write list = WALNETNT_jmacs, @WALNETNT_Domain Users 4. If you are using a username map file to make the user's UID assignment match when he access files from either side, it seems to cause his membership to other NT groups to go un-noticed. Example: I had a read-only share that was writable by @WALNETNT_Domain Users , but user karen (NT) was being assigned the UNIX karen account UID and GID by the username mapping mechanism, and was no longer recognized as a member of the NT Domain Users group ... I was going to play with adding other UNIX groups to the write list to see if I could fix this problem. Hope this answers your question. -Original Message- From: Jennifer Fountain [mailto:JFountain;rbinc.com] Sent: Friday, October 25, 2002 5:22 PM To: 'Wieprecht, Karen M.' Subject: RE: [Samba] samba and winbind issues Thanks for the email. I finally got samba to work but now I am having issues with groups. When I do a groups jfountain, i get domain admins but no other groups. when i do a groups user1, i get nothing - and the user is in a couple groups. Any thoughts or ideas? what am i missing? -Original Message- From: Wieprecht, Karen M. [mailto:Karen.Wieprecht;jhuapl.edu] Sent: Thursday, October 24, 2002 9:04 AM To: 'Jennifer Fountain'; '[EMAIL PROTECTED]' Subject: RE: [Samba] samba and winbind issues 1. Run ~samba/bin/wbinfo -u and make sure you are actually talking to your domain controller 2. Do you have winbind entries in your nsswitch.conf file? Have you made your system re-read this info (the command is nsadmin restart on irix, don't know about other platforms). 3. The windows box isn't caching any old login data is it? (I've had problems testing samba configuration changes because windows 2000 caches some of the login stuff ... I'm not great on windows admin, don't know how to force the cache to clear without a reboot, so I've had to reboot the windows client to test... 4. One of the samba guys said that the winbind use default domain parameter might not do what I originally hoped (help me match NT username with UNIX username without having to use a username map). Recent tests seem to show that my UID's only match if I turn that parameter off and use a username map. Of course, testing has been very frustrating because I keep fighting with windows caching ... Have you tried using a username map? Karen Wieprecht -Original Message- From: Jennifer Fountain [mailto:JFountain;rbinc.com] Sent: Wednesday, October 23, 2002 9:39 AM To: [EMAIL PROTECTED] Subject: [Samba] samba and winbind issues I know winbind (i think) is working fine. i can log into a unix box with my NT userid but when i try to access shares on my samba server, i get these errors: [2002/10/23 08:47:01, 0] lib/util_sec.c:(111) Failed to set gid privileges to (-1,-2) now set to (0,0) uid=(0,0) [2002/10/23 08:47:01, 0] lib/util.c:(1092) PANIC: failed to set gid [2002/10/23 09:17:08, 0] lib/util_sec.c:(111) Failed to set gid privileges to (-1,-2) now set to (0,0) uid=(0,0) [2002/10/23 09:17:08, 0] lib/util.c:(1092) PANIC: failed to set gid log.smbd: END Here is a copy of my smb.conf # Samba config file created using SWAT # from ws09573.rb.net (10.27.52.177) # Date: 2002/10/23 08:16:35 # Global parameters [global] workgroup = domain1 netbios name = ARES server string = ARES_SAMBA interfaces = lan4 127.0.0.1 bind interfaces only = Yes security = DOMAIN encrypt passwords = Yes password server = dc1 wins server = 10.1.14.25 winbind uid = 4-4 winbind gid = 5-5 template shell = /usr/bin/ksh winbind use default domain = Yes [jf] path = /tmp/jfountain username = jfountain valid users = jfountain admin users = domain admins read only = No what am i doing wrong? any info would be greatly appreciated! thanks! -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] samba and winbind issues
Sorry, I don't know any more, hopefully one of the samba gurus might have an explanation for the behavior. Karen Wieprecht -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] utilizing smbpasswd with two user #######URGENT#######
Title: Message use the username.map file capabilities -Original Message-From: SALOME Alexandre [mailto:[EMAIL PROTECTED]] Sent: Friday, October 25, 2002 11:17 AMTo: Samba@Lists. Samba. Org (E-mail)Cc: SAMBA KarineSubject: [Samba] utilizing smbpasswd with two user ###URGENT### Hi, I have a user in Windows (user_windows = eng.calculo). I would like that this user_windows acess the unix (solairs2.6) as a valid user unix (user_unix=cs02929) (this problem is because the admintool only create user with 8 caractheres. How I can resolve this problem ? ...OLE_Obj... , Atenciosamente Alexandre Salomé Comau System _ Sistemas Engenharia tel: 0055 031 9944 8646 fax:0055 031 3529 6533
RE: [Samba] samba and winbind issues
1. Run ~samba/bin/wbinfo -u and make sure you are actually talking to your domain controller 2. Do you have winbind entries in your nsswitch.conf file? Have you made your system re-read this info (the command is nsadmin restart on irix, don't know about other platforms). 3. The windows box isn't caching any old login data is it? (I've had problems testing samba configuration changes because windows 2000 caches some of the login stuff ... I'm not great on windows admin, don't know how to force the cache to clear without a reboot, so I've had to reboot the windows client to test... 4. One of the samba guys said that the winbind use default domain parameter might not do what I originally hoped (help me match NT username with UNIX username without having to use a username map). Recent tests seem to show that my UID's only match if I turn that parameter off and use a username map. Of course, testing has been very frustrating because I keep fighting with windows caching ... Have you tried using a username map? Karen Wieprecht -Original Message- From: Jennifer Fountain [mailto:JFountain;rbinc.com] Sent: Wednesday, October 23, 2002 9:39 AM To: [EMAIL PROTECTED] Subject: [Samba] samba and winbind issues I know winbind (i think) is working fine. i can log into a unix box with my NT userid but when i try to access shares on my samba server, i get these errors: [2002/10/23 08:47:01, 0] lib/util_sec.c:(111) Failed to set gid privileges to (-1,-2) now set to (0,0) uid=(0,0) [2002/10/23 08:47:01, 0] lib/util.c:(1092) PANIC: failed to set gid [2002/10/23 09:17:08, 0] lib/util_sec.c:(111) Failed to set gid privileges to (-1,-2) now set to (0,0) uid=(0,0) [2002/10/23 09:17:08, 0] lib/util.c:(1092) PANIC: failed to set gid log.smbd: END Here is a copy of my smb.conf # Samba config file created using SWAT # from ws09573.rb.net (10.27.52.177) # Date: 2002/10/23 08:16:35 # Global parameters [global] workgroup = domain1 netbios name = ARES server string = ARES_SAMBA interfaces = lan4 127.0.0.1 bind interfaces only = Yes security = DOMAIN encrypt passwords = Yes password server = dc1 wins server = 10.1.14.25 winbind uid = 4-4 winbind gid = 5-5 template shell = /usr/bin/ksh winbind use default domain = Yes [jf] path = /tmp/jfountain username = jfountain valid users = jfountain admin users = domain admins read only = No what am i doing wrong? any info would be greatly appreciated! thanks! -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Winbind Help : NT Group permissions don't seem to apply when using username map
Samba 2.2.5 security = domain with winbind Also Using a username map for users with a corresponding UNIX account. Username.map: Karen = WALNETNT_karen (unix) (nt) Causes karen to come onto the samba share with UID and GID matching that used on the UNIX side. This lets karen (nt) write in any areas owned by karen (UNIX), but public areas that are shared to all Domain Users (write list = WALNETNT_Domain Users) are not writable now by karen from the NT side. It seems that once the UNIX UID is assigned, the daemons lose all information about any domain group memberships that the user had. Any idea how I can fix this? Thanks, Karen Wieprecht -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Group write permissions denied when using username map
Samba 2.2.5, security = domain, using winbind and a username map for users with a corresponding UNIX account. Interesting thing: once I got my username map working and the NT users are getting their correct UNIX UID when they access the shared area from the PC, they are no longer being identified as members of the domain users NT group, which means they can write to the shared directory from the UNIX side (world writable by anyone with access to the UNIX machine), but they can't write to it from the PC side (write list = WALNETNT_Domain Users) of which they are members... Any ideas why this is? Thanks, Karen Wieprecht -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Solution for winbind problem: incorrect password or unknown username
Title: Solution for winbind problem: incorrect password or unknown username We had winbind running great, but suddenly we were getting this GUI that said: Incorrect password or unknown Username for : \\hostname Connect as: (rectangle to enter username ) Password: (rectangle to enter password) Wbinfo showed that I was talking to the domain controller successfully, but I could not get onto the samba shares. I finally isolated that this happens after I have stopped and started winbind on my Irix system. I'm not sure the exact sequence, but I believe I had stopped winbind and had forgotten to restart it before I started testing my samba share access. My theory is that the problem with winbind not running causes my nameservice to hence ignore using winbind for name lookup. A reboot would clear this up, but on Irix, you can re-run nsadmin restart To tell your name services to use winbind. The reason you never can get logged in, even if you give a correct NT username and password, is that your UNIX back-end is never using the winbind piece of nsswitch, so all authentication being passed by the PC is encrypted, but UNIX is expecting clear text, thus you will never be able to login via this window if your UNIX system has stopped using winbind. Hope this helps someone. Karen Wieprecht
[Samba] Username map and UNIX UID assignments
I'm testing Samba 2.2.5 with winbind. I can successfully authenticate domain users who do and don't have corresponding UNIX accounts as well as domain users who do have a UNIX account. Files created from PC side by usera show up in UNIX ls -l as owned by usera so I thought the automatic username mapping was working correctly, but I found out that usera isn't being assigned his UNIX User ID correctly. I found this because UserA doesn't have write access in the areas he should when he comes in through samba. I had usera write a file in a public space, and from the UNIX side did ls -n to show the UID assigned, and it is one of the Ids in the winbind range, not the user's UNIX UID ... I tried adding a username map to force the UID mapping explicitly, but even after doing that, the UID is still the winbind one, not the correct UNIX one. I'd like to get this working. Any tips would be most appreciated. Karen Wieprecht [EMAIL PROTECTED] P.S. This is the configuration I was using, I tried adding a username map, and then tried changing winbind use default domain = No at one user's suggestion, but no luck. # Global parameters [global] workgroup = WALNETNT netbios name = ROSEHORSE server string = rosehorse security = DOMAIN encrypt passwords = Yes password server = * passwd program = /usr/bin/yppasswd log level = 2 log file = /usr/samba/log.%m max log size = 500 name resolve order = host wins bcast keepalive = 30 os level = 0 preferred master = False local master = No domain master = False dns proxy = No wins server = x.x.x.x lock dir = /usr/samba/locks valid chars = - _ winbind uid = 1-2 winbind gid = 1-2 template homedir = /netshare/users/samba/%U winbind separator = _ winbind cache time = 60 winbind use default domain = Yes guest account = user1 guest ok = No map to guest = Never hosts allow = x.x.x. veto files = /*.eml/*.nws/riche20.dll/*.{*}/ strict locking = Yes -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] valid users and groups with winbind
Andrew, I was having the same problem with getting groups to work, so I tried your solution, but can't get it to work either. 1. I set up a read only share, made sure I didn't have write access. 2. I added write list = WALNETNT_karen and verified that I now had write access. 3. I then changed the write list to give write access to the whole domain users group (which karen is a member of), but I no longer had write permission ... I tried all of the following, but none seemed to work: write list = 'domain\domain users' write list = 'domain\Domain Users' (case sensitivity check) write list = 'WALNETNT\Domain Users' (maybe you meant for me to use my domain name?) write list = 'WALNETNT_Domain Users' (My winbind separator is _ ... Use this?) write list = 'domain_Domain Users' write list = ''domain_domain users' I didn't try taking the quotes off, I didn't think UNIX would deal with the space in the domain group name very well. I logged off and back on as various domain users while testing this to make sure the permissions weren't being cached on the client PC. I'm obviously missing something here, perhaps you can shed some light? Thanks, Karen Wieprecht -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 26, 2002 7:10 PM To: Michael MacIsaac Cc: [EMAIL PROTECTED] Subject: Re: [Samba] valid users and groups with winbind Michael MacIsaac wrote: Hi, Just starting on this list. I have samba (2.2.5a) on Linux/s390 and winbind authenticating and providing shares. I add the global to smb.conf: valid users = '@Domain Users' Winbind groups start with DOMAIN\, and as a quirk, don't need the @ prefix. So valid users = 'domain\domain users' should do what you want. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] 2.2.5 and NIS question
I'm not sure what happe4ned to the --with-nis option either, but it seems to work just fine. Perhaps they made it part of the default set? We use nis and winbind, and NT users with matching UN(IX accounts get assigned the UID and GID I have in NIS. Karen Wieprecht -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, September 30, 2002 4:06 AM To: [EMAIL PROTECTED] Subject: [Samba] 2.2.5 and NIS question Hi there, i'd like to use NIS (AIX based) to authenticate the samba-users (to implement samba enterprise wide) in using samba is an option which should be configured (--with-nis) (NOT the --with-nisplus option) now i got 2.2.5 (source) - but in configure this option is missing Was this dropped in version 2.2.5 ? Which was the last version that's able to work with NIS ? Does anyone know how i can get this thing working ? Udo E. Foth - Systemingenieur - REIFF - Management- + Service- GmbH Tuebinger Str. 2 - 6 D-72762 Reutlingen Tel.07121/323-283 Mobil 0179/2670262 Fax 07121/323-6283 Mail[EMAIL PROTECTED] Web http://www.reiff-rms.de -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] 2.2.5 and NIS question
Two things seemed to affect this for us: 1. Set the winbind use default domain parameter to yes winbind use default domain = yes 2. The winbind separator The docs show / and + as sample separators, but + is special in NIS, and / is special in UNIX. I used _ (underscore) as my winbind separator. Buchan Milne passed on the use default domain tip (thanks!). I found a NIS Reference buried in the smb.conf man page. It only refers to the NIS group definitions, but the light went off that NIS was probably being adversely affected by the + winbind separator we were using. Changing it to underscore fixed us up. Let me know if this does the job for you as well. Karen -Original Message- From: Nir Soffer [mailto:[EMAIL PROTECTED]] Sent: Monday, September 30, 2002 11:58 AM To: Wieprecht, Karen M.; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [Samba] 2.2.5 and NIS question -Original Message- From: Wieprecht, Karen M. [mailto:[EMAIL PROTECTED]] Sent: Monday, September 30, 2002 2:59 PM To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' Subject: RE: [Samba] 2.2.5 and NIS question I'm not sure what happe4ned to the --with-nis option either, but it seems to work just fine. Perhaps they made it part of the default set? We use nis and winbind, and NT users with matching UN(IX accounts get assigned the UID and GID I have in NIS. How exactly do you do that? I've only managed to get winbind users when using winbind. smbd would refer to the users in winbind regardless of the users existance in other NSS databases. Nir. -- Nir Soffer -=- Software Engineer, Exanet Inc. -=- Father, why are all the children weeping? / They are merely crying son O, are they merely crying, father? / Yes, true weeping is yet to come -- Nick Cave and the Bad Seeds, The Weeping Song -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Problems with lower and uppercase filenames
I note some distinctions here: The tools you had trouble with were NT tools, and the problem didn't exist with all of them. NT is not case sensitive, and so developers of the various tools and utilities probably handle character case differently. I'm betting that it's the utility you are using that is deciding to make the file name upper case (file copy, by default, calls the output COPY OF FOO.TXT and probably doesn't try to preserve the case of the original file name, notepad may also throw away any lower case letters ... Etc.) You should try these same tests without going through the loopback to make sure you understand what behavior is introduced by the utility itself .vs. what might be getting introduced when you throw samba into the mix. If the behavior is the same in both cases, I'd blame the NT utility, not the file sharing method. Karen Wieprecht -Original Message- From: Barzilai Spinak [mailto:[EMAIL PROTECTED]] Sent: Saturday, September 28, 2002 4:55 AM To: [EMAIL PROTECTED] Subject: [Samba] Problems with lower and uppercase filenames Hi, I just subscribed to this list to see if I can get a solution to the following problem. I've spent a couple of hours looking though the man pages, google, etc but haven't found a solution. Platform: RedHat 7.3 and Win98SE (in spanish) Samba Version 2.2.3a Ok, the problem is the following. case 1: Let's say I have a unix directory /temp shared through samba. I'm sitting at my windows machine and I can create filenames with upper/lowe/mixed cases and everything works fine case 2: There's a windows shared directory in my windows machine, let's call it MyWinShare I want to access it from unix so I do a mount -t smbfs -o username=joe //WINPUTER/MyWinShare /mnt/winputer/shareit now from the unix shell prompt I can create files in my windows machine with any kind of upper/lower case letters... so far so good... Now I create a samba share: [whatever] path=/mnt/winputer/shareit browseable = yes writable = yes create mask = 0666 directory mask = 0777 preserve case=yes; added this one just in case The problem starts now. When accessing this share from the Windows computer I can see the shared directory (although through an unnecesary loopback which is irrelevant to the problem because it still happens with a different setup without loops). * If I drag and copy a file from the windows explorer, lets say foo.txt, the new file becomes COPY OF FOO.TXT All the characters in uppercase. * If I move the file to another directory in the share, the case is kept. * If I rename a file to fOooOo.tXt, the case is kept. * If I use Notepad and save a new file in the share, it goes all to UPPERCASE!!! * If I use Wordpad, however, it respects the case... * Other programs behave in different ways... The main problem (and what started all this) is that my Java IDE has the all to uppercase problem and if I edit a file and then save it, the filename goes to UPPER which is very bad for a Java filename since it's case sensitive. So I read man smb.conf, man smbmount, etc... and saw parameters for codepages and character sets, and started trying combinations (my windows is in codepage 850 for DOS and codepage 1252 for windows, my /usr/share/samba/codepages has an entry for 1251 but not for 1252...) Nothing new happens with all the codepage changes, the problem persists. Notice that is not a problem of smb itself because other shares work fine, nor of smbmount itself because from the unix prompt I can create files in the windows machine with any case of letter. But smb+smbmount, both together, give this phenomenon!!! any ideas?? I hope this is not too confusing... it's 6:30am already and I can't even type! thanks BarZ -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Winbind UID assignments - keeping a backup
We use samba 2.2.5 in security=domain with winbind running. NT users who don't have corresponding UNIX accounts are assigned a UID on the fly based on the range specified in the smb.conf file. Are there any recommendations for keeping that file backed up or synced up with another system's samba files? We have a cluster where either of two machine could serve our critical files in the event one went down. I would like to keep this critical UID assignments file synced up (should I just use rsync?). Since it's a .tdb file, not just a text file, I wasn't sure if any host-specific stuff was written there that might become a problem if I use a copy of the file on a different samba server. Curious, Karen Wieprecht -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] What is in your PATH definition when running the samba configure?
I can't seem to get anyone to respond to this so I'm asking again ... It seems that the rest of the world is able to get past the configure step in samba 2.2.5, but I get an error (I didn't have this problem when I compiled samba 2.2.2 or 2.2.3a, so it leaves me rather stumped). ./configure --prefix=/usr/samba --with-winbind --with-automount gives me the following error on both solaris and irix: checking for conflicting AUTH_ERROR define in rpc/rpc.h ... no checking for test routines ... configure: error: can't find test code. Aborting config For those of you who have successfully run samba 2.2.5's configure on solaris and/or irix, what does your PATH definition look like, and are you running the configure as root or as a regular user? Thanks, Karen Wieprecht -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] NT user name doesn't match unix username when winbindd is running
Samba team, I posted the following message on May 30 to comp.protocols.smb, but no one has responded to the posting as of yet, so I thought I'd try this email list. We are testing winbind and security=domain to authenticate NT users on our UNIX box in samba (v2.2.3a). Winbind is working correctly. Wbinfo shows users as domainname+username (we are using + as the separator), however, the NT usernames aren't automatically mapping to their corresponding UNIX usernames as expected. Perhaps I don't understand how this is supposed to work? From what I understand, security=domain WITHOUT winbind requires a corresponding UNIX user (or dummy entry in the password file) for each NT user who you want to authenticate. This works for us, my NT karen account gets matched to my Unix Karen account, new files I create from the PC side get assigned the correct Unix UID, my login directory is shared via [HOMES] correctly, etc as long as I don't run winbindd. However, when I turn on winbindd, the NT karen account now gets mapped to domainname+karen instead of karen, so UID's don't match, and my home login directory isn't being shared to my NT Karen account. Aren't the NT user names supposed to map to the UNIX user name if one exists? We want the features of winbind so we don't have to have a corresponding UNIX account for each NT user, but we want matching usernames to map automatically for those users who DO have accounts on both sides. It works when winbind is not running, why doesn't this work when I run winbind? Is there some other parameter I have to set to make this happen? Thanks for your help , Karen Wieprecht - Karen Wieprecht Senior Unix Systems Administrator 11100 Johns Hopkins Road Laurel, MD, 20723 443-778-3075 [EMAIL PROTECTED] - -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] NT user name doesn't match unix username when winbindd is running
We are testing winbind and security=domain to authenticate NT users on our UNIX box in samba (v2.2.3a). Winbind is working correctly. Wbinfo shows users as domainname+username (we are using + as the separator), however, the NT usernames aren't automatically mapping to their corresponding UNIX usernames as expected. Perhaps I don't understand how this is supposed to work? From what I understand, security=domain WITHOUT winbind requires a corresponding UNIX user (or dummy entry in the password file) for each NT user who you want to authenticate, otherwise they can't get on unless you have set up guest ok =yes and defined a username for guest to connect as . This works for us, my NT karen account gets matched to my Unix Karen account, new files I create from the PC side get assigned the correct Unix UID, my login directory is shared via [HOMES] correctly, etc as long as I don't run winbindd. When I turn on winbindd, the NT karen account now gets mapped to domainname+karen instead of karen, so UID's don't match, and my home login directory isn't being shared to my NT Karen account. Aren't the NT user names supposed to map to the UNIX user name if one exists? We want the features of winbind so we don't have to have a corresponding UNIX account for each NT user, but we want matching usernames to map automatically for those users who DO have accounts on both sides. It works when winbind is not running, why doesn't this work when I run winbind? Is there some other parameter I have to set to make this happen? I hope I'm missing something here and I'm not going to have to create a user map file for all of the users whose NT and Unix usernames already match ... -- Also, Is there a good discussion anywhere about configuration setting precedence and which settings may supercede or conflict with others? For instance, if you want a share to be writable, but only by certain users, you might set up writable=yes with write list = user list, when maybe what you really should be doing is readonly=yes with write list=users. The first may make the share writable by everyone who successfully authenticates, the second may actually give the desired behavior. A list of parameter precedence might help clarify the interaction between related parameters. Thanks for your help , Karen Wieprecht - Karen Wieprecht Senior Unix Systems Administrator 11100 Johns Hopkins Road Laurel, MD, 20723 443-778-3075 [EMAIL PROTECTED] - -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba