[Samba] documentation for idmap backend = ad ?
I have been searching all day for documentation on the new idmap backend = ad feature. Where is it documented?

I want shell and home dir templates from SFU as well as uid/gid. I have seen some examples in mailing lists for shell and home dir templates, but none seem to have acceptable syntax. Has this been implemented, and if so... what is the correct syntax to get it?

I have installed samba from the fedora core 4 develop repository, but it doesn't seem to have the ad module. I guess that means I have to compile it myself.

-- birger

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] configure dual samba 3.0.8 instances-one fedora box
I did this yesterday, and don't have time for testing it yet, so I'll let you do the testing :-)

This is for Fedora Core 3, running samba 3.0.9-2 from the yum develop repository. Other builds may have stuff in other places.

First of all you will need a new IP address. This can be done on the existing network interface. On redhat/fedora you can use redhat-config-network or system-config-network as a gui for this. If you currently use eth0, set up a new address on eth0:1.

Then we have to make sure your existing domain leaves this IP address alone. And you have to decide which samba instance gets to own the loopback interface. I think I saw a note somewhere that swat cannot be used unless you bind to loopback, so only one domain may be able to use swat.

In /etc/samba/smb.conf (your existing instance), add

    interfaces = lo /24
    bind interfaces only = yes

Remove lo if this instance is not the one that should own loopback.

I guess you should restart this samba instance here and see that it only responds to the expected IP address(es) afterwards.

Then we start with the next instance. Let's start in /etc/init.d

copy smb to smb-dom2

In smb-dom2:

- change all references to /var/run/samba, /etc/samba, /etc/sysconfig/samba (change samba to samba-dom2)
- change all references to /var/lock/subsys/smb (change smb to smb-dom2)
- add argument to all 'daemon' lines so they look like this:

      daemon --check=samba-dom2/smbd smbd $SMBDOPTIONS
      daemon --check=samba-dom2/nmbd nmbd $NMBDOPTIONS

- change all killproc lines by prepending samba-dom2/ to the first argument, e.g.

      killproc samba-dom2/smbd

- similarly change all status lines

If you need winbind on the domain, do something similar to the winbind startup file.

Now, copy /etc/sysconfig/samba to /etc/sysconfig/samba-dom2

Edit the file and add

    -s /etc/samba-dom2/smb.conf -l /var/log/samba-dom2

to all 3 variables.

You may want to create the various directories at this point: /var/run/samba-dom2, /var/cache/samba-dom2 and /var/log/samba-dom2.

Now, set up /etc/samba-dom2/smb.conf

Change or add the following settings:

    log file = /var/log/samba-dom2/%m.log
    include = /etc/samba-dom2/smb.conf.%m
    interfaces = /24
    bind interfaces only = yes
    pid directory = /var/run/samba-dom2
    private dir = /etc/samba-dom2
    lock directory = /var/cache/samba-dom2

Any other references to files or directories must also be reviewed. E.g. if you use a username map, change it to

    username map = /etc/samba-dom2/smbusers

You should then be able to use chkconfig and service commands to turn on and off the smb and smb-dom2 services. Check thoroughly that they stop and start the correct instances!

In my setup, only the first smb service has a winbind running, so I have not looked into setting up winbind for additional instances. There could be pitfalls!

Any feedback is appreciated. I really want to know how this works for you.

-- birger
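Added example, not part of the original post: a small check for the dual-instance setup described above, reporting any per-instance path, interface or bind setting that the two smb.conf files still share. The sample configs and the 192.0.2.x addresses are constructed (the post's own addresses are elided), and the function names are hypothetical.

```python
# Added example (not from the post): compare the [global] sections of two
# smb.conf files and report settings that would make the instances collide.
import re

# Settings the post changes for the second instance; each must differ.
PER_INSTANCE = ("pid directory", "private dir", "lock directory", "log file")
TRUE_VALUES = {"yes", "true", "1"}

def parse_global(text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def find_conflicts(conf_a, conf_b):
    """List the settings that let the two instances step on each other."""
    a, b = parse_global(conf_a), parse_global(conf_b)
    problems = []
    for key in PER_INSTANCE:
        # An unset parameter means the compiled-in default for both instances.
        if a.get(key, "<default>") == b.get(key, "<default>"):
            problems.append(f"shared {key}: {a.get(key, '<default>')}")
    for name, conf in (("A", a), ("B", b)):
        if conf.get("bind interfaces only", "no").lower() not in TRUE_VALUES:
            problems.append(f"instance {name}: bind interfaces only is not yes")
    shared = set(a.get("interfaces", "").split()) & set(b.get("interfaces", "").split())
    if shared:
        problems.append("shared interfaces: " + " ".join(sorted(shared)))
    return problems

# Constructed sample configs; 192.0.2.x are documentation addresses.
FIRST = "[global]\ninterfaces = lo 192.0.2.10/24\nbind interfaces only = yes\n"
SECOND_BROKEN = ("[global]\ninterfaces = lo 192.0.2.11/24\n"
                 "pid directory = /var/run/samba-dom2\n")
SECOND_FIXED = ("[global]\ninterfaces = 192.0.2.11/24\nbind interfaces only = yes\n"
                "pid directory = /var/run/samba-dom2\nprivate dir = /etc/samba-dom2\n"
                "lock directory = /var/cache/samba-dom2\n"
                "log file = /var/log/samba-dom2/%m.log\n")
for second in (SECOND_BROKEN, SECOND_FIXED):
    print(find_conflicts(FIRST, second))
```

The check reads only the text it is given; files pulled in through include lines and the -s/-l options in /etc/sysconfig/samba-dom2 still have to be reviewed by hand.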
[Samba] Mapping home directory share names to AD user names?
Resending this as I sent it using wrong sender and it never appeared on the list...

I finally have a samba server running with security=ads and user name mapping using smbusers file. Now, to make this perfect I would like to have home directory shares show up using the users' AD names instead of the unix names. Is this possible?

-- birger
Re: [Samba] net ads join fails - "Preauthentication failed"
Resending, as I used wrong sender and it doesn't seem to have appeared on the list.

The problem is sort of solved...

First, I tried stopping smb and winbind and cleaning out all cache files (/var/cache/samba). Then joining worked fine for a while. Then it didn't. Whenever it didn't I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO again.

Now the problem with the double realm name seems to be fixed. I still get the same errors joining (just with the correct realm name). Seen from the AD side the join succeeds, and I can authenticate against AD as expected. I'm not sure what this is, but I'll get someone on the AD side to help me clean out the credentials for IFTSMB100 completely.

Does anyone here know what it takes to get completely rid of all traces of a host in the kerberos part of AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in krb5.conf so my domain maps to a realm name (map ift.uib.no to KLIENT.UIB.NO) and match the default realm in krb5.conf to the realm in smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this setup. Users live in other domains.

My new config files are at http://www.ift.uib.no/~birger/krb5.conf and http://www.ift.uib.no/~birger/smb.conf

I also upgraded kerberos and samba to the versions in the yum develop repo for fc3: samba*-3.0.9-2 and krb5*-1.3.5-2

Now, even with the preauthentication failures when joining I have a working server that authenticates as expected. :-)

-- birger
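Added example, not part of the original post: a check that krb5.conf and smb.conf agree on the realm and that the host's name resolves to that realm through [domain_realm], which is the fix the message above describes. The config snippets are constructed (the linked files are not reproduced here), the FQDN iftsmb100.ift.uib.no is assumed from the host and domain names in the post, and the lookup is a simplified model: exact host entry, then dotted parent domains, then the upper-cased domain part when no rule applies.

```python
# Added example (not from the post): compare the realm in smb.conf with
# krb5.conf's default_realm and with the [domain_realm] mapping for a host.
import re

def domain_realm_rules(krb5_text):
    """Return the [domain_realm] entries of krb5.conf as {name: REALM}."""
    m = re.search(r"^\[domain_realm\]\s*\n(.*?)(?=^\[|\Z)", krb5_text, re.S | re.M)
    if not m:
        return {}
    pairs = re.findall(r"^\s*([^\s=#]+)\s*=\s*(\S+)", m.group(1), re.M)
    return {name.lower(): realm for name, realm in pairs}

def realm_for_host(host, rules):
    """Simplified lookup: exact host, then .parent domains, then fallback."""
    host = host.lower().rstrip(".")
    if host in rules:
        return rules[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])  # .ift.uib.no, .uib.no, .no
        if suffix in rules:
            return rules[suffix]
    # Assumption: with no rule (and no KDC referral) the domain part is used.
    return ".".join(labels[1:]).upper()

def check_realms(krb5_text, smb_text, host):
    """Return a list of mismatches between the two files for this host."""
    d = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    s = re.search(r"^\s*realm\s*=\s*(\S+)", smb_text, re.M | re.I)
    default, smb = (d.group(1) if d else None), (s.group(1) if s else None)
    mapped = realm_for_host(host, domain_realm_rules(krb5_text))
    issues = []
    if default != smb:
        issues.append(f"default_realm {default} != smb.conf realm {smb}")
    if mapped != smb:
        issues.append(f"{host} maps to {mapped}, smb.conf realm is {smb}")
    return issues

# Constructed samples: a krb5.conf without the mapping, and one with it.
KRB5_BEFORE = "[libdefaults]\n default_realm = UIB.NO\n"
KRB5_AFTER = ("[libdefaults]\n default_realm = KLIENT.UIB.NO\n"
              "[domain_realm]\n .ift.uib.no = KLIENT.UIB.NO\n"
              " ift.uib.no = KLIENT.UIB.NO\n")
SMB = "[global]\n security = ads\n realm = KLIENT.UIB.NO\n"
HOST = "iftsmb100.ift.uib.no"  # assumed FQDN

for krb5 in (KRB5_BEFORE, KRB5_AFTER):
    print(check_realms(krb5, SMB, HOST))
```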
Re: [Samba] net ads join fails - "Preauthentication failed"
Sort of solved...

First, I tried stopping smb and winbind and cleaning out all cache files (/var/cache/samba). Then joining worked fine for a while. Then it didn't. Whenever it didn't I got those weird messages with [EMAIL PROTECTED]@KLIENT.UIB.NO again.

Now that problem seems to be fixed, but I still get errors joining. Seen from the AD side the join succeeds, and I can authenticate against AD as expected. I'm not sure what this is, but I'll get someone on the AD side to help me clean out the credentials for IFTSMB100 completely.

Does anyone here know what it takes to get completely rid of all traces of a host in AD so I can really retry from scratch?

To get to a working setup I had to add a domain-to-realm mapping in krb5.conf and match the default realm in krb5.conf to the realm in smb.conf (KLIENT.UIB.NO). This is the realm where computers live in this setup. Users live in other domains.

My new config files are at http://www.ift.uib.no/~birger/krb5.conf and http://www.ift.uib.no/~birger/smb.conf

-- birger

birger wrote:
> After a lot of different problems and variations of krb5.conf and samba.conf files I am currently stuck with the following error trying to join a domain
>
> net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
> [EMAIL PROTECTED]'s password:
> [2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
>   ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
> Using short domain name -- KLIENT
> [2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
>   get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
> *** glibc detected *** free(): invalid pointer: 0x00632800 ***
>
> Fedora Core 3, Samba 3.0.9 as installed by yum.
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
>         renew until 12/03/04 14:45:02
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> I have tried removing the definition in the AD server and recreating. Samba manages to create the account, but still fails like above. Note the double @KLIENT.UIB.NO.
>
> I think I'll go home now and take a break while my head clears after fighting with security = ads for 2 days...
>
> In this AD environment hosts are defined in KLIENT.UIB.NO, while users belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with trust relationships).
>
> I have had it working as far as wbinfo listing users from both worlds, but I still couldn't access shares. Then something broke, and now I can't join the domain again.
>
> What have I done wrong here?
>
> My config files are at http://www.ift.uib.no/~birger/krb5.conf and http://www.ift.uib.no/~birger/smb.conf
Re: [Samba] net ads join fails - "Preauthentication failed"
birger wrote:
> net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
> [EMAIL PROTECTED]'s password:
> [2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
>   ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
> Using short domain name -- KLIENT
> [2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
>   get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
> *** glibc detected *** free(): invalid pointer: 0x00632800 ***

I seem to have solved this part of the problem. Stop everything, move aside /var/cache/samba, create a new empty directory and retry. Worked as it should.

Now I'm back to my old problems. :-/

-- birger
[Samba] net ads join fails - "Preauthentication failed"
After a lot of different problems and variations of krb5.conf and samba.conf files I am currently stuck with the following error trying to join a domain

net ads join -U [EMAIL PROTECTED] 'Klienter\IT\MatNat\IFT\Samba Servers\IT-gruppen'
[EMAIL PROTECTED]'s password:
[2004/12/02 15:34:36, 0] libads/ldap.c:ads_add_machine_acct(1367)
  ads_add_machine_acct: Host account for iftsmb100 already exists - modifying old account
Using short domain name -- KLIENT
[2004/12/02 15:34:39, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@KLIENT.UIB.NO failed: Preauthentication failed
*** glibc detected *** free(): invalid pointer: 0x00632800 ***

Fedora Core 3, Samba 3.0.9 as installed by yum.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
12/02/04 14:45:02  12/03/04 00:45:04  krbtgt/[EMAIL PROTECTED]
        renew until 12/03/04 14:45:02

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I have tried removing the definition in the AD server and recreating. Samba manages to create the account, but still fails like above. Note the double @KLIENT.UIB.NO.

I think I'll go home now and take a break while my head clears after fighting with security = ads for 2 days...

In this AD environment hosts are defined in KLIENT.UIB.NO, while users belong to either UIB.NO or STUDENT.UIB.NO (a separate forest with trust relationships).

I have had it working as far as wbinfo listing users from both worlds, but I still couldn't access shares. Then something broke, and now I can't join the domain again.

What have I done wrong here?

My config files are at http://www.ift.uib.no/~birger/krb5.conf and http://www.ift.uib.no/~birger/smb.conf

-- birger
[Samba] Installation of Samba 2.2.8a
Gentlemen,

We have just installed Samba on our Unix SVR4 MPRAS server. We have run into the following problems:

- smbclient L ServeurSamba => session request failed
- smbcontrol d4 nmbd debug 2 => fcntl_lock gave errno 13 (Permission denied)

Can you help us?

Thank you,
Mrs. Saholy RANAIVOSON.

Blanche Birger Madagascar
15 bis, rue P. Lumumba - Tsaralalana - B.P: 317
101 - Antananarivo - Madagascar (GMT+3)
Tel.: +261 20 22 228 02
Fax: +261 20 22 279 01
E-mail: <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]