Re: [Samba] Fileserver integrated into windows domain, plus linux clients needed

2007-11-15 Thread herman
Making an AD Domain Member Server is not difficult.  However, what is 
difficult, is getting it to work reliably.  It seems to work OK for a 
week or so at a time, which is not particularly robust...


Cheers,

H.

Ben Ladd wrote:

Update:
 
Each time we set up a new user on the system, passwords need changing on the AD and the samba server. Is there a way to set permissions for the samba from the AD so that we do not need to go through this rigmarole? (most problematic at the start of a new school year).
 
  

I completed this part of my task - 
http://ubuntuforums.org/showthread.php?t=280702. It works perfectly for me. I 
am amazed that I did not find it earlier.

 
My aim is to also have some linux (probably k/ubuntu) boxes that authenticate on the network using standard AD credentials. I have tried in vain to find a way to introduce a single point of authentication, I have looked at kerberos, winbind and LDAP. I consider myself a good network technician, but the introduction of linux into a domain has thrown me. Is there an easy way to integrate a linux fileserver with a windows controlled domain with both linux and windows clients?
 
  

I am probably going to go with a kerberos and winbind mechanism to get this 
working. Hold out guys - Anything is possible!

 
Ben



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Joining a win2k3 ads fails

2007-11-09 Thread herman
Hmm, you have a whole bunch of stuff in smb.conf that I would not put 
there.  Some of them may be obsolete and won't matter, but whether it 
will break things is hard to tell.  I think you should look at the 
Official Howto and pare the settings down to the bare necessities, then 
try again. 


Also have a look at my guide here:
http://www.aeronetworks.ca/LinuxActiveDirectory.html

I have found that KISS is a very important principle with ADS.  Make an 
OU for your Linux users, define your groups and users in that OU, then 
apply security policies to the OU and don't reference anything outside 
the OU.


Also note that it is possible to do things in ADS that you are not 
supposed to do, which can cause Winbind to get its balls in a twist.  In 
general, don't rename records, don't drag records from one OU to another 
OU, don't make a user in one OU a member of a group in another OU.  You 
are not supposed to do those things and it may cause ADS to complain, 
but while WinXP clients will still work, Winbind will blow up.  The only 
way to fix it is to find the offending records and delete them, but how 
to find them?  It is a situation that is best avoided!


Cheers,

Herman


Lex Brugman wrote:

Hello,

I'm trying to join a win2k3 ADS domain using a working config on a 
debian 'Lenny' (arm processor)
from another machine running gentoo (x86 processor) (only changed the 
netbios name).


Samba versions are 3.0.26a on both the machines.
I'm pretty sure this is not a kerberos or ldap problem, anyone has a 
clue what else it could be?



# net -d 3 ads join -U administrator
[2007/11/07 23:31:00, 3] param/loadparm.c:lp_load(5039)
  lp_load: refreshing parameters
[2007/11/07 23:31:00, 3] param/loadparm.c:init_globals(1438)
  Initialising global parameters
[2007/11/07 23:31:00, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2007/11/07 23:31:00, 3] param/loadparm.c:do_section(3778)
  Processing section [global]
[2007/11/07 23:31:01, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file /etc/samba/dhcp.conf
[2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2007/11/07 23:31:01, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.0.22 bcast=10.0.0.255 nmask=255.255.255.0
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: 10.0.0.2, thuis.local
[2007/11/07 23:31:02, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: 10.0.0.2, thuis.local
[2007/11/07 23:31:02, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: 10.0.0.2, thuis.local
administrator's password:
[2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: 10.0.0.2, thuis.local
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Thu, 08 Nov 2007 09:31:23 CET
[2007/11/07 23:31:05, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: 10.0.0.2, thuis.local
[2007/11/07 23:31:05, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.0.2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/11/07 23:31:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
[2007/11/07 23:31:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] 
expiration Thu, 08

Re: [Samba] Joining a win2k3 ads fails

2007-11-09 Thread herman
Hmm, I hear you, but since MS Windows is involved that doesn't mean 
anything...

;)

H.

Lex Brugman wrote:
Please note that the same configuration works on another box in the 
same network (same win2k3 PDC)




Re: [Samba] Joining a win2k3 ads fails

2007-11-09 Thread herman
I have seen things behave differently between identical boxes and 
eventually the problem was solved on the server side, by rolling ADS 
back to a previous version.  So, you got to make things as simple as 
possible in order to rule out as many weird interactions as possible.  
Bear in mind that Windows is not a finite state machine - actually, I 
think Heisenberg used to work for Microsoft...


Cheers,

H.

Lex Brugman wrote:
The problem described in my post occurs on a debian box running on an 
ARM processor and is using the same configuration as on an Gentoo box 
running on a x86 processor (where it works fine). Both are running the 
same version of samba (3.0.26a).




David kacuba wrote:

no what do you mean

*/Lex Brugman [EMAIL PROTECTED]/* wrote:

Please note that the same configuration works on another box in the
same network (same win2k3 PDC)


Re: [Samba] Re: binary does not run on samba-3.0.26a

2007-11-09 Thread herman

Did you remember to run 'testparm'?

H.

Henrik Carlqvist wrote:

hce [EMAIL PROTECTED] wrote:
  

I built the samba from source samba-3.0.26a on FC6. But when I run
nmbd -F --debuglevel=5 --configfile=/home/test/smb.conf
--log-basename=/home/test/log.txt, nothing happens. The process is
not there, the log file is not created. What could I be missing here?



Not really samba-specific, but whenever I need to track down errors like
this on any program I usually try strace to see what is missing. Something
like:

strace nmbd -F --debuglevel=5 --configfile=/home/test/smb.conf
--log-basename=/home/test/log.txt

The above will show you any files it is trying to open and might give a
clue why it doesn't work. If strace is not enough you might also try
strace -f to follow forked processes.

regards Henrik
  




Re: [Samba] Disable USB storage

2007-11-04 Thread herman

alejandro luna wrote:

Hello Everyone!

i need to know if there is a way to send to windows XP a key reg to disable the 
usb storage, my samba is a PDC.
the key in the window's registry is 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
   

Yes, there are two methods, as far as I know:
http://support.microsoft.com/kb/823732
http://www.windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html

Cheers,

Herman


Re: [Samba] BUILTIN groups mapping via winbind!!

2007-11-01 Thread herman

Kaustubh Chaudhari wrote:

Hi Herman.

This is really a helpful information, but I am not able to understand 
why in built group we can't see a mapping for a normal user, as if we 
look Builtin is also a OU and we have some Builtin users and groups in 
it.


If I create a OU and groups or users in it then I can see all those 
but just not with Builtin.


Feel free to correct me, if you find I am wrong.

Thanks for your interest in this.
Regards,
Kaustubh.

Well, I have found that Winbind can get confused when you do things in 
ADS that you should not do - for example cross linked users and groups 
after you dragged records around.  WinXP clients may still work, but the 
only way to fix Winbind is to delete the offending records in ADS.  The 
problem is that how you are supposed to find the offending records is 
impossible to say.  Sometimes you can fix it by trying to remember when 
it last worked and deleting everything that was changed since.  
Sometimes, the only way to fix things is to give up and re-install ADS.


Sooo, try to roll back till you get to a working situation, then make 
your changes very carefully and with frequent backups.  I run ADS on 
VMware and take a snapshot before every change I make to it, so I can 
roll back without too much hassle as soon as things stop working.  
Unfortunately, Winbind is still immature and not as robust as one may 
like it to be.


Cheers,

Herman


Re: [Samba] Active Directory member problem

2007-10-31 Thread herman

Frank Van Damme wrote:

Hello

I have added a Linux member server (my laptop) to our production
Windows 2003 ADS domain (with net ads join, not net rpc join). Yet,
when I browse to it from an Xp client (member of the domain) I still
get a username/password dialog.

What works:
- wbinfo -g and wbinfo -u show usernames and passwords (without DOMAIN+ prefix)
- getent passwd works
- smbclient and logging in to the member server with a valid domain
username/pwd works

What does not work:
# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc022)
Could not check secret

I can see the host in AD users and computers but something still seems
to be wrong with the machine account... how do I start to troubleshoot
this?

  
If wbinfo -t fails, then you have not joined the domain.  This is 
usually due to wrong time.


See this: http://www.aeronetworks.ca/LinuxActiveDirectory.html
for troubleshooting tips.

Cheers,

Herman


Re: [Samba] BUILTIN groups mapping via winbind!!

2007-10-31 Thread herman

Kaustubh Chaudhari wrote:

 Hi all,

   When I create a group in AD and adds users in the same then with
   #getent group I can see the group and its members properly.

   But if I add a user to BUILTIN say BUILTIN Guests group then I don't see
   its members.
   ==
kktest:x:10026:kk,Administrator
BUILTIN+Guests:x:10019:
   ==

   Here I have added kk user to both kktest and BUILTIN+Guests group. But I
   can't see kk associated with BUILTIN Guests.

   I know that BUILTIN groups have pre defined sid by microsoft, and its
   mapping is done separately.(I found this in idmap.c)

   Is this a normal behavior?

   Would appreciate if someone can explain the reasons for this.

   Regards,
   Kaustubh.

In general you need to define an Organizational Unit (OU), then define 
your groups and users inside that OU.  It should then show up with Samba 
winbind.


Some don'ts:
Don't rename anything.
Don't drag and drop anything from one OU to another OU.
Don't make a user in one OU a member of a group in another OU.
It is even not a good idea to delete anything.
If you need to fix a typing mistake, define a new record - don't try to 
edit the mistake.

Make frequent backups of ADS.

Some dos:
Apply security policies to OUs, not to users.
Run ADS on VMware, so that you can take snapshots as backups.

The reason for the above cautions is that ADS (mostly) works using the 
GUIDs, while Samba uses the text strings. So you don't want to get in a 
situation where ADS re-uses an old GUID and changes to text strings are 
applied inconsistently, which confuses winbind, so changing any text 
string after it has been defined can also screw things up.


'Hope that helps!

Herman


Re: [Samba] can't remove groups in AD

2007-10-30 Thread herman

Martin Hauptmann wrote:

Hi,

I set up a samba 3.0.26a as an ads-member of a windows 2003 Small
Business Server.
Every windows user in the domain can read and write their files,
everyone's happy.
My Problem is, that I cannot set up security groups in the AD. When I
try, I do not get an error message, but my changes are being silently
ignored.
I cannot set rights exceeding read,write, execute and owner.
E.g. I cannot remove the group 'everyone' from the file access list.
When I do and confirm I do not get an error message, but when I review
the settings, nothing has changed, 'everyone' is still in the list.
It is the same when I try to set or unset full access to files - no
error message, but no success.
I tried different settings concerning heritage, but that did not help.

There are some other postings in the mailing list that sound quite
similar, related to versions 3.0.25. Maybe there is a bug in these
versions?

My smb.conf: http://www.pastebin.ca/753491

Regards

Martin
  
Did you perhaps change anything in ADS?  I have found that one should 
NEVER change the spelling of a record, or drag a user or group somewhere 
else.  Doing so totally screws up winbind.


To fix it, I suggest that you create a new OU with groups and users in 
the OU, ensure everything works, then set the security policy of the OU 
and finally delete the old dud users and groups.  Only delete the users 
and groups afterwards, to ensure that the GUIDs won't get re-used for 
the new records. 

I actually never delete records - I have a special OU called 'trash' and 
I drag and drop trashed users and groups there - to prevent GUID re-use 
and consequent side effects.  I don't know whether that is strictly 
necessary, but I was losing a lot of hair at one point so I became 
paranoid about never changing *anything* in ADS once created, and it 
really seems to work better this way.


Cheers,

Herman


Re: [Samba] Compile samba to ARM cross compiler

2007-10-30 Thread herman

hce wrote:

Hi,

Can the samba be compiled by ARM cross compiler (arm/3.4.1/arm-linux)?
I have currently downloaded samba-3.0.26a tar ball. I guess I have
following two choices, please advise which one make sense.

1. Run configurate under a linux pc distribution such as FC6, then
modify Makefile to the cross compiler path and lib.

2. Modify configurate to directly run under ARM cross compiler.

Thank you.

Jim
  
1 and 2 amount to the same thing.  I have compiled Samba for the Arm 
about 5 years ago, so it can probably still be done.  Please don't ask 
me anything about it though...

:)


Re: [Samba] Samba hijack the connection?

2007-10-21 Thread herman

Fajar Priyanto wrote:

On Monday 22 October 2007 08:31:46 Fajar Priyanto wrote:
  

Dear all,
I have 2 domains: JUPITER.COM (Samba 3.0.23c - Centos5) and WIN.COM
(Windows 2000 Adv Srv). I join a windows XP SP1 (MOON), first to Windows
domain and then to Samba's.

The problem is when I join the XP to Samba's and then try to logon to
WIN.COM, the XP is instead logon to Samba, thus the username is not found.
The DNS is not a problem, I set the DNS of the XP to Windows' DNS.



  

Why does Samba still handle the logon request?
One more info, if I then join the XP back to Windows' and then try to logon
both to Samba and Windows, the logon process is OK.

Any insight and comments are very welcome.



From google I found this:
http://www.5starsupport.com/xp-faq/1-102.htm

Problem:

In Windows XP Pro, is it possible to have multiple domains to login to? 
Currently, I only have a single domain option. I would like be able to choose 
from a list of domains when I login.


Answer:

In one word, no. A computer can only be part of a single domain. However, 
multiple users from other trusted domains may have permissions to access 
certain domains while still being logged in to their own domain. This is all 
part of an Active Directory process.


Is that true?

  
In Win XP, you can log into any one of a list of domains.  However, you 
cannot be logged into more than one at a time.


Cheers,

H.


Re: [Samba] Samba hijack the connection?

2007-10-21 Thread herman

Fajar Priyanto wrote:

On Monday 22 October 2007 11:24:47 herman wrote:
  

In Win XP, you can log into any one of a list of domains.  However, you
cannot be logged into more than one at a time.



Hello Herman,
Thanks for the reply. No, I don't want to logon to more than one domain at a 
time. 

The reason why we need this is because we're in the migration process. There 
is already a w2k domain (WIN) and then we setup a samba domain (Jupiter.com). 
We migrate the users little by little by joining them to Jupiter.com. 
However, there is a requirement when the management want they would still 
able to logon back to WIN. This is when the error occurs.


Here's the screenshot.

  
You can force WinXP to leave the Samba domain and join another using the 
'netdom' command.


The syntax of this command is:

NETDOM JOIN machine /Domain:domain [/OU:ou path][/UserD:user]
   [/PasswordD:[password | *]]
   [UserO:user] [/PasswordO:[password | *]]
   [/REBoot[:Time in seconds]]

NETDOM JOIN Joins a workstation or member server to the domain.

machine is the name of the workstation or member server to be joined

/Domain  Specifies the domain which the machine should join. You
   can specify a particular domain controller by entering
   /Domain:domain\dc. If you specify a domain controller, you
   must also include the user's domain. For
   example: /UserD:domain\user

/UserD  User account used to make the connection with the domain
   specified by the /Domain argument

/PasswordD  Password of the user account specified by /UserD.  A * means
   to prompt for the password

/UserO  User account used to make the connection with the machine to
   be joined

/PasswordO  Password of the user account specified by /UserO.  A * means
   to prompt for the password

/OU  Organizational unit under which to create the machine account.
   This must be a fully qualified RFC 1779 DN for the OU.
   If not specified, the account will be created under the default
   organization unit for machine objects for that domain.

/REBoot  Specifies that the machine should be shutdown and automatically
   rebooted after the Join has completed.  The number of seconds
   before automatic shutdown can also be provided.  Default is
   30 seconds

Windows Professional machines with the ForceGuest setting enabled (which is the
default for machines not joined to a domain during setup) cannot be remotely
administered. Thus the join operation must be run directly on the machine
when the ForceGuest setting is enabled.

When joining a machine running Windows NT version 4 or before to the domain
the operation is not transacted.  Thus, a failure during the operation could
leave the machine in an undetermined state with respect to the domain it is
joined to.

The act of joining a machine to the domain will create an account for the
machine on the domain if it does not already exist.

NETDOM HELP command | MORE displays Help one screen at a time.
The command completed successfully.



Re: [Samba] Problem with Net join

2007-10-18 Thread herman

bind failed on port 445 socket_addr = 0.0.0.0.

Error = Address already in use

I think that you are trying to run smb multiple times.




Re: ham, [Samba] getent passwd not listing domain users, nsswitch.conf is configured

2007-10-17 Thread herman

Peter Baumgartner wrote:

 Peter,

 Comment the idmap backend and winbind nss info parameters to let
samba/winbind use the defaults.  If it now works, this means that samba was
not retrieving the info from the AD server.
 I ran into this problem, gave up, and used the defaults.  You may be more
persistent than me and prefer to dig deeper.
 Also, you will need to set values for idmap uid and idmap gid.  Try
using the values that you currently have commented out.




Still no luck. Any other thoughts? I've tried running winbind in
interactive mode and didn't get any response from the getent command.
Where can I find log info?

  
Try changing the Administrator password on the Windows AD Server.  This 
will cause Kerberos to fix some things - see the Official Howto for 
details on this trick.


Cheers,

H.


Re: [Samba] username with @ (at character) - problems with authentication (CUPS)

2007-10-16 Thread herman

Piotr Kierklo wrote:

Hi all


I tried to set up a printer, which I need to access using my username.
Unfortunately, username contains @ (at) inside. I tried different 
form of escaping (using backslash, unicode value, quotes etc).

Nothing works.

Yup, Samba doesn't like funny characters.  In general, if you stick to 
the POSIX portable character set then you'll be OK.  For anything 
outside of that, you are on your own.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] FIXED AGAIN: Win2003 ADS, wbinfo -u and -g bug

2007-10-12 Thread herman

System: Win2003 ADS, Samba 3.0.26a on RHEL5.


I thought I had this fixed but sadly no - it came back.  The situation 
changes when I reboot the PC, or cycle power on the PC.  This 
indicates to me that there is a structure in winbind that is not 
initialized properly.


wbinfo -t: OK, shows domain joined fine.
wbinfo -g: Shows all groups, or only the first two BUILTIN groups, or 
nothing at all.

wbinfo -u: Shows all users, or no users.

Login works if wbinfo -g shows all groups, fails otherwise.

kinit  [EMAIL PROTECTED]: works
wbinit -a user%domain: works

---
This weird Winbind/Kerberos problem has been fixed again - hopefully for 
good.


I started to read the source code, followed the log messages at debug 
level 10 and sniffed the network with tcpdump.  Eventually, I figured 
out that Kerberos is generating an inordinate amount of traffic, with 
the result that the Windows server doesn't always get around to 
answering the LDAP request and the user/group query then times out.


The solution is to reset the Windows Administrator password.

I remembered reading in the Samba howto guide that the Administrator 
password reset also does something to Kerberos, so I tried it and it 
worked.  I haven't been able to break it again for the rest of the day.


Cheers,

Herman
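
The winbindd log excerpts quoted in these posts use Samba's debug format: a bracketed header with timestamp, level and source location, then the message, sometimes behind a syslog prefix. As an added example (not part of the original posts or of Samba), this Python sketch groups such entries, tolerating headers split by mail wrapping, and tallies NT_STATUS codes and SMB signing failures per reporting function; the sample lines are constructed from the excerpts in this thread.

```python
import re
from collections import Counter

# Header of a Samba 3.x debug entry:
#   [YYYY/MM/DD HH:MM:SS, level] path/file.c:function(line)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+?\.c):(?P<func>\w+)\((?P<line>\d+)\)"
)
# A header whose source location was pushed to the next line by mail wrapping.
BARE_HEADER = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\s*\d+\]$")
# Optional syslog prefix such as "Oct 3 15:29:51 host winbindd[3288]: ".
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+[\w.-]+\[\d+\]:\s*")
NT_STATUS = re.compile(r"NT_STATUS_[A-Z0-9_]+")

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = """\
[2007/10/03 15:30:11, 3]
nsswitch/winbindd_group.c:get_sam_group_entries(828)
get_sam_group_entries: could not enumerate domain groups! Error:
NT_STATUS_UNSUCCESSFUL
[2007/10/03 15:30:25, 3] nsswitch/winbindd_user.c:winbindd_list_users(754)
  [10389]: list users
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: [2007/10/03 15:29:51, 0]
libsmb/smb_signing.c:signing_good(253)

Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: signing_good: BAD SIG: seq 1
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: [2007/10/03 15:29:51, 0] libsmb/cliconnect.c:cli_session_setup_blob(586)
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_TYPE_NOT_GRANTED)
"""


def parse_entries(text):
    """Group raw log lines into entries of header fields plus joined message."""
    entries, current, pending = [], None, ""
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).strip()
        if not line:
            continue
        if BARE_HEADER.match(line):
            pending = line          # wait for the wrapped source location
            continue
        if pending:
            line, pending = pending + " " + line, ""
        m = HEADER.match(line)
        if m:
            current = {
                "ts": m["ts"],
                "level": int(m["level"]),
                "src": m["src"],
                "func": m["func"],
                "msg": "",
            }
            entries.append(current)
        elif current is not None:
            # Continuation of the current entry's message text.
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries


def triage(entries):
    """Tally NT_STATUS codes per reporting function; collect signing failures."""
    statuses = Counter()
    signing_failures = []
    for e in entries:
        for code in NT_STATUS.findall(e["msg"]):
            statuses[(e["func"], code)] += 1
        if "BAD SIG" in e["msg"]:
            signing_failures.append(e)
    return statuses, signing_failures


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    codes, bad_sigs = triage(parsed)
    for (func, code), n in sorted(codes.items()):
        print(f"{n:3d}  {code:40s} reported by {func}")
    for e in bad_sigs:
        print(f"signing failure at {e['ts']} in {e['src']}: {e['msg']}")
```
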


[Samba] NOT FIXED: Win2003 ADS, wbinfo -u and -g bug

2007-10-11 Thread herman

System: Win2003 ADS, Samba 3.0.26a on RHEL5.

I thought I had this fixed but sadly no - it came back.  The situation 
changes when I reboot the PC, or cycle power on the PC.  This indicates 
to me that there is a structure in winbind that is not initialized properly.


wbinfo -t: OK, shows domain joined fine.
wbinfo -g: Shows all groups, or only the first two BUILTIN groups, or 
nothing at all.

wbinfo -u: Shows all users, or no users.

Login works if wbinfo -g shows all groups, fails otherwise.

kinit  [EMAIL PROTECTED]: works
wbinit -a user%domain: works

[EMAIL PROTECTED] ~]# wbinfo -t
checking the trust secret via RPC calls succeeded

[EMAIL PROTECTED] ~]# wbinfo -g
BUILTIN+administrators
BUILTIN+users

[EMAIL PROTECTED] ~]# wbinfo -u
Error looking up domain users

[EMAIL PROTECTED] pam.d]# tail -f /var/log/messages
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: [2007/10/03 15:29:51, 0] libsmb/smb_signing.c:signing_good(253)
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: signing_good: BAD SIG: seq 1
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: [2007/10/03 15:29:51, 0] libsmb/cliconnect.c:cli_session_setup_blob(586)
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_TYPE_NOT_GRANTED)


Does anyone have any better ideas, or should I get the source code and 
debug it myself?


Cheers,

Herman


Re: [Samba] Winbind problem

2007-10-05 Thread herman
I'm looking into the same kind of problem. I have found that it is
related to something on the AD Server itself. By rolling the Windows
server back a few days, things work again, without making any changes in
Linux. It seems to have something to do with the definition of Security
groups or policies in Windows, causing Winbind on Linux to blow up.


[Samba] FIXED: Win2003 ADS, wbinfo -u and -g almost works

2007-10-05 Thread herman


Unless I'm overlooking it in your smb.conf, I don't see

   winbind enum users = Yes
   winbind enum groups = Yes

These should allow you to view the domain users and groups.
Keep in mind that if you have a large number of users, this will be slow.

---
FIXES:
Firstly, I forgot the parameters above.
Secondly, an upgrade to Samba 3.0.26a is also required.

RedHat EL5 ships with Samba 3.0.23c and this version is simply bad news 
when used with an Active Directory server.


The Fedora 7 RPM on the Samba FTP server does not work with RedHat 5, 
but the source RPM will recompile without any modifications and then it 
works.


Thanks guys!

H.


Re: [Samba] Win2003 ADS, wbinfo -u and -g almost works

2007-10-03 Thread herman
 Do authentication etc work? My 'wbinfo -u' only return Error looking 
up domain users and always had.


Nope, I get the same error and authentication also doesn't work, so I 
have to fix this.  It is a bit hard to get the data from the lab to here 
- I'll copy things to a memory stick or something and post another 
message tonight.


Cheers,

H.


Re: [Samba] Win2003 ADS, wbinfo -u and -g almost works

2007-10-03 Thread herman

Hi guys,

So far, I have figured out that it has something to do with the 
definition of security groups in ADS.  WinXP clients work perfectly so 
the setup is valid, but Winbind blows up, as shown below.  I have ADS 
running on VMware, so I can switch between working and non-working 
versions and I'll try to figure out exactly what causes the problem.


What happens is that 'wbinfo -g' only shows 2 groups then raises an 
error, while 'wbinfo -u' shows nothing at all.


Here is my setup:

Windows Server 2003 R2 Standard Edition
[EMAIL PROTECTED] ~]# smbd -V
Version 3.0.26a
[EMAIL PROTECTED] ~]# winbindd -V
Version 3.0.26a

[EMAIL PROTECTED] ~]# uname -a
Linux ggg-mmm-w48.mmm.ddd..ca 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux

[EMAIL PROTECTED] ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [printers]
Processing section [export]
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = MMM
realm = MMM.DDD.CCC.CA
server string =  System Samba Server
security = ADS
password server = 192.168.1.100
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
preferred master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template homedir = /home/ads/%D/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
winbind offline logon = Yes
hosts allow = 192.168., 127.
printing = cups
cups options = raw
print command =
lpq command = %p
lprm command =
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[export]
path = /export
force user = GGG-user
force group = GGG-group
read only = No
force create mode = 0775
force directory mode = 01775
printable = Yes
[EMAIL PROTECTED] ~]#

[EMAIL PROTECTED] ~]# wbinfo -t
checking the trust secret via RPC calls succeeded

[EMAIL PROTECTED] ~]# wbinfo -g
BUILTIN+administrators
BUILTIN+users

[EMAIL PROTECTED] ~]# wbinfo -u
Error looking up domain users

[EMAIL PROTECTED] ~]# tail -f /var/log/samba/winbindd
[2007/10/03 15:30:11, 3] nsswitch/winbindd_group.c:get_sam_group_entries(859)
get_sam_group_entries: Failed to enumerate domain local groups!
[2007/10/03 15:30:11, 3] nsswitch/winbindd_group.c:get_sam_group_entries(828)
get_sam_group_entries: could not enumerate domain groups! Error: NT_STATUS_UNSUCCESSFUL
[2007/10/03 15:30:25, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
[10389]: request interface version
[2007/10/03 15:30:25, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
[10389]: request location of privileged pipe
[2007/10/03 15:30:25, 3] nsswitch/winbindd_user.c:winbindd_list_users(754)
[10389]: list users

[EMAIL PROTECTED] ~]# smbclient -k ggg-mmm-w48\\export -U johndoe%Sup3rs3cr1t
cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_FAILURE)
session setup failed: NT_STATUS_LOGON_FAILURE

[EMAIL PROTECTED] pam.d]# tail -f /var/log/messages
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: [2007/10/03 15:29:51, 0] libsmb/smb_signing.c:signing_good(253)
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: signing_good: BAD SIG: seq 1
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: [2007/10/03 15:29:51, 0] libsmb/cliconnect.c:cli_session_setup_blob(586)
Oct 3 15:29:51 ggg-mmm-w48 winbindd[3288]: cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_TYPE_NOT_GRANTED)


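A triage helper for the kind of winbindd and syslog output posted above, added here as an example and not part of the original post or of Samba: it groups log lines into records and counts NT_STATUS and signing failures per source function. The sample log is constructed from the excerpts in the post, with the hostname replaced by "host"; the function names parse and failures are made up for this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the winbindd and syslog excerpts in the post.
SAMPLE = """\
[2007/10/03 15:30:11, 3] nsswitch/winbindd_group.c:get_sam_group_entries(828)
  get_sam_group_entries: could not enumerate domain groups! Error: NT_STATUS_UNSUCCESSFUL
[2007/10/03 15:30:25, 3] nsswitch/winbindd_user.c:winbindd_list_users(754)
  [10389]: list users
Oct 3 15:29:51 host winbindd[3288]: [2007/10/03 15:29:51, 0] libsmb/smb_signing.c:signing_good(253)
Oct 3 15:29:51 host winbindd[3288]:   signing_good: BAD SIG: seq 1
Oct 3 15:29:51 host winbindd[3288]: [2007/10/03 15:29:51, 0] libsmb/cliconnect.c:cli_session_setup_blob(586)
Oct 3 15:29:51 host winbindd[3288]:   cli_session_setup_blob: recieve failed (NT_STATUS_LOGON_TYPE_NOT_GRANTED)
"""

# Optional syslog prefix: "Mon D HH:MM:SS host prog[pid]: "
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \S+\[\d+\]: ")
# Samba 3.0 record header: "[date time, level] file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)")
SIGNAL = re.compile(r"NT_STATUS_\w+|BAD SIG")

def parse(text):
    """Group Samba log text into records: header fields plus message body."""
    records = []
    for raw in text.splitlines():
        line = SYSLOG.sub("", raw)  # drop the syslog prefix if present
        m = HEADER.match(line)
        if m:
            ts, lvl, src, func, _ = m.groups()
            records.append({"time": ts, "level": int(lvl), "src": src,
                            "func": func, "msg": ""})
        elif records and line.strip():
            # continuation line: belongs to the most recent header
            records[-1]["msg"] += line.strip() + " "
    return records

def failures(records):
    """Count (signal, function) pairs, ignoring NT_STATUS_OK."""
    hits = Counter()
    for r in records:
        for sig in SIGNAL.findall(r["msg"]):
            if sig != "NT_STATUS_OK":
                hits[(sig, r["func"])] += 1
    return hits

if __name__ == "__main__":
    for (sig, func), n in failures(parse(SAMPLE)).most_common():
        print(f"{n:3d}  {sig:35s} {func}")
```

Level 0 records such as the signing failure are emitted regardless of the configured log level, so they are worth sorting to the top when comparing a working and a non-working setup.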


Re: [Samba] Samba and AD: Still problem with conection

2007-10-02 Thread herman
It looks to me like a winbindd problem in Samba 3.0.23c shipped with 
RedHat EL5.


I'm trying to build an RPM for the 3.0.26a stable version on RHEL5, but 
I'm having trouble since the 3.0.23c SRPM supplied with RHEL5 won't 
build.  It looks like RedHat built it on Fedora and simply chucked the 
package into RHEL5 - the more I use RedHat, the less I like them since 
they are very shoddy with their releases.  I actually managed to compile 
it, but it still won't run - smbd, nmbd and winbindd simply exit 
without any error messages, so it may take a few more days before I'll 
be able to tell whether the newer version of Samba behaves better.  
Another option is to see what version ships with Mandriva 2008 - it is 
bound to be newer than the RedHat version and Mandriva RPMs generally 
work on RedHat.


Cheers,

H.




[Samba] Win2003 ADS, wbinfo -u and -g almost works

2007-10-02 Thread herman
I've been chasing this problem for several days.  I have taken the 
3.0.26a Fedora 7 SRPM from the Samba FTP site and rebuilt it on RedHat 
EL5 and installed it.  It runs, but it has exactly the same problem as 
the original 3.0.23c version.


I can join the domain and 'wbinfo -t' returns OK.

However, 'wbinfo -g' returns only two groups then gives a failure 
message and 'wbinfo -u' doesn't return anything.


So, it almost works.

Can anyone give me a clue on where to look for this problem?

Cheers,

Herman




[Samba] wbinfo -u fails on RHEL5

2007-09-30 Thread herman

Hi guys,

Pulling my hair out...

Version: RHEL5 straight off the CDs, no patches.
Active Directory: Win2003 with SP2

I'm experiencing confusing problems when logging onto an Active 
Directory system.  I have gotten it to work perfectly, but after a few 
days/weeks it screws up for no apparent reason.  Windows XP clients 
still work perfectly.  Linux clients show signature and packet errors, 
'wbinfo -u' is unable to retrieve user information and login fails. 

I have installed everything from scratch on a test machine on Friday and 
it fails right off the bat with the same errors as the systems that 
worked before.  I am now installing the whole kettle of fish on VMware 
so I can experiment better.


Has anyone seen this and know where I should start digging?

Cheers,

Herman


Re: [Samba] wbinfo -u fails on RHEL5

2007-09-30 Thread herman

Matthew Nelson wrote:

make sure that you have ntp setup to sync with your DC and do a 'net time
set'

I'm aware of the Kerberos time requirements and do a 'net time set -S 
w.x.y.z' with the ADS from cron.hourly, so this is not the issue.  I can 
join the domain, which uses Kerberos, so Kerberos is happy.  I can also 
do 'kinit [EMAIL PROTECTED]', but 'smbclient -k ...' fails, 'wbinfo 
-u' returns nothing and login doesn't work since the username isn't found.


I'm beginning to suspect that it is an ADS configuration issue and has 
something to do with how I define security groups, which causes winbindd 
to blow up.  So, I'm going to try the latest version of Samba and see 
how that goes, if I can just figure out how to compile the thing with 
the options that RedHat needs.


Anyhoo, glad to hear that it is stable for you, so it must be something 
I do differently in the configuration.


Cheers,

H.


[Samba] Winbind to more than one Domain

2004-06-04 Thread Herman (ISTD)
Dear all,

I am using Winbind for my squid box authentication. The problem is that
my squid users are distributed in two different Windows Domains (AD). Does
anyone know how to enable Winbind authenticating with two different domains?

Thank you very much.

Regards,

herman


RE: [Samba] Winbind to more than one Domain [HELP]

2004-06-04 Thread Herman (ISTD)
Dear all,

Can anybody help me? I want my samba box to be able to join two
different domains and authenticate to those different domains using
Winbind.

Thanks.

Regards,

herman

 -Original Message-
 From: Herman (ISTD) [mailto:[EMAIL PROTECTED]
 Sent: 04 Juni 2004 16:41
 To: [EMAIL PROTECTED]
 Subject: [Samba] Winbind to more than one Domain
 
 Dear all,
 
 I am using Winbind for my squid box authentication. The problem is that
 my squid users are distributed in two different Windows Domain (AD), do
 anyone know to enable Winbind authenticating with two different domains ?
 
 Thank you very much.
 
 Regards,
 
 herman