[Samba] Samba ads member

2013-04-13 Thread Felipe
Hi,

I have a few problems with Samba 3.6.7.
The first is that if the Windows clients are shut down over night, they can't
authenticate the next day.

[2013/04/13 13:03:10.538406,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jefe] - [jefe] FAILED with 
error NT_STATUS_NO_SUCH_USE

After I restart winbindd it works up to the next morning.

Sometimes we have a few problems with locking. Our users say that every second
day they can open a document only in read-only mode, and from another client it
is the same; they have to save the changes under a new name, delete the old file
and rename the changed file to the old name.

[global]
log level = 2
realm = ed.xxx.de
security = ADS
encrypt passwords = yes
client use spnego = yes
workgroup = ED
netbios name = DATENSERVER
wins support = yes
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

We use folder redirection via GPO on Windows Server 2008 R2 with Windows 7
clients, pointing at \\DATENSERVER\Profiles\username.

[profiles]
path = /var/lib/samba/profiles
browsable = no
read only = no
create mode = 0600
directory mode = 0700
force group = domänen-benutzer
veto files = /$RECYCLE.BIN/desktop.ini/

Our shares look like this:

[Studio]
path = /var/lib/samba/studio
browsable = yes
read only = no
create mode = 0660
directory mode = 0770
force create mode = 0060
force directory mode = 0070
force group = domänen-benutzer
valid users = administrator @ED+geschaeftsleitung

What possibility do I have to set POSIX ACLs from the Windows clients?

Felipe
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
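The overnight failures above show up in the smbd log as check_ntlm_password lines carrying an NT_STATUS code. The following shell script is an added example, not code from the list post: it summarises such failures per status code and user over a constructed sample log, so that several users failing with NT_STATUS_NO_SUCH_USER at once (a server-side lookup problem, as in this thread) can be told apart from a single user's wrong password. The log lines, user names and times are constructed; the timestamp extraction also accepts the older "[date, level] file:func(line)" header layout that appears later on this page.

```shell
#!/bin/sh
# Added example (not from the list post): summarise smbd authentication
# failures by NT_STATUS code and user. Constructed sample log below.
#
# Header line layouts handled:
#   Samba 3.6:  [2013/04/13 13:03:10.538406,  2] auth/auth.c:319(check_ntlm_password)
#   Samba 3.0:  [2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
# The message text follows on the next line.

# Constructed sample: made-up users on one morning.
SAMPLE_LOG='[2013/04/13 07:01:10.100000,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jefe] - [jefe] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/04/13 07:02:33.200000,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [anna] - [anna] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/04/13 07:05:41.300000,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jefe] - [jefe] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/04/13 08:10:02.400000,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [bob] - [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
[2013/04/13 08:10:05.500000,  3] smbd/process.c:1069(process_smb)
  Transaction 2 of length 272'

# Read a Samba log on stdin; print one line per (status, user):
#   <NT_STATUS code> <user> <count> <time of first failure>
auth_failures() {
    awk '
        /^\[/ {
            # header line: keep the timestamp between "[" and the first ","
            ts = $0; sub(/^\[/, "", ts); sub(/,.*/, "", ts)
        }
        /FAILED with error NT_STATUS_/ {
            # user name is the first bracketed token after "for user"
            u = $0; sub(/.*for user \[/, "", u); sub(/].*/, "", u)
            # status code is the token after "FAILED with error "
            st = $0; sub(/.*FAILED with error /, "", st); sub(/[^A-Z0-9_].*/, "", st)
            k = st " " u
            count[k]++
            if (!(k in first)) first[k] = ts
        }
        END { for (k in count) print k, count[k], first[k] }
    ' | LC_ALL=C sort
}

# Number of distinct users that hit a given status code (log on stdin).
# Several users failing with the same lookup error points at winbindd,
# not at any one user's password.
users_with_status() {
    auth_failures | awk -v want="$1" '$1 == want { print $2 }' \
        | LC_ALL=C sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | auth_failures
n=$(printf '%s\n' "$SAMPLE_LOG" | users_with_status NT_STATUS_NO_SUCH_USER)
if [ "$n" -gt 1 ]; then
    echo "NT_STATUS_NO_SUCH_USER for $n distinct users: check winbindd before the users' passwords"
fi
```

Run it against a real log with `auth_failures < /var/log/samba/log.smbd`; the functions only need the message line to contain "FAILED with error NT_STATUS_", which is what check_ntlm_password writes at log level 2.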


[Samba] samba ADS security mode not accesible by work group computer

2012-05-07 Thread Adnan Jahangir
Dear Concern,
I have a little problem regarding a Samba share; I have tried my best to
search for it on the internet but can't find it. The Samba security mode is
ADS and the domain (Server 2003 SP2) is joined successfully; each domain
member/user can access its shares, but I can't access these shares from a
workgroup (not joined to the domain) computer running Windows XP or Win 7. I
changed the security options on the workgroup computer's console: I enabled
"Send unencrypted password to third-party SMB server" and also changed the
second option, "Network security: LAN Manager authentication level", to
"Send LM & NTLM - use NTLMv2 session security if negotiated".
An important thing to mention here is that I am using Fedora 14, kernel
3.5.5-68.
Before this I was using RHEL 5.1 and it did not create this kind of problem
with this same configuration...
Please help me with this; I am stuck and having a lot of problems.
...
I am waiting for your kind response.
-- 
Regards,

ADNAN JAHANGIR


Re: [Samba] samba ADS security mode not accesible by work group computer

2012-05-07 Thread TAKAHASHI Motonobu
From: Adnan Jahangir writetooad...@googlemail.com
Date: Mon, 7 May 2012 11:17:20 +0500

 Dear Concern,
  I have a little problem regarding a Samba share; I have
 tried my best to search for it on the internet but can't find it. The Samba security
 mode is ADS and the domain (Server 2003 SP2) is joined successfully; each domain
 member/user can access its shares, but I can't access these shares from a
 workgroup (not joined to the domain) computer running Windows XP or Win 7.

How did you input your username when you accessed from the workgroup
computers? I think if you input the DOMAIN\UserName pattern and the correct
password, you would get access without any security changes.

See the map untrusted to domain parameter in smb.conf(5).

---
TAKAHASHI Motonobu mo...@samba.gr.jp


Re: [Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works

2011-02-21 Thread Geoff Winkless
On 18 February 2011 17:35, Geoff Winkless sa...@geoff.dj wrote:
 On 18 February 2011 17:28, Andrew Masterson
 andrew.master...@nuvistaenergy.com wrote:
 Your krb5.conf file looks pretty much the same

 Added those to the libdefaults section and can't see any difference :(

Thanks for your help and your suggestion to compare testparm -a. It
turns out that he'd neglected to mention (grr) that he'd modified
his install since he took the copy of the file he sent me and we were
missing the winbind separator = + line. Once added, all serene.

Cheers

Geoff


[Samba] samba ADS-based authentication fails with NT_STATUS_USER_UNKNOWN but wbinfo works

2011-02-18 Thread Geoff Winkless
Hi

I've found a few list posts with this problem but none of their
solutions helped.

Apologies for the long mail but I've no idea which section of the
various logs will be the important part.

I've set up a RHEL5.3 server (with Samba 3.0.33) to authenticate to an
existing active directory realm on our local network.

The AD server is Windows-based and works fine for a couple of hundred
users on their windows clients (mix of XP, Vista, Win7); it also works
ok with an existing Samba install. I'm trying to set it up to
authenticate those users to access a second server; unfortunately the
authentication fails.

I copied the krb5.conf and smb.conf files from the working server,
then followed the various ADS howtos (to join the machine to the AD
and obtain krb tickets) and have got to the point where klist behaves
as expected, as does wbinfo, which implies that the machine account is
set up correctly, yes?

(I've replaced company name with  in all these logs).

[root@pd-pistachio samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: geoff.winkl...@lan..co.uk
Valid starting     Expires            Service principal
02/18/11 10:48:32  02/18/11 20:48:34  krbtgt/lan..co...@lan..co.uk
        renew until 02/19/11 10:48:32
02/18/11 11:08:48  02/18/11 20:48:34  dc1$@LAN..CO.UK
        renew until 02/19/11 10:48:32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@pd-pistachio samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@pd-pistachio samba]# wbinfo -a geoff.winkless
Enter geoff.winkless's password:
plaintext password authentication succeeded
Enter geoff.winkless's password:
challenge/response password authentication succeeded

If I try to log onto a share on pd-pistachio from my XP machine (named
-001119) I get:

[2011/02/18 13:05:24, 3] smbd/oplock.c:init_oplocks(863)
  init_oplocks: initializing messages.
[2011/02/18 13:05:24, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(234)
  Linux kernel oplocks enabled
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 0 of length 137
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBnegprot (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN1.0]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [Windows for Workgroups 3.1a]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LM1.2X002]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN2.1]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [NT LM 0.12]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_nt1(364)
  using SPNEGO
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(606)
  Selected protocol NT LM 0.12
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 1 of length 240
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2011/02/18 13:05:24, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 40
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088207
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 2 of length 272
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2011/02/18 13:05:24, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] 

Re: [Samba] samba ADS-based authentication fails with NT_STATUS_USER_UNKNOWN but wbinfo works

2011-02-18 Thread Andrew Masterson
First thing I would do is a testparm -v on both the old and new boxes, and do a 
diff -a on those files to see what has changed.

Samba changes default options between versions so what may have worked on an 
older version is not guaranteed to work on the new ones.

Also, what does your krb5.conf file look like?

-=Andrew 
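Andrew's suggestion, comparing the effective configuration of both boxes rather than the smb.conf files as written, is what found the missing winbind separator line later in this thread. The script below is an added example and not part of any post: it diffs two testparm-style parameter dumps (in practice produced with `testparm -s -v` on each server and copied side by side) and prints every parameter whose effective value differs or is set on only one side. The two dumps here are constructed inline and do not reproduce either server's real configuration.

```shell
#!/bin/sh
# Added example (not from the list thread): compare two testparm -v style
# dumps and report parameters that differ. Inputs below are constructed.

# Usage: config_diff OLD_DUMP NEW_DUMP
# Prints "<param>: <old value> | <new value>", with "(unset)" for a side
# that does not set the parameter. Section headers, comments and blank
# lines are ignored, so ordering and indentation differences do not count.
config_diff() {
    awk '
        # Parse one line into the globals key/val; return 0 for lines
        # that carry no parameter (blank, comment, [section] header).
        function parse(line,    c, i) {
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            c = substr(line, 1, 1)
            if (line == "" || c == "#" || c == ";" || c == "[") return 0
            i = index(line, "=")
            if (i == 0) return 0
            key = substr(line, 1, i - 1); sub(/[ \t]+$/, "", key)
            val = substr(line, i + 1);    sub(/^[ \t]+/, "", val)
            return 1
        }
        # NR == FNR holds only while the first file is read
        # (the first file must not be empty for this idiom to work).
        NR == FNR { if (parse($0)) a[key] = val; next }
                  { if (parse($0)) b[key] = val }
        END {
            for (k in a) if (!(k in b))                print k ": " a[k] " | (unset)"
            for (k in b) if (!(k in a))                print k ": (unset) | " b[k]
            for (k in a) if ((k in b) && a[k] != b[k]) print k ": " a[k] " | " b[k]
        }' "$1" "$2" | LC_ALL=C sort
}

# --- constructed sample dumps -------------------------------------------
WORKING=$(mktemp); BROKEN=$(mktemp)
trap 'rm -f "$WORKING" "$BROKEN"' EXIT
cat >"$WORKING" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ADS
    winbind separator = +
    winbind use default domain = Yes
    log level = 3
EOF
cat >"$BROKEN" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ADS
    winbind use default domain = Yes
    log level = 2
EOF

config_diff "$WORKING" "$BROKEN"
```

Because testparm -v prints every parameter with its effective value, including defaults, this also catches a default that changed between Samba versions, which a diff of the two hand-written smb.conf files would miss.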




Re: [Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works

2011-02-18 Thread Geoff Winkless
Once again, I forgot to change the To: line so apologies to Andrew,
who will have this twice

Hi Andrew, thanks for the response.

(I've modified the subject line because I just realised I
mis-remembered the error message when I typed the subject line
before...)

I was running 3.0.33 on both boxes with identical conf files; it
wasn't working then, so I updated to 3.5 in case it improved matters
(it didn't). I can't get onto the first box right now cos I don't have
admin rights on it and the owner's not here, but I'll try to get the
output from testparm on Monday.

krb5.conf file looks like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LAN..CO.UK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 LAN..CO.UK = {
 kdc = 192.168.3.1
 admin_server = 192.168.3.1
 default_domain = LAN..CO.UK
 }

[domain_realm]
 .lan..co.uk = LAN..CO.UK
 lan..co.uk = LAN..CO.UK

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Thanks again

Geoff

On 18 February 2011 16:32, Andrew Masterson
andrew.master...@nuvistaenergy.com wrote:
 First thing I would do is a testparm -v on both the old and new boxes, and do 
 a diff -a on those files to see what has changed.

 Samba changes default options between versions so what may have worked on an 
 older version is not guaranteed to work on the new ones.

 Also, what does your krb5.conf file look like?

 -=Andrew


Re: [Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works

2011-02-18 Thread Andrew Masterson
Your krb5.conf file looks pretty much the same, except I had to modify
mine to get it to work with 2008 DCs: I specify the ports in the realms
section, and have no kdc profile.  Did you copy that kdc.conf file over
as well (if it is needed at all)?

 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

-=Andrew


Re: [Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works

2011-02-18 Thread Geoff Winkless
On 18 February 2011 17:28, Andrew Masterson
andrew.master...@nuvistaenergy.com wrote:
 Your krb5.conf file looks pretty much the same, except I had to modify
 mine to get it to work with 2008 DCs: I specify the ports in the realms
 section, and have no kdc profile.  Did you copy that kdc.conf file over
 as well (if it is needed at all)?

Yes, it's identical to the one on the server that works.

  default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

Added those to the libdefaults section and can't see any difference :(

Cheers

Geoff


Re: [Samba] Samba ADS on AIX 6.1 TL04

2010-04-29 Thread Yashpal Nagar
On Wed, Apr 28, 2010 at 12:29 AM, William Jojo w.j...@hvcc.edu wrote:

 Sorry about that. All of my packages were initially 32-bit, then I offered the
 64-bit code as BETA for about 6 months, and after some testing and feedback
 from users, I marked it as production quality. The Samba Team makes no
 guarantees whatsoever on what I produce. This is simply a statement of
 usability.

 I will remove that line from the site.


I thought some more information should be provided, which would make it clear
to visitors whether they can use 64-bit Samba in production.


  3. After changing methods.cfg and the user file, is there any program that needs to be
 restarted apart from Samba, or a server reboot?


 The most you may need to do is stop Samba and run slibclean, then restart 
 Samba.

I have installed samba 3.4.3, 32bit

Path: /usr/lib/objrepos
  pware53.base.rte   5.3.0.0  COMMITTED  pWare base for 5.3
  pware53.bdb.rte   4.7.25.4  COMMITTED  Berkeley DB 4.7.25
  pware53.cyrus-sasl.rte    2.1.23.1  COMMITTED  cyrus-sasl 2.1.23
  pware53.gettext.rte   0.17.0.0  COMMITTED  GNU gettext 0.17
  pware53.krb5.rte   1.7.1.1  COMMITTED  MIT Kerberos 1.7.1
  pware53.libiconv.rte  1.13.1.0  COMMITTED  GNU libiconv 1.13.1
  pware53.ncurses.rte    5.7.0.1  COMMITTED  ncurses 5.7.0.1
  pware53.openldap.rte  2.4.21.1  COMMITTED  OpenLDAP 2.4.21
  pware53.openssl.rte   0.9.8.13  COMMITTED  OpenSSL 0.9.8m
  pware53.popt.rte  1.10.4.0  COMMITTED  popt 1.10.4
  pware53.samba.rte  3.4.3.0  COMMITTED  Samba 3.4.3
  pware53.zlib.rte   1.2.4.0  COMMITTED  zlib 1.2.4

I got these errors--
-
[2010/04/28 10:50:44, 1] winbindd/idmap_tdb.c:445(idmap_tdb_allocate_id)
Fatal Error: GID range full!! (max: 50)
[2010/04/28 10:50:44, 3] winbindd/idmap.c:695(idmap_new_mapping)
Could not allocate id: NT_STATUS_UNSUCCESSFUL
.
log.winbindd:  lookupname_recv: lookup_name() failed!
log.winbindd:  Could not lookup name for user MYGRP\USER1
log.winbindd:[2010/04/29 10:28:30,  3]
winbindd/winbindd_sid.c:107(winbindd_lookupname)
log.winbindd:  [160060]: lookupname MYGRP\USER1

-

Once I copied the winbind_idmap.tdb from the other server like you
suggested, and kept the same idmap uid/gid range as on that server, I
was able to list SIDs for users. In my case wbinfo -t/-m/-p/-g work
but wbinfo -u doesn't! I'm not sure what the reason is, but the
same works OK on the other server.

wbinfo -u returns: Error looking up domain users.
net ads users lists all the users too, but wbinfo -u doesn't.

The "GID range full!!" error persists no matter what: I removed all the *.tdb
files and even set a larger GID range.

I used the following to create the machine account:

net ads join -S DOMSERVER -Uuser_adm createcomputer="/Servers/Non Windows Servers"

I have repeated this command, replacing DOMSERVER with the other DC names
in the TDK.DK realm, which I think has helped to keep the machine account
trust OK.

My smb.conf is

[global]
workgroup = MYGRP
server string =  Samba Server
security = ADS
log level = 5
netbios name = FOO
log file = /var/log/samba/log.%m
max log size = 500
password server = *
realm = AA.DK
allow trusted domains = no
encrypt passwords = yes
client use spnego = yes
client ntlmv2 auth = yes
local master = no
domain master = no
wins server = namesrv04 namesrv03
dns proxy = no
idmap uid = 10-99
idmap gid = 100-199
restrict anonymous = yes
name resolve order = wins bcast
winbind enum groups = no
winbind enum users = no
winbind cache time = 300
winbind use default domain = yes

I think I was missing client ntlmv2 auth = yes. At present I'm able
to authenticate the AD users, and shares are given permissions
based on AD groups, which is working OK. My questions now are:

1. Since I have copied the winbind_idmap.tdb from the other working
servers, will it update the existing SIDs and add new ones?

2. What is the reason for the user lookup errors in winbindd.log? I have
noticed they only appear when one gets NT_STATUS_UNSUCCESSFUL.

3. Users who have logged into the MYGRP domain are able to see the shares
without any prompt, since they have already logged into the domain, but
for those shares they don't have access to, I'm prompted for
authentication. Then I provide valid user credentials, but it
doesn't give access to the shares. Is this normal?

Many thanks for your help!

Yash
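The "GID range full!!" message in the log above comes from winbindd's idmap_tdb allocator, which could not hand out another gid inside the configured idmap gid range. The script below is an added example, not code from the post: it parses the Samba 3.x-style "idmap uid"/"idmap gid" lines from an smb.conf and compares the gid range size with the number of domain groups winbind is asked to map (one per line, the shape wbinfo -g prints), so an undersized range is caught before the allocator fills up. All file contents are constructed and the ranges do not reproduce Yash's configuration.

```shell
#!/bin/sh
# Added example (not from the list post): sanity-check the idmap gid range
# in a Samba 3.x smb.conf against the number of groups to be mapped.
# Constructed inputs below.

# Print "<kind> <low> <high> <size>" for each "idmap uid/gid = LOW-HIGH"
# line, or "<kind> malformed <text>" when the value is not LOW-HIGH with
# two integers and LOW <= HIGH.
idmap_ranges() {
    awk '
        /^[ \t]*idmap[ \t]+(uid|gid)[ \t]*=/ {
            kind = $2; sub(/=.*/, "", kind)               # "uid" or "gid"
            r = $0; sub(/^[^=]*=[ \t]*/, "", r); sub(/[ \t]+$/, "", r)
            n = split(r, p, "-")
            if (n != 2 || p[1] !~ /^[0-9]+$/ || p[2] !~ /^[0-9]+$/ || p[1] + 0 > p[2] + 0) {
                print kind, "malformed", r
                next
            }
            print kind, p[1], p[2], p[2] - p[1] + 1
        }' "$1"
}

# Usage: idmap_gid_fit SMB_CONF GROUP_LIST
# Exit 0 when the gid range can hold every listed group, 1 when it cannot,
# 2 when no usable gid range is configured.
idmap_gid_fit() {
    size=$(idmap_ranges "$1" | awk '$1 == "gid" && $2 != "malformed" { print $4 }')
    if [ -z "$size" ]; then
        echo "no usable idmap gid range in $1"
        return 2
    fi
    groups=$(grep -c . "$2")
    if [ "$groups" -gt "$size" ]; then
        echo "idmap gid range holds $size ids but $groups groups need mapping"
        return 1
    fi
    echo "idmap gid range holds $size ids for $groups groups"
}

# --- constructed sample data --------------------------------------------
GROUPS_FILE=$(mktemp); SMALL_CONF=$(mktemp); OK_CONF=$(mktemp)
trap 'rm -f "$GROUPS_FILE" "$SMALL_CONF" "$OK_CONF"' EXIT
cat >"$GROUPS_FILE" <<'EOF'
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
dnsadmins
EOF
# eight groups but only five gids available
cat >"$SMALL_CONF" <<'EOF'
[global]
   security = ads
   idmap uid = 10000-19999
   idmap gid = 20000-20004
EOF
cat >"$OK_CONF" <<'EOF'
[global]
   security = ads
   idmap uid = 10000-19999
   idmap gid = 20000-29999
EOF

idmap_gid_fit "$SMALL_CONF" "$GROUPS_FILE" || echo "(exit $?)"
idmap_gid_fit "$OK_CONF" "$GROUPS_FILE"
```

On a live member server the group list would come from `wbinfo -g > groups.txt`; the check is a lower bound, since every group that appears in any user's token, including built-in ones, needs a gid as well.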


[Samba] Samba ADS on AIX 6.1 TL04

2010-04-27 Thread Yashpal Nagar
Hi All

I'm trying to integrate a Samba server with ADS on AIX 6.1 TL04, for the last
week, with idmap / winbind, but with no satisfactory results. I have gone through
various links at samba.org relating to winbind and idmapper and followed
http://pware.hvcc.edu/  for precompiled binaries and
http://pware.hvcc.edu/AIX-Samba.pdf, which is for AIX 6.1 TL03 though.

I have found that the Samba provided by IBM with the expansion pack doesn't
have support for ADS. The binaries I have tried are both the 32-bit and
64-bit Samba; neither of them has worked for me. The ADS join is OK, and I am able
to see all good output for wbinfo -t/-m/-p etc.

I have copied the WINBIND module under /usr/lib/security and changed
/usr/lib/security/methods.cfg
as
WINBIND:
program = /usr/lib/security/WINBIND
options = authonly

the /etc/security/user the default stanza with

SYSTEM = WINBIND OR compat

The errors I have repeatedly encountered are --
Could not trigger lookup sid
sid2gid returned an error
Could not lookup name for user MYDOMAIN\USER1

Some other errors are
Error GID range is full!!

No matter whether I removed the *.tdb files, specified new ranges, etc., this GID
error persistently appears. I have reached the point where user authentication is
successful but SID to GID mapping doesn't work, or the lookup for that AD user
fails. The AD seems to be OK, as another server (AIX 5.2) is already working
with Samba compiled with ADS support.

What I would like to know:
1. How do we compile Samba from scratch? I tried 3.5.2; ./configure was OK,
but this didn't create any Makefile! I understand I need to
compile Kerberos, DB and OpenLDAP before compiling Samba; which versions of the
dependent software (Kerberos, DB, OpenLDAP) should be used?
2. How can I resolve this GID range full error?
3. What shall be done to have SID to GID mapping?

Best Regards,
Yash


Re: [Samba] Samba ADS on AIX 6.1 TL04

2010-04-27 Thread William Jojo

Yashpal Nagar wrote:

Hi All

I'm trying to integrate a Samba server with ADS on AIX 6.1 TL04, for the last
week, with idmap / winbind but no satisfactory results. I have gone through
various links at samba.org relating to winbind, idmapper and followed
http://pware.hvcc.edu/  for precompiled binaries and
http://pware.hvcc.edu/AIX-Samba.pdf which is for AIX 6.1 TL03 though.

  


It shouldn't matter. The TL's are just IBM's way of drawing lines for 
patch sets. The documentation was updated when TL-03 was released. The 
code compiled on 5.3 should run just fine under 6.1.



I have found the samba which is provided by IBM with expansion pack doesn't
have support for ADS. The binaries I have tried with is both 32 bit and
64bit of samba, neither of them has worked for me. ADS join is ok, I am able
to see all good output for wbinfo -t/-m/-p etc.

I have copied the WINBIND module under /usr/lib/security and changed
/usr/lib/security/methods.cfg
as
WINBIND:
program = /usr/lib/security/WINBIND
options = authonly
  


Please remove the authonly, it's not necessary.


the /etc/security/user the default stanza with

SYSTEM = WINBIND OR compat

The errors I have repeatedly encountered are --
Could not trigger lookup sid
sid2gid returned an error
Could not lookup name for user MYDOMAIN\USER1

Some other errors are
Error GID range is full!!

  


This is an indication that the winbind configuration may be incorrect. 
In general, the AD configurations work as expected on AIX.


Could you post your smb.conf for review? Also, are you using the LDAP 
backend or TDB? The IDMAP piece has been significantly modified from 
3.3.x through 3.5.x, so some docs (including my own) may need some 
revision and depending on how yours is written may be getting 
misinterpreted.


I am posting info from one of my (old - 5.3-TL6-SP4) AIX machines 
running 3.5.2 joined to w2k8R2:


[aixdev:/] # oslevel -s
5300-06-04-0748

[aixdev:/] # lslpp -l pware*
 Fileset  Level  State  Description
 


Path: /usr/lib/objrepos
 pware53.base.rte   5.3.0.0  COMMITTED  pWare base for 5.3
 pware53.bash.rte  4.0.35.0  COMMITTED  GNU bash 4.0
 pware53.bdb.rte   4.7.25.4  COMMITTED  Berkeley DB 4.7.25
 pware53.cyrus-sasl.rte2.1.23.1  COMMITTED  cyrus-sasl 2.1.23
 pware53.gettext.rte   0.17.0.0  COMMITTED  GNU gettext 0.17
 pware53.krb5.rte   1.7.1.1  COMMITTED  MIT Kerberos 1.7.1
 pware53.libiconv.rte  1.13.1.0  COMMITTED  GNU libiconv 1.13.1
 pware53.ncurses.rte5.7.0.1  COMMITTED  ncurses 5.7.0.1
 pware53.openldap.rte  2.4.21.1  COMMITTED  OpenLDAP 2.4.21
 pware53.openssl.rte   0.9.8.13  COMMITTED  OpenSSL 0.9.8m
 pware53.popt.rte  1.10.4.0  COMMITTED  popt 1.10.4
 pware53.readline.rte   6.1.0.0  COMMITTED  GNU readline 6.1
 pware53.samba.rte  3.5.2.0  COMMITTED  Samba 3.5.2
 pware53.tar.rte   1.22.0.0  COMMITTED  GNU tar 1.22
 pware53.zlib.rte   1.2.4.0  COMMITTED  zlib 1.2.4

[aixdev:/] # cat /opt/pware/lib/smb.conf
[global]
   security = ads
   realm = DEV35.LOCAL
   password server = 151.103.35.21
   workgroup = DEV35
   winbind separator = +
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum users = yes
   winbind enum groups = yes
   log level = 3
   template homedir = /home/%D/%U
   template shell = /opt/pware/bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   winbind use default domain = yes
   restrict anonymous = 2
[netlogon]
   path = /netlogon

[aixdev:/] # net ads testjoin
Join is OK

[aixdev:/] # wbinfo -u
administrator
guest
krbtgt
w.jojo

[aixdev:/] # wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
dnsadmins
dnsupdateproxy
ctxpilot
[aixdev:/] # lsuser w.jojo
w.jojo id=1 pgrp=domain users home=/home/DEV35/w.jojo 
shell=/opt/pware/bin/bash gecos=William Jojo login=true su=true 
rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak 
ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND 
SYSTEM=compat or WINBIND logintimes= loginretries=0 pwdwarntime=0 
account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 
minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 
pwdchecks= dictionlist= fsize=-1 cpu=-1 data=-1 stack=-1 core=2097151 
rss=-1 nofiles=-1 roles= id=1 pgrp=domain users 
home=/home/DEV35/w.jojo shell=/opt/pware/bin/bash pgid=1 
gecos=William Jojo shell=/opt/pware/bin/bash pgrp=domain users 
SID=S-1-5-21-2261283086-3937381662-459627218-1113



Re: [Samba] Samba ADS on AIX 6.1 TL04

2010-04-27 Thread Yashpal Nagar
On Tue, Apr 27, 2010 at 5:32 PM, William Jojo w.j...@hvcc.edu wrote:

 Yashpal Nagar wrote:

 Hi All

 I'm trying to integrate a Samba server with ADS on AIX 6.1 TL04, for the last
 week, with idmap / winbind but no satisfactory results. I have gone
 through
 various links at samba.org relating to winbind, idmapper and followed
 http://pware.hvcc.edu/  for precompiled binaries and
 http://pware.hvcc.edu/AIX-Samba.pdf which is for AIX 6.1 TL03 though.




 It shouldn't matter. The TL's are just IBM's way of drawing lines for patch
 sets. The documentation was updated when TL-03 was released. The code
 compiled on 5.3 should run just fine under 6.1.


 I have found the samba which is provided by IBM with the expansion pack doesn't
 have support for ADS. The binaries I have tried are both the 32-bit and
 64-bit builds of samba; neither of them has worked for me. ADS join is ok, I am
 able to see all good output for wbinfo -t/-m/-p etc.

 I have copied the WINBIND module under /usr/lib/security and changed
 /usr/lib/security/methods.cfg
 as
 WINBIND:
program = /usr/lib/security/WINBIND
options = authonly



 Please remove the authonly, it's not necessary.


 the /etc/security/user the default stanza with

 SYSTEM = WINBIND OR compat

 The errors I have repeatedly encountered is --
 Could not trigger lookup sid
 sid2gid returned an error
 Could not lookup name for user MYDOMAIN\USER1

 Some other errors are
 Error GID range is full!!




 This is an indication that the winbind configuration may be incorrect. In
 general, the AD configurations work as expected on AIX.

 Could you post your smb.conf for review? Also, are you using the LDAP
 backend or TDB? The IDMAP piece has been significantly modified from 3.3.x
 through 3.5.x, so some docs (including my own) may need some revision and
 depending on how yours is written may be getting misinterpreted.

 I am posting info from one of my (old - 5.3-TL6-SP4) AIX machines running
 3.5.2 joined to w2k8R2:

 [aixdev:/] # oslevel -s
 5300-06-04-0748

 [aixdev:/] # lslpp -l pware*
  Fileset  Level  State  Description
 
 Path: /usr/lib/objrepos
  pware53.base.rte   5.3.0.0  COMMITTED  pWare base for 5.3
  pware53.bash.rte  4.0.35.0  COMMITTED  GNU bash 4.0
  pware53.bdb.rte   4.7.25.4  COMMITTED  Berkeley DB 4.7.25
  pware53.cyrus-sasl.rte   2.1.23.1  COMMITTED  cyrus-sasl 2.1.23
  pware53.gettext.rte   0.17.0.0  COMMITTED  GNU gettext 0.17
  pware53.krb5.rte   1.7.1.1  COMMITTED  MIT Kerberos 1.7.1
  pware53.libiconv.rte  1.13.1.0  COMMITTED  GNU libiconv 1.13.1
  pware53.ncurses.rte   5.7.0.1  COMMITTED  ncurses 5.7.0.1
  pware53.openldap.rte  2.4.21.1  COMMITTED  OpenLDAP 2.4.21
  pware53.openssl.rte   0.9.8.13  COMMITTED  OpenSSL 0.9.8m
  pware53.popt.rte  1.10.4.0  COMMITTED  popt 1.10.4
  pware53.readline.rte   6.1.0.0  COMMITTED  GNU readline 6.1
  pware53.samba.rte  3.5.2.0  COMMITTED  Samba 3.5.2
  pware53.tar.rte   1.22.0.0  COMMITTED  GNU tar 1.22
  pware53.zlib.rte   1.2.4.0  COMMITTED  zlib 1.2.4

 [aixdev:/] # cat /opt/pware/lib/smb.conf
 [global]
   security = ads
   realm = DEV35.LOCAL
   password server = 151.103.35.21
   workgroup = DEV35
   winbind separator = +
   idmap uid = 1-2
   idmap gid = 1-2
   winbind enum users = yes
   winbind enum groups = yes
   log level = 3
   template homedir = /home/%D/%U
   template shell = /opt/pware/bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   winbind use default domain = yes
   restrict anonymous = 2
 [netlogon]
   path = /netlogon

 [aixdev:/] # net ads testjoin
 Join is OK

 [aixdev:/] # wbinfo -u
 administrator
 guest
 krbtgt
 w.jojo

 [aixdev:/] # wbinfo -g
 domain computers
 domain controllers
 schema admins
 enterprise admins
 cert publishers
 domain admins
 domain users
 domain guests
 group policy creator owners
 ras and ias servers
 allowed rodc password replication group
 denied rodc password replication group
 read-only domain controllers
 enterprise read-only domain controllers
 dnsadmins
 dnsupdateproxy
 ctxpilot
 [aixdev:/] # lsuser w.jojo
 w.jojo id=1 pgrp=domain users home=/home/DEV35/w.jojo
 shell=/opt/pware/bin/bash gecos=William Jojo login=true su=true rlogin=true
 daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL
 expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=WINBIND SYSTEM=compat or
 WINBIND logintimes= loginretries=0 pwdwarntime=0 account_locked=false
 minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8
 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=-1 cpu=-1
 data=-1 stack=-1 core=2097151 rss=-1 nofiles=-1 roles= id=1 pgrp=domain
 users home=/home/DEV35/w.jojo shell=/opt/pware/bin/bash 

Re: [Samba] Samba ADS on AIX 6.1 TL04

2010-04-27 Thread William Jojo

Yashpal Nagar wrote:
 
 
Thanks a lot Bill for your reply.
 
My smb.conf

-
[global]


As a member server, I would have expected workgroup to be AA, that is, 
the prefix of the realm.



  workgroup = MYGRP
  domain master = no
  local master = no
  server string = Test Samba Server
  netbios name = FOO
  realm = AA.DK
  allow trusted domains = no
  security = ADS
  encrypt passwords = yes
  password server = *
  dns proxy = no
  log level = 3
  max log size = 100
  log file = /var/log/samba/%m.log
  client use spnego = yes


Remove the following:


  idmap domains = MYGRP
  idmap config MYGRP:default = yes
  idmap config MYGRP:backend = tdb
  idmap config MYGRP:range   = 20  -  50
  idmap alloc backend = tdb
  idmap alloc config:range  = 20  -  50


Add the following:

 idmap uid = 20-50
 idmap gid = 20-50


Please see the following:

http://samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html

But ignore the last example. :-)


The idmap alloc is only necessary if the allocator is not going to the 
tdb model specified by idmap backend.



The man pages are very out of sync with the reality of IDMAP. IDMAP 
is not a simple component and not always easy to debug, but I think it 
is in a better place now than previously.




  restrict anonymous = yes
  wins server = namesrv04 namesrv03
  name resolve order = wins bcast
-
When I run testparm, it says unrecognised idmap domains = MYGRP. If 
I comment that out it throws no error for 'net ads testjoin' etc. No 
matter which samba version I use it complains about this line; I may 
notice you have mentioned the same example in one of your examples in your 
pdf, under IDMAP_TDB.
 


Yeah, as of 3.3, that's not the case any longer. I will update my docs 
to reflect the truth. :-)



Other smb.conf, I have tried which works well on AIX 5.2, but didn't 
work with precompiled binaries on AIX 6.1

---
[global]
  workgroup = MYGRP
  domain master = no
  local master = no
  server string = Test Samba Server
  netbios name = foo
  realm = AA.DK
  allow trusted domains = no
  security = ADS
  encrypt passwords = yes
  password server = *
  dns proxy = no
  log level = 1
  max log size = 100
  log file = /var/log/samba/%m.log
  idmap uid = 10-99
  idmap gid = 100-199
  restrict anonymous = yes
  wins server = namesrv04 namesrv03
  name resolve order = wins bcast
  winbind enum groups = no
  winbind enum users = no
  winbind cache time = 300
  winbind use default domain = yes
--
Since the existing setup (AIX5.2) works well with the tdb backend, though 
it is not explicitly mentioned in the config above, I can see a 
large winbindd_idmap.tdb under $SAMBA/var. I would keep the same tdb 
(default?) backend.
 
 



The default is TDB, so yes, it would stay the same. You should (and 
probably want to)  copy the winbindd_idmap.tdb to the new server to keep 
your mappings unless this is not desired.



What I would like know -
 
1. Which samba binaries have you installed? I believe it is 32 
bit. Can I use 64 bit binaries on a production server? You have mentioned

*The 64-bit code is to be treated as PRODUCTION. *
What does this mean? Does PRODUCTION mean it shall be used for 
production servers, or is it what you/the SAMBA development team are currently 
using for development/production of samba? Some more information here 
on your website surely would help.


Sorry about that. All of my packages were initially 32-bit, then I 
offered the 64-bit code as BETA for about 6 months, and after some 
testing and feedback from users, I marked it as production quality. The 
Samba Team makes no guarantees whatsoever on what I produce. This is 
simply a statement of usability.


I will remove that line from the site.

 
3. After changing methods.cfg and the user file, is there any program that needs to 
be restarted apart from samba, or a server reboot?
 


The most you may need to do is stop Samba and run slibclean, then 
restart Samba.



4. I understand AIX uses LAM instead of PAM, which is used on Linux. 
Is there any setting related to LAM we have to do on AIX? There is no 
nsswitch.conf file as well; I assume since these binaries are already 
compiled for that platform, it should take care of this automatically?
 


The package(s) I provide also support PAM. The IBM LAM framework is in 
use with the WINBIND product Andrew Tridgell wrote some time ago.


You are correct that there is no nsswitch.conf. Effectively, methods.cfg 
and /etc/security/user are the equivalent.



Let me know how you get on.


Cheers,
Bill


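A worked check for the idmap advice in the reply above. This is an added example, not Samba code and not something either poster wrote: it parses an smb.conf `[global]` section, reports the `idmap domains`, `idmap config ...` and `idmap alloc ...` lines Bill says to remove (testparm calls `idmap domains` unrecognised from 3.3 on), and verifies that `idmap uid`/`idmap gid` are present with well-formed LOW-HIGH ranges. The two embedded configs are constructed from the posted smb.conf; the function and constant names are the example's own.

```python
"""Lint the idmap parameters of a Samba 3.x smb.conf [global] section.

Added example, not Samba code: it applies the advice from the thread above
(drop 'idmap domains', 'idmap config ...' and 'idmap alloc ...', use plain
'idmap uid'/'idmap gid' ranges).  The two configs below are constructed
from the posted smb.conf; all names here are the example's own.
"""
import re

# Parameters the reply says to remove; testparm reports 'idmap domains'
# as unrecognised from Samba 3.3 onwards.
REMOVED_PREFIXES = ("idmap domains", "idmap config ", "idmap alloc")

# Samba range syntax, e.g. "idmap uid = 20-50" (spaces around '-' tolerated).
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed: the [global] section posted by Yashpal, as the linter sees it.
SAMPLE_SMB_CONF = """\
[global]
  workgroup = MYGRP
  realm = AA.DK
  security = ADS
  idmap domains = MYGRP
  idmap config MYGRP:default = yes
  idmap config MYGRP:backend = tdb
  idmap config MYGRP:range   = 20  -  50
  idmap alloc backend = tdb
  idmap alloc config:range  = 20  -  50
  restrict anonymous = yes
"""

# Constructed: the same section after applying Bill's advice.
FIXED_SMB_CONF = """\
[global]
  workgroup = AA
  realm = AA.DK
  security = ADS
  idmap uid = 20-50
  idmap gid = 20-50
  restrict anonymous = yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.  Section and parameter names are
    lowercased and their internal whitespace collapsed, which is how Samba
    matches them; comments (# or ;) and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); None if malformed or reversed."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def lint_idmap(text):
    """Return a list of findings for the idmap setup; empty means clean."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for key in glob:
        if key.startswith(REMOVED_PREFIXES):
            findings.append(f"remove '{key}' (use 'idmap uid'/'idmap gid' ranges instead)")
    for key in ("idmap uid", "idmap gid"):
        if key not in glob:
            findings.append(f"missing '{key} = LOW-HIGH'")
        elif parse_range(glob[key]) is None:
            findings.append(f"malformed range in '{key} = {glob[key]}'")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}: {lint_idmap(conf) or ['ok']}")
```

Run against the posted section it lists the six `idmap domains`/`idmap config`/`idmap alloc` lines to drop and the two missing range parameters; the corrected section passes clean. The parser deliberately normalises names the way Samba does, so `idmap config MYGRP:range` and `idmap  config  mygrp:range` are the same key.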

[Samba] Samba + ADS - Filepermissions home directories

2009-07-15 Thread Mona Meyer
I configured winbind, samba and pam.d to authenticate via our Windows Active
Directory Server.

Everything works fine, I can log on to the system using my Windows Account
credentials, I am also able to access the samba home share, but I have no
write permissions there.

What I don't get is: When I give read-write access to everybody (chmod 777
/home/%USER%), I am able to create and delete files. If I then create a new
file (via the network share), the file is created by the owner of
/home/%USER%. But if the system identifies me as the owner, why was I
not able to create the file before changing the file permissions?

/etc/samba/smb.conf
 [global]
   workgroup = WORKGROUP
   realm = INT.WORKGROUP.COM
   server string = %h

   security = ADS
   winbind separator = +
   winbind cache time = 10
   password server = 192.168.1.1
   encrypt passwords = yes
   client use spnego = yes

   idmap uid = 1-2
   idmap gid = 1-2

   template shell = /bin/bash
   template homedir = /home/%U

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = WORKGROUP+%S


after chmod 777:

debian:/home/USER# ls -la
-rwx------ 1 USER domain-user 0 15. Jul 16:45 test

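An added example (not from the thread, and not Samba's own code) that shows the permission arithmetic behind the symptom above: a directory with mode 0700 grants create and delete only to the exact owning uid, so when the uid winbind assigns to the session differs from the uid that owns /home/<user>, every write fails until the mode is loosened, as the chmod 777 did here, at the price of a world-writable home directory. `ensure_home` repairs ownership and mode instead; it is written so it could be called from Samba's `root preexec` hook with the connecting user's uid and gid, which is an assumption about deployment, and `demo` runs the scenario in a scratch directory.

```python
"""Explain and repair write access to a Samba [homes] directory.

Added example (not from the thread, not Samba's own code).  can_write()
is the POSIX directory-write decision; ensure_home() is the kind of repair
a 'root preexec' hook could perform (assumption about deployment).
"""
import os
import stat
import tempfile


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """Can a process (uid, gids) create or delete entries in a directory?

    POSIX picks exactly one permission class (owner if the uid matches,
    else group if the gid is in the caller's groups, else other) and needs
    both the write bit (add/remove entries) and the execute bit (traverse)
    from that class.  Root bypasses the check entirely."""
    if uid == 0:
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o3 == 0o3


def explain(path, uid, gids):
    """Report mode, owner and the resulting write decisions for `path`."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": oct(mode),
        "owner_uid": st.st_uid,
        "owner_gid": st.st_gid,
        "writable": can_write(mode, st.st_uid, st.st_gid, uid, gids),
        # an unrelated, non-root uid with no matching group: the 777 exposure
        "world_writable": can_write(mode, st.st_uid, st.st_gid, st.st_uid + 1, []),
    }


def ensure_home(path, uid, gid, mode=0o700):
    """Create `path` if missing, then make it uid:gid with `mode`.

    Returns the repairs performed.  chown needs root (or an already
    matching owner); a PermissionError is left to the caller."""
    actions = []
    if not os.path.isdir(path):
        os.mkdir(path, mode)
        os.chmod(path, mode)  # mkdir's mode argument is masked by umask
        actions.append("created")
    st = os.stat(path)
    if (st.st_uid, st.st_gid) != (uid, gid):
        os.chown(path, uid, gid)
        actions.append("chown")
    if stat.S_IMODE(st.st_mode) != mode:
        os.chmod(path, mode)
        actions.append("chmod")
    return actions


def demo():
    """Reproduce the post's 'chmod 777' state in a scratch dir and repair it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "USER")  # constructed stand-in for /home/USER
        os.mkdir(home)
        os.chmod(home, 0o777)             # the world-writable workaround
        uid, gid = os.getuid(), os.getgid()
        before = explain(home, uid, [gid])
        actions = ensure_home(home, uid, gid)
        after = explain(home, uid, [gid])
        return before, actions, after


if __name__ == "__main__":
    for label, value in zip(("before", "repairs", "after"), demo()):
        print(label, value)
```

The pure `can_write` cases are the ones worth memorising: 0700 with a matching uid is writable, 0700 with only a matching gid is not, and 0600 is not writable even for the owner because the directory cannot be traversed. Comparing `explain()` output for the session uid against the directory owner is the quickest way to tell an idmap mismatch from a plain mode problem.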

Re: [Samba] Samba + ADS - Filepermissions home directories

2009-07-15 Thread gregorcy



Mona Meyer wrote:

I configured winbind, samba and pam.d to authenticate via our Windows Active
Directory Server.

Everything works fine, I can log on to the system using my Windows Account
credentials, I am also able to access the samba home share, but I have no
write permissions there.

What I don't get is: When I give read-write access to everybody (chmod 777
/home/%USER%), I am able to create and delete files. If I then create a new
file (via the network share), the file is created by the owner of
/home/%USER%. But if the system identifies me as the owner, why was I
not able to create the file before changing the file permissions?





When I first set up our file server I remember running into something like that; I fixed it by writing a preexec script 
to set the permissions correctly.  If you are interested I would be happy to send you our script.





--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
801.585.7170







[Samba] samba, ADS and privileges management

2009-01-27 Thread Guillaume Rousse

Hello list.

I once had a samba server acting as a PDC, a mapping between my NT 
'Domain admins' and Unix 'admins' groups, and everything worked perfectly.


Now I got a new shiny samba server acting as a print server only, member 
of an AD domain, and I can't have the members of 'Domain admins' group 
manage printing drivers on the server, whereas the Administrator account 
can.


Here is my smb.conf:
[global]
   workgroup = MSR-INRIA
   realm = MSR-INRIA.IDF
   security = ads
   printcap name = cups
   load printers = yes
   printing = cups
...

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
create mode = 0700
print command = lpr-cups -P %p -o raw %s -r
use client driver = yes

[print$]
   comment = Windows print drivers
   path = /var/lib/samba/printers
   browseable = yes
   write list = root, @admins
   guest ok = yes
   inherit permissions = yes


AD membership is fine:
- 'net ads testjoin' is OK
[r...@etoile samba]# net ads testjoin
Join is OK

- I can get a tgt for the administrator account:
[r...@etoile samba]# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrat...@msr-inria.idf

  Issued   Expires  Principal
Jan 27 16:07:12  Jan 28 02:07:12  krbtgt/msr-inria@msr-inria.idf
Jan 27 16:15:11  Jan 28 02:07:12  concor...@msr-inria.idf

- I can get ADS groups and users list
[r...@etoile samba]# net ads group
HelpServicesGroup
TelnetClients
IIS_WPG
Administrateurs
Utilisateurs
...

So basically, AD membership seems to be OK.

I'm using this file for mapping Unix and Windows users[2]:
!root = MSR-INRIA.IDF\Administrateur MSR-INRIA\Administrateur
!rousse = MSR-INRIA.INRIA.FR\rousse MSR-INRIA.IDF\rousse MSR-INRIA\rousse

By construction, every 'MSR-INRIA.IDF\foo' windows user exists as 'foo' 
unix user, as we sync the AD ldap tree from our Unix tree, so I may as 
well use a script, but I guess that's just another way to achieve the 
same result.


When connecting to my printing share, samba seems to recognize I'm 
member of the special domain admins group (rid 512), from my kerberos 
ticket:

[2009/01/27 16:53:11, 3] smbd/process.c:switch_message(927)
  switch message SMBtconX (pid 15236) conn 0x0
[2009/01/27 16:53:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/01/27 16:53:11, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2009/01/27 16:53:11, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2009/01/27 16:53:11, 5] smbd/uid.c:change_to_root_user(288)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2009/01/27 16:53:11, 4] smbd/reply.c:reply_tcon_and_X(506)
  Client requested device type [?] for share [IPC$]
[2009/01/27 16:53:11, 5] smbd/service.c:make_connection(1205)
  making a connection to 'normal' service ipc$
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user rousse
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is rousse
[2009/01/27 16:53:11, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals did find user [rousse]!
[2009/01/27 16:53:11, 3] smbd/service.c:make_connection_snum(806)
  Connect path is '/var/tmp' for service [IPC$]
[2009/01/27 16:53:11, 4] lib/sharesec.c:get_share_security(132)
  get_share_security: using default secdesc for IPC$
[2009/01/27 16:53:11, 3] lib/util_seaccess.c:se_access_check(250)
[2009/01/27 16:53:11, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-5012
  se_access_check: also S-1-5-21-911279556-1797085143-1335962226-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-2-5005
  se_access_check: also S-1-22-2-5000

However, the buttons allowing me to change drivers are greyed out, either 
from the global print server properties window, or from an individual 
printer's 'advanced' settings.


I tried to add explicit group mappings, as explained at 
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html#id2572028:

[r...@etoile ~]# net groupmap list
Domain Admins (S-1-5-21-911279556-1797085143-1335962226-512) - admins
Domain Guests (S-1-5-21-911279556-1797085143-1335962226-514) - guests
Domain Users (S-1-5-21-911279556-1797085143-1335962226-513) - users

However, the same documentation says 'Group mappings are essential only 
if the Samba server is running as a PDC/BDC', which is not my case, so 
I assume it's useless. Also, I wonder if I'm supposed to use localized 
group names 'Admins du domaine' rather than English ones 'Domain admins' 
for the mapping, or if the use of the rid is enough.


I also tried to set explicit privileges, without success:
[r...@etoile samba]# net -w MSR-INRIA.IDF -U Administrateur rpc rights 
grant 'MSR-INRIA.IDF\rousse' 
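To make the se_access_check excerpt above checkable rather than eyeballed, here is an added example (not from the post and not Samba code) that extracts the token SIDs from that log fragment and labels them: S-1-22-1-N and S-1-22-2-N are the SIDs Samba synthesises for a Unix uid or gid that has no AD mapping, S-1-1-0, S-1-5-2 and S-1-5-11 are well-known SIDs, and a domain SID ending in -512 is Domain Admins. The log lines are copied from the post; the function names and the `DOMAIN_SID` constant are the example's own. Finding RID 512 in the token confirms what smbd saw at tree-connect time; it says nothing about which privileges or printer ACLs were then applied, which is what the `net rpc rights grant` attempt at the end of the post is about.

```python
"""Classify the NT token Samba logged in the se_access_check lines above.

Added example, not Samba code and not from the post.  The log excerpt is
copied from the message; DOMAIN_SID is read off it.  Well-known SID
meanings follow the Windows SID specification; S-1-22-1/S-1-22-2 are the
SIDs Samba synthesises for Unix uids and gids that have no AD mapping.
"""
import re

# One token line per SID: the user SID first, then each "also" group SID.
TOKEN_LINE = re.compile(r"se_access_check: (?:user sid is|also) (S-1-[0-9-]+)")

WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
}
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Copied from the post: the level-3 se_access_check output for the connect.
SAMPLE_LOG = """\
[2009/01/27 16:53:11, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-5012
  se_access_check: also S-1-5-21-911279556-1797085143-1335962226-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-2-5005
  se_access_check: also S-1-22-2-5000
"""
DOMAIN_SID = "S-1-5-21-911279556-1797085143-1335962226"


def classify(sid):
    """Human-readable meaning of one SID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-22-1-"):
        return f"Unix uid {parts[-1]} (unmapped)"
    if sid.startswith("S-1-22-2-"):
        return f"Unix gid {parts[-1]} (unmapped)"
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        return DOMAIN_RIDS.get(rid, f"domain RID {rid}")
    return "unknown"


def parse_token(log_text):
    """Return (user_sid, group_sids) from a level-3 smbd log excerpt."""
    sids = TOKEN_LINE.findall(log_text)
    if not sids:
        raise ValueError("no se_access_check token lines in excerpt")
    return sids[0], sids[1:]


def describe_token(log_text):
    """List every SID in the token with its classification, user first."""
    user, groups = parse_token(log_text)
    return [(sid, classify(sid)) for sid in [user] + groups]


def has_rid(log_text, domain_sid, rid):
    """True if the token carries domain_sid-rid as the user or a group SID."""
    user, groups = parse_token(log_text)
    return f"{domain_sid}-{rid}" in [user] + groups


if __name__ == "__main__":
    for sid, meaning in describe_token(SAMPLE_LOG):
        print(f"{sid:55} {meaning}")
    print("Domain Admins in token:", has_rid(SAMPLE_LOG, DOMAIN_SID, 512))
```

On this excerpt the token's user SID is a Unix-uid SID rather than a domain SID, while the group list does carry the domain's RID 512 plus two unmapped Unix gids; reading the token this way is the first thing to check before touching group mappings or privileges.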

[Samba] Samba + ADS + Kerberos ticket problem

2009-01-05 Thread Michael Fernández M

Hi...

I have a working setup with samba + kerberos + ads

Everything works great... BUT every time I reboot the machine the
kerberos ticket is lost, so I have to do:
kinit administra...@domain  and
net join ads administrator%pass_domain_admin 

And, all the setup works again...

Somebody knows how to solve this?

Thanks a lot for any input.

Michael.-





Re: [Samba] Samba ADS Error Session setup failed: Call returned zero bytes (EOF)

2008-12-03 Thread Mark Taylor

Thanks for your response Volker, I will inv further ..


[Samba] Samba ADS Error Session setup failed: Call returned zero bytes (EOF)

2008-12-02 Thread Mark Taylor

Hi Samba Bods, 

Sorry for re-posting this one but I got no response to my last post except
for a level 10 logs request which I uploaded last week. 

I have been looking at numerous howtos and newsgroup postings and I cannot
spot what the issue is. I am sure it's a simple config issue, but I am lost
..

I am using Samba 3.2.4 compiled from source on AIX 5.3 TL8 and using
security = SERVER in the smb.conf works fine, however I am having
some issues when using security = ADS ..

I have followed numerous HOWTOs and newsgroup listings and seem to be
going round in circles ..

I think I can authenticate ok against the domain win2k3 server, but
then Samba bombs out with the following errors from smbclient on the
host:

$ LIBPATH=/opt/pware/lib:/usr/local/samba/lib /usr/local/samba/bin/
smbclient -L myhostname -U UK+myusername
Enter UK+myusername's password: mypassword
Receiving SMB: Server stopped responding
session setup failed: Call returned zero bytes (EOF)

Also mapping from a windows system just gives the message The mapped
network drive could not be created because the following error has
occurred: The specified network name is no longer available.

Excuse the LIBPATH stuff it is to get around kinit and klist not
working if I set the variable permanently.  I was originally using
3.0.28 pre-compiled from samba.org and got the same issues.

So, I think I am authenticating ok .. but where to go from here
because I get the session setup failed: Call returned zero bytes
(EOF) error and I can see  the following errors in the smbd.log

$ cat smbd.log
snip
[2008/11/25 14:49:43,  2] lib/messages_local.c:message_notify(270)
message to process 94214 failed - No such process
[2008/11/25 14:49:43,  2] lib/messages_local.c:messaging_tdb_send(358)
pid 94214 doesn't exist - deleting messages record
[2008/11/25 14:49:43,  2] lib/messages.c:traverse_fn(127)
pid 94214 doesn't exist - deleting connections -1 []
snip

###-###
... some back ground and config ..
######

$ cat /etc/smb.conf
# Samba config file created using SWAT
# from ##.##.223.72 (##.##.223.72)
# Date: 2008/11/21 16:29:18

[global]
workgroup = UK
realm = UK.DOMAIN.NET
netbios name = myhostname
netbios aliases = MYHOSTNAME
server string = Samba:  version %v, host %h
security = ADS
encrypt passwords = yes
log file = /var/log/samba/log.%m
log level = 10
max log size = 2048
auth methods = winbind
password server = my_password_server.uk.domain.net
max log size = 2048
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
passdb backend = tdbsam
idmap backend = ad
idmap uid = 1-2
idmap gid = 1-2
winbind nss info = rfc2307
winbind separator = +
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/ksh
ldap suffix = dc=uk,dc=domain.net
client use spnego = yes
client signing = yes

[sambatest]
path = /tmp/sambatest
valid users = UK+username
read only = No
writable=yes
browseable=yes
create mask = 0770

[homes]
comment = Home Directories
browseable = no
writeable = yes
create mask = 0640

$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = UK.DOMAIN.NET
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
UK.DOMAIN.NET = {
kdc = my_password_server.uk.domain.net
admin_server = my_password_server.uk.domain.net
default_domain = uk.domain.net
}

[domain_realm]
.uk.domain.net = UK.DOMAIN.NET
uk.domain.net = UK.DOMAIN.NET

$ cat  /usr/lib/security/methods.cfg

WINBIND:
program = /usr/lib/security/WINBIND
options = debug

KRB5A:
program = /usr/lib/security/KRB5A
options = authonly

KRB5Afiles:
options = db=BUILTIN,auth=KRB5A

## WINBIND copied in from /usr/local/samba/sbin
$ ls -l /usr/lib/security/WINBIND
-rwxr-xr-x1 root system  9381212 25 Nov 09:57 /usr/lib/
security/WINBIND

$ grep -p WINBIND /etc/security/user
default:
admin = false
login = true
su = false
daemon = true
rlogin = false
sugroups = ALL
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 027
expires = 0
SYSTEM = WINBIND or compat
logintimes =
pwdwarntime = 0
account_locked = 

Re: [Samba] Samba ADS Error Session setup failed: Call returned zero bytes (EOF)

2008-12-02 Thread Volker Lendecke
On Tue, Dec 02, 2008 at 06:51:31AM -0800, Mark Taylor wrote:
 Sorry for re-posting this one but I got no response to my last post except
 for a level 10 logs request which I uploaded last week. 

The logfile stops at

[2008/11/27 12:16:40,  5] lib/username.c:Get_Pwnam_internals(77)
  Trying _Get_Pwnam(), username as lowercase is uk+myusername

This means it is very likely you have a problem with
winbindd or other more severe system problems. Try a 

getent passwd uk+myusername

or whatever asks the NSS subsystem for the user entry of
uk+myusername. I would suspect that this hangs. If it hangs,
fix the hang and try again. If it does not hang, please send
in the complete log files.

Thanks,

Volker



[Samba] samba + ADS in native mode

2008-10-02 Thread Sergey Pororegnik
Hello, friends.
Before changing the Active Directory Server mode to native mode, user 
authentication doesn't work. In native ADS mode I need to use kerberos.

OS: RHEL 4 (x86)
Samba: 3.0.10-1.4E
Kerberos: 1.3.4-9
Domain controller: Win 2003 ADS in native mode



# more /etc/samba/smb.conf
[global]
   workgroup = DOMAIN
   server string = FTP Server
   netbios name = SRVFTP
   log file = /var/log/samba/%m.log
   log level = 3 auth:5 passdb:5
   max log size = 500
   security = ADS
   realm = CORP.DOMAIN.COM
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   auth methods = winbind
   idmap uid = 1-2
   idmap gid = 1-2
   winbind separator = +
   winbind nested groups = yes
   password server = dc1.domain.local
   case sensitive = no




# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CORP.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 CORP.DOMAIN.COM = {
  kdc = dc1.domain.local:88
  admin_server = dc1.domain.local:749
  default_domain = CORP.DOMAIN.COM
 }

[domain_realm]
 .domain.local = CORP.DOMAIN.COM
 domain.local = CORP.DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }





# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/02/08 10:20:43  10/02/08 20:20:50  krbtgt/[EMAIL PROTECTED]
renew until 10/02/08 20:20:43
10/02/08 10:24:30  10/02/08 20:20:50  [EMAIL PROTECTED]
renew until 10/02/08 20:20:43


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached




# wbinfo -a [EMAIL PROTECTED]
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user [EMAIL PROTECTED] with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user [EMAIL PROTECTED] with challenge/response


# wbinfo -g
and
# wbinfo -u
work correctly.

---
Best regards, Sergey Ivanov.


Re: [Samba] samba + ADS in native mode

2008-10-02 Thread Michael Adam
Hi Sergey,

Sergey Pororegnik wrote:
 Hello, friends.
 Before changing the Active Directory Server mode to native mode, user 
 authentication doesn't work. In native ADS mode I need to use kerberos.
 
 OS: RHEL 4 (x86)
 Samba: 3.0.10-1.4E
 Kerberos: 1.3.4-9
 Domain controller: Win 2003 ADS in native mode

 # wbinfo -a [EMAIL PROTECTED]
 plaintext password authentication failed
 error code was NT_STATUS_NO_SUCH_USER (0xc064)
 error messsage was: No such user
 Could not authenticate user [EMAIL PROTECTED] with plaintext password
 challenge/response password authentication failed
 error code was NT_STATUS_NO_SUCH_USER (0xc064)
 error messsage was: No such user
 Could not authenticate user [EMAIL PROTECTED] with challenge/response

You have set winbind use default domain = yes, so what does
wbinfo -a username give you? And wbinfo -a DOMAIN+username
(where you use your short Domain name not the realm name).

 # wbinfo -g
 and
 # wbinfo -u
 work correctly.

So I assume, you have successfully done net ads join?

Cheers - Michael

PS: You could also consider upgrading. 3.0.10 is quite old.
AD-Support has evolved a lot since that release.

 # more /etc/samba/smb.conf
 [global]
workgroup = DOMAIN
server string = FTP Server
netbios name = SRVFTP
log file = /var/log/samba/%m.log
log level = 3 auth:5 passdb:5
max log size = 500
security = ADS
realm = CORP.DOMAIN.COM
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
auth methods = winbind
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind nested groups = yes
password server = dc1.domain.local
case sensitive = no
 
 
 
 
 # more /etc/krb5.conf
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
  default_realm = CORP.DOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
 
 [realms]
  CORP.DOMAIN.COM = {
   kdc = dc1.domain.local:88
   admin_server = dc1.domain.local:749
   default_domain = CORP.DOMAIN.COM
  }
 
 [domain_realm]
  .domain.local = CORP.DOMAIN.COM
  domain.local = CORP.DOMAIN.COM
 
 [kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf
 
 [appdefaults]
  pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
  }
 
 
 
 
 
 # klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: [EMAIL PROTECTED]
 
 Valid starting     Expires            Service principal
 10/02/08 10:20:43  10/02/08 20:20:50  krbtgt/[EMAIL PROTECTED]
 renew until 10/02/08 20:20:43
 10/02/08 10:24:30  10/02/08 20:20:50  [EMAIL PROTECTED]
 renew until 10/02/08 20:20:43
 
 
 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached
 
 

-- 
Michael Adam [EMAIL PROTECTED]  [EMAIL PROTECTED]
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE



RE: [Samba] samba + ads / user and group update-probem

2008-08-21 Thread Anian Wurzenberger
Hi Volker,
now that we're running winbindd with -n that seems to help. I thought that 
wbinfo would access AD to authenticate when winbindd is running without 
caching, but apparently it doesn't.
Thank you for your help.

Anian 


-Original Message-
From: Volker Lendecke [mailto:[EMAIL PROTECTED] 
Sent: Montag, 18. August 2008 22:34
To: Anian Wurzenberger
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba + ads / user and group update-probem

On Mon, Aug 18, 2008 at 03:41:50PM +0200, Anian Wurzenberger wrote:
 Thank you for your answer. Where should the user log in?
 Into a share? Into an AD-connected Computer?

For example into a share. Anything that makes Samba authenticate against the DC.

Volker

[Samba] samba + ads / user and group update-probem

2008-08-18 Thread Anian Wurzenberger
Hello subscribers,
we have a problem with keeping our group memberships up to date. If we e.g. 
remove a group membership from a user, we don't see any change when trying 
wbinfo -r j.doe or groups j.doe. Even after hours there is no update. We 
also tried restarting smb, nmb, winbindd.

Anyone has an idea?


Some additional info:

samba/winbind-version: 3.2.0-17.fc9

Here is our smb.conf

[global]
winbind cache time = 1m
workgroup = xy-gmbh
netbios name = smbtestfc9
realm = TRANSACT-GMBH.DE
idmap uid = 1-15000
idmap gid = 1-15000
winbind separator = /
winbind use default domain = Yes
security = ADS
encrypt passwords = yes
#Optional. Use only if Samba cannot determine the Kerberos server automatically.
#password server = 192.168.2.50
client use spnego = yes
log level = 3
winbind enum users = yes
winbind enum groups = yes

[test]
comment = test
path = /tmp
browseable = yes
read only = no
guest ok = no
valid users = XY-GMBH/a.someone, XY-GMBH/j.someoneelse, XY-GMBH/m.anotherguy
create mask = 0770
directory mask = 0770

and our krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XY-GMBH.DE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 XY-GMBH.DE = {
  kdc = 192.168.1.11:88
  default_domain = xy-gmbh.de
 }

[domain_realm]
 .transact-gmbh.de = XY-GMBH.DE
 transact-gmbh.de = XY-GMBH.DE

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

# wbinfo -p
Ping to winbindd succeeded

# net ads testjoin
Join is OK

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
08/14/08 15:37:03  08/15/08 01:37:05  krbtgt/[EMAIL PROTECTED]
        renew until 08/15/08 15:37:03


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached



Re: [Samba] samba + ads / user and group update-problem

2008-08-18 Thread Volker Lendecke
On Mon, Aug 18, 2008 at 02:13:10PM +0200, Anian Wurzenberger wrote:
 we have a problem with keeping our group memberships up to
 date. If we e.g. remove a group membership from a user, we
 don't see any change when trying wbinfo -r j.doe or
 groups j.doe. Even after hours there is no update. We
 also tried restarting smb, nmb, winbindd.
 
 Anyone has an idea?

Does it still fail if j.doe logs in? If that one fixes it,
then you see effects of the netsamlogon_cache.tdb.

Volker



RE: [Samba] samba + ads / user and group update-problem

2008-08-18 Thread Anian Wurzenberger
Thank you for your answer. Where should the user log in? Into a share? Into an 
AD-connected Computer?

Anian


-Original Message-
From: Volker Lendecke [mailto:[EMAIL PROTECTED] 
Does it still fail if j.doe logs in? If that one fixes it, then you see effects 
of the netsamlogon_cache.tdb.


Re: [Samba] samba + ads / user and group update-problem

2008-08-18 Thread Volker Lendecke
On Mon, Aug 18, 2008 at 03:41:50PM +0200, Anian Wurzenberger wrote:
 Thank you for your answer. Where should the user log in?
 Into a share? Into an AD-connected Computer?

For example into a share. Anything that makes Samba
authenticate against the DC.

Volker



[Samba] SAMBA + ADS + Kerberos Problem...

2008-07-30 Thread Michael Fernández M
Hi, I am trying to join Samba to ADS with Kerberos + Winbind

Everything is right, I mean, when I do the following:

kinit [EMAIL PROTECTED]

(It asks for the password) and OK.

Then:

debian:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/30/08 16:49:17  07/31/08 02:49:21  krbtgt/[EMAIL PROTECTED]
renew until 07/31/08 02:49:17


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Then:

net ads join -Uadministrator%pass

It is correct, the machine is joined to the AD

getent passwd shows the ADS users...
getent group shows the ADS groups...

wbinfo -t
checking the trust secret via RPC calls succeeded

with:

smbclient //adspc/c\$ -k

it connects to adspc without a password and shows the directories

The Big BUT is:

When I connect with an M$ user with smbclient to a local share on the
samba server I get:

smbclient //localhost/eee/ -Uadministrator

session setup failed: NT_STATUS_ACCESS_DENIED

The  logs show:

[2008/07/30 17:01:32, 5] rpc_parse/parse_prs.c:prs_ntstatus(767)
  001c status  : NT_STATUS_ACCESS_DENIED
[2008/07/30 17:01:32, 10] libsmb/credentials.c:creds_client_check(325)
  creds_client_check: credentials check OK.
[2008/07/30 17:01:32, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1546)
  winbindd_pam_auth: sam_logon returned ACCESS_DENIED.  Maybe the trust
account password was changed and we didn't know it. Killing connections
to domain DOMAIN

When I do:

wbinfo -u: it shows the ADS users BUT does not show the DOMAIN, I mean:

it does not show DOMAIN+ADS_USER, it only shows ADS_USER.
The same with wbinfo -g

Other thing: every time I reset the machine I lose the Kerberos
ticket. This is not normal.

The krb5.conf:

[libdefaults]
default_realm = DOMAIN.CL

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
DOMAIN = {
kdc = 191.9.200.1
admin_server = adspc
default_domain = DOMAIN.CL
}

[domain_realm]
.domain.cl = DOMAIN.CL
 domain.cl = DOMAIN.CL
[login]
krb4_convert = true
krb4_get_tickets = false

-


* smb.conf:

[global]
security = ADS
netbios name = debian
realm = DOMAIN.CL
#username map = /etc/samba/smbusers
encrypt passwords = yes
password server = 191.9.200.1
workgroup = DOMAIN
idmap uid = 1-2
idmap gid = 1-2
ldap ssl = no
log level = 20
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
#domain master = no


* nsswitch.conf

passwd: files winbind
group:  files winbind
shadow: files
hosts:  files dns
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:db files

netgroup:   nis


The /pam.d/ Files..

* common-account

auth sufficient pam_winbind.so
account required pam_unix.so

* common-auth

auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass

* common-password

password   required   pam_unix.so nullok obscure min=4 max=50 md5

* common-session

session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022


Well, I hope somebody can help me with this! I tried to give all the
information.

THANKS!! a LOT!!

Michael.-


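As an added example (not code from the post above or from the Samba project), a small Python parser for Samba 3 debug-log entries in the format quoted above: it rejoins header lines that a mail client wrapped, then flags entries that carry an NT_STATUS error and the winbindd sam_logon ACCESS_DENIED message Samba itself attributes to a changed trust-account password. The sample log lines are constructed from the excerpt in the post.

```python
"""Parse Samba 3 debug-log entries and flag domain-authentication failures.

Samba writes one header line per entry,
    [YYYY/MM/DD HH:MM:SS[.usec], level] source.c:function(line)
followed by one or more message lines. Mail clients often wrap a long
header so that "source.c:function(line)" lands on its own line;
rejoin_wrapped_headers() repairs that before parsing.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]"
    r"\s*(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
BARE_HEADER_RE = re.compile(r"^\[[^\]]*\]\s*$")        # "[date, level]" alone
LOCATION_RE = re.compile(r"^[\w./-]+:\w+\(\d+\)\s*$")   # "file.c:func(123)" alone
NTSTATUS_RE = re.compile(r"\bNT_STATUS_[A-Z_]+\b")


@dataclass
class LogEntry:
    timestamp: str
    level: int
    source_file: str
    function: str
    source_line: int
    message: str = ""

    @property
    def nt_status(self):
        """First NT_STATUS_* code in the message, or None."""
        m = NTSTATUS_RE.search(self.message)
        return m.group(0) if m else None


def rejoin_wrapped_headers(lines):
    """Merge a header that a mail client split across two lines."""
    out, i = [], 0
    while i < len(lines):
        if (BARE_HEADER_RE.match(lines[i]) and i + 1 < len(lines)
                and LOCATION_RE.match(lines[i + 1])):
            out.append(lines[i].rstrip() + " " + lines[i + 1].strip())
            i += 2
        else:
            out.append(lines[i])
            i += 1
    return out


def parse_samba_log(lines):
    """Group raw lines into LogEntry objects; continuation lines are joined."""
    entries, current = [], None
    for raw in rejoin_wrapped_headers(list(lines)):
        m = HEADER_RE.match(raw)
        if m:
            current = LogEntry(m["ts"], int(m["level"]), m["file"],
                               m["func"], int(m["line"]))
            entries.append(current)
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    return entries


def find_auth_failures(entries):
    """Return (kind, timestamp, detail) tuples worth a look.

    'trust-account' marks winbindd's sam_logon ACCESS_DENIED path, which
    Samba's own message attributes to a changed machine trust-account
    password; other findings carry the NT_STATUS code that was logged.
    """
    findings = []
    for e in entries:
        if (e.function.startswith("winbindd_dual_pam_auth")
                and "sam_logon returned" in e.message):
            findings.append(("trust-account", e.timestamp, e.message))
        elif e.nt_status and e.nt_status != "NT_STATUS_OK":
            findings.append((e.nt_status, e.timestamp,
                             f"{e.source_file}:{e.function}"))
    return findings


# Constructed sample, modelled on the excerpt quoted in the post above
# (the third header is deliberately mail-wrapped onto two lines).
SAMPLE_LOG = """\
[2008/07/30 17:01:32, 5] rpc_parse/parse_prs.c:prs_ntstatus(767)
  001c status  : NT_STATUS_ACCESS_DENIED
[2008/07/30 17:01:32, 10] libsmb/credentials.c:creds_client_check(325)
  creds_client_check: credentials check OK.
[2008/07/30 17:01:32, 3]
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1546)
  winbindd_pam_auth: sam_logon returned ACCESS_DENIED.  Maybe the trust
account password was changed and we didn't know it. Killing connections
to domain DOMAIN
"""

if __name__ == "__main__":
    for kind, ts, detail in find_auth_failures(parse_samba_log(SAMPLE_LOG.splitlines())):
        print(f"{ts} {kind}: {detail}")
```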


[Samba] samba ADS and ms licenses

2008-06-23 Thread L.P.H. van Belle
Hi,

A quick question.

I'm running Samba, but I want to use ADS for auth.

I have 1 Windows 2000 (or 2003) available, but without extra licences
(just the default 5 users).

In my current environment I'm having about 70 users.

Now my question.

I want to install Windows 2000 or 2003 and use only the ADS,
install my Samba, connect it with the ADS of Windows.

Now it's all about: my PCs are going to auth against Samba (ADS).
Do I have licensing problems with my MS server or not?
Is this legal?

Louis



 http://www.bazuin.nl 


RE: [Samba] samba ADS and ms licenses

2008-06-23 Thread L.P.H. van Belle
Hi,

I think it's debatable,
because you pay for a licence, per computer or user,
but none of the computers/users (except 1 or 2 for the administrator)
connect to the Windows server; all auth must go through Samba.

I'll go investigate this.

Thanks for the quick answer.

Louis

 

-Original Message-
From: Jakub Zubielik [mailto:[EMAIL PROTECTED] 
Sent: Monday, 23 June 2008 12:24
To: L.P.H. van Belle
Subject: Re: [Samba] samba ADS and ms licenses


 Now it's all about: my PCs are going to auth against Samba (ADS).
 Do I have licensing problems with my MS server or not?
 Is this legal?

According to MS consultant it's not :(

Best regards
JZ





RE: [Samba] samba ADS and ms licenses

2008-06-23 Thread Jakub Zubielik

 I think it's debatable.

I agree.

User accounts are in the Windows directory (point for MS), but they are only
authenticated on the Windows machine, so they don't actually connect to any
shared resources (point for Samba).

Going this way... you can create as many accounts as you wish in ADS,
but if you exceed the max connection limit they just can't connect.
To me it's self-explanatory: if Samba does not hit this limitation
it's OK with MS licensing.


Best regards
JZ




Re: [Samba] samba, ads, winbind and active directory

2008-05-28 Thread Jason Gerfen
That is correct. Some more information so that I might receive some help 
with this.


I can perform the following commands without problem:
wbinfo -t
wbinfo -m
wbinfo -g
wbinfo -u
wbinfo --krb5auth=user%password

I am not able to do the following:
getent group
getent passwd
net use x: \\valhalla\test /user:user (from a windows machine)

Anyone know what I am doing wrong or could perhaps provide some more
insight? I am definitely seeing some things in the logs that I am unsure
how to fix. Any help, pointers etc. are appreciated.


Some log data:
[log.winbindd-idmap]
[2008/05/27 14:20:18, 10] nsswitch/idmap_util.c:idmap_sid_to_uid(125)
  sid [S-1-5-21-2868754479-89028146-2101856903-88475] not mapped to an 
uid [2,1,2885498664]


Contents of my smb.conf
[global]
workgroup = scl
realm = SCL.UTAH.EDU
server string = valhalla.scl.utah.edu
netbios name = valhalla

password server = *
encrypt passwords = true
security = ads

os level = 20

allow trusted domains = no
auth methods = winbind

ldap ssl = no

interfaces = eth0, lo
bind interfaces only = yes
socket options = TCP_NODELAY

log level = 20
log file = /var/log/samba3/log.%m
max log size = 50

client signing = yes
client schannel = no
client use spnego = yes

preferred master = no
local master = no
domain master = no
wins proxy = no
dns proxy = No

template shell = /bin/bash
nt acl support = yes
inherit permissions = yes
create mask = 0775
template homedir = /home/%U

winbind uid = 1000-200
winbind gid = 500-200
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind offline logon = true
winbind nss info = sfu

idmap uid = 1000-200
idmap gid = 500-200
idmap domains = THEDOMAIN
idmap config THEDOMAIN:backend = ad
idmap config THEDOMAIN:default = yes
idmap config THEDOMAIN:schema_mode = rfc2307
idmap config THEDOMAIN:range = 1000 - 3


printcap name = cups
printing = cups
load printers = yes
cups options = raw
print command =
lpq command = %p
lprm command =

[test]
comment = testing
browsable = yes
read only = yes
create mode = 0644
path = /home/jason

David Molina Cuevas wrote:

Do you not get any result for a 'getent passwd', and yes for 'wbinfo -u' ?
I think I had the same problem before, I'll try to remember it.

David Molina


On Tue, May 27, 2008 at 3:25 PM, Jason Gerfen [EMAIL PROTECTED]
wrote:


I can enumerate users and groups from the domain but I cannot authenticate
the users.

Any help?

--
Jas






--
Jas
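The log.winbindd-idmap line and smb.conf above show a SID that winbind could not map to a uid. As an added example (not Jason's code or Samba's), here is a Python lint for the idmap/winbind parameters of a [global] section: it catches empty LOW-HIGH ranges, an `idmap config` domain name that does not match the workgroup while `allow trusted domains = no`, and an `ad` backend without an rfc2307/sfu schema mode. The sample smb.conf is constructed in the shape of the one posted, with made-up range values.

```python
"""Lint the winbind/idmap settings of a Samba 3 smb.conf [global] section.

Added example, not from the thread above. It targets configuration mistakes
that commonly end in "sid [...] not mapped to an uid" in log.winbindd-idmap:
an unusable LOW-HIGH range, an "idmap config DOMAIN:" block whose DOMAIN is
not the domain winbind actually serves, and an "ad" backend without an
rfc2307/sfu schema mode to read uidNumber/gidNumber from.
"""
import re

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
IDMAP_CFG_RE = re.compile(r"^idmap config ([^:]+):(\S+)$")
NO_VALUES = ("no", "false", "0")


def parse_global(text):
    """Return {parameter: value} for [global]; names lowercased, spaces squeezed."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comments are whole lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_range(value):
    """'1000-20000' -> (1000, 20000); None when the value is not LOW-HIGH."""
    m = RANGE_RE.match(value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_range(name, value, problems):
    rng = parse_range(value)
    if rng is None:
        problems.append(f"{name}: '{value}' is not of the form LOW-HIGH")
    elif rng[0] >= rng[1]:
        problems.append(f"{name}: range {rng[0]}-{rng[1]} is empty (LOW >= HIGH)")


def lint_idmap(params):
    problems = []
    workgroup = params.get("workgroup", "").upper()
    trusted = params.get("allow trusted domains", "yes").lower() not in NO_VALUES

    for name in ("idmap uid", "idmap gid", "winbind uid", "winbind gid"):
        if name in params:
            check_range(name, params[name], problems)

    # Collect "idmap config DOMAIN:key = value" into {DOMAIN: {key: value}}.
    domains = {}
    for key, value in params.items():
        m = IDMAP_CFG_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value

    for dom, cfg in domains.items():
        # With trusted domains disabled, only the server's own domain (the
        # workgroup) or "*" can be meant; any other name leaves the real
        # domain on the default idmap uid/gid backend.
        if dom not in ("*", workgroup) and not trusted:
            problems.append(f"idmap config {dom}: domain does not match "
                            f"workgroup '{workgroup}' and trusted domains are off")
        if "range" in cfg:
            check_range(f"idmap config {dom}:range", cfg["range"], problems)
        if (cfg.get("backend", "").lower() == "ad"
                and cfg.get("schema_mode", "").lower() not in ("rfc2307", "sfu")):
            problems.append(f"idmap config {dom}: backend ad needs "
                            "schema_mode = rfc2307 or sfu")
    return problems


def lint_text(text):
    return lint_idmap(parse_global(text))


# Constructed sample in the shape of the smb.conf posted above; the numeric
# ranges are made up, and THEDOMAIN is kept as the mismatch to be found.
SAMPLE_SMB_CONF = """\
[global]
workgroup = scl
realm = SCL.UTAH.EDU
security = ads
allow trusted domains = no
winbind uid = 1000-20000
winbind gid = 500-20000
idmap uid = 1000-20000
idmap gid = 500-20000
idmap domains = THEDOMAIN
idmap config THEDOMAIN:backend = ad
idmap config THEDOMAIN:default = yes
idmap config THEDOMAIN:schema_mode = rfc2307
idmap config THEDOMAIN:range = 1000 - 30000

[test]
path = /home/jason
"""

if __name__ == "__main__":
    for p in lint_text(SAMPLE_SMB_CONF):
        print("WARNING:", p)
```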


Re: [Samba] samba, ads, winbind and active directory

2008-05-27 Thread David Molina Cuevas
Do you not get any result for a 'getent passwd', and yes for 'wbinfo -u' ?
I think I had the same problem before, I'll try to remember it.

David Molina


On Tue, May 27, 2008 at 3:25 PM, Jason Gerfen [EMAIL PROTECTED]
wrote:

 I can enumerate users and groups from the domain but I cannot authenticate
 the users.

 Any help?

 --
 Jas



Re: [Samba] SAMBA ADS integration - windows user account rights

2007-12-19 Thread Eric Roseme



Bert Verhaeghe wrote:

Hi all,

first of all is it possible to join a Linux machine to AD using a
windows user account that is not a member of the group Domain Admins?
Cause when I do this I get the following error while executing `net ads
join -d 3 -U syncuser`: 


#net ads join -d 3 -U  syncuser
[...]
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
Failed to join domain!

[2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1


But when the user is added to the Domain Admins group, the join is
successful.

And if the latter is possible, which permissions should the windows user
account have? 


Thx in advance

bert



Hi Bert,

I do not know about the Domain Admins group angle, but if you want to 
know what the minimal user rights necessary for a net ads join are, 
then this whitepaper explains it.  It says HP CIFS Server, but holds 
true for Opensource Samba as well.


http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

Eric Roseme
Hewlett-Packard




[Samba] SAMBA ADS integration - windows user account rights

2007-12-18 Thread Bert Verhaeghe
Hi all,

first of all is it possible to join a Linux machine to AD using a
windows user account that is not a member of the group Domain Admins?
Cause when I do this I get the following error while executing `net ads
join -d 3 -U syncuser`: 


#net ads join -d 3 -U  syncuser
[2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)  lp_load:
refreshing parameters
[2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)
Initialising global parameters 
[2007/12/11 13:47:12, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file
/etc/samba/smb.conf
[2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing
section [global] 
[2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added
interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0 
octopussync's password: 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)
get_dc_list: preferred server list: , DC
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)
resolve_lmhosts: Attempting lmhosts lookup for name DC0x20 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)
resolve_wins: Attempting wins lookup for name DC0x20
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
resolve_wins: WINS server resolution selected and no WINS servers
listed. 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)
resolve_hosts: Attempting host lookup for name DC0x20
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
LDAP server 10.0.0.1
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)
ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found) 
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Tue, 11 Dec 2007 23:47:05 UTC
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
Connecting to host= DC.domain.local
[2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting
to 10.0.0.1 at port 445
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session
setup (blob length=107) 
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2 3 
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1
311 2 2 10
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc
[EMAIL PROTECTED]
[2007/12/11 13:47:17, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
session setup
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Tue, 11 Dec 2007 23:47:05 UTC 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c
bind request returned ok.
[2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
lsa_io_sec_qos: length c does not match size 8 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a
bind request returned ok.
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
Failed to join domain!
[2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1


But when the user is added to the Domain Admins group, the join is
successful.

And if the latter is possible, which permissions should the windows user
account have? 

Thx in advance

bert




Re: [Samba] SAMBA ADS integration - windows user account rights

2007-12-18 Thread Aaron J. Zirbes
You may be running into this issue:

http://support.microsoft.com/kb/251335

--
Aaron


Bert Verhaeghe wrote:
 Hi all,
 
 first of all is it possible to join a Linux machine to AD using a
 windows user account that is not a member of the group Domain Admins?
 Cause when I do this I get the following error while executing `net ads
 join -d 3 -U syncuser`: 
 
 
 #net ads join -d 3 -U  syncuser
 [...]
 Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
 Failed to join domain!
 [2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1
 
 
 But when the user is added to the Domain Admins group, the join is
 successful.
 
 And if the latter is possible, which permissions should the windows user
 account have? 
 
 Thx in advance
 
 bert
 
 


Re: [Samba] Samba/ADS Question

2007-10-21 Thread Chris Nighswonger
Any further word on this for me?

tnx.

On 10/11/07, Chris Nighswonger [EMAIL PROTECTED] wrote:
 On 10/11/07, simo [EMAIL PROTECTED] wrote:
  Are you using pam_winbindd to log in?

 I think so... (I'm very new to samba and have been following docs and
 tutorials...)

 Here is the output of a grep through the pam.d files:

 [EMAIL PROTECTED] cnighswonger]# grep -E pam_winbind.so /etc/pam.d/*
 /etc/pam.d/system-auth:auth        sufficient    pam_winbind.so use_first_pass
 /etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
 /etc/pam.d/system-auth:password    sufficient    pam_winbind.so use_authtok
 /etc/pam.d/system-auth-ac:auth     sufficient    pam_winbind.so use_first_pass
 /etc/pam.d/system-auth-ac:account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
 /etc/pam.d/system-auth-ac:password sufficient    pam_winbind.so use_authtok

  If so you can configure /etc/security/pam_winbind.conf to use krb5_auth
  = yes and krb5_ccache_type = FILE, this would store your kerberos
  credentials so that libsmbclient should be able to pick them up when
  browsing servers and use them.

 I uncommented these two lines in pam_winbind.conf and then restarted
 nmbd, smbd, and winbindd. After logging back in, I am still prompted
 when browsing to windows shares.

 Maybe I am not really using pam_winbindd after all?

 Thanks for the help.

 Regards,
 Chris



-- 
Chris Nighswonger
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
www.fbcradio.org
[EMAIL PROTECTED]
V:910-892-8761
C:919-820-5473


[Samba] Samba/ADS Question

2007-10-11 Thread Chris Nighswonger
I have successfully joined a Fedora7 client to a W2K AD domain.
Everything thus far works as it should. All of my ADS members can log
onto the machine, etc. However, when using Nautilus to browse the
network, Windows shares are visible, but the user is always prompted
for authentication regardless of the permissioning on the windows
share. It appears that samba is using the guest account to attempt the
access. I cannot seem to get Google to turn up anything significant on
this one. Any help is appreciated.

Regards,
Chris


Re: [Samba] Samba/ADS Question

2007-10-11 Thread simo
On Thu, 2007-10-11 at 11:59 -0400, Chris Nighswonger wrote:
 I have successfully joined a Fedora7 client to a W2K AD domain.
 Everything thus far works as it should. All of my ADS members can log
 onto the machine, etc. However, when using Nautilus to browse the
 network, Windows shares are visible, but the user is always prompted
 for authentication regardless of the permissioning on the windows
 share. It appears that samba is using the guest account to attempt the
 access. I cannot seem to get Google to turn up anything significant on
 this one. Any help is appreciated.

Are you using pam_winbindd to log in?
If so you can configure /etc/security/pam_winbind.conf to use krb5_auth
= yes and krb5_ccache_type = FILE, this would store your kerberos
credentials so that libsmbclient should be able to pick them up when
browsing servers and use them.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer [EMAIL PROTECTED]
Senior Software Engineer at Red Hat Inc. [EMAIL PROTECTED]



Re: [Samba] Samba/ADS Question

2007-10-11 Thread Chris Nighswonger
On 10/11/07, simo [EMAIL PROTECTED] wrote:
 Are you using pam_winbindd to log in?

I think so... (I'm very new to samba and have been following docs and
tutorials...)

Here is the output of a grep through the pam.d files:

[EMAIL PROTECTED] cnighswonger]# grep -E pam_winbind.so /etc/pam.d/*
/etc/pam.d/system-auth:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/system-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/system-auth-ac:auth     sufficient    pam_winbind.so use_first_pass
/etc/pam.d/system-auth-ac:account  [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:password sufficient    pam_winbind.so use_authtok

 If so you can configure /etc/security/pam_winbind.conf to use krb5_auth
 = yes and krb5_ccache_type = FILE, this would store your kerberos
 credentials so that libsmbclient should be able to pick them up when
 browsing servers and use them.

I uncommented these two lines in pam_winbind.conf and then restarted
nmbd, smbd, and winbindd. After logging back in, I am still prompted
when browsing to windows shares.

Maybe I am not really using pam_winbindd after all?

Thanks for the help.

Regards,
Chris


[Samba] Samba ADS join dropping after reboot?

2007-09-05 Thread Joel
Hi all, I've been searching around and asking in IRC to no avail to
solve this problem, and I don't know how to go about fixing it.  I
recently finally got my Ubuntu 7.04 computer joined to a Windows 2k3
server via samba/winbind/kerberos, mainly with the assistance of
SADMS.  I've also got PAM set up to authenticate users.  It works
great - I can issue a net ads join -U:Administrator and it'll go
through successfully, and afterwards I can log out, or issue a login
prompt, and login as an ADS domain user.
That part all works just fine, and things are great when I'm joined to
the domain.  But if I reboot, my machine drops the domain membership,
and so I can't login as a domain user with PAM (presumably because I'm
not joined to the domain).  If I log in as a local user and re-join
the domain, things work just fine.

What do I need to do to get my machine to either stay joined to the
domain, or at least join on start up?  Is there anything I'm missing?


[Samba] SAMBA ADS to NIS mapping

2007-07-05 Thread Barry Dowell
I am working in an environment with an HP-UX NIS that my Red Hat ES 4.x
system is using for Unix access controls.

My Red Hat system is serving as an NFS server for the HP-UX users who also
could be Windows users coming from a Windows Server 2003 active directory.

I have tested some configurations of SAMBA using winbind, but I don't get
the results I want.  What happens when using winbind (via authconfig) is
that if I have the template directory for homedir configured as per below,
the home directory must be owned by REALM\user, rather than mapping over to
the NIS user owned directory in the same location.  For now, I've disabled
winbind since we don't actually have need for it outside of helping to map
usernames from Windows ADS to Unix NIS (if we are actually supposed to use
it there).

What I want to have happen is that REALM\username maps over to a user from
the NIS.  As an example, what I am expecting is that I need to have an
smbpasswd file that includes all of the users from my NIS.  I have done that
via instructions taken from
http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/custom-guide/s1-samb
a-configuring.html that instruct to do:

ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd


I have set username map = /etc/samba/smbusers  and have added a few specific
users (for testing) to the mapping there with unixname = windowsname  for
the users I am testing on.


The Red Hat server has been joined to the Windows domain, kerberos is
working fine, and when I have winbind running I can successfully use wbinfo
-g or wbinfo -u to dump the group or user names.  (Though I have winbind off
at the moment).

Again though, what I really want to have happen is for windows usernames to
be mapped over to NIS usernames so that when a Windows user attempts to
access their home directory they will be able to.


Anyone able to help clear up my confusion here and point me in the proper
direction to have names from one side mapped to names on the other side?




Snippets from smb.conf
[global]
   security = ADS
   username map = /etc/samba/smbusers

# WINBIND stuff
   template homedir = /exports/home/%u
   template shell = /bin/bash

# Share Definitions
==
#   idmap uid = 16777216-33554431
#   idmap gid = 16777216-33554431
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   password server = WINDOWSPASSWORDSERVER
   realm = REALM
#   winbind use default domain = no



Thanks in advance!


Bcd




RE: [Samba] SAMBA ADS to NIS mapping

2007-07-05 Thread Barry Dowell
 
D'oh!  I think I have things figured out actually, but have a remaining
issue to unburden if someone is able to help.

First, the username mapping (without winbind in effect) seems to be working
for me now.  I had thought it wasn't functioning properly because when I
browsed to \\sambaserver I would see my named folder (home directory there)
showing up, but couldn't access same.

I was not paying enough attention to see that the real problem there is that
samba was trying to map my home folder based on the path noted in the NIS (
which is just /home/username ) rather than the path that the samba server is
using to get there currently ( /exports/home/username )

I updated the path under the [homes] tag in the samba.conf to get that
resolved and woohoo! Things work there now.


But, I'm left with a final issue, or what I think is a final issue.

My Windows names typically do not exactly match the Unix usernames.  As an
example I have users in Windows in the following format:
FirstInitialMiddleInitialLastname  so Joe The User would be JTUSER.  Over on
Unix I have that same user as JUSER.

During earlier testing, even with the smbusers file noting that juser =
REALM\jtuser jtuser  the mapping that samba was doing for the home directory
always seemed to be attempting to go to a folder named after the windows
user, rather than one named after the NIS username.

How do I make sure that the home directory that is shown is the properly
named NIS username folder, rather than one that doesn't exist (the longer
windows named folder)?


Thanks in advance again for helping to clear this all up for me.


Bcd




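The name mapping Barry is asking about, as an added example (not Samba's code and not from the thread): a Python resolver that applies the 'username map' rules from the smb.conf man page to an smbusers-style file, maps REALM\jtuser to juser, and then expands the %u of template homedir = /exports/home/%u, which shows why an unmapped Windows name ends up in a home path that does not exist. The sample map file is constructed and the bdowell entry is hypothetical.

```python
"""
Resolve Windows logon names through a Samba 'username map' file and show
which directory a 'template homedir = /exports/home/%u' then points at.

Added example, not Samba's own code. Rules follow the smb.conf man page:
'unixname = winname1 winname2 ...', '#'/';' comment lines, a leading '!'
stops processing once that line matched, '*' matches any name, names with
spaces are double-quoted, and matching is case-insensitive. '@group'
entries need NSS group lookups and are skipped here.
"""
import re
from typing import List, Tuple

# Constructed /etc/samba/smbusers as described in the thread: Joe The User
# is JTUSER (REALM\jtuser) on Windows but juser in NIS. The bdowell line is
# hypothetical and only shows a quoted name containing a space.
SAMPLE_SMBUSERS = r"""
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
!juser = REALM\jtuser jtuser
bdowell = "REALM\Barry Dowell" bdowell
"""

# From the [global] section posted in the thread.
TEMPLATE_HOMEDIR = "/exports/home/%u"

# A double-quoted name (may contain spaces) or a bare whitespace-free token.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

MapEntry = Tuple[str, List[str], bool]  # (unixname, windows names, stop)


def parse_username_map(text: str) -> List[MapEntry]:
    """Parse the map file into entries in file order."""
    entries: List[MapEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, _, win = line.partition("=")
        unix = unix.strip()
        stop = unix.startswith("!")
        if stop:
            unix = unix[1:].strip()
        names = [q or b for q, b in _TOKEN_RE.findall(win)]
        entries.append((unix, [n for n in names if n], stop))
    return entries


def map_username(presented: str, entries: List[MapEntry]) -> str:
    """Mimic smbd's lookup: every line is tried in order against the
    current name; a match replaces the name, and a '!' line ends the
    search. Unmatched names come back unchanged (the failure mode in the
    thread: the Windows name then leaks into %u)."""
    name = presented
    for unix, winnames, stop in entries:
        hit = False
        for w in winnames:
            if w.startswith("@"):
                continue  # group membership test not implemented here
            if w == "*" or w.lower() == name.lower():
                hit = True
                break
        if hit:
            name = unix
            if stop:
                break
    return name


def home_dir(presented: str, entries: List[MapEntry],
             template: str = TEMPLATE_HOMEDIR) -> str:
    """Expand %u with the mapped (Unix) name, as the [homes] path would."""
    return template.replace("%u", map_username(presented, entries))


if __name__ == "__main__":
    m = parse_username_map(SAMPLE_SMBUSERS)
    for who in ("REALM\\jtuser", "JTUSER", "REALM\\Barry Dowell", "REALM\\xyz"):
        print(f"{who:22} -> {map_username(who, m):10} home={home_dir(who, m)}")
```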

Re: [Samba] Samba: ads join to win2003 AD.

2007-06-12 Thread s_aiello
On Monday 11 June 2007 10:57, [EMAIL PROTECTED] wrote:

If no one has any ideas on this, does anyone know of any commercial support 
offered for Samba/AD integration? I was looking for someone with in-depth 
knowledge and experience with Samba and AD integration. Now I looked at the 
samba.org Commercial Support page, and the data contained there appears old 
(confirmed with the samba list maintainer that the US list was updated 3 years 
ago). So my question: can anyone refer me to anyone they know that offers 
commercial grade support? Location would be North East United States, ideally 
Connecticut or upstate New York.

~Steve


Re: [Samba] Samba: ads join to win2003 AD.

2007-06-12 Thread George Farris
On Tue, 2007-12-06 at 11:57 -0400, [EMAIL PROTECTED] wrote:
 
  I perform the following commands:
  kinit [EMAIL PROTECTED]
  net -d3 ads [EMAIL PROTECTED]
 

Shouldn't this be: net ads join [EMAIL PROTECTED] ?

Looks like you forgot the join keyword.





Re: [Samba] Samba: ads join to win2003 AD.

2007-06-12 Thread s_aiello
On Tuesday 12 June 2007 12:30, George Farris wrote:
 On Tue, 2007-12-06 at 11:57 -0400, [EMAIL PROTECTED] wrote:
   I perform the following commands:
   kinit [EMAIL PROTECTED]
   net -d3 ads [EMAIL PROTECTED]

 Shouldn't this be  net ads join [EMAIL PROTECTED]

 Looks like you forgot the join key word.

Typo, I do do a net ads join


Re: [Samba] Samba: ads join to win2003 AD.

2007-06-12 Thread Gerald (Jerry) Carter
[EMAIL PROTECTED] wrote:

 [2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
   rpc_pipe_bind: Remote machine domainController pipe \samr fnum 0xd bind
 request returned ok.
 Failed to set password for machine account (NT_STATUS_WRONG_PASSWORD)
 Failed to join domain!
 [2007/06/11 10:22:50, 2] utils/net.c:main(988)
   return code = -1


 If no one has any ideas on this, does anyone know of 
 any commercial support  offered for Samba/AD integration.

Steve,

What version of the MIT krb5 libs ships with RH 3?  It
was 1.2, right?  There's a known bug with the DES session
keys and schannel connections.  My suggestion is to
install a newer version of the krb5 libs in something
like /opt/krb5 and compile Samba against that.

Sorry.  I'm afraid I never went back and solved the
DES session issue after rewriting the join code in 3.0.23.
You'll be happier with libs that have RC4-HMAC support
anyways. :-)




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] Samba: ads join to win2003 AD.

2007-06-11 Thread s_aiello
All,

I have a RedHat Enterprise 3 update 5 server. This server has the rpm binaries 
provided from a link off the samba.org site. I am attempting to join the AD 
tree, and getting the error, NT_STATUS_WRONG_PASSWORD. 

smb.conf:
[global]
workgroup = REMOVEME
realm=REALM
security = ADS
preferred master = no
bind interfaces only = yes
interfaces = eth0
admin users = @REMOVEME+Admin
log level = 1
use spnego = yes
client use spnego = yes
encrypt passwords = yes
deadtime = 15
local master = no
prefered master = no
socket options = TCP_NODELAY
idmap uid = 4-25
idmap gid = 4-25
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = no
winbind trusted domains only = yes
disable netbios = yes
password server=domainController
wins server = a1.a2.a3.a4 b1.b2.b3.b4
[temp]
path = /tmp
valid users = @REMOVEME+Admin
public = no
writeable = yes
create mode = 770
directory mode = 770
force user = nobody
force group = nobody

I perform the following commands:
kinit [EMAIL PROTECTED]
net -d3 ads [EMAIL PROTECTED]

And I see the following:
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/06/11 10:22:49, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Mon, 
11 Jun 2007 20:22:48 EDT
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_start_connection(1426)
  Connecting to host=domainController
[2007/06/11 10:22:49, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 3.170.65.210 at port 445
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(721)
  Doing spnego session setup (blob length=117)
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
  got OID=1 2 840 48018 1 2 2
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
  got OID=1 2 840 113554 1 2 2
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
  got OID=1 2 840 113554 1 2 2 3
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(746)
  got OID=1 3 6 1 4 1 311 2 2 10
[2007/06/11 10:22:49, 3] libsmb/cliconnect.c:cli_session_setup_spnego(754)
  got [EMAIL PROTECTED]
[2007/06/11 10:22:49, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546)
  Doing kerberos session setup
[2007/06/11 10:22:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration 
Mon, 11 Jun 2007 20:22:49 EDT
[2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine domainController pipe \lsarpc fnum 0xc00f bind 
request returned ok.
[2007/06/11 10:22:50, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
  lsa_io_sec_qos: length c does not match size 8
[2007/06/11 10:22:50, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine domainController pipe \samr fnum 0xd bind 
request returned ok.
Failed to set password for machine account (NT_STATUS_WRONG_PASSWORD)
Failed to join domain!
[2007/06/11 10:22:50, 2] utils/net.c:main(988)
  return code = -1

The line, lsa_io_sec_qos: length c does not match size 8, seems like 
something is funky with my machine trust password. Guessing there is an 
issue with encrypting/decrypting it, or password policy enforcers on the 2003 
AD server are rejecting the password. Just guessing though. Any ideas or 
thoughts are most welcome.

~Steve


[Samba] Samba+ADS+groups32 = broken Samba

2007-04-03 Thread Andrew Stewart

I've got a strange problem with certain Active Directory user accounts that
are members of more than 32 groups.  It seems that Samba (or winbind?)
completely ignores extended groups if it crosses over 32 groups.

This seems to be a Samba specific issue;

* When the AD user logs in via ssh, it can perform writes to the
resource; the same user browsing via Samba will get an Access Denied
error.

* Additionally, same user, same groups, same resource, writes will occur if
it uses vsftpd, writes won't if it's through Samba.

* If the primary group is changed to the group of the resource, the user can
write via Samba; however if the primary group is something else yet the user
is a member of the resource group in extended groups, Access Denied again.


Everything works perfectly.  Winbind is returning all the proper users and
groups of AD.

This is debian-sarge.  Samba 3.0.14a-3sarge4.  Kernel 2.6.20.  Windows
Server 2000 SP4 - Active Directory.

Any help is greatly appreciated.

smb.conf:

[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = XYZ
realm = XYZ.LOCAL
netbios name = A-WHITEWATER
netbios aliases =
netbios scope =
server string = 
interfaces =
bind interfaces only = No
security = ADS
auth methods = winbind
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = No
hosts equiv =
min password length = 5
map to guest = Never
null passwords = No
obey pam restrictions = Yes
password server = xxx.xxx.xxx.yyy
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = smbpasswd
algorithmic rid base = 1000
root directory =
guest account = nobody
enable privileges = No
pam password change = No
passwd program =
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
check password script =
username map =
password level = 0
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = Yes
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
preload modules =
use kerberos keytab = No
log level = 3
syslog = 1
syslog only = No
log file = /var/log/samba/%m
max log size = 0
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 445 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = host bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = No
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
change notify timeout = 60
deadtime = 0
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
socket options = TCP_NODELAY
use mmap = Yes
hostname lookups = Yes
name cache timeout = 660
load printers = No
printcap cache time = 0
printcap name =
cups server =
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
stat cache = Yes
machine password timeout = 604800
add user script =
delete user script =
add group script =
delete group script =
add user to group script =
delete user from group script =
set primary group script =
add machine script =
shutdown script =
abort shutdown script =
logon script =
logon path = \\%N\%U\profile
logon drive =
logon home = \\%N\%U
domain logons = No
os level = 20
lm announce = Auto
lm interval = 60
preferred master = No
local master = No
domain master = No
browse list = Yes
enhanced browsing = 

[Samba] Samba ADS domain member issues

2007-01-12 Thread Chris Robinson

This is a repost.

Hi, I am having problems configuring my Centos 4 server as an ADS domain 
member of our 2003 AD.  I've followed the instructions on samba.org and 
did quite a bit of Google'ing and haven't found an answer to the problems.
Basically I used the configuration illustrated in this section of the 
howto, and of course a number of other suggestions I've found along the way: 


http://us3.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm

Here's the installed software versions:
rpm -qa | grep samba
samba-common-3.0.10-1.4E
samba-swat-3.0.10-1.4E.9
samba-client-3.0.10-1.4E
samba-3.0.10-1.4E.9

rpm -qa | grep krb5
krb5-libs-1.3.4-33
krb5-devel-1.3.4-33
pam_krb5-2.1.8-1
krb5-workstation-1.3.4-33


What happens is that I am able to join the domain successfully:
net ads join -U Administrator%pass
[2006/12/12 19:16:25, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for development already exists - 
modifying old account

Using short domain name -- B2LLC
Joined 'DEVELOPMENT' to realm 'B2LLC.LOCAL'

As far as the tests from the article go:
*wbinfo -u, and wbinfo -g seem to work fine
*getent passwd and getent group don't work as described in the 
article.  They simply list my local users.  I have gotten it to work by 
modifying krb5.conf, but I can't seem to find the magic configuration 
for that as it seems to be touch and go.

*net ads info and net ads status -UAdministrator% both work fine

*When I go to one of my domain controllers I can see the computer 
listed, but when I try to manage it and click on the shares I get a "You 
do not have permissions to see the list of shares from Windows clients" 
error.
*When I try to browse to the machine from one of the computers on the 
domain it simply prompts me for a password dialog, and none of the 
domain or machine passwords work.
*When I check the errors for the IP address of the computer I tried it 
from I usually get one of these two errors:

[2006/12/12 17:44:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username B2LLC\crobin01 is invalid on this system
[2006/12/12 17:44:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!

I've tried the exact same configuration files on multiple machines and I 
seem to get different results depending on the server even though they 
all run Centos 4 (although there could be some dot level version 
differences, I do use their most updated Samba and Kerberos packages).  
I have one machine that the config files are actually working on, 
although the rights don't work the way I would expect them to work...not 
a big deal though for my needs.


Any help would be greatly appreciated.  If I've been going down the 
wrong path altogether I'm more than happy to RTFM if someone would be so 
kind to point me in the right direction.  Thanks very much for any 
assistance.



[Samba] Samba ADS domain member issues

2006-12-12 Thread Chris Robinson
Hi, I am having problems configuring my Centos 4 server as an ADS domain 
member of our 2003 AD.  I've followed the instructions on samba.org and 
did quite a bit of Google'ing and haven't found an answer to the problems. 

Basically I used the configuration illustrated in this section of the 
howto, and of course a number of other suggestions I've found along the way:

http://us3.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm

Here's some of the details of my config:
rpm -qa | grep samba
samba-common-3.0.10-1.4E
samba-swat-3.0.10-1.4E.9
samba-client-3.0.10-1.4E
samba-3.0.10-1.4E.9

rpm -qa | grep krb5
krb5-libs-1.3.4-33
krb5-devel-1.3.4-33
pam_krb5-2.1.8-1
krb5-workstation-1.3.4-33


What happens is that I am able to join the domain successfully:
net ads join -U Administrator%bVoIPrules2
[2006/12/12 19:16:25, 0] libads/ldap.c:ads_add_machine_acct(1368)
 ads_add_machine_acct: Host account for development already exists - 
modifying old account

Using short domain name -- B2LLC
Joined 'DEVELOPMENT' to realm 'B2LLC.LOCAL'

As far as the tests from the article go:
wbinfo -u, and wbinfo -g seem to work fine
getent passwd and getent group don't work as described in the 
article.  They simply list my local users.

net ads info and net ads status -UAdministrator% both work fine

When I go to one of my domain controllers I can see the computer 
listed, but when I try to manage it and click on the shares I get a "You 
do not have permissions to see the list of shares from Windows clients" 
error. 

When I try to browse to the machine from one of the computers on the 
domain it simply prompts me for a password dialog, and none of the 
domain or machine passwords work.
When I check the errors for the IP address of the computer I tried it 
from I usually get one of these two errors:

[2006/12/12 17:44:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
 Username B2LLC\crobin01 is invalid on this system
[2006/12/12 17:44:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
 Failed to verify incoming ticket!

Any help would be greatly appreciated.  If I've been going down the 
wrong path altogether I'm more than happy to RTFM if someone would be so 
kind to point me in the right direction.  Thank you.




Re:[Samba] Samba ads not refreshing domain controller group modifications

2006-08-01 Thread fiscutean . b
thanks for the answer

you are right  .. it is a domain controller in 2003 with a forest and 5 
domains in it ... I set up the winbind cache to 1 earlier (I thought that 
would be the problem) but the same result .. not refreshing domain 
controller group modifications 

_
Bogdan Fiscutean - Network Administrator
Contor Zenner  S.A.
Calea Bodrogului  2-4
2900 Arad, Romania
Office Phone: +40 257 208521
Company Fax: +40 257 208555
Mobile: +40 728105043
mailto:[EMAIL PROTECTED]
http://www.contorgroup.ro
_


Re:[Samba] Samba ads not refreshing domain controller group modifications

2006-07-31 Thread [EMAIL PROTECTED]
 Hello

Hi

 My problem can be described in the following way.
 - getent group and getent passwd work well , when I add or delete
 a user from one group the modification is displayed with getent
 - I chown user:group over a file in samba the user from that group
 can access it
 - BUT when I delete the user from the group in my DC, he/she can
 still access the share even after 24 hours until I restart samba and winbind
 - after restart he/she is denied access to the share according to
 group

 Can anyone give me a tip ?

 Thanks in advance for any answer

I think it's a winbind cache problem.
Try to set
winbind cache time = 10
in your global conf and restart.
winbind then caches replies from the AD server for only 10 seconds.
If your AD is a forest with multiple domains the situation is different: the GC 
caches replies from other domains and I don't know how to solve this. It's my 
problem.
Bye.




Re:[Samba] Samba ads not refreshing domain controller group modifications

2006-07-31 Thread [EMAIL PROTECTED]
It's my problem too.
I tried many configurations with samba and GC, but nothing.
It took about 12 hours to refresh group membership.
A workaround is to create a local domain group in the forest GC, and nest groups from 
the child domains.
But it's not what I want ...

 thanks for the answer

 you are right  .. it is a domain controller in 2003 with a forest and 5
 domains in it ... I set up the winbind cache to 1 earlier (I thought that
 would be the problem) but the same result .. not refreshing domain
 controller group modifications





[Samba] Samba ads not refreshing domain controller group modifications

2006-07-29 Thread fiscutean . b
Hello
 
I have a big problem with samba and windows 2003 ads.
I have a DC in win 2003 and centos4.3 with samba ADS.
Registration of samba in ads has gone well, kinit gives no error and also
net ads join worked well.
I can access shares based on the user in my DC, I am not using ACL, only
the permissions in the system and DC.
My problem can be described in the following way.
- getent group and getent passwd work well; when I add or delete
a user from one group the modification is displayed with getent
- I chown user:group over a file in samba and the user from that group
can access it
- BUT when I delete the user from the group in my DC, he/she can
still access the share even after 24 hours until I restart samba and winbind
- after restart he/she is denied access to the share according to group

Someone says that it could be from my DC but I installed a new DC and a
new CentOS 4.3 connected over a crossover cable without any policy and got the
same problem.
Last year I had a DC with 2000 server and it worked, any modification was
refreshed in samba in 2-3 minutes.

Can anyone give me a tip?

Thanks in advance for any answer



[Samba] Samba ads not refreshing domain controller group modifications

2006-07-29 Thread fiscutean . b
Hello
 
I have a big problem with samba 3.0.10 (checked also with 3.0.22) and
windows 2003 ads.
I have a DC in win 2003 and centos4.3 with samba ADS.
Registration of samba in ads has gone well, kinit gives no error and also
net ads join worked well.
I can access shares based on the user in my DC, I am not using ACL, only
the permissions in the system and DC.
My problem can be described in the following way.
- getent group and getent passwd work well; when I add or delete
a user from one group the modification is displayed with getent
- I chown user:group over a file in samba and the user from that group
can access it
- BUT when I delete the user from the group in my DC, he/she can
still access the share even after 24 hours until I restart samba and winbind
- after restart he/she is denied access to the share according to group

Someone says that it could be from my DC but I installed a new DC and a
new CentOS 4.3 connected over a crossover cable without any policy and got the
same problem.
Last year I had a DC with 2000 server and it worked, any modification was
refreshed in samba in 2-3 minutes.

Can anyone give me a tip?

Thanks in advance for any answer


Re: [Samba] [SAMBA+ADS] Getent passwd does not show AD computers

2006-06-30 Thread mtest001

 getent passwd only shows the local users + the AD users,
 from my understanding it should return the computers in the
 domain also.

One more thing... getent shadow shows the computers... How is
it possible to see the machine names in shadow but not in passwd ?





[Samba] [SAMBA+ADS] Getent passwd does not show AD computers

2006-06-29 Thread mtest001
Hi everybody,
I'll try to make it quick...

Our configuration:
- 1 x Windows 2003 Active Directory Server + LDAP Server
- 1 x SuSE 10 SAMBA Server

Authentication = LDAP + Kerberos.

Everything is running smoothly: AD users can authenticate and
browse the network shares presented by Samba.

However, it seems that the AD computers are not recognized...

getent passwd only shows the local users + the AD users;
from my understanding it should return the computers in the
domain also.

Also my smb log is full of messages like:

smbd/sesssetup.c:reply_spnego_kerberos(303)
Username ADS SERVER NAME/MACHINE NAME is invalid on this
system

where ADS SERVER NAME is the name of our AD server
and MACHINE NAME is the name of the machine browsing the
share. '/' is the winbind separator defined in smb.conf (I
don't want to use winbind and nothing is configured for
winbind). We have 3 or 4 of these messages every time a user
opens a shared folder, for example.

Appreciate your help ;-)



[Samba] Samba ADS member: using local groups

2006-06-23 Thread Damir Dezeljin

Hi.

I have problems using local groups on a SAMBA ADS member. I encountered
the problem when I switched from Fedora Core 4 to Fedora Core 5.

I'm using the FC5 samba-3.0.22-1.fc5 package.

SELinux is set to permissive mode (SELINUX=permissive), so this should
not cause problems.

I'm using the same scripts for generating the group mapping and adding users to
groups as I used on FC4.

The problem is I cannot access a newly created share. I'm getting
access denied.



Details:

smb.conf:
  workgroup = MYAD
  realm = MYAD.SI
  security = ads
  netbios name = SRV
  use kerberos keytab = True

  local master = no
  domain master = no
  preferred master = no
  domain logons = no

  winbind cache time = 150
  template shell = /bin/false
  template homedir = /dev/null
  idmap uid = 16777216-33554431
  idmap gid = 16777216-33554431

  enable privileges = no
  allow trusted domains = yes
  winbind trusted domains only = no
  winbind use default domain = no
  acl group control = no
  winbind enum groups = yes
  winbind enum users = yes
  winbind nested groups = yes

[testg]
  path = /tmp/testg
  browsable = yes

# net groupmap list | grep testg
testg (S-1-5-21-36326577-213813108-2479972072-35181) - testg

# net rpc group members testg -U MYAD\\damird%pass
MYAD\damird

# grep testg /etc/group
testg:x:17090:MYAD\damird

# getent group testg
testg:x:17090:MYAD\damird

# getent group SRV\\testg
testg:*:16777937:MYAD\damird

# chown root:testg /tmp/testg
# chmod 770 /tmp/testg
# ls -ald /tmp/testg
drwxrwx--- 17 root testg 4096 Jun 23 11:26 /tmp/testg

# sudo -u MYAD\\damird ls -al /tmp/testg
total 16
drwxrwx--- 2 root testg 4096 Jun 23 11:43 .
drwxrwxrwt 8 root root  4096 Jun 23 11:39 ..

# cat /var/log/samba/10.10.10.100.log
[2006/06/23 11:44:25, 1] smbd/service.c:make_connection_snum(693)
  10.10.10.100 (10.10.10.100) connect to service testg initially as user 
MYAD\damird (uid=16777217, gid=16777217) (pid 6509)

[2006/06/23 11:44:25, 0] smbd/service.c:set_current_service(49)
  chdir (/tmp/testg) failed
[2006/06/23 11:44:25, 0] smbd/service.c:set_current_service(49)
  chdir (/tmp/testg) failed
[2006/06/23 11:44:26, 0] smbd/service.c:set_current_service(49)
  chdir (/tmp/testg) failed



Any hint will be appreciated :)

Thanks and best regards,
Dezo
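An added example (not part of the thread, and not Samba's own code) that turns the ids printed in this post into a check: parse the two `getent group` lines, flag a group name that resolves to two different gids, and test whether the gid on the share directory is one the session actually carries. The session gid set is constructed from the smbd log line, which only shows the primary gid, so the absent local gid 17090 is the hypothesis being tested; on a real server the user's supplementary gids would come from `id` or `wbinfo --user-groups`.

```python
"""Why a share on a Samba ADS member can be denied although `ls -al` looks right.

Added example (not code from the thread or from Samba). It replays the
identifiers printed in the post above as constructed sample data: the local
Unix group testg (gid 17090 in /etc/group), winbind's own mapping of the
same name, SRV\\testg (gid 16777937, inside the idmap gid range), and the
connecting user's ids from the smbd log line (uid=16777217, gid=16777217).
"""
from dataclasses import dataclass

# "idmap gid = 16777216-33554431" from the post's smb.conf
IDMAP_GID_RANGE = (16777216, 33554431)

# Constructed: the two `getent group` lines shown in the post.
GETENT_GROUP_LINES = [
    "testg:x:17090:MYAD\\damird",      # files backend (/etc/group)
    "testg:*:16777937:MYAD\\damird",   # winbind backend, queried as SRV\\testg
]

# Constructed: gids the session is assumed to carry. The log line shows only
# the primary gid (16777217); the second value is winbind's gid for testg.
# The local gid 17090 is deliberately absent: that is the hypothesis under test.
SESSION_GIDS = frozenset({16777217, 16777937})

# `chown root:testg /tmp/testg` resolved the name through /etc/group.
SHARE_DIR_GID = 17090


@dataclass(frozen=True)
class GroupEntry:
    name: str
    gid: int
    members: tuple


def parse_getent_group(lines):
    """Parse `name:passwd:gid:member,member` lines into GroupEntry objects."""
    entries = []
    for line in lines:
        name, _pw, gid, members = line.strip().split(":", 3)
        entries.append(GroupEntry(name, int(gid),
                                  tuple(m for m in members.split(",") if m)))
    return entries


def in_idmap_range(gid, rng=IDMAP_GID_RANGE):
    """True when winbind allocated this gid (it lies in the idmap range)."""
    return rng[0] <= gid <= rng[1]


def find_gid_collisions(entries):
    """Group names that resolve to more than one gid (files vs winbind)."""
    gids_by_name = {}
    for e in entries:
        gids_by_name.setdefault(e.name, set()).add(e.gid)
    return {n: sorted(g) for n, g in gids_by_name.items() if len(g) > 1}


def diagnose(dir_gid, session_gids, rng=IDMAP_GID_RANGE):
    """Explain whether a 0770 root:group directory is reachable by the session."""
    if dir_gid in session_gids:
        return "ok"
    if in_idmap_range(dir_gid, rng):
        return "winbind-gid-missing-from-session"
    return "local-gid-missing-from-session"


if __name__ == "__main__":
    entries = parse_getent_group(GETENT_GROUP_LINES)
    for name, gids in find_gid_collisions(entries).items():
        print(f"group {name!r} has two gids: {gids} "
              f"(in idmap range: {[in_idmap_range(g) for g in gids]})")
    print("share dir gid", SHARE_DIR_GID, "->", diagnose(SHARE_DIR_GID, SESSION_GIDS))
```

If the only gid the session carries for testg is winbind's 16777937, own the directory with that gid rather than the /etc/group one, or keep the group in a single backend so that both spellings of the name resolve to the same gid.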


[Samba] Samba ads and local users

2006-06-14 Thread Peter Fowler
Hi All,

I have a network that's slowly being moved over to Active Directory. Having
used samba all this time though, I'm reluctant to let them go.

So I've set up a test Samba server to use the ADS, which allows all my domain
users to connect directly to the samba server for the home drives and other
shares (working perfectly!).

However, I have a lot of other users that won't be on the domain for quite
some time. Is there any way to have them still connect to the samba server
using the user share access that they've had all along (i.e. their account
in the smbpasswd file)?

If it is one or the other, is there any suggested method I can use to get
around this (barring adding all the users to the domain, and still using
samba for some ads authentication)?

Regards

Peter



Re: [Samba] Samba ads and local users

2006-06-14 Thread Adam Nielsen
 However, I have a lot of other users that won't be on the domain for
 quite some time. Is there any way to have them still connect to the
 samba server using the user share access that they've had all along
 (i.e. their account in the smbpasswd file)?

 If it is one or the other, is there any suggested method I can use to
 get around this (barring adding all the users to the domain, and
 still using samba for some ads authentication)?

There's probably a better way of doing this, but you could always run
two Samba servers - one using AD, one using smbpasswd.  You would have
to direct your users to connect to a different server depending on
their access, but that may not be so bad.

Alternatively you can still connect to smbpasswd accounts even if the
Samba server is on a domain, provided you use the machine's hostname as
if it's another domain, e.g. if most users connect to the machine
\\SAMBA as DOMAIN\user then you can also connect to \\SAMBA as
SAMBA\localuser and providing localuser is mentioned in smbpasswd
it'll let you in.

It does mean that you'll have to get everyone to enter their username
differently, so this may or may not be a problem.

Cheers,
Adam.


Re: [Samba] Samba ADS problem

2006-05-18 Thread jasmine mary

Hi Fabio,

Thanks for your response. I tried without adding winbind use default
domain = Yes in the smb.conf file, using chown SE\\selvara /home/jselvaraj. I am
getting the same error. I added this value in the file and tried chown
selvara /home/jselvaraj. The problem exists for this case too. FYI, no nscd
process is running.

I can't guess what is making this complicated.

Jasmine

--
View this message in context: 
http://www.nabble.com/Samba-ADS-problem-t1610406.html#a4452172
Sent from the Samba - General forum at Nabble.com.



Re: [Samba] Samba ADS problem

2006-05-18 Thread Fabio Bucciarelli
But what happens if you try:

#id SE\\selvara? 
Can you see a uid for the user?

And if you try:

#getent passwd | grep selvara ?


Fabio


On Thu, 2006-05-18 at 07:48 -0700, jasmine mary wrote:
 Hi Fabio,
 
 Thanks for your response. I tried without adding winbind use default
 domain = Yes in the smb.conf file, using chown SE\\selvara /home/jselvaraj. I am
 getting the same error. I added this value in the file and tried chown
 selvara /home/jselvaraj. The problem exists for this case too. FYI, no nscd
 process is running.
 
 I can't guess what is making this complicated.
 
 Jasmine
 



Re: [Samba] Samba ADS problem

2006-05-18 Thread jasmine mary

Fabio,

Thanks for your immediate response.

#getent passwd | grep selvara
SE\selvara:x:10022:10001:selvara:/home/SE/selvara:/bin/false

# id SE\\selvara
id: invalid user name: SE\selvara

Please help me out.

Jasmine


RE: [Samba] Samba ADS problem

2006-05-18 Thread Fabio Bucciarelli
Jasmine,

I think the problem is that Solaris can't accept usernames longer than 8
characters.
You can try chown with the uid:

#chown  10022 /home/jselvaraj

I don't know if the problem you have in share access is for the same
reason.

If you defined winbind use default domain = Yes in smb.conf, it is
strange that you obtain usernames with the domain in getent passwd.

Fabio


On Thu, 2006-05-18 at 11:38 -0400, Selvaraj, Jasmine wrote:
 Fabio,
 
 Thanks for your immediate response.
 
 #getent passwd | grep selvara
 SE\selvara:x:10022:10001:selvara:/home/SE/selvara:/bin/false
 
 # id SE\\selvara
 id: invalid user name: SE\selvara
 
 Please help me out.
 
 Jasmine
 
 -Original Message-
 From: Fabio Bucciarelli [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, May 18, 2006 11:22 AM
 To: Selvaraj, Jasmine
 Subject: Re: [Samba] Samba ADS problem
 
 But what happens if you try:
 
 #id SE\\selvara? 
 Can you see a uid for the user?
 
 And if you try:
 
 #getent passwd | grep selvara ?
 
 
 Fabio
 
 
 On Thu, 2006-05-18 at 07:48 -0700, jasmine mary wrote:
  Hi Fabio,
  
  Thanks for your response. I tried without adding winbind use default
  domain = Yes in the smb.conf file, using chown SE\\selvara /home/jselvaraj. I am
  getting the same error. I added this value in the file and tried chown
  selvara /home/jselvaraj. The problem exists for this case too. FYI, no nscd
  process is running.
  
  I can't guess what is making this complicated.
  
  Jasmine
  
 



Re: [Samba] Samba ADS problem

2006-05-18 Thread jasmine mary

What you said is correct.

chown 10022 /home/jselvaraj is working.

But when I tried with a short name, it gives the same issue as the longer
names (more than 8).

chown SE\\jas /home/jselvaraj is not working, but it works with the UID.

# ./wbinfo -n SE\\jas
Could not lookup name SE\jas

It is not returning the SID from AD. Some UID and SID mapping problem?

Jasmine



Re: [Samba] Samba ADS problem

2006-05-16 Thread Fabio Bucciarelli
Hi Jasmine.

For chown, if you don't use the 

winbind use default domain = Yes 

in smb.conf file, you must specify the name of windows domain:

chown SE\\username /home/jselvaraj

I can't help you about the account locked out error.

Fabio

On Fri, 2006-05-12 at 14:30 -0700, jasmine mary wrote:
 Hi
 
 I am working with the implementation of Samba (3.0.7) against AD. I compiled
 Samba after compiling LDAP and Kerberos. I can execute the following commands
 successfully.
 
 wbinfo -u, -g -t
 net ads info, testjoin
 getent passwd group
 
 But I can't use chown to set the owner to an AD user, even after shutting down
 the nscd daemon.
 
 I am giving my smb.conf file
 
 [global]
 workgroup = SE
 realm = SE.JASMINE.ORG
 security = ADS
 password server = SE.JASMINE.ORG
 log level = 3
 log file = /var/log/samba/%m
 wins server = ackdc02-coa.jasmine.org
 idmap uid = 1-2
 idmap gid = 1-2
 
 [jmj]
 path = /home/jselvaraj
 
 When I try to get the jmj share, I am getting the error that The referenced
 account is currently locked out and may not be logged in. Even though I am not
 specifying the valid users attribute for the jmj share, I am getting this
 error. If I set the valid user as selara, the account is locked on the
 Windows side while I am accessing the share. Is it the problem with the WINDOWS AD
 side or my Samba server side?
 
 Please help me out of this problem.
 
 Jasmine
 
 
 
 
 
 
 
 
-- 
Fabio Bucciarelli
Servizio Sviluppo telematica regionale e gestione delle infrastrutture
informatiche(st.4.23) 
DIREZIONE GENERALE ORGANIZZAZIONE, SISTEMI INFORMATIVI E TELEMATICA 
Regione Emilia-Romagna Viale Aldo Moro, 52 - 40127 Bologna 
Telefono ++39 051 6395658


[Samba] Samba ADS problem

2006-05-12 Thread jasmine mary

Hi

I am working with the implementation of Samba (3.0.7) against AD. I compiled
Samba after compiling LDAP and Kerberos. I can execute the following commands
successfully.

wbinfo -u, -g -t
net ads info, testjoin
getent passwd group

But I can't use chown to set the owner to an AD user, even after shutting down
the nscd daemon.

I am giving my smb.conf file

[global]
workgroup = SE
realm = SE.JASMINE.ORG
security = ADS
password server = SE.JASMINE.ORG
log level = 3
log file = /var/log/samba/%m
wins server = ackdc02-coa.jasmine.org
idmap uid = 1-2
idmap gid = 1-2

[jmj]
path = /home/jselvaraj

When I try to get the jmj share, I am getting the error that The referenced
account is currently locked out and may not be logged in. Even though I am not
specifying the valid users attribute for the jmj share, I am getting this
error. If I set the valid user as selara, the account is locked on the
Windows side while I am accessing the share. Is it the problem with the WINDOWS AD
side or my Samba server side?

Please help me out of this problem.

Jasmine










[Samba] Samba + ADS File Security Problem

2005-11-10 Thread updatemyself .
Hi All,
I have a setup with Samba share + ADS.
All my Windows XP machines log in to the ADS server, and so does my Samba share machine.
Everything is working fine, except some security permissions:
Users can access all shares without a username and password
once they log in to the Windows 2003 ADS.
In almost all shares I allow read/write permission group-wise.
All I need is: whoever creates a file or folder
must not be the owner; only the administrator must be.
Only then can we restrict the deletion of valuable data.
Most of my shares are more than 1000 GB.
If I change the ownership from Linux with some scripts and crontab
it creates a big access problem from the Windows XP systems
and I have to set up all the security permissions again from Windows.
Is there any way to create files and folders only with the ownership of
the administrator and with sticky-bit permission?
Here is my correct Samba share configuration:
 #=== Global Settings

[global]
  workgroup = MYDOMAIN
server string = Samba Server
log file = /var/log/samba/%m.log
max log size = 50
security = ads
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no

#=== Share Definitions ==
#ldap idmap suffix = ou=emplist,dc=dqe,dc=com
password server = 172.16.20.200
realm = MYDOMAIN.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%D/%U
allow trusted domains = no
idmap backend = idmap_rid:DQE=16777216-33554431
winbind use default domain = yes

[vol08]
path = /vol08_700
writable = yes
public = yes
nt acl support = yes
create mask = 0755
security mask = 0755
inherit permissions = yes
inherit acls = yes
force security mode = 0
directory security mask = 0777
force directory security mode = 0

=
Please Share Your knowledge to solve this problem...
 Thank You in Advance,

--
regards,
Jerrynikki



Re: [Samba] Samba + ADS File Security Problem

2005-11-10 Thread Markus Klimke
Just take a look at the man page of smb.conf and search for 'force'. I
suppose what you are seeking is 'force user = auser'.


updatemyself . wrote:

Hi All,
I have a setup with Samba share + ADS.
All my Windows XP machines log in to the ADS server, and so does my Samba share machine.
Everything is working fine, except some security permissions:
Users can access all shares without a username and password
once they log in to the Windows 2003 ADS.
In almost all shares I allow read/write permission group-wise.
All I need is: whoever creates a file or folder
must not be the owner; only the administrator must be.
Only then can we restrict the deletion of valuable data.
Most of my shares are more than 1000 GB.
If I change the ownership from Linux with some scripts and crontab
it creates a big access problem from the Windows XP systems
and I have to set up all the security permissions again from Windows.
Is there any way to create files and folders only with the ownership of
the administrator and with sticky-bit permission?
Here is my correct Samba share configuration:
 #=== Global Settings

[global]
  workgroup = MYDOMAIN
server string = Samba Server
log file = /var/log/samba/%m.log
max log size = 50
security = ads
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no

#=== Share Definitions ==
#ldap idmap suffix = ou=emplist,dc=dqe,dc=com
password server = 172.16.20.200
realm = MYDOMAIN.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
template homedir = /home/%D/%U
allow trusted domains = no
idmap backend = idmap_rid:DQE=16777216-33554431
winbind use default domain = yes

[vol08]
path = /vol08_700
writable = yes
public = yes
nt acl support = yes
create mask = 0755
security mask = 0755
inherit permissions = yes
inherit acls = yes
force security mode = 0
directory security mask = 0777
force directory security mode = 0

=
Please Share Your knowledge to solve this problem...
 Thank You in Advance,

--
regards,
Jerrynikki

---



--
--
Markus Klimke
Technische Universität Hamburg-Harburg
AB Modellierung und Berechnung
Denickestr. 17, Raum 3043
21073 Hamburg

Tel.: 040/42878-4482
--


Re: [Samba] Samba + ADS File Security Problem

2005-11-10 Thread Daniel Hindbo Jensen

Something like this

chown root /root/root

chmod -R ug+s /root/root

if I remember right ;)
--

Med venlig hilsen / Kind Regards
Daniel Hindbo Jensen

Direkte Telefon / Direct Phone: +45 87 113 110

Ingeniørfirmaet Poul Tarp A/S - http://www.tarp.dk/ http://www.tarp.dk

Telekæden A/S - http://www.telekaeden.dk/ http://www.telekaeden.dk / 
http://www.tkmobil.dk http://www.tkmobil.dk/


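Added example, not code from the thread or from Samba, that puts numbers on the two answers above: it applies the smb.conf(5) mask arithmetic to the poster's [vol08] settings and to a constructed hardened variant, and shows locally what the setgid and sticky bits on a directory give you. The requested modes (0666 for a new file, 0777 for a new directory or for an "Everyone: Full control" edit in the Windows security dialog) and the HARDENED values are assumptions; the post's own `inherit permissions = yes` makes Samba take new modes from the parent directory instead, which is not modelled here.

```python
"""How create/directory/security masks shape the Unix modes a Samba share
hands out, plus what the setgid and sticky bits on a directory do locally.

Added example; not code from the thread or from Samba. The arithmetic follows
the smb.conf(5) description of these parameters: the mode the client asks for
is ANDed with the mask and then ORed with the force value. The requested
modes used below are assumptions for illustration.
"""
import os
import stat
import tempfile

# Settings printed in the poster's [vol08] share. Parameters the post does not
# set get their smb.conf(5) defaults (force modes 000, directory mask 0755).
VOL08 = {
    "create mask": 0o755, "force create mode": 0o000,
    "directory mask": 0o755, "force directory mode": 0o000,
    "security mask": 0o755, "force security mode": 0o000,
    "directory security mask": 0o777, "force directory security mode": 0o000,
}

# Constructed hardened variant (an assumption, not from the thread): group
# access but never world access, setgid forced on every directory so new
# entries keep the share's group, and the security dialog unable to reopen
# directories to "other".
HARDENED = {
    "create mask": 0o660, "force create mode": 0o000,
    "directory mask": 0o770, "force directory mode": 0o2000,
    "security mask": 0o660, "force security mode": 0o000,
    "directory security mask": 0o770, "force directory security mode": 0o2000,
}


def apply_mask(requested, mask, force):
    """smb.conf(5): result = (requested AND mask) OR force."""
    return (requested & mask) | force


def new_file_mode(cfg, requested=0o666):
    """Mode of a file a client creates (assumed request: rw for everyone)."""
    return apply_mask(requested, cfg["create mask"], cfg["force create mode"])


def new_dir_mode(cfg, requested=0o777):
    """Mode of a directory a client creates (assumed request: rwx for everyone)."""
    return apply_mask(requested, cfg["directory mask"], cfg["force directory mode"])


def acl_edit_file_mode(cfg, requested):
    """Mode after a Windows client edits a file's security tab."""
    return apply_mask(requested, cfg["security mask"], cfg["force security mode"])


def acl_edit_dir_mode(cfg, requested):
    """Mode after a Windows client edits a directory's security tab."""
    return apply_mask(requested, cfg["directory security mask"],
                      cfg["force directory security mode"])


def setgid_sticky_demo():
    """Create a 3770 directory (setgid + sticky) and report what its children get.

    On Linux a subdirectory inherits the setgid bit and every new entry takes
    the parent's group; the sticky bit limits unlink/rename inside the
    directory to the entry's owner, the directory's owner and root.
    """
    with tempfile.TemporaryDirectory() as top:
        shared = os.path.join(top, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o3770)   # setgid (02000) + sticky (01000) + rwxrwx---
        sub = os.path.join(shared, "sub")
        os.mkdir(sub)
        path = os.path.join(shared, "doc.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
        parent_mode = os.stat(shared).st_mode
        return {
            "parent_setgid": bool(parent_mode & stat.S_ISGID),
            "parent_sticky": bool(parent_mode & stat.S_ISVTX),
            "sub_setgid": bool(os.stat(sub).st_mode & stat.S_ISGID),  # Linux: True
            "file_group_matches_dir": os.stat(path).st_gid == os.stat(shared).st_gid,
        }


if __name__ == "__main__":
    for label, cfg in (("vol08", VOL08), ("hardened", HARDENED)):
        print(f"{label}: new file {new_file_mode(cfg):04o}, "
              f"new dir {new_dir_mode(cfg):04o}, "
              f"dir after 'Everyone full control' {acl_edit_dir_mode(cfg, 0o777):04o}")
    print(setgid_sticky_demo())
```

The column worth reading in the vol08 numbers is the last one: with `directory security mask = 0777`, anyone who can open the security dialog on a directory can make it world-writable, which reopens exactly the deletion problem the post describes. `force user`, as suggested above, makes every operation on the share run as that one account and so fixes ownership, but it does not change what the masks allow.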

[Samba] Samba + ADS File Security Problem

2005-11-09 Thread Jerrynikki
Hi All,

I have a setup with Samba share + ADS.
All my Windows XP machines log in to the ADS server, and so does my Samba share machine.

Everything is working fine, except some security permissions:
Users can access all shares without a username and password
once they log in to the Windows 2003 ADS.

In almost all shares I allow read/write permission group-wise.

All I need is: whoever creates a file or folder
must not be the owner; only the administrator must be.
Only then can we restrict the deletion of valuable data.
Most of my shares are more than 1000 GB.

If I change the ownership from Linux with some scripts and crontab
it creates a big access problem from the Windows XP systems
and I have to set up all the security permissions again from Windows.

Is there any way to create files and folders only with the ownership of
the administrator and with sticky-bit permission?

Here is my correct Samba share configuration:

#=== Global Settings
[global]

   workgroup = MYDOMAIN
   server string = Samba Server
   log file = /var/log/samba/%m.log
   max log size = 50
   security = ads
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no


#=== Share Definitions ==
   #ldap idmap suffix = ou=emplist,dc=dqe,dc=com
   password server = 172.16.20.200
   realm = MYDOMAIN.COM
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   template homedir = /home/%D/%U
   allow trusted domains = no
   idmap backend = idmap_rid:DQE=16777216-33554431
   winbind use default domain = yes


[vol08]
   path = /vol08_700
   writable = yes
   public = yes
   nt acl support = yes
   create mask = 0755
   security mask = 0755
   inherit permissions = yes
   inherit acls = yes
   force security mode = 0
   directory security mask = 0777
   force directory security mode = 0


=
Please Share Your knowledge to solve this problem...

Thank You in Advance,

Regards,
Jerrynikki.


[Samba] Samba ADS member.

2005-10-28 Thread Meli Marco
Hi all,
I haven't understood whether I have to set up a PAM module to authenticate my
Windows ADS users to a share on a Samba ADS member.
If I'm right, it is only needed if I have to connect from a Linux client; is that right?
Also, is it possible to force NTLM authentication from a W2K client to a W3K AD server
operating in native mode, so excluding Kerberos authentication?
Is it possible that it causes me some problems related to ACLs?
Thanks.
Marco.



[Samba] Samba ADS Problem

2005-10-25 Thread Coz
Hi Everyone,

Has anyone seen an issue where WinBind does not work after a reboot (or a 
restart of the WinBind service) until you issue a wbinfo -u command?  This 
is what is happening on my system.  The PAM modules are all in place and 
configured correctly as they work once the wbinfo command is issued.  I get 
a very fast user unknown to underlying authentication module that flashes 
up at the login prompt unless the wbinfo command is run first.  The odd 
thing is that logging in with the wrong password gives an invalid login 
message, so I know that WinBind is communicating with AD to some degree.

I can provide more details if necessary; just figured maybe someone else had 
this exact problem as I'm running a very stock configuration.

Thanks,
Coz 





[Samba] Samba ADS member server confusion.

2005-07-04 Thread George Farris
Hi all,

I've been reading docs and am a little confused.  I'm in an organization
that uses ADS and I am in a remote location.  I want to configure a
member samba server that can authenticate with ADS, also have local
accounts and see shares all the way around.

So I want to configure a Samba server that will allow students with
accounts on ADS, which is remote from our location (we are a satellite
campus), to be able to log in from Windows workstations in our lab and
have access to their shares.

I also want to be able to create local student accounts on the Samba
server and authenticate locally with local shares.  Accounts should be
reachable from Linux as well as Windows workstations.

It would be nice to be able to see our Samba server from the remote
network that has the ADS server on it and access the shares.

From reading I'm thinking samba should be configured with LDAP, Kerberos
and winbind, but there is *so* much documentation on the net and it all
talks about various different scenarios, it's very confusing.

All I need is a top level view and then I should be able to configure the
stuff lower down, I hope :-)

All help appreciated.



-- 
George Farris   [EMAIL PROTECTED]
Malaspina University-College





[Samba] Samba ads authentication

2005-04-14 Thread Guillaume C.
Hi,
I am trying to configure a samba server with authentication
against a Wk3 ADS controller. I think that I resolved
many problems but at this time it doesn't work at all.
When I try to access a share on the ADS server: no
problem
(on the linux client I type these commands:
kinit administrator - it asks for a password and OK
smbclient -k \\server\share -- OK
)
Then when I try to access the share on the linux box
from the w2k3 controller, I always get a wonderful
banner: enter username and password. I can try all
usernames and passwords.. Nothing to do, the system does
not want to let me in to the linux shares.

On the W2k3 server, in the security event log, I don't see
any errors, and in fact, I can see success on the
account connection.

My first question is: Is it possible to authenticate
against an ADS server to access a share on a linux
samba joined onto the domain?
2nd: if it's possible, what are the configuration files
I must modify/create to create this system?

At this time, I modified/created these configuration files
(and if someone asks me, I will send them):
/etc/krb5.conf
/usr/lib/smb.conf (manually and via SWAT)
/etc/resolv.conf
/etc/pam.d/winbindd

If you have any suggestions, tell me :)

Best regards.
Guillaume








RE: [Samba] Samba, ADS and Failed to verify incoming ticket!

2005-04-10 Thread Andrew Bartlett
On Fri, 2005-04-08 at 16:16 +0200, Buozis, Martynas wrote:
 Hello
 
 I think I found the problem. When I put secrets.tdb and the lock directory NOT
 on an NFS share it worked! Isn't it possible to put all SAMBA running files
 on an NFS share? Any comments?

This is explicitly known to break, corrupt data and cause many many bad
things to happen.

Samba TDBs must be on a local filesystem, where read()/write()/mmap()
are coherent.  If these are not, then we bust, badly.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net



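A check for the constraint Andrew states above, added here as an example (not from the thread or from Samba): resolve which filesystem backs a path by longest-prefix match over `/proc/mounts`-style lines and flag network types. The embedded mounts excerpt is constructed to mirror the path in the original report, `/web/opt/etc/smbprivate//secrets.tdb`, sitting on NFS; the `NETWORK_FS` set is an assumption to extend with whatever remote filesystems your hosts use.

```python
"""Verify that Samba's private dir and lock dir are on a local filesystem.

Added example, not from the thread or from the Samba project. TDB files rely
on read()/write()/mmap() being coherent, which NFS does not guarantee, so an
admin wants to know the filesystem type behind the directories before smbd
starts. The check parses /proc/mounts text; the sample below is constructed.
"""
import os

# Assumed list of filesystem types that must not host TDB files.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "fuse.sshfs", "afs", "9p",
              "glusterfs", "ceph"}

# Constructed /proc/mounts excerpt: root on ext4, /web/opt served over NFS,
# the same mount the original report's secrets.tdb path points into.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw 0 0
filer:/export/opt /web/opt nfs rw,vers=3,hard 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""


def parse_mounts(text):
    """Return [(mountpoint, fstype), ...] from /proc/mounts-formatted text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mountpoint = parts[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        mounts.append((mountpoint, parts[2]))
    return mounts


def fs_type_for(path, mounts):
    """Filesystem type of the deepest mount point that contains `path`."""
    norm = os.path.normpath(path)   # collapses the '//' in the reported path
    best = None
    for mountpoint, fstype in mounts:
        mp = os.path.normpath(mountpoint)
        inside = norm == mp or norm.startswith(mp.rstrip("/") + "/")
        if inside and (best is None or len(mp) > len(best[0])):
            best = (mp, fstype)
    return best[1] if best else None


def check_tdb_dirs(paths, mounts, network=NETWORK_FS):
    """Map each path to (fstype, ok); ok is False on a network filesystem."""
    result = {}
    for p in paths:
        fstype = fs_type_for(p, mounts)
        result[p] = (fstype, fstype is not None and fstype not in network)
    return result


def check_live_system(paths=("/var/lib/samba/private", "/var/lock/samba")):
    """Run the same check against the running host (Linux: /proc/mounts)."""
    with open("/proc/mounts") as fh:
        return check_tdb_dirs(paths, parse_mounts(fh.read()))


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for path, (fstype, ok) in check_tdb_dirs(
            ["/web/opt/etc/smbprivate//secrets.tdb", "/var/lib/samba/private"],
            mounts).items():
        print(f"{path}: {fstype} -> {'ok' if ok else 'NOT a local filesystem'}")
```

The same idea applies to `lock directory`, `state directory` and `cache directory` in smb.conf: point all of them at local storage and keep only the exported share paths on whatever remote storage you use.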

[Samba] Samba, ADS and Failed to verify incoming ticket!

2005-04-08 Thread Buozis, Martynas
Hello

I have a Samba server that joined a Windows 2003 based ADS. At least net ads
testjoin and net rpc testjoin report that the join is OK. Alas, clients
can't connect to the Samba server. In the log I see the following messages:

[2005/04/08 14:51:41, 0] tdb/tdbutil.c:(725)
  tdb(/web/opt/etc/smbprivate//secrets.tdb): tdb_lock failed on list 2
ltype=2 (Resource temporarily unavailable)
[2005/04/08 14:51:41, 1] libads/kerberos_verify.c:(312)
  ads_verify_ticket: unable to protect replay cache with mutex.
[2005/04/08 14:51:41, 1] smbd/sesssetup.c:(173)
  Failed to verify incoming ticket!
[2005/04/08 14:51:41, 3] smbd/error.c:(105)
  error string = Resource temporarily unavailable
[2005/04/08 14:51:41, 3] smbd/error.c:(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2005/04/08 14:51:41, 3] smbd/process.c:(1334)
  timeout_processing: End of file from client (client has disconnected).

Other net ads based commands are working fine. I can get the ads status
displayed without any suspicious entries, and I can get users/groups lists.
But client connections (from a client that is a member of the same domain)
always end with the above shown entries in the log file.

Any ideas what can be wrong ?

With best regards
Martynas


RE: [Samba] Samba, ADS and Failed to verify incoming ticket!

2005-04-08 Thread Buozis, Martynas
Hello

I think I found the problem. When I put secrets.tdb and the lock directory NOT
on an NFS share, it worked! Isn't it possible to put all the SAMBA running files
on an NFS share? Any comments? 


With best regards
Martynas 
 


Re: [Samba] Samba, ADS and Failed to verify incoming ticket!

2005-04-08 Thread Paul Gienger

I think I found the problem. When I put secrets.tdb and the lock directory NOT
on an NFS share, it worked! Isn't it possible to put all the SAMBA running files
on an NFS share? Any comments? 
 

What would you hope to gain by doing this?  Please say you aren't trying 
to run several servers with the same backend data files...

(hitting reply to all is good ;) apparently I am not)

--
Paul Gienger               Office: 701-281-1884
Applied Engineering Inc.
Systems Architect          Fax:    701-281-1322
URL: www.ae-solutions.com  mailto: [EMAIL PROTECTED]



RE: [Samba] Samba, ADS and Failed to verify incoming ticket!

2005-04-08 Thread Buozis, Martynas
For the ability to fail over from one machine to another in case of hardware
failures I put the whole SAMBA installation on highly available NAS. Isn't
that possible? I am not trying to run several servers, I just have all
files on NAS to be able to actually run on any machine in the cluster.

Martynas 
 


RE: [Samba] Samba, ADS and Failed to verify incoming ticket!

2005-04-08 Thread Tony Earnshaw
fre, 08.04.2005 kl. 16.23 skrev Buozis, Martynas:

 For the ability to fail over from one machine to another in case of hardware
 failures I put the whole SAMBA installation on highly available NAS. Isn't
 that possible? I am not trying to run several servers, I just have all
 files on NAS to be able to actually run on any machine in the cluster.

NAS is not SAN. NAS is *not*, necessarily, permanently available. SAN is.

If you want your files to be permanently available, whether through an
Act of God, or whatever, you might consider SAN with accompanying
backup routines, collocations, etc. I hope that your pocket book is
suitably fat. Because this is going to *squeeze* it.

--Tonni

-- 
Nothing sucksseeds like a pigeon without a beak ...

mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
 
They love us, don't they, They feed us, won't they ...



RE: [Samba] Samba, ADS and Failed to verify incoming ticket!

2005-04-08 Thread Buozis, Martynas
Tony

I clearly understand what SAN is and what NAS is. I have both here from
EMC. And our NAS based on Celerra has never had NFS outages because of
hardware failures. Also I use two Cisco switches with dual paths on the SUN
box (using IP Multipathing) to protect against network failures. So
believe me - NAS in some cases is highly available storage. And, openly,
I see no difference from an HA point of view between NAS and SAN - it only
depends on what you use and how you design the infrastructure. 

But sorry - this is not an advertisement. I simply would like to have
the ability to run Samba from NFS, but it looks like this is not an option and
at least something should be stored on local disks. Well, I think I can
live with this.


With best regards
Martynas 

 
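Andrew Bartlett's answer in this thread (TDBs must live on a filesystem where read()/write()/mmap() and the fcntl locks are coherent) and Martynas's conclusion that at least something has to stay on local disk come down to one check: which filesystem do Samba's private, lock and state directories actually sit on? The script below is an added example for this thread, not Samba project code. It parses /proc/mounts-format text, resolves each directory to its longest-prefix mount and reports anything on NFS, CIFS or a cluster filesystem as unsafe for TDB. The mount table and directory paths are constructed for the demonstration, and the local/network classification tables are my own.

```python
"""
Check whether the directories Samba keeps its TDB databases in sit on a
local, cache-coherent filesystem.  Added example, not Samba project code.
SAMPLE_MOUNTS is constructed /proc/mounts content.
"""
import os

# Filesystems where fcntl() locks and mmap()/read()/write() are coherent.
LOCAL_FS = {"ext2", "ext3", "ext4", "xfs", "btrfs", "jfs", "f2fs",
            "reiserfs", "zfs", "ufs", "tmpfs"}
# Network and cluster filesystems: lock and page-cache coherency between
# processes (or nodes) is not guaranteed, so TDB files get corrupted.
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "smbfs", "fuse.sshfs", "afs",
              "9p", "glusterfs", "ceph", "ocfs2", "gfs2"}

# Constructed: the Samba state tree is on NFS, but the private dir has been
# moved back onto a local xfs volume.  Later /proc/mounts lines win.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
nas:/export/samba /var/lib/samba nfs4 rw,vers=4.1,hard 0 0
/dev/sda2 /var/lib/samba/private xfs rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines ('dev mountpoint fstype opts dump pass')."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        # /proc/mounts escapes spaces in mount points as \040.
        mounts.append((parts[1].replace("\\040", " "), parts[2]))
    return mounts


def mount_for(path, mounts):
    """(mountpoint, fstype) of the longest mount point that contains path.

    Ties go to the later entry, matching how the kernel stacks mounts."""
    path = os.path.normpath(path)
    best = None
    for mp, fstype in mounts:
        mp = os.path.normpath(mp)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = (mp, fstype)
    return best


def classify(fstype):
    """'ok' for coherent local filesystems, 'unsafe' for network ones."""
    if fstype in NETWORK_FS:
        return "unsafe"
    if fstype in LOCAL_FS:
        return "ok"
    return "unknown"


def check_tdb_dirs(dirs, mounts_text):
    """Map each Samba directory to (mountpoint, fstype, verdict)."""
    mounts = parse_mounts(mounts_text)
    result = {}
    for d in dirs:
        m = mount_for(d, mounts)
        result[d] = (None, None, "unknown") if m is None else (m[0], m[1], classify(m[1]))
    return result


if __name__ == "__main__":
    # Real run: paths from `testparm -s -v` (private dir, lock directory,
    # state directory, cache directory) and the text of /proc/mounts.
    dirs = ["/var/lib/samba/private", "/var/lib/samba/lock", "/run/samba"]
    for d, (mp, fs, verdict) in check_tdb_dirs(dirs, SAMPLE_MOUNTS).items():
        print(f"{verdict:8} {d:28} on {mp} ({fs})")
```

In a real run replace SAMPLE_MOUNTS with the contents of /proc/mounts and take the directory list from `testparm -s -v` (the private dir, lock directory, state directory and cache directory parameters). tmpfs is classified as coherent here, but a persistent database such as secrets.tdb on a non-persistent filesystem is its own problem: the machine account secret is gone after a reboot.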


[Samba] samba ads problem

2005-04-01 Thread Guillaume chardin
I followed the procedure for the integration of Samba
3.0.13 in an ADS environment, but when I enter the
command net ads join -U administrator the system returns
this error:
--error
morgoth:/usr/local/samba/bin# ./net ads join -U
administrator
administrateur's password:
[2005/04/01 16:34:48, 0]
utils/net_ads.c:ads_startup(191)
  ads_connect: No such file or directory
morgoth:/usr/local/samba/bin#
---
Do you have any idea?
Was the installation of samba bad?

thanks, guillaume








RE: [Samba] samba ads problem

2005-04-01 Thread William Enestvedt
Guillaume;
   Nice name!
   We need a little more information to help. :7)
   Did you compile support for Active Directory use into Samba? What platform, 
what version of Samba, and what version of supporting software (like Kerberos 
and OpenLDAP) are you using? Are you using RPMs?
-wde
--
Will Enestvedt
UNIX System Administrator
Johnson & Wales University -- Providence, RI



RE: [Samba] samba ads problem

2005-04-01 Thread Guillaume C.
OK... :)
I compiled all of the progs & modules that I need...
OpenLDAP, Kerberos, and Samba
1) kerberos was just built like that: ./configure,
make, make install
2) I compiled & configured OpenLDAP like that: 
./configure --enable-syslog --disable-slapd
3) and finally, samba was configured with these
options: 
--with-krb5=/usr/local
--with-pam,ads,ldap,winbind,acl-support,quotas.
All compilations were a success (with no critical
error). Maybe I have this error because I tuned my
installation folder for samba (it's not in the path). I
have been on this project for many months, and I hope that it
will work some day :)


[Samba] Samba / ADS / LDAP 'unknown' Domain Groups

2005-03-15 Thread Benoit Panizzon
Hi all

Situation:

Samba 3.0.11 FreeBSD 5
nss_ldap
pam_krb5
Connecting to W2k3 ADS with installed MSSFU. (LDAP Posix Schema)

pw user show -a
pw group show -a

both work.
Authentication via Kerberos works fine.

Users have access via samba to the files and directories that belong to them.

But not to the Files belonging to their group.

The 'Security' Tab under Windows shows the groups as local groups on the Unix 
System instead of as domain groups.

I know, when I use winbindd as NSS, I should get an output of the form:

DOMAIN+Group:*:gid:users

With nss_ldap I get:

Group:*:gid:users

This could be confusing the Windows Client and make them think that those are 
local groups.

How can I fix this problem?

We cannot use winbindd for ID-Mapping as we have a mixed Unix/Windows 
environment and this would completely mess up Unix IDs on all systems.

Regards
-- 
Benoît Panizzon, [EMAIL PROTECTED]

ImproWare AG, UNIXSP & ISP    Phone: +41 61 826 93 00
Zurlindenstrasse 29           Fax:   +41 61 826 93 01
CH-4133 Pratteln              Net:   http://www.imp.ch/



[Samba] Samba ADS ticket problem

2005-03-13 Thread ram dass
I've got samba-3.0.0-14.3E, and am trying to connect to a
Windows 2000 domain using security = ADS

After following the instructions in the Samba-HOWTO-Collection, I've got
kinit working, and am able to browse the Windows 2000 machine's shares with
smbclient //win2kmixed/c\$ -k without a password.

However, if I try to connect to the machine, either through network
neighborhood or with (on w2k) net use * \\server\share, it fails (asks for
username/password).

The HOWTO says to run klist tickets, which shows no tickets. It doesn't say
what to do if that happens.

The log files for the machine trying to connect say:

[2003/07/24 14:58:09, 1] libads/kerberos_verify.c:ads_verify_ticket(69)
  failed to fetch machine password
[2003/07/24 14:58:09, 1] smbd/sesssetup.c:reply_spnego_kerberos(178)
  Failed to verify incoming ticket!

smb.conf has:

# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
netbios name = SAM
server string = SAMBA
security = ADS
password server = win2kmixed
log file = /var/log/samba/log.%m
max smbd processes = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
enhanced browsing = No
idmap uid = 1-12000
idmap gid = 1-12000
template homedir = /dev/null
template shell = /sbin/nologin
winbind separator = +
create mask = 0700
directory mask = 0700
directory security mask = 0700
max connections = 1000
map archive = No
follow symlinks = No

[share1]
comment = share1
path = /mnt/floppy/share1
write list = DOMAIN+Administrator
read only = No
inherit permissions = Yes
inherit acls = Yes
map acl inherit = Yes

klist tickets returns:

klist: No credentials cache found (ticket cache FILE:tickets)

klist returns:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ADMINISTRATOR@DOMAIN.LOCAL

Valid starting     Expires            Service principal
07/24/03 14:18:34  02/25/05 00:18:34  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
07/24/03 14:54:22  02/25/05 00:18:34  [EMAIL PROTECTED]

Even trying to connect from the Linux machine fails with

[root@mp3box pty/s0] smbclient //mp3box2/share1 -k
session setup failed: NT_STATUS_LOGON_FAILURE

Any help would be appreciated; the documentation here
is not quite clear.

Ramadass






[Samba] Samba ADS

2005-01-12 Thread Rashaad S. Hyndman
Hi all,

I have a samba server that authenticates users against an AD domain controller
on a different machine and everything works fine.  However, I find that
ever so often this machine would stop authenticating people for no apparent
reason.  Usually I would restart winbind and samba and everything would
start working, but even that seems not to work anymore.  Are there any other
processes I should be stopping/starting/restarting to have my samba server
talk to the DC again?

Regards,
R.




Re: [Samba] Samba ADS

2005-01-12 Thread Rashaad S. Hyndman
MORE INFO:

I just noticed that in my samba logs when I get a user that is denied access
to my share I get an error message similar to:
smbd/service.c:reply_spnego_kerberos(250)
Username Domain+Machinename is invalid on this system

Why is this happening?  Why is it specifying the machine name and not the
username?  My understanding is that my machine should contact the DC and
pass the authentication info to the DC for access.  Why isn't this happening?

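Three threads on this page end in the same Samba message, "Failed to verify incoming ticket!": Martynas's tdb_lock failure on NFS, Ramadass's "failed to fetch machine password", and Rashaad's "Username ... is invalid on this system". The common pattern is that the ticket message is a symptom and the root cause is the entry logged immediately before it. The triage script below is an added example, not Samba code: it parses the Samba 3.x log format used in these posts, tags each recognised entry, and attributes every ticket or logon failure to the last root-cause entry within a few seconds. SAMPLE_LOG is constructed from the entries quoted on this page (the EXAMPLE+FILESRV$ account name is made up), and the advice strings and rule table are my own.

```python
"""
Triage Samba 3.x smbd log entries: tag known failure messages and attribute
each 'Failed to verify incoming ticket!' / NT_STATUS_LOGON_FAILURE symptom to
the root-cause entry logged just before it.  Added example, not Samba code.
SAMPLE_LOG is constructed after the entries on this page.
"""
import re
from collections import Counter
from datetime import datetime

# Samba 3 log header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)";
# the message follows on the next (indented, possibly wrapped) lines.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(\d+)\]\s+(\S+)")

# (tag, message pattern, is_root_cause, advice)
RULES = [
    ("tdb_lock_failed", r"tdb_lock failed|unable to protect replay cache", True,
     "TDB locking failed: private/lock dirs must be on a local filesystem "
     "(never NFS); also check for stale locks"),
    ("machine_secret_missing", r"failed to fetch machine password", True,
     "no machine account secret in secrets.tdb: verify 'private dir' and "
     "re-run 'net ads join'"),
    ("name_unmapped", r"Username .+ is invalid on this system", True,
     "ticket principal has no Unix account: is winbindd running, is winbind "
     "in nsswitch.conf, is the idmap range large enough?"),
    ("ticket_rejected", r"Failed to verify incoming ticket", False,
     "symptom only: no root-cause entry found in the window before it"),
    ("logon_failure", r"NT_STATUS_LOGON_FAILURE", False,
     "outcome returned to the client; see the preceding entries"),
]
ADVICE = {tag: advice for tag, _, _, advice in RULES}

SAMPLE_LOG = """\
[2005/04/08 14:51:41, 0] tdb/tdbutil.c:(725)
  tdb(/web/opt/etc/smbprivate//secrets.tdb): tdb_lock failed on list 2
ltype=2 (Resource temporarily unavailable)
[2005/04/08 14:51:41, 1] libads/kerberos_verify.c:(312)
  ads_verify_ticket: unable to protect replay cache with mutex.
[2005/04/08 14:51:41, 1] smbd/sesssetup.c:(173)
  Failed to verify incoming ticket!
[2005/04/08 14:51:41, 3] smbd/error.c:(105)
  error string = Resource temporarily unavailable
[2005/04/08 14:51:41, 3] smbd/error.c:(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2005/04/08 15:10:02, 1] libads/kerberos_verify.c:ads_verify_ticket(69)
  failed to fetch machine password
[2005/04/08 15:10:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(178)
  Failed to verify incoming ticket!
[2005/04/08 16:30:15, 1] smbd/service.c:reply_spnego_kerberos(250)
  Username EXAMPLE+FILESRV$ is invalid on this system
[2005/04/08 17:00:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(178)
  Failed to verify incoming ticket!
"""


def parse(text):
    """Group each header line with its continuation lines (wrapped or not)."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                   "level": int(m.group(2)), "src": m.group(3), "msg": ""}
            entries.append(cur)
        elif cur is not None and line.strip():
            cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
    return entries


def classify(msg):
    """First matching rule -> (tag, is_root_cause); (None, False) if unknown."""
    for tag, pat, is_cause, _ in RULES:
        if re.search(pat, msg):
            return tag, is_cause
    return None, False


def triage(text, window_s=5):
    """One finding per recognised entry, each with the root cause it belongs to."""
    findings, last_cause = [], None
    for e in parse(text):
        tag, is_cause = classify(e["msg"])
        if tag is None:
            continue
        if is_cause:
            last_cause, root = (tag, e["time"]), tag
        elif last_cause and (e["time"] - last_cause[1]).total_seconds() <= window_s:
            root = last_cause[0]          # symptom follows a cause closely
        else:
            root = "unknown"
        findings.append({"time": e["time"], "src": e["src"], "tag": tag,
                         "root_cause": root, "advice": ADVICE.get(root, ADVICE[tag])})
    return findings


def summarize(findings):
    """Count findings by root cause, the number a reviewer wants first."""
    return Counter(f["root_cause"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']:%H:%M:%S} {f['tag']:22} <- {f['root_cause']:22} {f['advice']}")
    print(dict(summarize(found)))
```

The entries quoted in these threads are at log levels 0 to 3; the kerberos_verify and sesssetup lines are level 1, so a log written at the default level 0 contains only the tdb_lock line and there is nothing for the attribution step to work with.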


[Samba] Samba ADS NT4 trusted domains not working .

2004-12-17 Thread Ochs, Duane
RH 3.0 ES
krb5 1.2.7
Samba 3.0.9
 
 
I am trying to use Samba, Winbind and Kerberos to configure single sign-on
and allow users from both Windows and Linux (RH 3.0 ES) platforms to
use shares from either platform. I cannot see users from my primary
domain but can see the trusted NT4 groups and users. I have been trying
to get this right for the last week and keep thinking I am missing
something easy. I followed the following doc for setup procedures. Any
help would be appreciated.
http://www.wlug.org.nz/ActiveDirectorySamba
 
Primary  QG.COM  
AD = W2K3 running in W2K native mode. With two way trusts with the
following.
 
3 - W2K3 AD in W2K3 native 
 
5 - NT4 trusted domains
 
[EMAIL PROTECTED] rhn-packages]# wbinfo -t
checking the trust secret via RPC calls succeeded
 
[EMAIL PROTECTED] rhn-packages]# wbinfo -m
SXEC2
BUILTIN
QMED
CORPORATE
QG_INKJET
QUADTECH
HIGHTECH
IMAGING
QUADMED
CUSTOMERS

[EMAIL PROTECTED] rhn-packages]# wbinfo --sequence
SXEC2 : 1
BUILTIN : 1
QMED : DISCONNECTED        W2K3 Native
CORPORATE : 1031564        NT
QG_INKJET : 95442          NT
QUADTECH : 9281            NT
HIGHTECH : 164705          NT
IMAGING : 60026            NT
QUADMED : DISCONNECTED     W2K3
CUSTOMERS : DISCONNECTED   W2K3
QG : DISCONNECTED          W2K3 in W2K native
 
 
wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
QMED\Domain Admins
QMED\Domain Users
QMED\Domain Guests
QMED\Domain Computers
QMED\Domain Controllers
QMED\Schema Admins
QMED\Enterprise Admins
QMED\Group Policy Creator Owners
QMED\DnsUpdateProxy
QUADTECH\AbnAmro
QUADTECH\Domain Admins
QUADTECH\Domain Guests
QUADTECH\Domain Users
QUADTECH\Organisatie
HIGHTECH\Domain Admins
HIGHTECH\Domain Guests
HIGHTECH\Domain Users
IMAGING\Domain Admins
IMAGING\Domain Guests
IMAGING\DOMAIN POLICY
IMAGING\DOMAIN PROD
IMAGING\Domain Users
CUSTOMERS\Domain Admins
CUSTOMERS\Domain Users
CUSTOMERS\Domain Guests
CUSTOMERS\Domain Computers
CUSTOMERS\Domain Controllers
CUSTOMERS\Schema Admins
CUSTOMERS\Enterprise Admins
CUSTOMERS\Group Policy Creator Owners
CUSTOMERS\DnsUpdateProxy

SMB.conf
 
[global]
netbios name = SXEC2
workgroup = QG
encrypt passwords = yes
realm = QG.COM
server string = Enterprise Computing Linux Server
security = ADS
password server = IP of my AD server
log level = 3
os level = 0
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
 
 
krb5.conf
 
[logging]
default = FILE:/var/log/krb5/krb5libs.log
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
 
[libdefaults]
 ticket_lifetime = 24000
 default_realm = QG.COM
 default_tgs_enctypes = RC4-HMAC des3-hmac-sha1 des-cbc-crc des-cbc-md5
 default_tkt_enctypes = RC4-HMAC des3-hmac-sha1 des-cbc-crc des-cbc-md5
 dns_lookup_realm = true
 dns_lookup_kdc = true
 
[realms]
 QG.COM = {
  kdc = IP of my AD server
  default_domain = qg.com
 }
 
[domain_realm]
.qg.com = QG.COM
qg.com = QG.COM
 
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

 

Duane Ochs
Enterprise Computing
Quad/Graphics Inc.
Sussex, Wisconsin
414-566-2375 phone
414-566-4010 pin# 2375 beeper
[EMAIL PROTECTED]
www.QG.com
 


[Samba] Samba ADS Winbind unable to join SuSe 9.1

2004-11-17 Thread Sundaram Ramasamy
Hi all,

We are trying to add a SuSE 9.1 file server to a Windows domain. Here is
our configuration.

  Windows 2000 Active Directory
  SuSE 9.1 with Samba 3.0.8

When I try to add the Linux file server to the Windows domain using the net
command, the net command dies with a segmentation fault message. When starting
the winbind process, it also dies with a segmentation fault error message.

Here are my configuration files and the error messages for this problem.

smb.conf:

# Global parameters
[global]
workgroup = xyz
realm = xyz.COM
security = ADS
map to guest = Bad User
password server = 192.168.1.201
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
wins server = 192.168.1.201
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
winbind separator = /
winbind use default domain = Yes
printer admin = @ntadmin, root, administrator
 
[homes]
comment = Home Directory
valid users = xyz/%S
read only = No
browseable = No


net ads join -UAdministrator -d 10 command output
=

  ads_try_connect: trying ldap server port 389
[2004/11/17 20:11:24, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server 192.168.1.201
[2004/11/17 20:11:24, 3] libads/ldap.c:ads_server_info(2431)
  got ldap server name [EMAIL PROTECTED], using bind path: dc=XYZ,dc=COM
[2004/11/17 20:11:24, 4] libads/ldap.c:ads_server_info(2437)
  time offset is -86 seconds
[2004/11/17 20:11:24, 4] libads/sasl.c:ads_sasl_bind(447)
  Found SASL mechanism GSS-SPNEGO
[2004/11/17 20:11:24, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2004/11/17 20:11:24, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2004/11/17 20:11:24, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2004/11/17 20:11:24, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2004/11/17 20:11:24, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2004/11/17 20:11:24, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2004/11/17 20:11:24, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
  Ticket in ccache[MEMORY:net_ads] expiration Thu, 18 Nov 2004 06:09:58 GMT
[2004/11/17 20:11:24, 10] libsmb/clikrb5.c:ads_krb5_mk_req(409)
  ads_krb5_mk_req: Ticket ([EMAIL PROTECTED]) in ccache
(MEMORY:net_ads) is valid until: (Thu, 18 Nov 2004 06:09:58 GMT -
1100776198)
[2004/11/17 20:11:24, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(511)
  Got KRB5 session key of length 16
[2004/11/17 20:11:24, 10] lib/util.c:name_to_fqdn(2506)
  name_to_fqdn: lookup for filesrv1 - filesrv1.XYZ.com.
[2004/11/17 20:11:24, 0] libads/ldap.c:ads_add_machine_acct(1366)
  ads_add_machine_acct: Host account for filesrv1 already exists -
modifying old account
[2004/11/17 20:11:24, 5] libads/ldap_utils.c:ads_do_search_retry(56)
  Search for (objectclass=*) gave 1 replies
[2004/11/17 20:11:25, 3] libads/ldap.c:ads_workgroup_name(2526)
  Found alternate name 'XYZ' for realm 'XYZ.COM'

net command strace output:
=
# strace -v -f -F -o /tmp/aa net ads join -UAdministrator

6418  fcntl64(3, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET,
start=324, len=1}, 0xbfffe370) = 0
6418  fcntl64(3, F_SETLKW64, {type=F_UNLCK, whence=SEEK_SET,
start=324, len=1}, 0xbfffe370) = 0
6418  fcntl64(3, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET,
start=344, len=1}, 0xbfffe470) = 0
6418  fcntl64(3, F_SETLKW64, {type=F_UNLCK, whence=SEEK_SET,
start=344, len=1}, 0xbfffe470) = 0
6418  time(NULL)= 1100740285
6418  fcntl64(3, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET,
start=532, len=1}, 0xbfffe470) = 0
6418  fcntl64(3, F_SETLKW64, {type=F_UNLCK, whence=SEEK_SET,
start=532, len=1}, 0xbfffe470) = 0
6418  fcntl64(3, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET,
start=552, len=1}, 0xbfffe470) = 0
6418  fcntl64(3, F_SETLKW64, {type=F_UNLCK, whence=SEEK_SET,
start=552, len=1}, 0xbfffe470) = 0
6418  getuid32()= 0
6418  geteuid32()   = 0
6418  getgid32()= 0
6418  getegid32()   = 0
6418  open(/etc/krb5.conf, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
6418  getuid32()= 0
6418  geteuid32()   = 0
6418  getgid32()= 0
6418  getegid32()   = 0
6418  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
6418  +++ killed by SIGSEGV +++

#tcpdump output:
=

20:11:24.603653 IP (tos 0x0, ttl  64, id 52256, offset 0, flags [DF],
length: 77) 172.68.1.53.32772 > 172.68.1.201.53: 

[Samba] Samba ADS -- works with XP Pro, but not 2000 Pro

2004-10-14 Thread Gordon Hopper
I am using Samba with Active Directory.  I have successfully joined my 
Samba server to the domain D1 ( net ads join -U [EMAIL PROTECTED] 
).  I am able to successfully connect from Windows XP clients ( with no 
password ), but not from Windows 2000 ( even when specifying a password 
).  With w2k, I always get Failed to verify incoming ticket!.

I think it has something to do with the key type of the Kerberos tickets 
( etype or enctype in krb5.conf ).  Does Windows 2000 speak the same 
Kerberos 5 as Windows XP?  Which key types are used by Windows?  How do 
I know which enctype I need, and why doesn't the default enctype setting 
negotiate something that works?

It might also have something to do with trust relationships, since my 
samba machine is in domain D1.DOMAIN.COM, but my users are in domain 
D2.DOMAIN.COM.  (And my client machine is in D3.DOMAIN.COM).  Each of 
these domains is an active directory tree, with trust relationships 
between them...

But it works with an XP client, so what's different between XP and 
Windows 2000?

Thanks,
Gordon
Configuration files follow.
-
# smb.conf:
[global]
workgroup = D1
realm = D1.DOMAIN.COM
security = ADS
password server = d1dc02.d1.domain.com
log file = /etc/samba/samba.log
[t]
comment = Test Share
path = /tmp
read only = No
guest ok = Yes
browseable = Yes
-
# krb5.conf:
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
default_realm = D1.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
# According to 
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# the only supported encryption types are des3-hmac-sha1 and des-cbc-crc.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html 
suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5

[realms]
D1.DOMAIN.COM = {
 kdc = d1dc01.d1.domain.com
}
D2.DOMAIN.COM = {
 kdc = d2dc01.d2.domain.com
}
--
# from an XP machine in the d2 Domain
C:\> net use * \\samba07\t
Drive Y: is now connected to \\samba07\t .
The command completed successfully.
-
# from an XP machine NOT in the Domain
C:\> net use * \\samba07\t
The password or user name is invalid for \\samba07\t .
Enter the user name for 'samba07': d2\username
Enter the password for samba07:
Drive Z: is now connected to \\samba07\t .
The command completed successfully.
--
# from a Windows 2000 machine in the d2 Domain:
C:\> net use * \\samba07\t
The password or user name is invalid for \\samba07\t.
Type the password for \\samba07\t:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
C:\> net use * \\samba07\t /USER:d2\username
The password or user name is invalid for \\samba07\t .
Type the password for \\samba07\t :
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
# I get this message in the samba.log:
[2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
 Failed to verify incoming ticket!

# List of relevant packages (These are the latest updates available for 
RHEL 3)
$ rpm -qa | egrep 'krb5|samba'
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
krb5-workstation-1.2.7-28
samba-3.0.7-1.3E
samba-client-3.0.7-1.3E
samba-common-3.0.7-1.3E


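Gordon's krb5.conf pins default_tkt_enctypes and default_tgs_enctypes to des3-hmac-sha1 and des-cbc-crc because the MIT krb5 1.2.x he had supported nothing else; the usual reason for the "upgrade Kerberos" advice in threads of this era is the RC4-HMAC enctype that Windows 2000 and XP domains rely on, which the MIT 1.3 series added. The caveat has since flipped: single DES is disabled by default in MIT Kerberos unless allow_weak_crypto is set (and has been removed from recent releases), RC4-HMAC is deprecated by both MIT and Microsoft, and AD domain controllers issue AES tickets. The audit below is an added example, not part of this thread, of Samba or of MIT Kerberos: it parses the [libdefaults] section of a krb5.conf, classifies each enctype listed, reports the worst one, and says whether AES is present at all. PAGE_KRB5_CONF is Gordon's file as posted with the comments trimmed; HARDENED_KRB5_CONF and the classification table are my own.

```python
"""
Audit the enctype lists in a krb5.conf [libdefaults] section for a Samba AD
member.  Added example, not Samba or MIT Kerberos code: the classification
table is my own summary, PAGE_KRB5_CONF is the file posted in the thread and
HARDENED_KRB5_CONF is constructed.
"""
import re

# Classes for enctype names (MIT spellings, lower-cased):
#   broken : single DES; off by default in MIT krb5 unless allow_weak_crypto
#            = true, and removed from recent releases
#   weak   : RC4-HMAC; the key is the NT hash, deprecated by MIT and Microsoft
#   legacy : 3DES; deprecated in MIT and never supported by Active Directory
#   ok     : AES; what AD domain controllers issue
ENCTYPE_CLASS = {
    "des-cbc-crc": "broken", "des-cbc-md5": "broken", "des-cbc-md4": "broken",
    "des-hmac-sha1": "broken", "des": "broken",
    "arcfour-hmac-exp": "broken", "rc4-hmac-exp": "broken",   # 40-bit export RC4
    "arcfour-hmac": "weak", "arcfour-hmac-md5": "weak", "rc4-hmac": "weak",
    "des3-cbc-sha1": "legacy", "des3-hmac-sha1": "legacy", "des3-cbc-sha1-kd": "legacy",
    "aes256-cts-hmac-sha1-96": "ok", "aes256-cts": "ok", "aes256-sha1": "ok",
    "aes128-cts-hmac-sha1-96": "ok", "aes128-cts": "ok", "aes128-sha1": "ok",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
RANK = {"ok": 0, "unknown": 1, "legacy": 2, "weak": 3, "broken": 4}

PAGE_KRB5_CONF = """\
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
default_realm = D1.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
# the only supported encryption types are des3-hmac-sha1 and des-cbc-crc.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
[realms]
D1.DOMAIN.COM = {
 kdc = d1dc01.d1.domain.com
}
"""

HARDENED_KRB5_CONF = """\
[libdefaults]
    default_realm = D1.DOMAIN.COM
    dns_lookup_kdc = true
    # Pin to AES; omitting the enctype keys entirely also yields an AES-first default list.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    D1.DOMAIN.COM = {
        kdc = d1dc01.d1.domain.com
    }
"""


def libdefaults(text):
    """Key/value pairs at the top level of [libdefaults]; brace blocks are skipped."""
    section, depth, values = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m and depth == 0:
            section = m.group(1).lower()
            continue
        if section == "libdefaults" and depth == 0 and "=" in line \
                and not line.endswith("{"):
            key, val = (s.strip() for s in line.split("=", 1))
            values[key.lower()] = val
        depth += line.count("{") - line.count("}")
    return values


def audit_krb5_conf(text):
    """Classify every listed enctype; verdict is the worst class found."""
    vals = libdefaults(text)
    keys, worst = {}, "ok"
    for key in ENCTYPE_KEYS:
        if key in vals:
            classes = [(e, ENCTYPE_CLASS.get(e.lower(), "unknown"))
                       for e in vals[key].split()]
            keys[key] = classes
            for _, cls in classes:
                if RANK[cls] > RANK[worst]:
                    worst = cls
    allow_weak = vals.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1")
    aes_listed = any(cls == "ok" for cl in keys.values() for _, cls in cl)
    return {
        "keys": keys,
        "allow_weak_crypto": allow_weak,
        # no enctype keys at all means the library default list, which is AES-first
        "ad_aes_present": aes_listed or not keys,
        "verdict": worst if keys else "defaults",
    }


if __name__ == "__main__":
    for name, conf in (("as posted", PAGE_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        r = audit_krb5_conf(conf)
        print(f"{name}: verdict={r['verdict']} aes={r['ad_aes_present']} "
              f"allow_weak_crypto={r['allow_weak_crypto']}")
        for key, classes in r["keys"].items():
            print("  ", key, " ".join(f"{e}[{c}]" for e, c in classes))
```

A verdict of "broken" with allow_weak_crypto false means the DES entries are not merely weak but ignored by the library, so the effective list may be empty; the fix is to drop the pinned enctypes or pin AES, and to check with `net ads testjoin` afterwards that the machine account has AES keys.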


Re: [Samba] Samba ADS -- works with XP Pro, but not 2000 Pro

2004-10-14 Thread Christoph Scheeder
Hi,
AFAIR, this is a known problem with w2k clients.
You have to upgrade your kerberos to something newer than 1.3,
preferably to the latest available version.
Christoph
Gordon Hopper schrieb:
I am using Samba with Active Directory.  I have successfully joined my 
Samba server to the domain D1 ( net ads join -U [EMAIL PROTECTED] 
).  I am able to successfully connect from Windows XP clients ( with no 
password ), but not from Windows 2000 ( even when specifying a password 
).  With w2k, I always get Failed to verify incoming ticket!.

I think it has something to do with the key type of the Kerberos tickets 
( etype or enctype in krb5.conf ).  Does Windows 2000 speak the same 
Kerberos 5 as Windows XP?  Which key types are used by Windows?  How do 
I know which enctype I need, and why doesn't the default enctype setting 
negotiate something that works?

It might also have something to do with trust relationships, since my 
samba machine is in domain D1.DOMAIN.COM, but my users are in domain 
D2.DOMAIN.COM.  (And my client machine is in D3.DOMAIN.COM).  Each of 
these domains is an active directory tree, with trust relationships 
between them...

But it works with an XP client, so what's different between XP and 
Windows 2000?

Thanks,
Gordon
Configuration files follow.
-
# smb.conf:
[global]
workgroup = D1
realm = D1.DOMAIN.COM
security = ADS
password server = d1dc02.d1.domain.com
log file = /etc/samba/samba.log
[t]
comment = Test Share
path = /tmp
read only = No
guest ok = Yes
browseable = Yes
-
# krb5.conf:
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
default_realm = D1.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
# According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# the only supported encryption types are des3-hmac-sha1 and des-cbc-crc.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5

[realms]
D1.DOMAIN.COM = {
 kdc = d1dc01.d1.domain.com
}
D2.DOMAIN.COM = {
 kdc = d2dc01.d2.domain.com
}
--
# from an XP machine in the d2 Domain
C:\> net use * \\samba07\t
Drive Y: is now connected to \\samba07\t .
The command completed successfully.
-
# from an XP machine NOT in the Domain
C:\> net use * \\samba07\t
The password or user name is invalid for \\samba07\t .
Enter the user name for 'samba07': d2\username
Enter the password for samba07:
Drive Z: is now connected to \\samba07\t .
The command completed successfully.
--
# from a Windows 2000 machine in the d2 Domain:
C:\> net use * \\samba07\t
The password or user name is invalid for \\samba07\t.
Type the password for \\samba07\t:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
C:\> net use * \\samba07\t /USER:d2\username
The password or user name is invalid for \\samba07\t .
Type the password for \\samba07\t :
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
# I get this message in the samba.log:
[2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
 Failed to verify incoming ticket!

# List of relevant packages (These are the latest updates available for RHEL 3)
$ rpm -qa | egrep 'krb5|samba'
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
krb5-workstation-1.2.7-28
samba-3.0.7-1.3E
samba-client-3.0.7-1.3E
samba-common-3.0.7-1.3E




Re: [Samba] Samba ADS -- works with XP Pro, but not 2000 Pro

2004-10-14 Thread Doug VanLeuven
Gordon Hopper wrote:
# According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# the only supported encryption types are des3-hmac-sha1 and des-cbc-crc.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5

At the time, I was working from the MS KB article on permitted enctypes
http://support.microsoft.com/default.aspx?scid=kb;en-us;296842
and the IBM AIX security guide for authenticating to a 2000 ADS domain 
controller with an older version kerberos
http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixbman/security/securitytfrm.htm

It may very well be the only acceptable enctype is des-cbc-crc 
considering the limitation of that version of kerberos.  But MS seems to 
suggest the only acceptable enctypes for AD are rc4-hmac, des-cbc-crc 
and des-cbc-md5

Regards, Doug
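The enctype negotiation this thread turns on (Gordon's krb5.conf lists des3-hmac-sha1 and des-cbc-crc, Christoph advises a Kerberos newer than 1.3, Doug quotes Microsoft's list of rc4-hmac, des-cbc-crc and des-cbc-md5), as an added example that is not code from the original posts, from Samba or from MIT Kerberos: a Python audit that parses the [libdefaults] section of a krb5.conf, classifies every enctype it names, and emits a corrected [libdefaults]. The classification reflects the current state of the software rather than 2004: single DES is disabled by default in MIT krb5 1.8 and later (only allow_weak_crypto = true re-enables it) and is no longer issued by AD domain controllers from Windows Server 2008 R2 on; the des3 types were never implemented by AD at all, so listing them first, as Gordon's file does, only adds a negotiation round that cannot succeed; rc4-hmac is what Windows 2000/XP used and what MIT krb5 gained in 1.3; AES is what current clients and DCs negotiate. Samba verifies the client's service ticket with the keys of its own machine account, and that can only succeed for an enctype the Kerberos library it is linked against implements, which is why the krb5 version matters for "Failed to verify incoming ticket!". The sample config is a copy of the krb5.conf posted in this thread with its wrapped comments rejoined; all function and variable names are the example's own.

```python
"""Audit and correct the enctype settings in a krb5.conf [libdefaults] section.

Added example for this thread; not code from the original posts, from Samba
or from MIT Kerberos. Enctype names follow MIT krb5 spelling.
"""
import re

# Single-DES types: disabled by default in MIT krb5 >= 1.8 (allow_weak_crypto
# = true is needed to use them) and not issued by AD DCs from 2008 R2 on.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des"}
# Still implemented but deprecated. AD never implemented the des3 types, so
# listing them only adds a round of negotiation that can never succeed.
LEGACY = {"rc4-hmac", "rc4-hmac-md5", "arcfour-hmac", "arcfour-hmac-md5",
          "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd", "des3"}
MODERN = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
          "aes256-cts", "aes128-cts", "aes256-sha2", "aes128-sha2",
          "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128", "aes"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Copy of the krb5.conf posted in this thread (wrapped comments rejoined).
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = D1.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 # the only supported encryption types are des3-hmac-sha1 and des-cbc-crc.
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 D1.DOMAIN.COM = {
  kdc = d1dc01.d1.domain.com
 }
 D2.DOMAIN.COM = {
  kdc = d2dc01.d2.domain.com
 }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the top-level settings of each section.

    Realm sub-blocks ("NAME = { ... }") are skipped rather than parsed, and
    '#' / ';' comments and blank lines are ignored.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
            continue
        depth += line.count("{") - line.count("}")
        if current is None or depth > 0 or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def classify(enctype):
    """'weak', 'legacy', 'modern' or 'unknown' for one enctype name."""
    name = enctype.lower()
    if name in WEAK:
        return "weak"
    if name in LEGACY:
        return "legacy"
    if name in MODERN:
        return "modern"
    return "unknown"


def audit_enctypes(text):
    """List (setting, enctype, class) for every enctype named in [libdefaults]."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    return [(key, et, classify(et))
            for key in ENCTYPE_KEYS if key in libdefaults
            for et in libdefaults[key].split()]


def findings(text):
    """Human-readable problems with the enctype lists; empty if there are none."""
    classes = {c for _, _, c in audit_enctypes(text)}
    out = []
    if "weak" in classes:
        out.append("single-DES enctypes listed: rejected by MIT krb5 >= 1.8 unless "
                   "allow_weak_crypto = true, and not issued by current AD DCs")
    if classes and "modern" not in classes:
        out.append("no AES enctype listed: service tickets can only be RC4 or DES")
    if "unknown" in classes:
        out.append("unrecognised enctype name(s); check for typos")
    return out


def corrected_libdefaults(text, keep_rc4=False):
    """Rewrite [libdefaults] with AES first; keep_rc4 adds rc4-hmac for old DCs/accounts."""
    libdefaults = dict(parse_krb5_conf(text).get("libdefaults", {}))
    types = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
    if keep_rc4:
        types.append("rc4-hmac")
    for key in ENCTYPE_KEYS:
        libdefaults[key] = " ".join(types)
    return "\n".join(["[libdefaults]"] + [f" {k} = {v}" for k, v in libdefaults.items()])


if __name__ == "__main__":
    for setting, enctype, cls in audit_enctypes(SAMPLE_KRB5_CONF):
        print(f"{setting:22} {enctype:18} {cls}")
    for problem in findings(SAMPLE_KRB5_CONF):
        print("!", problem)
    print(corrected_libdefaults(SAMPLE_KRB5_CONF, keep_rc4=True))
```

Run against the posted file it reports both enctype lists as des3 (legacy) plus single DES (weak) and that no AES type is configured. On a current MIT krb5 the simplest correct fix is to delete the three enctype lines altogether and let the library negotiate; the rewritten section is for hosts that must pin the list, and keep_rc4 should only be set while a DC or service account still lacks AES keys.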


[Samba] Samba - ADS Auth.

2004-08-05 Thread igor
I having some problems trying to get samba to authenticate in Windows 2000
AD Server.

I have added UNIX schemes in AD (using AD$Unix from CSS Solutions).

Log on with AD users works fine (ssh / tty login), as you can see:

[EMAIL PROTECTED] root]# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Wed Aug  4 15:02:50 2004 from tta34-arcon
-bash-2.05b$

I have configured Samba as documentation says (Samba by examples chapter
11, and others), see my config file below. ntlm_auth (from Samba 3) works
fine too.

[EMAIL PROTECTED] root]# ntlm_auth --username=prtest
password:
NT_STATUS_OK: Success (0x0)

But smbclient doesn't work :-(

[EMAIL PROTECTED] root]# smbclient -L //applinux/ -U prtest -W proderj -I 10.10.1.10
Password:
session setup failed: Call timed out: server did not respond after 2 milliseconds

Why does this happen? How can I solve it? (I'm using pam_mount too; my PAM
files are below as well.)

Here goes confs, logs and outputs.

[EMAIL PROTECTED] root]# cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)

[EMAIL PROTECTED] root]# uname -a
Linux APPLINUX 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386
GNU/Linux

[EMAIL PROTECTED] root]# rpm -qi samba
Name        : samba                        Relocations: /usr
Version     : 3.0.5                             Vendor: Samba Team
Release     : 2                             Build Date: Tue 20 Jul 2004 02:59:05 PM BRT
Install Date: Tue 03 Aug 2004 03:23:51 PM BRT      Build Host: rh9
Group       : System Environment/Daemons   Source RPM: samba-3.0.5-2.src.rpm
Size        : 44476449                         License: GNU GPL version 2
Signature   : DSA/SHA1, Tue 20 Jul 2004 03:28:53 PM BRT, Key ID d7790a5f2f87af6f
Packager    : Gerald Carter [Samba-Team] [EMAIL PROTECTED]
Summary     : The Samba SMB server.
Description :
Description :
Samba is the protocol by which a lot of PC-related machines share
files, printers, and other information (such as lists of available
files and printers). The Windows NT, OS/2, and Linux operating systems
support this natively, and add-on packages can enable the same thing
for DOS, Windows, VMS, UNIX of all kinds, MVS, and more. This package
provides an SMB server that can be used to provide network services to
SMB (sometimes called Lan Manager) clients. Samba uses NetBIOS over
TCP/IP (NetBT) protocols and does NOT need the NetBEUI (Microsoft Raw
NetBIOS frame) protocol.

[EMAIL PROTECTED] root]# cat /etc/samba/smb.conf
[global]
workgroup = PRODERJ
netbios name = APPLINUX
server string = Servidor de Aplicacao Linux

# Authentication
realm = PRODERJ.RJ.GOV.BR
security = ADS
password server = 10.10.1.5
encrypt passwords = yes
winbind separator = /
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /tmp
template shell = /bin/bash

# printing
printcap name = /etc/printcap
load printers = yes
printing = cups

# Log
log file = /var/log/samba/%m.log
max log size = 0
username level = 8

# Password
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes

# User
username map = /etc/samba/smbusers
obey pam restrictions = yes

# Networking
wins server = 10.10.1.5
dns proxy = no

[homes]
comment = Home Directories
browseable = no
writeable = yes
valid users = %S
create mode = 0664
directory mode = 0775


[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes

[floppy]
comment = Disquete do servidor
path =  /mnt/floppy
read only = yes
public = yes
preexec = /bin/mount /mnt/floppy
postexec = /bin/umount /mnt/floppy

[cdrom]
comment = CD-ROM do servidor
path = /mnt/cdrom
read only = yes
public = yes
preexec = /bin/mount /mnt/cdrom
postexec = /bin/umount /mnt/cdrom

[EMAIL PROTECTED] root]# cat /etc/pam.d/login
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

[EMAIL PROTECTED] root]# cat /etc/pam.d/samba
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth-winbind
account    required     pam_stack.so service=system-auth-winbind
session    required     pam_stack.so service=system-auth-winbind
password   required     pam_stack.so service=system-auth-winbind

[EMAIL PROTECTED] root]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth

Re: [Samba] Samba + ADS + User Accounts

2004-07-21 Thread Christoph Scheeder
Hi,
yes, samba can do that, kind of ;-)
What you want is realized via pam.
You need to install the pam_mkhomedir module and configure it for all
services your users use to connect to your server.
After that the home-dir for each user will be created automagically the
first time the user tries to access the server.
But don't ask me how to do it on Fedora, because I don't know it.
pam with all its tricks and traps is very distribution-specific.
If you used Debian I could tell you more...
Christoph
Dan Strohschein schrieb:
Hello,

We have a windows 2003 server hosting ADS. We also have a fedora core 2 file
server running samba 3.0.2a.

We have it currently configured to join the ADS domain. We can use Winbind
to see users, groups, etc. We can even browse samba shares from windows
computers. However, one thing we don't know:

What we want to do is when a user is added to ADS for samba to create a user
directory (like it does when you run adduser in linux) with proper
ownership of that directory. Can samba do this? If so, how do we set up
samba to do that??

Thanks

Dan Strohschein
Director of Software
The Wifi Link




[Samba] Samba + ADS + User Accounts

2004-07-20 Thread Dan Strohschein
Hello,

We have a windows 2003 server hosting ADS. We also have a fedora core 2 file
server running samba 3.0.2a.

We have it currently configured to join the ADS domain. We can use Winbind
to see users, groups, etc. We can even browse samba shares from windows
computers. However, one thing we don't know:

What we want to do is when a user is added to ADS for samba to create a user
directory (like it does when you run adduser in linux) with proper
ownership of that directory. Can samba do this? If so, how do we set up
samba to do that??

Thanks

Dan Strohschein
Director of Software
The Wifi Link



[Samba] Samba ADS Help

2004-05-05 Thread Talwar, Puneet (NIH/NIAID)
I have been having a hard time logging into a RH AS 3.0 box using my MS AD account
and password.  I did successfully set up winbind, krb5 and samba without any
major complications.  But when it came to logging in, I investigated why I am
not able to log into the Linux box using my AD account and password.  I used
the following URL example to set up winbind and samba.

http://www.wlug.org.nz/ActiveDirectorySamba

As well, here is my /etc/pam.d/login file.

#%PAM-1.0
auth        required     pam_securetty.so
auth        sufficient   pam_winbind.so
auth        sufficient   pam_unix.so use_first_pass
auth        required     pam_stack.so service=system-auth
auth        required     pam_nologin.so
account     sufficient   pam_winbind.so
account     required     pam_stack.so service=system-auth
password    required     pam_stack.so service=system-auth
session     required     pam_stack.so service=system-auth
session     optional     pam_console.so

--
Puneet Talwar
Contractor - CIPS
UNIX Administrator
Rockledge 6610/2058
301-451-9971
(c) 301-252-5366
 
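The pam_mkhomedir setup Christoph Scheeder describes for Dan's question above, and the /etc/pam.d/login stack in the post just above, as an added example that is not code from the original posts or from Linux-PAM: a Python helper that parses a pam.d service file into its entries, shows one management group's stack in evaluation order (so you can see which sufficient module actually decides an auth), and inserts a pam_mkhomedir session line idempotently. The sample file is a copy of the login file posted here; skel= and umask= are real pam_mkhomedir options, and umask=0077 keeps a freshly created home directory private instead of the module's world-readable 0022 default. On the RHEL layout both posts show, where login and samba delegate to system-auth or system-auth-winbind through pam_stack, the line belongs in that shared file so every service that stacks it gets the directory; the function works on either. Names of functions, the PamEntry type and the sample constant are the example's own.

```python
"""Parse a pam.d service file, inspect its stacks, and add pam_mkhomedir.

Added example for this thread; not code from the original posts or from Linux-PAM.
"""
import re
from dataclasses import dataclass

# type  control  module  [args...]; control may be the bracketed "[value=action ...]"
# form, and a leading '-' on the type marks a module that may be missing.
PAM_LINE = re.compile(
    r"^\s*(-?(?:auth|account|password|session))\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*?)\s*$")

# Copy of the /etc/pam.d/login posted in this thread.
LOGIN_PAM = """\
#%PAM-1.0
auth        required     pam_securetty.so
auth        sufficient   pam_winbind.so
auth        sufficient   pam_unix.so use_first_pass
auth        required     pam_stack.so service=system-auth
auth        required     pam_nologin.so
account     sufficient   pam_winbind.so
account     required     pam_stack.so service=system-auth
password    required     pam_stack.so service=system-auth
session     required     pam_stack.so service=system-auth
session     optional     pam_console.so
"""


@dataclass
class PamEntry:
    kind: str     # auth | account | password | session, possibly with a leading '-'
    control: str  # required | requisite | sufficient | optional | [value=action ...]
    module: str   # e.g. pam_winbind.so
    args: str     # module arguments, possibly empty


def parse_pam(text):
    """Return the file's entries in stack order; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append(PamEntry(*m.groups()))
    return entries


def stack(entries, kind):
    """(control, module) pairs of one management group, in evaluation order."""
    return [(e.control, e.module) for e in entries if e.kind.lstrip("-") == kind]


def has_module(entries, kind, module):
    return any(e.kind.lstrip("-") == kind and e.module == module for e in entries)


def add_mkhomedir(text, skel="/etc/skel", umask="0077"):
    """Insert a pam_mkhomedir session line before the first session entry.

    Putting it first means the home directory exists before later session
    modules (pam_mount, pam_winbind's own session handling) run. The text is
    returned unchanged if the module is already stacked, so re-running is safe.
    """
    if has_module(parse_pam(text), "session", "pam_mkhomedir.so"):
        return text
    new_line = f"session     required     pam_mkhomedir.so skel={skel} umask={umask}"
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        m = PAM_LINE.match(raw.split("#", 1)[0])
        if m and m.group(1).lstrip("-") == "session":
            lines.insert(i, new_line)
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    entries = parse_pam(LOGIN_PAM)
    for control, module in stack(entries, "auth"):
        print(f"auth {control:11} {module}")
    print(add_mkhomedir(LOGIN_PAM))
```

The auth listing for the posted file shows pam_securetty running first as required, then pam_winbind and pam_unix as sufficient; whichever of those two succeeds first ends the auth stack, and if both fail the remaining required modules still run before the failure is reported. Note that parse_pam raises on a line it cannot read rather than skipping it, since a silently dropped line in a PAM file is exactly the kind of error that locks people out.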

