[Samba] SaMBa and Active Directory Functional Level
Hi all,

We have an Active Directory domain with two Windows Server 2008 R2 domain controllers, but our domain functional level is still Windows Server 2003. We would like to raise the functional level to Windows Server 2008 R2, but due to the age of some of our SaMBa installations, I would like to know which is the earliest version of SaMBa which supported Active Directory at the Windows Server 2008 R2 functional level.

Raising the functional level is irreversible, and one of the SaMBa installations is on a SUN (now Oracle) server running a version of SaMBa (3.6.8) which is unlikely to be upgraded anytime soon; so if it turns out to be incompatible, we will be in deep trouble.

Thank you for your help.

Yours,
David del Campo
Re: [Samba] Samba with Active directory integration problem
What is the lwopen idmap backend? First I've heard of that one :-) Also, why are you setting your homedir template as /dev/null, and yet shell as /bin/true? That's pretty goofy.. =-O

On 07/10/2012 07:20 AM, velusamy Krishnan wrote:
> Hi,
>
> I have followed all the steps given in https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto to integrate Samba with Active Directory. I have the following configuration file:
>
> [global]
> workgroup = ASSURANCE
> security = ads
> realm = ASSURANCE.LOCAL
> encrypt passwords = yes
> winbind separator = +
> idmap backend = lwopen
> idmap uid = 1-2
> idmap gid = 1-2
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /dev/null
> template shell = /bin/true
>
> [adshare]
> path = /home/velusamy/Pictures/
> writable = yes
> valid users = ASSURANCE+velu
> browseable = yes
>
> Now, executed the smb-client.
>
> smbclient //192.168.5.136/adshare -U velu
>
> It asked for the password; given, it connected to the share. But I was unable to access the share from a different machine which is connected in the same network. It said the following error.
>
> smbclient //192.168.5.136/adshare -U velu
> Enter velu's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Kindly anyone please help me out from this problem. I could not solve this issue for the last two days. Please help me out.
>
> Thanks,
> Velusamy.
[Samba] Samba with Active directory integration problem
Hi,

I have followed all the steps given in https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto to integrate Samba with Active Directory. I have the following configuration file:

[global]
workgroup = ASSURANCE
security = ads
realm = ASSURANCE.LOCAL
encrypt passwords = yes
winbind separator = +
idmap backend = lwopen
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /dev/null
template shell = /bin/true

[adshare]
path = /home/velusamy/Pictures/
writable = yes
valid users = ASSURANCE+velu
browseable = yes

Now, executed the smb-client.

smbclient //192.168.5.136/adshare -U velu

It asked for the password; given, it connected to the share. But I was unable to access the share from a different machine which is connected in the same network. It said the following error.

smbclient //192.168.5.136/adshare -U velu
Enter velu's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Kindly anyone please help me out from this problem. I could not solve this issue for the last two days. Please help me out.

Thanks,
Velusamy.
Re: [Samba] Samba and Active Directory 2008
Yeah, I've got files/compat and winbind in the nssconfig.conf file, still can't get it to pull the UID from active directory. I'm going to keep trying various options, but if anyone had any suggestions that would be great.

Thanks

On Tue, Jul 12, 2011 at 3:43 AM, Puyal Tolosa, Noé npu...@valls.cat wrote:
> The important part is that you insert winbind keyword just after the files keyword
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Keith
> Sent: Monday, 11 July 2011 17:33
> To: samba@lists.samba.org
> Subject: Re: [Samba] Samba and Active Directory 2008
>
> Yeah, but I'm not using compat, but files. Not sure if it makes a big difference?
>
> Thanks
>
> On Mon, Jul 11, 2011 at 10:06 AM, Robert Freeman-Day pres...@gmail.com wrote:
>> Have you also edited your /etc/nsswitch.conf file to pull those entries properly? You should at least have it looking like below:
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
Re: [Samba] Samba and Active Directory 2008
The important part is that you insert winbind keyword just after the files keyword

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Keith
Sent: Monday, 11 July 2011 17:33
To: samba@lists.samba.org
Subject: Re: [Samba] Samba and Active Directory 2008

Yeah, but I'm not using compat, but files. Not sure if it makes a big difference?

Thanks

On Mon, Jul 11, 2011 at 10:06 AM, Robert Freeman-Day pres...@gmail.com wrote:
> Have you also edited your /etc/nsswitch.conf file to pull those entries properly? You should at least have it looking like below:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
[Samba] Samba and Active Directory 2008
I was wondering if anyone has had any luck getting samba working with a Windows 2008 domain? I've got mine working for the most part except for UID lookups. I've got identity management for unix installed on the windows box and have several users configured with custom home directories, login shell, and UID on the Unix attributes tab.

My samba server is joined to the domain, wbinfo -u and -g both provide a list of users and groups. When I run getent passwd I get a list of local users and domain users. With the domain users it pulls the home directory and login shell just fine from active directory, but I can't get it to pull the UID. I've got it set up and working using RID, which is ok, but we would rather get it working with the UID.

I'm using samba version 3.5.4 and here is a copy of the global settings:

workgroup=test
realm=pizza.com
security=ads
password server = password-server.pizza.com
idmap uid = 1 - 2
idmap guid = 1 - 2
idmap backend = rid:pizza.com=1-2
winbind use default domain = yes
winbind enum users = yes
winbind refresh tickets = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
winbind nss info = rfc2307
client ldap sasl wrapping = sign

Any help would be greatly appreciated.

Thanks
Keith
Re: [Samba] Samba and Active Directory 2008
On 07/11/2011 10:09 AM, Keith wrote:
> I was wondering if anyone has had any luck getting samba working with a Windows 2008 domain? I've got mine working for the most part except for UID lookups. I've got identity management for unix installed on the windows box and have several users configured with custom home directories, login shell, and UID on the Unix attributes tab.
>
> My samba server is joined to the domain, wbinfo -u and -g both provide a list of users and groups. When I run getent passwd I get a list of local users and domain users. With the domain users it pulls the home directory and login shell just fine from active directory, but I can't get it to pull the UID. I've got it set up and working using RID, which is ok, but we would rather get it working with the UID.
>
> I'm using samba version 3.5.4 and here is a copy of the global settings:
>
> workgroup=test
> realm=pizza.com
> security=ads
> password server = password-server.pizza.com
> idmap uid = 1 - 2
> idmap guid = 1 - 2
> idmap backend = rid:pizza.com=1-2
> winbind use default domain = yes
> winbind enum users = yes
> winbind refresh tickets = yes
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> restrict anonymous = 2
> winbind nss info = rfc2307
> client ldap sasl wrapping = sign
>
> Any help would be greatly appreciated.
>
> Thanks
> Keith

Have you also edited your /etc/nsswitch.conf file to pull those entries properly? You should at least have it looking like below:

passwd: compat winbind
group: compat winbind
shadow: compat

--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
Re: [Samba] Samba and Active Directory 2008
Yeah, but I'm not using compat, but files. Not sure if it makes a big difference?

Thanks

On Mon, Jul 11, 2011 at 10:06 AM, Robert Freeman-Day pres...@gmail.com wrote:
> On 07/11/2011 10:09 AM, Keith wrote:
>> I was wondering if anyone has had any luck getting samba working with a Windows 2008 domain? I've got mine working for the most part except for UID lookups. I've got identity management for unix installed on the windows box and have several users configured with custom home directories, login shell, and UID on the Unix attributes tab.
>>
>> My samba server is joined to the domain, wbinfo -u and -g both provide a list of users and groups. When I run getent passwd I get a list of local users and domain users. With the domain users it pulls the home directory and login shell just fine from active directory, but I can't get it to pull the UID. I've got it set up and working using RID, which is ok, but we would rather get it working with the UID.
>>
>> I'm using samba version 3.5.4 and here is a copy of the global settings:
>>
>> workgroup=test
>> realm=pizza.com
>> security=ads
>> password server = password-server.pizza.com
>> idmap uid = 1 - 2
>> idmap guid = 1 - 2
>> idmap backend = rid:pizza.com=1-2
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind refresh tickets = yes
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = yes
>> restrict anonymous = 2
>> winbind nss info = rfc2307
>> client ldap sasl wrapping = sign
>>
>> Any help would be greatly appreciated.
>>
>> Thanks
>> Keith
>
> Have you also edited your /etc/nsswitch.conf file to pull those entries properly? You should at least have it looking like below:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> --
> Robert Freeman-Day
> https://launchpad.net/~presgas
> GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36
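The nsswitch.conf ordering discussed in this thread (winbind listed after files or compat for the passwd and group databases) can be checked mechanically. The following is an added example, not part of any message in the thread; the function name check_nss_winbind and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that an nsswitch.conf-style file lists winbind
# after a local source (files or compat) for passwd and group.
# check_nss_winbind is a hypothetical helper name.

# check_nss_winbind FILE
#   prints "<db>: <state>" for passwd and group, where state is one of
#   ok, missing-winbind, no-local-source, winbind-before-local, no-entry
#   returns 0 only if both databases are "ok"
check_nss_winbind() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 == "passwd:" || $1 == "group:" {
            db = substr($1, 1, length($1) - 1)
            local_pos = 0; wb_pos = 0
            for (i = 2; i <= NF; i++) {
                if (($i == "files" || $i == "compat") && !local_pos) local_pos = i
                if ($i == "winbind" && !wb_pos) wb_pos = i
            }
            if (!wb_pos)                   state = "missing-winbind"
            else if (!local_pos)           state = "no-local-source"
            else if (wb_pos < local_pos)   state = "winbind-before-local"
            else                           state = "ok"
            seen[db] = state
        }
        END {
            n = split("passwd group", dbs, " ")
            rc = 0
            for (k = 1; k <= n; k++) {
                s = (dbs[k] in seen) ? seen[dbs[k]] : "no-entry"
                print dbs[k] ": " s
                if (s != "ok") rc = 1
            }
            exit rc
        }
    ' "$1"
}

# Constructed sample files (not taken from any poster's machine).
tmp_nss=$(mktemp -d)
# The layout suggested in the thread.
printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' \
    'shadow: compat' > "$tmp_nss/suggested"
# winbind forgotten on the passwd line.
printf '%s\n' 'passwd: files' 'group: files winbind' > "$tmp_nss/partial"
# winbind placed before the local source.
printf '%s\n' 'passwd: winbind files' 'group: files winbind' > "$tmp_nss/reversed"

for f in suggested partial reversed; do
    echo "== $f"
    check_nss_winbind "$tmp_nss/$f" || echo "   needs attention"
done
```

On a real host the function would be pointed at /etc/nsswitch.conf; a passing result only confirms the lookup order, not that winbind returns the UID stored in Active Directory.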
[Samba] Samba and active Directory
hi all,

yes the good old topic where most people have a problem with :)

I have a Windows 2003 Active Directory Server and want that users on this directory are able to login on a Samba Share. The authentication with wbinfo -a user%password works and I already joined the domain with net ads join.

I am also able to authenticate as directory user with his directory password, BUT only if this username also exists in the /etc/passwd file. Users whose username is not in the local passwd file cannot login.

I use samba Version 3.0.37 on Solaris 10, here is my smb.conf:

[global]
workgroup = ABC
realm = ABC.DE
server string = Samba Server
security = ADS
map to guest = Bad User
password server = ABCDC01.abc.de ABCDC02.abc.de
use kerberos keytab = Yes
log file = /var/log/samba/log.%m
max log size = 50
time server = Yes
os level = 65
local master = No
domain master = No
wins support = Yes
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind use default domain = Yes

[test]
comment = test
path = /test
valid users = ABC+corpus, ABC+ahu
read only = No

The user ABC+corpus also exists locally and I am able to logon with his Directory password on the share, but not with the user ABC+ahu. If I just do useradd ahu I am able to logon with this user!

What am I doing wrong?

I also want that users from the directory will be mapped to the local user corpus from the access rights and would do this with force user = corpus on the share, would this be right?

Thanks for any help
Re: [Samba] Samba and active Directory
On Friday 14 May 2010 5:11:20 am Andreas Hubert wrote:
> hi all,
>
> yes the good old topic where most people have a problem with :)
>
> I have a Windows 2003 Active Directory Server and want that users on this directory are able to login on a Samba Share. The authentication with wbinfo -a user%password works and I already joined the domain with net ads join.
>
> I am also able to authenticate as directory user with his directory password, BUT only if this username also exists in the /etc/passwd file. Users whose username is not in the local passwd file cannot login.
>
> I use samba Version 3.0.37 on Solaris 10, here is my smb.conf:
>
> [global]
> workgroup = ABC
> realm = ABC.DE
> server string = Samba Server
> security = ADS
> map to guest = Bad User
> password server = ABCDC01.abc.de ABCDC02.abc.de
> use kerberos keytab = Yes
> log file = /var/log/samba/log.%m
> max log size = 50
> time server = Yes
> os level = 65
> local master = No
> domain master = No
> wins support = Yes
> idmap uid = 1-2
> idmap gid = 1-2
> winbind separator = +
> winbind use default domain = Yes
>
> [test]
> comment = test
> path = /test
> read only = No
>
> The user ABC+corpus also exists locally and I am able to logon with his Directory password on the share, but not with the user ABC+ahu. If I just do useradd ahu I am able to logon with this user!
>
> What am I doing wrong?
>
> I also want that users from the directory will be mapped to the local user corpus from the access rights and would do this with force user = corpus on the share, would this be right?
>
> Thanks for any help

Firstly, did you configure Kerberos properly? Nextly, and I could be wrong on this, but I think you need to change:

valid users = ABC+corpus, ABC+ahu

to:

valid users = @ABC+corpus @ABC+ahu

Dimitri
Re: [Samba] Samba and active Directory
On Friday 14 May 2010 11:28:05 am Dimitri Yioulos wrote:
> On Friday 14 May 2010 5:11:20 am Andreas Hubert wrote:
>> hi all,
>>
>> yes the good old topic where most people have a problem with :)
>>
>> I have a Windows 2003 Active Directory Server and want that users on this directory are able to login on a Samba Share. The authentication with wbinfo -a user%password works and I already joined the domain with net ads join.
>>
>> I am also able to authenticate as directory user with his directory password, BUT only if this username also exists in the /etc/passwd file. Users whose username is not in the local passwd file cannot login.
>>
>> I use samba Version 3.0.37 on Solaris 10, here is my smb.conf:
>>
>> [global]
>> workgroup = ABC
>> realm = ABC.DE
>> server string = Samba Server
>> security = ADS
>> map to guest = Bad User
>> password server = ABCDC01.abc.de ABCDC02.abc.de
>> use kerberos keytab = Yes
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> time server = Yes
>> os level = 65
>> local master = No
>> domain master = No
>> wins support = Yes
>> idmap uid = 1-2
>> idmap gid = 1-2
>> winbind separator = +
>>
>> [test]
>> comment = test
>> path = /test
>> read only = No
>>
>> The user ABC+corpus also exists locally and I am able to logon with his Directory password on the share, but not with the user ABC+ahu. If I just do useradd ahu I am able to logon with this user!
>>
>> What am I doing wrong?
>>
>> I also want that users from the directory will be mapped to the local user corpus from the access rights and would do this with force user = corpus on the share, would this be right?
>>
>> Thanks for any help
>
> Firstly, did you configure Kerberos properly? Nextly, and I could be wrong on this, but I think you need to change:
>
> valid users = ABC+corpus, ABC+ahu
>
> to:
>
> valid users = @ABC+corpus @ABC+ahu
>
> Dimitri

Oops, sorry on the valid users piece. What I told you applies to groups. But, since you have:

winbind use default domain = Yes

perhaps you only need to specify the user names in valid users.

Dimitri
[Samba] Samba and Active directory groups
Hi list,

I have successfully authenticated active directory users with samba. Now I need to create some Active directory security groups and authenticate and redirect those users to a specific directory.

Ex:
IT_GROUP - user x, user y
FIN_group - user a, user b

If the user x accesses the samba server, that user will be redirected to the specific directory (that's in the samba stanza).

This is my smb.conf

[global]
workgroup = xxx
realm = xxx.COM
preferred master = no
server string = Samba file and print server
security = ADS
encrypt passwords = yes
password server = *
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
auth methods = winbind
printcap name = cups
printing = cups

[homes]
comment = Home Directories
path = /home/IT
browseable = no
writable = yes
inherit acls = yes
inherit permissions = yes
#valid users = @ADGROUP+domain users
valid users = @ADGROUP+domain test_access1
#create mode = 0664
#directory mode = 0775

[IT]
comment = Home Directories
path = /home/IT
browseable = no
writable = yes
#valid users = @ADGROUP+domain users
directory mode = 0775
valid users = @ADGROUP+domain test_access2
write list = @ADGROUP+domain test_access2
read list = @ADGROUP+domain test_access2

If someone tries to access the samba server (\\sambaserver) it will create an ADusername directory on the server. (If user Mary accesses the server it will create a directory named mary automatically.)

I need to redirect them to a specific directory based on the Active directory group access. Can someone help me to solve the issue?

Thanks,
Tharanga
Re: [Samba] samba and active directory groups
humm am assuming that you want a share that is dynamic and that the group is defined by the primary unix group of the user. If so, try adding a share like this.

[group]
comment = my group folder %g
path = /path/to/folder/%g
browseable = yes
writable = yes

--
Damien Dye BSC(hon)

On 29 April 2010 23:55, Tharanga Abeyseela (RGA) tharanga.abeyse...@rexelga.com.au wrote:
> Hi list,
>
> I have successfully authenticated active directory users with samba. Now I need to create some Active directory security groups and authenticate and redirect those users to a specific directory.
>
> Ex:
> IT_GROUP - user x, user y
> FIN_group - user a, user b
>
> If the user x accesses the samba server, that user will be redirected to the specific directory (that's in the samba stanza).
>
> This is my smb.conf
>
> [global]
> workgroup = xxx
> realm = xxx.COM
> preferred master = no
> server string = Samba file and print server
> security = ADS
> encrypt passwords = yes
> password server = *
> log level = 3
> log file = /var/log/samba/%m
> max log size = 50
> winbind separator = +
> idmap uid = 1-2
> idmap gid = 1-2
> winbind enum users = yes
> winbind enum groups = yes
> auth methods = winbind
> printcap name = cups
> printing = cups
>
> [homes]
> comment = Home Directories
> path = /home/IT
> browseable = no
> writable = yes
> inherit acls = yes
> inherit permissions = yes
> #valid users = @ADGROUP+domain users
> valid users = @ADGROUP+domain test_access1
> #create mode = 0664
> #directory mode = 0775
>
> [IT]
> comment = Home Directories
> path = /home/IT
> browseable = no
> writable = yes
> #valid users = @ADGROUP+domain users
> directory mode = 0775
> valid users = @ADGROUP+domain test_access2
> write list = @ADGROUP+domain test_access2
> read list = @ADGROUP+domain test_access2
>
> If someone tries to access the samba server (\\sambaserver) it will create an ADusername directory on the server. (If user Mary accesses the server it will create a directory named mary automatically.)
>
> I need to redirect them to a specific directory based on the Active directory group access. Can someone help me to solve the issue?
>
> Thanks,
> Tharanga
[Samba] Samba and Active Directory
Hi all.

We currently have WinXP users connecting to a RHEL4 samba share authenticating to active directory (the WinXP clients are NOT part of the domain, and are out of our control). It all works fine.

We are now testing a CentOS5 samba share, with the same domain controller as before, but the WinXP users must login to the share as DOMAIN\username. As long as they prefix the login with the domain, it works all ok. But we'd prefer for this not to happen.

I tried to use the same smb.conf/krb/nsswitch etc, but it seems a lot has changed.

our RHEL4 runs samba-3.0.10-1.4E.11
our new CentOS5 runs samba-3.0.25c-1.2.el5

What changes do I need to get it working again? I'm a bit fuzzy on winbind.. but I did try winbind use default domain = Yes

So just to be sure: with samba 3.0.xx could users still authenticate to AD WITHOUT prefixing the domain like we used to do on RHEL4?

Thanks.
FW: [Samba] samba and active directory on win 2003
Victor,

I just spent hours searching for the solution to the same problem you are having using samba version 3.0.25b after an upgrade from version 3.0.10. The resolution for me was posted by Volker Lendecke:

> Make sure that the fully qualified domain name and your host name differ in the sense that you actually have a domain appended. Under Linux, hostname and hostname -f need to return different things, hostname -f should preferably show your AD domain name appended.
>
> Volker

My /etc/hosts had an alias that made hostname and hostname -r return the same value.

broken:
127.0.0.1 zelda localhost.localdomain localhost
172.16.1.29 zelda.ournetwork.org zelda

Works:
127.0.0.1 localhost.localdomain localhost
172.16.1.29 zelda.ournetwork.org zelda

Hope this helps
-jaan

-----Original Message-----
From: Victor Sterpu [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 08, 2008 3:36 PM
To: samba@lists.samba.org
Subject: [Samba] samba and active directory on win 2003

I use samba Version 3.0.25b-1.el5_1.4. When I try to join the domain adtest.ro I receive the following error:

[EMAIL PROTECTED] samba]# net ads join -U Administrator
Administrator's password:
Using short domain name -- ADTEST
Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials.
Deleted account for 'ZIMBRA' in realm 'ADTEST.RO'
Failed to join domain: Type or value exists

In the process of joining the domain samba refers to ADTEST-U5HTDLBY.ADTEST.RO instead of adtest.ro. I don't know why but I believe this is the cause of the problem.

hosts.conf contains this:

192.168.1.1 adtest.ro ADTEST-U5HTDLBY.ADTEST.RO

Kerberos authentication is ok:

kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:

returns no error.

samba.conf contains this configuration:

[global]
workgroup = ADTEST
realm = ADTEST.RO
password server = ADTEST-U5HTDLBY.ADTEST.RO
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-2
idmap gid = 600-2
;template primary group = Domain Users
template shell = /bin/bash

[homes]
comment = Home Direcotries
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes

Thank you.
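The /etc/hosts condition described in the message above (the machine's short name aliased onto the loopback line, so that the host name and its fully qualified name no longer differ) can be tested before attempting net ads join. This is an added example, not part of the original messages; check_hosts_fqdn and check_live_hostname are hypothetical helper names, and the sample files are constructed from the "broken" and "Works" entries quoted in the post.

```shell
#!/bin/sh
# Added example: detect the hosts-file layout that the post reports as
# breaking "net ads join".

# check_hosts_fqdn FILE SHORTNAME
#   returns 0  SHORTNAME is absent from loopback lines and some non-loopback
#              line has SHORTNAME.<domain> as its canonical (first) name
#   returns 1  SHORTNAME appears on a loopback line (127.x or ::1)
#   returns 2  no non-loopback line starts its names with SHORTNAME.<domain>
check_hosts_fqdn() {
    awk -v host="$2" '
        { sub(/#.*/, "") }              # strip comments
        NF < 2 { next }                 # skip blank or address-only lines
        {
            loopback = ($1 ~ /^127\./ || $1 == "::1")
            if (loopback) {
                for (i = 2; i <= NF; i++)
                    if (tolower($i) == tolower(host)) bad = 1
            } else if (index(tolower($2), tolower(host) ".") == 1) {
                good = 1                # canonical name is host.<domain>
            }
        }
        END {
            if (bad)   exit 1
            if (!good) exit 2
            exit 0
        }
    ' "$1"
}

# Live variant of the same advice: succeeds only when the short name and
# the fully qualified name differ. Not called below because the result
# depends on the machine the script runs on.
check_live_hostname() {
    short=$(hostname) || return 3
    full=$(hostname -f) || return 3
    [ "$short" != "$full" ]
}

# Constructed sample files, copied from the two variants in the post.
tmp_hosts=$(mktemp -d)
printf '%s\n' '127.0.0.1 zelda localhost.localdomain localhost' \
    '172.16.1.29 zelda.ournetwork.org zelda' > "$tmp_hosts/broken"
printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
    '172.16.1.29 zelda.ournetwork.org zelda' > "$tmp_hosts/works"
# Constructed third case: short name only, no domain appended anywhere.
printf '%s\n' '127.0.0.1 localhost.localdomain localhost' \
    '172.16.1.29 zelda' > "$tmp_hosts/shortonly"

for f in broken works shortonly; do
    check_hosts_fqdn "$tmp_hosts/$f" zelda
    echo "$f: exit status $?"
done
```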
[Samba] Samba and Active Directory
Hi All-

Is there a way to authenticate samba shares using Active Directory? I don't want to add the Linux server to AD, I just want to be able to use Active Directory for the authentication of the Samba shares. Is there a good how-to?

Thanks,
MS
Re: [Samba] Samba and Active Directory
> Is there a way to authenticate samba shares using Active Directory? I don't want to add the Linux server to AD, I just want to be able to use Active Directory for the authentication of the Samba shares. Is there a good how-to?

Yes, and yes. See the documentation.

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://us3.samba.org/samba/docs/man/Samba-Guide/

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: [Samba] Samba and Active Directory
On Monday 10 March 2008 08:03:04 am Mary Steiner wrote:
> Hi All-
>
> Is there a way to authenticate samba shares using Active Directory? I don't want to add the Linux server to AD, I just want to be able to use Active Directory for the authentication of the Samba shares. Is there a good how-to?
>
> Thanks,
> MS

Mary,

Could you perhaps give us an example in practice (from the user's perspective) of how this would work? Please start at the very beginning:

A user logs onto ... and then does the following to access shares on the Samba server ...

What documents have you referred to in order to understand the issues at the heart of the question you are asking?

- John T.
Re: [Samba] Samba and Active Directory
Hi All,

I am facing one problem: the SMB service has failed. The smbd log is below:

[EMAIL PROTECTED] samba]# tail -f smbd.log
[2008/03/08 23:43:13, 0] smbd/server.c:main(760)
  smbd version 3.0.10-1.4E.12.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2008/03/08 23:43:13, 1] auth/auth_util.c:make_server_info_sam(822)
  User Guest in passdb, but getpwnam() fails!
[2008/03/08 23:44:11, 0] smbd/server.c:main(760)
  smbd version 3.0.10-1.4E.12.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2008/03/08 23:44:11, 1] auth/auth_util.c:make_server_info_sam(822)
  User Guest in passdb, but getpwnam() fails!

Sachin Ghormade
System Operation Lead Specialist
OZONE-1 Pune
[EMAIL PROTECTED]
9766321056

Mary Steiner [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/10/2008 06:33 PM
To samba@lists.samba.org
cc
Subject [Samba] Samba and Active Directory

> Hi All- Is there a way to authenticate samba shares using Active Directory? I don't want to add the Linux server to AD, I just want to be able to use Active Directory for the authentication of the Samba shares. Is there a good how-to? Thanks, MS
Re: [Samba] Samba and Active Directory
Hi John,

Basically this is what I would like to happen: I have a Windows 2003 Active Directory server and a Fedora Linux server. I have set up Samba on the Fedora server. I would like for users to be able to map a Samba share using their login and password from Active Directory. I have read a lot of posts regarding kerberos, pam and samba, but most of them involved creating new users on active directory and installing Unix services on the windows server. I would like to not have to make any changes to the active directory server, just changes to the linux server. Any ideas?

Thanks, MS

On Mon, Mar 10, 2008 at 8:20 AM, John H Terpstra [EMAIL PROTECTED] wrote:
> On Monday 10 March 2008 08:03:04 am Mary Steiner wrote:
>> Hi All- Is there a way to authenticate samba shares using Active Directory? I don't want to add the Linux server to AD, I just want to be able to use Active Directory for the authentication of the Samba shares. Is there a good how-to? Thanks, MS
>
> Mary,
>
> Could perhaps give us an example in practice (from the user's perspective) how this would work? Please start at the very beginning:
>
> A user logs onto ... and then does the following to access shares on the Samba server ...
>
> What documents have you referred to understand the issues at heart of the question you are asking?
>
> - John T.
[Samba] samba and active directory on win 2003
I use samba Version 3.0.25b-1.el5_1.4. When I try to join the domain adtest.ro I receive the following error:

[EMAIL PROTECTED] samba]# net ads join -U Administrator
Administrator's password:
Using short domain name -- ADTEST
Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials.
Deleted account for 'ZIMBRA' in realm 'ADTEST.RO'
Failed to join domain: Type or value exists

In the process of joining the domain samba refers to ADTEST-U5HTDLBY.ADTEST.RO instead of adtest.ro. I don't know why but I believe this is the cause of the problem.

hosts.conf contains this:

192.168.1.1 adtest.ro ADTEST-U5HTDLBY.ADTEST.RO

Kerberos authentication is ok:

kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:

returns no error.

samba.conf contains this configuration:

[global]
workgroup = ADTEST
realm = ADTEST.RO
password server = ADTEST-U5HTDLBY.ADTEST.RO
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-2
idmap gid = 600-2
;template primary group = Domain Users
template shell = /bin/bash

[homes]
comment = Home Direcotries
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes

Thank you.
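The join error in the post above asks that the DNS domain of the joining server match the AD domain. One way to check that before running `net ads join`, as an added example that is not part of the original post: the function names are hypothetical, and the hosts entries for the member server (address 192.168.1.20, names `zimbra...`) are constructed, with only the realm, the DC line and the machine name ZIMBRA taken from the post.

```python
"""Pre-join naming check: is this host's canonical name inside the AD DNS domain?"""


def parse_realm(smb_conf_text):
    """Return the 'realm' value from the [global] section of smb.conf text."""
    section = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            if key.replace(" ", "").lower() == "realm":
                return value.strip()
    return None


def hosts_names(hosts_text, short_name):
    """Return all names on the first hosts line that mentions short_name.

    In the hosts file format the first name after the address is the
    canonical name and the remaining names are aliases.
    """
    wanted = short_name.lower()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        names = fields[1:]
        for name in names:
            lowered = name.lower()
            if lowered == wanted or lowered.startswith(wanted + "."):
                return names
    return []


def check_join_naming(smb_conf_text, hosts_text, short_name):
    """Return a list of naming problems; an empty list means the names line up."""
    realm = parse_realm(smb_conf_text)
    if realm is None:
        return ["smb.conf [global] has no realm setting"]
    names = hosts_names(hosts_text, short_name)
    if not names:
        return [f"no hosts entry for {short_name}; its FQDN must come from DNS"]
    canonical = names[0]
    if "." not in canonical:
        return [f"canonical name '{canonical}' has no DNS domain; "
                f"expected {short_name.lower()}.{realm.lower()}"]
    domain = canonical.split(".", 1)[1]
    if domain.lower() != realm.lower():
        return [f"DNS domain '{domain}' does not match realm '{realm}'"]
    return []


# Values taken from the post.
SMB_CONF = """\
[global]
workgroup = ADTEST
realm = ADTEST.RO
security = ADS
"""
DC_LINE = "192.168.1.1 adtest.ro ADTEST-U5HTDLBY.ADTEST.RO\n"

# Constructed member-server entries (not from the post).
HOSTS_SHORT_ONLY = DC_LINE + "192.168.1.20 zimbra\n"
HOSTS_WRONG_DOMAIN = DC_LINE + "192.168.1.20 zimbra.example.lan zimbra\n"
HOSTS_MATCHING = DC_LINE + "192.168.1.20 zimbra.adtest.ro zimbra\n"

if __name__ == "__main__":
    for label, hosts in (("short name only", HOSTS_SHORT_ONLY),
                         ("wrong domain", HOSTS_WRONG_DOMAIN),
                         ("matching", HOSTS_MATCHING)):
        print(label, "->", check_join_naming(SMB_CONF, hosts, "ZIMBRA") or "ok")
```
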
[Samba] Samba and ACTIVE DIRECTORY
I am trying to join authenticate a linux machine from a Windows 2003 SP2 ADS domain with Microsoft service for unix version 3.5 running. I have prior to SP2 been able to connect to the domain with no problem. I actually have a machine that was connected prior to the install of SP2 still running, and have the same krb5.conf, smb.conf and nsswitch.conf files on both machines. Both machines are running the exact same Distribution of Linux and Samba and yet machine one authenticates and machine two does not. The error message that I currently get is

ads_join_realm: Operations error

Has anyone got any ideas as to a resolution to this problem? I have included the following:

smb.conf

[global]
wins server =
workgroup=domainname
server string=%h (Xandros Desktop)
dns proxy=no
name resolve order=hosts lmhosts host wins bcast
log file=/var/log/samba/log.%m
max log size=1000
syslog=0
panic action=/usr/share/samba/panic-action %d
security=ADS
encrypt passwords=true
passdb backend=tdbsam guest
obey pam restrictions=yes
invalid users=root
map to guest=Bad User
passwd program=/usr/bin/passwd %u
passwd chat=*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client use spnego=no
load printers=no
printing=cups
printcap name=cups
dos filetimes=yes
socket options=TCP_NODELAY
display charset=iso8859-1
unix charset=iso8859-1
winbind enum users=no
idmap uid=1-2
winbind enum groups=no
winbind separator=+
allow trusted domains=yes
template homedir=/home/%D/%U
password server=ADSSERVER
preserve case=yes
template shell=/opt/Shellloader.sh
realm=DOMAINNAME
case sensitive=no
short preserve case=yes
os level=20
idmap gid=1-2
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom

nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc:db files
netgroup: nis

krb5.conf

[realms]
DOMANNAME = {
kdc = ADSSERVER
}
DOMAINSHORTNAME = {
kdc = ADSSERVER
}
[login]
krb4_convert = true
krb4_get_tickets = true

All these files are identical on both machines and both machines are identical in time.

ANY SUGGESTIONS...
[Samba] SAMBA and ACTIVE DIRECTORY
I am trying to join and authenticate a linux machine to a Windows 2003 SP2 ADS domain with Microsoft service for unix version 3.5 running. I have prior to SP2 been able to connect to the domain with no problem. I actually have a machine that was connected prior to the install of SP2 still running, and it has the same krb5.conf, smb.conf and nsswitch.conf files as the machine I'm trying to connect, save the machine name. Both machines are running the exact same Distribution of Linux and Samba and yet machine one authenticates and machine two does not. The error message that I currently get is

ads_join_realm: Operations error

Has anyone got any ideas as to a resolution to this problem? I have included the following:

smb.conf

[global]
wins server =
workgroup=domainname
server string=%h (Xandros Desktop)
dns proxy=no
name resolve order=hosts lmhosts host wins bcast
log file=/var/log/samba/log.%m
max log size=1000
syslog=0
panic action=/usr/share/samba/panic-action %d
security=ADS
encrypt passwords=true
passdb backend=tdbsam guest
obey pam restrictions=yes
invalid users=root
map to guest=Bad User
passwd program=/usr/bin/passwd %u
passwd chat=*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client use spnego=no
load printers=no
printing=cups
printcap name=cups
dos filetimes=yes
socket options=TCP_NODELAY
display charset=iso8859-1
unix charset=iso8859-1
winbind enum users=no
idmap uid=1-2
winbind enum groups=no
winbind separator=+
allow trusted domains=yes
template homedir=/home/%D/%U
password server=ADSSERVER
preserve case=yes
template shell=/opt/Shellloader.sh
realm=DOMAINNAME
case sensitive=no
short preserve case=yes
os level=20
idmap gid=1-2
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom

nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc:db files
netgroup: nis

krb5.conf

[realms]
DOMANNAME = {
kdc = ADSSERVER
}
DOMAINSHORTNAME = {
kdc = ADSSERVER
}
[login]
krb4_convert = true
krb4_get_tickets = true

All these files are identical on both machines and both machines are identical in time.

ANY SUGGESTIONS...
[Samba] samba on active Directory domain issues
Hi all,

I have rebuilt the gentoo linux samba server that I was having trouble with and I'm trying to again add the samba server to a windows 2003 active directory but I am still running into all of the same symptoms. I am able to see the machine in NetBeui/NetBios (My network Places on 2000/XP) and I can navigate inside the server to the public folder that I have set up but I can not get into the home directory for my domain profile (/home/DOMAINNAME/USERNAME). Looking at the log.machinename log file from samba, I see this from trying to connect to the public folder:

init msg_type=0x81 msg_flags=0x0
[2006/03/07 13:08:07, 0] lib/util_sock.c:write_data(557)
  write_data: write failure in writing to client 10.11.7.56. Error Connection reset by peer
[2006/03/07 13:08:07, 0] lib/util_sock.c:send_smb(765)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2006/03/07 13:08:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/03/07 13:08:07, 5] auth/auth_util.c:debug_nt_user_token(433)
  NT user token: (NULL)
[2006/03/07 13:08:07, 5] auth/auth_util.c:debug_unix_user_token(454)
  UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2006/03/07 13:08:07, 5] smbd/uid.c:change_to_root_user(324)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/03/07 13:08:07, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/03/07 13:08:07, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2006/03/07 13:08:07, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name failed with error Record does not exist.
[2006/03/07 13:08:07, 3] smbd/server.c:exit_server(655)
  Server exit (process_smb: send_smb failed.)

I am using samba 3.0.21c on Gentoo Linux kernel 2.6.15-r1. I can send the contents of my smb.conf or other config files if needed. Please help, I am quickly getting to the end of my rope.

TIA,
Guillermo Gutierrez
Development Systems Engineer
Market Scan Information Systems
(818) 575-2000 x2427
[EMAIL PROTECTED]
[Samba] Samba and Active directory
Hello guys :-)

Last week I was configuring a samba server here in my linux box to act as an AD Domain member. Using Samba, kerberos5 and winbind I finally did it. Now, I have another problem: for each machine that I wanna do this, I need to add this machine in the Win2k AD Server (with the command net ads join -UAdmin etc) but the problem is that I don't have the permission (or the admin account) to do this, so every time I create a new machine in vmware I need to call the infrastructure guys, and I don't want this. So the solution was to create a new samba server that will be a domain controller, and my Virtual Machines would auth against this server, and this server would auth each user against the AD.

Example:

$USER auth          check the $USER and passwd @ AD
VM - Samba - AD

In summary, the AD will be just a passwd server for samba. Does anyone know if it is possible? Is there a way?

Thanks!
Bruno Gola
[Samba] Samba 3.0.20, Active Directory, Debian: Username ... is invalid on this system
Hello List,

I have a strange problem: I have successfully added my debian system to the local active directory domain. Winbind works and gives me Users, Groups, and relations when I call wbinfo. However, Users cannot connect to a share I prepared. It makes no difference if there is no valid user = entry, or if I put a correct entry with my test user. All I get in log.winbindd is:

Username DOMAIN+test is invalid on this system

(just like there was a valid user entry.) I have successfully checked the password of this user with wbinfo, user data is handed over correctly, wbinfo -t is successful, domain membership works. What is wrong?

Thanks!!

--
With kind regards
Markus Feilner
--
Feilner IT Linux GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4 93047 Regensburg
Untere Hauptstr 2 85386 Eching
fon regensburg +49 941 8107989
fon eching +49 89 379 956 3
fax +49 89 379 956 444
mobil + +49 170 3027092
skype ID: mfeilner
mail: [EMAIL PROTECTED]
[Samba] samba 3.0. Active Directory on AIX 5.2
I need to re-compile samba to join a Windows Active Directory domain. This is on AIX 5.2 server. Here are the steps I am following:

- Install Openssl
- Install OpenLDAP
- Install MIT Kerberos
- re-compile samba

After all this, is editing the /etc/krbd5.conf and smb.conf enough or do I need to make changes on the AIX side? I see on Solaris, we need to change /etc/nsswitch.conf but what do we need to do on AIX side for this to work? I appreciate any ideas.

Thanks
-D
[Samba] samba with Active Directory on AIX
Hi All, I just built samba 3.0.14 on AIX and it is working fine with users created on the server. Now I need to change it to use Active directory authentication. I am new to Samba. Is there any info on how I can do this with the changes I need to make on the samba configuration and on AIX? Thanks in advance, -Daniel
[Samba] samba and active directory
Hi to all, I have a problem. I have 2 servers: the first is a unix server with samba and ldap that is a domain controller, and the second is a windows server with active directory. My problem is: is it possible to share the active directory tree with ldap tree? Or can I have a unique tree to share between samba and active directory?
[Samba] Samba and Active Directory
Paolo wrote:
> Hi to all, I have a problem. I have 2 servers: the first is a unix server with samba and ldap that is a domain controller, and the second is a windows server with active directory. My problem is: is it possible to share the active directory tree with ldap tree? Or can I have a unique tree to share between samba and active directory?
Re: [Samba] samba and Active Directory
[EMAIL PROTECTED] wrote:
> Can someone provide a definitive answer please
> Question: Can a Samba 3 server be introduced into my AD forest when the forest runs in a functional level of Windows 2003 server ?

'security = ads' supports mixed, native 2000 and native 2003 mode domains.

cheers, jerry
[Samba] samba and Active Directory
Can someone provide a definitive answer please

Question: Can a Samba 3 server be introduced into my AD forest when the forest runs in a functional level of Windows 2003 server ?

Thanks
Bernie McCauley
IT Consultant
Computer Sciences Corporation
15 National Cct Barton ACT 2600
Ph: (02) 6270 8334
alternate email: [EMAIL PROTECTED]
[Samba] Samba and Active Directory
Hello,

Is there a way to push a Solaris machine onto an Active Directory domain? If so, what software do I need to upgrade to? I am currently using Solaris 9.

Rick Mattier
Systems Analyst II
Windriver Systems
120 Royall St Canton, Ma 02021
[EMAIL PROTECTED]
Canton: 781 364-2002
Nashua: 603 897-2084
[Samba] samba and Active Directory
Hello, I have samba2.2.3 in an AIX4.3.3. How can I join this machine to Active Directory?
[Samba] Samba and Active Directory
Hi,

I'm trying to join my Linux file server to an AD domain. I've looked at several different documents describing how to do this, but I still am not able to get everything to work correctly. I am able to join my domain, but I cannot use smbclient to connect to another file server in the domain, nor can I connect to the samba server from my desktop PC.

My kerberos tickets seem to be in order:

$ kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/19/04 12:26:21  10/19/04 22:26:25  krbtgt/[EMAIL PROTECTED]
        renew until 10/19/04 13:26:21
$ smbclient -U [EMAIL PROTECTED] -k //fs02/Share
session setup failed: NT_STATUS_LOGON_FAILURE

Even with debug enabled, I don't get any clues:

$ smbclient -U [EMAIL PROTECTED] -k -d 4 //fs02/Share
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Processing section [global]
doing parameter local master = no
doing parameter realm = MY.BIG.DOMAIN.LOC
doing parameter password server = 10.109.40.128
doing parameter workgroup = MYDOMAIN
doing parameter netbios name = FS01
handle_netbios_name: set global_myname to: FS01
doing parameter encrypt passwords = yes
doing parameter security = ads
doing parameter log file = /var/log/samba.log
doing parameter server string =
doing parameter winbind separator = +
doing parameter winbind uid = 1-2
doing parameter winbind gid = 1-2
doing parameter template shell = /bin/bash
doing parameter wins server = 10.109.40.128
doing parameter client use spnego = no
doing parameter use spnego = yes
pm_process() returned Yes
added interface ip=10.109.40.77 bcast=10.109.41.255 nmask=255.255.254.0
Client started (version 3.0.7-2.FC2).
Connecting to 10.109.40.59 at port 445
session request ok
Serverzone is 25200
session setup failed: NT_STATUS_LOGON_FAILURE

/var/log/samba.log has three error messages which might be related to my problem:

[2004/10/19 11:46:21, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No credentials cache found)
[2004/10/19 11:51:31, 1] libads/ldap.c:ads_connect(251)
  Failed to get ldap server info
[2004/10/19 12:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1059)
  user 'root' does not exist

My smb.conf:

[global]
local master = no
realm = MY.BIG.DOMAIN.LOC
password server = 10.109.40.128
workgroup = MYDOMAIN
netbios name = FS01
encrypt passwords = yes
security = ads
log file = /var/log/samba.log
server string =
winbind separator = +
winbind uid = 1-2
winbind gid = 1-2
template shell = /bin/bash
wins server = 10.109.40.128
client use spnego = no
use spnego = yes

[Share]
comment = Share
browseable = yes
writable = yes
guest ok = no
path = /smb/share

I'm running Fedora Core 2, Samba Version 3.0.7-2.FC2, and kernel 2.6.5-1.358. Active Directory lives on 10.109.40.128. The samba server is FS01 at 10.109.40.77. A windows fileserver is FS02 at 10.109.40.59.

Does anyone have any suggestions about what I might do to get samba working correctly?

Thanks,
Mike (:
-- [EMAIL PROTECTED]
RE: [Samba] Samba and Active Directory
I had to add the following lines to the [libdefaults] section of my /etc/krb5.conf file to get it working:

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = false

This assumes you are trying to connect to a Win2K Domain Controller. I don't know if it works with a 2003 server.

Also, since your kinit was successful, the -U parameter is unnecessary when using smbclient -k.

ex. smbclient -k //fs02/Share

Kevin

-----Original Message-----
From: Mike Kelly [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 19, 2004 2:42 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba and Active Directory
Re: [Samba] Samba and Active Directory
On Tue, Oct 19, 2004 at 03:05:52PM -0500, Michael Wray wrote:
> Make sure signed traffic is disabled on the AD server (at least for traffic from your samba) under domain and local policies. And that LM,NTLM,NTLM2 when negotiated are enabled on the AD server.

Unfortunately, the signed traffic setting affects the entire domain, and I don't think that I will be able to sell my company's AD admins on decreasing company-wide security for a single branch office server.

I read this message which says that samba 3 supports signing, and that it doesn't need to be disabled in AD.
http://lists.samba.org/archive/samba/2003-October/000341.html

Is this message inaccurate?

> Also check your log.winbindd file for errors. (usually /var/log/log.winbindd or /var/log/samba/log.winbindd some servers have both.)

I have /var/log/samba/winbindd.log, which consistently states:

[2004/10/19 11:46:21, 1] nsswitch/winbindd.c:main(854)
  winbindd version 3.0.7-2.FC2 started.
  Copyright The Samba Team 2000-2004

Thanks,
Mike (:
-- [EMAIL PROTECTED]
Re: [Samba] Samba and Active Directory
On Tue, Oct 19, 2004 at 03:01:05PM -0500, Kevin Riggins wrote:
> I had to add the following lines to the [libdefaults] section of my /etc/krb5.conf file to get it working:
>
> default_tgs_enctypes = rc4-hmac
> default_tkt_enctypes = rc4-hmac
> dns_lookup_realm = false
> dns_lookup_kdc = false

I already had:

default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = false

But adding rc4-hmac did not help.

> This assumes you are trying to connect to a Win2K Domain Controller. I don't know if it works with a 2003 server.

My AD server is running 2003 Server, so I guess this means that the above doesn't work with 2003. ):

I'm open to any other ideas you might have.

Thanks,
Mike (:
-- [EMAIL PROTECTED]
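To see what a given [libdefaults] section actually requests after an edit like the ones exchanged above, the two enctype lists can be parsed and classified; this is an added example, not code from the thread. The function names and family labels are this example's own, and the "after" sample is constructed, since the post does not show the exact line that resulted from adding rc4-hmac.

```python
"""Classify default_tgs_enctypes / default_tkt_enctypes from krb5.conf text."""
import re

# Enctype names as spelled in krb5.conf; the grouping into families is this example's own.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
RC4 = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}


def family_of(name):
    """Map one enctype name to a coarse family label."""
    if name in SINGLE_DES:
        return "single-des"
    if name in RC4:
        return "rc4"
    if name.startswith("aes"):
        return "aes"
    return "other"


def parse_libdefaults(krb5_conf_text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, values = None, {}
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def audit_enctypes(krb5_conf_text):
    """Report, per setting, which enctypes are requested and how they classify."""
    libdefaults = parse_libdefaults(krb5_conf_text)
    report = {}
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        # enctype lists may be separated by whitespace or commas
        names = [n.lower() for n in re.split(r"[,\s]+", libdefaults.get(key, "")) if n]
        families = sorted({family_of(n) for n in names})
        report[key] = {
            "enctypes": names,
            "families": families,
            "offers_rc4": "rc4" in families,
            # single-DES is the weakest family here; a list made only of it is worth flagging
            "single_des_only": families == ["single-des"],
        }
    report["lists_agree"] = (report["default_tgs_enctypes"]["enctypes"]
                             == report["default_tkt_enctypes"]["enctypes"])
    return report


# Settings quoted in the thread.
KEVIN = """\
[libdefaults]
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = false
"""
MIKE_BEFORE = """\
[libdefaults]
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = false
"""
# Constructed: one possible result of "adding rc4-hmac" to the lists above.
MIKE_AFTER = MIKE_BEFORE.replace("des-cbc-md5", "des-cbc-md5 rc4-hmac")

if __name__ == "__main__":
    for label, text in (("reply", KEVIN), ("before", MIKE_BEFORE), ("after", MIKE_AFTER)):
        print(label, audit_enctypes(text))
```
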
Re: [Samba] Samba and Active Directory
Mike Kelly wrote:
| On Tue, Oct 19, 2004 at 03:05:52PM -0500, Michael Wray wrote:
| | Make sure signed traffic is disabled on the AD server
| | (at least for traffic from your samba) under domain
| | and local policies. And that LM,NTLM,NTLM2
| | when negotiated are enabled on the AD server.
|
| Unfortunately, the signed traffic setting affects the
| entire domain, and I don't think that I will be able to
| sell my company's AD admins on decreasing
| company-wide security for a single branch office server.
|
| I read this message which says that samba 3 supports signing,
| and that it doesn't need to be disabled in AD.
| http://lists.samba.org/archive/samba/2003-October/000341.html
|
| Is this message inaccurate?

Samba 3.0.x does support SMB signing.

cheers, jerry

Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
If we're adding to the noise, turn off this song--Switchfoot (2003)
Re: [Samba] Samba as Active Directory replacement - is it possible?
Andrew Bartlett wrote:
> On Tue, 2004-09-21 at 20:49, Tomasz Chmielewski wrote:
>> Where can I find any HOWTOS/documents on this? I spent an hour googling but found nothing promising so far.
>
> It all very much depends on what you want to do with it. Samba 3.0 is an NT4 level domain controller, as far as windows clients see it, but is fully backed by whatever directory server you attach it to.

OK, so at the bottom I describe more or less what I want.

> So, if you just want to move to a directory based system, with the benefits of directory management, then the standard Samba 3.0 will do what you want. If you would like to add kerberos, then it is possible with snapshots of

I don't think kerberos is needed in my case.

> The other area of ongoing work is in Samba4, where we have demonstrated an 'Active Directory' join of WinXP SP2 to Samba4. This is an ongoing area of research, but also an area that is moving surprisingly fast. More assistance (programming wise) is always appreciated :-)

This is what I actually want from this AD replacement:

- it has to store users, groups and passwords
- it has to store computer accounts
- it has to store policies - for users, computers

So by example: Clients are purely Windows machines. Now with Active Directory the below can be achieved:

1) PC1 (client) is booted.
2) it connects to the server, reads its computer account and policy:
   - what settings should it have, what programs installed
   - and if a program is missing, it should be automatically installed/deinstalled (according to the policy)
3) login box appears - user logs in - he/she is authenticated against the server, and his/her settings are applied

Well, I'm certain that I can store passwords, users, groups, either with Samba or Samba + OpenLDAP, but what I'm afraid of, is how can I set different policies for users and computers with Samba/OpenLDAP.

Any help if it's possible is appreciated.

Tomek
[Samba] Samba as Active Directory replacement - is it possible?
Hello,

I've been trying to figure out if it's possible to replace Active Directory with Samba (+ OpenLDAP, Kerberos, DNS etc.) on Linux - but from what I've found I'm not sure.

Is it possible, or partially possible (I don't need every feature of AD)? What additional software (besides Samba) will I need? What functionality will I lose?

Where can I find any HOWTOS/documents on this? I spent an hour googling but found nothing promising so far.

Tomek
Re: [Samba] Samba as Active Directory replacement - is it possible?
On Tuesday 21 September 2004 04:49, Tomasz Chmielewski wrote:

> Hello,
>
> I've been trying to figure out if it's possible to replace Active Directory with Samba (+ OpenLDAP, Kerberos, DNS etc.) on Linux - but from what I've found I'm not sure.
>
> Is it possible, or partially possible (I don't need every feature of AD)? What additional software (besides Samba) will I need? What functionality will I lose?
>
> Where can I find any HOWTOS/documents on this? I spent an hour googling but found nothing promising so far.

http://www.samba.org/samba/docs/Samba-Guide.pdf

Check chapters 5,6,7,9

If you need more information contact me direct.

- John T.

> Tomek

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author: The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
RE: [Samba] Samba as Active Directory replacement - is it possible?
I'm actually considering a similar exercise. I understand to run OpenLDAP you would need some database like PostGRE or mySQL (someone, can't remember who, said you need PostGRE)

Roland

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John H Terpstra
Sent: 21 September 2004 17:36
To: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba as Active Directory replacement - is it possible?

On Tuesday 21 September 2004 04:49, Tomasz Chmielewski wrote:

> Hello,
>
> I've been trying to figure out if it's possible to replace Active Directory with Samba (+ OpenLDAP, Kerberos, DNS etc.) on Linux - but from what I've found I'm not sure.
>
> Is it possible, or partially possible (I don't need every feature of AD)? What additional software (besides Samba) will I need? What functionality will I lose?
>
> Where can I find any HOWTOS/documents on this? I spent an hour googling but found nothing promising so far.

http://www.samba.org/samba/docs/Samba-Guide.pdf

Check chapters 5,6,7,9

If you need more information contact me direct.

- John T.

> Tomek

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author: The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
Re: [Samba] Samba as Active Directory replacement - is it possible?
On Tue, 2004-09-21 at 20:49, Tomasz Chmielewski wrote:

> Hello,
>
> I've been trying to figure out if it's possible to replace Active Directory with Samba (+ OpenLDAP, Kerberos, DNS etc.) on Linux - but from what I've found I'm not sure.
>
> Is it possible, or partially possible (I don't need every feature of AD)? What additional software (besides Samba) will I need? What functionality will I lose?
>
> Where can I find any HOWTOS/documents on this? I spent an hour googling but found nothing promising so far.

It all very much depends on what you want to do with it. Samba 3.0 is an NT4 level domain controller, as far as windows clients see it, but is fully backed by whatever directory server you attach it to.

So, if you just want to move to a directory based system, with the benefits of directory management, then the standard Samba 3.0 will do what you want.

If you would like to add kerberos, then it is possible with snapshots of Heimdal kerberos for unix clients to use their 'Samba' passwords for kerberos. These are kept in the same directory (and indeed same entries) as Samba's passwords.

https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

The other area of ongoing work is in Samba4, where we have demonstrated an 'Active Directory' join of WinXP SP2 to Samba4. This is an ongoing area of research, but also an area that is moving surprisingly fast. More assistance (programming wise) is always appreciated :-)

Andrew Bartlett
Re: [Samba] Samba and Active Directory
I am having the same exact issue. I have not tried assigning permissions using DOMAINPREFIX\\username, but like you I can get Kerberos tickets, use smbclient to connect to windows shares, but from a windows client, I cannot connect to the Samba server. I'm using Suse 9.1, and the latest version of SAMBA that I've tried was 3.05.

Jason

On Thu, 19 Aug 2004 15:48:55 -0400, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> I have setup my linux machine (Fedora Core2) to kinit to my windows 2003 server. It has added itself to the active directory with no errors. I can use smbclient //server/c$ -k and view all the files on the server.
>
> I installed and configured winbind. I can do a wbinfo -u and wbinfo -g and return the list of users and groups from the active directory. I have done a getent passwd and getgroups and winbind has assigned the active directory users and groups the proper unix uid's and gid's. I can even assign ownership to files but I must use DOMAINPREFIX\\username in order to do so. IS THIS THE CORRECT WAY TO DO THAT?
>
> I can add the user to the smbpasswd file using smbpasswd -a DOMAINPREFIX\\username and it gets added. This tells me that unix knows the user exists. Whether I add the username to the smbpasswd file or not I still cannot access any of the samba shares. It continuously prompts me for a username and password when I access it from a windows machine. I'm guessing that the password isn't getting pulled from the active directory for the user accounts. But I'm not sure.
[Samba] Samba and Active Directory
I have setup my linux machine (Fedora Core2) to kinit to my windows 2003 server. It has added itself to the active directory with no errors. I can use smbclient //server/c$ -k and view all the files on the server.

I installed and configured winbind. I can do a wbinfo -u and wbinfo -g and return the list of users and groups from the active directory. I have done a getent passwd and getgroups and winbind has assigned the active directory users and groups the proper unix uid's and gid's. I can even assign ownership to files but I must use DOMAINPREFIX\\username in order to do so. IS THIS THE CORRECT WAY TO DO THAT?

I can add the user to the smbpasswd file using smbpasswd -a DOMAINPREFIX\\username and it gets added. This tells me that unix knows the user exists. Whether I add the username to the smbpasswd file or not I still cannot access any of the samba shares. It continuously prompts me for a username and password when I access it from a windows machine. I'm guessing that the password isn't getting pulled from the active directory for the user accounts. But I'm not sure.
[Samba] Samba 3, Active Directory and LDAP
I don't know if the following is possible. Definitive yes/no would be appreciated, with pointers to how to do it if the answer is yes.

At present our lab PCs (c. 250 dual boot *nix/W2K boxes) get file served by our Solaris file/LDAP/mail server; NFS for *nix, samba 2 for local user files in W2K. The W2K is centrally managed with more user filestore so the W2K PCs always have at least 3 shares mounted. In *nix they authenticate against our departmental LDAP, in W2K against the campus AD and use a local smbpasswd for samba. Samba is used solely to share a user's *nix home directory to his/her PC when it is in W2K; i.e. in smb.conf after the usual pre-amble there is only:

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

What I'd like to do is:

- move to samba 3
- continue to authenticate *nix (including server) to local LDAP
- authenticate samba to central AD (preferably via LDAP)
- get information for the home share from local LDAP (as obviously the central AD doesn't know anything about where the user's local *nix filestore is)

From RingTFM I believe that this is possible using kerberos rather than LDAP to authenticate samba but I really want to go the LDAP route. Is it possible?

Thanks

John Landamore
School of Mathematics Computer Science
University of Leicester
University Road, LEICESTER, LE1 7RH
[EMAIL PROTECTED]
Phone: +44 (0)116 2523410 Fax: +44 (0)116 2523604
Re: [Samba] Samba and Active Directory Permissions RESOLUTION
Hi everyone. I'm running into the same problem. I've set up slackware 9.1 with kernel 2.6.4 to have acl support for ext3 (tried also to work with kernel 2.4.25 + patch acl), samba 3.0.2a. Joined the domain as a member and followed instructions in the acl howto. Samba is working and I can set up shares using winbind authentication, just fine.

The problem is with acl if I try to set from a win2k box. I can change permissions only on files and not on folders, and only on the already present users (can't add or remove anyone). I've been testing many options (security mask, directory security mask, create mask/directory) and I have set admin users '@DOMAIN\Domain Admins' but still no success. Here's my share conf:

[acl]
   path = /samba/acl
   # the folder is owned by user simone that is part of the Domain Admin group
   valid users = DOMAIN\simone
   read only = no
   browseable = yes
   admin users = DOMAIN\simone
   create mask = 0770
   directory mask = 0770
   directory security mask = 0700

What am I missing? I can get into the share and create new folders, but when I try to change permissions I get error unable to save permissions. I've been searching through the last 6158 messages on the list and followed hints but unsuccessful. Any help would be greatly appreciated since I am lost at the moment.

PS I have not created any local samba user, not even root, users are only from domain

Thanks

Simone

----- Original Message -----
From: John Petro [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 8:58 PM
Subject: RE: [Samba] Samba and Active Directory Permissions RESOLUTION

All,

Thanks for the responses. There were two things I had to do to get this to work. The first thing was I had to change the readonly attribute in the smb.conf to NO. I also noticed that there was an error in my /etc/fstab so that the options were not read in for some reason. Once I fixed this and re-mounted the filesystem with the ACL option, I was able to do what I needed to do.

Thanks again for all your responses.

--John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Petro
Sent: Thursday, March 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba and Active Directory Permissions

All,

I am currently running Samba 3.0.2a on a RHEL3 server. I would like to use the extended file systems permissions through windows, but I haven't had much luck. Here is how I am set up.

My linux box is joined to my AD domain and appears to be functioning correctly. I also have winbind set up, and functioning, although I still have some tweaking to do, it is assigning user and group ids as I would expect it to. I can create a share ok via Samba or active directory users and computers without a problem. However, once I create this share, and I mount it on a windows client, I can't do anything as far as setting or delegating permissions. When I look at the folder properties, it says the folder is owned by root on my linux server. It will not let me change the ownership to any other user. I get an error that says something to the effect that I don't have the rights to change the permissions.

Has anyone had this issue, and do you know what I can do to get around this. I really don't want to go to a windows platform for my fileservices.

--John
Re: [Samba] Samba and Active Directory Permissions
Thank you very much for your reply. I'm trying to change permissions on a folder underneath. Basically I create a folder in /acl and then I try to change permissions. I will try to have a local unix user to be admin and I'll post back if it's the answer.

Once again thanks for your help

Simone

----- Original Message -----
From: John Petro [EMAIL PROTECTED]
To: Simone [EMAIL PROTECTED]
Sent: Saturday, March 20, 2004 5:13 PM
Subject: RE: [Samba] Samba and Active Directory Permissions RESOLUTION

Are you setting the permissions on the /acl directory? Or a folder underneath. It sounds like a permission problem. I ended up having a local unix user be the admin user and so I haven't seen the same issue you are having.

--John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simone
Sent: Saturday, March 20, 2004 7:07 AM
To: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba and Active Directory Permissions RESOLUTION

Hi everyone. I'm running into the same problem. I've set up slackware 9.1 with kernel 2.6.4 to have acl support for ext3 (tried also to work with kernel 2.4.25 + patch acl), samba 3.0.2a. Joined the domain as a member and followed instructions in the acl howto. Samba is working and I can set up shares using winbind authentication, just fine.

The problem is with acl if I try to set from a win2k box. I can change permissions only on files and not on folders, and only on the already present users (can't add or remove anyone). I've been testing many options (security mask, directory security mask, create mask/directory) and I have set admin users '@DOMAIN\Domain Admins' but still no success. Here's my share conf:

[acl]
   path = /samba/acl
   # the folder is owned by user simone that is part of the Domain Admin group
   valid users = DOMAIN\simone
   read only = no
   browseable = yes
   admin users = DOMAIN\simone
   create mask = 0770
   directory mask = 0770
   directory security mask = 0700

What am I missing? I can get into the share and create new folders, but when I try to change permissions I get error unable to save permissions. I've been searching through the last 6158 messages on the list and followed hints but unsuccessful. Any help would be greatly appreciated since I am lost at the moment.

PS I have not created any local samba user, not even root, users are only from domain

Thanks

Simone

----- Original Message -----
From: John Petro [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 8:58 PM
Subject: RE: [Samba] Samba and Active Directory Permissions RESOLUTION

All,

Thanks for the responses. There were two things I had to do to get this to work. The first thing was I had to change the readonly attribute in the smb.conf to NO. I also noticed that there was an error in my /etc/fstab so that the options were not read in for some reason. Once I fixed this and re-mounted the filesystem with the ACL option, I was able to do what I needed to do.

Thanks again for all your responses.

--John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Petro
Sent: Thursday, March 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba and Active Directory Permissions

All,

I am currently running Samba 3.0.2a on a RHEL3 server. I would like to use the extended file systems permissions through windows, but I haven't had much luck. Here is how I am set up.

My linux box is joined to my AD domain and appears to be functioning correctly. I also have winbind set up, and functioning, although I still have some tweaking to do, it is assigning user and group ids as I would expect it to. I can create a share ok via Samba or active directory users and computers without a problem. However, once I create this share, and I mount it on a windows client, I can't do anything as far as setting or delegating permissions. When I look at the folder properties, it says the folder is owned by root on my linux server. It will not let me change the ownership to any other user. I get an error that says something to the effect that I don't have the rights to change the permissions.

Has anyone had this issue, and do you know what I can do to get around this. I really don't want to go to a windows platform for my fileservices.

--John
RE: [Samba] Samba and Active Directory Permissions RESOLUTION
All,

Thanks for the responses. There were two things I had to do to get this to work. The first thing was I had to change the readonly attribute in the smb.conf to NO. I also noticed that there was an error in my /etc/fstab so that the options were not read in for some reason. Once I fixed this and re-mounted the filesystem with the ACL option, I was able to do what I needed to do.

Thanks again for all your responses.

--John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Petro
Sent: Thursday, March 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba and Active Directory Permissions

All,

I am currently running Samba 3.0.2a on a RHEL3 server. I would like to use the extended file systems permissions through windows, but I haven't had much luck. Here is how I am set up.

My linux box is joined to my AD domain and appears to be functioning correctly. I also have winbind set up, and functioning, although I still have some tweaking to do, it is assigning user and group ids as I would expect it to. I can create a share ok via Samba or active directory users and computers without a problem. However, once I create this share, and I mount it on a windows client, I can't do anything as far as setting or delegating permissions. When I look at the folder properties, it says the folder is owned by root on my linux server. It will not let me change the ownership to any other user. I get an error that says something to the effect that I don't have the rights to change the permissions.

Has anyone had this issue, and do you know what I can do to get around this. I really don't want to go to a windows platform for my fileservices.

--John
[Samba] Samba and Active Directory Permissions
All,

I am currently running Samba 3.0.2a on a RHEL3 server. I would like to use the extended file systems permissions through windows, but I haven't had much luck. Here is how I am set up.

My linux box is joined to my AD domain and appears to be functioning correctly. I also have winbind set up, and functioning, although I still have some tweaking to do, it is assigning user and group ids as I would expect it to. I can create a share ok via Samba or active directory users and computers without a problem. However, once I create this share, and I mount it on a windows client, I can't do anything as far as setting or delegating permissions. When I look at the folder properties, it says the folder is owned by root on my linux server. It will not let me change the ownership to any other user. I get an error that says something to the effect that I don't have the rights to change the permissions.

Has anyone had this issue, and do you know what I can do to get around this. I really don't want to go to a windows platform for my fileservices.

--John
RE: [Samba] Samba and Active Directory Permissions
I have had similar problems. I was able to set permissions on shares from Windows by adding:

admin users = DOMAIN_Domain Admins

to my smb.conf file. ( _ is my Winbind separator character).

The problem is that once they are set and the everyone group is removed, the users cannot connect to the share with kerberos authentication. (They can connect via ip address, which causes samba to use NTLM? authentication). I always get Access Denied. Setting logging to 10 I can see the authentication checks in the log, but the user sid captured does not match the user's actual sid so it doesn't match the sid in the acl.

Hopefully you do not have the same problem. I have had this problem for over two weeks and haven't been able to solve it. Even on a totally clean install of everything in my lab including the W2K AD server and the Samba server.

Steve Aden

-----Original Message-----
From: John Petro [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 12:13 PM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba and Active Directory Permissions

All,

I am currently running Samba 3.0.2a on a RHEL3 server. I would like to use the extended file systems permissions through windows, but I haven't had much luck. Here is how I am set up.

My linux box is joined to my AD domain and appears to be functioning correctly. I also have winbind set up, and functioning, although I still have some tweaking to do, it is assigning user and group ids as I would expect it to. I can create a share ok via Samba or active directory users and computers without a problem. However, once I create this share, and I mount it on a windows client, I can't do anything as far as setting or delegating permissions. When I look at the folder properties, it says the folder is owned by root on my linux server. It will not let me change the ownership to any other user. I get an error that says something to the effect that I don't have the rights to change the permissions.

Has anyone had this issue, and do you know what I can do to get around this. I really don't want to go to a windows platform for my fileservices.

--John
Re: [Samba] Samba and Active Directory Permissions
John Petro [EMAIL PROTECTED] wrote on 03/18/2004 12:13:08 PM:

> All,
>
> I am currently running Samba 3.0.2a on a RHEL3 server. I would like to use the extended file systems permissions through windows, but I haven't had much luck. Here is how I am set up.
>
> My linux box is joined to my AD domain and appears to be functioning correctly. I also have winbind set up, and functioning, although I still have some tweaking to do, it is assigning user and group ids as I would expect it to. I can create a share ok via Samba or active directory users and computers without a problem. However, once I create this share, and I mount it on a windows client, I can't do anything as far as setting or delegating permissions. When I look at the folder properties, it says the folder is owned by root on my linux server. It will not let me change the ownership to any other user. I get an error that says something to the effect that I don't have the rights to change the permissions.

If the files and folders are owned by root, only root can change the ownership. One way around this is to add

admin users = your domain username or groupname

to your smb.conf for that share. This will give your user root permissions.

> Has anyone had this issue, and do you know what I can do to get around this. I really don't want to go to a windows platform for my fileservices.
>
> --John
RE: [Samba] Samba and Active Directory Permissions
Yeah I tried that.. I get an error that says that it can't save permissions on the folder (or file) in this case. Any other ideas?

--John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 2:12 PM
To: John Petro
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba and Active Directory Permissions

John Petro [EMAIL PROTECTED] wrote on 03/18/2004 12:13:08 PM:

> All,
>
> I am currently running Samba 3.0.2a on a RHEL3 server. I would like to use the extended file systems permissions through windows, but I haven't had much luck. Here is how I am set up.
>
> My linux box is joined to my AD domain and appears to be functioning correctly. I also have winbind set up, and functioning, although I still have some tweaking to do, it is assigning user and group ids as I would expect it to. I can create a share ok via Samba or active directory users and computers without a problem. However, once I create this share, and I mount it on a windows client, I can't do anything as far as setting or delegating permissions. When I look at the folder properties, it says the folder is owned by root on my linux server. It will not let me change the ownership to any other user. I get an error that says something to the effect that I don't have the rights to change the permissions.

If the files and folders are owned by root, only root can change the ownership. One way around this is to add

admin users = your domain username or groupname

to your smb.conf for that share. This will give your user root permissions.

> Has anyone had this issue, and do you know what I can do to get around this. I really don't want to go to a windows platform for my fileservices.
>
> --John
RE: [Samba] Samba and Active Directory Permissions
> server. It will not let me change the ownership to any other user. I get a error that says something to the effect that I don't have the rights to change the permissions.

Do you have ACL's enabled on the filesystem with the shared files?

http://www.bluelightning.org/linux/samba_acl_howto/

~ Daniel
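The two fixes reported in the RESOLUTION message of this thread (read only set to no in smb.conf, and the share's filesystem mounted with the acl option in /etc/fstab), together with the admin users setting that one reply notes gives root permissions, can be checked mechanically. The script below is an added example, not code from any poster or from the Samba project; the sample smb.conf and fstab text, the [projects] share and the finding codes are constructed for illustration.

```python
"""Added example (not from the thread): audit shares for the conditions discussed above."""

TRUE_VALUES = {"yes", "true", "on", "1"}
# Inverted synonyms of "read only" in smb.conf, once whitespace is removed.
WRITABLE_SYNONYMS = {"writable", "writeable", "writeok"}

MESSAGES = {
    "read-only": "share is read only, so clients cannot save permission changes",
    "no-acl-mount": "filesystem holding the path is not mounted with the acl option",
    "no-fstab-entry": "no fstab entry covers the share path",
    "admin-users": "admin users is set: those accounts act as root on this share",
}

# Constructed sample input. [acl] follows the share posted in the thread;
# [projects] and every fstab line are invented for the example.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = DOMAIN
   security = ads

[acl]
   path = /samba/acl
   valid users = DOMAIN\simone
   read only = no
   admin users = DOMAIN\simone
   create mask = 0770

; no "read only" line here, so the smbd default (yes) applies
[projects]
   path = /srv/projects
   valid users = @DOMAIN\staff
"""

SAMPLE_FSTAB = """
# device    mountpoint  type  options       dump pass
/dev/hda1   /           ext3  defaults      1 1
/dev/hda2   swap        swap  defaults      0 0
/dev/hda3   /samba      ext3  defaults,acl  1 2
/dev/hda4   /srv        ext3  defaults      1 2
"""


def normalize(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {param: value}}; writable synonyms are folded into 'readonly'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key, value = normalize(key), value.strip()
            if key in WRITABLE_SYNONYMS:  # the later line wins, as in smbd
                key = "readonly"
                value = "no" if value.lower() in TRUE_VALUES else "yes"
            current[key] = value
    return sections


def mount_options_for(path, fstab_text):
    """Options of the fstab entry with the longest mountpoint covering path, or None.

    Assumption: only options written in fstab are seen; ACL support enabled by a
    filesystem default is not, so a finding is a prompt to check the live mount.
    """
    path = path.rstrip("/") or "/"
    best, best_opts = "", None
    for raw in fstab_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or not fields[1].startswith("/"):
            continue  # comments, blank lines, swap
        mountpoint = fields[1]
        covers = path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/")
        if covers and len(mountpoint) > len(best):
            best, best_opts = mountpoint, fields[3].split(",")
    return best_opts


def audit(smb_conf_text, fstab_text):
    """Return {share: [finding codes]} for every non-global section."""
    sections = parse_smb_conf(smb_conf_text)
    defaults = sections.pop("global", {})
    report = {}
    for name, params in sections.items():
        effective = {**defaults, **params}
        codes = []
        if effective.get("readonly", "yes").lower() in TRUE_VALUES:
            codes.append("read-only")
        if params.get("path"):
            options = mount_options_for(params["path"], fstab_text)
            if options is None:
                codes.append("no-fstab-entry")
            elif "acl" not in options:
                codes.append("no-acl-mount")
        if effective.get("adminusers"):
            codes.append("admin-users")
        report[name] = codes
    return report


if __name__ == "__main__":
    for share, codes in audit(SAMPLE_SMB_CONF, SAMPLE_FSTAB).items():
        for code in codes or ["ok"]:
            print(f"[{share}] {code}: {MESSAGES.get(code, 'no findings')}")
```

The admin-users finding is reported even when ACL changes work, because it marks accounts whose file operations on that share bypass the ACLs being set.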
[Samba] Samba 3.0 + Active Directory + Win2000
Hi!

I have a strange question! I would like to write my diploma work on this theme. The question is: does it work? Can I really put samba into AD? Has anybody tried? What are the experiences? It is not a problem for me that the configuration is difficult, but I am a newbie. ;) So I want to learn...

Thanks!

Bye,
Roland
Re: [Samba] Samba and Active Directory Implications
> 1.) How having linux boxes in AD affects replication

The question is: How would it possibly affect replication? Do they know what they are talking about?

> 2.) If it is possible to authenticate against the Linux boxes without actually joining the AD domain

Do you mean authenticate against AD without joining the Linux box to the AD realm? You'd probably have to mangle the security on AD a bit, but kerberos is not going to work unless the KDC (in this case AD) knows about the client.
Re: [Samba] Samba and Active Directory Implications
Adam,

> The question is: How would it possibly affect replication? Do they know what they are talking about?

First of all thanks for your input. I agree with your above statement, it is what I told them. The Linux boxes don't send or receive any type of replication requests, so it shouldn't matter.

> Do you mean authenticate against AD without joining the Linux box to the AD realm? You'd probably have to mangle the security on AD a bit, but kerberos is not going to work unless the KDC (in this case AD) knows about the client.

Agreed again, I'm just trying to make sure what I'm telling them is in line with how it actually works. If it comes down to it, it might be a pissing contest between them making me prove it will work and have no problems, and me telling them to prove it will have problems.

--
Thanks,
Rob
[EMAIL PROTECTED]
[Samba] samba 3 active directory
Hello,

I'm posting this only in the event somebody else does a search in the mlist archive for such keywords (I know I did), hope you won't mind.

Status: IT WORKS! :)

Steps taken:

Install Slackware (well, that was already in place).

Install PAM (Linux-PAM-0.77, plain ./configure) - this I will need later for Postfix SMTP auth against AD.

Install Kerberos (krb5-1.2.8, ./configure --prefix=/usr/local/kerberos --without-krb4 --enable-dns --enable-dns-for-kdc --enable-dns-for-realm --enable-shared).

Install OpenLDAP (openldap-2.1.22, ./configure --disable-slapd --disable-slurpd).

Install Samba (samba-3.0.0beta3, ./configure --prefix=/usr/local/samba --with-smbwrapper --with-dce-dfs --with-ads --with-smbmount --with-pam --with-libsmbclient --with-acl-support --with-winbind --with-krb5=/usr/local/kerberos --without-quotas --with-ldap)

joe /etc/krb5.conf

    [realms]
    DOM.AIN = {
        kdc = DC.DOM.AIN
    }

test with kinit [EMAIL PROTECTED]

joe /usr/local/samba/lib/smb.conf

    [global]
    security = ADS
    realm = DOM.AIN
    winbind use default domain = yes
    wins server = dc.dom.ain
    encrypt passwords = yes
    password server = dc.dom.ain

net ads join domain -U Administrator
nmbd -D
smbd -D
winbindd

..that's all I think

PS. Thanks to the Samba team for the great work
[Samba] Samba 3.0 + Active Directory + Debian + Profiles?
How on earth do I make Debian/Unstable play nice and use Samba 3.0 as a member server in an AD-Domain running in Native Mode, and be able to store user profiles on the Samba server?

I just can make no heads nor tails from any documentation, have I missed something fundamental?

Adding the server to the domain was easy enough. But then user authentication does not seem to work?
RE: [Samba] Samba 3.0 + Active Directory + Debian + Profiles?
> How on earth do I make Debian/Unstable play nice and use Samba 3.0 as a member server in an AD-Domain running in Native Mode, and be able to store user profiles on the Samba server?
>
> I just can make no heads nor tails from any documentation, have I missed something fundamental?
>
> Adding the server to the domain was easy enough. But then user authentication does not seem to work?

Maybe I am closer than I thought. I removed samba completely, reinstalled it, joined it to the domain, and net ads sort of started to work, I got a no credential in cache from Kerberos.

And when doing a net view from a windows box, I get access denied and the following in my logs.

== log.nwl105 ==
[2003/07/23 10:49:02, 1] libads/kerberos_verify.c:ads_verify_ticket(91)
  krb5_parse_name(HOST/ndc5-router-1@) failed (Malformed representation of principal)
[2003/07/23 10:49:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(175)
  Failed to verify incoming ticket!

== log.smbd ==
[2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(487)
  idmap uid range missing or invalid
  idmap will be unable to map foreign SIDs
[2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(499)
  idmap gid range missing or invalid
  idmap will be unable to map foreign SIDs

Where should I be looking?
RE: [Samba] Samba 3.0 + Active Directory + Debian + Profiles?
> How on earth do I make Debian/Unstable play nice and use Samba 3.0 as a member server in an AD-Domain running in Native Mode, and be able to store user profiles on the Samba server?
>
> I just can make no heads nor tails from any documentation, have I missed something fundamental?
>
> Adding the server to the domain was easy enough. But then user authentication does not seem to work?

Ok, now I added realm = NWL.SE to my smb.conf, and now I get

== log.ndc2-w2k-1 ==
[2003/07/23 11:00:01, 1] smbd/sesssetup.c:reply_spnego_kerberos(221)
  Username Administrator is invalid on this system
[2003/07/23 11:00:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(221)
  Username Administrator is invalid on this system

Seems to be a step forward, but not there yet
RE: [Samba] Samba 3.0 + Active Directory + Debian + Profiles?
Hi Jan,

Jan Johansson wrote on Wednesday, 23 July 2003 8:49 p.m.:

> == log.smbd ==
> [2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(487)
>   idmap uid range missing or invalid
>   idmap will be unable to map foreign SIDs
> [2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(499)
>   idmap gid range missing or invalid
>   idmap will be unable to map foreign SIDs

Add the following settings in smb.conf and restart winbind:

    idmap uid = 1-65000
    idmap gid = 1-65000

One good way to test if you have things set right is to use the wbinfo command (eg. wbinfo -u). If this correctly lists domain users, great. If not, check the winbind log file for details.

Cheers,
Paul
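The two failures in this thread (the empty realm in HOST/ndc5-router-1@ and the missing idmap ranges) both trace to [global] settings that were not yet in smb.conf, so they can be caught before the daemons are restarted. The Python check below is an added example, not part of any poster's message or of Samba; the sample smb.conf, its workgroup and share names, and the low < high range rule are assumptions.

```python
import re

# Constructed sample: a member-server smb.conf without the settings the thread
# ends up adding (realm, idmap uid, idmap gid). Not any poster's actual file.
BROKEN_CONF = """\
[global]
   workgroup = NWL
   security = ADS
   ; realm not set yet
[profiles]
   path = /srv/profiles
"""

FIXED_CONF = BROKEN_CONF.replace(
    "   ; realm not set yet\n",
    "   realm = NWL.SE\n   idmap uid = 1-65000\n   idmap gid = 1-65000\n",
)

def parse_global(text):
    """Return the [global] parameters as a dict keyed by normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and internal whitespace
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def valid_range(value):
    """Assumed rule: 'low-high' with two integers and low < high."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) < int(m.group(2))

def check_ads_member(text):
    """List the settings whose absence matches the log messages in the thread."""
    g = parse_global(text)
    problems = []
    if g.get("security", "").lower() != "ads":
        return problems  # the checks below only apply to security = ads
    if not g.get("realm"):
        problems.append("realm")
    for name in ("idmap uid", "idmap gid"):
        if not valid_range(g.get(name.replace(" ", ""))):
            problems.append(name)
    return problems

if __name__ == "__main__":
    print(check_ads_member(BROKEN_CONF))
    print(check_ads_member(FIXED_CONF))
```

The parser does not handle backslash line continuations; a clean result here still needs the wbinfo -u test from the message above to confirm that winbind can actually enumerate domain users.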
[Samba] Samba/Solaris/Active Directory
I'm about to install the latest version of Samba on a Solaris8 machine, with an Active Directory MS environment. Haven't done this before, and am looking for:

- cookbook howto
- things that will break and how to get around them
- dope slaps

Thanks.