Re: [Samba] Security = ADS and uidnumbers

2013-06-07 Thread steve
On Thu, 2013-06-06 at 10:19 +0100, Jonathan Buzzard wrote:
 
 So given the OP wants consistent UID's on presumably his Samba file
 server running a 3.6.x variant of Samba how does sssd help?

Hi
sssd is an alternative to using winbind to extract information from AD.
It may help the OP to try it instead of winbind. Here are a few of the
advantages we have found. 
- sssd is supported: if you have a problem, it will be resolved one day
to the next. 
- It has only one branch which gives the same results with the same
configuration for both samba and smbd.
- It does not need entries in smb.conf

At the moment, winbind seems to be under development. I'm sure that once
it is finished, it will be just as good as sssd at extracting consistent
information from AD.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Security = ADS and uidnumbers

2013-06-06 Thread steve
On Wed, 2013-06-05 at 23:13 +0100, Jonathan Buzzard wrote:
 On 05/06/13 17:56, steve wrote:
  On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:
  On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:
 
  I never said that I couldn't get it to work, I just said that it is
  just too complicated. Yes I can read and there was no need to get
  personal
 
 
  You said you gave up because it was too complicated. Also if you are
  setting up a Samba file server and need UID/GID to SID mappings the only
  supported option is Winbind if sssd works at all.
 
  Hi
  Why don't we simply store the uid in the directory along with everything
  else concerning the user? Why store that information somewhere else?
 
 
 You do store the UID in the directory along with everything else. You 
 just need some way of looking it up.

No, it doesn't. Unless you intervene and force them into the directory
yourself, it stores them separately. Try it. Add a user using samba-tool
user. Then ldbsearch him.

 
  All the OP wants is consistent uidNumbers.
 
 Actually that is not clear. They want consistent UID's on a machine that 
 is running Samba which complicates things because it might mean they 
 want consistent and secure SID to UID mapping as well as consistent UID's.

I think we all need a sid that is glued to a uid. How would we work with
a user having uid x one session, and then having uid y the next session.
I've missed something, I know. I'm neither a theorist nor a coder.
 
 Anyone who has tried sssd
  is unlikely to return to winbind.
 
 Really, don't think so.
Then you can't have tried it.
 
  It also has the advantage that it
  works fully on a S4 DC, not just for uid and gid but for the whole of
  rfc2307. For good measure, it throws in dynamic dns updates for fwd and
  reverse zones. For free.
 
 Your file servers have dynamic DNS!!!
No, but our Linux clients do. Luxury on just one line of a config file.
 
  sssd does what it says on the tin. With winbind, there are too many
  different tins;)
 

 The reason for the ranges, which is why winbind is better than sssd for 
 a Samba file server is that Samba has some builtin SID's that it needs 
 to assign UID/GID's to. With winbind you can make sure that these don't 
 incorrectly overlap which would be a security issue.

There are a few built in sids which remain in the idmap database. I
can't see any reason why they couldn't be put in the directory too. If
you take the same xid which is assigned to the sid when the domain is
provisioned, how could there be overlap? I've mentioned the counter object
in idmap which takes care of unique xid's.




Re: [Samba] Security = ADS and uidnumbers

2013-06-06 Thread steve
On Wed, 2013-06-05 at 23:13 +0100, Jonathan Buzzard wrote:

 
 As far as I can tell sssd does not provide a mechanism for the smbd on 
 at least 3.5 (the 4.x series might be different but the OP is running 
 3.6) to see an incoming SID and work out the UID.

It would be pretty useless without. It does the same job as nss-ldapd
and idmap_rid.




Re: [Samba] Security = ADS and uidnumbers

2013-06-06 Thread Jonathan Buzzard
On Thu, 2013-06-06 at 10:25 +0200, steve wrote:
 On Wed, 2013-06-05 at 23:13 +0100, Jonathan Buzzard wrote:
 
  
  As far as I can tell sssd does not provide a mechanism for the smbd on 
  at least 3.5 (the 4.x series might be different but the OP is running 
  3.6) to see an incoming SID and work out the UID.
 
 It would be pretty useless without. It does the same job as nss-ldapd
 and idmap_rid.

Not really, sssd is primarily designed for attaching a Linux/Unix box to
a domain and getting a UID/GID, group membership etc. for a username. I
can attach my Linux workstation to AD and everything is good, and there
is absolutely no need to do anything with a SID. Excepting internally
the libsss_ad backend might want to turn a UID into a SID to check on
group membership. However there would be no need to expose this outside
the backend.

You only need to be able to turn a SID into a UID or GID or username if
you have a Windows client attaching to your Linux/Unix box wanting file
serving.

Looking at the Samba 3.x source (specifically 3.6.15) I can find
absolutely no reference whatsoever to sssd. I am somewhat at a loss to
understand how a smbd process can therefore use sssd to turn a SID into
a UID etc.

For the OP who is running Debian the sssd packages are not a dependency
or even suggested for any of the Samba packages. 

So given the OP wants consistent UID's on presumably his Samba file
server running a 3.6.x variant of Samba how does sssd help?


JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Jim Potter
Hi JAB

I've tried this every which way, including making ranges not overlap. It
looks to me to depend on this line:

 idmap config BECAUSE : range = 1000-8000

If I add it, wbinfo SID-ToUID option for jingram gives a UID of 2338, but
no getent passwd entry.
If I remove it, getent passwd jingram gives a uidnumber in the  idmap
config * : range =... range.

I can't replicate the state of affairs I had in the first email where one
user had the correct uidnumber - no users have the correct number now.

Does it make any difference that the BECAUSE domain trusts another domain?

I've tried it on samba4 as well now.

What goes on? Does anyone have this setup working? If anyone could send me
a complete smb.conf that works for them, I could start narrowing down where
the problem is here.

cheers

Jim


On 4 June 2013 13:57, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 On Tue, 2013-06-04 at 13:20 +0100, Jim Potter wrote:

 [SNIP]

  idmap config * : base_rid = 0
  idmap config * : backend = tdb
  idmap config * : range = 1000 - 6
 
  #   idmap config BECAUSE : default = yes
  #   idmap config BECAUSE : backend  = ad
  #   idmap config BECAUSE : schema_mode = rfc2307
  #   idmap config BECAUSE : range= 1000-8000
  #   idmap config BECAUSE : cache time = 1800
  ### idmap alloc config:range = 5000-

 Two backends with overlapping ranges, won't work. The ranges *must* be
 orthogonal.

 JAB.

 --
 Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
 Fife, United Kingdom.




Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Rowland Penny
Hi, I gave up on winbind, it is just too complicated and most, if not all,
of the webpages I found via google are incomplete or just downright wrong.

Why not try sssd, it just works, all you need to do is add uidNumbers to
your users, set up sssd and away you go, have a look here:
 http://linuxcostablanca.blogspot.co.uk/2013/04/sssd-in-samba-40.html


On 5 June 2013 13:15, Jim Potter jimpot...@orange.net wrote:

 Hi JAB

 I've tried this every which way, including making ranges not overlap. It
 looks to me to depend on this line:

  idmap config BECAUSE : range = 1000-8000

 If I add it, wbinfo SID-ToUID option for jingram gives a UID of 2338, but
 no getent passwd entry.
 If I remove it, getent passwd jingram gives a uidnumber in the  idmap
 config * : range =... range.

 I can't replicate the state of affairs I had in the first email where one
 user had the correct uidnumber - no users have the correct number now.

 Does it make any difference that the BECAUSE domain trusts another domain?

 I've tried it on samba4 as well now.

 What goes on? Does anyone have this setup working? If anyone could send me
 a complete smb.conf that works for them, I could start narrowing down where
 the problem is here.

 cheers

 Jim


 On 4 June 2013 13:57, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

  On Tue, 2013-06-04 at 13:20 +0100, Jim Potter wrote:
 
  [SNIP]
 
   idmap config * : base_rid = 0
   idmap config * : backend = tdb
   idmap config * : range = 1000 - 6
  
   #   idmap config BECAUSE : default = yes
   #   idmap config BECAUSE : backend  = ad
   #   idmap config BECAUSE : schema_mode = rfc2307
   #   idmap config BECAUSE : range= 1000-8000
   #   idmap config BECAUSE : cache time = 1800
   ### idmap alloc config:range = 5000-
 
  Two backends with overlapping ranges, won't work. The ranges *must* be
  orthogonal.
 
  JAB.
 
  --
  Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
  Fife, United Kingdom.
 
 



Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Franz Strebel
Why not use the rid backend for your idmap.  That is what I use for my
member servers and my accounts have identical ids across machines.
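To show why the rid backend Franz describes yields identical ids on every member server, while a first-come-first-served allocator like the default tdb backend does not, here is an added example; it is not Samba's code. It applies the idmap_rid formula documented by Samba (ID = RID - BASE_RID + LOW_RANGE_ID) and uses a simplified stand-in for idmap_tdb; the domain SID, RIDs and ranges are constructed for the example.

```python
"""Deterministic (rid) versus allocated (tdb-style) SID to ID mapping.

Added example, not Samba code. idmap_rid() follows the formula from the
idmap_rid manual page; TdbAllocator is a simplified stand-in for the
behaviour of idmap_tdb (next free ID, in order of first sight).
"""

DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # constructed


def split_sid(sid: str):
    """Return (domain_sid, rid) for an 'S-1-5-21-...-RID' string."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def idmap_rid(sid: str, low: int, high: int, base_rid: int = 0):
    """idmap_rid mapping: ID = RID - base_rid + low. Stateless, so every
    server with the same range gets the same answer. Returns None when the
    SID belongs to another domain or the ID falls outside the range."""
    dom, rid = split_sid(sid)
    if dom != DOMAIN_SID:
        return None  # another backend (or the '*' default) would handle it
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


class TdbAllocator:
    """Stand-in for idmap_tdb: hands out the next free ID in its range in
    the order SIDs are first seen and remembers the result locally."""

    def __init__(self, low: int, high: int):
        self.low, self.high = low, high
        self.next_id = low
        self.table = {}

    def map(self, sid: str):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def ids_for(order, backend):
    """Map the SIDs in the given order through a backend -> {sid: id}."""
    return {sid: backend(sid) for sid in order}


def compare_servers(sids, low, high):
    """Two member servers with identical config see the same users, but in
    a different order. Returns (rid_agrees, tdb_agrees)."""
    order_a = list(sids)
    order_b = list(reversed(sids))
    rid_a = ids_for(order_a, lambda s: idmap_rid(s, low, high))
    rid_b = ids_for(order_b, lambda s: idmap_rid(s, low, high))
    tdb_a = ids_for(order_a, TdbAllocator(low, high).map)
    tdb_b = ids_for(order_b, TdbAllocator(low, high).map)
    return rid_a == rid_b, tdb_a == tdb_b


# Constructed RIDs for three domain users.
USERS = [f"{DOMAIN_SID}-{rid}" for rid in (1105, 1106, 1110)]

if __name__ == "__main__":
    rid_ok, tdb_ok = compare_servers(USERS, 10000, 19999)
    print("rid backend consistent across servers:", rid_ok)
    print("tdb-style allocation consistent across servers:", tdb_ok)
```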


Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Rowland Penny
Yes, he could do that, providing his users never go anywhere near any files
or directories stored on a samba4 server; if they do, they will suddenly
find that they have a different id on the server. I have been there and it is
just a mess; it took me a bit to realise why users did not own the files
they had just created on a cifs mount.

Go with sssd, it is a lot less bother.


On 5 June 2013 14:18, Franz Strebel franz.stre...@gmail.com wrote:

 Why not use the rid backend for your idmap.  That is what I use for my
 member servers and my accounts have identical ids across machines.



Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Jonathan Buzzard
On Wed, 2013-06-05 at 13:30 +0100, Rowland Penny wrote:
 Hi, I gave up on winbind, it is just too complicated and most, if not all,
 of the webpages I found via google are incomplete or just downright wrong.
 

It's actually dead simple, and these days the manual page is actually
accurate. Really if you cannot get it working you cannot read.

Now assuming that the BECAUSE domain actually has the uidNumber field
populated a working configuration would be (this was taken from a
working configuration and modified to change the domain).

# deal with NSS and the whole UID/SID id mapping stuff
idmap config * : backend = tdb
idmap config * : range = 200 - 299 
idmap config BECAUSE : backend = ad
idmap config BECAUSE : schema_mode = rfc2307
idmap config BECAUSE : readonly = yes
idmap config BECAUSE : range = 500 - 199
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false

Noting of course that you must have a valid join to the domain, that
winbind is running, that nscd is *NOT* running and you have an
appropriate /etc/nsswitch.conf

You might also have badly messed up tdb files from previous experiments.
I would recommend nuking them from orbit and starting afresh.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

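A small checker for the rule JAB states (the '*' default range and each domain range must not overlap, or builtin SIDs can land on IDs that belong to domain users), written as an added example; it is not Samba's code. The sample smb.conf fragments are constructed: the BECAUSE range is the value Jim quoted, the other ranges are made up.

```python
"""Check the idmap ranges in an smb.conf for overlap.

Added example, not Samba code. Parses 'idmap config <dom> : range = lo - hi'
and 'idmap config <dom> : backend = ...' lines, skipping commented ones the
way smbd does, and reports any pair of ranges that intersect.
"""
import re
from itertools import combinations

# spaces around the '-' are optional, as in the configs quoted in the thread
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$", re.IGNORECASE)
BACKEND_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*backend\s*=\s*(?P<be>\S+)\s*$",
    re.IGNORECASE)


def parse_idmap(conf: str):
    """Return {DOMAIN: {"range": (lo, hi), "backend": name}} for active lines."""
    out = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented out, exactly like Jim's BECAUSE block
        m = RANGE_RE.match(line)
        if m:
            lo, hi = int(m["lo"]), int(m["hi"])
            if lo > hi:
                raise ValueError(f"range low > high: {line.strip()}")
            out.setdefault(m["dom"].upper(), {})["range"] = (lo, hi)
            continue
        m = BACKEND_RE.match(line)
        if m:
            out.setdefault(m["dom"].upper(), {})["backend"] = m["be"].lower()
    return out


def find_overlaps(idmap):
    """Return sorted (domA, domB) pairs whose ranges intersect."""
    bad = []
    doms = sorted(d for d, cfg in idmap.items() if "range" in cfg)
    for a, b in combinations(doms, 2):
        lo_a, hi_a = idmap[a]["range"]
        lo_b, hi_b = idmap[b]["range"]
        if lo_a <= hi_b and lo_b <= hi_a:  # closed intervals intersect
            bad.append((a, b))
    return bad


def check(conf: str):
    """Return (ok, messages). ok is False on overlap or a missing '*' range."""
    idmap = parse_idmap(conf)
    msgs = []
    if "range" not in idmap.get("*", {}):
        msgs.append("no 'idmap config * : range' for the default backend")
    for a, b in find_overlaps(idmap):
        msgs.append(f"ranges of {a} and {b} overlap: "
                    f"{idmap[a]['range']} vs {idmap[b]['range']}")
    return (not msgs, msgs)


# Constructed sample in the failing shape: the '*' range is made up and
# sits inside the BECAUSE range quoted in the thread.
BAD_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000 - 6000
idmap config BECAUSE : backend = ad
idmap config BECAUSE : schema_mode = rfc2307
idmap config BECAUSE : range = 1000-8000
"""

# Constructed sample with orthogonal ranges (values made up).
GOOD_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10000 - 19999
idmap config BECAUSE : backend = ad
idmap config BECAUSE : schema_mode = rfc2307
idmap config BECAUSE : readonly = yes
idmap config BECAUSE : range = 1000 - 8000
"""

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        ok, msgs = check(conf)
        print(name, "OK" if ok else "PROBLEM")
        for msg in msgs:
            print("  " + msg)
```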


Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Rowland Penny
I never said that I couldn't get it to work, I just said that it is just
too complicated. Yes I can read and there was no need to get personal

You can have an smb.conf like this:

[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LAN
encrypt passwords = yes
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab

The main part of sssd.conf:

[domain/domain.lan]
description = AD domain with Samba 4 server
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Where is the AD server etc?
krb5_server = domainserver.domain.lan
krb5_kpasswd = domainserver.domain.lan
krb5_realm = DOMAIN.LAN

ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

# Change a few default settings
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixdomainDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName

There is no messing with ranges, making sure that they do not overlap etc.
I know what I think is easier, and it isn't winbind




On 5 June 2013 14:23, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 On Wed, 2013-06-05 at 13:30 +0100, Rowland Penny wrote:
  Hi, I gave up on winbind, it is just too complicated and most, if not
 all,
  of the webpages I found via google are incomplete or just downright
 wrong.
 

 It's actually dead simple, and these days the manual page is actually
 accurate. Really if you cannot get it working you cannot read.

 Now assuming that the BECAUSE domain actually has the uidNumber field
 populated a working configuration would be (this was taken from a
 working configuration and modified to change the domain).

 # deal with NSS and the whole UID/SID id mapping stuff
 idmap config * : backend = tdb
 idmap config * : range = 200 - 299
 idmap config BECAUSE : backend = ad
 idmap config BECAUSE : schema_mode = rfc2307
 idmap config BECAUSE : readonly = yes
 idmap config BECAUSE : range = 500 - 199
 idmap cache time = 604800
 idmap negative cache time = 20
 winbind cache time = 600
 winbind nss info = rfc2307
 winbind expand groups = 2
 winbind nested groups = yes
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
 winbind refresh tickets = yes
 winbind offline logon = false

 Noting of course that you must have a valid join to the domain, that
 winbind is running, that nscd is *NOT* running and you have an
 appropriate /etc/nsswitch.conf

 You might also have badly messed up tdb files from previous experiments.
 I would recommend nuking them from orbit and starting afresh.

 JAB.

 --
 Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
 Fife, United Kingdom.




Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Jonathan Buzzard
On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:

 I never said that I couldn't get it to work, I just said that it is
 just too complicated. Yes I can read and there was no need to get
 personal
 

You said you gave up because it was too complicated. Also if you are
setting up a Samba file server and need UID/GID to SID mappings the only
supported option is Winbind if sssd works at all.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.



Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Rowland Penny
Oh yes it works ok

on the samba4 server, using winbind
getent passwd user
DOMAIN\user:*:3001106:20513::/home/DOMAIN/user:/bin/bash

uid=3001106(DOMAIN\user) gid=20513(DOMAIN\Domain Users)
groups=20513(DOMAIN\Domain Users),21110(DOMAIN\linuxusers)

change to sssd
getent passwd user
user:*:3001106:20513:user:/home/DOMAIN/user:/bin/bash

id user
uid=3001106(user) gid=20513(Domain Users) groups=20513(Domain
Users),21110(linuxusers)

on the client, using sssd
user:*:3001106:20513:user:/home/DOMAIN/user:/bin/bash

id user
uid=3001106(user) gid=20513(Domain Users) groups=20513(Domain
Users),21110(linuxusers)

As far as I can see, the only difference when you use winbind on the server
is you cannot turn off the display of the domain name; otherwise the outputs
are identical.


On 5 June 2013 16:22, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

 On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:
 
  I never said that I couldn't get it to work, I just said that it is
  just too complicated. Yes I can read and there was no need to get
  personal
 

 You said you gave up because it was too complicated. Also if you are
 setting up a Samba file server and need UID/GID to SID mappings the only
 supported option is Winbind if sssd works at all.

 JAB.

 --
 Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
 Fife, United Kingdom.




Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread steve
On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:
 On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:
 
  I never said that I couldn't get it to work, I just said that it is
  just too complicated. Yes I can read and there was no need to get
  personal
  
 
 You said you gave up because it was too complicated. Also if you are
 setting up a Samba file server and need UID/GID to SID mappings the only
 supported option is Winbind if sssd works at all.

Hi
Why don't we simply store the uid in the directory along with everything
else concerning the user? Why store that information somewhere else?

All the OP wants is consistent uidNumbers. The only way I know how to do
that is to store the uidNumber in the DN of the object. All DC's pull
the same attribute at all times. Forget idmap ranges. You can use
winbind to do that and prolly pull stuff from AD too. However, those of
us who have tried alternatives for pulling rfc2307 from AD find the
alternatives easier to install and configure. Anyone who has tried sssd
is unlikely to return to winbind. It also has the advantage that it
works fully on a S4 DC, not just for uid and gid but for the whole of
rfc2307. For good measure, it throws in dynamic dns updates for fwd and
reverse zones. For free.

sssd does what it says on the tin. With winbind, there are too many
different tins;) 





Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Rowland Penny
Well said Steve

From what I have read on the two samba mailing lists, Samba 4 is supposed
to be a clone of windows AD, well windows AD does not have winbind, so I
suppose this begs the question, why when running as a DC controller does
Samba4?



On 5 June 2013 17:56, steve st...@steve-ss.com wrote:

 On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:
  On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:
  
   I never said that I couldn't get it to work, I just said that it is
   just too complicated. Yes I can read and there was no need to get
   personal
  
 
  You said you gave up because it was too complicated. Also if you are
  setting up a Samba file server and need UID/GID to SID mappings the only
  supported option is Winbind if sssd works at all.

 Hi
 Why don't we simply store the uid in the directory along with everything
 else concerning the user? Why store that information somewhere else?

 All the OP wants is consistent uidNumbers. The only way I know how to do
 that is to store the uidNumber in the DN of the object. All DC's pull
 the same attribute at all times. Forget idmap ranges. You can use
 winbind to do that and prolly pull stuff from AD too. However, those of
 us who have tried alternatives for pulling rfc2307 from AD find the
 alternatives easier to install and configure. Anyone who has tried sssd
 is unlikely to return to winbind. It also has the advantage that it
 works fully on a S4 DC, not just for uid and gid but for the whole of
 rfc2307. For good measure, it throws in dynamic dns updates for fwd and
 reverse zones. For free.

 sssd does what it says on the tin. With winbind, there are too many
 different tins;)






Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread steve
On Wed, 2013-06-05 at 18:32 +0100, Rowland Penny wrote:
 Well said Steve
 
 
 From what I have read on the two samba mailing lists, Samba 4 is
 supposed to be a clone of windows AD, well windows AD does not have
 winbind, so I suppose this begs the question, why when running as a DC
 controller does Samba4?

I think it's still needed because not everything is stored in the
directory. sids are stored alongside (what become) their uid or gid in
the idmap database, rather than AD. As end users, we can choose to work
only with AD, however, every object we add also ends up in idmap too. I
can see one of the reasons is so that a unique sid to uid can be
guaranteed. There's a counter object in idmap which gets incremented
each time we add something ourselves. However, once the xid from idmap
has been transferred to AD, or we've allocated our own, we can then
delete the idmap entry.
Cheers,
Steve




Re: [Samba] Security = ADS and uidnumbers

2013-06-05 Thread Jonathan Buzzard

On 05/06/13 17:56, steve wrote:

On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:

On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:


I never said that I couldn't get it to work, I just said that it is
just too complicated. Yes I can read and there was no need to get
personal



You said you gave up because it was too complicated. Also if you are
setting up a Samba file server and need UID/GID to SID mappings the only
supported option is Winbind if sssd works at all.


Hi
Why don't we simply store the uid in the directory along with everything
else concerning the user? Why store that information somewhere else?



You do store the UID in the directory along with everything else. You 
just need some way of looking it up.



All the OP wants is consistent uidNumbers.


Actually that is not clear. They want consistent UID's on a machine that 
is running Samba which complicates things because it might mean they 
want consistent and secure SID to UID mapping as well as consistent UID's.



The only way I know how to do
that is to store the uidNumber in the DN of the object. All DC's pull
the same attribute at all times. Forget idmap ranges. You can use
winbind to do that and prolly pull stuff from AD too. However, those of
us who have tried alternatives for pulling rfc2307 from AD find the
alternatives easier to install and configure. Anyone who has tried sssd
is unlikely to return to winbind.


Really, don't think so.


It also has the advantage that it
works fully on a S4 DC, not just for uid and gid but for the whole of
rfc2307. For good measure, it throws in dynamic dns updates for fwd and
reverse zones. For free.


Your file servers have dynamic DNS!!!


sssd does what it says on the tin. With winbind, there are too many
different tins;)


As far as I can tell sssd does not provide a mechanism for the smbd on 
at least 3.5 (the 4.x series might be different but the OP is running 
3.6) to see an incoming SID and work out the UID. Why would it, a SID is 
an entirely Windows concept and sssd is a Linux/Unix thing. Samba 3.x 
requires as far as I have been able to tell a running winbind or bad 
things happen.


The reason for the ranges, which is why winbind is better than sssd for 
a Samba file server is that Samba has some builtin SID's that it needs 
to assign UID/GID's to. With winbind you can make sure that these don't 
incorrectly overlap which would be a security issue. With sssd you 
can't. In fact if you have more than one AD domain in a forest then sssd 
is probably not a good idea anyway.


Now if you have random Linux box that is not acting as a Samba file 
server then by all means use sssd. But this is a Samba mailing list and 
presumably the majority of people are trying to get a Samba file server 
working.


JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


[Samba] Security = ADS and uidnumbers

2013-06-04 Thread Jim Potter
Hi all,

I'm trying to set up a samba (3.6.6, debian wheezy 64bit) member server on
a 2008R2 domain. I'd like to be able to specify the uidnumbers users get on
here in AD but I'm getting really erratic results.

I've tried changing various range options, and as far as I can tell it
works sometimes, but not others - don't know why.

I have 2 users I've specifically set up, with uidnumbers in their AD
objects set:

jpotter - uidnumber 2449
jingram - uidnumber 2337

Here is an excerpt from getent passwd:
jingram:*:2338:2:June Ingram:/home/BECAUSE/jingram:/bin/false
jpotter:*:20007:2:Jim Potter:/home/BECAUSE/jpotter:/bin/false

- so it works for June but not Jim...

I've tried deleting all tdb files in /var/lib/samba and /var/cache/samba
and rejoined domain, and these uidnumbers seem to stick. I can't find them
in AD anywhere. Does anyone know what gives here?

cheers

Jim

Here is the smb.conf file:
[global]
security = ADS
workgroup = because
realm = BECAUSE.ORG.UK

log level = 3
log file = /var/log/samba/log
load printers = no

idmap cache time = 1800

winbind enum users = Yes
winbind enum groups = Yes

winbind nss info = rfc2307
winbind use default domain = Yes
winbind refresh tickets = yes
winbind normalize names = yes

idmap config * : base_rid = 0
idmap config * : backend = tdb
idmap config * : range = 1000 - 6

#   idmap config BECAUSE : default = yes
#   idmap config BECAUSE : backend  = ad
#   idmap config BECAUSE : schema_mode = rfc2307
#   idmap config BECAUSE : range= 1000-8000
#   idmap config BECAUSE : cache time = 1800
### idmap alloc config:range = 5000-


[Samba] security=ads

2013-05-18 Thread Ulrich Schneider

Dear samba-mailinglist,

We're using samba 4.0.5 as an active directory domain controller.
We used to set up some file shares on basis security=user in the old 
samba version. I was able to set up the shares as they used to be.


My Question:
How can I set up which user can read/write which share?

Do I have to do this in the Active Directory or in smb.conf?

This may be a trivial question, but I looked around the manuals a lot and
found nothing.


smb.conf

[global]
workgroup = GYM-FEU
realm = gym-feu.local
netbios name = SERVER
server role = active directory domain controller

[netlogon]
path = /usr/local/samba/var/locks/sysvol/gym-feu.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[austausch]
 path = /home/samba/austausch
 create mask = 0700
 directory mask = 0700
 force user = schueler
 force group = schueler
 comment = zum freien Austausch
 public = yes
 writeable = yes


Ulrich Schneider


Re: [Samba] Security: ads - net ads user works, wbinfo -u does not

2013-02-26 Thread Vladimir Levijev
On 6 February 2013 01:24, Vladimir Levijev vladimir.levi...@gmail.com wrote:

 I have Debian Squeeze running Samba being a member of the domain (PDC
 and BDC are Windows servers) and its users are authenticated against
 AD using winbind for years.

 Now there is a need to setup another virtual Debian box exactly like
 that. So the name of the first is STUDENT, I named the virtual
 STUDENT2. I'm trying to set up the virtual box exactly the same, using
 exactly the same configs (smb.conf, krb5.conf) as on the working box,
 but this is what I get:

 STUDENT2, I can:
 - create kerberos tickets (kinit Administrator@FOO.LOCAL)
 - list kerberos tickets (klist)
 - join the domain (net ads join -U Administrator)
   Here I get next output:
 Using short domain name -- FOO
 Joined 'STUDENT2' to realm 'FOO.Local'
 DNS update failed!
   But as I understand the last message is not something to worry about.
 - (here I start samba, then winbind)

 And at this point strange things happen. I cannot get domain users
 using wbinfo (wbinfo -u returns nothing) but I get them all using net
 ads user -U Administrator. Of course, getent passwd lists only
 local users too.

 I believe my winbind is not working properly. Here are the questions:

 1). How to effectively debug why wbinfo is acting this way?
 2). Could the problem be because of 2 machines conflicting because of
 one letter difference (STUDENT vs STUDENT2)?

 I can't delete the first box from domain in order to test it as it's
 in production.

 STUDENT2 details:
 - Debian Squeeze up-to-date (6.0.6)
 - standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
   ii  samba  2:3.5.6~dfsg-3squeeze9
   ii  samba-common   2:3.5.6~dfsg-3squeeze9
   ii  samba-common-bin   2:3.5.6~dfsg-3squeeze9
   ii  winbind2:3.5.6~dfsg-3squeeze9
 - # wbinfo -p
 Ping to winbindd succeeded

 PDC and BDCs are running Windows Server 2008 R2.

 I can post the configs in case it helps. However I feel like I have
 tried all the possible variations of the configs (from so many good
 howto's) with no effect at all.

 More info.

 STUDENT:
 # wbinfo -D foo
 Name  : FOO
 Alt_Name  : FOO.Local
 SID   : S-1-5-21-831812219-1424057545-2139100090
 Active Directory  : Yes
 Native: Yes
 Primary   : Yes

 STUDENT2:
 # wbinfo -D foo
 Name  : FOO
 Alt_Name  : FOO.LOCAL
 SID   : S-1-5-21-831812219-1424057545-2139100090
 Active Directory  : No
 Native: No
 Primary   : Yes

 Firstly, why is Alt_Name different (both boxes have identical configs)
 and where does it come from exactly?
 And secondly, what do Active Directory, Native and Primary mean?

OK, just for those that will encounter the same problem: port 445 from the
Linux box running Samba to Active Directory was blocked by a firewall.

Cheers,

VL
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
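The resolution above (TCP/445 from the member server to the domain controller blocked by a firewall) is exactly the kind of failure `wbinfo -p` cannot show, because it only pings the local winbindd socket. What follows is an added example, not code from the thread or from the Samba project: it probes the TCP ports a `security = ads` member server needs on each DC and explains the consequence of a blocked 445. The port list, the placeholder hostname `dc1.example.test` and the injectable `probe` argument (so the logic can be exercised without a network) are all assumptions of this example.

```python
"""Reachability check for the DC ports an Active Directory member server needs.

Added example for the thread above; not code from the thread or from Samba.
The resolution there was a firewall blocking TCP/445 from the Samba box to the
DC, which leaves 'wbinfo -p' succeeding (it only pings the local winbindd
socket) while 'wbinfo -u' returns nothing."""
import socket

# Ports a security = ads member server talks to on a domain controller.
# This list is an assumption made for the example, not taken from the thread.
AD_MEMBER_PORTS = {
    88: "Kerberos",
    389: "LDAP",
    445: "SMB (CIFS)",
    464: "Kerberos password change",
    3268: "LDAP global catalog",
}


def tcp_connect(host, port, timeout=3.0):
    """Real probe: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(dcs, ports=AD_MEMBER_PORTS, probe=tcp_connect):
    """Return {dc: [(port, service), ...]} listing the unreachable ports per DC.

    'probe' is injectable so the logic can be tested without any network."""
    blocked = {}
    for dc in dcs:
        blocked[dc] = [(port, svc) for port, svc in sorted(ports.items())
                       if not probe(dc, port)]
    return blocked


def explain(blocked):
    """Turn the result of check_dc_ports into human-readable findings."""
    lines = []
    for dc, missing in blocked.items():
        if not missing:
            lines.append(f"{dc}: all AD member-server ports reachable")
            continue
        for port, svc in missing:
            lines.append(f"{dc}: TCP/{port} ({svc}) unreachable")
        if any(port == 445 for port, _ in missing):
            lines.append(f"{dc}: TCP/445 blocked - winbindd cannot reach the DC over SMB; "
                         "expect 'wbinfo -u' to be empty even though 'wbinfo -p' succeeds")
    return lines


if __name__ == "__main__":
    import sys
    # Placeholder DC name; pass real DC hostnames on the command line.
    targets = sys.argv[1:] or ["dc1.example.test"]
    for line in explain(check_dc_ports(targets)):
        print(line)
```

Run it with the DC hostnames as arguments on the member server itself, since the point is to test the path the firewall sees; a result that lists only 445 as unreachable reproduces the situation described in this thread.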


Re: [Samba] Security: ads - net ads user works, wbinfo -u does not

2013-02-05 Thread Vladimir Levijev
On 4 February 2013 21:38, Vladimir Levijev vladimir.levi...@gmail.com wrote:

 I have Debian Squeeze running Samba being a member of the domain (PDC
 and BDC are Windows servers) and its users are authenticated against
 AD using winbind for years.

 Now there is a need to set up another virtual Debian box exactly like
 that. So the name of the first is STUDENT, I named the virtual
 STUDENT2. I'm trying to set up the virtual box exactly the same, using
 exactly the same configs (smb.conf, krb5.conf) as on the working box,
 but this is what I get:

 STUDENT2, I can:
 - create kerberos tickets (kinit Administrator@FOO.LOCAL)
 - list kerberos tickets (klist)
 - join the domain (net ads join -U Administrator)
   Here I get next output:
 Using short domain name -- FOO
 Joined 'STUDENT2' to realm 'FOO.Local'
 DNS update failed!
   But as I understand the last message is not something to worry about.
 - (here I start samba, then winbind)

 And at this point strange things happen. I cannot get domain users
 using wbinfo (wbinfo -u returns nothing) but I get them all using net
 ads user -U Administrator. Of course, getent passwd lists only
 local users too.

 I believe my winbind is not working properly. Here are the questions:

 1). How to effectively debug why wbinfo is acting this way?
 2). Could the problem be because of 2 machines conflicting because of
 one letter difference (STUDENT vs STUDENT2)?

 I can't delete the first box from domain in order to test it as it's
 in production.

 STUDENT2 details:
 - Debian Squeeze up-to-date (6.0.6)
 - standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
   ii  samba  2:3.5.6~dfsg-3squeeze9
   ii  samba-common   2:3.5.6~dfsg-3squeeze9
   ii  samba-common-bin   2:3.5.6~dfsg-3squeeze9
   ii  winbind2:3.5.6~dfsg-3squeeze9
 - # wbinfo -p
 Ping to winbindd succeeded

 PDC and BDCs are running Windows Server 2008 R2.

 I can post the configs in case it helps. However I feel like I have
 tried all the possible variations of the configs (from so many good
 howto's) with no effect at all.

More info.

STUDENT:
# wbinfo -D foo
Name  : FOO
Alt_Name  : FOO.Local
SID   : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : Yes
Native: Yes
Primary   : Yes

STUDENT2:
# wbinfo -D foo
Name  : FOO
Alt_Name  : FOO.LOCAL
SID   : S-1-5-21-831812219-1424057545-2139100090
Active Directory  : No
Native: No
Primary   : Yes

Firstly, why is Alt_Name different (both boxes have identical configs)
and where does it come from exactly?
And secondly, what do Active Directory, Native and Primary mean?

Cheers,

dimir
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Security: ads - net ads user works, wbinfo -u does not

2013-02-04 Thread Vladimir Levijev
Hi,

I have Debian Squeeze running Samba being a member of the domain (PDC
and BDC are Windows servers) and its users are authenticated against
AD using winbind for years.

Now there is a need to set up another virtual Debian box exactly like
that. So the name of the first is STUDENT, I named the virtual
STUDENT2. I'm trying to set up the virtual box exactly the same, using
exactly the same configs (smb.conf, krb5.conf) as on the working box,
but this is what I get:

STUDENT2, I can:
- create kerberos tickets (kinit Administrator@FOO.LOCAL)
- list kerberos tickets (klist)
- join the domain (net ads join -U Administrator)
  Here I get next output:
Using short domain name -- FOO
Joined 'STUDENT2' to realm 'FOO.Local'
DNS update failed!
  But as I understand the last message is not something to worry about.
- (here I start samba, then winbind)

And at this point strange things happen. I cannot get domain users
using wbinfo (wbinfo -u returns nothing) but I get them all using net
ads user -U Administrator. Of course, getent passwd lists only
local users too.

I believe my winbind is not working properly. Here are the questions:

1). How to effectively debug why wbinfo is acting this way?
2). Could the problem be because of 2 machines conflicting because of
one letter difference (STUDENT vs STUDENT2)?

I can't delete the first box from domain in order to test it as it's
in production.

STUDENT2 details:
- Debian Squeeze up-to-date (6.0.6)
- standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
  ii  samba  2:3.5.6~dfsg-3squeeze9
  ii  samba-common   2:3.5.6~dfsg-3squeeze9
  ii  samba-common-bin   2:3.5.6~dfsg-3squeeze9
  ii  winbind2:3.5.6~dfsg-3squeeze9
- # wbinfo -p
Ping to winbindd succeeded

PDC and BDCs are running Windows Server 2008 R2.

I can post the configs in case it helps. However I feel like I have
tried all the possible variations of the configs (from so many good
howto's) with no effect at all.

P. S. One more (possibly important) detail. When I was playing with
different configs I sometimes was getting different output from
'wbinfo -u', which looked like this:

STUDENT2+joe
STUDENT2+nobody

This looked very strange to me as my domain is 'FOO.LOCAL', not
'STUDENT2' (the latter is a hostname of the new box) and these 2 users
are local users.

Thanks in advance,

dimir
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] security = ads, username map and valid users

2013-01-24 Thread Rainer Canavan
I would like to use Samba (3.5.10 as supplied with RHEL6 if possible) to 
make some directories accessible as a filesystem to (some of) our developers. 
However, those directories are read and written by a web server, and all files 
and directories in there should belong to www-data:www-data.

The obvious solution is a username map - just map everyone to www-data - but
then valid users or user only doesn't work anymore, since those are
evaluated against the mapped user, not the username that was used to
authenticate against ADS. I have found no combination of username map,
force user/force group, valid users and/or username + only user that would
do exactly what I want.

The closest thing so far is a username map plus a (locked) local Unix user and 
UID of www-data. However I'd prefer not to add local users.

Is there any switch that allows meaningful valid users together with a 
username map such as www-data = * ?

Thanks,


rainer
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
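One way to keep `valid users` meaningful while still having every file end up owned by www-data is to authenticate as the AD user and switch identity afterwards with `force user`, which Samba applies only once the connection has been accepted, so the `valid users` check still sees the authenticating account. This is an added example of that approach, not a configuration from the thread, and the thread does not record whether it satisfies the poster's exact requirement; the share name, path and the group `DOM\webdevs` are placeholders. The connecting AD users still have to resolve to Unix accounts through winbind, and www-data must exist locally (it normally already does for the web server).

```ini
[webdata]
   comment = Web content; files end up owned by www-data whoever connects
   path = /srv/www/data
   ; checked against the user who authenticated against AD, before any
   ; identity switch, so it still restricts who may connect
   valid users = @"DOM\webdevs"
   ; once the connection is accepted, all file operations run as www-data
   force user = www-data
   force group = www-data
   create mask = 0664
   directory mask = 2775
```

Check the result with `testparm -s` and then `smbclient //server/webdata -U 'DOM\someuser'` for a user inside and one outside the group: the outsider should be refused at tree connect, and files created by the insider should show up owned by www-data:www-data.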


Re: [Samba] security = ads, username map and valid users

2013-01-24 Thread G.W. Haywood

Hi there,

On Thu, 24 Jan 2013, Rainer Canavan wrote:

I would like to use Samba (3.5.10 as supplied with RHEL6 if possible) to 
make some directories accessible as a filesystem to (some of) our developers. 
However, those directories are read and written by a web server, and all files 
and directories in there should belong to www-data:www-data.


The obvious solution is a username map ...


The username map feature is broken in current Samba 3 (although
possibly not in your preferred version) and AFAICT it is likely to
remain so for the forseeable future:

https://bugzilla.samba.org/show_bug.cgi?id=8881

My recommendation would be to avoid relying on the feature, which I
know is a royal pain because that's what I'm having to do, but if you
do find that you have to upgrade from your currently preferred version
then you might get bitten by the bug.

If enough people subscribe to the CC list on the bugzilla page maybe
it will get onto the radar screen of someone who is capable of doing
something about it.

--

73,
Ged.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] security=ADS related question

2012-03-20 Thread good ol' fighter
Hi all,

I am just struggling with SAMBA design and I was wondering whether anyone
here can help.  In my environment, there is an AD server and my SAMBA
server is on an AIX box.  I need to set up SAMBA so that it will use AD
authentication AND few particular users found in AD (but not yet in AIX)
will need to own the files within SAMBA shares. Is that possible?  The
thing is.. other than those 2 or 3 AD users being able to authenticate for
SAMBA (and SAMBA ONLY), I really do not want it to be used for AIX
authentication.  So what kind of configuration do I need to try?

I got a server that's checking AD for the password and it appears to be
successful, but currently it requires me to create an entry in the
/etc/passwd file

testuser:!:500:100::/dev/null:/bin/false


(but no password given).

And my smb.conf looks like below.

[global]
workgroup = TEST
security = ADS
encrypt passwords = Yes
realm = TEST.TESTDOMAIN.COM
winbind separator = +
log file = /opt/pware/var/log.%m
lock directory = /opt/pware/var/locks/samba
client schannel = no

idmap config TEST:default = yes
idmap config TEST:backend = tdb
idmap config TEST:range = 900 - 50
idmap alloc backend = tdb
idmap alloc config:range = 900 - 50

Am I doing this correctly?  I do not mind creating an entry in AIX, but if
anyone can either confirm or dispute that what I am doing is correct, that will
be great.

I've ordered Using SAMBA - 3rd edition but if someone is using a resource
that's better than that, please point me to it.

Thanks
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Security ADS and clearcase

2009-04-06 Thread Schreiber, Martin
Hello @List,
 
We have a pretty complex problem;
 
In our company AD is the one and only directory service; all other clients
need to follow the given settings and guidelines. We are connected via security
ADS, but every patch session on the PDCs is a nightmare: does it still work
or not? So we are thinking about alternatives to the existing situation. Please note, we
do not have any influence on AD settings. Only security ads is allowed, due to
security guidelines from HQ.
Now my question: is there a way to bypass this situation? We thought about an
LDAP gateway, or installing a standalone PDC in a dummy domain which sources
the AD for passwd and group settings, because we need seamless mounting of
Samba shares in order to provide our ClearCase VOBs to the XP clients.
 
Maybe someone is in a similar situation and can share his (her) knowledge with
the community.

Thanks in advance
Martin Schreiber
 
 

  Martin Schreiber

  Siemens IT Solutions and Services GmbH

  Gudrunstrasse 11 
  A-1101 Wien 
   Tel: +43(0)51707 47565
  Fax: +43(0) 51707 57560
 
  martin.a.schrei...@siemens.com 
  http://www.siemens.at/it-solutions

Siemens IT Solutions and Services GmbH, DVR 1009192, FN 180547k, Handelsgericht 
Wien, Firmensitz Wien

Important notice: This e-mail may contain trade or business secrets or other
confidential information. If you have received this e-mail in error, you are
expressly prohibited from taking note of its contents or from copying or
forwarding the e-mail. Please notify us and destroy the e-mail you received.
Thank you.

Important Note: This e-mail may contain trade secrets or privileged, 
undisclosed or otherwise confidential information. If you have received this 
e-mail in error, you are hereby notified that any review, copying or 
distribution of it is strictly prohibited. Please inform us immediately and 
destroy the original transmittal. Thank you for your cooperation

 

 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] security = ads problems

2008-03-04 Thread Oliver Henriot

Hi all,

I have setup a Samba server (3.0.24-6etch9) which I wish to integrate in 
an Active Directory domain using security = ads. I have followed the 
section in chapter 6 of the Samba documentation as well as the O'Reilly 
Samba book by Jerry et al. (3rd ed in french).


Everything seems to be fine. net join is ok. I can see domain user 
accounts using wbinfo -u and -g and using -p, -t and -a work fine too. 
getent mypassword DOM\user gives me the proper reply. kinit for domain 
users works fine. Time synchronisation is done by ntp against the DC. I 
have a test (browseable) and a homes (valid users = %S) share.


A domain user logged on a client workstation can see and browse the test 
share just fine. There is also a share corresponding to the users' name 
but when I want to open this share, a popup asking for the user name and 
password appears. Not only should I not get this, but even if I give the 
proper user name (in the form DOM\user) and password, I cannot open 
the share.


I think I have narrowed the problem down to an idmap backend problem, 
since the only error I find in the logs is :


   [2008/03/05 07:40:27, 0] sam/idmap.c:idmap_init(152)
 idmap_init: could not load remote backend 'tdb'
   [2008/03/05 07:40:27, 1] nsswitch/winbindd.c:main(986)
 Could not init idmap -- netlogon proxy only

I can't find any working solution to this (I have also tried using idmap 
backend = rid, same result but no errors are recorded in the logs) 
despite having sifted through the list archives, googled this way and 
that and re-read many a time the Samba doc and Jerry's book. I am at a 
loss as to what I can do to solve this so I'd be very grateful for any 
help provided. I have attached my config files for Samba and Kerberos. 
Thanks in advance.


Cheers,

Oliver

--
Oliver Henriot, UMS MI2S, http://mi2s.imag.fr/
Moyens Informatiques et Multimédia
Domaine universitaire BP53 / 38041 Grenoble cedex 9 / France
tel.: +33 4 76 51 43 48  fax: +33 4 76 51 47 15

Trust in CNRS's certificates
http://igc.services.cnrs.fr/Doc/General/trust.html 

[libdefaults]
 default_realm = DOM.CHEZMOI.FR
 dns_lookup_kdc = true
 krb4_config = /etc/krb.conf
 krb4_realms = /etc/krb.realms
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
 preferred_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
 v4_instance_resolve = false
 v4_name_convert = {
  host = {
   rcmd = host
   ftp = ftp
  }
  plain = {
   something = something-else
  }
 }
 fcc-mit-ticketflags = true
[realms]
 DOM.CHEZMOI.FR = {
  kdc = srv.dom.chezmoi.fr
  kdc = srv2.dom.chezmoi.fr
  admin_server = srv.dom.chezmoi.fr
 }
[domain_realm]
 .dom.chezmoi.fr = DOM.CHEZMOI.FR
 dom.chezmoi.fr = DOM.CHEZMOI.FR
[login]
 krb4_convert = true
 krb4_get_tickets = false 
[global]
   workgroup = DOM
   server string = %h
   dns proxy = no
   security = ads
   realm = DOM.CHEZMOI.FR
   allow trusted domains = no
   password server = srv.dom.chezmoi.fr
   idmap uid = 1-2
   idmap gid = 1-2
   idmap backend = tdb
   template shell = /bin/false
   template homedir = /home/%U
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   load printers = no
   socket options = TCP_NODELAY
[test_smb]
   comment = Test integration ADS
   browseable = yes
   writable = no
   path = /tmp/test_smb
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] security = ads -- invalide user

2007-05-10 Thread Urs Golla

Hello

I try to run SAMBA with security = ads on AIX 5.3 with SAMBA 3.0.23d.
net ads join was successful and the machine is now visible in the Domain
with the netbios name.

When I try to access the shares on the machine the log.smbd file says:

(...)
[2007/05/10 08:58:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
 Username MYDOMAIN/MYUSERNAME is invalid on this system
[2007/05/10 08:58:16, 3] smbd/error.c:error_packet(146)
 error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
(...)


**
smb.conf:

[global]
winbind separator = /
netbios name = MYNETBIOSNAME
winbind enum users = yes
workgroup = MYDOMAIN
winbind enum groups = yes
#password server = *
password server = MYPASSWORDSERVER
encrypt passwords = yes
dns proxy = no
realm = MYREALM
security = ADS
wins proxy = no
winbind use default domain = Yes
client use spnego = yes
#idmap uid = 1-2
#winbind gid = 1-2
preferred master = no
log level = 3
wins server = x.x.x.x
#auth methods = guest sam winbind
#idmap uid = 1-2
idmap gid = 1-2


[testsamba]
comment = Samba testfolder
path = /testsamba
read only = no
valid users = MYDOMAIN/USERNAME

**

I also mapped the domain groups with net groupmap

# ./net groupmap list
Domain Users (S-1-5-21-3687956107-1621720357-3427760348-513) - domainusers
Domain Guests (S-1-5-21-3687956107-1621720357-3427760348-997) - nobody
Administrators (S-1-5-32-544) - 5000
mygroup (S-1-5-21-3687956107-1621720357-3427760348-14001) - mygroup
Users (S-1-5-32-545) - 5001

-- MYDOMAIN/USERNAME is a member of MYDOMAIN/mygroup


Why does it say invalid user? I think I should also be able to browse the
shares without a valid user...

any help is much appreciated!!!

Regards
Urs
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


R: [Samba] security = ads -- invalide user

2007-05-10 Thread Gianluca Culot

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On behalf of Urs Golla
 Sent: Thursday, 10 May 2007 9.44
 To: samba@lists.samba.org
 Subject: [Samba] security = ads -- invalide user


 Hello

 I try to run SAMBA with security = ads on AIX 5.3 with SAMBA 3.0.23d.
 net ads join was successful and the machine is now visible in the Domain
 with the netbios name.

 When I try to access the shares on the machine the log.smbd file says:

 (...)
 [2007/05/10 08:58:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
   Username MYDOMAIN/MYUSERNAME is invalid on this system
 [2007/05/10 08:58:16, 3] smbd/error.c:error_packet(146)
   error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
 NT_STATUS_LOGON_FAILURE
 (...)


 **
 smb.conf:

 [global]
 winbind separator = /
 netbios name = MYNETBIOSNAME
 winbind enum users = yes
 workgroup = MYDOMAIN
 winbind enum groups = yes
 #password server = *
 password server = MYPASSWORDSERVER
 encrypt passwords = yes
 dns proxy = no
 realm = MYREALM
 security = ADS
 wins proxy = no
 winbind use default domain = Yes
 client use spnego = yes
 #idmap uid = 1-2
 #winbind gid = 1-2
 preferred master = no
 log level = 3
 wins server = x.x.x.x
 #auth methods = guest sam winbind
 #idmap uid = 1-2
 idmap gid = 1-2


 [testsamba]
  comment = Samba testfolder
  path = /testsamba
  read only = no
  valid users = MYDOMAIN/USERNAME

 **

 I also mapped the domain groups with net groupmap

 # ./net groupmap list
 Domain Users (S-1-5-21-3687956107-1621720357-3427760348-513) -
 domainusers
 Domain Guests (S-1-5-21-3687956107-1621720357-3427760348-997) - nobody
 Administrators (S-1-5-32-544) - 5000
 mygroup (S-1-5-21-3687956107-1621720357-3427760348-14001) - mygroup
 Users (S-1-5-32-545) - 5001

 -- MYDOMAIN/USERNAME is a member of MYDOMAIN/mygroup
 

 Why does it say invalid user? I think I should also be able to
 browse the
 shares without a valid user...

 any help is much appreciated!!!

 Regards
 Urs
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba


I would check
winbind separator = /

to my knowledge it should be
winbind separator = \

or could be commented out as its default is \

I've set up a samba 3.0.24,1 on freebsd with ads against a Windows 2003 Server
and I did not specify Winbind Separator


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: R: [Samba] security = ads -- invalide user

2007-05-10 Thread Urs Golla

Hi

Still the same problem...

I think the connection to the domain is OK, because if I use a non-existent
user, the log says: FAILED with error NT_STATUS_NO_SUCH_USER

If I use a wrong password it also gives me a different error message.

cheers

On 5/10/07, Gianluca Culot [EMAIL PROTECTED] wrote:



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On behalf of Urs Golla
 Sent: Thursday, 10 May 2007 9.44
 To: samba@lists.samba.org
 Subject: [Samba] security = ads -- invalide user


 Hello

 I try to run SAMBA with security = ads on AIX 5.3 with SAMBA 3.0.23d.
 net ads join was successful and the machine is now visible in the
Domain
 with the netbios name.

 When I try to access the shares on the machine the log.smbd file says:

 (...)
 [2007/05/10 08:58:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
   Username MYDOMAIN/MYUSERNAME is invalid on this system
 [2007/05/10 08:58:16, 3] smbd/error.c:error_packet(146)
   error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
 NT_STATUS_LOGON_FAILURE
 (...)


 **
 smb.conf:

 [global]
 winbind separator = /
 netbios name = MYNETBIOSNAME
 winbind enum users = yes
 workgroup = MYDOMAIN
 winbind enum groups = yes
 #password server = *
 password server = MYPASSWORDSERVER
 encrypt passwords = yes
 dns proxy = no
 realm = MYREALM
 security = ADS
 wins proxy = no
 winbind use default domain = Yes
 client use spnego = yes
 #idmap uid = 1-2
 #winbind gid = 1-2
 preferred master = no
 log level = 3
 wins server = x.x.x.x
 #auth methods = guest sam winbind
 #idmap uid = 1-2
 idmap gid = 1-2


 [testsamba]
  comment = Samba testfolder
  path = /testsamba
  read only = no
  valid users = MYDOMAIN/USERNAME

 **

 I also mapped the domain groups with net groupmap

 # ./net groupmap list
 Domain Users (S-1-5-21-3687956107-1621720357-3427760348-513) -
 domainusers
 Domain Guests (S-1-5-21-3687956107-1621720357-3427760348-997) - nobody
 Administrators (S-1-5-32-544) - 5000
 mygroup (S-1-5-21-3687956107-1621720357-3427760348-14001) - mygroup
 Users (S-1-5-32-545) - 5001

 -- MYDOMAIN/USERNAME is a member of MYDOMAIN/mygroup
 

 Why does it say invalid user? I think I should also be able to
 browse the
 shares without a valid user...

 any help is much appreciated!!!

 Regards
 Urs
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba


I would check
winbind separator = /

to my knowledge it should be
winbind separator = \

or could be commented out as its default is \

I've set up a samba 3.0.24,1 on freebsd with ads against a Windows 2003
Server
and I did not specify Winbind Separator




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


R: R: [Samba] security = ads -- invalide user

2007-05-10 Thread Gianluca Culot

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On behalf of Urs Golla
 Sent: Thursday, 10 May 2007 10.04
 To: samba@lists.samba.org
 Subject: Re: R: [Samba] security = ads -- invalide user


 Hi

 Still the same problem...

 I think the connection to the domain is OK, because if I use a
 non-existent
 user, the log says: FAILED with error NT_STATUS_NO_SUCH_USER

 If I use a wrong password it also gives me a different error message.

 cheers

 On 5/10/07, Gianluca Culot [EMAIL PROTECTED] wrote:
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]
   On behalf of Urs Golla
   Sent: Thursday, 10 May 2007 9.44
   To: samba@lists.samba.org
   Subject: [Samba] security = ads -- invalide user
  
  
   Hello
  
   I try to run SAMBA with security = ads on AIX 5.3 with SAMBA 3.0.23d.
   net ads join was successful and the machine is now visible in the
  Domain
   with the netbios name.
  
   When I try to access the shares on the machine the log.smbd
 file says:
  
   (...)
   [2007/05/10 08:58:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
 Username MYDOMAIN/MYUSERNAME is invalid on this system
   [2007/05/10 08:58:16, 3] smbd/error.c:error_packet(146)
 error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
   NT_STATUS_LOGON_FAILURE
   (...)
  
  
   **
   smb.conf:
  
   [global]
   winbind separator = /
   netbios name = MYNETBIOSNAME
   winbind enum users = yes
   workgroup = MYDOMAIN
   winbind enum groups = yes
   #password server = *
   password server = MYPASSWORDSERVER
   encrypt passwords = yes
   dns proxy = no
   realm = MYREALM
   security = ADS
   wins proxy = no
   winbind use default domain = Yes
   client use spnego = yes
   #idmap uid = 1-2
   #winbind gid = 1-2
   preferred master = no
   log level = 3
   wins server = x.x.x.x
   #auth methods = guest sam winbind
   #idmap uid = 1-2
   idmap gid = 1-2
  
  
   [testsamba]
comment = Samba testfolder
path = /testsamba
read only = no
valid users = MYDOMAIN/USERNAME
  
   **
  
   I also mapped the domain groups with net groupmap
  
   # ./net groupmap list
   Domain Users (S-1-5-21-3687956107-1621720357-3427760348-513) -
   domainusers
   Domain Guests (S-1-5-21-3687956107-1621720357-3427760348-997)
 - nobody
   Administrators (S-1-5-32-544) - 5000
   mygroup (S-1-5-21-3687956107-1621720357-3427760348-14001) - mygroup
   Users (S-1-5-32-545) - 5001
  
   -- MYDOMAIN/USERNAME is a member of MYDOMAIN/mygroup
   
  
   Why does it say invalid user? I think I should also be able to
   browse the
   shares without a valid user...
  
   any help is much appreciated!!!
  
   Regards
   Urs
   --
   To unsubscribe from this list go to the following URL and read the
   instructions:  https://lists.samba.org/mailman/listinfo/samba
  
 
  I would check
  winbind separator = /
 
  to my knowledge it should be
  winbind separator = \
 
  or could be commented out as its default is \
 
  I've set up a samba 3.0.24,1 on freebsd with ads against a Windows 2003
  Server
  and I did not specify Winbind Separator
 
 
 
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba


Why did you map only GROUPS
idmap gid = 1-2
and NOT users ?
#idmap uid = 1-2

why have you set
client use spnego = yes

what AD server are you connecting to ?

Here is my copy of smb.conf
have a look, and check differences...
My only problem at the moment is that the LS (list file) command doesn't show me
AD users and group names, but only IDs. Not a problem, but it makes server
management extremely difficult for non-pro people.

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.IT
server string = mail
security = ADS
password server = server.MYDOMAIN.it
passdb backend = tdbsam
log file = /var/log/samba/log.%m
add user script = /usr/sbin/pw useradd %u
delete user script = /usr/sbin/pw userdel %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/pw groupdel %g
preferred master = No
idmap uid = 1-4
idmap gid = 1-4
template homedir = /home/%U
template shell = /bin/csh
winbind cache time = 3600
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config DMSWARE:range = 1 - 4
idmap config DMSWARE:base_rid = 1000
idmap config DMSWARE:backend = ad



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
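The "Username MYDOMAIN/MYUSERNAME is invalid on this system" line in the original post means smbd accepted the Kerberos ticket but could not turn the domain user into a Unix account, and the reply above points at the missing `idmap uid` range. The following is an added example, not code from the thread or from Samba, that pre-checks the two local prerequisites for that lookup: winbind listed for passwd and group in nsswitch.conf, and usable idmap UID and GID ranges in smb.conf. The sample file contents are constructed for the demo (the 10000-20000 ranges and the "below 1000 collides with system accounts" threshold are assumptions, not values from the page).

```python
"""Pre-flight check for the 'Username DOMAIN/user is invalid on this system'
symptom: smbd accepted the Kerberos ticket but could not resolve the domain
user to a Unix account.  Two local prerequisites for that lookup are checked:
winbind in the passwd/group lines of nsswitch.conf, and usable idmap ranges
in smb.conf (a GID range alone is not enough).  Added example, not code from
the thread or from Samba; the sample file contents are constructed."""
import re

# Constructed sample files.  SMB_CONF_GID_ONLY mirrors the thread's config:
# 'idmap uid' commented out, only 'idmap gid' set.  The 10000-20000 ranges
# are illustrative values chosen for this example, not taken from the page.
NSSWITCH_FILES_ONLY = "passwd: files\ngroup:  files\nshadow: files\n"
NSSWITCH_WINBIND = "passwd: files winbind\ngroup:  files winbind\nshadow: files\n"
SMB_CONF_GID_ONLY = """[global]
   workgroup = MYDOMAIN
   realm = MYREALM
   security = ADS
   #idmap uid = 10000-20000
   idmap gid = 10000-20000
[testsamba]
   path = /testsamba
"""
SMB_CONF_BOTH = SMB_CONF_GID_ONLY.replace("#idmap uid", "idmap uid")


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text, ignoring comments."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased keys; '#' and ';' start comments."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def parse_range(value):
    """'10000-20000' or '10000 - 20000' -> (10000, 20000); None if malformed."""
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", value.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def check_member_server(nsswitch_text, smb_conf_text):
    """Return a list of findings; an empty list means the prerequisites look fine."""
    findings = []
    nss = parse_nsswitch(nsswitch_text)
    for database in ("passwd", "group"):
        if "winbind" not in nss.get(database, []):
            findings.append(f"nsswitch.conf: '{database}' does not list winbind, so "
                            "domain accounts cannot be resolved through NSS")
    g = parse_smb_conf(smb_conf_text).get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: 'security' is not 'ads'")
    # 'idmap uid'/'idmap gid' are the Samba 3.0-era keys used in the thread;
    # 'idmap config <DOMAIN>:range' is the newer form and is accepted instead.
    new_style = [k for k in g if k.startswith("idmap config") and k.endswith(":range")]
    for key in ("idmap uid", "idmap gid"):
        if key in g:
            rng = parse_range(g[key])
            if rng is None:
                findings.append(f"smb.conf: '{key} = {g[key]}' is not a valid low-high range")
            elif rng[0] < 1000:  # assumed threshold for local system accounts
                findings.append(f"smb.conf: '{key}' range starts below 1000 and may "
                                "collide with local system accounts")
        elif not new_style:
            findings.append(f"smb.conf: no '{key}' range, so winbind cannot allocate "
                            f"Unix {key.split()[1].upper()}s for domain accounts")
    return findings


if __name__ == "__main__":
    for finding in check_member_server(NSSWITCH_FILES_ONLY, SMB_CONF_GID_ONLY):
        print("-", finding)
```

On a real host, feed it the contents of /etc/nsswitch.conf and the output of `testparm -s` rather than the raw smb.conf, so that includes and defaults are already resolved; an empty result only says the local side is plausible, and `wbinfo -i DOMAIN\user` then confirms whether winbind actually resolves the account.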


Re: R: R: [Samba] security = ads -- invalide user

2007-05-10 Thread Urs Golla

Hi Gianluca

Thanks a lot for your response!

spnego:

From the Official Samba-3 HOWTO (Section 6.6.3, page 80):

Windows 2003 requires SMB signing.  Client-side SMB signing has been
implemented in Samba 3.0.  Set client use spnego = yes when
communicating with a Windows 2003 server.


AD is 2003

I map now groups AND users. -- It still does not work... any idea?



On 5/10/07, Gianluca Culot [EMAIL PROTECTED] wrote:



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On behalf of Urs Golla
 Sent: Thursday, 10 May 2007 10.04
 To: samba@lists.samba.org
 Subject: Re: R: [Samba] security = ads -- invalide user


 Hi

 Still the same problem...

 I think the connection to the domain is OK, because if I use a
 non-existent
 user, the log says: FAILED with error NT_STATUS_NO_SUCH_USER

 If I use a wrong password it also gives me a different error message.

 cheers

 On 5/10/07, Gianluca Culot [EMAIL PROTECTED] wrote:
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]
   On behalf of Urs Golla
   Sent: Thursday, 10 May 2007 9.44
   To: samba@lists.samba.org
   Subject: [Samba] security = ads -- invalide user
  
  
   Hello
  
   I try to run SAMBA with security = ads on AIX 5.3 with SAMBA 3.0.23d
.
   net ads join was successful and the machine is now visible in the
  Domain
   with the netbios name.
  
   When I try to access the shares on the machine the log.smbd
 file says:
  
   (...)
   [2007/05/10 08:58:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
 Username MYDOMAIN/MYUSERNAME is invalid on this system
   [2007/05/10 08:58:16, 3] smbd/error.c:error_packet(146)
 error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
   NT_STATUS_LOGON_FAILURE
   (...)
  
  
   **
   smb.conf:
  
   [global]
   winbind separator = /
   netbios name = MYNETBIOSNAME
   winbind enum users = yes
   workgroup = MYDOMAIN
   winbind enum groups = yes
   #password server = *
   password server = MYPASSWORDSERVER
   encrypt passwords = yes
   dns proxy = no
   realm = MYREALM
   security = ADS
   wins proxy = no
   winbind use default domain = Yes
   client use spnego = yes
   #idmap uid = 1-2
   #winbind gid = 1-2
   preferred master = no
   log level = 3
   wins server = x.x.x.x
   #auth methods = guest sam winbind
   #idmap uid = 1-2
   idmap gid = 1-2
  
  
   [testsamba]
comment = Samba testfolder
path = /testsamba
read only = no
valid users = MYDOMAIN/USERNAME
  
   **
  
   I also mapped the domain groups with net groupmap
  
   # ./net groupmap list
   Domain Users (S-1-5-21-3687956107-1621720357-3427760348-513) -
   domainusers
   Domain Guests (S-1-5-21-3687956107-1621720357-3427760348-997)
 - nobody
   Administrators (S-1-5-32-544) - 5000
   mygroup (S-1-5-21-3687956107-1621720357-3427760348-14001) - mygroup
   Users (S-1-5-32-545) - 5001
  
   -- MYDOMAIN/USERNAME is a member of MYDOMAIN/mygroup
   
  
   Why does it say invalid user? I think I should also be able to
   browse the
   shares without a valid user...
  
   any help is much appreciated!!!
  
   Regards
   Urs
   --
   To unsubscribe from this list go to the following URL and read the
   instructions:  https://lists.samba.org/mailman/listinfo/samba
  
 
  I would check
  winbind separator = /
 
  to my knowledge it should be
  winbind separator = \
 
  or could be commented out as its default is \
 
  I've set up a samba 3.0.24,1 on freebsd with ads against a Windows 2003
  Server
  and I did not specify Winbind Separator
 
 
 
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba


Why did you map only GROUPS
idmap gid = 1-2
and NOT users ?
#idmap uid = 1-2

why have you set
client use spnego = yes

what AD server are you connecting to ?

Here is my copy of smb.conf
have a look, and check differences...
My only problem at the moment is that the ls (list files) command doesn't show
me
AD user and group names, but only IDs. Not a problem, but it makes server
management extremely difficult for non-pro people.

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.IT
server string = mail
security = ADS
password server = server.MYDOMAIN.it
passdb backend = tdbsam
log file = /var/log/samba/log.%m
add user script = /usr/sbin/pw useradd %u
delete user script = /usr/sbin/pw userdel %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/pw groupdel %g
preferred master = No
idmap uid = 1-4
idmap gid = 1-4
template homedir = /home/%U
template shell = /bin/csh
winbind cache time = 3600
winbind

Re: R: R: R: [Samba] security = ads -- invalide user

2007-05-10 Thread Urs Golla

Hi Gianluca,

How did you define your shares in the smb.conf? Can you send me an example?

thanks
Urs
On 5/10/07, Urs Golla [EMAIL PROTECTED] wrote:


If I set client use spnego = no in the smb.conf it says:

  Requested protocol [LANMAN2.1]
[2007/05/10 13:00:57, 3] smbd/negprot.c:reply_negprot(487)
  Requested protocol [NT LM 0.12]
[2007/05/10 13:00:57, 3] smbd/negprot.c:reply_nt1(357)
  using SPNEGO
[2007/05/10 13:00:57, 3] smbd/negprot.c:reply_negprot(580)
  Selected protocol NT LM 0.12
[2007/05/10 13:00:57, 3] smbd/process.c:process_smb(1110)
  Transaction 1 of length 250

...but testparm tells me, it is set to no. What does that mean?

On 5/10/07, Gianluca Culot  [EMAIL PROTECTED] wrote:

  YES :D
 Remove spnego...
 I tried to use spnego... never worked

 without... runs smoothly and perfectly



 --
 Gianluca Culot
 DMS Multimedia
 Via delle Arti e dei Mestieri, 6
 20050 Sulbiate (Mi) - Italy
 Tel: +39 039 5968925
 Fax: +39 039 3309813
 [EMAIL PROTECTED]
 http://www.dmsware.com/


 The information in this electronic mail message, including any
 attachments, is confidential and may be legally privileged. It is intended
 solely for the addressee(s). Access to this Internet electronic mail message
 by anyone else is unauthorised. If you are not the intended recipient, any
 disclosure, copying, distribution or action taken or omitted to be taken in
 reliance on it is prohibited and may be unlawful. The sender believes that
 this E-mail and any attachments were free of any virus, worm, Trojan horse,
 and/or malicious code when sent. This message and its attachments could have
 been infected during transmission. By reading the message and opening the
 attachments, the recipient accepts full responsibility for taking protective
 and remedial action about viruses and other defects.DMS Multimedia is
 not liable for any loss or damage arising in any way from this message or
 its attachments

 -Original Message-
 From: Urs Golla [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 10 May 2007 11:47
 To: Gianluca Culot
 Cc: samba@lists.samba.org
 Subject: Re: R: R: [Samba] security = ads -- invalide user

 Hi Gianluca

 Thanks a lot for your response!

 spnego:

 From the Official Samba-3 HOWTO (Section 6.6.3, page 80):

 Windows 2003 requires SMB signing.  Client-side SMB signing has been
 implemented in Samba 3.0.  Set client use spnego = yes when
 communicating with a Windows 2003 server.


 AD is 2003

 I map now groups AND users. -- It still does not work... any idea?



 On 5/10/07, Gianluca Culot [EMAIL PROTECTED] wrote:
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]] On behalf of Urs Golla
   Sent: Thursday, 10 May 2007 10:04
   To: samba@lists.samba.org
   Subject: Re: R: [Samba] security = ads -- invalide user
  
  
   Hi
  
   Still the same problem...
  
   I think the connection to the domain is ok. because if i use a
   non existent
   user, the log says: FAILED with error NT_STATUS_NO_SUCH_USER
  
   If I use a wrong password is gives me also a different error
  message.
  
   cheers
  
   On 5/10/07, Gianluca Culot [EMAIL PROTECTED]  wrote:
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of Urs Golla
 Sent: Thursday, 10 May 2007 9:44
 To: samba@lists.samba.org
 Subject: [Samba] security = ads -- invalide user


 Hello

 I try to run SAMBA with security = ads on AIX 5.3 with SAMBA
  3.0.23d.
 net ads join was successful and the machine is now visible in
  the
Domain
 with the netbios name.

 When I try to access the shares on the machine the log.smbd
   files says:

 (...)
 [2007/05/10 08:58:16, 1]
  smbd/sesssetup.c:reply_spnego_kerberos(310)
   Username MYDOMAIN/MYUSERNAME is invalid on this system
 [2007/05/10 08:58:16, 3] smbd/error.c:error_packet(146)
   error

R: R: R: R: [Samba] security = ads -- invalide user

2007-05-10 Thread Gianluca Culot
here is

[Home]
path = /home
read only = No
[websites]
path = /usr/local/www/
valid users = DMSWARE\gianlucaculot
write list = DMSWARE\gianlucaculot, @DMSWARE\software,
@DMSWARE\softwarespv
read only = No
create mask = 0775
directory mask = 0775

and I'll be bold enough to add an explanation (HEY! I'm NOT a pro! I started
with samba two weeks ago!)


[Home]
path = /home
read only = No

the home share is peculiar
it is open... as every subdirectory in it (user1 , user2 , user3)
is owned by each user and has 700 permission (only owner user can get in),
and the owner is
DOMAIN\userxxx
Please NOTE the \
Open means that every user could create a subdir in Home ???
well... at this right moment YES !
in the future I'll change it, when testing will be over.


[websites]
path = /usr/local/www/
valid users = DMSWARE\gianlucaculot
write list = DMSWARE\gianlucaculot, @DMSWARE\software,
@DMSWARE\softwarespv
read only = No
create mask = 0775
directory mask = 0775

that's more complicated  ;) no...
I use it to manage websites (currently only webmail) from my intranet.
please note again the \ in the usernames
for groups use @, which means all users inside the file/group
IF the groupname (or username) has a space (or other special chars inside)
use
@DOMAIN\spaced group name

here is the listing of the /usr/local/www
drwxr-xr-x  11 root  wheel  512 May 10 11:30 .
drwxr-xr-x  19 root  wheel  512 May  7 15:16 ..
drwxr-xr-x   2 root  wheel  512 May  7 14:29 DMScmf
drwxr-xr-x   6 root  wheel  512 May  7 15:17 apache22
drwxr-xr-x   8 root  wheel  512 May  4 12:40 awstats
drwxr-xr-x   2 root  wheel  512 May  9 18:00 cgi-bin
drwxr-xr-x  11 root  wheel  512 May 10 14:35 downloads
drwxr-xr-x  14 root  wheel  512 May  3 15:32 squirrelmail

as you can see everything belongs to root:wheel
no user permission granted at OS level.


HEY... but this info should be confidential...
;)

well I trust a LOT my firewalls :-D
and I trust a lot OpenSource community
;-P

Regards

And if some skilled guy notes something wrong...
PLEASE LET ME KNOW !


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On behalf of Urs Golla
 Sent: Thursday, 10 May 2007 13:14
 To: samba@lists.samba.org
 Subject: Re: R: R: R: [Samba] security = ads -- invalide user


 Hi Gianluca,

 How did you define your shares in the smb.conf? Can you send me
 an example?

 thanks
 Urs
 On 5/10/07, Urs Golla [EMAIL PROTECTED] wrote:
 
  If I set client use spnego = no in the smb.conf it says:
 
Requested protocol [LANMAN2.1]
  [2007/05/10 13:00:57, 3] smbd/negprot.c:reply_negprot(487)
Requested protocol [NT LM 0.12]
  [2007/05/10 13:00:57, 3] smbd/negprot.c:reply_nt1(357)
using SPNEGO
  [2007/05/10 13:00:57, 3] smbd/negprot.c:reply_negprot(580)
Selected protocol NT LM 0.12
  [2007/05/10 13:00:57, 3] smbd/process.c:process_smb(1110)
Transaction 1 of length 250
 
  ...but testparm tells me, it is set to no. What does that mean?
 
  On 5/10/07, Gianluca Culot  [EMAIL PROTECTED] wrote:
  
YES :D
   Remove spnego...
   I tried to use spnego... never worked
  
   without... runs smoothly and perfectly
  
  
  
   --
   Gianluca Culot
   DMS Multimedia
   Via delle Arti e dei Mestieri, 6
   20050 Sulbiate (Mi) - Italy
   Tel: +39 039 5968925
   Fax: +39 039 3309813
   [EMAIL PROTECTED]
   http://www.dmsware.com/
  
  
   The information in this electronic mail message, including any
   attachments, is confidential and may be legally privileged.
 It is intended
   solely for the addressee(s). Access to this Internet
 electronic mail message
   by anyone else is unauthorised. If you are not the intended
 recipient, any
   disclosure, copying, distribution or action taken or omitted
 to be taken in
   reliance on it is prohibited and may be unlawful
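
The share definitions Gianluca lists above hinge on two things a reviewer would want to check mechanically: every account or group name in `valid users` / `write list` must use the separator that `winbind separator` is set to (the first thing Urs was told to check earlier in the thread), and a writable share with no `valid users` line, like the `[Home]` share described as "open", is reachable by every authenticated domain user. The script below is an added example, not code from the Samba project or from anyone in this thread. It parses an smb.conf, flags name-list entries whose separator disagrees with the configured one, and flags writable shares that carry no `valid users` restriction. The configuration it reads is constructed for the example: the share and account names come from the thread, the rest is assumed.

```python
"""Audit access controls in an smb.conf share by share.

Added example, not code from Samba or from anyone in this thread. The
configuration below is constructed for the example (the share names and
account names come from the thread, the remaining settings are assumed).
"""
import re
from collections import OrderedDict

SAMPLE_CONF = r"""
[global]
   security = ADS
   workgroup = DMSWARE
   winbind separator = \
   winbind use default domain = No

[Home]
   path = /home
   read only = No

[websites]
   path = /usr/local/www/
   valid users = DMSWARE\gianlucaculot
   write list = DMSWARE\gianlucaculot, @DMSWARE\software, "@DMSWARE\spaced group name"
   read only = No

[testsamba]
   comment = Samba testfolder
   path = /testsamba
   read only = no
   valid users = MYDOMAIN/USERNAME
"""

USER_LIST_PARAMS = ("valid users", "invalid users", "read list", "write list", "admin users")
SEPARATORS = ("\\", "/", "+")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {parameter: value}}.
    Parameter names are lower-cased and whitespace-normalised, as testparm does."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.match(r"^\[(.+)\]$", line)
        if match:
            current = match.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def split_name_list(value):
    """Split a Samba name list: comma/space separated, quotes for names with spaces."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|[^,\s]+', value)]


def is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def share_is_writable(share):
    """'read only' defaults to yes; 'writable'/'writeable' are its inverse synonyms."""
    if "read only" in share:
        return not is_yes(share["read only"])
    return is_yes(share.get("writable", share.get("writeable")))


def audit(conf_text):
    """Return a list of human-readable findings for the given smb.conf text."""
    sections = parse_smb_conf(conf_text)
    separator = sections.get("global", {}).get("winbind separator", "\\")
    findings = []
    for name, share in sections.items():
        if name.lower() == "global":
            continue
        # 1. Account names must use the configured winbind separator.
        for param in USER_LIST_PARAMS:
            for entry in split_name_list(share.get(param, "")):
                bare = entry.lstrip("@+&")  # strip Samba's group-prefix characters
                for sep in SEPARATORS:
                    if sep != separator and sep in bare:
                        findings.append(
                            f"[{name}] {param}: '{entry}' uses '{sep}' but "
                            f"winbind separator is '{separator}'")
        # 2. A writable share with no 'valid users' is open to every authenticated user.
        if (share_is_writable(share) and not share.get("valid users")
                and not is_yes(share.get("guest ok"))):
            findings.append(f"[{name}] is writable and has no 'valid users' restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the constructed configuration it reports the open `[Home]` share and the `MYDOMAIN/USERNAME` entry that uses `/` while the separator is `\`; `[websites]` passes because its entries use the configured separator and access is restricted. It deliberately reads the raw file rather than `testparm -s` output so that it can be run on a copy of the config from any machine.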

Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-20 Thread Dale Schroeder

Gerald (Jerry) Carter wrote:


Dale Schroeder wrote:
  

I've attached the screenshots, but I think my
confusion was expecting the pdc to display the FQDN
from its DNS records for the samba system,
not the hosts file on the samba system.



I will almost guarantee that you have host a
broken /etc/hosts  on you Samba box.  The machine's
hostname should not be listed in the 127.0.0.1 line.
This will also break Krb5 authentication.

Fix this on the Unix box and rejoin the domain.
Should be fine.
  


You are quite correct that adding the missing parameter to the hosts 
file and rejoining the domain would fix this problem.


That leaves only the 'valid users' bug you mentioned.   Of the three 
parameters following:


1. 'valid users' had to be disabled
2. 'write list' had to be present
3. 'admin users' had no effect either way

in order for me to access the test share.  I used all three quite 
frequently in 3.0.22 and prior, so I surely do hope it is something that 
can be remedied.


I greatly appreciate your time and your help.

Dale
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-20 Thread Gerald (Jerry) Carter

Dale Schroeder wrote:

 You are quite correct that adding the missing parameter 
 to the hosts file and rejoining the domain would fix
 this problem.
 
 That leaves only the 'valid users' bug you mentioned.   
 Of the three parameters following:
 
 1. 'valid users' had to be disabled
 2. 'write list' had to be present
 3. 'admin users' had no effect either way

Fixed in 3.0.23a:
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi?rev=17022&view=rev

Please test the svn://svnanon.samba.org/samba/branches/SAMBA_3_0_23
tree to be sure.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


[Samba] Security = ADS and 3.0.23 Upgrade

2006-07-19 Thread Dale Schroeder
Since upgrading to 3.0.23 I have encountered several problems. (latest 
Debian Sarge with deb's from samba.org and security = ADS).  All was 
working flawlessly before.


1. getent passwd no longer lists machine accounts.
2. On the Win2K pdc, the samba system's DNS name on the general tab 
is now listed as localhost.localdomain, and the operating system is 
still listed as Samba 3.0.22.  (In the DNS mmc, the DNS records are 
correct.)

3. Old shares are accessible, newly created ones are not.

I need to know what's going on before I deploy to my production 
systems.  I've read all the emails and have not seen this issue 
mentioned.  I initially thought it might be the ldap issue mentioned in 
the release notes, but my installation of openldap has not been using 
the samba.schema.


Thanks,
Dale




Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-19 Thread Gerald (Jerry) Carter

Dale Schroeder wrote:
 Since upgrading to 3.0.23 I have encountered several problems. (latest
 Debian Sarge with deb's from samba.org and security = ADS).  All was
 working flawlessly before.
 
 1. getent passwd no longer lists machine accounts.

Only machines?  Or no domain users at all?  Please read
the release notes.  'winbind enum users' was disabled by
default in 3.0.23.

 2. On the Win2K pdc, the samba system's DNS name 
 on the general tab is now listed as localhost.localdomain,
 and the operating system is still listed as Samba 3.0.22.
 (In the DNS mmc, the DNS records are correct.)

Did you rejoin the domain ?  If so, looks like you have
a broken  /etc/hosts file in the Samba box.  Fix your hostname.

We don't set the Operating system attribute any more.
Just delete that.

 3. Old shares are accessible, newly created ones are not.

Not enough detail here.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-19 Thread Dale Schroeder

Gerald (Jerry) Carter wrote:


Dale Schroeder wrote:
  

Since upgrading to 3.0.23 I have encountered several problems. (latest
Debian Sarge with deb's from samba.org and security = ADS).  All was
working flawlessly before.

1. getent passwd no longer lists machine accounts.



Only machines?  Or no domain users at all?  Please read
the release notes.  'winbind enum users' was disabled by
default in 3.0.23.
  


   Domain users are listed, machines are not.
   'winbind enum users = Yes' is and has been set, as has 'winbind enum 
groups = Yes'.
  
2. On the Win2K pdc, the samba system's DNS name 
on the general tab is now listed as localhost.localdomain,

and the operating system is still listed as Samba 3.0.22.
(In the DNS mmc, the DNS records are correct.)



Did you rejoin the domain ?  If so, looks like you have
a broken  /etc/hosts file in the Samba box.  Fix your hostname.

We don't set the Operating system attribute any more.
Just delete that.
  
   I did not rejoin the domain.  I checked, and both hosts and hostname 
files are correct.  I now understand that this is the current default 
behavior.
  

3. Old shares are accessible, newly created ones are not.



Not enough detail here.
  


   Sorry for the lack of clarity and detail.

   A share with 'valid users = DOMAIN+%S' works as before.
   A new share with 'valid users = @DOMAIN+Domain Users, DOMAIN+dale' 
fails where it previously worked.  A username/password dialog opens and 
refuses all credentials.  This particular valid user directive worked 
seamlessly in 3.0.22.
net groupmap list only retrieves the two BUILTIN groups (administrator 
and user), so it appears that it no longer finds all the Windows domain 
groups.  The release notes said default group mapping changes affected 
only tdbsam and smbpasswd backends.  Is this correct?  If so, perhaps I 
do need to rejoin the domain.


Thank you for the reply,
Dale




Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-19 Thread Howard Wilkinson

You need to set

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = no

[ not certain about the last but it worked for me ]

Howard.

Dale Schroeder wrote:


Gerald (Jerry) Carter wrote:



Dale Schroeder wrote:
 


Since upgrading to 3.0.23 I have encountered several problems. (latest
Debian Sarge with deb's from samba.org and security = ADS).  All was
working flawlessly before.

1. getent passwd no longer lists machine accounts.




Only machines?  Or no domain users at all?  Please read
the release notes.  'winbind enum users' was disabled by
default in 3.0.23.
  



   Domain users are listed, machines are not.
   'winbind enum users = Yes' is and has been set, as has 'winbind 
enum groups = Yes'.


 

2. On the Win2K pdc, the samba system's DNS name on the general 
tab is now listed as localhost.localdomain,

and the operating system is still listed as Samba 3.0.22.
(In the DNS mmc, the DNS records are correct.)




Did you rejoin the domain ?  If so, looks like you have
a broken  /etc/hosts file in the Samba box.  Fix your hostname.

We don't set the Operating system attribute any more.
Just delete that.
  


   I did not rejoin the domain.  I checked, and both hosts and 
hostname files are correct.  I now understand that this is the current 
default behavior.


 


3. Old shares are accessible, newly created ones are not.




Not enough detail here.
  



   Sorry for the lack of clarity and detail.

   A share with 'valid users = DOMAIN+%S' works as before.
   A new share with 'valid users = @DOMAIN+Domain Users, 
DOMAIN+dale' fails where it previously worked.  A username/password 
dialog opens and refuses all credentials.  This particular valid 
user directive worked seamlessly in 3.0.22.
net groupmap list only retrieves the two BUILTIN groups (administrator 
and user), so it appears that it no longer finds all the Windows 
domain groups.  The release notes said default group mapping changes 
affected only tdbsam and smbpasswd backends.  Is this correct?  If so, 
perhaps I do need to rejoin the domain.


Thank you for the reply,
Dale




--

Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
London, United Kingdom, EC1V 0HL

Phone:  +44(20)76907075
Mobile: +44(7980)639379
Email:  [EMAIL PROTECTED]





Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-19 Thread Dale Schroeder

Howard,

I had already set the 1st two from day 1.  Unfortunately, adding the 
last directive had no effect either.


Thanks anyway,
Dale



Howard Wilkinson wrote:

You need to set

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = no

[ not certain about the last but it worked for me ]

Howard.



Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-19 Thread Gerald (Jerry) Carter

Dale,

 *1.* getent passwd no longer lists machine accounts.

 Only machines?  Or no domain users at all?  Please read
 the release notes.  'winbind enum users' was disabled by
 default in 3.0.23.

 Domain users are listed, machines are not. 
 'winbind enum users = Yes' is and has been set, 
 as has 'winbind enum groups = Yes'.

Hmm... That makes no sense to me.  Maybe we filtered
them from the getpwent() output.  As long as a 'getent passwd
machine' works you should be fine.  For example,

# getent passwd color\\suse10$
COLOR\suse10$:*:10004:10004:suse10:/home/COLOR/suse10_:/bin/bash


 *2.* On the Win2K pdc, the samba system's DNS name on the general
 tab is now listed as localhost.localdomain,
 and the operating system is still listed as Samba 3.0.22.
 (In the DNS mmc, the DNS records are correct.)
 
 Did you rejoin the domain ?  If so, looks like you have
 a broken  /etc/hosts file ni the Samba box.  Fix you hostname.

 We don't set the Operating system attribute any more.
 Just delete that.
   
 I did not rejoin the domain.  I checked, and both hosts 
 and hostname files are correct.  I now understand that this
 is the current default behavior.

Do you mean the dNSHostName attribute on the machine's
account localhost.localdomain?  Could you send me a screen
shot of exactly what you are referring to?  Thanks.

 *3.* Old shares are accessible, newly created ones are not.
 
 Sorry for the lack of clarity and detail.
 
 A share with 'valid users =  DOMAIN+%S' works as before.
 A new share with 'valid users = @DOMAIN+Domain Users, 
 DOMAIN+dale' fails where it previously worked.
 A username/password dialog opens and refuses all
 credentials.  This particular valid user directive
 worked seamlessly in 3.0.22.

There have been some issues with 'valid users' in 3.0.23
description doesn't appear to match the bug reports
but you might want to test the SAMBA_3_0_23 svn branch
to make sure that you aren't just hitting a bug here.

 net groupmap list only retrieves the two BUILTIN
 groups (administrator and user), so it appears that
 it no longer finds all the Windows domain groups.
 The release notes said default group mapping changes
 affected only tdbsam and smbpasswd backends.  Is
 this correct?  If so, perhaps I do need to rejoin
 the domain.

This is correct behavior.  net groupmap lists local
mappings and has nothing to do with domain groups
managed by Winbind.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Security = ADS and 3.0.23 Upgrade

2006-07-19 Thread Gerald (Jerry) Carter

(added the list back to CC)

Dale Schroeder wrote:

 I've attached the screenshots, but I think my
 confusion was expecting the pdc to display the FQDN
 from its DNS records for the samba system,
 not the hosts file on the samba system.

I will almost guarantee that you have host a
broken /etc/hosts  on you Samba box.  The machine's
hostname should not be listed in the 127.0.0.1 line.
This will also break Krb5 authentication.

Fix this on the Unix box and rejoin the domain.
Should be fine.

 This is correct behavior.  net groupmap lists local
 mappings and has nothing to do with domain groups
 managed by Winbind.

 The reason I questioned this at all is because the
 following is my 'net groupmap list' output on a 3.0.22
 system showing all the standard domain groups listed
 on the pdc:

 System Operators (S-1-5-32-549) -> -1
...
 Here is the output on the 3.0.23 system:

 Administrators (S-1-5-32-544) -> BUILTIN+administrators
 Users (S-1-5-32-545) -> BUILTIN+users

This is correct output.  A -1 gid entry was the indication
of an unmapped SID so we just cleaned them out.  The local
Administrators and Users groups are used for authorization
purposes.  For example,

$ net sam listmem Administrators
BUILTIN\Administrators has 3 members
 COLOR\Centeris Admins
 SUSE10\root
 COLOR\Domain Admins

Then we can simply check internally for membership
in Administrators to do things like manage services
or grant privileges.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
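
The /etc/hosts mistake Jerry describes above (the machine's own hostname on the 127.0.0.1 line, which makes the join register the wrong DNS name and breaks Kerberos) is easy to test for before running `net ads join`. The script below is an added example, not Samba's code and not from anyone in this thread. It parses /etc/hosts-style text and reports the hostname or FQDN on any loopback line; it also goes one step beyond Jerry's point and reports when the FQDN has no non-loopback entry or is not the first (canonical) name on its line, the layout the Samba wiki recommends for domain members. The two hosts files are constructed for the example, and `fileserver`, `fileserver.example.com` and 192.0.2.10 are assumed names and addresses.

```python
"""Check an /etc/hosts file for the layout that breaks an AD join: the
machine's own hostname on the 127.0.0.1 (or ::1) line.

Added example, not Samba code and not from anyone in this thread; the two
hosts files and the names in them are constructed for the example.
"""
import ipaddress

HOSTNAME = "fileserver"                   # assumed short hostname
FQDN = "fileserver.example.com"           # assumed FQDN registered in AD DNS

# Broken layout: the box's own names sit on the loopback line, so they resolve
# to 127.0.0.1 and the domain join records the wrong DNS name.
BAD_HOSTS = """\
127.0.0.1   localhost.localdomain localhost fileserver.example.com fileserver
::1         localhost6.localdomain6 localhost6
"""

# Correct layout: loopback lines carry only localhost names; the host's real
# address lists the FQDN first (canonical name), then the short name.
GOOD_HOSTS = """\
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
192.0.2.10  fileserver.example.com fileserver
"""


def parse_hosts(text):
    """Yield (address, [names]) for each entry, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        yield address, names


def check_hosts(text, hostname=HOSTNAME, fqdn=FQDN):
    """Return a list of problems; an empty list means the file looks sane."""
    wanted = {hostname.lower(), fqdn.lower()}
    problems = []
    real_entries = []
    for address, names in parse_hosts(text):
        lower = [n.lower() for n in names]
        try:
            loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:
            problems.append(f"unparseable address {address!r}")
            continue
        hits = wanted & set(lower)
        if loopback and hits:
            # Jerry's case: our own name on a loopback line.
            problems.append(f"{sorted(hits)} listed on loopback line {address}")
        elif hits:
            real_entries.append((address, lower))
    if not real_entries:
        problems.append(f"no non-loopback entry for {fqdn}")
    for address, lower in real_entries:
        # The FQDN should be the canonical (first) name on its line.
        if lower[0] != fqdn.lower():
            problems.append(
                f"{address}: canonical name is {lower[0]!r}, expected {fqdn!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("bad", BAD_HOSTS), ("good", GOOD_HOSTS)):
        print(label, check_hosts(text) or "OK")
```

To run it against a real box, read `/etc/hosts` and pass the output of `hostname` and `hostname -f`; if it reports anything, fix the file and rejoin the domain as Jerry says, since the join already recorded the bad name.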


[Samba] security = ads or domain

2005-03-08 Thread ankush grover
hey friends,

I have 2 problems in samba I am narrating my problems below:

a)  I have configured samba with security =ads in FC3 workstation and
my domain controller is windows 2003  ,the samba is working fine with
the configured options.As my domain consists of windows ,linux and
unix clients  and few of the users uses windows as well as Linux or
Unix each user having its different machines.

Now i want the users which uses both Linux/Unix and windows should be
able to see their home directories and other folders through
windows.Just like a normal  configured samba as File server and users
frm the network neighbourhood can see their home directories and other
folders.

Is it possible if the security = ads is setup and if then a user wants
to see his/her home directories and other folders from the windows.I
have created a directory for my domain in home folder and if any users
who is first time logging its directory is created under
/home/mydomain/user.

If it is possible then please let me know.


b)  I have setup the linux box (FC3) with samba with security = domain and
password server = s1.sun.com(internal).The domain controller is
Windows 2003 and my system is FC3 server.

I have created one folder in which i have created some
directories.There are different types of users in  my company some in
development, some in administration , som e in top management.I have
created some folders in which users can put their data to share among
their colleagues or team.

What happens is that when somebody clicks on samba server all the
folders which i have explicitly mentioned in the smb.conf are shown
.Whereas what i want is that only those folders should come when the
user access the samba server on which he has the right to access it.

Suppose james is a user having access rights on folders cpms, manager.
Now when he clicks on the samba server he sees his home directory
where he can put his data, a cpms folder which is shared among the
other development team members(have set it with suid) and manager(have
set it this also with suid) and all other folders (specified in
smb.conf) on which he does not have the rights.He can't access those
folders  in which he don't have the rights but i don't want to show
the james those folders on which he does not have any kind of right.

Ideally is should be when james accesses the samba server he should
see his home directory,his cpms and manager folder nothing else.So
that he should know that he can access and only have access to these
folders.

I tried with the %u variable but this variable works for only primary
group not for secondary group.I hope that many of u have faced the
same problem.

Please anyone of you can give me solution.


Thanks in advance .

Regards

Ankush


[Samba] 'security = ads' 'valid users ='

2005-01-25 Thread Ryan Frantz
I will be upgrading my Samba server from 2.2.8a to 3.0.10.  I currently
have security set to 'share' and plan on migrating to 'ads' for improved
authentication.  I have one snag, though...

I have remote users who reside in and are managed by a Windows domain
that is not in my control.  There is no trust relationship at all.  If I
use 'ads' security, can I add a 'valid users' line for shares they need
to access?  So that when they fail domain authentication, Samba would
check against UNIX accounts I set up specifically for those (2) users...

Example smb.conf:

[global]
  security = ads

[share1]
  comment = share for local users
  path = /some/path/share1
  ...

[share2]
  comment = share for remote users
  path = /some/path/share2
  valid users = fred,barney
  ...

ry


RE: [Samba] 'security = ads' 'valid users ='

2005-01-25 Thread Kaplan, Marc
I think as long as the passwords are the same, your approach of creating
the domain users you need as local users will work.

-Marc

 -Original Message-
 From: Ryan Frantz [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 25, 2005 11:04 AM
 To: samba@lists.samba.org
 Subject: [Samba] 'security = ads'  'valid users ='
 
 I will be upgrading my Samba server from 2.2.8a to 3.0.10.  I
currently
 have security set to 'share' and plan on migrating to 'ads' for
improved
 authentication.  I have one snag, though...
 
 I have remote users who reside in and are managed by a Windows domain
 that is not in my control.  There is no trust relationship at all.  If
I
 use 'ads' security, can I add a 'valid users' line for shares they
need
 to access?  So that when they fail domain authentication, Samba would
 check against UNIX accounts I set up specifically for those (2)
users...
 
 Example smb.conf:
 
 [global]
   security = ads
 
 [share1]
   comment = share for local users
   path = /some/path/share1
   ...
 
 [share2]
   comment = share for remote users
   path = /some/path/share2
   valid users = fred,barney
   ...
 
 ry


RE: [Samba] 'security = ads' 'valid users ='

2005-01-25 Thread Ryan Frantz
Would it be feasible to use the options 'guest account' and 'guest ok'
for shares along with ADS security?

Or is additional configuration even necessary?  When domain
authentication fails, Samba will prompt the user for a username/password
combination
(http://www.samba.org/samba/docs/man/smb.conf.5.html#VALIDATIONSECT),
correct?  The user can then enter credentials I have given them that
will match UNIX accounts I will create for them.

ry

-Original Message-
From: Kaplan, Marc [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 25, 2005 2:19 PM
To: Ryan Frantz; samba@lists.samba.org
Subject: RE: [Samba] 'security = ads'  'valid users ='

I think as long as the passwords are the same, your approach of creating
the domain users you need as local users will work.

-Marc

 -Original Message-
 From: Ryan Frantz [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 25, 2005 11:04 AM
 To: samba@lists.samba.org
 Subject: [Samba] 'security = ads'  'valid users ='
 
 I will be upgrading my Samba server from 2.2.8a to 3.0.10.  I
currently
 have security set to 'share' and plan on migrating to 'ads' for
improved
 authentication.  I have one snag, though...
 
 I have remote users who reside in and are managed by a Windows domain
 that is not in my control.  There is no trust relationship at all.  If
I
 use 'ads' security, can I add a 'valid users' line for shares they
need
 to access?  So that when they fail domain authentication, Samba would
 check against UNIX accounts I set up specifically for those (2)
users...
 
 Example smb.conf:
 
 [global]
   security = ads
 
 [share1]
   comment = share for local users
   path = /some/path/share1
   ...
 
 [share2]
   comment = share for remote users
   path = /some/path/share2
   valid users = fred,barney
   ...
 
 ry


RE: [Samba] 'security = ads' 'valid users ='

2005-01-25 Thread Kaplan, Marc
If you're fine with users being prompted to enter their login
credentials, then yes the passwords can be different. If you want it to
be seamless, keep the passwords synced.

-Marc

 -Original Message-
 From: Ryan Frantz [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 25, 2005 11:28 AM
 To: samba@lists.samba.org
 Subject: RE: [Samba] 'security = ads'  'valid users ='
 
 Would it be feasible to use the options 'guest account' and 'guest ok'
 for shares along with ADS security?
 
 Or is additional configuration even necessary?  When domain
 authentication fails, Samba will prompt the user for a
username/password
 combination
 (http://www.samba.org/samba/docs/man/smb.conf.5.html#VALIDATIONSECT),
 correct?  The user can then enter credentials I have given them that
 will match UNIX accounts I will create for them.
 
 ry
 
 -Original Message-
 From: Kaplan, Marc [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 25, 2005 2:19 PM
 To: Ryan Frantz; samba@lists.samba.org
 Subject: RE: [Samba] 'security = ads'  'valid users ='
 
 I think as long as the passwords are the same, your approach of
creating
 the domain users you need as local users will work.
 
   -Marc
 
  -Original Message-
  From: Ryan Frantz [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, January 25, 2005 11:04 AM
  To: samba@lists.samba.org
  Subject: [Samba] 'security = ads'  'valid users ='
 
  I will be upgrading my Samba server from 2.2.8a to 3.0.10.  I
 currently
  have security set to 'share' and plan on migrating to 'ads' for
 improved
  authentication.  I have one snag, though...
 
  I have remote users who reside in and are managed by a Windows
domain
  that is not in my control.  There is no trust relationship at all.
If
 I
  use 'ads' security, can I add a 'valid users' line for shares they
 need
  to access?  So that when they fail domain authentication, Samba
would
  check against UNIX accounts I set up specifically for those (2)
 users...
 
  Example smb.conf:
 
  [global]
security = ads
 
  [share1]
comment = share for local users
path = /some/path/share1
...
 
  [share2]
comment = share for remote users
path = /some/path/share2
valid users = fred,barney
...
 
  ry


RE: [Samba] 'security = ads' 'valid users ='

2005-01-25 Thread Ryan Frantz
I don't mind the users being prompted; there are only two of them.  This
is a real pain because they're accessing my site through a dedicated
line and they reside in their own domain...

-Original Message-
From: Kaplan, Marc [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 25, 2005 2:35 PM
To: Ryan Frantz; samba@lists.samba.org
Subject: RE: [Samba] 'security = ads'  'valid users ='

If you're fine with users being prompted to enter their login
credentials, then yes the passwords can be different. If you want it to
be seamless, keep the passwords synced.

-Marc

 -Original Message-
 From: Ryan Frantz [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 25, 2005 11:28 AM
 To: samba@lists.samba.org
 Subject: RE: [Samba] 'security = ads'  'valid users ='
 
 Would it be feasible to use the options 'guest account' and 'guest ok'
 for shares along with ADS security?
 
 Or is additional configuration even necessary?  When domain
 authentication fails, Samba will prompt the user for a
username/password
 combination
 (http://www.samba.org/samba/docs/man/smb.conf.5.html#VALIDATIONSECT),
 correct?  The user can then enter credentials I have given them that
 will match UNIX accounts I will create for them.
 
 ry
 
 -Original Message-
 From: Kaplan, Marc [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 25, 2005 2:19 PM
 To: Ryan Frantz; samba@lists.samba.org
 Subject: RE: [Samba] 'security = ads'  'valid users ='
 
 I think as long as the passwords are the same, your approach of
creating
 the domain users you need as local users will work.
 
   -Marc
 
  -Original Message-
  From: Ryan Frantz [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, January 25, 2005 11:04 AM
  To: samba@lists.samba.org
  Subject: [Samba] 'security = ads'  'valid users ='
 
  I will be upgrading my Samba server from 2.2.8a to 3.0.10.  I
 currently
  have security set to 'share' and plan on migrating to 'ads' for
 improved
  authentication.  I have one snag, though...
 
  I have remote users who reside in and are managed by a Windows
domain
  that is not in my control.  There is no trust relationship at all.
If
 I
  use 'ads' security, can I add a 'valid users' line for shares they
 need
  to access?  So that when they fail domain authentication, Samba
would
  check against UNIX accounts I set up specifically for those (2)
 users...
 
  Example smb.conf:
 
  [global]
security = ads
 
  [share1]
comment = share for local users
path = /some/path/share1
...
 
  [share2]
comment = share for remote users
path = /some/path/share2
valid users = fred,barney
...
 
  ry


RE: [Samba] security = ADS with libkrb53.

2004-08-02 Thread Wolfgang Wagner
Hello Mat,

First, I compiled and installed the binaries version 1.3.3 myself
on my Debian Woody without any problems, and then Samba worked fine.

But before you upgrade to Debian sarge, you should uninstall these
libraries, because it was a little bit difficult to solve all my problems
after the dist-upgrade to sarge. Now Samba runs fine on sarge on a server
in a production environment.


 From: Mat Allgood [mailto:[EMAIL PROTECTED] 
 
 
 I've been trying to get samba to integrate with a Win2000 ADS, with
 very limited success.. but from recent postings I think I have found
 my problem.  I am only using libkrb 1.2.4.  I know I need 1.3.3, but
 don't particularly want to compile from source.  I'm running a Debian
 Stable machine, so was wondering if anyone knows of where I can get a
 backport to woody of the newest Kerberos packages.  I've tried the
 normal places and even a few not so normal.
 Anyone?

 TIA..
 Mat Allgood

With kind regards


Wolfgang Wagner
--
System administration
Riwa GmbH, Zwingerstraße 1, 87435 Kempten, +49-831-52 29 63-537
eMail:[EMAIL PROTECTED]




[Samba] security = ADS with libkrb53.

2004-07-30 Thread Mat Allgood
I've been trying to get samba to integrate with a Win2000 ADS, with
very limited success.. but from recent postings I think I have found
my problem.  I am only using libkrb 1.2.4.  I know I need 1.3.3, but
don't particularly want to compile from source.  I'm running a Debian
Stable machine, so was wondering if anyone knows of where I can get a
backport to woody of the newest Kerberos packages.  I've tried the
normal places and even a few not so normal.
Anyone?

TIA..
Mat Allgood


Re: [Samba] security = ADS

2004-07-23 Thread Rashaad S. Hyndman
Here are my conf files

--smb.conf--
#=== Global Settings ===

[global]
   netbios name = smbserver_name
   realm = MYREALM.NET
   workgroup = mydomain
   server string = %h server (Samba %v)
   password server = addc01.MYREALM.NET
   security = ADS
   wins support = yes
   include = /etc/samba/dhcp.conf
   dns proxy = no
   name resolve order = lmhosts host wins bcast

### Debugging/Accounting ###
   log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

### Authentication ###
   encrypt passwords = yes
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   guest account = guest
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

#=== Share Definitions ===

[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   preserve case = yes
   short preserve case = yes

[public]
   comment = Software and tool downloads
   browseable = yes
   path = /usr/share/public
   writable = no
   public = yes
   create mask = 0700
   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

===

--krb5.conf--

==

[logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log

[libdefaults]
 default_realm = MYREALM.NET

# Section names are [realms] and [domain_realm]; a misspelled section
# is simply not consulted by the Kerberos libraries.
[realms]
 MYREALM.NET = {
  kdc = addc01.MYREALM.NET
 }

[domain_realm]
# Maps DNS names to the realm; the usual entries cover the whole DNS domain,
# e.g. ".myrealm.net = MYREALM.NET" and "myrealm.net = MYREALM.NET".
 .addc01.myrealm.net = MYREALM.NET

==



These are the only files that I have edited to get to this point.  I really
appreciate your help.





  - Original Message - 
  From: Tom Skeren 
  To: Rashaad S. Hyndman 
  Sent: Thursday, July 22, 2004 7:25 PM
  Subject: Re: [Samba] security = ADS


  Rashaad S. Hyndman wrote:

That seems to be an interesting concept but does work in this case for some
reason.  Here is what I did:


C:\Documents and Settings\rshyndman>net use * \\10.55.222.82\public\
System error 67 has occurred.

The network name cannot be found.

Try right clicking on My Computer and use map-network-drive function.


C:\Documents and Settings\rshyndman>ping 10.55.222.82

Pinging 10.55.222.82 with 32 bytes of data:

Reply from 10.55.222.82: bytes=32 time<10ms TTL=64
Reply from 10.55.222.82: bytes=32 time<10ms TTL=64

Interesting thing here is that it says name not found but I can ping both by
name and ip. You think mapping name to ip in the hosts file will help?  Hmmm
:-(

- Original Message - 
From: Tom Skeren [EMAIL PROTECTED]
To: Rashaad S. Hyndman [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 4:07 PM
Subject: Re: [Samba] security = ADS


  Yes I've seen this behavior a LOT.  I've replied to it.  For some
reason, the Samba when joined to ads needs to be contacted for shares by IP
addy.  The XP shares then authenticate properly.

Try \\ipaddy-samba-server\share-name.  If you connect, do a netstat -an
on the samba server.  You'll see the XP box connected to port 445.  I
suspect that in an ads environment, the XP boxes default to connecting
to shares on 445.  I suspect smbd, or nmbd are mishandling this when
netbios names are used.

Rashaad S. Hyndman wrote:

Hi all,

I've been fighting with joining my samba server (debian) to my active
  directory domain for 4 days now.  The problem here is that users in my
active directory domain on windows machines are not able to browse my samba
shares without being prompted for authentication.
  I can:
  - Join the domain from samba server using net ads
  - View list of tickets when browsing window shares with klist
  - list window shares without being prompted with smbclient -k -L
  windows_servername
  I can NOT:
  - use net use * \\smb_servername\share from window based machine.
  (this results in The password or user name is invalid for
  \\delshare\public (delshare being my samba server name)
  I have no clue what to do from here. I've looked over my smb.conf file 20
  times likewise my krb5.conf file
  Any suggestions would be greatly appreciated. I've run out of tests.

R.


  


  


Re: [Samba] security = ADS - IT WORKS!!!!!!!!!

2004-07-23 Thread Rashaad S. Hyndman
sorry about that last email that did not contain the resource i used. I
think it was because i copied the contents of a website which could have
been considered advertisement because of some of images.  In either case
enjoy:

http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory


- Original Message - 
From: Rashaad S. Hyndman [EMAIL PROTECTED]
To: Rashaad S. Hyndman [EMAIL PROTECTED]; Tom Skeren
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 2:18 PM
Subject: Re: [Samba] security = ADS - IT WORKS!


 Hallelujah! It works. With all the documentation I've read including
 the official samba-3 howto for setting up ADS none of them mentioned what
 happened to be the most critical piece of information, winbind!  Now I've
 seen a couple of posts that mentioned this daemon but it was not included in the
 official howto's so I skipped over it.  In either case I've included the
 article that I used to get my samba ADS implementation working.  If you have
 followed other howto's you have probably got 99% of the work done.  If you
 happen to have more questions please feel free to email me and I'll dictate
 exactly what I have in my environment.

 Thanks for your input,
 R.






 Howto Samba 3 And Active Directory
 G o o g l e users: We have detected that you were searching for howto
samba
 ads.

 The Waikato Linux Users Group hope that this page answers your questions,
 but, if it doesn't, we politely request that if/when you find the answer
to
 your question you contribute your information back into this Wiki (via the
 Edit button at the bottom of the page) so that others can also find this
 information easier.

 We also suggest that if this page doesn't answer your question, try
 Searching the wiki, or, to find pages similar to this one, try or .

   What's this? It's a near-copy of ActiveDirectorySamba, but not
linked
 from anywhere and with a lot of stuff deleted? Please don't
 DisagreeByDeleting. Can someone who has Samba3 experience shed light on
the
 changes between this page and the other? --AristotlePagaltzis

   ActiveDirectorySamba is a correct howto for setting up Samba 3 with
 ActiveDirectory. So it's basically a copy paste from there to here and
 delete the other. -- GerwinVanDeSteeg


 --

   This simple guide is a mostly accurate way to set up a Samba machine
 as a DomainMember in a Windows 2000 or Windows 2003 ActiveDirectory
Domain.

   The following setup is used:

 192.168.0.1   test1.thinclient.test.org  (the AD server, hereafter
 known as the server)

 192.168.0.209 mail.thinclient.test.org   (samba3 machine)

   The Samba system is based upon a stock standard RedHat 9 system with
 the samba software upgraded to Samba3 (using RPM)

   The following steps are needed to get the system functioning:

 1. configure name resolution using either dns or a hosts file
 2. configure samba and winbindd
 3. configure kerberos
 4. testing the kerberos configuration
 5. good luck
   Configure name resolution
   ActiveDirectory relies HEAVILY on DNS to resolve not only host names
 but services they provide as well. To set up DNS on the linux box, see the
 DNSHowTo, otherwise consult necessary Windows documentation on setting up
 forward AND reverse DNS zones.

   As a temporary solution, you can use hosts based authentication,
 this is ugly and hacky, and should be avoided at all costs. -- 
JamesSpooner

   The first step is to configure name resolution for our systems. The
 kerberos authentication system, which we will configure later on, requires
 us to be able to do a reverse lookup on an IP address to get a fully
 qualified domain name (FQDN). There are two ways to do this, the cheap and
 nasty method is to use a hosts file on both systems, which will have
entries
 similar to the following.

   Samba machine
   /etc/hosts

 127.0.0.1       mail    mail.thinclient.test.org    localhost.localdomain   localhost

 192.168.0.1     test1   test1.thinclient.test.org

 192.168.0.209   mail    mail.thinclient.test.org

   Surely it would be better to put the FQDN first, and not alias
 localhost to a name other than localhost? -- PerryLorier

   Windows Active Directory server
   %Systemroot%\System32\drivers\etc\hosts[1]

 127.0.0.1       test1   test1.thinclient.test.org   localhost.localdomain   localhost

 192.168.0.1     test1   test1.thinclient.test.org

 192.168.0.209   mail    mail.thinclient.test.org

   The correct method is to setup DNS on the server which can be done
 through the DNS console in the AdministrativeTools section of Windows
 2000/2003 Server. We won't go into the details of setting this up here,
but
 we will specify the linux side of that here.

   /etc/resolv.conf

 search  thinclient.test.org

Re: [Samba] security = ADS - IT WORKS!!!!!!!!!

2004-07-23 Thread John H Terpstra
Rashaad,

While all this is fresh in your mind, and you are still an expert, would you 
please send me patches for the Samba-HOWTO-Collection and for Samba-Guide so 
that we can update the documentation.

By fixing the documentation others may avoid the pain you went through.

- John T.

On Friday 23 July 2004 12:40, Rashaad S. Hyndman wrote:
 sorry about that last email that did not contain the resource i used. I
 think it was because i copied the contents of a website which could have
 been considered advertisement because of some of images.  In either case
 enjoy:

 http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory


 - Original Message -
 From: Rashaad S. Hyndman [EMAIL PROTECTED]
 To: Rashaad S. Hyndman [EMAIL PROTECTED]; Tom Skeren
 [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Friday, July 23, 2004 2:18 PM
 Subject: Re: [Samba] security = ADS - IT WORKS!

  Hallelujah! It works. With all the documentation I've read

 including

  the official samba-3 howto for setting up ADS none of them mentioned what
  happened to be the most critical piece of information, winbind!  Now I've
  seen a couple post that mentioned this daemon but it was not included in

 the

  official howto's so I skipped over it.  In either case I've included the
  article that I used to get my samba ADS implementation working.  If you

 have

  followed other howto's you have probably got 99% of the work done.  If
  you happen to have more questions please feel free to email me and I'll

 dictate

  exactly what I have in my environment.
 
  Thanks for your input,
  R.
 
 
 
 
 
 

Re: [Samba] security = ADS - IT WORKS!!!!!!!!!

2004-07-23 Thread Rashaad S. Hyndman
For sure. I'll do that on the weekend!


- Original Message - 
From: John H Terpstra [EMAIL PROTECTED]
To: Rashaad S. Hyndman [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 3:05 PM
Subject: Re: [Samba] security = ADS - IT WORKS!


 Rashaad,

 While all this is fresh in your mind, and you are still an expert, would
you
 please send me patches for the Samba-HOWTO-Collection and for Samba-Guide
so
 that we can update the documentation.

 By fixing the documentation others may avoid the pain you went through.

 - John T.

 On Friday 23 July 2004 12:40, Rashaad S. Hyndman wrote:
  sorry about that last email that did not contain the resource i used. I
  think it was because i copied the contents of a website which could have
  been considered advertisement because of some of images.  In either case
  enjoy:
 
  http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory
 
 
  - Original Message -
  From: Rashaad S. Hyndman [EMAIL PROTECTED]
  To: Rashaad S. Hyndman [EMAIL PROTECTED]; Tom Skeren
  [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]
  Sent: Friday, July 23, 2004 2:18 PM
  Subject: Re: [Samba] security = ADS - IT WORKS!
 
   Hallelujah! It works. With all the documentation I've read
 
  including
 
   the official samba-3 howto for setting up ADS none of them mentioned
what
   happened to be the most critical piece of information, winbind!  Now
I've
   seen a couple post that mentioned this daemon but it was not included
in
 
  the
 
   official howto's so I skipped over it.  In either case I've included
the
   article that I used to get my samba ADS implementation working.  If
you
 
  have
 
   followed other howto's you have probably got 99% of the work done.  If
   you happen to have more questions please feel free to email me and
I'll
 
  dictate
 
   exactly what I have in my environment.
  
   Thanks for your input,
   R.
  
  
  
  
  
  

[Samba] security = ADS

2004-07-22 Thread Rashaad S. Hyndman
Hi all,

I've been fighting with joining my samba server (debian) to my active directory domain 
for 4 days now.  The problem here is that users in my active directory domain on 
windows machines are not able to browse my samba shares without being prompted for 
authentication. 

I can:
- Join the domain from samba server using net ads
- View list of tickets when browsing window shares with klist
- list window shares without being prompted with smbclient -k -L windows_servername

I can NOT:
- use net use * \\smb_servername\share from window based machine.
(this results in The password or user name is invalid for \\delshare\public 
(delshare being my samba server name)

I have no clue what to do from here. I've looked over my smb.conf file 20 times 
likewise my krb5.conf file

Any suggestions would be greatly appreciated. I've run out of tests.

R.


Re: [Samba] security = ADS

2004-07-22 Thread Tom Skeren
Yes I've seen this behavior a LOT.  I've replied to it.  For some 
reason, the Samba when joined to ads needs to be contacted for shares by IP 
addy.  The XP shares then authenticate properly.

Try \\ipaddy-samba-server\share-name.  If you connect, do a netstat -an 
on the samba server.  You'll see the XP box connected to port 445.  I 
suspect that in an ads environment, the XP boxes default to connecting 
to shares on 445.  I suspect smbd, or nmbd are mishandling this when 
netbios names are used.

Rashaad S. Hyndman wrote:
Hi all,
I've been fighting with joining my samba server (debian) to my active directory domain for 4 days now.  The problem here is that users in my active directory domain on windows machines are not able to browse my samba shares without being prompted for authentication. 

I can:
- Join the domain from samba server using net ads
- View list of tickets when browsing window shares with klist
- list window shares without being prompted with smbclient -k -L windows_servername
I can NOT:
- use net use * \\smb_servername\share from window based machine.
(this results in The password or user name is invalid for \\delshare\public 
(delshare being my samba server name)
I have no clue what to do from here. I've looked over my smb.conf file 20 times 
likewise my krb5.conf file
Any suggestions would be greatly appreciated. I've run out of tests.
R.
 




Re: [Samba] security = ADS

2004-07-22 Thread John H Terpstra
On Thursday 22 July 2004 14:07, Tom Skeren wrote:
 Yes I've seen this behavior a LOT.  I've replied to it.  For some
 reason, the Samba when joined to ads needs to be contacted for shares by IP
 addy.  The XP shares then authenticate properly.

No way, your ADS server is answering on port 445 - the port for netbios-less 
SMB.


 Try \\ipaddy-samba-server\share-name.  If you connect, do a netstat -an
 on the samba server.  You'll see the XP box connected to port 445.  I
 suspect that in an ads environment, the XP boxes default to connecting
 to shares on 445.  I suspect smbd, or nmbd are mishandling this when
 netbios names are used.

Nope. To avoid this, in your smb.conf [globals] set:
smb port = 139

- John T.


 Rashaad S. Hyndman wrote:
 Hi all,
 
 I've been fighting with joining my samba server (debian) to my active
  directory domain for 4 days now.  The problem here is that users in my
  active directory domain on windows machines are not able to browse my
  samba shares without being prompted for authentication.
 
 I can:
 - Join the domain from samba server using net ads
 - View list of tickets when browsing window shares with klist
 - list window shares without being prompted with smbclient -k -L
  windows_servername
 
 I can NOT:
 - use net use * \\smb_servername\share from window based machine.
 (this resultes in The password or user name is invalid for
  \\delshare\public (delshare being my samba server name)
 
 I have no clue what to do from here. I've looked over my smb.conf file 20
  times likewise my krb5.conf file
 
 Any suggestions would be greatly appreciated. I've arn out of tests.
 
 R.

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO  Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.


Re: [Samba] security = ADS

2004-07-22 Thread Tom Skeren
John H Terpstra wrote:
 On Thursday 22 July 2004 14:07, Tom Skeren wrote:
  Yes I've seen this behavior a LOT.  I've replied to it.  For some
  reason, the Samba when joined to ads needs to be contacted for shares by IP
  addy.  The XP shares then authenticate properly.

 No way, your ADS server is answering on port 445 - the port for netbios-less
 SMB.

  Try \\ipaddy-samba-server\share-name.  If you connect, do a netstat -an
  on the samba server.  You'll see the XP box connected to port 445.  I
  suspect that in an ads environment, the XP boxes default to connecting
  to shares on 445.  I suspect smbd, or nmbd are mishandling this when
  netbios names are used.

 Nope. To avoid this, in your smb.conf [globals] set:
 smb port = 139

Doesn't work as the XP box is the source of the problem.  In the
following, all the port 445 requests are from XP boxes.  1/3 of them are
part of an ads domain.  All the XP boxes try 445 first.  However the ADS
joined machines always fail to connect, unless 445 is available.

PRiSM# netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address  Foreign Address(state)
tcp4   0 48  x.199.7.138.22y.174.106.82.49787ESTABLISHED
tcp4   0  0  x.199.7.138.445   z.120.237.222.1434ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.1081 ESTABLISHED
tcp4   0  0  x.199.7.138.139   y.174.106.82.1027 ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.2720 ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.4095 ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.1818 ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.1906 ESTABLISHED
tcp4   0  0  x.199.7.138.139   y.174.106.82.1433 ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.3v0 ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.3180 ESTABLISHED
tcp4   0  0  x.199.7.138.445   z.15.79.153.1027  ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.3834 ESTABLISHED
tcp4   0  0  x.199.7.138.445   y.174.106.82.1913 ESTABLISHED
tcp4   0  0  x.199.7.138.445   z.120.237.222.1035ESTABLISHED
tcp4   0  0  x.199.7.138.445   z.15.79.153.4435  ESTABLISHED
tcp4   0  0  x.199.7.138.139   y.174.106.82.11x ESTABLISHED
tcp4   0  0  x.199.7.138.445   z.15.79.153.1030  ESTABLISHED
tcp4   0  0  x.199.7.138.445   z.15.79.153.3165  ESTABLISHED
tcp4   0  0  x.199.7.138.445   z.15.79.153.2037  ESTABLISHED
tcp4   0  0  192.1w.y.1.22192.1w.y.2.1876  ESTABLISHED
tcp4   0  0  192.1w.y.1.445   192.1w.y.2.1808  ESTABLISHED
tcp4   0  0  x.199.7.138.445   w.120.237.222.1070ESTABLISHED
tcp4   0  0  x.199.7.138.445   w.120.237.222.1039ESTABLISHED
tcp4   0  0  192.1w.y.1.49161 192.1w.0.1.139ESTABLISHED
tcp4   0  0  x.199.7.138.445   v.194.126.54.1050 ESTABLISHED
tcp4   0  0  x.199.7.138.445   w.120.237.222.1037ESTABLISHED
tcp4   0  0  x.199.7.138.445   v.194.126.54.42y ESTABLISHED
tcp4   0  0  x.199.7.138.445   v.194.126.54.2752 ESTABLISHED
tcp4   0  0  x.199.7.138.139   y.174.106.82.55888ESTABLISHED
tcp4   0  0  x.199.7.138.139   y.174.106.82.55887ESTABLISHED
tcp4   0  0  x.199.7.138.139   y.174.106.82.55886ESTABLISHED
tcp4   0  0  x.199.7.138.445   v.194.126.54.4272 ESTABLISHED
tcp4   0  0  x.199.7.138.445   v.194.126.54.2296 ESTABLISHED
tcp4   0  0  x.199.7.138.139   y.174.106.82.49760ESTABLISHED

- John T.
 



Re: [Samba] security = ADS

2004-07-22 Thread Rashaad S. Hyndman
That seems to be an interesting concept but does work in this case for some
reason.  Here is what I did:


C:\Documents and Settings\rshyndman>net use * \\10.55.222.82\public\
System error 67 has occurred.

The network name cannot be found.


C:\Documents and Settings\rshyndman>ping 10.55.222.82

Pinging 10.55.222.82 with 32 bytes of data:

Reply from 10.55.222.82: bytes=32 time<10ms TTL=64
Reply from 10.55.222.82: bytes=32 time<10ms TTL=64

Interesting thing here is that it says name not found but I can ping both by
name and IP. You think mapping name to IP in the hosts file will help?  Hmmm
:-(



RE: [Samba] security = ads: problem join XP Pro?

2004-06-15 Thread Etienne-Hugues Fortin
Hi Paul,

Finally, I got a new hard disk and reinstalled my XP workstation.  I'm now
able to join the domain correctly.  I've also been able to add my printer
driver on the PDC.  So, everything is working great now.

Here's my smb.conf for those who would like a working configuration of a PDC
with LDAP

smb.conf


[global]
workgroup = cyberspicace
netbios name = fs01
server string = fs01
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
wins support = yes

;PDC and master browser settings
os level = 64
preferred master = yes
local master = yes
domain master = yes
domain logons = yes

;security and logging settings
security = user
encrypt passwords = yes
unix password sync = yes
passdb backend = ldapsam:ldap://servername.domain
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445

;security - interface
interfaces = eth0 192.168.1.0/24 lo 127/8
bind interfaces only = yes

;services
name resolve order = wins bcast hosts
time server = yes
load printers = yes
printcap name = cups
printing = cups
show add printer wizard = yes

;various scripts
passwd program = /var/lib/samba/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:

;access
admin users = @Domain\ Admins
printer admin = root, @Domain\ Admins

;ldap backend
ldap suffix = dc=domainname,dc=com
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=Manager,dc=domainname,dc=com
map acl inherit = Yes

include = /etc/samba/shares.conf
-

Where shares.conf is having

[IPC$]
path = /tmp
hosts allow = 192.168.1.0/24, 127.0.0.1
hosts deny = 0.0.0.0/0

[homes]
comment = Home Directories
;valid users = %S
writable = yes
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
locking = no

[profiles]
comment = Profile Share
path = /home/samba/profiles
writable = yes
profile acls = yes
browseable = no
guest ok = yes

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = yes
public = yes
writable = no
printable = yes
use client driver = no
browseable = no

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = administrator, root
-

This is a really long config file but it's working.

Thank you for your help.  It has been really appreciated.


Etienne



Re: [Samba] security = ads: problem join XP Pro?

2004-06-10 Thread Etienne-Hugues Fortin
Hi Paul,

 Where are you getting with adding the machines?  You should get a posix
 user added with machinename$ for the uid, then that user will be
 modified to include the sambaSamAccount data.

That's what I got when I tried joining the domain while security was set
to domain.  However, I've not been able to retest this with security set
to user as you suggested.  My test workstation hard disk crashed
yesterday.  I'm expecting my replacement drive tomorrow so I should be
able to test this during the weekend.

 I would suggest these for 'official' resources:
 http://us2.samba.org/samba/docs/man/howto/samba-pdc.html
 and
 http://us2.samba.org/samba/docs/man/guide/

I'll have a look at those.  Until now, I've used Samba by Example and
that's where I got the security = ads which seems to be the cause of my
problem.

 there are a couple  of comments below:

Yes, the smbldap-tools are installed and working.  I've also set the
secret with smbpasswd -w.  As I said, the join worked after I tried
security = domain.  I'm pretty sure it will work as well with security =
user.  I just have to wait for my new hard disk...

I'll keep you posted as soon as I have tested it.

Have a nice day.


Etienne-Hugues



[Samba] security = ads: problem join XP Pro?

2004-06-09 Thread Etienne-Hugues Fortin
Hi,

I've configured Samba 3.0.4 with Openldap 2.1.22 to use my samba server as
a PDC.  At first, I had some problem with the user administrator.  I
then found the workaround a few days ago.  Now that this is fixed, I'm
trying to join an XP Pro workstation to my domain.  I've done multiple tests
and never succeeded.  I'm always getting XP Pro to complain about not
being able to find a domain and talking about a SRV entry in my DNS (which
is dynamic as required when using dhcp at the same time).

So, this morning, in a desperate attempt, I changed security = ads to
security = domain and retried joining the domain from XP Pro.  To my
surprise, it worked fine.  I've reread the documentation and it's still
saying that we should use security = domain when our server is acting as a
BDC, not a PDC.

I still have to do more tests tonight to see if everything is working but
right now, I'm more curious to understand why my samba server (which is
now acting as a BDC) is accepting a join request while it's not when it's
acting as a PDC.  Is that normal?  Should I keep my server in security =
domain mode?

Thank you.


Etienne-Hugues Fortin


Re: [Samba] security = ads: problem join XP Pro?

2004-06-09 Thread Tom Skeren
Does your DNS server have the following entries:
If not it won't work.
_ldap._tcp.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
_ldap._tcp.Default-First-Site-Name._sites.fsklaw.net. 600 IN SRV 0 100 389 
server.fsklaw.net.
_ldap._tcp.pdc._msdcs.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
_ldap._tcp.gc._msdcs.fsklaw.net. 600 IN SRV 0 100 3268 server.fsklaw.net.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.fsklaw.net. 600 IN SRV 0 100 3268 
server.fsklaw.net.
_ldap._tcp.dddc-59fe-434d-8cca-f00ca06b564d.domains._msdcs.fsklaw.net. 600 IN SRV 
0 100 389 server.fsklaw.net.
gc._msdcs.fsklaw.net. 600 IN A 192.168.62.1
42254cae-00e0-4814-a063-af2189b41e2b._msdcs.fsklaw.net. 600 IN CNAME server.fsklaw.net.
_kerberos._tcp.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 
88 server.fsklaw.net.
_ldap._tcp.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 389 
server.fsklaw.net.
_kerberos._tcp.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
_kerberos._tcp.Default-First-Site-Name._sites.fsklaw.net. 600 IN SRV 0 100 88 
server.fsklaw.net.
_gc._tcp.fsklaw.net. 600 IN SRV 0 100 3268 server.fsklaw.net.
_gc._tcp.Default-First-Site-Name._sites.fsklaw.net. 600 IN SRV 0 100 3268 
server.fsklaw.net.
_kerberos._udp.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
_kpasswd._tcp.fsklaw.net. 600 IN SRV 0 100 464 server.fsklaw.net.
_kpasswd._udp.fsklaw.net. 600 IN SRV 0 100 464 server.fsklaw.net.
fsklaw.net. 600 IN A 192.168.61.1
gc._msdcs.fsklaw.net. 600 IN A 192.168.61.1


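A check for the records Tom lists, as an added example that is not code from the thread or from Samba: it parses BIND-style SRV lines, rejoins lines the mail client wrapped, and reports which join-time lookups are missing, advertise the wrong port, or point at a host other than the domain controller. The required-name set, the port table and the sample zone are assumptions derived from the list above.

```python
"""Verify that a zone fragment carries the SRV records an AD-style join looks up.

Added example, not from the mailing list post or from Samba. The sample zone
is constructed from the record list posted above, wrapped lines included.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the fsklaw.net records as they appear in
# the post, with one record wrapped onto a second line by the mail client.
SAMPLE_ZONE = """\
_ldap._tcp.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
_ldap._tcp.Default-First-Site-Name._sites.fsklaw.net. 600 IN SRV 0 100 389
server.fsklaw.net.
_ldap._tcp.pdc._msdcs.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
_ldap._tcp.gc._msdcs.fsklaw.net. 600 IN SRV 0 100 3268 server.fsklaw.net.
_kerberos._tcp.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
_ldap._tcp.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
_kerberos._tcp.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
_gc._tcp.fsklaw.net. 600 IN SRV 0 100 3268 server.fsklaw.net.
_kerberos._udp.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
_kpasswd._tcp.fsklaw.net. 600 IN SRV 0 100 464 server.fsklaw.net.
_kpasswd._udp.fsklaw.net. 600 IN SRV 0 100 464 server.fsklaw.net.
fsklaw.net. 600 IN A 192.168.61.1
gc._msdcs.fsklaw.net. 600 IN A 192.168.61.1
"""

# Port each service label must advertise (assumption taken from the list):
# LDAP 389, Kerberos 88, kpasswd 464, Global Catalog 3268. A record with the
# right name but the wrong port fails the client as surely as a missing one.
SERVICE_PORTS = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}

# Owner names (relative to the domain) a joining client resolves; the
# per-site and GUID-based names from the post are not checked here.
REQUIRED = [
    "_ldap._tcp", "_ldap._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs",
    "_ldap._tcp.gc._msdcs", "_kerberos._tcp", "_kerberos._udp",
    "_kerberos._tcp.dc._msdcs", "_kpasswd._tcp", "_kpasswd._udp", "_gc._tcp",
]

SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def unwrap(text):
    """Rejoin records split across lines: every record carries ' IN ', a
    continuation line (e.g. a bare target name) does not."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " IN " in line:
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_srv(text, domain):
    """Map relative owner name -> [(port, target)] for SRV records under domain."""
    suffix = "." + domain.strip(".") + "."
    found = defaultdict(list)
    for rec in unwrap(text):
        m = SRV_RE.match(rec)
        if m and m.group("name").endswith(suffix):
            rel = m.group("name")[: -len(suffix)]
            found[rel].append((int(m.group("port")), m.group("target")))
    return found


def expected_port(rel):
    """GC lookups under gc._msdcs use 3268 even though the label is _ldap."""
    if ".gc._msdcs" in rel:
        return 3268
    return SERVICE_PORTS.get(rel.split(".")[0])


def check_zone(text, domain, dc_fqdn):
    """Return the problems a joining client would hit; [] means all lookups resolve."""
    found = parse_srv(text, domain)
    dc = dc_fqdn.strip(".").lower()
    problems = []
    for rel in REQUIRED:
        if rel not in found:
            problems.append(f"missing SRV record {rel}.{domain}")
            continue
        for port, target in found[rel]:
            want = expected_port(rel)
            if port != want:
                problems.append(f"{rel}: port {port}, expected {want}")
            if target.strip(".").lower() != dc:
                problems.append(f"{rel}: target {target} is not the DC {dc_fqdn}")
    return problems


if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE, "fsklaw.net", "server.fsklaw.net") or ["OK"]:
        print(p)
```

Feed it the output of a zone transfer or of `dig` for your own domain and DC name to see which of the lookups in Tom's list your server cannot answer.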

Re: [Samba] security = ads: problem join XP Pro?

2004-06-09 Thread Etienne-Hugues Fortin
 Does your DNS server have the following entries:
 If not it won't work.

It's the first time I'm seeing this list.  I know that XP Pro was asking
for something like _ldap._tcp.domainname but even googling on this
didn't help me get what you just sent.

I'll add this to my DNS.  Just to make sure everything is clear, I have to
replace the first fsklaw.net with my own domain and then, I'm replacing
the server.fsklaw.net with my fully qualified hostname for my samba server
acting as the PDC.  Everything else would stay identical.  Is that right?


Etienne-Hugues




Re: [Samba] security = ads: problem join XP Pro?

2004-06-09 Thread Paul Gienger
Are you running any windows servers in your setup or just one samba box 
and the clients?

Assuming the latter, which sounds like you unless I'm badly mis-reading 
you here, you don't *need* any special DNS entries to make things work.  
Perhaps you could attach your smb.conf file?  It sounds like your 
security parameter is way out of whack, which could be causing your 
issues. 
security = domain
 is for when you have a functioning NT network to add this machine to 
that holds your login info.  I've successfully added a 3.0 machine to a 
2.2.x network and then not had to do any passdb setup on it.
security = ads
 is for configuring authentication against an existing 2000 (/2003?) AD 
network, which you haven't mentioned here.

You probably want (from TOSHaRG):
preferred master = yes
domain master = yes
local master = yes
security = user
domain logons = yes

--
Paul Gienger Office:701-281-1884
Applied Engineering Inc. Cell:  701-306-6254
Information Systems Consultant   Fax:   701-281-1322
URL: www.ae-solutions.com   mailto:[EMAIL PROTECTED]

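A linter for exactly the mismatch Paul describes (domain logons = yes on a host whose security mode hands authentication to another domain), as an added example that is not the poster's or Samba's code; the parser, the finding texts and the trimmed sample config are this example's own.

```python
"""Lint the role settings of an smb.conf [global] section before a domain join.

Added example, not code from the thread or from Samba. It encodes the reply
above: a Samba PDC runs security = user with domain logons, domain master
and preferred master on; security = domain or ads hands authentication to an
existing NT or AD domain and does not make this host the PDC.
"""
import re

# Constructed input: a trimmed copy of the posted [global] section with
# security left at the value that broke the XP join.
SAMPLE_SMB_CONF = """\
[global]
;unix charset = LOCALE
workgroup = cyberspicace
netbios name = fs01
os level = 64
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
security = ads
passdb backend = ldapsam:ldap://fs01.cyberspicace.com
include = /etc/samba/shares.conf

[homes]
comment = Home Directories
writable = yes
"""


def _key(name):
    # smb.conf parameter names are case-insensitive and ignore internal
    # whitespace, so "Domain Logons" and "domainlogons" are the same key.
    return re.sub(r"\s+", "", name.strip().lower())


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}; ';' and '#' open comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        k, v = line.split("=", 1)
        sections[current][_key(k)] = v.strip()
    return sections


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint_pdc_role(text):
    """Return findings as strings; an empty list means the role settings agree."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    security = g.get("security", "user").strip().lower()
    pdc = _yes(g.get("domainlogons", "no"))

    # The thread's failure: the host is asked to be the PDC but is told to
    # authenticate against an NT or AD domain it does not have.
    if pdc and security != "user":
        findings.append(
            f"domain logons = yes makes this host the PDC, but security = {security} "
            "defers authentication to another domain controller; use security = user"
        )
    # A PDC should also win the browser elections; set both explicitly.
    if pdc:
        for key, label in (("domainmaster", "domain master"),
                           ("preferredmaster", "preferred master")):
            if not _yes(g.get(key, "no")):
                findings.append(f"PDC role: set {label} = yes explicitly")
    # security = ads is only meaningful with a Kerberos realm to join.
    if security == "ads" and "realm" not in g:
        findings.append("security = ads needs realm = <KERBEROS.REALM>; none is set")
    return findings


if __name__ == "__main__":
    for f in lint_pdc_role(SAMPLE_SMB_CONF) or ["OK"]:
        print(f)
```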

Re: [Samba] security = ads: problem join XP Pro?

2004-06-09 Thread Etienne-Hugues Fortin
Hi Paul,

It's the second option that I'm having.  I'm pretty sure security = user
will fix the problem.  Is it me or in previous version of samba, security
= user was for workgroup only?

Below is my smb.conf.  Note that I've changed the security to reflect what
you suggested but it was exactly the same before except for the security =
ads that was there.

It has now become a very long file based on the various documents that I
read, trying to figure out what my problem was.  However, now that I made a
lot of cleanup in the file and regrouped the settings by section, I think
it makes sense.

Thank you for your time.


Etienne-Hugues


[global]
;unix charset = LOCALE
workgroup = cyberspicace
netbios name = fs01
server string = fs01
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
wins support = yes

;PDC and master browser settings
os level = 64
preferred master = yes
local master = yes
domain master = yes
domain logons = yes

;security and logging settings
security = user
encrypt passwords = yes
unix password sync = yes
passdb backend = ldapsam:ldap://fs01.cyberspicace.com
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445

;security - interface
interfaces = eth0 192.168.1.0/24 lo 127/8
bind interfaces only = yes

;services
name resolve order = wins bcast hosts
time server = yes
printcap name = CUPS
printing = cups
show add printer wizard = yes

;various scripts
passwd program = /var/lib/samba/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:

;access
admin users = @Domain Admins
printer admin = @Domain Admins

;ldap backend
ldap suffix = dc=cyberspicace,dc=com
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=cyberspicace,dc=com
idmap backend = ldap:ldap://fs01.cyberspicace.com
idmap uid = 1-2
idmap gid = 1-2
map acl inherit = Yes

include = /etc/samba/shares.conf





Re: [Samba] security = ads: problem join XP Pro?

2004-06-09 Thread Paul Gienger
Where are you getting with adding the machines?  You should get a posix 
user added with machinename$ for the uid, then that user will be 
modified to include the sambaSamAccount data. 

I would suggest these for 'official' resources:
http://us2.samba.org/samba/docs/man/howto/samba-pdc.html
and
http://us2.samba.org/samba/docs/man/guide/
there are a couple  of comments below:
[global]
;unix charset = LOCALE
workgroup = cyberspicace
netbios name = fs01
server string = fs01
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
wins support = yes
;PDC and master browser settings
os level = 64
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
;security and logging settings
security = user
encrypt passwords = yes
unix password sync = yes
passdb backend = ldapsam:ldap://fs01.cyberspicace.com
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445
;security - interface
interfaces = eth0 192.168.1.0/24 lo 127/8
bind interfaces only = yes
 

not necessarily related to your problem, but you could probably do away 
with these if you're on a protected LAN.  Let's try to not be any more 
restrictive than we have to, at least not while testing.

;services
name resolve order = wins bcast hosts
time server = yes
printcap name = CUPS
printing = cups
show add printer wizard = yes
;various scripts
passwd program = /var/lib/samba/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'

You didn't mention, did you configure the smbldap-tools package?  I 
would assume that you did, but covering all the bases here.

logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
;access
admin users = @Domain Admins
printer admin = @Domain Admins
;ldap backend
ldap suffix = dc=cyberspicace,dc=com
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=cyberspicace,dc=com

Did you store the password for the admin dn with smbpasswd -w ...
idmap backend = ldap:ldap://fs01.cyberspicace.com
idmap uid = 1-2
idmap gid = 1-2

Don't need these unless you're using winbind.
map acl inherit = Yes
include = /etc/samba/shares.conf


Are you running any windows servers in your setup or just one samba box
and the clients?
Assuming the latter, which sounds like you unless I'm badly mis-reading
you here, you don't *need* any special DNS entries to make things work.
Perhaps you could attach your smb.conf file?  It sounds like your
security parameter is way out of whack, which could be causing your
issues.
security = domain
 is for when you have a functioning NT network to add this machine to
that holds your login info.  I've successfully added a 3.0 machine to a
2.2.x network and then not had to do any passdb setup on it.
security = ads
 is for configuring authentication against an existing 2000 (/2003?) AD
network, which you haven't mentioned here.
You probably want (from TOSHaRG):
preferred master = yes
domain master = yes
local master = yes
security = user
domain logons = yes


--
Paul Gienger Office:701-281-1884
Applied Engineering Inc. Cell:  701-306-6254
Information Systems Consultant   Fax:   701-281-1322
URL: www.ae-solutions.com   mailto:[EMAIL PROTECTED]
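As an added example (not from the thread and not part of Samba or smbldap-tools), here is a small Python linter that reads an smb.conf the way Samba reads parameter names (case-insensitive, internal whitespace ignored, `;`/`#` comment lines) and checks the consistency points Paul raises: a PDC that answers `domain logons` has to run `security = user` rather than `domain` or `ads`, `security = ads` needs a `realm`, the `idmap` ranges only matter to winbind, the `ldap admin dn` password has to be stored with `smbpasswd -w`, and a workstation join cannot create `machinename$` without an `add machine script`. The two sample configs are constructed from the quoted smb.conf; the idmap ranges and the `SAMPLE_MISCONFIGURED` block are assumed values, not the poster's.

```python
"""smb.conf [global] consistency linter for the PDC-with-LDAP-backend case.

Added example, not Samba's own tooling. The sample configs are
constructed for this example from the smb.conf quoted in the thread.
"""
import re

# Constructed sample: a trimmed copy of the quoted PDC configuration.
# The idmap ranges are assumed placeholder values.
SAMPLE_PDC = """\
[global]
;unix charset = LOCALE
workgroup = cyberspicace
netbios name = fs01
security = user
encrypt passwords = yes
passdb backend = ldapsam:ldap://fs01.cyberspicace.com
os level = 64
preferred master = yes
local master = yes
domain master = yes
domain logons = yes
interfaces = eth0 192.168.1.0/24 lo 127/8
bind interfaces only = yes
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
ldap suffix = dc=cyberspicace,dc=com
ldap admin dn = cn=Manager,dc=cyberspicace,dc=com
idmap backend = ldap:ldap://fs01.cyberspicace.com
idmap uid = 10000-20000
idmap gid = 10000-20000
"""

# Constructed sample of the mistake Paul describes: asking a box to be
# the PDC while telling it to defer authentication to another domain.
SAMPLE_MISCONFIGURED = """\
[global]
workgroup = cyberspicace
security = domain
domain logons = yes
domain master = yes
preferred master = yes
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}.

    Samba compares parameter names case-insensitively and ignores the
    whitespace inside them, so 'Domain Logons' and 'domainlogons' are the
    same key. Lines starting with ';' or '#' are comments; a trailing
    backslash continues the parameter on the next line.
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def _yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def lint_global(conf):
    """Return a list of human-readable findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    security = g.get("security", "user").lower()

    # A PDC answers logons itself; security = domain / ads mean "ask another
    # DC", which is exactly what a PDC cannot do.
    if _yes(g.get("domainlogons")) and security != "user":
        findings.append(f"domain logons = yes but security = {security}; "
                        "a PDC needs security = user")
    if security == "ads" and "realm" not in g:
        findings.append("security = ads requires realm = <KERBEROS.REALM>")
    if _yes(g.get("domainlogons")):
        for param in ("domainmaster", "preferredmaster"):
            if not _yes(g.get(param)):
                findings.append(f"domain logons = yes but {param} is not yes")
        if "addmachinescript" not in g:
            findings.append("no add machine script: workstation joins cannot "
                            "create their machinename$ accounts")

    # idmap ranges are consumed by winbind; on a stand-alone PDC they are unused.
    if security == "user" and any(k.startswith("idmap") for k in g):
        findings.append("idmap settings present but only winbind uses them; "
                        "remove them to avoid confusion")

    backend = g.get("passdbbackend", "")
    if backend.startswith("ldapsam:"):
        url = backend[len("ldapsam:"):]
        if url.startswith("ldap://") and not re.match(r"ldap://(localhost|127\.)", url):
            findings.append("ldapsam over plain ldap:// to a hostname: unless it "
                            "resolves to this box, the admin dn bind crosses the "
                            "wire in clear; use ldaps:// or ldap ssl = start tls")
        if "ldapadmindn" in g:
            findings.append("ldap admin dn set: store its password in "
                            "secrets.tdb with 'smbpasswd -w'")

    # Local tools (smbpasswd, smbclient -L localhost) connect over loopback.
    if _yes(g.get("bindinterfacesonly")):
        if not re.search(r"\blo\b|127\.", g.get("interfaces", "")):
            findings.append("bind interfaces only = yes without loopback in "
                            "interfaces: local smbpasswd/smbclient calls fail")
    return findings


def lint_text(text):
    return lint_global(parse_smb_conf(text))


if __name__ == "__main__":
    for name, sample in (("PDC", SAMPLE_PDC), ("misconfigured", SAMPLE_MISCONFIGURED)):
        print(f"== {name} ==")
        for finding in lint_text(sample):
            print(" -", finding)
```

Run it as a script to see both reports, or call `lint_text(open("/etc/samba/smb.conf").read())` against a real file. The parser deliberately normalises keys rather than using `configparser`, because Samba's `%` macros (`%u`, `%g`) and space-containing parameter names trip the stock interpolation and key handling.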