Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-13 Thread Douglas Phillipson

I'm not clear on something.  My goal is to have our AD users access a 
samba share without having to enter a second set of credentials.  So 
this is where the trust comes in.  Our Samba machine is a PDC of a 
different domain than our Win2003 PDC.


I'm told the samba machine has to be a member server in the W2003 domain 
for the trust to work.  I thought trusts were between PDCs.  Can my 
samba machine be a PDC and a member server of a W2003 domain?


Confused...

Doug P
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-13 Thread Gaiseric Vandal

Trusts are between domains.


If you configure a trust so that DomainA trusts DomainB, a machine 
account for DomainA is created in DomainB; this allows DomainA to 
retrieve a list of user names that it can trust.



When you configure the outgoing trust in Windows (i.e. you ask 
another domain to trust you), Windows will create the machine account.  
In Samba, you need to create the machine account in unix with useradd 
(or the appropriate command).


And you have to make sure idmap, nsswitch and winbind are working.

And my experience was that Samba 3.0.x didn't play nice with 
Windows 2003 anyway.   The trusts were set up fine but the idmap caching 
was buggy.   You may be better off with samba 3.4 or later.   (Though I 
also had issues with that.)


If Windows 2003 is in native mode you may not get it working with samba 
3.0.x.





Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-12 Thread Daniel Müller
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html#id2621046

Problems with LDAP ldapsam and Older Versions of smbldap-tools
If you use the smbldap-useradd script to create a trust account to set up
interdomain trusts, the process of setting up the trust will fail. The
account that was created in the LDAP database will have an account flags
field that has [W ], when it must have [I ] for interdomain trusts to work. 

Here is a simple solution. Create a machine account as follows: 

root#  smbldap-useradd -w domain_name

Then set the desired trust account password as shown here: 

root#  smbldap-passwd domain_name\$

Using a text editor, create the following file: 

dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain}
changetype: modify
sambaAcctFlags: [I ]

Then apply the text file to the LDAP database as follows: 

root#  ldapmodify -x -h localhost \
 -D cn=Manager,dc={your-domain},dc={your-top-level-domain} \
 -W -f /path-to/foobar

Create a single-sided trust under the NT4 Domain User Manager, then execute:


root#  net rpc trustdom establish domain_name  - important


It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows
200x ADS in mixed mode. Both domain controllers, Samba and NT, must have the
same WINS server; otherwise, the trust will never work. --- important


---
IT: Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
E-mail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
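As an added example (not code from the Samba HOWTO or from anyone in this thread), a small POSIX shell script that checks the trust account's sambaAcctFlags in ldapsearch output and emits the corrective LDIF the excerpt above describes. The domain name WECN, the base DN dc=lecn,dc=example and the sample ldapsearch output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Samba HOWTO or from anyone in this thread.
# It turns the HOWTO's fix into functions: inspect the trust account's
# sambaAcctFlags in ldapsearch output and emit the corrective LDIF.
# Assumptions: trusted domain WECN, base DN dc=lecn,dc=example, accounts
# under ou=People; the ldapsearch output below is constructed.

# Print the LDIF that turns a [W ] machine entry into an [I ] trust entry.
# Usage: trust_ldif DOMAIN BASE_DN | ldapmodify -x -D "cn=Manager,..." -W
trust_ldif() {
    printf 'dn: uid=%s$,ou=People,%s\n' "$1" "$2"
    printf 'changetype: modify\nreplace: sambaAcctFlags\n'
    printf 'sambaAcctFlags: [I          ]\n'
}

# Classify a sambaAcctFlags value. Samba space-pads the field, so strip the
# brackets and spaces before looking at the flag letters.
acct_kind() {
    letters=$(printf '%s\n' "$1" | sed 's/[][ ]//g')
    case "$letters" in
        *I*) echo interdomain ;;
        *W*) echo workstation ;;
        *U*) echo user ;;
        *)   echo unknown ;;
    esac
}

# Find uid=DOMAIN$ in ldapsearch LDIF text ($2) and classify its flags.
# Prints "missing" when the trust account was never created.
trust_account_status() {
    flags=$(printf '%s\n' "$2" | awk -v want="uid=$1\$," '
        /^dn:/ { inentry = index($0, want) > 0 }
        inentry && /^sambaAcctFlags:/ { sub(/^sambaAcctFlags: */, ""); print; exit }')
    if [ -z "$flags" ]; then echo missing; else acct_kind "$flags"; fi
}

# Constructed ldapsearch output: the trust account exactly as
# "smbldap-useradd -w WECN" leaves it (workstation flags), plus one user.
SAMPLE_LDIF='dn: uid=WECN$,ou=People,dc=lecn,dc=example
objectClass: sambaSamAccount
uid: WECN$
sambaAcctFlags: [W          ]

dn: uid=doug,ou=People,dc=lecn,dc=example
uid: doug
sambaAcctFlags: [U          ]
'

# Report the account state and print the fix when it is still a workstation.
main() {
    status=$(trust_account_status WECN "$SAMPLE_LDIF")
    echo "WECN\$ account is: $status"
    if [ "$status" = workstation ]; then
        trust_ldif WECN dc=lecn,dc=example
    fi
}
main
```

On a real server, replace SAMPLE_LDIF with the output of an ldapsearch for the trust account and pipe trust_ldif into ldapmodify as the HOWTO shows.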


Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-12 Thread Douglas Phillipson
To create a Trust between Samba and a W2003 AD Domain, does the Samba 
machine have to be a domain member also?


Doug P



Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-11 Thread Douglas Phillipson

When trying to add the machine account with smbldap, I use the syntax:
/var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$

I get the following error when adding the machine account:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 497, DATA line 283.


Thanks
Doug P

On 10/11/2010 09:53 AM, Douglas Phillipson wrote:
I'm trying to establish a two-way non-transitive trust between a W2003 
A/D box and our SAMBA domain.


We are using smbldap so we can log in on any of the linux boxes with 
the same passwd.

Samba is version 3.0.33 on Redhat Enterprise.

It's easy to create the trust on the Windows side with AD Domains and 
Trusts but on the Linux side I'm not sure if I need to put the machine 
account locally in smb passwd or use the smbldap passwd on the LDAP 
server.  Has anyone done this before?


For the sake of example:

My windows A/D domain is WECN
My Linux Domain is LECN

I've tried putting the machine account both in the local file 
and in the LDAP passwd file but it just doesn't work.  I've got the Samba 
3 HowTo book and tried lots of googled suggestions but still can't 
seem to make this work.  Any suggestions are appreciated.  Is there an 
easier way to do this?  My end result is to map a share on the SAMBA 
server from a WinXP client computer that's in a W2003 domain without 
having to put in a Linux username/password.


Thanks for your time and suggestions!
Doug P

My smb.conf [global]:

[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = LECN
realm =
netbios name = RSL-PDC1
netbios aliases =
netbios scope =
server string = Primary RSL Samba Server
interfaces =
bind interfaces only = No
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes


map to guest = Never
null passwords = No

obey pam restrictions = Yes
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:ldap://127.0.0.1;
algorithmic rid base = 1000
root directory =
guest account = smbguest

passwd chat debug = No
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = Changing UNIX password for*\nNew password* %n\n *Retype new password* %n\n

passwd chat timeout = 2
check password script = /usr/sbin/crackcheck -c -d /usr/lib/cracklib_dict

username map =
password level = 0
username level = 0
unix password sync = Yes
ntlm auth = Yes
restrict anonymous = Yes
lanman auth = No
;ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
preload modules =
use kerberos keytab = No

log level = 3 vfs:1
syslog = 0
syslog only = No
log file = /var/log/samba/%m.log
max log size = 50
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = wins hosts bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
;change notify timeout = 60
deadtime = 15
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 0
printcap name = cups
cups server =
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
stat cache = Yes

Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-11 Thread Douglas Phillipson

Oops, should be using a machine arg, tried:
/var/lib/samba/sbin/smbldap-useradd.pl -w -c "Domain Trust" ECN$

Still get error:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 497, DATA line 283.


Doug P


Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-11 Thread Gaiseric Vandal
I would try disabling the machine account scripts, and manually creating 
the unix-level account for the domain trust with whatever tools you use for 
ldap accounts.  That should help rule out the script just not 
running correctly.



When you join local windows machines to the domain, are they adding 
correctly?  Is the underlying unix account for the machine created?


You could also probably run the script from the command line:

/var/lib/samba/sbin/smbldap-useradd.pl -w thedomainname


