Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
On 10/12/2010 01:05 PM, Douglas Phillipson wrote:

To create a Trust between Samba and a W2003 AD Domain, does the Samba machine have to be a domain member also?

Doug P

I'm not clear on something. My goal is to have our AD users access a samba share without having to enter a second set of credentials. So this is where the trust comes in. Our Samba machine is a PDC of a different domain than our Win2003 PDC. I'm told the samba machine has to be a member server in the W2003 domain for the trust to work. I thought trusts were between PDCs. Can my samba machine be a PDC and a member server of a W2003 domain?

Confused...

Doug P

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
Trusts are between domains. If you configure a trust so that DomainA trusts DomainB, a machine account for DomainA is created in DomainB; this allows DomainA to retrieve a list of user names that it can trust. When you configure the outgoing trust in Windows (i.e. you ask another domain to trust you) Windows will create the machine account. In samba, you need to create the machine account in unix with useradd (or the appropriate command). And you have to make sure idmap, nsswitch and winbind are working.

And my experience was that Samba 3.0.x didn't play nice with Windows 2003 anyway. The trusts were set up fine but the idmap caching was buggy. You may be better off with samba 3.4 or later. (Though I also had issues with that.) If Windows 2003 is in native mode you may not get it working with samba 3.0.x.

On 10/13/2010 10:14 AM, Douglas Phillipson wrote:
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html#id2621046

Problems with LDAP ldapsam and Older Versions of smbldap-tools

If you use the smbldap-useradd script to create a trust account to set up interdomain trusts, the process of setting up the trust will fail. The account that was created in the LDAP database will have an account flags field that has [W ], when it must have [I ] for interdomain trusts to work. Here is a simple solution.

Create a machine account as follows:

    root# smbldap-useradd -w domain_name

Then set the desired trust account password as shown here:

    root# smbldap-passwd domain_name\$

Using a text editor, create the following file:

    dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain}
    changetype: modify
    sambaAcctFlags: [I ]

Then apply the text file to the LDAP database as follows:

    root# ldapmodify -x -h localhost \
        -D cn=Manager,dc={your-domain},dc={your-top-level-domain} \
        -W -f /path-to/foobar

Create a single-sided trust under the NT4 Domain User Manager, then execute:

    root# net rpc trustdom establish domain_name

--- important ---
It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode. Both domain controllers, Samba and NT, must have the same WINS server; otherwise, the trust will never work.
--- important ---

Daniel Müller
Head of IT (EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de

-----Original message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Gaiseric Vandal
Sent: Monday, 11 October 2010 21:17
To: samba@lists.samba.org
Subject: Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
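The HOWTO fix above is a two-step check: read the trust account's sambaAcctFlags, and if it still shows the workstation type, rewrite it to the interdomain-trust type with ldapmodify. The following POSIX sh script is an added example (not from the Samba HOWTO and not from anyone in this thread) that does exactly that against a constructed ldapsearch-style entry; the domain name WECN, the base DN dc=example,dc=com and the entry itself are placeholders, and the generated LDIF carries the "replace:" line that ldapmodify requires for a changetype of modify (the HOWTO's snippet omits it).

```shell
#!/bin/sh
# Added example, not code from the Samba HOWTO or from anyone in this thread.
# Checks whether an interdomain trust account created through smbldap-useradd
# carries the [I ...] flag the HOWTO requires, and emits the LDIF fix if not.

# Constructed sample entry, in the form ldapsearch -LLL prints, for a trust
# account that an older smbldap-useradd created as a workstation ([W ...]).
# Domain name WECN and base DN dc=example,dc=com are placeholders.
SAMPLE_ENTRY='dn: uid=WECN$,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: WECN$
sambaAcctFlags: [W          ]'

# acct_flags ENTRY: print the sambaAcctFlags value of an LDIF entry
acct_flags() {
    printf '%s\n' "$1" | sed -n 's/^sambaAcctFlags: //p'
}

# is_trust_flags FLAGS: succeed when the flags mark an interdomain trust account
is_trust_flags() {
    case "$1" in
        '['*I*']') return 0 ;;
        *)         return 1 ;;
    esac
}

# trust_fix_ldif DOMAIN BASEDN FLAGS: print the modify LDIF the HOWTO applies
# with ldapmodify, but only when FLAGS still lack the trust flag. The LDIF
# includes the "replace:" line a changetype of modify needs. Exit status 1
# means there is nothing to fix.
trust_fix_ldif() {
    if is_trust_flags "$3"; then
        return 1
    fi
    printf 'dn: uid=%s$,ou=People,%s\n' "$1" "$2"
    printf 'changetype: modify\n'
    printf 'replace: sambaAcctFlags\n'
    printf 'sambaAcctFlags: [I          ]\n'
}

# Stand-alone run: review the constructed entry and show the fix.
flags=$(acct_flags "$SAMPLE_ENTRY")
if is_trust_flags "$flags"; then
    echo "WECN\$ already has trust flags: $flags"
else
    echo "WECN\$ has flags $flags, LDIF to apply with ldapmodify -x -W -f:"
    trust_fix_ldif WECN dc=example,dc=com "$flags"
fi
```

Against a live directory, replace SAMPLE_ENTRY with the output of ldapsearch for the uid=DOMAIN$ entry and feed the printed LDIF to ldapmodify as the HOWTO shows.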
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
To create a Trust between Samba and a W2003 AD Domain, does the Samba machine have to be a domain member also?

Doug P

On 10/11/2010 11:29 PM, Daniel Müller wrote:
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
When trying to add the machine account with smb-ldap, I use the syntax:

    /var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c Domain Trust ECN$

I get the following error when adding the machine account:

    failed to add entry: at /var/lib/samba/sbin//smbldap_tools.pm line 497, DATA line 283.

Thanks

Doug P

On 10/11/2010 09:53 AM, Douglas Phillipson wrote:

I'm trying to establish a two way non-transitive trust between a W2003 A/D box and our SAMBA domain. We are using smbldap so we can log in on any of the linux boxes with the same passwd. Samba is version 3.0.33 on Redhat Enterprise. It's easy to create the trust on the Windows side with AD Domains and Trusts but on the Linux side I'm not sure if I need to put the machine account locally in smb passwd or use the smbldap passwd on the LDAP server. Has anyone done this before?

For the sake of example:
My windows A/D domain is WECN
My Linux Domain is LECN

I've tried several ways of putting the machine account both in the local file and the LDAP passwd file but it just doesn't work. I've got the Samba 3 HowTo book and tried lots of googled suggestions but still can't seem to make this work. Any suggestions are appreciated. Is there an easier way to do this?

My end result is to map a share on the SAMBA server from a WinXP client computer that's in a W2003 domain without having to put in a Linux username/password.

Thanks for your time and suggestions!

Doug P

My smb.conf [global]:

[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = LECN
realm =
netbios name = RSL-PDC1
netbios aliases =
netbios scope =
server string = Primary RSL Samba Server
interfaces =
bind interfaces only = No
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Never
null passwords = No
obey pam restrictions = Yes
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:ldap://127.0.0.1;
algorithmic rid base = 1000
root directory =
guest account = smbguest
passwd chat debug = No
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = Changing UNIX password for*\nNew password* %n\n *Retype new password* %n\n
passwd chat timeout = 2
check password script = /usr/sbin/crackcheck -c -d /usr/lib/cracklib_dict
username map =
password level = 0
username level = 0
unix password sync = Yes
ntlm auth = Yes
restrict anonymous = Yes
lanman auth = No
;ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
preload modules =
use kerberos keytab = No
log level = 3 vfs:1
syslog = 0
syslog only = No
log file = /var/log/samba/%m.log
max log size = 50
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = wins hosts bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
;change notify timeout = 60
deadtime = 15
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 0
printcap name = cups
cups server =
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
stat cache = Yes
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
Oops, should be using a machine arg, tried:

    /var/lib/samba/sbin/smbldap-useradd.pl -w -c Domain Trust ECN$

Still get error:

    failed to add entry: at /var/lib/samba/sbin//smbldap_tools.pm line 497, DATA line 283.

Doug P

On 10/11/2010 10:29 AM, Douglas Phillipson wrote:
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
I would try disabling the machine account scripts, and manually creating the unix level account for the domain trust with whatever tools you use for ldap accounts. That should help establish whether the script is just not running correctly. When you join local windows machines to the domain, are they added correctly? Is the underlying unix account for the machine created?

You could also probably run the script from the command line:

    /var/lib/samba/sbin/smbldap-useradd.pl -w thedomainname

On 10/11/2010 01:43 PM, Douglas Phillipson wrote: