[Samba] Samba 3.6 issues

2013-07-17 Thread wong lmark
Dear Samba Team,

There are three issues happening in my Samba 3.6.6.

Issue 1: After the upgrade, when I upload a file of more than 100mb to Samba, it
shows the error "File name too long cannot copy" in Windows XP. I tried to use 3
different PCs to upload different files of more than 100mb; it also fails to
transfer the file and shows the error. I tested uploading files of 25mb
or 50mb and it is okay, no problem. Before the upgrade to Samba 3.6, I was using
Samba 3.0.28.

Issue 2: Users could log on to PCs within the domain, but the network
drive could not be mapped from 15-7-16 after around 18:00 (e.g.
\\dc01\netlogon). The network drive also could not be mapped through the net use
command in Windows XP. Also, the trust relationship with another domain,
chb, was lost. Attached are the samba log and error screen capture for reference.

Issue 3: When I enter the command "service smb status", it shows many process
IDs; is this normal?

Thanks for your help.

Here is my smb.conf:

[global]
workgroup = HB
server string = DC01
netbios name = DC01
interfaces = eth0
hosts allow = 10. 172. 127.0.0.1
security = user
encrypt passwords = yes
unix password sync = no
socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
username map = /etc/samba/smbusers
admin users = root lh2 jos1
hide unreadable = yes
smb ports = 139

local master = yes
os level = 33
domain master = no
preferred master = yes

domain logons = yes
logon path =
logon home =
#logon path = \\%L\profiles\%U
#logon path = \\%L\%U\profiles
logon drive =
#logon home = \\%L\%U
#logon home = \\%L\homes
#logon script = %U.bat
logon script = %g.bat

wins support = yes
name resolve order = wins lmhosts host
dns proxy = no

add user script = /usr/sbin/smbldap-useradd -a -m "%u"
add machine script = /usr/sbin/smbldap-useradd -W "%u"
add group script = /usr/sbin/smbldap-groupadd -a -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

passdb backend = ldapsam:ldap://127.0.0.1
ldap delete dn = yes
ldap ssl = no
;winbind nested groups = no

ldap suffix = dc=ch,dc=com
ldap admin dn = uid=edp,dc=ch,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap passwd sync = yes
ldap delete dn = no

log file = /var/log/samba/%m.log
log level = 5
max log size = 1

template shell = /bin/false
;winbind use default domain = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S

[netlogon]
comment = Network Logon Service
path = /home2/samba/netlogon
guest ok = yes
writable = no
share modes = no

[testing]
path = /home2/test
comment = testing
writable = yes
browseable = no
create mode = 0770
directory mode = 2770
public = no
valid users = @testing
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] tab key does not complete the package name or list the packages in apt-get command

2013-07-17 Thread Muhammad Yousuf Khan
I am using Debian 6.0.7.
On my other Debian machines, when I type "apt-get install sam" it gives
me all items starting with sam, and this is the default behaviour. However, now for
some reason the tab key is not working. Does anyone know why?

Note: for other commands the tab key is working fine.

Thanks,

Myk


Re: [Samba] tab key does not complete the package name or list the packages in apt-get command

2013-07-17 Thread L . P . H . van Belle
This is normal behaviour;
apt-get install sam(tab) should not work.
And if it does, then it's because samXXX exists in one of the search folders.

This is not a Samba thing.
Use apt-cache search 




Re: [Samba] tab key does not complete the package name or list the packages in apt-get command

2013-07-17 Thread Muhammad Yousuf Khan
Sorry, I asked in the wrong list.

See for yourself what I am saying; maybe I cannot communicate it properly.
See the result below: it is giving me no match, which means samba is not installed.
root@virt-dev:~# dpkg -l  | grep samba
root@virt-dev:~#

Now check this out.

root@virt-dev:~# apt-get install sam
sam2p             samba-doc         samidare
samba             samba-doc-pdf     samizdat
samba-common      samba-tools       samplerate-programs
samba-common-bin  samdump2          samtools
samba-dbg         samhain
root@virt-dev:~# apt-get install sam

When I hit tab after "sam" you can see the result for yourself.

Thanks,







Re: [Samba] need soms tips for adding samba4 to windows 2008R2 domain

2013-07-17 Thread L . P . H . van Belle
Hi Marc,
Thanks for your reply.

>-Original message-
>From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de]
>Sent: Monday, 15 July 2013 19:39
>To: L.P.H. van Belle
>CC: samba@lists.samba.org
>Subject: Re: [Samba] need soms tips for adding samba4 to
>windows 2008R2 domain
>
>Hello Louis,
>
>On 15.07.2013 12:48, L.P.H. van Belle wrote:
>> 1) keep my existing windows 2008 domain.  ( contains dhcp +
>dns + AD )
>>  its a clean domain, no users yet. dhcp+dns is used already.
>>
>> 2) add samba4 to the windows domain dc as secondary DC.
>>  ( this server will be my zarafa mail server )
>
>Setup and joining a Samba machine as DC you can find here:
>http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
>

For this step, I'm using bind; I already have Windows set up to replicate the DNS to
some other Linux servers.
Can I just point Samba to the Windows server, or can I use the replicated DNS, or
do I need to set up the DNS completely for Samba as well?

That's not clear in the howto,
because this howto points to:
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
( I'm using the enterprise samba packages on Ubuntu 12.04 )
and http://wiki.samba.org/index.php/Dns-backend_bind

Really, I'm sorry to say, but for me the wiki is a maze of information;
too many references to other locations.
Then I'm pointed to
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
where I read:

This HOWTO will assume you had configured and installed Samba in the default
location of /usr/local/samba.
It assumes you are joining Samba to an existing domain called
'samdom.example.com'.

??? Really, I'm lost.
Sorry, I think it's me :-((


>
>
>
>> 3) add samba3/4 servers to this domain as domain members.
>( i know this for samba3 )
>
>http://wiki.samba.org/index.php/Samba4/Domain_Member
>
>
>
>
>> 4) for my remote location i also want to add samba4 servers,
>which will get their own share for profiles.
>>  ( this i know )
>
>Same as 3. But for the users who should have their profiles on the 
>remote server, you have to specify their profile path in ADUC pointing 
>to this server.
>
>Some information about roaming profiles:
>http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
>
>
>
>> my old environment is running samba3 +Ldap.
>> I do not need the old info with classic upgrade, because some
>pc's have the same sid's, and i'm setting this up for windows 7 pc's.
>
>Here's the point where I'm not sure if I fully understand you. In 1
>you wrote that you are having an AD, but with no users. Here you say
>you have a Samba NT4 style domain with users, etc.

Yes, this is correct. I now have:
1 samba domain, on which everyone is working ( pdc+bdc, ldap etc. )
an extra domain, 2 Windows servers for my VoIP, no users on it;
I'm going to use this AD for my users, so this will be the new domain when
ready
( with newly installed PCs )

>
>Do you want to bring them together? I mean keep your Windows 
>Domain and 
>migrate the Samba3 accounts to the domain? You can export your LDAP, 
>script something around for the changes and import them in 
>your AD. But 
>you have to re-join your workstations then.

This is not needed, because I'm replacing all of the PCs from XP to Win7.
Clean PCs in the new domain; I have a PXE setup for my PC installs so that's OK.

>
>Or do you want a trust. But this isn't possible in both directions yet:
>http://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_re
>lationship_with_AD.3F
>
>Or do you skip the old domain and join the PCs to the new Windows 
>domain? Then just follow the HowTos above.

Great, I'm going to set up from the howtos.
I don't need trusts.  ( and if needed I just authenticate with DOMAIN\user to a
server )
so the trust is not needed.


>
>If you meant something else, please give some more details :-)
>
Here you are. 
>
>
>
> > Question here is, do i need the registry fixes for windows 7, if my
> > windows 2008 DC is the domain controller.
>
>No registry changes, if your Domain is provided by Windows or 
>Samba AD. 
>I have read that it's necessary for a Samba NT4 style domain 
>only. But I 
>haven't used a Samba PDC with Win7 yet myself (only Samba AD).

I have some Win7 on the NT4 style domain, but I didn't use any registry fixes,
and it works.

>
>
>
>
>Regards,
>Marc
>
>



Re: [Samba] Classicupgrade "set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER"

2013-07-17 Thread Stéphane PURNELLE
Hi,

This trick doesn't resolve the problem.

Regards

Stéphane

---
Stéphane PURNELLE, Systems and Network Admin.
IT Department   Corman S.A.   Tel : 00 32 (0)87/342467

Marc Muehlfeld  wrote on 16/07/2013 17:52:32:

> From : Marc Muehlfeld 
> To : Stéphane PURNELLE , 
> Cc : "samba@lists.samba.org" 
> Date : 16/07/2013 17:52
> Subject : Re: [Samba] Classicupgrade "set_nt_acl_no_snum: fset_nt_acl 
> returned NT_STATUS_INVALID_OWNER"
> 
> On 16.07.2013 09:28, Stéphane PURNELLE wrote:
> > I have the same problem with classicupgrade (samba 4.0.6) but on
> > S-1-5.21---xxx-500.
> 
> This is the domain Admin account. What happens if you remove it before 
> the classicupgrade?
> 
> 
> Regards
> Marc
> 
> 


Re: [Samba] New ADC configuration

2013-07-17 Thread Ali Bendriss
On Tuesday, July 16, 2013 06:48:07 PM Matthew Daubenspeck wrote:
> On Tue, Jul 16, 2013 at 08:45:15PM +0200, Marc Muehlfeld wrote:
> > Did you clean up the tdb files on your member server? I could imagine,
> > that
> > Samba mixes the old and new domain in its idmap cache. If it's a new
> > installation and nothing important in the member servers registry (like
> > print server printer settings), just remove the whole samba installation,
> > 'make install' again and rejoin.
> 
> Well now I am out of ideas. I hosed both setups and started from
> scratch. Redid the provision with the proper rfc2307 added, and I have
> created test users and assigned them UIDs in ADUC. I can create groups
> and give them GIDs as well. I rejoined the member server, I can list all
> users, but I still get no results from id on the member server. What the
> heck could I be missing?
> 
> Does the ADC server need special idmap config/ranges, etc as well?

Hello,

The last time I had this kind of error, it was because I hadn't set up
the gid number for the primary group for each user (domain users).
I ended up changing the gid of domain users to something high (the default for
provision is 100) so my idmap range for idmap_ad doesn't have to go as low
as 100. And then I gave all the users the newly configured gid number.
It may be useful to run net cache flush on the member server while doing the
test.
You set idmap config NWLTECH:range = 500-4
but the default gid for domain users is 100, so I think that you need to change
it (see above) or adapt your range.

regards,

--
Ali


Re: [Samba] Samba 3.6 issues

2013-07-17 Thread Gaiseric Vandal




When I upgraded from samba 3.0.x to 3.4.x I ran into several issues.

First of all, I would look through the logs.   (They did not attach to 
your message.)  I would also run "testparm -v" in case some default 
settings have changed.   NTLM should be enabled.  If you require NTLMv2 
that may cause problems (I couldn't get it to work.)


1st, with idmap and domain trusts:  With 3.0.x the idmap entries 
for trusted users were automatically created but they would expire in a 
week and have to be manually purged.   With 3.4.x the idmap cache issue 
was fixed BUT the entries were no longer auto-created.   I had to 
manually add idmap entries in ldap for users in the trusted domain (only 
5 or 6 anyway.)


Do you use idmap for assigning user id's for users in the primary domain?  I 
explicitly create user and group accounts.  I would verify with 
"pdbedit -Lv username" and "pdbedit -Lv computername$" that the samba 
accounts haven't lost their unix id and that everything looks OK.


I also found with 3.4.x (vs 3.0.x) that I needed to explicitly map 
the guest user and group. This could affect the share permissions.  
Generally I leave the share permissions unrestricted and rely on the 
file system permissions for all the control.


Also make sure that the well known groups (e.g. Domain Users) look ok 
with "net groupmap list".


Multiple smbd processes is normal - there should be one for each connection.

I also found it is better not to specify ports in the smb.conf. 
Although samba does not use 445 for data, windows clients NOT using 
wins may have problems connecting to samba servers if 445 is not 
running.




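The replies above point at several things to review in an smb.conf like the one posted: Gaiseric's advice to re-check settings with "testparm -v", not to pin "smb ports" to 139 alone, and to look at the logs (which a "max log size = 1" at "log level = 5" would rotate away), plus Ali's remark in the ADC thread that the gid of Domain Users must fall inside the "idmap config DOMAIN:range". The following is an added example, not code from Samba or from anyone in this thread: a small Python linter that parses a constructed smb.conf (modelled on the posted one, with a made-up "idmap config NWLTECH:range" line standing in for the ADC case) and reports those findings. The duplicate-key check is there because the posted config sets "ldap delete dn" twice with different values. The `domain_users_gid` parameter, the 1000 KB log-size threshold and the sample values are assumptions.

```python
"""Static checks over an smb.conf, along the lines of a 'testparm -v' review.

Added example; not Samba's code and not from anyone in this thread.
The config below is a constructed sample modelled on the one posted
(with an 'idmap config ...:range' line as in the ADC thread).
"""
import re
from collections import defaultdict

SAMPLE_SMB_CONF = """\
[global]
workgroup = HB
security = user
smb ports = 139
log level = 5
max log size = 1
ldap delete dn = yes
ldap delete dn = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
# constructed, hypothetical range for the ADC example
idmap config NWLTECH:range = 500-40000

[homes]
browseable = no
writable = yes
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in order.

    Samba treats parameter names case-insensitively and collapses internal
    whitespace, so keys are normalised to lower case with single spaces.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank, or '#'/';' comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current is None or "=" not in line:
            continue                          # stray line outside a section
        key, value = line.split("=", 1)
        sections[current].append((" ".join(key.lower().split()), value.strip()))
    return dict(sections)


def lint_global(sections, domain_users_gid=100):
    """Return a list of findings for the [global] section.

    domain_users_gid is an assumption: the Unix gid of 'Domain Users'
    (100 is the provision default mentioned in the thread).
    """
    findings = []
    values = defaultdict(list)               # key -> every value seen, in order
    for key, value in sections.get("global", []):
        values[key].append(value)

    # Duplicate keys with different values: Samba keeps the last one silently.
    for key, seen in values.items():
        if len(set(seen)) > 1:
            findings.append(f"'{key}' set more than once {seen}; the last value wins")

    # Port list without 445: clients that do not use NetBIOS/WINS try 445 first.
    if "smb ports" in values:
        ports = values["smb ports"][-1].split()
        if "445" not in ports:
            findings.append(f"'smb ports = {' '.join(ports)}' omits 445")

    # A verbose log level combined with a tiny 'max log size' (kilobytes)
    # rotates the log away before it is useful for debugging.
    if "log level" in values and "max log size" in values:
        level = int(values["log level"][-1].split()[0])
        size_kb = int(values["max log size"][-1])
        if level >= 3 and 0 < size_kb < 1000:
            findings.append(f"'log level = {level}' with 'max log size = {size_kb}' KB")

    # idmap_ad/rfc2307 ranges: an ID outside the range is rejected by winbind,
    # so the Domain Users gid must fall inside every per-domain range.
    for key, seen in values.items():
        if key.startswith("idmap config ") and key.endswith(":range"):
            low, high = (int(x) for x in seen[-1].split("-", 1))
            if not low <= domain_users_gid <= high:
                findings.append(f"'{key} = {seen[-1]}' excludes gid {domain_users_gid} (Domain Users)")
    return findings


if __name__ == "__main__":
    for finding in lint_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```

Run it against a real file by replacing SAMPLE_SMB_CONF with the contents of /etc/samba/smb.conf; it complements rather than replaces "testparm -v", which also reports the effective defaults Samba fills in.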


Re: [Samba] i can figure out. is it config issue or bug. please help

2013-07-17 Thread Gaiseric Vandal

So do you really mean Samba 2.7, or do you mean Samba 3.2.7?




On 07/17/13 02:09, Muhammad Yousuf Khan wrote:

I am using samba 3.6.5 with winbind for active directory authentication.

There is a samba share folder named "Filesharing" and a plethora of folders
are inside it.
I have been using 2.7 stable for more than 2 years with no problem; however,
after my hard disk failure I had to restore data to a new server and install
samba from zero. Fortunately or unfortunately samba has been updated in the
debian repository to 3.5.6

root@nas:/nas/backup# smbd -V
Version 3.5.6

All users including the owner user and group can see the shared file, but only
everyone/all users cannot copy the file to their desktop or any other
location in windows 7; they receive permission denied
messages. However, these are the same settings that I used to work with Samba
2.7 stable.


Even groups who do not have "r-x" permission cannot copy data.
Same goes for everyone with "r-x": no user can copy the data
until I give them "rwx".

This wasn't happening previously.

Is there anyone who can help me in this regard?

Thanks,

MYK




Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 

 
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld wrote:

> Hello Donny,
> 
> On 12.07.2013 21:34, Donny Brooks wrote:
> > On the old domain, which was setup before I got here,
>  > our IT section was in an ldap group that allowed us to
>  > join PC's to the domain ...
> 
> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
> 
> 
> 
> 
>  > ... and when the prompt came up in windows to
>  > install software we could log in as ourselves.
> 
> What do you mean by this? Do you want to have a group of users 
> automatically in the "administrator" group on your workstations?
> 
> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
> 
> If you mean something else, please give some more details.
> 
> 
> 
> Regards,
> Marc
> 
> 
> 
> 
> 
 
Yes, on the old domain we had all of our IT staff in a group that was able to 
join PCs to the domain and install software by inputting their domain 
credentials when prompted. Looking at the first link, that is for Samba 4.X. We 
are on Samba 3.5.10 so that does not apply. 

-- 

Donny B. 



Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

According to the net man page:

   In order for Samba to be joined or unjoined remotely an account must be
   used that is either member of the Domain Admins group, a member of the
   local Administrators group or a user that is granted the
   SeMachineAccountPrivilege privilege.

The simplest thing is probably to have the Domain IT group be a member 
of the local admin group on each machine.  I don't know if you would 
need to grant them the SeMachineAccountPrivilege.






Re: [Samba] samba Digest, Vol 127, Issue 17

2013-07-17 Thread luis aravena
Dear all,

I am out of the office until Monday 22/07/13.
For any request, please create the corresponding ticket or contact
roberto.var...@pyaing.cl, freddy.arev...@pyaing.cl,
frederick.esco...@pyaing.cl or marcos.ur...@pyaing.cl


Regards
Luis Aravena


[Samba] Does Samba Re-read Changes To smb.conf

2013-07-17 Thread bhogue

Hi,

I was told that samba will re-read smb.conf if you make changes, 
without restarting the smb service.


Is that true? If yes, how long do I need to wait before I see the new 
share I added to smb.conf?


Thanks
Bob




Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal wrote:
 
> According to the net man page
> 
> 
> In order for Samba to be joined or unjoined remotely an account 
> must be
> used that is either member of the Domain Admins group, a member 
> of the
> local Administrators group or a user that is granted the
> SeMachineAccountPrivilege privilege.
> 
> 
> 
> 
> The simplest thing is probably to have the Domain IT group be a member 
> of the local admin group on each machine.  I don't know if you would 
> need to grant them the  SeMachineAccountPrivilege.
> 
> 
> 
 
Looks like I need to do this here: 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

And map our itgroup to the Domain Admins group. Although we do have a Domain 
Admins group in ldap. Should that cause an issue?
-- 

Donny B. 

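Gaiseric's advice earlier in the digest to confirm that the well-known groups look right in "net groupmap list", and Donny's plan above to map his itgroup onto Domain Admins, both come down to checking which Unix group each well-known RID (512 Domain Admins, 513 Domain Users, 514 Domain Guests) resolves to. The following is an added example, not Samba's code and not from anyone in this thread: it parses a constructed "net groupmap list" listing in the "NT group (SID) -> unixgroup" layout that command prints (the domain SID and the Unix group names are placeholders) and reports well-known RIDs that have no mapping, or whose Domain Admins mapping is not the expected group.

```python
"""Check 'net groupmap list' output for the well-known domain groups.

Added example; not Samba's code and not from anyone in this thread.
The listing below is constructed: the domain SID is a placeholder and the
Unix group names are made up.
"""
import re

# Well-known RIDs from the NT domain model (Samba-HOWTO groupmapping chapter).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

SAMPLE_GROUPMAP_OUTPUT = """\
Domain Admins (S-1-5-21-111111111-222222222-333333333-512) -> itgroup
Domain Users (S-1-5-21-111111111-222222222-333333333-513) -> users
testing (S-1-5-21-111111111-222222222-333333333-1005) -> testing
"""

# One mapping per line: "<NT group> (<SID>) -> <unix group>"
LINE_RE = re.compile(
    r"^(?P<ntgroup>.+?) \((?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+))\) -> (?P<unixgroup>\S+)$"
)


def parse_groupmap(output):
    """Return a list of {'ntgroup', 'sid', 'rid', 'unixgroup'} dicts."""
    mappings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                                 # lines that do not match are skipped
            mappings.append({
                "ntgroup": m["ntgroup"],
                "sid": m["sid"],
                "rid": int(m["rid"]),
                "unixgroup": m["unixgroup"],
            })
    return mappings


def unmapped_well_known(mappings):
    """Well-known RIDs that have no group mapping at all."""
    present = {m["rid"] for m in mappings}
    return {rid: name for rid, name in WELL_KNOWN_RIDS.items() if rid not in present}


def check_admin_mapping(mappings, expected_unixgroup):
    """True if RID 512 (Domain Admins) is mapped to the expected Unix group."""
    for m in mappings:
        if m["rid"] == 512:
            return m["unixgroup"] == expected_unixgroup
    return False


if __name__ == "__main__":
    maps = parse_groupmap(SAMPLE_GROUPMAP_OUTPUT)
    for rid, name in unmapped_well_known(maps).items():
        print(f"WARNING: {name} (RID {rid}) has no Unix group mapping")
    print("Domain Admins -> itgroup:", check_admin_mapping(maps, "itgroup"))
```

On a real PDC, feed it the output of "net groupmap list" instead of the sample; a well-known RID that resolves to no Unix group, or to the wrong one, is exactly the kind of mismatch that makes "pdbedit -Lv" and share ACLs behave unexpectedly after an upgrade.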


Re: [Samba] Does Samba Re-read Changes To smb.conf

2013-07-17 Thread Helmut Hullen
Hello bhogue,

You wrote on 17.07.13:

> I was told that samba will re-read the smb.conf if you make changes
> without restarting the smb service.

That's not true for the "[global]" section.

Best regards!
Helmut


Re: [Samba] New ADC configuration

2013-07-17 Thread Matthew Daubenspeck
On Wed, Jul 17, 2013 at 12:31:54PM +0200, Ali Bendriss wrote:
>The last time I was having this kind of error, it was because I haven't
>setup the gid number for the primary group for each users (domain
>users).
> 
>I ended changing the gid of domain users for something high (the
>default for provision is 100) so my idmap range for idmap_ad doesn't
>have to go as lower as 100. And then I gave all the users the new
>configured gid number.
> 
>it may be useful to run net cache flush on the member server while
>doing the test.
> 
>you set idmap config NWLTECH:range = 500-4
> 
>but the default gid for domain user is 100 so I think that you need to
>change it (see above) or adapt your range.

The last thing it has to be is something with Arch Linux. I removed all
their samba packages and rolled from source and it does the EXACT same
thing. I then fired up a quick and dirty Ubuntu LTS VM, installed some
samba 4.0.6 packages from a PPA, and it worked. First try. I didn't even
have to set uid/gid numbers for the users. getent passwd displays all
domain users and:

$ id testuser3
uid=70009(testuser3) gid=70001(domain users) groups=70001(domain
users),70012(BUILTIN\users)

grabs all the info properly and gives them proper uid/gid as per the
ranges in smb.conf. I guess I'll rework everything with Ubuntu, although
I'm not overly crazy about using older packages. But if it works, who
am I to argue? I don't know what else could possibly be wrong with
Arch.

Do users created still need a uid/gid added in the UNIX Attributes tab?

Thanks a ton to everyone that offered help, I really appreciate the
effort.


Re: [Samba] need soms tips for adding samba4 to windows 2008R2 domain

2013-07-17 Thread Marc Muehlfeld

Hello,

On 17.07.2013 11:29, L.P.H. van Belle wrote:
>> On 15.07.2013 12:48, L.P.H. van Belle wrote:
>>> 1) keep my existing windows 2008 domain.  ( contains dhcp +
>>> dns + AD )
>>>   its a clean domain, no users yet. dhcp+dns is used already.
>>>
>>> 2) add samba4 to the windows domain dc as secondary DC.
>>>   ( this server will be my zarafa mail server )
>>
>> Setup and joining a Samba machine as DC you can find here:
>> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
>
> For this step, I'm using bind; I already have Windows set up to replicate the DNS to
> some other Linux servers.
> Can I just point Samba to the Windows server, or can I use the replicated DNS, or
> do I need to set up the DNS completely for Samba as well?
>
> That's not clear in the howto,
> because this howto points to:
> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
> ( I'm using the enterprise samba packages on Ubuntu 12.04 )
> and http://wiki.samba.org/index.php/Dns-backend_bind


I haven't used a Windows server yet. But if the DNS zone is stored in 
AD, then the directory replication will replicate it to your Samba 
server, too. But of course you have to run a DNS on your Samba server, 
too (the internal or BIND DLZ).






> Really, I'm sorry to say, but for me the wiki is a maze of information;
> too many references to other locations.
> Then I'm pointed to
> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
> where I read:


What exactly confuses you? Then maybe I can unravel it.
Sure, there are references to other HowTos. Otherwise we would have to write 
the same content in different HowTos again and again, and every change 
would have to be done in all places.


But if you have good suggestions I can try to make improvements and changes 
to the HowTos.






> This HOWTO will assume you had configured and installed Samba in the default
> location of /usr/local/samba.
> It assumes you are joining Samba to an existing domain called
> 'samdom.example.com'.


What is the problem with that? Because you can configure Samba 
and parts of it to be wherever you want (as ./configure options), 
/usr/local/samba is just the default location where Samba is installed 
in, if you don't do any changes on ./configure.


For a tutorial it's best to use the default locations. Just adapt the 
paths to your environment. And samdom.example.com is just a sample 
realm we use in our wiki HowTos. Replace it with your own one.






Question here is, do i need the registry fixes for windows 7, if my
windows 2008 DC if domain controller.


No registry changes, if your domain is provided by Windows or Samba AD.
I have read that it's necessary for a Samba NT4 style domain only. But I
haven't used a Samba PDC with Win7 yet myself (only Samba AD).


I have some Win7 on the NT4 style domain, but I didn't use any registry fixes.


If it's working fine without any fixes, where's the problem? ;-)



Regards,
Marc
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

On 07/17/13 14:32, Donny Brooks wrote:

On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal wrote:

According to the net man page:

    In order for Samba to be joined or unjoined remotely an account
    must be used that is either member of the Domain Admins group, a
    member of the local Administrators group or a user that is granted
    the SeMachineAccountPrivilege privilege.




The simplest thing is probably to have the Domain IT group be a member
of the local admin group on each machine.  I don't know if you would
need to grant them the  SeMachineAccountPrivilege.



On 07/17/13 09:44, Donny Brooks wrote:

On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld wrote:

Hello Donny,

On 12.07.2013 21:34, Donny Brooks wrote:

> On the old domain, which was setup before I got here,
> our IT section was in an ldap group that allowed us to
> join PC's to the domain ...

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions




> ... and when the prompt came up in windows to
> install software we could log in as ourselves.

What do you mean by this? Do you want to have a group of users
automatically in the "administrator" group on your workstations?

http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s

If you mean something else, please give some more details.



Regards,
Marc





   
Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.



Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html


And map our itgroup to the Domain Admins group. Although we do have a Domain 
Admins group in ldap. Should that cause an issue?


Group mapping is to make sure Windows groups map to the correct unix 
group.  This is not like mapping a Windows user name to a different 
unix user name (e.g Windows Administrator = Unix root.)


With LDAP, group mapping is usually simpler since the LDAP object for a 
group usually has the Samba SID and the unix group id. The "net  
groupmap list" command is useful for validating this.   You want to make 
sure that you do see group mapping for "Domain Admins" and "Domain 
Users" and other well known groups.  You are more likely to have to use 
the "net groupmap add" command when you don't have LDAP.



Well known groups have to have specific relative IDs. The Domain Admins
group HAS to have a relative ID of 512 in the SID. You have to make
sure the Administrator is in the group. That behavior changes with
versions newer than 3.0.x.





#net  groupmap list

Domain Admins (S-1-5-21--x-x-512) -> Domain Admins
...
# getent group "Domain Admins"
Domain Admins::512:Administrator
#


I don't think you have a Samba issue. I think you have a general
"Windows" issue about the most practical way to provide the IT group with
sufficient privileges to manage computers without giving too much access.



Depending on the size of your IT department, and the necessity to
audit/control who makes what change, each IT user may need two accounts,
one that is a regular account and one that is a member of the Domain
Admins and local admins group (e.g. donny and donny_admin). This
way they can do whatever they need, but they don't run as admin for
routine tasks, and you can track who made what change (if need be) or
limit who has full admin rights.






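The two checks suggested above ("net groupmap list" and "getent group") as a small audit script. This is an added example, not code from the thread; it assumes both commands print lines in the format shown above, and the SIDs, group names and members in the embedded sample are constructed.

```python
"""Audit Samba 3.x group mappings for the well-known domain groups.
Added example, not from the thread; it assumes `net groupmap list` and
`getent group` print lines in the format shown in the reply above."""
import re
import subprocess

# Well-known domain RIDs; the reply stresses that Domain Admins must be 512.
WELL_KNOWN_RIDS = {
    "Domain Admins": 512,
    "Domain Users": 513,
    "Domain Guests": 514,
}

# Members that must be present in the unix group behind a mapping.
REQUIRED_MEMBERS = {"Domain Admins": ["Administrator"]}

# Constructed sample of `net groupmap list` output (SID values are made up):
# Domain Admins is correct, Domain Users carries a wrong RID, Domain Guests
# is missing, and a custom itgroup mapping is present but not well-known.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-1001) -> users
itgroup (S-1-5-21-1111111111-2222222222-3333333333-1005) -> itgroup
"""

# Constructed sample of `getent group` output for the same box.
SAMPLE_GETENT = """\
Domain Admins::512:Administrator,donny_admin
users:x:100:
itgroup:x:1005:donny,alice
"""

MAP_RE = re.compile(
    r"^(?P<nt>.+?) \((?P<sid>S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+))\) -> (?P<unix>.+)$"
)

def parse_groupmap(text):
    """Return {nt_group: (rid, unix_group)} from `net groupmap list` output."""
    mappings = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            mappings[m.group("nt")] = (int(m.group("rid")), m.group("unix").strip())
    return mappings

def parse_getent(text):
    """Return {unix_group: (gid, [members])} from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[2].isdigit():
            continue  # skip blank or malformed lines
        members = [m for m in parts[3].split(",") if m]
        groups[parts[0]] = (int(parts[2]), members)
    return groups

def audit(mappings, groups, required=REQUIRED_MEMBERS):
    """Compare parsed mappings against the well-known RIDs; empty list = all good."""
    findings = []
    for nt_name, want_rid in WELL_KNOWN_RIDS.items():
        if nt_name not in mappings:
            findings.append(f"{nt_name}: no mapping (use 'net groupmap add')")
            continue
        got_rid, unix_name = mappings[nt_name]
        if got_rid != want_rid:
            findings.append(f"{nt_name}: RID is {got_rid}, expected {want_rid}")
        if unix_name not in groups:
            findings.append(f"{nt_name}: unix group '{unix_name}' not in getent")
            continue
        for who in required.get(nt_name, []):
            if who not in groups[unix_name][1]:
                findings.append(f"{nt_name}: '{who}' missing from '{unix_name}'")
    return findings

def audit_live():
    """Run the two commands on the local host and audit their real output."""
    gm = subprocess.run(["net", "groupmap", "list"], capture_output=True, text=True)
    ge = subprocess.run(["getent", "group"], capture_output=True, text=True)
    return audit(parse_groupmap(gm.stdout), parse_getent(ge.stdout))

if __name__ == "__main__":
    for finding in audit(parse_groupmap(SAMPLE_GROUPMAP), parse_getent(SAMPLE_GETENT)):
        print(finding)
```

Running it on the constructed sample reports the wrong RID on Domain Users and the missing Domain Guests mapping; audit_live() runs the same checks against the local box.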


Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal 
 wrote: 
 
 

It is correctly mapped and is 512. Nothing changed on the windows side during 
the domain change other than removing the machines from the old domain and 
rejoining them to the new one. We don't have to have the accounting trail that 
two accounts would give us right now. I just want to be able to tell my other 
people they can join computers to the domain and perform software upgrades with 
their own credentials. 
-- 

Donny B. 


Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

On 07/17/13 15:02, Donny Brooks wrote:
  
  
  
It is correctly mapped and is 512. Nothing changed on the windows side during 
the domain change other than removing the machines from the old domain and 
rejoining them to the new one. We don't have to have the accounting trail that 
two accounts would give us right now. I just want to be able to tell my other 
people they can join computers to the domain and perform software upgrades with 
their own credentials.



OK
I am looking at your original post again.  I don't think you said 
which version you had been using.


net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S 
enterprise -U superusername



Is the superuser name the domain Administrator account? The problem
seems to involve the superusername user, not the Domain Admins
group. I think with older versions of Samba, the Administrator
account was implicit, and you could map the Windows Administrator to
the unix root account and all was OK. With the current version I think
you need to create an Admin

Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal 
 wrote: 
 

Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

On 07/17/13 16:12, Donny Brooks wrote:
  
  
  

Re: [Samba] Administrative users on domain

2013-07-17 Thread Donny Brooks
 
 
 
On Wednesday, July 17, 2013 04:33 PM CDT, Gaiseric Vandal 
 wrote: 
 

Re: [Samba] Restore samba4 backup

2013-07-17 Thread TI
Hi Marc,

It works. Thank you very much.

Regards,

Edison