Re: Samba passwords
On Thu, Jul 03, 2003 at 06:36:46PM -0300, Paiva, Gilson de wrote:
> And can your users change their passwords with samba and fbsd successfully?
> I'm facing a problem with this combination ( 4.8-Stable and 2.2.8a ) that
> didn't exist before.
> Users get a message regarding the domain isn't available at this moment.

Before I ran "smbpasswd -a " as root, users were unable to change their
passwords. After using the -a option as root, users were able to change
their passwords. However, I was getting a different error message. My
error message said something about being unable to change the passwd, or
find the password, or something related.

Your message suggests a configuration error. Try turning off encrypted
passwords in smb.conf, and then running all the tests in DIAGNOSIS.txt.
If your setup fails any of the tests that do not involve a Win box as a
client, then either your network or your smb.conf file is misconfigured.
At least, that's my best guess.

Bob Hall
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: Samba passwords
And can your users change their passwords with samba and fbsd successfully?
I'm facing a problem with this combination ( 4.8-Stable and 2.2.8a ) that
didn't exist before.
Users get a message regarding the domain isn't available at this moment.

Thanks in advance,

> On Tue, Jul 01, 2003 at 10:29:42AM +0100, Scott Mitchell wrote:
>> On Mon, Jun 30, 2003 at 08:25:57PM -0400, Bob Hall wrote:
>> > samba-2.2.8a
>> > FreeBSD 4.8
>
> I have Samba working with encrypted passwords. In the earlier
> versions of Samba, the default location for the smbpasswd file
> was
>     /usr/local/samba/private
> It now appears to be
>     /usr/local/private
> As near as I can tell, you create the password file with
>     # smbpasswd -a
> This seems to create /usr/local/private/smbpasswd with all users
> in /etc/passwd, and with a hashed password for the user specified
> in the command. Passwords can be added for any further users with
> the usual command:
>     # smbpasswd
>
> The crucial step was running smbpasswd with the -a option. After
> that, the instructions in the documentation worked.
>
> Thanks to everyone who responded. Even though I didn't use any of
> the suggestions, they prodded me in the right direction.
>
> Bob Hall

-- 
Paiva, Gilson de             Domingos Martins
mailto:[EMAIL PROTECTED]     Brazil
http://www.el.com.br/        E&L Producoes de Software
http://www.FreeBSD.org/      FreeBSD: The Power to Serve

Re: Samba passwords
On Tue, Jul 01, 2003 at 10:29:42AM +0100, Scott Mitchell wrote:
> On Mon, Jun 30, 2003 at 08:25:57PM -0400, Bob Hall wrote:
> > samba-2.2.8a
> > FreeBSD 4.8

I have Samba working with encrypted passwords. In the earlier
versions of Samba, the default location for the smbpasswd file
was
    /usr/local/samba/private
It now appears to be
    /usr/local/private
As near as I can tell, you create the password file with
    # smbpasswd -a
This seems to create /usr/local/private/smbpasswd with all users
in /etc/passwd, and with a hashed password for the user specified
in the command. Passwords can be added for any further users with
the usual command:
    # smbpasswd

The crucial step was running smbpasswd with the -a option. After
that, the instructions in the documentation worked.

Thanks to everyone who responded. Even though I didn't use any of
the suggestions, they prodded me in the right direction.

Bob Hall

Re: Samba passwords
On Mon, Jun 30, 2003 at 08:25:57PM -0400, Bob Hall wrote:
> samba-2.2.8a
> FreeBSD 4.8
>
> I'm trying to get samba running on my FBSD server. I've done this
> previously with another server, but I can't seem to get it to
> work this time. If I turn off password encryption, then I pass
> all the tests in the DIAGNOSIS file, but Win2k obviously won't
> allow the connection without encrypted passwords. If I turn
> encryption on, I pass any test that doesn't involve a password.
>
> I created the password file with make_smbpasswd. I also tried
> importing a password file used with an earlier version of Samba,
> and editing the usernames and user ids. There is no ENCRYPTION
> file included with this port, and I can't find any other
> instructions for setting up the password file. I've googled and
> searched, and can't find anything that goes beyond what I already
> know. If someone could point me to instructions for setting this
> up, I'd be grateful.
>
> Bob Hall

Hi Bob,

I'm using Samba 3.0 (the samba-devel port) and I'm not sure this is all
100% true for older versions, but these tips may be useful anyway:

- Use 'swat' instead of writing the Samba config file by hand. You'll
  need to uncomment the relevant line at the end of /etc/inetd.conf, HUP
  inetd, then just point your browser at http://sambaserver:901/
  Trust me, it makes life a lot easier :-)

- make_smbpasswd will create entries in the smbpasswd file for all of
  your local users, but they won't have valid SMB passwords (there's no
  way of getting from an encrypted UNIX password to an encrypted SMB
  password). You'll need to run 'smbpasswd ' (as root) for all the users
  you want to have SMB logins, to give them valid SMB passwords. Keeping
  these in sync with the UNIX passwords is a whole other game (see my
  other message in this thread). You probably also want to delete the
  system accounts from smbpasswd -- either use 'smbpasswd -x ' or just
  edit the lines out by hand.

- I find it easier to test things with 'smbclient' until I'm sure
  everything is working, before bothering with Windows clients.

I've attached my smb.conf (as generated by swat) which is working fine
for me, with encrypted passwords and SMB -> UNIX password sync.

Cheers,

Scott

# Samba config file created using SWAT
# from 192.168.1.6 (192.168.1.6)
# Date: 2003/06/30 23:21:11

# Global parameters
[global]
    workgroup = FISHBALLOON
    netbios name = LLAMA
    server string = Samba Server
    passwd program = /usr/bin/passwd %u
    passwd chat = *New\spassword:* %n\n *Retype\snew\spassword:* %n\n *password\shas\sbeen\schanged*
    unix password sync = Yes
    log level = 20
    log file = /var/log/log.%m
    max log size = 50
    dns proxy = No

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

-- 
===
Scott Mitchell           | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England       | 0x54B171B9 |  don't get sucked into jet engines"
scott at fishballoon.org | 0xAA775B8B |  -- Anon

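
Scott's message above says that make_smbpasswd leaves every local user with an entry but no valid SMB password, and that system accounts should be removed; Bob's follow-up in this thread describes the same file after "smbpasswd -a". The following is an added example, not part of the original thread or of Samba: an awk audit of an smbpasswd-format file that reports both conditions. The field layout follows smbpasswd(5); the sample entries, the names audit_smbpasswd and sample_smbpasswd, and the UID threshold of 1000 for "system account" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an smbpasswd-format file read on stdin.
# Layout per smbpasswd(5): name:uid:LM hash:NT hash:[flags]:LCT-time:...

# Constructed sample data (not taken from any real system).
sample_smbpasswd() {
    cat <<'EOF'
#
# SMB password file.
#
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:Charlie Root
daemon:1:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:System daemon
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3F00B2A1:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:Bob
carol:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
dave:1004:0123456789ABCDEF:short
EOF
}

# audit_smbpasswd [MIN_UID] < file
# Prints one finding per line as "<KIND> <user> <uid>":
#   SYSTEM     uid below MIN_UID (assumed cut-off for system accounts)
#   NOHASH     both hashes are all 'X': placeholder entry, no usable SMB password
#   NULLPW     hash starts with "NO PASSWORD": account has a null password
#   MALFORMED  too few fields, non-numeric uid, or no 32-digit hex hash
audit_smbpasswd() {
    awk -F: -v min_uid="${1:-1000}" '
        function report(kind) { print kind, user, uid }
        function ishash(h)    { return length(h) == 32 && h ~ /^[0-9A-Fa-f]+$/ }

        /^[ \t]*#/ { next }          # comment lines
        /^[ \t]*$/ { next }          # blank lines
        {
            user = $1; uid = $2; lm = $3; nt = $4
            if (NF < 4 || uid !~ /^[0-9]+$/) { report("MALFORMED"); next }
            if (uid + 0 < min_uid + 0) report("SYSTEM")
            if (lm ~ /^NO PASSWORD/ || nt ~ /^NO PASSWORD/) report("NULLPW")
            else if (lm ~ /^X+$/ && nt ~ /^X+$/)            report("NOHASH")
            else if (!ishash(lm) && !ishash(nt))            report("MALFORMED")
        }
    '
}

# Demo run over the constructed sample.
sample_smbpasswd | audit_smbpasswd 1000
```

On the setup described in this thread the real file would be fed in as root, for example `audit_smbpasswd 1000 < /usr/local/private/smbpasswd`. NOHASH entries are the users who still need 'smbpasswd' run for them, and SYSTEM entries are the candidates for removal.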
Re: Samba passwords
On Tue, Jul 01, 2003 at 01:05:30PM +0700, Roger Merritt wrote:
> I don't know how helpful this will be, because I didn't follow through on
> it, but among the docfiles is one that talks about modifying /etc/pam.conf
> so that for certain categories of login pam uses the smbpasswd program to
> authenticate. It seems NT/Win2K/etc. use a cryptographic protocol that's
> inconsistent with the rest of the world (setting the industry standard ;-)
> ). Ah, take a look at
> /usr/local/share/doc/samba/htmldocs/PAM-Authentication-And-Samba.html. I
> found it hard to understand and the pam man page even worse.
>
> I played with it once because I was getting so many pam authentication
> errors, but I got scared and in the next upgrade I just overwrote my edited
> pam.conf with the vanilla distribution one and dropped back to plain-text
> passwords. I'm still using Win98, too.

It is possible to use pam_smbpass to have login, sshd, etc. authenticate
against the SMB password database instead of /etc/passwd. For the 'login'
service, for instance, you'd replace the /etc/pam.conf line:

    login   auth    required    pam_unix.so     try_first_pass

with

    login   auth    required    pam_smbpass.so  try_first_pass

(you might need to use the full path to pam_smbpass.so, depending where you
installed it.) Repeat as necessary for the other services in /etc/pam.conf.

Of course this only works if you're not also sharing your UNIX password
file out over NIS, and there's no doubt still some non-PAMified services
around that will still look in /etc/passwd. There's some other third-party
modules around somewhere (pam_smb and pam_ntdom, I think) that will
authenticate against a remote SMB server, so you could I suppose deploy
Samba everywhere and use this instead of NIS...

Also, I think you'll still need UNIX accounts to match your Samba accounts,
even though they might have no passwords (Samba needs them to map usernames
to UIDs).

On the other hand, I wouldn't bother trying to use PAM on 4.x to keep
separate UNIX and SMB password files synchronised: pam_unix.so doesn't know
how to do password updates, so you can't use it to sync from SMB -> UNIX,
and the 'passwd' program isn't PAMified, so you can't use it to sync
UNIX -> SMB. I believe both of these issues are fixed in 5.x, though.

Password syncing from SMB -> UNIX does work if you forget PAM and just
provide a 'password chat' script so Samba can invoke passwd directly. This
is what I'm doing -- as long as people remember to use 'smbpasswd' to
change passwords, the UNIX password file gets updated as well and my NIS
clients see the change as well.

Merging everything into one central authentication database can wait until
5.x gets deployed on the servers :)

Hope that's all useful to somebody...

Scott

-- 
===
Scott Mitchell           | PGP Key ID | "Eagles may soar, but weasels
Cambridge, England       | 0x54B171B9 |  don't get sucked into jet engines"
scott at fishballoon.org | 0xAA775B8B |  -- Anon

Re: Samba passwords
At 11:33 AM 7/1/03, you wrote:
> On Tue, Jul 01, 2003 at 04:54:33AM +0200, P. U. Kruppa wrote:
> > On Mon, 30 Jun 2003, Bob Hall wrote:
> >
> > > samba-2.2.8a
> > > FreeBSD 4.8
> > >
> > > I'm trying to get samba running on my FBSD server. I've done this
> > > previously with another server, but I can't seem to get it to
> > > work this time. If I turn off password encryption, then I pass
> > > all the tests in the DIAGNOSIS file, but Win2k obviously won't
> > > allow the connection without encrypted passwords. If I turn
> > > encryption on, I pass any test that doesn't involve a password.
> > Did you change the registry entry on your win2k machine
> > (i.e. did you apply
> > /usr/local/share/doc/samba/Registry/Win2000_PlainPassword.reg)?
>
> Thanks for responding, but I need a more secure solution. The point of
> setting up a samba password file is to avoid sending passwords in plain
> text. I was able to pass encrypted passwords in the earlier version of
> Samba. There should be a way of doing it with this version.
>
> What I'm hoping is that the ENCRYPTION file that was dropped from this
> port (or this version, whichever) was replaced with another file that
> documents how encrypted passwords are currently handled. Since the sh
> script mentioned in the ENCRYPTION file has been replaced with the
> undocumented make_smbpasswd file, I'm hoping that there actually is some
> documentation that explains it all, as the ENCRYPTION file once did. The
> documentation included with the port doesn't do the trick, and the tests
> in the DIAGNOSIS file seem to indicate that I've got everything except
> the encrypted passwords set up correctly. Google hasn't led to anything,
> nor has searching the archives.
>
> Alternately, if someone who has set up encrypted passwords successfully
> using the old instructions would let me know, that would help also.
> Knowing that I'm an idiot would give me a more accurate basis for
> proceeding.

I don't know how helpful this will be, because I didn't follow through on
it, but among the docfiles is one that talks about modifying /etc/pam.conf
so that for certain categories of login pam uses the smbpasswd program to
authenticate. It seems NT/Win2K/etc. use a cryptographic protocol that's
inconsistent with the rest of the world (setting the industry standard ;-)
). Ah, take a look at
/usr/local/share/doc/samba/htmldocs/PAM-Authentication-And-Samba.html. I
found it hard to understand and the pam man page even worse.

I played with it once because I was getting so many pam authentication
errors, but I got scared and in the next upgrade I just overwrote my edited
pam.conf with the vanilla distribution one and dropped back to plain-text
passwords. I'm still using Win98, too.

Hope this helps.

-- 
Roger

Re: Samba passwords
On Mon, Jun 30, 2003 at 08:25:57PM -0400, Bob Hall wrote:
> I'm trying to get samba running on my FBSD server. I've done this
> previously with another server, but I can't seem to get it to
> work this time. If I turn off password encryption, then I pass
> all the tests in the DIAGNOSIS file, but Win2k obviously won't
> allow the connection without encrypted passwords. If I turn
> encryption on, I pass any test that doesn't involve a password.
>
> I created the password file with make_smbpasswd. I also tried
> importing a password file used with an earlier version of Samba,
> and editing the usernames and user ids. There is no ENCRYPTION
> file included with this port, and I can't find any other
> instructions for setting up the password file. I've googled and
> searched, and can't find anything that goes beyond what I already
> know. If someone could point me to instructions for setting this
> up, I'd be grateful.

fwiw my smb.conf file looks like this:

# Global parameters
[global]
    workgroup = LAN
    netbios name = FBSD
    server string = FreeBSD Samba Server
    encrypt passwords = Yes
    log level = 5
    log file = /var/log/log.%m
    preferred master = Yes
    valid users = Jez munk jezhanco
    admin users = Jez munk jezhanco
    hosts allow =

[homes]
    comment = Home Directories
    read only = No

[all]
    comment = All
    path = /
    guest account =
    read only = No

[mov]
    comment = Movies
    path = /mnt/mov
    guest account =
    read only = No

[data]
    comment = Data
    path = /mnt/data
    guest account =
    read only = No

[mp3]
    comment = MP3s
    path = /mnt/mp3
    guest account =
    read only = No

[avweb]
    comment = AVG Dev Site
    path = /home/avweb/
    guest account =
    read only = No

# end

I then create passwords using 'smbpasswd user password ' for each of the
users in the 'valid users' list, started samba and this was enough to allow
me to access shares from my win2k machine (so long as the user/password I
used to login to the win2k machine matched one of the 'valid users' and the
machine was in the LAN workgroup).

HTH,

Jez

Re: Samba passwords
On Tue, Jul 01, 2003 at 04:54:33AM +0200, P. U. Kruppa wrote:
> On Mon, 30 Jun 2003, Bob Hall wrote:
>
> > samba-2.2.8a
> > FreeBSD 4.8
> >
> > I'm trying to get samba running on my FBSD server. I've done this
> > previously with another server, but I can't seem to get it to
> > work this time. If I turn off password encryption, then I pass
> > all the tests in the DIAGNOSIS file, but Win2k obviously won't
> > allow the connection without encrypted passwords. If I turn
> > encryption on, I pass any test that doesn't involve a password.
> Did you change the registry entry on your win2k machine
> (i.e. did you apply
> /usr/local/share/doc/samba/Registry/Win2000_PlainPassword.reg)?

Thanks for responding, but I need a more secure solution. The point of
setting up a samba password file is to avoid sending passwords in plain
text. I was able to pass encrypted passwords in the earlier version of
Samba. There should be a way of doing it with this version.

What I'm hoping is that the ENCRYPTION file that was dropped from this
port (or this version, whichever) was replaced with another file that
documents how encrypted passwords are currently handled. Since the sh
script mentioned in the ENCRYPTION file has been replaced with the
undocumented make_smbpasswd file, I'm hoping that there actually is some
documentation that explains it all, as the ENCRYPTION file once did. The
documentation included with the port doesn't do the trick, and the tests
in the DIAGNOSIS file seem to indicate that I've got everything except
the encrypted passwords set up correctly. Google hasn't led to anything,
nor has searching the archives.

Alternately, if someone who has set up encrypted passwords successfully
using the old instructions would let me know, that would help also.
Knowing that I'm an idiot would give me a more accurate basis for
proceeding.

Bob Hall

Re: Samba passwords
On Mon, 30 Jun 2003, Bob Hall wrote:

> samba-2.2.8a
> FreeBSD 4.8
>
> I'm trying to get samba running on my FBSD server. I've done this
> previously with another server, but I can't seem to get it to
> work this time. If I turn off password encryption, then I pass
> all the tests in the DIAGNOSIS file, but Win2k obviously won't
> allow the connection without encrypted passwords. If I turn
> encryption on, I pass any test that doesn't involve a password.
Did you change the registry entry on your win2k machine
(i.e. did you apply
/usr/local/share/doc/samba/Registry/Win2000_PlainPassword.reg)?

Uli.

>
> I created the password file with make_smbpasswd. I also tried
> importing a password file used with an earlier version of Samba,
> and editing the usernames and user ids. There is no ENCRYPTION
> file included with this port, and I can't find any other
> instructions for setting up the password file. I've googled and
> searched, and can't find anything that goes beyond what I already
> know. If someone could point me to instructions for setting this
> up, I'd be grateful.
>
> Bob Hall

+---------------------+
| Peter Ulrich Kruppa |
|    - Wuppertal -    |
|       Germany       |
+---------------------+

RE: Samba passwords
Not sure if this will solve it, I just configured samba on my local
FreeBSD v4.4 box to serve as a massive file server on my home network.
It was giving me fits and starts until I configured it to do NT1
security protocol, then it suddenly all started working.

I synced the passwords between the BSD box and my local Windows network
and it all works very nicely. In fact, the files on the BSD box stream
noticeably faster than off my Win2k Server (the PDC). All of the clients
are WinXP boxes and have no problem streaming music, movies, etc. off
samba.

The only problem is that there are a lot of PAM authentication failure
notices on my BSD box. I haven't had time to look into it, but since it
works fine, it can wait till the long weekend.

Sean J Countryman
[EMAIL PROTECTED]
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Hall
Sent: Monday, June 30, 2003 6:26 PM
To: FreeBSD Questions List
Subject: Samba passwords

samba-2.2.8a
FreeBSD 4.8

I'm trying to get samba running on my FBSD server. I've done this
previously with another server, but I can't seem to get it to
work this time. If I turn off password encryption, then I pass
all the tests in the DIAGNOSIS file, but Win2k obviously won't
allow the connection without encrypted passwords. If I turn
encryption on, I pass any test that doesn't involve a password.

I created the password file with make_smbpasswd. I also tried
importing a password file used with an earlier version of Samba,
and editing the usernames and user ids. There is no ENCRYPTION
file included with this port, and I can't find any other
instructions for setting up the password file. I've googled and
searched, and can't find anything that goes beyond what I already
know. If someone could point me to instructions for setting this
up, I'd be grateful.

Bob Hall