[Samba] winbind running in PDC Samba server
Hello,

HOWTO chapter 21 describes the use of the winbind daemon in a Samba domain member server, but is it possible (and desirable) to run winbind in a PDC Samba server? I ask because in that case winbind does not seem necessary for authenticating/mapping users against an external WinNT4 PDC: the Samba PDC performs authentication itself (and the mapping is not necessary, because Samba runs on UNIX, where each user/group has a UID/GID).

What about when there is a trust relationship between the Samba domain and an external WinNT4 domain? (I think in this case winbind could be necessary, to assign SID in the WinNT4 domain to users of the Samba PDC domain, but I'm not sure).

Thanks in advance!

--
Fermín

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind running in PDC Samba server
On Wed, 31 Dec 2003, Fermín Galán Márquez wrote:

> Hello,
>
> HOWTO chapter 21 describes the use of the winbind daemon in a Samba domain member server, but is it possible (and desirable) to run winbind in a PDC Samba server? I ask because in that case winbind does not seem necessary for authenticating/mapping users against an external WinNT4 PDC: the Samba PDC performs authentication itself (and the mapping is not necessary, because Samba runs on UNIX, where each user/group has a UID/GID).

Correct.

> What about when there is a trust relationship between the Samba domain and an external WinNT4 domain? (I think in this case winbind could be necessary, to assign SID in the WinNT4 domain to users of the Samba PDC domain, but I'm not sure).

Winbind is needed to map SIDs from foreign domains and from machines that are not domain members. That is why it is a good idea to run winbind on all servers.

Cheers,
John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
[Samba] Win 2003 Server + Samba 3 clients?
hi all

specs: suse 9.0, samba 3.0.1, windows 2003 server PDC

Is anyone out there running Windows 2003 Server (PDC as file server for homes profiles, printserver, AD) with linux clients authenticating users against it and accessing shares on the Windows 2003 Server from the linux clients?

Could I have a look at your smb.conf file?

Regards
Mynhardt

--
Mr M Loubser (Network Administrator Postmaster)
Stellenbosch High School
Voice: +27 21 887 3082 X123
http://WWW.STELLIES.COM
...captain - my captain?
[Samba] Re: Survey Results Thank You
> The results so far are:
>
> 183 responses
> 96% use Samba for File and Print
> 73% use Samba for Domain Control

Does this mean there is only 183 people using Samba? No, maybe just a little hard to find the survey, it did not stand out. Did you get a page hit count for the article?

Mailed
Lee

P.S. It was also a good read. Thanks.
[Samba] Shutdown a Client
Hi, all

I have a samba-3.0.1 running as PDC for a domain. I need to shutdown/restart any Windows client that I have in this domain. I have tried the command net rpc shutdown -f machine.name, but it hasn't worked. Is it possible to do what I want? How?

Thanks in advance.
Fabrício Adorno
[Samba] libsmbclient error on SuSE 9.0
Hi!

A customer of mine tries to browse his local network from kde via the smb:/ URL. He was able to do it the first times, but then he started to receive an error (I'll try to get the exact error message ASAP, sorry). The error says something of the like that it can't lookup the group or machine.

Any known issues?

--
Arturo Busleiman - [ i n t r a R e d e s s r l ]
Piedras 264 - 2 A (C1070AAF) - Buenos Aires - ARGENTINA
Te.: (54 11) 4342-0049 - http://www.intraredes.com/
mailto:[EMAIL PROTECTED]
[Samba] MS Exchange - Samba interoperability
Hello,

I'm interested in use cases and experiences related to Samba and MS Exchange interoperability. In particular, my situation is as follows: Samba3 domain (domain A) and Windows NT4 (domain B) with mutual trust relationship (A trusts B and B trusts A). MS Exchange Server is running in a server of domain B and I want to create mailboxes in the Exchange Server for users in domain A.

This doesn't work, because although I can assign rights on a mailbox for a domain A user (the trust relationship allows it), an error dialog box pops up (the number 0xc0020534 appears in the dialog as a reference) and the user account appears as Account Unknown.

--
Fermín
[Samba] Winbind login: has DOMAIN+user, wants user
Hello,

I'm using RH9 with latest Samba 3.0.x-x

I configured winbind as per http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#id2935561

I use the default smb.conf with following (from URL above) added to its global section:

    winbind separator = +
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    use nss_winbind = yes
    template homedir = /home/winnt/%D/%U
    template shell = /bin/bash

I cannot login using Active Directory's username; instead I must use login DOMAIN+username at login prompt as recommended at http://lists.samba.org/archive/samba/2002-June/045313.html, otherwise I get the same error as mentioned at this URL.

Why is that? I want to auth SMTP users via winbind so I want to be able to use user instead of DOMAIN+user.

Thanks
SL
Re: [Samba] Re: Survey Results Thank You
C.Lee,

The survey is still running so it is not too late to get the hit rate up. No need to read the article, just head for the Survey at:

http://www.open-mag.com/9085339824.shtml

Cheers,
John T.

On Wed, 31 Dec 2003, C.Lee Taylor wrote:

> > The results so far are:
> >
> > 183 responses
> > 96% use Samba for File and Print
> > 73% use Samba for Domain Control
>
> Does this mean there is only 183 people using Samba? No, maybe just a little hard to find the survey, it did not stand out. Did you get a page hit count for the article?
>
> Mailed
> Lee
>
> P.S. It was also a good read. Thanks.

--
John H Terpstra
Email: [EMAIL PROTECTED]
[Samba] Win2k/XP/9x and samba
Happy New Year folks!!!

I have a Linux box, Red Hat 7.3, running Samba 3.0.0. Since I upgraded from Samba 2.7 every user can reach all shares, even those which are restricted; this didn't happen when the old version was running. Attached is the config file. Can anyone help?

Best regards,
Manuel
Re: [Samba] Winbind login: has DOMAIN+user, wants user
On Wed, 31 Dec 2003, Sean Lee wrote:

> Hello,
>
> I'm using RH9 with latest Samba 3.0.x-x
>
> I configured winbind as per http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#id2935561
>
> I use the default smb.conf with following (from URL above) added to its global section:
>
>     winbind separator = +
>     idmap uid = 1-2
>     idmap gid = 1-2
>     winbind enum users = yes
>     winbind enum groups = yes
>     use nss_winbind = yes
>     template homedir = /home/winnt/%D/%U
>     template shell = /bin/bash

Add:

    winbind use default domain = Yes

> I cannot login using Active Directory's username; instead I must use login DOMAIN+username at login prompt as recommended at http://lists.samba.org/archive/samba/2002-June/045313.html, otherwise I get the same error as mentioned at this URL.
>
> Why is that? I want to auth SMTP users via winbind so I want to be able to use user instead of DOMAIN+user.

If the above change does not work for you let me know.

PS: For this to work you must:

1. Make the change shown
2. Stop Samba
3. Delete your existing /var/lib/samba/*tdb files (could be in /var/cache/samba/*tdb or /usr/local/samba/var/(tdb)
4. Restart Samba

Make certain that:

    getent passwd

shows your accounts without the Domain name portion.

- John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
[Samba] 3.01 FreeBSD Port/Install Makefile Config
Hello,

It appears that the FreeBSD port of Samba 3.0.x may be falling behind. The port maintainer does not use Winbind and thus has not kept up with the development of it. 3.0.1 will very shortly be ported to FreeBSD, currently it is still at 3.0.0. I know there have been some recent changes to Samba that help FreeBSD out, and I wanted to make sure that the port of Samba 3.0.x on FreeBSD stays current.

I would appreciate any feedback on the Makefile listed below for accuracy. For instance the Makefile still shows configuring Samba with Winbind as an option, but I am under the impression that Winbind builds by default on 3.0.x. Please correct me if I am wrong. Also if there is anything that is new or anything that is deprecated that would affect building Samba on FreeBSD and should be addressed in the Makefile, those comments would be appreciated as well.

Finally I believe that FreeBSD does not touch certain parts of the /usr tree when installing from ports. I believe this affects Winbind which means that certain symlinks need to be done by hand. Can anyone shed any light on this as well?

Thank you,
Matt Pusateri

# New ports collection makefile for:	samba
# Date created:		11th Feb 1995
# Whom:			gpalmer
#
# $FreeBSD: ports/net/samba-devel/Makefile,v 1.97 2003/11/25 16:12:19 trevor Exp $
#

PORTNAME=	samba
PORTVERSION=	3.0.0
PORTEPOCH=	1
CATEGORIES=	net
MASTER_SITES=	http://us3.samba.org/samba/ftp/%SUBDIR%/
MASTER_SITE_SUBDIR=	. rc
#DISTNAME=	${PORTNAME}-${PORTVERSION:S/.r/rc/}

MAINTAINER=	[EMAIL PROTECTED]
COMMENT=	A free SMB and CIFS client and server for UNIX

CONFLICTS=	ja-samba-2.* samba-3.* samba-libsmbclient-3.* sharity-light-1.*

USE_BZIP2=	YES

.if !defined(WITHOUT_CUPS)
WITH_CUPS=	yes
.endif

.if defined(WITH_CUPS)
LIB_DEPENDS=	cups.2:${PORTSDIR}/print/cups-base
CONFIGURE_ENV+=	CPPFLAGS=-I${LOCALBASE}/include \
		LDFLAGS=-L${LOCALBASE}/lib
.endif

# directories
VARDIR=		/var
SAMBA_SPOOL=	${VARDIR}/spool/samba
SAMBA_LOGDIR=	${VARDIR}/log
SAMBA_PRIVATE=	${PREFIX}/private
SAMBA_CONFDIR=	${PREFIX}/etc

# sample files
STARTUP_SCRIPT=	${PREFIX}/etc/rc.d/samba.sh.sample
SAMPLE_CONFIG=	${SAMBA_CONFDIR}/smb.conf.default
DOCSDIR=	${PREFIX}/share/doc/samba

NO_LATEST_LINK=	yes
USE_AUTOCONF=	yes
WANT_AUTOCONF_VER=	253
CONFIGURE_ARGS=	--libdir=${SAMBA_CONFDIR} \
		--localstatedir=${VARDIR} --with-swatdir=${PREFIX}/share/swat \
		--with-sambabook=${PREFIX}/share/swat/using_samba \
		--with-lockdir=${VARDIR}/lock --with-privatedir=${SAMBA_PRIVATE} \
		--exec-prefix=${PREFIX} --with-pam --without-manpages-langs \
		--with-piddir=${VARDIR}/run --with-logfilebase=${VARDIR}/log

.include <bsd.port.pre.mk>

.if defined(WITH_QUOTAS)
CONFIGURE_ARGS+=--with-quotas
.endif

.if defined(WITH_UTMP)
CONFIGURE_ARGS+=--with-utmp
.endif

.if defined(WITH_MSDFS)
CONFIGURE_ARGS+=--with-msdfs
.endif

.if defined(WITH_WINBIND)
CONFIGURE_ARGS+=--with-winbind
.endif

.if defined(WITH_WINBIND_AUTH_CHALLENGE)
CONFIGURE_ARGS+=--with-winbind-auth-challenge
.endif

.if defined(KRB5_HOME) && exists(${KRB5_HOME})
CONFIGURE_ARGS+=--with-krb5=${KRB5_HOME}
.else
CONFIGURE_ARGS+=--with-krb5=no
.endif

.if defined(WITH_ACL_SUPPORT)
.if ${OSVERSION} < 500018
BROKEN=		Requires a recent FreeBSD 5.0-CURRENT
.else
CONFIGURE_ARGS+=--with-acl-support
.endif
.endif

.if defined(WITH_LIBICONV)
LIB_DEPENDS+=	iconv.3:${PORTSDIR}/converters/libiconv
CONFIGURE_ARGS+=--with-libiconv
.endif

WRKSRC=		${WRKDIR}/${DISTNAME}/source

MAN1=		findsmb.1 nmblookup.1 log2pcap.1 \
		rpcclient.1 smbcacls.1 smbclient.1 smbcontrol.1 smbsh.1 \
		smbstatus.1 smbtar.1 testparm.1 testprns.1 wbinfo.1 vfstest.1 \
		editreg.1 ntlm_auth.1 profiles.1 smbcquotas.1 smbtree.1
MAN5=		lmhosts.5 smb.conf.5 smbpasswd.5
MAN7=		samba.7 Samba.7
MAN8=		nmbd.8 smbd.8 smbmnt.8 smbmount.8 net.8 pdbedit.8 mount.cifs.8 \
		smbpasswd.8 smbspool.8 smbumount.8 swat.8 winbindd.8 tdbbackup.8

post-install:
	${MKDIR} ${PREFIX}/share/examples/samba
	${CP} -rp ${WRKDIR}/${DISTNAME}/examples/* ${PREFIX}/share/examples/samba
	@if [ ! -f ${STARTUP_SCRIPT} ]; then \
		${ECHO} Installing ${STARTUP_SCRIPT} startup file. ; \
		${INSTALL_SCRIPT} ${FILESDIR}/samba.sh.sample \
			${STARTUP_SCRIPT} ; \
	fi
	@test -d ${SAMBA_SPOOL} || ${MKDIR} ${SAMBA_SPOOL}
	${CHMOD} 1777 ${SAMBA_SPOOL}
	@if [ ! -f ${SAMPLE_CONFIG} ]; then \
		${SED} -e 's!%%SAMBA_SPOOL%%!${SAMBA_SPOOL}!' \
		-e
Re: [Samba] winbind running in PDC Samba server
On Wed, 2003-12-31 at 02:11, John H Terpstra wrote:

> On Wed, 31 Dec 2003, Fermín Galán Márquez wrote:
>
> > Hello,
> >
> > HOWTO chapter 21 describes the use of the winbind daemon in a Samba domain member server, but is it possible (and desirable) to run winbind in a PDC Samba server? I ask because in that case winbind does not seem necessary for authenticating/mapping users against an external WinNT4 PDC: the Samba PDC performs authentication itself (and the mapping is not necessary, because Samba runs on UNIX, where each user/group has a UID/GID).
>
> Correct.
>
> > What about when there is a trust relationship between the Samba domain and an external WinNT4 domain? (I think in this case winbind could be necessary, to assign SID in the WinNT4 domain to users of the Samba PDC domain, but I'm not sure).
>
> Winbind is needed to map SIDs from foreign domains and from machines that are not domain members. That is why it is a good idea to run winbind on all servers.

I'm sort of thinking that winbind might be an expensive process since it not only adds a layer of complexity upon nsswitch/pam but it also requires that you not use nscd. I'm still trying to evaluate its necessity in an environment where LDAP is backend, all samba servers use the LDAP system for authentication and there are no Windows machines used that will not be 'computer accounts'.

But I'm still learning these things...

    # mkdir test
    # chgrp "Domain Users" test
    # ls -l
    total 48
    drwxr-xr-x    2 root     Domain Users     4096 Dec 31 06:59 test

Domain Users is in LDAP...

    # Domain Users, Groups, Mullen, US
    dn: cn=Domain Users,ou=Groups,o=Mullen,c=US
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Domain Users
    gidNumber: 1008
    sambaSID: S-1-5-21-1292501092-333717336-619646970-513
    sambaGroupType: 2
    displayName: Domain Users
    description: All domain users
    memberUid: root
    memberUid: artstation
    memberUid: Administrator

Craig
[Samba] Re: [PATCH] Add winbind-backed NTLMSSP support to Cyrus-SASL
Andrew Bartlett wrote:

> Windows authentication extends far beyond the CIFS protocol that Samba implements, but it is only very recently that work has been done to catch up to Microsoft's extensions in this area. This has caused many administrators pain and toil that their MS counterparts simply don't have. For them, authentication 'just works', with single-sign-on and the lot.
>
> I have worked, for over a year, with the Squid development team, in extending NTLMSSP authentication to HTTP. The squid team made a very good start (as I see Cyrus-SASL now has) in including a basic NTLMSSP implementation, and even providing a proxy-mechanism to authenticate against a Windows DC.
>
> I extended on this base, providing the ntlm_auth tool, which allows them to perform this against winbind, and without having to understand NTLMSSP as anything more than BASE64 strings. This provides a much more reliable interface, as winbind is not only faster, we can also prevent man-in-the-middle attacks.
>
> The attached patch provides this for Cyrus-SASL. In the same way that Squid now uses Winbind, all Cyrus-SASL enabled applications can use Winbind (via ntlm_auth) to authenticate their users. This provides the most current NTLMSSP implementation in the Open Source arena, as it is the one that we must maintain for Samba's internal use.
>
> The plugin is designed to use ntlm_auth over a stdio interface, because as part of Samba, it is GPL'ed. The plugin provides a client, and a server implementation, but can only proxy its server-side (I can provide a mode that allows for local passwords if it is required). Current Samba 3.0 CVS is required to find the NTLMSSP client code exposed.

Here is my opinion, Rob's *may* differ:

Having support for all of the latest NTLMSSP stuff is a great idea, but I don't think we want to have yet another dependency for Cyrus SASL, especially unreleased Samba code. I also think that being able to use passwords that are stored in an auxprop plugin is mandatory as there might be sites which want to support MS clients but don't have an MS server to proxy to.

Can you point me to any references to Winbind, so I at least know what we are missing?

> Patch against current SASL CVS, but my testing was actually with 2.1.15

I wanted to take a look at your code, but this patch does not apply cleanly to CVS -- only 1 of 7 hunks succeeds.

--
Kenneth Murchison
Oceana Matrix Ltd.
Software Engineer
21 Princeton Place
716-662-8973 x26
Orchard Park, NY 14127
--PGP Public Key--
http://www.oceana.com/~ken/ksm.pgp
[Samba] %U/%u expansions in Mixed Active Directory (2000/XP/2003 Server) and NT4 environment with samba 3.0.0 and winbind
Hi all,

I have had the unfortunate joy of upgrading my PDC to Windows Server 2003 and active directory, I also upgraded to samba 3.0.0 on a debian testing box. Before I was running a happy little environment with Windows NT4 and Samba 2.2.8 with winbind using the winbind use default domain = yes.

Migration went smooth, switch to security = ADS and joined the directory. Everything was working fine until desktops started noticing the active directory server two days after the migration and authenticating that way. All of the Windows XP boxes are now expanding %U as lan.equinox-eng.com_username, %u as LAN.EQUINOX-ENG.COM+username. While my NT4 boxes are showing up a simply username.

I have temporarily worked around this by creating a silly number of soft links but would prefer a cleaner solution. Was this fixed in 3.0.1? I know some stuff was mentioned about the winbind use default domain = yes.

Thanks,
Ehren Wilson
Network Administrator
Equinox Engineering Ltd.
[Samba] Cups and Samba Access Denied
I purchased the Samba 3.0 book and it has gotten me pretty far but I finally had to go to the mailing list for this problem.

Here is the issue, I am running Debian (woody) with samba 3.0.1-2 and cupsys 1.1.14-5. I have also installed cupsys-bsd cupsys-client and smbclient foomatic-bin and as2ps following this http://excess.org/docs/linux_windows_printing.html advice. Samba is running in Domain mode and I can log on to the network and connect to file shares just fine.

Here is the issue: My printer will show up in my XP box if I browse the entire network, but if I double click it or right click on it, I get "Operation could not be completed. access denied." I have managed to connect to this printer by adding a local printer in XP and choosing the create port option. But if I choose network option it asks me for a user name and password and I get access denied. I have raw printing running and when I create the port it seems to be working fine but for some reason I cannot install it like a network printer on a NT box.

Here are the parts of my smb.conf file:

    ### 1.4 - Printing ###
    printing = cups
    printcap name = cups
    load printers = yes
    # If you want to automatically load your printer list rather
    # than setting them up individually then you'll need this.
    show add printer wizard = yes

    [printers]
    comment = All Printers
    browseable = yes
    path = /home/spooler
    printable = yes
    public = yes
    writable = no
    guest ok = no
    printer admin = jared, @IT
    create mode = 0700
    use client driver = yes
    print command = lpr -r -oraw -P%p %s

    [print$]
    # Some Windows clients will look for this share to hold
    # printer drivers.
    comment = Printer Drivers
    path = /home/drivers
    browseable = yes
    read only = yes
    guest ok = yes
    read only = yes
    write list = jared, @administrators

I log in as jared for testing purposes. I have the print$ share up with all the proper directories but I do not have any drivers installed, this is because when I try to do it through XP I get "Operation could not be completed. access denied."

Thanks for any insight and if you want my entire smb.conf let me know.
[Samba] samba 3 suse 8.2 ERROR: we did not create the shmem (owned by another user)
Hi all,

When I start samba 3 on SUSE 8.2, I am getting the following error message. I re-installed the samba, also re-booted the machine. Any help to fix this?

    [2003/12/31 12:21:19, 0] smbd/server.c:main(747)
      smbd version 3.0.0-SuSE started.
      Copyright Andrew Tridgell and the Samba Team 1992-2003
    [2003/12/31 12:21:19, 0] profile/profile.c:profile_setup(140)
      ERROR: we did not create the shmem (owned by another user)
    [2003/12/31 12:21:19, 0] smbd/server.c:main(772)
      ERROR: failed to setup profiling

SR
Re: [Samba] Cups and Samba Access Denied
Jared,

I feel with you. I am the author of the book. :)

On Wed, 31 Dec 2003 [EMAIL PROTECTED] wrote:

> I purchased the Samba 3.0 book and it has gotten me pretty far but I finally had to go to the mailing list for this problem.
>
> Here is the issue, I am running Debian (woody) with samba 3.0.1-2 and cupsys 1.1.14-5. I have also installed cupsys-bsd cupsys-client and smbclient

I recommend that you update to CUPS 1.1.18 or later and make sure that your Samba-3.0.1 is linked specifically with its libraries. That will help resolve some of your issues.

> foomatic-bin and as2ps following this http://excess.org/docs/linux_windows_printing.html advice. Samba is running in Domain mode and I can log on to the network and connect to file shares just fine.
>
> Here is the issue: My printer will show up in my XP box if I browse the entire network, but if I double click it or right click on it, I get "Operation could not be completed. access denied." I have managed to connect to this printer by adding a local printer in XP and choosing the create port option. But if I choose network option it asks me for a user name and password and I get access denied. I have raw printing running and when I create the port it seems to be working fine but for some reason I cannot install it like a network printer on a NT box.
>
> Here are the parts of my smb.conf file:
>
>     ### 1.4 - Printing ###
>     printing = cups
>     printcap name = cups
>     load printers = yes
>     # If you want to automatically load your printer list rather
>     # than setting them up individually then you'll need this.
>     show add printer wizard = yes
>
>     [printers]
>     comment = All Printers
>     browseable = yes
>     path = /home/spooler
>     printable = yes
>     public = yes
>     writable = no
>     guest ok = no
>     printer admin = jared, @IT
>     create mode = 0700
>     use client driver = yes
>     print command = lpr -r -oraw -P%p %s

Given that you are using CUPS the print command will not be issued since Samba will print direct via the cups libraries.

By specifying use client driver you prevent the upload of the driver files.

Here is my printing section, as it is on my network:

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printer admin = root, jht
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    default devmode = Yes
    browseable = No

For this system I do not want to upload drivers. The permissions on the /var/spool/samba directory are: 1755.

Also, did you make sure that you uncommented the lines in the /etc/mime.* files that have?

    application/octet-stream ...

That will permit CUPS to print fully pre-processed jobs that your client driver file prepared to go directly to the printer.

>     [print$]
>     # Some Windows clients will look for this share to hold
>     # printer drivers.
>     comment = Printer Drivers
>     path = /home/drivers
>     browseable = yes
>     read only = yes
>     guest ok = yes
>     read only = yes
>     write list = jared, @administrators
>
> I log in as jared for testing purposes. I have the print$ share up with all the proper directories but I do not have any drivers installed, this is because when I try to do it through XP I get "Operation could not be completed. access denied."

The use client driver kind of defeats having this share. :)

Cheers,
John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
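The points raised in this reply, as an added example that is not code from the thread or from the Samba project: a Python check over the posted share definitions that reports the print command left unused under printing = cups, the [print$] share made redundant by use client driver, and parameters set more than once (including through smb.conf synonyms such as public for guest ok). The [global] header in the sample, the finding codes and the "later line wins" model are assumptions of the example.

```python
import re

# Constructed sample: the settings posted in the thread, one parameter per line.
# The [global] header is assumed; the post shows only the parameters.
SAMPLE_SMB_CONF = """\
[global]
printing = cups
printcap name = cups
load printers = yes
show add printer wizard = yes
[printers]
path = /home/spooler
printable = yes
public = yes
writable = no
guest ok = no
printer admin = jared, @IT
create mode = 0700
use client driver = yes
print command = lpr -r -oraw -P%p %s
[print$]
path = /home/drivers
read only = yes
guest ok = yes
read only = yes
write list = jared, @administrators
"""

# smb.conf(5) synonyms: alias -> (canonical name, value is inverted)
SYNONYMS = {
    "public": ("guest ok", False),
    "writable": ("read only", True),
    "writeable": ("read only", True),
    "create mode": ("create mask", False),
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def normalise(value, inverted):
    """Fold boolean spellings to yes/no, flipping inverted synonyms."""
    low = value.lower()
    if low in TRUE or low in FALSE:
        return "yes" if (low in TRUE) != inverted else "no"
    return value


def parse(text):
    """Return {section: [(lineno, canonical_key, value, key_as_written)]}."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            canon, inverted = SYNONYMS.get(key, (key, False))
            sections[current].append((lineno, canon, normalise(value, inverted), key))
    return sections


def effective(entries):
    """Settings in force for one section, modelled as 'the later line wins'."""
    return {canon: value for _, canon, value, _ in entries}


def lint(text):
    """Return [(section, code, detail)] for the issues discussed in the thread."""
    sections, findings = parse(text), []
    uses_cups = effective(sections.get("global", [])).get("printing", "").lower() == "cups"
    for name, entries in sections.items():
        by_key = {}
        for lineno, canon, value, key in entries:
            by_key.setdefault(canon, []).append((lineno, key, value))
        for canon, uses in by_key.items():
            if len(uses) > 1:
                code = "conflict" if len({v for _, _, v in uses}) > 1 else "duplicate"
                where = ", ".join(f"'{k}' line {n}" for n, k, _ in uses)
                findings.append((name, code, f"{canon} set by {where}; in force: {uses[-1][2]}"))
        eff = effective(entries)
        if uses_cups and "print command" in eff:
            findings.append((name, "print-command-ignored",
                             "printing = cups, so this print command is not issued"))
        if name != "print$" and "print$" in sections and eff.get("use client driver") == "yes":
            findings.append((name, "driver-share-unused",
                             "use client driver = yes prevents driver upload to [print$]"))
    return findings


if __name__ == "__main__":
    for section, code, detail in lint(SAMPLE_SMB_CONF):
        print(f"[{section}] {code}: {detail}")
```

On the posted configuration the conflict finding is the one to read first: public = yes and guest ok = no name the same parameter, so which guest setting applies to [printers] depends on line order.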
RE: [Samba] Cups and Samba Access Denied
Thanks for the response, pretty cool getting a reply from the author of the book you were just reading!

> I recommend that you update to CUPS 1.1.18 or later and make sure that your Samba-3.0.1 is linked specifically with its libraries. That will help resolve some of your issues.

I was afraid of that, I will see how far I get compiling the binary on my woody system, but that may be my problem.

> Given that you are using CUPS the print command will not be issued since Samba will print direct via the cups libraries.

I removed the line and it did not break my work around so at least I am cleaning out the junk.

> By specifying use client driver you prevent the upload of the driver files.

Good to know, I made the driver share when I could not connect the normal way thinking that it was the problem.

> Also, did you make sure that you uncommented the lines in the /etc/mime.* files that have?
>
>     application/octet-stream ...
>
> That will permit CUPS to print fully pre-processed jobs that your client driver file prepared to go directly to the printer.

Yes I did and after I did that I added the print command thinking I had to force cups to print raw. I also added the directive to allow anybody to print in case that was causing my issue:

    <Location /printers>
    AuthType None
    Order Deny,Allow
    Deny From None
    Allow From All
    </Location>

But still I was getting the access denied. I can get a printer to add by creating a local port but I cannot seem to get ahold of the share without access denied. This prevents me from adding a printer with a logon script. That's not normal right? I mean you are supposed to be able to add the printer with the share correct? If it's working like normal will the printer show up when you choose network printer in the printer menu and then click browse? Either way I will try to make a new cupsys binary with woodies libraries.

Thanks for the book, it's really nice to have and I got Roaming profiles working on Samba, something we could never get to work on NT so that has to say something!

Cheers,
Jared

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 31, 2003 1:13 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Cups and Samba Access Denied
Re: [Samba] Cups and Samba Access Denied
On Wed, 2003-12-31 at 14:12, John H Terpstra wrote:
> Jared, I feel with you. I am the author of the book. :)

Hi John, I have been suffering from this problem also. Your response below has helped quite a bit. By using the use client driver = yes, I was able to at least create and talk to the printer from Windows/XP. However, this printer is a bit of a stink. I can't install the drivers locally (on Windows) unless I have the printer connected and that's not really possible (it's in use on my Linux box). So, I'd like to use the Linux drivers, as set up by 'cupsaddsmb', but Windows always complains that the host (Linux/Samba) does not have the correct drivers installed. ... catch-22 :-(

> On Wed, 31 Dec 2003 [EMAIL PROTECTED] wrote:
> > I purchased the Samba 3.0 book and it has gotten me pretty far but I finally had to go to the mailing list for this problem. Here is the issue, I am running Debian (woody) with samba 3.0.1-2 and cupsys 1.1.14-5 I have also installed cupsys-bsd cupsys-client and smbclient
>
> I recommend that you update to CUPS 1.1.18 or later and make sure that your Samba-3.0.1 is linked specifically with its libraries. That will help resolve some of your issues.

Can you elaborate? I'm running CUPS-1.1.17 (from my Red Hat 9 distribution) and Samba-3.0.1 (from samba.org)

> > foomatic-bin and as2ps following this http://excess.org/docs/linux_windows_printing.html advice. Samba is running in Domain mode and I can log on to the network and connect to file shares just fine. Here is the issue: My printer will show up if in my xp box if I browse the entire network, but if I double click it or right click on it, I get Operation could not be completed. access denied. I have managed to connect to this printer by adding a local printer in XP and choosing the create port option. But if I choose network option it asks me for a user name and password and I get access denied.
> > I have raw printing running and when I create the port it seems to be working fine but for some reason I cannot install it like a network printer on a NT box. Here the parts of my smb.conf file:
> >
> > ### 1.4 - Printing ###
> > printing = cups
> > printcap name = cups
> > load printers = yes
> > # If you want to automatically load your printer list rather
> > # than setting them up individually then you'll need this.
> > show add printer wizard = yes
> > [printers]
> > comment = All Printers
> > browseable = yes
> > path = /home/spooler
> > printable = yes
> > public = yes
> > writable = no
> > guest ok = no
> > printer admin = jared, @IT
> > create mode = 0700
> > use client driver = yes
> > print command = lpr -r -oraw -P%p %s
>
> Given that you are using CUPS the print command will not be issued since Samba will print direct via the cups libraries. By specifying use client driver you prevent the upload of the driver files. Here is my printing section, as it is on my network:
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printer admin = root, jht
> create mask = 0600
> guest ok = Yes
> printable = Yes
> use client driver = Yes
> default devmode = Yes
> browseable = No
>
> For this system I do not want to upload drivers. The permissions on the /var/spool/samba directory are: 1755. Also, did you make sure that you uncommented the lines in the /etc/mime.* files that have? application/octet-stream ... That will permit CUPS to print fully pre-processed jobs that your client driver file prepared to go directly to the printer.
>
> > [print$]
> > # Some Windows clients will look for this share to hold
> > # printer drivers.
> > comment = Printer Drivers
> > path = /home/drivers
> > browseable = yes
> > read only = yes
> > guest ok = yes
> > read only = yes
> > write list = jared, @administrators
> >
> > I log in as jared for testing purposes. I have the print$ share up with all the proper directories but I do not have any drivers installed, this is because when I try to do it through XP I get Operation could not be completed. access denied.
>
> The use client driver kind of defeats having this share. :)
>
> Cheers, John T.
> -- John H Terpstra Email: [EMAIL PROTECTED]

-- Gary Thomas [EMAIL PROTECTED]
RE: [Samba] Cups and Samba Access Denied
On Wed, 31 Dec 2003 [EMAIL PROTECTED] wrote:
> Thanks for the response pretty cool getting a reply from the author of the book you were just reading!
>
> > I recommend that you update to CUPS 1.1.18 or later and make sure that your Samba-3.0.1 is linked specifically with its libraries. That will help resolve some of your issues.
>
> I was afraid of that, I will see how far I get compiling the binary on my woody system, but that may be my problem.
>
> > Given that you are using CUPS the print command will not be issued since Samba will print direct via the cups libraries.
>
> I removed the line and it did not break my work around so at least I am cleaning out the junk.
>
> > By specifying use client driver you prevent the upload of the driver files.
>
> Good to know, I made the driver share when I could not connect the normal way thinking that it was the problem.
>
> > Also, did you make sure that you uncommented the lines in the /etc/mime.* files that have? application/octet-stream ... That will permit CUPS to print fully pre-processed jobs that your client driver file prepared to go directly to the printer.
>
> Yes I did and after I did that I added the print command thinking I had to force cups to print raw. I also added the directive to allow anybody to print in case that was causing my issue:
>
> <Location /printers>
> AuthType None
> Order Deny,Allow
> Deny From None
> Allow From All
> </Location>
>
> But still I was getting the access denied.

FWIW, here is the extract from my /etc/cupsd.conf file:

<Location /admin>
AuthType Basic
AuthClass System
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.*
</Location>
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.*
</Location>

These are my only changes from the default file.

> I can get a printer to add by creating a local port but I cannot seem to get ahold of the share without access denied. This prevents me from adding a

You must have a Microsoft network user account. You can add it using:

smbpasswd -a 'username'

Where 'username' is already in the /etc/passwd file. You should install the printer as if it is attached to a parallel port or via USB. Then when that has finished installing, do not print a test page! Immediately close the printer configuration dialog, reopen it, click on the Printer item on the menu bar, click Properties, click the Ports tab. Now add a local port. When prompted, add the UNC name of the printer like this: \\server\printer

You should do this as the local Windows client machine Administrator. That way the printer will be ready for all users to use it. Hope this helps.

Cheers, John T.

> printer with a logon script. That's not normal right? I mean you are supposed to be able to add the printer with the share correct, If it's working like normal will the printer show up when you choose network printer in the printer menu and then click browse? Either way I will try to make a new cupsys binary with woodies libraries. Thanks for the book it's really nice to have and I got Roaming profiles working on Samba something we could never get to work on NT so that has to say something!
>
> Cheers, Jared
>
> -----Original Message-----
> From: John H Terpstra [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 31, 2003 1:13 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] Cups and Samba Access Denied
>
> > Jared, I feel with you. I am the author of the book. :)
> >
> > On Wed, 31 Dec 2003 [EMAIL PROTECTED] wrote:
> > > I purchased the Samba 3.0 book and it has gotten me pretty far but I finally had to go to the mailing list for this problem. Here is the issue, I am running Debian (woody) with samba 3.0.1-2 and cupsys 1.1.14-5 I have also installed cupsys-bsd cupsys-client and smbclient
> >
> > I recommend that you update to CUPS 1.1.18 or later and make sure that your Samba-3.0.1 is linked specifically with its libraries. That will help resolve some of your issues.
> >
> > > foomatic-bin and as2ps following this http://excess.org/docs/linux_windows_printing.html advice. Samba is running in Domain mode and I can log on to the network and connect to file shares just fine. Here is the issue: My printer will show up if in my xp box if I browse the entire network, but if I double click it or right click on it, I get Operation could not be completed. access denied. I have managed to connect to this printer by adding a local printer in XP and choosing the create port option. But if I choose network option it asks me for a user name and password and I get access denied. I have raw printing running and when I create the port it seems to be working fine but for some reason I cannot install it like a network printer on a NT box. Here the parts of my smb.conf file:
> > >
> > > ### 1.4 - Printing ###
> > > printing = cups
> > > printcap name = cups
> > > load printers = yes
> > > # If you want to automatically load your printer list rather
> > > # than setting them
Re: [Samba] Cups and Samba Access Denied
On Wed, 31 Dec 2003, Gary Thomas wrote:
> On Wed, 2003-12-31 at 14:12, John H Terpstra wrote:
> > Jared, I feel with you. I am the author of the book. :)
>
> Hi John, I have been suffering from this problem also. Your response below has helped quite a bit. By using the use client driver = yes, I was able to at least create and talk to the printer from Windows/XP. However, this printer is a bit of a stink. I can't install the drivers locally (on Windows) unless I have the printer connected and that's not really possible (it's in use on my Linux box). So, I'd like to use the Linux drivers, as set up by 'cupsaddsmb', but Windows always complains that the host (Linux/Samba) does not have the correct drivers installed. ... catch-22 :-(

That's one way to do it. The other is to use an alternative driver that does not require the printer to be attached. For example, my HP PhotoSmart P1000 requires the printer to be attached all the time. I got sick of the and now use the HP DeskJet 940C driver with perfect results.

- John T.

> > On Wed, 31 Dec 2003 [EMAIL PROTECTED] wrote:
> > > I purchased the Samba 3.0 book and it has gotten me pretty far but I finally had to go to the mailing list for this problem. Here is the issue, I am running Debian (woody) with samba 3.0.1-2 and cupsys 1.1.14-5 I have also installed cupsys-bsd cupsys-client and smbclient
> >
> > I recommend that you update to CUPS 1.1.18 or later and make sure that your Samba-3.0.1 is linked specifically with its libraries. That will help resolve some of your issues.
>
> Can you elaborate? I'm running CUPS-1.1.17 (from my Red Hat 9 distribution) and Samba-3.0.1 (from samba.org)
>
> > > foomatic-bin and as2ps following this http://excess.org/docs/linux_windows_printing.html advice. Samba is running in Domain mode and I can log on to the network and connect to file shares just fine. Here is the issue: My printer will show up if in my xp box if I browse the entire network, but if I double click it or right click on it, I get Operation could not be completed. access denied. I have managed to connect to this printer by adding a local printer in XP and choosing the create port option. But if I choose network option it asks me for a user name and password and I get access denied. I have raw printing running and when I create the port it seems to be working fine but for some reason I cannot install it like a network printer on a NT box. Here the parts of my smb.conf file:
> > >
> > > ### 1.4 - Printing ###
> > > printing = cups
> > > printcap name = cups
> > > load printers = yes
> > > # If you want to automatically load your printer list rather
> > > # than setting them up individually then you'll need this.
> > > show add printer wizard = yes
> > > [printers]
> > > comment = All Printers
> > > browseable = yes
> > > path = /home/spooler
> > > printable = yes
> > > public = yes
> > > writable = no
> > > guest ok = no
> > > printer admin = jared, @IT
> > > create mode = 0700
> > > use client driver = yes
> > > print command = lpr -r -oraw -P%p %s
> >
> > Given that you are using CUPS the print command will not be issued since Samba will print direct via the cups libraries. By specifying use client driver you prevent the upload of the driver files. Here is my printing section, as it is on my network:
> >
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > printer admin = root, jht
> > create mask = 0600
> > guest ok = Yes
> > printable = Yes
> > use client driver = Yes
> > default devmode = Yes
> > browseable = No
> >
> > For this system I do not want to upload drivers. The permissions on the /var/spool/samba directory are: 1755. Also, did you make sure that you uncommented the lines in the /etc/mime.* files that have? application/octet-stream ... That will permit CUPS to print fully pre-processed jobs that your client driver file prepared to go directly to the printer.
> >
> > > [print$]
> > > # Some Windows clients will look for this share to hold
> > > # printer drivers.
> > > comment = Printer Drivers
> > > path = /home/drivers
> > > browseable = yes
> > > read only = yes
> > > guest ok = yes
> > > read only = yes
> > > write list = jared, @administrators
> > >
> > > I log in as jared for testing purposes. I have the print$ share up with all the proper directories but I do not have any drivers installed, this is because when I try to do it through XP I get Operation could not be completed. access denied.
> >
> > The use client driver kind of defeats having this share. :)
> >
> > Cheers, John T.
> > -- John H Terpstra Email: [EMAIL PROTECTED]

-- John H Terpstra Email: [EMAIL PROTECTED]
Re: [Samba] Cups and Samba Access Denied
On Wed, 2003-12-31 at 15:15, John H Terpstra wrote:
> On Wed, 31 Dec 2003, Gary Thomas wrote:
> > On Wed, 2003-12-31 at 14:12, John H Terpstra wrote:
> > > Jared, I feel with you. I am the author of the book. :)
> >
> > Hi John, I have been suffering from this problem also. Your response below has helped quite a bit. By using the use client driver = yes, I was able to at least create and talk to the printer from Windows/XP. However, this printer is a bit of a stink. I can't install the drivers locally (on Windows) unless I have the printer connected and that's not really possible (it's in use on my Linux box). So, I'd like to use the Linux drivers, as set up by 'cupsaddsmb', but Windows always complains that the host (Linux/Samba) does not have the correct drivers installed. ... catch-22 :-(
>
> That's one way to do it. The other is to use an alternative driver that does not require the printer to be attached. For example, my HP PhotoSmart P1000 requires the printer to be attached all the time. I got sick of the and now use the HP DeskJet 940C driver with perfect results.

Any idea how I can determine what driver is compatible? I'm using an HP 6110 all-in-one (printer/scanner/fax). I have asked HP if it's possible to get/install the drivers without the unit physically attached, but no response so far.

n.b. it works great on my Linux box, using the CUPS/hpij drivers :-)

-- Gary Thomas [EMAIL PROTECTED]
[Samba] modify permissions fail on new file server.
Hello,

I'm using winbindd with samba 3.0.1. Everything starts up as expected and tests return the expected results (wbinfo and getent). Files created via windows clients are created with the proper ownership and group membership. When I attempt to modify the permissions via the windows security tab (add another group, change ownership for example) I'll get a win pop up saying 'permission denied' and the below output will be written out to the machine.log. From a unix shell I can change perms over NFS.

fetch uid from cache 3041 - S-1-5-21-861567501-1262210171-1417111838-1275
[2003/12/31 16:46:07, 3] smbd/dosmode.c:unix_mode(110)
unix_mode(VFX/greg-test/foo) returning 0744
[2003/12/31 16:46:07, 2] smbd/posix_acls.c:set_canon_ace_list(2414)
set_canon_ace_list: sys_acl_set_file type file failed for file VFX/greg-test/foo (Operation not supported).
[2003/12/31 16:46:07, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2499)
convert_canon_ace_to_posix_perms: Too many ACE entries for file VFX/greg-test/foo to convert to posix perms.
[2003/12/31 16:46:07, 3] smbd/posix_acls.c:set_nt_acl(3140)
set_nt_acl: failed to convert file acl to posix permissions for file VFX/greg-test/foo.
[2003/12/31 16:46:07, 3] smbd/error.c:error_packet(94)
error string = Operation not supported

As the file appears from UNIX:

drwxr-xr-x 2 greg Domain Users 96 Dec 31 16:29 foo

The dir this is in has a mode of 777 and is owned by 'greg'.

Samba was built with:

configure --with-ads --with-pam --with-winbind-auth-challenge --with-acl-support --with-winbind --prefix=/opt/samba

The physical setup is as such:

W2kCLIENTS---smb---SAMBA-SERVER---nfs---NFS-SERVER===DISKARRAY

SAMBA-SERVER has 2 interfaces on it, one samba listens on, the other is used for NFS traffic. NFS-SERVER has the physical drives attached to it, using veritas cluster file system version 3.x. SAMBA-SERVER mounts the drives under /n/fire/array. This is also defined within smb.conf.

My question: Why can I not change ACLs on the file system? Is there something I can do to correct this? I see it mentions too many ACE entries to convert to posix, I used a local XFS file system a while ago and things seemed to work as expected, but this is no longer an option.

Thanks for your input,
greg

smb.conf:

[global]
workgroup = CDP
server string = Render Services %v
security = DOMAIN
interfaces = eth0
encrypt passwords = Yes
log level = 1
log file = /opt/samba/log/%m.log
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 23
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 3000-4000
idmap gid = 3000-4000
winbind use default domain = Yes
admin users = @systems
hosts allow = 172.16.92., 172.16.93., 172.16.94., 172.16.95., 127.
map acl inherit = Yes
# since we have 2Gs of memory, lets see how this works out. -greg
write cache size = 1048576
winbind cache time = 300
template homedir = /home/winnt/%D/%U
template shell = /bin/tcsh
[array]
path = /n/fire/array
read only = No
guest ok = Yes

mount:

fire:/export/array1 on /n/fire/array type nfs (rw,bg,vers=3,soft,intr,addr=172.16.92.90)
fire:/export/array2 on /n/fire/array/VFX type nfs (rw,bg,vers=3,soft,intr,addr=172.16.92.90)

Versions:

SAMBA-SERVER Samba 3.0.1 kernel 2.4.23-xfs
NFS-SERVER: Solaris9 12-03 sparc Veritas 3.5
Clients: NT2k w/ 500 patches.
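The log excerpt in the post above, run through a small parser that groups the failed ACL steps per file and flags paths where the ACL call itself came back as unsupported. This is an added example, not part of the original post and not Samba code; the function names, stage labels and the constructed sample (the post's own log lines in smbd's usual two-line layout) are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: the smbd entries quoted in the post above.
SAMPLE_LOG = """\
[2003/12/31 16:46:07, 3] smbd/dosmode.c:unix_mode(110)
  unix_mode(VFX/greg-test/foo) returning 0744
[2003/12/31 16:46:07, 2] smbd/posix_acls.c:set_canon_ace_list(2414)
  set_canon_ace_list: sys_acl_set_file type file failed for file VFX/greg-test/foo (Operation not supported).
[2003/12/31 16:46:07, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2499)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file VFX/greg-test/foo to convert to posix perms.
[2003/12/31 16:46:07, 3] smbd/posix_acls.c:set_nt_acl(3140)
  set_nt_acl: failed to convert file acl to posix permissions for file VFX/greg-test/foo.
[2003/12/31 16:46:07, 3] smbd/error.c:error_packet(94)
  error string = Operation not supported
"""

# "[timestamp, level] source.c:function(line)" starts every smbd log entry.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)")
ACL_SET = re.compile(r"sys_acl_set_file type (\w+) failed for file (.+?) \((.+?)\)\.?$")
TOO_MANY = re.compile(r"Too many ACE entries for file (.+?) to convert to posix perms")
NT_ACL = re.compile(r"failed to convert file acl to posix permissions for file (.+?)\.?$")
CLIENT_ERR = re.compile(r"error string = (.+)$")
# strerror() texts for ENOTSUP/EOPNOTSUPP and ENOSYS on Linux.
NO_ACL_ERRNO = {"Operation not supported", "Function not implemented"}


def parse_entries(text):
    """Split log text into entries. The message is everything up to the next
    header, so this also works when the log was flattened onto one line."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append({"ts": m["ts"], "level": int(m["level"]), "func": m["func"],
                        "message": " ".join(text[m.end():end].split())})
    return entries


def acl_failures(text):
    """Group the stages of a rejected ACL change by file path."""
    files = defaultdict(lambda: {"acl_type": None, "errno_text": None, "stages": []})
    client_errors = []
    for e in parse_entries(text):
        msg = e["message"]
        m = ACL_SET.search(msg)
        if m:  # the POSIX ACL write itself failed; keep the errno text
            rec = files[m.group(2)]
            rec["acl_type"], rec["errno_text"] = m.group(1), m.group(3)
            rec["stages"].append("posix_acl_set_failed")
            continue
        m = TOO_MANY.search(msg)
        if m:  # the ACL could not be reduced to plain permission bits either
            files[m.group(1)]["stages"].append("mode_bits_fallback_failed")
            continue
        m = NT_ACL.search(msg)
        if m:  # the client's ACL change was rejected as a whole
            files[m.group(1)]["stages"].append("nt_acl_rejected")
            continue
        m = CLIENT_ERR.search(msg) if e["func"] == "error_packet" else None
        if m:
            client_errors.append(m.group(1))
    no_acl = sorted(p for p, r in files.items() if r["errno_text"] in NO_ACL_ERRNO)
    return {"files": dict(files), "client_errors": client_errors,
            "no_acl_support": no_acl}


if __name__ == "__main__":
    report = acl_failures(SAMPLE_LOG)
    for path in report["no_acl_support"]:
        print(path, report["files"][path]["stages"])
```

Paths listed under `no_acl_support` are ones where the ACL system call was refused outright, so permission changes made from the Windows security tab never reached the file.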
Re: [Samba] Cups and Samba Access Denied
On Wed, 31 Dec 2003, Gary Thomas wrote:
> On Wed, 2003-12-31 at 15:15, John H Terpstra wrote:
> > On Wed, 31 Dec 2003, Gary Thomas wrote:
> > > On Wed, 2003-12-31 at 14:12, John H Terpstra wrote:
> > > > Jared, I feel with you. I am the author of the book. :)
> > >
> > > Hi John, I have been suffering from this problem also. Your response below has helped quite a bit. By using the use client driver = yes, I was able to at least create and talk to the printer from Windows/XP. However, this printer is a bit of a stink. I can't install the drivers locally (on Windows) unless I have the printer connected and that's not really possible (it's in use on my Linux box). So, I'd like to use the Linux drivers, as set up by 'cupsaddsmb', but Windows always complains that the host (Linux/Samba) does not have the correct drivers installed. ... catch-22 :-(
> >
> > That's one way to do it. The other is to use an alternative driver that does not require the printer to be attached. For example, my HP PhotoSmart P1000 requires the printer to be attached all the time. I got sick of the and now use the HP DeskJet 940C driver with perfect results.
>
> Any idea how I can determine what driver is compatible? I'm using an HP 6110 all-in-one (printer/scanner/fax). I have asked HP if it's possible to get/install the drivers without the unit physically attached, but no response so far.
>
> n.b. it works great on my Linux box, using the CUPS/hpij drivers :-)

In that case, try the HP DeskJet 940C driver, you might be very surprised!

- John T.
-- John H Terpstra Email: [EMAIL PROTECTED]
[Samba] Re: [PATCH] Add winbind-backed NTLMSSP support to Cyrus-SASL
On Wed, Dec 31, 2003 at 12:49:45PM -0500, Ken Murchison wrote:

Andrew Bartlett wrote:

Windows authentication extends far beyond the CIFS protocol that Samba implements, but it is only very recently that work has been done to catch up to Microsoft's extensions in this area. This has caused many administrators pain and toil that their MS counterparts simply don't have. For them, authentication 'just works', with single-sign-on and the lot.

I have worked, for over a year, with the Squid development team, in extending NTLMSSP authentication to HTTP. The squid team made a very good start (as I see Cyrus-SASL now has) in including a basic NTLMSSP implementation, and even providing a proxy-mechanism to authenticate against a Windows DC. I extended on this base, providing the ntlm_auth tool, which allows them to perform this against winbind, and without having to understand NTLMSSP as anything more than BASE64 strings. This provides a much more reliable interface, as winbind is not only faster, we can also prevent man-in-the-middle attacks.

The attached patch provides this for Cyrus-SASL. In the same way that Squid now uses Winbind, all Cyrus-SASL enabled applications can use Winbind (via ntlm_auth) to authenticate their users. This provides the most current NTLMSSP implementation in the Open Source arena, as it is the one that we must maintain for Samba's internal use.

The plugin is designed to use ntlm_auth over a stdio interface, because as part of Samba, it is GPL'ed. The plugin provides a client, and a server implementation, but can only proxy its server-side (I can provide a mode that allows for local passwords if it is required). Current Samba 3.0 CVS is required to find the NTLMSSP client code exposed.

Here is my opinion, Rob's *may* differ: Having support for all of the latest NTLMSSP stuff is a great idea, but I don't think we want to have yet another dependency for Cyrus SASL, especially unreleased Samba code.

This will be in Samba 3.0.2, which I expect to be released in a reasonably short timeframe due to issues in 3.0.1 (but the rest is up to the release manager)

(BTW, when on an MS system I suggest the use of MS's SSPI interface, as that will give you 'perfect' NTLMSSP on that platform)

I was very pleased to see what appears to be a reasonably mature NTLMSSP implementation. However, a few things stood out - common errors in most of the NTLMSSP implementations I have seen:

Firstly, Unicode != ASCII plus NULL bytes. i18n is no longer an 'interesting idea', it is something that people not only want to have function, but particularly those from the MS world *expect* to just function.

Secondly, domains and workstations do matter. The domains you will see as soon as you move to any 'enterprise' site, with multiple trusted domains. The 'workstation' regards the list of workstations that a user may log into, as restricted by the DC. (It may be a lame 'security' measure, but we have to get the values right, as some sites do enforce it).

Naturally, things like NTLM2, KEY_EXCH are not supported, but this doesn't surprise me, as they have not yet become mandatory. (I'm told Longhorn may change this)

I also think that being able to use passwords that are stored in an auxprop plugin is mandatory as there might be sites which want to support MS clients but don't have an MS server to proxy to.

They can always use a Samba server :-) But seriously, if it is required, we can add a callback.

Can you point me to any references to Winbind, so I at least know what we are missing?

My biggest concern is the 'proxy' implementation being developed. In my time working on authentication for the Samba Team, I have seen many attempts at integrating windows passwords into the unix world. I have seen Samba's own 'security=server', pam_smb, mod_auth_smb, the original Apache NTLM module, the original squid helpers.

All of these suffered a fundamental failing: They are inherently insecure to a man-in-the-middle attack between the server performing the authentication proxy and the DC with the passwords. They are also highly unreliable, in our experience. This is particularly so when 'optimisations' have been added to get around the connection setup time.

Winbind provides a service for managing the connection to the DC. However, more important is the difference (in samba terms) between 'security=domain' and 'security=server'. What winbind provides to ntlm_auth is the ability to specify the challenge and response in the same packet, and to send this packet over a secured link. By using only one packet, we cannot 'lose' the connection between stages of the authentication protocols, and if the connection is lost, we may simply retry. We can even choose to talk to a new Domain Controller (a Backup perhaps). Winbind uses the same Domain Controller location methods as the rest of Samba. This avoids hard-coded server
[Samba] samba / tdb recovery
I'm currently in the process of recovering a system and wanted to mention my thoughts and process for feedback and, if necessary, corrections:

1) I had my original version of samba (2.2.8) compiled with:

./configure --with-fhs --prefix=/usr --sysconfdir=/etc --with-privatedir=/etc/samba --with-lockdir=/var/state/samba --localstatedir=/var --with-netatalk --with-smbmount --with-pam --with-syslog --with-sambabook --with-utmp --with-acl-support --no-create --no-recursion

2) I have a copy of everything in /etc/samba, and /var/state/samba (see configuration above). Based on the backup files that I'm seeing, --with-lockdir seems to make samba store not only the lockfiles (as I would have presumed by the parameter name) but also most of the .tdb files in /var/state/samba. So, when I restore to my system to my new samba configuration, I just need to make sure that all the files in /var/state/samba get restored to the --with-lockdir location, whatever that might be (in my case /var/cache/samba)? I also presume that if I restore all the files in /etc/samba to the --with-privatedir location that I should be set.

3) When building the new system, I made sure to maintain all the user IDs and samba group IDs, so that it would match up with all the UID information specified in smbpasswd.

4) Is there anything else that I should have made sure matched up? [I guess I'll find out soon enough ;) ].

Considering that I still have all the roaming profile information (and therefore the SIDs specified in NTUSER.dat, and hopefully the correct .tdb files), I presume that if I can restore the above configuration files, that everything should still be intact?

Any other thoughts on restoring a samba system? I'm sure I have all the files, it's just a matter of getting them in the right place, which was an oversight my first time through, as I didn't consider the fact that the directory structure was configured differently.

Thanks for the help.

--Kaleb
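One way to check step 3 of the post above after a restore, as an added example (not part of the original post and not a Samba tool): compare the UID field of each restored smbpasswd entry with the rebuilt system's passwd file, since a UID that now belongs to a different account puts that account's files behind the wrong Samba login. The function names and finding labels are assumptions, and the sample files are constructed, with placeholder hash fields.

```python
from collections import defaultdict

X32 = "X" * 32  # placeholder hash field, not a real value

# Constructed sample: restored smbpasswd (name:uid:LM:NT:[flags]:LCT-...:)
SMBPASSWD = f"""\
# restored from backup
alice:1001:{X32}:{X32}:[U          ]:LCT-3FF2A000:
bob:1002:{X32}:{X32}:[U          ]:LCT-3FF2A001:
ws01$:1100:{X32}:{X32}:[W          ]:LCT-3FF2A002:
carol:1004:{X32}:{X32}:[U          ]:LCT-3FF2A003:
eve::{X32}:{X32}:[U          ]:LCT-3FF2A004:
"""

# Constructed sample: /etc/passwd on the rebuilt system
PASSWD = """\
alice:x:1001:100::/home/alice:/bin/bash
bob:x:1005:100::/home/bob:/bin/bash
ws01$:x:1100:200::/dev/null:/bin/false
dave:x:1004:100::/home/dave:/bin/bash
"""


def parse_smbpasswd(text):
    """Return (name, uid, flags) per account line; uid is None if not numeric."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            accounts.append((fields[0], None, ""))
            continue
        uid = int(fields[1]) if fields[1].isdigit() else None
        accounts.append((fields[0], uid, fields[4].strip("[] ")))
    return accounts


def parse_passwd(text):
    """Return ({name: uid}, {uid: [names]}) from passwd-format text."""
    by_name, by_uid = {}, defaultdict(list)
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        by_name[fields[0]] = int(fields[2])
        by_uid[int(fields[2])].append(fields[0])
    return by_name, by_uid


def check_restore(smbpasswd_text, passwd_text):
    """List (account, finding, detail) for every smbpasswd entry whose UID
    does not line up with the rebuilt system's accounts."""
    by_name, by_uid = parse_passwd(passwd_text)
    findings = []
    for name, uid, _flags in parse_smbpasswd(smbpasswd_text):
        if uid is None:
            findings.append((name, "malformed", "no numeric uid field"))
            continue
        if name not in by_name:
            findings.append((name, "no-unix-account", f"uid {uid} in smbpasswd"))
        elif by_name[name] != uid:
            findings.append((name, "uid-mismatch",
                             f"smbpasswd {uid}, passwd {by_name[name]}"))
        # The UID recorded for this Samba account now belongs to someone else.
        others = [n for n in by_uid.get(uid, []) if n != name]
        if others:
            findings.append((name, "uid-owned-by-other", ",".join(others)))
    return findings


if __name__ == "__main__":
    for finding in check_restore(SMBPASSWD, PASSWD):
        print(*finding, sep="\t")
```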
[Samba] 3.0.0 - 3.0.1 upgrade causes Failed to verify incoming ticket!
OK, I spent a bunch of time reviewing the mailing list from the last month, and I see where this was discussed quite a bit, but there was no conclusive resolution found (that I could find anyway).

I have a simple network: one machine running W2K3 Standard Edition, with AD active and in W2K compatibility mode, one machine running Linux with Samba 3.0.0/3.0.1, a number of W2K and WXP Pro workstations.

Samba is compiled against MIT Kerberos 1.3.1. There is no /etc/krb5.conf file at all (intentionally). I had no trouble using kinit to get a krb5 ticket from the KDC, nor did I have any trouble with net ads join. The Samba server shows up in Active Directory, reporting itself properly. There is no WINS server at all (only DNS is used for host name resolution). client use spnego and use spnego are both set to yes. klist -e shows the ticket obtained by kinit as skey DES-CBC-CRC and tkt RC4-HMAC-MD5. winbindd is running and libnss_winbind.so is in place and working properly; getent shows the AD users and groups with no problems. Time is synchronized between the machines (the Linux box is running ntpd, and the W2K3 box is using it as a time source).

With Samba 3.0.0 everything is cool and I can access the shares, security works properly, etc. Upgrading to 3.0.1 (compiled using the identical configure command) causes the workstations (and the AD DC) to no longer be able to connect to Samba shares; any attempt results in a username/password dialog box popping up, and no entry in that box will work. The workstations can connect to the Samba server by using the IP address, though, just not using browsing or the server name directly.

Looking at the Samba logs, "Failed to verify incoming ticket!" appears each time a workstation attempts to connect to a share when 3.0.1 is running.

I have another problem to report against Samba, and I suspect it may have been fixed already in 3.0.1, but I can't use 3.0.1 without a resolution to this problem. Anyone have a suggestion?
Re: [Samba] suse 8.2 Samba 3 LDAP :Cannot Log onto Domain Member Workstation After Joining Domain
Hi,

Now I was not able to login to the samba3 domain from windows 2000, after referring to this document http://us3.samba.org/samba/docs/man/samba-pdc.html#id2888010

Here is my smb.conf setting.

client schannel = Auto
server schannel = Auto
client signing = auto
server signing = No

What should I change to login to the domain? I am attaching smb.conf file.

[global]
workgroup = TUX-NET
passdb backend = ldapsam:ldap://localhost
debuglevel = 3
time server = yes
interfaces = 127.0.0.1 eth0
bind interfaces only = true
printing = cups
printcap name = cups
load printers = yes
wins support = Yes
unix charset = LOCALE
local master = yes
domain master = yes
domain logons = yes
security = user
add user script = ldapsmb -a -u %u
delete user script = ldapsmb -d -u %u
add machine script = ldapsmb -a -w %u
add group script = ldapsmb -a -g %g
delete group script = ldapsmb -d -g %g
add user to group script = ldapsmb -j -u %u -g %g
delete user from group script = ldapsmb -j -u %u -g %g
set primary group script = ldapsmb -m -u %u -gid %g
ldap admin dn = cn=Manager,dc=sfgroup,dc=com
ldap suffix = dc=sfgroup,dc=com
ldap machine suffix = ou=People
ldap group suffix = ou=Groups
ldap user suffix= ou=People

-SR
CVS update: samba/source/nsswitch
Date: Wed Dec 31 08:42:22 2003
Author: abartlet

Update of /home/cvs/samba/source/nsswitch
In directory dp.samba.org:/tmp/cvs-serv23626/nsswitch

Modified Files:
Tag: SAMBA_3_0
winbindd.h

Log Message:
Forgot to commit this for the 'get our primary domain' change.

Revisions:
winbindd.h 1.33.2.15 => 1.33.2.16
http://www.samba.org/cgi-bin/cvsweb/samba/source/nsswitch/winbindd.h.diff?r1=1.33.2.15&r2=1.33.2.16
CVS update: samba/source/nsswitch
Date: Wed Dec 31 08:45:03 2003
Author: abartlet

Update of /home/cvs/samba/source/nsswitch
In directory dp.samba.org:/tmp/cvs-serv23672/nsswitch

Modified Files:
Tag: SAMBA_3_0
winbindd_pam.c winbindd_util.c

Log Message:
Changes to our PAM code to cope with the fact that we can't handle some domains (in particular, the domain of the current machine, if it is not a PDC)

By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module.

This allows pam_winbind to co-exist with other pam modules for password changes.

Andrew Bartlett

Revisions:
winbindd_pam.c 1.44.2.33 => 1.44.2.34
http://www.samba.org/cgi-bin/cvsweb/samba/source/nsswitch/winbindd_pam.c.diff?r1=1.44.2.33&r2=1.44.2.34
winbindd_util.c 1.73.2.39 => 1.73.2.40
http://www.samba.org/cgi-bin/cvsweb/samba/source/nsswitch/winbindd_util.c.diff?r1=1.73.2.39&r2=1.73.2.40