Re: [Samba] Kerberos and Samba
On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:

On Sat, Apr 10, 2004 at 12:09:49PM +0200, Sensei wrote:

Hi. I've built an afs cell, a kerberos kdc, an openldap server, all kerberized. Now all linux clients can login on the cell using k5 authentication, finding information about their home dirs with ldap. Their homes reside on the afs cell, which allows r/w access since it releases a token from the k5 ticket. All macosx clients can login as well... but what about windows? ^___^;;;

I've been sent here from a kerberos group, telling me samba could be useful. I'd like to avoid creating windows users on every windows client... and I know I can set up an AD server, creating users on kerberos/afs/ldap AND the same users on AD... quite long...

Is samba of any use? Can I grant tickets and tokens via samba, mapping windows home directories on the afs home dir? This information can be retrieved from openldap...

Samba cannot use the kerberos tickets directly - not unless the KDC is Active Directory (for now). But it is possible for Samba to use the same password store. (For NTLM, but not kerberos passwords)

What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend? If you are running Heimdal, what version? Could you run a current snapshot?

While the work is still new, there is support in Heimdal to read Samba password entries in LDAP. There is also an OpenLDAP plugin to set both Samba and Kerberos passwords on password change.

You would need to manually edit your LDAP database, to expose the passwords in 'Samba' format - potentially a dump and restore of the Heimdal entries might do it, if the sambaSamAccount objectClass was added, and you used a current snapshot.

So doing it this way means that you do not need to modify samba in any way? Cool!

Tarjei

(The type 23 arcfour-hmac-md5 enctype is the Samba NT password)

Andrew Bartlett

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Kerberos and Samba
Sensei wrote:
| On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
|
|Samba cannot use the kerberos tickets directly - not unless the KDC is
|Active Directory (for now). But it is possible for Samba to use the
|same password store. (For NTLM, but not kerberos passwords)
|
|What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
|
| MIT K5. The passwords are stored only in the kerberos database.
|
|While the work is still new, there is support in Heimdal to read Samba
|password entries in LDAP. There is also an OpenLDAP plugin to set
|both Samba and Kerberos passwords on password change.
|
|You would need to manually edit your LDAP database, to expose the
|passwords in 'Samba' format - potentially a dump and restore of the
|Heimdal entries might do it, if the sambaSamAccount objectClass was
|added, and you used a current snapshot.
|
| It would be nice to have just kerberos passwords. I've done this with
| ldap (sasl gssapi authentication via k5) and afs (tokens are released on
| ticket releasing).
|
| The main issue is the integrated windows login: a student must login,
| gain tickets and token, and have his windows home dir set to what ldap
| shows him: this means that afs must be enabled at boot.
|
| How would you do this? I don't have any clues...
|

I see a different solution here: User authenticate to a Samba controlled Domain, and because Samba has the Kerberos password(=NTPassword hash) it could impersonate the user, acting to the AFS/Coda cell on behalf of her/him. In this way Samba could become a gateway between Windows clients and AFS/Coda servers. Unfortunately I don't know how could be that implemented.

Cheers,
Geza
Re: [Samba] Samba Shares and Win32 Viruses
Ow Mun Heng wrote:

-Original Message-
From: [EMAIL PROTECTED]

Ow Mun Heng wrote:

Hi Collective users of Samba, (does has a nice ring to it eh?)

Recently I found my samba server being infected by win32 viruses. Though it does not affect the server in any way, I do find them to be an annoyance. I understand also that I can perform veto of files like *.exe in smb.conf but find that to be a wee bit restrictive. There are some users who store valid executables in the shares.

http://hr.uoregon.edu/davidrl/samba-unofficial.html

To prevent access to suspicious files (e.g., those that tend to become infected by viruses), use the following. The last bit prevents access to files with a CLSID in the file extension.

    veto files = /*.exe/*.dll/*.pif/*.com/*.vbs/*.{*}/

the best way will be to use vfs and antivirus software on that shares

Any more info other than that? I found Clam-AV and I also found samba-vscan. How do I set things up? vfs? etc.

Hi, this is simple

    [files3]
        comment = public files
        path = /files3
        read only = No
        guest ok = Yes
        browseable = Yes
        csc policy = disable
        vfs objects = vscan-fprotd

this is for the f-prot daemon, it is equal with clam. you should read man vfs with clam.( for setting up the clam daemon ) other a-vir technics are for dazuko and antivir you don't need vfs, cause it is a kernel module which will scan on the native linux hosts filesystem.

Regards
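An added example (not part of the original posts): a Python audit of which names on a share the `veto files` list quoted above would hide, including legitimate executables and directories whose names happen to match. It approximates Samba's wildcard matching with Python's fnmatch (an assumption); the sample paths are constructed, apart from the two attachment names taken from the bounce notices elsewhere on this page.

```python
"""Audit which names a smb.conf 'veto files' list would hide (added example)."""
import fnmatch
import os

# The veto list quoted in the thread above.
VETO_FILES = "/*.exe/*.dll/*.pif/*.com/*.vbs/*.{*}/"

# Constructed sample paths, relative to a share root. The .pif and .txt.exe
# names are the blocked attachments named in the bounce notices on this page.
SAMPLE_PATHS = [
    "incoming/message_lakshmi.nagasundaram.pif",
    "incoming/websites01.txt.exe",
    "tools/installer.exe",            # a legitimate executable
    "docs/Setup.EXE",                 # same extension, different case
    "docs/report.doc",
    "desktop/notes.{00000000-0000-0000-0000-000000000000}",  # CLSID extension
    "www/example.com/index.html",     # directory name that ends in .com
]


def parse_veto_list(value):
    """Split a 'veto files' value into its '/'-separated patterns."""
    return [p for p in value.split("/") if p]


def vetoed_by(name, patterns):
    """Return the first pattern matching one path component, else None.

    Assumption: fnmatch stands in for Samba's own wildcard matcher, and the
    comparison is case-insensitive.
    """
    lowered = name.lower()
    for pattern in patterns:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return pattern
    return None


def audit_paths(paths, patterns):
    """Map each path to the pattern that vetoes it; any component can match,
    because the veto list applies to directories as well as files."""
    hits = {}
    for path in paths:
        for component in path.replace("\\", "/").split("/"):
            pattern = vetoed_by(component, patterns)
            if pattern:
                hits[path] = pattern
                break
    return hits


def audit_tree(root, patterns):
    """Walk a share's directory on disk and audit every file under it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return audit_paths(found, patterns)


if __name__ == "__main__":
    veto = parse_veto_list(VETO_FILES)
    for path, pattern in audit_paths(SAMPLE_PATHS, veto).items():
        print(f"{pattern:8} hides {path}")
```

Running `audit_tree` against a share before enabling the list shows which existing files users would lose sight of, which is the restriction the original poster was worried about.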
Re: [Samba] Kerberos and Samba
On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:

Samba cannot use the kerberos tickets directly - not unless the KDC is Active Directory (for now). But it is possible for Samba to use the same password store. (For NTLM, but not kerberos passwords)

What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?

MIT K5. The passwords are stored only in the kerberos database.

While the work is still new, there is support in Heimdal to read Samba password entries in LDAP. There is also an OpenLDAP plugin to set both Samba and Kerberos passwords on password change.

You would need to manually edit your LDAP database, to expose the passwords in 'Samba' format - potentially a dump and restore of the Heimdal entries might do it, if the sambaSamAccount objectClass was added, and you used a current snapshot.

It would be nice to have just kerberos passwords. I've done this with ldap (sasl gssapi authentication via k5) and afs (tokens are released on ticket releasing).

The main issue is the integrated windows login: a student must login, gain tickets and token, and have his windows home dir set to what ldap shows him: this means that afs must be enabled at boot.

How would you do this? I don't have any clues...

--
Sensei mailto:[EMAIL PROTECTED] icqnum:241572242 msn-id:[EMAIL PROTECTED]
Error: Keyboard not found. Press F1 to continue...
Re: [Samba] Kerberos and Samba
On Mon, Apr 12, 2004 at 12:05:24PM +0200, Sensei wrote:

On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:

Samba cannot use the kerberos tickets directly - not unless the KDC is Active Directory (for now). But it is possible for Samba to use the same password store. (For NTLM, but not kerberos passwords)

What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?

MIT K5. The passwords are stored only in the kerberos database.

That is a pity.

While the work is still new, there is support in Heimdal to read Samba password entries in LDAP. There is also an OpenLDAP plugin to set both Samba and Kerberos passwords on password change.

You would need to manually edit your LDAP database, to expose the passwords in 'Samba' format - potentially a dump and restore of the Heimdal entries might do it, if the sambaSamAccount objectClass was added, and you used a current snapshot.

It would be nice to have just kerberos passwords. I've done this with ldap (sasl gssapi authentication via k5) and afs (tokens are released on ticket releasing).

The main issue is the integrated windows login: a student must login, gain tickets and token, and have his windows home dir set to what ldap shows him: this means that afs must be enabled at boot.

How would you do this? I don't have any clues...

Not possible for an integrated kerberos solution at this stage - even MS doesn't do pure KRB5, all the time.

VL's presentation at SambaXP was very interesting, he presented an AFS gateway scheme that works with NTLM passwords (hint: it fakes tickets ;-)

You would still use NTLM, and need an NTLM compatible password store for Samba. (DC or access to password hashes)

Andrew Bartlett
Re: [Samba] Kerberos and Samba
On Mon, Apr 12, 2004 at 12:21:41PM +0200, Gémes Géza wrote:

Sensei wrote:
| On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
|
|Samba cannot use the kerberos tickets directly - not unless the KDC is
|Active Directory (for now). But it is possible for Samba to use the
|same password store. (For NTLM, but not kerberos passwords)
|
|What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
|
| MIT K5. The passwords are stored only in the kerberos database.
|
|While the work is still new, there is support in Heimdal to read Samba
|password entries in LDAP. There is also an OpenLDAP plugin to set
|both Samba and Kerberos passwords on password change.
|
|You would need to manually edit your LDAP database, to expose the
|passwords in 'Samba' format - potentially a dump and restore of the
|Heimdal entries might do it, if the sambaSamAccount objectClass was
|added, and you used a current snapshot.
|
| It would be nice to have just kerberos passwords. I've done this with
| ldap (sasl gssapi authentication via k5) and afs (tokens are released on
| ticket releasing).
|
| The main issue is the integrated windows login: a student must login,
| gain tickets and token, and have his windows home dir set to what ldap
| shows him: this means that afs must be enabled at boot.
|
| How would you do this? I don't have any clues...
|

I see a different solution here: User authenticate to a Samba controlled Domain, and because Samba has the Kerberos password(=NTPassword hash) it could impersonate the user, acting to the AFS/Coda cell on behalf of her/him. In this way Samba could become a gateway between Windows clients and AFS/Coda servers. Unfortunately I don't know how could be that implemented.

See Volker's presentation to SambaXP, and the --with-fake-kaserver option to Samba.

Andrew Bartlett
Re: [Samba] Kerberos and Samba
On Mon, Apr 12, 2004 at 11:45:40AM +0200, Tarjei Huse wrote:

So doing it this way means that you do not need to modify samba in any way? Cool!

Correct. There are a few gotchas - most of them should be solved with the smbk5pwd contributed slapd plugin available from OpenLDAP CVS HEAD. I was consulted on the building of this plugin, but have not yet tested it.

(When using the plugin, you need to set 'ldap password sync = only', and don't use password expiry for the time being).

Andrew Bartlett
[Samba] NT4 PDC-Samba 3.0.2 PDC
Hi all,

I try to migrate NT4 to Samba.

I installed following package to my Suse 9:
1 cups-libs-1.1.19-80.i586.rpm
2 libsmbclient-3.0.2-0.i586.rpm
3 libsmbclient-devel-3.0.2-0.i586.rpm
5 samba3-cifsmount-3.0.2-0.i586.rpm
4 samba3-client-3.0.2-0.i586.rpm
6 samba3-doc-3.0.2-0.i586.rpm
7 samba3-utils-3.0.2-0.i586.rpm
8 samba3-vscan-0.3.4-0.i586.rpm
9 samba3-winbind-3.0.2-0.i586.rpm --nodeps
10 samba3-3.0.2-0.i586.rpm

My samba can act as PDC, but

#net rpc join -S NT4PDC -w etc.etc.etc.
bash: net: command not found

What kind of package(s) I have to install?

Does anybody have any kind of writing down NT4 PDC to Samba PDC migration? Because the Official Samba doc is a little bit short.

Thanks!

Regards,
Roland

ICQ: 173539771
Re: [Samba] Kerberos and Samba
Hi,

See Volker's presentation to SambaXP, and the --with-fake-kaserver option to Samba.

Where can I find this and the other sambaxp presentations? I tried the sambaxp website, but no go :-(

Tarjei

Andrew Bartlett
Re: [Samba] NT4 PDC-Samba 3.0.2 PDC
Lancsr Roland wrote:
| Hi all,
|
| I try to migrate NT4 to Samba.
|
| I installed following package to my Suse 9:
| 1 cups-libs-1.1.19-80.i586.rpm
| 2 libsmbclient-3.0.2-0.i586.rpm
| 3 libsmbclient-devel-3.0.2-0.i586.rpm
| 5 samba3-cifsmount-3.0.2-0.i586.rpm
| 4 samba3-client-3.0.2-0.i586.rpm
| 6 samba3-doc-3.0.2-0.i586.rpm
| 7 samba3-utils-3.0.2-0.i586.rpm
| 8 samba3-vscan-0.3.4-0.i586.rpm
| 9 samba3-winbind-3.0.2-0.i586.rpm --nodeps
| 10 samba3-3.0.2-0.i586.rpm
|
| My samba can act as PDC, but
|
| #net rpc join -S NT4PDC -w etc.etc.etc.
| bash: net: command not found
|
| What kind of package(s) I have to install?
|
| Does anybody have any kind of writing down NT4 PDC to Samba PDC migration?
| Because the Official Samba doc is a little bit short.
|
| Thanks!
|
| Regards,
| Roland
|
| ICQ: 173539771
|

Try net3, my Mandrake RPMS have renamed everything to the 3 suffix to avoid conflicts with possibly existing samba-2 utilities.

Regards,
Geza
Re: [Samba] Kerberos and Samba
Tarjei Huse wrote:
| Hi,
|
|See Volker's presentation to SambaXP, and the --with-fake-kaserver
|option to Samba.
|
| Where can I find this and the other sambaxp presentations? I tried the sambaxp website, but no go :-(

I must agree :-( , I just wanted to ask the same question, when your e-mail arrived.

Cheers,
Geza
[Samba] Undeliverable message returned to sender
This message was created automatically by mail delivery software.

Delivery failed for the following recipients(s): [EMAIL PROTECTED]

The message you sent contained an attachment which the recipient has chosen to block. Usually these sort of attachments are blocked to prevent malicious software from being sent to the recipient in question.

The name(s) of the blocked file(s) follow: message_lakshmi.nagasundaram.pif

To send this file, please place it in a compressed archive using WinZip (http://www.winzip.com) or the archive software of your choice.

- Original Message Header -
Received: by mail22-res (MessageSwitch) id 1081772619557725_1341; Mon, 12 Apr 2004 12:23:39 + (UCT)
Received: from mail.sprint.com (unknown [203.129.238.173]) by mail22-res.bigfish.com (Postfix) with ESMTP id 4187D2EC149 for [EMAIL PROTECTED]; Mon, 12 Apr 2004 12:23:36 + (UCT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Test
Date: Mon, 12 Apr 2004 17:50:52 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0016=_NextPart_000_0016
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: [EMAIL PROTECTED]
[Samba] Getting information from a SMB service
I want to get all the information possible from a smb server that I only have an IP address. How may I do that? (maybe using smbclient)
Re: [Samba] Getting information from a SMB service
On Mon, Apr 12, 2004 at 12:28:45PM +, HUGOMAUREIRAD wrote:

I want to get all the information possible from a smb server that I only have an IP address. How may I do that? (maybe using smbclient)

Tools like nessus do a pretty scary job on this...

Andrew Bartlett
[Samba] Password must change - 10 days
When I set password lifetime to, say 90 days using

pdbedit -P "maximum password age" -C 7776000

Attribute Password must change is calculated using this formula:

sambaPwdMustChange = sambaPwdLastSet + 90 days.

Is it possible to get warning message before actually force user to change their password, I mean is it possible to get this formula:

sambaPwdMustChange = (sambaPwdLastSet + 90 days) - 10 days

--beast
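An added example (not part of the original post, and not a Samba feature): a Python report that applies the formula above to sambaPwdLastSet values read from LDIF and flags accounts inside the 10-day window, leaving the enforced sambaPwdMustChange untouched. The LDIF entries, DNs and the fixed "now" timestamp are constructed for the example, and the parser assumes plain `attr: value` lines without folding or base64.

```python
"""Flag accounts whose Samba password expires soon (added example)."""

DAY = 86400
MAX_PASSWORD_AGE = 7776000   # seconds; the value given to pdbedit in the post (90 days)
WARN_WINDOW = 10 * DAY       # the 10-day notice the post asks about

# Constructed sample: sambaSamAccount entries as an LDAP search might return them.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
sambaPwdLastSet: 1074384000

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
sambaPwdLastSet: 1080000000

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
sambaPwdLastSet: 1073520000

dn: uid=dave,ou=People,dc=example,dc=org
uid: dave
"""
SAMPLE_NOW = 1081728000      # constructed "now": 2004-04-12 00:00:00 UTC


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF into a list of dicts, one per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        current[attr] = value.strip()
    if current:
        entries.append(current)
    return entries


def password_status(entry, now, max_age=MAX_PASSWORD_AGE, warn=WARN_WINDOW):
    """Classify one entry with must_change = sambaPwdLastSet + max_age."""
    raw = entry.get("sambaPwdLastSet")
    if raw is None or not raw.isdigit():
        return ("unknown", None)          # attribute missing or malformed
    must_change = int(raw) + max_age
    remaining = must_change - now
    if remaining <= 0:
        return ("expired", must_change)
    if remaining <= warn:
        return ("warn", must_change)
    return ("ok", must_change)


def expiry_report(ldif_text, now):
    """Return {uid: (status, whole days left)}; days is None when unknown."""
    report = {}
    for entry in parse_ldif(ldif_text):
        status, must_change = password_status(entry, now)
        days = None if must_change is None else (must_change - now) // DAY
        report[entry.get("uid", entry.get("dn", "?"))] = (status, days)
    return report


if __name__ == "__main__":
    for uid, (status, days) in sorted(expiry_report(SAMPLE_LDIF, SAMPLE_NOW).items()):
        print(uid, status, days)
```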
[Samba] Problem with Samba 2.2.8a-107 on SuSE 9.0 and 8.3 filenames
Hi...

I noticed a bug with samba 2.2.8a on my SuSE 9.0 box. I use the UltraEdit text editor to edit my php files in a samba share. By default this text editor places .bak files next to the changed file.

What I now noticed was this problem: I edit a file 1234567.php and it generates a file 1234567.php.bak. I can open and edit the 1234567.php normally. I edit a file 123456789.php with the same result as the 1234567.php.

But: Once I edit a file 12345678.php and the 12345678.php.bak file is generated, the text editor no longer can access the 12345678.php. If I try to open the 12345678.php any application (i.e. even notepad.exe) only opens the 12345678.php.bak file. I tried this with several file names. It only happens with filenames that have exactly 8.3 characters.

This seems to me like a genuine bug in handling those files. I attached my smb.conf in case it only is a configuration error, but this behaviour seems rather strange just to be a configuration error, since it only happens with files that have the mentioned specific filename format.

So long,
Marc...

--
Quoting, forwarding or paraphrasing any of the above contents to third parties is prohibited without the express written permission of the author(s).

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/04/12 14:38:57

# Global parameters
[global]
    workgroup = MYNET
    server string = Linux Server Homesamba
    interfaces = eth0 ipsec0 127.0.0.1
    security = DOMAIN
    encrypt passwords = Yes
    map to guest = Bad User
    null passwords = Yes
    password server = server01.mynet.de.
    username map = /etc/samba/user.map
    log level = 1
    syslog = 0
    time server = Yes
    unix extensions = Yes
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    printcap name = CUPS
    character set = ISO8859-15
    os level = 2
    wins server = 192.168.123.234
    remote announce = 192.168.123.234
    printing = cups
    hide dot files = No
    map archive = No
    mangled names = No

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0640
    directory mask = 0750
    browseable = No

[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

[www]
    comment = Linux Files
    path = /srv/www/
    username = root,sysadmin
    invalid users = admin
    valid users = root,sysadmin
    read only = No
    create mask = 0664
Re: [Samba] Getting stats for logged in domain users?
Also, SWAT will display this information graphically and can be made to automatically refresh under the Status link. I have found SWAT to be fairly convenient for viewing connections, viewing current smb.conf file, and for restarting the Samba services. Just be careful if using SWAT, if you use it to change your Samba config, it will overwrite your current file, eliminating comments, and only showing nonstandard config options.

Way to go depends on whether you need to use the information for another process, or if you're just monitoring.

Jason McGlamary
PC/LAN Specialist
Washington Hospital Center

Frode Lillerud [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/11/2004 10:52 AM
To [EMAIL PROTECTED]
cc
Subject [Samba] Getting stats for logged in domain users?

Samba 3.0.2a, Debian linux, 2.6.x kernel, PDC server, WinXP clients.

Hi, I'm setting up a samba server for one of our branch offices. During the monitoring of the server I'd like to be able to view how many domain users, and which ones, are logged in on the domain at particular times. The users use WinXP.

Is there any way of getting number of logged on domainusers, their IP's or usernames?

My alternative way is to write a perl script to analyze the samba logfiles.

Thanks
Frode
[Samba] Windows 2003 problem
I'm running Version 3.0.2-7 on Fedora Core 1 and I am trying to back up a windows 2003 server to this box. When I try to mount I get session setup failed:NTSTATUS_LOGON_FAILURE. I have looked all around for an answer and I see that it has happened to many other people but I have not found an answer that works. I made sure I had the right password, I have even tried administrator but this will not work. Any clues?

Thanks in advance!

Curt Shaffer
Wireless/Network Specialist
Chilitech Internet Solutions
www.chilitech.com
1-800-866-chili
[Samba] Undeliverable message returned to sender
This message was created automatically by mail delivery software.

Delivery failed for the following recipients(s): [EMAIL PROTECTED]

The message you sent contained an attachment which the recipient has chosen to block. Usually these sort of attachments are blocked to prevent malicious software from being sent to the recipient in question.

The name(s) of the blocked file(s) follow: websites01.txt.exe

To send this file, please place it in a compressed archive using WinZip (http://www.winzip.com) or the archive software of your choice.

- Original Message Header -
Received: by mail3-haw (MessageSwitch) id 108178091340289_11139; Mon, 12 Apr 2004 14:41:53 + (UCT)
Received: from crystal.cirrus.com (unknown [200.48.230.192]) by mail3-haw.bigfish.com (Postfix) with ESMTP id 22FFE2B7E09 for [EMAIL PROTECTED]; Mon, 12 Apr 2004 14:41:44 + (UCT)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Notice again
Date: Mon, 12 Apr 2004 09:41:50 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0016=_NextPart_000_0016
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: [EMAIL PROTECTED]
[Samba] DOS Long Directory names?
Hi list,

Having some trouble getting Samba to properly display directory names for a DOS machine. Basically, I have a few old DOS 6.2 boxes mapped to a Samba box to drop some files into. The folder name on the Samba box is 'filerouter' (no quotes). Under the normal DOS filename structure, I would assume the name would be adjusted to filerou~1, or something similar, to fit with the 8.3 standard. Instead, I'm getting something very strange like FF8DZ9~C.

I've been trying to find out if there is any way I can control this, or get Samba to properly display the directory name under DOS, but so far I haven't had much luck. I did try playing around a bit with the 'mangled names' option in the smb.conf file. If I force mangled names to be turned off, then I can't see any folders at all unless I create them from DOS, but then I lose some functionality from other programs that look to this folder.

We have a bunch of DOS scripts set up though, looking for the folder name to include the ~ in the path, so I'm hoping there is a way to get this set up properly. Anyone have any advice? I don't see why Samba is doing this, or how it could be a good thing. If I had more than 1 folder that was longer than 8 characters, there is no way I'd be able to tell which folder was which with these strange, cryptic names. Other Linux boxes and Windows boxes see the folders just fine, just not DOS. How can I specify how I want these folder displayed?

BTW, the Linux box is running Fedora Core 1 with all the latest updates installed.

Thanks,
Brandon
[Samba] secret.tdb copied from server to server
Hello there,

We have Samba 3.0.2a installed on two solaris 8 servers in a failover cluster (using Veritas Cluster Server). We're using it for windows and unix print servers. Right now, we have one server with one netbios name advertised (printserver1) and the other with a netbios name of printserver2. Both have been joined to our windows NT 4.0 domain. We have an interface that fails back and forth between the two boxes and we have the DNS name for this interface's IP set to printserver1.

Everything is working now, but I'm wondering about making a change. Can I (or should I :) , copy the secret.tdb file from printserver1 to printserver2 as well as change the netbiosname being advertised on printserver2 to printserver1. Just don't know if this would cause problems or not.

-Tim
[Samba] Initial samba + ldap howto
A couple of days ago I decided that I needed a samba and ldap setup. After reading the samba mailing list, specifically the thread Re: [Samba] Samba and LDAP backend - howto docs problems? I decided to buy the Official Samba-3 HowTo and Reference guide, (the Samba-3 By Example mentioned in that thread wasn't available in my bookstore and they couldn't order it for me too) expecting to find a workable example for a setup, as I made out more or less from the remarks in that thread there would be, chapter 2 specifically.

That chapter has an example (page 26) but I wouldn't recommend to actually use it, it's very limited and inaccurate, lacks information of what more is needed, which additional system packages etc. It says in the beginning that a functioning os is assumed, but that's rather vague on what implies a functioning os. From page 136 on there are some more examples of ldap pwdbackend, but hardly sufficient.

http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy info on how to get samba-3 and ldap working, but that document seems to be incomplete and transitioning from samba-2 to samba-3.

One of the posters on the aforementioned thread remarked that an accurate, complete into detail, config file is a great help for learning to grasp what has to be done, and how things work together, I agree and following are the steps I took to get a working samba-3 + ldap install. I hardly know anything of linux or samba, let alone ldap, but from the mailing list I understood that the following is necessary:

A goal: get samba + ldap on slackware 9.1 with support for acl's in a usable state working.
The means:
slackware-9.1
acl-2.2.22.src.tar.gz
attr-2.4.14.src.tar.gz
ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
linux-2.4.24.tar.gz
coreutils-5.0-attr+acl.tar.gz
nss_ldap.tgz
pam_ldap.tgz
perl-5.8.3.tar.gz
openldap-2.1.19.tgz
ldap-account-manager_0.4.5.tar.gz
Linux-PAM-0.77.tar.bz2
openssl-0.9.7d.tar.gz
db-4.2.52.tar.gz
samba-3.0.2a.tar.gz
smbldap-tools-0.8.4.tgz

I made the following install and configs, I don't know how correct or secure or unnecessary they were, in the end I had a complete and correct functioning ldap + samba setup, that was usable. It was especially frustrating to get tls connection working, it kept failing with the following error:

TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052

samba and ldap run on the same server. Besides the documented config for slapd: (etc/openldap/slapd.conf)

TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile /etc/ssl/certs/ca.pem

quite important it is also that ldap knows how to verify: (/etc/ldap.conf symlink to /etc/openldap/ldap.conf):

TLS_CACERT /etc/ssl/certs/ca.pem

Maybe the documentation that exists mentions it, but I couldn't find it.

http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually fairly helpful to get things right, including the initial populating of the ldap database. Their site mentions two config files in /etc/smbldap-tools, but I think that configuration is overruled by the file /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm, which contains the same info as those config files. I moved the /etc/smbldap-tools away and everything still worked correctly with the parameters from /usr/lib/perl5/site_perl/5.8.3/smbldap_conf.pm. Also, I don't think pam_ldap is necessary if you don't have linux users.
Anyways, if the following example would have been in the howto, I wouldn't have wasted 4 days, figuring out what was wrong/incomplete with the current example in the howto book, but could have spent that time figuring out what it all means. Everything comes from various websites, but there is no site where it is complete in one place.

-slackware 9.1 standard installation without samba and ldap etc. only basic + compiler + cups.

-openssl-0.9.7d
./config --prefix=/usr --openssldir=/etc/ssl shared zlib ; make ; make install

-perl-5.8.3 built with prefix=/usr , defaults accepted.
perl -MCPAN -e 'shell'
install Bundle::CPAN (chose follow for dependencies)
install Net::LDAP
install Net::SSLeay
install IO::Socket::SSL
Net::SSLeay failed because of out of memory during tcp tests (I built everything on a dual P233 MMX with 104Mb of edo-ram), but manually it installed fine.

-Linux-PAM-0.77
./configure --prefix=/ --includedir=/usr/include --mandir=/usr/share/man \
  --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc \
  --localstatedir=/var --infodir=/usr/share/info --sharedstatedir=/usr/share/com
make install.

/etc/pam.d/passwd :
password  required    pam_cracklib.so
password  sufficient  pam_ldap.so
password  sufficient  pam_unix.so
password  required    pam_deny.so

/etc/pam.d/login
auth      required    pam_nologin.so
auth      sufficient  pam_ldap.so
auth      sufficient  pam_unix.so shadow use_first_pass
auth      required    pam_deny.so
account sufficient
Re: [Samba] Initial samba + ldap howto
Wim,

Thanks for this information. Later this week, I'm scheduled to attempt installation of SAMBA+LDAP using the by Example book. I'll let you know how it goes.

The by Example book seems better than the How-To in terms of practical information needed to get a server up and running. Only problem with the by Example book is that it's a bit long. In addition, it does the same thing every other Linux book does, that is it goes into detail about too many approaches to doing things.

When I searched for the word Linux on Amazon, I came up with 3,735 books. I wish one of them specifically outlined how to do what I want done, that is a book that helps me configure a SBS (microsoft small business server) replacement. I may be missing something, but in essence it would be a series of books:

Replacing SBS with Linux (second edition):
1. Download install Fedora
2. Install LDAP and configure for use with SAMBA postfix
3. Download install Samba
4. Download install postfix/courier/squirrelmail
5. Download install ClamAV/Spam Assassin/TDMA
6. Download install Apache
7. Keeping system up to date with YUM
8. Appendix 1 - Updating first edition of this book

Replacing linksys with Linux
1. Configuring netfilter
2. Configuring VPN - Server
3. Configuring VPN - Client
4. Download install dansguardian.
5. Configure PPPOE

There could be different books for different distributions. Most people reading (myself included) don't care about many of the decisions. For example I don't care about Fedora vs SUSE vs Debian, I am going with Fedora at this time because I wanted ACLs found in Kernel 2.6. I don't care about Courier vs Dovecot. I do care about LDAP because this is the holy grail of system administration, with LDAP, you can have a central addressbook / account store etc just like NWAdmin or Domain manager.

John

Wim Bakker wrote:

A couple of days ago I decided that I needed a samba and ldap setup.
After reading the samba mailing list, specifically the thread Re: [Samba] Samba and LDAP backend - howto docs problems? I decided to buy the Official Samba-3 HowTo and Reference guide (the Samba-3 By Example mentioned in that thread wasn't available in my bookstore and they couldn't order it for me too), expecting to find a workable example for a setup, as I made out more or less from the remarks in that thread there would be, chapter 2 specifically. That chapter has an example (page 26) but I wouldn't recommend to actually use it, it's very limited and inaccurate, lacks information of what more is needed, which additional system packages etc. It says in the beginning that a functioning os is assumed, but that's rather vague on what implies a functioning os. From page 136 on there are some more examples of ldap pwdbackend, but hardly sufficient.

http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy info on how to get samba-3 and ldap working, but that document seems to be incomplete and transitioning from samba-2 to samba-3.

One of the posters on the aforementioned thread remarked that an accurate, complete into detail, config file is a great help for learning to grasp what has to be done, and how things work together. I agree, and following are the steps I took to get a working samba-3 + ldap install. I hardly know anything of linux or samba, let alone ldap, but from the mailing list I understood that the following is necessary:

A goal: get samba + ldap on slackware 9.1 with support for acl's in a usable state working.
The means:
  slackware-9.1
  acl-2.2.22.src.tar.gz
  attr-2.4.14.src.tar.gz
  ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
  linux-2.4.24.tar.gz
  coreutils-5.0-attr+acl.tar.gz
  nss_ldap.tgz
  pam_ldap.tgz
  perl-5.8.3.tar.gz
  openldap-2.1.19.tgz
  ldap-account-manager_0.4.5.tar.gz
  Linux-PAM-0.77.tar.bz2
  openssl-0.9.7d.tar.gz
  db-4.2.52.tar.gz
  samba-3.0.2a.tar.gz
  smbldap-tools-0.8.4.tgz

I made the following install and configs, I don't know how correct or secure or unnecessary they were, in the end I had a complete and correct functioning ldap + samba setup, that was usable. It was especially frustrating to get tls connection working, it kept failing with the following error:

  TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052

samba and ldap run on the same server. Besides the documented config for slapd (etc/openldap/slapd.conf):

  TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
  TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
  TLSCACertificateFile /etc/ssl/certs/ca.pem

quite important it is also that ldap knows how to verify (/etc/ldap.conf symlink to /etc/openldap/ldap.conf):

  TLS_CACERT /etc/ssl/certs/ca.pem

Maybe the documentation that exists mentions it, but I couldn't find it. http://www.idealx.org/prj/samba/smbldap-tools.en.html was eventually fairly helpful to get things right, including the initial populating of the ldap database. Their site mentions two config files in /etc/smbldap-tools, but I think that configuration is overruled by the
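The client-side trust requirement described in the post above, as an added example that is not part of the original message: a small checker that reads a slapd.conf excerpt and a client ldap.conf and reports when the client has no CA to verify the server with. The sample files are constructed around the directives quoted in the post; the BASE/URI values and the function names are assumptions, and the `TLS_REQCERT` check goes one step beyond the post to catch the common "fix" of switching verification off.

```python
"""Cross-check slapd's TLS directives against the client's ldap.conf (added example)."""

SERVER_REQUIRED = ("TLSCertificateFile", "TLSCertificateKeyFile", "TLSCACertificateFile")

# Constructed excerpt; the three directive values are the ones quoted in the post.
SLAPD_CONF = """\
# slapd.conf (excerpt)
TLSCertificateFile     /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile  /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile   /etc/ssl/certs/ca.pem
"""

# Constructed client file as it looks before the fix: no trust anchor at all.
LDAP_CONF_BEFORE = """\
# ldap.conf
BASE  dc=example,dc=org
URI   ldap://ldap.example.org
"""

# Client file after the fix described in the post.
LDAP_CONF_AFTER = LDAP_CONF_BEFORE + "TLS_CACERT  /etc/ssl/certs/ca.pem\n"


def parse_directives(text):
    """Return {lower-cased keyword: value}; skips '#' comments, joins indented continuations."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # slapd.conf continuation line
        else:
            logical.append(raw.strip())
    directives = {}
    for line in logical:
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return directives


def check_tls_trust(slapd_text, ldap_text):
    """Return a list of finding codes; an empty list means both sides are consistent."""
    server = parse_directives(slapd_text)
    client = parse_directives(ldap_text)
    findings = []
    for name in SERVER_REQUIRED:
        if name.lower() not in server:
            findings.append("server-missing:" + name)
    if "tls_cacert" not in client and "tls_cacertdir" not in client:
        # The client cannot build a chain to a trusted CA and aborts the
        # handshake; slapd then logs the peer's "unknown ca" alert.
        findings.append("client-no-trust-anchor")
    # TLS_REQCERT defaults to "demand"; "never" and "allow" accept unverifiable
    # certificates, which hides the error instead of fixing trust.
    if client.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        findings.append("client-verification-disabled")
    return findings


if __name__ == "__main__":
    print("before:", check_tls_trust(SLAPD_CONF, LDAP_CONF_BEFORE))
    print("after: ", check_tls_trust(SLAPD_CONF, LDAP_CONF_AFTER))
```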
Re: [Samba] Initial samba + ldap howto
On Monday 12 April 2004 18:33, you wrote:

Wim, Thanks for this information. Later this week, I'm scheduled to attempt installation of SAMBA+LDAP using the by Example book. I'll let you know how it goes. The by Example book seems better than the How-To in terms of practical information needed to get a server up and running. Only problem with the by Example book is that it's a bit long. In addition, it does the same thing every other Linux book does, that is it goes into detail about too many approaches to doing things.

The By Example book is most likely much better information to get samba + ldap running, only I couldn't get my hands on it in the short term. I suppose books have to be verbose about all kinds of different possibilities but then forget to be detailed enough for a specific setup, which leaves you with still not enough information to get the job done.

example I don't care about Fedora vs SUSE vs Debian, I am going with Fedora at this time because I wanted ACLs found in Kernel 2.6. I don't care about Courier vs Dovecot. I do care about LDAP because this is the holy grail of system administration, with LDAP, you can have a central addressbook / account store etc just like NWAdmin or Domain manager.

I found the acl support in 2.6 series not completely compatible. I still have to look into it deeper, but I had problems with the desired behaviour of acl support under 2.6.x. For now I stick with 2.4.x because I also need ipsec on the same box, and ipsec on 2.6.x is quite different from 2.4.x. And 2.6.4 and higher had a funny way of dealing with, at least, intel e1000 drivers, maybe other drivers too.

Good luck
WB
[Samba] Windows briefcase on samba share
Try this link. Might shed some light. http://support.microsoft.com/default.aspx?scid=kb;en-us;307885#7
[Samba] Security patches for Samba 2.2.x
Dear Samba members,

I am looking for a list of security weaknesses discovered in the samba 2.2.x codebase and fixes for them, starting from Samba 2.2.5. The motivation is to plug the known security loopholes in the samba component I am working on as part of a larger product. I would appreciate any pointer to it.

Thanks in advance,
-Arup Biswas
[Samba] Samba / Ldap Password Issues - bump ;-)
Sorry to repost this question.. But I am at my wits end.. The server has been off line for 2 weeks. So I will have to downgrade to samba 2.X by the end of the day unless a miracle happens ;)

I'm having some issues with samba 3 and my ldap passwords. First I'll tell you what I'm working with.

Ldap server is RH 7.3 and openldap 2.0.25 DBM
Samba 3.0.2a-1 using ldapsam_compat (Compiled from RPM source by me) on RHEL 3
Samba 2.2.8-1.ldap on RH9

--

The Samba 2 works great. Auth against ldap no problem, has been for over a year.

The Samba 3 does not work.. Well not really. If I change the user's password using smbldap-passwd.pl (or the ldap webmin module) to the same (or different) password they had before it works. When I look at the nt and lan hashes in the ldap records they have not changed! It's almost like I need to some how touch the ldap record for it to work. This is really confusing.. Any one have an idea?

- Jamie

Here's a sample LDIF record

dn: uid=mimc08,ou=People,dc=newberg,dc=k12,dc=or,dc=us
shadowLastChange: 12370
rid: 11126
primaryGroupID: 11127
acctFlags: [U ]
gecos: Millen Mc
uidNumber: 5063
userPassword: {crypt}PIsNAk2Yp2XmU
gidNumber: 501
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetorgperson
objectClass: apple-user
objectClass: extensibleObject
objectClass: newberg
lmPassword: 57E3A052197F90B0AAD3B435B51404EE
homeDirectory: /data/students/mimc08
ntPassword: DF32985352318202CC224ECFD06B0599
cn: Millen Mc
sn: null
loginShell: /bin/false
uid: mimc08

---

Here's a copy of my smb.conf

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/04/05 14:33:34

# Global parameters
[global]
    log level = 10
    wins support = Yes
    ldap server = ldap.newberg.k12.or.us
    ldap port = 389
    passdb backend = ldapsam_compat:ldap://ldap.newberg.k12.or.us/, guest
    ldap suffix = dc=newberg,dc=k12,dc=or,dc=us
    ldap admin dn = uid=root,ou=People,dc=newberg,dc=k12,dc=or,dc=us
    ldap ssl = no

[homes]
    valid users = %S
    read only = No
    browseable = No
[Samba] Computer Accounts in Samba 3.0.2a
I have a SAMBA 3.0.2a server running against AD. Everything works fine. I've modified my /etc/pam.d/samba to create account and share on the fly. What I'm looking for is for samba/pam not to create a share for the computer account accessing the share. Thanks!

Here's my configs:

/etc/samba/smb.conf:

[global]
    # main - domain membership and security
    workgroup = CCSU_ACA_COMP
    server string = File Server
    obey pam restrictions = yes
    security = ADS
    realm = STUDENTS.CCSU.EDU
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    interfaces = lo eth0
    max log size = 1
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    load printers = No
    log level = 2 passdb:2 auth:2 winbind:2

    # netbios config
    # setting to 'no' disables other domains users shares to be created
    # in general the user will be rejected since the account name is not
    # being cached by winbind
    # allow trusted domains = no
    lm announce = no
    local master = no
    domain master = no
    os level = 0

    # winbind config
    winbind uid = 1-3
    winbind gid = 1-3
    winbind enum users = no
    winbind enum groups = no
    template homedir = /cifs/users/%U
    template shell = /bin/false
    winbind separator = #

[homes]
    comment = Home Directory
    browsable = no
    writable = yes
    valid users = %D#%U
    invalid users = @%D#Domain Computers
    create mode = 0664
    directory mode = 0775

/etc/pam.d/samba

#%PAM-1.0
auth     required pam_nologin.so
auth     required pam_stack.so service=system-auth
account  required pam_stack.so service=system-auth
session  required pam_mkhomedir.so skel=/etc/skelfile umask=0022
#session required pam_script.so onsessionopen=/etc/samba/add_user.sh
session  required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
[Samba] 3.0.2a configure WARNINGS on AIX 5.1 ML5
Environment:
  AIX 5.1 ML5
  gcc-2.9
  Samba 3.0.2a
  ids510 (IBM's ldap)

I've been told that I need to compile Samba 3.0.2a with ads and ldap support so that it will authenticate with our Windows 2003 domain after NTLM is turned off. However, when I run configure I get the following warnings:

  configure: WARNING: libldap is needed for LDAP support
  configure: WARNING: Active Directory Support requires LDAP support

First I used the openldap from IBM's Linux Toolkit web site, then I downloaded UCLA's openldap.2.2.8.tar and put it in /usr/local, then I installed IBM's ldap, ids510. Same results.

Here is the last iteration of my configure script:

  export LIBPATH=/usr/local/lib:$LIBPATH
  ./configure \
    --with-libiconv=/usr/local/special \
    --with-ldap=/usr/ldap \
    --with-ads=/usr/ldap

configure completes, with the WARNINGS I mention above, and I'm able to run make and make install, but when NTLM is shut off Samba no longer works.

Thank you in advance for your assistance.
[Samba] Restricting printer views
Greetings Admins,

We have a samba3.0.2a + cups 1.1.20 print server to serve printing for our Windows XP clients. Samba is configured with security = ADS. So when a client maps the print server (ie: \\printserver) then all the printers are displayed, available for point print. How do you hide printers from specific users? We have academic printers and administrative printers. Academic users should not be able to see administrative printers and vice versa.

much appreciated,
Ryan

Here is my smb.conf:

[global]
    workgroup = SOMEWORKGROUP
    netbios name = somename
    log file = /usr/local/samba/logs/%m.log
    max log size = 5
    debug level = 5
    name resolve order = wins bcast
    wins server = some.host.domain
    wins proxy = no
    wins support = no
    dns proxy = yes
    local master = no
    preferred master = no
    domain master = no
    os level = 0
    security = ADS
    encrypt passwords = yes
    password server = *
    realm = some.host.domain
    interfaces = 123.45.67.8/24
    allow hosts = 123.45. localhost
    printing = cups
    printcap name = cups
    load printers = yes
    socket options = TCP_NODELAY

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    public = yes
    writeable = no
    printable = yes
    printer admin = root
    create mode = 0700

[print$]
    comment = Printer Drivers
    path = /usr/local/samba/drivers
    browseable = yes
    guest ok = no
    read only = yes
    write list = root
Re: [Samba] Samba / Ldap Password Issues - bump ;-)
Hello jamie,

in Samba 3 the LDAP schema has changed. For example: lmPassword has changed to sambaLMPassword

Please read this first: http://de.samba.org/samba/docs/man/upgrading-to-3.0.html

matze

Sorry to repost this question.. But I am at my wits end.. The server has been off line for 2 weeks. So I will have to downgrade to samba 2.X by the end of the day unless a miracle happens ;)

I'm having some issues with samba 3 and my ldap passwords. First I'll tell you what I'm working with.

Ldap server is RH 7.3 and openldap 2.0.25 DBM
Samba 3.0.2a-1 using ldapsam_compat (Compiled from RPM source by me) on RHEL 3
Samba 2.2.8-1.ldap on RH9

--

The Samba 2 works great. Auth against ldap no problem, has been for over a year.

The Samba 3 does not work.. Well not really. If I change the user's password using smbldap-passwd.pl (or the ldap webmin module) to the same (or different) password they had before it works. When I look at the nt and lan hashes in the ldap records they have not changed! It's almost like I need to some how touch the ldap record for it to work. This is really confusing.. Any one have an idea?

- Jamie

Here's a sample LDIF record

dn: uid=mimc08,ou=People,dc=newberg,dc=k12,dc=or,dc=us
shadowLastChange: 12370
rid: 11126
primaryGroupID: 11127
acctFlags: [U ]
gecos: Millen Mc
uidNumber: 5063
userPassword: {crypt}PIsNAk2Yp2XmU
gidNumber: 501
objectClass: account
objectClass: posixAccount
objectClass: sambaAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetorgperson
objectClass: apple-user
objectClass: extensibleObject
objectClass: newberg
lmPassword: 57E3A052197F90B0AAD3B435B51404EE
homeDirectory: /data/students/mimc08
ntPassword: DF32985352318202CC224ECFD06B0599
cn: Millen Mc
sn: null
loginShell: /bin/false
uid: mimc08

---

Here's a copy of my smb.conf

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/04/05 14:33:34

# Global parameters
[global]
    log level = 10
    wins support = Yes
    ldap server = ldap.newberg.k12.or.us
    ldap port = 389
    passdb backend = ldapsam_compat:ldap://ldap.newberg.k12.or.us/, guest
    ldap suffix = dc=newberg,dc=k12,dc=or,dc=us
    ldap admin dn = uid=root,ou=People,dc=newberg,dc=k12,dc=or,dc=us
    ldap ssl = no

[homes]
    valid users = %S
    read only = No
    browseable = No
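The schema change matze points to, as an added example that is not part of the thread: a script that parses LDIF, tells Samba 2.2 entries (objectClass sambaAccount, read by ldapsam_compat) from Samba 3 entries (objectClass sambaSamAccount, read by ldapsam), lists the attribute renames an entry would need, and checks the result against a `passdb backend` value. The sample entries are constructed with placeholder hashes, and the function names are assumptions.

```python
"""Classify Samba LDAP account entries by schema generation (added example)."""
import base64

# Samba 2.2 (sambaAccount) attribute -> Samba 3 (sambaSamAccount) attribute.
LEGACY_TO_SAMBA3 = {
    "lmPassword": "sambaLMPassword",
    "ntPassword": "sambaNTPassword",
    "acctFlags": "sambaAcctFlags",
    "pwdLastSet": "sambaPwdLastSet",
    "pwdCanChange": "sambaPwdCanChange",
    "pwdMustChange": "sambaPwdMustChange",
    "rid": "sambaSID",                       # the RID becomes the tail of a full SID
    "primaryGroupID": "sambaPrimaryGroupSID",
}
BACKEND_FOR_SCHEMA = {"samba2": "ldapsam_compat", "samba3": "ldapsam"}

# Constructed sample: one old-style and one new-style entry, placeholder hashes.
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaAccount
uid: user1
rid: 11126
primaryGroupID: 11127
acctFlags: [U          ]
lmPassword: 00000000000000000000000000000000
ntPassword: 00000000000000000000000000000000

dn: uid=user2,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: user2
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaAcctFlags: [U          ]
sambaNTPassword: 00000000000000000000000000000000
"""


def parse_ldif(text):
    """Return [{attr_lower: [values]}]; unfolds continuation lines, decodes 'attr:: base64'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 folded line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def classify(entry):
    """Return (schema, renames) where schema is samba2, samba3, mixed or none."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    legacy, modern = "sambaaccount" in classes, "sambasamaccount" in classes
    schema = "mixed" if legacy and modern else "samba2" if legacy else "samba3" if modern else "none"
    renames = {old: new for old, new in LEGACY_TO_SAMBA3.items() if old.lower() in entry}
    return schema, renames


def ldap_backend(passdb_backend):
    """Pick the LDAP module out of e.g. 'ldapsam_compat:ldap://host/, guest'."""
    for item in passdb_backend.replace(",", " ").split():
        module = item.split(":", 1)[0]
        if module in BACKEND_FOR_SCHEMA.values():
            return module
    return None


def audit(ldif_text, passdb_backend):
    """Report, per Samba account entry, whether the configured backend reads its schema."""
    module = ldap_backend(passdb_backend)
    report = []
    for entry in parse_ldif(ldif_text):
        schema, renames = classify(entry)
        if schema == "none":
            continue
        expected = BACKEND_FOR_SCHEMA.get(schema)    # None for "mixed"
        report.append({
            "dn": entry["dn"][0],
            "schema": schema,
            "readable_by": expected,
            "matches_backend": expected is not None and expected == module,
            "renames_needed": renames,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF, "ldapsam_compat:ldap://ldap.example.org/, guest"):
        print(row)
```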
RE: [Samba] NT4 PDC-Samba 3.0.2 PDC
| I installed following package to my Suse 9:
| 1 cups-libs-1.1.19-80.i586.rpm
| 2 libsmbclient-3.0.2-0.i586.rpm
| 3 libsmbclient-devel-3.0.2-0.i586.rpm
| 5 samba3-cifsmount-3.0.2-0.i586.rpm
| 4 samba3-client-3.0.2-0.i586.rpm
| 6 samba3-doc-3.0.2-0.i586.rpm
| 7 samba3-utils-3.0.2-0.i586.rpm
| 8 samba3-vscan-0.3.4-0.i586.rpm
| 9 samba3-winbind-3.0.2-0.i586.rpm --nodeps
| 10 samba3-3.0.2-0.i586.rpm

The net command is missing from these packages. Where from can I download a net's package to my suse 9?

Regards,
Roland
ICQ: 173539771
[Samba] Error Looking up domain users
Sir,

I am selvam from India. I have installed samba 3.0.2a on Redhat Linux 9.0 and it is working fine. Then I configured winbind for integration with ADS on a Windows 2000 server. When I issue the command wbinfo -u it gives the error message "error looking up domain users". Please provide a solution for that. (Previously I joined the domain using the net command.) Please do the needful. I am waiting for a resolution.

Regards
selvam e.
[Samba] fileshare creation method
Has anyone tried, or knows of a way that I can give authority for a person to create a share from Windows, without adding them into the Administrative Users field in the smb.conf? Or is there a way I can automate this? I have a number of admins across campus who will need access to create shares through computer management. I can do it as long as there is a valid account in the Administrative Users field in the smb.conf and the /etc/passwd. Any ideas would be greatly appreciated. Oh, I probably should mention that I am using Red Hat Enterprise 3.

Thanks for your help.

--John

John Petro
System Programmer
Information and Technology Services
Rochester Institute of Technology
585-475-4925
[EMAIL PROTECTED]
Re: [Samba] Kerberos and Samba
Andrew Bartlett wrote:
| On Mon, Apr 12, 2004 at 12:21:41PM +0200, Gémes Géza wrote:
|
|Sensei wrote:
|| On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
||
||Samba cannot use the kerberos tickets directly - not unless the KDC is
||Active Directory (for now). But it is possible for Samba to use the
||same password store. (For NTLM, but not kerberos passwords)
||
||What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
||
|| MIT K5. The passwords are stored only in the kerberos database.
||
||While the work is still new, there is support in Heimdal to read Samba
||password entries in LDAP. There is also an OpenLDAP plugin to set
||both Samba and Kerberos passwords on password change.
||
||You would need to manually edit your LDAP database, to expose the
||passwords in 'Samba' format - potentially a dump and restore of the
||Heimdal entries might do it, if the sambaSamAccount objectClass was
||added, and you used a current snapshot.
||
|| It would be nice to have just kerberos passwords. I've done this with
|| ldap (sasl gssapi authentication via k5) and afs (tokens are released on
|| ticket releasing).
||
|| The main issue is the integrated windows login: a student must login,
|| gain tickets and token, and have his windows home dir set to what ldap
|| shows him: this means that afs must be enabled at boot.
||
|| How would you do this? I don't have any clues...
||
|I see a different solution here:
|User authenticate to a Samba controlled Domain, and because Samba has the
|Kerberos password(=NTPassword hash) it could impersonate the user,
|acting to the AFS/Coda cell on behalf of her/him. In this way Samba
|could become a gateway between Windows clients and AFS/Coda servers.
|Unfortunately I don't know how could be that implemented.
|
| See Volker's presentation to SambaXP, and the --with-fake-kaserver
| option to Samba.
|

Sorry for being so tenacious on this (maybe unimportant) subject. But this is what I've understood about what fake-kaserver does:

 ___________              ___________       ______
|           |            |           |     |      |
|  Windows  |--Kerberos--|   Samba   |-----| AFS  |
|  client   |    auth    |   server  |     | cell |
|___________|            |___________|     |______|
      ~                        ^
       ~                       |
        ~                      |
         ~                     |
          ~                    |
           ~                   |
                          _____v_____
                         |           |
                         |    AD     |
                         |  server   |
                         |___________|

But what I was thinking about would be:

 ___________              ___________       ______
|           |            |           |     | Coda |
|  Windows  |    NTLM    |   Samba   |-----|  or  |
|  client   |    auth    |    PDC    |     | AFS  |
|___________|            |_LDAP back_|     | cell |
                               ^           |______|
                               |
                               | getting ticket
                               | for
                               | Kerberos unaware clients
                          _____v_____
                         |           |
                         |  Heimdal  |
                         |  current  |
                         |_LDAP back_|

Thanks,
Geza
Re: [Samba] Restricting printer views
Hello Ryan,

[EMAIL PROTECTED] wrote:

So when a client maps the print server (ie: \\printserver) then all the printers are displayed, available for point print. How do you hide printers from specific users? We have academic printers and administrative printers. Academic users should not be able to see administrative printers and vice versa.

You can apply every printer as an own share.

[HP-Drucker]
    printer name = hp1
    valid users = max moritz
    ...

Further, you can hide a printer with browseable = no.

matze
[Samba] installing samba
I have installed Samba 3.0.0 for AIX 5.1. I have several other systems in the company that have a lower level installed. I am wanting to use the same data in the smb.conf from another system, but I cannot find that file in the 3.0.0 version. Where is/should this be located? I have looked in the /etc and /usr/local and a samba directory does not exist.

Thanks,
Jason Borghesi
Distributed Systems
Wellpoint Health Networks
Re: [Samba] Error Looking up domain users
Hello selvam,

I am selvam from India. I have installed samba 3.0.2a on Redhat Linux 9.0 and it is working fine. Then I configured winbind for integration with ADS on a Windows 2000 server. When I issue the command wbinfo -u it gives the error message "error looking up domain users". Please provide a solution for that. (Previously I joined the domain using the net command.) Please do the needful. I am waiting for a resolution.

Have you read http://de.samba.org/samba/docs/man/domain-member.html#ads-member

Does the machine have rights (on the ADS side) to do that?

Please post the error message.

matze
Re: [Samba] Kerberos and Samba
On Mon, Apr 12, 2004 at 09:23:05PM +0200, Gémes Géza wrote:

Andrew Bartlett wrote:
| On Mon, Apr 12, 2004 at 12:21:41PM +0200, Gémes Géza wrote:
|
|Sensei wrote:
|| On Sat, 2004-04-10 at 16:07, Andrew Bartlett wrote:
||
||Samba cannot use the kerberos tickets directly - not unless the KDC is
||Active Directory (for now). But it is possible for Samba to use the
||same password store. (For NTLM, but not kerberos passwords)
||
||What is your KDC? MIT or Heimdal? Are you using the Heimdal LDAP backend?
||
|| MIT K5. The passwords are stored only in the kerberos database.
||
||While the work is still new, there is support in Heimdal to read Samba
||password entries in LDAP. There is also an OpenLDAP plugin to set
||both Samba and Kerberos passwords on password change.
||
||You would need to manually edit your LDAP database, to expose the
||passwords in 'Samba' format - potentially a dump and restore of the
||Heimdal entries might do it, if the sambaSamAccount objectClass was
||added, and you used a current snapshot.
||
|| It would be nice to have just kerberos passwords. I've done this with
|| ldap (sasl gssapi authentication via k5) and afs (tokens are released on
|| ticket releasing).
||
|| The main issue is the integrated windows login: a student must login,
|| gain tickets and token, and have his windows home dir set to what ldap
|| shows him: this means that afs must be enabled at boot.
||
|| How would you do this? I don't have any clues...
||
|I see a different solution here:
|User authenticate to a Samba controlled Domain, and because Samba has the
|Kerberos password(=NTPassword hash) it could impersonate the user,
|acting to the AFS/Coda cell on behalf of her/him. In this way Samba
|could become a gateway between Windows clients and AFS/Coda servers.
|Unfortunately I don't know how could be that implemented.
|
| See Volker's presentation to SambaXP, and the --with-fake-kaserver
| option to Samba.
|

Sorry for being so tenacious on this (maybe unimportant) subject. But this is what I've understood about what fake-kaserver does:

 ___________              ___________       ______
|           |            |           |     |      |
|  Windows  |--Kerberos--|   Samba   |-----| AFS  |
|  client   |    auth    |   server  |     | cell |
|___________|            |___________|     |______|
      ~                        ^
       ~                       |
        ~                      |
         ~                     |
          ~                    |
           ~                   |
                          _____v_____
                         |           |
                         |    AD     |
                         |  server   |
                         |___________|

No. This is the ideal world that would not require a kludge as large as --fake-kaserver. (In theory, a proxied/impersonation ticket would work)

But what I was thinking about would be:

 ___________              ___________       ______
|           |            |           |     | Coda |
|  Windows  |    NTLM    |   Samba   |-----|  or  |
|  client   |    auth    |    PDC    |     | AFS  |
|___________|            |_LDAP back_|     | cell |
                               ^           |______|
                               |
                               | getting ticket
                               | for
                               | Kerberos unaware clients
                          _____v_____
                         |           |
                         |  Heimdal  |
                         |  current  |
                         |_LDAP back_|

This is what the fake-kaserver does, except that it does not need to access the user's passwords, it only needs to access the AFS server's password (and can spoof tickets from there). Ask volker for the fine details.

Andrew Bartlett
[Samba] Re: PRINTING CUPS on Samba 3.0 - PS Driver upload
On Mon, 22 Mar 2004 22:36:40 +1100, Andrew Bartlett wrote:

On Mon, 2004-03-22 at 19:19, Herbert FRIEDL wrote:

Dear all

samba 3.0.2pre1-1
cups 1.1.20

I am testing the CUPS printing on Samba 3.0.2pre1-1 and so far we have a good impression about the system. We want to use only Postscript for our printers. The cupsaddsmb tool works great and printing with the cups driver is fine. The Add Printer Wizard for uploading vendor specific for the PCL 5 drivers is working fine and printing is working. I have some trouble with the vendor specific Post script drivers.

Have you tried this method for the postscript printers? Same result?

Uploading the Postscript drivers is OK but when we want to print something on the printers (hp2280, hp2300) the printer only prints the postscript definition text and produces tons of pages.

The problem is, the HP (and most other) postscript drivers output a PCL header above their postscript. CUPS doesn't think it's postscript then, and things go downhill from there. Only the CUPS and potentially the adobe drivers gets this right, but I have had other nasty problems with the CUPS drivers.

I second that. I run Samba 2.2.8a and CUPS 1.1.19 and had nasty trouble using the cupsaddsmb method with the CUPS or Adobe drivers. I switched to all raw queues and vendor drivers for both PCL and postscript and watched all my problems go away. We use the Add Printer Wizard to add all of our printers. Might be worth a shot.

The output file in /var/spool/cups looks ok for a postscript printer. I am a bit confused because postscript printing is working for other printers like canon-ir5000.

It probably puts out real postscript (as far as CUPS is concerned).

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
[Samba] Help Joining and NT domain
I am receiving this SAME error, any one find a way to resolve it?

Joe Schoolfield
FTI Domain Administrator
HARRIS Corporation, GCSD
(321) 309-2383
[Samba] Samba 3.02a OpenLDAP Howto's
Hi guys,

I searched the web for samba+OpenLDAP (ldap) howto's and I found lots of documents, but none of them fully explained the configuration of OpenLDAP ldap tools.

Do you guys know any good ldap howto that explains all the ldif creation, groups creation and users creation using ldap?

I don't mind reading, but I'm having trouble finding a good howto.

Thanks for your help
[Samba] [OS X] OD authentication issue?
I am seeing very slow log-on's from our Windows clients to OS X 10.3.3 Server ( 30 seconds)- except for the 'admin' user. I have a suspicion.

The smb.conf file has

  auth methods = guest opendirectory

In the OS X log I see

  Apr 12 13:24:37 xserveg5 PasswordService: client response doesn't match what we generated
  Apr 12 13:25:01 xserveg5 last message repeated 17 times
  Apr 12 13:27:02 xserveg5 last message repeated 60 times
  Apr 12 13:37:11 xserveg5 last message repeated 300 times
  Apr 12 13:39:11 xserveg5 last message repeated 60 times

In my samba log I see stuff like

  search_records value(;ApplePasswordServer;0x4063a7602411818a00040004,1024 35 12101246400916075134662..etc [EMAIL PROTECTED]:192.168.0.101)

Now the interesting thing is that I changed the IP of the machine during the time I was setting up the server. The IP is now 192.168.0.2 NOT 192.168.0.101 (DNS and RDNS are correct). Perhaps this has messed up things.

Do SAMBA and OD exchange keys to authenticate 'things'? Do SAMBA and OD now disagree on keys after the IP was changed?? How do I get the two to agree? This is really aggravating our Windows user base.

Andrew
[Samba] pam_stack.so for suse 9.0
I'm using suse 9.0 with samba3.xxx. I have joined the samba server to the nt domain using winbind and net join. Everything seems to be working great. I can pull domain+users as well as groups plus auto create home directories. But every time I try to logon to the linux end it acts like it's going to work and then I get a message domain+user account disabled. In the Samba by Example book that I have they use a pam module pam_stack.so that I can't find for suse and it isn't included with the install. Is there anyone that can comment on this?
Re: [Samba] Restricting printer views
Or set load printers = no and define the printers as suggested.
Marcus O.
On Mon, 2004-04-12 at 16:23, Matthias Spork wrote:
Hello Ryan,
[EMAIL PROTECTED] wrote:
So when a client maps the print server (ie: \\printserver) then all the printers are displayed, available for point print. How do you hide printers from specific users? We have academic printers and administrative printers. Academic users should not be able to see administrative printers and vice versa.
You can apply every printer as an own share.
[HP-Drucker]
printer name = hp1
valid users = max moritz
...
Further, you can hide a printer with browseable = no.
matze
[Samba] NUA + MYSQL?
Hello all. I just joined the list, because I am interested in NUA features of Samba3. I got the MySQL passdb backend working, but it still requires a Unix System account. I need to use fully virtualized user accounts. Re: the release of Samba3 and NUA capabilities I have found this:
snip
In the development of Samba-3, a number of requests were received to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide matching UNIX/Linux accounts. We called this the Non-UNIX Accounts (NUA) capability. The intent was that an administrator could decide to use the tdbsam backend and by simply specifying passdb backend = tdbsam_nua, this would allow Samba-3 to implement a solution that did not use UNIX accounts per se. Late in the development cycle, the team doing this work hit upon some obstacles that prevents this solution from being used. Given the delays with the Samba-3 release, a decision was made to not deliver this functionality until a better method of recognizing NT Group SIDs from NT User SIDs could be found. This feature may return during the life cycle for the Samba-3 series.
/snip
Can anyone tell me what sort of progress has been made in the NUA areas? Specifically I want something like passdb backend = mysql_nua. Does anyone know if something like this is in the works or is currently in existence?
Thanks, Joel
Re: [Samba] Initial samba + ldap howto
Check out... http://sapiens.wustl.edu/~sysmain/info/openldap/openldap_configure.html for starters. Unless LDAP is configured properly nothing else will work. Then go to this one http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
Marcus O.
On Mon, 2004-04-12 at 12:33, John Schmerold wrote:
Wim, Thanks for this information. Later this week, I'm scheduled to attempt installation of SAMBA+LDAP using the by Example book. I'll let you know how it goes. The by Example book seems better than the How-To in terms of practical information needed to get a server up and running. Only problem with the by Example book is that it's a bit long. In addition, it does the same thing every other Linux book does, that is it goes into detail about too many approaches to doing things. When I searched for the word Linux on Amazon, I came up with 3,735 books. I wish one of them specifically outlined how to do what I want done, that is a book that helps me configure a SBS (microsoft small business server) replacement. I may be missing something, but in essence it would be a series of books:
Replacing SBS with Linux (second edition):
1. Download install Fedora
2. Install LDAP and configure for use with SAMBA postfix
3. Download install Samba
4. Download install postfix/courier/squirrelmail
5. Download install ClamAV/Spam Assassin/TDMA
6. Download install Apache
7. Keeping system up to date with YUM
8. Appendix 1 - Updating first edition of this book
Replacing linksys with Linux
1. Configuring netfilter
2. Configuring VPN - Server
3. Configuring VPN - Client
4. Download install dansguardian.
5. Configure PPPOE
There could be different books for different distributions. Most people reading (myself included) don't care about many of the decisions. For example I don't care about Fedora vs SUSE vs Debian, I am going with Fedora at this time because I wanted ACLs found in Kernel 2.6. I don't care about Courier vs Dovecot.
I do care about LDAP because this is the holy grail of system administration, with LDAP, you can have a central addressbook / account store etc just like NWAdmin or Domain manager.
John
Wim Bakker wrote:
A couple of days ago I decided that I needed a samba and ldap setup. After reading the samba mailing list, specifically the thread Re: [Samba] Samba and LDAP backend - howto docs problems? I decided to buy the Official Samba-3 HowTo and Reference guide, (the Samba-3 By Example mentioned in that thread wasn't available in my bookstore and they couldn't order it for me too) expecting to find a workable example for a setup, as I made out more or less from the remarks in that thread there would be, chapter 2 specifically. That chapter has an example (page 26) but I wouldn't recommend to actually use it, it's very limited and inaccurate, lacks information of what more is needed, which additional system packages etc. It says in the beginning that a functioning os is assumed, but that's rather vague on what implies a functioning os. From page 136 on there are some more examples of ldap pwdbackend, but hardly sufficient. http://www.unav.es/cti/ldap-smb-howto.html contains some sketchy info on how to get samba-3 and ldap working, but that document seems to be incomplete and transitioning from samba-2 to samba-3. One of the posters on the aforementioned thread remarked that an accurate, complete into detail, config file is a great help for learning to grasp what has to be done, and how things work together, I agree and following are the steps I took to get a working samba-3 + ldap install. I hardly know anything of linux or samba, let alone ldap, but from the mailing list I understood that the following is necessary:
A goal: get samba + ldap on slackware 9.1 with support for acl's in a usable state working.
The means:
slackware-9.1
acl-2.2.22.src.tar.gz
attr-2.4.14.src.tar.gz
ea+acl+nfsacl+sec-2.4.24-0.8.69.diff.gz
linux-2.4.24.tar.gz
coreutils-5.0-attr+acl.tar.gz
nss_ldap.tgz
pam_ldap.tgz
perl-5.8.3.tar.gz
openldap-2.1.19.tgz
ldap-account-manager_0.4.5.tar.gz
Linux-PAM-0.77.tar.bz2
openssl-0.9.7d.tar.gz
db-4.2.52.tar.gz
samba-3.0.2a.tar.gz
smbldap-tools-0.8.4.tgz
I made the following install and configs, I don't know how correct or secure or unnecessary they were, in the end I had a complete and correct functioning ldap + samba setup, that was usable. It was especially frustrating to get tls connection working, it kept failing with the following error:
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
samba and ldap run on the same server. Besides the documented config for slapd: (etc/openldap/slapd.conf)
TLSCertificateFile /etc/ssl/certs/smb.ahm.nl.pem
TLSCertificateKeyFile /etc/ssl/keys/smb.ahm.nl.key
TLSCACertificateFile /etc/ssl/certs/ca.pem
quite important it is also that ldap knows how to verify: (/etc/ldap.conf symlink to
Re: [Samba] NUA + MYSQL?
Re: the release of Samba3 and NUA capabilities I have found this:
snip
[...] Late in the development cycle, the team doing this work hit upon some obstacles that prevents this solution from being used.
/snip
Can anyone tell me what sort of progress has been made in the NUA areas? Specifically I want something like passdb backend = mysql_nua.
I would imagine the passwords would be the least of the problems. I don't know of any way you could completely do away with user accounts or at least, entries in /etc/passwd, given that most UNIX systems lookup passwd/NIS for UID/GID on file ownerships and whatnot. You might have all locked passwords in /etc/shadow [or equiv], with authentication for samba being all SQL driven, but at the end of the day, the smbd needs some EUID/EGID's for the file permissions stuff. I imagine there's quite a bit of funk to get through.
=MB=
Re: [Samba] NUA + MYSQL?
Joel Holder wrote:
Can anyone tell me what sort of progress has been made in the NUA areas?
This feature/experiment was removed before 3.0.0 was released and is no longer supported.
cheers, jerry
-- Hewlett-Packard- http://www.hp.com SAMBA Team -- http://www.samba.org GnuPG Key http://www.plainjoe.org/gpg_public.asc If we're adding to the noise, turn off this song --Switchfoot (2003)
[Samba] v3.0.2a: can't login into domain after switching to pdb_mysql
Hello list.samba.org
FreeBSD-5.2.1, samba from port with tdbsam-backend configured as PDC. Everything is working fine: i.e. registering at samba domain and logging on to it, but after I switch to mysql-backend (pdb-mysql) I can only successfully register my Windows 2k3 at Samba domain (messagebox 'Welcome to slavel.ru domain' has appeared), i.e. can successfully change domain of my workstation from WindowsNT domain to Samba domain, but after prompt to reboot and followed rebooting can't log on into domain... Mysql log shows me some strange queries to samba db with where-clause of non-existent samba user. Here is samba.conf and mysql logs:
**
hercules# cat /usr/local/etc/smb.conf
[global]
workgroup = SLAVEL.RU
server string = Slavel.ru Samba %v
interfaces = xl0
passdb backend = mysql:mysql
logon path = \\%N\homes\%u\
logon home = \\%N\homes\%u\
logon drive = H:
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
mysql:mysql host = localhost
mysql:mysql user = root
# for debugging only
mysql:mysql password = blablabla
mysql:mysql database = samba
admin users = nua
printer admin = nua
deadtime = 10
follow symlinks = no
max smbd processes = 1000
[netlogon]
path = /var/spool/samba/shares/netlogon
read only = yes
[profiles]
path = /var/spool/samba/shares/homes/%u/profiles
browseable = no
read only = No
guest ok = no
create mask = 0600
directory mask = 0700
[homes]
path = /var/spool/samba/shares/homes/%u
browseable = no
read only = No
guest ok = no
create mask = 0600
directory mask = 0700
**
this's registering of Windows Workstation (NUA) at domain: everything's OK! (for debugging purpose samba user is mysql root)
040413 12:29:53 59 Connect [EMAIL PROTECTED] on samba
60 Connect [EMAIL PROTECTED] on samba
60 Query SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,unknown_3,logon_divs,hours_len,bad_password_count,logon_count,unknown_6 FROM user WHERE username = 'root'
60 Query SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,unknown_3,logon_divs,hours_len,bad_password_count,logon_count,unknown_6 FROM user WHERE username = 'root'
040413 12:29:54 61 Connect [EMAIL PROTECTED] on samba
61 Query SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,unknown_3,logon_divs,hours_len,bad_password_count,logon_count,unknown_6 FROM user WHERE username = 'root'
61 Query SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,unknown_3,logon_divs,hours_len,bad_password_count,logon_count,unknown_6 FROM user WHERE username = 'root'
040413 12:29:55 61 Query SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,unknown_3,logon_divs,hours_len,bad_password_count,logon_count,unknown_6 FROM user WHERE username = 'nua$'
61 Query SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,unknown_3,logon_divs,hours_len,bad_password_count,logon_count,unknown_6 FROM user WHERE username = 'NUA$'
61 Query SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,
[Samba] net groupmap list showing domain groups 3-4 times
Samba 3.0.2a
When I run net groupmap list, I am seeing the domain groups 3-4 times in the list. Is this normal? If not, how do I fix it?
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-1627512061-3979602771-3638141843-513) -> -1
Domain Guests (S-1-5-21-2115173702-1382115886-4053946157-514) -> -1
Domain Admins (S-1-5-21-2115173702-1382115886-4053946157-512) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3094946941-1063016343-518249709-513) -> -1
Domain Admins (S-1-5-21-3094946941-1063016343-518249709-512) -> -1
Domain Admins (S-1-5-21-1627512061-3979602771-3638141843-512) -> -1
Domain Guests (S-1-5-21-3094946941-1063016343-518249709-514) -> -1
Domain Users (S-1-5-21-1565338132-3089613125-211223302-513) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Guests (S-1-5-21-1627512061-3979602771-3638141843-514) -> -1
Domain Users (S-1-5-21-2115173702-1382115886-4053946157-513) -> -1
Domain Admins (S-1-5-21-1565338132-3089613125-211223302-512) -> -1
Domain Guests (S-1-5-21-1565338132-3089613125-211223302-514) -> -1
RE: [Samba] NUA + MYSQL?
How sad. It's a great idea. Having virtual user/machine accounts would open up a lot of neat possibilities. Any plans for future attempts? Is it possible? I suppose LDAP will have to do for our purposes. Thanks for your replies. If anyone else knows of any other ways to accomplish having smb users without the need for /etc/passwd entries, I am interested.
Gratzi, Joel
-- Network Logistic, Inc. http://www.networklogistic.com Chamleon Appliance http://www.chameleonappliance.com/home.html pub 1024D/13B1A500 2003-08-06 Joel Holder (Developer, Chameleon Appliance) [EMAIL PROTECTED] Key Found at http://www.keyserver.net
-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Monday, April 12, 2004 9:52 PM
To: Joel Holder
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] NUA + MYSQL?
Joel Holder wrote:
Can anyone tell me what sort of progress has been made in the NUA areas?
This feature/experiment was removed before 3.0.0 was released and is no longer supported.
cheers, jerry
-- Hewlett-Packard- http://www.hp.com SAMBA Team -- http://www.samba.org GnuPG Key http://www.plainjoe.org/gpg_public.asc If we're adding to the noise, turn off this song --Switchfoot (2003)
Re: [Samba] net groupmap list showing domain groups 3-4 times
Mark wrote:
Samba 3.0.2a
When I run net groupmap list, I am seeing the domain groups 3-4 times in the list. Is this normal? If not, how do I fix it?
I managed to fix this by stopping Samba, deleting /var/cache/samba/* and the /etc/samba/secrets.tdb and then starting Samba again. Now my question is: if I add a linux group to Users, how would I delete this accounting group if I needed to in the future?
Users (S-1-5-32-545) -> accounting
This is what started the whole mess..
[Samba] Case-sensitivity problems with smbmount on linux
[This seems like it should be a FAQ, but I searched for quite some time without finding anything.]
Mounting a samba share using smbmount under linux leads to problems when dealing with filenames that differ in case only. These problems do not affect WinXP mounting the same share, so it looks like a client issue. The server is running Samba 3.0.1 on linux, kernel 2.4.20. The relevant part of smb.conf looks like:
case sensitive = yes
preserve case = yes
short preserve case = yes
On the server I create two files, test and TEST, as follows:
[EMAIL PROTECTED] echo test > test
[EMAIL PROTECTED] echo TEST > TEST
Running some commands from the linux client, after mounting with smbmount/3.0.1 (kernel 2.4.25):
[EMAIL PROTECTED] ls
TEST test
[EMAIL PROTECTED] cat TEST
test
[EMAIL PROTECTED] cat test
test
[EMAIL PROTECTED] mv test Test
mv: overwrite `Test'? n
It appears 'cat' can only see the lowercase file. Same for when you try to move the file. Instead of renaming, it thinks you want to overwrite the existing file. Other file utilities are affected in similar ways. I believe the server is properly configured, since under WinXP the behavior is as one would expect:
dir
. TEST . test
type TEST
TEST
type test
test
move test Test
...
dir
. TEST . Test
I find this odd, because I would expect the Linux client to be at least as capable as the WinXP client in handling the case differences (if anything I'd expect the XP machine to be the one with the problems). Have I overlooked something?
Thanks, Michael Carmack [EMAIL PROTECTED]
[Samba] Possible security issue with Samba 3.02 and MySQL database
I have been doing some testing with Samba and using MYSQL as the passdb backend (no, it is not the security issue mentioned in the samba how-to). I found what I believe is a serious security issue and I am not sure if this security issue is an operating system issue or a Samba issue that should be looked at by the Samba team. Is there such a place as to report such security concerns to the Samba team off list?
mark
Re: [Samba] Possible security issue with Samba 3.02 and MySQL database
security issues should be sent to [EMAIL PROTECTED]
Mark wrote:
I have been doing some testing with Samba and using MYSQL as the passdb backend (no, it is not the security issue mentioned in the samba how-to). I found what I believe is a serious security issue and I am not sure if this security issue is an operating system issue or a Samba issue that should be looked at by the Samba team. Is there such a place as to report such security concerns to the Samba team off list?
mark
svn commit: samba r170 - in trunk/source: auth lib libsmb nsswitch utils
Author: abartlet
Date: 2004-04-12 09:24:17 + (Mon, 12 Apr 2004)
New Revision: 170
Modified:
trunk/source/auth/auth_util.c
trunk/source/lib/util_str.c
trunk/source/libsmb/nterr.c
trunk/source/libsmb/ntlm_check.c
trunk/source/nsswitch/winbindd_nss.h
trunk/source/nsswitch/winbindd_pam.c
trunk/source/utils/ntlm_auth.c
Log:
Merge from 3.0:
ntlm_auth:
- add --require-membership-of
- add and use new function for decoding hexadecimal-encoded strings into DATA_BLOBs
- ntlm_auth now requests 'squashed' error codes
elsewhere:
- don't dereference potentially NULL pointers in ntlm_check.c
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/trunk/source&rev=170&sc=1
svn commit: samba r171 - branches/SAMBA_3_0/source/utils
Author: abartlet
Date: 2004-04-12 10:17:48 + (Mon, 12 Apr 2004)
New Revision: 171
Modified:
branches/SAMBA_3_0/source/utils/ntlm_auth.c
Log:
Continue the 'rename nt_session_key' work. This attempts to rename this variable to 'user_session_key', where possible. (The command line parameter is currently unchanged).
Andrew Bartlett
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=171&sc=1
svn commit: samba r172 - trunk/source/nsswitch
Author: abartlet
Date: 2004-04-12 10:34:52 + (Mon, 12 Apr 2004)
New Revision: 172
Modified:
trunk/source/nsswitch/winbindd_nss.h
Log:
Merge from 3.0 - fix comment location
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=172&sc=1
svn commit: samba r173 - trunk/source/utils
Author: abartlet
Date: 2004-04-12 10:49:07 + (Mon, 12 Apr 2004)
New Revision: 173
Modified:
trunk/source/utils/ntlm_auth.c
Log:
Merge from 3.0:
ntlm_auth:
- rename nt_session_key -> user_session_key
- when we can't contact winbindd, fall back to asking smb.conf directly for the winbind separator and domain name
- exit(1) -> return 1 for consistency
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=173&sc=1
svn commit: samba r174 - in branches/SAMBA_4_0/source/lib/registry: reg_backend_nt4 reg_backend_w95 tools
Author: jelmer
Date: 2004-04-12 11:02:38 + (Mon, 12 Apr 2004)
New Revision: 174
Modified:
branches/SAMBA_4_0/source/lib/registry/reg_backend_nt4/reg_backend_nt4.c
branches/SAMBA_4_0/source/lib/registry/reg_backend_w95/reg_backend_w95.c
branches/SAMBA_4_0/source/lib/registry/tools/gregedit.c
Log:
Win95 registry files (like USER.DAT) can now be partially parsed
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_4_0/source/lib/registry&rev=174&sc=1
svn commit: samba r175 - branches/SAMBA_3_0/source/nsswitch
Author: abartlet
Date: 2004-04-12 11:15:14 + (Mon, 12 Apr 2004)
New Revision: 175
Modified:
branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
Log:
Move this comment to the right place...
Andrew Bartlett
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=175&sc=1
svn commit: samba r176 - branches/SAMBA_3_0/source/libsmb
Author: abartlet
Date: 2004-04-12 11:18:32 + (Mon, 12 Apr 2004)
New Revision: 176
Modified:
branches/SAMBA_3_0/source/libsmb/cliconnect.c
branches/SAMBA_3_0/source/libsmb/passchange.c
branches/SAMBA_3_0/source/libsmb/smbencrypt.c
Log:
Improve our fallback code for password changes - this would be better with more correct NTLMSSP support in client and server, but it will do for now.
Also implement LANMAN password only in the classical session setup code, but #ifdef'ed out. In Samba4, I'll make this run-time so we can torture it.
Lanman passwords over 14 dos characters long could be considered 'invalid' (they are truncated) - so SMBencrypt now returns 'False' if it generates such a password.
Andrew Bartlett
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=176&sc=1
svn commit: samba r177 - in branches/SAMBA_3_0/source: . utils
Author: abartlet
Date: 2004-04-12 14:19:48 + (Mon, 12 Apr 2004)
New Revision: 177
Added:
branches/SAMBA_3_0/source/utils/ntlm_auth.h
branches/SAMBA_3_0/source/utils/ntlm_auth_diagnostics.c
Modified:
branches/SAMBA_3_0/source/Makefile.in
branches/SAMBA_3_0/source/utils/ntlm_auth.c
Log:
Split ntlm_auth --diagnostics into a separate file, so as not to clutter the main ntlm_auth program. It quite possibly should belong in smbtorture, but relies on the winbind client for now.
Andrew Bartlett
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_3_0/source&rev=177&sc=1
svn commit: samba r178 - trunk/source/nsswitch
Author: vlendec
Date: 2004-04-12 14:56:59 + (Mon, 12 Apr 2004)
New Revision: 178
Modified:
trunk/source/nsswitch/wbinfo.c
Log:
Merge from 3_0: Fix const warning
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=178&sc=1
svn commit: samba r179 - in trunk/source: nsswitch param
Author: vlendec
Date: 2004-04-12 15:06:16 + (Mon, 12 Apr 2004)
New Revision: 179
Modified:
trunk/source/nsswitch/winbindd_group.c
trunk/source/nsswitch/winbindd_util.c
trunk/source/param/loadparm.c
Log:
Merge from 3_0: winbind nested groups parameter
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/trunk/source&rev=179&sc=1
svn commit: samba r180 - in trunk: examples/LDAP source/include source/passdb source/rpc_server source/utils
Author: idra
Date: 2004-04-12 16:59:35 + (Mon, 12 Apr 2004)
New Revision: 180
Modified:
trunk/examples/LDAP/samba.schema
trunk/source/include/privileges.h
trunk/source/passdb/pdb_interface.c
trunk/source/passdb/pdb_ldap.c
trunk/source/passdb/pdb_tdb.c
trunk/source/rpc_server/srv_lsa_nt.c
trunk/source/rpc_server/srv_samr_nt.c
trunk/source/utils/net_privileges.c
Log:
Add some copyright lines here and there
Fix pdb_ldap so that aliases are not forced to have also posixGroup objectclass
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/trunk&rev=180&sc=1
svn commit: samba r181 - in branches/SAMBA_4_0/source/lib/registry: common reg_backend_w95
Author: jelmer
Date: 2004-04-12 17:43:22 + (Mon, 12 Apr 2004)
New Revision: 181
Modified:
branches/SAMBA_4_0/source/lib/registry/common/reg_interface.c
branches/SAMBA_4_0/source/lib/registry/reg_backend_w95/reg_backend_w95.c
Log:
Parsing windows '95 registry files now works (including values)
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_4_0/source/lib/registry&rev=181&sc=1
svn commit: samba r182 - in branches/SAMBA_4_0/source/lib/registry: . common reg_backend_w95
Author: jelmer
Date: 2004-04-12 18:02:54 + (Mon, 12 Apr 2004)
New Revision: 182
Modified:
branches/SAMBA_4_0/source/lib/registry/TODO
branches/SAMBA_4_0/source/lib/registry/common/reg_objects.c
branches/SAMBA_4_0/source/lib/registry/common/reg_util.c
branches/SAMBA_4_0/source/lib/registry/reg_backend_w95/reg_backend_w95.c
Log:
Fix a couple of segfaults
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_4_0/source/lib/registry&rev=182&sc=1
svn commit: samba r183 - in branches/SAMBA_4_0/source/lib/registry: common tools
Author: jelmer
Date: 2004-04-12 18:46:48 + (Mon, 12 Apr 2004)
New Revision: 183
Modified:
branches/SAMBA_4_0/source/lib/registry/common/reg_interface.c
branches/SAMBA_4_0/source/lib/registry/tools/regshell.c
Log:
More bugfixes
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_4_0/source/lib/registry&rev=183&sc=1
svn commit: samba r184 - in branches/SAMBA_4_0/source: include torture/raw
Author: jra
Date: 2004-04-12 18:53:41 + (Mon, 12 Apr 2004)
New Revision: 184
Modified:
branches/SAMBA_4_0/source/include/trans2.h
branches/SAMBA_4_0/source/torture/raw/search.c
Log:
Fix UNIX Search info level. This still needs to be added to the raw client library before this test can work.
Jeremy.
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_4_0/source&rev=184&sc=1
svn commit: samba r185 - branches/SAMBA_3_0/source
Author: jerry
Date: 2004-04-12 19:00:54 + (Mon, 12 Apr 2004)
New Revision: 185
Modified:
branches/SAMBA_3_0/source/configure.in
Log:
fix linking prob surrounding --with-fake-kaserver and -lcrypto
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=185&sc=1
svn commit: samba r186 - trunk/source
Author: jerry
Date: 2004-04-12 19:21:58 + (Mon, 12 Apr 2004)
New Revision: 186
Modified:
trunk/source/configure.in
Log:
fix linking prob surrounding --with-fake-kaserver and -lcrypto
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=186&sc=1
svn commit: samba r187 - in branches/SAMBA_4_0/source/lib/registry: common reg_backend_rpc tools
Author: jelmer
Date: 2004-04-12 20:07:50 + (Mon, 12 Apr 2004)
New Revision: 187
Modified:
branches/SAMBA_4_0/source/lib/registry/common/reg_interface.c
branches/SAMBA_4_0/source/lib/registry/common/reg_objects.c
branches/SAMBA_4_0/source/lib/registry/reg_backend_rpc/reg_backend_rpc.c
branches/SAMBA_4_0/source/lib/registry/tools/regtree.c
Log:
RPC registry backend fixes
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_4_0/source/lib/registry&rev=187&sc=1
svn commit: samba r188 - branches/SAMBA_3_0/source/utils
Author: abartlet
Date: 2004-04-12 20:46:13 + (Mon, 12 Apr 2004)
New Revision: 188
Modified:
branches/SAMBA_3_0/source/utils/ntlm_auth.c
Log:
Add a new 'helper protocol' to ntlm_auth. This protocol looks rather like SMTP headers/LDAP:
NT-Domain: TESTWG
Username: abartlet
...
Password: foo
Challenge-response passwords are in hexadecimal, while any 'plain' string can be base64 encoded like this:
Password:: Zm9vCg==
(the :: indicates it, just like LDAP - I hope)
The protocol is not final, so it is #ifdef DEVELOPER for now (so nobody starts to rely on it until I'm happy), but we may as well get this into subversion. My intention is to use this to power the next version of my PPP/ntlm_auth plugin, and hopefully entice a FreeRadius plugin out of the woods.
Andrew Bartlett
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/&rev=188&sc=1
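The line format described in the r188 log above, as an added example that is not Samba's ntlm_auth code: a Python parser for `Key: value` and `Key:: base64` lines that returns raw bytes for each field. The hex-valued key name `NT-Response`, the rejection of duplicate keys and of base64 on hex fields, and the line-length cap are assumptions of this example; the log names no challenge-response keys and no limits.

```python
import base64
import binascii
from typing import Dict, Iterable, Tuple

# Assumption: keys carrying hexadecimal-encoded binary values. The commit log
# names no such keys; "NT-Response" is a placeholder chosen for this example.
HEX_KEYS = frozenset({"NT-Response"})
MAX_LINE = 4096  # assumed cap so one oversized line cannot exhaust memory


class HelperProtocolError(ValueError):
    """Raised for any line that does not fit the described format."""


def parse_line(line: str) -> Tuple[str, bytes]:
    """Decode one 'Key: value' or 'Key:: base64' line into (key, raw bytes)."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_LINE:
        raise HelperProtocolError("line too long")
    key, sep, rest = line.partition(":")
    if not sep or not key or key != key.strip():
        raise HelperProtocolError("expected 'Key: value'")
    if rest.startswith(":"):
        # Double colon: the value is base64, as in LDIF.
        if key in HEX_KEYS:
            # Assumption: hex fields are never sent as base64.
            raise HelperProtocolError("hex field given as base64: " + key)
        try:
            value = base64.b64decode(rest[1:].strip(), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise HelperProtocolError("bad base64 for " + key) from exc
    elif key in HEX_KEYS:
        try:
            value = bytes.fromhex(rest.strip())
        except ValueError as exc:
            raise HelperProtocolError("bad hex for " + key) from exc
    else:
        value = rest.strip().encode("utf-8")
    return key, value


def parse_request(lines: Iterable[str]) -> Dict[str, bytes]:
    """Parse a block of lines; a repeated key is rejected as ambiguous."""
    fields: Dict[str, bytes] = {}
    for line in lines:
        if not line.strip():
            continue
        key, value = parse_line(line)
        if key in fields:
            raise HelperProtocolError("duplicate key: " + key)
        fields[key] = value
    return fields


# Constructed sample built from the values quoted in the commit log.
SAMPLE_REQUEST = [
    "NT-Domain: TESTWG",
    "Username: abartlet",
    "Password:: Zm9vCg==",
]

if __name__ == "__main__":
    for name, raw in parse_request(SAMPLE_REQUEST).items():
        print(name, repr(raw))
```

The base64 sample from the log decodes to `foo` followed by a newline, so it is not byte-identical to the plain `Password: foo` form; a consumer comparing or hashing the password has to decide which one it accepts.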
svn commit: samba r189 - in branches/SAMBA_4_0/source: include libcli/raw
Author: jra
Date: 2004-04-12 21:17:58 + (Mon, 12 Apr 2004)
New Revision: 189
Modified:
branches/SAMBA_4_0/source/include/smb_interfaces.h
branches/SAMBA_4_0/source/libcli/raw/rawsearch.c
Log:
Added UNIX search into tests - added client library parse code.
Jeremy.
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_4_0/source&rev=189&sc=1
svn commit: samba r190 - in branches/SAMBA_4_0/source: lib/registry/reg_backend_rpc lib/registry/tools librpc/idl torture/rpc
Author: jelmer
Date: 2004-04-12 21:59:41 + (Mon, 12 Apr 2004)
New Revision: 190
Modified:
branches/SAMBA_4_0/source/lib/registry/reg_backend_rpc/reg_backend_rpc.c
branches/SAMBA_4_0/source/lib/registry/tools/regtree.c
branches/SAMBA_4_0/source/librpc/idl/winreg.idl
branches/SAMBA_4_0/source/torture/rpc/winreg.c
Log:
More RPC updates
WebSVN: http://websvn.samba.org/websvn/listing.php?rep=0&path=/branches/SAMBA_4_0/source&rev=190&sc=1