[Samba] i can figure out. is it config issue or bug. please help
I am using Samba 3.6.5 with winbind for Active Directory authentication. There is a Samba share folder named Filesharing, and a plethora of folders are inside it.

I have been using 2.7 stable for more than 2 years with no problem. However, after my hard disk failure I had to restore the data to a new server and install Samba from zero. Fortunately or unfortunately, Samba has been updated in the Debian repository to 3.5.6:

root@nas:/nas/backup# smbd -V
Version 3.5.6

All users, including the owner user and group, can see the shared files, but only everyone/all users cannot copy the file to their desktop or any other location in Windows 7; they receive permission denied messages. However, these are the same settings that I used to work with on Samba 2.7 stable.

Even groups who do not have r-x permission cannot copy data. The same goes for everyone with r-x: no user can copy the data until I give them rwx. This wasn't happening previously.

Is there anyone who can help me in this regard?

Thanks,
MYK

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] New ADC configuration
On Tue, 2013-07-16 at 18:48 -0400, Matthew Daubenspeck wrote:
> On Tue, Jul 16, 2013 at 08:45:15PM +0200, Marc Muehlfeld wrote:
>> Did you clean up the tdb files on your member server? I could imagine that Samba mixes the old and new domain in its idmap cache. If it's a new installation and nothing important is in the member server's registry (like print server printer settings), just remove the whole Samba installation, 'make install' again and rejoin.
>
> Well now I am out of ideas. I hosed both setups and started from scratch. Redid the provision with the proper rfc2307 added, and I have created test users and assigned them UIDs in ADUC. I can create groups and give them GIDs as well. I rejoined the member server, I can list all users, but I still get no results from id on the member server.
>
> What the heck could I be missing?

Are the uid entries really there?

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=testuser | grep uidNumber

BTW, you really are doing this the hard way. There is none of this fiddling with sssd.

Cheers
[Samba] Samba 3.6 issues
Dear Samba Team,

There are three issues happening in my Samba 3.6.6.

Issue 1: After the upgrade, when uploading a file which is more than 100mb to Samba, it shows the error File name too long cannot copy in Windows XP. I tried to use 3 different PCs to upload different files of more than 100mb; they also fail to transfer the file and show the error. I tested uploading a file which is 25mb or 50mb and it is okay, no problem. Before upgrading to Samba 3.6, I was using Samba 3.0.28.

Issue 2: Users could log on to the PC within the domain, but the network drive could not be mapped from 15-7-16 after 18:00 around (e.g. \\dc01\netlogon). And the network drive could not be mapped through the net use command in Windows XP. Also, the trust relationship with another domain, chb, is lost. Attached are the Samba log and error screen capture for reference.

Issue 3: When I enter the command service smb status, it shows many process IDs. Is it normal?

Thanks for your help.

Here is my smb.conf:

[global]
    workgroup = HB
    server string = DC01
    netbios name = DC01
    interfaces = eth0
    hosts allow = 10. 172. 127.0.0.1
    security = user
    encrypt passwords = yes
    unix password sync = no
    socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    username map = /etc/samba/smbusers
    admin users = root lh2 jos1
    hide unreadable = yes
    smb ports = 139
    local master = yes
    os level = 33
    domain master = no
    preferred master = yes
    domain logons = yes
    logon path =
    logon home =
    #logon path = \\%L\profiles\%U
    #logon path = \\%L\%U\profiles
    logon drive =
    #logon home = \\%L\%U
    #logon home = \\%L\homes
    #logon script = %U.bat
    logon script = %g.bat
    wins support = yes
    name resolve order = wins lmhosts host
    dns proxy = no
    add user script = /usr/sbin/smbldap-useradd -a -m %u
    add machine script = /usr/sbin/smbldap-useradd -W %u
    add group script = /usr/sbin/smbldap-groupadd -a -p %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap delete dn = yes
    ldap ssl = no
    ;winbind nested groups = no
    ldap suffix = dc=ch,dc=com
    ldap admin dn = uid=edp,dc=ch,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = yes
    ldap delete dn = no
    log file = /var/log/samba/%m.log
    log level = 5
    max log size = 1
    template shell = /bin/false
    ;winbind use default domain = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S

[netlogon]
    comment = Network Logon Service
    path = /home2/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no

[testing]
    path = /home2/test
    comment = testing
    writable = yes
    browseable = no
    create mode = 0770
    directory mode = 2770
    public = no
    valid users = @testing
[Samba] tab key does not complete the package name or list the packages in apt-get command
I am using Debian 6.0.7. On my other Debian machines, when I type apt-get install sam<tab> it gives me all items starting with sam, and this is the default behaviour. However, now for some reason the tab key is not working. Does anyone know why?

Note: for other commands the tab key is working fine.

Thanks,
Myk
Re: [Samba] tab key does not complete the package name or list the packages in apt-get command
This is normal behavior; apt-get install sam(tab) should not work. And if it does, then it's because samXXX exists in one of the search folders.

This is not a samba thingy.. use apt-cache search

-----Original message-----
From: sir...@gmail.com [mailto:samba-boun...@lists.samba.org] On behalf of Muhammad Yousuf Khan
Sent: Wednesday, 17 July 2013 10:11
To: samba@lists.samba.org
Subject: [Samba] tab key does not complete the package name or list the packages in apt-get command

> I am using Debian 6.0.7. On my other Debian machines, when I type apt-get install sam<tab> it gives me all items starting with sam, and this is the default behaviour. However, now for some reason the tab key is not working. Does anyone know why?
>
> Note: for other commands the tab key is working fine.
>
> Thanks,
> Myk
Re: [Samba] tab key does not complete the package name or list the packages in apt-get command
Sorry, I asked on the wrong list. See for yourself what I am saying; maybe I cannot communicate it properly.

See the result below: it is giving me no match, which means samba is not installed.

root@virt-dev:~# dpkg -l | grep samba
root@virt-dev:~#

Now check this out.

root@virt-dev:~# apt-get install sam
sam2p                samba-doc            samidare
samba                samba-doc-pdf        samizdat
samba-common         samba-tools          samplerate-programs
samba-common-bin     samdump2             samtools
samba-dbg            samhain
root@virt-dev:~# apt-get install sam

When I hit tab after sam you can see the result for yourself.

Thanks,

On Wed, Jul 17, 2013 at 1:23 PM, L.P.H. van Belle <be...@bazuin.nl> wrote:
> This is normal behavior; apt-get install sam(tab) should not work. And if it does, then it's because samXXX exists in one of the search folders.
>
> This is not a samba thingy.. use apt-cache search
>
> -----Original message-----
> From: sir...@gmail.com [mailto:samba-boun...@lists.samba.org] On behalf of Muhammad Yousuf Khan
> Sent: Wednesday, 17 July 2013 10:11
> To: samba@lists.samba.org
> Subject: [Samba] tab key does not complete the package name or list the packages in apt-get command
>
>> I am using Debian 6.0.7. On my other Debian machines, when I type apt-get install sam<tab> it gives me all items starting with sam, and this is the default behaviour. However, now for some reason the tab key is not working. Does anyone know why?
>>
>> Note: for other commands the tab key is working fine.
>>
>> Thanks,
>> Myk
Re: [Samba] need soms tips for adding samba4 to windows 2008R2 domain
Hai Marc,

Thanks for your reply.

-----Original message-----
From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de]
Sent: Monday, 15 July 2013 19:39
To: L.P.H. van Belle
CC: samba@lists.samba.org
Subject: Re: [Samba] need soms tips for adding samba4 to windows 2008R2 domain

> Hello Louis,
>
> On 15.07.2013 12:48, L.P.H. van Belle wrote:
>> 1) keep my existing windows 2008 domain. ( contains dhcp + dns + AD ) it's a clean domain, no users yet. dhcp+dns is used already.
>>
>> 2) add samba4 to the windows domain dc as secondary DC. ( this server will be my zarafa mail server )
>
> Setup and joining a Samba machine as DC you can find here:
> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

This step: I'm using bind, and I already have Windows set up to replicate the DNS to some other Linux servers. Can I just point Samba to the Windows server, or can I use the replicated DNS, or do I need to set up the DNS completely for Samba as well? That's not clear in the howto, because this howto points to:
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC ( I'm using the enterprise samba packages on ubuntu 12.04 )
and
http://wiki.samba.org/index.php/Dns-backend_bind

Really, I'm sorry to say, but for me the wiki is a maze of information. Too many references to other locations. Then I'm pointed to http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC and there I read:

This HOWTO will assume you had configured and installed Samba in the default location of /usr/local/samba. It assumes you are joining Samba to an existing domain called 'samdom.example.com'.

??? Really, I'm lost. Sorry, I think it's me, :-((

>> 3) add samba3/4 servers to this domain as domain members. ( i know this for samba3 )
>
> http://wiki.samba.org/index.php/Samba4/Domain_Member
>
>> 4) for my remote location i also want to add samba4 servers, which will get their own share for profiles. ( this i know )
>
> Same as 3. But for the users who should have their profiles on the remote server, you have to specify their profile path in ADUC pointing to this server. Some information about roaming profiles:
> http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
>
>> my old environment is running samba3 + Ldap. I do not need the old info with classic upgrade, because some pc's have same sid's, and I'm setting this up for windows 7 pc's.
>
> Here's the point, where I'm not sure, if I fully understand you. In 1 you wrote, that you are having an AD, but with no users. Here you say you have a Samba NT4 style domain with users, etc.

Yes, this is correct. I now have 1 samba domain, on which everyone is working ( pdc+bdc ldap etc ). The extra domain, 2 windows servers for my voip, has no users on it. I'm going to use this AD for my users, so this will be the new domain when ready ( with newly installed pc's ).

> Do you want to bring them together? I mean keep your Windows Domain and migrate the Samba3 accounts to the domain? You can export your LDAP, script something around for the changes and import them in your AD. But you have to re-join your workstations then.

This is not needed, because I'm replacing all of the pc's from XP to Win7. Clean pc's in the new domain; I have a pxe setup for my pc installs so that's ok.

> Or do you want a trust. But this isn't possible in both directions yet:
> http://wiki.samba.org/index.php/FAQ#Does_Samba_support_trust_relationship_with_AD.3F
>
> Or do you skip the old domain and join the PCs to the new Windows domain? Then just follow the HowTos above.

Great, I'm going to set up from the howtos. I don't need trusts ( and if needed I just authenticate with DOMAIN\user to a server ), so the trust is not needed.

> If you meant something else, please give some more details :-)

Here you are.

>> Question here is, do i need the registry fixes for windows 7, if my windows 2008 DC if domain controller.
>
> No registry changes, if your Domain is provided by Windows or Samba AD. I have read that it's necessary for a Samba NT4 style domain only. But I haven't used a Samba PDC with Win7 yet myself (only Samba AD).

I have some win7 on the NT4 style domain, but I didn't use any registry fixes, and it works.

> Regards,
> Marc
Re: [Samba] Classicupgrade set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
Hi,

This trick doesn't resolve the problem.

Regards,
Stéphane

---
Stéphane PURNELLE
Systems and Network Administrator
IT Department
Corman S.A.
Tel: 00 32 (0)87/342467

Marc Muehlfeld <sa...@marc-muehlfeld.de> wrote on 16/07/2013 17:52:32:

> From: Marc Muehlfeld <sa...@marc-muehlfeld.de>
> To: Stéphane PURNELLE <stephane.purne...@corman.be>,
> Cc: samba@lists.samba.org <samba@lists.samba.org>
> Date: 16/07/2013 17:52
> Subject: Re: [Samba] Classicupgrade set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
>
> On 16.07.2013 09:28, Stéphane PURNELLE wrote:
>> I have the same problem with classicupgrade (samba 4.0.6) but on S-1-5.21---xxx-500.
>
> This is the domain Admin account. What happens if you remove it before the classicupgrade?
>
> Regards
> Marc
Re: [Samba] New ADC configuration
On Tuesday, July 16, 2013 06:48:07 PM Matthew Daubenspeck wrote:
> On Tue, Jul 16, 2013 at 08:45:15PM +0200, Marc Muehlfeld wrote:
>> Did you clean up the tdb files on your member server? I could imagine that Samba mixes the old and new domain in its idmap cache. If it's a new installation and nothing important is in the member server's registry (like print server printer settings), just remove the whole Samba installation, 'make install' again and rejoin.
>
> Well now I am out of ideas. I hosed both setups and started from scratch. Redid the provision with the proper rfc2307 added, and I have created test users and assigned them UIDs in ADUC. I can create groups and give them GIDs as well. I rejoined the member server, I can list all users, but I still get no results from id on the member server.
>
> What the heck could I be missing? Does the ADC server need special idmap config/ranges, etc as well?

Hello,

The last time I was having this kind of error, it was because I hadn't set up the gid number for the primary group of each user (domain users). I ended up changing the gid of domain users to something high (the default for provision is 100) so my idmap range for idmap_ad doesn't have to go as low as 100. And then I gave all the users the new configured gid number.

It may be useful to run net cache flush on the member server while doing the test.

You set idmap config NWLTECH:range = 500-4 but the default gid for domain users is 100, so I think that you need to change it (see above) or adapt your range.

Regards,

--
Ali
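The range check suggested in the reply above, as an added example that is not part of the thread: it reads the `idmap config <DOMAIN> : range` line from an smb.conf and lists accounts whose uidNumber or primary-group gidNumber falls outside it. The domain name EXAMPLE, the ranges and the account records are constructed sample values, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): find rfc2307 IDs that fall outside the
# idmap range configured for a domain, the condition described in the reply above.

# Constructed smb.conf fragment; domain name and ranges are sample values.
SAMPLE_CONF='[global]
   workgroup = EXAMPLE
   security = ads
   ; idmap config EXAMPLE : range = 1-5
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE:range = 10000-19999'

# Constructed records: account, uidNumber, gidNumber of its primary group.
# testuser1 has its primary group still at gid 100.
SAMPLE_IDS='testuser1 10001 100
testuser2 10002 10000
testuser3 400 10000'

# idmap_range DOMAIN   (smb.conf text on stdin) -> prints "LOW HIGH"
idmap_range() {
  awk -v dom="$1" '
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
      val = substr($0, eq + 1);             gsub(/[ \t]/, "", val)
      # Parameter names ignore case and spaces: "idmap config DOM : range"
      if (key == ("idmapconfig" tolower(dom) ":range") && split(val, r, "-") == 2) {
        lo = r[1]; hi = r[2]; found = 1         # last definition wins
      }
    }
    END { if (found) print lo, hi }'
}

# check_ids LOW HIGH   (records "name uidNumber gidNumber" on stdin)
check_ids() {
  awk -v lo="$1" -v hi="$2" '
    function outside(n) { return (n + 0 < lo + 0 || n + 0 > hi + 0) }
    NF == 3 {
      if (outside($2)) printf "%s: uidNumber %s outside %s-%s\n", $1, $2, lo, hi
      if (outside($3)) printf "%s: primary gidNumber %s outside %s-%s\n", $1, $3, lo, hi
    }'
}

# audit DOMAIN CONF_TEXT ID_RECORDS -> one line per ID outside the range
audit() {
  range=$(printf '%s\n' "$2" | idmap_range "$1")
  if [ -z "$range" ]; then
    echo "no idmap range configured for $1"
    return 2
  fi
  # $range is "LOW HIGH"; left unquoted on purpose so it splits into two arguments
  printf '%s\n' "$3" | check_ids $range
}

audit EXAMPLE "$SAMPLE_CONF" "$SAMPLE_IDS"
```

On a real member server the records would come from the uidNumber and gidNumber attributes in the directory rather than from an inline sample.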
Re: [Samba] Samba 3.6 issues
When I upgraded from samba 3.0.x to 3.4.x I ran into several issues.

First of all, I would look through the logs. (They did not attach to your message.) I would also run testparm -v in case some default settings have changed. NTLM should be enabled. If you require NTLMv2 that may cause problems (I couldn't get it to work.)

1st, with idmap and domain trusts: With 3.0.x the idmap entries for trusted users were automatically created but they would expire in a week and have to be manually purged. With 3.4.x the idmap cache issue was fixed BUT the entries were no longer auto created. I had to manually add idmap entries in ldap for users in the trusted domain (only 5 or 6 anyway.)

Do you use idmap for assigning user id's for users in the primary domain? I explicitly create user and group accounts. I would verify with pdbedit -Lv username and pdbedit -Lv computername$ that the samba accounts haven't lost their unix id and that everything looks OK.

I also found with 3.4.x (vs 3.0.x) that I needed to explicitly map the guest user and group. This could affect the share permissions. Generally I leave the share permissions unrestricted and rely on the file system permissions for all the control.

Also make sure that the well known groups (e.g. Domain Users) look ok with net groupmap list.

Multiple smbd processes is normal; there should be one for each connection.

I also found it is better not to specify ports in the smb.conf. Although samba does not use 445 for data, windows clients NOT using wins may have problems connecting to samba servers if 445 is not running.

On 07/17/13 03:57, wong lmark wrote:
> Dear Samba Team,
>
> There are three issues happening in my Samba 3.6.6.
>
> Issue 1: After the upgrade, when uploading a file which is more than 100mb to Samba, it shows the error File name too long cannot copy in Windows XP. I tried to use 3 different PCs to upload different files of more than 100mb; they also fail to transfer the file and show the error. I tested uploading a file which is 25mb or 50mb and it is okay, no problem. Before upgrading to Samba 3.6, I was using Samba 3.0.28.
>
> Issue 2: Users could log on to the PC within the domain, but the network drive could not be mapped from 15-7-16 after 18:00 around (e.g. \\dc01\netlogon). And the network drive could not be mapped through the net use command in Windows XP. Also, the trust relationship with another domain, chb, is lost. Attached are the Samba log and error screen capture for reference.
>
> Issue 3: When I enter the command service smb status, it shows many process IDs. Is it normal?
>
> Thanks for your help.
>
> Here is my smb.conf:
>
> [global]
>     workgroup = HB
>     server string = DC01
>     netbios name = DC01
>     interfaces = eth0
>     hosts allow = 10. 172. 127.0.0.1
>     security = user
>     encrypt passwords = yes
>     unix password sync = no
>     socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>     username map = /etc/samba/smbusers
>     admin users = root lh2 jos1
>     hide unreadable = yes
>     smb ports = 139
>     local master = yes
>     os level = 33
>     domain master = no
>     preferred master = yes
>     domain logons = yes
>     logon path =
>     logon home =
>     #logon path = \\%L\profiles\%U
>     #logon path = \\%L\%U\profiles
>     logon drive =
>     #logon home = \\%L\%U
>     #logon home = \\%L\homes
>     #logon script = %U.bat
>     logon script = %g.bat
>     wins support = yes
>     name resolve order = wins lmhosts host
>     dns proxy = no
>     add user script = /usr/sbin/smbldap-useradd -a -m %u
>     add machine script = /usr/sbin/smbldap-useradd -W %u
>     add group script = /usr/sbin/smbldap-groupadd -a -p %g
>     add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>     delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>     set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>     passdb backend = ldapsam:ldap://127.0.0.1
>     ldap delete dn = yes
>     ldap ssl = no
>     ;winbind nested groups = no
>     ldap suffix = dc=ch,dc=com
>     ldap admin dn = uid=edp,dc=ch,dc=com
>     ldap group suffix = ou=Groups
>     ldap user suffix = ou=Users
>     ldap machine suffix = ou=Computers
>     ldap idmap suffix = ou=Idmap
>     ldap passwd sync = yes
>     ldap delete dn = no
>     log file = /var/log/samba/%m.log
>     log level = 5
>     max log size = 1
>     template shell = /bin/false
>     ;winbind use default domain = no
>     idmap uid = 16777216-33554431
>     idmap gid = 16777216-33554431
>
> [homes]
>     comment = Home Directories
>     browseable = no
>     writable = yes
>     valid users = %S
>
> [netlogon]
>     comment = Network Logon Service
>     path = /home2/samba/netlogon
>     guest ok = yes
>     writable = no
>     share modes = no
>
> [testing]
>     path = /home2/test
>     comment = testing
>     writable = yes
>     browseable = no
>     create mode = 0770
>     directory mode = 2770
>     public = no
>     valid users = @testing
Re: [Samba] i can figure out. is it config issue or bug. please help
So you really mean Samba 2.7 or do you mean Samba 3.2.7?

On 07/17/13 02:09, Muhammad Yousuf Khan wrote:
> I am using Samba 3.6.5 with winbind for Active Directory authentication. There is a Samba share folder named Filesharing, and a plethora of folders are inside it.
>
> I have been using 2.7 stable for more than 2 years with no problem. However, after my hard disk failure I had to restore the data to a new server and install Samba from zero. Fortunately or unfortunately, Samba has been updated in the Debian repository to 3.5.6:
>
> root@nas:/nas/backup# smbd -V
> Version 3.5.6
>
> All users, including the owner user and group, can see the shared files, but only everyone/all users cannot copy the file to their desktop or any other location in Windows 7; they receive permission denied messages. However, these are the same settings that I used to work with on Samba 2.7 stable.
>
> Even groups who do not have r-x permission cannot copy data. The same goes for everyone with r-x: no user can copy the data until I give them rwx. This wasn't happening previously.
>
> Is there anyone who can help me in this regard?
>
> Thanks,
> MYK
Re: [Samba] Administrative users on domain
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld <sa...@marc-muehlfeld.de> wrote:
> Hello Donny,
>
> On 12.07.2013 21:34, Donny Brooks wrote:
>> On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ...
>
> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
>
>> ... and when the prompt came up in windows to install software we could log in as ourselves.
>
> What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations?
> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
>
> If you mean something else, please give some more details.
>
> Regards,
> Marc

Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link, that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.

--
Donny B.
Re: [Samba] Administrative users on domain
According to the net man page: "In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege."

The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege.

On 07/17/13 09:44, Donny Brooks wrote:
> On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld <sa...@marc-muehlfeld.de> wrote:
>> Hello Donny,
>>
>> On 12.07.2013 21:34, Donny Brooks wrote:
>>> On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ...
>>
>> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
>>
>>> ... and when the prompt came up in windows to install software we could log in as ourselves.
>>
>> What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations?
>> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
>>
>> If you mean something else, please give some more details.
>>
>> Regards,
>> Marc
>
> Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link, that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.
Re: [Samba] samba Digest, Vol 127, Issue 17
Dear all,

I am out of the office until Monday 22/07/13. For any request, please create the corresponding ticket or contact roberto.var...@pyaing.cl, freddy.arev...@pyaing.cl, frederick.esco...@pyaing.cl or marcos.ur...@pyaing.cl

Regards,
Luis Aravena
[Samba] Does Samba Re-read Changes To smb.conf
Hi,

I was told that samba will re-read the smb.conf if you make changes without restarting the smb service. Is that true? If yes, how long do I need to wait before I see the new share I added to the smb.conf?

Thanks
Bob
Re: [Samba] Administrative users on domain
On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> According to the net man page: "In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege."
>
> The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege.
>
> On 07/17/13 09:44, Donny Brooks wrote:
>> On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld <sa...@marc-muehlfeld.de> wrote:
>>> Hello Donny,
>>>
>>> On 12.07.2013 21:34, Donny Brooks wrote:
>>>> On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ...
>>>
>>> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions
>>>
>>>> ... and when the prompt came up in windows to install software we could log in as ourselves.
>>>
>>> What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations?
>>> http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s
>>>
>>> If you mean something else, please give some more details.
>>>
>>> Regards,
>>> Marc
>>
>> Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link, that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.

Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

And map our itgroup to the Domain Admins group. Although we do have a Domain Admins group in ldap. Should that cause an issue?

--
Donny B.
Re: [Samba] Does Samba Re-read Changes To smb.conf
Hello, bhogue,

You wrote on 17.07.13:

> I was told that samba will re-read the smb.conf if you make changes without restarting the smb service.

That's not true for the [global] section.

Best regards!
Helmut
Re: [Samba] New ADC configuration
On Wed, Jul 17, 2013 at 12:31:54PM +0200, Ali Bendriss wrote:
> The last time I was having this kind of error, it was because I hadn't set up the gid number for the primary group of each user (domain users). I ended up changing the gid of domain users to something high (the default for provision is 100) so my idmap range for idmap_ad doesn't have to go as low as 100. And then I gave all the users the new configured gid number.
>
> It may be useful to run net cache flush on the member server while doing the test.
>
> You set idmap config NWLTECH:range = 500-4 but the default gid for domain users is 100, so I think that you need to change it (see above) or adapt your range.

The last thing it has to be is something with Arch Linux. I removed all their samba packages and rolled from source and it does the EXACT same thing.

I then fired up a quick and dirty Ubuntu LTS VM, installed some samba 4.0.6 packages from a PPA, and it worked. First try. I didn't even have to set uid/gid numbers for the users. getent passwd displays all domain users and:

$ id testuser3
uid=70009(testuser3) gid=70001(domain users) groups=70001(domain users),70012(BUILTIN\users)

grabs all the info properly and gives them proper uid/gid as per the ranges in smb.conf.

I guess I'll rework everything with Ubuntu, although I'm not overly crazy about using older packages. But if it works, who am I to argue? I don't know what else could possibly be wrong with Arch.

Do users created still need a uid/gid added in the UNIX Attributes tab?

Thanks a ton to everyone that offered help, I really appreciate the effort.
Re: [Samba] need soms tips for adding samba4 to windows 2008R2 domain
Hello,

On 17.07.2013 11:29, L.P.H. van Belle wrote:
>> On 15.07.2013 12:48, L.P.H. van Belle wrote:
>>> 1) keep my existing windows 2008 domain. ( contains dhcp + dns + AD ) it's a clean domain, no users yet. dhcp+dns is used already.
>>>
>>> 2) add samba4 to the windows domain dc as secondary DC. ( this server will be my zarafa mail server )
>>
>> Setup and joining a Samba machine as DC you can find here:
>> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
>
> This step: I'm using bind, and I already have Windows set up to replicate the DNS to some other Linux servers. Can I just point Samba to the Windows server, or can I use the replicated DNS, or do I need to set up the DNS completely for Samba as well? That's not clear in the howto, because this howto points to:
> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC ( I'm using the enterprise samba packages on ubuntu 12.04 )
> and
> http://wiki.samba.org/index.php/Dns-backend_bind

I haven't used a Windows server yet. But if the DNS zone is stored in AD, then the directory replication will replicate it to your Samba server, too. But of course you have to run a DNS on your Samba server, too (the internal or BIND DLZ).

> Really, I'm sorry to say, but for me the wiki is a maze of information. Too many references to other locations. Then I'm pointed to http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC and there I read:

What exactly confuses you? Then maybe I can unravel it. Sure, there are references to other HowTos. Otherwise we had to write the same content in different HowTos again and again. And every change had to be done in all places. But if you have good suggestions I can try to do improvements and change the HowTos.

> This HOWTO will assume you had configured and installed Samba in the default location of /usr/local/samba. It assumes you are joining Samba to an existing domain called 'samdom.example.com'.

What is the problem with that? Because you can configure to have Samba and parts of it wherever you want (as ./configure options), /usr/local/samba is just the default location where Samba is installed in, if you don't do any changes on ./configure. For a tutorial it's best to use the default locations. Just adapt the paths to your environment.

And samdom.example.com is just a sample realm we use in our wiki HowTos. Replace it with your own one.

>>> Question here is, do i need the registry fixes for windows 7, if my windows 2008 DC if domain controller.
>>
>> No registry changes, if your Domain is provided by Windows or Samba AD. I have read that it's necessary for a Samba NT4 style domain only. But I haven't used a Samba PDC with Win7 yet myself (only Samba AD).
>
> I have some win7 on the NT4 style domain, but I didn't use any registry fixes.

If it's working fine without any fixes, where's the problem? ;-)

Regards,
Marc
Re: [Samba] Administrative users on domain
On 07/17/13 14:32, Donny Brooks wrote: On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: According to the net man page In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege. The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege. On 07/17/13 09:44, Donny Brooks wrote: On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote: Hello Donny, Am 12.07.2013 21:34, schrieb Donny Brooks: On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ... http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions ... and when the prompt came up in windows to install software we could log in as ourselves. What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations? http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s If you mean something else, please give some more details. Regards, Marc Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply. 
Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html And map our itgroup to the Domain Admins group. Although we do have a Domain Admins group in ldap. Should that cause an issue? Group mapping is to make sure Windows groups map to the correct unix group. This is not like mapping a Windows user name to a different unix user name (e.g. Windows Administrator = Unix root). With LDAP, group mapping is usually simpler since the LDAP object for a group usually has the Samba SID and the unix group id. The net groupmap list command is useful for validating this. You want to make sure that you do see group mapping for Domain Admins and Domain Users and other well-known groups. You are more likely to have to use the net groupmap add command when you don't have LDAP. Well-known groups have to have specific relative IDs. The domain admin group HAS to have a relative ID of 512 in the SID. You have to make sure the Administrator is in the group. That behavior changes with versions newer than 3.0.x #net groupmap list Domain Admins (S-1-5-21--x-x-512) - Domain Admins ... # getent group Domain Admins Domain Admins::512:Administrator # I don't think you have a samba issue. I think you have a general Windows issue about the most practical way to provide the IT group with sufficient privileges to manage computers without giving too much access. Depending on the size of your IT department, and the necessity to audit/control who makes what change, each IT user may need two accounts, one that is a regular account and one that is a member of the domain admins and local admins group (e.g. donny and donny_admin). This way they can do whatever they need, but they don't run as admin for routine tasks, and you can track who made what change (if need be) or limit who has full admin rights.
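The checks described in the reply above (well-known groups present in the mapping, Domain Admins carrying RID 512, Administrator a member of the mapped unix group), as an added example that is not part of the thread: a shell function that audits saved `net groupmap list` and `getent group` output. The function names, finding labels, SIDs and sample data are constructed; RIDs 513 and 514 for Domain Users and Domain Guests are the standard well-known values rather than figures from the thread, and the `NT group (SID) -> unix group` line shape is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. All SIDs and group data are constructed.

# audit_groupmap GROUPMAP_FILE GETENT_FILE
#   GROUPMAP_FILE: saved output of `net groupmap list`
#   GETENT_FILE:   saved output of `getent group`
# Prints one finding per line and returns 0 only when nothing is wrong.
audit_groupmap() {
    awk '
    BEGIN {
        # Well-known domain groups and their fixed RIDs.
        n = split("Domain Admins:512,Domain Users:513,Domain Guests:514", w, ",")
        for (i = 1; i <= n; i++) { split(w[i], kv, ":"); grp[i] = kv[1]; want[i] = kv[2] }
    }
    FILENAME == ARGV[1] {
        # Line shape: NT group (S-1-5-21-a-b-c-RID) -> unix group
        lp = index($0, " (S-"); if (lp == 0) next
        rest = substr($0, lp + 2)
        rp = index(rest, ")"); if (rp == 0) next
        k = split(substr(rest, 1, rp - 1), part, "-")
        nt = substr($0, 1, lp - 1)
        rid[nt] = part[k]                      # last SID component is the RID
        ux = substr(rest, rp + 1)
        sub(/^[^>]*> */, "", ux); sub(/[ \t\r]+$/, "", ux)
        unixgrp[nt] = ux
        next
    }
    {
        # Line shape: group:passwd:gid:member,member
        split($0, f, ":")
        members[f[1]] = "," f[4] ","
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            g = grp[i]
            if (!(g in rid))                   { print "MISSING " g; bad = 1 }
            else if (rid[g] != want[i])        { print "BADRID " g " rid=" rid[g] " expected=" want[i]; bad = 1 }
            else if (!(unixgrp[g] in members)) { print "NOUNIX " g " -> " unixgrp[g]; bad = 1 }
            else                                 print "OK " g " rid=" rid[g] " unix=" unixgrp[g]
        }
        # The reply also asks that Administrator be a member of Domain Admins.
        u = ("Domain Admins" in unixgrp) ? unixgrp["Domain Admins"] : ""
        if (u != "" && (u in members) && index(members[u], ",Administrator,") == 0) {
            print "NOADMIN Administrator not in " u; bad = 1
        }
        exit bad
    }' "$1" "$2"
}

# write_samples DIR: create constructed sample captures in DIR.
write_samples() {
    cat >"$1/good.map" <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> Domain Guests
EOF
    cat >"$1/bad.map" <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-1001) -> itgroup
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users
EOF
    cat >"$1/getent.txt" <<'EOF'
Domain Admins::512:Administrator
Domain Users::513:
Domain Guests::514:
itgroup::1001:donny
EOF
}

# Stand-alone run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== good mapping =="
audit_groupmap "$demo_dir/good.map" "$demo_dir/getent.txt" || echo "findings need attention"
echo "== bad mapping =="
audit_groupmap "$demo_dir/bad.map" "$demo_dir/getent.txt" || echo "findings need attention"
rm -rf "$demo_dir"
```

On a live server the two inputs would be captured first, for example by redirecting `net groupmap list` and `getent group` to files, and then passed to `audit_groupmap`.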
Re: [Samba] Administrative users on domain
On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 14:32, Donny Brooks wrote: On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: According to the net man page In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege. The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege. On 07/17/13 09:44, Donny Brooks wrote: On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote: Hello Donny, Am 12.07.2013 21:34, schrieb Donny Brooks: On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ... http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions ... and when the prompt came up in windows to install software we could log in as ourselves. What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations? http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s If you mean something else, please give some more details. Regards, Marc Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply. 
It is correctly mapped and is 512. Nothing changed on the windows side during the domain change other than removing the machines from the old domain and rejoining them to the new one. We don't have to have the accounting trail that two accounts would give us right now. I just want to be able to tell my other people they can join computers to the domain and perform software upgrades with their own credentials. -- Donny B.
Re: [Samba] Administrative users on domain
On 07/17/13 15:02, Donny Brooks wrote: On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 14:32, Donny Brooks wrote: On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: According to the net man page In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege. The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege. On 07/17/13 09:44, Donny Brooks wrote: On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote: Hello Donny, Am 12.07.2013 21:34, schrieb Donny Brooks: On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ... http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions ... and when the prompt came up in windows to install software we could log in as ourselves. What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations? http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s If you mean something else, please give some more details. Regards, Marc Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply. 
It is correctly mapped and is 512. Nothing changed on the windows side during the domain change other than removing the machines from the old domain and rejoining them to the new one. We don't have to have the accounting trail that two accounts would give us right now. I just want to be able to tell my other people they can join computers to the domain and perform software upgrades with their own credentials. OK I am looking at your original post again. I don't think you said which version you had been using. net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U superusername Is the superuser name the domain Administrator account? The problem seems to involve the superusername user, not the Domain Admins group. I think with older version of samba, the Administrator account was implicit, and you could map the windows Administrator to the unix root account and all was OK. With
Re: [Samba] Administrative users on domain
On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 15:02, Donny Brooks wrote: On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 14:32, Donny Brooks wrote: On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: According to the net man page In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege. The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege. On 07/17/13 09:44, Donny Brooks wrote: On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote: Hello Donny, Am 12.07.2013 21:34, schrieb Donny Brooks: On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ... http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions ... and when the prompt came up in windows to install software we could log in as ourselves. What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations? http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s If you mean something else, please give some more details. Regards, Marc Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply. 
Re: [Samba] Administrative users on domain
On 07/17/13 16:12, Donny Brooks wrote: On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 15:02, Donny Brooks wrote: On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 14:32, Donny Brooks wrote: On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: According to the net man page In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege. The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege. On 07/17/13 09:44, Donny Brooks wrote: On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote: Hello Donny, Am 12.07.2013 21:34, schrieb Donny Brooks: On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ... http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions ... and when the prompt came up in windows to install software we could log in as ourselves. What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations? http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s If you mean something else, please give some more details. Regards, Marc Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply. 
Re: [Samba] Administrative users on domain
On Wednesday, July 17, 2013 04:33 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 16:12, Donny Brooks wrote: On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 15:02, Donny Brooks wrote: On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: On 07/17/13 14:32, Donny Brooks wrote: On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote: According to the net man page In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege. The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege. On 07/17/13 09:44, Donny Brooks wrote: On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote: Hello Donny, Am 12.07.2013 21:34, schrieb Donny Brooks: On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ... http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions ... and when the prompt came up in windows to install software we could log in as ourselves. What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations? http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s If you mean something else, please give some more details. Regards, Marc Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. 
Re: [Samba] Restore samba4 backup
Hi Marc, It works. Thank you very much. Regards, Edison
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree. The autobuild log of the failure is available here: http://git.samba.org/autobuild.flakey/2013-07-17-1057/flakey.log The samba3 build logs are available here: http://git.samba.org/autobuild.flakey/2013-07-17-1057/samba3.stderr http://git.samba.org/autobuild.flakey/2013-07-17-1057/samba3.stdout The source4 build logs are available here: http://git.samba.org/autobuild.flakey/2013-07-17-1057/samba.stderr http://git.samba.org/autobuild.flakey/2013-07-17-1057/samba.stdout The top commit at the time of the failure was: commit 9b2aa351ceb756d6ea63f3158f0e983ae7262da8 Author: Alexander Werth alexander.we...@de.ibm.com Date: Tue Jul 9 17:14:08 2013 +0200 s3: Remove old mode special substitution. The mode special substitution now happens in a separate function. The substitution at this point is unnecessary. Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Christian Ambach a...@samba.org Autobuild-User(master): Christian Ambach a...@samba.org Autobuild-Date(master): Tue Jul 16 00:52:26 CEST 2013 on sn-devel-104
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree. The autobuild log of the failure is available here: http://git.samba.org/autobuild.flakey/2013-07-18-0339/flakey.log The samba3 build logs are available here: http://git.samba.org/autobuild.flakey/2013-07-18-0339/samba3.stderr http://git.samba.org/autobuild.flakey/2013-07-18-0339/samba3.stdout The source4 build logs are available here: http://git.samba.org/autobuild.flakey/2013-07-18-0339/samba.stderr http://git.samba.org/autobuild.flakey/2013-07-18-0339/samba.stdout The top commit at the time of the failure was: commit 9b2aa351ceb756d6ea63f3158f0e983ae7262da8 Author: Alexander Werth alexander.we...@de.ibm.com Date: Tue Jul 9 17:14:08 2013 +0200 s3: Remove old mode special substitution. The mode special substitution now happens in a separate function. The substitution at this point is unnecessary. Reviewed-by: Andrew Bartlett abart...@samba.org Reviewed-by: Christian Ambach a...@samba.org Autobuild-User(master): Christian Ambach a...@samba.org Autobuild-Date(master): Tue Jul 16 00:52:26 CEST 2013 on sn-devel-104
[SCM] CTDB repository - branch master updated - ctdb-2.3-2-g5740155
The branch, master has been updated via 5740155cc5de1a223412e8529aa1a383a5412514 (commit) via 67c227a5d30cb8487b20b19b20bdfa4613906609 (commit) from 412bc0e20bef694d4e911dc9c984fd7716231f1f (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit 5740155cc5de1a223412e8529aa1a383a5412514 Author: Amitay Isaacs ami...@gmail.com Date: Tue Jul 16 12:53:16 2013 +1000 packaging: Bundle debug_locks.sh script in RPM Signed-off-by: Amitay Isaacs ami...@gmail.com commit 67c227a5d30cb8487b20b19b20bdfa4613906609 Author: Amitay Isaacs ami...@gmail.com Date: Tue Jul 16 12:52:00 2013 +1000 packaging: No need to check for existence of scripts, they always do Signed-off-by: Amitay Isaacs ami...@gmail.com --- Summary of changes: Makefile.in|7 --- packaging/RPM/ctdb.spec.in |1 + 2 files changed, 5 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/Makefile.in b/Makefile.in index 678141f..620ed84 100755 --- a/Makefile.in +++ b/Makefile.in 
@@ -389,10 +389,11 @@ install: all manpages $(PMDA_INSTALL) if [ -f doc/onnode.1 ];then ${INSTALLCMD} -m 644 doc/onnode.1 $(DESTDIR)$(mandir)/man1; fi if [ -f doc/ltdbtool.1 ]; then ${INSTALLCMD} -m 644 doc/ltdbtool.1 $(DESTDIR)$(mandir)/man1; fi if [ -f doc/ping_pong.1 ];then ${INSTALLCMD} -m 644 doc/ping_pong.1 $(DESTDIR)$(mandir)/man1; fi - if [ ! -f $(DESTDIR)$(etcdir)/ctdb/notify.sh ];then ${INSTALLCMD} -m 755 config/notify.sh $(DESTDIR)$(etcdir)/ctdb; fi + ${INSTALLCMD} -m 755 config/notify.sh $(DESTDIR)$(etcdir)/ctdb ${INSTALLCMD} -m 755 config/debug-hung-script.sh $(DESTDIR)$(etcdir)/ctdb - if [ ! -f $(DESTDIR)$(etcdir)/ctdb/ctdb-crash-cleanup.sh ];then ${INSTALLCMD} -m 755 config/ctdb-crash-cleanup.sh $(DESTDIR)$(etcdir)/ctdb; fi - if [ ! -f $(DESTDIR)$(etcdir)/ctdb/gcore_trace.sh ];then ${INSTALLCMD} -m 755 config/gcore_trace.sh $(DESTDIR)$(etcdir)/ctdb; fi + ${INSTALLCMD} -m 755 config/ctdb-crash-cleanup.sh $(DESTDIR)$(etcdir)/ctdb + ${INSTALLCMD} -m 755 config/gcore_trace.sh $(DESTDIR)$(etcdir)/ctdb + ${INSTALLCMD} -m 755 config/debug_locks.sh $(DESTDIR)$(etcdir)/ctdb install_pmda: $(INSTALLCMD) -m 755 -d $(DESTDIR)$(PMDA_DEST_DIR) diff --git a/packaging/RPM/ctdb.spec.in b/packaging/RPM/ctdb.spec.in index b87ba0b..62fc65f 100644 --- a/packaging/RPM/ctdb.spec.in +++ b/packaging/RPM/ctdb.spec.in @@ -149,6 +149,7 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) %{_sysconfdir}/ctdb/debug-hung-script.sh %config(noreplace) %{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh %config(noreplace) %{_sysconfdir}/ctdb/gcore_trace.sh +%config(noreplace) %{_sysconfdir}/ctdb/debug_locks.sh %if %{with_systemd} %{_unitdir}/ctdb.service -- CTDB repository
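Review bot: the removed "if [ ! -f $(DESTDIR)$(etcdir)/ctdb/... ]" guards in the Makefile.in install target tested the destination, not the source, so the commit message's reasoning ("they always do" exist) does not cover what the check was protecting. With the guards gone, every make install overwrites notify.sh, ctdb-crash-cleanup.sh and gcore_trace.sh under $(etcdir)/ctdb and silently discards local edits to those hooks, while the RPM path still preserves them through %config(noreplace). If unconditional overwrite is intended, the commit message should say so and the two install paths should be reconciled; otherwise keep a destination check and apply it consistently, including to debug-hung-script.sh and the newly added debug_locks.sh line.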
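Review bot: in the packaging/RPM/ctdb.spec.in hunk, debug_locks.sh is added as %config(noreplace), so a package upgrade will leave a locally modified copy in place and later fixes to the script will not reach that host. That matches the three neighbouring entries, but for a diagnostic helper it is worth confirming this is the intended behaviour rather than listing it as a plain packaged file, and a one-line comment in the spec explaining why these scripts are treated as configuration would help the next packager.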