Dear Help,
I'm currently running Samba with an LDAP passdb backend. I'm trying to figure
out how to NOT allow a particular user to change their password (through
Windows, or any interface). I've tried modifying the values for
sambaPwdCanChange and sambaPwdMustChange for a particular user, but
Third question:
The configuration file for the smbldap tools allows one to
specify a slave LDAP just for the read access, and a master
for write access, thus supporting LDAP replications.
Does ldapsam support the same?
regards
Hadmut
Hi Hadmut,
I can at least help you with this one.
The problem is that he can still modify its LDAP password.
You could add acls to your slapd.conf such that only your
ldap admin dn has write access to the userPassword attribute.
In this case the only way to change the password is via samba.
HTH,
Thierry.
Hi Thierry,
Modifying
If you add the ppolicy overlay you have a clean way to prevent password
changes for some accounts (through Windows, or any interface).
For instance one can use a pwdPolicy with pwdAllowUserChange: FALSE
Hi Thierry,
I think I have the disallow change password issue figured out.
I'm mostly
Dear Help,
I currently have a Samba PDC along with multiple BDCs using an eDirectory LDAP
backend. While trying to figure out how to get the bad password account lockout
feature to work, I managed to somehow mess up the samba PDC.
If a user attempts to authenticate against the PDC with the
Matt Anderson sokkerstud_11 at hotmail.com writes:
I currently have a Samba PDC along with multiple BDCs using an eDirectory LDAP
backend. While trying to figure out how to get the bad password account
lockout feature to work, I managed to somehow mess up the samba PDC.
For anyone who runs
Dear Help,
Initially, I thought that I had solved this problem, but it turns out that I
haven't. I currently have Samba set up as a PDC with an eDirectory/LDAP
backend. There are also a few Samba BDCs in play as well.
If a user enters the correct password, there are no issues and everything
Hello Help,
I'm currently running Samba as a PDC (and several BDCs) on our network. The
domain is currently in a testing stage and only has a small number (less than 5)
machines joined to it. However, when I go to the /var/log/samba directory,
there seems to be a log file created for virtually
I get log files for every single ip address that tries to contact the
samba server even if they are not part of the domain.
John
Hi John,
Thanks for the quick reply. Do you know why a computer not joined to the domain
(and not accessing shares/printers on the PDC) would be contacting it?
Is the windows workgroup or domain name the same as the domain name of
the samba PDC that you are testing?
John
Hi John,
Nope. The workgroup and Samba Domains have two different names. However, I
believe someone set up another Samba Domain with the same name as the workgroup.
So, just to
Yes, It does. I assume they are all on same subnet? Are you using WINS?
John
Well, there are multiple subnets, but yes, the ones generating log files are all
part of the same subnet.
And no, we're not using WINS. (At least I don't have anything specified for
wins server and wins support
My reasoning is I do not believe this is a samba configuration issue
it is more of why are these windows boxes seeking out and trying to
contact your samba server? And from the info you have provided I am
not sure.
John
Hi John,
Thanks for the info. Yeah, I'm not sure either :) Is there
I can not think of any right now. You may want to check some of these
logs to see what they are trying to access.
John
Well, in most cases, it looks like an authentication is being attempted, like
the following (full context below):
...
[2007/08/20 07:28:09, 3]
Jean-Jacques Moulis jj at isy.liu.se writes:
Windows XP automatically searches the network for shares and printers upon
connecting to the network.
To disable XP automatic discovery:
* In Explorer, click Tools
* Click Folder Options
* Click the View tab,
* Uncheck
Dear Help,
I am currently running Samba as a PDC (and several BDCs). I noticed that
there are sambaLogonTime and sambaLogoffTime LDAP attributes that are
currently unused integer values.
I would like to be able to track each user's successful logins (in terms of a
timestamp -- a hostname
Dear Help,
Here is my situation:
We have offices located in several areas around the country, all of which can
communicate with each other through VPNs we have established. I have set up a
Samba domain in which the PDC is located here in our home office, and there are
BDCs for the same domain in
Quinn Fissler qfissler at gmail.com writes:
The problem is caused by the client not having the address of the
domain controller.
On a windows client, you need to populate
%SYSTEM_ROOT%\system32\drivers\etc\lmhosts
use UPPERCASE names regardless of what the MS docs say.
Hi Guys,
Dear Help, I am running Samba 3.0.25 on AIX 5.3 (installed from the binaries
available on samba.org including the base install -- openldap, etc.) and have
set it up to authenticate to LDAP directories on two different servers (one of
them set up as a samba PDC and the other as a samba BDC) in
Dear Help, I am currently running Samba 3.0.25 on AIX 5.3 (installed from the
downloaded binaries from samba.org). I have configured Samba to authenticate
to an LDAP backend on different servers (Two other samba configurations, one
set up as PDC the other as BDC) in the usual way: workgroup =
Boaz Bezborodko boaz at mirrotek.com writes:
I have set up a logon script to run when users login. It works for me
when I log in, but my user ID is mapped to a root group as well as
administrative privileges. But it is not executing for regular users.
What am I doing wrong?
Thanks in
Dear Help,
I have discovered the fact that since 3.0.23, multiple backends
cannot be defined by the passdb backend directive in smb.conf.
I am currently using version 3.0.25 on AIX 5.3. Does anyone
know of a way to use more than one backend?
The reason I ask is because we currently have
Any thoughts, advice and/or help would be greatly appreciated.
-Matt
In addition, this server will be set up as a Domain Member (security=domain).
Josh Kelley joshkel at gmail.com writes:
On 6/11/07, Matt Anderson sokkerstud_11 at hotmail.com wrote:
I have discovered the fact that since 3.0.23, multiple backends
cannot be defined by the passdb backend directive in smb.conf.
I am currently using version 3.0.25 on AIX 5.3. Does
pdbsql provides several different backends; one of the backends that
it provides, pdb_multi, is supposed to provide support for chaining
multiple backends.
I haven't used it to know how well it works.
Josh Kelley
Hi Josh,
Thanks again for the help. I see what you're talking about on
scenario #3
all workstations have to leave the old DOMAIN (does this have to be done
before the rename?). and after the renaming of the main PDC we'll have
to rejoin all windows xp pro workstations to the newly named domain?
scenario #4
any other suggestions or hints on how to best do
Dear Help,
We are currently running Samba 3.0.22 on a distributed network/domain as a PDC
(primary domain controller) and several as BDCs (Backup domain controllers) in
our branch offices located around the country.
At this point, the PDC is set up in our corporate office (where I'm located) and
Matt Anderson sokkerstud_11 at hotmail.com writes:
However, users located in the branch offices (where the BDCs are located), they
have no trouble authenticating (via logging into windows and accessing shares)
BUT are unable to change their password through the Windows interface, getting
Adam Williams awilliam at mdah.state.ms.us writes:
in the BDC, take out:
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
unix password sync = yes
add:
ldap passwd sync = yes
encrypt passwords = yes
Dennis McLeod dmcleod at foranyauto.com writes:
Forgot to add:
http://support.microsoft.com/?kbid=242468
For details on netsh.
Awesome! Thanks!
Also -- I'm not sure, but by editing nsswitch.conf on the BDC, for the line for
hosts to include wins, like:
hosts: files dns wins
Seems to
Chris Smith smb23 at realcomputerguy.com writes:
I use a rule of thumb that with =5 computers it saves much time and
trouble to use services such as dhcp, dns, wins, etc. Set up dhcp (and
dns if you don't have it), you will be glad you did.
Hi Chris,
Thanks for the feedback -- I totally
Matt Anderson sokkerstud_11 at hotmail.com writes:
Also -- I'm not sure, but by editing nsswitch.conf on the BDC, for the line for
hosts to include wins, like:
hosts: files dns wins
SCRATCH THAT. I waited a little longer and tried it again and it failed to find
the domain again. So, I'm
Matt Anderson sokkerstud_11 at hotmail.com writes:
However, users located in the branch offices (where the BDCs are located), they
have no trouble authenticating (via logging into windows and accessing shares)
BUT are unable to change their password through the Windows interface, getting
Dennis McLeod dmcleod at foranyauto.com writes:
That's how this place was when I got here. The real issue was with
websurfing control. Current setup is restricting by ip address, not user
(they didn't exist before), so they set up static.
I set up a dhcp server, and used dynamically assigned
Dear Help,
We are in the process of setting up a new domain using Active Directory on
Windows Server 2003R2. One of our goals was to use Active Directory for
authentication on our AIX box (running version 6.1). I was able to successfully
set up Kerberos, and the LDAP client to connect to our AD
Jason Gerfen jason.gerfen at scl.utah.edu writes:
Have you tried to look at the user account information using ldapsearch?
Just to ensure the POSIX account data is present in AD.
If you are attempting to authenticate as a domain user try the username
as DOMAIN\Username.
Hi Jason,
Matt Anderson sokkerstud_11 at hotmail.com writes:
I think I may have solved why users were not being found. When I tried doing
wbinfo -i test01, I got an error stating that information for user could not be
found. After digging a little bit through the log files, I discovered that the
SID
Which leads me to my next question -- after making the change to the primary
group, I was able to authenticate successfully against the testing share as
user TEST+test01 from my Windows XP box... however, with an examination of the
file system, I determined that any files I created in this
Dear Help,
I'm working on building samba from source (version 3.0.29) on AIX v6.1. I used
the following configure statement:
./configure --with-shared-modules=idmap_ad --with-krb5=/etc/krb5 CC=xlc
CPPFLAGS=-I/opt/pware/include LDFLAGS=-L/opt/pware/lib
I then edited the Makefile so that the
Dear Help,
I am having a very odd problem. For some reason, I am able to browse to my
Samba share by IP address but not by host name from Windows 2008 servers in a
particular domain (the same domain the Samba server belongs to). However, I am
able to browse by host name from XP clients as well