[Samba] SID problem Re: Moving a computer from a down domain to a new domain

2013-04-12 Thread Robert Moskowitz
OK, this is a SID problem.  I built a new XP system, installed SP3 then 
tried to use the wizard to connect to the domain:


[root@homebase samba]# cat homebase-dectop1
[2013/04/12 16:21:44.899424,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)

[2013/04/12 16:21:44.899608,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/12 16:23:30.110032,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)

[2013/04/12 16:23:30.110200,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'


How do you figure out a SID problem and fix it?  This was a clean Samba 
install.



On 04/11/2013 08:39 PM, Robert Moskowitz wrote:
I had been running a samba server, the AMAHI F12 distro, that has 
samba 3.4.9.  It ran well enough, but I was planning on replacing it 
with ClearOS.  Well Monday night I lost my server hard drive, so now it 
is crunch time to update/upgrade.


I think I have ClearOS configured properly, it is running samba 3.6.10 
(Redhat 6.4 based).  So far I have tried to add two of my XP systems 
to the new domain.  The process I have been using (and what I did 4 
years ago when I moved them from a REAL NT domain to the samba domain) 
was to first login locally as administrator and using System 
Properties  Computer Name Domain Change to move the computer to a 
workgroup called SELF.  I then reboot and use the same dialog to join 
the new domain, HOME.  The old domain was HDA, but a prior domain was 
also HOME.  This fails and in the samba logs I see:


[2013/04/11 20:22:29.563127,  0] 
auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/11 20:26:01.504397,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)
[2013/04/11 20:26:01.504589,  0] 
auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/11 20:26:44.676638,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)
[2013/04/11 20:26:44.676804,  0] 
auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'


rgm is a user on the system that has admin priv, and a user on the 
samba server that is in the domain_admin group.


What is with the SID problem?  How do I clean this up?




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
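
Added example (not part of the original post and not Samba code): a small Python parser for the samu_to_SamInfo3 warnings quoted above. It un-wraps the mailed log text and shows, per account, the primary group SID's domain prefix and RID next to the server's domain SID; the function names are illustrative and the sample log is copied from the post.

```python
import re
from collections import defaultdict

# Log text copied from the post above, including the line wrapping added by
# the mail client (the parser has to cope with that wrapping).
SAMPLE_LOG = """\
[2013/04/12 16:21:44.899424,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)

[2013/04/12 16:21:44.899608,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'

[2013/04/12 16:23:30.110032,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for
winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)

[2013/04/12 16:23:30.110200,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
"""

# Matches one warning after all whitespace runs have been collapsed to spaces.
MISMATCH_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]\s+"
    r"\S+\(samu_to_SamInfo3\)\s+"
    r"The primary group domain sid\((?P<group_sid>S-[\d-]+)\) does not match the "
    r"domain sid\((?P<domain_sid>S-[\d-]+)\) for "
    r"(?P<account>[^\s(]+)\((?P<user_sid>S-[\d-]+)\)"
)


def split_sid(sid):
    """Split a SID into (domain prefix, RID); the RID is the last sub-authority."""
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def parse_mismatches(text):
    """Return one record per 'primary group domain sid does not match' warning."""
    flat = " ".join(text.split())  # undo the line wrapping
    records = []
    for m in MISMATCH_RE.finditer(flat):
        group_prefix, group_rid = split_sid(m["group_sid"])
        user_prefix, user_rid = split_sid(m["user_sid"])
        records.append({
            "timestamp": m["ts"],
            "account": m["account"],
            "domain_sid": m["domain_sid"],
            "user_rid": user_rid,
            # True when the account itself already carries the server's SID
            "user_in_domain": user_prefix == m["domain_sid"],
            "group_prefix": group_prefix,
            "group_rid": group_rid,
        })
    return records


def summarize(records):
    """Map each foreign group-SID prefix to the accounts that still reference it."""
    by_prefix = defaultdict(set)
    for r in records:
        if r["group_prefix"] != r["domain_sid"]:
            by_prefix[r["group_prefix"]].add(r["account"])
    return {prefix: sorted(accounts) for prefix, accounts in by_prefix.items()}


def count_auth_failures(text):
    """Count the check_sam_security failures that accompany the warnings."""
    return " ".join(text.split()).count("make_server_info_sam() failed")


if __name__ == "__main__":
    recs = parse_mismatches(SAMPLE_LOG)
    for r in recs:
        print(f"{r['timestamp']} {r['account']}: user RID {r['user_rid']} "
              f"in domain={r['user_in_domain']}, group RID {r['group_rid']} "
              f"under {r['group_prefix']}")
    for prefix, accounts in summarize(recs).items():
        print(f"primary group SIDs under {prefix}: {', '.join(accounts)}")
    print(f"auth failures logged: {count_auth_failures(SAMPLE_LOG)}")
```

For the log above this shows both accounts carrying the server's domain SID while their primary group (RID 513) still sits under a different domain prefix.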


[Samba] Moving a computer from a down domain to a new domain

2013-04-11 Thread Robert Moskowitz
I had been running a samba server, the AMAHI F12 distro, that has samba 
3.4.9.  It ran well enough, but I was planning on replacing it with 
ClearOS.  Well Monday night I lost my server hard drive, so now it is 
crunch time to update/upgrade.


I think I have ClearOS configured properly, it is running samba 3.6.10 
(Redhat 6.4 based).  So far I have tried to add two of my XP systems to 
the new domain.  The process I have been using (and what I did 4 years 
ago when I moved them from a REAL NT domain to the samba domain) was to 
first login locally as administrator and using System Properties  
Computer Name Domain Change to move the computer to a workgroup called 
SELF.  I then reboot and use the same dialog to join the new domain, 
HOME.  The old domain was HDA, but a prior domain was also HOME.  This 
fails and in the samba logs I see:


[2013/04/11 20:22:29.563127,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/11 20:26:01.504397,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)

[2013/04/11 20:26:01.504589,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/11 20:26:44.676638,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)

[2013/04/11 20:26:44.676804,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'


rgm is a user on the system that has admin priv, and a user on the samba 
server that is in the domain_admin group.


What is with the SID problem?  How do I clean this up?




Re: [Samba] User submitted job

2011-02-19 Thread Robert Moskowitz

On 02/18/2011 04:27 PM, Jeff Ross wrote:

On 02/18/11 14:14, Christ Schlacta wrote:

On 2/18/2011 05:49, Robert Moskowitz wrote:

Is there a way for a user to run a job on the server?

In particular, I want to implement a 'one click' backup using 
rsync.  An icon on the desktop would do something (in a batch script 
maybe or some canned program) that would run a job under their ID 
that would rsync their home directory to a backup directory.




magic files.


In my experience, if you leave backups to users you're in big trouble 
because it doesn't matter how easy you make the backup it isn't going 
to get done.


Oh, I already have nightly rsync in place to back up the home shares; it 
rsyncs the whole /home tree.  But one very important user doesn't trust 
this (my wife!), so on top of what I am doing every night, I want an 
icon she can click on that would run a special backup just for her.  
Give her something she can 'see' did something for her...


Since the home share is the user account (/home/user), I was thinking to 
just create a .crontab or something similar that would then run the job 
once and now.  I would like to think there is something better than 
creating /home/user/.crontab, and I suspect this will not really work 
anyway.




DeltaCopy is what you are after:

http://www.aboutmyip.com/AboutMyXApp/DeltaCopy.jsp


I will look at this.


Re: [Samba] User submitted job

2011-02-19 Thread Robert Moskowitz



On 02/18/2011 04:15 PM, Christ Schlacta wrote:

On 2/18/2011 05:49, Robert Moskowitz wrote:

Is there a way for a user to run a job on the server?

In particular, I want to implement a 'one click' backup using rsync.  
An icon on the desktop would do something (in a batch script maybe or 
some canned program) that would run a job under their ID that would 
rsync their home directory to a backup directory.




magic files.


What do you mean by this?  One idea I had was to create a file that the 
hourly cronjob would watch for, that would trigger an rsync and delete 
this 'magic file'.  But this is not immediate enough for the user in 
question.



[Samba] User submitted job

2011-02-18 Thread Robert Moskowitz

Is there a way for a user to run a job on the server?

In particular, I want to implement a 'one click' backup using rsync.  An 
icon on the desktop would do something (in a batch script maybe or some 
canned program) that would run a job under their ID that would rsync 
their home directory to a backup directory.





[Samba] What to backup on PDC with security=user

2011-02-16 Thread Robert Moskowitz
Burned once and all that.  I am setting up rsync cron jobs to back up 
what I would need to completely rebuild the server.


My PDC is running with security=user.  I know I have to backup:

/home
.../netlogon
.../profiles
/etc/passwd (and shadow, how to do this with rsync?)
/etc/groups (ditto)

What else?




Re: [Samba] What to backup on PDC with security=user

2011-02-16 Thread Robert Moskowitz

Thank you for the response, see below.

On 02/16/2011 08:21 AM, Helmut Hullen wrote:

Hello, Robert,

You wrote on 16.02.11:

Burned once and all that.  I am setting up rsync cron jobs to back up
what I would need to completely rebuild the server.
My PDC is running with security=user.  I know I have to backup:
/home
/netlogon
/profiles
/etc/passwd (and shadow, how to do this with rsync?)
/etc/groups (ditto)
What else?

Command:
 net getlocalsid > localsid.txt


And on a rebuild, how do I use this sid instead of whatever a new system 
creates?



Files:
  /etc/samba/private/passdb.tdb
  /etc/samba/private/secrets.tdb


These are in /var/lib/samba/private on Fedora 12; along with 
schannel_store.tdb


And what about all the other .tdb files I see one level down?


  /etc/samba/smb.conf

(and/or perhaps the whole /etc/samba directory)


I am using the Amahi system and it builds these from its sql database 
that I am separately backing up.

Do you use LDAP? Then there is still more to back up.


No, I thought that the 'security=user' means that it is using /etc/passwd.


Re: [Samba] What to backup on PDC with security=user

2011-02-16 Thread Robert Moskowitz

On 02/16/2011 10:07 AM, Helmut Hullen wrote:

Hello, Robert,

You wrote on 16.02.11:


Burned once and all that.  I am setting up rsync cron jobs to back
up what I would need to completely rebuild the server.

[...]


What else?

Command:
  net getlocalsid > localsid.txt

And on a rebuild, how do I use this sid instead of whatever a new
system creates?

Command:

 net setlocalsid <localsid>

The simplest way to get the parameter localsid is looking into the
above file localsid.txt; the SID starts with S-1.


Oh, so after I rebuild a system, I then overwrite whatever SID it 
created with this old one with the setlocalsid command. I do not specify 
it in some parameter in the smb.conf...





[Samba] More Samba PDC problems

2011-02-15 Thread Robert Moskowitz
So I back up my settings for user1, by stopping smb and nmb on the 
server (I have to do this, rather than disconnect it, as it is also the 
DHCP server).  I was able to get in with the local cached settings and 
back them up.


I then logged out, started smb and nmb and logged in again.  I got 
warned that there were no settings and local settings were being used.  
I then logged out, and saw the settings saved on the server in the 
.../profiles/user1/ directory.


I go to log in again and get an error:

Windows cannot connect to the domain, either because the domain 
controller is down or otherwise unavailable ...  or because your 
computer account was not found


smb and nmb are running.  I try restarting them, no difference.

I had created the computer account with the script:

add machine script = /usr/sbin/useradd -d /dev/null -g 99 -s /bin/false -M %u


where %u is the computer name followed by a $ (this is how the other 
computer was set up).


I don't see the computer account as the problem, I did get in the first 
time.


So I look at the permissions for .../profiles/user1 and see they are 
root:users, I change this down the tree to user1:users and no 
difference.  I mv .../profiles/user1 to user1old and try again, no 
difference.


Why might I be getting this error?




[Samba] Solved - Re: More Samba PDC problems

2011-02-15 Thread Robert Moskowitz



On 02/15/2011 09:24 AM, Robert Moskowitz wrote:
So I back up my settings for user1, by stopping smb and nmb on the 
server (I have to do this, rather than disconnect it, as it is also 
the DHCP server). I was able to get in with the local cached settings 
and back them up.


I then logged out, started smb and nmb and logged in again. I got 
warned that there were no settings and local settings were being used. 
I then logged out, and saw the settings saved on the server in the 
.../profiles/user1/ directory.


I go to log in again and get an error:

Windows cannot connect to the domain, either because the domain 
controller is down or otherwise unavailable ... or because your 
computer account was not found


smb and nmb are running. I try restarting them, no difference.

I had created the computer account with the script:

add machine script = /usr/sbin/useradd -d /dev/null -g 99 -s /bin/false -M %u


where %u is the computer name followed by a $ (this is how the other 
computer was set up).


I don't see the computer account as the problem, I did get in the 
first time.


It seems this was the problem. Running the script is NOT the same as 
what happens when the computer is connected to the domain. I bet there 
is a password in there somewhere...


I deleted the computer account and went through the steps, logged in 
locally as Administrator to move the system to a workgroup then back to 
the domain. I only have a few systems, but this would be an ABSOLUTE 
PAIN with a number of systems. Now I have to find out how to back up the 
/etc/passwd shadow file so if I lose the computer again, I can 'easily' 
rebuild things.




So I look at the permissions for .../profiles/user1 and see they are 
root:users, I change this down the tree to user1:users and no 
difference. I mv .../profiles/user1 to user1old and try again, no 
difference.


Why might I be getting this error?





Re: [Samba] Lost my Samba PDC, trying to rebuild

2011-02-15 Thread Robert Moskowitz

On 02/14/2011 12:44 AM, t...@tms3.com wrote:





--- Original message ---
*Subject:* Re: [Samba] Lost my Samba PDC, trying to rebuild
*From:* Robert Moskowitz r...@htt-consult.com
*To:* t...@tms3.com
*Cc:* samba@lists.samba.org
*Date:* Sunday, 13/02/2011 9:39 PM

On 02/13/2011 11:42 PM, t...@tms3.com wrote:




The problem comes with users. The users were user.HOME in 'Documents
and Settings'. But so far on the one computer I have tried with the one
user I have on that computer, it is creating a new profile for
user.HDA. What controls the profile directory on the computer (btw, the
OS is XP)? What do I need to do for it to use the profile of user.HOME?

Disconnect the workstations from the network. Log in with the old
domain user account. Run the file and programs transfer wizard
(Start-All-Programs- Accessories...IIRC) and save the profile
transfer locally. Log in with new domain user and import the
saved profile.


I disconnected the ethernet.  I am logging in as the user for domain 
HOME.  I get the error:
Hmmm...you need to do a reboot without network connectivity on the 
Windows box. The passwords are cached locally.



I used this to set up another computer properly.  Now to go back to the 
problem child again...





The system cannot log you on now because the domain HOME is not 
available.


Before all this, if I did not have network connectivity, I could 
still log in locally.  Hmmm, let's try disconnecting the server 
instead...  No dice as the server is also the DHCP server.


Next let's stop smb and nmb on the server, but leave it 
connected  Just took longer, but still no login.


So now why is it requiring the domain to be present to log in.  No 
local log in?


So I restarted the services and got logged in.

If I log in locally as administrator, is there any way to copy another 
user's files and settings?













Re: [Samba] Lost my Samba PDC, trying to rebuild

2011-02-14 Thread Robert Moskowitz

On 02/14/2011 12:44 AM, t...@tms3.com wrote:





--- Original message ---
*Subject:* Re: [Samba] Lost my Samba PDC, trying to rebuild
*From:* Robert Moskowitz r...@htt-consult.com
*To:* t...@tms3.com
*Cc:* samba@lists.samba.org
*Date:* Sunday, 13/02/2011 9:39 PM

On 02/13/2011 11:42 PM, t...@tms3.com wrote:




The problem comes with users. The users were user.HOME in 'Documents
and Settings'. But so far on the one computer I have tried with the one
user I have on that computer, it is creating a new profile for
user.HDA. What controls the profile directory on the computer (btw, the
OS is XP)? What do I need to do for it to use the profile of user.HOME?

Disconnect the workstations from the network. Log in with the old
domain user account. Run the file and programs transfer wizard
(Start-All-Programs- Accessories...IIRC) and save the profile
transfer locally. Log in with new domain user and import the
saved profile.


I disconnected the ethernet.  I am logging in as the user for domain 
HOME.  I get the error:
Hmmm...you need to do a reboot without network connectivity on the 
Windows box. The passwords are cached locally.


I did that.  I unplugged and did the reboot.  Apparently no local 
caching.  Is there some parameter in the smb.conf that controls this?





The system cannot log you on now because the domain HOME is not 
available.


Before all this, if I did not have network connectivity, I could 
still log in locally.  Hmmm, let's try disconnecting the server 
instead...  No dice as the server is also the DHCP server.


Next let's stop smb and nmb on the server, but leave it 
connected  Just took longer, but still no login.


So now why is it requiring the domain to be present to log in.  No 
local log in?


So I restarted the services and got logged in.

If I log in locally as administrator, is there any way to copy another 
user's files and settings?





[Samba] Lost my Samba PDC, trying to rebuild

2011-02-13 Thread Robert Moskowitz

My PDC is based on the Amahi server in PDC mode, running on Fedora 12.

I got it working previously through a bit of trial and error, and then 
bug fixes to Amahi.  Friday I lost my drive and did not have backups of 
my smb.conf, or my profile directories for my roaming profiles, or most 
of my data.  I had an rsync kind of written, but had not croned it yet


So the rebuild is well underway.  It looks like my server is set. So 
'key' lines in smb.conf are:


workgroup = HOME
server string = home.htt
netbios name = hda
add machine script = /usr/sbin/useradd -d /dev/null -g 99 -s /bin/false -M %u



So I added my first computer into the domain.  I did this by logging in 
locally as administrator, changing it to a workgroup then changing it 
back to my domain.  Looking at that script line, I suspect I can add 
the other computers just by running that command?


The problem comes with users.   The users were user.HOME in 'Documents 
and Settings'.  But so far on the one computer I have tried with the one 
user I have on that computer, it is creating a new profile for 
user.HDA.  What controls the profile directory on the computer (btw, the 
OS is XP)?  What do I need to do for it to use the profile of user.HOME?





Re: [Samba] Lost my Samba PDC, trying to rebuild

2011-02-13 Thread Robert Moskowitz

On 02/13/2011 11:42 PM, t...@tms3.com wrote:





The problem comes with users. The users were user.HOME in 'Documents
and Settings'. But so far on the one computer I have tried with the one
user I have on that computer, it is creating a new profile for
user.HDA. What controls the profile directory on the computer (btw, the
OS is XP)? What do I need to do for it to use the profile of user.HOME?
Disconnect the workstations from the network. Log in with the old 
domain user account. Run the file and programs transfer wizard 
(Start-All-Programs- Accessories...IIRC) and save the profile transfer 
locally. Log in with new domain user and import the saved profile.


I disconnected the ethernet.  I am logging in as the user for domain 
HOME.  I get the error:


The system cannot log you on now because the domain HOME is not available.

Before all this, if I did not have network connectivity, I could still 
log in locally.  Hmmm, let's try disconnecting the server instead...  No 
dice as the server is also the DHCP server.


Next let's stop smb and nmb on the server, but leave it connected  
Just took longer, but still no login.


So now why is it requiring the domain to be present to log in.  No local 
log in?


So I restarted the services and got logged in.

If I log in locally as administrator, is there any way to copy another 
user's files and settings?









[Samba] Can't change password where Samba users are Linux users

2010-10-28 Thread Robert Moskowitz

My PDC is set up where the users are all Linux users.

I added the following lines to my smb.conf:

  unix password sync = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

I go to C-A-D and use the change password button.  I get back a message 
that I do not have permission to change my password.


I do not see any messages in any of the smb or nmb logs after the 
failure.  What am I missing?  Below is my [global] section:


workgroup = Home
server string = home.home
netbios name = hda
printing = cups
printcap name = cups
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
log level = 0
max log size = 150
socket options = TCP_NODELAY
preferred master = yes
os level = 65
domain master = yes
local master = yes
admin users = u1, u2, u3
domain logons = yes
logon path = \\%L\profiles\%U
logon drive = h:
logon home = \\%N\%U
time server = yes
unix extensions = no
wide links = yes
veto files = /*.nws/riched20.dll/*.{*}/
security = user
username map script = /usr/share/hda-platform/hda-usermap
large readwrite = yes
encrypt passwords = yes
dos charset = CP850
unix charset = UTF8
display charset =  LOCALE
guest account = nobody
map to guest = Bad User
wins support = yes
printer admin = root, @ntadmin, administrator
logon script = %U.bat
# FIXME - is 99 (nobody) the right group?
add machine script = /usr/sbin/useradd -d /dev/null -g 99 -s /bin/false -M %u


  unix password sync = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*




[Samba] Workgroup compared to Domain

2010-10-28 Thread Robert Moskowitz
Are there any good articles comparing features/functions of a Workgroup 
compared to a Domain?


I am trying to put something together for the Amahi project and so far 
my searches have been rather slim pickins.





[Samba] SOLVED -- Re: Domain user printing

2010-10-27 Thread Robert Moskowitz
Thanks to the help here and hints over on the SME forum, I got printing 
working.


Basically you have to be logged in on the domain with an admin user and 
THEN install the printer drivers.


So first I had to uninstall the drivers, using a local admin user account.

Then I had to log in to the domain with an admin user.  For this I 
needed the line:


admin users = user1

And I had to spell that right (I had 'admin user' and I did not note any 
error in starting smb services).


Then I installed the driver from this user and it could print.  I could 
then log in with a non-admin user and they could also print.


So anyone that has some control over wiki content for Samba might want 
to put this in for local printer installs:


At least if your printer is a network attached printer and you are 
printing directly to it, you install the printer drivers while logged in 
as a domain admin user.


On 10/26/2010 01:51 PM, Dale Schroeder wrote:

On 10/26/2010 11:15 AM, Robert Moskowitz wrote:

On 10/26/2010 06:39 AM, Lukasz Zalewski wrote:

On 25/10/2010 19:52, Robert Moskowitz wrote:

It looks like a domain user has NO printing permission.

Do I need Policy Editor for this? Where do I get it to run on an XP Pro
system?

I have seen various notes about this, but I can't make head or tails of
them.




Robert,
Have a look at 
http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba
This explains deployment of system policy through samba 3.X. It also 
outlines the difference between system policy and group policy.
You can still use Local Group Policy (through gpedit.msc), but as 
the name suggests it's local to every machine, and not deployable 
from the Domain Controller.


What good is it to know how to implement a policy for all computers 
on the domain if you don't know what policy is giving you the problem?


How do I troubleshoot this blockage.   All I get is the print failure 
when using a domain user.


Robert,

Are any of the group policies in the following section set?  A 
previous email stated you were looking at templates under Computer 
Configuration, so check under


*User Configuration*\Administrative Templates\Control Panel\Printers

Details here:
http://support.microsoft.com/kb/319939

Dale




If you are using samba4 have a look at 
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Installing_Windows_Remote_Administration_Tools_onto_Windows 

These tools include Group Policy Management console that works very 
well with samba4


HTH

Luk




Re: [Samba] Domain user printing

2010-10-26 Thread Robert Moskowitz

On 10/26/2010 06:39 AM, Lukasz Zalewski wrote:

On 25/10/2010 19:52, Robert Moskowitz wrote:

It looks like a domain user has NO printing permission.

Do I need Policy Editor for this? Where do I get it to run on an XP Pro
system?

I have seen various notes about this, but I can't make head or tails of
them.




Robert,
Have a look at 
http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba
This explains deployment of system policy through samba 3.X. It also 
outlines the difference between system policy and group policy.
You can still use Local Group Policy (through gpedit.msc), but as the 
name suggests it's local to every machine, and not deployable from the 
Domain Controller.


Thanks for this reference.  I see it is rather old as originally set up 
on '06 and last modified in '08.  It would seem that Samba PDC setup 
instructions would do a better job of pointing here.


The 'big item' now is which policy to get the HP printer drivers loaded 
to use the local printer setup, as I could not find it on what is 
available in XP, or I just have not set the policy right yet.  As well 
as what policy is blocking connecting to a printer share.  It would be 
nice if there was some logging of the blocking policy.


If you are using samba4 have a look at 
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Installing_Windows_Remote_Administration_Tools_onto_Windows 

These tools include Group Policy Management console that works very 
well with samba4


FC12 comes with 3.4.9, it seems.  So I am staying with what the distro 
provides.





Re: [Samba] Domain user printing

2010-10-26 Thread Robert Moskowitz

On 10/26/2010 06:39 AM, Lukasz Zalewski wrote:

On 25/10/2010 19:52, Robert Moskowitz wrote:

It looks like a domain user has NO printing permission.

Do I need Policy Editor for this? Where do I get it to run on an XP Pro
system?

I have seen various notes about this, but I can't make head or tails of
them.




Robert,
Have a look at 
http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba
This explains deployment of system policy through samba 3.X. It also 
outlines the difference between system policy and group policy.
You can still use Local Group Policy (through gpedit.msc), but as the 
name suggests it's local to every machine, and not deployable from the 
Domain Controller.


What good is it to know how to implement a policy for all computers on 
the domain if you don't know what policy is giving you the problem?


How do I troubleshoot this blockage.   All I get is the print failure 
when using a domain user.



If you are using samba4 have a look at 
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Installing_Windows_Remote_Administration_Tools_onto_Windows 

These tools include Group Policy Management console that works very 
well with samba4


HTH

Luk




Re: [Samba] Domain user printing

2010-10-26 Thread Robert Moskowitz

On 10/26/2010 01:51 PM, Dale Schroeder wrote:

On 10/26/2010 11:15 AM, Robert Moskowitz wrote:

On 10/26/2010 06:39 AM, Lukasz Zalewski wrote:

On 25/10/2010 19:52, Robert Moskowitz wrote:

It looks like a domain user has NO printing permission.

Do I need Policy Editor for this? Where do I get it to run on an XP Pro
system?

I have seen various notes about this, but I can't make head or tails of
them.




Robert,
Have a look at 
http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba
This explains deployment of system policy through samba 3.X. It also 
outlines the difference between system policy and group policy
You can still use Local Group Policy (through gpedit.msc), but as 
the name suggests it's local to every machine, and not deployable 
from the Domain Controller.


What good is it to know how to implement a policy for all computers 
on the domain if you don't know what policy is giving you the problem?


How do I troubleshoot this blockage.   All I get is the print failure 
when using a domain user.


Robert,

Are any of the group policies in the following section set?  A 
previous email stated you were looking at templates under Computer 
Configuration, so check under


*User Configuration*\Administrative Templates\Control Panel\Printers

Details here:
http://support.microsoft.com/kb/319939


This looks promising.  That is exactly the error message I got when 
trying to connect to the PDC's print share.


The kb only shows how to add this to the registry, not set it as a 
policy.  But the links for the SPE may be a help for this...





Dale




If you are using samba4 have a look at 
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_1:_Installing_Windows_Remote_Administration_Tools_onto_Windows 

These tools include Group Policy Management console that works very 
well with samba4


HTH

Luk




[Samba] Domain user printing

2010-10-25 Thread Robert Moskowitz

It looks like a domain user has NO printing permission.

Do I need Policy Editor for this?  Where do I get it to run on an XP Pro 
system?


I have seen various notes about this, but I can't make head or tails of 
them.





[Samba] Can I have a pointer to an XP discussion list for policies?

2010-10-25 Thread Robert Moskowitz

Obviously I am missing something major here. Or maybe just a minor thing.

My smb.conf looks rather normal, and the domain users are Linux users, so 
there are no extra permissions.


A domain user cannot print to a network attached printer that is using 
the HP printer port (9100).  This seems to be a local policy block, as a 
local user can print to it.  (note that a domain user CAN print to the 
XPS document writer 'printer').


A domain user cannot connect to a printer share, it gets an obvious 
policy error.


So since there is no help over here to my earlier posts, perhaps an XP 
list might have some answers  :(






[Samba] Oh, that is CAN'T print -- Re: Can print when logged in as domain user

2010-10-23 Thread Robert Moskowitz

Perhaps some people were wondering from the subject what the issues were!

Obviously there is a solution to this. Either there is something NOT 
right about my PDC setup or some special tool for getting the policies 
set up right. There SEEMS to be a need for a special policy to allow 
domain users to access the local printer or to access a printer share...


I am NOT using LDAP for the PDC, all users are Linux users with their 
own /home/user directory as their Home share.


On 10/22/2010 04:50 PM, Robert Moskowitz wrote:



On 10/22/2010 04:17 PM, Robert Moskowitz wrote:

On 10/22/2010 04:03 PM, Lukasz Zalewski wrote:

On 22/10/2010 20:38, Robert Moskowitz wrote:

On 10/22/2010 03:22 PM, Chris Smith wrote:
On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz <r...@htt-consult.com> wrote:

This is an OEM installed XP from a reseller. I would NOT be surprised that
there are some serious limitations on the XP installed.

No functional limitations on OEM versions, except that some were tied
to specific manufacturers (they wouldn't install if the BIOS string
did not identify the device as that manufacturer's).


The license is an OEM license (per system properties) registered to the
E-Waste Recycler I bought it from. It is an IBM SFF.

But why no policies for allowing printing when attached to a domain? Why
not connect when domain logged in.

Robert,
Are you using AD for group policy, samba (system policy) or local 
group policy. I have noticed, that on my XP client machines not all 
of the policies are present until you add appropriate templates 
(don't know if it's SP3 feature). If you right-click on 
Administrative templates, there will be an option to Add/Remove 
templates. The required policy is part of system.adm


I don't know what policy I am using. I suppose whatever is installed 
on the system?


Oh, NOW I see what I was doing wrong. Now I have added system.adm 
policy and I see printers. Here goes!


Well I enabled a couple of things.

I disabled: Disallow install of printers using ker-mode drv
I enabled: Allow print spooler to accept clients
Web-based printing

I could not figure out what really to do.

This has not made any change to the system behaviour :(

I am off now until Saturday night. I will look for help again then!





I tried connecting to the server printer share from a local login, and
that got past the policy block and was asking for the printer driver. So
it is REALLY something tied into how a domain user acts on this system.









[Samba] Can print when logged in as domain user

2010-10-22 Thread Robert Moskowitz

This is on an XP Pro workstation.

Now I am trying to print.

I can print from a local user.  I added domain\user to the permissions 
for the printer.  I try a test print from the printer properties and get 
an error.


Then I think, well I can print to the printer from the Samba PDC 
directly, and I have a print share, so let's attach it.


So I go to the run dialog and enter \\server

I get a windows browser window of all of my shares including the printer 
share.  So I right click on it and check connect and I get the error:


A policy is in effect on your computer which prevents you from 
connecting to this print queue.  Please contact your system 
administrator (which of course is me :(  ).


So what policy might this be that is blocking printing and how can I fix 
this for printing either way...





Re: [Samba] Can print when logged in as domain user

2010-10-22 Thread Robert Moskowitz

On 10/22/2010 01:33 PM, Lukasz Zalewski wrote:

On 22/10/2010 18:13, Robert Moskowitz wrote:

This is on an XP Pro workstation.

Now I am trying to print.

I can print from a local user. I added domain\user to the permissions
for the printer. I try a test print from the printer properties and get
an error.

Then I think, well I can print to the printer from the Samba PDC
directly, and I have a print share, so let's attach it.

So I go to the run dialog and enter \\server

I get a windows browser window of all of my shares including the printer
share. So I right click on it and check connect and I get the error:

A policy is in effect on your computer which prevents you from
connecting to this print queue. Please contact your system administrator
(which of course is me :( ).

So what policy might this be that is blocking printing and how can I fix
this for printing either way...




Check Point and Print Restrictions
http://technet.microsoft.com/en-us/library/cc781985%28WS.10%29.aspx


I have and can't figure out what to do with this  :(




Re: [Samba] Can print when logged in as domain user

2010-10-22 Thread Robert Moskowitz

On 10/22/2010 02:02 PM, Robert Moskowitz wrote:

On 10/22/2010 01:33 PM, Lukasz Zalewski wrote:

On 22/10/2010 18:13, Robert Moskowitz wrote:

This is on an XP Pro workstation.

Now I am trying to print.

I can print from a local user. I added domain\user to the permissions
for the printer. I try a test print from the printer properties and get
an error.

Then I think, well I can print to the printer from the Samba PDC
directly, and I have a print share, so let's attach it.

So I go to the run dialog and enter \\server

I get a windows browser window of all of my shares including the printer
share. So I right click on it and check connect and I get the error:

A policy is in effect on your computer which prevents you from
connecting to this print queue. Please contact your system administrator
(which of course is me :( ).

So what policy might this be that is blocking printing and how can I fix
this for printing either way...




Check Point and Print Restrictions
http://technet.microsoft.com/en-us/library/cc781985%28WS.10%29.aspx


I have and can't figure out what to do with this :(


I got group editor running, but in Computer Configuration  
Administrative Templates There is no Printer option at all


Nor can I figure out how to add it. It is not in the list of allowable 
templates to add.





Re: [Samba] Can print when logged in as domain user

2010-10-22 Thread Robert Moskowitz



On 10/22/2010 02:12 PM, Robert Moskowitz wrote:

On 10/22/2010 02:02 PM, Robert Moskowitz wrote:

On 10/22/2010 01:33 PM, Lukasz Zalewski wrote:

On 22/10/2010 18:13, Robert Moskowitz wrote:

This is on an XP Pro workstation.

Now I am trying to print.

I can print from a local user. I added domain\user to the permissions
for the printer. I try a test print from the printer properties and get
an error.

Then I think, well I can print to the printer from the Samba PDC
directly, and I have a print share, so let's attach it.

So I go to the run dialog and enter \\server

I get a windows browser window of all of my shares including the printer
share. So I right click on it and check connect and I get the error:

A policy is in effect on your computer which prevents you from
connecting to this print queue. Please contact your system administrator
(which of course is me :( ).

So what policy might this be that is blocking printing and how can I fix
this for printing either way...




Check Point and Print Restrictions
http://technet.microsoft.com/en-us/library/cc781985%28WS.10%29.aspx


I have and can't figure out what to do with this :(


I got group editor running, but in Computer Configuration  
Administrative Templates There is no Printer option at all


Nor can I figure out how to add it. It is not in the list of allowable 
templates to add.


This is an OEM installed XP from a reseller. I would NOT be surprised 
that there are some serious limitations on the XP installed. Am I going 
to have to reinstall? (and first remove the workstation from the domain)?





Re: [Samba] Can print when logged in as domain user

2010-10-22 Thread Robert Moskowitz

On 10/22/2010 03:22 PM, Chris Smith wrote:

On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz <r...@htt-consult.com> wrote:

This is an OEM installed XP from a reseller. I would NOT be surprised that
there are some serious limitations on the XP installed.

No functional limitations on OEM versions, except that some were tied
to specific manufacturers (they wouldn't install if the BIOS string
did not identify the device as that manufacturer's).


The license is an OEM license (per system properties) registered to the 
E-Waste Recycler I bought it from.  It is an IBM SFF.


But why no policies for allowing printing when attached to a domain?  
Why not connect when domain logged in.


I tried connecting to the server printer share from a local login, and 
that got past the policy block and was asking for the printer driver.  
So it is REALLY something tied into how a domain user acts on this system.





Re: [Samba] Can print when logged in as domain user

2010-10-22 Thread Robert Moskowitz

On 10/22/2010 04:03 PM, Lukasz Zalewski wrote:

On 22/10/2010 20:38, Robert Moskowitz wrote:

On 10/22/2010 03:22 PM, Chris Smith wrote:

On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz <r...@htt-consult.com> wrote:

This is an OEM installed XP from a reseller. I would NOT be surprised that
there are some serious limitations on the XP installed.

No functional limitations on OEM versions, except that some were tied
to specific manufacturers (they wouldn't install if the BIOS string
did not identify the device as that manufacturer's).


The license is an OEM license (per system properties) registered to the
E-Waste Recycler I bought it from. It is an IBM SFF.

But why no policies for allowing printing when attached to a domain? Why
not connect when domain logged in.

Robert,
Are you using AD for group policy, samba (system policy) or local 
group policy. I have noticed, that on my XP client machines not all of 
the policies are present until you add appropriate templates (don't 
know if it's SP3 feature). If you right-click on Administrative 
templates, there will be an option to Add/Remove templates. The 
required policy is part of system.adm


I don't know what policy I am using.  I suppose whatever is installed on 
the system?


Oh, NOW I see what I was doing wrong.  Now I have added system.adm 
policy and I see printers.  Here goes!




I tried connecting to the server printer share from a local login, and
that got past the policy block and was asking for the printer driver. So
it is REALLY something tied into how a domain user acts on this system.








Re: [Samba] Can print when logged in as domain user

2010-10-22 Thread Robert Moskowitz



On 10/22/2010 04:17 PM, Robert Moskowitz wrote:

On 10/22/2010 04:03 PM, Lukasz Zalewski wrote:

On 22/10/2010 20:38, Robert Moskowitz wrote:

On 10/22/2010 03:22 PM, Chris Smith wrote:

On Fri, Oct 22, 2010 at 2:43 PM, Robert Moskowitz <r...@htt-consult.com> wrote:

This is an OEM installed XP from a reseller. I would NOT be surprised that
there are some serious limitations on the XP installed.

No functional limitations on OEM versions, except that some were tied
to specific manufacturers (they wouldn't install if the BIOS string
did not identify the device as that manufacturer's).


The license is an OEM license (per system properties) registered to the
E-Waste Recycler I bought it from. It is an IBM SFF.

But why no policies for allowing printing when attached to a domain? Why
not connect when domain logged in.

Robert,
Are you using AD for group policy, samba (system policy) or local 
group policy. I have noticed, that on my XP client machines not all 
of the policies are present until you add appropriate templates 
(don't know if it's SP3 feature). If you right-click on 
Administrative templates, there will be an option to Add/Remove 
templates. The required policy is part of system.adm


I don't know what policy I am using. I suppose whatever is installed 
on the system?


Oh, NOW I see what I was doing wrong. Now I have added system.adm 
policy and I see printers. Here goes!


Well I enabled a couple of things.

I disabled: Disallow install of printers using ker-mode drv
I enabled: Allow print spooler to accept clients
Web-based printing

I could not figure out what really to do.

This has not made any change to the system behaviour :(

I am off now until Saturday night. I will look for help again then!





I tried connecting to the server printer share from a local login, and
that got past the policy block and was asking for the printer driver. So
it is REALLY something tied into how a domain user acts on this system.








Re: [Samba] Revisit - Re: Default Hidden Disk Shares

2010-10-21 Thread Robert Moskowitz

On 10/21/2010 12:42 AM, Jeremy Allison wrote:

On Wed, Oct 20, 2010 at 10:29:41PM -0400, Robert Moskowitz wrote:
   

I want admin to be able to access other user data to clean up any
messes they have. Kind of standard here at home with my kids getting
into challenges and asking for help. Or they did an assignment from
the wrong login, and now I have to move it around. More my wife
tends to just use my login and access her files. Well I will have to
skin this cat another way. Most likely set up some symlinks and ID
groups.
 

Look into the admin user parameter. Anyone coming in as that
user is mapped to root, with full privileges. Just create an
admin user, set admin user = admin in the [global] section
and don't tell anyone else the password :-).


oow That is valuable. And risky. I think I will try it!

And I ASSuME that admin user = admin1, admin2

works as well? Did a quick google search and did not find anything on 
this (sometimes I have to fix things from my wife's login; she is in the 
middle of something and needs a bit of help...).





[Samba] INCLUDEs in smb.conf

2010-10-21 Thread Robert Moskowitz
Do I need a separate INCLUDE in each section, or can I have one INCLUDE 
at the end and just include needed sections?


Way 1:

smb.conf:

[Global]

...

INCLUDE smb-global.conf

[netlogon]

..

smb-global.conf:

   sambaPwdCanChange=1


Way 2:

smb.conf:

[Global]

...

[netlogon]

..

INCLUDE smb-custom.conf

smb-custom.conf:

[Global]

   sambaPwdCanChange=1

[TestShare]

.



Which way???




Re: [Samba] INCLUDEs in smb.conf

2010-10-21 Thread Robert Moskowitz



On 10/21/2010 11:49 AM, Jefferson Diego Gomes wrote:

As I know, includes on Samba are like includes at Apache:


Now that actually makes sense!  I have little experience editing 
includes in Apache, but lots in Asterisk.


You don't need to separate in sections, because each include has its 
own section.


Got it.  Thanks.


I don't know if your Way 1 will work, but Way 2 will.
I always do something like:

[global]

INCLUDE share.adm.conf
INCLUDE share.people.conf


share.people.conf:
[Person1]

[Person2]



share.adm.conf:
[Share 1]

[Share 2]


(Sorry my poor English)



[Samba] Application will not run for domain user

2010-10-21 Thread Robert Moskowitz
I have set up a Samba PDC using the Amahi.org distro, so there might be 
some things they still have a bit off...


Anyway, I have a somewhat old program, Quicken 2000.

On my old Win2K workstation on an old NT server, it ran just fine for 
domain users.  The software is installed on the workstation, and the 
data is on the server.


But on my new XP Pro workstation on my new Samba PDC, it only runs for a 
local user, and that user is a super user (I have not created a regular 
user on the system yet).  It will not run for the domain user.


I reinstalled the software while logged on as the domain user.  I got 
prompted to supply a user with admin privs for the install, which I 
did.  I still cannot run the program from the domain user.



Where do I look to fix this?




Re: [Samba] Application will not run for domain user

2010-10-21 Thread Robert Moskowitz

On 10/21/2010 11:11 PM, Gaiseric Vandal wrote:

Two possible options:


1) It may not be a local vs domain user issue. It may be an administrator vs
non administrator issue.
Can you add the domain user to the local administrators group?
   


OK. That was it. Though I added the user into the Power User group. Kind 
of hokey that was needed. Good thing there are only a couple computers 
here on my network.


And I had to reboot twice. After the change, I still could not run the 
program, so on a hunch I reboot. Then XP could not access the user 
profile information and created a temp profile. A second reboot got 
everything working.



2) It may be the file permissions-  samba doesn't always translate the unix
acl's to windows properly. If you can run quicken with the data on the XP
machine's local hard drive then this is the case.   What is the Samba PDC OS
and File system?   I found Solaris 10 ZFS was especially tricky.  If you
right click on a network directory or file, and check the permissions do you
get a warning about permissions being incorrectly ordered?  Can you check
effective permissions to see if a deny group is overriding an allow
user?
   


I knew this was not the case. I was able to access the file(s) just fine 
from the local user by browsing and mounting the share.


I got this set. Now we will see what is the next issue to pop up...


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Robert Moskowitz
Sent: Thursday, October 21, 2010 10:48 PM
To: samba@lists.samba.org
Subject: [Samba] Application will not run for domain user

I have set up a Samba PDC using the Amahi.org distro, so there might be
some things they still have a bit off...

Anyway, I have a somewhat old program, Quicken 2000.

On my old Win2K workstation on an old NT server, it ran just fine for
domain users.  The software is installed on the workstation, and the
data is on the server.

But on my new XP Pro workstation on my new Samba PDC, it only runs for a
local user, and that user is a super user (I have not created a regular
user on the system yet).  It will not run for the domain user.

I reinstalled the software while logged on as the domain user.  I got
prompted to supply a user with admin privs for the install, which I
did.  I still cannot run the program from the domain user.


Where do I look to fix this?


   



[Samba] Revisit - Re: Default Hidden Disk Shares

2010-10-20 Thread Robert Moskowitz

Not to flog a dead horse

I am building a replacement for my old NT server at home (been running 
undisturbed since '95) using the amahi.org distro, and turning on the 
advanced settings for PDC support.  I have done a few things with the 
Amahi developers and have made mods to the DNS and DHCP setup script to 
suit my needs.  Now for tackling the Samba stuff before configuring all 
new workstations as well (upgrading from W2K workstations to XP pro woo!).


I am not so interested in C$ to access the whole drive, but to access 
all the user shares.  So I was thinking about something like:


[C$]
comment = CC
path = /home
writeable = yes
browseable = no
valid users = admin1, admin2
write list = admin1, admin2
create mask = 0775
force create mode = 0664
directory mask = 0775
force directory mode = 0775

[D$]
comment = DD
path = /var/hda/files
writeable = yes
browseable = no
valid users = admin1, admin2
write list = admin1, admin2
create mask = 0775
force create mode = 0664
directory mask = 0775
force directory mode = 0775

Of course, the Amahi front end won't let me name a share with a $ in it 
(or at least ending in one), and I am having to edit the smb.conf file 
to get this setup.


Understanding that only Windows clients 'hide' $ shares, and given my 
goal of being able to view all shares from a couple shares, does this 
seem the way to go?


On 07/05/2010 02:04 PM, Robert LeBlanc wrote:

The Windows client will hide any share that ends with a '$' whether or not
it is an administrator share, it doesn't know or care. In this case there
is no difference between hidden and normal because to Windows they are both
hidden. Give it a try sometime.

If you hit the server with a Mac client, it shows all the shares (at least
it used to, I haven't tried in a long time), even the c$, d$, etc. I think
the Linux SMB clients also do the same. So to rely on 'server' to 'hide'
these shares, is a very false sense of security. It's the actual client that
does the hiding from normal users.

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University


On Mon, Jul 5, 2010 at 2:43 AM, Atkinson, Robert <ratkin...@tbs-ltd.co.uk> wrote:

   

  Robert, the discussion was around the hidden ‘$’ shares, not normal ones.



Rob.



*From:* Robert LeBlanc [mailto:rob...@leblancnet.us]
*Sent:* 02 July 2010 19:15
*To:* Atkinson, Robert
*Cc:* Jeremy Allison; samba@lists.samba.org

*Subject:* Re: [Samba] Default Hidden Disk Shares



On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert <ratkin...@tbs-ltd.co.uk>
wrote:

Interesting to see you say it's dangerous. The way the Windows version works
is that you have to be part of the Administrator group to be able to see
them, which I would have thought secure enough?



This is not true, the share is advertised to anyone who asks. The Windows
client only hides shares that end with a '$'. By default Windows gives
access only to administrators (by default), but they are by no means hidden.


Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University





 

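The point made in the replies quoted above (a trailing `$` or `browseable = no` only hides a share from listings) and the `admin user` suggestion earlier on this page can both be checked against a configuration file. The following Python audit is an added example, not code from the thread or from Samba; the sample smb.conf, the `scratch$` share and the include path are constructed, and the finding codes are made-up labels.

```python
import re

# Constructed smb.conf modelled on the thread: the [C$] share as posted, a
# global "admin users" line, plus a made-up [scratch$] share and include path.
SAMPLE_CONF = r"""
[global]
   domain logons = yes
   admin users = admin
   include = /etc/samba/smb-custom.conf

[C$]
   comment = CC
   path = /home
   writeable = yes
   browseable = no
   valid users = admin1, admin2
   write list = admin1, admin2

[scratch$]
   path = /var/hda/files
   writeable = yes

[homes]
   comment = Home Directories
   read only = no
   browseable = yes
"""

TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return ({section: {param: value}}, [include paths]) for smb.conf text."""
    sections, includes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # section names ignore case
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Parameter names ignore case and whitespace: "Valid Users" == "validusers".
        key = re.sub(r"\s+", "", name).lower()
        if key == "include":
            includes.append(value.strip())        # file is pulled in at this point
        else:
            sections[current][key] = value.strip()
    return sections, includes


def effective(sections, share, *names):
    """Share-level value, else the [global] default, for the first synonym set."""
    for scope in (sections[share], sections.get("global", {})):
        for name in names:
            if name in scope:
                return scope[name]
    return None


def audit(text):
    """Return (where, code, message) findings for hidden-share and root-mapping risks."""
    sections, includes = parse_smb_conf(text)
    findings = []
    admins = sections.get("global", {}).get("adminusers")
    if admins:
        findings.append(("global", "admin-users-global",
                         "admin users = %s is the default for every share, so these "
                         "accounts do all file operations as root everywhere" % admins))
    for share in sections:
        if share == "global":
            continue
        browse = effective(sections, share, "browseable", "browsable") or "yes"
        hidden = share.endswith("$") or browse.lower() not in TRUE_WORDS
        restricted = bool(effective(sections, share, "validusers"))
        if hidden and not restricted:
            findings.append((share, "hidden-not-restricted",
                             "hidden from listings only; with no valid users list, "
                             "any user who knows the name may connect"))
    for path in includes:
        findings.append((path, "include-not-followed",
                         "included file can define or override shares; audit it too"))
    return findings


if __name__ == "__main__":
    for where, code, message in audit(SAMPLE_CONF):
        print("%-28s %-22s %s" % (where, code, message))
```

Setting `admin users` inside a single share section instead of `[global]` limits the root mapping to that share, which is why the audit only flags the global form.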


[Samba] auto mount of home share

2010-10-20 Thread Robert Moskowitz
I have searched this list and googled for examples, but have not found 
the answer to this question:


I would have thought that all the lines in the smb.conf was setting up 
an auto mount of the home share, and I did not have to put it in the 
logon.bat script.  I have:



[global]



domain master = yes
local master = yes
domain logons = yes
logon path = \\%L\profiles\%U
logon drive = q:
logon home = \\hda\%u


[homes]
comment = Home Directories
read only = no
writeable = yes
browseable = yes
create mask = 0640
directory mask = 0750

I would have thought that user john would have a share of q: of 
\\hda\john but this is not happening.  I am seeing this share if I 
browse the server.


Or do I HAVE to have an entry in the logon.bat of:

net use q: \\hda\%u /persistent:no

?



Re: [Samba] Revisit - Re: Default Hidden Disk Shares

2010-10-20 Thread Robert Moskowitz



On 10/20/2010 03:37 PM, Robert Moskowitz wrote:

Not to flog a dead horse

I am building a replacement for my old NT server at home (been running 
undisturbed since '95) using the amahi.org distro, and turning on the 
advanced settings for PDC support.  I have done a few things with the 
Amahi developers and have made mods to the DNS and DHCP setup script 
to suit my needs.  Now for tackling the Samba stuff before configuring 
all new workstations as well (upgrading from W2K workstations to XP pro 
woo!).


I am not so interested in C$ to access the whole drive, but to access 
all the user shares.  So I was thinking about something like:


[C$]
comment = CC
path = /home
writeable = yes
browseable = no
valid users = admin1, admin2
write list = admin1, admin2
create mask = 0775
force create mode = 0664
directory mask = 0775
force directory mode = 0775



Well, perhaps the masks are wrong because I see all of /home, but admin1 
only can access /home/admin1


All the other directories get access denied.

So what would be the proper masks?


[D$]
comment = DD
path = /var/hda/files
writeable = yes
browseable = no
valid users = admin1, admin2
write list = admin1, admin2
create mask = 0775
force create mode = 0664
directory mask = 0775
force directory mode = 0775

Of course, the Amahi front end won't let me name a share with a $ in 
it (or at least ending in one), and I am having to edit the smb.conf 
file to get this setup.


Understanding that only Windows clients 'hide' $ shares, and given my 
goal of being able to view all shares from a couple shares, does this 
seem the way to go?


On 07/05/2010 02:04 PM, Robert LeBlanc wrote:

The Windows client will hide any share that ends with a '$' whether or not
it is an administrator share, it doesn't know or care. In this case there
is no difference between hidden and normal because to Windows they are both
hidden. Give it a try sometime.

If you hit the server with a Mac client, it shows all the shares (at least
it used to, I haven't tried in a long time), even the c$, d$, etc. I think
the Linux SMB clients also do the same. So to rely on 'server' to 'hide'
these shares, is a very false sense of security. It's the actual client that
does the hiding from normal users.

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University


On Mon, Jul 5, 2010 at 2:43 AM, Atkinson, Robert <ratkin...@tbs-ltd.co.uk> wrote:


  Robert, the discussion was around the hidden ‘$’ shares, not normal ones.




Rob.



*From:* Robert LeBlanc [mailto:rob...@leblancnet.us]
*Sent:* 02 July 2010 19:15
*To:* Atkinson, Robert
*Cc:* Jeremy Allison; samba@lists.samba.org

*Subject:* Re: [Samba] Default Hidden Disk Shares



On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert <ratkin...@tbs-ltd.co.uk>
wrote:

Interesting to see you say it's dangerous. The way the Windows version works
is that you have to be part of the Administrator group to be able to see
them, which I would have thought secure enough?



This is not true, the share is advertised to anyone who asks. The Windows
client only hides shares that end with a '$'. By default Windows gives
access only to administrators (by default), but they are by no means hidden.


Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University








--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Revisit - Re: Default Hidden Disk Shares

2010-10-20 Thread Robert Moskowitz

On 10/20/2010 09:35 PM, Jeremy Allison wrote:

On Wed, Oct 20, 2010 at 09:31:39PM -0400, Robert Moskowitz wrote:
   


On 10/20/2010 03:37 PM, Robert Moskowitz wrote:
 

Not to flog a dead horse

I am building a replacement for my old NT server at home (been
running undisturbed since '95) using the amahi.org distro, and
turning on the advanced settings for PDC support.  I have done a
few things with the Amahi developers and have made mods to the DNS
and DHCP setup script to suit my needs.  Now for tackling the
Samba stuff before configuring all new workstations as well
(upgrading from W2K workstations to XP pro woo!).

I am not so interested in C$ to access the whole drive, but to
access all the user shares.  So I was thinking about something
like:

[C$]
comment = CC
path = /home
writeable = yes
browseable = no
valid users = admin1, admin2
write list = admin1, admin2
create mask = 0775
force create mode = 0664
directory mask = 0775
force directory mode = 0775

   

Well, perhaps the masks are wrong because I see all of /home, but
admin1 only can access /home/admin1

All the other directories get access denied.

So what would be the proper masks?
 

The masks aren't what is denying you access, they specify
the permissions created files/directories get.

Remember Samba is looking at the UNIX permissions on the
disk. admin1 probably only has access to /home/admin1 and
no access to any other directory under /home. That's why
you see what you see.
   


oh well...


I'm not clear on what exactly you're trying to do here?


I want admin to be able to access other user data to clean up any messes 
they have. Kind of standard here at home with my kids getting into 
challenges and asking for help. Or they did an assignment from the wrong 
login, and now I have to move it around. More my wife tends to just use 
my login and access her files. Well I will have to skin this cat another 
way. Most likely set up some symlinks and ID groups.
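
The point made in this thread, that Samba defers to the UNIX permissions on disk and the share's masks only shape newly created files, worked through as an added example (not code from the thread or from Samba). The directory layout, the `kid1` account and the `homeadmins` group are hypothetical, and the check is simplified as noted in the comments.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    path: str
    mode: int    # permission bits, e.g. 0o700
    owner: str   # owning user (names stand in for numeric uids)
    group: str   # owning group

def allowed(entry, user, groups, want):
    """Classic UNIX check: select exactly one class (owner, group, other)
    and test only that class's bits. `want` is a subset of "rwx".
    Simplified: ignores root, POSIX ACLs and parent-directory traversal."""
    if user == entry.owner:
        shift = 6
    elif entry.group in groups:
        shift = 3
    else:
        shift = 0
    bits = (entry.mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return (bits & need) == need

def browse(tree, user, groups):
    """Map each directory to whether `user` can enter and list it."""
    return {e.path: allowed(e, user, groups, "rx") for e in tree}

# Constructed layout matching the symptom: /home is listable, but each
# home directory is private to its owner.
BEFORE = [
    Entry("/home", 0o755, "root", "root"),
    Entry("/home/admin1", 0o700, "admin1", "admin1"),
    Entry("/home/kid1", 0o700, "kid1", "kid1"),
]
# Hypothetical group-based layout: kid1's directory is group-owned by
# homeadmins (setgid, rwx for group) and admin1 is a member of that group.
AFTER = [
    Entry("/home", 0o755, "root", "root"),
    Entry("/home/admin1", 0o700, "admin1", "admin1"),
    Entry("/home/kid1", 0o2770, "kid1", "homeadmins"),
]

if __name__ == "__main__":
    print("before:", browse(BEFORE, "admin1", {"admin1"}))
    print("after: ", browse(AFTER, "admin1", {"admin1", "homeadmins"}))
```

The `create mask` and `force ... mode` values from the share definition never enter this decision; only the mode bits and ownership already on disk do.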





Re: [Samba] auto mount of home share

2010-10-20 Thread Robert Moskowitz

On 10/20/2010 11:01 PM, Chris Smith wrote:

On Wed, Oct 20, 2010 at 9:23 PM, Robert Moskowitz <r...@htt-consult.com> wrote:

I would have thought that all the lines in the smb.conf were setting up an
auto mount of the home share, and I did not have to put it in the logon.bat
script.  I have:
 

The systems have to be domain members and the users must be domain
users and logging on to the domain (not the local system).


I added the system to the domain successfully and now I get the log onto 
domain option.  I used a user I created on the server, is there 
something special to define a domain user?  And yes I logged onto the 
domain, creating a domain user on the system (user.domain).



You may also need the [netlogon] share (although the logon script does not
need to explicitly create map the home drive).


The logon.bat is executing.  I am getting all the shares from the bat 
file.  I see the netlogon share and can mount it and open the logon.bat 
file.



Also your logon home looks possibly suspect, I have logon home = \\%N\%U
(the default) on several servers (for years now) and they all work (for
hundreds of users). Where are you getting your documentation? When in
doubt don't fuck with the defaults (man smb.conf) unless you know what
you're doing and have a very good reason.


This is what the developers of the Amahi.org distro have set up.  hda is 
the Netbios name of the server.  Does the case (%u instead of %U) 
matter?  There is a bit to changing this if needed; I have to edit the 
script that builds smb.conf.


Well I just made the change and now it is working.  Now to find out if 
it is %N (how can I find out its value?) or %U.





Re: [Samba] auto mount of home share

2010-10-20 Thread Robert Moskowitz



On 10/20/2010 11:29 PM, Robert Moskowitz wrote:

On 10/20/2010 11:01 PM, Chris Smith wrote:
On Wed, Oct 20, 2010 at 9:23 PM, Robert Moskowitz <r...@htt-consult.com> wrote:
I would have thought that all the lines in the smb.conf were setting up an
auto mount of the home share, and I did not have to put it in the logon.bat
script. I have:

The systems have to be domain members and the users must be domain
users and logging on to the domain (not the local system).


I added the system to the domain successfully and now I get the log 
onto domain option. I used a user I created on the server, is there 
something special to define a domain user? And yes I logged onto the 
domain, creating a domain user on the system (user.domain).


You may also need the [netlogon] share (although the logon script does not
need to explicitly create map the home drive).


The logon.bat is executing. I am getting all the shares from the bat 
file. I see the netlogon share and can mount it and open the logon.bat 
file.


Also your logon home looks possibly suspect, I have logon home = \\%N\%U
(the default) on several servers (for years now) and they all work (for
hundreds of users). Where are you getting your documentation? When in
doubt don't fuck with the defaults (man smb.conf) unless you know what
you're doing and have a very good reason.


This is what the developers of the Amahi.org distro have set up. hda 
is the Netbios name of the server. Does the case (%u instead of %U) 
matter? There is a bit to changing this if needed; I have to edit the 
script that builds smb.conf.


Well I just made the change and now it is working. Now to find out if 
it is %N (how can I find out its value?) or %U.


Testing shows it is the %u instead of %U that is the error. Seems to be 
case sensitive. \\hda or \\%N both work.


So I will file a bug report to the Amahi developers. Thanks for pointing 
me in the right direction.





[Samba] FWD: Letters Only LM Hash Database

2004-11-02 Thread Robert Moskowitz
http://it.slashdot.org/article.pl?sid=04/11/02/1523212tid=93

Peter Clark writes:
Disk storage has increased tremendously in the past 5 years and the
blatant insecurities in the antiquated LM hashing technique have not gone
away; though functionality has been added to disable LM hashes, this is not
set by default. With some help from Elcomsoft, simple flat files have been
created that hold every combination of LM hash for letters only passwords
(http://www.beginningtoseethelight.org/ntsecurity/index.php#0FEB224E21024B8C).
Jesko has coded a server application which allows you to access this
database. Simply telnet to: beginningtoseethelight.no-ip.org on port 2501
and paste in a LM hash. So how does this differ from Rainbow tables? Well
this will return a password 100% of the time, using minimal processor
power, in approximately less than 0.2 seconds.
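
A complete letters-only table is feasible because LM upper-cases the password and hashes each 7-character half independently, so the practical defence is to make sure no LM hashes are stored at all. The audit below is an added example, not part of the forwarded post or of Samba; it assumes accounts are available as smbpasswd-format text lines (`user:uid:LM:NT:[flags]:LCT-...:`), and the sample entries are constructed with made-up hash values.

```python
import re

# LM hash of an empty 7-character half; seen in the second half whenever
# the password is 7 characters or fewer.
EMPTY_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"[0-9A-F]{32}")

def audit_smbpasswd(text):
    """Return {username: finding} for every account with a stored LM hash."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # not an smbpasswd-format entry
        user, lm = fields[0], fields[2].upper()
        if not HEX32.fullmatch(lm):
            continue  # X-filled placeholder: no LM hash is stored
        if lm == EMPTY_HALF * 2:
            findings[user] = "LM hash of the empty password"
        elif lm[16:] == EMPTY_HALF:
            findings[user] = "LM hash stored; password is 7 characters or fewer"
        else:
            findings[user] = "LM hash stored"
    return findings

# Constructed entries; the hash values are made up, not real credentials.
SAMPLE = """\
# user:uid:LM:NT:[flags]:LCT
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4CBF9A10:
bob:1002:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4CBF9A11:
carol:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4CBF9A12:
"""

if __name__ == "__main__":
    for user, finding in audit_smbpasswd(SAMPLE).items():
        print(f"{user}: {finding}")
```

Accounts flagged here keep a crackable LM hash until LM storage is disabled and the password is changed.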



[Samba] Migrating an NT domain to a Fedora Samba 3 domain

2004-07-20 Thread Robert Moskowitz
I have an NT domain, and I DON'T want to go to AD, and I DO want to move 
off NT4 to Linux for my servers.

I have set up a Fedora Core 2 server in my domain.  The domain recognizes 
it and it the other servers (oddly enough I am having some, but not 
complete printer problems.  Well that is a separate question)

My plan is:
Run Fedora as a BDC.
Take down my NT PDC (I have an NT BDC btw)
Upgrade the Fedora to PDC
Bring up another Fedora server as a BDC
But the graphic tool in Fedora does not support these activities.  I am not 
a UN*X person.  Never found the time. I am a protocols developer.  So I 
need some graphic tools and wish to stay away from VI and .conf files.

Pointers to instructions and tools are greatly appreciated!
Oh, I also want to move my Fedora PDC to the same IP address and even 
hostname as my NT PDC.  Will save a lot of external problems.
