Re: [Samba] password strenght doubt
Guido Lorenzutti wrote:
> Maybe I can do this with the check password script. But I only found the cracklib example. Anyone knows a way of doing this? Because the cracklib example only check against a dictionary. Tnxs in advance.

Just make a simple script that can check the input password must be the combination of UPPERCASE, lowercase, numb3rs and other sp3c1a!ch4r4ct3r#.

--beast

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
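One way to write the kind of script suggested above for Samba's `check password script` parameter, as an added example that is not code from the thread: smbd sends the candidate password on standard input and accepts it only if the program exits with status 0. The script path, the `--stdin` switch and the minimum length of 8 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: character-class check for Samba's "check password script".
# Assumed smb.conf line (path and --stdin switch are hypothetical):
#   check password script = /usr/local/sbin/pwclasses.sh --stdin
# smbd writes the candidate password to stdin; exit 0 accepts, non-zero rejects.

LC_ALL=C; export LC_ALL   # keep the bracket classes below ASCII-only

MIN_LENGTH=8              # assumed policy value, not taken from the thread

# Return 0 only if $1 is long enough and contains an uppercase letter,
# a lowercase letter, a digit and at least one other character.
# The non-zero return code says which rule failed.
check_password_classes() {
    pw=$1
    [ "${#pw}" -ge "$MIN_LENGTH" ] || return 1
    case $pw in *[[:upper:]]*) ;; *) return 2 ;; esac
    case $pw in *[[:lower:]]*) ;; *) return 3 ;; esac
    case $pw in *[[:digit:]]*) ;; *) return 4 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) return 5 ;; esac
    return 0
}

# Map a return code of check_password_classes to a short reason.
# The password itself is never printed or logged.
reject_reason() {
    case $1 in
        1) echo "shorter than $MIN_LENGTH characters" ;;
        2) echo "no uppercase letter" ;;
        3) echo "no lowercase letter" ;;
        4) echo "no digit" ;;
        5) echo "no non-alphanumeric character" ;;
        *) echo "unknown" ;;
    esac
}

# Entry point used by smbd: read one line from stdin and decide.
if [ "${1:-}" = "--stdin" ]; then
    # The password may arrive without a trailing newline, in which case
    # read returns non-zero but still fills the variable.
    IFS= read -r candidate || [ -n "$candidate" ] || exit 1
    rc=0
    check_password_classes "$candidate" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "password rejected: $(reject_reason "$rc")" >&2
    fi
    exit "$rc"
fi
```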
Re: [Samba] Re: Users that can add computers to Domain
timothy johnson wrote:
> Oh, this is the error I get in windows: Logon Failure: unknown user name or bad password. But this same user can logon, and gets admin rights when they do logon.
>
> On 12/1/06, timothy johnson [EMAIL PROTECTED] wrote:
>> What does samba look for when a user tries to add a computer to the domain? I have tried everything I can think of. Putting the user in different groups, set the users primary group to different groups. Nothing has come of this. I have everything else in samba working right now, except printers, but since I haven't tried that, nor do I know how I can benefit from using samba for printing. Anyways any help in the right direction would help.

Add this to smb.conf:

    enable privileges = yes

and then run this on every DC:

    net rpc rights grant 'NTDOMAIN\myuser' SeMachineAccountPrivilege -U administrator

--beast
Re: RE [Samba] How do I ask samba to synch database with ldap?
[EMAIL PROTECTED] wrote:
> Do you have ACL in your ldap server
>
> ---
> Stéphane PURNELLE [EMAIL PROTECTED]
> Service Informatique Corman S.A.
> Tel : 00 32 087/342467

Yes of course, but it does not prevent the samba account to get full write access to the directory (in fact for other operation is successful).

--beast
[Samba] How do I ask samba to synch database with ldap?
Samba seems did not obey changes in ldap, but used its own cache database. How do I ask samba to sync its database with ldap? Or if its not possible, can we use ldap_replace instead of ldap_delete and ldap_add?

    root# smbpasswd -D10
    ...
    smbldap_modify: dn = [uid=cpklia,ou=people,ou=cempaka,dc=mydomain,dc=com]
    rebindproc_connect_with_state: Rebinding as cn=smbsys,ou=cempaka,dc=mydomain,dc=com
    ldapsam_modify_entry: Failed to modify user dn= uid=cpklia,ou=people,ou=cempaka,dc=mydomain,dc=com with: No such attribute
    modify/delete: sambaPwdCanChange: no such value
    ldapsam_update_sam_account: failed to modify user with uid = cpklia, error: modify/delete: sambaPwdCanChange: no such value (Success)
    Failed to modify entry for user cpklia.
    Failed to modify password entry for user cpklia

    root# pdbedit -L -v cpklia
    ...
    Logon time: 0
    Logoff time: Sat, 14 Dec 1901 03:45:51 GMT
    Kickoff time: 0
    Password last set: Tue, 22 Aug 2006 00:21:47 GMT
    Password can change: Tue, 22 Aug 2006 00:21:47 GMT
    Password must change: Sat, 21 Oct 2006 00:21:47 GMT
    Last bad password : 0
    Bad password count : 0
    Logon hours : FF

    root# ldapsearch uid=cpklia
    ...
    sambaPwdCanChange: 1161392946
    sambaPwdMustChange: 1166576946
    ...

--beast
[Samba] unix password sync = yes, did not sync unix passwd
I'm not sure when the last time I run smbpasswd to change the user password, however when I run it only change NT and LM hash attribute, not the unix passwd attributes.

smb.conf:

    ...
    passdb backend = ldapsam:ldap://127.0.0.1;
    unix password sync = yes
    passwd program = /usr/local/sbin/passwd.pl %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

However it was working fine (able to change unix as well as NT password) when I run from Windows client, such as:

    c:\ net user example testonly /domain

This is incorrect, at least per (surprise) pdbedit documentation:

    Note pdbedit does not call the unix password syncronisation script if unix password sync has been set. It only updates the data in the Samba user database. If you wish to add a user and synchronise the password that immediately, use smbpasswd's -a option.

Ver: samba-3.0.20b

--beast
Re: [Samba] change password on 1st signon
fname lname wrote:
> oh, last thing is there a way to make this setting default so everything I create an user it auto flags the person to change password on signon?

If you're using ldap backend, just tell your add user script to set sambaPwdMustChange attribute less than current time.

btw, pls do not top post.

--beast
Re: [Samba] Question regarding Samba rights
Gerald (Jerry) Carter wrote:
> beast wrote:
>> Where did samba store information regarding user privilege?
>
> account_policy.tdb
>
>> Do I need to runs same commands to all domain controllers?
>
> For now, yes.

Hi Jerry,

Since account policy is unique to every user, why there is an account_policy.tdb file, why not just added to ldap just like sambaLogonHours?

--beast
[Samba] Question regarding Samba rights
Where did samba store information regarding user privilege? It seems stored locally to server where the net rpc rights grant command runs on.

Do I need to runs same commands to all domain controllers?

--beast
Re: [Samba] How to know if a SID is a User or Group
Henrik Zagerholm wrote:
> Hi list and sorry if this is not a specific Samba issue. I just wonder if it is possible to determine if a SID belongs to a User or a Group?

No you can't. It's same as uid vs gid number.

--beast
Re: [Samba] Adding Users at BDC
mallapadi niranjan wrote:
> Hi all
> I have Samba PDC (3.0.21c) and with openldap (2.3.19), i have setup BDC also with slave ldap server. is there any way where i can create users at BDC also. ie, as we create users at pdc using smbldap-useradd , like that can we add users at BDC, which will be updated to PDC. if so how.

How do you create a user? Just set those tool to master ldap server if it does not support chasing referral.

--beast
[Samba] Samba account flags
What is the equivalent flag for User Cannot Change password as produce by NT usrmgr.exe? It isn't mentioned in this documentation: http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#accountflags

--beast
[Samba] Debug peer
Is it possible to debug selected client only? because enabling debug globally on production machine will fill up log directory within minutes.

possibly something like:

    debug peer = ip_address_of_client
printing = bsd broke smbd? [was Re: [Samba] samba 3.0.21a without printig
Gerald (Jerry) Carter wrote:
>> - how can i disable it totaly?
>
> Set 'printing = bsd'

When setting printing=bsd on my samba, client won't be able to resolve the server. In windows client, it says The specified network name is no longer available.

Using smbclient:

    [samba]# smbclient -L svr4 -Uuser
    Password:
    Anonymous login successful
    Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.20b]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        Pub             Disk      Public Share
    session setup failed: Call returned zero bytes (EOF)
    NetBIOS over TCP disabled -- no workgroup available

    [samba]# smbclient -L svr4 -Uuser
    Password:
    session setup failed: Call returned zero bytes (EOF)

I can attach debug3 if you wish, but I found no clue in there ;-p
Re: [Samba] Debug peer
Jeremy Allison wrote:
> On Fri, Jan 06, 2006 at 05:21:39PM +0700, Beast wrote:
>> Is it possible to debug selected client only? because enabling debug globaly on production machine will fill up log directory within minutes.
>
> Use smbcontrol to send an increase debug level request to the smbd connected to that client.

But how do I know which smbd process connected to which client?

Tks.

--beast
Re: [Samba] Is it possible to write an smbclient automated script
Pablo Graziano wrote:
> I'd like to write an automated smbclient script. Something simple, like:
>
> login
> cd to a certain directory
> copy that entire directory to client
> logout
>
> Is this possible, and how?

Why not use smbmount instead?

    smbmount //svr/share /mnt/samba -o username=myuser,password=mypasswd
    cp -r /mnt/samba/source /tmp/destination

--beast
Re: [Samba] Re: Samba 3.0.21 Available for Download
Gerald (Jerry) Carter wrote:
> Alex de Vaal wrote:
>> A lot of my install base is still RHL9, I guess a lot of more people do. I'd appreciate the SRPMS for RHL9 to be available at the SAMBA FTP site.

Yes, at least for RH9, it still has _many_ user using it. SOL

--beast
Re: [Samba] Samba 3.0.21 Available for Download
Gerald (Jerry) Carter wrote:
> Robert Schetterer wrote:
>> thx for the Info, is it already in the current faqs?
>
> I thought I wrote a howto for this but I can't find it now. In any case, the info has not been integrated into the docs yet. Dennis' description pretty much covers it all. Screenshots of a working setup are at http://www.samba.org/~jerry/screenshots/

Awesome! what's next (or what's left for samba3)?

--beast
Re: [Samba] Re: LDAP account management tools?
Graham Leggett wrote:
> Craig White wrote:
>> If you look at the fedora directory list archives, I was asking about that. It would seem to be mostly html. But this is for LDAP management and not for editing configuration files for samba.
>
> The Fedora Directory console's tool for editing objects in the directory has views of different objectclasses, giving a more specific editing interface than the generic edit this attribute. Some of the views include groups, persons, an NT user (for their legacy Windows NT integration). The idea was to extend this into a Samba user, Samba group, Samba Domain, etc.

Something like this might be useful for fresh people migrating from NT: http://sum.i6x.org/sum/depan.html

And as usual, volunteer needed ;-)

--beast
Re: [Samba] Re: LDAP account management tools?
Matt Lung wrote:
> Are there any plans for the Samba team to implement their own set of web-based graphical tools to control accounts and servers? The Directory server that Redhat Enterprise and Fedora are pushing is looking good, but how involved is the Samba team with that? phpLdapAdmin and LAM are excellent products, but it sure would be nice if the tool was coming right from the Samba team, and it pretty much did it all. From walking you through setting up the server, initializing your LDAP directory, to administration of the directory and server. Maybe you have plans for this, maybe you don't. I'm just curious.

Since samba can not work without other software, what we need is a full linux distro for Samba (complete replacement of Windows NT = NT Killer :-)

--beast
Re: [Samba] what is the SID of the domain administrator?
Tomasz Chmielewski wrote:
> Paul Gienger wrote:
>>> Does the domain administrator SID always end with -1000?
>>
>> It should never be 1000
>> Please review http://support.microsoft.com/default.aspx?scid=kb;en-us;243330
>
> Well, for me it's -1000 for two different Samba domains. Coincidence?

Administrator SID should be -500, but any user can be a member of domain admin (group SID -512), so as long as you add that user to Domain Admins group, it always has admin privilege.

However, to be a 'true' administrator (ie, able to join a pc to domain), you must give them unix uid of 0.

--beast
Re: [Samba] Samba + OpenLDAP: LDAP server is running but could not respond to a search request
Steven Truong wrote:
> If you looked at the log, the second line where BIND dn=, I don't know if this is correct or an indication that something is missing.

It means bind anonymously, make sure you give sufficient read access for anon user.

What ldap * suffix in smb.conf? try searching from there, ie.

    ldapsearch -xLLL -b dc=sample,dc=com uid=testuser

> However, net groupmap list
>
>     [2005/09/09 04:39:30, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2763)
>       ldapsam_setsamgrent: LDAP search failed: No such object
>     [2005/09/09 04:39:30, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2828)
>       ldapsam_enum_group_mapping: Unable to open passdb

Did you already run net groupmap add?

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

--beast
[Samba] sambaLMPassowrd and sambaNTPassword
Hi all,

I have plan to upgrade samba 3.0.2 to current release, apparently some work must be done on the user entries on LDAP since the samba.schema has changed.

While doing some changes, I want to remove sambaLMPassword attribute so I don't need to maintain it in sync with sambaNTPassword. Will I break something if I remove this attribute?

--beast
Re: [Samba] Samba 2.2.5 Domain Administrator
Chris Roubekas wrote:
> Although I will be updating this server to Samba 3.x soon, I have to come up with a quick solution as soon as possible for the following problem:
>
> I have a WinXP user which currently is registered as a User of WinXP but must be changed to Domain Admin in order for some new software which he must use to be operable. Of course giving him the root passwd is definitely out of the question.

You might consider using sanur to give user permission to install software.

http://www.commandline.co.uk/sanur/

--beast
Re: [Samba] smbpasswd and LDAP backend
Paul Henry wrote:
> Dear List,
> If I have a PDC with an LDAP backend, would just running smbpasswd username update the users passwd in both the LDAP directory and smb secrets?

Yes, as long as you give the correct setting for passwd program in smb.conf.

--beast
Re: [Samba] LDAP, uidNumber, SID
Martin Renner wrote:
> Hi.
> I am upgrading a Samba 2.2 PDC (using smbpasswd as its user backend) to Samba 3.0 with LDAP. The current user uids and machine account uids are quite messed up. As the LDAP database stores the uid *and* the SID of each user and machine account, I would like to know if it would be possible to renumber the uids (uidNumber of samba.schema). The SID would remain unchanged (by using the formula oldUid * 2 + 1000). Is this possible without losing account information or machine trusts?

Yes. SID and unix uid is used for different purpose.

--beast
Re: [Samba] Samba interface for administrative tools
Rhys Goodwin wrote:
> Hey Guys,
> It seems to me that the very best place to store all samba conf options is in the ldap dir. I got all excited when I was taking a look at the samba3 schema and saw the sambaConfigOption objectclass, found out that is not implemented yet. Maybe Im being a bit narrow minded to assume that everyone

Currently not all information are stored in ldap (using ldapsam), afaik smb.conf is server dependent, hence not appropriate if stored in ldap.

> is using an ldap back end? I like the idea of being able to whip up a very tidy windows based (MMC?) samba console and requiring only ldap connection to the server and be able to FULLY control samba. Perhaps smbd could be setup to be quite particular about when and how it would reload options from the directory?

Not all users are using ldapsam, so this tool will not work for samba backend other than ldapsam.

--beast
Re: [Samba] Samba interface for administrative tools
Gerald (Jerry) Carter wrote:
> This is a good ways out right now. But if there is sufficient interest in this kind of thing, I'm willing to work on it.

I can't speak for others, but IMO once provided, people will start developing tools to administering samba using this 'standard' API.

--beast
libmsrpc [WAS Re: [Samba] Samba interface for administrative tools
Gerald (Jerry) Carter wrote:
> Beast wrote:
>>> The XMLrpc piece would require both client and server piece.
>>
>> That just my bare example to use 'standard' protocol instead of proprietary protocol.
>
> Understood. But if we document and implement the protocol it becomes more open. There are no IP issues that prevent us from using MS-RPC.

Jerry,

I was just following the samba-technical discussion, apparently there was a discussion to put embedded webserver in samba4. IMHO its not a good solutions. Samba team is only 'responsible' to deliver library for accessing samba services, need no worry about the front end. Some brilliant people out there will have more time than the samba team to develop nice GUI for samba ;-) So, libmsrpc is the right directions (IMHO).

Logging: Samba log is not parser friendly file and not (much) useful for performance monitoring, if it can gives info as in maillog or httpd.log I'm sure somebody will write program to make a report of it.

--beast
[Samba] Samba interface for administrative tools
Hi all,

I have tried to write management tools for samba, but it seems there's no standard way provided by Samba to change its configuration or modify users account other than direct modify the config file and or database backend. This make many tools less portable because it depends on the backend of samba.

There might be a windows rpc call (use by usrmgr.exe and svrmgr.exe), is it the 'standard' way to access samba?

Thanks.

--beast
Re: [Samba] Samba interface for administrative tools
Gerald (Jerry) Carter wrote:
> Beast wrote:
>> Hi all, I have tried to write management tools for samba, but it seems there's no standard way provided by Samba to change its configuration or modify users account other than direct modify the config file and or database backend. This make many tools less portable because it depends on the backend of samba. There might be a windows rpc call (use by usrmgr.exe and svrmgr.exe), is it the 'standard' way to access samba?
>
> There's a lot of rpc calls available. These will get you so far. I have considered making smb.conf remotely available via the registry API but its still in the thought stage. Would that be something that people would want ? Something like
>
>     [HKLM\Software\Samba.org\Configuration]
>     [HKLM\Software\Samba.org\Configuration\global]
>     [HKLM\Software\Samba.org\Configuration\homes]
>     [HKLM\Software\Samba.org\Configuration\share1]
>     ...
>
> And then editable valuename/data pairs for parameters.

I prefer samba to use its own way/protocol/procedure/etc to manage server, maybe implemented using xmlrpc or anything else, but it should be simple. Not all developer(user) are interested on all available options. This will boost the number and standardized samba GUI configuration programs.

In samba GUI page, I found that most program are too old and unmaintained. If it is new then it focus on modifying ldap directly. Its better to use client/server model, even if tool is running from the same machine.

Just my 1 cent.

PS: Link to xSMBrowser in GUI page is work: The account for the URL you have requested is inactive or no longer exists.

--beast
Re: [Samba] Samba interface for administrative tools
Gerald (Jerry) Carter wrote:
> Beast wrote:
>> Its better to use client/server model, even if tool is running from the same machine.
>
> I was talking about a client/server model based on MS-RPC.

I just commenting on some samba tools which not use c/s model yet.

> But first you mention xmlrpc which more of a soap/web services model. And then you mention LDAP. So you seemed to have jumped from one subject to another.

That might be because my lack of english skill, sorry :-)

> In either case, it requires client and server support. We already have the MS-RPC server support and have someone working on a libmsrpc library easier client access.

Thanks, I'll look into it.

> The XMLrpc piece would require both client and server piece.

That just my bare example to use 'standard' protocol instead of proprietary protocol.

> But technically you would not need integration with smbd to do this. However, I've always found that when the external

This can be implemented on separate (optional) server process to handle this request (but no, not like swat)

Thanks.

--beast
Re: [Samba] Samba interface for administrative tools
Gerald (Jerry) Carter wrote:
> Beast wrote:
>>> The XMLrpc piece would require both client and server piece.
>>
>> That just my bare example to use 'standard' protocol instead of proprietary protocol.
>
> Understood. But if we document and implement the protocol it becomes more open. There are no IP issues that prevent us from using MS-RPC.

You are correct. User/developer should not care about how they communicate as long as there is standard API to do something. libmsrpc is the answer.

Pardon my ignorance :-(

--beast
Re: [Samba] does anyone use the enumports command for anything useful ?
Gerald (Jerry) Carter wrote:
> I'm just wondering if we should remove this enum ports command altogether. Ports are a cosmetic concept in Samba for the most part since the printer is really tied to the queue name. But before I think about this anymore is there anyone actually using enumports for something other than
>
>     #!/bin/sh
>     echo LPT1:
>     echo LPT2:
>     echo LPT3:

No, never use it.

Also, is there any reason why not drop some parameter in smb.conf which has a synonym? I found around 15 synonyms. Next is to reduce the number of parameter, it still scared me :-)

--beast
[Samba] Find out machine type
Given everything stored on ldap and tdb file, is there any way to obtain machine type (eg. Windows NT workstation, Server, PDC, BDC) without looking into broadcast network?

--beast
Re: [Samba] Help Q: Samba PDC Password changes
Shawn Parker wrote:
> Can someone point me in the direction of any howto documents on forcing password changes for windows clients every 'n' days and at

    pdbedit -P "maximum password age" -C 5184000

> first login?

Set attribute in sambaPwdMustChange

--beast
Re: [Samba] Administrator-privileged logon scripts under limited mode on XP?
Hunter Rognstad wrote:
> So, the question is, is there any way to run a logon script that has local Administrator privileges while running on a Windows XP machine joined to the samba domain in limited mode?

Many alternatives, such as sanur. I'm using it when need to install antivirus to W2k clients.

http://www.commandline.co.uk/sanur/

--beast
Re: [Samba] Re: Migrating from NT4 to Samba - correct strategy
Josir Gomes wrote:
> Thanks for replying. There's just 20 clients on each domain and they have the same name and password on both domain. I could simply change the domain name on each station but all users will lose their local profiles. So I imagine that it is more productive to simply change the domain name and turn off the old NT server. Is there any pitfall that I can encounter ? Simply changing the domain name in the smb.conf is enough ? It's easy as that ?

You have to match the domain SID and machine/user SID also. Once matched, client will not able to see that they're login to samba instead of old NT. You can use net rpc vampire to obtain all information about SID and password.

--beast
Re: [Samba] Migrating from NT4 to Samba - correct strategy
Josir Gomes wrote:
> Hi folks,
> I have 2 domains: LX01 (WinNT) e LX04 (Samba) and I want consolidate them into one domain LX01. All the stations is looking for LX01. All users are equal on both servers. Can I just turn the WinNT off and rename the Samba server to LX01 ? Is there any problem ?

You forgot to mention how many clients on each domain, sometime when clients is less than 50, starting new domain from scratch is the 'correct' way.

--beast
Re: [Samba] Re: Authenticating PPTP users against Samba/LDAP - Patch doesn't seem to be working
Alex Brown wrote:
> Andrew Bartlett wrote:
>> On Wed, 2004-10-20 at 00:44, Mike Brodbelt wrote:
>>> Hi,
>>> I have a few remote user who use a PPTP based VPN. The server is running PoPToP (http://www.poptop.org/), and a pppd patched to support MPPE/MPPC for (some) added security. Currently, users authentication information is stored in plaintext in /etc/ppp/chap-secrets. I'd like to be able to put users into LDAP, and have ppp authenticate either directly against LDAP, or against Samba (with an LDAP backend). Any ideas on how I might go about this? Most of the docs I've seen suggest that you can't use PAM for authentication with CHAP, so it seems not to be as simple as I might have hoped.

Not related to samba, but I'm using freeradius to authenticate vpn users against ldap (using sambaNTpassword attribute), works fine for months, and as a bonus we get a detail report of user activities.

poptop - freeradius - ldap.

--beast
[Samba] removing unused machine account
Is there any way to find out which machine account is currently not being used anymore? Half of my clients are already migrated to linux and some machines are already joined using different name.

--beast
Re: [Samba] ldap machine suffix fixed?
Jim C. wrote:
> Did ldap machine suffix ever get fixed so that it can be in a separate container from ldap user suffix?

Is there any problem to be fix on samba side? I've been using separate container for machine without any problem (almost 8 months now)

--beast
Re: [Samba] ldap machine suffix fixed?
Tomasz Chmielewski wrote:
> Beast wrote:
>> Jim C. wrote:
>>> Did ldap machine suffix ever get fixed so that it can be in a separate container from ldap user suffix?
>>
>> Is there any problem to be fix on samba side? I've been using separate container for machine without any problem (almost 8 months now)
>
> Yes, there was a problem, and maybe still is. You are using separate containers for users and machines, because you probably search for them in the whole LDAP tree.

Yes. I did not specify filter on pam/nss_ldap. However the limitation is coming from nss_ldap not samba.

> On systems with lots of machines and users this can lead to a bottleneck (searching for machines first in users, then in machines etc., instead of in machines only, and in users only if looking for users).

You can still use 1 dedicated (slave) ldap server for each samba server as I do on my setup or using nscd to cache passwd, group etc.

> Tomek

--beast
Re: [Samba] Followed John's book, frustrating smbldap-problem
Rolf A. Vaglid wrote:
> These are actually the same computer, only with different names.
>
>     tkelev:/var/log/samba # id tk-02870$
>     uid=1001(tk-02870$) gid=553(Domain Computers) groups=553(Domain Computers)
>     tkelev:/var/log/samba # id tk-test002870$
>     uid=1008(tk-test002870$) gid=553(Domain Computers) groups=553(Domain Computers)

1. Make sure that the workstation account is valid and not disabled.

       ldapsearch -x -LLL uid=raptor$ -h ldap.server.com sambaacctflags

   or using pdbedit command.
2. turn on debugging on smbd
3. Make sure no firewall blocking samba packet (both client and server)

--beast
Re: [Samba] Followed John's book, frustrating smbldap-problem
Rolf A. Vaglid wrote:
> Hi all,
> Im having a hard time figuring whats wrong with my Samba-ldap setup. I hope somebody may point out the error.

Hi,

Did you join the Win2k machine? From samba server did you able to get correct id for win2k machine (using id w2kclint$)? What's the error message in W2k?

--beast
Re: [Samba] ldap machine suffix = ou=Computers vs ou=Users
John Schmerold wrote:
The SMBLDAP howto ( http://www.idealx.org/prj/samba/smbldap-howto.en.html ) states that:
ldap machine suffix = ou=Computers
is the correct approach to defining machines in the LDAP directory. Yet the advice offered by this group seems to be that, no, we should be using:
ldap machine suffix = ou=Users

The issue is with the system itself, not with samba. So basically you can use any container for machines as long as your system is able to find it. If you're using pam_ldap from padl, just put a comment on
...
base dc=example,dc=com
scope sub
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
..
or if from the server you can do:
[EMAIL PROTECTED] root]# id raptor$
uid=10096(raptor$) gid=2005(myws) groups=2005(myws)
then samba will be satisfied.
--beast
Re: [Samba] Samba 3.0.4 BDC LDAP Slave Problem
Jason C. Waters wrote: This is my setup, is something still wrong. Samba PDC machine with LDAP IP: ldap.master nss mapped to local ldap server(ldap.master) samba ldapsam:ldaps://ldap.server Samba BDC machine with LDAP, has openldap running locally for a backup ldap server IP: ldap.slave nss mapped to local ldap server(ldap.slave) samba ldapsam:ldaps://ldap.master ldaps://ldap.slave This setup doesn't work for me. But if I only use the local LDAP servers on each machine it does, but that does seem like its a backup server. Am I just thinking about this in the wrong way? Thanks for your help. Maybe ACL prevent samba to bind? try using ldapsearch -h ip_of_slave/master from samba server. Also check the LOG file, they must give you some clue. good luck. -- --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3.0.4 BDC LDAP Slave Problem
Jason C. Waters wrote: passdb backend = ldapsam:ldaps://ldap.masterserver.com ldaps://ldap.slaveserver.com - this does not work This is the correct one. Make sure no other service depends on master ldap when you're bring down the master (ie nss_ldap). Also plse check the log. -- --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote: Hi all! I have authentication problems with samba + ldap. When I populate the list through smbldap-populate.pl a administrator account was created. I asume this is the same account as rootdn cn=Manager,dc=dbb,dc=su,dc=se. With the same password, right? No. Administrator is just plain unix and samba account. Why not just set new password for this account ? --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote: Hi again! I did the following: [EMAIL PROTECTED]:/usr/local/sbin# smbldap-passwd.pl administrator Changing password for administrator New password : xx Retype new password : xxx [EMAIL PROTECTED]:/usr/local/samba/bin# ./net rpc group LIST global -U administrator Password: xxx The username or password was not correct. Try to get some info for this user first. root# pdbedit -L -v administrator is this mapped account? -- --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba + ldap authentication
Peter Nyberg wrote:
here's an output. I don't know if one can see anything wrong here. I don't have the account administrator in the /etc/passwd. Only in ldap.
[EMAIL PROTECTED]:/usr/local/sbin# ./smbldap-usershow.pl administrator
dn: uid=Administrator,ou=Users,dc=dbb,dc=su,dc=se
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSamAccount,posixAccount
gidNumber: 512
uid: Administrator
uidNumber: 998
homeDirectory: /home/Users/
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\s2\home\Users
sambaHomeDrive: H:
sambaProfilePath: \\s2\home\profiles\
sambaPrimaryGroupSID: S-1-5-21-1027936538-659792286-2162639956-512
sambaLMPassword: XXX
sambaNTPassword: XXX

Oops, did not see your recent post, sorry. Both of these attributes should not contain XXX; this means your previous smbldappasswd command did not work. Try using smbpasswd administrator or modify the ldap entry directly.
--beast
Re: [Samba] Re: Administrator can't change XP environment part II
* [EMAIL PROTECTED] [EMAIL PROTECTED] menulis: change this Primary Group SID:S-1-5-21-3939155289-3141390475-2008170846-3013 to : Primary Group SID:S-1-5-21-3939155289-3141390475-2008170846-512 --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Password must change - 10 days
When I set the password lifetime to, say, 90 days using
pdbedit -P "maximum password age" -C 7776000
the attribute "Password must change" is calculated using this formula:
sambaPwdMustChange = sambaPwdLastSet + 90 days.
Is it possible to get a warning message before actually forcing users to change their password? I mean, is it possible to get this formula:
sambaPwdMustChange = (sambaPwdLastSet + 90 days) - 10 days
--beast
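The 10-day window asked about above can also be computed outside Samba from the LDAP attributes. This is an added example, not part of the original post or of Samba: it reads sambaPwdMustChange from LDIF text and reports which accounts fall inside the warning window. The sample entries, the function names and the treatment of 0 and of a missing attribute are assumptions.

```python
# Added example: report Samba accounts whose password expires within a
# warning window, using the sambaPwdMustChange attribute from LDIF text.
DAY = 86400
NEVER = 2147483647  # "no expiry" value, as shown for the Administrator entry in this thread

# Constructed sample data: uids and timestamps are invented for illustration.
# alice, bob and dave follow sambaPwdMustChange = sambaPwdLastSet + 7776000 (90 days).
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
sambaPwdLastSet: 1079000000
sambaPwdMustChange: 1086776000

dn: uid=bob,ou=Users,dc=example,dc=com
uid: bob
sambaPwdLastSet: 1082224000
sambaPwdMustChange: 1090000000

dn: uid=carol,ou=Users,dc=example,dc=com
uid: carol
sambaPwdLastSet: 0
sambaPwdMustChange: 2147483647

dn: uid=dave,ou=Users,dc=example,dc=com
uid: dave
sambaPwdLastSet: 1077224000
sambaPwdMustChange: 1085000000
"""


def parse_ldif(text):
    """Split LDIF text into entries (dict of attribute -> first value)."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            current[last] += raw[1:]          # folded continuation line
            continue
        if not raw.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue
        name = name.strip()
        if name in current:                   # keep first value of a repeated attribute
            last = None
        else:
            current[name] = value.strip()
            last = name
    return entries


def classify(entry, now, warn_days=10):
    """Return (status, whole days left) for one entry at Unix time `now`."""
    raw = entry.get("sambaPwdMustChange", "")
    if not raw.isdigit():
        return ("never", None)                # absent or unparsable: assumed to mean no expiry
    must_change = int(raw)
    if must_change >= NEVER:
        return ("never", None)
    if must_change == 0:
        return ("change-at-next-logon", None)  # assumed meaning of 0
    remaining = must_change - now
    if remaining <= 0:
        return ("expired", None)
    status = "warn" if remaining <= warn_days * DAY else "ok"
    return (status, remaining // DAY)


def expiry_report(ldif_text, now, warn_days=10):
    """List (uid, status, days_left) for every entry that has a uid."""
    report = []
    for entry in parse_ldif(ldif_text):
        if "uid" in entry:
            report.append((entry["uid"],) + classify(entry, now, warn_days))
    return report


if __name__ == "__main__":
    for uid, status, days in expiry_report(SAMPLE_LDIF, now=1086000000):
        print(uid, status, "" if days is None else "%d day(s) left" % days)
```

Feeding it the output of an ldapsearch for sambaSamAccount entries and the current time gives a list that a cron job could mail to the affected users.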
Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] menulis: Well, congratulations. most likely you need to rejoin all of your clients before running rpc vampire. After this step is complete, you can then login from client to samba domain without rejoining again. You should *never* have to rejoin clients. Ever. That is the point of a vampired system. If there are situations where you do have to rejoin Andrew, I'd loved to be wrong here, but i'm afraid not. I've just vampiring again using latest smbldap script, but it still has weird results. Here's the summary, comparing pwdump.exe result vs rpc vampire: 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash on rpc-Vampire, passwd is different. 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as LANMANHASH in PWD. 3. No valid hash in PWD (only ), but has valid NTHASH in VMP. 4. Valid PWD, valid VMP and both are same. On rpc-vampire, from total of 638 machine, 448 are only having NTpassword hash entry. Is it ok for machine account to have only one hash? (i can not try it right now because the site is on another city). machines, then this is either a bug, or administrator error (such as not Bug in samba or smb-ldap script? where should I report the bug? having valid machine accounts in /etc/passwd or equiv). I'm afraid not. I've sucessfully migrating hundreds machines, so hopefully I understand what is required ;-) Andrew Bartlett --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Resolving computername from ip
* Torben Thomsen [EMAIL PROTECTED] menulis: Hi, Is there, on a intranet, any way to resolve the computername from its ip ? I have a setup where I know which users are on which ip, and I wan't to notify some events to some users with a smbclient -M. But since I don't know the computername, I don't know any way to send the popups... thanks /torben t nmblookup -A? --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] menulis: 1. Machine has valid passwords (NT+LANMAN) in PWDUMP but only 1 NThash on rpc-Vampire, passwd is different. 2. Valid PWD, only NThash on VMP, but NTHASH in VMP is *same* as LANMANHASH in PWD. 3. No valid hash in PWD (only ), but has valid NTHASH in VMP. 4. Valid PWD, valid VMP and both are same. On rpc-vampire, from total of 638 machine, 448 are only having NTpassword hash entry. Is it ok for machine account to have only one hash? (i can not try it right now because the site is on another city). Only the NT password matters, except on 3.0.2 and 3.0.2a. Later CVS fixed an issue where the NT password not being present caused a bug (account would be marked disabled). 1. In which tools we trust the output? pwdump or rpc vampire? why the output is different? 2. Is this mean I can not use 3.0.2 or 3.0.2a if I don't have LANMAN hash? Note: this 'feature' is mark as 'bug' by jerry and has been fixed. Is it safe to have NT hash only on production? http://lists.samba.org/archive/samba/2004-March/082989.html 3. Thanks. Andrew Bartlett --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] wrote:
1. In which tools we trust the output? pwdump or rpc vampire? why the output is different?

Well, I understand how 'net rpc vampire' functions, and as it makes *exactly* the same calls that an NT BDC makes, I consider it to be the 'correct' output.

Just a wish: is it possible to get a pwdump.exe version of net rpc vampire, so we can get the hashes output without installing a full-blown samba and *script? It is then up to the administrator what to do with the output; this is the cleanest solution if you already have existing accounts in ldap. Also, net rpc vampire has a few advantages over pwdump, it can retrieve groups where pwdump can not.

I have not looked at the pwdump source, nor had any experience using it, so I don't know why its output would differ.

2. Is this mean I can not use 3.0.2 or 3.0.2a if I don't have LANMAN hash?

This is correct.

Sorry for asking again here, can I use samba 3.0.3pre1? Since I can't use an older version of samba. Just to make sure...

Note: this 'feature' is mark as 'bug' by jerry and has been fixed. Is it safe to have NT hash only on production? http://lists.samba.org/archive/samba/2004-March/082989.html

It is safe to have NT hash only in production, on versions of Samba that support this, because for many account types (machine accounts in particular, also accounts with strlen(pw) > 14) the NT hash is the only valid hash. The practice (on machine accounts) of setting the NT and LM passwords to the same value derives from the need to avoid having a NULL LM password, where that might mean 'all passwords'. Samba no longer makes those assumptions, and has not for a long time, so in the very near future, this will be removed.

Thanks, you really save my life ;-)
--beast
Re: Account with no lanman hash [ was Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* Andrew Bartlett [EMAIL PROTECTED] menulis: 'net rpc samdump' should do what you need Wew, it can dump all sam without asking for admin password ;-) However, it always gives segmentation fault error after retrieveing groups. Nevermind, it already get all acounts anyway... I'll try it on client and let you know. Also, net rpc vampire has few advantage over pwdump, it can retrieve groups where pwdump can not. pwdump was a quick hack, from what I understand... I wish i knew this tool before ;-(. However i can confirm that pwdump was able to get 100% of correct account if client is joined recently. Tested on hundreds clients on different domain. --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Machine accounts, Samba 3, NT Domain migration
* M Saqib Ilyas [EMAIL PROTECTED] wrote:
Greetings everyone
I finally succeeded in doing the seemingly most difficult thing, following directions. I got my act together configuring the smb.conf and migrating using net rpc vampire into tdbsam. There are issues with this migration in which computer netbios names which are obviously all uppercase were not being created in /etc/passwd. I put my C cap on and converted the computer names to lowercase before handing them over to the add machine script. When I join a machine to the domain, it works beautifully, but there is a problem with the migrated machine accounts. No machine can log on because its account is not valid on the samba DC. The way I structured my add machine shell script is this:
#!/bin/sh
# $1 is the machine name handed over to the add machine script
str=`/etc/samba/convert "$1"`
# create a locked unix account for the machine
useradd -d /dev/null -g machines -s /bin/false -M "$str"
passwd -l "$str"
# drop the trailing $ before passing the name to smbpasswd
compname=`echo "$str" | cut -f1 -d'$'`
smbpasswd -a -m -n "$compname"
I must be doing something unnecessary here for the migrated machine accounts not to work. Can someone throw some light on this? I am sorry if this has already been answered. It must have, but I couldn't find it using any searches that my limited intellect could come up with on the list archives. Appreciate your time.
Saqib Ilyas

Well, congratulations. Most likely you need to rejoin all of your clients before running rpc vampire. After this step is complete, you can then login from client to samba domain without rejoining again.
--beast
Re: [Samba] Samba 3.0.3pre1 Available for Download
* Gerald (Jerry) Carter [EMAIL PROTECTED] wrote:
New features introduced in this preview release include:
o Improved support for i18n character sets.
o Support for account lockout policy based on bad password attempts.

Great!

o Improved support for long password changes (> 14 characters) and strong password enforcement.

Great!

o Continued work on support Windows aliases (i.e. nested groups).

Great!
- Support for grant dialin permission flag?
- Improved support for inter domain trust?
Closer to NT4 killer ;-P

As always, all bugs are our responsibility.

Tks!
--beast
Re: [Samba] Samba 3.0.3pre1 Available for Download
* Gerald (Jerry) Carter [EMAIL PROTECTED] nulis: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Beast wrote: - Support for grant dialin permision flag? We're working on it. - Impoved support for inter domain trust? We already do this. This bug is still exist in the new release? I've found nothing on the release notes. https://bugzilla.samba.org/show_bug.cgi?id=556 Tks. --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] WHATSNEW-3.0.3pre1
Found interesting info on http://us1.samba.org/samba/ftp/pre/WHATSNEW-3.0.3pre1.txt Gerald (Jerry) Carter [EMAIL PROTECTED] * Fixed iterator in tdbsam. * Fix bug that disabled accounts with a valid NT password hash, but no LanMan hash. Is this means we can have only sambaNTPassword without having sambaLMPassword attribute? it was allowed by the schema anyway. --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba pdc did not advertised as DMB
* Gerald (Jerry) Carter [EMAIL PROTECTED] nulis: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Beast wrote: | I figure out that samba PDC did not advertised itself | as domain#1b (DMB), is this normal? I don't think so. Mind filing a bug report for me at https://bugzilla.samba.org/? Thanks. It solved. It was due to caching somewhere. removing wins.dat *and* restart all computer in the domain solve the problem (fortunately there only 2 computer, pdc and bdc both are samba). Tks. --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] secrets_fetch_trusted_domain_password
Apparently samba stored the trust info on secret.tdb, so only the samba PDC was able to retrieve this info, am I correct? (though the trust account was stored in ldap). I can't browse the samba BDC from the (trusted) NT domain, it always asks for username/password again.

samba domain = IRSJKT
NT domain = DOMJKT

msg from samba BDC:
[2004/03/18 21:16:42, 5] auth/auth_util.c:make_user_info_map(216)
  make_user_info_map: Mapping user [DOMJKT]\[administrator] from workstation [mynt]
[2004/03/18 21:16:42, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/03/18 21:16:42, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/03/18 21:16:42, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/03/18 21:16:42, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/03/18 21:16:42, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/03/18 21:16:42, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(300)
  secrets_fetch failed!
[2004/03/18 21:16:42, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/18 21:16:42, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(172)
  no entry for trusted domain DOMJKT found.

It even attempts to resolve/map the username against IRSJKT, which will fail if the username and password combination is not the same.
Anyone having problems with NT/Samba trust relationships?
--beast
Re: [Samba] secrets_fetch_trusted_domain_password
* Beast [EMAIL PROTECTED] nulis: It apparently samba stored trusted info on secret.tdb so only samba PDC was able to retrieve this info, am I correct? (though trust account waqs stored in ldap). Oh, it was already on the bugzilla. https://bugzilla.samba.org/show_bug.cgi?id=556 Any progress on this bug? any other alternative? It quiet surprising me that so many samba users but none are using inter domain trust ;-p~ --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] understanding pam_ldap vs. winbindd
* Matthias Eichler [EMAIL PROTECTED] wrote:
on the member server:
---cut---
fileserver:~# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Power Users (S-1-5-32-547) - -1
Domain Admins (S-1-5-21-243015202-3338874213-4097231961-512) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Domain Guests (S-1-5-21-243015202-3338874213-4097231961-514) - -1
Domain Users (S-1-5-21-243015202-3338874213-4097231961-513) - -1
Account Operators (S-1-5-32-548) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
---cut---

net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users" unixgroup=valid_unix_group type=domain
if groupmap exists for ntgroup, you either must delete it and then add it or modify it.

OK, maybe this was what I was misunderstanding: I thought that with security=DOMAIN the groupmaps should be some kind of resolved between PDC and the members server or at least with groupmap = -1 I have to create them which didn't work.

Groupmapping was stored on ldap (if using ldapsam), so every samba machine on which you wish to obtain the mapping should use the same backend.
--beast
Re: [Samba] Samba SID and new installation
* [EMAIL PROTECTED] nulis: Hi, I make a new installation of my server with samba 3.0.2a But I restored my LDAP tree and the SambaDomainName in LDAP is different that net getlocalsid. What can I make : - set the local sid with the old sid (from ldap) net setlocalsid .. If you want to upgrade from previous Domain SID (assuming all user rid are remain same) - Or change the SambaDomainSID on LDAP tree and all users, groups, and computers. If you want to create new domain SID. --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] smbpasswd trying to add instead of replace attribut
I have some weird error with one of my samba installations. When modifying the samba password using smbpasswd, samba seems to be trying to add the same attribute (instead of delete and add again), pls see the MOD from the log file (from a different domain):

UNSUCCESSFUL
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD dn=uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaLMPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Mar 15 17:10:53 hurricane slapd[27056]: Entry (uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com), attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 hurricane slapd[27056]: entry failed schema check: attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 RESULT tag=103 err=19 text=attribute 'sambaLMPassword' cannot have multiple values

SUCCESSFUL
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD dn=uid=jktbudhi,ou=people,ou=jakarta,dc=indorama,dc=com
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaPwdLastSet sambaPwdLastSet
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 RESULT tag=103 err=0 text=
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=2 UNBIND

any hints?
--beast
Re: [Samba] smbpasswd trying to add instead of replace attribut
Nevermind. It was because of an ACL restriction on ldap.

* Beast [EMAIL PROTECTED] wrote:
I have some weird error with one of my samba installations. When modifying the samba password using smbpasswd, samba seems to be trying to add the same attribute (instead of delete and add again), pls see the MOD from the log file (from a different domain):

UNSUCCESSFUL
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD dn=uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaLMPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Mar 15 17:10:53 hurricane slapd[27056]: Entry (uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com), attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 hurricane slapd[27056]: entry failed schema check: attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 RESULT tag=103 err=19 text=attribute 'sambaLMPassword' cannot have multiple values

SUCCESSFUL
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD dn=uid=jktbudhi,ou=people,ou=jakarta,dc=indorama,dc=com
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaPwdLastSet sambaPwdLastSet
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 RESULT tag=103 err=0 text=
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=2 UNBIND

any hints?
--beast

--beast
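The slapd log pattern in this thread (a MOD on password attributes answered by a non-zero RESULT) can be picked out of a busy log by correlating lines on conn and op. The following is an added example, not code from the thread or from Samba or OpenLDAP: the log lines are constructed after the ones posted above, with placeholder host and DNs, and the "listed only once" check is a heuristic assumed from the way the failing and succeeding MODs differ in the post.

```python
# Added example: correlate slapd MOD and RESULT lines by (conn, op) and report
# failed modifications that touched Samba password attributes.
import re
from collections import Counter

# Standard LDAP result codes relevant to this symptom.
LDAP_RESULT = {0: "success", 19: "constraintViolation", 50: "insufficientAccessRights"}
PASSWORD_ATTRS = {"sambaLMPassword", "sambaNTPassword", "userPassword"}
OP_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (MOD|RESULT) (.*)$")

# Constructed sample log (placeholder host, pid, DNs), modelled on the post.
SAMPLE_LOG = """\
Mar 15 17:10:53 ldap1 slapd[1234]: conn=101 op=1 MOD dn="uid=user1,ou=people,dc=example,dc=com"
Mar 15 17:10:53 ldap1 slapd[1234]: conn=101 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaLMPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Mar 15 17:10:53 ldap1 slapd[1234]: conn=102 op=0 BIND dn="" method=128
Mar 15 17:10:53 ldap1 slapd[1234]: entry failed schema check: attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 ldap1 slapd[1234]: conn=101 op=1 RESULT tag=103 err=19 text=attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:16:22 ldap1 slapd[1234]: conn=105 op=1 MOD dn="uid=user2,ou=people,dc=example,dc=com"
Mar 15 17:16:22 ldap1 slapd[1234]: conn=105 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaPwdLastSet sambaPwdLastSet
Mar 15 17:16:22 ldap1 slapd[1234]: conn=105 op=1 RESULT tag=103 err=0 text=
Mar 15 17:16:22 ldap1 slapd[1234]: conn=105 op=2 UNBIND
Mar 15 17:20:01 ldap1 slapd[1234]: conn=107 op=3 RESULT tag=101 err=0 nentries=1 text=
"""


def failed_password_mods(log_text):
    """Return one finding per failed MOD that touched a password attribute."""
    pending = {}      # (conn, op) -> {"dn": ..., "attrs": [...]}
    findings = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                      # BIND, UNBIND, schema messages, ...
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4)
        if kind == "MOD":
            op = pending.setdefault(key, {"dn": None, "attrs": []})
            if rest.startswith("dn="):
                op["dn"] = rest[3:].strip('"')
            elif rest.startswith("attr="):
                op["attrs"].extend(rest[5:].split())
            continue
        # RESULT line: only interesting if it closes a MOD we have seen.
        op = pending.pop(key, None)
        err = re.search(r"\berr=(\d+)", rest)
        if op is None or err is None:
            continue
        code = int(err.group(1))
        counts = Counter(op["attrs"])
        touched = sorted(PASSWORD_ATTRS & set(counts))
        if code == 0 or not touched:
            continue
        text = re.search(r"\btext=(.*)$", rest)
        findings.append({
            "conn": key[0],
            "op": key[1],
            "dn": op["dn"],
            "err": code,
            "error": LDAP_RESULT.get(code, "other"),
            "text": text.group(1) if text else "",
            "password_attrs": touched,
            # Heuristic (assumption): an attribute listed once was added without
            # a matching delete, as in the failing MOD shown in the post.
            "listed_once": [a for a in touched if counts[a] == 1],
        })
    return findings


if __name__ == "__main__":
    for f in failed_password_mods(SAMPLE_LOG):
        print("conn=%(conn)d op=%(op)d %(dn)s err=%(err)d (%(error)s) attrs=%(password_attrs)s" % f)
```

A finding with err=19 and a password attribute in listed_once matches the failing case in the post, which the follow-up traced to an ACL restriction on the LDAP server.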
[Samba] samba pdc did not advertised as DMB
I figured out that the samba PDC did not advertise itself as domain#1b (DMB), is this normal?

smb.conf:
os level = 65
preferred master = yes
domain master = yes
local master = yes
domain logons = yes

[EMAIL PROTECTED] root]# nmblookup -A 10.200.100.3
Looking up status of 10.200.100.3
LIN3PWK 00 - H ACTIVE
LIN3PWK 03 - H ACTIVE
LIN3PWK 20 - H ACTIVE
..__MSBROWSE__. 01 - GROUP H ACTIVE
IRSPWK 00 - GROUP H ACTIVE
IRSPWK 1c - GROUP H ACTIVE
IRSPWK 1d - H ACTIVE
IRSPWK 1e - GROUP H ACTIVE

## Lookup on NT PDC (different domain)
[EMAIL PROTECTED] root]# nmblookup -A 10.1.100.16
Looking up status of 10.1.100.16
NT6-PWR 00 - M ACTIVE
IRSPWR 00 - GROUP M ACTIVE
IRSPWR 1c - GROUP M ACTIVE
NT6-PWR 20 - M ACTIVE
IRSPWR 1b - M ACTIVE
IRSPWR 1e - GROUP M ACTIVE
IRSPWR 1d - M ACTIVE
..__MSBROWSE__. 01 - GROUP M ACTIVE
INet~Services 1c - GROUP M ACTIVE
IS~NT6-PWR 00 - M ACTIVE
NT6-PWR 01 - M ACTIVE
--beast
Re: [Samba] Expiry of passwords with PDC and LDAP
* Matthias Spork [EMAIL PROTECTED] wrote:
Hello list,
where can I change the password-age?

pdbedit -P "maximum password age" -C
--beast
Re: [Samba] Expiry of passwords with PDC and LDAP
* Matthias Spork [EMAIL PROTECTED] wrote:
Hello,
where can I change the password-age?
pdbedit -P "maximum password age" -C
That's running!
1. Is this solution documented?

Yes, pls see the -P options.

There's nothing to find in man pdbedit or pdbedit --help. Why can I change this value in LDAP (LAM)? Which values in LAM don't work too?

It was stored on secret.tdb, not ldap.

2. Where can I get the functionality, that users can use a password only one time?

-P "password history" -C 1, but seems not supported yet.

matze
--beast
[Samba] migrate with rpc vampire
I've been successfully migrate my 3 site to samba (arround 400 users), all using manual work on ldap entries. Old sid and password hash are obtained using pwdump.exe. However, pwdump can not correctly obtain hash for machine account if machine was joined long time ago. I need to rejoin all clients and then run pwdump again, this way pwdump can retrieve machine hash correctly. My next site is having more than 500 clients in one site, so rejoining all client is not a good option. Anyone can confirm that net rpc vampire can obtain hashed for machine account correctly even if machine was joined 1-2 years back? btw, sid for machine account doesn't matter changed to another value, but hashes must having same value between client and server. Tks. --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] two subnets, one domain, several DCs?
* Craig White [EMAIL PROTECTED] nulis: One of the curious things that I didn't realize right away when I set up Samba and LDAP...I had wanted a BDC to provide a backup of the SAM database just in case. But if you slapcat the LDAP database regularly, all of the users/groups are thoroughly backed up and even if the system were to die a bad death, you could still set up a new machine and achieve backup portability quite simply. But still you need BDC in case of PDC is down, so there should be no down time. --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] two subnets, one domain, several DCs?
* Craig White [EMAIL PROTECTED] nulis: On Fri, 2004-03-12 at 21:24, Beast wrote: * Craig White [EMAIL PROTECTED] nulis: One of the curious things that I didn't realize right away when I set up Samba and LDAP...I had wanted a BDC to provide a backup of the SAM database just in case. But if you slapcat the LDAP database regularly, all of the users/groups are thoroughly backed up and even if the system were to die a bad death, you could still set up a new machine and achieve backup portability quite simply. But still you need BDC in case of PDC is down, so there should be no down time. Win2K and WinXP Professional will at least by default cache the profiles passwords so you can still log in and function without a DC. I haven't found this in and of itself to be the biggest problem. It will solve login problem only, but not for other service that depends on NT auth. Win 9x also can not cache the password, just cancel the login will deny them accessing file/printer sharing. I still has many 9X clients, so this is a big problems (for our case at least...) --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] samba 3.0.2a (ported from 2.2.8a) with LDAP failed to add machine account
* zergio [EMAIL PROTECTED] wrote:
This:
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
change to:
# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
--beast
Re: [Samba] samba 3.0.2a (ported from 2.2.8a) with LDAP failed to add machine account
* zergio [EMAIL PROTECTED] wrote:
Beast wrote:
* zergio [EMAIL PROTECTED] wrote:
This:
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
change to:
# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
--beast
According to man smb.conf, if ldap filter is not set then the default is used.
Default: ldap filter = (&(uid=%u)(objectclass=sambaAccount))

man page can be wrong ;-p
Quoting jerry of the samba team:
"My opinion is that the 'ldap filter' option in smb.conf should never be set. There are 2 many different LDAP searches now being done (group mapping, users, etc...) and we don't use that option consistently internally anyways. Best to leave it alone IMO."

However, I use the new samba.schema and there is no sambaAccount, thus ldap gives NO SUCH USER.

Have you tried it first? Mine does not:
Mar 11 13:13:46 jambu slapd[1397]: conn=101167 op=6 SRCH base=ou=jakarta,dc=indorama,dc=com scope=2 filter=(&(uid=jktjalan)(objectClass=sambaSamAccount))
--beast
Re: [Samba] add machine script problem
* Lukas Meyer [EMAIL PROTECTED] nulis: Hello I set up a Samba 3 PDC with ldap backend. I created an script that adds machine accounts. First it adds the machine account to /etc/passwd and then it creates the user in ldap with smbpasswd -a -m machine. If I run the script by hand, it works and the account has been added. After that I can join the domain without any problems. Now I want to make this machine account creation on the fly. So I added the script to smb.conf as add user script = /path/to/createmachineaccount.sh. If I try to join a domain with a workstation that hasn't any account, the script creates the machine account but on error occurs that I can't log in because the account doesn't exist. After that if I try to join again, the logon process works because it found the machine account. IMO it was because samba can not 'see' changes in ldap. You have to set sleep time in add machine script? btw, why not putting posix account in ldap directory intead of file? --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba and LDAP backend - howto docs problems?
* Graham Leggett [EMAIL PROTECTED] nulis: Excessive documentation is one of the biggest problems I have found with software projects, both open source and commercial. People begin skim reading them because they just go on too long, or by the time you've reached chapter 14, you forgot that little snippet of information that was mentioned in chapter 2. Yes, we need a samba quick start guide, which must conform to the latest release. Who will take this project? ;-) Regards, Graham -- --beast -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba and LDAP backend - howto docs problems?
* Fernando Pintabona [EMAIL PROTECTED] wrote: here: http://www.amazon.com/exec/obidos/tg/detail/-/0131472216/qid=1079009247/sr=1-1/ref=sr_1_1/103-1507164-4910244?v=glances=books A really good place to start ;) I agree, but its 384 pages is not that quick ;-p something like : http://www.openldap.org/doc/admin22/quickstart.html really quick (and dirty), but works ;) --beast
Re: [Samba] Limit user access to one workstation at a time
* Andreas [EMAIL PROTECTED] wrote: On Wed, Mar 10, 2004 at 10:41:18AM +0700, Beast wrote: How about userWorkstations attribute? It will only allow login from one WS, which will restrict login more than once. You mean, if I list all workstations available to this user, I will also get this feature of a single login at the same time? Yes if it is only one, but no if more than one... --beast
Re: [Samba] add machine script problem
* Lukas Meyer [EMAIL PROTECTED] wrote: Hello I added a sleep time to the add machine script but there's no success. IMO you really turn on log level to 5 or higher and check also ldap.log file. If it's slave ldap server, then set ldap replication sleep option. How do you mean putting a posix account in ldap instead of file? If I add a posix account to the machine-account, what file won't I need? I mean using pam/nss ldap, you won't need to store account in /etc/passwd anymore. --beast
Re: [Samba] No full administrator-permissions on local machines with samba 3 domain login
* Joern Frenzel [EMAIL PROTECTED] wrote: additionally to my question. we can not add or change users in the domain if we're logged in on a client (as domainadmin sure). and that's what we want to do :-( What is pdbedit -Lv administrator says? esp. on primary group SID --beast
Re: [Samba] Limit user access to one workstation at a time
* Andreas [EMAIL PROTECTED] wrote: On Tue, Mar 09, 2004 at 10:12:56PM +0100, Wim Bakker wrote: Is there a mechanism in samba available to limit access to workstations by users to only one at a time? This is, that any given user can only be logged in at one workstation at a time. I was looking for this also, but it seems there isn't one. What some folks suggested was to use a root preexec script attached to the netlogon share and then run smbstatus and figure it out from there. How about userWorkstations attribute? It will only allow login from one WS, which will restrict login more than once. --beast
Re: [Samba] How does samba get at OU=Computers?
* Jim C. [EMAIL PROTECTED] wrote: How does samba get Computers out of the Computers OU with out going through nss_ldap and doing getpwent? Isn't this pretty much the only way that Samba can get Machine accounts? Yes. samba relies on pam/nss ldap. I'm looking for a way to hide them from the Linux server. You can't. If it is on different machine, you can restrict using ACL. --beast
Re: [Samba] How do I grant dialin permissions?
* Danny Ybarra [EMAIL PROTECTED] wrote: I have samba 3 running as a PDC and using openldap to store all the user info. My problem is we are using Checkpoint Firewall and the way we let a user log into the vpn was to go to User Manager and give that permission by clicking on Grant dialin permission to user. How do I do that with Samba/Openldap? No you can't. This feature is either not supported by samba or not yet implemented. If you have NT member domain, you can setup local account for RAS users. -- Danny Ybarra Systems Administrator Southwest Research Institute - Div 18 --beast
[Samba] Best backend for member domain
OK its not a good question, but I'm just asking for suggestions. In purely samba controlled domain (with samba3+ldapsam), what is the best backend for member domain (servers) and linux (samba) clients? tdbsam +winbind or use same ldapbackend, for performance and maintainable reasons. --beast
Re: [Samba] Can't login to Samba PDC
* Scott Gross [EMAIL PROTECTED] wrote: ... button (from Win2K network identification screen). The computer is being added to the _COMPUTERS_ container in my LDAP with the appropriate trailing $ (uid=fife3400sales02$,ou=_COMPUTERS_). The domain portion of all SID's is the same (User-Group-Computer-sambaDomainName). When the workstation tries to authenticate the user I can see the connection to IPC$ on the samba server. 'uid=root,ou=_USERS_' is a sambaSamAccount and is a member of 'cn=Domain Users,ou=_GROUPS_'. You put computer account under ou=_COMPUTER_ and users under ou=_USERS_ etc, any reason putting on funky ou name or is this just because of default value in smbldaptools? Have you set pam/nss ldap correctly (/etc/ldap.conf), whats getent passwd /group tell? --beast
Re: Réf. : Re: [Samba] using a master ldap server and a slave ldap server for one samba server
* [EMAIL PROTECTED] wrote: What's means, can I have some problem with this configuration ? Or it's just a speed problem ? Samba will get 2 value for same id and problem will appear sooner or later. Any reason why using 2 ldapsam backend? Stéphane --beast
Re: Réf. : Re: Réf. : Re: [Samba] using a master ldap server and a slave ldap server for one samba
* [EMAIL PROTECTED] wrote: If the first LDAP server failed, the second can be used directly. This server is a PDC server with more than 100 people connected and some application required domain authentication for running. For me is a critical server. You can use one ldapsam with multiple server, see previous posting for the syntax. You can also setup dedicated ldap server for samba though i don't think that samba make a intensive call to ldap server, pam/nss_ldap yes, but 100 (concurrent) user will not that high :) --beast
Re: Réf. : Re: Réf. : Re: Réf. : Re: [Samba] using a master ldap server and a slave ldap server
* [EMAIL PROTECTED] wrote: The origin of my message is a problem with my local LDAP server. last thursday I upgraded my RH 8 with the glibc update from RedHAt, after sometimes the LDAP server is unreachable. In log : Mar 2 11:40:02 coradm01 slapd[5342]: warning: cannot open /etc/hosts.allow: Too many open files This is (open)ldap problem not samba, so better fix this problem first before trying to configure samba. I also fighting with these problem after implementing ldap for mailserver, many peoples has similar problem, see openldap list archive. You can compile ol without libwrap and use acl to restrict access, if your ldapserver is busy enough, use RH7.3 or 8 but never upgrade the glibc. i also has bad experience with unix domain socket too, so stick with tcp. --beast
[Samba] * script parameter and BDC
When BDC will not make any changes in ldap, is it safe to not set any *script parameter in smb.conf? --beast
Re: [Samba] * script parameter and BDC
* Andrew Bartlett [EMAIL PROTECTED] wrote: On Tue, 2004-03-02 at 23:36, Beast wrote: When BDC will not make any changes in ldap, is it safe to not set any *script parameter in smb.conf? If you can keep the scripts identical between PDC and BDC, this will avoid surprises. BDCs will not normally be asked to make changes, but if asked, Samba BDCs will happily try. Is there any (not normal) cases where BDC is asked to make any changes? Thanks. --beast
[Samba] ldap replication sleep seems not working
When configuring samba PDC to use slave ldap, it seems parameter ldap replication sleep did not work, setting any value did not make any difference. I have samba PDC and slave/master ldap connected over fast-ethernet switch, ldap replication take less than 2 seconds, however when adding (XP) machine to domain it gives error The username could not be found. In machine log: Closing connections [2004/03/01 20:01:23, 3] smbd/connection.c:yield_connection(69) Yielding connection to [2004/03/01 20:01:23, 3] smbd/connection.c:yield_connection(76) yield_connection: tdb_delete for name failed with error Record does not exist. From the samba pdc : [EMAIL PROTECTED] samba]# id raptor2$ uid=10110(raptor2$) gid=2005(wsjkt) groups=2005(wsjkt) Its only posix entries created by add machine script, no samba objectclass. On the second try, it will works. replication sleep = 1 (10 secs). --beast
Re: [Samba] ldap replication sleep seems not working
* Andrew Bartlett [EMAIL PROTECTED] wrote: On the second try, it will works. replication sleep = 1 (10 secs). That means that you must make your add user script sleep. We can't control that. This parameter confuses me. What does this actually do? from the man page: ... This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. Andrew Bartlett -- Andrew Bartlett [EMAIL PROTECTED] Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED] Student Network Administrator, Hawker College [EMAIL PROTECTED] http://samba.org http://build.samba.org http://hawkerc.net --beast
[Samba] Running nmbd without smbd
Is it possible? just for wins server, not for file sharing. --beast
[Samba] Ldap ACL for PDC
What operation will be performed by samba PDC/BDC to ldap server? Is all operation will always bind as ldap admin dn or anonymously? I need to create necessary acl in ldap server. Tks. --beast
Re: [Samba] remote announce and cross subnet browsing
* Andrew Bartlett [EMAIL PROTECTED] wrote: The broadcast address is what you want, I think. But really, you want a shared wins server, and a samba server on each subnet (which will ensure that browsing works well) One shared wins server is not possible, because if link is down then client can't register to wins. Andrew Bartlett --beast
Re: [Samba] remote announce and cross subnet browsing
* Andrew Bartlett [EMAIL PROTECTED] wrote: On Fri, Feb 27, 2004 at 11:32:34AM +0700, Beast wrote: Hi all, Which samba server should have these parameters : remote announce = remote browse sync = PDC(DMB), BDC, WINS or any server (as many as we want?) and which server/ip should be in the remote side? I'm trying to put broadcast address of remote network but did not work. Good routers might block this, as it is a very good way to do an amplification DOS with a spoofed source. The broadcast address is what you want, I think. But really, you want a shared wins server, and a samba server on each subnet (which will ensure that browsing works well) I have 4 sites across WAN, each has its own NT/Samba domain and each has its own wins server. 1. If I put PDC as the remote target, it works for samba (will it works on NT pdc too? 2. If wins is installed on same machine as BDC, so it doesn't serve as MDB. Can I use this as remote target? 3. Broadcast address did not works (I already wait for 48 but never appears, with remote PDC it appears within less than 1 hour). 4. Can I use above parameter on many server in local site? Second is how do I tell samba to find the DC for other site? Im trying to create trust but always get same error, even the PDC of remote target are already in dns and lmhost. [EMAIL PROTECTED] root]# net rpc trustdom establish irscpk [2004/02/27 11:44:13, 0] utils/net_rpc.c:rpc_trustdom_establish(1976) Couldn't find domain controller for domain IRSCPK Andrew Bartlett Thanks. --beast
[Samba] remote announce and cross subnet browsing
Hi all, Which samba server should have these parameters : remote announce = remote browse sync = PDC(DMB), BDC, WINS or any server (as many as we want?) and which server/ip should be in the remote side? I'm trying to put broadcast address of remote network but did not work. --beast
[Samba] Ordinary users automatically member of Domain Admins
I've just migrated existing NT users to samba, some users are having SID number 100x. The funny thing is, from NT usermanager, these users are member of Domain Admins group because of their SID? [EMAIL PROTECTED] samba]# pdbedit -L -v jktajit Unix username:jktajit NT username: jktajit Account Flags:[U ] User SID: S-1-5-21-2140563141-904681572-988572150-1012 Primary Group SID:S-1-5-21-2140563141-904681572-988572150-513 ... However, admin user which having SID 500 and Group RID 512 (uid=0,gid=0) is not member of domain admins! [EMAIL PROTECTED] samba]# pdbedit -L -v smbrootjkt Unix username:smbrootjkt NT username: smbrootjkt Account Flags:[U ] User SID: S-1-5-21-2140563141-904681572-988572150-500 Primary Group SID:S-1-5-21-2140563141-904681572-988572150-512 Full Name:SAMBA Root Account [EMAIL PROTECTED] samba]# net groupmap list Domain Users (S-1-5-21-2140563141-904681572-988572150-513) - userjkt Domain Computers (S-1-5-21-2140563141-904681572-988572150-515) - wsjkt Domain Guests (S-1-5-21-2140563141-904681572-988572150-514) - guestjkt Domain Admins (S-1-5-21-2140563141-904681572-988572150-512) - root ... Why? --beast
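Added example, not part of the original post and not Samba's own code: a small audit that decodes the RIDs in the `pdbedit -L -v` and `net groupmap list` output quoted above and reports which NT group and Unix group each account's primary group SID resolves to. The sample text is re-typed (and shortened) from the post, and all function names are illustrative.

```python
import re

# Well-known domain RIDs; these values are the same in every NT domain.
WELL_KNOWN = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
              513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers"}
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-(\d+)")
MAP_RE = re.compile(r"^(.*?)\s+\((S-[\d-]+)\)\s+->?\s+(\S+)$")
# Sample input, re-typed one field per line from the output quoted in the post.
DOM = "S-1-5-21-2140563141-904681572-988572150"
PDBEDIT = f"""Unix username:        jktajit
User SID:             {DOM}-1012
Primary Group SID:    {DOM}-513
Unix username:        smbrootjkt
User SID:             {DOM}-500
Primary Group SID:    {DOM}-512
"""
GROUPMAP = f"""Domain Users ({DOM}-513) - userjkt
Domain Computers ({DOM}-515) - wsjkt
Domain Admins ({DOM}-512) - root
"""

def rid(sid):
    """Return the RID (last sub-authority) of a domain SID."""
    m = SID_RE.fullmatch(sid.strip())
    if m is None:
        raise ValueError(f"not a domain SID: {sid!r}")
    return int(m.group(1))

def parse_pdbedit(text):
    """Map Unix username -> {field name: RID} from `pdbedit -L -v` output."""
    accounts, name = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Unix username":
            name = value
            accounts[name] = {}
        elif key in ("User SID", "Primary Group SID") and name is not None:
            accounts[name][key] = rid(value)
    return accounts

def parse_groupmap(text):
    """Map group RID -> (NT group name, Unix group) from `net groupmap list`."""
    found = (MAP_RE.match(line.strip()) for line in text.splitlines())
    return {rid(m.group(2)): (m.group(1), m.group(3)) for m in found if m}

def audit(pdbedit_text, groupmap_text):
    """Rows of (user, user RID, primary NT group, Unix group, primary is 512)."""
    groups = parse_groupmap(groupmap_text)
    rows = []
    for user, acct in sorted(parse_pdbedit(pdbedit_text).items()):
        grid = acct.get("Primary Group SID")
        nt, unix = groups.get(grid, (WELL_KNOWN.get(grid, "unmapped"), None))
        rows.append((user, acct.get("User SID"), nt, unix, grid == 512))
    return rows
```

A `True` in the last column marks an account whose primary group is Domain Admins (RID 512). Supplementary group memberships do not appear in this output and are not checked.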