Re: [Samba] Configure samba to not look for domain master browser
On Tue, 2011-12-06 at 17:26 +0200, Timothy Madden wrote:
> Hello
>
> On my network there is no domain master browser, and my nmbd is spamming my /var/log/messages file with messages that it could not find one.
>
> Can I configure nmbd not to look for the domain master browser ?

Why not configure logging to log to /var/log/samba and to syslog perhaps only level 1 or 0?

see logging here... http://www.samba.org/samba/docs/using_samba/ch06.html

Craig

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Mac OS X / MS Office save issues and possible .TemporaryItems fix
On Sat, 2011-10-15 at 15:53 +, Nathan A Friedl wrote:
> We have an issue where Macs that try to save MS Office files on our 3.5.11 samba servers occasionally get error messages such as “There has been a network or file permission error. The network connection may be lost.” When this happens, the user often has to save the file to their local drive and then copy it over to the network share.
>
> After doing some research, we suspect the issue may be related to the .TemporaryItems folder that MS Office creates on any drive that it opens a file on (described here: http://prowiki.isc.upenn.edu/wiki/MS_Office_and_Network_Volumes ). MS Office apparently continually modifies the permissions on this folder and can occasionally prevent a user from opening a file due to wonky permissions.
>
> Yesterday we created a .TemporaryItems folder for every share and set the default acl to be rwx for all, as there's no way that Office should be able to change that. We're hoping that will solve the problem, but we've been unable to replicate these problems ourselves so we're just waiting to see if the errors appear again.
>
> Are we on the right track here, or do you suspect something else may be going on? Do you have any suggestions for other things to try?
>
> Additionally, we've been having a hard time determining a good logging level. When we up the logging, the Macs can rotate the logs quite quickly as they touch every file in a folder whenever the folder is opened. What would your suggestion be for a proper logging level to monitor these issues?
>
> Thanks for your time,

gosh that's a real old problem and the solution is painful. You should be able to google the issue/resolution.

The issue is that on each local Macintosh, the first user created is uid #500 and the next is #501, etc. On probably about 70% of the Macs, the primary user is the only user and he is uid 500.

Likewise, other users simultaneously open files on the server with the same uid # and Microsoft Office just plays havoc (I wonder if they fixed this problem with Office 2008?)

Anyway, the only way to permanently fix this problem is to have unique UIDs assigned to each user on each Macintosh (at one location, I used LDAP for authenticating users on each Mac).

The user can also 'copy' existing files from the server to their desktop, make their changes and then move it back to the server when they are finished (ugh).

Otherwise, you can use Libre Office which doesn't suffer from the same issues ;-)

Craig
Re: [Samba] 3.6.0 winbind issues
On Tue, 2011-08-16 at 21:11 -0700, Linda Walsh wrote:
> Generally, I've more often found that for someone looking to uncover a problem, giving more information, on the average, is more helpful in eventual solving or finding the core of the problem.

nothing succeeds in getting answers better than a short focused question.

I tend to believe that people who post long unfocused issues on support lists are flailing to such an extent, that by the time their question gets to most on the list, they have made substantive changes and any suggestions were for conditions that probably don't still exist.

One paragraph to state your problem, one paragraph to state what you have tried and after that, settings that you are currently employing if relevant. Any verbiage beyond that becomes self-defeating.

Craig
Re: [Samba] security = SHARE
On Thu, 2010-07-08 at 02:44 +0200, José Puente wrote:
> Hello,
>
> Please, I need help with security mode = share.
>
> I want to configure security = share and the parameter username = user in a shared folder to avoid that everybody could access to it. If I have understood correctly the manual, this configuration enables to access if the password provided matches with the user's password.
>
> But when I try to access returns this error:
>
> smbclient //SERVER/Docs
> Enter user's password:
> Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.7]
> Server not using user level security and no password supplied.
> tree connect failed: NT_STATUS_WRONG_PASSWORD
>
> I also tried:
>
> smbclient -U user%passwd //SERVER/Docs
> Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.7]
> Server not using user level security and no password supplied.
> tree connect failed: NT_STATUS_WRONG_PASSWORD
>
> smbclient -U user%passwd //SERVER/Docs -P
> Failed to open /var/lib/samba/secrets.tdb
> ERROR: Unable to open secrets database
>
> sudo smbclient -U user%passwd //SERVER/Docs -P
> ERROR: Unable to fetch machine password for SERVER$@ in domain WORKGROUP
>
> If I change passdb backend = smbpasswd in GLOBAL options:
>
> smbclient -U user%passwd //SERVER/Docs -P -e -A /etc/samba/smbpasswd
> ERROR: Unable to open credentials file!
>
> sudo smbclient -U user%passwd //SERVER/Docs -P -e -A /etc/samba/smbpasswd
> ERROR: Unable to fetch machine password for SERVER$@ in domain WORKGROUP
>
> My system:
>
> Linux user-laptop 2.6.32-23-generic #37-Ubuntu SMP x86_64 GNU/Linux
>
> My config:
>
> testparm
> Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.7]
> smb: \ quit
> u...@user-laptop:~$ testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
> Processing section [printers]
> Processing section [print$]
> Processing section [Docs]
> Processing section [printers]
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
> netbios name = SERVER
> server string = %h server (Samba, Ubuntu)
> map to guest = Bad User
> client lanman auth = Yes
> security = SHARE
> obey pam restrictions = Yes
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> unix password sync = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> dns proxy = No
> usershare allow guests = Yes
> panic action = /usr/share/samba/panic-action %d
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> create mask = 0700
> printable = Yes
> browseable = No
> browsable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> [Docs]
> comment = Documents
> path = /home/user/Documentos/Docs
> read only = No
> username = user
>
> smbtree
> WORKGROUP
> \\SERVER server (Samba, Ubuntu)
> \\SERVER\IPC$ IPC Service (server (Samba, Ubuntu))
> \\SERVER\Docs Documents
> \\SERVER\print$ Printer Drivers
>
> sudo pdbedit -Lw
> nobody:65534:::[U ]:LCT-:
> user:1000::CC63D87C86C99FF2FB25B31C84CF584A:[U ]:LCT-4C23B25F:
> smbguest:1001:::[U ]:LCT-:

security = SHARE is like Windows 98 type share and there is no user considered at all, only a password.

If you type 'testparm -sv' you will see all the settings and not those specifically configured in smb.conf and the default is tdb which is probably more than adequate for your purposes.

Does /var/lib/samba/secrets.tdb exist? What are the permissions?

If you set 'security = USER' and you seem to already have a samba user called 'user' (from pdbedit output) and some password created, if you have a posix user called 'user' and this 'user' has the ability to access /home/user/Documentos/Docs it should probably work.

The Samba 'How-To' is extremely useful and you should refer to it. This is a link to the various 'security modes'...

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html

Craig
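An added example, not part of the original thread and not Samba project code: a small Python audit of a service dump like the one quoted above. It flags share-level security (where, as the reply says, no user is considered, only a password) and shares that rely on `username =` in that mode. The sample dump is constructed from the quoted one; the `client lanman auth` check and all function names are this example's own assumptions.

```python
"""Audit a Samba service dump for share-level security (added example)."""

# Constructed sample, modelled on the testparm dump quoted in the thread.
SAMPLE_DUMP = """\
[global]
    netbios name = SERVER
    map to guest = Bad User
    client lanman auth = Yes
    security = SHARE
    usershare allow guests = Yes

[printers]
    path = /var/spool/samba
    printable = Yes
    browseable = No

[Docs]
    comment = Documents
    path = /home/user/Documentos/Docs
    read only = No
    username = user
"""

TRUTHY = {"yes", "true", "1", "on"}
# smb.conf treats "user" and "users" as synonyms of "username".
USER_LIST_PARAMS = ("username", "user", "users")


def _norm(name):
    """Section and parameter names ignore case and all whitespace."""
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def audit(text):
    """Return a list of (section, parameter, message) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []

    share_mode = glob.get("security", "user").lower() == "share"
    if share_mode:
        findings.append(("global", "security",
                         "share-level security: no user is considered, only "
                         "a password; use 'security = USER' with a matching "
                         "Samba and POSIX account"))

    if glob.get("clientlanmanauth", "no").lower() in TRUTHY:
        findings.append(("global", "client lanman auth",
                         "Samba client tools may send the weak LANMAN "
                         "response; set to No unless a legacy server needs it"))

    for name, params in conf.items():
        if name == "global" or not share_mode:
            continue
        if any(p in params for p in USER_LIST_PARAMS):
            findings.append((name, "username",
                             "in share mode this list is only a set of names "
                             "the supplied password is tried against"))
    return findings


if __name__ == "__main__":
    for section, param, message in audit(SAMPLE_DUMP):
        print(f"[{section}] {param}: {message}")
```

Feed it the output of `testparm -s` instead of `SAMPLE_DUMP` to check a real server; after switching to `security = USER` the share-level findings disappear.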
Re: [Samba] Error looking for next uid at /usr/sbin//smbldap_tools.pm line 993.
On Sat, 2007-01-20 at 19:47 +0100, [EMAIL PROTECTED] wrote:
> # smbldap-useradd samba
> Error looking for next uid at /usr/sbin//smbldap_tools.pm line 993.
>
> here my config:
> i have already populated the database:
>
> # smbldap-populate
> Populating LDAP directory for domain Workgroup (S-1-5-21-4205727931-4131263253-1851132061)
> (using builtin directory structure)
> entry dc=GNUtoo,dc=org already exist.
> entry ou=Users,dc=GNUtoo,dc=org already exist.
> entry ou=Groups,dc=GNUtoo,dc=org already exist.
> entry ou=Computers,dc=GNUtoo,dc=org already exist.
> entry ou=Idmap,dc=GNUtoo,dc=org already exist.
> entry uid=root,ou=Users,dc=GNUtoo,dc=org already exist.
> entry uid=nobody,ou=Users,dc=GNUtoo,dc=org already exist.
> entry cn=Domain Admins,ou=Groups,dc=GNUtoo,dc=org already exist.
> entry cn=Domain Users,ou=Groups,dc=GNUtoo,dc=org already exist.
> entry cn=Domain Guests,ou=Groups,dc=GNUtoo,dc=org already exist.
> entry cn=Domain Computers,ou=Groups,dc=GNUtoo,dc=org already exist.
> entry cn=Administrators,ou=Groups,dc=GNUtoo,dc=org already exist.
> entry cn=Account Operators,ou=Groups,dc=GNUtoo,dc=org already exist.
> entry cn=Print Operators,ou=Groups,dc=GNUtoo,dc=org already exist.
> entry cn=Backup Operators,ou=Groups,dc=GNUtoo,dc=org already exist.
> entry cn=Replicators,ou=Groups,dc=GNUtoo,dc=org already exist.
> adding new entry: sambaDomainName=IDEALX-NT,dc=GNUtoo,dc=org
> failed to add entry: naming attribute 'sambaDomainName' is not present in entry at /usr/sbin/smbldap-populate line 471, GEN1 line 21.
> Please provide a password for the domain root:
> Changing password for root
> New password :
> Retype new password :
>
> do i need to post all the config files?

seems that what you need to do is to fix smbldap.conf to match the sambaDomainName (I am quite certain that you need to change it from IDEALX-NT) and change any other configuration items in there as appropriate too.

Craig

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 and Windows 2003 Active Directory
of course one could point him out the documentation that exists to do what he wants to do...

http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-adsdc

and if he wanted to upgrade to the latest version of samba, he could install from kde-redhat repository since Rex has the packages for updating samba for RHEL

http://kde-redhat.sourceforge.net/

Craig

On Sun, 2006-11-12 at 23:53 -0500, Aaron Kincer wrote:
> If you do not absolutely have to use Red Hat, I can give you a quick and easy way to get where you need to be:
>
> 0) Backup all files to a stable temporary repository or the backup media of your choice.
> 1) Download and install Ubuntu 6.06 Server Dapper (I haven't tried 6.10 Edgy yet)
> 2) Follow these instructions: http://ubuntuforums.org/showthread.php?t=91510
> 3) Configure your shares either by hand or use SWAT
> 4) Copy your files from your repository or restore them from media to the corresponding shares on your server.
> 5) If your backup software relies on the archive bit being properly set/cleared, follow these instructions: http://lists.samba.org/archive/samba/2006-September/125314.html
>
> I might have missed something in there, but that should be enough to get you on the right path.
>
> If you have to keep Red Hat, you aren't going to be happy. Their packages are old and in bad need of upgrading. While I was able to get an RHEL server using those old packages properly joined to a 2003 domain, it was not acceptable. I won't go into it. Just trust me on this one--if you want even close to the functionality you want, you have to use newer packages. If you do and keep Red Hat, you lose their support for those packages. Nice dilemma, huh?
>
> Good luck.
>
> Aaron Kincer
>
> On 11/12/06, Michael Casale [EMAIL PROTECTED] wrote:
> > Hi all,
> >
> > Thanks in advance for any help you can offer - I just inherited a Samba file server in my new position, and am familiar with Samba, but no genius in it.
> >
> > The problem is that we need to upgrade our Windows 2003 domain, and our Samba server - version 3.0.10-1.4E won't connect to a Windows 2003 active directory. So, we have to leave a Windows 2000 DC running to authenticate to it. I don't know if this is a problem with Kerberos or Samba - but it is the Kerberos that can't validate tickets to a windows 2003 Domain controller, according to my logs.
> >
> > So, I need to upgrade either Samba, or Kerberos, to work with our Windows 2003 Active Directory servers, so that we can dump our Win 2000 server and move the whole domain up to Win 2003 level and get on with other projects outside of Samba.
> >
> > But, the previous admin installed Samba from RPMs off Red Hat's site, and there doesn't seem to be any upgrades available through them.
> >
> > What do you folks recommend? Should I save my config files, and completely reinstall Samba, Kerberos, Openldap and all the rest from source? Or should I save my configs and use other RPMs to upgrade? If so, to what level? And if source, can anyone recommend an easy-to-follow guide to installing and configuring Samba with Windows 2003 AD?
> >
> > Thanks a million
> >
> > Michael Casale
> > Systems Administrator / IT Manager
> > Knoa Software
> > [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
> > Ph. (212) 807-9608 ext. 6000
> > Fax (212) 675-6121
Re: [Samba] Re: Password change
On Thu, 2006-11-02 at 10:29 -0200, Cleber P. de Souza wrote:
> As Craig told, maybe you forgot the ldap admin account.
>
> I have another question about this. And if I want that an user change him/her account in a linux desktop using passwd, how can I set up the linux so that the samba password shall be sync too?
>
> Any idea?

you would have to alias the 'passwd' command to run an entirely different script/program which is capable of changing multiple attributes on your LDAP DSA or aliased over to smbpasswd (yikes!).

That is not entirely practical but certainly possible - if I recall correctly, there was some mkntpasswd program that was shipped by openldap some time back but I don't know if it is still included.

Craig
Re: [Samba] Re: Unable to open most files within Linux from a windows share
On Thu, 2006-11-02 at 14:12 +, Crystle Numan wrote:
> Craig White craigwhite at azapple.com writes:
> > On Wed, 2006-11-01 at 14:03 -0500, Immanuel CRC Office wrote:
> > > I am trying to open files on my Linux box from a windows share. I can browse to the directory, see the files, copy them to my computer, edit them, save them and copy the files back (using Nautilus). I can open a text file from the windows share with Gedit.
> > >
> > > I can not open a text file with Kate: error: The file or folder smb://pastor/SHARED FILES/text.txt does not exist.
> > >
> > > I can not open an .xls file with OOo nor CXoffice Excel. They both open a blank sheet - not the file. No error message.
> > >
> > > System: Ubuntu AMD64: kernel 2.6.15-27-amd64-generic
> > > Default Samba: 3.0.22
> > >
> > > I've searched to see what others have said, and some say it is KDE's fault. Some say it is a problem with OOo. Does anyone have any other ideas or something to try? Do I have to get this fixed by OOo and KDE?
> > >
> > > Let me know if I need to give more information. Thanks for any help!
> >
> > Logs are your friend...you might want to find them and see if they have any clues.
> >
> > Seems as though it's more of a permissions thing than a GNOME/KDE/oO thing. My guess is that you are mounting this share as 'root' and not as 'user'
> >
> > Did you want to share the appropriate method of mounting (perhaps it is a line in /etc/fstab)?
> >
> > Craig
>
> I do not have a line in /etc/fstab. I simply browse to it through my Places menu. I do not know how Ubuntu sets that up. What file info should I post?
>
> I tried to find a log file, but am not sure if I was looking in the right place. The most recently used log in /var/log/samba was log.nmbd and I watched it as I tried to open a file from the Windows share. Nothing was added to it. Is there another log file I should be watching?
>
> Would it be helpful to post my smb.conf? That doesn't quite make sense as it shows what I am sharing, and that is not the issue.

I think I get it now...you are browsing the share with nautilus which is a GNOME program. GEdit works because it too is a GNOME program. Other programs such as Kate are KDE and don't pick up the permissions from GNOME.

Perhaps you want to use Konqueror to browse/authenticate if you want to use KDE programs but the better way is to set up a mount in the 'fstab' with 'user' authentication which would allow any GNOME, KDE or OpenOffice.org permissions - alas, I am not familiar with Ubuntu but I would suspect that there is a 'Disk / Filesystems' tool that allows 'root' to create the mount for users - thus become a universally available network share.

Craig
Re: [Samba] profile on a remote server
On Thu, 2006-11-02 at 17:05 -0800, timothy johnson wrote:
> I notice that in the LDAP the profiles are stored in a network share. Is it possible to use a different samba server not setup as a PDC/BDC to share these profiles. for an example maybe setup a little samba box on a remote site, that stores profiles and home dirs, but still auth against the PDC. wouldn't that help keep network traffic on the WAN down?

shouldn't be difficult at all - with LDAP, each user's profile can be any path as designated. A samba member server can still use LDAP (via winbind or ldap) for authentication of users.

Craig
Re: [Samba] Re: Password change
Not an answer to the question. The question was some user wants to change their password from Linux command line program 'passwd'

Configuration within smb.conf is not material in this instance.

Craig

On Thu, 2006-11-02 at 11:33 -0800, timothy johnson wrote:
> actually the way I fixed it was in smb.conf
>
> ldap passwd sync = yes
>
> and since I am using pam on my linux boxes it works
>
> On 11/2/06, Craig White [EMAIL PROTECTED] wrote:
> > On Thu, 2006-11-02 at 10:29 -0200, Cleber P. de Souza wrote:
> > > As Craig told, maybe you forgot the ldap admin account.
> > >
> > > I have another question about this. And if I want that an user change him/her account in a linux desktop using passwd, how can I set up the linux so that the samba password shall be sync too?
> > >
> > > Any idea?
> >
> > you would have to alias the 'passwd' command to run an entirely different script/program which is capable of changing multiple attributes on your LDAP DSA or aliased over to smbpasswd (yikes!).
> >
> > That is not entirely practical but certainly possible - if I recall correctly, there was some mkntpasswd program that was shipped by openldap some time back but I don't know if it is still included.
> >
> > Craig
Re: [Samba] profile on a remote server
Please keep replies on list...

I think the solution is given in the below - which doesn't have anything to do with the Windows machine having the local user profile...the problem is the server where you are attempting to write the profile, neither the user nor the 'Administrators Group' has permissions to write the profile on that server.

Probably a good idea to fix the permissions on that server share so profiles can be written there.

Craig

On Thu, 2006-11-02 at 17:34 -0800, timothy johnson wrote:
> I tried this. setup a profiles share, same permissions as the PDC. When I redir to the samba server I get the following.
>
> Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.
>
> This is with a brand new user, so the machine doesn't have a local profile.
>
> On 11/2/06, Craig White [EMAIL PROTECTED] wrote:
> > On Thu, 2006-11-02 at 17:05 -0800, timothy johnson wrote:
> > > I notice that in the LDAP the profiles are stored in a network share. Is it possible to use a different samba server not setup as a PDC/BDC to share these profiles. for an example maybe setup a little samba box on a remote site, that stores profiles and home dirs, but still auth against the PDC. wouldn't that help keep network traffic on the WAN down?
> >
> > shouldn't be difficult at all - with LDAP, each user's profile can be any path as designated. A samba member server can still use LDAP (via winbind or ldap) for authentication of users.
> >
> > Craig
RE: [Samba] Samba + Mac OS 9
On Mon, 2006-10-30 at 13:27 -0800, Brian D. McGrew wrote:
> From MacOS 9, talking to my Windows servers and my Samba Servers, select Choose from the Apple menu, click on AppleShare and enter the IP (10.0.0.2 for example) and click OK. You should get an authorization window asking for a Username and Password. Enter the credentials correctly and it should work.
>
> My Samba configuration is stock, so I know no better :-)

wishful thinking.

AppleShare is for Apple Filesharing Protocol - either over AppleTalk or TCP/IP. It knows nothing about SMB protocols.

The methodology you are describing is known as afpovertcp and it connects to port 548 and doesn't authenticate via any Microsoft methodology.

I believe that there was a product called DAVE that allowed Macintosh OS/9 to authenticate/use Microsoft networking protocols/services.

Craig
Re: [Samba] Re: Password change
On Wed, 2006-11-01 at 17:08 -0800, timothy johnson wrote:
> I don't think samba is writing to the ldap server. cause I change a users password, it did change it in samba we have tested on another machine. but when checking phpldapadmin it still shows the old password
>
> On 11/1/06, timothy johnson [EMAIL PROTECTED] wrote:
> > Ok so when I change a password in windows it changes on the machine, but not in the ldap server. Any Ideas?

logs are your friend

also - be sure to set the password for the 'ldap admin' account as defined in your smb.conf by the command... 'smbpasswd -w WHATEVER_ldap_admin_PASSWORD_IS'

sometimes the 'passwd chat' in your smb.conf can be of issue too.

Craig
Re: [Samba] group policy editing
On Thu, 2006-10-26 at 11:46 +0300, [EMAIL PROTECTED] wrote:
> is there any significant progress with user/group policy editing in samba equiv to windows 2000/2003 server, cause as i believe nitrobit gp editor is not a solution for the most of us?

Nothing that I know of beyond nitrobit but make sure you are familiar with the information at http://wiki.samba.org/index.php/Samba_and_Windows_Policies - though this isn't group policies.

Craig
Re: [Samba] Join Samba Server to Windows 2003 domain
On Fri, 2006-10-27 at 15:57 -0500, George Wilson wrote:
> There seems to be hundreds of ways to skin this cat but I can't seem to find anyone who describes a complete process to make it work. I am using Fedora 5 and the latest build of Samba 3.0. My end goal is to have the samba server be a member of the windows 2003 domain and AD users be able to ssh into the server.

You should probably refer to the Official Samba Documentation

http://www.samba.org/samba/docs

or more specifically, the 'By Example'

http://samba.org/samba/docs/man/Samba-Guide/

or more specifically, the section titled 'Active Directory Domain with Samba Member Server'

http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm

Craig
Re: [Samba] Vampire and spaces
On Tue, 2006-10-17 at 16:34 +1000, Daniel Kasak wrote:
> Hi all.
>
> I'm having another go at using the vampire functionality to move our NT4 domain to samba. I've hit the same problem as 3 years ago - spaces in names ( group names for us ). I believe there are some useradd scripts floating around that deal with this, but I can't find them ( spent 1/2 an hour on google, honest ). Does anyone have one handy?
>
> How about adding scripts like this to the default samba install?

the useradd scripts are part of your *nix distribution. I never had problems with this because I used LDAP and thus the useradd scripts weren't part of the equation at all.

If you need to modify the useradd/groupadd scripts used by your distribution, you might want to ask your distribution for suggestions on modification.

You might want to add the groups yourself first by creating the posix groups, and group mapping them to the appropriate Windows name with spaces but that does defeat some of the vampire simplifications.

Craig
RE: [Samba] Samba with NT4 authentication
On Tue, 2006-10-17 at 16:03 +1300, Chandra Sornam wrote:
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig White
> Sent: Tuesday, 17 October 2006 1:29 p.m.
> To: samba@lists.samba.org
> Subject: Re: [Samba] Samba with NT4 authentication
>
> > On Tue, 2006-10-17 at 08:43 +1300, Chandra Sornam wrote:
> > > Have installed Samba 3 on a Linux box with Centos OS to be a file server. Getting its authentication from a NT4 PDC. Have created samba shares and members of the NT4 PDC group can successfully access the group. The only problem is users cannot authenticate their home share on the Linux server. A webinfo -r of the domain user gives the uid of the group the user is a member of. The user can access the share successfully as well. Have gone through the smb.conf and other config files, and done extensive search on the net to figure out the problem but have hit a blank wall. There are no noticeable errors in the log files that I can see either.
> > >
> > > Regards
> > > CS
> > >
> > > Config file as below
> > >
> > > [global]
> > > workgroup = domain
> > > netbios aliases = test
> > > server string = test File Server
> > > security = DOMAIN
> > > password server = scnz-nt02 scnz-nt01
> >
> > how about 'getent passwd' ? does that enumerate the users from winbind?
> >
> > 'getent group' ? does that enumerate the groups from winbind?
> >
> > if so, does a users uid from winbind match the uid from their 'home' directory?
> >
> > Craig
>
> Hi Craig
>
> Thanks for your assistance. How do I check if the getent passwd/group enumerates against winbind,

getent passwd

do Windows users show up?

getent group

do Windows groups show up?

Craig
RE: [Samba] Samba with NT4 authentication
On Wed, 2006-10-18 at 09:49 +1300, Chandra Sornam wrote:
> -Original Message-
> From: Craig White [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 18 October 2006 6:56 a.m.
> To: [EMAIL PROTECTED]
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Samba with NT4 authentication
>
> > On Tue, 2006-10-17 at 16:03 +1300, Chandra Sornam wrote:
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig White
> > > Sent: Tuesday, 17 October 2006 1:29 p.m.
> > > To: samba@lists.samba.org
> > > Subject: Re: [Samba] Samba with NT4 authentication
> > >
> > > > On Tue, 2006-10-17 at 08:43 +1300, Chandra Sornam wrote:
> > > > > Have installed Samba 3 on a Linux box with Centos OS to be a file server. Getting its authentication from a NT4 PDC. Have created samba shares and members of the NT4 PDC group can successfully access the group. The only problem is users cannot authenticate their home share on the Linux server. A webinfo -r of the domain user gives the uid of the group the user is a member of. The user can access the share successfully as well. Have gone through the smb.conf and other config files, and done extensive search on the net to figure out the problem but have hit a blank wall. There are no noticeable errors in the log files that I can see either.
> > > > >
> > > > > Regards
> > > > > CS
> > > > >
> > > > > Config file as below
> > > > >
> > > > > [global]
> > > > > workgroup = domain
> > > > > netbios aliases = test
> > > > > server string = test File Server
> > > > > security = DOMAIN
> > > > > password server = scnz-nt02 scnz-nt01
> > > >
> > > > how about 'getent passwd' ? does that enumerate the users from winbind?
> > > >
> > > > 'getent group' ? does that enumerate the groups from winbind?
> > > >
> > > > if so, does a users uid from winbind match the uid from their 'home' directory?
> > > >
> > > > Craig
> > >
> > > Hi Craig
> > >
> > > Thanks for your assistance. How do I check if the getent passwd/group enumerates against winbind,
> >
> > getent passwd
> >
> > do Windows users show up?
> >
> > getent group
> >
> > do Windows groups show up?
> >
> > Craig
>
> Hi Craig
>
> The user does show up
>
> getent passwd |grep user.kilbirnie
> domain\user.kilbirnie:*:10345:10049
>
> getent group |grep user.kilbirnie
> domain\Domain Users:x:10049:

is 'kilbirnie' home folder actually owned by user.kilbirnie ? I am unclear about the user. prefix

Craig
Re: [Samba] Samba with NT4 authentication
On Tue, 2006-10-17 at 08:43 +1300, Chandra Sornam wrote:
> Have installed Samba 3 on a Linux box with Centos OS to be a file server. Getting its authentication from a NT4 PDC. Have created samba shares and members of the NT4 PDC group can successfully access the group. The only problem is users cannot authenticate their home share on the Linux server. A webinfo -r of the domain user gives the uid of the group the user is a member of. The user can access the share successfully as well. Have gone through the smb.conf and other config files, and done extensive search on the net to figure out the problem but have hit a blank wall. There are no noticeable errors in the log files that I can see either.
>
> Regards
> CS
>
> Config file as below
>
> [global]
> workgroup = domain
> netbios aliases = test
> server string = test File Server
> security = DOMAIN
> password server = scnz-nt02 scnz-nt01

how about 'getent passwd' ? does that enumerate the users from winbind?

'getent group' ? does that enumerate the groups from winbind?

if so, does a users uid from winbind match the uid from their 'home' directory?

Craig
Re: [Samba] Group Policies
On Thu, 2006-10-12 at 13:47 +0200, schönfeld / in-medias-res wrote:

Hi there,

is it possible to install group policies on a samba pdc which are automatically loaded on connecting to this PDC with a windows client? I thought I could remember that I read something like that, but I was unable to find anything about this topic in the Samba Documentations.

Thanks in advance

http://wiki.samba.org/index.php/Samba_and_Windows_Policies

Craig
Re: [Samba] my samba clients keep randomly dropping out of domain trust
On Tue, 2006-10-03 at 10:44 -0300, Felipe Augusto van de Wiel wrote:

On 09/27/2006 05:37 PM, Paul Raines wrote:

I have one Linux RHEL4 box setup as a PDC and several other Linux RHEL4 samba servers and Windows XP boxes joined to the domain. Ever since upgrading the Linux box to Samba 3 (they are currently running samba-3.0.10) I have problems with the Linux samba clients suddenly dropping out of the domain. Operations suddenly start failing with

[2006/09/27 16:03:25, 3] libsmb/cliconnect.c:cli_session_setup(868)
  SPNEGO login failed: Trust relationship failure
[2006/09/27 16:03:25, 1] libsmb/cliconnect.c:cli_full_connection(1476)
  failed session setup with NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

If I simply try running 'net join' it fails. I have to go to the PDC and remove the machine account completely from smbpasswd and /etc/passwd. Then I re-add it and can then go to the client and run 'net join' and it joins again just fine and everything is happy for another several weeks till it seems to randomly drop out again.

The same machines? Or different ones?

When it happens it is always after a reboot and there is evidence it might be only after a kernel change. But I never had this problem before I upgraded the boxes to RHEL4 and started using Samba 3

I have almost no contact with RHEL4, but I would suggest that you upgrade your samba version. You can use [1]Samba Enterprise, samba 3.0.23c is available for RHEL4.

1. http://www.sambaenterprise.org/

I can't see that upgrading is going to help OP

It is normal for a computer account to change its password about once a month which sounds like what is happening but it seems that the computer thinks it has successfully changed the password but the samba PDC doesn't see it that way.

Thus deleting the machine account and then joining again seems to work but the changing down the road doesn't.

Perhaps OP should verify the machine accounts with pdbedit but just guessing that the smb.conf on the samba member servers isn't set up correctly...try reviewing the 'By Example' documentation for member servers at http://www.samba.org/samba/docs

Craig
Re: [Samba] Re: WINS over subnets
On Tue, 2006-10-03 at 04:41 +0200, Hoggins! wrote:

Okay, I checked on my clients, and what I see is for the most surprising: they only display hosts within the samba server's browse.dat, not even the other hosts on the same subnet (usually, I believe they would have been discovered through broadcast).

So the only machines that appear on ALL the machines of all the subnets are :
- the server
- the XP box, located on the same subnet as the server

The other hosts' names can be successfully resolved by the server (checked with Ethereal) when explicitly typed in the explorer bar. But they are not discovered by the network browsing.

Any idea of the problem ? The local masters don't seem to be doing their job, do they ?

Official Samba HowTo suggests that you would need a WINS server on each subnet

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2588936

You might want to review the documentation - there is a possibility that 'remote browse sync = broadcast_address_of_remote_subnet' might work for you.

Craig
Re: [Samba] Re: WINS over subnets
On Mon, 2006-10-02 at 19:55 -0700, Craig White wrote:

On Tue, 2006-10-03 at 04:41 +0200, Hoggins! wrote:

Okay, I checked on my clients, and what I see is for the most surprising: they only display hosts within the samba server's browse.dat, not even the other hosts on the same subnet (usually, I believe they would have been discovered through broadcast).

So the only machines that appear on ALL the machines of all the subnets are :
- the server
- the XP box, located on the same subnet as the server

The other hosts' names can be successfully resolved by the server (checked with Ethereal) when explicitly typed in the explorer bar. But they are not discovered by the network browsing.

Any idea of the problem ? The local masters don't seem to be doing their job, do they ?

Official Samba HowTo suggests that you would need a WINS server on each subnet

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2588936

You might want to review the documentation - there is a possibility that 'remote browse sync = broadcast_address_of_remote_subnet' might work for you.

OK correction...I have it on good authority that I have given bad advice above...

1 - only 1 WINS server
2 - remote browse sync is not what you want
3 - clients need to have proper configuration of WINS server address - if by DHCP, then you probably need to set the node type (option 44/46) correctly
4 - OP should check contents of wins.dat (on my RH systems, they are located in /var/cache/samba but on others, they are in /var/lib/samba YMMV)

Craig
Re: [Samba] Several samba / ldap for a pdc/bdc setup/transition questions
On Wed, 2006-09-06 at 17:05 -0400, Bob Hetzel wrote:

Greetings all,

I've been researching migrating my NT4 PDC and BDC services to samba to get around the concerns we have here with NT4 no longer being patched when security holes are found.

Details of my current NT4 domain...

approx 300 computers, most of which can be migrated out soon either to be in no-domain or in an active directory domain

approx 3000 user accounts, which need to be maintained until we can transition servers and custom built webapps to an active directory domain.

I have no interest in doing shares, printers, or roaming profiles on these domain controllers. Server 2003 licenses are extremely cheap for us here in the university environment and we have to have windows to run the current commercial apps we have anyway. We're working on transitioning everything into MS Active Directory but cannot migrate using the standard MS methods for a variety of reasons and are likely to be stuck with the old NT4 domain for at least the next 6-12 months. Additionally that hardware is pretty old and I have reliability concerns with it.

Conclusions and questions I've come to so far... correct these if you think there is a superior way. I've been reading lots of docs and how-tos mostly from www.samba.org

1) an LDAP backend is really required for proper operation of replication between the two domain controllers while maintaining complete redundancy

2) users and machines must be in both the LDAP and in the /etc/password files. I'd rather not have this as I do not want these users signing into my unix box under other protocols.

3) I'll enable the software firewall on the unix box to prevent unauthorized access into the LDAP servers. How should I secure the LDAP servers beyond that? I assume I need encryption on the replication traffic between the master and slave LDAP. I want to make sure anybody can't just use their own account to query the LDAP and get out other people's password hashes (or even their own if I can prevent that while still allowing them to change their own password).

4) The most common database back-end seems to be BDB which I'm not familiar with. Are there any common tools to query that directly beyond querying it through the ldap server? This is not a requirement but I'd like to know the details of what's in the database and how it's laid out for my own info.

5) Am I likely to run into any problems importing the accounts and groups from the NT4 domain? We have all of our servers set to use only NTLMv2. My goal is to make this happen in a way that end-users shouldn't notice any difference, so if their passwords change it'll be a disaster. Additionally we have automated jobs kicking off all hours of the day and night which will depend on users, passwords, and group memberships not changing.

Any additional details you can provide would be wonderful.

users need only be in LDAP and not in both LDAP and /etc/passwd files as you state in #2

be prepared to perform the vampire (import from NT4) many times until you get everything right.

Lastly, some amount of mastery of LDAP is going to make this a whole lot easier. Learn to use LDAP command line clients such as ldapadd/ldapmodify/ldapsearch and TLS/SSL with LDAP prior to samba integration.

Craig
Re: [Samba] Setup Windows XP to print to CUPS printer on FC5
On Wed, 2006-08-09 at 19:03 -0400, Jack Gates wrote:

I am quite sure this question has been asked before but I can't find anything in the archive and Google does not turn up anything useful.

I have Fedora Core 5 with an HP LaserJet 5L printer connected to the LPT port. I also have the CUPS printer queue shared.

I am trying to set up a Windows XP laptop with wlan on my home network to be able to print to that printer.

I have little understanding of how to make samba work. I have found a lot of information but most of it does not help me or make sense to me.

I only want the win xp box to have access to the printer and nothing else.

Do I have to setup a user account between FC5 and XP to make this work?

I know basically nothing about XP. I don't know if I have FC5 configured to allow XP to see the printer.

I have spent 9 hours trying to figure out how to setup two different OS and samba and one printer to work on both OS. I have made no progress in completing my objective. I don't know which way is up right now.

Can some one help me?

http://www.owlfish.com/thoughts/winipp-cups-2003-07-20.html

The above link was already given to you on the Fedora list several hours ago and that seemed to be as concise instructions as possible.

If you want to use samba to share the printer, then you really need to see the 'Official How-To' http://www.samba.org/samba/docs (see the howto link on the left) but recognize that using samba to share a printer requires a working samba configuration compatible with your Windows XP setup and that is likely more reading, more work than the link that was suggested to you earlier on the fedora-list

Craig
Re: [Samba] This list is a black hole.
On Tue, 2006-08-08 at 06:12 -0700, Steven Rice wrote:

Many questions go in, Very few answers come out.

Concise questions that narrow the scope of the problem are answered most of the time.

Questions with large amounts of information that take a lot of time to process and questions that demonstrate that the person hasn't spent much time to narrow the problem or the question are likely to be passed over.

There is a treatise on how to ask questions the smart way...

http://www.catb.org/~esr/faqs/smart-questions.html

Bear in mind that this is entirely volunteer and no one is paid to solve your problems. If you want paid support, SuSE Professional, Red Hat Enterprise Linux and others provide SLA (Service Level Agreements) to solve your issues.

If your question doesn't get answered in a day or two, it's likely you need to rephrase your question, hopefully reducing the volume and narrowing the scope with the additional information that you've been able to gather in the interim.

Lastly, consider that just about everything is covered in the outstanding documentation available in dead tree, html or pdf form in the publications titled Official Samba 3 HowTo and Samba By Example - see http://www.samba.org/samba/docs

Craig
Re: [Samba] Trouble with PDC setup using Samba 3.0.23 and OpenLDAP
On Sun, 2006-07-30 at 06:40 +, Jonathan Poon wrote:

Hi everyone,

I am trying to setup a PDC using Samba and OpenLDAP. For some reason, I've used both the examples provided in the Official Howto and also the smbldap-tools howto developed by IDEALX. I am able to get the directory up and running.

I am able to get the following working:

1. LDAP Directory server and successful Queries through Samba
2. Add user and machine accounts.
3. Login using the user account to access shares

However, after adding my machine to the domain and rebooting my Windows 2000 Professional workstation, I am UNABLE to login to the domain using the same User account that I was able to use to access shares on the Samba server.

Here is what I am getting in the logs for both OpenLDAP and Samba

I'm getting the error bdb_equality_candidates: (uniqueMember) index_param failed (18) when it's trying to obtain the attribute gidNumber from the LDAP logs.

In the samba logs, it's getting a Rejecting auth request from client DELL machine account DELL$

Also when I do a net rpc info, I don't see any users or groups added...

net rpc info
Domain Name: POON
Domain SID: S-1-5-21-2419779023-3102034070-987042703
Sequence number: 1154241602
Num users: 0
Num domain groups: 0
Num local groups: 0

I don't know where to start...Please let me know if you have had a similar experience and found a solution. I appreciate your help very much!

-Jonathan P.
OPENLDAP.LOG

Jul 29 23:32:41 poontv slapd[6138]: conn=215 fd=10 ACCEPT from IP=127.0.0.1:38290 (IP=0.0.0.0:389)
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 BIND dn=cn=samba,ou=DSA,dc=jonathanpoon method=128
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 BIND dn=cn=samba,ou=DSA,dc=jonathanpoon mech=SIMPLE ssf=0
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=0 RESULT tag=97 err=0 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SRCH base= scope=0 deref=0 filter=(objectClass=*)
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SRCH attr=supportedControl
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SRCH base=dc=jonathanpoon scope=2 deref=0 filter=((uid=dell$)(objectClass=sambaSamAccount))
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SRCH base=dc=jonathanpoon scope=2 deref=0 filter=((uid=jonathan)(objectClass=sambaSamAccount))
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Jul 29 23:32:41 poontv slapd[6138]: conn=215 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=216 fd=18 ACCEPT from IP=127.0.0.1:38291 (IP=0.0.0.0:389)
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 BIND dn=cn=nssldap,ou=DSA,dc=jonathanpoon method=128
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 BIND dn=cn=nssldap,ou=DSA,dc=jonathanpoon mech=SIMPLE ssf=0
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=0 RESULT tag=97 err=0 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SRCH base=ou=Users,dc=jonathanpoon scope=1 deref=0 filter=((objectClass=posixAccount)(uid=jonathan))
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 29 23:32:41 poontv slapd[6138]: conn=217 fd=23 ACCEPT from IP=127.0.0.1:38292 (IP=0.0.0.0:389)
Jul 29 23:32:41 poontv slapd[6138]: conn=216 op=2 UNBIND
Jul 29 23:32:41 poontv slapd[6138]: conn=216 fd=18 closed
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 BIND dn=cn=nssldap,ou=DSA,dc=jonathanpoon method=128
Jul 29 23:32:41 poontv slapd[6138]: conn=217 op=0 BIND
Re: [Samba] Cross-Subnet Browsing Problem
Hi

On Fri, 2006-07-14 at 19:42 -0500, Todd Pytel wrote:

Hi all,

I've had cross-subnet browsing working in Samba in the past, though I tend to struggle with it each time I set it up. For whatever reason, I can't seem to get things working this time.

Summary: Only my desktop, not the file server, shows up in the desktop's Network Neighborhood. (I have left the machines running for several hours, in case there's a time-to-sync issue involved.)

Details: The Samba server (ARISTOTLE) is in the 172.16.0.x subnet and my XP desktop (TIMAEUS) is in 192.168.0.x. There is no NAT or firewall running in between the subnets. Aristotle acts as a WINS server and is recognized as such in Timaeus' ipconfig output. Name lookups work fine, as verified by MS's nblookup tool. Also, I can browse shares on Aristotle using \\aristotle, so the problem is just that the server doesn't register for browsing.

I ran a capture using ethereal, and everything in there looks OK. The desktop boots up and registers its name with WINS on the server. Shortly thereafter, the desktop looks up the DMB against WINS (which is the server - it's the only one on the network), and sends it a Backup List Request to which the server sends a Backup List Response naming itself as the backup server. And that's it. Now, from what I can tell from reading the SMB protocol specs, the desktop is supposed to contact the named backup server in order to sync up its browse list. But that doesn't happen - there's nothing else in the packet capture, and no errors anywhere in the level 3 Samba logs or in the desktop's event logs.

So it seems like everything works except for the very last step. Any idea what's going on? What I'm guessing to be the relevant parts of smb.conf follow. If I can provide any more info, let me know.

Thanks,
Todd

smb.conf:

workgroup = SOPHROSUNE
server string = File/Print Server
security = user
guest account = guest (this account exists on the server)
local master = yes
os level = 99
domain master = yes
preferred master = yes
domain logons = yes (last time I set this up, this seemed to be needed for cross-subnet browsing, but I don't really know. Something about IPC$ connections?)
wins support = yes

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S
hosts allow = 192.168.0.
hosts deny = 127.0.0.1

[netlogon]
comment = Network Logon Service
path = /usr/local/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no (Like domain logons, prior experiments seemed to show that this was needed, but I don't really know.)

I believe what you want is 'remote announce' - you can get a good definition of its usage in the man page for smb.conf

Craig
Re: [Samba] Cross-Subnet Browsing Problem
On Fri, 2006-07-14 at 20:17 -0500, Todd Pytel wrote:

Craig White wrote:

I believe what you want is 'remote announce' - you can get a good definition of its usage in the man page for smb.conf

I've tried that as well (using remote announce = 192.168.0.255), but it didn't seem to make any difference. That might be a routing issue - I didn't thoroughly check whether the machine doing the routing will pass broadcasts like that. But in any event, my understanding is that the remote options were basically dirty hacks that shouldn't be necessary anyway. I know that in the past when I've had this working I didn't need to use them.

you probably don't need that option if the clients know where to find the WINS servers (probably can set multiple WINS servers in DHCP configuration)

Craig
Re: [Samba] unwanted roaming profiles
On Thu, 2006-07-13 at 10:40 -0400, Eric Evans wrote:

Hello,

I have a minor problem wherein Samba is creating roaming profiles for users who logon to our lab's domain. I don't want roaming profiles. Since I'm not using the logon path command in my smb.conf, and I don't have a [profile] share in my smb.conf either, I can't figure out why Samba keeps wanting to create roaming profiles. Anyone have any ideas about this?

I assure you that the answer is in the man page for smb.conf under 'logon path'

Craig
Re: [Samba] domain/WINS problem
On Tue, 2006-07-11 at 10:32 -0400, Eric Evans wrote:

Hello,

Concerning my problem with not being able to connect to our domain with our Samba clients, there is a further piece of evidence in my samba.log, and I'm hoping that someone who is more experienced in dealing with WINS and domains can clarify the nature of these messages from the log:

sync_with_dmb: Initiating sync with domain master browser PLEIADES20 at IP 128.253.175.155 for workgroup PLAB
[2006/07/11 10:13:45, 2] nmbd/nmbd_nameregister.c:wins_registration_timeout(184)
  wins_registration_timeout: WINS server 127.0.0.1 timed out registering IP 128.253.175.155
[2006/07/11 10:13:45, 2] nmbd/nmbd_nameregister.c:wins_registration_timeout(184)
  wins_registration_timeout: WINS server 127.0.0.1 timed out registering IP 128.253.175.155
[2006/07/11 10:13:45, 2] nmbd/nmbd_nameregister.c:wins_registration_timeout(184)
  wins_registration_timeout: WINS server 127.0.0.1 timed out registering IP 128.253.175.155
[2006/07/11 10:13:45, 2] nmbd/nmbd_nameregister.c:wins_registration_timeout(184)
  wins_registration_timeout: WINS server 127.0.0.1 timed out registering IP 128.253.175.155
[2006/07/11 10:13:45, 2] nmbd/nmbd_nameregister.c:wins_registration_timeout(184)
  wins_registration_timeout: WINS server 127.0.0.1 timed out registering IP 128.253.175.155
[2006/07/11 10:13:45, 2] nmbd/nmbd_nameregister.c:wins_registration_timeout(184)
  wins_registration_timeout: WINS server 127.0.0.1 timed out registering IP 128.253.175.155
[2006/07/11 10:13:45, 2] nmbd/nmbd_nameregister.c:wins_registration_timeout(184)
  wins_registration_timeout: WINS server 127.0.0.1 timed out registering IP 128.253.175.155

Has anyone else encountered this problem before while trying to run the Samba server as a WINS server?

is nmbd running?

ps aux|grep nmbd

Craig
Re: [Samba] can't contact domain
On Tue, 2006-07-11 at 13:27 -0400, Eric Evans wrote:

Thanks Craig Vincent for your suggestions. It seems that there is definitely some kind of WINS problem but I still don't know exactly why the WINS serving is not working as it should. I should also mention that I'm occasionally getting error messages that say winbindd: idmap uid range missing or invalid and winbindd: cannot continue, exiting.

at this point, you don't need winbindd on samba server command line...try

smbclient -L pleiades -U Administrator

This command returns the following:

Domain=[PLAB] OS=[Unix] Server=[Samba 3.0.22]

Sharename   Type      Comment
---------   ----      -------
ADMIN$      IPC       IPC Service (Samba 3.0.22)
IPC$        IPC       IPC Service (Samba 3.0.22)
scripts     Disk
ikalanga    Disk
berber      Disk
serbian     Disk
ling420     Disk
netlogon    Disk
_default    Printer
128_1       Printer
root        Disk      Home directory of root

Domain=[PLAB] OS=[Unix] Server=[Samba 3.0.22]

Server      Comment
---------   -------
PLEIADES    Samba 3.0.22

Workgroup   Master
---------   -------
PLAB        PLEIADES

and see what happens

if you have problems, you might try deleting wins.dat and restarting samba services

Yes, this seems like a good suggestion, but I tried this and I'm still having the problem with the client not recognizing the domain.

lastly does nmbd.log reveal that pleiades is the master?

It would seem so. Here is the most recent output from the log.nmbd (although I'm not so sure about what that last error message means):

[2006/07/11 11:19:38, 2] nmbd/nmbd_browsesync.c:announce_local_master_browser_to_domain_master_browser(110)
  announce_local_master_browser_to_domain_master_browser: We are both a domain and a local master browser for workgroup PLAB. Do not announce to ourselves.
[2006/07/11 11:19:38, 2] nmbd/nmbd_browsesync.c:sync_with_dmb(154)
  sync_with_dmb: Initiating sync with domain master browser PLEIADES20 at IP 128.253.175.155 for workgroup PLAB
[2006/07/11 11:19:40, 2] nmbd/nmbd_become_dmb.c:become_domain_master_stage1(173)
[2006/07/11 13:09:26, 0] nmbd/nmbd.c:main(727)
  Netbios nameserver version 3.0.22 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2006/07/11 13:09:26, 0] nmbd/nmbd.c:main(746)
  standard input is not a socket, assuming -D option
[2006/07/11 13:09:26, 2] nmbd/nmbd.c:main(751)
  Becoming a daemon.
[2006/07/11 13:09:26, 0] nmbd/asyncdns.c:start_async_dns(151)
  started asyncdns process 965
[2006/07/11 13:09:26, 0] lib/pidfile.c:pidfile_create(91)
  ERROR: nmbd is already running. File /usr/local/samba/var/locks/nmbd.pid exists and process id 758 is running.

As for Vincent's question, yes I have 'wins support = yes' in my smb.conf and I have the address of the Samba server (WINS server) defined in my client's network control panel in the list of WINS servers.

Vincent, I think you have a good point about the address of the WINS server that's showing up in the samba.log though. Why is the WINS server coming up as 127.0.0.1 instead of as its regular IP address? It seems to me that if Samba is taking the IP address of the WINS server to be 127.0.0.1 instead of its real IP address then that would explain my whole problem, because obviously the client is not going to be able to locate the WINS server then by its IP address. So the question I have is, how in the world do I get the Samba server to attach the real IP address, 128.253.175.155, to the WINS server instead of the localhost address? Is there some smb.conf configuration statement that does this that I am overlooking?

couldn't start nmbd because nmbd is already running...you probably need to fix that.

I don't know about your smb.conf socket address = I don't ever use that. Myself, I would concentrate on hosts allow and possibly bind interfaces only commands if I had multiple ethernet interfaces instead but that's just me.

Craig
Re: [Samba] can't contact domain, problem fixed (?)
On Tue, 2006-07-11 at 14:43 -0400, Eric Evans wrote:

couldn't start nmbd because nmbd is already running...you probably need to fix that.

Yes I'm not sure where that's coming from but I should fix that.

I don't know about your smb.conf socket address = I don't ever use that.

Looking back over my smb.conf, I'm not sure why I put that in there back when I first set up Samba for our lab. Maybe at the time I thought it was a desirable option for some reason, but from what I read in the documentation now it seems that this option is only useful for multi-homed machines, which we don't have.

Well I finally got the thing to work! At least on the one client that I've tried it on so far. What I did was to delete the socket address command from the smb.conf, and add 'wins server = 128.152.175.155'.

It's so clear in black and white in the documentation - why do you continue to fail to read the documentation...

This line must not be set in the smb.conf file of the Samba server acting as the WINS server itself. If you set both the wins support = yes option and the wins server = name option then nmbd will fail to start.

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2554593

is this a Cornell thing?

Craig
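The HOWTO rule quoted in the message above (a server with wins support = yes must not also set wins server) can be checked before nmbd is restarted. The following Python check is an added example, not code from the thread or from the Samba project; the function names and the two sample configurations are constructed for illustration, the first modelled on the [global] section and the change described in this thread.

```python
"""Check smb.conf for the WINS conflict quoted from the Samba HOWTO."""

# Spellings Samba accepts for a true boolean value.
TRUE_VALUES = {"yes", "true", "on", "1"}


def normalize(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Return {section: [(param, value, lineno), ...]} in file order."""
    sections, current, pending = {}, None, ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # backslash continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current].append((normalize(name), value.strip(), lineno))
    return sections


def check_wins(text):
    """Return a list of (code, message) findings for the [global] section."""
    findings, first_seen, effective = [], {}, {}
    for name, value, lineno in parse_smb_conf(text).get("global", []):
        if name in first_seen:
            findings.append((
                "duplicate",
                f"line {lineno}: '{name}' already set on line {first_seen[name]}",
            ))
        else:
            first_seen[name] = lineno
        effective[name] = value          # the last assignment is the one in effect
    acts_as_wins = effective.get("winssupport", "no").lower() in TRUE_VALUES
    points_at_wins = effective.get("winsserver", "")
    if acts_as_wins and points_at_wins:
        findings.append((
            "wins-conflict",
            "'wins support = yes' and 'wins server = "
            f"{points_at_wins}' are both set; remove 'wins server' on the "
            "host that is itself the WINS server",
        ))
    return findings


# Constructed sample: settings taken from the [global] section posted in the
# thread, with 'wins support' and 'wins server' both present.
BROKEN = """\
[global]
    socket options = TCP_NODELAY
    max log size = 100
    log file = /var/log/samba.log
    log level = 2
    max log size = 50
    wins support = yes
    wins server = 128.152.175.155
"""

# Constructed sample: the same host acting as WINS server only.
FIXED = """\
[global]
    socket options = TCP_NODELAY
    log file = /var/log/samba.log
    log level = 2
    max log size = 50
    wins support = yes
"""

if __name__ == "__main__":
    for code, message in check_wins(BROKEN):
        print(f"{code}: {message}")
```

Samba's own testparm remains the authoritative syntax check; this only covers the two conditions named above.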
Re: [Samba] very very weird problem, Samba completely broken
Samba 3 works fine for thousands if not millions of people. It is significantly better than Samba 2 and though the commands seem to be the same, the results are different.

On Fri, 2006-07-07 at 17:45 -0400, Eric Evans wrote:

This is very strange and frustrating. Our users complained that they weren't able to get ANY Samba access, not even being able to map a network drive (forgetting for now about that domain logon thing for a while). So I went into the /etc/samba/smb.conf and took out all of the statements that had anything to do with domain controlling and net logons, basically restoring the smb.conf to the state it was in before I started messing around with all that domain controller stuff.

probably would be much easier if you understood Windows Networking principles.

To my chagrin, now NOTHING works on Samba, even with my original smb.conf!

You shouldn't expect Samba 3 to work with Samba 2 configuration file

The only thing I'm doing differently now that I wasn't doing last week is I'm now running Samba 3 instead of Samba 2. Should I uninstall Samba 3 and put version 2 back on?

If you lack the patience to learn new things, perhaps that is the easier solution

This is too weird. Here's the error message I'm getting in my samba log file whenever I try to map a network drive on the Windows client:

[2006/07/07 17:24:18, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(183)
  process_name_refresh_request: unicast name registration request received for name WORKGROUP00 from IP 128.253.175.150 on subnet UNICAST_SUBNET.
[2006/07/07 17:24:18, 0] nmbd/nmbd_incomingrequests.c:process_name_refresh_request(184)
  Error - should be sent to WINS server

Nothing below suggests that you are using a WINS server...not in the Windows clients, not in smb.conf. Make life easy for yourself, add 'wins support = yes' to smb.conf and change your dhcp server to use 128.253.175.150 as WINS server and node type = '8'

Again...a little knowledge of Windows Networking would go a long way here.

It seems that your Client VENUS tries to register itself to the WINS server it is configured to. Check what WINS server is configured using ipconfig /all in a DOS prompt. If your client's WINS server is configured to be a.b.c.d and your domain PDC IP is a.b.c.d but the wins server parameter of smb.conf is set to no then it would seem logical that the error is Should be sent to the WINS.

Please post your ipconfig /all output and your smb.conf file.

Here's the output from the ipconfig /all:

Windows IP Configuration

Host Name . . . . . . . . . . . . : cornell-emngrvm
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : phonetics.cornell.edu

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : phonetics.cornell.edu
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-06-5B-95-8C-15
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 128.253.175.146
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : 128.253.175.129
DHCP Server . . . . . . . . . . . : 132.236.56.249
DNS Servers . . . . . . . . . . . : 132.236.56.250
                                    128.253.180.2
Lease Obtained. . . . . . . . . . : Friday, July 07, 2006 5:14:05 PM
Lease Expires . . . . . . . . . . : Friday, July 07, 2006 6:14:05 PM

Here's the /etc/samba/smb.conf:

[global]
socket address = 128.253.175.155
socket options = TCP_NODELAY
invalid users = bin daemon adm sync shutdown halt mail news uucp
max log size = 100
print command = /bin/lp -d%p %s; sleep 5; rm -f %s
printer = 128_1
printing = SYSV
log file = /var/log/samba.log
log level = 2
max log size = 50
debug timestamp = yes

[homes]
browseable = no
read only = no
writeable = yes
guest ok = no

I'm completely mystified as to why I keep getting these Error - should be sent to WINS server messages. If anyone has any suggestions I'd love to hear them. At this point it looks to me that Samba has somehow become broken beyond repair.

Please don't whine.

READ the documentation...Samba by Example does excellent handholding for the impatient...

http://www.samba.org/samba/docs/man/Samba-Guide/

I would suggest that you start with 'Small Office Networking'

Also note that firewalls would
Re: [Samba] very very weird problem, Samba completely broken
I didn't think it was possible that you would refute everything that I said without checking a single bit of information but you definitely did that. It's obvious that you merely want to debate and that your request for help wasn't really a desire to learn anything or fix anything...just a soapbox. I'm done - anyone else - feel free to step in. Craig On Fri, 2006-07-07 at 18:34 -0400, Eric Evans wrote: probably would be much easier if you understood Windows Networking principles. I'm sure it would, I'm trying my best to learn them. In the meantime I have a bunch of users who are impatient to get this thing working ASAP and who are not patient enough to wait around while I read an entire book on Windows networking before tackling their problem. Nothing below suggests that you are using a WINS server...not in the Windows clients, not in smb.conf. That is entirely correct. I'm not using a WINS server and I have no need to use a WINS server. Make life easy for yourself, add 'wins support = yes' to smb.conf and change your dhcp server to use 128.253.175.150 as WINS server and node type = '8' I have tried adding 'wins support = yes' to the smb.conf and it has no effect on this problem. Furthermore I don't see why that should be necessary anyway since I'm not running a WINS server. Also, I can't change our DHCP server because it is controlled by a centralized agency that I have no authority over, and I don't have configuration access to it. READ the documentation...Samba by Example does excellent handholding for the impatient... http://www.samba.org/samba/docs/man/Samba-Guide/ I would suggest that you start with 'Small Office Networking' Yes I agree that the documentation is important, and I assure you that I have been reading it and I'm still reading it. I could just use a little help here, is all. 
Also note that firewalls would block access - probably a very good idea to run firewalls on these systems since they appear to have public IP addresses - thus a 'hosts allow = 128.253.175. ' would be a very good thing. Firewall would have to allow ports 137:139 and probably 445 from that same ip address range. Not going across a firewall, so this is not a problem. Also note that you don't have any shares that users can see in your above configuration since a HOMES share is only pertinent to those that attach to a PDC/BDC and since you have surrendered that ground in frustration, you can't have it. Now this is an interesting and surprising statement. When we were running Samba 2 we were definitely not using PDC or BDC, but we had a homes share declared in the smb.conf and people were connecting to it every day without any difficulty. But you're saying now that you can't connect to the homes share unless you are attaching to a PDC or BDC? When did this happen? Was this a change in Samba's policy that occurred when they went from version 2 to version 3? Thanks, Eric -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Updating to Samba 3
On Fri, 2006-07-07 at 16:54 -0700, Huck wrote:
> This link may be of some assistance to those updating from Samba 2.
> http://www.phptr.com/articles/article.asp?p=419048rl=1

Since the official Samba documentation is authoritative and actually covers this subject, pointing to another 3rd party for reference is likely to cause confusion...especially when a confused administrator hasn't consumed the official documentation to begin with.

Craig
Re: [Samba] New User and Which List question
On Fri, 2006-07-07 at 12:34 +0200, Cillier Burger wrote:
> Hi guys, I'm new so hi to everyone. Anyway, I'm having a little problem getting Samba and OpenLdap to play together nicely. It's not a Samba problem, in the sense that everything works fine using smbpasswd etc and it's not an OpenLDAP problem in the sense that the lookups and so forth happen flawlessly. I would say that it is a problem with the two services talking to each other, let's say, a matter of protocol or whatever.
>
> What I would like to know is whether this is the correct list to send my query to? Just want to find out before I drop my logs and stuff here and a long boring description of the problem.

Large logs and long boring descriptions are likely indicative that you haven't spent much time learning the technologies and are largely unfocused on the problems that you face. Minimum snippets of logs and short questions indicate a focus of the problem and a solution is much more likely to result.

Craig
Re: [Samba] Simple Samba Configuration on FC5, Please help!
On Fri, 2006-07-07 at 21:14 -0700, DuongThanh An wrote:
> Hi!, I have a simple configuration for samba to have my /shared dir got shared as writable to everyone in my LAN. The configuration, however, seems not to work :(. Could someone help me out this situation?
>
> My configuration:
>
> [global]
> workgroup = mygroup
> server string = thanhan
> printcap name = /etc/printcap
> load printers = yes
> cups options = raw
> log file = /var/log/samba/%m.log
> max log size = 50
> security = share
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> guest ok = yes
> guest account = root
>
> [homes]
> comment = Home Directories
> browseable = no
> writeable = yes
>
> [shared]
> path = /shared
> writeable = yes
> browseable = yes
> guest ok = yes
>
> The /shared dir permission is: 777
>
> When I tried to connect to the share from a Windows machine, I have successfully access the directory (without any password prompt) but when I tried to create a new directory I got an Access Denied error.
>
> My Samba version is: 3.0.21b-2
>
> Thank you so much for help :)

sounds like SELinux issue (FC-5) - check /var/log/messages, dmesg for 'denied avc' messages to confirm.

If so... either, turn SELinux to 'permissive' mode or learn how to use SELinux to 'label' /shared for use with Samba

http://fedora.redhat.com/docs/selinux-faq-fc5/

Craig
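The log check suggested in the reply above, as an added example that is not part of the original thread: a shell filter that pulls smbd AVC denials out of kernel log lines and counts them per target. The sample lines are constructed, the function names are hypothetical, and `samba_share_t` in the closing comment is the type the targeted policy uses for content exported by Samba.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials logged against smbd.
# Usage: sh avc_smbd.sh /var/log/messages   (no argument: run on the sample)

# Constructed sample lines in the kernel AVC log format (not from the poster's host).
sample_log() {
cat <<'EOF'
Jul  8 09:14:02 fc5 kernel: audit(1152350042.311:27): avc:  denied  { write } for  pid=2871 comm="smbd" name="shared" dev=dm-0 ino=98311 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Jul  8 09:14:05 fc5 sshd[3001]: Accepted password for an from 192.168.1.20 port 51022 ssh2
Jul  8 09:14:09 fc5 kernel: audit(1152350049.007:28): avc:  denied  { write } for  pid=2871 comm="smbd" name="shared" dev=dm-0 ino=98311 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Jul  8 09:15:40 fc5 kernel: audit(1152350140.552:29): avc:  denied  { getattr } for  pid=1990 comm="httpd" name="index.html" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Jul  8 09:16:11 fc5 kernel: audit(1152350171.870:30): avc:  denied  { create } for  pid=2871 comm="smbd" name="newdir" dev=dm-0 ino=98400 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
EOF
}

# Read log lines on stdin; print "<count> <perms> <name> <target type> <class>"
# for every distinct denial where the denied process is smbd.
smbd_denials() {
    awk '
    /avc: +denied/ && /comm="smbd"/ {
        perm = "?"; name = "?"; ttype = "?"; tclass = "?"
        # Denied permissions sit between braces: { write } or { add_name write }
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            gsub(/ +/, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }   # user:role:type[:level]
            if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        count[perm " " name " " ttype " " tclass]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort
}

if [ "$#" -gt 0 ]; then
    cat "$@" | smbd_denials
else
    sample_log | smbd_denials
fi

# A write/create denial on a target type other than samba_share_t means the
# exported tree is mislabelled; relabelling it is the narrower fix compared
# with switching the whole host to permissive mode:
#   chcon -R -t samba_share_t /shared
```

Mode 777 on the directory does not help here: SELinux is evaluated in addition to the Unix permission bits, which is why the share can be read but not written.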
Re: [Samba] ldap administration tool??
On Thu, 2006-06-15 at 14:13 -0400, Dirk H Bartley wrote:
> Greetings
>
> I am nearing being prepared to get our corporate network from Active Directory to samba3 with ldap. The last hurdle is to get an administrative interface to the ldap repository containing the users and Groups. I'm hoping for some recommendations. I have attempted the following.
>
> Samba Console: http://imc.sourceforge.net/samba-console.html
> The difficulty I'm having is that it is recommended to install from rpm. Our samba servers are gentoo distributions and hence not rpm distributions. I attempted installing from source but after a good few hours of effort ran into some difficulty that I figured may take more time than I have to resolve.
>
> Gosa: https://gosa.gonicus.de/
> I've gotten this to work, somewhat. It required me to change my tree structure slightly but it is running. It also requires the addition of objectclasses in ldap which I had difficulty finding documentation for. It also behaves in such a way that when I edit a user with a dn of uid=username,ou=People.. it deletes the object and adds an object with a dn of cn=First last,ou=People and the objectclasses and attributes that I have that gosa does not recognize in the user object are then gone. (heimdal kerberos keys specifically).
>
> LAM: http://lam.sourceforge.net/
> Installed this and I may have set it up incorrectly but I do not see an interface to change group membership. Looks like this is intended as a supplement to some other method of managing membership??
>
> User Manager for domains:
> Call me old fashioned but I'm just a bit afraid of counting on a Microsoft product to manage users, groups and group membership.
>
> What I'm looking for is for some anecdotes on the most practical interface to succeed at this. I'd be perfectly comfortable with just writing a few perl scripts and using a generic ldap interface. The issue is that there are 3 other admins here that would not be comfortable with that.
>
> I'll struggle through any of these or others to get it to work. Even if it takes modifying one to get what I am looking for. Right now I feel like I am struggling through all of them and not getting where I would like to be. Looking for advice.
>
> Once again, thank you in advance for all recommendations.

check out the samba wiki...

http://wiki.samba.org/index.php/Samba_%26_LDAP

Craig
Re: [Samba] OpenLDAP Versions
On Fri, 2006-06-09 at 18:57 -0700, [EMAIL PROTECTED] wrote:
> Ok, I may have my other problem taken care of, but now I have a more theoretical question.
>
> I'm using CentOS 4.3, which is based on RHEL 4.3 and the OpenLDAP supplied is 2.2.13. I can hand compile a newer version but then odd things happen and the RHEL directories aren't as RH expects. (In short, I feel unexperienced enough to compile OpenLDAP for CentOS 4.3 properly.) I also can't find current RPM's for the current version of OpenLDAP.
>
> Ok, that all said, is there any reason I should NOT use OpenLDAP 2.2.13? Note that I'm going to generally be doing small installations on it - Samba PDC, shared Address Book, etc - for less than say 200 users. (Probably maximum half that, but I want some serious margin.) Also, perhaps a master and slave LDAP Server, and multiple Samba Servers.

none of this of course has anything to do with samba really...

building it yourself, you really want to leave all the other libraries/daemons intact and build everything (cyrus-sasl, heimdal, openssl, db4, openldap) in /usr/local and run it from there and things are ok but of course, that is not why you use a distribution such as RHEL or CentOS.

Symas has rpm's [1] (which I have stayed away from since they really are in the support business), and Buchan Milne has rpm's [2] that he builds on Mandriva which supposedly work on RHEL/CentOS (I'm speaking of openldap 4.3.x rpm's) but I've never used Buchan's rpm's either...I have built all from source in /usr/local following Quanah Gibson's instructions [3] but I only do that on RHEL 3/CentOS 3 systems and for small companies, I simply stick with 2.2.13 distribution rpm's but you do have to be careful about things such as regularly doing a slapcat the database, configuring DB_CONFIG for db4, live with shortcomings such as no automatic recovery from bad shutdowns, and slurp replication instead of the newer sync_replication options.

Craig

[1] http://www.symas.com/
[2] http://anorien.csc.warwick.ac.uk/mirrors/buchan/openldap/
[3] http://www.stanford.edu/services/directory/openldap/configuration/index.html
Re: Re[2]: [Samba] NSS/PAM LDAP Config
If you enable the kde-redhat repo (kde-redhat.sourceforge.net), Rex's repo has current samba and all you need to do is yum upgrade and it works perfectly. An added benefit is more recent KDE (if you use kde) and more recent openoffice.org

Craig

On Thu, 2006-06-08 at 08:52 -0700, [EMAIL PROTECTED] wrote:
> I used the Sernet.de RPM's - they're compiled for RHEL 4, and only with minor errors they installed fine.
>
> -Greg
>
> As a side note, I am running centos 4.3 on my boxes, and I think it comes with samba 3.0.10. Where did you get your RPM for 3.0.22, or did you compile it from source?
>
> Sam Adams
> General Dynamics - Network Systems
> Phone: 210.536.5945
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, June 07, 2006 4:48 PM
> To: samba
> Subject: [Samba] NSS/PAM LDAP Config
>
> Ok, I've been literally throwing things in my effort to fix this. Please help me from damaging something valuable! :)
>
> I've installed Samba 3.0.22 and OpenLDAP etc. I've used the IDEALX scripts to create the LDAP tree etc. Everything goes swimmingly until I try to check and see if NSS/PAM is working right. I use the following command as shown in SBE to check NSS/PAM working.
>
> getent passwd | grep root
> getent group | grep Domain
>
> These aren't working as they should.
>
> I'm using CentOS 4.3 and I've used authconfig as the IDEALX scripts say, and thus I have the following system-auth config in /etc/pam.d/
>
> ---
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_localuser.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
> ---
>
> But that doesn't seem to work. PAM is a total mystery to me, and I have absolutely no idea how to really configure it by hand, provided the above isn't correct. Is there a good how-to on PAM somewhere I can read?
>
> I've done a number of searches, and some of those, as well as the SBE example show hand-editing the files in pam.d - like login, sshd, samba, and passwd. In desperation, I've done that too, and no joy.
>
> Can some kind soul please give me a hand here?
>
> TIA
> -Greg
>
> --
> Best regards,
> listserv mailto:[EMAIL PROTECTED]
Re: [Samba] Samba3 and OS X 10.4.6
On Sat, 2006-05-13 at 07:22 -0400, andy liebman wrote:
> [EMAIL PROTECTED] wrote:
>> I have sort of an odd problem that I'm hoping someone can shed a light on. I brought up a brand new Fedora Core 4 box using the default installation of Samba. The only change I made to smb.conf was to turn on encrypting passwords, and then did an smbpasswd -a for my user account and set a password.
>>
>> Using Windows XP, or OS X 10.3.9, I can connect to smb://server and be asked to authenticate, and then get a list of shares. With 10.4.6 (I tried several machines) when trying to connect to smb://server rather than giving me a list of shares or trying to get me to authenticate, the progress bar on the connect to server dialog shimmers basically forever.
>>
>> Using 10.4.6 I can connect to specific shares using smb://server/share without any problem. It only sits there when I do not specify a share. Using the same 10.4.6 machine, I can connect to a machine running Win2003 server just fine using smb://server. So basically this problem only exists when I use Tiger to connect to a Samba server.
>>
>> Has anyone heard about this? Any ideas?
>
> Fedora Core 4 comes with Samba 3.0.14 (or 14a) if I am not mistaken. There was a change in that particular Samba version that created show stopper issues connecting and authenticating from OS X Tiger versions. The issues were resolved with Samba 3.0.20.
>
> I suggest that you upgrade to Samba 3.0.22 or go backwards to 3.0.13 if you can find an rpm. Personally, I still find 3.0.13 to be the most stable and trouble-free of all of the Samba versions I have used with OS X.

FWIW - Rex Dieter keeps a current compatible release of samba in kde-redhat repo which is available for Fedora and for RHEL. Thus if you add the kde-redhat repo to Fedora Core 4 and yum update, you will get the latest release.

http://kde-redhat.sourceforge.net/

Craig
Re: [Samba] Re: OpenLDAP and Active Directory synchronize
On Wed, 2006-04-12 at 20:44 -0600, Justin Grote wrote:
> Paul Matthews wrote:
>> well I looked into this about 6 months ago now and the answer then was not without a lot of effort and scripts and it was just a messy answer. But if you find an answer I'd be interested in hearing it, try http://www.ldapguru.com/ I think there is a constant topic about this.
>
> This probably isn't an option if you've already deployed OpenLDAP, but Novell's eDirectory has an addon called Identity Manager which does this kind of synchronization to AD (and many, many other applications) very smoothly. Yes it's commercial, but it is relatively inexpensive and it's the best damn directory out there in my opinion if you're going to be serious about this.

Fedora Directory Server can synchronize with Windows LDAP

http://directory.fedora.redhat.com/wiki/Howto:WindowsSync

Craig
Re: [Samba] Should Oplocks be enable Pershare
On Mon, 2006-04-10 at 11:50 +0530, mallapadi niranjan wrote:
> Hi all
>
> We have a samba pdc (samba 3.0.21c with Openldap 2.3.19) and another Linux system as Samba Domain Member server (Samba 3.0.21c). All my windows Clients are windows 2k Professional and Win XP.
>
> My query is
>
> 1Q) Should oplocks and Level2 oplocks be declared per share declaration in smb.conf or if it declared in global section of smb.conf is it enough?
>
> 2Q) Is there any enhancement of performance if the oplocks and level2 oplocks are declared in global section and also in the share declaration

Are you averse to reading the documentation? If not, the topic is thoroughly covered in the official how to found here...

http://samba.org/samba/docs

Craig
Re: [Samba] Browsing problem
On Tue, 2006-04-11 at 03:12 +0200, Niki Hammler wrote: Hi, I've got a browsing problem, I'm searching the error for a long time now so I think betimes it's a bug ;-) For debugging purposes, I've left away everything in the network that's not necessary. There's now only one XP-Prof workstation (domain member) and one samba server (3.0.22, acting as PDC) anymore. Bind9 is the local DNS server; Forward and PTR entries are working. The DNS domain is the same as the NT. The problem is: Everything works (domain logons, searching the computer with the windows search feature, accessing with \\server, ...) EXCEPT the network neighbourhood. It is empty and there is no PC in it. There is no error and there is no delay while searching. Here is a copy of my smb.conf: [global] netbios name = server workgroup = INTRA.COMPANY.NET server string = server passdb backend = tdbsam os level = 128 preferred master = yes domain master = yes local master = yes security = user encrypt passwords = true domain logons = yes logon path = \\%L\profile logon drive = U: logon home = \\%N\%U logon script = logon.cmd map to guest = never ;guest account = nobody ;map to guest = Bad User ;username map = /etc/samba/users.map unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = Enter*new*UNIX*password: %n\n \nRetype*new*UNIX*password: %n\n \npasswd:*password*updated*successfully* ;time server = yes wins support = yes ;dns proxy = yes name resolve order = lmhosts wins bcast host printing = cups printcap name = cups load printers = yes preserve case = yes dos charset = CP850 create mask = 600 directory mask = 700 short preserve case = yes unix charset = ISO8859-1 log level = 3 ; log file = /var/log/samba/smb%m.log log file = /var/log/samba/SMB.log max log size = 5 [netlogon] (...) As you can see, I've configured samba as WINS-server. 
Clients configuration is assigned by DHCP with: option netbios-node-type 8; option netbios-name-servers 192.168.200.121; I've tried almost everything I could but I'm unable to find the error. The first strange thing is (on the server itself): $ smbclient -L server -U % Domain=[INTRA.COMPANY.NET] OS=[Unix] Server=[Samba 3.0.22] Sharename Type Comment - --- web-publish Printer publish PDF on homepage pub Disk public place IPC$IPC IPC Service (server Server) ADMIN$ IPC IPC Service (server Server) Domain=[INTRA.COMPANY.NET] OS=[Unix] Server=[Samba 3.0.22] Server Comment ---- WorkgroupMaster ---- As you can see, there is NO (!) server or workgroup although WINS, DNS etc etc is properly configured. On windows: % NET VIEW no entries in list % NBTSTAT -c LAN-Verbindung: Knoten-IP-Adresse: [192.168.200.201] Bereichskennung: [] NetBIOS-Remotecache-Namentabelle Name TypHostadresse Dauer [Sek.] - INTRA.COMPANY.NET 1C GRUPPE 192.168.200.121 72 % NBTSTAT -n LAN-Verbindung: Knoten-IP-Adresse: [192.168.200.201] Bereichskennung: [] Lokale NetBIOS-Namentabelle Name Typ Status - STYLISTIC 00 EINDEUTIG Registriert INTRA.COMPANY.NET 00 GRUPPE Registriert STYLISTIC 20 EINDEUTIG Registriert INTRA.COMPANY.NET 1E GRUPPE Registriert % NBTSTAT -a SERVER LAN-Verbindung: Knoten-IP-Adresse: [192.168.200.201] Bereichskennung: [] NetBIOS-Namentabelle des Remotecomputers Name Typ Status - SERVER 00 EINDEUTIG Registriert SERVER 03 EINDEUTIG Registriert SERVER 20 EINDEUTIG Registriert ..__MSBROWSE__. 01 GRUPPE Registriert INTRA.COMPANY.NET00 GRUPPE Registriert INTRA.COMPANY.NET1B EINDEUTIG Registriert INTRA.COMPANY.NET1C GRUPPE Registriert INTRA.COMPANY.NET1D EINDEUTIG Registriert INTRA.COMPANY.NET1E GRUPPE Registriert MAC Adresse = 00-00-00-00-00-00 % BROWSTAT STATUS Status for domain INTRA.COMPANY.NET on transport
Re: [Samba] Re: If I use valid users option, I can't log into the domain
On Sat, 2006-04-08 at 15:05 +0100, Steve A wrote:
> Update: I'm running FC5, and Samba was installed as a binary using yum.
>
> If I use the global option, valid users = sa, where sa is my username, I'm unable to login. The strange thing is, root can always log in.
>
> When login fails, this gets added to syslog
>
> =
> Apr 8 14:51:19 fedora smbd[4150]: [2006/04/08 14:51:19, 0] smbd/service.c:make_connection_snum(592)
> Apr 8 14:51:19 fedora smbd[4150]: Can't become connected user!
> =
>
> Does anyone have any ideas?

SELinux

http://wiki.samba.org/index.php/Samba_Troubleshooting

Craig
Re: [Samba] Roaming profiles cannot be used fully unless a member of Domain Admins
Are their machines joined to the domain?

What is output of 'net getlocalsid' ? is it S-1-5-21-2890933770-3660815257-1026551046 ?

if you check on the Windows system where roaming profiles aren't working... Start = System = Advanced = User Profiles = do they show as roaming?

Craig

On Sat, 2006-04-08 at 08:08 -0700, sh test wrote:
> Craig! Thanks for the reply. I added
>
> profile acls = yes
> csc policy = disable
>
> also, my
>
> drwxrwxrwt 4 root users 4096 Apr 7 21:48 /home/samba/samba-ntprof/
>
> and all the users are in the users's group
>
> users:x:100:jeremy,todd,matt
>
> Restarted samba after the above change and still no-go
>
> Craig White [EMAIL PROTECTED] wrote:
>> On Fri, 2006-04-07 at 20:36 -0700, sh test wrote:
>>> Hello! This is my setup
>>>
>>> Using 3.0.14a-3sarge on Deb. This is my smb.conf file
>>>
>>> # Global parameters
>>> [global]
>>> workgroup = MYWORKGROUP
>>> server string = Samba Server
>>> obey pam restrictions = Yes
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>>> #turn this on for logging purposes
>>> #log level = 4
>>> log file = /var/log/samba/%m.log
>>> max log size = 0
>>> time server = Yes
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> add user script = /usr/sbin/useradd -m %u
>>> delete user script = /usr/sbin/userdel -r %u
>>> add group script = /usr/sbin/groupadd %g
>>> delete group script = /usr/sbin/groupdel %g
>>> add user to group script = /usr/sbin/usermod -G %g %u
>>> add machine script = /usr/sbin/useradd -s /bin/false \
>>>  -d /dev/null %u
>>> logon path = \\%L\profiles\%u
>>> logon drive = H:
>>> domain logons = Yes
>>> os level = 65
>>> preferred master = Yes
>>> domain master = Yes
>>> dns proxy = No
>>> wins support = Yes
>>> hosts allow = 192.168.
>>> ;--000
>>> ;--keep this options disabled
>>> ;--since they generate a lot of disk space
>>> ;--000
>>> ;recyclebin options
>>> #recycle:exclude = *.tmp *.temp *.o *.obj ~$*
>>> #recycle:keeptree = True
>>> #recycle:touch = True
>>> #recycle:versions = True
>>> #recycle:noversions = .doc|.xls|.ppt
>>> #recycle:repository = %u's_network_Recycle_Bin
>>> #recycle:maxsize = 1000
>>> create mask = 0777
>>> directory mask = 0777
>>> #vfs objects = recycle
>>>
>>> [homes]
>>> comment = Home Directories
>>> read only = No
>>> create mask = 0664
>>> directory mask = 0775
>>> invalid users = mp3
>>>
>>> [Shared]
>>> comment = Miscellaneous Shared Files
>>> read only = No
>>> create mask = 0664
>>> directory mask = 0775
>>> path = /home/samba/Shared
>>> invalid users = mp3
>>>
>>> [tmp]
>>> comment = Temporary Share
>>> path = /tmp
>>> read only = No
>>> invalid users = mp3
>>>
>>> [mp3s]
>>> comment = Mp3 files
>>> path = /export/mp3s
>>>
>>> [netlogon]
>>> comment = Network Logon Service
>>> path = /home/samba/netlogon
>>> browseable = No
>>>
>>> [profiles]
>>> path = /home/samba/samba-ntprof
>>> read only = No
>>> create mask = 0600
>>> directory mask = 0700
>>> browseable = No
>>> invalid users = mp3
>>>
>>> [backup]
>>> comment = backup files
>>> path = /export/backup
>>> read only = No
>>> create mask = 0600
>>> directory mask = 0700
>>> valid users = john
>>> invalid users = mp3
>>>
>>> --
>>> net groupmap list shows
>>>
>>> System Operators (S-1-5-32-549) -> -1
>>> Replicators (S-1-5-32-552) -> -1
>>> Guests (S-1-5-32-546) -> -1
>>> Domain Guests (S-1-5-21-2890933770-3660815257-1026551046-514) -> -1
>>> Domain Admins (S-1-5-21-2890933770-3660815257-1026551046-512) -> domainadmins
>>> Power Users (S-1-5-32-547) -> -1
>>> Print Operators (S-1-5-32-550) -> -1
>>> Administrators (S-1-5-32-544) -> -1
>>> Account Operators (S-1-5-32-548) -> -1
>>> Domain Users (S-1-5-21-2890933770-3660815257-1026551046-513) -> users
>>> Backup Operators (S-1-5-32-551) -> -1
>>> Users (S-1-5-32-545) -> -1
>>>
>>> /etc/group contains
>>>
>>> domainadmins:x:112:john
>>> users:x:100:jeremy,todd,matt
Re: [Samba] Re: Re: If I use valid users option, I can't log intothe domain
On Sat, 2006-04-08 at 17:24 +0100, Steve A wrote:
> Craig White wrote:
>> SELinux
>> http://wiki.samba.org/index.php/Samba_Troubleshooting
>
> Thanks Craig, but...
>
> [EMAIL PROTECTED] ~]# grep -i SELINUX= /etc/selinux/config
> # SELINUX= can take one of these three values:
> SELINUX=disabled

have you rebooted since you 'disabled' SELinux?

have you added a samba user sa ?

smbpasswd -a sa

Craig
Re: [Samba] Re: Re: Re: If I use valid users option, I can't logintothe domain
On Sat, 2006-04-08 at 17:41 +0100, Steve A wrote:
> Craig White wrote:
>> have you rebooted since you 'disabled' SELinux?
>
> Yes.
>
>> have you added a samba user sa ?
>
> Yes. I can still access the shares when logged in locally using the same name/password I use when I try to log into the domain.

OK - from your original dump of smb.conf, I don't see any shares other than netlogon...do you have others? Do they show in command...

smbclient -L samba -U sa

does output of 'testparm -s -v' give you any errors?

Craig
Re: [Samba] Roaming profiles cannot be used fully unless a member of Domain Admins
what is output of

ls -l /home/samba/samba-ntprof

I'm wondering if the profiles have been created with permissions that aren't usable without adjustment.

Craig

On Sat, 2006-04-08 at 09:36 -0700, sh test wrote:
> Craig, Yup. sid shows as S-1-5-21-2890933770-3660815257-1026551046 and Start = System = Advanced = User Profiles shows the users as Roaming
>
> Craig White [EMAIL PROTECTED] wrote:
>> Are their machines joined to the domain?
>>
>> What is output of 'net getlocalsid' ? is it S-1-5-21-2890933770-3660815257-1026551046 ?
>>
>> if you check on the Windows system where roaming profiles aren't working... Start = System = Advanced = User Profiles = do they show as roaming?
>>
>> Craig
>>
>> On Sat, 2006-04-08 at 08:08 -0700, sh test wrote:
>>> Craig! Thanks for the reply. I added
>>>
>>> profile acls = yes
>>> csc policy = disable
>>>
>>> also, my
>>>
>>> drwxrwxrwt 4 root users 4096 Apr 7 21:48 /home/samba/samba-ntprof/
>>>
>>> and all the users are in the users's group
>>>
>>> users:x:100:jeremy,todd,matt
>>>
>>> Restarted samba after the above change and still no-go
>>>
>>> Craig White wrote:
>>>> On Fri, 2006-04-07 at 20:36 -0700, sh test wrote:
>>>>> Hello! This is my setup
>>>>>
>>>>> Using 3.0.14a-3sarge on Deb. This is my smb.conf file
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = MYWORKGROUP
>>>>> server string = Samba Server
>>>>> obey pam restrictions = Yes
>>>>> passwd program = /usr/bin/passwd %u
>>>>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>>>>> #turn this on for logging purposes
>>>>> #log level = 4
>>>>> log file = /var/log/samba/%m.log
>>>>> max log size = 0
>>>>> time server = Yes
>>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>> add user script = /usr/sbin/useradd -m %u
>>>>> delete user script = /usr/sbin/userdel -r %u
>>>>> add group script = /usr/sbin/groupadd %g
>>>>> delete group script = /usr/sbin/groupdel %g
>>>>> add user to group script = /usr/sbin/usermod -G %g %u
>>>>> add machine script = /usr/sbin/useradd -s /bin/false \
>>>>>  -d /dev/null %u
>>>>> logon path = \\%L\profiles\%u
>>>>> logon drive = H:
>>>>> domain logons = Yes
>>>>> os level = 65
>>>>> preferred master = Yes
>>>>> domain master = Yes
>>>>> dns proxy = No
>>>>> wins support = Yes
>>>>> hosts allow = 192.168.
>>>>> ;--000
>>>>> ;--keep this options disabled
>>>>> ;--since they generate a lot of disk space
>>>>> ;--000
>>>>> ;recyclebin options
>>>>> #recycle:exclude = *.tmp *.temp *.o *.obj ~$*
>>>>> #recycle:keeptree = True
>>>>> #recycle:touch = True
>>>>> #recycle:versions = True
>>>>> #recycle:noversions = .doc|.xls|.ppt
>>>>> #recycle:repository = %u's_network_Recycle_Bin
>>>>> #recycle:maxsize = 1000
>>>>> create mask = 0777
>>>>> directory mask = 0777
>>>>> #vfs objects = recycle
>>>>>
>>>>> [homes]
>>>>> comment = Home Directories
>>>>> read only = No
>>>>> create mask = 0664
>>>>> directory mask = 0775
>>>>> invalid users = mp3
>>>>>
>>>>> [Shared]
>>>>> comment = Miscellaneous Shared Files
>>>>> read only = No
>>>>> create mask = 0664
>>>>> directory mask = 0775
>>>>> path = /home/samba/Shared
>>>>> invalid users = mp3
>>>>>
>>>>> [tmp]
>>>>> comment = Temporary Share
>>>>> path = /tmp
>>>>> read only = No
>>>>> invalid users = mp3
>>>>>
>>>>> [mp3s]
>>>>> comment = Mp3 files
>>>>> path = /export/mp3s
>>>>>
>>>>> [netlogon]
>>>>> comment = Network Logon Service
>>>>> path = /home/samba/netlogon
>>>>> browseable = No
>>>>>
>>>>> [profiles]
>>>>> path = /home/samba/samba-ntprof
>>>>> read only = No
>>>>> create mask = 0600
>>>>> directory mask = 0700
>>>>> browseable = No
>>>>> invalid users = mp3
>>>>>
>>>>> [backup]
>>>>> comment = backup files
>>>>> path = /export/backup
>>>>> read only = No
>>>>> create mask = 0600
>>>>> directory mask = 0700
>>>>> valid users = john
>>>>> invalid users = mp3
>>>>>
>>>>> --
>>>>> net groupmap list shows
Re: [Samba]
On Sat, 2006-04-08 at 17:57 +0100, Steve A wrote:
> Craig White wrote:
>> OK - from your original dump of smb.conf, I don't see any shares other than netlogon...do you have others? Do they show in command...
>
> Yes, I didn't think they were applicable, but here's the shares:
>
> ==
> [netlogon]
> path = /export/netlogon
> browseable = No
>
> [profiles]
> comment = User profiles
> path = /export/profiles
> read only = No
> create mask = 0600
> directory mask = 0700
> browseable = No
>
> [homes]
> comment = Home Directory for %u
> path = /home/%u
> read only = No
> browseable = No
> ==
>
>> smbclient -L samba -U sa
>
> ==
> [EMAIL PROTECTED] ~]# smbclient -L samba -U sa
> Password:
> Domain=[SAMBA-DOMAIN] OS=[Unix] Server=[Samba 3.0.22-1.fc5]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         ADMIN$          IPC       IPC Service (KJN Server)
>         IPC$            IPC       IPC Service (KJN Server)
>         sa              Disk      Home Directory for sa
> Domain=[SAMBA-DOMAIN] OS=[Unix] Server=[Samba 3.0.22-1.fc5]
>
>         Server               Comment
>         ---------            -------
>         SAMBA                KJN Server
>
>         Workgroup            Master
>         ---------            -------
>         GEORGE               GEORGINA
>         SAMBA-DOMAIN         SAMBA
>         WORKGROUP            DANGERMOUSE
> ==
>
>> does output of 'testparm -s -v' give you any errors?
>
> None at all. I did my changes using swat anyway.
>
> Is there a particular logging setup with Samba that I can change to to give the necessary verbose messages?

OK netlogon, homes and profiles are all special shares. They really only mean something to users who log on to the domain via Windows computers that have been 'joined' to the domain.

Have you 'joined' any computers to the domain yet? I would suspect not since in the list above created by smbclient -L Samba -U sa, I see 3 different computers with 3 different 'workgroups'

I would suggest that you read through the documentation at http://www.samba.org/samba/docs (the Official HowTo and By Example)

Craig
Re: [Samba]
On Sat, 2006-04-08 at 17:57 +0100, Steve A wrote:
> Craig White wrote:
> > OK - from your original dump of smb.conf, I don't see any shares other than netlogon...do you have others? Do they show in command...
>
> Yes, I didn't think they were applicable, but here's the shares:
>
> ==
> [netlogon]
>     path = /export/netlogon
>     browseable = No
>
> [profiles]
>     comment = User profiles
>     path = /export/profiles
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     browseable = No
>
> [homes]
>     comment = Home Directory for %u
>     path = /home/%u
>     read only = No
>     browseable = No
> ==
>
> smbclient -L samba -U sa
>
> ==
> [EMAIL PROTECTED] ~]# smbclient -L samba -U sa
> Password:
> Domain=[SAMBA-DOMAIN] OS=[Unix] Server=[Samba 3.0.22-1.fc5]
>
>     Sharename       Type      Comment
>     ---------       ----      -------
>     ADMIN$          IPC       IPC Service (KJN Server)
>     IPC$            IPC       IPC Service (KJN Server)
>     sa              Disk      Home Directory for sa
> Domain=[SAMBA-DOMAIN] OS=[Unix] Server=[Samba 3.0.22-1.fc5]
>
>     Server               Comment
>     ---------            -------
>     SAMBA                KJN Server
>
>     Workgroup            Master
>     ---------            -------
>     GEORGE               GEORGINA
>     SAMBA-DOMAIN         SAMBA
>     WORKGROUP            DANGERMOUSE
> ==
>
> > does output of 'testparm -s -v' give you any errors?
>
> None at all. I did my changes using swat anyway. Is there a particular logging setup with Samba that I can change to give the necessary verbose messages?
>
> Thanks Craig,
> Steve :)

forgot to mention... (and this only applies to roaming 'profiles' - the 'profiles' share for users logging in to domain with Windows computers that have been joined to the domain)

you would want to add...

    profile acls = yes
    csc policy = disable

to the profile section

Craig
Re: [Samba] Re: If I use valid users option, I can't log into the domain
On Sat, 2006-04-08 at 18:24 +0100, Steve A wrote:
> Craig White wrote:
> > OK netlogon, homes and profiles are all special shares. They really only mean something to users who log on to the domain via Windows computers that have been 'joined' to the domain.
>
> I can still see my home shares even though I'm not logged onto the domain. Windows does prompt me for user/password when I access it though, because my Windows password isn't the same as my Unix one.
>
> > Have you 'joined' any computers to the domain yet? I would suspect not since in the list above created by smbclient -L Samba -U sa, I see 3 different computers with 3 different 'workgroups'
>
> Yes, I've joined a computer called VALIANT. Actually, it joined itself because of the add machine script = line in my smb.conf.
>
> > I would suggest that you read through the documentation at http://www.samba.org/samba/docs (the Official HowTo and By Example)
>
> I've got the Samba 3 Howto and Reference Guide book here with me. As far as I can tell, it doesn't provide the answer.
>
> To recap:
> - The computer called VALIANT is joined to my Samba domain.
> - I can log in with any user I've added using pdbedit (I'm using tdbsam)
> - These users also have a true Unix account
> - I can change password for both Windows/Linux, from Windows because of passwd program = and passwd chat = in my smb.conf.
> - If I add valid users = sa to my smb.conf, I can still access my shares but cannot log into the domain.
> - root can always log into the domain regardless of the valid users options.

see Jerry's answer pertaining to valid users = sa in [global] which picked up on something I didn't consider.

also note that 'Valiant' didn't show up in the list when you performed the 'smbclient -L Samba -U sa' command so I'm not convinced it is joined to domain.

Craig
Re: RES: [Samba] Preventing Multiple Logins in Samba
It wouldn't be a login. You have the start of a script methodology, I would suppose you could experiment with it.

Craig

On Sat, 2006-04-08 at 20:53 -0300, Wilson A. Galafassi Jr. wrote:
> I have found this solution:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AdvancedNetworkManagement.html#id2624319
> but is it necessary to do this in all shares? Isn't there some other solution?
> Many thanks to all.
> wilson
>
> -----Original Message-----
> From: Ryan Novosielski [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 8 April 2006 13:03
> To: Wilson A. Galafassi Jr.
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Preventing Multiple Logins in Samba
>
> Search the list archives. The short answer is by implementing a login script that will check if the user is logged in and deny the second login.
>
> Wilson A. Galafassi Jr. wrote:
> > Hello to all.
> > Samba is the PDC on my network. My question is: Is it possible to not permit multiple logins of the same user on the PDC?
> > Thanks
> > Wilson
Re: [Samba] net drive mapping not working in login script
On Fri, 2006-04-07 at 14:32 +0100, Chris Boyd wrote:
> Would there be a problem with the path in the tdb db?

before you worry about scripts running automatically, you should confirm...

1 - that the scripts work if you can run them from the XP system manually as that user
2 - that the machines have been 'joined' to the domain as that is the only way automatic scripts in netlogon will run

Craig
Re: [Samba] net drive mapping not working in login script
OK then, if the user can execute the script out of netlogon and the system is joined to the domain, then I would suggest that you comment out the 'login scipt' (note misspelling) in smb.conf and then see if the script is automatically run (the one called for by your pdbedit entry). I don't know if having the script named starting with a '.' would make a difference either.

Also as a note, I don't reference the path for a login script, but rather the login script name itself as it is assumed to be in the 'netlogon' share of the server providing logon services. i.e. 'logon.bat' and not '\\server\netlogon\logon.bat'

I am not stating these things to be empirically correct, but rather as this works for me.

Craig

On Fri, 2006-04-07 at 16:03 +0100, Chris Boyd wrote:
> The machine (rds7) is showing up as a domain member and the scripts do work under the users.
>
> smbclient -L ucd01:
>
>     Sharename       Type      Comment
>     ---------       ----      -------
>     protel          Disk      Protel Data Folder
>     share           Disk      Shared Folder
>     profiles        Disk      Network Profiles Service
>     users           Disk      All users
>     groups          Disk      All groups
>     print$          Disk      Printer Drivers
>     IPC$            IPC       IPC Service (Samba 3.0.20-4-SUSE)
>     ADMIN$          IPC       IPC Service (Samba 3.0.20-4-SUSE)
>     root            Disk      Home Directories
> Domain=[UCD] OS=[Unix] Server=[Samba 3.0.20-4-SUSE]
>
>     Server               Comment
>     ---------            -------
>     RDS7
>     UCD01                Samba 3.0.20-4-SUSE
>
>     Workgroup            Master
>     ---------            -------
>     UCD                  UCD01
>
> before you worry about scripts running automatically, you should confirm...
>
> 1 - that the scripts work if you can run them from the XP system manually as that user
> 2 - that the machines have been 'joined' to the domain as that is the only way automatic scripts in netlogon will run
>
> Craig
>
> Chris Boyd
> Systems Engineer
> USIT
> 19-21 Aston Quay
> Dublin 2
> Ireland
> Tel: +353 1 6021670
> Fax: +353 1 6771602
> www.usit.ie
>
> Ed Kasky [EMAIL PROTECTED] 04/07/06 2:56 PM
>
> I have the following config that works well for me:
>
>     logon script = %u.bat
>
> and under /shared/netlogon I have [user].bat for each user as we are a small operation...
>
> HTH
> Ed
>
> At 06:24 AM Friday, 4/7/2006, EHines wrote -=
>
> I'm shotgunning here, since I'm not much more experienced than you, but I think setting login script to netlogon/%U.bat makes Geraldine, for instance, run the script geraldine.bat.bat. Try using netlogon/%U (although I'm not sure this construction works).
>
> Eric Hines
>
> Chris Boyd wrote:
>
> No they are in the /var/lib/samba/netlogon/ directory...see
>
> ls -la /var/lib/samba/netlogon/
> total 21
> drwxr-xr-x 2 root root 200 Apr 7 14:20 .
> drwxr-xr-x 6 root root 680 Apr 7 14:15 ..
> -rwxr-xr-x 1 root root 179 Apr 7 12:10 aillin.bat
> -rwxr--r-- 1 root root 179 Apr 7 12:10 geraldine.bat
> -rwxr--r-- 1 root root 179 Apr 7 12:10 kay.bat
> -rwxr--r-- 1 root root 179 Apr 7 12:10 reception.bat
> -rwxr-xr-x 1 root root 181 Apr 7 12:09 robin.bat
>
> I've tried chmod 755, changing the {netlogon} in smb.conf:
>
> [netlogon]
>     comment = Network Logon Service
>     path = /var/lib/samba/netlogon
>     login scipt = netlogon/%U.bat
>     write list = root
>     admin users = root
>     guest ok = Yes
>     browseable = No
>
> doesn't work for some reason.
>
> E [EMAIL PROTECTED] 04/07/06 2:00 PM
>
> You haven't placed your scripts in the .../netlogon directory; you've placed them, it seems from your ls listing, in your .../netlogon/scripts directory. You need to correct your [netlogon] path.
>
> Eric Hines
>
> Chris Boyd wrote:
>
> To answer craig. I've corrected the dos syntax in the login scripts but they don't seem to be running. Here's the whole smb.conf
>
> snip
>
> [netlogon]
>     comment = Network Logon Service
>     path = /var/lib/samba/netlogon
>     write list = root
>     admin users = root
>     guest ok = Yes
>     browseable = No
>
> ls -la /var/lib/samba/netlogon/
> total 21
> drwxr-xr-x 3 root root 224 Apr 7 12:13 .
> drwxr-xr-x 6 root root 680 Apr 7 12:16 ..
> -rwxr--r-- 1 root root 179 Apr 7 12:10 aillin.bat
> -rwxr--r-- 1 root root 179 Apr 7 12:10 geraldine.bat
> -rwxr--r-- 1 root root 179 Apr 7 12:10 kay.bat
> -rwxr--r-- 1 root root 179 Apr 7 12:10 reception.bat
> -rwxr--r-- 1 root root 181 Apr 7 12:09 robin.bat
> drwxr-xr-x 2 root root 80 Apr 6 12:05 scripts
>
> snip -- The mode in which the
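The three configuration problems raised in the threads above (the misspelled 'login scipt', a logon script parameter placed in a share section with a path instead of a name relative to [netlogon], and valid users set in [global]) can be caught mechanically. The following is an added example, not code from any poster or from the Samba project; the parameter table is a small subset taken from the configs on this page, the finding codes are invented for illustration, and the sample smb.conf is constructed from the fragments quoted above.

```python
import difflib

# Scope of parameters that appear on this page, per smb.conf(5).
# Assumption: a deliberately small subset; testparm holds the full list.
GLOBAL_ONLY = {
    "workgroup", "security", "domain logons", "logon script", "logon path",
    "logon home", "logon drive", "add machine script", "passwd program",
    "passwd chat", "map to guest", "printcap name",
}
SHARE_LEVEL = {
    "path", "comment", "read only", "browseable", "guest ok", "valid users",
    "invalid users", "write list", "admin users", "create mask",
    "directory mask", "profile acls", "csc policy", "cups options",
}
KNOWN = GLOBAL_ONLY | SHARE_LEVEL

# Constructed sample combining the fragments posted in the threads.
SAMPLE = r"""[global]
    valid users = sa
    logon path = \\%L\profiles\.msprofile

[netlogon]
    path = /var/lib/samba/netlogon
    login scipt = netlogon/%U.bat
    guest ok = Yes
    browseable = No
"""


def parse_smb_conf(text):
    """Yield (lineno, section, key, value). Keys are lower-cased with runs of
    whitespace collapsed (Samba itself ignores case and spaces in names)."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield lineno, section, " ".join(key.lower().split()), value.strip()


def check_logon_script_value(value):
    """Return a problem string unless the value is relative to [netlogon]."""
    v = value.replace("/", "\\")
    if v.startswith("\\\\"):
        return "UNC path given; use a name relative to the [netlogon] share"
    if v.lower().startswith("netlogon\\"):
        return "starts with the share name; value is already relative to [netlogon]"
    return None


def lint(text):
    """Return a list of (lineno, code, detail) findings."""
    findings = []
    for lineno, section, key, value in parse_smb_conf(text):
        name = key
        if key not in KNOWN:
            guess = difflib.get_close_matches(key, sorted(KNOWN), n=1, cutoff=0.8)
            name = guess[0] if guess else None
            hint = f"; did you mean '{name}'?" if name else ""
            findings.append((lineno, "unknown-parameter", f"'{key}' is ignored{hint}"))
            if name is None:
                continue
        if name in GLOBAL_ONLY and section != "global":
            findings.append((lineno, "global-in-share",
                             f"'{name}' belongs in [global], found in [{section}]"))
        if name == "valid users" and section == "global":
            findings.append((lineno, "share-default-in-global",
                             f"'valid users = {value}' becomes the default for every share"))
        if name == "logon script":
            problem = check_logon_script_value(value)
            if problem:
                findings.append((lineno, "logon-script-path", problem))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in lint(SAMPLE):
        print(f"line {lineno}: {code}: {detail}")
```

`testparm -s` remains the authoritative check for parameter names; this sketch only covers the parameters that appear in the posted configs.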
Re: [Samba] Roaming profiles cannot be used fully unless a member of Domain Admins
On Fri, 2006-04-07 at 20:36 -0700, sh test wrote:
> Hello!
>
> This is my setup: Using 3.0.14a-3sarge on Deb.
>
> This is my smb.conf file
>
> # Global parameters
> [global]
>     workgroup = MYWORKGROUP
>     server string = Samba Server
>     obey pam restrictions = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>     #turn this on for logging purposes
>     #log level = 4
>     log file = /var/log/samba/%m.log
>     max log size = 0
>     time server = Yes
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     add user script = /usr/sbin/useradd -m %u
>     delete user script = /usr/sbin/userdel -r %u
>     add group script = /usr/sbin/groupadd %g
>     delete group script = /usr/sbin/groupdel %g
>     add user to group script = /usr/sbin/usermod -G %g %u
>     add machine script = /usr/sbin/useradd -s /bin/false \
>         -d /dev/null %u
>     logon path = \\%L\profiles\%u
>     logon drive = H:
>     domain logons = Yes
>     os level = 65
>     preferred master = Yes
>     domain master = Yes
>     dns proxy = No
>     wins support = Yes
>     hosts allow = 192.168.
>     ;--000
>     ;--keep these options disabled
>     ;--since they generate a lot of disk space
>     ;--000
>     ;recyclebin options
>     #recycle:exclude = *.tmp *.temp *.o *.obj ~$*
>     #recycle:keeptree = True
>     #recycle:touch = True
>     #recycle:versions = True
>     #recycle:noversions = .doc|.xls|.ppt
>     #recycle:repository = %u's_network_Recycle_Bin
>     #recycle:maxsize = 1000
>     create mask = 0777
>     directory mask = 0777
>     #vfs objects = recycle
>
> [homes]
>     comment = Home Directories
>     read only = No
>     create mask = 0664
>     directory mask = 0775
>     invalid users = mp3
>
> [Shared]
>     comment = Miscellaneous Shared Files
>     read only = No
>     create mask = 0664
>     directory mask = 0775
>     path = /home/samba/Shared
>     invalid users = mp3
>
> [tmp]
>     comment = Temporary Share
>     path = /tmp
>     read only = No
>     invalid users = mp3
>
> [mp3s]
>     comment = Mp3 files
>     path = /export/mp3s
>
> [netlogon]
>     comment = Network Logon Service
>     path = /home/samba/netlogon
>     browseable = No
>
> [profiles]
>     path = /home/samba/samba-ntprof
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     browseable = No
>     invalid users = mp3
>
> [backup]
>     comment = backup files
>     path = /export/backup
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     valid users = john
>     invalid users = mp3
>
> --
> net groupmap list shows
>
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Guests (S-1-5-21-2890933770-3660815257-1026551046-514) -> -1
> Domain Admins (S-1-5-21-2890933770-3660815257-1026551046-512) -> domainadmins
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Users (S-1-5-21-2890933770-3660815257-1026551046-513) -> users
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> -1
>
> /etc/group contains
>
> domainadmins:x:112:john
> users:x:100:jeremy,todd,matt
>
> -
> Issue is: All besides john, who's a member of Domain Admins can login just fine. However, the roaming profile seem not to be writeable to it, since any changes, say a bookmark on Firefox would not be saved during next login. Also, if one were to hit Start button, there'd be no history of previously run programs that displays generally. My Start-Run history also is not there
>
> Please advise on what I'm doing wrong/missing.
>
> Appreciate the assistance in advance

try adding

[profiles]
    path = /home/samba/samba-ntprof
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No
    invalid users = mp3
    profile acls = yes
    csc policy = disable

also - check permissions on directory...

ls -ld /home/samba/samba-ntprof

s/b something like rwxrwxr_x root users

chmod 775 /home/samba/samba-ntprof
chown root:users /home/samba/samba-ntprof

and I am assuming that all 'users' are added to the 'users' group

Craig
Re: [Samba] net drive mapping not working in login script
On Thu, 2006-04-06 at 17:19 +0100, Chris Boyd wrote:
> I've set the path for each user in pdbedit and created a login script with drive mapping etc etc
>
> The network drives aren't being mapped when I login each user:
>
> smb.conf
>
> [global]
>     printcap name = cups
>     cups options = raw
>     map to guest = Bad User
>     # include = /etc/samba/dhcp.conf
>     logon path = \\%L\profiles\.msprofile
>     logon home = \\%L\%U\.9xprofile
>     logon drive = P:
>
> [protel]
>     comment = Protel Data Folder
>     path = /protel
>     # drive = K:
>     read only = no
>
> [netlogon]
>     comment = Network Logon Service
>     path = /var/lib/samba/netlogon
>     write list = root
>     admin users = root
>     guest ok = Yes
>     browseable = No
>
> pdbedit -L -v
>
> Unix username:        aillin
> NT username:
> Account Flags:        [U ]
> User SID:             S-1-5-21-1439502771-4027299746-1242570080-3004
> Primary Group SID:    S-1-5-21-1439502771-4027299746-1242570080-513
> Full Name:            aillin
> Home Directory:       \\ucd01\aillin\.9xprofile
> HomeDir Drive:        P:
> Logon Script:         \\ucd01\netlogon\aillin.bat
> Profile Path:         \\ucd01\profiles\.msprofile
> Domain:               UCD
> Account desc:
> Workstations:
>
> vim /vavr/lib/samba/netlogon/aillin.bat
>
> echo Setting Current Time...
> net time UCD01 /set /yes
> echo Mapping Network Drives to StressFree File Server UCD01...
> net use k: UCD01protel
> net use s: UCD01share
> #net use t: EXAMPLESERVERtemp

do the scripts work if you run them manually?

Craig
Re: [Samba] net drive mapping not working in login script
On Thu, 2006-04-06 at 09:51 -0700, Mont Rothstein wrote:
> Do your user's home directories already exist? They need to. Samba does not by default auto-create them. If you want to auto-create them options include:
>
> 1) A preexec in the [homes] section

shouldn't be necessary

> 2) Create them as part of the add user script

shouldn't be necessary

> 3) Use pam_mkhomedir

shouldn't be necessary

Samba documentation covers this very clearly. A reference to the documentation would probably be better than the above advice.

see Samba 3 Official HowTo http://www.samba.org/samba/docs

FWIW - I see neither a [homes] or [profiles] share in your setup and I didn't see mention of the fact that you have 'joined' the Windows computers to the domains.

Craig

> -Mont
>
> On 4/6/06, Chris Boyd [EMAIL PROTECTED] wrote:
> > I've set the path for each user in pdbedit and created a login script with drive mapping etc etc
> >
> > The network drives aren't being mapped when I login each user:
> >
> > smb.conf
> >
> > [global]
> >     printcap name = cups
> >     cups options = raw
> >     map to guest = Bad User
> >     # include = /etc/samba/dhcp.conf
> >     logon path = \\%L\profiles\.msprofile
> >     logon home = \\%L\%U\.9xprofile
> >     logon drive = P:
> >
> > [protel]
> >     comment = Protel Data Folder
> >     path = /protel
> >     # drive = K:
> >     read only = no
> >
> > [netlogon]
> >     comment = Network Logon Service
> >     path = /var/lib/samba/netlogon
> >     write list = root
> >     admin users = root
> >     guest ok = Yes
> >     browseable = No
> >
> > pdbedit -L -v
> >
> > Unix username:        aillin
> > NT username:
> > Account Flags:        [U ]
> > User SID:             S-1-5-21-1439502771-4027299746-1242570080-3004
> > Primary Group SID:    S-1-5-21-1439502771-4027299746-1242570080-513
> > Full Name:            aillin
> > Home Directory:       \\ucd01\aillin\.9xprofile
> > HomeDir Drive:        P:
> > Logon Script:         \\ucd01\netlogon\aillin.bat
> > Profile Path:         \\ucd01\profiles\.msprofile
> > Domain:               UCD
> > Account desc:
> > Workstations:
> >
> > vim /vavr/lib/samba/netlogon/aillin.bat
> >
> > echo Setting Current Time...
> > net time UCD01 /set /yes
> > echo Mapping Network Drives to StressFree File Server UCD01...
> > net use k: UCD01protel
> > net use s: UCD01share
> > #net use t: EXAMPLESERVERtemp
> >
> > Chris Boyd
> > Systems Engineer
> > USIT
> > 19-21 Aston Quay
> > Dublin 2
> > Ireland
> > Tel: +353 1 6021670
> > Fax: +353 1 6771602
> > www.usit.ie
Re: [Samba] net drive mapping not working in login script
On Thu, 2006-04-06 at 12:17 -0700, Mont Rothstein wrote:
> I made a possibly bad assumption that Chris was adding users by some mechanism other than on the unix box, and therefore that the user's home directories had not been created.
>
> Still, your strong response seems to imply that even in this case there is some way to have the unix home directories auto-created. I've pored through the samba docs, googled, and asked questions. The three answers I found/got were those that I listed.
>
> If there is in fact a way to do this would you be so kind as to point me to the section of the doc that discusses it? I can't find it.
>
> Thanks,
> -Mont
>
> On 4/6/06, Craig White [EMAIL PROTECTED] wrote:
> > On Thu, 2006-04-06 at 09:51 -0700, Mont Rothstein wrote:
> > > Do your user's home directories already exist? They need to. Samba does not by default auto-create them. If you want to auto-create them options include:
> > >
> > > 1) A preexec in the [homes] section
> >
> > shouldn't be necessary
> >
> > > 2) Create them as part of the add user script
> >
> > shouldn't be necessary
> >
> > > 3) Use pam_mkhomedir
> >
> > shouldn't be necessary
> >
> > Samba documentation covers this very clearly. A reference to the documentation would probably be better than the above advice.
> >
> > see Samba 3 Official HowTo http://www.samba.org/samba/docs
> >
> > FWIW - I see neither a [homes] or [profiles] share in your setup and I didn't see mention of the fact that you have 'joined' the Windows computers to the domains.

since his [global] configuration included no definition of 'security =' one has to assume the default of 'security = user' which means that there should have been a local UNIX account with a home directory already. Whatever tools you use to create the accounts in the first place should make the user home directory.

had he listed something like winbindd, security = server|domain|ads then a mechanism such as you described would probably be useful.

For a reference to documentation, I would suppose for his purposes, this example in the 'By Example' would be appropriate - see item #10 http://samba.org/samba/docs/man/Samba3-ByExample/small.html

Craig
Re: [Samba] DOS/Windows Archive bits, and file ownership
On Thu, 2006-04-06 at 15:46 -0700, Greg Sloop wrote:
> Preamble: I've done a lot of looking round news-group archives etc, and I haven't found a definitive answer on this question:
>
> My environment: Clients are all Windows boxes. Assume backup of the share is a Windows based client. It relies on the DOS Archive bit to determine Diff/Incr backup selections. (User Execute bit in Linux)
>
> Goal: Allow users to own their files and allow for automagic modification of the archive bit by non-owners of the file when they modify the file using the Windows application or by the backup application.
>
> Example:
> Joe creates a file called JoeFile.txt
> Joe is listed as the owner, but the group is AdmGroup for example.
> Fred is also a member of AdmGroup
> Thus, Fred can modify/delete/etc JoeFile.txt
>
> The problem comes when we look at the archive bit. As above, Fred can modify JoeFile.txt even though he's not the owner, but he can't change permissions and modify the archive bit.
>
> Create mask on the share is: 770 (I know, 760 would be sufficient for just the archive bit, but I'll take the system bit too, as long as I'm here...) This will allow the owner to change the archive bits, but no-one else.
>
> I believe I've tested, albeit a while back, the dos filemode parameter too. IIRC, it would allow you to manually change the archive bits, by going and setting the properties directly - say via Windows Explorer. It wouldn't, however, allow for the applications, at least for those that I tested, to change the archive bits on files unless the user doing the modifications was also the owner.
>
> ---
> I have ways around this, by using force user for the whole share, but this really seems like a brute-force way to do things. It also makes it impossible to determine who really owns the files, and who is killing us on space - which always happens. Further, there are other reasons, which I won't bore you with, why I don't care for force user.
> ---
>
> So, is this a live-with-it, as-designed bug that I just have to work around, or is there some more elegant solution that I've not recognized yet? (Or, perhaps more likely, have I just missed something really stupid that I'm doing wrong.)
>
> If more details are required, I'll be glad to provide what's needed.

I think 'create mask' would give you what you want. see the details for its usage in the man page for smb.conf

Craig
Re: [Samba] Migrating an existing NT domain to samba
On Tue, 2006-04-04 at 08:32 -0500, Chris Garrigues wrote:
> What is the best path to follow to migrate an existing NT domain to a Samba server. I've got several other Samba domains elsewhere, but none of them started as NT domains so I didn't have to do a migration.
>
> The existing network has several servers, all of which I intend to retire from fileservice once this migration is finished.
>
> At the moment I have my samba server on the network in a bogus domain and of course there's no useful communication. The samba server is set up to use LDAP and is running 3.0.13 under Mandriva.

I believe that the entire vampire operation is described in 'Samba by Example' http://www.samba.org/samba/docs

Craig
Re: [Samba] smb-ldap or not to smb-ldap
On Sat, 2006-04-01 at 12:56 +0100, Antony Gelberg wrote:
> [Sorry for my previous empty post, lost it for a second.]
>
> Craig White wrote:
> > On Fri, 2006-03-31 at 16:30 +0100, Antony Gelberg wrote:
> > > Hi all,
> > >
> > > We are deploying a Linux server and desktops for a customer. We will have the users and groups in LDAP on the server, and files shared via NFS. However, one never knows if Windows desktops will be needed in the future.
> > >
> > > Is it a good idea to add users with smb-ldap even if samba is not initially used, as adding the samba attributes to an existing LDAP database is painful, and the smb-ldap created users will have the relevant POSIX credentials to be able to login anyway?
> >
> > It would seem to me that a successful LDAP implementation is going to have an administrator who can script changes to the users attributes when necessary, otherwise, it's not just a down the road implementation of samba that will make things difficult. My thinking is that time spent now to acquire skill sets is better than spending time to configure an imagined samba implementation which may happen down the road.
>
> You're right, but time is not always that easy to come by and smbldap-tools is a real time-saver, being so powerful.
>
> > That being said, it probably won't hurt anything to implement smbldap-tools but consider that the real issue is the tool sets you use to create/modify existing users outside of the samba realm must all anticipate the samba schema because the smbldap-tools are for samba based tools.
>
> There is no requirement to have users who aren't part of the samba realm i.e. with POSIX login only, so we can always use the smbldap-tools toolset. Or did I misunderstand your point?

yeah, I think you did miss the point - not that it was very important.

He's asking about pre-configuring smbldap-tools without an intention or a plan to implement for the near future as a just in case proposition because he doesn't know how to go back in add attributes/objectclasses to his existing DSA.

I'm suggesting that learning to do that would likely be a better investment in time than trying to calculate what an unneeded samba setup would look like so he can configure it now in anticipation.

I'm suggesting that the problem down the road won't be because he didn't configure smbldap-tools out now, but more likely to be not knowing how to manipulate the entries in LDAP on a mass scale.

Craig
Re: [Samba] smb-ldap or not to smb-ldap
On Fri, 2006-03-31 at 16:30 +0100, Antony Gelberg wrote:
> Hi all,
>
> We are deploying a Linux server and desktops for a customer. We will have the users and groups in LDAP on the server, and files shared via NFS. However, one never knows if Windows desktops will be needed in the future.
>
> Is it a good idea to add users with smb-ldap even if samba is not initially used, as adding the samba attributes to an existing LDAP database is painful, and the smb-ldap created users will have the relevant POSIX credentials to be able to login anyway?

It would seem to me that a successful LDAP implementation is going to have an administrator who can script changes to the users attributes when necessary, otherwise, it's not just a down the road implementation of samba that will make things difficult. My thinking is that time spent now to acquire skill sets is better than spending time to configure an imagined samba implementation which may happen down the road.

That being said, it probably won't hurt anything to implement smbldap-tools but consider that the real issue is the tool sets you use to create/modify existing users outside of the samba realm must all anticipate the samba schema because the smbldap-tools are for samba based tools.

Craig
Re: [Samba] \\server\share is not accessible. The network path was not found.
On Fri, 2006-03-31 at 19:45 +0100, Steve A wrote:
> I am running Samba 3.0.21b-2 on Fedora Core 5.
>
> I created a new Unix user called sa using useradd -G users -m sa, and added the smbuser using smbpasswd -a sa (and set the same password just in case). The password is also the same as my Windows password.
>
> When I try to access the shares on Samba from my XP-SP2 machine, I get the following error:
>
> \\server\share is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The network path was not found.
>
> Either Yes/No to the encrypted passwords = option, and also specifying the location of the Samba password file with the smb passwd file = option, makes no difference.
>
> The same configuration works on a separate XP/Gentoo box.
>
> Can anyone help please?

- http://fedoraproject.org/wiki/SELinux

Craig
Re: [Samba] Re: \\server\share is not accessible. The network path was not found.
On Fri, 2006-03-31 at 22:09 +0100, Steve A wrote:
> Craig White [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > http://fedoraproject.org/wiki/SELinux
>
> Thank you so much Craig... I have disabled SELinux for now, it is too much to learn SELinux and Linux at the same time!

I suggest that you change it from enforcing mode to permissive mode rather than turning it off altogether. That way, software that you install, policy and contexts continue to be retained so if you actually do intend to turn selinux on, you won't have to do massive relabeling.

I would also recommend that you keep selinux on and learn how to fix the issues but it is your system. The purpose of selinux is security and by turning it off, you are depriving yourself of a layer of security.

Craig
Re: [Samba] Re: \\server\share is not accessible. The network path was not found.
On Fri, 2006-03-31 at 22:09 +0100, Steve A wrote:
> Craig White [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > http://fedoraproject.org/wiki/SELinux
>
> Thank you so much Craig... I have disabled SELinux for now, it is too much to learn SELinux and Linux at the same time!

and it just occurred to me that I should add something to the wiki about this. In the troubleshooting section, I added a few links...

http://wiki.samba.org/index.php/Samba_Troubleshooting

This should allow most everyone to function with samba and keep using SELinux.

My guess is that you only needed to run either (or both - you weren't specific about the shares) of these commands...

setsebool -P samba_enable_home_dirs 1
chcon -t samba_share_t /path/to/share/non/homes/share

or you could have done these steps...

setsebool -P smbd_disable_trans 1
service smb restart

and that would have allowed you to keep running selinux without enforcement of restrictions on samba daemons at all (in the thought that selinux on but not minding samba is better than off altogether)

I think one of the things we like is to consider the notion that a Linux system is more secure than a Windows system but it won't remain that way if we turn off the security layers because we don't understand them.

Craig
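One way to decide which of the two narrower commands in the message above a given server needs, while leaving SELinux enabled, is to compare each share path's label and the relevant booleans against what the message describes. This is an added example, not code from the thread or from the Samba or Fedora projects; the `getsebool` and `ls -dZ` output below is constructed sample text, and the share paths are assumptions.

```python
import shlex

# Constructed sample output (not captured from a real host).
GETSEBOOL = """samba_enable_home_dirs --> off
smbd_disable_trans --> off
"""
LS_DZ = """drwxr-xr-x  root root system_u:object_r:default_t      /export/share
drwxr-xr-x  root root system_u:object_r:samba_share_t  /export/netlogon
"""
# Share name -> path, as they would appear in smb.conf (assumed values).
SHARES = {"homes": "/home/%u", "share": "/export/share", "netlogon": "/export/netlogon"}


def selinux_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def parse_getsebool(output):
    """Map boolean name -> True/False from 'name --> on|off' lines."""
    booleans = {}
    for line in output.splitlines():
        name, sep, state = line.partition("-->")
        if sep:
            booleans[name.strip()] = state.strip() == "on"
    return booleans


def parse_ls_dz(output):
    """Map path -> SELinux type from `ls -dZ` lines (paths without spaces)."""
    labels = {}
    for line in output.splitlines():
        fields = line.split()
        contexts = [f for f in fields[:-1] if f.count(":") >= 2]
        if contexts:
            labels[fields[-1]] = selinux_type(contexts[0])
    return labels


def audit(shares, labels, booleans):
    """Return whether smbd is still confined and the commands still needed."""
    commands = []
    for name, path in shares.items():
        if name == "homes":
            # Home directories are covered by the boolean, not by relabeling.
            if not booleans.get("samba_enable_home_dirs", False):
                commands.append("setsebool -P samba_enable_home_dirs 1")
        elif labels.get(path) != "samba_share_t":
            commands.append("chcon -t samba_share_t " + shlex.quote(path))
    return {
        # smbd_disable_trans = on means policy no longer restricts smbd at all.
        "smbd_confined": not booleans.get("smbd_disable_trans", False),
        "commands": commands,
    }


if __name__ == "__main__":
    report = audit(SHARES, parse_ls_dz(LS_DZ), parse_getsebool(GETSEBOOL))
    print("smbd confined by policy:", report["smbd_confined"])
    for cmd in report["commands"]:
        print(cmd)
```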
Re: [Samba] changing passwords from Windows XP Pro workstations
I'm keeping this on list.

On Thu, 2006-03-30 at 08:52 -0500, Gary Dale wrote:
> Craig White wrote:
> > if I was going to guess...I think your problems are...
> >
> > http://samba.org/samba/docs/man/Samba3-ByExample/small.html#id2525330
> >
> > see items #3 through #7
> >
> > you don't have a passwd chat script as I recall. That's probably important.
> >
> > your setup should track this setup as I see it.
> >
> > http://samba.org/samba/docs/man/Samba3-ByExample/secure.html
> >
> > since you have no interest in advancing your skills, count me out next time unless you learn to ask simple questions. The simple truth is, if you want know little, point and click Windows network administration, you are probably better off using a Microsoft Windows server. My interest is in helping people that actually are interested in learning something, yes gasp, those that actually do want to become expert.
> >
> > Lastly, I would heavily suggest you forget about LDAP until your attitude changes because it is hostile to administrators that don't want to become knowledgeable.
> >
> > Craig
>
> Thanks Craig. I think you'll see a problem here. You suggest that the issue may be a lack of a passwd chat script, while two others suggest I remove the passwd chat script - which is almost identical to the one in the second URL you just gave.
>
> The issue isn't about whether people want to learn. It's about how much they have to learn to get things to work. If something takes too much effort, in the real world it doesn't get done.
>
> There is nothing inherently complicated about managing a directory service. Look at the simple Linux tools for user or printer administration for proof. I see no virtue in making Samba-LDAP configuration a black art. A basic setup should be easy to achieve.
>
> In fact, from what I have been reading, LDAP should be the standard Samba backend. That won't happen if people have to spend a week or more learning how to use it.

You completely do not get it.

Samba is infinitely configurable. Windows - at the moment of setup you have to choose the role for a server, whether a domain controller or a member server. The workstation is sold separately. Samba provides all of those roles including a Windows 95/98 server too.

There is no way that anyone can solve your problem with any certainty without suitable logs, an inspection of your tdbsam and your /etc/passwd files AND the smb.conf, the whole of which you dumped on us last night and undoubtedly have changed many times since. Proper mail list etiquette and a commitment to demonstrating that you are actually focused on the problem would dictate that you limit those items to only the minimum necessary logs, smb.conf, etc.

Your information is incomplete and as I stated last night, I am not going to speculate any further on your problems. In fact, your reply has made me sorry that I even speculated on the solution to your problem.

As for my 'seeing' the problem - that being in your mind - different suggestions to solve your problem - that is absolutely absurd. ***The problem*** is you don't know how to provide the information with which someone can tell you what the definitive solution would be.

As for your suggestion that Samba-LDAP a black art...Samba is Samba and LDAP is LDAP - you understand neither package so expecting them to work for you is a rather pointless endeavor. Knowledge is power and you appear to be lacking both. Yet you expect them to work for you even though you don't understand them nor wish to understand them - I wish you luck.

Let me be blunt - you are a help vampire. Please don't email me any more until you change your ways.

Craig
RE: [Samba] File versioning with Samba (on a Linux filesystem)?
On Wed, 2006-03-29 at 10:20 -0500, Barry, Christopher wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Terry Jones Sent: Tuesday, March 28, 2006 12:39 PM To: samba@lists.samba.org Subject: [Samba] File versioning with Samba (on a Linux filesystem)? Apologies if this question is answered somewhere obvious. I just spent a couple of hours surfing around trying to find an answer. I'd like to provide windows clients with access to files via samba and have samba (or other) do file versioning. In the case that a user happens to delete a file or we want to return to an earlier version, that should be possible. Is there a standard solution for this? I can think of various ways it might be done, but there doesn't seem to be much on the net about doing it in practice. Support at the (in this case Linux) filesystem level would be good. If Samba had an option to do it automatically, that would be good. I saw something about making a .recycle bin for file removal, but I didn't get the impression this was going to provide file versioning. Less good would be having Samba hooks allowing external scripts to be run pre or post file save, so that one could use an external source code control system. Least good is to simply rely on your backup schedule to hopefully allow recovery. I do something like this nightly. It's not 'real-time', and I store the versions on another box, but the effect is pretty similar. I have everyone map this box via the logon script, so they all have access to their older stuff. Letting people restore their own files is nice. ;) It's done with a combination of glastree http://www.igmus.org/code/#glastree, and custom scripting I wrote to create a doubly-nested DFS tree, and to create all of the samba configuration files and acl files on the fly. I'm using NIS, and I'm setting access perms based on this - so it may need serious hacking if your environment is totally different. 
If anyone is interested, I can tar up all of the scripts and send them out. There's nothing approaching documentation for it, but I can probably give limited help to anyone who has questions. lemme know. don't know that you're interested but we do have a wiki for that type of thing... http://wiki.samba.org which is ideal for that type of information exchange. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] domain controller cannot be contacted
This too would be a good candidate for samba wiki http://wiki.samba.org since it comes up often.

Craig

On Wed, 2006-03-29 at 16:56 +0200, Louis van Belle wrote:

You know User Hive Cleanup Service for XP, if not install it.

http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

I experienced problems with logins because some programs badly close the registry, or an old connection with samba stays open.

Louis

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Rutherford Sent: Wednesday 29 March 2006 16:45 To: samba@lists.samba.org Subject: [Samba] domain controller cannot be contacted

Hi everyone, I have struggled with this problem for awhile now. randomly and intermittently a workstation or bunch of workstations will not be able to log in. This is pretty much reproducible at will, and here is what you need to do to get this little issue to show up:

1. Log out and try to log in as a different user
2. Attempt to login immediately after the machine is booted.

To ensure you can log in, if you boot your workstation in the morning and wait 2-3 minutes before trying to log in you can log in no problem. I have replaced our switch, cabling, network cards, tried many many things..

I took this a step further. I got 3 machines rounded up and built a mini network with its own switch. Only these 3 machines were on this switch. Of these 3 machines I installed a fresh copy of windows xp with sp2 on two of them. Took our current config and slapped it onto the third machine running gentoo + samba

These 3 machines had not been exposed to our main network... what makes this all so interesting. I was able to join these 2 workstations no problem with default settings, no registry patches, nothing and it just worked. I tried to reproduce this problem with this little test network and our smb.conf for hours on end. It just never happened.

On our main network I can get this to occur every 2 minutes if I wanted to. Our samba machine is doing wins as well, and the machines get this wins server info with their dhcp info. Any ideas? Anything at all? This issue is.. just too hard for me to figure out. Also, no indication of an error in any logs.
Re: [Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: Back to square 1! I stripped out my unsuccessful attempts to get Samba working with LDAP on my Debian Sarge server and am back with a tdbsam backend. I actually tried to purge as much of the old Samba LDAP as I could then reinstalled fresh. This included removing the Windows groups and users and even the old tdbsam data. Unfortunately, I'm back where I started - users can't change their own passwords using the Windows password change dialogue. Their system will go away for a very long time (more than 15 minutes) then silently fail to change the password. For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) on a 2.6.8 kernel. This should mean that this is NOT the old Windows security patch issue. I've attached my smb.conf (minus the shares definitions) if that helps. Also, for what it's worth, the user accounts are all in Domain Users and users. All but mine use /bin/false as the login shell (but none of us can change passwords). My account is also in Domain Admins - and I can add machine accounts with it. Any ideas anyone? I kept my mouth shut because you were following someone's step by step and not the samba official documentation. If you want to follow the Samba By Example, methodology, you will probably find a lot more people willing to help. Changing passwords seems to only require that samba, smbldap-tools be properly configured for your ldap setup and a script referenced in your smb.conf The smb.conf you attached of course has nothing to do with LDAP and it isn't clear what you are trying to do. I would suggest that you familiarize yourself with the Samba By Example book (dead tree form) or pdf or html from the samba.org web site and figure out what you are trying to do so someone could actually help. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote: Craig White wrote: On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: Back to square 1! I stripped out my unsuccessful attempts to get Samba working with LDAP on my Debian Sarge server and am back with a tdbsam backend. I actually tried to purge as much of the old Samba LDAP as I could then reinstalled fresh. This included removing the Windows groups and users and even the old tdbsam data. Unfortunately, I'm back where I started - users can't change their own passwords using the Windows password change dialogue. Their system will go away for a very long time (more than 15 minutes) then silently fail to change the password. For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) on a 2.6.8 kernel. This should mean that this is NOT the old Windows security patch issue. I've attached my smb.conf (minus the shares definitions) if that helps. Also, for what it's worth, the user accounts are all in Domain Users and users. All but mine use /bin/false as the login shell (but none of us can change passwords). My account is also in Domain Admins - and I can add machine accounts with it. Any ideas anyone? I kept my mouth shut because you were following someone's step by step and not the samba official documentation. If you want to follow the Samba By Example, methodology, you will probably find a lot more people willing to help. Changing passwords seems to only require that samba, smbldap-tools be properly configured for your ldap setup and a script referenced in your smb.conf The smb.conf you attached of course has nothing to do with LDAP and it isn't clear what you are trying to do. I would suggest that you familiarize yourself with the Samba By Example book (dead tree form) or pdf or html from the samba.org web site and figure out what you are trying to do so someone could actually help. Craig I've followed the Samba by example in this case. It was not very helpful. 
Between the typos, omissions, errors, and general lack of content, it's hard to get anything to work following it. Sorry to be so negative about it, but it seems to assume that if you just install the packages, things work. Now a plain vanilla Debian Sarge system is hardly esoteric, but my experience has been that things only work if you are doing a virgin setup. In my case, Samba was originally vampired from my old W2K server and I've always had the password problem. Trying to install LDAP on a system that previously had a not-quite-working tdbsam backend also isn't something that the howto writers seem to have tried. The other howto I followed was one of several that were written specifically for people trying to get Samba+LDAP to work on a Debian system. After several days of trying to get it to work, even following idealx.org's howto, it still wouldn't. So I ripped everything out and went back to a basic Samba setup without LDAP. And now I'm back to the same old problem I had before - users can't change their passwords. And yes, my current setup was following the Samba by Example - html form. I also have the dead-tree Samba Howto collection. According to them, I have a working system. :) The basic by example says in some very elegant story telling, after assuming that you have Samba installed, to smbpasswd -a root, map the Administrator account to it, add some groupmaps, stir in some users and voila, everything works. My setup passes the validation and the troubleshooting. It works, except that it doesn't. Again, I'll admit that this probably does work on a fresh system. I've set up Samba PDCs from scratch before without problems. However, it doesn't seem to want to work on this existing server, even after I sacrificed my old accounts vampired from W2K to try to get this working. I shouldn't have to rebuild my entire server just to be able to change passwords! Finally, you need to recognize that Debian does things its way. 
It has installation scripts that ask you questions up front and put the answers in multiple files scattered across your system. Samba by Example doesn't actually tell you what to put where or why. In fact, it's actually difficult to tell exactly which program or file you need to be using at any given moment. We're not all Samba developers, after all. SWAT, smbpasswd, pdbedit, etc. all seem to do the similar things but heaven help the poor user who's trying to find out when or why you should use one over the other. What I'm basically trying to say is you can't assume that everyone is going to get to place by a particular route. Debian howtos are useful for those of us with Debian-based systems because they give Debian package names and follow Debian installation dialogues. If there is something in the howto that you think is wrong or missing, then identify it. It's
Re: [Samba] changing passwords from Windows XP Pro workstations
On Wed, 2006-03-29 at 23:33 -0500, Gary Dale wrote: Craig White wrote: On Wed, 2006-03-29 at 21:49 -0500, Gary Dale wrote: Craig White wrote: On Wed, 2006-03-29 at 17:36 -0500, Gary Dale wrote: Back to square 1! I stripped out my unsuccessful attempts to get Samba working with LDAP on my Debian Sarge server and am back with a tdbsam backend. I actually tried to purge as much of the old Samba LDAP as I could then reinstalled fresh. This included removing the Windows groups and users and even the old tdbsam data. Unfortunately, I'm back where I started - users can't change their own passwords using the Windows password change dialogue. Their system will go away for a very long time (more than 15 minutes) then silently fail to change the password. For those not familiar with Debian Sarge, it uses Samba 3.0.14a (Debian) on a 2.6.8 kernel. This should mean that this is NOT the old Windows security patch issue. I've attached my smb.conf (minus the shares definitions) if that helps. Also, for what it's worth, the user accounts are all in Domain Users and users. All but mine use /bin/false as the login shell (but none of us can change passwords). My account is also in Domain Admins - and I can add machine accounts with it. Any ideas anyone? I kept my mouth shut because you were following someone's step by step and not the samba official documentation. If you want to follow the Samba By Example, methodology, you will probably find a lot more people willing to help. Changing passwords seems to only require that samba, smbldap-tools be properly configured for your ldap setup and a script referenced in your smb.conf The smb.conf you attached of course has nothing to do with LDAP and it isn't clear what you are trying to do. I would suggest that you familiarize yourself with the Samba By Example book (dead tree form) or pdf or html from the samba.org web site and figure out what you are trying to do so someone could actually help. 
Craig I've followed the Samba by example in this case. It was not very helpful. Between the typos, omissions, errors, and general lack of content, it's hard to get anything to work following it. Sorry to be so negative about it, but it seems to assume that if you just install the packages, things work. Now a plain vanilla Debian Sarge system is hardly esoteric, but my experience has been that things only work if you are doing a virgin setup. In my case, Samba was originally vampired from my old W2K server and I've always had the password problem. Trying to install LDAP on a system that previously had a not-quite-working tdbsam backend also isn't something that the howto writers seem to have tried. The other howto I followed was one of several that were written specifically for people trying to get Samba+LDAP to work on a Debian system. After several days of trying to get it to work, even following idealx.org's howto, it still wouldn't. So I ripped everything out and went back to a basic Samba setup without LDAP. And now I'm back to the same old problem I had before - users can't change their passwords. And yes, my current setup was following the Samba by Example - html form. I also have the dead-tree Samba Howto collection. According to them, I have a working system. :) The basic by example says in some very elegant story telling, after assuming that you have Samba installed, to smbpasswd -a root, map the Administrator account to it, add some groupmaps, stir in some users and voila, everything works. My setup passes the validation and the troubleshooting. It works, except that it doesn't. Again, I'll admit that this probably does work on a fresh system. I've set up Samba PDCs from scratch before without problems. However, it doesn't seem to want to work on this existing server, even after I sacrificed my old accounts vampired from W2K to try to get this working. I shouldn't have to rebuild my entire server just to be able to change passwords! 
Finally, you need to recognize that Debian does things its way. It has installation scripts that ask you questions up front and put the answers in multiple files scattered across your system. Samba by Example doesn't actually tell you what to put where or why. In fact, it's actually difficult to tell exactly which program or file you need to be using at any given moment. We're not all Samba developers, after all. SWAT, smbpasswd, pdbedit, etc. all seem to do the similar things but heaven help the poor user who's trying to find out when or why you should use one over the other. What I'm basically trying to say is you can't assume that everyone is going to get to place by a particular route. Debian howtos are useful for those of us with Debian-based systems because they give Debian package names and follow Debian
Re: [Samba] File versioning with Samba (on a Linux filesystem)?
On Tue, 2006-03-28 at 17:18 -0500, simo wrote:

On Tue, 2006-03-28 at 14:12 -0800, Jeremy Allison wrote:

On Tue, Mar 28, 2006 at 10:40:20PM +0200, Henrik Zagerholm wrote:

On 28 Mar 2006 at 22:27, Tomasz Chmielewski wrote:

Henrik Zagerholm wrote:

I'm pretty sure this can be done with a VFS module. I couldn't say exactly which one though.

I guess there is no such VFS module :)

OK, but as he also asked for deleted recycle support, I'm about 50% correct as there is a recycle VFS module :) But wouldn't it be possible to write a version control VFS module? That intercepts saves of existing files and saves the old one with a different name? I might be really wrong here :)

No you're correct - this is a perfect use for a VFS module.

It is, but it is not easy at all to properly handle all cases, think for example of how some MS Office apps handle documents:

open original file
create a temp file with modifications
delete original file
rename temp file to original

ideally these operations should end up just being a single commit of a new version of the original file in a versioning system, no deletes, no renames.

Any VFS should have some exclusions and IIRC, '$' in the file name is Microsoft's method of marking a temp file.

Craig
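The save sequence simo describes in the message above (temp file written, original deleted, temp renamed over it), modelled as an added example that is not part of the thread and is not Samba VFS code. The class name, the journal format and the temp-name rule in `default_is_temp` are assumptions made for the illustration; the deferred-delete approach is one way to turn the sequence into a single new version.

```python
def default_is_temp(name):
    """Assumed exclusion rule: scratch names starting with '~', containing '$',
    or ending in '.tmp' are never versioned."""
    base = name.rsplit("/", 1)[-1].lower()
    return base.startswith("~") or "$" in base or base.endswith(".tmp")


class VersionedShare:
    """In-memory model of a share that keeps old versions of tracked files."""

    def __init__(self, is_temp=default_is_temp):
        self.is_temp = is_temp
        self.files = {}      # name -> current content
        self.history = {}    # name -> superseded contents, oldest first
        self.pending = {}    # name -> content of a delete not yet decided
        self.journal = []    # (action, name) as a versioning system would see it

    def _store(self, name, data):
        """Place data under name, recording a create or a new version."""
        if not self.is_temp(name):
            if name in self.pending:
                # Deleted a moment ago and now back: a replacement, not a delete.
                old = self.pending.pop(name)
                self.history.setdefault(name, []).append(old)
                self.journal.append(("version", name))
            elif name in self.files:
                self.history.setdefault(name, []).append(self.files[name])
                self.journal.append(("version", name))
            else:
                self.journal.append(("create", name))
        self.files[name] = data

    def write(self, name, data):
        self._store(name, data)

    def unlink(self, name):
        data = self.files.pop(name)
        if not self.is_temp(name):
            # Hold the delete back: a rename onto this name may follow.
            self.pending[name] = data

    def rename(self, src, dst):
        # The old name simply disappears; only the destination is versioned.
        self._store(dst, self.files.pop(src))

    def flush(self):
        """Commit deletes that were never followed by a replacement. A real
        module would do this on handle close or after a short timeout."""
        for name, data in self.pending.items():
            self.history.setdefault(name, []).append(data)
            self.journal.append(("delete", name))
        self.pending.clear()


def office_save_demo():
    """Replay the four-step save from the message, then a genuine delete."""
    share = VersionedShare()
    share.write("report.doc", b"v1")              # existing document
    share.write("~WRD0001.tmp", b"v2")            # temp file with modifications
    share.unlink("report.doc")                    # delete original
    share.rename("~WRD0001.tmp", "report.doc")    # rename temp to original
    share.flush()
    share.write("old.doc", b"x")
    share.unlink("old.doc")                       # nobody replaces this one
    share.flush()
    return share
```

The journal for the replayed save holds one `create` and one `version` entry for `report.doc`, with the old content kept in `history`; only `old.doc` is recorded as a delete.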
Re: [Samba] Trouble with Homes
On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote:

I am having trouble with getting my Homes section to work properly. When I browse to the server from a Windows client, I can see my home directory. However, when I try to access it, it challenges me for a userID and password. No matter what I enter, it will not allow me access. Can someone point me in the right direction to solve this? Here are the errors...

[2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798) 192.63.212.176 (192.63.212.176) couldn't find service .
[2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)
[2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd)

And here is the relevant section of the smb.conf...

[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
create mask = 0660
directory mask = 0770

try putting a valid path that the users have write access to their home...

[homes]
comment = Home Directories
path = /home/samba/homes
browseable = no
writable = yes
valid users = %S
create mask = 600
directory mask = 700

# ls -ld /home/samba/homes
drwxrwx--- 2 root dom_users 4096 Jun 23 2003 /home/samba/homes

maybe even get crazy enough to create directories in /home/samba/homes for each user...

Craig
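A way to summarise share-access denials like the ones quoted in the message above, as an added example that is not part of the thread. The function names and output fields are hypothetical, and the sample is a shortened set built from the quoted log lines; the summary shows how often each session user was refused on each share and whether a domain-qualified user was refused on the share named after their own account.

```python
import re
from datetime import datetime

# Shortened sample built from the log lines quoted in the post, flattened the
# way they appear there. Raw strings keep the backslash in NA\trimblrd literal.
_DENY = (r"[2006/03/27 {t}, 2] smbd/service.c:make_connection_snum(318) "
         r"user 'NA\trimblrd' (from session setup) "
         r"not permitted to access this share (trimblrd)")
SAMPLE_LOG = " ".join(
    [r"[2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798) "
     r"192.63.212.176 (192.63.212.176) couldn't find service ."]
    + [_DENY.format(t=t) for t in
       ("11:19:23", "11:19:23", "11:19:24", "11:19:24", "11:19:32")]
)

# One denial record: header, source location, then the message. \s+ between
# the parts also matches a newline, so unflattened smbd logs parse as well.
DENIED = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+)\s+"
    r"user '(?P<user>[^']+)' \(from session setup\) "
    r"not permitted to access this share \((?P<share>[^)]*)\)"
)


def split_account(user):
    """Split DOMAIN\\account into (domain, account); domain is None if absent."""
    if "\\" in user:
        domain, _, account = user.partition("\\")
        return domain, account
    return None, user


def parse_denials(text):
    """Return one dict per 'not permitted to access this share' record."""
    denials = []
    for m in DENIED.finditer(text):
        domain, account = split_account(m["user"])
        denials.append({
            "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "user": m["user"],
            "domain": domain,
            "account": account,
            "share": m["share"],
        })
    return denials


def summarize(denials):
    """Group denials by (session user, share), most frequent first."""
    groups = {}
    for d in denials:
        g = groups.setdefault((d["user"], d["share"]), {
            "user": d["user"],
            "share": d["share"],
            "count": 0,
            "first": d["time"],
            "last": d["time"],
            # Session user carries a domain prefix and the share is named
            # after the bare account, i.e. the user's own [homes] share.
            "domain_user_on_own_home": (
                d["domain"] is not None
                and d["account"].lower() == d["share"].lower()
            ),
        })
        g["count"] += 1
        g["first"] = min(g["first"], d["time"])
        g["last"] = max(g["last"], d["time"])
    return sorted(groups.values(), key=lambda g: -g["count"])


if __name__ == "__main__":
    for row in summarize(parse_denials(SAMPLE_LOG)):
        print(row)
```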
RE: [Samba] Trouble with Homes
get rid of the homes definition...why do you need it on a member server? Craig On Mon, 2006-03-27 at 12:44 -0500, Trimble, Ronald D wrote: Domain member. -Original Message- From: Guillermo Gutierrez [mailto:[EMAIL PROTECTED] Sent: Monday, March 27, 2006 12:44 PM To: Trimble, Ronald D; Daniel Northam; Craig White; samba@lists.samba.org Subject: RE: [Samba] Trouble with Homes do you have this samba server as a domain member or is it a standalone? -Original Message- From: Trimble, Ronald D [mailto:[EMAIL PROTECTED] Sent: Monday, March 27, 2006 9:39 AM To: Daniel Northam; Guillermo Gutierrez; Craig White; samba@lists.samba.org Subject: RE: [Samba] Trouble with Homes I am not using LDAP, so the SIDs shouldn't be an issue. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Northam Sent: Monday, March 27, 2006 11:49 AM To: Guillermo Gutierrez; Craig White; samba@lists.samba.org Subject: RE: [Samba] Trouble with Homes Check your SID's I had that same problem and samba was advising Auth succeeded but it still wouldn't let me in. Checked my SID's and somewhere down the line I had changed one of my SID's. I corrected that in LDAP and then I was able to login. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guillermo Gutierrez Sent: Monday, March 27, 2006 8:45 AM To: Craig White; samba@lists.samba.org Subject: RE: [Samba] Trouble with Homes If you are integrating the samba server into a windows domain, you might want to try setting the valid users line like this: valid users = %D\%S that was my problem until I did that. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Craig White Sent: Monday, March 27, 2006 8:34 AM To: samba@lists.samba.org Subject: Re: [Samba] Trouble with Homes On Mon, 2006-03-27 at 11:23 -0500, Trimble, Ronald D wrote: I am having trouble with getting my Homes section to work properly. 
When I browse to the server from a Windows client, I can see my home directory. However, when I try to access it, it challenges me for a userID and password. No matter what I enter, I will not allow me access. Can someone point me in the right direction to solve this? Here are the errors... [2006/03/27 11:19:22, 0] smbd/service.c:make_connection(798) 192.63.212.176 (192.63.212.176) couldn't find service . [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd) [2006/03/27 11:19:23, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd) [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd) [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd) [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd) [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd) [2006/03/27 11:19:24, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd) [2006/03/27 11:19:32, 2] smbd/service.c:make_connection_snum(318) user 'NA\trimblrd' (from session setup) not permitted to access this share (trimblrd) And here is the relevant section of the smb.conf... [homes] comment = Home Directories valid users = %S browseable = No read only = No create mask = 0660 directory mask = 0770 try putting a valid path that the users have write access to their home... 
[homes] comment = Home Directories path = /home/samba/homes browseable = no writable = yes valid users = %S create mask = 600 directory mask = 700 # ls -ld /home/samba/homes drwxrwx--- 2 root dom_users 4096 Jun 23 2003 /home/samba/homes maybe even get crazy enough to create directories in /home/samba/homes for each user... Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman
Re: [Samba] Virtual Servers Workaround?
On Tue, 2006-03-28 at 14:52 +1030, Andrew Galdes wrote:

Hello all, I am in a situation where I need Samba to be a DC server (logons and file/printer services) for multiple domains - from a single machine. The documentation states that Only the primary server can be a domain member or a domain controller. Are there any work arounds for this?

Research at: http://us1.samba.org/samba/docs/man/Samba3-HOWTO/cfgsmarts.html#id2639845

try this...samba Wiki

http://wiki.samba.org/index.php/Multiple_Server_Instances

Craig
RE: [Samba] Linux box talks to XP Pro, XP Pro permissions deniedon LinuxBox
Let's keep this on list please...

See if you can connect as samba user from samba box...

smbclient -L WHATEVER_YOUR_SERVER_NAME -U Administrator
smbclient -L WHATEVER_YOUR_SERVER_NAME -U Michael

but note - casing is rather odd and might be your problem. UNIX is case sensitive but Windows/Samba is not case sensitive... therefore Samba will see 'Michael' as 'michael' and 'Administrator' as 'administrator' and you don't have a UNIX user 'michael' or 'administrator' and thus, you are setting things up to fail. Make all your UNIX/Linux users lower case (the logical easy thing to do) or you can remap them using smbusers (totally unlogical way to do things).

Craig

On Sat, 2006-03-25 at 12:58 -0500, Michael Munger wrote:

Craig, Thanks for the reply. I appreciate it.

getent passwd|grep Michael
Michael:X:500:500:Michael Munger:/home/Michael:/bin/bash
pdbedit -L Michael
Michael:500:Michael Munger

Everything there seems to be in order. Now, the Windows box is logged in as Administrator, so I created an account on the Linux box with an identical username / password. (Administrator/*) So I used: Smbpasswd -a Administrator, and added the password so it is identical to the Windows box. Then ...

getent passwd|grep Administrator
Administrator:X:501:501::/home/Administrator:/bin/bash
pdbedit -L Administrator
Administrator:501:Administrator

Still no victory. Did I do something wrong?

Yours, Michael

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 25, 2006 8:50 AM
To: Michael Munger
Subject: Re: [Samba] Linux box talks to XP Pro, XP Pro permissions deniedon LinuxBox

On Sat, 2006-03-25 at 03:10 -0500, Michael Munger wrote:

My linux box can see, browse, and copy files from an XP Share. However, when I try to access the box either via its network name (\\linuxbox) or by ip address (\\192.168.1.231) Windows shows me an error stating I don't have permissions to access the resource. I have been through the HowTo, and the Troubleshooting section of the Sam's book recommended in the docs section of samba.org. No firewall problems, machines see each other fine. Network names resolve, subnet is fine, etc. What am I missing?

you must have a samba user that matches a Linux user. for example...

# getent passwd|grep craig
craig:x:500:500:Craig White:/home/craig:/bin/bash
# pdbedit -L craig
craig:500:Craig White

The first command verifies my Linux/UNIX user. The second command verifies my samba user. If I needed to add the samba user craig, I would simply do...

smbpasswd -a craig

As for the SAM's book - It may be a very good book but not known to most of the list members. The official Samba documentation is here...http://www.samba.org/samba/docs

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Problem creating Samba Admin account
On Thu, 2006-03-23 at 13:19 -0800, Mont Rothstein wrote:

I am trying to create a Samba Admin account in FDS as per the final steps of http://directory.fedora.redhat.com/wiki/Howto:Samba I've asked about this on the FDS mailing list with no luck, I am hoping someone here will be able to help me.

I've created a file with contents:

Administrator:x:0:0:Samba Admin:/root:/bin/bash

I then ran:

/usr/share/openldap/migration/migrate_passwd.pl /tmp/sambaAdmin /tmp/sambaAdmin.ldif

but when I get to converting the ldif to ldap via:

/opt/fedora-ds/slapd-server/ldif2ldap cn=Directory manager password /tmp/sambaAdmin.ldif

I get the following error:

adding new entry uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com
ldap_add: Object class violation
ldap_add: additional info: unknown object class kerberosSecurityObject

As far as I know I haven't enabled kerberos anywhere. Does anyone know what I need to do to resolve this?

wrong list - not a samba question... but if you actually post that question to an LDAP list...you might actually want to show the contents of /tmp/sambaAdmin.ldif

my wild guess is that you have an objectclass within that file that isn't supported by your setup.

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba/LDAP Domains and multiple File Servers
On Wed, 2006-03-22 at 08:43 -0500, Matt Ingram wrote:

Craig White wrote:

-- why fly by the seat of your pants on this when the documentation tells you what you need to know? see http://www.samba.org/samba/docs - the By Example where it discusses PDC's and BDC's and how to manage them

hmm are you referring to the chapter on Making Happy Users? That chapter does not address the scenario I am going for. The sample given is still using home drives that reside on the PDC and mounted on the BDC via NFS; which is not what I'm looking for. What I'm looking for is, Site one's users home drives exclusively running off of BDC1; site 2's users home drives exclusively running off of BDC2, and so on.

Here's what I've tried: on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that of the PDC instead of the BDC's SID, while things like the home drive are pointing to the BDC, instead of the PDC. This seems to work, the way I was hoping.. are you aware of any problems having the setup like this?

let's keep this on list please.

doesn't sound remotely like the samba documentation describes it and if it works for you - great. The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.

Since a passdb of LDAP or tdb types actually permit you to have user home drives and profiles set individually, it really isn't much effort to assign these paths individually for users to whichever server you want them to use.

Am I aware of any problems having the setup like you have described yours to be? No - but I tend towards setting things up as they were intended to be done.

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba/LDAP Domains and multiple File Servers
On Wed, 2006-03-22 at 10:01 -0500, Matt Ingram wrote:

hmm are you referring to the chapter on Making Happy Users? That chapter does not address the scenario I am going for. The sample given is still using home drives that reside on the PDC and mounted on the BDC via NFS; which is not what I'm looking for. What I'm looking for is, Site one's users home drives exclusively running off of BDC1; site 2's users home drives exclusively running off of BDC2, and so on.

Here's what I've tried: on the BDC's smbldap-tools I've set the smbldap-tools.conf SID to that of the PDC instead of the BDC's SID, while things like the home drive are pointing to the BDC, instead of the PDC. This seems to work, the way I was hoping.. are you aware of any problems having the setup like this?

let's keep this on list please.

doesn't sound remotely like the samba documentation describes it and if it works for you - great. The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.

which is what I'm doing. The BDC still does have its own SID and it uses the exact same ldap data as the PDC. It's just in the /etc/smbldap-tools/smbldap.conf file on the BDC, I set the SID to use that of the PDC. When I had the SID set to the BDC (in the smbldap.conf), logons didn't work when an account was generated with the smbldap-useradd on the BDC. I'm assuming the SID of a user on the domain has to have the SID prefix of the PDC, not any other server on the domain.

Since a passdb of LDAP or tdb types actually permit you to have user home drives and profiles set individually, it really isn't much effort to assign these paths individually for users to whichever server you want them to use.

you're right, it isn't much effort to modify the home drives a users on different servers. But being able to use the smbldap-tools to do all of that for you, is a smoother solution, imo - assuming there are no issues in doing it.

Am I aware of any problems having the setup like you have described yours to be? No - but I tend towards setting things up as they were intended to be done.

I don't think I'm doing anything that strange here.. I've just added the smbldap-tools to the BDC as well, and modified the smbldap.conf file so that it will create users home drives and ldap settings to use a home drive on the BDC. If I am doing something strange here, in a way samba is not intended to be used, please point it out to me. I don't want to shoot myself in the foot later on ;).

That sort of makes sense. How are the scripts being accessed on the BDC? Are you running them from command line on each BDC? I hope that the LDAP referenced in your smb.conf is your 'master' LDAP server and that the changes to the master propagate to the 'slaves' (your BDC) and that may take a few seconds.

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba/LDAP Domains and multiple File Servers
It should have the same DOMAIN and SID (Simo made me check) ;-)

Craig

On Wed, 2006-03-22 at 10:07 -0500, Matt Ingram wrote:

if I run # net getdomainsid I get this:

PDC (hostname home):
SID for domain HOME is: S-1-5-21-3186883984-1813041273-1898769360
SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360

BDC:
SID for domain BDC is: S-1-5-21-1908730498-1878741769-688260909
SID for domain MYDOMAIN is: S-1-5-21-3186883984-1813041273-1898769360

Simo, are you saying that my BDC should have the SID of S-1-5-21-3186883984-1813041273-1898769360 ?

Thanks, Matt

simo wrote:

On Wed, 2006-03-22 at 07:16 -0700, Craig White wrote:

The intent of samba software is that PDC and any/all BDC's have the exact same LDAP data - at least as far as all Samba user/group/computer attributes are concerned and a BDC would have its own SID, not the same SID as the PDC. That would track the methodology of a Windows NT 4 type DOMAIN.

Sorry to get into the discussion, the previous statement is not clear to me and I would like to make it clear that in an NT4 style domain all the DCs must have the same SID, as the DCs have only the DOMAIN SID, this is different from domain members which have a local machine SID but recognize domain users with the domain SID.

Simo.

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Problem joining a domain.
On Tue, 2006-03-21 at 10:41 +0100, David Moron wrote:

Hi, I've just tried to fix the SID for my domain and actually both have the same value, but still doesn't work:

SID for domain PDC-SRV is: S-1-5-21-27105391-1648776033-2601101416
SID for domain OPENWIRED is: S-1-5-21-27105391-1648776033-2601101416

I also want to know the correct syntax for the file smb.conf, I mean, in the smb logs appears these lines when I try to log from my windows machine:

[...]
[2005/03/21 10:21:29, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain OPENWIRED - S-1-5-21-27105391-1648776033-2601101416
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
[2005/03/21 10:21:29, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w 'pc4$' gave 2
[2005/03/21 10:21:29, 2] smbd/server.c:exit_server(609)
  Closing connections

Those errors are from this line in smb.conf:

add machine script = /usr/local/sbin/smbldap-useradd -w '%u

there is a missing ' at the end of the line but when I add it:

[...]
[2005/03/21 10:29:07, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w 'pc4$'' gave 9
[2005/03/21 10:29:07, 2] smbd/server.c:exit_server(609)
  Closing connections

and if I use the log is:

[...]
[2005/03/21 10:33:56, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain OPENWIRED - S-1-5-21-27105391-1648776033-2601101416
[2005/03/21 10:33:57, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w pc4$' gave 9
[2005/03/21 10:33:57, 2] smbd/server.c:exit_server(609)
  Closing connections

I think all the problem came from this file, so I would like to know the correct syntax for it. Thank you in advance.

first of all...I can't think of a single system that would require unbalanced quotes so it would be either 'value' or value

Generally the difference in most languages/interpreters is variables inside of single quotes are expanded while those inside double quotes can.

From your explanation, it would appear that you have edited your smbldap configuration file but lost one of the quotation marks inside of the configuration file and thus have created a problem. If you aren't capable of examining the configuration file that you edited, you might want to obtain another copy (hopefully you made a copy of the original before you hacked it).

In short - you need to fix your smbldap configuration file.

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
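The "unexpected EOF while looking for matching" errors in the log above come from sh, which smbd uses to run the add machine script value. The following is an added example, not code from the thread or from Samba: a small Python lint that reads smb.conf text and reports every script parameter whose value a shell could not tokenize. The function names and both sample configurations are constructed for illustration; the first sample reuses the line quoted in the message.

```python
import shlex

# smb.conf parameters whose value is handed to a shell; matched by suffix
# ("add machine script", "add user script", "print command", ...).
SCRIPT_SUFFIXES = (" script", " command")


def iter_params(conf_text):
    """Yield (section, key, value, lineno) from smb.conf-style text.

    Handles ';' and '#' comments and backslash line continuation.
    """
    section, pending, start = None, "", 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":
                continue
            start = lineno
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            # smb.conf keys are case- and whitespace-insensitive
            yield section, " ".join(key.lower().split()), value.strip(), start


def lint_scripts(conf_text):
    """Return [(lineno, key, reason)] for script values with broken quoting."""
    findings = []
    for _section, key, value, lineno in iter_params(conf_text):
        if not key.endswith(SCRIPT_SUFFIXES):
            continue
        try:
            shlex.split(value)          # POSIX-shell style tokenizing
        except ValueError as exc:       # e.g. "No closing quotation"
            findings.append((lineno, key, str(exc)))
    return findings


# Constructed sample: the line from the message, with its missing quote.
BROKEN = """\
[global]
   workgroup = OPENWIRED
   add machine script = /usr/local/sbin/smbldap-useradd -w '%u
"""

# Constructed sample: the same parameter with balanced quotes.
BALANCED = """\
[global]
   workgroup = OPENWIRED
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("BALANCED", BALANCED)):
        print(name, lint_scripts(text))
```

The lint only checks that the value tokenizes; a non-zero exit status from the script itself (the "gave 9" lines above) is a separate problem it does not look at.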
Re: [Samba] multiple samba server
On Tue, 2006-03-21 at 09:04 +, ict wrote:

i have spent the last three days setting up a samba PDC with openldap, i finally seem to have gotten this working, but require some info on setting up additional servers this is the layout i am after.

samba PDC / directory server
  all user accounts here
  maybe some shared areas
secondary file server
  student home directories and profiles for windows and linux
third file server
  teachers home directories and profiles for linux and windows

i will either use the third server for printing or set it up on another machine. what i would like info about is how to integrate the other servers into the samba PDC like info on how to configure samba on these machines. if some one can point me in the right direction, most of the info i have found seems to be aimed at a single server.

I don't know what 'most of the info that you have found' is, but the official documentation can be found at http://www.samba.org/samba/docs and the 'By Example' has everything you need to know to make a BDC or member server within this setup.

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba/LDAP Domains and multiple File Servers
On Tue, 2006-03-21 at 09:26 -0500, Matt Ingram wrote: Hi All, I have a domain setup soon to go into production. We have 3 buildings, each containing a fileserver for that buildings users (home drives/share drives). I've been using the smbldap-tools on the PDC, which is all working fine. Is it possible to join another server to the domain, also using the smbldap-tools, with a different config, that will setup a users home drive, etc on that server, or will a setup like this need to be done manually? I have a test BDC that I've been playing with trying to do this, but if I do smbldap-useradd from the BDC the user can't get logged on with an error message A device attached to the system is not functioning on the windows client (the account does get setup in ldap). In the smbldap-tools config I used the SID of the BDC, which I'm guessing might be my problem... should I change that to the SID of the PDC? why fly by the seat of your pants on this when the documentation tells you what you need to know? see http://www.samba.org/samba/docs - the By Example where it discusses PDC's and BDC's and how to manage them Also, with a samba/ldap domains setup - how can I allow a user to have shell access on one server on the domain, but not on the other servers on the domain? Can this be done through the domain/ldap, or in this scenario will shell logons have to be managed locally on the individual servers ? I'm quite certain that is possible but I haven't done it. It is not a samba question at all but working through your LDAP implementation as it relates to the posix structures on each UNIX/Linux system that you offer shell accounts and thus, well out of the scope of this list. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Storing passwords in LDAP, but not a PDC
On Mon, 2006-03-20 at 09:22 +, Robert Mortimer wrote: Hello, Is it possible to store samba passwords in ldap without configuring samba as a PDC? All the documents/references I've come across are related to using LDAP as a samba PDC backend, not as just a db file replacement. Thanks, LDAP is a heavyweight store for massive amounts of passwords and extended data needed to for 100s or 1000s of PCs. In a workgroup there is no central password store. In a workgroup each windows (LINUX/Samba) machine has local users and would never consult a central authentication database so the LDAP would only hold accounts for the local Linux machine's users. This is a Sledgehammer + nut situation I suggest you look at the normal samba database I'm not entirely certain that I agree with the characterizations that you have used. LDAP is a lightweight database system that is optimized for frequent reads and infrequent writes. There are implementations of LDAP that can be utilized for account management in UNIX/Linux (aka posix) and in Windows (Samba - Microsoft Active Directory) and these implementations often permit essentially complete integration into the underlying user/group account management. There are implementations that permit this structure to be shared among other servers so that you can attain consistent user/group account management across some/all host systems in a networked environment which makes it attractive for thoughtful application. It's not a sledgehammer + nut situation...it might be more trouble than it's worth for some administrators to learn but I use it even on networks with a small amount of users and computers because I have gotten over the hurdle of learning the implementation and have enough tools to manage things like user accounts and actually find it valuable, even in small scale deployments. Craig -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba FDS backend groupmap error
On Mon, 2006-03-20 at 09:00 -0700, Peter Merritt wrote:

Hello all, Having difficulty with setup of samba with FDS backend. Probably some thing simple, but I can't figure it out, any help would be greatly appreciated, Groupmap command fails, abbreviated debug out follows.

Peter

2006/03/20 08:56:02, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'UTF-8' for LOCALE
[2006/03/20 08:56:02, 5] lib/util.c:init_names(260)
  Netbios name list:-
  my_netbios_names[0]=DAYSTAR
[2006/03/20 08:56:02, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.0.5 bcast=192.168.0.255 nmask=255.255.255.0
[2006/03/20 08:56:02, 10] intl/lang_tdb.c:lang_tdb_init(135)
  lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
Can't lookup UNIX group Domain Admins
[2006/03/20 08:56:02, 2] utils/net.c:main(878)
  return code = -1

getent group abbreviated output.

mysql:x:27:
Domain Admins:x:2512:
Domain Users:x:2513:
Domain Guests:x:2514:
Domain Computers:x:2515:

seems like an nss/ldap problem

what do you get when you...

grep 'dc=weirdwaterorg,dc=local' /etc/ldap.conf

seems like your 'base_group' isn't set correctly.

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Domain authentification problem with LDAP
On Mon, 2006-03-20 at 12:55 -0500, Daniel Tousignant wrote:
Craig White [EMAIL PROTECTED] wrote:
On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
Craig White [EMAIL PROTECTED] wrote:
On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:

The objectclass sambaSAMAccount and subsequent fields have been created. We are using the standard perl script tools that are installed with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6). What I really do not understand is that if I put a user in the standard ldap group Domain Admins (gid=512), the user is able to logon to the domain, but not when it is in the Domain Users group (gid=513). What is the big difference for Samba between the two's ? Can it be an ACL problems ?

not very likely to be an ACL problem.

net groupmap list|grep Domain
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) - Domain Machines

net getlocalsid
[2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
  Can't fetch domain SID for name: HIPPOLYTE

this is a MAJOR problem...it should look like

dn: sambaDomainName=EXAMPLE,dc=example,dc=net
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-89274850-471284788-6498272
sambaDomainName: EXAMPLE
gidNumber: 1021
uidNumber: 1095

and should have been created either by hand or by idealx 'populate' script if you followed someone's directions somewhere.

Craig

Here is what I have now :

[EMAIL PROTECTED] openldap]# net groupmap list | grep Domain
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) - Domain Machines
[EMAIL PROTECTED] openldap]# net getlocalsid
SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093

... but I still cannot join an xp workstation to the domain, and a domain user on windows 98 cannot logon to the domain, although a domain admin can. By the way, HIPPOLYTE is the name of the server; the domain name is INTAIR. Why is the command net getlocalsid returning SID for domain HIPPOLYTE

can you edit it with some type of GUI editor like phpldapadmin or gq?

can you fetch it with ldapsearch, modify it with ldapmodify?

can you delete it and then fix it by running smbldap-populate again? (assuming that you have smbldap-tools configuration file fixed)

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba FDS backend groupmap error
Seems proper to me as long as the Groups are truly put into ou=Groups,dc=weirdwaterorg,dc=local

by the way... rootbinddn should probably be cn=Directory Manager not cn=directory manager,dc=wierdwaterorg,dc=local unless you have created an entry within the dc=weirdwaterorg,dc=local tree with the dn, it won't exist.

that may have been in your smb.conf too, but I have deleted the original email that had your smb.conf and I suspect if it was used wrongly in smb.conf, you would have asked about that.

as for your error about tdb_lang_init - I don't know.

Craig

On Mon, 2006-03-20 at 11:27 -0700, Peter Merritt wrote:

I thought of that, seems proper to me ?

Peter

grep 'dc=weirdwaterorg,dc=local' /etc/ldap.conf
base dc=weirdwaterorg,dc=local
bindn cn=directory manager,dc=weirdwaterorg,dc=local
#rootbinddn cn=directory manager,dc=weirdwaterorg,dc=local
nss_base_passwd ou=People,dc=weirdwaterorg,dc=local?one
nss_base_shadow ou=People,dc=weirdwaterorg,dc=local?one
nss_base_group ou=Groups,dc=weirdwaterorg,dc=local?one

On Mon, 2006-03-20 at 09:26 -0700, Craig White wrote:
On Mon, 2006-03-20 at 09:00 -0700, Peter Merritt wrote:

Hello all, Having difficulty with setup of samba with FDS backend. Probably some thing simple, but I can't figure it out, any help would be greatly appreciated, Groupmap command fails, abbreviated debug out follows.

Peter

2006/03/20 08:56:02, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'UTF-8' for LOCALE
[2006/03/20 08:56:02, 5] lib/util.c:init_names(260)
  Netbios name list:-
  my_netbios_names[0]=DAYSTAR
[2006/03/20 08:56:02, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.0.5 bcast=192.168.0.255 nmask=255.255.255.0
[2006/03/20 08:56:02, 10] intl/lang_tdb.c:lang_tdb_init(135)
  lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
Can't lookup UNIX group Domain Admins
[2006/03/20 08:56:02, 2] utils/net.c:main(878)
  return code = -1

getent group abbreviated output.

mysql:x:27:
Domain Admins:x:2512:
Domain Users:x:2513:
Domain Guests:x:2514:
Domain Computers:x:2515:

seems like an nss/ldap problem

what do you get when you...

grep 'dc=weirdwaterorg,dc=local' /etc/ldap.conf

seems like your 'base_group' isn't set correctly.

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Domain authentification problem with LDAP
On Mon, 2006-03-20 at 14:36 -0500, Daniel Tousignant wrote:
Craig White [EMAIL PROTECTED] wrote:
On Mon, 2006-03-20 at 12:55 -0500, Daniel Tousignant wrote:
Craig White [EMAIL PROTECTED] wrote:
On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
Craig White [EMAIL PROTECTED] wrote:
On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:

The objectclass sambaSAMAccount and subsequent fields have been created. We are using the standard perl script tools that are installed with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6). What I really do not understand is that if I put a user in the standard ldap group Domain Admins (gid=512), the user is able to logon to the domain, but not when it is in the Domain Users group (gid=513). What is the big difference for Samba between the two's ? Can it be an ACL problems ?

not very likely to be an ACL problem.

net groupmap list|grep Domain
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) - Domain Machines

net getlocalsid
[2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
  Can't fetch domain SID for name: HIPPOLYTE

this is a MAJOR problem...it should look like

dn: sambaDomainName=EXAMPLE,dc=example,dc=net
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-89274850-471284788-6498272
sambaDomainName: EXAMPLE
gidNumber: 1021
uidNumber: 1095

and should have been created either by hand or by idealx 'populate' script if you followed someone's directions somewhere.

Craig

Here is what I have now :

[EMAIL PROTECTED] openldap]# net groupmap list | grep Domain
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) - Domain Machines
[EMAIL PROTECTED] openldap]# net getlocalsid
SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093

... but I still cannot join an xp workstation to the domain, and a domain user on windows 98 cannot logon to the domain, although a domain admin can. By the way, HIPPOLYTE is the name of the server; the domain name is INTAIR. Why is the command net getlocalsid returning SID for domain HIPPOLYTE

can you edit it with some type of GUI editor like phpldapadmin or gq?

yes, we use gq

can you fetch it with ldapsearch, modify it with ldapmodify?

well, I guess not, because this is what I get when I try to execute the command :

[EMAIL PROTECTED] openldap]# ldapsearch -LLL (dc=intair)
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database

can you delete it and then fix it by running smbldap-populate again? (assuming that you have smbldap-tools configuration file fixed)

The server is a slave ldap server, so we use slapcat on the master, then slapadd on the slave to populate it.

you do recognize that this is really a one time proposition and from that point forward, slurpd replicates changes on the master to the slave, right? Therefore, the changes must be made to the master and replicated to the slave.

You should probably verify...
- the objectclass sambaDomain on the master
- the objectclass sambaDomain on the slave
that they are correct and the same, and then finally,
- that replication is working properly from master to slave

... do you have an idea why a member of the group Domain Admins is able to access the shares, but not a member of the Domain Users group ? What is the difference for samba between the two's ?

I wouldn't know that but perhaps it's in the permissions of the share or in the general section itself.

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Problem joining a domain.
On Mon, 2006-03-20 at 21:24 +0100, David Moron wrote:

Hi, I'm running Samba/openLDAP on a FC4 and I'm trying to make it work as a PDC. I installed all the software using yum instead smbldap-tools. I've done all the configuration but, when I try to join a Windows XP Professional named 'pc4' to the domain it fails with Error joining the domain OPENWIRED. Username not found. And no machine account is created under ou=Computers,dc=openwired,dc=net

If I run /usr/local/sbin/smbldap-useradd -w 'pc4$' it works OK. smbd.log at the end. When I start SAMBA it binds OK to the LDAP using the cn=root,dc=openwired,dc=net account and it has all privileges granted in slapd.conf. What's happening

Thank you in advance,

# net getlocalsid
SID for domain PDC-SRV is: S-1-5-21-1518432643-1164322876-3946144605
# net getdomainsid
SID for domain PDC-SRV is: S-1-5-21-1518432643-1164322876-3946144605
SID for domain OPENWIRED is: S-1-5-21-27105391-1648776033-2601101416

presuming that PDC-SRV is the PDC for OPENWIRED DOMAIN, then those should be the same and you need to fix it in LDAP

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Username could not be found
On Mon, 2006-03-20 at 21:40 +0200, Hakan BAYINDIR wrote:

Hello, I've asked this question before, and somebody helped me after sending my logs. I thank them very much. I've solved these problems but I still can't join the domain. I cannot see any major problem in the logs except the logging user cannot be found in the ldap DB but it's there.

To summarize the problem to first time readers; We have a windows PDC in our organization. We want to migrate this pdc to linux / samba. I've set up one, on a openSuSE 10.0. Windows machine request a log-in when trying to join domain as expected. after supplying user root and its password, it tries to connect and says username could not be found. wrong passwords return with Bad user name or password error and also the shares are working as expected.

I'm attaching the samba logs (level 10), system messages (the slapd messages), my latest smb conf in a tar.gz to not to bug the reader's eye. Thank you for reading and trying to help. I'm working on this for a long time and I don't have too much time. Help will be very appreciated.

I'm not looking at your enclosure.

can you access your LDAP via the command line...i.e. ldapsearch?

ldapsearch -x -h localhost -D 'your_rootbind_dn' -W '(ou=People)'

Craig

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: xsolved - Re: [Samba] problems adding machines after upgrade - sambaSID attribute incomplete!
On Sun, 2006-03-19 at 13:35 -0500, Pablo Chamorro C. wrote:

the DOMAIN SID stored in LDAP is ok, so I'm gonna set the proper SID for DOMAIN and to see if this solves the problem. I exported the whole ldap directory to ldif and found something weird, look:

    sambaSID:: Uy0xLTUtMjEtMjUwMjY5ODI4OS0zNjM5ODc5MDY1LTM1NDQ3NzQ4Mzcg

but from phpldapadmin the sambaSID *seemed* ok, but not, it had one trailing blank!. Now it works.

recognize that the :: after sambaSID represents a base64 encoding which may or may not be of consequence but a trailing blank as you discovered is of consequence.

Craig
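The point of this exchange, that `::` in an LDIF export marks a base64-encoded value and that such a value can carry a trailing blank a GUI will not show, can be checked mechanically. The Python sketch below is an added example, not code from the thread or from Samba; the DNs, the second entry and the function names are constructed for illustration, and only the base64 string is the one quoted in the post.

```python
import base64
import re

# Domain SID: S-1-5-21 plus three sub-authorities, optionally followed by a RID.
SID_RE = re.compile(r"S-1-5-21(-\d{1,10}){3,4}")
# Constructed sample; only the base64 string is the value quoted in the post.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=net
sambaSID:: Uy0xLTUtMjEtMjUwMjY5ODI4OS0zNjM5ODc5MDY1LTM1NDQ3NzQ4Mzcg

dn: uid=pc4$,ou=Computers,dc=example,dc=net
sambaSID: S-1-5-21-2502698289-3639879065-3544774837-3001
"""

def unfold(text):
    """Join LDIF continuation lines (they start with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def audit_samba_sids(ldif_text):
    """Return (dn, decoded value, problems) for each sambaSID attribute."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # "attr:: value" means the value is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.lstrip(" ")
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "sambasid":
            problems = []
            if value != value.strip():
                problems.append("leading/trailing whitespace")
            if not SID_RE.fullmatch(value.strip()):
                problems.append("not a well-formed domain SID")
            findings.append((dn, value, problems))
    return findings

if __name__ == "__main__":
    for dn, value, problems in audit_samba_sids(SAMPLE_LDIF):
        print(dn, repr(value), problems or "ok")
```

Printing the decoded value with `repr()` makes the trailing blank visible, which is what the LDAP browser view hid.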
Re: [Samba] problems adding machines after upgrade - sambaSID attribute incomplete!
On Sat, 2006-03-18 at 16:50 -0500, Pablo Chamorro C. wrote:

#2 - what do you get from command... 'net getlocalsid' ?

I get this:

    SID for domain XXX is: S-1-5-21-2502698289-3639879065-7544774837

and the output of 'net getlocalsid DOMAIN' is:

    SID for domain DOMAIN is: S-1-5-21-2502698289-3639879065

oops! it seems the error is here, XXX is our PDC name. I kept a copy of the previous secrets.tdb. Comparing, I can see two differences: the INFO\sandom_seed key changed and so does the SECRETS/SID/DOMAIN key! and I can see that both the DOMAIN and PDC SID were the same!. Is it ok to change the SID for my DOMAIN as it was before in spite of the fact that that SID is the same PDC SID? or do I need to change the PDC SID too?

No - but it would seem to me that the DOMAIN SID is stored in LDAP and not in secrets.tdb... The PDC is the DOMAIN and obviously the SID for a PDC and the DOMAIN should be the same.

I appreciate very much your help. We're gonna update our samba.schema and to review our smbldap-tools config.

sounds like it might not be the config at all...but you better verify that the smbldap-config file has the right SID

Craig
Re: [Samba] Re: security=share, who needs it ?
On Fri, 2006-03-17 at 09:12 -0600, Gerald (Jerry) Carter wrote:

Tom, I've got to step up for Carsten here.

Tom Schaefer wrote: Carsten Schaub [EMAIL PROTECTED] wrote:

the security=share setting does not behave as many admins expect. Access

It behaves exactly as this admin expects and I would absolutely hate to see it to go.

No. It really doesn't. For the record, Carsten brought this issue up on the samba-technical ml. Every developer agrees that our security = share code is fundamentally broken because it tries to shoe horn a userless security model onto a user/password authentication system. People try to do all sorts of silly things with security = share like using a 'write list' option. What is that supposed to mean? You want a userless authentication but a user based authorization system? That's just wrong. If the only thing people need is a guest server, we can do that very easily with 'security = user'. We can even mix guest and non-guest servers using virtual servers.

to all shares are mapped to the guest account and if the underlying unix permissions don't permit that access you get errors and the access doesn't work as expected.

That's wrong. You connect to a Samba server using security=share as the guest account or as any user you want. The method used for determining whom you connect to a particular share as is spelled out in the section NOTE ABOUT USERNAME/PASSWORD VALIDATION of the smb.conf man page.

Tom, I think it is a little more complicated than you realize. The problem is not getting 'security = share' to work with the current code base, but rather how easy it is to misconfigure the server. And I'll add that if we implemented share mode security as it should be, your configuration would probably not work any more.

Also is security=share a global parameter. This given, there is no distinction between guest and authenticated access per share possible yet.

No, no.
Here are a few shares from the smb.conf file of a single security=share server I have. Homes only works for a given user if they give their correct password, the second share anyone who knows what the password is can access, and the guest share is a guest share so it works for everybody with no authentication.

    [Homes]
    comment = Home Directories
    username = %S
    valid users = %S
    writeable = Yes
    map archive = No
    browseable = No

See? This is exactly what I'm talking about. Why are you serving user home directories from a share mode based server? The two models do not mix. I will not support this type of configuration if something doesn't work as you expect because you are mixing userless authentication with user-based authorization. And I go to a lot of lengths to support strange things.

One nice thing about security=share is that in an environment I'm in where there is little to no correlation between MS Windows usernames and UNIX account usernames I don't have to worry about trying to keep it all sorted out in some behemoth username map file thanks to username = %S. Another nice thing about it is I don't have to worry about the way MS Windows clients will only let you connect to a single server as a single user at a time. With share level security I can have people authenticate to a single UNIX system as several different UNIX usernames from a single Windows box.

This is a buggy by product of the current code. It makes the code mind-numbingly hard to follow and really should work at all. In true share mode security you only have a readonly password and a write password. Most likely, we will either (a) implement a correct userless authentication/authorization model, or (b) mark 'security = share' as deprecated (along with 'security = server'). I'm still waiting for someone to give me a valid need to keep share security and I'm afraid this one doesn't qualify if only because it relies upon the obtuse behavior we want to get rid of.
It does not really make use of share mode security at all. No offense :-)

I can only think of one reason...I ran into that last night on [EMAIL PROTECTED] User was connecting an old DOS client system to samba and had to use 'security = share' of course, he was confused why the users homes directory didn't work ;-) So I agree with you that the issue of 'security = share' isn't the problem itself, it's the lack of understanding what the real nature of the configuration represents and how it essentially obviates large amounts of the other samba configuration details.

Craig
Re: [Samba] Making Share Visible To Particular Users Only
Linux clients 'mount' as root which complicates things a bit. If you put the mount in fstab as 'user', and set the users 'credentials' to be a file in their home directory (which contains their username and password), then those that have that file could actually 'mount it' and those without wouldn't know the difference. In this case, the users who could 'mount' the samba share would have to know where on the filesystem the mount is made.

Craig

On Fri, 2006-03-17 at 11:48 -0300, Guillermo Dalla Vecchia wrote:

Sorry, I didn't check the reply address. How about Linux Clients?? could it be done something similar for them? (logon scripts only work with Windows Clients).

On 3/17/06, Craig White [EMAIL PROTECTED] wrote:

Let's keep this on list please. A logon script is a script so yes, it could be done that way. A share that isn't browseable is still there, it just doesn't show up in a network browser. You can still connect to it, access privileges permitting. Similar to ADMIN$ or C$ from a Windows 'server'

Craig

On Fri, 2006-03-17 at 02:42 -0300, Guillermo Dalla Vecchia wrote:

Could it be done with the logon scripts option?? I think this works with windows clients. For Linux clients could it be done setting up correctly fstab (to mount the share at boot time)?? the shares require username and password though... Regards

On 3/16/06, Craig White [EMAIL PROTECTED] wrote:

On Thu, 2006-03-16 at 23:19 -0300, Guillermo Dalla Vecchia wrote:

Dear Friends, Is It Possible to Make a *Share* Visible to a List of Users *Only* ? e.g. If have shares Likes Account, Sales, Support Then I would Like make respective *share* visible *only* to persons in respective dept. Thanks and Best Regards.

not that I know of but you can set browsable to off (less visibility) and have those users mount the share by a script or individually set by 'reconnect at logon' and of course you can control read and write access within each share.
Craig
Re: [Samba] Making Share Visible To Particular Users Only
Workgroup, you would probably have to distribute specific scripts to specific users on specific machines. Are you trying to make an argument for why setting Samba up as a domain controller is a good thing? If so, you are succeeding.

Craig

On Fri, 2006-03-17 at 12:19 -0300, Guillermo Dalla Vecchia wrote:

Also, logon scripts only work with a domain configuration whereas I have a workgroup. Is there some way to this in a workgroup?? Regards

On 3/17/06, Guillermo Dalla Vecchia [EMAIL PROTECTED] wrote:

Sorry, I didn't check the reply address. How about Linux Clients?? could it be done something similar for them? (logon scripts only work with Windows Clients).

On 3/17/06, Craig White [EMAIL PROTECTED] wrote:

Let's keep this on list please. A logon script is a script so yes, it could be done that way. A share that isn't browseable is still there, it just doesn't show up in a network browser. You can still connect to it, access privileges permitting. Similar to ADMIN$ or C$ from a Windows 'server'

Craig

On Fri, 2006-03-17 at 02:42 -0300, Guillermo Dalla Vecchia wrote:

Could it be done with the logon scripts option?? I think this works with windows clients. For Linux clients could it be done setting up correctly fstab (to mount the share at boot time)?? the shares require username and password though... Regards

On 3/16/06, Craig White [EMAIL PROTECTED] wrote:

On Thu, 2006-03-16 at 23:19 -0300, Guillermo Dalla Vecchia wrote:

Dear Friends, Is It Possible to Make a *Share* Visible to a List of Users *Only* ? e.g. If have shares Likes Account, Sales, Support Then I would Like make respective *share* visible *only* to persons in respective dept. Thanks and Best Regards.

not that I know of but you can set browsable to off (less visibility) and have those users mount the share by a script or individually set by 'reconnect at logon' and of course you can control read and write access within each share.
Craig
Re: [Samba] Re: security=share, who needs it ?
On Fri, 2006-03-17 at 11:53 -0600, Gerald (Jerry) Carter wrote:

Craig White wrote:

I can only think of one reason...I ran into that last night on [EMAIL PROTECTED] User was connecting an old DOS client system to samba and had to use 'security = share'

Hey Craig, I'd have to see some evidence here. My experience is that the DOS Network client (even the basic redirector) works with user mode security. I'm not aware of a modern (still in use) client that doesn't support user mode security at all.

not from me - I am not using it. The questioner on fedora list got what he wanted working once he switched to share mode and I was willing to let it go as that made him happy and I have little to no recollection of the DOS Network client at all. Your anticipation that the DOS client can be happy in user mode is probably correct...it was difficult to guide him on a client that I can't possibly see.

Craig
RE: [Samba] Domain authentification problem with LDAP
James - this is the second time you have made that reference to the smbldap-useradd script. There have been lots and lots of versions of the smbldap-tools and perhaps the version that you are looking at is missing something like that but I assure you that most versions aren't.

Craig

On Fri, 2006-03-17 at 10:03 -0800, James Taylor wrote:

The LDAP users you have created (including the machines) need to have the objectclass: sambaSAMAccount and the subsequent fields. What are your user add scripts and machine add scripts you are using. Also, I have found that the IDEALX tools have an error in the smbldap-useradd script which includes that when you use the add machine switch the sambaSAMAccount information is not added to the LDAP database. I do have a copy of this modified file if you need it. Otherwise if you can edit the script yourself.

James

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Tousignant Sent: Friday, March 17, 2006 9:11 AM To: samba@lists.samba.org Subject: [Samba] Domain authentification problem with LDAP

We use samba 3.0.13 and openldap 2.3.6 Members of the ldap group Domain Admins are working fine, but members of the group Domain Users can not login to the domain, and do not have access to the shares. Also, we are unable to join a windows xp workstation to the domain. Can anyone give me a hint where to start looking ... Thank you