Re: [Samba] [3.6.8] XP fails with error 1326
Does the unix level nobody account exist? Does it work with Win 7 clients?

On 10/07/13 11:08, Winfried wrote:

Hello

I've googled and experimented for the past few hours but am still stuck trying to simply share a temporary directory read-only with anyone on the LAN. Here's the smb.conf I'm using:

==
/etc/samba# cat smb.conf
[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
;log level = 1
;max log size = 1000
;read only = no
guest account = nobody

;[homes]
;browsable = no
;map archive = yes

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
;public = yes
==

Neither smbd nor nmbd show any error in the log files, so I guess things are fine on this end. But the share isn't displayed in XP's NetHood and net view returns this:

System error 1326 has occurred.
Logon failure: unknown user name or bad password.

Any idea what could prevent XP from reading the share?

Thank you.

--
View this message in context: http://samba.2283325.n4.nabble.com/3-6-8-XP-fails-with-error-1326-tp4654631.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Fwd: RE: [3.6.8] XP fails with error 1326
Original Message
Subject: RE: [Samba] [3.6.8] XP fails with error 1326
Date: Mon, 7 Oct 2013 12:46:04 -0500
From: JUAN EDUARDO DELGADILLO CHAVEZ j...@idec.edu.mx
To: gaiseric.van...@gmail.com

Did you create the smb user and password? You must create users with

smbpasswd -a username

to connect to the share.

From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Gaiseric Vandal
Sent: Monday, 07 October 2013 10:21 a.m.
To: samba@lists.samba.org
Subject: Re: [Samba] [3.6.8] XP fails with error 1326

Does the unix level nobody account exist? Does it work with Win 7 clients?

On 10/07/13 11:08, Winfried wrote:
[...]
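Winfried's smb.conf is short enough to read by eye, but on a server with many shares the useful check is a parser that normalises Samba's alternative spellings (browsable/browseable, public/guest ok, writable versus read only) and prints each share's effective guest access. The following is an added example, not code from the thread or from Samba; it embeds a copy of the posted config as its sample input. Besides the per-share summary it reports the two [global] settings that decide what happens to a guest: guest account (nobody here) and map to guest, which the posted config leaves at Samba's default of Never, under which a client offering an unknown user name gets a logon failure instead of being mapped to the guest account. Whether that is what XP hit is not something the thread settles.

```python
"""Audit an smb.conf for guest-accessible shares.

Added example: a minimal smb.conf parser plus a per-share access summary.
Not Samba code; the config text below is a copy of the one posted in the thread."""
import re
from collections import OrderedDict

# Sample input: the smb.conf from the thread (constructed copy, not read from disk).
SMB_CONF = """\
[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
;log level = 1
;max log size = 1000
;read only = no
guest account = nobody

;[homes]
;browsable = no
;map archive = yes

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
;public = yes
"""

# Samba accepts these alternative spellings; normalise each to one canonical key.
SYNONYMS = {
    "browsable": "browseable",
    "public": "guest ok",
    "writable": "writeable",
    "write ok": "writeable",
}
TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}} with comments and blank lines skipped.
    Lines beginning with ';' or '#' are comments, so ';[homes]' disables that whole section."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = OrderedDict()
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = SYNONYMS.get(key, key)
        sections[current][key] = value.strip()
    return sections


def as_bool(value, default):
    if value is None:
        return default
    return value.strip().lower() in TRUE_WORDS


def effective(section, key, default, glob):
    """Share-level setting wins; otherwise fall back to [global], then to Samba's default."""
    if key in section:
        return as_bool(section[key], default)
    if key in glob:
        return as_bool(glob[key], default)
    return default


def share_summary(sections):
    """Return {share: {...}} describing who can reach each share and how."""
    glob = sections.get("global", {})
    out = {}
    for name, sec in sections.items():
        if name == "global":
            continue
        # 'read only' defaults to yes; 'writeable = yes' is the inverse spelling of the same knob.
        read_only = effective(sec, "read only", True, glob)
        if "writeable" in sec:
            read_only = not as_bool(sec["writeable"], False)
        out[name] = {
            "path": sec.get("path"),
            "guest_ok": effective(sec, "guest ok", False, glob),
            "read_only": read_only,
            "browseable": effective(sec, "browseable", True, glob),
        }
    return out


def global_guest_settings(sections):
    """Report the [global] knobs that decide whether an unknown user becomes the guest.
    'map to guest' defaults to Never: an unknown user name is then a logon failure,
    not a guest session, even on a 'guest ok' share."""
    glob = sections.get("global", {})
    return {
        "guest_account": glob.get("guest account", "nobody"),
        "map_to_guest": glob.get("map to guest", "Never"),
    }


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    print(global_guest_settings(conf))
    for share, info in share_summary(conf).items():
        who = "GUEST" if info["guest_ok"] else "auth"
        mode = "ro" if info["read_only"] else "RW"
        print(f"[{share}] {info['path']} {who} {mode} browseable={info['browseable']}")
```

Run it as a script to print the summary, or import it and call share_summary() on any other smb.conf text; a share that comes out as both GUEST and RW is the one to look at first.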
Re: [Samba] Use LDAP for passwords ONLY
If you have an existing LDAP structure, there will still be a separate field for the Windows password. For samba 3.x, you can specify either a local backend or an ldap backend. You can not specify some attributes in ldap but not others. If you want to set up Samba to use the LDAP backend you will need to have some admin privileges on the LDAP server.

On 10/03/13 14:32, Garey wrote:

Donny Brooks dbrooks at mdah.state.ms.us writes:

Hello,

On 03.10.2013 18:17, Garey wrote:

I am trying to figure out if I can setup samba to verify only passwords against LDAP and keep everything else local.

Can you be a bit more specific what you intend to do?

Regards,
Marc

I want all group and user info local on the samba server, but verify passwords against LDAP. So the only thing LDAP is used for is verifying the password.

LDAP still will need a username to go with the password. Could you tell us exactly why you want users local instead of in LDAP?

Large corporate LDAP server that keeps passwords. Just want to use it for passwords so users don't have another one to keep track of. But I need to control the users who can access the server and local groups that set their rights to information.
Re: [Samba] TLS between winbind and openldap
Did you try using LDAPS (ldap over SSL, typically on port 636)? I can't speak specifically about it with winbind BUT I have found that in other situations LDAPS creates less headaches with CA cert issues.

On 08/06/13 05:27, thierry DeTheGeek wrote:

Hi,

I found a possible workaround to my issue myself. It seems to be working.

After reading one more time about ldap.conf I tried to export environment variables to set my private key and my certificate. This seems to be working on both debian 6 and debian 7:

I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that winbind cannot work with OpenLDAP in debug mode, as expected.

I edited /etc/defaults/winbind and added the following lines:

export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt
export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key

I restarted winbind with the command line service winbind restart. Now wbinfo -i user is working and I get an uid for the user.

I will check further to ensure there is no more related issue.

2013/8/5 thierry DeTheGeek detheg...@gmail.com

Hi,

I'm working hard to setup winbind and openLDAP to work together with TLS.

My network contains:
- a windows server 2008 R2 domain controller
- a debian 6 based file server (openmediavault v0.4) running OpenLDAP 2.4.23 and Samba v3.5.6
- a debian 7 computer running winbind 3.6.6

I want to let OpenLDAP store the SID = uid/gid mapping to ensure constant uid and gid for users on all linux based computers and then use both CIFS and NFS.

I'm trying to solve my issue on openmediavault (debian 6) only for now, because I get the exact same issue when trying to establish communication between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).

I created a self signed certificate authority with openssl and created a private key and a certificate for the file server. I used the same certificate authority to create another key and certificate for my debian 7 computer. OpenLDAP uses its key and is configured to check client certificates. winbind on the same computer uses the same key and certificate to communicate with openLDAP and is configured to check openLDAP's certificate.

When running winbind in interactive debug mode everything is running fine and wbinfo -i user is able to allocate an uid to the user. Another try shows the uid assigned is effectively retrieved from openLDAP. The command line I'm using to test winbind is: winbindd -F -i -d idmap:10. I tried also to run openLDAP in debug mode with the command line slapd -d 1. The logs produced show that openLDAP and winbind work together with encryption in both directions.

When I run the winbind daemon with the command line service winbind start, the TLS connection cannot be initiated and I cannot allocate a uid to any user using wbinfo -i user.

Let's see the configuration files (domain name obfuscated):

## cn=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
creatorsName: cn=config
createTimestamp: 20130803105505Z
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
olcTLSVerifyClient: demand
entryCSN: 20130803125708.704922Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20130803125708Z

## smb.conf
#=== Global Settings ===
[global]
workgroup = DOMAIN
server string = %h server
include = /etc/samba/dhcp.conf
dns proxy = no
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = no
null passwords = no
local master = yes
time server = no
wins support = no
password server = *
realm = DOMAIN.LOCAL
security = ads
allow trusted domains = no
;
; samba 3.5.6 idmap configuration
;
idmap backend = ldap:ldap://omv.domain.local
ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
ldap idmap suffix = ou=Idmap
ldap suffix = dc=domain,dc=local
ldap ssl = start tls
ldap debug level = 4
ldap debug threshold = 1
idmap uid = 16777216-5000
idmap gid = 16777216-5000
idmap config * : backend = ldap
idmap config * : ldap_url = ldap://omv.domain.local
idmap config * : ldap_anon = no
idmap
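A quick way to read off what the posted cn=config entry demands of a TLS client such as winbind. This is an added example, not code from the thread, from OpenLDAP or from Samba: it parses the LDIF entry (a copy of the posted one trimmed to the TLS attributes), reports the olcTLSVerifyClient policy, and checks a private key file's permission bits, using temporary files it creates itself so it never touches /etc/ssl. With olcTLSVerifyClient: demand the server refuses any client that presents no certificate, which is consistent with the symptom in the thread: the interactive winbindd inherited the root shell's ldaprc settings, while the daemon started by the init script had no certificate and key until LDAPTLS_CERT and LDAPTLS_KEY were exported in the winbind defaults file.

```python
"""Read the olcTLS* settings from a cn=config LDIF entry and check the key file.

Added example: not code from the thread, from OpenLDAP or from Samba. The LDIF
text is a constructed copy of the cn=config entry posted in the thread, trimmed to
the TLS-related attributes; the permission checks run on temporary files."""
import os
import stat
import tempfile

# Constructed copy of the thread's cn=config entry, TLS attributes only.
CN_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: none
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
olcTLSVerifyClient: demand
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry.
    A line starting with a single space continues the previous line (RFC 2849 folding).
    Base64 ('::') values are not needed for cn=config TLS attributes and are not decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def first_value(entry, attr, default=None):
    return entry.get(attr, [default])[0]


def tls_posture(entry):
    """Summarise what the server demands of TLS clients.
    olcTLSVerifyClient takes never, allow, try or demand; only demand refuses a client
    that presents no certificate at all."""
    verify = (first_value(entry, "olcTLSVerifyClient", "never") or "never").lower()
    return {
        "ca_file": first_value(entry, "olcTLSCACertificateFile"),
        "cert_file": first_value(entry, "olcTLSCertificateFile"),
        "key_file": first_value(entry, "olcTLSCertificateKeyFile"),
        "verify_client": verify,
        "client_cert_required": verify == "demand",
    }


def check_key_file(path):
    """Findings for a private key path: missing file, or readable/writable by group or others."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if st.st_mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        findings.append("group/other can access private key (mode %o)" % stat.S_IMODE(st.st_mode))
    return findings


def demo_key_permissions():
    """Create two throwaway key files, one 0600 and one 0644, and return both findings lists."""
    with tempfile.TemporaryDirectory() as tmp:
        strict = os.path.join(tmp, "strict.key")
        loose = os.path.join(tmp, "loose.key")
        for p in (strict, loose):
            with open(p, "w") as fh:
                # Placeholder contents: this is not a real key.
                fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
        os.chmod(strict, 0o600)
        os.chmod(loose, 0o644)
        return check_key_file(strict), check_key_file(loose)


if __name__ == "__main__":
    print(tls_posture(parse_ldif_entry(CN_CONFIG_LDIF)))
    print(demo_key_permissions())
```

On a real server, point check_key_file() at the key_file path the posture reports; the same file is what the client side (winbind) has to be able to read, so its mode and owner decide which service accounts can present the certificate.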
Re: [Samba] UIDs/GIDs Mapping and Permissions in Samba
I have never quite got uid/gid consistency working with member servers. My domain controllers use an LDAP backend so they don't have an issue. All the unix uid and gid info is also in LDAP. This keeps file permissions correct on the member servers when accessing from windows clients. However you can NOT manage the file permissions from windows. The existing permissions show up in windows as Unix\someuser or unix\somegroup. If you try to change permissions or add a domain user, the permissions don't stick. This limits the flexibility of member servers since users can only change permissions via a unix session. This has been with samba 3.4.x and 3.5.x.

My understanding of the documentation is that samba should be able to use the unix uid/gid info to create a consistent sid-to-uidNumber and sid-to-gidNumber mapping but that hasn't been the case for me. I have tried to configure the member servers to look up the id mapping info from the PDC ldap server in read only mode - haven't got it working yet but I think this is the way to go.

On 07/31/13 21:05, Chris Hayes wrote:

Hi,

I'm wondering how essential it is to ensure that Samba User/Group to UIDs/GIDs mapping across various Samba servers remains consistent.

I realise that Samba uses the extended ACLs and also uses extended attributes to store blobs of Windows ACL information; specifically the reason for this is that Windows ACLs don't map 1:1 with POSIX ones. Basically, I want to know more about which Samba uses, how much it tries to keep the two in sync, etc.

For example, a moment ago I changed the POSIX ACLs on a file that already had a security.NTACL blob in the extended attributes; and my change to the POSIX ACL didn't show up in the Security Properties information for that file.

By far the best documentation that I've found so far is this thread, which might be out of date now and still leaves me unsure, as this suggests that the security.NTACL blob should have been updated:
https://lists.samba.org/archive/samba/2011-February/160799.html

For that specific test, I was running quite an old file server (Samba 3.4.7) because it was what I had installed on an old machine.

Any information would be greatly appreciated.

Kind regards,
Chris Hayes
Re: [Samba] nmbd is not running
Can you show the ifconfig -a output on your server (or whatever the appropriate command is for your OS)? The bind failed on ... 255 suggests the IP of the server is set wrong.

On 07/31/13 05:17, Kevin Sha wrote:

Hi

I have a samba domain controller in my network, and recently I have changed the netmask of the network. Then nmbd is not working. Could you please help me to solve this issue?

nmbd -i
nmbd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
standard input is not a socket, assuming -D option
bind failed on port 137 socket_addr = 172.17.255.255.
Error = Cannot assign requested address
nmbd_subnetdb:make_subnet()
Failed to open nmb bcast socket on interface 172.17.255.255 for port 137. Error was Cannot assign requested address
ERROR: Failed when creating subnet lists. Exiting.

-
/etc/init.d/samba status
nmbd is not running ... failed!
smbd is running.

My samba configuration file
---
[global]
workgroup = KEVIN
netbios name = KEVINDC
server string = KEVIN Domain controller
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = lmhosts host wins bcast
unix extensions = No
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos %u
add group script = /usr/sbin/addgroup --force-badname %g
add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u
logon path =
logon home =
domain logons = Yes
os level = 33
preferred master = Auto
domain master = Yes
dns proxy = No
panic action = /usr/share/samba/panic-action %d

[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
share modes = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

Thank you
kevin
Re: [Samba] nmbd is not running
It looks like you are using a block of private class B's as a contiguous CIDR range including 172.16.x.x and 172.17.x.x.

I played around with the IP's using various on line subnet calculators:
http://jodies.de/ipcalc?host=172.16.30.4&mask1=15&mask2=

Address:   172.16.30.4
Netmask:   255.254.0.0 = 15
Network:   172.16.0.0/15
Broadcast: 172.17.255.255
HostMin:   172.16.0.1
HostMax:   172.17.255.254

It looks to me like the broadcast address is wrong. Or are you trying to treat 172.16.x.x and 172.17.x.x as separate class B subnets?

On 07/31/13 08:54, Kevin Sha wrote:

root@srv:~# ifconfig -a
eth0      Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.17.30.4  Bcast:172.31.255.255  Mask:255.254.0.0
          inet6 addr: fe80::bc27:29ff:fed3:c733/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48965895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1460501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1888712573 (1.7 GiB)  TX bytes:785972618 (749.5 MiB)

eth0:1    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.3  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.5  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:3    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.6  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:4    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.17  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:5    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.8  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:6    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.30  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:7    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.4  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:8    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.6.10  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:9    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.6.11  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:10   Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.18  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:11   Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.20  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:12   Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.21  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:13   Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.29  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:14   Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.6.13  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:15   Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.0  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:16   Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.6.14  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5532 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5532 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:369954 (361.2 KiB)  TX bytes:369954 (361.2 KiB)

On Wed, Jul 31, 2013 at 6:18 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Can you show the ifconfig -a output on your server (or whatever the appropriate command is for your OS)? The bind failed on ... 255 suggests the IP of the server is set wrong.

On 07/31/13 05:17, Kevin Sha wrote:
[...]
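ipcalc shows the arithmetic for one address; the check worth automating is the same comparison over the whole ifconfig listing, since every alias above carries the same Bcast. The following is an added example, not from the thread: it parses Linux ifconfig output (a constructed excerpt of Kevin's listing), recomputes the broadcast from each address/mask pair with Python's ipaddress module, and lists the interfaces whose configured Bcast disagrees. For Mask:255.254.0.0 (a /15) the mask-derived broadcast is 172.17.255.255, which is exactly the address nmbd's log shows it failing to bind, while the interfaces are configured with Bcast:172.31.255.255, the broadcast of a /12.

```python
"""Check that each interface's configured broadcast address matches its netmask.

Added example, not from the thread: parses Linux ifconfig output and recomputes
the broadcast address from the address/mask pair with the ipaddress module."""
import ipaddress
import re

# Constructed sample: two of the interfaces from the thread's ifconfig output, plus lo.
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.17.30.4  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.3  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Matches the IPv4 line of the classic (net-tools) ifconfig format; Bcast is optional (loopback).
INET_RE = re.compile(
    r"inet addr:(?P<addr>\S+)(?:\s+Bcast:(?P<bcast>\S+))?\s+Mask:(?P<mask>\S+)")


def parse_ifconfig(text):
    """Return [(ifname, addr, bcast_or_None, mask)] for every IPv4 'inet addr' line.
    Interface names sit at column 0; their attribute lines are indented."""
    results = []
    ifname = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            ifname = line.split()[0]
            continue
        m = INET_RE.search(line)
        if m and ifname:
            results.append((ifname, m["addr"], m["bcast"], m["mask"]))
    return results


def expected_broadcast(addr, mask):
    """Broadcast implied by addr/mask, e.g. 172.17.30.4/255.254.0.0 -> 172.17.255.255."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    return str(iface.network.broadcast_address)


def check_broadcasts(text):
    """Return [(ifname, configured_bcast, mask_derived_bcast)] for every mismatching interface.
    nmbd derives its broadcast socket address from the mask, so a mismatch here is the
    configuration the 'bind failed on port 137' message points at."""
    mismatches = []
    for ifname, addr, bcast, mask in parse_ifconfig(text):
        if bcast is None:  # loopback and point-to-point links carry no broadcast
            continue
        want = expected_broadcast(addr, mask)
        if bcast != want:
            mismatches.append((ifname, bcast, want))
    return mismatches


if __name__ == "__main__":
    for ifname, got, want in check_broadcasts(IFCONFIG_OUTPUT):
        print(f"{ifname}: Bcast {got} does not match mask-derived {want}")
```

Feed it the real output of ifconfig -a (the classic net-tools format shown in the thread; the newer ip addr format is different and would need its own regex) and an empty result means address, mask and broadcast agree on every interface.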
Re: [Samba] ./configure LDAP checks failing on AIX
You may also want to set LD_LIBRARY_PATH to include /usr/local/openldap/lib.

On 07/30/13 02:31, Andrew Bartlett wrote:

On Thu, 2013-07-25 at 14:40 +, Gilles Pion wrote:

Samba version 4.0.7
Aix 6.1
Compiler: IBM xlc

Last lines of ./configure output:

Checking for ldap_init : not found
Checking for ldap_init_fd : not found
Checking for ldap_initialize : not found
Checking for ldap_set_rebind_proc : not found
Checking for ldap_add_result_entry : ok
Checking whether ldap_set_rebind_proc takes 3 arguments : ok
Active Directory support not available: LDAP support ist not available.
path/wscript:760: error: Active Directory support not found. Use --without-ads for building without Active Directory support.

Reason (verified): the generated test.c file used in the configure checks doesn't have the required ldap include:

#include <ldap.h>

I've not found a clean way to patch configure to fix this. Anyone able to help?

Where is ldap.h on your system? It may be enough to just specify

CFLAGS=-I/usr/local/openldap/include ./configure

(if that is where ldap.h is). If we have found ldap.h, it will be added to those tests.

Andrew Bartlett
Re: [Samba] NT4 clients
For what it is worth - it looks like NT4 does NOT use kerberos even with the Active Directory client installed.
http://www.petri.co.il/dsclient_for_win98_nt.htm

Windows 2003 Active Directory had some compatibility with NT4 domain controllers. I don't think Samba 4 does. Your best bet may be to try putting the NT4 machine in a separate NT4/Samba 3 domain and establishing trusts. Or more realistically take it OUT of the domain and just create local user accounts with the same passwords as the network accounts.

The only legit reason I could see to be running NT4 is if it is managing a specialized piece of equipment (e.g. on a manufacturing floor). In that case the machine(s) should be airgapped from any regular network with internet access. If you follow security news you can imagine why it is important to keep unpatched systems physically isolated from the internet or other networks.

On 07/30/13 05:33, Ryan Bair wrote:

Hi Andrew,

To clarify, it is the Win7 client sending the TGS request to the DC and the DC responds positively.

I now have a more complete understanding of what's going on:

1. Win7 initiates a session with NT4. Nothing interesting.
2. Win7 sends the negotiate protocol response. Of note, we state that we support extended security.
3. NT4 responds that it does not support extended security. More precisely, when NT4 dinosaurs roamed the earth, that bit was likely still reserved.
4. Win7 issues a TGS request to the _DC_ to see if the host with that name really doesn't support extended security, or if the NT4 machine is trying to subject it to some sort of elaborate ruse. (i)
5. DC responds positively to the TGS req. (!!!)
6. Win7 closes the connection, and displays the error to the user.

i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx state:

94 Section 3.2.5.2 (http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94): When the server completes negotiation and returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB clients query the Key Distribution Center (KDC) to verify whether a service ticket is registered for the given security principal name (SPN). If the query indicates that the SPN is registered with the KDC, then the SMB client terminates the connection and returns an implementation-specific security downgrade error to the caller.

Since the Samba DC replies that the SPN is available (by fulfilling the request), I'm assuming we're triggering this documented behavior in the Win7 client.

Also of note, `klist` on the client has an entry for cifs/nt4test which `setspn -Q cifs/nt4test` confirms does not exist.

I can't confirm the behavior in #5 is a bug, but it certainly seems suspect.

On Jul 30, 2013 1:07 AM, Andrew Bartlett abart...@samba.org wrote:

On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote:

Yes, AD has explicit support for pre-2000 clients. WINS is alive and well and name resolution is working.

I really think the bogus TGS reply is messing things up, but I'd like to have someone more knowledgeable confirm the behavior is incorrect.

NT4 doesn't know about Kerberos, I think any TGS traffic is highly likely a red herring. Are you really sure the client is issuing it, and you have no additional software installed on the NT4 machine?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
Re: [Samba] How to install a replacement PDC?
Run testparm -v to see full details, including defaults that may not have been explicitly specified in smb.conf. You want to look out for the passdb backend value. On samba 3.4 or later tdbsam is probably the only valid local option. If you were using the smbpasswd file (text?) format on 3.0.x you may need to use the smbpasswd command to export / import to the TDB (trivial data base) format.

With the old primary domain server running you should join the new machine to the domain as a member server (net join). The localsid on all dc's should match the domainsid. You can probably then make the new machine a DC by changing the smb.conf to allow domain logons and by changing the localsid to be the domain sid. Verify that the user accounts are the same on each DC with pdbedit -Lv. You may find that some accounts did not export properly. Also make sure that each domain controller has the same group mappings (net rpc groupmap list?). From 3.0.x to 3.4 or later you may find you need to explicitly map some of the well known groups. You may also need to create an explicit nobody user in linux (and specify guest account = nobody in smb.conf).

Search for earlier posts by me that cover DC migration and 3.0.x to 3.4 upgrades.

On 07/29/13 11:24, sam...@nym.hush.com wrote:

Also, here are the 'global' sections from the 'testparm' command.

Existing Unix server

[global]
workgroup = DDOMAIN
server string = Samba Server PDC
smb passwd file = /etc/smbpasswd
log file = /usr/lib/samba/var/log.%m
max log size = 50
time server = Yes
keepalive = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
disable spoolss = Yes
logon script = %U.bat
logon drive = G:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
hosts allow = 192.0.0., 127.

New Debian server

[global]
workgroup = DDOMAIN
server string = %h server (Samba %v)
interfaces = 127.0.0.0/8, eth0
bind interfaces only = Yes
obey pam restrictions = Yes
smb passwd file = /etc/smbpasswd    ### I added this, but the file doesn't exist
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = %U.bat
logon drive = G:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
panic action = /usr/share/samba/panic-action %d
Re: [Samba] NT4 clients
I wouldn't have even guessed that NT4 would join a modern AD domain. It looks like MS did provide client software to join a Windows 2000 AD domain. Or does the NT4 machine think it is in an NT4 / Samba3 type domain? Presumably you can see the domain users in the local user manager program on the NT4 machine? And verify the security options.
http://www.windowsnetworking.com/articles-tutorials/windows-nt/nt4user.html

Do you have a WINS server running?

With XP/Windows 7 when you join an AD domain, the machine name usually gets set to a fully qualified domain name, e.g. mypc.mydomain.com. Does the host name of the NT4 machine match the expected AD fully qualified domain name (does nslookup ip_address on the NT4 machine return the expected hostname?) Are all machines in DNS? I think a hostname or dns mismatch could cause problems validating AD kerberos tickets.

I am running Samba 3, not 4, but found that using a WINS server and making sure key systems were in DNS helped solve some issues.

On 07/29/13 17:05, Ryan Bair wrote:

Oh, forgot to mention. Samba 4.0.7-4 Sernet packages running on CentOS 6.4.

On Mon, Jul 29, 2013 at 5:00 PM, Ryan Bair ryandb...@gmail.com wrote:

I'm attempting to get an old NT4 client participating in a Samba4 domain. Users can logon to the machine locally and access network shares on other machines in the network. However, no one can access shares on the NT4 machine using the machine name. Attempting this results in an error The account is not authorized to log in from this station. Using the IP address does work however.

The clients are configured to allow no smb signing and NTLMv1, I think I have all the security settings covered. I noticed while looking at wireshark though that the client is doing TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels very odd to me since there is no such SPN cifs/nt4test on the network. 'setspn -Q cifs/nt4test' confirms this.

I've also noticed that the MS docs state:

94 Section 3.2.5.2 (http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94): When the server completes negotiation and returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB clients query the Key Distribution Center (KDC) to verify whether a service ticket is registered for the given security principal name (SPN). If the query indicates that the SPN is registered with the KDC, then the SMB client terminates the connection and returns an implementation-specific security downgrade error to the caller.

The client does have CAP_EXTENDED_SECURITY set and I'm guessing the TGS-REQ is how Windows is testing the presence of the SPN. Since the test is succeeding and the server doesn't advertise the extended security capability, Windows disconnects.

Can someone confirm my hypothesis?
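Both NT4 threads above quote the same MS-CIFS endnote, so one model serves both. The following is an added example, not code from the threads, from Samba or from Microsoft: it decodes the Capabilities field of an NT LM 0.12 SMB_COM_NEGOTIATE response and applies the endnote's rule, with the KDC probe replaced by a set of SPNs the KDC would answer for. The parameter-block layout and the value of CAP_EXTENDED_SECURITY (0x80000000) are taken from MS-CIFS as I know it, not from the page; the two responses are constructed, not captured. It makes Ryan's hypothesis concrete: a server that leaves CAP_EXTENDED_SECURITY clear is accepted only while the KDC has nothing for its cifs/ SPN, so a DC that answers the probe for an unregistered SPN turns a legitimate legacy server into an apparent downgrade.

```python
"""Model the Windows SMB client's extended-security downgrade check
(MS-CIFS section 3.2.5.2, endnote 94, as quoted in the thread).

Added example: not code from the thread, from Samba or from Microsoft. The
negotiate responses are constructed sample data; the KDC is a stub."""
import struct

CAP_EXTENDED_SECURITY = 0x80000000  # Capabilities bit: server supports SPNEGO/Kerberos
CAP_UNICODE = 0x00000004
CAP_NT_SMBS = 0x00000010

# NT LM 0.12 negotiate response parameter block, little-endian, in field order:
# WordCount, DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize,
# MaxRawSize, SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength.
NEG_RESP_FMT = "<BHBHHIIIIqhB"
NEG_RESP_WORDCOUNT = 17
CAPABILITIES_OFFSET = 20  # 1+2+1+2+2+4+4+4 bytes precede Capabilities


def build_negotiate_response(capabilities, security_mode=0x03):
    """Construct a parameter block the way a server would send it (sample values)."""
    return struct.pack(NEG_RESP_FMT, NEG_RESP_WORDCOUNT, 0, security_mode, 50, 1,
                       16644, 65536, 0, capabilities, 0, 0, 8)


def parse_capabilities(param_block):
    """Return the 32-bit Capabilities field after validating length and WordCount."""
    if len(param_block) < struct.calcsize(NEG_RESP_FMT):
        raise ValueError("parameter block too short for an NT LM 0.12 negotiate response")
    word_count = param_block[0]
    if word_count != NEG_RESP_WORDCOUNT:
        raise ValueError(f"unexpected WordCount {word_count}; not an NT LM 0.12 response")
    (caps,) = struct.unpack_from("<I", param_block, CAPABILITIES_OFFSET)
    return caps


def client_decision(param_block, spn, kdc_registered_spns):
    """Apply the endnote-94 rule.

    kdc_registered_spns stands in for the TGS-REQ probe: membership means the KDC
    answered positively. In the thread the Samba DC did so for cifs/nt4test even
    though setspn -Q showed no such SPN."""
    caps = parse_capabilities(param_block)
    if caps & CAP_EXTENDED_SECURITY:
        return "continue: extended security negotiated"
    if spn in kdc_registered_spns:
        # Server claims no extended security, yet the KDC knows its SPN: treat as downgrade.
        return "abort: security downgrade"
    return "continue: legacy security, SPN unknown to KDC"


# Constructed scenarios from the thread: an NT4-era server without the bit, and a modern one.
NT4_RESPONSE = build_negotiate_response(CAP_UNICODE | CAP_NT_SMBS)
MODERN_RESPONSE = build_negotiate_response(CAP_UNICODE | CAP_NT_SMBS | CAP_EXTENDED_SECURITY)

if __name__ == "__main__":
    # The reported failure: DC answers the probe, client aborts.
    print(client_decision(NT4_RESPONSE, "cifs/nt4test", {"cifs/nt4test"}))
    # The healthy case for a legacy server: KDC has no ticket for it, client proceeds.
    print(client_decision(NT4_RESPONSE, "cifs/nt4test", set()))
    print(client_decision(MODERN_RESPONSE, "cifs/fs01", set()))
```

The check is a protection against a man-in-the-middle stripping extended security from a Kerberos-capable server, so the client's behaviour is the intended one; what the model isolates is that its correctness depends entirely on the KDC answering truthfully about which SPNs exist.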
Re: [Samba] Samba 3.6 issues
When I upgraded from samba 3.0.x to 3.4.x I ran into several issues. First of all, I would look through the logs. (They did not attach to your message.) I would also run testparm -v in case some default settings have changed. NTLM should be enabled. If you require NTLMv2 that may cause problems (I couldn't get it to work.)

1st, with idmap and domain trusts: With 3.0.x the idmap entries for trusted users were automatically created but they would expire in a week and have to be manually purged. With 3.4.x the idmap cache issue was fixed BUT the entries were no longer auto created. I had to manually add idmap entries in ldap for users in the trusted domain (only 5 or 6 anyway.) Do you use idmap for assigning user id's for users in the primary domain? I explicitly create user and group accounts. I would verify with pdbedit -Lv username and pdbedit -Lv computername$ that the samba accounts haven't lost their unix id and that everything looks OK.

I also found with 3.4.x (vs 3.0.x) that I needed to explicitly map the guest user and group. This could affect the share permissions. Generally I leave the share permissions unrestricted and rely on the file system permissions for all the control. Also make sure that the well known groups (e.g. Domain Users) look ok with net groupmap list.

Multiple smbd processes are normal; there should be one for each connection.

I also found it is better not to specify ports in the smb.conf. Although samba does not use 445 for data, windows clients NOT using wins may have problems connecting to samba servers if 445 is not running.

On 07/17/13 03:57, wong lmark wrote:
Dear Samba Team, There are three issues happening in my Samba 3.6.6

Issue 1: After the upgrade, when uploading a file which is more than 100mb to Samba, it shows the error "File name too long, cannot copy" in windows xp. Tried to use 3 different pcs to upload different files of more than 100mb; it also fails to transfer the file and shows the error. Tested to upload a file which is 25mb or 50mb, it is okay, no problem. Before upgrading to samba 3.6, I was using samba 3.0.28.

Issue 2: Users could logon to the pc within the domain, but the network drive could not be mapped from 15-7-16 after 18:00 around (e.g. \\dc01\netlogon). And the network drive could not be mapped through the net use command in windows xp. Also, the trust relationship with another domain chb was lost. Attached the samba log and error screen capture for reference.

Issue 3. When entering the command service smb status, it shows many process ids, is it normal?

Thanks for your help. Here is my smb.conf:

[global]
workgroup = HB
server string = DC01
netbios name = DC01
interfaces = eth0
hosts allow = 10. 172. 127.0.0.1
security = user
encrypt passwords = yes
unix password sync = no
socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
username map = /etc/samba/smbusers
admin users = root lh2 jos1
hide unreadable = yes
smb ports = 139
local master = yes
os level = 33
domain master = no
preferred master = yes
domain logons = yes
logon path =
logon home =
#logon path = \\%L\profiles\%U
#logon path = \\%L\%U\profiles
logon drive =
#logon home = \\%L\%U
#logon home = \\%L\homes
#logon script = %U.bat
logon script = %g.bat
wins support = yes
name resolve order = wins lmhosts host
dns proxy = no
add user script = /usr/sbin/smbldap-useradd -a -m %u
add machine script = /usr/sbin/smbldap-useradd -W %u
add group script = /usr/sbin/smbldap-groupadd -a -p %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
passdb backend = ldapsam:ldap://127.0.0.1
ldap delete dn = yes
ldap ssl = no
;winbind nested groups = no
ldap suffix = dc=ch,dc=com
ldap admin dn = uid=edp,dc=ch,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap passwd sync = yes
ldap delete dn = no
log file = /var/log/samba/%m.log
log level = 5
max log size = 1
template shell = /bin/false
;winbind use default domain = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S

[netlogon]
comment = Network Logon Service
path = /home2/samba/netlogon
guest ok = yes
writable = no
share modes = no

[testing]
path = /home2/test
comment = testing
writable = yes
browseable = no
create mode = 0770
directory mode = 2770
public = no
valid users = @testing
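Reviewing a posted smb.conf for the points raised in the reply (testparm output, the smb ports setting) is easy to script. The following is an added example, not code from the thread or from the Samba project: a minimal smb.conf reader plus a handful of checks. The port-445 check restates the reply's advice about clients that do not use WINS; the admin users check reflects Samba's documented behaviour that such accounts operate as root on the share; the guest-writable and plain-LDAP checks are general hardening checks I added. The sample file is a constructed, trimmed copy of the configuration posted above; the check names and messages are my own.

```python
import re

# Constructed sample: a trimmed copy of the [global] and share sections from
# the smb.conf posted above (not the full file).
SAMPLE_SMB_CONF = """
[global]
   workgroup = HB
   netbios name = DC01
   security = user
   admin users = root lh2 jos1
   smb ports = 139
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap delete dn = yes
   ldap ssl = no
   ;winbind nested groups = no
   ldap delete dn = no

[netlogon]
   path = /home2/samba/netlogon
   guest ok = yes
   writable = no

[testing]
   path = /home2/test
   writable = yes
   valid users = @testing
"""

_TRUE = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: [sections], 'key = value' lines, '#' and ';'
    comment lines. Parameter names are case-insensitive and a later duplicate
    overrides an earlier one, which is how smbd treats the file."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def is_yes(value) -> bool:
    return value is not None and value.strip().lower() in _TRUE


def share_is_writable(share: dict) -> bool:
    """'read only' and its inverse synonyms are one parameter in smbd (the last
    occurrence wins); this simplified check consults 'read only' first and
    falls back to the Samba default, which is read only."""
    if "read only" in share:
        return not is_yes(share["read only"])
    for synonym in ("writable", "writeable", "write ok"):
        if synonym in share:
            return is_yes(share[synonym])
    return False


def lint_smb_conf(conf: dict) -> list:
    """Return human-readable findings for the settings discussed in the thread."""
    findings = []
    g = conf.get("global", {})

    ports = g.get("smb ports")
    if ports is not None and "445" not in ports.split():
        findings.append(f"[global] smb ports = {ports}: 445 is not served, clients that "
                        "do not use WINS/NetBIOS name resolution may fail to connect")

    for name, section in conf.items():
        if "admin users" in section:
            findings.append(f"[{name}] admin users = {section['admin users']}: "
                            "these accounts perform all file operations as root")
        if name != "global" and is_yes(section.get("guest ok")) and share_is_writable(section):
            findings.append(f"[{name}] is writable by unauthenticated guests")

    m = re.match(r"ldapsam:ldap://([^/:]+)", g.get("passdb backend", ""))
    if m and m.group(1) not in ("127.0.0.1", "localhost", "::1") \
            and g.get("ldap ssl", "start tls").lower() != "start tls":
        findings.append(f"[global] passdb backend talks plain LDAP to {m.group(1)} with "
                        f"ldap ssl = {g['ldap ssl']}: hashes cross the network unencrypted")
    return findings


# Second constructed sample: the same file plus a guest-writable share.
SAMPLE_GUEST_WRITABLE = SAMPLE_SMB_CONF + """
[drop]
   path = /tmp/drop
   guest ok = yes
   read only = no
"""

if __name__ == "__main__":
    for finding in lint_smb_conf(parse_smb_conf(SAMPLE_GUEST_WRITABLE)):
        print("-", finding)
```

On the posted configuration the linter reports the port restriction and the admin users list; the netlogon share is guest-readable but not writable, so it is not flagged. Feeding it the output of testparm -s instead of the raw file resolves synonyms and defaults before the checks run.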
Re: [Samba] i can figure out. is it config issue or bug. please help
So you really mean Samba 2.7, or do you mean Samba 3.2.7?

On 07/17/13 02:09, Muhammad Yousuf Khan wrote:
I am using samba 3.6.5 with winbind for active directory authentication. There is a samba share folder named Filesharing and a plethora of folders are inside it. I have been using 2.7 stable for more than 2 years with no problem; however after my hard disk failure I had to restore data to a new server and install samba from zero. Fortunately or unfortunately samba has been updated in the debian repository to 3.5.6

root@nas:/nas/backup# smbd -V
Version 3.5.6

All users including the owner user and group can see the shared file, but only everyone/all users can not copy the file to their desktop or any other location in windows 7; they receive permission denied messages. However these are the same settings that I used to work with Samba 2.7 stable. Even groups who do not have r-x permission can not copy data. Same goes for everyone with r-x: no user can copy the data until I give them rwx. This wasn't happening previously. Is there anyone who can help me in this regard.

Thanks, MYK
Re: [Samba] Administrative users on domain
According to the net man page:

In order for Samba to be joined or unjoined remotely an account must be used that is either a member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege.

The simplest thing is probably to have the Domain IT group be a member of the local admin group on each machine. I don't know if you would need to grant them the SeMachineAccountPrivilege.

On 07/17/13 09:44, Donny Brooks wrote:
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:
Hello Donny,

On 12.07.2013 21:34, Donny Brooks wrote:
On the old domain, which was setup before I got here, our IT section was in an ldap group that allowed us to join PC's to the domain ...

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions

... and when the prompt came up in windows to install software we could log in as ourselves.

What do you mean by this? Do you want to have a group of users automatically in the administrator group on your workstations?
http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s

If you mean something else, please give some more details.

Regards,
Marc

Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link, that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.
Re: [Samba] Administrative users on domain
On 07/17/13 14:32, Donny Brooks wrote:
On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
[SNIP]

Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html And map our itgroup to the Domain Admins group. Although we do have a Domain Admins group in ldap. Should that cause an issue?

Group mapping is to make sure Windows groups map to the correct unix group. This is not like mapping a Windows user name to a different unix user name (e.g. Windows Administrator = Unix root.) With LDAP, group mapping is usually simpler since the LDAP object for a group usually has the Samba SID and the unix group id. The net groupmap list command is useful for validating this. You want to make sure that you do see group mapping for Domain Admins and Domain Users and other well known groups. You are more likely to have to use the net groupmap add command when you don't have LDAP.

Well known groups have specific relative IDs. The Domain Admins group HAS to have a relative ID of 512 in the SID. You have to make sure the Administrator is in the group. That behavior changes with versions newer than 3.0.x

# net groupmap list
Domain Admins (S-1-5-21--x-x-512) -> Domain Admins
...
# getent group Domain Admins
Domain Admins::512:Administrator
#

I don't think you have a samba issue. I think you have a general windows issue about the most practical way to provide the IT group with sufficient privileges to manage computers without giving too much access. Depending on the size of your IT department, and the necessity to audit/control who makes what change, each IT user may need two accounts, one that is a regular account and one that is a member of the domain admins and local admins group (e.g. donny and donny_admin.) This way they can do whatever they need, but they don't run as admin for routine tasks, and you can track who made what change (if need be) or limit who has full admin rights.
Re: [Samba] Administrative users on domain
On 07/17/13 15:02, Donny Brooks wrote:
On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
[SNIP]
It is correctly mapped and is 512. Nothing changed on the windows side during the domain change other than removing the machines from the old domain and rejoining them to the new one. We don't have to have the accounting trail that two accounts would give us right now. I just want to be able to tell my other people they can join computers to the domain and perform software upgrades with their own credentials.

OK, I am looking at your original post again. I don't think you said which version you had been using.

net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S enterprise -U superusername

Is the superusername the domain Administrator account? The problem seems to involve the superusername user, not the Domain Admins group. I think with older versions of samba, the Administrator account was implicit, and you could map the windows Administrator to the unix root account and all was OK
Re: [Samba] Administrative users on domain
On 07/17/13 16:12, Donny Brooks wrote:
On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
[SNIP]
Re: [Samba] 3.5.6 to 3.6.6: session setup failed
Does pdbedit -Lv still show users? You want to verify that samba is able to access LDAP.

On 07/12/13 08:51, Thiago Parolin wrote:
Hi, I think that someone has the solution for my problem! ;)
After I did the upgrade process on a samba server, from debian squeeze to wheezy, the new samba version (3.6.6) is not working. Searching on the web, there are many causes for this error, and I don't know which is mine. I can't connect with smbclient -L host -U ldapuser, which gives me the error:

session setup failed: NT_STATUS_UNSUCCESSFUL

How can I fix this?
Re: [Samba] About NAS versus Samba
With Samba 3.x (I think it was samba 3.4.x when we started deploying Windows 7) I found that offline folders on Windows 7 broke offline authentication.

On 07/12/13 02:43, Jim Potter wrote:
I use a Netgear readynas1500 as a fileserver for my Samba3/ldap domain which I've just upgraded to AD and it works fine in both cases (lots of users, though with relatively few active connections). It runs a bog standard Samba3 + winbind member server (NT or ADS) as far as I can tell. Having said that, the 2 shortcomings I have found are with windows 7 clients... troubles doing offline files (there are a bunch of tweaks, but none work perfectly) and it doesn't work too well with the libraries feature in win7 (it needs indexing of some sort that isn't provided by samba I think). BTW, would a Samba4 member server setup help with these issues? If it did, I'd upgrade even if it did invalidate the warranty...
cheers
Jim

On 11/07/2013 05:03, ferna...@lozano.eti.br wrote:
Hi Cris,

Hi there,
Has anyone tried to configure a NAS server to authenticate users using a Samba PDC, or even a Samba4 DC (AD-compatible) or an IPA server?

not in a while, but I have done a samba 3 DC

This was not my question. I'm ok running samba 3 DCs. :-) Have you ever configured a NAS so it would authenticate users from your Samba DC and then serve SMB file shares (aka network drives) to Windows desktops? I'm evaluating replacing some Linux file servers with a NAS product, but all of them make me nervous when the vendor talks about Active Directory support and nothing else.

if 3rd party support is your concern, why are you using fedora instead of RHEL?

Are you trying to sell me RHEL subscriptions or help me with my question? ;-) Anything wrong about asking about Fedora on a Fedora list, or is any server issue forbidden for Fedora users? ;-) AFAIK it shouldn't matter, from a technical perspective, if the samba DC runs Fedora, Debian, Slackware, RHEL, SuSE, Ubuntu, Solaris, whatever. I am not talking about OS level FC drivers or iSCSI initiators. Either a NAS will be compatible with Samba3, Samba4, both or neither. This depends on the SMB and MSRPC features needed by the NAS, all of them application level protocols, not kernel modules. If I'll need Red Hat support for managing this system is another, unrelated, question. If the NAS vendors state they support RHEL, that's not the question either, as supporting RHEL could mean the RHEL linux kernel smbfs and cifsfs driver talks to the NAS, not that the NAS talks to the Samba DC. Or else, RHEL support may mean just that the NAS talks NFS and so a RHEL machine can mount volumes from the NAS. That's not what I want.

Most times I see linux servers they are simply members of a MSAD domain, not the DC themselves.

But mine are. All vendors I talked to assume MSAD, and don't know about Samba. :-( Anyway Fedora is my desktop system and development workstation. The DC in question runs RHEL. But if this works I can try someday using Fedora or CentOS with the same (or another) NAS.

In theory, many NASes are Linux boxes running samba, so there shouldn't be a problem, except if the web admin interface won't support a samba DC setup and I won't have SSH access to configure the NAS samba myself

a cheaper nas will probably use samba, but not all NASs do. there are several commercial SMB/CIFS implementations out there.

At least iomega/lenovo/emc state their NAS runs Samba. And a lot of less known vendors also. I'll buy a single, cheap NAS, not a high end EMC rack full of boxes. :-) But... will any NAS you know work with a Samba DC, or else, using an IPA server? Or will they only work with Microsoft Windows Server AD? All vendors I contacted talk only about MS Active Directory. They don't even know about NT4-style domains, which would mean a Samba3 DC should work. Besides, AFAIK a Samba4 DC isn't supported by RHEL at all -- that's why I included IPA in my question -- I'd have to use Sernet packages for Samba4. Even then, Samba4 is very new, I don't know if a NAS implementation would accept it in place of a MSAD DC.

Most vendors talk to me about vmware, exchange and sql server support. They offer me windows-only backup servers and the like. Some even offer me SAP R/3 agents, while my ERP is another one. They can only follow their standard script for windows shops. So I ask for the collective knowledge from the Fedora and Samba lists... can anyone tell me "I tried this NAS and it worked"? Or should I better forget about this and keep using cheap intel boxes as file servers? Am I the first linux sysadmin in the world who's considering having a NAS replace some file servers but keeping his samba DCs?

[]s, Fernando Lozano
Re: [Samba] About NAS versus Samba
On 07/11/13 11:50, Jeremy Allison wrote:
On Thu, Jul 11, 2013 at 08:01:20AM -0500, Chris Weiss wrote:
On Wed, Jul 10, 2013 at 11:00 PM, Jeremy Allison j...@samba.org wrote:
but not all NASs do. there are several commercial SMB/CIFS implementations out there.

Sure, but none available to buy as a software-only product to my knowledge. They all come with hardware attached :-).

right, *I* can't buy the software, but a NAS vendor can license it for a product that I can buy.

No, they all write their own these days. None available to license as far as I'm aware.

I had a small iomega personal/workgroup NAS box (I think it was a snapserver.) It did run linux but the samba version didn't work with our samba 3.x PDCs. I think both were 3.0.x so it could have been some issue with our samba implementation. It did work with a Windows 2003 AD but that wasn't much use. Some of the NASs are now based on Windows Server. But I don't think any vendor will talk about samba compatibility (let alone promise it.) The Oracle/Sun NAS servers are based on Solaris 11 or OpenSolaris. Even if a NAS works with your current environment there is no guarantee the vendor will provide patches to keep it working in the future as you apply security fixes or patches to your samba servers. For samba users, implementing a NAS might not simplify things. If you were a windows only shop then a NAS is probably great for a small site. I would stick with a real linux/samba server; you then have complete configuration control.
Re: [Samba] About NAS versus Samba
On 07/11/13 12:29, Fernando Lozano wrote:
Hi,

what about the samba running on your NAS. I did a lot of NAS hacking pointing a running samba/winbind config of the vendor to my nt-style samba/ldap domain. But if you do so be aware you are losing your support :-). So if you can change the samba on your NAS you are up and running.

I don't have the NAS box yet. I wish advice on which one to buy based on compatibility with a Samba 3 PDC (or Samba 4 DC, or IPA). Vendors I talked to tell me it won't work, I'd have to use Microsoft AD. Knowing the Linux and Windows side (protocols, software) this doesn't make sense to me; I'm guessing the sales people I talked to simply don't know and don't want to learn. And it's not easy to tell the boss I'll buy a somewhat expensive box (for a small business) just to hack and see if it'll work the way I want. :-( It would help if you simply tell me which NAS you had success with and which one was easier, out-of-the-box, or had to be hacked.

[]s, Fernando Lozano

It seems common that vendors (esp the sales guys) assume you are running Windows 200x and AD. I think the logic is that "none of our customers use linux so we won't support it." It becomes self-fulfilling when anyone wanting something besides the basic Windows AD support looks for other solutions. Getting samba to work sometimes requires fiddling with protocol versions, WINS and DNS. For example windows 7 won't work with Samba 3.x until you tweak the registry. You can probably put together a price-comparable equivalent of the Buffalo using a white-box PC tower and linux. You can even set up software raid. It is more likely to work the way you want than a NAS box.
Re: [Samba] About NAS versus Samba
If you use raid you should either use a true hardware raid (e.g. from LSI or Adaptec) or true software raid. The firmware raid (aka fake raid) included on some motherboards is just asking for trouble. For the price of the true hardware raid card you might as well stick with software raid. Hot swap bays for SATA disks that you can use with a tower PC are fairly cheap: http://www.supermicro.com/products/accessories/mobilerack/CSE-M35T-1.cfm Don't cheap out on the disks though. Get 7200 RPM server or raid disks. I set up something with Solaris which gave me the benefits of ZFS. If you don't need the zfs functionality I would stick with a linux distro that you are comfortable with. Supermicro (and others) also have a range of whitebox towers and servers that are cheaper than buying from Dell or HP. Of course there is no customer support or extended warranty.

On 07/11/13 12:59, Scott Lovenberg wrote:
On Thu, Jul 11, 2013 at 12:55 PM, Fernando Lozano ferna...@lozano.eti.br wrote:
But you know, everyone buys NASes today, it's getting harder to explain that a common PC would be better. Here a server box with a RAID controller and hot-swappable disk bays is way more expensive than an iomega NAS in a rack form factor.

I've found the performance of those cheap NAS boxes (even the cheap ones are relatively expensive) to be sub-par. Most of them max out at a few MB/second. A reasonable set of hardware in a 2U with hot-swap drives will absolutely smoke a cheap NAS and the price/performance ratio is much better. Plus, you can use ZFS/BTRFS/etc as your backing store if you'd like on your own dedicated box.
--
Peace and Blessings,
-Scott.
Re: [Samba] Messed up SIDs: How to change machine SID?
I have an LDAP backend. In LDAP, the machine accounts for my windows and linux clients show the same base SID as the domain SID (ie. all but the last digits.) However I also have the mismatch with net getdomainsid, which definitely explains why they don't behave as I would expect. You may want to try fixing this with net setlocalsid. I guess when you join a unix or linux member server to the domain the localsid is not updated.

Re the BUILTIN groups, you may want to explicitly map these to unix groups rather than relying on winbind to do it, e.g. I created unix groups

# getent group
Builtin Admins::544:
Builtin Users::545:
Builtin Guests::546:

Then mapped the well known built-in Windows groups to the unix groups

# net groupmap add ntgroup=Administrators unixgroup=544 sid=S-1-5-32-544 type=builtin
# net groupmap add ntgroup=Users unixgroup=545 sid=S-1-5-32-545 type=builtin
# net groupmap add ntgroup=Guests unixgroup=546 sid=S-1-5-32-546 type=builtin
# net groupmap list | grep -i builtin
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Guests (S-1-5-32-546) -> Builtin Guests

The linux samba member servers I use mostly for IT use anyway so I never shook out all the bugs.

On 07/03/13 11:49, Marcus Mundt wrote:
Dear Samba Gurus,
I got the following errors:

tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168, 2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516, 2] auth/token_util.c:455(finalize_local_nt_token)
WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
[2013/07/02 15:40:51.811330, 2] auth/token_util.c:479(finalize_local_nt_token)
WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?

I guess the reason might be this:

net getdomainsid
SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

Shouldn't the SIDs be the same except the last digits???

Cheers, Marcus
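Two checks recur in this thread and in the "Administrative users on domain" thread above: that a group mapping for a well-known group carries the right RID (Domain Admins must be 512, the BUILTIN groups must be S-1-5-32-544/545/546), and that account SIDs (the sambaSID of a user, group or machine$ object in LDAP) share the domain SID's base, differing only in the trailing RID. The following is an added example, not code from either thread or from Samba: it parses net getdomainsid and net groupmap list output with regular expressions and applies both checks. The domain and machine SIDs are the values quoted in the post above; the groupmap lines and the account SIDs are constructed samples, and the well-known RID table and finding messages are my own.

```python
import re

# Well-known identifiers checked here: domain-relative RIDs and BUILTIN SIDs.
WELL_KNOWN_DOMAIN_RIDS = {"domain admins": 512, "domain users": 513, "domain guests": 514}
WELL_KNOWN_BUILTIN_SIDS = {"administrators": "S-1-5-32-544",
                           "users": "S-1-5-32-545",
                           "guests": "S-1-5-32-546"}

_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3}|S-1-5-32)-(\d+)$")
_GROUPMAP_RE = re.compile(r"^(.+?) \((S-1-5-[\d-]+)\) -> (.+)$")


def split_sid(sid: str):
    """Split a domain or BUILTIN SID into (issuer prefix, RID)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain or BUILTIN SID: {sid}")
    return m.group(1), int(m.group(2))


def same_domain(account_sid: str, domain_sid: str) -> bool:
    """True when an account SID is the domain SID with a RID appended."""
    return split_sid(account_sid)[0] == domain_sid


def domain_sid_from_getdomainsid(output: str) -> str:
    """Pull the domain SID out of 'net getdomainsid' output."""
    m = re.search(r"SID for domain \S+ is:\s*(S-1-5-21(?:-\d+){3})", output)
    if not m:
        raise ValueError("no domain SID line found")
    return m.group(1)


def parse_groupmap_list(output: str):
    """Parse 'net groupmap list' lines into (nt group, sid, unix group) tuples."""
    entries = []
    for line in output.splitlines():
        m = _GROUPMAP_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def check_groupmap(entries, domain_sid: str) -> list:
    """Findings for missing or mis-numbered well-known group mappings."""
    findings, seen = [], set()
    for nt, sid, unix in entries:
        key = nt.lower()
        seen.add(key)
        if key in WELL_KNOWN_DOMAIN_RIDS:
            base, rid = split_sid(sid)
            if base != domain_sid:
                findings.append(f"{nt}: {sid} is not in domain {domain_sid}")
            if rid != WELL_KNOWN_DOMAIN_RIDS[key]:
                findings.append(f"{nt}: mapped to {unix} with RID {rid}, "
                                f"expected {WELL_KNOWN_DOMAIN_RIDS[key]}")
        elif key in WELL_KNOWN_BUILTIN_SIDS and sid != WELL_KNOWN_BUILTIN_SIDS[key]:
            findings.append(f"{nt}: {sid} should be {WELL_KNOWN_BUILTIN_SIDS[key]}")
    for name in WELL_KNOWN_DOMAIN_RIDS:
        if name not in seen:
            findings.append(f"{name}: no group mapping present")
    return findings


# Constructed samples. The SIDs are the ones quoted in the post above; the
# groupmap lines are made up to show a healthy and a broken mapping.
SAMPLE_GETDOMAINSID = """\
SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449
"""
SAMPLE_GROUPMAP_OK = """\
Domain Admins (S-1-5-21-2762780445-1763757571-3541238449-512) -> Domain Admins
Domain Users (S-1-5-21-2762780445-1763757571-3541238449-513) -> Domain Users
Domain Guests (S-1-5-21-2762780445-1763757571-3541238449-514) -> Domain Guests
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Guests (S-1-5-32-546) -> Builtin Guests
"""
SAMPLE_GROUPMAP_BAD = """\
Domain Admins (S-1-5-21-2762780445-1763757571-3541238449-1001) -> itgroup
Domain Guests (S-1-5-21-2762780445-1763757571-3541238449-514) -> Domain Guests
Administrators (S-1-5-32-544) -> Builtin Admins
"""

if __name__ == "__main__":
    dom = domain_sid_from_getdomainsid(SAMPLE_GETDOMAINSID)
    for label, text in (("ok", SAMPLE_GROUPMAP_OK), ("bad", SAMPLE_GROUPMAP_BAD)):
        print(label, check_groupmap(parse_groupmap_list(text), dom))
```

The broken sample reproduces the situation from the other thread, an IT group mapped under the Domain Admins name with an ordinary RID, which Windows members do not treat as Domain Admins. same_domain is the check for the "same base SID except the last digits" expectation: it holds for account SIDs issued by the domain, and a machine account whose sambaSID carries a different base was not created under this domain's SID.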
Re: [Samba] file server or member server?
On a very general level, a member server is joined to the domain so that it can use the domain accounts. A member server is typically a file server but does not have to be (you could be using it as a web server, or application server or even a workstation.)

A domain controller can be a file server, although in many cases a domain controller will only provide authentication and logon functions. It does need to have file shares to provide access to the logon scripts and profile directories used by Windows clients but that doesn't really make it a file server.

A server that is not a member server or a domain controller is considered to be a standalone server. These concepts apply to Windows/Samba domains whether you are running domains based on Samba 3, Samba 4, Windows 200x or Windows NT.

On 07/01/13 04:27, steve wrote:
Hi everyone
What's the difference between a file server and a member server? I have a 4.0.6 DC which is a file server for sysvol. I also have a 4.0.6 file server for the other folders which go out to the clients. Do I have a member server? Or is a member server one upon which all files are served from the DC?
Cheers,
Steve
Re: [Samba] file server or member server?
I don't think it necessarily makes it a member server BUT if it isn't a member server it is going to be pretty useless for serving profiles. I have not worked with Samba4 myself - I have worked with Samba 3 (and Windows 200x AD, and NT4) so you may want to review the samba 4 specific docs for basic config. In samba 3 a quick review of the smb.conf file (or the output of testparm -v) will reveal the type of setup. Did you inherit these machines from someone else?

On 07/01/13 14:18, steve wrote:
On Mon, 2013-07-01 at 17:04 +0100, Jonathan Buzzard wrote:
On Mon, 2013-07-01 at 09:59 -0400, Gaiseric Vandal wrote:
[SNIP]
A domain controller can be a file server, although in many cases a domain controller will only provide authentication and logon functions. It does need to have file shares to provide access to the logon scripts and profile directories used by Windows clients but that doesn't really make it a file server.

The profile directories can be located on a server other than a domain controller.

Hi
Our profile directories are stored on what I call our file server. Does that make it a member server?
Re: [Samba] file server or member server?
Good explanation. Better than mine. I tend to think of the roaming profiles as part of the logon experience, since they sync with your computer when you logon. Actually, I found roaming profiles to be more trouble than they were worth so I don't use them anyway.

On 07/01/13 17:36, Jonathan Buzzard wrote:
On 01/07/13 19:56, steve wrote:
[SNIP]
Yes. We take stand alone machines and network them by adding a DC and what we call a file server. What I'd like to know is why some guys here call what seems to be what we call a file server, a member server. I feel we're missing out on something.

In both NT4 style and AD domains you have servers called domain servers that serve identification information and provide authentication services. These servers may also do other things such as serve files, but it is the identification and authentication services that make them domain servers. Any server providing identification and authentication services is a domain server regardless of anything else it does.

You can then have other servers, such as file servers, print servers, web servers etc. that are joined to the domain, and thus you can use your domain credentials to authenticate to these servers, in the case of an AD domain using the Kerberos ticket you got when you logged onto your workstation. However crucially they don't provide identification or authentication services. These servers are called member servers.

With larger domains it makes sense to separate out your file and print servers from your domain servers, so that the domain servers are effectively only providing the identification and authentication services and your file and print services are handed off to dedicated machines for the task. There is no way a domain server is going to cope at a large University for example with tens of thousands of users.

This however is very basic Windows domain terminology/knowledge which I would expect anyone offering advice on Samba to fully understand first.

JAB.
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)

Long and short - I found it easiest to have the LDAP server on the same machine as the DC. I have one PDC and one BDC (sometimes 2 BDC's.) Each PDC uses its own ldap server and the ldap servers are configured for replication.

The simplest solution may be to set the local and domain sid of the LDAP server to the same sid as the DC, and join the LDAP server to the domain as a DC.

On 06/20/13 04:26, Philipp Lies wrote:
Hi,
I'm trying to get my new samba server running for a few days now and I start losing my mind over not figuring out what I'm doing wrong. Here's my setup:

OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix and a samba NT password stored in the LDAP as well as a User SID and Primary Group SID assigned and stored in the LDAP, derived from the SID of the LDAP Server. Now I want several samba servers to use the LDAP server to authenticate users. One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap server. getent passwd/group returns all users and ssh to the samba machine works for all users. Samba is v3.6.9-151.el6.
Now here's the smb.conf (I removed the shares):

    [global]
    workgroup = X
    security = user
    passdb backend = ldapsam:ldap://myldapserver
    ldap suffix = dc=mydomain,dc=com
    ldap admin dn = cn=replicator,dc=mydomain,dc=com
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap ssl = start tls

The ldap connection works, as `pdbedit -L` shows:

    pm_process() returned Yes
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    smbldap_search_paged: base = [dc=mydomain,dc=com], filter = [(&(uid=*)(objectclass=sambaSamAccount))],scope = [2], pagesize = [1024]
    smbldap_search_paged: search was successful
    sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain

and then the last message repeats for all uids.

Using `smbclient -L localhost -U someid` the log file says:

    check_ntlm_password: Checking password for unmapped user [XXX]\[someid]@[SAMBAHOST] with the new password interface
    check_ntlm_password: mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
    StartTLS issued: using a TLS connection
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    The LDAP server is successfully connected
    init_sam_from_ldap: Entry found for user: someid
    Home server: SAMBAHOST
    Home server: SAMBAHOST
    init_group_from_ldap: Entry found for group: 1011
    init_group_from_ldap: Entry found for group: 1011
    Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN and not a domain group
    Forcing Primary Group to 'Domain Users' for someid
    ntlm_password_check: Checking NTLMv2 password with domain [CIN]
    sam_account_ok: Checking SMB password for user someid
    The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
    check_ntlm_password: Authentication for user [someid] - [someid] FAILED with error NT_STATUS_UNSUCCESSFUL

What I see here is that the samba server does not recognize the primary group of the user (which is an existing group in the LDAP) and therefore maps the primary group to its local Domain Users group which then obviously does not match the domainSID of the userid. But why doesn't the samba server recognize the group? Or is there a different underlying problem?

What I tried so far:
- Changing the SID of the samba server to the SID of the LDAP server, but `net setlocalsid S-...` did not change the local SID. No error message, just executed successfully but getlocalsid returned the old SID.
- Setting the domainsid of the samba server to the SID of the ldap server. `net setdomainsid S-...` was successful but the samba server still refuses to authenticate the users.
- Tried adding the server to the domain with `net join XXX` but the answer was just "standalone server cannot join domain".
- I tried to run `smbpasswd -a` to add the user to the local samba db (even though this would not be an option for the final solution, but that's what other users recommended), but the error didn't change.

How can I either tell samba to ignore the domain SID mismatch or force samba to have the same SID as the LDAP? Or would this cause
Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch
OK. I understand (at least a little better.) So the correct behaviour would be for the standalone workgroup machines to say "I don't know who DOMAIN/user1 is, so I will map to local user1."

The standalone servers should be using LDAP for unix accounts but I don't think you really should use the common LDAP backend for samba accounts. You would need to use smbpasswd or pdbedit to create local samba users on each member server, which means the member servers would each use a local tdb database not ldap for samba. If you want to centralize the samba accounts I think the proper way would be to use member servers.

That being said, if the current set up is working on some machines but not others, I would run testparm -v on each domain member and see if there are differences on mapping behavior. Different OS's may have slightly different versions of samba and the default smb.conf parameters may have changed.

Also run net groupmap list on each member server. You may need to explicitly set group mappings for key windows groups (i.e. the group sid maps to a unix group.) e.g.

    # net groupmap list
    ...
    Administrators (S-1-5-32-544) - Builtin Admins
    Users (S-1-5-32-545) - Builtin Users

    # getent group Builtin Admins
    Builtin Admins::544:

On 06/20/13 10:40, Philipp Lies wrote:
On 20.06.2013 15:04, Gaiseric Vandal wrote:
If I follow correctly the LDAP server is NOT in the domain? The Samba accounts should be using the SID of the Samba PDC not the SID of the LDAP server. This of course means that a Samba member server can't use the same LDAP back end (at least for Samba authentication.)

The LDAP server is the PDC, however, there are no domain members. All my samba servers are standalone servers which are not domain members. This seems to work nicely with my debian machines but not the centos ones.
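The two failures in this thread and in the "net getdomainsid" thread above are both the same SID check: an account SID is the domain SID plus one trailing RID, and Samba only treats an account (or a primary group) as its own when the part before the RID equals the domain SID it knows. The script below is an added example written for this page, not code from the list or from Samba; it does that comparison on the M1 output Marcus quoted and on constructed SIDs standing in for the [LDAPSID] and [LOCALSID] placeholders in Philipp's log.

```shell
#!/bin/sh
# Added example, not code from the list posts: the SID arithmetic behind
# "does not belong to our domain" and "primary group domain sid ... does not
# match the domain sid". A SID S-1-5-21-A-B-C-RID is the domain SID
# S-1-5-21-A-B-C plus one RID; Samba accepts an account only when the part
# before the RID equals the domain SID of the server (or of a known domain).

# Strip the trailing RID: S-1-5-21-A-B-C-RID -> S-1-5-21-A-B-C
sid_base() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# The RID alone: S-1-5-21-A-B-C-515 -> 515
sid_rid() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# Succeed when account SID $1 was issued by domain SID $2.
sid_in_domain() {
    [ "$(sid_base "$1")" = "$2" ]
}

# Succeed when user SID $1 and primary group SID $2 come from the same domain,
# the condition make_server_info_sam() fails on in the log above.
primary_group_ok() {
    [ "$(sid_base "$1")" = "$(sid_base "$2")" ]
}

# Parse "net getdomainsid" output and print "same" or "different".
compare_getdomainsid() {
    lsid=$(printf '%s\n' "$1" | sed -n 's/^SID for local machine .* is:[ ]*//p')
    dsid=$(printf '%s\n' "$1" | sed -n 's/^SID for domain .* is:[ ]*//p')
    if [ "$lsid" = "$dsid" ]; then echo same; else echo different; fi
}

# Output for machine M1 as quoted in Marcus Mundt's mail above.
SAMPLE_M1='SID for local machine M1 is:S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449'

# Constructed SIDs standing in for [LDAPSID] and [LOCALSID] from the log.
LDAP_DOMAIN='S-1-5-21-1111-2222-3333'
USER_SID="$LDAP_DOMAIN-5708"
PG_LOCAL='S-1-5-21-4444-5555-6666-513'   # "Domain Users" of the local (wrong) domain
PG_LDAP="$LDAP_DOMAIN-1000"              # the group actually stored in LDAP

compare_getdomainsid "$SAMPLE_M1"                                       # different
primary_group_ok "$USER_SID" "$PG_LOCAL" && echo match || echo mismatch  # mismatch
primary_group_ok "$USER_SID" "$PG_LDAP" && echo match || echo mismatch   # match
```

On a real server feed it `net getdomainsid` and the SIDs from `pdbedit -Lv` or the LDAP entries; an account whose base does not equal the server's domain SID is exactly the one pdbedit reports as not belonging to our domain.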
Re: [Samba] Problems when saving AutoCAD files
Is this on all saves? Can you do a save as and create a new doc?

I had an issue with Office 2003 on Samba 3.0.x, Solaris 10 with ZFS file system. For the 1st 6 saves the MS app would modify the file. Every 7th (?) save MS would delete the file and write a new one. The problem would be that MS would try to set file permissions - most apps would just let the OS handle the file permissions. Users had the appropriate permissions to create and delete files but not modify ACL's. This had not been an issue with the older UFS file system. In terms of how samba and UFS played together, the unix file perms were the classic ugo / rwx. The ZFS acl's are closer to the Windows ACL's than UFS ACL's were.

I am guessing if Autocad is the only app affected then autocad is trying to write out some more complex file permissions. I haven't worked with samba 4. Can you adjust acl options in samba config?

On 06/20/13 17:15, Santiago Pestarini wrote:
2013/6/14 Santiago Pestarini santiago...@gmail.com:
Hi! I was searching for info about this issue and found almost nothing. So, let's go directly to the matters...

- Problem: AutoCAD says "You do not have permission to save to this location." when trying to save the file in the samba share dir. (This problem only occurs with AutoCAD.)
- Scenario: Running AutoCAD in a WinXP/Win7 PC, opening a DWG AutoCAD file from samba share dir in Zentyal Linux server. I have Samba 4.0.5 running in my Zentyal 3.0.21, both recently updated.
- smb.conf contents:

    [global]
    workgroup = ESTUDIO
    realm = ESTUDIO.LAN
    netbios name = zentyal
    server string = Zentyal File Server
    server role = dc
    server role check:inhibit = yes
    server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    server signing = auto
    interfaces = lo,eth0
    bind interfaces only = yes
    log level = 3
    log file = /var/log/samba/samba.log
    guest ok = yes
    map to guest = bad user
    guest account = nobody
    auth methods = guest sam_ignoredomain

    [profiles]
    path = /home/samba/profiles
    browseable = no
    read only = no

    [netlogon]
    path = /opt/samba4/var/locks/sysvol/estudio.lan/scripts
    browseable = no
    read only = yes

    [sysvol]
    path = /opt/samba4/var/locks/sysvol
    read only = no

    [homes]
    comment = Directorios de usuario
    path = /home/%S
    read only = no
    browseable = no
    create mask = 0611
    directory mask = 0711
    vfs objects = acl_xattr full_audit scannedonly recycle

    # Shares
    [expedientes]
    comment = Expedientes
    path = /home/samba/shares/expedientes
    browseable = Yes
    read only = No
    force create mode = 0660
    force directory mode = 0660
    vfs objects = acl_xattr full_audit scannedonly recycle

Also read this where Autodesk wash their hands, blaming the server, the client, the network, etc:
http://forums.autodesk.com/t5/Installation-Licensing/Unable-to-save-drawing/td-p/72075

Please Help!

What about this? Did I make some mistake in my question? Please, can someone throw me anything? I really need some help...
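The reply above describes the save pattern that trips permission problems: the application writes a temporary file, replaces the original with it and deletes the old one, rather than modifying in place. The script below is an added example written for this page (not the poster's or Samba's code) that performs those steps one at a time on a directory so the failing step can be named; run it on the server, on the share's unix path, as the unix user the client connects as. The temporary directory it uses here is constructed.

```shell
#!/bin/sh
# Added example, not code from the list posts: reproduce the save pattern the
# reply describes (write a temporary file, replace the original with it,
# delete the old one, and create a subdirectory) against a directory, as the
# connecting unix user, so a "you do not have permission to save" report can
# be narrowed to a single failing step.

# Print "ok" or the name of the first step that fails.
save_cycle_check() {
    dir="$1"
    target="$dir/drawing.dwg"
    tmp="$dir/drawing.dwg.tmp"
    # stderr is redirected first so a failed open does not spam the terminal
    printf 'original\n' 2>/dev/null > "$target" || { echo create; return 1; }
    printf 'saved\n' 2>/dev/null > "$tmp"       || { echo create-temp; return 1; }
    mv -f "$tmp" "$target" 2>/dev/null          || { echo replace; return 1; }
    rm -f "$target" 2>/dev/null                 || { echo delete; return 1; }
    mkdir "$dir/subdir.check" 2>/dev/null       || { echo mkdir; return 1; }
    rmdir "$dir/subdir.check" 2>/dev/null       || { echo rmdir; return 1; }
    echo ok
}

# Constructed share directory; on a real server use e.g.
#   su - <user> -c 'sh savecheck.sh /home/samba/shares/expedientes'
SHARE=$(mktemp -d)
trap 'rm -rf "$SHARE"' EXIT
save_cycle_check "$SHARE"    # ok
```

If the plain unix steps all succeed as that user, the remaining suspects are the things unix perms do not cover: the xattr ACLs the share's vfs modules maintain and whatever security descriptor the application writes on the new file.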
Re: [Samba] Samba + LDAP: Issue adding machine.
I would compare the LDAP attributes between a problem machine and a working machine. Each machine has to have a unique unix account name and SID.

Normally you don't need to precreate the samba acct with smbpasswd -a -m or pdbedit. However it may help with the diagnostics to see what is not getting created. If you use smbpasswd or pdbedit to create the account, then use the ldap editor to fill in the missing attributes, then you should be able to join the domain.

Also double check that machine accounts are not being created in some other LDAP ou than you expected. You might be trying to fix one ldap entry while samba is creating one somewhere else. It gets tricky when you use smbpasswd or pdbedit to create an account and it sees some attributes ther

On 06/14/13 07:49, Luis H. Forchesatto wrote:
Hi Gaiseric
Thanks for the reply. I believe the problem is not the flags but I will check them again as you suggested. I've found this problem quite annoying because it is not on my network, it's on a remote network and I need to move physically to another place in order to test the environment, quite boring also.
Regarding the sambaPrimaryGroupSID I'll check again but I believe it MAY be the problem :)
Also, can this cause this problem? Another machine was already created previously... something like?

2013/6/10 Gaiseric Vandal gaiseric.van...@gmail.com:
I found that Samba 3.5.x has trouble creating the LDAP attributes correctly on new machine accounts. I think Samba 3.4.x was OK. Rejoining a machine to a domain was usually OK. You may need to do a mix of account creation with smbpasswd and LDAP modification with the LDAP editor.

It appears to incorrectly set sambaAccountFlags as [U] (user) instead of [W] (workstation). When attempting to join a machine to the domain you may get an error that the account already exists. Use an LDAP editor to make sure sambaAccountFlags is set to [W]. (You can use pdbedit to verify the setting but not to change it to [W].)

    type: sambaAccountFlags
    value: [W ]

If, when joining a domain, you get an error that "the specified network password is not correct", you may need to precreate the samba account attributes with the pdbedit or smbpasswd commands. Try the following on spooky:

    # smbpasswd -x -m machinename
    # smbpasswd -a -m machinename

You MAY also need to make sure that the sambaPrimaryGroupSID is also set. It should end with 515.

    type: sambaPrimaryGroupSID
    value: S-1-5-21-xxx-xxx-xxx-515

On 06/10/13 08:33, Luis H. Forchesatto wrote:
Greetings.
I've run into a trouble when trying to add a new Win7 machine on a domain. The domain is controlled by a server running Samba + LDAP (samba compiled with ldap support), on a Debian 5 OS at the local network.
I've added the machine name to the LDAP tree through phpldapadmin using the option "Samba3 Machine" on the related submenu and via terminal on samba. Then I renamed the new machine to match the computer name and tried to add it to the domain. When prompted for credentials to add the new machine I entered the admin login and password and hit enter. Windows then returned the following error (something like):

    The junction operation was not well succeeded. Maybe another existing machine account "machine_account_name" was created previously using another set of credentials. Use another computer name or contact the admin to remove any obsolete conflicting account. Error: Access denied.

Any ideas for the troubleshoot will be welcome.
-- 
Att.
Luis H. Forchesatto
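Comparing a problem machine's LDAP entry with a working one, as the reply suggests, comes down to a handful of attribute checks. The script below is an added example written for this page (not code from the list or from Samba) that runs those checks over an LDIF entry such as `ldapsearch -LLL` would print: trailing `$` on the uid, a W in the account flags, a primary group SID ending in 515 and an account SID issued by our own domain. One naming note: the attribute defined in Samba's LDAP schema is `sambaAcctFlags`; the post refers to it as sambaAccountFlags. The domain SID and the two entries below are constructed.

```shell
#!/bin/sh
# Added example, not code from the list posts: sanity-check the LDAP entry of
# a Samba 3 machine account before retrying the domain join. It reads an LDIF
# entry (ldapsearch output, or the constructed ones below) and reports the
# defects discussed above. The schema attribute is sambaAcctFlags; the post
# calls it sambaAccountFlags.

# $1 = LDIF text, $2 = attribute name; prints the first value of that attribute
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# Print "ok" or a space-separated list of problems for machine entry $1
# belonging to domain SID $2.
check_machine_entry() {
    entry="$1"
    domsid="$2"
    problems=""
    uid=$(ldif_attr "$entry" uid)
    flags=$(ldif_attr "$entry" sambaAcctFlags)
    pgsid=$(ldif_attr "$entry" sambaPrimaryGroupSID)
    sid=$(ldif_attr "$entry" sambaSID)

    # machine account names carry a trailing $
    case "$uid" in *\$) ;; *) problems="$problems uid-lacks-dollar" ;; esac
    # W = workstation trust account; U would make it an ordinary user
    case "$flags" in *W*) ;; *) problems="$problems flags-not-W" ;; esac
    # primary group of a machine account is Domain Computers, RID 515
    case "$pgsid" in "$domsid-515") ;; *) problems="$problems primarygroup-not-515" ;; esac
    # the account SID must be issued by our own domain
    case "$sid" in "$domsid"-*) ;; *) problems="$problems sid-not-in-domain" ;; esac

    if [ -z "$problems" ]; then
        echo ok
    else
        printf '%s\n' "${problems# }"
    fi
}

# Constructed domain SID and entries (not from any real directory).
DOMSID='S-1-5-21-1111-2222-3333'

# What the post describes Samba 3.5.x writing: flagged [U] instead of [W],
# and the primary group left at Domain Users (513).
BROKEN_ENTRY='dn: uid=pc01$,ou=computers,dc=example,dc=test
uid: pc01$
sambaSID: S-1-5-21-1111-2222-3333-3004
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-513
sambaAcctFlags: [U          ]'

FIXED_ENTRY='dn: uid=pc01$,ou=computers,dc=example,dc=test
uid: pc01$
sambaSID: S-1-5-21-1111-2222-3333-3004
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-515
sambaAcctFlags: [W          ]'

check_machine_entry "$BROKEN_ENTRY" "$DOMSID"   # flags-not-W primarygroup-not-515
check_machine_entry "$FIXED_ENTRY" "$DOMSID"    # ok
```

Against a live directory the entry text comes from something like `ldapsearch -LLL -b ou=computers,dc=example,dc=test '(uid=pc01$)'` and the domain SID from `net getlocalsid` on the PDC; a nonempty problem list is what to fix in the LDAP editor before joining again.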
Re: [Samba] Configuring New Replacement Server For Samba
run the testparm -v command - that will show you the location of key files and directories including
- smb.conf
- private directory (which typically contains the smb passwd file)
- the lock and cache directory or directories (which include various TDB files.)
- netlogon directory (including netlogon scripts)
- profile directory (if applicable)

You should not need to rejoin. But you should assume that the config for 3.5.x may need to be tweaked to work with 3.6.x.

Non-samba files will include things like /etc/host and /etc/resolv.conf.

When you replace one machine with another machine with the same ip, existing machines may not be able to connect to the new machine until the old arp entries expire. Should be less than one hour but more than 30 seconds.

On 06/03/13 10:29, bhogue wrote:
Hi,
I did not get a response for the below. I was just wondering, if this is not the right place for this question can someone suggest another mailing list.
Thanks
Bob

On 05/30/2013 12:46 PM, bhogue wrote:
Hi,
I am replacing my current RHEL 6 clustered samba server with new servers. The IP's and hostnames will be the same.
The samba version on the old config is: samba-3.5.10-115.el6_2.x86_64
The samba version on the new config is: samba-3.6.9-151.el6.x86_64
What do I need to do to copy the samba configuration to the new servers. Will I need to do a net join again? Or will it just work because the ip's and hostnames are the same.
Thanks
Bob
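To turn the "run testparm -v" advice into a copy list, the added example below (written for this page, not code from the list or from Samba) pulls the directory parameters and the share paths out of testparm output. The parameter names are Samba 3's; the testparm output fed to it here is constructed, and on a real server the same functions take `testparm -s -v 2>/dev/null` instead.

```shell
#!/bin/sh
# Added example, not code from the list post: pull the directories that
# matter for a migration out of "testparm -v" output, so the copy list is
# built from what the old server actually uses rather than from memory.
# Parameter names are Samba 3's; the sample output below is constructed.

MIGRATION_KEYS='private dir|lock directory|state directory|cache directory|pid directory|log file'

# Print "key = value" for each migration-relevant global parameter in $1.
samba_paths() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -E "^($MIGRATION_KEYS) = "
}

# Print just the value of parameter $2 from testparm output $1.
samba_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = //p" | head -n 1
}

# Print "share path" for every non-global section that has a path
# ([netlogon], [profiles], ...), so the script directories get copied too.
share_paths() {
    printf '%s\n' "$1" | awk '
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec != "" && sec != "global" && $1 == "path" { print sec " " $3 }'
}

# Constructed testparm -v excerpt (real output lists every parameter).
SAMPLE_TESTPARM='[global]
    private dir = /var/lib/samba/private
    lock directory = /var/lib/samba
    state directory = /var/lib/samba
    cache directory = /var/lib/samba
    pid directory = /var/run
    log file = /var/log/samba/log.%m
    security = USER
[netlogon]
    path = /srv/samba/netlogon
    read only = No
[profiles]
    path = /srv/samba/profiles
    read only = No'

# On the old server: OUT=$(testparm -s -v 2>/dev/null)
samba_paths "$SAMPLE_TESTPARM"
share_paths "$SAMPLE_TESTPARM"
```

The private dir (smbpasswd, secrets.tdb with the machine trust and the domain SID) is what makes rejoining unnecessary when it is carried over; the lock, state and cache directories hold the TDBs, and the share paths are the netlogon and profile trees the reply lists.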
Re: [Samba] Looking for compiled version 1.9 of Samba - revised
What do you mean bridge? Are you trying to make files accessible to windows users? It looks like GCC binaries are available for SCO - although maybe not your version.
http://gcc.gnu.org/install/binaries.html
ftp://ftp2.sco.com/pub/skunkware/odt3/CD-ROM/bin/

On 05/29/13 19:52, Paul Davis wrote:
Much thanks to all respondents. Since 1.9 is a very old version, I have the source code but am looking (close to begging) for someone who has a compiler to create an executable for me. I would be glad to send along the source, if you could compile and return an executable. This is the better request than to ask someone for their compiler.
Thank you
Paul Davis
Sr. Business Development Manager
CONNX Solutions - www.connx.com
Direct - (425) 519-6670
Mobile - (425) 269-3956
Toll free - (888) 882-6669 x6670

From: Paul Davis
Sent: Thursday, May 23, 2013 3:48 PM
To: 'samba@lists.samba.org'
Subject: Looking for compiled version 1.9 of Samba

I am trying to assist a client who needs a compiled version of Samba 1.9 for his SCO ODT 3.2 v4.2 environment. We are trying to connect an old version of DataFlex on SCO and need the bridge. Anybody have an old compiled version?
Thanks
Paul Davis
Sr. Business Development Manager
CONNX Solutions - www.connx.com
Direct - (425) 519-6670
Mobile - (425) 269-3956
Re: [Samba] BDC needs a [profile] and [netlogon] share ?
I looked through the smb.conf man page. It looks like logon script should be relative to the netlogon directory. I would set up identical netlogon directories on both PDC and BDC. Both machines have the same logon script parameter, e.g.

    logon script = %U.bat

This means that you need to keep the logon scripts in sync. If you update on the PDC, you should copy to the BDC netlogon directory.

I don't use the logon script param on my system. Instead, I use pdbedit to specify the logon script used by each user. Each user uses the same logon script anyway so when I update it on the PDC I only have to replicate that one script to the other machines. It also makes it easy to have a test logon script for one or two users only.

Alternately, rather than having a separate logon script for all users you could just have

    logon script = common.bat

From a windows machine make sure you can see the netlogon share on each DC.

On 05/24/13 06:55, ?icro MEGAS wrote:
Hi all,
I have a BDC which uses the LDAP backend of my PDC. Unfortunately all the users who log in in the morning and who are processed by this BDC do not get their logon script executed. The BDC logs this error message:

    [2013/05/24 07:28:11.946577, 2] auth/auth.c:304(check_ntlm_password)
      check_ntlm_password: authentication for user [foobar] - [foobar] - [foobar] succeeded
    [2013/05/24 07:28:11.948108, 0] param/loadparm.c:8686(process_usershare_file)
      process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. File or directory not found
    [2013/05/24 07:28:12.976867, 0] param/loadparm.c:8686(process_usershare_file)
      process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. Access denied
    [2013/05/24 07:28:12.979372, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
      init_sam_from_ldap: Entry found for user: foobar

I did not understand why the BDC looks for the netlogon at /var/lib/samba/usershares/netlogon so I double-checked my smb.conf, on both PDC and BDC. Here are the relevant options in smb.conf:

***PDC*** smb.conf:

    [global]
    ...
    security = user
    passdb backend = ldapsam:ldap://172.16.0.1
    logon script = %U.bat
    logon path = \\pdc\profiles\%U
    logon drive = U:
    domain logons = Yes
    preferred master = Yes
    local master = Yes
    domain master = Yes
    os level = 254
    wins support = Yes
    ...
    [netlogon]
    comment = Logon batch
    path = /file01/netlogon
    write list = @Domain Admins

    [profiles]
    comment = Centralized Roaming Profiles
    path = /file01/profile
    read only = No
    browseable = No

***BDC*** smb.conf:

    [global]
    ...
    security = user
    passdb backend = ldapsam:ldap://172.16.0.1/
    logon script = \\pdc\netlogon\%U.bat
    logon path = \\pdc\profiles\%U
    logon drive = U:
    domain logons = Yes
    preferred master = No
    local master = No
    domain master = No
    os level = 20
    password server = *
    ; wins server = 172.16.0.1

I realized that no [netlogon] and [profiles] share exist on the BDC. But there are no problems known with profiles for users who were handled by the BDC. Only logon scripts don't work? Is it possible that the option "logon script =" DOES NOT ALLOW the use of a UNC path like I am using it? So this is the problem and samba falls back to the default path /var/lib/samba/usershares/netlogon and tries to look there for the logon script??? If so, how should my [netlogon] share on the BDC look? Do I have to rsync/copy the content of pdc://file01/netlogon to bdc:/somedir/netlogon and use the following lines in the BDC's smb.conf?

    logon script = %U.bat

    [netlogon]
    comment = BDC Logon batch
    path = /somedir/netlogon
    write list = @Domain Admins

Will that be enough or am I wrong? I would also like to know if I could use os level = 0 on the BDC, because I don't need/want the BDC to handle domain logon procedures, that would be the easiest way in my case. Now you ask why the heck I need it to run as BDC :-) It's because I can't use winbind on the BDC and I need the correct mappings for user/groups. And that's only possible either by using winbind on BDC and idmapping, or you run as BDC and it uses the locally managed database of the PDC. In my case it was really much easier to use the BDC method, because if I used winbind it would result in different ids (those of winbind idmapping ranges) and access would be denied to lots of my existing shares. So in result I would have to chmod all of my used dirs/paths which is a lot of work. That's why I chose the much easier way as a BDC. But that's not very important, I'd just like to know if os level = 0 would be ok or cause some other troubles?

Any help and feedback really appreciated.
Thanks to all
Lucas
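The reply above makes two points that are easy to check mechanically: "logon script" is a path relative to the [netlogon] share, not a UNC path, and a BDC needs its own netlogon directory kept in step with the PDC's. The script below is an added example written for this page, not code from the list or from Samba; it flags a UNC-style value, lists users whose %U.bat is missing, and diffs a PDC netlogon directory against a BDC copy. The directories, scripts and user names are constructed; on real DCs point it at the two netlogon paths (e.g. the /file01/netlogon from the PDC config above and whatever the BDC uses).

```shell
#!/bin/sh
# Added example, not code from the list post: checks for the two things the
# reply calls out. "logon script" takes a path relative to the [netlogon]
# share, not a UNC path, and a BDC needs its own copy of that share kept in
# sync with the PDC. The directories and user list below are constructed.

# Succeed if the "logon script" value is relative (fail on \\server\share\...).
logon_script_is_relative() {
    case "$1" in
        \\\\*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print users from "$@" (after the directory in $1) whose %U.bat is missing.
missing_logon_scripts() {
    dir="$1"
    shift
    for u in "$@"; do
        [ -f "$dir/$u.bat" ] || echo "$u"
    done
}

# Print scripts in PDC dir $1 that are absent from or differ in BDC dir $2.
netlogon_out_of_sync() {
    for f in "$1"/*.bat; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$2/$name" ] || ! cmp -s "$f" "$2/$name"; then
            echo "$name"
        fi
    done
}

# Constructed fixture: two netlogon directories with one drifted script.
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir "$FIXTURE/pdc" "$FIXTURE/bdc"
printf 'net use U: \\\\pdc\\foobar\r\n' > "$FIXTURE/pdc/foobar.bat"
cp "$FIXTURE/pdc/foobar.bat" "$FIXTURE/bdc/foobar.bat"
printf 'net use U: \\\\pdc\\alice\r\n' > "$FIXTURE/pdc/alice.bat"
printf 'echo old version\r\n' > "$FIXTURE/bdc/alice.bat"

logon_script_is_relative '%U.bat' && echo "relative: ok"
logon_script_is_relative '\\pdc\netlogon\%U.bat' || echo "UNC path: not what logon script expects"
missing_logon_scripts "$FIXTURE/pdc" foobar alice bob     # bob
netlogon_out_of_sync "$FIXTURE/pdc" "$FIXTURE/bdc"        # alice.bat
```

A cron job that runs the out-of-sync check after every rsync from the PDC gives an early warning when a script edit on the PDC has not reached the BDC, which is the failure mode that only shows up for the users the BDC happens to log on.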
Re: [Samba] Samba 3.x server with LDAP backend doesn't work
Did you try w/o start TLS support? I realize this can have security implications, so this is only to see if the problem is with TLS or with the configuration in general. If the LDAP server is on the same server as the samba server then I don't think you will need TLS encryption, since there isn't LAN traffic to snoop.

Don't forget to set the ldap password with smbpasswd -w

Also I think ldaps means ldap over SSL, not ldap+tls.

I would also use ldap client tools (e.g. the command line ldapsearch or the gui Apache Directory Studio ldap browser and editor) to make sure you can connect to the ldap server via LDAP, LDAP+TLS and/or LDAPS-over-SSL. You need to make sure you have all the certificates configured correctly.

On 05/16/13 11:27, Gollapalli, Prakash wrote:
We have a central LDAP server for our enterprise on a Linux box. I have installed Samba 3.4.4 server on an AIX server and am trying to get users authenticated via the LDAP server. So far my efforts have been unsuccessful. Here is my ldap section of the smb.conf file:

    passdb backend = ldapsam:ldaps://company_ldap_server/
    ldap ssl = start tls
    ldap suffix = dc=xxx,dc=yyy,dc=zzz
    ldap delete dn = no
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups

Here is the error I am seeing in the Samba error log:

    [2013/05/16 11:08:14, 0] lib/smbldap.c:656(smb_ldap_start_tls)
      Failed to issue the StartTLS instruction: Can't contact LDAP server
    [2013/05/16 11:08:14, 1] lib/smbldap.c:1231(another_ldap_try)
      Connection to LDAP server failed for the 1 try!

Is there a documented procedure on how to connect samba users to a backend ldap server? Any help with this is greatly appreciated
Thanks,
Prakash

** Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues
Re: [Samba] Samba 3.x server with LDAP backend doesn't work
And just to clarify, you can use ldapsearch with the samba admin credentials as well? What is the ldap server? (OpenLDAP?)

On 05/16/13 16:44, Gollapalli, Prakash wrote:
>> Did you try w/o start TLS support? I realize this can have security implications, so this is only to see if the problem is with TLS or with the configuration in general.
>
> I have tried without TLS support and without SSL (replaced ldaps with ldap)
>
>   passdb backend = ldapsam:ldap://company_ldap_server/
>   ldap ssl = off
>   ldap admin dn = cn=Adminid,dc=xxx,dc=yyy,dc=zzz
>   ldap suffix = dc=xxx,dc=yyy,dc=zzz
>   ldap delete dn = no
>   ldap user suffix = ou=People
>   ldap group suffix = ou=Groups
>
> Now I get the following error:
>
>   [2013/05/16 16:38:14, 0] lib/smbldap.c:1052(smbldap_connect_system)
>     failed to bind to server ldap://company_ldap_server/ with dn=cn=Adminid,dc=xxx,dc=yyy,dc=zzz Error: Confidentiality required (unknown)
>
>> If the LDAP server is on the same server as the samba server then I don't think you will need TLS encryption, since there isn't LAN traffic to snoop.
>
> Our LDAP server is not on the same server. It is a central enterprise server
>
>> Don't forget to set the ldap password with smbpasswd -w
>
> I did this part for the Adminid
>
>> Also I think ldaps means ldap over SSL, not ldap+tls. I would also use ldap client tools (e.g. the command line ldapsearch or the gui Apache Directory Studio ldap browser and editor) to make sure you can connect to the ldap server via LDAP, LDAP+TLS and/or LDAPS-over-SSL. You need to make sure you have all the certificates configured correctly.
>
> LDAP authentication works perfectly directly from our AIX server. I can do ldapsearches and can login with my ldap credentials etc. Only samba authentication doesn't work
>
> Thanks,
> Prakash
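Added example, not from this thread or from Samba itself: a small Python check over the [global] settings posted above that reports the two transport problems the thread runs into. The first is 'ldap ssl = start tls' combined with an ldaps:// URI: StartTLS upgrades a plain ldap:// session, so issuing it on a port that expects a TLS handshake first cannot work, which is consistent with the 'Can't contact LDAP server' error in the first post. The second is a plaintext ldap:// bind with 'ldap ssl = off' against a server that enforces confidentiality, which is what the 'Confidentiality required' bind error means. The parameter names are Samba's; the finding codes, the lint itself and the two sample configurations are constructed here (the server name and suffix are the placeholders from the thread).

```python
"""Lint the LDAP transport settings of an smb.conf [global] section (added example)."""
import re

# Constructed from the two configurations posted in the thread, not a real site.
CONF_LDAPS_WITH_STARTTLS = """
[global]
passdb backend = ldapsam:ldaps://company_ldap_server/
ldap ssl = start tls
ldap suffix = dc=xxx,dc=yyy,dc=zzz
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
"""

CONF_PLAIN_LDAP = """
[global]
passdb backend = ldapsam:ldap://company_ldap_server/
ldap ssl = off
ldap admin dn = cn=Adminid,dc=xxx,dc=yyy,dc=zzz
ldap suffix = dc=xxx,dc=yyy,dc=zzz
"""


def parse_global(text):
    """Return [global] key/value pairs; keys are lowercased with whitespace collapsed,
    comment lines (# or ;) and other sections are skipped."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            settings[" ".join(key.lower().split())] = value.strip()
    return settings


def check_ldap_transport(settings):
    """Return (code, message) findings for an ldapsam passdb backend; codes are invented here."""
    findings = []
    m = re.match(r"ldapsam:(\S.*)", settings.get("passdb backend", ""))
    if not m:
        return findings                      # not an LDAP backend, nothing to check
    ssl_mode = settings.get("ldap ssl", "").lower()
    for uri in m.group(1).split():           # passdb backend may list several URIs
        scheme = uri.lower().split("://", 1)[0]
        if scheme == "ldaps" and ssl_mode == "start tls":
            findings.append(("starttls-over-ldaps",
                f"{uri}: ldaps:// already wraps the session in SSL/TLS; StartTLS is an "
                "upgrade of a plain ldap:// session and fails on the SSL port. Use ldap:// "
                "with 'ldap ssl = start tls', or keep ldaps:// with 'ldap ssl = off'."))
        elif scheme == "ldap" and ssl_mode == "off":
            findings.append(("plaintext-bind",
                f"{uri}: the admin DN bind and the password hashes read from the directory "
                "travel unencrypted; a server that enforces confidentiality rejects the "
                "bind with 'Confidentiality required'."))
    if "ldap admin dn" not in settings:
        findings.append(("no-admin-dn",
            "'ldap admin dn' is not set, so smbd has no DN to bind with "
            "(set it, then store its password with smbpasswd -w)."))
    return findings


def lint(text):
    """Parse and check one smb.conf text; returns the list of (code, message)."""
    return check_ldap_transport(parse_global(text))


if __name__ == "__main__":
    for name, conf in (("ldaps+starttls", CONF_LDAPS_WITH_STARTTLS), ("plain ldap", CONF_PLAIN_LDAP)):
        for code, message in lint(conf):
            print(f"{name}: [{code}] {message}")
```

The checker only looks at what is in the file; it does not assume a default for 'ldap ssl' when the key is absent, so run it against the output of testparm -s if you want the effective value included.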
Re: [Samba] win 7 client can't map drive: getpeername failed
That suggests either a configuration difference with some of the Win 7 machines or a difference with some of the AD accounts for the machines.

On the NAS, does the getent passwd command display user and machine accounts? Is it maybe showing only some machine accounts and not others? It might be possible that samba has been unable to allocate an idmap entry for newer machines. Although I would think this would affect authentication issues, not connection issues. I have found idmapping to be one of the less reliable functions in samba.

Are all the Win 7 machines configured with identical network settings (apart from the IP address itself of course)? This should be the case if you use DHCP. Are there any security settings on the problem Win 7 machines that are different? If you use gpedit.msc - computer - security settings, you may want to review things like NTLMv2 settings. Are all the machine accounts in the same AD container?

If this is all AD, then you should not need to use WINS. Although it may also help resolve confusion about which machine is the local master browser. Which shouldn't really matter either. I use samba 3.x as a non-AD PDC so the WINS and browser stuff is more important. If the Microsoft server is the AD PDC it may expect to be the local master browser. I think there can only be one local master browser per subnet. And if you look thru the nmbd logs (?) on the NAS as well as the logs on the Win 2008 server, you may see the results of a browser election.

testparm -v will show you all the config settings, including those set by default even if not explicitly set in smb.conf

On 05/13/13 08:44, Ed Strong wrote:
> Hi, all XP clients work fine. As do most win 7 clients. Just a handful of win7 clients have this issue.
>
> We only have one Microsoft server: 2008 R2, it does not have the WINS server feature installed.
>
> The qnap box is called saturn and is a member of the domain. telnet saturn 139 results in a blank screen, blinking cursor, so port open I guess.
>
> The NAS uses our Microsoft server for its DNS and registers itself in DNS. Also on the NAS I have:
>   Enable WINS server NOT checked
>   Local master browser checked
>   Allow only NTLMv2 authentication NOT checked
>
> DNS has a reverse lookup zone with a PTR record for the client.
>
> This is my first foray into samba so I'm not familiar with the config file structure but here is the global section:
>
>   [global]
>   log level = 3
>   passdb backend = smbpasswd
>   workgroup = OUR_DOMAIN
>   security = ADS
>   server string =
>   encrypt passwords = Yes
>   username level = 0
>   map to guest = Bad User
>   null passwords = yes
>   max log size = 50
>   socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=262144 SO_RCVBUF=131072
>   os level = 20
>   preferred master = no
>   dns proxy = No
>   smb passwd file=/etc/config/smbpasswd
>   username map = /etc/config/smbusers
>   guest account = guest
>   directory mask = 0777
>   create mask = 0777
>   oplocks = yes
>   locking = yes
>   disable spoolss = yes
>   load printers = no
>   display charset = UTF8
>   force directory security mode =
>   veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
>   delete veto files = yes
>   map archive = no
>   map system = no
>   map hidden = no
>   map read only = no
>   deadtime = 10
>   use sendfile = yes
>   unix extensions = no
>   store dos attributes = yes
>   client ntlmv2 auth = yes
>   dos filetime resolution = no
>   inherit acls = yes
>   wide links = yes
>   force unknown acl user = yes
>   template homedir = /share/homes/DOMAIN=%D/%U
>   domain logons = no
>   min receivefile size = 4096
>   case sensitive = auto
>   domain master = auto
>   local master = yes
>   enhance acl v1 = yes
>   remove everyone = yes
>   kernel oplocks = no
>   mangled names = no
>   realm = OUR_DOMAIN.local
>   password server = SERVER.OUR_DOMAIN.local
>   pam password change = yes
>   winbind separator = +
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind cache time = 3600
>   idmap uid = 41-50
>   idmap gid = 41-50
>   idmap config OUR_DOMAIN : backend = rid
>   idmap config OUR_DOMAIN : range = 1001-2000
>   wins support = no
>   name resolve order = host bcast
>
> On 10 May 2013 16:19, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
>> Are XP clients having the same problem? Trying with an XP client would help indicate if there was something specific to XP. (I skipped vista.)
>>
>> Can you check in smb.conf
>> - is the server a member server, AD member server, standalone server, or domain controller.
>> - Are ports explicitly defined
>> - how is name resolution configured?
>> - is NTLMv2 required (I couldn't get NTLMv2 support working.)
>>
>> Domain membership shouldn't matter at this point since you aren't even getting to the authentication phase.
>>
>> Can you telnet port 139 to make sure it is open? Do you have a WINS server
Re: [Samba] win 7 client can't map drive: getpeername failed
I think the "Error was Transport endpoint is not connected" warnings are sometimes misleading.

Do you have any control over the samba config (smb.conf) on the NAS? On regular samba installs, changing the default port settings can cause more problems. Windows 7 will try to connect on port 445 (SMB or CIFS over tcp/ip), and will then reconnect to ports 137/138/139 (SMB over netbios over tcp/ip) since samba 3.x doesn't handle the newer SMB-over-tcp/ip. Disabling 445 on the server seems to cause more problems than it solves.

Are you able to connect via IP? e.g. net use \\qnap_ip\share ?

I had problems in the past when I disabled port 445 on samba servers. Remote users (no netbios broadcasts permitted) could connect via IP but not via name. For the name-only connections, packet monitoring would show packets getting thru to the server but the exchange between client and server not being completed. For clients connecting via IP, the client would send packets to the server, the server would respond, and then the clients responded.

On 05/07/13 03:53, Ed Strong wrote:
> Hi, I'm re-posting this (with some more info) as I don't think the original got through as I wasn't signed up to the samba list. This is my first foray in samba (and newsgroups) so go easy :) I've started reading the O'Reilly samba book but finding it hard going.
>
> Anyway I'm trying to map a network drive from a windows 7 pro client to a QNAP NAS with the command: net use s: \\qnap\share
>
> I've posted on several forums and got good advice but the problem remains. Rather than repost all the detail, please see my original posts:
> http://forum.qnap.com/viewtopic.php?f=185t=74639
> http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/11d35b0c-ac95-489f-b5d1-0486b9774603
> http://www.edugeek.net/forums/windows-7/112309-map-network-drive-nas-but-get-error-64-58-a.html
>
> I've managed to ssh onto the QNAP via putty and found this in the logs (getpeername failed)
>
>   [/var/log] # pwd
>   /var/log
>   [/var/log] # tail -f log.smbd
>   [2013/05/01 09:36:17.135999, 0] lib/util_sock.c:474(read_fd_with_timeout)
>   [2013/05/01 09:36:17.136096, 0] lib/util_sock.c:1440(get_peer_addr_internal)
>     getpeername failed. Error was Transport endpoint is not connected
>     read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>   [2013/05/01 09:36:17.137700, 1] smbd/server.c:299(remove_child_pid)
>     Scheduled cleanup of brl and lock database after unclean shutdown
>   [2013/05/01 09:36:17.178522, 1] smbd/service.c:1073(make_connection_snum)
>     172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=1514) (pid 25771)
>   [2013/05/01 09:36:17.179093, 0] lib/util_sock.c:474(read_fd_with_timeout)
>   [2013/05/01 09:36:17.179173, 0] lib/util_sock.c:1440(get_peer_addr_internal)
>     getpeername failed. Error was Transport endpoint is not connected
>     read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>   [2013/05/01 09:36:17.179289, 1] smbd/service.c:1254(close_cnum)
>     172.24.120.139 (172.24.120.139) closed connection to service Staff
>   [2013/05/01 09:36:37.142714, 1] smbd/server.c:272(cleanup_timeout_fn)
>     Cleaning up brl and lock database after unclean shutdown
>
> The QNAP's samba version appears to be 3.5.2:
>
>   [/var/log] # ps -ef | grep smb
>    4016 admin 3104 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>    4017 admin 3728 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>    4366 admin 1840 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>    4877 admin 3300 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>    4902 admin 3952 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>    4978 admin 4132 S /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
>    4979 admin 3356 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>    4980 admin 1224 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>    4995 admin 1016 S /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
>    5063 admin 2068 S /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
>    9509 admin 1664 S /usr/local/samba/sbin/nmbd -l /var/log -D -s /etc/config/smb.conf
>   25540 admin  544 S grep smb
>   [/var/log] # /usr/local/samba/sbin/smbd -V
>   Version 3.5.2
>
> I've also installed MS network monitor on two clients and did a capture whilst running the command net use s:\ \\saturn\staff
>
> I've posted three screenshots here: https://plus.google.com/photos/108734482620454690509/albums/5875135861918839393?authkey=CJ3lwKu2xJqMyQE
>
> Basically, Worked.png shows the SMB frames on a PC where the net use command worked and Failed.png shows the SMB frames on a PC where the net use command did not work. It looks to me like the first 6 SMB frames are identical. Then things start to change. On the working client we continue with frame 10113 which is a Dfsc: Get DFS Referral Request but
Re: [Samba] win 7 client can't map drive: getpeername failed
Are XP clients having the same problem? Trying with an XP client would help indicate if there was something specific to XP. (I skipped vista.)

Can you check in smb.conf
- is the server a member server, AD member server, standalone server, or domain controller.
- Are ports explicitly defined
- how is name resolution configured?
- is NTLMv2 required (I couldn't get NTLMv2 support working.)

Domain membership shouldn't matter at this point since you aren't even getting to the authentication phase.

Can you telnet port 139 to make sure it is open? Do you have a WINS server defined? If so make sure client and NAS are using the same WINS server. Is your NAS configured to use a DNS server? Do you have a reverse lookup zone defined in DNS? The NAS may be trying to do a reverse lookup on the IP of the client. There doesn't need to be a PTR entry for the client but you at least want the zone. If DNS tries to look up an IP and gets an immediate host not found that is OK. If it times out because it can't even locate a DNS server then that could cause problems for other services dependent on DNS.

On 05/10/13 10:58, Ed Strong wrote:
> Hi, Thanks for the info, I'm replying to you in gmail to samba@lists.samba.org, hope that is correct?
>
> Yes I can edit the config file on the NAS.
>
> Looking at the network packets all communication to the NAS seems to be on port microsoft-ds (445). I can't see any traffic on ports 137/138/139.
>
> If I use the IP I get exactly the same error :(
>
> On 10 May 2013 15:01, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
>> I think the "Error was Transport endpoint is not connected" warnings are sometimes misleading.
>>
>> Do you have any control over the samba config (smb.conf) on the NAS? On regular samba installs, changing the default port settings can cause more problems. Windows 7 will try to connect on port 445 (SMB or CIFS over tcp/ip), and will then reconnect to ports 137/138/139 (SMB over netbios over tcp/ip) since samba 3.x doesn't handle the newer SMB-over-tcp/ip. Disabling 445 on the server seems to cause more problems than it solves.
>>
>> Are you able to connect via IP? e.g. net use \\qnap_ip\share ?
>>
>> I had problems in the past when I disabled port 445 on samba servers. Remote users (no netbios broadcasts permitted) could connect via IP but not via name. For the name-only connections, packet monitoring would show packets getting thru to the server but the exchange between client and server not being completed. For clients connecting via IP, the client would send packets to the server, the server would respond, and then the clients responded.
>>
>> On 05/07/13 03:53, Ed Strong wrote:
>>> Hi, I'm re-posting this (with some more info) as I don't think the original got through as I wasn't signed up to the samba list. This is my first foray in samba (and newsgroups) so go easy :) I've started reading the O'Reilly samba book but finding it hard going.
>>>
>>> Anyway I'm trying to map a network drive from a windows 7 pro client to a QNAP NAS with the command: net use s: \\qnap\share
>>>
>>> I've posted on several forums and got good advice but the problem remains. Rather than repost all the detail, please see my original posts:
>>> http://forum.qnap.com/viewtopic.php?f=185t=74639
>>> http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/11d35b0c-ac95-489f-b5d1-0486b9774603
>>> http://www.edugeek.net/forums/windows-7/112309-map-network-drive-nas-but-get-error-64-58-a.html
>>>
>>> I've managed to ssh onto the QNAP via putty and found this in the logs (getpeername failed)
>>>
>>>   [/var/log] # pwd
>>>   /var/log
>>>   [/var/log] # tail -f log.smbd
>>>   [2013/05/01 09:36:17.135999, 0] lib/util_sock.c:474(read_fd_with_timeout)
>>>   [2013/05/01 09:36:17.136096, 0] lib/util_sock.c:1440(get_peer_addr_internal)
>>>     getpeername failed. Error was Transport endpoint is not connected
>>>     read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>>>   [2013/05/01 09:36:17.137700, 1] smbd/server.c:299(remove_child_pid)
>>>     Scheduled cleanup of brl and lock database after unclean shutdown
>>>   [2013/05/01 09:36:17.178522, 1] smbd/service.c:1073(make_connection_snum)
>>>     172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=1514) (pid 25771)
>>>   [2013/05/01 09:36:17.179093, 0] lib/util_sock.c:474(read_fd_with_timeout)
>>>   [2013/05/01 09:36:17.179173, 0] lib/util_sock.c:1440(get_peer_addr_internal)
>>>     getpeername failed. Error was Transport endpoint is not connected
>>>     read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>>>   [2013/05/01 09:36:17.179289, 1] smbd/service.c:1254(close_cnum)
>>>     172.24.120.139 (172.24.120.139
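Added example (my own code, not Ed's, Gaiseric's or Samba's): a Python parser for the smbd log records quoted in this thread, where a "[date time, level] file:line(function)" header is followed by zero or more indented message lines. It pairs each "connect to service" with the matching "closed connection" per client and share and reports how long the session lasted, next to the counts of "getpeername failed" and "Connection reset by peer" warnings. Run over the excerpt above (reconstructed here as a constructed sample with the headers on their own lines, the way smbd writes them), it shows the Staff connection from 172.24.120.139 being closed well under a millisecond after it was made, which is the event to line up against the packet capture rather than the reset warnings themselves. The short-session cutoff is an arbitrary value of mine.

```python
"""Summarise smbd connection lifetimes from Samba 3 log records (added example)."""
import re
from datetime import datetime

# Constructed sample: the excerpt posted in this thread, each header on its own
# line. Indented lines belong to the most recent header above them.
SAMPLE_LOG = """\
[2013/05/01 09:36:17.135999, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/05/01 09:36:17.136096, 0] lib/util_sock.c:1440(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2013/05/01 09:36:17.137700, 1] smbd/server.c:299(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
[2013/05/01 09:36:17.178522, 1] smbd/service.c:1073(make_connection_snum)
  172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=1514) (pid 25771)
[2013/05/01 09:36:17.179093, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/05/01 09:36:17.179173, 0] lib/util_sock.c:1440(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2013/05/01 09:36:17.179289, 1] smbd/service.c:1254(close_cnum)
  172.24.120.139 (172.24.120.139) closed connection to service Staff
[2013/05/01 09:36:37.142714, 1] smbd/server.c:272(cleanup_timeout_fn)
  Cleaning up brl and lock database after unclean shutdown
"""

HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")
CONNECT = re.compile(r"^(\S+) \((\S+)\) connect to service (\S+) initially as user (\S+)")
CLOSE = re.compile(r"^(\S+) \((\S+)\) closed connection to service (\S+)")


def parse_log(text):
    """Group each header with the message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            stamp = m.group(1)
            fmt = "%Y/%m/%d %H:%M:%S.%f" if "." in stamp else "%Y/%m/%d %H:%M:%S"
            records.append({"time": datetime.strptime(stamp, fmt), "level": int(m.group(2)),
                            "file": m.group(3), "line": int(m.group(4)),
                            "func": m.group(5), "messages": []})
        elif records and line.strip():
            records[-1]["messages"].append(line.strip())
    return records


def summarise(records):
    """Pair connect/close messages per (client IP, share) and count reset warnings."""
    open_conns, sessions = {}, []
    counts = {"getpeername_failed": 0, "connection_reset": 0}
    for rec in records:
        for msg in rec["messages"]:
            if msg.startswith("getpeername failed"):
                counts["getpeername_failed"] += 1
            if "Connection reset by peer" in msg:
                counts["connection_reset"] += 1
            m = CONNECT.match(msg)
            if m:
                open_conns[(m.group(2), m.group(3))] = (rec["time"], m.group(4))
                continue
            m = CLOSE.match(msg)
            if m and (m.group(2), m.group(3)) in open_conns:
                start, user = open_conns.pop((m.group(2), m.group(3)))
                sessions.append({"client": m.group(2), "service": m.group(3), "user": user,
                                 "seconds": (rec["time"] - start).total_seconds()})
    return {"sessions": sessions, "still_open": sorted(open_conns), "counts": counts}


def short_sessions(summary, threshold=0.01):
    """Sessions torn down within `threshold` seconds of the tree connect; the cutoff
    is an arbitrary constructed value, tune it to the server's normal timings."""
    return [s for s in summary["sessions"] if s["seconds"] < threshold]


def analyse(text=SAMPLE_LOG):
    """Parse and summarise one log text."""
    return summarise(parse_log(text))


if __name__ == "__main__":
    result = analyse()
    for s in short_sessions(result):
        print(f"{s['client']} -> {s['service']} as {s['user']}: "
              f"closed after {s['seconds'] * 1000:.3f} ms")
    print(result["counts"], "still open:", result["still_open"])
```

Feed it the real log.smbd (log level 1 or higher is needed for the make_connection_snum and close_cnum lines); a client that shows up in still_open with many entries is also the pattern to look for when one client accounts for a crowd of smbd processes.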
Re: [Samba] Building 3.6.12
Had you posted about this last month?

For active directory support you will need to compile OpenLDAP. The ldap functionality in Solaris is NOT openldap. I would think that you will need to specify the path to the kerberos directory. Solaris 9 and Solaris 10 have kerberos installed by default. Not sure about Solaris 8 - it used to be part of the SEAM tool kit? If kerberos is not installed you will need to either download it from Sun/Oracle or compile from source.

  --with-ads=yes \
  --with-ldap=yes \
  --with-krb5=/usr

Also make sure winbind and nsswitch support is enabled. You may want to uninstall the samba 3.0.x packages to avoid confusion about which winbind/nsswitch libraries are being used.

I would also make sure that your Solaris 8 server is configured to use the Windows AD PDC as the DNS master. I did not configure my systems as AD members BUT I did configure trusts with AD servers. Need to make sure the samba server can locate the AD server. Doesn't hurt to make sure all servers are using the same WINS server - although it shouldn't be relevant with AD.

You may also want to set up a Solaris 10 test machine as well. Assuming you get Samba 3.6.x compiled on Solaris 8, and you can't get it to join the AD domain, you will want some way to determine if the problem is with the samba config or if the problem is with the samba compile. If the identical config works on Solaris 10 but not Solaris 8, then you know you have a problem with the compile. Solaris 10 would be a diagnostic tool, not the production system.

On 05/08/13 08:52, Shaw, Kevin wrote:
> All,
> I'm trying to build Samba 3.6.12 on Solaris 8 sparc using studio 12. Is this the correct forum to ask questions? This is my first build so any tips/tricks are appreciated. What are the prerequisites to get samba to compile so that it will join an AD domain?
> TIA,
> -Kevin
Re: [Samba] Build 3.6.12 on Solaris 8
Longer term you might just want to look at moving to Solaris 10, since it has samba 3.6.x included already. So much simpler than compiling. Although ZFS support does add new complications.

That being said, I did have some luck compiling samba 3.4.x on Solaris 10 (prior to Sun/Oracle releasing an update for its bundled version.) I had to use Sun studio and dmake. (Ideally you would use gcc but the version of make included with solaris breaks things.)

According to my notes

  CC='/usr/bin/cc -xc99'
  CXX=/usr/bin/CC

I don't remember why but I think that tells Sun Studio to compile stuff with open source compatibility in mind.

If you use LDAP for an account backend, domain trusts or idmapping you may need to compile openldap first. The sun ldap may be ok for some dependencies but not others.

Instead of the make command, use dmake or dmake -serial. Samba source should include some of its own dependencies (tdb, talloc etc); you may need to cd into the subdirectories and run dmake or dmake -serial first. Otherwise the samba build may fail because of the dependencies.

I used the following config command

  ./configure --prefix=/usr/local/samba-3.4.12 \
    --with-privatedir=/etc/samba/private \
    --with-lockdir=/var/samba/locks \
    --with-configdir=/etc/samba \
    --with-libtalloc=no \
    --with-libtdb=yes \
    --with-ads=no \
    --with-ldap=yes \
    --with-krb5=/usr

If you don't have trusts or ADS support required you can skip kerberos support. Libtalloc might be required for idmapping.

You may have to say no for most config options, config and compile, then enable options one at a time and config and compile again.

On 05/01/13 10:41, Shaw, Kevin wrote:
> All,
> I need to build samba 3.6.12 on solaris 8 using studio 12. Has anyone accomplished this and willing to share tips, tricks, or notes?
> -Kevin
Re: [Samba] Build 3.6.12 on Solaris 8
I had to build OpenLDAP for full ldap functionality. The solaris version of kerberos should be sufficient. But you don't need LDAP so you can even disable ldap and krb5 in configure.

samba should have a configure script. ./configure --help will show you the options. If you don't specify prefix it will build in /usr/local (/usr/local/sbin, /usr/local/lib etc) which may not be what you want. I usually like to specify something like --prefix=/usr/local/samba-3.6.12 then symlink /usr/local/samba-3.6.12 to /usr/local/samba. This lets me build new versions without breaking the running version. Just make sure you have LD_LIBRARY_PATH and PATH set correctly.

Configure will see what prereqs are installed. It will also see which version of cc, gcc and make are available. configure will create a make script. make or dmake will use that file to compile and link stuff in the correct order.

I wouldn't have thought you needed a map file, assuming the windows user names match the unix user names.

On 05/01/13 12:01, Shaw, Kevin wrote:
> Thanks so much for the reply! I've just updated my solaris 10 samba server to 3.6.12 (119757-27 sparc or 119758-27 x86). The solaris 8 system is out of my control. My problem is that I know very little about building S/W. I do have studio12 set up. Hopefully this will work:
>
>   CC='/auto/studio12/sparc/SUNWspro/bin/cc -xc99'
>   CXX= auto/studio12/sparc/SUNWspro/bin
>
> I use a user.map file to map unix to windows accounts so LDAP is not necessary. Did you build Kerberos or any other S/W before samba?
> TIA
> -Kevin
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
> Sent: Wednesday, May 01, 2013 8:29 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Build 3.6.12 on Solaris 8
>
>> Longer term you might just want to look at moving to Solaris 10, since it has samba 3.6.x included already. So much simpler than compiling. Although ZFS support does add new complications.
>>
>> That being said, I did have some luck compiling samba 3.4.x on Solaris 10 (prior to Sun/Oracle releasing an update for its bundled version.) I had to use Sun studio and dmake. (Ideally you would use gcc but the version of make included with solaris breaks things.)
>>
>> According to my notes
>>
>>   CC='/usr/bin/cc -xc99'
>>   CXX=/usr/bin/CC
>>
>> I don't remember why but I think that tells Sun Studio to compile stuff with open source compatibility in mind.
>>
>> If you use LDAP for an account backend, domain trusts or idmapping you may need to compile openldap first. The sun ldap may be ok for some dependencies but not others.
>>
>> Instead of the make command, use dmake or dmake -serial. Samba source should include some of its own dependencies (tdb, talloc etc); you may need to cd into the subdirectories and run dmake or dmake -serial first. Otherwise the samba build may fail because of the dependencies.
>>
>> I used the following config command
>>
>>   ./configure --prefix=/usr/local/samba-3.4.12 \
>>     --with-privatedir=/etc/samba/private \
>>     --with-lockdir=/var/samba/locks \
>>     --with-configdir=/etc/samba \
>>     --with-libtalloc=no \
>>     --with-libtdb=yes \
>>     --with-ads=no \
>>     --with-ldap=yes \
>>     --with-krb5=/usr
>>
>> If you don't have trusts or ADS support required you can skip kerberos support. Libtalloc might be required for idmapping.
>>
>> You may have to say no for most config options, config and compile, then enable options one at a time and config and compile again.
>>
>> On 05/01/13 10:41, Shaw, Kevin wrote:
>>> All,
>>> I need to build samba 3.6.12 on solaris 8 using studio 12. Has anyone accomplished this and willing to share tips, tricks, or notes?
>>> -Kevin
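Added example, not from the thread or from Samba: the versioned-prefix layout Gaiseric describes (build into /usr/local/samba-<version>, point /usr/local/samba at it) done in Python with a single rename(2), so going live with a new build and rolling back to the old one are both atomic and the running tree is never half-switched. A prefix with no sbin/ is refused as not installed. Everything runs under a temporary directory, and "staging" here just creates the directories as a stand-in for make install; the names and the sbin/ check are my conventions.

```python
"""Versioned install prefixes switched through one symlink (added example)."""
import os
import tempfile

LINK_NAME = "samba"        # /usr/local/samba in the thread; relative to a root here
PREFIX_FMT = "samba-{}"    # /usr/local/samba-3.6.12 and friends


def stage_version(root, version):
    """Stand-in for 'make install' into its own prefix: creates samba-<version>/sbin."""
    prefix = os.path.join(root, PREFIX_FMT.format(version))
    os.makedirs(os.path.join(prefix, "sbin"), exist_ok=True)
    return prefix


def current_version(root):
    """Version the samba symlink points at, or None if there is no link yet."""
    link = os.path.join(root, LINK_NAME)
    if not os.path.islink(link):
        return None
    target = os.path.basename(os.readlink(link))
    return target[len(PREFIX_FMT.format("")):]


def switch_current(root, version):
    """Repoint the symlink with a single rename(2); returns the previous version.

    A temporary link is created and then renamed over the live one, so a process
    resolving <root>/samba/sbin/smbd sees either the old or the new tree, never a
    missing link. A prefix without sbin/ (install not finished) is refused.
    """
    prefix = os.path.join(root, PREFIX_FMT.format(version))
    if not os.path.isdir(os.path.join(prefix, "sbin")):
        raise FileNotFoundError(f"{prefix}/sbin missing: build not installed")
    link = os.path.join(root, LINK_NAME)
    previous = current_version(root)
    tmp = link + ".new"
    if os.path.lexists(tmp):
        os.unlink(tmp)                     # leftover from an interrupted switch
    os.symlink(PREFIX_FMT.format(version), tmp)   # relative target, survives moving root
    os.replace(tmp, link)                         # rename(2): atomic, replaces the old link
    return previous


def rollback(root, previous):
    """Put the previously active version back using the same atomic switch."""
    return switch_current(root, previous)


def demo():
    """Stage two builds, go live with the newer one, then roll back."""
    with tempfile.TemporaryDirectory() as root:
        stage_version(root, "3.4.12")
        stage_version(root, "3.6.12")
        switch_current(root, "3.4.12")
        previous = switch_current(root, "3.6.12")
        live = current_version(root)
        rollback(root, previous)
        return previous, live, current_version(root)


def refuses_unstaged():
    """True if switching to a version that was never installed is rejected."""
    with tempfile.TemporaryDirectory() as root:
        try:
            switch_current(root, "9.9.9")
        except FileNotFoundError:
            return True
    return False


if __name__ == "__main__":
    print("previous, live, after rollback:", demo())
```

On a real box the LD_LIBRARY_PATH and PATH entries, the init script and smb.conf should all reference the symlink, not a versioned prefix, so that the switch is the only thing that changes.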
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
A few things aren't clear-
- Are Solaris and RHEL servers mounting shares from the primary server as samba clients or NFS clients?
- Are people running SVN and Eclipse on Windows or RHEL systems?
- Are you using samba to reshare NFS shares?

I run a mixed environment of Windows and Linux clients with Solaris servers running samba. The linux clients use NFS (v4 is now the default.) Some of the things I have found are that
- It is worth patching solaris to get a later version of Samba - if you are using ZFS (not ufs) and you have a complex environment with LDAP and domain trusts. But you really have to test carefully before an upgrade.
- Do not use samba to reshare NFS or autofs shares.

How are clients checking stuff out from SVN? Via an nfs file share, samba file share, sftp or ssh?

I understand the need to maintain stability with a server OS. But I think you do have to plan for an eventual OS upgrade/patch, otherwise you end up with a system that you can't get support on.

Are you also looking at the output of vmstat or iostat? If disk i/o gets too high, clients may repeat read/write requests which just causes a feedback loop exacerbating the situation. I have seen this with nfs clients. It is like everyone yelling louder to get heard because everyone is yelling.

On 03/06/13 08:47, Simo wrote:
> On 03/06/2013 08:28 AM, Joseph, Matthew (EXP) wrote:
>> Hello JAB,
>> Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list.
>
> Do not ascribe to the whole community the shortcomings of an individual, the volunteer's 'his' opinion please.
>
>> This is a production server on a closed LAN which we don't have the option of upgrading to RHEL 5.9 or greater in the near future. So with that being said, anyone have any experience with what I am dealing with?
>
> Unless you have 15000 servers connected, the fact you have that many processes indicates a serious issue with the server or at least one of the clients. Samba creates just 1 single process per client and all its requests are served by that process. If you are seeing multiple processes it means the client is opening multiple connections. That is wrong and indicates there is probably a bug with either server processes crashing, becoming unresponsive or both, or the client misbehaving.
>
> You may want to consider trying playing with the following parameters on your samba server:
> - deadtime
> - max connections
> - keepalive
> - reset on zero vc
>
> You may also want to prevent samba from dumping core if that is activated, as it could put pressure on disks and the kernel if too many processes core all at once.
>
> HTH,
> Simo.
Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt
Presuming you have a RHEL subscription, you should be able to download the ISOs and patches on an internet machine and xfr via sneaker net (USB drive, DVD) to the internal network. You can even set up an internal yum repository. Even without an internet connection, you still have to consider internal security concerns.

With Solaris, you can also download the latest monthly patch cluster (assuming you have a support contract.) This will bring you up to samba 3.5.x or 3.6.x. It also fixes some issues with max group membership, and I recall some mention of kernel and nfs bug fixes. Just make sure you back up all your samba config before patching.

On 03/06/13 09:12, Jonathan Buzzard wrote:
> On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote:
>> Hello JAB,
>> Thank you for taking the time to respond to this in a very helpful manner... If the SAMBA community does not care about helping someone with a wildly out of date server then they should state that before letting someone join the mailing list.
>
> Given you are running RHEL, you should over the last four years have been reading the security bulletins for RHEL and responding to them appropriately. It should be apparent to any sensible person that the first step would be to check that my distribution does not have fixes for the problems that I am seeing. (hint I am 99% certain it does).
>
>> This is a production server on a closed LAN which we don't have the option of upgrading to RHEL 5.9 or greater in the near future.
>
> No lan is that closed. That you have no procedure for upgrading the OS on your server, which suffers from a number of remote root security holes that require nothing more than a connection to your network, is very bad practice.
>
>> So with that being said, anyone have any experience with what I am dealing with?
>
> Read your distro release and security notes. I am 99% certain that this is a known problem that can be fixed by upgrading.
>
> JAB.
Re: [Samba] no network interfaces found on OpenIndiana (Illumos)
Solaris 11 added a CIFS server - I don't know if it is in OpenIndiana. Check the svcs -a command to make sure that there isn't a preexisting CIFS or samba server already running.

FYI The latest Solaris 10 + updates has samba 3.5.x or 3.6.x. I had issues with older samba packages from sunfreeware.com and opencsw with 64-bit support, LDAP compatibility and ZFS support.

On 03/06/13 12:56, Jeremy Allison wrote:
> On Wed, Mar 06, 2013 at 11:42:02AM +0100, Joeri Vanthienen wrote:
>> Hi,
>> I've downloaded the samba 3.6.12 OpenCSW package. I joined openindiana to the active directory, winbind seems to work fine, I see all the users with wbinfo -u. However, my samba server is not starting. It seems that there is no network card found.
>>
>>   [2013/03/06 10:40:39.068405, 0] lib/interface.c:543(load_interfaces)
>>     WARNING: no network interfaces found
>>   [2013/03/06 10:40:39.072795, 0] smbd/server.c:1082(main)
>>     standard input is not a socket, assuming -D option
>>   ...
>>   [2013/03/06 10:40:39.205210, 0] smbd/server.c:746(open_sockets_smbd)
>>     open_sockets_smbd: No sockets available to bind to.
>>
>> Is there some problem that the get_interfaces(talloc_tos(), ifaces); call returns no interfaces on solaris/openindiana? Any idea?
>
> Use gdb to step through the code and see why it's failing to find interfaces, or add debug statements to the places we return from querying an interface. Sorry, no other easy answer.
>
> Jeremy.
Re: [Samba] ldap/shared address books
Can you use an LDAP Browser/Editor (e.g. Apache Directory Studio) to manage the samba ldap server? Maybe see what attributes you can add/modify? I have used Apache Directory Studio to modify LDAP attributes with Microsoft AD on Win 2003/2008. I would guess the samba 4 ldap schema has to support many of the same attributes. I have not played with samba 4 yet so just a guess.

On 03/06/13 13:14, Terry Austin wrote:
> After struggling through the HowTo for quite a while (I have some . . . comments, if anyone is interested), I have a working active directory domain, for which I (and my bosses, who sign the checks) thank everyone.
>
> Now is integration time. Is there a way to make a shared address book through Samba? Or am I stuck with beating my head against ldap again?
Re: [Samba] BDC Rejecting auth request from client + Windows 7
I don't quite understand - why does the BDC have a dynamic IP address? Or have I misunderstood? The DHCP server can provide the IP of the WINS servers to DHCP clients. Are the XP and Win 7 workstations on a separate subnet from the servers?

What version are the samba servers? Do both samba servers point to a single LDAP server or do they each have their own LDAP server in replication? Does pdbedit -Lv show the same accounts on each DC? Is it possible that the Windows 7 machine accounts have not replicated to the BDC?

Have you specified the ports in the smb.conf file? By default samba uses ports 137, 138, and 445. In theory you can disable port 445 (it reduces some of the transport warnings) but I find that causes problems with name resolution when a router or vpn is involved. So better off just sticking with the defaults.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of David Noriega
Sent: Friday, February 08, 2013 1:56 PM
To: samba@lists.samba.org
Subject: [Samba] BDC Rejecting auth request from client + Windows 7

> Just some background: In our environment, we are running both a PDC and BDC. The local network setup has static ips on a different subnet from dhcp ips, thus the PDC has a static ip and the BDC has a dynamic one so the Windows machines are able to see the domain without hardcoding in the ip of the PDC as a wins on each machine. This has worked fine for Windows XP. We are also using ldap as the backend.
>
> Now we have a Windows 7 box and I have followed various instructions and modified entries within the registry as everyone else has specified. While I can join the domain, after reboot I get the trust relationship failed error (or on a rare occasion it will say no logon servers available). Checking the logs I have mapped out the following:
>
> 1. Win7 client asks to join the domain
> 2. PDC responds and adds machine to ldap
> 3. Win7 accepts and tests machine account
> 4. BDC rejects auth request
> 5. Win7 logs this, but still shows successful join message and reboots
> 6. Win7 then refuses to login on the domain. I can type in gibberish and still get the trust relationship failed message.
>
> Here is the following from the BDC:
>
>   [2013/02/08 13:11:05.458750, 2] lib/smbldap.c:950(smbldap_open_connection)
>     smbldap_open_connection: connection opened
>   [2013/02/08 13:11:05.504483, 2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
>     credentials check failed
>   [2013/02/08 13:11:05.504529, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>     _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
>   [2013/02/08 13:11:05.524195, 2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
>     credentials check failed
>   [2013/02/08 13:11:05.524235, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>     _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
>   [2013/02/08 13:11:15.914207, 0] lib/util_sock.c:474(read_fd_with_timeout)
>   [2013/02/08 13:11:15.914316, 0] lib/util_sock.c:1441(get_peer_addr_internal)
>     getpeername failed. Error was Transport endpoint is not connected
>     read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
Re: [Samba] Samba 3 master browser on two networks plus WINS
Is samba bound to a subnet1 interface only, or to all interfaces? Can subnet2 clients connect to samba via either IP? Are subnet2 clients supposed to be using samba services via the subnet1 IP or the subnet2 IP on the server? The first would involve going through the firewall, which seems unnecessary with a dual-homed samba server. The second, however, probably rules out using WINS for the subnet2 clients since you would NOT want traffic going through the firewall.

What IP are the clients on subnet2 using for a WINS server? Can you try having the clients on subnet2 use the samba server's subnet1 IP as the WINS server? I haven't tried running WINS on a dual-homed system. I would guess if you cat the wins.dat file (or tdbdump wins.tdb) you will only see registrations for subnet1.

Have you specified any ports in the smb.conf file? Samba 3 uses NT4 type smb-over-NBT (ports 137, 138, 139 and not 445) BUT I have found that explicitly specifying ports in smb.conf breaks more things than it fixes.

On 01/03/13 04:01, Gala Dragos wrote:
> I'm banging my head against the wall here with a problem that I have. I have one Samba 3 server on a linux box with 2 ethernet interfaces, each given a different subnet. The same box does DHCP leases on both networks, with the wins option pointing to this server. The firewall was configured to allow the least obtrusive communication between the two subnets; I can ping between the subnets and receive a response, and I can also access some other services, like http, from one subnet to the other. I have set up on this server a common Public share, which works.
>
> Now I'm trying to get the Samba PC from subnet 1 to see the Samba PC from subnet 2 and vice versa, but to no avail. On subnet 1 I can see and access the server via its NetBIOS name, but on subnet 2 I can only see the server and access it via its IP. No other Samba PCs can be seen across the subnets! All PCs have the same workgroup. What to enable in the configuration in order to be able to do cross-subnet browsing with samba?
>
> Thanks.
Re: [Samba] Samba 3 master browser on two networks plus WINS
Presumably a PC on subnet1 does NOT need to access a share from 192.168.7.1 since it can access 192.168.5.1. Presumably a PC on subnet2 does NOT need to access a share from 192.168.5.1 since it can access 192.168.7.1. If you have a dual-homed server + a router between subnets, your routing could get a little tricky when accessing shares on the other-subnet IP of the samba server. Or is the samba server also the router?

But to clarify, your issue is that a single-homed client PC on subnet1 (e.g. LIVINGROOM) cannot access shares on a single-homed client PC on subnet2 (e.g. ACERJUNKIE), even though they can ping each other? It seems that WINS is not the problem.

On 01/03/13 15:41, Gala Dragos wrote:
> Subnet 1: 192.168.5.1/24, wins 192.168.5.1
> Subnet 2: 192.168.7.1/24, wins 192.168.7.1
>
> All PCs are allocated IPs from their respective subnet via DHCP. A PC on subnet 1 cannot access a share from a PC on subnet 2, not even by IP. The same happens from subnet 2 to subnet 1. The firewall is set up to allow all traffic between the 2 subnets, effectively considering them as a single zone (I use shorewall as a UI to iptables). I have not specified any ports in smb.conf, but I have bound samba to the required ethernet interface.
>
> Here is the wins.dat. I can see references from both subnets.
>
> wins.dat follows
> VERSION 1 0
> WORKGROUP#1e 1357503758 0.0.0.0 e4R
> ARCHROUTEUSB#03 1357503758 192.168.5.1 192.168.7.1 66R
> WORKGROUP#00 1357503758 0.0.0.0 e4R
> ROUTERJUNKIE#03 1357503758 192.168.5.1 192.168.7.1 64R
> LIVINGROOM#20 1357541821 192.168.5.91 64R
> LINUXJUNKIE#00 1357511721 192.168.5.118 64R
> ROUTERJUNKIE#00 1357503758 192.168.5.1 192.168.7.1 64R
> ARCHROUTEUSB RO#03 1357258441 192.168.5.1 192.168.7.1 64R
> FUJILAPPY#20 1357497461 192.168.7.16 64R
> ARCHROUTEUSB#00 1357503758 192.168.5.1 192.168.7.1 66R
> WORKGROUP#1b 1357503758 192.168.5.1 192.168.7.1 64R
> LIVINGROOM#00 1357541816 192.168.5.91 64R
> LINUXJUNKIE#20 1357511723 192.168.5.118 64R
> ARCHROUTEUSB RO#20 1357258441 192.168.5.1 192.168.7.1 64R
> WORKGROUP#1c 1357503758 192.168.5.1 192.168.7.1 e4R
> ACERJUNKIE#00 1357381531 192.168.7.15 64R
> FUJILAPPY#00 1357497461 192.168.7.16 64R
> ACERJUNKIE#20 1357381531 192.168.7.15 64R
> ARCHROUTEUSB RO#00 1357258441 192.168.5.1 192.168.7.1 64R
> ARCHROUTEUSB#20 1357503758 192.168.5.1 192.168.7.1 66R
> ROUTERJUNKIE#20 1357503758 192.168.5.1 192.168.7.1 64R
> end wins.dat
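As an added example (not code from the thread or from the Samba project), a small Python parser for wins.dat entries of the shape shown above, answering the question of which subnets actually hold registrations. The sample data is constructed from the dump above; names are quoted as nmbd writes them, and the parser also accepts the unquoted form seen in the post.

```python
import re

# Constructed sample modelled on the wins.dat dump in the thread above.
# One registration per line: "NAME#suffix" expiry-time ip... flagsR
SAMPLE_WINS_DAT = """VERSION 1 0
"WORKGROUP#1e" 1357503758 0.0.0.0 e4R
"ARCHROUTEUSB#03" 1357503758 192.168.5.1 192.168.7.1 66R
"WORKGROUP#00" 1357503758 0.0.0.0 e4R
"LIVINGROOM#20" 1357541821 192.168.5.91 64R
"LINUXJUNKIE#00" 1357511721 192.168.5.118 64R
"FUJILAPPY#20" 1357497461 192.168.7.16 64R
"ARCHROUTEUSB#00" 1357503758 192.168.5.1 192.168.7.1 66R
"WORKGROUP#1b" 1357503758 192.168.5.1 192.168.7.1 64R
"LIVINGROOM#00" 1357541816 192.168.5.91 64R
"LINUXJUNKIE#20" 1357511723 192.168.5.118 64R
"WORKGROUP#1c" 1357503758 192.168.5.1 192.168.7.1 e4R
"ACERJUNKIE#00" 1357381531 192.168.7.15 64R
"FUJILAPPY#00" 1357497461 192.168.7.16 64R
"ACERJUNKIE#20" 1357381531 192.168.7.15 64R
"ARCHROUTEUSB#20" 1357503758 192.168.5.1 192.168.7.1 66R
"""

# Name (possibly containing spaces), '#' + two-hex-digit suffix, expiry, then
# one or more addresses followed by the flags byte with a trailing 'R'.
ENTRY_RE = re.compile(
    r'^"?(?P<name>.+?)#(?P<suffix>[0-9A-Fa-f]{2})"?\s+(?P<expiry>\d+)\s+(?P<rest>.+)$')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

NB_GROUP = 0x80  # group-name bit in the NetBIOS flags byte

# Standard NetBIOS name suffixes that appear in the dump.
SUFFIX_MEANING = {
    0x00: "workstation", 0x03: "messenger", 0x20: "file server",
    0x1b: "domain master browser", 0x1c: "domain controllers",
    0x1e: "browser election",
}


def parse_wins_dat(text):
    """Parse wins.dat text into a list of registration dicts."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("VERSION"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised wins.dat line: {raw!r}")
        tokens = m.group("rest").split()
        ips, flags_tok = tokens[:-1], tokens[-1]
        if not ips or not all(IPV4_RE.match(ip) for ip in ips):
            raise ValueError(f"bad address list in: {raw!r}")
        flags = int(flags_tok.rstrip("Rr"), 16)
        records.append({
            "name": m.group("name"),
            "suffix": int(m.group("suffix"), 16),
            "expiry": int(m.group("expiry")),
            "ips": ips,
            "group": bool(flags & NB_GROUP),
        })
    return records


def file_servers_by_subnet(records, subnets):
    """Map each subnet prefix (e.g. '192.168.5.') to the hosts that registered
    a unique 0x20 (file server) name at an address inside that subnet."""
    found = {s: set() for s in subnets}
    for r in records:
        if r["suffix"] != 0x20 or r["group"]:
            continue
        for ip in r["ips"]:
            for s in subnets:
                if ip.startswith(s):
                    found[s].add(r["name"])
    return found


def multihomed_hosts(records):
    """Hosts whose 0x00/0x20 registration carries more than one address,
    i.e. the dual-homed server registering both of its interfaces."""
    return sorted({r["name"] for r in records
                   if r["suffix"] in (0x00, 0x20) and not r["group"]
                   and len(r["ips"]) > 1})


if __name__ == "__main__":
    recs = parse_wins_dat(SAMPLE_WINS_DAT)
    for subnet, hosts in file_servers_by_subnet(recs, ["192.168.5.", "192.168.7."]).items():
        print(subnet, sorted(hosts))
    print("multi-homed:", multihomed_hosts(recs))
```

On this sample both subnets show file-server registrations, which matches the observation in the post that WINS itself sees both sides, so name registration is not where the cross-subnet failure lies.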
Re: [Samba] Samba 3 master browser on two networks plus WINS
WINS is not the issue since you can't connect via IP either. Routing is not the issue since you can connect to other services. Are all clients showing 5.1 or 7.1 as default gw?

It could be a firewall configuration issue on your server, although that does not seem likely. Did you have to specifically add rules to allow HTTPS? Can you temporarily disable the firewall on the server?

Are there firewalls enabled on the PCs? Presuming clients don't have problems accessing shares from other clients on the same subnet? The default XP firewall behavior may be to block network shares. I think it is possible to configure the XP firewall to allow access from some IPs but not others, but that is something you would have had to explicitly set up. Fedora typically has a firewall enabled as well; on Fedora you have the system-config-firewall command to provide a GUI front end (I think this is iptables). It may have specific ports and services enabled or disabled by default, but I don't think it would have rules that filter by source IP enabled by default.

Can you telnet somehost 139?

On 01/03/13 16:16, Gala Dragos wrote:
> The samba server also acts as the router. That is correct, a PC on subnet 1 cannot access a PC on subnet 2 through samba, but it works fine using other protocols. Both subnet 1 and subnet 2 have PCs that run Windows 7 x64, or Windows XP, or Linux (usually Fedora 17). The server itself runs on Archlinux.
>
> "It seems that WINS is not the problem." Then what is?
>
> From: Gaiseric Vandal gaiseric.van...@gmail.com
> To: samba@lists.samba.org
> Sent: Thursday, January 3, 2013 11:02 PM
> Subject: Re: [Samba] Samba 3 master browser on two networks plus WINS
Re: [Samba] Windows Authentication
How are you trying to connect? From a Windows 7 machine? A Windows XP machine? Are you using the net use command in Windows?

On 01/01/13 14:36, samba.1...@9ox.net wrote:
> Greetings Samba:
>
> I thought I knew something about servers and networks but Samba has me stumped... I built a clean Fedora 17 server, disabled the firewall and then followed install instructions from http://www.howtoforge.com/fedora-17-samba-standalone-server-with-tdbsam-backend. When I try to connect I receive the Windows security (login) screen but no matter what I do, I never connect. I am on the same network, have tried and verified that my workgroups match, but do not see samba in the browser and cannot get "map to drive" to get past UID and PW. I have tried host name and IP address for the domain portion.
>
> Any suggestions on where to look next?
>
> Gerald
Re: [Samba] windows 8 jointo samba 3 domain
Samba 3 emulates an NT4-type domain. So the NETBIOS version of the domain name (XX) is correct. The DNS name would only be for an Active Directory type domain (Windows 200x or Samba 4 servers).

On 12/18/12 09:27, Alexandr Seidl wrote:
> Hi ... I have a problem joining Win 8 Pro to a samba domain. After patching the registry, joining domain name XX works OK, but joining domain .YYY doesn't work; Windows sends only a DNS request for the SRV record. Any idea?
Re: [Samba] static only wins server
If your Windows clients use login scripts to map drives, then they don't need WINS at all, since they resolve hosts via DNS. However, if a client isn't using WINS it will still use the netbios browser to locate resources on the network. I am not sure if you can totally defeat this by pointing the Windows clients to an inactive WINS server. If you don't have file and print sharing enabled on the Windows client, that should prevent them from showing up as netbios resources.

On 12/18/12 13:47, Chris Smith wrote:
> Since there are only a couple of server systems on the network that actually need name resolution or to be seen via NetBIOS browsing, is there any reason not to run a static-only WINS server with just the information for those systems listed? If not, then how can one stop the other systems from registering themselves?
>
> Thanks,
> Chris
Re: [Samba] not able to log on (PDC with ldap backend)
Hi

Attachments are not supported on the mailing list.

Does the pdbedit -Lv machinename$ command on the samba server show the machine account? The account flags should be [W ] only. In LDAP, you should see the following attributes:

objectClass=sambaSamAccount
sambaNTPassword
sambaSID
sambaAccountFlags= [W ]
sambaPrimaryGroupSID

I found that with Samba 3.5.x some of the ldap attributes were not set correctly and I had to manually fix the sambaAccountFlags entry.

Have you specified any ports in the smb.conf? You should stay with the default smb ports = 445 139. Windows clients may try initially connecting on port 445 (SMB over TCP) then connect to 139 (SMB over NetBIOS over TCP). In theory, you shouldn't need 445, but I find disabling it on samba sometimes confuses Windows clients.

On 12/17/12 04:31, ingo.schm...@binarysignals.net wrote:
> Hello,
>
> I set up my first PDC with LDAP as backend. I'm able to join a Vista client to the domain. However, when I want to log on after rebooting the client, it claims that the logon server is n/a. My smb and slapd.confs are attached. Any ideas what I did wrong or missed to configure?
>
> Thx, Ingo
>
> My samba version is: 3.5.4-5.11.1-2573-SUSE-SL11.3
Re: [Samba] not able to log on (PDC with ldap backend)
But do you see Account Flags: [W ] for the Vista machine account? Did you also see a machine account for the samba PDC itself? It should include Account Flags: [S ]. Is the Vista client configured to use WINS?

On 12/17/12 10:29, ingo.schm...@binarysignals.net wrote:
> Hi,
>
> I just posted my smb.conf to pastebin: http://pastebin.com/r29mgMcK
>
> I haven't specified ports; I assumed the default ones should do. I guess I ran more into a client-side issue, but I actually don't know. pdbedit -Lv shows the Administrator and the respective machine account. The only attribute I miss is the [A] for the Administrator account; it shows a [U] only. But that cannot be the reason why I cannot log on. I'm also able to ping the client from the server. So the client is basically able to connect.
>
> Thx, Ingo
Re: [Samba] Samba4 - Windows 200x DNS Migration
Windows 200x AD DCs do not require that the DNS master is on a Win 2003 AD server. You need a BIND9-compatible server, preferably with dynamic updates enabled. If dynamic updates are not enabled, then when a Windows machine joins the DC it will dump out DNS records that need to be added to the DNS master. As long as the Samba4 DNS server supports dynamic updates it should work fine for supporting other domains.

On 12/13/12 13:56, Adam Tauno Williams wrote:
> Has anyone been able to migrate DNS from a Samba4 DC to a Windows 200x server? I've looked around the wiki, etc... and haven't found anything pertaining to moving DNS between platforms.
Re: [Samba] Samba file server using ldap backend without AD or PDC?
Can you clarify one thing: why are you using the sambaNTPassword in openldap if openldap is not currently used for samba authentication? I would have thought that you would use the standard password field.

I use Samba 3.x DCs with an ldap back end. I also use the ldap backend for unix authentication as well as authentication to various other systems that support LDAP authentication. If you are using one or more BDCs you really do have to use an LDAP back end. But there is no reason why member servers can use an LDAP backend. If the underlying unix account for each samba account is in /etc/passwd and not LDAP, you should consolidate it all into LDAP.

Do the sambaNTPassword (and other samba attributes) in LDAP match those in the tdb backend? You may find you want to blast away the existing sambaNTPassword entries in LDAP before you migrate the TDB data to LDAP.

On 11/30/12 08:28, Brian Gold wrote:
> Hi all,
>
> I've been using samba for a few years now on a couple of file servers with a tdbsam backend for our user accounts. We use openldap for the vast majority of our identity management, so I would love to be able to tie into this. We recently started using sambaNTPassword in openldap for radius authentication, so this is populated for most of our users now. From reading through some of the documentation though, I'm a bit confused as to how this would be implemented. We don't currently have Active Directory and don't have any samba PDC/BDCs set up. Would it be necessary for us to have a PDC/BDC in order to use openldap as our backend?
>
> Thanks,
> Brian
Re: [Samba] Samba file server using ldap backend without AD or PDC?
On 11/30/12 09:42, Brian Gold wrote:
> On 2012-11-30 9:22 am, Gaiseric Vandal wrote:
>> Can you clarify one thing: why are you using the sambaNTPassword in openldap if openldap is not currently used for samba authentication? I would have thought that you would use the standard password field.
>
> We are using the standard userPassword field for most things, but for radius authentication via PEAP/MSCHAPv2, we needed to use sambaNTPassword instead.

That makes sense.

>> I use Samba 3.x DCs with an ldap back end. I also use the ldap backend for unix authentication as well as authentication to various other systems that support LDAP authentication. If you are using one or more BDCs you really do have to use an LDAP back end. But there is no reason why member servers can use an LDAP backend. If the underlying unix account for each samba account is in /etc/passwd and not LDAP, you should consolidate it all into LDAP.
>
> We currently don't want to deploy a PDC or BDC if we don't need to. All we want to do is have a file server that can authenticate using the username/password stored in openldap.

Should be no problem.

>> Do the sambaNTPassword (and other samba attributes) in LDAP match those in the tdb backend? You may find you want to blast away the existing sambaNTPassword entries in LDAP before you migrate the TDB data to LDAP.
>
> No, our current Samba file server has a totally separate set of passwords. When we transition over to this new Samba file server, we will be having all our users use their openldap password instead. We do not want to sync their existing tdb passwords over to LDAP.

No, you wouldn't sync passwords to TDB. Does your LDAP entry for each user currently have a sambaSID value? Also, when you type pdbedit -Lv someuser you should see the unix account for the user. The unix account is either explicitly created (e.g. in /etc/passwd or ldap or nis) or dynamically created by winbind.

# pdbedit -Lv someuser
Unix username:        someuser
NT username:          someuser
Account Flags:        [U          ]
User SID:             S-1-5-21-x
Primary Group SID:    S-1-5-21-xxx
Full Name:            Some User
Home Directory:       \\someserver\users\someuser
HomeDir Drive:        X:
Logon Script:         logon.bat
Profile Path:
Domain:               SOMEDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Fri, 30 Sep 2011 09:40:43 EDT
Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF
#

Assuming you are not using winbind to allocate uids and gids for samba users, your LDAP user entry will eventually look something like:

dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Some User
gidNumber: xx
homeDirectory: /home/someuser
sambaSID: S-1-5-21-
sn: UserLastName
uid: someuser
uidNumber: 123
displayName: Some User
gecos: Some User
givenName: Some User
loginShell: /bin/tcsh
sambaAcctFlags: [UX ]
sambaHomeDrive: X:
sambaHomePath: \\someserver\users\someuser
sambaLogonScript: logon.bat
sambaNTPassword:
sambaPasswordHistory: 00 00
sambaPwdLastSet: 1291843237
st: xx
street: x
telephoneNumber: x
userPassword::

Although the login script and network home directory are probably not relevant in a non-DC setup.
Re: [Samba] Samba file server using ldap backend without AD or PDC?
So when you run pdbedit -Lv for a user, is the Unix user name an account in ldap? If that is the case, then you probably just want to have a script that runs through a list of user names and then runs ldapmodify to add the appropriate samba attributes. In theory you can use pdbedit to export the data, then change the backend, then import it back. I found that didn't quite work.

I had originally used a nis backend for unix accounts and a TDB backend for samba. I moved from NIS to LDAP for unix accounts. Then when I added a BDC I moved the samba data into ldap. I had used smbpasswd to dump the data to a text file, then wrote a perl script to parse the file into user name, samba SID, and samba password and then rewrite it into an ldapmodify ldif file. I used this file to update the existing LDAP accounts.

You MAYBE can use smbpasswd or pdbedit to create the samba accounts in LDAP, but I suspect that either it won't preserve the existing password OR it may refuse to create the account.

On 11/30/12 12:38, Brian Gold wrote:
> On 2012-11-30 11:15 am, Gaiseric Vandal wrote:
>> No, you wouldn't sync passwords to TDB. Does your LDAP entry for each user currently have a sambaSID value? Also, when you type pdbedit -Lv someuser you should see the unix account for the user. The unix account is either explicitly created (e.g. in /etc/passwd or ldap or nis) or dynamically created by winbind.
>
> No, currently our users do not have sambaSID values in ldap.
>
> We are not using winbind at all currently.
>
> Here is a sample user's ldap data:
>
> dn: uid=tstaff,ou=people,dc=simons-rock,dc=edu
> uid: tstaff
> sn: Staff
> uinSR: tstaff-false
> givenName: Test
> genderSR: m
> loginShell: /bin/false
> cn: Test Staff
> gecos: Test Staff
> mailSR: test...@simons-rock.edu
> homeDirectory: /home/testaff
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: personSR
> objectClass: extensibleObject
> objectClass: posixAccount
> objectClass: shadowAccount
> shadowLastChange: 11551
> shadowWarning: 7
> gidNumber: 100
> shadowMax: 9
> uidNumber: 7391
> mail: test...@simons-rock.edu
> groupSR: staff
> groupSR: hidden
> employeeNumber: 991991991
> sambaNTPassword: REDACTED
> sambaPwdLastSet: 1354296936
> userPassword:: REDACTED
Re: [Samba] Samba file server using ldap backend without AD or PDC?
On 11/30/12 16:11, Brian Gold wrote:
> On 2012-11-30 4:01 pm, Gaiseric Vandal wrote:
>
> Here is the output for that same user when I do a pdbedit. The unix username is being pulled from ldap.
>
> pdbedit -Lv testaff
> Unix username:        testaff
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-2531268310-2106678637-3833209162-15782
> Primary Group SID:    S-1-5-21-2531268310-2106678637-3833209162-513
> Full Name:            Test Staff
> Home Directory:       \\elephant\testaff
> HomeDir Drive:
> Logon Script:
> Profile Path:         \\elephant\testaff\profile
> Domain:               ELEPHANT
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Fri, 27 Jun 2008 16:50:45 EDT
> Password can change:  Fri, 27 Jun 2008 16:50:45 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FF
>
> Worth a try I guess. As it is, I'm planning on totally scrapping this existing samba file server when we move to using ldap passwords. The only things that need to carry over are the files on the file server itself. I'm totally fine with not using any of the data that is in tdb currently. Is there a way to autogenerate the samba SID (since I don't necessarily need the one that is being used in my current samba file server) and whatever other samba fields might be needed for all of my existing ldap accounts?

If you write a script you could probably increment the SID for each entry. The pdbedit and smbpasswd commands will create all the necessary fields, including automatically creating a unique SID. But I just don't know if it will complain that the account already exists. I think it won't complain the account exists (since not all the necessary fields are there) BUT it will probably complain that the account could not be created. I don't think you will know till you test it.
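An added example, not Gaiseric's perl script and not Samba's own tooling, of the script described in this thread: it turns an smbpasswd-format dump into an ldapmodify LDIF that adds the sambaSamAccount attributes to existing LDAP entries, and it can also mint fresh SIDs for LDAP users that have no Samba data at all (Brian's case). The domain SID and base DN are placeholders; the RID is derived with Samba's default algorithmic mapping (2 * uid + 1000), which is the assumption here, and it reproduces the thread's own numbers (uidNumber 7391 gives RID 15782). Disabled accounts and accounts with no NT hash are skipped rather than migrated, and the LM hash is never carried over.

```python
# Constructed smbpasswd-format dump: user:uid:LM-hash:NT-hash:[flags]:LCT-hex:
# The hashes are made-up placeholders, not real password hashes.
SAMPLE_SMBPASSWD = """\
someuser:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4E85C6DB:
olduser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-4E85C6DB:
nopass:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
"""

DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"  # placeholder: your domain SID
BASE_DN = "ou=people,dc=example,dc=com"                 # placeholder: where uid= entries live
RID_BASE = 1000          # Samba's default "algorithmic rid base" (assumed, no winbind idmap)
DOMAIN_USERS_RID = 513   # well-known RID of Domain Users


def parse_smbpasswd(text):
    """Parse smbpasswd lines into dicts; the LM hash field is read and discarded."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed smbpasswd line: {line!r}")
        name, uid, _lm, nt, flags, lct = fields[:6]
        entries.append({
            "name": name,
            "uid": int(uid),
            "nt_hash": nt.upper(),
            "flags": flags.strip("[] "),  # e.g. 'U', 'DU', 'NU'
            "pwd_last_set": int(lct[4:], 16) if lct.startswith("LCT-") else 0,
        })
    return entries


def from_posix(name, uid):
    """Entry for an LDAP posixAccount that has no Samba data yet (fresh SID case)."""
    return {"name": name, "uid": uid, "nt_hash": "", "flags": "U", "pwd_last_set": 0}


def user_rid(uid):
    """Samba's default algorithmic uid -> RID mapping."""
    return 2 * uid + RID_BASE


def entry_to_ldif(e, carry_password=True):
    """LDIF 'changetype: modify' record adding the sambaSamAccount attributes.
    Returns None for accounts that should not be migrated with a password."""
    if carry_password and ("D" in e["flags"] or set(e["nt_hash"]) == {"X"}):
        return None
    sid = f"{DOMAIN_SID}-{user_rid(e['uid'])}"
    attrs = [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", sid),
        ("sambaPrimaryGroupSID", f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"),
        ("sambaAcctFlags", "[" + e["flags"].ljust(11) + "]"),
    ]
    if carry_password:
        attrs += [("sambaNTPassword", e["nt_hash"]),
                  ("sambaPwdLastSet", str(e["pwd_last_set"]))]
    lines = [f"dn: uid={e['name']},{BASE_DN}", "changetype: modify"]
    for attr, value in attrs:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def build_ldif(entries, carry_password=True):
    """Return (ldif_text, skipped_names) for a list of parsed entries."""
    records, skipped = [], []
    for e in entries:
        ldif = entry_to_ldif(e, carry_password)
        if ldif is None:
            skipped.append(e["name"])
        else:
            records.append(ldif)
    return "\n".join(records), skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(parse_smbpasswd(SAMPLE_SMBPASSWD))
    print(ldif)
    print("skipped:", skipped)
    fresh, _ = build_ldif([from_posix("tstaff", 7391)], carry_password=False)
    print(fresh)
```

Feed the output to ldapmodify against the directory, then confirm with pdbedit -Lv that the User SID and Account Flags come back as expected.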
Re: [Samba] Local Administrator access
With Windows 7, the 1st account you create during the initial setup is typically a member of the local admin group. The actual Administrator account is normally disabled. Did this 1st account get deleted?

When you joined the domain, the Domain Admins group should have been added to the local Admin group. This can get messed up if your group mappings are not set up correctly.

Also, I think when running the net command you may want to use -U Administrator to use the credentials of your domain Administrator account (assuming one has been defined). In my setup the unix root does not have a samba account.

On 11/26/12 10:03, Knut Olav Bøhmer wrote:
> Hi,
>
> I have a Windows 7 machine without a local administrator account. I need to create such an account. I can log in to the machine with a user on my samba domain. What do I need to do in order to get administrator access, or access to create a local administrator account?
>
> I have tried to do this:
>
> [root@float samba]# net rpc group addmem Administrators 'DOMAIN\username'
> Enter root's password:
> Could not add SKOLELINUX\knobo to Administrators: NT_STATUS_NO_SUCH_ALIAS
>
> I have tried to give some rights this way:
>
> net rpc rights grant 'DOMAIN\username' SeMachineAccountPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege SeUndockPrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege SePrintOperatorPrivilege SeCreateGlobalPrivilege SeEnableDelegationPrivilege SeUndockPrivilege SeTakeOwnershipPrivilege
>
> And it does what I tell it:
>
> [root@float samba]# net rpc rights list knobo
> Enter root's password:
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
> SeSecurityPrivilege
> SeSystemProfilePrivilege
> SeUndockPrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
>
> But I'm still prompted for username and password when I try to access the user accounts in Windows 7.
>
> Any suggestions?
>
> Regards
Re: [Samba] Local Administrator access
Have you tried logging into the PC using the samba domain administrator account? Assuming the PC was properly joined to the domain, you should be able to configure the local accounts and groups. You can create a domain group that is then a member of the PC's local administrator group. This will allow you to define samba users who are PC administrators but NOT domain administrators.

Whoever joins a PC to a domain needs to be both a local administrator on that computer and (in most cases) have domain administrator credentials. (If the machine account was created in advance then the domain administrator credentials should not be needed.) Are you sure the PC was joined to the domain?

On 11/26/12 10:51, Knut Olav Bøhmer wrote:

2012/11/26 Gaiseric Vandal gaiseric.van...@gmail.com:

With Windows 7, the first account you create during the initial setup is typically a member of the local admin group. The actual Administrator account is normally disabled. Did this first account get deleted?

I did not install the computer. How can I find out if there is such a user? But I don't have the password anyway.

When you joined the domain, the Domain Admins group should have been added to the local Admin group.

Ok, so the trick is to get my user a member of the Domain Admins group.

This can get messed up if your group mappings are not set up correctly. Also, I think when running the net command you may want to use -U Administrator to use the credentials of your domain Administrator account (assuming one has been defined). In my setup the unix root does not have a samba account.

--
Knut Olav Bøhmer
41 000 108
Re: [Samba] help
Is this samba 3.x? Samba 3.x domains and domain controllers function like Windows NT4 domains. They are not like Windows 200x Active Directory servers and domains. The domain name has to be a simple netbios-compatible name: a single name, not an fqdn. I do not believe that "." is a valid character. I think the domain name can not exceed 15 or 15 characters.

On 11/15/12 14:38, Hanganu Sergiu wrote:

Hello, I'm not speaking English very well. I'm trying to configure samba. I'm using Debian as the O.S. My problem is: I want to configure a local domain as PDC. This is a part of a little example:

workgroup = MIDEARTH
domain logons = Yes
domain master = Yes
security = User

workgroup = MIDEARTH.MILANO
domain logons = Yes
domain master = Yes
security = User

My domain will be MIDEARTH. This is working, but if I change it to MIDEARTH.MILANO it is not working. When I'm trying to connect an XP Pro client with the domain name MIDEARTH it is working, but if I change to MIDEARTH.MILANO, like an fqdn, it is not working and I don't understand why. I'm trying to find some example on Google but I can't find anything like this. PLEASE HELP ME. THANK YOU
Re: [Samba] using samba similar to windows shares
You can have the share permissions granting access to everyone, and then use file system permissions to limit the access to the appropriate groups for each folder. This is the same approach you would use with a real Windows server.

On 10/09/12 16:17, 鱼 wrote:

Hi, I would like to share a main folder (main) with everyone but have different access rights to a subfolder of main (subfolder) with 2 groups. Is it possible that this can be done with samba?

Regards
LC
Re: [Samba] Share working with IP not with hostname
On 09/10/12 13:52, Nitin Thakur wrote:

Hi guys, I managed to set up the share. I am able to access the share with the IP address, but as soon as I try to do it via hostname, I get a user name and password pop-up, which always fails to authenticate. Any setting I am missing? Thanks, Nitin

What version of Samba? My guess is there is some sort of name lookup mismatch. Are you using a domain or workgroup? Are you using WINS? Are you using DNS? If the samba server is the WINS server you should be able to cat wins.dat and tdbdump wins.tdb to verify that the names are the same. In smb.conf, does the samba server netbios name match the DNS name? What is the client OS?

The only other thing that might be happening is that the client and server are mismatching on using NTLM vs NTLMv2. The samba logs should show that. I could NOT get NTLMv2 to work on my samba servers; I had to explicitly disable it in smb.conf.
Re: [Samba] Samba compile problem
Compiling Samba on Solaris 10 can be a real challenge. A lot of the issues seem to be related to the old version of ld. I would expect that you would have more luck on Solaris 11 but I have not tried it yet. I ended up using Sun Studio and dmake. If you look for older posts from me there should be notes on what I did.

Solaris 10 (with the latest updates) should include samba 3.5.x. A lot less aggravation than compiling IF it meets your needs.

On 08/31/12 12:16, Nitin Thakur wrote:

Well, managed to fix it, it was openldap. Now I have a problem with make:

SONAMEFLAG = -Wl,-soname=
Linking shared library bin/libtalloc.so.2
/usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/../../../../sparc-sun-solaris2.10/bin/ld: anonymous version tag cannot be combined with other version tags
collect2: ld returned 1 exit status
*** Error code 1
The following command caused the error:
gcc -I/opt/local/samba/include -I/opt/local/samba/include -I. -I/opt/local/samba-3.6.7/source3 -I/opt/local/samba-3.6.7/source3/../lib/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/tevent -I./librpc -I./.. -I./../lib/talloc -I../lib/tdb/include -DHAVE_CONFIG_H -I/opt/local/samba/include -I/opt/local/samba/include -I/usr/local/inclue -I/usr/sfw/include -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLDAP_DEPRECATED -DSUNOS5 -I/opt/local/samba-3.6.7/source3/lib -I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -shared -Wl,-z,relro -L/opt/local/samba/lib -R/opt/local/samba/lib -L/opt/local/samba/lib -R/opt/local/samba/lib -L/usr/local/lib -L/usr/sfw/lib -R/usr/local/lib -R/usr/sfw/lib -R/usr/lib -lthread -L./bin -lc -Wl,-z,defs -Wl,--version-script,/opt/local/samba-3.6.7/source3/exports/`basename bin/libtalloc.so.2 | sed 's:\.so[\.0-9]*$:.syms:'` -o bin/libtalloc.so.2 ../lib/talloc/talloc.o ./../lib/replace/replace.o ./../lib/replace/snprintf.o ./../lib/replace/getpass.o ./../lib/replace/strptime.o ./../lib/replace/timegm.o ./../lib/replace/getifaddrs.o -lnsl -lsocket -Wl,-soname=`basename bin/libtalloc.so.2`
make: Fatal error: Command failed for target `bin/libtalloc.so.2'

Any idea?

Thanks
Nitin

From: nitintha...@hotmail.com
To: samba@lists.samba.org
Date: Thu, 30 Aug 2012 18:49:50 +
Subject: Samba compile problem

Hi all, Samba build problem when compiling with --with-ads. I have compiled kerberos and openldap in /opt/local/samba and I am using gcc with gnu binutils. It's a Solaris 10 SPARC. Configure gives me the following error:

checking for LDAP support... yes
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking for ber_tag_t... yes
checking for ber_scanf in -llber... yes
checking for ber_sockbuf_add_io... yes
checking for LDAP_OPT_SOCKBUF... yes
checking for LBER_OPT_LOG_PRINT_FN... yes
checking for ldap_init in -lldap... no
checking for ldap_set_rebind_proc... no
checking whether ldap_set_rebind_proc takes 3 arguments... 3
checking for ldap_initialize... no
configure: error: libldap is needed for LDAP support

Config.log output:

configure:25335: gcc -o conftest -I/opt/local/samba/include -I/opt/local/samba/include -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include -L/opt/local/samba/lib -R/opt/local/samba/lib -lthread -L./bin -L/usr/lib conftest.c -lldap -llber -lresolv -lrt -lnsl -lsocket -lmd5 -lrt -liconv >&5
/usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/../../../../sparc-sun-solaris2.10/bin/ld: /opt/local/samba/lib/libldap.so: dladdr: invalid version 12 (max 0)
/opt/local/samba/lib/libldap.so: could not read symbols: Bad value

I installed openldap in /opt/local/samba.

# find /opt/local/samba -name libldap\*
/opt/local/samba/lib/libldap_r.a
/opt/local/samba/lib/libldap.so
/opt/local/samba/lib/libldap.la
/opt/local/samba/lib/libldap-2.4.so.2
/opt/local/samba/lib/libldap.a
/opt/local/samba/lib/libldap_r.so
/opt/local/samba/lib/libldap_r-2.4.so.2
/opt/local/samba/lib/libldap-2.4.so.2.8.4
/opt/local/samba/lib/libldap_r-2.4.so.2.8.4
/opt/local/samba/lib/libldap_r.la

Thanks
Nitin
Re: [Samba] join domain from different subnet (VPN)
Did you try a packet capture on the samba server? Try adding an entry for the XP machine in the server's /etc/hosts file. I am guessing there is some sort of weird name resolution issue going on with the server. I don't think there is any reason the server should need to resolve the name of the client machine, but I have had weird issues with VPN connections before. This is a site-to-site VPN?

On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:

Hello everybody, we have a problem joining a domain from a remote location. The remote location is connected via VPN. Everything is working as expected, but joining the samba domain from the remote location does not work.

- Server Samba version is 3.5.10
- Windows client is XP SP3
- Joining the domain locally works without problems
- ping does work in both directions
- WINS is running on the local PDC and resolves across the VPN (I tested with a Linux client using nmblookup)
- the WINS server is configured on the client
- NetBIOS over TCP/IP is enabled on the client
- the Windows firewall on the client is OFF
- even adding entries to the client's lmhosts file didn't solve the problem

Any suggestions?
thx Carsten
Re: [Samba] join domain from different subnet (VPN)
Do the routers block any ports or netbios traffic? Did you restrict the samba ports in smb.conf? Samba, I think, listens by default on 137, 138, 139 and 445. 445 is for SMB-over-IP, which isn't actually used by samba 3.x. XP machines will try to connect to 445, then redirect to 137-139 for classic SMB-over-NBT. Restricting the ports may cause more issues than it solves. I can't think of anything else that would cause issues with a routed environment.

On 08/30/12 11:09, real-men-dont-cl...@gmx.net wrote:

Hi, I already tried that, no success. The VPN connects two subnets via OpenVPN with dedicated routers on each side.
thx Carsten

-Original message-
To: samba@lists.samba.org;
From: Gaiseric Vandal gaiseric.van...@gmail.com
Sent: Thu 30-08-2012 14:58
Subject: Re: [Samba] join domain from different subnet (VPN)
Re: [Samba] Samba PDC: Admin tools?
I use Apache Directory Studio for LDAP management. It is not samba specific but it is easy enough to use existing user, group or machine objects as templates for new ones. It runs on Windows and Linux (and maybe on Mac).

On 08/25/12 16:39, John Drescher wrote:

On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno ports...@gmail.com wrote:

Guys, I have used smbldap-tools to handle my accounts for my PDC with samba+openldap. Now I ask here because a lot of people have PDCs running on their networks: what tools do you use to manage your openldap db for samba: users, machines, groups? Working with CentOS 6.x. Any input will be appreciated, thanks!!!

I use LDAP Account Manager to manage my users / machines / group accounts.

John
Re: [Samba] Problems connecting win7 client to new Samba PDC
The Domain Users group should have automatically been added to the local Users group when you joined the domain. When I upgraded from Samba 3.0.x to 3.5.x I had an error in the group mappings on one of the DCs that caused problems for a while. I also had to explicitly add a mapping for the nobody user and group.

I think I may have explicitly granted the domain administrator the privilege to add machines to the domain: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html#rp-privs. But I think I only had to do that because the administrator was not recognized as being a domain admin (or local admin) because the group mapping was broken.

If you add a network user to the local admin group, and login works, then there is definitely a local security issue. My guess is that the OS creates the new user's local profile directory but then has problems assigning file permissions/ownership for the network user. On XP, if you right-click My Computer and look at profiles, you could see if the profile for a user was local, roaming or temporary. Win 7 should have the same option.

On 08/09/12 18:03, Brandon wrote:

Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

An update to this: I was able to add domain users after a reboot. So I've added MYWORKGROUP\myadmin to my Users group on the local machine. I was also able to search my domain for users, and came up with a list of my users, a nobody user, and a Domain Admins group. I've added MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to the Users group on the local machine. I am still getting the same errors when logging on though.

It seems to me like it's trying to pull a roaming profile when I have roaming profiles disabled (or I thought I did), and/or Windows doesn't actually know the netbios name, based on the series of these events:

Windows cannot copy file \\?\C:\Users\Default\Documents to location \\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by network problems or insufficient security rights.
Re: [Samba] Add machines for join a domain
Do you mean when you join a Linux machine to the domain? Or do you mean when you join a Windows machine to the domain? You do need a unix account for all machines that will be in the domain. You can configure samba to automatically create the LDAP accounts for machines when they are added. I haven't done this. The procedure is somewhere in the documentation. I just created machine accounts as needed as I added the machines.

On 08/10/12 14:56, rodrigo tavares wrote:

Hello! I configured samba and ldap; when I join the domain, this error comes: not possible to locate the name of user. I searched about this error in Google, and the solution is to create the machine names in the Linux system. But I have 50 machines, and creating all the machine users is very bad. Is there another solution?

Thanks
Rodrigo Faria
Re: [Samba] samba server in openvz container - venet or veth0?
If you don't use WINS, and you are trying to log into the domain, the client will broadcast for a DC server. This normally works OK if everything is on the same LAN. If broadcast doesn't work, then using WINS helps find the DCs, since the WINS database on the WINS server includes name-to-ip entries for DCs as well as hosts.

For simpler things like connecting to network shares, Windows clients can use DNS to find machine names. So if you want to map a user drive (e.g. net use R: \\someserver\someshare) this should work fine without WINS. After all, the client is doing all the name resolution. This is supposing of course that the server's IP name and netbios name are the same.

However, in practice there does seem to be a server-side issue. I have several samba servers and I ran into the following problem: from a VPN client, I could use net use \\server1_hostname and net use \\server2_hostname to connect to shared resources. I could NOT use net use \\server3_hostname. VPN clients did not use WINS, and NETBIOS broadcasts were blocked for VPN clients, even though the VPN client appeared to be on the same subnet. VPN clients could resolve host names via DNS. They could even connect with net use \\server3_IP_address. Packet captures showed that the clients were in fact reaching server3_hostname but that server3 would not respond. The server should NOT be attempting to resolve the client names but, for some reason, it was.

On 08/10/12 14:44, Birgit Berger (UV Wien) wrote:

Sorry to bother you again. I cannot join Win7 or WinXP clients to my samba domain server located on a Debian server in a VE (openvz) unless I set up the server and clients to use WINS. But the recommendation is not to use WINS. openvz natively uses venet. venet makes broadcasting impossible. I guess DNS is sufficient for name-IP resolution but not for NetBIOS name-IP resolution (it doesn't know name types and maybe that's why it cannot find the DMB and logon server?) and that's why my Win7 and WinXP clients cannot join the domain.

So given my virtual server setup with openvz, do you rather suggest to use WINS or to set up veth so I can use normal broadcasting? Or are there other ways to do name resolution with a samba server installed in a VE container which I overlooked? I'm a newbie and netbios name resolution is hard to understand, so I would be very happy to get any suggestions from people already using a samba server in an openvz container: do you guys use venet or veth, or do you just activate WINS?

birgit

===

Thank you Johannes. No, I don't really need WINS but it was the only way I could join clients to the domain so far, so I activated it. DNS should be available and working too. /etc/nsswitch.conf looks like this:

hosts: files dns

Can I use venet with samba or should I change to veth?

regards, birgit

Johannes Truschnigg johan...@truschnigg.info writes:

Hi Birgit,

On Tue, Aug 07, 2012 at 01:38:32PM +0200, Birgit Berger (UV Wien) wrote:

I'm new to the list, hopefully my question is correctly placed here... I'd installed my samba server 3.5.6 on Debian squeeze in an openvz container that uses venet. I'd love to keep it that way but I'm not sure if that is ok. Do you use the samba server with venet or do I have to change to veth? I already read http://wiki.openvz.org/Differences_between_venet_and_veth and I don't want to install shorewall in every container (VE). Also venet seems easier to administrate and is faster. I read http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html and nmblookup (chapters 4, 5, 6 and 10) doesn't work. This is because of venet, I suppose, because with venet broadcasting doesn't work. But do I really need it for the Samba server or can I just use DNS (on other servers than the samba server) and a WINS server (on the samba server)? Can I stick to venet or should I use veth?

Do you have clients on the network that you know absolutely require WINS for resolving names? (I'd actually have a hard time believing that, but who knows...) Other than that, not having WINS but DNS as its modern and sensible replacement in working condition should be perfectly sufficient for your day-to-day Samba (and other networking) needs. I've been running Samba without nmbd enabled for a few years now (with Windows XP, Windows 7 and GNU/Linux as clients) and did not run into any problems because of that.

Greetings from and to Vienna ;)

--
with best regards:
- Johannes Truschnigg ( johan...@truschnigg.info )
www: http://johannes.truschnigg.info/
phone: +43 650 2 17
xmpp: johan...@truschnigg.info
Please do not bother me with HTML-email or attachments. Thank you.

Johannes Truschnigg johan...@truschnigg.info writes:

Hello again,

On Tue, Aug 07, 2012 at 02:28:24PM +0200, Birgit Berger (UV Wien) wrote:

thank you Johannes. no, I don't really need WINS but it was the only
Re: [Samba] 3.0.9-3.0.37 Deleting files not working
I ran into issues when I switched to ZFS. The problem is that ZFS ACLs seem to be more similar to NTFS ACLs (compared to UFS-NTFS compatibility). But you can run into an issue where perms that are additive in unix are interpreted as "least permissive" or "deny trumps all" in Windows. For example, a 770 perm in unix means user and group are granted full perms, and no perms are granted to anyone else. In Windows this can get interpreted as "deny the world" even if the user or group had explicitly been granted permissions.

Samba 3.0.x from source code does not include the zfs modules. The version bundled with the OS (from Sun) has it backported. Assuming you are using the version from Sun? They should be up to 3.5.x.

I added some vfs and nfs parameters in my share configs. I had to open a support ticket with Sun/Oracle, since Office files would get deleted on the 5th or 7th save when Office tried to rewrite the entire file.

[projects]
path = /export/Projects
#valid users = @group1, user1
read only = No
create mask = 0770
force create mode = 0600
directory mask = 0775
force directory mode = 0600
vfs objects = zfsacl
nfs4: mode = special
zfsacl: acesort = dontcare
inherit acls = Yes
nfs4:acedup = merge
nfs4:chown = yes

The inheritance thing is also a little tricky: even though zfs supports inheritance, I think the Windows inheritance rules are used for the Windows clients, which is fine. (The latest kernel update seems to have changed something though.) Setting zfs ACL perms via the command line is a PITA. It is probably easier for the Windows owner of the file to reset permissions; he or she may get a message that the perms are incorrectly ordered, and he/she may need to clear out explicit deny access control entries.

I skipped the valid users entry in the share config, since the permissions are enforced via ACLs anyway. Samba permissions with UFS did not cause as much headache for me.

On 08/09/12 03:02, ing...@gmx.net wrote:

x86 zfs and Sparc ufs. Problem happens on both platforms though.

On 08/08/12 08:01, gaiseric.van...@gmail.com wrote:

zfs or ufs?

On 08/08/12 08:01, ing...@gmx.net wrote:

Hello, we were using Samba 3.0.9 on Solaris 10 x86 and Sparc in a productive environment and upgraded to 3.0.37 to fix a security vulnerability. Now we experience problems in some circumstances when we try to delete a file from a share mounted by a Windows client. The share is named ZENTRAL. This is the share entry:

[ZENTRAL]
comment=Ablage ZENTRAL
path=/daten/ablagen/ZENTRAL
case sensitive=no
create mask=0770
valid users=@ZENTRAL
write list=@ZENTRAL
force group=ZENTRAL

These are the unix rights:

drwxrwx---  2 root  other     512 Aug 8 11:15 .
drwxrwx--x 35 root  ZENTRAL  2048 Aug 8 10:26 ..
-rwxrwxrwx  1 user1 ZENTRAL     0 Aug 8 11:15 neu.txt

(This is the share root directory: /daten/ablagen/ZENTRAL)

user1 belongs to the groups other and ZENTRAL and is able to delete this file using a unix shell and navigating to the directory, but he is not able to delete it using the samba share. He gets a permission denied. This behaviour is new. With 3.0.9 it is possible to delete this file. When I chgrp the directory . to ZENTRAL everything works as expected with 3.0.37 too. The problem only exists when the . directory does not have the same group as the share.

If needed, here is our global section. Some of these entries could be plain wrong respectively not needed, but we are not able to change them easily because of company guidelines.

[global]
os level=65
password level=1
security=user
encrypt passwords=yes
smb passwd file=/usr/local/samba/private/smbpasswd
workgroup=ourgroup
guest account=nobody
max log size=30
share modes=yes
locking=yes
strict locking=yes
lock directory=/var/adm/samba/locks
; max log size = 5000
log level=1
log file=/var/adm/samba/smb.log
pid directory=/var/run
server string=%h
force directory mode=0770
browseable=no
follow symlinks=no
preserve case=no
short preserve case=no
case sensitive=no
oplocks=no
level2 oplocks=no
wins support=yes

The question is: Is this a bug or a feature? If a feature, then what is the intention behind this feature, as the user has delete rights for this file using unix and so should have these rights using samba too, I think. Is there a conf parameter that we can set to get back the old behaviour?

With kind regards,
Björn
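The "770 becomes deny-the-world" effect described in the reply above, and the "share permissions open to everyone, file system permissions per folder" layering recommended in the "using samba similar to windows shares" thread, can both be modelled in a few lines. The following Python is an added illustration, not code from the thread and not Samba's own ACL translation: it turns a POSIX mode into an ordered ACL twice (the additive reading, and a variant that writes the missing "other" bits out as an explicit Everyone deny entry placed first), evaluates the ACL the way Windows does (walk in order, first matching deny on an outstanding right rejects, allows accumulate), and intersects that with a share-level grant. The users alice, bob and carol, the groups group1, group2 and staff, and the modes are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

PERMS = ("r", "w", "x")
BITS = {"r": 4, "w": 2, "x": 1}


@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    who: str                # "owner", "everyone" or "group:<name>"
    perms: FrozenSet[str]   # subset of PERMS


@dataclass(frozen=True)
class FileAcl:
    owner: str
    group: str
    aces: Tuple[Ace, ...]   # evaluation order matters, as in an NTFS/ZFS ACL


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]

    def matches(self, who: str, owner: str) -> bool:
        if who == "everyone":
            return True
        if who == "owner":
            return self.name == owner
        return who.startswith("group:") and who[len("group:"):] in self.groups


def _class_perms(triplet: int) -> FrozenSet[str]:
    return frozenset(p for p, bit in BITS.items() if triplet & bit)


def posix_mode_to_acl(mode: int, owner: str, group: str,
                      extra_groups: Iterable[Tuple[str, str]] = ()) -> FileAcl:
    """Additive (POSIX) reading of a mode such as 0o770: every class only grants,
    and 'nobody else' is just the absence of a grant for Everyone. extra_groups
    are further named-group grants, the way setfacl adds a second group."""
    u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    aces = [Ace("allow", "owner", _class_perms(u)),
            Ace("allow", f"group:{group}", _class_perms(g))]
    aces += [Ace("allow", f"group:{name}", frozenset(perms)) for name, perms in extra_groups]
    aces.append(Ace("allow", "everyone", _class_perms(o)))
    return FileAcl(owner, group, tuple(aces))


def deny_first_acl(acl: FileAcl) -> FileAcl:
    """The translation the reply warns about: the bits the 'other' class lacks
    become an explicit Everyone deny entry, placed ahead of all allow entries."""
    everyone = next(a for a in acl.aces if a.who == "everyone")
    denied = frozenset(PERMS) - everyone.perms
    deny = (Ace("deny", "everyone", denied),) if denied else ()
    return FileAcl(acl.owner, acl.group, deny + acl.aces)


def windows_access_check(acl: FileAcl, principal: Principal, requested: Iterable[str]) -> bool:
    """Windows-style evaluation: first matching deny that covers a still-wanted
    right rejects the request; matching allows remove rights from the wanted set."""
    wanted = set(requested)
    for ace in acl.aces:
        if not wanted:
            break
        if not principal.matches(ace.who, acl.owner):
            continue
        if ace.kind == "deny" and ace.perms & wanted:
            return False
        if ace.kind == "allow":
            wanted -= ace.perms
    return not wanted


def effective_access(share_perms: Iterable[str], acl: FileAcl,
                     principal: Principal, requested: Iterable[str]) -> bool:
    """Share layer (granted to Everyone) intersected with the file system ACL."""
    if not set(requested) <= set(share_perms):
        return False
    return windows_access_check(acl, principal, requested)


def demo() -> dict:
    # Constructed scenario: main folder shared to everyone, subfolder for two groups.
    alice = Principal("alice", frozenset({"group1"}))
    bob = Principal("bob", frozenset({"group2"}))
    carol = Principal("carol", frozenset({"staff"}))
    root = Principal("root", frozenset())
    share = frozenset(PERMS)                      # share permissions: Everyone, full
    main = posix_mode_to_acl(0o755, "root", "staff")
    sub = posix_mode_to_acl(0o770, "root", "group1", extra_groups=[("group2", "rx")])
    sub_deny_first = deny_first_acl(sub)          # same mode, 'deny the world' first
    return {
        "carol_reads_main": effective_access(share, main, carol, "r"),
        "carol_writes_main": effective_access(share, main, carol, "w"),
        "alice_writes_sub": effective_access(share, sub, alice, "rw"),
        "bob_reads_sub": effective_access(share, sub, bob, "r"),
        "bob_writes_sub": effective_access(share, sub, bob, "w"),
        "carol_reads_sub": effective_access(share, sub, carol, "r"),
        "alice_writes_sub_deny_first": effective_access(share, sub_deny_first, alice, "rw"),
        "owner_writes_sub_deny_first": effective_access(share, sub_deny_first, root, "w"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30s} {'granted' if ok else 'DENIED'}")
```

The last two results are the point of the reply: with the additive ACL the 0o770 subfolder behaves as the unix mode says (group1 writes, group2 reads, everyone else is simply not granted anything), but once the absent "other" bits are spelled out as a leading deny for Everyone, that deny matches the owner and the group members too, and a Windows-style check rejects them before it ever reaches their allow entries. Clearing such explicit deny entries, as the reply suggests, restores the additive behaviour.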
Re: [Samba] Problems connecting win7 client to new Samba PDC
Did you make the appropriate registry changes on Win 7 as per http://wiki.samba.org/index.php/Windows7?

On 08/09/12 09:28, Brandon wrote:

Here's some more information on my problem:

smb.conf:
--- begin smb.conf ---
[global]
workgroup = MYWORKGROUP
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u
logon script = logon.cmd
logon path =
logon home =
domain logons = Yes
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
--- end smb.conf ---

Here's the pdbedit -Lv output for my user:

--- begin output ---
Unix username:        myadmin
NT username:
Account Flags:        [U ]
User SID:             S-1-5-21-2762049607-2166809996-183419993-1000
Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
Full Name:
Home Directory:
HomeDir Drive:
Logon Script:         logon.cmd
Profile Path:
Domain:               MYWORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Wed, 08 Aug 2012 17:54:50 EDT
Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF
--- end output ---
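As an added example (not part of the thread and not a Samba tool), here is a small Python checker for the kind of smb.conf posted above. It parses the file with the standard-library configparser (interpolation switched off because of Samba's %-macros, "=" as the only delimiter so a key like "idmap config * : backend" survives), applies the "flat NetBIOS-compatible name, at most 15 characters, no dots" rule from the "Re: [Samba] help" thread to workgroup and netbios name, and reports which shares are reachable as guest together with the global map to guest policy. The embedded configuration is a constructed excerpt modelled on Brandon's smb.conf; the reported lines are findings to review, not verdicts.

```python
import configparser

# Constructed excerpt modelled on the smb.conf posted in the thread above.
SAMPLE_SMB_CONF = """
[global]
   workgroup = MYWORKGROUP
   server string = %h server (Samba, Ubuntu)
   map to guest = Bad User
   domain logons = Yes
   usershare allow guests = Yes
   idmap config * : backend = tdb

[netlogon]
   comment = Network Logon Service
   path = /srv/samba/netlogon
   guest ok = Yes

[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: [sections], 'key = value', ';' or '#' comments."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cfg.read_string(text)
    return cfg


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def check_domain_name(cfg: configparser.ConfigParser) -> list:
    """Samba 3.x (NT4-style) domains need a flat NetBIOS-compatible name:
    at most 15 characters and no dots (MIDEARTH works, MIDEARTH.MILANO does not)."""
    findings = []
    for key in ("workgroup", "netbios name"):
        if cfg.has_option("global", key):
            name = cfg.get("global", key).strip()
            if len(name) > 15:
                findings.append(f"{key} '{name}' is longer than 15 characters")
            if "." in name:
                findings.append(f"{key} '{name}' contains a dot; use a flat NetBIOS name")
    return findings


def guest_reachable_shares(cfg: configparser.ConfigParser):
    """Return (map to guest policy, shares with 'guest ok'/'public' set).
    'map to guest' decides whether an unknown user is turned into the guest
    account at all; 'guest ok' (synonym 'public') opens an individual share."""
    map_to_guest = cfg.get("global", "map to guest", fallback="Never").strip().lower()
    shares = []
    for section in cfg.sections():
        if section == "global":
            continue
        flags = [cfg.get(section, k) for k in ("guest ok", "public") if cfg.has_option(section, k)]
        if any(_is_true(v) for v in flags):
            shares.append(section)
    return map_to_guest, sorted(shares)


def audit(text: str) -> list:
    """Human-readable findings for one smb.conf text."""
    cfg = parse_smb_conf(text)
    findings = check_domain_name(cfg)
    map_to_guest, shares = guest_reachable_shares(cfg)
    if map_to_guest != "never":
        findings.append(f"map to guest = {map_to_guest}: failed or unknown logins may be mapped to the guest account")
    for share in shares:
        findings.append(f"share [{share}] allows guest access")
    if _is_true(cfg.get("global", "usershare allow guests", fallback="no")):
        findings.append("usershare allow guests = yes: user-defined shares may admit guests too")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SMB_CONF):
        print(line)
```

Reading a live file is just `audit(open("/etc/samba/smb.conf").read())`. On a PDC a guest-readable [netlogon] is normal, so the point of the guest findings is to see them next to each other: with map to guest set to anything other than Never, a mistyped username is silently served as guest, and every share listed is what that guest then reaches.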
Re: [Samba] Samba 3.3.4 - Win7 Latency with MS Office files
Did you try enabling the name service caching daemon on the server? (It has its pros and cons.) I would also try XP + Office 2010 and Win 7 + Office 2007 to see if you can shake out which is the actual problem. Also, can you configure Office to store temp files on the local PC, and not in the same directory where the Office file is located?

On 08/08/12 16:51, John Goubeaux wrote:

Folks, I am running a 3.3.4 version of Samba (stand-alone) on Solaris 10, configured to auth against LDAP for user auth, and have recently, after migrating a variety of user desktops to Win7 and MS Office 2010, begun seeing an increased latency in opening files, i.e. previous times of 3 are now 30-45. Users were previously running WinXP and using MS Office 2007. Question: Is an upgrade to the latest stable 3.x version likely to resolve this, OR am I also missing some more stringent security settings I need to address because of Win7? Any ideas or clues appreciated.
-john
Re: [Samba] LDAP - Samba password synchronization
The best approach is to configure samba to change the ldap password when a samba password changes. See the smb.conf man page and the password sync and password chat options. If you have unix users who want to change their ldap passwords, tell them to use the smbpasswd -r pdc_server_name command; if password sync is enabled in samba then both their ldap and samba passwords will change.

Samba and Unix use different password hash mechanisms so you have to have separate password fields. The only other secure way may be to configure Windows clients to use kerberos authentication, but that is a much bigger project.

On 08/09/12 09:55, RAKESH PRITMANI wrote:

Is there a way to synchronize SambaLMPassword/NTLMpassword from the LDAP password? ldap passwd sync allows syncing the ldap password from samba; I need the other way. I already have an external LDAP server with CRYPT passwords and need to set SambaLMPasswd with these LDAP passwords.
Re: [Samba] Problems connecting win7 client to new Samba PDC
That looks OK. You should not need a login script defined for a computer account.

Are you able to login as the Domain Administrator? Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

On 08/09/12 10:37, Brandon wrote:
>> did you make the appropriate registry changes on Win 7 as per http://wiki.samba.org/index.php/Windows7
>
> Yes, I've downloaded the 3.6.3 script and ran it on the client, as well as manually checked that the settings were only the two described in the wiki article.
>
>> Have you tried adding a machine account for your CLIENTPC i.e.
>> # pdbedit -a -m -u CLIENTPC
>
> Yes, I let the account be auto-generated when connecting to the domain. I should have specified that there are other users I didn't include in the print out. Here is the machine account from pdbedit (note that I changed the logon script in smb.conf from .cmd to .bat a few minutes ago, and the update can be seen here):
>
> ---
> Unix username:        CLIENTPC$
> NT username:
> Account Flags:        [W ]
> User SID:             S-1-5-21-2762049607-2166809996-183419993-1001
> Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
> Full Name:            CLIENTPC$
> Home Directory:
> HomeDir Drive:
> Logon Script:         logon.bat
> Profile Path:
> Domain:               MYWORKGROUP
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
> Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
> Password last set:    Wed, 08 Aug 2012 13:44:36 EDT
> Password can change:  Wed, 08 Aug 2012 13:44:36 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FF
> ---
>
> Also, I've got a bit more information from the log.CLIENTPC:
>
> [2012/08/09 10:14:56.686577, 0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
>   pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
> [2012/08/09 10:14:56.794994, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$
>
> There are also a number of windows events:
>
> --- begin windows events paste ---
> The winlogon notification subscriber Profiles failed a critical notification event.
> Windows cannot copy file C:\Users\Default\NTUSER.DAT to location C:\Users\myadmin\NTUSER.DAT. This error may be caused by network problems or insufficient security rights.
> Windows cannot copy file \\?\C:\Users\Default\Videos to location \\?\C:\Users\myadmin\Videos. This error may be caused by network problems or insufficient security rights.
> Windows cannot copy file \\?\C:\Users\Default\Saved Games to location \\?\C:\Users\myadmin\Saved Games. This error may be caused by network problems or insufficient security rights.
> Note: To keep the e-mail shorter I won't paste them all, but the last events repeat with a bunch of similar directories.
> There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.
> Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
> Windows cannot copy file C:\Users\Default\NTUSER.DAT to location C:\Users\TEMP.MYWORKGROUP\NTUSER.DAT. This error may be caused by network problems or insufficient security rights.
> Note: This last event again repeats with a number of similar directories.
> There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.
> Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
> The winlogon notification subscriber Sens failed a notification event.
> --- end windows events paste ---
Re: [Samba] Samba 3.3.4 - Win7 Latency with MS Office files
Name service caching works at the unix level- it caches user and group lookups (e.g. results of getent passwd and getent group.) So that could include winbind if nsswitch.conf includes winbind. On Solaris, it is defined as follows:

bash-3.00# svcs -a | grep name
disabled       Jul_18   svc:/system/name-service-cache:default

The actual executable is nscd (same as Linux.)

A DC normally doesn't need winbind since the samba users map directly to local unix accounts. However, the delay could be in the ldap user retrieval.

I don't use nameservice cache myself because I found that group changes did not come into effect quickly enough.

On 08/09/12 14:14, John Goubeaux wrote:
> Thanks for the ideas! Does enabling nameservice caching mean starting winbindd? Wondering what the implications of having this running on a network with an actual Win DC running as well are? Meaning this is a standalone instance of a samba server that I am troubleshooting.
>
> I have a development version running the latest, 3.6.7 build and am testing with Win7 clients but seem to still be getting latency after multiple files are opened. I will try the temp file default location change though as well.
>
> -john
>
> At 9:50 AM -0400 8/9/12, Gaiseric Vandal wrote:
>> Did you try enabling the name service caching daemon on the server? (It has its pros and cons.) I would also try XP+Office 2010 and Win 7+Office 2007 to see if you can shake out which is the actual problem. Also, can you configure Office to store temp files on the local PC, and not in the same directory where the Office file is located?
>>
>> On 08/08/12 16:51, John Goubeaux wrote:
>>> Folks,
>>>
>>> I am running a 3.3.4 version of Samba (stand alone) on Solaris 10 configured to auth against LDAP for user auth and have recently, after migrating a variety of user desktops to Win7 and MS Office 2010, began seeing an increased latency in opening files, ie previous 3 times are now 30-45. Users were previously running WinXP and using MS Office 2007.
>>>
>>> Question: Is an upgrade to the latest stable 3.x version likely to resolve this OR am I also missing some more stringent security settings I need to address b/c of Win7? Any ideas or clues appreciated.
>>>
>>> -john
Re: [Samba] password change problem and no logon servers available
Is this a single domain controller environment (1 PDC) or do you also have one or more BDC's? Are you using WINS? That should help clients find domain controllers. Is there a difference between XP and Windows 7 clients?

As you probably know, you can login to a windows machine with cached credentials even if it is not connected to the network. I found with Windows 7 machines sometimes you may have logged into the computer with your network account, the domain controller was not reached, you get authenticated with cached credentials and you don't know there is an issue until you try changing your password. This is more likely to happen with laptops that may get disconnected and reconnected from the network without doing a complete shutdown 1st.

"pdbedit -Lv username" should show you if the X flag is set for the user- if the X flag is set the user's password should never expire even if the domain policy sets a max password age. If you have an ldap browser, look at the top level sambaDomainObject. There may be a sambamaxpwdage (n seconds) param.

On 08/08/12 06:12, Florian Scholz wrote:
> Hi,
>
> we are using SAMBA 3.6.1-1 (updating this archlinux machine is too ugly) and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend and manage the users, groups and computers by using the smbldap-tools. Currently we are experiencing the following problems:
>
> 1. changing the passwords takes longer than 30 seconds - That's bad because we are using a gigabit ethernet network!
> 2. sometimes windows tells us that the user can't change their passwords at the current point of time
> 3. sometimes windows forces the users to change their passwords (we never told samba to do it!)
> 4. sometimes windows tells us that there are no logon servers available!
>
> Are there any known bugs regarding these problems? Do you need further information to investigate this problem?
>
> Florian Scholz
Re: [Samba] 3.0.9-3.0.37 Deleting files not working
zfs or ufs?

On 08/08/12 08:01, ing...@gmx.net wrote:
> Hello,
>
> we were using Samba 3.0.9 on Solaris 10 x86 and Sparc in a productive environment and upgraded to 3.0.37 to fix a security vulnerability. Now we experience problems in some circumstances when we try to delete a file from a share mounted by a Windows client. The share is named ZENTRAL. This is the share entry:
>
> [ZENTRAL]
> comment=Ablage ZENTRAL
> path=/daten/ablagen/ZENTRAL
> case sensitive=no
> create mask=0770
> valid users=@ZENTRAL
> write list=@ZENTRAL
> force group=ZENTRAL
>
> These are the unix rights:
>
> drwxrwx---   2 root  other    512 Aug 8 11:15 .
> drwxrwx--x  35 root  ZENTRAL 2048 Aug 8 10:26 ..
> (This is the share root directory: /daten/ablagen/ZENTRAL)
> -rwxrwxrwx   1 user1 ZENTRAL    0 Aug 8 11:15 neu.txt
>
> user1 belongs to the groups other and ZENTRAL and is able to delete this file using a unix shell and navigating to the directory, but he is not able to delete it using the samba share. He gets a permission denied. This behaviour is new. With 3.0.9 it is possible to delete this file. When I chgrp the directory . to ZENTRAL everything works as expected with 3.0.37 too. The problem only exists when the . directory does not have the same group as the share.
>
> If needed, here is our global section. Some of these entries could be plain wrong respectively not needed, but we are not able to change them easily because of company guidelines.
>
> [global]
> os level=65
> password level=1
> security=user
> encrypt passwords=yes
> smb passwd file=/usr/local/samba/private/smbpasswd
> workgroup=ourgroup
> guest account=nobody
> max log size=30
> share modes=yes
> locking=yes
> strict locking=yes
> lock directory=/var/adm/samba/locks
> ; max log size = 5000
> log level=1
> log file=/var/adm/samba/smb.log
> pid directory=/var/run
> server string=%h
> force directory mode=0770
> browseable=no
> follow symlinks=no
> preserve case=no
> short preserve case=no
> case sensitive=no
> oplocks=no
> level2 oplocks=no
> wins support=yes
>
> The question is: Is this a bug or a feature? If a feature, then what is the intention behind this feature, as the user has delete rights for this file using unix and so should have these rights using samba too I think. Is there a conf parameter that we can set to get back the old behaviour?
>
> With kind regards,
> Björn
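The observation in this thread turns on a POSIX rule that is easy to forget: whether a process may unlink a file is decided by write and search permission on the parent directory, never by the mode of the file itself (neu.txt being 0777 is irrelevant). The model below is an added example, not Samba code; it takes the owner, group and mode values from the `ls` listing posted above and shows which permission class of the directory decides the outcome. The identity that carries only the ZENTRAL group is a constructed case: the thread does not establish what groups smbd runs under with `force group`, so the example only shows why `chgrp ZENTRAL .` makes the delete succeed.

```python
"""POSIX unlink permission model for the ZENTRAL share case (added example).

The inode values are copied from the ls -la output in the thread; the
ZENTRAL-only identity is constructed to show which class decides.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int           # permission bits only, e.g. 0o770 (| S_ISVTX if sticky)


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset   # every group the process currently carries


def permits(node: Inode, who: Identity, want: int) -> bool:
    """Classic DAC check. `want` is an rwx bitmask (r=4, w=2, x=1).
    Exactly one class applies: owner, else group, else other."""
    if who.user == "root":
        return True                  # simplified: root bypasses DAC
    if who.user == node.owner:
        bits = (node.mode >> 6) & 0o7
    elif node.group in who.groups:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return bits & want == want


def can_unlink(parent: Inode, target: Inode, who: Identity) -> bool:
    """unlink(2) needs write+search on the parent directory; the target's
    own mode is not consulted. With the sticky bit set, only the file owner,
    the directory owner or root may remove the entry."""
    if not permits(parent, who, 0o3):
        return False
    if parent.mode & stat.S_ISVTX and who.user not in (target.owner, parent.owner):
        return who.user == "root"
    return True


def explain(parent: Inode, target: Inode, who: Identity) -> str:
    """Report the verdict and the parent-directory class that produced it."""
    if who.user == parent.owner:
        cls = "owner"
    elif parent.group in who.groups:
        cls = "group"
    else:
        cls = "other"
    verdict = "allowed" if can_unlink(parent, target, who) else "denied"
    return f"{verdict} via '{cls}' class of parent dir ({parent.group}, {oct(parent.mode)})"


# Values from the thread's listing.
SHARE_SUBDIR = Inode(owner="root", group="other", mode=0o770)        # "." as posted
NEU_TXT = Inode(owner="user1", group="ZENTRAL", mode=0o777)
# The same directory after the poster's "chgrp ZENTRAL .".
SHARE_SUBDIR_FIXED = Inode(owner="root", group="ZENTRAL", mode=0o770)

# user1 from a Unix shell: member of both groups, as the poster states.
SHELL_USER1 = Identity("user1", frozenset({"other", "ZENTRAL"}))
# Constructed: user1 carrying only the forced group ZENTRAL.
ZENTRAL_ONLY_USER1 = Identity("user1", frozenset({"ZENTRAL"}))


if __name__ == "__main__":
    cases = [
        ("shell, both groups, dir group=other   ", SHARE_SUBDIR, SHELL_USER1),
        ("ZENTRAL only,      dir group=other   ", SHARE_SUBDIR, ZENTRAL_ONLY_USER1),
        ("ZENTRAL only,      dir group=ZENTRAL ", SHARE_SUBDIR_FIXED, ZENTRAL_ONLY_USER1),
    ]
    for label, parent, who in cases:
        print(label, explain(parent, NEU_TXT, who))
```

The third case reproduces the poster's workaround: once the directory's group is ZENTRAL, the group class of the directory grants write+search to anyone carrying that group, regardless of what the file's own mode says.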
Re: [Samba] password change problem and no logon servers available
3. If you were able to join the domain and log in to your PC, then your registry settings should not be an issue. I meant do you have this problem with XP and Win 7 or only Win 7?

On 08/08/12 12:05, Florian Scholz wrote:
> 1. Only one PDC per subnetwork (physically another town)
> 2. I don't know if I'm using WINS but I don't think so.
> 3. Yes, there are some registry settings you have to apply to Windows 7 to make it compatible with SAMBA 3.6
> 4. Yes but I don't get the temporary session message :)
> 5. The X-flag isn't set.
>
> # ASTA, asta.lan
> dn: sambaDomainName=ASTA,dc=asta,dc=lan
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: ASTA
> sambaSID: S-1-5-21-3963991337-2686100338-2601203207
> sambaPwdHistoryLength: 0
> sambaMaxPwdAge: -1
> sambaLockoutThreshold: 0
> sambaRefuseMachinePwdChange: 0
> sambaLogonToChgPwd: 0
> sambaMinPwdAge: 0
> sambaForceLogoff: -1
> sambaMinPwdLength: 4
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> gidNumber: 1049
> sambaNextRid: 1028
> uidNumber: 1209
>
> 2012/8/8 Gaiseric Vandal gaiseric.van...@gmail.com
>> Is this a single domain controller environment (1 PDC) or do you also have one or more BDC's? Are you using WINS? That should help clients find domain controllers. Is there a difference between XP and Windows 7 clients?
>>
>> As you probably know, you can login to a windows machine with cached credentials even if it is not connected to the network. I found with Windows 7 machines sometimes you may have logged into the computer with your network account, the domain controller was not reached, you get authenticated with cached credentials and you don't know there is an issue until you try changing your password. This is more likely to happen with laptops that may get disconnected and reconnected from the network without doing a complete shutdown 1st.
>>
>> "pdbedit -Lv username" should show you if the X flag is set for the user- if the X flag is set the user's password should never expire even if the domain policy sets a max password age. If you have an ldap browser, look at the top level sambaDomainObject. There may be a sambamaxpwdage (n seconds) param.
>>
>> On 08/08/12 06:12, Florian Scholz wrote:
>>> Hi,
>>>
>>> we are using SAMBA 3.6.1-1 (updating this archlinux machine is too ugly) and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend and manage the users, groups and computers by using the smbldap-tools. Currently we are experiencing the following problems:
>>>
>>> 1. changing the passwords takes longer than 30 seconds - That's bad because we are using a gigabit ethernet network!
>>> 2. sometimes windows tells us that the user can't change their passwords at the current point of time
>>> 3. sometimes windows forces the users to change their passwords (we never told samba to do it!)
>>> 4. sometimes windows tells us that there are no logon servers available!
>>>
>>> Are there any known bugs regarding these problems? Do you need further information to investigate this problem?
>>>
>>> Florian Scholz
Re: [Samba] password change problem and no logon servers available
I would look at the windows event log. It may be of help. Also "nbtstat -a" should show you the IP addresses for the domain, DC's and master browser. I found with both Samba and NT4 domains that using WINS helped- it shouldn't cause new problems at least.

On 08/08/12 12:17, Florian Scholz wrote:
> I'm not using XP anymore.. and I meant that I applied the http://wiki.samba.org/index.php/Windows7 stuff before adding the computers to the domain
>
> 2012/8/8 Gaiseric Vandal gaiseric.van...@gmail.com
>> 3. If you were able to join the domain and log in to your PC, then your registry settings should not be an issue. I meant do you have this problem with XP and Win 7 or only Win 7?
>>
>> On 08/08/12 12:05, Florian Scholz wrote:
>>> 1. Only one PDC per subnetwork (physically another town)
>>> 2. I don't know if I'm using WINS but I don't think so.
>>> 3. Yes, there are some registry settings you have to apply to Windows 7 to make it compatible with SAMBA 3.6
>>> 4. Yes but I don't get the temporary session message :)
>>> 5. The X-flag isn't set.
>>>
>>> # ASTA, asta.lan
>>> dn: sambaDomainName=ASTA,dc=asta,dc=lan
>>> objectClass: top
>>> objectClass: sambaDomain
>>> objectClass: sambaUnixIdPool
>>> sambaDomainName: ASTA
>>> sambaSID: S-1-5-21-3963991337-2686100338-2601203207
>>> sambaPwdHistoryLength: 0
>>> sambaMaxPwdAge: -1
>>> sambaLockoutThreshold: 0
>>> sambaRefuseMachinePwdChange: 0
>>> sambaLogonToChgPwd: 0
>>> sambaMinPwdAge: 0
>>> sambaForceLogoff: -1
>>> sambaMinPwdLength: 4
>>> sambaLockoutDuration: 30
>>> sambaLockoutObservationWindow: 30
>>> gidNumber: 1049
>>> sambaNextRid: 1028
>>> uidNumber: 1209
>>>
>>> 2012/8/8 Gaiseric Vandal gaiseric.van...@gmail.com
>>>> Is this a single domain controller environment (1 PDC) or do you also have one or more BDC's? Are you using WINS? That should help clients find domain controllers. Is there a difference between XP and Windows 7 clients?
>>>>
>>>> As you probably know, you can login to a windows machine with cached credentials even if it is not connected to the network. I found with Windows 7 machines sometimes you may have logged into the computer with your network account, the domain controller was not reached, you get authenticated with cached credentials and you don't know there is an issue until you try changing your password. This is more likely to happen with laptops that may get disconnected and reconnected from the network without doing a complete shutdown 1st.
>>>>
>>>> "pdbedit -Lv username" should show you if the X flag is set for the user- if the X flag is set the user's password should never expire even if the domain policy sets a max password age. If you have an ldap browser, look at the top level sambaDomainObject. There may be a sambamaxpwdage (n seconds) param.
>>>>
>>>> On 08/08/12 06:12, Florian Scholz wrote:
>>>>> Hi,
>>>>>
>>>>> we are using SAMBA 3.6.1-1 (updating this archlinux machine is too ugly) and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend and manage the users, groups and computers by using the smbldap-tools. Currently we are experiencing the following problems:
>>>>>
>>>>> 1. changing the passwords takes longer than 30 seconds - That's bad because we are using a gigabit ethernet network!
>>>>> 2. sometimes windows tells us that the user can't change their passwords at the current point of time
>>>>> 3. sometimes windows forces the users to change their passwords (we never told samba to do it!)
>>>>> 4. sometimes windows tells us that there are no logon servers available!
>>>>>
>>>>> Are there any known bugs regarding these problems? Do you need further information to investigate this problem?
>>>>>
>>>>> Florian Scholz
Re: [Samba] Samba User authentication from external LDAP server
You need to configure smb.conf with either "unix password sync" (along with "passwd chat" and "passwd program") or with "pam password change".

I use the unix password sync option- it passes the new password value to a shell script which then calls an ldap server command to change the password. The script includes the user ID and pw of an account in the LDAP server with appropriate permissions to set the password.

I don't know if pam password change would work in LDAP. The root account (under which samba runs) has the ability to change local or NIS passwords with the passwd command without knowing the old password. But the unix root account is not by default an LDAP admin.

If you truly want to use only the LDAP password for Samba authentication then you need to configure plain-text password storage for everything. Which is probably a bad idea.

On 08/07/12 11:35, RAKESH PRITMANI wrote:
> I need to authenticate samba users from an external LDAP server. I tried a few options but when I change the LDAP password, the samba password does not change. Is it possible to do away with the Samba password and only use the LDAP password?
>
> Rakesh
Re: [Samba] SMB+LDAP
I have a Sun (Oracle) Directory Server directory server backend. I also use it for unix level authentication. Are you configuring samba as a domain controller or standalone server?

I have uid and uidNumber attributes- you want to make sure that the samba account maps to a unix account somehow. "pdbedit -Lv username" will verify this.

I think with an LDAP backend it will expect an "ldap admin dn" entry. This is not usually a regular user in your company LDAP branch but is instead an administrator. Samba will need to write to LDAP if you add or remove a samba user using smbpasswd or pdbedit, or if you change a user's samba password with samba command line tools or from windows, or if you join or remove a Windows PC from the domain, and if you join the samba server to the domain (this will create domain objects.)

You can of course use LDAP tools to create the user's samba attributes. I don't know how you would easily set the user's samba password. You could probably have a dummy samba machine with a local backend, set a password, then use "smbpasswd -e" to extract the hashed value. Maybe there are additional tools for creating an NT password hash.

Machines will also have accounts with passwords. The passwords may automatically change.

On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
> Hi Folks,
>
> A couple of questions about making SMB (3 or 4) authenticate to an external (anonymous) LDAP server:
>
> 1) A typical LDAP user record is below. Is there anything lacking in this record that would prevent Samba from authenticating against our LDAP server? Note the sambaSID is as is, gobbledygook info:
>
> dsAttrTypeNative:eduPersonAffiliation: Employee Member
> dsAttrTypeNative:givenName: David
> dsAttrTypeNative:homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
> dsAttrTypeNative:mail: dsixp...@csux.edu
> dsAttrTypeNative:objectClass: posixAccount organizationalPerson csuxPerson top sambaSamAccount person inetOrgPerson csuxMain eduPerson
> dsAttrTypeNative:sambaSID: S-1-5-21-XX-XX-XX
> dsAttrTypeNative:sn: Sixpack
> dsAttrTypeNative:csuxPersonGuID: G000242316
> AppleMetaNodeLocation: /LDAPv3/ldap-99.soe.csux.edu
> AppleMetaRecordName: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
> NFSHomeDirectory: /Users/dsixpack
> Password:
> PrimaryGroupID: 12
> RealName: David Sixpack
> RecordName: dsixpack
> RecordType: dsRecTypeStandard:Users
> UniqueID: 9239
> UserShell: /bin/bash
>
> 2) Regarding the "sudo smbpasswd -w secret" step, does this smb user need to exist in our LDAP or that local to the machine running the SMB daemon? I wasn't clear on how this step in the process is supposed to work.
>
> 3) Is the "ldap admin dn =" also required? Note we have read-only access to our LDAP server, though a record could be created for us if absolutely needed.
>
> Any help or ideas MUCH appreciated! Thanks!
>
> David
Re: [Samba] SMB+LDAP
You also need "sambaAccountFlags: [UX]" for user accounts and "sambaAccountFlags: [W]" for machine accounts.

On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
> Hi Folks,
>
> A couple of questions about making SMB (3 or 4) authenticate to an external (anonymous) LDAP server:
>
> 1) A typical LDAP user record is below. Is there anything lacking in this record that would prevent Samba from authenticating against our LDAP server? Note the sambaSID is as is, gobbledygook info:
>
> dsAttrTypeNative:eduPersonAffiliation: Employee Member
> dsAttrTypeNative:givenName: David
> dsAttrTypeNative:homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
> dsAttrTypeNative:mail: dsixp...@csux.edu
> dsAttrTypeNative:objectClass: posixAccount organizationalPerson csuxPerson top sambaSamAccount person inetOrgPerson csuxMain eduPerson
> dsAttrTypeNative:sambaSID: S-1-5-21-XX-XX-XX
> dsAttrTypeNative:sn: Sixpack
> dsAttrTypeNative:csuxPersonGuID: G000242316
> AppleMetaNodeLocation: /LDAPv3/ldap-99.soe.csux.edu
> AppleMetaRecordName: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
> NFSHomeDirectory: /Users/dsixpack
> Password:
> PrimaryGroupID: 12
> RealName: David Sixpack
> RecordName: dsixpack
> RecordType: dsRecTypeStandard:Users
> UniqueID: 9239
> UserShell: /bin/bash
>
> 2) Regarding the "sudo smbpasswd -w secret" step, does this smb user need to exist in our LDAP or that local to the machine running the SMB daemon? I wasn't clear on how this step in the process is supposed to work.
>
> 3) Is the "ldap admin dn =" also required? Note we have read-only access to our LDAP server, though a record could be created for us if absolutely needed.
>
> Any help or ideas MUCH appreciated! Thanks!
>
> David
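The account flags mentioned here ([UX] for users, [W] for machines) and the sambaDomain object posted in the "password change problem" thread above are the two places Samba 3 keeps password-expiry state: the X flag exempts one account, sambaMaxPwdAge sets the domain-wide limit (-1 meaning no limit). The script below is an added example, not Samba or smbldap-tools code; it parses the flag string as `pdbedit -Lv` prints it, parses the LDIF of the domain object exactly as posted in that thread, answers the question the earlier reply asked (can this user's password expire at all?) and lists the policy settings in that object that a defender would normally want tightened. The 8-character minimum used in the findings is an example threshold, not a Samba default.

```python
"""Interpret Samba 3 password-expiry state from pdbedit flags and the
sambaDomain LDAP object (added example, not Samba code)."""
import re

# Copied from the sambaDomain object posted in the thread (the "# ASTA, asta.lan"
# line is an LDIF comment and is skipped by the parser).
SAMPLE_DOMAIN_LDIF = """\
# ASTA, asta.lan
dn: sambaDomainName=ASTA,dc=asta,dc=lan
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: ASTA
sambaSID: S-1-5-21-3963991337-2686100338-2601203207
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaLockoutThreshold: 0
sambaRefuseMachinePwdChange: 0
sambaLogonToChgPwd: 0
sambaMinPwdAge: 0
sambaForceLogoff: -1
sambaMinPwdLength: 4
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
gidNumber: 1049
sambaNextRid: 1028
uidNumber: 1209
"""

# Meaning of the single-letter flags inside sambaAcctFlags / "Account Flags".
FLAG_MEANINGS = {
    "U": "normal user account",
    "W": "workstation (machine) account",
    "X": "password never expires",
    "D": "account disabled",
    "N": "no password required",
    "L": "locked out",
    "I": "interdomain trust account",
    "S": "server trust account",
}


def parse_ldif_entry(text: str) -> dict:
    """One LDIF entry -> {attribute: [values]}; joins folded continuation
    lines (leading space) and skips '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_account_flags(field: str) -> set:
    """'Account Flags:[W          ]' or '[UX]' -> {'W'} / {'U', 'X'}."""
    m = re.search(r"\[([A-Za-z ]*)\]", field)
    if not m:
        raise ValueError(f"no [flags] bracket in {field!r}")
    return set(m.group(1).replace(" ", ""))


def describe_flags(flags: set) -> list:
    return [FLAG_MEANINGS.get(f, f"unknown flag {f}") for f in sorted(flags)]


def _int_attr(domain: dict, name: str, default: int) -> int:
    return int(domain.get(name, [str(default)])[0])


def password_expires(flags: set, domain: dict) -> bool:
    """True only if neither the account (X flag) nor the domain
    (sambaMaxPwdAge = -1, or absent) exempts the password from expiry."""
    if "X" in flags:
        return False
    return _int_attr(domain, "sambaMaxPwdAge", -1) > 0


def policy_findings(domain: dict, min_length: int = 8) -> list:
    """Settings in the domain object that weaken password policy."""
    findings = []
    if _int_attr(domain, "sambaMaxPwdAge", -1) == -1:
        findings.append("sambaMaxPwdAge = -1: no maximum password age, passwords never expire")
    if _int_attr(domain, "sambaLockoutThreshold", 0) == 0:
        findings.append("sambaLockoutThreshold = 0: account lockout disabled")
    if _int_attr(domain, "sambaPwdHistoryLength", 0) == 0:
        findings.append("sambaPwdHistoryLength = 0: password history off, reuse allowed")
    length = _int_attr(domain, "sambaMinPwdLength", 0)
    if length < min_length:
        findings.append(f"sambaMinPwdLength = {length}: below the chosen minimum of {min_length}")
    return findings


if __name__ == "__main__":
    domain = parse_ldif_entry(SAMPLE_DOMAIN_LDIF)
    for flags in ("[W          ]", "[UX]", "[U          ]"):
        parsed = parse_account_flags(flags)
        print(flags, describe_flags(parsed), "expires:", password_expires(parsed, domain))
    for finding in policy_findings(domain):
        print("-", finding)
```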
Re: [Samba] Samba solaris 8 package with Windows 2008 support?
You can check for a precompiled version on blastwave.org. It looks like sunfreeware.com doesn't have the Solaris 8 binaries online anymore. I suspect you will have to compile from source which can be a major PITA on solaris. (If you look for other posts from me on this list you will see this.)

You may be better off moving to Solaris 10, which includes Samba 3.5.x - depending on how old your hardware is. I have a 5 year old Sun V210 (1 GB RAM?) running Solaris 10 comfortably.

On 08/02/12 08:00, Michaels, Stephen P. wrote:
> Hi-
>
> I am running Samba 2.2.8 on Solaris 8. Our Windows team has upgraded Windows 2003 servers Active Directory to Windows 2008. Samba is not working now. Can someone suggest the best Samba version for Solaris 8 that I can upgrade to that will support the new Windows 2008 authentication mechanism.
>
> Thanks
> -Steve
>
> Stephen P. Michaels
> ITSD Server Systems Group
> The Johns Hopkins University Applied Physics Laboratory
> 11100 Johns Hopkins Rd.
> Laurel, MD. 20723-6099
> (443) 778-7527 Office
> (443) 324-2686 Mobile
Re: [Samba] Access and group issues on domain member server (PDC is Samba as well)
I think there are two components- 1st, I think the domain member does need to run winbind to retrieve windows users and groups from the DC. 2nd, the domain member needs to have idmap configured correctly to make sure that the windows users are properly mapped to the local unix users, so that the unix/windows mappings are the same as on the DC. (The fact that the local unix users are actually ldap accounts is not known to the samba server.)

In theory the idmap_nss backend should help keep idmap entries consistent across Samba servers with a common LDAP backend. The idmap_nss man page shows some examples. If you use idmap_nss on both DC and server it should be consistent.

The other option is to use ldap for the idmap backend. See man idmap_ldap. Your PDC should create idmap entries. I found I had to then edit the entries to correct the uid or gid values to match the ldap user values. I then tried configuring the member servers to use the same ldap idmap backend, but read-only. It didn't really work and this was before the idmap_nss option was available. In the end I found it easier to convert some of my member servers to BDC's.

On 08/01/12 05:51, Philipp Felix Hoefler wrote:
> Hi List,
>
> I created a domain member server in my samba domain. I start to realize that there are some issues when colleagues could not access some folders in their shares. After searching for a solution I found that on that member server I have no samba groups available.
>
> First of all my setup:
>
> Domain controller: CentOS 6.2 x86_64, latest updates installed
> Samba 3.5.10 (from CentOS repo: samba-3.5.10-116.el6_2.x86_64)
> LDAP backend (OpenLDAP from CentOS repo: openldap-2.4.23-20.el6.x86_64)
>
> Domain member: exact same OS and versions as on domain controller, also with LDAP backend
>
> I followed the instructions from http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html (Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution) for adding the member server. (BTW: If anyone on this list has access to this guide: Paragraph 8: the "wbinfo --set-auth-user=" has been replaced with "net setauthuser")
>
> Both servers access the same LDAP directory for the linux accounts and for Samba incl. IDMAPs. Everything in this guide worked as described.
>
> "getent passwd" and "getent groups" work successfully on both servers (shows all entries from LDAP)
> "net rpc group list" shows all groups correctly on the PDC
> "net groupmap list" shows all group mappings correctly on the PDC
>
> On the member server though:
>
> "net rpc group list" only gives me Administrators and Users
> "net groupmap list" only gives me:
> Administrators (S-1-5-32-544) -> 16777216
> Users (S-1-5-32-545) -> 16777217
>
> I also tried to run winbind on the domain member, domain member+PDC and without winbind at all (We only have this one domain, do I even need winbind then? As I understood it would only be needed if I have multiple domains running. Is this correct?) But these commands always show me the same output on the member server.
>
> Should these commands even produce more output on domain members? Or is it just for PDCs?
>
> smb.confs from both servers are added at the end.
>
> Thanks in advance!
>
> best regards,
> philipp
>
> PS: some additional info on our folder sharing system: All users only connect to their home-share. Inside this share we add symbolic links to the allowed group shares of the user. These group share folders are owned by root, group is one of the (allowed) user groups. Directory mask is 770, group-sticky bit is set.
>
> smb.conf from PDC:
>
> [root@srvad1 samba]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section [netlogon]
> WARNING: The share modes option is deprecated
> Processing section [printers]
> Processing section [print$]
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
>
> [global]
>         workgroup = ATV
>         server string = SRVAD1
>         interfaces = 192.168.249.0/24, 127.0.0.1/8
>         passdb backend = ldapsam:ldap://192.168.249.7/
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         smb ports = 139
>         time server = Yes
>         unix extensions = No
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         printcap name = CUPS
>         add user script = /usr/sbin/smbldap-useradd -m
>         add group script = /usr/sbin/smbldap-groupadd -p %g
>         add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>         set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>         add machine script = /usr/sbin/smbldap-useradd -w %u
>         logon script = login.bat
>         logon path =
>         logon drive = U:
>         logon home = \\SRVFILE1\%U
>         domain logons = Yes
>         os level = 65
>         preferred master = Auto
>         domain master = Yes
>         dns proxy = No
>         wins support = Yes
>         ldap admin dn = cn=Manager,dc=at-visions,dc=com
>         ldap delete dn
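Several smb.conf fragments appear on this page (the ZENTRAL server's [global] with `password level=1`, the ldapsam PDC above, and the "unix password sync" setup described in the "Samba User authentication from external LDAP server" reply). The script below is an added example, not Samba's `testparm`; it parses smb.conf the way Samba reads it (`;` and `#` comments, parameter names matched case- and whitespace-insensitively, first `=` splits name from value) and reports the relationships the replies on this page describe: `unix password sync` without a `passwd program`, `passdb backend = ldapsam` without an `ldap admin dn` (so Samba cannot write users, machine accounts or password changes), a non-zero `password level` (which makes smbd accept upper-case variants of a plaintext password), `encrypt passwords = no`, and guest-accessible shares that are also writable. The configurations embedded in the block are constructed from the fragments on the page.

```python
"""Minimal smb.conf parser plus an audit of the settings discussed on this
page (added example, not Samba's testparm)."""

# Constructed from the ZENTRAL server's posted [global] and share sections.
SAMPLE_SHARE_CONF = """\
[global]
os level=65
password level=1
security=user
encrypt passwords=yes
workgroup=ourgroup
guest account=nobody
; max log size = 5000
wins support=yes

[ZENTRAL]
comment=Ablage ZENTRAL
path=/daten/ablagen/ZENTRAL
case sensitive=no
create mask=0770
valid users=@ZENTRAL
write list=@ZENTRAL
force group=ZENTRAL
"""

# Constructed: an ldapsam PDC that enables password sync but lacks the two
# parameters the replies say it needs.
SAMPLE_LDAP_CONF = """\
[global]
        workgroup = ATV
        passdb backend = ldapsam:ldap://192.168.249.7/
        unix password sync = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
"""


def parse_smb_conf(text: str) -> dict:
    """Return {section: {parameter: value}}. Section and parameter names are
    lower-cased and internal whitespace collapsed, matching Samba's lookup."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = " ".join(line[1:-1].lower().split())
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                      # stray line outside any section
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit(conf: dict) -> list:
    """Findings as human-readable strings; empty list means nothing flagged."""
    findings = []
    g = conf.get("global", {})
    level = g.get("password level", "0")
    if level.isdigit() and int(level) > 0:
        findings.append(f"password level = {level}: smbd also tries upper-case variants "
                        "of a plaintext password, so it no longer has to match exactly")
    if not _yes(g.get("encrypt passwords", "yes")):
        findings.append("encrypt passwords = no: only plaintext authentication is accepted")
    if _yes(g.get("unix password sync", "no")) and "passwd program" not in g:
        findings.append("unix password sync = yes without 'passwd program': "
                        "no command is run to update the Unix/LDAP password")
    if g.get("passdb backend", "").lower().startswith("ldapsam") and "ldap admin dn" not in g:
        findings.append("passdb backend = ldapsam without 'ldap admin dn': Samba cannot write "
                        "user, machine or password changes to LDAP")
    for name, share in conf.items():
        if name == "global":
            continue
        guest = _yes(share.get("guest ok", share.get("public", "no")))
        writable = (_yes(share.get("writable", share.get("writeable", "no")))
                    or not _yes(share.get("read only", "yes")))
        if guest and writable:
            findings.append(f"[{name}]: guest access combined with write access")
    return findings


if __name__ == "__main__":
    for label, text in (("ZENTRAL server", SAMPLE_SHARE_CONF), ("ldapsam PDC", SAMPLE_LDAP_CONF)):
        print(label)
        for finding in audit(parse_smb_conf(text)) or ["no findings"]:
            print("  -", finding)
```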
Re: [Samba] Samba and LDAP
You can use smbpasswd or pdbedit to add a samba user. Actually, if the LDAP user already exists the smbpasswd or pdbedit command adds various samba attributes. You should look at the LDAP properties of a user before and after you run the "smbpasswd -a" or "pdbedit -a" command. I like the Apache Directory Studio ldap editor/browser, although you can also use ldapsearch from the command line. You will see that the samba-enabled LDAP accounts have additional object classes and attributes.

I have Samba 3.x with an LDAP backend. Not all LDAP users are Samba users, since we use LDAP for other things besides samba. By default, samba expects that the ldap user already exists. However, it is possible for samba to be configured to automatically create and delete the ldap user.

On 07/31/12 08:18, rodrigo tavares wrote:
> Hello!
>
> I have a doubt. I have configured LDAP with Samba, and LDAP is running. But I can't log in to the domain. I changed the user's password with smbldap-passwd, but it's not sufficient to log in. Then I have to use "smbpasswd -a username", so I get authenticated in the domain with the user.
>
> Using smbpasswd - is it wrong?
>
> Thanks
>
> Rodrigo Faria Tavares
> Administrator System Linux
Re: [Samba] Phantom Domain Master Browser
In the /var/samba/locks directory you may have a browse.dat file or wins.* (if this is a WINS server) files that have incorrect info. You should be able to rename/backup these files and restart nmbd.

Is the phantom master browser a samba server or a Windows machine? The Samba DC normally should win browser elections but it is not always the case.

On 07/20/12 09:08, Robert Adkins II wrote:
> I brought up the old server and have been reviewing the log files. There is no indication of the phantom master browser existing in the old log files.
>
> --
> Regards,
> Robert Adkins II
> IT Manager/Buyer
> Impel Industries, Inc.
> 586-254-5800
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
> Sent: Friday, July 20, 2012 8:50 AM
> To: samba@lists.samba.org
> Subject: [Samba] Phantom Domain Master Browser
>
> There's a phantom domain master browser showing up in my Samba nmbd.log file. I keep thinking that maybe it is left over in one of the files that I transferred over from the old server to the new server and it isn't clearing itself out. Is there a way to clear that and is it possible to have a phantom browser fighting over the Domain from a copied over file?
>
> I transferred all of the Samba files found in /etc/samba to the new server. This was also an upgrade from Samba 3.2.7 to Samba 3.6.3. I have noticed some additional files in the /var/log/Samba directory as well as some additional files in the /etc/samba directory on the new server.
>
> --
> Regards,
> Robert Adkins II
> IT Manager/Buyer
> Impel Industries, Inc.
> 586-254-5800
Re: [Samba] Help infomation to build the system as Microsoft Active Directory !
Many of your questions should be answered on www.samba.org and wiki.samba.org. Samba4 provides Active Directory functionality. It is free - you don't have to pay for it, but there is the cost of your time.

On 07/24/12 08:08, Ha Minh Ai wrote:

Dear Mr/Madam,

We want to build a system for centralized management: user accounts, printers, policy, deploying software to clients, managing OS updates, Single Sign On. I know there is a similar system to Microsoft Active Directory, but we don't have a lot of dollars. Please help me answer the questions below:

- How is the solution (*OpenLDAP + Samba*) on Ubuntu, RHEL/CentOS or SUSE server?
- How many users can the system support at maximum?
- Could I build the system including a Primary Domain Controller Server and an Additional Domain Controller?
- Does Samba/OpenLDAP have a cost edition for enterprise? If yes, how is it different from the free edition?

I'm looking forward to support from you.

Thanks so much
Best regards,
Aihm
Re: [Samba] Samba 4 AD What's the difference between a Domain and a Forest
A forest contains one or more trees, with each tree containing one or more domains. In an AD, you need at least one forest. You would have additional branches if you needed a different top level DNS space. Domains are trusted and trusting. When you install active directory on a server it will ask if you are joining a domain, setting up a new domain in an existing tree, setting up a new tree (and domain) in an existing forest, or creating a whole new forest.

On 07/21/12 15:39, steve wrote:

Is a Forest more than one domain joined?

Cheers,
Steve
Re: [Samba] Strange behaviour of clients after changing Full Name via pdbedit
Are network drives handled by a login script? If the network script tries to use the username variable to map drives, changing the name could break something. Are these roaming profiles or local? For local profiles, the local profile name should match the user name. Did that change? Can you check the perms on the local profile directory?

On 07/23/12 08:23, Dr. Harry Knitter wrote:

Hallo,

after having changed the Full Name of a user via pdbedit, the user profile of this user is not loaded properly any more by the XP clients. So we renamed it back to the original Full Name and the profile could be loaded. However, something went wrong: all settings like network drives were gone. Then we restored the whole profile folder from backup (the user was logged out). Again, however, we got troubles. The situation didn't change. The profile was loaded but the settings were still gone. We had to restore the drives manually. In addition, the client now has only an English keyboard layout and there is no possibility to get the original German one back. There is nothing to see in the systray, nor can the classical view of the control panel be switched on to change the keyboard layout for this specific user. The local Admin can change everything and has the right keyboard layout.

We had to change the Full Name of this user because Windows 7 doesn't support Umlauts in Full Name and we want to move this user from XP to Windows 7 in the near future. Our samba version is 3.5.6 on a debian squeeze system.

Thanks in advance
Harry
Re: [Samba] Suggestions? Multiple servers/storages one domain
File storage and user authentication are (sort of) separate issues. I would generally avoid true standalone servers, and still use the domain authentication model as much as possible. The additional servers can be member servers or backup domain controllers.

I had trouble keeping user id mappings consistent on member servers (in my environment it is necessary that the id mapping is consistent between all domain controllers and key member servers). I found it was easier just to make sure that my key storage servers were also domain controllers. This is only two machines. Each domain controller is also an LDAP server. The LDAP servers are configured for replication. Each domain controller therefore uses its own LDAP server for the samba back end. (Note: I started with samba 3.0.x - newer releases may have simplified idmapping for member servers.)

When you configure a samba user, you can specify the absolute path to their profile directory and home directory.

    # pdbedit -Lv thisuser
    ...
    Home Directory:       \\server1\users\thisuser
    HomeDir Drive:        X:
    Logon Script:         logon.bat
    Profile Path:

    # pdbedit -Lv thatuser
    ...
    Home Directory:       \\server2\users\thatuser
    HomeDir Drive:        X:
    Logon Script:         logon.bat
    Profile Path:

I then use the login script to map the user's home directory drive letter to the appropriate home share. E.g.

    net use x: /delete /y
    net use x: %homeshare%

I believe windows batch files should also have the option to do something similar to "if member of group then ..." if you want to have different drive mappings for different groups. I don't use profiles in my network. You need to make sure that each DC has the same logon script files.

I also have a drive letter mapped to a top level Projects directory on one server. But then I use dfs links to redirect users to sub directories located on the 2nd server.

    server1# cd /export/Projects
    server1# ls -ld *
    drwxrwx---+ 37 root group1 42 May 18 09:00 Project1
    lrwxrwxrwx   1 root root   19 Feb 11  2011 Project2 -> msdfs:server2\Projects\Project2

On 07/06/12 07:55, Götz Reinicke wrote:

Hi,

currently we have one samba3x-3.5.10-0.109.el5_8 RH EL 5.8 PDC authenticating against our central LDAP server. This PDC also hosts the central fileserver storage for all our +- 600 users, some group shares and roaming profiles. The clients are OS X, Win XP and Win 7. We hope to have all XP 'killed' by the end of the year.

Furthermore we have a second stand alone samba server for some projects needing more space and with local smb users.

As we think about splitting up the central PDC storage and setting up another file storage too, I was researching the 'best' setup. I wanted to separate the two main user groups to use one server each, so the staff members get some more performance. But on the other hand I'd like to use our current setup as much as possible. So I hoped that there is some tutorial (there are so many ... :) luckily!) which describes a setup like we are looking for.

- We will still have one central LDAP and one domain to log in to.
- If users belong to staff, they have access to the profile and user files shared by server 1.
- If users belong to students, they have access to the profile and user files shared by server 2.
- Furthermore we have a third/++ BIG FILES server whose shares can be accessed by users in a user group but authenticated as well by the PDC.

Maybe someone can point me to some tutorials or give other advice and suggestions? I can't buy new e.g. 10G server/storage hardware, but can use some 'old' some-core-lots-of-RAM-1G systems.

Thanks a lot and best regards.
Götz
Re: [Samba] DNS issue.
Does your DNS server allow client machines to update? I can't speak for Samba 4, but with Windows 200x DC's it was simpler to temporarily allow DNS updates while adding a DC.

On 06/26/12 23:59, Pradeep Pal wrote:

Hi All;

Can anyone help me? I am facing a DNS related issue. This is my configuration:

    Centos 6.2 32bit OS
    samba4beta3
    bind-9.8.3-P1

First I configured samba4 as a domain controller. Then I configured another machine as an additional domain controller, with samba4. But when I run this command it gives errors.

    /usr/local/samba/bin/samba-tool drs showrepl
    Default-First-Site-Name\PDC
    DSA Options: 0x0001
    DSA object GUID: 56003cd3-d15b-4825-915f-37b9e2952f2a
    DSA invocationId: ec8a9ed7-ce1a-449e-8321-97c715375445

    INBOUND NEIGHBORS

    DC=DomainDnsZones,DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:51:47 2012 IST failed, result 2 (WERR_BADFILE)
            216 consecutive failure(s).
            Last success @ NTTIME(0)

    DC=ForestDnsZones,DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:51:47 2012 IST failed, result 2 (WERR_BADFILE)
            216 consecutive failure(s).
            Last success @ NTTIME(0)

    DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:51:47 2012 IST failed, result 2 (WERR_BADFILE)
            216 consecutive failure(s).
            Last success @ NTTIME(0)

    CN=Schema,CN=Configuration,DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:51:48 2012 IST failed, result 2 (WERR_BADFILE)
            216 consecutive failure(s).
            Last success @ NTTIME(0)

    CN=Configuration,DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:51:48 2012 IST failed, result 2 (WERR_BADFILE)
            216 consecutive failure(s).
            Last success @ NTTIME(0)

    OUTBOUND NEIGHBORS

    DC=DomainDnsZones,DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:54:11 2012 IST failed, result 2 (WERR_BADFILE)
            4 consecutive failure(s).
            Last success @ NTTIME(0)

    DC=ForestDnsZones,DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:54:12 2012 IST failed, result 2 (WERR_BADFILE)
            4 consecutive failure(s).
            Last success @ NTTIME(0)

    DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:54:12 2012 IST failed, result 2 (WERR_BADFILE)
            4 consecutive failure(s).
            Last success @ NTTIME(0)

    CN=Schema,CN=Configuration,DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:54:12 2012 IST failed, result 2 (WERR_BADFILE)
            4 consecutive failure(s).
            Last success @ NTTIME(0)

    CN=Configuration,DC=abc,DC=com
        Default-First-Site-Name\BDC via RPC
            DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
            Last attempt @ Wed Jun 27 08:54:12 2012 IST failed, result 2 (WERR_BADFILE)
            4 consecutive failure(s).
            Last success @ NTTIME(0)

    KCC CONNECTION OBJECTS

    Connection --
        Connection name: 251b24ae-5b5c-454a-834a-c2b3d7dc3f6f
        Enabled        : TRUE
        Server DNS name : pdc.abc.com
        Server DN name  : CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abc,DC=com
            TransportType: RPC
            options: 0x0001
    Warning: No NC replicated for Connection!

But when I add its numeric id in DNS _msdcs.abc.com with the additional domain controller name, it works. But after this I get a new error. Please help me to resolve this issue.

    /source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_NOT_SAME_DEVICE

This error shows in the additional domain controller log file...

Regards
Pradeep Pal
Re: [Samba] unable to log on to Samba shares remotely
When you say remotely, do you mean from another computer, or from another subnet?

If you recreated both samba accounts, and the two accounts behave differently, then the problem may be in the underlying unix account. Are the unix accounts defined in /etc/passwd?

I also find it interesting that the two users do NOT have user SID's that are sequential (or at least in a closer range). Are you using idmap to allocate? Can you run

    # wbinfo -n user1
    # wbinfo -n user2

This will show the user sids of the users.

    # wbinfo -s sid_of_user_one
    # wbinfo -s sid_of_user_two

The name-to-sid and sid-to-name assignment should match up. Also try the following

    # id user1
    # id YOURDOMAIN\user1    (if you are using winbind)
    # id user2
    # id YOURDOMAIN\user2

On 06/26/12 08:25, Claesen Dirk wrote:

Dear,

I have a working Samba 3.5.6 running on one of my servers onto which (existing) users can successfully log on. Recently, I needed to add some projects and some users, but I cannot succeed in letting these new users access the shares. The smb.conf file is very small and I had only 4 users until now. In the following smb.conf, projA_dirs is only accessed by user1, while projB_dirs is the new project I need to add and this one will be accessed by user2. user1 has been accessing projA_dirs for years without any problem; user2 is the one I fail to add.

Contents of smb.conf:

    [global]
        workgroup = TECH_GRP
        server string = Samba %v on (%h)
        log level = 3
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        dns proxy = No
        ldap ssl = no
        hosts allow = 192.168.5., 192.168.4., 192.168.3., 192.168.100.

    [all_dirs]
        comment = All directories on Server1
        path = /
        read only = No

    [projA_dirs]
        comment = All ProjectA directories on Server1
        path = /disk/projA/prod
        read only = No

    [projB_dirs]
        comment = All ProjectB directories on Server1
        path = /disk/projB/prod
        read only = No

The initial samba setup was a migration from a Samba 2 server which used the smbpasswd file. In order to convert this into a tdbsam, I used the command pdbedit -i smbpasswd -e tdbsam at the time I set up the server. As written earlier in this mail, this never caused any problems. Now that I need user2 to access projB_dirs, I did the following:

- Add projB_dirs to the smb.conf file
- Ran pdbedit -a user2 and provided the password

After having added the share and the user, I could access the new share with the new user when working directly on the Samba server (server1). However, when I try to connect from another Samba 3.5.6 server or from a Windows XP PC I get respectively a "session setup failed: NT_STATUS_LOGON_FAILURE" or "System error 1326 has occurred. Logon failure: unknown user name or bad password." error message. (There is no firewall blocking any ports between the servers or between the PC and server1.)

The output of pdbedit does not show any major differences for the two users to me:

    # ../bin/pdbedit -v -u user1
    Unix username:        user1
    NT username:
    Account Flags:        [UX ]
    User SID:             S-1-5-21-1956562905-4024769754-4182693708-1500
    Primary Group SID:    S-1-5-21-1956562905-4024769754-4182693708-513
    Full Name:            user1 server1
    Home Directory:       \\server1\user1
    HomeDir Drive:
    Logon Script:
    Profile Path:         \\server1\user1\profile
    Domain:               SERVER1
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          never
    Kickoff time:         never
    Password last set:    Tue, 26 Jun 2012 13:38:36 CEST
    Password can change:  Tue, 26 Jun 2012 13:38:36 CEST
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FF

    # ../bin/pdbedit -v -u user2
    Unix username:        user2
    NT username:
    Account Flags:        [UX ]
    User SID:             S-1-5-21-1956562905-4024769754-4182693708-1004
    Primary Group SID:    S-1-5-21-1956562905-4024769754-4182693708-513
    Full Name:            user2 server1
    Home Directory:       \\server1\user2
    HomeDir Drive:
    Logon Script:
    Profile Path:         \\server1\user2\profile
    Domain:               SERVER1
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          never
    Kickoff time:         never
    Password last set:    Tue, 19 Jun 2012 17:20:33 CEST
    Password can change:  Tue, 19 Jun 2012 17:20:33 CEST
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FF

Logging in with debug level 10 using smbclient from the other server gives me:

    ...
    got smb length of 35
    size=35
    smb_com=0x73
    smb_rcls=109
    smb_reh=0
    smb_err=49152
    smb_flg=136
    smb_flg2=51203
    smb_tid=0
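The comparison the reply asks for (matching domain SIDs, RID spacing, account flags, a name-to-SID round trip through wbinfo) and the home-drive mapping the storage thread earlier on this page relies on (a HomeDir Drive to go with each Home Directory) can both be checked from saved pdbedit output. The following is an added example, not Samba's code: it parses constructed `pdbedit -v -u` output for three accounts, runs those checks, and simulates the `wbinfo -n` / `wbinfo -s` round trip with two dicts standing in for the commands' results. The account names, the domain SID S-1-5-21-1111-2222-3333 and all dates are made up, modeled on the thread.

```python
"""Consistency checks over `pdbedit -v -u USER` output for several accounts,
plus a simulated wbinfo name<->SID round trip.

Added example, not Samba's code. All output below is constructed; the
domain SID S-1-5-21-1111-2222-3333 and the account names are made up.
"""
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_pdbedit(text):
    """'Field: value' lines -> dict. Split on the first ':' only, since values
    such as timestamps contain colons of their own."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def split_sid(sid):
    """Return (domain SID, RID) for a domain account SID."""
    m = DOMAIN_SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))


def check_accounts(accounts, max_rid_gap=100):
    """Return human-readable findings for a list of parsed accounts."""
    findings = []
    domains = {split_sid(a["User SID"])[0] for a in accounts}
    if len(domains) > 1:
        findings.append(f"accounts carry different domain SIDs: {sorted(domains)}")
    by_rid = sorted((split_sid(a["User SID"])[1], a["Unix username"]) for a in accounts)
    for (rid1, n1), (rid2, n2) in zip(by_rid, by_rid[1:]):
        if rid2 - rid1 > max_rid_gap:
            findings.append(f"RID gap between {n1} ({rid1}) and {n2} ({rid2}); "
                            "check how RIDs/idmap are allocated")
    for a in accounts:
        name, flags = a["Unix username"], a.get("Account Flags", "")
        if "D" in flags:
            findings.append(f"{name}: account disabled {flags}")
        if "U" not in flags:
            findings.append(f"{name}: not a normal user account {flags}")
        if a.get("Home Directory") and not a.get("HomeDir Drive"):
            findings.append(f"{name}: Home Directory set but no HomeDir Drive; "
                            "the logon script must map the drive itself")
    return findings


def wbinfo_roundtrip(name_to_sid, sid_to_name, domain, user):
    """Simulate `wbinfo -n user` then `wbinfo -s SID` and confirm the SID maps
    back to DOMAIN\\user. The two dicts stand in for the commands' output."""
    sid = name_to_sid.get(user)
    if sid is None:
        return False, f"wbinfo -n {user}: user unknown"
    expected = f"{domain}\\{user}"
    back = sid_to_name.get(sid)
    if back != expected:
        return False, f"wbinfo -s {sid} returned {back!r}, expected {expected!r}"
    return True, sid


def _account(name, rid, flags, drive, pwd_set):
    """Constructed pdbedit -v output for one account (subset of fields)."""
    return f"""\
Unix username:        {name}
NT username:
Account Flags:        {flags}
User SID:             S-1-5-21-1111-2222-3333-{rid}
Primary Group SID:    S-1-5-21-1111-2222-3333-513
Full Name:            {name} server1
Home Directory:       \\\\server1\\{name}
HomeDir Drive:        {drive}
Logon Script:         logon.bat
Profile Path:
Domain:               SERVER1
Password last set:    {pwd_set}
Password must change: never
Bad password count :  0
"""


SAMPLE_OUTPUT = [
    _account("user1", 1500, "[UX         ]", "", "Tue, 26 Jun 2012 13:38:36 CEST"),
    _account("user2", 1004, "[UX         ]", "X:", "Tue, 19 Jun 2012 17:20:33 CEST"),
    _account("svc_backup", 1005, "[DU         ]", "X:", "Mon, 04 Jun 2012 09:00:00 CEST"),
]

# Constructed stand-ins for `wbinfo -n` and `wbinfo -s` results.
NAME_TO_SID = {"user1": "S-1-5-21-1111-2222-3333-1500",
               "user2": "S-1-5-21-1111-2222-3333-1004"}
SID_TO_NAME = {"S-1-5-21-1111-2222-3333-1500": "SERVER1\\user1",
               "S-1-5-21-1111-2222-3333-1004": "SERVER1\\user2"}


def run_checks():
    """Findings for the sample accounts and round-trip results per user."""
    accounts = [parse_pdbedit(t) for t in SAMPLE_OUTPUT]
    findings = check_accounts(accounts)
    roundtrips = {u: wbinfo_roundtrip(NAME_TO_SID, SID_TO_NAME, "SERVER1", u)[0]
                  for u in ("user1", "user2", "user3")}
    return findings, roundtrips


if __name__ == "__main__":
    findings, roundtrips = run_checks()
    for f in findings:
        print("finding:", f)
    print("round trips:", roundtrips)
```

Against real systems, replace SAMPLE_OUTPUT with the captured text of `pdbedit -v -u` for each user and build the two dicts from the actual `wbinfo -n` and `wbinfo -s` output; a failed round trip or a mismatched domain SID is the kind of passdb/idmap inconsistency that produces NT_STATUS_LOGON_FAILURE for one user while another works.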
[Samba] Fwd: Trying to update samba
Typically, RPM's from RedHat or Fedora are pretty dependent on glibc and other system libraries. Newer versions of RedHat will have newer versions of glibc, so the official packages are often not compatible with older versions. Sernet may have precompiled RPM's that may be useful: http://sernet.de/en/samba/samba-3/ If not, you will probably need to compile from source. Or move to a newer version of RHEL.

Original Message
Subject: [Samba] Trying to update samba
Date: Tue, 26 Jun 2012 10:45:55 -0500 (CDT)
From: j...@brewtoncityschools.org
To: samba@lists.samba.org

I have a server running samba-3.0.9-1.3E.10, and I'm trying to update that so I can now add Windows 7 PCs to my network. The server is a Dell Poweredge 2850 running Red Hat Enterprise Linux EX release 3 (taroon update 8). It's also running Webmin version 1.580. I wanted to download the update as an .rpm, thinking it would be easier and I would be able to run it from my webmin command line. I went to http://rpmfind.net/linux/rpm2html/search.php?query=samba to get the .rpm. I wasn't sure which one to try so I tried a few. I would like to stay away from Fedora if possible. I ran the rpm from my command shell using the rpm -U command. That ended up giving me the error:

    error: Failed dependencies:
        libacl.so.1(ACL_1.0) is needed by samba-3.6.3-34.12.1
        libattr.so.1(ATTR_1.0) is needed by samba-3.6.3-34.12.1
        libc.so.6(GLIBC_2.11) is needed by samba-3.6.3-34.12.1
        libc.so.6(GLIBC_2.3.4) is needed by samba-3.6.3-34.12.1
        libc.so.6(GLIBC_2.4) is needed by samba-3.6.3-34.12.1
        libc.so.6(GLIBC_2.5) is needed by samba-3.6.3-34.12.1
        libc.so.6(GLIBC_2.6) is needed by samba-3.6.3-34.12.1
        libc.so.6(GLIBC_2.8) is needed by samba-3.6.3-34.12.1
        libgssapi_krb5.so.2(gssapi_krb5_2_MIT) is needed by samba-3.6.3-34.12.1
        libk5crypto.so.3(k5crypto_3_MIT) is needed by samba-3.6.3-34.12.1
        libkrb5.so.3(krb5_3_MIT) is needed by samba-3.6.3-34.12.1
        liblber-2.4.so.2 is needed by samba-3.6.3-34.12.1
        libldap-2.4.so.2 is needed by samba-3.6.3-34.12.1
        libnscd.so.1 is needed by samba-3.6.3-34.12.1
        libnscd.so.1(LIBNSCD_1.0) is needed by samba-3.6.3-34.12.1
        libpam.so.0(LIBPAM_1.0) is needed by samba-3.6.3-34.12.1
        libpam.so.0(LIBPAM_EXTENSION_1.0) is needed by samba-3.6.3-34.12.1
        libpopt.so.0(LIBPOPT_0) is needed by samba-3.6.3-34.12.1
        libtalloc.so.2 is needed by samba-3.6.3-34.12.1
        libtdb.so.1 is needed by samba-3.6.3-34.12.1
        libwbclient.so.0 is needed by samba-3.6.3-34.12.1
        samba-client = 3.6.3 is needed by samba-3.6.3-34.12.1
        rpmlib(PayloadIsLzma) = 4.4.6-1 is needed by samba-3.6.3-34.12.1

Then I tried rpm -U --nodeps. The new error message I received was:

    error: unpacking of archive failed: cpio: Bad magic

I'm not really familiar with this OS so any help would greatly be appreciated.
Re: [Samba] Fwd: Trying to update samba
If you don't want to spend money on RHEL, you can always look at CentOS (which is a clone of RHEL) or Fedora. I don't know if you can do an upgrade installation from RHEL to CentOS or Fedora. I think not. But since either OS will support the ext3 file system used by RHEL, you should be able to back up your configuration files and install RHEL or Fedora while preserving your data partitions. Note: I found out the hard way that Fedora does NOT necessarily support the same firmware raid drivers as RHEL. Make sure you have a backup of your data just in case.

On 06/26/12 13:01, j...@brewtoncityschools.org wrote:

Thanks. I'll check and see what a newer version of RHEL is going to cost me. I was thinking that was the problem. I'll also look into Sernet.

Thanks again
Re: [Samba] Two attempts required to join domain
You could put the machines in a sub container under people, or have people and computers as subs under user accounts. That way samba can search the entire accounts or people subtree, BUT you can restrict other LDAP services that use people to not be recursive.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Bill Arlofski
Sent: Sunday, June 17, 2012 4:16 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Two attempts required to join domain

bump

I'd prefer to not have to put machine accounts into the People OU for all the obvious reasons, but I may be forced to in order to make the end-user (e.g. our customer) experience a smooth one.

Any idea on what might cause the behavior I am seeing described on the 13th below?

Thanks for any help!

--
Bill Arlofski
Reverse Polarity, LLC

On 06/13/12 18:55, Bill Arlofski wrote:

Hi Everyone. I have run across an issue that is driving me crazy. This is a new deployment of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools v0.9.8.

When trying to join the domain, on the first attempt the machine account is properly created in the correct ou - e.g. ou=Computers,dc=domain,dc=local. But the "failed to join domain" pop-up with reason "The user name could not be found" is displayed (which really means the machine name was not found in LDAP) and of course the machine is not yet a domain member.

However, a 2nd attempt to join the domain with the same credentials, immediately after the failure, results in a "Welcome to the X domain" and the machine is now a domain member.

Setting the openldap slapd loglevel to 416 to show the queries during this process reveals the following:

On the 1st join attempt Samba searches the whole directory from dc=domain,dc=local with a scope of 2 (sub) for uid=MyMachine, objectClass=sambaSamAccount. It of course does not find it, so the smbldap-useradd script is called and the machine account is properly added to ou=Computers. Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local for the newly created machine account and of course does not find it. And the "failed to join domain" pop-up is displayed on the WinXP machine.

On the second join attempt, Samba _ONLY_ searches ou=Computers,dc=domain,dc=local, which is where it SHOULD search for machines as defined everywhere in my configs, and it finds the machine and the machine successfully joins the domain.

If I set all configs - samba, smbldap etc. - such that computers are in the People organizational unit, then joining the domain works on the first try, every time.

Also, if I un-join the domain but leave the machine account in LDAP in ou=Computers and then re-join the domain, this always works on the first try too, since Samba's initial scope 2 sub search of the directory starting at the top will find the machine account under ou=Computers.

Can someone offer guidance as to why during the new machine creation process (joining a domain) Samba does not look for the machine in the defined machines ou but always in the People ou?

Thank you in advance for any help on this!

--
Bill Arlofski
Reverse Polarity, LLC
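The three searches the slapd log revealed (sub from the suffix, sub from ou=People only, sub from ou=Computers only) are a matter of base DN and scope, so the behaviour can be replayed offline. The following is an added example, not Samba's or smbldap-tools' code: it models LDAP base/one/sub scope over a small constructed directory laid out as the original poster describes, shows which of the three searches find a machine account under ou=Computers, and then applies the reply's suggestion of nesting the Computers container under People. The DNs, account names and the machine name are made up; scope numbers follow LDAP (0 = base, 1 = one, 2 = sub).

```python
"""Replay the LDAP searches seen during the domain join against a small
constructed directory (DIT), with and without ou=Computers nested under
ou=People.

Added example, not Samba's or smbldap-tools' code. The DIT, DNs and
account names are made up; scope numbers follow LDAP (0=base, 1=one, 2=sub).
"""


def rdns(dn):
    """Split a DN into normalised RDNs. Escaped commas are not handled,
    which is enough for the constructed DNs used here."""
    return [c.strip().lower() for c in dn.split(",")]


def is_under(dn, base):
    """True if dn equals base or lies beneath it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def _values(x):
    return [] if x is None else (x if isinstance(x, list) else [x])


def ldap_search(dit, base, scope, **filt):
    """Return the DNs under `base` within `scope` whose attributes match
    every key=value in filt (multi-valued attributes match on any value).
    Matching is exact here; real LDAP uid matching is case-insensitive."""
    max_depth = {0: 0, 1: 1, 2: None}[scope]
    hits = []
    for dn, attrs in dit.items():
        if not is_under(dn, base):
            continue
        depth = len(rdns(dn)) - len(rdns(base))
        if max_depth is not None and depth != max_depth:
            continue
        if all(v in _values(attrs.get(k)) for k, v in filt.items()):
            hits.append(dn)
    return hits


def move_subtree(dit, old_base, new_base):
    """Re-parent every entry at or below old_base under new_base.
    A new DIT is returned; old_base must be spelled exactly as in the DNs."""
    moved = {}
    for dn, attrs in dit.items():
        if dn.endswith(old_base):
            dn = dn[: len(dn) - len(old_base)] + new_base
        moved[dn] = attrs
    return moved


def join_lookups(dit, machine, suffix="dc=domain,dc=local",
                 people="ou=People", computers="ou=Computers"):
    """The three lookups the thread observed, keyed by description."""
    want = {"uid": machine, "objectClass": "sambaSamAccount"}
    return {
        "suffix_sub": ldap_search(dit, suffix, 2, **want),
        "people_sub": ldap_search(dit, f"{people},{suffix}", 2, **want),
        "computers_sub": ldap_search(dit, f"{computers},{suffix}", 2, **want),
    }


SUFFIX = "dc=domain,dc=local"
# Constructed directory: the layout the original poster describes.
DIT = {
    SUFFIX: {"objectClass": ["dcObject", "organization"]},
    f"ou=People,{SUFFIX}": {"objectClass": "organizationalUnit"},
    f"ou=Computers,{SUFFIX}": {"objectClass": "organizationalUnit"},
    f"uid=alice,ou=People,{SUFFIX}": {
        "uid": "alice", "objectClass": ["posixAccount", "sambaSamAccount"]},
    f"uid=mymachine$,ou=Computers,{SUFFIX}": {
        "uid": "mymachine$", "objectClass": ["posixAccount", "sambaSamAccount"]},
}


def demo():
    """Lookups for the original layout, then with Computers nested under People."""
    before = join_lookups(DIT, "mymachine$")
    nested = move_subtree(DIT, f"ou=Computers,{SUFFIX}",
                          f"ou=Computers,ou=People,{SUFFIX}")
    after = join_lookups(nested, "mymachine$", computers="ou=Computers,ou=People")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, result in (("original layout", before), ("Computers under People", after)):
        print(label)
        for search, hits in result.items():
            print(f"  {search:14s} -> {hits or 'not found'}")
```

In the original layout only the people_sub lookup comes back empty, which is exactly the first-attempt failure in the thread; once ou=Computers sits beneath ou=People, a sub-scope search from ou=People finds the machine while a one-level search from ou=People still sees only user entries, which is the restriction the reply has in mind for other LDAP consumers.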
Re: [Samba] Samba 64 bit compilation
This is probably a compiler question rather than a Samba question. For GCC, I believe that you want to pass the -m64 flag in CPPFLAGS, CFLAGS and other environment variables.

On 06/15/12 08:44, prabu.muru...@emc.com wrote:

It is for Solaris 9 and 10 Sparc machines.

Thanks,
Prabu

-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com]
Sent: Thursday, June 14, 2012 2:49 AM
To: Murugan, Prabu; Samba
Subject: Re: Samba 64 bit compilation

Which platform? If on Solaris 10 sparc, GCC (either from Sun or sunfreeware.com) should be 64-bit by default. GCC from Sunfreeware for Solaris 10 x86 will compile 32-bit by default. For Solaris, you are better off using Sun Studio and Dmake. Actually, you are better off just using the compiled version from Oracle/Sun.

On 06/13/12 02:08, prabu.muru...@emc.com wrote:

Hi,

I have tried to compile samba 64 bit. By default it is compiling 32 bit. Google doesn't give much info about it. Please share your experience on 64bit samba.

Thanks,
Prabu
Re: [Samba] how to automount a kerberos cifs share
How about if you use NFS v4 with kerberos instead of CIFS?

On 06/13/12 14:58, steve wrote:

Hi

I have an automount map:

    *  -fstype=cifs,sec=krb5  ://server/share/

It works fine, but only if Administrator has tickets. I can't do that on every client! Is there any way I can store the Administrator key in a keytab and use that? Or any other solution?

Cheers,
Steve