Re: [Samba] [3.6.8] XP fails with error 1326

2013-10-07 Thread Gaiseric Vandal



Does the unix level nobody account exist?


Does it work with Win 7 clients?



On 10/07/13 11:08, Winfried wrote:

Hello

I've googled and experimented for the past few hours but am still stuck
trying to simply share a temporary directory in read-only with anyone on the
LAN.

Here's the smb.conf I'm using:
==
/etc/samba# cat smb.conf
[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
;log level = 1
;max log size = 1000
;read only = no
guest account = nobody

;[homes]
;browsable = no
;map archive = yes

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
;public = yes
==

Neither smbd nor nmbd show any error in the log files, so I guess things are
fine on this end.

But the share isn't displayed in XP's NetHood and net view returns this:
System error 1326 has occurred. Logon failure: unknown user name or bad
password.

Any idea what could prevent XP from reading the share?

Thank you.



--
View this message in context: 
http://samba.2283325.n4.nabble.com/3-6-8-XP-fails-with-error-1326-tp4654631.html
Sent from the Samba - General mailing list archive at Nabble.com.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
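A check for the question asked above (does the unix guest account exist, and which shares depend on it), written here as an added Python example rather than anything from the thread. It parses a constructed copy of the posted smb.conf and a constructed passwd snapshot, and additionally reports the "map to guest" setting, which the thread itself does not mention.

```python
import configparser

# Constructed sample input: the smb.conf posted in the thread (trimmed to the
# lines that matter) and a minimal /etc/passwd snapshot. Neither is read from disk.
SMB_CONF_SAMPLE = """\
[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
guest account = nobody

;[homes]
;browsable = no

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes
;public = yes
"""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""


def parse_smb_conf(text):
    """Parse smb.conf: ';' and '#' start comments; parameter names are case- and space-insensitive."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), interpolation=None, strict=False)
    cp.optionxform = lambda name: " ".join(name.lower().split())
    cp.read_string(text)
    return cp


def passwd_users(text):
    """Login names present in a passwd(5)-formatted text."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if line and not line.startswith("#")}


def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def global_section(cp):
    for name in cp.sections():
        if name.lower() == "global":
            return cp[name]
    return {}


def guest_shares(cp):
    """Shares that allow guest access ('guest ok' and its synonym 'public')."""
    return [s for s in cp.sections() if s.lower() != "global"
            and (is_yes(cp[s].get("guest ok", "no")) or is_yes(cp[s].get("public", "no")))]


def audit_guest_access(smb_conf_text, passwd_text):
    """Does the guest account exist as a unix user, and which shares rely on it?"""
    cp = parse_smb_conf(smb_conf_text)
    g = global_section(cp)
    guest_account = g.get("guest account", "nobody")       # Samba's compiled-in default
    map_to_guest = g.get("map to guest", "never").lower()  # Samba's documented default is Never
    users = passwd_users(passwd_text)
    shares = guest_shares(cp)
    problems = []
    if shares and guest_account not in users:
        problems.append(f"guest account '{guest_account}' is not a unix user, "
                        f"but guest shares {shares} rely on it")
    if shares and map_to_guest == "never":
        problems.append("map to guest = Never: a client that presents an unknown user name "
                        "or wrong password gets a logon failure (the error 1326 seen in the "
                        "thread) instead of being mapped to the guest account")
    return {"guest_account": guest_account, "guest_account_exists": guest_account in users,
            "guest_shares": shares, "map_to_guest": map_to_guest, "problems": problems}


if __name__ == "__main__":
    for key, value in audit_guest_access(SMB_CONF_SAMPLE, PASSWD_SAMPLE).items():
        print(f"{key}: {value}")
```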


[Samba] Fwd: RE: [3.6.8] XP fails with error 1326

2013-10-07 Thread Gaiseric Vandal




 Original Message 
Subject:RE: [Samba] [3.6.8] XP fails with error 1326
Date:   Mon, 7 Oct 2013 12:46:04 -0500
From:   JUAN EDUARDO DELGADILLO CHAVEZ j...@idec.edu.mx
To: gaiseric.van...@gmail.com



Re: [Samba] [3.6.8] XP fails with error 1326

Did you create the smb user and password?

You must create users with smbpasswd -a username to connect to the share

From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Monday, 07 October 2013 10:21 a.m.
To: samba@lists.samba.org
Subject: Re: [Samba] [3.6.8] XP fails with error 1326


Re: [Samba] Use LDAP for passwords ONLY

2013-10-03 Thread Gaiseric Vandal
If you have an existing LDAP structure, there will still be a separate 
field for the Windows password.


For samba 3.x, you can specify either a local backend or an ldap 
backend. You can not specify some attributes in ldap but not 
others. If you want to set up Samba to use an LDAP backend you will 
need to have some admin privileges on the LDAP server.


On 10/03/13 14:32, Garey wrote:

Donny Brooks dbrooks at mdah.state.ms.us writes:


Hello,

Am 03.10.2013 18:17, schrieb Garey:

I am trying to figure out if I can setup samba to verify only passwords
against LDAP and keep everything else local.

Can you be a bit more specific what you intend to do?

Regards,
Marc

I want all group and user info local on the samba server, but verify
passwords against LDAP. So the only thing LDAP is used for is verify the
password.

LDAP still will need a username to go with the password. Could you tell us
exactly why you want users local instead of in LDAP?

Large corporate LDAP server that keeps passwords. Just want to use it for
passwords so users don't have another one to keep track of. But I need to
control the users who can access the server and local groups that set their
rights to information.





Re: [Samba] TLS between winbind and openldap

2013-08-06 Thread Gaiseric Vandal
Did you try using LDAPS (LDAP over SSL, typically on port 636)? I 
can't speak specifically about it with winbind BUT I have found that in 
other situations LDAPS creates fewer headaches with CA cert issues.




On 08/06/13 05:27, thierry DeTheGeek wrote:

Hi,

I found a possible workaround to my issue myself. It seems to be working.

After reading one more time about ldap.conf I tried to export environment
variables to set my private key and my certificate.

This seems to be working on both debian 6 and debian 7:

I commented out TLS_KEY and TLS_CERT in /root/ldaprc and checked that
winbind cannot work with OpenLDAP in debug mode, as expected.

I edited /etc/defaults/winbind and added the following lines

export LDAPTLS_CERT=/etc/ssl/certs/omv-domain-local.crt
export LDAPTLS_KEY=/etc/ssl/private/omv-domain-local.key

I restarted winbind with the command line service winbind restart. Now
wbinfo -i user is working and I get an uid for the user.

I will check further to ensure there is no more related issue.



2013/8/5 thierry DeTheGeek detheg...@gmail.com


Hi,

I'm working hard to set up winbind and openLDAP to work together with TLS.

My network contains:
- a windows server 2008 R2 domain controller
- a debian 6 based file server (openmediavault v0.4) running OpenLDAP
2.4.23 and Samba v3.5.6
- a debian 7 computer running winbind 3.6.6

I want to let OpenLDAP store the SID to uid/gid mapping to ensure constant
uid and gid for users on all linux based computers and then use both CIFS
and NFS.

I'm trying to solve my issue on openmediavault (debian 6) only for now,
because I get the exact same issue when trying to establish communication
between winbind 3.6.6 (on debian 7) and OpenLDAP (on Debian 6).

I created a self signed certificate authority with openssl and created a
private key and a certificate for the file server. I used the same
certificate authority to create another key and certificate for my debian
7 computer.

OpenLDAP uses its key and is configured to check client certificates.
winbind on the same computer uses the same key and certificate to
communicate with openLDAP and is configured to check openLDAP's
certificate.

When running winbind in interactive debug mode everything is running fine
and wbinfo -i user is able to allocate a uid to the user. Another try
shows the uid assigned is effectively retrieved from openLDAP. The command
line I'm using to test winbind is: winbindd -F -i -d idmap:10. I tried
also to run openLDAP in debug mode with the command line slapd -d 1.

The logs produced show that openLDAP and winbind work together with
encryption in both directions.

When I run the winbind daemon with the command line service winbind start, the
TLS connection cannot be initiated and I cannot allocate a uid to any user
using wbinfo -i user.

Let's see the configuration files (domain name obfuscated):

##cn=config.ldif

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: e61f99ae-9076-1032-9144-9f2ad5621c65
creatorsName: cn=config
createTimestamp: 20130803105505Z
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateKeyFile: /etc/ssl/private/omv-domain-local.key
olcTLSCertificateFile: /etc/ssl/certs/omv-domain-local.crt
olcTLSVerifyClient: demand
entryCSN: 20130803125708.704922Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20130803125708Z

##smb.conf
#=== Global Settings ===
[global]
workgroup = DOMAIN
server string = %h server
include = /etc/samba/dhcp.conf
dns proxy = no
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = no
null passwords = no
local master = yes
time server = no
wins support = no
password server = *
realm = DOMAIN.LOCAL
security = ads
allow trusted domains = no

;
; samba 3.5.6 idmap configuration
;

idmap backend = ldap:ldap://omv.domain.local
ldap admin dn = cn=winbind-idmap,dc=domain,dc=local
ldap idmap suffix = ou=Idmap
ldap suffix = dc=domain,dc=local
ldap ssl = start tls
ldap debug level = 4
ldap debug threshold = 1

idmap uid = 16777216-5000
idmap gid = 16777216-5000
idmap config * : backend = ldap
idmap config * : ldap_url = ldap://omv.domain.local
idmap config * : ldap_anon = no
idmap 

Re: [Samba] UIDs/GIDs Mapping and Permissions in Samba

2013-08-01 Thread Gaiseric Vandal
I have never quite got uid/gid consistency working with member 
servers. My domain controllers use an LDAP backend so they don't 
have an issue. All the unix uid and gid info is also in LDAP. This 
keeps file permissions correct on the member servers when accessing from 
windows clients. However you can NOT manage the file permissions from 
windows. The existing permissions show up in windows as Unix\someuser 
or unix\somegroup. If you try to change permissions or add a domain 
user, the permissions don't stick. This limits the flexibility of member 
servers since users can only change permissions via a unix session.


This has been with samba 3.4.x and 3.5.x. My understanding of the 
documentation is that samba should be able to use the unix uid/gid info 
to create a consistent sid-to-uidNumber and sid-to-gidNumber mapping, 
but that hasn't been the case for me. I have tried to configure the 
member servers to look up the id mapping info from the PDC ldap server 
in read only mode. I haven't got it working yet but I think this is the 
way to go.





On 07/31/13 21:05, Chris Hayes wrote:

Hi,

I'm wondering how essential it is to ensure that Samba User/Group to
UIDs/GIDs mapping across various Samba servers remain consistent.

I realise that Samba uses the extended ACLs and also uses extended
attributes to store blobs of Windows ACL information; specifically the
reason for this is that Windows ACLs don't map 1:1 with POSIX ones.

Basically, I want to know more about which Samba uses, how much it
tries to keep the two in sync, etc. For example, a moment ago I
changed the POSIX ACLs on a file that already had a security.NTACL
blob in the extended attributes; and my change to the POSIX ACL didn't
show up in the Security Properties information for that file.

By far the best documentation that I've found so far is this thread,
which might be out of date now and still leaves me unsure; as this
suggests that the security.NTACL blob should have been updated.

https://lists.samba.org/archive/samba/2011-February/160799.html

For that specific test, I was running quite an old file server (Samba
3.4.7) because it was what I had installed on an old machine.

Any information would be greatly appreciated.

Kind regards,
--
Chris Hayes




Re: [Samba] nmbd is not running

2013-07-31 Thread Gaiseric Vandal
Can you show the ifconfig -a output on your server (or whatever the 
appropriate command is for your OS).


The bind failed on ... 255 suggests the IP of the server is set wrong.


On 07/31/13 05:17, Kevin Sha wrote:

Hi

I have a samba domain controller in my network, and recently I have changed
the netmask of the network. Since then nmbd is not working.


could you please help me to solve this issue




nmbd -i
nmbd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
standard input is not a socket, assuming -D option
bind failed on port 137 socket_addr = 172.17.255.255.
Error = Cannot assign requested address
nmbd_subnetdb:make_subnet()
Failed to open nmb bcast socket on interface 172.17.255.255 for port 137.
Error was Cannot assign requested address
ERROR: Failed when creating subnet lists. Exiting.

-
/etc/init.d/samba status
nmbd is not running ... failed!
smbd is running.



My samba configuration file
---

[global]
workgroup = KEVIN
netbios name = KEVINDC
server string = KEVIN Domain controller
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = lmhosts host wins bcast
unix extensions = No
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos %u
add group script = /usr/sbin/addgroup --force-badname %g
add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u
logon path =
logon home =
domain logons = Yes
os level = 33
preferred master = Auto
domain master = Yes
dns proxy = No
panic action = /usr/share/samba/panic-action %d

[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
share modes = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers




Thank you
kevin




Re: [Samba] nmbd is not running

2013-07-31 Thread Gaiseric Vandal
It looks like you are using a block of private class B's as a 
contiguous CIDR range including 172.16.x.x and 172.17.x.x


I played around with the IPs using various online subnet calculators

http://jodies.de/ipcalc?host=172.16.30.4&mask1=15&mask2=

Address:   172.16.30.4
Netmask:   255.254.0.0 = 15
Network:   172.16.0.0/15
Broadcast: 172.17.255.255
HostMin:   172.16.0.1
HostMax:   172.17.255.254


It looks to me like the broadcast address is wrong.


Or are you trying to treat 172.16.x.x and 172.17.x.x as separate class B 
subnets?



On 07/31/13 08:54, Kevin Sha wrote:


root@srv:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.17.30.4 Bcast:172.31.255.255 Mask:255.254.0.0
inet6 addr: fe80::bc27:29ff:fed3:c733/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48965895 errors:0 dropped:0 overruns:0 frame:0
TX packets:1460501 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1888712573 (1.7 GiB) TX bytes:785972618 (749.5 MiB)

eth0:1 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.3 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:2 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.5 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:3 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.6 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:4 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.17 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:5 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.8 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:6 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.30 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:7 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.4 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:8 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.6.10 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:9 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.6.11 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:10 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.18 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:11 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.20 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:12 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.21 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:13 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.29 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:14 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.6.13 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:15 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.2.0 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:16 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
inet addr:172.16.6.14 Bcast:172.31.255.255 Mask:255.254.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5532 errors:0 dropped:0 overruns:0 frame:0
TX packets:5532 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:369954 (361.2 KiB) TX bytes:369954 (361.2 KiB)



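The broadcast-address check the reply above walks through, as an added Python example (not code from the thread): it recomputes the network layout for the posted address and netmask, compares it with the Bcast value ifconfig reported, and parses the nmbd bind failure line to show that nmbd's target is the broadcast the mask implies. The ifconfig tuples and the log line are constructed from the output quoted in the thread.

```python
import ipaddress
import re

# Constructed sample data taken from the thread: (address, netmask, broadcast)
# as ifconfig printed them, and the line nmbd logged when it failed to bind.
IFCONFIG_SAMPLE = {
    "eth0":   ("172.17.30.4", "255.254.0.0", "172.31.255.255"),
    "eth0:1": ("172.16.2.3",  "255.254.0.0", "172.31.255.255"),
}
NMBD_LOG_SAMPLE = "bind failed on port 137 socket_addr = 172.17.255.255."


def expected_layout(addr, netmask):
    """Network, broadcast, first and last host address implied by addr/netmask."""
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    return (str(net.network_address), str(net.broadcast_address),
            str(net.network_address + 1), str(net.broadcast_address - 1))


def check_interface(addr, netmask, configured_bcast):
    """Does the broadcast address set on the interface agree with its netmask?"""
    network, bcast, _, _ = expected_layout(addr, netmask)
    consistent = ipaddress.IPv4Address(configured_bcast) == ipaddress.IPv4Address(bcast)
    return {"network": network, "expected_bcast": bcast,
            "configured_bcast": configured_bcast, "consistent": consistent}


def prefix_for_broadcast(addr, configured_bcast):
    """Longest prefix under which configured_bcast is the broadcast for addr, or None."""
    target = ipaddress.IPv4Address(configured_bcast)
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
        if net.broadcast_address == target:
            return prefix
    return None


def nmbd_bind_target(log_line):
    """Pull the address nmbd tried to bind its broadcast socket to out of its log line."""
    m = re.search(r"bind failed on port \d+ socket_addr = (\d{1,3}(?:\.\d{1,3}){3})", log_line)
    return m.group(1) if m else None


def audit(ifconfig=IFCONFIG_SAMPLE, log_line=NMBD_LOG_SAMPLE):
    """Per interface: does the kernel's broadcast match the mask, and does nmbd's target?"""
    bind_target = nmbd_bind_target(log_line)
    report = {}
    for name, (addr, mask, bcast) in ifconfig.items():
        r = check_interface(addr, mask, bcast)
        r["nmbd_bind_target"] = bind_target
        r["nmbd_agrees_with_mask"] = (bind_target == r["expected_bcast"])
        # The prefix that would make the configured Bcast correct (/12 for 172.31.255.255);
        # it differs from the /15 the netmask says, which is the inconsistency nmbd trips on.
        r["prefix_implied_by_bcast"] = prefix_for_broadcast(addr, bcast)
        report[name] = r
    return report


if __name__ == "__main__":
    for name, r in audit().items():
        print(name, r)
```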

Re: [Samba] ./configure LDAP checks failing on AIX

2013-07-30 Thread Gaiseric Vandal

You may also want to set LD_LIBRARY_PATH to include /usr/local/openldap/lib

On 07/30/13 02:31, Andrew Bartlett wrote:

On Thu, 2013-07-25 at 14:40 +, Gilles Pion wrote:

Samba version 4.0.7
Aix 6.1
Compiler: IBM xlc

Last lines of ./configure output:
Checking for ldap_init : not found
Checking for ldap_init_fd : not found
Checking for ldap_initialize : not found
Checking for ldap_set_rebind_proc : not found
Checking for ldap_add_result_entry : ok
Checking whether ldap_set_rebind_proc takes 3 arguments : ok
Active Directory support not available: LDAP support ist not available.
path/wscript:760: error: Active Directory support not found.
Use --without-ads for building without Active Directory support.


Reason (verified):
the generated test.c file used in configure checks doesn't have the required
ldap include:
#include <ldap.h>


I've not found a clean way to patch configure to fix this

Anyone able to help?

Where is ldap.h on your system?  It may be enough to just specify
CFLAGS=-I/usr/local/openldap/include ./configure

(if that is where ldap.h is).

If we have found ldap.h, it will be added to those tests.

Andrew Bartlett




Re: [Samba] NT4 clients

2013-07-30 Thread Gaiseric Vandal
For what it is worth -  it looks like NT4 does NOT use kerberos even 
with the Active Directory client installed.


http://www.petri.co.il/dsclient_for_win98_nt.htm#


Windows 2003 Active Directory had some compatibility with NT4 domain 
controllers. I don't think Samba 4 does. Your best bet may be to 
try putting the NT4 machine in a separate NT4/Samba 3 domain and 
establishing trusts. Or more realistically take it OUT of the domain 
and just create local user accounts with the same passwords as the network 
accounts.


The only legit reason I could see to be running NT4 is if it is 
managing a specialized piece of equipment (e.g. on a manufacturing 
floor.) In that case the machine(s) should be airgapped from any 
regular network with internet access. If you follow security news 
you can imagine why it is important to keep unpatched systems physically 
isolated from the internet or other networks.






On 07/30/13 05:33, Ryan Bair wrote:

Hi Andrew,

To clarify, it is the Win7 client sending the TGS request to the DC 
and the DC responds positively. I now have a more complete 
understanding of what's going on:


1. Win7 initiates a session with NT4. Nothing interesting.
2. Win7 sends the negotiate protocol response. Of note, we state that 
we support extended security.
3. NT4 responds that it does not support extended security. More 
precisely, when NT4 dinosaurs roamed the earth, that bit was likely 
still reserved.
4. Win7 issues a TGS request to the _DC_ to see if the host with that 
name really doesn't support extended security, or if the NT4 machine 
is trying to subject it to some sort of elaborate ruse. (i)

5. DC responds positively to the TGS req. (!!!)
6. Win7 closes the connection, and displays the error to the user.

i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx 
state:
<94> Section 3.2.5.2 
(http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94): 
When the server completes negotiation and returns the CAP_EXTENDED_SECURITY 
flag as not set, Windows-based SMB clients query the Key Distribution 
Center (KDC) to verify whether a service ticket is registered for the given 
security principal name (SPN). If the query indicates that the SPN 
is registered with the KDC, then the SMB client terminates the connection 
and returns an implementation-specific security downgrade error to the caller.


Since the Samba DC replies that the SPN is available (by fulfilling 
the request), I'm assuming we're triggering this documented behavior 
in the Win7 client.


Also of note, `klist` on the client has an entry for cifs/nt4test 
which `setspn -Q cifs/nt4test` confirms does not exist. I can't 
confirm the behavior in #5 is a bug, but it certainly seems suspect.


On Jul 30, 2013 1:07 AM, Andrew Bartlett abart...@samba.org wrote:


On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote:
 Yes, AD has explicit support for pre-2000 clients.

 WINS is alive and well and name resolution is working.

 I really think the bogus TGS reply is messing things up, but I'd like to
 have someone more knowledgeable confirm the behavior is incorrect.

NT4 doesn't know about Kerberos, I think any TGS traffic is highly
likely a red herring. Are you really sure the client is issuing it, and
you have no additional software installed on the NT4 machine?

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz






Re: [Samba] How to install a replacement PDC?

2013-07-29 Thread Gaiseric Vandal
Run the testparm -v to see full details, including defaults that may 
not have been explicitly specified in smb.conf.  You want to look 
out for the passdb backend value.  On samba 3.4 or later tdbsam is 
probably the only valid local option.  If you were using the smbpasswd 
file (text?) format on 3.0.x you may need to use the smbpasswd command 
to export / import to the TDB  (trivial data base) format.




With the old primary domain server running you should join the new 
machine to the domain as a member server (net join). The localsid on 
all DCs should match the domainsid. You can probably then make the 
new machine a DC by changing the smb.conf to allow domain logons and by 
changing the localsid to be the domain sid. Verify that the user 
accounts are the same on each DC with pdbedit -Lv. You may find that 
some accounts did not export properly.


Also make sure that each domain controller has the same group mappings 
(net rpc groupmap list?). From 3.0.x to 3.4 or later you may find you 
need to explicitly map some of the well known groups. You may also need to 
create an explicit nobody user in linux (and specify guest account 
= nobody in smb.conf).



Search for earlier post by me that cover DC migration and 3.0x to 3.4. 
upgrades.







On 07/29/13 11:24, sam...@nym.hush.com wrote:

Also, here are the 'global' sections from the 'testparm' command.

Existing Unix server

[global]
 workgroup = DDOMAIN
 server string = Samba Server PDC
 smb passwd file = /etc/smbpasswd
 log file = /usr/lib/samba/var/log.%m
 max log size = 50
 time server = Yes
 keepalive = 0
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 load printers = No
 disable spoolss = Yes
 logon script = %U.bat
 logon drive = G:
 domain logons = Yes
 os level = 64
 preferred master = Yes
 domain master = Yes
 dns proxy = No
 wins support = Yes
 hosts allow = 192.0.0., 127.


New Debian server

[global]
 workgroup = DDOMAIN
 server string = %h server (Samba %v)
 interfaces = 127.0.0.0/8, eth0
 bind interfaces only = Yes
 obey pam restrictions = Yes
 smb passwd file = /etc/smbpasswd  ### I added this, but the file doesn't exist
 pam password change = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 unix password sync = Yes
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1000
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 logon script = %U.bat
 logon drive = G:
 domain logons = Yes
 os level = 64
 preferred master = Yes
 domain master = Yes
 dns proxy = No
 wins support = Yes
 panic action = /usr/share/samba/panic-action %d




Re: [Samba] NT4 clients

2013-07-29 Thread Gaiseric Vandal
I wouldn't have even guessed that NT4 would join a modern AD domain. 
It looks like MS did provide client software to join a Windows 2000 AD 
domain. Or does the NT4 machine think it is in an NT4 / Samba3 type 
domain?



Presumably you can see the domain users in the local user manager 
program on the NT4 machine?   And verify the security options.


http://www.windowsnetworking.com/articles-tutorials/windows-nt/nt4user.html


Do you have a WINS server running? With XP/Windows 7 when you 
join an AD domain, the machine name usually gets set to a fully 
qualified domain name, e.g. mypc.mydomain.com. Does the host name 
of the NT4 machine match the expected AD fully qualified domain name 
(does nslookup ip_address on the NT4 machine return the expected 
hostname?) Are all machines in DNS? I think a hostname or dns 
mismatch could cause problems validating AD kerberos tickets.


I am running Samba 3, not 4, but found that using a WINS server and 
making sure key systems were in DNS helped solve some issues.







On 07/29/13 17:05, Ryan Bair wrote:

Oh, forgot to mention. Samba 4.0.7-4 Sernet packages running on CentOS 6.4.


On Mon, Jul 29, 2013 at 5:00 PM, Ryan Bair ryandb...@gmail.com wrote:


I'm attempting to get an old NT4 client participating in a Samba4 domain.
Users can logon to the machine locally and access network shares on other
machines in the network. However, no one can access shares on the NT4
machine using the machine name. Attempting this results in the error "The
account is not authorized to log in from this station". Using the IP
address does work however.

The clients are configured to allow no smb signing and NTLMv1, I think I
have all the security settings covered.

I noticed while looking at wireshark though that the client is doing
TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels
very odd to me since there is no such SPN cifs/nt4test on the network.
'setspn -Q cifs/nt4test' confirms this.

I've also noticed that the MS docs state:
<94> Section 3.2.5.2
(http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94):
When the server completes negotiation and returns the CAP_EXTENDED_SECURITY flag
as not set, Windows-based SMB clients query the Key Distribution Center
(KDC) to verify whether a service ticket is registered for the given security
principal name (SPN). If the query indicates that the SPN is registered with the
KDC, then the SMB client terminates the connection and returns an
implementation-specific security downgrade error to the caller.

The client does have CAP_EXTENDED_SECURITY set and I'm guessing the
TGS-REQ is how Windows is testing the presence of the SPN. Since the test
is succeeding and the server doesn't advertise the extended security
capability, Windows disconnects.

Can someone confirm my hypothesis?





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 3.6 issues

2013-07-17 Thread Gaiseric Vandal




When I upgraded from samba 3.0.x to 3.4.x I ran into several issues.

First of all, I would look through the logs. (They did not attach to
your message.) I would also run testparm -v in case some default
settings have changed. NTLM should be enabled. If you require NTLMv2
that may cause problems (I couldn't get it to work.)


1st, with idmap and domain trusts: With 3.0.x the idmap entries
for trusted users were automatically created but they would expire in a
week and have to be manually purged. With 3.4.x the idmap cache issue
was fixed BUT the entries were no longer auto created. I had to
manually add idmap entries in ldap for users in the trusted domain (only
5 or 6 anyway.)


Do you use idmap for assigning user ids for users in the primary domain? I
explicitly create user and group accounts. I would verify with
pdbedit -Lv username and pdbedit -Lv computername$ that the samba
accounts haven't lost their unix id and that everything looks OK.


I also found with 3.4.x (vs 3.0.x) that I needed to explicitly map
the guest user and group. This could affect the share permissions.
Generally I leave the share permissions unrestricted and rely on the
file system permissions for all the control.



Also make sure that the well known groups (e.g. Domain Users) look ok
with net groupmap list.


Multiple smbd processes is normal - there should be one for each connection.

I also found it is better not to specify ports in the smb.conf.
Although samba does not use 445 for data, windows clients NOT using
WINS may have problems connecting to samba servers if 445 is not
running.




On 07/17/13 03:57, wong lmark wrote:

Dear Samba Team,

There are three issues happening in my Samba 3.6.6

Issue 1: After the upgrade, when uploading a file which is more than 100mb to Samba, it
shows the error "File name too long cannot copy" in windows xp. Tried using 3
different PCs to upload different files of more than 100mb; it also fails to
transfer the file and shows the error. Tested uploading files which are 25mb
or 50mb; it is okay, no problem. Before upgrading to samba 3.6, I was using
samba 3.0.28.

Issue 2: Users could logon to the pc within the domain, but the network
drive could not be mapped from 15-7-16 after 18:00 around (e.g.
\\dc01\netlogon). And the network drive could not be mapped through the net use
command in windows xp. Also, the trust relationship with another domain
chb was lost. Attached the samba log and error screen capture for reference.

Issue 3: When entering the command service smb status, it shows many process
ids; is it normal?

Thanks for your help.

Here is my smb.conf:

[global]
workgroup = HB
server string = DC01
netbios name = DC01
interfaces = eth0
hosts allow = 10. 172. 127.0.0.1
 security = user
encrypt passwords = yes
unix password sync = no
socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
username map = /etc/samba/smbusers
admin users = root lh2 jos1
hide unreadable = yes
smb ports = 139

local master = yes
os level = 33
domain master = no
preferred master = yes

domain logons = yes
logon path =
logon home =
#logon path = \\%L\profiles\%U
#logon path = \\%L\%U\profiles
logon drive =
#logon home = \\%L\%U
#logon home = \\%L\homes
#logon script = %U.bat
logon script = %g.bat

wins support = yes
name resolve order = wins lmhosts host
dns proxy = no

add user script = /usr/sbin/smbldap-useradd -a -m %u
add machine script = /usr/sbin/smbldap-useradd -W %u
add group script = /usr/sbin/smbldap-groupadd -a -p %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u

passdb backend = ldapsam:ldap://127.0.0.1
ldap delete dn = yes
ldap ssl = no
;winbind nested groups = no

ldap suffix = dc=ch,dc=com
ldap admin dn = uid=edp,dc=ch,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap passwd sync = yes
ldap delete dn = no

log file = /var/log/samba/%m.log
log level = 5
max log size = 1

template shell = /bin/false
;winbind use default domain = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S

[netlogon]
comment = Network Logon Service
path = /home2/samba/netlogon
guest ok = yes
writable = no
share modes = no

[testing]
 path = /home2/test
 comment = testing
 writable = yes
 browseable = no
 create mode = 0770
 directory mode = 2770
 public = no
 valid users = @testing




Re: [Samba] i can figure out. is it config issue or bug. please help

2013-07-17 Thread Gaiseric Vandal

So do you really mean Samba 2.7 or do you mean Samba 3.2.7?




On 07/17/13 02:09, Muhammad Yousuf Khan wrote:

I am using samba 3.6.5 with winbind for active directory authentication.

There is a samba share folder named Filesharing and a plethora of folders
are inside it.
I have been using 2.7 stable for more than 2 years with no problem; however
after my hard disk failure I had to restore data to a new server and install
samba from zero. Fortunately or unfortunately samba has been updated in the
debian repository to 3.5.6

root@nas:/nas/backup# smbd -V
Version 3.5.6

All users including the owner user and group can see the shared file, but only
everyone/all users can not copy the file to their desktop or any other
location in windows 7; they receive permission denied
messages. However these are the same settings that I used to work with Samba
2.7 stable.


Even groups who do not have r-x permission can not copy data.
Same goes for everyone with r-x: no user can copy the data
until I give them rwx.

This wasn't happening previously.

Is there anyone who can help me in this regard?

Thanks,

MYK




Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

According to the net man page


   In order for Samba to be joined or unjoined remotely an account must be
   used that is either member of the Domain Admins group, a member of the
   local Administrators group or a user that is granted the
   SeMachineAccountPrivilege privilege.




The simplest thing is probably to have the Domain IT group be a member 
of the local admin group on each machine.  I don't know if you would 
need to grant them the  SeMachineAccountPrivilege.




On 07/17/13 09:44, Donny Brooks wrote:
  

  
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:
  

Hello Donny,

Am 12.07.2013 21:34, schrieb Donny Brooks:

On the old domain, which was setup before I got here,

   our IT section was in an ldap group that allowed us to
   join PC's to the domain ...

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions




   ... and when the prompt came up in windows to
   install software we could log in as ourselves.

What do you mean by this? Do you want to have a group of users
automatically in the administrator group on your workstations?

http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s

If you mean something else, please give some more details.



Regards,
Marc





  
Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.






Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

On 07/17/13 14:32, Donny Brooks wrote:
  
  
  
On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
  

According to the net man page


 In order for Samba to be joined or unjoined remotely an account must be
 used that is either member of the Domain Admins group, a member of the
 local Administrators group or a user that is granted the
 SeMachineAccountPrivilege privilege.




The simplest thing is probably to have the Domain IT group be a member
of the local admin group on each machine.  I don't know if you would
need to grant them the  SeMachineAccountPrivilege.



On 07/17/13 09:44, Donny Brooks wrote:
   

   
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:
   

Hello Donny,

Am 12.07.2013 21:34, schrieb Donny Brooks:

On the old domain, which was setup before I got here,

our IT section was in an ldap group that allowed us to
join PC's to the domain ...

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions




... and when the prompt came up in windows to
install software we could log in as ourselves.

What do you mean by this? Do you want to have a group of users
automatically in the administrator group on your workstations?

http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s

If you mean something else, please give some more details.



Regards,
Marc





   
Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.



  
Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html


And map our itgroup to the Domain Admins group. Although we do have a Domain 
Admins group in ldap. Should that cause an issue?


Group mapping is to make sure Windows groups map to the correct unix 
group.  This is not like mapping a Windows user name to a different 
unix user name (e.g Windows Administrator = Unix root.)


With LDAP, group mapping is usually simpler since the LDAP object for a 
group usually has the Samba SID and the unix group id. The net  
groupmap list command is useful for validating this.   You want to make 
sure that you do see group mapping for Domain Admins and Domain 
Users and other well known groups.  You are more likely to have to use 
the net groupmap add command when you don't have LDAP.



Well known groups have to have specific relative IDs. The domain admin
group HAS to have a relative ID of 512 in the SID. You have to make
sure the Administrator is in the group. That behavior changes with
versions newer than 3.0.x





# net groupmap list

Domain Admins (S-1-5-21--x-x-512) -> Domain Admins
...
# getent group "Domain Admins"
Domain Admins::512:Administrator
#


I don't think you have a samba issue. I think you have a general
windows issue about the most practical way to provide the IT group with
sufficient privileges to manage computers without giving too much access.



Depending on the size of your IT department, and the necessity to
audit/control who makes what change, each IT user may need two accounts,
one that is a regular account and one that is a member of the domain
admins and local admins group (e.g. donny and donny_admin.) This
way they can do whatever they need, but they don't run as admin for
routine tasks, and you can track who made what change (if need be) or
limit who has full admin rights.
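The checks described in the reply above (the Domain Admins mapping must carry RID 512 and Administrator must be a member of it), as an added shell example; this is not code from the thread or from Samba itself. It parses the text that `net groupmap list` and `getent group` print, but the samples embedded here are constructed: the SIDs, the `itgroup` mapping and the `donny_admin` member are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the well-known Samba group
# mappings, i.e. that "Domain Admins" carries RID 512 (Domain Users/Guests
# 513/514) and that Administrator is a member of Domain Admins.
# On a live server the input comes from `net groupmap list` and
# `getent group "Domain Admins"`; the samples below are constructed.

# Constructed sample of `net groupmap list` output (SIDs are made up).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nogroup
itgroup (S-1-5-21-1111111111-2222222222-3333333333-1005) -> itgroup'

# Constructed sample of `getent group "Domain Admins"` output.
SAMPLE_GETENT='Domain Admins:x:512:Administrator,donny_admin'

# rid_of_group NAME MAPPING_TEXT
# Prints the relative ID (last SID component) mapped for the Windows group
# NAME, or nothing if NAME has no mapping in MAPPING_TEXT.
rid_of_group() {
    printf '%s\n' "$2" | awk -v n="$1" '
        index($0, n " (S-1-5-21-") == 1 {
            sid = $0
            sub(/^[^(]*\(/, "", sid)   # drop everything up to the opening paren
            sub(/\).*$/, "", sid)      # drop the closing paren and the unix group
            nf = split(sid, parts, "-")
            print parts[nf]
            exit
        }'
}

# check_wellknown MAPPING_TEXT
# Returns 0 when the three well-known groups carry their fixed RIDs,
# 1 (with one stderr line per mismatch) otherwise.
check_wellknown() {
    rc=0
    for pair in "Domain Admins:512" "Domain Users:513" "Domain Guests:514"; do
        grp=${pair%%:*}
        want=${pair##*:}
        got=$(rid_of_group "$grp" "$1")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $grp maps to RID '${got:-none}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# group_has_member GETENT_LINE USER
# Returns 0 when USER appears in the member list (4th field) of a getent line.
group_has_member() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx "$2"
}

# Stand-alone run against the constructed samples. On a real server use:
#   check_wellknown "$(net groupmap list)"
#   group_has_member "$(getent group 'Domain Admins')" Administrator
check_wellknown "$SAMPLE_GROUPMAP" && echo "well-known group RIDs OK"
group_has_member "$SAMPLE_GETENT" Administrator && echo "Administrator is in Domain Admins"
```

Matching on the SID's last component rather than on the unix group name is deliberate: a mapping like `Domain Guests -> nogroup` is fine as long as the RID is right, which is exactly the property the reply says must hold.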








Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

On 07/17/13 15:02, Donny Brooks wrote:
  
  
  
On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
  

On 07/17/13 14:32, Donny Brooks wrote:
   
   
   
On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
   

According to the net man page


  In order for Samba to be joined or unjoined remotely an account must be
  used that is either member of the Domain Admins group, a member of the
  local Administrators group or a user that is granted the
  SeMachineAccountPrivilege privilege.




The simplest thing is probably to have the Domain IT group be a member
of the local admin group on each machine.  I don't know if you would
need to grant them the  SeMachineAccountPrivilege.



On 07/17/13 09:44, Donny Brooks wrote:



On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:


Hello Donny,

Am 12.07.2013 21:34, schrieb Donny Brooks:

On the old domain, which was setup before I got here,

 our IT section was in an ldap group that allowed us to
 join PC's to the domain ...

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions




 ... and when the prompt came up in windows to
 install software we could log in as ourselves.

What do you mean by this? Do you want to have a group of users
automatically in the administrator group on your workstations?

http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s

If you mean something else, please give some more details.



Regards,
Marc






Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.



   
Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html


And map our itgroup to the Domain Admins group. Although we do have a Domain 
Admins group in ldap. Should that cause an issue?

Group mapping is to make sure Windows groups map to the correct unix
group.  This is not like mapping a Windows user name to a different
unix user name (e.g Windows Administrator = Unix root.)

With LDAP, group mapping is usually simpler since the LDAP object for a
group usually has the Samba SID and the unix group id. The net
groupmap list command is useful for validating this.   You want to make
sure that you do see group mapping for Domain Admins and Domain
Users and other well known groups.  You are more likely to have to use
the net groupmap add command when you don't have LDAP.


Well known groups have to have specific relative IDs. The domain admin
group HAS to have a relative ID of 512 in the SID. You have to make
sure the Administrator is in the group. That behavior changes with
versions newer than 3.0.x




# net groupmap list

Domain Admins (S-1-5-21--x-x-512) -> Domain Admins
...
# getent group "Domain Admins"
Domain Admins::512:Administrator
#


I don't think you have a samba issue. I think you have a general
windows issue about the most practical way to provide the IT group with
sufficient privileges to manage computers without giving too much access.


Depending on the size of your IT department, and the necessity to
audit/control who makes what change, each IT user may need two accounts,
one that is a regular account and one that is a member of the domain
admins and local admins group (e.g. donny and donny_admin.) This
way they can do whatever they need, but they don't run as admin for
routine tasks, and you can track who made what change (if need be) or
limit who has full admin rights.





  


It is correctly mapped and is 512. Nothing changed on the windows side during 
the domain change other than removing the machines from the old domain and 
rejoining them to the new one. We don't have to have the accounting trail that 
two accounts would give us right now. I just want to be able to tell my other 
people they can join computers to the domain and perform software upgrades with 
their own credentials.



OK
I am looking at your original post again.  I don't think you said 
which version you had been using.


net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S 
enterprise -U superusername



Is the superuser name the domain Administrator account? The problem
seems to involve the superusername user, not the Domain Admins
group. I think with older versions of samba, the Administrator
account was implicit, and you could map the windows Administrator to
the unix root account and all was OK.

Re: [Samba] Administrative users on domain

2013-07-17 Thread Gaiseric Vandal

On 07/17/13 16:12, Donny Brooks wrote:
  
  
  
On Wednesday, July 17, 2013 02:39 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
  

On 07/17/13 15:02, Donny Brooks wrote:
   
   
   
On Wednesday, July 17, 2013 01:53 PM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
   

On 07/17/13 14:32, Donny Brooks wrote:



On Wednesday, July 17, 2013 10:11 AM CDT, Gaiseric Vandal gaiseric.van...@gmail.com wrote:


According to the net man page


   In order for Samba to be joined or unjoined remotely an account must be
   used that is either member of the Domain Admins group, a member of the
   local Administrators group or a user that is granted the
   SeMachineAccountPrivilege privilege.




The simplest thing is probably to have the Domain IT group be a member
of the local admin group on each machine.  I don't know if you would
need to grant them the  SeMachineAccountPrivilege.



On 07/17/13 09:44, Donny Brooks wrote:
 

 
On Saturday, July 13, 2013 04:43 AM CDT, Marc Muehlfeld sa...@marc-muehlfeld.de wrote:
 

Hello Donny,

Am 12.07.2013 21:34, schrieb Donny Brooks:

On the old domain, which was setup before I got here,

  our IT section was in an ldap group that allowed us to
  join PC's to the domain ...

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO/AD_Delegation#Delegating_.27Joining_Computers_to_the_domain.27-permissions




  ... and when the prompt came up in windows to
  install software we could log in as ourselves.

What do you mean by this? Do you want to have a group of users
automatically in the administrator group on your workstations?

http://community.spiceworks.com/how_to/show/2123-add-an-active-directory-group-to-the-local-administrator-group-of-workstation-s

If you mean something else, please give some more details.



Regards,
Marc





 
Yes, on the old domain we had all of our IT staff in a group that was able to join pcs to the domain and install software by inputting their domain credentials when prompted. Looking at the first link that is for Samba 4.X. We are on Samba 3.5.10 so that does not apply.




Looks like I need to do this here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html


And map our itgroup to the Domain Admins group. Although we do have a Domain 
Admins group in ldap. Should that cause an issue?

Group mapping is to make sure Windows groups map to the correct unix
group.  This is not like mapping a Windows user name to a different
unix user name (e.g Windows Administrator = Unix root.)

With LDAP, group mapping is usually simpler since the LDAP object for a
group usually has the Samba SID and the unix group id. The net
groupmap list command is useful for validating this.   You want to make
sure that you do see group mapping for Domain Admins and Domain
Users and other well known groups.  You are more likely to have to use
the net groupmap add command when you don't have LDAP.


Well known groups have to have specific relative IDs. The domain admin
group HAS to have a relative ID of 512 in the SID. You have to make
sure the Administrator is in the group. That behavior changes with
versions newer than 3.0.x




# net groupmap list

Domain Admins (S-1-5-21--x-x-512) -> Domain Admins
...
# getent group "Domain Admins"
Domain Admins::512:Administrator
#


I don't think you have a samba issue. I think you have a general
windows issue about the most practical way to provide the IT group with
sufficient privileges to manage computers without giving too much access.


Depending on the size of your IT department, and the necessity to
audit/control who makes what change, each IT user may need two accounts,
one that is a regular account and one that is a member of the domain
admins and local admins group (e.g. donny and donny_admin.) This
way they can do whatever they need, but they don't run as admin for
routine tasks, and you can track who made what change (if need be) or
limit who has full admin rights.





   


It is correctly mapped and is 512. Nothing changed on the windows side during 
the domain change other than removing the machines from the old domain and 
rejoining them to the new one. We don't have to have the accounting trail that 
two accounts would give us right now. I just want to be able to tell my other 
people they can join computers to the domain and perform software upgrades with 
their own credentials.


OK
I am looking at your original post again.  I don't think you said
which version you had been using.

net rpc rights grant 'MDAH\Domain Admins' SeMachineAccountPrivilege -S 
enterprise -U superusername



Is the superuser name the domain Administrator account? The problem
seems to involve the superusername user, not the Domain Admins
group. I think

Re: [Samba] 3.5.6 to 3.6.6: session setup failed

2013-07-12 Thread Gaiseric Vandal
Does pdbedit -Lv still show users? You want to verify that samba is 
able to access LDAP.







On 07/12/13 08:51, Thiago Parolin wrote:

Hi,
I think that someone has the solution for my problem! ;)
After I did the upgrade process on a samba server, from debian squeeze to
wheezy, the new samba version (3.6.6) is not working.
Searching on the web, there are many causes for this error, and I don't know
which is mine.
I can't connect with smbclient -L host -U ldapuser, which gives me the error
session setup failed: NT_STATUS_UNSUCCESSFUL


How can I fix this?




Re: [Samba] About NAS versus Samba

2013-07-12 Thread Gaiseric Vandal
With Samba 3.x (I think it was samba 3.4.x when we started deploying 
Windows 7)  I found that offline folders on Windows 7 broke offline 
authentication.



On 07/12/13 02:43, Jim Potter wrote:
I use a Netgear readynas1500 as a fileserver for my Samba3/ldap domain
which I've just upgraded to AD and it works fine in both cases (lots
of users, though with relatively few active connections). It runs a
bog standard Samba3 + winbind member server (NT or ADS) as far as I
can tell.


Having said that, the 2 shortcomings I have found are with windows 7
clients... troubles doing offline files (there are a bunch of tweaks,
but none work perfectly) and it doesn't work too well with the
libraries feature in win7 (it needs indexing of some sort that isn't
provided by samba I think)


BTW, would a Samba4 member server setup help with these issues? If it
did, I'd upgrade even if it did invalidate warranty...


cheers

Jim

On 11/07/2013 05:03, ferna...@lozano.eti.br wrote:

Hi Cris,


Hi there, Has anyone tried to configure a NAS server to authenticate
users using a Samba PDC, or even a Samba4 DC (AD-compatible) or an IPA
server?


not in a while, but I have done a samba 3 DC


This was not my question. I'm ok running samba 3 DCs. :-)

Have you ever configured a NAS so it would authenticate users from 
your Samba DC and them serve SMB file shares (aka network drives) to 
Windows desktops?




I'm evaluating replacing some Linux file server for a NAS product, but
all them make me nervous when the vendor talks about Active Directory
support and nothing else.


if 3rd party support is your concern, why are you using fedora instead of
RHEL?


Are you trying to sell me RHEL subscriptions or help me with my 
question? ;-) Anything wrong about asking about Fedora on a Fedora 
list, or any server issue is forbidden for Fedora users? ;-)


AFAIK it shouldn't matter, from a technical perspective, if the samba 
DC runs Fedora, Debian, Slackware, RHEL, SuSE, Ubuntu, Solaris, 
whatever. I am not talking about OS level FC drivers or iSCSI 
initiators. Either a NAS will be compatible with Samba3, Samba4, both 
or neither. This depends on the SMB and MSRPC features needed by the 
NAS, all them application level protocols, not kernel modules. If 
I'll need Red Hat support for managing this system is another, 
unrelated, question.


If the NAS vendors state they support RHEL, that's not the question
either, as supporting RHEL could mean the RHEL linux kernel smbfs and
cifsfs driver talks to the NAS, not the NAS talks to the Samba DC. Or
else, RHEL support may mean just that the NAS talks NFS and so a RHEL
machine can mount volumes from the NAS. That's not what I want.


Most times I see linux servers they are simply members of a MSAD 
domain, not the DC themselves. But mine are. All vendors I talked to 
assume MSAD, and don't know about Samba. :-(


Anyway Fedora is my desktop system and development workstation. The 
DC in question runs RHEL. But if this works I can try someday using 
Fedora or CentOS with the same (or other) NAS.




In theory, many NASes are Linux boxes running samba, so there
shouldn't be a problem, except if the web admin interface won't support
a samba DC setup and I won't have SSH access to configure the NAS samba
myself



a cheaper nas will probably use samba, but not all NASs do. there are
several commercial SMB/CIFS implementations out there.


At least iomega/lenovo/emc state their NAS runs Samba. And a lot of
less known vendors also. I'll buy a single, cheap NAS, not a high end
EMC rack full of boxes. :-)


But... will any NAS you know work with a Samba DC, or else, using an 
IPA server? Or will they only work with Microsoft Windows Server AD?


All vendors I contacted talk only about MS Active Directory. They 
don't even know about NT4-style domains, which would mean a Samba3 DC 
should work. Besides, AFAIK a Samba4 DC isn't supported by RHEL at 
all -- that's why I included IPA in my question -- I'd have to use 
Sernet packages for Samba4. Even then, Samba4 is very new, I don't 
know if a NAS implementation would accept it in place of a MSAD DC.


Most vendors talk to me about vmware, exchange and sql server
support. They offer me windows-only backup servers and the like. Some
even offer me SAP R/3 agents, while my ERP is another one. They can
only follow their standard script for windows shops. So I ask for the
collective knowledge from the Fedora and Samba lists... can anyone
tell me "I tried this NAS and it worked"? Or should I better forget
about this and keep using cheap intel boxes as file servers?


Am I the first linux sysadmin in the world who's considering having
a NAS replace some file servers but keeping his samba DCs?



[]s, Fernando Lozano






Re: [Samba] About NAS versus Samba

2013-07-11 Thread Gaiseric Vandal



On 07/11/13 11:50, Jeremy Allison wrote:

On Thu, Jul 11, 2013 at 08:01:20AM -0500, Chris Weiss wrote:

On Wed, Jul 10, 2013 at 11:00 PM, Jeremy Allison j...@samba.org wrote:

but not all NASs do. there are
several commercial SMB/CIFS implementations out there.

Sure, but none available to buy as a software-only
product to my knowledge. They all come with hardware
attached :-).

right, *I* can't buy the software, but a NAS vendor can license it for
a product that I can buy.

No, they all write their own these days. None available
to license as far as I'm aware.
I had a small iomega personal/workgroup NAS box (I think it was a
snapserver.) It did run linux but the samba version didn't work with
our samba 3.x PDC's. I think both were 3.0.x so it could have been
some issue with our samba implementation. It did work with a Windows
2003 AD but that wasn't much use. Some of the NAS's are now based
on Windows Server. But I don't think any vendor will talk about samba
compatibility (let alone promise it.) The Oracle/Sun NAS servers are
based on Solaris 11 or OpenSolaris.


Even if a NAS works with your current environment there is no guarantee
the vendor will provide patches to keep it working in the future as you
apply security fixes or patches to your samba servers. For samba
users implementing a NAS might not simplify things. If you were a
Windows-only shop then a NAS is probably great for a small site. I
would stick with a real linux/samba server - you then have complete
configuration control.



Re: [Samba] About NAS versus Samba

2013-07-11 Thread Gaiseric Vandal

On 07/11/13 12:29, Fernando Lozano wrote:

Hi,

what about the samba running on your NAS. I did a lot of NAS hacking
pointing a running samba/winbind config of the vendor to my nt-style
samba/ldap domain.

But if you do so be aware you are losing your support :-).
So if you can change the samba on your NAS you are up and running.
I don't have the NAS box yet. I wish advice on which one to buy based 
on compatibility with a Samba 3 PDC (or Samba 4 DC, or IPA).


Vendors I talked to tell me it won't work, I'd have to use Microsoft
AD. Knowing the Linux and Windows side (protocols, software) this
doesn't make sense to me, I'm guessing the sales people I talked to
simply don't know and don't want to learn.


And it's not easy to tell the boss I'll buy a somewhat expensive box 
(for a small business) just to hack and see if it'll work the way I 
want. :-(


It would help if you simply tell me which NAS you had success and 
which one was easier, out-of-the-box, or had to hack.



[]s, Fernando Lozano



It seems common that vendors (esp the sales guys) assume you are running
Windows 200x and AD. I think the logic is that "none of our customers
use linux so we won't support it". It becomes self-fulfilling when
anyone wanting something besides the basic Windows AD support looks for
other solutions.


Getting samba to work sometimes requires fiddling with protocol
versions, WINS and DNS. For example windows 7 won't work with Samba
3.x until you tweak the registry. You can probably put together a
price-comparable equivalent of the Buffalo using a white-box PC tower
and linux. You can even set up software raid. It is more likely
to work the way you want than a NAS box.



Re: [Samba] About NAS versus Samba

2013-07-11 Thread Gaiseric Vandal
If you use RAID you should either use a true hardware RAID (e.g. from LSI
or Adaptec) or true software RAID.  The firmware RAID (aka fake RAID)
included on some motherboards is just asking for trouble.  For the
price of the true hardware RAID card you might as well stick with
software RAID.


Hot swap bays for SATA disks that you can use with a tower PC are fairly cheap.

http://www.supermicro.com/products/accessories/mobilerack/CSE-M35T-1.cfm


Don't cheap out on the disks though.  Get 7200 RPM server or RAID disks.

I set up something on Solaris which gave me the benefits of ZFS.  If you
don't need the ZFS functionality I would stick with a Linux distro that
you are comfortable with.


Supermicro (and others) also have a range of whitebox towers and servers
that are cheaper than buying from Dell or HP.  Of course there is no
customer support or extended warranty.





On 07/11/13 12:59, Scott Lovenberg wrote:

On Thu, Jul 11, 2013 at 12:55 PM, Fernando Lozano
ferna...@lozano.eti.br wrote:


But you know, everyone buys NASes today, it's getting harder to explain a
common PC would be better. Here a server box with a RAID controller and
hot-swappable disk bays is way more expensive than an iomega NAS in a rack
form factor.


I've found the performance of those cheap NAS boxes (even the cheap
ones are relatively expensive) to be sub-par.  Most of them max out at
a few MB/second.  A reasonable set of hardware in a 2U with hot-swap
drives will absolutely smoke a cheap NAS and the price/performance
ratio is much better.  Plus, you can use ZFS/BTRFS/etc as your backing
store if you'd like on your own dedicated box.

--
Peace and Blessings,
-Scott.




Re: [Samba] Messed up SIDs: How to change machine SID?

2013-07-03 Thread Gaiseric Vandal

I have an LDAP backend.

In LDAP, the machine accounts for my windows and linux clients show
the same base SID as the domain SID (i.e. all but the last digits.)


However I also have the mismatch with net getdomainsid - which
definitely explains why they don't behave as I would expect.  You may
want to try fixing this with net setlocalsid.  I guess when you join a
unix or linux member server to the domain the localsid is not updated.


Re the BUILTIN groups you may want to explicitly map these to unix
groups rather than relying on winbind to do it.



e.g. I created unix groups

# getent group
Builtin Admins::544:
Builtin Users::545:
Builtin Guests::546:

Then mapped the well-known built-in Windows groups to the unix groups:


# net groupmap add ntgroup=Administrators unixgroup=544 sid=S-1-5-32-544 type=builtin
# net groupmap add ntgroup=Users unixgroup=545 sid=S-1-5-32-545 type=builtin
# net groupmap add ntgroup=Guests unixgroup=546 sid=S-1-5-32-546 type=builtin


# net groupmap list | grep -i builtin

Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users
Guests (S-1-5-32-546) -> Builtin Guests



The linux samba member servers I use mostly for IT use anyway so I never 
shook out all the bugs.





On 07/03/13 11:49, Marcus Mundt wrote:

Dear Samba Gurus,

I got the following errors:
tail -f /var/log/samba/log.wb-DOM1
[2013/07/02 15:49:19.990168,  2] winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
   name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED

log.smbd
[2013/07/02 15:40:51.809516,  2] auth/token_util.c:455(finalize_local_nt_token)
   WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind 
allocate gids?
[2013/07/02 15:40:51.811330,  2] auth/token_util.c:479(finalize_local_nt_token)
   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?


I guess the reason might be this:
net getdomainsid
SID for local machine M1 is: S-1-5-21-3981825222-1828954701-2606613544
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449

net getdomainsid
SID for local machine M2 is: S-1-5-21-2913448378-2543514743-1508345481
SID for domain DOM1 is: S-1-5-21-2762780445-1763757571-3541238449


Shouldn't the SIDs be the same except the last digits???

Cheers,
Marcus




Re: [Samba] file server or member server?

2013-07-01 Thread Gaiseric Vandal
On a very general level, a member server is joined to the domain so
that it can use the domain accounts.  A member server is typically
a file server but does not have to be (you could be using it as a web
server, or application server or even a workstation.)



A domain controller can be a file server, although in many cases a
domain controller will only provide authentication and logon
functions.  It does need to have file shares to provide access to
the logon scripts and profile directories used by Windows clients but
that doesn't really make it a file server.



A server that is not a member server or a domain controller is
considered to be a standalone server.  These concepts apply to
Windows/Samba domains whether you are running domains based on Samba 3,
Samba 4, Windows 200x or Windows NT.



On 07/01/13 04:27, steve wrote:

Hi everyone

What's the difference between a file server and a member server?

I have a 4.0.6 DC which is a file server for sysvol. I also have a 4.0.6
file server for the other folders which go out to the clients.

Do I have a member server? Or is a member server one upon which all
files are served from the DC?

Cheers, Steve
  





Re: [Samba] file server or member server?

2013-07-01 Thread Gaiseric Vandal
I don't think it necessarily makes it a member server BUT if it
isn't a member server it is going to be pretty useless for serving profiles.


I have not worked with Samba4 myself - I have worked with Samba 3 (and
Windows 200x AD, and NT4) so you may want to review the Samba 4
specific docs for basic config.  In Samba 3 a quick review of the
smb.conf file (or the output of testparm -v) will reveal the type of
setup.



Did you inherit these machines from someone else?




On 07/01/13 14:18, steve wrote:

On Mon, 2013-07-01 at 17:04 +0100, Jonathan Buzzard wrote:

On Mon, 2013-07-01 at 09:59 -0400, Gaiseric Vandal wrote:

[SNIP]


A domain controller can be a file server, although in many cases a
domain controller will only provide authentication and logon
functions.  It does need to have file shares to provide access to
the logon scripts and profile directories used by Windows clients but
that doesn't really make it a file server.

The profile directories can be located on a server other than a domain
controller.

Hi
Our profile directories are stored on what I call our file server. Does
that make it a member server?






Re: [Samba] file server or member server?

2013-07-01 Thread Gaiseric Vandal

Good explanation.  Better than mine.


I tend to think of the roaming profiles as part of the logon experience, 
since they sync with your computer when you logon. Actually, I found 
roaming profiles to be more trouble than they were worth so I don't use 
them anyway.




On 07/01/13 17:36, Jonathan Buzzard wrote:

On 01/07/13 19:56, steve wrote:

[SNIP]


Yes. We take stand alone machines and network them by adding a DC and
what we call a file server. What I'd like to know is why some guys here
call what seems to be what we call a file server, a member server. I
feel we're missing out on something.


In both NT4 style and AD domains you have servers called domain 
servers that serve identification information and provide 
authentication services. These servers may also do other things such 
as serve files, but it is the identification and authentication 
services that make them domain servers. Any server providing 
identification and authentication services is a domain server 
regardless of anything else it does.


You can then have other servers, such as file servers, print servers, 
web servers etc. that are joined to the domain, and thus you can use 
your domain credentials to authenticate to these servers, in the case 
of an AD domain using the Kerberos ticket you got when you logged onto 
your workstation. However crucially they don't provide identification 
or authentication services. These servers are called member servers.


With larger domains it makes sense to separate out your file and print 
servers from your domain servers, so that the domain servers are 
effectively only providing the identification and authentication 
services and your file and print services are handed off to dedicated 
machines for the task. There is no way a domain server is going to 
cope at a large University for example with tens of thousands of users.


This however is very basic Windows domain terminology/knowledge which 
I would expect anyone offering advice on Samba to fully understand first.


JAB.





Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-20 Thread Gaiseric Vandal
If I follow correctly the LDAP server is NOT in the domain?  The Samba
accounts should be using the SID of the Samba PDC not the SID of the
LDAP server.  This of course means that a Samba member server can't
use the same LDAP back end (at least for Samba authentication.)




Long and short - I found it easiest to have the LDAP server on the same
machine as the DC.  I have one PDC and one BDC (sometimes 2 BDCs.)
Each PDC uses its own ldap server and the ldap servers are configured for
replication.


The simplest solution may be to set the local and domain sid of the LDAP 
server to the same sid as the DC, and join the LDAP server to the domain 
as a DC.






On 06/20/13 04:26, Philipp Lies wrote:

Hi,

I'm trying to get my new samba server running for a few days now and I
start losing my mind over not figuring out what I'm doing wrong. Here's
my setup:

OpenLDAP 2.4.21 server with ~15 groups and 100 users, all having a unix
and a samba NT password stored in the LDAP as well as a User SID and
Primary Group SID assigned and stored in the LDAP, derived from the SID
of the LDAP Server.

Now I want several samba servers to use the LDAP server to authenticate
users.
One samba server is a CentOS 6.3 configured with NSS/PAM using the ldap
server. getent passwd/group returns all users and ssh to the samba
machine works for all users. Samba is v3.6.9-151.el6. Now here's the
smb.conf (I removed the shares):

 [global]
 workgroup = X
 security = user
 passdb backend = ldapsam:ldap://myldapserver
 ldap suffix = dc=mydomain,dc=com
 ldap admin dn = cn=replicator,dc=mydomain,dc=com
 ldap user suffix = ou=users
 ldap group suffix = ou=groups
 ldap machine suffix = ou=computers
 ldap ssl = start tls

The ldap connection works, as `pdbedit -L` shows

 pm_process() returned Yes
 smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=SAMBAHOSTNAME))]
 StartTLS issued: using a TLS connection
 smbldap_open_connection: connection opened
 ldap_connect_system: successful connection to the LDAP server
 The LDAP server is successfully connected
 smbldap_search_paged: base = [dc=mydomain,dc=com], filter =
[(&(uid=*)(objectclass=sambaSamAccount))],scope = [2], pagesize = [1024]
 smbldap_search_paged: search was successful
 sid S-1-5-21-[LDAPSID]-5168 does not belong to our domain

and then the last message repeats for all uids.
Using `smbclient -L localhost -U someid` the log file says:

 check_ntlm_password:  Checking password for unmapped user
[XXX]\[someid]@[SAMBAHOST] with the new password interface
 check_ntlm_password:  mapped user is: [SAMBAHOST]\[someid]@[SAMBAHOST]
 StartTLS issued: using a TLS connection
 smbldap_open_connection: connection opened
 ldap_connect_system: successful connection to the LDAP server
 The LDAP server is successfully connected
 init_sam_from_ldap: Entry found for user: someid
 Home server: SAMBAHOST
 Home server: SAMBAHOST
 init_group_from_ldap: Entry found for group: 1011
 init_group_from_ldap: Entry found for group: 1011
 Primary group S-1-5-21-[LDAPSID]-1000 for user someid is a UNKNOWN
and not a domain group
 Forcing Primary Group to 'Domain Users' for someid
 ntlm_password_check: Checking NTLMv2 password with domain [CIN]
 sam_account_ok: Checking SMB password for user someid
 The primary group domain sid(S-1-5-21-[LOCALSID]-513) does not match
the domain sid(S-1-5-21-[LDAPSID]) for someid(S-1-5-21-[LDAPSID]-5708)
 check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
 check_ntlm_password:  Authentication for user [someid] -> [someid]
FAILED with error NT_STATUS_UNSUCCESSFUL

What I see here is that the samba server does not recognize the primary
group of the user (which is an existing group in the LDAP) and therefore
maps the primary group to its local Domain Users group which then
obviously does not match the domainSID of the userid.
But why doesn't the samba server recognize the group? Or is there a
different underlying problem?


What I tried so far:

Changing the SID of the samba server to the SID of the LDAP server, but
`net setlocalsid S-...` did not change the local SID. No error message,
just executed successfully but getlocalsid returned the old SID.

Setting the domainsid of the samba server to the SID of the ldap server.
`net setdomainsid S-...` was successful but the samba server still
refuses to authenticate the users.

Tried adding the server to the domain with `net join XXX` but the answer
was just standalone server cannot join domain.

I tried to run `smbpasswd -a` to add the user to the local samba db
(even though this would not be an option for the final solution, but
that's what other users recommended), but the error didn't change.

How can I either tell samba to ignore the domain SID mismatch or force
samba to have the same SID as the LDAP? Or would this cause 

Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-20 Thread Gaiseric Vandal

OK.  I understand (at least a little better.)

So the correct behaviour would be for the standalone workgroup machines
to say "I don't know who DOMAIN/user1 is, so I will map to local
user1."  The standalone servers should be using LDAP for unix
accounts but I don't think you really should use the common LDAP backend
for samba accounts.  You would need to use smbpasswd or pdbedit to
create local samba users on each member server, which means the member
servers would each use a local tdb database not ldap for samba.


If you want to centralize the samba accounts I think the proper way 
would be to  use member servers.



That being said, if the current set up is working on some machines but
not others, I would run testparm -v on each domain member and see if
there are differences in mapping behavior.  Different OSes may have
slightly different versions of samba and the default smb.conf parameters
may have changed.  Also run net groupmap list on each member server.
You may need to explicitly set group mappings for key windows groups
(i.e. the group sid maps to a unix group.)




e.g.
# net groupmap list
...
Administrators (S-1-5-32-544) -> Builtin Admins
Users (S-1-5-32-545) -> Builtin Users

# getent group "Builtin Admins"
Builtin Admins::544:




On 06/20/13 10:40, Philipp Lies wrote:

On 20.06.2013 15:04, Gaiseric Vandal wrote:
If I follow correctly the LDAP server is NOT in the domain?   The 
Samba accounts should be using the SID of the Samba PDC not the SID 
of the  LDAP server. This of course means that a Samba member 
server can't use the same LDAP back end (at least for Samba 
authentication.)
The LDAP server is the PDC, however, there are no domain members. All 
my samba servers are standalone servers which are not domain members. 
This seems to work nicely with my debian machines but not the centos 
ones.










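The "Messed up SIDs" thread earlier on this page and this one hinge on the same rule: an account or group belongs to a domain only when its SID is the domain SID with one more sub-authority (the RID) appended, which is what "the same except the last digits" means. The Python below is an added example written for this page; it is not code from the posts, from Samba or from any of the posters. It parses SIDs, classifies BUILTIN aliases (S-1-5-32-544 and friends) against domain SIDs, reproduces the decision behind the "primary group domain sid(...) does not match the domain sid(...)" log line, and reads net getdomainsid output for a given server role. All SIDs are constructed; the [LDAPSID] and [LOCALSID] placeholders from the posted log are replaced by made-up values. One fact worth keeping in mind when reading that output: only a domain controller must report a local machine SID equal to the domain SID; a domain member or standalone server has its own local SID by design.

```python
"""
SID consistency checks for a Samba 3 domain (ldapsam backend).

Added example for this page, not code from the list posts or from Samba.
Every SID below is constructed; [LDAPSID] and [LOCALSID] from the posted
log are replaced by made-up sub-authority values.
"""
import re
from typing import NamedTuple, Optional, Set

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

RID_DOMAIN_USERS = 513          # well-known RID of "Domain Users"
BUILTIN_PREFIX = "S-1-5-32"     # BUILTIN aliases live outside every domain
BUILTIN_ALIASES = {544: "Administrators", 545: "Users", 546: "Guests"}


class Sid(NamedTuple):
    prefix: str   # everything up to the last sub-authority
    rid: int      # the last sub-authority (relative identifier)


def parse_sid(text: str) -> Sid:
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    if not _SID_RE.match(text):
        raise ValueError(f"not a SID: {text!r}")
    prefix, _, rid = text.rpartition("-")
    return Sid(prefix, int(rid))


def is_domain_sid(text: str) -> bool:
    """A domain SID is S-1-5-21 followed by exactly three sub-authorities."""
    return _DOMAIN_SID_RE.match(text) is not None


def belongs_to_domain(account_sid: str, domain_sid: str) -> bool:
    """'Same except the last digits': account SID == domain SID + '-' + RID."""
    if not is_domain_sid(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return parse_sid(account_sid).prefix == domain_sid


def classify(sid_text: str, domain_sid: str) -> str:
    """'builtin:<alias>', 'domain' or 'foreign' (pdbedit's 'does not belong to our domain')."""
    sid = parse_sid(sid_text)
    if sid.prefix == BUILTIN_PREFIX:
        return "builtin:" + BUILTIN_ALIASES.get(sid.rid, str(sid.rid))
    return "domain" if sid.prefix == domain_sid else "foreign"


def effective_primary_group(primary_group_sid: str, known_domain_groups: Set[str],
                            server_sam_sid: str) -> str:
    """
    The primary group smbd ends up using.  If the stored sambaPrimaryGroupSID
    cannot be resolved as a domain group, smbd logs "Forcing Primary Group to
    'Domain Users'" and substitutes <its own SAM SID>-513.  On a standalone or
    member server that SAM SID is the local machine SID, which is how the
    posted log ends up with [LOCALSID]-513.
    """
    if primary_group_sid in known_domain_groups:
        return primary_group_sid
    return f"{server_sam_sid}-{RID_DOMAIN_USERS}"


def check_logon(user_sid: str, primary_group_sid: str, known_domain_groups: Set[str],
                server_sam_sid: str) -> Optional[str]:
    """None if a token can be built, else the reason in the words of the posted log."""
    user = parse_sid(user_sid)
    group_sid = effective_primary_group(primary_group_sid, known_domain_groups, server_sam_sid)
    if parse_sid(group_sid).prefix != user.prefix:
        return (f"The primary group domain sid({group_sid}) does not match "
                f"the domain sid({user.prefix}) for {user_sid}")
    return None


def check_dc_sids(role: str, local_sid: str, domain_sid: str) -> Optional[str]:
    """
    Read 'net getdomainsid' output for a server of role 'dc', 'member' or
    'standalone'.  Only a DC must report local SID == domain SID; a member or
    standalone server keeps its own local SID, so a difference there is expected.
    """
    if role == "dc" and local_sid != domain_sid:
        return "DC local SID differs from domain SID; fix with net setlocalsid"
    return None


# Constructed sample mirroring the posted situation after 'net setdomainsid':
LDAP_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # [LDAPSID]
LOCAL_SID = "S-1-5-21-4444444444-5555555555-6666666666"         # [LOCALSID]
USER_SID = f"{LDAP_DOMAIN_SID}-5708"
USER_PRIMARY_GROUP = f"{LDAP_DOMAIN_SID}-1000"

if __name__ == "__main__":
    # Standalone server: SAM SID is the local SID and the group is unresolvable.
    print(check_logon(USER_SID, USER_PRIMARY_GROUP, set(), LOCAL_SID))
    # Same user on a server whose SAM SID is the LDAP domain SID.
    print(check_logon(USER_SID, USER_PRIMARY_GROUP, set(), LDAP_DOMAIN_SID))
```

Run as a script it prints the mismatch message for the standalone case and None for the DC case; the point is that the failure is not in the user entry but in which SID smbd substitutes for an unresolvable primary group, which is why setting the domain SID alone did not help on a standalone server.

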
Re: [Samba] Problems when saving AutoCAD files

2013-06-20 Thread Gaiseric Vandal

Is this on all saves?  Can you do a "save as" and create a new doc?

I had an issue with Office 2003 on Samba 3.0.x, Solaris 10 with a ZFS
file system.  For the first 6 saves the MS app would modify the file.
Every 7th (?) save MS would delete the file and write a new one.  The
problem would be that MS would try to set file permissions - most apps
would just let the OS handle the file permissions.  Users had the
appropriate permissions to create and delete files but not modify ACLs.


This had not been an issue with the older UFS file system.  In terms
of how samba and UFS played together, the unix file perms were the
classic ugo / rwx.  The ZFS ACLs are closer to the Windows ACLs than
UFS ACLs were.



I am guessing if AutoCAD is the only app affected then AutoCAD is trying
to write out some more complex file permissions.  I haven't
worked with samba 4.  Can you adjust acl options in samba config?



On 06/20/13 17:15, Santiago Pestarini wrote:

2013/6/14 Santiago Pestarini santiago...@gmail.com:

Hi!
I was searching for info about this issue and found almost nothing.
So, let's go directly to the matters...

- Problem:
AutoCAD says You do not have permission to save to this location.
when trying to save the file in the samba share dir.
(This problem only occur with AutoCAD.)

- Scenario:
Running AutoCAD on a WinXP/Win7 PC, opening a DWG AutoCAD file from a
samba share dir on a Zentyal Linux server.

I have Samba 4.0.5 running in my Zentyal 3.0.21, both recently updated.

- smb.conf contents:
[global]
 workgroup = ESTUDIO
 realm = ESTUDIO.LAN
 netbios name = zentyal
 server string = Zentyal File Server
 server role = dc
 server role check:inhibit = yes
 server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate
 server signing = auto

 interfaces = lo,eth0
 bind interfaces only = yes

 log level = 3
 log file = /var/log/samba/samba.log

 guest ok = yes
 map to guest = bad user
 guest account = nobody
 auth methods = guest sam_ignoredomain


[profiles]
 path = /home/samba/profiles
 browseable = no
 read only = no

[netlogon]
 path = /opt/samba4/var/locks/sysvol/estudio.lan/scripts
 browseable = no
 read only = yes

[sysvol]
 path = /opt/samba4/var/locks/sysvol
 read only = no

[homes]
 comment = Directorios de usuario
 path = /home/%S
 read only = no
 browseable = no
 create mask = 0611
 directory mask = 0711
 vfs objects = acl_xattr full_audit scannedonly recycle

# Shares
[expedientes]
 comment = Expedientes
 path = /home/samba/shares/expedientes
 browseable = Yes
 read only = No
 force create mode = 0660
 force directory mode = 0660
 vfs objects = acl_xattr full_audit scannedonly recycle



Also read this where Autodesk washes their hands, blaming the server,
the client, the network, etc:
http://forums.autodesk.com/t5/Installation-Licensing/Unable-to-save-drawing/td-p/72075

Please Help!

What about this?
Did I make some mistake in my question?
Please, can someone throw me anything?

I really need some help...



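Two things in the posted smb.conf decide what a client can actually do, and neither is visible from the share section alone. First, the mode of a file Samba creates is (requested mode AND create mask) OR force create mode, and for a directory (requested mode AND directory mask) OR force directory mode, with Samba's defaults of 0744, 0755 and 0000 wherever the config is silent. Second, guest ok is a share-level parameter, so putting it in [global] makes it the default for every share, and with map to guest = bad user any username that does not exist is mapped to the guest account. The Python below is an added example for this page, not Zentyal or Samba code; the config text is a trimmed, constructed copy of the one in the post. It computes the effective create modes and lists the shares a guest-mapped session could write to at the share level (filesystem ACLs and the DOS attribute mapping, e.g. map archive adding an owner execute bit, are deliberately left out).

```python
"""
What the posted smb.conf actually grants: effective create modes and
guest-writable shares.  Added example for this page, not Samba or
Zentyal code; SMB_CONF is a trimmed, constructed copy of the posted file.
"""
from typing import Dict, List

SMB_CONF = """\
[global]
    workgroup = ESTUDIO
    server role = dc
    guest ok = yes
    map to guest = bad user
    guest account = nobody

[netlogon]
    path = /opt/samba4/var/locks/sysvol/estudio.lan/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /opt/samba4/var/locks/sysvol
    read only = no

[homes]
    path = /home/%S
    read only = no
    browseable = no
    create mask = 0611
    directory mask = 0711

[expedientes]
    path = /home/samba/shares/expedientes
    read only = No
    force create mode = 0660
    force directory mode = 0660
"""

# Samba's own defaults for the parameters this example needs.
DEFAULTS = {
    "guest ok": "no",
    "read only": "yes",
    "create mask": "0744",
    "directory mask": "0755",
    "force create mode": "0000",
    "force directory mode": "0000",
}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value', '#'/';' comments."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def param(conf: Dict[str, Dict[str, str]], share: str, key: str) -> str:
    """Share value, else the [global] value, else Samba's default."""
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key, DEFAULTS[key]))


def as_bool(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def new_file_mode(conf, share: str, requested: int = 0o666) -> int:
    """(requested & create mask) | force create mode."""
    return ((requested & int(param(conf, share, "create mask"), 8))
            | int(param(conf, share, "force create mode"), 8))


def new_dir_mode(conf, share: str, requested: int = 0o777) -> int:
    """(requested & directory mask) | force directory mode."""
    return ((requested & int(param(conf, share, "directory mask"), 8))
            | int(param(conf, share, "force directory mode"), 8))


def guest_writable_shares(conf) -> List[str]:
    """Shares a guest-mapped session may write to, judged at the share level only."""
    return [s for s in conf if s != "global"
            and as_bool(param(conf, s, "guest ok"))
            and not as_bool(param(conf, s, "read only"))]


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for share in ("homes", "expedientes"):
        print(share, oct(new_file_mode(conf, share)), oct(new_dir_mode(conf, share)))
    print("guest-writable at share level:", guest_writable_shares(conf))
```

For the posted config this yields 0600/0711 in [homes] and 0664/0775 in [expedientes], and reports sysvol, homes and expedientes as guest-writable at the share level, because nothing overrides the global guest ok = yes. Whether a guest can really write to sysvol then depends entirely on the filesystem ACLs; moving guest ok into the one share that needs it removes the question.
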

Re: [Samba] Samba + LDAP: Issue adding machine.

2013-06-14 Thread Gaiseric Vandal
I would compare the LDAP attributes between a problem machine and a
working machine.  Each machine has to have a unique unix account name
and SID.


Normally you don't need to precreate the samba acct with "smbpasswd -a
-m" or pdbedit.  However it may help with the diagnostics to see
what is not getting created.  If you use smbpasswd or pdbedit to create
the account, then use the ldap editor to fill in the missing attributes,
then you should be able to join the domain.



Also double check that machine accounts are not being created in some
other LDAP ou than you expected.  You might be trying to fix one ldap
entry while samba is creating one somewhere else.



It gets tricky when you use smbpasswd or pdbedit to create an account 
and it sees some attributes ther



On 06/14/13 07:49, Luis H. Forchesatto wrote:

Hi Gaiseric

Thanks for the reply.

I believe the problem is not the flags but I will check them again as
you suggested. I've found this problem quite annoying because it is not
on my network, it's on a remote network and I need to move physically
to another place in order to test the environment, quite boring also.


Regarding the sambaPrimaryGroupSID I'll check again but I believe it
MAY be the problem :) Also, can this cause this problem? "Another
machine was already created previously..." something like that?






--
Att.*
*
Luis H. Forchesatto





Re: [Samba] Samba + LDAP: Issue adding machine.

2013-06-10 Thread Gaiseric Vandal
I found that Samba 3.5.x has trouble creating the LDAP attributes
correctly on new machine accounts.  I think Samba 3.4.x was OK.
Rejoining a machine to a domain was usually OK.  You may need to
do a mix of account creation with smbpasswd and LDAP modification with
the LDAP editor.



It appears to incorrectly set sambaAccountFlags as [U] (user)
instead of [W] (workstation).  When attempting to join a machine to
the domain you may get an error that the account already exists.  Use an
LDAP editor to make sure sambaAccountFlags is set to [W].  (You can
use pdbedit to verify the setting but not to change it to [W].)


type:  sambaAccountFlags
value: [W ]

If, when joining a domain, you get an error that "the specified
network password is not correct" you may need to precreate the samba
account attributes with the pdbedit or smbpasswd commands.  Try the
following on spooky:


# smbpasswd -x -m machinename
# smbpasswd -a -m machinename


You MAY also need to make sure that the sambaPrimaryGroupSID is also 
set.  It should end with 515.


type:  sambaPrimaryGroupSID
value:S-1-5-21-xxx-xxx-xxx-515






On 06/10/13 08:33, Luis H. Forchesatto wrote:

Greetings.

I've run into trouble when trying to add a new Win7 machine to a domain.
The domain is controlled by a server running Samba + LDAP (samba compiled
with ldap support), on a Debian 5 OS on the local network.

I've added the machine name to the LDAP tree through phpldapadmin using
the option "Samba3 Machine" on the related submenu and via terminal on
samba. Then I renamed the new machine to match the computer name and tried
to add it to the domain. When prompted for credentials to add the new
machine I entered the admin login and password and hit enter.

Windows then returned the following error (something like): "The
join operation was not successful. Maybe another existing machine
account machine_account_name was created previously using another set of
credentials. Use another computer name or contact the admin to remove any
obsolete conflicting account. Error: Access denied."

Any ideas for the troubleshoot will be welcome.




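The two messages above list what a machine account in LDAP must look like before a join can succeed: a unique account name and SID, a workstation flag rather than a user flag, and a primary group SID ending in -515 (Domain Computers). The Python below is an added example for this page, not code from the posts or from Samba; it checks constructed entries shaped like the LDAP attributes of a Samba 3 machine account, using the attribute names of the Samba 3 schema (sambaSID, sambaPrimaryGroupSID, sambaAcctFlags) and a made-up domain SID. It flags each of the symptoms discussed in the thread and reports duplicate names or SIDs across a set of entries, which is the "account already exists" case.

```python
"""
Sanity-check Samba 3 machine accounts stored in LDAP before retrying a join.

Added example for this page, not code from the list posts or from Samba.
The entries are constructed dictionaries shaped like the LDAP attributes of
a machine account (samba.schema names: sambaSID, sambaPrimaryGroupSID,
sambaAcctFlags); the domain SID is made up.
"""
from typing import Dict, List, Set

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
RID_DOMAIN_COMPUTERS = 515   # the primary group a machine account should have

# A healthy workstation trust account.
GOOD = {
    "uid": "ws01$",
    "objectClass": ["posixAccount", "sambaSamAccount"],
    "sambaSID": f"{DOMAIN_SID}-1103",
    "sambaPrimaryGroupSID": f"{DOMAIN_SID}-{RID_DOMAIN_COMPUTERS}",
    "sambaAcctFlags": "[W          ]",
}
# The symptoms discussed in the thread, all in one entry.
BAD = {
    "uid": "ws02$",
    "objectClass": ["posixAccount", "sambaSamAccount"],
    "sambaSID": f"{DOMAIN_SID}-1103",              # collides with ws01$
    "sambaPrimaryGroupSID": f"{DOMAIN_SID}-513",   # Domain Users, not Domain Computers
    "sambaAcctFlags": "[U          ]",             # created as a user, not a workstation
}


def acct_flags(value: str) -> Set[str]:
    """'[W          ]' -> {'W'}: the flags are the letters between the brackets."""
    return set(value.strip().strip("[]").replace(" ", ""))


def check_machine_account(entry: Dict, domain_sid: str) -> List[str]:
    """Return a list of problems; an empty list means the entry looks joinable."""
    problems: List[str] = []
    uid = entry.get("uid", "")
    if not uid.endswith("$"):
        problems.append(f"uid {uid!r} must end with '$' for a machine account")
    if "sambaSamAccount" not in entry.get("objectClass", []):
        problems.append("objectClass sambaSamAccount is missing")
    sid = entry.get("sambaSID", "")
    if not sid.startswith(domain_sid + "-"):
        problems.append(f"sambaSID {sid!r} is not in domain {domain_sid}")
    pgs = entry.get("sambaPrimaryGroupSID", "")
    if pgs != f"{domain_sid}-{RID_DOMAIN_COMPUTERS}":
        problems.append(f"sambaPrimaryGroupSID {pgs!r} should end in -515 (Domain Computers)")
    flags = acct_flags(entry.get("sambaAcctFlags", ""))
    if "W" not in flags:
        problems.append("sambaAcctFlags lacks W (workstation trust account)")
    if "U" in flags:
        problems.append("sambaAcctFlags has U (normal user account)")
    if "D" in flags:
        problems.append("sambaAcctFlags has D (account disabled)")
    return problems


def find_duplicates(entries: List[Dict]) -> List[str]:
    """Each machine needs a unique uid and sambaSID; report any value seen twice."""
    seen: Dict[tuple, str] = {}
    dups: List[str] = []
    for e in entries:
        for attr in ("uid", "sambaSID"):
            key = (attr, e.get(attr))
            if key in seen:
                dups.append(f"{attr} {e.get(attr)!r} is shared by {seen[key]} and {e.get('uid')}")
            else:
                seen[key] = e.get("uid", "?")
    return dups


if __name__ == "__main__":
    for entry in (GOOD, BAD):
        print(entry["uid"], check_machine_account(entry, DOMAIN_SID) or "ok")
    print(find_duplicates([GOOD, BAD]))
```

Feeding it real entries means exporting them with ldapsearch (or reading them off the phpldapadmin page) into the same attribute names; the checks are the ones you would otherwise do by eye with pdbedit -Lv and an LDAP editor.
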

Re: [Samba] Configuring New Replacement Server For Samba

2013-06-03 Thread Gaiseric Vandal
Run the testparm -v command - that will show you the location of key
files and directories including:


smb.conf
private directory (which typically contains the  smb passwd file)
the lock and cache directory or directories (which include various TDB 
files.)

netlogon directory (including netlogon scripts)
profile directory (if applicable)

You should not need to rejoin.  But you should assume that the config 
for 3.5.x. may need to be tweaked to work with 3.6.x.



Non-samba files will include things like /etc/hosts and /etc/resolv.conf.

When you replace one machine with another machine with the same IP,
existing machines may not be able to connect to the new machine until
the old ARP entries expire.  Should be less than one hour but more than 30
seconds.






On 06/03/13 10:29, bhogue wrote:

Hi,

I did not get a response for the below, I was just wondering if this 
is not the right place for this question can someone suggest another 
mailing list.


Thanks
Bob

On 05/30/2013 12:46 PM, bhogue wrote:

Hi,

I am replacing my current RHEL 6 clustered samba server with new 
servers. The IP's and hostnames will be the same.


The samba version on the old config is: samba-3.5.10-115.el6_2.x86_64
The samba version on the new config is: samba-3.6.9-151.el6.x86_64

What do I need to do to copy the samba configuration to the new servers.

Will I need to do a net join again? or will it just work because the 
ip's and hostnames are the same.


Thanks
Bob







Re: [Samba] Looking for compiled version 1.9 of Samba - revised

2013-05-30 Thread Gaiseric Vandal
What do you mean by bridge?  Are you trying to make files accessible to
windows users?



It looks like GCC binaries are available for SCO - although maybe not your
version.


http://gcc.gnu.org/install/binaries.html
ftp://ftp2.sco.com/pub/skunkware/odt3/CD-ROM/bin/



On 05/29/13 19:52, Paul Davis wrote:

Much thanks to all respondents. Since 1.9 is a very old version, I have the 
source code but am looking (close to begging) for someone who has a compiler to 
create an executable for me.

I would be glad to send along the source , if you could compile and return an 
executable. This is the better request than to ask someone for their compiler.

Thank you


Paul Davis
Sr. Business Development Manager
CONNX Solutions - www.connx.comhttp://www.connx.com/
Direct -(425) 519-6670
Mobile -(425) 269-3956
Toll free - (888) 882-6669 x6670

From: Paul Davis
Sent: Thursday, May 23, 2013 3:48 PM
To: 'samba@lists.samba.org'
Subject: Looking for compiled version 1.9 of Samba

I am trying to assist a client who needs a compiled version of Samba 1.9 for his
SCO ODT 3.2 v4.2 environment. We are trying to connect an old version of
DataFlex on SCO and need the bridge.

Anybody have an old compiled version?

Thanks

Paul Davis
Sr. Business Development Manager
CONNX Solutions - www.connx.comhttp://www.connx.com/
Direct -(425) 519-6670
Mobile -(425) 269-3956





Re: [Samba] BDC needs a [profile] and [netlogon] share ?

2013-05-24 Thread Gaiseric Vandal
I looked through the smb.conf man page. It looks like logon script 
should be relative to the netlogon directory. I would set up 
identical netlogon directories on both PDC and BDC. Both machines 
have the same logon script parameter, e.g.


logon script = %U.bat


This means that you need to keep the login scripts in sync.  If you 
update on the PDC, you should copy to the BDC netlogon directory.


I don't use the logon script param on my system.  Instead, I use pdbedit 
to specify the logon script used by each user. Each user uses the 
same logon script anyway, so when I update it on the PDC I only have to 
replicate that one script to the other machines.  It also makes it easy 
to have a test logon script for one or two users only.  Alternately, 
rather than having a separate logon script for all users you could just have


logon script = common.bat


From a windows machine make sure you can see the netlogon share on each 
DC.





On 05/24/13 06:55, ?icro MEGAS wrote:

Hi all,

I have a BDC which uses the LDAP backend of my PDC. Unfortunately all the users 
who log in in the morning and who are processed by this BDC do not get their 
logon script executed. The BDC logs this error message:

[2013/05/24 07:28:11.946577,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [foobar] - [foobar] - 
[foobar] succeeded
[2013/05/24 07:28:11.948108,  0] param/loadparm.c:8686(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. 
File or directory not found
[2013/05/24 07:28:12.976867,  0] param/loadparm.c:8686(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/netlogon failed. 
Access denied
[2013/05/24 07:28:12.979372,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
   init_sam_from_ldap: Entry found for user: foobar

I did not understand why the BDC looks for the netlogon at 
/var/lib/samba/usershares/netlogon, so I double-checked my smb.conf on both PDC 
and BDC. Here are the relevant options in smb.conf:

*** PDC *** smb.conf:
[global]
  ...
  security = user
  passdb backend = ldapsam:ldap://172.16.0.1
  logon script = %U.bat
  logon path = \\pdc\profiles\%U
  logon drive = U:
  domain logons = Yes
  preferred master = Yes
  local master = Yes
  domain master = Yes
  os level = 254
  wins support = Yes
  ...

[netlogon]
  comment = Logon batch
  path = /file01/netlogon
  write list = @Domain Admins

[profiles]
  comment = Centralized Roaming Profiles
  path = /file01/profile
  read only = No
  browseable = No

*** BDC *** smb.conf:
[global]
  ...
  security = user
  passdb backend = ldapsam:ldap://172.16.0.1/
  logon script = \\pdc\netlogon\%U.bat
  logon path = \\pdc\profiles\%U
  logon drive = U:
  domain logons = Yes
  preferred master = No
  local master = No
  domain master = No
  os level = 20
  password server = *
  ;   wins server = 172.16.0.1

I realized that no [netlogon] and [profiles] share exist on the BDC. But there are no 
known problems with profiles for users who were handled by the BDC. Only logon scripts 
don't work? Is it possible that the option logon script = DOES NOT ALLOW the 
use of a UNC path like I am using? So this is the problem, and samba falls back to the 
default path /var/lib/samba/usershares/netlogon and tries to look for the logon 
script there???

If so, what should my [netlogon] share on the BDC look like? Do I have to 
rsync/copy the content of pdc://file01/netlogon to bdc:/somedir/netlogon and 
use the following lines in the BDC's smb.conf?

logon script = %U.bat
[netlogon]
  comment = BDC Logon batch
  path = /somedir/netlogon
  write list = @Domain Admins

Will that be enough or am I wrong? I would also like to know if I could use os level = 
0 on the BDC, because I don't need/want the BDC to handle domain logon procedures; that 
would be the easiest way in my case. Now you ask why the heck I need it to run as BDC :-) It's 
because I can't use winbind on the BDC and I need the correct mappings for users/groups. And 
that's only possible either by using winbind on the BDC and idmapping, or you run as BDC and it uses 
the locally managed database of the PDC. In my case it was really much easier to use the BDC 
method, because if I used winbind it would result in different ids (those of the winbind idmapping 
ranges) and access would be denied to lots of my existing shares. As a result I would have to 
chmod all of my used dirs/paths, which is a lot of work. That's why I chose the much easier way 
as a BDC. But that's not very important, I'd just like to know if os level = 0 would be 
ok or cause some other troubles?

Any help and feedback really appreciated. Thanks to all
Lucas




Re: [Samba] Samba 3.x server with LDAP backend doesn't work

2013-05-16 Thread Gaiseric Vandal
Did you try w/o start TLS support?   I realize this can have security 
implications, so this is only to see if the problem is with TLS or with 
the configuration in general.


If the LDAP server is on the same server as the samba server then I 
don't think you will need TLS encryption, since there isn't LAN traffic 
to snoop.


Don't forget to set the ldap password with smbpasswd -w

Also I think ldaps means ldap over SSL, not ldap+tls.   I would also 
use LDAP client tools (e.g. the command line ldapsearch or the GUI Apache 
Directory Studio ldap browser and editor) to make sure you can connect 
to the ldap server via LDAP, LDAP+TLS and/or LDAPS-over-SSL. You 
need to make sure you have all the certificates configured correctly.






On 05/16/13 11:27, Gollapalli, Prakash wrote:

We have a central LDAP server for our enterprise on a Linux box.  I have 
installed Samba 3.4.4 server on an AIX server and trying to get users 
authenticated via LDAP server.   So far my efforts have been unsuccessful.  
Here is my ldap section of the smb.conf file:

passdb backend = ldapsam:ldaps://company_ldap_server/
ldap ssl = start tls
ldap suffix = dc=xxx,dc=yyy,dc=zzz
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups

Here is the error I am seeing in the Samba errorlog:

[2013/05/16 11:08:14,  0] lib/smbldap.c:656(smb_ldap_start_tls)
   Failed to issue the StartTLS instruction: Can't contact LDAP server
[2013/05/16 11:08:14,  1] lib/smbldap.c:1231(another_ldap_try)
   Connection to LDAP server failed for the 1 try!

Is there a documented procedure on how to connect samba users to a backend ldap 
server?

Any help with this is greatly appreciated

Thanks, Prakash




Re: [Samba] Samba 3.x server with LDAP backend doesn't work

2013-05-16 Thread Gaiseric Vandal
And just to clarify you can use ldapsearch with the samba admin 
credentials as well?



What is the ldap server?  (OpenLDAP?)




On 05/16/13 16:44, Gollapalli, Prakash wrote:

Did you try w/o start TLS support?   I realize this can have security

implications, so this is only to see if the problem is with TLS or with
the configuration in general.

I have tried without TLS support and without SSL (replaced ldaps with ldap)

passdb backend = ldapsam:ldap://company_ldap_server/
ldap ssl = off
ldap admin dn = cn=Adminid,dc=xxx,dc=yyy,dc=zzz
ldap suffix = dc=xxx,dc=yyy,dc=zzz
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups

Now I get the following error:
[2013/05/16 16:38:14,  0] lib/smbldap.c:1052(smbldap_connect_system)
   failed to bind to server ldap://company_ldap_server/ with 
dn=cn=Adminid,dc=xxx,dc=yyy,dc=zzz Error: Confidentiality required
 (unknown)


If the LDAP server is on the same server as the samba server then I

don't think you will need TLS encryption, since there isn't LAN traffic
to snoop.

Our LDAP server is not on the same server. It is a central enterprise server


Don't forget to set the ldap password with smbpasswd -w

I did this part for the Adminid


Also I think ldaps means ldap over SSL, not ldap+tls.   I would also
use LDAP client tools (e.g. the command line ldapsearch or the GUI Apache
Directory Studio ldap browser and editor) to make sure you can connect
to the ldap server via LDAP, LDAP+TLS and/or LDAPS-over-SSL. You
need to make sure you have all the certificates configured correctly.

LDAP authentication works perfectly directly from our AIX server. I can do 
ldapsearches and can login with my ldap credentials etc. Only samba 
authentication doesn't work.

Thanks, Prakash
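Added example, not Samba's code and not posted to the list: a small smb.conf lint that flags the two problems discussed in the BDC thread (a UNC `logon script` and a domain controller without a [netlogon] share) and in this LDAP thread (an ldaps:// URI combined with StartTLS, and a plain ldap:// bind with TLS off, which is what a server answering "Confidentiality required" refuses). It assumes, as stated in the code, that `start tls` is the smb.conf default when `ldap ssl` is absent; the sample configs are constructed.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased and whitespace-normalised
    the way testparm treats them, ';' and '#' lines skipped as comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_logon(sections):
    """BDC thread: 'logon script' is relative to [netlogon], and a DC needs that share."""
    findings = []
    glob = sections.get("global", {})
    if glob.get("domain logons", "no").lower() not in ("yes", "true", "1"):
        return findings
    script = glob.get("logon script", "")
    if "\\" in script:  # a UNC path such as \\pdc\netlogon\%U.bat
        findings.append("logon script '%s' is a UNC path; use a path relative to [netlogon]" % script)
    if "netlogon" not in sections:
        findings.append("domain logons = yes but no [netlogon] share is defined")
    return findings


def lint_ldap(sections):
    """LDAP thread: URI scheme and 'ldap ssl' must agree; a clear-text simple bind
    is what a server answering 'Confidentiality required' refuses."""
    findings = []
    glob = sections.get("global", {})
    backend = glob.get("passdb backend", "")
    if not backend.lower().startswith("ldapsam:"):
        return findings
    uri = backend.split(":", 1)[1].strip().lower()
    # Assumption: 'start tls' is the smb.conf default when 'ldap ssl' is absent.
    ssl_mode = " ".join(glob.get("ldap ssl", "start tls").lower().split())
    if uri.startswith("ldaps://") and ssl_mode == "start tls":
        findings.append("ldaps:// already negotiates TLS on connect; 'ldap ssl = start tls' "
                        "applies to ldap:// URIs, so set 'ldap ssl = off' or use ldap://")
    if uri.startswith("ldap://") and ssl_mode == "off":
        findings.append("ldap:// with 'ldap ssl = off' sends the admin DN password in clear "
                        "text; a server answering 'Confidentiality required' refuses that bind")
    if "ldap admin dn" not in glob:
        findings.append("ldap admin dn is not set; the password stored with smbpasswd -w has no DN")
    return findings


def lint(text):
    sections = parse_smb_conf(text)
    return lint_logon(sections) + lint_ldap(sections)


# Constructed: a BDC with a UNC logon script and no [netlogon] share.
BDC_CONF = r"""
[global]
  security = user
  passdb backend = ldapsam:ldap://172.16.0.1/
  ldap admin dn = cn=Manager,dc=example,dc=com
  logon script = \\pdc\netlogon\%U.bat
  domain logons = Yes
"""
# Constructed: ldaps:// combined with StartTLS, as in the first post.
LDAPS_STARTTLS_CONF = """
[global]
  passdb backend = ldapsam:ldaps://ldap.example.com/
  ldap ssl = start tls
  ldap admin dn = cn=Manager,dc=example,dc=com
"""
# Constructed: plain ldap:// with TLS turned off, as in the second post.
LDAP_PLAIN_CONF = """
[global]
  passdb backend = ldapsam:ldap://ldap.example.com/
  ldap ssl = off
  ldap admin dn = cn=Manager,dc=example,dc=com
"""
```

`lint(text)` returns the list of findings for one configuration; an empty list means none of these checks fired.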




Re: [Samba] win 7 client can't map drive: getpeername failed

2013-05-13 Thread Gaiseric Vandal
That suggests either a configuration difference with some of the win 7 
machines or a difference with some of the AD accounts for the machines.


On the NAS, does the getent passwd command display user and machine 
accounts?   Is it maybe showing only some machine accounts and not 
others?  It might be possible that samba has been unable to account an 
idmap entry for newer machines.   Although I would think this would 
affect authentication issues, not connection issues.  I have found 
idmapping to be one of the less reliable functions in samba.


Are all the Win 7 machines configured with identical network settings 
(apart from the IP address itself of course)? This should be the case if 
you use DHCP.
Are there any security settings on the problem Win 7 machines that are 
different?  If you use gpedit.msc - computer - security settings, 
you may want to review things like NTLMv2 settings.   Are all the 
machine accounts in the same AD container?


If this is all AD, then you should not need to use WINS. Although it may 
also help resolve confusion about which machine is the local master 
browser, which shouldn't really matter either.  I use samba 3.x as a 
non-AD PDC, so the WINS and browser stuff is more important.


If the Microsoft server is the AD PDC it may expect to be the local 
master browser.   I think there can only be one local master browser per 
subnet. And if you look thru the nmbd logs (?) on the NAS as well as 
the logs on the Win 2008 server, you may see results of a browser 
election.



testparm -v will show you all the config settings, including those 
set by default even if not explicitly set in smb.conf.



On 05/13/13 08:44, Ed Strong wrote:

Hi,

all XP clients work fine. As do most win 7 clients.  Just a handful of 
win7 clients have this issue.


We only have one Microsoft server: 2008 R2, it does not have the WINS 
server feature installed.

The qnap box is called saturn and is a member of the domain.
  telnet saturn 139
results in a blank screen with a blinking cursor, so the port is open I guess.
The NAS uses our Microsoft server for its DNS and registers itself in DNS.
Also on the NAS I have:
   Enable WINS server NOT checked
   Local master browser checked
   Allow only NTLMv2 authentication NOT checked
DNS has a reverse lookup zone with a PTR record for the client


This is my first foray into samba so I'm not familiar with the config file 
structure, but here is the global section:

[global]
log level = 3
passdb backend = smbpasswd
workgroup = OUR_DOMAIN
security = ADS
server string =
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 50
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=262144 
SO_RCVBUF=131072

os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = yes
load printers = no
display charset = UTF8
force directory security mode = 
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/

delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
inherit acls = yes
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
domain logons = no
min receivefile size = 4096
case sensitive = auto
domain master = auto
local master = yes
enhance acl v1 = yes
remove everyone = yes
kernel oplocks = no
mangled names = no
realm = OUR_DOMAIN.local
password server = SERVER.OUR_DOMAIN.local
pam password change = yes
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 3600
idmap uid = 41-50
idmap gid = 41-50
idmap config OUR_DOMAIN : backend = rid
idmap config OUR_DOMAIN : range = 1001-2000
wins support = no
name resolve order = host bcast



On 10 May 2013 16:19, Gaiseric Vandal gaiseric.van...@gmail.com wrote:


Re: [Samba] win 7 client can't map drive: getpeername failed

2013-05-10 Thread Gaiseric Vandal
I think the "Error was Transport endpoint is not connected" warnings are 
sometimes misleading. Do you have any control over the samba config 
(smb.conf) on the NAS? On regular samba installs, changing the 
default port settings can cause more problems.


Windows 7 will try to connect on port 445  (SMB or CIFS over tcp/ip), 
and will then reconnect to ports 137/138/139 (SMB over netbios over 
tcp/ip) since samba 3.x doesn't handle the newer 
SMB-over-tcp/ip. Disabling 445 on the server seems to cause more 
problems than it solves.



Are you able to connect via IP?  e.g. net use \\qnap_ip\share ?

I had problems in the past when I disabled port 445 on samba servers.  
Remote users (no netbios broadcasts permitted) could connect via IP but 
not via name. For the name-only connections, packet monitoring would 
show packets getting thru to the server but the exchange between client 
and server not being completed.  For clients connecting via IP, the 
client would send packets to the server, the server would respond, and then the 
client responded.











On 05/07/13 03:53, Ed Strong wrote:

Hi,

I'm re-posting this (with some more info) as I don't think the original got
through, as I wasn't signed up to the samba list.

This is my first foray into samba (and newsgroups) so go easy :)
I've started reading the O'Reilly samba book but am finding it hard going.

Anyway I'm trying to map a network drive from a windows 7 pro client to a
QNAP NAS with the command:
   net use s: \\qnap\share

I've posted on several forums and got good advice but the problem remains.
Rather than repost all the detail, please see my original posts:

http://forum.qnap.com/viewtopic.php?f=185t=74639
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/11d35b0c-ac95-489f-b5d1-0486b9774603
http://www.edugeek.net/forums/windows-7/112309-map-network-drive-nas-but-get-error-64-58-a.html

I've managed to ssh onto the QNAP via putty and found this in the logs
(getpeername failed)

[/var/log] # pwd
/var/log
[/var/log] # tail -f log.smbd
[2013/05/01 09:36:17.135999,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/05/01 09:36:17.136096,  0] lib/util_sock.c:1440(get_peer_addr_internal)
   getpeername failed. Error was Transport endpoint is not connected
   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2013/05/01 09:36:17.137700,  1] smbd/server.c:299(remove_child_pid)
   Scheduled cleanup of brl and lock database after unclean shutdown
[2013/05/01 09:36:17.178522,  1] smbd/service.c:1073(make_connection_snum)
   172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=1514) (pid 25771)
[2013/05/01 09:36:17.179093,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/05/01 09:36:17.179173,  0] lib/util_sock.c:1440(get_peer_addr_internal)
   getpeername failed. Error was Transport endpoint is not connected
   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2013/05/01 09:36:17.179289,  1] smbd/service.c:1254(close_cnum)
   172.24.120.139 (172.24.120.139) closed connection to service Staff
[2013/05/01 09:36:37.142714,  1] smbd/server.c:272(cleanup_timeout_fn)
   Cleaning up brl and lock database after unclean shutdown


The QNAP's samba version appears to be 3.5.2:

[/var/log] # ps -ef | grep smb
 4016 admin  3104 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4017 admin  3728 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4366 admin  1840 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4877 admin  3300 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4902 admin  3952 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4978 admin  4132 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
 4979 admin  3356 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4980 admin  1224 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 4995 admin  1016 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
 5063 admin  2068 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 9509 admin  1664 S   /usr/local/samba/sbin/nmbd -l /var/log -D -s /etc/config/smb.conf
25540 admin   544 S   grep smb
[/var/log] # /usr/local/samba/sbin/smbd -V
Version 3.5.2


I've also installed MS network monitor on two clients and did a capture
whilst running the command
net use s:\ \\saturn\staff

I've posted three screenshots here:

https://plus.google.com/photos/108734482620454690509/albums/5875135861918839393?authkey=CJ3lwKu2xJqMyQE

Basically, Worked.png shows the SMB frames on a PC where the net use
command worked, and Failed.png shows the SMB frames on a PC where the net use
command did not work.

It looks to me like the first 6 SMB frames are identical. Then things start
to change.

On the working client we continue with frame 10113 which is a
   Dfsc: Get DFS Referral Request

but 
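Added example, not Samba's code and not posted to the list: a parser for the smbd debug-log format quoted above (a `[timestamp, level] file:line(function)` header followed by indented message lines) and a summary that counts reads which failed before the peer address was known and times each share session from connect to close. SAMPLE_LOG is constructed after the posted lines, with the wrapped entries re-joined.

```python
import re
from datetime import datetime

# Header: "[2013/05/01 09:36:17.135999,  0] lib/util_sock.c:474(read_fd_with_timeout)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$")
CONNECT_RE = re.compile(
    r"^(?P<ip>\S+) \(\S+\) connect to service (?P<service>\S+) initially as user (?P<user>\S+)")
CLOSE_RE = re.compile(r"^(?P<ip>\S+) \(\S+\) closed connection to service (?P<service>\S+)")

# Constructed after the posted log, with the line-wrapped entries re-joined.
SAMPLE_LOG = """\
[2013/05/01 09:36:17.135999,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/05/01 09:36:17.136096,  0] lib/util_sock.c:1440(get_peer_addr_internal)
   getpeername failed. Error was Transport endpoint is not connected
   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2013/05/01 09:36:17.137700,  1] smbd/server.c:299(remove_child_pid)
   Scheduled cleanup of brl and lock database after unclean shutdown
[2013/05/01 09:36:17.178522,  1] smbd/service.c:1073(make_connection_snum)
   172.24.120.139 (172.24.120.139) connect to service Staff initially as user DOMAIN+admin (uid=10001423, gid=1514) (pid 25771)
[2013/05/01 09:36:17.179093,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/05/01 09:36:17.179173,  0] lib/util_sock.c:1440(get_peer_addr_internal)
   getpeername failed. Error was Transport endpoint is not connected
   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2013/05/01 09:36:17.179289,  1] smbd/service.c:1254(close_cnum)
   172.24.120.139 (172.24.120.139) closed connection to service Staff
[2013/05/01 09:36:37.142714,  1] smbd/server.c:272(cleanup_timeout_fn)
   Cleaning up brl and lock database after unclean shutdown
"""


def parse_timestamp(text):
    """Timestamps carry microseconds in the smbd log above but not always elsewhere."""
    fmt = "%Y/%m/%d %H:%M:%S.%f" if "." in text else "%Y/%m/%d %H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_smbd_log(text):
    """Return one dict per header line; indented lines that follow a header are
    its message (joined with spaces).  A header with no message keeps ''."""
    records = []
    for line in text.splitlines():
        match = HEADER_RE.match(line)
        if match:
            records.append({"time": parse_timestamp(match.group("ts")),
                            "level": int(match.group("level")),
                            "file": match.group("file"),
                            "line": int(match.group("line")),
                            "func": match.group("func"),
                            "message": ""})
        elif records and line.strip():
            records[-1]["message"] = (records[-1]["message"] + " " + line.strip()).strip()
    return records


def summarize(records):
    """Count headers per function, count reads that failed before the peer
    address was known (client 0.0.0.0), and time each share session."""
    summary = {"by_function": {}, "reset_before_peer_known": 0, "sessions": []}
    open_sessions = {}
    for rec in records:
        func = rec["func"]
        summary["by_function"][func] = summary["by_function"].get(func, 0) + 1
        msg = rec["message"]
        if "getpeername failed" in msg and "client 0.0.0.0" in msg:
            summary["reset_before_peer_known"] += 1
        match = CONNECT_RE.match(msg)
        if match:
            key = (match.group("ip"), match.group("service"))
            open_sessions[key] = (rec["time"], match.group("user"))
            continue
        match = CLOSE_RE.match(msg)
        if match and (match.group("ip"), match.group("service")) in open_sessions:
            started, user = open_sessions.pop((match.group("ip"), match.group("service")))
            summary["sessions"].append({"ip": match.group("ip"), "service": match.group("service"),
                                        "user": user,
                                        "seconds": (rec["time"] - started).total_seconds()})
    return summary
```

On the sample, `summarize(parse_smbd_log(SAMPLE_LOG))` shows the Staff session lasting well under a millisecond between connect and close, which is the "connects, then drops immediately" pattern the failing clients produce.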

Re: [Samba] win 7 client can't map drive: getpeername failed

2013-05-10 Thread Gaiseric Vandal
Are XP clients having the same problem?  Trying with an XP client 
would help indicate if there was something specific to XP. (I skipped 
Vista.)



Can you check in smb.conf
-  is the server a member server, AD member server, standalone 
server, or domain controller.

-   Are ports explicitly defined
-  how is name resolution configured?
   - is NTLMv2 required (I couldn't get NTLMv2 support working.)


Domain membership shouldn't matter at this point since you aren't even 
getting to the authentication phase.


Can you  telnet port 139 to make sure it is open?


Do you have a WINS server defined? If so make sure client and NAS are 
using the same WINS server. Is your NAS configured to use a DNS 
server?   Do you have a reverse lookup zone defined in DNS? The NAS 
may be trying to do a reverse lookup on the IP of the client.   There 
doesn't need to be a PTR entry for the client but you at least want the 
zone. If DNS tries to look up an IP and gets an immediate "host not 
found" that is OK.  If it times out because it can't even locate a DNS 
server then that could cause problems for other services dependent on DNS.












On 05/10/13 10:58, Ed Strong wrote:

Hi,

Thanks for the info, I'm replying to you in gmail and to samba@lists.samba.org,
hope that is correct?

Yes I can edit the config file on the NAS

Looking at the network packets all communication to NAS seems to be on port
microsoft-ds (445)
I can't see any traffic on ports 137/138/139

If I use the IP I get exactly the same error :(


On 10 May 2013 15:01, Gaiseric Vandal gaiseric.van...@gmail.com wrote:



Re: [Samba] Building 3.6.12

2013-05-08 Thread Gaiseric Vandal

Had you posted about this last month?

For Active Directory support you will need to compile OpenLDAP. The ldap 
functionality in Solaris is NOT OpenLDAP.   I would think that you will need 
to specify the path to the kerberos directory. Solaris 9 and Solaris 10 
have kerberos installed by default.  Not sure about Solaris 8 - it used 
to be part of the SEAM tool kit?  If kerberos is not installed you 
will need to either download it from Sun/Oracle or compile from source.



--with-ads=yes \
--with-ldap=yes \
--with-krb5=/usr



Also make sure winbind and nsswitch support is enabled. You may 
want to uninstall the samba 3.0.x packages to avoid confusion about which 
winbind/nsswitch libraries are being used.



I would also make sure that your Solaris 8 server is configured to use 
the Windows AD PDC as the DNS master. I did not configure my systems 
as AD members BUT I did configure trusts with AD servers.   You need to 
make sure the samba server can locate the AD server.  It doesn't hurt 
to make sure all servers are using the same WINS server, although it 
shouldn't be relevant with AD.




You may also want to set up a Solaris 10 test machine as well. Assuming 
you get Samba 3.6.x to compile on Solaris 8 and you can't get it to join 
the AD domain, you will want some way to determine if the problem is 
with the samba config or if the problem is with the samba compile.   
If the identical config works on Solaris 10 but not Solaris 8, then you 
know you have a problem with the compile. Solaris 10 will be a 
diagnostic tool, not the production system.




On 05/08/13 08:52, Shaw, Kevin wrote:

All,

I'm trying to build Samba 3.6.12 on Solaris 8 sparc using studio 12. Is this 
the correct forum to ask questions?

This is my first build so any tips/tricks are appreciated.

What are the prerequisites to get samba to compile so that it will join an AD 
domain?

TIA,
-Kevin




Re: [Samba] Build 3.6.12 on Solaris 8

2013-05-01 Thread Gaiseric Vandal
Longer term you might just want to look at moving to Solaris 10, since 
it has samba 3.6.x included already. So much simpler than 
compiling. Although ZFS support does add new complications.



That being said, I did have some luck compiling samba 3.4.x on Solaris 
10 (prior to Sun/Oracle releasing an update for its bundled 
version.) I had to use Sun Studio and dmake. (Ideally you would use 
gcc but the version of make included with Solaris breaks things.)



According to my notes

CC='/usr/bin/cc -xc99'
CXX=/usr/bin/CC


I don't remember why but I think that tells  Sun Studio to compile stuff 
with open source compatibility in mind.



If you use LDAP for an account backend, domain trusts or idmapping you may 
need to compile OpenLDAP first. The Sun ldap may be ok for some 
dependencies but not others.



Instead of the make command, use dmake or dmake -serial. The Samba 
source should include some of its own dependencies (tdb, talloc etc.); 
you may need to cd into the subdirectories and run dmake or dmake 
-serial first.  Otherwise the samba build may fail because of the dependencies.





I used the following config command

./configure --prefix=/usr/local/samba-3.4.12  \

--with-privatedir=/etc/samba/private  \
--with-lockdir=/var/samba/locks  \
--with-configdir=/etc/samba \
--with-libtalloc=no \
--with-libtdb=yes  \
--with-ads=no \
--with-ldap=yes \
--with-krb5=/usr


If you don't have trusts or ADS support required you can skip kerberos 
support.   Libtalloc might be required for idmapping.


You may have to say no for most config options, config and compile, then 
enable options one at a time and config and compile again.



On 05/01/13 10:41, Shaw, Kevin wrote:

All,

I need to build samba 3.6.12 on solaris 8 using studio 12. Has anyone 
accomplished this and willing to share tips, tricks, or notes?

-Kevin




Re: [Samba] Build 3.6.12 on Solaris 8

2013-05-01 Thread Gaiseric Vandal
I had to build OpenLDAP for full ldap functionality. The solaris 
version of kerberos should be sufficient.   But you don't need LDAP so 
you can even disable ldap and krb5 in configure.


samba should have a configure script

./configure --help  will show you the options. If you don't specify 
prefix it will build in /usr/local (/usr/local/sbin, /usr/local/lib 
etc.), which may not be what you want.   I usually like to specify 
something like


  --prefix=/usr/local/samba-3.6.12

then symlink /usr/local/samba-3.6.12 to /usr/local/samba.

This lets me build new versions without breaking the running version.  
Just make sure you have LD_LIBRARY_PATH and PATH set correctly.



Configure will see what prereqs are installed.   It will also see which 
version of cc, gcc and make are available.  configure will create a make 
script.  make or dmake will use that file to compile and link stuff in 
the correct order.



I wouldn't have thought you needed a map file, assuming the windows user 
names match the unix user names.






On 05/01/13 12:01, Shaw, Kevin wrote:

Thanks so much for the reply!

I've just updated my solaris 10 samba server to 3.6.12 (119757-27 sparc or 
119758-27 x86). The solaris 8 system is out of my control. My problem is that I 
know very little about building S/W.

I do have studio12 setup. Hopefully this will work:

CC='/auto/studio12/sparc/SUNWspro/bin/cc -xc99'
CXX= auto/studio12/sparc/SUNWspro/bin

I use user.map file to map unix to windows accounts so LDAP is not necessary.

Did you build Kerberos or any other S/W before samba?

TIA

-Kevin

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Gaiseric Vandal
Sent: Wednesday, May 01, 2013 8:29 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Build 3.6.12 on Solaris 8



Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt

2013-03-06 Thread Gaiseric Vandal

A few things aren't clear-

 - Are Solaris and RHEL servers mounting shares from the primary server 
as samba clients or NFS clients?

 - Are people running SVN and Eclipse on Windows or RHEL systems?

 - Are you using samba to reshare NFS shares?



I run a mixed environment of Windows and Linux clients with Solaris 
servers running samba. The Linux clients use NFS (v4 is now the 
default.) Some of the things I have found are that

- It is worth patching Solaris to get a later version of Samba if you 
are using ZFS (not ufs) and you have a complex environment with LDAP and 
domain trusts. But you really have to test carefully before an upgrade.

- Do not use samba to reshare NFS or autofs shares.


How are clients checking stuff out from SVN?   Via a nfs file share, 
samba file share, sftp or ssh?



I understand the need to maintain stability with a server OS. But I 
think you do have to plan for an eventual OS upgrade/patch otherwise you 
end up with a system that you can't get support on.


Are you also looking at output of vmstat or iostat? If disk i/o 
gets too high, clients may repeat read/write requests which just causes 
a feedback loop exacerbating the situation. I have seen this with nfs 
clients. It is like everyone yelling louder to get heard because 
everyone is yelling.









On 03/06/13 08:47, Simo wrote:

On 03/06/2013 08:28 AM, Joseph, Matthew (EXP) wrote:

Hello JAB,

Thank you for taking the time to respond to this in a very helpful 
manner... If the SAMBA community does not care about helping someone 
with a wildly out of date server then they should state that before 
letting someone join the mailing list.


Do not ascribe to the whole community the shortcomings of an 
individual volunteer's opinion, please.


This is a production server on a closed LAN which we don't have the 
option of upgrading to RHEL 5.9 or greater in the near future.


So with that being said, anyone have any experience with what I am 
dealing with?


Unless you have 15000 servers connected the fact you have that many 
processes indicates a serious issue with the server or at least one of 
the clients. Samba creates just 1 single process per client and all 
its requests are served by that process. If you are seeing multiple 
processes it means the client is opening multiple connections. That is 
wrong and indicates there is probably a bug with either server 
processes crashing, becoming unresponsive or both, or the client 
misbehaving.


You may want to consider trying playing with the following parameters 
on your samba server:

- deadtime
- max connections
- keepalive
- reset on zero vc

You may also want to prevent samba from dumping core if that is 
activated as it could put pressure on disks and the kernel if too many 
processes core all at once.


HTH,
Simo.




Re: [Samba] EXTERNAL: Re: SAMBA bringing NFS server to a halt

2013-03-06 Thread Gaiseric Vandal
Presuming you have a RHEL subscription, you should be able to download 
the ISOs and patches on an internet machine and xfr via sneaker net 
(USB drive, DVD) to the internal network. You can even set up an 
internal yum repository. Even without an internet connection, you 
still have to consider internal security concerns.


With Solaris, you can also download the latest monthly patch cluster 
(assuming you have a support contract.) This will bring you up to samba 
3.5.x or 3.6.x. It also fixes some issues with max group 
membership, and I recall some mention of kernel and nfs bug fixes. Just 
make sure you back up all your samba config before patching.






On 03/06/13 09:12, Jonathan Buzzard wrote:

On Wed, 2013-03-06 at 08:28 -0500, Joseph, Matthew (EXP) wrote:

Hello JAB,

Thank you for taking the time to respond to this in a very helpful
  manner... If the SAMBA community does not care about helping someone
  with a wildly out of date server then they should state that before
  letting someone join the mailing list.

Given you are running RHEL, you should have been reading the security
bulletins for RHEL over the last four years and responding to them
appropriately.

It should be apparent to any sensible person that the first step would
be to check that my distribution does not have fixes for the problems
that I am seeing. (hint I am 99% certain it does).


This is a production server on a closed LAN which we don't have the
  option of upgrading to RHEL 5.9 or greater in the near future.


No lan is that closed. That you have no procedure for upgrading the OS
on your server which suffers from a number of remote root security holes
that require nothing more than a connection to your network is very bad
practice.


So with that being said, anyone have any experience with what I am
  dealing with?

Read your distro release and security notes. I am 99% certain that this
is a known problem that can be fixed by upgrading.

JAB.





Re: [Samba] no network interfaces found on OpenIndiana (Illumos)

2013-03-06 Thread Gaiseric Vandal
Solaris 11 added a CIFS server - I don't know if it is in OpenIndiana. 
Check the svcs -a command to make sure that there isn't a preexisting 
CIFS or samba server already running.


FYI, the latest Solaris 10 + updates has samba 3.5.x or 3.6.x. I had 
issues with older samba packages from sunfreeware.com and opencsw with 
64-bit support, LDAP compatibility and ZFS support.



On 03/06/13 12:56, Jeremy Allison wrote:

On Wed, Mar 06, 2013 at 11:42:02AM +0100, Joeri Vanthienen wrote:

Hi,

I've downloaded the samba 3.6.12 OpenCSW package.
I joined openindiana to the the active directory, winbind seems to
work fine, I see all the users with wbinfo -u.
However, my samba server is not starting. It seems that there is no
network card found.

[2013/03/06 10:40:39.068405,  0] lib/interface.c:543(load_interfaces)
   WARNING: no network interfaces found
[2013/03/06 10:40:39.072795,  0] smbd/server.c:1082(main)
   standard input is not a socket, assuming -D option
...
[2013/03/06 10:40:39.205210,  0] smbd/server.c:746(open_sockets_smbd)
   open_sockets_smbd: No sockets available to bind to.

Is there some problem that the get_interfaces(talloc_tos(), ifaces);
call returns  no interfaces on solaris/openindiana ?
Any idea?

Use gdb to step through the code and see why it's failing
to find interfaces, or add debug statements to the places
we return from querying an interface. Sorry, no other easy
answer.

Jeremy.




Re: [Samba] ldap/shared address books

2013-03-06 Thread Gaiseric Vandal
Can you use an LDAP Browser/Editor (e.g. Apache Directory Studio) to 
manage the samba ldap server? Maybe see what attributes you can 
add/modify? I have used Apache Directory Studio to modify LDAP 
attributes with Microsoft AD on Win 2003/2008. I would guess the 
samba 4 ldap schema has to support many of the same attributes.


I have not played with samba 4 yet so just a guess.






On 03/06/13 13:14, Terry Austin wrote:

After struggling through the HowTo for quite a while (I have some . . .
comments, if anyone is interested), I have a working active directory
domain, for which I (and my bosses, who sign the checks) thank everyone.
Now is integration time.

Is there a way to make a shared address book through Samba? Or am I stuck
with beating my head against ldap again?




Re: [Samba] BDC Rejecting auth request from client + Windows 7

2013-02-08 Thread Gaiseric Vandal
I don't quite understand- why does the BDC have a dynamic IP address? Or
have I misunderstood? The DHCP server can provide the IP of the WINS
servers to DHCP clients. Are the XP and Win 7 workstations on a separate
subnet than the servers?

What version are the samba servers? Do both samba servers point to a
single LDAP server or do they each have their own LDAP server in
replication? Does pdbedit -Lv show the same accounts on each DC?
Is it possible that the Windows 7 machine accounts have not replicated to
the BDC?

Have you specified the ports in the smb.conf file? By default samba uses
ports 137, 138, and 445. In theory you can disable port 445 (it reduces some
of the transport warnings) but I find that causes problems with name resolution
when a router or vpn is involved. So better off just sticking with the
defaults.


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of David Noriega
Sent: Friday, February 08, 2013 1:56 PM
To: samba@lists.samba.org
Subject: [Samba] BDC Rejecting auth request from client + Windows 7

Just some background: In our environment, we are running both a PDC and BDC.
The local network setup has static ips on a different subnet from dhcp ips,
thus the PDC has a static ip and the BDC has a dynamic one so the Windows
machines are able to see the domain without hardcoding in the ip of the PDC
as a wins on each machine. This has worked fine for Windows XP. We are also
using ldap as the backend.

Now we have a Windows 7 box and I have followed various instructions and
modified entries within the registry as everyone else has specified. While I
can join the domain, after reboot I get the trust relationship failed
error(or on a rare occasion it will say no logon servers available).
Checking the logs I have mapped out the following:

1. Win7 client asks to join the domain
2. PDC responds and adds machine to ldap
3. Win7 accepts and tests machine account
4. BDC rejects auth request
5. Win7 logs this, but still shows successful join message and reboots
6. Win7 then refuses to login on the domain. I can type in gibberish and
still get the trust relationship failed message.

Here is the following from the BDC:

[2013/02/08 13:11:05.458750,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/02/08 13:11:05.504483,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.504529,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:05.524195,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.524235,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:15.914207,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/02/08 13:11:15.914316,  0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.


Re: [Samba] Samba 3 master browser on two networks plus WINS

2013-01-03 Thread Gaiseric Vandal


Is samba bound to a subnet1 interface only or all interfaces? Can 
subnet2 clients connect to samba via either IP? Are subnet2 clients 
supposed to be using samba services via the subnet1 IP or the subnet2 IP 
on the server? The first would involve going thru the firewall, 
which seems unnecessary with a dual homed samba server. The 2nd, 
however, probably rules out using WINS for the subnet2 clients since you 
would NOT want traffic going thru the firewall.



What IP are the clients on subnet2 using for a WINS server? Can you try 
having the clients on subnet2 use the samba server's subnet1 IP as the WINS 
server? I haven't tried running WINS on a dual homed system. I would 
guess if you cat the wins.dat file (or tdbdump wins.tdb) you will only 
see registrations for subnet1.



Have you specified any ports in the smb.conf file?  Samba 3 uses NT4 
type smb-over-NBT (ports 137,138,139 and not 445) BUT I have found that 
explicitly specifying ports in smb.conf breaks more things than it fixes.






On 01/03/13 04:01, Gala Dragos wrote:

I'm banging my head against the wall here with a problem that I have.

I have one Samba 3 server on a linux box with 2 ethernet interfaces, each given 
a different subnet. The same box does dhcp leases on both networks, with wins 
option pointing to this server.

Firewall was configured to allow the best unobtrusive communication between the 
two subnets, I can ping between the subnets and receive response, I can also 
access some other services, like http, from one subnet to the other.

I have setup on this server a common Public share, which works.

Now I'm trying to get the Samba PC from subnet 1 to see the Samba PC from 
subnet 2 and vice versa, but to no avail. On subnet 1 I can see and access the 
server via its NetBIOS name, but on subnet 2 I can only see the server and 
access it via its IP. No other Samba PC's can be seen across the subnets! All 
pc's have the same workgroup.

What to enable in configuration in order to be able to do cross subnet browsing 
with samba ?

Thanks.




Re: [Samba] Samba 3 master browser on two networks plus WINS

2013-01-03 Thread Gaiseric Vandal
Presumably pc on subnet1 does NOT need to access a share from 
192.168.7.1 since it can access 192.168.5.1.
Presumably pc on subnet2 does NOT need to access a share from 
192.168.5.1 since it can access 192.168.7.1.



If you have a dual homed server + a router between subnets your routing 
could get a little tricky when accessing shares on the other subnet IP of 
the samba server. Or is the samba server also the router?


But to clarify, your issue is that a single-homed client PC on 
subnet1 (e.g. LIVINGROOM) can not access shares on a single-homed client 
PC on subnet2 (e.g. ACERJUNKIE) - even though they can ping each other?



It seems that WINS is not the problem.





On 01/03/13 15:41, Gala Dragos wrote:

Subnet 1 :
192.168.5.1/24, wins 192.168.5.1

subnet 2:
192.168.7.1/24, wins 192.168.7.1

all pc are allocated ip's from their respective subnet via dhcp.

a pc on subnet 1 cannot access a share from a pc on subnet 2, not even by ip. 
Same happens from subnet 2 to subnet 1.


The firewall is setup as to allow all traffic between the 2 subnets, 
effectively considering them as a single zone (I use shorewall as an UI to 
iptables)

I have not specified any ports in smb.conf, but I have bound samba to the 
required ethernet interface.

Here is the wins.dat. I can see references from both subnets.


wins.dat follows 

VERSION 1 0

WORKGROUP#1e 1357503758 0.0.0.0 e4R
ARCHROUTEUSB#03 1357503758 192.168.5.1 192.168.7.1 66R
WORKGROUP#00 1357503758 0.0.0.0 e4R
ROUTERJUNKIE#03 1357503758 192.168.5.1 192.168.7.1 64R
LIVINGROOM#20 1357541821 192.168.5.91 64R
LINUXJUNKIE#00 1357511721 192.168.5.118 64R
ROUTERJUNKIE#00 1357503758 192.168.5.1 192.168.7.1 64R
ARCHROUTEUSB RO#03 1357258441 192.168.5.1 192.168.7.1 64R
FUJILAPPY#20 1357497461 192.168.7.16 64R
ARCHROUTEUSB#00 1357503758 192.168.5.1 192.168.7.1 66R
WORKGROUP#1b 1357503758 192.168.5.1 192.168.7.1 64R
LIVINGROOM#00 1357541816 192.168.5.91 64R
LINUXJUNKIE#20 1357511723 192.168.5.118 64R
ARCHROUTEUSB RO#20 1357258441 192.168.5.1 192.168.7.1 64R
WORKGROUP#1c 1357503758 192.168.5.1 192.168.7.1 e4R
ACERJUNKIE#00 1357381531 192.168.7.15 64R
FUJILAPPY#00 1357497461 192.168.7.16 64R
ACERJUNKIE#20 1357381531 192.168.7.15 64R
ARCHROUTEUSB RO#00 1357258441 192.168.5.1 192.168.7.1 64R
ARCHROUTEUSB#20 1357503758 192.168.5.1 192.168.7.1 66R
ROUTERJUNKIE#20 1357503758 192.168.5.1 192.168.7.1 64R

end wins.dat 




Re: [Samba] Samba 3 master browser on two networks plus WINS

2013-01-03 Thread Gaiseric Vandal

WINS is not the issue since you can't connect via IP either.
Routing is not the issue since you can connect to other services.   Are 
all clients showing 5.1 or 7.1 as default gw?


It could be a firewall configuration issue on your server- although that 
does not seem likely.  Did you have to specifically add rules to allow 
HTTPS?  Can you temporarily disable the firewall on the server?


Are there firewalls enabled on the PC's? Presuming clients don't have 
problems accessing shares from other clients on the same subnet? The 
default XP firewall behavior may be to block network shares. I think 
it is possible to configure the XP firewall to allow access from some 
IP's but not others - but that is something you would have had to 
explicitly set up.


Fedora typically has a firewall enabled as well-   on fedora you have 
the system-config-firewall command to provide a gui front end (I think 
this is iptables.)  It may have specific ports and services enabled or 
disabled by default but I don't think it would have rules that filter by 
source ip enabled by default.


Can you telnet somehost 139 ?


On 01/03/13 16:16, Gala Dragos wrote:

The samba server also acts as the router.

That is correct, a pc on subnet 1 cannot access a pc on subnet 2 through samba, 
but works fine using other protocols.

Both subnet 1 and subnet 2 have pc that run Windows 7 x64, or Windows XP, or 
Linux (usually Fedora 17).

The server itself runs on Archlinux.


  It seems that WINS is not the problem.

Then what is ?





Re: [Samba] Windows Authentication

2013-01-02 Thread Gaiseric Vandal
How are you trying to connect? From a Windows 7 machine? A Windows 
XP machine? Are you using the net use command in windows?




On 01/01/13 14:36, samba.1...@9ox.net wrote:

Greetings Samba: I thought I knew something about servers and networks
but Samba has me stumped... I built a clean Fedora 17 server, disabled
the firewall and then followed install instructions from
http://www.howtoforge.com/fedora-17-samba-standalone-server-with-tdbsam-backend.
When I try to connect I receive the windows security (login) screen but no
matter what I do, I never connect. I am on the same network, have
verified my workgroups match, but do not see samba in the browser and
can not get map to drive to get past UID and PW. I have tried host
name and IP address for domain portion. Any suggestions on where to
look next?

Gerald





Re: [Samba] windows 8 jointo samba 3 domain

2012-12-18 Thread Gaiseric Vandal
Samba 3 emulates an NT4-type domain. So the NETBIOS version of the 
domain name (XX) is correct. The DNS name would only be for an 
Active Directory type domain (Windows 200x or Samba 4 servers.)



On 12/18/12 09:27, Alexandr Seidl wrote:

Hi ...

I have a problem joining win 8 pro to a samba domain.
After patching the registry,
joining domain name XX works OK

but joining domain .YYY doesn't work;
windows sends only a DNS request for the SRV record


any Idea?






Re: [Samba] static only wins server

2012-12-18 Thread Gaiseric Vandal
If your windows clients use login scripts to map drives, then they don't 
need WINS at all, since they resolve hosts via DNS.


However, if a client isn't using wins it will still use the netbios 
browser to locate resources on the network. I am not sure if you can 
totally defeat this by pointing the windows clients to an inactive WINS 
server.


If you don't have file and print sharing enabled on the windows clients 
that should prevent them from showing up as netbios resources.





On 12/18/12 13:47, Chris Smith wrote:

Since there's only a couple of server systems on the network that
actually need name resolution or to be seen via NetBIOS browsing. Is
there any reason not to run a static only WINS server with just the
information for those systems listed? If not, then how can one stop
the other systems from registering themselves?

Thanks,

Chris




Re: [Samba] not able to log on (PDC with ldap backend)

2012-12-17 Thread Gaiseric Vandal

Hi

Attachments are not supported on the mailing list.


Does the pdbedit -Lv /machinename$/ command on the samba server show 
the machine account? The account flags should be [W  ] only.


In LDAP, you should see the following attributes

objectClass=sambaSamAccount
sambaNTPassword
sambaSID
sambaAccountFlags= [W ]
sambaPrimaryGroupSID


I found that with Samba 3.5.x some of the ldap attributes were not set 
correctly and I had to manually fix the sambaAccountFlags entry.



Have you specified any ports in the smb.conf? You should stay with the 
default


smb ports = 445 139


Windows clients may try initially connecting on port 445 (SMB over TCP) 
then connect to 139 (SMB over Netbios over TCP.) In theory, you 
shouldn't need 445 but I find disabling it on samba sometimes confuses 
windows clients.






On 12/17/12 04:31, ingo.schm...@binarysignals.net wrote:

Hello,

I set up my first PDC with LDAP as backend. I'm able to join a vista
client to the domain. However, when want to log onto after rebooting the
client, it claims that the logon server is n/a. My smb and slapd.confs are
attached.

Any ideas what i did wrong or missed to configure?

Thx,
Ingo


My samba Version is: 3.5.4-5.11.1-2573-SUSE-SL11.3






Re: [Samba] not able to log on (PDC with ldap backend)

2012-12-17 Thread Gaiseric Vandal
But do you see Account Flags: [W  ] for the Vista machine 
account?


Did you also see a machine account for the samba PDC  itself?  It should 
include


Account Flags:[S  ]



Is the Vista client configured to use WINS?




On 12/17/12 10:29, ingo.schm...@binarysignals.net wrote:

Hi, I just posted my smb.conf to pastebin: http://pastebin.com/r29mgMcK

I haven't specified ports - I assumed the default ones should do.
I guess I ran more into a client side issue but I actually don't know.

pdbedit -Lv shows the Administrator and the respective machine account.
The only attribute I miss is the [A] for the Administrator account, it
shows a [U] only. But that cannot be the reason why I cannot logon. I'm
also able to ping the client from the server. So the client is basically
able to connect.

Thx,
Ingo




Re: [Samba] Samba4 - Windows 200x DNS Migration

2012-12-13 Thread Gaiseric Vandal
Windows 200x AD DC's do not require that the DNS master is on a Win 2003 
AD server. You need a BIND9 compatible server, preferably with dynamic 
updates enabled. If dynamic updates are not enabled then when a 
Windows machine joins the DC it will dump out DNS records that need to 
be added to the DNS master.


As long as the Samba4 DNS server support dynamic updates it should work 
fine for supporting other domains.



On 12/13/12 13:56, Adam Tauno Williams wrote:
Has anyone been able to migrate DNS from a Samba4 DC to a Windows 200x 
server?


I've looked around the wiki, etc... and haven't found anything pertaining 
to moving DNS between platforms.






Re: [Samba] Samba file server using ldap backend without AD or PDC?

2012-11-30 Thread Gaiseric Vandal
Can you clarify one thing - why are you using the sambaNTPassword in 
openldap if openldap is not currently used for samba authentication? I 
would have thought that you would use the standard password field.


I use Samba 3.x DC's with an ldap back end. I also use the ldap 
backend for unix authentication as well as authentication to various 
other systems that support LDAP authentication. If you are using 
one or more BDC's you really do have to use an LDAP back end. But there 
is no reason why member servers can use an LDAP backend. If the 
underlying unix account for each samba account is in /etc/passwd and not 
LDAP, you should consolidate it all into LDAP.


Do the sambaNTPassword (and other samba attributes)  in LDAP match those 
in the tdb backend?You may find you want to blast away the existing 
sambaNTPassword entries in LDAP before  you migrate the TDB data to LDAP.






On 11/30/12 08:28, Brian Gold wrote:

Hi all,

  


I've been using samba for a few years now on a couple of file servers with a
tdbsam backend for our user accounts. We use openldap for the vast majority
of our identity management, so I would love to be able to tie into this. We
recently started using sambaNTPassword in openldap for radius
authentication, so this is populated for most of our users now.

  


 From reading through some of the documentation though, I'm a bit confused as
to how this would be implemented. We don't currently have Active Directory
and don't have any samba PDC/BDCs set up. Would it be necessary for us to
have a PDC/BDC in order to use openldap as our backend?

  


Thanks,

Brian





Re: [Samba] Samba file server using ldap backend without AD or PDC?

2012-11-30 Thread Gaiseric Vandal

On 11/30/12 09:42, Brian Gold wrote:



On 2012-11-30 9:22 am, Gaiseric Vandal wrote:

Can you clarify one thing - why are you using the sambaNTPassword in
openldap if openldap is not currently used for samba authentication? I
would have thought that you would use the standard password field.


We are using the standard userPassword field for most things, but for 
radius authentication via PEAP/MSCHAPv2, we needed to use 
sambaNTPassword instead.



That makes sense




I use Samba 3.x DC's with an ldap back end. I also use the ldap
backend for unix authentication as well as authentication to various
other systems that support LDAP authentication. If you are using
one or more BDC's you really do have to use an LDAP back end. But
there is no reason why member servers can use an LDAP backend.
If the underlying unix account for each samba account is in
/etc/passwd and not LDAP, you should consolidate it all into LDAP.


We currently don't want to deploy a PDC or BDC if we don't need to. 
All we want to do is have a file server that can authenticate using 
the username/password stored in openldap.




Should be no problem.



Do the sambaNTPassword (and other samba attributes)  in LDAP match
those in the tdb backend?You may find you want to blast away the
existing sambaNTPassword entries in LDAP before  you migrate the TDB
data to LDAP.


No, our current Samba file server has a totally separate set of 
passwords. When we transition over to this new Samba file server, we 
will be having all our users use their openldap password instead. We 
do not want to sync their existing tdb passwords over to LDAP.



No, you wouldn't sync passwords to TDB.  Does your LDAP entry for 
each user currently have a SambaSID value?  Also, when you type pdbedit 
-Lv someuser you should see the unix account for the user.   The unix 
account is either explicitly created (e.g. in /etc/passwd or ldap or 
nis) or dynamically created by winbind.



# pdbedit -Lv someuser

Unix username:someuser
NT username:  someuser
Account Flags:[U  ]
User SID: S-1-5-21-x
Primary Group SID:S-1-5-21-xxx
Full Name:Some User
Home Directory:   \\someserver\users\someuser
HomeDir Drive:X:
Logon Script: logon.bat
Profile Path:
Domain:   SOMEDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  0
Kickoff time: 0
Password last set:Fri, 30 Sep 2011 09:40:43 EDT
Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF
#

Assuming you are not using winbind to allocate uids and gids for samba 
users, your LDAP user entry will eventually look something like


dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Some User
gidNumber: xx
homeDirectory: /home/someuser
sambaSID: S-1-5-21-
sn: UserLastName
uid: someuser
uidNumber: 123
displayName: Some User
gecos: Some User
givenName: Some User
loginShell: /bin/tcsh
sambaAcctFlags: [UX ]
sambaHomeDrive: X:
sambaHomePath: \\someserver\users\someuser
sambaLogonScript: logon.bat
sambaNTPassword: 
sambaPasswordHistory: 00
 00
sambaPwdLastSet: 1291843237
st: xx
street: x
telephoneNumber: x
userPassword:: 


Although the login script and network home directory are probably not 
relevant in a non-DC setup.









Re: [Samba] Samba file server using ldap backend without AD or PDC?

2012-11-30 Thread Gaiseric Vandal
So when you run pdbedit -Lv for a user, is the Unix user name an 
account in ldap?  If that is the case, then you probably just want to 
have a script that runs through a list of user names and then 
runs ldapmodify to add the appropriate samba attributes.  In theory 
you can use pdbedit to export the data, then change the backend, then 
import it back.  I found that didn't quite work.



I had originally used the NIS backend for unix accounts and the TDB backend for 
samba.  I moved from NIS to LDAP for unix accounts.  Then when I added a 
BDC I moved the samba data into ldap.  I had used smbpasswd to dump 
the data to a text file, then wrote a perl script to parse the file into 
user name, samba SID, and samba password and then rewrite it into an 
ldapmodify ldif file.  I used this file to update the existing LDAP 
accounts.


You MAYBE can use smbpasswd or pdbedit to create the samba accounts in 
LDAP but I suspect that either it won't preserve the existing password 
OR it may refuse to create the account.









On 11/30/12 12:38, Brian Gold wrote:



On 2012-11-30 11:15 am, Gaiseric Vandal wrote:

No, you wouldn't sync passwords to TDB.  Does your LDAP entry for
each user currently have a SambaSID value?  Also, when you type
pdbedit -Lv someuser you should see the unix account for the user.
The unix account is either explicitly created (e.g. in /etc/passwd or
ldap or nis) or dynamically created by winbind.



No, currently our users do not have SambaSID values in ldap.



# pdbedit -Lv someuser

Unix username:someuser
NT username:  someuser
Account Flags:[U  ]
User SID: S-1-5-21-x
Primary Group SID:S-1-5-21-xxx
Full Name:Some User
Home Directory:   \\someserver\users\someuser
HomeDir Drive:X:
Logon Script: logon.bat
Profile Path:
Domain:   SOMEDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  0
Kickoff time: 0
Password last set:Fri, 30 Sep 2011 09:40:43 EDT
Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF
#

Assuming you are not using winbind to allocate uids and gids for
samba users, your LDAP user entry will eventually look something like

dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Some User
gidNumber: xx
homeDirectory: /home/someuser
sambaSID: S-1-5-21-
sn: UserLastName
uid: someuser
uidNumber: 123
displayName: Some User
gecos: Some User
givenName: Some User
loginShell: /bin/tcsh
sambaAcctFlags: [UX ]
sambaHomeDrive: X:
sambaHomePath: \\someserver\users\someuser
sambaLogonScript: logon.bat
sambaNTPassword: 
sambaPasswordHistory: 00
 00
sambaPwdLastSet: 1291843237
st: xx
street: x
telephoneNumber: x
userPassword:: 


Although the login script and network home directory are probably not
relevant in a non-DC setup.


We are not using winbind at all currently.

Here is a sample user's ldap data:

dn: uid=tstaff,ou=people,dc=simons-rock,dc=edu
uid: tstaff
sn: Staff
uinSR: tstaff-false
givenName: Test
genderSR: m
loginShell: /bin/false
cn: Test Staff
gecos: Test Staff
mailSR: test...@simons-rock.edu
homeDirectory: /home/testaff
objectClass: person
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: personSR
objectClass: extensibleObject
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 11551
shadowWarning: 7
gidNumber: 100
shadowMax: 9
uidNumber: 7391
mail: test...@simons-rock.edu
groupSR: staff
groupSR: hidden
employeeNumber: 991991991
sambaNTPassword: REDACTED
sambaPwdLastSet: 1354296936
userPassword:: REDACTED




Re: [Samba] Samba file server using ldap backend without AD or PDC?

2012-11-30 Thread Gaiseric Vandal

On 11/30/12 16:11, Brian Gold wrote:

On 2012-11-30 4:01 pm, Gaiseric Vandal wrote:

So when you run pdbedit -Lv for a user, is the Unix user name an
account in ldap?  If that is the case, then you probably just want to
have a script that runs through a list of user names and then
runs ldapmodify to add the appropriate samba attributes.  In theory
you can use pdbedit to export the data, then change the backend, then
import it back.  I found that didn't quite work.


I had originally used the NIS backend for unix accounts and the TDB backend
for samba.  I moved from NIS to LDAP for unix accounts.  Then when I
added a BDC I moved the samba data into ldap.  I had used smbpasswd
to dump the data to a text file, then wrote a perl script to parse the
file into user name, samba SID, and samba password and then rewrite
it into an ldapmodify ldif file.  I used this file to update the
existing LDAP accounts.

You MAYBE can use smbpasswd or pdbedit to create the samba accounts
in LDAP but I suspect that either it won't preserve the existing
password OR it may refuse to create the account.



Here is the output for that same user when I do a pdbedit. The unix 
username is being pulled from ldap.

pdbedit -Lv testaff
Unix username:testaff
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-2531268310-2106678637-3833209162-15782
Primary Group SID: S-1-5-21-2531268310-2106678637-3833209162-513
Full Name:Test Staff
Home Directory:   \\elephant\testaff
HomeDir Drive:
Logon Script:
Profile Path: \\elephant\testaff\profile
Domain:   ELEPHANT
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Fri, 27 Jun 2008 16:50:45 EDT
Password can change:  Fri, 27 Jun 2008 16:50:45 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF



Worth a try I guess.

As it is, I'm planning on totally scrapping this existing samba file 
server when we move to using ldap passwords. The only things that need 
to carry over are the files on the file server itself. I'm totally 
fine with not using any of the data that is in tdb currently.
Is there a way to autogenerate the samba SID (since I don't 
necessarily need the one that is being used in my current samba file 
server) and whatever other samba fields might be needed for all of my 
existing ldap accounts?



If you write a script you could probably increment the SID for each 
entry.  The pdbedit and smbpasswd commands will create all the 
necessary fields, including automatically creating a unique SID.  But I 
just don't know if it will complain the account already exists.  I think it 
won't complain the account exists (since not all the necessary fields 
are there) BUT it will probably complain that the account could not be 
created.  I don't think you will know till you test it.





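Worked example of the migration step discussed in this thread (added here; it is not a script from the thread or from the Samba project): a small Python tool that reads the existing posixAccount entries as LDIF and emits the ldapmodify LDIF that adds the sambaSamAccount attributes, skipping entries that already carry a sambaSID and never overwriting attributes that are already present. It assumes Samba's default algorithmic RID mapping (RID = 2 * uidNumber + 1000), which is consistent with the pdbedit output posted above (uid 7391 maps to RID 15782); the domain SID is the one shown in that output; the well-known "Domain Users" RID 513 is used as every user's primary group; the dc=example,dc=edu base and the two sample entries are constructed. An entry that has no sambaNTPassword yet is emitted with the disabled flag ([UD]) so the account cannot be used before a Samba password is set.

```python
"""Generate ldapmodify LDIF that adds sambaSamAccount attributes to existing
posixAccount entries (added example, not code from this thread).

Assumptions: Samba's default "algorithmic rid base" of 1000, so a user's RID
is 2*uidNumber + 1000; the domain SID is the one shown in the thread's pdbedit
output; "Domain Users" (RID 513) is every user's primary group; the sample
entries below are constructed.
"""
import time

ALGORITHMIC_RID_BASE = 1000   # Samba default "algorithmic rid base"
DOMAIN_USERS_RID = 513        # well-known RID of "Domain Users"
DOMAIN_SID = "S-1-5-21-2531268310-2106678637-3833209162"  # from the thread
SAMBA_ATTRS = ("sambaSID", "sambaPrimaryGroupSID",
               "sambaAcctFlags", "sambaPwdLastSet")


def uid_to_rid(uid_number, rid_base=ALGORITHMIC_RID_BASE):
    """Algorithmic user RID, as Samba derives it from a POSIX uid."""
    return 2 * uid_number + rid_base


def parse_ldif(text):
    """Minimal LDIF reader: folds leading-space continuation lines, splits
    entries on blank lines, keeps multi-valued attributes as lists, and tags
    base64 values ('::') so they are never treated as plain text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # continuation of previous line
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):              # "attr:: base64"
            value = ("b64", value[1:].strip())
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return entries


def samba_modify_ldif(entry, domain_sid, pwd_last_set):
    """One ldapmodify record for a POSIX user lacking Samba attributes,
    or None if the entry is already migrated or is not a posixAccount."""
    dn = entry.get("dn", [None])[0]
    if dn is None or "sambaSID" in entry or "uidNumber" not in entry:
        return None
    rid = uid_to_rid(int(entry["uidNumber"][0]))
    out = [f"dn: {dn}", "changetype: modify"]
    if "sambaSamAccount" not in entry.get("objectClass", []):
        out += ["add: objectClass", "objectClass: sambaSamAccount", "-"]
    # [U] = normal user; an account with no NT hash yet is created disabled
    # ([UD]) so it cannot be used until the owner sets a Samba password.
    flags = "[U          ]" if "sambaNTPassword" in entry else "[UD         ]"
    values = {
        "sambaSID": f"{domain_sid}-{rid}",
        "sambaPrimaryGroupSID": f"{domain_sid}-{DOMAIN_USERS_RID}",
        "sambaAcctFlags": flags,
        "sambaPwdLastSet": str(pwd_last_set),
    }
    for attr in SAMBA_ATTRS:
        if attr not in entry:                  # never overwrite what exists
            out += [f"add: {attr}", f"{attr}: {values[attr]}", "-"]
    return "\n".join(out) + "\n"


def build_modify_ldif(ldif_text, domain_sid, pwd_last_set=None):
    """Whole-directory pass: concatenated ldapmodify records."""
    if pwd_last_set is None:
        pwd_last_set = int(time.time())
    records = [samba_modify_ldif(e, domain_sid, pwd_last_set)
               for e in parse_ldif(ldif_text)]
    return "\n".join(r for r in records if r)


# Constructed sample: a trimmed posixAccount like the thread's tstaff entry
# (already has an NT hash, no SID) and one entry that is already migrated.
SAMPLE_LDIF = """\
dn: uid=tstaff,ou=people,dc=example,dc=edu
uid: tstaff
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 7391
gidNumber: 100
sambaNTPassword: REDACTED
sambaPwdLastSet: 1354296936
userPassword:: UkVEQUNURUQ=

dn: uid=done,ou=people,dc=example,dc=edu
uid: done
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 7392
sambaSID: S-1-5-21-2531268310-2106678637-3833209162-15784
"""

if __name__ == "__main__":
    print(build_modify_ldif(SAMPLE_LDIF, DOMAIN_SID), end="")
```

Run it against an ldapsearch dump of the people subtree, review the output, then apply it with ldapmodify; afterwards pdbedit -Lv for a migrated user should show the new SID. The primary group SID is the one thing to check against your own setup: it has to correspond to a group that exists in net groupmap list, otherwise logons fail even though the user entry looks complete.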


Re: [Samba] Local Administrator access

2012-11-26 Thread Gaiseric Vandal
With Windows7, the 1st account you create  during the initial setup is 
typically a member of the local admin group.  The actual Administrator 
account is normally disabled.  Did this 1st account get deleted?


When you joined the domain, the Domain Admins group should have been 
added to the local Admin group.


This can get messed up if your group mappings are not set up correctly.

Also, I think when running the net command you may want to use -U 
Administrator to use the credentials of your domain Administrator 
account  (assuming one has been defined.)  In my setup the unix root 
does not have a samba account.





On 11/26/12 10:03, Knut Olav Bøhmer wrote:

Hi,

I have a windows 7 machine without a local administrator account.
I need to create such an account. I can log in to the machine with a user
on my samba domain.

What do I need to do in order to get administrator access, or access to
create a local administrator account?

I have tried to do this:

[root@float samba]# net rpc group addmem Administrators 'DOMAIN\username'
Enter root's password:
Could not add SKOLELINUX\knobo to Administrators: NT_STATUS_NO_SUCH_ALIAS

I have tried to give some rights this way:

net rpc rights grant 'DOMAIN\username' SeMachineAccountPrivilege
SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege
SeUndockPrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege
SePrintOperatorPrivilege SeCreateGlobalPrivilege
SeEnableDelegationPrivilege  SeUndockPrivilege  SeTakeOwnershipPrivilege

And it does what I tell it:
[root@float samba]# net rpc rights list knobo
Enter root's password:
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemProfilePrivilege
SeUndockPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege


But I'm still prompted for username and password, when I try to access the
user accounts in windows 7.

Any suggestions?


Regards




Re: [Samba] Local Administrator access

2012-11-26 Thread Gaiseric Vandal
Have you tried logging into the PC using the samba domain administrator 
account?


Assuming the PC was properly joined to the domain then you should be 
able to configure the local accounts and groups.


You can create a domain group that is then a member of the PC's local 
administrator group.  This will allow you to define samba users who are 
PC administrators but NOT domain administrators.


Whoever joins a PC to a domain needs to be both a local administrator 
on that computer and (in most cases) have domain administrator 
credentials.  (If the machine account was created in advance then the 
domain administrator credentials should not be needed.)


Are you sure the PC was joined to the domain?



On 11/26/12 10:51, Knut Olav Bøhmer wrote:
2012/11/26 Gaiseric Vandal gaiseric.van...@gmail.com 
mailto:gaiseric.van...@gmail.com


With Windows7, the 1st account you create  during the initial
setup is typically a member of the local admin group.  The actual
Administrator account is normally disabled.  Did this 1st
account get deleted?


I did not install the computer. How can I find out if there is such a 
user? But, I don't have the password anyway.


When you joined the domain, the Domain Admins group should have
been added to the local Admin group.


Ok, so the trick is to get my user a member of the Domain Admins group.

This can get messed up if your group mappings are not set up
correctly.

Also, I think when running the net command you may want to use
-U Administrator to use the credentials of your domain
Administrator account  (assuming one has been defined.)  In my
setup the unix root does not have a samba account.





On 11/26/12 10:03, Knut Olav Bøhmer wrote:

Hi,

I have a windows 7 machine without a local administrator account.
I need to create such an account. I can log in to the machine
with a user
on my samba domain.

What do I need to do in order to get administrator access, or
access to
create a local administrator account?

I have tried to do this:

[root@float samba]# net rpc group addmem Administrators
'DOMAIN\username'
Enter root's password:
Could not add SKOLELINUX\knobo to Administrators:
NT_STATUS_NO_SUCH_ALIAS

I have tried to give some rights this way:

net rpc rights grant 'DOMAIN\username' SeMachineAccountPrivilege
SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege
SeUndockPrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege
SePrintOperatorPrivilege SeCreateGlobalPrivilege
SeEnableDelegationPrivilege  SeUndockPrivilege
 SeTakeOwnershipPrivilege

And it does what I tell it:
[root@float samba]# net rpc rights list knobo
Enter root's password:
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemProfilePrivilege
SeUndockPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege


But I'm still prompted for username and password, when I try
to access the
user accounts in windows 7.

Any suggestions?


Regards






--
Knut Olav Bøhmer
41 000 108





Re: [Samba] help

2012-11-16 Thread Gaiseric Vandal

Is this samba 3.x?

Samba 3.x  domains and domain controllers function like Windows NT4 
domains.  They are not like Windows 200x Active Directory servers and 
domains.


The domain name has to be a simple netbios compatible name.  A single 
name, not an fqdn.  I do not believe that '.' is a valid character.  I 
think the domain name can not exceed 15 or 15 characters.




On 11/15/12 14:38, Hanganu Sergiu wrote:

hello
I am not speaking English very well

I am trying to configure samba. I am using debian as O.S.
my problem is :

I want to configure a local domain as PDC

this is a part of a little example
workgroup = MIDEARTH
domain logons = Yes
domain master = Yes
security = User



workgroup = MIDEARTH.MILANO
domain logons = Yes
domain master = Yes
security = User


my domain will be MIDEARTH

This is working, but if I change it to MIDEARTH.MILANO it is not 
working when I try to connect an XP Pro client.
With the domain name MIDEARTH it is working, but if I change it to 
MIDEARTH.MILANO like an fqdn it is not working and

I don't understand why..
I am trying to find the same example on google but I can't find anything 
like this..




PLEASE HELP ME
THANK YOU





Re: [Samba] using samba similar to windows shares

2012-10-09 Thread Gaiseric Vandal
You can have the share permissions granting access to everyone , and 
then use file system permissions to limit the access to the appropriate 
groups for each folder.


This is the same approach you would use with a real Windows server.



On 10/09/12 16:17, 鱼 wrote:

Hi,

I would like to share a main folder (main) with everyone but have different
access rights to a subfolder of main (subfolder) with 2 groups. Is it
possible that this can be done with samba?

Regards
LC






Re: [Samba] Share working with IP not with hostname

2012-09-12 Thread Gaiseric Vandal

On 09/10/12 13:52, Nitin Thakur wrote:

hi guys

I managed to setup the share. I am able to access the share with IP address, 
but as soon as I try to do it via hostname, I get a user name and password pop 
up, which always fail to authenticate. Any setting I am missing?

Thanks

nitin



What version of Samba?

My guess is there is some sort of name lookup mismatch.  Are you using 
a domain or workgroup?  Are you using WINS?  Are you using DNS?  If 
the samba server is the WINS server you should be able to cat wins.dat 
and tdbdump wins.tdb to verify that the names are the same.  In 
smb.conf, does the samba server netbios name match the DNS name?



What is the client OS?

The only other thing that might be happening is that the client and 
server are mismatching on using NTLM vs NTLMv2.  The samba logs should 
show that.  I could NOT get NTLMv2 to work on my samba servers; I had to 
explicitly disable it in smb.conf.



Re: [Samba] Samba complie problem

2012-08-31 Thread Gaiseric Vandal
Compiling Samba on Solaris 10 can be a real challenge.  A lot of the
issues seem to be related to the old version of ld. I would expect
that you would have more luck on Solaris 11 but I have not tried it yet. 

I ended up using Sun Studio and dmake. If you can look for older
posts from me there should be notes on what I did.

Solaris 10 (with the latest updates) should include samba 3.5.x.  A
lot less aggravation than compiling IF it meets your needs.

On 08/31/12 12:16, Nitin Thakur wrote:
 Well managed to fix it, it was openladap. Now I have problem with make: -

   SONAMEFLAG = -Wl,-soname=
 Linking shared library bin/libtalloc.so.2
 /usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/../../../../sparc-sun-solaris2.10/bin/ld:
  anonymous version tag cannot be combined with other version tags
 collect2: ld returned 1 exit status
 *** Error code 1
 The following command caused the error:
 gcc -I/opt/local/samba/include -I/opt/local/samba/include -I.  
 -I/opt/local/samba-3.6.7/source3  
 -I/opt/local/samba-3.6.7/source3/../lib/iniparser/src  -Iinclude -I./include  
 -I. -I. -I./../lib/replace -I./../lib/tevent -I./librpc -I./.. 
 -I./../lib/talloc -I../lib/tdb/include  -DHAVE_CONFIG_H  
 -I/opt/local/samba/include -I/opt/local/samba/include -I/usr/local/inclue 
 -I/usr/sfw/include -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 
 -DLDAP_DEPRECATED -DSUNOS5-I/opt/local/samba-3.6.7/source3/lib  -I..  
 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -shared -Wl,-z,relro 
 -L/opt/local/samba/lib -R/opt/local/samba/lib -L/opt/local/samba/lib 
 -R/opt/local/samba/lib -L/usr/local/lib -L/usr/sfw/lib -R/usr/local/lib 
 -R/usr/sfw/lib -R/usr/lib -lthread -L./bin -lc -Wl,-z,defs 
 -Wl,--version-script,/opt/local/samba-3.6.7/source3/exports/`basename 
 bin/libtalloc.so.2 | sed 's:\.so[\.0-9]*$:.syms:'` -o bin/libtalloc.so.2 
 ../lib/talloc/talloc.o ./../lib/replace/replace.o ./../lib/replace/snprintf.o
 ./../lib/replace/getpass.o ./../lib/replace/strptime.o 
 ./../lib/replace/timegm.o  ./../lib/replace/getifaddrs.o -lnsl -lsocket 
 -Wl,-soname=`basename bin/libtalloc.so.2`
 make: Fatal error: Command failed for target `bin/libtalloc.so.2'

 Any idea?

 Thanks

 Nitin

 From: nitintha...@hotmail.com
 To: samba@lists.samba.org
 Date: Thu, 30 Aug 2012 18:49:50 +
 Subject: Samba complie problem

 hi  all

 Samba build problem when compiling with --with-ads

 I have compiled kerberos and openldap in /opt/local/samba and I am using gcc 
 with gnu binutils. It's a solaris 10 sparc.

 Configure gives me following error: -

 checking for LDAP support... yes
 checking ldap.h usability... yes
 checking ldap.h presence... yes
 checking for ldap.h... yes
 checking lber.h usability... yes
 checking lber.h presence... yes
 checking for lber.h... yes
 checking for ber_tag_t... yes
 checking for ber_scanf in -llber... yes
 checking for ber_sockbuf_add_io... yes
 checking for LDAP_OPT_SOCKBUF... yes
 checking for LBER_OPT_LOG_PRINT_FN... yes
 checking for ldap_init in -lldap... no
 checking for ldap_set_rebind_proc... no
 checking whether ldap_set_rebind_proc takes 3 arguments... 3
 checking for ldap_initialize... no
 configure: error: libldap is needed for LDAP support

 Config.log output: -

 configure:25335: gcc -o conftest -I/opt/local/samba/include 
 -I/opt/local/samba/include -D_REENTRANT -D_LARGEFILE_SOURCE 
 -D_FILE_OFFSET_BITS=64 -I/usr/include -L/opt/local/samba/lib 
 -R/opt/local/samba/lib -lthread -L./bin -L/usr/lib conftest.c -lldap -llber  
  -lresolv -lrt-lnsl -lsocket  -lmd5 -lrt  -liconv 5
 /usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/../../../../sparc-sun-solaris2.10/bin/ld:
  /opt/local/samba/lib/libldap.so: dladdr: invalid version 12 (max 0)
 /opt/local/samba/lib/libldap.so: could not read symbols: Bad value

 I installed openldap in /opt/local/samba.

 # find /opt/local/samba -name libldap\*
 /opt/local/samba/lib/libldap_r.a
 /opt/local/samba/lib/libldap.so
 /opt/local/samba/lib/libldap.la
 /opt/local/samba/lib/libldap-2.4.so.2
 /opt/local/samba/lib/libldap.a
 /opt/local/samba/lib/libldap_r.so
 /opt/local/samba/lib/libldap_r-2.4.so.2
 /opt/local/samba/lib/libldap-2.4.so.2.8.4
 /opt/local/samba/lib/libldap_r-2.4.so.2.8.4
 /opt/local/samba/lib/libldap_r.la

 Thanks

 Nitin
 





Re: [Samba] join domain from different subnet (VPN)

2012-08-30 Thread Gaiseric Vandal
Did you try a packet capture on the samba server? 

Try adding an entry for the XP machine in the server's /etc/hosts file. 

I am guessing there is some sort of weird name resolution issue going on
with the server.I don't think there is any reason the server should
need to resolve the name of the client machine but I have had weird
issues with VPN connections before. 

This is a site-to-site VPN?  

On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
 Hello everybody,

 we have a problem joining a domain from a remote location.

 The remote location is connected via VPN. Everything is working as expected 
 but joining the samba domain from the remote location does not work.

 - Server Samba Version is 3.5.10
 - Windows Client is XP SP3
 - Joining the domain locally works without problems
 - ping does work in both directions
 - WINS is running on the local PDC and resolves across VPN (I tested with a 
 Linux client using nbmlookup)
 - the WINS server is configured on the client
 - NetBIOS over TCP/IP is enabled on the client
 - Windows on the client firewall is OFF
 - even adding entries to the client's lmhosts file didn't solve the problem


 Any suggestions?


 thx

 Carsten




Re: [Samba] join domain from different subnet (VPN)

2012-08-30 Thread Gaiseric Vandal
Do the routers block any ports or netbios traffic?

Did you restrict the samba ports in smb.conf?  Samba I think listens
by default on 137, 138, 139 + 445.  445 is for SMB-over-IP, which
isn't actually used by samba 3.x.  XP machines will try to connect to
445 then redirect to 137-139 for classic SMB-over-NBT.
Restricting the ports may cause more issues than it solves. 

I can't think of anything else that would cause issues with a routed
environment. 





On 08/30/12 11:09, real-men-dont-cl...@gmx.net wrote:
 Hi,

 I already tried that, no success.

 The VPN connects two subnets via OpenVPN with dedicated routers on each side.


 thx

 Carsten



 -Original message-
 To:   samba@lists.samba.org; 
 From: Gaiseric Vandal gaiseric.van...@gmail.com
 Sent: Thu 30-08-2012 14:58
 Subject:  Re: [Samba] join domain from different subnet (VPN)
 Did you try a packet capture on the samba server? 

 Try adding an entry for the XP machine in the server's /etc/hosts file. 

 I am guessing there is some sort of weird name resolution issue going on
 with the server.I don't think there is any reason the server should
 need to resolve the name of the client machine but I have had weird
 issues with VPN connections before. 

 This is a site-to-site VPN?  

 On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
 Hello everybody,

 we have a problem joining a domain from a remote location.

 The remote location is connected via VPN. Everything is working as 
 expected 
 but joining the samba domain from the remote location does not work.
 - Server Samba Version is 3.5.10
 - Windows Client is XP SP3
 - Joining the domain locally works without problems
 - ping does work in both directions
 - WINS is running on the local PDC and resolves across VPN (I tested with a 
 Linux client using nbmlookup)
 - the WINS server is configured on the client
 - NetBIOS over TCP/IP is enabled on the client
 - Windows on the client firewall is OFF
 - even adding entries to the client's lmhosts file didn't solve the problem


 Any suggestions?


 thx

 Carsten






Re: [Samba] Samba PDC: Admin tools?

2012-08-30 Thread Gaiseric Vandal
I use apache directory studio for LDAP management.  It is not samba
specific but  it is easy enough to use existing user, group or machine
objects as templates for new ones.  It runs on Windows and Linux (and
maybe on Mac.)



On 08/25/12 16:39, John Drescher wrote:
 On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno ports...@gmail.com wrote:
  Guys.

  I have use smbldap-tools to handle my accounts for my PDC with 
 samba+openldap.

  Now, I ask here because a lot of people have PDC running on their
 networks, what tools do u use to manage your openldap db for samba:
 users, machines, groups?

  Working with Centos 6.x.

  Any input will be appreciated, thanks!!!

 I use ldap account manager to manage my users / machines / group accounts.

 John




Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-10 Thread Gaiseric Vandal
The Domain Users group should have automatically been added to the local
users group when you joined the domain. 

When I upgraded from Samba 3.0.x to 3.5.x I had an error in the group
mappings on one of the DCs that caused problems for a while.  I also
had to explicitly add a mapping for the nobody user and group.

I think I may have explicitly granted the domain administrator the
privilege to add machines to the domain:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html#rp-privs

But I think I only had to do that because the administrator was not
recognized as being a domain admin (or local admin) because the group
mapping was broken.

If you add a network user to the local admin group, and login works,
then there is definitely a local security issue.My guess is that the
OS creates the new user local profile directory but then has problems
assigning file permissions/ownership for the network user. 


On XP , if you right click My Computer and look at profiles, you could
see if the profile for a user was local, roaming or temporary.  Win 7
should have the same option.




On 08/09/12 18:03, Brandon wrote:
 Are your group mappings correct?   I ask because it may be that the
 Domain Users is not properly recognized as a member of the Users
 group on the PC.  Can you login as the domain (or local) admins and
 explicitly add domain users and domain groups to a local group?

 An update to this: I was able to add domain users after a reboot.  So
 I've added MYWORKGROUP\myadmin to my Users group on the local machine.

 I was also able to search my domain for users, and came up with a list
 of my users, a nobody user, and a Domain Admins group.  I've added
 MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to
 the User group on the local machine.  I am still getting the same
 errors when logging on though.

 It seems to me like it's trying to pull a roaming profile when I have
 roaming profiles disabled (or I thought I did), and/or windows doesn't
 actually know the netbios name, based on the series of these events:

 Windows cannot copy file \\?\C:\Users\Default\Documents to location
 \\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by
 network problems or insufficient security rights.






Re: [Samba] Add machines for join a domain

2012-08-10 Thread Gaiseric Vandal
Do you mean when you join a Linux machine to the domain?  Or do you mean
when you join a Windows machine to the domain.

You do need a unix account for all machines that will be in the
domain.  You can configure samba to automatically create the LDAP
accounts for machines when they are added.  I haven't done this. The
procedure is somewhere in the documentation.  I just created machine
accounts as needed as I added the machines.

On 08/10/12 14:56, rodrigo tavares wrote:
 Hello !

 I configured samba and ldap, and when I join the domain I get this error: not 
 possible to locate the name of user.

 Searching about this error in Google, the solution is to create the 
 machine names in the Linux system. 

 But I have 50 machines, and creating all the machine users is very bad.

 Is there another solution?

 Thanks

 Rodrigo Faria  




Re: [Samba] samber server in openvz container - venet oder veth0?

2012-08-10 Thread Gaiseric Vandal

If you don't use WINS, and you are trying to log into the domain, the
client will broadcast for a DC server.   This normally works OK if
everything is on the same LAN.  If broadcast doesn't work, then using
WINS helps find the DCs, since the WINS database on the WINS server
includes name-to-ip entries for DCs as well as hosts.



For simpler things like connecting to network shares, Windows clients
can use DNS to find machine names.  So if you want to map a user drive
(e.g. net use R: \\someserver\someshare) this should work fine without
WINS.  After all, the client is doing all the name resolution.  This
is supposing of course that the server's IP name and netbios name are the
same.


However, in practice there does seem to be a server side issue.  I
have several samba servers and I ran into the following problem:

from a VPN client, I could use net use \\server1_hostname and net use
\\server2_hostname to connect to shared resources.  I could NOT use
net use \\server3_hostname.  VPN clients did not use WINS, and NETBIOS
broadcasts were blocked for VPN clients, even though the VPN client
appeared to be on the same subnet.  VPN clients could resolve host
names via DNS.  They could even connect with net use
\\server3_IP_address.  Packet captures showed that the clients were in
fact reaching server3_hostname but that server3 would not respond.
The server should NOT be attempting to resolve the client names but, for
some reason, it was.






On 08/10/12 14:44, Birgit Berger (UV Wien) wrote:
 sorry, to bother you again.

 I cannot join win7 or winXP clients to my samba domain server located on a
 debian server in a VE (openvz) unless I set up the server and clients to
 use WINS. But the recommendation is not to use WINS. openvz natively uses
 venet. venet makes broadcasting impossible.

 I guess DNS is sufficient for name-IP resolution but not for NetBios
 name-IP resolution (it doesn't know name types and maybe that's why it
 cannot find DMB and logon server?) and that's why my win7 and winXP
 clients cannot join the domain.

 So given my virtual server setup with openvz, would you rather suggest
 using WINS or setting up veth so I can use normal broadcasting?
 Or are there other ways to do name resolution with a samba server
 installed in a VE container which I have overlooked?

 I'm a newbie and netbios name resolution is hard to understand. So I would
 be very happy to get any suggestions from people already using a samba
 server in an openvz container: do you guys use venet or veth, or do you
 just activate WINS?

 birgit





 ===

 thank you Johannes. no, I don't really need WINS but it was the only way I
 could join clients to the domain so far. so I activated it. DNS should be
 available and working too.

 /etc/nsswitch.conf looks like this:
 hosts: files dns

 Can I use venet with samba or should I change to veth? 

 regards, birgit



 Johannes Truschnigg johan...@truschnigg.info schreibt:
 Hi Birgit,

 On Tue, Aug 07, 2012 at 01:38:32PM +0200, Birgit Berger (UV Wien) wrote:
 I'm new to the list. hopefully my question is correctly placed here...

 I'd installed my samba server 3.5.6 on debian squeeze in an openvz
 container that uses venet. I'd love to keep it that way but I'm not sure
 if that is ok. Do you use samba server with venet or do I have to change
 to veth?

 I already read http://wiki.openvz.org/Differences_between_venet_and_veth
 and I don't want to install shorewall in every container (VE). Also venet
 seems easier to administrate and is faster.

 I read
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
 and nmblookup (chapters 4,5,6 and 10) doesn't work. This is because of
 venet, I suppose. Because with venet broadcasting doesn't work. But do I
 really need it for the Samba server or can I just use DNS (on other
 servers than the samba server) and WINS server (on the samba server)?
 Can I stick to venet or should I use veth?

 Do you have clients on the network that you know absolutely require WINS
 for resolving names? (I'd actually have a hard time believing that, but
 who knows...) Other than that, not having WINS but DNS as its modern and
 sensible replacement in working condition should be perfectly sufficient
 for your day to day Samba (and other networking) needs. I've been running
 Samba without nmbd enabled for a few years now (with Windows XP, Windows 7
 and GNU/Linux as clients) and did not run into any problems because of
 that.

 Grüße aus und nach Wien ;)

 -- 
 with best regards:
 - Johannes Truschnigg ( johan...@truschnigg.info )

 www:   http://johannes.truschnigg.info/
 phone: +43 650 2 17
 xmpp:  johan...@truschnigg.info

 Please do not bother me with HTML-email or attachments. Thank you.


 Johannes Truschnigg johan...@truschnigg.info schreibt:
 Hello again,

 On Tue, Aug 07, 2012 at 02:28:24PM +0200, Birgit Berger (UV Wien) wrote:
 thank you Johannes. no, I don't really need WINS but it was the only
 

Re: [Samba] 3.0.9-3.0.37 Deleting files not working

2012-08-09 Thread Gaiseric Vandal
I ran into issues when I switched to ZFS.  The problem is that ZFS
ACLs seem to be more similar to NTFS ACLs (compared to UFS-NTFS
compatibility).  But you can run into an issue where perms that are
additive in unix are interpreted as least permissive or deny trumps
all in Windows.

For example, a 770 perm in unix means user and group are granted full
perms, no perms are granted to anyone else.  In Windows this can get
interpreted as deny the world even if the user or group had explicitly
been granted permissions.

Samba 3.0.x from source code does not include the zfs modules.  The
version bundled with the OS (from Sun) has it backported.  Assuming
you are using the version from Sun?   They should be up to 3.5.x.

I added some vfs and nfs parameters in my share configs.   I had to open
a support ticket with Sun/Oracle, since Office files would get deleted
on the 5th or 7th save when Office tried to rewrite the entire file.



[projects]
path = /export/Projects
#valid users = @group1, user1
read only = No
create mask = 0770
force create mode = 0600
directory mask = 0775
force directory mode = 0600
vfs objects = zfsacl
nfs4: mode = special
zfsacl: acesort = dontcare
inherit acls = Yes
nfs4:acedup = merge
nfs4:chown = yes



The inheritance thing is also a little tricky -  even though zfs supports
inheritance, I think the Windows inheritance rules are used for the
Windows clients-  which is fine.   (The latest kernel update seems to
have changed something though.)

Setting zfs ACL perms via command line is a PITA.   It is probably
easier for the windows owner of the file to reset permissions- he or she
may get a message that the perms are incorrectly ordered, and he/she may
need to clear out explicit deny access control entries.

I skipped the valid users entry in the share config, since the
permissions are enforced via ACLs anyway.


Samba permissions with UFS did not cause as much headache for me.



On 08/09/12 03:02, ing...@gmx.net wrote:
 x86 zfs and Sparc ufs. Problem happens on both platforms though.

 On 08/08/12 08:01, gaiseric.van...@gmail.com wrote:

 zfs or ufs?

 On 08/08/12 08:01, ing...@gmx.net wrote:
 Hello,

 we were using Samba 3.0.9 on Solaris 10 x86 and Sparc in a production
 environment and upgraded to 3.0.37 to fix a security vulnerability.
 Now we experience problems in some circumstances when we try to delete a
 file from a share mounted by a Windows client.
 The share is named ZENTRAL. This is the share entry:
 [ZENTRAL]
 comment=Ablage ZENTRAL
 path=/daten/ablagen/ZENTRAL
 case sensitive=no
 create mask=0770
 valid users=@ZENTRAL
 write list=@ZENTRAL
 force group=ZENTRAL

 These are the unix rights:
 drwxrwx---   2 root   other      512 Aug  8 11:15 .
 drwxrwx--x  35 root   ZENTRAL   2048 Aug  8 10:26 .. (This is the
 share root directory: /daten/ablagen/ZENTRAL)
 -rwxrwxrwx   1 user1  ZENTRAL      0 Aug  8 11:15 neu.txt

 user1 belongs to the groups other and ZENTRAL and is able to delete this
 file using a unix shell after navigating to the directory, but he is not
 able to delete it using the samba share. He gets a permission denied.
 This behaviour is new. With 3.0.9 it is possible to delete this file.
 When I chgrp the directory . to ZENTRAL everything works as expected with
 3.0.37 too. The problem only exists when the . directory does not have
 the same group as the share.
 If needed, here is our global section. Some of these entries could be
 plain wrong respectively not needed, but we are not able to change them
 easily because of company guidelines.
 [global]
 os level=65
 password level=1
 security=user
 encrypt passwords=yes
 smb passwd file=/usr/local/samba/private/smbpasswd
 workgroup=ourgroup
 guest account=nobody
 max log size=30
 share modes=yes
 locking=yes
 strict locking=yes
 lock directory=/var/adm/samba/locks
 ;   max log size = 5000
 log level=1
 log file=/var/adm/samba/smb.log
 pid directory=/var/run
 server string=%h
 force directory mode=0770
 browseable=no
 follow symlinks=no
 preserve case=no
 short preserve case=no
 case sensitive=no
 oplocks=no
 level2 oplocks=no
 wins support=yes


 The question is: Is this a bug or a feature? If a feature, then what is the
 intention behind this feature, as the user has delete rights for this file
 using unix and so should have these rights using samba too, I think.
 Is there a conf parameter that we can set to get back the old behaviour?

 With kind regards,
 Björn





Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Gaiseric Vandal
Did you make the appropriate registry changes on Win 7 as per

http://wiki.samba.org/index.php/Windows7





On 08/09/12 09:28, Brandon wrote:
 Here's some more information on my problem:

 smb.conf:
 --- begin smb.conf ---
 [global]
 workgroup = MYWORKGROUP
 server string = %h server (Samba, Ubuntu)
 map to guest = Bad User
 obey pam restrictions = Yes
 pam password change = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 unix password sync = Yes
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1000
 add machine script = /usr/sbin/useradd -g machines -c %u
 machine account -d /var/lib/samba -s /bin/false %u
 logon script = logon.cmd
 logon path =
 logon home =
 domain logons = Yes
 dns proxy = No
 usershare allow guests = Yes
 panic action = /usr/share/samba/panic-action %d
 idmap config * : backend = tdb

 [homes]
 comment = Home Directories
 valid users = %S
 read only = No
 create mask = 0700
 directory mask = 0700
 browseable = No

 [netlogon]
 comment = Network Logon Service
 path = /srv/samba/netlogon
 guest ok = Yes

 [printers]
 comment = All Printers
 path = /var/spool/samba
 create mask = 0700
 printable = Yes
 print ok = Yes
 browseable = No

 [print$]
 comment = Printer Drivers
 path = /var/lib/samba/printers
 --- end smb.conf ---

 Here's the pdbedit -Lv spitout for my user:

 --- begin output---
 Unix username:        myadmin
 NT username:
 Account Flags:        [U          ]
 User SID:             S-1-5-21-2762049607-2166809996-183419993-1000
 Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
 Full Name:
 Home Directory:
 HomeDir Drive:
 Logon Script:         logon.cmd
 Profile Path:
 Domain:               MYWORKGROUP
 Account desc:
 Workstations:
 Munged dial:
 Logon time:           0
 Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
 Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
 Password last set:    Wed, 08 Aug 2012 17:54:50 EDT
 Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FF
 --- end output ---






Re: [Samba] Samba 3.3.4 - Win7 Latency with MS Office files

2012-08-09 Thread Gaiseric Vandal
Did you try enabling the name service caching daemon on the server?
(It has its pros and cons.)

I would also try XP + Office 2010 and Win 7 + Office 2007 to see if you can
shake out which is the actual problem.

Also, can you configure Office to store temp files on the local PC, and
not in the same directory where the Office file is located?



On 08/08/12 16:51, John Goubeaux wrote:
 Folks,

 I am running a 3.3.4 version of Samba (stand alone) on Solaris 10
 configured to auth against LDAP for user auth and have recently,
 after migrating a variety of user desktops to Win7 and MS Office
 2010, begun seeing an increased latency in opening files, i.e.
 previous 3 times are now 30-45

 Users were previously running WinXP and using MS office 2007.

 Question:  Is an upgrade to the latest stable 3.x  Ver  likely to
 resolve this OR am I also missing some more stringent security
 settings I need to address b/c of Win7 ?

 Any ideas or clues appreciated.

 -john






Re: [Samba] LDAP - Samba password synchronization

2012-08-09 Thread Gaiseric Vandal
The best approach is to configure samba to change the ldap password when
a samba password changes.  See the smb.conf man page and password sync
and password chat options.

If you have unix users who want to change their ldap passwords, tell
them to use the smbpasswd -r pdc_server_name command-  if password
sync is enabled in samba then both their ldap and samba passwords will
change.

Samba and Unix use different password hash mechanisms so you have to
have separate password fields. The only other secure way may be to
configure Windows clients to use kerberos authentication-  but that is a
much bigger project.


On 08/09/12 09:55, RAKESH PRITMANI wrote:
 Is there a way to synchronize SambaLmPassword   NTLMpassword from LDAP
 password. ldap passwd sync allows syncing the ldap passwd from samba, I
 need the other way. I already have an external LDAP server with CRYPT
 passwords and need to set SambaLMPasswd with these LDAP passwords.




Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Gaiseric Vandal
That looks OK.

You should not need a login script defined for a computer account.

Are you able to log in as the Domain Administrator?

Are your group mappings correct?   I ask because it may be that the
Domain Users group is not properly recognized as a member of the Users
group on the PC.  Can you log in as the domain (or local) admin and
explicitly add domain users and domain groups to a local group?



On 08/09/12 10:37, Brandon wrote:
  did you make the appropriate registry changes on Win 7 as per
  http://wiki.samba.org/index.php/Windows7

 Yes, I've downloaded the 3.6.3 script and run it on the client, as
 well as manually checked that the settings were only the two described
 in the wiki article.

  Have you tried adding a machine account for your CLIENTPC
  i.e.  # pdbedit -a -m -u CLIENTPC

 Yes, I let the account be auto-generated when connecting to the
 domain.  I should have specified that there are other users I didn't
 include in the print out.  Here is the machine account from pdbedit
 (note that I changed the logon script in smb.conf from .cmd to .bat a
 few minutes ago, and the update can be seen here):

 ---
 Unix username:        CLIENTPC$
 NT username:
 Account Flags:        [W          ]
 User SID:             S-1-5-21-2762049607-2166809996-183419993-1001
 Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
 Full Name:            CLIENTPC$
 Home Directory:
 HomeDir Drive:
 Logon Script:         logon.bat
 Profile Path:
 Domain:               MYWORKGROUP
 Account desc:
 Workstations:
 Munged dial:
 Logon time:           0
 Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
 Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
 Password last set:    Wed, 08 Aug 2012 13:44:36 EDT
 Password can change:  Wed, 08 Aug 2012 13:44:36 EDT
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours         : FF
 ---

 Also, I've got a bit more information from the log.CLIENTPC:

 [2012/08/09 10:14:56.686577,  0]
 rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
   pipe_schannel_auth_bind: Attempt to bind using schannel without
 successful serverauth2
 [2012/08/09 10:14:56.794994,  0]
 rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
 Rejecting auth request from client CLIENTPC machine account CLIENTPC$


 There are also a number of windows events:

 --- begin windows events paste ---
 The winlogon notification subscriber Profiles failed a critical
 notification event.
 Windows cannot copy file C:\Users\Default\NTUSER.DAT to location
 C:\Users\myadmin\NTUSER.DAT. This error may be caused by network
 problems or insufficient security rights.
 Windows cannot copy file \\?\C:\Users\Default\Videos to location
 \\?\C:\Users\myadmin\Videos. This error may be caused by network
 problems or insufficient security rights.
 Windows cannot copy file \\?\C:\Users\Default\Saved Games to location
 \\?\C:\Users\myadmin\Saved Games. This error may be caused by network
 problems or insufficient security rights.
 Note: To keep e-mail shorter I won't paste them all, but the last
 events repeat with a bunch of similar directories
 There are too many profile copy errors. Refer to the previous events
 for details. Windows will not log any additional copy errors for this
 copy process.
 Windows cannot find the local profile and is logging you on with a
 temporary profile. Changes you make to this profile will be lost when
 you log off.
 Windows cannot copy file C:\Users\Default\NTUSER.DAT to location
 C:\Users\TEMP.MYWORKGROUP\NTUSER.DAT. This error may be caused by
 network problems or insufficient security rights.
 Note: This last event again repeats with a number of similar
 directories
 There are too many profile copy errors. Refer to the previous events
 for details. Windows will not log any additional copy errors for this
 copy process.
 Windows cannot log you on because your profile cannot be loaded. Check
 that you are connected to the network, and that your network is
 functioning correctly.
 The winlogon notification subscriber Sens failed a notification event.
 --- end windows events paste ---










Re: [Samba] Samba 3.3.4 - Win7 Latency with MS Office files

2012-08-09 Thread Gaiseric Vandal
The name service cache works at the unix level-  it caches user and group
lookups (e.g. results of getent passwd and getent group.)   So that could
include winbind if nsswitch.conf includes winbind.


On Solaris, it is defined as follows.

bash-3.00# svcs -a | grep name
disabled   Jul_18   svc:/system/name-service-cache:default


Actual executable is nscd (same as linux.)


A DC normally doesn't need winbind since the samba users map directly to
local  unix accounts.  However, the delay could be in the ldap user
retrieval.


I don't use nameservice cache myself because I found that group changes
did not come into effect quick enough.






On 08/09/12 14:14, John Goubeaux wrote:
 Thanks for the ideas !

 Does enabling nameservice caching mean starting winbindd?
 Wondering what the implications of having this running on a network
 with an actual Win DC running as well are?  Meaning this is a
 standalone instance of a samba server that I am troubleshooting.

 I have a development version running the latest, 3.6.7 build and am
 testing with Win7 clients but seem to  still be getting latency after
 multiple files are opened.

 I will try the temp file default location change  though as well.

 -john









Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread Gaiseric Vandal
Is this a single domain controller environment (1 PDC) or do you also
have one or more BDC's?

Are you using WINS?  that should help clients find domain controllers.

Is there a difference between XP and Windows 7 clients?   As you
probably know,  you can log in to a windows machine with cached
credentials even if it is not connected to the network.   I found with
Windows 7 machines sometimes you may have logged into the computer with
your network account, the domain controller was not reached, you get
authenticated with cached credentials and you don't know there is an
issue until you try changing your password.  This is more likely to
happen with laptops that may get disconnected and reconnected from the
network without doing a complete shutdown 1st.


pdbedit -Lv username should show you if the X flag is set for the
user-  if the X flag is set the user's password should never expire
even if the domain policy sets a max password age. 

If you have an ldap browser, look at the top level sambaDomainObject. 
There may be  a sambamaxpwdage (n seconds) param.  


On 08/08/12 06:12, Florian Scholz wrote:
 Hi,

 we are using SAMBA 3.6.1-1 (updating this archlinux machine is too ugly)
 and 3.6.6-1 on archlinux with the LDAP (Server version is 2.4.26-3) backend
 and manage the users, groups and computers by using the smbldap-tools.

 Currently we are experiencing the following problems:

 1. changing the passwords takes longer than 30 seconds - That's bad
 because we are using a gigabit ethernet network!
 2. sometimes windows tells us that the user can't change their passwords at
 the current point of time
 3. sometimes windows forces the users to change their passwords (we never
 told samba to do it!)
 4. sometimes windows tells us that there are no logon servers available!

 Are there any known bugs regarding these problems? Do you need further
 information to investigate this problem?

 Florian Scholz






Re: [Samba] 3.0.9-3.0.37 Deleting files not working

2012-08-08 Thread Gaiseric Vandal
zfs or ufs?

On 08/08/12 08:01, ing...@gmx.net wrote:

Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread Gaiseric Vandal
3.  If you were able to join domain and log in to your PC, then your
registry settings should not be an issue.   I meant do you have this
problem with XP and Win 7 or only Win 7?


On 08/08/12 12:05, Florian Scholz wrote:
 1. Only one PDC per subnetwork (physically another town)
 2. I don't know if I'm using WINS but I don't think so.
 3. Yes, there are some registry settings you have to apply to Windows
 7 to make it compatible with SAMBA 3.6
 4.  Yes but I don't get the temporary session message :)
 5. The X-flag isn't set.

 # ASTA, asta.lan
 dn: sambaDomainName=ASTA,dc=asta,dc=lan
 objectClass: top
 objectClass: sambaDomain
 objectClass: sambaUnixIdPool
 sambaDomainName: ASTA
 sambaSID: S-1-5-21-3963991337-2686100338-2601203207
 sambaPwdHistoryLength: 0
 sambaMaxPwdAge: -1
 sambaLockoutThreshold: 0
 sambaRefuseMachinePwdChange: 0
 sambaLogonToChgPwd: 0
 sambaMinPwdAge: 0
 sambaForceLogoff: -1
 sambaMinPwdLength: 4
 sambaLockoutDuration: 30
 sambaLockoutObservationWindow: 30
 gidNumber: 1049
 sambaNextRid: 1028
 uidNumber: 1209


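An added example, not code from any message in this thread, that applies the two checks Gaiseric describes above (the X account flag in pdbedit -Lv output, and sambaMaxPwdAge on the top-level sambaDomain object like the one Florian posted): it parses constructed samples in those formats and reports whether an account's password can expire. Account names, SIDs, dates and the domain name in the samples are made up; the field and attribute names are the real ones.

```python
"""Added example (not from the list thread): decide from `pdbedit -Lv` output
and the sambaDomain LDAP entry whether a Samba account's password can expire.

Rules applied, as stated in the thread: the X account flag means the password
never expires regardless of domain policy; sambaMaxPwdAge is a maximum age in
seconds, and -1 means the domain sets no maximum.
"""
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed pdbedit -Lv output for an ordinary user account (no X flag).
SAMPLE_PDBEDIT_USER = """\
Unix username:        jdoe
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1000
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513
Domain:               EXAMPLEDOM
Password last set:    Wed, 08 Aug 2012 17:54:50 EDT
Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
"""

# Constructed output for a service account whose X flag (no expiry) is set.
SAMPLE_PDBEDIT_NOEXPIRE = SAMPLE_PDBEDIT_USER.replace("[U ", "[UX").replace(
    "jdoe", "backupsvc")

# Constructed LDIF of the top-level sambaDomain object (90-day maximum age).
SAMPLE_DOMAIN_LDIF = """\
dn: sambaDomainName=EXAMPLEDOM,dc=example,dc=test
objectClass: top
objectClass: sambaDomain
sambaDomainName: EXAMPLEDOM
sambaMaxPwdAge: 7776000
sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
"""


def parse_pdbedit(text):
    """Turn pdbedit -Lv output into a dict. Split on the first ':' only, since
    timestamp values contain colons and some labels are padded before ':'."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def account_flags(fields):
    """Return the set of flag letters from a line like 'Account Flags: [UX ]'."""
    raw = fields.get("Account Flags", "")
    return set(raw.strip("[] ").replace(" ", ""))


def ldif_attr(ldif, attr):
    """Return the first value of `attr` in a single-entry LDIF text, or None."""
    prefix = attr.lower() + ":"
    for line in ldif.splitlines():
        if line.lower().startswith(prefix):
            return line.partition(":")[2].strip()
    return None


def password_expiry(fields, domain_ldif):
    """Return (expires, reason, expiry_datetime_or_None) for one account."""
    if "X" in account_flags(fields):
        return False, "account flag X set: password never expires", None
    max_age = int(ldif_attr(domain_ldif, "sambaMaxPwdAge") or -1)
    if max_age < 0:
        return False, "sambaMaxPwdAge is -1: domain sets no maximum age", None
    # pdbedit prints RFC 2822 style dates; email.utils understands EDT/EST.
    last_set = parsedate_to_datetime(fields["Password last set"])
    expiry = last_set + timedelta(seconds=max_age)
    return True, "expires %d s after the password was last set" % max_age, expiry


if __name__ == "__main__":
    for sample in (SAMPLE_PDBEDIT_USER, SAMPLE_PDBEDIT_NOEXPIRE):
        f = parse_pdbedit(sample)
        print(f["Unix username"], password_expiry(f, SAMPLE_DOMAIN_LDIF))
```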


Re: [Samba] password change problem and no logon servers available

2012-08-08 Thread Gaiseric Vandal
I would look at the windows event log.  It may be of help.

Also nbtstat -a should show you the IP addresses for the domain, DCs
and master browser.  I found with both Samba and NT4 domains that
using WINS helped-  it shouldn't cause new problems at least.





On 08/08/12 12:17, Florian Scholz wrote:
 I'm not using XP anymore.. and I meant that I applied the
 http://wiki.samba.org/index.php/Windows7 stuff before adding the
 computers to the domain

 2012/8/8 Gaiseric Vandal gaiseric.van...@gmail.com
 mailto:gaiseric.van...@gmail.com

 3.  If you were able to join domain and log in to your PC, then
 your registry settings should not be an issue.   I meant do you
 have this problem with XP and Win 7 or only Win 7?



 On 08/08/12 12:05, Florian Scholz wrote:
 1. Only one PDC per subnetwork (physically another town)
 2. I don't know if I'm using WINS but I don't think so.
 3. Yes, there are some registry settings you have to apply to
 Windows 7 to make it compatible with SAMBA 3.6
 4.  Yes but I don't get the temporary session message :)
 5. The X-flag isn't set.

 # ASTA, asta.lan
 dn: sambaDomainName=ASTA,dc=asta,dc=lan
 objectClass: top
 objectClass: sambaDomain
 objectClass: sambaUnixIdPool
 sambaDomainName: ASTA
 sambaSID: S-1-5-21-3963991337-2686100338-2601203207
 sambaPwdHistoryLength: 0
 sambaMaxPwdAge: -1
 sambaLockoutThreshold: 0
 sambaRefuseMachinePwdChange: 0
 sambaLogonToChgPwd: 0
 sambaMinPwdAge: 0
 sambaForceLogoff: -1
 sambaMinPwdLength: 4
 sambaLockoutDuration: 30
 sambaLockoutObservationWindow: 30
 gidNumber: 1049
 sambaNextRid: 1028
 uidNumber: 1209


 2012/8/8 Gaiseric Vandal gaiseric.van...@gmail.com
 mailto:gaiseric.van...@gmail.com

 Is this a single domain controller environment (1 PDC) or do
 you also
 have one or more BDC's?

 Are you using WINS?  that should help clients find domain
 controllers.

 Is there is difference between XP and Windows 7 clients?   As you
 probably know,  you can login to a windows machine with cached
 credentials even if it is not connected to the network.   I
 found with
 Windows 7 machines sometimes you may have logged into the
 computer with
 your network account, the domain controller was not reached,
 you get
 authenticated with cached credentials and you don't know
 there is an
 issue until you try changing your password.  This is more
 likely to
 happen with laptops that may get disconnected and reconnected
 from the
 network with out doing a complete shutdown 1st.


 pdbedit -Lv username should show you if the X flag is set
 for the
 user-  if the X flag is set the user's password should
 never expire
 even if the domain policy sets a max password age.

 If you have an ldap browser, look at the top level
 sambaDomainObject.
 There may be  a sambamaxpwdage (n seconds) param.


 On 08/08/12 06:12, Florian Scholz wrote:
  Hi,
 
  we are using SAMBA 3.6.1-1 (updating this archlinux machine
 is tooo ugly)
  and 3.6.6-1 on archlinux with the LDAP (Server version is
 2.4.26-3) backend
  and manage the users, groups and computer by using the
 smbldap-tools.
 
  Currently we are experiencing the following problems:
 
  1. changing the passwords takes longer than 30 seconds -
 That's bad
  because we are using a gigabit ethernet network!
  2. sometimes windows tells us that the user can't change
 their passwords at
  the current point of time
  3. sometimes windows foces the users to change their
 passwords (we never
  told samba to do it!)
  4. sometimes windows tells us that there are no logon
 server available!
 
  Are there any known bugs regarding to these problems? Do
 you need further
  information to investigate this problem?
 
  Florian Scholz
 
 











Re: [Samba] Samba User authentication from external LDAP server

2012-08-07 Thread Gaiseric Vandal
You need to configure smb.conf with either

unix password sync (along with passwd chat and passwd program)

or with

pam password change


I use the unix password sync option: it passes the new password value
to a shell script which then calls an LDAP server command to change the
password.  The script includes the user ID and password of an account in
the LDAP server with appropriate permissions to set the password.

I don't know if pam password change would work with LDAP.  The root
account (under which samba runs) has the ability to change local or NIS
passwords with the passwd command without knowing the old password.
But the unix root account is not by default an LDAP admin.


If you truly want to use only the LDAP password for Samba authentication
then you need to configure plain-text password storage for everything,
which is probably a bad idea.





On 08/07/12 11:35, RAKESH PRITMANI wrote:
 I need to authenticate samba users from external LDAP server, tried a
 few options but when I change LDAP password, the samba password does
 not change. Is it possible to do away with Samba password and only use
 LDAP password

 Rakesh


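The unix password sync / passwd chat arrangement described in the reply above, as an added example that is not the script from the post and not part of Samba: a `passwd program` in Python that speaks the `passwd chat` prompt protocol and then calls OpenLDAP's `ldappasswd`, with the bind secret and the new password handed over through files rather than on the command line so that neither shows up in `ps`. The LDAP URI, the admin DN, the secret file path and the `ou=People` base are assumptions; the smb.conf lines in the docstring are the matching (hypothetical) configuration.

```python
#!/usr/bin/env python3
r"""'passwd program' for 'unix password sync = yes' that pushes the new
password into LDAP with OpenLDAP's ldappasswd.

Added example: not the script from the list post and not part of Samba.
smbd runs the program as root with %u substituted and drives it through
'passwd chat', so this only has to print the prompts the chat expects and
read the answers.  Matching smb.conf (hypothetical values):

    unix password sync = yes
    passwd program = /usr/local/sbin/ldap-passwd-sync.py %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*

LDAP_URI, ADMIN_DN, ADMIN_PW_FILE and USER_BASE are assumptions.
"""
import os
import re
import subprocess
import sys
import tempfile

LDAP_URI = "ldaps://ldap.example.com"
ADMIN_DN = "cn=pwadmin,ou=Services,dc=example,dc=com"   # may write userPassword only
ADMIN_PW_FILE = "/etc/samba/ldap-pwadmin.secret"       # root-only, mode 0600, no trailing newline
USER_BASE = "ou=People,dc=example,dc=com"

_VALID_USER = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def user_dn(username):
    """Build the user's DN; refuse anything that could smuggle DN syntax."""
    if not _VALID_USER.match(username):
        raise ValueError("refusing suspicious username: %r" % username)
    return "uid=%s,%s" % (username, USER_BASE)


def ldappasswd_argv(dn, new_pw_file, admin_pw_file=ADMIN_PW_FILE):
    """ldappasswd reads both secrets from files (-y bind password, -T new
    password) so neither one appears in the process list."""
    return ["ldappasswd", "-H", LDAP_URI, "-x", "-D", ADMIN_DN,
            "-y", admin_pw_file, "-T", new_pw_file, dn]


def sync_password(username, new_password, run=subprocess.run):
    """Set the user's LDAP password; return ldappasswd's exit status.
    'run' is injectable so the flow can be exercised without a directory."""
    dn = user_dn(username)
    fd, path = tempfile.mkstemp(prefix="smbpw.")    # created with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_password)                  # ldappasswd uses the file verbatim
        result = run(ldappasswd_argv(dn, path), stdin=subprocess.DEVNULL,
                     capture_output=True, text=True)
        return result.returncode
    finally:
        os.unlink(path)


def chat(username, inp, out, run=subprocess.run):
    """Speak the 'passwd chat' protocol on inp/out; return the exit code."""
    out.write("New password: ")
    out.flush()
    first = inp.readline().rstrip("\n")
    out.write("Retype new password: ")
    out.flush()
    second = inp.readline().rstrip("\n")
    if not first or first != second:
        out.write("Sorry, passwords do not match.\n")
        out.flush()
        return 1
    if sync_password(username, first, run=run) != 0:
        out.write("LDAP password change failed.\n")
        out.flush()
        return 2
    out.write("password updated successfully\n")
    out.flush()
    return 0


if __name__ == "__main__":
    sys.exit(chat(sys.argv[1], sys.stdin, sys.stdout))
```

Because smbd runs the program as root, the bind identity in ADMIN_DN should be a service account whose ACL allows writing `userPassword` on user entries and nothing more, not the directory manager. If the chat patterns do not match, `passwd chat debug = yes` logs the exchange at debug level 100, including the plaintext passwords, so switch it off again once the exchange works.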


Re: [Samba] SMB+LDAP

2012-08-07 Thread Gaiseric Vandal
I have a Sun (Oracle) Directory Server backend.  I also use it for
unix-level authentication.


Are you configuring samba as a domain controller or standalone server?

I have uid and uidNumber attributes: you want to make sure that the
samba account maps to a unix account somehow.  pdbedit -Lv username
will verify this.

I think with an LDAP backend it will expect an ldap admin dn entry.  This
is not usually a regular user in your company LDAP branch but is
instead an administrator.  Samba will need to write to LDAP if you add
or remove a samba user using smbpasswd or pdbedit, or if you change a
user's samba password with samba command line tools or from windows, or
if you join or remove a Windows PC from the domain, and if you join the
samba server to the domain (this will create domain objects).


You can of course use LDAP tools to create the user's samba attributes.
I don't know how you would easily set the user's samba password.  You
could probably have a dummy samba machine with a local backend, set a
password, then use smbpasswd -e to extract the hashed value.  Maybe
there are additional tools for creating an NT password hash.


Machines will also have accounts with passwords.  The passwords may
change automatically.




On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
 Hi Folks,

 A couple of questions about making SMB (3 or 4) authenticate to an
 external (anonymous) LDAP server:

 1) A typical LDAP user record is below. Is there anything lacking in
 this record that would prevent Samba from authenticating against our
 LDAP server? Note the sambaSID is as is, gobbledygook info:


 dsAttrTypeNative:eduPersonAffiliation: Employee Member
 dsAttrTypeNative:givenName: David
 dsAttrTypeNative:homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
 dsAttrTypeNative:mail: dsixp...@csux.edu
 dsAttrTypeNative:objectClass: posixAccount organizationalPerson
 csuxPerson top sambaSamAccount person inetOrgPerson csuxMain eduPerson
 dsAttrTypeNative:sambaSID: S-1-5-21-XX-XX-XX
 dsAttrTypeNative:sn: Sixpack
 dsAttrTypeNative:csuxPersonGuID: G000242316
 AppleMetaNodeLocation: /LDAPv3/ldap-99.soe.csux.edu
 AppleMetaRecordName: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
 NFSHomeDirectory: /Users/dsixpack
 Password: 
 PrimaryGroupID: 12
 RealName:
  David Sixpack
 RecordName: dsixpack
 RecordType: dsRecTypeStandard:Users
 UniqueID: 9239
 UserShell: /bin/bash

 2) Regarding the sudo smbpasswd -w secret step, does this smb user
 need to exist in our LDAP or that local to the machine running the SMB
 daemon? I wasn't clear on how this step in the process is supposed to
 work.

 3) Is the ldap admin dn = also required?

 Note we have read-only access to our LDAP server, though a record
 could be created for us if absolutely needed.

 Any help or ideas MUCH appreciated! Thanks!

 David




Re: [Samba] SMB+LDAP

2012-08-07 Thread Gaiseric Vandal
You also need

sambaAccountFlags: [UX] for user account and
sambaAccountFlags: [W] for machine accounts.




On 08/07/12 17:37, Frans Lanting - IT Admin wrote:
 Hi Folks,

 A couple of questions about making SMB (3 or 4) authenticate to an
 external (anonymous) LDAP server:

 1) A typical LDAP user record is below. Is there anything lacking in
 this record that would prevent Samba from authenticating against our
 LDAP server? Note the sambaSID is as is, gobbledygook info:


 dsAttrTypeNative:eduPersonAffiliation: Employee Member
 dsAttrTypeNative:givenName: David
 dsAttrTypeNative:homeDirectory: /afs/cats.csux.edu/users/t/dsixpack
 dsAttrTypeNative:mail: dsixp...@csux.edu
 dsAttrTypeNative:objectClass: posixAccount organizationalPerson
 csuxPerson top sambaSamAccount person inetOrgPerson csuxMain eduPerson
 dsAttrTypeNative:sambaSID: S-1-5-21-XX-XX-XX
 dsAttrTypeNative:sn: Sixpack
 dsAttrTypeNative:csuxPersonGuID: G000242316
 AppleMetaNodeLocation: /LDAPv3/ldap-99.soe.csux.edu
 AppleMetaRecordName: uid=dsixpack,ou=People,dc=crm,dc=csux,dc=edu
 NFSHomeDirectory: /Users/dsixpack
 Password: 
 PrimaryGroupID: 12
 RealName:
  David Sixpack
 RecordName: dsixpack
 RecordType: dsRecTypeStandard:Users
 UniqueID: 9239
 UserShell: /bin/bash

 2) Regarding the sudo smbpasswd -w secret step, does this smb user
 need to exist in our LDAP or that local to the machine running the SMB
 daemon? I wasn't clear on how this step in the process is supposed to
 work.

 3) Is the ldap admin dn = also required?

 Note we have read-only access to our LDAP server, though a record
 could be created for us if absolutely needed.

 Any help or ideas MUCH appreciated! Thanks!

 David




Re: [Samba] Samba solaris 8 package with Windows 2008 support?

2012-08-02 Thread Gaiseric Vandal
You can check for a precompiled version on blastwave.org.  It looks like
sunfreeware.com doesn't have the Solaris 8 binaries online anymore.  I
suspect you will have to compile from source, which can be a major PITA
on Solaris (if you look for other posts from me on this list you will
see this).


You may be better off moving to Solaris 10, which includes Samba 3.5.x,
depending on how old your hardware is.  I have a 5-year-old Sun V210
(1 GB RAM?) running Solaris 10 comfortably.

On 08/02/12 08:00, Michaels, Stephen P. wrote:
 Hi-
 I am running Samba 2.2.8 on Solaris 8. Our Windows team has upgraded Windows
 2003 servers Active Directory to Windows 2008. Samba is not working now. Can
 someone suggest the best Samba version for Solaris 8 that I can upgrade to
 that will support the new Windows 2008 authentication mechanism.
 Thanks
 -Steve

 Stephen P. Michaels
 ITSD Server Systems Group
 The Johns Hopkins University
 Applied Physics Laboratory
 11100 Johns Hopkins Rd.
 Laurel, MD. 20723-6099
 (443) 778-7527 Office
 (443) 324-2686 Mobile








Re: [Samba] Access and group issues on domain member server (PDC is Samba as well)

2012-08-01 Thread Gaiseric Vandal
I think there are two components.


First, I think the domain member does need to run winbind to retrieve
windows users and groups from the DC.
Second, the domain member needs to have idmap configured correctly to make
sure that the windows users are properly mapped to the local unix
users, so that the unix/windows mappings are the same as on the DC
(the fact that the local unix users are actually ldap accounts is not
known to the samba server).


In theory the idmap_nss backend should help keep idmap entries
consistent across Samba servers with a common LDAP backend.  The
idmap_nss man page shows some examples.  If you use idmap_nss on
both DC and server it should be consistent.


The other option is to use ldap for the idmap backend.  See man
idmap_ldap.  Your PDC should create idmap entries.  I found I had to
then edit the entries to correct the uid or gid values to match the ldap
user values.  I then tried configuring the member servers to use the
same ldap idmap backend, but read-only.  It didn't really work and
this was before the idmap_nss option was available.  In the end I
found it easier to convert some of my member servers to BDCs.




On 08/01/12 05:51, Philipp Felix Hoefler wrote:
 Hi List,

 I created a domain member server in my samba domain.
 I started to realize that there are some issues when colleagues could
 not access some folders in their shares.
 After searching for a solution I found that on that member server I
 have no samba groups available.

 First of all my setup:
 Domain controller:
 CentOS 6.2 x86_64, latest updates installed
 Samba 3.5.10 (from CentOS repo: samba-3.5.10-116.el6_2.x86_64)
 LDAP backend (OpenLDAP from CentOS repo: openldap-2.4.23-20.el6.x86_64)

 Domain member:
 exact same OS and versions as on domain controller
 also with LDAP backend

 I followed the instructions from
 http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html (
 Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution)
 for adding the member server.
 (BTW: If anyone on this list has access to this guide: Paragraph 8:
 the wbinfo --set-auth-user= has been replaced with net setauthuser)
 Both servers access the same LDAP directory for the linux accounts and
 for Samba incl. IDMAPs
 Everything in this guide worked as described.

 getent passwd and getent groups works successfully on both servers
 (shows all entries from LDAP)
 net rpc group list shows all groups correctly on the PDC
 net groupmap list shows all group mappings correctly on the PDC

 On the member server though:
 net rpc group list only gives me Administrators and Users
 net groupmap list only gives me:
 Administrators (S-1-5-32-544) - 16777216
 Users (S-1-5-32-545) - 16777217

 I also tried to run winbind on the domain member, domain member+PDC
 and without winbind at all (We only have this one domain, do I even
 need winbind then? As I understood it would only be needed if I have
 multiple domains running. Is this correct?)
 But these commands always show me the same output on the member server.

 Should these commands even produce more output on domain members? Or is
 it just for PDCs?

 smb.confs from both servers are added at the end.

 Thanks in advance!
 best regards,
 philipp

 PS: some additional info to our folder sharing system:
 All users only connect to their home-share. Inside this share we add
 symbolic links to the allowed group shares of the user.
 This group share folders are owned by root, group is one of the
 (allowed) Usergroups. Directory mask is 770, group-sticky bit is set.


 smb.conf from PDC:

 [root@srvad1 samba]# testparm
 Load smb config files from /etc/samba/smb.conf
 rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
 Processing section [netlogon]
 WARNING: The share modes option is deprecated
 Processing section [printers]
 Processing section [print$]
 Loaded services file OK.
 Server role: ROLE_DOMAIN_PDC
 Press enter to see a dump of your service definitions

 [global]
 workgroup = ATV
 server string = SRVAD1
 interfaces = 192.168.249.0/24, 127.0.0.1/8
 passdb backend = ldapsam:ldap://192.168.249.7/
 log file = /var/log/samba/%m.log
 max log size = 50
 smb ports = 139
 time server = Yes
 unix extensions = No
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = CUPS
 add user script = /usr/sbin/smbldap-useradd -m
 add group script = /usr/sbin/smbldap-groupadd -p %g
 add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
 set primary group script = /usr/sbin/smbldap-usermod -g %g %u
 add machine script = /usr/sbin/smbldap-useradd -w %u
 logon script = login.bat
 logon path =
 logon drive = U:
 logon home = \\SRVFILE1\%U
 domain logons = Yes
 os level = 65
 preferred master = Auto
 domain master = Yes
 dns proxy = No
 wins support = Yes
 ldap admin dn = cn=Manager,dc=at-visions,dc=com
 ldap delete dn 

Re: [Samba] Samba and LDAP

2012-07-31 Thread Gaiseric Vandal
You can use smbpasswd or pdbedit to add a samba user.   Actually, if the
LDAP user already exists the smbpasswd or pdbedit command adds various
samba attributes.  

You should look at the LDAP properties of a user before and after you
run the smbpasswd -a or pdbedit -a command.   I like the Apache
Directory Studio ldap editor/browser, although you can also use
ldapsearch from the command line.  You will see that the samba-enabled
LDAP accounts have additional object classes and attributes. 

I have Samba 3.x with an LDAP backend.  Not all LDAP users are Samba
users, since we use LDAP for other things besides samba.  By default,
samba expects that the ldap user already exists.  However, it is
possible for samba to be configured to automatically create and delete
the ldap user.


On 07/31/12 08:18, rodrigo tavares wrote:
 Hello !

 I have a doubt.


 I have configured LDAP with Samba, and LDAP is running. But I can't log in to a
 domain; I change the user's password with smbldap-passwd, but it's not
 sufficient to log in. Then I have to use smbpasswd -a username, so I get
 authenticated in the domain with the user.

 Using smbpasswd: is it wrong?


 Thanks

 Rodrigo Faria Tavares
 Administrator System Linux




Re: [Samba] Phantom Domain Master Browser

2012-07-31 Thread Gaiseric Vandal
In the /var/samba/locks directory you may have a browse.dat file or
wins.* files (if this is a WINS server) that have incorrect info.
You should be able to rename/back up these files and restart nmbd.

Is the phantom master browser a samba server or a Windows machine?  The
Samba DC normally should win browser elections but it is not always the
case.

 


On 07/20/12 09:08, Robert Adkins II wrote:
 I brought up the old server and have been reviewing the log files.

 There is no indication of the phantom master browser existing in the old log
 files.

 --

 Regards,
 Robert Adkins II
 IT Manager/Buyer
 Impel Industries, Inc.
 586-254-5800

  

 -Original Message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
 Sent: Friday, July 20, 2012 8:50 AM
 To: samba@lists.samba.org
 Subject: [Samba] Phantom Domain Master Browser

 There's a phantom domain master browser showing up in my 
 Samba nmbd.log file.
  
 I keep thinking that maybe it is left over in one of the 
 files that I transferred over from the old server to the new 
 server and it isn't clearing itself out. Is there a way to 
 clear that and is it possible to have a phantom browser 
 fighting over the Domain from a copied over file?
  
 I transferred all of the Samba files found in /etc/samba to 
 the new server.
  
 This was also an upgrade from Samba 3.2.7 to Samba 3.6.3
  
 I have noticed some additional files in the /var/log/Samba 
 directory as well as some additional files in the /etc/samba 
 directory on the new server.
  
  
  


 -- 

 Regards,
 Robert Adkins II
 IT Manager/Buyer
 Impel Industries, Inc. 
 586-254-5800 

  





Re: [Samba] Help information to build the system as Microsoft Active Directory !

2012-07-26 Thread Gaiseric Vandal
Many of your questions should be answered on www.samba.org and
wiki.samba.org


Samba4 provides Active Directory functionality.   It is free -  you
don't have to pay for it, but there is the cost of your time.   





On 07/24/12 08:08, Ha Minh Ai wrote:
 Dear Sir/Madam,
 We want to build a system for centralized management: user
 accounts, printers, policy, deploying software to clients, managing OS updates,
 Single Sign On, ...
 I know there is a system similar to Microsoft Active Directory, but we
 don't have a lot of dollars.
 Please help me to answer some questions below:
  - How is the solution (*OpenLDAP + Samba*) on Ubuntu, RHEL/CentOS or SUSE
 server?
  - How many users can the system support at maximum?
  - Could I build a system that includes a Primary Domain Controller server and
 an Additional Domain Controller?
  - Does Samba/OpenLDAP have a cost edition for enterprise? If yes, what is
 different from the free edition?
 I'm looking forward to your support. Thanks so much

 Best regards,
 Aihm




Re: [Samba] Samba 4 AD What's the difference between a Domain and a Forest

2012-07-23 Thread Gaiseric Vandal
A forest contains one or more trees, with each tree containing one or more
domains.  In an AD, you need at least one forest.  You would have
additional branches if you needed a different top-level DNS space.
Domains are trusted and trusting.  When you install Active
Directory on a server it will ask if you are joining a domain, setting
up a new domain in an existing tree, setting up a new tree (and domain)
in an existing forest, or creating a whole new forest.








On 07/21/12 15:39, steve wrote:
 Is a Forest more than one domain joined?

 Cheers,
 Steve





Re: [Samba] Strange behaviour of clients after changing Full Name via pdbedit

2012-07-23 Thread Gaiseric Vandal
Are network drives handled by a login script?  If the login script
tries to use the username variable to map drives, changing the name could
break something.

Are these roaming profiles or local?  For local profiles, the local
profile name should match the user name.  Did that change?  Can you
check the perms on the local profile directory?

On 07/23/12 08:23, Dr. Harry Knitter wrote:
 Hallo,

 after having changed the Full Name of a user via pdbedit the user profile of 
 this user is not loaded properly any more by the XP clients.

 So we renamed again back to the original Full Name and the profile could be 
 loaded. However, something went wrong
 All settings like network drives were gone.

 Then we restored the whole profile folder from backup (The user was logged 
 out).

 Again, however, we got troubles. Situation didn´t change. The profile was 
 loaded but the settings still were gone.

 We had to restore  the drives manually.
 In addition, now the client has only an English keyboard layout and there is no
 possibility to get the original German one back. There is nothing to see in
 the systray nor can the classical view of the control panel be switched on to
 change the keyboard layout for this specific user.
 The local Admin can change everything and has the right keyboard layout.

 We had to change the Full Name of this user, because Windows 7 doesn't
 support Umlauts in Full Name and we want to move this user from XP to
 Windows 7 in the near future.

 Our samba version is 3.5.6 on a debian squeeze system.

 Thanks in advance

 Harry




Re: [Samba] Suggestions? Multiple servers/storages one domain

2012-07-06 Thread Gaiseric Vandal
File storage and user authentication are (sort of) separate issues.  I
would generally avoid true standalone servers, and still use the domain
authentication model as much as possible.

The additional servers can be member servers or backup domain
controllers.  I had trouble keeping user id mappings consistent on
member servers (in my environment it is necessary that the id mapping
is consistent between all domain controllers and key member servers).
I found it was easier just to make sure that my key storage servers were
also domain controllers.  This is only two machines.  Each domain
controller is also an LDAP server.  The LDAP servers are configured for
replication.  Each domain controller therefore uses its own LDAP server
for the samba back end.  (Note: I started with samba 3.0.x; newer
releases may have simplified idmapping for member servers.)

When you configure a samba user, you can specify the absolute path to
their profile directory and home directory.  

#pdbedit -Lv thisuser
...
Home Directory:   \\server1\users\thisuser
HomeDir Drive:X:
Logon Script: logon.bat
Profile Path: 

#pdbedit -Lv thatuser
...
Home Directory:   \\server2\users\thatuser
HomeDir Drive:X:
Logon Script: logon.bat
Profile Path: 



I then use the login script to map the user's home directory drive
letter to the appropriate home share.


E.g

net use x: /delete /y
net use x: %homeshare%

I believe windows batch files should also have the option to do
something similar to  if member of group then    if you want to
have different drive mappings for different groups. 


I don't use profiles in my network.  You need to make sure that each DC
has the same logon script files.

I also have a drive letter mapped to a top level Projects directory on
one server.  But then I use dfs links to redirect users to sub
directories located on the 2nd servers. 


server1# cd /export/Projects
server1# ls -ld *
drwxrwx---+ 37 root  group1   42 May 18 09:00  Project1
lrwxrwxrwx   1 root root  19 Feb 11  2011 Project2 -> msdfs:server2\Projects\Project2





On 07/06/12 07:55, Götz Reinicke wrote:
 Hi,

 currently we do have one samba3x-3.5.10-0.109.el5_8 RH EL 5.8 PDC
 authenticating by our central LDAP server.

 This PDC also hosts the central fileserver storage for all our +- 600
 users, some group shares and roaming profiles.

 The clients are OS X, Win XP and Win 7. We hope to have all XP 'killed'
 by end of the year.

 Furthermore we do have a second stand alone samba server for some
 projects needing more space and with local smb users.

 As we think about splitting up the central PDC storage and setting up an
 other filestorage too, I was researching for the 'best' setup.

 I wanted to separate the two main user groups to use one server each, so
 the staff members get some more performance.

 But on the other hand I like to use our current setup as much as possible.

 So I hoped that there is some tutorial (there are so many ... :)
 luckily! ) which describes a setup like we are looking for.

 - We will still have one central LDAP and one domain to login.

 - If users belong to staff, they have access to the profile and user
 files shared by server 1

 - If users belong to students, they have access to the profile and user
 files shared by the server 2

 - Furthermore we do have a third/++ BIG FILES server whose shares can be
 accessed by users in a user group but authenticate via the PDC as well.


 Maybe someone can point me to some tutorials or can give other advice
 and suggestions?

 I cant buy new e.g. 10G server/storage hardware, but can use some 'old'
 some-core-lots-of-RAM-1G systems

   Thanks a lot and best regards . Götz




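The DFS redirection shown in the `ls -ld` listing above, as an added example that is not code from the post: creating the `msdfs:` symlinks and auditing a DFS root so that stray ordinary symlinks stand out. It assumes `host msdfs = yes` in [global] and `msdfs root = yes` on the share; the server and share names are placeholders.

```python
#!/usr/bin/env python3
r"""Create and audit Samba MS-DFS referral links.

Added example; not code from the list post.  With 'host msdfs = yes' in
[global] and 'msdfs root = yes' on the share, smbd turns a symlink whose
target reads msdfs:server\share\path into a DFS referral: a client that
opens Projects\Project2 on server1 is sent to the share on server2.
Several comma-separated targets give the client alternatives.  Server and
share names used here are placeholders.
"""
import os
import re

_PREFIX = "msdfs:"
_TARGET = re.compile(r"^[A-Za-z0-9._-]+\\[^\\,]+(\\[^\\,]+)*$")


def dfs_target(server, share, *path):
    r"""Format one referral target as server\share\sub\dir."""
    return "\\".join((server, share) + path)


def make_dfs_link(root, name, targets):
    """Create root/name as an msdfs symlink to the given targets."""
    for t in targets:
        if not _TARGET.match(t):
            raise ValueError("bad msdfs target: %r" % t)
    link = os.path.join(root, name)
    os.symlink(_PREFIX + ",".join(targets), link)
    return link


def parse_dfs_link(path):
    """(server, share, subpath) for each target of an msdfs link, or None
    when path is not an msdfs referral."""
    if not os.path.islink(path):
        return None
    value = os.readlink(path)
    if not value.startswith(_PREFIX):
        return None
    targets = []
    for t in value[len(_PREFIX):].split(","):
        server, _, rest = t.partition("\\")
        share, _, sub = rest.partition("\\")
        targets.append((server, share, sub))
    return targets


def list_dfs_links(root):
    """Audit a DFS root: msdfs links by name, plus any ordinary symlinks.
    Ordinary symlinks on a DFS root are usually mistakes: smbd follows them
    server-side (follow symlinks = yes is the default) and, with wide
    links enabled, they can point outside the share."""
    dfs, plain = {}, []
    for entry in sorted(os.listdir(root)):
        p = os.path.join(root, entry)
        targets = parse_dfs_link(p)
        if targets:
            dfs[entry] = targets
        elif os.path.islink(p):
            plain.append(entry)
    return dfs, plain


if __name__ == "__main__":
    import sys
    dfs, plain = list_dfs_links(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, targets in dfs.items():
        print(name, "->", " | ".join("\\".join(filter(None, t)) for t in targets))
    for name in plain:
        print("WARNING: ordinary symlink on DFS root:", name)
```

Run it against the exported Projects directory on each DC; because every DC serves the same logon scripts and shares, the msdfs links have to be identical on all of them or a client will be redirected differently depending on which DC answered.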


Re: [Samba] DNS issue.

2012-06-27 Thread Gaiseric Vandal
Does your DNS server allow client machines to update?  I can't speak
for Samba 4, but with Windows 200x DCs I found it was simpler to
temporarily allow DNS updates while adding a DC.



On 06/26/12 23:59, Pradeep Pal wrote:
 Hi All;

 Can anyone help me? I am facing a DNS-related issue. This is my
 configuration.

 Centos 6.2 32bit OS
 samba4beta3
 bind-9.8.3-P1

 First I configured samba4 as a domain controller.

 Then I configured another machine as an additional domain controller, with
 samba4. But when I run this command it gives errors.

  /usr/local/samba/bin/samba-tool drs showrepl
 Default-First-Site-Name\PDC
 DSA Options: 0x0001
 DSA object GUID: 56003cd3-d15b-4825-915f-37b9e2952f2a
 DSA invocationId: ec8a9ed7-ce1a-449e-8321-97c715375445

  INBOUND NEIGHBORS 

 DC=DomainDnsZones,DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:51:47 2012 IST failed, result
 2 (WERR_BADFILE)
 216 consecutive failure(s).
 Last success @ NTTIME(0)

 DC=ForestDnsZones,DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:51:47 2012 IST failed, result
 2 (WERR_BADFILE)
 216 consecutive failure(s).
 Last success @ NTTIME(0)

 DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:51:47 2012 IST failed, result
 2 (WERR_BADFILE)
 216 consecutive failure(s).
 Last success @ NTTIME(0)

 CN=Schema,CN=Configuration,DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:51:48 2012 IST failed, result
 2 (WERR_BADFILE)
 216 consecutive failure(s).
 Last success @ NTTIME(0)

 CN=Configuration,DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:51:48 2012 IST failed, result
 2 (WERR_BADFILE)
 216 consecutive failure(s).
 Last success @ NTTIME(0)

  OUTBOUND NEIGHBORS 

 DC=DomainDnsZones,DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:54:11 2012 IST failed, result
 2 (WERR_BADFILE)
 4 consecutive failure(s).
 Last success @ NTTIME(0)

 DC=ForestDnsZones,DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:54:12 2012 IST failed, result
 2 (WERR_BADFILE)
 4 consecutive failure(s).
 Last success @ NTTIME(0)

 DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:54:12 2012 IST failed, result
 2 (WERR_BADFILE)
 4 consecutive failure(s).
 Last success @ NTTIME(0)

 CN=Schema,CN=Configuration,DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:54:12 2012 IST failed, result
 2 (WERR_BADFILE)
 4 consecutive failure(s).
 Last success @ NTTIME(0)

 CN=Configuration,DC=abc,DC=com
 Default-First-Site-Name\BDC via RPC
 DSA object GUID: adf1d7c5-4e92-400f-9bfb-17986c6d20a2
 Last attempt @ Wed Jun 27 08:54:12 2012 IST failed, result
 2 (WERR_BADFILE)
 4 consecutive failure(s).
 Last success @ NTTIME(0)

  KCC CONNECTION OBJECTS 

 Connection --
 Connection name: 251b24ae-5b5c-454a-834a-c2b3d7dc3f6f
 Enabled: TRUE
 Server DNS name : pdc.abc.com
 Server DN name  : CN=NTDS
 Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abc,DC=com
 TransportType: RPC
 options: 0x0001
 Warning: No NC replicated for Connection!


 But when I add its numeric id in DNS (_msdcs.abc.com) with the additional
 domain controller name, it works; but after this I get a new error. Please
 help me to resolve this issue.

 /source4/dsdb/dns/dns_update.c:294: Failed DNS update -
 NT_STATUS_NOT_SAME_DEVICE

 This error shows in the additional domain controller log file...

 Regards
 Pradeep Pal







Re: [Samba] unable to log on to Samba shares remotely

2012-06-26 Thread Gaiseric Vandal
When you say remotely, do you mean from another computer, or do you mean
from another subnet?



If you recreated both samba accounts, and the two accounts behave
differently, then the problem may be in the underlying unix account.
Are the unix accounts defined in /etc/passwd?

I also find it interesting that the two users do NOT have user SIDs
that are sequential (or at least in a closer range).  Are you using
idmap to allocate


Can you run
#wbinfo -n user1
#wbinfo -n user2

This will show the user SIDs of the users

   # wbinfo -s sid_of_user_one
   # wbinfo -s sid_of_user_two


The name-to-SID and SID-to-name assignment should match up.

Also try the following
#id user1
# id YOURDOMAIN\user1  (if you are using winbind)

#id user2
# id YOURDOMAIN\user2




On 06/26/12 08:25, Claesen Dirk wrote:
 Dear,

 I have a working Samba 3.5.6 running on one of my servers onto which 
 (existing) users can successfully log on.
 Recently, I needed to add some projects and some users but I cannot succeed 
 in letting these new users access the shares.

 The smb.conf file is very small and I had only 4 users until now.
 In the following smb.conf, projA_dirs is only accessed by user1, while 
 projB_dirs is the new project I need to add and this one will be accessed by 
 user2
 user1 is accessing projA_dirs since years without any problem, user2 is the 
 one I fail to add.

 Contents of smb.conf:

 [global]
 workgroup = TECH_GRP
 server string = Samba %v on (%h)
 log level = 3
 log file = /usr/local/samba/var/log.%m
 max log size = 50
 dns proxy = No
 ldap ssl = no
 hosts allow = 192.168.5., 192.168.4., 192.168.3., 192.168.100.

  [all_dirs]
 comment = All directories on Server1
 path = /
 read only = No

 [projA_dirs]
 comment = All ProjectA directories on Server1
 path = /disk/projA/prod
 read only = No

 [projB_dirs]
 comment = All ProjectB directories on Server1
 path = /disk/projB/prod
 read only = No


 The initial samba setup was a migration from a Samba 2 server which used the 
 smbpasswd file. In order to convert this into a tdbsam, I used the command 
 pdbedit -i smbpasswd -e tdbsam at the time I set up the server. As written 
 earlier in this mail, this never caused any problems.

 Now that I need user2 to access projB_dirs, I did the following:
 -   Add projB_dirs to the smb.conf file
 -   Ran pdbedit -a user2 and provided the password

 After having added the share and the user I could access the new share with 
 the new user when working directly on the Samba server (server1). However, 
 when I try to connect from another Samba 3.5.6 server or from a Windows XP PC 
 I get respectively a session setup failed: NT_STATUS_LOGON_FAILURE or 
 System error 1326 has occurred. Logon failure: unknown user name or bad 
 password. error message. (there is no firewall blocking any ports between 
 the servers or between the PC and server1)


 The output of pdbedit does not show any major differences for the two users 
 to me:

 # ../bin/pdbedit -v -u user1
 Unix username:user1
 NT username:
 Account Flags:[UX ]
 User SID: S-1-5-21-1956562905-4024769754-4182693708-1500
 Primary Group SID:S-1-5-21-1956562905-4024769754-4182693708-513
 Full Name:user1 server1
 Home Directory:   \\server1\user1
 HomeDir Drive:
 Logon Script:
 Profile Path: \\server1\user1\profile
 Domain:   SERVER1
 Account desc:
 Workstations:
 Munged dial:
 Logon time:   0
 Logoff time:  never
 Kickoff time: never
 Password last set:Tue, 26 Jun 2012 13:38:36 CEST
 Password can change:  Tue, 26 Jun 2012 13:38:36 CEST
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours : FF

 # ../bin/pdbedit -v -u user2
 Unix username:user2
 NT username:
 Account Flags:[UX ]
 User SID: S-1-5-21-1956562905-4024769754-4182693708-1004
 Primary Group SID:S-1-5-21-1956562905-4024769754-4182693708-513
 Full Name:user2 server1
 Home Directory:   \\server1\user2
 HomeDir Drive:
 Logon Script:
 Profile Path: \\server1\user2\profile
 Domain:   SERVER1
 Account desc:
 Workstations:
 Munged dial:
 Logon time:   0
 Logoff time:  never
 Kickoff time: never
 Password last set:Tue, 19 Jun 2012 17:20:33 CEST
 Password can change:  Tue, 19 Jun 2012 17:20:33 CEST
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours : FF.


 Logging in with debug level 10 using smbclient from the other server gives me:

 ...
 got smb length of 35
 size=35
 smb_com=0x73
 smb_rcls=109
 smb_reh=0
 smb_err=49152
 smb_flg=136
 smb_flg2=51203
 smb_tid=0
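As an added example (not code from the thread), a small Python parser for the `pdbedit -v -u` listing format pasted above, with a field-by-field comparison of the two accounts and a few defender-side checks on the account flags; the sample text is constructed from the two listings, and the flag meanings follow pdbedit's flag letters.

```python
import re

# Constructed sample input: trimmed copies of the two listings in the post.
USER1 = """\
Unix username:user1
Account Flags:[UX ]
User SID: S-1-5-21-1956562905-4024769754-4182693708-1500
Primary Group SID:S-1-5-21-1956562905-4024769754-4182693708-513
Password last set:Tue, 26 Jun 2012 13:38:36 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
"""
# user2 differs only in name, RID and password date, as in the post.
USER2 = (USER1.replace("user1", "user2").replace("-1500", "-1004")
         .replace("26 Jun 2012 13:38:36", "19 Jun 2012 17:20:33"))

# "Field name[ spaces]:[ spaces]value" -- the colon may sit flush or padded.
FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

# pdbedit account-flag letters that matter for a security review.
FLAG_MEANING = {"D": "account disabled", "N": "no password required",
                "L": "locked out", "W": "workstation trust account"}

def parse_pdbedit(text):
    """Return {field: value} for one `pdbedit -v -u USER` listing."""
    out = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            out[m.group(1).strip()] = m.group(2)
    return out

def account_flags(rec):
    """Set of flag letters from a value like '[UX ]'."""
    return set(rec.get("Account Flags", "").strip("[] ").replace(" ", ""))

def rid(rec):
    """Relative identifier: the last component of the user SID."""
    return int(rec["User SID"].rsplit("-", 1)[1])

def diff_accounts(a, b, ignore=("Unix username", "User SID", "Full Name",
                                "Home Directory", "Profile Path")):
    """Fields that differ between two records, skipping per-user fields."""
    keys = set(a) | set(b)
    return {k: (a.get(k), b.get(k)) for k in sorted(keys)
            if k not in ignore and a.get(k) != b.get(k)}

def findings(rec):
    """Defender-side observations about one parsed account."""
    out = [FLAG_MEANING[f] for f in sorted(account_flags(rec) & set(FLAG_MEANING))]
    if int(rec.get("Bad password count", "0")) > 0:
        out.append("recent failed logons")
    if rec.get("Password must change") == "never":
        out.append("password never expires")
    return out
```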
 

[Samba] Fwd: Trying to update samba

2012-06-26 Thread Gaiseric Vandal
Typically, RPMs from RedHat or Fedora are pretty dependent on glibc and
other system libraries.  Newer versions of RedHat will have newer
versions of glibc, so the official packages are often not compatible
with older versions.

Sernet may have precompiled RPMs that may be useful.

http://sernet.de/en/samba/samba-3/


If not you will probably need to compile from source.   Or move to a
newer version of RHEL.



 Original Message 
Subject:[Samba] Trying to update samba
Date:   Tue, 26 Jun 2012 10:45:55 -0500 (CDT)
From:   j...@brewtoncityschools.org
To: samba@lists.samba.org



I have a server running samba-3.0.9-1.3E.10.  And I'm trying to update that so I
can now add Windows 7 PCs to my network.  The server is a Dell Poweredge 2850
running Red Hat Enterprise Linux EX release 3 (taroon update 8).  It's also
running Webmin version 1.580.  I wanted to download the update as an .rpm
thinking it would be easier and I would be able to run it from my webmin command
line.  I went to http://rpmfind.net/linux/rpm2html/search.php?query=samba to get the
.rpm.  I wasn't sure which one to try so I tried a few.  I would like to stay
away from Fedora if possible.  I ran the rpm from my command shell using the rpm -U
command.  That ended up giving me the error

error: Failed dependencies:
libacl.so.1(ACL_1.0) is needed by samba-3.6.3-34.12.1
libattr.so.1(ATTR_1.0) is needed by samba-3.6.3-34.12.1
libc.so.6(GLIBC_2.11) is needed by samba-3.6.3-34.12.1
libc.so.6(GLIBC_2.3.4) is needed by samba-3.6.3-34.12.1
libc.so.6(GLIBC_2.4) is needed by samba-3.6.3-34.12.1
libc.so.6(GLIBC_2.5) is needed by samba-3.6.3-34.12.1
libc.so.6(GLIBC_2.6) is needed by samba-3.6.3-34.12.1
libc.so.6(GLIBC_2.8) is needed by samba-3.6.3-34.12.1
libgssapi_krb5.so.2(gssapi_krb5_2_MIT) is needed by samba-3.6.3-34.12.1
libk5crypto.so.3(k5crypto_3_MIT) is needed by samba-3.6.3-34.12.1
libkrb5.so.3(krb5_3_MIT) is needed by samba-3.6.3-34.12.1
liblber-2.4.so.2 is needed by samba-3.6.3-34.12.1
libldap-2.4.so.2 is needed by samba-3.6.3-34.12.1
libnscd.so.1 is needed by samba-3.6.3-34.12.1
libnscd.so.1(LIBNSCD_1.0) is needed by samba-3.6.3-34.12.1
libpam.so.0(LIBPAM_1.0) is needed by samba-3.6.3-34.12.1
libpam.so.0(LIBPAM_EXTENSION_1.0) is needed by samba-3.6.3-34.12.1
libpopt.so.0(LIBPOPT_0) is needed by samba-3.6.3-34.12.1
libtalloc.so.2 is needed by samba-3.6.3-34.12.1
libtdb.so.1 is needed by samba-3.6.3-34.12.1
libwbclient.so.0 is needed by samba-3.6.3-34.12.1
samba-client = 3.6.3 is needed by samba-3.6.3-34.12.1
rpmlib(PayloadIsLzma) = 4.4.6-1 is needed by samba-3.6.3-34.12.1



Then I tried rpm -U --nodeps.  The new error message I received was

error: unpacking of archive failed: cpio: Bad magic




I'm not really familiar with this OS so any help would greatly be appreciated.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



Re: [Samba] Fwd: Trying to update samba

2012-06-26 Thread Gaiseric Vandal
If you don't want to spend money on RHEL, you can always look at CentOS
(which is a clone of RHEL) or Fedora.

I don't know if you can do an upgrade installation from RHEL to CentOS
or Fedora.   I think not.  But since either OS will support the ext3
file system used by RHEL, you should be able to backup your
configuration files, install RHEL or Fedora while preserving your data
partitions.

Note.  I found out the hard way that Fedora does NOT necessarily support
the same firmware raid drivers as RHEL.   Make sure you have a backup of
your data just in case.




On 06/26/12 13:01, j...@brewtoncityschools.org wrote:
 Thanks I'll check and see what a newer version of RHEL is going to cost me.  I
 was thinking that was the problem.  I'll also look into Sernet.

 Thanks again





Re: [Samba] Two attempts required to join domain

2012-06-17 Thread Gaiseric Vandal
You could put the machines in a sub-container under "people", or have
"people" and "computers" as subs under "user accounts". That way Samba can
search the entire "accounts" or "people" subtree, BUT you can restrict other LDAP
services that use "people" to not be recursive.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Bill Arlofski
Sent: Sunday, June 17, 2012 4:16 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Two attempts required to join domain

bump

I'd prefer to not have to put machine accounts into the People OU for all
the obvious reasons, but I may be forced to in order to have the end-user
(e.g. our customer) experience be a smooth one.

Any idea on what might cause the behavior I am seeing described on the 13th
below?

Thanks for any help!

--
Bill Arlofski
Reverse Polarity, LLC

On 06/13/12 18:55, Bill Arlofski wrote:
 Hi Everyone.
 
 I have run across an issue that is driving me crazy. This is a new 
 deployment of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools 
 v0.9.8
 
 
 When trying to join the domain, on the first attempt the machine 
 account is properly created in the correct ou - e.g. 
 ou=Computers,dc=domain,dc=local
 
 But the "failed to join domain" pop-up with reason of "The user name 
 could not be found" is displayed (which really means the machine name 
 was not found in LDAP) and of course the machine is not yet a domain member.
 
 However, a 2nd attempt to join the domain with the same credentials, 
 immediately after the failure results in a Welcome to the X domain 
 and the machine is now a domain member.
 
 
 Setting the openldap slapd loglevel to 416 to show the queries during 
 this process reveals the following:
 
 On 1st join attempt Samba searches the whole directory from 
 dc=domain,dc=local with a scope of 2 (sub) for uid=MyMachine,
 objectClass=sambaSamAccount.
 
 It of course does not find it, so the smbldap-useradd script is called 
 and the machine account is properly added to ou=Computers.
 
 Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local 
 for the newly created machine account and of course does not find it. 
 And the failed to join domain pop-up is displayed on the WinXP machine.
 
 On the second join attempt, Samba _ONLY_ searches 
 ou=Computers,dc=domain,dc=local, which is where it SHOULD search for 
 machines as defined everywhere in my configs and it finds the machine 
 and the machine successfully joins the domain.
 
 If I set all configs - samba, smbldap etc to be such that computers 
 are in the People organizational unit, then joining the domain works 
 on the first try, every time.
 
 Also, if I un-join the domain, but leave the machine account in LDAP 
 in ou=Computers and then re-join the domain, this always works on 
 first try too since Samba's initial scope 2 sub search of the 
 directory starting at the top will find the machine account under 
 ou=Computers.
 
 Can someone offer guidance as to why during the new machine creation 
 process (joining a domain) Samba does not look for the machine in the 
 defined machines ou but always in the People ou?
 
 Thank you in advance for any help on this!
 
 --
 Bill Arlofski
 Reverse Polarity, LLC



Re: [Samba] Samba 64 bit compilation

2012-06-15 Thread Gaiseric Vandal
This is probably a compiler question rather than a Samba question.
For GCC, I believe that you want to pass the -m64 flag to CPPFLAGS,
CFLAGS and other environment variables.

On 06/15/12 08:44, prabu.muru...@emc.com wrote:
 It is for Solaris 9 and 10 Sparc machines. 

 Thanks,
 Prabu

 -Original Message-
 From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com] 
 Sent: Thursday, June 14, 2012 2:49 AM
 To: Murugan, Prabu; Samba
 Subject: Re: Samba 64 bit compilation

 Which platform?

 If on Solaris 10 sparc, GCC (either from Sun or sunfreeware.com) should be 
 64-bit by default.

 GCC from Sunfreeware for Solaris 10 x86 will compile 32-bit by default.

 For Solaris, you are better off using Sun Studio and Dmake.  Actually, you 
 are better off just using the compiled version from Oracle/Sun.




 On 06/13/12 02:08, prabu.muru...@emc.com wrote:
 Hi,

 Have tried to compile Samba 64-bit. By default it is compiling 32-bit. 
 Google doesn't give much info about it.
 Please share your experience on 64-bit Samba.

 Thanks,
 Prabu





Re: [Samba] how to automount a kerberos cifs share

2012-06-13 Thread Gaiseric Vandal
How about if you use NFS v4 with kerberos instead of CIFS?



On 06/13/12 14:58, steve wrote:
 Hi

 I have an automount map:
 * -fstype=cifs,sec=krb5 ://server/share/

 It works fine, but only if Administrator has tickets. I can't do that
 on every client!

 Is there any way I can store the Administrator key in a keytab and use
 that? Or any other solution?

 Cheers,
 Steve



