Re: [Samba] AD + Samba/OpenLDAP

2010-06-22 Thread Jamrock

Raul da Silva {Sp4wn} sp4wn.r...@gmail.com wrote in message
news:aanlktiktb3-jgczndyivjarfmj0soodqpfebmi3yo...@mail.gmail.com...
 Hi all,

 Does anybody know if it is possible to implement a replica sync between AD and
 Samba3x/OpenLDAP using idmap backend to authenticate clients in
 Samba3x/OpenLDAP server once it has been synchronized with AD?


The ability to replicate is done at the directory services level and not at
the samba level.  When last I checked, OpenLDAP did not support
replication with AD.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba + LDAP problem for find user name

2009-10-28 Thread Jamrock

Bruno Steven aspe...@gmail.com wrote in message
news:c6bf33680910270225n6b5423e5te193e27399144...@mail.gmail.com...
I have Samba integrated with OpenLDAP, all processes are up and I am trying
to add one Windows XP SP3 machine to the Samba domain, but Windows shows this
message:  Error while the attempt  of entry in domain amblivre.com  Is not
possible find user name

I am tired because I haven't found any solution to this problem. I need
some ideas ...

Thanks ...

Have you set up nss ldap?

When you type getent passwd do you see the users created in ldap as well
as those in the /etc/passwd file?

When you type getent group do you see the groups created in ldap as well
as those in the /etc/group file?





Re: [Samba] Password-less share, for certain users.

2009-09-03 Thread Jamrock
Michael Heydon micha...@jaswin.com.au wrote in message
news:4a9f440c.4010...@jaswin.com.au...
 On 3/09/2009 11:04 AM, Jamrock wrote:
  Try the valid users option in the smb.conf.  If I remember correctly, you
  can set this to a group.  That way only the members of the group should have
  access to the share.
 
  valid users = @accounts
 
 If they connect as a guest, then there is nothing to compare against the
 valid users setting.

If they connect as guest there is no way to restrict specific users to the
share.  All users would be logged in as guest.

If they are on a network and are authenticated, they can access the share
without having to enter an additional password.

The valid users command would then restrict  specific users to the share.

Another way to do this is to use the Linux security logic to restrict access
to the share.  I prefer this approach.





Re: [Samba] Question regarding access to shares from LOCALadministrator account

2009-09-03 Thread Jamrock
Jobst Schmalenbach jo...@barrett.com.au wrote in message
news:20090903032607.ga4...@senna.barrett.com.au...

 Hi.

 How do I give access to shares from the LOCAL administrator account to a
 share(s) on the samba server?
 (workstation is domain member, without the need to specify a password).

 -- smb.conf
   domain logons = Yes
   os level = 200
   domain master = Yes
   security = user
 --

 I have read chapters 12,13,15 but there seems to be no way I can put the
 local administrator into /etc/group nor mapping it via net groupmap.
 I can do it the other way around i.e. mapping a local group to a group
 on the server, but for one share only I need to have access for the local
 administrator to the share on the server.


 Jobst

I hope I understand your question.  I think you want the local administrator
on a workstation to access a share on a server.

The local administrator account on a workstation exists only on that
workstation.  It cannot access shares on another machine.

This is so with Samba and Windows.

I would do the following:

Create a domain user account

Add it to the local administrator's group on the workstation

Grant it access to the share on the Samba server







Re: [Samba] Password-less share, for certain users.

2009-09-02 Thread Jamrock

JDE soc...@gmail.com wrote in message
news:7378bb590909021452g60ffb721o5b21d1bd38fb...@mail.gmail.com...
 Is it possible to have a password-less share available to only
 certain users? I've been searching all over and could not find
 anything.

Try the valid users option in the smb.conf.  If I remember correctly, you
can set this to a group.  That way only the members of the group should have
access to the share.

valid users = @accounts





Re: [Samba] ldap? Samba? Nss?

2009-08-27 Thread Jamrock
sgm...@mail.bloomfield.k12.mo.us wrote in message
news:1247.204.184.27.217.1251396091.squir...@mail.bloomfield.k12.mo.us...
 It seems my logins are taking a long time to get logged in.  I am guessing
 that it is worse when classes start and a lot of the kids try to login at
 once.  My old server did not seem to have this problem though and we have
 the same number of students.

 Where should I start looking at this?  I am guessing that it is ldap, but
 want to make sure.

 If I log in at a computer and go to start-run and type \\server, it may
 take 1-2 minutes until I can see my shares which is the same thing the
 students are seeing when logging into the domain.  I just wanted to leave
 any profile copying out of the equation so I just did it this way.

Do you have a db_config file set up?  This usually makes a significant
improvement in Openldap's performance.





[Samba] Version of OpenLDAP to use with Samba

2009-07-29 Thread jamrock
I have been using an old version of OpenLDAP on my Samba servers.  I am
setting up a new server and want to use a more recent version.

What versions of OpenLDAP are people on the forum using with Samba?





Re: [Samba] Version of OpenLDAP to use with Samba

2009-07-29 Thread jamrock

jamrock news_jamr...@yahoo.com wrote in message
news:h4pdri$c9...@ger.gmane.org...
 I have been using an old version of OpenLDAP on my Samba servers.  I am
 setting up a new server and want to use a more recent version.

 What versions of OpenLDAP are people on the forum using with Samba?





Thanks for all the answers.

What version of Berkeley database are you using with OpenLDAP?  I have read
of issues with certain versions of this database.






[Samba] Re: can't access samba PDC after power cut

2009-07-06 Thread jamrock
Leonardo Carneiro lscarne...@veltrac.com.br wrote in message
news:4a5268e1.2080...@veltrac.com.br...
hello guys,

after a power cut this weekend, the filesystem of the machine running
samba+ldap was corrupted. I did a fsck and all other services on the
machine are running fine now, but I cannot access the samba shares and
cannot join/log in to the domain.
On the windows machines it just shows a message: the network path is not
found.

Can you search the ldap directory using the standard ldap tools, e.g.
ldapsearch?

If not, the problem could be with ldap and not Samba.





[Samba] Re: Moving premises, new server at new building

2009-05-14 Thread jamrock
Michael Heydon micha...@jaswin.com.au wrote in message
news:4a0b63cc.1080...@jaswin.com.au...
 Hi all,

 Our company is looking at moving premises some time next year, the plan
 at the moment is to have a new server room with all new servers set up
 at the new building prior to moving the workstations over. I'm wondering
 if anyone has done anything like this and what the best way to proceed is.

 We are using an LDAP backend. I am not completely averse to unix UIDs
 changing (although I would rather they didn't), I *REALLY* don't want to
 have to manually rejoin everyone to the domain though.

 We have two internet connections at the old building, one is slow and
 cheap, the other is faster and relatively expensive. The connection at
 the new building will be fast and cheap. So it would be possible to sync
 data between systems in the lead up to the change over as long as it
 wasn't too much data.


All the user/computer names and passwords are stored in your LDAP directory.
I would take the following approach.

Make sure the new server is not on the network.  You do not want two
machines with the same Netbios name on a network.

Install LDAP on a new machine

Install Samba on a new machine.

Copy across your smb.conf file to the new server

Use the net setlocalsid command to set the SID to the same one used by the
existing Samba machine.  See Managing Security Identifiers in the Official
How To.

Use the smbldap tools to create your initial LDAP entries.

Export your existing LDAP directory to a ldif file.  You may want to remove
the initial LDAP entries created by the smbldap tools.

Import your existing LDAP directory into LDAP on the new server.

You should now have a duplicate of your existing server.  You should not
need to re-add the machines to the network.

I used this approach when I needed to re-install my domain controller from
scratch.  Let us know if it works.
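
A check that fits the import step above, as an added example that is not part of the original post: once the SID has been set and the LDIF imported, every domain-relative sambaSID in the directory should carry the server's domain SID. The script parses an LDIF export (handling folded lines and base64 values) and lists the entries that do not; the sample entries, SID values and function names are constructed for illustration.

```python
import base64

# Constructed values: LOCAL_SID stands for the SID that "net getlocalsid"
# reports on the new server; FOREIGN_SID is an account left over from
# some other domain.
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"
FOREIGN_SID = "S-1-5-21-999999999-888888888-777777777-3004"

# Constructed sample shaped like an export of a Samba 3 LDAP directory.
SAMPLE_LDIF = f"""\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: {LOCAL_SID}

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaSID: {LOCAL_SID}-3000
sambaPrimaryGroupSID: {LOCAL_SID}-513

# machine account whose SID is folded across two lines
dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: ws01$
sambaSID: S-1-5-21-1111111111-2222222222-33333
 33333-3002

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaSID:: {base64.b64encode(FOREIGN_SID.encode()).decode()}

dn: cn=Administrators,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
cn: Administrators
sambaSID: S-1-5-32-544
"""

SID_ATTRS = ("sambasid", "sambaprimarygroupsid")


def parse_ldif(text):
    """Return a list of {attr_lowercase: [values]} dicts, one per entry."""
    # Unfold first: a line starting with one space continues the previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def domain_part(sid):
    """Domain SID of a domain-relative SID, or None for well-known SIDs."""
    parts = sid.split("-")
    # S-1-5-21-a-b-c[-rid]: the first seven fields identify the domain.
    if len(parts) >= 7 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None                             # e.g. builtin S-1-5-32-544


def find_sid_mismatches(ldif_text, local_sid):
    """List (dn, attribute, sid) for SIDs that belong to another domain."""
    mismatches = []
    for entry in parse_ldif(ldif_text):
        for attr in SID_ATTRS:
            for sid in entry.get(attr, []):
                dom = domain_part(sid)
                if dom is not None and dom != local_sid:
                    mismatches.append((entry["dn"][0], attr, sid))
    return mismatches


if __name__ == "__main__":
    for dn, attr, sid in find_sid_mismatches(SAMPLE_LDIF, LOCAL_SID):
        print(f"{dn}: {attr} {sid} is not in domain {LOCAL_SID}")
```

An empty result means the imported accounts and the server agree on the domain SID, which is the condition under which workstations should not need to be re-joined.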





[Samba] Re: Re: net vampire and WIn2003 AD

2009-05-11 Thread jamrock
Liutauras Adomaitis liutauras.adomai...@gmail.com wrote in message
news:c1ec9ac0905110017g50d7042fn458e7e5e9b209...@mail.gmail.com...
 On Mon, May 11, 2009 at 5:16 AM, jamrock news_jamr...@yahoo.com wrote:

  Liutauras Adomaitis liutauras.adomai...@gmail.com wrote in message
  news:c1ec9ac0905090805j37fd0255ge2a1f44915326...@mail.gmail.com...
   Hello Samba People,
  
   it is my first letter to Samba ML, so first of all - thanks Samba team for a
   great SW.
  
   Now the question:
   I want to migrate from Win2003 AD to Samba 3.3.2. I want to use net vampire
   feature to import all account information (is there any other way to do
   it?).
 
  When last I checked, net vampire only worked with Windows NT 4.  Seamless
  migration from Windows 200x is only expected with Samba 4.
 
 
 Are you saying, that I should forget for now migration from AD? It is a pity
 then.

 Liutauras

There is one option you can try.  I have read of it but never tried it.

The directory structure of Active Directory is based on LDAP technology.
Microsoft has a document entitled Active Directory LDAP Compliance which
explains this.

Active Directory contains a tool called LDIFDE which can be used to export
AD objects to a ldif file.  Go to http://support.microsoft.com/ and do a
search for ldif to find some documentation.  The LDAP naming conventions
for AD are different from OpenLDAP so I suspect you will have to edit the
file.

I guess you would need to use the dos2linux command to change the file to a
format Linux could use.  You would then need to find and replace things like
the object's SID.

Let me know how it works out.  Just one of those things I have never gotten
around to testing.





[Samba] Re: net vampire and WIn2003 AD

2009-05-10 Thread jamrock
Liutauras Adomaitis liutauras.adomai...@gmail.com wrote in message
news:c1ec9ac0905090805j37fd0255ge2a1f44915326...@mail.gmail.com...
 Hello Samba People,

 it is my first letter to Samba ML, so first of all - thanks Samba team for a
 great SW.

 Now the question:
 I want to migrate from Win2003 AD to Samba 3.3.2. I want to use net vampire
 feature to import all account information (is there any other way to do
 it?).

When last I checked, net vampire only worked with Windows NT 4.  Seamless
migration from Windows 200x is only expected with Samba 4.





[Samba] Re: Samba and LDAP

2009-05-08 Thread jamrock
Pete Clapham peteclap...@sbcglobal.net wrote in message
news:992435.73367...@web80508.mail.mud.yahoo.com...
Hi, all --

I am trying to set up an additional domain server within my network
using SAMBA and LDAP. There's a problem that I think is with LDAP. If
any of you have set up a system like this, I would appreciate your
expertise.


What documentation are you using?





[Samba] Re: Domain Server Problem

2009-05-06 Thread jamrock

Pete Clapham peteclap...@sbcglobal.net wrote in message
news:850942.27310...@web80503.mail.mud.yahoo.com...
Hi --
I am trying to set up an additional domain server (not PDC or BDC), so
that students can get to the material on the server. When I type net use
w: \\water\archive (where water is the domain server and archive is a
share), I invariably get the message that I need to input a user ID and
password. If I put in my own ID/Password for the server (even though it's
identical with the ID/password on the PDC) it goes through fine. However,
if I am logged on to the network as another user and put in his/her
ID/Password it doesn't work.

My User ID/Password are the only combination on both the PDC and the
additional server. If I try to log onto the additional server with a User
ID/Password that's valid on the domain it doesn't work; If I try to log
onto the additional server with a User ID/Password that's valid on the
additional server it doesn't work. It would seem that SAMBA is looking at
the Unix ID/Password on the PDC and the SMBPasswd on the additional
so far that's mine.

Does this make sense to anybody? And what do I need to do? I do have
authentication set on the Additional Domain server to DOMAIN. Doesn't this
mean that SAMBA should be reading both the Unix and SMBPasswd files on the
PDC?

Perhaps I can shed some light on this.

Samba runs as a service on a Linux box.  In this way it is different from
Windows which is the underlying operating system.

For a user to access a Linux machine and its services, he must have a
username and password on that machine.

One option is to use the /etc/passwd file and another is to use LDAP.
Either way, the Linux box will have to authenticate the user before he can
access the box or its services.

Samba gets around this by mapping the Samba account to the underlying Linux
account.  When you create a Samba user, the corresponding Linux account is
created with the same name.  If LDAP is not being used, the user exists in
the smbpasswd and passwd files.   If LDAP is being used, the Samba and Linux
account information are both stored in a single LDAP record.

This is easy to understand on a PDC since Samba creates both accounts on the
machine.

If you want to access an additional Linux machine, you must add the users to
the file/database against which the machine is authenticating users.  If you are
using LDAP it is easy.  Simply configure the additional machine to
authenticate users against the same LDAP directory that the PDC uses.  As
far as the Linux box is concerned, the user is authorized for access since
his account can be authenticated against a user/password source.

If LDAP is not being used, one needs to find a way to automatically add the
users to the additional Linux box.  One can create add user scripts to
achieve this.

Chapter 7 of Samba by Example explains your options.  Read the entire
chapter.  Pay special attention to the section entitled NT4/Samba Domain
with Samba Domain Member Server without NSS Support.

It explains how the add user script automatically creates the Linux user
accounts when the users try to gain access to the additional machine.

The following steps may be followed to implement Samba with support for
local accounts. In this configuration Samba is made a domain member server.
All incoming connections to the Samba server will cause the look-up of the
incoming username. If the account is found, it is used. If the account is
not found, one will be automatically created on the local machine so that it
can then be used for all access controls. 

We used this approach in the Samba 2.x days when LDAP support was not as
extensive as it is today.

I would recommend using LDAP for authenticating against multiple Samba
servers.  It is a much cleaner solution since only a single
username/password source is required.






[Samba] Error when subscribing to list

2009-05-05 Thread jamrock
When I try to subscribe to the Samba mailing list at
https://lists.samba.org/mailman/  I get the following message in Firefox:

Secure Connection Failed
lists.samba.org uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

(Error code: sec_error_unknown_issuer)

* This could be a problem with the server's configuration, or it could be
someone trying to impersonate the server.

* If you have connected to this server successfully in the past, the error
may be temporary, and you can try again later.

Is this normal?





[Samba] Re: some question about BDCs

2009-04-26 Thread jamrock
I have the exact same questions.

I had a PDC using a master LDAP server and a few BDCs using slave LDAP
servers.

Now, I upgraded LDAP to replicate in multi-master mode and set PDC and
BDCs point to these LDAP servers.  In my current setup, what is the
difference between the PDC and a BDC?

Nothing has changed as far as Samba is concerned.  The rules for updating
the LDAP databases are now governed by the standard rules governing
multi-master replication for the LDAP software.

When an administrator adds a computer or user to the domain from a
Windows machine, how does the Windows machine decide which DC to contact?

The machine will contact the PDC and the PDC will contact the LDAP server
specified in its smb.conf file.

The LDAP software will take it from that point.

Take a look at chapter 5 in the Official Samba Howto.

Pay special attention to the section entitled LDAP Configuration Notes.





[Samba] Re: some question about BDCs

2009-04-26 Thread jamrock
 So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP), can
 BDC update machine and/or user information or not? As I understood, only the
 LDAP solution is suitable for a PDC-BDC setup, because domain member
 servers and workstations periodically change the Machine Trust Account
 password, so BDC has to update some data.
 As I understood, BDC can change at least Machine Trust Account passwords.

Here is my understanding of the situation.

Samba does not manage replication.  Replication  is managed by the LDAP
software that is used with Samba.

The rules governing replication are the same rules that apply to any other
LDAP database.

If you set up master/slave replication on OpenLDAP, requests sent to the BDC
to update records will be redirected to the master LDAP server.  When the
master server has been updated, the changes will be propagated to the slave
LDAP server.  The process is no different from any other OpenLDAP database.

 Additional question: can a user change his/her login password, when he/she
 connected to the BDC (in case PDC is available and in case PDC is
 temporarily unavailable)? I read in TOSHARG2 too that in the BDC's smb.conf,
 I don't need user/group modification scripts, so I guess, I cannot
 add/modify them from the BDC.

You do not need the user/group modification scripts on a BDC because the
slave LDAP server does not update the database.

The rules governing multi-master replication will depend on the rules
governing multi-master replication for the LDAP software you implement.





[Samba] Re: Some questions about Samba and LDAP

2009-04-11 Thread jamrock

Olivier Nicole o...@cs.ait.ac.th wrote in message
news:200904101109.n3ab9lai026...@banyan.cs.ait.ac.th...
 - in slapd configuration, what are the minimum accesses (ACL) that
   should be granted to the various attributes of samba schema? By
   default my LDAP server is quite protected and allows no access to
   any attribute, unless specified otherwise.

   I could find:

   ## allow the ldap admin dn access, but deny everyone else
   access to attrs=SambaLMPassword,SambaNTPassword
       by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
       by * none

You may want to add the following:

by self write
by * auth

This should allow the user to change his password and authenticate against
his password.


   But what about the other attributes?

From what I have seen the users do not need access to the other attributes.
Samba checks them but not the user.

 - I have my users database existing in LDAP, how can I add Samba
   support?

I don't know of any easy way.  I would do it the other way around.  I would
create a new Samba ldap directory using the standard approach.  I would then
add the Samba accounts.  I would dump out the existing ldap directory to a
ldif file and then use ldapmodify to add the other attributes to the samba
accounts.

I have never tested this but this is the approach I would try.

   I understand that I should modify the objectClass of each
   user to include sambaSamAccount, but then each user must also have
   an attribute sambaSID. How can I generate that attribute?

The smb-ldap tools are the best way to create the initial ldap entries for
Samba.  They create the standard Windows groups such as domain
administrators, guests, domain users, etc.  In addition, they allow you to
manage the addition and deletion of Samba accounts via ldap.

The SID is created the first time you start Samba.  The scripts add the
SID to each ldap account.

See chapter 5 Making Happy Users of Samba by Example.  The book is
available on www.samba.org.

 - Is there a way to implement filter on the list of users? Nss_ldap,
   pam_ldap for example allow to configure an optional filter, so only
   the users with the correct attribute will have access to a specific
   service (I separate the users that can log to their Unix account
   onto the machine from the users that can use a specific service on
   that machine). Is there a similar filter with Samba or should I
   differentiate with the use/unuse of objectClass sambaSamAccount?

AFAIK, accounts that do not have the Samba specific attributes will not be
recognized by Samba.

 - All what I read so far mention updating the sambaLMPassword and
   sambaNTPassword with the command smbpasswd. I already have a set of
   tools that I use to manage the users account (and that synchronize
   account/password on many systems (database, radius, etc)), what can
   I use to manage sambaLM/NTPassword within my local tools?

I use the Windows NT tools User Manager for Domains and Server Manager.
They should be located on a Samba share and accessed from a Windows
workstation.

I manage user passwords differently from you.  I put the following line in
my smb.conf file

ldap passwd sync = yes

When a user changes his Windows password, it changes the standard passwd
value in ldap.



 Best regards,

 Olivier
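
The ACL from this exchange with the suggested `by self write` and `by * auth` clauses, together with a small checker, as an added example that is not part of the original posts. It applies slapd's first-match rule to two constructed slapd.conf fragments and reports which clients end up with more than `auth` on the password-hash attributes; the function names and the catch-all `access to *` rule are assumptions, and dn/filter scoping in the `<what>` clause is not modelled.

```python
import shlex

# slapd access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
HASH_ATTRS = ["sambaLMPassword", "sambaNTPassword"]
ADMIN_DN = "cn=Samba Admin,ou=People,dc=quenya,dc=org"   # DN from the quoted ACL

# Constructed fragment: the hash ACL comes before the catch-all rule.
GOOD_CONF = '''\
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
    by self write
    by * auth

access to *
    by * read
'''

# Constructed fragment: same rules, but the catch-all is listed first and
# therefore shadows the hash ACL.
SHADOWED_CONF = '''\
access to *
    by * read

access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
    by self write
    by * auth
'''


def parse_acls(conf):
    """Return [(what_tokens, [(who, level), ...]), ...] in file order."""
    directives = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and directives:
            directives[-1] += " " + line.strip()     # continuation line
        else:
            directives.append(line.strip())
    acls = []
    for directive in directives:
        tok = shlex.split(directive)                 # keeps quoted DNs whole
        if len(tok) < 3 or tok[0].lower() != "access" or tok[1].lower() != "to":
            continue
        first_by = tok.index("by") if "by" in tok else len(tok)
        clauses = []
        for t in tok[first_by:]:
            if t == "by":
                clauses.append([])
            else:
                clauses[-1].append(t)
        by = [(c[0], next((x for x in c[1:] if x in LEVELS), "none"))
              for c in clauses if c]
        acls.append((tok[2:first_by], by))
    return acls


def rule_covers(what, attr):
    """True if the <what> clause applies to attr."""
    for w in what:
        if w == "*":
            return True
        if w.lower().startswith(("attrs=", "attr=")):
            return attr.lower() in w.split("=", 1)[1].lower().split(",")
    return True          # only dn=/filter= given: all attributes of those entries


def who_matches(who, client):
    """client is 'anonymous', 'self', 'other', or a bind DN."""
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return client == "anonymous"
    if w == "users":
        return client != "anonymous"
    if w == "self":
        return client == "self"
    if w.startswith(("dn=", "dn.exact=", "dn.base=")):
        return who.split("=", 1)[1].lower() == client.lower()
    return False         # group=, peername= and similar are not modelled


def effective_access(conf, attr, client):
    """First <what> covering attr wins; inside it, first matching <who> wins."""
    acls = parse_acls(conf)
    if not acls:
        return "read"    # slapd default when no access directive exists
    for what, by in acls:
        if rule_covers(what, attr):
            for who, level in by:
                if who_matches(who, client):
                    return level
            return "none"                            # implicit "by * none"
    return "none"                                    # implicit "access to * by * none"


def exposed_hashes(conf):
    """Hash attributes on which anonymous or other users get more than auth."""
    limit = LEVELS.index("auth")
    return [a for a in HASH_ATTRS
            if any(LEVELS.index(effective_access(conf, a, c)) > limit
                   for c in ("anonymous", "other"))]


if __name__ == "__main__":
    print("good conf exposes:", exposed_hashes(GOOD_CONF))
    print("shadowed conf exposes:", exposed_hashes(SHADOWED_CONF))
```

The second fragment shows why rule order matters: slapd stops at the first `access to` directive that covers the attribute, so a catch-all placed above the hash ACL makes the LM and NT hashes readable.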


[Samba] Re: A question about BDC

2009-04-08 Thread jamrock
Germán Bobr ger...@tybsa.com wrote in message
news:1238684268.6802.1.ca...@german64...
Is it possible to set up a PDC in the office and a BDC in a datacenter
to allow remote clients connect at high speed?

Yes it is.  You can use a LDAP database to store your usernames and
passwords.  You can use the native LDAP replication to update your BDC when
changes to user accounts are made on the PDC.





[Samba] Re: What is the purpose of add user script?

2009-03-30 Thread jamrock

MargoAndTodd margoandt...@gmail.com wrote in message
news:49d03571.8040...@gmail.com...
 Hi All,

 I am confused.  In one of the examples of a PDC,
 the following smb.conf parameter is given:

 add user script = /usr/sbin/useradd -m -G users '%u'

 If you have passdb backend = tdbsam and the way
 to add users to tdbsam is pdbedit -a -u username,
 what is the purpose of the add user script?

 I am thinking it is to add the user to /etc/passwd,
 but why?  I add my users from the command line.
 I invoke useradd then pdbedit.

 What is the purpose of the add user script?

 Many thanks,
 -T

To use a Linux box, a user must have a Linux account.  Samba runs as a
service on a Linux box.  Each Samba user must have a Linux account in order
to access the Linux box.

When you create a Samba user, the add user script creates a Linux user with
the same name.  If LDAP is not being used, the Linux user is created in the
/etc/passwd file.

If LDAP is being used, the Linux specific attributes are added to the LDAP
entry.

When you set security on a Linux folder, you are actually setting security
on the user's Linux account.  The Samba user is mapped to the Linux account.
Therefore security restrictions that apply to the Linux user, apply to the
Samba user.

Take a look at chapters 12 and 13 in the Official Samba Howto.  It is
available at www.samba.org.





[Samba] Re: Win XP Client password change nightmare.

2009-03-26 Thread jamrock
Arturo Limon limonav...@gmail.com wrote in message
news:a8671ab0903251632ob882235ofbd1c4e92bd6e...@mail.gmail.com...
Hello,

I have set up a Samba server with CentOS 5.2 and Samba 3.0.28-1.el5_2.1 (the
CentOS included version).

I have configured Samba as a PDC following Samba-3 by example chapter 3,
Secure Office Networking. No DNS or DHCP active, as far as for now this is
just a test environment.

Most of it works fine, but trying to change user passwords for a MS-Windows
test computer (USRMGR.EXE from SRVTOOLS), has proved to be a nightmare. I
always get an Access Denied (Aceso denegado) error message. Connection from
MS-Windows computer is done as Administrator (root).


Make sure that the usrmgr.exe and srvtools.exe are located on a Samba share
and not on the workstation.




[Samba] Re: Samba LDAP troubleshooting

2009-03-13 Thread jamrock
Brad C bradleydanec...@gmail.com wrote in message
news:2d2102ba0903130148g251b0e70l7fc2f48894730...@mail.gmail.com...
 Hello


 On the topic, anyone have a good book to recommend on Samba, I feel I am
 only using 10% of its capability and not really well at that... something is
 staring me in the face and I'm missing it.


The best books I have seen are the Official How To and Samba by Example.
Both are available in the Learn Samba section at www.samba.org.

You can purchase Samba by Example in book stores.  It is also available
online at Amazon or Barnes and Noble.

Samba by Example gives you step by step instructions re: setting up various
types of Samba machines.  The Official How To explains a lot of the concepts
re:  how Samba works.

You can use Samba by Example to learn how to set up a PDC.  You can then use
the Official How To in order to get a deeper understanding of how SID's work
or how Linux to Windows user mapping works.





[Samba] Re: Changing Domain Passwords

2009-03-09 Thread jamrock

Nigel Allen d...@edrs.com.au wrote in message
news:49b4665b.9010...@edrs.com.au...

 Greetings

 Can anyone tell me if this is possible?

 Given a network of Linux based servers with a Linux based PDC (Centos
 3.9) running samba 3.0.26a and NIS with Windows-XP clients, we want to
 enforce password changing policies for the Windows Domain.

 We want to have users able to change their own passwords at required but
 with some control over minimum complexity, re-use etc. We want them to
 be able to change their passwords from the XP workstations and have that
 change propagated to samba and to NIS without any intervention.

 I have tried to implement this but seem to constantly run into problems
 with PAM. If we switch off pam password change in smb.conf, we can
 change passwords from the workstation but they don't get propagated. The
 only way I have been able to achieve what we want is by getting someone
 with root access to change passwords for the end users (not something we
 want to make a habit of).

 Any input would be /very/ gratefully accepted.

 Rgds

 Nigel.




I find it a lot easier to set up Samba using OpenLDAP for authentication.  I
use the NT 4.0 tool User Manager for Domains to manage users.

Take a look at Samba by Example for detailed information on creating a PDC
with Samba and LDAP.  Chapter 5 Making Happy Users has this info. and
more.

It is important to set all of this up in a test environment before making
changes to your production system.

You may also want to use more recent versions of  CentOS and Samba.





[Samba] Re: problem when PDC machine name equals domain name

2009-03-04 Thread jamrock
robert rottermann rob...@redcor.ch wrote in message
news:49ae7fde.4040...@redcor.ch...

 is it not possible, that a machine name and the domain name are the same?

 thanks for your help

 robert


I would not recommend using the same name for the PDC and the domain on a
Windows or Samba network.





[Samba] Re: Rename a PDC

2009-03-02 Thread jamrock
David Wells d.we...@vitalcan.com.ar wrote in message
news:499db663.3050...@vitalcan.com.ar...
 Hi all

 I'm faced with the task to rename (its fqdn and its netbios name)
 a samba server running on Linux that acts as a PDC for a domain that has
 its information in an LDAP backend and I was wondering, if anyone
 knows, what complications could I expect from this, for example,
 regarding the SID of the domain users and their roaming profiles.

 Any input will be greatly appreciated.

 Best regards, David Wells.



I haven't done this in a while.  I don't remember all the issues.  Changing
the name of the server is likely to change the machine's sid.

You could take a look at the net setlocalsid command to reset the new sid
back to the one that exists in your ldap database.

Take a look at the Samba How To.  Chapter 13 has a section, Managing
Security Identifiers (SIDS).

Another option is to modify the ldap database and replace the old sid with
the new one.  I would try the net setlocalsid command first.  This may cause
some issues with the roaming profiles.

I would recommend setting up a test domain and testing these options
properly before making changes to your production domain.





[Samba] Re: Samba AD auth - Backup?

2009-03-01 Thread jamrock
Mark Adams m...@campbell-lange.net wrote in message
news:20090227122641.ga4...@campbell-lange.net...
 Hi All,

 I haven't been able to track down any info on this so would be
 appreciative of any input. Links to any info on this would also be
 appreciated.

 Samba 3.2.5, Debian 5.0

 Question 1;
 Is there any way of setting up a backup windows domain controller in
 the samba config? so if the main dc is not available, it automatically
 queries the backup?


Take a look at Samba by Example chapter 5 Making Happy Users.  Great info.
on setting up PDC's and BDC's.





[Samba] Re: samba can not contact the ldap server

2009-02-28 Thread jamrock
robert rottermann rob...@redcor.ch wrote in message
news:499bffca.8070...@redcor.ch...
 hi there,
 I am working through a tutorial on setting up samba and ldap on a suse
 11.1 box

 everything worked fine so far but now samba can not contact the ldap
 server.
 all command trying it issue the following error message.

 Failed to issue the StartTLS instruction: Can't contact LDAP server

 how can I trace down what causes this?

Have you configured nss_ldap?

You could try testing Samba without ssl enabled in LDAP or the smb.conf.  If
it can connect without using ssl then you need to troubleshoot ssl.  If it
cannot connect without ssl then you need to look at your nss_ldap settings.

Setting up nss_ldap involves configuring the /etc/ldap.conf and
/etc/nsswitch.conf files.

I would recommend using Samba by Example.  It is available at
www.samba.org in the Learn Samba section.

Take a look at Chapter 5 Making Happy Users.






[Samba] Re: ldap.conf

2008-08-12 Thread Jamrock

Thomas Vito [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 A while ago i posted that i couldn't get samba working from Windows XP
 clients.
 I finally get it working just by adding the base dc and binddn stuff in
 ldap.conf

 I guess it is mandatory as i couldn't get samba working without it. MY
 question is: how come doesn't it figure in the documentation, it might be
 useful for beginners.


This is clearly stated in the documentation.  Sample files are provided.

The documentation also talks a lot about using the getent command to test the
ldap configuration.

Until the getent passwd and getent group commands work, there is little to
be gained by moving forward.

Incorrect configuration of nss_ldap is perhaps the most common reason for
Samba authentication to fail.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
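
The getent check described in the reply above, as an added example that is not part of the original thread: it reads the passwd and group lines of an nsswitch.conf and lists the names that getent returned beyond the local flat file. File names and sample data are constructed, and the source name `ldap` is assumed to be the one nss_ldap is configured under.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that NSS really returns
# directory accounts before debugging Samba. All sample data is constructed.

# nss_sources DB NSSWITCH_FILE: print the sources configured for DB.
nss_sources() {
    awk -v db="$1:" '
        { sub(/#.*/, "") }                      # drop comments
        $1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# nss_only_entries GETENT_OUTPUT LOCAL_FILE: names present in the getent
# output but absent from the local file, i.e. served by another source.
nss_only_entries() {
    awk -F: '
        $1 == "" || $1 ~ /^[#+-]/ { next }      # skip blanks, comments, compat lines
        FILENAME == ARGV[1] { local_name[$1] = 1; next }
        !($1 in local_name) { print $1 }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# check_db DB NSSWITCH_FILE GETENT_OUTPUT LOCAL_FILE
# returns 0 = ldap listed and directory entries visible,
#         1 = ldap not listed for DB,
#         2 = ldap listed but getent returned only local entries.
check_db() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) ;;
        *) echo "$1: ldap is not listed in nsswitch.conf"; return 1 ;;
    esac
    extra=$(nss_only_entries "$3" "$4")
    if [ -z "$extra" ]; then
        echo "$1: ldap is listed but getent returned only local entries"
        return 2
    fi
    echo "$1: entries served from outside $4:"
    echo "$extra" | sed 's/^/  /'
    return 0
}

# make_nss_sample DIR: write constructed sample files into DIR.
make_nss_sample() {
    cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample
passwd: files ldap   # local accounts first
shadow: files ldap
group:  files
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
    cat > "$1/getent_passwd.txt" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:10001:513:Jane Doe:/home/jdoe:/bin/bash
wks01$:x:10002:515:Computer:/dev/null:/bin/false
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
EOF
    cat > "$1/getent_group.txt" <<'EOF'
root:x:0:
EOF
}

demo=$(mktemp -d)
make_nss_sample "$demo"
check_db passwd "$demo/nsswitch.conf" "$demo/getent_passwd.txt" "$demo/passwd" || true
check_db group  "$demo/nsswitch.conf" "$demo/getent_group.txt"  "$demo/group"  || true
rm -rf "$demo"

# Live use:
#   getent passwd > /tmp/getent_passwd.txt
#   check_db passwd /etc/nsswitch.conf /tmp/getent_passwd.txt /etc/passwd
```
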


[Samba] Re: do i need posix users/groups in ldap

2008-06-08 Thread Jamrock

Collen Blijenberg [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi all, i'm a bit confused,

 can i setup samba (3.0.30) with LDAP backend, and have the posix/local
 linux users and groups
 reside in the /etc/groups /etc/shadow etc. etc. (the standard linux
 files)   ???

 or do i have to put them in ldap also ??
 (is there a choice?)

 Greets, Collen

I have done this in the past.  I haven't tried this on a recent version so I
don't know if it will still work.

Back then I didn't understand how to use the smbldap-tools.  As the others
have suggested, keeping everything in ldap makes management of your user
accounts much easier.

To achieve your goal, try the following:

Look at the smbldap-tools files to identify the ldif file that the tools
import into ldap.  Import that file into ldap using your standard ldap
commands.

In your smb.conf file, your add user script should be the standard Linux
adduser command.  You can look at the Samba documentation to find the
adduser script you should be using if you are not using ldap.  That should
work.

When you add a user, the POSIX info. should be added to the /etc/passwd and
the Windows info. should be added to ldap.

Make sure to try this out on a test server before using it on a production
box.  Remember that putting everything in ldap is a better approach.





[Samba] Re: Samba + terminal services

2008-04-18 Thread Jamrock

Andy [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hello everyone,

 I was wondering if there is any support for samba and terminal services? I
 currently have two windows boxes, one with terminal services installed and
 the other with active directory.  From what I have seen terminal services
 relies heavily upon AD and DNS.  Could anyone point me in the direction of
 any informative sources that will help me get my Terminal services box
 pulling credential information from a samba PDC.

 Is it as simple as moving my terminal services box from my windows domain
 to the samba domain? Or is there some deeper integration between AD, DNS
 and terminal services.


We just add the terminal services machine to the Samba domain.  We have not
had any issues.





[Samba] Re: Samba 3.0.25b as a domain member to a Samba PDC

2008-03-30 Thread Jamrock
Greg Zartman [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I've been using Samba for about 7 years or so, but have hit a hurdle I
 just can't seem to figure out.

 I want to setup samba domain member servers to be members of a samba
 3.0.25 (NT4 type) domain.  No winbind, LDAP, or any other of the more
 complex authentication mechanism. This is the same functionality going
 way back to Samba 2.2, or so.  In fact, I successfully did this on samba
 2.2, but simply can't get it to work on samba 3.  I've been hammering
 away for two days and

I would recommend having a look at Chapter 7 in Samba by Example.  The
book is available at www.samba.org.

Here are a few points to keep in mind.

A user cannot access a Linux machine unless he is authenticated by the
machine.

A samba user account is mapped to a Linux user account.  The security and
authentication of the Samba account is related to security and
authentication of the related Linux user account.

Linux has several options for authenticating users.   These include the
/etc/file, Winbind and LDAP.  With LDAP you basically configure Linux to use
LDAP as an additional means of authentication.  The LDAP database can be
stored locally on the Linux box or on another Linux box.

For your Samba users to authenticate against the Linux member server, the
member server must have a means of authenticating the Linux account to which
they are associated.

With LDAP, you can configure Linux to authenticate against the same LDAP
database that the domain controller uses.  That way, you have a single sign
on.

LDAP and Winbind are the best options to achieve your goal.  If you don't
want to use them, you must create a user account for each user on the Linux
member server.

To automate the process and let it happen automatically, you can use an add
user script in the member server's smb.conf file.  Basically this script
will add a user once he is authenticated by the domain controller.

The following article shows one option of automating the process.  This is
how I used to do it back in the Samba 2.x days.

http://www.samag.com/documents/s=7666/sam0211e/0211e.htm





[Samba] Re: Samba with ldap backend password change trigger

2008-03-30 Thread Jamrock

Madars Vitolins [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hello,

 For samba acting as PDC with ldap backend (openldap) is it possible to
 hook some how password change event?
 So that if user in windows changes domain user password, it will update
 ldap account as usual but is it possible to trigger for some shell
 script to receive username and *plain* new password password?

 This could help for automation to update password in other systems.

 I am using smbldap-tools for samba ldap backend management


I hope I am understanding your question.  You can configure the smb.conf
file so that when a user changes his Windows (Samba)  password, it changes
the other ldap password.  I don't know if it will change the password in the
/etc/passwd file.

This works when you are using OpenLDAP for authentication with a number of
LDAP aware applications such as Samba, qmail-ldap and Openfire.

You can put the following command in your smb.conf file:

ldap passwd sync = yes





[Samba] Re: User restriction on some client machines

2008-03-30 Thread Jamrock

Mesterhazy Attila [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,

we have a Samba 3.0.24 server on a Fedora Core 5 system and we use it as
PDC. I have client machines with Windows XP SP2.

What I want:
- some machines (for example machine1) should be used only by user1 and
user2
- allow user3 to use ONLY some machines (for example machine2)

If you are using ldap for authentication, you can use the
sambaUserWorkstations parameter.

Have a look at this
http://www.usenetlinux.com/archive/topic.php/t-891223.html

Look also at this suggestion for tdbsam.

http://dunedin.lug.net.nz/forums/archive/index.php/t-148867.html





[Samba] Re: Importing Accounts from Windows?

2008-03-08 Thread Jamrock

Kyle Schmitt [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Is there some automated system to import windows accounts into a samba
 or a samba ldap situation?

 I've got a few hundred users on an NT domain, and I'd like to migrate
 them sometime before the last piece of hardware supported by NT4
 rusts.
 Right now several linux based samba servers are doing all of the heavy
 lifting (shared files printers etc), but they are all looking at the
 domain controller for authentication.

 Considering the multiple vulns for NT, I know I could just run a
 password cracker against it, then create new accounts for everyone
 with their old passwords, but I'm reluctant to do that.

 Is there a way to transfer the account info from the PDC to samba then
 just shut the old thing off?

 Thanks,
 Kyle


Samba 3.x comes with a migration tool designed to pull user and machine
information from NT 4.0.  I have used it before with Samba and OpenLDAP.  It
works well.

We set up the Samba machine as a domain controller.  We migrated the user
and machine information. We shut down the NT machine and we were good to go.

Have a look at Chapter 9 of Samba by Example.  It is available at
www.samba.org.

Be sure to set up a test environment before trying to migrate your
production data.





[Samba] Re: Windows 2000 pro doesn't join a domain with Samba+Ldap(linux)

2008-02-23 Thread Jamrock
Hector Blanco [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hello people...

 I had to sign up in the list because I don't know what else I could
 do... I can't find my error anywhere!! :(


Hi Hector,

Can you post your /etc/ldap.conf file and your /etc/nsswitch.conf file?
Are there any other ldap.conf files in the /etc directory?

Are you able to add users to the domain?

Please post the output from getent passwd group.





[Samba] Re: Windows 2000 pro doesn't join a domain withSamba+Ldap(linux)

2008-02-23 Thread Jamrock
Jamrock [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hector Blanco [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  Hello people...
 
  I had to sign up in the list because I don't know what else I could
  do... I can't find my error anywhere!! :(
 

 Hi Hector,

 Can you post your /etc/ldap.conf file and your /etc/nsswitch.conf file?
 Are there any other ldap.conf files in the /etc directory?

 Are you able to add users to the domain?

 Please post the output from getent passwd group.

Sorry...  That should have read

Please post the output from getent group





[Samba] Re: Adding a machine account to Samba PCD + LDAP?

2008-02-23 Thread Jamrock

Kyle Schmitt [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 How does one go about adding a machine account, or even a normal samba
 account, on a Samba PDC with LDAP back end?

 I wanted to avoid using something like smbldap-useradd, because I want
 to actually understand what's going on.  I'm assuming it's just some
 sort of small ldif to add, like I would for adding user, am I wrong?

 Thanks,
Kyle


I use the Windows NT 4.0 tools Window Manager for Domains and Server Manager
to manage users and servers on my Samba domain.

These GUI tools interface with the smbldap-tools.

I set up LDAP and Samba in the normal way.  I use the smb-ldap tools to add
and remove users and machines.

I place the User Manager for Domains utility on a Samba share and access it
from a Windows 2000 or XP workstation.

I add computers to the domain the same way I add them in Windows.  I go to
My Computer, choose properties and join the domain.

Samba works quite well for us.





[Samba] Re: Subfolders and permissions

2008-02-20 Thread Jamrock
Paul Rijke [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,

 I have currently a department called HRM which have their own share
 /data/hrm

 Within that share is a folder called recruitment.

 We recently hired an external recruiter to do some work for us. The folder
 is /data/hrm/recruitment

 How can I enforce that this person can only read and write in this
 directory? Look below, is this the way to go? How would you handle this?


A Samba account is linked to a Linux account.  I would set the security on
the Linux account.  I would do this using regular Linux file and directory
permissions.





[Samba] Re: everyone acl

2008-02-16 Thread Jamrock

Christian McHugh [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Howdy all,

 I was wondering if there was a known bug with the everyone acl. When
 looking at the security tab on windows the everyone acl has the read
 permission. If I unselect it to give everyone no permission and hit
 apply, read becomes checked again. If I select deny everyone read, then
 a warning pops up saying this will deny read for all users and it does.
 If after that I give read to another user, then everyone has read
 selected again. It seems the only way to unset read on everyone is to do
 it unix side. Is this a known problem or is there any solution?

 I've tried running samba 3.0.27 and 3.0.28 on solaris 10 with these
 results.

 Thanks,
 Christian


Perhaps this article will shed some light on the issue.  It explains how
Samba works with Windows ACL's.

http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1080966,00.html







[Samba] Re: Access denied when setting permissions

2008-02-13 Thread Jamrock
Steven Whaley [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I have a windows 2003 AD domain and a server joined to that domain.
 Winbind is being used as an idmap.  Most everything seems to work fine.

 My user can connect to the samba share from a windows host without
 entering credentials, so kerberos and authentication is working
 properly.  But whenever I try to set permissions on the share, with a
 member of the Domain Admins group, from the Computer Management snap in
 I always get access denied errors.  I have nt acl support turned on for
 the share.

Perhaps this article will shed some light on the issue.  It explains how
Samba works with Windows ACL's.

http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1080966,00.html





[Samba] Re: Member Server creates sambaDomainName LDAP entry

2008-01-30 Thread Jamrock

Brian High [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Short version:

 Why does my domain member server create a sambaDomainName entry in LDAP?

 Long Version:

 I have created a Domain Member Server for a NT4 style Samba domain
 with an LDAP backend.

 It is a print server, running Winbind (because it solved a group SID
 mapping problem and an 'invalid SID' error in syslog), and it works fine
 in all other respects, but this:

 After joining the domain, the member server creates a sambaDomainName
 entry in LDAP that I don't think should be there.  It is of the form:

 sambaDomainName=HOSTNAME,dc=example,dc=com

 ... where HOSTNAME is the hostname of the domain member server.

 I have Googled this and have come up with some posts to this list:

To which LDAP server is your smb.conf file pointing?  The one on the member
server or the one on the domain controller?






[Samba] Re: Samba still asking password

2008-01-30 Thread Jamrock

Marcelo Bossoni [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi All,
I need some help.
I installed Samba 3.0.26a from Ubuntu Gutsy repository under kubuntu, and
make a share with share permissions (LAN), but he always asks for a password

Can you guys have any idea about what is wrong. I am going crazy with
this.


Share control does not mean that a password is not required.  I have used
user security and share security with Samba in a Windows workgroup.

With user security, the prompt appears for the username and password when
someone tries to access the Samba server in network neighborhood.

With share security, the prompt appears for the username and password when
someone tries to access a share on the Samba server in network neighborhood.

In the first case, security is set on the machine.  In the second case,
security is set on the share.

In general, a user cannot access a Linux machine unless he has an account on
it.  He has access to specific folders when the administrator of the machine
gives him access to those folders.

Samba runs as a service on the Linux machine.  Each user must have a Samba
account to access the Linux machine through Samba.  Each Samba account is
mapped to a Linux user account.

Security on the Samba account is set by setting security on the Linux
account to which it has been mapped.

To access a share on the Linux/Samba box, do the following:

Create a Linux user account on the machine.  Set a password for it.

Create a Samba account on the machine with the same username.

Give the Linux user security access to the folder to which the Samba share
is mapped.

The only way to avoid the prompt for the username and password is to create
a username and password on the Samba machine that is the same as the
username and password on the Windows machine from which you are accessing
the Samba machine.





[Samba] Re: Re: SID problem with working samba

2008-01-24 Thread Jamrock

toni [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 this server has also a ldap server to resolve system users (via
 nsswitch), and the contents are replicated from a master ldap in the
 PDC (i think this is what you are proposing, isn't it?)

Not really.  On a Windows 2003 domain, there are a few domain controllers
that contain Active Directory.  Active Directory is not loaded on member
servers.  No replication takes place there.

The member server is configured to redirect all authentication requests to a
domain controller.

Chapter 7 discusses the various ways that Samba member servers can be
configured to redirect authentication requests to a single database of
usernames and passwords.

You can use NSS/LDAP.  You can use NSS and Winbind.  You can use an adduser
script if you don't want to use NSS.

The common factor in all three approaches is the fact that the pdc contains
the authoritative list of usernames and passwords.  Member servers query
that list.

The member server will cache the data it sees on the pdc but the pdc is the
definitive source.

Look at the smb.conf file in example 7.1.  It simply tells the member
server to look to the ldap installation on the pdc when it needs to
authenticate users.  The /etc/nsswitch.conf is configured to use ldap for
authentication.  The only difference here is that the ldap is stored on
another machine.

I am not looking at my member server now, but I think your /etc/ldap.conf
file should also point to the pdc.






[Samba] Re: SID problem with working samba

2008-01-23 Thread Jamrock
toni [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 hello,

 i have 1 PDC and 1 BDC using smbldap, and now i'm adding a server (as a
 domain member, not BDC) that will have shares to be mounted by the
 clients.

 this server also uses smbldap and, at this moment, the service is
 working almost normally.

 the problem seems to be the typical SID problem, but my new samba
 reports to have the same SID that the PDC and BDC have, and users can
 log into the domain and map shares. however, when mapping shares log
 file prints these lines:

I would not expect you to need smbldap on a member server.  Typically,
member servers authenticate against a pdc or bdc.  They do not authenticate
locally.

One option is to load ldap on the server.  Load Samba so it can configure
against ldap.

You can then configure the machine to use the ldap on the pdc for
authentication.

Chapter 7 of Samba by Example shows a few options re: setting up a member
server to authenticate against a pdc.





[Samba] Re: Now that MS has to play nice...

2008-01-19 Thread Jamrock

Douglas Phillipson [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Being that you SAMBA developers had to work so hard to reverse engineer
 the AD protocols.  Will there soon be improvements and more full
 featured functionality in SAMBA now that you have access to more
 documentation?  Is anything on the order of a fully featured AD clone in
 the works.  Also, how do you dance around patented protocols?  Can you
 still implement them?  Do you have to avoid them?  So anything patented
 is taboo functionality, never to be seen in SAMBA.

 Thanks for all your hard work over the years guys.  I hope it gets much
 easier now.

 Doug P

I agree.

I want to send a big shout out to all the developers of Samba.  We really
appreciate all the hard work you do.

I know this is not the development newsgroup.  But since I don't understand
much that is said on that newsgroup, I will ask the question here.

How will the change affect the development of Samba 4?





[Samba] Re: Authenticating a linux samba client to a win2k domain

2008-01-17 Thread Jamrock

Newscrawler [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 Hello crew,

 I'm having troubles with authenticating a linux samba client to a
 win2k domain.  Without creating local users I want to be able to log
 on using a user and pass valid only in the windows domain.


 Cheers

 Joost


Take a look at Chapter 7 of Samba by Example.  Adding Domain Member
Servers and Clients.  It shows a few ways to do this.





[Samba] Re: The use of goup policies in XP and Vista

2008-01-15 Thread Jamrock
Samba News [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi all,

 Can anyone point me in the right direction to apply Group Policies from a
 Samba 3.0.26 PDC to my Windows XP and Vista clients. I read chapter 26 of
 the Samba manual (dated April 3 2003) and I was wondering if the
 NTConfig.POL file in the NETLOGON share is the way to go here?

 Regards,
 Joost.

You can use the NT 4.0 System Policy Editor with the Windows 200x policies
to implement GPO's.  I know this can be done with XP and Windows 2000.  Not
sure about Vista.

The main difference is that System Policy Editor writes the policies to the
relevant sections of the registry on the workstation.  Windows 200x server's
GPO's do not.

Have a look at these articles

http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba

http://www.novell.com/coolsolutions/tools/15478.html





[Samba] Re: Migrate Windows 2000 (Active Directory Integrated) Domainto Samba

2008-01-05 Thread Jamrock

Charles Marcus [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I read everywhere about migrating an NT4 domain, but nowhere says you
 can do the same with a Windows 2000 (NOT mixed mode) domain...

 This client does NOT currently use AD for anything special (GPO, etc).

 Is this possible? Advised?

 -- 

 Best regards,

 Charles

Samba 3.x cannot migrate data from Windows 200x.  This is one of the
proposed features of Samba 4.x which is currently in development.





[Samba] Re: Re: Simple LDAP backend question

2008-01-04 Thread Jamrock

Ryan Novosielski [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 Jamrock wrote:
  Ryan Novosielski [EMAIL PROTECTED] wrote in message
  news:[EMAIL PROTECTED]
 
  Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
  or can one move only the smbpasswd file to LDAP without impacting the
  standard UNIX passwd file at all?
 
  Interesting question.  Just a little background info. so we are all on
  the same page.
  
  Each Samba user must have a Linux (POSIX) account in order to access the
  Linux machine.  It must also have some Samba (Windows) information for
  it to work as a Windows domain controller.
  
  If you use the smbldap tools to manage the addition and deletion of
  users, they will add the POSIX and the Samba user info to the LDAP
  directory.  This will happen because your add user script in the smb.conf
  file will point to the relevant smbldap add user script.
  
  You would typically configure the /etc/nsswitch.conf file to tell the
  Linux machine to look for user names and passwords in the LDAP directory.
  That way the user does not need to exist in the /etc/passwd file.
  
  So far so good.
  
  I understand from what you are saying that you want to
  separate the POSIX (Linux) information from the Samba information.  You
  want to keep the POSIX information in the /etc/passwd file and the Samba
  information in the LDAP directory.  Each user's authentication
  information will be stored in both locations.
  
  To do this you should not use the add user script from the smbldap
  tools.  Instead use the standard Linux add user command in a script to
  add the user.  I have done this in the past.  It adds Samba info. to LDAP
  and creates the user account in the /etc/passwd file.
  
  Your smb.conf file should look something like
  
  add user script = /usr/sbin/useradd -m '%u'
  
  add machine script = /usr/sbin/useradd -M '%u'
  
  add group script = /usr/sbin/groupadd '%g'
  
  Typically I use the User Manager for Domains to add and delete users.
  Not sure how things will work with other tools.
  
  I guess you can use the smbldap tools to populate the LDAP database with
  the standard Windows users and groups but use the Linux commands in the
  add user script.
  
  I haven't tried this since the early versions of Samba 3.x.  Let me know
  how it works out.

 Sounds rather much like what I'm looking for. I really don't use the add
 user/group script right now anyway, just add machine.

 What it seems like you're saying is that I can migrate all of the stuff
 from /etc/passwd to LDAP and then just never change nsswitch for UNIX
 and only make Samba use the ldap, and setting the parameters as above.

Yes.  In the early days I didn't understand how to use the smbldap scripts.
So I ended up with that mixed configuration.

I would not recommend it for a typical install of Samba though.  Keeping
everything in LDAP makes it easy to back up user information.  It also makes
it easier to transfer user information to another server.

However, it sounds as if it is a requirement in your environment.






[Samba] Re: Rename Samba Domain?

2008-01-04 Thread Jamrock

Quinn Fissler [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I've done it - it can be done without pain.
 I was using ldap - I backed up my db first - I also change SIDs by using a
 large scale edit and re-imported.

 If you want client machines to stay joined to the domain, you have a bigger
 problem - depending on the number of clients, it might be easier to unjoin
 before the name change and rejoin afterwards, otherwise, the clients will
 look for the old DC, even to leave the domain.

 Have fun :-)


 On 03/01/2008, Charles Marcus [EMAIL PROTECTED] wrote:
 
  Is it possible? Is it advised? Is there a 'right way'?
 
  Thanks,
 
  --
 
  Best regards,
 
  Charles

You can also change the new SID back to the old one using the net
setlocalsid command.  Here is an extract from Chapter 13 of  The Official
Howto.

If ever it becomes necessary to restore the SID that has been stored in the
my-sid file, simply copy the SID (the string of characters that begins with
S-1-5-21) to the command line shown here:

root#  net setlocalsid S-1-5-21-1385457007-882775198-1210191635





[Samba] Re: Simple LDAP backend question

2008-01-03 Thread Jamrock
Ryan Novosielski [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 Is it required to use LDAP for both POSIX/UNIX accounts and for Samba,
 or can one move only the smbpasswd file to LDAP without impacting the
 standard UNIX passwd file at all?

Interesting question.  Just a little background info. so we are all on the
same page.

Each Samba user must have a Linux (POSIX) account in order to access the
Linux machine.  It must also have some Samba (Windows) information for it to
work as a Windows domain controller.

If you use the smbldap tools to manage the addition and deletion of users,
they will add the POSIX and the Samba user info to the LDAP directory.  This
will happen because your add user script in the smb.conf file will point to
the relevant smbldap add user script.

You would typically configure the /etc/nsswitch.conf file to tell the Linux
machine to look for user names and passwords in the LDAP directory.  That
way the user does not need to exist in the /etc/passwd file.

So far so good.

I understand from what you are saying that you want to
separate the POSIX (Linux) information from the Samba information.  You want
to keep the POSIX information in the /etc/passwd file and the Samba
information in the LDAP directory.  Each user's authentication information
will be stored in both locations.

To do this you should not use the add user script from the smbldap tools.
Instead use the standard Linux add user command in a script to add the
user.  I have done this in the past.  It adds Samba info. to LDAP and
creates the user account in the /etc/passwd file.

Your smb.conf file should look something like

add user script = /usr/sbin/useradd -m '%u'

add machine script = /usr/sbin/useradd -M '%u'

add group script = /usr/sbin/groupadd '%g'

Typically I use the User Manager for Domains to add and delete users.  Not
sure how things will work with other tools.

I guess you can use the smbldap tools to populate the LDAP database with the
standard Windows users and groups but use the Linux commands in the add user
script.

I haven't tried this since the early versions of Samba 3.x.  Let me know how
it works out.





[Samba] Re: Samba AD LDAP

2007-12-04 Thread Jamrock
Ed Murray [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
I have windows XP clients that do domain login against a Windows SBS
2003 server. I also have a samba server using LDAP for authentication.
Is it possible to use groups on the LDAP server for file permissions on
the samba server? The samba server has previously been set up as a PDC
so all the relevant schema should already be applied.

Regards
Ed  Murray


Take a look at Chapter 7 of Samba-3 By Example.  It is available at
www.samba.org.  It gives a good, detailed explanation of domain member
servers.

It shows how to configure different types of domain member servers.  I used
it to set one up yesterday.

Real nice!!!





[Samba] Re: Domain server unavailable

2007-11-24 Thread Jamrock

Walmiro Muzzi [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi all.

 I'm having a serious problem with my samba/ldap server.

 It was working well till the last week and today stops definitely.

 Nothing has changed. Now my network is down and nobody can log in.


Are you using OpenLDAP?  If so, run it in debug mode and watch the output
for errors.  That should give you a clue re: what is happening.

Check your samba log files to look for clues.

How long was the network up and running?





[Samba] Automatically adding users to Member Server

2007-11-17 Thread Jamrock
I want to add a Samba member server to a Samba or Windows domain.  I want
Samba to automatically add the Linux user accounts when domain users try to
access the member server.  I would want the creation of accounts to be
limited to users authenticated by the domain controller.

Years ago, when I was using Samba 2.x,  I would use a command similar to:

add user script = useradd -c "Account from PDC" -s /bin/false \
  -d /home_directory_root/%u -m -n -g net_users %u

I got this from this article:

http://www.samag.com/documents/s=7666/sam0211e/0211e.htm

The Official Samba 3.x documentation talks about using Winbind to accomplish
the same thing.

What are the disadvantages of using the add user script?

Also sending best regards to John Terpstra.  He helped me quite a bit in the
early days.  Not sure he is still active on this forum.





[Samba] Re: Automatically adding users to Member Server

2007-11-17 Thread Jamrock
My last post had some formatting issues.

The link for the article is

http://www.samag.com/documents/s=7666/sam0211e/0211e.htm

The command to add the users is

add user script = useradd -c "Account from PDC" -s /bin/false \
  -d /home_directory_root/%u -m -n -g net_users %u





[Samba] Re: managing permissions from windows (is it possible?)

2007-06-04 Thread Jamrock
Juan Miscaro [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I have a FreeBSD Samba box running as PDC for a WinXP network.  Is it
possible for the Windows administrators to modify permissions
(right-click of folders...) from their own computers?  I have already
mapped windows groups to unix groups.  When I try to do this I either
get a lack-of-permissions error or all the little boxes become
unchecked again after clicking OK).

This document should help.

http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1080966,00.html





[Samba] Re: Need help: Centos 5, Samba as file server + ACL for WORKGROUP

2007-05-27 Thread Jamrock
notinh notien [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi, all.  I could not add any additional users to a file or directory using
 the Windows Security tab in Windows XP Sp2.  Here is my configuration for
 samba-3.0.23c-2.el5.2.0.2.


Perhaps this article will assist you.

http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1080966,00.html





[Samba] Re: Can't write to a Samba shared directory from windows XP

2007-05-27 Thread Jamrock
Talal jaafar [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,

 I have setup a linux shared directory using Samba. From windows XP, I can
 see the shared directory, browse it, read files from it; however, I can't
 write to it. I have changed the ownership of the shared directory in linux
 to nobody, changed the group to nobody, and chmod it 777.

Try setting ownership to the windows group Domain Users.  Let's call your
share payroll.

chown root:"Domain Users" payroll

All Windows users are automatically placed in the Domain Users group.





[Samba] Re: Successful migration NT4-SAMBA3 domain, anyone?

2007-05-26 Thread Jamrock
Davide Cervella [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Saulius G wrote:
  Thanks Davide :)
  just one more question, did you have windows xp in your NT domain?

 Yes, all workstations were Win XP pro.
 DaC
 -- 

We have done this.  It works quite well.  Follow the instructions in Samba
by Example.  Take it step by step.

There were somewhere between 20 and 30 XP pro machines.





[Samba] Re: Complicated question

2007-01-15 Thread Jamrock

Jason Baker [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I'm not sure if this is the right place to post this, but here goes. I
 just put together a PDC using Samba. I have given users the ability to
 change their passwords (once every 7 days) if they wish. I used to keep
 a list of usernames and passwords in a spread-sheet, so I could keep
 track of the servers that I needed to update with the correct password
 if anything changed. That being said. What do I do about authentication
 if I want to add a NAS? I basically won't know what user's passwords are
 and if/when they change them. How do I allow them access to the NAS
 shares with the proper permissions, while still maintaining the
 flexibility of allowing them to change their passwords?

It sounds as if you were using a workgroup logic before.  Are you saying
that each server had its own list of users and passwords?

With a PDC there is one list of usernames and passwords.  This is stored on
the PDC.  You give access to specific shares on each server to specific
users or groups.

When a user logs on to the network, the PDC verifies his password.  When he
tries to access a share, the relevant server checks to see if he has access
to the share and if he has been authenticated by the PDC.

Each server does not authenticate the user's password.





[Samba] Re: usrmgr.exe issues

2006-12-01 Thread Jamrock

Eddy Parris [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi

I have set up my own domain on Debian stable (3.0.14a-3sarge2) and can log
in etc.
I have just gone to administrate my user accounts using the server tool
(usrmgr.exe) from microsoft (i know it is not the problem of samba to
support these but...) when i select my new domain 'EDDU' i get the error:

the specified local group does not exist


Make sure that the usrmgr.exe is located on a Samba share.  You can map a
shortcut from the Windows XP machine to the file.




[Samba] Re: Migration NT4 domain to Samba/LDAP howto

2006-10-17 Thread Jamrock

Paul van Noort [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 folks,

 Been searching the web and learned i can add samba to my Current NT4 domain.
 I guess i can promote my Samba machine to PDC afterwards then depreciating
 the NT machines (finally)..

 I have an LDAP driven mailserver and i would like to have an one key fits
 all system where my LDAP directory handles the accounts for Samba And
 Postfix/imap on my mailserver (and in a later stage the intranet).

 Any thoughts on the best way to migrate the NT4 domain into the new
 situation?

 Help, links to cookbooks, general tips are appreciated



 Vriendelijke groeten,
 Paul van Noort


Have a look at Samba 3 by Example.
http://us4.samba.org/samba/docs/man/Samba-Guide/

Chapter 9 tells you how to do this.  You may also want to look at Chapter 5.
This has info. on using LDAP with Samba 3.

You can migrate all the user and computer info. from your NT 4.0 PDC
straight to Samba.  When you shutdown your NT box and activate your Samba
box, the users/client machines will not know the difference.





[Samba] Re: Sambas as PDC, remote and mobile users question

2006-10-17 Thread Jamrock
daniel parkes [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,

 I have removed my win2000 servers, and now I am using samba as the pdc.

 I have a problem with users and their profile. I am using a configuration
 where the profiles are always local (on the laptop), not on the server.

 And the problem is, when a user takes his laptop home, and the company
 network is not accessible, he can't log on to the domain, so he can't use
 his domain profile; he has to log on to the local computer with his local
 profile, which is out of date (emails, docs, etc.) because the profile he
 uses all the time is the domain one.

 I didn't have this problem working with win2000 and AD, because it would
 permit 5 logons, even if the domain wasn't accessible, so they could work
 with their domain profile at home.

 Any idea if you can tune this in Samba?

 Any idea of a workaround, or how do you handle this situation?

 Thanks a lot for your HELP!!

What happens when he tries to logon to the domain when he is not attached to
the network?  Remove the network cable from the laptop and let us know what
happens.





[Samba] Re: Migrate nt4 domain to samba

2006-09-25 Thread Jamrock

Les Stott [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi All,

 I'm looking for some guidance.

 My client currently has an NT4 domain. It controls domain logons for all
 users, although all data is stored on another windows 2000 member server
 in the domain. The logon script that runs on the nt4 domain server maps
 drives to the other windows server.

 Its time to upgrade the NT4 system and replace with Linux/Samba.

 initially my plan was to create a new domain, make samba the master
 browser of that domain and migrate users into that new domain. In order
 to do this i would do a files and settings transfer wizard, change
 each pc to logon to the new domain, then do a files and settings
 transfer wizard restore, once logged on to the new domain.

 Of course that's going to take some time, and it means a visit to each pc.

 Has anyone done this sort of a migration before?

 Is there any quick and easy steps to migrate users and profiles across?

 can i keep the same domain and have samba take over all the user
 profiles, domain logons etc etc?

 Would it be easier to just promote the windows 2000 server and make it
 the domain logon server?

 TIA,

 Les

Check Samba 3 by Example for detailed instructions on how to replace a NT
server with a Samba and LDAP server.

I have done it before and it works quite well.  Basically the Samba server
imports all the users, passwords and computers from the NT domain
controller.  When the process is complete, you can shut down the NT machine
and replace it with the Samba machine.

The Windows machines will not notice the difference.  There is no need to
change domains or anything else.

I would recommend learning the following:

OpenLDAP
Samba
Migration from NT

Do all of this on a test network first.  There are a lot of new things to be
learnt.







[Samba] Re: domain user types

2006-09-10 Thread Jamrock
Enos D'Andrea [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Please how can I set user types in a Samba PDC? (users, power users, etc)
 My problem is that domain users have now administrator rights on the
 clients, and I don't want that!
 I cannot set the rights on all the clients because there are hundreds of
 users and tens of clients.

 Thank you,
 -- 

By default, users don't have administrator rights.  Do you know how they got
them?  What groups are the users in?





[Samba] Re: Domain SID does not match built in domain groups SIDs...

2006-09-02 Thread Jamrock

Jason Shaw [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
  Would remapping them correct the SIDs? Can I just use a LDAP editor and
  manually change the SID to what it should be without screwing up other
  things? To my understanding, all the important Samba data is stored in
  LDAP. So I shouldn't have to worry about the contents of smbpasswd,
  secrets.tdb, or anything of that nature, right?

  Given I can just edit the SIDs, I do know that I may have to restart the
  SMB daemon, rejoin some users to groups, correct the local
  administrators group on workstations, etc. I understand the clean up, I
  don't want to ruin anything else that's not a simple text edit or
  command call.

  There is a utility that allows you to change the domain's SID.  Search the
  archives and the documentation for net setlocalsid

 I do not want to change the domain or the server SID. Doing so would
 invalidate the users I have already entered. I just want to fix a couple of
 groups that have bad SIDs.

It sounds as if you are saying that the users have the same SID as the
domain.  However some groups have incorrect SID's.

If you are keeping the POSIX and Windows user information in LDAP, you can
do the following:

Make a backup of the folder containing the ldap data.

Use ldapsearch to export the contents of the ldap directory to a file.  This
provides a second backup.

Use ldapsearch to dump the group information to a file.

Modify the SID information in the second (group) file and use ldapmodify to
bring the correct information back into the ldap directory.

This is based on the assumption that the domain's SID is correct and the
users' SID's are correct. Only the groups' SID's are incorrect.



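The group-only SID repair described in the message above, as an added example that is not part of the original post: it reads the group dump made with ldapsearch and builds the change records for ldapmodify. The SIDs, DNs and function names are constructed for illustration; sambaSID and sambaGroupMapping are the attribute and object class names from the Samba 3 LDAP schema.

```python
import base64
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")  # domain part + RID
CORRECT_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value

# Constructed sample in the shape ldapsearch prints (note the folded DN line).
SAMPLE_LDIF = """\
# constructed group dump
dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-512
sambaGroupType: 2

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
gidNumber: 513
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaGroupType: 2

dn: cn=Administrators,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
gidNumber: 544
sambaSID: S-1-5-32-544
sambaGroupType: 5

dn: cn=Accounts Payable Clerks,ou=Groups,dc=example,
 dc=org
objectClass: sambaGroupMapping
gidNumber: 1005
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-3011
sambaGroupType: 2

dn: uid=jdoe,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-3000
"""


def parse_ldif(text):
    """Return [(dn_line, {attr_lower: [values]})] for each entry in an LDIF dump."""
    # LDIF folding: a line that starts with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in re.split(r"\n{2,}", unfolded):
        dn_line, attrs = None, {}
        for line in block.split("\n"):
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn_line = line  # kept verbatim so a base64 "dn::" is re-emitted as is
                continue
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if dn_line:  # skips "version: 1" and the ldapsearch result trailer
            entries.append((dn_line, attrs))
    return entries


def build_sid_fix(ldif_text, domain_sid):
    """Return (change_ldif, [(dn_line, old_sid, new_sid)]) for mis-SIDed groups only."""
    if not re.fullmatch(r"S-1-5-21-\d+-\d+-\d+", domain_sid):
        raise ValueError("not a domain SID: %r" % domain_sid)
    entries = parse_ldif(ldif_text)
    in_use = {sid for _, attrs in entries for sid in attrs.get("sambasid", [])}
    records, changes = [], []
    for dn_line, attrs in entries:
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "sambagroupmapping" not in classes:
            continue  # users and machines are assumed correct and are never touched
        for old_sid in attrs.get("sambasid", []):
            match = DOMAIN_SID_RE.match(old_sid)
            if not match or match.group(1) == domain_sid:
                continue  # builtin (S-1-5-32-*) or already in the right domain
            new_sid = "%s-%s" % (domain_sid, match.group(2))  # keep the RID
            if new_sid in in_use:
                raise ValueError("%s would collide with an existing entry" % new_sid)
            in_use.add(new_sid)
            records.append("\n".join([dn_line, "changetype: modify",
                                      "replace: sambaSID",
                                      "sambaSID: " + new_sid, "-", ""]))
            changes.append((dn_line, old_sid, new_sid))
    return "\n".join(records), changes


if __name__ == "__main__":
    change_ldif, changed = build_sid_fix(SAMPLE_LDIF, CORRECT_DOMAIN_SID)
    print(change_ldif)
```

Review the printed records before passing them to ldapmodify, and only after both backups from the steps above exist.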


[Samba] Re: Domain SID does not match built in domain groups' SIDs...

2006-08-31 Thread Jamrock
Would remapping them correct the SIDs? Can I just use a LDAP editor and
manually change the SID to what it should be without screwing up other
things? To my understanding, all the important Samba data is stored in
LDAP. So I shouldn't have to worry about the contents of smbpasswd,
secrets.tdb, or anything of that nature, right?

Given I can just edit the SIDs, I do know that I may have to restart the
SMB daemon, rejoin some users to groups, correct the local
administrators group on workstations, etc. I understand the clean up, I
don't want to ruin anything else that's not a simple text edit or
command call.


There is a utility that allows you to change the domain's SID.  Search the
archives and the documentation for net setlocalsid





[Samba] Re: Installing Samba4

2006-08-31 Thread Jamrock
Montervino, Mariano [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
We have trouble installing samba4 and we can't find documentation about
setup, join domains, etc...

Is this a test installation?  No production grade version of Samba 4 has
been released.





[Samba] Re: Samba instead of SBS2k+3

2006-08-20 Thread Jamrock

Przemyslaw Smiejek [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,

 I'm a teacher and I have got 20 computers with Windows XP and server Windows
 SBS 2003 with Active Directory. I use AD to set policy to WinXP and to
 authorize users.

 Is it possible to set up Samba to this instead AD?
 Can someone help me in this?

 -- 
  Przemyslaw Adam Smiejek

 -- 

I share your concerns.  GPO's are useful.  Some work has been done in this
area but we still have work to do.

Have a look at this document.  You should implement this in a test
environment first.  Only try it in a production environment when you have
gotten it to work.

I am about to start testing stuff like this so please post your findings to
the list.  I do not know yet how well this works.

http://www.novell.com/coolsolutions/tools/15478.html

Basically, the author uses NT 4.0's System Policy Editor.  SPE allows you to
create custom policies.  He has included some sample policies that are
similar to those available with GPO.

These documents provide an overview of his approach

http://www.pcc-services.com/articles/implement_sys_policies.html

http://www.pcc-services.com/articles/create_custom_spe_templates.html





[Samba] Re: Password expiry for samba posix accounts in LDAP

2006-08-18 Thread Jamrock

Plant, Dean [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
Can someone install some confidence in me that the way I am dealing with
syncing password expiry dates between Samba and Posix accounts in LDAP
is correct.

The question has come up on the list a couple of times but the answer,
using unix password sync = Yes and changing the ShadowLastChange LDAP
attribute via an external script seems rather clunky. Is this really the
correct way to do it, when only allowing changing of passwords via
Windoze? or am I missing something obvious that enables this to be done
within the Samba/OpenLDAP configuration.

Thanks

Dean.


We have used a single Openldap directory to authenticate Samba, qmail and 
Jabber.

We add the line

ldap passwd sync = yes

to our smb.conf file.

When the users change their Windows passwords from a Windows workstation, 
the Samba and ldap passwords are both changed.





[Samba] Re: LDAP+Samba only posixaccount possible?

2006-08-12 Thread Jamrock
Juha-Matti Ung [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi!

 Is it possible to get the samba authenticate a user and map to his
 home directory only using posixaccount or are there some attributes that
 windows absolutely require like in the samba-objectclasses?

 Any configuration examples if this is possible.

 I have been experimenting with pam.d/samba using pam_ldap.so module, but
 no success so far.

 Currently I have setup the server so it can authenticate a ssh user from
 ldap, using posixaccount attributes. and that works great.

 Thanks


Not as far as I know.  Windows networking needs Windows specific
authentication information.  At the same time any user on a Linux box needs
Linux specific authentication (posix).

Samba essentially creates a Windows user and  a Linux user with the same
user ID.  The accounts are mapped to each other.

Some will argue that it is one account, but for all intents and purposes it
is two accounts.  The process is more obvious when you look at the creation
of Windows groups.  The Windows group maps to a Linux group.

When I set up my first domain controller, I did not use the smbldap add user
script.  I used standard Linux useradd commands.

When I added a user via User Manager for Domains, it created the Windows
information in the ldap directory and the Linux information in the
/etc/passwd file.  User authentication worked quite well.

When I started using the smbldap scripts, both the Windows info. and the
Linux info were stored in ldap.

Since the Windows user account is mapped to the Linux user account, any
security/access restrictions you place on the Linux account will apply to
the Windows account.  In other words, you can set user access to shares
using Linux and the Windows account will be restricted.

So to answer your question, if you only use posix values, you are missing
half of the equation.





[Samba] Re: Can't join a computer to my Samba PDC.

2006-08-11 Thread Jamrock
Benoit Callebaut [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hello,
 I have installed Samba 3.0.22  amd 64 from Debian installed.
 Samba is working perfectly well as a file server.

 But I can't join a computer to it  either via a Win2K client or using
 the net rpc join command.
 Winbind,smbd and nmbd are running.
 I receive messages like given identification informations conflict with
 existing one

Make sure you have no drives mapped to the server before joining the
workstation to the domain.  I have seen messages similar to this when mapped
drives exist.





[Samba] Re: Unable to set ACLs using Windows Security Dialog Box

2006-08-03 Thread Jamrock

Linefeed Feed [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi,
 I configured Samba to act as a file server on RHEL4, Samba 3.0.10.
 Everything worked as I expected except owning issue.
 If an NT user created a folder on the share, it was getting its owner and
 changing Owner Group from root to Domain Users.
 I wanted to keep Owner and Owning Group through newly created folders as
 well as subfolders.
 So I compiled Samba 3.0.20, because of its inherit owner option that
 supported since this version.
 But after this upgrade, I could not set any acl on the Samba Server from
 Windows explorer and I get Unable to save permission changes on
 Folder_Name. Access is denied message.

 Another issue is that although I have added some named users and named
 groups as Access ACL and Default ACL using setfacl command on the Samba
 Server, only 3 access ACLs (owner, owner group, other) are shown in Windows
 Security dialog box for the folder, but others are not.


 Any idea or clue?

 Prompt response appreciated..Thanks,


Perhaps this will help.  It is an article written by John Terpstra.

http://searchopensource.techtarget.com/tip/0,289483,sid39_gci1080966,00.html

I find it easier to set ownership via the Linux commands on the server.  I
think there is a create mask command that may help you. You should be able
to set it in the smb.conf file.





[Samba] Re: USRMGR, groups, and ldap

2006-07-21 Thread Jamrock
James Money [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I currently have samba version 3.0.23 installed using ldap as the
 backend. I am experiencing the same problems as Holger Wesser mentioned
 in his posting USRMGR.exe not working properly. However, it appears
 that the fix of creating the group mappings does not work. They appear
 to be mapped correctly on my setup. My net groupmap list is:

 Domain Admins (S-1-5-21-1882045844-2771900506-1057560041-512) - Domain Admins
 Domain Users (S-1-5-21-1882045844-2771900506-1057560041-513) - Domain Users
 Domain Guests (S-1-5-21-1882045844-2771900506-1057560041-514) - Domain Guests
 Domain Computers (S-1-5-21-1882045844-2771900506-1057560041-515) - Domain Computers
 Administrators (S-1-5-32-544) - Administrators
 Account Operators (S-1-5-32-548) - Account Operators
 Print Operators (S-1-5-32-550) - Print Operators
 Backup Operators (S-1-5-32-551) - Backup Operators
 Replicators (S-1-5-32-552) - Replicators


 However, there are no groups listed in usrmgr.exe or any of the dialog
 boxes for adding users/groups in XP. The users are listed correctly in
 usrmgr.exe but with none of the group memberships.

 In addition, net rpc group members Administrators reports:
 Couldn't list alias members

 I was hoping for some direction on how to diagnose and correct the
 problem.
 -James

Can the workstations read the group information from LDAP?  This issue is
sometimes caused by the incorrect configuration of nss_ldap.

Make sure you can see the ldap group entries when you type

getent group





[Samba] Re: Re: USRMGR, groups, and ldap

2006-07-21 Thread Jamrock

James Money [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
 Yes, I see all the ldap groups from the machine. Matter of fact, I have
 several machines already using ldap for authentication on the unix side.

 -James


 Jamrock [EMAIL PROTECTED] 07/21/06 9:57 AM 
 James Money [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
 I currently have samba version 3.0.23 installed using ldap as the
 backend. I am experiencing the same problems as Holger Wesser mentioned
 in his posting USRMGR.exe not working properly. However, it appears
 that the fix of creating the group mappings does not work. They appear
 to be mapped correctly on my setup. My net groupmap list is:

 Domain Admins (S-1-5-21-1882045844-2771900506-1057560041-512) - Domain Admins
 Domain Users (S-1-5-21-1882045844-2771900506-1057560041-513) - Domain Users
 Domain Guests (S-1-5-21-1882045844-2771900506-1057560041-514) - Domain Guests
 Domain Computers (S-1-5-21-1882045844-2771900506-1057560041-515) - Domain Computers
 Administrators (S-1-5-32-544) - Administrators
 Account Operators (S-1-5-32-548) - Account Operators
 Print Operators (S-1-5-32-550) - Print Operators
 Backup Operators (S-1-5-32-551) - Backup Operators
 Replicators (S-1-5-32-552) - Replicators


 However, there are no groups listed in usrmgr.exe or any of the dialog
 boxes for adding users/groups in XP. The users are listed correctly in
 usrmgr.exe but with none of the group memberships.

 In addition, net rpc group members Administrators reports:
 Couldn't list alias members

 I was hoping for some direction on how to diagnose and correct the
 problem.
 -James

 Can the workstations read the group information from LDAP?  This issue is
 sometimes caused by the incorrect configuration of nss_ldap.

 Make sure you can see the ldap group entries when you type

 getent group





Is usrmgr.exe located on a share on the Samba server? 





[Samba] Re: Unable to add computer to domain

2006-07-18 Thread Jamrock
User 1 [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 This is the last progress:

 When trying to join to domain (I am using Win 2000 Pro SP4 and use root)
 .. I met the following:

 The user name could not be found ..

 Please help ..

 Thanks  Regards
 Winanjaya

Make sure that your workstations can authenticate against ldap.

When you type getent passwd and getent group do you see the entries from the
ldap directory?  See Samba by Example for more information.  See the chapter
on Making users happy





[Samba] Re: Re: Joining Windows XP Prof Client To Domain

2006-07-13 Thread Jamrock
zdennis [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 Jamrock,

 Thanks for your reply. I just got my windows xp client to join the domain.
 After some alterations that Robert had me make in another thread, I
 believe that fixed my samba issues.

 However, I can only join a domain with the user root, and not with the
 user administrator. If I try to join with the user administrator I get...

 [2006/07/12 11:10:07, 0] lib/smbldap.c:smbldap_open(922)
   smbldap_open: cannot access LDAP when not root..

 Do I need to give administrator specific permissions to query ldap?

I have never tried.  I have used root for administrative purposes.

Typically, I give administrative rights to users by putting them as members
of the Domain Admins group.  You can try that.

BTW,  I use the NT 4.0 User Manager for Domains tool to manage my users and
groups.  It works quite well with the smb-ldap tools.  Put the tool on a
Samba share and run it from a workstation.

You can find it here http://support.microsoft.com/kb/173673/





[Samba] Re: mapping well known groups problem (net groupmap)

2006-07-13 Thread Jamrock
Piotr Legiecki [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi

 I have samba 3.0.14a (debian/stable) and wonder where the problem is
 that running this command:

 # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
 gives:
 adding entry for group Domain Admins failed!

 but (note changed rid)

 # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=1000 type=d
 works fine.

 Hm, winbind is not working, but I suppose it is not needed here.

 So what is the problem with mapping?

You have the option of using the Windows NT tool User Manager for Domains to
manage your users and groups.  You will need to set up your add user and add
group scripts in the smb.conf file.

You can find the tool here  http://support.microsoft.com/kb/173673/

Put User Manager for Domains on a Samba share and run it from a workstation.

I have never used the mapping command.





[Samba] Re: Joining Windows XP Prof Client To Domain

2006-07-11 Thread Jamrock
zdennis [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 I have my PDC up, but I cannot join any windows clients to it. I get
 prompted for the username/password to join the domain with but
 everything that is returned is a bad username/password.


Type the following two commands and let me know if you see entries from the
ldap directory.

The first command should show the users from the /etc/passwd and then the
users from the ldap directory.

The second should show the groups from the /etc/group and then the groups
from the ldap directory.

getent passwd
getent group





[Samba] Re: Stable Network Down

2006-04-18 Thread jamrock
EHines [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

I eventually cleared the problem by rebooting the Samba
server--everything is running properly, now. However, rebooting seems
excessive. In future, what sorts of things typically go wrong to produce
this type of failure? For what should I be looking?

Thanks

Eric Hines

Did you apply any updates to the computer recently?





[Samba] Re: User Manager Tools

2005-11-08 Thread jamrock
Michael Barnes [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I loaded the NT4 Domain Manager tools and tried to use UserMgr to add
 some users.  The add users sections of the menu are grayed out and I
 cannot do the deed.  I've tried a variety of things.  The machine was a
 member of the domain, I was logged in a administrator, which seemed to
 map as root in Samba, but still all I could do is look, not touch.

 Any ideas what I did wrong this time?


User Manager for Domains needs to be placed in a share on the Samba server.
Create a shortcut to the tool from the Windows machine.

I have used it on Windows XP and 2000 workstations.





[Samba] Re: Remote Authentication server

2005-10-25 Thread jamrock
CJ [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi all
 I have two samba server and I would like to set up one of them as a central
 authentication server (server a) and the other one (server b) to send
 username/password requests to server a
 I have followed the instruction on
 http://www.skippy.net/linux/2000/smb-howto.html
 However it doesn't seem to function properly.
 Has anyone been able to achieve remote authentication

You could have a look at using LDAP as the user/password database.  You can
use LDAP to create a PDC and BDC.  See the documentation at www.samba.org
for more info.





[Samba] Re: samba without netbios

2005-10-25 Thread Jamrock
John H Terpstra [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
OK - I'll try to answer this.

Very useful explanations.  I got the impression that Microsoft disabled
Netbios over TCP/IP for some kind of security reasons.  Just some general
reading I was doing.  Is there any truth to this?

Also Microsoft anti-spyware software warned me once that Netbios was enabled
on a XP workstation.  It made it sound like a bad thing.

What's up with that?





[Samba] Re: Re: MS SQL server and samba

2005-10-09 Thread Jamrock

Hans du Plooy [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 On Sunday 09 October 2005 03:47, jamrock wrote:
  Note that most people use Enterprise Manager to backup from SQL to the
  local drive.  They then use backup software to backup from disk to tape
  or disk to disk.

 Thanks for the link - gives me an idea of where to start hacking on it.

 We are actually using another product, Cortex Backupassist, which works
 like a charm and has no problem backing up to a samba share.  But the guys
 who set up the SQL server before us had Enterprise Manager do the backups
 to local disc.  These backups are now getting too big, and fill up the disc
 with every round.  And for the life of me I cannot get Enterprise Manager
 to delete that backup schedule.  So I thought, well, double backups isn't
 such a bad idea, I just need to get them diverted somewhere else...

 Thanks
 Hans


Have you configured Enterprise Manager to remove backups older than a
specified number of days?

How have you tried to remove the Database Maintenance Schedule?





[Samba] Re: MS SQL server and samba

2005-10-08 Thread jamrock
Perhaps this will help.

It shows the conditions under which SQL Server will backup to a remote
drive.

http://support.microsoft.com/default.aspx?scid=kb;en-us;555128

UNC pathnames are preferred.  Mapped drives are unreliable.

Note that most people use Enterprise Manager to backup from SQL to the local
drive.  They then use backup software to backup from disk to tape or disk to
disk.

Backing up over the network from within SQL server uses up a lot of network
bandwidth.

Let me know if this works with Samba.


Hans du Plooy [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi guys,

 I setup a Samba box to act as a backup server (storage), for the windows
 servers to dump their backups on.   The MS SQL 2000 server won't see the
 samba box.  Windows itself does, but SQL not.  Even if I map a network
 path to a local drive, it still doesn't see it, so I cannot point the
 backups that way.

 Is there any special trick to getting this to work?

 Thanks
 Hans






[Samba] Re: Samba/OpenLDAP reliability issue: backend experience needed

2005-10-03 Thread Jamrock
Gerd-Christian Michalke [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi

 this is more of an OpenLDAP issue, but since it is mostly used with Samba,
 some experience would be helpful.

 We have a SLES9 PDC, running samba-3.0.14a, openldap 2.2.6

 Sometimes, the OpenLDAP gets corrupted, no ideas why. It's a bad thing.

 We have 100+ computers, 300+ users, which shall get 350 computers and 800
 users.

 What would you suggest in order to be reliable ? Reliability is more
 important than speed for us.

 I used to work with a bdb backend, had problems; the SuSE consultant told
 us to use ldbm, but it isn't any better.

 Any advice would be helpful since googling gives mostly contradictory
 information about that.

 Kind regard,
 Gerd

Do a search on the ldap mailing list for db_recover.

If your server reboots without a proper shutdown, you may need to run
db_recover before you can access your data.

You can find the mailing list here:
http://marc.theaimsgroup.com/?l=openldap-softwarer=1w=2

I put the db_recover command in my /etc/rc.local so it just runs
automatically when my server starts.  I think the command automatically runs
when some of the newer versions of Openldap start up.

You could also have a look at setting up a secondary ldap server.  That way
you can replicate your database as new entries are added.  We really haven't
had any problems with Openldap.  Bdb is generally considered to be the
better database.







[Samba] SID's and RID's - It is starting to make sense now

2005-08-30 Thread jamrock
It took me a while to understand how SID's and RID's worked.  The recent
discussion SIDs and UIDs and RIDS - Oh My! helped quite a bit.

Here are two Microsoft documents that I have found to be useful.

http://support.microsoft.com/default.aspx?scid=kb;en-us;243330


http://support.microsoft.com/default.aspx?scid=kb;en-us;297951

The entries placed by the smbldap tool into the LDAP directory make a lot
more sense to me now.





[Samba] Re: No more able to change ACL From Windows ??

2005-07-16 Thread jamrock
 BTW I still have problems myself to change the permissions from W2K/WXP
 (see my recent posts)... and I cannot find any help on this. It seems
 either it works for everyone else, either nobody ever tried to change the
 permissions from Windows, either the ones who know are currently offline.

 Pierre


Here is some information on Samba and Windows ACLs.  It is an article
written by John H Terpstra.  It should shed some light on the issue.

I haven't tried it yet.  Please post your results on the list.

http://searchenterpriselinux.techtarget.com/tip/0,289483,sid39_gci1080966,00.html





[Samba] Re: Using Microsoft User Manager

2005-07-16 Thread jamrock
Giuliano Silva de Oliveira [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi everybody,



I'm trying to use the Microsoft User Manager tool with Samba 3.0.10. I can
view the users and groups, but I can't change and create anything; when I
try to do this I receive the message Permission Denied. Does someone know of
a how-to or checklist to make this work?


Please post the add user script from your smb.conf file.





[Samba] Re: urgent - samba+ldap PDC

2005-07-10 Thread jamrock
Adrian Sender [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hello members

I really have run out of options here, and I don't know how to resolve this
issue. I have a Samba LDAP primary domain controller. I have been using
LAM - LDAP Account Manager to manage the accounts. The command line appears
to be working correctly ie - getent passwd, getent group, id username, id
computer, adding and removing accounts.

Problem: When I logon to the LAM page (ldap account manager) and try to
login I get an error LDAP error, server says:
(-1) Can't contact LDAP server

LAM is configured correctly, and it used to work. I am almost positive this
is not a LAM issue.


Can you contact the server using the LDAP command line utilities?

What happens when you try ldapsearch?





[Samba] Re: Samba3+LDAP: Can't join domain.

2005-07-04 Thread jamrock
When you type getent group do you see a list of groups from the ldap
directory?

Please post your /etc/ldap.conf file.


davidszanto [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
On Monday, 4 July 2005 18:33, wrote:
 Hi Fabio!
 Thanks for the quick response!!

 On Monday, 4 July 2005 17:12, wrote:
  Hi!
  I manage a PDC with the same configuration.
  I suggest you to check SID in LDAP directory and smbldap configuration.
 
  net groupmap list shows errors?

 I've tried it again, just to make sure, and it doesn't show any errors...
 except that last time I so such a configuration samba groups mapped
 correctly to their posix group name, and now I only get gidNumbers??  I've
 double checked my nsswitch.conf and libnss-ldap.conf files and I can't see
 what's wrong:

 -- begin 

 # net groupmap list
 Gerencia (S-1-5-21-1243414039-471885888-144306045-21015) - 10007
 Ventas y Comerciales (S-1-5-21-1243414039-471885888-144306045-21025) - 10012
 Contabilidad (S-1-5-21-1243414039-471885888-144306045-5007) - 10005
 Recambios (S-1-5-21-1243414039-471885888-144306045-21021) - 10010
 Chapa y Pintura (S-1-5-21-1243414039-471885888-144306045-21009) - 10004
 Administracion (S-1-5-21-2139989288-483860436-2398042574-21003) - 10001
 Imperial de AutomBritFujiyama Motor (S-1-5-21-1243414039-471885888-144306045-21013) - 10006
 Vook Rent a Car (S-1-5-21-1243414039-471885888-144306045-21027) - 10013
 British Car (S-1-5-21-2139989288-483860436-2398042574-21007) - 10003
 Talleres y Mecanicos (S-1-5-21-1243414039-471885888-144306045-21023) - 10011
 Todos (S-1-5-21-2139989288-483860436-2398042574-21029) - 10014
 London Taxi Company (S-1-5-21-1243414039-471885888-144306045-21019) - 10009
 Informatica (S-1-5-21-2139989288-483860436-2398042574-21031) - 10015
 Domain Admins (S-1-5-21-2139989288-483860436-2398042574-512) - 512
 Domain Users (S-1-5-21-2139989288-483860436-2398042574-513) - 513
 Domain Guests (S-1-5-21-2139989288-483860436-2398042574-514) - 514
 Domain Computers (S-1-5-21-2139989288-483860436-2398042574-515) - 515
 Administrators (S-1-5-32-544) - 544
 Account Operators (S-1-5-32-548) - 548
 Print Operators (S-1-5-32-550) - 550
 Backup Operators (S-1-5-32-551) - 551
 Replicators (S-1-5-32-552) - 552

 -- end 

 -- nsswitch.conf -
 passwd: files ldap
 group:  files ldap
 shadow: files ldap
 ...
 -- end --

 -- libnss-ldap.conf ---
 base dc=gicomm,dc=iberica,dc=esp
 uri ldap://127.0.0.1/
 ldap_version 3
 rootbinddn cn=admin,dc=gicomm,dc=iberica,dc=esp
 scope sub
 -- end --

 The SID I get from net getlocalsid is:

 SID for domain GICOMM is: S-1-5-21-2139989288-483860436-2398042574


 And I've compared it to the entries in my LDAP directory and they seem
 correct.

 Examples:

 User XXX has :
 sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-513
 sambaSID: S-1-5-21-2139989288-483860436-2398042574-3204

 Any ideas?

 THANX a LOT!!!
 David



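The check suggested in the quoted thread above (compare the SIDs in the group mappings with the domain SID), as an added example that is not part of the original posts and not Samba's own code. It parses `net groupmap list` output, splits each SID into domain SID and RID, and flags mappings under a different domain SID, standard domain groups with an unexpected RID, and mappings whose unix side is only a number. The function names are hypothetical; the first three sample lines and the local SID are copied from the post, the last two are constructed.

```python
import re

# One mapping per line: "NT group (SID) -> unix group". The archived listing
# above lost the ">" of the arrow, so a bare "-" is accepted as well.
MAPPING = re.compile(
    r"^\s*(?P<nt>.+?)\s+\((?P<sid>S-1(?:-\d+)+)\)\s+->?\s+(?P<unix>\S.*?)\s*$"
)
BUILTIN = "S-1-5-32"  # BUILTIN aliases (544, 548, ...) are the same on every host
# RIDs that the listings on this page show for the standard domain groups.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513,
                   "Domain Guests": 514, "Domain Computers": 515}


def split_sid(sid):
    """'S-1-5-21-a-b-c-512' -> ('S-1-5-21-a-b-c', 512)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_groupmap(text):
    """Return one dict per mapping line; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAPPING.match(line)
        if m:
            domain, rid = split_sid(m.group("sid"))
            entries.append({"nt": m.group("nt"), "unix": m.group("unix"),
                            "domain": domain, "rid": rid})
    return entries


def audit(groupmap_text, local_sid):
    """Return (NT group, finding) pairs in listing order."""
    findings = []
    for e in parse_groupmap(groupmap_text):
        # Domain groups should sit under the SID that `net getlocalsid` reports.
        if e["domain"] not in (local_sid, BUILTIN):
            findings.append((e["nt"], "foreign-domain-sid"))
        expected = WELL_KNOWN_RIDS.get(e["nt"])
        if expected is not None and e["rid"] != expected:
            findings.append((e["nt"], "unexpected-rid"))
        # A bare number on the unix side is the symptom described in the post:
        # gidNumbers shown where POSIX group names used to appear.
        if e["unix"].isdigit():
            findings.append((e["nt"], "numeric-unix-group"))
    return findings


LOCAL_SID = "S-1-5-21-2139989288-483860436-2398042574"  # from the post
SAMPLE = """\
Gerencia (S-1-5-21-1243414039-471885888-144306045-21015) - 10007
Administracion (S-1-5-21-2139989288-483860436-2398042574-21003) - 10001
Administrators (S-1-5-32-544) - 544
Domain Users (S-1-5-21-2139989288-483860436-2398042574-513) -> users
Domain Admins (S-1-5-21-2139989288-483860436-2398042574-1000) -> ntadmins
"""  # last two lines are constructed for the example

if __name__ == "__main__":
    for nt, problem in audit(SAMPLE, LOCAL_SID):
        print(f"{nt}: {problem}")
```

Run against real output with `net groupmap list` piped to a file and the SID printed by `net getlocalsid`.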


[Samba] Re: Demote old NT4 PDC to member of Samba domain?

2005-06-12 Thread jamrock
Mi [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
 Hi,

 When installing Samba, I made it a PDC in a new domain. Now I would like
 the old NT4 PDC in the old domain to become a plain host in my Samba
 domain. Is this possible? I need to keep the old NT4 machine because
 it's running the Symantec Corporate Edition NAV.

 In other words, I have

 NEWDOMAIN with Samba PDC and all clients
 OLDDOMAIN with NT4 PDC alone, no client

 Can my NT4 PDC become a plain client in NEWDOMAIN?

 Thanks,

 Mi



Windows 2000 allows you to demote a domain controller to a member server.
You will need to reinstall an NT 4.0 domain controller to turn it into a
member server.

A member server can join a Samba domain just like any other machine.

I would recommend getting another machine and testing the entire process
before making changes to your production machine.






[Samba] Re: LDAP shared files error

2005-05-01 Thread Jamrock

Tony Earnshaw [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Jamrock wrote:

  I am installing Samba 3.0.14a on Whitebox Linux 3.0 with Openldap 2.2.24.
 
  Openldap is working well and we can query the entries that we have in our
  addressbook.
 
  I have installed Samba from source.  The configure, make and make install
  appear to go okay.
 
  When I try to start Samba
  with /usr/local/samba/sbin/smbd -D
  I get the following error
 
  /usr/local/samba/sbin/smbd: error while loading shared libraries:
  libldap.2.2.so.7: cannot open shared object file: no such file or directory
 
  I see the libldap.2.2.so.7 in /usr/local/lib and
  /usr/local/openldap-2.2.24/libraries/libldap/.libs
 
  My include/config.h file contains the line
  #define HAVE_LDAP 1
 
  What am I missing?

 This is for Red Hat 3.0:

 Firstly, you'd be far better off using the official Samba RH srpm,
 installing the spec file, changing that to suit your needs and
 rpmbuilding -bb from that. That's my experience on RHAS3, anyway - even
 though I've got OL 2.2.4 installed from source, just as you have :)

 Secondly, have you added /usr/local/lib to /etc/ld.so.conf and run
 ldconfig? Presumably you have, and /usr/local/BerkeleyDB.4.2/lib, etc
 also, otherwise OL 2.2.4 wouldn't work. Otherwise, try try to start the
 smbd daemon by hand from the CLI after doing 'export
 LD_LIBRARY_PATH=/usr/local/lib' and see what happens. If that works, try
 adding 'LDFLAGS=-L/usr/local/lib' to your Samba configure options.
 Although I have the RH 2.0.27 client libraries on my test and production
 rigs, Samba seems to want the latest libraries of everything I have.

 Best,

 --Tonni


 Secondly, have you added /usr/local/lib to /etc/ld.so.conf and run
 ldconfig?

Thanks Tonni.  Worked like a charm.  Need to read up on ldconfig.  man
ldconfig looks interesting.





[Samba] Re: Samba + LDAP as a PDC - unable to log in (but able to join a domain)

2004-10-23 Thread jamrock
Tomasz Chmielewski [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 John H Terpstra wrote:

   a) Your configuration information. From this someone may be able to
 see things that are not as they need to be. That may help you to find a
 solution.


 In case anyone wondered, here's my smb.conf and slapd.conf.


 As I said, without LDAP, I can join a domain, log in as a user, roaming
 profiles work etc,
 With OpenLDAP added, I can join the domain, but then I'm unable to log
 in as a user from the Windows workstation (w2k SP4).

 Samba logs say that user authentication was successful, but Windows says
 that user/password were wrong.

Those IBM tutorials relate to Samba 2.x.  There have been significant
changes since then.  Please have a look at the www.samba.org for documents
relevant to Samba 3.x.

The Official Howto and By Example would be good places to start.





[Samba] Re: samb3-ldap PDC and BDC

2004-10-20 Thread jamrock

Mihai Costache [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]


   hi,

  until now (about 1 year ago) i was working only with
 samba3+ldap PDC, but in near future my company enlarge his
 network with 6 new branches spread all over the country
 and i must build a scalable network with Samba-3 PDCs and
 BDCs, implement LDAP replication and multiple LDAP
 backends, all this over some VPNs(ipsec) .
  so, can tell me anyone how work the relationship between a
 samba3-ldap PDC and a samba3-ldap BDC and how openldap
 server must replicate ?

 thanks,
 Mihai

Here are a few things to keep in mind...

Any user logging onto Samba has to pass the Samba authentication as well as
the Linux authentication.  After all, the samba service is running on the
Linux box.

I know of two ways to achieve this with LDAP.

One way is to keep the Samba authentication info. in LDAP and to keep the
Linux authentication info (POSIX) in the /etc/passwd and /etc/group files.

The other way is to keep both the Samba and POSIX authentication info. in
LDAP.  This approach requires the use of the nss_ldap software from
www.padl.com.  The /etc/nsswitch.conf file is used to tell Linux to search
for the user's authentication info. in the LDAP directory.

If you use the second approach, you will have all the user's information in
a single location.  Configure LDAP to replicate the directory to another
Samba machine, make the appropriate entries in the smb.conf files of both
machines and you have a PDC and BDC.  Documentation on the Samba website
will show you how to configure the smb.conf files.

Along the way you will have to get familiar with the scripts from Idealx
which add the user's POSIX info. to LDAP.

Configuring LDAP for replication is off topic for this list but is a well
documented process.   Try and get hold of a good LDAP book.  Verify that the
machine is authenticating POSIX info. against LDAP before attempting the
replication.





[Samba] Re: NT and XP clients cannot reach Samba PDC

2004-10-15 Thread jamrock
M Middleton [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 When attempting to join my domain, the NT 4 Workstation and XP Pro
 clients cannot contact the domain controller.

What error message do you get?

The Samba server is
 running normally, and can be connected to via IP address, but not by
 name.

What command are you using to connect to the server by IP address?

What command are you using to connect to the server by name?

What replies do you receive?


Additionally, when I set up a DNS, it still could not contact
 the Samba server.  The clients and server are on the same subnet.

What command are you using and what message do you receive?

Is there a firewall running on the Samba server or on any of the
workstations?





[Samba] Re: problem with samba, ldap and windows

2004-10-15 Thread jamrock

Samuele Giovanni Tonon [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 hi,
 i have read that someone has similar problem to mines, however i didn't
 find how it solved them .

 The problem is this: samba as a PDC for a window domain.
 The authentication is managed with openldap.

 if i try to change the password of any ldap account with smbpassword i
 have no error.
 if i try to access to the shared folder of samba, with windows, it asks
 me for authentication and it all work.
 The only thing i'm not able to do is to manage the windows
 authentication through domain: when i try to join the domain using
 Administrator it says to me Can't find user but in samba log i have:

Make sure that the ou=machines exists in LDAP.  It sounds as if Samba is
trying to create the trust account but cannot find something that it needs.

I have gotten this message when using /etc/passwd and /etc/group to store
POSIX information.  This will happen when I have forgotten to create the
group machines in the /etc/group file.





[Samba] Re: Groupmapping doesn't work

2004-10-12 Thread jamrock
I could never get group mapping to work.  After reading Samba 3 by example,
I realized that I needed to migrate the relevant groups from /etc/group  to
LDAP.

I have set up a few servers since then and have not had any problems.

I use the migration tools from padl.com to migrate the /etc/group entries to
LDAP.  I only migrate the ones I need to map to Windows groups. See
http://www.padl.com/OSS/MigrationTools.html

This is clearly stated in Samba 3 by example but I did not see it in the
Official Samba 3 How To.


Tilo Lutz [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hi

 I got a problem with groupmapping. It doesn't work correct:

 Wilma2:/home/root # net groupmap list | grep 512
 Domain Admins (S-1-5-21-3371203057-3264423045-2392767973-512) - domadm

 ldapsearch -x cn=domadm:
 # domadm, groups, wms-hn.de
 dn: cn=domadm,ou=groups,dc=my-domain
 objectClass: posixGroup
 objectClass: sambaGroupMapping
 cn: domadm
 gidNumber: 65669
 memberUid: tilo
 sambaSID: S-1-5-21-3371203057-3264423045-2392767973-512
 sambaGroupType: 2
 displayName: Domain Admins
 description: Domain Admins


 The problem is tilo doesn't have any administrator rights.

 Any idea whats wrong? I use samba 3.0.7

 Cheers Tilo







[Samba] Re: Re: Groupmapping doesn't work

2004-10-12 Thread jamrock
John H Terpstra [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 On Tuesday 12 October 2004 05:05, jamrock wrote:
  I could never get group mapping to work.  After reading Samba 3 by
  example, I realized that I needed to migrate the relevant groups from
  /etc/group to LDAP.
 
  I have set up a few servers since then and have not had any problems.
 
  I use the migration tools from padl.com to migrate the /etc/group entries
  to LDAP.  I only migrate the ones I need to map to Windows groups. See
  http://www.padl.com/OSS/MigrationTools.html
 
  This is clearly stated in Samba 3 by example but I did not see it in the
  Official Samba 3 How To.

 Please provide a documentation patch, or else clearly indicate what needs
 to be updated and your fixes will be applied. Please don't just tell us
 what to fix but rather give us an update that we can add.

 Thanks.

 - John T.

Hmmm...

I am not sure I understand the process well enough to do that.  All I know
is that I have found a way to get group mapping to work based on Section
6.3.5  of Samba 3 by example.

At this time, Samba-3 requires that on a PDC all UNIX (Posix) group
accounts that are mapped (linked) to Windows Domain Group accounts must be
in the LDAP database.

I don't know how or why.  I just know that since I have done this, group
mapping works beautifully on the systems that I have installed.

See also chapter 6 of  LDAP System Administration by Gerald Carter.  The
section on Information Migration gives detailed instructions on how to use
the migration tools from www.padl.com.

I copy the /etc/group account to another directory. I delete all the groups
that don't map to Windows groups.  (It is important to make sure that you
are working with the copy when doing this).  I then migrate the groups to a
LDIF file and use the standard LDAP commands to import them into the
directory.

I will have a look at the Samba Howto and see if I can find a good place to
stick in that sentence.  I think it makes or breaks the process.



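The `getent group` check recommended in several replies above, combined with the requirement quoted in this message that mapped UNIX groups be in the LDAP database, as an added example that is not part of the original posts. It assumes the `group: files ldap` order shown in the nsswitch.conf earlier on this page, so any entry `getent group` returns beyond what /etc/group holds came from the directory. Function names are hypothetical and the sample data is constructed, reusing the domadm/tilo entry from the earlier post.

```python
from collections import Counter


def parse_groups(text):
    """Parse group(5) lines 'name:passwd:gid:member,member' into dicts."""
    groups = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # blank line, comment or malformed entry
        members = [m for m in fields[3].split(",") if m]
        groups.append({"name": fields[0], "gid": int(fields[2]),
                       "members": members})
    return groups


def classify(mapped_groups, getent_text, etc_group_text):
    """For each unix group used in a mapping, report where NSS finds it.

    'directory'  : getent returns more entries for it than /etc/group holds
    'files-only' : it exists only in /etc/group
    'missing'    : NSS does not resolve it at all
    """
    merged = parse_groups(getent_text)
    seen = Counter(g["name"] for g in merged)
    local = Counter(g["name"] for g in parse_groups(etc_group_text))
    report = {}
    for name in mapped_groups:
        if seen[name] == 0:
            source = "missing"
        elif seen[name] > local[name]:
            source = "directory"
        else:
            source = "files-only"
        members = sorted({m for g in merged if g["name"] == name
                          for m in g["members"]})
        report[name] = {"source": source, "members": members}
    return report


# Constructed sample: contents of /etc/group ...
ETC_GROUP = """\
root:x:0:
users:x:100:
ntadmins:x:1001:root
"""
# ... and `getent group` output: the file entries first, then directory entries.
GETENT = ETC_GROUP + """\
domadm:*:65669:tilo
domusers:*:65670:tilo,wilma
"""

if __name__ == "__main__":
    result = classify(["domadm", "ntadmins", "printops"], GETENT, ETC_GROUP)
    for name, info in result.items():
        print(f"{name}: {info['source']} members={','.join(info['members'])}")
```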


[Samba] Re: Usermanager for domains 3.0.2a... This a known bug?

2004-07-31 Thread jamrock
You will need to give us some information about the nature of the difficulty
you are facing.



Jim C. [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 I have Samba version 3.0.2a-3mdk with an LDAP backend.  Works great but
 I can't seem to get user manager for domains to work with it.  I'm
 thinking that perhaps it might be a samba bug that has probably since
 been corrected.  Can anyone validate this idea?


 Jim C.
 --

 -
 | I can be reached on the following Instant Messenger services: |
 |---|
 | MSN: [EMAIL PROTECTED]  AIM: WyteLi0n  ICQ: 123291844 |
 |---|
 | Y!: j_c_llings   Jabber: [EMAIL PROTECTED] |
 -






