Re: [Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
On Wed, Feb 6, 2013 at 4:45 PM, Andrew Bartlett abart...@samba.org wrote:
> On Mon, 2013-02-04 at 16:20 -0500, Matt Carey wrote:
> > I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried
> > both Samba 3.6.6 and 4.0.2. When pointing the client to a
> > RWDC(wegsfes19123) I'm able to successfully join the client:
>
> I think this comes down to a fundamental misunderstanding of what an
> RODC can do. It is indeed 'read only'! You don't join Samba to a DC,
> you join Samba to a domain. If the RODC is the most favourable server
> to use for authentication after that, then we will use it, but we will
> need to contact a read-write DC from time to time.

If the object CN=vm-ae67a,CN=Computers,DC=receiptiq,DC=com has already been created within AD and the Password Replication Policy has been set such that the object is replicated to the RODC, then what attributes on that object is the net ads join trying to update/write? I was hoping to perform the functional equivalent of the MS djoin.exe process and use winbind to authenticate the AD users against the RODC.

> > [root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
> > libnet_Join:
> >     libnet_JoinCtx: struct libnet_JoinCtx
> >         out: struct libnet_JoinCtx
> >             account_name : NULL
> >             netbios_domain_name : 'DOMAIN'
> >             dns_domain_name : 'domain.com'
> >             forest_name : 'domain.com'
> >             dn : NULL
> >             domain_sid : *
> >                 domain_sid : S-1-5-21-2999212452-478241430-698296220
> >             modified_config : 0x00 (0)
> >             error_string : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED) '
> >             domain_is_ad : 0x01 (1)
> >             result : WERR_NOT_SUPPORTED
> > Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
>
> You should allow Samba and krb5 to find the closest DC to use, and not
> force a particular server. This not only improves redundancy, it makes
> Samba much more likely to 'just work'.
>
> Remove all these configuration lines:
>
> > Configuration files:
> > [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
> > [global]
> > workgroup = DOMAIN
> > password server = wegsfes19234.domain.com
> >
> > [root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf
> > [libdefaults]
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> > [realms]
> >  EXAMPLE.COM = {
> >   kdc = kerberos.example.com:88
> >   admin_server = kerberos.example.com:749
> >   default_domain = example.com
> >  }
> >  domain.com = {
> >   kdc = wegsfes19234.domain.com
> >  }
> >  DOMAIN.COM = {
> >   kdc = wegsfes19234.domain.com
> >   kdc = wegsfes19234.domain.com
> >  }
>
> That is, remove the kdc, dns_lookup_kdc and password server
> configuration options from smb.conf and krb5.conf files.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

Configuration files have been updated and it finds the RODC via broadcast rather than being hard coded:

[root@vm-ae67a ~]# net ads lookup dc
Information for Domain Controller: 10.100.0.168
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: a7654231-d835-420a-bba8-b2d78722b056
Flags:
    Is a PDC: no
    Is a GC of the forest: yes
    Is an LDAP server: yes
    Supports DS: yes
    Is running a KDC: yes
    Is running time services: yes
    Is the closest DC: yes
    Is writable: no
    Has a hardware clock: no
    Is a non-domain NC serviced by LDAP server: no
    Is NT6 DC that has some secrets: yes
    Is NT6 DC that has all secrets: no
Forest: domain.com
Domain: domain.com
Domain Controller: WEGSFES19234.domain.com
Pre-Win2k Domain: DOMAIN
Pre-Win2k Hostname: WEGSFES19234
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token:
LM20 Token:

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
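Added example (not part of the thread and not Samba project code): a pre-join check that applies the advice in the reply above. It reports smb.conf and krb5.conf settings that override DC discovery and reads the flags printed by net ads lookup to see whether the located DC is writable. Function names are hypothetical, the sample inputs are constructed from the configuration quoted in the thread, and the krb5.conf parser assumes one relation per line.

```python
import re

# Constructed samples, laid out from the configuration quoted in the thread.
SMB_CONF = """\
[global]
workgroup = DOMAIN
password server = wegsfes19234.domain.com
realm = DOMAIN.COM
security = ads
"""

KRB5_CONF = """\
[logging]
 kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_kdc = false
[realms]
 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
 }
"""

LOOKUP = """\
Information for Domain Controller: 10.100.0.168
Flags:
\tIs a PDC: no
\tIs running a KDC: yes
\tIs the closest DC: yes
\tIs writable:no
"""

FALSE_WORDS = {"false", "no", "n", "off", "0", "nil"}
SECTION = re.compile(r"\[([^\]]+)\]")


def pinned_in_smb_conf(text):
    """Return (section, parameter, value) for a 'password server' naming a host."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION.fullmatch(line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        # smb.conf parameter names ignore case and embedded whitespace.
        key = re.sub(r"\s+", "", key).lower()
        if sep and section == "global" and key == "passwordserver":
            servers = [s for s in re.split(r"[,\s]+", value) if s]
            if any(s != "*" for s in servers):      # "*" means auto-locate
                findings.append(("global", "password server", value))
    return findings


def pinned_in_krb5_conf(text):
    """Return (where, relation, value) for settings that bypass KDC discovery."""
    findings, section, blocks = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION.fullmatch(line)
        if header:
            section, blocks = header.group(1).strip().lower(), []
            continue
        if line == "}":
            if blocks:
                blocks.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if value == "{":
            blocks.append(key)                      # entering a realm block
        elif (section == "libdefaults" and key == "dns_lookup_kdc"
              and value.lower() in FALSE_WORDS):
            findings.append(("libdefaults", key, value))
        elif section == "realms" and len(blocks) == 1 and key == "kdc":
            # Only [realms] counts: 'kdc =' under [logging] is a log target.
            findings.append((blocks[0], "kdc", value))
    return findings


def dc_flags(lookup_output):
    """Parse the yes/no flag lines of 'net ads lookup' into a dict of booleans."""
    flags = {}
    for line in lookup_output.splitlines():
        key, sep, value = line.partition(":")
        value = value.strip().lower()
        if sep and value in ("yes", "no"):
            flags[" ".join(key.split()).lower()] = (value == "yes")
    return flags


def preflight(smb_conf, krb5_conf, lookup_output):
    """Collect human-readable notes to review before running 'net ads join'."""
    pinned = pinned_in_smb_conf(smb_conf) + pinned_in_krb5_conf(krb5_conf)
    notes = [f"{where}: '{key} = {value}' overrides DC discovery"
             for where, key, value in pinned]
    if dc_flags(lookup_output).get("is writable") is False:
        notes.append("located DC is read-only; the join needs a writable DC")
    return notes


if __name__ == "__main__":
    for note in preflight(SMB_CONF, KRB5_CONF, LOOKUP):
        print(note)
```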
[Samba] Able to join Samba client as MEMBER server to Windows 2008 R2 RWDC but not to RODC
I'm trying to join a RHEL 5 client to a Windows 2008 R2 AD, I've tried both Samba 3.6.6 and 4.0.2. When pointing the client to a RWDC(wegsfes19123) I'm able to successfully join the client:

[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19123
...
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : 'DOMAIN'
            dns_domain_name : 'domain.com'
            forest_name : 'domain.com'
            dn : 'CN=vm-ae67a,CN=Computers,DC=domain,DC=com'
            domain_sid : *
                domain_sid : S-1-5-21-2999212452-478241430-698296220
            modified_config : 0x00 (0)
            error_string : NULL
            domain_is_ad : 0x01 (1)
            result : WERR_OK
Using short domain name -- DOMAIN
Joined 'VM-AE67A' to realm 'domain.com'
DNS Update for vm-ae67a.**INTERNAL*** failed: ERROR_DNS_GSS_ERROR
DNS update failed!

[root@vm-ae67a log]# net ads info
LDAP server: 10.100.0.231
LDAP server name: wegsfes19123.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Sun, 03 Feb 2013 11:45:05 EST
KDC server: 10.100.0.231
Server time offset: 0

However pointing the same client to a RODC(wegsfes19234), for the same domain, I'm unable to join (/etc/krb5.conf and /etc/samba/smb.conf were updated to point to the RODC server for authentication):

[root@vm-ae67a log]# kinit administra...@domain.com
Password for administra...@domain.com:
[root@vm-ae67a log]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@domain.com

Valid starting     Expires            Service principal
02/03/13 12:31:17  02/03/13 22:31:24  krbtgt/domain@domain.com
        renew until 02/04/13 12:31:17

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root@vm-ae67a ~]# net ads join -U Administrator -d1 -Swegsfes19234
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name : NULL
            netbios_domain_name : 'DOMAIN'
            dns_domain_name : 'domain.com'
            forest_name : 'domain.com'
            dn : NULL
            domain_sid : *
                domain_sid : S-1-5-21-2999212452-478241430-698296220
            modified_config : 0x00 (0)
            error_string : 'Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED) '
            domain_is_ad : 0x01 (1)
            result : WERR_NOT_SUPPORTED
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)

Any help with this matter would be greatly appreciated.

Regards,
Matt

Configuration files:

[root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/samba/smb.conf | uniq
[global]
workgroup = DOMAIN
password server = wegsfes19234.domain.com
realm = DOMAIN.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
idmap backend = nss
template homedir = /home/%U
winbind nss info = rfc2307
winbind use default domain = true
server string = vm-ae67a
netbios name = vm-ae67a
encrypt passwords = true
 # logs split per machine
log file = /var/log/samba/log.%m
 # max 50KB per log file, then rotate
max log size = 50
 # the login script name depends on the machine name
 # the login script name depends on the unix user used
 # disables profiles support by specifing an empty path
load printers = yes
cups options = raw
 #obtain list of printers automatically on SystemV
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[root@vm-ae67a ~]# grep -v -e ^# -e ^; /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 clockskew = 300
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }
 domain.com = {
  kdc = wegsfes19234.domain.com
 }
 DOMAIN.COM = {
  kdc = wegsfes19234.domain.com
  kdc = wegsfes19234.domain.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
[Samba] password expiration
Hello all,

I have a test system with CentOS 6.2 running samba 3.5.10_125.el6 and OpenLDAP 2.4.23_20.el6. Password expiration is set as sambaMaxPwdAge: 5184000 and password aging works with a Windows 7 client.

On a production system, I've got samba 3.5.10_115.el6_2 and openldap 2.4.23_20.el6 running on RHEL6.2. I have set sambaMaxPwdAge to 5184000 and it does not work consistently with clients.

To illustrate, on the production system as an account's password expiration was approaching some Windows 7 and 2008 clients would report that it was due to expire soon and would I like to change it now. Since it was odd that only some would display the message, I let it go to see what would happen when the password expired. The time and date came and went, still able to log in. Until, that is, I added a new samba client (domain member server, added to the domain after the test account's password had expired) and got the password expired message when attempting to connect with smbclient. Older clients still allowed me to log in with an aged password.

The test system displayed the message as soon as I made the change in LDAP and then tried to sign in to a client. If the password had expired, I was prompted to change it on log in.

I didn't see anything in the release notes to indicate a difference in the two samba packages, but of course there could be one. If someone could point me in the right direction, I would appreciate it.

Take care,
Matt
[Samba] printer preferences admin
Samba 3.5.9. We have printers exported to Windows and have the following options configured:

enable privileges = yes
load printers = yes
printing = cups
printcap name = cups
cups options = raw

[printers]
admin users = @printer-admins
comment = All Printers
browseable = yes
path = /var/spool/samba
printable = yes
public = yes

[print$]
admin users = @printer-admins
write list = @printer-admins
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
guest ok = no
create mode = 2777
root preexec = /usr/bin/renice +18 -p %d

and net rpc rights list:

..
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

Unix Group\printer-admins
SePrintOperatorPrivilege
SeDiskOperatorPrivilege

Everyone
No privileges assigned
..

Everything works great, including printing and installing printers on clients, EXCEPT when members of @printer-admins go into the printer properties via a Windows machine, all administrative options are grayed out. The only way I've determined that fixes this is to add @printer-admins to the [global] admin users. Having them as admin users under [printers] and [print$] doesn't seem to do it, nor does the rights assignment.

Is this expected? Am I missing a setting?
[Samba] Samba PANIC - running two instances
]: [2011/04/15 08:00:11, 0] lib/fault.c:fault_report(41)
Apr 15 08:00:11 shalimar smbd[28735]: ===
Apr 15 08:00:11 shalimar smbd[28735]: [2011/04/15 08:00:11, 0] lib/fault.c:fault_report(42)
Apr 15 08:00:11 shalimar smbd[28735]: INTERNAL ERROR: Signal 11 in pid 28735 (3.0.36-7.1-2365-SUSE-CODE10)
Apr 15 08:00:11 shalimar smbd[28735]: Please read the Trouble-Shooting section of the Samba3-HOWTO
Apr 15 08:00:11 shalimar smbd[28735]: [2011/04/15 08:00:11, 0] lib/fault.c:fault_report(44)
Apr 15 08:00:11 shalimar smbd[28735]:
Apr 15 08:00:11 shalimar smbd[28735]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
Apr 15 08:00:11 shalimar smbd[28735]: [2011/04/15 08:00:11, 0] lib/fault.c:fault_report(45)
Apr 15 08:00:11 shalimar smbd[28735]: ===
Apr 15 08:00:11 shalimar smbd[28735]: [2011/04/15 08:00:11, 0] lib/util.c:smb_panic(1633)
Apr 15 08:00:11 shalimar smbd[28735]: PANIC (pid 28735): internal error
Apr 15 08:00:19 shalimar smbd[28735]: BACKTRACE: 17 stack frames:
Apr 15 08:00:19 shalimar smbd[28735]: #0 /usr/sbin/smbd(log_stack_trace+0x1c) [0x55773f8c]
Apr 15 08:00:19 shalimar smbd[28735]: #1 /usr/sbin/smbd(smb_panic+0x41) [0x55774081]
Apr 15 08:00:19 shalimar smbd[28735]: #2 /usr/sbin/smbd [0x55761ea2]
Apr 15 08:00:20 shalimar smbd[28735]: #3 /lib64/libc.so.6 [0x2b2fdfbadc10]
Apr 15 08:00:20 shalimar smbd[28735]: #4 /usr/sbin/smbd(Get_Pwnam_alloc+0x2b) [0x5576693b]
Apr 15 08:00:20 shalimar smbd[28735]: #5 /usr/sbin/smbd(Get_Pwnam+0xb) [0x55766c9b]
Apr 15 08:00:20 shalimar smbd[28735]: #6 /usr/sbin/smbd(get_user_home_dir+0x9) [0x55766cd9]
Apr 15 08:00:20 shalimar smbd[28735]: #7 /usr/sbin/smbd [0x55779fb4]
Apr 15 08:00:20 shalimar smbd[28735]: #8 /usr/sbin/smbd(standard_sub_advanced+0x26) [0x5577a866]
Apr 15 08:00:20 shalimar smbd[28735]: #9 /usr/sbin/smbd [0x55794d0e]
Apr 15 08:00:20 shalimar smbd[28735]: #10 /usr/sbin/smbd(print_queue_status+0x38a) [0x5579547a]
Apr 15 08:00:20 shalimar smbd[28735]: #11 /usr/sbin/smbd(update_monitored_printq_cache+0x43) [0x556a1293]
Apr 15 08:00:20 shalimar smbd[28735]: #12 /usr/sbin/smbd [0x55628a6b]
Apr 15 08:00:20 shalimar smbd[28735]: #13 /usr/sbin/smbd(smbd_process+0x430) [0x55629640]
Apr 15 08:00:20 shalimar smbd[28735]: #14 /usr/sbin/smbd(main+0x1203) [0x55828903]
Apr 15 08:00:20 shalimar smbd[28735]: #15 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2b2fdfb9b154]
Apr 15 08:00:20 shalimar smbd[28735]: #16 /usr/sbin/smbd [0x555bc779]
Apr 15 08:00:20 shalimar smbd[28735]: [2011/04/15 08:00:20, 0] lib/fault.c:dump_core(181)
Apr 15 08:00:20 shalimar smbd[28735]: dumping core in /var/log/samba/cores/smbd
Apr 15 08:00:20 shalimar smbd[28735]:

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
[Samba] open printer driver files
When serving printer drivers to Windows 7 hosts, under what circumstances is it normal for the Windows clients to be locking driver files? Using smbstatus, I see clients constantly touching these files, even in cases where it is highly unlikely that the user is actively installing a printer.

I expect that the driver files would be downloaded during the initial printer installation, but it seems that Windows continues to grab at the drivers even after the fact. Is this documented behavior? In the majority of cases the clients seem to release the files quickly, but in a few problematic edge cases I have clients just repeatedly download the drivers over and over. It would be easier to troubleshoot these problem cases if I understood why so many healthy clients are also requesting drivers frequently.

Thanks,
M@
Re: [Samba] reducing smbd memory footprint
On Sat, Dec 25, 2010 at 5:49 AM, Andrew Bartlett abart...@samba.org wrote:
> On Fri, 2010-12-24 at 09:17 -0500, Nico Kadel-Garcia wrote:
> > On Thu, Dec 23, 2010 at 7:00 PM, Matt LaPlante ma...@google.com wrote:
> > > I'm currently compiling Samba 3.3.X with the following:
> > >
> > > CFLAGS = -g -Wall -O2
> > > ./configure --cache-file=./config.cache \
> > >   --with-fhs \
> > >   --enable-shared \
> > >   --prefix=/usr \
> > >   --sysconfdir=/etc \
> > >   --libdir=/usr/lib/samba \
> > >   --with-privatedir=/etc/samba \
> > >   --with-piddir=/var/run/samba \
> > >   --localstatedir=/var \
> > >   --with-rootsbindir=/sbin \
> > >   --with-syslog \
> > >   --with-utmp \
> > >   --with-readline \
> > >   --with-libsmbclient \
> > >   --with-winbind \
> > >   --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash \
> > >   --without-automount \
> > >   --with-ldap \
> > >   --with-ads \
> > >   --without-smbmount \
> > >   --without-dnsupdate \
> > >   --without-libtalloc \
> > >   --without-libtdb \
> > >   --without-libnetapi \
> > >   --with-modulesdir=/usr/lib/samba \
> > >   --datarootdir=/usr/share \
> > >   --with-lockdir=/var/run/samba \
> > >   --disable-avahi \
> > >   --disable-swat \
> > >   --with-cifsmount \
> > >   --without-acl-support \
> > >   --without-quotas
> > >
> > > The resulting smbd is about 6663656 in size. I'd love to be able to
> > > whittle this down more to stretch my system resource usage. Does
> > > anyone have recommendations for alterations that would reduce the
> > > ultimate size of the running process?
> >
> > Turn off the -g option and run strip on it, and look up those options
> > and tools.
>
> This won't help anything except the on-disk size, as those pages are
> only mapped in by the debugger in the case that they are needed.
> Otherwise, they just stay on disk.
>
> It may help to explain what you are trying to do, and why the current
> size is a problem.

Very simply, trying to sustain as many user connections as possible on systems with limited memory allocated, and on which smbd processes consume the majority of existing resources.

> Also, newer versions of Samba may be better, there is a general effort
> to make Samba's per-connection overhead lower where possible, driven by
> the high-end requirements of big clustered Samba installations.

This is the longer-term goal for sure; unfortunately known issues in the current versions are preventing an upgrade at the moment.

> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Cisco Inc.
[Samba] reducing smbd memory footprint
I'm currently compiling Samba 3.3.X with the following:

CFLAGS = -g -Wall -O2
./configure --cache-file=./config.cache \
  --with-fhs \
  --enable-shared \
  --prefix=/usr \
  --sysconfdir=/etc \
  --libdir=/usr/lib/samba \
  --with-privatedir=/etc/samba \
  --with-piddir=/var/run/samba \
  --localstatedir=/var \
  --with-rootsbindir=/sbin \
  --with-syslog \
  --with-utmp \
  --with-readline \
  --with-libsmbclient \
  --with-winbind \
  --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash \
  --without-automount \
  --with-ldap \
  --with-ads \
  --without-smbmount \
  --without-dnsupdate \
  --without-libtalloc \
  --without-libtdb \
  --without-libnetapi \
  --with-modulesdir=/usr/lib/samba \
  --datarootdir=/usr/share \
  --with-lockdir=/var/run/samba \
  --disable-avahi \
  --disable-swat \
  --with-cifsmount \
  --without-acl-support \
  --without-quotas

The resulting smbd is about 6663656 in size. I'd love to be able to whittle this down more to stretch my system resource usage. Does anyone have recommendations for alterations that would reduce the ultimate size of the running process?
Re: [Samba] Error 0x000003e6 when trying to connect to a printer from w2k8 (x64)
I've run into this with every version 3.3. Very hard to isolate. I suggest adding to https://bugzilla.samba.org/show_bug.cgi?id=7567

On Wed, Sep 22, 2010 at 4:27 PM, Bryan Hodgson hodg...@cse.lehigh.edu wrote:
> Same problem (0x03e6) here, W7 (but not XP) 32 and 64-bit using the
> Ricoh native RPCS drivers for Aficio 6001 with Samba 3.5.4. Very
> reproducible; it fails 100% of the time. It worked successfully with
> 3.5.3 in early testing; am contemplating down-rev'ing.
>
> Bryan
>
> On Tue, Sep 21, 2010 at 05:03:28PM +0100, Mark Adams wrote:
> > Hi,
> >
> > I am also having this issue, with Win7 x64 printing to Xerox machines.
> > Did you get to the bottom of it? I am using raw cups printers.
> >
> > Regards,
> > Mark
> >
> > On Tue, Jul 13, 2010 at 12:37:16PM +0200, Thorsten Leiser wrote:
> > > On 13.07.2010 11:15, Sean Crosby wrote:
> > > > On 07/12/2010 08:09 AM, Thorsten Leiser wrote:
> > > > > Hello,
> > > > >
> > > > > I'm trying to connect my W2k8 (x64) Server farm to our new
> > > > > installed printserver based on debian lenny with sernet samba
> > > > > 3.5.4 installed. Every time I try to connect to a printer share
> > > > > via point and print, it fails with error 0x03e6. When I do the
> > > > > same from Windows XP or from our old w2k3 (x64) server farm
> > > > > everything works excellent. Does anybody know a workaround? I
> > > > > installed nearly 80 printers on the samba server and I don't
> > > > > want to do this again.
> > > > >
> > > > > Regards
> > > > > Thorsten
> > > > > --
> > > >
> > > > Hi Thorsten,
> > > >
> > > > I had the same problem as you with a 2k8R2 server, and I fixed it
> > > > by changing the version of pscript5.dll (and the other ps* files)
> > > > on my samba server (in /usr/share/cups/drivers/x64). I was using
> > > > the Win7/Vista 64bit pscript5.dll file, but I had to change it to
> > > > the version shipped with 2k8 64bit. Once I did that, the problems
> > > > disappeared (and the driver still works with Win7 64bit and Vista
> > > > 64bit).
> > > >
> > > > Sean
> > >
> > > Hi Sean,
> > >
> > > I replaced the drivers without success. I don't think it's a drivers
> > > problem in my case. The driver works perfect on our old samba 3.2.5
> > > server. Thanks for your effort.
> > >
> > > Regards
> > > Thorsten
> > > --
> > > Thorsten Leiser
> > > IT Systems Support
> > > SYNCHRON Gesellschaft für betriebswirtschaftliche Beratung und Informationssysteme mbH
> > > Liebknechtstr. 50
> > > 70565 Stuttgart-Vaihingen
> > > Fon: 0711/7868-356
> > > Fax: 0711/7868-446
> > > www.synchron-is.de
> > > Registered office: Stuttgart
> > > Register court: Amtsgericht Stuttgart, HRB 8619
> > > Managing director: Michael Schober
Re: [Samba] Samba for AD client?
On 09/05/2010 05:14 PM, Ken D'Ambrosio wrote:
> 1) Are there any known issues with BTRFS?
> 2) Which version of Samba would be most appropriate for this?
> 3) AD integration: I've never really done it (with success); any
>    pointers? (I've googled a bit, but bump into a zillion different
>    HOWTO's and/or utilities, some of which seem to be mutually
>    exclusive.)

Can't help you with 1, but I've got a couple of Samba servers running as members in an AD domain: 3.2.5 and 3.4.8. Both integrated into the domain fairly easily. I have some internal docs that I can post once I clean them up. I haven't done any ACL testing yet because groups have been sufficient.

--
Matt Richardson
IT Consultant
College of Arts and Letters
CSU San Bernardino
work: (909)537-7598
fax: (909)537-5926
[Samba] Non-domain MFPs cannot access server
I have a Samba 3.4.7 server with ADS authentication. Windows clients have no issues, but non-domain MFPs cannot access shares, even with guest ok = yes. The MFPs can scan to a Samba 3.2.7 server, configured with Openfiler.

This line is the same on both servers:

Got user=[printers] domain=[] workstation=[RNPE96472] len1=24 len2=24

This is what comes next on the working, 3.2.7 server:

check_ntlm_password: Checking password for unmapped user [wcnb]\[printe...@[rnpe96472] with the new password interface

This is what comes next from the failing server:

check_ntlm_password: Checking password for unmapped user []\[printe...@[rnpe96472] with the new password interface

I have turned on winbind use default domain = yes, as the working server has. I have tried various username permutations - WCNB\printers, print...@wcnb. Those names remain whole in the logs, rather than being split. The printers account appears in getent passwd. The MFPs are Ricoh/Aficio MP 5000.

Portion of log level 3 for the device on failing server:

[2010/08/19 14:47:03, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2010/08/19 14:47:03, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[printers] domain=[] workstation=[RNPE96472] len1=24 len2=24
[2010/08/19 14:47:03, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[printe...@[rnpe96472] with the new password interface
[2010/08/19 14:47:03, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [datasvr2]\[printe...@[rnpe96472]
[2010/08/19 14:47:03, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/08/19 14:47:03, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/08/19 14:47:03, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/08/19 14:47:03, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/08/19 14:47:03, 3] auth/auth_sam.c:282(check_sam_security)
  check_sam_security: Couldn't find user 'printers' in passdb.
[2010/08/19 14:47:03, 3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [DATASVR2] was for this SAM.
[2010/08/19 14:47:03, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [printers] - [printers] FAILED with error NT_STATUS_NO_SUCH_USER

Globals from smb.conf on failing server:

# Samba config file created using SWAT
# from UNKNOWN (192.168.0.23)
# Date: 2010/08/19 14:37:44

[global]
workgroup = WCNB
realm = WCNB.LOCAL
server string = Data Server
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
password server = dc.wcnb.local, *
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
server signing = auto
load printers = No
local master = No
domain master = No
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap uid = 100-200
idmap gid = 100-200
template homedir = /mnt/users/homes/%U
winbind cache time = 15
winbind enum users = Yes
winbind enum groups = Yes
winbind refresh tickets = Yes
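Added example (not part of the post and not Samba project code): a small parser that follows one authentication attempt through a log level 3 trace like the one above and records the domain the client sent, the domain Samba mapped it to, and which back ends were consulted before the final status. Function names are hypothetical; the sample log is constructed from the excerpt in the post, with the archive-masked user string written out as [printers]@[rnpe96472] and the arrow in the last line assumed to be "->".

```python
import re

# Constructed sample modelled on the excerpt in the post.
SAMPLE_LOG = r"""
[2010/08/19 14:47:03, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[printers] domain=[] workstation=[RNPE96472] len1=24 len2=24
[2010/08/19 14:47:03, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[printers]@[rnpe96472] with the new password interface
[2010/08/19 14:47:03, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [datasvr2]\[printers]@[rnpe96472]
[2010/08/19 14:47:03, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/08/19 14:47:03, 3] auth/auth_sam.c:282(check_sam_security)
  check_sam_security: Couldn't find user 'printers' in passdb.
[2010/08/19 14:47:03, 3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [DATASVR2] was for this SAM.
[2010/08/19 14:47:03, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [printers] -> [printers] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# "[date time, level] file:line(function)" opens every log entry.
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)$")
# "[domain]\[user]@[workstation]" as printed by check_ntlm_password.
USER = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"


def entries(log_text):
    """Yield (function, message) pairs; the message is the text under a header."""
    current, body = None, []
    for line in log_text.splitlines():
        line = line.strip()
        match = HEADER.match(line)
        if match:
            if current:
                yield current, " ".join(body)
            current, body = match.group(5), []
        elif current and line:
            body.append(line)
    if current:
        yield current, " ".join(body)


def trace_auth(log_text):
    """Return one dict per NTLM authentication attempt found in the log."""
    attempts, cur = [], None
    for func, msg in entries(log_text):
        start = re.search(r"Checking password for unmapped user " + USER, msg)
        if start:
            cur = {"client_domain": start.group(1), "user": start.group(2),
                   "workstation": start.group(3), "mapped_domain": None,
                   "sam_miss": False, "winbind_skipped": False, "status": None}
            attempts.append(cur)
            continue
        if cur is None:
            continue                      # entries outside any attempt
        mapped = re.search(r"mapped user is: " + USER, msg)
        failed = re.search(r"FAILED with error (NT_STATUS_\w+)", msg)
        if mapped:
            cur["mapped_domain"] = mapped.group(1)
        elif func == "check_sam_security" and "Couldn't find user" in msg:
            cur["sam_miss"] = True
        elif func == "check_winbind_security" and "Not using winbind" in msg:
            cur["winbind_skipped"] = True
        elif failed:
            cur["status"] = failed.group(1)
            cur = None                    # attempt is complete
    return attempts


def local_sam_only(attempts):
    """Attempts that failed after being checked against the local SAM only."""
    return [a for a in attempts
            if a["status"] and a["sam_miss"] and a["winbind_skipped"]]


if __name__ == "__main__":
    for attempt in local_sam_only(trace_auth(SAMPLE_LOG)):
        print(attempt)
```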
[Samba] 'nobody' account and windows dc
I'm using ads security. Everything is working fine, but the logs show that the samba servers regularly try to authenticate user 'nobody' against the DC. I know that these are part of standard operation, but it seems suboptimal to be constantly doing these checks on a large network... generating traffic and using DC and samba server resources to verify a domain account that never has and never will exist.

domain_client_validate: unable to validate password for user nobody in domain DOMAIN to Domain controller DOMAIN.CONTROLLER.COM. Error was NT_STATUS_NO_SUCH_USER.

Is there a way to tell samba to filter these from AD checking? It would seem quicker and simpler for samba to just recognize that any time someone uses 'nobody' in my setup to skip the verification and insert the NT_STATUS_NO_SUCH_USER itself.
[Samba] kerberos_kinit_password: preauthentication failed
Hi,

This is the first time I've tried to register a samba server to a domain (previously I've connected using another program, likewise, I think). I've been following http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id257

I got to the point where I've configured smb.conf [global]:

realm = domain.internal
workgroup = DOMAIN
password server = *
encrypt passwords = true
security = ads

I then ran

net ads join -U administrator

And it said that it had successfully registered hostname to domain.internal (however, when I looked in AD it wasn't there, I take it it should have appeared after that step?)

It also said that it couldn't update the dns records, so I googled it and was told to enter my FQDN hostname against 127.0.0.1 in /etc/hosts. I then realised that my hostname was wrong, so changed it in /etc/hostname and /etc/hosts, and restarted, then tried to rejoin the domain using

net ads join -U administrator

It said:

kerberos_kinit_password newhostna...@domain.internal failed: Preauthentication failed

So I tried:

net ads join -U administrator -w domain.internal

and it didn't report any warnings or errors.

I'm just slightly confused, because the first time I ran net ads join -U administrator it went through fine, but when I amended the hostname and ran it again, it errored with preauthentication failed, but net ads join -U administrator -w domain.internal went through with no errors.

Does it matter that the first time net ads join -U administrator worked, but the second time I needed net ads join -U administrator -w domain.internal for it to work? Could anyone explain why it changed?

Thanks,
Matthew Millar
[Samba] Settings up a Domain Member server, to act as a file server
Hi,

I'm trying to piece together a way of making a debian samba domain member file server, but I can't work out how to do it.

We currently have a windows file server, which I'm trying to replace with a linux samba server. We have an AD domain, with all the users and groups that will need access to the samba server. I'm hoping that I can register the samba server onto the domain, and then configure a share to only allow access to domain\staff. Can anyone help me with this?

I've configured smb.conf:

realm = domain.internal
workgroup = DOMAIN
password server = *
security = ads
encrypt passwords = true

I've run:

net ads join -U administrator -w congleton.internal

And it said that the server has registered onto the domain (although it doesn't show up in AD?)

I've then updated smb.conf with share details:

[staff_shared_area]
comment = Staff Shared Area
path = /mnt/sdb/staff_shared_area
valid users =...@congleton\staff
public = no
writable = yes
browseable = yes

However, when I try and access the share from a windows machine it says bad username or password.

Does anyone have any ideas why I'm having problems?

Thanks,
Matthew Millar
[Samba] strange couldn't find service error message
Hi All.

This has got me stumped!!! I created a share the other day like I do all the time. There's about 10 users in the group. All of them can access the share fine, except for one guy. He's a valid user and has many other share drives on this system that are working fine. All 10 users are using a Windows XP platform.

The log.smbd has an entry like this for his requests:

    username (192.168.1.145) couldn't find service share-name for the folder

The "for the folder" part of the error stands out to me, but I don't know what it means.

using smbclient locally (and remotely) I can map to this share using his credentials fine..

the share in smb.conf looks like this

    [share-name]
    path=/usr/local/share/groups/share-name
    valid users = @share-name @ntadmin
    admin users = @ntadmin
    force group = share-name
    create mask = 0660
    directory mask = 0770

any thoughts ?

Matt.
--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
[Samba] Other users home share contains contents of my home share
I have 3.2.7 as part of an Openfiler install. I have a homes share setup, but when I view any other users home share (\\server\otherusername) I see the contents of my own home share. I have the server joined to AD with winbind, and I am in a group that is listed as the owner of the other users home share, with rwx. What I am trying to do is allow a domain group access to all of the home shares via SMB.

    [homes]
    path = /mnt/users/%U
    read only = no
    writeable = yes
    oplocks = yes
    level2 oplocks = yes
    force security mode = 0
    dos filemode = yes
    dos filetime resolution = yes
    dos filetimes = yes
    fake directory create times = yes
    browseable = yes
    csc policy = manual
    share modes = yes
    veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
    veto files = /*:Zone.Identifier:*/
    store dos attributes = yes
    map acl inherit = yes
    create mode = 0700
    directory mode = 0700
    printable = no
    guest ok = no
    hosts allow = 0.0.0.0/0
    hosts readonly allow =
    admin users = matt.everson

Matt
Re: [Samba] XP clients cannot find profile after logout when re-login
I have double-checked this and it still occurs:

    $ls -lna
    total 12
    drwxr-xr-x 300 4096 2010-03-13 01:03 .
    drwxr-xr-x 400 4096 2010-03-13 00:59 ..
    drwx-- 21 1001 1001 4096 2010-03-18 09:38 username

Are there other options that I can check ?

I have the profiles and remapped paths in separate folders. So in my remapped folder for the user there are only:

    -Desktop
    -Local Settings
    -My Documents

Where the userfolder for these redirects has the following rights:

    ls -lna
    total 12
    drwxr-xr-x 300 4096 2010-03-13 01:03 .
    drwxr-xr-x 400 4096 2010-03-13 00:59 ..
    drwx-- 21 1001 1001 4096 2010-03-18 09:38 username

I can't follow this issue.

Adam wrote:

check the perms of /var/lib/samba/profiles/username set to at least 700 and owned by that user?

Matt wrote:

I'm facing a problem with logins on XP (only used by now) clients when a user has logged out first. The user starts his PC, he is able to login to the domain and gets his profile in a proper way. Now the user wants to logout, he gets the login screen again, he tries to login again and the message appears that windows was not able to find the profile. Please contact your sysadmin or check your network.

It seems that all connections to the PDC are closed/removed after the user logs out. When the user restarts his PC, he is able to login again. It's known that a Client needs to have some connection to the PDC to actually check the login details and get the profile, this part seems to be closed when the user logs off.

I'm lost in finding a solution for this as most Can't find profile errors are based on usernames or whatever don't exist on Linux, but this is all good and works. What I have changed in the config is that all Paths that you can redirect to the userhome using a NTConfig.pol are set to the server and after this, this problem started.

I hope someone can help out.
[Samba] XP clients cannot find profile after logout when re-login
I'm facing a problem with logins on XP (only used by now) clients when a user has logged out first. The user starts his PC, he is able to login to the domain and gets his profile in a proper way. Now the user wants to logout, he gets the login screen again, he tries to login again and the message appears that windows was not able to find the profile. Please contact your sysadmin or check your network.

It seems that all connections to the PDC are closed/removed after the user logs out. When the user restarts his PC, he is able to login again. It's known that a Client needs to have some connection to the PDC to actually check the login details and get the profile, this part seems to be closed when the user logs off.

I'm lost in finding a solution for this as most Can't find profile errors are based on usernames or whatever don't exist on Linux, but this is all good and works. What I have changed in the config is that all Paths that you can redirect to the userhome using a NTConfig.pol are set to the server and after this, this problem started.

I hope someone can help out.
Re: [Samba] Looking for AIX Users of Winbind -- Authorization and SSHProblems
On 13/11/2009 at 9:54 am, Kevin Newman kevinjnew...@gmail.com wrote:

2. Authorization (e.g., who can log into the box ... NOT just all of AD). I'm pretty good at configuring Winbind on Linux, and on Linux there's a pam_winbind.conf file that I usually use to lock down the box to specific AD users or groups -- I use the require_membership_of line and it works just fine. Unfortunately, I don't see any pam_winbind.conf file in AIX by default. I've tried placing it in /etc/security/ or in other locations, but it doesn't seem to be used. I've also tried adding pam_winbind lines to the /etc/pam.conf and manually adding the require_membership_of after the stanza, like so:

    telnet account required /usr/lib/security/pam_winbind.so require_membership_of=someGroup

How I use winbind to lock down group membership is by using the /etc/security/access.conf file and to restrict the groups who can log in. This does mean you will have to use the pam_access module as well.

This works quite well for me under Linux and may (I stress may as I haven't worked with AIX) provide a solution under AIX.

Hope this helps.

Thanks,
Matt Delves
[Samba] Bind, DHCPD and Samba
Hey Folks,

I currently have bind and dhcpd configured to allow for dynamic updates, though when I try to manually add in the srv records required for correctly identifying the samba pdc, they get overwritten when bind starts.

How can I modify the bind configuration so that it writes the correct information? Also, is there a way to have samba write the correct information to bind?

As for the samba version, I'm using the default that comes with OpenSuSE 11.1. The same goes with the packages for bind and dhcpd.

Thanks,
Matt Delves
Re: [Samba] Share authentication via AD
Thanks for your reply Adam,

I solved the problem by removing the force group parameter. As for other quirks, I had to put the domain in before the user or group.

Thanks,
Matt Delves
[Samba] [samba] Share authentication via AD
Hey folks,

I've got a server setup that uses samba to join to the Windows 2k3 Active Directory. I've also created a shared folder on that server. The problem I'm experiencing is that I'm unable to authenticate to the share and thus browse it.

The smb.conf file is:

==
    [global]
    workgroup = domain
    server string = Samba Server Version %v
    security = ads
    local master = no
    preferred master = no
    load printers = yes
    cups options = raw
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = yes
    password server = AD Servers
    realm = Kerberos Realm
    winbind nested groups = yes

    [rpms]
    Comment = SLES 10 RPMs
    path = /srv/www/htdocs/sles
    read only = No
    force group = bob
    force user = bob
    create mask = 0664
==

As far as the basics, the server is joined successfully to the domain and I can browse to it from a windows box. I know that winbind is functioning as I can login (via local or ssh) using my Active Directory username and password.

Any help in identifying problems with this configuration would be appreciated.

Thanks,
Matt Delves
[Samba] Best way to setup Samba + OpenLDAP + Linux to use a different partition for /home?
Thanks in advance! I can't believe the level of service / help I've gotten from this group.

Anyway, I have a Samba server acting as a PDC on a network. The server has a small OS drive and one very large RAID array for data / files. Right now, I have Ubuntu 8.04 installed and Samba is using openLDAP for authentication. The person who will add new users is not very technical and needs a simple way to add new users. Right now, I have him adding users via the Webmin LDAP Users and Groups modules. It's working just fine. However, it creates home directories on the small OS drive and he would like to have them all moved to the large RAID array.

I have a couple of questions -

1) Would it be better to only have the Samba users files on the large RAID drive, leaving the admin and root homes on the OS drive?

2) If it is, how would I set up for the admin account. For example, the admin is a user named 'fred' and he will also be logging onto the Samba server. Should I create a separate admin account? Or could I simply create two different home directories - one for the regular users and one for the admins?

3) What is the easiest way to set this up so a person with little technical background can do it fairly easily?

Thanks!

--
Matt Burkhardt, M.Sci. Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
Re: [Samba] Does this tell me anything? Traffic report
On Tue, 2009-06-09 at 14:33 +1000, Chris Smart wrote:

2009/6/8 Matt Burkhardt m...@imparisystems.com:

Just a few thoughts: Is Samba only listening on localhost rather than your ethernet device? Have you set anything for interfaces in your /etc/samba/smb.conf? If so, try taking it out or ensuring it's correct.

I searched for interface in smb.conf and came up with nothing - here's my smb.conf from SWAT

    # Samba config file created using SWAT
    # from 192.168.1.105 (192.168.1.105)
    # Date: 2009/06/09 08:31:42

    [global]
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    passdb backend = ldapsam:ldap://localhost
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = lmhosts host bcast
    server signing = auto
    printcap name = cups
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
    logon script = logon.cmd
    logon path = \\%N\profiles\%U
    logon drive = H:
    domain logons = Yes
    os level = 35
    dns proxy = No
    ldap admin dn = cn=admin,dc=imparisystems,dc=local
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap suffix = dc=imparisystems,dc=local
    ldap ssl = no
    ldap user suffix = ou=Users
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d

    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

    [Profiles]
    comment = Users profiles
    path = /samba/profiles
    read only = No
    profile acls = Yes
    browseable = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    admin users = root
    write list = root
    read only = No
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    admin users = root
    write list = root, @Administrators
    create mask = 0664
    directory mask = 0775

    [tmp]
    path = /tmp
    guest ok = Yes

I was thinking that might be the problem, but I don't know how to check / fix it...

What does 'sudo netstat -lt' show?

Unless I'm mistaken, I can't see Samba listening on your machine. You should have something like:

    tcp 0 0 *:netbios-ssn *:*
    tcp 0 0 *:microsoft-ds *:*

Can you also try netstat -ltu? Maybe it's UDP only.

Here's what I get

    netstat -ltu
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address State
    tcp   0      0      *:amanda                *:*             LISTEN
    tcp   0      0      localhost:8100          *:*             LISTEN
    tcp   0      0      *:swat                  *:*             LISTEN
    tcp   0      0      *:ldap                  *:*             LISTEN
    tcp   0      0      *:sane-port             *:*             LISTEN
    tcp   0      0      *:mysql                 *:*             LISTEN
    tcp   0      0      *:sunrpc                *:*             LISTEN
    tcp   0      0      *:webmin                *:*             LISTEN
    tcp   0      0      *:www                   *:*             LISTEN
    tcp   0      0      *:81                    *:*             LISTEN
    tcp   0      0      *:82                    *:*             LISTEN
    tcp   0      0      *:8083                  *:*             LISTEN
    tcp   0      0      *:83                    *:*             LISTEN
    tcp   0      0      ubuntu.imparisys:domain *:*             LISTEN
    tcp   0      0      localhost:domain        *:*             LISTEN
    tcp   0      0      *:ipp                   *:*             LISTEN
    tcp   0      0      *:postgresql            *:*             LISTEN
    tcp   0      0      localhost:smtp          *:*             LISTEN
    tcp   0      0      localhost:953           *:*             LISTEN
    tcp   0      0      *:https                 *:*             LISTEN
    tcp   0      0      *:49852                 *:*             LISTEN
    tcp6  0      0      localhost:8005          [::]:*          LISTEN
    tcp6  0      0      [::]:ldap               [::]:*          LISTEN
    tcp6  0      0      [::]:8009               [::]:*          LISTEN
    tcp6  0      0      [::]:5001               [::]:*          LISTEN
    tcp6  0      0      [::]:webcache           [::]:*          LISTEN
    tcp6
Re: [Samba] Does this tell me anything? Traffic report
On Tue, 2009-06-09 at 10:31 -0600, gregorcy wrote:

    [global]
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    passdb backend = ldapsam:ldap://localhost
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = lmhosts host bcast
    server signing = auto
    printcap name = cups
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
    logon script = logon.cmd
    logon path = \\%N\profiles\%U
    logon drive = H:
    domain logons = Yes
    os level = 35
    dns proxy = No
    ldap admin dn = cn=admin,dc=imparisystems,dc=local
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap suffix = dc=imparisystems,dc=local
    ldap ssl = no
    ldap user suffix = ou=Users
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d

I am not too familiar with the passdb backend that you are using but don't you need a:

    security = SOMETHING

In there somewhere.

The documentation says that it defaults to security = users, but I'll go ahead and put it in. My biggest problem is that I'm still not listening on ports 137 and 139 with no error messages in either log.smbd or log.nmbd

--
Matt Burkhardt, M.Sci. Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
Re: [Samba] Does this tell me anything? Traffic report
On Tue, 2009-06-09 at 11:52 -0600, gregorcy wrote:

Matt Burkhardt wrote:

On Tue, 2009-06-09 at 10:31 -0600, gregorcy wrote:

    [global]
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    passdb backend = ldapsam:ldap://localhost
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    log level = 2
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = lmhosts host bcast
    server signing = auto
    printcap name = cups
    add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
    logon script = logon.cmd
    logon path = \\%N\profiles\%U
    logon drive = H:
    domain logons = Yes
    os level = 35
    dns proxy = No
    ldap admin dn = cn=admin,dc=imparisystems,dc=local
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap suffix = dc=imparisystems,dc=local
    ldap ssl = no
    ldap user suffix = ou=Users
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d

I am not too familiar with the passdb backend that you are using but don't you need a:

    security = SOMETHING

In there somewhere.

The documentation says that it defaults to security = users, but I'll go ahead and put it in. My biggest problem is that I'm still not listening on ports 137 and 139 with no error messages in either log.smbd or log.nmbd

Is the samba server also the WINS server or is it supposed to use a different box. If the samba server is the WINS server I think you would need something like this defined, in the global section:

    wins support = yes
    name resolve order = wins lmhosts hosts bcast

If it is not, I think you would need this:

    wins server = x.x.x.x

I had turned wins support = off because I read that you only needed it for Windows boxes pre-XP. I went ahead and re-added them and put in the name resolve order.

I'm still having the problem with getting

    Error connecting to 192.168.1.100 (Connection refused)
    Connection to Ubuntu failed (Error NT_STATUS_CONNECTION_REFUSED)

but here's my nmap

    sudo nmap -sUT Ubuntu

    Starting Nmap 4.53 ( http://insecure.org ) at 2009-06-09 15:46 EDT
    Interesting ports on ubuntu.imparisystems.local (192.168.1.100):
    Not shown: 3177 closed ports
    PORT     STATE         SERVICE
    22/tcp   open          ssh
    53/tcp   open          domain
    80/tcp   open          http
    81/tcp   open          hosts2-ns
    82/tcp   open          xfer
    83/tcp   open          mit-ml-dev
    111/tcp  open          rpcbind
    389/tcp  open          ldap
    443/tcp  open          https
    631/tcp  open          ipp
    901/tcp  open          samba-swat
    3306/tcp open          mysql
    5001/tcp open          commplex-link
    5432/tcp open          postgres
    8009/tcp open          ajp13
    8080/tcp open          http-proxy
    1/tcp    open          snet-sensor-mgmt
    53/udp   open|filtered domain
    67/udp   open|filtered dhcps
    69/udp   open|filtered tftp
    111/udp  open|filtered rpcbind
    137/udp  open|filtered netbios-ns
    138/udp  open|filtered netbios-dgm
    631/udp  open|filtered unknown
    636/udp  open|filtered unknown

--
Matt Burkhardt, M.Sci. Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
Re: [Samba] Does this tell me anything? Traffic report
On Mon, 2009-06-08 at 12:25 +1000, Chris Smart wrote:

2009/6/8 Matt Burkhardt m...@imparisystems.com:

I'm trying to get Samba up and running and having a terrible time. It says that I should be able to run nmap and see that 137 and 139 are open - which they are not. I have not added any restrictions in smb.conf, do not have a firewall running and I have increased the log level to 5 to see all of the messages. It says that it is talking on 137 but it kind of looks like it's not talking back.

Just a few thoughts: Is Samba only listening on localhost rather than your ethernet device?

I was thinking that might be the problem, but I don't know how to check / fix it...

What does 'sudo netstat -lt' show?

    sudo netstat -lt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address        Foreign Address State
    tcp   0      0      *:amanda             *:*             LISTEN
    tcp   0      0      localhost:8100       *:*             LISTEN
    tcp   0      0      *:swat               *:*             LISTEN
    tcp   0      0      *:ldap               *:*             LISTEN
    tcp   0      0      *:sane-port          *:*             LISTEN
    tcp   0      0      *:mysql              *:*             LISTEN
    tcp   0      0      *:sunrpc             *:*             LISTEN
    tcp   0      0      *:webmin             *:*             LISTEN
    tcp   0      0      *:www                *:*             LISTEN
    tcp   0      0      *:81                 *:*             LISTEN
    tcp   0      0      *:82                 *:*             LISTEN
    tcp   0      0      *:8083               *:*             LISTEN
    tcp   0      0      *:83                 *:*             LISTEN
    tcp   0      0      192.168.1.100:domain *:*             LISTEN
    tcp   0      0      localhost:domain     *:*             LISTEN
    tcp   0      0      *:ipp                *:*             LISTEN
    tcp   0      0      *:postgresql         *:*             LISTEN
    tcp   0      0      localhost:smtp       *:*             LISTEN
    tcp   0      0      localhost:953        *:*             LISTEN
    tcp   0      0      *:58426              *:*             LISTEN
    tcp   0      0      *:https              *:*             LISTEN
    tcp6  0      0      localhost:8005       [::]:*          LISTEN
    tcp6  0      0      [::]:ldap            [::]:*          LISTEN
    tcp6  0      0      [::]:8009            [::]:*          LISTEN
    tcp6  0      0      [::]:5001            [::]:*          LISTEN
    tcp6  0      0      [::]:webcache        [::]:*          LISTEN
    tcp6  0      0      [::]:domain          [::]:*          LISTEN
    tcp6  0      0      [::]:ssh             [::]:*          LISTEN
    tcp6  0      0      [::]:ipp             [::]:*          LISTEN
    tcp6  0      0      [::]:postgresql      [::]:*          LISTEN

Is the daemon running? 'sudo ps aux |grep smb'

    sudo ps -e | grep mb
    31686 ? 00:00:01 nmbd
    31688 ? 00:00:00 smbd

Are you blocking anything in /etc/hosts.deny or /etc/hosts.allow?

They both contain only commented lines - no information other than that

-x

--
Matt Burkhardt, M.Sci. Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
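The check discussed in this thread (is anything listening on netbios-ssn and microsoft-ds, and on which address) can be scripted. This is an added example, not part of the original posts; the function names and both netstat samples are constructed for illustration, modelled on the output shape shown above.

```python
import re

# Ports Samba is expected to hold: number -> /etc/services name.
# netstat prints names by default and numbers with -n, so match either.
SAMBA_TCP = {"139": "netbios-ssn", "445": "microsoft-ds"}   # smbd
SAMBA_UDP = {"137": "netbios-ns", "138": "netbios-dgm"}     # nmbd
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_listeners(netstat_text):
    """Return (proto, host, port) for each listening TCP or bound UDP socket."""
    sockets = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the banner and column header; UDP rows have no State column.
        if len(fields) < 5 or not re.fullmatch(r"(tcp|udp)6?", fields[0]):
            continue
        proto = fields[0].rstrip("6")          # fold tcp6/udp6 into tcp/udp
        if proto == "tcp" and "LISTEN" not in fields[5:]:
            continue                           # ignore established sessions
        # Local address is "host:port"; split on the last colon so that
        # ":::445" and "[::]:ldap" both work.
        host, _, port = fields[3].rpartition(":")
        sockets.append((proto, host.strip("[]"), port))
    return sockets


def samba_listener_report(netstat_text):
    """Map each expected Samba port to missing / loopback-only / listening."""
    sockets = parse_listeners(netstat_text)
    report = {}
    for proto, ports in (("tcp", SAMBA_TCP), ("udp", SAMBA_UDP)):
        for number, name in ports.items():
            hosts = {h for p, h, port in sockets
                     if p == proto and port in (number, name)}
            if not hosts:
                status = "missing"
            elif hosts <= LOOPBACK:
                status = "loopback-only"       # unreachable from other hosts
            else:
                status = "listening"
            report[f"{number}/{proto}"] = status
    return report


# Constructed sample: nmbd holds its UDP ports, but no smbd TCP listener,
# which matches the "Connection refused" symptom described in the thread.
THREAD_STYLE_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address            Foreign Address  State
tcp        0      0 *:swat                   *:*              LISTEN
tcp        0      0 *:ldap                   *:*              LISTEN
tcp        0      0 localhost:smtp           *:*              LISTEN
tcp6       0      0 [::]:ssh                 [::]:*           LISTEN
udp        0      0 192.168.1.100:netbios-ns *:*
udp        0      0 *:netbios-ns             *:*
udp        0      0 *:netbios-dgm            *:*
"""

# Constructed sample in numeric (-n) form: 445 bound to loopback only.
LOOPBACK_SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp        0      0 127.0.0.1:445   0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:139     0.0.0.0:*        LISTEN
tcp6       0      0 ::1:445         :::*             LISTEN
"""

if __name__ == "__main__":
    for label, text in (("thread-style", THREAD_STYLE_SAMPLE),
                        ("loopback", LOOPBACK_SAMPLE)):
        print(label)
        for port, status in samba_listener_report(text).items():
            print(f"  {port:8} {status}")
```

Feed it the text of `netstat -ltu` (or `netstat -ltun`) captured on the server; a "loopback-only" result points at the interface binding, while "missing" means the daemon never opened the socket.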
[Samba] Does this tell me anything? Traffic report
18 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: Cisco-Li_15:1c:11 (00:18:39:15:1c:11), Dst: Intel_6d:d7:6a (00:04:23:6d:d7:6a)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.105 (192.168.1.105)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 36377 (36377), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
19 20.093060 192.168.1.105 192.168.1.100 TCP 45084 netbios-ssn [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=1977451 TSER=0 WS=6

Frame 19 (74 bytes on wire, 74 bytes captured)
Ethernet II, Src: Intel_6d:d7:6a (00:04:23:6d:d7:6a), Dst: Cisco-Li_15:1c:11 (00:18:39:15:1c:11)
Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: 45084 (45084), Dst Port: netbios-ssn (139), Seq: 0, Len: 0

No. Time Source Destination Protocol Info
20 20.095051 192.168.1.100 192.168.1.105 TCP netbios-ssn 45084 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

Frame 20 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: Cisco-Li_15:1c:11 (00:18:39:15:1c:11), Dst: Intel_6d:d7:6a (00:04:23:6d:d7:6a)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 192.168.1.105 (192.168.1.105)
Transmission Control Protocol, Src Port: netbios-ssn (139), Dst Port: 45084 (45084), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
21 25.145799 Cisco-Li_15:1c:11 Intel_6d:d7:6a ARP Who has 192.168.1.105? Tell 192.168.1.100

Frame 21 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Cisco-Li_15:1c:11 (00:18:39:15:1c:11), Dst: Intel_6d:d7:6a (00:04:23:6d:d7:6a)
Address Resolution Protocol (request)

No. Time Source Destination Protocol Info
22 25.145836 Intel_6d:d7:6a Cisco-Li_15:1c:11 ARP 192.168.1.105 is at 00:04:23:6d:d7:6a

Frame 22 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: Intel_6d:d7:6a (00:04:23:6d:d7:6a), Dst: Cisco-Li_15:1c:11 (00:18:39:15:1c:11)
Address Resolution Protocol (reply)

I'm running Ubuntu 8.04, DHCP, DNS and OpenLDAP on the server.

Please - any help greatly appreciated! Thanks!

--
Matt Burkhardt, M.Sci. Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
[Samba] I am so frustrated - Samba ports not opening and no error message
Okay - I've been plugging away and it got to the point that running smbclient was returning information about an Alfresco install that I never used, so I went ahead and deleted everything I could find on my machine that said alfresco. I then removed samba using apt-get from the machine by typing

    apt-get remove --purge samba

I deleted the /etc/samba directory and re-installed samba. So now I've made sure that DHCP, DNS and OpenLDAP are now working correctly and I started to reconfigure Samba. I start it up and I look at the log.smbd and log.nmbd files, don't see a single error message and when I run nmap - there's nothing listening on the ports that Samba is supposed to be using. I have no firewall set up and nothing between me and the server.

Here's showing that the daemons are running:

    ps -e | grep mb
    6984 ? 00:00:00 nmbd
    6986 ? 00:00:00 smbd

Here's the results from nmap

    nmap ubuntu

    Starting Nmap 4.53 ( http://insecure.org ) at 2009-06-05 17:34 EDT
    Interesting ports on 192.168.1.100:
    Not shown: 1697 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    53/tcp   open  domain
    80/tcp   open  http
    81/tcp   open  hosts2-ns
    82/tcp   open  xfer
    83/tcp   open  mit-ml-dev
    111/tcp  open  rpcbind
    389/tcp  open  ldap
    443/tcp  open  https
    631/tcp  open  ipp
    901/tcp  open  samba-swat
    3306/tcp open  mysql
    5001/tcp open  commplex-link
    5432/tcp open  postgres
    8009/tcp open  ajp13
    8080/tcp open  http-proxy
    1/tcp    open  snet-sensor-mgmt

    Nmap done: 1 IP address (1 host up) scanned in 0.151 seconds

I have attached the log.smbd, log.nmbd and smb.conf files. Any ideas? I can't logon - just says Connection refused.

On a side note - I can't stop samba by running

    sudo /etc/init.d/samba stop

It kills the nmbd daemon but not the smbd daemon

Thanks!

--
Matt Burkhardt, M.Sci. Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com

    [2009/06/05 17:33:17, 0] nmbd/nmbd.c:main(721)
      Netbios nameserver version 3.0.28a started.
      Copyright Andrew Tridgell and the Samba Team 1992-2008
    [2009/06/05 17:33:17, 3] nmbd/nmbd.c:reload_nmbd_services(298)
      services not loaded
    [2009/06/05 17:33:17, 2] nmbd/nmbd.c:main(745)
      Becoming a daemon.
    [2009/06/05 17:33:17, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
      Registered MSG_REQ_POOL_USAGE
    [2009/06/05 17:33:17, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
      Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
    [2009/06/05 17:33:17, 3] nmbd/nmbd.c:main(783)
      Opening sockets 137
    [2009/06/05 17:33:17, 3] nmbd/nmbd.c:open_sockets(639)
      open_sockets: Broadcast sockets opened.
    [2009/06/05 17:33:17, 2] lib/interface.c:add_interface(81)
      added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
    [2009/06/05 17:33:17, 2] nmbd/nmbd_subnetdb.c:make_subnet(144)
      making subnet name:192.168.1.100 Broadcast address:192.168.1.255 Subnet mask:255.255.255.0
    [2009/06/05 17:33:17, 2] nmbd/nmbd_subnetdb.c:make_subnet(144)
      making subnet name:UNICAST_SUBNET Broadcast address:192.168.1.100 Subnet mask:192.168.1.100
    [2009/06/05 17:33:17, 2] nmbd/nmbd_subnetdb.c:make_subnet(144)
      making subnet name:REMOTE_BROADCAST_SUBNET Broadcast address:0.0.0.0 Subnet mask:0.0.0.0
    [2009/06/05 17:33:17, 2] nmbd/nmbd_subnetdb.c:make_subnet(144)
      making subnet name:WINS_SERVER_SUBNET Broadcast address:0.0.0.0 Subnet mask:0.0.0.0
    [2009/06/05 17:33:17, 2] nmbd/nmbd_lmhosts.c:load_lmhosts_file(41)
      load_lmhosts_file: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
    [2009/06/05 17:33:17, 3] nmbd/nmbd.c:main(802)
      Loaded hosts file /etc/samba/lmhosts
    [2009/06/05 17:33:17, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
      add_name_to_subnet: Added netbios name *00 with first IP 192.168.1.100 ttl=0 nb_flags=60 to subnet WINS_SERVER_SUBNET
    [2009/06/05 17:33:17, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
      add_name_to_subnet: Added netbios name *20 with first IP 192.168.1.100 ttl=0 nb_flags=60 to subnet WINS_SERVER_SUBNET
    [2009/06/05 17:33:17, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
      add_name_to_subnet: Added netbios name __SAMBA__20 with first IP 192.168.1.100 ttl=0 nb_flags=60 to subnet WINS_SERVER_SUBNET
    [2009/06/05 17:33:17, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
      add_name_to_subnet: Added netbios name __SAMBA__00 with first IP 192.168.1.100 ttl=0 nb_flags=60 to subnet WINS_SERVER_SUBNET
    [2009/06/05 17:33:17, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
      add_name_to_subnet: Added netbios name UBUNTU03 with first IP 192.168.1.100 ttl=259053 nb_flags=66 to subnet WINS_SERVER_SUBNET
    [2009/06/05 17:33:17, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
      add_name_to_subnet: Added netbios name UBUNTU20 with first IP 192.168.1.100 ttl=259053 nb_flags=66 to subnet WINS_SERVER_SUBNET
    [2009/06/05 17:33:17, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
      add_name_to_subnet: Added netbios name WORKGROUP1b
Re: [Samba] Printer Question
Johan 'yosh' Marklund wrote:

Hi! Not sure that this is the right list, but has anyone had any experience setting up a Konica Minolta Bizhub printer to use ldap authentication through samba? I know that the bizhub 250 that I have has built-in authentication, but it's really ridiculous when using the official linux drivers (they only support a one number username and a one number password e.g. 1:5 or similar). And since I'm setting up an ldap server it would be nice to handle all the authentication there instead of in the printer :/

/yosh

If you already have samba and ldap working, you should be able to follow Chapter 22[1] and the cupsaddsmb man page, using the PPD from Minolta for your cups queue. I had some weird issues with exporting the queues to samba, but eventually it worked and the clients automatically download the driver from the print server. If the client is on the domain and is allowed to use that print queue, they are in. If the client is not on the domain, the user is asked to authenticate before the print queue pops up.

The cupsaddsmb man page is more current than the section regarding the cups PS driver section in the how-to (it lists different files), so read that before trying to do the export to samba from the cups web interface or running cupsaddsmb directly.

[1] http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/CUPS-printing.html

good luck,
Matt

ps I didn't mean to direct you from one list to another only to try to answer you here. I thought someone here would have had a more relevant answer for you than I have.

--
Matt Richardson
IT Consultant
College of Arts and Letters
CSU San Bernardino
work: (909)537-7598
fax: (909)537-5926
[Samba] Problem with reboot of machine with openLDAP
I'm having a problem with the reboot of a machine. I can get a list of the shares by running

    smbclient -L BGCFC

but if I reboot, I get

    smbclient -L BGCFC
    Error connecting to 192.168.10.100 (Connection refused)
    Connection to BGCFC failed (Error NT_STATUS_CONNECTION_REFUSED)

but if I restart slapd it works correctly again. What could be wrong?

Thanks

--
Matt Burkhardt, M.Sci. Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
Re: [Samba] Problem with reboot of machine with openLDAP
On Fri, 2009-05-29 at 17:09 -0400, Adam Tauno Williams wrote:

On Fri, 2009-05-29 at 16:02 -0400, Matt Burkhardt wrote:

I'm having a problem with the reboot of a machine. I can get a list of the shares by running

    smbclient -L BGCFC

but if I reboot, I get

    smbclient -L BGCFC
    Error connecting to 192.168.10.100 (Connection refused)
    Connection to BGCFC failed (Error NT_STATUS_CONNECTION_REFUSED)

but if I restart slapd it works correctly again. What could be wrong?

Can you perform an ldapsearch after rebooting? If not then your problem is with OpenLDAP or DNS and doesn't have anything to do with Samba. Samba is probably failing merely as a consumer of the failed LDAP service.

Yes, I can do an ldapsearch - it works fine.

--
Matt Burkhardt, M.Sci. Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
Re: [Samba] Client driver installation
Gary L. Greene, Jr. wrote:

I've an OpenSuSE based server installed at work that uses Samba to share out the printers for our users on the AD that will be replacing our aging Windows 2000 print server. I'm in the process of getting the printer drivers installed for Windows clients. At present, I'm installing the drivers for the RICOH Aficio we have. When I run the following command:

printmaster:/var/lib/samba/drivers/W32X86 # rpcclient -U ggreene -c adddriver 'Windows NT x86' 'RICOH:RIC641K.DLL:RIC641K.DLL:RIC641U.DLL:RIC641.HLP:NULL:RAW:RIC641K.DLL,RIC641U.DLL,RIC641.HLP,RIC641P.DLL,RIC641C.DLL,RIC641L.DLL,RIC641X.DLL,RIC641S.DLL,RIC641J.DLL,RIC641Q.EXE,RIC641ZU.DLL,RIC641ZK.DLL,RIC641WU.DLL,RIC641WK.DLL,RIC641PI.DLL,RIC641SR.EXE,RIC641CF.DLL,RIC641X.EXE,TrackID.DLL,TIBase64.dll,TIFmtA.dll,RICJC32.dll,JCUI.exe' 3 printmaster

I get the following output:

result was WERR_UNKNOWN_PRINTER_DRIVER

Posting mostly to put some more info in the mailing list archive on this issue. Some magic happened, so I'm afraid this may not be of much help.

I had a similar issue setting up a couple of HP LaserJet printers last week using cupsaddsmb. The CUPS queue used HPLIP drivers and the CUPS postscript drivers listed in the cupsaddsmb man page were installed in /usr/share/cups/drivers. The system is Debian Lenny with samba 3.2.5-4lenny2 and cups 1.3.8-1lenny5. It is an AD member server with all the winbind goodness working.

OK, hope that wasn't too verbose. The output showed adddriver succeeding and setdriver failed WERR_INVALID_PARAM. Trying to do it manually with rpcclient adddriver succeeded, but setdriver failed with the error WERR_UNKNOWN_PRINTER_DRIVER. From the CUPS web interface, exporting printers to samba returned a success message, but in reality only the adddriver had succeeded, still no setdriver success.

Just because nothing else seemed to be working, I changed permissions to 777 for the /var/lib/samba directories where all the printer stuff was supposed to land. Still no joy.

After leaving it for a few days, I got back to it yesterday, dumped the print queues from CUPS and re-added one. enumprinters showed samba recognized the queues. From the CUPS web interface, export printers to samba reported success. Verifying that with enumprinters and enumdrivers showed that it had indeed succeeded.

Adding the second queue to CUPS, enumprinters would not show the second queue. Go through the usual stop and start of services, enumprinters then sees the second queue. Exporting to samba from CUPS web interface succeeds and enumdrivers verifies this to be true.

From the client, connecting to \\myawesomesmbserver\myawesomeprinter succeeds, no dialogs about the server not having the driver, and I can print a test page. Now there is joy.

So the magic happened somewhere between Friday afternoon when I quit working on it and yesterday when I got back to it and did the same thing I had tried previously. While I do want to know what occurred, I am happy for the moment with knowing that I can now add print queues to samba with drivers. I need to set up quotas, so raw printing isn't going to cut it.

Matt

--
Matt Richardson
IT Consultant
College of Arts and Letters
CSU San Bernardino
work: (909)537-7598
fax: (909)537-5926
Re: [Samba] Having problems with Samba and openLDAP Groups
Thanks for the help! I appreciate you taking the time!

On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote:

[2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616) user 'mlb' (from session setup) not permitted to access this share (Staff)
[2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106) error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I guess your user mib is not in group @Staff. What do you get with commands: smbldap-tools works only with ldap, it doesn't mean system sees those users.

id mib
getent passwd | grep mib
getent group | grep -i staff

id mlb
uid=1000(mlb) gid=1000(mlb) groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain Users),1014(Staff)

getent passwd | grep mlb
mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
mlb:x:1009:544:mlb:/home/mlb:/bin/bash
mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false

getent group | grep -i Staff
staff:x:50:
Staff:x:1012:alex,mlb
Staff:*:1014:mlb,alex

Run testparm - it will show some errors you have in your smb.conf file. Also run testparm command, it will show you some errors in your smb.conf file you have.

testparm
Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [netlogon]
Processing section [profiles]
Processing section [printers]
Processing section [print$]
Processing section [bigdrive]
Processing section [Business]
Processing section [Editors]
Processing section [Members]
Processing section [Staff]
WARNING: The only user option is deprecated
Processing section [tmp]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

--
Matt Burkhardt, M.Sci.
Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
Re: [Samba] Samba Configuration
On Mon, 2009-05-25 at 23:06 +0300, Liutauras Adomaitis wrote:

On Mon, May 25, 2009 at 10:29 PM, Matt Burkhardt m...@imparisystems.com wrote:

Maybe I'm missing this - but I'm having problems setting up some file shares that are limited to certain groups. I've done countless searches on setups and on the tree connect failed error message, and just haven't found anything that solves my problem. I am able to create shares that are basically open to the public, but I know the security is all messed up. I have openLDAP set up, can log onto the Samba server, but when I try to set up the security, I just end up with

smbclient //Ubuntu/Staff
Enter mlb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
tree connect failed: NT_STATUS_ACCESS_DENIED

I think there is a number of possible answers or potential problems. your smb.conf, logs (level 10 it is not necessary probably, but 3 at least - I think) is needed.

Liutauras

Ok - I set log level = 3 in /etc/samba/smb.conf and restarted the Samba server, then tried to logon with smbclient //Ubuntu/Staff and then stopped the server and here are smbd and nmbd only with the time stamp from after the restart

--
Matt Burkhardt, M.Sci.
Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com

[2009/05/27 09:02:16, 0] nmbd/nmbd.c:main(721) Netbios nameserver version 3.0.28a started. Copyright Andrew Tridgell and the Samba Team 1992-2008
[2009/05/27 09:02:16, 3] nmbd/nmbd.c:reload_nmbd_services(298) services not loaded
[2009/05/27 09:02:16, 2] nmbd/nmbd.c:main(745) Becoming a daemon.
[2009/05/27 09:02:16, 2] lib/tallocmsg.c:register_msg_pool_usage(105) Registered MSG_REQ_POOL_USAGE
[2009/05/27 09:02:16, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2009/05/27 09:02:16, 3] nmbd/nmbd.c:main(783) Opening sockets 137
[2009/05/27 09:02:16, 3] nmbd/nmbd.c:open_sockets(639) open_sockets: Broadcast sockets opened.
[2009/05/27 09:02:16, 2] lib/interface.c:add_interface(81) added interface ip=192.168.1.100 bcast=192.168.1.255 nmask=255.255.255.0
[2009/05/27 09:02:16, 2] nmbd/nmbd_subnetdb.c:make_subnet(144) making subnet name:192.168.1.100 Broadcast address:192.168.1.255 Subnet mask:255.255.255.0
[2009/05/27 09:02:16, 2] nmbd/nmbd_subnetdb.c:make_subnet(144) making subnet name:UNICAST_SUBNET Broadcast address:192.168.1.100 Subnet mask:192.168.1.100
[2009/05/27 09:02:16, 2] nmbd/nmbd_subnetdb.c:make_subnet(144) making subnet name:REMOTE_BROADCAST_SUBNET Broadcast address:0.0.0.0 Subnet mask:0.0.0.0
[2009/05/27 09:02:16, 2] nmbd/nmbd_subnetdb.c:make_subnet(144) making subnet name:WINS_SERVER_SUBNET Broadcast address:0.0.0.0 Subnet mask:0.0.0.0
[2009/05/27 09:02:16, 2] nmbd/nmbd_lmhosts.c:load_lmhosts_file(41) load_lmhosts_file: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
[2009/05/27 09:02:16, 3] nmbd/nmbd.c:main(802) Loaded hosts file /etc/samba/lmhosts
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name *00 with first IP 192.168.1.100 ttl=0 nb_flags=60 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name *20 with first IP 192.168.1.100 ttl=0 nb_flags=60 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name __SAMBA__20 with first IP 192.168.1.100 ttl=0 nb_flags=60 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name __SAMBA__00 with first IP 192.168.1.100 ttl=0 nb_flags=60 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name UBUNTU03 with first IP 192.168.1.100 ttl=258536 nb_flags=66 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name WORKGROUP20 with first IP 192.168.1.100 ttl=294187 nb_flags=66 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name UBUNTU20 with first IP 192.168.1.100 ttl=258536 nb_flags=66 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name WORKGROUP1b with first IP 192.168.1.100 ttl=258536 nb_flags=66 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name WORKGROUP1c with first IP 192.168.1.100 ttl=258536 nb_flags=e6 to subnet WINS_SERVER_SUBNET
[2009/05/27 09:02:16, 3] nmbd/nmbd_namelistdb.c:add_name_to_subnet(247) add_name_to_subnet: Added netbios name
[Samba] Having problems with Samba and openLDAP Groups
) : sec_ctx_stack_ndx = 2
[2009/05/27 13:34:52, 3] smbd/uid.c:push_conn_ctx(358) push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:push_sec_ctx(208) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/05/27 13:34:52, 3] smbd/uid.c:push_conn_ctx(358) push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] lib/util_sid.c:string_to_sid(223) string_to_sid: Sid @Staff does not start with 'S-'.
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:push_sec_ctx(208) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/uid.c:push_conn_ctx(358) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 0] smbd/share_access.c:user_ok_token(221) 'only user = yes' and no 'username ='
[2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616) user 'mlb' (from session setup) not permitted to access this share (Staff)
[2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106) error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2009/05/27 13:34:52, 3] smbd/process.c:timeout_processing(1329) timeout_processing: End of file from client (client has disconnected).
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] smbd/connection.c:yield_connection(69) Yielding connection to
[2009/05/27 13:34:52, 3] smbd/server.c:exit_server_common(768) Server exit (normal exit)

So I figure something must be wrong with my group definition, but I haven't found anything. How am I supposed to create groups to use with Samba? Does there need to be an entry in for Unix?

Any help appreciated

Thanks

--
Matt Burkhardt, M.Sci.
Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
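An added example (not part of the original post, and not Samba code): a small triage script for log level 3 output like the above, pairing each share denial with the level 0/1 messages logged in the same second. The sample log is constructed in the same record format, and all function names are illustrative.

```python
import re
from dataclasses import dataclass

# Record header as written by Samba 3.x, e.g.
# "[2009/05/27 13:34:52, 0] smbd/share_access.c:user_ok_token(221)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)"
)
# The level 2 message smbd writes when a tree connect is refused for a user.
DENIED = re.compile(
    r"user '(?P<user>[^']+)' \(from session setup\) "
    r"not permitted to access this share \((?P<share>[^)]+)\)"
)


@dataclass
class Record:
    ts: str
    level: int
    func: str
    msg: str


def parse_records(text):
    """Split raw log text into records. Works whether the message sits on the
    line after its header (Samba's native layout) or on the same line."""
    headers = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        msg = " ".join(text[head.end():end].split())
        records.append(Record(head["ts"], int(head["level"]), head["func"], msg))
    return records


def explain_denials(records, lookback=10):
    """For every share denial, collect the level 0/1 messages logged in the
    same second within the preceding `lookback` records."""
    findings = []
    for i, rec in enumerate(records):
        hit = DENIED.search(rec.msg)
        if not hit:
            continue
        causes = [r.msg for r in records[max(0, i - lookback):i]
                  if r.level <= 1 and r.ts == rec.ts]
        findings.append({"time": rec.ts, "user": hit["user"],
                         "share": hit["share"], "causes": causes})
    return findings


# Constructed sample in the record format shown above (both layouts on purpose).
SAMPLE = """\
[2009/05/27 13:34:51, 0] smbd/server.c:main(944)
  smbd version 3.0.28a started.
[2009/05/27 13:34:52, 3] lib/util_sid.c:string_to_sid(223)
  string_to_sid: Sid @Staff does not start with 'S-'.
[2009/05/27 13:34:52, 0] smbd/share_access.c:user_ok_token(221) 'only user = yes' and no 'username ='
[2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616)
  user 'mlb' (from session setup) not permitted to access this share (Staff)
[2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for f in explain_denials(parse_records(SAMPLE)):
        reason = "; ".join(f["causes"]) or "no level 0/1 message nearby"
        print(f"{f['time']} user {f['user']} denied on [{f['share']}]: {reason}")
```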
[Samba] Samba Configuration
Maybe I'm missing this - but I'm having problems setting up some file shares that are limited to certain groups. I've done countless searches on setups and on the tree connect failed error message, and just haven't found anything that solves my problem. I am able to create shares that are basically open to the public, but I know the security is all messed up. I have openLDAP set up, can log onto the Samba server, but when I try to set up the security, I just end up with

smbclient //Ubuntu/Staff
Enter mlb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
tree connect failed: NT_STATUS_ACCESS_DENIED

So I started working through the Samba checklist at http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html

Is there some place that walks through a file share setup? I want to create a share called Staff that's only accessible by members of that group. I need to know how to set that up across Linux (Ubuntu 8.04), openLDAP and Samba and also how to do the setup for Windows clients. I would also like an easy method to turn this over to the folks - it's volunteer work for our local Boys and Girls Club.

Thanks again!

smbclient //Ubuntu/tmp
Enter mlb's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
smb: \

--
Matt Burkhardt, M.Sci.
Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
[Samba] Unable to browse Samba share by hostname from certain clients...
Dear Help,

I am having a very odd problem. For some reason, I am able to browse to my Samba share by IP address but not by host name from Windows 2008 servers in a particular domain (the same domain the Samba server belongs to). However, I am able to browse by host name from XP clients as well as Windows 2008 servers in a different domain. Even stranger, if I add an alias (using the netbios aliases configuration option) on that same samba server, I can browse by name using the alias. I have spent countless hours searching on Google, etc., but just can't seem to figure out what's going on.

Here is the global config on the Samba server:

[global]
workgroup = DOMAIN
netbios name = HOST1
server string = HOST1
netbios aliases = HOST2
map to guest = Bad User
obey pam restrictions = Yes
password level = 5
username level = 5
log level = 2
log file = /usr/local/samba/var/samba.log
logon path =
logon home =
preferred master = No
domain master = No
ldap ssl = no
idmap backend = tdb
idmap uid = 1-2
idmap gid = 1-2
template homedir = /homes/%U
print command = qprt -dp -r -#v -#j -P %p -T '%J' %f
veto files = /.?*/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
msdfs root = Yes

I also took logs from browsing to the Samba server by hostname, and then by alias name, and found a couple things. When browsing by hostname, I end up getting the error:

Failed to parse NTLMSSP packet, could not extract NTLMSSP command

And then, during the set up before that, I noticed the following:

Got secblob of size 1469

However, when I was browsing by Alias name, the log reported the following:

Got secblob of size 40

So, I'm not entirely sure what's going on. If anyone has any advice, tips, or anything, I'd be glad to hear them!

Thanks!
Matt

Log from browsing by host name:

[2009/04/16 08:03:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535) Doing spnego session setup
[2009/04/16 08:03:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566) NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2009/04/16 08:03:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(444) Got OID 1 2 840 48018 1 2 2
[2009/04/16 08:03:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(444) Got OID 1 2 840 113554 1 2 2
[2009/04/16 08:03:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(444) Got OID 1 3 6 1 4 1 311 2 2 10
[2009/04/16 08:03:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(447) Got secblob of size 1469
[2009/04/16 08:03:01, 5] auth/auth.c:make_auth_context_subsystem(480) Making default auth method list for standalone security=user, encrypt passwords = yes
[2009/04/16 08:03:01, 5] auth/auth.c:load_auth_module(384) load_auth_module: Attempting to find an auth method to match guest
[2009/04/16 08:03:01, 5] auth/auth.c:load_auth_module(409) load_auth_module: auth method guest has a valid init
[2009/04/16 08:03:01, 5] auth/auth.c:load_auth_module(384) load_auth_module: Attempting to find an auth method to match sam
[2009/04/16 08:03:01, 5] auth/auth.c:load_auth_module(409) load_auth_module: auth method sam has a valid init
[2009/04/16 08:03:01, 1] libsmb/ntlmssp.c:ntlmssp_update(245) Failed to parse NTLMSSP packet, could not extract NTLMSSP command
[2009/04/16 08:03:01, 2] lib/util.c:dump_data(1995)
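An added example, not from the original post: classifying a session-setup security blob by its leading bytes, which shows why an NTLMSSP parser cannot extract a command from a GSS-API token that carries a Kerberos mechanism OID. The two blobs are constructed (zero-filled) to match the reported sizes 1469 and 40, and all function names are hypothetical.

```python
import struct

# Mechanism OIDs as they appear in the "Got OID ..." log lines.
MECH_OIDS = {
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.5.5.2": "SPNEGO",
}
# Two-byte token IDs that follow the OID in a Kerberos GSS-API token.
KRB5_TOKEN_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}


def oid_name(logged):
    """Samba logs OIDs space-separated, e.g. '1 2 840 113554 1 2 2'."""
    return MECH_OIDS.get(".".join(logged.split()), "unrecognised")


def read_der_length(buf, pos):
    """Return (length, offset of first content byte) for a DER length field."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(der):
    """Decode OID content bytes (first arc 0..2, single-byte first octet)."""
    first = der[0]
    arcs = [min(first // 40, 2)]
    arcs.append(first - 40 * arcs[0])
    value = 0
    for byte in der[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify_secblob(blob):
    # Raw NTLMSSP: 8-byte signature, then a little-endian message type.
    if blob.startswith(b"NTLMSSP\x00") and len(blob) >= 12:
        return {"kind": "ntlmssp", "message_type": struct.unpack_from("<I", blob, 8)[0]}
    try:
        if blob[0] != 0x60:               # [APPLICATION 0]: GSS-API initial token
            return {"kind": "unknown"}
        body_len, body_start = read_der_length(blob, 1)
        if blob[body_start] != 0x06:      # OBJECT IDENTIFIER naming the mechanism
            return {"kind": "unknown"}
        oid_len, oid_start = read_der_length(blob, body_start + 1)
        oid = decode_oid(blob[oid_start:oid_start + oid_len])
    except (IndexError, ValueError):
        return {"kind": "unknown"}
    result = {"kind": "gssapi", "oid": oid,
              "mech": MECH_OIDS.get(oid, "unrecognised"),
              "declared_size": body_start + body_len}
    if result["mech"].startswith("Kerberos"):
        token_id = bytes(blob[oid_start + oid_len:oid_start + oid_len + 2])
        result["token"] = KRB5_TOKEN_IDS.get(token_id, "unknown")
    return result


# Constructed blobs: only the headers are meaningful, the rest is zero padding.
_KRB5_HEADER = bytes.fromhex("06092a864886f712010202") + b"\x01\x00"
KERBEROS_BLOB = b"\x60\x82\x05\xb9" + _KRB5_HEADER + bytes(1465 - len(_KRB5_HEADER))
NTLMSSP_BLOB = b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(28)

if __name__ == "__main__":
    for name, blob in (("1469-byte blob", KERBEROS_BLOB), ("40-byte blob", NTLMSSP_BLOB)):
        print(name, classify_secblob(blob))
```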
[Samba] Re: Problem with smbpasswd on Mac OS X
On Mon, Nov 10, 2008 at 7:55 PM, Baniz Daymov [EMAIL PROTECTED] wrote: If there's any more info that would be useful, please let me know. D'oh, like the samba version number eh? It's Samba version 3.0.10. Sorry! -- Matt -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] high cpu load
Jeremy,

Thanks for your help...

We use a default user profile stored in the netlogon share. NTUSER.DAT does redirect the following folders:

Registry = [Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Value AppData of type REG_EXPAND_SZ, data length 74 [0x4a]
  H:\.windows_settings\Application Data
Value Desktop of type REG_EXPAND_SZ, data length 56 [0x38]
  H:\.windows_settings\Desktop
Value Personal of type REG_EXPAND_SZ, data length 30 [0x1e]
  H:\My Documents
Value Programs of type REG_EXPAND_SZ, data length 80 [0x50]
  H:\.windows_settings\Start Menu\Programs
Value Recent of type REG_EXPAND_SZ, data length 54 [0x36]
  H:\.windows_settings\Recent
Value Start Menu of type REG_EXPAND_SZ, data length 62 [0x3e]
  H:\.windows_settings\Start Menu
Value Startup of type REG_EXPAND_SZ, data length 96 [0x60]
  H:\.windows_settings\Start Menu\Programs\Startup
Value My Pictures of type REG_EXPAND_SZ, data length 54 [0x36]
  H:\My Documents\My Pictures

We also add a REG_DWORD value named DeleteRoamingCache to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DeleteRoamingCache

we also change the grouppolicy to exclude these directories in the roaming profile:

Local Settings;Temporary Internet Files;History;Temp;My Documents;Desktop;Recent;Start Menu;Application Data

Shouldn't the combination of these things prevent excess network traffic related to loading a roaming profile? We are using a default profile that was prepared on Win2k but all our machines are fully patched XPpro. Should we freshen up the Default User items in the netlogon folder?

Thanks,
Matt Finlayson
School of Engineering and Computer Science
WSU Vancouver
360-546-9226

-----Original Message-----
From: Jeremy Allison [EMAIL PROTECTED]
Reply-To: Jeremy Allison [EMAIL PROTECTED]
To: Cochran, Wayne Owen [EMAIL PROTECTED]
Cc: samba@lists.samba.org, Jeremy Allison [EMAIL PROTECTED]
Subject: Re: [Samba] high cpu load
Date: Thu, 23 Oct 2008 16:36:55 -0700

On Thu, Oct 23, 2008 at 04:22:52PM -0700, Cochran, Wayne Owen wrote:

By client I assume you mean the user is explicitly asking for all this data to be transferred. This is very unlikely since this is happening frequently throughout the day -- sometimes 5 or 6 clients simultaneously -- so it must be something that's happening automatically.

No I don't mean the user is requesting this, I mean the client redirector on the Windows box.

Of course none of this explains why the RTF file is being stat'ed thousands of times!

Turn up the debug level on an affected smbd using smbcontrol pid debug 10 and then see if the client is actually requesting this data transfer. smbd doesn't stat files unless it's a client request so this may be a client issue, not a server one.

Jeremy.
Re: [Samba] ldapsam:editposix
Sent this direct to the poster again, and not to the list. Here it is for the list.

On 12/10/2008, at 3:53 AM, Norberto Bensa wrote:

Hello list, I'm trying to setup Samba to use:

ldapsam:editposix = yes

but I'm having problems to add users via smbpasswd -a. It seems smbpasswd tries to modify an existing entry (and failing of course) instead of adding a new entry. Is that a bug, a configuration problem, or intended behavior? Do I need to create a posixaccount entry prior to use smbpasswd -a?

Yes, you do. Or, at least, that's the way I've always had to do it. I have a small script with an LDAP template that makes the minimal entries in the ldap for a posixAccount and shadowAccount for the user, then create the samba account.

--
Matt Skerritt
[EMAIL PROTECTED]
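The kind of template script described in the reply, as an added example (not the poster's script): it emits a minimal posixAccount/shadowAccount entry as LDIF, validating the username and base64-encoding unsafe values so that a display name cannot inject extra attribute lines. The base DN, the ID numbers, the `account` structural class and the uidNumber floor of 1000 are assumptions.

```python
import base64
import re

# Assumed naming policy: POSIX-style login, optional trailing "$" for machine accounts.
USERNAME = re.compile(r"[a-z_][a-z0-9_.-]{0,30}\$?")
MIN_UID_NUMBER = 1000  # assumption: keep directory accounts clear of system IDs


def ldif_line(attr, value):
    """One LDIF attribute line. Values that are not RFC 2849 SAFE-STRINGs
    (newlines, non-ASCII, leading space/colon/'<', trailing space) are
    base64-encoded instead of being written verbatim."""
    raw = str(value).encode("utf-8")
    safe = (
        len(raw) > 0
        and raw[0] not in b" :<"
        and not raw.endswith(b" ")
        and all(b < 128 and b not in (0, 10, 13) for b in raw)
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def build_account_ldif(uid, uid_number, gid_number, people_dn,
                       cn=None, home=None, shell="/bin/bash"):
    """Return LDIF for the POSIX side of an account, to be loaded before the
    Samba attributes are added to the same entry."""
    if not USERNAME.fullmatch(uid):
        raise ValueError(f"refusing username {uid!r}")
    if not isinstance(uid_number, int) or uid_number < MIN_UID_NUMBER:
        raise ValueError(f"uidNumber must be an integer >= {MIN_UID_NUMBER}")
    if not isinstance(gid_number, int) or gid_number <= 0:
        raise ValueError("gidNumber must be a positive integer")
    home = home or f"/home/{uid}"
    if not home.startswith("/") or ".." in home.split("/"):
        raise ValueError(f"refusing home directory {home!r}")
    attrs = [
        ("dn", f"uid={uid},{people_dn}"),
        ("objectClass", "account"),        # structural class (needs uid)
        ("objectClass", "posixAccount"),   # needs cn, uid, uidNumber, gidNumber, homeDirectory
        ("objectClass", "shadowAccount"),  # needs uid
        ("uid", uid),
        ("cn", cn or uid),
        ("uidNumber", uid_number),
        ("gidNumber", gid_number),
        ("homeDirectory", home),
        ("loginShell", shell),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


if __name__ == "__main__":
    # Constructed sample values; load the output with ldapadd, then run smbpasswd -a.
    print(build_account_ldif("jdoe", 1015, 513, "ou=People,dc=example,dc=com",
                             cn="John Doe"), end="")
```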
[Samba] Samba+AD: Drives will not map on login
I've just set up a Linux server running Samba (3.0.25b) to authenticate through our office's Active Directory server (Server 2003). It seems to work well, and I have no problem manually connecting to shares on the Linux box. However, our users all execute a login VB Script on the Windows PCs (XP Pro, SP3), and that script attempts to map a network drive to a Samba share. The drive mapping from the login script invariably fails, and the samba logs report NT_STATUS_WRONG_PASSWORD.

Anyone have any ideas why this might be?

Thanks.

Matt

--
Do not go where the path may lead; go instead where there is no path and leave a trail. -- Ralph Waldo Emerson
[Samba] Server Migration Problem
Gidday

I am in the process of finishing a server migration (to a new server), and am having problems with samba on the new server. The old server was running samba 3.0.22-r3 on a Gentoo machine, and the new server is running Samba 3.0.25a on a Solaris 10 machine.

I have copied the files across OK, I have copied the samba configuration OK, samba runs fine, connects to the ldap backend fine, seems to check passwords fine, and even lets me connect to the file shares just fine.

The problem is that the clients don't recognise the new server as their domain controller. Attempts to log in with a username that is not already cached on the client returns a The domain DOMAIN is not available error. If I remove the computer from the domain, and then try reconnect it, it brings up the error saying A domain controller for domain DOMAIN could not be contacted, and an advanced info button seems to indicate that I should check that my domain is registered properly in WINS.

Doing a smbclient -L //NEWSERVERNAME/ gives me:

Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.25a]

Sharename       Type      Comment
---------       ----      -------
temp            Disk
test            Disk
c               Disk
blah            Disk
stuff           Disk
IPC$            IPC       IPC Service (Allstaff Fileserver)
someuser        Disk      Home Directories

Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.25a]

Server               Comment
---------            -------
BROTHER-COLOUR
BROTHER1
BROTHER2
OLDSERVERNAME        Fileserver
NEWSERVERNAME        New Fileserver

Workgroup            Master
---------            -------
DOMAIN               OLDSERVERNAME

(I've changed the names here to protect the innocent, but I think I've kept it unambiguous).

If I log onto the clients, (using a username whose password is cached by the client) I notice that the environment variable LOGONSERVER is still set to the name of the old server. That may just be part of the caching, however - I'm not sure.

Any ideas on what I should do? Do I need to change the sambaSID entry in the sambaDomainName=DOMAIN,LDAPBASE entry of my ldap server?

Included here is a copy of my smb.conf, if that helps.

[global]
workgroup = DOMAIN
realm = DOMAIN
server string = Fileserver
map to guest = Bad User
# smb passwd file = /etc/samba/private/smbpasswd
passdb backend = ldapsam:ldap://ldap.dns.domain/
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = logon.cmd
logon path = \\%N\profiles\%U
logon drive = H:
logon home = \\fileserver\%U
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=IT_Administrator,LDAP SUFFIX
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Users
ldap suffix = LDAP SUFFIX
#ldap ssl = start tls
ldap user suffix = ou=People,ou=Users
template homedir = /dev/null
nt acl support = Yes
ea support = Yes
map acl inherit = Yes
print command = /usr/bin/lp -d '%p' %s; rm %s
lpq command = /usr/bin/lpstat -o '%p'
lprm command = /usr/bin/cancel '%p-%j'
lppause command = lp -i '%p-%j' -H hold
lpresume command = lp -i '%p-%j' -H resume
queuepause command = /usr/bin/disable '%p'
queueresume command = /usr/bin/enable '%p'
hide files = /thumbs.db/Thumbs.db/

Thanks in advance.

--
Matt Skerritt
[EMAIL PROTECTED]
Re: [Samba] Server Migration Problem
Oops - I accidentally sent this reply direct to Helmut, instead of to the list. Here it is for the list. My most humble apologies to you Helmut - I neglected to check which address the reply was going to.

On 02/10/2008, at 7:02 PM, Helmut Hullen wrote:

Hallo, Matt,

Gidday, and thank you for your reply.

Have you transferred the localsid from the old to the new server?

I just tried this then, and it didn't seem to make a difference. The old server has two SID's ... Here's the output

[EMAIL PROTECTED] ~ $ sudo net getlocalsid
SID for domain CORWIN2 is: S-1-5-21-2514297305-1808913229-953362460
[EMAIL PROTECTED] ~ $ sudo net getlocalsid ALLSTAFF
SID for domain ALLSTAFF is: S-1-5-21-3463326904-3566436207-4149259612

(I'm not going to bother hiding the domain and computer names anymore). ALLSTAFF is the name of the samba domain. CORWIN2 is the name of the old server. The name of the new server is INFRASTRUCTURE. The localsid on INFRASTRUCTURE used to be S-1-5-21-1308997507-3478987709-343013683

I tried using net setlocalsid to change the SID on the new server, and tried both of the SID's above from CORWIN2, but the clients still did not see the domain controller in either case.

I have the following entries in my ldap database for the domains (from a ldapsearch sambaDomainName=* ):

# INFRASTRUCTURE, Allstaff Recruitment, Hamilton, NSW, AU
dn: sambaDomainName=INFRASTRUCTURE,o=Allstaff Recruitment,l=Hamilton,st=NSW,c=AU
sambaDomainName: INFRASTRUCTURE
sambaSID: S-1-5-21-1308997507-3478987709-343013683
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

# ALLSTAFF, Allstaff Recruitment, Hamilton, NSW, AU
dn: sambaDomainName=ALLSTAFF,o=Allstaff Recruitment,l=Hamilton,st=NSW,c=AU
sambaDomainName: ALLSTAFF
sambaSID: S-1-5-21-3463326904-3566436207-4149259612
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

Should I try and set the sambaSID entry for the ALLSTAFF domain to be the SID for INFRASTRUCTURE?

Sometimes that helps:
change domain logon to workgroup; new start
change workgroup to domain logon; new start
Sometimes you may need to change the computername too. But that leads to problems with the profile ... The background may be some information about the old server is stored somewhere in the client's registry.

Yes, I've been trying this, and it's not working :(. ... I'm just about at the stage where I'm going to set the NETBIOS name of the new server to be the same as the old server ;)

--
Matt Skerritt
[EMAIL PROTECTED]
Re: [Samba] Server Migration Problem
Problem solved!

Apparently the SID for the domain doesn't matter when there's an LDAP server, as samba reads the sid from the LDAP entry for the domain (it does a search for sambaDomainName=DOMAIN).

My problem was rather pathetically simple. Turns out that solaris separates out the nmbd and smbd process. I had turned on samba (smbd) but not wins (nmbd). I've enabled wins, and everything's fine now - except that I feel dreadfully embarrassed ;)

On 02/10/2008, at 6:26 PM, Matt Skerritt wrote:

Gidday

I am in the process of finishing a server migration (to a new server), and am having problems with samba on the new server. The old server was running samba 3.0.22-r3 on a Gentoo machine, and the new server is running Samba 3.0.25a on a Solaris 10 machine.

I have copied the files across OK, I have copied the samba configuration OK, samba runs fine, connects to the ldap backend fine, seems to check passwords fine, and even lets me connect to the file shares just fine.

snip

--
Matt Skerritt
[EMAIL PROTECTED]
Re: [Samba] Re: Public share with samba/ Winbind
Hi, my samba server works fine for all users in my domain (security = ads) but I have to create a public share which is RWX for all users (who are not logged into the domain)... Guest ok = yes and browseable = yes too but if the user is not recorded on the DC, I am ejected ... Thanks for your help

I just set that up yesterday. In the global section, try adding

    map to guest = Bad Password

take care,

--
Matt Richardson
IT Consultant
College of Arts and Letters
CSU San Bernardino
work: (909)537-7598
fax: (909)537-5926
[Samba] Error loading module ad.so on AIX
Dear Help,

I'm working on building samba from source (version 3.0.29) on AIX v6.1. I used the following configure statement:

    ./configure --with-shared-modules=idmap_ad --with-krb5=/etc/krb5 CC=xlc CPPFLAGS=-I/opt/pware/include LDFLAGS=-L/opt/pware/lib

I then edited the Makefile so that the following libraries were included:

    LIBS=-liconv -ldl -lcom_err -lnsl

And then to fix an AIX specific error I updated a line in /usr/include/sys/stropts.h to read:

    #define mod_filename ...

instead of:

    #define mod_name

I was able to successfully compile and link everything and start samba up. However, I'm unable to get user info from winbind (using wbinfo -i) or convert SIDs to uids, uids to SIDs, SIDs to usernames or usernames to SIDs. However, wbinfo -u and wbinfo -g work just fine.

When I looked at log.winbindd-idmap, I found the following error:

    Error loading module '/usr/local/samba/lib/idmap/ad.so': rtld: 0712-001 Symbol _talloc_zero_zeronull was referenced from the module /usr/local/samba/lib/idmap/ad.so(), but a runtime definition of the symbol was not found.

So, I'm wondering if I'm just missing a library in the LIBS line in Makefile, or if it's something on the AIX side that needs to be updated for this for winbind to work properly with Active Directory.

Any help would be greatly appreciated. smb.conf is below...

Thanks!
-Matt

SMB.CONF ==
# Global parameters
[global]
    workgroup = TEST
    realm = TEST.LOCAL
    security = ADS
    encrypt passwords = yes
    password server = IP.OF.AD.SERVER
    log level = 3
    log file = /usr/local/samba/var/%m.log
    max log size = 50
    idmap domains = TEST
    idmap config TEST:backend = ad
    idmap config TEST:default = yes
    idmap config TEST:schema_mode = rfc2307
    # idmap config DOMAIN:range = 10-4000
    winbind separator = +
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = rfc2307
    passdb backend = tdbsam

[anyone]
    path = /home/anyone
    guest ok = yes
    browseable = yes

[testing]
    path = /home/testing
    guest ok = no
    valid users = @TEST+testgrp2 TEST+test05
    write list = @TEST+testgrp2
[Samba] AD on 2003R2 NT_STATUS_NO_SUCH_USER
Dear Help, We are in the process of setting up a new domain using Active Directory on Windows Server 2003R2. One of our goals was to use Active Directory for authentication on our AIX box (running version 6.1). I was able to successfully set up Kerberos, and the LDAP client to connect to our AD server so that you can now log in to the AIX box with users found in Active Directory. However, no matter what I try, I am unable to get Samba (also running on the same AIX box) to authenticate against the same AD server. Oh, and I'm running Samba 3.0.28 (from the AIX binaries available on the Samba website). When I try and connect from a test machine (running Windows XP SP2) I get the following in the logs (machine: Novel-Idea, username: test01, domain: TEST): check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface [2008/08/08 09:55:29, 3] auth/auth.c:check_ntlm_password(224) check_ntlm_password: mapped user is: [EMAIL PROTECTED] [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:push_sec_ctx(208) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2008/08/08 09:55:29, 3] smbd/uid.c:push_conn_ctx(358) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:pop_sec_ctx(356) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2008/08/08 09:55:29, 2] auth/auth.c:check_ntlm_password(319) check_ntlm_password: Authentication for user [test01] - [test01] FAILED with error NT_STATUS_NO_SUCH_USER [2008/08/08 09:55:29, 3] smbd/error.c:error_packet_set(106) error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE However, I can get successful results using wbinfo: From wbinfo -u: administrator guest support_388945a0 krbtgt test02 host_aixplay1 test01 testcopy From wbinfo -g: BUILTIN+administrators BUILTIN+users domain computers domain controllers schema admins enterprise admins domain admins domain users 
domain guests group policy creator owners dnsupdateproxy testgrp1 testgrp2 testgrp3 staff From wbinfo -a test01%password: plaintext password authentication succeeded challenge/response password authentication succeeded From wbinfo -K test01%password plaintext kerberos password authentication for [test01%password] succeeded (requ esting cctype: FILE) credentials were put in: FILE:/tmp/krb5cc_0 So, it makes me think that I'm missing something obvious in my smb.conf, but after searching around, I haven't found much. Any help would be greatly appreciated. See my configs below: SMB.CONF # Global parameters [global] workgroup = TEST realm = TEST.LOCAL security = ADS encrypt passwords = yes password server = IP.OF.AD.SERVER log level = 3 log file = /opt/pware/samba/3.0.28/var/log.%m max log size = 50 # idmap backend = ad # idmap uid = 10-4000 # idmap gid = 10-4000 idmap domains = TEST idmap config TEST:backend = ad idmap config TEST:default = yes idmap config TEST:schema_mode = rfc2307 idmap config DOMAIN:range = 10-4000 # auth methods = winbind # use kerberos keytab = yes # ldap ssl = no winbind separator = + winbind use default domain = Yes winbind nested groups = Yes winbind enum users = yes winbind enum groups = yes # winbind nss info = rfc2307 [anyone] path = /home/anyone guest ok = yes browseable = yes [testing] path = /home/testing guest ok = no valid users = test01 admin users = test01 write list = test01 KRB5.CONF [libdefaults] default_realm = TEST.LOCAL default_keytab_name = FILE:/etc/krb5/krb5.keytab default_tkt_enctypes = des-cbc-md5 des-cbc-crc default_tgs_enctypes = des-cbc-md5 des-cbc-crc [realms] TEST.LOCAL = { kdc = adtest.test.local:88 admin_server = adtest.test.local:749 default_domain = test.local } [domain_realm] .test.local = TEST.LOCAL adtest.test.local = TEST.LOCAL [logging] kdc = FILE:/var/krb5/log/krb5kdc.log admin_server = FILE:/var/krb5/log/kadmin.log default = FILE:/var/krb5/log/krb5lib.log -- To unsubscribe from this list go to the following 
URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: AD on 2003R2 NT_STATUS_NO_SUCH_USER
Jason Gerfen jason.gerfen at scl.utah.edu writes: Have you tried to look at the user account information using ldapsearch? Just to ensure the POSIX account data is present in AD. If you are attempting to authenticate as a domain user try the username as DOMAIN\Username. Hi Jason, Thanks for the quick reply. I haven't tried using ldapsearch, but I have used the lsldap command to list the attributes for test01 (which includes the R2 rfc2307 schema): aixplay1-root /opt/pware/bin lsldap -a passwd test01 dn: CN=test01,OU=MIS,OU=Temecula-CA,OU=People,DC=test,DC=local objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: test01 givenName: test01 distinguishedName: CN=test01,OU=MIS,OU=Temecula-CA,OU=People,DC=test,DC=local instanceType: 4 whenCreated: 20080807000211.0Z whenChanged: 20080808170937.0Z displayName: test01 uSNCreated: 20660 uSNChanged: 32974 name: test01 objectGUID: |*[_B Ud'' VQ userAccountControl: 512 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 128626909010102324 lastLogoff: 0 lastLogon: 128629403833937446 pwdLastSet: 128626889779722918 primaryGroupID: 513 objectSid: accountExpires: 9223372036854775807 logonCount: 28 sAMAccountName: test01 sAMAccountType: 805306368 userPrincipalName: [EMAIL PROTECTED] objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local dSCorePropagationData: 20080807001936.0Z dSCorePropagationData: 20080807001936.0Z dSCorePropagationData: 20080807001936.0Z dSCorePropagationData: 20080807001150.0Z dSCorePropagationData: 16010108151056.0Z uid: test01 msSFU30Name: test01 msSFU30NisDomain: test uidNumber: 50002 gidNumber: 1 unixHomeDirectory: /home/test01 loginShell: /usr/bin/ksh And then regarding using the domain in the username (such as DOMAIN\user) -- I have tried that on the Windows side, and that's what's failing. 
However, if you're referring to the wbinfo tests, it's failing with the same NT_STATUS_NO_SUCH_USER error:

    aixplay1-root /opt/pware/bin wbinfo -a TEST\test01%password
    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc064)
    error messsage was: No such user
    Could not authenticate user TESTtest01%password with plaintext password
    challenge/response password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc064)
    error messsage was: No such user
    Could not authenticate user TESTtest01 with challenge/response

I'm not sure why it's removing the '\' in the error message between the domain and the username, but I also tried it with two backslashes, and a forward slash, and they all failed.

What am I missing here?

Thanks again for your help,
Matt
[Samba] Re: AD on 2003R2 NT_STATUS_NO_SUCH_USER
Matt Anderson sokkerstud_11 at hotmail.com writes:

I think I may have solved why users were not being found. When I tried doing wbinfo -i test01, I got an error stating that information for user could not be found. After digging a little bit through the log files, I discovered that the SID for the Windows Primary Group was being returned, instead of gidNumber for the user's primary group. So, I updated the Windows Primary Group in Active Directory to match the one specified by gidNumber -- and at that point, I was able to run wbinfo -i test01 and get the following result:

    test01:*:50002:1:test01:/home/TEST/test01:/bin/false

The username, uid, and gecos are correct, however the home directory and shell are incorrect. If you look back at the previous post, the attributes in Active Directory are as follows:

    uid: test01
    msSFU30Name: test01
    msSFU30NisDomain: test
    uidNumber: 50002
    gidNumber: 1
    unixHomeDirectory: /home/test01
    loginShell: /usr/bin/ksh

So, my question is, what do I have to do to get Samba to retrieve the correct attributes? Or, is it even necessary? (Again, I'm using Windows Server 2003 R2)

Which leads me to my next question -- after making the change to the primary group, I was able to authenticate successfully against the testing share as user TEST+test01 from my Windows XP box... however, with an examination of the file system, I determined that any files I created in this samba session end up having root permissions assigned to them (instead of test01). For example:

    -rwxr--r--1 root staff 0 Aug 11 13:28 deleteme.txt
    -rwxr--r--1 root staff 0 Aug 11 13:28 test1234.txt

The group staff is correct, since that is gidNumber 1, however, the owner should be test01 instead of root. What am I doing wrong?

Thanks again for your help!
-Matt
[Samba] Re: AD on 2003R2 NT_STATUS_NO_SUCH_USER
Which leads me to my next question -- after making the change to the primary group, I was able to authenticate successfully against the testing share as user TEST+test01 from my Windows XP box... however, with an examination of the file system, I determined that any files I created in this samba session end up having root permissions assigned to them (instead of test01). For example:

    -rwxr--r--1 root staff 0 Aug 11 13:28 deleteme.txt
    -rwxr--r--1 root staff 0 Aug 11 13:28 test1234.txt

The group staff is correct, since that is gidNumber 1, however, the owner should be test01 instead of root. What am I doing wrong?

I solved the issue regarding writing as root -- I didn't realize that I had the admin users property set on that share (or what it did exactly).

However, I'm still curious about the LDAP attributes, so if anyone has any insight, I'd really appreciate it.

Thanks!
-Matt
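The root-owned files discussed above come from the share's admin users setting, which makes every listed user perform all file operations on that share as root. This added example (not from the thread, and not Samba code) parses smb.conf text and lists who gets that on which share; the sample config is constructed from the [testing] share posted earlier in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the smb.conf posted earlier in this thread.
# The group entry and the line continuation are added to exercise the parser.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    workgroup = TEST
    security = ADS
    winbind separator = +

[anyone]
    path = /home/anyone
    guest ok = yes

[testing]
    path = /home/testing
    guest ok = no
    valid users = test01
    Admin Users = test01, \\
        @TEST+testgrp2
    write list = test01
"""


def _norm(name):
    """smb.conf parameter names ignore case and all whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for smb.conf-style text."""
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[_norm(key)] = value.strip()
    return sections


def split_names(value):
    """Split a Samba name list on commas and whitespace."""
    return [n for n in re.split(r"[,\s]+", value) if n]


def audit_admin_users(text):
    """List (share, principal, kind) for every name that acts as root on a share."""
    sections = parse_smb_conf(text)
    # A share parameter placed in [global] becomes the default for all shares.
    inherited = sections.get("global", {}).get("adminusers", "")
    findings = []
    for share, params in sections.items():
        if share == "global":
            continue
        for name in split_names(params.get("adminusers", inherited)):
            kind = "group" if name[0] in "@+&" else "user"
            findings.append((share, name, kind))
    return findings


if __name__ == "__main__":
    for share, name, kind in audit_admin_users(SAMPLE_SMB_CONF):
        print("[%s] %s %s does all file operations as root" % (share, kind, name))
```

Any share reported here should be checked against who really needs root-equivalent access; ordinary write access belongs in write list instead.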
RE: [Samba] Unable to join Samba
On 5/15/08 Augustin wrote:

When I execute net ads join -U Administrator I get the following error

    /libexec/ld-elf.so.1: /usr/lib/libkrb5.so.8: Undefined symbol init_error_table

It sounds like you're missing some libraries. Did you compile krb5 yourself or is it an rpm? If you compiled it yourself, you'll need to modify the configure or makefile scripts to point to the correct libraries. Also make sure you have the necessary devel libraries before you compile. As another check, run ldd on winbind and make sure you have all the library files listed.

Matt
[Samba] Server 2003 Domain Controller Search w/ Workgroup Setup
Hi,

I hope someone might understand the problem I am seeing. I will simplify the setup that I have which reproduces the problem:

1) Computer 1 is running Server 2003 with 2 NICS. One is a WAN link with IP address 192.168.1.12. It has a private link with IP 10.0.0.12.
2) Computer 2 is running Centos OS 5.1 with 2 NICS. WAN is at 192.168.1.11, private is at 10.0.0.11.
3) The WAN links are connected via a switch/router while the private links are connected via a null ethernet cable.
4) CentOS 5.1 is running a very basic guest access Samba share. Here is smb.conf:

[global]
    workgroup = WORKGROUP
    netbios name = repl1
    interfaces = eth1 10.0.0.11
    guest account = hacluster
    security = share
    local master = no
    preferred master = no
    wins support = no
    wins proxy = no
    dns proxy = no

[Content]
    path = /mnt/content
    writeable = yes
    guest ok = yes

Here is the problem: I am seeing a roughly 3-5 second delay on initial connection to the Samba share. If I repeat quickly there is no delay. I have used Wireshark to look at a capture on the private link. It appears that the Server 2003 machine is doing a NBNS query for a domain controller for WORKGROUP. It seems to wait several seconds before timing out and then just connecting directly. The normal NBNS query where 2003 looks for Repl1 (CentOS) works fine. The response immediately comes back as 10.0.0.11.

I have tried many permutations and I can't seem to figure how to stop 2003 from trying to find a domain controller in this very simple configuration. Any help would be appreciated here. I'm not sure if this is a 2003 configuration problem or a Samba configuration problem.

Thanks,
Matt
Re: [Samba] Samba as nonroot
Oops, I accidentally sent this to Michael's own email, not to the list. Here it is again in the right place.

On 14/05/2008, at 9:48 AM, Michael Heydon wrote:

[EMAIL PROTECTED] wrote:

Hi, I'm trying to run samba as a non-root user and I was wondering if this is even possible

No, it's not.

and if not what is preventing it from being run as a normal user??

You couldn't bind to privileged ports would be the big one. You might be able to modify the source so it runs on different ports (although that would mean windows systems couldn't connect, you might be able to coax another samba machine into it), you would then have issues with permissions (you couldn't suid/sgid to the connecting user). Also, I think samba needs to be able to fork and execute.

It ought to be possible on Solaris 10 using privileges - I intend to test this myself in the next few weeks. (I currently have a DHCP server running successfully as a non-root user, binding to privileged ports etc etc). I'll report my findings if anybody is actually curious.

--
Matt Skerritt
[EMAIL PROTECTED]
RE: [Samba] Samba 3.0.28 failing to authenticate on Win2003 ServerActive Directory
http://www.howtoforge.com/samba-domaincontroller-swat-fedora8-p3 I believe these directions are for setting up Samba as an NT4 style PDC. From your description it sounds like you want the samba server to be a domain member server in a Win2003 AD and use winbind to authenticate users. If that's the case and you followed the directions on that website, then your samba config is definitely not going to work for you. I suggest reading chapters 3 and 6 here if you haven't already: http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ Here's some good troubleshooting tips: http://us3.samba.org/samba/docs/using_samba/ch12.html#samba2-CHP-12-SECT -2.5.3 Matt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Langdon Stevenson Sent: Sunday, May 11, 2008 11:36 PM To: samba@lists.samba.org Subject: [Samba] Samba 3.0.28 failing to authenticate on Win2003 ServerActive Directory I have set up a Fedora 8 server running Samba 3.0.28a-0.fc8 (the Fedora yum package version). I have successfully joined the server to the AD realm of a Win2003 server on the office network. Configuration was done following this guide: http://www.howtoforge.com/samba-domaincontroller-swat-fedora8-p3 However Authentication against the AD server does not work. When I test winbind with: # wbinfo -u I get: Error looking up domain users I have also found the following output in /var/log/messages/ It is generated each time Samba is started (note: date and time have been removed for clarity) srv winbindd[6850]: [2008/05/06 11:18:14, 0] param/loadparm.c:service_ok(3031) srv winbindd[6850]: WARNING: No path in service public - making it unavailable! 
srv winbindd[6851]: [2008/05/06 11:18:14, 0] nsswitch/winbindd_cache.c:initialize_winbindd_cache() srv winbindd[6851]: initialize_winbindd_cache: clearing cache and re-creating with version number 1 srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(41) srv winbindd[6853]: === srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(42) srv winbindd[6853]: INTERNAL ERROR: Signal 11 in pid 6853 (3.0.28a-0.fc8) srv winbindd[6853]: Please read the Trouble-Shooting section of the Samba3-HOWTO srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(44) srv winbindd[6853]: srv winbindd[6853]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:fault_report(45) srv winbindd[6853]: === srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/util.c:smb_panic(1655) srv winbindd[6853]: PANIC (pid 6853): internal error srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/util.c:log_stack_trace(1759) srv winbindd[6853]: BACKTRACE: 19 stack frames: srv winbindd[6853]:#0 winbindd(log_stack_trace+0x2d) [0xb7d5de9d] srv winbindd[6853]:#1 winbindd(smb_panic+0x5d) [0xb7d5dfcd] srv winbindd[6853]:#2 winbindd [0xb7d48a4a] srv winbindd[6853]:#3 [0x12d420] srv winbindd[6853]:#4 winbindd(pwd_get_cleartext+0x18) [0xb7d9b638] srv winbindd[6853]:#5 winbindd(cm_connect_sam+0x156) [0xb7ce89f6] srv winbindd[6853]:#6 winbindd [0xb7cea8f9] srv winbindd[6853]:#7 winbindd [0xb7ced6e7] srv winbindd[6853]:#8 winbindd [0xb7cd2649] srv winbindd[6853]:#9 winbindd [0xb7cd2d29] srv winbindd[6853]:#10 winbindd [0xb7cd31a8] srv winbindd[6853]:#11 winbindd(winbindd_dual_list_trusted_domains+0x78) [0xb7ce3008] srv winbindd[6853]:#12 winbindd [0xb7cf3622] srv winbindd[6853]:#13 winbindd(init_child_connection+0x19a) [0xb7ccfdaa] srv winbindd[6853]:#14 winbindd(async_domain_request+0xb6) [0xb7cf4f86] srv winbindd[6853]:#15 winbindd(rescan_trusted_domains+0x110) [0xb7cd03f0] srv winbindd[6853]:#16 winbindd(main+0x75d) 
[0xb7cc5e0d] srv winbindd[6853]:#17 /lib/libc.so.6(__libc_start_main+0xe0) [0x2e3390] srv winbindd[6853]:#18 winbindd [0xb7cc42a1] srv winbindd[6853]: [2008/05/06 11:18:14, 0] lib/fault.c:dump_core(181) srv winbindd[6853]: dumping core in /var/log/samba/cores/winbindd srv winbindd[6853]: The Samba config file /etc/samba/smb.conf [global] log file = /var/log/samba/log.%m workgroup = SLA realm = SLA.COM.AU preferred master = no server string = Merit1 security = ADS encrypt passwords = yes log level = 3 max log size = 50 printcap name = cups printing = cups winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nested groups = Yes winbind separator = + idmap uid = 600-2 idmap gid = 600-2 template shell = /bin/bash template homedir = /home/domain/%D/%U [homes] comment = Home Direcotries valid users = %S read only = No browseable = No [netlogon] comment = Network Logon Service path
[Samba] winbind, mod_auth_pam, and plaintext passwords
We have a working samba file server using winbind to authenticate with a Win2003 server in native mode. [2008/05/10 18:22:54, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(1651) set_dc_type_and_flags: domain STARTREK is in native mode. [2008/05/10 18:22:54, 5] nsswitch/winbindd_cm.c:set_dc_type_and_flags(1654) set_dc_type_and_flags: domain STARTREK is running active directory. I now want to allow the apache web server (running on the same machine as samba) to utilize winbind to authenticate users with domain credentials. I have installed and configured apache with mod_auth_pam. When I access a protected website I get a login box but it doesn't allow me to login with my domain user/pass. The apache log gives the following error: [Sat May 10 22:47:20 2008] [error] [client 192.168.1.48] PAM: user 'matt.humrick' - not authenticated: User not known to the underlying authentication module This along with an strace of apache shows that winbind is being used via mod_auth_pam for authentication with no obvious errors. Tcpdump also shows packets being exchanged between winbind and the AD Windows server. 
The following error appears in the winbind log: [2008/05/10 22:39:09, 6] nsswitch/winbindd.c:new_connection(628) accepted socket 19 [2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn INTERFACE_VERSION [2008/05/10 22:39:09, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491) [31171]: request interface version [2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2008/05/10 22:39:09, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524) [31171]: request location of privileged pipe [2008/05/10 22:39:09, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn PAM_AUTH [2008/05/10 22:39:09, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(751) [31171]: pam auth matt.humrick [2008/05/10 22:39:09, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth(764) Plain text authentication for matt.humrick returned NT_STATUS_NO_SUCH_USER (PAM: 10) I get a similar plaintext authentication error with wbinfo -a: wbinfo -a matt.humrick%x plaintext password authentication failed error code was NT_STATUS_ACCESS_DENIED (0xc022) error messsage was: Access denied Could not authenticate user matt.humrick%x with plaintext password challenge/response password authentication succeeded So, challenge/response authentication succeeded but plaintext authentication fails. This appears to be a configuration issue to me. Obviously apache gives a plaintext user/pass to winbind vs. the challenge/response method used by an WinXP client (which is working fine). What do I need to do to allow apache to authenticate with winbind? I've read through the smb.conf man page and looked at several settings relating to plaintext passwords. However, I'm a bit confused as to when these settings should be used and whether they will break the existing functionality between the WinXP clients, winbind, and Win2003 AD server. 
Thanks, Matt -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] samba shares and active directory
I've had this happen occasionally. Give these smb.conf settings a try:

    netbios name = xxx
    password server = xxx
    client signing = yes
    server signing = yes
    use spnego = yes
    client use spnego = no

Whenever I encountered this problem adjusting the signing/spnego options fixed it.

Matt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ekul taylor
Sent: Friday, May 09, 2008 3:49 PM
To: samba@lists.samba.org
Subject: [Samba] samba shares and active directory

I'm hoping someone can point me in the right direction. I know I'm very close but I'm missing one little piece. I have added a samba machine to my domain using net ads and winbind and it's working lovely. I can log into the linux server with my active directory credentials but I am unable to access shares on the samba server from windows using active directory credentials. When I try to connect to the samba server from windows I can see the share listed but choosing it gives me a password box even though I am logged into windows as a user who is a member of the squid group

smb.conf:

[global]
    workgroup = GLCC
    realm = GLCC.ON.CA
    preferred master = no
    server string = Linux Test Machine
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /bin/bash

[squidlog]
    comment = squid logs
    path = /var/log/squid
    valid users = @GLCC+squid
    read only = No
    browsable = yes

wbinfo -u wbinfo -g shows the domain user and group information and getent group shows the squid group with my user as a member

any help would be greatly appreciated

Luke Taylor
[Samba] File Lock Issue
Hi All,

I've seen a few messages similar to my problem, looking back through the mailing list but the issue I'm having is a little more unique.

We have a user, who uses both wireless and wired connection. He uses truecrypt, that has the encrypted file sitting on a samba share. What I think is happening is he will unplug his wired connection and move to a meeting room and connect through the wireless (might be worth noting - our wireless sits in our DMZ and users have to VPN into the inside of our network). When he connects to the wireless and tries to access his truecrypt drive, it complains that the file is already in use - and upon checking smbstatus -L the file is indeed locked.

I was looking at the reset on zero vc = no option, but that seems to be for a connection of the same IP Address. Once he switches to wireless, he will have a different IP Address, so I don't think this option will help him.

This server is running Samba Version 3.0.24-2.23-1296-SUSE-CODE10 on SUSE SLES 10 and the client is using Windows XP.

I've seen many people asking this... what is the default time for a file to be locked if the connection is dropped? Also, is there a configurable option to change that time?

If anyone has any idea for this issue, I'd be grateful to hear them!

Thanks,
Matt.

--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/
RE: [EMAIL PROTECTED] - Email found in subject - RE: [Samba] Files over 4GB not listing properly. Cannot getCIFSworking.
The default smbclient doesn't list the files properly either. I've been romping through the configure script, and it turns out that certain flags weren't being properly set in config.h, due to the fact that samba was being cross-compiled and the test programs couldn't be run. So far, I've set dev_t to be a u_quad type, and enabled 64-bit versions of: dirent, ino, off_t, SMB_STRUCT_DIR, flock, and SMB_F_SETLKW/GETLKW. Is there anything i missed? -Original Message- From: Andrew Bartlett [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 06, 2008 7:38 PM To: Matt Boyle Cc: samba@lists.samba.org Subject: [EMAIL PROTECTED] - Email found in subject - RE: [Samba] Files over 4GB not listing properly. Cannot getCIFSworking. On Tue, 2008-05-06 at 11:07 -0400, Matt Boyle wrote: Put this in the wrong thread, sorry! UPDATE: I've realized that this seems to be an issue with the compiler flags used to build samba. I've realized that i need to define _LARGEFILE_SOURCE, _LARGEFILE64_SOURCE, and _FILE_OFFSET_BITS=64. I've done this, but still have no luck reading files larger than 4GB. Anyone have suggestions? smbfs the in-kernel filesystem, (particularly old versions such as in Linux 2.4) never did files over 4GB well. 'Fixing' the userspace samba won't change the in-kernel limitations. I suggest you find a different way to move the files, perhaps use smbclient - the default compile should be perfectly fine for large files (Samba itself has done large files for many years). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. ***Teletronics Technology Corporation*** This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. 
If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies. Thank you. *** -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] PDC migration: printing trouble. Summary.
UPDATE: I've realized that this seems to be an issue with the compiler flags used to build samba. I've realized that I need to define _LARGEFILE_SOURCE, _LARGEFILE64_SOURCE, and _FILE_OFFSET_BITS=64. I've done this, but still have no luck reading files larger than 4GB. Anyone have suggestions?

Thanks,
Matt

Hi guys,

I'm attempting to move large files (4GB) from a PowerPC-based embedded system running a 2.4 kernel architecture to a PC running a 2.6 kernel. I've got samba compiled, installed, and running on the embedded box. I also have the directories from the PPC system mounted and accessible from the PC. I have two problems: larger file sizes do not list correctly, and large files transferred from the embedded box to the PC are not complete; i.e. they're dropping data along the way. I'm familiar with the 2GB file size limit on samba, and have mounted the PC side using the lfs flag.

Problem 1: Incorrect listing

Here's a list of the directory from the embedded box:

    -r--r--r-- 1 root root   52646396 Jan 5 06:46 file1.ch10
    -r--r--r-- 1 root root   60755936 Jan 5 06:46 file2.ch10
    -r--r--r-- 1 root root   47606684 Jan 5 06:46 file3.ch10
    -r--r--r-- 1 root root 4920604376 Jan 5 05:51 file4.ch10

Here's that same listing, but of the samba mount of that directory on the PC:

    -r-xr-xr-x 1 root root  52646396 Jan 5 2007 file1.ch10
    -r-xr-xr-x 1 root root  60755936 Jan 5 2007 file2.ch10
    -r-xr-xr-x 1 root root  47606684 Jan 5 2007 file3.ch10
    -r-xr-xr-x 1 root root 625637080 Jan 5 2007 file4.ch10

As you can see, files 1-3 list fine, but file4 is showing way short. I'm guessing this might be some sort of overflow condition, any ideas?

Problem 2: Loss of data during transfer of large files.

When I try to transfer file4, I only get 41 or so of the total file size. This is the more pressing issue.

Also, I cannot mount the samba share using CIFS. I use the line

    mount -t smbfs //server/share/ path/to/local/ -o user=u,pass=p,lfs

to mount with SMBFS, and it works correctly, just doesn't display the large files. However, when using the following:

    mount -t smbfs //server/share/ path/to/local/ -o user=u,pass=p,lfs

I get

    Mount error 5= Input/output error

Any thoughts?

Thanks,
Matt
RE: [Samba] Files over 4GB not listing properly. Cannot get CIFSworking.
Put this in the wrong thread, sorry! UPDATE: I've realized that this seems to be an issue with the compiler flags used to build samba. I've realized that i need to define _LARGEFILE_SOURCE, _LARGEFILE64_SOURCE, and _FILE_OFFSET_BITS=64. I've done this, but still have no luck reading files larger than 4GB. Anyone have suggestions? Thanks, Matt
[Samba] Files over 4GB not listing properly. Cannot get CIFS working.
Hi guys,

I'm attempting to move large files (4GB) from a PowerPC-based embedded system running a 2.4 kernel architecture to a PC running a 2.6 kernel. I've got samba compiled, installed, and running on the embedded box. I also have the directories from the PPC system mounted and accessible from the PC. I have two problems: larger file sizes do not list correctly, and large files transferred from the embedded box to the PC are not complete; i.e. they're dropping data along the way. I'm familiar with the 2GB file size limit on samba, and have mounted the PC side using the lfs flag.

Problem 1: Incorrect listing

Here's a list of the directory from the embedded box:

    -r--r--r-- 1 root root 52646396 Jan 5 06:46 file1.ch10
    -r--r--r-- 1 root root 60755936 Jan 5 06:46 file2.ch10
    -r--r--r-- 1 root root 47606684 Jan 5 06:46 file3.ch10
    -r--r--r-- 1 root root 4920604376 Jan 5 05:51 file4.ch10

Here's that same listing, but of the samba mount of that directory on the PC:

    -r-xr-xr-x 1 root root 52646396 Jan 5 2007 file1.ch10
    -r-xr-xr-x 1 root root 60755936 Jan 5 2007 file2.ch10
    -r-xr-xr-x 1 root root 47606684 Jan 5 2007 file3.ch10
    -r-xr-xr-x 1 root root 625637080 Jan 5 2007 file4.ch10

As you can see, files 1-3 list fine, but file4 is showing way short. I'm guessing this might be some sort of overflow condition, any ideas?

Problem 2: Loss of data during transfer of large files.

When I try to transfer file4, I only get 41 or so of the total file size. This is the more pressing issue.

Also, I cannot mount the samba share using CIFS. I use the line

    mount -t smbfs //server/share/ path/to/local/ -o user=u,pass=p,lfs

to mount with SMBFS, and it works correctly, just doesn't display the large files. However, when using the following:

    mount -t smbfs //server/share/ path/to/local/ -o user=u,pass=p,lfs

I get

    Mount error 5= Input/output error

Any thoughts?

Thanks, Matt
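The two listings in the post above can be checked mechanically for the overflow the poster suspects: the size shown on the mount for file4 equals the real size modulo 2^32. The script below is an added example, not part of the original message; it pairs the sizes from both `ls -l` listings and flags any file whose client-side size is the server-side size with the bits above 32 dropped. The function names are illustrative.

```python
"""Compare two `ls -l` listings and flag sizes truncated to 32 bits."""

WRAP = 2 ** 32  # a 32-bit length field wraps at 4 GiB

# Listings copied from the post: embedded box (server) and the mount on the PC.
SERVER_LISTING = """\
-r--r--r-- 1 root root 52646396 Jan 5 06:46 file1.ch10
-r--r--r-- 1 root root 60755936 Jan 5 06:46 file2.ch10
-r--r--r-- 1 root root 47606684 Jan 5 06:46 file3.ch10
-r--r--r-- 1 root root 4920604376 Jan 5 05:51 file4.ch10
"""
CLIENT_LISTING = """\
-r-xr-xr-x 1 root root 52646396 Jan 5 2007 file1.ch10
-r-xr-xr-x 1 root root 60755936 Jan 5 2007 file2.ch10
-r-xr-xr-x 1 root root 47606684 Jan 5 2007 file3.ch10
-r-xr-xr-x 1 root root 625637080 Jan 5 2007 file4.ch10
"""


def parse_sizes(listing):
    """Return {filename: size} from `ls -l` lines; other lines are skipped."""
    sizes = {}
    for line in listing.splitlines():
        # perms, links, owner, group, size, month, day, time/year, name
        fields = line.split(None, 8)
        if len(fields) == 9 and fields[4].isdigit():
            sizes[fields[8]] = int(fields[4])
    return sizes


def classify(true_size, seen_size):
    """Label how the size seen by the client relates to the real size."""
    if seen_size == true_size:
        return "ok"
    if true_size >= WRAP and seen_size == true_size % WRAP:
        return "truncated-32bit"
    return "mismatch"


def compare_listings(server_listing, client_listing):
    """Return {name: (status, true_size, seen_size, bytes_hidden)}."""
    server = parse_sizes(server_listing)
    client = parse_sizes(client_listing)
    report = {}
    for name, true_size in server.items():
        if name not in client:
            report[name] = ("missing", true_size, None, None)
            continue
        seen = client[name]
        report[name] = (classify(true_size, seen), true_size, seen,
                        true_size - seen)
    return report


if __name__ == "__main__":
    for name, row in sorted(compare_listings(SERVER_LISTING,
                                             CLIENT_LISTING).items()):
        print(name, *row)
```

A "truncated-32bit" result means the file length passes through a 32-bit field somewhere between the two hosts, which also puts any offset or length arithmetic on that path in doubt for files over 4 GiB.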
[Samba] Unable to change Windows password on Samba BDC
Dear Help,

We are currently running Samba 3.0.22 on a distributed network/domain as a PDC (primary domain controller) and several as BDCs (Backup domain controllers) in our branch offices located around the country. At this point, the PDC is set up in our corporate office (where I'm located) and users have no trouble authenticating (via logging into windows and accessing shares) and also have no trouble changing passwords (either when they expire or manually) through the Windows interface.

However, users located in the branch offices (where the BDCs are located), they have no trouble authenticating (via logging into windows and accessing shares) BUT are unable to change their password through the Windows interface, getting the error that The system cannot change your password now because the domain name is not available. All clients are Windows XP with SP2 installed.

I have added (see below) the smb.conf for our PDC as well as the BDC that's causing problems -- all BDCs basically have the exact same config. I've tried raising the log level to 3 on the BDC that's not working properly, but it turns out that trying to change the password doesn't generate ANY log. However, I know that the domain is available since immediately before attempting to change password I logged on to Windows using the domain...

I've poked around various forums and newsgroups but haven't found anything that has stuck (or particularly pertains to BDCs). If anyone has ANY suggestions whatsoever, I'd be glad to hear them!

Thanks, Matt

PDC smb.conf (global section only):

    [global]
    netbios name = ds-tem-1
    workgroup = DOMAIN
    server string = Samba PDC %v %h
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here
    security = user
    log level = 3
    log file = /var/log/samba/%m.log
    max log size = 5000
    add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c 'Machine Account for %u' -s /bin/false %u
    logon path =
    logon home =
    domain logons = Yes
    os level = 128
    preferred master = Yes
    domain master = Yes
    ldap admin dn = cn=name,o=organization
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=IDMap
    ldap machine suffix = ou=Workstations
    ldap user suffix =
    ldap filter = (uid=%u)
    ldap suffix = o=organization
    ldap passwd sync = No
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n
    idmap backend = ldaps://ip.goes.here ldaps://ip.goes.here
    idmap uid = 1-2
    idmap gid = 1-2
    veto files = /.?*/
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    wins support = Yes
    encrypt passwords = Yes
    logon script = %U.bat
    map to guest = Bad User

BDC smb.conf (global section only):

    [global]
    workgroup = DOMAIN
    server string = Samba BDC %v %h
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldaps://ip.goes.here ldaps://ip.goes.here
    log level = 2
    log file = /var/log/samba/%m.log
    max log size = 1000
    logon path =
    logon home =
    domain logons = Yes
    domain master = No
    preferred master = Yes
    ldap admin dn = cn=name,o=organization
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=IDMap
    ldap machine suffix = ou=Workstations
    ldap suffix = o=organization
    ldap passwd sync = No
    ldap filter = (uid=%u)
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n
    idmap backend = ldaps://ip.goes.here ldaps://ip.goes.here
    idmap uid = 1-2
    idmap gid = 1-2
    veto files = /.?*/
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    wins server = ip.of.PDC.here
    map to guest = Bad User
RE: [Samba] winbindd hangs up while retreiving usernames.
This sounds similar to a problem I was having. Have a look at the following thread to see if it fixes your problem: http://lists.samba.org/archive/samba/2008-April/140109.html Matt
[Samba] Re: Unable to change Windows password on Samba BDC
Matt Anderson sokkerstud_11 at hotmail.com writes:

However, users located in the branch offices (where the BDCs are located), they have no trouble authenticating (via logging into windows and accessing shares) BUT are unable to change their password through the Windows interface, getting the error that The system cannot change your password now because the domain name is not available. All clients are Windows XP with SP2 installed.

Okay, so I figured out why it wasn't working. I needed to add the IP address of the PDC to the WINS tab in the user's TCP/IP connection settings for it to be able to resolve the Primary domain controller to change the password (at least, that's what I'm assuming the problem was). Once I added the PDC's IP address to the WINS tab I could change passwords no problem.

However, we currently assign all IP addresses manually (no DHCP server). Is there any way (I'm guessing not) I can accomplish this without having to physically change the network connection settings on hundreds of client PCs manually?

On a side note, I tried adding the BDC's IP address to the WINS tab first and was unsuccessful... which I think is expected.

Again, any thoughts would be greatly appreciated. Thanks! -Matt
[Samba] Re: Unable to change Windows password on Samba BDC
Adam Williams awilliam at mdah.state.ms.us writes:

in the BDC, take out:

    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n
    unix password sync = yes

add:

    ldap passwd sync = yes
    encrypt passwords = yes
    update encrypted = Yes
    unix password sync = no

Hi Adam, Thanks for the quick response -- I'm not sure if you saw my follow up:

Okay, so I figured out why it wasn't working. I needed to add the IP address of the PDC to the WINS tab in the user's TCP/IP connection settings for it to be able to resolve the Primary domain controller to change the password (at least, that's what I'm assuming the problem was). Once I added the PDC's IP address to the WINS tab I could change passwords no problem. However, we currently assign all IP addresses manually (no DHCP server). Is there any way (I'm guessing not) I can accomplish this without having to physically change the network connection settings on hundreds of client PCs manually? On a side note, I tried adding the BDC's IP address to the WINS tab first and was unsuccessful... which I think is expected. Again, any thoughts would be greatly appreciated. Thanks!

Would your suggestion address this? I know that I initially had it set up that way since I was using the idealx scripts... Thanks! -Matt
[Samba] Re: Unable to change Windows password on Samba BDC
Dennis McLeod dmcleod at foranyauto.com writes:

Forgot to add: http://support.microsoft.com/?kbid=242468 For details on netsh.

Awesome! Thanks! Also -- I'm not sure, but by editing nsswitch.conf on the BDC, for the line for hosts to include wins, like:

    hosts: files dns wins

Seems to have done the same thing, without the need for manually adding it to the user's local connection (unless something was cached...) Does that make sense/sound right? -Matt
[Samba] Re: Unable to change Windows password on Samba BDC
Chris Smith smb23 at realcomputerguy.com writes:

I use a rule of thumb that with =5 computers it saves much time and trouble to use services such as dhcp, dns, wins, etc. Set up dhcp (and dns if you don't have it), you will be glad you did.

Hi Chris, Thanks for the feedback -- I totally agree. Unfortunately, our network administrator doesn't feel the same way (that it's not too much trouble). He has set up everything with static IP addresses for security reasons so we don't have a DHCP server... and with that no DNS server, since Dynamic DNS would require maintaining both the files for forward and reverse lookup... However, I have at least set up WINS on my Samba PDC :) Thanks again, Matt
[Samba] Re: Unable to change Windows password on Samba BDC
Matt Anderson sokkerstud_11 at hotmail.com writes:

Also -- I'm not sure, but by editing nsswitch.conf on the BDC, for the line for hosts to include wins, like:

    hosts: files dns wins

SCRATCH THAT. I waited a little longer and tried it again and it failed to find the domain again. So, I'm back to Dennis' suggestion... thanks! -Matt
[Samba] Re: Unable to change Windows password on Samba BDC
Matt Anderson sokkerstud_11 at hotmail.com writes:

However, users located in the branch offices (where the BDCs are located), they have no trouble authenticating (via logging into windows and accessing shares) BUT are unable to change their password through the Windows interface, getting the error that The system cannot change your password now because the domain name is not available. All clients are Windows XP with SP2 installed.

Is it true that user password changes (when initiated from Windows) have to go through the PDC and can't be done through the BDC? Thanks in advance, Matt
[Samba] Re: Unable to change Windows password on Samba BDC
Dennis McLeod dmcleod at foranyauto.com writes:

That's how this place was when I got here. The real issue was with websurfing control. Current setup is restricting by ip address, not user (they didn't exist before), so they set up static. I setup a dhcp server, and used dynamically assigned static addresses for those machines. Gives me the flexibility to make these kind of changes. AND registers with DNS

Also, check out psexec to do this. (run the netsh command remotely..) You can add it to a logon script and then kick off the logon script remotely, or just run it remotely directly on each machine.

Hi Dennis, Thanks for your input... I appreciate it! That sounds like it would make life a bit less trouble indeed. I'll have to look into that and pass it on to our network administrator, and maybe I can convince him :) Thanks again, Matt
RE: [Samba] select() timeout on winbindd_privileged pipe
On 4/24/08 Jerry wrote:

You are tracing the client. But the log only shows the parent winbindd process. I would check the child processes because I'll bet you have more traffic that will illuminate what is going on in those logs.

Thanks for the tip. I took your advice and ran 'strace -ff' on winbind and found the problem. It was trying to use mDNS to locate the kdc. However, our domain is unicast and uses the .local extension. I added the line 'mdns off' to the /etc/host.conf file (apparently it defaults to on) and it eliminated the 30 second timeout pause :)

Here's the line in the strace output that tipped me off:

    17:24:34 sendto(20, \241q\1\0\0\1\0\0\0\0\0\0\20_kerberos-master\4_u..., 54, 0, {sa_family=AF_INET, sin_port=htons(5353), sin_addr=inet_addr(224.0.0.251)}, 28) = 54
    17:24:34 poll([{fd=20, events=POLLIN}], 1, 5000) = 0

This poll() call is what was actually timing out. The timeout was 5s and it did this multiple times. Now that mDNS is turned off it makes this request directly to the kdc rather than trying to search for it. WoooHooo!

Thanks, Matt
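The two strace lines quoted in the message above are a recognisable signature: a DNS query sent to the mDNS multicast group (224.0.0.251, UDP port 5353) followed by a poll() on the same descriptor that returns 0 after its full timeout. The script below is an added example, not part of the original post; it scans `strace -t` text for that pair and totals the time lost. The sample trace is constructed (its first two lines are the ones from the post, the rest are made up for contrast), and the function names are illustrative.

```python
"""Spot mDNS lookups that stall a process, from `strace -t` output."""
import re

MDNS_GROUP = "224.0.0.251"  # IPv4 mDNS multicast group
MDNS_PORT = 5353

# Optional "[pid N]" prefix, then the HH:MM:SS stamp printed by `strace -t`.
PREFIX = r'^(?:\[pid\s+\d+\]\s+)?(?P<ts>\d\d:\d\d:\d\d)\s+'
# inet_addr(...) is matched with or without quotes, since archived copies of
# strace output (like the one in the post) often lose them.
SENDTO_RE = re.compile(
    PREFIX + r'sendto\((?P<fd>\d+),.*'
    r'sin_port=htons\((?P<port>\d+)\),\s*'
    r'sin_addr=inet_addr\("?(?P<addr>[0-9.]+)"?\)')
# Only the first descriptor in the pollfd array is inspected.
POLL_RE = re.compile(
    PREFIX + r'poll\(\[\{fd=(?P<fd>\d+),[^\]]*\],\s*\d+,\s*(?P<timeout>-?\d+)\)'
    r'\s*=\s*(?P<ret>-?\d+)')

# Constructed sample: two mDNS queries that time out, then a unicast request
# to a KDC on port 88 that is answered.
SAMPLE_TRACE = r"""
17:24:34 sendto(20, \241q\1\0\0\1\0\0\0\0\0\0\20_kerberos-master\4_u..., 54, 0, {sa_family=AF_INET, sin_port=htons(5353), sin_addr=inet_addr(224.0.0.251)}, 28) = 54
17:24:34 poll([{fd=20, events=POLLIN}], 1, 5000) = 0
17:24:39 sendto(20, "\241q\1\0\0\1\0\0\0\0\0\0\20_kerberos-master\4_u"..., 54, 0, {sa_family=AF_INET, sin_port=htons(5353), sin_addr=inet_addr("224.0.0.251")}, 28) = 54
17:24:39 poll([{fd=20, events=POLLIN}], 1, 5000) = 0
17:24:44 sendto(21, "j\201\2770\201\274"..., 191, 0, {sa_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("192.168.1.207")}, 16) = 191
17:24:44 poll([{fd=21, events=POLLIN}], 1, 5000) = 1
"""


def find_mdns_stalls(trace_text):
    """Return counts and total wait for mDNS queries whose poll() timed out."""
    waiting = {}   # fd -> timestamp of the mDNS query last sent on it
    events = []    # (query_ts, poll_ts, timeout_ms) for each timed-out wait
    queries = 0
    for line in trace_text.splitlines():
        m = SENDTO_RE.match(line)
        if m:
            fd = int(m["fd"])
            if m["addr"] == MDNS_GROUP and int(m["port"]) == MDNS_PORT:
                waiting[fd] = m["ts"]
                queries += 1
            else:
                waiting.pop(fd, None)  # descriptor now used for other traffic
            continue
        m = POLL_RE.match(line)
        if m:
            fd = int(m["fd"])
            query_ts = waiting.pop(fd, None)
            # ret == 0 means poll() expired with nothing to read.
            if query_ts is not None and int(m["ret"]) == 0:
                events.append((query_ts, m["ts"], int(m["timeout"])))
    return {
        "queries": queries,
        "timeouts": len(events),
        "stalled_ms": sum(e[2] for e in events),
        "events": events,
    }


if __name__ == "__main__":
    result = find_mdns_stalls(SAMPLE_TRACE)
    print("mDNS queries: %(queries)d, timed out: %(timeouts)d, "
          "time lost: %(stalled_ms)d ms" % result)
```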
[Samba] select() timeout on winbindd_privileged pipe
I have an issue where winbind will occasionally pause for 30 seconds.

    # strace -T -t ls -l /share
    16:52:20 read(4, /var/lib/samba/winbindd_privileg..., 35) = 35 0.09
    16:52:20 lstat(/var/lib/samba/winbindd_privileged, {st_mode=S_IFDIR|0750, st_size=72, ...}) = 0 0.11
    16:52:20 lstat(/var/lib/samba/winbindd_privileged/pipe, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 0.11
    16:52:20 socket(PF_FILE, SOCK_STREAM, 0) = 5 0.11
    16:52:20 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) 0.06
    16:52:20 fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 0.07
    16:52:20 fcntl(5, F_GETFD) = 0 0.06
    16:52:20 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 0.06
    16:52:20 connect(5, {sa_family=AF_FILE, path=/var/lib/samba/winbindd_privileged/pipe}, 110) = 0 0.18
    16:52:20 close(4) = 0 0.11
    16:52:20 select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout) 0.07
    16:52:20 write(5, (\10\0\0\4\0\0\0d\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0..., 2088) = 2088 0.11
    16:52:20 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.997279
    16:52:25 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999895
    16:52:30 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999885
    16:52:35 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.14
    16:52:40 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.999891
    16:52:45 select(6, [5], NULL, NULL, {5, 0}) = 0 (Timeout) 4.16
    16:52:50 select(6, [5], NULL, NULL, {5, 0}) = 1 (in [5], left {4, 968000}) 0.033682
    16:52:50 read(5, \354\f\0\0\2\0\0\0STARTREK-phx_api_release..., 3240) = 3240 0.14

Notice the chain of select() calls between 16:52:20 and 16:52:50 that all timeout after 5 seconds for a total of 30 seconds!

The winbind log has the following error when this occurs:

    [2008/04/18 16:52:20, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
    [2008/04/18 16:52:50, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610) ads_krb5_mk_req: Advancing clock by 13 seconds to cope with clock skew
    [2008/04/18 16:52:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528) ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 18 Apr 2008 17:13:03 MST

The ads_krb5_mk_req function has a while loop that loops 3 times 'while (!creds_ready (i maxtries))' (i=0, maxtries=3). This corresponds with 3 requests to the kdc for info during the period of the pause:

    16:52:20.839894 IP 192.168.1.210.32891 192.168.1.207.88: v5
    16:52:20.840419 IP 192.168.1.207.88 192.168.1.210.32891:
    16:52:30.837599 IP 192.168.1.210.32891 192.168.1.207.88: v5
    16:52:30.838482 IP 192.168.1.207.88 192.168.1.210.32891: v5
    16:52:40.837652 IP 192.168.1.210.32891 192.168.1.207.88:
    16:52:40.838606 IP 192.168.1.207.88 192.168.1.210.32891:

I don't understand why the select call appears to continue to block even though the Samba machine (192.168.1.210) gets a response from the Windows server (maybe I'm just interpreting the data wrong??).

I used 'net ads -U username keytab create' to generate my keytab file (it looks good as far as I can tell). 'net cache list' also reveals several entries. Klist also shows a default principal entry. I'm not sure why it can't find a credentials cache. I've upgraded my krb5 from 1.4.3 to 1.6.2 without effect.

Here's version info:

    Samba 3.0.28 (3.0.25a and 3.0.25c also had this problem)
    Linux 2.6.16 (x64)

At this point I have no idea how to fix this problem. I've read more samba how-to's than I thought possible and checked the relevant config files. Everything is working ok except for this pause. I've upgraded the relevant software but the problem persists.

Matt
Re: [Samba] Convert ssha password to sambaNTpassword?
Scott Lovenberg wrote:

Matt Richardson wrote:

Is it possible to take a SSHA password from an ldif and create a proper sambaNTpassword from it? Here's the scenario: the ldap servers in our organization do not have the samba schema installed and the likelihood of that happening is slim. I still want to provide clients with as close to a single sign on solution as possible and I can get an ldif of the accounts I need. However, the password field is SSHA and I will still need to generate sambaLMpassword and sambaNTpasswd fields (along with the rest, but that part is a wrapper script around smbldap-utils away.) There is a remote possibility of getting these hashes generated by an Identity Management Server, which would make the problem go away. The IDM solution is remote, as the admin for it is already overworked, so parsing an ldif seems to be the best solution at the moment. Any suggestions would be appreciated.

Are PAM modules a viable route and/or one that you'd consider? I have no idea how it would work, but it seems to me that it's a good loosely coupled interface from both sides of the problem. To be honest, I run Slackware and PAM isn't included as Patric V. strongly believes PAM is a security risk, so I can't comment on how easy an implementation might be as I've only toyed with it on a few occasions. I know, however, that Samba uses PAM for syncing the passwd/shadow files, so there must be some sort of interfacing capabilities native to Samba.

I would totally go with PAM, but have not heard of one to deal with this issue. It's a good idea, so off to google I go.

-- Matt Richardson IT Consultant College of Arts and Letters CSU San Bernardino work: (909)537-7598 fax: (909)537-5926
[Samba] Convert ssha password to sambaNTpassword?
Is it possible to take a SSHA password from an ldif and create a proper sambaNTpassword from it? Here's the scenario: the ldap servers in our organization do not have the samba schema installed and the likelihood of that happening is slim. I still want to provide clients with as close to a single sign on solution as possible and I can get an ldif of the accounts I need. However, the password field is SSHA and I will still need to generate sambaLMpassword and sambaNTpasswd fields (along with the rest, but that part is a wrapper script around smbldap-utils away.) There is a remote possibility of getting these hashes generated by an Identity Management Server, which would make the problem go away. The IDM solution is remote, as the admin for it is already overworked, so parsing an ldif seems to be the best solution at the moment. Any suggestions would be appreciated. -- Matt Richardson IT Consultant College of Arts and Letters CSU San Bernardino work: (909)537-7598 fax: (909)537-5926
[Samba] Annoying Winbind Pause While Looking Up Permissions
    :20, 4] libads/sasl.c:ads_sasl_bind(521) Found SASL mechanism GSS-SPNEGO
    [2008/04/18 16:52:20, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
    [2008/04/18 16:52:20, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
    [2008/04/18 16:52:20, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
    [2008/04/18 16:52:20, 3] libads/sasl.c:ads_sasl_spnego_bind(213) ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
    [2008/04/18 16:52:20, 3] libads/sasl.c:ads_sasl_spnego_bind(222) ads_sasl_spnego_bind: got server principal name = [EMAIL PROTECTED]
    [2008/04/18 16:52:20, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593) ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
    [2008/04/18 16:52:50, 4] libsmb/clikrb5.c:ads_krb5_mk_req(610) ads_krb5_mk_req: Advancing clock by 13 seconds to cope with clock skew
    [2008/04/18 16:52:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528) ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Fri, 18 Apr 2008 17:13:03 MST
    [2008/04/18 16:52:50, 5] libads/ldap_utils.c:ads_do_search_retry_internal(64) Search for (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\5F\52\F4\2D\49\0D\1F\07\7F\6C\71\4D\C6\1F\00\00) in dc=STARTREK,dc=LOCAL gave 1 replies

This shows that at the start of the pause I have the following error:

    krb5_cc_get_principal failed (No credentials cache found)

This is what I think is happening:

1.) winbind is unable to find its info in the Kerberos cache
2.) winbind queries the Windows domain controller (via port 88)
3.) the select on this socket times out for 30 seconds (even though the domain controller responds??)
4.) winbind defaults back to search_retry_internal and finds what it needs to continue

The weird thing is it only does this once every 5-10 minutes. Every other time I don't get the krb5_cc_get_principal failed (No credentials cache found) error that leads to the 30 second timeout.

If I run kinit for a domain user, that user shows up when I klist. However, that's the only ticket that shows up.

If anyone could shed some light on this issue I would greatly appreciate it.

Thanks, Matt
[Samba] Vista Read/Write performance
Hello.

I am setting up a smb server running debian etch for a small office. Due to circumstances outside my control, most of the client machines are running Windows Vista Ultimate. The shares are all set up properly, security is set, and we're good to go. Except that the throughput from any of the Vista machines to the server is at best slow and at worst abysmal.

After tweaking the socket options, turning off various services in windows (Remote Differential Compression), and even installing the freshly-released SP1, the best I've been able to get is 12.5 MB/s reading from the samba server. SCP gets 35-40 MB/s, and Vista to Vista transfers using SMB get 35-40 MB/s.

I'm in the unfortunate position of having to recommend to my boss that we put the data on another Vista machine and use that as a makeshift file server until this problem can be ironed out. I very much do not want to tell him that. Any help anyone can offer would be greatly appreciated.

Thank you, Matt Harris

smb.conf excerpt below.

    [global]
    workgroup = UTOPIA
    server string = %h (file server)
    obey pam restrictions = Yes
    passdb backend = tdbsam
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    client NTLMv2 auth = Yes
    log file = /var/log/samba/log.%m
    max log size = 1000
    smb ports = 445
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    os level = 250
    lm announce = Yes
    preferred master = Yes
    domain master = No
    dns proxy = No
    ldap ssl = no
    panic action = /usr/share/samba/panic-action %d
    invalid users = root
    write cache size = 65536
    include = /etc/samba/dhcp.conf

    [shares here]
[Samba] Samba Administration Tool recommendations
Hi All, I have a project which is to build a customized Linux distribution with a focus on deploying a Samba as Primary Domain Controller. It's pretty much like Trixbox but instead of Asterisk and VOIP, will be focused on Samba. Right now, I am looking for a solution for an administrator to easily manage the service. Of particular importance would be to easily add workstations and set up users for Roaming Profiles. Any recommendations on this? I have already looked at SWAT and Webmin (and I will be including them on the package list). However, I would like a tool that is focused on just Samba as a PDC. The base system I have is Ubuntu Server so it would be great if such a recommendation would be web-based although if a desktop application is what I need, then changing the base system is an option. Thanks in advance, Matt -- Stand before it and there is no beginning. Follow it and there is no end. Stay with the ancient Tao, Move with the present.
[Samba] How to give user access to only 1 directory on a share?
Hello, Is there a way to give a single user access to a single directory on a given share, and yet prevent that user from accessing the rest of the data on that share? All users on the system are within the *same* group, and if possible, I'd like to keep it this way. Would I have to go with ACLs to implement this? Any and all suggestions are appreciated! Thanks, Matt
[Samba] Can't access dirs with subgroups of a samba share
Hi all!

Here's the problem we have since patching Monday night. Tuesday morning Samba wasn't running, but started fine, and everything seemed to be working. We're currently running samba3.0.24-2.23 and I believe before the patch we were running samba3.0.22-13.30.

We have some samba shares where we have subgroups that only a select group of people of the parent group are allowed to access. For example: The parent folder will be accessible to groupa with 770 permissions. In the folder we will have a subfolder accessible to groupb only, also with 770. (members of groupb belong to groupa)

The smb.conf for the given share looks like this

    [share]
    path = /usr/local/share/groups/share
    valid users = @groupa
    admin users = @smbadmin
    force group = groupa
    create mask = 0770
    directory mask = 0770

And these settings always worked fine. Groupb users would be able to access their subfolder with no problems. Since the night the patch was installed, this no longer happens. In windows the user is getting the error message M:\subfolder is not accessible. Access is Denied.

I've been double and triple checking all the permission and group memberships (all handled locally on the server), etc and everything looks fine. I've also been looking in the samba logs and not seeing relating to the error. I would appreciate any help/advice!

Matt.

Here's what the smb.conf GLOBAL looks like:

    [global]
    workgroup = WORKGROUP
    netbios name = SERVER
    server string = SERVER
    encrypt passwords = Yes
    map to guest = Bad User
    passwd program = /usr/bin/passwd
    name resolve order = wins lmhosts host bcast
    log level = 2
    log file = /var/log/log.smbd
    time server = Yes
    deadtime = 10
    load printers = Yes
    os level = 34
    preferred master = Yes
    domain master = No
    local master = Yes
    wins support = No
    wins server = 192.168.100.100
    remote browse sync = 192.168.100.100
    kernel oplocks = No
    read only = No
    browseable = Yes
    printing = lprng
    use client driver = Yes
    create mask = 0660
    directory mask = 0770
    unix extensions = no
    follow symlinks = yes
    smb ports = 139

-- Matt Ingram Intermediate Unix Administrator, IS Canadian Bank Note Company, Limited \m/
RE: [Samba] Single Sign On, authentication, and Windows XP Home
Yes, this is all correct and I fully agree with everything that Gaiseric has said. However, the problem I'm dealing with is that I *still* have XP Home machines that I need to work with. Until these are phased out, and replaced with Pro Ed., I'm stuck if I want to implement SSO -- I think, unless I run an LDAP server and install pGina with the LDAP plugin. I didn't want to have to go this route, but I think that it may be the only option available! Thank you to everyone for their input -- --- Matt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gaiseric Vandal Sent: Thursday, December 27, 2007 8:46 AM To: samba@lists.samba.org Subject: Re: [Samba] Single Sign On, authentication, and Windows XP Home To the best of my knowledge, you can't join XP Home machines to a domain. Which would be a major argument against ever using XP Home in a work environment. (I realize many businesses buy this because they think it is cheaper.) If you don't use a domain setup, if you have a user account for each user on the server and set the password to be the same user's account on his or her own machine, the file access should be pretty transparent. My experience is that once you have more than 3 machines in a workgroup, switching to the domain model is well worth the effort. (And I would suspect less effort than going with an LDAP or NIS client.) just my 2c. On Dec 21, 2007 3:11 PM, Matt Lozier [EMAIL PROTECTED] wrote: Hello, I have a small (medium?) sized network of about 30 XP machines. About 2/3 of these machines are running Home Ed. while the other 1/3 are running Professional Ed. I currently have two samba shares, and I'm using 'user' security. I want to implement single sign on, some way, somehow. I've considered: NIS and LDAP, but I can't get the NIS pGina plugin to work with my NIS server, and LDAP seems like a beast to setup, though I'm willing to go for it if it means that I'll be able to get SSO working. Does any one have any suggestions / recommendations? Thanks, Matt
[Samba] Samba 3.0.22 and SUSE Linux 10.1
Hello, This has recently happened a couple of times on our network: A user is working on a file stored on the Samba share, and when they go to save it, a pop-up comes to their screen saying: The file 'FileNameGoesHere.xls' may have been changed by another user since you last saved it. In that case, what do you want to do? There are two options: o Save a copy o Overwrite changes I did a Google search for this and found in the archives of this list that the problem was corrected in Samba 3.0.11 (http://lists.samba.org/archive/samba/2005-January/098341.html), but we're using 3.0.22 - granted the version that comes with SUSE Linux 10.1, but 3.0.22 none the less. Anyone else run into this problem? Microsoft has put out a KB article acknowledging this problem, but they recommend not making any registry changes until one is certain of the underlying cause - I don't know what's causing this! Any help is appreciated. Thank you, --- Matt
RE: [Samba] Single Sign On, authentication, and Windows XP Home
Hi Rune, I just want to provide a means to allow all users who use the machines on the LAN to be able to login to *any* machine and have access to their Samba share. As it is now, there is only local authentication for each machine on the LAN (no Windows Domain here, only a workgroup) -- so if a user wants to be able to use a computer other than what they normally use, an account needs to be created for that user on the new machine, and then they will be able to access their Samba share. I want to allow any user to login to any machine, and be able to access their Samba share. Any suggestions? Thanks, --- Matt -Original Message- From: Rune Tønnesen [mailto:[EMAIL PROTECTED] Sent: Friday, December 21, 2007 4:16 PM To: Matt Lozier Cc: samba@lists.samba.org Subject: Re: [Samba] Single Sign On, authentication, and Windows XP Home Matt Lozier wrote: Hello, I have a small (medium?) sized network of about 30 XP machines. About 2/3 of these machines are running Home Ed. while the other 1/3 are running Professional Ed. I currently have two samba shares, and I'm using 'user' security. I want to implement single sign on, some way, somehow. I've considered: NIS and LDAP, but I can't get the NIS pGina plugin to work with my NIS server, and LDAP seems like a beast to setup, though I'm willing to go for it if it means that I'll be able to get SSO working. Does any one have any suggestions / recommendations? Thanks, Matt What applications do you want sso for? You might be interested in Mandriva directory server http://mds.mandriva.org/wiki/Documentation -- Rune Tønnesen Bedste Hilsner/Best Regards
[Samba] Single Sign On, authentication, and Windows XP Home
Hello, I have a small (medium?) sized network of about 30 XP machines. About 2/3 of these machines are running Home Ed. while the other 1/3 are running Professional Ed. I currently have two samba shares, and I'm using 'user' security. I want to implement single sign on, some way, somehow. I've considered: NIS and LDAP, but I can't get the NIS pGina plugin to work with my NIS server, and LDAP seems like a beast to setup, though I'm willing to go for it if it means that I'll be able to get SSO working. Does any one have any suggestions / recommendations? Thanks, Matt
RE: [Samba] Unanswered question
Hi Michael, Yeah, if someone is writing to a file in a Samba share, and another user opens it up, they'll be notified that the file is currently in use, and that it's available for read only. This happens all of the time where I work (unfortunately). Depending on what kind of information is stored in your file, you may want to look into storing your data in a database. Hope this helps! --- Matt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Dykstra Sent: Wednesday, December 19, 2007 10:20 PM To: samba@lists.samba.org Subject: [Samba] Unanswered question How long does one have to typically wait for an answer to a post? Tomorrow my message will have been up a week, and I've gotten no replies. It was about whether a file, while it was being written to, could subsequently be opened by another client for reading. I used a DVR with chasing play as an example. Didn't seem like that difficult of a question, but maybe it isn't geeky enough for some. (Or perhaps the answer is No and people are too embarrassed to admit Samba can't do it.)
RE: [Samba] smbclient printout
Hi Michael, Yes, basically I'm trying to get a continuous log of who accesses which files, and when. Any and all suggestions are greatly appreciated! Thanks, --- Matt -Original Message- From: Michael Heydon [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 28, 2007 6:33 PM To: Matt Lozier Cc: samba@lists.samba.org Subject: Re: [Samba] smbclient printout Can I suggest that you explain the problem you are trying to solve rather than how you plan on solving it? I suspect that the audit vfs module would be a far better option...but without knowing exactly what you want to do it's a bit hard to say for sure. *Michael Heydon - IT Administrator * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Matt Lozier wrote: Hello, Sorry, I guess my first post wasn't allowed - perhaps because I had HTML embedded in it? Question: Is there a way that I can have the output of smbclient be redirected to a file and have it updated every time someone opens / closes a file in the share? The only idea that I have thus far is to write a script that would output this data to a log file, and have the script run every 5 min. or so. I suppose that I could use diff to compare the changes, and only update the log file with the changes? Any and all input is greatly appreciated! Thank you, --- Matt Lozier Network Administrator 972.644.2581, ext. 248 972.661.2701 fax
RE: [Samba] Access control question.
Josh, Very cool. This works! Thank you so much -- I really appreciate this! This made my day! All the Best, --- Matt Lozier Network Administrator 972.644.2581, ext. 248 972.661.2701 fax The information contained in this message or any attached document is confidential and intended only for the individual(s) or entity to which it is addressed. The information should be considered privileged and confidential. If you are not the intended recipient, you are hereby notified that any unauthorized use of the information contained in or transmitted with the communication, or dissemination, distribution, or copying of this communication is strictly prohibited by law. If you have received this communication in error, please inform the sender by immediately returning this communication to the sender and then deleting the original message and any copy of it in your possession. -Original Message- From: Josh Kelley [mailto:[EMAIL PROTECTED] Sent: Monday, November 26, 2007 9:30 PM To: Matt Lozier Cc: samba@lists.samba.org Subject: Re: [Samba] Access control question. On Nov 26, 2007 3:13 PM, Matt Lozier [EMAIL PROTECTED] wrote: Thanks for this. I did think about using ACLs, but even if I set this up (for *every* directory that our users need access to) won't they still be able to *see* those directories even if they don't have r/w/x permission? Add hide unreadable = yes to your smb.conf. Josh Kelley
[Samba] smbclient printout
Hello, Sorry, I guess my first post wasn't allowed - perhaps because I had HTML embedded in it? Question: Is there a way that I can have the output of smbclient be redirected to a file and have it updated every time someone opens / closes a file in the share? The only idea that I have thus far is to write a script that would output this data to a log file, and have the script run every 5 min. or so. I suppose that I could use diff to compare the changes, and only update the log file with the changes? Any and all input is greatly appreciated! Thank you, --- Matt Lozier Network Administrator 972.644.2581, ext. 248 972.661.2701 fax
RE: [Samba] smbclient printout
I'm sorry -- I didn't mean smbclient, I meant _smbstatus_ !! My apologies --- Matt Lozier Network Administrator 972.644.2581, ext. 248 972.661.2701 fax -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Lozier Sent: Wednesday, November 28, 2007 4:22 PM To: samba@lists.samba.org Subject: [Samba] smbclient printout Hello, Sorry, I guess my first post wasn't allowed - perhaps because I had HTML embedded in it? Question: Is there a way that I can have the output of smbclient be redirected to a file and have it updated every time someone opens / closes a file in the share? The only idea that I have thus far is to write a script that would output this data to a log file, and have the script run every 5 min. or so. I suppose that I could use diff to compare the changes, and only update the log file with the changes? Any and all input is greatly appreciated! Thank you, --- Matt Lozier Network Administrator 972.644.2581, ext. 248 972.661.2701 fax
RE: [Samba] Access control question.
Hi Andrew, Thanks for this. I did think about using ACLs, but even if I set this up (for *every* directory that our users need access to) won't they still be able to *see* those directories even if they don't have r/w/x permission? I'm looking for a way to setup user permissions so that they can only see that which they have access to. Thanks again for the pointer, and if any thoughts come to mind, please do share! --- Matt Lozier IT Analyst 972.644.2581, ext. 248 972.661.2701 fax -Original Message- From: Andrew Sherlock-CF [mailto:[EMAIL PROTECTED] Sent: Thursday, November 22, 2007 8:34 AM To: Matt Lozier; samba@lists.samba.org Subject: RE: [Samba] Access control question. Hi Matt, You may wish to look into the 'setfacl' command. http://bama.ua.edu/cgi-bin/man-cgi?setfacl+1 Hope this helps! --- -Original Message- From: Matt Lozier [mailto:[EMAIL PROTECTED] Sent: 21 November 2007 17:39 To: Andrew Sherlock-CF; samba@lists.samba.org Subject: RE: [Samba] Access control question. Hi Andrew, Thank you for your response. The only problem with going this route is that I really need to have finer grain control over what the users are able to access. I have situations where user1 needs to have access to /smbshare/dir1 and dir3 then user2 needs to have access to /smbshare/dir1/subdir1 and /smbshare/dir3, but *no* access to /smbshare/dir1. I suppose that the real problem lies in the poor setup of the root /smbshare. However, any changes to this configuration are out of the question because too many people who are resistant to change already understand things the way they are ;-) If I understand LDAP properly (I'm new to this technology) then I should be able to store user permissions in the LDAP database, no? Thanks, Matt -Original Message- From: Andrew Sherlock-CF [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 21, 2007 11:07 AM To: Matt Lozier; samba@lists.samba.org Subject: RE: [Samba] Access control question. Is it out of the question to create many different shares and then secure the system on a per-share basis? I'm securing shares individually using Active Directory. In each share config I have: valid [EMAIL PROTECTED] @MR_ADGROUP_FOR_READING write [EMAIL PROTECTED] read [EMAIL PROTECTED] Create different groups for each share and you're golden. Of course, this model can be followed without AD. --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Matt Lozier Sent: 21 November 2007 15:58 To: samba@lists.samba.org Subject: [Samba] Access control question. Hello, I have a general administrative question concerning Samba shares. I have a large amount of data that about 25 users have limited access to. I only want these users to have access to a sub-set of this data, but I also only want the users to see that which they have access to. So, for example, suppose that the share looks like thus: /smbshare /smbshare/dir1 /smbshare/dir2 /smbshare/dir3 And I only want the users to see that they have access to /smbshare/dir1 and /smbshare/dir3. The way that this is currently setup is that I have symlinks from the user's home directory to /smbshare/dir1 and /smbshare/dir3. That way when the user maps their home share, they only see dir1 and dir3 - dir2 is out of sight, and thus (hopefully) out of mind. Is there a better way to implement what I'm trying to do? I'm currently looking into setting up permissions as an LDAP directory and using this as the means to control access to the data - have also considered using ACLs - not sure which way to go! Any and all help / input is appreciated. Thank you, Matt http://www.bbc.co.uk/ This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from
[Samba] Access control question.
Hello, I have a general administrative question concerning Samba shares. I have a large amount of data that about 25 users have limited access to. I only want these users to have access to a sub-set of this data, but I also only want the users to see that which they have access to. So, for example, suppose that the share looks like thus: /smbshare /smbshare/dir1 /smbshare/dir2 /smbshare/dir3 And I only want the users to see that they have access to /smbshare/dir1 and /smbshare/dir3. The way that this is currently setup is that I have symlinks from the user's home directory to /smbshare/dir1 and /smbshare/dir3. That way when the user maps their home share, they only see dir1 and dir3 - dir2 is out of sight, and thus (hopefully) out of mind. Is there a better way to implement what I'm trying to do? I'm currently looking into setting up permissions as an LDAP directory and using this as the means to control access to the data - have also considered using ACLs - not sure which way to go! Any and all help / input is appreciated. Thank you, Matt
RE: [Samba] Access control question.
Hi Andrew, Thank you for your response. The only problem with going this route is that I really need to have finer grain control over what the users are able to access. I have situations where user1 needs to have access to /smbshare/dir1 and dir3 then user2 needs to have access to /smbshare/dir1/subdir1 and /smbshare/dir3, but *no* access to /smbshare/dir1. I suppose that the real problem lies in the poor setup of the root /smbshare. However, any changes to this configuration are out of the question because too many people who are resistant to change already understand things the way they are ;-) If I understand LDAP properly (I'm new to this technology) then I should be able to store user permissions in the LDAP database, no? Thanks, Matt -Original Message- From: Andrew Sherlock-CF [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 21, 2007 11:07 AM To: Matt Lozier; samba@lists.samba.org Subject: RE: [Samba] Access control question. Is it out of the question to create many different shares and then secure the system on a per-share basis? I'm securing shares individually using Active Directory. In each share config I have: valid [EMAIL PROTECTED] @MR_ADGROUP_FOR_READING write [EMAIL PROTECTED] read [EMAIL PROTECTED] Create different groups for each share and you're golden. Of course, this model can be followed without AD. --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of Matt Lozier Sent: 21 November 2007 15:58 To: samba@lists.samba.org Subject: [Samba] Access control question. Hello, I have a general administrative question concerning Samba shares. I have a large amount of data that about 25 users have limited access to. I only want these users to have access to a sub-set of this data, but I also only want the users to see that which they have access to. So, for example, suppose that the share looks like thus: /smbshare /smbshare/dir1 /smbshare/dir2 /smbshare/dir3 And I only want the users to see that they have access to /smbshare/dir1 and /smbshare/dir3. The way that this is currently setup is that I have symlinks from the user's home directory to /smbshare/dir1 and /smbshare/dir3. That way when the user maps their home share, they only see dir1 and dir3 - dir2 is out of sight, and thus (hopefully) out of mind. Is there a better way to implement what I'm trying to do? I'm currently looking into setting up permissions as an LDAP directory and using this as the means to control access to the data - have also considered using ACLs - not sure which way to go! Any and all help / input is appreciated. Thank you, Matt
[Samba] Re: Unable to join domain in remote subnet...
Quinn Fissler qfissler at gmail.com writes: The problem is caused by the client not having the address of the domain controller. On a windows client, you need to populate %SYSTEM_ROOT%\system32\drivers\etc\lmhosts use UPPERCASE names regardless of what the MS docs say. Hi Guys, Thanks for the input... I was also able to solve the problem by pointing the client's WINS server setting to the PDC in the TCP/IP settings for their Network Connection. Have a great weekend! -Matt
[Samba] Unable to join domain in remote subnet...
Dear Help, Here is my situation: We have offices located in several areas around the country, all of which can communicate with each other through VPNs we have established. I have set up a Samba domain in which the PDC is located here in our home office, and there are BDCs for the same domain in each of the remote offices. I have been able to successfully join machines here in our home office to the domain through Windows, but am not having any luck when I try to join the domain at one of the remote locations. When I go through the manual process of joining the domain on a Windows XP machine, I get a password prompt for the domain user that can add the machine (so I know it's at least finding the BDC)... but then after I type in the username and password, I get the following error: The following error occurred attempting to join the domain ourdomain: The specified domain either does not exist or could not be contacted. I've searched Google for this error and have not found anything useful. I've gone back through the Samba-HowTo on BDC configuration and have not yet found anything. Any help would be greatly appreciated! -Matt Here are my configuration files. (Oh, and for whatever reason, even with a log level of 5, whenever I attempt to join the machine to the domain, no log entry is created).

For the PDC:

[global]
    netbios name = ds-pdc-1
    workgroup = OURDOMAIN
    server string = Samba PDC %v %h
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldaps://IP.HERE ldaps://IP.HERE
    security = user
    log level = 3
    log file = /var/log/samba/%m.log
    max log size = 5000
    add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c 'Machine Account for %u' -s /bin/false %u
    logon path =
    logon home =
    domain logons = Yes
    os level = 128
    preferred master = Yes
    domain master = Yes
    ldap admin dn = cn=admin,o=ORGANIZATION
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=IDMap
    ldap machine suffix = ou=Workstations
    ldap user suffix =
    ldap filter = (cn=%u)
    ldap suffix = o=ORGANZIATION
    ldap passwd sync = No
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n
    idmap backend = ldaps://IP.HERE ldaps://IP.HERE
    idmap uid = 1-2
    idmap gid = 1-2
    veto files = /.?*/
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    wins support = Yes
    encrypt passwords = Yes
    logon script = %U.bat

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    write list = root
    browseable = No
    share modes = No

And here is a BDC -- located offsite:

[global]
    workgroup = OURDOMAIN
    server string = Samba BDC %v %h
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldaps://IP.HERE ldaps://IP.HERE
    log level = 2
    log file = /var/log/samba/%m.log
    max log size = 1000
    logon path =
    logon home =
    domain logons = Yes
    domain master = No
    preferred master = Yes
    ldap admin dn = cn=admin,o=ORGANIZATION
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=IDMap
    ldap machine suffix = ou=Workstations
    ldap suffix = o=ORGANIZATION
    ldap passwd sync = No
    unix password sync = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *New*password* %n\n *retype*new*password* %n\n
    idmap backend = ldaps://IP.HERE ldaps://IP.HERE
    idmap uid = 1-2
    idmap gid = 1-2
    veto files = /.?*/
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    wins server = IP.OF.PDC.HERE

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    write list = root
    browseable = No
    share modes = No
[Samba] Re: installing Samba as non-root user at work - please help.
[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] All I wish to achieve is being able to map my Linux home directory on my Windows PC. Speaking of ports, I specify ports of 1445 and 1139 for smbd, since I cannot use a port below 1024 without having root access. Unless you want to do something fancy like SSH port tunneling, that won't work. The Windows CIFS/SMB client will only connect to port 139 and port 445. I can't see a way to map a drive letter from your Windows box to your Linux box without cooperation from someone with root access on the Linux box. If your Linux box supports SSH access, you could use a tool like WinSCP on your Windows box to copy files to and from your Linux box.
[Samba] Re: forcing XP clients to use CIFS
Andrew Bartlett [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... On Wed, 2007-08-29 at 21:48 +0200, Jax wrote: I guess there is a registry value for it. As I noticed winxp try to use smbfs first not cifs. In linux it's easier because you can choose when you mount your shares. smbfs v cifsvfs is a matter of two implementations of the protocol client, that happen to exist in the Linux Kernel. Windows XP only has one CIFS client, there is nothing to choose. Maybe Jax meant getting the Windows CIFS client to always use SMB Direct Host (TCP port 445), instead of using NetBIOS/TCP (TCP port 139)?
[Samba] Samba Logon Time and Logoff Time...
Dear Help, I am currently running Samba as a PDC (and several BDCs). I noticed that there are sambaLogonTime and sambaLogoffTime LDAP attributes that are currently unused integer values. I would like to be able to track each user's successful logins (in terms of a timestamp -- a hostname would be a bonus) for auditing purposes (especially for determining inactive logins). Currently, I've put together a script that searches through all of the log files for successful authentications and parses out the timestamp and hostname and then figures out if it's the most recent or not. Is there an easier way of doing this? (Or, does anyone know of any plans to start using sambaLogonTime and sambaLogoffTime for this purpose?) Thanks! -Matt
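The log-scanning approach described in the post above, as an added example (not code from the original post or from the Samba project): it reads per-client log files of the kind written by log file = /var/log/samba/%m.log, takes the client name from the file name, and keeps each user's most recent successful authentication. The sample log text is constructed, the two-line message layout is an assumption modelled on Samba 3.0 level-2 auth output, and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: file name -> log text. With the smb.conf setting
# "log file = /var/log/samba/%m.log" each client gets its own file, so the
# file name supplies the host. Line layout is an assumption modelled on
# Samba 3.0 level-2 auth messages (timestamp header, indented message).
SAMPLE_LOGS = {
    "ws-acct-01.log": (
        # Orphaned message line (log rotated mid-entry): it has no timestamp.
        "  check_ntlm_password:  authentication for user [carol] -> [carol] -> [carol] succeeded\n"
        "[2007/08/27 08:59:12, 2] auth/auth.c:check_ntlm_password(309)\n"
        "  check_ntlm_password:  authentication for user [Alice] -> [Alice] -> [alice] succeeded\n"
        "[2007/08/27 09:00:01, 2] auth/auth.c:check_ntlm_password(309)\n"
        "  check_ntlm_password:  authentication for user [WS-ACCT-01$] -> [WS-ACCT-01$] -> [ws-acct-01$] succeeded\n"
        "[2007/08/28 14:10:30, 2] auth/auth.c:check_ntlm_password(315)\n"
        "  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD\n"
    ),
    "ws-lab-07.log": (
        "[2007/07/15 16:20:05, 2] auth/auth.c:check_ntlm_password(309)\n"
        "  check_ntlm_password:  authentication for user [carol] -> [carol] -> [carol] succeeded\n"
        "[2007/08/29 09:02:44, 2] auth/auth.c:check_ntlm_password(309)\n"
        "  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded\n"
    ),
}

# "[YYYY/MM/DD HH:MM:SS, level] ..." header; optional fractional seconds.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+")
# Success line; the third bracket is the account the request was mapped to.
SUCCESS = re.compile(
    r"authentication for user \[[^\]]*\] -> \[[^\]]*\] -> \[([^\]]+)\] succeeded")


def parse_successes(text, host):
    """Yield (user, timestamp, host) for each successful user logon in text."""
    stamp = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        hit = SUCCESS.search(line)
        if hit is None or stamp is None:
            continue  # failure, unrelated message, or entry with no timestamp
        user = hit.group(1).lower()  # account names compare case-insensitively
        if user.endswith("$"):
            continue  # machine trust account, not a person
        yield user, stamp, host


def last_logons(logs):
    """Map user -> (most recent successful logon time, client host)."""
    latest = {}
    for filename, text in logs.items():
        host = filename[:-4] if filename.endswith(".log") else filename
        for user, stamp, client in parse_successes(text, host):
            if user not in latest or stamp > latest[user][0]:
                latest[user] = (stamp, client)
    return latest


def inactive_users(accounts, latest, now, max_age_days):
    """Accounts with no successful logon within max_age_days before now."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(
        name for name in accounts
        if name.lower() not in latest or latest[name.lower()][0] < cutoff)


if __name__ == "__main__":
    seen = last_logons(SAMPLE_LOGS)
    for user, (stamp, host) in sorted(seen.items()):
        print(f"{user:10} last logon {stamp:%Y-%m-%d %H:%M:%S} from {host}")
    stale = inactive_users(["alice", "bob", "carol"], seen,
                           datetime(2007, 9, 1), 30)
    print("inactive:", ", ".join(stale))
```

Rotated or truncated logs only shorten the history this can see, so an account reported as inactive should be checked against the retention period of the log files before it is disabled.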
[Samba] Re: Log files created for every machine not joined to the domain...
Jean-Jacques Moulis jj at isy.liu.se writes: Windows XP automatically searches the network for shares and printers upon connecting to the network. To disable XP automatic discovery: * In Explorer, click Tools * Click Folder Options * Click the View tab, * Uncheck Automatically Search for Network Folders and Printers in Advanced settings list. Hi Jean-Jacques, Thanks so much for that info... that makes sense as to why it would create log files then, since it's attempting to access/find shares on the server. Have a great day! -Matt
[Samba] Log files created for every machine not joined to the domain...
Hello Help, I'm currently running Samba as a PDC (and several BDCs) on our network. The domain is currently in a testing stage and only has a small number (less than 5) machines joined to it. However, when I go to the /var/log/samba directory, there seems to be a log file created for virtually every machine on our network. When I open a few of the log files, it looks like authentication attempts are taking place--against both the local machine and the domain)... why is that? Is it normal for Samba to create log files for machines that aren't yet a part of the domain? Any insight would be greatly appreciated. Thanks! -Matt (BTW - I have the line /var/log/samba/%m.log in my smb.conf file, so I would expect log files to be created for each machine joined to the domain, but not every machine on the entire network)
[Samba] Re: Log files created for every machine not joined to the domain...
I get log files for every single ip address that tries to contact the samba server even if they are not part of the domain. John Hi John, Thanks for the quick reply. Do you know why a computer not joined to the domain (and not accessing shares/printers on the PDC) would be contacting it? I'm new to using Samba as a PDC/BDC, so I'm not sure what's going on here. Any thoughts would be appreciated. -Matt