[Samba] Samba PDC change password issue

2004-05-11 Thread Ron Liu
Hi there

I have a Samba PDC (Version 2.2.7a) running on RH 9.0 (2.4.20-8 #1). There are
about 50+ Win2k PCs and member servers. Everything has been working nicely
for almost 6 months until recently. I noticed that recently when users try
to change their domain password with Ctrl-Alt-Del from a Win2k workstation, Windows
gives an error message saying "The system cannot change your password
now because the domain mydomain is not available". However, the password
actually does change regardless of the error message. It seems there is no
problem with login, accessing network resources etc. However, the error
message is irritating, and I do see some error messages in the Samba server
log. It happens to all the users as far as I know.

/var/log/samba/bio-fs89.log
***
[2004/05/11 09:40:08, 0] lib/util_sec.c:assert_gid(114)
  Failed to set gid privileges to (0,99) now set to (0,-1) uid=(0,99)
[2004/05/11 09:40:08, 0] lib/util.c:smb_panic(1094)
  PANIC: failed to set gid

[2004/05/11 09:40:08, 0] lib/util_sec.c:assert_gid(114)
  Failed to set gid privileges to (0,99) now set to (0,-1) uid=(0,99)
[2004/05/11 09:40:08, 0] lib/util.c:smb_panic(1094)
  PANIC: failed to set gid

Any suggestions/solutions??

Thank you for your help!

-Ron



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Scott Moseman
Sent: Friday, March 26, 2004 8:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [Samba] Samba 3.0  2003 Active Directory Native Mode



Exactly the question that I am trying to get answered, too.

What I was able to accomplish:  I setup Samba 3.0.2a and it
was able to see the AD (users/groups) and join into the AD.

BUT... I was not able to get people to authenticate against
Samba.  I kept getting a Kerberos ticket error, and I tried
several configs that I found through Google, none worked.

I am in the process of re-installing my AD (lab setup) into
Mixed Mode to see if Native Mode was my problem.  It seems
as though finding a straight answer to this ? is not easy!

Thanks,
Scott Moseman



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of David Morse
Sent: Friday, March 26, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: [Samba] Samba 3.0  2003 Active Directory Native Mode

Does Samba 3.0.2a release integrate with Windows Active Directory
running in 2003 Native Mode?

The situation is that two corporate departments are joining their
network infrastructure.  One department runs several Samba 2.2
servers and the other is a 2003 Native Mode Active Directory.  I
understand that if you upgrade to Samba 3.0 this supports Windows
2000 AD, but it is unclear to me if Samba will integrate seamlessly
with a 2003 Native Mode AD environment.  I'm looking for a straightforward,
non-biased, no-BS answer.  If it works, cool, I'm not afraid
of the overall work involved.  Any help would be greatly appreciated.

David Morse



--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba



RE: [Samba] Samba-ldap-pdc questions

2004-01-06 Thread Ron Liu
Thank you all for your help.
1. I do have a netlogon share in smb.conf. The Samba PDC works well if I use
the smbpasswd backend.

I did use:
smbpasswd -w ROOT_DN_PASSWORD to set up the LDAP rootdn password.
I also used ldappasswd to generate the encrypted rootpw entry for
slapd.conf. Is this necessary?

Thanks
Ron

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 11:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba-ldap-pdc questions


On Mon, 2004-01-05 at 16:50, Ron Liu wrote:
 Hi there,
 I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
 I used the RPMs for the installations. After setup, both smb and ldap start
 without problem. However, when I tried to add users with smbpasswd -a userid,
 it gave me the following errors. Can someone point me in the right direction?
 Is there anything I can do to run more tests and diagnostics? I've copied the
 error message, and the conf files samba.conf and slapd.conf.

 Thank you for your help!

 Ron Liu
 Information Technology Consultant
 Biology Department
 San Jose State University
 408-924-4860
 [EMAIL PROTECTED]


 [EMAIL PROTECTED] openldap]# smbpasswd -a bliu
 New SMB password:
 Retype new SMB password:
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
 (unknown) (Invalid credentials)
 fetch_ldap_pw: neither ldap secret retrieved!
 ldap_connect_system: Failed to retrieve password from secrets.tdb
 Connection to LDAP Server failed for the 1 try!
 smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
 credentials)
 Failed to add entry for user bliu.
 Failed to modify password entry for user bliu


 
 #=== Global Settings ===
 [global]
workgroup = mydomain
netbios name = ts010
encrypt passwords = yes
passdb backend = ldapsam:ldap://localhost/
ldap suffix = o=mydomain,dc=mydomain,dc=com
ldap machine suffix = ou=Comupters
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=tsadmin,dc=mydomain,dc=com
 #   ldap ssl = start tls
ldap delete dn = no
server string = mydomain Samba Server
hosts allow = 10.101.0. 10.101.1. 127.
printcap name = cups
load printers = yes
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
security = user
password level = 8
 ;  username level = 8
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd *all*authentication*tokens*updated*successfully*
 ;  username map = /etc/samba/smbusers
 ;   include = /etc/samba/smb.conf.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon script = scripts\logscript.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
 ; name resolve order = wins lmhosts bcast
wins support = yes
dns proxy = no
write list = @tsadmin
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
 [home]
 ...
 *
 my slapd.conf
 
 # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
 #
 # See slapd.conf(5) for details on configuration options.
 # This file should NOT be world readable.
 #
 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/redhat/autofs.schema
 #rliu, 12/31/03
 include /etc/openldap/schema/samba.schema

 # Allow LDAPv2 client connections.  This is NOT the default.
 allow bind_v2

 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
 #referral   ldap://root.openldap.org

 pidfile /var/run/slapd.pid
 #argsfile   //var/run/slapd.args

 # Load dynamic backend modules:
 # modulepath   /usr/sbin/openldap
 # moduleload

[Samba] Samba-ldap-pdc questions

2004-01-05 Thread Ron Liu
Hi there,
I am setting up Samba(3.0.1-1)-ldap(openldap-2.1.22-8)-pdc on Fedora 1.0.
I used the RPMs for the installations. After setup, both smb and ldap start
without problem. However, when I tried to add users with smbpasswd -a userid,
it gave me the following errors. Can someone point me in the right direction?
Is there anything I can do to run more tests and diagnostics? I've copied the
error message, and the conf files samba.conf and slapd.conf.

Thank you for your help!

Ron Liu
Information Technology Consultant
Biology Department
San Jose State University
408-924-4860
[EMAIL PROTECTED]


[EMAIL PROTECTED] openldap]# smbpasswd -a bliu
New SMB password:
Retype new SMB password:
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
credentials)
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
credentials)
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(unknown) (Invalid credentials)
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP Server failed for the 1 try!
smbldap_search_suffix: Problem during the LDAP search: (unknown) (Invalid
credentials)
Failed to add entry for user bliu.
Failed to modify password entry for user bliu



#=== Global Settings ===
[global]
   workgroup = mydomain
   netbios name = ts010
   encrypt passwords = yes
   passdb backend = ldapsam:ldap://localhost/
   ldap suffix = o=mydomain,dc=mydomain,dc=com
   ldap machine suffix = ou=Comupters
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap admin dn = cn=tsadmin,dc=mydomain,dc=com
#   ldap ssl = start tls
   ldap delete dn = no
   server string = mydomain Samba Server
   hosts allow = 10.101.0. 10.101.1. 127.
   printcap name = cups
   load printers = yes
   printing = cups
   log file = /var/log/samba/%m.log
   max log size = 50
   security = user
   password level = 8
;  username level = 8
   smb passwd file = /etc/samba/smbpasswd
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd *all*authentication*tokens*updated*successfully*
;  username map = /etc/samba/smbusers
;   include = /etc/samba/smb.conf.%m
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
   os level = 33
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = scripts\logscript.bat
   logon path = \\%L\Profiles\%U
   logon drive = H:
   logon home = \\%L\%U
; name resolve order = wins lmhosts bcast
   wins support = yes
   dns proxy = no
   write list = @tsadmin
   add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
[home]
...
*
my slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
#rliu, 12/31/03
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile /var/run/slapd.pid
#argsfile   //var/run/slapd.args

# Load dynamic backend modules:
# modulepath   /usr/sbin/openldap
# moduleload   back_bdb.la
# moduleload   back_ldap.la
# moduleload   back_ldbm.la
# moduleload   back_passwd.la
# moduleload   back_shell.la

# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running make slapd.pem, and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
#   Require integrity protection (prevent hijacking

RE: [Samba] Samba, Redhat 9.0, Not doign ACl.. (cannot load Userlist at this time)

2003-09-30 Thread Ron Liu
I think I've seen a similar thing. Let's try a couple of things.

1. On the client side, try logging in as a brand new domain account to make sure the
PDC can still do authentication. We just want to make sure the
authentication communication between the PDC and the client machine is OK. If
the client is Win XP don't forget to set the registry key.

2. Check whether you can ssh to the RH 9 PDC with a normal user account. When this
happened to me last time I found I could not ssh to the PDC box other
than as root. The root cause was that the mode was screwed up on the /etc
directory. Make sure the mode of /etc is 755.

Regards

Ron Liu
Information Technology Consultant
Biology Department
San Jose State University
408-924-4860
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Brad Langhorst
Sent: Monday, September 29, 2003 7:13 AM
To: Damien Roy
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba, Redhat 9.0, Not doign ACl.. (cannot load
Userlist at this time)


On Mon, 2003-09-29 at 09:01, Damien Roy wrote:

 This is something which, everywhere I have searched, they have said can't
happen: you can't get a list of users using Samba as the PDC; you
need to be running a 2k or higher PDC.

this can work...
try samba3

brad

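The check behind step 2 of the reply above, written out as an added shell example (it is not code from any of the list posts). It inspects the mode bits of a directory and the files under it instead of relying on test -r, because root bypasses permission checks entirely; that is why root could still ssh in while every other account failed, and it is the same symptom as the "-bash: /etc/profile: Permission denied" from "su - rontest" reported later on this page. The directory and file list are parameters; the /etc defaults named in the usage comment are assumptions of this example, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not code from the list posts: check that a directory and
# the files under it carry the "others" permission bits a normal user needs
# to log in. The symptom on this page (ssh and "su - user" work for root but
# a plain user gets "-bash: /etc/profile: Permission denied") comes from
# /etc losing o+rx. Root never sees it because root bypasses mode checks,
# so this inspects the mode bits rather than using "test -r", which would
# always succeed when run as root.

# Octal permission string of a path; GNU stat first, BSD/macOS stat fallback.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Last octal digit of a mode string = the permission bits for "others".
others_digit() {
    mode=$1
    printf '%s' "${mode#${mode%?}}"
}

# world_can DIGIT r|rx : does the "others" digit carry read (4), or both
# read and search/execute (4+1)?
world_can() {
    case $2 in
        r)  case $1 in 4|5|6|7) return 0 ;; esac ;;
        rx) case $1 in 5|7)     return 0 ;; esac ;;
    esac
    return 1
}

# check_world_access DIR [FILE...]
#   Returns 0 if DIR is world-readable and world-searchable (o+rx, e.g. 755)
#   and every FILE is world-readable (o+r, e.g. 644); otherwise reports each
#   offender with its current mode and returns 1.
check_world_access() {
    dir=$1; shift
    status=0
    mode=$(perm_of "$dir") || { echo "cannot stat $dir"; return 1; }
    if ! world_can "$(others_digit "$mode")" rx; then
        echo "$dir: mode $mode; others need r and x (expected 755)"
        status=1
    fi
    for f in "$@"; do
        mode=$(perm_of "$f") || { echo "cannot stat $f"; status=1; continue; }
        if ! world_can "$(others_digit "$mode")" r; then
            echo "$f: mode $mode; others need r (expected 644)"
            status=1
        fi
    done
    if [ "$status" -eq 0 ]; then
        echo "$dir: OK"
    fi
    return "$status"
}

# Usage (assumed defaults, adjust to the distribution):
#   sh check_etc.sh /etc /etc/profile /etc/bashrc /etc/passwd
if [ "$#" -gt 0 ]; then
    check_world_access "$@"
fi
```

Run it as root on the PDC after a login failure that root does not share; a non-zero exit with the offending path and mode points at the directory or file to chmod back, without having to log in as the affected user to reproduce the problem.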


[Samba] Please check if your are sending offending emails

2003-09-25 Thread Ron Liu
Hi there,
In the last few weeks I've received tons of these "Microsoft Security updates"
emails with a virus attachment. These emails must be from the samba or ldap mailing
list. Below I list some senders' source IP addresses and host names.
This is only a very small part of the list. If I have time, I will be sending more
of the offending hosts list to you. Please take a look; if your machine happens to
be one of the offending hosts, please try to clean it up. You can find more
information about cleaning up an infected machine at
http://securityresponse.symantec.com/

Offending hosts list (part 1)

from in.menzolit-fibron.sk ([217.118.110.162])

Received: from empcorreo.onolab.com (smtp.onored.com [62.42.230.27])

from cobalt.eux.nl (213-132-174-148.multikabel.nl [213.132.174.148])

Received: from smtp04.wxs.nl (smtp04.wxs.nl [195.121.6.59])

Received: from vsmtp12.tin.it (vsmtp12.tin.it [212.216.176.206])
Received: from fxdmfn (80.182.241.123) by vsmtp12.tin.it (7.0.019)

Received: from mail.chariot.net.au (mail.chariot.net.au [203.87.95.38])
Received: from clbnqpl (ppp-080.cust203-87-121.ghr.chariot.net.au
[203.87.121.80])
by mail.chariot.net.au (Postfix) with SMTP

Received: from mta06bw.bigpond.com (mta06bw.bigpond.com [144.135.24.156])
Received: from qngjcj ([144.135.24.72]) by mta06bw.email.bigpond.com
 (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
 with SMTP id [EMAIL PROTECTED] for

Received: from poczta.xtra.pl (poczta.xtra.pl [212.14.56.8])
Received: from zpvcvl (em21313623232.teleton.pl [213.136.232.32])
by poczta.xtra.pl (Postfix) with SMTP
id 6C1591AEBC; Thu, 25 Sep 2003 14:13:05 +0200 (CEST)

Received: from mail0.ewetel.de (mail0-96.ewetel.de [212.6.122.96])
Received: from pjcsj (dialin-79153.ewetel.net [212.6.79.153])
by mail0.ewetel.de (8.12.1/8.12.9) with SMTP id h8PC77jB029732;
Thu, 25 Sep 2003 14:07:08 +0200 (MEST)

Received: from imf21aec.mail.bellsouth.net (imf21aec.mail.bellsouth.net
[205.152.59.69])
Received: from lqocotba ([68.209.11.2]) by imf21aec.mail.bellsouth.net
  (InterMail vM.5.01.05.27 201-253-122-126-127-20021220) with SMTP
  id [EMAIL PROTECTED];
  Thu, 25 Sep 2003 07:49:41 -0400

Received: from torvals1.ciudadglobal.com.ar (200.69.145.126.techtelnet.net
[200.69.145.126] (may be forged))
Received: from jdnhorq (asterix-nat1.ciudadglobal.com.ar [200.69.145.124]
(may be forged))
by torvals1.ciudadglobal.com.ar (8.12.8/8.12.8) with SMTP id
h8PEHlAB028358;
Thu, 25 Sep 2003 11:17:48 -0300

Received: from mail.d-net.cz (mail.d-net.cz [194.213.244.98])
Received: from server.menu.cz (swuniv.d-net.cz [195.128.197.117] (may be
forged))
by mail.d-net.cz (8.12.3/8.12.3/Debian-6.6) with ESMTP id h8PE3qLm001832;

Received: from webserver.pmp.pr.gov.br ([200.163.242.234])
Received: from ywqwyrl (unknown [192.168.1.140])
by webserver.pmp.pr.gov.br (Postfix) with SMTP
id A5403D81E9; Thu, 25 Sep 2003 07:59:37 -0300 (BRT)
***

Thank you for your help

Ron Liu
Information Technology Consultant
Biology Department
San Jose State University
408-924-4860
[EMAIL PROTECTED]




[Samba] rsync problems with RH 9.0 via ssh

2003-09-24 Thread Ron Liu
Hi there,
I have a Samba server called serv01 set up on RH 9.0 as the PDC for my domain
authentication and file server. It works great. I have another server called
serv02 with RH 9.0. What I am trying to do is:

Keep serv02 in sync with serv01 using rsync for the /etc/samba/ directory and
the /home/ directory, so that if serv01 fails I should be able to change the IP
address and host name of serv02 to be the same as serv01, and the domain users
should still be authenticated and able to access their home directories and shares
just as if it were serv01.

Please let me know if you think it is possible.

I've generated a DSA key pair on serv02 and copied the id_dsa.pub to
serv01:/root/.ssh/authorized_keys, so that I can ssh to serv01 from serv02
without a password, and I can also do scp from serv02: scp serv01:/etc/samba/
/etc/samba/

However, when I use the following command from serv02 I get this:


[EMAIL PROTECTED] samba]# rsync -av serv01:/etc/samba/ /etc/samba/
serv01: Connection refused
rsync: connection unexpectedly closed (0 bytes read so far)
rsync error: error in rsync protocol data stream (code 12) at io.c(150)
[EMAIL PROTECTED] samba]#

BTW, I also tried without the public key and got the same results.

Your help will be highly appreciated.

Ron Liu
Information Technology Consultant
Biology Department
San Jose State University
408-924-4860
[EMAIL PROTECTED]



[Samba] XP Local Group add prblem - Object Picker Incomplete

2003-09-17 Thread Ron Liu
Hi Scott,
I have a similar problem. I am running RH 9.0 and smbd 2.2.7a:
[EMAIL PROTECTED] samba]# smbd -V
Version 2.2.7a
[EMAIL PROTECTED] samba]# uname -a
Linux Bobolink 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386
GNU/Linux

It is a Samba PDC. It has been working great. I had no problem logging in
from both Windows XP Pro and Windows 2000 Pro, and no problem logging in to the
Linux box using PuTTY with my account (rontest). However, starting from
yesterday afternoon, I noticed that I can only log in to the Linux box as
root; whenever I tried to log in as rontest, as soon as I typed in the
password for rontest, the PuTTY window closed right away, and
/var/log/messages says authentication OK. I am totally clueless.

Now, after I rebooted my WinXP machine, I logged in to rontest of mydomain,
all my profile is lost and rontest is not in the administrator group
anymore. I logged in to the XP machine with another domain admin account and
tried to add rontest to the local administrator group, and I got the exact same
message you were getting!!

One more note:
I can ssh to the Linux PDC box as root without problem, but when I do su -
rontest I get this:

[EMAIL PROTECTED] samba]# su - rontest
-bash: /etc/profile: Permission denied

Please let me know if you have any clue.

Thank you very much

Ron Liu
Information Technology Consultant
Biology Department
San Jose State University
408-924-4860
[EMAIL PROTECTED]




Hey troops!

Well, it seems that I'm the one that needs some help this time.

Here's the situation.

I've got an XP Pro box with SP1 on it, and whenever I try to add any
'domain_user' to any 'local_group' it gives me the following error
message:

Information returned from the object picker for object username was
incomplete.  The object will not be processed.

A couple of notes:
1. This is not a problem on Windoze 2K or NT

2. I have fixed the three relevant Registry keys:
(HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Services\Netlogon\Parameters\requiresignorseal = 0)
(HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Services\Netlogon\Parameters\requirestrongkey = 0)

3. I changed the following Group policy to 'enabled':
Computer Configuration\Administrative Templates\System\User Profiles\Do
not check for user ownership of Roaming Profile Folders

4. The XP box is a domain member with a machine$ account.  It has Domain
Admins in the Local Admins Group, as well as Domain Users in the Local
Users Group.  If I add the user to the 'domain admin group' on Samba she
does inherit Local Admin rights.  So every thing is working fine
**except** the ability to add a user specifically from the Domain to the
Local Group!

5. I have Googled for days, and nobody has come up with an answer in
previous postings.
FYI: An example search
http://www.mail-archive.com/cgi-bin/htsearch?method=andformat=shortconfig=samba_lists_samba_orgrestrict=exclude=words=object+picker+


Thanks!
