[Samba] Mapping directories based on group membership
I'm using Samba 3.0.2 and LDAP backend. I have users assigned to groups based on their departments. I also have a directory created for each department. What I want to do is map a drive letter to a user's department directory. The groups are also secondary groups as the primary group for every user is 'Domain Users'.

Does anyone know a way to accomplish this? What I'm kind of looking for is a group home directory type situation?

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
The machine accounts will show with the users; they will be suffixed with a $. In the LDAP backend I have an SID for the domain name and an SID for the server itself which is not contained in LDAP. Then each computer and each user had two SID's (sambaSID and sambaPrimaryGroupSID) and the groups only have one SID (sambaSID).

My discrepancy was in the domain name SID which was different than the server's SID. The groups and users matched the server's SID but the computers matched both the server's SID (sambaPrimaryGroupSID) and the wrong domain name SID from the LDAP entry (sambaSID). When I made all match the server's SID everything started working.

I haven't worked with the smbpasswd as a PDC so I'm not sure where all the SID's are stored.

-Original Message-
From: Stumpfl Markus [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 11:30 PM
To: 'Scott Gross'
Cc: MailingList_Samba
Subject: AW: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble

Oh, so you are using ldap..., well I'm still working with smbpasswd as backend :-(

Anyway, I tried 'net getlocalsid' for the domain-sid - ok
Next 'net usersidlist' which should show me the user-sids - didn't work:

[2004/03/04 06:40:05, 0, pid=31232, effective(0, 0), real(0, 0)] utils/net_rpc.c:net_usersidlist(2158)
Could not get the user/sid list

So used 'net user' instead, which then gave me the user list!?

What am I missing here? And is there a way to see the machine sids too? Or are they included in the users?

Thanks in advance,
Markus

-Original Message-
From: Scott Gross [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 03 March 2004 18:29
To: Stumpfl Markus
Subject: RE: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
Importance: High

I use a little windows gui program called LDAP browser to look at my LDAP entries and I was just looking through the entries at the SID's since someone suggested it might be an SID problem and noticed the discrepancy on the domain name entry. I changed it to match all the others just to see if it would have any effect and voilà it worked.

-Original Message-
From: Stumpfl Markus [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 10:52 PM
To: 'Scott Gross'
Subject: AW: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble

Thx, but how did you find out? With what commands?

Sry for the stupid questions, but I'm kinda new to samba.

Thanks in advance,
Stumpfl Markus

-Original Message-
From: Scott Gross [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 02 March 2004 18:14
To: Stumpfl Markus; Scott Gross
Subject: RE: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble

I got mine working; it was SID mismatch. The Domain name SID was different from the server and the users.

-Original Message-
From: Stumpfl Markus [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 11:22 PM
To: 'Scott Gross'
Subject: AW: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble

Do you get the problem (when trying domain logon): invalid password or domain? I've got the same prob...

I'll tell you, when it's working and vice versa, hopefully ;-)

Stumpfl Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Gross
Sent: Friday, 27 February 2004 18:25
To: [EMAIL PROTECTED]
Subject: [Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble

I have a Samba 3 PDC running with an LDAP backend on Red Hat 8. All authentication appears to be working correctly but I can't login to the domain from a W2K or WXP Pro workstation after I have successfully joined them to the domain. If I login locally to the workstation I can browse the Samba shares just fine. I have checked the schannel and sign or seal settings on both the workstations and the server and made sure they were set to disable but still no luck. Can anyone give me any ideas on how to solve this problem?

TIA
Scott

Smb.conf

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2003/11/25 10:42:04

# Global parameters
[global]
    workgroup = FIFEDEV
    netbios name = Dev
    null passwords = Yes
    passdb backend = ldapsam
    passwd program = /usr/local/bin/smbldap-passwd.pl -o %u
    passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
    passwd chat debug = Yes
    log file = /var/log/samba/%m.log
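
The SID mismatch described in this thread can be checked mechanically. The following is an added example, not code from any poster or from the Samba project: it scans an LDIF export of the directory for sambaSID and sambaPrimaryGroupSID values whose domain portion differs from the server SID reported by 'net getlocalsid'. The LDIF text, every SID value and the function names are constructed for illustration.

```python
import base64

# Constructed sample: DN layout follows the thread (ou=_USERS_, ou=_GROUPS_,
# ou=_COMPUTERS_); every SID value below is made up for illustration.
SERVER_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # as from 'net getlocalsid'
SAMPLE_LDIF = """\
dn: sambaDomainName=FIFEDEV,dc=test,dc=com
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=root,ou=_USERS_,dc=test,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: cn=Administrators,ou=_GROUPS_,dc=test,dc=com
sambaSID: S-1-5-32-544

dn: uid=fife3400sales02$,ou=_COMPUTERS_,
 dc=test,dc=com
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1005
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-515
"""

SID_ATTRS = {"sambasid", "sambaprimarygroupsid"}

def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per entry; handles folding and base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = []
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64 value>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.append((attr.strip(), value.strip()))
        elif entry:
            dn = next((v for a, v in entry if a.lower() == "dn"), None)
            if dn:
                yield dn, entry
            entry = []

def domain_part(sid):
    """Return S-1-5-21-x-y-z without the RID; None for builtin/well-known SIDs."""
    fields = sid.split("-")
    if len(fields) < 7 or fields[:4] != ["S", "1", "5", "21"]:
        return None
    return "-".join(fields[:7])

def find_sid_mismatches(ldif_text, server_sid):
    """List (dn, attribute, sid) whose domain portion differs from server_sid."""
    return [
        (dn, attr, value)
        for dn, attrs in parse_ldif(ldif_text)
        for attr, value in attrs
        if attr.lower() in SID_ATTRS
        and domain_part(value) not in (None, server_sid)
    ]

if __name__ == "__main__":
    for dn, attr, sid in find_sid_mismatches(SAMPLE_LDIF, SERVER_SID):
        print(f"MISMATCH {dn}: {attr} = {sid}")
```

On the constructed sample it flags the sambaDomainName entry and the machine account's sambaSID, the same pattern reported in the thread, while the builtin S-1-5-32 group is skipped because it is not domain-relative.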
RE: [Samba] Workstation crash after login to PDC
No reference to Unicode, I was trying to log in as root to the workstation as I hadn't created any other users except Administrator. When I log in as the Administrator the clients don't crash only when I log in as root. I created other users and they work too. This isn't a problem as I was going to disable root to log into samba anyway.

-Original Message-
From: Andrew Bartlett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 4:19 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Workstation crash after login to PDC

On Tue, 2004-03-02 at 11:12, Scott Gross wrote:

Finally figured out why I couldn't login to my samba 3.0.2a PDC, I had a mismatch in one of the SID's. Now that I have that figured out my workstations crash when logging in after applying the personal settings. The error is in a window titled SAS window:winlogon.exe - Application Error with the message being instruction at 0x00450056 referenced memory at 0x the memory could not be written. That is on the WinXP workstation. The Win2K workstation just reboots. Anyone have any ideas?

Ensure you have no reference to 'unicode' in your smb.conf. It must be 'yes', which is the default. Anything else can and *will* crash clients. I intend to remove it in future versions of Samba.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
RE: [Samba] Can't login to Samba PDC
Sorry, when I was hitting reply I thought it was going back to the list not just to you. I wasn't paying attention to the address line in the e-mail.

I'm not using the windows wizard to join the domain but I am doing the join from the windows workstation. I'm not big on some of the wizards so I use the change button (from windows XP computer name screen) or the properties button (from Win2K network identification screen).

The computer is being added to the _COMPUTERS_ container in my LDAP with the appropriate trailing $ (uid=fife3400sales02$,ou=_COMPUTERS_). The domain portion of all SID's is the same (User-Group-Computer-sambaDomainName). When the workstation tries to authenticate the user I can see the connection to IPC$ on the samba server. 'uid=root,ou=_USERS_' is a sambaSamAccount and is a member of 'cn=Domain Users,ou=_GROUPS_'.

I did just notice that 'cn=Domain Computers,ou=_GROUPS_' doesn't have any members in it. Do I need to add the computers to this group?

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 10:16 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

On Mon, 2004-03-01 at 10:42, Scott Gross wrote:

First thing is what list do you keep talking about? Am I not supposed to be asking about Samba things in this list?

---
The Samba list is the list I am specifically referring to. Every time you hit the 'reply' button, it replies only to me. If you hit 'reply to all' it will also reply to the samba list. Every reply I have hit, I have added the [EMAIL PROTECTED] to the address because you seem to only want to reply to me. Thus, you would be asking Samba things to the samba list if you would only include the samba list in your replies.
---

Second is the domain names are different. That is how you can tell which domain you are logging into. Why don't you try helping with the problem or let someone else if you don't want to.

---
I would be happy to let someone else help you - you have to actually post to the list instead of just emailing me.

If the domain names are different, then your usage of the term migrate in your original email was misleading and I'm sorry it took me 4 emails to get this information out of you.

Evidently, the method you are using to 'join' the domain with the computer isn't functioning properly. Are you putting the computer accounts in the 'People' container? Is root a samba member? Do you use the Win2K/WinXP wizard to join the domain?

Craig

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 9:43 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

First thing is...please keep this on list

Second thing is...if NT is a PDC, then machine accounts should be created on that system - You can't simultaneously have a Windows Samba PDC/BDC of any combination. How would you be sure which machine is getting the machine accounts and which machine is handling the authentication?

Craig

On Mon, 2004-03-01 at 09:48, Scott Gross wrote:

First thing is first. I need to be able to join a machine to the domain and be able to login to the domain. This is just to test and make sure the new Samba server is working. This is the problem I'm having and what I'm looking for help on. Not how to migrate my users.

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 8:52 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

Please keep this on list...

The logical thing to do would be to keep your NT server as the PDC. Set up samba not to be a domain controller at all but as a member server to the domain (join that machine to the domain - using password server = PDC / security = domain and net join ...)

That way, you can create all of the users, join all the machines, set up roaming profiles (on the 'member' server) and get all ready. Then, when you are ready, you can do the net rpc vampire command and suck all of the user accounts/machine accounts/groups into your LDAP.

Craig

On Mon, 2004-03-01 at 09:34, Scott Gross wrote:

I was planning to do each machine manually rather than using scripts to move the users as I have to change a lot of things on the users PC to keep them running after I move them to the new domain. So my intention was to join the computer to the new domain, add the user to the Samba domain then configure their PC for the new e-mail system and such. I have to do about 100 workstations in many different locations and a slow change over with no problems is preferable
RE: [Samba] WinXP PDC logon problem...
Check your domain SID's. I was having a similar problem and found that somehow I had a different SID for the SambaDomainName entry in my LDAP. I'm finally able to get past the username/password error but my workstations now crash hard during the login.

-Original Message-
From: Ryan Lohan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 3:41 PM
To: Spam
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Samba] WinXP PDC logon problem...

The only change here is the requiresignorseal value, which I've changed - it doesn't work on WinXP (SP1). Still can't login to the domain after joining it successfully.

Cheers,
Ryan

Ryan Lohan                   Email  : [EMAIL PROTECTED]
Systems Engineer             Phone  : +61 2 9466 9400
NSW Sales, North Sydney      Direct : +61 2 9466 9716
Sun Microsystems Australia   Fax    : +61 2 9466 9415

It may be that the sole purpose of your life is simply to serve as a warning to others...

- Original Message -
From: Spam [EMAIL PROTECTED]
Date: Monday, March 1, 2004 4:46 pm
Subject: Re: [Samba] WinXP PDC logon problem...

There was a registry file distributed with Samba before. This is the one I have from Samba 2.x:

PDCLogon.reg:
~~~START~~~
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters]
DisablePasswordChange=dword:
maximumpasswordage=dword:001e
requiresignorseal=dword:
requirestrongkey=dword:
sealsecurechannel=dword:0001
signsecurechannel=dword:0001
Update=no
~~~END~~~

Hi all,

I've seen this raised as an issue on other mailing lists, but I've not seen a solution, and I've seen a number of notes to post to this alias instead, so here I am.

I've setup Samba as a PDC running on Solaris. I have a WinXP (latest patch levels) PC which I want to join to the domain. I can successfully join the domain using root authentication, but I am unable to logon with any of my NIS users (stored in both /etc/passwd and smbpasswd)...?

I've seen a comment to edit a Windows registry setting (requiresignorseal) and I tried this, but nothing changed.

Is there a solution to this issue, or will I be forced back to the hell of an Active Directory/WinNT PDC? :(

Cheers,
Ryan
[Samba] Workstation crash after login to PDC
Finally figured out why I couldn't login to my samba 3.0.2a PDC, I had a mismatch in one of the SID's. Now that I have that figured out my workstations crash when logging in after applying the personal settings. The error is in a window titled SAS window:winlogon.exe - Application Error with the message being instruction at 0x00450056 referenced memory at 0x the memory could not be written. That is on the WinXP workstation. The Win2K workstation just reboots. Anyone have any ideas?
[Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble
I have a Samba 3 PDC running with an LDAP backend on Red Hat 8. All authentication appears to be working correctly but I can't login to the domain from a W2K or WXP Pro workstation after I have successfully joined them to the domain. If I login locally to the workstation I can browse the Samba shares just fine. I have checked the schannel and sign or seal settings on both the workstations and the server and made sure they were set to disable but still no luck. Can anyone give me any ideas on how to solve this problem?

TIA
Scott

Smb.conf

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2003/11/25 10:42:04

# Global parameters
[global]
    workgroup = FIFEDEV
    netbios name = Dev
    null passwords = Yes
    passdb backend = ldapsam
    passwd program = /usr/local/bin/smbldap-passwd.pl -o %u
    passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
    passwd chat debug = Yes
    log file = /var/log/samba/%m.log
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
    delete user script = /usr/local/sbin/smbldap-useradd.pl -d %u
    add group script = /usr/local/sbin/smbldap-useradd.pl -a -g %g%
    delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g %g
    add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u %u -g %g
    delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u %u -g %g
    set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u %u -gid %g
    add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w %m
    logon script = logon.bat
    logon path =
    logon drive =
    domain logons = Yes
    os level = 22
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    wins proxy = No
    ldap suffix = dc=test,dc=com
    ldap machine suffix = ou=_COMPUTERS_
    ldap user suffix = ou=_USERS_
    ldap group suffix = ou=_GROUPS_
    ldap admin dn = cn=Manager,dc=test,dc=com
    ldap ssl = No
    ldap passwd sync = yes
    comment = Samba-PDC Server
    public = No
    browseable = Yes
    writable = No
    client schannel = No
    server schannel = No
    client signing = No
    server signing = No

[netlogon]
    path = /usr/local/samba/lib/netlogon
    read only = Yes
    write list = ntadmin
    locking = No

[tmp]
    path = /tmp
    guest ok = Yes
    read only = Yes

[profiles]
    path = /profiles
    read only = No
    writable = Yes
    create mask = 0600
    directory mask = 0700

[homes]
    comment = Home Directories
    browsable = no
    writeable = yes
    valid users = %S
    create mask = 0700
    directory mask = 0700
    hide dot files = yes

testparm -v (output)

# Global parameters
[global]
    dos charset = CP850
    unix charset = UTF-8
    display charset = LOCALE
    workgroup = FIFEDEV
    realm =
    afs username map =
    netbios name = DEV
    netbios aliases =
    netbios scope =
    server string = Samba 3.0.1
    interfaces =
    bind interfaces only = No
    security = USER
    auth methods =
    encrypt passwords = Yes
    update encrypted = No
    client schannel = No
    server schannel = No
    allow trusted domains = Yes
    hosts equiv =
    min passwd length = 5
    map to guest = Never
    null passwords = Yes
    obey pam restrictions = No
    password server = *
    smb passwd file = /usr/local/samba/private/smbpasswd
    private dir = /usr/local/samba/private
    passdb backend = ldapsam
    algorithmic rid base = 1000
    root directory =
    guest account = nobody
    pam password change = No
    passwd program = /usr/local/bin/smbldap-passwd.pl -o %u
    passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
    passwd chat debug = Yes
    passwd chat timeout = 2
    username map =
    password level = 0
    username level = 0
    unix password sync = No
    restrict anonymous = 0
    lanman auth = Yes
    ntlm auth = Yes
    client NTLMv2 auth = No
    client lanman auth = Yes
    client plaintext auth = Yes
    preload modules =
    log level = 0
    syslog = 1
    syslog only = No
    log file = /var/log/samba/%m.log
    max log size = 5000
    timestamp logs = Yes
    debug hires timestamp = No
    debug pid = No
    debug uid = No
    smb ports = 445 139
    protocol = NT1
    large readwrite = Yes
    max protocol = NT1
[Samba] Can't login to Samba PDC
We're trying to migrate from a windows NT domain to a Samba domain. I've installed Samba 3.0.2a with an LDAP backend. The server seems to be running fine as I can browse the shares from a non-domain Win2k workstation after a successful password check. The workstations join the domain just fine but after I join them to the domain I can't log in to them. I've checked my schannel and sign or seal settings in the Samba server and the workstation but still no luck. Any help is greatly appreciated, I've been working at this for about two months now and I'm just getting frustrated.