Re: [Samba] Samba winbind secondary group problem
This did fix my problem in samba-3.0.0-14.3E. Thanks Mike!!

> This problem went away for me in Samba 3.0.1. A workaround in 3.0.0 is to set winbind use default domain = no in the smb.conf.
>
> Mike
>
> [EMAIL PROTECTED] wrote:
>
> > Hello all,
> >
> > I am having some serious problems getting winbind to recognize secondary group memberships. I have a samba server version samba-3.0.0-14.3E running on RHES v.3. This is running on a 2x Xeon 2.4 Ghz IBM Server with 2G Ram. nscd is not running. See below for smb.conf.
> >
> > cat /proc/version:
> >     Linux version 2.4.21-9.ELsmp ([EMAIL PROTECTED]) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004
> >
> > I have joined the domain with:
> >     net rpc join -U administrator -r PDC
> > I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u shows all the domain users and wbinfo -g shows all the domain groups. ls -l shows the correct domain user/group ownerships.
> >
> > Users can access shares owned by them or their PRIMARY domain group. But when they try to access a share owned by a secondary group that they belong to, it is access denied. The only way I can get a secondary group to resolve is by putting a local unix group in /etc/group and giving it the same GID as the corresponding domain group, then adding the users to the local unix group.
> >
> > I have a RedHat 9 box with the same configuration that works the way it's supposed to - ie - honoring secondary group memberships from the domain (of course it is samba version samba-2.2.7a-8.9.0).
> >
> > This is a very critical situation for us. Any help/suggestions would be greatly appreciated.
> >
> > Below is a snip from the samba log file (shows 3 supplementary groups even though this user belongs to about 20 groups).
> >
> > [2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
> >   UNIX token of user 10504
> >   Primary group is 10013 and contains 3 supplementary groups
> >   Group[ 0]: 10013
> >   Group[ 1]: 10013
> >   Group[ 2]: 10029
> >
> > #Begin smb.conf
> > passdb backend = smbpasswd
> > #winbind configuration--
> > winbind separator = +
> > winbind use default domain = yes
> > template shell = /bin/false
> > template homedir = /netarray/shares/home/%U
> > idmap uid = 1-2
> > idmap gid = 1-2
> > #end winbind configuration-
> > security = domain
> > password server = PDC BDC
> > password level = 8
> > username level = 8
> >
> > [Shared]
> > available = yes
> > browseable = yes
> > comment =
> > path = /netarray/shares/Shared
> > public = no
> > writable = yes
> > valid users = @Domain Users @Domain Admins @Global ITS @d_users @d_admins @g_its
> > invalid users = internet1 internet2 hrtest

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba winbind secondary group problem
> This problem went away for me in Samba 3.0.1. A workaround in 3.0.0 is to set winbind use default domain = no in the smb.conf.

This did in fact solve the group resolution problem on samba-3.0.0-14.3E. I have not tried 3.0.1 yet but will this week and will post the results. Thanks very much Mike!

> This problem went away for me in Samba 3.0.1. A workaround in 3.0.0 is to set winbind use default domain = no in the smb.conf.
>
> Mike
>
> [EMAIL PROTECTED] wrote:
>
> > Hello all,
> >
> > I am having some serious problems getting winbind to recognize secondary group memberships. I have a samba server version samba-3.0.0-14.3E running on RHES v.3. This is running on a 2x Xeon 2.4 Ghz IBM Server with 2G Ram. nscd is not running. See below for smb.conf.
> >
> > cat /proc/version:
> >     Linux version 2.4.21-9.ELsmp ([EMAIL PROTECTED]) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004
> >
> > I have joined the domain with:
> >     net rpc join -U administrator -r PDC
> > I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u shows all the domain users and wbinfo -g shows all the domain groups. ls -l shows the correct domain user/group ownerships.
> >
> > Users can access shares owned by them or their PRIMARY domain group. But when they try to access a share owned by a secondary group that they belong to, it is access denied. The only way I can get a secondary group to resolve is by putting a local unix group in /etc/group and giving it the same GID as the corresponding domain group, then adding the users to the local unix group.
> >
> > I have a RedHat 9 box with the same configuration that works the way it's supposed to - ie - honoring secondary group memberships from the domain (of course it is samba version samba-2.2.7a-8.9.0).
> >
> > This is a very critical situation for us. Any help/suggestions would be greatly appreciated.
> >
> > Below is a snip from the samba log file (shows 3 supplementary groups even though this user belongs to about 20 groups).
> >
> > [2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
> >   UNIX token of user 10504
> >   Primary group is 10013 and contains 3 supplementary groups
> >   Group[ 0]: 10013
> >   Group[ 1]: 10013
> >   Group[ 2]: 10029
> >
> > #Begin smb.conf
> > passdb backend = smbpasswd
> > #winbind configuration--
> > winbind separator = +
> > winbind use default domain = yes
> > template shell = /bin/false
> > template homedir = /netarray/shares/home/%U
> > idmap uid = 1-2
> > idmap gid = 1-2
> > #end winbind configuration-
> > security = domain
> > password server = PDC BDC
> > password level = 8
> > username level = 8
> >
> > [Shared]
> > available = yes
> > browseable = yes
> > comment =
> > path = /netarray/shares/Shared
> > public = no
> > writable = yes
> > valid users = @Domain Users @Domain Admins @Global ITS @d_users @d_admins @g_its
> > invalid users = internet1 internet2 hrtest
[Samba] Samba winbind secondary group problem
Hello all,

I am having some serious problems getting winbind to recognize secondary group memberships. I have a samba server version samba-3.0.0-14.3E running on RHES v.3. This is running on a 2x Xeon 2.4 Ghz IBM Server with 2G Ram. nscd is not running. See below for smb.conf.

cat /proc/version:
    Linux version 2.4.21-9.ELsmp ([EMAIL PROTECTED]) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004

I have joined the domain with:
    net rpc join -U administrator -r PDC
I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u shows all the domain users and wbinfo -g shows all the domain groups. ls -l shows the correct domain user/group ownerships.

Users can access shares owned by them or their PRIMARY domain group. But when they try to access a share owned by a secondary group that they belong to, it is access denied. The only way I can get a secondary group to resolve is by putting a local unix group in /etc/group and giving it the same GID as the corresponding domain group, then adding the users to the local unix group.

I have a RedHat 9 box with the same configuration that works the way it's supposed to - ie - honoring secondary group memberships from the domain (of course it is samba version samba-2.2.7a-8.9.0).

This is a very critical situation for us. Any help/suggestions would be greatly appreciated.

Below is a snip from the samba log file (shows 3 supplementary groups even though this user belongs to about 20 groups).

[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10504
  Primary group is 10013 and contains 3 supplementary groups
  Group[ 0]: 10013
  Group[ 1]: 10013
  Group[ 2]: 10029

#Begin smb.conf
passdb backend = smbpasswd
#winbind configuration--
winbind separator = +
winbind use default domain = yes
template shell = /bin/false
template homedir = /netarray/shares/home/%U
idmap uid = 1-2
idmap gid = 1-2
#end winbind configuration-
security = domain
password server = PDC BDC
password level = 8
username level = 8

[Shared]
available = yes
browseable = yes
comment =
path = /netarray/shares/Shared
public = no
writable = yes
valid users = @Domain Users @Domain Admins @Global ITS @d_users @d_admins @g_its
invalid users = internet1 internet2 hrtest
[Samba] Converting local unix users to winbindd
I've got a samba server with about 800 users that is part of a NT domain, and is set to security=server (pointing to a PDC for auth). The samba server was set up years ago before winbindd. I'd like to convert all the local unix users (all of which are really domain users) to use winbindd.

Does anyone know of a document that describes the necessary steps to do this (ie - changing file permissions to the winbindd uid/gid, mapping unix groups to winbindd domain groups)? Did a little googling, but didn't turn up anything of value.

Thanks for any help.

Tom
[Samba] Samba Win2k problem
I have a samba server version 2.2.7a-8.9.0 running on RedHat 9.0. It is acting as a domain controller. I have some win2k clients logging in to this domain and mapping home shares, shared drives, etc. The network the servers are on is 1000Mb and the client networks are all 100Mb. The client networks are linked via 1000Mb uplink.

The problem I'm having is that when a user copies a fair number of files (197 files equalling 34 MB in this case) from a mapped share J: to another directory on that same share, about 3/4 of the way through the copy, the share shows disconnected (a red x on the share mapping, and net use shows 'DisconnectedJ:').

Seems as though it's related to this:

[2003/12/22 11:10:55, 1] smbd/service.c:close_cnum(677)
  asim0369 (192.168.1.64) closed connection to service SYS
[2003/12/22 11:10:55, 2] smbd/service.c:make_connection(331)
  Invalid username/password for sys [smbguest]
[2003/12/22 11:10:55, 2] smbd/service.c:make_connection(331)
  Invalid username/password for sys [smbguest]
[2003/12/22 11:10:55, 2] smbd/service.c:make_connection(331)
  Invalid username/password for sys [smbguest]
[2003/12/22 11:10:55, 2] smbd/service.c:make_connection(331)
  Invalid username/password for sys [smbguest]
[2003/12/22 11:10:55, 1] smbd/service.c:make_connection(636)
  asim0369 (192.168.1.64) connect to service SYS as user tomd (uid=10001, gid=10011) (pid 26701)

Once these entries appear in the log, the share shows up as disconnected. I can still work in the share, add/modify/delete and so on, but the red X remains usually until I manually disconnect/reconnect (and sometimes that doesn't work).

Also, why is win2k apparently connecting as nobody/smbguest (not sending user/pass?) first, and then later connect as the logged in user?

Any help on this would be greatly appreciated.

Thanks in advance,
Tom Dangler

Here's my smb.conf:

[global]
workgroup = WORKGROUPNAME
netbios name = SAMBASERVER
server string = FILE SERVER
log level=2
domain admin group = @administrators @domainadmins
printcap name = cups
load printers = yes
printing = cups
guest account = smbguest
log file = /var/log/samba/%m.log
max log size = 0
security = user
password level = 8
username level = 8
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 99
preferred master = yes
domain logons = yes
logon drive = G:
logon home = \\SAMBASERVER\%U
show add printer wizard = yes
logon script = %U.bat
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

# Share Definitions ==
#the affected share
[SHARED]
security mask = 2777
create mask = 2775
directory mask = 2775
comment = SHARED
path = /shared
writable = yes
printable = no
public = no