Re: [Samba] Samba Active Directory w/ Kerberos Trust
Hi Andrew, thanks for the reply.

Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, test accounts). The issue lies when trying to use upn-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.

Trying to login as one of the mapped users:

    NT_STATUS_LOGON_FAILURE

Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.

Cheers,
--Joseph

On Nov 4, 2012, at 9:39 PM, Andrew Bartlett abart...@samba.org wrote:

> On Thu, 2012-11-01 at 15:00 +, Rafferty, Joseph wrote:
>> Hello, I'm having some difficulty understanding the best approach to setting up a samba fileserver in our environment. We have an active directory domain (2008) that has account stubs that we use for security and authorization (the passwords are unknown/random). This domain has a one-way Kerberos trust to an MIT Kerberos realm that we use for authentication. The user accounts are name-mapped to the corresponding principal name in the kerberos/authentication realm. I had planned to net join the server to the active directory realm for user and group resolution, but configure PAM to use pam_krb5 for authentication instead of winbind.
>>
>> However, it appears to me that, by design, Samba is not able to authenticate and authorize in two different realms this way for the following reason: Samba always ignores PAM for authentication in the case of encrypt passwords = yes
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
>>
>> Setting encrypt passwords = no results in the following testparm error:
>>
>>     ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always be set to 'true'.
>>
>> Anyone successfully authenticating this way? Thanks for the help!
>>
>> -Joseph
>>
>> smb.conf:
>>
>>     [global]
>>     log file = /var/log/samba/log.%m
>>     log level = auth:3
>>     max log size = 50
>>     security = ads
>>     netbios name = SERVERNAME
>>     realm = AD.DOMAIN.EDU
>>     password server = dc.ad.domain.edu
>>     workgroup = AD
>>     idmap uid = 1-500
>>     idmap gid = 1-500
>>     winbind separator = +
>>     winbind enum users = no
>>     winbind enum groups = no
>>     winbind use default domain = yes
>>     obey pam restrictions = yes
>
> What error do you get when you use *just* what you have above?
>
> You should run winbind, and accept kerberos logins from your clients. We need to be joined to the AD domain. As long as the tickets contain a PAC, we really don't mind where they came from.
>
> Don't try and involve PAM or turn off encrypted passwords, because we never get a plaintext password from modern clients anyway.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba Active Directory w/ Kerberos Trust
On Mon, 2012-11-05 at 19:58 +, Rafferty, Joseph wrote:
> Hi Andrew, thanks for the reply.
>
> Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, test accounts). The issue lies when trying to use upn-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.
>
> Trying to login as one of the mapped users:
>
>     NT_STATUS_LOGON_FAILURE
>
> Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.

I *think* the idea with this kind of trust/mapping thing is that 'AD' servers (like Samba) get a ticket that includes the PAC, even if the initial user came from MIT. That's pretty much the only way we can work, if we are to get the windows groups etc.

You will need to dig in further into why we return LOGON_FAILURE with a higher log level and our debug logs.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba Active Directory w/ Kerberos Trust
For the user continuum\jrafferty (continuum is the AD realm):
http://pastebin.com/DJ3xShTr

Using the user principal name, jraffe...@tamu.edu
http://pastebin.com/34VXJuAc

Using just jrafferty
http://pastebin.com/ZF7EE2n7

Interestingly, I emailed our AD admins on the status of that AD trust, and was told that it is in place and in production (realm is AUTH). If I try a different user, auth\jrafferty:
http://pastebin.com/aZX6zxGY

---

So, it seems now I just need to research how to modify smb.conf to make AUTH my primary domain, since it seems 'winbind use default domain' isn't working correctly, even for CONTINUUM (see [MYGROUP]\ in the above examples).

-Joseph

On Nov 5, 2012, at 2:09 PM, Andrew Bartlett abart...@samba.org wrote:

> On Mon, 2012-11-05 at 19:58 +, Rafferty, Joseph wrote:
>> Hi Andrew, thanks for the reply.
>>
>> Presently, my configuration (as shown) works great for user accounts with known passwords within the active directory domain (very few of these - mostly admin, service, test accounts). The issue lies when trying to use upn-mapped user accounts. Active directory is not supposed to be the authentication authority for those accounts, so when they're created (via some script - not in my control), the passwords are long randomly-generated strings. However, because of the Kerberos trust and UPN mapping, a user can masq as that AD user with a valid TGT from the trusted realm.
>>
>> Trying to login as one of the mapped users:
>>
>>     NT_STATUS_LOGON_FAILURE
>>
>> Regarding the PAC: the trusted realm is MIT Kerberos. I think there are plans to mirror this in an AD domain somewhere, but I haven't heard anything more on this.
>
> I *think* the idea with this kind of trust/mapping thing is that 'AD' servers (like Samba) get a ticket that includes the PAC, even if the initial user came from MIT. That's pretty much the only way we can work, if we are to get the windows groups etc.
>
> You will need to dig in further into why we return LOGON_FAILURE with a higher log level and our debug logs.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba Active Directory w/ Kerberos Trust
On Mon, 2012-11-05 at 21:39 +, Rafferty, Joseph wrote:
> For the user continuum\jrafferty (continuum is the AD realm):
> http://pastebin.com/DJ3xShTr

OK, now I see the issue. Your setup is deliberately incompatible with NTLM authentication (as you only have random passwords recorded on the AD DC).

You must log in with kerberos - ie kinit first, then run smbclient -k (for example) or use a windows client already logged in with kerberos credentials.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba Active Directory w/ Kerberos Trust
On Thu, 2012-11-01 at 15:00 +, Rafferty, Joseph wrote:
> Hello, I'm having some difficulty understanding the best approach to setting up a samba fileserver in our environment. We have an active directory domain (2008) that has account stubs that we use for security and authorization (the passwords are unknown/random). This domain has a one-way Kerberos trust to an MIT Kerberos realm that we use for authentication. The user accounts are name-mapped to the corresponding principal name in the kerberos/authentication realm. I had planned to net join the server to the active directory realm for user and group resolution, but configure PAM to use pam_krb5 for authentication instead of winbind.
>
> However, it appears to me that, by design, Samba is not able to authenticate and authorize in two different realms this way for the following reason: Samba always ignores PAM for authentication in the case of encrypt passwords = yes
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
>
> Setting encrypt passwords = no results in the following testparm error:
>
>     ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always be set to 'true'.
>
> Anyone successfully authenticating this way? Thanks for the help!
>
> -Joseph
>
> smb.conf:
>
>     [global]
>     log file = /var/log/samba/log.%m
>     log level = auth:3
>     max log size = 50
>     security = ads
>     netbios name = SERVERNAME
>     realm = AD.DOMAIN.EDU
>     password server = dc.ad.domain.edu
>     workgroup = AD
>     idmap uid = 1-500
>     idmap gid = 1-500
>     winbind separator = +
>     winbind enum users = no
>     winbind enum groups = no
>     winbind use default domain = yes
>     obey pam restrictions = yes

What error do you get when you use *just* what you have above?

You should run winbind, and accept kerberos logins from your clients. We need to be joined to the AD domain. As long as the tickets contain a PAC, we really don't mind where they came from.

Don't try and involve PAM or turn off encrypted passwords, because we never get a plaintext password from modern clients anyway.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] Samba Active Directory w/ Kerberos Trust
Hello, I'm having some difficulty understanding the best approach to setting up a samba fileserver in our environment. We have an active directory domain (2008) that has account stubs that we use for security and authorization (the passwords are unknown/random). This domain has a one-way Kerberos trust to an MIT Kerberos realm that we use for authentication. The user accounts are name-mapped to the corresponding principal name in the kerberos/authentication realm. I had planned to net join the server to the active directory realm for user and group resolution, but configure PAM to use pam_krb5 for authentication instead of winbind.

However, it appears to me that, by design, Samba is not able to authenticate and authorize in two different realms this way for the following reason: Samba always ignores PAM for authentication in the case of encrypt passwords = yes
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#ENCRYPTPASSWORDS
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html

Setting encrypt passwords = no results in the following testparm error:

    ERROR: in 'security=domain' mode the 'encrypt passwords' parameter must always be set to 'true'.

Anyone successfully authenticating this way? Thanks for the help!

-Joseph

smb.conf:

    [global]
    log file = /var/log/samba/log.%m
    log level = auth:3
    max log size = 50
    security = ads
    netbios name = SERVERNAME
    realm = AD.DOMAIN.EDU
    password server = dc.ad.domain.edu
    workgroup = AD
    idmap uid = 1-500
    idmap gid = 1-500
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    obey pam restrictions = yes
[Samba] samba active directory question
We are migrating to 2008 Active Directory and in making changes to smb.conf and krb5.conf and restarting smb services I get the below error in the winbindd.log:

Winbind won't start

    [2011/04/07 15:03:09, 1] nsswitch/winbindd.c:main(979)
      winbindd version 3.0.22-13.16-SUSE-SLES10 started.
      Copyright The Samba Team 2000-2004
    [2011/04/07 15:03:09, 0] nsswitch/winbindd_util.c:winbindd_upgrade_idmap(1195)
      idmap_convert: Unable to open idmap database
    [2011/04/07 15:03:09, 1] nsswitch/winbindd.c:main(1012)
      Could not init idmap -- netlogon proxy only
    [2011/04/07 15:03:09, 0] nsswitch/winbindd_util.c:init_domain_list(522)
      Could not fetch our SID - did we join?
    [2011/04/07 15:03:09, 0] nsswitch/winbindd.c:main(1076)
      unable to initalize domain list
    [2011/04/07 15:03:33, 1] nsswitch/winbindd.c:main(979)
      winbindd version 3.0.22-13.16-SUSE-SLES10 started.
      Copyright The Samba Team 2000-2004
    [2011/04/07 15:03:33, 0] nsswitch/winbindd_util.c:winbindd_upgrade_idmap(1195)
      idmap_convert: Unable to open idmap database
    [2011/04/07 15:03:33, 1] nsswitch/winbindd.c:main(1012)
      Could not init idmap -- netlogon proxy only
    [2011/04/07 15:03:33, 0] nsswitch/winbindd_util.c:init_domain_list(522)
      Could not fetch our SID - did we join?
    [2011/04/07 15:03:33, 0] nsswitch/winbindd.c:main(1076)
      unable to initalize domain list

Here is the change in smb.conf file, esatest being the AD test domain.

    workgroup = ESATEST
    ---
    workgroup = LANGROUP
    27c27
    realm = esa.test
    ---
    realm = EFW.COM

Here are the krb5.conf changes made:

    default_realm = EFW.COM
    ---
    default_realm = esa.test
    5a6,10 (below was inserted, leaving the old realms also in place)
    esa.test = {
        kdc = 10.1.32.58
        default_domain = esa.test
        admin_server = 10.1.32.58
    }
    20a26
    .esatest = esa.test
[Samba] samba-active directory: ports needed
Greetings, we have samba v3.3.x as a domain member of active directory. Samba also uses winbind for user enumeration.

What ports need to be opened on the network ACLs to allow samba to connect to active directory?

thanks,
Ryan
[Samba] Samba + Active Directory - Deny Hosts
Hi All,

I just got my RHEL5 hosts authenticating successfully from a Win2K3-R2 Active Directory server using the Samba / Winbind combination. While the host login capability works perfectly, we need the capability to deny specific users and groups access to specific computers.

The generic Active Directory option of User-Properties-Account-Log On To works perfectly (i.e. I can specify my host, and it denies or allows accordingly); however, I would have to specify all of the machines that I wish to allow access for an individual (which is not really feasible).

The Group Policy Object - Deny Log on Locally - I believe is not supported for Linux (is this correct?)

Is there a way to get this functionality to easily work for groups (i.e. GroupX is allowed to login to Host1, while GroupY is not?) on the Linux end? Has anyone been successful?

Thanks again
--Tim F.
RE: [Samba] Samba Active Directory - Login from non Domain Machine
Just in case anyone is interested, this was a simple case of case sensitivity of the username. The domain name needed to be in uppercase, so the login had to be:

    DOMAINNAME\username

And then everything worked fine. I think windows might automatically use uppercase for domain names. You can check the log to see what it is using on a valid user. There are also options you can put in your config file to make things case insensitive if you want, but I am not familiar with them yet.

Sorry if everyone knows this, but I am still new to Samba.

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Melia Jr.
Sent: Friday, April 11, 2008 11:22 AM
To: samba@lists.samba.org
Subject: [Samba] Samba Active Directory - Login from non Domain Machine

> I have Samba running on debian etch using winbind and my windows 2003 active directory infrastructure. Everything works fine. I have one issue. I cannot connect to a share from a machine that is not on the domain.
>
> If I try to connect to the share from a windows xp box that is not on the domain that the samba server is in, I am prompted for a username and password. If I put in my domain credentials, I still get an access denied message. However if I login to a computer that is on the domain using credentials that are part of the group that is allowed access to the same share, I can get into that share without a problem or prompt (as you would expect). I just don't understand why I cannot connect from a machine that is not a member of the domain. Any thoughts?
>
> Also, how do you have samba re-read the smb.conf file without having to restart smbd on debian?
>
> Thanks,
> Michael
[Samba] Samba Active Directory - Login from non Domain Machine
I have Samba running on debian etch using winbind and my windows 2003 active directory infrastructure. Everything works fine. I have one issue. I cannot connect to a share from a machine that is not on the domain.

If I try to connect to the share from a windows xp box that is not on the domain that the samba server is in, I am prompted for a username and password. If I put in my domain credentials, I still get an access denied message. However if I login to a computer that is on the domain using credentials that are part of the group that is allowed access to the same share, I can get into that share without a problem or prompt (as you would expect). I just don't understand why I cannot connect from a machine that is not a member of the domain. Any thoughts?

Also, how do you have samba re-read the smb.conf file without having to restart smbd on debian?

Thanks,
Michael
[Samba] Samba-Active Directory only returns default group
I have a RHEL 4.6 server with the Red Hat supplied Samba 3.0.25b-1.el4_6.4 packages (samba, samba-client, samba-common) installed. I was able to bind this server to our Active Directory forest but when I run groups username all I get is

    username : domain users

despite the fact our users are members of multiple groups in our AD domain. However I can chgrp files/directories to domain groups other than the default Domain Users group. I can successfully run wbinfo -g but I cannot run wbinfo -u, I get a Error looking up domain users message. I verified that nscd is not running.

Does anyone know how to help Samba find the other domain groups that our users are members of? Below are my config files:

/etc/samba/smb.conf:

    workgroup = WORKGROUP
    netbios name = SERVERNAME
    server string = SERVERNAME
    security = ADS
    realm = DOMAIN.FOREST.COM
    password server = domain_controller_IP
    client use spnego = NO
    server signing = AUTO
    ntlm auth = YES
    lanman auth = YES
    encrypt passwords = YES
    use kerberos keytab = YES
    log level = 10
    local master = NO
    domain master = NO
    idmap uid = 1-30
    idmap gid = 1-30
    template shell = /bin/false
    winbind enum users = YES
    winbind enum groups = YES
    winbind use default domain = YES

/etc/krb5.conf:

    [libdefaults]
    default_realm = DOMAIN.FOREST.COM
    default_keytab_name = FILE:/etc/krb5.keytab
    dns_fallback = no

    [realms]
    DOMAIN.FOREST.COM = {
        kdc = DOMAIN03.FOREST.COM.:88
        kdc = DOMAIN02.FOREST.COM.:88
        kdc = DOMAIN01.FOREST.COM.:88
        admin_server = DOMAIN03.FOREST.COM.
        admin_server = DOMAIN02.FOREST.COM.
        admin_server = DOMAIN01.FOREST.COM.
    }

    [domain_realm]
    .domain.forest.com = DOMAIN.FOREST.COM

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

/etc/nsswitch.conf:

    passwd:     files winbind
    shadow:     files winbind
    group:      files winbind
    hosts:      files dns wins
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    netgroup:   files
    publickey:  nisplus
    automount:  files
    aliases:    files nisplus

Andrew Philipoff
Programmer Analyst
Information Technology Services
Department of Medicine
University of California, San Francisco
Phone: 415-476-1344
Help Desk: 415-476-6827
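The testparm rule quoted in the Kerberos trust thread above (security = ads or domain needs encrypt passwords = yes) and the settings in this post's smb.conf (client use spnego = NO, lanman auth = YES, a workgroup that looks like a sample value, the idmap ranges) are the kind of thing a quick check of [global] catches before anyone joins or debugs at log level 10. The script below is an added example, not Samba code and not from any of the list posts: it parses an smb.conf [global] section the way Samba reads parameter names (case- and whitespace-insensitive) and reports those findings; both sample configs are constructed, with the realm, workgroup and id ranges made up.

```python
import re

# Constructed sample, not a real host: the problem settings from the posts in one file.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = ADS
   realm = domain.forest.com
   encrypt passwords = no
   client use spnego = NO
   lanman auth = YES
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = YES
"""

# Constructed: the same member server with every finding addressed.
FIXED_SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ads
   realm = DOMAIN.FOREST.COM
   encrypt passwords = yes
   client use spnego = yes
   lanman auth = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
"""

_TRUE, _FALSE = {"yes", "true", "1", "on"}, {"no", "false", "0", "off"}

def _norm(key):
    """smb.conf parameter names are case- and whitespace-insensitive."""
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Return {section: {normalised key: value}}; lines starting '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections

def as_bool(value, default):
    """Samba accepts yes/no, true/false, 1/0 and on/off, case-insensitively."""
    if value is None:
        return default
    v = value.strip().lower()
    return True if v in _TRUE else False if v in _FALSE else default

def parse_range(value):
    """'LOW-HIGH' -> (low, high), or None if malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", (value or "").strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def lint(text):
    """Return (severity, code, message) findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    out = []
    security = g.get("security", "user").lower()
    # testparm's rule: a domain member cannot run with plaintext passwords
    if security in ("domain", "ads") and not as_bool(g.get("encryptpasswords"), True):
        out.append(("ERROR", "encrypt-passwords",
                    "security = %s requires encrypt passwords = yes" % security))
    if security == "ads":
        realm = g.get("realm")
        if not realm:
            out.append(("ERROR", "realm-missing", "security = ads needs a realm"))
        elif realm != realm.upper():
            out.append(("WARN", "realm-case",
                        "realm %r is not upper-case; Kerberos realm names are case-sensitive" % realm))
        if not as_bool(g.get("clientusespnego"), True):
            out.append(("ERROR", "spnego",
                        "client use spnego = no disables the SPNEGO negotiation Kerberos SMB logins use"))
        if g.get("workgroup", "").upper() in ("", "WORKGROUP", "MYGROUP"):
            out.append(("WARN", "workgroup-placeholder",
                        "workgroup looks like a sample value; it must be the domain's NetBIOS name"))
    if as_bool(g.get("lanmanauth"), False):
        out.append(("WARN", "lanman-auth", "lanman auth = yes accepts weak LM responses; set it to no"))
    for key in ("idmapuid", "idmapgid"):
        rng = parse_range(g.get(key))
        if rng is None:
            out.append(("ERROR", key, "%s must be given as LOW-HIGH" % key))
        elif rng[0] >= rng[1] or rng[0] < 1000:
            out.append(("WARN", key, "%s range %d-%d is empty or overlaps local system ids" % ((key,) + rng)))
    return out

if __name__ == "__main__":
    for sev, code, msg in lint(WEAK_SMB_CONF):
        print("%-5s %-21s %s" % (sev, code, msg))
```

Run it against a real file with `lint(open("/etc/samba/smb.conf").read())`; an empty result for FIXED_SMB_CONF is the point of comparison, not proof that a join will succeed.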
[Samba] samba/active directory permissions
Using Debian 4.0. I want to create one Share (eg. Files) and have subdirectories for each department. This is so that users only have to mount one share. So it looks something like this:

    Files
      - Accounting
      - Human Resources
      - Engineering
      - etc

Using Samba how can I give subdirectories different permissions using Active Directory? Would this be done by creating corresponding linux groups and assigning them to the directories at the linux level? If so how do I map Active Directory users/groups to their respective Linux users/groups?

I'm trying to replace a Windows machine that is currently acting as a file server.
[Samba] Samba Active Directory Trust
Hello All,

I'm having an issue creating a two-way trust relationship between my Samba Domain and a Windows 2003 Active Directory Domain. Here is a summary of my environment:

    Samba 3.0.14a
    OpenLDAP 2.0.23-7
    Debian Woody
    Active Directory 2003 (running in mixed mode)
    Windows 2003

The trust works fine from AD -> Samba:

    [EMAIL PROTECTED] root]$ net rpc trustdom list
    Password:
    Trusted domains list:
    none
    Trusting domains list:
    FOOBAR
    [EMAIL PROTECTED] root]$

But when I try to establish the trust the other way, I get NT_STATUS_ACCESS_DENIED:

    [EMAIL PROTECTED] root]$ net -d 3 -I 10.6.24.44 rpc trustdom establish FOOBAR
    [2006/02/06 16:27:03, 3] param/loadparm.c:lp_load(3915)
      lp_load: refreshing parameters
    [2006/02/06 16:27:03, 3] param/loadparm.c:init_globals(1329)
      Initialising global parameters
    [2006/02/06 16:27:03, 3] param/params.c:pm_process(573)
      params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
    [2006/02/06 16:27:03, 3] param/loadparm.c:do_section(3417)
      Processing section [global]
    [2006/02/06 16:27:03, 2] lib/interface.c:add_interface(81)
      added interface ip=10.6.15.10 bcast=10.6.15.255 nmask=255.255.255.0
    Password:
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_start_connection(1406)
      Connecting to host=DC01
    [2006/02/06 16:27:07, 3] lib/util_sock.c:open_socket_out(752)
      Connecting to 10.6.24.44 at port 445
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
      Doing spnego session setup (blob length=104)
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
      got OID=1 2 840 48018 1 2 2
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
      got OID=1 2 840 113554 1 2 2
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
      got OID=1 2 840 113554 1 2 2 3
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
      got OID=1 3 6 1 4 1 311 2 2 10
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
      got [EMAIL PROTECTED]
    [2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
      Got challenge flags:
    [2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
      Got NTLMSSP neg_flags=0x62890215
    [2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
      NTLMSSP: Set final flags:
    [2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
      Got NTLMSSP neg_flags=0x60080215
    [2006/02/06 16:27:07, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
      NTLMSSP Sign/Seal - Initialising with flags:
    [2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
      Got NTLMSSP neg_flags=0x60080215
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup(861)
      SPNEGO login failed: No logon interdomain trust account
    [2006/02/06 16:27:07, 1] libsmb/cliconnect.c:cli_full_connection(1494)
      failed session setup with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
    Could not connect to server DC01
    [2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_start_connection(1406)
      Connecting to host=DC01
    [2006/02/06 16:27:07, 3] lib/util_sock.c:open_socket_out(752)
      Connecting to 10.6.24.44 at port 445
    [2006/02/06 16:27:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4663)
      NetServerEnum2 error: Couldn't find primary domain controller for domain FOOBAR
    [2006/02/06 16:27:07, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
      cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine DC01. Error was NT_STATUS_ACCESS_DENIED
    [2006/02/06 16:27:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4672)
      Couldn't not initialise wkssvc pipe
    [2006/02/06 16:27:07, 2] utils/net.c:main(897)
      return code = -1
    [EMAIL PROTECTED] root]$

The trust account is set up on the AD side and I am using the same password on both ends. Is there some issue that I don't know about?
Thanks in advance,
Phillip Cockrell
[Samba] samba + active directory : I delete a file in the windows profile, it reappears on another station!
hi all

I have: samba-3.0.9-2.3 and winbind-3.0.9-2.3 on suse 9.2, a windows 2000 server pack 4, clients 2000 pro pack 4.

everything looks ok, i can log on the clients, the windows profile is a linux share, acl are ok... BUT here is my bug:

the user john logs on 2000 station1, creates a file file.txt in My Documents (or anywhere in his profile), and logs off (then the file is on /home/profile/john/My Documents, the samba shared directory on linux)

then the user john logs on another station, station2, deletes the file file.txt in My Documents, and logs off (then there is no file on /home/profile/john/My Documents)

after he logs on the first station station1, and the file that was deleted is back in My Documents!!! He logs off and the file is now back in /home/profile/john/My Documents.

Well that's the bug, and I understand nothing!

In active directory i don't make redirection of My Documents. I have 3 shares (/home/profiles, /home/winhome and /home/partage), and this bug is only with /home/profiles.

I send my smb.conf, thanks a lot if you can help me!

    [global]
    workgroup = cubedns
    server string = suseserver
    wins support = no
    netbios name = suseserver
    name resolve order = wins bcast lmhosts host
    wins server = 192.0.9.142
    logon path = \\%L\profiles\%u
    logon drive = H:
    logon script = logon.bat
    local master = no
    domain master = no
    preferred master = no
    dns proxy = no
    security = ADS
    realm = CUBEDNS.FR
    password server = gm8.cubedns.fr
    encrypt passwords = yes
    hosts allow = 192.0.9. 127.
    username map = /etc/samba/smbusers
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    log level = 1 winbind:2
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    ldap ssl = no
    template primary group = graphistes
    client schannel = no
    winbind separator = +
    #template homedir = /home/%D/%U
    #template shell = /bin/bash
    socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    max xmit = 8192

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    browseable = no
    guest ok = no
    read only = yes
    writeable = no

    [profiles]
    comment = Profiles
    path = /home/profiles
    read only = no
    create mask = 0700
    directory mask = 0700
    guest ok = no
    browseable = no
    writeable = yes
    profile acls = yes

    [homes]
    comment = Home
    path = /home/winhome
    read only = no
    create mask = 0700
    directory mask = 0700
    guest ok = no
    browseable = no
    writeable = yes

    [partage]
    comment = Partage
    path = /home/partage
    read only = no
    writeable = yes
    create mask = 0770
    directory mask = 0770
    guest ok = no
    browseable = no
    #inherit acls = yes
Re: [Samba] Samba Active Directory NT_STATUS_ACCESS_DENIED - expired?
On Wed, 2006-01-25 at 11:42 +0100, Andreas Unterkircher wrote:
> Hello list,
>
> I'm using several samba servers (mix between v2.2 and v3.0 versions) within an Active Directory domain. These servers are normal domain members and winbind is used to lookup the domain users on the linux machines.
>
> Sometimes it looks like some of the servers get kicked out of the domain. In the samba logs suddenly NT_STATUS_ACCESS_DENIED messages appear and samba stops authenticating users against the domain. The computer account is still present in Active Directory. I've checked if the account has expired but its expiry time is far away (9223372036854775807, in 2038 ...). The account is neither inactive, disabled or locked out.
>
> When I try to rejoin on the existing computer account (smbpasswd -j, net join) it works on the samba side but in the domain controller's event log I see some of the following errors:
>
>     The session setup from the computer SRV-MFM-30 failed to authenticate. The name of the account referenced in the security database is SRV-MFM-30$. The following error occurred: Access is denied.
>
> I have to remove the computer object and join the domain again. Then everything works again (for some time). This happens with security=domain (rpc) and also with security=ads (ldap,kdc,...). The timeframe is mostly 2 or 3 months.
>
> Anyone has a clue what can cause this or encountered similar problems?

Password expiry is configured from group or domain policy, not a value on the entry. The command 'net ads changetrustpw' should fix it. We should handle this automatically, but don't (please file a bug, if there isn't one already).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
[Samba] Samba Active Directory NT_STATUS_ACCESS_DENIED - expired?
Hello list,

I'm using several samba servers (a mix of v2.2 and v3.0 versions) within an Active Directory domain. These servers are normal domain members and winbind is used to look up the domain users on the linux machines.

Sometimes it looks like some of the servers get kicked out of the domain. In the samba logs NT_STATUS_ACCESS_DENIED messages suddenly appear and samba stops authenticating users against the domain. The computer account is still present in Active Directory. I've checked whether the account has expired, but its expiry time is far away (9223372036854775807, in 2038 ...). The account is neither inactive, disabled nor locked out.

When I try to rejoin on the existing computer account (smbpasswd -j, net join) it works on the samba side, but in the domain controller's event log I see some of the following errors:

  The session setup from the computer SRV-MFM-30 failed to authenticate. The name of the account referenced in the security database is SRV-MFM-30$. The following error occurred: Access is denied.

I have to remove the computer object and join the domain again. Then everything works again (for some time). This happens with security=domain (rpc) and also with security=ads (ldap, kdc, ...). The timeframe is mostly 2 or 3 months.

Does anyone have a clue what can cause this, or has anyone encountered similar problems?

Cheers,
Andreas Unterkircher
[Samba] samba Active directory and SSO
Dear all,

I guess there were a lot of posts about this subject, but I'm really stuck and prefer to start a new thread, hoping that some of you won't mind re-posting to help the Samba newbie that I am. Well, here is my situation:

- more than 1000 users on a heterogeneous network, one domain, and the need to keep only one.
- I need my Linux boxes' users to get authenticated against a single AD; therefore I installed Samba 3 on a Red Hat 9, kernel 2.4.
- smbd, nmbd and winbind are running.
- the Linux boxes joined my domain using the command:
  [EMAIL PROTECTED] root]# net ads join -U Administrator%password
- I am able to view the list of the users in the AD with:
  [EMAIL PROTECTED] root]# /usrlocal/samba/bin/wbinfo -u
  HOWEVER, I get the listing in the format "username", not the supposed "MYDOMAINNAME+username".

Furthermore, when I try to log on to the Linux box using one of my AD users, I simply cannot.

Please find below my config files: smb.conf, /etc/pam.d/login, /etc/nsswitch.conf. Thank you very much for reading my post. Please let me know if you need any more information.

Best Regards,

smb.conf:

#======================= Global Settings =======================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = medi
netbios name = LinuxMachine
logon drive = h:
logon home = \\home_dir_server\%U
logon script = %U.bat
winbind separator = :
idmap uid = 1-2
idmap gid = 1-2
winbind uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
client use spnego = yes
unix extensions = yes
case sensitive = yes
delete readonly = yes
# server string is the equivalent of the NT Description field
server string = Samba Server
max log size = 50
security = ADS
ads server = 10.100.101.62
password server = 10.100.101.62
encrypt passwords = yes
realm = medi.com
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
pam password change = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 10.100.101.62
username map = /etc/samba/smbusers
dns proxy = no

#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
writeable = yes
valid users = %S
create mode = 0664
directory mode = 0775

[shared]
path = /home/shared
writeable = yes
guest ok = yes

[medi]
path = /home/medi
writeable = yes

/etc/pam.d/login:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
#auth      requisite    pam_nologin.so
#auth      requisite    pam_krb5.so
#auth      optional     pam_smbpass.so migrate
#account   required     pam_krb5.so
#password  requisite    pam_cracklib.so retry=3
#password  optional     pam_smbpass.so nullok use_authtok try_first_pass
#password  required     pam_krb5.so use_authtok try_first_pass
#session   required     pam_krb5.so

/etc/nsswitch.conf:

passwd: files winbind
shadow: files
group:  files winbind

===
Sebbane Mehdi
Network Systems Administrator, ITS Department
Alakhawayn University, Ifrane 53000, Morocco
Voice: +212 (0) 55 86 24 23   Fax: +212 (0) 55 86 24 24
www.aui.ma
===
RE: [Samba] samba Active directory and SSO
Hi,

I think there are one or two things you must change.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, 16 December 2005 15:48
To: samba@lists.samba.org
Subject: [Samba] samba Active directory and SSO

> Dear all,
>
> I guess there were a lot of posts about this subject, but I'm really stuck and prefer to start a new thread, hoping that some of you won't mind re-posting to help the Samba newbie that I am. Well, here is my situation:
>
> - more than 1000 users on a heterogeneous network, one domain, and the need to keep only one.
> - I need my Linux boxes' users to get authenticated against a single AD; therefore I installed Samba 3 on a Red Hat 9, kernel 2.4.
> - smbd, nmbd and winbind are running.
> - the Linux boxes joined my domain using the command:
>   [EMAIL PROTECTED] root]# net ads join -U Administrator%password
> - I am able to view the list of the users in the AD with:
>   [EMAIL PROTECTED] root]# /usrlocal/samba/bin/wbinfo -u
>   HOWEVER, I get the listing in the format "username", not the supposed "MYDOMAINNAME+username".
>
> Furthermore, when I try to log on to the Linux box using one of my AD users, I simply cannot.
>
> Please find below my config files: smb.conf, /etc/pam.d/login, /etc/nsswitch.conf. Thank you very much for reading my post. Please let me know if you need any more information.
>
> Best Regards,
>
> smb.conf:
>
> #======================= Global Settings =======================
> [global]
> --snip--
> winbind use default domain = yes

I think this must be set to no in order to also show the MYDOMAIN part, i.e.

winbind use default domain = no

According to man 5 smb.conf you should also set winbind separator:

winbind separator (G)
    This parameter allows an admin to define the character used when listing a username of the form of DOMAIN\user. This parameter is only applicable when using the pam_winbind.so and nss_winbind.so modules for UNIX services.

    Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group.

    Default: winbind separator = '\'
    Example: winbind separator = +

Best Regards,
Bruno Guerreiro
[Samba] Samba/Active Directory help!
Hello,

I'm a Samba newbie. I'm trying to figure out how to set up shares on Darwin that will authenticate through Active Directory. Thus far, I've successfully joined Active Directory, but I'm having problems creating local network shares. Darwin or Mac OS 10.4.2 seems to have some unique configurations. Commands like getent seem to be missing. Some of the man files are just plain wrong!! Especially when it comes to Samba. My SSO (Single Sign On) works fine connecting to Windows shares.

How do I set up a share that will have its passwords authenticated against a certain group in Active Directory?

Jason
[Samba] Samba Active Directory Restart
I am having an issue where I cannot connect from an XP box on the Win2000 AD domain. If I restart samba and winbindd I can then connect normally for a period of time; then it goes back and I have to restart samba and winbindd once again. Any help would be greatly appreciated.

# Smb.conf ##
[global]
netbios name = suselinux
realm = DOMAIN.COM
security = ADS
encrypt passwords = yes
wins server = 10.10.10.14
workgroup = DOMAIN
password server = DC.DOMAIN.COM
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
log file = /var/log/samba/%m.log

[homes]
comment = Home Directories
browseable = yes
writeable = yes
preserve case = yes
short preserve case = yes

[printers]
comment = All Printers
path = /var/tmp
printable = yes
create mask = 0600
browseable = no
guest ok = no

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
browseable = yes
guest ok = no
printable = no

[ftp]
comment = FTP File Share
path = /home/ftp
writable = yes
printable = no
create mask = 0660
directory mask = 0775
valid users = root DOMAIN\itgroup
force group = ftpadmin
force user = ftpusers

# winbindd.log ##
[2004/04/01 09:26:33, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'pc1$' does not exist
[2004/04/01 09:26:33, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'PC1$' does not exist
[2004/04/01 09:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'will' does not exist
[2004/04/01 09:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'will' does not exist
[2004/04/01 09:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'WILL' does not exist
[2004/04/01 09:32:43, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'server1$' does not exist
[2004/04/01 09:32:43, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'SERVER1$' does not exist

# will.log ##
[2004/03/31 11:59:05, 1] smbd/service.c:make_connection_snum(705) will (10.10.10.24) connect to service ftp initially as user will (uid=500, gid=100) (pid 1421)
[2004/04/01 09:26:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(245) Username DOMAIN\PC1$ is invalid on this system
[2004/04/01 09:26:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(245) Username DOMAIN\PC1$ is invalid on this system
[2004/04/01 09:32:29, 1] smbd/service.c:close_cnum(887) will (10.10.10.24) closed connection to service ftp
Re: [Samba] Samba Active Directory Restart
How long does the availability last?

From: Will Hughes [EMAIL PROTECTED]
Date: Thu, 1 Apr 2004 10:02:32 -0600
To: [EMAIL PROTECTED]
Subject: [Samba] Samba Active Directory Restart

> I am having an issue where I cannot connect from an XP box on the Win2000 AD domain. If I restart samba and winbindd I can then connect normally for a period of time; then it goes back and I have to restart samba and winbindd once again. Any help would be greatly appreciated.
>
> # Smb.conf ##
> [global]
> netbios name = suselinux
> realm = DOMAIN.COM
> security = ADS
> encrypt passwords = yes
> wins server = 10.10.10.14
> workgroup = DOMAIN
> password server = DC.DOMAIN.COM
> idmap uid = 1-2
> idmap gid = 1-2
> winbind enum users = yes
> winbind enum groups = yes
> log file = /var/log/samba/%m.log
>
> [homes]
> comment = Home Directories
> browseable = yes
> writeable = yes
> preserve case = yes
> short preserve case = yes
>
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = yes
> create mask = 0600
> browseable = no
> guest ok = no
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
> browseable = yes
> guest ok = no
> printable = no
>
> [ftp]
> comment = FTP File Share
> path = /home/ftp
> writable = yes
> printable = no
> create mask = 0660
> directory mask = 0775
> valid users = root DOMAIN\itgroup
> force group = ftpadmin
> force user = ftpusers
>
> # winbindd.log ##
> [2004/04/01 09:26:33, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'pc1$' does not exist
> [2004/04/01 09:26:33, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'PC1$' does not exist
> [2004/04/01 09:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'will' does not exist
> [2004/04/01 09:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'will' does not exist
> [2004/04/01 09:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'WILL' does not exist
> [2004/04/01 09:32:43, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'server1$' does not exist
> [2004/04/01 09:32:43, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157) user 'SERVER1$' does not exist
>
> # will.log ##
> [2004/03/31 11:59:05, 1] smbd/service.c:make_connection_snum(705) will (10.10.10.24) connect to service ftp initially as user will (uid=500, gid=100) (pid 1421)
> [2004/04/01 09:26:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(245) Username DOMAIN\PC1$ is invalid on this system
> [2004/04/01 09:26:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(245) Username DOMAIN\PC1$ is invalid on this system
> [2004/04/01 09:32:29, 1] smbd/service.c:close_cnum(887) will (10.10.10.24) closed connection to service ftp
Re: [Samba] Samba + Active Directory
On Tue, 6 Jan 2004, Cedric Puddy wrote:
> > The logs are saying:
> >
> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!
> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!
> >
> > Is there any special configuration I have to do on Active Directory to make AD authentication available to Samba?
>
> Almost certainly, you are running version 3.0.1, which as best I've been able to determine breaks kerberos ticket handling in the case of a Win2k/XP box trying to access SAMBA.

Can people seeing this please test 3.0.2pre1 and let me know if it is fixed now? Thanks.

> the same problem I am, increase the logging level to something like 5, and look for unknown key table type errors shortly before the Failed to verify ticket error in your /var/log/samba/log.workstation file (assuming that you put your logs in the default linux location :)

cheers, jerry
--
Hewlett-Packard            http://www.hp.com
SAMBA Team                 http://www.samba.org
GnuPG Key                  http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
Re: [Samba] Samba + Active Directory
Hi,

As Cedric suggested (thank you very much, man!!), I've downgraded my Samba from 3.0.1 to 3.0.0 and it worked!! There's no more password-asking window and no more Kerberos ticket errors.

Now I'm facing a new, weird problem: my users can't print (I've installed CUPS to manage the Deskjet 840c); they receive an "access denied - unable to connect" error message when they try to print. From the Samba server box I can print using cat somefile > /dev/lp0. I've tried to change permissions, 777-ing both the printer spool directory and /dev/lp0. The printer sharing options are: writable = yes, guest ok = yes, browseable = yes ... etc. What is missing?? Is there any config I'm forgetting?

Thanks in advance,
Lindolfo Rodrigues

-- Original header ---
From: Cedric Puddy [EMAIL PROTECTED]
To: samba_list [EMAIL PROTECTED]
Cc: samba [EMAIL PROTECTED]
Date: Tue, 6 Jan 2004 19:42:27 -0500 (EST)
Subject: Re: [Samba] Samba + Active Directory

> On Tue, 6 Jan 2004, samba_list wrote:
> > Hi,
> >
> > I'm having much trouble configuring Samba to work in an Active Directory environment. Using getent passwd I'm able to see AD's users. wbinfo -u and wbinfo -g also work fine. When someone from Windows tries to access my Samba server, the smb password window is shown (I think that the authentication would be transparent, wouldn't it?), and any password I provide is rejected: I tried AD users using either the plain username and the DOMAIN\username form. I tried also using my root password, without any success.
> >
> > The logs are saying:
> >
> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!
> > [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!
> >
> > Is there any special configuration I have to do on Active Directory to make AD authentication available to Samba?
>
> Almost certainly, you are running version 3.0.1, which as best I've been able to determine breaks kerberos ticket handling in the case of a Win2k/XP box trying to access SAMBA. I've reported the problem to the list, and several others have as well in recent times, but as yet I haven't noticed a clear answer as to what is broken. One fellow said that he was testing 3.0.1 with the libads code changes reverted to 3.0.0, but I don't believe he's reported back yet. (I'd be *very* interested in beta testing that! :)
>
> What works for me is going back to version 3.0.0. The reason that's not good for me is because I have a whole bunch of existing unix users that I want to map properly to existing windows users of the same names, and 3.0.1 is supposed to do that automatically. If that's not a concern for you, then you might not have any reason to care which version you are running.
>
> I'm using the redhat RPMs, and doing this sequence successfully downgrades me from 3.0.1 -> 3.0.0:
>
>   ensure that you have an admin ticket with kinit, if you do the net ads leave/join bits...
>   net ads leave
>   cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
>   /etc/rc.d/init.d/smb stop
>   /etc/rc.d/init.d/winbind stop
>   rpm -Uvh --force /usr/src/rpms/samba-3.0.0-2_rh9.i386.rpm
>   cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
>   /etc/rc.d/init.d/smb start
>   /etc/rc.d/init.d/winbind start
>   net ads join
>
> The above process assumes that you've got the rpm file downloaded in /usr/src/rpms, that you have the right rpms for your system (in my case, rh9), and guarantees that your smb.conf file doesn't get accidentally wiped out.
>
> I don't believe that the net ads leave/join part is strictly necessary. I've just been doing it whenever I upgrade/downgrade out of pedantry. My understanding is that it shouldn't be necessary, because the shared secrets/etc should be stored in the Samba TDB databases somewhere...
>
> In my case, simply changing to 3.0.0 immediately makes everything work, and going to 3.0.1 immediately makes everything break.
>
> If you want further confirmation that you are having the same problem I am, increase the logging level to something like 5, and look for unknown key table type errors shortly before the Failed to verify ticket error in your /var/log/samba/log.workstation file (assuming that you put your logs in the default linux location :)
>
> I hope that helps,
>
> Best Regards,
> -Cedric Puddy
>
> > I've already installed PAM and followed all instructions at samba.org, but it is not working. Could someone please help me?
> >
> > Thanks in advance,
> > Lindolfo
> >
> > P.S.: I've already checked both servers' time, they are synchronized.
>
> --
> -
> | CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
> | 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
> \ Cedric Puddy, IS Director [EMAIL
Re: [Samba] Samba + Active Directory
Google for "access denied, unable to connect" +samba and you'll get lots of hits. If you do that and then still can't print, check your cups error_log to see if you are getting

  Unsupported format 'application/octet-stream'

If so then you need to uncomment the line in both mime.convs and mime.types that has application/octet-stream in it. I just went through this about 2 hours ago.

On Wednesday 07 January 2004 02:10 pm, samba_list wrote:
> Hi,
>
> As Cedric suggested (thank you very much, man!!), I've downgraded my Samba from 3.0.1 to 3.0.0 and it worked!! There's no more password-asking window and no more Kerberos ticket errors.
>
> Now I'm facing a new, weird problem: my users can't print (I've installed CUPS to manage the Deskjet 840c); they receive an "access denied - unable to connect" error message when they try to print.
[Samba] Samba + Active Directory
Hi,

I'm having much trouble configuring Samba to work in an Active Directory environment. Using getent passwd I'm able to see AD's users. wbinfo -u and wbinfo -g also work fine. When someone from Windows tries to access my Samba server, the smb password window is shown (I think that the authentication would be transparent, wouldn't it?), and any password I provide is rejected: I tried AD users using either the plain username and the DOMAIN\username form. I tried also using my root password, without any success.

The logs are saying:

[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!

Is there any special configuration I have to do on Active Directory to make AD authentication available to Samba? I've already installed PAM and followed all instructions at samba.org, but it is not working. Could someone please help me?

Thanks in advance,
Lindolfo

P.S.: I've already checked both servers' time, they are synchronized.
Re: [Samba] Samba + Active Directory
On Tue, 6 Jan 2004, samba_list wrote:
> Hi,
>
> I'm having much trouble configuring Samba to work in an Active Directory environment. Using getent passwd I'm able to see AD's users. wbinfo -u and wbinfo -g also work fine. When someone from Windows tries to access my Samba server, the smb password window is shown (I think that the authentication would be transparent, wouldn't it?), and any password I provide is rejected: I tried AD users using either the plain username and the DOMAIN\username form. I tried also using my root password, without any success.
>
> The logs are saying:
>
> [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!
> [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172) Failed to verify incoming ticket!
>
> Is there any special configuration I have to do on Active Directory to make AD authentication available to Samba?

Almost certainly, you are running version 3.0.1, which as best I've been able to determine breaks kerberos ticket handling in the case of a Win2k/XP box trying to access SAMBA. I've reported the problem to the list, and several others have as well in recent times, but as yet I haven't noticed a clear answer as to what is broken. One fellow said that he was testing 3.0.1 with the libads code changes reverted to 3.0.0, but I don't believe he's reported back yet. (I'd be *very* interested in beta testing that! :)

What works for me is going back to version 3.0.0. The reason that's not good for me is because I have a whole bunch of existing unix users that I want to map properly to existing windows users of the same names, and 3.0.1 is supposed to do that automatically. If that's not a concern for you, then you might not have any reason to care which version you are running.

I'm using the redhat RPMs, and doing this sequence successfully downgrades me from 3.0.1 -> 3.0.0:

  ensure that you have an admin ticket with kinit, if you do the net ads leave/join bits...
  net ads leave
  cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
  /etc/rc.d/init.d/smb stop
  /etc/rc.d/init.d/winbind stop
  rpm -Uvh --force /usr/src/rpms/samba-3.0.0-2_rh9.i386.rpm
  cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
  /etc/rc.d/init.d/smb start
  /etc/rc.d/init.d/winbind start
  net ads join

The above process assumes that you've got the rpm file downloaded in /usr/src/rpms, that you have the right rpms for your system (in my case, rh9), and guarantees that your smb.conf file doesn't get accidentally wiped out.

I don't believe that the net ads leave/join part is strictly necessary. I've just been doing it whenever I upgrade/downgrade out of pedantry. My understanding is that it shouldn't be necessary, because the shared secrets/etc should be stored in the Samba TDB databases somewhere...

In my case, simply changing to 3.0.0 immediately makes everything work, and going to 3.0.1 immediately makes everything break.

If you want further confirmation that you are having the same problem I am, increase the logging level to something like 5, and look for unknown key table type errors shortly before the Failed to verify ticket error in your /var/log/samba/log.workstation file (assuming that you put your logs in the default linux location :)

I hope that helps,

Best Regards,
-Cedric Puddy

> I've already installed PAM and followed all instructions at samba.org, but it is not working. Could someone please help me?
>
> Thanks in advance,
> Lindolfo
>
> P.S.: I've already checked both servers' time, they are synchronized.

--
-
| CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
| 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
\ Cedric Puddy, IS Director [EMAIL PROTECTED]
  PGP Key Available at: http://www.thinkers.org/cedric
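An added example, not code from the thread or from Samba, that turns the log-reading advice in this thread into a small triage script: it parses Samba 3 smbd/winbindd records (both the native header-plus-indented-message layout and the flattened one-line form quoted above), classifies the symptoms seen in Will's winbindd.log/will.log, the "Failed to verify incoming ticket" reports, Cedric's "unknown key table type" hint and the NT_STATUS_ACCESS_DENIED case, and names the check to make next. The sample log reuses lines quoted in the thread plus one constructed access-denied record with a placeholder source location; `net ads testjoin` and `net ads changetrustpw` are Samba's own subcommands, while the symptom-to-check mapping is this example's suggestion.

```python
"""Triage Samba 3 smbd/winbindd log records for the domain-membership symptoms
this thread reports.  Added example; not code from the thread or from Samba."""
import re
from collections import Counter

# Record header: "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)".
# smbd normally writes the message on the next, indented line; the records quoted
# in this thread were flattened onto the header line, so both layouts are accepted.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), *(?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*(?P<msg>.*)$"
)

# Symptom classes in priority order, each with the follow-up check an admin of a
# domain member would make.  The checks come from this thread and Samba's own
# 'net ads' subcommands; the mapping itself is this example's suggestion.
RULES = [
    ("kerberos_ticket_rejected", r"Failed to verify incoming ticket",
     "clock skew, keytab and Samba version (3.0.1 regression discussed above)"),
    ("keytab_error", r"unknown key table type",
     "keytab handling; seen just before ticket rejections at log level 5"),
    ("access_denied", r"NT_STATUS_ACCESS_DENIED",
     "machine trust: 'net ads testjoin', then 'net ads changetrustpw'"),
    ("machine_account_lookup", r"user '[^']*\$' does not exist",
     "workstation account (name$) looked up as a Unix user; expected noise"),
    ("user_lookup_failed", r"user '[^']+' does not exist",
     "winbindd cannot resolve the user; check nsswitch.conf and winbindd health"),
    ("username_invalid", r"Username \S+ is invalid on this system",
     "ticket accepted but the principal has no Unix identity through winbind"),
]
RULES = [(name, re.compile(rx), hint) for name, rx, hint in RULES]
HINTS = {name: hint for name, _, hint in RULES}


def parse_records(text):
    """Split log text into dicts with keys ts, level, src, func, line, msg."""
    records, pending = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if pending is not None:
                records.append(pending)
            pending = m.groupdict()
        elif pending is not None and raw.startswith(" "):
            # indented continuation: the message body that follows the header line
            pending["msg"] = (pending["msg"] + " " + raw.strip()).strip()
    if pending is not None:
        records.append(pending)
    return records


def classify(msg):
    """First matching symptom class for a record's message, else 'other'."""
    for name, rx, _ in RULES:
        if rx.search(msg):
            return name
    return "other"


def triage(text):
    """Counter of symptom class -> number of records in the log text."""
    return Counter(classify(rec["msg"]) for rec in parse_records(text))


# Constructed sample: winbindd.log / will.log records quoted in the thread (some
# in smbd's native two-line layout), plus one constructed access-denied record
# with a placeholder source location.
SAMPLE_LOG = """\
[2004/04/01 09:26:33, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157)
  user 'pc1$' does not exist
[2004/04/01 09:32:37, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(157)
  user 'will' does not exist
[2004/04/01 09:26:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(245) Username DOMAIN\\PC1$ is invalid on this system
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2006/01/20 08:15:02, 1] example.c:example_func(1)
  constructed record: domain logon returned NT_STATUS_ACCESS_DENIED
[2004/03/31 11:59:05, 1] smbd/service.c:make_connection_snum(705)
  will (10.10.10.24) connect to service ftp initially as user will (uid=500, gid=100) (pid 1421)
"""

if __name__ == "__main__":
    for name, count in triage(SAMPLE_LOG).most_common():
        print(f"{count:3}  {name:26} {HINTS.get(name, 'no rule matched; inspect by hand')}")
```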
[Samba] Samba - Active Directory and folder level perm.
I have samba 2.2.7 installed on a Sol8 unix box. I have also configured winbind. My aim is to map my samba share to my win2k Active Directory server and apply folder level permissions, i.e. \\samba-server\home-share\%username%\. However, I am seeing only the SIDs Everyone and Administrator in the security tab of my share's [sub]folders.

Is there a way to implement folder level security on an Active Directory server for samba mounted shares? I can see my users from wbinfo -u.
[Samba] Samba + Active Directory
Hi!

I'm trying to use Samba 3.0 (CVS) as a PDC for Win2000. After reading some Howtos it works great to join the domain and to log in, but a big problem is still there. I want to have at least one Domain Administrator, but I don't know how to make one. The Howtos and manuals (which are made for 2.2) say that you have to insert DomainAdminGroup = adm (or something like that) in the smb.conf. An old Howto says DomainAdminUsers = ...; I've tried this, too. But that doesn't work.

Now I've read that samba 3.0 supports Active Directory. But the functions for that are nowhere documented or described. Can anybody tell me what to do?

Thanks in advance and sorry for my English :)

Florian Flachmeier, Diepholz, Germany
Re: [Samba] Samba + Active Directory
Florian Flachmeier wrote:
> Hi!
>
> I'm trying to use Samba 3.0 (CVS) as a PDC for Win2000. After reading some Howtos it works great to join the domain and to log in, but a big problem is still there. I want to have at least one Domain Administrator, but I don't know how to make one. The Howtos and manuals (which are made for 2.2) say that you have to insert

This all changed in 3.0. Look up the GROUP-MAPPING-HOWTO.txt in textdocs/

Andrew Bartlett

-
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net