[Samba] SAMBA + open LDAP + password hashing
Hi everybody,

I'm running an Ubuntu server as fileserver for OS X clients using netatalk and now I need to add support to Samba for Windows clients. Every user has an account on the OpenLDAP user base and every account has a password stored using SSHA hashing.

I would like to know if I can use the same user base with Samba and how to configure it to use SSHA instead of NT/LM, or if there is an alternative.

Thanks
Bye
*Alberto*

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] SAMBA + open LDAP + password hashing
Many thanks for the answer, you solved a doubt I had for a long time.

What do you mean when you say other than Kerberos? Can you point me to some documentation or a how-to for setting up samba + kerberos + ldap?

Thanks
*Alberto Aldrigo*

On 02/10/13 20:57, Andrew Bartlett wrote:
> On Wed, 2013-10-02 at 11:46 +0200, Alberto Aldrigo | Ca' Tron RE wrote:
>> Hi everybody, I'm running an Ubuntu server as fileserver for Osx clients using netatalk and now I need to add support to samba for windows clients. Every user has an account on open LDAP user base and every account has a password stored using SSHA hashing. I would like to know if I can use the same user base with samba and how to configure it to use ssha instead of NT/LM or if there is an alternative.
>
> No, there is no alternative (other than Kerberos). The encryption types are incompatible.
>
> Andrew Bartlett
Re: [Samba] SAMBA + open LDAP + password hashing
On Thu, 2013-10-03 at 09:41 +0200, Alberto Aldrigo | Ca' Tron RE wrote:
> Many thanks for the answer, you solved a doubt I had for a long time. What do you mean when you say other than kerberos ? Can you point me to some documentation or how to for setting up samba + kerberos + ldap? Thanks

The easiest way to do Samba + kerberos + ldap is to set up Samba as an AD DC.

That said, I shouldn't have mentioned Kerberos in the context of your original query, as it still has the same issues of needing those password types, which you don't have.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
Re: [Samba] SAMBA + open LDAP + password hashing
On Wed, 2013-10-02 at 11:46 +0200, Alberto Aldrigo | Ca' Tron RE wrote:
> Hi everybody, I'm running an Ubuntu server as fileserver for Osx clients using netatalk and now I need to add support to samba for windows clients. Every user has an account on open LDAP user base and every account has a password stored using SSHA hashing. I would like to know if I can use the same user base with samba and how to configure it to use ssha instead of NT/LM or if there is an alternative.

No, there is no alternative (other than Kerberos). The encryption types are incompatible.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] Samba 4.1 LDAP error joining domain as DC
Fresh download of Samba 4.1 RC4 source code. Simple build:

./configure
make
make install

Trying to join an existing domain as a domain controller. The domain and forest are both Windows 2008 R2 operational level. There is a single Windows Server 2012 DC.

Running the following command to join:

# samba-tool domain join mydomain.com DC -d3 -Umydomain.com\\administrator --dns-backend=BIND9_DLZ
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Finding a writeable DC for domain 'mydomain.com'
Found DC win-server.mydomain.com
Password for [mydomain.com\administrator]:
workgroup is MYDOMAIN
realm is mydomain.com
checking sAMAccountName
Adding CN=smb-server,OU=Domain Controllers,DC=mydomain,DC=com
Adding CN=smb-server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Adding CN=NTDS Settings,CN=smb-server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Using binding ncacn_ip_tcp:win-server.mydomain.com[,seal]
Adding SPNs to CN=smb-server,OU=Domain Controllers,DC=mydomain,DC=com
Setting account password for smb-server$
Enabling account
Adding DNS account CN=dns-smb-server,CN=Users,DC=mydomain,DC=com with dns/ SPN
Join failed - cleaning up
checking sAMAccountName
Deleted CN=smb-server,OU=Domain Controllers,DC=mydomain,DC=com
Deleted CN=NTDS Settings,CN=smb-server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
Deleted CN=smb-server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - 052D: SvcErr: DSID-031A129B, problem 5003 (WILL_NOT_PERFORM), data 0
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 1169, in join_DC
    ctx.do_join()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 1072, in do_join
    ctx.join_add_objects()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 616, in join_add_objects
    ctx.samdb.add(msg)

Anyone have any ideas?

Thanks,
Pete
Re: [Samba] Samba 4.1 LDAP error joining domain as DC
I tried joining the domain as a member, which worked. I then tried to promote the server to a DC using samba-tool domain dcpromo but it failed with the same error:

ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - 052D: SvcErr: DSID-031A129B, problem 5003 (WILL_NOT_PERFORM), data 0
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 482, in run
    promote_existing=True)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 1169, in join_DC
    ctx.do_join()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 1072, in do_join
    ctx.join_add_objects()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 616, in join_add_objects
    ctx.samdb.add(msg)

Pete
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Luc,

Very helpful... I'm doing a migration from a very non-standard samba ldap implementation that we can't just migrate. We would like to save the users' passwords though. I'm testing using known password hashes and I'm having trouble authenticating after I change the passwords. How can I extract what is being inserted into samba4 in order to verify that I'm doing things correctly?

Thanks!
Bo
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Duh... got it, nvm...

import binascii

# s4_passdb is the passdb.PDB handle opened in Luc's script.
# Read the account back and print the stored NT hash as hex.
new_userdata = s4_passdb.getsampwnam("jtest")
print(binascii.hexlify(new_userdata.nt_passwd))

And my troubleshooting was required by a typo that I made.. argh!
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Ok this works:

#!/usr/bin/env python
import sys

# Make the Samba 4 Python bindings importable (source-build install paths)
sys.path.insert(0, "/usr/local/samba/lib64/python2.6/site-packages")
sys.path.insert(1, "/usr/local/samba/lib/python2.6/site-packages")

from samba import Ldb, registry
from samba.param import LoadParm
from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl
from samba.samba3 import passdb
from samba.samba3 import param as s3param
from samba.dcerpc import lsa, samr, security
from samba.dcerpc.security import dom_sid
from samba.credentials import Credentials
from samba import dsdb
from samba.ndr import ndr_pack
from samba import unix2nttime

# Convert Hex to Byte string
def HexToByte( hexStr ):
    bytes = []
    hexStr = ''.join( hexStr.split( ) )
    for i in range(0, len(hexStr), 2):
        bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
    return ''.join( bytes )

# Connect to samba4 backend
new_lp_ctx = s3param.get_context()
new_lp_ctx.load("/usr/local/samba/etc/smb.conf")
new_lp_ctx.set("private dir", "/usr/local/samba/private")
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

# Change testuser password (hashes are stored as raw bytes, not hex text)
new_userdata = s4_passdb.getsampwnam("testuser")
new_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
new_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
s4_passdb.update_sam_account(new_userdata)

I was missing some module paths and the extra info for connecting to the LDB database...

Now I just have to generalize this procedure so that I can update the passwords every night like I do with Samba3-LDAP.

Andrew, thanks for the pointers. I'm posting this in case it can help someone else.

--
Luc Lalonde, analyste - Département de génie informatique: École polytechnique de Montréal (514) 340-4711 x5049 luc.lalo...@polymtl.ca
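An added sketch (not code from the thread or from Samba) of the nightly generalization Luc mentions, combined with the read-back check Bo describes: each hex hash is validated as exactly 16 bytes before it is written, and every account is read back after the update. It relies only on the getsampwnam / update_sam_account calls shown in the thread; the user:LM:NT feed format, the function names, and the in-memory FakePDB stand-in (used so the example runs without a Samba install) are assumptions.

```python
import binascii

HASH_BYTES = 16  # NT and LM hashes are 16 raw bytes, i.e. 32 hex digits

# Constructed sample feed (assumed format user:LMHEX:NTHEX), using the
# hash values quoted in the thread.
SAMPLE_FEED = [
    "testuser:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353FC7",
    "shorty:552902031BEDE9EF:878D8014606CDA29677A44EFA1353FC7",
    "typo:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353FCZ",
    "ghost:552902031BEDE9EFAAD3B435B51404EE:878D8014606CDA29677A44EFA1353FC7",
]


def hex_to_hash(hex_str):
    """Convert a 32-digit hex string to the 16 raw bytes passdb stores."""
    cleaned = "".join(hex_str.split())
    try:
        raw = binascii.unhexlify(cleaned)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("not a hex string: %r" % hex_str)
    if len(raw) != HASH_BYTES:
        raise ValueError("expected %d bytes, got %d" % (HASH_BYTES, len(raw)))
    return raw


def parse_feed(lines):
    """Return (records, errors); a bad line is reported, never written."""
    records, errors = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            errors.append((lineno, "expected user:LM:NT"))
            continue
        user, lm_hex, nt_hex = parts
        try:
            records.append((user, hex_to_hash(lm_hex), hex_to_hash(nt_hex)))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return records, errors


def inject(pdb, records):
    """Write each record, then read it back; returns {user: verified}."""
    results = {}
    for user, lm, nt in records:
        try:
            acct = pdb.getsampwnam(user)
        except Exception:  # lookup failure type depends on the backend
            results[user] = False
            continue
        acct.nt_passwd = nt
        acct.lanman_passwd = lm
        pdb.update_sam_account(acct)
        stored = pdb.getsampwnam(user)
        results[user] = (stored.nt_passwd == nt and stored.lanman_passwd == lm)
    return results


class FakeAccount(object):
    def __init__(self, username, nt=None, lm=None):
        self.username, self.nt_passwd, self.lanman_passwd = username, nt, lm


class FakePDB(object):
    """Constructed in-memory stand-in for passdb.PDB (assumption)."""

    def __init__(self, usernames):
        self._store = dict((u, (None, None)) for u in usernames)

    def getsampwnam(self, username):
        nt, lm = self._store[username]  # KeyError for unknown users
        return FakeAccount(username, nt, lm)

    def update_sam_account(self, acct):
        self._store[acct.username] = (acct.nt_passwd, acct.lanman_passwd)


if __name__ == "__main__":
    records, errors = parse_feed(SAMPLE_FEED)
    for lineno, reason in errors:
        print("skipped line %d: %s" % (lineno, reason))
    pdb = FakePDB(["testuser"])
    for user, ok in sorted(inject(pdb, records).items()):
        print("%s: %s" % (user, "verified" if ok else "FAILED"))
```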
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Hello Andrew,

Would this work:

###
def HexToByte( hexStr ):
    ##
    ## Taken from ActiveState Code recipes:
    ## http://code.activestate.com/recipes/510399-byte-to-hex-and-hex-to-byte-string-conversion
    bytes = []
    hexStr = ''.join( hexStr.split( ) )
    for i in range(0, len(hexStr), 2):
        bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
    return ''.join( bytes )

# Connect to samba4 backend
s4_passdb = passdb.PDB("samba4")

# Change foo-user password
admin_userdata = s4_passdb.getsampwnam("foo-user")
admin_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
admin_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
s4_passdb.update_sam_account(admin_userdata)
###

I'm trying to figure out how to connect to the local Samba4 database... What I have above 's4_passdb = passdb.PDB("samba4")' doesn't work. I tried 'ldb', 'samba_dsdb', and 'samba4' without success.

Any hints please?

Thanks!

--
Luc Lalonde, analyste - Département de génie informatique: École polytechnique de Montréal (514) 340-4711 x5049 luc.lalo...@polymtl.ca
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
> Hello Andrew,
>
> I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best. Here we go anyway...
>
> I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:
>
> ###
> # Connect to samba4 backend
> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
>
> I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?
>
> Once that's done, from what I understand, I should be able to change the passwords directly:
>
> ###
> # Change foo-user password
> admin_userdata = s4_passdb.getsampwnam("foo-user")
> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
> s4_passdb.update_sam_account(admin_userdata)
> ###

Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Hello Andrew,

How would I convert the below base16 strings into raw bytes acceptable to this routine? We presently inject the NTLM passwords directly into our LDAP database for Samba3.

Also, I can't seem to figure out the argument values for 'passdb.PDB'. I tried 'ldb', 'samba_dsdb'.

Thanks for your help!

On 2013-03-27, at 6:18 PM, Andrew Bartlett abart...@samba.org wrote:
> On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
>> Hello Andrew,
>>
>> I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best. Here we go anyway...
>>
>> I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:
>>
>> ###
>> # Connect to samba4 backend
>> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
>>
>> I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?
>>
>> Once that's done, from what I understand, I should be able to change the passwords directly:
>>
>> ###
>> # Change foo-user password
>> admin_userdata = s4_passdb.getsampwnam("foo-user")
>> admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
>> admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
>> s4_passdb.update_sam_account(admin_userdata)
>> ###
>
> Sort of. Those values are not base16 strings, but raw bytes, but otherwise that looks pretty much right at a first glance.
>
> Andrew Bartlett
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
Hello Andrew,

I'm finally diving into this project... First off, my sysadmin stuff is mostly in Perl. So my Python is rudimentary at best. Here we go anyway...

I've looked at the 'upgrade.py' but I can't seem to figure out how to connect to the Samba4 passwd database. In the script I see these lines:

###
# Connect to samba4 backend
s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))

I would appreciate a hint on how to connect to the database please. Where is the 'passdb' object referenced from?

Once that's done, from what I understand, I should be able to change the passwords directly:

###
# Change foo-user password
admin_userdata = s4_passdb.getsampwnam("foo-user")
admin_userdata.nt_passwd = "878D8014606CDA29677A44EFA1353FC7"
admin_userdata.lanman_passwd = "552902031BEDE9EFAAD3B435B51404EE"
s4_passdb.update_sam_account(admin_userdata)
###

Is that right?

Cheers.

--
Luc Lalonde, analyste - Département de génie informatique: École polytechnique de Montréal (514) 340-4711 x5049 luc.lalo...@polymtl.ca

----- Original Message -----
From: Andrew Bartlett abart...@samba.org
To: Luc Lalonde luc.lalo...@polymtl.ca
Cc: samba@lists.samba.org
Sent: Tuesday, December 11, 2012 10:22:21 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection

On Tue, 2012-12-11 at 21:48 -0500, Luc Lalonde wrote:
> Hello Folks,
>
> In our present Samba-3 setup we update user passwords in our LDAP backend. We only have access to the encrypted NTLM passwords and use Perl scripts to do this.
>
> Beyond importing the user database with the 'Classic upgrade' method, will we be able to adapt our Perl scripts so that we can keep updating the internal Samba-4 database with the encrypted passwords as we did with Samba-3?
>
> We've been using Samba for many years now and very much appreciate all the work done by the Samba team. Congrats on getting Samba-4 to stable status!

Yes, you can continue to do that. The best approach would be to set it via the ldb python bindings, specifying the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control and unicodePwd, or via the python or C passdb API.

One approach you could code from is how we set the administrator password during the 'classicupgrade' script in source4/scripting/python/samba/upgrade.py.

Give that a go, but if you need more clues I'm very happy to help out.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] Samba/Winbind/LDAP connection issue.
Hi, I have been having an issue with my samba/winbind since I updated from samba 3.5 to 3.6. Below is the error I am getting from my log file, and the samba config file. I am running Red Hat 6.4.
nmbd[2188]: [2013/03/10 13:25:14.327717, 0] nmbd/nmbd_namequery.c:108(query_name_response)
Mar 10 13:25:14 c89005 nmbd[2188]: query_name_response: Multiple (2) responses received for a query on subnet x.x.x.x for name MYDOMAIN1d.
Mar 10 13:25:14 c89005 nmbd[2188]: This response was from IP x.x.x.x, reporting an IP address of x.x.x.x.
Mar 11 00:01:14 c89005 nslcd[1587]: [88ddb1] ldap_result() timed out
Mar 11 05:00:19 c89005 nslcd[1587]: [9be780] ldap_result() timed out
Mar 11 14:58:12 c89005 winbindd[23655]: [2013/03/11 14:58:12.385839, 0] lib/smbldap.c:697(smbldap_store_state)
Mar 11 14:58:12 c89005 winbindd[23655]: PANIC: assert failed at lib/smbldap.c(697): tmp_ldap_state == smbldap_state
Mar 11 14:58:12 c89005 winbindd[23655]: [2013/03/11 14:58:12.606028, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
Mar 11 14:58:12 c89005 winbindd[23655]: idmap_alloc module tdb already registered!
Mar 11 14:58:12 c89005 winbindd[23655]: [2013/03/11 14:58:12.606204, 0] winbindd/idmap.c:149(smb_register_idmap)
Mar 11 14:58:12 c89005 winbindd[23655]: Idmap module passdb already registered!
Mar 11 14:58:12 c89005 winbindd[23655]: [2013/03/11 14:58:12.606284, 0] winbindd/idmap.c:149(smb_register_idmap)
Mar 11 14:58:12 c89005 winbindd[23655]: Idmap module nss already registered!
Mar 11 14:58:12 c89005 winbindd[23655]: [2013/03/11 14:58:12.614752, 0] lib/smbldap.c:1153(smbldap_connect_system)
Mar 11 14:58:12 c89005 winbindd[23655]: failed to bind to server ldap:// ldap.science.purdue.edu/ with dn=cn=SlapHappy,dc=science,dc=lcl Error: Invalid credentials
Mar 11 14:58:12 c89005 winbindd[23655]: #011(unknown)
Mar 11 14:58:27 c89005 winbindd[23655]: [2013/03/11 14:58:27.762968, 0] winbindd/idmap.c:599(idmap_alloc_init)
Mar 11 14:58:27 c89005 winbindd[23655]: ERROR: Initialization failed for alloc backend, deferred!
Mar 11 14:58:27 c89005 winbindd[23655]: [2013/03/11 14:58:27.794053, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
Mar 11 14:58:27 c89005 winbindd[23655]: idmap_alloc module tdb already registered!
Mar 11 14:58:27 c89005 winbindd[23655]: [2013/03/11 14:58:27.794192, 0] winbindd/idmap.c:149(smb_register_idmap)
Mar 11 14:58:27 c89005 winbindd[23655]: Idmap module passdb already registered!
Mar 11 14:58:27 c89005 winbindd[23655]: [2013/03/11 14:58:27.794270, 0] winbindd/idmap.c:149(smb_register_idmap)
Mar 11 14:58:27 c89005 winbindd[23655]: Idmap module nss already registered!
Mar 11 14:58:27 c89005 winbindd[23655]: [2013/03/11 14:58:27.803810, 0] lib/smbldap.c:1153(smbldap_connect_system)
Mar 11 14:58:27 c89005 winbindd[23655]: failed to bind to server ldap:// ldap.science.purdue.edu/ with dn=cn=SlapHappy,dc=science,dc=lcl Error: Invalid credentials
Mar 11 14:58:27 c89005 winbindd[23655]: #011(unknown)
Mar 11 14:58:42 c89005 winbindd[23655]: [2013/03/11 14:58:42.950615, 0] winbindd/idmap.c:599(idmap_alloc_init)
Mar 11 14:58:42 c89005 winbindd[23655]: ERROR: Initialization failed for alloc backend, deferred!
[global]
netbios name = C89005
server string = Samba Server Version %v
workgroup = MYDOMAIN
realm = CENTRAL.MYDOMAN.LCL
security = ADS
password server = *
passdb backend = tdbsam
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
unix extensions = no
host msdfs = yes
socket options = TCP_NODELAY
smb ports = 445
##LOGS
# max 1MB per log file, then rotate
max log size = 1024
## WINS
domain master = no
local master = no
preferred master = no
dns proxy = no
wins server = 128.210.30.240
## PRINTING
printing = bsd
printcap name = /dev/null
load printers = no
## WINBIND
winbind use default domain = true
winbind offline logon = false
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind normalize names = yes
obey pam restrictions = no
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/%D/%U
ldap ssl = start tls
ldap suffix = dc=science,dc=lcl
ldap idmap suffix = ou=idmap
ldap admin dn = cn=SlapHappy,dc=science,dc=lcl
idmap uid = 5000-20
idmap gid = 5000-20
idmap backend = ldap:ldap://ldap.example.edu/
idmap config:ldap_base_dn = ou=idmap,dc=science,dc=lcl
idmap config:ldap_user_dn = cn=SlapHappy,dc=science,dc=lcl
idmap alloc backend = ldap
idmap alloc config: ldap_url = ldap://ldap.example.edu/
idmap alloc config: ldap_base_dn = ou=idmap,dc=science,dc=lcl
idmap alloc config: ldap_user_dn
[Samba] Samba 4 LDAP NTLM password nightly injection
Hello Folks, In our present Samba-3 setup we update user passwords in our LDAP backend. We only have access to the encrypted NTLM passwords and use Perl scripts to do this. Beyond importing the user database with the 'Classic upgrade' method, will we be able to adapt our Perl scripts so that we can keep updating the internal Samba-4 database with the encrypted passwords as we did with Samba-3? We've been using Samba for many years now and very much appreciate all the work done by the Samba team. Congrats on getting Samba-4 to stable status! Thank You!
Re: [Samba] Samba 4 LDAP NTLM password nightly injection
On Tue, 2012-12-11 at 21:48 -0500, Luc Lalonde wrote:
Hello Folks, In our present Samba-3 setup we update user passwords in our LDAP backend. We only have access to the encrypted NTLM passwords and use Perl scripts to do this. Beyond importing the user database with the 'Classic upgrade' method, will we be able to adapt our Perl scripts so that we can keep updating the internal Samba-4 database with the encrypted passwords as we did with Samba-3? We've been using Samba for many years now and very much appreciate all the work done by the Samba team. Congrats on getting Samba-4 to stable status!
Yes, you can continue to do that. The best approach would be to set it via the ldb python bindings, specifying the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control and unicodePwd, or via the python or C passdb API. One approach you could code from is how we set the administrator password during the 'classicupgrade' script in source4/scripting/python/samba/upgrade.py. Give that a go, but if you need more clues I'm very happy to help out.
Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
[Samba] Samba x Ldap Latency change groups
I have a problem and need some help with this. I'm using 389ds + samba 3.6.9. I have LDAP integrated with samba and it works: I can log in successfully, assign permissions with ACLs and create shared folders, all right. But when I insert a user in a Samba group, it takes between 20 ~ 30 minutes to work. I already restarted the service and restarted the server, but the user is only inserted after that time. What do I have to do?
Re: [Samba] Samba x Ldap Latency change groups
On Wed, Oct 31, 2012 at 11:31:21AM -0300, Flávio wrote:
I have a problem and need some help with this. I'm using 389ds + samba 3.6.9. I have LDAP integrated with samba and it works: I can log in successfully, assign permissions with ACLs and create shared folders, all right. But when I insert a user in a Samba group, it takes between 20 ~ 30 minutes to work. I already restarted the service and restarted the server, but the user is only inserted after that time. What do I have to do?
Are you using nscd caching? Try turning it off.
[Samba] Samba and LDAP
Hello! I have a doubt. I configured LDAP with Samba, and LDAP is running. But I can't log in to the domain. I change the user password with smbldap-passwd, but that is not sufficient to log in. Then I have to use smbpasswd -a username, and then I can authenticate in the domain with the user. Is it wrong to use smbpasswd? Thanks Rodrigo Faria Tavares Administrator System Linux
Re: [Samba] Samba and LDAP
You can use smbpasswd or pdbedit to add a samba user. Actually, if the LDAP user already exists the smbpasswd or pdbedit command adds various samba attributes. You should look at the LDAP properties of a user before and after you run the smbpasswd -a or pdbedit -a command. I like the Apache Directory Studio ldap editor/browser, although you can also use ldapsearch from the command line. You will see that the samba-enabled LDAP accounts have additional object classes and attributes. I have Samba 3.x with an LDAP backend. Not all LDAP users are Samba users, since we use LDAP for other things besides samba. By default, samba expects that the ldap user already exists. However, it is possible for samba to be configured to automatically create and delete the ldap user.
On 07/31/12 08:18, rodrigo tavares wrote:
Hello! I have a doubt. I configured LDAP with Samba, and LDAP is running. But I can't log in to the domain. I change the user password with smbldap-passwd, but that is not sufficient to log in. Then I have to use smbpasswd -a username, and then I can authenticate in the domain with the user. Is it wrong to use smbpasswd? Thanks Rodrigo Faria Tavares Administrator System Linux
[Samba] samba PDC + ldap: segfault in uid_to_sid/_nss_ldap_getpwuid_r
All, on a fairly large (73 TB XFS) file server running CentOS 6.2, samba 3.5.10-116.el6_2 I see pretty frequently backtraces like this one:
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793851, 0] lib/fault.c:46(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: ===
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793921, 0] lib/fault.c:47(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: INTERNAL ERROR: Signal 11 in pid 11709 (3.5.10-116.el6_2.slrdbg2)
May 11 15:54:19 vrfs001 smbd[11709]: Please read the Trouble-Shooting section of the Samba3-HOWTO
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793947, 0] lib/fault.c:49(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]:
May 11 15:54:19 vrfs001 smbd[11709]: From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793982, 0] lib/fault.c:50(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]: ===
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.794010, 0] lib/util.c:1490(smb_panic)
May 11 15:54:19 vrfs001 smbd[11709]: PANIC (pid 11709): internal error
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.826895, 0] lib/util.c:1594(log_stack_trace)
May 11 15:54:19 vrfs001 smbd[11709]: BACKTRACE: 29 stack frames:
May 11 15:54:19 vrfs001 smbd[11709]:#0 smbd(log_stack_trace+0x1a) [0x7fae111cc8aa]
May 11 15:54:19 vrfs001 smbd[11709]:#1 smbd(smb_panic+0x1f) [0x7fae111cc96f]
May 11 15:54:19 vrfs001 smbd[11709]:#2 smbd(+0x36b26d) [0x7fae111bc26d]
May 11 15:54:19 vrfs001 smbd[11709]:#3 /lib64/libc.so.6(+0x32900) [0x7fae0e030900]
May 11 15:54:19 vrfs001 smbd[11709]:#4 /lib64/libnss_ldap.so.2(_nss_ldap_getpwuid_r+0x15d) [0x7fae03586a6d]
May 11 15:54:19 vrfs001 smbd[11709]:#5 /lib64/libc.so.6(getpwuid_r+0xdd) [0x7fae0e0a84ed]
May 11 15:54:19 vrfs001 smbd[11709]:#6 /lib64/libc.so.6(getpwuid+0x6f) [0x7fae0e0a7ddf]
May 11 15:54:19 vrfs001 smbd[11709]:#7 smbd(+0x31bd5d) [0x7fae1116cd5d]
May 11 15:54:19 vrfs001 smbd[11709]:#8 smbd(+0x32174f) [0x7fae1117274f]
May 11 15:54:19 vrfs001 smbd[11709]:#9 smbd(uid_to_sid+0x10b) [0x7fae1117291b]
May 11 15:54:19 vrfs001 smbd[11709]:#10 smbd(create_file_sids+0x1f) [0x7fae10facd0f]
May 11 15:54:19 vrfs001 smbd[11709]:#11 smbd(+0x164689) [0x7fae10fb5689]
May 11 15:54:19 vrfs001 smbd[11709]:#12 smbd(posix_get_nt_acl+0x10b) [0x7fae10fb63fb]
May 11 15:54:19 vrfs001 smbd[11709]:#13 smbd(+0x1872bd) [0x7fae10fd82bd]
May 11 15:54:19 vrfs001 smbd[11709]:#14 smbd(smb_vfs_call_get_nt_acl+0x2d) [0x7fae10fa7b9d]
May 11 15:54:19 vrfs001 smbd[11709]:#15 smbd(can_access_file_acl+0x6f) [0x7fae10fc7d1f]
May 11 15:54:19 vrfs001 smbd[11709]:#16 smbd(reply_ntcreate_and_X+0xf25) [0x7fae10f69a65]
May 11 15:54:19 vrfs001 smbd[11709]:#17 smbd(+0x1690f5) [0x7fae10fba0f5]
May 11 15:54:19 vrfs001 smbd[11709]:#18 smbd(+0x169497) [0x7fae10fba497]
May 11 15:54:19 vrfs001 smbd[11709]:#19 smbd(+0x1699f8) [0x7fae10fba9f8]
May 11 15:54:19 vrfs001 smbd[11709]:#20 smbd(run_events+0x22b) [0x7fae111dcbbb]
May 11 15:54:19 vrfs001 smbd[11709]:#21 smbd(smbd_process+0x82b) [0x7fae10fb966b]
May 11 15:54:19 vrfs001 smbd[11709]:#22 smbd(+0x678fce) [0x7fae114c9fce]
May 11 15:54:19 vrfs001 smbd[11709]:#23 smbd(run_events+0x22b) [0x7fae111dcbbb]
May 11 15:54:19 vrfs001 smbd[11709]:#24 smbd(+0x38bee1) [0x7fae111dcee1]
May 11 15:54:19 vrfs001 smbd[11709]:#25 smbd(_tevent_loop_once+0x90) [0x7fae111dd2c0]
May 11 15:54:19 vrfs001 smbd[11709]:#26 smbd(main+0xb7b) [0x7fae114cad2b]
May 11 15:54:19 vrfs001 smbd[11709]:#27 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7fae0e01ccdd]
May 11 15:54:19 vrfs001 smbd[11709]:#28 smbd(+0xea849) [0x7fae10f3b849]
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.827188, 0] lib/fault.c:326(dump_core)
May 11 15:54:19 vrfs001 smbd[11709]: dumping core in /var/log/samba/cores/smbd
pwuid information is stored in OpenLDAP on this machine - could this be related? anyone ever seen this - any clue how to debug this further?
thanks, guenter
[Samba] SAMBA-FREERADIUS-LDAP
Hi, this is my first e-mail on this list and I am also a samba newbie. I'll explain what I'd like to do with my LAN and ask you for some advice. I've got a Debian Squeeze server. I installed an LDAP server with some groups and users. The LAN has a computer room with 30 Ubuntu PCs. In addition to these there are other computers that can connect to the LAN using a wireless connection, and they can have different operating systems (Mac, Windows, Ubuntu). I want every user to be able to connect using a computer in the room or his own computer. Every user will be registered on the LDAP server. I want every user to have his home directory on the server and not on the client. I can configure only the clients in the computer room, but I can't configure the others (Mac, Windows, Ubuntu) because I won't be on site, so I'll not use Winbind. I want, if possible, to configure Freeradius for wireless authentication using LDAP credentials. After this authentication the user will be able to enter his home directory on the server. What do you think? Thanks Z.
Re: [Samba] SAMBA-FREERADIUS-LDAP
Hello, stefano, You wrote on 26.04.12:
The LAN has a computer room with 30 Ubuntu PCs. In addition to these there are other computers that can connect to the LAN using a wireless connection, and they can have different operating systems (Mac, Windows, Ubuntu). I want every user to be able to connect using a computer in the room or his own computer. Every user will be registered on the LDAP server. I want every user to have his home directory on the server and not on the client.
We try/evaluate a solution for this problem on/in some schools. No freeradius, no LDAP. The clients try to log in to the samba domain on the Linux-/Samba server; they must have a linux-/samba account on this server. That's all. No Microsoft domain, no machine account or so. Quite simple. The next probable problem (not related to samba): the server also works as a communication server, as a proxy server for surfing. We have defined that using the proxy server requires an authentication (with the linux account) - it works. No Microsoft domain, no winbind etc. The client works as a kind of thin client. It must have an OS which can mount samba shares - that's enough.
Best regards! Helmut
Re: [Samba] SAMBA-FREERADIUS-LDAP
Wow, this is a good idea. I'll think about a change. I have some questions: I need the login screen to appear after the client powers on. Is it like this in your solution too? I found many manuals and guides, but every one explains samba configuration with windows, hosts, winbind, etc. and I am confused about it. I don't understand the difference in the configuration when not using winbind and hosts. Which proxy server do you have? Did you also configure pam for the login? Thank you Z.
On 04/26/2012 10:55 AM, Helmut Hullen wrote:
Hello, stefano, You wrote on 26.04.12:
The LAN has a computer room with 30 Ubuntu PCs. In addition to these there are other computers that can connect to the LAN using a wireless connection, and they can have different operating systems (Mac, Windows, Ubuntu). I want every user to be able to connect using a computer in the room or his own computer. Every user will be registered on the LDAP server. I want every user to have his home directory on the server and not on the client.
We try/evaluate a solution for this problem on/in some schools. No freeradius, no LDAP. The clients try to log in to the samba domain on the Linux-/Samba server; they must have a linux-/samba account on this server. That's all. No Microsoft domain, no machine account or so. Quite simple. The next probable problem (not related to samba): the server also works as a communication server, as a proxy server for surfing. We have defined that using the proxy server requires an authentication (with the linux account) - it works. No Microsoft domain, no winbind etc. The client works as a kind of thin client. It must have an OS which can mount samba shares - that's enough.
Best regards! Helmut
Re: [Samba] SAMBA-FREERADIUS-LDAP
Hello, stefano, You wrote on 26.04.12:
I have some questions: I need the login screen to appear after the client powers on. Is it like this in your solution too?
No - that's at least impossible for private machines. Our school machines can show such a screen via autostart (or something like this).
I found many manuals and guides, but every one explains samba configuration with windows, hosts, winbind, etc. and I am confused about it. I don't understand the difference in the configuration when not using winbind and hosts.
If I have understood the relations (and I'm not sure): you don't need winbind if you only use a samba server (and no microsoft server).
Which proxy server do you have?
We use squid - works fine.
Did you also configure pam for the login?
No - we use slackware as base distribution, and slackware doesn't need pam. But if I have understood the special pam scripts and configuration files: maybe you don't need to change them. It's really a quite simple configuration: the server runs samba, and samba has an smb domain (p.e. WORKGROUP) and some shares. The clients run some application which can mount samba shares. And the user of the client must have a linux-/samba account on the server, for logging in, for own shares (home), for shared shares (public) etc.
Best regards! Helmut
[Samba] Samba 3.6.3 LDAP errors in logs
Hi I have recently upgraded our Samba 3.4.2 servers (LDAP 2.4.21 backend) to Samba 3.6.3. Since the upgrade, I have the following errors in our logs every time a Windows 7 client logs in:
* 2012/04/19 11:41:33, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PCNAME machine account PCNAME$*
The user is able to login fine and everything appears to be working. However I would like to resolve this message as it looks terrible in the logs. Applied all windows 7 reg fixes, have disabled password change requirement on the win7 pcs. I would appreciate any help I can get; I have googled this for a couple of weeks now and cannot find a resolution. Thank you Candy M
[Samba] Samba 4 LDAP security
Hi I'm using Samba 4 to serve Linux and win 7 clients. I'd like to use GSSAPI to bind to the Samba 4 LDAP to extract the attributes I've added for the Linux clients. nslcd advertises such support, but keeps telling me 'Unknown authentication method'. As a workaround I've done this: I'm using nss-ldapd to map user attributes via nfs4 to the Linux clients. Works fine, but the binddn and bindpw have to be stored in /etc. nslcd runs as user nslcd and I have the permissions on /etc/nslcd.conf set to 0400 nslcd:nslcd. I've discovered that any user can do the bind, so it's not the Admin password that is needed. Until I can get the kerberized bind working (probably never!), any comments about the security of this? Are there other processes where passwords have to be stored in a file? Thanks, Steve
Re: [Samba] Samba with LDAP Authentication
Check out the SASL libraries.
On 01/10/2012 04:35 PM, steve wrote:
On 01/10/2012 09:50 PM, Amit More wrote:
Hello All, I want to authenticate existing LDAP users to samba shares. From what I have been reading, it seems like there are two ways to achieve this:
1. Configure samba to use plaintext passwords (encrypt passwords = no in smb.conf) and configure clients to send unencrypted passwords.
2. Use smbpasswd utility to add users. Using this utility the user's samba password will be different from the LDAP password.
I don't want to use plaintext authentication so cannot use the first method described here. I also want the samba password to be the same as the LDAP password and must be in sync. Is there any way to achieve this? Can anyone please point me in the right direction? I would really appreciate your help. Thanks, Amit
Hi. We have a one password solution like you describe running on openSUSE. There is a good howto here: http://digiplan.eu.org/ldap-samba-howto-v4.html It may get you started at least. HTH Steve
[Samba] Samba with LDAP Authentication
Hello All, I want to authenticate existing LDAP users to samba shares. From what I have been reading, it seems like there are two ways to achieve this:
1. Configure samba to use plaintext passwords (encrypt passwords = no in smb.conf) and configure clients to send unencrypted passwords.
2. Use smbpasswd utility to add users. Using this utility the user's samba password will be different from the LDAP password.
I don't want to use plaintext authentication so cannot use the first method described here. I also want the samba password to be the same as the LDAP password and must be in sync. Is there any way to achieve this? Can anyone please point me in the right direction? I would really appreciate your help. Thanks, Amit
Re: [Samba] Samba with LDAP Authentication
On 01/10/2012 09:50 PM, Amit More wrote:
Hello All, I want to authenticate existing LDAP users to samba shares. From what I have been reading, it seems like there are two ways to achieve this:
1. Configure samba to use plaintext passwords (encrypt passwords = no in smb.conf) and configure clients to send unencrypted passwords.
2. Use smbpasswd utility to add users. Using this utility the user's samba password will be different from the LDAP password.
I don't want to use plaintext authentication so cannot use the first method described here. I also want the samba password to be the same as the LDAP password and must be in sync. Is there any way to achieve this? Can anyone please point me in the right direction? I would really appreciate your help. Thanks, Amit
Hi. We have a one password solution like you describe running on openSUSE. There is a good howto here: http://digiplan.eu.org/ldap-samba-howto-v4.html It may get you started at least. HTH Steve
Re: [Samba] Samba and LDAP Server
Thanks, I got it! Samba is guided through the SRV records in DNS
On 22/12/2011 19:15, David Roid wrote:
Hello Lantukh, Domain controller, LDAP server and kdc can be found by DNS, Samba consults DNS server to find them. Therefore DNS server itself can be a single-point. I'm guessing your myserver1 is used as the DNS server in this case and when it's down you are in trouble. Cheers -David
2011/12/23 Lantukh Sergey sergey.lant...@docpath.com
Good day I could not find an answer to my problem/question, can you help me here... I have SAMBA 3.2.5 on Linux\Debian 5 I using Winbind for connect to MS Active Directory Windows 2003 and get a list of all users.
/etc/samba/smb.conf
[global]
realm = MYDOMAIN.LOCAL
Security = ADS
/etc/krb5.con
[realms]
MYDOMAIN.LOCAL = {
kdc = myserver1.mydomain.local: 88
kdc = myserver2.mydomain.local: 88
admin_server = myserver1.mydomain.local: 464
default_domain = DOCPATH.ES
[domain_realm]
. mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
My question is: When I give the command:
# net ads info
I have:
LDAP server: 192.168.1.10
LDAP server name: myserver1.mydomain.local
Realm: MYDOMAIN.local
Bind Path: dc = MYDOMAIN, dc = LOCAL
LDAP port: 389
Server time: Thu, 22 Dec 2011 17:52:38 CET
KDC server: 192.168.1.10
Server time offset: 2
192.168.1.10 this is myserver1.mydomain.local Where SAMBA knows about my LDAP server? I have 2 Domain Controllers and SAMBA is always connected to the first. When the first server is not available SAMBA can not get a list of users via winbind. How can I get SAMBA to connect to a second domain controller? How can I change the LDAP server for samba? Thanks!
[Samba] Samba and LDAP Server
Good day I could not find an answer to my problem/question, can you help me here... I have SAMBA 3.2.5 on Linux\Debian 5 I using Winbind for connect to MS Active Directory Windows 2003 and get a list of all users.
/etc/samba/smb.conf
[global]
realm = MYDOMAIN.LOCAL
Security = ADS
/etc/krb5.con
[realms]
MYDOMAIN.LOCAL = {
kdc = myserver1.mydomain.local: 88
kdc = myserver2.mydomain.local: 88
admin_server = myserver1.mydomain.local: 464
default_domain = DOCPATH.ES
[domain_realm]
. mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
My question is: When I give the command:
# net ads info
I have:
LDAP server: 192.168.1.10
LDAP server name: myserver1.mydomain.local
Realm: MYDOMAIN.local
Bind Path: dc = MYDOMAIN, dc = LOCAL
LDAP port: 389
Server time: Thu, 22 Dec 2011 17:52:38 CET
KDC server: 192.168.1.10
Server time offset: 2
192.168.1.10 this is myserver1.mydomain.local Where SAMBA knows about my LDAP server? I have 2 Domain Controllers and SAMBA is always connected to the first. When the first server is not available SAMBA can not get a list of users via winbind. How can I get SAMBA to connect to a second domain controller? How can I change the LDAP server for samba? Thanks!
Re: [Samba] Samba and LDAP Server
Hello Lantukh, Domain controller, LDAP server and kdc can be found by DNS, Samba consults DNS server to find them. Therefore DNS server itself can be a single-point. I'm guessing your myserver1 is used as the DNS server in this case and when it's down you are in trouble. Cheers -David
2011/12/23 Lantukh Sergey sergey.lant...@docpath.com
Good day I could not find an answer to my problem/question, can you help me here... I have SAMBA 3.2.5 on Linux\Debian 5 I using Winbind for connect to MS Active Directory Windows 2003 and get a list of all users.
/etc/samba/smb.conf
[global]
realm = MYDOMAIN.LOCAL
Security = ADS
/etc/krb5.con
[realms]
MYDOMAIN.LOCAL = {
kdc = myserver1.mydomain.local: 88
kdc = myserver2.mydomain.local: 88
admin_server = myserver1.mydomain.local: 464
default_domain = DOCPATH.ES
[domain_realm]
. mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL
My question is: When I give the command:
# net ads info
I have:
LDAP server: 192.168.1.10
LDAP server name: myserver1.mydomain.local
Realm: MYDOMAIN.local
Bind Path: dc = MYDOMAIN, dc = LOCAL
LDAP port: 389
Server time: Thu, 22 Dec 2011 17:52:38 CET
KDC server: 192.168.1.10
Server time offset: 2
192.168.1.10 this is myserver1.mydomain.local Where SAMBA knows about my LDAP server? I have 2 Domain Controllers and SAMBA is always connected to the first. When the first server is not available SAMBA can not get a list of users via winbind. How can I get SAMBA to connect to a second domain controller? How can I change the LDAP server for samba? Thanks!
Re: [Samba] samba with ldap+TLS
Dear Bruno, Steve and Samba Friends, If I recall correctly, it is the username used to start smbd which needs a ldaprc file with appropriate settings. In my case this is root and the file looks like:
#
# User specific LDAP settings
#
# Override global directive (if set)
TLS_REQCERT demand
# client authentication
TLS_CERT /root/root.mydomain.com.pem
TLS_KEY /root/keys/root.mydomain.com.key
But you have to adapt it to your own needs. I hope this helps.
On Mon, Nov 07, 2011 at 06:24:42PM +0100, Bruno MACADRE wrote:
Hi, No, you don't need CA certificate on win clients 'cause they don't connect directly to the LDAP. Only your Samba server needs CA certificate to connect to the LDAP using TLS. Regards, Bruno
On 07/11/2011 18:18, steve wrote:
Hi I know Linux clients need a CA certificate to authenticate via LDAP using TLS. What about win 7 and XP clients using a Samba server? Thanks Steve
-- Met vriendelijke groeten, With kind regards, Mit freundlichen Gruessen, Willy * W.K. Offermans Home: +31 45 544 49 44 Mobile: +31 681 15 87 68 e-mail: wi...@offermans.rompen.nl
[Samba] samba with ldap+TLS
Hi I know Linux clients need a CA certificate to authenticate via LDAP using TLS. What about win 7 and XP clients using a Samba server? Thanks Steve
Re: [Samba] samba with ldap+TLS
Hi, No, you don't need CA certificate on win clients 'cause they don't connect directly to the LDAP. Only your Samba server needs CA certificate to connect to the LDAP using TLS. Regards, Bruno
On 07/11/2011 18:18, steve wrote:
Hi I know Linux clients need a CA certificate to authenticate via LDAP using TLS. What about win 7 and XP clients using a Samba server? Thanks Steve
Re: [Samba] Samba 3.5 + ldap backend - I can't logon under PDC
From: Jubacca juba...@ngi.it Date: Thu, 25 Aug 2011 12:55:48 +0200
Hi, I use Samba 3.5 PDC + ldap backend. I can't join the machine if I don't specify the wins server on the PC client. I tried different name resolve orders, but nothing changes. Can you help me?
Samba 3.X PDC is compatible with Windows NT PDC, so NetBIOS name resolution is required for them to join the domain. If your PC-clients are located in different IP subnets from the Samba PDC, you have to configure them as WINS clients as you said or configure the LMHOSTS file on each machine correctly. This problem has nothing to do with the setting of name resolve order.
--- TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Samba 3.5 + ldap backend - I can't logon under PDC
On 25.08.2011 12:55, Jubacca wrote:
Hi, I use Samba 3.5 PDC + ldap backend. I can't join the machine if I don't specify the wins server on the PC client. I tried different name resolve orders, but nothing changes. Can you help me? My global is:
[global]
workgroup = workgroup
netbios name = SERVER
server string = Server Samba
wins support = yes
browse list = Yes
remote announce = 10.0.0.255/workgroup
lm announce = yes
lm interval = 30
dns proxy = yes
hosts allow = 127.0.0.1 10.0.0.1/255.255.255.0
name resolve order = wins lmhosts host bcast
# name resolve order = bcast host lmhosts wins
interfaces = bond0 , eth1 ,lo
bind interfaces only = no
log file = /var/log/samba/%U.%m.log
log level = 0 passdb:6 auth:10 vfs:5 acls:3 msdfs:3
max log size = 5000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
username map = /etc/samba/usermap
case sensitive = no
encrypt passwords = true
enable privileges = yes
passdb backend = ldapsam:ldap://server:389/
ldap admin dn = cn=admin,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap ssl = off
ldap delete dn = no
map to guest = bad user
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 255
logon path = \\%N\profiles\%U
logon drive = S:
logon home = \\%N\%U
logon script = logon.bat
add user script = /usr/sbin/smbldap-useradd -a -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
printing = cups
socket options = TCP_NODELAY
idmap uid = 1-2
idmap gid = 1-2
time server = yes
null passwords = no
idmap backend = ldap:ldap://server:389/
obey pam restrictions = yes
ldap passwd sync = yes
unix password sync = no
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
Hi, which distro are you using? I set up my ldap pdc with nsswitch. On ubuntu you have to install libnss-ldapd. greets juergen
Re: [Samba] Samba 3.5 + ldap backend - I can't logon under PDC
I use Ubuntu server 11, and I have installed nsswitch with libnss-ldap.

Bye

On 26/08/2011 16.03, J. Echter wrote:

> On 25.08.2011 12:55, Jubacca wrote:
>
>> Hi,
>>
>> I use Samba 3.5 PDC + ldap backend. I can't put the machine if I don't specify the wins server on Pc-client. I tried different name resolve orders, but nothing changed. Can you help me?
>>
>> My global is:
>>
>> [global]
>> workgroup = workgroup
>> netbios name = SERVER
>> server string = Server Samba
>> wins support = yes
>> browse list = Yes
>> remote announce = 10.0.0.255/workgroup
>> lm announce = yes
>> lm interval = 30
>> dns proxy = yes
>> hosts allow = 127.0.0.1 10.0.0.1/255.255.255.0
>> name resolve order = wins lmhosts host bcast
>> # name resolve order = bcast host lmhosts wins
>> interfaces = bond0 , eth1 ,lo
>> bind interfaces only = no
>> log file = /var/log/samba/%U.%m.log
>> log level = 0 passdb:6 auth:10 vfs:5 acls:3 msdfs:3
>> max log size = 5000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> security = user
>> username map = /etc/samba/usermap
>> case sensitive = no
>> encrypt passwords = true
>> enable privileges = yes
>> passdb backend = ldapsam:ldap://server:389/
>> ldap admin dn = cn=admin,dc=domain,dc=com
>> ldap suffix = dc=domain,dc=com
>> ldap user suffix = ou=users
>> ldap group suffix = ou=groups
>> ldap machine suffix = ou=computers
>> ldap idmap suffix = ou=idmap
>> ldap ssl = off
>> ldap delete dn = no
>> map to guest = bad user
>> domain logons = yes
>> domain master = yes
>> local master = yes
>> preferred master = yes
>> os level = 255
>> logon path = \\%N\profiles\%U
>> logon drive = S:
>> logon home = \\%N\%U
>> logon script = logon.bat
>> add user script = /usr/sbin/smbldap-useradd -a -m %u
>> delete user script = /usr/sbin/smbldap-userdel %u
>> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>> add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
>> add group script = /usr/sbin/smbldap-groupadd -p %g
>> delete group script = /usr/sbin/smbldap-groupdel %g
>> printing = cups
>> socket options = TCP_NODELAY
>> idmap uid = 1-2
>> idmap gid = 1-2
>> time server = yes
>> null passwords = no
>> idmap backend = ldap:ldap://server:389/
>> obey pam restrictions = yes
>> ldap passwd sync = yes
>> unix password sync = no
>> passwd program = /usr/sbin/smbldap-passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> pam password change = yes
>
> Hi,
>
> which distro are you using? I set up my ldap pdc with nsswitch. On Ubuntu you have to install libnss-ldapd.
>
> greets
> juergen
[Samba] Samba 3.5 + ldap backend - I can't logon under PDC
Hi,

I use Samba 3.5 PDC + ldap backend. I can't put the machine if I don't specify the wins server on Pc-client. I tried different name resolve orders, but nothing changed. Can you help me?

My global is:

[global]
workgroup = workgroup
netbios name = SERVER
server string = Server Samba
wins support = yes
browse list = Yes
remote announce = 10.0.0.255/workgroup
lm announce = yes
lm interval = 30
dns proxy = yes
hosts allow = 127.0.0.1 10.0.0.1/255.255.255.0
name resolve order = wins lmhosts host bcast
# name resolve order = bcast host lmhosts wins
interfaces = bond0 , eth1 ,lo
bind interfaces only = no
log file = /var/log/samba/%U.%m.log
log level = 0 passdb:6 auth:10 vfs:5 acls:3 msdfs:3
max log size = 5000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
username map = /etc/samba/usermap
case sensitive = no
encrypt passwords = true
enable privileges = yes
passdb backend = ldapsam:ldap://server:389/
ldap admin dn = cn=admin,dc=domain,dc=com
ldap suffix = dc=domain,dc=com
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap ssl = off
ldap delete dn = no
map to guest = bad user
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
os level = 255
logon path = \\%N\profiles\%U
logon drive = S:
logon home = \\%N\%U
logon script = logon.bat
add user script = /usr/sbin/smbldap-useradd -a -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
printing = cups
socket options = TCP_NODELAY
idmap uid = 1-2
idmap gid = 1-2
time server = yes
null passwords = no
idmap backend = ldap:ldap://server:389/
obey pam restrictions = yes
ldap passwd sync = yes
unix password sync = no
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
[Samba] Samba and Ldap
Hi,

all the users here are stored in a LDAP-Server, means authentication on a workstation (linux) is over LDAP. Yesterday I configured a Samba-Server, it also uses the LDAP-Server as its backend. I found out that with a call

smbpasswd -a user

an existing user gets all the attributes from the sambaSamAccount automatically. But here is my first question - for this call I need to know the user's password, is there a way so that I can use the user's password already saved in LDAP as the unix account password?

Another question. When a user calls passwd on a workstation, now only the password field in LDAP for the unix account will be changed. But I want to keep unix account password and samba password synchronized - is this possible with calling passwd?

thanks
gizmo
Re: [Samba] Samba and Ldap
The user's unix LDAP password should be encrypted (technically I think it is actually hashed, since it is not reversible) - so no, you can't get their existing password.

There are two options in smb.conf to have the password sync:

ldap passwd sync = yes

or

unix password sync = yes

I have ldap backend for linux and samba passwords, but initially had NIS for unix and TDB for samba. I use the unix password sync option partially as a legacy holdover of the previous backend. I therefore also set

passwd program = /etc/samba/smbldappasswd.sh %u
passwd chat =*New* %n\n *changed*

Samba passes the new windows password to the external script which uses the sun ldappasswd command to change the user's unix script. You can't just use the passwd command since the local root account on a unix server is not the LDAP admin user. The ldap passwd sync = yes would probably have been cleaner.

On 06/24/2011 05:36 AM, thom_s...@gmx.de wrote:

> Hi,
>
> all the users here are stored in a LDAP-Server, means authentication on a workstation (linux) is over LDAP. Yesterday I configured a Samba-Server, it also uses the LDAP-Server as its backend. I found out that with a call
>
> smbpasswd -a user
>
> an existing user gets all the attributes from the sambaSamAccount automatically. But here is my first question - for this call I need to know the user's password, is there a way so that I can use the user's password already saved in LDAP as the unix account password?
>
> Another question. When a user calls passwd on a workstation, now only the password field in LDAP for the unix account will be changed. But I want to keep unix account password and samba password synchronized - is this possible with calling passwd?
>
> thanks
> gizmo
Re: [Samba] Samba and LDAP - which attributes are mandatory which optional
Hello Götz,

A short explanation:

sambaAcctFlags: [W]-Workstation, [U]-User. String of 11 characters surrounded by square brackets [ ] representing account flags such as U (user), W (workstation), X (no password expiration), I (domain trust account), H (home dir required), S (server trust account), and D (disabled).

sambaHomeDrive: forces the [homes] mapped to a certain Letter (ex: S:). Refer to the logon drive. If empty smb.conf

sambaHomePath: your.homes.path. if empty smb.conf [homes] path is used

sambaKickoffTime: Specifies the time (UNIX time format) when the user will be locked down and cannot login any longer. If this attribute is omitted, then the account will never expire. Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to expire completely on an exact date.

sambaLMPassword: Lan Manager Password

sambaLogoffTime:

sambaLogonScript: your.logon.script. if empty smb.conf netlogon script.

sambaLogonTime:

sambaNTPassword: Stores the passwords auto. Do not touch

sambaPrimaryGroupSID: The primary Group SID auto. Do not touch.

sambaProfilePath: The Profile Path. If it is empty taken from smb.conf. Not needed if you do no profiles.

sambaPwdCanChange: need to be 0 or 1. 1 user can change password

sambaPwdLastSet: counts the last set of password automatically. Used for your password policy. The integer time in seconds since 1970 when the sambaLMPassword and sambaNTPassword attributes were last set.

sambaPwdMustChange: You must set to 0 or 1. 0 the user must change his password needs: sambaPwdCanChange =1. On some distributions you also need to, sambaPwdLastSet=0.

You can go into deep there:
http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/18_passdb_23.html

Greetings
Daniel

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Götz Reinicke - IT-Koordinator
Sent: Friday, 12 November 2010 08:15
To: samba@lists.samba.org
Subject: [Samba] Samba and LDAP - which attributes are mandatory which optional

Hello,

I'm asking myself, which LDAP attributes are mandatory which optional for user and workstation accounts.

After using the smbldap-populate command there were different attributes set than for adding users with the smbldap-useradd command.

--- snip ---
sambaAcctFlags:
sambaHomeDrive:
sambaHomePath:
sambaKickoffTime:
sambaLMPassword:
sambaLogoffTime:
sambaLogonScript:
sambaLogonTime:
sambaNTPassword:
sambaPrimaryGroupSID:
sambaProfilePath:
sambaPwdCanChange:
sambaPwdLastSet
sambaPwdMustChange:
--- snap ---

Regards and Thanks for any help,

Götz

-- 
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt
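The attribute descriptions above, turned into a small audit over directory entries, as an added example (not code from the thread, from Samba or from smbldap-tools). The LDIF records, DNs, the `now` timestamp, the 90-day threshold and the finding names are constructed for illustration; the flag letters are only the ones listed in the message, and the remark that a stored LM hash is worth flagging is an assumption of this example.

```python
"""Decode sambaAcctFlags and audit sambaSamAccount entries (constructed data)."""

# Flag letters exactly as listed in the explanation above; others are reported as unknown.
FLAG_NAMES = {
    "U": "user", "W": "workstation", "X": "no password expiration",
    "I": "domain trust account", "H": "home dir required",
    "S": "server trust account", "D": "disabled",
}


def format_acct_flags(letters):
    """Render flag letters in the padded form: 11 characters inside [ ]."""
    return "[%-11s]" % letters


def parse_acct_flags(value):
    """Return the set of flag letters found between the square brackets."""
    value = value.strip()
    if len(value) < 2 or not (value.startswith("[") and value.endswith("]")):
        raise ValueError("sambaAcctFlags must be enclosed in [ ]: %r" % value)
    body = value[1:-1]
    if len(body) > 11:
        raise ValueError("more than 11 characters between the brackets: %r" % value)
    return {ch for ch in body if ch != " "}


def describe_flags(flags):
    """Map flag letters to the names given above."""
    return sorted(FLAG_NAMES.get(f, "unknown flag %s" % f) for f in flags)


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, single-valued attributes."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, val = line.partition(":")
            entry[attr.strip()] = val.strip()
        if entry:
            entries.append(entry)
    return entries


def audit_entry(entry, now, max_age_days=90):
    """Return findings for one entry; the threshold is an example policy value."""
    flags = parse_acct_flags(entry.get("sambaAcctFlags", "[]"))
    if "D" in flags:
        return ["disabled"]
    findings = []
    is_user = "U" in flags
    if is_user and "X" in flags:
        findings.append("no-expiry")            # X: password never expires
    kickoff = int(entry.get("sambaKickoffTime", "0") or 0)
    if kickoff and kickoff <= now:
        findings.append("kickoff-passed")       # account expired but not flagged D
    last_set = int(entry.get("sambaPwdLastSet", "0") or 0)
    if is_user and last_set and now - last_set > max_age_days * 86400:
        findings.append("stale-password")
    if entry.get("sambaLMPassword"):
        findings.append("lm-hash")              # assumption: LM hashes should not be stored
    return findings


def audit(ldif_text, now):
    """Audit every entry in an LDIF dump, keyed by DN."""
    return {e["dn"]: audit_entry(e, now) for e in parse_ldif(ldif_text)}


NOW = 1289520000  # constructed "current time" in seconds since 1970

# Constructed sample entries; the password values are placeholders, not hashes.
SAMPLE_LDIF = f"""\
# constructed sample data
dn: uid=alice,ou=users,dc=example,dc=com
sambaAcctFlags: {format_acct_flags('UX')}
sambaPwdLastSet: 1262304000
sambaLMPassword: CONSTRUCTED-PLACEHOLDER

dn: uid=bob,ou=users,dc=example,dc=com
sambaAcctFlags: {format_acct_flags('U')}
sambaPwdLastSet: 1288656000
sambaKickoffTime: 1280000000

dn: uid=pc01$,ou=computers,dc=example,dc=com
sambaAcctFlags: {format_acct_flags('W')}
sambaPwdLastSet: 1262304000

dn: uid=carol,ou=users,dc=example,dc=com
sambaAcctFlags: {format_acct_flags('UD')}
"""

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_LDIF, NOW).items():
        print(dn, findings or "ok")
```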
[Samba] Samba and LDAP - which attributes are mandatory which optional
Hello,

I'm asking myself, which LDAP attributes are mandatory which optional for user and workstation accounts.

After using the smbldap-populate command there were different attributes set than for adding users with the smbldap-useradd command.

--- snip ---
sambaAcctFlags:
sambaHomeDrive:
sambaHomePath:
sambaKickoffTime:
sambaLMPassword:
sambaLogoffTime:
sambaLogonScript:
sambaLogonTime:
sambaNTPassword:
sambaPrimaryGroupSID:
sambaProfilePath:
sambaPwdCanChange:
sambaPwdLastSet
sambaPwdMustChange:
--- snap ---

Regards and Thanks for any help,

Götz

-- 
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt
[Samba] Samba 3.3.8/LDAP/Hide unreadable
Hi!

I've configured Samba 3.3.8 (RHEL5 stable) to use LDAP as Passdb Backend. For resolving filesystem permissions I'm using pam_ldap and nscd for caching. Winbind is disabled.

I recently noticed that there are many LDAP Requests. It seems these requests came with the hide unreadable option in the share. I'm not sure if it's only when accessing directories via symlinks.

The LDAP Requests causes bad performance. So does anyone know how to reduce these requests?

Greetings
Thorsten
Re: [Samba] Samba 3.3 ldap tools
These connections that give errors are established with the ldap system libs, not with smbldap-tools (that use perl), so you have to configure your system to use your certificates (etc/{ldap,openldap}/ldap.conf).

regards.

2010/6/30 Indexer inde...@internode.on.net

> I am currently trying to setup my Samba server to act as a samba PDC, with ldap as a backend. I have a self-signed CA that has signed the certificates to my ldap server.
>
> Starting my smbd, I keep getting the message
>
> smb_ldap_setup_connection: ldap://ldap.streetgeek.lan/
> Failed to issue the StartTLS instruction: Connect error
> Connection to LDAP server failed for the 1 try!
> smbldap_open: already connected to the LDAP server
> Failed search for base: dc=dev,dc=gamersalliance,dc=net,dc=au, error: -1 (Can't contact LDAP server) (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain))
>
> I have set in smbldap-tools.conf to verify=allow, as well as in ldap.conf to TLS_REQCERT = allow, so I don't understand why this is happening. All of my systems are pointed to the same cacert file so I doubt that it is confusing certificates.
>
> Are there any other options I should be considering?
>
> Thanks
> William
[Samba] Samba 3.3 ldap tools
I am currently trying to setup my Samba server to act as a samba PDC, with ldap as a backend. I have a self-signed CA that has signed the certificates to my ldap server.

Starting my smbd, I keep getting the message

smb_ldap_setup_connection: ldap://ldap.streetgeek.lan/
Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
smbldap_open: already connected to the LDAP server
Failed search for base: dc=dev,dc=gamersalliance,dc=net,dc=au, error: -1 (Can't contact LDAP server) (error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain))

I have set in smbldap-tools.conf to verify=allow, as well as in ldap.conf to TLS_REQCERT = allow, so I don't understand why this is happening. All of my systems are pointed to the same cacert file so I doubt that it is confusing certificates.

Are there any other options I should be considering?

Thanks
William
[Samba] Samba and ldap failover - RH / Centos problem?
Hi folks,

I recently got my ldap master slave samba test environment up and running.

samba-3.0.33-3.15.el5_4.1
openldap-2.3.43-3.el5

The ldap systems sync fine, samba users are authenticated by each server separately if I set them in the samba conf.

E.g.

passdb backend = ldapsam:ldap://ldap2.filmakademie.de;

and

passdb backend = ldapsam:ldap://ldap1.filmakademie.de;

work.

passdb backend = ldapsam:ldap://ldap1.filmakademie.de ldap://ldap2.filmakademie.de;

works as long as ldap1 is up. If ldap1 is down, no authentication / switchover to ldap2 is done.

I've googled, looked up the samba wiki and finally I found a posting Fedora 4 related to problems with an ldap_initialize() function ...

So my question, are there any known problems or what may I check/debug?

Thanks and best regards,

Götz

-- 
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt
[Samba] Samba 34 + LDAP = hang?
Hi,

I tried updating Samba to 3.4 (from 3.3) as libsmbclient uses it and that pulls in talloc which conflicts with 3.3.

Unfortunately when I tried it, it hung when I tried to use the ldap passdb backend. I could not really get any useful debugging out of it :(

The stack trace is junk (even after enabling max debug) and running with

sudo /usr/local/sbin/smbd -d 10 -F -S

showed stuff but nothing related to LDAP (except mentioning the line in the config) and it still hung after saying it was going to daemonise itself.

It hung not using any CPU but it hadn't yet opened any TCP listen sockets - however it did have a socket to the LDAP server open.

Does anyone actually use this combination on FreeBSD? I have had various annoying issues with LDAP (eg slapd crashing when it's not shut down cleanly, various frustrations getting it setup etc) but I haven't come across this bug before.

-- 
Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there are so many of them to choose from. -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: [Samba] Samba (anonymous) LDAP Authentication
Unix and Windows/Samba servers both store passwords in a one-way encrypted format. So when you authenticate to a server, you type in your password, the server encrypts it and compares it to the encrypted version it has in its password database. This is important since your encrypted password data may (legitimately or not) be accessible to other people. This is separate from any network level encryption that may be used. (For example, if you telnet into a server your password is stored in an encrypted format but the password is still transmitted in the clear.)

Unix and Windows use different password encryption methods which means that they have to have different encrypted passwords stored, which means the users have to have different passwords. (Unix uses things like CRYPT or MD5.)

You can have unix use the windows password via Winbindd. However to have Windows/Samba use the unix password (which is what you want) you would have to configure samba to disable the password encryption (which is what you don't want.) I am not sure of the exact syntax and I am pretty sure it is strongly discouraged.

As far as I know, you can not use Windows password encryption routines for the unix passwords directly.

On 03/29/2010 07:16 PM, Robert Heller wrote:

> At Mon, 29 Mar 2010 17:38:39 -0400 gaiseric.van...@gmail.com wrote:
>
>> According to how you have described your environment, whether or not you use LDAP for Samba's backend, your users will still need corresponding unix accounts AND will still have separate unix and windows passwords. If you use ldap there will be separate fields for the different passwords. If you configure password sync it should appear to the users that they have a single password. (i.e. they change the password in Windows or with smbpassword the unix password should also change.)
>>
>> If you really want a single password I think your options are as follows:
>> - Configure unix logons to use winbind authentication (ie. authenticate using the samba/windows password.)
>> - Use kerberos for unix and samba.
>>
>> But that may not resolve your concerns with Samba writing to LDAP. So if you only have one samba machine and only a few users you may still want to stick to the TDB backend for the windows account info. Samba will still match the unix name to the windows name either way.
>
> OK, it looks like that is what I am stuck with. I only *really* need one or two users -- it is only for dealing with backups and posting some files. This seems to work. I will just have to live with the potential issues of possible differing passwords if/when that happens -- it is only two usernames at present.
>
> Question: why can't samba just use UNIX's user authentication? Is this something in the way MS-Windows encrypts the password it sends over the NetBIOS protocol? Or is there some other issue going on?
[Samba] Samba (anonymous) LDAP Authentication
I am trying to set things up to allow a *few* select users on a small number of MS-Windows boxes to write to a couple of directories on a Linux server. Most of the users on the MS-Windows boxes will only have anonymous (guest) read-only access to one directory and anonymous (guest) access to the printers. The Linux server primarily is a PXEBoot and NFS server for a group of diskless Linux workstations. I am using LDAP for user Authentication for these machines.

I would *like* to have just one user authentication database (the LDAP one). The MS-Windows machines will *never* need to allow things like user creation or modification (including password changing), so Samba *should not need* the rootdn password for the LDAP server. I am having a hard time figuring out how to do this. It *seems* that Samba wants to have the rootdn password -- do I have to configure it that way? Or do I have to *duplicate* the user authentication in Samba's own user database (resulting in people having their passwords in two separate places and/or end up having two passwords for their accounts [a Linux password and a MS-Windows password])? The *best* option would be for Samba to just go through pam/nss (like everything else under Linux), but it looks like Samba no longer does things this way.

I am using Samba 3.0.33-3.15.el5_4.1 on a CentOS 5.4 (32-bit) system.

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com       -- http://www.deepsoft.com/ModelRailroadSystem/
Re: [Samba] Samba (anonymous) LDAP Authentication
According to how you have described your environment, whether or not you use LDAP for Samba's backend, your users will still need corresponding unix accounts AND will still have separate unix and windows passwords. If you use ldap there will be separate fields for the different passwords. If you configure password sync it should appear to the users that they have a single password. (i.e. they change the password in Windows or with smbpassword the unix password should also change.)

If you really want a single password I think your options are as follows:
- Configure unix logons to use winbind authentication (ie. authenticate using the samba/windows password.)
- Use kerberos for unix and samba.

But that may not resolve your concerns with Samba writing to LDAP. So if you only have one samba machine and only a few users you may still want to stick to the TDB backend for the windows account info. Samba will still match the unix name to the windows name either way.

# pdbedit -Lv jsmith
...
Unix username:jsmith
NT username: jsmith

I am running LDAP backend for both unix and samba/windows accounts. Initially I was running NIS for unix passwords and TDB for samba, then I moved unix to ldap (while keeping samba in TDB) and then I moved samba to TDB. I wanted LDAP backend for everything to make it easier to support multiple Samba machines and also because I did want to consolidate account information as much as possible.

You should be able to create an ldap user that has full (or a lot) of rights on a particular branch of your ldap tree. I use sun directory studio so I am not sure how this would be handled with OpenLDAP. I think Samba will still need to write things like last logon info to ldap. And if you have password sync Samba needs to write to the password fields. LDAP ACL's are not my strong point - I mostly copy, edit and paste existing ACL's.

On 03/29/2010 04:43 PM, Robert Heller wrote:

> I am trying to set things up to allow a *few* select users on a small number of MS-Windows boxes to write to a couple of directories on a Linux server. Most of the users on the MS-Windows boxes will only have anonymous (guest) read-only access to one directory and anonymous (guest) access to the printers. The Linux server primarily is a PXEBoot and NFS server for a group of diskless Linux workstations. I am using LDAP for user Authentication for these machines.
>
> I would *like* to have just one user authentication database (the LDAP one). The MS-Windows machines will *never* need to allow things like user creation or modification (including password changing), so Samba *should not need* the rootdn password for the LDAP server. I am having a hard time figuring out how to do this. It *seems* that Samba wants to have the rootdn password -- do I have to configure it that way? Or do I have to *duplicate* the user authentication in Samba's own user database (resulting in people having their passwords in two separate places and/or end up having two passwords for their accounts [a Linux password and a MS-Windows password])? The *best* option would be for Samba to just go through pam/nss (like everything else under Linux), but it looks like Samba no longer does things this way.
>
> I am using Samba 3.0.33-3.15.el5_4.1 on a CentOS 5.4 (32-bit) system.
Re: [Samba] Samba (anonymous) LDAP Authentication
At Mon, 29 Mar 2010 17:38:39 -0400 gaiseric.van...@gmail.com wrote:

> According to how you have described your environment, whether or not you use LDAP for Samba's backend, your users will still need corresponding unix accounts AND will still have separate unix and windows passwords. If you use ldap there will be separate fields for the different passwords. If you configure password sync it should appear to the users that they have a single password. (i.e. they change the password in Windows or with smbpassword the unix password should also change.)
>
> If you really want a single password I think your options are as follows:
> - Configure unix logons to use winbind authentication (ie. authenticate using the samba/windows password.)
> - Use kerberos for unix and samba.
>
> But that may not resolve your concerns with Samba writing to LDAP. So if you only have one samba machine and only a few users you may still want to stick to the TDB backend for the windows account info. Samba will still match the unix name to the windows name either way.

OK, it looks like that is what I am stuck with. I only *really* need one or two users -- it is only for dealing with backups and posting some files. This seems to work. I will just have to live with the potential issues of possible differing passwords if/when that happens -- it is only two usernames at present.

Question: why can't samba just use UNIX's user authentication? Is this something in the way MS-Windows encrypts the password it sends over the NetBIOS protocol? Or is there some other issue going on?

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com       -- http://www.deepsoft.com/ModelRailroadSystem/
[Samba] Samba Vs LDAP (Active Directory)
Dear friends,

I have Solaris 10 box and samba running on the box. I have created a share called /tmp and it is working fine.

I do have LDAP server (Windows Active Directory). Is there a way I can access the share /tmp only for certain users? I searched google and did not find any document other than troubleshooting tips. Can you guys help me? I have root access on my Solaris Box and LDAP server is out of my control and I cannot do anything with my LDAP server. I have LDAP parameters.

Thanks
Baluchen
Re: [Samba] Samba Vs LDAP (Active Directory)
On 23-03-2010 12:58, balamurugan.thangam...@verizon.com wrote:

> Dear friends,
>
> I have Solaris 10 box and samba running on the box. I have created a share called /tmp and it is working fine.
>
> I do have LDAP server (Windows Active Directory). Is there a way I can access the share /tmp only for certain users? I searched google and did not find any document other than troubleshooting tips. Can you guys help me? I have root access on my Solaris Box and LDAP server is out of my control and I cannot do anything with my LDAP server. I have LDAP parameters.
>
> Thanks
> Baluchen

Dear Thangamani

You could use valid users, which can control access based on usernames and groups.

Example here:

valid users = @SCHEMMER\Acct, @SHEMMER\Domain Admins, user2, tmpuser

-- 
Best Regards
Rune Tønnesen
Re: [Samba] Samba Vs LDAP (Active Directory)
create a group, allow only people in that group access to /tmp

balamurugan.thangam...@verizon.com wrote:

> Dear friends,
>
> I have Solaris 10 box and samba running on the box. I have created a share called /tmp and it is working fine.
>
> I do have LDAP server (Windows Active Directory). Is there a way I can access the share /tmp only for certain users? I searched google and did not find any document other than troubleshooting tips. Can you guys help me? I have root access on my Solaris Box and LDAP server is out of my control and I cannot do anything with my LDAP server. I have LDAP parameters.
>
> Thanks
> Baluchen
[Samba] samba 3.4 ldap sambaLogonTime update
Is there a good way to update sambaLogonTime when a user logs on?

Centos 5.4
Samba 3.4.5 from sernet
PDC+LDAP

-- 
Jonn Taylor
Re: [Samba] samba with ldap + windows AD can work together?
A couple years ago when I migrated my NT4 domain to Samba, I had to re-establish the trust relationships with the other domains after the migration. Other than that, the migration was rather uneventful.

On Wed, 2010-01-06 at 23:39 -0600, Alberto Moreno wrote:

> Hi people. I have 2 domains right now: WinNT4 + Windows 2k3. A lot of u will say, why don't u just move everything to win2k3?.. well I prefer to work with linux/Unix.
>
> My question is this, I test the migration from NT4 to linux with ldap, it works and is not too difficult, my problem is this: All my printers are in the server running windows 2k3 my AD server, the NT4 users can access the resources from the win2k3 server without any issue, if I make the migration from NT4 to Linux, will my users lose the connection of the win2k3(AD) resources?
>
> Centos 5.4. Thanks!!!
> -- LIving the dream...
Re: [Samba] samba with ldap + windows AD can work together?
On 01/07/10 00:39, Alberto Moreno wrote:

> Hi people. I have 2 domains right now: WinNT4 + Windows 2k3. A lot of u will say, why don't u just move everything to win2k3?.. well I prefer to work with linux/Unix.
>
> My question is this, I test the migration from NT4 to linux with ldap, it works and is not too difficult, my problem is this: All my printers are in the server running windows 2k3 my AD server, the NT4 users can access the resources from the win2k3 server without any issue, if I make the migration from NT4 to Linux, will my users lose the connection of the win2k3(AD) resources?
>
> Centos 5.4. Thanks!!!

Do you have trusts setup between the two domains or are the printers shared for anon access? If you vampire the NT4 accounts to your new linux samba DC then in theory everything should stay the same. In practice I have found that Samba/Windows trusts are flaky so I would either (a) make sure you can access shared printers w/o trusts and (b) have a provision for sharing printers from the Samba machine or a Windows server in your samba domain.
[Samba] samba with ldap + windows AD can work together?
Hi people. I have 2 domains right now: WinNT4 + Windows 2k3. A lot of u will say, why don't u just move everything to win2k3?.. well I prefer to work with linux/Unix.

My question is this, I test the migration from NT4 to linux with ldap, it works and is not too difficult, my problem is this: All my printers are in the server running windows 2k3 my AD server, the NT4 users can access the resources from the win2k3 server without any issue, if I make the migration from NT4 to Linux, will my users lose the connection of the win2k3(AD) resources?

Centos 5.4. Thanks!!!
-- LIving the dream...
[Samba] Samba PDC LDAP and LDAP Aliases
Hello all

I've got a problem with unresolved (at least I guess that) LDAP Aliases and Samba.

That's my LDAP Setup:

ou=alvhaus,ou=ch { base }
ou=People,ou=alvhaus,ou=ch { posix and samba accounts }
ou=Group,ou=alvhaus,ou=ch { posix and samba groups }
ou=Samba,ou=alvhaus,ou=ch { samba base dn }
ou=Idmap,ou=Samba,ou=alvhaus,ou=ch
ou=Machines,ou=Samba,ou=alvhaus,ou=ch
ou=PeopleAlias,ou=Samba,ou=alvhaus,ou=ch { that's an alias to ou=People,ou=alvhaus,ou=ch }
ou=GroupAlias,ou=Samba,ou=alvhaus,ou=ch { that's an alias to ou=Group,ou=alvhaus,ou=ch }

ldapsearch -h MYHOST -D "uid=Account Admin,ou=System Accounts,dc=alvhaus,dc=ch" -W -b "ou=Samba,dc=alvhaus,dc=ch" -a search -s one

The output of ldapsearch is right! The aliases are correctly resolved (controlled by the -a search parameter)

# People, alvhaus.ch
dn: ou=People,dc=alvhaus,dc=ch
objectClass: organizationalUnit
ou: People

# Group, alvhaus.ch
dn: ou=Group,dc=alvhaus,dc=ch
objectClass: organizationalUnit
ou: Group

# Idmap, Samba, alvhaus.ch
dn: ou=Idmap,ou=Samba,dc=alvhaus,dc=ch
objectClass: organizationalUnit
ou: Idmap

# Machines, Samba, alvhaus.ch
dn: ou=Machines,ou=Samba,dc=alvhaus,dc=ch
objectClass: organizationalUnit
ou: Machines

# FILESERV, Samba, alvhaus.ch
dn: sambaDomainName=FILESERV,ou=Samba,dc=alvhaus,dc=ch
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
... more

My smb.conf

ldap admin dn = uid=Account Admin,ou=System Accounts,dc=alvhaus,dc=ch
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = ou=Samba,dc=alvhaus,dc=ch
ldap ssl = no
ldap user suffix = ou=People

For me it looks right! And it's also working, if People and Group aren't aliased. So I guess samba pdc is not resolving aliases.

Version 3.4.0

-Ivo Steinmann
Re: [Samba] Samba PDC LDAP and LDAP Aliases
On 2009-12-10 at 14:40 +0100 Ivo Steinmann sent off:

> For me it looks right! And it's also working, if People and Group aren't aliased. So I guess samba pdc is not resolving aliases.

In the next samba release (not yet in 3.5 ...) you'll be able to tell samba whether and how to do alias dereferencing. But you should be able to tell the ldap library to do that by default, too - see ldap.conf(5). That would also make your -a option in ldapsearch obsolete.

Cheers
Björn
Re: [Samba] samba with ldap PDC cannot join my windows to domain?
On Thu, Aug 13, 2009 at 12:02 PM, Dale Schroeder d...@briannassaladdressing.com wrote:

> Alberto Moreno wrote:
>
>> Hello my friends. Looks like I had seen some light with this small issue. Normally when u have a PDC in your network, with Winboxes, AD, NT4, u must have at least 1 Master Browser right? Well at home I have just 2 winboxes xp pro sp3, every time I setup a samba server, normally I stop the computer browser services of my clients, in this case my 2 winboxes, this way samba could quickly became the master browser of my network.
>>
>> Like I told u before, one of my issues is that my domain name doesn't appear at my network, just the workgroup of the winboxes machines, every time I try to browse my networks with my winboxes, it took a while to answer or some times just stop working and finally, won't show me my samba domain. If I read the nmbd.log, it tells me that samba is the master browser... cool but is not happening.
>>
>> Last night I decide to enable one of my winboxes Computer Browser service and boom, I could browse my network and see my domain. This tells me that samba is having issues trying to handle the network browser, right now I could not add my box to the domain, but at least I could see my domain there.
>>
>> I follow the manuals Dale at work and no issue here, even that I have 2 domains running, but as soon as I start samba, it appears at my network. The issue is at home. Well If u have some tips guys about how to troubleshoot this I will appreciated. Thanks all for your help and time!!!
>
> To ensure that samba is the master browser against xp machines, I use
>
> [global]
> domain master = Yes
> os level = 65
> announce version = 5.9
>
> This has always worked for me.
>
> Dale

Hi my friends. I got finally my test server working. What I did:

1) My server wasn't working as I describe to u. Then I decide to start from scratch.
2) Read about 4 how-to's (one of them was about ubuntu thanks Dale).

I decide to start from scratch, because for some reason even that I delete the samba info (/var/cache/samba, /var/lib/ldap) and some other files we create each time we setup this, my windows xp machine could not reach my samba server and my server act very strange.

Right the server is working, I could finally add my windows xp machine to the domain without any issue. I'm just continue learning more about samba.

Thanks all for your help and time!!!
-- LIving the dream...
Re: [Samba] samba with ldap PDC cannot join my windows to domain?
Alberto Moreno wrote:

> Hello my friends. Looks like I had seen some light with this small issue. Normally when u have a PDC in your network, with Winboxes, AD, NT4, u must have at least 1 Master Browser right? Well at home I have just 2 winboxes xp pro sp3, every time I setup a samba server, normally I stop the computer browser services of my clients, in this case my 2 winboxes, this way samba could quickly became the master browser of my network.
>
> Like I told u before, one of my issues is that my domain name doesn't appear at my network, just the workgroup of the winboxes machines, every time I try to browse my networks with my winboxes, it took a while to answer or some times just stop working and finally, won't show me my samba domain. If I read the nmbd.log, it tells me that samba is the master browser... cool but is not happening.
>
> Last night I decide to enable one of my winboxes Computer Browser service and boom, I could browse my network and see my domain. This tells me that samba is having issues trying to handle the network browser, right now I could not add my box to the domain, but at least I could see my domain there.
>
> I follow the manuals Dale at work and no issue here, even that I have 2 domains running, but as soon as I start samba, it appears at my network. The issue is at home. Well If u have some tips guys about how to troubleshoot this I will appreciated. Thanks all for your help and time!!!

To ensure that samba is the master browser against xp machines, I use

[global]
domain master = Yes
os level = 65
announce version = 5.9

This has always worked for me.

Dale
Re: [Samba] samba with ldap PDC cannot join my windows to domain?
Alberto Moreno wrote:

> Hi people. I have been working with samba+ldap = PDC in my test network. I had follow the good tutorial: Samba By Example, chapter 5, I had done all the test the book say and no issues.
>
> I have 2 issues:
> 1; I cannot see my domain at my windows browser.
> 2; I cannot add my windows xp pro to my domain.
>
> I have been trying to see if I could find the solution but nothing yet, there is the reason I send this email. My server is Centos 5.3 latest one all the packages are the current from centos. Ldap looks that is working, because all my test from the book pass, and the same with samba.
>
> When I try to add one Winbox to the domain I receive this:
> The following error occurred attempting to join the domain MyDomain
> The network path as not found
>
> My smb.conf is this:
> ...
> wins support = Yes

The clients will try to locate a DC for your domain via wins and broadcast. If neither of these works, it will fail. Seems like you configured the samba box to be a WINS server. Did you add its IP address under WINS in the TCP/IP settings on the client machines?

--
Deyan Stoykov, dstoy...@ru.acad.bg
University of Rousse, BG-7017
Re: [Samba] samba with ldap PDC cannot join my windows to domain?
Alberto,

You will need a [netlogon] share. I used these tutorials for my setup, taking the best from both. I know they can work. I did skip the [profiles] share, as I didn't want roaming profiles.

http://wiki.makethemove.net/index.php?title=LDAP-Samba
https://help.ubuntu.com/community/OpenLDAP-SambaPDC-OrgInfo-Posix

Compare these to what you've done; see if anything was missed.

Dale

Alberto Moreno wrote:

> Hi people. I have been working with samba+ldap = PDC in my test network. I had follow the good tutorial: Samba By Example, chapter 5, I had done all the test the book say and no issues.
>
> I have 2 issues:
> 1; I cannot see my domain at my windows browser.
> 2; I cannot add my windows xp pro to my domain.
>
> I have been trying to see if I could find the solution but nothing yet, there is the reason I send this email. My server is Centos 5.3 latest one all the packages are the current from centos. Ldap looks that is working, because all my test from the book pass, and the same with samba.
>
> When I try to add one Winbox to the domain I receive this:
> The following error occurred attempting to join the domain MyDomain
> The network path as not found
>
> My smb.conf is this:
>
> [global]
> dos charset = 850
> unix charset = ISO8859-1
> display charset = ISO8859-1
> workgroup = RMAI
> netbios name = RMAIPDC
> server string = Samba Server on %L
> os level = 33
> remote announce = 192.168.50.255
> interfaces = eth0,lo
> bind interfaces only = Yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> allow hosts = 192.168.50.0/24 127.0.0.1
> admin users = Manager @Domain Admins
> passdb backend = ldapsam:ldap://127.0.0.1
> enable privileges = Yes
> username map = /etc/samba/smbusers
> log level = 6
> syslog = 1
> log file = /var/log/samba/%m.log
> max log size = 100
> smb ports = 139 445
> name resolve order = wins bcast hosts
> time server = No
> #printcap name = CUPS
> show add printer wizard = No
> add user script = /usr/sbin/smbldap-useradd -m %u
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p %g
> delete group script = /usr/sbin/smbldap-groupdel %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
> add machine script = /usr/sbin/smbldap-useradd -w %u
> #logon script = scripts\logon.bat
> #logon path = \\%L\profiles\%U
> #logon drive = X:
> domain logons = Yes
> domain master = Yes
> preferred master = Yes
> wins support = Yes
> ##LDAP###
> ldap suffix = dc=rmai,dc=local
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=rmai,dc=local
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 1-2
> idmap gid = 1-2
> # map acl inherit = Yes
> cups options =
>
> [homes]
> comment = RMAI Home Directories
> browseable = No
> writeable = Yes
> read only = No
> create mask = 0664
> browseable = No
> valid users = %U
>
> [profiles]
> path = /home/samba/profiles
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> browseable = No
> writeable = Yes
> guest ok = No
>
> The stuff I can see at the log files is this:
>
> windows-box.log
> [2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint32(710)
>   004c uni_max_len: 000c
> [2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint32(710)
>   0050 offset :
> [2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint32(710)
>   0054 uni_str_len: 000c
> [2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:dbg_rw_punival(942)
>   0058 buffer : F.A.M.-.C.H.O.R.I.Z.O...
> [2009/08/11 16:40:49, 6] rpc_parse/parse_prs.c:prs_debug(84)
>   70 smb_io_chal
> [2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
>   0070 data: 03 a3 f4 30 4b c7 3c 90
> [2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_debug(84)
>   00 net_io_r_auth
> [2009/08/11 16:40:49, 6] rpc_parse/parse_prs.c:prs_debug(84)
>   00 smb_io_chal
> [2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
>   data: 00 00 00 00 00 00 00 00
> [2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
>   0008 status: NT_STATUS_ACCESS_DENIED
> [2009/08/11 16:40:49, 5] rpc_server/srv_pipe.c:api_rpcTNP(2305)
>   api_rpcTNP: called NETLOGON successfully
> [2009/08/11 16:40:49, 3] rpc_server
Re: [Samba] samba with ldap PDC cannot join my windows to domain?
On Wednesday, 12 August 2009, Alberto Moreno wrote:

> Hi people. I have been working with samba+ldap = PDC in my test network. I had follow the good tutorial: Samba By Example, chapter 5, I had done all the test the book say and no issues.
>
> I have 2 issues:
> 1; I cannot see my domain at my windows browser.
> 2; I cannot add my windows xp pro to my domain.
>
> I have been trying to see if I could find the solution but nothing yet, there is the reason I send this email. My server is Centos 5.3 latest one all the packages are the current from centos. Ldap looks that is working, because all my test from the book pass, and the same with samba.
>
> When I try to add one Winbox to the domain I receive this:
> The following error occurred attempting to join the domain MyDomain
> The network path as not found

Maybe, it helps: Try the domain RMAI.

> My smb.conf is this:
>
> [global]
> dos charset = 850
> unix charset = ISO8859-1
> display charset = ISO8859-1
> workgroup = RMAI

> Thanks for your time!!!
> -- LIving the dream...

--
Regards
Harry Jede
[Samba] samba with ldap PDC cannot join my windows to domain?
Hi people. I have been working with samba+ldap = PDC in my test network. I had follow the good tutorial: Samba By Example, chapter 5, I had done all the test the book say and no issues.

I have 2 issues:
1; I cannot see my domain at my windows browser.
2; I cannot add my windows xp pro to my domain.

I have been trying to see if I could find the solution but nothing yet, there is the reason I send this email. My server is Centos 5.3 latest one all the packages are the current from centos. Ldap looks that is working, because all my test from the book pass, and the same with samba.

When I try to add one Winbox to the domain I receive this:
The following error occurred attempting to join the domain MyDomain
The network path as not found

My smb.conf is this:

[global]
dos charset = 850
unix charset = ISO8859-1
display charset = ISO8859-1
workgroup = RMAI
netbios name = RMAIPDC
server string = Samba Server on %L
os level = 33
remote announce = 192.168.50.255
interfaces = eth0,lo
bind interfaces only = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
allow hosts = 192.168.50.0/24 127.0.0.1
admin users = Manager @Domain Admins
passdb backend = ldapsam:ldap://127.0.0.1
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 6
syslog = 1
log file = /var/log/samba/%m.log
max log size = 100
smb ports = 139 445
name resolve order = wins bcast hosts
time server = No
#printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
#logon script = scripts\logon.bat
#logon path = \\%L\profiles\%U
#logon drive = X:
domain logons = Yes
domain master = Yes
preferred master = Yes
wins support = Yes
##LDAP###
ldap suffix = dc=rmai,dc=local
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=rmai,dc=local
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-2
idmap gid = 1-2
# map acl inherit = Yes
cups options =

[homes]
comment = RMAI Home Directories
browseable = No
writeable = Yes
read only = No
create mask = 0664
browseable = No
valid users = %U

[profiles]
path = /home/samba/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = No
writeable = Yes
guest ok = No

The stuff I can see at the log files is this:

windows-box.log
[2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint32(710)
  004c uni_max_len: 000c
[2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint32(710)
  0050 offset :
[2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint32(710)
  0054 uni_str_len: 000c
[2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:dbg_rw_punival(942)
  0058 buffer : F.A.M.-.C.H.O.R.I.Z.O...
[2009/08/11 16:40:49, 6] rpc_parse/parse_prs.c:prs_debug(84)
  70 smb_io_chal
[2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
  0070 data: 03 a3 f4 30 4b c7 3c 90
[2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_debug(84)
  00 net_io_r_auth
[2009/08/11 16:40:49, 6] rpc_parse/parse_prs.c:prs_debug(84)
  00 smb_io_chal
[2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_uint8s(857)
  data: 00 00 00 00 00 00 00 00
[2009/08/11 16:40:49, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
  0008 status: NT_STATUS_ACCESS_DENIED
[2009/08/11 16:40:49, 5] rpc_server/srv_pipe.c:api_rpcTNP(2305)
  api_rpcTNP: called NETLOGON successfully
[2009/08/11 16:40:49, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(529)
  free_pipe_context: destroying talloc pool of size 70

I will increase the debug level and give u more info.

Thanks for your time!!!
-- LIving the dream...
[Samba] Samba BDC + LDAP failing to authenticate users
I have Samba 3.2.4 running on Solaris 10 from sunfreeware. From what I can tell just recently happened to this server, which runs as a BDC + LDAP. Previously I have been able to authenticate against it as well as map drives from it. Though now it complains about no such user exists, though they do.

here is the log entries, level 2

With correct password

[2009/07/02 12:21:33, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/07/02 12:21:33, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/07/02 12:21:33, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: user.name
[2009/07/02 12:21:33, 0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for user.name
[2009/07/02 12:21:33, 1] auth/auth_util.c:make_server_info_sam(562)
  User user.name in passdb, but getpwnam() fails!
[2009/07/02 12:21:33, 0] auth/auth_sam.c:check_sam_security(355)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2009/07/02 12:21:33, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [user.name] - [user.name] FAILED with error NT_STATUS_NO_SUCH_USER

with wrong password

[2009/07/02 12:22:40, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/07/02 12:22:40, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/07/02 12:22:40, 2] lib/smbldap.c:smbldap_open_connection(796)
  smbldap_open_connection: connection opened
[2009/07/02 12:22:40, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: user.name
[2009/07/02 12:22:40, 0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for user.name
[2009/07/02 12:22:40, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [user.name] - [user.name] FAILED with error NT_STATUS_WRONG_PASSWORD

smb.conf

[Global]
workgroup = x.x.x
netbios name = xxx
server string = BDC %v
passdb backend = ldapsam:ldap://x.x.x.x
domain master = no
domain logons = yes
ldap suffix = dc=x,dc=x,dc=x
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=machines
ldap admin dn = cn=manager,dc=x,dc=x,dc=x
encrypt passwords = yes
enable privileges = yes
log level = 0
syslog = 0
domain master = no
wins support = no
wins server = x.x.x.x
ntlm auth = yes
lanman auth = yes
ldap ssl = start tls
local master = yes
os level = 33
preferred master = yes

[gtest]
path = /var/gtest
browseable = yes
writeable = yes
create mask = 0777
directory mask = 0777
force group = Domain Users
public = yes

Any ideas?

--
Personally, I liked the university. They gave us money and facilities, we didn't have to produce anything! You've never been out of college! You don't know what it's like out there! I've worked in the private sector. They expect results. -Ray Ghostbusters
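Added example, not part of the original post and not Samba code: a Python triage of smbd log entries of the kind quoted in the message above, correlating the passdb lookup, the Unix account lookup and the final NT status for each failed logon. The function names, verdict labels, the sample log and the user `ghost` are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the Samba 3.x log layout (header line, indented message),
# modelled on the messages quoted in the post; "ghost" is an invented user.
SAMPLE_LOG = """\
[2009/07/02 12:21:33, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: user.name
[2009/07/02 12:21:33, 0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for user.name
[2009/07/02 12:21:33, 1] auth/auth_util.c:make_server_info_sam(562)
  User user.name in passdb, but getpwnam() fails!
[2009/07/02 12:21:33, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [user.name] -> [user.name] FAILED with error NT_STATUS_NO_SUCH_USER
[2009/07/02 12:22:40, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: user.name
[2009/07/02 12:22:40, 0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for user.name
[2009/07/02 12:22:40, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [user.name] -> [user.name] FAILED with error NT_STATUS_WRONG_PASSWORD
[2009/07/02 12:23:05, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [ghost] -> [ghost] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# "[date time, level] file.c:function(line)" starts every entry.
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)"
)
ENTRY_FOUND = re.compile(r"Entry found for user: (\S+)")
NO_UNIX = re.compile(
    r"Failed to find Unix account for (\S+)"
    r"|User (\S+) in passdb, but getpwnam\(\) fails"
)
# Accepts "->" as well as the bare "-" left when an archive strips the ">".
AUTH_FAILED = re.compile(
    r"Authentication for user \[[^\]]*\]\s*-+>?\s*\[([^\]]*)\]\s+"
    r"FAILED with error (NT_STATUS_\w+)"
)


@dataclass
class Finding:
    time: str
    user: str
    status: str
    in_passdb: bool      # the LDAP passdb returned an entry for the user
    unix_missing: bool   # smbd could not resolve a Unix account for the user
    verdict: str


def parse_entries(text):
    """Yield (timestamp, level, function, message); works on flattened logs too."""
    heads = list(HEADER.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[head.end():end].split())
        yield head.group(1), int(head.group(2)), head.group(4), message


def classify(status, in_passdb, unix_missing):
    if status == "NT_STATUS_NO_SUCH_USER" and in_passdb and unix_missing:
        return "unix-account-missing"   # passdb entry exists, NSS lookup fails
    if status == "NT_STATUS_WRONG_PASSWORD":
        return "wrong-password"
    if status == "NT_STATUS_NO_SUCH_USER":
        return "unknown-user"
    return "other"


def triage(text):
    """Return one Finding per failed logon, in log order."""
    pending, findings = {}, []
    for ts, _level, _func, msg in parse_entries(text):
        m = ENTRY_FOUND.search(msg)
        if m:
            pending.setdefault(m.group(1), set()).add("passdb")
        m = NO_UNIX.search(msg)
        if m:
            pending.setdefault(m.group(1) or m.group(2), set()).add("no_unix")
        m = AUTH_FAILED.search(msg)
        if m:
            user, status = m.group(1), m.group(2)
            seen = pending.pop(user, set())   # evidence gathered for this attempt
            in_passdb, unix_missing = "passdb" in seen, "no_unix" in seen
            findings.append(Finding(ts, user, status, in_passdb, unix_missing,
                                    classify(status, in_passdb, unix_missing)))
    return findings


def users_missing_unix_account(findings):
    """Users present in passdb that the host could not map to a Unix account."""
    return sorted({f.user for f in findings if f.in_passdb and f.unix_missing})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.time, f.user, f.status, f.verdict)
```

Both attempts for `user.name` carry the "Failed to find Unix account" evidence, so the wrong-password attempt exposes the same missing Unix mapping as the `NT_STATUS_NO_SUCH_USER` one.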
[Samba] samba 3.0.28 + ldap domain update to 3.0.33 is save?
Hi people. I have 1 server (gentoo) running samba 3.0.28+ldap as domain of my winboxes, running:

dev-perl/perl-ldap-0.34
dev-python/python-ldap-2.2.1
net-nds/openldap-2.3.43
net-nds/smbldap-tools-0.9.4-r1
sys-auth/nss_ldap-258
sys-auth/pam_ldap-183

Emerge is offering me samba 3.0.33 and other ports that works with samba, just wondering is someone have already update samba from 3.0.28 to 3.0.33 and if safe to do this, I just don't want to break my current samba domain with ldap.

Thanks all for your time!!!
LIving the dream...
Re: [Samba] samba 3.0.28 + ldap domain update to 3.0.33 is save?
> I have 1 server (gentoo) running samba 3.0.28+ldap as domain of my winboxes, running:
>
> dev-perl/perl-ldap-0.34
> dev-python/python-ldap-2.2.1
> net-nds/openldap-2.3.43
> net-nds/smbldap-tools-0.9.4-r1
> sys-auth/nss_ldap-258
> sys-auth/pam_ldap-183
>
> Emerge is offering me samba 3.0.33 and other ports that works with samba, just wondering is someone have already update samba from 3.0.28 to 3.0.33 and if safe to do this, I just don't want to break my current samba domain with ldap.

I consider anything less than 3.0.35 unsafe (since there are known bugs and exploits) so do that upgrade. BTW, I am running gentoo servers in my production environment. Because of the slowness of the adoption of packages I bump my own ebuilds in my gentoo overlay.

http://github.com/drescherjm/jmdgentoooverlay/tree/cad0a4a6a77820c3ccf37e0a44caaa5da391c54f/net-fs/samba

John
RE: [Samba] Samba and LDAP
> I am trying to set up an additional domain server within my network using SAMBA and LDAP. There's a problem that I think is with LDAP. If any of you have set up a system like this, I would appreciate your expertise.

What does your current setup look like? What have you already established?

> Question # 1: My PDC, which controls the domain and SAMBA, should clearly use LDAP server. Should the additional server use SAMBA server or client? Workstations will sign onto the domain and then onto shares on both the PDC and the additional server.

LDAP and Samba is much like AD and Windows-Servers, only with the old Domain like PDC/BDC setup instead of the DC setup. By using LDAP you can share e.g. user, group, machine accounts between different linux/samba servers. So you only have to add/change/modify the LDAP based data once and it will be distributed to all participating linux servers.

> Question # 2: If I copy the / directory to a flash drive, can I just copy it back to the hard drive if I end up with a configuration impossibility? I've had to reload the system once already because of LDAP configuration problems, and I'd rather not do it again. The SAMBA shares on the PDC are working fine. But I can't share thing on the other server unless I set up a smbpasswd set, and that's a pain.

Well, you copied your configuration to the second server? Did you configure your LDAP-server to replicate data with each other? You only need to backup your /etc directory, because that's where the configuration is stored. If you misconfigured something, you can easily go back to the previous state by restoring the old configuration files.

Cheers,
Christian

===
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4
44534 Lünen
fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de
[Samba] Samba and LDAP
Hi, all --

I am trying to set up an additional domain server within my network using SAMBA and LDAP. There's a problem that I think is with LDAP. If any of you have set up a system like this, I would appreciate your expertise.

Question # 1: My PDC, which controls the domain and SAMBA, should clearly use LDAP server. Should the additional server use SAMBA server or client? Workstations will sign onto the domain and then onto shares on both the PDC and the additional server.

Question # 2: If I copy the / directory to a flash drive, can I just copy it back to the hard drive if I end up with a configuration impossibility? I've had to reload the system once already because of LDAP configuration problems, and I'd rather not do it again. The SAMBA shares on the PDC are working fine. But I can't share thing on the other server unless I set up a smbpasswd set, and that's a pain.

Thanks.

cheers,
pete
[Samba] Samba with ldap-Backend as PDC: Changing SMB-Password under Unix?
Hello,

I have a working PDC with ldap-Backend under SUSE 10.2. Everything is working fine, except 2 things:

Can I change the sambaNTpassword and sambaLMpassword under Unix so that the User can change the samba-Passwords and the Unix-Password with one single command?

Can I automatically connect the Home-Networkshare to a Network-Drive? Without a Logon-Script?

Regards
Daniel
Re: [Samba] Samba with ldap-Backend as PDC: Changing SMB-Password under Unix?
On Tue, Mar 17, 2009 at 10:12:47AM +0100, Daniel Spannbauer wrote:

> Can I change the sambaNTpassword and sambaLMpassword under Unix so that the User can change the samba-Passwords and the Unix-Password with one single command?

smbpasswd -r against the localhost, together with ldap passwd sync = yes.

> Can I automatically connect the Home-Networkshare to a Network-Drive? Without a Logon-Script?

Not sure about that one :-)

Volker
Re: [Samba] Samba with ldap-Backend as PDC: Changing SMB-Password under Unix?
> Can I automatically connect the Home-Networkshare to a Network-Drive? Without a Logon-Script?

In smb.conf:

logon drive = X:
Re: [Samba] Samba with ldap-Backend as PDC: Changing SMB-Password under Unix?
On Tue, 2009-03-17 at 10:12 +0100, Daniel Spannbauer wrote:

> Hello, I have a working PDC with ldap-Backend under SUSE 10.2. Everything is working fine, except 2 things: Can I change the sambaNTpassword and sambaLMpassword under Unix so that the User can change the samba-Passwords and the Unix-Password with one single command?

Yes, using ldap passwd sync (although it has been rather argumentative on recent versions; not certain why).

> Can I automatically connect the Home-Networkshare to a Network-Drive? Without a Logon-Script?

I don't think so. But you can use policies (via POLEDIT.EXE) to redirect My Documents transparently to the user's network home directory. I think this is covered in the Samba HOWTO/ByExample and you can go to Google and search 'site:lists.samba.org folder redirection' to get lots of references.

--
OpenGroupware developer: awill...@whitemice.org
http://whitemiceconsulting.blogspot.com/
OpenGroupare Cyrus IMAPd documenation @ http://docs.opengroupware.org/Members/whitemice/wmogag/file_view
Re: [Samba] Samba with ldap-Backend as PDC: Changing SMB-Password under Unix?
To: samba Subject: Re: [Samba] Samba with ldap-Backend as PDC: Changing SMB-Password under Unix? On Tue, 2009-03-17 at 10:12 +0100, Daniel Spannbauer wrote: Hello, I have a working PDC with ldap-Backend under SUSE 10.2. Everything is working fine, except 2 things: Can I change the sambaNTpassword and sambaLMpassword under Unix so that the User can change the samba-Passwords and the Unix-Password with one single command? Yes, using ldap passwd sync (although it has been rather argumentative on recent versions; not certain why). I think ldap passwd sync changes also the unix_password when I change my Password under Windows. But I want to change my sambaNTpassword and sambaLMpassword under Unix. So, when I do a passwd horst I want to change the Unix_password AND the sambaNTpassword and the sambaLMpassword for the user horst. So, it doesn't matter where I change my password (unix or Windows), all my passwords are changed. Can I automatically connect the Home-Networkshare to a Network-Drive? Without a Logon-Script? I don't think so. But you can use policies (via POLEDIT.EXE) to redirect My Documents transparently to the user's network home directory. I think this is covered in the Samba HOWTO/ByExample and you can go to Google and search 'site:lists.samba.org folder redirection' to get lots of references. Hmmm, Ok. But what does the switch logon drive do exactly? Regards Daniel
RE: [Samba] Samba 3.0.24 + LDAP - User Lockout not working
Hi, not all Samba-LDAP attributes that are listed in the Samba3-LDAP-Schema are working yet. IMHO the only source that mentions it clearly is the Samba HOWTO. Please refer to http://de3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2582136 and search for LDAP Special Attributes for sambaSamAccounts. Cheers, Christian === Christian Rost roCon - Informationstechnologie Glatzer Weg 4 44534 Lünen fon: +49 (0) 2306 910 658 fax: +49 (0) 2306 910 664 url: http://www.rocon-it.de Axel Werner m...@awerner.homeip.net wrote Subject: [Samba] Samba 3.0.24 + LDAP - User Lockout not working Date: 12.02.2009 16:30 Hi, I'm trying to set up a password policy with samba and openldap. While lockout works perfectly on openldap it looks like it does not work with my samba. I've set sambaLockoutThreshold to 3 and sambaLockoutDuration to -1 (lockout forever) within the Domain-Object in LDAP. So I expect whenever a windows user does 3 false logon attempts his samba account will be LOCKED forever, until reset by an admin. If I peek those parameters with pdbedit -P it will confirm my configuration. So it looks fine. I also found the sambaBadPasswordCount Attribute in every User-Object in the LDAP tree. Default is 0. Now I do several false login attempts from my windows xp workstation (usually 5 attempts) and recheck that sambaBadPasswordCount Attribute in that specific userobject. STILL showing 0 !! btw: the admin object that is configured in smb.conf has all the permissions to access and write ALL attributes of any object in my DIT. Does anyone know this Problem ?!? I'm lost! I use Debian 4.0 with the debian packages for Samba 3.0.24 and openldap.
Re: [Samba] Samba 3.0.24 + LDAP - User Lockout not working
Hi Christian, thanks for Answer. Is yours an OFFICIAL Answer to this problem ?? I cannot find ANY documents telling about not used or not implemented functionality on user lockout or those ldap attributes neither. So it's hard to believe that those things are spare or unused even after YEARS. I found some really old mailing list postings from 2004 with exactly the same problem. So it seems this isn't really new stuff. http://lists.samba.org/archive/samba/2004-July/089429.html What's going on here ?! thanks for help regards Axel On 13.02.2009 09:50, Christian Rost wrote: Hi, not all Samba-LDAP attributes that are listed in the Samba3-LDAP-Schema are working yet. IMHO the only source that mentions it clearly is the Samba HOWTO. Please refer to http://de3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2582136 and search for LDAP Special Attributes for sambaSamAccounts. Cheers, Christian === Christian Rost roCon - Informationstechnologie Glatzer Weg 4 44534 Lünen fon: +49 (0) 2306 910 658 fax: +49 (0) 2306 910 664 url: http://www.rocon-it.de Axel Werner m...@awerner.homeip.net wrote Subject: [Samba] Samba 3.0.24 + LDAP - User Lockout not working Date: 12.02.2009 16:30 Hi, I'm trying to set up a password policy with samba and openldap. While lockout works perfectly on openldap it looks like it does not work with my samba. I've set sambaLockoutThreshold to 3 and sambaLockoutDuration to -1 (lockout forever) within the Domain-Object in LDAP. So I expect whenever a windows user does 3 false logon attempts his samba account will be LOCKED forever, until reset by an admin. If I peek those parameters with pdbedit -P it will confirm my configuration. So it looks fine. I also found the sambaBadPasswordCount Attribute in every User-Object in the LDAP tree. Default is 0. Now I do several false login attempts from my windows xp workstation (usually 5 attempts) and recheck that sambaBadPasswordCount Attribute in that specific userobject. STILL showing 0 !! btw: the admin object that is configured in smb.conf has all the permissions to access and write ALL attributes of any object in my DIT. Does anyone know this Problem ?!? I'm lost! I use Debian 4.0 with the debian packages for Samba 3.0.24 and openldap.
Re: [Samba] Samba 3.0.24 + LDAP - User Lockout not working
On Fri, Feb 13, 2009 at 10:33:03AM +0100, Axel Werner wrote: Is yours an OFFICIAL Answer to this problem ?? I cannot find ANY documents telling about not used or not implemented functionality on user lockout or those ldap attributes neither. So it's hard to believe that those things are spare or unused even after YEARS. I found some really old mailing list postings from 2004 with exactly the same problem. So it seems this isn't really new stuff. http://lists.samba.org/archive/samba/2004-July/089429.html What's going on here ?! Please take a look at https://bugzilla.samba.org/show_bug.cgi?id=5825 There is at least one user for whom it finally worked, even in a PDC/BDC scenario. Volker
[Samba] Samba 3.0.24 + LDAP - User Lockout not working
Hi, I'm trying to set up a password policy with samba and openldap. While lockout works perfectly on openldap it looks like it does not work with my samba. I've set sambaLockoutThreshold to 3 and sambaLockoutDuration to -1 (lockout forever) within the Domain-Object in LDAP. So I expect whenever a windows user does 3 false logon attempts his samba account will be LOCKED forever, until reset by an admin. If I peek those parameters with pdbedit -P it will confirm my configuration. So it looks fine. I also found the sambaBadPasswordCount Attribute in every User-Object in the LDAP tree. Default is 0. Now I do several false login attempts from my windows xp workstation (usually 5 attempts) and recheck that sambaBadPasswordCount Attribute in that specific userobject. STILL showing 0 !! btw: the admin object that is configured in smb.conf has all the permissions to access and write ALL attributes of any object in my DIT. Does anyone know this Problem ?!? I'm lost! I use Debian 4.0 with the debian packages for Samba 3.0.24 and openldap.
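The manual check described in the post above (read the policy from the domain object, then re-read each user's sambaBadPasswordCount after failed logons), as an added Python example that is not part of the original post or of Samba. The LDIF is constructed sample data, the function names are hypothetical, and two points are assumptions: that an `L` in sambaAcctFlags marks an auto-locked account and that a threshold of 0 means lockout is disabled.

```python
import base64

# Constructed sample export (not from the thread): one sambaDomain object
# carrying the policy and three sambaSamAccount entries.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaLockoutThreshold: 3
sambaLockoutDuration: -1

dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0

dn: uid=bob,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 5

dn: uid=carol,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: carol
sambaAcctFlags: [UL         ]
sambaBadPasswordCount: 3
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute name (lowercase): [values]} dicts."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]          # folded line: continue the previous one
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def _first(entry, attr, default=None):
    return entry.get(attr.lower(), [default])[0]


def _is_class(entry, cls):
    return cls.lower() in (c.lower() for c in entry.get("objectclass", []))


def lockout_threshold(entries):
    """Threshold from the sambaDomain object; 0 is treated as 'lockout disabled'."""
    for entry in entries:
        if _is_class(entry, "sambaDomain") and "sambalockoutthreshold" in entry:
            return int(_first(entry, "sambaLockoutThreshold"))
    return 0


def bad_password_counts(entries):
    return {_first(e, "uid"): int(_first(e, "sambaBadPasswordCount", "0"))
            for e in entries if _is_class(e, "sambaSamAccount")}


def lockout_report(entries):
    """Map each account to 'ok', 'locked' or 'over-threshold-not-locked'."""
    threshold = lockout_threshold(entries)
    report = {}
    for entry in entries:
        if not _is_class(entry, "sambaSamAccount"):
            continue
        count = int(_first(entry, "sambaBadPasswordCount", "0"))
        locked = "L" in _first(entry, "sambaAcctFlags", "")   # assumed lock flag
        if locked:
            status = "locked"
        elif threshold > 0 and count >= threshold:
            status = "over-threshold-not-locked"   # policy set but not enforced
        else:
            status = "ok"
        report[_first(entry, "uid")] = status
    return report


def stuck_counters(before, after, users):
    """Users whose counter did not rise between two exports taken around failed logons."""
    old, new = bad_password_counts(before), bad_password_counts(after)
    return sorted(u for u in users if new.get(u, 0) <= old.get(u, 0))


if __name__ == "__main__":
    for uid, status in lockout_report(parse_ldif(SAMPLE_LDIF)).items():
        print(uid, status)
```

Feed it two exports, one taken before and one after a series of deliberate bad logons on a test account; a user returned by `stuck_counters` reproduces the symptom reported in the thread.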
Re: [Samba] Samba 3 LDAP account db concepts
Yes, you will still need to use nss_ldap to authenticate for unix shell accounts, imap, etc. I can't answer your other questions as I build the RPMs with the provided scripts. John Goubeaux wrote: Folks, I have some very basic questions with regard to Samba and LDAP backend account database use. I am familiar with LDAP and have been using ldap for a while now to store info for a variety of services. I have been using Samba as a stand alone file server with user account info in /etc/passwd for a while as well. I am now trying to build samba 3.3.0 as a standalone, non PDC, on solaris 10 using a SUN DS 5.2 as my back end account db. I have read through much of the available documentation and it seems clear that one can achieve a setup where ALL of the user account info can be stored in a DS however I am confused by some of what I am reading, for example The Official Samba 3.2.x HOWTO and Reference Guide in chp 11 says: There are a few points to stress that the ldapsam does not provide. The LDAP support referred to in this documentation does not include: A means of replacing /etc/passwd. Do I still need to employ LDAP NSS and PAM modules ? Ver 3.3.0 does not seem to support a configure --with-ldapsam option, does this mean that the default --with-ldap installs what used to be done with ldapsam ? The referenced Samba (v.3) PDC LDAP howto by Ignacio Coupeau (2004) is achieved with configure --with-ldapsam and no mention of pam modules is made. So, my basic question is: What are my options, given what I want to achieve? And can someone shed some more light on the concepts involved ? Thanks in advance and sorry if I have missed something obvious in the docs. -john
[Samba] Samba 3 LDAP account db concepts
Folks, I have some very basic questions with regard to Samba and LDAP backend account database use. I am familiar with LDAP and have been using ldap for a while now to store info for a variety of services. I have been using Samba as a stand alone file server with user account info in /etc/passwd for a while as well. I am now trying to build samba 3.3.0 as a standalone, non PDC, on solaris 10 using a SUN DS 5.2 as my back end account db. I have read through much of the available documentation and it seems clear that one can achieve a setup where ALL of the user account info can be stored in a DS however I am confused by some of what I am reading, for example The Official Samba 3.2.x HOWTO and Reference Guide in chp 11 says: There are a few points to stress that the ldapsam does not provide. The LDAP support referred to in this documentation does not include: A means of replacing /etc/passwd. Do I still need to employ LDAP NSS and PAM modules ? Ver 3.3.0 does not seem to support a configure --with-ldapsam option, does this mean that the default --with-ldap installs what used to be done with ldapsam ? The referenced Samba (v.3) PDC LDAP howto by Ignacio Coupeau (2004) is achieved with configure --with-ldapsam and no mention of pam modules is made. So, my basic question is: What are my options, given what I want to achieve? And can someone shed some more light on the concepts involved ? Thanks in advance and sorry if I have missed something obvious in the docs. -john -- John Goubeaux Systems Administrator Gevirtz Graduate School of Education UC Santa Barbara Phelps Hall 3534 805 893-8190
[Samba] Samba PDC, LDAP, IDMAP backend not working
Please help. I've been searching for days, trying nearly everything I can find that seems relevant, but I can't get this working. I am able to create users, login to Windows systems joined to the SAMBA domain as those users, but filesystem ACLs on Windows Domain Member Servers do not work which I suspect is due to my IDMAP OU is empty. wbinfo -u returns Error looking up domain users wbinfo -g returns: BUILTIN/administrators BUILTIN/users wbinfo -t returns checking the trust secret via RPC calls succeeded getent passwd -and- getent group list all my local and domain users and groups respectively. When running wbinfo -u my log.winbindd shows: [2008/12/26 12:24:52, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn SID_TO_GID [2008/12/26 12:24:52, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308) [23999]: sid to gid S-1-5-32-546 [2008/12/26 12:24:52, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(673) find_lookup_domain_from_sid(S-1-5-32-546) [2008/12/26 12:24:52, 10] nsswitch/winbindd_util.c:find_lookup_domain_from_sid(676) calling find_domain_from_sid [2008/12/26 12:24:52, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300) Retrieving response for pid 23794 [2008/12/26 12:24:52, 5] nsswitch/winbindd_async.c:lookupsid_recv(706) lookupsid returned an error [2008/12/26 12:24:52, 5] nsswitch/winbindd_sid.c:sid2gid_lookupsid_recv(274) sid2gid_lookupsid_recv: Could not convert get sid type for S-1-5-32-546 [2008/12/26 12:24:52, 10] nsswitch/winbindd.c:process_request(314) process_request: request fn PING [2008/12/26 12:24:52, 3] nsswitch/winbindd_misc.c:winbindd_ping(470) [23999]: ping smbldap-tools seem to function correctly net commands seem to function correctly. Any idea where the problem might be? Thank you! 
Ubuntu 8.04 LTS Samba 3.0.28a OpenLDAP 2.4.9 smb.conf: [global] unix charset = LOCALE workgroup = VOICECURVE server string = %h server (Samba, Ubuntu) map to guest = Bad User passdb backend = ldapsam passwd program = /usr/sbin/smbldap-passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated* log level = 3 passdb:5 auth:10 winbind:10 syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 time server = Yes add user script = /usr/sbin/smbldap-useradd -m %u delete user script = /usr/sbin/smbldap-userdel %u add group script = /usr/sbin/smbldap-groupadd -p -a %g delete group script = /usr/sbin/smbldap-groupdel %g add user to group script = /usr/sbin/smbldap-groupmod -m %u %g delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g set primary group script = /usr/sbin/smbldap-usermod -g %g %u add machine script = /usr/sbin/smbldap-useradd -w %u logon path = domain logons = Yes os level = 35 domain master = Yes dns proxy = No wins support = Yes ldap admin dn = cn=admin,dc=voicecurve,dc=com ldap delete dn = Yes ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap machine suffix = ou=Computers ldap passwd sync = Yes ldap suffix = dc=voicecurve,dc=com ldap user suffix = ou=Users usershare allow guests = Yes panic action = /usr/share/samba/panic-action %d idmap domains = VOICECURVE idmap alloc backend = ldap winbind separator = / winbind enum users = Yes winbind enum groups = Yes idmap alloc config:range = 1 - 1000 idmap alloc config:ldap_url = ldap://localhost/ idmap alloc config:ldap_user_dn = cn=admin,dc=voicecurve,dc=com idmap alloc config:ldap_base_dn = ou=idmap,dc=voicecurve,dc=com idmap config VOICECURVE:range = 1 - 1000 idmap config VOICECURVE:ldap_url = ldap://localhost/ idmap config VOICECURVE:ldap_user_dn = cn=admin,dc=voicecurve,dc=com idmap config VOICECURVE:ldap_base_dn = ou=idmap,dc=voicecurve,dc=com idmap config VOICECURVE:backend = ldap idmap config VOICECURVE:default = yes 
ldapsam:editposix = yes ldapsam:trusted = yes nsswitch.conf: passwd: compat ldap group: compat ldap shadow: compat ldap hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc:db files netgroup: nis -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] samba idmap ldap backend
Well that did it, thank you very very much. Did I read the documentation wrong or is it the documentation that needs to be adjusted? I read this http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm and then the section IDMAP Storage in LDAP using Winbind regards, Johan Hendriks
[Samba] samba idmap ldap backend
Hello all First of all Sorry for the long e-mail I am trying to get samba working as a domain member and store the idmap in a ldap database. The join is successful and all commands are working like it should wbinfo -u, wbinfo -g kinit etc. But the id administrator command gives me the following # id administrator id: administrator: no such user If I do not use the ldap backend it works well. This is on FreeBSD 7_RELEASE with samba 3.0.32 and openldap 2.3.43 I did do all the things mentioned in chapter 7 of the by example doc. Also the smbpasswd -w 12345 I am working on this for over 3 days now but my ldap understanding is not that much I guess. What am I forgetting or doing wrong? Best regards, Johan Hendriks My slapd.conf file # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/samba.schema loglevel 256 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload back_bdb ### # BDB database definitions ### database bdb suffix dc=double-l,dc=local rootdn cn=Manager,dc=double-l,dc=local rootpw = 12345 directory /usr/local/var/db/openldap-data # Indices to maintain index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index memberUID eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub my ldap.conf and nss_ldap.conf file base dc=double-l,dc=local binddn cn=Manager,dc=double-l,dc=local bindpw 12345 pam_password exop bind_policy soft 
bind_timelimit 10 host 127.0.0.1 idle_timelimit 3600 ldap_version 3 nss_base_group ou=Groups,dc=double-l,dc=local?one nss_base_passwd ou=People,dc=double-l,dc=local?one nss_base_shadow ou=People,dc=double-l,dc=local?one nss_connect_policy persist nss_paged_results yes pagesize 1000 port 389 timelimit 30 my vi /etc/nsswitch.conf group: files ldap group_compat: nis hosts: files dns networks: files passwd: files ldap passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files my idmap.ldiff file dn: dc=snowshow,dc=com objectClass: dcObject objectClass: organization dc: snowshow o: The Greatest Snow Show in Singapore. description: Posix and Samba LDAP Identity Database dn: cn=Manager,dc=snowshow,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=Idmap,dc=snowshow,dc=com objectClass: organizationalUnit ou: idmap and finally my smb.conf file [global] workgroup = DOUBLE-L netbios name = BEASTY realm = DOUBLE-L.LOCAL server string = Samba Server security = ADS log level = 1 ads:10 auth:10 sam:10 rpc:10 ldap admin dn = cn=Manager,dc=DOUBLE-L,dc=LOCAL ldap idmap suffix = ou=Idmap ldap suffix = dc=DOUBLE-L,dc=LOCAL idmap backend = ldap:ldap://127.0.0.1 idmap uid = 15-55 idmap gid = 15-55 template shell = /usr/local/bin/bash winbind use default domain = Yes [share1] comment = Data Directory path = /mnt #write list = @mr70 read only = no create mask = 0777 directory mask = 0777 and my /etc/krb5.conf file [libdefaults] default_realm = DOUBLE-l.LOCAL clockskew = 300 [realms] DOUBLE-l.LOCAL = { kdc = w2003s01.double-l.local } [domain_realm] .double-l.local = DOUBLE-l.LOCAL This is a part of my slapd.log file after a restart of samba and a id administrator command Oct 21 16:47:34 beasty slapd[60723]: conn=7 fd=13 closed (connection lost) Oct 21 16:47:34 beasty slapd[60723]: conn=8 fd=15 closed (connection lost) Oct 21 16:47:34 beasty slapd[60723]: conn=6 fd=12 closed (connection lost) Oct 21 16:47:35 
beasty slapd[60723]: conn=13 fd=12 ACCEPT from IP=127.0.0.1:58176 (IP=127.0.0.1:389) Oct 21 16:47:35 beasty slapd[60723]: conn=13 op=0 BIND dn=cn=Manager,dc=double-l,dc=local method=128 Oct 21 16:47:35 beasty
Re: [Samba] samba idmap ldap backend
In nsswitch.conf, replace ldap by winbind 2008/10/21 Johan Hendriks [EMAIL PROTECTED]: Hello all First of all Sorry for the long e-mail I am trying to get samba working as a domain member and store the idmap in a ldap database. The join is successful and all commands are working like it should wbinfo -u, wbinfo -g kinit etc. But the id administrator command gives me the following # id administrator id: administrator: no such user If I do not use the ldap backend it works well. This is on FreeBSD 7_RELEASE with samba 3.0.32 and openldap 2.3.43 I did do all the things mentioned in chapter 7 of the by example doc. Also the smbpasswd -w 12345 I am working on this for over 3 days now but my ldap understanding is not that much I guess. What am I forgetting or doing wrong? Best regards, Johan Hendriks My slapd.conf file # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/samba.schema loglevel 256 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload back_bdb ### # BDB database definitions ### database bdb suffix dc=double-l,dc=local rootdn cn=Manager,dc=double-l,dc=local rootpw = 12345 directory /usr/local/var/db/openldap-data # Indices to maintain index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index memberUID eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub my ldap.conf and nss_ldap.conf file base dc=double-l,dc=local binddn 
cn=Manager,dc=double-l,dc=local bindpw 12345 pam_password exop bind_policy soft bind_timelimit 10 host 127.0.0.1 idle_timelimit 3600 ldap_version 3 nss_base_group ou=Groups,dc=double-l,dc=local?one nss_base_passwd ou=People,dc=double-l,dc=local?one nss_base_shadow ou=People,dc=double-l,dc=local?one nss_connect_policy persist nss_paged_results yes pagesize 1000 port 389 timelimit 30 my vi /etc/nsswitch.conf group: files ldap group_compat: nis hosts: files dns networks: files passwd: files ldap passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files my idmap.ldiff file dn: dc=snowshow,dc=com objectClass: dcObject objectClass: organization dc: snowshow o: The Greatest Snow Show in Singapore. description: Posix and Samba LDAP Identity Database dn: cn=Manager,dc=snowshow,dc=com objectClass: organizationalRole cn: Manager description: Directory Manager dn: ou=Idmap,dc=snowshow,dc=com objectClass: organizationalUnit ou: idmap and finally my smb.conf file [global] workgroup = DOUBLE-L netbios name = BEASTY realm = DOUBLE-L.LOCAL server string = Samba Server security = ADS log level = 1 ads:10 auth:10 sam:10 rpc:10 ldap admin dn = cn=Manager,dc=DOUBLE-L,dc=LOCAL ldap idmap suffix = ou=Idmap ldap suffix = dc=DOUBLE-L,dc=LOCAL idmap backend = ldap:ldap://127.0.0.1 idmap uid = 15-55 idmap gid = 15-55 template shell = /usr/local/bin/bash winbind use default domain = Yes [share1] comment = Data Directory path = /mnt #write list = @mr70 read only = no create mask = 0777 directory mask = 0777 and my /etc/krb5.conf file [libdefaults] default_realm = DOUBLE-l.LOCAL clockskew = 300 [realms] DOUBLE-l.LOCAL = { kdc = w2003s01.double-l.local } [domain_realm] .double-l.local = DOUBLE-l.LOCAL This is a part of my slapd.log file after a restart of samba and a id administrator command Oct 21 16:47:34 beasty slapd[60723]: conn=7 fd=13 closed (connection lost) Oct 21 16:47:34 beasty slapd[60723]: conn=8 fd=15 closed (connection lost) Oct 21 16:47:34 
beasty slapd[60723]: conn=6 fd=12 closed (connection lost) Oct 21 16:47:35 beasty slapd[60723]: conn=13 fd=12 ACCEPT from
RE: [Samba] Samba PDC + LDAP: adding user to local admin group
hmmm giving users local admin rights, that's not the way to do it. and makes your network insecure.. Better control this through the domain groups. This is how I do it. I create a domain group, add the users in it, and through loginscript I create a local group and add the domain group in it. Now on directories/files or in registry I give the local group the needed rights. Louis -Original message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Gustavo Michels Sent: Thursday 9 October 2008 22:27 To: samba@lists.samba.org Subject: [Samba] Samba PDC + LDAP: adding user to local admin group Hi all, I'm evaluating Zimbra [1] as the groupware server for my small company. It uses OpenLDAP for authentication services and I'm configuring a Samba server as a PDC for my company, using the same ldap backend. So far, so good, everything is working beautifully well, I can add computers to the domain, login from any workstation, access shares with the appropriate rights and so on. However there's one last thing I need: some normal domain users need administrative rights on their local machines. I know I can go into each workstation and add the user to local administrators group, however that's not the right way to do it. Can I have it set on the domain level, so that if the user login on any workstation, he will be granted the correct local admin rights on that workstation? Here's what I tried, user 'producao' (id=10003) and group 'Local Admins' (id=10005): # net groupmap list Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) - Vendas Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) - Admins Produção (S-1-5-21-594618841-1354246140-1601124177-21006) - Producao Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) - Financeiro Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) - Local Admins Here you can see that 'Local Admins' has the correct RID (544). 
# getent group |grep Admin Admins:*:10002: Local Admins:*:10005:10003 # getent passwd |grep producao producao:*:10003:10003:Produção Colortech:/colortech/homes/producao:/bin/false User 'producao' is a member of 'Local Admins' group (secondary, since I read that BUILTIN groups cannot be a primary group for a user in a windows NT4 domain). # /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech cn=Local Admins # extended LDIF # # LDAPv3 # base with scope subtree # filter: cn=Local Admins # requesting: ALL # # Local Admins, groups, colortechdp.com.br dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br gidNumber: 10005 displayName: Local Admins sambaGroupType: 5 description: Local Admins cn: Local Admins sambaSID: S-1-5-21-594618841-1354246140-1601124177-544 memberUid: 10003 objectClass: posixGroup objectClass: sambaGroupMapping And the information on the LDAP server seems to be correct, including the sambaGroupType property set to 5, instead of 2. So, what is wrong in here? Or it isn't possible to do it in the domain level? Thanks Gustavo [1] http://www.zimbra.com
Re: [Samba] Samba PDC + LDAP: adding user to local admin group
Hi all, On Thu, Oct 9, 2008 at 6:29 PM, Tim Bates [EMAIL PROTECTED] wrote: Not sure if you can do it like that, but if you only want to give them local admin on their own computer (and not everyone else's), you're going to want to do it on each computer manually anyway... Or via a script if you're going to have to change them often. If you set it at a domain level like you said, it would give them admin rights anywhere they can log into. Well actually it wouldn't be a big problem if the user has local admin rights on any machine. On Fri, Oct 10, 2008 at 4:17 AM, L.P.H. van Belle [EMAIL PROTECTED] wrote: hmmm giving users local admin rights, that's not the way to do it. and makes your network insecure.. Better control this through the domain groups. This is how I do it. I create a domain group, add the users in it, and through loginscript I create a local group and add the domain group in it. Now on directories/files or in registry I give the local group the needed rights. That's a nice approach, but what commands I have available to do such tasks as create/add groups on the local machine? I don't have deep technical knowledge on windows networking. Anyway, I thought this was a trivial task and it seems it is not. So, as there aren't many users with this special need, I'm starting to consider the manual way of adding them to the local admin group on their own machine. Thanks.
Re: [Samba] Samba PDC + LDAP: adding user to local admin group
On 10/9/2008, Tim Bates ([EMAIL PROTECTED]) wrote: If you set it at a domain level like you said, it would give them admin rights anywhere they can log into. But if you control which workstations they can log into, this isn't really a problem - save the part of them having local admin rights... ;) -- Best regards, Charles
[Samba] Samba PDC + LDAP: adding user to local admin group
Hi all,

I'm evaluating Zimbra [1] as the groupware server for my small company. It uses OpenLDAP for authentication services and I'm configuring a Samba server as a PDC for my company, using the same ldap backend. So far, so good, everything is working beautifully well, I can add computers to the domain, login from any workstation, access shares with the appropriate rights and so on.

However there's one last thing I need: some normal domain users need administrative rights on their local machines. I know I can go into each workstation and add the user to local administrators group, however that's not the right way to do it. Can I have it set on the domain level, so that if the user logs in on any workstation, he will be granted the correct local admin rights on that workstation?

Here's what I tried, user 'producao' (id=10003) and group 'Local Admins' (id=10005):

# net groupmap list
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) - Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) - Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) - Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) - Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) - Local Admins

Here you can see that 'Local Admins' has the correct RID (544).

# getent group |grep Admin
Admins:*:10002:
Local Admins:*:10005:10003

# getent passwd |grep producao
producao:*:10003:10003:Produção Colortech:/colortech/homes/producao:/bin/false

User 'producao' is a member of 'Local Admins' group (secondary, since I read that BUILTIN groups cannot be a primary group for a user in a windows NT4 domain).

# /opt/zimbra/openldap/bin/ldapsearch -x -h servidor.colortech cn=Local Admins
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: cn=Local Admins
# requesting: ALL
#

# Local Admins, groups, colortechdp.com.br
dn: cn=Local Admins,ou=groups,dc=colortechdp,dc=com,dc=br
gidNumber: 10005
displayName: Local Admins
sambaGroupType: 5
description: Local Admins
cn: Local Admins
sambaSID: S-1-5-21-594618841-1354246140-1601124177-544
memberUid: 10003
objectClass: posixGroup
objectClass: sambaGroupMapping

And the information on the LDAP server seems to be correct, including the sambaGroupType property set to 5, instead of 2.

So, what is wrong in here? Or isn't it possible to do it at the domain level?

Thanks
Gustavo

[1] http://www.zimbra.com
Re: [Samba] Samba PDC + LDAP: adding user to local admin group
Gustavo Michels wrote:

> So, what is wrong in here? Or it isn't possible to do it in the domain level?

Not sure if you can do it like that, but if you only want to give them local admin on their own computer (and not everyone else's), you're going to want to do it on each computer manually anyway... Or via a script if you're going to have to change them often.

If you set it at a domain level like you said, it would give them admin rights anywhere they can log into.

TB
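An added example, not part of the thread and not Samba code: a small audit of `net groupmap list` output like the one Gustavo posted, flagging mappings whose SID carries a well-known privileged RID, which is the domain-wide exposure Tim describes. SAMPLE is constructed from the output quoted in the post; the function names and category labels are hypothetical, and the RID tables are the standard Windows well-known values, not something stated in the thread.

```python
import re

# Constructed sample: the `net groupmap list` output quoted in the post above.
SAMPLE = """\
Vendas (S-1-5-21-594618841-1354246140-1601124177-21002) - Vendas
Domain Admins (S-1-5-21-594618841-1354246140-1601124177-512) - Admins
Produção (S-1-5-21-594618841-1354246140-1601124177-21006) - Producao
Financeiro (S-1-5-21-594618841-1354246140-1601124177-21008) - Financeiro
Local Admins (S-1-5-21-594618841-1354246140-1601124177-544) - Local Admins
"""

BUILTIN_DOMAIN = "S-1-5-32"
# Well-known alias RIDs; they name BUILTIN groups only under S-1-5-32.
BUILTIN_ALIASES = {544: "Administrators", 548: "Account Operators",
                   549: "Server Operators", 550: "Print Operators",
                   551: "Backup Operators"}
# Well-known privileged RID under an account-domain SID (S-1-5-21-...).
DOMAIN_PRIVILEGED = {512: "Domain Admins"}

# "NT name (SID) -> unix group"; the archived post shows "-" instead of "->".
LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1(?:-\d+)+)\) -+>? (?P<unix>.+)$")


def parse_groupmap(text):
    """Yield (nt_name, domain_sid, rid, unix_group) for each mapping line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything that is not a mapping
        domain, _, rid = m["sid"].rpartition("-")
        yield m["nt"], domain, int(rid), m["unix"]


def audit(text):
    """Return (nt_name, unix_group, category, well_known_name) findings."""
    findings = []
    for nt, domain, rid, unix in parse_groupmap(text):
        in_account_domain = domain.startswith("S-1-5-21-")
        if domain == BUILTIN_DOMAIN and rid in BUILTIN_ALIASES:
            findings.append((nt, unix, "builtin-alias", BUILTIN_ALIASES[rid]))
        elif in_account_domain and rid in DOMAIN_PRIVILEGED:
            # Members are administrators on every machine joined to the domain.
            findings.append((nt, unix, "domain-wide", DOMAIN_PRIVILEGED[rid]))
        elif in_account_domain and rid in BUILTIN_ALIASES:
            # Alias RID glued onto the domain SID: not the BUILTIN SID itself.
            findings.append((nt, unix, "alias-rid-in-account-domain",
                             BUILTIN_ALIASES[rid]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" | ".join(finding))
```

A mapping reported as alias-rid-in-account-domain has a SID of the form S-1-5-21-...-544, which is a different SID from BUILTIN\Administrators (S-1-5-32-544).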
[Samba] samba PDC, ldap and ntlm_auth
Hello

I need to use ntlm_auth for samba users existing on the same machine (samba PDC, Squid and Openldap in the same server).

I read some mail in this list, particularly messages of Hesham S. Ahmed of Oct 7 2002, and I understand that to do this I need to join the PDC to itself, but when I use net join I receive this message

# /usr/bin/net join
Unable to find a suitable server
Unable to find a suitable server

If I use

# /usr/bin/net join -S BACKUP
Password:
Could not connect to server BACKUP
Connection failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

I use samba with ldap database, this is a piece of the smb.conf file

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command testparm
# to check that you have not made any basic syntactic errors.
#
#=== Global Settings =
[global]
workgroup = UNIVERSITA
netbios name =BACKUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the loopback interface. For more examples of the syntax see
# the smb.conf man page
hosts allow = 192.168.9.
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
# printcap name = /etc/printcap
#
#load printers = yes
# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = cups
# This option tells cups that the data has already been rasterized
# cups options = raw
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user nobody is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/utenti.log
; log file = /var/log/samba/%m.log
# all log information in one file
# log file = /var/log/samba/smbd.log
log level=3
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Security mode. Most people will want user level security. See
# security_level.txt for details.
# Use password server option only with security = server
; password server = NT-Server-Name
# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8
encrypt passwords=yes
security = user
mangling method = hash2
passdb backend = ldapsam:ldap://127.0.0.1/
ldap passwd sync = yes
ldap admin dn= cn=Manager,dc=universita,dc=it
ldap suffix = dc=universita,dc=it
ldap group suffix = ou=Gruppi
ldap user suffix= ou=Utenti
ldap machine suffix= ou=Computers
ldap idmap suffix= ou=Idmap
ldap delete dn= yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
add machine script =/usr/sbin/smbldap-useradd -t 0 -w %u
add user script =/usr/sbin/smbldap-useradd -a -m %u
delete user script =/usr/sbin/smbldap-userdel %u
add group script =/usr/sbin/smbldap-groupadd -p %g
delete group script =/usr/sbin/smbldap-groupdel %g
add user to group script =/usr/sbin/smbldap-groupmod -m %u %g
delete user from group script =/usr/sbin/smbldap-groupmod -x %u %g
set primary group script=/usr/sbin/smbldap-usermod -g %g %u
template shell = /bin/false
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
#smb passwd file = /etc/samba/smbpasswd
# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#the encrypted SMB passwords. They allow the Unix password
#to be kept in sync with the SMB password.
; unix password sync = Yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Unix users can map
[Samba] Samba and LDAP install on FreeBSD
Here is my problem. I installed the OpenLdap 2.4.10 server and SASL client. I then went to install the Samba 3.0.30 Port and it tells me that it needs to install OpenLDAP client 2.3.42, but the 2.4.10 is in the same place and I need to deinstall it. I deinstall 2.4.10 and samba will install, but now openldap will not run because it has missing files.

I went to reinstall the 2.4.10 SASL client, but it tells me that the openldap 2.3.42 needs to be removed. If I go to remove the 2.3.42 openldap client, it tells me that samba 3.0.30 relies on it.

I am kind of stuck here. Does samba 3.0.30 not work with openldap 2.4? Do I have to have openldap 2.3?

Thanks for any suggestions.

--
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
Re: [Samba] Samba and LDAP install on FreeBSD
On Tue, 22 Jul 2008, [EMAIL PROTECTED] wrote:

> Here is my problem. I installed the OpenLdap 2.4.10 server and SASL client. I then went to install the Samba 3.0.30 Port and it tells me that it needs to install OpenLDAP client 2.3.42, but the 2.4.10 is in the same place and I need to deinstall it. I deinstall 2.4.10 and samba will install, but now openldap will not run because it has missing files.
>
> I went to reinstall the 2.4.10 SASL client, but it tells me that the openldap 2.3.42 needs to be removed. If I go to remove the 2.3.42 openldap client, it tells me that samba 3.0.30 relies on it.
>
> I am kind of stuck here. Does samba 3.0.30 not work with openldap 2.4? Do I have to have openldap 2.3?

Put this in /etc/make.conf

WANT_OPENLDAP_VER=24

It tells the ports tree that you want OpenLDAP 2.4 if a port doesn't specify a particular version.

--
Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there are so many of them to choose from. -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: [Samba] Samba and LDAP install on FreeBSD
Daniel O'Connor wrote:

> On Tue, 22 Jul 2008, [EMAIL PROTECTED] wrote:
>
>> Here is my problem. I installed the OpenLdap 2.4.10 server and SASL client. I then went to install the Samba 3.0.30 Port and it tells me that it needs to install OpenLDAP client 2.3.42, but the 2.4.10 is in the same place and I need to deinstall it. I deinstall 2.4.10 and samba will install, but now openldap will not run because it has missing files.
>>
>> I went to reinstall the 2.4.10 SASL client, but it tells me that the openldap 2.3.42 needs to be removed. If I go to remove the 2.3.42 openldap client, it tells me that samba 3.0.30 relies on it.
>>
>> I am kind of stuck here. Does samba 3.0.30 not work with openldap 2.4? Do I have to have openldap 2.3?
>
> Put this in /etc/make.conf
>
> WANT_OPENLDAP_VER=24
>
> It tells the ports tree that you want OpenLDAP 2.4 if a port doesn't specify a particular version.

Thank you. That took care of the problem. I thought something could be added somewhere to make it use 2.4, but I was looking in the actual Makefile in the port and I did not see anything there.

--
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
Re: [Samba] Samba and LDAP install on FreeBSD
On Wed, 23 Jul 2008, [EMAIL PROTECTED] wrote:

>> It tells the ports tree that you want OpenLDAP 2.4 if a port doesn't specify a particular version.
>
> Thank you. That took care of the problem. I thought something could be added somewhere to make it use 2.4, but I was looking in the actual Makefile in the port and I did not see anything there.

Yes, unfortunately I am not really sure if it is documented anywhere other than the source :( ports(7) doesn't appear to cover it. ISTR last time I grovelled through /usr/ports/Mk/* for it..

--
Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there are so many of them to choose from. -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C