Hi,
I have some strange problems with a 3.0a21 PDC (samba and nss both use
ldap) and I can't find any good help with google...
One strange thing is that the logon script doesn't work anymore; it worked
at one point and now doesn't (I have played around quite a bit here and I don't
know at which point of changing smb.conf it stopped working).
[netlogon] share is like that:
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = no
writable = no
browseable = yes
public = yes
and some lines from [global]:
local master = yes
os level = 99
domain master = yes
preferred master = yes
domain logons = yes
logon drive = U:
logon path = \\server\%U\profiles
logon home = \\server\%U\
logon script = START.BAT
/home/samba/netlogn/START.BAT exists, line breaks are in DOS style ...
If I log into NT4 on 2K ws, then I can mount the \\pdc1\netlogon share and
run START.BAT there..
So what the heck can it be?
Another thing was that smbgroupedit -v showed several Domain Admins and
Domain Users groups (with different SIDs).. So I took the experimental step
and deleted some of them, leaving exactly one of every group..
Can this be somehow connected to the 1st problem?
Also samba complained that:
get_domain_user_groups: primary gid of user [john] is not a Domain group
! get_domain_user_groups: You should fix it, NT doesn't like that
so I added john's primary group to the Domain Users and Users groups (but
it seems to change nothing):
root@woody-samba:/var/log/samba# smbgroupedit -v
NT group (SID) -> Unix group
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-2072525299-305900136-1143589454-512) -> domadm
Domain Guests (S-1-5-21-2072525299-305900136-1143589454-514) -> -1
Domain Users (S-1-5-21-2072525299-305900136-1143589454-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users
root@woody-samba:/var/log/samba#
Third problem is locally stored profiles. How could I set things up so
that when a user logs out from the WS, the WS copies the changed profile
back to the server and deletes it from the WS?
It's a question of security and hard disk space..
4)
How could I set up client name resolution so that client X cannot
announce itself as DC/browse master etc?
If every client resolves names via broadcast, then when my DC goes down and
someone brings up his NT/samba server he could do a lot of damage - collect
people's passwords etc...
Now if I had every WS configured to resolve names via WINS and WINS
configured with a static netbios/ip resolution table, then I wouldn't have to
worry about this? But as I understand it, the only way the WINS server works is
that it adds routing support to the broadcast resolution mechanism...
Thanks goes to everyone bothering to enlighten me..
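An added troubleshooting check for the logon script problem above (not code from the original post or from Samba): it parses the smb.conf fragments quoted in the post, then verifies that the script exists under the [netlogon] path with the exact case, that its line endings are CRLF, and notes that 'public' is a synonym for 'guest ok', so the later 'public = yes' line wins. SAMPLE_CONF and the temporary netlogon tree are constructed for the example.

```python
import os, tempfile
# Constructed from the smb.conf fragments in the post; the path is swapped in at run time
SAMPLE_CONF = """
[global]
logon script = START.BAT
[netlogon]
path = /home/samba/netlogon
guest ok = no
public = yes
"""

def parse_smb_conf(text):
    """Tiny smb.conf parser: {section: {key: value}}, keys lower-cased."""
    conf, sec = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            sec = line[1:-1].lower()
            conf.setdefault(sec, {})
        elif "=" in line and sec:
            key, _, value = line.partition("=")
            conf[sec][key.strip().lower()] = value.strip()
    return conf

def check_logon_script(conf):
    """Return findings that would stop the 'logon script' from running on the client."""
    script, share = conf.get("global", {}).get("logon script"), conf.get("netlogon", {})
    if not script or "path" not in share:
        return ["logon script or [netlogon] path not configured"]
    root = share["path"]
    if not os.path.isdir(root):  # catches a typo in the share path
        return ["netlogon path missing: " + root]
    if script not in os.listdir(root):  # Unix names are case-sensitive; the client asks for the exact name
        return ["%s not found in %s (check the exact case)" % (script, root)]
    with open(os.path.join(root, script), "rb") as f:
        data = f.read()
    out = []
    if b"\n" in data and b"\r\n" not in data:
        out.append("%s has LF line endings; cmd.exe expects CRLF" % script)
    # 'public' is a synonym for 'guest ok' and the later line wins, so this share is guest-readable
    if share.get("guest ok", "no").lower() == "no" and share.get("public", "no").lower() == "yes":
        out.append("[netlogon] guest ok = no is overridden by public = yes")
    return out

def demo(crlf):  # build a constructed netlogon tree in a temp dir, then audit it
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "START.BAT"), "wb") as f:
        f.write(b"net use U: \\\\server\\%USERNAME%" + (b"\r\n" if crlf else b"\n"))
    return check_logon_script(parse_smb_conf(SAMPLE_CONF.replace("/home/samba/netlogon", root)))
```

Run it against the real smb.conf and netlogon directory by feeding the file contents to parse_smb_conf instead of SAMPLE_CONF.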
On Fri, 2003-02-28 at 13:09, john@ylenurme.ee wrote:
> [netlogon] share is like that:
>
> [netlogon]
> comment = Network Logon Service
> path = /home/samba/netlogon
> guest ok = no
> writable = no
> browseable = yes
> public = yes

This is what I'm using ...

[netlogon]
path = /etc/samba/netlogon
write list = root
guest ok = Yes
nt acl support = No

Do you have scriptPath set in LDAP? I don't use logon scripts so I'm not sure you need it - just an idea.

> Another thing was that smbgroupedit -v showed several Domain Admins and
> Domain Users groups (with different SIDs).. So I took the experimental step
> and deleted some of them, leaving exactly one of every group..
> Can this be somehow connected to the 1st problem?

I have one of each of these. Probably you changed your SID during your experiments... It might be a good idea to wipe out all your tdb files and rejoin your machines (that is, if you're still in testing mode).

> Also samba complained that:
>
> get_domain_user_groups: primary gid of user [john] is not a Domain group
> ! get_domain_user_groups: You should fix it, NT doesn't like that

I get that sometimes - I just ignore it...

> Third problem is locally stored profiles. How could I set things up so
> that when a user logs out from the WS, the WS copies the changed profile
> back to the server and deletes it from the WS?
> It's a question of security and hard disk space..

You can do that with a setting in gpedit.msc. Don't remember which one but I think it'll be obvious.

> 4)
> How could I set up client name resolution so that client X cannot
> announce itself as DC/browse master etc?
> If every client resolves names via broadcast, then when my DC goes down and
> someone brings up his NT/samba server he could do a lot of damage - collect
> people's passwords etc...

Just use WINS - it reduces broadcasting significantly. It would not be entirely trivial to just bring up a fake PDC: you'd need to know the domain SID, fake authentication of clients and fake up some profiles to be downloaded to the user.

I don't think the client authenticates the server with samba. Someone with more knowledge of the internals might be able to comment more usefully on this front...

brad
-- 
Bradley W. Langhorst <brad@langhorst.com>
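An added check prompted by the SID discussion above (not Brad's code or Samba's): it parses 'smbgroupedit -v' output and flags domain groups whose SID prefix differs from the PDC's domain SID, duplicate group names, and well-known domain groups with no Unix group. SAMPLE is constructed from the listing in the post plus one deliberately mismatched Domain Admins line; the domain_sid parameter is an assumption of this example.

```python
import re
from collections import Counter

# Constructed from the 'smbgroupedit -v' listing in the post, plus one extra
# Domain Admins line with a foreign domain SID to exercise the consistency check.
SAMPLE = """\
NT group (SID) -> Unix group
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-2072525299-305900136-1143589454-512) -> domadm
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> -1
Domain Guests (S-1-5-21-2072525299-305900136-1143589454-514) -> -1
Domain Users (S-1-5-21-2072525299-305900136-1143589454-513) -> users
Users (S-1-5-32-545) -> users
"""

LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return [(nt_name, sid, unix_group)] from smbgroupedit -v output; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m["name"], m["sid"], m["unix"]))
    return rows

def audit_groupmap(rows, domain_sid=None):
    """Flag mappings that give NT clients an inconsistent view of the domain.

    domain_sid is the PDC's own domain SID; when None, the prefix of the
    Domain Users mapping is taken as the reference.
    """
    findings = []
    domain_rows = [r for r in rows if r[1].startswith("S-1-5-21-")]
    ref = domain_sid or next((sid.rsplit("-", 1)[0] for name, sid, _ in domain_rows
                              if name == "Domain Users"), None)
    for name, sid, _ in domain_rows:
        if ref and sid.rsplit("-", 1)[0] != ref:
            findings.append("%s: SID %s is from a different domain than %s" % (name, sid, ref))
    for name, n in Counter(name for name, _, _ in rows).items():
        if n > 1:
            findings.append("%s: %d mappings, clients expect exactly one" % (name, n))
    for name, sid, unix in rows:
        if unix == "-1" and sid.endswith(("-512", "-513", "-514")):
            findings.append("%s: well-known domain group with no Unix group" % name)
    return findings
```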
Hello,

This is my first time delving into non-2.2 samba, and attempting to develop a single authentication solution for Windows and Unix machines. Currently, we use NIS for the Unix machines (Solaris 2.6-2.8, IRIX 6.5, Linux, Motorola), and there is NO PDC for Windows. Samba servers use NIS and use unencrypted passwords for authentication.

What I would like to do is begin preparing for an upgrade to samba 3.0 (when it is production), as the company I work for is implementing a Windows 2000 initiative to all the satellite offices.. I would like, if possible, to provide a samba solution as opposed to Windows 2000.

With an LDAP backend, can samba and Unix share the same user/passwords? Or are there different schema/encryption methods for the two? I had planned on getting PADL's LDAP->NIS gateway for the older Unixes that do not have direct LDAP authentication capabilities.

Thanks for your help,
-- 
Matt Schillinger
mschilli@vss.fsi.com
On 4 Mar 2003, Matt Schillinger wrote:
> With an LDAP backend, can samba and Unix share the same user/passwords?

You still have to maintain the lmPassword and ntPassword attributes (storing the Windows password hashes).

cheers, jerry
-- 
Hewlett-Packard            http://www.hp.com
SAMBA Team                 http://www.samba.org
GnuPG Key                  http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there." --John Cusack - "Grosse Point Blank" (1997)