Hi,

I have some strange problems with a 3.0a21 PDC (samba and nss both use ldap) and I can't find any good help with google...

One strange thing is that the logon script doesn't work anymore. It worked at one point and now doesn't (I played around quite a bit here and I don't know at which point of changing smb.conf it stopped working). The [netlogon] share is like that:

    [netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = no
    writable = no
    browseable = yes
    public = yes

and some lines from [global]:

    local master = yes
    os level = 99
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon drive = U:
    logon path = \\server\%U\profiles
    logon home = \\server\%U\
    logon script = START.BAT

/home/samba/netlogn/START.BAT exists, line breaks are in DOS style... If I log into NT4 on a 2K ws, then I can mount the \\pdc1\netlogon share and run START.BAT there. So what the heck can it be?

Another thing was that smbgroupedit -v showed several Domain Admins and Domain Users groups (with different SIDs). So I took the experimental step of deleting some of them, leaving exactly one of every group. Can this be somehow connected to the 1st problem?

Also samba complained that:

    get_domain_user_groups: primary gid of user [john] is not a Domain group !
    get_domain_user_groups: You should fix it, NT doesn't like that

so I added john's primary group to the Domain Users and Users groups (but it seems to change nothing):

    root@woody-samba:/var/log/samba# smbgroupedit -v
    NT group (SID) -> Unix group
    System Operators (S-1-5-32-549) -> -1
    Replicators (S-1-5-32-552) -> -1
    Guests (S-1-5-32-546) -> -1
    Power Users (S-1-5-32-547) -> -1
    Print Operators (S-1-5-32-550) -> -1
    Administrators (S-1-5-32-544) -> -1
    Account Operators (S-1-5-32-548) -> -1
    Domain Admins (S-1-5-21-2072525299-305900136-1143589454-512) -> domadm
    Domain Guests (S-1-5-21-2072525299-305900136-1143589454-514) -> -1
    Domain Users (S-1-5-21-2072525299-305900136-1143589454-513) -> users
    Backup Operators (S-1-5-32-551) -> -1
    Users (S-1-5-32-545) -> users
    root@woody-samba:/var/log/samba#

Third problem is locally stored profiles. How could I set things up so that when a user logs out from a WS, the WS copies the changed profile back to the server and deletes it from the WS? It's a question of security and hard disk space.

4) How could I set up client name resolution so that client X cannot announce itself as DC/browse master etc.? If every client resolves names via broadcast, then when my DC goes down and someone brings up his NT/samba server he could do a lot of damage - collect people's passwords etc... Now if I had every WS configured to resolve names via WINS, and WINS configured with a static netbios/ip resolve table, then I wouldn't have to worry about this? But as I understand it, the only way the WINS server works is that it adds routing support to the broadcast resolve mechanism...

Thanks goes to everyone bothering to enlighten me.
On Fri, 2003-02-28 at 13:09, john@ylenurme.ee wrote:

> [netlogon] share is like that:
>
> [netlogon]
> comment = Network Logon Service
> path = /home/samba/netlogon
> guest ok = no
> writable = no
> browseable = yes
> public = yes

This is what I'm using ...

    [netlogon]
    path = /etc/samba/netlogon
    write list = root
    guest ok = Yes
    nt acl support = No

Do you have scriptPath set in ldap? I don't use logon scripts so I'm not sure you need it - just an idea.

> Another thing was that smbgroupedit -v showed several Domain Admins and
> Domain Users groups (with different SIDs). So I took the experimental step
> of deleting some of them, leaving exactly one of every group.
> Can this be somehow connected to the 1st problem?

I have one of each of these. Probably you changed your SID during your experiments... It might be a good idea to wipe out all your tdb files and rejoin your machines (that is, if you're still in testing mode).

> Also samba complained that:
>
> get_domain_user_groups: primary gid of user [john] is not a Domain group !
> get_domain_user_groups: You should fix it, NT doesn't like that

I get that sometimes - I just ignore it...

> Third problem is locally stored profiles. How could I set things up so
> that when a user logs out from a WS, the WS copies the changed profile
> back to the server and deletes it from the WS?
> It's a question of security and hard disk space.

You can do that with a setting in gpedit.msc. Don't remember which one, but I think it'll be obvious.

> 4)
> How could I set up client name resolution so that client X cannot
> announce itself as DC/browse master etc.?
> If every client resolves names via broadcast, then when my DC goes down and
> someone brings up his NT/samba server he could do a lot of damage - collect
> people's passwords etc...

Just use WINS - it reduces broadcasting significantly. It would not be entirely trivial to just bring up a fake PDC: you'd need to know the domain SID, fake authentication of clients and fake up some profiles to be downloaded to the user.

I don't think the client authenticates the server with samba. Someone with more knowledge of the internals might be able to comment more usefully on this front...

brad
-- 
Bradley W. Langhorst <brad@langhorst.com>
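The duplicate Domain Admins / Domain Users entries with different SIDs that the original post describes, and Brad's guess that the domain SID changed mid-experiment, are both visible directly in `smbgroupedit -v` output. Below is an added example (not from the original thread and not Samba's own code) that parses that output and flags the conditions discussed: a group name listed more than once, more than one domain SID in the map, a well-known domain group (RID 512/513/514) with no Unix group, and whether a given user's primary Unix group is mapped to a domain group at all, which is what the `get_domain_user_groups` warning complains about. The first sample is the table from the post; the second "Domain Admins" line with SID `S-1-5-21-1111111111-2222222222-3333333333-512` is constructed to reproduce the duplicate-SID situation.

```python
import re
from collections import defaultdict

# Well-known RIDs of the three domain groups an NT4-style domain expects
# exactly once each. S-1-5-32-* entries are BUILTIN aliases, not domain groups.
DOMAIN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# One line of `smbgroupedit -v`: "<NT group> (<SID>) -> <unix group or -1>"
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")

# The table exactly as posted above; prompt and header lines are skipped by the parser.
PAGE_OUTPUT = """\
root@woody-samba:/var/log/samba# smbgroupedit -v
NT group (SID) -> Unix group
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-2072525299-305900136-1143589454-512) -> domadm
Domain Guests (S-1-5-21-2072525299-305900136-1143589454-514) -> -1
Domain Users (S-1-5-21-2072525299-305900136-1143589454-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users
root@woody-samba:/var/log/samba#
"""

# Constructed sample: the same table plus a second "Domain Admins" under a
# different (made-up) domain SID, the state the poster saw before deleting entries.
DUPLICATE_OUTPUT = PAGE_OUTPUT + (
    "Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadm\n"
)


def parse_smbgroupedit(output: str):
    """Return (nt_group, sid, unix_group) tuples; unix_group is None where Samba printed -1."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt, header or blank line
        unix = None if m.group("unix") == "-1" else m.group("unix")
        entries.append((m.group("name"), m.group("sid"), unix))
    return entries


def is_domain_sid(sid: str) -> bool:
    """Domain SIDs start S-1-5-21-; everything else here is a BUILTIN alias."""
    return sid.startswith("S-1-5-21-")


def check_group_map(entries):
    """Return a list of human-readable problems found in the mapping table."""
    problems = []
    by_name = defaultdict(list)
    domain_sids = set()
    for name, sid, unix in entries:
        by_name[name].append(sid)
        if not is_domain_sid(sid):
            continue
        prefix, rid = sid.rsplit("-", 1)
        domain_sids.add(prefix)
        expected = DOMAIN_GROUP_RIDS.get(int(rid))
        if expected and expected != name:
            problems.append(f"RID {rid} is named {name!r}, expected {expected!r}")
        if expected and unix is None:
            problems.append(f"{name} ({sid}) has no Unix group")
    for name, sids in by_name.items():
        if len(sids) > 1:
            problems.append(f"{name} appears {len(sids)} times: {', '.join(sids)}")
    if len(domain_sids) > 1:
        problems.append(f"more than one domain SID in the map: {sorted(domain_sids)}")
    return problems


def primary_group_is_domain_group(unix_group: str, entries) -> bool:
    """True if a user's primary Unix group is mapped to some domain (S-1-5-21-*) group,
    which is the condition the get_domain_user_groups warning asks for."""
    return any(u == unix_group and is_domain_sid(sid) for _, sid, u in entries)


if __name__ == "__main__":
    for label, text in (("page", PAGE_OUTPUT), ("with duplicate", DUPLICATE_OUTPUT)):
        entries = parse_smbgroupedit(text)
        print(f"[{label}] {len(entries)} mappings")
        for problem in check_group_map(entries):
            print("  -", problem)
    page = parse_smbgroupedit(PAGE_OUTPUT)
    print("primary group 'users' is a domain group:", primary_group_is_domain_group("users", page))
    print("primary group 'john' is a domain group:", primary_group_is_domain_group("john", page))
```

On the posted table the only finding is that Domain Guests has no Unix group; on the constructed table the duplicate name and the second domain SID are reported as well. A private group named after the user (here `john`) never satisfies the primary-group check, which is why adding john to Domain Users changes nothing: the warning is about the primary gid, not group membership.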
Hello,

This is my first time delving into non-2.2 samba, and attempting to develop a single authentication solution for windows and unix machines. Currently we use NIS for the unix machines (Solaris 2.6-2.8, IRIX 6.5, Linux, Motorola), and there is NO PDC for windows. The samba servers use NIS and use unencrypted passwords for authentication.

What I would like to do is begin preparing for an upgrade to samba 3.0 (when it is production), as the company I work for is implementing a Windows 2000 initiative in all the satellite offices. I would like, if possible, to provide a samba solution as opposed to Windows 2000.

With an LDAP backend, can samba and Unix share the same user/passwords? Or are there different schema/encryption methods for the two? I had planned on getting PADL's LDAP->NIS gateway for the older unixes that do not have direct LDAP authentication capabilities.

Thanks for your help,
-- 
Matt Schillinger
mschilli@vss.fsi.com
On 4 Mar 2003, Matt Schillinger wrote:

> With an LDAP backend, can samba and Unix share the same user/passwords?

You still have to maintain the lmPassword and ntPassword attributes (storing the Windows password hashes).

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"You can never go home again, Oatman, but I guess you can shop there."
--John Cusack - "Grosse Point Blank" (1997)
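The reason the Windows hashes have to be maintained separately is that ntPassword is not derived from the Unix hash: it is MD4 over the UTF-16LE encoding of the plaintext, with no salt, and only the plaintext (at password-change time) can produce it. The following added example (not from the thread and not Samba's own code) computes that value and emits the LDIF that would set it; the DN `uid=john,ou=People,dc=example,dc=com` is a hypothetical placeholder. MD4 is implemented in pure Python because hashlib's md4 sits behind OpenSSL's legacy provider on many current systems. The lmPassword value is left out: it is a DES-based construction over the upper-cased password and needs a DES implementation, and everything below applies to it as well.

```python
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320, in pure Python."""
    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    # Padding: a 0x80 byte, zeros up to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_order = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        # Each round does 16 steps; rotating the registers after every step
        # reproduces the A/D/C/B ordering of the RFC's step tables.
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):
            a = rotl((a + F(b, c, d) + X[i]) & MASK, s)
            a, b, c, d = d, a, b, c
        for i, s in zip(r2_order, [3, 5, 9, 13] * 4):
            a = rotl((a + G(b, c, d) + X[i] + 0x5A827999) & MASK, s)
            a, b, c, d = d, a, b, c
        for i, s in zip(r3_order, [3, 9, 11, 15] * 4):
            a = rotl((a + H(b, c, d) + X[i] + 0x6ED9EBA1) & MASK, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 of the password encoded as UTF-16LE, no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def nt_password_attribute(password: str) -> str:
    """The attribute line as stored in the LDAP entry: 32 upper-case hex digits."""
    return "ntPassword: " + nt_hash(password).hex().upper()


def ldif_replace_ntpassword(dn: str, password: str) -> str:
    """LDIF that replaces only the Windows hash. userPassword is untouched here,
    which is exactly how the two attributes drift apart when a change is made
    on one side only (e.g. passwd on Unix without a matching smbpasswd/ldap update)."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: ntPassword\n"
        f"{nt_password_attribute(password)}\n"
    )


if __name__ == "__main__":
    # Hypothetical DN, constructed for the example.
    print(ldif_replace_ntpassword("uid=john,ou=People,dc=example,dc=com", "password"))
    print("same password, same hash:", nt_hash("password") == nt_hash("password"))
```

Because the hash is unsalted, every account with the same password carries the same ntPassword value, and the value itself is what the client proves possession of during NTLM authentication, so it is a password-equivalent credential. The LDAP ACL on lmPassword/ntPassword therefore has to be at least as strict as the one on userPassword: readable by the Samba bind DN only, never by anonymous or ordinary authenticated users.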