Hi,

I got samba 3.0.26a on my Fedora 7, and when I try to add users with smbpasswd -a username, it only works if the user exists as a linux user... I got a Centos 4.4 system with samba 3.0.10 and it works even if the user doesn't exist on the system.

Can anyone explain to me why this happens? Is it from this new version (3.0.26a) or may be a problem of Fedora 7?
On Mon, 2007-10-08 at 15:45 +0100, Ricardo Manuel Esteves (VI) wrote:
> Hi,
>
> I got samba 3.0.26a on my Fedora 7, and when I try to add users with
> smbpasswd -a username, it only works if the user exists as a linux
> user... I got a Centos 4.4 system with samba 3.0.10 and it works even
> if the user doesn't exist on the system.
>
> Can anyone explain to me why this happens? Is it from this new version
> (3.0.26a) or may be a problem of
> Fedora 7?

Always been like that since I can remember, and it is by design.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
Ok, let's put this better, maybe I confused some stuff...

I got my ldap server on the centos machine, lots of users configured there, and works fine on the samba of that machine.
Then I got a Fedora 7 machine, with Samba configured to authenticate from the centos machine LDAP.
When I try to connect to the Fedora 7 samba shares with some user that exists on the LDAP but not on the Fedora 7 system, it gives me this error:

Examples:

Fedora 7 machine:

smbclient //127.0.0.1/util -U drocha
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

log.smbd :

[2007/10/08 16:38:23, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
  pdb_get_group_sid: Failed to find Unix account for drocha
[2007/10/08 16:38:24, 1] auth/auth_util.c:make_server_info_sam(566)
  User drocha in passdb, but getpwnam() fails!
[2007/10/08 16:38:24, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

CentOS 4 machine:

smbclient //127.0.0.1/util -U drocha
Password:
Domain=[VERSAOINTEGRAL] OS=[Unix] Server=[Samba 3.0.10-1.4E.12.2]
smb: \>

works fine.

On Mon, 2007-10-08 at 15:45 +0100, Ricardo Manuel Esteves (VI) wrote:
> Hi,
>
> I got samba 3.0.26a on my Fedora 7, and when I try to add users with
> smbpasswd -a username, it only works if the user exists as a linux
> user... I got a Centos 4.4 system with samba 3.0.10 and it works even
> if the user doesn't exist on the system.
>
> Can anyone explain to me why this happens? Is it from this new version
> (3.0.26a) or may be a problem of
> Fedora 7?
> Ok, let's put this better, maybe I confused some stuff...
> I got my ldap server on the centos machine, lots of users configured
> there, and works fine on the samba of that machine.
> Then I got a Fedora 7 machine, with Samba configured to authenticate from
> the centos machine LDAP.
> When I try to connect to the Fedora 7 samba shares with some user that
> exists on the LDAP but not on the Fedora 7 system, it gives me this
> error:
> Examples:
> Fedora 7 machine:
> smbclient //127.0.0.1/util -U drocha
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> [2007/10/08 16:38:24, 1] auth/auth_util.c:make_server_info_sam(566)
> User drocha in passdb, but getpwnam() fails!

Yep; you need to complete the configuration of the FC7 box. You need to connect NSS on the FC7 box to your domain/DSA. getpwnam is a call to NSS. This is all documented in the Samba docs & "man nsswitch.conf"

--
Consonance: an Open Source .NET OpenGroupware client.
http://code.google.com/p/consonance/ - Searching for a bored Cairo# hacker.
Contact:awilliam@whitemiceconsulting.com http://www.opengroupware.org
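The check described in the reply above, as an added example that is not part of the original thread: it pulls the affected usernames out of smbd log lines in the format quoted earlier, reads the `passwd:` line of nsswitch.conf, and repeats the getpwnam() lookup that smbd makes. The function names, the sample log and the choice of `ldap` and `winbind` as the directory-backed NSS sources are assumptions made for this example.

```python
import pwd
import re

# Constructed sample in the smbd log format quoted in the thread.
SAMPLE_LOG = """\
[2007/10/08 16:38:23, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
  pdb_get_group_sid: Failed to find Unix account for drocha
[2007/10/08 16:38:24, 1] auth/auth_util.c:make_server_info_sam(566)
  User drocha in passdb, but getpwnam() fails!
"""

PATTERNS = (
    re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!"),
    re.compile(r"Failed to find Unix account for (\S+)"),
)

def users_without_unix_account(log_text):
    """Users smbd found in passdb but could not resolve through NSS."""
    found = set()
    for pattern in PATTERNS:
        found.update(pattern.findall(log_text))
    return sorted(found)

def passwd_sources(nsswitch_text):
    """NSS sources on the 'passwd:' line, in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            # Drop action items such as [NOTFOUND=return].
            spec = re.sub(r"\[[^\]]*\]", " ", line[len("passwd:"):])
            return spec.split()
    return []

def diagnose(log_text, nsswitch_text, lookup=pwd.getpwnam,
             directory_sources=("ldap", "winbind")):  # assumed source names
    """Map each failing user to the most likely NSS-side cause."""
    sources = passwd_sources(nsswitch_text)
    report = {}
    for user in users_without_unix_account(log_text):
        try:
            lookup(user)  # the same NSS call smbd makes
            report[user] = "resolves now"
        except KeyError:
            if any(s in sources for s in directory_sources):
                report[user] = "directory source listed, lookup still fails"
            else:
                report[user] = "no directory source on passwd: line"
    return report

if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as fh:
        print(diagnose(SAMPLE_LOG, fh.read()))
```

Run on the Samba server itself, the result separates a missing NSS source from a source that is listed but cannot reach the directory.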
Are the IDEALX tools necessary for "complete" integration with LDAP? Or is the built-in support sufficiently advanced now? Daniel
On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> Are the IDEALX tools necessary for "complete" integration with LDAP? Or
> is the built-in support sufficiently advanced now?
>
> Daniel

Daniel,

What function do you believe the IDEALX tools serve? Why do you think these scripts are needed? What makes you think that "built-in support" might be the right (or best) solution?

Have you read the Samba documentation? Specifically, is there anything in the Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there is any attempt to supersede the necessity for the IDEALX tools (or an alternative set of scripts that is external to Samba itself)?

What does "complete" integration with LDAP mean to you?

You are not the first person to ask questions like these. It would help me to write more useful documentation if I could better understand what is behind the questions.

In case you do not know of the books "Samba3-HOWTO" and "Samba3-byExample" they can be obtained from:

http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
http://www.samba.org/samba/docs/Samba3-ByExample.pdf

The IDEALX tools are a means of creating and managing UNIX user and group accounts in the LDAP directory. Samba can then create and manage the Windows (SambaSAM) account information that is necessary to support Windows network activities.

As a network administrator, I want total control over how UNIX accounts are managed in my LDAP directory and I would not want this done by Samba - particularly if that removes my ability to control how this is done. Your mileage may vary, but I suspect most UNIX administrators who manage Samba would not want to lose control of the UNIX part of the directory.

For example, if Samba had total control over all Windows networking (Samba) accounts, and the Windows network administrator deletes a user account, but the user also has vital UNIX files, how should the deletion of the UNIX account information be handled?

By keeping the LDAP administration scripts that impact the UNIX account management separate from the Windows (Samba) account part, the administrator can exercise greater control over. - Just my $0.02 worth.

Cheers,
John T.
On Friday, 12 October 2007 06:58, John H Terpstra wrote:
> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
> > Are the IDEALX tools necessary for "complete" integration with LDAP? Or
> > is the built-in support sufficiently advanced now?
> >
> > Daniel
>
> Daniel,
>
> What function do you believe the IDEALX tools serve? Why do you think these
> scripts are needed? What makes you think that "built-in support" might be
> the right (or best) solution?
>
> Have you read the Samba documentation? Specifically, is there anything in the
> Samba3-HOWTO or in Samba3-ByExample that would lead you to believe that there
> is any attempt to supersede the necessity for the IDEALX tools (or an
> alternative set of scripts that is external to Samba itself)?
>
> What does "complete" integration with LDAP mean to you?
>
> You are not the first person to ask questions like these. It would help me to
> write more useful documentation if I could better understand what is behind
> the questions.
>
> In case you do not know of the books "Samba3-HOWTO" and "Samba3-byExample"
> they can be obtained from:
>
> http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> http://www.samba.org/samba/docs/Samba3-ByExample.pdf
>
> The IDEALX tools are a means of creating and managing UNIX user and group
> accounts in the LDAP directory. Samba can then create and manage the Windows
> (SambaSAM) account information that is necessary to support Windows network
> activities.
>
> As a network administrator, I want total control over how UNIX accounts are
> managed in my LDAP directory and I would not want this done by Samba -
> particularly if that removes my ability to control how this is done. Your
> mileage may vary, but I suspect most UNIX administrators who manage Samba
> would not want to lose control of the UNIX part of the directory.
>
> For example, if Samba had total control over all Windows networking (Samba)
> accounts, and the Windows network administrator deletes a user account, but
> the user also has vital UNIX files, how should the deletion of the UNIX
> account information be handled?
>
> By keeping the LDAP administration scripts that impact the UNIX account
> management separate from the Windows (Samba) account part, the administrator
> can exercise greater control over. - Just my $0.02 worth.
>
> Cheers,
> John T.

Hi John,

there is ongoing work to avoid (some) external scripts

http://wiki.samba.org/index.php/Ldapsam_Editposix

Cheers,
Guenter
John H Terpstra wrote:
> On Thursday 11 October 2007 22:57, Daniel L. Miller wrote:
>
>> Are the IDEALX tools necessary for "complete" integration with LDAP? Or
>> is the built-in support sufficiently advanced now?
>>
>> Daniel
>>
> What does "complete" integration with LDAP mean to you?
>
> You are not the first person to ask questions like these. It would help me to
> write more useful documentation if I could better understand what is behind
> the questions.
>

Do the "ldapsam:trusted" and "ldapsam:editposix" extensions provide - (pause whilst I search for the correct word) - "equivalent" functionality to the IDEALX tools? Or are they solutions for different applications?

For "typical" applications, with a PDC, mixed Unix and Windows workstations, file and print sharing - are the extensions a simpler way to achieve the - (wait, need to substitute word again) - "equivalent" level of LDAP integration?

--
Daniel