Hello everyone
I have been struggling a lot with Samba and this mailing list is my last hope.
I have a windows server 2008 R2 and my aim is to store the user's
roaming profiles to a samba share. I don't want users to be able to
login into the linux machines using their windows credentials just to
save their roaming profiles on a samba share.
To achieve this I followed numerous pages online but I always get stuck and can
not achieve my end result.
I managed to join the samba server to the windows domain:
net ads testjoin = Join is OK and I can see the samba server under computer
accounts in AD
wbinfo -u works (I get all the active directories users listed)
wbinfo -g also works (can see AD groups)
getent passwd also works. Active directory users are listed in the format below:
b.simpson:*:16777235:16777219:Bart Simpson:/home/b.simpson:/bin/bash
j.giant:*:16777236:16777219:John Giant:/home/j.giant:/bin/bash
getent group does not work :( (only local users are shown)
My problem is that when I try to change the ownership of my samba share to
"domain users" I get:
chgrp: invalid group: `domain users'. Therefore users cannot log in to the
domain using a client PC (WinXP).
They get the error about not being able to find the
servers copy of their roaming profile and they are getting logged in with a temp
account.
"Login failure unknown username or bad password". (I can confirm I am
typing the right password)
Could someone please have a look at my config files below and if you see
anything wrong please let me know.
Samba server: 2.6.32-358.18.1.el6.x86_64
smbstatus: Samba version 3.6.9-151.el6_4.1
My krb5.conf looks like this:
[libdefaults]
        ticket_lifetime = 600
        default_realm = TESTAD.BIO.AC.UK
        allow_weak_crypto = true
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forward = true
        forwardable = true
        clockskew = 300
        noaddresses = true
[realms]
        TESTAD.BIO.AC.UK = {
                kdc = TESTSERVER1.TESTAD.BIO.AC.UK
                default_domain = TESTAD.BIO.AC.UK
        }
[domain_realm]
        .testad.bio.ac.uk = TESTAD.BIO.AC.UK
        testad.bio.ac.uk = TESTAD.BIO.AC.UK
[kdc]
        profile = /etc/krb5kdc/kdc.conf
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.logog
My SMB.CONF looks like this:
[global]
   workgroup = TESTAD
   password server = testserver1.testad.bio.ac.uk
   realm = TESTAD.BIO.AC.UK
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = no
   server string = Samba Server Version %v
   # logs split per machine
   log file = /var/log/samba/log.%m
   # max 50KB per log file, then rotate
   max log size = 50
   name resolve order = bcast
   netbios name = zeus
[Profiles]
   path = /srv/samba/profiles/
   comment = TestAD Directories
   browseable = yes
   read only = no
   store dos attributes = Yes
   create mask = 0600
   directory mask = 0700
   profile acls = yes
   csc policy = disable
SELinux and the firewall are disabled.
The IP address of the windows server is inside /etc/resolv.conf
My nsswitch.conf looks like this:
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis
passwd:     files winbind
shadow:     files
group:      files winbind
#hosts:     db files nisplus nis dns
hosts:      files dns nis
ethers:     files nis
netmasks:   files nis
networks:   files nis
protocols:  files nis
rpc:        files nis
services:   files
netgroup:   files nis
publickey:  nisplus
automount:  files nis
aliases:    files nisplus
Inside /etc/hosts I have included the samba server and the windows server
information.
I don't know what other information I should provide. If you need anything
else please let me know.
Many thanks
________________________________
From: "samba-request at lists.samba.org" <samba-request at lists.samba.org>
To: samba at lists.samba.org
Sent: 7:00 a.m. Monday, 23 September 2013
Subject: samba Digest, Vol 129, Issue 26
----- Forwarded message -----
Send samba mailing list submissions to
    samba at lists.samba.org
To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.samba.org/mailman/listinfo/samba
or, via email, send a message with subject or body 'help' to
    samba-request at lists.samba.org
You can reach the person managing the list at
    samba-owner at lists.samba.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of samba digest..."
Today's Topics:
   1. Re: ldbedit syntax problem (steve)
   2. Re: ldbedit syntax problem (Gémes Géza)
   3. Samba as DC Member (KevinTang at umac.mo)
   4. Re: ldbedit syntax problem (Rowland Penny)
   5. Re: Samba as DC Member (steve)
   6. Force user doesn't work (Bart-Jan van Hummel)
   7. Re: Force user doesn't work (Bart-Jan van Hummel)
   8. Re: Force user doesn't work (Jonathan Buzzard)
   9. Log on to Samba 4 AD DC using domain user
      (jared.m.jacobson at L-3com.com)
  10. samba-tool join domain fails (Axel)
  11. Re: Log on to Samba 4 AD DC using domain user (steve)
On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
> On 22/09/13 13:04, steve wrote:
> > Hi
> > How do I ldbedit this dn?
> >
> > CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
> >
> > It's the * that I can't get.
> >
> > Cheers,
> > Steve
> >
> >
> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo
> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the
> results for '*'
>
> Rowland
Hi Rowland, hi everyone
Yes, that works fine, thanks. The problem is that it loads the whole of
the db into the editor.
Cheers,
Steve
On 2013-09-22 21:09, steve wrote:
> On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
>> On 22/09/13 13:04, steve wrote:
>>> Hi
>>> How do I ldbedit this dn?
>>>
>>> CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
>>>
>>> It's the * that I can't get.
>>>
>>> Cheers,
>>> Steve
>>>
>>>
>> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo
>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the
>> results for '*'
>>
>> Rowland
> Hi Rowland, hi everyone
> Yes, that works fine, thanks. The problem is that it loads the whole of
> the db into the editor.
> Cheers,
> Steve
>
>
Hi,
I haven't tried it but with ldbsearch it works:
-b OU=auto.users,ou=automount,DC=bar,DC=foo CN=*
Regards
Geza Gemes
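Steve's difficulty is that `*` is the LDAP wildcard: in an RFC 4515 filter, `CN=*` is a presence test that matches every entry with a CN (which is why ldbedit pulled in the whole database), while a CN that really is an asterisk, as in the automount key `CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo`, has to be written `CN=\2a`. The Python below is added here as an example and was not posted by anyone on the thread; it implements the RFC 4515 value escaping and evaluates both readings against candidate values so the difference is visible. The function names are my own.

```python
# Added example (not from any poster): RFC 4515 escaping for LDAP filter
# assertion values, and a tiny evaluator showing why "*" matches everything
# while "\2a" matches only a literal asterisk.
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attr: str, value: str) -> str:
    """Build an equality filter such as (CN=\\2a) from an attribute and a raw value."""
    return f"({attr}={escape_filter_value(value)})"


def is_wildcard_filter(flt: str) -> bool:
    """True when the assertion value contains an unescaped '*' (presence or
    substring filter); False when it can only match one literal value."""
    m = re.fullmatch(r"\((?P<attr>[A-Za-z][\w.;-]*)=(?P<val>.*)\)", flt)
    if m is None:
        raise ValueError(f"not a simple equality filter: {flt!r}")
    return "*" in m.group("val")  # escaped asterisks are \2a and contain no '*'


def _unescape(value: str) -> str:
    """Turn RFC 4515 \\XX hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def value_matches(assertion: str, candidate: str) -> bool:
    """Evaluate an assertion value (unescaped '*' acts as a wildcard) against a
    candidate attribute value, case-insensitively as a directory would."""
    # Split on the wildcard first so an escaped \2a stays a literal after unescaping.
    parts = [re.escape(_unescape(p)) for p in assertion.split("*")]
    return re.fullmatch(".*".join(parts), candidate, flags=re.IGNORECASE) is not None


if __name__ == "__main__":
    literal = equality_filter("CN", "*")
    print(literal)                                   # (CN=\2a)
    print(is_wildcard_filter("(CN=*)"))              # True: presence filter
    print(is_wildcard_filter(literal))               # False: one literal value
    print(value_matches("*", "auto.users"))          # True
    print(value_matches(r"\2a", "auto.users"))       # False
    print(value_matches(r"\2a", "*"))                # True
```

With ldbsearch the same distinction applies: `CN=*` under the `-b OU=auto.users,...` base lists every map entry in that OU, and `CN=\2a` selects the entry whose key is the asterisk.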
Dear all,
I have installed Windows AD and a Linux client PC.
On the Linux PC, I modified these files to allow AD users to log on to the
Linux client PC via LDAPS.
- /etc/sssd/sssd.conf
- /etc/krb5.conf
- /etc/pam.d/system-auth-ac
- /etc/pam.d/password-auth-ac
- /etc/openldap/ldap.conf
When I create a SAMBA share folder on the Linux client PC and my Windows PC
wants to connect to it, Windows prompts a login dialog for access to that
SAMBA share.
My problem is that no matter whether I enter an AD user account or the Linux
'root' account, it says login error and does not allow me to enter. What is
wrong with my settings?
My Windows AD is:
OS: Windows Server 2008 R2 64bit standard edition
IP: 192.168.10.1/16
My Windows Client is:
OS: Windows 7, 32bit Enterprise. (already join Windows AD domain).
IP: 192.168.20.1/16
My Linux Client is:
OS: CentOS 6.4, 64bit
IP: 192.168.30.1/16
Thank you very much
Kevin Tang
On 22/09/13 20:09, steve wrote:
> On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
>> On 22/09/13 13:04, steve wrote:
>>> Hi
>>> How do I ldbedit this dn?
>>>
>>> CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
>>>
>>> It's the * that I can't get.
>>>
>>> Cheers,
>>> Steve
>>>
>>>
>> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo
>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the
>> results for '*'
>>
>> Rowland
> Hi Rowland, hi everyone
> Yes, that works fine, thanks. The problem is that it loads the whole of
> the db into the editor.
> Cheers,
> Steve
>
>
Well, yes but better too much rather than nothing
Rowland
On Mon, 2013-09-23 at 15:51 +0800, KevinTang at umac.mo wrote:
> Dear all,
>
> I have install Windows AD and Linux client PC.
>
> In Linux PC, I modify these file to allow AD user logon the Linux Client
> PC via LDAPS.
> - /etc/sssd/sssd.conf
> - /etc/krb5.conf
> - /etc/pam.d/system-auth-ac
> - /etc/pam.d/password-auth-ac
> - /etc/openldap/ldap.conf
> My Linux Client is:
> OS: CentOS 6.4, 64bit
> IP: 192.168.30.1/16
>
> Thank you very much
> Kevin Tang
>
Hi
I think you want the client to be a file server no?
try in [global]
workgroup = MYDOMAIN
security = ADS
kerberos method = system keytab
Make sure /etc/hosts has:
127.0.0.1 centos-client.mydomain.com centos-client localhost
and that you can (at least) ping the 2008 box
Then try to join the domain:
net ads join -UAdministrator
That may get you a little closer.
HTH
Steve
I am using Samba 3.6.6 on Debian Wheezy.
I want to be able to change www files on my dev server using my macbook.
So I setup samba and made a share for the /var/www directory.
I added the users bart & root to samba to connect. And connect using command
K and then smb://192.168.2.100 (my samba server).
As apache uses www-data as a user and group for the www files I use force user
and force group in samba to prevent errors in the rights.
However it does force the group www-data, but doesn't force the user. Every
file I create is being owned by root in the group www-data.
To look for errors I tailed the logs in /var/log/samba and only found an error
in log.smbd when restarting the samba service. See the log here:
smbd version 3.6.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
[2013/09/23 11:14:22.601031, 0] printing/print_cups.c:110(cups_connect)
Unable to connect to CUPS server localhost:631 - Connection refused
[2013/09/23 11:14:22.602215, 0] printing/print_cups.c:487(cups_async_callback)
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
And here is my smb.conf:
[global]
server string = %h server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[www]
comment = www
path = /var/www/
valid users = bart, root
admin users = bart, root
write list = bart, root
force user = www-data
force group = www-data
read only = No
I even tried adding www-data to the valid users as well as the admin users and
the write list. This did not have any effect.
Can you help me out? Thanks in advance!
On Mon, 2013-09-23 at 16:20 Jonathan Buzzard wrote:
> Simplest solution is to put "unix extensions = no" in your smb.conf and
> restart Samba. Though this requires that you don't rely on them
> elsewhere.
Thanks, I will do that just to be sure.
Just now I found another solution as well: removing the admin users also
works. This used to work fine on older versions of Samba; on this version
(and I take it on newer versions as well) this needs to be removed.
On Mon, 2013-09-23 at 11:45 +0200, Bart-Jan van Hummel wrote:
> I am using Samba 3.6.6 on Debian Wheezy.
>
> I want to be able to change www files on my dev server using my macbook.
That is your problem right there. The MacOS X smb client does not
generally respect force user/group parameters when Unix extensions are
present.
Simplest solution is to put "unix extensions = no" in your smb.conf and
restart Samba. Though this requires that you don't rely on them
elsewhere.
JAB.
--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
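Two of the problems in this digest come down to settings in smb.conf and nsswitch.conf that can be checked mechanically: the first poster's "getent group" not showing AD groups (group lookups need winbind on the group line of nsswitch.conf, and with "winbind use default domain = yes" the group is addressed as plain "domain users" rather than "TESTAD\domain users"), and Bart-Jan's [www] share where "force user" is ignored (Jonathan points at Unix extensions with the Mac client; Bart-Jan found that dropping "admin users" also made it take effect). The Python below is an added example, not code from any poster or from the Samba project; it parses both files and reports those conditions. The sample configs are constructed from fragments of the posted files, and the parser and function names are my own.

```python
# Added example: lint smb.conf and nsswitch.conf for the winbind group-lookup
# and force-user conditions discussed in this digest. Not from any poster or
# from Samba itself; the sample configs are constructed from the posted files.
import re
from typing import Dict, List

SMB_CONF_SAMPLE = """
[global]
   workgroup = TESTAD
   realm = TESTAD.BIO.AC.UK
   security = ads
   idmap config * : range = 16777216-33554431
   winbind use default domain = yes

[Profiles]
   path = /srv/samba/profiles/
   read only = no
   profile acls = yes

[www]
   path = /var/www/
   valid users = bart, root
   admin users = bart, root
   force user = www-data
   force group = www-data
   read only = No
"""

NSSWITCH_SAMPLE = """
# constructed sample: winbind listed for both passwd and group
passwd:    files winbind
shadow:    files
group:     files winbind
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}}; parameter names are lower-cased
    with whitespace collapsed, which is how smbd compares them."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} with comments stripped."""
    db: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def expected_group_name(global_sec: Dict[str, str], group: str = "domain users") -> str:
    """Name under which getent/chgrp must see an AD group: bare when
    'winbind use default domain' is yes, otherwise WORKGROUP<separator>group."""
    if is_yes(global_sec.get("winbind use default domain", "no")):
        return group
    sep = global_sec.get("winbind separator", "\\")
    return f"{global_sec.get('workgroup', '').upper()}{sep}{group}"


def lint(sections: Dict[str, Dict[str, str]], nss: Dict[str, List[str]]) -> List[str]:
    """Report the conditions behind the symptoms seen in this digest."""
    findings: List[str] = []
    g = sections.get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("global: 'security' is not 'ads'; winbind will not authenticate against AD")
    for database in ("passwd", "group"):
        if "winbind" not in nss.get(database, []):
            findings.append(f"nsswitch: '{database}' does not list winbind; getent {database} cannot see AD entries")
    if not any(k.startswith("idmap config") and k.endswith(": range") for k in g):
        findings.append("global: no 'idmap config * : range'; winbind has no uid/gid range to allocate from")
    unix_ext_off = not is_yes(g.get("unix extensions", "yes"))
    for name, sec in sections.items():
        if name == "global" or "force user" not in sec:
            continue
        if "admin users" in sec:
            findings.append(f"[{name}]: 'force user' set together with 'admin users'; on Samba 3.6.6 "
                            "the forced owner only took effect once 'admin users' was removed")
        if not unix_ext_off:
            findings.append(f"[{name}]: 'force user' with Unix extensions enabled; the Mac OS X client "
                            "does not honour it unless 'unix extensions = no' is set")
    return findings


if __name__ == "__main__":
    smb = parse_smb_conf(SMB_CONF_SAMPLE)
    print("AD group name to use with chgrp:", expected_group_name(smb["global"]))
    for finding in lint(smb, parse_nsswitch(NSSWITCH_SAMPLE)):
        print("-", finding)
```

Run against the real files (`open("/etc/samba/smb.conf").read()` and `/etc/nsswitch.conf`), the expected_group_name output is the string to pass to chgrp, and an empty findings list means the configuration matches what this thread's replies call for; it does not prove that winbindd is running or that the join is healthy, which `wbinfo -t` and `getent group` still have to confirm.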
Hi, all,
I am having trouble figuring out how to log on to a Samba 4 AD DC using
any AD domain account. Has anyone had success doing this? If so, is
there a guide somewhere?
I have stood up a Samba 4 Active Directory Domain Controller on a Red
Hat 6.3 system, and it appears to be functioning correctly. I have a
Windows 7 workstation, a Windows 2008R2 storage server, and two other
Red Hat servers (running Samba 3.6.9) joined to the domain, and I can
log in to all the systems except the DC using domain accounts. How do I
configure the AD DC to allow login?
So far I've tried following the guidance in the Red Hat "Integrating Red
Hat Enterprise 6 with Active Directory"
<http://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory>,
the Samba wiki's pages "Local user management and authentication/sssd"
<https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd>
and "Local user management and authentication/nslcd"
<https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd>.
I've tried following the Samba wiki page "Samba 4/Winbind"
<https://wiki.samba.org/index.php/Samba4/Winbind>. None of them have
worked.
Thanks for any help you can offer.
Jared
_________________________________________
Jared Jacobson, CISSP
Information Assurance Engineer
L-3 Communications - Communications Systems West
Desk: (801) 594-3669
Cell: (801) 530-9191
E-mail: jared.m.jacobson at L-3com.com
Hi folks,
big problem with my testing environment... my Windows 2003 domain has existed
since 2004 and the credentials are correct, guaranteed.
This problem is the same on Ubuntu 12.04.3 and Debian 7...
root at pa-lnxd-04:~# /usr/local/samba/bin/samba-tool domain join INTRANET.DOMAIN.DE DC -Uintranet/admin --realm=intranet.DOMAIN.de
Finding a writeable DC for domain 'INTRANET.DOMAIN.DE'
Found DC wi-pas01.intranet.DOMAIN.de
Password for [INTRANET\admin]:
workgroup is INTRANET
realm is intranet.DOMAIN.de
checking sAMAccountName
Adding CN=PA-LNXD-04,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0> <>
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
    ctx.samdb.add(rec)
It seems that all prerequisites are fine: DNS, ACL etc.; ping works fine, as
does resolution of FQDNs.
Can someone help?
Thanks & Cheers
axel
On Mon, 2013-09-23 at 10:00 -0600, jared.m.jacobson at L-3com.com wrote:
> Hi, all,
>
>
>
> I am having trouble figuring out how to log on to a Samba 4 AD DC using
> any AD domain account. Has anyone had success doing this? If so, is
> there a guide somewhere?
Hi
Each domain user must have a uidNumber and a gidNumber to be able to
authenticate to a Linux system such as Samba4. You can use winbind,
nss-ldapd or sssd to do that. I'd recommend storing the numbers in AD
and pulling them direct rather than a separate mapping.
HTH
Steve
_______________________________________________
samba mailing list
samba at lists.samba.org
https://lists.samba.org/mailman/listinfo/samba