Hello everyone, I have been struggling a lot with Samba and this mailing list is my last hope.

I have a Windows Server 2008 R2 and my aim is to store the users' roaming profiles on a Samba share. I don't want users to be able to log in to the Linux machines using their Windows credentials, just to save their roaming profiles on a Samba share. To achieve this I followed numerous pages online but I always get stuck and cannot achieve my end result.

I managed to join the Samba server to the Windows domain:

  net ads testjoin: Join is OK

and I can see the Samba server under computer accounts in AD.

  wbinfo -u works (I get all the Active Directory users listed)
  wbinfo -g also works (can see AD groups)
  getent passwd also works. Active Directory users are listed in the format below:

    b.simpson:*:16777235:16777219:Bart Simpson:/home/b.simpson:/bin/bash
    j.giant:*:16777236:16777219:John Giant:/home/j.giant:/bin/bash

  getent group does not work :( (only local users are shown)

My problem is that when I try to change the ownership of my Samba share to "domain users" I get:

  chgrp: invalid group: `domain users'

Therefore users cannot log in to the domain using a client PC (WinXP). They get the error about not being able to find the server's copy of their roaming profile and they are getting logged in with a temp account: "Login failure unknown username or bad password". (I can confirm I am typing the right password.)

Could someone please have a look at my config files below and if you see anything wrong please let me know.

Samba server: 2.6.32-358.18.1.el6.x86_64
smbstatus: Samba version 3.6.9-151.el6_4.1

My krb5.conf looks like this:

  [libdefaults]
   ticket_lifetime = 600
   default_realm = TESTAD.BIO.AC.UK
   allow_weak_crypto = true
   dns_lookup_realm = true
   dns_lookup_kdc = true
   forward = true
   forwardable = true
   clockskew = 300
   noaddresses = true

  [realms]
   TESTAD.BIO.AC.UK = {
    kdc = TESTSERVER1.TESTAD.BIO.AC.UK
    default_domain = TESTAD.BIO.AC.UK
   }

  [domain_realm]
   .testad.bio.ac.uk = TESTAD.BIO.AC.UK
   testad.bio.ac.uk = TESTAD.BIO.AC.UK

  [kdc]
   profile = /etc/krb5kdc/kdc.conf

  [logging]
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log

My smb.conf looks like this:

  [global]
   workgroup = TESTAD
   password server = testserver1.testad.bio.ac.uk
   realm = TESTAD.BIO.AC.UK
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = no
   server string = Samba Server Version %v
   # logs split per machine
   log file = /var/log/samba/log.%m
   # max 50KB per log file, then rotate
   max log size = 50
   name resolve order = bcast
   netbios name = zeus

  [Profiles]
   path = /srv/samba/profiles/
   comment = TestAD Directories
   browseable = yes
   read only = no
   store dos attributes = Yes
   create mask = 0600
   directory mask = 0700
   profile acls = yes
   csc policy = disable

SELinux and the firewall are disabled.

The IP address of the Windows server is inside /etc/resolv.conf.

My nsswitch.conf looks like this:

  # To use db, put the "db" in front of "files" for entries you want to be
  # looked up first in the databases
  #
  # Example:
  #passwd:    db files nisplus nis
  #shadow:    db files nisplus nis
  #group:     db files nisplus nis

  passwd:     files winbind
  shadow:     files
  group:      files winbind

  #hosts:     db files nisplus nis dns
  hosts:      files dns nis

  ethers:     files nis
  netmasks:   files nis
  networks:   files nis
  protocols:  files nis
  rpc:        files nis
  services:   files

  netgroup:   files nis

  publickey:  nisplus

  automount:  files nis
  aliases:    files nisplus

Inside /etc/hosts I have included the Samba server and the Windows server information.

I don't know what other information I should provide. If you need anything else please let me know.

Many thanks

________________________________
From: "samba-requ...@lists.samba.org" <samba-requ...@lists.samba.org>
To: samba@lists.samba.org
Sent: 7:00 PM, Monday, 23 September 2013
Subject: samba Digest, Vol 129, Issue 26

----- Forwarded message -----

Today's Topics:

   1. Re: ldbedit syntax problem (steve)
   2. Re: ldbedit syntax problem (Gémes Géza)
   3. Samba as DC Member (kevint...@umac.mo)
   4. Re: ldbedit syntax problem (Rowland Penny)
   5. Re: Samba as DC Member (steve)
   6. Force user doesn't work (Bart-Jan van Hummel)
   7. Re: Force user doesn't work (Bart-Jan van Hummel)
   8. Re: Force user doesn't work (Jonathan Buzzard)
   9. Log on to Samba 4 AD DC using domain user (jared.m.jacob...@l-3com.com)
  10. samba-tool join domain fails (Axel)
  11.
      Re: Log on to Samba 4 AD DC using domain user (steve)

------------------------------

On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
> On 22/09/13 13:04, steve wrote:
> > Hi
> > How do I ldbedit this dn?
> >
> > CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
> >
> > It's the * that I can't get.
> >
> > Cheers,
> > Steve
> >
> >
> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo
> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the
> results for '*'
>
> Rowland

Hi Rowland, hi everyone
Yes, that works fine, thanks. The problem is that it loads the whole of the db into the editor.
Cheers,
Steve

------------------------------

On 2013-09-22 21:09, steve wrote:
> On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
>> On 22/09/13 13:04, steve wrote:
>>> Hi
>>> How do I ldbedit this dn?
>>>
>>> CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
>>>
>>> It's the * that I can't get.
>>>
>>> Cheers,
>>> Steve
>>>
>>>
>> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo
>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the
>> results for '*'
>>
>> Rowland
> Hi Rowland, hi everyone
> Yes, that works fine, thanks. The problem is that it loads the whole of
> the db into the editor.
> Cheers,
> Steve
>
>
Hi,

I haven't tried it but with ldbsearch it works:

-b OU=auto.users,ou=automount,DC=bar,DC=foo CN=*

Regards
Geza Gemes

------------------------------

Dear all,

I have installed Windows AD and a Linux client PC.

In the Linux PC, I modified these files to allow AD users to log on to the Linux client PC via LDAPS:
- /etc/sssd/sssd.conf
- /etc/krb5.conf
- /etc/pam.d/system-auth-ac
- /etc/pam.d/password-auth-ac
- /etc/openldap/ldap.conf

When I create a SAMBA share folder on the Linux client PC and my Windows PC wants to connect to it, Windows prompts a login dialog for access to that SAMBA share. My problem is that no matter whether I enter an AD user account or the Linux 'root' account, it already says login error and will not allow me to enter. What is wrong with my settings?

My Windows AD is:
  OS: Windows Server 2008 R2 64bit standard edition
  IP: 192.168.10.1/16

My Windows Client is:
  OS: Windows 7, 32bit Enterprise (already joined to the Windows AD domain)
  IP: 192.168.20.1/16

My Linux Client is:
  OS: CentOS 6.4, 64bit
  IP: 192.168.30.1/16

Thank you very much
Kevin Tang

------------------------------

On 22/09/13 20:09, steve wrote:
> On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
>> On 22/09/13 13:04, steve wrote:
>>> Hi
>>> How do I ldbedit this dn?
>>>
>>> CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
>>>
>>> It's the * that I can't get.
>>>
>>> Cheers,
>>> Steve
>>>
>>>
>> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo
>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the
>> results for '*'
>>
>> Rowland
> Hi Rowland, hi everyone
> Yes, that works fine, thanks. The problem is that it loads the whole of
> the db into the editor.
> Cheers,
> Steve
>
>
Well, yes but better too much rather than nothing

Rowland

------------------------------

On Mon, 2013-09-23 at 15:51 +0800, kevint...@umac.mo wrote:
> Dear all,
>
> I have install Windows AD and Linux client PC.
>
> In Linux PC, I modify these file to allow AD user logon the Linux Client
> PC via LDAPS.
> - /etc/sssd/sssd.conf
> - /etc/krb5.conf
> - /etc/pam.d/system-auth-ac
> - /etc/pam.d/password-auth-ac
> - /etc/openldap/ldap.conf
> My Linux Client is:
> OS: CentOS 6.4, 64bit
> IP: 192.168.30.1/16
>
> Thank you very much
> Kevin Tang
>
Hi
I think you want the client to be a file server, no?

Try in [global]:

  workgroup = MYDOMAIN
  security = ADS
  kerberos method = system keytab

Make sure /etc/hosts has:

  127.0.0.1 centos-client.mydomain.com centos-client localhost

and that you can (at least) ping the 2008 box.

Then try to join the domain:

  net ads join -UAdministrator

That may get you a little closer.
HTH
Steve

------------------------------

I am using Samba 3.6.6 on Debian Wheezy.

I want to be able to change www files on my dev server using my macbook. So I set up Samba and made a share for the /var/www directory.
I added the users bart & root to Samba to connect, and connect using Command-K and then smb://192.168.2.100 (my Samba server).

As Apache uses www-data as the user and group for the www files, I use force user and force group in Samba to prevent errors in the rights. However, it does force the group www-data, but doesn't force the user. Every file I create is owned by root in the group www-data.

To look for errors I tailed the logs in /var/log/samba and only found an error in log.smbd when restarting the Samba service. See the log here:

  smbd version 3.6.6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2011
  [2013/09/23 11:14:22.601031,  0] printing/print_cups.c:110(cups_connect)
    Unable to connect to CUPS server localhost:631 - Connection refused
  [2013/09/23 11:14:22.602215,  0] printing/print_cups.c:487(cups_async_callback)
    failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

And here is my smb.conf:

  [global]
   server string = %h server
   map to guest = Bad User
   obey pam restrictions = Yes
   pam password change = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   unix password sync = Yes
   syslog = 0
   log file = /var/log/samba/log.%m
   max log size = 1000
   dns proxy = No
   usershare allow guests = Yes
   panic action = /usr/share/samba/panic-action %d
   idmap config * : backend = tdb

  [homes]
   comment = Home Directories
   valid users = %S
   create mask = 0700
   directory mask = 0700
   browseable = No

  [printers]
   comment = All Printers
   path = /var/spool/samba
   create mask = 0700
   printable = Yes
   print ok = Yes
   browseable = No

  [print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers

  [www]
   comment = www
   path = /var/www/
   valid users = bart, root
   admin users = bart, root
   write list = bart, root
   force user = www-data
   force group = www-data
   read only = No

I even tried adding www-data to the valid users as well as the admin users and the write list. This did not have any effect.

Can you help me out? Thanks in advance!

------------------------------

On Mon, 2013-09-23 at 16:20 Jonathan Buzzard wrote:
> Simplest solution is to put "unix extensions = no" in your smb.conf and
> restart Samba. Though this requires that you don't rely on them
> elsewhere.

Thanks, I will do that just to be sure. Just now I found another solution as well: removing the admin users also works. This used to work fine on older versions of Samba; on this version (and I take it on newer versions as well) this needs to be removed.

------------------------------

On Mon, 2013-09-23 at 11:45 +0200, Bart-Jan van Hummel wrote:
> I am using Samba 3.6.6 on Debian Wheezy.
>
> I want to be able to change www files on my dev server using my macbook.

That is your problem right there. The MacOS X smb client does not generally respect force user/group parameters when Unix extensions are present.

Simplest solution is to put "unix extensions = no" in your smb.conf and restart Samba. Though this requires that you don't rely on them elsewhere.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

------------------------------

Hi, all,

I am having trouble figuring out how to log on to a Samba 4 AD DC using any AD domain account. Has anyone had success doing this? If so, is there a guide somewhere?

I have stood up a Samba 4 Active Directory Domain Controller on a Red Hat 6.3 system, and it appears to be functioning correctly. I have a Windows 7 workstation, a Windows 2008R2 storage server, and two other Red Hat servers (running Samba 3.6.9) joined to the domain, and I can log in to all the systems except the DC using domain accounts. How do I configure the AD DC to allow login?
So far I've tried following the guidance in the Red Hat "Integrating Red Hat Enterprise 6 with Active Directory" <http://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory>, the Samba wiki's pages "Local user management and authentication/sssd" <https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd> and "Local user management and authentication/nslcd" <https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd>. I've tried following the Samba wiki page "Samba 4/Winbind" <https://wiki.samba.org/index.php/Samba4/Winbind>. None of them have worked.

Thanks for any help you can offer.

Jared
_________________________________________
Jared Jacobson, CISSP
Information Assurance Engineer
L-3 Communications - Communications Systems West
Desk: (801) 594-3669
Cell: (801) 530-9191
E-mail: jared.m.jacob...@l-3com.com

------------------------------

Hi folks,

big problem with my testing environment... my Windows 2003 domain has existed since 2004 and the credentials are correct, guaranteed. This problem is actually the same on Ubuntu 12.04.3 and Debian 7...

<code>
root@pa-lnxd-04:~# /usr/local/samba/bin/samba-tool domain join INTRANET.DOMAIN.DE DC -Uintranet/admin --realm=intranet.DOMAIN.de
Finding a writeable DC for domain 'INTRANET.DOMAIN.DE'
Found DC wi-pas01.intranet.DOMAIN.de
Password for [INTRANET\admin]:
workgroup is INTRANET
realm is intranet.DOMAIN.de
checking sAMAccountName
Adding CN=PA-LNXD-04,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
 > <>
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
    ctx.samdb.add(rec)
</code>

It seems that all prerequisites are fine: DNS, ACL etc.; ping works fine, and so does resolution of FQDNs.

Can someone help?

Thanks & Cheers
axel

------------------------------

On Mon, 2013-09-23 at 10:00 -0600, jared.m.jacob...@l-3com.com wrote:
> Hi, all,
>
>
>
> I am having trouble figuring out how to log on to a Samba 4 AD DC using
> any AD domain account. Has anyone had success doing this? If so, is
> there a guide somewhere?

Hi
Each domain user must have a uidNumber and a gidNumber to be able to authenticate to a Linux system such as Samba4. You can use winbind, nss-ldapd or sssd to do that. I'd recommend storing the numbers in AD and pulling them direct rather than a separate mapping.

HTH
Steve
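Two of the threads above come down to how directory data is searched and what it must contain: the ldbedit question (an unescaped `CN=*` is an LDAP presence filter, so it matches every entry that has a cn, which is why the whole database landed in the editor; RFC 4515 writes a literal asterisk as `\2a`), and Steve's last reply (every domain user needs a uidNumber and gidNumber before a Linux host can authenticate it). The following script is an added example and is not code from the thread, from Samba, or from any of the posters. It works on a constructed LDIF export rather than a live directory; the `nisObject`/`nisMapEntry` shape of the automount entry and the two user entries are assumptions modelled on the DNs and uid/gid values quoted in the digest. The same escaping routine is what keeps user-supplied values from rewriting a filter (LDAP filter injection), which is the reason to treat it as a security control rather than a convenience.

```python
"""Filter escaping and POSIX-attribute audit over an LDIF export.

Added example (not from the samba list thread or from Samba itself).
Input is a constructed LDIF dump; a real one would come from
`ldbsearch`/`ldapsearch` with the same attribute layout.
"""
import re

# Constructed LDIF: an automount map entry whose cn is a literal '*',
# plus two users, one of which lacks uidNumber/gidNumber (assumed data).
LDIF = """\
dn: CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
objectClass: nisObject
cn: *
nisMapEntry: -fstype=nfs4 nfs.bar.foo:/home/&

dn: CN=Bart Simpson,CN=Users,DC=bar,DC=foo
objectClass: user
cn: Bart Simpson
sAMAccountName: b.simpson
uidNumber: 16777235
gidNumber: 16777219

dn: CN=John Giant,CN=Users,DC=bar,DC=foo
objectClass: user
cn: John Giant
sAMAccountName: j.giant
"""


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def parse_ldif(text):
    """Parse a plain LDIF dump into a list of {attr: [values]} dicts.
    Attribute names are lower-cased; base64 values and line folding are not handled."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        attr, _, val = line.partition(": ")
        if cur is None:
            cur = {}
        cur.setdefault(attr.lower(), []).append(val)
    if cur:
        entries.append(cur)
    return entries


def _decode(s):
    """Turn RFC 4515 \\XX escapes back into the literal characters a server would compare."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def match_filter(entries, filt):
    """Evaluate one '(attr=value)' filter the way an LDAP server does and return matching DNs.
    '*' alone is a presence filter, an unescaped '*' inside the value is a substring
    wildcard, and an escaped value is compared literally (case-insensitive here)."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=(.*?)\)?", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.group(1).lower(), m.group(2)
    hits = []
    for e in entries:
        vals = [v.lower() for v in e.get(attr, [])]
        if value == "*":
            hit = bool(vals)
        elif "*" in value:
            parts = [re.escape(_decode(p).lower()) for p in value.split("*")]
            hit = any(re.fullmatch(".*".join(parts), v) for v in vals)
        else:
            hit = _decode(value).lower() in vals
        if hit:
            hits.append(e["dn"][0])
    return hits


def users_missing_posix(entries):
    """sAMAccountNames of user objects that lack uidNumber or gidNumber."""
    return [e["samaccountname"][0] for e in entries
            if "user" in [c.lower() for c in e.get("objectclass", [])]
            and not ("uidnumber" in e and "gidnumber" in e)]


if __name__ == "__main__":
    ents = parse_ldif(LDIF)
    print("(cn=*) matches:", match_filter(ents, "(cn=*)"))
    print("(cn=\\2a) matches:", match_filter(ents, "(cn=" + ldap_filter_escape("*") + ")"))
    print("users without uidNumber/gidNumber:", users_missing_posix(ents))
```

Run as-is it shows the presence filter returning all three entries while the escaped filter returns only the automount entry, and it lists `j.giant` as the account that would fail Linux authentication for the reason Steve gives. Narrowing with `-b` as Geza suggests limits the search base; escaping the value is what limits the match.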
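The opening message of this digest (the winbind member server where `getent passwd` returns domain users but `getent group` returns only local groups, so `chgrp "domain users"` fails) is a case where the captured command output already contains the diagnosis if the pieces are cross-checked. The script below is an added example, not code from the thread or from Samba: it parses the idmap range from the poster's smb.conf, the `getent passwd` lines quoted in the message, and constructed `getent group` and `wbinfo -g` output that reproduces the symptom, and reports where the mapping chain breaks. The `wbinfo -g` group names and the local `getent group` lines are assumptions; the uid/gid values and the idmap range are the ones the poster gave.

```python
"""Cross-check winbind identity mapping from captured command output.

Added example, not from the samba list thread or from Samba. The
inputs are constructed from the original poster's quoted lines plus
assumed `getent group` / `wbinfo -g` output matching the reported symptom.
"""
import re

# Constructed: the relevant part of the poster's smb.conf.
SMB_CONF = """
[global]
 workgroup = TESTAD
 security = ads
 idmap config * : range = 16777216-33554431
 winbind use default domain = yes
"""

# Constructed: a local root entry plus the two `getent passwd` lines from the thread.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
b.simpson:*:16777235:16777219:Bart Simpson:/home/b.simpson:/bin/bash
j.giant:*:16777236:16777219:John Giant:/home/j.giant:/bin/bash
"""

# Constructed: `getent group` when only local groups resolve (the reported symptom).
GETENT_GROUP = """\
root:x:0:
users:x:100:
"""

# Constructed (assumed names): `wbinfo -g` with `winbind use default domain = yes`,
# so group names carry no DOMAIN\\ prefix.
WBINFO_G = """\
domain admins
domain users
"""


def parse_idmap_range(conf):
    """Return (low, high) from an 'idmap config * : range = LOW-HIGH' line."""
    m = re.search(r"idmap config \* *: *range *= *(\d+) *- *(\d+)", conf)
    if not m:
        raise ValueError("no idmap range configured for the default domain")
    return int(m.group(1)), int(m.group(2))


def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts with name, uid and primary gid."""
    users = []
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            users.append({"name": f[0], "uid": int(f[2]), "gid": int(f[3])})
    return users


def parse_group(text):
    """Parse group(5)-style lines into {gid: name}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            groups[int(f[2])] = f[0]
    return groups


def diagnose(conf, passwd_out, group_out, wbinfo_g_out):
    """Return human-readable findings; an empty list means user and group
    resolution through winbind are consistent with each other."""
    lo, hi = parse_idmap_range(conf)
    groups_by_gid = parse_group(group_out)
    resolvable_names = set(groups_by_gid.values())
    wb_groups = {l.strip() for l in wbinfo_g_out.splitlines() if l.strip()}
    findings = []
    for u in parse_passwd(passwd_out):
        if not lo <= u["uid"] <= hi:
            continue  # local account, not mapped by winbind
        if not lo <= u["gid"] <= hi:
            findings.append(f"{u['name']}: primary gid {u['gid']} is outside the idmap range")
        elif u["gid"] not in groups_by_gid:
            findings.append(f"{u['name']}: primary gid {u['gid']} is in the winbind range "
                            "but getent group cannot resolve it")
    missing = sorted(wb_groups - resolvable_names)
    if missing:
        findings.append("groups listed by wbinfo -g but absent from getent group: "
                        + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SMB_CONF, GETENT_PASSWD, GETENT_GROUP, WBINFO_G):
        print(finding)
```

On the constructed input the script reports that both domain users carry a primary gid inside the winbind range that the group database cannot resolve, and that `domain users` is visible to winbindd but not through NSS. That combination says the domain join and winbindd itself are working (passwd lookups succeed) and narrows the problem to the group side of the NSS path, which is the part worth checking before touching Kerberos or the share's permissions.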