James Mills | 1 Dec 2010 02:02

NT_STATUS_PASSWORD_MUST_CHANGE looping

Hi,

We have an Ubuntu 10.10 server running Samba 3.5.4 with OpenLDAP 2.4.23
and we have a small problem where every time a user logs onto a workstation
they are asked to change their password. Once they enter a new password
and confirm it, it asks them again and again and again.

The only way to fix this (which isn't a fix) is to use the smbldap-passwd
tool to reset their password. But then it happens again the next day.

Here is a sample LDAP entry for my user:

32 uid=JMills,ou=Users,dc=neubau,dc=com,dc=au
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: James Mills
sn: Mills
givenName: James
uid: JMills
uidNumber: 1066
gidNumber: 513
homeDirectory: /export/data/home/JMills
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0

d | 1 Dec 2010 06:21

Windows 7 problem accessing domain member samba server on different subnet

Hi All,

I have a problem accessing Samba 3.0.33 on some CentOS 5 machines on a
different subnet from a Windows 7 computer.

All servers and computers are joined to a Windows 2003 AD domain.

I have identical samba machines on two subnets (CentOS/samba 3.0.33).
The samba machines on the same subnet as my Win 7 computer are
accessible both by the netbios name and ip address.

The samba machines on another subnet are only accessible by IP
address. If I attempt to access these samba servers using their
netbios name, I get prompted for a password.

This configuration has worked for some time, and all CentOS/samba
machines are accessible by Windows XP and 2003 using the netbios name.

I believe Windows 2008 servers have the same issues as Windows 7.
Access can only be made by IP address and not netbios name.

Is this a known issue, or something specific to my environment? I have
been googling this for some time and I cannot find any issue identical
to this.

Some additional info:

security = domain
client use spnego = no
encrypt passwords = yes

Ken D'Ambrosio | 1 Dec 2010 09:01

ACLs, NT_STATUS_ACCESS_DENIED, etc.

Hey, all.  I've got some irksome issues, and would love it if someone
could show me where I'm going wrong.

First and foremost, I can access the folders, create new ones, etc.  But
copying stuff from an existing Windows share (with ACLs), not so much. 
Likewise when I try to assign permissions.  I wind up with stuff like

[2010/12/01 02:56:34,  0] libsmb/ntlmssp_sign.c:208(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2010/12/01 02:56:34,  0] rpc_server/srv_pipe_hnd.c:395(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/12/01 02:56:34,  0] rpc_server/srv_pipe_hnd.c:396(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.

Googling this stuff has been to pretty much no avail.  I'm running Ubuntu
10.04's Samba, v. 3.4.7~dfsg-1ubuntu3.2.  (I did try upgrading to 10.10's
Samba -- same problems, different errors.  Downgraded.)

Here's my smb.conf (I apologize for its messiness; t-shooting does that):

[global]
	workgroup = SEGWAY
	realm = SEGWAY.LOCAL
	netbios name = bed_fs1
	server string = %h server (Samba %v, Ubuntu)
	security = ADS
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	domain master = No

Georg Weickelt | 1 Dec 2010 10:25

oplocks failed if user is not the owner of the file?

Maybe, my last question was too short, but I would like to clear this:

Some users are faster than other users, I think because of caching the files on the client.

I have some identical windows 7 clients. All connected to Samba 3.5.6-4.1-2450-SUSE-SL11.2-x86_64
Samba is acting as a domain-master.
This is a part of smb.conf:

[global]
 workgroup = Firma
 map to guest = Bad User
 passdb backend = tdbsam:/etc/samba/passdb.tdb
 time server = Yes
 socket options = TCP_NODELAY  IPTOS_LOWDELAY
 printcap name = cups
 add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
 logon script = netlogon.cmd
 logon path = \\%L\profiles\.msprofile
 logon drive = h:
 logon home = \\%L\%U\.9xprofile
 domain logons = Yes
 os level = 65
 preferred master = Yes
 domain master = Yes
 wins support = Yes
 ldap ssl = no
 cups options = raw

[public]
 comment = Datenverzeichnis

Bruno MACADRE | 1 Dec 2010 10:38

Permissions problem

Hello all,

	I've got an old server running SAMBA 3.3.0. I've some shares on it. All 
shares look like this :

[partinfo]
	path=/shares/partinfo
	valid users = +info
	force user = %U
	force group = info
	read only = No
	create mask = 0660
	directory mask = 0770

All works perfectly : When I create a file on this share other users in 
the info group can modify it but nobody can delete it (exactly what I want).

But, it's time to change our server and to put a newer version of SAMBA 
(3.5.6). On the new server, the behaviour is totally different (with the 
same smb.conf file) : When I create a new file, other users in the group 
info can modify it AND delete it (exactly what I don't want) !!!

Worse ! When I put in this share (locally in root) a file like this :
# echo "Test" >/shares/partinfo/testfile
# chown root.root /shares/partinfo/testfile
# chmod 600 /shares/partinfo/testfile

When I return to my share (like above) with my user (not admin user) I 
can delete the file 'testfile' without any problem !!!


Volker Lendecke | 1 Dec 2010 11:19

Re: Files in samba share cannot be deleted after copying failed.

On Tue, Nov 30, 2010 at 11:01:13AM +0100, Volker Lendecke wrote:
> Sure, that would be a possible reason. But something looks
> not right in your setup. After a failover, locking.tdb
> should be empty. When smbd is started on node2 after the
> failover is done, it will open the locking.tdb file with
> CLEAR_IF_FIRST. This means, all entries which are by
> definition empty are wiped out. Alternatively, if you are
> running ctdb, then smbd should have either been able to send
> the kill message to the other node, or the code should have
> discovered that process 12924 is not around anymore and it
> should have removed the conflicting entry from the
> locking.tdb entry.

Can you give a few more details about your setup? Do you
have ctdb running? Do you have "clustering=yes" set in your
smb.conf?

Thanks,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

Rafa Toucedo | 1 Dec 2010 12:23

kerberos@samba4 DC

Hello, when I try to put my SAMBA4 as DC from a domain controller in windows
2000

/usr/local/samba # bin/samba-tool join (WINDOWS 2000 DOMAIN). DC
-U(USER)@(WINDOWS 2000 DOMAIN)%(PASSWORD) --realm=(WINDOWS 2000 DOMAIN). -d5

throws me the following error:

Failed to get CCACHE for GSSAPI client: KDC has no support for encryption
type
Aquiring initiator credentials failed: kinit for ADMCONST@DOMD4086 failed
(KDC has no support for encryption type: KDC has no support for encryption
type)
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_UNSUCCESSFUL

My krb5.conf is as follows:

[libdefaults]
        default_realm = (WINDOWS 2000 DOMAIN)
        dns_lookup_realm = true
        dns_lookup_kdc = true
        clockskew = 300
        default_keytab_name  = FILE:/home/pilote/rafa.keytab
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

[realms]
(WINDOWS 2000 DOMAIN) = {
        kdc = (HOSTNAME).(WINDOWS 2000 DOMAIN):88
}

George Mamalakis | 1 Dec 2010 12:14

Re: Permissions problem

On 01/12/2010 11:38, Bruno MACADRE wrote:
> Hello all,
>
>     I've got an old server running SAMBA 3.3.0. I've some shares on 
> it. All shares look like this :
>
> [partinfo]
>     path=/shares/partinfo
>     valid users = +info
>     force user = %U
>     force group = info
>     read only = No
>     create mask = 0660
>     directory mask = 0770
>
> All works perfectly : When I create a file on this share other users 
> in the info group can modify it but nobody can delete it (exactly what 
> I want).
>
> But, it's time to change our server and to put a newer version of 
> SAMBA (3.5.6). On the new server, the behaviour is totally different 
> (with the same smb.conf file) : When I create a new file, other users 
> in the group info can modify it AND delete it (exactly what I don't 
> want) !!!
>
> Worse ! When I put in this share (locally in root) a file like this :
> # echo "Test" >/shares/partinfo/testfile
> # chown root.root /shares/partinfo/testfile
> # chmod 600 /shares/partinfo/testfile
>

George Mamalakis | 1 Dec 2010 12:10

Domain-name appended into username when "selecting users or groups"

Dear all,

I am facing a peculiar situation:
on my smb.conf  log level = 5, and on my windows machine I log on as a 
local administrator to add remote desktop users that are in fact domain 
users.
When my workgroup = SOMETHING, everything works fine. When I change my 
workgroup to: workgroup = example.com, and try to add a new remote 
desktop user, and set as an object name example.com\user and try to 
"check name", after I give the username and password I get the following 
error:

The following error occurred while using the user name 
(user@EXAMPLE.COM). and password you entered:
Logon failure: unknown user name or bad password.

Which is true, since on the samba server, on my machine log I get:
# grep -i user machine

  Got user=[user@EXAMPLE.COM] domain=[] workstation=[MACHINE] len1=24 
len2=24
   Mapping user []\[user@EXAMPLE.COM] from workstation [MACHINE]
   Mapped domain from [] to [EXAMPLE.COM] for user [user@EXAMPLE.COM] 
from workstation [MACHINE]
   attempting to make a user_info for user@EXAMPLE.COM (user@EXAMPLE.COM)
   making strings for user@EXAMPLE.COM's user_info struct
   making blobs for user@EXAMPLE.COM's user_info struct
   check_ntlm_password:  Checking password for unmapped user 
[]\[user@EXAMPLE.COM]@[MACHINE] with the new password interface
   check_ntlm_password:  mapped user is: 

Hoover, Tony | 1 Dec 2010 15:31

Re: Windows 7 problem accessing domain member samba server on different subnet

We recently ran into a similar issue.  If you have any microsoft "Live"
components installed on your 7 box, samba servers must be contacted by
numeric IP address rather than netbios (or even IP mnemonic) name.

http://www.sevenforums.com/network-sharing/8303-cant-connect-samba-share-via-name-ip-works.html

----------------------------------------------
Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660

"Don't Blend in..."
----------------------------------------------

-----Original Message-----
From: samba-bounces@lists.samba.org [mailto:samba-bounces@lists.samba.org]
On Behalf Of d
Sent: Tuesday, November 30, 2010 11:22 PM
To: samba@lists.samba.org
Subject: [Samba] Windows 7 problem accessing domain member samba server on
different subnet

Hi All,

I have a problem accessing Samba 3.0.33 on some CentOS 5 machines on a
different subnet from a Windows 7 computer.

All servers and computers are joined to a Windows 2003 AD domain.
