[Samba] Security = ADS and 3.0.23 Upgrade

Dale Schroeder dale at BriannasSaladDressing.com
Wed Jul 19 16:36:06 GMT 2006


Gerald (Jerry) Carter wrote:
> Dale Schroeder wrote:
>   
>> Since upgrading to 3.0.23 I have encountered several problems. (latest
>> Debian Sarge with deb's from samba.org and security = ADS).  All was
>> working flawlessly before.
>>
>> *1.* getent passwd no longer lists machine accounts.
>>     
>
> Only machines?  Or no domain users at all?  Please read
> the release notes.  'winbind enum users' was disabled by
> default in 3.0.23.
>   

    Domain users are listed, machines are not.
    /winbind enum users = Yes/ is and has been set, as has /winbind enum 
groups = Yes/.
>   
>> *2.* On the Win2K pdc, the samba system's "DNS name" 
>> on the general tab is now listed as localhost.localdomain,
>> and the operating system is still listed as Samba 3.0.22.
>> (In the DNS mmc, the DNS records are correct.)
>>     
>
> Did you rejoin the domain?  If so, looks like you have
> a broken /etc/hosts file in the Samba box.  Fix your hostname.
>
> We don't set the Operating system attribute any more.
> Just delete that.
>   
    I did not rejoin the domain.  I checked, and both hosts and hostname 
files are correct.  I now understand that this is the current default 
behavior.
>   
>> *3.* Old shares are accessible, newly created ones are not.
>>     
>
> Not enough detail here.
>   

    Sorry for the lack of clarity and detail.

    A share with /valid users =  DOMAIN+%S/ works as before.
    A new share with /valid users = @"DOMAIN+Domain Users", DOMAIN+dale/ 
fails where it previously worked.  A username/password dialog opens and 
refuses all credentials.  This particular "valid user" directive worked 
seamlessly in 3.0.22.
net groupmap list only retrieves the two BUILTIN groups (administrator 
and user), so it appears that it no longer finds all the Windows domain 
groups.  The release notes said default group mapping changes affected 
only tdbsam and smbpasswd backends.  Is this correct?  If so, perhaps I 
do need to rejoin the domain.

Thank you for the reply,
Dale



