[Samba] Security = ADS and 3.0.23 Upgrade

Gerald (Jerry) Carter jerry at samba.org
Wed Jul 19 18:17:12 GMT 2006



>>> *1.* getent passwd no longer lists machine accounts.
>> Only machines?  Or no domain users at all?  Please read
>> the release notes.  'winbind enum users' was disabled by
>> default in 3.0.23.
> Domain users are listed, machines are not. 
> 'winbind enum users = Yes' is and has been set, 
> as has 'winbind enum groups = Yes'.

Hmm....That makes no sense to me.  Maybe we filtered
them from the getpwent() output.  As long as a 'getent passwd
<machine>' works you should be fine.  For example,

# getent passwd color\\suse10$

>>> *2.* On the Win2K pdc, the samba system's "DNS name" on the general
>>> tab is now listed as localhost.localdomain,
>>> and the operating system is still listed as Samba 3.0.22.
>>> (In the DNS mmc, the DNS records are correct.)
>> Did you rejoin the domain?  If so, looks like you have
>> a broken  /etc/hosts file in the Samba box.  Fix your hostname.
>> We don't set the Operating system attribute any more.
>> Just delete that.
> I did not rejoin the domain.  I checked, and both hosts 
> and hostname files are correct.  I now understand that this
> is the current default behavior.

Do you mean the dNSHostName attribute on the machine's
account is localhost.localdomain?  Could you send me a screen
shot of exactly what you are referring to?  Thanks.

>>> *3.* Old shares are accessible, newly created ones are not.
> Sorry for the lack of clarity and detail.
> A share with 'valid users =  DOMAIN+%S' works as before.
> A new share with 'valid users = @"DOMAIN+Domain Users", 
> DOMAIN+dale' fails where it previously worked.
> A username/password dialog opens and refuses all
> credentials.  This particular "valid user" directive
> worked seamlessly in 3.0.22.

There have been some issues with 'valid users' in 3.0.23.
Your description doesn't appear to match the bug reports,
but you might want to test the SAMBA_3_0_23 svn branch
to make sure that you aren't just hitting a bug here.

> net groupmap list only retrieves the two BUILTIN
> groups (administrator and user), so it appears that
> it no longer finds all the Windows domain groups.
> The release notes said default group mapping changes
> affected only tdbsam and smbpasswd backends.  Is
> this correct?  If so, perhaps I do need to rejoin
> the domain.

This is correct behavior.  net groupmap lists local
mappings and has nothing to do with domain groups
managed by Winbind.

cheers, jerry
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian

