Search Results

Search found 21360 results on 855 pages for 'domain controller'.

Page 239/855 | < Previous Page | 235 236 237 238 239 240 241 242 243 244 245 246  | Next Page >

• Exim4: Deny outgoing emails with specific destination domains to being sent to the smarthost

  - by Yoann P

  I try to deny outgoing emails with specific destination domains to being sent to the smarthost but unsuccessfully. I'm on a debian "squeeze" configured to use a smarthost. vi /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt Add right after "acl_check_rcpt:" deny message = Domain $domain is prohibited for outgoing mails domains = lsearch;/etc/exim4/restricted_domains Reload exim, but the mails to the restricted domains continue to go out I also tried to add the acl_not_smtp after reading this post but without success either. vi /etc/exim4/conf.d/main/02_exim4-config_options Add "acl_not_smtp = acl_check_not_smtp" vi /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt And add at the top of the file acl_check_not_smtp: deny message = Domain $domain is prohibited for outgoing mails domains = lsearch;/etc/exim4/restricted_domains Can anybody point me what i'm doing wrong please? Thanks, Best regards,

  Read the article

• How can I enable anonymous access to a Samba share under ADS security mode?

  - by hemp

  I'm trying to enable anonymous access to a single service in my Samba config. Authorized user access is working perfectly, but when I attempt a no-password connection, I get this message: Anonymous login successful Domain=[...] OS=[Unix] Server=[Samba 3.3.8-0.51.el5] tree connect failed: NT_STATUS_LOGON_FAILURE The message log shows this error: ... smbd[21262]: [2010/05/24 21:26:39, 0] smbd/service.c:make_connection_snum(1004) ... smbd[21262]: Can't become connected user! The smb.conf is configured thusly: [global] security = ads obey pam restrictions = Yes winbind enum users = Yes winbind enum groups = Yes winbind use default domain = true valid users = "@domain admins", "@domain users" guest account = nobody map to guest = Bad User [evilshare] path = /evil/share guest ok = yes read only = No browseable = No Given that I have 'map to guest = Bad User' and 'guest ok' specified, I don't understand why it is trying to "become connected user". Should it not be trying to "become guest user"?

  Read the article

• ssl port didnt work on nginx

  - by Jin Lin

  I set up the unicorn and nginx on one of my ec2 machine. and my request are loading ok with nginx listen to port 80. but when I enable it to ssl, which listen to port 443. It doesn't work. and it can still work with port 80, https. server { listen 443 ssl; # replace with your domain name server_name domain.com; # replace this with your static Sinatra app files, root + public root /home/ubuntu/domain/public; ssl on; ssl_certificate /etc/ssl/domain.crt; ssl_certificate_key /etc/ssl/domain.key; # maximum accepted body size of client request client_max_body_size 4G; # the server will close connections after this time keepalive_timeout 5; location ~ ^/assets/ { add_header ETag ""; gzip_static on; expires max; add_header Cache-Control public; } location / { proxy_set_header X-Forwarded-Proto https; try_files $uri @app; } location @app { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_redirect off; # pass to the upstream unicorn server mentioned above proxy_pass http://unicorn_server; } }

  Read the article

• How to create a password-less service account in AD?

  - by Andrew White

  Is it possible to create domain accounts that can only be accessed via a domain administrator or similar access? The goal is to create domain users that have certain network access based on their task but these users are only meant for automated jobs. As such, they don't need passwords and a domain admin can always do a run-as to drop down to the correct user to run the job. No password means no chance of someone guessing it or it being written down or lost. This may belong on SuperUser ServerFault but I am going to try here first since it's on the fuzzy border to me. I am also open to constructive alternatives.

  Read the article

• While Mail Forwarding with exim, how do I rewrite the To header with true destination address

  - by Jom

  I have mail forwarding setup with exim using a domain forwarding file. virtual_aliases_nostar: driver = redirect allow_defer allow_fail data = ${if exists{/etc/valiases/$domain}{${lookup{$local_part@$domain}lsearch{/etc/valiases/$domain}}}} file_transport = address_file group = mail pipe_transport = virtual_address_pipe retry_use_local_part domains = lsearch;/etc/localdomains unseen It is working fine. However, I would like to rewrite the "to" header. In my system filter, I would like to put something like: headers remove to headers add "To: $recipient:" I've tried: headers remove to headers add "To: $recipient:" headers remove to headers add "To: $h_env-to:" headers remove to headers add "To: $env-to:" The intent is to have the end recipient see their own email address in the To: line of their mail client. I can't seem to figure out what the correct header is for the final destination of the email so that I can put it in the to header. I've read through the Exim docs and can't seem to find it. I've also looked in the headers in an email at a mail client and can't see it there either. Any suggestions would be appreciated.

  Read the article

• Anonymous access to SMB share hosted on Server 2008 R2 Enterprise

  - by bwerks

  Hi all, First off, I have read through this post and a whole slew of non-SF posts which seem to address the same or a similar problem, however I was still unable to fix my problem. I've got three machines in this situation: a domain-joined server that runs Server 2008 R2 Enterprise ("share server") a domain-joined workstation running XP Pro SP3 ("test server") a domain-unjoined test server running Server 2003 R2 SP2 ("workstation") The share server is exposing a share on the network that the test server must access--it's a Source/Symbol Server share for our debugging purposes. I believe visual studio simply accesses the the share with its own credentials in this case, meaning that the share must be accessible anonymously since the test server isn't joined to the domain and there's no opportunity to supply domain authentication. I've attempted a lot of things to avoid the authentication window when accessing the share: I've enabled the Guest account on the share server and given Guest full sharing/NTFS permissions for the share. I've given ANONYMOUS LOGON full sharing/NTFS permissions for the share. I've added my share to “Network Access: Shares that can be accessed anonymously” in LSP. I've disabled “Network access: Restrict anonymous access to Named Pipes and Shares” in LSP. I've enabled “Network access: Let Everyone permissions apply to anonymous users” in LSP. Added ANONYMOUS LOGON to “Access this computer from the network” in LSP. Added the Guest account to “Access this computer from the network” in LSP. Attempted to provision the share using the Share and Storage Management MMC snap-in. Unfortunately when I attempt to access the share from the test server, I still see the prompt and I'm forced to enter "Guest" manually. I also tried this workflow using the local administrator account on a workstation, and the same thing happens both with and without XP Simple File Sharing enabled. Any idea why I'm getting these results, or what I should have done differently?

  Read the article

• Sudoers file allow sudo on specific file for active directory group

  - by tubaguy50035

  I have active directory sign in working on an Ubuntu 12.04 box. When the user signs in, I have a script that runs that needs sudo permission (since it modifies the samba config file). How would I specify this in my sudoer's file? I've tried: %DOMAIN\\AD+Programmers ALL=NOPASSWD: /usr/local/bin/createSambaShare.php I've found various resources on the internet stating that this is how it would be done, but I'm not sure that I have the first part right. What are they using as the DOMAIN? The workgroup or the realm? I use Samba + winbind for active directory integration. Here's my smb.conf: [global] security = ads netbios name = hostname realm = COMPANYNAME.COM password server = passwordserver workgroup = COMPANYNAME idmap uid = 1000-10000 idmap gid = 1000-10000 winbind separator = + winbind enum users = no winbind enum groups = no winbind use default domain = yes template homedir = /home/%D/%U template shell = /bin/bash client use spnego = yes domain master = no EDIT: The users that should have access to run that script are all part of the Programmers group which has an Active Directory Domain Services Folder of Company.com/Staff/Security Groups (not sure if that matters or not).

  Read the article

• DNS Aliases of multiple domains in win2k8

  - by dbekiaris

  Hello, I have set up a AD integrated server deploying also the role of DNS server. What I want is to put an alias for a specific host of my domain, putting an alias (CNAME) different from the domain name (for example, if the domain is www.mydomain1.com, the alias should be www.domain2.com). Is this possible in Windows Server 2008 and how? Thank you very much in advance. Kind Regards

  Read the article

• Configuring two DNS zones with named.conf

  - by tike

  I am trying to configure DNS to run two domain names. I am able to do one domain but am not sure how to configure a second domain. So for example: test.com and test1.com on same machine. How do i configure zone file and named.conf to achieve this?

  Read the article

• Can Windows logoff events be tracked?

  - by Massimo

  I'm working on an application to track network user logon/logoff events in an Active Directory domain; the application will work by auditing security logs on domain controllers. Auditing logon events can get somewhat tricky, but it can succesfully be done. My problem: how can I track logoff events? Based on some research I've done, it looks like these events are only logged locally on workstations, but not on DCs; also, the "lastLogoff" attribute exists on AD user objects, but it's not actually used by anyone. This is a very specific question: is something logged on DCs when a user logs off from a domain workstation? To clarify: I'm not intereseted in other auditing mehods, I can't deploy logon/logoff scripts and I can't install anything anywhere; I also know opened and closed network sessions are logged, but this is not what I'm looking for. I need to audit interactive logons and logoffs to domain workstations, and I can do this by only reading domain controllers security logs; reading each workstation's local event logs is out of question. If this can't be done, it's ok; but I need a clear answer on that. Can this be done? If yes, how?

  Read the article

• Mod_jk Tomcat VirtualHost

  - by user37143

  Hi, I have two applications in Tomcat app1 and app2. I have mod_jk configured for Apache front end and I am able to get the Tomcat index.jsp Now I created two virtualhosts for app1 and app2 so that app1.domain.com will point to app1 in tomcat and app2.domain.com will point to app2 in Tomcat but it's not working. I have the Vhost as ServerName www.app1.domain.com ServerAlias app1.domain.com DocumentRoot "/opt/tomcat/webapps/app1" DirectoryIndex index.jsp Options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all The following section added for Jk JkMount /.do ajp13 JkMount /.jsp ajp13 JkMount / ajp13 JkMount /* ajp13 JkUnMount /.php ajp13 JkUnMount /.gif ajp13 JkUnMount /.html ajp13 JkUnMount /.css ajp13 JkUnMount /.png ajp13 JkUnMount /.jpg ajp13 # But this did not work both the sub domains loads Tomcat's index.jsp. Can some one help me? Thanks

  Read the article

• Apache Reverse proxy Http to https

  - by Coppes

  I have a website which is fully running on Https. For some reason i did get the task to find a way to convert a url for example: http://www.domain.com/a/e-nc/youless to a https version of it, without losing HTTP POST header such as the POST values which are in it. So i thought (not even sure) let's try to make a reversed proxy in apache and see how that works. Anyway after a lot of struggling i came to the point to ask it here. So to be speicific my goal is: Convert the http://www.domain.com/a/e-nc/youless to https://www.domain.com/a/e-nc/youless without losing the POST conditions. What i have tried until now is the following: Created a file called: proxiedhosts in my apache2/sites-enabled folder with the following contents: SSLProxyEngine On SSLProxyCACertificateFile /etc/apache2/ssl/certificate****.pem ProxyRequests Off ProxyPreserveHost On <Proxy *> Order allow,deny Allow from all </Proxy> ProxyPass /a/e-nc/youless/ https://www.domain.com/a/e-nc/youless/ ProxyPassReverse /a/e-nc/youless/ https://www.domain.com/a/e-nc/youless/ Thanks in advance!

  Read the article

• Centos/Postfix able to send mail but not receive it

  - by Dan Hastings

  I have set up postfix and used the mail command to test and an email was successfully sent and delivered. The email arrived in my yahoo inbox BUT the sender also recieved an email in the Maildir directory saying "I'm sorry to have to inform you that your message could not be delivered to one or more recipients", even though the message was delivered. I tried replying from yahoo to the email but it never arrived. I have 1 MX record added to godaddy which i did last week. Priority0 Host @ Points to mail.domain.com TTL1 Hour Postfix main.cf has the following added to it myhostname = mail.domain.com mydomain = domain.com myorigin = $mydomain inet_interfaces = all mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mynetworks = 192.168.0.0/24, 127.0.0.0/8 relay_domains = home_mailbox = Maildir/ I checked var/logs/maillog and found the following errors occuring postfix/anvil[18714]: statistics: max connection rate 1/60s for (smtp:unknown) at Jun 3 09:30:15 postfix/anvil[18714]: statistics: max connection count 1 for (smtp:unknown) at Jun 3 09:30:15 postfix/anvil[18714]: statistics: max cache size 1 at Jun 3 09:30:15 postfix/smtpd[18772]: connect from unknown[unknown] postfix/smtpd[18772]: lost connection after CONNECT from unknown[unknown] postfix/smtpd[18772]: disconnect from unknown[unknown] output of postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 home_mailbox = Maildir/ html_directory = no inet_interfaces = all inet_protocols = all mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mydomain = domain.com myhostname = mail.domain.com mynetworks = 168.100.189.0/28, 127.0.0.0/8 myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES relay_domains = sample_directory = /usr/share/doc/postfix-2.6.6/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop unknown_local_recipient_reject_code = 550

  Read the article

• Diagnosing Logon Audit Failure event log entries

  - by Scott Mitchell

  I help a client manage a website that is run on a dedicated web server at a hosting company. Recently, we noticed that over the last two weeks there have been tens of thousands of Audit Failure entries in the Security Event Log with Task Category of Logon - these have been coming in about every two seconds, but interesting stopped altogether as of two days ago. In general, the event description looks like the following: An account failed to log on. Subject: Security ID: SYSTEM Account Name: ...The Hosting Account... Account Domain: ...The Domain... Logon ID: 0x3e7 Logon Type: 10 Account For Which Logon Failed: Security ID: NULL SID Account Name: david Account Domain: ...The Domain... Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x154c Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: ...The Domain... Source Network Address: 173.231.24.18 Source Port: 1605 The value in the Account Name field differs. Above you see "david" but there are ones with "john", "console", "sys", and even ones like "support83423" and whatnot. The Logon Type field indicates that the logon attempt was a remote interactive attempt via Terminal Services or Remote Desktop. My presumption is that these are some brute force attacks attempting to guess username/password combinations in order to log into our dedicated server. Are these presumptions correct? Are these types of attacks pretty common? Is there a way to help stop these types of attacks? We need to be able to access the desktop via Remote Desktop so simply turning off that service is not feasible. Thanks

  Read the article

• Accessing C$ over LAN on Win2008R2 - cannot by hostname but can by IP and FQDN

  - by Idgoo

  Having an issue with one of our Win2k8 R2 file servers. Trying to access C$ or the Admin share is giving us an error (see error details that the bottom), however we are able to connect using the server's IP and FQDN. can access \\172.16.x.x\c$ with domain cred can access \\server.domain.local\c$ with domain creds cannot access \\servername\c$ with same domain creds Server pings fine with Hostname, IP, FQDN, the Primary DNS suffix is also correct. DNS, PTR and Wins records are all correct for the Server I have checked that I am not trying to connect with cached credentials in the Windows vault, the server is also appending primary and connection specific DNS suffixes to the hostname. Any ideas what might be causing this issue? Error Details: c$ is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions

  Read the article

• Email hosting on home's Windows server 2003

  - by klay

  Hi guys, I am new to Server management, I have a static Ip address and I bought recently a domain name, I configure the domain name to target my Ip address. I am running windows server 2003 standard. what are the steps to host my email adresses? Do I need to buy anything else, or what I have is enough (static ip address, domain name, win server 2003, exchange server 2003) ?? thanks Guys

  Read the article

• Using Virtual Domains with WordPress and Cherokee Web Server

  - by ikevinjp

  I'm trying to configure WordPress to work with Cherokee Web Server. The multi-site set up in WordPress is yyy.com and uses 'sub-domains'. Thus, I have sites like aaa.yyy.com, bbb.yyy.com - they all work fine so far. However, I have another completely different domain: abcde.com. Within WordPress, the sub-domain set up is abcde.yyy.com. When a public user accesses abcde.com, it cannot properly be redirected to the WordPress sub-domain abcde.yyy.com. How do I set up Cherokee to properly redirect virtual domains to WordPress? That means, the domain facing public would be abcde.com but WordPress would want to see abcde.yyy.com to properly return the correct content for the specific site. (I tried and it always get redirected to something like this: "http://yyy.com/wp-signup.php?new=abcde.com")

  Read the article

• Vacation sends autoreply message to the recipient as well

  - by elitalon

  Hi, I have configured my Postfix server with vacation for a domain. Sending a message to [email protected] causes two events: The message is delivered to the recipient ([email protected]) An auto-reply message is sent to the sender, alerting that [email protected] should be used instead. Everything works well except for one particular drawback: the auto-reply is also sent to the recipient, so it receives two messages in the end. What can I do to avoid that? I'm only using the $TO variable in the custom vacation.msg message. And here is Postfix's master.cf vacation line: autoreply unix - n n - - pipe flags=Rhu user=vacation argv=/usr/bin/vacation -j -m /home/vacation/.vacation.msg -f /home/vacation/.vacation.db vacation I know using the -j is a little bit risky according to man page, but I'm kind of testing here.

  Read the article

• Windows Server 2008 R2 DNS Server not working?

  - by wolfvilleian

  I have a server running Windows Server 2008 R2 hosting a DNS server, exchange 2010 and is a domain controller. One computer on the network (and domain) can ping the server 25% of the time, also when I try to ping it's own hostname it also does not work. However another computer that is on the domain can ping it fine, and another computer on the network but not domain can ping fine as well. The computer that cannot ping the server is setup to use the DNS server running on the server only (secondary dns points to nothing) and it will resolve the hostname of the server to the external IP not internal when the other two computers correctly resolve the internal All 3 computers and server are connected directly into the same switch. Does anyone have any ideas on how to fix this? Thanks

  Read the article

• Configure Postfix to use external MX servers for delivery of local mail if user is unknown

  - by mr.b

  I have a following setup: linux box with postfix configured to be responsible for example.com domain domain's MX servers are configured so that mail sent to example.com is sent to google mail servers several user accounts on linux machine exist (same machine also hosts example.com site) When someone from the outside attempts to send mail to address ending with @example.com, it gets routed to google mail (and there handled appropriately). When linux machine tries to send mail to outside world, mail is delivered correctly, as reverse dns and spf records are configured correctly, so linux machine is valid mail sender for example.com domain (along with google mail servers). However, here's the problem. When php application (hosted at linux box) tries to send mail to [email protected] (and someuser doesn't exist on linux box), it fails, since it doesn't even consult google mail servers, but postfix smtp locally concludes that "someuser" is unknown. So, the question is: how do I tell postfix to relay mails sent to @example.com domain to google mail servers (so, to servers specified in MX records), IF and only if a mailbox is not found locally.

  Read the article

• Media player only works as administrator?

  - by Jeremy

  It seems I can only get Media Player 12 to work as administrator. If I run it normally (I am in the administrator group on my local PC) and right click on Music, and choose Manage Music Library. Media Player will sit and think for 5 or so seconds, then just not do anying, no dialog, no error. If I run as administator I can now get into the Manage Music Library dialog and add my a public folder containing my music. I've even tried granting everyone access to the public folder. One thing to note is that I have recently set up a domain controller and added my PC to the domain. With my local account I never noticed this problem, but I've since created a domain account and am now seeing this issue. I can't find much difference between the local and domain accounts - both are in the administrator group. Why would WMP require run as administrator? OS, Windows 7 64bit

  Read the article

• Intel Rapid Storage Technology - Raid5 is very slow

  - by Cederstrom

  Hi, I build a computer with a raid5, using the motherboards raid controller (ASUS P7H57D-V EVO - intel Rapid Storage Technology). The read and write are however very slow, when using the raid controller :( - I am using Windows 2008 R2, and when using the windows software raid, it was ok in speed - so there must be an issue with the controller? Im using 6 disks on 2TB each. Do anyone have any idea why its so slow, and how to fix it? I rather not pick the easy solutiuon of "just buy a raid controller" :| If you need more info about my setup, please just ask. Thanks :)

  Read the article

• Correct use of SMTP "Sender" header?

  - by Eric Rath

  Our web application sends email messages to people when someone posts new content. Both sender and recipient have opted into receiving email messages from our application. When preparing such a message, we set the following SMTP headers: FROM: [email protected] TO: [email protected] SENDER: [email protected] We chose to use the author's email address in the FROM header in an attempt to provide the best experience for the recipient; when they see the message in their mail client, the author is clear. To avoid the appearance of spoofing, we added the SENDER header (with our own company email address) to make it clear that we sent the message on the author's behalf. After reading RFCs 822 and 2822, this seems to be an intended use of the sender header. Most receiving mail servers seem to handle this well; the email message is delivered normally (assuming the recipient mailbox exists, is not over quota, etc). However, when sending a message FROM an address in a domain TO an address in the same domain, some receiving domains reject the messages with a response like: 571 incorrect IP - psmtp (in reply to RCPT TO command) I think this means the receiving server only saw that the FROM header address was in its own domain, and that the message originated from a server it didn't consider authorized to send messages for that domain. In other words, the receiving server ignored the SENDER header. We have a workaround in place: the webapp keeps a list of such domains that seem to ignore the SENDER header, and when the FROM and TO headers are both in such a domain, it sets the FROM header to our own email address instead. But this list requires maintenance. Is there a better way to achieve the desired experience? We'd like to be a "good citizen" of the net, and all parties involved -- senders and recipients -- want to participate and receive these messages. One alternative is to always use our company email address in the FROM header, and prepend the author's name/address to the subject, but this seems a little clumsy.

  Read the article

• Calling Excel from PHP 5 through COM fails on Windows 7 when Apache started through Task Planner

  - by Stefan Pantke

  I currently write an application, which controls Excel through COM: The app creates a COM-based Excel instance, opens some XLS files and reads their contents. Scenario I On Windows 7, I start Apache and mySQL using xmapp-control with system administrator rights. All works as expected. The PHP-based controller script interacts with Excel as expected. Scenario II A problem appears, if I start Apache and mySQL as 'background jobs'. Here is how: I created two jobs using Windows 7 Task Planner. One runs apache_start.bat, the other runs mysql_start.bat. Both tasks run as SYSTEM with elevated privileges when Windows 7 boots. Apache and mySQL work as expected. Specifically, Apache serves HTTP request from clients and PHP is able to talk to mySQL. When I call the PHP controller, which calls and interacts with Excel using COM, I do receive an error. The error seems to come from Excel [not COM itself] and reads like this: Excel can't read the XLS-file Excel failed to save the file due to an ill-name worksheet Interestingly, during the first run of the PHP-based controller script, it takes a few seconds to render the error message. Each subsequent run immediately renders the error message. Windows system logs didn't show a single problem report entry. Note, that the PHP program and the Apache instance didn't change - except the way Apache was started. At least the PHP controller script is perfectly able to read the file-system, since it provides the pathes to the XLS-file through scandir() of a certain directory. Concurrency issues can't be the cause of the problem. A single instance of the specific PHP controller interacts with Excel. Question Could someone provide details, why this happens?

  Read the article

• Samba with Active Directory - shares are readonly, NT_STATUS_MEDIA_WRITE_PROTECTED

  - by froh42

  I've set a samba server that seems to work, all shares are seemingly exported as readonly, however. The machine is called "lx". When I'm on lx I can run the following command: froh@lx:~$ smbclient //lx/export -UAdministrator Enter Administrator's password: Domain=[CUSTOMER] OS=[Unix] Server=[Samba 3.5.4] smb: \> mkdir wrzlbrmpf NT_STATUS_MEDIA_WRITE_PROTECTED making remote directory \wrzlbrmpf smb: \> ls . D 0 Fri Dec 3 19:04:20 2010 .. D 0 Sun Nov 28 01:32:37 2010 zork D 0 Fri Dec 3 18:53:33 2010 bar D 0 Sun Nov 28 23:52:43 2010 ork 1 Fri Dec 3 18:53:02 2010 foo 1 Sun Nov 28 23:52:41 2010 gaga D 0 Fri Dec 3 19:04:20 2010 How can I troubleshoot this? What I did: First I set up a fresh install of Ubuntu 10.10 x64. Second I got kerberos working with the following krb5.conf file: [libdefaults] ticket_lifetime = 24000 clock_skew = 300 default_realm = CUSTOMER.LOCAL [realms] CUSTOMER.LOCAL = { kdc = SB4.customer.local:88 admin_server = SB4.customer.local:464 default_domain = CUSTOMER.LOCAL } [domain_realm] .customer.local = CUSTOMER.LOCAL customer.local = CUSTOMER.LOCAL #[login] # krb4_convert = true # krb4_get_tickets = false I also added winbind to group, passwd and shadow in nsswitch.conf. Seemingly Kerberos works: root@lx:~# net ads testjoin Join is OK root@lx:~# wbinfo -a 'Administrator%MYSECRETPASSWORD' plaintext password authentication succeeded challenge/response password authentication succeeded wbinfo -u and wbinfo -g also spit out a list of users and a list of groups respectiveley. I noted that domain accounts did NOT include a domain and they are in german (as on the SBS 2003 that is the domain server). So I get a "Domänenbenutzer" in wbinfo -u's output not a "CUSTOMER+Domain User" or something similar. I'm not sure anymore what I did to the PAM configuration, but here is what I currently have: root@lx:/etc/pam.d# cat samba @include common-auth @include common-account @include common-session-noninteractive root@lx:/etc/pam.d# grep -ve '^#' common-auth auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass auth requisite pam_deny.so auth required pam_permit.so root@lx:/etc/pam.d# grep -ve '^#' common-account account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so account requisite pam_deny.so account required pam_permit.so account required pam_krb5.so minimum_uid=1000 root@lx:/etc/pam.d# grep -ve '^#' common-session-noninteractive session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_krb5.so minimum_uid=1000 session required pam_unix.so session optional pam_winbind.so At some point I joined the linux box into the AD domain. After (manually) creating a home directory on the linux box I can log in using the Adminstrator user with the password taken from AD. Now I run samba with the following setup: [global] netbios name = LX realm = CUSTOMER.LOCAL workgroup = CUSTOMER security = ADS encrypt passwords = yes password server = 192.168.20.244 #IP des Domain Controllers os level = 0 socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = Yes winbind enum groups = Yes preferred master = no winbind separator = + dns proxy = no wins proxy = no # client NTLMv2 auth = Yes log level = 2 logfile = /var/log/samba/log.smbd.%U template homedir = /home/%U template shell = /bin/bash [export] path = /mnt/sdc1/export read only = No public = Yes Currently I don't care whether export is exported to everyone or just one user, I want to see somebody WRITING to that directory before I start fiddling with the authentication settings. (Who may access it). As mentioned, accessing the share from smbclient results in this NT_STATUS_MEDIA_WRITE_PROTECTED . Accessing it from windows shows ACLs that look correct (The user may write) - but it does not work, I can only read files not write. The directory to be exported looks like this: root@lx:/etc/pam.d# ls -ld /mnt/ drwxr-xr-x 5 root root 4096 2010-11-28 01:29 /mnt/ root@lx:/etc/pam.d# ls -ld /mnt/sdc1/ drwxr-xr-x 4 froh froh 4096 2010-11-28 01:32 /mnt/sdc1/ root@lx:/etc/pam.d# ls -ld /mnt/sdc1/export/ drwxrwxrwx+ 5 administrator domänen-admins 4096 2010-12-03 19:04 /mnt/sdc1/export/ root@lx:/etc/pam.d# getfacl /mnt/ getfacl: Entferne führende '/' von absoluten Pfadnamen # file: mnt/ # owner: root # group: root user::rwx group::r-x other::r-x root@lx:/etc/pam.d# getfacl /mnt/sdc1/ getfacl: Entferne führende '/' von absoluten Pfadnamen # file: mnt/sdc1/ # owner: froh # group: froh user::rwx group::r-x other::r-x root@lx:/etc/pam.d# getfacl /mnt/sdc1/export/ getfacl: Entferne führende '/' von absoluten Pfadnamen # file: mnt/sdc1/export/ # owner: administrator # group: domänen-admins user::rwx group::rwx group:domänen-admins:rwx mask::rwx other::rwx default:user::rwx default:group::rwx default:group:domänen-admins:rwx default:mask::rwx default:other::rwx My, oh my what am I overlooking? What am I to blind to see?

  Read the article

< Previous Page | 235 236 237 238 239 240 241 242 243 244 245 246  | Next Page >