[Samba] Re: Reg: net rpc rights grant command is not working on samba-3.0.10 (Samba forums, Networking and Network Related category)
Hi,

please direct general questions to the samba mailing list or (if it is a development / technical question) to the samba-technical mailing list.

You need to provide more information: your samba configuration, the precise output of the net command, a level 10 log of the net command...

You might also consider upgrading your samba version. 3.0.10 is ancient.

Cheers - Michael

Kumar Kalisamy wrote:
> Hi,
>
> I am not able to run "net rpc rights grant" because it says
> "rights" command not found error getting, pls can you help me to solve
> this problem and can you tell me reference e-books to prepare Samba.
>
> Advance thanks for your help.
>
> Regards,
>
> Kumar Kalisamy ( FAC-W IT OPS )

--
Michael Adam <ma@sernet.de> <obnox@samba.org>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

If you are running a distribution-supported release of samba 3.0.10 (Red Hat Enterprise Linux 3, perhaps?) you should consider staying with that version if it can still satisfy your needs. Currently samba 3 is undergoing some very rapid revision, and samba 4 is not ready yet. RHEL3's samba has been very stable and reliable in my enterprise, with uptimes measured in years.

If you need a feature from a later version of samba, obviously you'll have to upgrade. But you should be aware that current versions of samba seem to have lost some features you might take for granted in older versions (such as stacked backends and domain trusts with user-specified names, for example). I hope nobody will take this as a criticism; I appreciate and admire the work of the Samba Team.

--Charlie

On Tue, Jun 17, 2008 at 7:45 AM, Michael Adam <ma@sernet.de> wrote:
> Hi,
>
> please direct general questions to the samba mailing list
> or (if it is a development / technical question) to the
> samba-technical mailing list.
>
> You need to provide more information.
>
> your samba configuration, the precise output of the net command,
> a level 10 log of the net command...
>
> You might also consider upgrading your samba version.
> 3.0.10 is ancient.
>
> Cheers - Michael
>
> Kumar Kalisamy wrote:
>> Hi,
>>
>> I am not able to run "net rpc rights grant" because it says
>> "rights" command not found error getting, pls can you help me to solve
>> this problem and can you tell me reference e-books to prepare Samba.
>>
>> Advance thanks for your help.
>>
>> Regards,
>>
>> Kumar Kalisamy ( FAC-W IT OPS )

On Tue, Jun 17, 2008 at 06:03:13PM -0400, Charlie wrote:
> If you need a feature from a later version of samba, obviously you'll
> have to upgrade. But you should be aware that current versions of
> samba seem to have lost some features you might take for granted in
> older versions (such as stacked backends and domain trusts with
> user-specified names, for example).

Stacked backends -- you mean the passdb backends? Yes, they were taken away because they caused quite a bit of trouble. But "domain trusts with user-specified names" -- what is that? I know we have bugs in winbind with trusts, but they are bugs, not deliberately taken away features.

Volker

net rpc rights was introduced in 3.0.11.

Charlie wrote:
> If you are running a distribution-supported release of samba 3.0.10
> (Red Hat Enterprise Linux 3, perhaps?) you should consider staying
> with that version if it can still satisfy your needs. Currently samba
> 3 is undergoing some very rapid revision, and samba 4 is not ready
> yet. RHEL3's samba has been very stable and reliable in my
> enterprise, with uptimes measured in years.
>
> If you need a feature from a later version of samba, obviously you'll
> have to upgrade. But you should be aware that current versions of
> samba seem to have lost some features you might take for granted in
> older versions (such as stacked backends and domain trusts with
> user-specified names, for example). I hope nobody will take this as a
> criticism, I appreciate and admire the work of the Samba Team.
>
> --Charlie
>
> On Tue, Jun 17, 2008 at 7:45 AM, Michael Adam <ma@sernet.de> wrote:
>> Hi,
>>
>> please direct general questions to the samba mailing list
>> or (if it is a development / technical question) to the
>> samba-technical mailing list.
>>
>> You need to provide more information.
>>
>> your samba configuration, the precise output of the net command,
>> a level 10 log of the net command...
>>
>> You might also consider upgrading your samba version.
>> 3.0.10 is ancient.
>>
>> Cheers - Michael
>>
>> Kumar Kalisamy wrote:
>>> Hi,
>>>
>>> I am not able to run "net rpc rights grant" because it says
>>> "rights" command not found error getting, pls can you help me to solve
>>> this problem and can you tell me reference e-books to prepare Samba.
>>>
>>> Advance thanks for your help.
>>>
>>> Regards,
>>>
>>> Kumar Kalisamy ( FAC-W IT OPS )

--
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian

Apparently you used to be able to establish an interdomain trust with a user-specified name. Now the name has to match the name of the calling domain. This works OK for two domains sharing a single authentication backend, but blows up if you have three or more (I have four physical sites at this time, but we are still a-growing according to our CEO).

Pretend you have three sites named SITE1, SITE2, SITE3 and they all have a single authentication backend running syncrepl'd OpenLDAP. There are separate domains at each site named DOMAIN1, DOMAIN2, DOMAIN3 and each has its own samba PDC and WINS server. Each site has multiple ethernet segments. (This is a low cost, high performance, high reliability rig with excellent security and auditing capabilities, by the way.)

SITE1's PDC needs a domain trust account named "DOMAIN1" with a SID from DOMAIN2 to access resources in DOMAIN2. SITE1's PDC needs a domain trust account named "DOMAIN1" with a SID from DOMAIN3 to access resources in DOMAIN3. Net rpc trustdom doesn't allow you to use a domain trust name other than the name of the calling domain anymore. :(

This would not be a problem if samba could make the call to LDAP with a filter string of (&(uid=DOMAIN1)(sambaSID=S-1-5-21-xxxxxxxx-xxxxxxx*)), and since sambaSID now requires a substring index in LDAP anyway that would be a perfectly legal filter.

It would also not be a problem if samba could check the SID values whenever it gets multiple objects back from LDAP. It would then see that only one object with uid=DOMAIN1 had an appropriate SID and use that one, but the trust lookup just bombs out with an error message instead.

It would also not be a problem if samba honored the "ldap machine suffix" setting in smb.conf when looking up interdomain trusts - but, instead, it uses "ldap suffix", so you can't just segregate the container objects by domain and use appropriate settings in each site's smb.conf files. It would not be a problem if there were an "ldap domain trust suffix" setting in smb.conf either. I know some people are aesthetically offended by the ever-multiplying options available in smb.conf, but personally I don't mind since the defaults are generally very good.

And, of course, it would not be a problem if you could still use separate interdomain trust accounts named "DOMAIN1TRUST1" and "DOMAIN1TRUST2" et cetera. Looking at the data in LDAP and secrets.tdb, it appears that the restriction's in the software and not the data structures.

There is a way around the problem, but it's a hack, and people who don't feel comfortable with rewriting their authentication backend access controls in a large live network probably shouldn't do it.

If I have explained this poorly, I apologize - interpersonal communications skills are not my area of speciality.

--Charlie

On Tue, Jun 17, 2008 at 6:13 PM, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
> On Tue, Jun 17, 2008 at 06:03:13PM -0400, Charlie wrote:
>> If you need a feature from a later version of samba, obviously you'll
>> have to upgrade. But you should be aware that current versions of
>> samba seem to have lost some features you might take for granted in
>> older versions (such as stacked backends and domain trusts with
>> user-specified names, for example).
>
> Stacked backends -- you mean the passdb backends? Yes, they
> were taken away because they caused quite a bit of trouble.
> But "domain trusts with user-specified names" -- what is
> that? I know we have bugs in winbind with trusts, but they
> are bugs, not deliberately taken away features.
>
> Volker

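An added example (not code from this thread or from Samba) of the SID-scoped lookup Charlie proposes: it builds the uid-plus-sambaSID-prefix filter and shows, over constructed in-memory entries standing in for the LDAP search, that a uid-only lookup returns two "DOMAIN1" objects while the SID-prefix check narrows it to exactly one. The domain SIDs, DNs and entry layout are assumptions.

```python
import re

# Constructed sample entries modelled on the thread's scenario: DOMAIN1's PDC
# holds one trust account per remote domain, both named "DOMAIN1" but carrying
# a sambaSID from a different domain. The domain SIDs are made-up placeholders.
DOMAIN2_SID = "S-1-5-21-1000000001-2000000002-3000000003"
DOMAIN3_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ENTRIES = [
    {"dn": "uid=DOMAIN1,ou=Trusts,ou=DOMAIN2,dc=example", "uid": "DOMAIN1",
     "sambaSID": DOMAIN2_SID + "-1001"},
    {"dn": "uid=DOMAIN1,ou=Trusts,ou=DOMAIN3,dc=example", "uid": "DOMAIN1",
     "sambaSID": DOMAIN3_SID + "-1001"},
    {"dn": "uid=alice,ou=People,dc=example", "uid": "alice",
     "sambaSID": DOMAIN2_SID + "-2001"},
]
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")


def ldap_escape(value):
    """Escape an assertion value per RFC 4515 so a trust name cannot inject
    filter metacharacters ('*' becomes '\\2a', etc.)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def trust_filter(trust_name, domain_sid):
    """The filter Charlie proposes: uid AND a sambaSID prefix, so the lookup
    is scoped to the SID space of one remote domain."""
    if not DOMAIN_SID_RE.match(domain_sid):
        raise ValueError("not a domain SID: %r" % domain_sid)
    return "(&(uid=%s)(sambaSID=%s-*))" % (ldap_escape(trust_name), domain_sid)


def by_uid_only(entries, trust_name):
    """What a uid-only lookup returns: every object sharing the trust name
    (uid is caseIgnore in LDAP, hence the lower())."""
    return [e for e in entries if e["uid"].lower() == trust_name.lower()]


def find_trust_account(entries, trust_name, domain_sid):
    """Evaluate the uid+SID-prefix filter over in-memory entries (standing in
    for the LDAP search) and insist on exactly one hit."""
    trust_filter(trust_name, domain_sid)  # validates the SID format
    hits = [e for e in by_uid_only(entries, trust_name)
            if e["sambaSID"].startswith(domain_sid + "-")]
    if len(hits) > 1:
        raise LookupError("ambiguous trust account %s in %s" % (trust_name, domain_sid))
    return hits[0] if hits else None
```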
On Tue, Jun 17, 2008 at 07:14:28PM -0400, Charlie wrote:
> If I have explained this poorly, I apologize - interpersonal
> communications skills are not my area of speciality.

If I understood you correctly then you have users in LDAP that are to be authenticated in more than one domain. Assuming that is right then yes, this is not a supported configuration and never has been. It might have worked at some point, but we deliberately moved to a much more predictable SID-based model for almost everything internally. Along the way we very likely broke what you described.

The only way a central LDAP can work is using completely independent OUs per domain in a way that no objects from one domain are seen by another domain.

One thing that I could imagine though is to centralize ID mapping in this scenario: winbind from domain A could (read-only) look at the LDAP objects of domain B to get a unified uid space.

I know that it is hard or impossible to change your existing LDAP tree, but one account in multiple domains is just way too error-prone, fragile and confusing if not used VERY, VERY carefully.

Volker

On Wed, Jun 18, 2008 at 2:21 AM, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
>
> If I understood you correctly then you have users in LDAP
> that are to be authenticated in more than one domain.

Correct. This is a highly desirable configuration that offers tremendous competitive advantages to commercial enterprises and increased efficiency for non-profits such as hospitals and research foundations. I believe many organizations use samba in this way, because it makes MS-Windows desktops more powerful than a pure Microsoft server architecture does.

> Assuming that is right then yes, this is a not supported
> configuration and never has been. It might have worked at
> some point, but we deliberately moved to a much more
> predictable SID-based model for almost everything
> internally. On that way we very likely broke what you
> described.

The current model does not preclude this configuration, although the software makes it very hard to do. In my previous email I made some suggestions about how the code could be tweaked to support it. (Since I'm not contributing code at this time, I am certainly willing to pay for others to do so.)

> The only way a central LDAP can work is using completely
> independent OUs per domain in a way that no objects from one
> domain are seen by another domain.

Yes and No. Yes, machine trust accounts and idmaps have to be restricted from appearing in more than one domain. No, user accounts can still be published to all domains.

Samba PDCs (running v3.0.11 or greater) that are netlogon servers behave in ways I still don't fully understand. My end-users in the past simply logged on in whichever domain they happened to be visiting, and a user SID was composed with a consistent algorithmically generated RID attached to the local server SID.

Samba hosts that are not PDCs or netlogon servers still work great with multiple domains on a single authentication backend. We have been using this capability for more than a decade to great advantage. There are thousands of sites running RHEL3 that do the same thing - if you have an application host that runs samba, you can have thousands of users from different domains using it without incurring the high licensing and hardware costs of a MS-Windows server on the back end.

> One thing that I could imagine though is to centralize ID
> mapping in this scenario, winbind from domain A could
> (read-only) look at the LDAP objects of domain B to get a
> unified uid space.

Yes, that's essentially what we're doing. We have domain-specific container objects for trusts that are restricted by OpenLDAP ACLs, but we have a single ou=People object and a single ou=Group object. I can supply more configuration information if you wish, but this email is already very long!

> I know that it is hard or impossible to change your existing
> LDAP tree, but one account in multiple domains is just way
> too error-prone, fragile and confusing if not used VERY,
> VERY carefully.

I personally am comfortable with rewriting the entire LDAP tree if necessary - I did it three times when we converted from 3.0.10 to 3.0.25 and then to 3.0.28. I generally dump the database to LDIF and rewrite it with gnu awk, then reload it and sync it out to the replicas (we have dozens). If I am forced to do major modifications with systems running - something I try to avoid - I write a bash script incorporating ldapsearch and ldapmodify from the OpenLDAP toolset. I cannot recommend this to others, because it's too easy to destroy your enterprise infrastructure with a typographical error.

In a modern, directory based work environment, people are not limited to single desks, or even single countries or states. A person in England may be signing on to systems in Baluchistan tomorrow, and everything is expected to work seamlessly as though that person were still in England. A site is expected to continue functioning even if half the WAN links to that site break unexpectedly. We have achieved this with samba, linux, and Windows versions 3.11 through XP. It's getting harder to do, though, and the advantages of running linux are eroding as software like MS-Windows gets more complex and difficult to integrate with standards-based architectures.

>
> Volker

Thank you, Volker, for taking the time to discuss this with me!