[Samba] Problem with tdb files.
Hi All:

I have problems maintaining tdb files. In the Samba documentation, these files are classified into persistent and temporary. In the man page of smbd, these files are classified into persistent and not. However, there are some files that do not need to be backed up but need to be persistent (netsamlogon_cache.tdb), and some files that need to be backed up but do not need to be persistent (registry.tdb). There are also some .dat files mentioned in the Samba FAQ that need to be deleted in particular cases (changing the IP address).

How can I maintain these tdb/dat files? Which files need to be deleted when Samba restarts? Which files should be kept and backed up regularly? I believe some tdb files can't be kept because of size problems. I also noticed that joining a domain has problems if browse.dat and gencache.tdb keep wrong data.

Please give me some advice.

Thanks in advance,
Latrell.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] SSH and winbind authentication on Solaris 10
The answer is (weird) you cannot log in the first time from PUTTY. I brought my guinea pig to my Mac, had her log in via SSH one time, and now she can log in from putty.

On 7/20/06 6:39 PM, "Gerald (Jerry) Carter" <[EMAIL PROTECTED]> wrote:

> Burris, Celeste Suliin wrote:
>> I've googled my heart out, but I cannot see an example
>> of ssh authentication with Active Directory and winbindd,
>> particularly on Solaris 10. I have it working on Solaris
>> 8 with telnet, but I'm trying to break my users of
>> telnet.
>
> There's not much to it besides adding pam_winbind.so to
> your pam file and make sure to set 'template shell'
> to a valid shell on your system. The default is
> /bin/false.
>
> cheers, jerry
> Samba --- http://www.samba.org
> Centeris --- http://www.centeris.com
> "What man is a man who does not make the world better?" --Balian
[Samba] Can't access Samba server with NetBIOS Name but OK with IP
Hi, folks

I installed samba 3.0.21b-2 with winbind on a Fedora 5 server. I edited 5 files (shown below) and joined Windows AD with the "net join ADS" command. It worked in the first month. I could access folders with appropriate permission. Then I found I couldn't access the server by keying in "\\smbservername". A pop-up Windows box says "Incorrect password or unknown user". I tried domain\domain-username, domain-username, userNo-in-getent-passwd but none of them worked. However, if I use its IP address such as \\10.10.10.2, it works as normal.

I checked the DNS records. They all exist in the DNS server. I even keyed the DNS record into all hosts files. But no difference.

I also noticed one thing. When I use Windows XP to check the security tab of the folder shared on this FC5, I can see the AD username, AD group name and everyone, which stand for user, group and others. All check boxes in front of these username, groupname and everyone are un-checked even though I can access the folders.

What did I do wrong? Shall I edit the /etc/pam.d/login file as well? How?

Here is my current /etc/pam.d/login

    #%PAM-1.0
    auth       required     pam_securetty.so
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth

Thanks for any comment,
Yujie

==Fstab==

    LABEL=/home    /home    ext3    defaults,acl    1 2

==Nsswitch.conf===

    passwd:     files winbind
    shadow:     files
    group:      files winbind
    hosts:      files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files
    rpc:        files
    services:   files
    netgroup:   nisplus
    publickey:  nisplus
    automount:  files nisplus
    aliases:    files nisplus

=Krb5.conf=

    [libdefaults]
     default_realm = COMPANY.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     COMPANY.COM = {
      kdc = adserver.company.com:88
      admin_server = adserver.company.com:749
      default_domain = company.com
     }

    [domain_realm]
     .example.com = COMPANY.COM
     example.com = COMPANY.COM

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

=/etc/samba/smb.conf

    security = ADS
    template shell = /bin/false
    template homedir = /home/%D/%U
    idmap uid = 1-2
    idmap gid = 1-2
    enhanced browsing = no
    winbind use default domain = yes

===hosts==

    10.10.10.2 fc5.company.com fc5
Re: [Samba] SSH and winbind authentication on Solaris 10
Burris, Celeste Suliin wrote:

> I've googled my heart out, but I cannot see an example
> of ssh authentication with Active Directory and winbindd,
> particularly on Solaris 10. I have it working on Solaris
> 8 with telnet, but I'm trying to break my users of
> telnet.

There's not much to it besides adding pam_winbind.so to your pam file and make sure to set 'template shell' to a valid shell on your system. The default is /bin/false.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Failed to set servicePrincipalNames (Samba+Solaris 10+NISplus+ADS+DNS)
Brian,

> # /usr/local/samba/bin/net ads join -U Administrator
> Administrator's password:
>
> Using short domain name -- ULS
> Failed to set servicePrincipalNames. Only NTLM authentication
> will be possible.
> Please ensure that the DNS domain of this server matches
> the AD domain, Or rejoin with using Domain Admin credentials.
> Joined 'KRAKEN' to realm 'ULS.NT.PITT.EDU'
>
> Our Unix system FQDNS name is kraken.library.pitt.edu
> Our Windows ADS realm is ULS.NT.PITT.EDU.
> Our Active Directory DNS Tree starts at NT.PITT.EDU as
> we (Pitt) did not want to integrate the existing DNS
> tree with the Active Directory DNS Tree. An Option
> that is defined by Microsoft.
>
> We can not put our UNIX system under the Active Directory
> Tree as it exists in a Solaris NIS+ configuration where
> the other UNIX systems are located in the library.pitt.edu DNS
> Tree.
>
> Thus neither setting the DNS domain to the AD domain
> or vice versa is possible. My question is - given this
> setup what problems will we run into?

Please send me a level 10 debug log from 'net ads join'. You should be able to do this as a Domain Admin. And please make sure that your /etc/hosts is not broken.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
[Samba] SSH and winbind authentication on Solaris 10
I've googled my heart out, but I cannot see an example of ssh authentication with Active Directory and winbindd, particularly on Solaris 10. I have it working on Solaris 8 with telnet, but I'm trying to break my users of telnet.

Has anyone got it working? If so, would you be willing to share the global section of your smb.conf and pam.conf with me? Is there something I need to put in one of the ssh configuration files?

Celeste Suliin Burris
Systems Administrator
Community and Economic Development Department
Phone - 253-591-5093
Email - [EMAIL PROTECTED]
URL - http://www.cityofdestiny.com
[Samba] an error User tftp in passdb, but getpwnam() fails!
Hi there,

I'm trying to raise the smbd daemon but I can't, and in the log I get an error...

    User tftp in passdb, but getpwnam() fails!

Can you please give me an answer?

assaf
[Samba] NTConfig.pol /samba troubleshooting
Hello,

I have (had) poledit/NTConfig.pol working on rhel4 for one of the labs; it has winexit.scr and a custom adm that has worked fine. I have used the net rpc groupmap to map users and root.

It doesn't appear the configuration is being picked up on some machines for the next lab. Even the base one. There is only Default User and Computer.

Are there NT group related issues I should be checking? I have heard nested groups do not get picked up. I get GID errors in samba machine logs (still)

users:@students, @labs etc

regards
Bruce Hermes
[EMAIL PROTECTED]
[Samba] RE: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
My opinion:

Local users should always take precedence. People should specifically refer to local users as \localuser, if that is the form the SMB client insists on sending. Tacking on default domains and/or stripping domains to/from user names and "trying them out" is playing fast and loose with user identity and is a breeding ground for potential security holes.

Dave Daugherty

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of simo
Sent: Thursday, July 20, 2006 9:59 AM
To: Gerald (Jerry) Carter
Cc: Volker Lendecke; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Q: winbindd, unqualfied users, & name conflicts (a.k.a "Deathto 'winbind use default domain'!")

On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
> Volker,
>
> Assume I have a member server named LINUX joined to a
> domain name AD. Now assume I have a local user named foo
> in my passdb and a user named foo in the domain as well.
> I'm modifying winbindd_util.c:parse_domain_user() to do
> a lookup_name() to try to figure out which domain to prepend
> to the username rather than just assuming its a domain user.
> But this means that we'll always choose the local user
> (due to the order of an isolated search in lookup_name()).
>
> The main problem is the use default domain abomination
> will confuse local and domain users of the same name and
> possibly return incorrect group membership.
>
> I am about a 1/2 inch from marking the smb.conf option
> as deprecated and adding similar option to pam_winbind.conf.
> This option just cannot work reliably.
>
> Do you have any suggestions?

I would just document that local users will always take precedence. Winbind use default domain is too valuable to be removed imho.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
[Samba] Clients fail to join domain, machine password not found
I have set up a samba PDC+LDAP on our fileserver, which is housed in the university's server room, so it is on a different subnet. I give our client machines the ip of the pdc as the wins server. This allows our clients to join the domain, but it fails with user name not found.

Checking the logs, I see that Administrator was able to login, and the smbldap-tools script ran and added the machine to the domain. But before this even happens, it seems samba looks for the machine password, and fails. It's the only error that is in the log.

I'm running Samba 3.0.22 (Blastwave) on Solaris 10. I've run the same version on Linux (RHEL v4) to do the same job (before we moved the homes to the fileserver) and didn't have any of these problems. I've tried everything I can think of, but still no go. Any ideas?

The smb.conf:

    [global]
    workgroup = CBI
    netbios name = Cajal
    enable privileges = yes
    interfaces = ce0 127.0.0.1
    server string = Cajal PDC %v
    security = user
    encrypt passwords = Yes
    log level = 2
    syslog = 0
    time server = yes
    domain logons = yes
    os level = 90
    preferred master = yes
    domain master = yes
    wins support = yes
    passdb backend = ldapsam:ldap://x.x.x
    ldap admin dn = cn=samba,ou=DSA,dc=x
    ldap suffix = dc=x
    ldap group suffix = ou=group
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = Yes
    ldap ssl = start tls
    add user script = /opt/csw/sbin/smbldap-useradd -m "%u"
    add machine script = /opt/csw/sbin/smbldap-useradd -w "%u"
    add group script = /opt/csw/sbin/smbldap-groupadd -p "%g"
    add user to group script = /opt/csw/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /opt/csw/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /opt/csw/sbin/smbldap-usermod -g "%g" "%u"
[Samba] samba with ads
Hi There,

I'm using samba 3.0.21c with ADS. I'm getting the following error message:

    [EMAIL PROTECTED] ~]# smbclient -k -UAdministrator //192.168.1.45/Public
    session setup failed: NT_STATUS_LOGON_FAILURE.

Please advise
[Samba] programmatical retrieval of windows event logs from linux
I am a Linux guy trying to support security monitoring for Windows devices. I am trying to find a programmatic way of pulling security and application logs from a Windows machine. Or it can be a push model where Windows can generate events/traps. It should all be built into Windows with no external tool installation.

It looks like there is no NATIVE built-in asynchronous event reporting from Windows (2000/2003/XP)? It can be in terms of SNMP traps as well.

Given this, one can use Samba APIs (rpcclient) to periodically pull the event logs from Windows.

Is there any better way to accomplish the same programmatically, using a push or pull model, to get the security and application logs on Windows from Linux?

-Dave
[Samba] Failed to set servicePrincipalNames (Samba+Solaris 10+NISplus+ADS+DNS)
When joining our Solaris 10 Samba 3.0.23 system to ADS via...

    # /usr/local/samba/bin/net ads join -U Administrator
    Administrator's password:

    Using short domain name -- ULS
    Failed to set servicePrincipalNames. Only NTLM authentication will be possible.
    Please ensure that the DNS domain of this server matches the AD domain, Or rejoin with using Domain Admin credentials.
    Joined 'KRAKEN' to realm 'ULS.NT.PITT.EDU'

Our Unix system FQDNS name is kraken.library.pitt.edu
Our Windows ADS realm is ULS.NT.PITT.EDU.
Our Active Directory DNS Tree starts at NT.PITT.EDU as we (Pitt) did not want to integrate the existing DNS tree with the Active Directory DNS Tree. An Option that is defined by Microsoft.

We can not put our UNIX system under the Active Directory Tree as it exists in a Solaris NIS+ configuration where the other UNIX systems are located in the library.pitt.edu DNS Tree.

Thus neither setting the DNS domain to the AD domain or vice versa is possible. My question is - given this setup what problems will we run into?

Thanks for any info.

Brian Gregg.

--
Brian D. Gregg
Systems Analyst
University Library System
University of Pittsburgh        e-mail: [EMAIL PROTECTED]
7500 Thomas Blvd.               voice: 412-244-7507
Pittsburgh, PA 15208            fax: 412-244-7515
Member: ASNP - Association of Storage Networking Professionals
Re: [Samba] Can't become connected user?
Please note the part that I found in "samba.doc".

Windows XP Professional

When attempting to join a domain, you receive the following error message: "Computer Name Changes: The following error occurred attempting to join the domain MYDOMAIN: The specified network password is not correct". Additionally, your Samba logfile (at debug level 1) reveals: "smbd/service.c:make_connection(): Can't become connected user!".

This is usually caused by improper registry settings in the client. Use Windows' Group Policy Editor (gpedit.msc) to make the following changes in the "Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" branch:

    Disable: Domain member: Digitally encrypt or sign secure channel data
    Disable: Domain member: Digitally sign secure channel data (when possible)
[Samba] mount a window 2003 nfs share on a sun running solaris10
Hi

Is there a way to mount a shared 2.5 TB volume from a Windows 2003 machine onto a Sun running Solaris 10? Is there a simple way to do this with samba?

thanks
donr
email [EMAIL PROTECTED]
[Samba] How to get login name of logged user?
Hello list.

Is there any way to get the login name of a currently logged-in user on a remote machine using samba? I can get the list of all users with the command smbclient -L host, but how do I know which of them is logged in now?

Thanks in advance.
Roman Gorohov.
Re: [Samba] Win2k Master Browser believes Linux box is master browser
Cheers

This seems to have fixed the problem.

Thanks a lot
Mark

On 17 Jul 2006, at 16:26, Nanni X wrote:

Hi Mark,

I think you should set the "os level" directive to a low value (try 5 or 10). This directive instructs smb to have a "low profile" during the election of a new master browser. Then add a line:

    preferred master = NO

This line prevents the samba box from starting a new election.

Instead, when I set up a samba PDC I use values like 200+ and "preferred master = YES" to be "sure" (is it possible to be sure when you play with windoze? ;-) ) the samba box becomes a master browser.

Perhaps the directive left open, without a value, can be assumed as a high value. Really I don't know.

Let me know

hope this helps
Giovanni
[Samba] simple configuration problem
This is smb.conf:

    [global]
    workgroup = workgroup
    netbios name = darkstar
    security = share
    log file = /var/log/samba.%m
    max log size = 50

    [homes]
    comment = Home Directories
    browseable = yes
    read only = No

    [printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = yes
    printable = yes
    browseable = yes

However, when I try to read "homes on samba 3.0.22" from Win, a window appears that has DARKSTAR/Guest as username and asks me for a password. Why does it ask me for a password, if I set "share"? And what can that password for guest be, since it's the nobody user?

Thanx!
M.
Re: [Samba] guest ok
Gerald (Jerry) Carter wrote:

> Anthony,
>
>> it should be "guest account = testguest" and "guest ok
>> = yes" - notice the spaces. the other parameters
>> are similar. check your spacing.
>
> Doesn't matter. Parameter names are case and white
> space insensitive.
>

ahh, thank you. that's an interesting tidbit about which i was unaware (among other things):)

-a

--
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Samba] guest ok
Anthony,

> Donald W Watson wrote:
>
>> passdbbackend = tdbsam
>> guestaccount = testguest
>
>> [shareC]
>> write list= testguest
>> guest only = yes
>> guest ok = yes
>> path = /tmp/shareC
>
> it should be "guest account = testguest" and "guest ok
> = yes" - notice the spaces. the other parameters
> are similar. check your spacing.

Doesn't matter. Parameter names are case and white space insensitive.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
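Added example (not part of the original thread, and not Samba's own code): a small audit that lists guest-enabled shares using the name matching described in the reply above, next to a literal text search that misses the "guestok" spelling. The sample configuration is a fragment constructed from the smb.conf posted in this thread; the function names, the "public"/"only guest" synonym table, the accepted boolean words and the "nobody" default are assumptions taken from smb.conf(5) as the editor understands it.

```python
import re

# Constructed sample: a fragment of the generated smb.conf posted in this thread.
SAMPLE_CONF = """\
[global]
guestaccount = testguest
maptoguest = Bad User
[shareA]
path = /tmp/shareA
writelist = user1
[shareB]
path = /tmp/shareB
guestok = yes
writelist = user1
[shareC]
write list = testguest
guest only = yes
guest ok = yes
path = /tmp/shareC
"""

# Assumption: synonyms as documented in smb.conf(5), in normalized form.
SYNONYMS = {"public": "guestok", "onlyguest": "guestonly"}
# Assumption: words Samba accepts as boolean true.
TRUE_WORDS = {"yes", "true", "1", "on"}


def normalize(name):
    """Fold case and drop all whitespace, so 'Guest OK' == 'guestok'."""
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section: {normalized parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        sections[current][normalize(name)] = value.strip()
    return sections


def guest_shares(sections):
    """Return {share: account used for guests} for every guest-enabled share."""
    default = sections.get("global", {}).get("guestaccount", "nobody")
    result = {}
    for share, params in sections.items():
        if share.lower() == "global":
            continue
        if params.get("guestok", "no").lower() in TRUE_WORDS:
            result[share] = params.get("guestaccount", default)
    return result


def naive_guest_shares(text):
    """What a literal search for 'guest ok = yes' finds (for comparison)."""
    found, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif re.match(r"guest ok\s*=\s*yes\b", line):
            found.append(current)
    return found


if __name__ == "__main__":
    print("literal search:   ", naive_guest_shares(SAMPLE_CONF))
    print("normalized audit: ", guest_shares(parse_smb_conf(SAMPLE_CONF)))
```
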
Re: [Samba] guest ok
Donald W Watson wrote:

> passdbbackend = tdbsam
> guestaccount = testguest

> [shareC]
> write list= testguest
> guest only = yes
> guest ok = yes
> path = /tmp/shareC

it should be "guest account = testguest" and "guest ok = yes" - notice the spaces. the other parameters are similar. check your spacing.

--
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
[Samba] guest ok
I have the following smb.conf file. Note the "guestaccount" parameter, and the guest parameters in shareA, shareB, and shareC.

    #
    # Generated by modify_samba_config.pl
    #
    [global]
    adminusers = Administrator, root
    logonhome = \\%L\%U\.9xprofile
    addsharecommand = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
    addgroupscript = /usr/sbin/groupadd -p "%g"
    deletesharecommand = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
    include = /etc/samba/dhcp.conf
    deleteuserfromgroupscript = /usr/sbin/groupmod -x "%u" "%g"
    adduserscript = /usr/sbin/useradd -m "%u"
    deleteprintercommand = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
    maptoguest = Bad User
    addprintercommand = /usr/local/autobench/sources/samba/util/modify_samba_config.pl
    setprimarygroupscript = /usr/sbin/usermod -g "%g" "%u"
    addmachinescript = /usr/sbin/useradd "%u"
    domainlogons = yes
    deleteuserscript = /usr/sbin/userdel -r "%u"
    printcapname = cups
    passdbbackend = tdbsam
    guestaccount = testguest
    printing = cups
    cupsoptions = raw
    logondrive = P:
    addusertogroupscript = /usr/sbin/groupmod -m "%u" "%g"
    logonpath = \\%L\profiles\.msprofile
    printcapcachetime = 750
    workgroup = SAMBA_TEST
    security = user
    domainmaster = yes

    ## Section - [users]
    [users]
    readonly = No
    comment = All users
    vetofiles = /aquota.user/groups/shares/
    inheritacls = Yes
    path = /home

    ## Section - [homes]
    [homes]
    readonly = No
    browseable = No
    comment = Home Directories
    inheritacls = Yes
    validusers = %S

    ## Section - [printers]
    [printers]
    createmask = 0600
    browseable = No
    comment = All Printers
    printable = Yes
    path = /var/tmp

    ## Section - [shareC]
    [shareC]
    write list = testguest
    guest only = yes
    guest ok = yes
    path = /tmp/shareC

    ## Section - [print$]
    [print$]
    directorymask = 0775
    createmask = 0664
    comment = Printer Drivers
    forcegroup = ntadmin
    path = /var/lib/samba/drivers
    writelist = @ntadmin root

    ## Section - [shareA]
    [shareA]
    path = /tmp/shareA
    writelist = user1

    ## Section - [groups]
    [groups]
    readonly = No
    comment = All groups
    inheritacls = Yes
    path = /home/groups

    ## Section - [profiles]
    [profiles]
    directorymask = 0700
    createmask = 0600
    readonly = No
    storedosattributes = Yes
    comment = Network Profiles Service
    path = %H

    ## Section - [shareB]
    [shareB]
    path = /tmp/shareB
    guestok = yes
    writelist = user1
    #
    # end of generated smb.conf
    #

After reading the smb.conf man page, here's what I think should happen with the shares. Using smbclient get and put:

    user1 should be able to read/write shareA
    testguest should not be able to read/write shareA
    user1 should be able to read but not write shareB (is authenticated as testguest)
    testguest should be able to read but not write shareB (no password needed)
    user1 should not be able to read/write shareC (is not allowed to connect)
    testguest should be able to read/write shareC (no password needed)

Mounting the shares should produce similar results with file opens.

However, here's what actually happens:

    user1 can read but not write shareA (different from above)
    testguest can neither read nor write shareA (ok)
    user1 can read but not write shareB (ok)
    testguest can read but not write shareB (ok)
    user1 can read but not write shareC (different from above)
    testguest can read but not write shareC (different from above)

Have I misinterpreted the man page?

Sincerely,
Don Watson
Linux Technology and Solutions; Beaverton, OR
503-578-4861/TL: 775-4861; [EMAIL PROTECTED]
[Samba] SAMBA_3_0_RELEASE == Samba 3.0.23a
Folks,

With the exception of a few help messages I need to add to 'net ads join', the release tree should be ready. If people could run their tests and report back if anything that should be fixed is not. Check the release notes for details.

We are due to release tomorrow afternoon.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug,

>>> I was saying dns domain not equal realm dropped
>>> and rewrite ads join code
>>
>> No it wasn't. I run with this on a daily basis.
>> Perhaps something else is attributing to your failures.
>>
> First, I'm not having failures. I was commenting information
> I believed I read. So what did you mean in this post:
> http://marc.theaimsgroup.com/?l=samba&m=115193492903190&w=2
...
> Did you mean if one joins with non-admin credentials
> it no longer works, but if one's credentials are
> administrative it still works?
>
> I understand previously joined machines still work.
>
> Not trying to be a wise guy, just trying to understand.

No problem. I spent a couple of days just staring at traces and reading to try to track down the corner cases. It's pretty confusing.

The best thing to do is to read here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

and then use ADSIedit to view the default security descriptor on a machine account object.

A non-admin (and the machine itself) only has validated-write access to the dNSHostName and servicePrincipalName attributes. This means that the dNSHostName value has to be within the AD realm and the SPN has to match the dNSHostName. Try to join a WinXP box to a domain using a non-admin account with the dns suffix outside of the AD realm and you will see what I mean. It fails to join and tells you to contact the administrator to relax the rules (or something similar).

If you are a domain admin, then you have full control to these attributes and can do whatever you like.

Samba 3.0.22 did all the ads join operations using LDAP requests which required you to be a Domain Admin. As part of the join, the machine SID was given full control over the object in AD so again you could do whatever you liked with 'net ads keytab add -P'.

The code in 3.0.23 uses a mixture of RPC and LDAP just like Windows 2000/XP. The advantage is that a non-admin can now join a Samba box to a domain given the same privileges as required by Windows. The disadvantage is that we can no longer assume we have admin rights to set any property we like. This is why for example, we no longer try to create a UPN by default (although I added a new option to net ads join in 3.0.23a that will do that) or set the operatingSystem attribute value.

Hope this helps clear up some of the confusion.

Note that I've added in a fair amount of new code in 3.0.23a for (a) deriving the DES salt (b) generating the keytab file (c) optionally creating the UPN as part of the join. Please give it a whirl and let me know how it goes.

Our Krb5 code is over 3 years old spreading about multiple MIT and heimdal versions. It's time for some spring cleaning but I don't want to lose functionality if we can help it.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
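Added example (not part of the original thread, and not Samba or Active Directory code): a pre-join check that applies the validated-write rule described in the message above to a host name, a realm and the SPNs a join would try to register. It is a simplified model: the function and class names are hypothetical, the SPN list is constructed, the host and realm names are the ones quoted in this thread, and accepting the short host name as an SPN instance is the editor's assumption about the validated-write rule.

```python
from dataclasses import dataclass, field


@dataclass
class JoinPrediction:
    """Which attribute writes the simplified rule would accept."""
    dns_host_name_ok: bool
    rejected_spns: list = field(default_factory=list)

    @property
    def clean(self):
        return self.dns_host_name_ok and not self.rejected_spns


def spn_instance(spn):
    """Return the host part of 'class/host[:port][/name]', or None if malformed."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    return parts[1].split(":", 1)[0].lower()


def predict_join(fqdn, realm, spns, domain_admin=False):
    """Model the rule from the message above.

    Domain admins have full control of both attributes, so nothing is
    rejected. Everyone else only has validated write:
      * dNSHostName must carry the AD realm as its DNS suffix;
      * each SPN's host part must match that name (assumption: the short
        host name is accepted as well).
    """
    if domain_admin:
        return JoinPrediction(True, [])

    fqdn = fqdn.rstrip(".").lower()
    realm = realm.rstrip(".").lower()
    short, _, suffix = fqdn.partition(".")

    dns_ok = suffix == realm
    allowed = {short, f"{short}.{realm}"}
    rejected = [s for s in spns if spn_instance(s) not in allowed]
    return JoinPrediction(dns_ok, rejected)


# Constructed SPN list; host and realm are the names quoted in this thread.
SAMPLE_SPNS = ["HOST/KRAKEN", "HOST/kraken.library.pitt.edu"]

if __name__ == "__main__":
    for admin in (False, True):
        p = predict_join("kraken.library.pitt.edu", "ULS.NT.PITT.EDU",
                         SAMPLE_SPNS, domain_admin=admin)
        print(f"domain_admin={admin}: dNSHostName ok={p.dns_host_name_ok}, "
              f"rejected SPNs={p.rejected_spns}")
```
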
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Gerald (Jerry) Carter wrote:

Doug VanLeuven wrote:

Gerald (Jerry) Carter wrote:

Doug,

File a bug report if you believe this to be true.

I'm not at 3.0.23 right now and don't have the time to try it here. I wouldn't want to lose this. I did see a mention they dropped support of joins from machines where the domain differs from the realm, but haven't had time to check this. There has been a rewrite of the ads join code since 3.0.22.

Doug, You should probably review my comments to Scott. Keytab support is being rewritten, not dropped.

I was saying dns domain not equal realm dropped and rewrite ads join code

No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures.

First, I'm not having failures. I was commenting information I believed I read. So what did you mean in this post:

http://marc.theaimsgroup.com/?l=samba&m=115193492903190&w=2

quote:

> You were right. ( as usual.. )
> I had the wrong FQDN on the samba server.
> After reconfiguring my network and I got the FQDN back
> from 'hostname' the join worked as planned.

For the record, this is what WinXP does as well. You cannot join a WinXP box to a domain using a non-admin account if the client's FQDN is outside the AD domain. I agree this is a change from previous Samba version, but then previous Samba releases always required domain admin creds to join.

endquote

Did you mean if one joins with non-admin credentials it no longer works, but if one's credentials are administrative it still works?

I understand previously joined machines still work.

Not trying to be a wise guy, just trying to understand.

Regards,
Doug
[Samba] USRMGR, groups, and ldap
I currently have samba version 3.0.23 installed using ldap as the backend. I am experiencing the same problems as Holger Wesser mentioned in his posting "USRMGR.exe not working properly". However, it appears that the fix of creating the group mappings does not work. They appear to be mapped correctly on my setup. My net groupmap list is:

Domain Admins (S-1-5-21-1882045844-2771900506-1057560041-512) -> Domain Admins
Domain Users (S-1-5-21-1882045844-2771900506-1057560041-513) -> Domain Users
Domain Guests (S-1-5-21-1882045844-2771900506-1057560041-514) -> Domain Guests
Domain Computers (S-1-5-21-1882045844-2771900506-1057560041-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

However, there are no groups listed in usrmgr.exe or any of the dialog boxes for adding users/groups in XP. The users are listed correctly in usrmgr.exe but with none of the group memberships. In addition, net rpc group members "Administrators" reports:

Couldn't list alias members

I was hoping for some direction on how to diagnose and correct the problem.

-James
Re: [Samba] New to this list. How to Samba Archives.
Try this http://www.mail-archive.com/

Cheers, henrik

On 20 Jul 2006, at 20:27, Ariel Duran wrote:
> Hello all,
> What is the easiest way to search the samba archives? The archive doesn't have a search option like the qmail archives search option.
> Regards, Ariel Duran
Re: [Samba] MS06-035 problems?
It was a false alarm, it turns out. The guy who was installing the machine forgot to edit the selinux configuration on the default FC5 install. It was in "permissive" mode, but it needed to be "disabled" in order for it to work.

Thanks, Alan

On Thu, 2006-07-13 at 12:52 -0500, Gerald (Jerry) Carter wrote:
> Alan Munter wrote:
>
> > I just patched our domain controllers with MS06-035
> > because it said it was just fixing a couple of memory
> > leak problems with SMB in srvsvc.
> >
> > Now, this afternoon, one of my colleagues tried to
> > join a FC5 machine to our active directory using
> > the recipe that we have been using for years
> > (which worked yesterday, according to him), and
> > it fails on "net ads join".
> >
> > No changes have been made to the domain controllers
> > other than the Black Tuesday patches.
> >
> > Here's a log dump from "net -d4 ads join". We get the error:
>
> What version of Samba is this 3.0.22 ?
>
> > [2006/07/12 15:55:14, 3]
> > libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(571)
> > verify_service_password: get_service_ticket failed: KDC has no support
> > for encryption type
>
> Ignore that. It's not the issue.
>
> > Any ideas of what's going on? Need more info? Did MS
> > sneak some more changes into the server service that
> > they aren't talking about in that patch?
>
> Need more details. What do level 10 debug logs from smbd tell you about
> the failed authentication?
>
> cheers, jerry
Re: [Samba] [SECURITY] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd
Gautier, B (Bob) wrote:
>> -Original Message-
>>
>> == Subject: Memory exhaustion DoS against smbd
>> == CVE ID#: CAN-2006-3403
>
> While we wait for this patch to get backported into 3.0.10
> as a RHEL4 update, will setting the 'max connections'
> parameter on all shares work around this problem?

The problem is that a 'max connections' would limit the total connections and what you really want to limit is the share connections per smbd. You could set something like "max connections = 1" in [global] to set a ceiling but you will take a slight performance hit for it.

cheers, jerry
Re: [Samba] identifying servers
Hi Norbert, you can configure IAS at windows (2000 or 2003) and configure freeradius to use IAS (radius server) to authenticate your users.

Marcos

--- Norbert Wegener <[EMAIL PROTECTED]> wrote:
> I want to use freeradius and Active directory for
> authentication in a
> larger Active Directory forest and therefore
> freeradius must know the
> relevant domain servers.
> As this forest is living with servers being added
> and removed, I want
> to identify the global catalog servers in that
> forest automatically.
> How could this be achieved using samba tools?
> Thanks
> Norbert Wegener
Re: [Samba] Can't connect with force user set (3.0.23)
Jochen Knuth wrote:
> Hi,
>
> after an update to samba 3.0.23 i can't connect to shares
> if i set the option force user.

Just to clarify yet again, unqualified domain user and group names are not supported in smb.conf and have not been since Samba 3.0.8. But your failure has been fixed in 3.0.23a (due out tomorrow). Please test the SAMBA_3_0_23 svn branch if you can to verify this fix. Thanks.

cheers, jerry
Re: [Samba] Security = ADS and 3.0.23 Upgrade
Dale Schroeder wrote:
> You are quite correct that adding the missing parameter
> to the hosts file and rejoining the domain would fix
> this problem.
>
> That leaves only the 'valid users' bug you mentioned.
> Of the three parameters following:
>
> 1. 'valid users' had to be disabled
> 2. 'write list' had to be present
> 3. 'admin users' had no effect either way

Fixed in 3.0.23a:

http://viewcvs.samba.org/cgi-bin/viewcvs.cgi?rev=17022&view=rev

Please test the svn://svnanon.samba.org/samba/branches/SAMBA_3_0_23 tree to be sure.

cheers, jerry
Re: [Samba] New to this list. How to Samba Archives.
On Thu, 20 Jul 2006, Ariel Duran wrote:
> Hello all,
> What is the easiest way to search the samba archives? The archive doesn't have a search option like the qmail archives search option.

The easiest way to search the archives is to go to:

http://marc.theaimsgroup.com/

And scrolling down until you get to the Samba portion. You can click on a mailing list, and then run a search on it. Many, many mailing lists are there, so it's really a great resource for sysadmins. HTH.

> Regards, Ariel Duran

--
Sean Elble
Virginia Tech
Computer Engineering, Class of 2008
Vice President, VTLUUG
E-Mail: [EMAIL PROTECTED]
[Samba] New to this list. How to Samba Archives.
Hello all,

What is the easiest way to search the samba archives? The archive doesn't have a search option like the qmail archives search option.

Regards, Ariel Duran
Re: [Samba] Security = ADS and 3.0.23 Upgrade
Gerald (Jerry) Carter wrote:
> Dale Schroeder wrote:
>> I've attached the screenshots, but I think my confusion was expecting the pdc to display the FQDN from its DNS records for the samba system, not the hosts file on the samba system.
>
> I will almost guarantee that you have a broken /etc/hosts on your Samba box. The machine's hostname should not be listed in the 127.0.0.1 line. This will also break Krb5 authentication. Fix this on the Unix box and rejoin the domain. Should be fine.

You are quite correct that adding the missing parameter to the hosts file and rejoining the domain would fix this problem.

That leaves only the 'valid users' bug you mentioned. Of the three parameters following:

1. 'valid users' had to be disabled
2. 'write list' had to be present
3. 'admin users' had no effect either way

in order for me to access the test share. I used all three quite frequently in 3.0.22 and prior, so I surely do hope it is something that can be remedied.

I greatly appreciate your time and your help.

Dale
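The /etc/hosts condition described in the message above can be checked before a rejoin. The following is an added example, not part of the original posts and not Samba code; the host name fileserv.example.com, the address 192.0.2.10 and both sample files are constructed, and the extra requirement that the FQDN map to a non-loopback address is an assumption of this example.

```python
import ipaddress

# Constructed sample: hostname listed on the loopback line (the broken case).
BROKEN_HOSTS = """\
127.0.0.1   localhost fileserv   # machine name on the loopback line
::1         localhost
"""

# Constructed sample: loopback line holds only localhost, FQDN on a real address.
FIXED_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  fileserv.example.com fileserv
"""


def parse_hosts(text):
    """Yield (address, [lowercased names]) per valid entry, skipping comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no names
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a parsable address; ignore the line
        yield addr, [name.lower() for name in fields[1:]]


def audit_hosts(text, fqdn):
    """Report whether the machine's own name resolves to a loopback address.

    Returns a dict with:
      loopback_conflicts: [(address, [matching names])] for 127.0.0.0/8 or ::1
      fqdn_addresses:     non-loopback addresses that carry the FQDN
      ok:                 no conflict and the FQDN has a non-loopback entry
    """
    fqdn = fqdn.lower().rstrip(".")
    short = fqdn.split(".", 1)[0]
    wanted = {fqdn, short}
    conflicts, routable = [], []
    for addr, names in parse_hosts(text):
        hits = sorted(wanted.intersection(names))
        if not hits:
            continue
        if addr.is_loopback:
            conflicts.append((str(addr), hits))
        elif fqdn in names:
            routable.append(str(addr))
    return {
        "loopback_conflicts": conflicts,
        "fqdn_addresses": routable,
        "ok": not conflicts and bool(routable),
    }


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_HOSTS), ("fixed", FIXED_HOSTS)):
        print(label, audit_hosts(text, "fileserv.example.com"))
```

To audit a real machine, pass the contents of /etc/hosts and the output of `hostname -f` instead of the constructed samples.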
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
Volker Lendecke wrote:
> What happens now? Looking at the code I get the impression
> that we default to DOMAIN\foo. So if we get an unqualified
> name, talloc_asprintf(ctx, "%s\\%s", lp_workgroup(), name),
> try with that and only if that fails then do the naked
> lookup_name() which has its defined order. This is a hack,
> but that whole thing is.

Sure. If a user of the same name doesn't exist in the local passdb and domain SAM. But when LINUX\foo and DOMAIN\foo both exist, the lookup for DOMAIN\foo will succeed.

> I did not try this, so it might break horribly. But I've
> looked at putting lookup_name into parse_domain_user
> before and did _not_ try that yet.

I was about to and realized it cannot work 100% of the time. That is what prompted this thread.

cheers, jerry
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
Dave Daugherty wrote:
> My opinion:
>
> Local users should always take precedence.
>
> People should specifically refer to local users as
> \localuser, if that is the form the
> SMB client insists on sending.
>
> Tacking on default domains and/or stripping
> domains to/from user names and "trying them out" is playing
> fast and loose with user identity and
> is a breeding ground for potential security holes.

Dave, I don't think you fully understand the problem. We're talking about Unix shell tools, not SMB clients. A local username is always unqualified when sent by Unix tools like 'id' to query group membership. A domain user may or may not be qualified so how do you know an unqualified domain user from a normal local user?

For example, with 'winbind use default domain = no'

$ id
uid=780(jerry) gid=100(users) groups=16(dialout),33(video),100(users),10001(BUILTIN\users),10007(SUSE10\developers)

With 'winbind use default domain = yes'

$ id
uid=780(jerry) gid=100(users) groups=16(dialout),33(video),100(users)

The problem is that when guessing the domain, we assume the Windows domain name. Prior to querying group membership, we do a lookup_name() query to the DC for this name (DOMAIN\jerry) which fails since it is a local user. So any local groups are excluded from the getgroups() return.

*This* ambiguity is why I will be removing the guess work from the server code in 3.0.24.

cheers, jerry
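The ambiguity discussed in this thread can be shown with a small model. This is an added example, not part of the original posts and not Samba's code: it models only the lookup order of the three approaches mentioned (always assume the domain, search local first, qualified domain lookup with unqualified fallback), and all accounts and group names are constructed.

```python
# Member server LINUX joined to domain AD, as in the thread.
LOCAL, DOMAIN = "LINUX", "AD"

# (authority, user) -> groups that authority reports. Constructed sample data.
ACCOUNTS = {
    ("LINUX", "foo"): ["LINUX\\backup"],
    ("AD", "foo"): ["AD\\domain admins"],
    ("LINUX", "jerry"): ["BUILTIN\\users"],
    ("AD", "alice"): ["AD\\developers"],
}


def lookup(authority, user):
    """Qualified lookup: succeeds only if that authority holds the account."""
    key = (authority, user)
    return key if key in ACCOUNTS else None


def assume_domain(user):
    """Guess used with 'winbind use default domain': always prepend the domain."""
    return lookup(DOMAIN, user)


def local_first(user):
    """Isolated search that consults the local passdb before the domain."""
    return lookup(LOCAL, user) or lookup(DOMAIN, user)


def domain_then_local(user):
    """Qualified domain lookup first, unqualified fallback if it fails."""
    return lookup(DOMAIN, user) or lookup(LOCAL, user)


STRATEGIES = {
    "assume_domain": assume_domain,
    "local_first": local_first,
    "domain_then_local": domain_then_local,
}


def misresolved(strategy):
    """Accounts a strategy cannot reach when given only the bare user name."""
    resolve = STRATEGIES[strategy]
    return sorted(acct for acct in ACCOUNTS if resolve(acct[1]) != acct)


def groups_for(strategy, user):
    """Groups reported for a bare name; empty when the lookup fails."""
    acct = STRATEGIES[strategy](user)
    return ACCOUNTS[acct] if acct else []


def colliding_names():
    """Bare names that exist both locally and in the domain."""
    local = {u for a, u in ACCOUNTS if a == LOCAL}
    domain = {u for a, u in ACCOUNTS if a == DOMAIN}
    return sorted(local & domain)


if __name__ == "__main__":
    print("colliding names:", colliding_names())
    for name in STRATEGIES:
        print(f"{name:18} misresolves {misresolved(name)}")
    # Local-only user under the default-domain guess: the lookup fails,
    # so no groups come back, matching the shorter 'id' output above.
    print("jerry via assume_domain:", groups_for("assume_domain", "jerry"))
```

Every strategy misresolves at least one account as long as a colliding name exists, so the practical audit is to list the collisions between the local passdb and the domain.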
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
On Thu, Jul 20, 2006 at 01:46:29PM -0500, Gerald (Jerry) Carter wrote:
> We're given a username. Both LINUX\foo and DOMAIN\foo
> exist so lookup_name() on either of those will succeed.
> How do you know which one is which? A local user is
> always unqualified and a domain user may or may not be.
> How do you tell them apart?

What happens now? Looking at the code I get the impression that we default to DOMAIN\foo. So if we get an unqualified name, talloc_asprintf(ctx, "%s\\%s", lp_workgroup(), name), try with that and only if that fails then do the naked lookup_name() which has its defined order. This is a hack, but that whole thing is.

I did not try this, so it might break horribly. But I've looked at putting lookup_name into parse_domain_user before and did _not_ try that yet.

Volker
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
Volker Lendecke wrote:
> What about in the case of winbind use default domain
> doing a qualified lookup_name() first and if that
> fails do the unqualified one?

We're given a username. Both LINUX\foo and DOMAIN\foo exist so lookup_name() on either of those will succeed. How do you know which one is which? A local user is always unqualified and a domain user may or may not be. How do you tell them apart?

ciao, jerry
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
On Thu, Jul 20, 2006 at 11:35:11AM -0500, Gerald (Jerry) Carter wrote:
> Assume I have a member server named LINUX joined to a
> domain name AD. Now assume I have a local user named foo
> in my passdb and a user named foo in the domain as well.
> I'm modifying winbindd_util.c:parse_domain_user() to do
> a lookup_name() to try to figure out which domain to prepend
> to the username rather than just assuming it's a domain user.
> But this means that we'll always choose the local user
> (due to the order of an isolated search in lookup_name()).

What about in the case of winbind use default domain doing a qualified lookup_name() first and if that fails do the unqualified one?

Volker
Re: [Samba] Kerberos Keytab Code Update in 3.0.23
Doug VanLeuven wrote:
> Gerald (Jerry) Carter wrote:
>> Doug,
>>
>>> File a bug report if you believe this to be true. I'm not at 3.0.23
>>> right now and don't have the time to try it
>>> here. I wouldn't want to lose this. I did see a mention
>>> they dropped support of joins from machines where
>>> the domain differs from the realm, but haven't had time to check
>>> this. There has been a rewrite of the
>>> ads join code since 3.0.22.
>>
>> Doug,
>>
>> You should probably review my comments to Scott. Keytab
>> support is being rewritten, not dropped.
>
> I was saying dns domain not equal realm dropped
> and rewrite ads join code

No it wasn't. I run with this on a daily basis. Perhaps something else is attributing to your failures.

>> PS: I asked our Apache guy (at Centeris) who is working
>> with mod_auth_kerb and he claims that krb5 authentication
>> to http://SerVer.ExaMple.COM still gets a ticket for
>> HTTP/server.example.com which supports my theory about
>> tickets based on SPN values.
>
> Yes, it works with rc4-hmac. But it's been coming
> back to me. It didn't work with des-cbc-md5 until
> the permutations were added. How soon we forget.
> It's really difficult to test des-only now. Have to
> join with rc4, then hand edit with adsi.exe in the
> AD, then remove the rc4 from krb5.conf
> and reboot the machine to purge the caches, because
> samba sets the des-only on a compile time flag.

I'll go back and retest but I'm still not convinced (until I can reproduce it myself).

cheers, jerry
Re: [Samba] Anybody building Mandriva rpms?
David Rankin wrote:
> Thanks Gemes:
>
> Gerry, do you have any additional info on this???

Nope. Buchan was (still is?) doing packages for Mandriva but I have not heard from him in a while.

cheers, jerry
Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch
Don Meyer wrote:
> Yes, I'm pretty sure Jerry Carter does. ([EMAIL PROTECTED])
> He's posted that he expects a patch for this to be
> included in the 3.0.23a release -- due sometime real
> soon now... ;-)

This was the last major bug to be fixed in 3.0.23a. I've attached a patch to bug 3920. Note that this will break 'winbind nested groups' for local users. Local group membership for domain users still works, but a local user will not get the nested group gids included in his or her token. See my comments in the bug report for more details.

Also please note that unqualified domain user or group names have not been supported in smb.conf since Samba 3.0.8. You are advised to fix your configuration files.

cheers, jerry
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
On Thu, 2006-07-20 at 12:37 -0500, Gerald (Jerry) Carter wrote:
> First assigning the wrong groups to a user is a security
> issue. Second, I said pull 'winbind use default domain'
> from the server code and put it in the client code.

ok so you do the translation in pam_winbindd and nss_winbindd instead of winbindd, sounds reasonable, sorry for the misunderstanding.

> The fact is that this parameter is fundamentally broken.
> It cannot actually work correctly. At some point (probably
> for 3.0.24) we will have to break it and move it to the
> client. There is no way around it.

I was just worried you said you wanted to remove it, I have no objection on just moving it in the client libraries.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
Simo,

>> I am about a 1/2 inch from marking the smb.conf option
>> as deprecated and adding similar option to pam_winbind.conf.
>> This option just cannot work reliably.
>>
>> Do you have any suggestions?
>
> I would just document that local users will
> always take precedence.
>
> Winbind use default domain is too valuable to
> be removed imho.

First assigning the wrong groups to a user is a security issue. Second, I said pull 'winbind use default domain' from the server code and put it in the client code.

The fact is that this parameter is fundamentally broken. It cannot actually work correctly. At some point (probably for 3.0.24) we will have to break it and move it to the client. There is no way around it.

cheers, jerry
[Samba] View disk size
Greetings,

This is my first visit to this list. We run Samba to talk to our HP-UX 11.i machine. I'm wondering if there is a configuration feature in Samba that will allow me to see the full properties of my Unix drives from the PC side. We use Windows XP.

Currently when I do a properties on the Unix drive I can see the amount of data stored there but it does not report the remaining free space. This causes some of my PC applications to generate an error if it thinks the output file being created is greater than the free space it sees. In all cases the process has completed because there was enough free space, however I would like the error messages to disappear.

Thanks, Conrad
[Samba] Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
> Volker,
>
> Assume I have a member server named LINUX joined to a
> domain name AD. Now assume I have a local user named foo
> in my passdb and a user named foo in the domain as well.
> I'm modifying winbindd_util.c:parse_domain_user() to do
> a lookup_name() to try to figure out which domain to prepend
> to the username rather than just assuming it's a domain user.
> But this means that we'll always choose the local user
> (due to the order of an isolated search in lookup_name()).
>
> The main problem is the use default domain abomination
> will confuse local and domain users of the same name and
> possibly return incorrect group membership.
>
> I am about a 1/2 inch from marking the smb.conf option
> as deprecated and adding similar option to pam_winbind.conf.
> This option just cannot work reliably.
>
> Do you have any suggestions?

I would just document that local users will always take precedence. Winbind use default domain is too valuable to be removed imho.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
Re: [Samba] programmatical retrieval of windows event logs from linux
I was only looking at Native windows support with no Hassles of any external agent installation:

> Am a Linux guy and trying to support security monitoring for Windows devices.
> Am trying to find a programmatic way of pulling security and application logs
> from Windows machine. OR it can be a push model where windows can generate
> events/traps. It should all be built-in in windows with no external tool
> installation.
>
> Looks like there is no NATIVE built in asynchronous event reporting from
> windows (2000/2003/xp)?
> It can be in terms of SNMP Traps as well.
>
> Given this, one can use Samba apis (rpcclient) to periodically pull the
> event logs
> from windows. Is there any better way to accomplish the same
> programmatically
> using Push or Pull model to get the security and application logs on
> windows from Linux ?

Jeff Saxton <[EMAIL PROTECTED]> wrote:

http://www.intersectalliance.com/projects/SnareWindows/

--
Jeff Saxton
SenSage, Inc.
[Samba] programmatical retrieval of windows event logs from linux
Am a Linux guy and trying to support security monitoring for Windows devices. Am trying to find a programmatic way of pulling security and application logs from Windows machine. OR it can be a push model where windows can generate events/traps. It should all be built-in in windows with no external tool installation.

Looks like there is no NATIVE built in asynchronous event reporting from windows (2000/2003/xp)? It can be in terms of SNMP Traps as well.

Given this, one can use Samba apis (rpcclient) to periodically pull the event logs from windows. Is there any better way to accomplish the same programmatically using Push or Pull model to get the security and application logs on windows from Linux ?

-Dave
[Samba] Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
Volker,

Assume I have a member server named LINUX joined to a domain name AD. Now assume I have a local user named foo in my passdb and a user named foo in the domain as well. I'm modifying winbindd_util.c:parse_domain_user() to do a lookup_name() to try to figure out which domain to prepend to the username rather than just assuming it's a domain user. But this means that we'll always choose the local user (due to the order of an isolated search in lookup_name()).

The main problem is the use default domain abomination will confuse local and domain users of the same name and possibly return incorrect group membership.

I am about a 1/2 inch from marking the smb.conf option as deprecated and adding similar option to pam_winbind.conf. This option just cannot work reliably.

Do you have any suggestions?

cheers, jerry
Re: [Samba] No mapping between account names and security IDs was done
Ivan Gustin: I get an error message "No mapping between account names and security IDs was done" on fresh clean Windows XP SP2 PC when I try to join it to Samba PDC.
For information to all who need solution to this problem: I solved it. :-) I found the LJ article on http://www.linuxjournal.com/article/6604, with solution in this paragraph:
"The following error occurred attempting to join the domain "MYDOMAIN": No mapping between account names and security IDs was done. This obscure error reportedly has been fixed by using lower-case names for the workstation name in /etc/passwd and smbpasswd and on the Windows XP client."
So, correcting character case in workstation names allows joining to Samba PDC.
HTH, Ivan Gustin
Re: [Samba] Home directories
Madhu Kumar:
> I have a small requirement , I have a samba setup on my server with
> the following configuration in [homes] share : [...]
> Since i have multiple users who use the windows machines, if i logout
> say from some machine and if i login once again on the same machine
> with different user the previous user's home directory is still
> visible with current user's home directory. I need to resolve it. how
> could i change my [homes] configuration to do this.
I dealt with the same problem long ago. On one Samba site I have 800+ users who use 30 PCs, and the remaining previous users' home directories very soon show up as dozens of visible directories, causing a full mess. This is not a problem with Samba; it's up to Windows Networking. I solved that by avoiding the built-in [homes] section and using a generic [personal] share instead, with this main option:
[Personal]
path = %H
...
This ensures that each user's home directory is always named "Personal" (not by the user's name), points to each user's right home path, and leaves no multiple homes remaining (because it is only one share name). Try that, and say if this satisfies you.
HTH, Ivan Gustin
Re: [Samba] setdriver fails with WERR_ACCESS_DENIED
Flavien,
I had a similar problem about a month ago. Just like you, I could execute "rpcclient enumdrivers", but "rpcclient setdriver" resulted in the WERR_ACCESS_DENIED. In my case, I am using winbind to the fullest so that our Windows sysadmin can control access to folders within shares based on Active Directory security group memberships. That means that when I mount a share, I'm not identified as simply "rtanner" but rather as "CATNET\rtanner", CATNET being the name of the domain.
I resolved the WERR_ACCESS_DENIED issue in rpcclient by specifying "CATNET\rtanner" as a printer admin and authenticating as the user "CATNET\rtanner" rather than simply "rtanner" in rpcclient. The only oddity was that the global setting in "printers" was not enough. I had to explicitly declare "CATNET\rtanner" as a printer admin in each printer definition in smb.cfg. And after that, everything was hunky-dory.
Hope that helps.
-- Rob
Flavien said the following on 07/20/2006 04:50 AM:
Hi, I'm using samba 3.0.22 on a Linux/Debian machine. I'm trying to get printer drivers on the server automatically picked by the XP clients on the server.
$ rpcclient localhost -U flavien -c 'enumdrivers'
Password:
[Windows NT x86]
Printer Driver Info 1:
Driver Name: [hp1]
The user "flavien" has PrintOperator privileges :
$ net rpc rights list flavien -U flavien
Password:
SePrintOperatorPrivilege
SeDiskOperatorPrivilege
I try to set the driver to the printer :
$ rpcclient localhost -U flavien -c 'setdriver hp1 hp1'
Password:
result was WERR_ACCESS_DENIED
Something that looks suspicious to me :
$ rpcclient localhost -U flavien -c 'getdriverdir "Windows NT x86"'
Password:
Directory Name:[\\LOCALHOST\print$\W32X86]
Shouldn't it be the netbios name of the server instead of LOCALHOST ? FWIW, the /etc/samba/drivers dir is writeable by "flavien" I'm pretty stuck here now. Any help appreciated. Flavien.
-- Rob Tanner UNIX Services Manager Linfield College, McMinnville OR
[Samba] password required when connecting from xp but not linux
Hi, I have samba version 3.0.22 installed on solaris 8. I have added users with smbpasswd -a. When mounting from an XP machine passwords are required, yet when mounting from fedora5 it prompts for a password but mounts irrespective of what is entered. Any ideas? TIA Rich
# more /usr/local/samba_new/lib/smb.conf
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2006/06/22 15:34:54
[global]
workgroup = HOME
server string = Unix Server
unix password sync = Yes
log level = 2
log file = /var/log/samba/samba.log.%m
max log size = 50
wins support = Yes
invalid users = bin, web, daemon, adm, sync, shutdown, halt, mail, news, uucp, operator, nuucp, lp, listen, nobody, noaccess
create mask = 0777
directory mask = 0777
hosts allow = 192.168.1., localhost
[homes]
comment = Home Directories
path = /userdata/home/%u
read only = No
guest ok = Yes
browseable = No
[point1]
comment = point1
path = /point1
valid users = user1,user2,user3
read only = No
[point2]
comment = point2
path = /point2
valid users = user1,user2,user3
read only = No
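The posted smb.conf can be checked mechanically for share settings that relax authentication or file permissions; per the smb.conf manual, `guest ok = Yes` means no password is required to connect to that service. The Python audit below is an added example, not part of the original post: the `audit` helper and its finding names are this example's own, and the embedded configuration is the poster's, re-broken one setting per line.

```python
import configparser

# Constructed input: the smb.conf from the post, one setting per line.
POSTED_SMB_CONF = """\
# Samba config file created using SWAT
[global]
workgroup = HOME
server string = Unix Server
unix password sync = Yes
log level = 2
log file = /var/log/samba/samba.log.%m
max log size = 50
wins support = Yes
invalid users = bin, web, daemon, adm, sync, shutdown, halt, mail, news, uucp, operator, nuucp, lp, listen, nobody, noaccess
create mask = 0777
directory mask = 0777
hosts allow = 192.168.1., localhost

[homes]
comment = Home Directories
path = /userdata/home/%u
read only = No
guest ok = Yes
browseable = No

[point1]
comment = point1
path = /point1
valid users = user1,user2,user3
read only = No

[point2]
comment = point2
path = /point2
valid users = user1,user2,user3
read only = No
"""

# smbd's built-in defaults for the settings this audit reads.
DEFAULTS = {"guest ok": "no", "read only": "yes",
            "create mask": "0744", "directory mask": "0755"}
SYNONYMS = {"public": "guest ok", "create mode": "create mask",
            "directory mode": "directory mask"}
INVERTED = {"writable", "writeable", "write ok"}  # inverted synonyms of "read only"


def is_true(value):
    """smb.conf booleans: yes/true/1 (any case) are true."""
    return value.strip().lower() in {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names normalised."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                          comment_prefixes=("#", ";"))
    parser.read_string(text)
    sections = {}
    for name in parser.sections():
        options = sections.setdefault(name.lower(), {})
        for key, value in parser.items(name):
            key = " ".join(key.split())  # collapse repeated spaces in the name
            if key in INVERTED:
                value = "no" if is_true(value) else "yes"
                key = "read only"
            options[SYNONYMS.get(key, key)] = value
    return sections


def effective(sections, share, key):
    """Share value, else the [global] value, else smbd's default."""
    fallback = sections.get("global", {}).get(key, DEFAULTS[key])
    return sections[share].get(key, fallback)


def audit(text):
    """List (share, finding) pairs for guest access and permissive masks."""
    sections = parse_smb_conf(text)
    findings = []
    for share in sections:
        if share == "global":
            continue
        if is_true(effective(sections, share, "guest ok")):
            findings.append((share, "guest-access"))
            if not is_true(effective(sections, share, "read only")):
                findings.append((share, "guest-writable"))
        for key in ("create mask", "directory mask"):
            # Bit 0o002 set means files or directories may be created other-writable.
            if int(effective(sections, share, key), 8) & 0o002:
                findings.append((share, key + " world-writable"))
    return findings


if __name__ == "__main__":
    for share, issue in audit(POSTED_SMB_CONF):
        print("[%s] %s" % (share, issue))
```

The masks are reported per share because `create mask` and `directory mask` set in `[global]` become the default for every share that does not override them.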
[Samba] Can't connect with force user set (3.0.23)
Hi, after an update to samba 3.0.23 I can't connect to shares if I set the option force user. Samba is used on a FreeBSD 5.5p1 server, the Domain Controller is a Windows 2003 Server. The [Global] part and a [Share] part follow:
# Global parameters
[global]
workgroup = IPRO.LEO
netbios name = UNIXSERVER
server string = IPRO Samba %v
interfaces = bge0
bind interfaces only = Yes
security = DOMAIN
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 2
log file = /var/log/samba.log
time server = Yes
os level = 30
lm interval = 120
preferred master = No
local master = No
domain master = No
wins support = Yes
ldap ssl = no
preload = homes,usr
socket address = 172.16.0.1
idmap uid = 17000-22000
idmap gid = 17000-22000
winbind use default domain = Yes
hosts allow = 172.16., 127.0.0.1
hosts deny = 0.0.0.0/0
hide dot files = No
veto oplock files = /*log*/
[plone]
force user = zope
writeable = yes
valid users = jok,kerkow,goetz
write list = jok,kerkow,goetz
path = /usr/local/www/Zope/z29test/
force group = zope
I tried to patch the auth_util.c to rev. 17022 as I have seen some posts regarding this, but it didn't work (can't connect at all, core dump).
Ciao, Jochen
-- Jochen Knuth WebMaster http://www.ipro.de IPRO GmbH Phone ++49-7152-93330 Steinbeisstr. 6 Fax ++49-7152-933340 71229 Leonberg EMail: [EMAIL PROTECTED]
[Samba] user login ldap problems, misunderstandings
hi, i have managed to set up samba and ldap to work together. i have got machines joined to the server, used IDEALX to create default entries. i can log into the machines with root and nobody accounts but nobody else's. i have added on about 80 users to ldap but none of them can login. they all appear to have posix and samba attributes in the ldap directory. i am getting a bit confused also by this smbpasswd: do i need to run it for each user in ldap? i kinda figured i did not but got a little confused when reading others' posts on the web. also where can i look to find why the logins are failed? i have the samba log level set to 3 which i believe is the highest but nothing shows up to show that an attempt was made. any help with log files to check, levels to change or anything that can help me figure out where i am going wrong, as samba and ldap seem to work and communicate fine. any help appreciated thxs. i have managed to come so far not knowing ldap or samba to this point.
Re: [Samba] Re: Samba 3.0.23 winbind use default domain = yes behaviour
John wrote:
> I tried the patch and at first it looked like it
> worked OK, but it breaks the support of BUILTIN groups
> With stripping the domain, I lost also the support
> of the BUILTIN groups.
>
> When tested on a machine with an unpatched 3.0.23
> BUILTIN groups works
That was what I was afraid of since getting BUILTIN to work correct was the reason for the original change. I'm going to try to have this resolved today. When I do, I'll post a patch to bug # 3920.
cheers, jerry
Re: [Samba] Cannot add ACL entry in Windows.
Same problem here. I think it's a bug in the new version.
--- Linus Lund <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux
> Box with a 2.4.31 kernel. All Unix users and samba users are stored in
> ldap. Using setfacl renders correct user/groups in the windows acl
> editor, and works perfectly. However, when I try to add a user/group in
> the Security tab for a share/folder I get the following message
>
> "The program cannot open the required dialog box because it cannot
> determine whether the computer named fileserv is joined to a domain.
> Close this message and try again."
>
> Followed by
> "The system cannot find text for message 0x%1 in the message file for %2".
>
> The error occurs with all users, tested on windows xp SP2 and windows
> 2k3 SP1. The problem occurred in samba 3.0.23, was not present in samba
> 3.0.22. The improved group handling in samba 3.0.23 makes me reluctant
> to downgrading though.
>
> Anyone got any ideas what to test/do?
>
> Regards,
> Linus
[Samba] Re: Samba 3.0.23 winbind use default domain = yes behaviour
Hi Dietrich,
I tried the patch and at first it looked like it worked OK, but it breaks the support of BUILTIN groups. With stripping the domain, I lost also the support of the BUILTIN groups. When tested on a machine with an unpatched 3.0.23 BUILTIN groups works.
"Dietrich Streifert" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Hi John, this is already filed as a bug: https://bugzilla.samba.org/show_bug.cgi?id=3920 and Jerry is working on it. I've attached an unofficial, unsupported patch against release 3.0.23 of nsswitch/winbindd_group.c which reverted the change and worked for me.
John wrote:
> Hello list,
>
> I encountered a problem in Samba 3.0.23 regarding the winbind use default
> domain = yes behaviour.
> It only works for the users and NOT anymore for the Group. So this makes
> getent group show NETBIOSDOMAINNAME/group which causes my squid
> configuration to fail. My squid configuration allowed access based on the AD
> groups, which are provided by Winbindd.
> Tested distribution:
> SuSE 9.0, CentOS 4.3
> Samba build: Sernet 3.0.23
> Is this a bug or is this by design? Does anybody know a way to get getent group
> to honour the winbind use default domain = yes option?
>
> Regards,
> John
> The Netherlands.
-- Kind regards, Dietrich Streifert, Visionet GmbH
> --- samba-3.0.23.orig/source/nsswitch/winbindd_group.c Fri Jun 23 15:16:50 > 2006 > +++ samba-3.0.23/source/nsswitch/winbindd_group.c Thu Jul 13 10:34:06 2006 > @@ -42,7 +42,7 @@ > { > fstring full_group_name; > > - fill_domain_username( full_group_name, dom_name, gr_name, False); > + fill_domain_username( full_group_name, dom_name, gr_name, True); > > gr->gr_gid = unix_gid; > > @@ -146,7 +146,7 @@ > > /* Append domain name */ > > - fill_domain_username(name, domain->name, the_name, False); > + fill_domain_username(name, domain->name, the_name, True); > > len = strlen(name); 
> > @@ -752,7 +752,7 @@ > /* Fill in group entry */ > > fill_domain_username(domain_group_name, ent->domain_name, > - name_list[ent->sam_entry_index].acct_name, False); > + name_list[ent->sam_entry_index].acct_name, True); > > result = fill_grent(&group_list[group_list_ndx], > ent->domain_name, > @@ -929,7 +929,7 @@ > groups.sam_entries)[i].acct_name; > fstring name; > > - fill_domain_username(name, domain->name, group_name, False); > + fill_domain_username(name, domain->name, group_name, True); > /* Append to extra data */ > memcpy(&extra_data[extra_data_len], name, >strlen(name));
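Review bot: all four call sites (@@ -42, @@ -146, @@ -752 and @@ -929) flip the last argument of fill_domain_username() from False to True unconditionally, which per this thread strips the domain from every group name winbindd returns, and John reports that BUILTIN groups stop working once the patch is applied. Rather than a blanket True, gate the value on the group's domain, which is already in scope at each site (dom_name, domain->name, ent->domain_name), so that BUILTIN and other non-default domains keep their qualified names. A short comment at each site saying when the prefix may be dropped, plus a getent group check covering one domain group and one BUILTIN group, would keep this from regressing again while bug 3920 is open.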
Re: [Samba] Cannot add ACL entry in Windows.
Linus Lund wrote:
> Hello,
>
> Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux
> Box with a 2.4.31 kernel. All Unix users and samba users are stored in
> ldap. Using setfacl renders correct user/groups in the windows acl
> editor, and works perfectly. However, when I try to add a user/group in
> the Security tab for a share/folder I get the following message
>
> "The program cannot open the required dialog box because it cannot
> determine whether the computer named fileserv is joined to a domain.
> Close this message and try again."
Already fixed in the upcoming 3.0.23a code which should be out tomorrow. One more bug to fix.
cheers, jerry
[Samba] 3.0.23 for Debian Sarge: LDAP problems
Hi, I always prefer the Samba packages for Debian-Stable from the Samba-Team and I never had a problem so far (thank you, Simo!). Yesterday I updated from 3.0.22 to 3.0.23 in my LDAP-based network. I updated samba.schema, added "index sambaSID eq,sub" to my slapd.conf and ran slapindex. When I started slapd and samba afterwards, I saw error messages like these (from smbd.log): [2006/07/20 00:14:36, 0] lib/smbldap.c:smb_ldap_setup_conn(638) ldap_initialize: Time limit exceeded [2006/07/20 00:14:36, 1] lib/smbldap.c:another_ldap_try(1150) Connection to LDAP server failed for the 1 try! [2006/07/20 00:14:37, 0] lib/smbldap.c:smb_ldap_setup_conn(638) ldap_initialize: Time limit exceeded [2006/07/20 00:14:37, 1] lib/smbldap.c:another_ldap_try(1150) Connection to LDAP server failed for the 2 try! ... ... [message repeated several times] ... [2006/07/20 00:14:50, 1] lib/smbldap.c:another_ldap_try(1150) Connection to LDAP server failed for the 15 try! [2006/07/20 00:14:51, 0] lib/smbldap.c:smb_ldap_setup_conn(638) ldap_initialize: Time limit exceeded [2006/07/20 00:14:51, 0] smbd/server.c:main(960) ERROR: failed to setup guest info. So Samba/smbd does not work anymore. The same errors occur when I run the net command: athena:~# net groupmap list [2006/07/20 14:14:48, 0] lib/smbldap.c:smb_ldap_setup_conn(638) ldap_initialize: Time limit exceeded [2006/07/20 14:14:49, 0] lib/smbldap.c:smb_ldap_setup_conn(638) ldap_initialize: Time limit exceeded ... ... [message repeated several times] ... [2006/07/20 14:15:18, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3039) ldapsam_setsamgrent: LDAP search failed: Time limit exceeded [2006/07/20 14:15:18, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3111) ldapsam_enum_group_mapping: Unable to open passdb Switching back to the previous slapd.conf and samba.schema doesn't work, disabling TLS did not help either. The slapd can be connected with any other non-Samba tool (ldapsearch, phpldapadmin). 
Does anybody have an idea what the problem might be? thank you, Uwe
[Samba] Cannot add ACL entry in Windows.
Hello,
Just upgraded from Samba 3.0.22 to 3.0.23, running on a SlackWare Linux Box with a 2.4.31 kernel. All Unix users and samba users are stored in ldap. Using setfacl renders correct user/groups in the windows acl editor, and works perfectly. However, when I try to add a user/group in the Security tab for a share/folder I get the following message
"The program cannot open the required dialog box because it cannot determine whether the computer named fileserv is joined to a domain. Close this message and try again."
Followed by
"The system cannot find text for message 0x%1 in the message file for %2".
The error occurs with all users, tested on windows xp SP2 and windows 2k3 SP1. The problem occurred in samba 3.0.23, was not present in samba 3.0.22. The improved group handling in samba 3.0.23 makes me reluctant to downgrading though.
Anyone got any ideas what to test/do?
Regards, Linus
[Samba] Re: samba Digest, Vol 43, Issue 27
Hello: I'm away on holidays right now! If this is an Urgent ticket please submit a repair ticket here http://ts.sd57.bc.ca I will be checking my mail still every few days Or Page #613-4732 Thanks Benny.nerd
[Samba] setdriver fails with WERR_ACCESS_DENIED
Hi, I'm using samba 3.0.22 on a Linux/Debian machine. I'm trying to get printer drivers on the server automatically picked by the XP clients on the server.
$ rpcclient localhost -U flavien -c 'enumdrivers'
Password:
[Windows NT x86]
Printer Driver Info 1:
Driver Name: [hp1]
The user "flavien" has PrintOperator privileges :
$ net rpc rights list flavien -U flavien
Password:
SePrintOperatorPrivilege
SeDiskOperatorPrivilege
I try to set the driver to the printer :
$ rpcclient localhost -U flavien -c 'setdriver hp1 hp1'
Password:
result was WERR_ACCESS_DENIED
Something that looks suspicious to me :
$ rpcclient localhost -U flavien -c 'getdriverdir "Windows NT x86"'
Password:
Directory Name:[\\LOCALHOST\print$\W32X86]
Shouldn't it be the netbios name of the server instead of LOCALHOST ? FWIW, the /etc/samba/drivers dir is writeable by "flavien" I'm pretty stuck here now. Any help appreciated. Flavien.
[Samba] Wins problems
I am experiencing annoying problems. At least 2 times per hour samba stops serving as WINS server. BOSS is my PDC:
boss> nmblookup BOSS
no results found
boss>net lookup dc
(nothing)
Also, other computers using BOSS as WINS server cannot find it, and also a domain controller. After stopping and starting samba it works for some time.
my smb.conf tdi.kill-9.pl/smb.conf
-- Regards, Dariusz Dwornikowski Network Administrator Cognifide Poland
[Samba] Home directories
Hi, I have a small requirement. I have a samba setup on my server with the following configuration in [homes] share:
[homes]
comment = Home Directories
browseable = no
writable = yes
path = /home/%u
valid users = %u root
force user = %u
I have added samba and linux users and done all the configuration and shares are visible in windows. When a user logs on the machine only his home directory should be visible. Since i have multiple users who use the windows machines, if i logout say from some machine and if i login once again on the same machine with different user the previous user's home directory is still visible with current user's home directory. I need to resolve it. how could i change my [homes] configuration to do this.
Thanks in advance
Regards Madhavan
[Samba] pdbedit and password policy
Hello, I need to be able to change this: Password must change: Sat, 20 Dec 02:15:51 GMT Apparently the pdbedit utility should be able to change it but I'm not sure of the syntax to use. Thanks Regards, Komal
[Samba] Samba 3.0.22 freeze share
Hello, I have a problem with my samba server...
My configuration:
system: CentOS release 4.2 (Final)
kernel: 2.6.9-22.0.1.ELsmp
samba: 3.0.22 (compiled by myself)
server: HP DL380 G3 2xIntel(R) Xeon(TM) CPU 3.40GHz
ram: 4GB
This server is working in a cluster with another one. They have access to storage (SAN fibre channel). File system is GFS.
Problem with samba: sometimes some shares don't respond to clients. It looks like a freeze. Sometimes it's with a whole share, sometimes a selected directory. In that situation the client (windows 2000, XP) must ALT+CTRL+DEL to kill the explorer process and connect again. Users read/write typical documents to the share: *.doc, *.xls, *.pdf. I have no idea when that problem occurs. Could you suggest a solution? Sorry for my english.
Regards Marek
Re: [Samba] Cifs Mount w/ACL
this tool could be a possible workaround http://de.samba.org/samba/docs/man/manpages-3/smbcacls.1.html greez
Max Kipness wrote:
Hello - I've tried doing some research of previous posts and can't seem to figure out how this may be done. Basically I would like to mount a Windows XP share (using cifs.mount) on a Fedora 4 server, and by doing a stat on on any file in that mounted share, be able to see the windows acl permissions/owner. Is this possible? And if so, how? Thanks, Max
Re: [Samba] Excluding directories from a read-only = yes
i think it's hard in smb.conf without using ACLs provided by the filesystem. can you use veto files, or must your users be able to see those "thousands of folders", too? greez
Ed Curtis wrote:
I have a share with thousands of folders. In each of those folders there is another directory named 'files'. I want to be able to lock down these thousands of folders but allow r/w access to the 'files' folders inside of them. Is there anyway to do this in smb.conf? Thanks, Ed
[Samba] Re: samba Digest, Vol 43, Issue 26
Hello: I'm away on holidays right now! If this is an Urgent ticket please submit a repair ticket here http://ts.sd57.bc.ca I will be checking my mail still every few days Or Page #613-4732 Thanks Benny.nerd
Re: [Samba] samba as pdc in Ubuntu dapper, fails on ps$ join?
ok, this time with attachment, sorry :) L. > Hola, > > I've done everything as correct as I can see in smb.conf under fresh ubuntu > 6.06 fully > updated install to have it run as a PDC on hostname florentine, domain > DAVEYST. > > There are no testparm errors. > > I've added users with useradd and smbpasswd -a > I've added machines with useradd and smbpasswd -a -m > > I can see the server in my network neighbourhood and access/browse folders on > the samba > server using a linux account login within the network neighbourhood. > > However, when I try to go to My computer properties ---> computer name ---> > Change.., and > then put in my domain name and computer name and when prompted use root > account and > password (or any account and password) I get an Access Denied error. > > I've attached a log level = 10 tar.gz of the /var/log/samba/smbd.log of > everything that > happens when I do this process on the workstation (hostname = robin, ie > robin$) - it's > quite long, but it also seems to be successful - see below for abridged > listing. > > I've been on the ubuntu forums where they suggested I should install quota - > but I don't > think that installing quota would solve my problems. > > Has anyone seen anything like this before, or know why despite my smb-log > having the like > of: > > [2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(219) > check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] > with > the new password interface > [2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(222) > check_ntlm_password: mapped user is: [EMAIL PROTECTED] > > > [2006/07/15 15:57:41, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(267) > fetch sid from gid cache 0 -> S-1-5-21-3923429160-1838912494-2447857936-512 > > > [2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(268) > check_ntlm_password: sam authentication for user [root] succeeded > ... > ... 
> [2006/07/15 15:57:41, 2] auth/auth.c:check_ntlm_password(307) > check_ntlm_password: authentication for user [root] -> [root] -> [root] > succeeded > > > [2006/07/15 15:59:43, 3] auth/auth.c:check_ntlm_password(219) > check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] > with the new > password interface > [2006/07/15 15:59:43, 3] auth/auth.c:check_ntlm_password(222) > check_ntlm_password: mapped user is: [EMAIL PROTECTED] > > > [2006/07/15 15:59:43, 3] smbd/service.c:make_connection_snum(488) > Connect path is '/tmp' for service [IPC$] > [2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(250) > [2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(251) > se_access_check: user sid is S-1-5-21-3923429160-1838912494-2447857936-501 > se_access_check: also S-1-5-21-3923429160-1838912494-2447857936-514 > se_access_check: also S-1-1-0 > se_access_check: also S-1-5-2 > se_access_check: also S-1-5-32-546 > > > [2006/07/15 15:59:43, 3] smbd/process.c:timeout_processing(1447) > timeout_processing: End of file from client (client has disconnected). > [2006/07/15 15:59:43, 3] smbd/sec_ctx.c:set_sec_ctx(288) > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 > [2006/07/15 15:59:43, 2] smbd/server.c:exit_server(614) > Closing connections > [2006/07/15 15:59:43, 3] smbd/connection.c:yield_connection(69) > Yielding connection to > [2006/07/15 15:59:43, 3] smbd/server.c:exit_server(655) > Server exit (normal exit) > > > any ideas? 
> > smb.conf follows: > > #=== Global Settings === > > [global] >workgroup = DAVEYST >netbios name = florentine >server string = %h server (Samba, Ubuntu) >wins support = yes >dns proxy = no >name resolve order = wins bcast hosts >security = user >encrypt passwords = true >username map = /etc/samba/smbusers >unix password sync = yes > ; passdb backend = tdbsam >obey pam restrictions = yes > ; guest account = nobody >invalid users = root >log file = /var/log/samba/smdb.log >log level = 3 >max log size = 1 >time server = Yes >passwd program = /usr/bin/passwd %u >passwd chat = *Enter\snew\sUNIX\spassword:* %n\n > *Retype\snew\sUNIX\spassword:* %n\n > *password\supdated\ssuccessfully* . >veto oplock files = \*.prm\*.mdb\*.mda pam password change = yes >domain logons = yes > # domain admin group = root @admin administrator >preferred master = yes >local master = yes >os level = 65 > > # Useradd scripts >add user script = /usr/sbin/useradd -m %u >delete user script = /usr/sbin/userdel -r %u >add group script = /usr/sbin/groupadd %g >delete group script = /usr/sbin/groupdel %g >add user to group script = /usr/sbin/usermod -G %g %u >add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u > > >logon path = \\%N\%U\profile > >logon drive = H: >logon hom
Re: [Samba] ArcView + Samba: Performance nightmare under Linux, ok under Solaris or HP-UX
On Wed, Jul 19, 2006 at 04:00:00PM +0200, Andreas Haumer wrote:
> Any comments?
No, except a big thanks for this analysis. It is always nice to see that this completely paranoid hunt for the 100% compatibility that can be very exhausting sometimes does pay off.
Volker
[Samba] samba as pdc in Ubuntu dapper, fails on ps$ join?
Hola, I've done everything as correct as I can see in smb.conf under fresh ubuntu 6.06 fully updated install to have it run as a PDC on hostname florentine, domain DAVEYST. There are no testparm errors. I've added users with useradd and smbpasswd -a I've added machines with useradd and smbpasswd -a -m I can see the server in my network neighbourhood and access/browse folders on the samba server using a linux account login within the network neighbourhood. However, when I try to go to My computer properties ---> computer name ---> Change.., and then put in my domain name and computer name and when prompted use root account and password (or any account and password) I get an Access Denied error. I've attached a log level = 10 tar.gz of the /var/log/samba/smbd.log of everything that happens when I do this process on the workstation (hostname = robin, ie robin$) - it's quite long, but it also seems to be successful - see below for abridged listing. I've been on the ubuntu forums where they suggested I should install quota - but I don't think that installing quota would solve my problems. Has anyone seen anything like this before, or know why despite my smb-log having the like of: [2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface [2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [EMAIL PROTECTED] [2006/07/15 15:57:41, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(267) fetch sid from gid cache 0 -> S-1-5-21-3923429160-1838912494-2447857936-512 [2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(268) check_ntlm_password: sam authentication for user [root] succeeded ... ... 
[2006/07/15 15:57:41, 2] auth/auth.c:check_ntlm_password(307) check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded [2006/07/15 15:59:43, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface [2006/07/15 15:59:43, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [EMAIL PROTECTED] [2006/07/15 15:59:43, 3] smbd/service.c:make_connection_snum(488) Connect path is '/tmp' for service [IPC$] [2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(250) [2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(251) se_access_check: user sid is S-1-5-21-3923429160-1838912494-2447857936-501 se_access_check: also S-1-5-21-3923429160-1838912494-2447857936-514 se_access_check: also S-1-1-0 se_access_check: also S-1-5-2 se_access_check: also S-1-5-32-546 [2006/07/15 15:59:43, 3] smbd/process.c:timeout_processing(1447) timeout_processing: End of file from client (client has disconnected). [2006/07/15 15:59:43, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2006/07/15 15:59:43, 2] smbd/server.c:exit_server(614) Closing connections [2006/07/15 15:59:43, 3] smbd/connection.c:yield_connection(69) Yielding connection to [2006/07/15 15:59:43, 3] smbd/server.c:exit_server(655) Server exit (normal exit) any ideas? 
smb.conf follows:

#=== Global Settings ===
[global]
workgroup = DAVEYST
netbios name = florentine
server string = %h server (Samba, Ubuntu)
wins support = yes
dns proxy = no
name resolve order = wins bcast hosts
security = user
encrypt passwords = true
username map = /etc/samba/smbusers
unix password sync = yes
; passdb backend = tdbsam
obey pam restrictions = yes
; guest account = nobody
invalid users = root
log file = /var/log/samba/smdb.log
log level = 3
max log size = 1
time server = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
veto oplock files = \*.prm\*.mdb\*.mda
pam password change = yes
domain logons = yes
# domain admin group = root @admin administrator
preferred master = yes
local master = yes
os level = 65
# Useradd scripts
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = startnet.bat
socket options = TCP_NODELAY SO_RCVBUF=8191 SO_SNDBUF=8192
domain master = yes
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash

#=== Share Definitions ===
[homes]
comment = Home Directories
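
Added example, not part of the original post and not Samba code: a Python reader for level-3 smbd log lines like those quoted above. It lists each check_ntlm_password result and names the well-known SIDs in each se_access_check token, so a session that ends up running as Guest stands out. The sample log is constructed from the post's excerpt; the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the level-3 smbd lines quoted in the post.
SAMPLE_LOG = """\
[2006/07/15 15:57:41, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [root] succeeded
[2006/07/15 15:59:43, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-3923429160-1838912494-2447857936-501
  se_access_check: also S-1-5-21-3923429160-1838912494-2447857936-514
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
"""

# Well-known Windows identifiers: domain-relative RIDs and fixed SIDs.
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
               513: "Domain Users", 514: "Domain Guests"}
FIXED_SIDS = {"S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
              "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-545": "BUILTIN\\Users",
              "S-1-5-32-546": "BUILTIN\\Guests"}

AUTH_RE = re.compile(r"authentication for user \[([^\]]+)\].*?(succeeded|failed)", re.I)
SID_RE = re.compile(r"se_access_check: (user sid is|also) (S-1(?:-\d+)+)")

def name_sid(sid):
    """Return a readable name for a well-known SID, else its RID or 'unknown'."""
    if sid in FIXED_SIDS:
        return FIXED_SIDS[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m:
        return DOMAIN_RIDS.get(int(m.group(1)), "RID " + m.group(1))
    return "unknown"

def summarize(log_text):
    """Collect auth results and the access tokens (one list per 'user sid is')."""
    auths = [(u, r.lower()) for u, r in AUTH_RE.findall(log_text)]
    tokens = []
    for kind, sid in SID_RE.findall(log_text):
        if kind == "user sid is":
            tokens.append([])          # a new token starts here
        if tokens:
            tokens[-1].append((sid, name_sid(sid)))
    guest_tokens = [t for t in tokens if t[0][1] == "Guest"]
    return auths, tokens, guest_tokens

if __name__ == "__main__":
    auths, tokens, guest_tokens = summarize(SAMPLE_LOG)
    print("auth results:", auths)
    for t in tokens:
        print("token:", ", ".join(name for _, name in t))
    print("sessions running as Guest:", len(guest_tokens))
```
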
Re: [Samba] Must restart Samba regularly because saving files stops working
On 2006/7/19, Volker Lendecke <[EMAIL PROTECTED]> wrote:

On Wed, Jul 19, 2006 at 06:42:30PM +0200, Roel Slegers wrote:
> When you say "tuning tcp parameters" could you point me in the right
> direction please? Are you talking about tuning the HP-UX kernel, or

This would be the kernel first. smb.conf does not do anything here. But I don't know enough about HP/UX to know how to tune it. You need to give the TCP/IP more space, but to know what exactly needs tuning I can't tell from here.

Volker

Thanks Volker,

We'll see what we can find in our kernel parameters.

Roel

PS: Sorry but I forgot to send a copy of my previous message to the samba list, so I include that now:

On Wed, Jul 19..., Roel Slegers wrote:

Hi, and thanks.

That "No buffer space available" message is something we've always had on our test servers, also on servers with plenty of RAM running only samba with maybe 1 or 2 PCs connected. And this with the various samba versions (2.x - 3.x) we've experimented with in the past. So IMHO I do not think this is RAM related. But to make sure we should maybe resolve this before looking any further.

When you say "tuning tcp parameters" could you point me in the right direction please? Are you talking about tuning the HP-UX kernel, or about tuning smb.conf? Do you know of some documentation that can help do this?

BTW googling seems to show that this "No buffer space available" especially occurs a lot on HP-UX 11 servers; is that possible?

PS: sorry for the upper case...