Re: [Samba] Logon time restrictions?
On Jan 23, 2004, at 12:47 PM, Anders Norrbring wrote: I'll try posting again, just to see if someone knows... Uh - you asked a pretty complex question, and reposting it because noone answered after just 3 hours is expecting a lot! Some of the primary developers of Samba are on the other side of the planet from you, most likely. Give it a day next time. I've browsed to lots of doc. files, but I can't find a good answer. Is it possible to set logon time restrictions to users when Samba operates as a PDC, controlling Windows XP Pro clients? We're in the need to have different time restrictions based on user groups as well as individual users. I can say pretty confidently that you won't be able to do what you need with the stock Samba 2.2.5. You don't say what the host operating system is, but with Samba 2.x, having a restriction such as this really depends on what authentication methods are available on the operating system you are running Samba on, as well as how Samba itself is configured. Let's assume for the moment you are using Linux on the Samba PDC. I have made Samba 2.x jump through hoops with the use of PAM authentication, in order to have password expiration policies and password change policies in effect. I personally have never seen any mechanism built into the standard Linux authentication mechanisms which restricts logon based on time of day. PAM on Redhat certainly doesn't. I suggest you review what is available in Samba 3.0 and later. My understanding is that the authentication mechanisms are much more flexible than they were in 2.x. That said, I think what you need is going to require a bit of work on your part to implement. It's not an out-of-the-box requirement for most Samba servers, to say the least! -- Jim Morris(J i m @ M o r r i s - W o r l d . c o m) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] RE: SPAM
On Tuesday, October 14, 2003, at 02:39 PM, David Brodbeck wrote: I suspect the main culprit is the USENET gateway. Any post to USENET with a valid email address seems to immediately attract lots of virus traffic. Maybe it's time to eliminate the USENET gateway. If USENET wasn't dead before, it effectively is now, since posting to it results in an almost immediate mailbox DoS. I agree. Usenet these days is the domain of spammers and Warez postings. Ten years ago I used to spend hours a day on Linux and Samba (comp.os.protocols.smb) newsgroups, reading and replying to messages. That was back when there were maybe a couple of thousand newsgroups total. As the web grew, my use of Usenet has decreased, and I have not actively bothered to even setup a newsgroup reader in a couple of years. If I cannot find it in mailing list archives or a google search, I am usually not going to waste time in Usenet - with 30,000 or more groups on most Usenet servers today! I vote to kill the mailing list -> Usenet gateway, if that is what is causing these virus email attacks on subscribers. If I wanted to use Usenet, I would go read comp.os.protocols.smb or whatever, directly! -- Jim Morris([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] RE: SPAM
I have to agree with the others on the need for the mailing list to do something. I just posted to the Samba list for the first time in a couple of months, and since doing so, have gotten 3 or 4 dozen of these virus emails. And I run server based email filters - these are the ones that are getting through the filters! The viruses don't infect me, as I only read mail from Linux or Mac OS X, but they are clogging my inbox. The point is - I posted one question to this mailing list today, and in the 4 or 5 hours since, have averaged 10+ virus emails an hour. I am not sure what can be done though. The mails don't even have me as the "To:" address - instead I think they are getting BCC'ed to me by whoever on this list is infected. I would gladly forgo direct replies from this list, and have replies posted only to the list address, if it would eliminate the problem. In other words, the list would almost have to run with anonymous postings or something, for that to work. Obviously you would have to be a subscriber to post, but the emails would be stripped by the mailing list manager. -- Jim Morris([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] smb_register_charset error in Samba 3.0.0
Hi all. I upgraded one of my servers to Samba 3.0.0 over the weekend, using the source. Since doing so, I have had a huge number of errors logged on that system that are all related to usage of the smbmont command. Running smbmount (or mount.smbfs) gives the following error: mount.smbfs: error in loading shared libraries: /usr/local/samba/lib/charset/CP850.so: undefined symbol: smb_register_charset Any ideas here? I build Samba using the same options I used to build Samba 2.2.8a, which does not produce the error: ./configure --with-smbmount --with-pam --with-pam_smbpass --with-quotas --with-winbind --with-utmp Any thoughts are appreciated! Note that the server in question is running a Linux 2.2.x kernel, if that has any bearing on the issue. It is an old Redhat 6.0 box that I have kept up to date manually from tarballs, since Redhat stopped producing errata for Redhat 6.x. Thanks! -- Jim Morris([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba over IPX/NetBeui
On Tue, 2003-03-04 at 11:16, Tirant wrote: > Is it possible to run SAMBA over IPX/NetBeui? (I will thank any suggestion) At this time, no. This question came up on the list not too long ago. Apparently at some time in the past, someone made some patches available to allow an old version of Samba to work over either IPX or NETBEUI (I forget which). However, Samba is pretty much restricted to operation using a TCP socket. It would require a lot of work to modify it to support another protocol. > My mid-term/long-term solution is to get a router with a Wireless AP, > and switch included. Until you can have all of the computers in the same subnet, I don't think you will find an easy solution. Your idea of getting a router is probably best. Of course, you could just do that using your Linux PC, by adding a 2nd ethernet card. I use a Linux system with 2 ethernet cards as my ADSL router - I tried a Netgear Wireless Router (MR314) for a while, and it was not nearly as reliable as the Linux box when it came to keeping the connection up. -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] printing using SAMBA-OSX and XP Network
On Wednesday, February 26, 2003, at 01:42 PM, Dawn wrote: I want to use SAMBA for printing on the Mac in OSX. I downloaded the files. Now, do any of you know where I can get the information-(url) on setting up the Printers using SAMBA? I don't think that OS X can use a Windows or Samba shared printer without an addon product such as 'Dave'. Your Mac already has a version of Samba installed - installing a later version from samba.org will not help with printing. I suggest you instead investigate the use of CUPS for printing to network printers on UNIX/Linux boxes. If your printer is on a Windows 2000/XP system, you can install the LPD print server from Microsoft, and use CUPS to print to that as well. I do that all the time with my iBook to print to Samba and Windows shared printers... -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba & Delphi & Paradox
On Tue, 2003-02-11 at 12:01, Fábio Ferreira wrote: > I have a server samba/linux executing a software Delphi with access to > database Paradox. The configurations are OK, but when more than an user is > accessing the system, he is very slow. > How can I solve this problem? Delpi applications use the Borland Database Engine (BDE) to access shared file databases such as Paradox and dBase files on a network drive. I develop a lot of C++ Builder applications myself, and have been using the BDE for quite a few years now. With dBASE files at least, what causes slow operation when multiple users begin accessing the files are the use of opportunistic locks (oplocks) on the share. When one client is accessing the file, oplocks allow the client to cache database table changes locally. However, when a second client accesses the file, the Samba server issues an oplock break request to the first client that has an oplock on the file. The second client is not granted access to the file until the first client acknowledges the oplock break and flushes all of its changes back to the Samba server. This can take quite a while if the file is large, or if the first client does not acknowledge the oplock break request (due to network errors or buggy client code). There are two things you can try: 1. Disable oplocks on the entire share, by putting 'oplocks = no' in that share definition in smb.conf: [myshare] oplocks = no 2. Or disable oplocks on JUST the Paradox files, by specifying using the 'veto oplock files' option and a wildcard pattern. Here is what I use to prevent oplocks on dBASE files: [myshare] veto oplock files = /*.DBF/*.dbf/*.MDX/*.mdx/ I hope that explanation helps. Remember too that Paradox databases have a file called PDOXUSERS.NET, which will typically be stored in the root of a drive. This file is used to arbitrate file access and locks between multiple Paradox client applications. If using a network drive, this needs to be a common shared location for all client PC's. According to the BDE help, if using Paradox files on a network drive, ALL CLIENT PC's must have the 'NET DIR' parameters set to the same mapped network drive location. This is configured in the Paradox driver settings in the BDE Administration tool -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba and OSX
On Wed, 2003-01-01 at 16:21, Jim LaSalle wrote: > How do I map OSX to Samba file shares? I'm not new to Samba but OSX is a > puzzle. I can get the Mac OSX to see the Samba server but not the > shares. Maybe I'm so hung up on the Windows "net use D: \\server\share" > syntax I can see the forest for the trees. Use the Go->Servers option, or something like that - I don't have my iBook in front of me at the moment. When you do that, type the server name, and connect to the server. To see the full list of shares, you may need to click the 'Authenticate' button, and give a valid username/password pair for the Samba server. Once you do this, the full list of shares should be viewable via a drop down list. Once you pick one of the shares and then click the 'Connect' button, it will be mounted as a volume on your desktop. Alternatively, you can use command line tools such as smbclient, and I am sure that the 'mount' command has syntax for mounting an SMB share into the /Volumes directory hierarchy on OS X. I hope that helps. like I said, I am running off memory here, but I have mounted my Samba server shares many times on my iBook, using Finder.... -- /- | Jim Morris | Email: [EMAIL PROTECTED] || AIM: JFM2001 \--------- -- /--- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba and OSX
On Wed, 2003-01-01 at 16:21, Jim LaSalle wrote: > How do I map OSX to Samba file shares? I'm not new to Samba but OSX is a > puzzle. I can get the Mac OSX to see the Samba server but not the > shares. Maybe I'm so hung up on the Windows "net use D: \\server\share" > syntax I can see the forest for the trees. Use the Go->Servers option, or something like that - I don't have my iBook in front of me at the moment. When you do that, type the server name, and connect to the server. To see the full list of shares, you may need to click the 'Authenticate' button, and give a valid username/password pair for the Samba server. Once you do this, the full list of shares should be viewable via a drop down list. Once you pick one of the shares and then click the 'Connect' button, it will be mounted as a volume on your desktop. Alternatively, you can use command line tools such as smbclient, and I am sure that the 'mount' command has syntax for mounting an SMB share into the /Volumes directory hierarchy on OS X. I hope that helps. like I said, I am running off memory here, but I have mounted my Samba server shares many times on my iBook, using Finder.... -- /- | Jim Morris | Email: [EMAIL PROTECTED] || AIM: JFM2001 \- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Tape Drives
On Wednesday, January 1, 2003, at 10:03 AM, Nate Grissom wrote: Is it possible to share a tape drive using Samba. I have a tape drive that is attached to a Solaris box, that I would like to use to backup my entire environment; Solaris and Windows. If this is possible, how should I configure the smb.conf file. Umm. Samba is really for file and printer sharing - if that tape drive can look like a file or subdirectory that you can share, then it would help! Since I doubt that is the case, you are left using standard Unix facilities such as tar and cpio, or a commercial backup package for Solaris. However, if Samba is installed on your Solaris system, you should be able to use smbclient (in smbtar mode) to perform backups of Windows PC's to the tape drive on the Solaris box. I came across a set of scripts that someone posted to the Samba mailing list a couple of years ago, which would take a list of PC and share names, and do a backup of multiple Windows PC's to the tape drive on a Unix system, using smbclient - with each PC being backed up to a separate tar file on the tape basically. I hope that gets you started in the right direction. If you don't mind spending money, there are a few cross platform backup solutions (Arkeia?) that will let you access the Solaris tape drive from the Windows PC's -- Jim Morris ([EMAIL PROTECTED])
Re: [Samba] virus mailing
I agree with blocking attachments. The sad fact is that if you just ban a user email address that sent a virus to the mailing list, you may be banning an innocent person! I have been seeing a LOT of 'virus removal' messages directed towards my email address, saying that I sent an infected email to a person I never even heard of. The sad fact is, many of these Outlook based viruses forge the sender address using other addresses on the infected computer. I have never used Outlook - all my email is read on either Linux or Mac OS X. I don't even use Windows based email clients - maybe Mozilla once in a blue moon those infected emails came from someone who may have once received mail from me, who DOES run a virus engine such as Outlook. -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] How important are oplocks?
On Thu, 2002-12-19 at 08:20, Jean-Paul ARGUDO wrote: > I read this option in smb docs. Looks great. But in my case, since I > have users yet only working on M$ Office standard, to put a veto for > oplocks on .doc and .xls files equals disable oplocks :-)) I understand. > Other question: is "veto oplock files" really case sensitive? > Couldn't you put some regexp here? SMB dev=> Is this supported? Case sensitivity depends on how you have the 'case sensitive' option of Samba configured the default is NO. I have both cases, but maybe it is not necessary. And no - the option does not use regexp style expressions - just ? and * wildcard characters. Look at 'veto files' for the rules on these expressions -- /--- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] How important are oplocks?
On Thu, 2002-12-19 at 07:41, Jean-Paul ARGUDO wrote: > But, again, I cant bet on a technology. I'm not playing poker and cant > do it with files where maybe all the business of my company is based on. > Thats why I've disabled oplocks. I have had it disabled on all shared-file database extensions I know of for years, while allowing it to be used for other files (Word docs for example). You do it selectively using the 'veto oplock files' option, globally or for a share: veto oplock files = /*.DBF/*.dbf/*.MDX/*.mdx/*.ITB/*.itb/*.MDB/*.mdb/ You get the picture. it is a slash (/) separated list of filename or filename patterns -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] How important are oplocks?
On Thu, 2002-12-19 at 03:56, Marian Mlcoch, Ing wrote: > Thanks Jim for best report of oplock as i read. > Super can be if you can add info or link about list of dangerous database > engines for oplocks... > Btw. Foxpro 2.6 = is ok. > Foxpro 7.. = bad. > Clipper= dangerous... > exist this list for off oplocks? Thanks. But unfortunately, its not that simple.I doubt for example that one version of FoxPro will be good with oplocks, while another is bad. The entire problem with oplocks and shared-file databases such as dBASE, FoxPro, Paradox, Access, etc, is with file caching on the client side (the OPLCOCK), and that client system not breaking the oplock when requested. Even when the breaks do happen properly, the time to write the file back out to the server may be significant, causing a LONG delay on the 2nd client to open the file. When you see oplock problems, I guess you could say it is more client-OS and hardware dependant than it is on the software involve. It just so happens that the type of software that runs into oplock related issues most often is shared-file database software. Most other applications do not have 2 or more users opening the same file at the same time on a routine basis. -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] How important are oplocks?
On Wed, 2002-12-18 at 11:24, John H Terpstra wrote: > Keep in mind that NetWare can use IPX/SPX but more likely, for a number of > years now is using NCP (NetWare Core Protocol) over TCP/IP. > > NCP is a well oiled machine compared with CIFS. However, when in Rome ... > ie: If all your clients speak Swingoli it does no good to insist that > Mockaputri is much better (not that I speak either of them!). Oh - I wholeheartedly agree. I was just making the point about Netware because a poster on this thread was comparing the performance of his Netware server to Samba with oplocks disabled. If your clients are using SMB, obviously the server must speak SMB! ;-) My Netware experience predates NCP over TCP/IP. I shutdown my last Netware 3.11 server in 1994 to replace it with Samba on Linux! That server was a bear to get up too - it was on a PS/2 Model 80 (Microchannel anyone?), and I had to roll my own ethernet driver for Linux to work with the Microchannel ethernet card I had available. That took about 2 weeks of kernel hacking at the time but ultimately, the Samba on Linux solution scaled much better than Netware did on that 386-20 system. -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] How important are oplocks?
On Wed, 2002-12-18 at 09:52, Bob Puff@NLE wrote: > If Samba is corrupting the data files, then why wouldn't this be turned OFF by > default? I would think data corruption would be a major, MAJOR problem, and > reduce the usability of Samba. Is this really true? It comes down to the fact that Samba is faithfully mimicking a Windows NT/2000 server. Windows NT and Windows 2000 servers *BY DEFAULT* also have OPLOCKS enabled. Oplocks provide a *SIGNIFICANT* performance boost for network file operatings when a single user is accessing a file. They allow the *CLIENT* machine to basically cache the file locally, just like caching a local file on a local hard drive. Writes to the file are cached as well. Where oplocks cause problems is when a second client wants to open the same file (as in a shared file database). Then the Samba/NT/2000 server must issue what is called an 'oplock break request' to the first client that has oplocks on the file. The client is supposed to then flush any changes to disk, and release the oplocks on the file. The server must then wait on this to happen before the second client can be granted access to the file. Problems arise when the client takes too long to respond, or fails to respond to the oplock break request from the server. The second client sees a long delay in opening the file. Furthermore, if file IS opened by the second client and the first client never responded, or responds after the timeout occurs, then you can end up with file corruption, as the first client finally flushes changes to disk, after the second client has read the now outdated data, and is using it. Regardless of the problems, the fact of the matter is that if Samba does not enable oplocks by default, just as Windows NT and 2000 servers do, then Samba servers yeild much lower performance for many server file operations performed by the typical Windows network client. You would have everyone screaming about how slow the network is, and Samba would come nowhere near the performance of Windows NT/2000 servers in benchmarks. I have been using shared file databases on Windows NT and Windows 2000 servers for years now (dBASE files). For all customer installs, we *MUST* disable oplocks on the NT/2000 servers in order to maintain database integrity. So this problem is not unique to Samba. Samba handles it much more gracefully than NT/2000 do! On NT/2000 servers, you have to edit a registry key that disables oplocks globally on the entire server. With Samba, I can disable them on a share or file wildcard pattern basis, using the 'veto oplock files' option in smb.conf. The user that compared Samba with/without oplocks to his Netware server's performance is not comparing apples to apples. Samba clients are using the Windows Networking client - and really can only be compared to a comparably equipped and configured Windows NT/2000 server. Netware servers require the use of a Netware client package. The Netware client has an entirely different implementation of locking mechanisms, caching algorithms, and the entire network protocol and file sharing model is different. As is the Netware server. I think most experts that have ever researched the topic will agree that for sheer file serving performance, nothing can beat Netware. Historically anyway. I've not seen any benchmarks that included Netware in a few years. Where Netware falls down is in 3rd party support (these days), and the ability to run general purpose applications on your server. Plus, the server and client licenses are a LOT more expensive than a Samba server solution. I'll hazard a bet that if one were to examine the Netware IPX/SPX protocol, it is nowhere nearly as convoluted and ad-hoc as the SMB protocol, which Microsoft hodge-podged together. You really have to step back and think about the amount of effort involved by the Samba Team in faithfully reverse engineering and reproducing all the intricate details of a protocol that is such a mess! Keep up the good work, 'Team Samba'! -- /--- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] FOX PRO 2.6 on SMB
On Mon, 2002-12-16 at 19:24, Ing Juan Pablo Feria wrote: > We have some Fox Pro apps shared on Samba server (I know FOX sucks) and > sometimes we need to recreate indexes, and we have to call all the users > and ask them to close their programs. > > If we kill the user's smb process we got corrupted indexes... > > here's the question : is there any way to force the used files by an smb > user process to close avoiding corruption, or perhaps make the server > "think" that the user's the one closing the files. I don't think there is a way to do this. With the xBase file format (.DBF), you are talking about a shared-file database on a file server. When a client is updating the file, the client is also responsible for maintaining (updating) any production indexes for that file (the .MDX file for dBase anyway). This is happening on the client side - not the server side. I don't see how the smbd process could know the index was updated or flushed to disk properly, since index changes may still be cached on the client side Your best bet in my experience with dBASE or FoxPro is to disable oplocks on those files, to avoid client-side caching of the files. Use the 'veto oplock files' parameter on the share to do this. Samba also has several options that control write caching and syning to disk. These may help ensure that the index file changes are always flushed to disk as well -- /--- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Access to Everyone
Just create a 'guest only' share, and set 'writeable = no' on that share Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Caching
On Wed, 2002-12-11 at 11:28, KaZeR wrote: > thanks for your reply :) Unfortunately - I didn't know I had sent anything! I had a inadvertent key sequence while typing, and closed the window, and ultimately had to kill the mail program. So what I sent was incomplete > ok, so have you got an idea to solution this problem? this problem is > concerning a server sharing a front office application with three clients > (under Win). The caching of files makes client having incompletes datas.. This sounds like the CLIENTS are caching the data, rather than the server. I would try an initial test of disapling OPLOCKS on the share in question: [sharename] oplocks = no This may impact overall performance, but will at least tell you if oplocks by the clients are the issue. If you determine oplocks to be the issue, you can disable them on specific files or filename patterns. You don't say what application is involved here, or what OS the clients are running. File locking options and share modes can also be a factor, but in any case, it all depends on what type of application you are using, and you have not provided that critical detail. Is this a database application, using shared files? If so, what database is used? Access? dBASE (.DBF files), etc You could try (globally or on the share): locking = yes strict locking = yes share modes = yes dos filetime resolution = yes Good luck! -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Caching
On Wed, 2002-12-11 at 11:09, KaZeR wrote: > I need to know how to tell samba not to cache files. Well, This is a very broad subject. There can be both client-side and server-side caching involved when accessing a Samba server. The caching of files on the server is really an OS-level tuning option, beyond the scope of Samba's configuration. However, there are a number -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Samba Performance question
Wolfgang, I think the bottleneck is what another poster has just pointed out - the fact that Samba is trying to support both long filenames and the older DOS 8.3 style 'mangled' filenames. The time spent building the list of mangled filenames for the huge numbers of files you have must be very time consuming. Have you looked at CPU load during the operation that the customer complains is too slow? If it is high, that lends credence to this theory. The fact that you see a 2X increase in speed when going with ASU seems to also point to something other than the storage itself as the problem... -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba Performance question
On Friday, December 6, 2002, at 04:13 AM, Noel Kelly wrote: Someone else might well know better but I believe this is a file system issue. ext2/ext3 manipulate the directory entries using lists so if you have a great many files in one directory you will see performance issues as you describe. The original poster is running an HP cluster system with Tru64 v5.1! Linux has nothing to do with his issues. The answer to this is to change filesystem - no mean feat with your data sizes. Filesystems like XFS and ReiserFS use binary trees to manipulate the directory entries and it is a far faster way of doing things with crowded directories so you should see an improvemnet. Probably a good point, but again, he is limited to the filesystems available under Tru64. I have only used HP-UX up through V10.0, and am not familiar with Tru64, so cannot comment on that I suppose an alternative short term solution is to get the users to break large directories up into small ones if the data lends itself to it. Probably the best solution - but maybe not what his customer will want to hear Wolfgang: is this on a raid array, or some type of other storage array? Could that be the bottleneck? Is the NT system using comparable storage hardware? -- Jim Morris ([EMAIL PROTECTED])
Re: [Samba] Locking user accounts
On Thu, 2002-12-05 at 08:52, Martijn van Brummelen wrote: > If I apply the patch that you say I will have too use pam. But the whole idea > of smb-ldap is not too use pam right? I think your solution works with pam > but not with ldap I think. Cause all information is stored in ldap and pam > does not get involved. I will wait for more replies for a while, if that does > not work. I will try your solution. This is indeed the case. This solution only works when you are using PAM. If you are authenticating against an LDAP server, you will need to somehow cause the account information stored on the LDAP server to become disabled after a number of failed logon attempts. Unfortunately, I do not know of any method to do that with an LDAP server. From Samba's perspective (for user authentication), the LDAP server is just another way of storing the same information that we would store in the smbpasswd file. Think of it is a database that we use for looking up the username and password. The database (or directory in this case) is just a storage mechanism. It has no facilities for locking out an account. We are looking up data in the directory - we are not logging into the directory with the given username and password. Without major changes to Samba, I believe there is no way to achieve what you want with just LDAP as the Samba authentication mechanism. I would like to point out that there is a pam_ldap module available that allows a Linux system to do user authentication against an LDAP directory, rather than against a Unix password database. By doing that, you could have failed logons still use the pam_tally module to increment a failed logon attempt counter, while using LDAP for the backend password storage. In this case, both the Unix and Samba passwords would be stored in the LDAP directory I suppose. Can someone that is using LDAP for Samba authentication comment on this, especially if you are also using PAM? Thanks! -- /----------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Locking user accounts
On Thursday, December 5, 2002, at 06:59 AM, Martijn van Brummelen wrote: At this moment I am running a samba-ldap-pdc. This works really good. But what worries me is the following thing: user accounts never get locked. This is a problem cause anyone can guess or use bruteforce to enter password. Is there a solution/workaround for this? I want the following situation : when a user tries to logon for 4 times I want the account to lock out the account. Winnt disables the account for several minutes and then the account is locked out. This subject has come up several times in the past couple of weeks. I just went down this road myself actually. Samba has no built in facility for accomplishing what you need. However, if you are familiar with PAM, there is a PAM module (pam_tally) that is specifically for locking out an account after a specified number of failed logon attempts. (A successful logon resets the count to zero any time before the limit is reached). If you have configured Samba with 'obey pam restrictions = yes' in the smb.conf file, Samba will fail the logon once pam_tally's retry limit is reached. However, the kicker is that if you are using encrypted passwords with Samba, the password lookup is not done via PAM - just the account verification. So a bad logon attempt via Samba does not increment the failed logon counter. The solution to this is in a 2 line patch to the Samba 2.2.7 source code, which I posted to the samba-technical mailing list this past Monday. This patch causes Samba to increment the failed logon count via pam_tally.so, when you are using PAM, and encrypted passwords for Samba. Here is the patch again, against the Samba 2.2.7 source tree: diff -r samba-2.2.7.orig/source/smbd/password.c samba-2.2.7/source/smbd/password.c 617a618,624 #if defined(WITH_PAM) // Jim Morris, 12/03/2002. UGLY HACK TO FORCE PAM_TALLY COUNTER TO // BE UPDATED WHEN LOGON FAILS USING SMBPASSWD FILE. if (lp_obey_pam_restrictions() && (ret == FALSE)) smb_pam_passcheck( user, password ); #endif Basically, the trick is to call the PAM password check with a bad password after the encrypted Samba password verification fails. I have most PAM services setup to use the system-auth service, which is where I have configured pam_tally. Here's my /etc/pam.d/system-auth file: #%PAM-1.0 authrequired /lib/security/pam_env.so authsufficient/lib/security/pam_unix.so likeauth nullok authrequired /lib/security/pam_deny.so authrequired /lib/security/pam_tally.so no_magic_root deny=3 reset account required /lib/security/pam_unix.so account required /lib/security/pam_tally.so no_magic_root deny=3 reset passwordrequired /lib/security/pam_cracklib.so retry=3 type= passwordsufficient/lib/security/pam_unix.so nullok use_authtok md5 shadow passwordrequired /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so Yours may be different if the Unix accounts are authenticated against an LDAP server! Here's /etc/pam.d/samba: %PAM-1.0 auth required pam_nologin.so auth required pam_stack.so service=system-auth accountrequired pam_stack.so service=system-auth sessionrequired pam_stack.so service=system-auth password required pam_stack.so service=system-auth password required pam_smbpass.so use_authtok use_first_pass I hope this information helps! -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] password expiration
On Tuesday, December 3, 2002, at 01:46 PM, <[EMAIL PROTECTED]> wrote: 1) Does Samba now fully support password expiration? (I can get it to pop up a message on the windows client that the password is about to expire, but it keeps letting me log on) Samba does not directly support password expiration (at this time anyway). It indirectly can support it via PAM on Linux, Solaris or other PAM enabled systems. In these cases, by setting 'obey pam restrictions = yes' in your smb.conf file, you can have Samba obey any expiration settings on the user accounts, which you have setup in the Unix password database. That said, my experience in implementing this for a large site recently is that you will NOT get any sort of password expiration dialog at the Windows clients. What happens is that you either can login, or you cannot. Once the password has expired, you can no longer logon to the domain or the Samba server. No explanation is given - it is as if you keyed in a bad password. 2) How do I get it to change password from the "password is expiring" dialog? (I can change the password from the "change password" button in windows, but when I say I want to change it from the "password about to expire" message, I aways get "can't change password because domain is unavailable" I think I addressed this already - Samba is not what displays this dialog on the Windows client. The solution I ultimately implemented in order to meet a new 60-day password expiration policy was to implement a web page which is invoked by the Windows logon script if the user is within the 'warning' period configured in the Unix password database. 7 days for example. During that period, a web page will be invoked by the logon script, telling the user their password is about to expire in x days, and giving them a link to a URL on the Samba server itself, where they can change their password. I guess maybe I could put something together like a HOWTO on this topic if it sounds useful to others. It took a few days to peice together a solution -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Simultaneous logins
On Tue, 2002-12-03 at 09:18, Dimitrios Stergiou wrote: > if user1 logins from pc1, then i want him to NOT be able to login from anothe > pc until he is logout from pc1. > > Any ideas/pointers? We had a big discussion of this topic last week on the samba-technical mailing list. It appears that at this point in time, what you want to do is not supported by Samba itself. For that matter, Windows NT/2000 Server does not have a provision for this. You can setup a list of workstations that a user is allowed to login from on a Windows NT/2000 Server - but you cannot restrict concurrent logons from those workstations. Netware is the only PC-based NOS that I know of that has a provision for doing that. Anyway, the consensus was that this is one of several features that should be focused on after the impending Samba 3.0 release is complete. -- /----- | Jim Morris | Email: [EMAIL PROTECTED] || AIM: JFM2001 \- -- /------- | Jim Morris | Email: [EMAIL PROTECTED] | |AIM: JFM2001 \--- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Simultaneous logins
On Tue, 2002-12-03 at 09:18, Dimitrios Stergiou wrote: > if user1 logins from pc1, then i want him to NOT be able to login from anothe > pc until he is logout from pc1. > > Any ideas/pointers? We had a big discussion of this topic last week on the samba-technical mailing list. It appears that at this point in time, what you want to do is not supported by Samba itself. For that matter, Windows NT/2000 Server does not have a provision for this. You can setup a list of workstations that a user is allowed to login from on a Windows NT/2000 Server - but you cannot restrict concurrent logons from those workstations. Netware is the only PC-based NOS that I know of that has a provision for doing that. Anyway, the consensus was that this is one of several features that should be focused on after the impending Samba 3.0 release is complete. -- /----- | Jim Morris | Email: [EMAIL PROTECTED] || AIM: JFM2001 \- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Share Concurrency
On Sunday, December 1, 2002, at 03:55 PM, Paul Ketelaar wrote: Samba Gurus, How can the number of concurrent connections to a Samba share be limited. Say for example you have an article of software for which you only have 5 licences. When all five seats are used and 6th connection is attempted the user cannot connect. You can limit the number of concurrent connections to a share using the 'max connections' option in smb.conf, which is set on a per-share basis. I actually use this to arbitrate access to an old DOS application in use at one site, which can only operate with one user at a time - if two run, data corruption can occur. This application is on a special share by itself, with the setting 'max connections = 1' for that share. I use a setting of 'deadtime = 1', which is a very low setting, to kill clients that no longer have open files on the share. That way a user cannot lock other users out of the share indefinitely once they have closed the application and no longer have open files. Normally though, a batch file is run (from an icon on the user's desktop) that maps the share (using 'net use'), runs the app, and then unmaps the share when done (net use /d). -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Version 2.2.6 and above are not able to store big files over 2GB
On Friday, November 29, 2002, at 10:09 AM, Klaus Ethgen wrote: when I store a file biger than 2GB to a samba server version 2.2.5 everythink works fine. But when I do that with a server version 2.2.6 or 2.2.7 the saving fails on the 2GB limit. The problem can be seen with windowsclients or with smbclient (any version > 2.2.5). I did some debuging and find that the lseek64 fails. But I didn't find the reason. Is this on the same exact server, and on the same server filesystem? I ask, because on Linux at least, some of the native filesystem types still have a 2GB file size limit. My recent experience is that ext2 and ext3 still have a 2GB filesize limit by default. On the other hand, ReiserFS does not, since version 3.5.x. Just something to consider. it may be a Samba bug, but if the lseek64() fails, it would seem to lie in the filesystem.... -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba + Clipper
On Friday, November 29, 2002, at 05:43 AM, Riviera Adm - Marcelo Oliveira da Costa wrote: Then we turned off oplocks and level2oplocks and found peace. But sometimes the system until freeze in one station and this freeze others stations too. When clipper system is closed in the first freezed station, the others return to normality. This sounds like a locking issue. What locking related options do you have set in smb.conf? Also consider the possibility of a network hardware issue (bad network card, bad cabling, bad hub). Test performance using a tool like a 'flood ping' on your Linux server to some of the problem clients. As root, run 'ping -f x.x.x.x' and see what percentage of packets (if any) are dropped after you let it run a little while. Press Ctrl-C to stop the test I use dBASE files that are several hundreds of MB's in size (total size of almost 1GB in about 8 dBASE tables). Application performance is acceptable on both 10BaseT and 100BaseTX LAN segments - although you can notice a difference on the 100Mbps segments certainly. Locking options I use are: locking = yes strict locking = yes share modes = yes Note that you can turn off oplocks for JUST the DBF/MDX/NDX files using the 'veto oplock files' option in your smb.conf, on a per-share basis. For example: [sharename] veto oplock files = /*.DBF/*.dbf/*.MDX/*.mdx/ The softhouse that was developer clipper system say: * linux and samba is the problem > he don't know nothing about linux He is wrong on that point - I've been using Samba for dBASE file storage since 1994 * network bandwidth is the problem [100 and 10 Mbit/s] > maybe ... That depends on what type operations you are doing. I have seen decent performance on 10BaseT LAN segments for indexed lookups on DBF files that were 200-300MB in size. Writes can take longer though, as when you append a record, the index update may require rewriting the index file on the server. * server is the problem [ Compaq ML330G2 : PIII 1GHz, 256, 18GB SCSI, 100Mbit/s only file server for 33 clients ] > I don't believe in this ... The server is not an issue, as long as its disk performance is able to sustain the network bandwidth. CPU is usually not a factor. I have a dual PII-400 and a Pentium 100MHz still in active operation as Samba servers. Our major DBF has 65MB and the major NSX has 18MB. I think that is big and the problem is it, but system developer say that isn't. It is big, but not too big. It really depends on how the application is written, and how it updates the data tables and indexes I don't want to come back to NT4, where the clipper system too crash. Resume: Where I can find information about samba and clipper systems ? Good luck - there will not be too much info. We migrated most of our DOS based clipper applications to C++ applications for DOS and Windows years ago. Even in that environment, not too much developer support is available these days. Good luck with your problem. -- Jim Morris ([EMAIL PROTECTED])
Re: [Samba] Login scripts
On Friday, November 29, 2002, at 04:25 AM, Simon Chappell wrote: I have noticed that my XP system does not pick up its login script at bootup. the win98 is fine but XP just skips it. I am using %g.bat in the smb.conf. Is there a problem with WinXP(many I hear you say) that stops it from picking up login scripts. Is this XP Pro, or XP Home? If its XP Home, then I do not think domain logons will be an option - and therefore you will not see the logon script processing. If its XP Pro, is it setup to logon to the domain properly? I know these may be simplistic questions, but it never hurts to check the obvious -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [SAMBA] config/performance problem on solaris 8
On Thursday, November 28, 2002, at 09:05 PM, Justin Richards wrote: at any rate, thank you both for helping me look at this problem! this kind of performance will keep me happy for a while! I'm glad to hear I steered you in the right direction! Just remember to use FTP in the future any time you want to check network performance. Any idea why tcp:tcp_conn_hash_size=32768 would have such negative affect? We have tweaked this setting on some of our larger servers at work (E4500's, E6500's and Sunfire 4800's) and it never had bad results.. Not having touched Solaris or a Sparc based system in almost 5 years, I cannot really comment on these settings in your /etc/system file. What I see on the Sun web site indicates this sets the size (in entries) of the TCP connection hash table, with the default value being 512. One would think this would affect TCP connections for both reading and writing equally. But then again. I don't really know! The Sun docs do say only to change it from the default if you expect to consistently have more than a few thousand concurrent TCP connections. Anyway, I'm glad to have been of service -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [SAMBA] config/performance problem on solaris 8
Justin, What type of performance do you get when putting a file to the server using FTP? Or NFS for that matter? If there is a networking issue other than Samba, you should see slow write performance using those protocols as well Samba will probably be close to NFS in speed, with both being somewhat slower than FTP, which has less protocol overhead (no filesystem involved). -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Foxpro configuration
On Wednesday, November 27, 2002, at 09:53 PM, Sascha Wüst wrote: could someone please give me the correct entries for using Foxpro with a samba share. I tried everything I can think of in the smb.conf but I am always confronted with locking problems and multiuser issues: Let me take a stab at helping you. I have had many years of running XBase applications on Samba file servers - we have Clipper, dBASE and 32-bit Windows applications developed using the Borland Database Engine (BDE), and Codebase. dBASE should be pretty much the same as Foxpro for locking issues, since most of the locking is defined in the DBF file format. Ok - to comment on your smb.conf options oplocks=off Don't do this on a global basis, unless FoxPro database files are the only thing on the server. Leave oplocks at their defaults for Samba 2.2.x, and turn off oplocks selectively for your FoxPro files under each share's settings in smb.conf, using the 'veto oplocks' option. Here's an example: [data] comment = Database Storage veto oplock files = /*.DBF/*.dbf/*.MDX/*.mdx/*.NDX/*.ndx/ lock spin count = 3 lock spin time = 25 I have never changes those options from their defaults. I don't think these are your problem. locking=yes In addition to this, I would add: strict locking = yes Strict locking will enforce file locks even if the client is a 'poorly written' one that does not check for locks properly. Other settings to check are to make sure you have not turned off things like 'share modes', which are crucial for most DOS and Windows apps to work properly when sharing files. Let me know if any of this helps. -- Jim Morris ([EMAIL PROTECTED]) -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Multiple server names on one machine
Beckett, Martin" <[EMAIL PROTECTED]> wrote: > I want to have a single samba server with file shares under multiple server > names. > > eg: \\fileserver\share > \\appserver\\share > \\backup\\share > > All being the same physical machine, the idea being that as the system > expands these can be moved > onto separate machines as demand increases without having to change all the > clients. Ok - here's how you do that. As another email mentioned, it is done using the "netbios aliases" option *AND* - assuming the shares are different for each server - the "include" directive in the smb.conf file. Here's an example that has two "virtual" samba servers showing up in the workgroup/domain, with different shares. To do this, we will use 3 files: smb.conf, server1.conf, and server2.conf. The important thing to note is the usage of the "netbios aliases" directive, and the placement of the "include" directive at the end of the [global] section of smb.conf. We use the substitution parameter %L, which gets replaced by the NETBIOS name the server is being accessed as. smb.conf [global] netbios name = SERVER1 netbios aliases = SERVER2 . . . . include = %L.conf Now, we want to put share definitions that we want to be UNIQUE per virtual Samba server into the server specific file we are including at the bottom of the [global] section of smb.conf. You could include shares you want to be on ALL servers - such as [homes] and [printers] - in the main smb.conf file. Note as well that you could START the server specific files with more global options. For example, you may want one virtual server to be accessed using share-level security, and the other with user-level security. Here are some server specific share definitions. server1.conf [apps] comment = Shared Application files path = /shared/apps read only = No guest ok = Yes guest only = Yes server2.conf [data] comment = Shared Data files path = /shared/data read only = No guest ok = No guest only = No Anyway - gotta go. hope this gets you going in the right direction! -- /-\ | Jim Morris | [EMAIL PROTECTED] | \-/ -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
