Re: [Samba] Samba's incorrect handling of LDAP ppolicy responses (yes, again)

2009-05-19 Thread Ryan Steele

Volker Lendecke wrote:
> On Mon, May 18, 2009 at 01:36:12PM -0400, Ryan Steele wrote:
>> Probably beating a dead horse, but is it still the case (as it has been
>> for several years) that Samba incorrectly handles responses from LDAP's
>> ppolicy overlay?
>
> As we are working more actively with bugzilla again now, can
> you please file a bug report as an enhancement?
>
> Thanks,
>
> Volker


No problem.  To the 3.4 branch or the 4.0?  Also, as I stated before, 
I'm more than happy to help in any way I can.


--
Ryan Steele
Systems Administrator
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba's incorrect handling of LDAP ppolicy responses (yes, again)

2009-05-19 Thread Ryan Steele

Volker Lendecke wrote:
> On Tue, May 19, 2009 at 09:31:30AM -0400, Ryan Steele wrote:
>> No problem.  To the 3.4 branch or the 4.0?  Also, as I stated before,
>> I'm more than happy to help in any way I can.
>
> 3.4. please.
>
> Volker


Here ya go.  Let me know if you have any questions or concerns:

https://bugzilla.samba.org/show_bug.cgi?id=6375

--
Ryan Steele
Systems Administrator


[Samba] Samba's incorrect handling of LDAP ppolicy responses (yes, again)

2009-05-18 Thread Ryan Steele

Hey folks,


Probably beating a dead horse, but is it still the case (as it has been 
for several years) that Samba incorrectly handles responses from LDAP's 
ppolicy overlay?



Thread references on the subject where I've asked before are listed below:


 * http://lists.samba.org/archive/samba/2008-April/139711.html
 * http://www.mail-archive.com/samba@lists.samba.org/msg96183.html


Before anyone asks, no I don't have the money to personally fund 
development of this entire functionality change, though I'd be happy to 
contribute a smaller monetary amount, or provide testing, suggestions, 
and beer at the local pub.


Regards,
Ryan
--
Ryan Steele
Systems Administrator


Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay

2008-10-05 Thread Ryan Steele

Alexandre Biancalana wrote:
> On 10/2/08, Ryan Steele [EMAIL PROTECTED] wrote:
>> Volker Lendecke wrote:
>>> On Mon, Sep 29, 2008 at 10:14:01AM -0400, Adam Tauno Williams wrote:
>>>> This is, AFAIK, the only solution currently.  We do the
>>>> same thing.  It stinks.
>>>
>>> As I said in the former mail thread: Patches are welcome. If
>>> you really want it done quickly, some companies on
>>> http://samba.org/samba/support also offer development
>>> services.
>>>
>>> Volker
>>
>> Unfortunately, I suspect that many of the folks who probably want this done
>> are system administrators, not software developers.  As a systems
>> administrator, I do have the ability to write code, but all I really use in
>> my day-to-day life is Perl and Bash, maybe dabbling in some Python or Ruby.
>> As Samba is written primarily in C, I probably wouldn't write very good
>> patches for it - I find that my proficiency lies in the languages I actually
>> use now, not the ones I used during undergrad in college.  And while I'd
>> love to just dump money in to the project (or have an employer do it), that's
>> just not always a reality (especially not the amounts needed to fund
>> development efforts).
>>
>> All that being said, I'd be curious to know where this lies in the current
>> development pipeline (if at all).  Again, I (and I believe the community)
>> think this would be very beneficial to Samba as a use and marketing tool,
>> and deserves some consideration.  I'm happy to do what I can - testing,
>> tracking down bugs (even if I can't submit working patches), and money when
>> I have it.  But mostly I rely on good developers to develop, so that I can
>> focus on my role in the chain - testing it and implementing it in real-world
>> situations, and promoting it by installing it in all applicable
>> environments.
>>
>> However, it can't be overstated how much I appreciate the work that has
>> been done up to this point on Samba - it's a fantastic piece of software.
>> Keep up the good work!
>
> Do we have any paper explaining the work that has to be done? Or
> early patches (proof of concept) that could be used as starting point
> for this?


I don't think there are either of those (officially).  The thread I
started back in April (which starts here:
http://lists.samba.org/archive/samba/2008-April/139711.html) has all the
technical details on exactly what happens currently, and suggestions
about how it could be fixed.  But, I can try and sum up the general idea
of what's wrong (as best I can remember, forgive me if I'm a little off
in some aspects - it's been several months since I've dealt with it),
and how it could be fixed.

Take the case where a Windows user has logged in to the Samba domain,
and attempts to change their password by hitting ctrl+alt+delete.  The
user provides their old password, and the new password, and sends both
to Samba.  Samba then checks to see what its passdb backend is, which
in this case would be ldapsam:ldap://server, and as a result sends the
old and new password to LDAP.  If LDAP is using the ppolicy overlay, it
checks to see if the new password meets all the criteria defined in the
ppolicy.  Take the ppolicy entry I described in that thread:

56 cn=Password Policy,ou=Policies,dc=example,dc=com
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinAge: 3468000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdMaxFailure: 2
pwdLockoutDuration: 60
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckModule: check_password.so
pwdSafeModify: FALSE


This is an entry that is visible to ANYBODY who queries LDAP.  It uses
the above attributes to check if the password is sufficient - e.g.:

  Is it long enough (pwdMinLength - minimum six characters)?
  Is it one of the last 6 passwords (pwdInHistory)?
  Is it strong enough (pwdCheckModule - it uses check_password.so to
check the strength; the check_password.so was a shared object created
by compiling a small C program I wrote that checked to see if the
password had at least 3 out of 4 of the following: one uppercase letter,
one lowercase letter, a number, and a punctuation mark.  The
pwdCheckModule has to be of the form described here:
http://linux.die.net/man/5/slapo-ppolicy)

If the user provided a password that only had numbers in it, it would
fail the pwdCheckModule check because it only met 1 of those 4 strength
criteria, and LDAP returns 0x13 (NT_STATUS_PASSWORD_RESTRICTION) and the
following message to Samba:

[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
 Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
 ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
   Password fails quality checking policy


But, instead

Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay

2008-10-02 Thread Ryan Steele

Volker Lendecke wrote:
> On Mon, Sep 29, 2008 at 10:14:01AM -0400, Adam Tauno Williams wrote:
>> This is, AFAIK, the only solution currently.  We do the
>> same thing.  It stinks.
>
> As I said in the former mail thread: Patches are welcome. If
> you really want it done quickly, some companies on
> http://samba.org/samba/support also offer development
> services.
>
> Volker
  
Unfortunately, I suspect that many of the folks who probably want this 
done are system administrators, not software developers.  As a systems 
administrator, I do have the ability to write code, but all I really use 
in my day-to-day life is Perl and Bash, maybe dabbling in some Python or 
Ruby.  As Samba is written primarily in C, I probably wouldn't write 
very good patches for it - I find that my proficiency lies in the 
languages I actually use now, not the ones I used during undergrad in 
college.  And while I'd love to just dump money in to the project (or have 
an employer do it), that's just not always a reality (especially not the 
amounts needed to fund development efforts).


All that being said, I'd be curious to know where this lies in the 
current development pipeline (if at all).  Again, I (and I believe the 
community) think this would be very beneficial to Samba as a use and 
marketing tool, and deserves some consideration.  I'm happy to do what I 
can - testing, tracking down bugs (even if I can't submit working 
patches), and money when I have it.  But mostly I rely on good 
developers to develop, so that I can focus on my role in the chain - 
testing it and implementing it in real-world situations, and promoting 
it by installing it in all applicable environments.


However, it can't be overstated how much I appreciate the work that has 
been done up to this point on Samba - it's a fantastic piece of 
software.  Keep up the good work!


Respectfully,
Ryan


Re: [Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay

2008-09-28 Thread Ryan Steele

Volker Lendecke wrote:
> On Fri, Sep 26, 2008 at 12:16:22PM -0400, Ryan Steele wrote:
>> Some months back, I entertained a conversation with Volker Lendecke,
>> Adam Tauno Williams, and Simo Sorce about getting Samba to play nice
>> with LDAP's ppolicy overlay.  (Thread starts here:
>> http://www.mail-archive.com/samba@lists.samba.org/msg92134.html and ends
>> here: http://www.mail-archive.com/samba@lists.samba.org/msg92214.html)
>> I was wondering if any progress had been made on this front that would
>> make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit
>> more streamlined?  Certainly, there have to be more than a few folks out
>> there who would see this as a huge leap for Samba, and give it more of
>> an edge in the market?
>
> At least I'm not aware of anything that has been done.
>
> Sorry,
>
> Volker
  


Well, given that nothing has been done, what are other folks doing to 
synchronize Samba password policies with LDAP password policies?


I remember (and the aforementioned thread explains) the situation where a 
Windows client would attempt to change their password to something weak, 
and Samba would then ask LDAP if the password met the ppolicy 
restrictions.  If it didn't, LDAP would return a message stating that 
the password policy was violated, but Samba would return a completely 
unrelated error message (even though it clearly got the ppolicy message 
from LDAP).


My workaround was to implement the same security policy in Samba via 
pdbedit, so essentially the LDAP policies were duplicated in Samba.  
Another thread I was involved in back then 
(http://lists.samba.org/archive/samba/2008-April/139594.html) briefly 
describes this.  But, again, this is far from the perfect situation of 
having one universal way to enforce password policies, and still has 
its share of problems.


I'd be interested to hear what others have done to circumvent or 
otherwise work around this type of problem.


Respectfully,
Ryan


[Samba] Revisiting Samba's interaction with LDAP's ppolicy overlay

2008-09-26 Thread Ryan Steele

Hey folks,

Some months back, I entertained a conversation with Volker Lendecke, 
Adam Tauno Williams, and Simo Sorce about getting Samba to play nice 
with LDAP's ppolicy overlay.  (Thread starts here: 
http://www.mail-archive.com/samba@lists.samba.org/msg92134.html and ends 
here: http://www.mail-archive.com/samba@lists.samba.org/msg92214.html)  
I was wondering if any progress had been made on this front that would 
make the job of maintaining PCI/DSS compliance for Samba PDC shops a bit 
more streamlined?  Certainly, there have to be more than a few folks out 
there who would see this as a huge leap for Samba, and give it more of 
an edge in the market?


Respectfully,
Ryan


Re: [Samba] check password script

2008-04-30 Thread Ryan Steele
Ryan Steele wrote:
 Hey folks,

 My 'check password script' seems to work well, but I have a question
 about the messages returned to the user.  Currently, it prints an
 extremely verbose message, a-la:

 The password supplied does not meet the minimum complexity
 requirements. Please select another password that meets all of the
 following criteria: is at least 8 characters; has not been used in the
 previous 5 passwords; must not have been changed within the past 40
 days; does not contain your account or full name; contains at least
 three of the following four character groups: English uppercase
 characters (A through Z); English lowercase characters (a through z);
 Numerals (0 through 9); Non-alphabetic characters (such as !, $, #,
 %). Type a password which meets these requirements in both text
 boxes.

 The verbosity is a good thing.  The formatting, however, strikes fear in
 the hearts of the non-technical users.  Is it possible to customize the
 message that the users see, if only to format it in a more readable way?

 Thanks!

 Ryan
   

Hm - any takers on this?  I've not found a solution yet, but I'm hoping
it's at least a feasible task.

Thanks again,
Ryan


[Samba] check password script

2008-04-15 Thread Ryan Steele
Hey folks,

My 'check password script' seems to work well, but I have a question
about the messages returned to the user.  Currently, it prints an
extremely verbose message, a-la:

The password supplied does not meet the minimum complexity
requirements. Please select another password that meets all of the
following criteria: is at least 8 characters; has not been used in the
previous 5 passwords; must not have been changed within the past 40
days; does not contain your account or full name; contains at least
three of the following four character groups: English uppercase
characters (A through Z); English lowercase characters (a through z);
Numerals (0 through 9); Non-alphabetic characters (such as !, $, #,
%). Type a password which meets these requirements in both text
boxes.

The verbosity is a good thing.  The formatting, however, strikes fear in
the hearts of the non-technical users.  Is it possible to customize the
message that the users see, if only to format it in a more readable way?

Thanks!

Ryan


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-09 Thread Ryan Steele
Volker Lendecke wrote:
 On Tue, Apr 08, 2008 at 10:10:18AM -0400, Ryan Steele wrote:

   
 I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
 why it's showing the user this message instead.  I see I can edit the
 values that Samba is showing the user with pdbedit, but I shouldn't need
 to edit that - my password policy is defined in LDAP, and those are the
 messages I'd like the users to see.
 

 How are these policies exactly defined in LDAP? Are they
 visible for LDAP clients?
   

It's an explicit entry in LDAP:

56 cn=Password Policy,ou=Policies,dc=example,dc=com
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinAge: 3468000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdMaxFailure: 2
pwdLockoutDuration: 60
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdCheckModule: check_password.so
pwdSafeModify: FALSE

The check_password.so module is what's doing the strength checks,
similar to how the 'check password script' works in Samba.  All other
password policy attributes listed above are visible (read access) from a
directory listing (for every user).

 If they are visible, then we might have a chance to return
 them to the client, although this would require coding. If
 they are defined in some LDAP server config file that is not
 visible to Samba, then we can't export those to the client.
   

It sounds like everything is pretty cut and dry with the exception of
the checks enforced by check_password.so.  But, I think if Samba just
returned the errors sent back by LDAP/check_password.so (e.g., password
too short, password does not meet required strength checks, etc.),
that would suffice.  I can see that Samba receives these error messages,
but seems to do nothing with them (log information included in previous
posts in this thread).  If that can be rectified, that should get us
pretty close, no?

Thanks as always,
Ryan
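
An added example, not Ryan's module and not OpenLDAP code: a pwdCheckModule that applies the 3-of-4 character-class rule described in this thread through the check_password() entry point documented in slapo-ppolicy(5). The Entry typedef is a stand-in so the file builds without slapd's headers, count_classes() is a hypothetical helper, and the message wording is modelled on the slapd log line quoted in the thread.

```c
/* check_password.c - added example of a pwdCheckModule (see slapo-ppolicy(5)).
 * Build as a module: gcc -shared -fPIC -o check_password.so check_password.c */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in so the file compiles without the OpenLDAP source tree (assumption
 * of this example); a real module gets Entry from slapd's headers. */
typedef struct Entry Entry;

#define REQUIRED_CLASSES 3  /* the thread's rule: at least 3 of the 4 classes */

/* Count which of the four classes (upper, lower, digit, punctuation) occur.
 * Bytes outside ASCII match no class in the C locale and are not counted. */
static int count_classes(const char *pw)
{
    int upper = 0, lower = 0, digit = 0, punct = 0;
    const unsigned char *p;

    for (p = (const unsigned char *)pw; *p != '\0'; p++) {
        if (isupper(*p))      upper = 1;
        else if (islower(*p)) lower = 1;
        else if (isdigit(*p)) digit = 1;
        else if (ispunct(*p)) punct = 1;
    }
    return upper + lower + digit + punct;
}

/* Entry point that ppolicy looks up in the module. Returns 0 (LDAP_SUCCESS)
 * to accept; any other value rejects the change. On rejection *ppErrStr gets
 * a malloc()ed explanation, which slapd frees after using it. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    static const char fmt[] =
        "Password does not pass required number of strength checks (%d of %d)";
    int got;
    size_t need;

    (void)pEntry;                 /* the entry is not needed for this rule */
    if (ppErrStr != NULL)
        *ppErrStr = NULL;
    if (pPasswd == NULL)
        return 1;

    got = count_classes(pPasswd);
    if (got >= REQUIRED_CLASSES)
        return 0;

    if (ppErrStr != NULL) {
        need = sizeof(fmt) + 2 * 11;       /* room for two formatted ints */
        *ppErrStr = malloc(need);
        if (*ppErrStr != NULL)
            snprintf(*ppErrStr, need, fmt, got, REQUIRED_CLASSES);
    }
    return 1;
}

/* Stand-alone driver with constructed sample passwords. */
int main(void)
{
    const char *samples[] = { "123456", "foobar1", "Foobar1", "f00-Bar" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *err = NULL;
        int rc = check_password((char *)samples[i], &err, NULL);
        printf("%-8s rc=%d %s\n", samples[i], rc, err ? err : "accepted");
        free(err);
    }
    return 0;
}
```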


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-08 Thread Ryan Steele
Volker Lendecke wrote:
 On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
   
 It's not defined in my Samba source, but I guess that was the wrong
 place to look.  On my system, /usr/include/ldap.h does in fact have that
 defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
 Windows still  reports that the password couldn't be changed because the
 domain was unavailable... have I zigged where I should've zagged, or is
 Samba not setting rc properly when it gets the response from LDAP?
 

 Please check that your LDAP server indeed does return 0x13
 over the 389 connection. You might also add a DEBUG
 statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) 
 to check what smbd sees. That's at least what I would do.

 Volker
   
My initial process was flawed (the makefile I was using was pointing to
the wrong source tree).  I have now gotten the new code in pdb_ldap.c
working, but there's still a slight issue.  It returns
NT_STATUS_PASSWORD_RESTRICTION as expected, but instead of passing back
the message that LDAP sends, which is:

[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
Password fails quality checking policy

...it returns "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."  Is there any way to get Samba
to use what it's being given by LDAP, instead of using these values? 
I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
where it's actually getting those from, but it's not what the users are
being restricted by and I'd like the error messages to reflect the LDAP
restrictions that it's passing back to Samba.

Thanks as always for your help and insight,

Ryan


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-08 Thread Ryan Steele
Volker Lendecke wrote:
 On Mon, Apr 07, 2008 at 03:19:00PM -0400, Ryan Steele wrote:
   
 It's not defined in my Samba source, but I guess that was the wrong
 place to look.  On my system, /usr/include/ldap.h does in fact have that
 defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
 Windows still  reports that the password couldn't be changed because the
 domain was unavailable... have I zigged where I should've zagged, or is
 Samba not setting rc properly when it gets the response from LDAP?
 

 Please check that your LDAP server indeed does return 0x13
 over the 389 connection. You might also add a DEBUG
 statement right above the #if defined(LDAP_CONSTRAINT_VIOLATION) 
 to check what smbd sees. That's at least what I would do.

 Volker
   

My initial process for building the binary package was flawed (the
makefile was using the wrong source tree).  After correcting that, the
new code has been inserted, and it is successfully returning
NT_STATUS_PASSWORD_RESTRICTION in pdb_ldap.c.  However, there is a
slight problem.  Instead of showing the user the message that LDAP is
passing back (and which Samba receives) which is:

[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
Password fails quality checking policy

...it returns "Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes."  Is it possible to have Samba
convey to the user the message that LDAP returns, instead of returning
the aforementioned message?  I want the error the users see to reflect
why they're actually being denied a password change. 

I'm using ldapsam:ldap://server as my passdb backend, so I'm not sure
why it's showing the user this message instead.  I see I can edit the
values that Samba is showing the user with pdbedit, but I shouldn't need
to edit that - my password policy is defined in LDAP, and those are the
messages I'd like the users to see.

Thanks as always for your help and insight,

Ryan
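
An added example, not part of the original posts and not Samba code: because the Windows dialog does not show the ppolicy reason, this scans smbd log text for the ldapsam_modify_entry failure shown above and extracts the user, the LDAP error and the diagnostic line that follows it. The struct and function names are hypothetical, and the sample log is constructed from the excerpt above with the mail wrapping undone and a second, made-up record for user tester2.

```c
#include <stdio.h>
#include <string.h>

/* Text that precedes the user name in the smbd log line from the thread. */
#define MARKER "LDAP Password could not be changed for user "

struct pw_failure {
    char user[64];        /* account whose change was refused            */
    char ldap_error[64];  /* LDAP result text, e.g. Constraint violation */
    char reason[128];     /* diagnostic line that follows, may be empty  */
};

/* Constructed sample, modelled on the log excerpt in the thread. */
static const char SAMPLE_LOG[] =
    "[2008/04/08 05:35:26, 10] lib/smbldap.c:smbldap_extended_operation(1472)\n"
    "  Extended operation failed with error: Constraint violation (Password fails quality checking policy)\n"
    "[2008/04/08 05:35:26, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)\n"
    "  ldapsam_modify_entry: LDAP Password could not be changed for user tester: Constraint violation\n"
    "\tPassword fails quality checking policy\n"
    "[2008/04/08 05:41:02, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)\n"
    "  ldapsam_modify_entry: LDAP Password could not be changed for user tester2: Constraint violation\n"
    "\tPassword is in history of old passwords\n"
    "[2008/04/08 05:41:02, 3] smbd/sec_ctx.c:pop_sec_ctx(339)\n"
    "  pop_sec_ctx (1043, 513) - sec_ctx_stack_ndx = 1\n";

/* Copy len bytes of src into dst (capacity cap), trimming blanks and
 * truncating rather than overflowing. */
static void copy_trimmed(char *dst, size_t cap, const char *src, size_t len)
{
    while (len > 0 && (*src == ' ' || *src == '\t')) { src++; len--; }
    while (len > 0 && (src[len - 1] == ' ' || src[len - 1] == '\t' ||
                       src[len - 1] == '\r'))
        len--;
    if (len >= cap)
        len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Fill out[] with up to max refused password changes found in log and
 * return how many were found. */
int scan_smbd_log(const char *log, struct pw_failure *out, int max)
{
    int n = 0;
    const char *p = log;

    while (n < max && (p = strstr(p, MARKER)) != NULL) {
        const char *eol, *colon;

        p += strlen(MARKER);
        eol = p + strcspn(p, "\n");
        colon = memchr(p, ':', (size_t)(eol - p));
        if (colon == NULL) {            /* malformed line: skip it */
            p = eol;
            continue;
        }
        copy_trimmed(out[n].user, sizeof out[n].user, p, (size_t)(colon - p));
        copy_trimmed(out[n].ldap_error, sizeof out[n].ldap_error,
                     colon + 1, (size_t)(eol - colon - 1));
        /* The diagnostic is the next line unless a new "[date, level]"
         * header starts there. */
        out[n].reason[0] = '\0';
        if (eol[0] == '\n' && eol[1] != '[' && eol[1] != '\0')
            copy_trimmed(out[n].reason, sizeof out[n].reason,
                         eol + 1, strcspn(eol + 1, "\n"));
        n++;
        p = eol;
    }
    return n;
}

int main(void)
{
    struct pw_failure f[8];
    int i, n = scan_smbd_log(SAMPLE_LOG, f, 8);

    for (i = 0; i < n; i++)
        printf("user=%s error=%s reason=%s\n",
               f[i].user, f[i].ldap_error, f[i].reason);
    return 0;
}
```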


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Ryan Steele
Volker Lendecke wrote:
 On Fri, Apr 04, 2008 at 04:47:56PM -0400, John Drescher wrote:
   
 I think the bug/problem is that this message is being displayed
 instead of Password could not be changed for user
   tester: Constraint violation and does not pass required number  of
 strength checks (1 of 3).
 

 Current 3.2 has the attached code. Might help for you.

 Volker
   
Adding:

#if defined(LDAP_CONSTRAINT_VIOLATION)
	if (rc == LDAP_CONSTRAINT_VIOLATION)
		return NT_STATUS_PASSWORD_RESTRICTION;
#endif

...to pdb_ldap.c didn't seem to change the behavior at all.  I suspect
it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my
3.0.24 source, though I could certainly be wrong.  I'm grabbing the
latest source from git to see where that's defined, but if anybody wants
to head me off at the pass with the information, it's certainly welcome.

Thanks,
Ryan


Re: [Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-07 Thread Ryan Steele
Volker Lendecke wrote:
 On Mon, Apr 07, 2008 at 02:03:32PM -0400, Ryan Steele wrote:
   
 #if defined(LDAP_CONSTRAINT_VIOLATION)
 if (rc == LDAP_CONSTRAINT_VIOLATION)
 return NT_STATUS_PASSWORD_RESTRICTION;
 #endif

 ...to pdb_ldap.c didn't seem to change the behavior at all.  I suspect
 it's because LDAP_CONSTRAINT_VIOLATION isn't defined anywhere in my
 3.0.24 source, though I could certainly be wrong.  I'm grabbing the
 latest source from git to see where that's defined, but if anybody wants
 to head me off at the pass with the information, it's certainly welcome.
 

 If your LDAP libs don't have that define, you might try to
 use the value from OpenLDAP:

 #define LDAP_CONSTRAINT_VIOLATION   0x13

 Volker
   

It's not defined in my Samba source, but I guess that was the wrong
place to look.  On my system, /usr/include/ldap.h does in fact have that
defined.  However, Samba still returns NT_STATUS_UNSUCCESSFUL, and
Windows still  reports that the password couldn't be changed because the
domain was unavailable... have I zigged where I should've zagged, or is
Samba not setting rc properly when it gets the response from LDAP?

Thanks,
Ryan




[Samba] Samba 3.0.24 handling LDAP responses incorrectly

2008-04-04 Thread Ryan Steele
Hey list,

Recently I've gotten my Samba PDC to successfully use an OpenLDAP
backend, while using the smbk5pwd and ppolicy overlays for OpenLDAP. 
However, Samba appears to incorrectly handle responses from LDAP's
ppolicy overlay, even though it very clearly receives them.  If I enter
in a password (be it through Ctrl+Alt+Delete or when a password expires
and the user is prompted at logon) that violates the ppolicy
constraints, I get one of two scenarios.

1. If logging is turned off in OpenLDAP (loglevel 0 in slapd.conf),
Windows reports the password change was successful ("Your password has
been changed" dialog box), when in fact none of the attributes have
changed (including but not limited to sambaNTPassword, sambaLMPassword).

2. If logging is turned on (anything other than 0 in the slapd.conf),
Windows reports that "The system cannot change your password now because
the domain DOMAINNAME is unavailable."  While this is certainly not the
case, at least in this situation the user is informed that the password
change did not work.

I can see that LDAP does indeed pass back a response to Samba; from the
LDAP logs:

Apr  4 10:47:37 servername slapd[12709]: do_extended
Apr  4 10:47:37 servername slapd[12709]:  dnPrettyNormal:
uid=tester,ou=Users,dc=example,dc=com
Apr  4 10:47:37 servername slapd[12709]:  dnPrettyNormal:
uid=tester,ou=Users,dc=example,dc=com,
uid=tester,ou=users,dc=example,dc=com
Apr  4 10:47:37 servername slapd[12709]:
bdb_dn2entry(uid=tester,ou=users,dc=example,dc=com)
Apr  4 10:47:37 servername slapd[12709]:
bdb_dn2entry(uid=tester,ou=users,dc=example,dc=com)
Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr  4 10:47:37 servername slapd[12709]:
bdb_dn2entry(uid=tester,ou=users,dc=example,dc=com)
Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr  4 10:47:37 servername slapd[12709]: bdb_dn2entry(cn=password
policy,ou=policies,dc=example,dc=com)
Apr  4 10:47:37 servername slapd[12709]: bdb_entry_get: rc=0
Apr  4 10:47:37 servername slapd[12709]: check_password_quality: module
error: (check_password.so) Password for
dn=uid=tester,ou=Users,dc=example,dc=com does not pass required number
of strength checks (1 of 3).[1]
Apr  4 10:47:37 servername slapd[12709]: send_ldap_result: conn=76 op=24 p=3
Apr  4 10:47:37 servername slapd[12709]: send_ldap_extended: err=19 oid=
len=0
Apr  4 10:47:37 servername slapd[12709]: send_ldap_response: msgid=25
tag=120 err=19
Apr  4 10:47:42 servername slapd[12709]: connection_get(19): got connid=77
Apr  4 10:47:42 servername slapd[12709]: connection_read(19): checking
for input on id=77
Apr  4 10:47:42 servername slapd[12709]: ber_get_next on fd 19 failed
errno=0 (Success)
Apr  4 10:47:42 servername slapd[12709]: connection_closing: readying
conn=77 sd=19 for close
Apr  4 10:47:42 servername slapd[12709]: connection_close: conn=77 sd=-1
Apr  4 10:47:42 servername slapd[12709]: connection_get(13): got connid=76
Apr  4 10:47:42 servername slapd[12709]: connection_read(13): checking
for input on id=76
Apr  4 10:47:42 servername slapd[12709]: ber_get_next on fd 13 failed
errno=0 (Success)
Apr  4 10:47:42 servername slapd[12709]: connection_closing: readying
conn=76 sd=13 for close
Apr  4 10:47:42 servername slapd[12709]: connection_close: conn=76 sd=-1

...and, Samba does receive this error message intact.  From the Samba logs:

[2008/04/04 12:11:54, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1777)
  ldapsam_update_sam_account: user tester to be modified has dn:
uid=tester,ou=Users,dc=example,dc=com
[2008/04/04 12:11:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(965)
  init_ldap_from_sam: Setting entry for user: tester
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(520)
  smbldap_make_mod: deleting attribute |sambaPwdCanChange| values
|1207320457|
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1207325514|
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_make_mod(504)
  smbldap_make_mod: attribute |sambaPwdMustChange| not changed.
[2008/04/04 12:11:54, 5] lib/smbldap.c:smbldap_modify(1363)
  smbldap_modify: dn = [uid=tester,ou=Users,dc=example,dc=com]
[2008/04/04 12:11:54, 10] lib/smbldap.c:smbldap_extended_operation(1472)
  Extended operation failed with error: Constraint violation (Password
fails quality checking policy)
[2008/04/04 12:11:54, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1644)
  ldapsam_modify_entry: LDAP Password could not be changed for user
tester: Constraint violation
Password fails quality checking policy
[2008/04/04 12:11:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (1043, 513) - sec_ctx_stack_ndx = 1
[2008/04/04 12:11:54, 5]
rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7534)
  init_samr_r_chgpasswd_user
[2008/04/04 12:11:54, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1480)
  _samr_chgpasswd_user: 1480
[2008/04/04 12:11:54, 5] rpc_parse/parse_prs.c:prs_debug(84)
  00 samr_io_r_chgpasswd_user

[Samba] Samba PDC, OpenLDAP, and passwd chat

2008-04-01 Thread Ryan Steele
Hey List,

I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
smbk5pwd overlays).

While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
on password change.  I currently have the following in my smb.conf
related to password changes:

passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
passwd chat = *Enter NEW password* %n\n *Confirm NEW password* %n\n *Verify OLD password* %o\n *Password changed* \n
passdb backend = ldapsam:ldap://127.0.0.1

I can change passwords, but there are a couple of things I've noticed
that don't work properly.

1. My 'passwd chat' text isn't reflected on the Windows clients on the
domain.  Instead, I get (when changing via ctrl+alt+delete or during
domain logon if the password has expired):

   User name:
   Log on to:
   Old password:
   New password:
   Confirm new password:

2. The password requirements set forth by ppolicy (such as length,
strength, and recently used passwords) don't seem to be adhered to.  I
can put in 'foobar' as the new password, change it to 'foobar1', change
it back to 'foobar', and Samba will happily change the passwords.  While
the change does take, and I can log in to the domain with 'foobar' or
'foobar1' as the password, it's certainly not what I want.  Conversely,
I get these desired results when invoking 'ldappasswd' from the command-line:

# Testing the weak password 'foobar'
server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

# Testing a password in the list of the last six passwords
server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords

If I try putting in something like 'a' as the password, I get a dialog
box that says:  Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes.  Where is this text/requirement
list coming from?  And, how can I configure Samba such that it returns
the desired errors (above) to the user?

In the same vein, instead of having the sambaPasswordHistory attribute
in LDAP reflect the old hashed passwords, I just get one entry which reads:

   sambaPasswordHistory:


I would very much appreciate any advice you folks might be able to offer.

Thanks,
Ryan


Re: [Samba] Samba PDC, OpenLDAP, and passwd chat

2008-04-01 Thread Ryan Steele
Hey Denis,

Denis Cardon wrote:
 Hi Ryan,

 I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and
 smbk5pwd overlays).

 While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag
 on password change.  I currently have the following in my smb.conf
 related to password changes:

 passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
 passwd chat = *Enter NEW password* %n\n *Confirm NEW password* %n\n *Verify OLD password* %o\n *Password changed* \n
 passdb backend = ldapsam:ldap://127.0.0.1

 Correct me if I'm wrong, but I thought that the password chat was
 referring to some kind of Expect script to interact with the script
 referred to by the password program parameters (/usr/bin/ldappasswd in
 your case). There is some more info on this in the smb.conf man page.


Yeah, you're right.  And, in reading the man page, I found this: Note
that this parameter only is only used if the unix password sync
parameter is set to yes.  I, however, have ldap passwd sync = yes,
not unix passwd sync = yes.  So I guess 'passwd chat' isn't ever going
to be used in my case? 

I can live with the default dialog, but I absolutely need to fix #2
below - the ppolicy restrictions on password length, strength, etc. need
to be adhered to.  The fact that I get:

Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old.  Please type a different password.  Type a password that meets
these requirements in both text boxes.

...instead of the requirements set forth in OpenLDAP (minimum 6 chars,
can't use previous 6 passwords, etc) as demonstrated below is an issue. 
Where is it pulling these requirements from, and how can I get it to
relay messages from OpenLDAP (e.g., the 'password fails quality
checking' message) back to the user?

 I can change passwords, but there are a couple of things I've noticed
 that don't work properly.

 1. My 'passwd chat' text isn't reflected on the Windows clients on the
 domain.  Instead, I get (when changing via ctrl+alt+delete or during
 domain logon if the password has expired):

User name:
Log on to:
Old password:
New password:
Confirm new password:

 2. The password requirements set forth by ppolicy (such as length,
 strength, and recently used passwords) don't seem to be adhered to.  I
 can put in 'foobar' as the new password, change it to 'foobar1', change
 it back to 'foobar', and Samba will happily change the passwords.  While
 the change does take, and I can log in to the domain with 'foobar' or
 'foobar1' as the password, it's certainly not what I want.  Conversely,
 I get the desired results when invoking 'ldappasswd' from the
 command-line:

 # Testing the weak password 'foobar'
 server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
 New password:
 Re-enter new password:
 Enter LDAP Password:
 Result: Constraint violation (19)
 Additional info: Password fails quality checking policy

 # Testing a password in the list of the last six passwords
 server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
 New password:
 Re-enter new password:
 Enter LDAP Password:
 Result: Constraint violation (19)
 Additional info: Password is in history of old passwords

 If I try putting in something like 'a' as the password, I get a dialog
 box that says:  Your password must be at least 5 characters, cannot
 repeat any of your previous 0 passwords and must be at least 0 days
 old.  Please type a different password.  Type a password that meets
 these requirements in both text boxes.  Where is this text/requirement
 list coming from?  And, how can I configure Samba such that it returns
 the desired errors (above) to the user?

 In the same vein, instead of having the sambaPasswordHistory attribute
 in LDAP reflect the old hashed passwords, I just get one entry which
 reads:

sambaPasswordHistory:
 

 I would very much appreciate any advice you folks might be able to
 offer.

 Thanks,
 Ryan




Re: [Samba] Desktops for non-roaming profiles

2008-03-25 Thread Ryan Steele
Hey folks,

Just wanted to let you know that this process worked for me:

1. Log on to the domain with the domain user.
2. Reboot
3. Log on as the local administrator
4. Copy the profile (Start - My Computer - Properties - Advanced -
User Profiles), making sure to grant permissions to the domain user
5. Log off
6. Log on as the domain user.

Failing to grant the permissions in step #4 was a pitfall I hit, but
once I got that sorted out, the migration seemed to go well.  I haven't
done extensive testing on what exactly got copied over (looked okay, but
it's possible cookies, passwords, etc. didn't get migrated - TBD), but
upon initial inspection, things looked okay.

Thanks in advance for all who provided advice and insight.

Best Regards,
Ryan


[Samba] Desktops for non-roaming profiles

2008-03-24 Thread Ryan Steele
Hi list,

In my current organization, we aren't going to be using roaming profiles
(for various reasons, it's not desired).  I'm moving us from no domain
controller to Samba as a PDC (with an OpenLDAP backend), and I'm trying
to make the process as invisible as possible to the end users.  Each XP
user's local desktop exists at:

C:\Documents and Settings\username

...and I'd like Samba to log them in to the domain and use that as their
local desktop.  Currently, on my test machines it's setting their local
desktop as:

C:\Documents and Settings\TEMP

...which isn't quite what I want, as the desktop icons are located in
...\username, not ...\TEMP.  I don't get any errors, the Event Viewer
yields nothing, and the folder C:\Documents and Settings\username
has the proper permissions (as the local machine's administrator, I
added them by browsing to the domain controller and selecting the user
from the list)

In my global section of the smb.conf, I've got:

domain master = yes
preferred master = yes
domain logons = yes
logon script = logon.bat
logon drive = H:
logon home = \\%N\%u

...and the [netlogon] share is pretty vanilla.

I guess what I need to know is whether I can tell Samba somehow to try
and first use C:\Documents and Settings\username, and THEN fall back
to other options.  Is this possible (and feasible)?

Thanks,
Ryan


Re: [Samba] Desktops for non-roaming profiles

2008-03-24 Thread Ryan Steele
Hi Dennis,


Dennis McLeod wrote:
 Are you trying to use the EXISTING profile on the machine?

Yeah...

 It's not going to be as seamless as you would like.
   

Darn.  :-)

 Basically, you will have to sit in front of each machine, join it to the
 domain, log in as the user into the domain (to create the local profile),
 reboot (to free up the user profile - logging out doesn't work), log in as
 administrator, look at c:\documents and settings to get the name of the new
 profile (usually the username appended with a .domainname), then right click
 on My computer, properties, advanced, user profiles, highlight the old
 profile, copy to button, point it at the new user profile, change
 permissions to the new user (or if it's a generic profile, use everyone).
 Then, log back out, and in as the NEW domain user, and see what you get.
   

It does seem to copy the desktop items (and probably other things as
well), but drops me in to C:\, and I get weird behaviors.  It's unable
to load the Windows Classic theme (I get the error The theme could not
load.  Unspecified error.), and exhibits odd behaviors (loading the XP
theme turns the XP theme off, for example).  The permissions look right
to me...

 It will not copy cookies or passwords (Outlook) so those will need to be
 fixed.
   

How about background, appearance, etc.?  None of those are preserved in
my tests, though it probably has to do with the aforementioned problem
(defaulting to C:\).

 Microsoft has a user migration tool which is supposed to do this, but it
 doesn't work, IMHO.

 I chose to migrate a few, and rebuild a few. It might take me a year, but
 they'll get moved, eventually.

 Also, I had to set local machine policy to Only allow local profiles and
 Prevent Roaming profile changes from Propagating to the server:
   

Yeah, that helped.

 Start, Run, gpedit.msc, Computer Configuration, Administrative
 Templates, system, User Profiles.
 registry string:

 Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
 "LocalProfile"=dword:0001
 "ReadOnlyProfile"=dword:0001


 This might be why it's going to \TEMP. XP wants to pull down a roaming
 policy, but there exists none.

   

I think that may be the case as well.

 If that's the case I would suspect you won't have the second (.domainname)
 profile in c:\documents and settings
   

Until I changed those two entries, you're right I didn't.


 If you have a local user named bob, and a domain user named bob, and bob
 already has a local profile, if you log into the domain as bob, you should
 get a second profile named bob.domainname..


 HTH,
 Dennis


 Here's another reference:
 http://groups.google.com/group/linux.samba/msg/9c8b4de804545326


   

That didn't seem to fly for me either.

I'm interested to hear what you think with regards to it dropping me to
C:\.  The user DOMAINNAME\bob has privileges to access C:\Documents and
Settings\bob.DOMAINNAME, which I overwrote with the existing profile
using the Windows profile copy mechanism.

Thanks for your assistance thus far.

Ryan


Re: [Samba] full_audit on Samba 3.0.20 vs 3.0.25

2007-08-09 Thread Ryan Steele
Volker Lendecke wrote:
 On Fri, Aug 03, 2007 at 04:20:20PM -0400, Ryan Steele wrote:
   
 Just a quick question for you: Does Samba 3.0.20 support the full_audit
 module? I've got the module operating on two boxes, one with Samba
 

 The full audit module was added around 3.0.4.

   
 3.0.25 and the other with 3.0.20, and only the former seems to interpret
 VFS directives, such as:

 full_audit:prefix = %u
 full_audit:failure = none
 full_audit:success = open write close

 On the 3.0.20 box, they seem to be ignored, which causes the logs to
 fill up very quickly.  I appreciate any light that can be shed on this
 situation.  Thanks in advance!
 

 Not sure what this is, I think the full smb.conf would be
 necessary here.

 Volker
   
Volker and list,

Here's the smb.conf, followed by an example log entry - I'd appreciate
any insight as to why it still logs the failures (and lots of them!) 
Thanks!

[global]
   workgroup = SOMEGROUP
   server string = %h server (SOMESERVER)
   wins support = yes
   dns proxy = yes
   name resolve order = wins lmhosts host bcast
   smb ports = 139
   log file = /var/log/samba/log.%m
   max log size = 100
   log level = 0 vfs:2
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user

   encrypt passwords = true
   passdb backend = ldapsam:ldap://127.0.0.1/
   obey pam restrictions = no
   ldap admin dn = cn=admin,dc=somedomain,dc=com
   ldap suffix = dc=somedomain,dc=com
   ldap group suffix = ou=Groups
   ldapuser suffix = ou=People
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=People
   ldap passwd sync = Yes
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
   add user script = /usr/sbin/smbldap-useradd -m %u
   ldap delete dn = Yes
   delete user script = /usr/sbin/smbldap-userdel %u
   add machine script = /usr/sbin/smbldap-useradd -w %u
   add group script = /usr/sbin/smbldap-groupadd -p %g
   delete group script = /usr/sbin/smbldap-groupdel %g
   add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
[Shared Files]
vfs objects = full_audit
full_audit:prefix = %u
full_audit:failure = none
full_audit:success = write
comment = SOMESERVER's Files
path = /home/sharedfiles
browseable = yes
writable = yes
oplocks = No
level 2 oplocks = No
directory mask = 0775
create mask = 0664




Here's the log entry:
Aug  9 11:04:52 servername smbd_audit: username|sys_acl_get_file|fail (Operation not supported)|/path/to/file


-- 
Ryan Steele
Systems Administrator   [EMAIL PROTECTED]
AgoraNet, Inc.  (302) 224-2475
314 E. Main Street, Suite 1 (302) 224-2552 (fax)
Newark, DE 19711http://www.agora-net.com

GPG Signature:http://www.agora-net.com/~steele/signature.asc
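
An added example, not part of the original post and not Samba's own code: a small Python triage script for smbd_audit syslog lines in the shape quoted above (prefix|operation|result|arguments). It reports which entries fall outside the configured full_audit:success / full_audit:failure lists and which files each user wrote; the sample log lines, user names and function names are constructed for illustration, and treating everything after the result field as operation arguments is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the one entry quoted in the post:
# syslog header, then prefix|operation|result|arguments.
SAMPLE_LOG = """\
Aug  9 11:04:52 servername smbd_audit: alice|sys_acl_get_file|fail (Operation not supported)|/home/sharedfiles/a.doc
Aug  9 11:04:53 servername smbd_audit: alice|write|ok|/home/sharedfiles/a.doc
Aug  9 11:04:55 servername smbd_audit: bob|sys_acl_get_file|fail (Operation not supported)|/home/sharedfiles/b|c.xls
Aug  9 11:05:01 servername smbd_audit: bob|open|fail (Permission denied)|/home/sharedfiles/payroll.xls
Aug  9 11:05:02 servername sshd[412]: unrelated line from another daemon
Aug  9 11:05:07 servername smbd_audit: bob|write|ok|/home/sharedfiles/b|c.xls
"""

# The first three '|' separators are structural; anything after the result
# field is kept whole (assumption), so a '|' inside a file name survives.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssmbd_audit:\s"
    r"(?P<prefix>[^|]*)\|(?P<op>[^|]+)\|"
    r"(?P<result>ok|fail \((?P<reason>[^)]*)\))\|(?P<args>.*)$"
)


def parse_line(line):
    """Return a dict for one smbd_audit line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ev = m.groupdict()
    ev["ok"] = ev["result"] == "ok"
    return ev


def parse_log(text):
    """Parse every smbd_audit line in a block of syslog text."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def op_list(value):
    """Turn a full_audit:success / full_audit:failure value into a set.

    Only the two forms used in the post are handled: 'none' and a
    space-separated list of operation names.
    """
    value = value.strip()
    return set() if value == "none" else set(value.split())


def outside_policy(events, success, failure):
    """Events that the configured success/failure lists do not name."""
    ok_ops, fail_ops = op_list(success), op_list(failure)
    return [ev for ev in events
            if ev["op"] not in (ok_ops if ev["ok"] else fail_ops)]


def failure_summary(events):
    """Count failed operations by (operation, error text)."""
    return Counter((ev["op"], ev["reason"]) for ev in events if not ev["ok"])


def writes_by_user(events):
    """Map each prefix (%u, the user name) to its successful writes."""
    out = defaultdict(list)
    for ev in events:
        if ev["ok"] and ev["op"] == "write":
            out[ev["prefix"]].append((ev["ts"], ev["args"]))
    return dict(out)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # Values taken from the [Shared Files] section posted above.
    noise = outside_policy(events, success="write", failure="none")
    print(f"{len(noise)} of {len(events)} entries are outside the configured lists")
    for (op, reason), n in failure_summary(events).most_common():
        print(f"  {n:3d}  {op}: {reason}")
    for user, writes in writes_by_user(events).items():
        for ts, path in writes:
            print(f"  {ts}  {user} wrote {path}")
```
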



Re: [Samba] Tracking file activity

2007-07-31 Thread Ryan Steele

Ryan Steele wrote:

Ray Anderson wrote:

Been using it for a while now:

smb.conf entry:
# turn on auditing
vfs objects = audit

In the Samba howto collection, section 21.3:

21.3 Included Modules
21.3.1 audit
21.3.2 extd audit

And just for completeness:

21.3.1 audit
A simple module to audit file access to the syslog facility. The
following operations are logged:
• share
• connect/disconnect
• directory opens/create/remove
• file open/close/rename/unlink/chmod

21.3.2 extd audit
This module is identical with the audit module above except that it
sends audit logs to both syslog as well as the smbd log files. The log
level for this module is set in the smb.conf file.
Valid settings and the information that will be recorded are shown in
the next table.

Table 21.1. Extended Auditing Log Information
Log Level   Log Details - File and Directory Operations
0           Make Directory, Remove Directory, Unlink
1           Open Directory, Rename File, Change Permissions/ACLs
2           Open & Close File
10          Maximum Debug Level

21.3.2.1 Configuration of Auditing
This auditing tool is more flexible than most people readily will
recognize. There are a number of ways by which useful logging
information can be recorded.
• Syslog can be used to record all transaction. This can be disabled
  by setting in the smb.conf file syslog = 0.
• Logging can take place to the default log file (log.smbd) for all
  loaded VFS modules just by setting in the smb.conf file
  log level = 0 vfs:x, where x is the log level. This will disable
  general logging while activating all logging of VFS module activity
  at the log level specified.
• Detailed logging can be obtained per user, per client machine, etc.
  This requires the above together with the creative use of the log
  file settings.
An example of detailed per-user and per-machine logging can be
obtained by setting log level = /var/log/samba/%U.%m.log.
Auditing information often must be preserved for a long time. So that
the log files do not get rotated it is essential that the
max log size = 0 be set in the smb.conf file.




Ryan Steele wrote:

Hey List,

I was wondering if and how one would go about tracking file activity 
on a Samba server, for basic auditing purposes. I'd ideally like to 
see what files were edited, by whom and when. I've done some RTFM 
and a bit of searching around the 'net, but haven't found anything 
yet. Even pointers to documentation on the subject would be welcome. 
Thanks in advance for any tips!


Best Regards,
Ryan



Ray,

I appreciate your advice.  I am experimenting with an implementation 
of the extd_audit module now on a test cluster - thanks for pointing 
me in the direction of the HOWTO,  I should have looked there before 
bumping the list.  Thanks again.


Ryan



I'm having a bit of trouble with the logging on this, and I'm hoping 
someone can point out a simple mistake I'm overlooking.  My intentions 
are to have everything in the shared directory container log to 
/var/log/samba/log.machine.username, but all of the VFS info 
continues to filter into syslog.  I've HUP'ed the daemon and restarted 
to no avail.  Any thoughts?  Here's my smb.conf - it's pretty vanilla, 
as it's a testbox for the purposes only of testing the audit module:


[global]
  obey pam restrictions = Yes
  encrypt passwords = Yes
  local master = no
  domain master = no
  preferred master = no
  netbios name = Testbox
  workgroup = TESTDOMAIN
  server string = %h server (TestServer)
  wins support = yes
  dns proxy = yes
  name resolve order = wins lmhosts host bcast
  smb ports = 139
  log file = /var/log/samba/log.%m
  max log size = 100
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  invalid users = root
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
[homes]
  comment = Home Directories
  browseable = no
  writable = yes
  create mask = 0700
  directory mask = 0700
[Shared Files]
   comment = Shared Files
   log level = vfs:2
   path = /home/sharedfiles
   browseable = yes
   writable = yes
   oplocks = No
   level 2 oplocks = No
   directory mask = 0775
   create mask = 0664
   log file = /var/log/samba/log.%m.%U
   vfs objects = extd_audit

Thanks in advance for any advice.

Best Regards,
Ryan

--
Ryan Steele
Systems Administrator 
Greater Philadelphia Area



Re: [Samba] SMBD using nearly 100 percent CPU

2006-07-07 Thread Ryan Steele

Andy,

Luckily, the client this was happening to's contract ran out.  I haven't 
had the problem with any other clients, but I suspect it had something 
to do with the kernel it was running on...that was the only thing that 
differed between the boxes that did and didn't work.  (It was an older 
kernel...2.6.5 or something)  I never had a chance to ultimately 
determine the root cause...but my advice would be to attach an strace to 
the process(es) that is/are spinning out of control and see what it's 
hanging on.  In the online book Samba3 By Example (Google that) it has a 
chapter on stracing smbd processes.  Hope that helps.


Best,
Ryan

andy liebman wrote:
Over the past few months, I have seen many postings here about runaway 
smbd processes with Samba versions 3.0.20 and above. Personally, it 
never happened to me until today. Also, I have stuck with Samba 3.0.13 
on most of my machines because of THIS reported issue and a couple of 
other issues that I have experienced.


However, I have a machine running RIGHT NOW where smbd has gone out of 
control. This machine is running 3.0.20b. If it would help, and if 
somebody could tell me exactly -- and I mean exactly -- what to do on 
my machine to capture information that might help explain what is 
going on, I would be happy to collect the information.


But, it has to be in the next couple of hours. It is 8:30 am Friday in 
Boston, MA USA. I have to reboot the machine to use it in about 3 hours.


Note that rpc.statd also seems to be out of control. Don't know if it 
is related.


Andy Liebman

Here's what TOP looks like:

Tasks: 170 total,   2 running, 168 sleeping,   0 stopped,   0 zombie
Cpu(s): 12.6% us, 34.1% sy,  0.0% ni, 20.3% id,  0.0% wa,  0.0% hi, 
33.1% si

Mem:   2075844k total,  2019784k used,56060k free, 7668k buffers
Swap:  1012052k total, 2556k used,  1009496k free,  1820308k cached

  PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEMTIME+  COMMAND
 4743 root  25   0  8664 2164 1416 R 99.7  0.1 621:48.83 smbd
 2569 root  15   0  1692  688  584 S 58.8  0.0 323:00.52 rpc.statd
 4928 andrew15   0 13604  11m 1592 S  0.7  0.6   0:10.55 Xvnc
11509 andrew16   0 27520  12m   9m S  0.3  0.6   0:01.64 konsole
1 root  16   0  1560  536  472 S  0.0  0.0   0:00.70 init
2 root  RT   0 000 S  0.0  0.0   0:00.00 migration/0
3 root  34  19 000 S  0.0  0.0   0:00.00 ksoftirqd/0
4 root  RT   0 000 S  0.0  0.0   0:00.00 migration/1
5 root  34  19 000 S  0.0  0.0   0:00.00 ksoftirqd/1
6 root  10  -5 000 S  0.0  0.0   0:00.09 events/0
7 root  10  -5 000 S  0.0  0.0   0:05.15 events/1
8 root  11  -5 000 S  0.0  0.0   0:00.01 khelper
9 root  10  -5 000 S  0.0  0.0   0:00.00 kthread
   12 root  20  -5 000 S  0.0  0.0   0:00.00 kacpid
  124 root  10  -5 000 S  0.0  0.0   0:00.05 kblockd/0
  125 root  10  -5 000 S  0.0  0.0   0:00.05 kblockd/1
  167 root  15   0 000 S  0.0  0.0   3:42.50 pdflush




Re: [Samba] What is the best Linux version for Samba

2006-06-29 Thread Ryan Steele

[EMAIL PROTECTED] wrote:

I want to configure a server with Samba.
I made some test with Mandriva 2006  but I'm not sure it's the best linux 
performance !


What do you think ?
Did you make some test between different linux version ?

Best Regards,

Luc Sainte-Marie
Network Administrator
  


I use Debian, and I have no complaints.  I did run into problems with 
older kernels...like the early 2.6.x's...but the latest version gives me 
great performance, even with Outlook .pst files over 600MB in size.  
However, I am a bit biased in that I prefer package based 
distros. I'm sure the others on the list will have some good 
suggestions as well.


Best Regards,
Ryan


Re: [Samba] Accessing home directories problem (XP Home Edition)

2006-06-21 Thread Ryan Steele
You may be right.  I've read places about people modifying registry 
entries on XP Home clients to get things to work properly, but according 
to the Samba3 book, if configured properly that's not the case.  I 
dunno, I avoid Windows when I can, and when I am forced to use it, Win2k 
or XP Pro.  Sorry I couldn't be of more help :-)


Good luck,
Ryan

Brian Thibault wrote:
You may be right, but I was under the impression it was just domains 
that didn't work properly with XP Home, not peer-to-peer access.


- Brian

On 6/21/06, Ryan Steele [EMAIL PROTECTED] wrote:


I'm pretty sure I read somewheres that XP Home Edition and Samba just
will not work, period. I think it was the Samba3 By Example book,
written by Jerry Carter...but Jerry might be able to support/deny that
claim.

Best,
Ryan

Brian Thibault wrote:
 Hi there,

 I have my Samba set up and running. My users are added and should be
 set up right. The problem is when I can't access my home directories
 from Windows XP Home Edition.


 It should give me a login box right? .. but its not. It just
gives me the
 error message that I don't have access to the folder.

 When I manually add my home directory though in my smb.conf, then
 click on
 that directory from my windows box, it presents me w/ a login box.
 After I
 login here, then I can access my magic home directory.

 Here is my smb.conf dump from testparm:

 [global]
 workgroup = X
 server string = File Server
 map to guest = Bad User
 passwd program = /usr/bin/passwd %u
 passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
 log file = /var/log/samba/%m.log
 max log size = 50
 server signing = Auto
 socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
 printcap name = /etc/printcap
 preferred master = No
 domain master = No
 dns proxy = No
 ldap ssl = no
 guest ok = Yes
 hosts allow = 192.168.1., 127.
 cups options = raw

 [homes]
 comment = Home Directories
 valid users = %S
 read only = No

 [printers]
 comment = All Printers
 path = /var/spool/samba
 printable = Yes
 browseable = No

 [briansdir]
 path = /home/brian
 valid users = brian
 read only = No
 guest ok = No

 [public]
 path = /home/public
 read only = No
 guest only = Yes
 case sensitive = No
 msdfs proxy = no


 Is the problem just w/ XP Home or what?


 Any help would be appreciated...
 Thanks,
 Brian






Re: [Samba] UNIX accounts can create

2006-06-16 Thread Ryan Steele

Jorge,

Sorry, but nothing seems apparently obvious to me... I would really try 
making sure that smbldap-tools has all the proper information in its 
configuration files.  I'm short on time, but I hope I helped at least a 
little bit.


Best,
Ryan

IT wrote:

Ryan, I see and review my configuration a lot of times searching for an error
but nothing... I am thinking to reinstall all server in a Linux box for 
test. The actual samba+ldap server is a Unix Solaris 10 X86


/usr/local/samba/bin/net getlocalsid
SID for domain NEPTUNE is: S-1-5-21-1628075765-904855948-1163074499

smbldap.conf without comments

SID=S-1-5-21-1628075765-904855948-1163074499

sambaDomain=L_DOM
slaveLDAP=localhost
slavePort=389
masterLDAP=localhost
masterPort=389
ldapTLS=0
verify=
cafile=
clientcert=
clientkey=
suffix=dc=mydom,dc=com,dc=ar
usersdn=ou=Users,${suffix}
computersdn=ou=Computers,${suffix}
groupsdn=ou=Groups,${suffix}
idmapdn=ou=Idmap,${suffix}
sambaUnixIdPooldn=sambaDomainName=XL_DOM,${suffix}
scope=sub
hash_encrypt=CRYPT
crypt_salt_format=%s
userLoginShell=/bin/bash
userHome=/usuarios/%U
userHomeDirectoryMode=700
userGecos=System User
defaultUserGid=513
defaultComputerGid=515
skeletonDir=/etc/skel
defaultMaxPasswordAge=45
userSmbHome=\\neptune\%U
userProfile=\\neptune\profiles\%U
userHomeDrive=P:
userScript=login1.bat
mailDomain=
with_smbpasswd=0
smbpasswd=/usr/local/sbin/smbpasswd
with_slappasswd=0
slappasswd=/usr/local/sbin/slappasswd


my smb.conf
[global]
workgroup = XL_DOM
server string = NT2003
interfaces = e1000g0
security = user
log level = 10
syslog = 0
log file = /var/log/samba/%m
domain logons = yes
passdb backend = ldapsam:ldap://localhost
domain master = No
smb ports = 139 445
#name resolver order =  hosts lmhosts wins bcast
wins server = 10.1.1.211
ldap suffix = dc=mydom,dc=com,dc=ar
ldap ssl = no
ldap timeout = 20
domain master = no
ldap suffix = dc=mydom,dc=com,dc=ar
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap admin dn = cn=Manager,dc=mydom,dc=com,dc=ar
ldap idmap suffix = ou=Idmap

add machine script = /usr/local/sbin/smbldap-useradd -w %u
add user script = /usr/local/sbin/smbldap-useradd -m %u
#delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
#delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m 
%u %g
delete user from group script = 
/usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g 
%g %u


TIA
Jorge

*/Ryan Steele [EMAIL PROTECTED]/* wrote:

Ooops, I meant see what it returns and copy and paste that into
smbldap.conf

Best,
Ryan

Ryan Steele wrote:
 Not totally sure...sounds like a problem with smbldap not having
the
 proper SID. Do a 'net getlocalsid' and put what it returns in
 smbldap.conf on the line where you specify the SID for the domain.
 It's the first thing under General Configuration. See if that helps.

 Best,
 Ryan

 IT wrote:

 Thanks ryan...

 First I use smbldap-useradd with the -a flag in the smb.conf but the
 vampire process creates the LDAP portion but can't create posix
 accounts. The vampire process says: Cant create posix account info.

 Trying to resolve this problem, I see that populate
 and smbldap-useradd either create the posix part.

 with -a flag say:

 /usr/local/sbin/smbldap-useradd -a testuser
 Cannot confirm uidNumber 1008 is free: checking for the next one
 Can't call method get_value on an undefined value at
 /usr/local/sbin/smbldap-userad line 197.

 viewing the code near line 197

 189 my $group_entry;
 190 my $userGroupSID;
 191 my $userRid;
 192 my $user_sid;
 193 if (defined $Options{'a'} or defined $Options{'i'}) {
 194 # as grouprid we use the value of the sambaSID attribute for
 195 # group of gidNumber=$userGidNumber
 196 $group_entry = read_group_entry_gid($userGidNumber);
 197 $userGroupSID = $group_entry->get_value('sambaSID');
 198 unless ($userGroupSID) {
 199 print "Error: SID not set for unix group $userGidNumber\n";
 200 print "check if your unix group is mapped to an NT group\n";
 201 exit (7);
 202 }


 any idea?

 Jorge

 */Ryan Steele /* wrote:

 IT wrote:
  Anybody know what's wrong when the commands
 
  smbldap-useradd or populate work fine with ldap but can't create
  unix/linux accounts 
 
 
  Please Help.
 
 
  Jorge

Re: [Samba] I have no winbind pipe!

2006-06-16 Thread Ryan Steele

sneezewort wrote:
You can ping with wbinfo -p command. 
I can't stop winbind, in fact I can't even kill it by pid. I even tried to

reboot, but winbindd is still unkillable, and no wbinfo or net join
commands work. I tried to do a full uninstall and reinstall, but the problem
remains.
--
View this message in context: 
http://www.nabble.com/I-have-no-winbind-pipe%21-t1794490.html#a4906659
Sent from the Samba - General forum at Nabble.com.

  
I have had Samba processes that do not respond to kill either.  However, 
you can pass the kill command options that will sometimes help.  kill -9 
is the most severe, and in most cases will kill just about anything.  
(If it doesn't, you've got more serious issues with your kernel).  
However, make sure that there aren't more graceful ways first.  Do a man 
kill to see what options there are.  But, if all else fails, there is 
the -9.  I know I've had to use it more than I'd like...


Best,
Ryan


Re: [Samba] UNIX accounts can create

2006-06-15 Thread Ryan Steele

IT wrote:

Anybody know what's wrong when the commands

smbldap-useradd or populate work fine with ldap but can't create
unix/linux accounts 

Please help.


Jorge
  
I think you have to provide it the -a option if you want it to create 
a posix account.  List, correct me if I'm wrong.  Hope that helps, Jorge.


Best,
Ryan


Re: [Samba] UNIX accounts can create

2006-06-15 Thread Ryan Steele
Not totally sure...sounds like a problem with smbldap not having the 
proper SID.  Do a 'net getlocalsid' and put what it returns in 
smbldap.conf on the line where you specify the SID for the domain.  It's 
the first thing under General Configuration.  See if that helps.


Best,
Ryan

IT wrote:


Thanks ryan...

First I use smbldap-useradd with -a  flag in the smb.conf but the 
vampire process create the ldap portion but can't create posix 
accounts. in the vampire process say Cant create posix account info.


Trying to resolve this problem. I see that populate
and smbldap-useradd either create the posix part.

with -a flag say:

/usr/local/sbin/smbldap-useradd -a testuser
Cannot confirm uidNumber 1008 is free: checking for the next one
Can't call method get_value on an undefined value at 
/usr/local/sbin/smbldap-userad line 197.


viewing the code near line 197

189 my $group_entry;
190 my $userGroupSID;
191 my $userRid;
192 my $user_sid;
193 if (defined $Options{'a'} or defined $Options{'i'}) {
194     # as grouprid we use the value of the sambaSID attribute for
195     # group of gidNumber=$userGidNumber
196     $group_entry = read_group_entry_gid($userGidNumber);
197     $userGroupSID = $group_entry->get_value('sambaSID');
198     unless ($userGroupSID) {
199         print "Error: SID not set for unix group $userGidNumber\n";
200         print "check if your unix group is mapped to an NT group\n";
201         exit (7);
202     }


any idea?

Jorge

Ryan Steele [EMAIL PROTECTED] wrote:

IT wrote:
 Anybody know what's wrong when the commands

 smbldap-useradd or populate work fine with ldap but can't create
 unix/linux accounts 


 Please help.


 Jorge

I think you have to provide it the -a option if you want it to
create
a posix account. List, correct me if I'm wrong. Hope that helps,
Jorge.

Best,
Ryan




Re: [Samba] UNIX accounts can create

2006-06-15 Thread Ryan Steele

Ooops, I meant see what it returns and copy and paste that into smbldap.conf

Best,
Ryan

Ryan Steele wrote:
Not totally sure...sounds like a problem with smbldap not having the 
proper SID.  Do a 'net getlocalsid' and put what it returns in 
smbldap.conf on the line where you specify the SID for the domain.  
It's the first thing under General Configuration.  See if that helps.


Best,
Ryan

IT wrote:


Thanks ryan...

First I use smbldap-useradd with -a  flag in the smb.conf but the 
vampire process create the ldap portion but can't create posix 
accounts. in the vampire process say Cant create posix account info.


Trying to resolve this problem. I see that populate
and smbldap-useradd either create the posix part.

with -a flag say:

/usr/local/sbin/smbldap-useradd -a testuser
Cannot confirm uidNumber 1008 is free: checking for the next one
Can't call method get_value on an undefined value at 
/usr/local/sbin/smbldap-userad line 197.


viewing the code near line 197

189 my $group_entry;
190 my $userGroupSID;
191 my $userRid;
192 my $user_sid;
193 if (defined $Options{'a'} or defined $Options{'i'}) {
194     # as grouprid we use the value of the sambaSID attribute for
195     # group of gidNumber=$userGidNumber
196     $group_entry = read_group_entry_gid($userGidNumber);
197     $userGroupSID = $group_entry->get_value('sambaSID');
198     unless ($userGroupSID) {
199         print "Error: SID not set for unix group $userGidNumber\n";
200         print "check if your unix group is mapped to an NT group\n";
201         exit (7);
202     }


any idea?

Jorge

Ryan Steele [EMAIL PROTECTED] wrote:

IT wrote:
 Anybody know what's wrong when the commands

 smbldap-useradd or populate work fine with ldap but can't create
 unix/linux accounts 


 Please help.


 Jorge

I think you have to provide it the -a option if you want it to
create
a posix account. List, correct me if I'm wrong. Hope that helps,
Jorge.

Best,
Ryan




Re: [Samba] ldap administration tool??

2006-06-15 Thread Ryan Steele

Robin Mordasiewicz wrote:

On Thu, 15 Jun 2006, Dirk H Bartley wrote:


I am nearing being prepared to get our corporate network from Active
Directory to samba3 with ldap.  The last hurdle is to get an
administrative interface to the ldap repository containing the users and
Groups.  I'm hoping for some recommendations.

I have attempted the following.

Samba Console:
http://imc.sourceforge.net/samba-console.html

[CUT]


Gosa:
https://gosa.gonicus.de/

[CUT]


LAM:
http://lam.sourceforge.net/

[CUT]

User Manager for domains:

[CUT]


Once again, thank you in advance for all recommendations.


I tried a couple of the above, but decided to use
http://phpldapadmin.sourceforge.net


We still use the smbldap command line stuff for adding users and such. 
The web front end is good for the less experienced folks to manipulate 
attributes.
Personally, I still use the command line method as well...but I think 
what you may be looking for is SWAT -- the Samba Web Administration 
Tool.  Not sure if you can incorporate smbldap-tools into it or not?


Best,
Ryan


Re: [Samba] Windows XP and Samba 3.0.22 -- don't mix?

2006-06-14 Thread Ryan Steele

Roger Lucas wrote:

I navigate through Windows Explorer to My Network Places and so on until
I get to the server.  I open up a folder on the server.  I execute the
'ps auxwww | grep mbd' and sure enough, there's the share.  The
smbstatus command confirms this.  Now, I close out that Windows Explorer
window I have open to the server.  However, a 'ps auxwww | grep mbd'
shows that there is still a connection open to this folder and
smbstatus confirms.  After a few minutes, the user for that pid
changes to root, and the process just sits in there forever, sucking up
0.9% of memory.  This happens with EVERY share Windows opens, and when
it gets in this state, I can't open any new shares.  I've tried using
the deadtime option to kill these...no dice, they still hang around.
In fact, the only thing that gets rid of them is a 'killall -9 smbd'.
  


Are you sure that the Windows XP machine has closed the connection to the
SAMBA server?  Try the net use command on the XP machine to find out.  My
XP machine leaves loads of connections open even after I have closed the
Explorer window or similar.  This is a major annoyance for me and I have to
use the net use share /delete command to get XP to explicitly close the
share.

It could be that your problem is being caused at the XP end rather than the
SAMBA end...

I am using SAMBA 3.0.22 here with XP, Win2K and Win2003 in both AD and
workgroup configuration and have had no problems with SAMBA but have had
problems with Windows - especially with this holding connections open
feature.

  

Roger,

A good suggestion, but unfortunately the smbd daemon still continues to 
run on the server end.  However, I've run across the problem of no 
longer being able to duplicate the problem consistently.  I'm not sure 
what exactly causes some smbd daemons to continue running after the 
client closes the connection while others close properly.  Officially 
stumped... but thanks!


Best,
Ryan


Re: [Samba] Windows XP and Samba 3.0.22 -- don't mix?

2006-06-14 Thread Ryan Steele

Gerald (Jerry) Carter wrote:


Ryan,

  
A good suggestion, but unfortunately the smbd 
daemon still continues to run on the server end.  However,

I've run across the problem of no longer being able
to duplicate the problem consistently.  I'm not sure
what exactly causes some smbd daemons to continue 
running after the client closes the connection

while others close properly.  Officially stumped...
but thanks!



So where does this leave your bug report?





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
  

Jerry,

I'm not sure.  The production environment still experiences this issue, 
it's just that I have trouble duplicating it in a test environment.  
However, the traffic in that production environment is significantly 
heavier so it would be most difficult to create a similar environment in 
a test realm with only one or two XP machines.  I'm still not sure what 
causes the daemons to continue running on the server end.  I'll do my best 
to try and figure that out, Jerry, as I know it must be difficult when 
even the person reporting the bug can't consistently reproduce the 
problem.  I suppose for now you can nix the bug report, until I've been 
able to sufficiently determine what causes this problem.  Thank you!


Best,
Ryan


Re: [Samba] Windows XP and Samba 3.0.22 -- don't mix?

2006-06-14 Thread Ryan Steele

Jeremy Allison wrote:

On Wed, Jun 14, 2006 at 04:27:18PM -0500, Logan Shaw wrote:
  

It seems to me that, in most cases (there are exceptions),
doing a kill -9 isn't any more harmful than the machine
crashing or power being lost.  How resistant is smbd to the
machine losing power?  Would the same risk exist?



They are not quite equivalent as power being lost loses
all data not flushed to disk (if a non-journaling filesystem
is being used). But the same risk is present.

Jeremy.
  
Nonetheless, if a stop and a kill don't do it, there isn't much 
option left... at least not that I'm aware of.  And if there is, I'd be 
more than happy to use it instead of kill -9.  (Maybe kill -15 or 
something??)  I dunno.  In any event, I'm still doing my best to trace 
one of the problem processes, as Jerry suggested, from the production 
environment.  Just have to wait until it rears its ugly head again 
(which oughtta be tomorrow, if past behavior is a precedent for future 
behavior).  Thanks for all the input on this fellas, I appreciate it!


Best,
Ryan


[Samba] Windows XP and Samba 3.0.22 -- don't mix?

2006-06-13 Thread Ryan Steele
  printing = cups
  printcap name = cups
  ; to maintain capital letters in shortcuts in any of the profile folders:

  preserve case = yes
  short preserve case = yes
  case sensitive = no

[homes]
  comment = Home of %U, %u
  read only = No
  create mask = 0644
  directory mask = 0775
  browseable = No
  oplocks = No
  level 2 oplocks = No

[netlogon]
  path = /home/netlogon/
  read only = yes
  browseable = Yes
  write list = user1
  valid users = @"Domain Users"

[printers]
  #comment = Network Printers
  #printer admin = @Print Operators
  #guest ok = yes
  #printable = yes
  #path = /home/spool/
  #browseable = No
  #read only  = Yes
  #printable = Yes
  #print command = /usr/bin/lpr -P%p -r %s
  #lpq command = /usr/bin/lpq -P%p
  #lprm command = /usr/bin/lprm -P%p %j
  comment = All Printers
  path = /var/spool/cups
  browseable = yes
  public = yes
  guest ok = yes
  writable = no
  printable = yes
  printer admin = root, @"Print Operators"

[print$]
  path = /home/printers
  guest ok = Yes
  browseable = Yes
  read only = Yes
  valid users = @"Domain Users"
  write list = @"Print Operators"
  #create mask = 0664
  #directory mask = 0775

[public]
  comment = Public Repository
  path = /home/public
  guest ok = Yes
  read only = No
  directory mask = 0775
  create mask = 0664
  oplocks = No
  level 2 oplocks = No

[downloads]
  comment = Helpful Downloads
  path = /home/downloads
  guest ok = Yes
  read only = No
  directory mask = 0775
  create mask = 0664
  write list = user1
  valid users = @"Domain Users"



Any help would be greatly appreciated... thanks!

Best Regards,
Ryan Steele


Re: [Samba] Windows XP and Samba 3.0.22 -- don't mix?

2006-06-13 Thread Ryan Steele

Jeremy Allison wrote:

On Tue, Jun 13, 2006 at 11:37:05AM -0400, Ryan Steele wrote:
  
I desperately need a resolution to this issue.  I've asked once (about a 
day or two ago), but I haven't heard anything back.  The only reason I 
press the issue is because without a quick resolution, I may be 
forced to switch over to AD (cry!).  I submitted a request via Bugzilla 
but I saw a slightly similar problem with 3.0.20a that still hasn't been 
resolved, so I thought this might be a quicker route?  Here's a synopsis:



If you *have* to have a resolution on issues then you need to
buy support from someone, or use a Linux distro that has support
available and buy that.
  
Well, my life doesn't depend on it, I really just want to support Samba 
and stick with it because I've never had problems before this and in 
general I really like the Samba suite. 
I navigate through Windows Explorer to My Network Places and so on until 
I get to the server.  I open up a folder on the server.  I execute the 
'ps auxwww | grep mbd' and sure enough, there's the share.  The 
smbstatus command confirms this.  Now, I close out that Windows Explorer 
window I have open to the server.  However, a 'ps auxwww | grep mbd' 
shows that there is still a connection open to this folder and 
smbstatus confirms.  After a few minutes, the user for that pid 
changes to root, and the process just sits in there forever, sucking up 
0.9% of memory.  This happens with EVERY share Windows opens, and when 
it gets in this state, I can't open any new shares.  I've tried using 
the deadtime option to kill these...no dice, they still hang around.  
In fact, the only thing that gets rid of them is a 'killall -9 smbd'.  



There isn't a generic problem with Samba and XP, millions of clients
are using it successfully (and I'm not saying that lightly). If the process
seems stuck try attaching to it with gdb or strace and find out what
it's doing. 
I'm glad to hear there isn't a generic problem.  As far as strace, it's 
a bit difficult in this situation; by the time I'd have the information 
I'd need, there would be tens of thousands of lines of superfluous 
information... making it near impossible to extrapolate the useful 
stuff.  It'd be like finding a needle in a haystack.  Also, I'm a 
competent coder, but not a great one...so stepping through it with gdb 
might not be the best solution for me.  I was hoping there might be a 
way to attack this problem without having to step through it with, say, gdb.



Don't use kill -9, that can damage internal Samba databases.
  
Is there a better way?  `/etc/init.d/samba stop` and `kill /pid/` don't 
work...the processes still hang around.

If you don't know how to do these things then either learn to do so,
or buy support from someone who can. Sorry to seem harsh but the 
reality of such pleas is that it's easier to help someone who knows

how to help themself.
  
It does seem a bit harsh.  I fully support Samba and the wonderful 
effort and strides you guys are making...it really does show!  However, 
not all of the users/administrators are of equal experience, so we turn 
here for advice.  On your advice though, I'll figure out how to strace 
one of the processes generated by an XP client and include that in a 
follow-up to the mailing list, along with whatever I'm able to 
extrapolate from the data.  In my Bugzilla report, I included an excerpt 
from the log file that was generated by attempting to access share 
information from the server's command line at such a time when the Samba 
server was in an overwhelmed state, along with info from stdout.  The 
Bugzilla tracking number is #3832.

Jeremy.
  

Any thoughts?  Thanks!

Best Regards,
Ryan


[Samba] smbd -D processes spawn out of control

2006-06-12 Thread Ryan Steele

All,

I'm running the latest stable version of SerNet-Samba on a Debian Sarge 
box (I switched from the traditional Samba package for certain reasons 
which I won't delve into here), but I've come across a serious issue.  
Every day, the Samba processes become so numerous that the server begins 
acting really flaky.  That is to say, there are so many smbd -D 
processes that the server stops responding to further Samba requests and 
the server comes to a crawl.  For brevity's sake, I won't post the 
results of 'ps auxwww | grep smbd', as it would take up a lot of 
unnecessary space...but an smbstatus reveals nothing that indicates a 
huge problem:


server:/var/log/samba# smbstatus
Processing section [homes]
Processing section [netlogon]
Processing section [printers]
Processing section [print$]
Processing section [public]
Processing section [downloads]

Samba version 3.0.22-SerNet-Debian
PID     Username      Group         Machine
-------------------------------------------------------------------
11210   user2         Domain Users  user2        (192.168.1.198)
11353   user1         Domain Users  user1        (192.168.1.199)
11252   user3         Domain Users  user3        (192.168.1.209)
11208   user4         Domain Users  user4        (192.168.1.197)
11199   user5         Domain Users  user5        (192.168.1.251)
11280   user6         Domain Users  user6        (192.168.1.208)

Service      pid     machine       Connected at
-------------------------------------------------------
public       11353   user1         Mon Jun 12 13:38:19 2006
IPC$         11208   user4         Mon Jun 12 13:26:06 2006
IPC$         12921   user1         Mon Jun 12 14:51:33 2006
IPC$         11353   user1         Mon Jun 12 14:01:21 2006
IPC$         12391   user1         Mon Jun 12 14:02:53 2006
IPC$         11210   user2         Mon Jun 12 14:11:13 2006
IPC$         12623   user1         Mon Jun 12 14:27:55 2006
IPC$         12391   user1         Mon Jun 12 14:02:53 2006
public       11199   user5         Mon Jun 12 13:25:34 2006
IPC$         11199   user5         Mon Jun 12 13:34:53 2006
public       11210   user2         Mon Jun 12 13:26:20 2006
IPC$         11252   user3         Mon Jun 12 13:31:02 2006
IPC$         12612   user1         Mon Jun 12 14:26:26 2006
public       11280   user6         Mon Jun 12 13:32:20 2006
user5        11199   user5         Mon Jun 12 13:25:34 2006
IPC$         12921   user1         Mon Jun 12 14:51:33 2006
IPC$         12612   user1         Mon Jun 12 14:26:26 2006
IPC$         12945   user1         Mon Jun 12 14:52:56 2006
IPC$         11353   user1         Mon Jun 12 14:01:20 2006
public       11252   user3         Mon Jun 12 13:28:57 2006
public       11208   user4         Mon Jun 12 13:34:47 2006
user6        11280   user6         Mon Jun 12 13:33:37 2006

Locked files:
Pid    DenyMode    Access   R/W   Oplock  SharePath     Name
-------------------------------------------------------------------
11280  DENY_WRITE  0x2019f  RDWR  NONE    /home//user6  archive.pst   Mon Jun 12 13:33:44 2006
11280  DENY_WRITE  0x2019f  RDWR  NONE    /home//user6  companylists.pst   Mon Jun 12 13:33:45 2006
11280  DENY_NONE   0x2019f  RDWR  NONE    /home/public  user6/My Documents/company/Assoc vs Shareholderbenefit Comp 2005.xls   Mon Jun 12 14:02:36 2006
11280  DENY_NONE   0x2019f  RDWR  NONE    /home/public  user6/My Documents/company/Budget/2006 Budget/company Budget-2006 1-23-06.xls   Mon Jun 12 14:03:55 2006
11280  DENY_NONE   0x2019f  RDWR  NONE    /home/public  Quickbooks/company2005.qbw   Mon Jun 12 14:06:17 2006
11199  DENY_NONE   0x2019f  RDWR  NONE    /home/public  user5/My Documents/companyLetterhead.doc   Mon Jun 12 14:00:24 2006
11280  DENY_WRITE  0x2019f  RDWR  NONE    /home//user6  user6.PST   Mon Jun 12 13:33:37 2006
11280  DENY_NONE   0x2019f  RDWR  NONE    /home/public  Quickbooks/company2005.qbI   Mon Jun 12 14:06:17 2006
11210  DENY_NONE   0x2019f  RDWR  NONE    /home/public  user2/ADP/Batches/2006/Pay per 13  6-4 thru 6-17-06.xls   Mon Jun 12 15:33:14 2006



I've tried *everything* short of strace-ing, and I'm running out of 
options and time to get this working.  If anyone has had similar 
problems, please let me know what you did to correct the issue.  Nothing 
is NFS mounted, everything is local to the box (Samba, the home 
accounts, LDAP, etc).  It seems to me that Samba doesn't recognize when 
an smbd process should be killed on the server side, so they continually 
build up.  However, memory usage and swap space usage on the box are 
relatively low, so it's not an issue of the server being unable to 
handle the load of traffic.  Users then experience the problem of  being 
disconnected and working offline,  being unable to print, unable to 
access shares, etc.  Also of 

Re: [Samba] smbd -D processes spawn out of control

2006-06-12 Thread Ryan Steele
 descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
   #show add printer wizard = yes
   ; to maintain capital letters in shortcuts in any of the profile folders:

   preserve case = yes
   short preserve case = yes
   case sensitive = no

[homes]
   comment = Home of %U, %u
   read only = No
   create mask = 0644
   directory mask = 0775
   browseable = No
   oplocks = No
   level 2 oplocks = No

[netlogon]
   path = /home/netlogon/
   read only = yes
   browseable = Yes
   write list = user1
   valid users = @"Domain Users"

#[profiles]
#path = /home/profiles
#read only = no
#create mask = 0600
#directory mask = 0700
#browseable = No
#guest ok = Yes
#profile acls = yes
#csc policy = disable
## next line is a great way to secure the profiles
#force user = %U
## next line allows administrator to access all profiles
#valid users = %U @Domain Admins

[printers]
   #comment = Network Printers
   #printer admin = @Print Operators
   #guest ok = yes
   #printable = yes
   #path = /home/spool/
   #browseable = No
   #read only  = Yes
   #printable = Yes
   #print command = /usr/bin/lpr -P%p -r %s
   #lpq command = /usr/bin/lpq -P%p
   #lprm command = /usr/bin/lprm -P%p %j
   comment = All Printers
   path = /var/spool/cups
   browseable = yes
   public = yes
   guest ok = yes
   writable = no
   printable = yes
   printer admin = root, @"Print Operators"

[print$]
   path = /home/printers
   guest ok = Yes
   browseable = Yes
   read only = Yes
   valid users = @"Domain Users"
   write list = @"Print Operators"
   #create mask = 0664
   #directory mask = 0775

[public]
   comment = Public Repository
   path = /home/public
   guest ok = Yes
   read only = No
   directory mask = 0775
   create mask = 0664
   oplocks = No
   level 2 oplocks = No

[downloads]
   comment = Helpful Downloads
   path = /home/downloads
   guest ok = Yes
   read only = No
   directory mask = 0775
   create mask = 0664
   write list = user1
   valid users = @"Domain Users"


Jeremy Allison wrote:

On Mon, Jun 12, 2006 at 03:58:28PM -0400, Ryan Steele wrote:
  
I've tried *everything* short of strace-ing, and I'm running out of 
options and time to get this working.  If anyone has had similar 



Then I'd try strace, and also attach with gdb and see where
the spinning smbd's are spending their time.

Jeremy.
  


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
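
Before attaching strace or gdb as suggested in the thread above, it helps to narrow down which smbd children to attach to. The script below is an added example, not code from any poster or from the Samba project: it compares ps output against the session table printed by smbstatus and lists the smbd children that have no session. The sample data is constructed (modelled on the output quoted in the thread) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list smbd children that smbstatus shows no session for.
# On a live server the two inputs would be captured with:
#   ps -eo pid=,ppid=,user=,comm= > ps.txt
#   smbstatus > status.txt

# Constructed sample data, modelled on the output quoted in the thread.
sample_ps() {
cat <<'EOF'
 2301     1 root  smbd
 2310     1 root  nmbd
11199  2301 user5 smbd
11210  2301 user2 smbd
11353  2301 user1 smbd
12391  2301 root  smbd
12612  2301 root  smbd
12921  2301 root  smbd
EOF
}

sample_smbstatus() {
cat <<'EOF'
Samba version 3.0.22-SerNet-Debian
PID     Username      Group         Machine
-------------------------------------------------------------------
11210   user2         Domain Users  user2        (192.168.1.198)
11353   user1         Domain Users  user1        (192.168.1.199)
11199   user5         Domain Users  user5        (192.168.1.251)

Service      pid     machine       Connected at
-------------------------------------------------------
public       11353   user1         Mon Jun 12 13:38:19 2006
IPC$         12921   user1         Mon Jun 12 14:51:33 2006
EOF
}

# PIDs from the first smbstatus table (PID / Username / Group / Machine).
session_pids() {        # $1 = file holding smbstatus output
    awk '/^PID[[:space:]]+Username/ { t = 1; next }
         /^Service[[:space:]]+pid/  { t = 0 }
         t && $1 ~ /^[0-9]+$/       { print $1 }' "$1"
}

# smbd processes whose parent is also smbd: the per-connection children,
# not the listening daemon. Prints "pid user", sorted by pid.
child_smbd() {          # $1 = file holding ps output (pid ppid user comm)
    awk '$4 == "smbd" { ppid[$1] = $2; user[$1] = $3 }
         END { for (p in ppid) if (ppid[p] in ppid) print p, user[p] }' "$1" |
        sort -n
}

# Children without a session row: candidates for strace -p or gdb -p.
unaccounted_smbd() {    # $1 = ps file, $2 = smbstatus file
    sess=" $(session_pids "$2" | tr '\n' ' ')"
    child_smbd "$1" | while read -r pid user; do
        case "$sess" in
            *" $pid "*) ;;              # has a session, leave it alone
            *) echo "$pid $user" ;;
        esac
    done
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
sample_ps > "$tmp/ps.txt"
sample_smbstatus > "$tmp/status.txt"
unaccounted_smbd "$tmp/ps.txt" "$tmp/status.txt" | while read -r pid user; do
    echo "smbd $pid (running as $user) has no session;" \
         "trace it with: strace -f -tt -p $pid -o smbd.$pid.trace"
done
rm -rf "$tmp"
```

Attaching to one of the listed PIDs keeps the trace limited to a process that is already stuck, instead of tracing every connection from the start.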