Using a non default port is not the solution, because history has learned
that security by obscurity never worked.
It's not security by obscurity, moving the default port is just to not
see all that garbage in the log files - as the automated scripts don't
check for ssh on
Enjoy this..., 8000+ attempts.
I moved the ssh port from the standard 22 to a high port. The attempts
to break into my servers disappeared. The logs are clean now. I would
advise you to do the same. Choose a high (> 1024) unused port and
configure the clients accordingly.
In smb.conf:
server string =
or
server string = anything
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Can I share all three of these (two are embedded)?
/data
/data/a
/data/b
Or do I need to break up as singles?
Of course you can!
Conclusion: There is no way for
an individual user, even one with decades of computer
experience, to set up a Linux LAN.
I cannot in any way, shape or form, agree with that. My first Linux
domain controller was working on production after a couple of weeks of
study, starting
# yum list | grep samba3
samba3.i386 3.4.0-40.el5 installed
samba3.x86_64 3.4.0-40.el5 installed
samba3-client.i386 3.4.0-40.el5 installed
samba3-client.x86_64 3.4.0-40.el5 installed
samba3-utils.i386
After upgrading a test machine to Sernet's 3.4 package, it looks like
the net command is gone.
I am using that same Sernet package (i386 version) and the net command
is working perfectly here.
Does there exist a GUI Front End for OpenLDAP admin for CentOS 5 (RHEL
5)?
From a Windows client you can see and manage your LDAP directory with
the free
LDAP Admin:
http://ldapadmin.sourceforge.net/
Under Linux, Luma
http://luma.sourceforge.net/
You can also manage your directory
We don't have any MS-Windows clients. The GUI must be Linux-based (this
includes a web-based system accessed via a standard web browser).
Under Linux, Luma
http://luma.sourceforge.net/
You can also manage your directory with a browser using the following
(among others):
Thanks for info, what do I need to modify or configure in order for this
file to remain hidden on all clients?
In smb.conf:
hide files = /desktop.ini/
The smbldap-tools developer's homepage is here:
http://www.iallanis.info/
You will find smbldap-tools-0.9.6-pre1 here:
http://www.iallanis.info/smbldap-tools/development_release/
It worked well for me.
If you prefer, smbldap-tools-0.9.5-1 final is here:
smbldap-tools-0.9.5-1.src.rpm
And you need winbind to fetch the fetch out of the domain, otherwise
windows could not know the samba-users.
You only need winbind if your server is a member server of a Windows
Active Directory.
I am setting file permissions from Windows on a Linux Samba PDC and I
don't use winbind.
Are there any config options needed within smb.conf that must exist to use this
feature?
Yes, there are. Instead of listing them here, I would direct you to the
smb.conf man page, available here in html format:
http://us3.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Search for
ok then you have the same users on both systems.
No, I don't have the same users on both systems. The Samba machine is
the Primary Domain Controller. The users of the Windows workstations are
authorized by the samba PDC. All the users are defined on the PDC only.
Please does some one have any documentation, tutorial, how to
about setting up a PDC basing on Samba with a LDAP (OpenLDAP) backend ?
Samba 3 by Example, included with Samba in HTML and PDF formats:
Chapter 5. Making Happy Users
You can also find it online here:
I have configured a samba PDC with a logon script. The logon script includes
dos commands to map a drive letter for different shares. One share has user
home directory, one has common folder for all the users and other share is
group share. For assigning a drive letter to group share I have
I can join the XP box to my Samba domain (called DOMAIN) using the
root user and pass.
But after rebooting and logging into that XP box as root, I can not
admin the box and am treated as a regular user.
On that XP computer, add the Domain Admin to the Administrators group.
nss_base_passwd ou=Computers,dc=DOMAIN,dc=IT?one
should be
nss_base_hosts ou=Computers,dc=DOMAIN,dc=IT?one
No, it shouldn't. From the point of view of a Windows domain, computers
are users too. The Samba manual even makes a joke about that, saying
that computers are
Did you install libnss-ldap and libpam-ldap? You need those.
Also, in /etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
I found that Samba works better with the ldapsam:trusted = yes
parameter. In this case, your LDAP database MUST contain the entire
POSIX account
If I try to connect with a user that exists in both the LDAP and etc/passwd
files I cannot get it to authenticate (error user is invalid or bad
password) but I don't get any log in the samba files
It means that the error precedes Samba.
or are you saying nss_base_hosts
ou=Computers,dc=DOMAIN,dc=IT?one is wrong?
I don't know about NFS, but from the point of view of a Samba PDC the
above is wrong. Computers are also domain users and as such they must be
referred to the nss_base_passwd directive.
Quoting from
I am a bit new to Samba PDC. When a M$ tech article says:
Use Active Directory Users and Computers to create a new
organizational unit (OU). What does this mean in Samba PDC talk?
Please translate.
That is LDAP terminology, not MS's.
You can do it: google LDAP. There is plenty of
Hmm, yes and no. In MS AD an OU means a little bit more than in pure LDAP.
In AD you create an OU
1. to delegate the administration of a subset of users, groups and
computers and
2. to attach a group policy to a subset of users and computers.
The term and concept come from LDAP. The way it
...I think that the term and concept came before LDAP - X.500 is what
you're thinking of :-)
You must consider context. We are speaking relatively here.
Organizational unit is an expression of natural human language which
certainly predates X.500. If you go down that road you will end
Based on your smb.conf, you must have the following entries in
/etc/ldap.conf
nss_base_passwd ou=Users,dc=DOMAIN,dc=IT?one
nss_base_passwd ou=Computers,dc=DOMAIN,dc=IT?one
nss_base_shadow ou=Users,dc=DOMAIN,dc=IT?one
nss_base_group ou=Groups,dc=DOMAIN,dc=IT?one
If the user logs in with his password all works well. If he restarts
or shutdown his machine and tries to relogin the system tells him that
his username/password is not correct.
If I reset his password @ Ubuntu with smbpasswd username and re-enter
the exactly same password, the user logs in
net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
Question 1: if my previous /etc/group names already match the
ntgroup names, do I still need to run the above command?
Yes.
Question 2: once I have mapped these groups, where are they
stored, so I can back them up?
Furthermore, when I access a samba share from any XP machine,
file/directory names on the Linux machine with non-ASCII characters e.g.
Gé Reinders will display wrongly, with box replacing 'é'.
I solved my problems with accented characters by using:
dos charset = CP850
unix charset =
So as it stands, all my defined shares work great, but my user home
folders have the network path not found error when trying to access or
map the drive.
You must have some error somewhere. I am running Samba 3.2.11 over
CentOS 5.2 with a symbolic link from /home to /data/users and it all
These settings are (S) in man smb.conf which means you should set them under
the share stanza, not in the global section.
That is incorrect.
Share parameters can also be used in the [global] section to be applied
globally.
Global parameters can only be used in the [global] section.
Here's (finally) the contents of his smb.conf:
[global]
workgroup = EXAMPLE01
password server = 192.168.50.1 192.168.50.2
realm = EXAMPLE.ORG
security = ads
idmap backend = rid:SIMR01=16777216-32554431
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
But again, no go. So I am assuming there must be another setting
Create a symbolic link from /home to your new home location.
You won't need to change anything in your smb.conf.
Aye aye aye. Alright, trying again. Thanks for your patience, everyone.
Still no attachment.
It will be difficult to help you if you don't tell, at least, what
version of Samba you are using...
A look at your smb.conf would be helpful, too.
Kindly give me some advice on what tools that you use to extract a
LDAP export from SAMBA into a CSV or better?
From a Windows client you can see and manage your LDAP directory with
the free
LDAP Admin:
http://ldapadmin.sourceforge.net/
You can also manage your directory with a
I have a samba server acting as a pdc
I search for creating some users who will have access on some machines
and not on others ,
so login is not possible everywhere!
Is it possible?? ; the server comes with samba 3.2.8-0.27 with
smbpasswd as backend
thanx for answers
I am using the
I want to avoid this and I do not have administrator permission of the windows
machine.
Is there any client side setting that I can change to avoid the updation of
'last access date' on the server?
Mount the server's filesystem with the noatime option?
Is there something I can do to ensure that RID=2*UID+1000 in every case?
See attribute sambaAlgorithmicRidBase under class sambaDomain.
Not to ask too stupid a question, but why would you want
to have a machine account? Would not the user account
suffice?
The Samba packages contain a book called: The Official Samba-3 HOWTO and
Reference Guide
Look at Chapter 4: Domain Control
Hello all
I am running Samba 3.2.8 over CentOS 5.2, with a LDAP back end.
On some days, not all, strange entries appear in the Samba logs. I get
entries like this:
[2009/03/18 18:35:09, 0] smbd/service.c:make_connection(1366)
aurora (192.168.0.22) couldn't find service netlogo
The real
Can I automatically connect the Home-Networkshare to a Network-Drive? Without
a Logon-Script?
In smb.conf:
logon drive = X:
Since I got no answer, does it mean that there is no possibility to force all
users to change their password the next time they will connect to the domain ?
It is possible, at least with LDAP. Now, I need to find a way to explain
how. I am in a hurry now. I will try to come back with
Ldap Account Manager (LAM) is a web interface to LDAP.
With it, you can define Minimum password length, Minimum lowercase
characters, Minimum uppercase characters, Minimum numeric characters,
Minimum symbolic characters, Minimum character classes, etc.
http://lam.sourceforge.net/
Using 'security=share' or 'security=user', via Windows right-click any Samba
exported file and set the Read-only attribute. This works, but now can not
clear the Read-only attribute, Windows reports simply Access is denied.
This happens with 3.3.0 and 3.3.1, but NOT 3.2.3.
Working
Also, what is different from my config that is causing this problem vs. other
posters who report that it works ok for them? (...)
I simply reported that it is working for me (as it is) because I assumed
that you were using store dos attributes = yes as I am. I found this
to be the
After setting the option ldapsam:trusted = yes smbd doesn't start any
longer
I get the following error in /var/log/smbd.log:
[2009/03/09 22:01:31, 0] smbd/server.c:main(1063)
ERROR: failed to setup guest info.
Group mapping?
Domain Guests is a required group, along with Domain Users
In my [homes] share I want to have two access rules. First one is
%D%w%S so that DOMAINdmarkey will only be able to access his own home
directory and nobody else's
But I only want users in the postgrad group to be able to access
their home directory.
That question has already been solved
I have set up a share with map hidden = yes, create mask = 0777
and directory mask = 0777.
Setting and removing the hidden attribute on a file works as
expected, but not on folders.
If I check the unix permissions on the folders, the execute bit is
always set for other.
Is this not
Hello all
I am now experimenting with samba 3.3.0 and acl_xattr. I can see that
there is another method of storing Windows ACLs: acl_tdb.
Can someone here tell me something about the relative merits and
demerits of those two methods?
I am using CentOS with an ext3 filesystem.
Thank you!
The source code package includes an (almost) complete documentation.
See there, under docs, the following books:
- Samba3-HOWTO.pdf -- This 965-page book contains a whole chapter
dedicated to vfs modules: Chapter 23 Stackable VFS modules
- Samba3-ByExample.pdf
The HTML versions of the
One word: LDAP.
Compilation options are not enough to enable vfs_acl_xattr support.
Does your smb.conf call the appropriate vfs module?
No, could you tell me what flags I need to set in smb.conf? In the
future, how do I figure out what flags should be used by reading the
source code? Is there any document about vfs module?
vfs objects = acl_xattr
Document? man smb.conf
Did you read the samba docs at all?
I did read majority of the how to document
http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/ and I
don't think I can find the answer there. Understandably that document
is for samba 3.0.x, but I don't see a version of howto for samba 3.3.
I also checked smb.conf file, I don't think
I have a CentOS 5.2 server with Samba 3.2.7 and an LDAP backend .
Everything is working well and smooth.
I noticed that the log files for some client machines (Windows XP)
contain the following:
[datetime, 0] smbd/trans2.c:call_trans2qfsinfo(2568)
call_trans2qfsinfo: not an allowed info
I have a Fedora 6 with samba 3.0.2465 working great as a PDC with
Win98 clients. The server has domain logon working and login scripts
running I have made a second server to replace the first but after
upgrading beyond Fedora 8 it no longer works. I can see shares with
Vista64 Business and
NOBODY ?? No one here with successful experience on User Lockout using
Samba+LDAP ??
It is working here. Samba 3.2.7 and 3.2.8 with LDAP, over CentOS 5.2.
Where is my PC getting the older version number from? I copied the
private folder, smb.conf, and smbpasswd from the old version to the new
install location. Could it be getting Samba 3.0.20b from one of these
files?
smb.conf
server string = - gives you the samba version.
Every so often I will see this in my log file:
smbd[1034]: [2009/02/02 08:47:21, 0]
lib/util_sock.c:get_peer_addr_internal(1607)
smbd[1034]: getpeername failed. Error was Transport endpoint is not
connected
smbd[1034]: read_socket_with_timeout: client 0.0.0.0 read error =
Connection reset
I have a PDC with CentOS + Samba 3.2.7 + LDAP serving a network of
Windows XP workstations. Everything is working very fast and smooth but
the following happens:
A user such as John Smith with username john normally appears as
John Smith under Windows XP, as can be seen when we press the Star
I believe this was supposed to be a bug in smbldap-tools however with
the latest release of that I still get that. It's no biggie though.
smbldap-tools is a set of scripts that do nothing to a running account. It only
works upon creating or modifying accounts.
The full user's name is
http://fixunix.com/samba/142062-samba-windows-xp-userid-start-menu.html
Also happens with an NT 4.0 domain controller, so it might not be a
Samba problem at all ;-).
Well...
Thank you for the link!
(I still would like to have some more hints about the causes...)
Here is the patch I've committed to the 3.3 code tree
for this problem. It will be in the next release. Please
try it out and let me know if it fixes your problem (it
does here).
Thank you so much!
Will Sernet provide a 3.3.0-38 version as they did with 3.2.7?
3.0.34 is now installed. no change. 'net rpc list groups' returns
nothing, while 'net rpc group members group' returns the correct
data
The correct syntax is 'net rpc group list' ...
Is behavior of ACLs under Samba 3.3.0 (Sernet) completely different from
that under version 3.2.7? The release notes only talk about some fixes.
I installed version 3.3.0 and got completely different result with the
same filesystem and the exact same samba configuration. The ACLs behaved
Much of the ACL code has been rewritten to allow underlying
filesystems to implement native NT ACLs directly (...)
Good!
but the functionality should be the same as 3.2.x when not
using the experimental ACL modules.
I am not using the ACL modules and the functionality is definitely
I would describe the problem *slightly* differently from Miguel. I do
not think that ACLs are the real problem, because the bug behaviour
exists regardless of whether you're using filesystem ACLs or not.
You may be right. I didn't have the time to thoroughly test it because I
had to
What your users can do with the file over Samba hasn't actually changed,
if they have write access to the directory they can still delete
the file, but the ACLs look funny.
No, they can't. I was alerted to this problem precisely because users
who have full access to the directory
How are they trying to delete the files ? Using Windows explorer or
cmd.exe or a custom app ?
Using Windows Explorer. This is a CentOS machine serving a network of
Windows XP workstations.
Volker's changes are correct, in that delete access in POSIX does not
belong to a file itself, but to the containing directory. So really
we should remove the DELETE_ACCESS bit from both the file and the
directory ACL returned.
Without having the deep knowledge you have about this, it seems
Can you give me an exact scenario to reproduce. I can certainly
delete files I have created in my test env.
I have a directory from which getfacl --t obtains the following:
USER Admin rwx rwx
GROUP Admins rwx rwx
group Admins rwx rwx
group Editores rwx rwx
Effectively, we should remove the map acl full control parameter as it no
longer has any use except to break things. I'll mark it deprecated with the patch.
Yes, I suppose you are right.
Thank you for your efforts. I really appreciate your work.
I have a question of a similar nature that I am going to post in a
separate message in this forum, but what I would like to know is
this: Is there a comprehensive list of ALL of the attributes of a
sambaSamAccount somewhere? I would like to know all of the various
things that you could
Is this expected behavior, or is there something seriously wrong with my
setup?
It seems to me that the latter does apply...
I have a LDAP server as passdb backend but how it is possible? what
should I do?
One of the attributes for objectClass sambaSamAccount is
sambaUserWorkstations. It is one of the components of a Samba account
in LDAP.
What are you using to manage your LDAP backend? As an example, from a
Filipe, it is possible it is taking so long to do a sort because when
doing it, it caches it on the client side of Distiller also + does it on the
Samba Server too. IE; Sorts on Both Sides.
I tried it, several times, on a standalone Windows workstation and the
same happens.
I am not
Sounds like a bug in the program. Maybe it runs a separate instance for
each page in that mode and doesn't release any memory until it is all
finished. On something smaller or less complex it might not make much
difference, but if the memory use pushes into swap it will take much
Hello, is there any way to limit users log on to some special machines? I
mean not all users can log on in to a machine.
It can be done with LDAP as passdb backend.
I do use it, though, and it works fine mostly. I've heard it explained
that the reasoning for avoiding TDBSAM is that if you're running a PDC,
you probably also need features not provided by TDBSAM. In many cases,
that isn't exactly accurate. We have MANY users, but our needs are
fairly simple
I just turned dir_index OFF with tune2fs. Now the directory order is the
same as the inode order.
This makes the order of files predictable and in fact turns out to solve
my problem.
With dir_index turned OFF on that filesystem, when a copy is made to
another directory (even from Windows on
Hi,
You might want to try to look into the Distiller side of things.
That's what I always did. I am a DTP guy.
1) I believe you are using Rundirex.txt file to convert all the .ps's
into one .pdf. This page from Adobe confirms that it will take the
files in directory order under
again, Windows NTFS directories are inherently stored in sorted order
because they are B-Tree indexes on the filename.
if this distiller process is being run from a DOS batch job in
Windows, you could perhaps use something like...
for /f %%F in ('dir /b /on *.ps') DO
(...) add the definition of a bubble sort routine before
that (which I got from Wikipedia), and then modify /RunDir into the
snippet below. (...)
Thank you for caring to look for and post the code.
At first I became very excited about it. But then I tried it...
It does work. The problem
You don't necessarily have to wait to see what the Distiller would do.
ls -U shows the files unsorted, in the directory order, that is
probably the order in which the Distiller is using them.
Yes, Distiller uses the directory order. I made an experience at home. I
copied 10 files by
Rebooted with sync on that filesystem. Copied the files again to a newly
created dir, etc. The results are the same. Why doesn't the directory
order reflect the inode order?
Because of dir_index!
I just turned dir_index OFF with tune2fs. Now the directory order is the
same as the
and you thought that 2400 bps was fast too I bet. Having started at 300
bps, I was shocked at how fast 1200 bps was.
that was a couple of eons ago
That reminded me that I still used a 1200 one for a while, too.
When the first 14,400 modems appeared, I could not believe the speed.
The
This sounds to me like the dir_index option was applied to a file system
that didn't originally have it and an fsck -Df wasn't run at the time.
That may well be the most relevant information given here! I will
*certainly* give it a try.
Thank you!
Did you consider sharing a directory from the machine running distiller
and cifs-mounting it on the linux side to get ntfs behavior?
That is out of question. The Windows machines are graphic workstations
which are not all connected all the time and the Distiller service is
essential to the
According to the Samba documentation, smbpasswd is not even recommended
for a PDC...
I was asking the same question not too many days ago.
I went with LDAP. It is not as difficult as some people think. It seems
somewhat daunting at first but then you quickly get the grasp of it.
It simply *works* and solves *a lot* of challenges at the same time,
leaving you ready for
I was under the impression that the Distiller app was running under
Windows. If it isn't, it doesn't make much sense for it to expect NTFS
filesystem semantics.
Yes, Distiller is running under Windows. When pages start to get ready,
one of the graphic operators opens Distiller on
I based my speculation on some observations I had made on some of my
own systems when I implemented dir_index. It so happens that, on that
system at least, a find /foo -print returns the filenames in sorted
order. Unfortunately, it isn't true on another system that I just
checked. So now I
http://code.google.com/p/samba-dirsort-vfs/
Did you try that? I think someone recommended it to you.
Well, I did try to compile it but make fails on all the Linux computers
I have access to. They all run CentOS 5.2. It would be nice to have a
.rpm... I am a sysadmin, not a programmer, I am
I still think the dir_index _ought_ to do what you need it to do. But
I've never had to depend on it for that purpose so it is just wishful
supposition on my part.
I am now almost certain that dir_index will solve the problem. I already
remotely did fsck -fD to that filesystem.
Now I