[Samba] index and searching
Hello,

is there any news about remote indexing to use the index on a share? Is there a way to create such an index from one client and use it for other clients? What kind of search do you prefer for looking for office/pdf files in your samba shares?

Thanks in advance
Christoph

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] windows 7
Hello,

I'm using Samba
Version: 2:3.5.5~dfsg-1~bpo50+2 from backports
Patch applied: http://support.microsoft.com/kb/2171571
Key modified:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
DNSNameResolutionRequired=dword:
DomainCompatibilityMode=dword:0001

--

When I include a Windows 7 station into the samba domain, everything works fine, but I've got a lot of error messages:

[2010/10/25 08:19:53.174725, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/10/25 08:19:53.177153, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/10/25 08:19:53.177843, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
[2010/10/25 08:19:55.607701, 2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
  Returning domain sid for domain TEST-SAMBA - S-1-5-21-3551297527-875676932-1423664221
[2010/10/25 08:19:59.095642, 2] ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
  credentials check failed
[2010/10/25 08:19:59.095692, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WINDOWS7 machine account WINDOWS7$
[2010/10/25 08:20:06.623691, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [WINDOWS7] - [WINDOWS7] FAILED with error NT_STATUS_NO_SUCH_USER

pdbedit -v WINDOWS7$ :
---
Unix username: WINDOWS7$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-3551297527-875676932-1423664221-1005
Primary Group SID: S-1-5-21-3551297527-875676932-1423664221-513
Full Name: WINDOWS7$
Home Directory: \\test\windows7_
HomeDir Drive: m:
Logon Script:
Profile Path:
Domain: TEST-SAMBA
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: lun, 25 oct 2010 08:19:55 CEST
Password can change: lun, 25 oct 2010 08:19:55 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF

pdbedit -L WINDOWS7$ :
---
WINDOWS7$:4294967295:WINDOWS7$

What does 4294967295 mean???

After that, when I connect on the Windows 7 station with the tiptop user, I've also got some error messages:

[2010/10/25 08:32:58.833370, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [tiptop] - [tiptop] - [tiptop] succeeded
[2010/10/25 08:32:58.860904, 1] auth/auth_util.c:580(make_server_info_sam)
  User WINDOWS7$ in passdb, but getpwnam() fails!
[2010/10/25 08:32:58.860939, 0] auth/auth_sam.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2010/10/25 08:32:58.861009, 2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password: Authentication for user [WINDOWS7$] - [WINDOWS7$] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/10/25 08:33:00.510068, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [tiptop] - [tiptop] - [tiptop] succeeded
[2010/10/25 08:33:00.544211, 1] smbd/service.c:1070(make_connection_snum)
  windows7 (192.168.151.73) connect to service tiptop initially as user tiptop (uid=1002, gid=1002) (pid 2098)

But everything works fine. The station exists in the domain, the user can connect on it. Is it normal? Does this samba version not support Windows 7 stations well yet?

Thanks for your help

--
--- Pascal ---
Re: [Samba] Our success story with samba4
Hi,

besides nsd it is possible to make dynamic update work with bind on centos 5.5.

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Lukasz Zalewski
Sent: Friday, 22 October 2010 21:55
To: Michael Wood
Cc: samba@lists.samba.org; samba-technical
Subject: Re: [Samba] Our success story with samba4

On 22/10/2010 19:52, Michael Wood wrote:

Hi Michael,

Hi Lukasz

On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

Hi all,

This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment. This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great. The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).

Our setup is quite simple and includes: One samba4 DC (running on centos 5.5 x64) with nsd dns backend

[...]

Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

Nope, AFAIK nsd can't do ms style dynamic updates (it's the one bundled with Centos 5.5). We decided to go for static dns (we have only one s4 DC), which is composed of the bind config file generated by s4 provision (nsd can use bind config files, but TXT records have to be quoted for some reason) and all other records generated from database.

How was it to set up compared to bind?

Besides not setting up dynamic updates, quite easy (I think easier than bind). As mentioned earlier, it supports bind config syntax (but TXT records have to be quoted).

Regards
Luk
Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
Hi,

I'm sure this is not the correct behaviour. It used to work in samba 3.3 using the primary group set on the unix attributes tab. Of course this group has a GID, otherwise it wouldn't be visible.

-----Original Message-----
From: Andrew Lyon [mailto:andrew.l...@gmail.com]
Sent: Sunday, 24 October 2010 17:20
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

On Sun, Oct 24, 2010 at 2:46 PM, Andrew Lyon andrew.l...@gmail.com wrote:

-----Original Message-----
From: Andrew Lyon [mailto:andrew.l...@gmail.com]
Sent: Friday, 22 October 2010 11:50
To: Oliver Weinmann
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann oliver.weinm...@vega.de wrote:

Hi,

Any news regarding this problem? I have tested samba 3.5.6 and the problem still persists. I had to downgrade to 3.3 on a few machines now.

Regards,
Oliver

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
Sent: Thursday, 9 September 2010 13:13
To: samba@lists.samba.org
Subject: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

Dear All,

I stepped over a strange issue today. I have one installation of samba winbind 3.3.2 on a Ubuntu machine. Changing the primary unix group of a user is updated immediately. On a newer samba 3.5.4 installation the primary group is not updated at all. It always displays domain users. Is there a new setting for the smb.conf?

Here is my smb.conf:

[global]
netbios name = gedail1
realm = SOMEDOMAIN.NET
workgroup = SOMEDOMAIN
security = ADS
encrypt passwords = true
password server = server1.somedomain.net server2.somedomain.net
os level = 20
idmap backend = ad
idmap config SOMEDOMAIN : backend = ad
idmap config SOMEDOMAIN : schema_mode = sfu
idmap config SOMEDOMAIN : range = 0-
winbind nss info = sfu
winbind enum users = yes
winbind enum groups = yes
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log level = 10
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = no
client use spnego = Yes
use kerberos keytab = true
winbind refresh tickets = yes
idmap cache time = 1
winbind cache time = 1

It's a W2k3 AD Domain.

Regards,
Oliver

I've noticed the same with samba 3.5.6, our administrator user has primary group name/gid Domain Admins but the primary group on our linux systems is domain users.

I've noticed that searching AD for users with rfc2307/sfu attributes shows the correct gid:

net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P

sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
gidNumber: 1

sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
uidNumber: 10009
gidNumber: 10010

The gid returned is correct, and if I change it and remove the cache file it updates, so it is definitely being read from AD, but all users have gid domain users:

wbinfo -i test
test:*:10009:1:test:/home/test:/bin/bash

Andy

On Fri, Oct 22, 2010 at 10:55 AM, Oliver Weinmann oliver.weinm...@vega.de wrote:

Good to know that I'm not the only one facing this serious problem. I would really like to know why this is not the case under samba 3.3. Currently I have stopped upgrading from 3.3 to 3.5.x because this problem is generating a lot of trouble for us when users of different projects create files and they are read/write for all members of domain users. The only way around this is to use the SGID on the folder to inherit the project group.

Hi, I've
[Samba] home directory password problem
Hi all,

I just set up samba 3 on centos 5.5, and I'm having some problems with usernames/passwords. I'm unable to log in to my home directory with my username and password.

1. I've done smbpasswd -a to add the username
2. I've done smbpasswd -e to enable the username
3. The unix username and windows username are both manishie
4. The /home/manishie directory permissions are: drwxr-xr-x 4 manishie manishie

I can successfully access file or printer shares with the guest ok = yes flag. I cannot log in from either windows 7 or from os x to the home directory share, because the password is not accepted. My smb.conf follows. Any ideas?

Thanks!
mkm

--

[global]
workgroup = manishienet
server string = wiggly server
netbios name = wiggles
browseable = yes
log file = /var/log/samba/%m.log
max log size = 50
security = share
; passdb backend = tdbsam
local master = yes
os level = 65
preferred master = yes
wins support = yes
wins proxy = yes
load printers = yes
cups options = raw
printcap name = cups
printing = cups

[homes]
comment = Home Directories
browseable = yes
writable = yes
valid users = %S

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = yes
writable = no
printable = yes
browseable = no
guest ok = yes

[public]
path = /home/tmp
public = yes
writable = yes
printable = no

--
Re: [Samba] Application will not run for domain user
Hi,

It is part of XP here, not samba. XP SP3 is somewhat different from W2000. I managed to run some older programs by giving full ACLs on the client for the domain users and on the samba server.

Greetings
Daniel

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Friday, 22 October 2010 05:11
To: samba@lists.samba.org
Subject: Re: [Samba] Application will not run for domain user

Two possible options:

1) It may not be a local vs domain user issue. It may be an administrator vs non administrator issue. Can you add the domain user to the local administrators group?

2) It may be the file permissions - samba doesn't always translate the unix acl's to windows properly. If you can run quicken with the data on the XP machine's local hard drive then this is the case. What is the Samba PDC OS and file system? I found Solaris 10 ZFS was especially tricky. If you right click on a network directory or file, and check the permissions, do you get a warning about permissions being incorrectly ordered? Can you check effective permissions to see if a deny group is overriding an allow user?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Moskowitz
Sent: Thursday, October 21, 2010 10:48 PM
To: samba@lists.samba.org
Subject: [Samba] Application will not run for domain user

I have set up a Samba PDC using the Amahi.org distro, so there might be some things they still have a bit off...

Anyway, I have a somewhat old program, Quicken 2000. On my old Win2K workstation on an old NT server, it ran just fine for domain users. The software is installed on the workstation, and the data is on the server.

But on my new XP Pro workstation on my new Samba PDC, it only runs for a local user, and that user is a super user (I have not created a regular user on the system yet). It will not run for the domain user.

I reinstalled the software while logged on as the domain user. I got prompted to supply a user with admin privs for the install, which I did. I still cannot run the program from the domain user.

Where do I look to fix this?
Re: [Samba] SAMBA 4 ACL support
Hi,

why do you need this linux-windows mapping? On samba3 this could only be made by winbind or ldapclient. I think the same way you would succeed with samba4. Samba4 has its own cldap running; by pointing your ldapclient on linux to the cldap I think you could make it work.

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Vaclav Klecanda
Sent: Monday, 18 October 2010 09:42
To: samba@lists.samba.org
Subject: [Samba] SAMBA 4 ACL support

Hi all,

I am experimenting with samba 4. I have existing data on an NTFS partition and want to share them via samba. But I have problems with permissions (ACL). There is an option, ntvfs handler, that tells how mapping of permissions between the unix and windows world shall behave. But there is a lack of documentation. So I tried posix, simple, but in either case I was not able to write or even set permissions via the GUI from a windows client.

So I would like to ask if somebody knows where I could read something about this topic, or if there is a guru that knows how this thing works, please could you share your knowledge?

Thanks a lot,
Vasek
Re: [Samba] Our success story with samba4
On 25 October 2010 08:45, Daniel Müller muel...@tropenklinik.de wrote:

Hi, besides nsd it is possible to make dynamic update work with bind on centos 5.5.

Yes, sure. It's just that bind configuration seems to be a significantly difficult part of getting Samba 4 working (many people seem to have trouble with it) so I was wondering if nsd was any better.

I am using bind, but I don't really need dynamic DNS updates because I am only using Samba 4 for authentication of services on a couple of servers. i.e. no workstations. Static IPs. No machines joining/leaving etc.

Since I have bind working, I am not looking to switch to nsd. I was just wondering why Lukasz chose it, but I suppose they were using it already, before implementing Samba 4.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Lukasz Zalewski
Sent: Friday, 22 October 2010 21:55
To: Michael Wood
Cc: samba@lists.samba.org; samba-technical
Subject: Re: [Samba] Our success story with samba4

On 22/10/2010 19:52, Michael Wood wrote:

Hi Michael,

Hi Lukasz

On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

Hi all,

This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment. This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great. The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).

Our setup is quite simple and includes: One samba4 DC (running on centos 5.5 x64) with nsd dns backend

[...]

Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

Nope, AFAIK nsd can't do ms style dynamic updates (it's the one bundled with Centos 5.5). We decided to go for static dns (we have only one s4 DC), which is composed of the bind config file generated by s4 provision (nsd can use bind config files, but TXT records have to be quoted for some reason) and all other records generated from database.

How was it to set up compared to bind?

Besides not setting up dynamic updates, quite easy (I think easier than bind). As mentioned earlier, it supports bind config syntax (but TXT records have to be quoted).

--
Michael Wood esiot...@gmail.com
Re: [Samba] ldap user suffix
Thanks for your idea.

thanks

On 10/22/10, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

If the two organizations have nothing to do with each other, does that mean they don't need access to the same files? Will the following solution work for you

- configure a 2nd IP on the server
- run two instances of samba
- each samba instance has its own smb.conf file, with unique ip, server name, ldap settings, local configuration directories etc.

The two samba instances don't even have to be in the same domain or workgroup. I would however make one the WINS server for the whole organization.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of vishesh kumar
Sent: Friday, October 22, 2010 8:18 AM
To: Lukasz Zalewski
Cc: samba@lists.samba.org
Subject: Re: [Samba] ldap user suffix

Thanks Luk

I have to store users in different OUs, because there are two separate units running inside one organization. They have nothing to do with each other and their parent organization is the same and there is only one server to manage both.

Thanks

On 10/20/10, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

On 10/20/2010 08:16 AM, vishesh kumar wrote:

Thanks oliver for your reply, But No this is not possible in my case

Thanks

Why do you want to store users in two separate OU's? What is the rule that defines which OU should be used? You could look into openldap overlays, which might allow you to do dynamic re-write of dn's (amongst other things). Some distros ship openldap without overlays enabled so you need to check (this approach sounds like an overkill though, and might be more trouble than it's worth). I'm assuming you are using openldap.

Regards
Luk

On 10/20/10, Olivier FONTES oliv...@famille-fontes.net wrote:

On Wed, 20 Oct 2010 11:19:12 +0530, vishesh kumar linuxtovish...@gmail.com wrote:

Dear friends

My domain users are in two different OUs, one OU is TEMP_USERS and the other OU is PEOPLE. What should I mention in smb.conf? If I mention ldap user suffix = ou=PEOPLE, then users of ou TEMP_USERS are not able to authenticate. Please guide me.

Thanks
--
http://linuxinterviews.blogspot.com

Hi,

is it possible to put the two OUs into a specific OU that you could mention in your smb.conf? I had a similar problem, I solved it this way.

Olivier
---
The domain famille-fontes.net is self-hosted at my home. Contact me if you would like to do the same.

--
http://linuxinterviews.blogspot.com
Re: [Samba] Our success story with samba4
On 10/25/2010 07:45 AM, Daniel Müller wrote:

Hi Daniel,

Hi, besides nsd it is possible to make dynamic update work with bind on centos 5.5.

I think the version of bind shipped with CentOS 5.5 is too old. See http://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates

You can, as the wiki suggests, build one from source.

Regards
Luk

---
IT Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Lukasz Zalewski
Sent: Friday, 22 October 2010 21:55
To: Michael Wood
Cc: samba@lists.samba.org; samba-technical
Subject: Re: [Samba] Our success story with samba4

On 22/10/2010 19:52, Michael Wood wrote:

Hi Michael,

Hi Lukasz

On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

Hi all,

This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment. This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great. The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).

Our setup is quite simple and includes: One samba4 DC (running on centos 5.5 x64) with nsd dns backend

[...]

Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

Nope, AFAIK nsd can't do ms style dynamic updates (it's the one bundled with Centos 5.5). We decided to go for static dns (we have only one s4 DC), which is composed of the bind config file generated by s4 provision (nsd can use bind config files, but TXT records have to be quoted for some reason) and all other records generated from database.

How was it to set up compared to bind?

Besides not setting up dynamic updates, quite easy (I think easier than bind). As mentioned earlier, it supports bind config syntax (but TXT records have to be quoted).

Regards
Luk
Re: [Samba] Our success story with samba4
On 10/25/2010 08:31 AM, Michael Wood wrote:

Hi Michael,

On 25 October 2010 08:45, Daniel Müller muel...@tropenklinik.de wrote:

Hi, besides nsd it is possible to make dynamic update work with bind on centos 5.5.

Yes, sure. It's just that bind configuration seems to be a significantly difficult part of getting Samba 4 working (many people seem to have trouble with it) so I was wondering if nsd was any better.

I am using bind, but I don't really need dynamic DNS updates because I am only using Samba 4 for authentication of services on a couple of servers. i.e. no workstations. Static IPs. No machines joining/leaving etc.

This was our reasoning for switching to nsd (as we run nsd for other services). We do have machines joining/leaving, but the IPs and names are static so the records can be generated beforehand.

Since I have bind working, I am not looking to switch to nsd. I was just wondering why Lukasz chose it, but I suppose they were using it already, before implementing Samba 4.

We started with bind and it was all working (RHEL 6 beta), but when we switched to CentOS 5 the bind was not new enough. We wanted to avoid needless manual builds of bind (in general any packages) and keep everything packaged. (In saying that, I had to build the ldap module for python 2.6 to get the import from ldap script working.)

Regards
Luk

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Lukasz Zalewski
Sent: Friday, 22 October 2010 21:55
To: Michael Wood
Cc: samba@lists.samba.org; samba-technical
Subject: Re: [Samba] Our success story with samba4

On 22/10/2010 19:52, Michael Wood wrote:

Hi Michael,

Hi Lukasz

On 19 October 2010 11:12, Lukasz Zalewski lu...@eecs.qmul.ac.uk wrote:

Hi all,

This message is a testament to the great work samba team has done, but it's also an encouragement to those of you that are still not sure if samba4 will work in your environment. This semester we have moved from samba 3.0.X DC to samba4 DC for students, and things are working great. The move was predominantly driven by switching from Windows XP to Windows 7 desktop platform (but also by a need for proper group policy).

Our setup is quite simple and includes: One samba4 DC (running on centos 5.5 x64) with nsd dns backend

[...]

Do you have dynamic DNS updates working with nsd? Using Kerberos? From clients too or just with the samba_dnsupdate script?

Nope, AFAIK nsd can't do ms style dynamic updates (it's the one bundled with Centos 5.5). We decided to go for static dns (we have only one s4 DC), which is composed of the bind config file generated by s4 provision (nsd can use bind config files, but TXT records have to be quoted for some reason) and all other records generated from database.

How was it to set up compared to bind?

Besides not setting up dynamic updates, quite easy (I think easier than bind). As mentioned earlier, it supports bind config syntax (but TXT records have to be quoted).
[Samba] Folder ACLs
I am running Samba 3.6 and I have implemented extended attributes and acls for my shares. I want to make directory behavior as similar as possible to client Windows XP.

When I open the properties tab on a directory in a share, under user names I see two additional users: CREATOR GROUP and CREATOR OWNER. This seems to be a consequence of the ACL translation, as copying or moving this directory back to the PC results in the user list having the same users as the directories on the PC. The inherit permissions flag is not set on the share folder although it is set on the PC.

I have tried to edit the folder permissions from the Windows property menu for both the file owner as well as the CREATOR OWNER user above, and making a change, such as deselecting the full control flag, reverts back to the original state.

I can post my configuration if required. I intended to map permissions as directly as possible, though leave them flexible so that I can edit them later if required.

I saw the posting earlier regarding an experimental patch for Samba 3.6 ACL handling. Are these changes already included in the next version of 3.x Samba?

Derek
Re: [Samba] Joining domain works - logging in doesn't
On 22/10/2010 18:45, Dale Schroeder wrote:

Jonathan,

A guess -- I had the same error message and similar log entries because I had set

server signing = auto

The 3.5.x PDC would work only with the default No.

That was it Dale! Many thanks.

Jon.
[Samba] smbstatus questions
Hello list,

I'm running a samba 3.5.3 CTDB cluster, and found the output is different.

Q1: What does the 0: mean in the pid column? There was no such stuff in non-CTDB smbstatus output.

snip
samba_01:~ # smbstatus -S 2>/dev/null
Service pid machine Connected at
---
ben 0:21363 samba Mon Oct 25 17:59:35 2010
ben 0:21442 samba Mon Oct 25 17:59:39 2010
snip

Q2: How to parse smbstatus to capture the service column and pid column? As in the case of the homes share the service is named as the username, while a domain username may contain whitespace(s)?

snip
samba_01:~ # smbstatus -S 2>/dev/null
Service pid machine Connected at
---
ben 0:21363 samba Mon Oct 25 17:59:35 2010
benjamin linus 0:21442 samba Mon Oct 25 17:59:39 2010      benjamin[space]linux
james ford0:21550 samba Mon Oct 25 18:00:29 2010      james[space][space]ford, awk/cut can't handle this well, they only keep one space.
snip

I need these columns to close specific shares with smbcontrol, but fail to capture them. Is there any alternative?

Regards
-David
Re: [Samba] smbstatus questions
On Mon, Oct 25, 2010 at 06:18:27PM +0800, David Roid wrote:

Hello list, I'm running a samba 3.5.3 CTDB cluster, found the output is different

Q1: What does the 0: mean in pid column? There was no such stuff in non-CTDB smbstatus output.

That's the node number. If you connect to another node, that number will change.

Q2: How to parse smbstatus to capture service column and pid column? as in case of homes share the service is named as username, while domain username may contain whitespace(s)?

snip
samba_01:~ # smbstatus -S 2>/dev/null
Service pid machine Connected at
---
ben 0:21363 samba Mon Oct 25 17:59:35 2010
benjamin linus 0:21442 samba Mon Oct 25 17:59:39 2010      benjamin[space]linux
james ford0:21550 samba Mon Oct 25 18:00:29 2010      james[space][space]ford, awk/cut can't handle this well, they only keep one space.
snip

I need these column to close specific shares with smbcontrol, but fail to capture them. Is there any alternative?

Not really, sorry. You might want to send a patch to smbstatus that makes the output machine-parseable.

Volker
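One way to recover the service and pid columns despite whitespace in share names, as an added example that is not part of the thread and not Samba code: match each row from the right, because the timestamp, machine and pid fields have a fixed shape and everything left of them is the service name. It assumes the machine name contains no whitespace, the date is in the format shown in the post, and that smbcontrol accepts the pid column value as its destination; the sample rows are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout shown in the post (not captured output).
SAMPLE = """\
Service      pid     machine       Connected at
-------------------------------------------------------
ben          0:21363   samba         Mon Oct 25 17:59:35 2010
benjamin linus   0:21442   samba         Mon Oct 25 17:59:39 2010
james  ford   0:21550   samba         Mon Oct 25 18:00:29 2010
IPC$         21601   samba         Tue Oct  5 09:01:02 2010
"""

# <service> <[node:]pid> <machine> <Www Mmm dd hh:mm:ss yyyy>, anchored at the
# end of the line so the free-form service name is whatever remains on the left.
ROW = re.compile(
    r"^(?P<service>.+?)\s+"
    r"(?:(?P<node>\d+):)?(?P<pid>\d+)\s+"
    r"(?P<machine>\S+)\s+"
    r"(?P<connected>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s*$"
)


@dataclass(frozen=True)
class Share:
    service: str          # internal whitespace preserved exactly
    node: Optional[int]   # CTDB node number, None on a non-clustered server
    pid: int
    machine: str
    connected: str

    @property
    def dest(self) -> str:
        """pid column as printed: 'node:pid' on CTDB, plain pid otherwise."""
        return f"{self.node}:{self.pid}" if self.node is not None else str(self.pid)


def parse_smbstatus(text: str) -> List[Share]:
    shares = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            node = m.group("node")
            shares.append(Share(m.group("service"),
                                int(node) if node is not None else None,
                                int(m.group("pid")),
                                m.group("machine"),
                                m.group("connected")))
            continue
        stripped = line.strip()
        # Header, separator and blank lines are expected; anything else is a
        # row this parser does not understand, so fail loudly instead of
        # silently skipping a connection.
        if not stripped or set(stripped) == {"-"} or stripped.startswith("Service"):
            continue
        raise ValueError(f"unparseable smbstatus row: {line!r}")
    return shares


def close_share_argv(share: Share) -> List[str]:
    # argv list (for subprocess.run) rather than a shell string, so a service
    # name containing spaces reaches smbcontrol as one argument.
    return ["smbcontrol", share.dest, "close-share", share.service]


if __name__ == "__main__":
    for s in parse_smbstatus(SAMPLE):
        print(close_share_argv(s))
```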
Re: [Samba] Restricting samba subfolder acl changes to admin users
Just a reminder.

-----Original Message-----
From: Kandukuru, Suresh
Sent: Tuesday, October 19, 2010 6:49 PM
To: 'j...@samba.org'; 'samba@lists.samba.org'
Cc: 'volker.lende...@sernet.de'
Subject: RE: [Samba] Restricting samba subfolder acl changes to admin users

Jeremy, did you get a chance to look at this? Can you please pass your comments on this?

Thanks
Suresh

-----Original Message-----
From: Volker Lendecke [mailto:volker.lende...@sernet.de]
Sent: Monday, October 18, 2010 1:16 PM
To: Kandukuru, Suresh
Cc: j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:

Thanks Jeremy and Volker. Clarified some of the points. Still a little bit of confusion for me. So, in summary, a user can change the ACL if he has write access on the share and the ownership on subfolders / files inside it.

Here is my test.

1) Created share test, given write access to it for admin, user1 users.

2) Connected to the share with the admin user and created sub folder test_subfldr in it, and gave read access to the user1 user.

output of getfacl

r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
# file: test_subfldr/
# owner: admin
# group: users
user::rwx
user:user1:r-x
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:user1:r-x
default:group::---
default:mask::rwx
default:other::---
r...@storage:/mnt/soho_storage/samba/shares/SP0/test#

--

4) Connected to the test share with user1, could not write into test_subfldr, and user1 has changed the acl settings on test_subfldr to write access.

Why is samba allowing this? Though user1 has write access to the share, he is not the owner of test_subfldr/ (admin is the owner for this). user1 effectively has read access on the test_subfldr.

This might actually be a bug. Maybe Samba believes the user has write permissions due to the group having the w permission? Which group is the user member of?

Jeremy, can this be a mis-mapping of Posix permissions to NTFS ACLs in the dos filemode permission check?

Volker
Re: [Samba] Restricting samba subfolder acl changes to admin users
Jeremy, did you get a chance to look at this? Can you please pass your comments on this?

Thanks
Suresh

-----Original Message-----
From: Volker Lendecke [mailto:volker.lende...@sernet.de]
Sent: Monday, October 18, 2010 1:16 PM
To: Kandukuru, Suresh
Cc: j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:

Thanks Jeremy and Volker. Clarified some of points. Still a little bit of confusion for me. So, in summary if a user can change ACL, if he has write access on the share and the ownership on subfolders / files inside it. Here is my test.

1) Created share test, given write access to it for admin, user1 users.
2) Connected to share with admin user and created sub folder test_subfldr in it, and given read access to user1 user.

Output of getfacl:

r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
# file: test_subfldr/
# owner: admin
# group: users
user::rwx
user:user1:r-x
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:user1:r-x
default:group::---
default:mask::rwx
default:other::---
r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
--
4) Connected to test share with user1, could not write into test_subfldr, and user1 has changed acl settings on test_subfldr to write access. Why is samba allowing this? Though user1 has write access to share, he is not the owner of test_subfldr/ (admin is the owner for this). user1 effectively has read access on the test_subfldr.

This might actually be a bug. Maybe Samba believes the user has write permissions due to the group having the w permission? Which group is the user member of?

Jeremy, can this be a mis-mapping of Posix permissions to NTFS ACLs in the dos filemode permission check?

Volker
[Samba] build_sam_account: smbpasswd database is corrupt
Hi,

I wanted to migrate my sambapasswd file to an ldap test system and noticed that I do get errors:

build_sam_account: smbpasswd database is corrupt ... username with uid ... is not in unix passwd database!

Importing/changing LDAP accounts fails after the last user account entry in my sambapasswd file. Is there a way to remove all accounts which are in the sambapasswd file but not in my /etc/passwd file? Or is there a sort of 'skip on error' option for 'pdbedit --import'?

Thanks a lot and best regards,
Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner
Managing Director: Prof. Thomas Schadt
Re: [Samba] smbstatus questions
On 18:33:12 wrote David Roid:

Hello list, I'm running a samba 3.5.3 CTDB cluster, found the output is different

Q1: What does the 0: mean in pid column? There was no such stuff in non-CTDB smbstatus output.

snip
samba_01:~ # smbstatus -S 2>/dev/null
Service pid machine Connected at
---
ben 0:21363 samba Mon Oct 25 17:59:35 2010
ben 0:21442 samba Mon Oct 25 17:59:39 2010
snip

Q2: How to parse smbstatus to capture service column and pid column? as in case of homes share the service is named as username, while domain username may contain whitespace(s)?

snip
samba_01:~ # smbstatus -S 2>/dev/null
Service pid machine Connected at
---
ben 0:21363 samba Mon Oct 25 17:59:35 2010
benjamin linus 0:21442 samba Mon Oct 25 17:59:39 2010 benjamin[space]linux
james ford0:21550 samba Mon Oct 25 18:00:29 2010 james[space][space]ford, awk/cut can't handle this well, they only keep one space.
snip

awk can handle this, but I like sed. You may try this sed one liner.

smbstatus -S 2>/dev/null |sed -ne 's/^\(.*[[:alnum:]]\)[[:space:]]\{1, \}\([[:digit:]]\{1,2\}\:[[:digit:]]\{1,20\}\)[[:space:]]\{1,\}\([[:alnum:]]*\) [[:space:]]\{1,\}\(.*\)$/\...@_\2_@_...@_\4/p'

It only works for ctdb. You may change _...@_ with another delimiter like \t or \; ;-) .

I need these column to close specific shares with smbcontrol, but fail to capture them. Is there any alternative?

Regards -David

--
Regards, Harry Jede
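The right-anchored split that the sed one-liner in the message above relies on, written out as an added example (not code from the thread): the last seven whitespace-separated tokens of a share line are pid, machine and a five-token timestamp, and everything before them is the service name with its internal spaces intact. It goes beyond the CTDB-only case by also accepting a plain numeric pid; the function names and the sample rows are constructed for illustration, and a machine name without spaces is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `smbstatus -S` output on stdin, write "service<TAB>pid<TAB>machine".
parse_smbstatus_shares() {
    awk '
    {
        n = NF
        if (n < 8) next                            # header, ruler, blank line
        pid = $(n - 6)
        if (pid !~ /^([0-9]+:)?[0-9]+$/) next      # "vnn:pid" (CTDB) or "pid"
        if ($n !~ /^[0-9][0-9][0-9][0-9]$/) next   # last token must be a year
        machine = $(n - 5)

        # Peel the 7 trailing tokens off a copy of the raw line, so runs of
        # spaces inside the service name survive (field splitting loses them).
        svc = $0
        sub(/[ \t]+$/, "", svc)
        for (i = 0; i < 7; i++) {
            sub(/[^ \t]+$/, "", svc)
            sub(/[ \t]+$/, "", svc)
        }
        sub(/^[ \t]+/, "", svc)
        if (svc == "") next
        printf "%s\t%s\t%s\n", svc, pid, machine
    }'
}

# Print the pid of every connection to the service named exactly "$1".
# The name is passed through the environment, not `awk -v`, because -v
# interprets backslash escapes and would mangle names like DOMAIN\user.
pids_for_service() {
    parse_smbstatus_shares |
        WANT="$1" awk -F '\t' '($1 "") == (ENVIRON["WANT"] "") { print $2 }'
}

# Constructed sample input: three CTDB-style rows and one non-CTDB row.
sample_smbstatus() {
    cat <<'EOF'

Service      pid     machine       Connected at
-------------------------------------------------------
ben          0:21363   samba         Mon Oct 25 17:59:35 2010
benjamin linus   0:21442   samba         Mon Oct 25 17:59:39 2010
james  ford   0:21550   samba         Mon Oct 25 18:00:29 2010
IPC$         21601     samba         Mon Oct  5 09:01:02 2010
EOF
}

sample_smbstatus | parse_smbstatus_shares
```

On a live system the input would come from `smbstatus -S 2>/dev/null` instead of `sample_smbstatus`.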
[Samba] Bug in pdbedit?
I came across this some time ago and I finally decided to report it:

When I input pdbedit -Lv root I get:
Primary Group SID:S-1-5-21-XX-XX-XX-513

But if I use smbldap-usershow root I get:
Primary Group SID:S-1-5-21-XX-XX-XX-512

If I inspect the LDAP database with any other tool, the stored value is 512 (Domain Admins). So, where is pdbedit reading the 513 (Domain Users) from? I thought that, since I have an LDAP backend, it should be reading it from the LDAP database...

This has happened both in Samba 3.2.x and all of the 3.5.x releases. I didn't try 3.3.x and 3.4.x.
Re: [Samba] Cannot browse domain user list with 3.3.9 (and higher)
Hi

Sorry to ask again, but I am really in trouble to upgrade my samba server from 3.3.2 to higher. I made some other tests with various versions up to 3.5.4. I get the same symptoms and the same error as below: Bad char conversion.

Is there a compatibility problem between Samba versions? Do I have to purge some old cached files in the var/locks dir (or other)? Did I miss compiling samba with a specific option or specific lib?

Please help. Thanks in advance.
Henri

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of henri
Sent: Wednesday, 20 October 2010 21:26
To: samba@lists.samba.org
Subject: [Samba] Cannot browse domain user list with 3.3.9

Hi, I am trying to upgrade Samba from 3.3.2 to 3.3.9 for a Win7 compatibility issue. It is running on Redhat 9.0 (I've planned to upgrade to Centos 5.5 in a second step) and without any ldap backend (tdbsam actually).

As I have already done in the past for upgrading, I have done the following procedure:
1) Compile 3.3.9. My configure options are: ./configure --with-acl-support --enable-cups --with-pam --with-configdir=/usr/local/samba/etc --with-quotas --with-winbind
2) Stop the 3.3.2 service, and backup all the /usr/local/samba dir
3) make install the 3.3.9
4) restart the 3.3.9 service

Everything seems to work fine, except that:
- I can't use USRMGR.EXE anymore. I get a popup error when I run it: Incorrect Parameter, do you want to select another domain to administer.
- I can't explore the users domain when I try to list the users for adding permissions to share a folder, or adding a domain user in a local group. I can see only the domain groups.

I really need some help, I will have to deploy Win7 in a very near future :-S .
I have done some debugging in log level 2, it seems I got an error about Bad char conversion:

When I run USRMGR.EXE:

[2010/10/20 19:01:02, 2] smbd/close.c:close_normal_file(606) smbadmin closed file USRMGR.EXE (numopen=2) NT_STATUS_OK
[2010/10/20 19:01:02, 2] smbd/open.c:open_file(551) smbadmin opened file USRMGR.EXE read=Yes write=No (numopen=3)
[2010/10/20 19:01:02, 1] librpc/ndr/ndr.c:ndr_push_error(493) ndr_push_error(5): Bad char conversion
[2010/10/20 19:01:02, 0] rpc_server/srv_pipe.c:api_rpcTNP(2381) api_rpcTNP: samr: SAMR_QUERYDISPLAYINFO failed.
[2010/10/20 19:02:49, 1] librpc/ndr/ndr.c:ndr_push_error(493) ndr_push_error(5): Bad char conversion
[2010/10/20 19:02:49, 0] rpc_server/srv_pipe.c:api_rpcTNP(2381) api_rpcTNP: samr: SAMR_QUERYDISPLAYINFO failed.

When I try to list the domain users:

2010/10/20 19:03:43, 2] rpc_server/srv_samr_nt.c:_samr_LookupDomain(3456) Returning domain sid for domain CIRAD_STP - S-1-5-21-3907834674-2055786620-3212856667
[2010/10/20 19:03:43, 2] rpc_server/srv_samr_nt.c:_samr_LookupDomain(3456) Returning domain sid for domain CIRAD_STP - S-1-5-21-3907834674-2055786620-3212856667
[2010/10/20 19:03:43, 1] librpc/ndr/ndr.c:ndr_push_error(493) ndr_push_error(5): Bad char conversion
[2010/10/20 19:03:43, 0] rpc_server/srv_pipe.c:api_rpcTNP(2381) api_rpcTNP: samr: SAMR_QUERYDISPLAYINFO failed.
[2010/10/20 19:03:43, 2] rpc_server/srv_samr_nt.c:_samr_LookupDomain(3456) Returning domain sid for domain CIRAD_STP - S-1-5-21-3907834674-2055786620-3212856667
[2010/10/20 19:03:43, 2] rpc_server/srv_samr_nt.c:_samr_LookupDomain(3456) Returning domain sid for domain CIRAD_STP - S-1-5-21-3907834674-2055786620-3212856667

Here is the global section on my smb.conf :

[global]
log level = 2
netbios name = server1
server string = My Server
workgroup = CIRAD_STP
wins support = yes
os level = 255
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
security = user
encrypt passwords = yes
passdb backend = tdbsam:/usr/local/samba/private/passdb.tdb
enable privileges = yes
printcap name = /etc/printcap
load printers = no
printing = cups
nt acl support = yes
map acl inherit = yes
inherit acls = yes
obey pam restrictions = yes
time server = yes
username map = /usr/local/samba/etc/smbusers
name resolve order = wins host lmhosts bcast
logon script = logon%a.cmd
logon path =
logon drive = H:
logon home = \\server1\%U

Thanks in advance, any help would be very appreciated.
Henri
[Samba] CTDB_Recovery_Lock
Hello list,

I compiled the CTDB version from samba.org::ftp/unpacked/ctdb with the parameter: --prefix= This I did on CentOS 5.5. Then I copied and edited ctdb.sysconfig from /usr/src/ctdb/config to /etc/sysconfig/ctdb. I set CTDB_RECOVERY_LOCK=/share/ctdb_lock/lock_file on all three nodes. Every node can read and write on /share.

When I try to start ctdb it starts successfully with [OK]. But it prints the message: No recovery lock specified. Starting CTBD without split brain prevention. When I start the ctdbd with the --reclock=/share/ctdb_lock/lock_file parameter it starts up without any problems.

The first time, we compiled ctdb without setting the parameter --prefix= . But then it put all files in /usr/local/... For example: /usr/local/etc/ctdb/...

Why doesn't it take the lock file on /share/ctdb_lock/lock_file? Must this file be a specific one?

Sorry if this is the wrong mailing list for ctdb.

Regards
Andreas
[Samba] Domain user printing
It looks like a domain user has NO printing permission. Do I need Policy Editor for this? Where do I get it to run on an XP Pro system? I have seen various notes about this, but I can't make head or tails of them.
Re: [Samba] Folder ACLs
On Mon, Oct 25, 2010 at 02:04:30AM -0700, Derek Lewis wrote:

I am running Samba 3.6 and I have implemented extended attributes and acls for my shares. I want to make directory behavior as similar as possible to client Windows XP.

3.5.x or 3.6 ? 3.6 is not released yet.

When I open the properties tab on a directory in a share, under user names I see two additional users: CREATOR GROUP and CREATOR OWNER. This seems to be a consequence of the ACL translation, as copying or moving this directory back to the PC results in the user list to the same users as the directories on the PC. The inherit permissions flag is not set on the share folder although it is set on the PC. I have tried to edit the folder permissions from the Windows property menu for both the file owner as well as the CREATOR OWNER user above, and the making a change as deselecting full control flag, reverts back to the original state. I can post my configuration if required, I intended to map permissions as directly as possible, though leave them flexible so that I can edit them later if required.

I saw the posting earlier regarding an experimental patch for Samba 3.6 ACL handling. Are these changes already included in the next version of 3.x Samba?

The fixes for the acl_xattr module are in the git v3-6-test and master trees. Here is the jumbo patch that will apply to 3.5.6 and bring the ACL handling to functional parity with the later code. Please test and let me know if it works for you.

Jeremy.
Re: [Samba] Folder ACLs
On Mon, Oct 25, 2010 at 12:33:43PM -0700, Jeremy Allison wrote:

On Mon, Oct 25, 2010 at 02:04:30AM -0700, Derek Lewis wrote:

I am running Samba 3.6 and I have implemented extended attributes and acls for my shares. I want to make directory behavior as similar as possible to client Windows XP.

3.5.x or 3.6 ? 3.6 is not released yet.

When I open the properties tab on a directory in a share, under user names I see two additional users: CREATOR GROUP and CREATOR OWNER. This seems to be a consequence of the ACL translation, as copying or moving this directory back to the PC results in the user list to the same users as the directories on the PC. The inherit permissions flag is not set on the share folder although it is set on the PC. I have tried to edit the folder permissions from the Windows property menu for both the file owner as well as the CREATOR OWNER user above, and the making a change as deselecting full control flag, reverts back to the original state. I can post my configuration if required, I intended to map permissions as directly as possible, though leave them flexible so that I can edit them later if required.

I saw the posting earlier regarding an experimental patch for Samba 3.6 ACL handling. Are these changes already included in the next version of 3.x Samba?

The fixes for the acl_xattr module are in the git v3-6-test and master trees. Here is the jumbo patch that will apply to 3.5.6 and bring the ACL handling to functional parity with the later code. Please test and let me know if it works for you.

Arg. Attachment got stripped. Get it here instead: http://samba.org/~jra/samba-3-5-x-acl-jumbo-patch.tgz

Jeremy.
[Samba] Can I have a pointer to an XP discussion list for policies?
Obviously I am missing something major here. Or maybe just a minor thing. My smb.conf looks rather normal, and the domain user are Linux users, so there is no extra permissions. A domain user cannot print to a network attached printer that is using the HP printer port (9100). This seems to be a local policy block, as a local user can print to it. (note that a domain user CAN print to the XPS document writer 'printer'). A domain user cannot connect to a printer share, it gets an obvious policy error. So since there is no help over here to my earlier posts, perhaps an XP list might have some answers :(
Re: [Samba] Restricting samba subfolder acl changes to admin users
On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:

Thanks Jeremy and Volker. Clarified some of points. Still a little bit of confusion for me. So, in summary if a user can change ACL, if he has write access on the share and the ownership on subfolders / files inside it. Here is my test.

1) Created share test, given write access to it for admin, user1 users.
2) Connected to share with admin user and created sub folder test_subfldr in it, and given read access to user1 user.

Output of getfacl:

r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
# file: test_subfldr/
# owner: admin
# group: users
user::rwx
user:user1:r-x
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:user1:r-x
default:group::---
default:mask::rwx
default:other::---
r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
--
4) Connected to test share with user1, could not write into test_subfldr, and user1 has changed acl settings on test_subfldr to write access. Why is samba allowing this? Though user1 has write access to share, he is not the owner of test_subfldr/ (admin is the owner for this). user1 effectively has read access on the test_subfldr.

Attached smb.conf for your reference.

Ok, started to look at this. Thanks for your patience. What are the getfacl permissions on the folder: /mnt/soho_storage/samba/shares/SP0/test

I need to see the output from:

getfacl /mnt/soho_storage/samba/shares/SP0/test

and also please send me (privately if you wish) a debug level 10 log from smbd when user1 connects to the test share and changes the acl setting on test_subfldr.

Thanks,
Jeremy.
Re: [Samba] Winbind user authentication (-a) fails, but kerberos authentication succeeds
I have tried various settings for the Authentication Methods, all with similar results, currently set for NTLMv2 only. I don't know why wbinfo attempts plaintext auth when it is turned off in smb.conf. Also I have upgraded to the latest Samba available from RedHat, which did at least allow me to do on the fly account creation. I thought the two symptoms were linked, but obviously I was mistaken. The only other clue I have is that I can't use smbclient to list or connect to shares on the Linux box (But can with Kerberos auth), but I can for shares on Windows machines.

Thanks
Steven

charles weber wrote:

Is AD set for ntlmv2 only?

On Oct 22, 2010, at 8:45 AM, Robert Freeman-Day wrote:

On 10/21/2010 09:36 PM, Gaiseric Vandal wrote:

What kind of domain - samba PDC or Windows Active Directory ? Maybe the samba version is just too old.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Steven Moyse
Sent: Thursday, October 21, 2010 8:52 PM
To: samba@lists.samba.org
Subject: [Samba] Winbind user authentication (-a) fails, but kerberos authentication succeeds

I am having trouble setting up winbind authentication. I have successfully joined the domain

winbind -t OK
winbind -u OK
winbind -g OK
winbind -K 'DOMAIN\user%password' OK
winbind -a 'DOMAIN\user%password' FAIL

For winbind -a:
Plaintext authentication is attempted, and fails with NT_STATUS_ACCESS_DENIED
challenge/response authentication is attempted, and fails with NT_STATUS_ACCESS_DENIED

Am using SAMBA 3.0.33 on Redhat 5.4 patched to latest. I have previously configured many SAMBA servers

If you are joined to a Windows domain, you can update your RHEL to 5.5 and take advantage of Red Hat's Samba3x package. I wrote up a quickie migration doc to get there: https://wiki.uits.iu.edu/confluence-prd/pages/viewpage.action?pageId=116097702 It may be a good idea to migrate to it anyway to take advantages of newer features.
--
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=getsearch=0xBA9DF9ED3E4C7D36

--
Steven Moyse
Civica Pty Ltd
96 - 102 Lambton Rd. Broadmeadow NSW 2292
Phone: 02 4941 9493 (-9499 FAX)
email: smo...@civica.com.au
Re: [Samba] Samba 3.6 directory ACLs
On Mon, Oct 18, 2010 at 11:33:34PM +0100, Miguel Medalha wrote:

FYI. I've just committed a jumbo ACL patch for v3-6-test (and am currently looking at backporting this to 3.5.x) which I hope will fix several issues with storing ACLs in xattrs and getting full Windows ACL compatibility.

That would be *very* nice, especially the backporting to 3.5.x part!

Here you go :-). Download the jumbo patch for 3.5.6 here: http://samba.org/~jra/samba-3-5-x-acl-jumbo-patch.tgz

Please test and give me feedback !

Thanks,
Jeremy.
Re: [Samba] smbstatus questions
It works! Thanks Harry!

2010/10/26 Harry Jede walk2...@arcor.de

On 18:33:12 wrote David Roid:

Q2: How to parse smbstatus to capture service column and pid column? as in case of homes share the service is named as username, while domain username may contain whitespace(s)?

snip
samba_01:~ # smbstatus -S 2>/dev/null
Service pid machine Connected at
---
ben 0:21363 samba Mon Oct 25 17:59:35 2010
benjamin linus 0:21442 samba Mon Oct 25 17:59:39 2010 benjamin[space]linux
james ford0:21550 samba Mon Oct 25 18:00:29 2010 james[space][space]ford, awk/cut can't handle this well, they only keep one space.
snip

awk can handle this, but I like sed. You may try this sed one liner.

smbstatus -S 2>/dev/null |sed -ne 's/^\(.*[[:alnum:]]\)[[:space:]]\{1, \}\([[:digit:]]\{1,2\}\:[[:digit:]]\{1,20\}\)[[:space:]]\{1,\}\([[:alnum:]]*\) [[:space:]]\{1,\}\(.*\)$/\...@_\2_@_...@_\4/p'

It only works for ctdb. You may change _...@_ with another delimiter like \t or \; ;-) .

I need these column to close specific shares with smbcontrol, but fail to capture them. Is there any alternative?

Regards -David

--
Regards, Harry Jede
Build status as of Mon Oct 25 06:00:01 2010
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2010-10-24 00:00:34.0 -0600 +++ /home/build/master/cache/broken_results.txt 2010-10-25 00:00:03.0 -0600 @@ -1,4 +1,4 @@ -Build status as of Sun Oct 24 06:00:11 2010 +Build status as of Mon Oct 25 06:00:01 2010 Build counts: Tree Total Broken Panic @@ -15,7 +15,7 @@ samba-web0 0 0 samba_3_current 31 30 3 samba_3_master 32 20 0 -samba_3_next 32 32 0 +samba_3_next 31 31 0 samba_4_0_test 37 31 0 talloc 32 6 0 tdb 30 11 0
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via adcfda9 s3-waf: implement LIBMSRPC_GEN as tiny wrapper of 'NDR_STANDARD NDR_DSSETUP NDR_SPOOLSS' via 9802183 s3-waf: use NDR_NETLOGON for ntlm_auth via baf4c4d s3-waf: use NDR_SCHANNEL via 5b9a3a7 s3-waf: use NDR_NTLMSSP subsystem via ffbe1c0 s3-waf: add NDR_STANDARD dependencies to fix the build via 2b74cea s3-waf: use git to calculate the version if available via 8ea6f41 s4-waf: don't generate PACKAGE_* defines in config.h via e54d58d autobuild: add some comments via 47e2371 autobuild: run ldb tests with TDB_NO_FSYNC=1 from db73b4a waf: moved the -Wl,-no-undefined flags to source4 and ldb http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit adcfda92439f90c5c05fc80495dff53d9baa219f Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 06:07:46 2010 + s3-waf: implement LIBMSRPC_GEN as tiny wrapper of 'NDR_STANDARD NDR_DSSETUP NDR_SPOOLSS' metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Mon Oct 25 08:58:49 UTC 2010 on sn-devel-104 commit 98021831d768ebeea0f216f3ad65738c0ea45f37 Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 06:06:32 2010 + s3-waf: use NDR_NETLOGON for ntlm_auth metze commit baf4c4d3070a7e710fab890fdfebc89e34d15147 Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 06:05:37 2010 + s3-waf: use NDR_SCHANNEL metze commit 5b9a3a79f72f8df7e6d2d10cc48286a35afe0e85 Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 06:03:22 2010 + s3-waf: use NDR_NTLMSSP subsystem metze commit ffbe1c0723595e538b518335bde862627107a317 Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 07:47:35 2010 +0200 s3-waf: add NDR_STANDARD dependencies to fix the build metze commit 2b74cea5f0f3bdfc51f03cfb7641010c7954f222 Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 06:33:39 2010 + s3-waf: use git to calculate the version if available metze commit 8ea6f41ec9d3e2577432a8d9be100f1f42775787 Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 
06:49:46 2010 + s4-waf: don't generate PACKAGE_* defines in config.h - We don't use them anywhere (heimdal has special rules) - They calculate the version at configure time and may contain the wrong git hash while building - If we really need them in future we should add them to version.h and not config.h, as the changing git hash will trigger a full rebuild if config.h changes. metze commit e54d58d11388d0ff4afe3d08e0b19b0dd43835ad Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 08:16:04 2010 + autobuild: add some comments metze commit 47e2371598846271fcdd8b4bb43869acce1de8ed Author: Stefan Metzmacher me...@samba.org Date: Mon Oct 25 07:01:28 2010 + autobuild: run ldb tests with TDB_NO_FSYNC=1 Only the tdb tests should not have this. metze --- Summary of changes: script/autobuild.py |4 ++- source3/wscript | 24 +-- source3/wscript_build | 54 +- source4/heimdal_build/config.h |8 + source4/heimdal_build/roken.h |4 -- source4/heimdal_build/wscript_build |1 - source4/wscript |7 7 files changed, 41 insertions(+), 61 deletions(-) Changeset truncated at 500 lines: diff --git a/script/autobuild.py b/script/autobuild.py index 357cb16..a124ddf 100755 --- a/script/autobuild.py +++ b/script/autobuild.py @@ -24,6 +24,7 @@ tasks = { (install, make install, text/plain), (test, TDB_NO_FSYNC=1 make test FAIL_IMMEDIATELY=1, text/plain) ], +# We have 'test' before 'install' because, 'test' should work without 'install' source4 : [ (configure, ./configure.developer ${PREFIX}, text/plain), (make, make -j, text/plain), (test, TDB_NO_FSYNC=1 make test FAIL_IMMEDIATELY=1, text/plain), 
@@ -32,8 +33,9 @@ tasks = { source4/lib/ldb : [ (configure, ./configure --enable-developer -C ${PREFIX}, text/plain), (make, make -j, text/plain), (install, make install, text/plain), - (test, make test, text/plain) ], + (test, TDB_NO_FSYNC=1 make test, text/plain) ], +# We don't use TDB_NO_FSYNC=1 here, because we want to test the transaction code lib/tdb : [ (autogen, ./autogen-waf.sh, text/plain), (configure, ./configure --enable-developer -C ${PREFIX}, text/plain), (make, make -j, text/plain), diff --git
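Review bot: in the source4/lib/ldb entry (second hunk) the test step becomes "TDB_NO_FSYNC=1 make test" but still omits the FAIL_IMMEDIATELY=1 that the other test steps shown here pass ("TDB_NO_FSYNC=1 make test FAIL_IMMEDIATELY=1"). If the ldb test target honours that variable, add it so all autobuild test steps behave the same on the first failure; if it does not, a short comment saying so would stop the next reader from "fixing" it. Minor: the new comment in the first hunk has a stray comma after "because".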
[SCM] CTDB repository - branch 1.2 updated - ctdb-1.9.1-213-gba60c7b
The branch, 1.2 has been updated via ba60c7b12e2132a64d7258c4c2eb615fd6bf135a (commit) from 8128f466e646fd945fe9e8ff098858d13e52e6a0 (commit) http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=1.2 - Log - commit ba60c7b12e2132a64d7258c4c2eb615fd6bf135a Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Mon Oct 25 19:49:19 2010 +1100 new version 1.2.8 --- Summary of changes: packaging/RPM/ctdb.spec.in |5 - 1 files changed, 4 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/packaging/RPM/ctdb.spec.in b/packaging/RPM/ctdb.spec.in index 852df0f..fe1e702 100644 --- a/packaging/RPM/ctdb.spec.in +++ b/packaging/RPM/ctdb.spec.in @@ -3,7 +3,7 @@ Name: ctdb Summary: Clustered TDB Vendor: Samba Team Packager: Samba Team sa...@samba.org -Version: 1.2.7 +Version: 1.2.8 Release: 1GITHASH Epoch: 0 License: GNU GPL version 3 @@ -142,6 +142,9 @@ development libraries for ctdb %{_libdir}/libctdb.a %changelog +* Mon Oct 25 2010 : Version 1.2.8 + - Allow samba to specify that a new database to attach to/ create + should use Jenkins3 hash : CQ1019744 * Mon Oct 18 2010 : Version 1.2.7 - Dont monitor GPFS filesystems in 62.cnfs - If tdb_open() fails, print errno to make troubleshooting easier -- CTDB repository
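Review bot: the %changelog entry added in the second hunk describes a functional change (letting samba ask for the Jenkins3 hash on a database it attaches to or creates), yet this commit touches only packaging/RPM/ctdb.spec.in and its message is just "new version 1.2.8". Name the commit that carries that change in the commit message, so the version bump can be traced back to code, and drop the stray space in "attach to/ create".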
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e24cd13 s4:samldb LDB module - fix indentations via edab363 s4:samldb LDB module - use uint32_t for available krbtgt number via 9e6d07e s4:samldb LDB module - assign better memory contexts in some cases from adcfda9 s3-waf: implement LIBMSRPC_GEN as tiny wrapper of 'NDR_STANDARD NDR_DSSETUP NDR_SPOOLSS' http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e24cd13e40fa3ce867654cfea70369ba627351d8 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 11:05:22 2010 +0200 s4:samldb LDB module - fix indentations Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org Autobuild-Date: Mon Oct 25 09:48:15 UTC 2010 on sn-devel-104 commit edab363466256ab0357e4e43f2e38b25a509d711 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 11:02:34 2010 +0200 s4:samldb LDB module - use uint32_t for available krbtgt number commit 9e6d07e1b32d3050cc3574f658be1ea6ff4e87d8 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 10:55:11 2010 +0200 s4:samldb LDB module - assign better memory contexts in some cases --- Summary of changes: source4/dsdb/samdb/ldb_modules/samldb.c | 73 +++ 1 files changed, 45 insertions(+), 28 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 2357ffd..8a420f4 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -132,8 +132,8 @@ static int samldb_next_step(struct samldb_ctx *ac) return ac-curstep-fn(ac); } - /* we exit the samldb module here */ - /* If someone set an ares to forward controls and response back to the caller, use them */ + /* We exit the samldb module here. If someone set an ares to forward +* controls and response back to the caller, use them. */ if (ac-ares) { return ldb_module_done(ac-req, ac-ares-controls, ac-ares-response, LDB_SUCCESS); 
@@ -145,7 +145,8 @@ static int samldb_next_step(struct samldb_ctx *ac) /* sAMAccountName handling */ -static int samldb_generate_sAMAccountName(struct ldb_context *ldb, struct ldb_message *msg) +static int samldb_generate_sAMAccountName(struct ldb_context *ldb, + struct ldb_message *msg) { char *name; @@ -236,16 +237,19 @@ static int samldb_allocate_sid(struct samldb_ctx *ac) /* see if a krbtgt_number is available */ -static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, unsigned krbtgt_number) +static bool samldb_krbtgtnumber_available(struct samldb_ctx *ac, + uint32_t krbtgt_number) { TALLOC_CTX *tmp_ctx = talloc_new(ac); struct ldb_result *res; - const char *attrs[] = { NULL }; + const char *no_attrs[] = { NULL }; int ret; - ret = dsdb_module_search(ac-module, tmp_ctx, res, NULL, LDB_SCOPE_SUBTREE, -attrs, DSDB_FLAG_NEXT_MODULE, -msDC-SecondaryKrbTgtNumber=%u, krbtgt_number); + ret = dsdb_module_search(ac-module, tmp_ctx, res, NULL, +LDB_SCOPE_SUBTREE, no_attrs, +DSDB_FLAG_NEXT_MODULE, +(msDC-SecondaryKrbTgtNumber=%u), +krbtgt_number); if (ret == LDB_SUCCESS res-count == 0) { talloc_free(tmp_ctx); return true; @@ -287,7 +291,8 @@ static int samldb_rodc_add(struct samldb_ctx *ac) return LDB_ERR_OTHER; found: - ret = ldb_msg_add_empty(ac-msg, msDS-SecondaryKrbTgtNumber, LDB_FLAG_INTERNAL_DISABLE_VALIDATION, NULL); + ret = ldb_msg_add_empty(ac-msg, msDS-SecondaryKrbTgtNumber, + LDB_FLAG_INTERNAL_DISABLE_VALIDATION, NULL); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } @@ -298,12 +303,13 @@ found: return ldb_operr(ldb); } - ret = ldb_msg_add_fmt(ac-msg, sAMAccountName, krbtgt_%u, krbtgt_number); + ret = ldb_msg_add_fmt(ac-msg, sAMAccountName, krbtgt_%u, + krbtgt_number); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); } - newpass = generate_random_password(ac, 128, 255); + newpass = generate_random_password(ac-msg, 128, 255); if (newpass == NULL) { return ldb_operr(ldb); } 
@@ -327,7 +333,8 @@ static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac) ret = dsdb_module_search(ac-module, ac, res,
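Review bot: in the samldb_krbtgtnumber_available hunk the search filter names the attribute msDC-SecondaryKrbTgtNumber, while the found: path in samldb_rodc_add writes msDS-SecondaryKrbTgtNumber. If the msDC- spelling is a typo, the search can never match an existing entry, res-count is always 0, and every candidate number is reported as available, so a duplicate krbtgt number would go undetected. Since the filter line is being re-wrapped here anyway, this is the place to make the two attribute names agree.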
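Review bot: the parameter of samldb_krbtgtnumber_available becomes uint32_t, but both format strings that consume the value (the search filter and krbtgt_%u in samldb_rodc_add) still use %u, which expects unsigned int. That happens to match on the usual platforms, but an explicit cast to unsigned or a PRIu32 format would keep the type change and the format strings consistent.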
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c3fa990 s4:ldap.py - prove the denied multi-valued replace requests via fedd4aa s4:objectclass_attrs LDB module - deny multi-valued replace requests via 6e407a3 s4:provision_*_references.ldif - add and do not replace the wellKnownObjects from e24cd13 s4:samldb LDB module - fix indentations http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c3fa990f216e68a4b36d064f8a34e93d951b9201 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Sun Oct 24 21:32:30 2010 +0200 s4:ldap.py - prove the denied multi-valued replace requests Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org Autobuild-Date: Mon Oct 25 11:49:19 UTC 2010 on sn-devel-104 commit fedd4aa3cb7a0d4b895ec040d74cfbfbee42cac5 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Tue Oct 19 15:14:53 2010 +0200 s4:objectclass_attrs LDB module - deny multi-valued replace requests This is the AD behaviour. But on attributes with the flag FLAG_ATTR_REQ_PARTIAL_SET_MEMBER it is allowed. commit 6e407a3c1c7166801bcec364186c487c27b18550 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 11:28:09 2010 +0200 s4:provision_*_references.ldif - add and do not replace the wellKnownObjects This is the correct AD operation in this case. Multi-valued replaces are generally denied most of the time. --- Summary of changes: source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 13 +++ source4/dsdb/tests/python/ldap.py | 36 ++-- source4/setup/provision_basedn_references.ldif |2 +- .../setup/provision_configuration_references.ldif |2 +- 4 files changed, 33 insertions(+), 20 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c index 2024a33..b3f7048 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c 
@@ -139,6 +139,19 @@ static int attr_handler(struct oc_context *ac) } } + /* Multi-valued replace operations are generally denied but +* there do exist exceptions where attributes have the flag +* FLAG_ATTR_REQ_PARTIAL_SET_MEMBER set. */ + if ((ac-req-operation == LDB_MODIFY) + (LDB_FLAG_MOD_TYPE(msg-elements[i].flags) == LDB_FLAG_MOD_REPLACE) + (msg-elements[i].num_values 1) + ((attr-systemFlags DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER) == 0)) { + ldb_asprintf_errstring(ldb, objectclass_attrs: attribute '%s' on entry '%s' is replaced multi-valued!, + msg-elements[i].name, + ldb_dn_get_linearized(msg-dn)); + return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS; + } + /* Substitute the attribute name to match in case */ msg-elements[i].name = attr-lDAPDisplayName; } diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py index c02f567..a7e718e 100755 --- a/source4/dsdb/tests/python/ldap.py +++ b/source4/dsdb/tests/python/ldap.py @@ -613,15 +613,15 @@ class BasicTests(unittest.TestCase): objectclass: group, description: [desc1, desc2]}) -#m = Message() -#m.dn = Dn(ldb, cn=ldaptestgroup,cn=users, + self.base_dn) -#m[description] = MessageElement([desc1,desc2], FLAG_MOD_REPLACE, -# description) -#try: -#ldb.modify(m) -#self.fail() -#except LdbError, (num, _): -#self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) +m = Message() +m.dn = Dn(ldb, cn=ldaptestgroup,cn=users, + self.base_dn) +m[description] = MessageElement([desc1,desc2], FLAG_MOD_REPLACE, + description) +try: +ldb.modify(m) +self.fail() +except LdbError, (num, _): +self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) m = Message() m.dn = Dn(ldb, cn=ldaptestgroup,cn=users, + self.base_dn) 
@@ -655,15 +655,15 @@ class BasicTests(unittest.TestCase): description) ldb.modify(m) -#m = Message() -#m.dn = Dn(ldb, cn=ldaptestgroup,cn=users, + self.base_dn) -#m[description] = MessageElement([desc1,desc2], FLAG_MOD_REPLACE, -# description) -#try: -#ldb.modify(m) -#self.fail() -#except LdbError, (num, _): -#self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) +m = Message() +m.dn = Dn(ldb,
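Review bot: in the attr_handler hunk the comment names the flag FLAG_ATTR_REQ_PARTIAL_SET_MEMBER while the condition tests DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER; the comment should use the identifier that is actually checked so a search for it finds this code. The error text "is replaced multi-valued!" is also hard to read for an administrator; something like "multi-valued replace of attribute '%s' on entry '%s' is not allowed" states the rejected operation directly.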
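Review bot: the re-enabled cases in ldap.py only exercise the denied path, a two-value FLAG_MOD_REPLACE on description expecting ERR_ATTRIBUTE_OR_VALUE_EXISTS. Nothing in the hunks shown (the changeset is truncated) covers the exception the C change makes for attributes with the partial-set-member flag, so a regression that also denies replaces on those attributes would still pass. A positive test on one such attribute would pin down both halves of the new condition.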
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e567d6c s4:samldb LDB module - other indentation fixes on error messages from c3fa990 s4:ldap.py - prove the denied multi-valued replace requests http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e567d6c9f77a6f7fa311ed22050ad9d0b26f0a09 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 13:33:13 2010 +0200 s4:samldb LDB module - other indentation fixes on error messages Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org Autobuild-Date: Mon Oct 25 12:31:57 UTC 2010 on sn-devel-104 --- Summary of changes: source4/dsdb/samdb/ldb_modules/samldb.c | 21 - 1 files changed, 12 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 8a420f4..780491f 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -646,7 +646,8 @@ static int samldb_fill_object(struct samldb_ctx *ac) /* do not allow to mark an attributeSchema as RODC filtered if it * is system-critical */ if (check_rodc_critical_attribute(ac-msg)) { - ldb_asprintf_errstring(ldb, Refusing schema add of %s - cannot combine critical attribute with RODC filtering, + ldb_asprintf_errstring(ldb, + samldb: refusing schema add of %s - cannot combine critical attribute with RODC filtering, ldb_dn_get_linearized(ac-msg-dn)); return LDB_ERR_UNWILLING_TO_PERFORM; } @@ -696,8 +697,7 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct samldb_ctx *ac) (const char *)ldb_dn_get_rdn_val(ac-msg-dn)-data); if (sid == NULL) { ldb_set_errstring(ldb, - No valid SID found in - ForeignSecurityPrincipal CN!); + samldb: No valid SID found in ForeignSecurityPrincipal CN!); return LDB_ERR_CONSTRAINT_VIOLATION; } if (! samldb_msg_add_sid(ac-msg, objectSid, sid)) { 
@@ -741,7 +741,8 @@ static int samldb_schema_info_update(struct samldb_ctx *ac) ret = dsdb_module_schema_info_update(ac-module, schema, DSDB_FLAG_NEXT_MODULE); if (ret != LDB_SUCCESS) { - ldb_asprintf_errstring(ldb, samldb_schema_info_update: dsdb_module_schema_info_update failed with %s, + ldb_asprintf_errstring(ldb, + samldb_schema_info_update: dsdb_module_schema_info_update failed with %s, ldb_errstring(ldb)); return ret; } @@ -772,7 +773,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) el = ldb_msg_find_element(ac-msg, sAMAccountType); if (el != NULL) { ldb_set_errstring(ldb, - samldb: sAMAccountType must not be specified!); + samldb: sAMAccountType must not be specified!); return LDB_ERR_UNWILLING_TO_PERFORM; } @@ -784,7 +785,8 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac) sid = samdb_result_dom_sid(ac, ac-msg, objectSid); if ((sid != NULL) (!dsdb_module_am_system(ac-module)) (ldb_request_get_control(ac-req, LDB_CONTROL_RELAX_OID) == NULL)) { - ldb_asprintf_errstring(ldb, No SID may be specified in user/group modifications for %s, + ldb_asprintf_errstring(ldb, + samldb: no SID may be specified in user/group modifications for %s, ldb_dn_get_linearized(ac-msg-dn)); return LDB_ERR_UNWILLING_TO_PERFORM; } @@ -1280,7 +1282,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) el = ldb_msg_find_element(req-op.mod.message, sAMAccountType); if (el != NULL) { ldb_set_errstring(ldb, - samldb: sAMAccountType must not be specified!); + samldb: sAMAccountType must not be specified!); return LDB_ERR_UNWILLING_TO_PERFORM; } /* make sure that isCriticalSystemObject is not specified */ @@ -1288,7 +1290,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) if (el != NULL) { if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)
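Review bot: the rewritten error strings in these hunks do not follow one convention. Two use a lowercase message after the module prefix ("samldb: refusing schema add of %s", "samldb: no SID may be specified"), one keeps a capital ("samldb: No valid SID found in ForeignSecurityPrincipal CN!"), and samldb_schema_info_update keeps the function name as its prefix. The commit is titled as an indentation fix but it changes the text callers and logs will see, so the message should say so, and the prefix and capitalisation are worth settling in the same pass.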
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8bc2b54 s4-test: Extend DRS-msDSIntId test to verify Configuration NC replica also from e567d6c s4:samldb LDB module - other indentation fixes on error messages http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8bc2b54c7237697d8fddcec9a02d742c81c83699 Author: Kamen Mazdrashki kame...@samba.org Date: Sat Oct 9 06:47:20 2010 +0300 s4-test: Extend DRS-msDSIntId test to verify Configuration NC replica also Autobuild-User: Kamen Mazdrashki kame...@samba.org Autobuild-Date: Mon Oct 25 13:13:48 UTC 2010 on sn-devel-104 --- Summary of changes: source4/torture/drs/rpc/msds_intid.c | 35 + 1 files changed, 30 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/torture/drs/rpc/msds_intid.c b/source4/torture/drs/rpc/msds_intid.c index a6e7dc5..9fc141f 100644 --- a/source4/torture/drs/rpc/msds_intid.c +++ b/source4/torture/drs/rpc/msds_intid.c @@ -559,12 +559,14 @@ static bool test_dsintid_schema(struct torture_context *tctx, struct DsIntIdTest } /** - * Fetch Domain NC and check ATTID values returned. - * When Domain partition is replicated, ATTID + * Fetch non-Schema NC and check ATTID values returned. + * When non-Schema partition is replicated, ATTID * should be msDS-IntId value for the attribute * if this value exists */ -static bool test_dsintid_domain(struct torture_context *tctx, struct DsIntIdTestCtx *ctx) +static bool _test_dsintid(struct torture_context *tctx, + struct DsIntIdTestCtx *ctx, + const char *nc_dn_str) { uint32_t i; const struct dsdb_schema *ldap_schema; 
@@ -580,8 +582,8 @@ static bool test_dsintid_domain(struct torture_context *tctx, struct DsIntIdTest torture_assert(tctx, mem_ctx, Not enough memory); /* fetch whole Schema partition */ - torture_comment(tctx, Fetch partition: %s\n, ctx-domain_dn); - if (!_test_GetNCChanges(tctx, ctx-dsa_bind, ctx-domain_dn, mem_ctx, ctr6)) { + torture_comment(tctx, Fetch partition: %s\n, nc_dn_str); + if (!_test_GetNCChanges(tctx, ctx-dsa_bind, nc_dn_str, mem_ctx, ctr6)) { torture_fail(tctx, _test_GetNCChanges() failed); } @@ -643,6 +645,28 @@ static bool test_dsintid_domain(struct torture_context *tctx, struct DsIntIdTest return true; } +/** + * Fetch Domain NC and check ATTID values returned. + * When Domain partition is replicated, ATTID + * should be msDS-IntId value for the attribute + * if this value exists + */ +static bool test_dsintid_configuration(struct torture_context *tctx, struct DsIntIdTestCtx *ctx) +{ + return _test_dsintid(tctx, ctx, ctx-config_dn); +} + +/** + * Fetch Configuration NC and check ATTID values returned. + * When Configuration partition is replicated, ATTID + * should be msDS-IntId value for the attribute + * if this value exists + */ +static bool test_dsintid_domain(struct torture_context *tctx, struct DsIntIdTestCtx *ctx) +{ + return _test_dsintid(tctx, ctx, ctx-domain_dn); +} + /** * DSSYNC test case setup @@ -708,5 +732,6 @@ void torture_drs_rpc_dsintid_tcase(struct torture_suite *suite) torture_dsintid_tcase_teardown); test = torture_tcase_add_simple_test(tcase, Schema, (run_func)test_dsintid_schema); + test = torture_tcase_add_simple_test(tcase, Configuration, (run_func)test_dsintid_configuration); test = torture_tcase_add_simple_test(tcase, Domain, (run_func)test_dsintid_domain); } -- Samba Shared Repository
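Review bot: the doc comments on the two new wrappers in the -643,6 +645,28 hunk are swapped. The block above test_dsintid_configuration says "Fetch Domain NC" and the block above test_dsintid_domain says "Fetch Configuration NC", while the bodies pass config_dn and domain_dn respectively. Exchange the two comments so each describes the partition its function fetches.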
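Review bot: in the -580,8 +582,8 hunk the context comment "fetch whole Schema partition" still sits directly above the call that now fetches nc_dn_str. It was already inaccurate when the function fetched the Domain NC and is more so now that the helper is generic; change it to refer to the requested partition.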
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6fb64b9 s4:samdb_search_count - introduce a mem_ctx parameter via fd7943b ldb:gendb_* calls: support a NULL resultset parameter from 8bc2b54 s4-test: Extend DRS-msDSIntId test to verify Configuration NC replica also http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6fb64b9c7a281c2d148238390fccc08dce962f92 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 18:14:02 2010 +0200 s4:samdb_search_count - introduce a mem_ctx parameter All other samdb_search_* calls do have one - why samdb_search_count doesn't? Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org Autobuild-Date: Mon Oct 25 17:42:33 UTC 2010 on sn-devel-104 commit fd7943bc80f0e96b70d4f851ea4e3f8f7689bead Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 18:10:04 2010 +0200 ldb:gendb_* calls: support a NULL resultset parameter This is useful for samdb_search_count where only the amount of entries matters. --- Summary of changes: lib/util/util_ldb.c |9 + source4/dsdb/common/util.c | 10 -- source4/dsdb/samdb/ldb_modules/samldb.c |4 ++-- source4/rpc_server/samr/dcesrv_samr.c |9 ++--- 4 files changed, 17 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/util_ldb.c b/lib/util/util_ldb.c index 5a23ce4..a928245 100644 --- a/lib/util/util_ldb.c +++ b/lib/util/util_ldb.c 
@@ -55,22 +55,23 @@ int gendb_search_v(struct ldb_context *ldb, expr?%s:NULL, expr); if (ret == LDB_SUCCESS) { - talloc_steal(mem_ctx, res-msgs); - DEBUG(6,(gendb_search_v: %s %s - %d\n, basedn?ldb_dn_get_linearized(basedn):NULL, expr?expr:NULL, res-count)); ret = res-count; - *msgs = res-msgs; + if (msgs != NULL) { + *msgs = talloc_steal(mem_ctx, res-msgs); + } talloc_free(res); } else if (scope == LDB_SCOPE_BASE ret == LDB_ERR_NO_SUCH_OBJECT) { ret = 0; - *msgs = NULL; + if (msgs != NULL) *msgs = NULL; } else { DEBUG(4,(gendb_search_v: search failed: %s\n, ldb_errstring(ldb))); ret = -1; + if (msgs != NULL) *msgs = NULL; } talloc_free(expr); diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 9b813d1..39589e5 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -192,19 +192,17 @@ struct dom_sid *samdb_search_dom_sid(struct ldb_context *sam_ldb, return the count of the number of records in the sam matching the query */ int samdb_search_count(struct ldb_context *sam_ldb, + TALLOC_CTX *mem_ctx, struct ldb_dn *basedn, - const char *format, ...) _PRINTF_ATTRIBUTE(3,4) + const char *format, ...) _PRINTF_ATTRIBUTE(4,5) { va_list ap; - struct ldb_message **res; const char *attrs[] = { NULL }; int ret; - TALLOC_CTX *tmp_ctx = talloc_new(sam_ldb); va_start(ap, format); - ret = gendb_search_v(sam_ldb, tmp_ctx, basedn, res, attrs, format, ap); + ret = gendb_search_v(sam_ldb, mem_ctx, basedn, NULL, attrs, format, ap); va_end(ap); - talloc_free(tmp_ctx); return ret; } @@ -1871,7 +1869,7 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, * is for sure the same as our server site). If more sites do * exist then we don't know which one to use and set the site * name to . */ - cnt = samdb_search_count(ldb, sites_container_dn, + cnt = samdb_search_count(ldb, mem_ctx, sites_container_dn, (objectClass=site)); if (cnt == 1) { site_name = samdb_server_site_name(ldb, mem_ctx); 
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 780491f..26022b7 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -180,7 +180,7 @@ static int samldb_check_sAMAccountName(struct samldb_ctx *ac) return ldb_operr(ldb); } - ret = samdb_search_count(ldb, NULL, (sAMAccountName=%s), + ret = samdb_search_count(ldb, ac, NULL, (sAMAccountName=%s), ldb_binary_encode_string(ac, name)); if ((ret 0) || (ret 1)) { return ldb_operr(ldb); @@ -1523,7 +1523,7
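Review bot: gendb_search_v in lib/util/util_ldb.c now accepts msgs == NULL, but nothing in the hunk documents that in the function comment, and the three guards are written in two styles (a braced block on the success path, single-line "if (msgs != NULL) *msgs = NULL;" on the other two). The hunk also starts clearing *msgs on the search-failed path, which the commit message does not mention; callers that relied on the previous value surviving a -1 return should be checked.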
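Review bot: samdb_search_count in source4/dsdb/common/util.c no longer creates and frees its own tmp_ctx, so whatever gendb_search_v allocates and does not free now stays on the caller's mem_ctx. The visible paths do free res and expr, so this is probably fine, but the function comment should state that mem_ctx is used only for temporaries and that no result is returned on it. Because the signature changed, every caller has to be updated in the same commit; the changeset is cut off inside samldb.c and before dcesrv_samr.c, so that cannot be confirmed from what is shown.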
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via f991e79 s3: Initialize output vars in parse_ea_blob from 050075f Add SeSecurityPrivilige. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit f991e79affe671deb43e93ce38672f4c4d68fec0 Author: Volker Lendecke v...@samba.org Date: Sun Oct 24 13:27:33 2010 +0200 s3: Initialize output vars in parse_ea_blob Autobuild-User: Volker Lendecke vlen...@samba.org Autobuild-Date: Sun Oct 24 12:22:22 UTC 2010 on sn-devel-104 (cherry picked from commit 172a1580d234a2194ce5bc6ca6056bbea48ed7e3) --- Summary of changes: source3/libsmb/clifile.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c index 6b8230b..296e53a 100644 --- a/source3/libsmb/clifile.c +++ b/source3/libsmb/clifile.c @@ -4246,6 +4246,7 @@ static bool parse_ea_blob(TALLOC_CTX *ctx, const uint8_t *rdata, if (ea_size == 0) { /* No EA's present. */ *pnum_eas = 0; + *pea_list = NULL; return true; } @@ -4268,6 +4269,7 @@ static bool parse_ea_blob(TALLOC_CTX *ctx, const uint8_t *rdata, if (num_eas == 0) { *pnum_eas = 0; + *pea_list = NULL; return true; } -- Samba Shared Repository
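Review bot: both hunks in parse_ea_blob set *pea_list = NULL only on the two early "return true" paths with zero EAs. The failure paths of the function are not part of the diff, so a caller that inspects or frees *pea_list after a false return may still see an uninitialized pointer. Setting *pnum_eas = 0 and *pea_list = NULL once at the top of the function would cover every exit and make the per-branch assignments unnecessary.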
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 33f65a9 s4:samr RPC server - dcesrv_samr_info_DomGeneralInformation - count always all type of groups via 83c3813 s4:samr RPC server - remove a somewhat pointless comment from 6fb64b9 s4:samdb_search_count - introduce a mem_ctx parameter http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 33f65a93fe905d60d8fca85327ddbbf3f8c7fe6e Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 20:48:18 2010 +0200 s4:samr RPC server - dcesrv_samr_info_DomGeneralInformation - count always all type of groups One pair are universal and global groups (on the SAMR pipe called groups) and the other one are the domain and builtin local groups (on the SAMR pipe called aliases). Autobuild-User: Matthias Dieter Wallnöfer m...@samba.org Autobuild-Date: Mon Oct 25 19:37:27 UTC 2010 on sn-devel-104 commit 83c381385cf7d3787497a1adc78bb80e2e9c2e21 Author: Matthias Dieter Wallnöfer m...@samba.org Date: Mon Oct 25 20:39:05 2010 +0200 s4:samr RPC server - remove a somewhat pointless comment Regardless if groups and users do exist in the builtin domain or not we do count always all users, groups and aliases. --- Summary of changes: source4/rpc_server/samr/dcesrv_samr.c | 11 ++- 1 files changed, 6 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index cef580e..e419485 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -519,17 +519,18 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state break; } - /* No users in BUILTIN, and the LOCAL group types are only in builtin, and the global group type is never in BUILTIN */ info-num_users = samdb_search_count(state-sam_ctx, mem_ctx, state-domain_dn, (objectClass=user)); info-num_groups = samdb_search_count(state-sam_ctx, mem_ctx, state-domain_dn, - ((objectClass=group)(groupType=%u)), + ((objectClass=group)(|(groupType=%u)(groupType=%u))), + GTYPE_SECURITY_UNIVERSAL_GROUP, GTYPE_SECURITY_GLOBAL_GROUP); info-num_aliases = samdb_search_count(state-sam_ctx, mem_ctx, state-domain_dn, - ((objectClass=group)(groupType=%u)), + ((objectClass=group)(|(groupType=%u)(groupType=%u))), + GTYPE_SECURITY_BUILTIN_LOCAL_GROUP, GTYPE_SECURITY_DOMAIN_LOCAL_GROUP); return NT_STATUS_OK; @@ -3571,8 +3572,8 @@ static NTSTATUS dcesrv_samr_GetGroupsForUser(struct dcesrv_call_state *dce_call, attrs, d_state-domain_sid, ((member=%s)(|(grouptype=%d)(grouptype=%d))(objectclass=group)), ldb_dn_get_linearized(a_state-account_dn), - GTYPE_SECURITY_GLOBAL_GROUP, - GTYPE_SECURITY_UNIVERSAL_GROUP); + GTYPE_SECURITY_UNIVERSAL_GROUP, + GTYPE_SECURITY_GLOBAL_GROUP); if (count 0) return NT_STATUS_INTERNAL_DB_CORRUPTION; -- Samba Shared Repository
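Review bot: the new num_groups and num_aliases filters in dcesrv_samr_info_DomGeneralInformation format the GTYPE_SECURITY_* constants with (groupType=%u), while the dcesrv_samr_GetGroupsForUser filter in the second hunk formats the same constants with (grouptype=%d). For a constant with the high bit set the two specifiers produce different strings, and only the one that matches how groupType is stored will find anything, so one of these searches can silently count zero. Use the same specifier in both places, chosen to match the stored representation, and keep the removed comment's replacement short: a one-line note saying which group types map to SAMR groups and which to aliases would help the next reader.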
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via a78b0d5 pidl:Samba4/NDR/Parser: fix NDR64 union alignment from f991e79 s3: Initialize output vars in parse_ea_blob http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit a78b0d53043f82a77ba09fdfce73f5db63dff3ee Author: Stefan Metzmacher me...@samba.org Date: Mon Aug 16 17:35:50 2010 +0200 pidl:Samba4/NDR/Parser: fix NDR64 union alignment We need to align before the switch_type and before the union arms. Both alignments are to the boundary of the largest possible union arm. This means that adding a new union arm with a larger alignment would break compat!!! metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Sun Oct 24 17:49:23 UTC 2010 on sn-devel-104 (cherry picked from commit 482c02284068810a57b35a509857fb1273d833b0) --- Summary of changes: pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm |8 1 files changed, 8 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm index b389cfb..56b43a6 100644 --- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm +++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm @@ -1665,6 +1665,10 @@ sub ParseUnionPushPrimitives() $self-pidl(int level = ndr_push_get_switch_value($ndr, $varname);); + if (defined($e-{ALIGN})) { + $self-pidl(NDR_CHECK(ndr_push_union_align($ndr, $e-{ALIGN}));); + } + if (defined($e-{SWITCH_TYPE})) { $self-pidl(NDR_CHECK(ndr_push_$e-{SWITCH_TYPE}($ndr, NDR_SCALARS, level));); } @@ -1810,6 +1814,10 @@ sub ParseUnionPullPrimitives($) my ($self,$e,$ndr,$varname,$switch_type) = @_; my $have_default = 0; + if (defined($e-{ALIGN})) { + $self-pidl(NDR_CHECK(ndr_pull_union_align($ndr, $e-{ALIGN}));); + } + if (defined($switch_type)) { $self-pidl(NDR_CHECK(ndr_pull_$switch_type($ndr, NDR_SCALARS, _level));); $self-pidl(if (_level != level) {); -- Samba Shared Repository
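Review bot: the compatibility constraint this change creates is recorded only in the commit message. Neither the ParseUnionPushPrimitives hunk nor the ParseUnionPullPrimitives hunk carries a comment explaining that the emitted ndr_push_union_align / ndr_pull_union_align uses the alignment of the largest union arm, so adding an arm with a larger alignment changes the wire layout. A short comment above each "if (defined($e-{ALIGN}))" block would put that warning where someone editing an IDL union or this generator will see it, and would also note that the push and pull sides must stay symmetric.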