On Tuesday 29 July 2008 18:56:24 Linda W wrote:
> John H Terpstra wrote:
> > Please do not send the output of testparm -sv.
>
> --sorry---didn't want to presume defaults were the same in suse vs.
> standard.
>
> > Just send the output from "testparm -s" from the OpenSUSE 10.3 system.
>
> ----Done:
> Load smb config files from /etc/samba/smb.conf
> Processing section "[netlogon]"
> Processing section "[profiles]"
> Processing section "[homes]"
> Processing section "[home]"
> Processing section "[%U]"
> Processing section "[Share]"
> Processing section "[suse93]"
> Processing section "[backups]"
> Processing section "[root$]"
> Processing section "[Usr_Doc]"
> Processing section "[Music]"
> Processing section "[Pictures]"
> Processing section "[Inst]"
> Processing section "[Software]"
> Processing section "[logs]"
> Processing section "[vct]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> [global]
>     display charset = UTF8
>     workgroup = BLISS
>     netbios aliases = web-proxy, clock, wpad
>     server string = Ishtar
>     interfaces = eth0, lo
>     bind interfaces only = Yes
>     username map = /etc/samba/smbusers

This parameter should not be needed. Best to delete it.

>     client plaintext auth = No
>     log file = /var/log/samba/log.%m
>     max log size = 2048
>     name resolve order = wins lmhosts hosts wins
>     time server = Yes

This parameter is counter-productive since the 2.6 kernel auto-tunes the socket send and receive buffer sizes. Suggest you delete it.

>     socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>     show add printer wizard = No
>     add user script = /usr/sbin/useradd -m %u
>     delete user script = /usr/sbin/userdel %u
>     add group script = /usr/sbin/groupadd %g
>     delete group script = /usr/sbin/groupdel %g
>     add machine script = /usr/sbin/useradd -g machines -c Machine -d
> /dev/null -s /bin/false %u
>     domain logons = Yes
>     domain master = Yes
>     wins support = Yes
>     hosts allow = 192.168.3.0/24, 127.1

The next three (3) parameters should also not be needed. Suggest removal also.

>     allocation roundup size = 0
>     block size = 4096
>     use sendfile = Yes
>
> [netlogon]
>     path = /home/samba/netlogon/%u

This parameter should be changed from:

>     write list = @admin, root

to:

    write list = @"BLISS\admin", BLISS\root

add:

    guest ok = Yes

Also make sure that the guest account (nobody) is able to access the /home/samba/netlogon/%u folders. In general, use of the %u parameter in a resource that should be accessible by the guest account is potentially problematic.

> [profiles]
>     comment = Network Profiles Service
>     path = /home/samba/profiles
>     read only = No

Why these parameters on the profiles share?

>     create mask = 0600
>     directory mask = 0700
>     store dos attributes = Yes
>     browseable = No

Why these parameters?

>     csc policy = disable
>     share modes = No

Add this one:

    profile acls = Yes

> [homes]
>     comment = Home Dir
>     valid users = %S, %D%w%S
>     read only = No

Why these parameters? Should not be needed.

>     create mask = 0750
>     inherit acls = Yes
> [home]
>     comment = /home (allhomes)
>     path = /home

What is this? Do you have a group named "trusted_local_net_users"?

>     valid users = @trusted_local_net_users, law

Change to:

    valid users = @"BLISS\trusted_local_net_users", BLISS\law

What are the ownership and permissions settings on the /home directory? Are you seriously allowing users to write to each other's home directories?

>     read only = No

Why these two parameters? What are you trying to achieve with them?

>     create mask = 0750
>     inherit acls = Yes
>     browseable = No

What is the purpose of this share? Is this not covered by the homes service?

> [%U]
>     comment = Home Directory
>     path = /home/%U
>     valid users = %S, %D%w%S
>     read only = No
>     create mask = 0750
>     inherit acls = Yes
>
> [Share]
>     comment = Share
>     path = /Share
>     read only = No

What are the permissions on the /Share directory? Why do you need to permit the nobody account to set ACLs on this directory?

>     inherit acls = Yes
>     guest ok = Yes
>
> [suse93]
>     path = /Share/suse93/d1
>     guest ok = Yes
>
> [backups]
>     comment = Host backup-dirs
>     path = /backups/%m

Again, add the domain specifier (@BLISS\admin). What is the purpose of the "%m" parameter here? It makes no sense.

>     write list = @admin, @%m
>     read only = No
>     create mask = 0700
>     inherit acls = Yes

For the remaining shares, the same questions as above apply. It is best to keep your configuration simple, then add complexity only as it is proven to be necessary.

> [root$]
>     comment = /
>     path = /
>     read list = law, @trusted
>     write list = law
>     read only = No
>     browseable = No
>
> [Usr_Doc]
>     comment = /usr/share/doc
>     path = /usr/share/doc
>     read list = @users
>     write list = law
>     guest ok = Yes
>
> [Music]
>     comment = Music
>     path = /Share/Music
>     read list = @trusted_local_net_users
>     write list = law
>     guest ok = Yes
>
> [Pictures]
>     comment = Pictures
>     path = /Share/Pictures
>     read list = trusted_local_net_users, law
>     write list = law
>
> [Inst]
>     comment = Inst
>     path = /Share/Software/Inst
>     read list = @trusted_local_net_users
>     write list = law
>     browseable = No
>
> [Software]
>     comment = Software images
>     path = /Share/Software
>     read list = @trusted_local_net_users
>     write list = law
>     browseable = No
>
> [logs]
>     comment = Athena logs
>     path = /home/NT_Perflogs
>     guest ok = Yes
>     browseable = No
>
> [vct]
>     comment = test
>     path = /var/cache/test
>     read list = law, @admin, root
>     write list = law, @admin, root
>     guest ok = Yes
>     browseable = No

Please show us the output of executing on both servers:

    net groupmap list

Also, what is the output of?:

    net getdomainsid

- John T.
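
Three of the points raised in the reply above (fixed socket buffer sizes in `socket options`, `%u` in the path of a guest-accessible share, and `write list` / `valid users` entries without a domain specifier) can be checked mechanically against `testparm -s` output. The following Python sketch is an added example, not part of the original message and not Samba project code; the function names and the sample input are constructed, and treating any entry that contains `%` as a Samba macro to be skipped is an assumption.

```python
import re

# Constructed sample in `testparm -s` layout, built from values quoted in the thread.
SAMPLE = """\
[global]
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
[netlogon]
    path = /home/samba/netlogon/%u
    write list = @admin, root
    guest ok = Yes
[home]
    valid users = @"BLISS\\trusted_local_net_users", BLISS\\law
[homes]
    valid users = %S, %D%w%S
"""

def parse_shares(text):
    """Return {section: {parameter: value}} from testparm-style output."""
    shares, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # values may contain '=' themselves
            current[key.strip().lower()] = value.strip()
    return shares

def audit(text):
    """Return sorted (section, parameter, reason) tuples for the reviewed points."""
    findings = []
    for name, params in parse_shares(text).items():
        opts = params.get("socket options", "")
        if "SO_RCVBUF" in opts or "SO_SNDBUF" in opts:
            findings.append((name, "socket options", "fixed socket buffer sizes"))
        guest = params.get("guest ok", "").lower() == "yes"
        if guest and "%u" in params.get("path", ""):
            findings.append((name, "path", "%u in a guest-accessible path"))
        for key in ("write list", "valid users"):
            for entry in params.get(key, "").split(","):
                entry = entry.strip()
                # Assumption: entries containing '%' are Samba macros; skip them.
                if entry and "%" not in entry and "\\" not in entry:
                    findings.append((name, key, "no domain specifier: " + entry))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```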