Re: [Samba] Fwd: machine authentication at Active Directory

2007-04-12 Thread Andrew Bartlett
On Wed, 2007-04-11 at 18:20 -0300, Otto Fuchshuber Filho wrote:
> Can anybody help me with this issue or tell me where I can get help?
> Thanks
> --
> Otto Fuchshuber Filho
> [EMAIL PROTECTED]
> 
> -- Forwarded message --
> From: Otto Fuchshuber Filho <[EMAIL PROTECTED]>
> Date: 10/04/2007 22:08
> Subject: machine authentication at Active Directory
> To: [EMAIL PROTECTED]
> 
> 
> In an 802.1X environment, it's possible to permit a Windows
> desktop to gain access to the network by using only machine
> authentication at the Active Directory (no need for login +
> password).
> Is it possible to do the same with a Linux desktop with Samba?  I
> mean a Linux desktop passing machine credentials to Active Directory
> as Windows does (SID), without any login and password.

We store the information that could do this, but I don't think anybody
has done the link between that and 802.1x.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Re: Group Policy install MSI from Samba share

2007-04-12 Thread Steven Cardinal



-- Forwarded message --
From: "James A. Dinkel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Wed, 11 Apr 2007 10:47:45 -0500
Subject: RE: [Samba] Group Policy install MSI from Samba share
I'm assigning this to the Computer Accounts, not publishing to
groups/users.  The only thing I could think of was to give permission to
the Domain Computers group, but that does not work.

James Dinkel



We post our .msi files on our samba share without any problems getting them
to install through GPO. In the smb.conf, we list domain computers as being a
valid user. We have also set the acl on the directory to give domain
computers r-x. Yes, we are using extended acls on our reiserfs partition.

Check both places.
Good luck
Steve


[Samba] InterDomain Trust Issue w/Server 2003

2007-04-12 Thread Cody Jarrett
I'm having an issue establishing a trust between a samba/ldap PDC and a 
Windows 2003 Active Directory server on a separate domain. Here is what I've 
done. I've created a 2 way trust in windows with the samba domain. When I try 
to verify the outgoing trust from windows I get an access denied message. In 
samba logs I get " get_md4pw: Workstation CATS$: no account in domain" 
although I've created a trust account on the samba server 
using 'smbldap-useradd -w CATS' then I do the ldapmodify stuff according to 
the samba interdomain trust howto and set the sambaAcctFlags to "I". When I 
try to do "net rpc trustdom establish CATS" I type the password and 
get "[2007/04/12 15:43:07, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
  cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine CODY1.  
Error was NT_STATUS_ACCESS_DENIED
[2007/04/12 15:43:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4672)
  Couldn't not initialise wkssvc pipe"

If I type the wrong password, I get "NT_STATUS_LOGON_FAILURE" so I know the 
password is right. Does anyone have any ideas?

[EMAIL PROTECTED] ~]# smbldap-usershow cats$
dn: uid=CATS$,ou=People,dc=domain,dc=com
objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
cn: CATS$
sn: CATS$
uid: CATS$
uidNumber: 1140
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
userPassword: {SMD5}ZERr2tHzfxsdfFSddfsdfWs=
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaSID: S-1-5-21-1149954056-267194260-154304278-3280
sambaAcctFlags: [I]


[Samba] Idmap back compatible issue

2007-04-12 Thread Li, Ying (ESG)
I ran into a problem on idmap backend.

In previous Samba releases, there are two kinds of scenarios on idmap
backend.
1) No explicit idmap backend option presented in smb.conf. But imply
using default tdb idmap backend
idmap uid = low - high
idmap gid = low - high
2) idmap backend option exists in smb.conf
idmap uid = low - high
idmap gid = low - high
idmap backend = tdb [or ldap:ldap://ldapserver.com]

In 3.0.25pre2, 2) works for me. But 1) didn't. It looks like the new idmap
only considers the second scenario as back compatibility. It didn't
consider the first to be back compatible. Therefore, when using implied
idmap backend (without idmap backend option in smb.conf), winbind won't
work. When dom_list is empty after dom_list = lp_idmap_backend(), the
variable compat isn't assigned 1.

I believe that many users take the default setting without a specific
idmap backend option, if there is no particular idmap requirement. I'd
like to recommend considering the first situation as a back compatibility
issue. At least let it take the default tdb backend when no idmap
domains are present and there is no idmap backend in smb.conf.

Here is a patch for this. Could somebody look at it?

# diff -U 3 idmap.c idmap.c_my
--- idmap.c 2007-04-12 11:52:07.0 -0700
+++ idmap.c_my  2007-04-12 11:51:49.0 -0700
@@ -321,6 +321,14 @@
*p = '\0';
compat_params = p + 1;
}
+   } else {
+   /* Back compatible: without idmap domains and explicit
idmap backend
+* Taking default idmap backend: tdb
+*/
+   DEBUG(3, ("idmap_init: No idmap domains, No idmap
backend dom_list=%s\n", *dom_list));
+   compat = 1;
+   compat_backend = talloc_strdup( idmap_ctx, "tdb");
+   compat_params = compat_backend;
}

if ( ! dom_list) {
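
Review bot: the DEBUG call in the new else branch passes *dom_list to a %s format, but the branch's own comment and message say it runs when there are no idmap domains, and the unchanged `if ( ! dom_list) {` right after the hunk shows dom_list can be NULL at this point, so the log line dereferences a NULL pointer in exactly the case the patch targets. Drop the `dom_list=%s` part and its argument, or guard it. Two smaller points in the same branch: the result of talloc_strdup( idmap_ctx, "tdb") is used without a NULL check, and compat_params is pointed at compat_backend, so the parameter string becomes "tdb" itself; if no backend parameters are intended, say so in the comment or leave compat_params alone.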

Thanks.
-Ying


[Samba] Can I do advanced group mapping (rpc) without Active Directory?

2007-04-12 Thread Aaron Souza

All,

I finally figured out how to create essentially 'domain administrators' with
the mapping. However, I would like to go further. I work for a school
district and I would like to  further map students, teachers, and admin to
groups. The catch seems to be, that I do not have Active Directory- so I
don't think I can just make a 'teachers' group and map it? I have a
unixgroup teachers, and people are assigned correctly for that (so they get
the correct mappings).. but with rpc mappings, I could give more privileges
such as giving teachers printer admin.

Any explanation of how to do the most with samba without active directory,
would be appreciated.



Thanks in advance,
Aaron


Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-12 Thread Jeremy Allison
On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
> I cannot set rights on an arbitrary file or folder for the Windows
> predefined group "Authenticated Users" (which has SID S-1-5-11) via
> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
> 
> Everything else works:
> - I can set rights for any other domain group.
> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
> File Attribute Dialog if I set it manually with setfacl before
> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
> existence of this predefined group.
> 
> What am I doing wrong? Is this supposed to work?
> Is there a workaround or any other suitable mapping for this group?
> 
> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
> 3.1.4) that this might not work, but that was back in 2003 and 4 years
> have passed since then.

What fails ? Selecting the user in the GUI ? More info on
exactly what isn't working would be good.

Jeremy.


[Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-12 Thread Jens Nissen
I cannot set rights on an arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.

Everything else works:
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000
File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.

What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?

In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.

Kind regards for any hint,

Jens

P.S: smb.conf output from testparm, nt acl support = Yes is also set
(testparm does not show it)

[global]
dos charset = ISO-8859-1
unix charset = ISO-8859-1
display charset = ISO-8859-1
workgroup = XXX
realm = XXX.TEST
security = ADS
password server = xxx.xxx.test
passdb backend = tdbsam
guest account = samba
name resolve order = host wins bcast
idmap uid = 1000-6
idmap gid = 1000-6
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
ldapsam:trusted = Yes
admin users = XXX\\Administrator
ea support = Yes
map acl inherit = Yes
hide dot files = No
map hidden = Yes
map readonly = permissions
dos filemode = Yes

[homes]
comment = Home Directories
read only = No
browseable = No
preexec = mkdir -m 700 %P

[shared]
comment = ACL shared folder
path = /export/shared
read only = No
create mask = 0777
directory mask = 0777



Re: [Samba] SMB Signature verification failed when establish trust with win2003 domain

2007-04-12 Thread Jeremy Allison
On Wed, Apr 11, 2007 at 09:36:55AM -0400, Lin Li wrote:
> I found the solution. When the problem happens I set the "client use 
> spnego" to no. If I set it to yes, the trust works.

Can you get me a wireshark/ethereal trace of the failure
case please!

Jeremy.


[Samba] RE: Samba 3.0 and XP roaming profiles

2007-04-12 Thread contact_mahajan


Script is user1.bat with all the permissions. So Windows should know, but
nothing is happening.

Gigs



Dennis McLeod-5 wrote:
> 
> I haven't done this, so I don't really know.
> If the script is named "user1", would windows know what to do with it?
> Shouldn't it be "user1.bat"? (assuming it's a batch file.)
> If so, shouldn't it say:
> 
> path= /var/samba/netlogon/%U.bat
> 
> In the netlogon section?
> 
> Again, I haven't tried it, so I'm just guessing
> Dennis
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> contact_mahajan
> Sent: Thursday, April 12, 2007 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Samba] Samba 3.0 and XP roaming profiles
> 
> 
> 
> Hi,
> 
> I don't have samba with LDAP.
> I took out "\scripts\" part from logon script part in GLOBAL settings. Also
> I created a script for a particular test user (script name is same as login
> name). I stored that script under /var/samba/netlogon/. Permissions were
> also set so that this user can read/write/Execute, plus the ownership was
> also changed.
> I tried logging in as this user to test the script but nothing was mapped. I
> think the script failed. Can you think of any reason? I even restarted my
> samba services.
> 
> Thanks,
> 
> Gigs
> 
> 
> 
> 
> 
> Wolfgang Ratzka wrote:
>> 
>> contact_mahajan wrote:
>> 
>>> Also regarding my logon script, my smb.conf file says like this:
>>> 
>>> [GLOBAL]
>>> ..
>>> logon script = scripts\login.bat
>>> .
>>> 
>>> [netlogon]
>>> ...
>>> path= /var/samba/netlogon/%U
>>> 
>> 
>> This definition is trying to be subtle by defining a per-user-netlogon 
>> share, as %U expands to the session user name. Normally you will not 
>> want to do this, so you will strip off the "/%U" and simply put your 
>> login scripts below /var/samba/netlogon. (Permissions should of course 
>> be so that everyone can read and only admins can write.) The logon 
>> script parameter is a (windows) path relative to the netlogon 
>> directory. There is no need to put those in a subdirectory. (So you 
>> can do away with the "scripts\" part...) You should note that the 
>> logon script parameter in the [global] section can be overridden by 
>> per-user-settings in ldap (if you are using ldap).
>> 
>> Kind regards
>> --
>> Wolfgang Ratzka  Phone: +49 6421 2823531  FAX: +49 6421 2826994 Uni 
>> Marburg,  HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany

-- 
View this message in context: 
http://www.nabble.com/Samba-3.0-and-XP-roaming-profiles-tf3561201.html#a9963320
Sent from the Samba - General mailing list archive at Nabble.com.



RE: [Samba] Samba 3.0 and XP roaming profiles

2007-04-12 Thread Dennis McLeod
I haven't done this, so I don't really know.
If the script is named "user1", would windows know what to do with it?
Shouldn't it be "user1.bat"? (assuming it's a batch file.)
If so, shouldn't it say:

path= /var/samba/netlogon/%U.bat

In the netlogon section?

Again, I haven't tried it, so I'm just guessing
Dennis


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
contact_mahajan
Sent: Thursday, April 12, 2007 8:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [Samba] Samba 3.0 and XP roaming profiles



Hi,

I don't have samba with LDAP.
I took out "\scripts\" part from logon script part in GLOBAL settings. Also
I created a script for a particular test user (script name is same as login
name). I stored that script under /var/samba/netlogon/. Permissions were
also set so that this user can read/write/Execute, plus the ownership was
also changed.
I tried logging in as this user to test the script but nothing was mapped. I
think the script failed. Can you think of any reason? I even restarted my
samba services.

Thanks,

Gigs





Wolfgang Ratzka wrote:
> 
> contact_mahajan wrote:
> 
>> Also regarding my logon script, my smb.conf file says like this:
>> 
>> [GLOBAL]
>> ..
>> logon script = scripts\login.bat
>> .
>> 
>> [netlogon]
>> ...
>> path= /var/samba/netlogon/%U
>> 
> 
> This definition is trying to be subtle by defining a per-user-netlogon 
> share, as %U expands to the session user name. Normally you will not 
> want to do this, so you will strip off the "/%U" and simply put your 
> login scripts below /var/samba/netlogon. (Permissions should of course 
> be so that everyone can read and only admins can write.) The logon 
> script parameter is a (windows) path relative to the netlogon 
> directory. There is no need to put those in a subdirectory. (So you 
> can do away with the "scripts\" part...) You should note that the 
> logon script parameter in the [global] section can be overridden by 
> per-user-settings in ldap (if you are using ldap).
> 
> Kind regards
> --
> Wolfgang Ratzka  Phone: +49 6421 2823531  FAX: +49 6421 2826994 Uni 
> Marburg,  HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany



[Samba] machine trust account password backup

2007-04-12 Thread Vincent Régnard

Hi all,

I am facing a problem regarding machine trust account password backup 
for samba-3 acting as NT4 PDC.


If I understand it well, passwords for machine trust accounts are always 
modified the first time a Windows host joins the domain. I use the smbpasswd 
backend (samba3.0.25rc1), and the password is modified in the db file 
smbpasswd. Is there a way to know this password in a clear text format?


I manually create user and machine accounts (Unix+samba) and I actually 
need this because my rescue system automatically recreates smbpasswd 
from cleartext information stored in a remote DB. It's been working well 
for years with user accounts, but now that I switched to samba-as-PDC I 
encounter a big problem (I can't get the machine passwords to have them 
stored in my backup database). I am looking for a solution:


- Ideally I would like to set an initial password for the machine trust 
account and force the client to use this password: the samba password 
for the machine would be "imported" in the Windows registry (maybe manually)? 
Can samba force Windows to use a given password for the machine trust 
account?


- Maybe there are some possibilities to get the cleartext transcoding of 
the password that is set when joining the domain the first time so that 
I can back it up in my database?


What is the "standard" solution you would recommend? Do I rather back up 
the smbpasswd file and restore the lines concerning machine trust accounts?


Any comments are welcome.

Vincent


Re: [Samba] Samba 3.0 and XP roaming profiles

2007-04-12 Thread contact_mahajan


Hi,

I don't have samba with LDAP.
I took out "\scripts\" part from logon script part in GLOBAL settings. Also
I created a script for a particular test user (script name is same as login
name). I stored that script under /var/samba/netlogon/. Permissions were
also set so that this user can read/write/Execute, plus the ownership was
also changed.
I tried logging in as this user to test the script but nothing was mapped. I
think the script failed. Can you think of any reason? I even restarted my
samba services.

Thanks,

Gigs





Wolfgang Ratzka wrote:
> 
> contact_mahajan wrote:
> 
>> Also regarding my logon script, my smb.conf file says like this:
>> 
>> [GLOBAL]
>> ..
>> logon script = scripts\login.bat
>> .
>> 
>> [netlogon]
>> ...
>> path= /var/samba/netlogon/%U
>> 
> 
> This definition is trying to be subtle by defining a per-user-netlogon
> share, as %U expands to the session user name. Normally you will not
> want to do this, so you will strip off the "/%U" and simply put your
> login scripts below /var/samba/netlogon. (Permissions should of course
> be so that everyone can read and only admins can write.)
> The logon script parameter is a (windows) path relative to the netlogon
> directory. There is no need to put those in a subdirectory. (So you can
> do away with the "scripts\" part...) You should note that the logon
> script parameter in the [global] section can be overridden by
> per-user-settings in ldap (if you are using ldap).
> 
> Kind regards
> -- 
> Wolfgang Ratzka  Phone: +49 6421 2823531  FAX: +49 6421 2826994
> Uni Marburg,  HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany

-- 
View this message in context: 
http://www.nabble.com/Samba-3.0-and-XP-roaming-profiles-tf3561201.html#a9961787
Sent from the Samba - General mailing list archive at Nabble.com.



[Samba] PDC and BDC across WAN

2007-04-12 Thread Mike Alborn
We have several locations separated by WAN links.

There is one PDC in the central office, and a BDC at each other site.

The PDC has a WINS server, all other servers and stations are configured
to query this server (hybrid mode - WINS first, then broadcast.)

Here is my problem: When one of the BDCs is disconnected from the
network, all of the sites suffer problems (ie., Windows logins slow down
from 10-15 seconds to 5-10 minutes, system policies fail to apply,
accessing mapped drives slows down.) The entire domain basically becomes
unusable.

When the connection is reestablished, everything returns to normal
rather quickly.

I've spent some time Googling my problem, but so far have been
unsuccessful.

Should I be using interdomain trust relationships instead of my current
single WAN-spanning domain? Or is there something else I've overlooked?


-- 
Mike Alborn <[EMAIL PROTECTED]>
School District 28 (Quesnel)


Re: [Samba] Drag and Drop and Crash

2007-04-12 Thread Jim Summers
This is becoming an interesting problem.  The user of the affected machine I 
was dealing with was in dire need of it working.  I ended up using the repair 
option from the install cd and when that finished and the user logged in 
everything worked.  So at this point I am unsure as to what the cause is.  We 
also are running the dreaded Symantec AV.  If I get another machine that this 
pops up on then hopefully I can have the time to try and isolate the cause.


Thanks again for the info.

--jim


Thomas McNeely wrote:

Hi Jim,

The Samba listserv rejected this post, so I’m sending it to you 
directly. Feel free to try posting it to the listserv if you like, as 
you did for Rhiannon.


-

We also have this problem. We are using Samba 3.0.23d and 3.0.24, both 
installed from source code (as opposed to the packages that come with 
the operating system), running on Slackware Linux 10.2 and 9.1, 
respectively. The problem first appeared for us on April 5th. Our 
servers had been running fine with no changes since Christmas when the 
problem first appeared.


The problem manifests as a sudden workstation reboot (without proper 
shutdown) when users do most any kind of write operation to a Samba 
share – copying, renaming, or saving files. The affected workstations do 
not have a problem performing these operations on Microsoft servers – 
just Samba. Elsewhere on our campus is a Solaris server (unknown 
version) running an unknown version of Samba that does not have this 
problem. I’ll try to get more info about this.


There is considerable variation among the workstations exhibiting the 
problem – different generations of hardware, some are domain members and 
others not, some are logged into Novell and other not. At this point I 
think all the affected workstations run the Novell Client, but that 
thought just now came to me and I haven’t experimented with it yet. All 
affected workstations have been running Windows XP with SP2.


We have definitely determined that a key cause of this problem is 
Symantec AntiVirus. We can induce and cure the problem at will by 
installing or removing Symantec, and we’ve done so many times now. I 
don’t have the version info available right now; I’ll try to get it soon.


Although the timing with regard to MS patch KB925902 is extremely 
suspicious, we haven’t been able to experimentally establish any 
correlation with that patch. We haven’t ruled out that it could be a 
contributing factor though.



Tom McNeely

Western Washington University Libraries






--
Jim Summers
School of Computer Science-University of Oklahoma
-


Re: [Samba] Problem with subfolder permissions within share

2007-04-12 Thread Mark Adams
Yes you must chmod so the group has full access, and also make sure you
set the correct group with chgrp.

Also note that you either must have SGID set on the directories (only
directories) OR force group = group in smb.conf


On Thu, Apr 12, 2007 at 11:29:40AM +0100, Bruno Silva wrote:
> 
> Just a question, I'm currently having the same problem here
> So 
> main share has to be valid users [EMAIL PROTECTED]
> sub folders must be chmoded to the special group permissions right?
> 
> -Original Message-
> From: Mark Adams [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, 11 April 2007 14:05
> To: Jethro Hermans
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] Problem with subfolder permissions within share
> 
> > On Wed, Apr 11, 2007 at 10:14:49AM +0200, Jethro Hermans wrote:
> > > > I want to do the following set-up but I don't succeed in it:
> > > > 
> > > > e.g.:
> > > >
> > > > users: user1
> > > >user2
> > > >user3
> > > >
> > > >share: "test" with access from user1,2 and 3
> > > >
> > > > Now I want to create a subfolder in "test" e.g. "subtest" but only
> with 
> > > > access for user1 and 3 but I'm not able to do that.
> > > > Is there a solution for this?
> > 
> > > I assume that all of these users are in a group e.g "group1" that has
> > > read/write access, and you are allowing @group1 for the valid users =
> > > access in smb.conf?
> > >
> > > To get what you want you could create another group "group2" that
> > > allows read/write permission to "subtest" with only user1 and user3 in
> > > the group.
> >
> > Jethro wrote privately
> > Do you want to say that I have to create a second folder (as
> > subfolder)
> > in the smb.conf with only these users as valid? Is this the only
> > right way to do this or is there maybe a way to do this in windows.
> > Because I created the subfolder via windows so it would be more easy to
> > manage the permissions and allowed users also that way.<
> 
> Hi Jethro,
> 
> Please make sure when you reply to mailing list messages that you 'Reply
> All' as the information may be useful for other users if they have
> similar issues.
> 
> To answer your question, No i'm not talking about adding an extra entry
> in the smb.conf, as it is in the same container as your first share it
> would still be visible even if you did this.
> 
> I am talking about setting the folder permissions in linux. You can do
> what you are asking effectively using groups.
> 
> I suggest you do the following;
> 
> Create 2 groups on your linux server; group1 and group2
> 
> Add user1, user2, and user3 to group1.
> Add user1 and user3 to group2.
> 
> Change your smb.conf config for "test" so it has 
> 
> valid users = @group1
> 
> using the @ sign means it will allow the people in that group, rather
> than having to add multiple users
> 
> Then set the perms (chmod) on the "test" folder in the filesystem to 2774
> (the 2 is important as this sets "SGID or Set group id" this will
> ensure any files created in this folder, no matter by what user, will
> always set the group)
> 
> Change the group ownership (chgrp) recursively to group1 for "test"
> 
> cd in to "test" and change the group ownership of "subtest" to group2
> 
> Set the perms of 2774 for the "subtest" folder.
> 
> Once this is done it should work as you desire, if user1 or user3 logs
> in, they will have access to all folders. If user2 logs in, they will
> not have access to "subtest".
> 
> I would recommend you read a bit more about linux if you intend to use
> it. Especially about permissions, see the following link for more
> information;
> 
> http://www.zzee.com/solutions/linux-permissions.shtml
> 
> Regards,
> Mark
> 
> 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
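
The group and SGID layout described in the message above can be applied and then audited with a short script. This is an added example, not part of the original thread: the function names are made up here, and the share path and groups are whatever exists on your server (test, subtest, group1 and group2 in the thread). The last check flags the read bit that mode 2774 leaves set for "other", which lets accounts outside the group list the entry names in a directory even though they cannot open anything in it; 2770 closes that.

```shell
#!/bin/sh
# Added example (not from the thread): apply and audit the group/SGID layout.

# Apply the layout: SHARE is group-owned by G1, SHARE/SUB by G2, both mode 2774.
# chgrp runs first so the setgid bit set by chmod applies to the final group.
apply_layout() {
    share=$1; sub=$2; g1=$3; g2=$4
    chgrp -R "$g1" "$share" &&
    chmod 2774 "$share" &&
    chgrp "$g2" "$share/$sub" &&
    chmod 2774 "$share/$sub"
}

# Directories under $1 without the setgid bit: files created there take the
# creator's primary group instead of the directory's group.
dirs_missing_sgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Directories under $1 where "other" has any permission bit set.
# With 2774 this is r--: non-members can still read the list of names.
dirs_open_to_others() {
    find "$1" -type d \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Numeric group id of a path (numeric so group names with spaces are safe).
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Create a probe file in directory $1 and check it received the directory's
# group. Returns 0 on match, 1 on mismatch, 2 if the probe cannot be created.
new_file_inherits_group() {
    probe="$1/.sgid_probe.$$"
    : > "$probe" || return 2
    fg=$(gid_of "$probe")
    dg=$(gid_of "$1")
    rm -f "$probe"
    [ "$fg" = "$dg" ]
}

# Stand-alone use: sh audit_share.sh /path/to/share
if [ $# -ge 1 ]; then
    echo "Directories without SGID:"
    dirs_missing_sgid "$1"
    echo "Directories with permissions for 'other':"
    dirs_open_to_others "$1"
    if new_file_inherits_group "$1"; then
        echo "New files in $1 inherit its group"
    else
        echo "New files in $1 do NOT inherit its group"
    fi
fi
```

Run the probe check as an ordinary share user rather than root, since that is the account whose primary group would otherwise end up on new files.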


Re: [Samba] Can upload but can't delete how ?

2007-04-12 Thread Stanislav Nedelchev
Gerald (Jerry) Carter wrote:
> Stanislav Nedelchev wrote:
> >> Hi to all ,
> >> Is there a way to make this with samba possible .
> >> User can save files to share but can't delete the files only user with
> >> special right can delete  files.
>
> See "inherit owner" in smb.conf(5).  But if you can write to
> a file you can truncate it to 0 bytes so the delete permission
> is a little misleading.
>
>
>
>
>
> cheers, jerry
> =
> Samba--- http://www.samba.org
> Centeris ---  http://www.centeris.com
> "What man is a man who does not make the world better?"  --Balian
> See "inherit owner" in smb.conf(5).  But if you can write to
> a file you can truncate it to 0 bytes so the delete permission
> is a little misleading.
Yes, but you can't involuntarily delete some file over the network. I
read the manual but I can't find how to use inherit owner.
Any suggestions are welcome.


Re: [Samba] Problems sharing HP Officejet 6210 Linux --> XP

2007-04-12 Thread Lutieri G.

When sharing a printer via samba you can upload the Windows drivers to
the samba server.
I spent a lot of time on this solution.

It's necessary to upload the driver and create a correct device mode.

Uploading the driver to a samba server can be done either with rpcclient
(hard mode) or using the Windows wizard for adding drivers (easy mode).



Please, before making any changes on the server, read from the title ->
"Creating the [print$] Share" to -> "Setting Default Print Options for Client
Drivers" here:
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/classicalprinting.html#id358044



2007/4/10, 1arrybarnett <[EMAIL PROTECTED]>:


Problem:

The basic catch-22 with this printer model is that the drivers aren't part
of the standard XP distro. The XP printer installation wizard expects the
drivers to be available from the print server. After searching the net, I
came across this basic installation method:

1. Temporarily plug the printer into the XP PC and install the drivers from
the Printer CD. Then plug the printer back into the linux server.


Nooo... please don't do this. worse workaround. :-)


At this point 2 techniques were suggested, neither of which worked for me:

2a. Go back to the wizard and install the remote printer, using the correct
driver this time. This apparently succeeds, but printing the test page fails
with an uninformative popup inviting me to go to the troubleshooting wizard
(which is equally unhelpful).

or

2b. Hack the local printer configuration by going to properties-->ports and
creating a Local port with the value \\\, as shared
by Samba. This step fails for me with error 66 "The network resource type is
not correct".


For me work.. but isn't necessary.



> So that's it, I'm stuck. I would love to hear from anyone who has worked
> through this problem already. Failing that, how can I pick apart this
> problem to figure out what's failing?
>
> Note: There was also some discussion in the forums about the print$ share
> and loading drivers on the Linux box, but I never figured out if that was
> relevant to my use case (Linux server/Windows client).
>
> Many thanks in advance to those who reply.
>
> Cheers,
>
> Larry




--
Att.
Lutieri G. B.


[Samba] Moving a Samba PDC from Solaris 2.8 to CentOS 4.4

2007-04-12 Thread Ralf Aumüller

Hello,

I am trying to move a Samba PDC (3.0.24) from Solaris 2.8 to CentOS 4.4 with
the guidance from:
http://www.samba.org/samba/docs/man/Samba-Guide/upgrades.html#id333969
(Replacing a Domain Controller)

At the moment I am trying this in a test environment. This means the
following (not the real names/IPs. Just for illustration ;-)):

smb.conf entries:
...
netbios name = smbtest
interfaces = 1.1.1.1/255.255.255.0
...

Hostname Solaris: solaris
Virtual network interface with ip: 1.1.1.1

Hostname CentOS: smbtest
Real network interface with ip: 1.1.1.1

Then I followed the docs, except that I didn't power off the Solaris machine.
I just stopped the samba daemons and deleted the virtual network interface.

When I did that, the Windows XP clients couldn't log in to the domain anymore.

After some investigation I found out that the SIDs of the domain and of
the Linux host are not the same as before on the Solaris host.

When I change the SIDs with "net setlocalsid" and "net setdomainsid" to the
original ones it seems to work again.

Any ideas why that happens? Is this the expected behavior (because of the
hostname change)?
Do I have something else to change to test the PDC move?

Best regards,

Ralf


RE: [Samba] Problem with subfolder permissions within share

2007-04-12 Thread Bruno Silva

Just a question, I'm currently having the same problem here.
So the main share has to be valid users [EMAIL PROTECTED] and
subfolders must be chmoded to the special group permissions, right?

-----Original Message-----
From: Mark Adams [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 11 April 2007 14:05
To: Jethro Hermans
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Problem with subfolder permissions within share

> On Wed, Apr 11, 2007 at 10:14:49AM +0200, Jethro Hermans wrote:
> > > I want to do the following set-up but I don't succeed in it:
> > > 
> > > e.g.:
> > >
> > > users: user1
> > >user2
> > >user3
> > >
> > >share: "test" with access from user1,2 and 3
> > >
> > > Now I want to create a subfolder in "test" e.g. "subtest" but only with
> > > access for user1 and 3 but I'm not able to do that.
> > > Is there a solution for this?
> 
> > I assume that all of these users are in a group e.g "group1" that has
> > read/write access, and you are allowing @group1 for the valid users =
> > access in smb.conf?
> >
> > To get what you want you could create another group "group2" that
> > allows read/write permission to "subtest" with only user1 and user3 in
> > the group.
>
> Jethro wrote privately
> Do you want to say that I have to create a second folder (as
> subfolder)
> in the smb.conf with only these users as valid? Is this the only
> right way to do this or is there maybe a way to do this in windows.
> Because I created the subfolder via windows so it would be more easy to
> manage the permissions and allowed users also that way.<

Hi Jethro,

Please make sure when you reply to mailing list messages that you 'Reply
All' as the information may be useful for other users if they have
similar issues.

To answer your question: no, I'm not talking about adding an extra entry
in the smb.conf; as it is in the same container as your first share, it
would still be visible even if you did this.

I am talking about setting the folder permissions in linux. You can do
what you are asking effectively using groups.

I suggest you do the following;

Create 2 groups on your linux server; group1 and group2

Add user1, user2, and user3 to group1.
Add user1 and user3 to group2.

Change your smb.conf config for "test" so it has 

valid users = @group1

Using the @ sign means it will allow the people in that group, rather
than having to add multiple users.

Then set the perms (chmod) on the "test" folder in the filesystem to 2774
(the 2 is important as this sets "SGID", or "set group ID"; this will
ensure any files created in this folder, no matter by what user, will
always set the group).

Change the group ownership (chgrp) recursively to group1 for "test"

cd in to "test" and change the group ownership of "subtest" to group2

Set the perms of 2774 for the "subtest" folder.

Once this is done it should work as you desire, if user1 or user3 logs
in, they will have access to all folders. If user2 logs in, they will
not have access to "subtest".

I would recommend you read a bit more about linux if you intend to use
it. Especially about permissions, see the following link for more
information;

http://www.zzee.com/solutions/linux-permissions.shtml

Regards,
Mark
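
The result of the steps above can be checked with a small model of the kernel's owner/group/other permission test. This is an added example, not part of the original message; the directory owner "root" and the alternative mode 2770 are assumptions.

```python
import stat

# Group membership as listed in the message; owner "root" is an assumption.
GROUPS = {"group1": {"user1", "user2", "user3"}, "group2": {"user1", "user3"}}
# Directory metadata after the chgrp/chmod steps.
TREE = {
    "test": {"owner": "root", "group": "group1", "mode": 0o2774},
    "test/subtest": {"owner": "root", "group": "group2", "mode": 0o2774},
}

def class_bits(user, entry):
    """rwx triplet the kernel applies: owner, else group, else other (one class only)."""
    mode = entry["mode"]
    if user == entry["owner"]:
        bits = (mode >> 6) & 7
    elif user in GROUPS[entry["group"]]:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c if bits & m else "-" for c, m in (("r", 4), ("w", 2), ("x", 1)))

def capabilities(user, path, tree=TREE):
    """What `user` can do in directory `path`, honouring search (x) on ancestors."""
    parts = path.split("/")
    for i in range(1, len(parts)):
        if "x" not in class_bits(user, tree["/".join(parts[:i])]):
            return set()  # cannot even reach the directory
    bits, caps = class_bits(user, tree[path]), set()
    if "r" in bits:
        caps.add("list-names")      # readdir() only; opening entries needs x
    if "x" in bits:
        caps.add("enter")           # traverse and open files inside
    if "w" in bits and "x" in bits:
        caps.add("create-delete")
    return caps

def inherits_group(entry):
    """True when setgid (the leading 2) makes new files take the directory's group."""
    return bool(entry["mode"] & stat.S_ISGID)

def with_mode(path, mode, tree=TREE):
    """Copy of the tree with one directory's mode changed, for what-if checks."""
    return {**tree, path: {**tree[path], "mode": mode}}

if __name__ == "__main__":
    for path in TREE:
        for user in ("user1", "user2", "user3"):
            print(user, path, class_bits(user, TREE[path]), sorted(capabilities(user, path)))
    alt = with_mode("test/subtest", 0o2770)  # assumed alternative mode
    print("user2 at 2770:", sorted(capabilities("user2", "test/subtest", alt)))
```

Under 2774 the "other" class keeps the read bit on "subtest", so a non-member can list names there but cannot enter it or open files; 2770 removes that as well.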




[Samba] panic in smbd_audit after a connect

2007-04-12 Thread Hisanori Ohhashi
hello

I'm using Samba 3.0.21b-2 on RHEL4.1.

All the machines are logging to a windows 2003 ADS domain server.

The samba server is an ADS member of this windows 2k3 server and
users' access log is recorded by using the audit module.

I recently ran into this trouble: when I connect to the samba server from a
client, smbd_audit suddenly panics.

Please advise me how to solve this problem.

The related log file looks like this:


Mar  6 11:13:58 host01 smbd_audit: [2007/03/06 11:13:58, 0] lib/fault.c:fault_report(36)
Mar  6 11:13:58 host01 smbd_audit:   ===
Mar  6 11:13:58 host01 smbd_audit: [2007/03/06 11:13:58, 0] lib/fault.c:fault_report(37)
Mar  6 11:13:58 host01 smbd_audit:   INTERNAL ERROR: Signal 11 in pid 15063 (3.0.21b-2)
Mar  6 11:13:58 host01 smbd_audit:   Please read the Trouble-Shooting section of the Samba3-HOWTO
Mar  6 11:13:58 host01 smbd_audit: [2007/03/06 11:13:58, 0] lib/fault.c:fault_report(39)
Mar  6 11:13:58 host01 smbd_audit:
Mar  6 11:13:58 host01 smbd_audit:   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
Mar  6 11:13:58 host01 smbd_audit: [2007/03/06 11:13:58, 0] lib/fault.c:fault_report(40)
Mar  6 11:13:58 host01 smbd_audit:   ===
Mar  6 11:13:58 host01 smbd_audit: [2007/03/06 11:13:58, 0] lib/util.c:smb_panic2(1576)
Mar  6 11:13:58 host01 smbd_audit:   PANIC: internal error
Mar  6 11:13:58 host01 smbd_audit: [2007/03/06 11:13:58, 0] lib/util.c:smb_panic2(1584)
Mar  6 11:13:58 host01 smbd_audit:   BACKTRACE: 17 stack frames:
Mar  6 11:13:59 host01 smbd_audit:#0 smbd(smb_panic2+0x8a) [0xe1295b]
Mar  6 11:13:59 host01 smbd_audit:#1 smbd(smb_panic+0x19) [0xe12b8b]
Mar  6 11:13:59 host01 smbd_audit:#2 smbd [0xdfe311]
Mar  6 11:13:59 host01 smbd_audit:#3 /lib/tls/libc.so.6 [0x2f18c8]
Mar  6 11:13:59 host01 smbd_audit:#4 smbd(winbindd_request_response+0x2e) [0xe22b28]
Mar  6 11:13:59 host01 smbd_audit:#5 smbd [0xe22017]
Mar  6 11:13:59 host01 smbd_audit:#6 smbd [0xe52188]
Mar  6 11:13:59 host01 smbd_audit:#7 smbd [0xe5321b]
Mar  6 11:13:59 host01 smbd_audit:#8 smbd(make_server_info_pac+0x198) [0xe53645]
Mar  6 11:13:59 host01 smbd_audit:#9 smbd [0xca1fdb]
Mar  6 11:13:59 host01 smbd_audit:#10 smbd(reply_sesssetup_and_X+0x4f1) [0xca2f4e]
Mar  6 11:13:59 host01 smbd_audit:#11 smbd [0xccf984]
Mar  6 11:13:59 host01 smbd_audit:#12 smbd(process_smb+0x19b) [0xccfd60]
Mar  6 11:13:59 host01 smbd_audit:#13 smbd(smbd_process+0x15c) [0xcd0c6d]
Mar  6 11:13:59 host01 smbd_audit:#14 smbd(main+0x962) [0xeab315]
Mar  6 11:14:00 host01 smbd_audit:#15 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x2dee23]
Mar  6 11:14:00 host01 smbd_audit:#16 smbd [0xc660f1]


Part of my smb.conf, everything but the shares.:

;= Global Settings =
[global]
 acl check permissions = no
 acl group control = no
 acl map full control = yes
 admin users = [EMAIL PROTECTED]
 allow trusted domains = Yes
 bind interfaces only = Yes
 display charset = UTF-8
 dos charset = CP932
 full_audit:prefix = %u|%I:%S
 idmap gid = 1-6
 idmap uid = 1-6
 inherit acls = yes
 log file = /var/log/samba/log.%m
 max log size = 1
 netbios name = HOST01
 password server = .x.xx.xx .y.yy.yy xxxz.zz.zz.zz
 realm = .X.XX.XX
 security = ADS
 server string = Storage
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 template homedir = /home/%U
 template shell = /bin/bash
 unix charset = UTF-8
 winbind cache time = 15
 winbind separator = @
 workgroup = DOMAIN01

;=== Share Settings =

[SERVICE01]
 browseable = yes
 create mask = 0775
 directory mask = 0775
 dos filemode = yes
 force unknown acl user = yes
 full_audit:failure = connect disconnect mkdir rmdir sendfile rename chmod chown unlink
 full_audit:success = connect disconnect mkdir rmdir sendfile rename chmod chown unlink open
 inherit permissions = yes
 path = /xxx/yyy/zzz
 printable = no
 public = no
 read only = no
 vfs object = full_audit
 writable = yes


Thanks in advance




Re: [Samba] Any pointers for multiple subnets?

2007-04-12 Thread Mark Adams
On Thu, Apr 12, 2007 at 11:58:48AM +0530, Nandan Bhat wrote:
> Hi Mark,
> 
Hi Nandan,

> Thanks for the link; I'll try it out and let you know how it goes.
> 
> As for my LANs, my situation is this:
> * my linux machines are on both LANs
> * both linux machines are part of the 192.168.1.0/24 workgroup and 
> appear under the workgroup when viewed from Windows clients in 
> 192.168.1.0/24
> ** under 192.168.1.0/24, all windows clients are able to browse the two 
> linux boxes and machines under 192.168.1.0/24 but not machines under 
> 192.168.0.0/24
> * both linux machines appear under a workgroup when viewed from Windows 
> clients in 192.168.0.0/24 (and are browseable).
> ** under 192.168.0.0/24, all windows clients are able to browse the two 
> linux boxes and machines under 192.168.0.0/24 but not machines under 
> 192.168.1.0/24
>

It sounds like Samba is working as desired. To have NetBIOS work for the
Windows machines across the subnets I believe you will have to have the
WINS server as detailed in that old (2005) link I posted. I have never
set this up personally so cannot help you on that any further.

Personally, I would instead use DNS. Do you have a DNS server on one of
the Linux boxes (such as dnsmasq)? If you set up DNS and DHCP from the
Linux box, then your Windows clients will most likely browse across fine
as long as they are getting their DHCP lease from this box (make sure
you turn off any ADSL/firewall/router DHCP setup).

Regards,
Mark

> I'll try out the suggestions in the link and let you know how it goes. 
> BTW, I am guessing only one of my linux machines needs to be the local 
> master; the other may be a domain master (but need not be). Correct me 
> if I'm wrong on that concept.
> 
> Thanks,
> 
> Nandan
> 
> 
> Mark Adams wrote:
> >Hi Nathan
> >
> >  
> >>Thanks for your interest. In reply to your question, the answer is
> >>yes. Both the linux machines are on both the LANs. Both are browseable
> >>from Windows clients in both networks by \\netbiosname and \\ipaddress
> >>
> >
> >To confirm, You can connect across these subnets with netbios or ip, but
> >only browsing through "My Network Places" does not work? and the only
> >shares you are trying to browse for are the samba shares on your linux
> >box? if not do the windows based shares show?
> >
> >Have you set the workgroup in the samba config? or are you choosing
> >'View Entire Network' when browsing through My network places?
> >
> >  


[Samba] Re: Using Special Characters

2007-04-12 Thread sambalist . 20 . jisme

[EMAIL PROTECTED] wrote:

Volker Lendecke wrote:
On Fri, Apr 06, 2007 at 01:42:55AM -0700, 
[EMAIL PROTECTED] wrote:
I know these characters are not allowed in Windows file systems but I 
don't think that means SMB file names should be restricted (or at 
least not for linux clients).
Anyways I'm mostly just using this Linux to Linux so if there isn't 
any way to do this, I guess I could just use NFS instead.


With latest Samba and latest CIFS you should be able to use
the posix extensions that Jeremy has put in lately. So you
have a chance here.

Volker



If I do need a new version of samba then I'll have to wait for a Gentoo 
ebuild for it.

Right now I have samba 3.0.24 and kernel 2.6.18.
Justin


So far I haven't been able to upgrade samba as the latest version still 
isn't in portage.
I did end up restarting the server and client computers though and now I 
can access files with special characters in them with the Linux CIFS client.
So I guess this is supported in the CIFS client but it only works part 
of the time.

Justin


Re: [Samba] Samba 3.0 and XP roaming profiles

2007-04-12 Thread Wolfgang Ratzka
contact_mahajan wrote:

> Also regarding my logon script, my smb.conf file says like this:
> 
> [GLOBAL]
> ..
> logon script = scripts\login.bat
> .
> 
> [netlogon]
> ...
> path= /var/samba/netlogon/%U
> 

This definition is trying to be subtle by defining a per-user-netlogon share,
as %U expands to the session user name. Normally you will not want to do this,
so you will strip off the "/%U" and simply put your login scripts below
/var/samba/netlogon. (Permissions should of course be so that everyone can
read and only admins can write.)
The logon script parameter is a (Windows) path relative to the netlogon
directory. There is no need to put those in a subdirectory. (So you can do
away with the "scripts\" part...) You should note that the logon script
parameter in the [global] section can be overridden by per-user settings in
LDAP (if you are using LDAP).

Kind regards
-- 
Wolfgang Ratzka  Phone: +49 6421 2823531  FAX: +49 6421 2826994
Uni Marburg,  HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany