[Samba] segfault with failed to set uid

2008-03-18 Thread David Kempe

Hi,
I am having intermittent problems which trigger the below segfault. Would 
love to know what the problem is, and will gladly take any suggestions 
as to how to troubleshoot this.
When this segfault happens, the windows clients sometimes report "write 
delay failed".


This machine is an OpenVZ virtual machine, with a bridged interface.
Samba version: 3.0.22-1ubuntu3.6 (ubuntu dapper with custom OpenVZ kernel)
kernel: 2.6.18-028stab053
Filesystem is xfs with noatime on.
mount output:
simfs on / type simfs (rw,noatime)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw)
tmpfs on /dev/shm type tmpfs (rw)
varrun on /var/run type tmpfs (rw)
varlock on /var/lock type tmpfs (rw)

xfs filesystem is on top of a Raid1 md device on the host, with the 
members provided by AoE.


I don't think the segfaults correspond to the occasional AoE retransmits 
we get.
All networking is gigabit, and this system was stress tested with dbench 
before going into production, and worked pretty well. Host has plenty of 
ram, and nothing else segfaults, so I don't think it's a hardware 
problem, though I wouldn't rule out an interaction problem with 
Samba/XFS/OpenVZ/md-RAID1/AoE at this stage.


As you can see it points at a windows server for authentication. I have 
recently increased the winbind cache time to 900, in an effort to fix, 
but to no avail. Across about 150 client machines getting about 10 
segfaults a day, each with this error.
No particular pattern to the segfaults, and nothing sticks out about the 
users/uid etc of the users affected (seems to be everyone and anyone at 
random).


Setting loglevel to 10 for a specific machine doesn't seem to provide 
any extra information for this problem.


getting this segfault which triggers a panic action intermittently:

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 47979553320704 (LWP 7785)]
0x2ba31bd930c4 in waitpid () from /lib/libc.so.6
#0  0x2ba31bd930c4 in waitpid () from /lib/libc.so.6
#1  0x2ba31bd3d5ff in strtold_l () from /lib/libc.so.6
#2  0x005c1374 in smb_panic2 (why=0x6ac813 "failed to set uid\n", 
   decrement_pid_count=) at lib/util.c:1545
#3  0x005c60d8 in assert_uid (ruid=4294967295, euid=10122)
   at lib/util_sec.c:96
#4  0x0049235e in become_id (uid=10122, gid=1) at smbd/sec_ctx.c:60
#5  0x00492c8c in pop_sec_ctx () at smbd/sec_ctx.c:375
#6  0x0048a579 in unbecome_root () at smbd/uid.c:435
#7  0x005eeaf1 in reply_to_oplock_break_requests (fsp=0x8de810)
   at smbd/oplock.c:683
#8  0x00490601 in close_file (fsp=0x8de810, normal_close=1)
   at smbd/close.c:228
#9  0x00471ba7 in reply_close (conn=0x8d8390, inbuf=0x2ba31a5a3010 "", 
   outbuf=0x2ba31a5c4010 "", size=, 
   dum_buffsize=) at smbd/reply.c:3286
#10 0x004a111a in switch_message (type=4, inbuf=0x2ba31a5a3010 "", 
   outbuf=0x2ba31a5c4010 "", size=45, bufsize=131072) at smbd/process.c:1071
#11 0x004a15f0 in process_smb (inbuf=0x2ba31a5a3010 "", 
   outbuf=0x2ba31a5c4010 "") at smbd/process.c:1101
#12 0x004a24a4 in smbd_process () at smbd/process.c:1753
#13 0x00645a39 in main (argc=23, argv=0x7fff905b09a0)
   at smbd/server.c:976


I have tried to reproduce the problem by stressing the system further, 
but to no avail. It does not appear related to system load etc, but 
happens at random.


The machine is a profile server for Firefox and Thunderbird, so lots of 
small files are opening and closing etc.


Here is my testparm -v: Domain replaced with (XXX)

[EMAIL PROTECTED]:/var/log/samba # testparm -v
Load smb config files from /etc/samba/smb.conf
Can't find include file /etc/samba/smb.conf.
Processing section "[homes]"
Processing section "[public]"
Processing section "[win]"
Processing section "[vmware]"
Processing section "[gap_backup]"
Processing section "[iso]"
Processing section "[pictures]"
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
   dos charset = CP850
   unix charset = UTF-8
   display charset = LOCALE
   workgroup = XXX
   realm = XXX.XXX.COM.AU
   netbios name = MRFORGETFUL
   netbios aliases =
   netbios scope =
   server string =
   interfaces =
   bind interfaces only = No
   security = ADS
   auth methods =
   encrypt passwords = Yes
   update encrypted = No
   client schannel = Auto
   server schannel = Auto
   allow trusted domains = Yes
   hosts equiv =
   map to guest = Never
   null passwords = No
   obey pam restrictions = Yes
   password server = xxxserver
   smb passwd file = /etc/samba/smbpasswd
   private dir = /etc/samba
   passdb backend = smbpasswd
   al
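
The backtrace in the message above ends in assert_uid(ruid=4294967295, euid=10122) called from become_id, and 4294967295 is (uid_t)-1, the "leave this id unchanged" value of setreuid()/setresuid(). As an added example (not Samba's source and not part of the original post), this C program shows the verify-after-switch pattern those frame names suggest: change the effective uid, re-read the ids from the kernel, and refuse to continue if they are not what was requested. The names ids_match and become_euid_checked are hypothetical.

```c
/* Added example (not Samba source): verify an effective-uid switch, fail closed. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* (uid_t)-1 prints as 4294967295 when uid_t is an unsigned 32-bit type.
 * setreuid()/setresuid() treat it as "leave this id unchanged". */
#define ID_UNCHANGED ((uid_t)-1)

/* Pure post-condition check: 1 if the current ids satisfy the request.
 * An ID_UNCHANGED request is a wildcard and is not compared. */
int ids_match(uid_t want_ruid, uid_t want_euid, uid_t cur_ruid, uid_t cur_euid)
{
    if (want_ruid != ID_UNCHANGED && cur_ruid != want_ruid)
        return 0;
    if (want_euid != ID_UNCHANGED && cur_euid != want_euid)
        return 0;
    return 1;
}

/* Switch the effective uid, then re-read the ids instead of trusting the
 * return code alone. Returns 0 when the post-condition holds, otherwise the
 * errno of the failed call (EPERM if the call claimed success but the ids
 * are still wrong), so the log shows why the switch failed. */
int become_euid_checked(uid_t euid)
{
    int err = 0;

    if (seteuid(euid) != 0)
        err = errno;

    if (ids_match(ID_UNCHANGED, euid, getuid(), geteuid()))
        return 0;

    if (err == 0)
        err = EPERM;
    fprintf(stderr,
            "failed to set uid: wanted euid=%lu, now ruid=%lu euid=%lu (%s)\n",
            (unsigned long)euid, (unsigned long)getuid(),
            (unsigned long)geteuid(), strerror(err));
    return err;
}

int main(void)
{
    /* Values taken from the backtrace: assert_uid(ruid=4294967295, euid=10122). */
    uid_t want_ruid = ID_UNCHANGED, want_euid = 10122;

    /* Constructed states: the switch took effect / the process is still root. */
    printf("switched:   %d\n", ids_match(want_ruid, want_euid, 0, 10122));
    printf("still root: %d\n", ids_match(want_ruid, want_euid, 0, 0));

    /* Re-asserting the current euid is always permitted, so this succeeds. */
    if (become_euid_checked(geteuid()) != 0)
        return 1; /* fail closed: never continue under the wrong identity */
    return 0;
}
```

A caller that gets a non-zero result has to stop serving the request, since continuing would run file operations under whatever identity the process still holds.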

Re: [Samba] LDAP Logon Script Management

2008-03-18 Thread Adam Williams

Asier Baranguán wrote:
> On Tuesday, 18 March 2008, Mark Rutherford wrote:
>
> > What I have done, since users don't need individual scripts is tie a
> > script to a group because different groups have different printers and
> > such. I use Kixtart for this... so yes the scripts are elaborate but once
> > it's done I have had little reason to poke around in them.
>
> I've a similar kind of setup with KIX32 and logon scripts with symlinks, and
> use wpkg to distribute software. Anyone can help me with startup scripts (not
> logon scripts)? So software can be deployed to machines independent of the
> logged user privileges?
>
> I've looked at a setup with WPKG Client but:
>
> A) It must run under a user with administrative privileges on the local
> machine and the password is in a XML file. Not very secure.
>
> B) Must run with the SYSTEM account, so no access to samba shares because
> deployed software can't have public access.
>
> Thanks

wpkg works fine for me, I use a guest share and the dos client.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] LDAP Logon Script Management

2008-03-18 Thread Asier Baranguán
On Tuesday, 18 March 2008, Mark Rutherford wrote:

> What I have done, since users don't need individual scripts is tie a
> script to a group because different groups have different printers and
> such. I use Kixtart for this... so yes the scripts are elaborate but once
> it's done I have had little reason to poke around in them.

I've a similar kind of setup with KIX32 and logon scripts with symlinks, and 
use wpkg to distribute software. Anyone can help me with startup scripts (not 
logon scripts)? So software can be deployed to machines independent of the 
logged user privileges?

I've looked at a setup with WPKG Client but:

A) It must run under a user with administrative privileges on the local 
machine and the password is in a XML file. Not very secure.

B) Must run with the SYSTEM account, so no access to samba shares because 
deployed software can't have public access.

Thanks
-- 
Asier.


Re: [Samba] Setting up ADS in Samba with MIT kerberos mapping/backend

2008-03-18 Thread Steve Harper
We here at the University of Utah have a similar setup that we are 
trying to get to work.  We have set up a cross-realm trust between our MIT 
Kerberos server and our Windows AD Domain, and all the user accounts 
altSecurityIdentities map the AD users to our MIT style kerberos realm. 
AD passwords are set to long random strings.


So far we have followed the guide below on the Samba wiki, with some 
success but there are a few things that still do not work.


http://wiki.samba.org/index.php/Samba_%26_Active_Directory

On linux and mac workstations we can map shares on our samba server once 
we have done a kinit against our kerberos realm.


kinit [EMAIL PROTECTED]
smbclient //sambaserver.utah.edu/SHARENAME -k

Smb shares initiated from the GUI on the Mac work ok on the Tiger 
release of Mac OS X, but seem to fail on Leopard.


Other than that, it all works fine on these clients.

The problem is with the windows workstations.  Workstations that are 
members of the domain can logon with their MIT passwords, specifying the 
kerberos realm in the GINA.  Once there they can seamlessly map drives 
iff they specify their (usually set to garbage) local AD passwords.  All 
other permutations to let the samba or windows server know that we want 
to use our cross-realm trust credentials have been unsuccessful thus far. 
Ideally we would like to be able to map drives to these shares from 
windows machines that are not even members of our AD domain.


A new option I saw that I have not had time to try out yet for the 
smb.conf is

use kerberos keytab = yes

This might help the clients to succeed, or it might be useful in getting 
Samba to attempt to authenticate users directly against our MIT Kerberos 
server.  I've still got a lot of reading and experimenting to do to see 
if we can pull this together.  Hopefully somebody else on this list has 
already fought such a battle and emerged triumphant.  But in perusing 
the list archives for a few hours I have yet to see something like this.


Thanks,
Steve Harper
Center for High Performance Computing
University of Utah.

James Pulver wrote:
> So, I'm trying to figure out how to get Samba to work in this way.
> Specifically, I have a 2003 R2 AD in 2003 functional level. All user
> accounts are mapped to the same user account name @ our MIT Kerberos
> server. Users do not know their AD password.
>
> Can Samba authenticate users with their Kerberos realm passwords, and
> know to use the same user name so the UIDs match for both platforms +
> permissions?
>
> If it can, what should the smb.conf look like?
> --
> James Pulver
> Information Technology Area Supervisor
> LEPP Computer Group
> Cornell University




[Samba] Setting up ADS in Samba with MIT kerberos mapping/backend

2008-03-18 Thread James Pulver
So, I'm trying to figure out how to get Samba to work in this way. 
Specifically, I have a 2003 R2 AD in 2003 functional level. All user 
accounts are mapped to the same user account name @ our MIT Kerberos 
server. Users do not know their AD password.


Can Samba authenticate users with their Kerberos realm passwords, and 
know to use the same user name so the UIDs match for both platforms + 
permissions?


If it can, what should the smb.conf look like?
--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University



RE: [Samba] Can't access shares - still doesn't work

2008-03-18 Thread Carl Carpenter
That was it.  Thanks.
 
 

Carl Carpenter
IT Manager
Hill Country Community MHMR Center
(830)258-5414
  

-Original Message-
From: Adam Williams [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 18, 2008 2:17 PM
To: [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't access shares - still doesn't work


have you tried adding msdfs root = yes in your global section?  i had to do
that on mine

Carl Carpenter wrote: 

I started over and tried again.  Using only the Fedora Core 6 installation
disks went all the way through the process of setting up Samba.  Had
absolutely no problem with accessing the shares.  Ran 'yum update'.  Now I'm
back to being asked for a username and password which it then won't
validate.  Does this narrow it down for anybody?  Is there something in the
Samba updates (or something else) that changes the rules?

Running FC6 and Samba 3.0.24-11.fc6.
Workstation is XP Pro
Authentication is to NT4 domain - PDC is NT4 server.

Carl Carpenter
IT Manager
Hill Country Community MHMR Center
(830)258-5414

-Original Message-
From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Carl Carpenter
Sent: Friday, March 14, 2008 9:46 AM
To: samba@lists.samba.org
Subject: RE: [Samba] Can't access shares - additional information

I realized I forgot to include my smb.conf file:

[EMAIL PROTECTED] etc]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Processing section "[Intranet]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = HCCMHMRC
server string = Intranet
security = DOMAIN
password server = colnago
log file = /var/log/samba/%m.log
max log size = 50
preferred master = No
dns proxy = No
wins server = 192.168.0.7
default service = Intranet
cups options = raw

[homes]
comment = Home Directories
read only = No

[printers]
comment = All Printers
path = //var/spool/samba
printable = Yes
browseable = No

[tmp]
comment = Temporary file space
path = /tmp
read only = No
guest ok = Yes

[Intranet]
path = /var/www/html
read only = No
create mask = 0774
directory mask = 0775
guest ok = Yes

I can access the tmp share and the Printer share.  This tells
me that there is not an issue finding the Samba server.

Permissions on Intranet share (/var/www/html):

[EMAIL PROTECTED] www]# pwd
/var/www
[EMAIL PROTECTED] www]# ls -al html
total 16
drwxrwxr-x 2 apache www-data 4096 Sep 18 10:27 .
drwxr-xr-x 8 root   root 4096 Sep 18 10:27 ..

Ccarpenter is a member of www-data.

I cleared out the samba log for my machine.  Then I tried to
access the Intranet share.  It asked for username and
password which, of course, failed.  Here's the contents of
the log after that attempt.

[2008/03/14 09:39:23, 1] smbd/ipc.c:api_fd_reply(290)
  api_fd_reply: INVALID PIPE HANDLE: 72df
[2008/03/14 09:39:35, 1] smbd/service.c:make_connection_snum(950)
  osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6070)
[2008/03/14 09:39:37, 1] smbd/service.c:close_cnum(1150)
  osc00062 (192.168.0.101) closed connection to service Intranet
[2008/03/14 09:39:49, 1] smbd/service.c:make_connection_snum(950)
  osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6071)
[2008/03/14 09:39:57, 1] smbd/service.c:close_cnum(1150)
  osc00062 (192.168.0.101) closed connection to service Intranet
[EMAIL PROTECTED] samba]# tail -40 osc00062.log
[2008/03/14 09:39:23, 1] smbd/ipc.c:api_fd_reply(290)
  api_fd_reply: INVALID PIPE HANDLE: 72df
[2008/03/14 09:39:35, 1] smbd/service.c:make_connection_snum(950)
  osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6070)
[2008/03/14 09:39:37, 1] smbd/service.c:close_cnum(1150)
  osc00062 (192.168.0.101) closed connection to service Intranet
[2008/03/14 09:39:49, 1] smbd/service.c:make_connection_snum(950)
  osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6071)
[2008/03/14 09:39:57, 1] smbd/service.c:close_cnum(1150)
  osc00062 (192.168.0.101) closed connection to service Intranet

Then, looking through Webmin at the connections, I see this:

6097  IPC$  ccarpenter  ccarpenter  osc00062  Fri Mar 14 09:43:38 2008  None

Which also coincides with the appearance of the Printers
share which is not visible when I first open Custer through
Network Neighborhood.

Is this an old problem that I'm supposed to find the answer
in an obvious place, or has it

Re: [Samba] Question

2008-03-18 Thread Adam Williams
set the group perms in linux so only that group has files to it.  samba 
obeys unix file permissions.


try chmod 660 on the directory?

Richard Buskirk wrote:

> I read everything I could get my hands on.
>
> Windows domain user authenticates into linux.
> RHEL4.6 looks at the AD for authentication and allows them to see the
> samba shared folders.
> Using winbind and samba.
>
> Now that it is functioning and I can set a samba shared folder, HOW do
> I make that folder so that only the members in a certain group can see
> the folder.
> Seems everyone can see it, but only the group members have access to it
> the way I have it setup now.
>
> [ADMINS]
> comment = Testing Auth
> public = no
> writeable = yes
> path = /SHAREDDRIVE/ADMINFOLDER
> force group = DOMAIN/admin
>
> I don't want anyone to see the samba share folder but the group members.
> Am I just in the wrong location on where I should set the view on the
> folder.
>
> Also if I change the smb.conf file and restart the smb I have to restart
> the windows box before it can see new shared files/folders is there
> anyway around that issue. I would like the shares to be more dynamic and
> on the fly changeable.




Re: [Samba] Can't access shares - still doesn't work

2008-03-18 Thread Adam Williams
have you tried adding msdfs root = yes in your global section?  i had to 
do that on mine


Carl Carpenter wrote:

I started over and tried again.  Using only the Fedora Core 6 installation
disks went all the way through the process of setting up Samba.  Had
absolutely no problem with accessing the shares.  Ran 'yum update'.  Now I'm
back to being asked for a username and password which it then won't
validate.  Does this narrow it down for anybody?  Is there something in the
Samba updates (or something else) that changes the rules?

Running FC6 and Samba 3.0.24-11.fc6.
Workstation is XP Pro
Authentication is to NT4 domain - PDC is NT4 server.

Carl Carpenter
IT Manager
Hill Country Community MHMR Center
(830)258-5414
 

  

-Original Message-
From: 
[EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]

rg] On Behalf Of Carl Carpenter
Sent: Friday, March 14, 2008 9:46 AM
To: samba@lists.samba.org
Subject: RE: [Samba] Can't access shares - additional information


I realized I forgot to include my smb.conf file:

[EMAIL PROTECTED] etc]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Processing section "[Intranet]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = HCCMHMRC
server string = Intranet
security = DOMAIN
password server = colnago
log file = /var/log/samba/%m.log
max log size = 50
preferred master = No
dns proxy = No
wins server = 192.168.0.7
default service = Intranet
cups options = raw

[homes]
comment = Home Directories
read only = No

[printers]
comment = All Printers
path = //var/spool/samba
printable = Yes
browseable = No

[tmp]
comment = Temporary file space
path = /tmp
read only = No
guest ok = Yes

[Intranet]
path = /var/www/html
read only = No
create mask = 0774
directory mask = 0775
guest ok = Yes

I can access the tmp share and the Printer share.  This tells 
me that there is not an issue finding the Samba server.


Permissions on Intranet share (/var/www/html):

[EMAIL PROTECTED] www]# pwd
/var/www
[EMAIL PROTECTED] www]# ls -al html
total 16
drwxrwxr-x 2 apache www-data 4096 Sep 18 10:27 .
drwxr-xr-x 8 root   root 4096 Sep 18 10:27 ..

Ccarpenter is a member of www-data.

I cleared out the samba log for my machine.  Then I tried to 
access the Intranet share.  It asked for username and 
password which, of course, failed.  Here's the contents of 
the log after that attempt.


[2008/03/14 09:39:23, 1] smbd/ipc.c:api_fd_reply(290)
  api_fd_reply: INVALID PIPE HANDLE: 72df
[2008/03/14 09:39:35, 1] smbd/service.c:make_connection_snum(950)
  osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6070)
[2008/03/14 09:39:37, 1] smbd/service.c:close_cnum(1150)
  osc00062 (192.168.0.101) closed connection to service Intranet
[2008/03/14 09:39:49, 1] smbd/service.c:make_connection_snum(950)
  osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6071)
[2008/03/14 09:39:57, 1] smbd/service.c:close_cnum(1150)
  osc00062 (192.168.0.101) closed connection to service Intranet
[EMAIL PROTECTED] samba]# tail -40 osc00062.log
[2008/03/14 09:39:23, 1] smbd/ipc.c:api_fd_reply(290)
  api_fd_reply: INVALID PIPE HANDLE: 72df
[2008/03/14 09:39:35, 1] smbd/service.c:make_connection_snum(950)
  osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6070)
[2008/03/14 09:39:37, 1] smbd/service.c:close_cnum(1150)
  osc00062 (192.168.0.101) closed connection to service Intranet
[2008/03/14 09:39:49, 1] smbd/service.c:make_connection_snum(950)
  osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6071)
[2008/03/14 09:39:57, 1] smbd/service.c:close_cnum(1150)
  osc00062 (192.168.0.101) closed connection to service Intranet

Then, looking through Webmin at the connections, I see this:

6097  IPC$  ccarpenter  ccarpenter  osc00062  Fri Mar 14 09:43:38 2008  None

Which also coincides with the appearance of the Printers 
share which is not visible when I first open Custer through 
Network Neighborhood.


Is this an old problem that I'm supposed to find the answer 
in an obvious place, or has it stumped everyone out there?


Carl Carpenter
IT Manager
Hill Country Community MHMR Center
(830)258-5414
 



-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Carl Carpenter
Sent: Thursday, March 13, 2008 3:10 PM
To: samba@lists.samba.org
Subject: [Samba] Can't access shares


Running FC6 and Samba 3.0.24-11.fc6.
Workstation is XP Pro

Initially, after disabling SELinux and turning off Iptables,
I coul

Re: [Samba] LDAP Logon Script Management

2008-03-18 Thread Mark Rutherford

I personally don't know of a good LDAP tool for managing login scripts.
I don't know that the two are related, honestly but there is a section 
in the samba docs that touches it a little bit:

http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/AdvancedNetworkManagement.html

What I have done, since users don't need individual scripts is tie a 
script to a group because different groups have different printers and such.
I use Kixtart for this... so yes the scripts are elaborate but once it's 
done I have had little reason to poke around in them.


Someone may have a better answer, and I am curious myself as to what 
other management utilities and tools there are out there.



Hans-Wilhelm Heisinger wrote:
> I recently migrated from Windows NT 4.0 to Samba with a LDAP backend
> and haven't found a good tool for managing logon scripts for user
> groups and individual users.  What tools are available for managing
> this?  Currently each user is assigned their own script which makes
> changes painful.
>
> With kind regards
> Hans-Wilhelm Heisinger






[Samba] LDAP Logon Script Management

2008-03-18 Thread Hans-Wilhelm Heisinger

I recently migrated from Windows NT 4.0 to Samba with a LDAP backend and 
haven't found a good tool for managing logon scripts for user groups and 
individual users.  What tools are available for managing this?  Currently each 
user is assigned their own script which makes changes painful.

With kind regards
Hans-Wilhelm Heisinger




Re: [Samba] Question

2008-03-18 Thread John Drescher
On Tue, Mar 18, 2008 at 12:28 PM, Richard Buskirk
<[EMAIL PROTECTED]> wrote:
> I read everything I could get my hands on.
>
>
>
>  Windows domain user authenticates into linux.
>
>  RHEL4.6 looks at the AD for authentication and allows them to see the
>  samba shared folders.
>
>  Using winbind and samba.
>
>
>
>  Now that it is functioning and I can set a samba shared folder , HOW do
>  I make that folder so that only the members in a certain group can see
>  the folder.
>
>  Seems everyone can see it, but only the group members have access to it
>  the way I have it setup now.
>
>
>
>  [ADMINS]
>
> comment = Testing Auth
>
> public = no
>
> writeable = yes
>
> path = /SHAREDDRIVE/ADMINFOLDER
>
> force group = DOMAIN/admin
>
>
Have you tried hide unreadable = yes

John


RE: [Samba] Can't access shares - still doesn't work

2008-03-18 Thread Carl Carpenter
I started over and tried again.  Using only the Fedora Core 6 installation
disks went all the way through the process of setting up Samba.  Had
absolutely no problem with accessing the shares.  Ran 'yum update'.  Now I'm
back to being asked for a username and password which it then won't
validate.  Does this narrow it down for anybody?  Is there something in the
Samba updates (or something else) that changes the rules?

Running FC6 and Samba 3.0.24-11.fc6.
Workstation is XP Pro
Authentication is to NT4 domain - PDC is NT4 server.

Carl Carpenter
IT Manager
Hill Country Community MHMR Center
(830)258-5414
 

> -Original Message-
> From: 
> [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
> rg] On Behalf Of Carl Carpenter
> Sent: Friday, March 14, 2008 9:46 AM
> To: samba@lists.samba.org
> Subject: RE: [Samba] Can't access shares - additional information
> 
> 
> I realized I forgot to include my smb.conf file:
> 
> [EMAIL PROTECTED] etc]# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[tmp]"
> Processing section "[Intranet]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> [global]
> workgroup = HCCMHMRC
> server string = Intranet
> security = DOMAIN
> password server = colnago
> log file = /var/log/samba/%m.log
> max log size = 50
> preferred master = No
> dns proxy = No
> wins server = 192.168.0.7
> default service = Intranet
> cups options = raw
> 
> [homes]
> comment = Home Directories
> read only = No
> 
> [printers]
> comment = All Printers
> path = //var/spool/samba
> printable = Yes
> browseable = No
> 
> [tmp]
> comment = Temporary file space
> path = /tmp
> read only = No
> guest ok = Yes
> 
> [Intranet]
> path = /var/www/html
> read only = No
> create mask = 0774
> directory mask = 0775
> guest ok = Yes
> 
> I can access the tmp share and the Printer share.  This tells 
> me that there is not an issue finding the Samba server.
> 
> Permissions on Intranet share (/var/www/html):
> 
> [EMAIL PROTECTED] www]# pwd
> /var/www
> [EMAIL PROTECTED] www]# ls -al html
> total 16
> drwxrwxr-x 2 apache www-data 4096 Sep 18 10:27 .
> drwxr-xr-x 8 root   root 4096 Sep 18 10:27 ..
> 
> Ccarpenter is a member of www-data.
> 
> I cleared out the samba log for my machine.  Then I tried to 
> access the Intranet share.  It asked for username and 
> password which, of course, failed.  Here's the contents of 
> the log after that attempt.
> 
> [2008/03/14 09:39:23, 1] smbd/ipc.c:api_fd_reply(290)
>   api_fd_reply: INVALID PIPE HANDLE: 72df
> [2008/03/14 09:39:35, 1] smbd/service.c:make_connection_snum(950)
>   osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6070)
> [2008/03/14 09:39:37, 1] smbd/service.c:close_cnum(1150)
>   osc00062 (192.168.0.101) closed connection to service Intranet
> [2008/03/14 09:39:49, 1] smbd/service.c:make_connection_snum(950)
>   osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6071)
> [2008/03/14 09:39:57, 1] smbd/service.c:close_cnum(1150)
>   osc00062 (192.168.0.101) closed connection to service Intranet
> [EMAIL PROTECTED] samba]# tail -40 osc00062.log
> [2008/03/14 09:39:23, 1] smbd/ipc.c:api_fd_reply(290)
>   api_fd_reply: INVALID PIPE HANDLE: 72df
> [2008/03/14 09:39:35, 1] smbd/service.c:make_connection_snum(950)
>   osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6070)
> [2008/03/14 09:39:37, 1] smbd/service.c:close_cnum(1150)
>   osc00062 (192.168.0.101) closed connection to service Intranet
> [2008/03/14 09:39:49, 1] smbd/service.c:make_connection_snum(950)
>   osc00062 (192.168.0.101) connect to service Intranet initially as user ccarpenter (uid=501, gid=501) (pid 6071)
> [2008/03/14 09:39:57, 1] smbd/service.c:close_cnum(1150)
>   osc00062 (192.168.0.101) closed connection to service Intranet
> 
> Then, looking through Webmin at the connections, I see this:
> 
> 6097  IPC$  ccarpenter  ccarpenter  osc00062  Fri Mar 14 09:43:38 2008  None
> 
> Which also coincides with the appearance of the Printers 
> share which is not visible when I first open Custer through 
> Network Neighborhood.
> 
> Is this an old problem that I'm supposed to find the answer 
> in an obvious place, or has it stumped everyone out there?
> 
> Carl Carpenter
> IT Manager
> Hill Country Community MHMR Center
> (830)258-5414
>  
> 
> > -Original Message-
> > From:
> > [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]
> > rg] On Behalf Of Carl Carpenter
> > Sent: Thursday, March 13, 2008 3:10 PM
> > To: samba@lists.samba.org
> > Subject: [Samba] Can't 

[Samba] Question

2008-03-18 Thread Richard Buskirk
I read everything I could get my hands on.

Windows domain user authenticates into linux.
RHEL4.6 looks at the AD for authentication and allows them to see the
samba shared folders.
Using winbind and samba.

Now that it is functioning and I can set a samba shared folder, HOW do
I make that folder so that only the members in a certain group can see
the folder.
Seems everyone can see it, but only the group members have access to it
the way I have it setup now.

[ADMINS]
comment = Testing Auth
public = no
writeable = yes
path = /SHAREDDRIVE/ADMINFOLDER
force group = DOMAIN/admin

I don't want anyone to see the samba share folder but the group members.
Am I just in the wrong location on where I should set the view on the
folder.

Also if I change the smb.conf file and restart the smb I have to restart
the windows box before it can see new shared files/folders is there
anyway around that issue. I would like the shares to be more dynamic and
on the fly changeable.




Re: [Samba] failed to add domain dn= sambaDomainName

2008-03-18 Thread Adam Williams

did you run smbldap-populate?

Luca Ferrari wrote:
> Hi,
> I'm trying to configure my samba server to work with the ldap system on the
> same host. The samba domain name is LDAP, but when I try to start samba I
> cannot and in the log I found:
>
> [2008/03/18 11:12:14, 1] lib/smbldap_util.c:add_new_domain_info(216)
>   add_new_domain_info: failed to add domain dn= sambaDomainName=LDAP,dc=myHost,dc=com with: Invalid DN syntax
>   invalid DN
>
> Where can be the problem? Both in /etc/samba/smb.conf
> and /etc/smbldap-tools/smbldap.conf the domain name is set to LDAP.
>
> Thanks,
> Luca

  




Re: [Samba] Re: ntlm_auth

2008-03-18 Thread Kai Blin
On Tuesday 18 March 2008 15:31:59 Kai Blin wrote:
> Dean, Barry  liverpool.ac.uk> writes:
> > Now when I test "ntlm_auth" I get the following odd goings on:
> >
> > Scenario A: Works
> >
> > Type: ntlm_auth --username=USER --password=PASSWORD --domain=DOMAIN
> > Result: NT_STATUS_OK: Success (0x0)
> >
> > Scenario B: FAILS
> >
> > Type: ntlm_auth --username=USER --domain=DOMAIN
> > password: 
> >
> > Result: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
> >
> > What's different about the password handling between A and B?

Ok, I've just set up a 3.2.0pre2 box for today's bugzilla day and joined it to 
the AD PDC running win2k3.

In this configuration, both scenarios work. Could you please provide your 
smb.conf file and a debuglevel 10 log of the ntlm_auth call?

Cheers,
Kai

-- 
Kai Blin
WorldForge developer  http://www.worldforge.org/
Wine developer        http://wiki.winehq.org/KaiBlin
Samba team member     http://www.samba.org/samba/team/
--
Will code for cotton.



Re: [Samba] Vista joinDomain gdwError = 0x32

2008-03-18 Thread Volker Lendecke
On Tue, Mar 18, 2008 at 04:00:12PM +0100, Mario Gzuk wrote:
> Hi,
> the same error is with samba version 3.0.24. Later versions can not be
> tested because of the "Samba/Ldap problems with Versions > 3.0.24".
> 
> Does nobody know anything about these error messages?

You might want to add your info to
https://bugzilla.samba.org/show_bug.cgi?id=5336
This needs to be solved before 3.2, and maybe this will
get fixed in 3.0.28 as well.

Volker



Re: [Samba] Vista joinDomain gdwError = 0x32

2008-03-18 Thread Mario Gzuk
Hi,
the same error is with samba version 3.0.24. Later versions can not be
tested because of the "Samba/Ldap problems with Versions > 3.0.24".

Does nobody know anything about these error messages?

greetings mario

On Monday, 03.03.2008, at 09:45 +0100, Mario Gzuk wrote:
> Hi,
> I am trying to join MS Vista to a samba (3.0.23) Domain. If I join the
> domain manually all works fine, but when I try the unattended method I
> got the following errors:
> 
> 2008-03-04 02:58:32, Error[unattendedjoin.exe]
> Unattended Join: NetJoinDomain failed error code is [50]
> 2008-03-04 02:58:32, Error[unattendedjoin.exe]
> Unattended Join: Unable to join; gdwError = 0x32
> 
> I am searching the samba logs and the Internet, but there is no
> description of this error (also not on microsoft.com). Maybe someone of
> the samba experts know this error code? 
> Let me know if you need more information.
> 
> Thank you for any hint.
> 
> greetings mario
> 



[Samba] failed to add domain dn= sambaDomainName

2008-03-18 Thread Luca Ferrari
Hi,
I'm trying to configure my samba server to work with the ldap system on the 
same host. The samba domain name is LDAP, but when I try to start samba I 
cannot and in the log I found:

[2008/03/18 11:12:14, 1] lib/smbldap_util.c:add_new_domain_info(216)
  add_new_domain_info: failed to add domain dn= 
sambaDomainName=LDAP,dc=myHost,dc=com with: Invalid DN syntax
invalid DN

Where can the problem be? Both in /etc/samba/smb.conf 
and /etc/smbldap-tools/smbldap.conf the domain name is set to LDAP.

Thanks,
Luca



[Samba] Re: ntlm_auth

2008-03-18 Thread Kai Blin
Dean, Barry  liverpool.ac.uk> writes:

> Now when I test "ntlm_auth" I get the following odd goings on:
> 
> Scenario A: Works
> 
>   Type: ntlm_auth --username=USER --password=PASSWORD --domain=DOMAIN
>   Result: NT_STATUS_OK: Success (0x0)
> 
> Scenario B: FAILS
> 
>   Type: ntlm_auth --username=USER --domain=DOMAIN
>   password: 
> 
>   Result: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
> 
> What's different about the password handling between A and B?

That's a good question. I'm currently looking into that.

> The upshot is that the command issued by FreeRADIUS:
> 
> ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=
> %{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00}
> -- nt-response=%{mschap:NT-Response:-00}"
> 
> the %{} bits become a basic domain free user name, eg "user", and some long
> Hex strings...
> 
> Also fails.

That's a completely different ntlm_auth mode. I'll check that as well, though.

> So my MSCHAPv2 auth is now broken.

What version of Samba is this again?

Cheers,
Kai

-- 
Kai Blin
WorldForge developer  http://www.worldforge.org/
Wine developer        http://wiki.winehq.org/KaiBlin
Samba team member     http://www.samba.org/samba/team/
--
Will code for cotton.




[Samba] vista svn checkout to mapped drive slower than xp

2008-03-18 Thread stoffell
Hi,

On a vista pc we run Syncrosvn client to check out svn repositories to
a samba share. It works but on Vista this takes much longer than on
Windows XP. Checkout or status check on local disk work normally.
(tried the same on a different vista pc, same problem..)

To troubleshoot this I created a smaller test SVN repository to make
it easier to read network captures. (I made a svn repository using the
putty source code) Our 'normal' repositories range from 40 -> 100Mb in
size. (doing captures on those would create huge files..)

I have placed the files on http://stoffell.be/samba/ and have read the
CIFS document of SNIA but only have found out that: When vista does a
checkout or "svn status --verbose" the capture files show a lot more
"NT Create AndX Request". 6188 packets, compared to 140 (on XP). Is
this related to the problem or should I tweak something in Vista to
"workaround" this?

Hope to get some feedback on this and if I need to collect more info,
please let me know..

The tech info:
Samba version 3.0.24 is running on Debian Etch. (fully updated)
Vista 32bit is fully updated. (no SP1 yet)
XP sp2
Syncro svn client v3.1 (also tested with Tortoisesvn, same issues)
Vista and XP connected over 100 Mbit switched network.

Thanks in advance for any feedback.

cheers,
Kristof


[Samba] Running a login script

2008-03-18 Thread Mike Stewart
Hello all, 

We are trying to find a way to run login scripts for our users but all the 
How-To files seem rather complicated :-( 

We have been using Samba for several years and all our users have Windows 2000 
PCs, Samba accounts etc. They log into their Windows with a username/password 
OK. The Samba server is set up with the same username/password combination as 
their PCs so they don't have to supply username/password again and drive 
mappings are saved by Windows. A very simple system which has proved easy to 
maintain. 

We are trying now to introduce "Generic" PCs which any user can access (hot 
desking I think it is called). So, we want the Samba server to prompt the user 
for a username/password combination when they click on the desktop shortcut to 
the server (we've accomplished that part easily) and then automatically run a 
login script to map their drives - that's the part we are struggling to find a 
solution to. 

All the examples we've found so far refer to "Domain Controllers" - Do we 
*have* to set up the server as a Domain controller, do we *have* to create 
machine accounts etc.?

TIA 

Mike 






[Samba] ntlm_auth

2008-03-18 Thread Dean, Barry
I am trying to get FreeRADIUS using Samba's ntlm auth for MSCHAPv2 
authentication.

I asked this question over on the FreeRADIUS list, and I think the stunned 
silence means that the folks over there think you guys in the Samba world may 
be able to help better.

I admit it's been a few years since I did any Samba!

I have joined my two RADIUS servers (FreeRADIUS 2.0.2, Solaris 10 x86, Sun's 
winbindd 3.0.25a) to our AD domain with the "net join" command. This worked 
(eventually!).

Now when I test "ntlm_auth" I get the following odd goings on:

Scenario A: Works

Type: ntlm_auth --username=USER --password=PASSWORD --domain=DOMAIN
Result: NT_STATUS_OK: Success (0x0)

Scenario B: FAILS

Type: ntlm_auth --username=USER --domain=DOMAIN
password: 

Result: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

What's different about the password handling between A and B?

The upshot is that the command issued by FreeRADIUS:

ntlm_auth = "/usr/sfw/bin/ntlm_auth --request-nt-key --username= 
%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} 
-- nt-response=%{mschap:NT-Response:-00}"

the %{} bits become a basic domain free user name, eg "user", and some long Hex 
strings...

Also fails.

So my MSCHAPv2 auth is now broken.

This worked with our Test AD environment fine. I am told the only difference 
between test/production is:

1) Production is in "native mode"
2) Production supports logins using both "USER\livad.liv.ac.uk" and "[EMAIL 
PROTECTED]" forms.

Thanks in advance.

---
Barry Dean
Networks Team





Re: [Samba] Problem: NT_STATUS_INSUFF_SERVER_RESOURCES

2008-03-18 Thread Chris Osicki
On Mon, 17 Mar 2008 20:26:54 +0100
Volker Lendecke <[EMAIL PROTECTED]> wrote:

> On Mon, Mar 17, 2008 at 06:09:18PM +0100, Chris Osicki wrote:
> > 
> > Hi
> > 
> > A client (Win2000 Server, I think) cannot connect anymore a share on my 
> > Samba server.
> > The error message on the client side: "Not enough server storage is 
> > available to process 
> > this command"
> > 
> > I found the following in my logs:
> > 
> > [2008/03/17 08:42:01, 3] smbd/process.c:process_smb(1110)
> >   Transaction 95095 of length 110
> > [2008/03/17 08:42:01, 3] smbd/process.c:switch_message(914)
> >   switch message SMBtconX (pid 13117) conn 0x552b20a830
> > [2008/03/17 08:42:01, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2008/03/17 08:42:01, 3] smbd/error.c:error_packet(146)
> >   error packet at smbd/reply.c(676) cmd=117 (SMBtconX) 
> > NT_STATUS_INSUFF_SERVER_RESOURCES
> > 
> > 
> > The server is happily serving few other shares, CPU/memory/diskspace looks 
> > OK.
> > 
> > Could anybody explain to me how to interpret this message?
> 
> Very likely some buggy program on the W2k server. This error
> message only happens when you have more than 65534
> concurrent shares open on a single smb connection.
> 
> Volker

Thanks a lot Volker!

Regards,
Chris



Re: [Samba] Samba/LDAP Question

2008-03-18 Thread Hector Blanco
Hello!

A few days ago, two users of this list sent me examples of a working
"machine" account in Samba, because the one I get when I try to add a
machine with smbldap doesn't work very well (as I explained in
http://lists.samba.org/archive/samba/2008-February/138639.html) and I
found that in my account some fields didn't appear (as shown in
http://lists.samba.org/archive/samba/2008-February/138860.html)

I'm thinking of adding the missing fields by hand. I guess that the
most important fields are:

---
objectClass: sambaSamAccount
[. . .]
sambaNTPassword:
sambaPrimaryGroupSID:
sambaSID:
---

I suppose I know how to set the sambaNTPassword with smbpasswd but I
don't know what I should write as sambaPrimaryGroupSID and sambaSID. I
think I remember reading somewhere that the sambaSID can be calculated
somehow, but I don't remember now, and I certainly don't know what to
do with the sambaPrimaryGroupSID. Does any of you know how to
calculate them?

Alternatively, I've been thinking that maybe I can add a machine (or at
least these samba fields) with other commands, besides the
smbldap-tools, I mean... maybe I could get something with the "normal"
samba commands (smbpasswd, and so on). Is it possible? Any
recommendations?

Any hint will be deeply appreciated :)

2008/2/27, Frank J. Pellegrino <[EMAIL PROTECTED]>:
> Below is a sample of a machine entry:
>
>  dn: uid=295mand01$,ou=computers,o=sju.edu
>  cn: 295mand01$
>  description: Computer
>  gecos: Computer
>
> gidNumber: 515
>  homeDirectory: /dev/null
>  loginShell: /bin/false
>
> objectClass: top
>  objectClass: person
>  objectClass: organizationalperson
>
> objectClass: inetOrgPerson
>  objectClass: posixAccount
>  objectClass: sambaSamAccount
>
> sambaAcctFlags: [W  ]
>  sambaNTPassword: 8E5BB69CD089184751166B254347DBD2
>  sambaPrimaryGroupSID: S-1-5-21-1948856034-3740470957-464559834-2031
>  sambaSID: S-1-5-21-1948856034-3740470957-464559834-2005314
>  sn: 295mand01$
>  uid: 295mand01$
>  uidNumber: 1002157
>
>
>
>
>  At 04:02 PM 2/27/2008, Hector Blanco wrote:
>  >Ehm... just to make sure... could anybody who has LDAP+Samba working
>  >send the ldif definition of what he has as a "machine"?
>  >
>  >I've got this as a machine:
>  >
>  >dn: uid=enano$,ou=Hosts,dc=jome
>  >objectClass: top
>  >objectClass: person
>  >objectClass: organizationalPerson
>  >objectClass: inetOrgPerson
>  >objectClass: posixAccount
>  >cn: enano$
>  >sn: enano$
>  >uid: enano$
>  >uidNumber: 1007
>  >gidNumber: 515
>  >homeDirectory: /dev/null
>  >loginShell: /bin/false
>  >description: Computer
>  >gecos: Computer
>  >structuralObjectClass: inetOrgPerson
>  >entryUUID: 0cd59f8e-79a9-102c-8d64-8b73cc15be28
>  >creatorsName: cn=admin,dc=jome
>  >createTimestamp: 20080227175622Z
>  >entryCSN: 20080227175622Z#01#00#00
>  >modifiersName: cn=admin,dc=jome
>  >modifyTimestamp: 20080227175622Z
>  >entryDN: uid=enano$,ou=Hosts,dc=jome
>  >subschemaSubentry: cn=Subschema
>  >hasSubordinates: FALSE
>  >-
>  >
>  >and I don't see any "samba" thing in here... Is that fine?
>  >
>  >Thanks!!
>  >
>  >
>  >
>  >2008/2/27, Frank J. Pellegrino <[EMAIL PROTECTED]>:
>  > > If your solaris box is setup as an LDAP client you can add a search
>  > >  descriptor with the ldapclient command.
>  > >  Below is an example of what we changed to make joining the domain work 
> on
>  > >  the first try.
>  > >
>  > >  NS_LDAP_SERVICE_SEARCH_DESC= passwd:
>  > ou=computers,o=sju.edu;ou=People,o=sju.edu
>  > >
>  > >
>  > >
>  > >
>  > >  At 03:13 PM 2/27/2008, Hector Blanco wrote:
>  > >  >Mmmm..If I understood properly, I'm afraid I can just say... "Welcome
>  > >  >to the club, mate":
>  > >  >
>  > >  >Take a look to this:
>  > >  >http://lists.samba.org/archive/samba/2008-February/138639.html
>  > >  >http://lists.samba.org/archive/samba/2008-February/138442.html
>  > >  >
>  > >  >May it be a bug??  Is the same thing that is happeing to you?
>  > >  >
>  > >  >Regards
>  > >  >
>  > >  >2008/2/4, Frank J. Pellegrino <[EMAIL PROTECTED]>:
>  > >  > > We have just setup Samba 3.0.28 with LDAP support.  We are using a
>  > Sun One
>  > >  > >  5.2 LDAP server.
>  > >  > >
>  > >  > >  We are having a problem when a new machine joins the domain.
>  > >  > >  Here is a snippet of our smb.conf file
>  > >  > >add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>  > >  > >ldap machine suffix = ou=computers
>  > >  > >ldap user suffix = ou=People
>  > >  > >
>  > >  > >  When a new machine attempts to join the domain a new entry is
>  > created in
>  > >  > >  ou=computers as expected.  This entry has only the posixAccount
>  > >  > information
>  > >  > >  and no Samba info.  However, the machine reports that it failed to
>  > >  > join the
>  > >  > >  domain.  Log entries on both samba and LDAP tell me that after the
>  > >  > entry is
>  > >  > >  crea
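
Added example, not part of the thread and not Samba or smbldap-tools code: the working entry quoted above is consistent with Samba's algorithmic RID mapping (2*1002157+1000 = 2005314, 2*515+1001 = 2031), so the two SIDs asked about can be derived and a machine entry checked for the Samba attributes it lacks. Assumptions: "algorithmic rid base" is at its default of 1000, the domain SID is the prefix of the quoted sambaSID, and the two LDIF samples are trimmed copies of the quoted entries with the NT hash replaced by a placeholder.

```python
import base64

# Assumption: smb.conf "algorithmic rid base" is at Samba's default of 1000.
ALGORITHMIC_RID_BASE = 1000
REQUIRED = ("sambaSID", "sambaPrimaryGroupSID", "sambaNTPassword", "sambaAcctFlags")

# Working entry from the quoted mail (quote markers removed, NT hash is a placeholder).
WORKING = """\
dn: uid=295mand01$,ou=computers,o=sju.edu
uid: 295mand01$
uidNumber: 1002157
gidNumber: 515
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [W  ]
sambaNTPassword: 00000000000000000000000000000000
sambaPrimaryGroupSID: S-1-5-21-1948856034-3740470957-464559834-2031
sambaSID: S-1-5-21-1948856034-3740470957-464559834-2005314
"""
# Entry created by smbldap-useradd in the quoted mail (operational attributes omitted).
INCOMPLETE = """\
dn: uid=enano$,ou=Hosts,dc=jome
objectClass: inetOrgPerson
objectClass: posixAccount
uid: enano$
uidNumber: 1007
gidNumber: 515
"""
DOMAIN_SID = "S-1-5-21-1948856034-3740470957-464559834"  # prefix of the quoted sambaSID


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def expected_sids(domain_sid, uid_number, gid_number, base=ALGORITHMIC_RID_BASE):
    """Algorithmic mapping: user RID = 2*uid + base, group RID = 2*gid + base + 1."""
    return (f"{domain_sid}-{2 * uid_number + base}",
            f"{domain_sid}-{2 * gid_number + base + 1}")


def audit_machine_entry(entry, domain_sid):
    """Findings for a posixAccount machine entry; an empty list means it passes."""
    findings = []
    if "sambasamaccount" not in {c.lower() for c in entry.get("objectclass", [])}:
        findings.append("objectClass sambaSamAccount missing")
    findings += [f"{a} missing" for a in REQUIRED if a.lower() not in entry]
    user_sid, group_sid = expected_sids(
        domain_sid, int(entry["uidnumber"][0]), int(entry["gidnumber"][0]))
    for attr, want in (("sambaSID", user_sid), ("sambaPrimaryGroupSID", group_sid)):
        have = entry.get(attr.lower(), [want])[0]   # absence is reported above
        if have != want:
            findings.append(f"{attr} is {have}, algorithmic value is {want}")
    flags = entry.get("sambaacctflags", ["W"])[0]
    if entry.get("uid", [""])[0].endswith("$") and "W" not in flags:
        findings.append("sambaAcctFlags lacks W (workstation trust account)")
    return findings


if __name__ == "__main__":
    for label, ldif in (("working", WORKING), ("incomplete", INCOMPLETE)):
        entry = parse_ldif_entry(ldif)
        print(label, audit_machine_entry(entry, DOMAIN_SID) or "OK")
```

A sambaPrimaryGroupSID that differs from the algorithmic value is only a hint to look closer, since a site may map the group to a different RID on purpose.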

Re: [Samba] how to log only opened files via vfs_modules?

2008-03-18 Thread Volker Lendecke
On Tue, Mar 18, 2008 at 10:25:57AM +0100, Hubert Choma wrote:
> I have a share with a lot of scan files with the .tif extension.
> They are grouped in catalogs by year, for example 2006, 2007, 2008 etc.
> I would like to log the files (scanned .tif files) opened by users. But 
> /var/log/messages shows a lot of useless information!
> 
> For example, user fujitsu opened only the file 11005_07.tif in Windows 
> Explorer.
> In /var/log/messages I can't tell exactly which file was opened by the user. 
> Audit lists all files touched by Windows Explorer, but I must know 
> which one was opened.
> It generates a lot of unnecessary entries in /var/log/messages.
> 
> Other operations on files like remove delete or rename are logged 
> correctly.

Explorer *does* read at least part of all files to display
the shiny little icon.

Volker



[Samba] how to log only opened files via vfs_modules?

2008-03-18 Thread Hubert Choma
I have a share with a lot of scan files with the .tif extension.
They are grouped in catalogs by year, for example 2006, 2007, 2008 etc.
I would like to log the files (scanned .tif files) opened by users. But 
/var/log/messages shows a lot of useless information!

For example, user fujitsu opened only the file 11005_07.tif in Windows 
Explorer.
In /var/log/messages I can't tell exactly which file was opened by the user. 
Audit lists all files touched by Windows Explorer, but I must know 
which one was opened.
It generates a lot of unnecessary entries in /var/log/messages.

Other operations on files like remove delete or rename are logged 
correctly.

PLEASE HELP !
See my smb.conf

Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12795_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12795_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12795_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12793_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12792_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12791_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12790_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12790_07.tif
Mar 18 09:54:00 localhost smbd_audit: 
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12790_07.tif


smb.conf

[global]
 log level = 2 vfs:3 auth:2 passdb:3
 log file = /var/log/samba/%U.%m.log
 max log size = 5000

[skany]
comment = skany
;   browseable = yes
path = /mnt/skany/skany/
write list = @skanery
valid users = @geo,@skanery
deny hosts = korytarz1, korytarz2
vfs objects = recycle full_audit
recycle:repository = .recycle/%U
recycle:touch = true
recycle:keeptree = true
recycle:versions = false
recycle:exclude = *.TMP
recycle:directory_mode = 773
full_audit:success = write pwrite rename unlink rmdir mkdir connect read pread
full_audit:prefix = %u|%m|%I|%S
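
Added example, not part of the thread and not Samba code: because Explorer reads part of every file it displays, pread events appear for files the user only browsed past, so this sketch condenses the smbd_audit lines into one record per user, client, share and file with a hit count. Assumptions: the payload is the post's prefix (%u|%m|%I|%S) followed by |operation|result|argument, and the last two sample lines are constructed.

```python
import re

# Syslog header, then the full_audit payload. Payload layout assumed here:
# the post's prefix (%u|%m|%I|%S) followed by |operation|result|argument.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssmbd_audit(?:\[\d+\])?:\s*(?P<payload>.*)$")
PREFIX_FIELDS = ("user", "machine", "ip", "share")

# First eight events from the post, wrapped as the mail shows them; the last
# two lines (a failed pread and an unlink) are constructed for this example.
SAMPLE = """\
Mar 18 09:54:00 localhost smbd_audit:
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit:
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12795_07.tif
Mar 18 09:54:00 localhost smbd_audit:
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12795_07.tif
Mar 18 09:54:00 localhost smbd_audit:
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit:
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12795_07.tif
Mar 18 09:54:00 localhost smbd_audit:
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/11005_07.tif
Mar 18 09:54:00 localhost smbd_audit:
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12793_07.tif
Mar 18 09:54:00 localhost smbd_audit:
fujitsu|sm17|10.10.10.160|skany|pread|ok|2007/12792_07.tif
Mar 18 09:54:01 localhost smbd_audit: fujitsu|sm17|10.10.10.160|skany|pread|fail (Bad file descriptor)|2007/12790_07.tif
Mar 18 09:54:02 localhost smbd_audit: fujitsu|sm17|10.10.10.160|skany|unlink|ok|2007/old|name.tif
"""


def rejoin(raw):
    """Undo mail wrapping: a line without a syslog header continues the previous one."""
    joined = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if LINE_RE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += line
    return joined


def parse_event(line):
    """Split one rejoined line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # maxsplit keeps any '|' inside the file name in the last field
    parts = m.group("payload").split("|", len(PREFIX_FIELDS) + 2)
    if len(parts) != len(PREFIX_FIELDS) + 3:
        return None
    event = dict(zip(PREFIX_FIELDS, parts))
    event.update(ts=m.group("ts"), op=parts[4], result=parts[5], path=parts[6])
    return event


def condense(raw, ops=("read", "pread")):
    """One record per (user, ip, share, path): hit count plus first/last timestamp."""
    summary = {}
    for line in rejoin(raw):
        ev = parse_event(line)
        if ev is None or ev["op"] not in ops or ev["result"] != "ok":
            continue
        key = (ev["user"], ev["ip"], ev["share"], ev["path"])
        rec = summary.setdefault(key, {"count": 0, "first": ev["ts"], "last": ev["ts"]})
        rec["count"] += 1
        rec["last"] = ev["ts"]
    return summary


if __name__ == "__main__":
    for key, rec in sorted(condense(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(rec["count"], rec["first"], *key)
```

The hit count narrows the review to a handful of files but does not prove which one the user viewed, since icon reads and a real open produce the same event type.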
 

Re: [Samba] Re: Samba/Ldap problems with Versions > 3.0.24

2008-03-18 Thread Tomasz Chmielewski

Mario Gzuk wrote:

Hi,

On Monday, 17.03.2008, at 13:41 -0400, Adam Tauno Williams wrote:

we have similar problems with samba+ldap after updating to 3.0.27.
But in our case, the following ldap-Attributes won't get updated:
sambaPwdMustChange
sambaPwdCanChange
only sambPwdLastSet gets altered.
in newly created accounts the two Attributes even won't be created !?
I already checked every log-file i can think of, I played with verbose 
logging, but I really can't find a solution up to now.
I also asked about this stuff here in the mailinglist several weeks ago, 
but no answer til now.

So what could we do ?

Is there a policy set to affect these attributes?

littleboy:~ # pdbedit -P "minimum password age"
account policy value for minimum password age is 86400
littleboy:~ # pdbedit -P "maximum password age"
account policy value for maximum password age is 5184000


We have a policy for the maximum password age (value is: 15552000). But
this doesn't matter. The timestamps in the LDAP get updated correctly,
but the pdbedit -Lv user shows the wrong dates and the functionality is
broken as you may read in my previous mail...


A similar problem was reported in "Strange NT_STATUS_PASSWORD errors 
after upgrade to 3.0.26a" if you search the lists (actually, I see you 
mentioned it, too).


I guess this bug is worth reporting on http://bugzilla.samba.org?


--
Tomasz Chmielewski
http://wpkg.org


Re: [Samba] Re: Samba/Ldap problems with Versions > 3.0.24

2008-03-18 Thread Mario Gzuk
Hi,

On Monday, 17.03.2008, at 13:41 -0400, Adam Tauno Williams wrote:
> > we have similar problems with samba+ldap after updating to 3.0.27.
> > But in our case, the following ldap-Attributes won't get updated:
> > sambaPwdMustChange
> > sambaPwdCanChange
> > only sambPwdLastSet gets altered.
> > in newly created accounts the two Attributes even won't be created !?
> > I already checked every log-file i can think of, I played with verbose 
> > logging, but I really can't find a solution up to now.
> > I also asked about this stuff here in the mailinglist several weeks ago, 
> > but no answer til now.
> > So what could we do ?
> 
> Is there a policy set to affect these attributes?
> 
> littleboy:~ # pdbedit -P "minimum password age"
> account policy value for minimum password age is 86400
> littleboy:~ # pdbedit -P "maximum password age"
> account policy value for maximum password age is 5184000

We have a policy for the maximum password age (value is: 15552000). But
this doesn't matter. The timestamps in the LDAP get updated correctly,
but the pdbedit -Lv user shows the wrong dates and the functionality is
broken as you may read in my previous mail...

greetings mario gzuk
