Re: [Samba] Solaris 10 - Samba authentication Question

2008-09-15 Thread CT

Let me try to clarify a bit more..

Goal
using security=user
3 Shares---Winshare
SunShare
--- PrivateShare

all users -- WinShare (no password prompt)
all users---SunShare (no password prompt)
---PrivateShare (prompt for username /password)

Thx for any pointers

ct

Greetings list:

OS :Solaris 10 (sparc)05/08
Samba version: 11.10.0,REV=2005.01.08.05.16
  I think this equates to version 3.28

Overview
We have 2 shares on UNIX side that are used
to transfer files from Windows to Solaris.
One share is read-only and the other is writable
This is working great for the users.
The current setting is :
security=share

All clients are Windows XP.

-
Change We want to make
-
We want to add a protected share for a certain number
of users to access via password.

While not affecting the other shares
or
requiring users to enter a password.

I know we will have to change to :
security=user

I have made several attempts to accomplish this but have not had any success.

What I have done:
Added a UNIX user to smbpasswd
Added a UNIX group to /etc/group and added the UNIX user.

The below smb.conf does not work for the private area (logs).
It seems to *behave like* the security =share
as it pops up a Greyed out box with Guest in it
and prompts for a password.

Thx
Charles

Particulars
/etc/group logs::700:charles
/etc/sfw/private/smbpasswd 
charles:104:9CEBF93A3F7BA80A8B0EA5A7DF135B03:7112CEA3B9A87EBEC3B84CC6066091DE:[U 
]:LCT-48CA6DF5:


smb.conf (not working)

[global]
netbios name = samba
server string = Samba Server
workgroup = Workgroup
security = user
guest ok = yes
map to guest = Bad User
log file = /var/samba/log/log.%m
dos filemode = Yes
hide unreadable = Yes
wins server = xxx.xxx.xxx.xxx
encrypt passwords = Yes
null passwords = Yes
domain master = No
dns proxy = No
os level = 50
hide special files = Yes
dont descend = lost+found
preferred master = no
max log size = 50
log level = 9

[SUNshare]
comment = SUN Share (read-only)
path = /export/sunfiles
force user = nobody4
force group = nogroup
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
dont descend =

[WINshare]
comment = Windows Share (write)
path = /export/winfiles
force user = nobody4
force group = nogroup
read only = No
dont descend =

[logs]
comment = Logs Share
path = /export/logs
force group = logs
guest ok = no
write list = charles





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] inherited acl

2008-09-15 Thread vishesh kumar
Thanks Willy and Roberto

  testparm -v is serving my purpose. Another doubt I have is related to
ACLs.
Even though by default

inherit permissions = No
inherit acls = No
map acl inherit = No

new files and folders are inheriting permissions from the parent.

thanks


Re: [Samba] Solaris 10 - Samba authentication Question

2008-09-15 Thread CT

Solved..
I had to add
passdb backend = smbpasswd

to the [global]

ct




[Samba] rcsmbd4wins smaba 3.031 infinite error loop sys_gethosbyname:Unknown host

2008-09-15 Thread Daniel Müller
Hello to all ,
 
I have successfully installed smbd4wins on my SUSE 10.2. Everything is
working well, but an error in my rcsmbd4wins.log is telling
me in an endless loop: lib/util.c:330 :interpret_addr()]
sys_gethostbyname:Unknown host.HOSTNAME

Now the HOSTNAME that WINS is complaining about is no longer in use and the
address is gone.
Can someone help me? Any idea?
 
Greetings
 
Daniel 
 


[Samba] call_nt_transact_ioctl(0x9005c)

2008-09-15 Thread Brian H. Nelson


I'm seeing these errors every couple minutes from my Samba server 
(3.0.28... RHEL5 build).


[2008/09/15 11:59:44, 0] smbd/nttrans.c:call_nt_transact_ioctl(2463)
 call_nt_transact_ioctl(0x9005c): Currently not implemented.

I realize what 'currently not implemented' means, and since no users 
have complained, I assume the message is ignorable.


I was wondering however, if anyone can enlighten me as to what ioctl 
0x9005c is/does, and what windows processes/etc might try to use it. 
Perhaps it's something that I can turn off or re-configure on the client 
machines.


Thanks!
-Brian

--
---
Brian H. Nelson Youngstown State University
System Administrator   Media and Academic Computing
 bnelson[at]cis.ysu.edu
---



Re: [Samba] inherited acl

2008-09-15 Thread Matthias Nagel
On Monday, 15 September 2008, vishesh kumar wrote:
> Thanks Willy and Roberto
>
>   testparm -v is serving my purpose. Another doubt i have is related with
> acl.
> Even though by default
>
> inherit permissions = No
> inherits acls =No
> map acl inherit = No
>
>  New files and folder is inheriting permission from parent.
>
> thanks

If the parent directory has default:[group|user]:some name:permissions 
entries these are inherited by new objects. This is a standard POSIX behaviour 
and is not related to Samba. They would even be inherited if you created a new 
file/directory using the console.

Matthias


[Samba] net rpc vampire x Windows 2003 Server

2008-09-15 Thread Fabiano Caixeta Duarte
Hi!

Some time ago I successfully used net rpc vampire against an NT4 domain.
Back then I was using ldapsam.

Is it possible to do this against a w2k3 domain using tdbsam? Can you
point me to some documentation?

Thanks in advance!

-- 
Fabiano Caixeta Duarte


Re: [Samba] Samba write performance in kernel

2008-09-15 Thread Jeremy Allison
On Mon, Sep 15, 2008 at 02:44:32PM +0800, Lin Mac wrote:
 
> I think my question is not precise. And I'm not really familiar with linux
> block and virtual file system subsystems, so please correct me if I'm wrong.

Neither am I :-).

> Reading from samba can achieve zero copy with help of sendfile and
> scatter/gather support of NIC driver.
>
> Writing to samba by going to user space and back again would cause 2 memory
> copy (copy_to_user, copy_from_user).
>
> Writing to samba with splice could avoid going to user space, so there is no
> memory copy (copy_to_user, copy_from_user). But buffers received from network
> driver (around 1.5kB each) are sent to file system subsystem and below. Will
> it be cached and gathered to become a continuous buffer (which cause 1 memory
> copy), or does virtual file system subsystem and below could support
> scatter/gather, so there will be no memory copy at all (zero copy) ?

This is a kernel implementation detail. Remember Samba
runs on many other kernels, not just Linux. Linux has
splice, *BSD has receivefile, Solaris probably has
something different.

The point is that Samba calls the kernel function at
the right point to *allow* zero-copy writes - it's up
to the specific kernel to ensure that happens (this
is a long-winded way of saying I'm not a kernel engineer,
sorry :-).

Jeremy.


[Samba] Network Help

2008-09-15 Thread Darryl Tidd
I have searched the internet, and have tried some things I have found, 
but cannot resolve my issue.  Hoping to find some help here.
I have a peer to peer network static IP on all workstations, 
approximately 100 computers running Windows XP pro, and Windows 2000 
pro.  My desktop, Ubuntu, and one Linux Server, running Red Hat 9.  The 
RH9 machine has Samba v2.27 running as WINS.  It is set as master 
browser and preferred master.  However, it seems that it loses its 
master and preferred browser status.  When browsing the network from a 
workstation, most of the computers or none of the computers, are listed 
in the View all Network Computers.  Would like to have Samba as master 
at all times.  Any ideas that may help me out?


Thanks in advance.

smb.conf
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2008/09/05 13:10:52

# Global parameters
[global]
   netbios name = LINUXBOX
   server string = linuxbox
   security = user
   encrypt passwords = Yes
   null passwords = Yes
   username map = /etc/samba/smbusers
   syslog only = Yes
   announce version = 5
   name resolve order = wins hosts bcast lmhosts
   socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192
   printcap name = CUPS
   os level = 66
   preferred master = Yes
   dns proxy = No
   wins support = Yes
   guest account = nobody
   printing = cups

[print$]
   path = /var/lib/samba/printers
   write list = root
   create mask = 0664
   directory mask = 0775
   guest ok = Yes

[printers]
   path = /tmp
   guest ok = Yes
   printable = Yes
   browseable = No

[Myfiles]
   path = /media/samba
   force user = root
   force group = root
   read only = No
   create mask = 0664

[jakarta-tomcat-5]
   comment = TOMCAT
   path = ../jakarta-tomcat-5
   read only = No

[homes]
   valid users = %S
   read only = No
   browseable = yes

--
Darryl Tidd PC Specialist Dealers Auto Auction of OKC 1028 S. Portland 
Oklahoma City, OK 73108 (405)947-2886 x130 Contact Me 
mailto:[EMAIL PROTECTED]



[Samba] Re: samaba winwind

2008-09-15 Thread Andreas Ladanyi

Chavez, James R. wrote:

Michael, Andreas, and list,
Quick questions for clarity please. Using Winbind and having the uid and gid 
consistent across all linux and Solaris servers is something I have struggled 
with. So is it fair to say that without SFU, or extending schema with RFC2307, 
or using Windows 2003R2 and manually populating these Active Directory user 
objects with Unix attributes, you cannot manually specify which Unix uid is 
mapped to a Windows ID?


You can use OpenLDAP for example instead of SFU or RFC2307 extension:-)

But: Yes, this is at least my experience.

There is a net groupmap command which will write to the tdb database
backend, but I have never used it and don't know if this command is
relevant in this context. I remember this command is (only) used when
setting up a Samba domain controller to map the builtin Windows groups
512,513,514. Although there is no net usermap command.




I ask this because in certain locations where I work we have existing Unix
infrastructures based on NIS. Therefore all access to data is based upon these
NIS uid and gid permissions in these environments. The Windows group has been
pushing Linux out in these locations and in some cases, insisting they be
joined to Active Directory, and authenticate local and SSH logins with Winbind.
My issue with this is that the existing resources that the staff accesses have
permissions based on NIS permissions. So when logging in with Active Directory
credentials, these AD users are dynamically allocated a Unix uid by Winbind
that no longer has access to established resources based on the NIS
permissions.


What I have done in certain areas is migrated all uid, gid, and host 
information from NIS into an OpenLDAP directory. Then use Kerberos (AD creds)to 
authenticate then map the Kerberos name to the 8 character Unix name in LDAP 
using PADL's nss_ldap. I could just create the LDAP usernames the same as the 
Kerberos names but wanted to keep with the 8 character scheme, I think AIX 
still has this limitation. This seems to work but if I can use Winbind to 
statically map existing Unix uid to Windows ID's that would be less work.

Is there in fact a way to use Winbind and use the NIS uid and gid info that 
already exists? From what I have read so far all Winbind uid generation is 
dynamic. Please correct me if I am wrong.


We had the same constellation in our institute and we put all uids/gids 
from NIS to Active Directory  by hand, bit by bit. About 200 users.


I don't know a way to use NIS AND winbind at the same time, so that the
Active Directory system will read information from NIS and put it
together with the Windows AD information, without migrating the uids/gids.


I hope a Samba developer can answer this question positively :-)

Bye,
Andy



Thanks 
James


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Adam
Sent: Friday, September 12, 2008 2:19 AM
To: Andreas Ladanyi
Cc: samba@lists.samba.org
Subject: Re: [Samba] Re: samaba winwind

Hi,

Andreas Ladanyi wrote:

vishesh wrote:

dear all
i am running samba 3.0.28 on two server and using winbind to get 
active directory users and group. the problem i facing is attach the 
uid assigned for same user is different on samba servers.
The uid saved in the Active Directory is different from the winbind 
Linux side ?


No, the problem is that the uids on the two samba servers are different for the same
user. This is because you are using (the default of) idmap backend = tdb.
This assigns increasing uids (per server) to users in the order they access the server.

If you need the same user ids, you have (at least) the following two options:

1. Use idmap backend = rid. Then a user gets the
   uid built as LOW_RANGE_UID + RID.
   Here LOW_RANGE_UID is the lower bound of the range
   idmap uid = LOW_RANGE_UID - HIGH_RANGE_UID
   and RID is the relative identifier: the user SID
   is built as follows: DOMAIN_SID-RID. i.e. the rid
   is the last block of digits of the user's sid, hence
   is unique inside one domain, and users will get the
   same uid on all samba servers using idmap backend = rid.
   See the man page idmap_rid(8).

2. Use idmap backend = ad:
   When you install the SFU (Services For Unix) schema
   extensions, then you can set unix attributes for users
   and groups in active directory, and the same uid is
   obtained for users on all samba servers using this backend.
  
Hope this helps,


Michael

--
Michael Adam [EMAIL PROTECTED]  [EMAIL PROTECTED] SerNet GmbH, 
Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. 
Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE


Re: [Samba] Network Help

2008-09-15 Thread Rubin Bennett
On Mon, 2008-09-15 at 14:44 -0500, Darryl Tidd wrote:
> I have searched the internet, and have tried some things I have found,
> but cannot resolve my issue.  Hoping to find some help here.
> I have a peer to peer network static IP on all workstations,
> approximately 100 computers running Windows XP pro, and Windows 2000
> pro.  My desktop, Ubuntu, and one Linux Server, running Red Hat 9.  The
> RH9 machine has Samba v2.27 running as WINS.  It is set as master
> browser and preferred master.  However, it seems that it loses its
> master and preferred browser status.  When browsing the network from a
> workstation, most of the computers or none of the computers, are listed
> in the View all Network Computers.  Would like to have Samba as master
> at all times.  Any ideas that may help me out?
>
> Thanks in advance.
>
> smb.conf
> # Samba config file created using SWAT
> # from 0.0.0.0 (0.0.0.0)
> # Date: 2008/09/05 13:10:52
>
> # Global parameters
> [global]
> netbios name = LINUXBOX
> server string = linuxbox
> security = user
> encrypt passwords = Yes
> null passwords = Yes
> username map = /etc/samba/smbusers
> syslog only = Yes
> announce version = 5
> name resolve order = wins hosts bcast lmhosts
> socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192
> printcap name = CUPS
> os level = 66

I believe this is your issue - I've seen a number of non-definitive
answers over the years on this one; clarification would be greatly
appreciated.  However, my general practice is to never exceed 64 for the
os level parameter.  I find that values over 64 often return unexpected
results, and I've found that my Samba servers don't lose elections in
recent memory and I usually leave them at the default value in smb.conf
of 33.

HTH,
Rubin

> preferred master = Yes
> dns proxy = No
> wins support = Yes
> guest account = nobody
> printing = cups
>
> [print$]
> path = /var/lib/samba/printers
> write list = root
> create mask = 0664
> directory mask = 0775
> guest ok = Yes
>
> [printers]
> path = /tmp
> guest ok = Yes
> printable = Yes
> browseable = No
>
> [Myfiles]
> path = /media/samba
> force user = root
> force group = root
> read only = No
> create mask = 0664
>
> [jakarta-tomcat-5]
> comment = TOMCAT
> path = ../jakarta-tomcat-5
> read only = No
>
> [homes]
> valid users = %S
> read only = No
> browseable = yes
>
> --
> Darryl Tidd PC Specialist Dealers Auto Auction of OKC 1028 S. Portland
> Oklahoma City, OK 73108 (405)947-2886 x130 Contact Me
> mailto:[EMAIL PROTECTED]
-- 
Rubin Bennett
RB Technologies
http://thatitguy.com
[EMAIL PROTECTED]
(802)223-4448

Think for yourselves and let others enjoy the privilege to do so, too.
~Voltaire




Re: [Samba] Network Help

2008-09-15 Thread Chris Smith
On Monday 15 September 2008 04:20:37 pm Rubin Bennett wrote:
> I believe this is your issue - I've seen a number of non-definitive
> answers over the years on this one; clarification would be greatly
> appreciated.

Sorry that I cannot clarify, yet second the motion, but will add that I run my 
Samba PDC's with:

os level = 255
announce version = 5.9

Suggest the OP try as well:

local master = Yes
domain master = Yes

Which will still allow the network to act in a peer-to-peer fashion if he 
doesn't join systems to the domain (although with this many clients it's a 
good idea). In any case (with or without 'domain master = Yes' and/or joining 
the domain or not) the 100 clients will need their workgroups set to the same 
workgroup as the linuxbox which I don't see explicitly defined:
workgroup = MYWORKGROUP
so it will just be the default (if I didn't define mine it would default to 
WORKGROUP).

Of course the clients will also need to be setup to use the wins server 
(hopefully with this many clients dhcp is handling that task).

-- 
Chris


[Samba] Mac OS 10.5.5

2008-09-15 Thread Amaru Netapshaak

Hello,

I have a Mac running Mac OS 10.5.5 that I need joined to a Samba domain. 
I am running Samba 3.0.31

Any tips?  We found some guides for 10.4 that worked, but not for 10.5

Thanks!

++Amaru






[Samba] write only permissions

2008-09-15 Thread Steve Rippl
Hi,

We've just put in a Samba fileserver to replace our windows box for our
School District and it seems to be working great.  I have a question
about defining some specific permissions though.  We set up 'Drop boxes'
for teachers that kids can drag files into, but they don't have read
permission so they can't read each others submitted work.  Here's what
it looks like on the fileserver

 [EMAIL PROTECTED]:/srv/materials/WHS/VanCleek# getfacl Drop_Box/
# file: Drop_Box
# owner: admin
# group: domain\040admins
user::rwx
user:vancleek:rwx
group::rwx
group:whs\040student:-wx
mask::rwx
other::---
default:user::rwx
default:user:vancleek:rwx
default:group::rwx
default:group:whs\040student:-wx
default:mask::rwx
default:other::---

and the view through windows security tab shows Traverse folder/Create
Files/Write Attributes/Write Extended Attributes/Read permissions.
Needless to say this doesn't seem to work!  The student account (in the
right group) is not allowed to drop a file into that folder.  If I add
g:wsd\\whs\ Student:rwx then the student can do anything successfully,
with -wx nothing?!!

Can anyone help?

Many thanks,

Steve Rippl
Technology Director
Woodland School District


[Samba] samba migration woes

2008-09-15 Thread g s
I am trying to migrate samba from a box with Mandrake 10.1 with Samba
3.0.10 to a new box running CentOS 5.2 with Samba 3.0.28.  The two 
versions of samba are too different to simply copy the config and tdb 
files over to the new box and the Mandrake box won't upgrade past 
3.0.10. I could really use some suggestions. Thanks

Greg



  


Re: [Samba] write only permissions

2008-09-15 Thread Jeremy Allison
On Mon, Sep 15, 2008 at 01:57:55PM -0700, Steve Rippl wrote:
> Hi,
>
> We've just put in a Samba fileserver to replace our windows box for our
> School District and it seems to be working great.  I have a question
> about defining some specific permissions though.  We set up 'Drop boxes'
> for teachers that kids can drag files into, but they don't have read
> permission so they can't read each others submitted work.  Here's what
> it looks like on the fileserver
>
>  [EMAIL PROTECTED]:/srv/materials/WHS/VanCleek# getfacl Drop_Box/
> # file: Drop_Box
> # owner: admin
> # group: domain\040admins
> user::rwx
> user:vancleek:rwx
> group::rwx
> group:whs\040student:-wx
> mask::rwx
> other::---
> default:user::rwx
> default:user:vancleek:rwx
> default:group::rwx
> default:group:whs\040student:-wx
> default:mask::rwx
> default:other::---
>
> and the view through windows security tab shows Traverse folder/Create
> Files/Write Attributes/Write Extended Attributes/Read permissions.
> Needless to say this doesn't seem to work!  The student account (in the
> right group) is not allowed to drop a file into that folder.  If I add
> g:wsd\\whs\ Student:rwx then the student can do anything successfully,
> with -wx nothing?!!
>
> Can anyone help?

Ok, the problem is that students need to be able to read
the containing directory in order to be able to drag and
drop new files there. The reason is that Samba needs to
be able to scan the directory on their behalf in order
to do case insensitive lookups.

But so long as you don't mind allowing the students to
see the names of each others files, you can set up a
DropBox so that students can write into it (and their
own files) but not edit or see others files.

Firstly, you want to make sure that files created in
the DropBox directory are not owned by the student's
primary group, but by the group owner of the DropBox
directory. So :

chgrp teachers DropBox

to make it owned by the teachers group. Then set the
setgid bit on the DropBox directory to make sure
that files created within there have an owning group
of teachers.

chmod g+s DropBox

Then ensure that a file in DropBox can be renamed
or deleted by only the owner of the file, or by the
owner of the directory, or by root (same permissions
that /tmp has).

chmod +t DropBox

Then allow students to write into the directory
by adding an ACL

setfacl -m g:students:rwx DropBox

So long as the default acl is set so that others
have no permissions, files written by a student
into that directory will be owned by themselves
but will have an owning group of teachers, and
students will not be able to read each others
files.

If you need to cause the files to be owned
by the owner of the directory, not by the students
who created them you need to set up a separate
share as described above, but then add the
share level parameter :

inherit owner = yes

which will cause files created within the
directories in that share to be owned by
the containing directory, not the creating
owner.

Hope this helps,

Jeremy.
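
Added example, not part of Jeremy's message or of Samba: a shell check for the directory layout the steps above produce (setgid bit, sticky bit, new files taking the directory's group). The names check_dropbox, path_gid and the probe file name are made up for this example, and treating access for "other" on the directory as a failure is an assumption taken from the other::--- line in the getfacl output in the question.

```sh
#!/bin/sh
# Added example: audit a drop-box directory after the chgrp / chmod g+s /
# chmod +t / setfacl steps. Usage: sh check_dropbox.sh /path/to/DropBox

# Print the numeric gid of a path. Numeric ids are used because winbind
# group names can contain spaces (e.g. "domain admins"), which would break
# field splitting on the symbolic "ls -l" output.
path_gid() {
    ls -ldn "$1" | awk '{ print $4 }'
}

# Returns 0 if the mode bits match the drop-box layout, 1 if a check
# fails, 2 if the argument is not a directory.
check_dropbox() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi

    # First 10 characters of the ls mode string, e.g. "drwxrws--T".
    mode=$(ls -ld "$dir" | cut -c1-10)

    # chmod g+s: character 7 is "s" (or "S" when group x is absent).
    case $(printf '%s' "$mode" | cut -c7) in
        s|S) echo "ok:   setgid bit set" ;;
        *)   echo "FAIL: setgid bit missing (chmod g+s)"; rc=1 ;;
    esac

    # chmod +t with nothing granted to "other": characters 8-10 are "--T".
    case $(printf '%s' "$mode" | cut -c8-10) in
        --T)    echo "ok:   sticky bit set, other has no access" ;;
        ??[tT]) echo "FAIL: sticky bit set but other has access"; rc=1 ;;
        ---)    echo "FAIL: sticky bit missing (chmod +t)"; rc=1 ;;
        *)      echo "FAIL: sticky bit missing and other has access"; rc=1 ;;
    esac

    # Behavioural check: a file created inside must take the directory's
    # group. Needs write access; the subshell contains a failed redirect.
    probe="$dir/.dropbox-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        if [ "$(path_gid "$probe")" = "$(path_gid "$dir")" ]; then
            echo "ok:   new files take the directory's group"
        else
            echo "FAIL: new files keep the creator's group"; rc=1
        fi
        rm -f "$probe"
    else
        echo "note: cannot create a probe file here, group check skipped"
    fi

    # Advisory only (does not change the return status, since getfacl may
    # not be installed): the default ACL decides what "other" gets on new
    # files.
    if command -v getfacl >/dev/null 2>&1; then
        if getfacl "$dir" 2>/dev/null | grep -q '^default:other::---'; then
            echo "ok:   default ACL gives other no access"
        else
            echo "note: default ACL does not show default:other::---"
        fi
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then
    check_dropbox "$1"
fi
```

Run it as a user who may write to the directory, otherwise the group check on new files is skipped.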


[Samba] inherited acl

2008-09-15 Thread vishesh

Thanks Nagel

That means
the inherit permission and inherit acl parameters should be used only
when a default ACL is not present on the parent directory.

