Re: [Samba] Failed to send packet on .255

2009-07-09 Thread Eero Volotinen

Todd Chester wrote:

Hi All,

On my first internal NIC, Samba is working perfectly.

On my new, second internal NIC, I am getting the following in my
messages log:

libsmb/nmblib.c:send_udp(793)
Packet send failed to 192.168.254.255(138) ERRNO=Operation not permitted

nmbd/nmbd_packets.c:send_netbios_packet(163)
send_netbios_packet: send_packet() to IP 192.168.254.255 port 137 failed

I thought .255 was a reserved address.  What is the error all about?
There is only one computer on my new second nic: 192.168.254.12 and
it is in test phase.


Sounds like firewall issue to me.

What does iptables -L -v print as root?

--
Eero,
RHCE

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Samba slow over WAN.

2009-07-09 Thread Kasper Sacharias Eenberg
Morning.

I recently set up a Samba server serving a smaller company of 5-6
people.
They previously used to be in a domain (windows 2003 server), but as
they are using laptops and running around like mad, we skipped the
domain on this one.

Everything works great over the LAN (Or it's just too fast for them to
notice it's slow) but over WAN it takes them a couple of minutes to open
an Excel file (for instance).

So we sent a reinstalled XP down to them to test what speeds it got, and
it got full speed. It only took a few seconds to open the same file.

All client machines are running XP SP3.
Samba version Version 3.0.33-3.7.el5.
WAN connection is a 20/20 fiber.
Client connection is 6/2 (the test PC was on that connection as well).
Samba send/receive buffers are at the maximum (It gave the best
performance over WAN when my colleague and I tested it).

Does anyone have a clue as to what is going on here?

With regards,
Kasper



[Samba] Samba 3.4 on Centos 5.3

2009-07-09 Thread Niklas Saers

Dear Sirs,

I'm running a vanilla CentOS 5.3 server, and yum there has Samba
3.0.33. What's the recommended way to install Samba 3.4 as an upgrade
over 3.0.33? Just ./configure && make && sudo make install ?


Cheers

Nik


Re: [Samba] Samba 3.4 on Centos 5.3

2009-07-09 Thread Kasper Sacharias Eenberg
On Thu, 2009-07-09 at 08:57 +0200, Niklas Saers wrote:
 Dear Sirs,
 
 I'm running a vanilla CentOS 5.3 server, and yum there has Samba
 3.0.33. What's the recommended way to install Samba 3.4 as an upgrade
 over 3.0.33? Just ./configure && make && sudo make install ?
 
 Cheers
 
   Nik

In my humble opinion it's wise to choose the package from your
distribution.

Unless you have the time to maintain/upgrade it yourself.
They are in the repo because they are stable (That's how it works in
Debian anyways).
And I do believe CentOS takes care of security patches.

With regards,
Kasper



Re: [Samba] bash change from r...@myserver to administra...@myserver

2009-07-09 Thread supha...@gmx.com
Thank you for the clarification.
Does it help if I add ROOT to the group of invalid users?

[global]

..
...
 invalid users = root bin daemon adm sync shutdown \
 halt mail news uucp operator gopher \
 mailnull rpm ntp


Thank you and Best Regards,
Tom
Norberto Bensa wrote:
 On Thu, Jul 9, 2009 at 1:28 AM, supha...@gmx.com <supha...@gmx.com> wrote:
   
 Hello Norberto,

 Why does it change back and forth automatically between root and Administrator?
 

 sometimes nss reads from /etc/password and sometimes from ldap. I
 don't know why.

   
 Will it lead to any problem in the future?
 

 Maybe.

 If you do:

 id root
 id Administrator

 you'll get back uid=0

 So who is uid=0, root or administrator? You know they are the same
 entity, but machines are too stupid.

 Regards,
 Norberto

   



[Samba] TOSHARG-StandAloneServer.xml translate finish and some 1 typo found

2009-07-09 Thread OPC oota
The translation of TOSHARG-StandAloneServer.xml to Japanese is now finished (3.3.4 base).

Also, 1 typo was found.


If all that is needed is a server for read-only files, or for
printers alone, it may not make sense to effect a complex installation.
For example, a drafting office needs to store old drawings and reference
standards. Noone can write files to the server because it is legislatively
   -
   None? or No one?
important that all documents remain unaltered. A share-mode read-only standalone
server is an ideal solution.
/para

--
--- Oota Toshiya ---  t-oota at dh.jp.nec.com
NEC Computers Software Operations Unit  Shiba,Minato,Tokyo
Open Source Software Platform Development Division  Japan,Earth,Solar system
(samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster)


Re: [Samba] scary fill_share_mode_lock failed message

2009-07-09 Thread Volker Lendecke
On Wed, Jul 08, 2009 at 06:04:53PM -0500, Jonathon Doran wrote:
 I'm still working on figuring out why some accesses to profile data are 
 failing.
 We are running 3.3.2-0.33.fc11 (the latest release for FC11).

 I saw this in the log file

   stat_cache_lookup: lookup succeeded for name [USER/STARTMENU] -  
 [user/StartMenu]
 [2009/07/08 17:39:59,  3] locking/locking.c:fetch_share_mode_unlocked(857)
   fill_share_mode_lock failed

 I saw Volker had a fix which went into 3.2.8 (I'm looking at the 3.2.9  
 maintenance release notes).  It would be a big help if I could get a  
 little clarification on this.

That particular instance of the message is the one I fixed.
It is harmless.

Volker



Re: [Samba] Samba 3.4 on Centos 5.3

2009-07-09 Thread Niklas Saers

Hi Kasper,

On Jul 9, 2009, at 9:13 AM, Kasper Sacharias Eenberg wrote:

In my humble opinion it's wise to choose the package from your
distribution.


I would, but I need functionality that was introduced with Samba 3.2,  
and since the only package I can find is 3.0.33, that's not an option.  
Are there other package-repositories than the default I can use that  
perhaps have a newer version of Samba?



They are in the repo because they are stable (That's how it works in
debian anyways).


There have been many Samba releases since 3.0.33, I should expect they  
are stable? :-)


Cheers

Nik


Re: [Samba] Samba 3.4 on Centos 5.3

2009-07-09 Thread Eero Volotinen

Niklas Saers wrote:

Dear Sirs,

I'm running a vanilla CentOS 5.3 server, and yum there has Samba 3.0.33.
What's the recommended way to install Samba 3.4 as an upgrade over
3.0.33? Just ./configure && make && sudo make install ?


Cheers


It is recommended to use RPM packages. Since CentOS only provides a very
old version, many people are using Samba from the SerNet repository:


ftp://ftp.sernet.de/pub/samba/experimental/centos/5/

Sernet samba usually works fine, but ..

--
Eero,
RHCE



Re: [Samba] Samba 3.4 on Centos 5.3

2009-07-09 Thread Niklas Saers

Hi guys,

On Jul 9, 2009, at 10:47 AM, Eero Volotinen wrote:
It is recommended to use rpm packages, since Centos only provides  
very old version, many people are using samba from sernet repository:



On Jul 9, 2009, at 10:29 AM, Waltari Harri wrote:

Maybe you would take a look at Sernet Samba repo?


Thanks for the link, I'll be sure to grab that one :-)

Cheers

Nik


[Samba] samba member of domain, user authenticated from AD

2009-07-09 Thread Gabriel Petrescu
Hi,

I have a Samba server which should be part of a domain, and have one
share accessible by a group from AD.

How can this be done?

I tried to put Samba in the domain and communicate with AD, but I couldn't
make the AD users authenticate and access the share.

I am using Ubuntu, and despite the several tutorials and how-tos I
found, it seems most of them are missing some info.

So, do you have a good trustable working way to do it?

Is it a solution to use ldap?

Gabi


Re: [Samba] login.bat has error?

2009-07-09 Thread Mohsen Pahlevanzadeh
Dear Adam,
I changed my machine and installed Samba and LDAP on another machine with a new
configuration.

Even getent passwd and getent shadow work well. LDAP doesn't have a
problem.
I even invoke: smbldap-useradd -w mylove
then I run net rpc join mylove -u root
Enter root's password:
 Creation of workstation account failed
 Unable to join domain MYLOVE.
debian:/usr/local/etc/samba_3# 
I am confused
My smb.conf: 

/
[global]
dos charset = UTF-8
display charset = UTF-8
workgroup = MYLOVE
realm = MYLOVE
netbios name = MYLOVE
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
logon path = \\%N\profiles\%U
logon drive = U:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=mylove
ldap delete dn = Yes
ldap group suffix = ou=group
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computer
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = ou=people
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0600
directory mask = 0700
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[netlogon]
path = /var/lib/samba/netlogon
browseable = No

[profiles]
path = /var/lib/samba/profiles
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable

[public]
path = /tmp
read only = No
guest ok = Yes





On Tue, 2009-07-07 at 10:33 -0500, Adam Williams wrote:
 sounds like your computer doesn't have a machine account.
 
 Mohsen Pahlevanzadeh wrote:
  Dear all,
  I ran PDC on smbpasswd auth.
  When i use following the command, i receive :
  //
  debian:/usr/local/etc/samba_3# ./bin/net rpc join mylove -U root 
  Enter root's password:
  Creation of workstation account failed
  Unable to join domain MYLOVE.
  debian:/usr/local/etc/samba_3# 
  ///
 
 
  my smb.conf is :
 
 
 
  
  [global]
  netbios name = mylove
  server string = Axjooon 
  workgroup = mylove
  os level = 65
  prefered master = yes
  domain master = yes
  local master = yes
  domain logons = yes
  ;misc options
  #socket options = TCP NODELAY IPTOS LOWDELAY SO SNDBUF=8192 SO
  RCVBUF=8192
  time server = yes
  hide dot files = yes
  #client code page = 852
  #character set = ISO8859-2
  smb passwd file = /usr/local/etc/samba_3/lib/smbpasswd
 
  security = user
  guest ok = no
  invalid users = bin sys ftp man mail
  admin users = @admin
  wins support = yes
  # passdb backend = ldapsam:ldap://ldap1.company.com
  ldap://ldap2.company.com;
   #   passdb backend = ldapsam:ldap://127.0.0.1/
# ldap admin dn = cn=Manager,dc=mylove,dc=com
  #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
 # ldap suffix = dc=mylove,dc=com
  #ldap group suffix = ou=Groups
  #ldap user suffix = ou=Users
  #ldap machine suffix = ou=Computers
  #ldap idmap suffix = ou=Idmap
  #add user script = /usr/sbin/smbldap-useradd -m %u
  #ldap delete dn = Yes
  #delete user script = /usr/sbin/smbldap-userdel %u
#  add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
 # add group script = /usr/sbin/smbldap-groupadd -p %g
  #delete group script = /usr/sbin/smbldap-groupdel %g
   #   add user to group script = /usr/sbin/smbldap-groupmod -m %u
  %g
   #   delete user from group script = /usr/sbin/smbldap-groupmod -x
  %u %g
#  set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%
  u'
 
  
 
  #domain admin group = @admin
  #domain admin users = root
  

[Samba] Q: Import Samba users into AD?

2009-07-09 Thread Chris Bradshaw
Hi

We have had a Samba 3.x PDC + OpenLDAP backend for a number of years,
but we are finding that there are some things we would like to do
which really require us to have an Active Directory Server.

I was just wondering, is there any way I can import my Samba OpenLDAP
user objects (especially the sambaLMPassword and sambaNTPassword
hashes) into an Active Directory?

And once imported, is there any way I can keep them sync'ed?

Or do I have to recreate the users from scratch?

Thanx muchly in advance.

Chris.


Re: [Samba] Samba 3.4 on Centos 5.3

2009-07-09 Thread Tony Hoover
The default setting for LDAP StartTLS changed between those versions,
watch out for that.  Also, if you communicate with an AD, you will need
to configure your /etc/krb5.conf file with the newer one.

I've been running SerNet Samba for about a year, with excellent results.
It is a repo, so when you yum update it will update your Samba as
well.  Be sure to select the appropriate package level (experimental,
recent, or tested) for your environment.

On Thu, 2009-07-09 at 04:24 -0500, Niklas Saers wrote:
 Hi guys,
 
 On Jul 9, 2009, at 10:47 AM, Eero Volotinen wrote: 
  It is recommended to use rpm packages, since Centos only provides   
  very old version, many people are using samba from sernet
 repository:
 
 
 On Jul 9, 2009, at 10:29 AM, Waltari Harri wrote: 
  Maybe you would take a look at Sernet Samba repo?
 
 Thanks for the link, I'll be sure to grab that one :-)
 
 Cheers
 
 Nik 


Re: [Samba] TOSHARG-StandAloneServer.xml translate finish and some 1 typo found

2009-07-09 Thread John H Terpstra - Samba Team
OPC oota wrote:
 Now, TOSHARG-StandAloneServer.xml translate to Japanese finished(3.3.4 base).
 
 and 1 typo found.
 
 
 If all that is needed is a server for read-only files, or for
 printers alone, it may not make sense to effect a complex installation.
 For example, a drafting office needs to store old drawings and reference
 standards. Noone can write files to the server because it is legislatively
-
None? or No one?
 important that all documents remain unaltered. A share-mode read-only 
 standalone
 server is an ideal solution.
 /para
 
 --
 --- Oota Toshiya ---  t-oota at dh.jp.nec.com
 NEC Computers Software Operations Unit  Shiba,Minato,Tokyo
 Open Source Software Platform Development Division  Japan,Earth,Solar system
 (samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster)


Oota-san,

Thank you.  I replaced the word noone with the more correct form
nobody.  According to Wikipedia the word noone is an obsolete form of
nobody.  Apparently, the word noone is an incorrect form of no one,
and is a poor usage of English.

Thanks for pointing out the typos and grammatical challenges you find as
the docs are being translated.  Congratulations on the progress you are
making.

Cheers,
John T.


Re: [Samba] VFS recycle force user (fwd)

2009-07-09 Thread Lukas Deseyve


Hi,

Do you have any idea?


Lukas



-- Forwarded message --
Date: Wed, 8 Jul 2009 08:27:53 +0200
From: dese...@linuxbox.cz
To: Dale Schroeder d...@briannassaladdressing.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] VFS recycle  force user


I tried both - recycle:repository = .recycle/%U and also recycle:repository = 
.recycle/%u

But with the same result - Samba made the directory .recycle/force_user  :(

L.


---

Re: [Samba] VFS recycle  force user

Try
   recycle:repository = .recycle/%U

That changes service user to session user.

Dale


dese...@linuxbox.cz wrote:

Hi,

I have a problem with a share with the parameter force user

Here are my settings of the VFS module recycle

vfs object = recycle
                recycle:repository = .recycle/%u
                recycle:maxsize = 5000
                recycle:exclude = *.tmp *.temp *.o *.obj ~$*
                recycle:exclude_dir = sdileni/*/profile* tmp temp cache
                recycle:versions = yes
                recycle:touch = yes
                recycle:keeptree = yes

and this is my share

[my_share]
        path = /home/sdileni/instalace
        comment = software, instalace
        force group = smbgroup
        force user = smbuser
        public = yes


If I delete some file from this share, then Samba makes the
directory .recycle/smbuser. But in an older version (for example Samba 3.3.0)
Samba made the directory .recycle/real_user - and this is what I need! Is it possible?
Must I have something new in the configuration, or is this new behavior of
Samba?


thanks, Lukas
 




RE: [Samba] login.bat has error?

2009-07-09 Thread Mohsen Pahlevanzadeh
Can I hope to solve this problem?
On Thu, 2009-07-09 at 17:56 +0530, VIJAYAN wrote:
 Ok Millian thanks  Mohsen Pahlevanzadeh
 
 Regards,
 
 -Original Message-
 From: Mohsen Pahlevanzadeh [mailto:moh...@pahlevanzadeh.org] 
 Sent: Thursday, July 09, 2009 5:01 PM
 To: Adam Williams
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] login.bat has error?
 
 Dear Adam,
 I changed my machine  install Samba  Ldap in other machine with new
 configuration.
 
 Even getent paaswd  getent shadow is work well.Ldap doesn't has problem.
 Even i invoke :smbldap-useradd -w mylove then i run net rpc join mylove -u
 root Enter root's password:
  Creation of workstation account failed
  Unable to join domain MYLOVE.
 debian:/usr/local/etc/samba_3#
 I confused
 My smb.conf: 
 
 /
 [global]
 dos charset = UTF-8
 display charset = UTF-8
 workgroup = MYLOVE
 realm = MYLOVE
 netbios name = MYLOVE
 server string = %h server
 map to guest = Bad User
 passdb backend = ldapsam:ldap://127.0.0.1/ pam password change = Yes passwd
 program = /usr/sbin/smbldap-passwd -u %u passwd chat = *New*password* %n\n
 *Retype*new*password* %n\n
 *all*authentication*tokens*updated*
 unix password sync = Yes
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1000
 time server = Yes
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 add user script =
 /usr/sbin/smbldap-useradd -m %u delete user script =
 /usr/sbin/smbldap-userdel %u add group script = /usr/sbin/smbldap-groupadd
 -p %g delete group script = /usr/sbin/smbldap-groupdel %g add user to group
 script = /usr/sbin/smbldap-groupmod -m %u %g delete user from group script =
 /usr/sbin/smbldap-groupmod -x %u %g set primary group script =
 /usr/sbin/smbldap-usermod -g %g %u add machine script =
 /usr/sbin/smbldap-useradd -w %u logon script = logon.bat logon path =
 \\%N\profiles\%U logon drive = U:
 domain logons = Yes
 os level = 65
 preferred master = Yes
 domain master = Yes
 dns proxy = No
 wins support = Yes
 ldap admin dn = cn=admin,dc=mylove
 ldap delete dn = Yes
 ldap group suffix = ou=group
 ldap idmap suffix = ou=idmap
 ldap machine suffix = ou=computer
 ldap suffix = dc=example,dc=com
 ldap ssl = no
 ldap user suffix = ou=people
 panic action = /usr/share/samba/panic-action %d map acl inherit = Yes case
 sensitive = No hide unreadable = Yes map hidden = Yes map system = Yes
 
 [homes]
 comment = Home Directories
 valid users = %S
 read only = No
 create mask = 0600
 directory mask = 0700
 browseable = No
 
 [printers]
 comment = All Printers
 path = /var/spool/samba
 create mask = 0700
 printable = Yes
 browseable = No
 
 [print$]
 comment = Printer Drivers
 path = /var/lib/samba/printers
 
 [netlogon]
 path = /var/lib/samba/netlogon
 browseable = No
 
 [profiles]
 path = /var/lib/samba/profiles
 force user = %U
 read only = No
 create mask = 0600
 directory mask = 0700
 guest ok = Yes
 profile acls = Yes
 browseable = No
 csc policy = disable
 
 [public]
 path = /tmp
 read only = No
 guest ok = Yes
 
 
 
 
 
 On Tue, 2009-07-07 at 10:33 -0500, Adam Williams wrote:
  sounds like your computer doesn't have a machine account.
  
  Mohsen Pahlevanzadeh wrote:
   Dear all,
   I ran PDC on smbpasswd auth.
   When i use following the command, i receive :
   //
   debian:/usr/local/etc/samba_3# ./bin/net rpc join mylove -U root 
   Enter root's password:
   Creation of workstation account failed Unable to join domain MYLOVE.
   debian:/usr/local/etc/samba_3#
   ///
  
  
   my smb.conf is :
  
  
  
   
   [global]
 netbios name = mylove
 server string = Axjooon 
 workgroup = mylove
 os level = 65
 prefered master = yes
 domain master = yes
 local master = yes
 domain logons = yes
   ;misc options
 #socket options = TCP NODELAY IPTOS LOWDELAY SO SNDBUF=8192 SO
   RCVBUF=8192
 time server = yes
 hide dot files = yes
 #client code page = 852
 #character set = ISO8859-2
 smb passwd file = /usr/local/etc/samba_3/lib/smbpasswd
  
 security = user
 guest ok = no
 invalid users = bin sys ftp man mail
 admin users = @admin
   wins support = yes
   # passdb backend = ldapsam:ldap://ldap1.company.com 
   ldap://ldap2.company.com;
#   passdb backend = ldapsam:ldap://127.0.0.1/
 # ldap admin dn = cn=Manager,dc=mylove,dc=com
   #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
  # ldap suffix = dc=mylove,dc=com
   #ldap group suffix = ou=Groups
   #ldap user suffix = ou=Users
   #ldap machine suffix = ou=Computers
   #ldap idmap suffix = ou=Idmap
   #add user script = /usr/sbin/smbldap-useradd -m %u
   #ldap delete dn = Yes
   #delete user script = /usr/sbin/smbldap-userdel %u
 #  add machine script = 

Re: [Samba] login.bat has error?

2009-07-09 Thread John Drescher
On Thu, Jul 9, 2009 at 10:51 AM, Mohsen
Pahlevanzadeh <moh...@pahlevanzadeh.org> wrote:
 Can i hope to solve this problem?

It would help if you posted the Samba log from the PDC that showed
what happened when you tried to join the domain. Also, have you set up
your nss_switch.conf and are you running nscd?

John


[Samba] Re: Authentication requests being handled by PDC not local BDC

2009-07-09 Thread David M Noriega
It seems leaving password server = * on the domain member causes it to
fail after a while as it fails to find any servers. Explicitly setting
password server = BISHOP ROSS gets it working again,
but it still only talks to the PDC (in a different subnet).

On Wed, Jul 8, 2009 at 10:53 AM, David M Noriega <davidmnori...@gmail.com> wrote:
 I have a PDC+LDAP as well as a BDC+LDAP in another subnet setup with a
 domain member in the same subnet as the BDC. From my understanding the
 domain member should be hitting the BDC for all authentication but
 watching the logs I see the PDC is the one handling it all. The BDC
 just sits there. Am I missing something?

 Here are the smb.conf for each servers:

 PDC:
 [global]
        workgroup = X.X.X
        netbios name = Ross
        server string = PDC %v
        map to guest = Bad User
        encrypt passwords = yes
        passdb backend = ldapsam:ldap://ldap1.x.x.x
        enable privileges = yes
        log level = 2
        syslog = 0
        time server = Yes
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=32768
 SO_SNDBUF=32768
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel %u
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-group-del '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
        logon path = \\%L\profiles\%U
        logon script = netlogin.bat
 #        logon drive = M:
 #        logon home = \\cajal.x.x.x\%U
        domain logons = Yes
        os level = 225
        domain master = Yes
        local master = Yes
        wins support = Yes
 #       remote announce = x.x.x.255/X.X.X #bishop subnet
        ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=machines
        ldap passwd sync = Yes
        ldap suffix = dc=x,dc=x,dc=x
        ldap ssl = start tls
        ldap user suffix = ou=people
        create mask = 0640
        directory mask = 0750
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        interfaces = eth0 lo
        bind interfaces only = yes
        hosts deny = ALL
        hosts allow = xxx.xxx.0.0/255.255.0.0

 BDC:
 [Global]
  workgroup = X.X.X
  netbios name = BISHOP
  server string = BDC %v
  interfaces = eth0 lo
  bind interfaces only = yes
  hosts deny = ALL
  hosts allow = xxx.xxx.0.0/255.255.0.0
  passdb backend = ldapsam:ldap://ldap2.x.x.x
  domain master = no
  domain logons = yes
  ldap suffix = dc=x,dc=x,dc=x
  ldap user suffix = ou=people
  ldap group suffix = ou=group
  ldap machine suffix = ou=machines
  ldap admin dn = cn=manager,dc=x,dc=x,dc=x
  encrypt passwords = yes
  enable privileges = yes
  log level = 3
  syslog = 0
  domain master = no
  wins server = ross.x.x.x
  wins proxy = yes
  remote announce = xxx.xxx.xxx.255/X.X.X #Ross subnet
  remote browse sync = xxx.xxx.xxx.xxx #ross ip
  ntlm auth = yes
  lanman auth = yes
  ldap ssl = start tls
  local master = yes
  os level = 65
  preferred master = yes

 Domain Member:
 [Global]
  workgroup = X.X.X
  server string = CAJAL %v
  security = domain
  password server = *
  lanman auth = Yes
  encrypt passwords = yes
  enable privileges = yes
  loglevel = 2
  syslog = 0
  deadtime = 5
  os level = 8
  local master = No
  domain master = No
  remote announce = xxx.xxx.xxx.255/X.X.XXX
  interfaces = ce0 lo0
  bind interfaces only = yes
  hosts allow = xxx.xxx.0.0/255.255.0.0
  hosts deny = ALL

 --
 Personally, I liked the university. They gave us money and facilities,
 we didn't have to produce anything! You've never been out of college!
 You don't know what it's like out there! I've worked in the private
 sector. They expect results. -Ray Ghostbusters




-- 
Personally, I liked the university. They gave us money and facilities,
we didn't have to produce anything! You've never been out of college!
You don't know what it's like out there! I've worked in the private
sector. They expect results. -Ray Ghostbusters


[Samba] Re: (FIXED) editposix: winbind -u: Error looking up domain users

2009-07-09 Thread Norberto Bensa
On Wed, Jul 8, 2009 at 3:48 PM, Norberto Bensa <nbe...@gmail.com> wrote:
 http://wiki.samba.org/index.php/Ldapsam_Editposix


 Everything works. I can add users, list users, delete users (and
 groups) with net rpc user... I can join clients, etc.

 *But* wbinfo -u  and -g gives:

 zool...@kvm-test-samba1:~$ wbinfo -u
 Error looking up domain users
 zool...@kvm-test-samba1:~$ wbinfo -g
 BUILTIN\administrators
 BUILTIN\users

Well guys. I missed one _small_ detail. This VM was running hardy
(samba 3.0.28a)

After upgrading it to intrepid (samba 3.2.3) wbinfo works:

zool...@kvm-test-samba1:~$ wbinfo -t
checking the trust secret via RPC calls succeeded
zool...@kvm-test-samba1:~$ wbinfo -m
BUILTIN
PRUEBA
zool...@kvm-test-samba1:~$ wbinfo -u
nobody
nbensa
marisa
diego
zool...@kvm-test-samba1:~$ wbinfo -g
BUILTIN\administrators
BUILTIN\users
domain users
domain admins
domain guests


Thanks Dale for your time!


HTH someone,
Norberto


[Samba] winbindd and group cache

2009-07-09 Thread Alexander Födisch

Hi,

Sometimes I do not see the changes of domain group memberships with getent 
group until I restart winbindd.
Is there a possibility to flush the cache? In smb.conf we set up winbind cache time 
= 60.

Winbindd-Version:
Version 3.0.28-0.5-1657-SUSE-CODE10


Thanks



[Samba] Quick question on joining a Win2k3 domain

2009-07-09 Thread Kurt Buff
All,

New to the list, but have used samba off and on over the years, though
not recently.

I just installed 3.3.3 on a FreeBSD 7.1 box, and joined it to our Win2k3 domain.

It seems to work just fine, though initially I got an error.

I did:

it-kbuff-fbsd# kinit _serv...@mycomany.com

Then

it-kbuff-fbsd# net ads join -U _service -S zad3.mycompany.com
createcomputer=MyCompanyUS/Computers/Workstations
Using short domain name -- MYCOMPANY
Joined 'IT-KBUFF-FBSD' to realm 'mycompany.com'
[2009/07/08 19:41:37,  0] libads/kerberos.c:ads_kinit_password(362)
  kerberos_kinit_password it-kbuff-fb...@mycompany.com failed: Client
not found in Kerberos database

In spite of the error message, it seems to work, as there is an entry
in ADUC and after I've defined a share or two I can do a 'net view' of
the box and a directory listing against the shares from an XP machine.

I've also updated to 3.3.6, though, just in case.

Is the error message benign, or should I be researching further?

I didn't find much that seemed relevant after some googling with the
error message as a search term for about an hour yesterday.

Kurt


[Samba] Active Directory Integration Problems

2009-07-09 Thread David Armstrong
Hello everyone,

 

I have set up Samba 3.0.28a on an Ubuntu 8.04 server.  The setup that I
am working with is an exact copy (as far as I can tell) of an identical
installation that I did on a test box.  Kerberos is set up and working
properly.  I can use kinit to issue tickets.  The box has been
successfully joined to the Active Directory domain.  I can enumerate AD
users and groups.  I can log into the Linux box with accounts from AD.
When browsing to the server over the network using the UNC, I can
connect to the server just fine.

 

The problem comes in when I try to connect to the share (\\server
name\share name).  When attempting to connect to the share I am
prompted for authentication credentials.  Neither valid AD credentials,
nor valid credentials for accounts on the local box work.  I have set
the directory world readable/writeable (chmod 777).

 

I'm not sure what to do to further troubleshoot the issue.  The exact
same configuration works fine on another box.  I have included my
smb.conf file here for reference.  Thanks in advance for any help and
insights.

 

[global]

security = ads

realm = censored, ALL IN CAPS)

password server = censored, FQDN to domain controller

workgroup = 2CP

winbind separator = '\'

winbind refresh tickets = yes

idmap uid = 1-2

idmap gid = 1-2

winbind enum users = yes

winbind enum groups = yes

template homedir = /home/%D/%U

template shell = /bin/bash

client use spnego = yes

client ntlmv2 auth = yes

encrypt passwords = yes

winbind use default domain = yes

restrict anonymous = 2

 

[test]

path = /home/2CP/darmstrong

valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin

write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin

read list =

 

 

 

David Armstrong

Database Administrator

MOCA  THE MUSEUM OF CONTEMPORARY ART

 



Re: [Samba] bash change from r...@myserver to administra...@myserver

2009-07-09 Thread Norberto Bensa
On Thu, Jul 9, 2009 at 4:18 AM, supha...@gmx.comsupha...@gmx.com wrote:
 Thank you for the clarification .
 Does it help if I add ROOT in a group of invalid user ?


I don't know. I never tried.

Why don't you just modify the uid for Administrator?


[Samba] Problem building 3.4.0 from source

2009-07-09 Thread David Armstrong
I am attempting to build 3.4.0 from source on my Ubuntu 8.04 box.  I
have gcc installed.  When I run ./configure it returns C compiler
cannot create executables.

I have been looking through the config.log file and I think I found the
error message.

configure:3304: gcc    conftest.c  >&5
/usr/bin/ld: crt1.o: No such file: No such file or directory
collect2: ld returned 1 exit status
configure:3307: $? = 1
configure:3345: result:
configure: failed program was:
| /* confdefs.h.  */
| #define PACKAGE_NAME Samba
| #define PACKAGE_TARNAME samba
| #define PACKAGE_VERSION 3
| #define PACKAGE_STRING Samba 3
| #define PACKAGE_BUGREPORT samba-techni...@samba.org
| #define CONFIG_H_IS_FROM_SAMBA 1
| /* end confdefs.h.  */
|

I checked and there is an ld file in /usr/bin.  It is about 430k in
size.

David Armstrong
Database Administrator
MOCA  THE MUSEUM OF CONTEMPORARY ART

 



Re: [Samba] Problem building 3.4.0 from source

2009-07-09 Thread David M Noriega
I've never seen this but the problem is that ld cannot find crt1.
Doing some searching it seems it's part of the libc library. So for
some reason ld cannot find it. I'd say find where crt1 is located on
the system and make sure the path is right in ld.so.conf.

And just to be sure, install libc-devel

On Thu, Jul 9, 2009 at 2:42 PM, David Armstrong <darmstr...@moca.org> wrote:
 I am attempting to build 3.4.0 from source on my Ubuntu 8.04 box.  I
 have gcc installed.  When I run ./configure it returns C compiler
 cannot create executables.

 I have been looking through the config.log file and I think I found the
 error message.

 configure:3304: gcc    conftest.c  >&5
 /usr/bin/ld: crt1.o: No such file: No such file or directory
 collect2: ld returned 1 exit status
 configure:3307: $? = 1
 configure:3345: result:
 configure: failed program was:
 | /* confdefs.h.  */
 | #define PACKAGE_NAME Samba
 | #define PACKAGE_TARNAME samba
 | #define PACKAGE_VERSION 3
 | #define PACKAGE_STRING Samba 3
 | #define PACKAGE_BUGREPORT samba-techni...@samba.org
 | #define CONFIG_H_IS_FROM_SAMBA 1
 | /* end confdefs.h.  */
 |

 I checked and there is an ld file in /usr/bin.  It is about 430k in
 size.

 David Armstrong
 Database Administrator
 MOCA  THE MUSEUM OF CONTEMPORARY ART




-- 
Personally, I liked the university. They gave us money and facilities,
we didn't have to produce anything! You've never been out of college!
You don't know what it's like out there! I've worked in the private
sector. They expect results. -Ray Ghostbusters


Re: [Samba] Active Directory Integration Problems

2009-07-09 Thread gregorcy

[test]
path = /home/2CP/darmstrong
valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
read list =

Try setting up your share like this, I am not sure that you need the quotes
except for groups with spaces in them.

[faculty]
comment = CHE Faculty Share
path= /home/CHE-shares/faculty
browseable  = yes
read only   = yes
inherit permissions = yes
write list  = @CHEMENG+Domain Admins, @CHEMENG+Faculty
valid users = @CHEMENG+Domain Admins, @CHEMENG+Faculty
admin users = @CHEMENG+Domain Admins

--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
801.585.7170


[Samba] Classic confusion over new IDMAP params

2009-07-09 Thread Theodore Jencks

Hello fellow Samba Users and Developers ...

Recently I have been struggling to clearly understand the current 
documentation for IDMAP.  There seems to be the old way of doing things 
and the new way of doing things...and the documentation is not very 
clear as to which way is appropriate for which release of Samba.  At 
least not clear to those of us who don't read source code ;-)


I am attempting to setup a member server, i.e. join my samba system to 
an Active Directory domain.  I am using the latest Samba 3.4.0 and have 
read what documentation I could find.  Having browsed through the posts 
to this list as well I thought it was time to ask a few questions, and 
would really appreciate if someone could either point me to a post which 
has already discussed this topic or  answer my question directly.


Let me summarize my environment and what I'm trying to accomplish:

I work for a networking company  and we have a pretty good size AD 
infrastructure with around 8000 users and who knows how many groups.  I 
am attempting to setup a member server for my domain as mentioned and 
I'd like to keep ID mapping consistent on my system ( CentOS 5.3 64bit ) 
with the rest of the Company.  I'm not sure how my IT department 
maintains the mapping of SID to UID however I do know that they do have 
UID data setup in Active Directory.  I am not able to use the idmap_ad 
backend as the structure I saw in AD didn't look like we are using SFU.


This being the case I decided to use idmap_ldap as my idmap backend.  My 
idea is that I will create some initial mappings and then write a script 
to sync the IDs allocated by Samba with the IDs that are actually in 
AD.  Seems a little funky but the best thing I could think of.


Here is my current config:

#=== Global Settings ===

[global]

workgroup = JNPR
server string = FT-NM Team File Server
security = ads
load printers = no
log file = /var/log/samba/machines/%m.log
max log size = 50
encrypt passwords = yes
realm = jnpr.net
passdb backend = tdbsam
interfaces = 10.85.34.254/24
wins support = no
wins server = 172.24.36.10
dns proxy = no
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
socket options = TCP_NODELAY
syslog = 1

# Winbindd, idmap and ldap settings

winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 6000
winbind separator = :
allow trusted domains = no
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/zsh

ldap connection timeout = 2
ldap debug level = 0
ldap debug threshold = 10
ldap delete dn = no

idmap uid = 1000-20
idmap gid = 1000-20

idmap backend = ldap
idmap config JNPR: default = yes
idmap config JNPR: backend = ldap
idmap config JNPR: ldap_url = ldap://localhost
idmap config JNPR: ldap_user_dn = cn=smbd,ou=samba,dc=jtac-west,dc=jnpr,dc=net
idmap config JNPR: ldap_base_dn = ou=maps,ou=samba,dc=jtac-west,dc=jnpr,dc=net


idmap alloc backend = ldap
idmap alloc config: ldap_url = ldap://localhost
idmap alloc config: ldap_anon = no
idmap alloc config: ldap_user_dn = cn=smbd,ou=samba,dc=jtac-west,dc=jnpr,dc=net
idmap alloc config: ldap_base_dn = ou=maps,ou=samba,dc=jtac-west,dc=jnpr,dc=net

idmap alloc config: range = 10-20

I've been able to get Winbind working and wbinfo is reporting what it's 
supposed to be.  However I don't think I've understood how to properly 
configure the new idmap subsystem.  I am seeing this in the 
winbindd-idmap log:


[2009/07/09 12:55:55,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
  idmap_alloc module tdb already registered!
[2009/07/09 12:55:55,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module passdb already registered!
[2009/07/09 12:55:55,  0] winbindd/idmap.c:149(smb_register_idmap)
  Idmap module nss already registered!
[2009/07/09 12:55:55,  1] winbindd/idmap_ldap.c:847(idmap_ldap_db_init)
  ERROR: missing idmap ldap url
[2009/07/09 12:55:55,  1] winbindd/idmap.c:321(idmap_init_domain)
  idmap initialization returned NT_STATUS_UNSUCCESSFUL


You may wonder why I don't just use the old style of config as I only 
have one domain.  I've decided to do this so that if I need to support a 
trusted domain I can without a substantial reconfiguration.


Any ideas and comments to help steer me down the right path are greatly 
appreciated.


Best Regards,
Theo






[Samba] Simple group question...

2009-07-09 Thread steve
New to this windows domain stuff, sorry ( at my age learning new stuff
can take a while ). 

I've set up a domain and joined a couple of XP workstations to it and
all is fine. What I want to do now is to ensure that the users of these
PCs still have administrative rights on their PC's. 

Can anyone show me the basics / point me to a good guide on how to do
this???

TIA,

Steve

-- 
Steve Holdoway st...@greengecko.co.nz
http://www.greengecko.co.nz
MSN: st...@greengecko.co.nz
GPG Fingerprint = B337 828D 03E1 4F11 CB90  853C C8AB AF04 EF68 52E0



Re: [Samba] Simple group question...

2009-07-09 Thread Jonathon Doran

Quoting steve st...@greengecko.co.nz:


New to this windows domain stuff, sorry ( at my age learning new stuff
can take a while ).

I've set up a domain and joined a couple of XP workstations to is and
all is fine. What I want to do now is to ensure that the users of these
PCs still have administrative rights on their PC's.

Can anyone show me the basics / point me to a good guide on how to do
this???


What I did was to create a new group Desktop Administrators, and add  
that group to the local administrator group on each of my machines.  I  
keep a master image for a lab machine and update it periodically, then  
copy it to the other machines.  So an update to the local settings  
doesn't require running around to all machines.


Since we use LDAP to manage user/groups, adding/removing people from  
this new group is trivial.


I'm pretty new to all of this, so I'll be interested in hearing of any  
better solutions.  But this one seems to work well.



Re: [Samba] login.bat has error?

2009-07-09 Thread Mohsen Pahlevanzadeh
When I run net rpc join mylove -U root I see the following log
in /var/log/samba/log.mylove :
[2009/07/10 02:54:12,  0]
passdb/pdb_interface.c:pdb_default_create_user(336)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
mylove$' gave 9

When I saw it, I wanted to add it by hand, but I saw it was added
already.
Yes, I run nscd. I even stop nscd but I didn't see anything.
I already configured nsswitch.conf for ldap :
nsswitch.conf
bsswd: files ldap
group:  files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 ldap
//

I even run nmbd & smbd as non-daemon.
Yours,
Mohsen


On Thu, 2009-07-09 at 11:14 -0400, John Drescher wrote:
 On Thu, Jul 9, 2009 at 10:51 AM, Mohsen
 Pahlevanzadehmoh...@pahlevanzadeh.org wrote:
  Can i hope to solve this problem?
 
 It would help if you posted the samba log from the PDC that showed
 what happened when you tried to join the domain. Also have you setup
 your nss_switch.conf and are you running nscd?
 
 John



Re: [Samba] login.bat has error?

2009-07-09 Thread Mohsen Pahlevanzadeh
My log.nmbd:
/
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2009/07/10 03:16:29,  0] nmbd/nmbd.c:main(879)
  standard input is not a socket, assuming -D option
[2009/07/10 03:16:29,  0] nmbd/nmbd_subnetdb.c:create_subnets(206)
  create_subnets: No local IPv4 non-loopback interfaces !
[2009/07/10 03:16:29,  0] nmbd/nmbd_subnetdb.c:create_subnets(207)
  create_subnets: Waiting for an interface to appear ...
[2009/07/10 03:16:59,  0] nmbd/nmbd_logonnames.c:add_logon_names(160)
  add_domain_logon_names:
  Attempting to become logon server for workgroup MYLOVE on subnet
192.168.2.101
[2009/07/10 03:16:59,  0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(291)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup MYLOVE on
subnet 192.168.2.101
[2009/07/10 03:16:59,  0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(304)
  become_domain_master_browser_bcast: querying subnet 192.168.2.101 for
domain master browser on workgroup MYLOVE
[2009/07/10 03:17:03,  0]
nmbd/nmbd_logonnames.c:become_logon_server_success(121)
  become_logon_server_success: Samba is now a logon server for workgroup
MYLOVE on subnet 192.168.2.101
[2009/07/10 03:17:07,  0]
nmbd/nmbd_become_dmb.c:become_domain_master_stage2(110)
  *
  
  Samba server MYLOVE is now a domain master browser for workgroup
MYLOVE on subnet 192.168.2.101
  
  *
[2009/07/10 03:17:22,  0]
nmbd/nmbd_become_lmb.c:become_local_master_stage2(395)
  *
  
  Samba name server MYLOVE is now a local master browser for workgroup
MYLOVE on subnet 192.168.2.101
  
  *
///
Mylove is my netbios name & my workgroup name.

On Thu, 2009-07-09 at 20:07 -0300, Norberto Bensa wrote:
 On Thu, Jul 9, 2009 at 8:31 AM, Mohsen
 Pahlevanzadehmoh...@pahlevanzadeh.org wrote:
  Even i invoke :smbldap-useradd -w mylove
 
 Does this one succeed or doesn't?
 
  then i run net rpc join mylove -u root
 
 Why are you doing this? Who is mylove?



Re: [Samba] VFS recycle force user

2009-07-09 Thread Jeremy Allison
On Tue, Jul 07, 2009 at 03:47:31PM +0200, dese...@linuxbox.cz wrote:

 i have problem with share with parametr force user
 
 Here i my settings of VFS modul recycle
 
 vfs object = recycle
 recycle:repository = .recycle/%u
 recycle:maxsize = 5000
 recycle:exclude = *.tmp *.temp *.o *.obj ~$*
 recycle:exclude_dir = sdileni/*/profile* tmp temp cache
 recycle:versions = yes
 recycle:touch = yes
 recycle:keeptree = yes
 
 and this is my share
 
 [my_share]
 path = /home/sdileni/instalace
 comment = software, instalace
 force group = smbgroup
 force user = smbuser
 public = yes
 
 
 If i delete some file from this share, then samba make
 directory .recycle/smbuser. But in older version (for example Samba 3.3.0)
 samba maked directory .recycle/real_user - and this i need! It's possible?
 I must have something new in configuration or is this new behavior of
 samba?

I think this is a side effect of the change that went
into 3.4.0pre1. From the changelog :

Changes since 3.4.0pre1
---

o   Jeremy Allison
* BUG 6291: Fix 'force user'.

The recycle code uses a substitution of conn->server_info->unix_name
for the %u parameter, and this is not (correctly) set to the
forced username on connect (which is required for force user
to work correctly).

The real user name is lost after authentication, which is what
you've asked for. The previous (3.3.0) behavior was probably a
side effect of force user not being correct in that release.

I think in the latest Samba 3.3.6 it would behave the same.

Jeremy.


RE: [Samba] Active Directory Integration Problems

2009-07-09 Thread David Armstrong
Thanks for the replies.  I have modified the share portion of my
smb.conf file as shown below.  Still no luck.

[test]
path = /home/2CP/darmstrong
browseable = yes
read only = yes
inherit permissions = yes
valid users = 2CP\darmstrong,buexec,test,itadmin
write list = 2CP\darmstrong,buexec,test,itadmin
read list =


When modifying file permissions for shares on Windows servers, I have to
log out and log back on again before the workstation recognizes them.
Does the same go for Samba shares?

-Original Message-
From: Gary Greene [mailto:ggre...@minervanetworks.com] 
Sent: Thursday, July 09, 2009 2:38 PM
To: gregorcy; David Armstrong
Cc: samba@lists.samba.org
Subject: Re: [Samba] Active Directory Integration Problems

On 7/9/09 2:20 PM, gregorcy brian.grego...@utah.edu wrote:
 [test]
 
 path = /home/2CP/darmstrong
 
 valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
 
 write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
 
 read list =
 
  
 
 
 
 Try setting up your share like this, I am not sure that you need the
quotes
 except of groups with spaces in them.
 
 
 [faculty]
 comment = CHE Faculty Share
 path= /home/CHE-shares/faculty
 browseable  = yes
 read only   = yes
 inherit permissions = yes
 write list  = @CHEMENG+Domain Admins,
 @CHEMENG+Faculty
 valid users = @CHEMENG+Domain Admins,
 @CHEMENG+Faculty
 admin users = @CHEMENG+Domain Admins
 
 

The domain portion of the user isn't needed if you have 'winbind use default
domain = true' in your config. The quotes are however required since Samba
and the NSS stack on Linux cannot (or at least not from my experience)
handle escapes.

-- 
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell:  (650) 704-6633
Phone: (408) 240-1239



Re: [Samba] login.bat has error?

2009-07-09 Thread Norberto Bensa
Forwarding this one to the list:

On Thu, Jul 9, 2009 at 8:16 PM, Mohsen
Pahlevanzadehmoh...@pahlevanzadeh.org wrote:
 Mylove is my netbios name  my workgroup name.

Oh... That's a violation of the smb protocol :-)

Your netbios name can't be your workgroup/domain name.

Try that on Windows if you don't believe me.


Re: [Samba] login.bat has error?

2009-07-09 Thread John Drescher
On Thu, Jul 9, 2009 at 7:38 PM, Norberto Bensanbe...@gmail.com wrote:
 Forwarding this one to the list:

 On Thu, Jul 9, 2009 at 8:16 PM, Mohsen
 Pahlevanzadehmoh...@pahlevanzadeh.org wrote:
 Mylove is my netbios name  my workgroup name.

 Oh... That's a violation of the smb protocol :-)

 Your netbios name can't be your workgroup/domain name.

 Try that on Windows if you don't believe me.

It also can not be the name of a user or group or anything else in smb

John


Re: [Samba] Simple group question...

2009-07-09 Thread supha...@gmx.com
Hi,
This works for me, you can try.

After joining the computer to the domain, log on to Windows XP with the local
administrator account and go to control panel - addusers (select
account from your domain) - Grant access level to your domain account
as Administrator.

Or you can use net command to do this.

Open a cmd shell, then execute:

C:\> net localgroup administrators /add MYDOMAIN\tom

Regards,
Tom

samba-bounces+hypermonk=hotmail@lists.samba.org on behalf of steve
wrote:
 New to this windows domain stuff, sorry ( at my age learning new stuff
 can take a while ). 
  
 I've set up a domain and joined a couple of XP workstations to is and
 all is fine. What I want to do now is to ensure that the users of these   
  
 PCs still have administrative rights on their PC's. 
  
 Can anyone show me the basics / point me to a good guide on how to do
 this???
  
 TIA,
  
 Steve
  
 -- 
 Steve Holdoway st...@greengecko.co.nz
 http://www.greengecko.co.nz http://www.greengecko.co.nz/
 MSN: st...@greengecko.co.nz
 GPG Fingerprint = B337 828D 03E1 4F11 CB90  853C C8AB AF04 EF68 52E0
   



Re: [Samba] Simple group question...

2009-07-09 Thread Norberto Bensa
On Fri, Jul 10, 2009 at 2:18 AM, supha...@gmx.comsupha...@gmx.com wrote:
 Hi,
 This works for me ,you can try.

 After join computer to domain  then log on to Windows Xp with local
 administrator account and go to control panel - addusers (select
 account from your domain) - Grant access level to your domain account
 as Administrator.


That's the admin nightmare :-)

If you have 500 computers to admin, how do you remove Tom's admin rights?

The best way is:

- Create a new domain group.
- Add users to new domain group.
- Add this new domain group to the local administrators group on each machine.

Now, every user in new domain group will have admin rights in the computers.

If for some reason you think John Doe does not need admin rights
anymore, you just remove him from the new domain group


Re: [Samba] Simple group question...

2009-07-09 Thread Regis Niggemann
Of course the problem with this method is you are granting that group admin
rights to all those computers.  If a single account in that group with those
rights becomes infected with some malware, it is possible for that malware
to infect ALL the computers.

Just saying...

 
 If you have 500 computers to admin, how do you remove Tom's admin rights?
 
 The best way is:
 
 - Create a new domain group.
 - Add users to new domain group.
 - Add this new domain group to the local administrators group on each machine.
 
 Now, every user in new domain group will have admin rights in the computers.
 
 If for some reason you think John Doe does not need admin rights
 anymore, you just remove him from the new domain group



[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha8-289-gc624a70

2009-07-09 Thread Volker Lendecke
The branch, master has been updated
   via  c624a704be96488f0aee27930cbd4c8d99df464b (commit)
  from  2481ce89427ef38b47fb29d16c15b77e9d2c20b9 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit c624a704be96488f0aee27930cbd4c8d99df464b
Author: Volker Lendecke v...@samba.org
Date:   Thu Jul 9 22:03:52 2009 +0200

Make escape_ldap_string take a talloc context

---

Summary of changes:
 source3/include/proto.h |2 +-
 source3/lib/ldap_escape.c   |   25 -
 source3/lib/smbldap_util.c  |   12 +-
 source3/libads/ldap_user.c  |6 ++--
 source3/passdb/pdb_ldap.c   |   45 +++
 source3/utils/net_ads.c |   10 
 source3/winbindd/winbindd_ads.c |6 ++--
 7 files changed, 54 insertions(+), 52 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index f887b4e..c0f4dc1 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -554,7 +554,7 @@ void init_ldap_debugging(void);
 
 /* The following definitions come from lib/ldap_escape.c  */
 
-char *escape_ldap_string_alloc(const char *s);
+char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s);
 char *escape_rdn_val_string_alloc(const char *s);
 
 /* The following definitions come from lib/module.c  */
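Review bot: escape_rdn_val_string_alloc() directly below keeps its old signature with no TALLOC_CTX, so after this change two adjacent escaping helpers from lib/ldap_escape.c have different ownership rules. Either convert it in the same series or add a comment to each prototype saying which result the caller releases with SAFE_FREE() and which with TALLOC_FREE().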
diff --git a/source3/lib/ldap_escape.c b/source3/lib/ldap_escape.c
index d101bc5..a731cb9 100644
--- a/source3/lib/ldap_escape.c
+++ b/source3/lib/ldap_escape.c
@@ -32,10 +32,10 @@
  * and to be free()ed by the caller.
  **/
 
-char *escape_ldap_string_alloc(const char *s)
+char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s)
 {
size_t len = strlen(s)+1;
-   char *output = (char *)SMB_MALLOC(len);
+   char *output = talloc_array(mem_ctx, char, len);
const char *sub;
int i = 0;
char *p = output;
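Review bot: the comment kept as context above escape_ldap_string() still says the result is "to be free()ed by the caller", which no longer holds once the buffer comes from talloc_array(). Update it to say the string is allocated on mem_ctx and released with TALLOC_FREE() or together with that context, since passing a talloc pointer to free() is undefined behaviour.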
@@ -43,7 +43,7 @@ char *escape_ldap_string_alloc(const char *s)
if (output == NULL) {
return NULL;
}
-   
+
while (*s)
{
switch (*s)
@@ -64,14 +64,17 @@ char *escape_ldap_string_alloc(const char *s)
sub = NULL;
break;
}
-   
+
if (sub) {
+   char *tmp;
len = len + 3;
-   output = (char *)SMB_REALLOC(output, len);
-   if (!output) { 
+   tmp = talloc_realloc(mem_ctx, output, char, len);
+   if (tmp == NULL) {
+   TALLOC_FREE(output);
return NULL;
}
-   
+   output = tmp;
+
p = output[i];
strncpy (p, sub, 3);
p += 3;
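Review bot: the buffer is still grown by talloc_realloc() once per escaped character inside the while loop, three bytes at a time. The new tmp handling on failure is right, but a first pass over s that counts the characters needing an escape would let talloc_array() size the output once and take the reallocation and its error path out of the loop.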
@@ -84,7 +87,7 @@ char *escape_ldap_string_alloc(const char *s)
}
s++;
}
-   
+
*p = '\0';
return output;
 }
@@ -101,7 +104,7 @@ char *escape_rdn_val_string_alloc(const char *s)
}
 
p = output;
-   
+
while (*s)
{
switch (*s)
@@ -122,10 +125,10 @@ char *escape_rdn_val_string_alloc(const char *s)
*p = *s;
p++;
}
-   
+
s++;
}
-   
+
*p = '\0';
 
/* resize the string to the actual final size */
diff --git a/source3/lib/smbldap_util.c b/source3/lib/smbldap_util.c
index 66aef6b..478a3d2 100644
--- a/source3/lib/smbldap_util.c
+++ b/source3/lib/smbldap_util.c
@@ -126,7 +126,7 @@ static NTSTATUS add_new_domain_info(struct smbldap_state 
*ldap_state,
char *escape_domain_name;
 
/* escape for filter */
-   escape_domain_name = escape_ldap_string_alloc(domain_name);
+   escape_domain_name = escape_ldap_string(talloc_tos(), domain_name);
if (!escape_domain_name) {
DEBUG(0, (Out of memory!\n));
return NT_STATUS_NO_MEMORY;
@@ -135,11 +135,11 @@ static NTSTATUS add_new_domain_info(struct smbldap_state 
*ldap_state,
if (asprintf(filter, ((%s=%s)(objectclass=%s)),
get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN),
escape_domain_name, LDAP_OBJ_DOMINFO)  0) {
-   SAFE_FREE(escape_domain_name);
+   TALLOC_FREE(escape_domain_name);
return NT_STATUS_NO_MEMORY;
}
 
-   SAFE_FREE(escape_domain_name);
+   TALLOC_FREE(escape_domain_name);
 
attr_list = get_attr_list(NULL, dominfo_attr_list );
rc = smbldap_search_suffix(ldap_state, filter, attr_list, result);
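Review bot: in add_new_domain_info() the escaped name is now a talloc allocation while filter still comes from asprintf(), so the function mixes two allocators and each pointer needs its own matching free. Building the filter with talloc_asprintf() on the same context would remove the asymmetry; if that is out of scope here, check that every later exit path still releases filter with SAFE_FREE() and never hands it to TALLOC_FREE().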
@@ -258,7 +258,7 @@ NTSTATUS 

[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha8-290-gf1fad2e

2009-07-09 Thread Tim Prouty
The branch, master has been updated
   via  f1fad2efe4daf95ad77db6251ad5d77fb9ef755c (commit)
  from  c624a704be96488f0aee27930cbd4c8d99df464b (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f1fad2efe4daf95ad77db6251ad5d77fb9ef755c
Author: Tim Prouty tpro...@samba.org
Date:   Thu Jul 9 15:56:36 2009 -0700

s3: Fix two arguments that broke when plumbing smb_filneame through 
dos_mode()

---

Summary of changes:
 source3/smbd/dosmode.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/dosmode.c b/source3/smbd/dosmode.c
index ca926aa..d3df80a 100644
--- a/source3/smbd/dosmode.c
+++ b/source3/smbd/dosmode.c
@@ -448,8 +448,8 @@ static bool get_stat_dos_flags(connection_struct *conn,
if (S_ISDIR(smb_fname-st.st_ex_mode))
*dosmode |= aDIR;
 
-   *dosmode |= set_sparse_flag(smb_fname-st);
-   *dosmode |= set_link_read_only_flag(smb_fname-st);
+   *dosmode |= set_sparse_flag(smb_fname-st);
+   *dosmode |= set_link_read_only_flag(smb_fname-st);
 
return true;
 }
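Review bot: the commit message does not say what was wrong with the arguments passed to set_sparse_flag() and set_link_read_only_flag() in get_stat_dos_flags(), and in this archived copy the removed and added lines read the same, so the fix cannot be checked from the mail alone. State the before and after form of the argument in the message so the change can be reviewed without the full tree.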


-- 
Samba Shared Repository


Build status as of Fri Jul 10 00:00:02 2009

2009-07-09 Thread build
URL: http://build.samba.org/

--- /home/build/master/cache/broken_results.txt.old 2009-07-09 
00:00:31.0 +
+++ /home/build/master/cache/broken_results.txt 2009-07-10 00:00:29.0 
+
@@ -1,22 +1,22 @@
-Build status as of Thu Jul  9 00:00:02 2009
+Build status as of Fri Jul 10 00:00:02 2009
 
 Build counts:
 Tree Total  Broken Panic 
 build_farm   0  0  0 
-ccache   25 3  0 
+ccache   33 7  0 
 distcc   0  0  0 
-ldb  25 25 0 
-libreplace   23 11 0 
+ldb  33 33 0 
+libreplace   32 13 0 
 lorikeet 0  0  0 
-pidl 20 2  0 
-ppp  10 0  0 
-rsync25 8  0 
+pidl 23 2  0 
+ppp  14 0  0 
+rsync33 11 0 
 samba-docs   0  0  0 
 samba-web0  0  0 
-samba_3_current 23 13 0 
-samba_3_master 24 19 2 
-samba_3_next 24 22 1 
-samba_4_0_test 23 22 11
-talloc   25 25 0 
-tdb  23 23 0 
+samba_3_current 31 17 0 
+samba_3_master 32 27 3 
+samba_3_next 32 29 1 
+samba_4_0_test 32 29 13
+talloc   33 33 0 
+tdb  31 31 0 
 


[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha8-291-g8d1b061

2009-07-09 Thread Jeff Layton
The branch, master has been updated
   via  8d1b061b517176e172151e6814083aa7a7051d56 (commit)
  from  f1fad2efe4daf95ad77db6251ad5d77fb9ef755c (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8d1b061b517176e172151e6814083aa7a7051d56
Author: Jeff Layton jlay...@redhat.com
Date:   Thu Jul 9 21:04:08 2009 -0400

cifs.upcall: use pid value from kernel to determine KRB5CCNAME to use

If the kernel sends the upcall a pid of the requesting process, we can
open that process' /proc/pid/environ file and scrape the KRB5CCNAME
value out of it.

Signed-off-by: Jeff Layton jlay...@redhat.com

---

Summary of changes:
 client/cifs.upcall.c |   87 +++---
 1 files changed, 75 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/client/cifs.upcall.c b/client/cifs.upcall.c
index 4110de3..e592a4f 100644
--- a/client/cifs.upcall.c
+++ b/client/cifs.upcall.c
@@ -1,6 +1,7 @@
 /*
 * CIFS user-space helper.
 * Copyright (C) Igor Mammedov (niall...@gmail.com) 2007
+* Copyright (C) Jeff Layton (jlay...@redhat.com) 2009
 *
 * Used by /sbin/request-key for handling
 * cifs upcall for kerberos authorization of access to share and
@@ -38,6 +39,54 @@ typedef enum _secType {
 } secType_t;
 
 /*
+ * given a process ID, get the value of the KRB5CCNAME environment variable
+ * in the context of that process. On error, just return NULL.
+ */
+static char *
+get_krb5_ccname(pid_t pid)
+{
+   int fd;
+   ssize_t len, left;
+
+   /*
+* FIXME: sysconf for ARG_MAX instead? Kernel seems to be limited to a
+* page however, so it may not matter.
+*/
+   char buf[4096];
+   char *p, *value = NULL;
+   
+   buf[4095] = '\0';
+   snprintf(buf, 4095, /proc/%d/environ, pid);
+   fd = open(buf, O_RDONLY);
+   if (fd  0)
+   return NULL;
+
+   /* FIXME: don't assume that we get it all in the first read? */
+   len = read(fd, buf, 4096);
+   close(fd);
+   if (len  0)
+   return NULL;
+
+   left = len;
+   p = buf;
+
+   /* can't have valid KRB5CCNAME if there are  13 bytes left */
+   while (left  12) {
+   if (strncmp(KRB5CCNAME=, p, 11)) {
+   p += strnlen(p, left);
+   ++p;
+   left = buf + len - p;
+   continue;
+   }
+   p += 11;
+   left -= 11;
+   value = strndup(p, left);
+   break;
+   }
+   return value;
+}
+
+/*
  * Prepares AP-REQ data for mechToken and gets session key
  * Uses credentials from cache. It will not ask for password
  * you should receive credentials for yuor name manually using
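Review bot: get_krb5_ccname() returns whatever follows KRB5CCNAME= in the requesting process's environ, and that process controls its own environment, so the returned string should be treated as untrusted input before it is used as a credential cache name. A check here or in the caller would make that explicit, for example that the named cache belongs to the uid already parsed from the key description. Separately, the single read(fd, buf, 4096) means a variable lying past the first 4096 bytes is silently missed, and one that straddles that boundary is returned truncated by strndup(p, left) rather than rejected. The second FIXME could be resolved by looping on read(), or by returning NULL when no terminating NUL is found within left.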
@@ -58,15 +107,15 @@ typedef enum _secType {
  * ret: 0 - success, others - failure
 */
 static int
-handle_krb5_mech(const char *oid, const char *principal,
-DATA_BLOB * secblob, DATA_BLOB * sess_key)
+handle_krb5_mech(const char *oid, const char *principal, DATA_BLOB *secblob,
+DATA_BLOB *sess_key, const char *ccname)
 {
int retval;
DATA_BLOB tkt, tkt_wrapped;
 
/* get a kerberos ticket for the service and extract the session key */
-   retval = cli_krb5_get_ticket(principal, 0,
-tkt, sess_key, 0, NULL, NULL);
+   retval = cli_krb5_get_ticket(principal, 0, tkt, sess_key, 0, ccname,
+NULL);
 
if (retval)
return retval;
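Review bot: the new ccname parameter of handle_krb5_mech() is not documented; the visible part of the comment block above the function is unchanged by this hunk. Since get_krb5_ccname() returns NULL on any error, the comment should say that NULL is an accepted value and what it means. The old call passed NULL in the same argument position of cli_krb5_get_ticket(), which suggests NULL keeps the previous behaviour, but that is worth stating rather than leaving to the reader.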
@@ -88,11 +137,12 @@ handle_krb5_mech(const char *oid, const char *principal,
 #define DKD_HAVE_IPV4  8
 #define DKD_HAVE_IPV6  16
 #define DKD_HAVE_UID   32
+#define DKD_HAVE_PID   64
 #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC)
 
 static int
-decode_key_description(const char *desc, int *ver, secType_t * sec,
-  char **hostname, uid_t * uid)
+decode_key_description(const char *desc, int *ver, secType_t *sec,
+  char **hostname, uid_t *uid, pid_t *pid)
 {
int retval = 0;
char *pos;
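Review bot: DKD_HAVE_PID is added but left out of DKD_MUSTHAVE_SET, so a key description with no pid= field is still accepted, and nothing in this hunk gives the new pid out-parameter of decode_key_description() a default. Either initialise *pid on entry to a value that cannot name a real process, or document that callers must test for DKD_HAVE_PID before passing pid on to get_krb5_ccname().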
@@ -117,6 +167,16 @@ decode_key_description(const char *desc, int *ver, 
secType_t * sec,
/* BB: do we need it if we have hostname already? */
} else if (strncmp(tkn, ipv6=, 5) == 0) {
/* BB: do we need it if we have hostname already? */
+   } else if (strncmp(tkn, pid=, 4) == 0) {
+   errno = 0;
+   *pid = strtol(tkn + 4, NULL, 0);
+   if (errno != 0) {
+   syslog(LOG_WARNING, Invalid pid format: %s,
+  strerror(errno));
+