Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Harry Jede
On Tuesday, 18 August 2009, jw wrote:
> Hello
> I am trying to create a 'dropbox' share, using the sticky bit and
> 'inherit owner'.
>
> By themselves they work, but when a directory is created in this
> share, its permissions are not quite what I need.
> Therefore, I try to use 'force directory mode' or 'inherit
> permissions'. However, whenever I do that, the owner on the
> newly-created directory is no longer correct w/regard to 'inherit
> owner'.
>
> Is this correct behavior, or a bug?
You should try posix acls. Read the man pages:
getfacl
setfacl
acl

or search this list archive. Look for "default acl".

...
> Thanks,
> John



-- 

Regards
Harry Jede
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Fwd: Not able to display domain users using wbinfo

2009-08-19 Thread Avinash Rao
Why I need winbind..
because I have a requirement to control samba users accessing the
internet through squid. I checked the squid ACLs and I can
restrict/allow samba users from accessing the internet but there are
too many users. The other option is to use "src IP Address" option in
squid, but I have a constraint here as I have other users who cannot
be restricted and are in the same subnet..

So, the only other option is to use the windows groups they belong to,
for which I need winbind!



On Wed, Aug 19, 2009 at 6:19 PM, Chris
Osicki wrote:
> On Mon, 17 Aug 2009 16:50:37 +0200
> Volker Lendecke  wrote:
>
>> On Mon, Aug 17, 2009 at 04:28:00PM +0200, Helmut Hullen wrote:
>> > Do you need "winbind"? Without any Windows server (PDC) you don't need
>> > the winbind crap.
>>
>> "winbind crap"?
>>
>> Volker
>
> Highly exaggerated.
> It's quite evolving, though. And not easy to keep up with ;-)
> See my other posting.
>
> Regards,
> Chris


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Jeremy Allison
On Wed, Aug 19, 2009 at 07:55:45PM -0700, jw wrote:
> On Wed, Aug 19, 2009 at 2:53 PM, Jeremy Allison wrote:
> >
> > Not happening on my system. The inherit owner works
> > as specified.
> >
> 
> What OS are you running?
> 
> I have tried on a second FreeBSD-7.2 system, with
> never-before-installed samba 3.2, and it does not work there either.

Ubuntu Linux 8.10 equivalent. I've been testing 3.4.0,
but I'll also try 3.2.latest tomorrow and I'll see
if it does the same.

Jeremy.


Re: [Samba] Migrating to replacement PDC

2009-08-19 Thread John H Terpstra - Samba Team
On 08/19/2009 09:41 PM, Brian H wrote:
> 
> I've been reading the SAMBA documentation at:
> http://us3.samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
> 
> But I just need some confirmation since this is our primary server, and
> I'm not fully confident about what I read.
> 
> SITUATION:
> We currently have a Samba server running as our Primary Domain
> Controller which is authenticating against a local LDAP database.  The
> hardware is failing so we need to build a replacement box.  Machine
> hostnames are based off of asset tags, so the hostnames will be
> different between the two servers.
> 
> The intention is to build the NEW server with a unique hostname and temp
> IP address, and the same smb.conf.  Then at the point of migration,
> change the IP address of the NEW server to that of the OLD server, start
> up SAMBA, and then let it take over as the PDC.
> 
> QUESTIONS:
> And from what I understand, as long as I make sure the NEW server has
> the same NETBIOS name in the /etc/samba/smb.conf file, then it should
> pull the "domain SID" from LDAP the first time it is started.

Not at all. You need to configure the new server as a BDC.  Then BEFORE
joining it to the domain, import the domain SID as follows:

net rpc getsid

Now join the domain:

net rpc join

Then you can shutdown both servers when you are ready, convert the BDC
to the PDC, convert the old PDC to a BDC, restart both servers, or just
the PDC and you will be in business.

PS: The PDC has:
domain logons = Yes
domain master = Yes

The BDC has:
domain logons = Yes
domain master = No

> Does this mean I don't need to import the "secrets.tdb" or manually set
> the SID with "net setlocalsid S-1-5-21-22-2394995923-3994118334", or
> change the hostname that of the OLD server?

No. No need to do this.

Cheers,
John T.

> MISC FACTS:
> OLD Server
> Hostname: asset01
> DNS Name(s): asset01 PDC LDAP
> NETBIOS: PDC
> IP: 172.16.1.1
> Services: SAMBA, LDAP
> 
> NEW Server (future values are in < > )
> Hostname: asset02
> DNS Name(s): asset02 
> NETBIOS: 
> IP: 172.16.1.2 <172.16.1.1>
> Services: SAMBA, LDAP
> 
> 
> Brian H
> binaryno...@gmail.com
> http://www.binarynomad.com
> 



Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread jw
On Wed, Aug 19, 2009 at 2:53 PM, Jeremy Allison wrote:
>
> Not happening on my system. The inherit owner works
> as specified.
>

What OS are you running?

I have tried on a second FreeBSD-7.2 system, with
never-before-installed samba 3.2, and it does not work there either.

-John


[Samba] Migrating to replacement PDC

2009-08-19 Thread Brian H


I've been reading the SAMBA documentation at:
http://us3.samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749

But I just need some confirmation since this is our primary server,  
and I'm not fully confident about what I read.


SITUATION:
We currently have a Samba server running as our Primary Domain  
Controller which is authenticating against a local LDAP database.  The  
hardware is failing so we need to build a replacement box.  Machine  
hostnames are based off of asset tags, so the hostnames will be  
different between the two servers.


The intention is to build the NEW server with a unique hostname and  
temp IP address, and the same smb.conf.  Then at the point of  
migration, change the IP address of the NEW server to that of the OLD  
server, start up SAMBA, and then let it take over as the PDC.


QUESTIONS:
And from what I understand, as long as I make sure the NEW server has  
the same NETBIOS name in the /etc/samba/smb.conf file, then it should  
pull the "domain SID" from LDAP the first time it is started.


Does this mean I don't need to import the "secrets.tdb" or manually  
set the SID with "net setlocalsid S-1-5-21-22-2394995923-3994118334",  
or change the hostname that of the OLD server?


MISC FACTS:
OLD Server
Hostname: asset01
DNS Name(s): asset01 PDC LDAP
NETBIOS: PDC
IP: 172.16.1.1
Services: SAMBA, LDAP

NEW Server (future values are in < > )
Hostname: asset02
DNS Name(s): asset02 
NETBIOS: 
IP: 172.16.1.2 <172.16.1.1>
Services: SAMBA, LDAP


Brian H
binaryno...@gmail.com
http://www.binarynomad.com



[Samba] Can only connect to Samba thru IP, not FQDN

2009-08-19 Thread Maxim Hansen
Hi!
I'm running FreeNAS 0.7RC1 with Samba 3.0.34. It's joined to my windows AD,
and I can see all users, and etc.

My XP clients don't have any issues connecting using either FQDN or IP,
while my vista clients suffer from the problem that if I try to connect to
the NAS by entering the following address: "\\nas01.domain.com", it keeps
asking me for username and password, no matter what combinations I try
(DOMAIN\username , usern...@domain, username, etc..).
Now if I try to connect to Samba using this address format:
"\\xxx.xxx.xxx.xxx", it successfully connects, without asking for any
username or password (it's correctly using my windows domain logon
credentials from the current account).

How might I go about fixing this weird issue? Is this a client problem
(vista), or is there some configuration on the server (smb.conf?) that I
have missed?

Huge thanks in advance!

-- Maxim


Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Michael Heydon

Avinash Rao wrote:
> Sorry if the question is a bit unclear. What I meant is the net rpc
> commands are meant to manage trusts between a samba domain and Windows
> NT domain or ADS. But in my case, I have only one samba server
> configured as a PDC.

RPC is remote procedure call, it can be used to issue various requests
to SMB servers over the network. It doesn't have to be related to
trusts, doesn't have to be windows. The group list command you used is a
perfect example.

> You mentioned about loopback, where should I check this? Also, I have
> used samba but not so much in depth. I am learning these options as
> the users in the network are increasing.

In your smb.conf, you have "interfaces" and "bind interfaces only" set.
Read up on these options in the man page.

Michael Heydon - IT Administrator
micha...@jaswin.com.au



Re: [Samba] Which version do I need for SMB2?

2009-08-19 Thread John Klimek
Darn, OK.

Last question then...

What about NFS versus SMB?  Are both about the same speed?

(By the way, I'm an MSDN subscriber so W2K8 was actually "free" for me...)

On Wed, Aug 19, 2009 at 5:32 PM, Volker
Lendecke wrote:
> On Wed, Aug 19, 2009 at 03:26:57PM -0400, John Klimek wrote:
>> I'm not sure what you mean by "try linux-cifs".  Are you suggesting I
>> create local mount points using linux-cifs as the filesystem type?
>
> You referred to it as "linux-cifs", I just followed your
> wording. I mean you should use the Linux filesystem type
> "cifs" in your fstab or use the "-t cifs" argument to the
> Linux mount command.
>
>> I'm willing to upgrade so that's not really a big issue.  I just need
>> to know which version to upgrade to (eg. Samba3 or Samba4)
>
> Samba3 or 4 won't help you at all for this, you need the
> proper kernel support.
>
>> I've heard that before as well but I've also heard/seen benchmarks
>> where SMB2 is much, much faster than SMB1.  However, like you said,
>> perhaps it's due to SMB optimizations.
>>
>> Do you suggest I stick with Samba3 v3.3.2 and just use SMB?
>>
>> I'd really prefer to use SMB2 (if possible) especially since I
>> upgraded to Windows Server 2008 almost specifically for this feature
>> but if you are telling me that Samba3 (v3.3.2) will provide me almost
>> exactly the same performance then I'll stick with that.  However, if I
>> need to optimize my configuration (versus no additional optimization
>> with Samba4?) then that's a different story.
>>
>> Thanks so much for your help!
>
> Sorry to say that, but you got caught by Microsoft marketing
> for completely non-reasons. Upgrading to Windows 2008 just
> to support Linux clients better is -- well -- not going to
> help you at all. You better read your license agreement if
> you can return the W2k8 license :-)
>
> Volker
>


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Jeremy Allison
On Wed, Aug 19, 2009 at 02:16:54PM -0700, jw wrote:
> On Wed, Aug 19, 2009 at 1:44 PM, Jeremy Allison wrote:
> >
> > Well I'm creating the directory with a logged in user
> > of "jra", who is in the "eng" group. I don't think the
> > setting of the guest account has anything to do with
> > it as I'm not logging in as guest at all.
> >
> 
> Hmm.. Well I switched to 'security = user' and created an account,
> made a new share that looks exactly like yours, made the directory
> permissions match yours (except my group name is different), and
> created the dir with smbclient and the authenticated samba user, but
> no joy.
> 
> Still the owner of the new dir is that of the creating user, not the
> parent directory.

Not happening on my system. The inherit owner works
as specified.

Jeremy.


[Samba] Stefan Immel is out of the office.

2009-08-19 Thread Stefan . Immel




I will be out of the office from 19.08.2009. I will return on
31.08.2009.

I will reply to your message after my return. In urgent
cases, please send an email to i...@stroeher.de.



Re: [Samba] Which version do I need for SMB2?

2009-08-19 Thread Volker Lendecke
On Wed, Aug 19, 2009 at 03:26:57PM -0400, John Klimek wrote:
> I'm not sure what you mean by "try linux-cifs".  Are you suggesting I
> create local mount points using linux-cifs as the filesystem type?

You referred to it as "linux-cifs", I just followed your
wording. I mean you should use the Linux filesystem type
"cifs" in your fstab or use the "-t cifs" argument to the
Linux mount command.

> I'm willing to upgrade so that's not really a big issue.  I just need
> to know which version to upgrade to (eg. Samba3 or Samba4)

Samba3 or 4 won't help you at all for this, you need the
proper kernel support.

> I've heard that before as well but I've also heard/seen benchmarks
> where SMB2 is much, much faster than SMB1.  However, like you said,
> perhaps it's due to SMB optimizations.
> 
> Do you suggest I stick with Samba3 v3.3.2 and just use SMB?
> 
> I'd really prefer to use SMB2 (if possible) especially since I
> upgraded to Windows Server 2008 almost specifically for this feature
> but if you are telling me that Samba3 (v3.3.2) will provide me almost
> exactly the same performance then I'll stick with that.  However, if I
> need to optimize my configuration (versus no additional optimization
> with Samba4?) then that's a different story.
> 
> Thanks so much for your help!

Sorry to say that, but you got caught by Microsoft marketing
for completely non-reasons. Upgrading to Windows 2008 just
to support Linux clients better is -- well -- not going to
help you at all. You better read your license agreement if
you can return the W2k8 license :-)

Volker



Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread jw
On Wed, Aug 19, 2009 at 1:44 PM, Jeremy Allison wrote:
>
> Well I'm creating the directory with a logged in user
> of "jra", who is in the "eng" group. I don't think the
> setting of the guest account has anything to do with
> it as I'm not logging in as guest at all.
>

Hmm.. Well I switched to 'security = user' and created an account,
made a new share that looks exactly like yours, made the directory
permissions match yours (except my group name is different), and
created the dir with smbclient and the authenticated samba user, but
no joy.

Still the owner of the new dir is that of the creating user, not the
parent directory.

This is starting to feel like a bug. Or some simple setting (or
default) that I am missing.
I will have wait until tonight to look at it more.

-John


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Jeremy Allison
On Wed, Aug 19, 2009 at 01:41:51PM -0700, jw wrote:
> On Wed, Aug 19, 2009 at 1:35 PM, Jeremy Allison wrote:
> > On Wed, Aug 19, 2009 at 01:29:51PM -0700, jw wrote:
> >> On Wed, Aug 19, 2009 at 11:20 AM, Jeremy Allison wrote:
> >> Would you mind showing me your full config for your working case, and
> >> the directory permissions / ownership on your share (privately, if you
> >> like) ?
> >
> > ls -ld /tmp/myshare
> >
> > drwsrwsr-t 3 nobody eng 4096 Aug 19 11:19 /tmp/myshare
> >
> > smb.conf stanza:
> >
> > [tmpperms]
> >        path = /tmp/myshare
> >        read only = no
> >        inherit owner = yes
> >        inherit permissions = yes
> >        directory mask = 07775
> >
> > I connect with smbclient and do "mkdir foo" and I get :
> >
> > ls -ld /tmp/myshare/foo/
> >
> > drwxrwsr-t 2 nobody eng 4096 Aug 19 11:19 /tmp/myshare/foo/
> 
> But by default, samba's guest account is 'nobody', right?
> So with what you have, if you create the directory with smbclient, I
> imagine you can rename it once it's created?
> I want to prevent that.
> That is why the config in my original email has
> 
>    guest account = sambaguest
> 
> Could you try on your side again with 'guest account' set to something
> other than 'nobody' ?
> Presumably an account that is still in the 'eng' group, so the group
> write permissions still allow you to create a new directory in the
> first place.

Well I'm creating the directory with a logged in user
of "jra", who is in the "eng" group. I don't think the
setting of the guest account has anything to do with
it as I'm not logging in as guest at all.

Jeremy


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread jw
On Wed, Aug 19, 2009 at 1:35 PM, Jeremy Allison wrote:
> On Wed, Aug 19, 2009 at 01:29:51PM -0700, jw wrote:
>> On Wed, Aug 19, 2009 at 11:20 AM, Jeremy Allison wrote:
>> Would you mind showing me your full config for your working case, and
>> the directory permissions / ownership on your share (privately, if you
>> like) ?
>
> ls -ld /tmp/myshare
>
> drwsrwsr-t 3 nobody eng 4096 Aug 19 11:19 /tmp/myshare
>
> smb.conf stanza:
>
> [tmpperms]
>        path = /tmp/myshare
>        read only = no
>        inherit owner = yes
>        inherit permissions = yes
>        directory mask = 07775
>
> I connect with smbclient and do "mkdir foo" and I get :
>
> ls -ld /tmp/myshare/foo/
>
> drwxrwsr-t 2 nobody eng 4096 Aug 19 11:19 /tmp/myshare/foo/

But by default, samba's guest account is 'nobody', right?
So with what you have, if you create the directory with smbclient, I
imagine you can rename it once it's created?
I want to prevent that.
That is why the config in my original email has

   guest account = sambaguest

Could you try on your side again with 'guest account' set to something
other than 'nobody' ?
Presumably an account that is still in the 'eng' group, so the group
write permissions still allow you to create a new directory in the
first place.

-John


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Jeremy Allison
On Wed, Aug 19, 2009 at 01:29:51PM -0700, jw wrote:
> On Wed, Aug 19, 2009 at 11:20 AM, Jeremy Allison wrote:
> >
> > Ok, this works with 3.4.0. You need to set:
> >
> >        inherit owner = yes
> >        inherit permissions = yes
> >        directory mask = 07775
> >
> 
> Isn't that one too many characters in the mask?

No. The sticky bit is 01000 so you need the extra 7
to make sure it isn't masked.

> The directory bits are correct (including sticky), but the owner is
> NOT inherited. It is the samba guest account, not the directory owner.

This is working here, don't know why not in your case.

> It seems strange that something like this would be so broken on an
> up-to-date 3.3.6 though..

I don't think it is.

> Would you mind showing me your full config for your working case, and
> the directory permissions / ownership on your share (privately, if you
> like) ?

ls -ld /tmp/myshare

drwsrwsr-t 3 nobody eng 4096 Aug 19 11:19 /tmp/myshare

smb.conf stanza:

[tmpperms]
        path = /tmp/myshare
        read only = no
        inherit owner = yes
        inherit permissions = yes
        directory mask = 07775

I connect with smbclient and do "mkdir foo" and I get :

ls -ld /tmp/myshare/foo/

drwxrwsr-t 2 nobody eng 4096 Aug 19 11:19 /tmp/myshare/foo/

Jeremy.
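
The mode arithmetic behind the mask discussion in this message, as an added example that is not part of the original post and is not Samba's code. It assumes a simplified model taken from the thread (setuid is never inherited, and the result is bit-wise ANDed with `directory mask`); all function names are hypothetical.

```python
import os
import stat
import tempfile

# Special mode bits discussed in the thread.
SPECIAL = {"setuid": stat.S_ISUID, "setgid": stat.S_ISGID, "sticky": stat.S_ISVTX}


def parse_ls_mode(text):
    """Convert an `ls -l` mode string such as 'drwsrwsr-t' to permission bits."""
    mode = 0
    for i, ch in enumerate(text[1:10]):
        bit = 0o400 >> i
        if i % 3 != 2:  # read and write slots
            if ch != "-":
                mode |= bit
            continue
        # Execute slot: s/t mean special bit plus execute, S/T mean special only.
        if ch in "xst":
            mode |= bit
        if ch in "sStT":
            mode |= (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[i // 3]
    return mode


def render(mode):
    """Format permission bits the way `ls -ld` shows a directory."""
    return stat.filemode(stat.S_IFDIR | mode)


def special_bits(mode):
    """Names of the special bits that are set in mode."""
    return [name for name, bit in SPECIAL.items() if mode & bit]


def new_directory_mode(parent_mode, directory_mask):
    """Simplified model (an assumption, not Samba source code).

    Start from the parent's mode, drop setuid (the SWAT text quoted in the
    thread says it is never set via inheritance), then AND with the mask.
    """
    inherited = parent_mode & ~stat.S_ISUID
    return inherited & directory_mask


def unix_mkdir_sticky_check():
    """Plain mkdir on the local filesystem: is the parent's sticky bit copied?

    Returns (parent_has_sticky, child_has_sticky).
    """
    with tempfile.TemporaryDirectory() as top:
        parent = os.path.join(top, "dropbox")  # constructed test directory
        os.mkdir(parent)
        os.chmod(parent, 0o1775)
        child = os.path.join(parent, "foo")
        os.mkdir(child, 0o775)
        return (
            bool(os.stat(parent).st_mode & stat.S_ISVTX),
            bool(os.stat(child).st_mode & stat.S_ISVTX),
        )


if __name__ == "__main__":
    parent = parse_ls_mode("drwsrwsr-t")  # /tmp/myshare as listed in the thread
    for mask in (0o755, 0o775, 0o1775, 0o7775):
        child = new_directory_mode(parent, mask)
        print(f"directory mask {mask:05o} -> {render(child)} {special_bits(child)}")
    print("plain mkdir (parent sticky, child sticky):", unix_mkdir_sticky_check())
```
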


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread jw
On Wed, Aug 19, 2009 at 1:02 PM, jw wrote:
>
> What I am interested in is the sticky bit - getting that inherited.
> The docs only mention the sticky bit with regard to permissions.
>

Whoops - that should read "with regard to *printer* permissions"

-John


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread jw
On Wed, Aug 19, 2009 at 11:20 AM, Jeremy Allison wrote:
>
> Ok, this works with 3.4.0. You need to set:
>
>        inherit owner = yes
>        inherit permissions = yes
>        directory mask = 07775
>

Isn't that one too many characters in the mask?
Regardless, I tried 07775 (as written), 0775, and 7775 just now via smbclient.
The directory bits are correct (including sticky), but the owner is
NOT inherited. It is the samba guest account, not the directory owner.

   drwxrwxr-t   2 sambaguest sambaguest  512 Aug 19 13:15 foodir3

I'll try from a genuine Win box when I get home, but I expect the
results will be the same.

I am using samba 3.3.6 - apparently there is no 3.4.0 port for FreeBSD
(I could not find one).
Perhaps I will try downloading a tarball or using samba4-devel...

It seems strange that something like this would be so broken on an
up-to-date 3.3.6 though..

Would you mind showing me your full config for your working case, and
the directory permissions / ownership on your share (privately, if you
like) ?

-John


[Samba] idmap_rid and manual group mapping

2009-08-19 Thread Ilya V. Paramonov
Hello.

I use pam_winbind to authenticate users against the domain. Winbind is 
configured to use idmap_rid backend to guarantee consistent mapping between 
UIDs and SIDs. Everything works perfect, but I need the domain users to be the 
members of some local UNIX groups (like plugdev and floppy). Is there a way to 
manually map some domain groups to local groups keeping UID mapping via 
idmap_rid intact? Or maybe there is another way to solve the problem in question?

-- 
Best regards,
Ilya Paramonov


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread jw
On Wed, Aug 19, 2009 at 10:35 AM, Dale
Schroeder wrote:
> John,
>
> The following quote comes from the SWAT description of the "inherit
> permissions" parameter.
> From the way it is written, it seems quite plausible that it also applies to
> "inherit owner".
>
> inherit permissions (S)
>
> Note that the setuid bit is never set via inheritance (the code explicitly
> prohibits this).
>

I don't actually care about the setuid bit. I think I was playing with
it earlier so you might see it in the permissions.
What I am interested in is the sticky bit - getting that inherited.
The docs only mention the sticky bit with regard to permissions.

Another way for me to accomplish this is to turn on suiddir in my
kernel (perhaps what you were hinting at?), but I'm trying to avoid
it...

-John


Re: [Samba] Which version do I need for SMB2?

2009-08-19 Thread John Klimek
Thanks for the reply!

(Responses below...)

On Wed, Aug 19, 2009 at 3:05 PM, Volker
Lendecke wrote:
> On Wed, Aug 19, 2009 at 02:53:26PM -0400, John Klimek wrote:
>> First off, I'm a little confused but I've been trying to do some
>> research and still have some questions... (please forgive me!)
>>
>> I'm trying to figure out the "best" (ie. fastest) way to connect from
>> Ubuntu to Windows Server 2008.  I can use SMB, SMB2, or NFS.
>
> Ubuntu is the server or client? If it's the client, try "linux-cifs".
>

Ubuntu is the client.  Ubuntu 9.04 (Jaunty) to be specific.

I'm not sure what you mean by "try linux-cifs".  Are you suggesting I
create local mount points using linux-cifs as the filesystem type?

>> From what I've gathered, Samba4 includes SMB2 support but what about
>> Samba3?  If so, which version supports it?  (v3.3.2?)
>
> Samba4 contains an implementation of both SMB2 client and
> server, but that has not seen any serious development for
> many months. Stefan Metzmacher right now is developing an
> SMB2 server for Samba3. I would expect a release with Samba
> 3.5 in latest beginning 2010. My personal expectation would
> be that we do not enable it by default yet so that it can
> settle, and that we enable it by default with 3.6 in July
> 2010.
>
>> I'm also confused about "smbfs".  It seems like it's been discontinued
>> in favor of "linux-cifs" so I'm wondering if that supports SMB2 and
>> what package(s) would be needed to create mount points using that.
>
> None of the versions of smbfs or linux-cifs right now
> shipped in major distributions do smb2.

I'm willing to upgrade so that's not really a big issue.  I just need
to know which version to upgrade to (eg. Samba3 or Samba4)

>
> By the way, it's just not true that SMB2 is faster than
> SMB1. It might be true for Microsoft's client
> implementations, but a properly tuned SMB1 client can almost
> saturate a 10GigE connection. I've seen more than
> 700MBytes/second Samba->smbclient on a single SMB1
> connection where the raw TCP speed would have been a little
> less than 800MBytes/sec on the same hardware.

I've heard that before as well but I've also heard/seen benchmarks
where SMB2 is much, much faster than SMB1.  However, like you said,
perhaps it's due to SMB optimizations.

Do you suggest I stick with Samba3 v3.3.2 and just use SMB?

I'd really prefer to use SMB2 (if possible) especially since I
upgraded to Windows Server 2008 almost specifically for this feature
but if you are telling me that Samba3 (v3.3.2) will provide me almost
exactly the same performance then I'll stick with that.  However, if I
need to optimize my configuration (versus no additional optimization
with Samba4?) then that's a different story.

Thanks so much for your help!


Re: [Samba] Which version do I need for SMB2?

2009-08-19 Thread Volker Lendecke
On Wed, Aug 19, 2009 at 02:53:26PM -0400, John Klimek wrote:
> First off, I'm a little confused but I've been trying to do some
> research and still have some questions... (please forgive me!)
> 
> I'm trying to figure out the "best" (ie. fastest) way to connect from
> Ubuntu to Windows Server 2008.  I can use SMB, SMB2, or NFS.

Ubuntu is the server or client? If it's the client, try "linux-cifs".

> From what I've gathered, Samba4 includes SMB2 support but what about
> Samba3?  If so, which version supports it?  (v3.3.2?)

Samba4 contains an implementation of both SMB2 client and
server, but that has not seen any serious development for
many months. Stefan Metzmacher right now is developing an
SMB2 server for Samba3. I would expect a release with Samba
3.5 in latest beginning 2010. My personal expectation would
be that we do not enable it by default yet so that it can
settle, and that we enable it by default with 3.6 in July
2010.

> I'm also confused about "smbfs".  It seems like it's been discontinued
> in favor of "linux-cifs" so I'm wondering if that supports SMB2 and
> what package(s) would be needed to create mount points using that.

None of the versions of smbfs or linux-cifs right now
shipped in major distributions do smb2.

By the way, it's just not true that SMB2 is faster than
SMB1. It might be true for Microsoft's client
implementations, but a properly tuned SMB1 client can almost
saturate a 10GigE connection. I've seen more than
700MBytes/second Samba->smbclient on a single SMB1
connection where the raw TCP speed would have been a little
less than 800MBytes/sec on the same hardware.

Volker



[Samba] Which version do I need for SMB2?

2009-08-19 Thread John Klimek
First off, I'm a little confused but I've been trying to do some
research and still have some questions... (please forgive me!)

I'm trying to figure out the "best" (ie. fastest) way to connect from
Ubuntu to Windows Server 2008.  I can use SMB, SMB2, or NFS.

From what I've gathered, Samba4 includes SMB2 support but what about
Samba3?  If so, which version supports it?  (v3.3.2?)

I'm also confused about "smbfs".  It seems like it's been discontinued
in favor of "linux-cifs" so I'm wondering if that supports SMB2 and
what package(s) would be needed to create mount points using that.

Sorry for the questions and thanks so much for any help!


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Jeremy Allison
On Tue, Aug 18, 2009 at 08:09:00PM -0700, jw wrote:
> On Tue, Aug 18, 2009 at 3:11 PM, Jeremy Allison wrote:
> > To allow these to apply to the new directory, set :
> >
> > directory mask = 0775
> >
> > The reason you're not getting 775 perms on the new directory
> > is that the default directory mask is 0755, which masks out
> > the write permission for the group.
> >
> > Just setting inherit owner, and directory mask = 0775
> > should be enough.
> 
> Hi,
> 
> I gave this a shot, but it's still not quite doing what I would expect.
> I have:
> 
>    inherit owner = yes
>    directory mask = 7775
> 
> And this produces:
> 
>    drwxrwxr-x   2 nobody  sambaguest   512 Aug 18 19:54 New Folder (20)
> 
> The problem is the sticky bit is not set. I want the sticky bit to be
> set so that new files created under this directory cannot be edited
> once created.

Ok, this works with 3.4.0. You need to set:

inherit owner = yes
inherit permissions = yes
directory mask = 07775

Jeremy.


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Jeremy Allison
On Tue, Aug 18, 2009 at 08:09:00PM -0700, jw wrote:
> On Tue, Aug 18, 2009 at 3:11 PM, Jeremy Allison wrote:
> > To allow these to apply to the new directory, set :
> >
> > directory mask = 0775
> >
> > The reason you're not getting 775 perms on the new directory
> > is that the default directory mask is 0755, which masks out
> > the write permission for the group.
> >
> > Just setting inherit owner, and directory mask = 0775
> > should be enough.
> 
> Hi,
> 
> I gave this a shot, but it's still not quite doing what I would expect.
> I have:
> 
>inherit owner = yes
>directory mask = 7775
> 
> And this produces:
> 
>drwxrwxr-x   2 nobody  sambaguest   512 Aug 18 19:54 New Folder (20)
> 
> The problem is the sticky bit is not set. I want the sticky bit to be
> set so that new files created under this directory cannot be edited
> once created.

Ah ok, you originally complained about not getting the
right group permissions, not the sticky bit. The sticky
bit is not automatically inherited by UNIX.

Let me look into this a little more...

Jeremy.


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Dale Schroeder

John,

The following quote comes from the SWAT description of the "inherit 
permissions" parameter.
From the way it is written, it seems quite plausible that it also 
applies to "inherit owner".



 inherit permissions (S)

Note that the setuid bit is /never/ set via inheritance (the code 
explicitly prohibits this).


Dale


jw wrote:
> On Wed, Aug 19, 2009 at 3:22 AM, Charles Marcus wrote:
>> ? He said 0775, not 7775
>
> Well, I need the sticky bit set (see my previous reply).
> So I have tried 1775, 3775, and 7775, all with the same results.
> If I use 0775, the sticky bit is masked out, which will not work for me.
>
> Or do I misunderstand 'directory mask' ?
> Regardless, it doesn't work for 0775, either (correct owner, but
> sticky bit not set).
>
> -John
  



Re: [Samba] (no subject)

2009-08-19 Thread Jeremy Allison
On Wed, Aug 19, 2009 at 09:58:39AM -0500, McGranahan, Jamen wrote:
> Running Sun Solaris 9 sparc; trying to get Samba to interact with our Windows 
> Active Directory so we can create shares on our Sun server. Kerberos works 
> well. Wbinfo -u and Wbinfo -g both return results. Getent also returns 
> results, both getent passwd & getent group.  I've created a test folder and 
> added it in the smb.conf file as a share:
> 
> [test]
> path = /test
> writeable = yes
> browseable = yes
> guest ok = no
> valid users = VANDERBILT\mcgranj
> public = no
> 
> This folder does exist on the server, but when I try to map, I get no 
> results. When I check the samba log, I see that samba crashes:
> 
> lib240:/usr/local/samba/var#tail 129.59.149.157.log
> [2009/06/22 10:26:12,  0] lib/util.c:log_stack_trace(1827)
>   unable to produce a stack trace on this platform
> [2009/06/22 10:26:12,  0] lib/fault.c:dump_core(231)
>   dumping core in /usr/local/samba/var/cores/smbd
> [2009/08/19 09:50:50,  0] lib/util.c:smb_panic(1673)
>   PANIC (pid 21681): sys_setgroups failed
> [2009/08/19 09:50:50,  0] lib/util.c:log_stack_trace(1827)
>   unable to produce a stack trace on this platform
> [2009/08/19 09:50:50,  0] lib/fault.c:dump_core(231)
>   dumping core in /usr/local/samba/var/cores/smbd

You're running into this bug :

https://bugzilla.samba.org/show_bug.cgi?id=2496

Solaris limits the number of supplementary groups
a user can be in to 32. This is too small for Windows,
and in Sun's in-kernel CIFS server running on ZFS
they have a kernel-only workaround which they currently
have refused to make available to user-space processes.

Please complain to Sun support about this situation,
and ask them to fix this limitation in the solaris
userspace support.

Attached to this bug you'll find a workaround
written by Dave Collier-Brown which uses an
LD_PRELOAD library to use the Solaris group
list as a cache.

Jeremy.

-
 From the code:

/*
 * libgroups - a library for Samba on Solaris to allow
 *  an arbitrarily large number of groups.
 *
 *
 * Problem Description:
 * Unix has a system-wide limit on the number of groups
 * a user may be in. Samba, which provides file service
 * to Windows clients, needs to support larger numbers
 * of groups per user. This is due to the Windows use of
 * groups, which typically results in more than 16 or
 * 32 groups for a user. At the moment, only Linux has
 * enough groups for a medium to large Windows AD domain.
 * 
 * I therefore wrote this interposer library (at home)
 * to remove this limitation on a per-process basis.
 * It keeps an unbounded list of groups and treats the 
 * standard Solaris groups list as a cache. Before opening 
 * a file, the interposer checks to see if the open would 
 * fail because of a group not being in the cache, and if so 
 * will move it to the head of the cache, shifting the
 * other entries down.
 *
 * Caveats: 
 * This was written for Samba, which is setuid-root.
 * As the library requires root permissions for setgroups, 
 * it will ONLY work if the program is setuid root or
 * otherwise has the ability to call setgroups from the
 * middle of the open interposer function. The library will
 * try to abort immediately on startup if it does not
 * have sufficient privilege.
 *

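A small model of the cache idea described in the quoted libgroups comment, as an added example (not the library's code and not code from this thread): full membership is kept in user space, and a bounded list of 32 entries, standing in for the list handed to setgroups(), is treated as a move-to-front cache. The class and function names and the gids are constructed, and no real setgroups() call is made.

```python
import errno

KERNEL_GROUP_LIMIT = 32  # the Solaris limit stated in the reply above


def checked_setgroups(gids, limit=KERNEL_GROUP_LIMIT):
    """Stand-in for setgroups(): a list longer than the limit is rejected
    with EINVAL, the failure behind the 'sys_setgroups failed' panic."""
    if len(gids) > limit:
        raise OSError(errno.EINVAL, "too many supplementary groups")
    return list(gids)


class GroupListCache:
    """Unbounded membership list with a bounded list used as a cache."""

    def __init__(self, member_gids, limit=KERNEL_GROUP_LIMIT):
        # Full membership: unbounded, duplicates removed, order preserved.
        self.members = list(dict.fromkeys(member_gids))
        self.limit = limit
        # Only the first `limit` groups fit into the bounded list.
        self.kernel_list = checked_setgroups(self.members[:limit], limit)
        self.setgroups_calls = 1

    def prepare_open(self, file_gid):
        """Run before an open whose access depends on `file_gid`.

        Returns 'not-member' (the user is not in the group at all),
        'hit' (the group is already in the bounded list) or
        'swapped' (the group was moved to the head of the bounded list).
        """
        if file_gid not in self.members:
            return "not-member"
        if file_gid in self.kernel_list:
            return "hit"
        # Miss: put the needed group at the head, shift the rest down,
        # and let the last entry fall off the end.
        shifted = [file_gid] + self.kernel_list[: self.limit - 1]
        self.kernel_list = checked_setgroups(shifted, self.limit)
        self.setgroups_calls += 1
        return "swapped"


def demo():
    """Walk a constructed user with 40 groups through a few opens."""
    gids = list(range(5000, 5040))  # constructed gids, 40 memberships
    try:
        checked_setgroups(gids)
        direct = "ok"
    except OSError as exc:
        direct = errno.errorcode[exc.errno]
    cache = GroupListCache(gids)
    steps = [cache.prepare_open(g) for g in (5001, 5035, 5035, 5031, 9999)]
    return direct, steps, cache.setgroups_calls, len(cache.kernel_list)


if __name__ == "__main__":
    print(demo())
```

The second access to gid 5031 in the demo is a miss because the earlier swap pushed it off the end of the bounded list, which shows the cost of the approach: every miss is another setgroups call made with root privilege.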


[Samba] Samba and Windows Server 2003 Native Functional Level

2009-08-19 Thread William O'Leary
I have a mix of Solaris 9 and 10 machines running versions of samba from 2.2.12 
to 3.0.24.  I would like to know if I upgrade all of my Domain Controllers to 
2003, and change the functional level to 2003 Native, what version of Samba at 
a minimum would I need to be running so that things still work.

--William

___

William O'Leary | Manager Network Service & Support
CHIPS Computer Consulting LLC | www.chipscc.com | e 
wole...@chipscc.com
5 Aerial Way | Suite 400 | Syosset, NY 11791 | t 516.377.6585 | f 516.470.9214
after hours 866.477.3743

Microsoft Gold Certified Partner / Symantec Gold Certified Partner

It's 9AM, do you know where your data is?
___



[Samba] (no subject)

2009-08-19 Thread McGranahan, Jamen
Running Sun Solaris 9 sparc; trying to get Samba to interact with our Windows 
Active Directory so we can create shares on our Sun server. Kerberos works 
well. Wbinfo -u and Wbinfo -g both return results. Getent also returns results, 
both getent passwd & getent group.  I've created a test folder and added it in 
the smb.conf file as a share:

[test]
path = /test
writeable = yes
browseable = yes
guest ok = no
valid users = VANDERBILT\mcgranj
public = no

This folder does exist on the server, but when I try to map, I get no results. 
When I check the samba log, I see that samba crashes:

lib240:/usr/local/samba/var#tail 129.59.149.157.log
[2009/06/22 10:26:12,  0] lib/util.c:log_stack_trace(1827)
  unable to produce a stack trace on this platform
[2009/06/22 10:26:12,  0] lib/fault.c:dump_core(231)
  dumping core in /usr/local/samba/var/cores/smbd
[2009/08/19 09:50:50,  0] lib/util.c:smb_panic(1673)
  PANIC (pid 21681): sys_setgroups failed
[2009/08/19 09:50:50,  0] lib/util.c:log_stack_trace(1827)
  unable to produce a stack trace on this platform
[2009/08/19 09:50:50,  0] lib/fault.c:dump_core(231)
  dumping core in /usr/local/samba/var/cores/smbd

I really need to get this running. Please advise. Thank you!

***
* Jamen McGranahan
* Systems Services Librarian
* Library Information Technology Services
* Vanderbilt University
* Suite 700
* 110 21st Avenue South
* Nashville, TN  37240
* (615) 343-1614
* (615) 343-8834 (fax)
* jamen.mcgrana...@vanderbilt.edu
***



Re: [Samba] Question concerning file permissions in Samba 3.3.4

2009-08-19 Thread Dorrian, William M Contractor ace...@saj
Jeremy,

Thanks for the clarification.

It turns out that I had an Active Directory permission problem, and here it
is:

A user (We'll call him "User1") was part of an Active Directory Global Group
(Which I'll call "Group1"). "Group1" is one of six Global groups which are
nested in what we call "Supergroup1" (also an Active Directory Global group).

The issue was that we recursively assigned "Full Control" permissions to
"Supergroup1" and then assumed "User1" would have "Full Control" on the files
contained within. (At first, we thought that the reason why "User1" couldn't
modify those files was because "Modify" and "Delete" couldn't be selected
when viewing at the file permissions in Windows Explorer. However, you set us
straight on that and we now know that wasn't the problem.)

The real issue is that the permissions aren't working transitively from
"Supergroup1" to "Group1" to "User1". Is there a setting that I'm missing?
Note that if we assign permissions to "Group1" on a directory, all is well
and "User1" can modify files.

Thanks again for your help,
Bill D.

 

-Original Message-
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Monday, August 17, 2009 5:26 PM
To: Dorrian, William M Contractor ace...@saj
Cc: samba@lists.samba.org
Subject: Re: [Samba] Question concerning file permissions in Samba 3.3.4

On Mon, Aug 17, 2009 at 03:15:59PM -0400, Dorrian, William M  Contractor
ace...@saj wrote:
> We're running Samba 3.3.4 on RHEL 5 Linux, using Active Directory 
> authentication.
> 
> I've noticed that we are able to assign NTFS "Full Control" 
> permissions to directories; however, we are unable to do the same on 
> the files contained within those directories. Is there a default 
> setting that is preventing us from being able to assign them? Note 
> that this happens even at the very top of the directory tree...

Ok, here is the deal. With Samba 3.3.x, we moved to using the returned
Windows permissions (as mapped from POSIX ACLs) to control all file access.
This gets us closer to Windows behavior, but there's one catch. "Full
Control" includes the ability to delete a file, but in POSIX the ability to
delete a file belongs to the containing directory, not the file itself.

So when we return the Windows permissions for a file ACL with "rwx" set, by
default we'd like to map to "Full Control" (see the default setting of the
parameter acl map full control) but we must remove the DELETE_ACCESS flag
from the mapping, as that is not a permission that is granted. Thus the ACL
editor doesn't see "DELETE_ACCESS"
in the returned ACE entry, and so doesn't believe it's "Full Control".

If we don't remove the DELETE_ACCESS bit, the client will open a file for
delete, and successfully get a file handle back, but the delete will fail
when the set file info (delete this file) call is made. Windows clients only
check the error return on the open for delete call, not the actual set file
info that allows the delete - if you fail that call Windows explorer silently
ignores the error, tells you you have deleted the file, but the file is still
there and will reappear on the next directory refresh, thus confusing users.

Hopefully this explains why we can't map completely into "Full Control" but
must remove the DELETE_ACCESS bit. It may confuse users a bit, but that's
better than confusing them when they're wondering why files they've deleted
keep coming back from the dead (trust me, people complained more about that
for a *long* time until I discovered this work-around).

Jeremy


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread jw
On Wed, Aug 19, 2009 at 3:22 AM, Charles
Marcus wrote:
>
> ? He said 0775, not 7775
>

Well, I need the sticky bit set (see my previous reply).
So I have tried 1775, 3775, and 7775, all with the same results.
If I use 0775, the sticky bit is masked out, which will not work for me.

Or do I misunderstand 'directory mask' ?
Regardless, it doesn't work for 0775, either (correct owner, but
sticky bit not set).

-John


[Samba] Please help with Samba on Solaris10

2009-08-19 Thread Chris Osicki
Hi 

I'm having lots of problems getting Samba to work on Solaris.
First I tried the version which comes with Solaris10: 3.0.30.
It almost did work, but a user could not _rename_ files.

Next try was with 3.4.0. Unfortunately winbindd tried to _modify_ idmap
entries in my LDAP server to make them be from the UID range defined in 
smb.conf.
WHY? What's the idea behind it?

Winbindd also populated my LDAP server with few hundred (thousand?) of idmap 
entries,
including:
BUILTIN\Guests 4
BUILTIN\Users 4
BUILTIN\Administrators 4
\Everyone 5
NT AUTHORITY\NETWORK 5

I must be missing the reason. Is it documented somewhere?


Current try: 3.2.4

make install produces such errors:

/bin/sh: test: argument expected
make: [installlibwbclient] Error 1 (ignored)
/opt/MC/bin/install -c -m 0644 
/var/tmp/src/Samba/samba-3.2.4/source/nsswitch/libwbclient/wbclient.h 
//usr/local/samba/include
/opt/MC/bin/install -c bin/libnetapi.so.0 //usr/local/samba/lib
if test -e bin/libnetapi.so.0 ; then \
ln -s -f `basename bin/libnetapi.so.0` \
//usr/local/samba/lib/`basename bin/libnetapi.so` ; \
fi


smbd cannot find libraries:

ldd /usr/local/samba/sbin/smbd | grep not
libtalloc.so =>  (file not found)
libtdb.so => (file not found)
libwbclient.so =>(file not found)

RPATH not set. I set LD_LIBRARY_PATH to /usr/local/samba/lib.
Still couldn't find libraries.
It looks like "make install" didn't make softlinks. I made them.

I joined the domain,  set LDAP password, started winbindd and smbd.

Winbind looks OK, 
"wbinfo -t" -> success
wbinfo --sid-to-uid -> OK
smbclient -L usonfs -> OK

When I access a share I get this:

smbclient //usonfs/test -U tgdosch1 -W corproot
Enter tgdosch1's password:
Domain=[CORPROOT] OS=[Unix] Server=[Samba 3.2.4]
Receiving SMB: Server stopped responding
tree connect failed: Call returned zero bytes (EOF)

Could anybody give me a hint what could cause this?
I can provide the (huge) logfiles if anybody want to have a look at them.

Moreover, winbind populated my LDAP server with few hundreds of SID-GID
mappings, probably all groups my user, tgdosch1, belongs to. Couldn't identify 
all them yet.

Is this behaviour documented somewhere?

My smb.conf below.

Thanks for your time.
Regards,
Chris

[global]
workgroup = CORPROOT
netbios name = usonfs
security = domain
#client lanman auth = No
#client NTLMv2 auth = Yes
log level = 10
preferred master = no
bind interfaces only = yes
interfaces = usonfs

password server = sg57.corproot.net sg1006z.corproot.net
winbind uid = 2-23000
winbind gid = 2-23000
winbind enum users = no
winbind enum groups = no

idmap backend = ldap:ldap://usoldap02.swissptt.ch
ldap admin dn = uid=idmapadm,ou=testmap,dc=swissptt,dc=ch
ldap idmap suffix = ou=testmap
ldap suffix = dc=swissptt,dc=ch
ldap ssl = off

[homes]
path = /export/home/%S
writable = yes
public = no
browseable = No


[Samba] Send error in SETFSUnixInfo = -5

2009-08-19 Thread Raphael Clifford
I am trying to mount a samba server using

mount -t cifs -o username=x,password=x //foo.com/username /home/lesshaste/work

and I get

 Send error in SETFSUnixInfo = -5
 CIFS VFS: Negotiating Unix capabilities with the server failed.
Consider mounting with the Unix Extensions  disabled, if problems are
found, by specifying the nounix mount option.

If I then mount with nounix I don't seem to be able to overwrite
existing files but strangely I can delete them.  This makes editing a
file very difficult, for example.

Any ideas what is going on? The client is on ubuntu jaunty 9.04.

I have attached a compressed (and slightly anonymised) version of the
logs for the mount operation above.

Raphael

Re: [Samba] Fwd: Not able to display domain users using wbinfo

2009-08-19 Thread Chris Osicki
On Mon, 17 Aug 2009 16:50:37 +0200
Volker Lendecke  wrote:

> On Mon, Aug 17, 2009 at 04:28:00PM +0200, Helmut Hullen wrote:
> > Do you need "winbind"? Without any Windows server (PDC) you don't need
> > the winbind crap.
> 
> "winbind crap"?
> 
> Volker

Highly exaggerated.
It's quite evolving, though. And not easy to keep up with ;-)
See my other posting.

Regards,
Chris


Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Avinash Rao
Michael,

Sorry if the question is a bit unclear. What i meant is the net rpc
commands are meant to manage trusts between a samba domain and Window
NT domain or ADS. But in my case, I have only one samba server
configured as a PDC.

You mentioned about loopback, where should i check this? Also, I have
used samba but not so much in depth. I am learning these options as
the users in the network are increasing.

Thanks
Avinash


On Wed, Aug 19, 2009 at 1:06 PM, Michael Heydon wrote:
> Avinash Rao wrote:
>>
>> You mean in smb.conf file? i have added host allow = 127.
>>
>
> Allowing hosts wont do any good if samba isn't listening on the interface
> that those hosts are connected to. If you want to allow connections from
> localhost you need to listen on loopback.
>
>> The thing is i don't have any windows server in the network, I have
>> one Ubuntu Server and samba is configured as PDC.
>
> I'm not sure what you are getting at here.
>
> *Michael Heydon - IT Administrator *
> micha...@jaswin.com.au 
>


Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-19 Thread Charles Marcus
On 8/18/2009, jw (jwde...@gmail.com) wrote:
>> directory mask = 0775
>>
>> The reason you're not getting 775 perms on the new directory
>> is that the default directory mask is 0755, which masks out
>> the write permission for the group.
>>
>> Just setting inherit owner, and directory mask = 0775
>> should be enough.

> I gave this a shot, but it's still not quite doing what I would expect.
> I have:
> 
>inherit owner = yes
>directory mask = 7775

? He said 0775, not 7775

-- 

Best regards,

Charles


Re: [Samba] Winbind authentication issue on 3.2.13/14 and 3.4.0 (was: Crazied NTLM_AUTH on samba 3.4.0)

2009-08-19 Thread Alex Crow
This is now on Bugzilla, bug 6646.
-- 
This message is intended only for the addressee and may contain 
confidential information.  Unless you are that person, you may not 
disclose its contents or use it in any way and are requested to delete 
the message along with any attachments and notify us immediately. 

"Transact" is operated by Integrated Financial Arrangements plc 
Domain House, 5-7 Singer Street, London  EC2A 4BQ 
Tel: (020) 7608 4900 Fax: (020) 7608 1200
(Registered office: as above; Registered in England and Wales under
number: 3727592) 
Authorised and regulated by the Financial Services Authority (entered on
the FSA Register; number: 190856)




[Samba] smbldap-populate

2009-08-19 Thread Paul Hennion
Hi There,

I am installing samba ldap on my debian lenny system. When I get to the step of 
running the populate script I get the following error:

failed to add entry: attribute 'sambaNextRid' not allowed at
/usr/sbin/smbldap-populate line 499,  line 241

How do I fix this problem? I am running samba 3.2.5-4lenny6, slapd 2.4.11-1 and 
smbldap-tools 0.9.4-1.

Tia
Paul


[Samba] Winbind authentication issue on 3.2.13/14 and 3.4.0 (was: Crazied NTLM_AUTH on samba 3.4.0)

2009-08-19 Thread Alex Crow
On Tue, 2009-08-18 at 14:44 +0100, Alex Crow wrote:
> > . For example: 1 time
> > return 0xc0c3 ( NT_STATUS_INVALID_NETWORK_RESPONSE) or 0x1c010002 (???)
> > and much others. I realized one thing: when the response is "Broken Pipe"
> > the ntlm responds "OK" on first after try and back to the errors after this
> > warning...
> > 
> 
> I am seeing similar problems with 3.2.13 on my Squid server.
> 
> If it happens again I will try to get a log.
> 
> Alex Crow

I have upgraded to 3.2.14 and the problem persists.

I am in a Samba Domain (pdc and bdc also running 3.2.14) and I have a
bidirectional trust set up to a remote Samba 3.2.14 domain.

A winbindd log at debug level 10 is available here:

http://www.nanogherkin.com/winbindd_autherrorlog.bz2

There were two instances of the issue, one shortly before 08:30 and the
other shortly before 09:24.

wbinfo authentication will also fail:

wbinfo -a ajc%
plaintext password authentication failed
Could not authenticate user ajc with plaintext password
challenge/response password authentication failed
error code was NT code 0x1c010002 (0x1c010002)
error messsage was: NT code 0x1c010002
Could not authenticate user ajc with challenge/response


I can also tell you that it can be immediately (if temporarily) restored
to operation by running "wbinfo -t". I am trying to keep my users happy
by running this every few seconds but obviously this isn't ideal!

smb.conf on the Squid server follows:

[global]
workgroup = IFA_NET
security = DOMAIN
netbios name = WEBPROXY
interfaces = eth2, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldaps://bdc.ifa.net
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 1048576
smb ports = 139 445
name resolve order = wins lmhosts bcast hosts
time server = no
#printcap name = CUPS
show add printer wizard = Yes
enable privileges = yes
ldap suffix = dc=ifa,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=ifa,dc=net
ldap ssl = no
ldap timeout = 20
#idmap backend = ldap:ldap://192.168.20.137
idmap uid = 1-2
idmap gid = 1-2
#winbind nested groups = yes
winbind trusted domains only = no
winbind use default domain = yes
#winbind enum users = yes
#winbind enum groups = yes
allow trusted domains = yes
#winbind separator = +
map acl inherit = Yes
ea support = Yes
#printing = cups
#printer admin = root
wins server = 192.168.20.137
nt acl support = yes



Re: [Samba] Using LDAP authentication

2009-08-19 Thread karan rai
Check this link - http://kbase.redhat.com/faq/docs/DOC-17368
I have tested it and it works.

Karan

On Tue, Aug 18, 2009 at 6:16 PM, davefu  wrote:

>
> Hi guys. I'm trying to make a fresh samba installation authenticate against
> an already working OpenLDAP installation. I'm wondering if there is a way
> for Samba to use pam libraries, in the same way my Debian server is
> actually
> configured to use the LDAP users in addition to the ones locally created in
> the system.
> I've noticed samba has internal support for LDAP authentication, but the
> thing is I don't have access to the LDAP administrator's password (which
> is,
> according to lots of tutorials, one of the requirements to know in order to
> make it work).
>
> The OpenLDAP server is already working with other Samba Servers which I
> don't have access to, so it can be considered ready for the task. I just
> need to know if I should aim for the pam-ldap solution, or focus more on
> smb.conf and use ldap as pass backend, figure out the ldappassword and
> "smbpasswd -w adminldappasswd" it, etc, etc.
>
> Thanks in advance!
> --
> View this message in context:
> http://www.nabble.com/Using-LDAP-authentication-tp25024120p25024120.html
> Sent from the Samba - General mailing list archive at Nabble.com.
>


Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Michael Heydon

Avinash Rao wrote:
> You mean in smb.conf file? i have added host allow = 127.

Allowing hosts won't do any good if samba isn't listening on the 
interface that those hosts are connected to. If you want to allow 
connections from localhost you need to listen on loopback.

> The thing is i don't have any windows server in the network, I have
> one Ubuntu Server and samba is configured as PDC.

I'm not sure what you are getting at here.

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au 


Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Avinash Rao
On Wed, Aug 19, 2009 at 12:40 PM, Michael Heydon wrote:
> Avinash Rao wrote:
>>
>> Am sorry i forgot to mention that i am not able to list
>> #net rpc group list -Uroot%not24get
>> Could not connect to server 127.0.0.1
>> Connection failed: NT_STATUS_CONNECTION_REFUSED
>>
>>
>
> I'm guessing here, but this is probably related to the use of interfaces and
> bind interfaces only. Try adding your loopback interface to the list.
>

You mean in smb.conf file? i have added host allow = 127.
The thing is i don't have any windows server in the network, I have
one Ubuntu Server and samba is configured as PDC.


Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Michael Heydon

Avinash Rao wrote:
> Am sorry i forgot to mention that i am not able to list
> #net rpc group list -Uroot%not24get
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_CONNECTION_REFUSED

I'm guessing here, but this is probably related to the use of interfaces 
and bind interfaces only. Try adding your loopback interface to the list.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au 



Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Avinash Rao
Am sorry i forgot to mention that i am not able to list
#net rpc group list -Uroot%not24get
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED


On Wed, Aug 19, 2009 at 12:34 PM, Avinash Rao wrote:
> Thanks for the reply..
> I am reading 
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html
> to know the advantages of mapping user groups and if it is of any use
> to us.
>
> I also tried executing the root preexec =
> /etc/samba/scripts/autopoweruser.sh %U %m to add the user logging to
> the Power Users group on the local workstation, but it didn't work, i
> dont see it executing only.
>
>
>
> On Wed, Aug 19, 2009 at 12:20 PM, Michael Heydon 
> wrote:
>> Avinash Rao wrote:
>>>
>>> Also, is there a way i can control the file permission on the clients
>>> local harddrive from samba. For example, If a user A logs in to the
>>> samba domain, he will not have any access to the local hard drive, can
>>> we give permission from the samba, probably make that domain user a
>>> part of power users on the client machine.
>>>
>>
>> Not directly, I use cpau in the login scripts to escalate to a domain admin
>> and as that user run a script which does things like add certain domain
>> groups to the local admins group. Just remember group membership is worked
>> out before the login scripts are run, so the user will have to log out and
>> back in for any changes to take effect.
>>
>> It is a security risk (cpau doesn't encrypt the credentials, it uses some
>> secret encoding) so it isn't suitable for everyone, but it works well for
>> us.
>>
>> *Michael Heydon - IT Administrator *
>> micha...@jaswin.com.au 
>>
>>
>


Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Avinash Rao
Thanks for the reply..
I am reading 
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html
to know the advantages of mapping user groups and if it is of any use
to us.

I also tried executing the root preexec =
/etc/samba/scripts/autopoweruser.sh %U %m to add the user logging to
the Power Users group on the local workstation, but it didn't work, i
dont see it executing only.



On Wed, Aug 19, 2009 at 12:20 PM, Michael Heydon wrote:
> Avinash Rao wrote:
>>
>> Also, is there a way i can control the file permission on the clients
>> local harddrive from samba. For example, If a user A logs in to the
>> samba domain, he will not have any access to the local hard drive, can
>> we give permission from the samba, probably make that domain user a
>> part of power users on the client machine.
>>
>
> Not directly, I use cpau in the login scripts to escalate to a domain admin
> and as that user run a script which does things like add certain domain
> groups to the local admins group. Just remember group membership is worked
> out before the login scripts are run, so the user will have to log out and
> back in for any changes to take effect.
>
> It is a security risk (cpau doesn't encrypt the credentials, it uses some
> secret encoding) so it isn't suitable for everyone, but it works well for
> us.
>
> *Michael Heydon - IT Administrator *
> micha...@jaswin.com.au 
>
>