Re: [Samba] Claimed Zero Day exploit in Samba.

2010-02-09 Thread Volker Lendecke
On Mon, Feb 08, 2010 at 11:12:51AM -0700, cjay wrote:
> Would you still be vulnerable to this attack if you have wide links =  
> yes but have Unix extensions set to no?

No, because you can't create symlinks remotely.

Volker
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain

2010-02-09 Thread Volker Lendecke
On Tue, Feb 09, 2010 at 02:13:31PM +0100, intartaglia.maximilien wrote:
> wbinfo -u
> 
> I have only the user from medical and not from administratif
> 
> The log of /var/log/samba.log/wb-Administratif:
> 
> 
> [2010/02/08 13:02:36,  1] winbindd/winbindd_ads.c:127(ads_cached_connection)
>   ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed
> 
> but when I do this command (test user administratif)  it's ok
> 
> wbinfo -a administratif/almacom
> Enter administratif/almacom's password:
> plaintext password authentication succeeded
> Enter administratif/almacom's password:
> challenge/response password authentication succeeded

This is entirely possible if you just have a one-way trust
or the dc from ADMINISTRATIF does not allow listing users
for other reasons. A log file (debug level 10)
log.wb-ADMINISTRATIF might show what is going on.

BTW, why do you need the ADMINISTRATIF users in wbinfo -u?
For squid, i.e. ntlm_auth, to work this should not be
necessary.

Volker



Re: [Samba] How Configure Samba4 to use Openldap-Backend?

2010-02-09 Thread Andrew Bartlett
On Tue, 2010-02-09 at 14:29 +0100, Chris Fischer wrote:
> I tried to use samba4 (alpha8) with openldap backend and followed the

Alpha8 is getting very old now.  I would suggest you try the current GIT
tree, but some small issues have broken the LDAP backend there.  We
should have those resolved soon, and then that will be your best
option. 

Follow https://bugzilla.samba.org/show_bug.cgi?id=7040

> instructions on:
> 
> http://wiki.samba.org/index.php/Samba4/LDAP_Backend/OpenLDAP
> http://wiki.samba.org/index.php/Samba4/HOWTO/Ubuntu_Server_9.04
> 
> and different other sources.
> 
> First try with debian packages, second with self compiled from git.
> 
> The script provision-backend is gone, so I only called provision (realm,
> domain, role, etc ). After modifying the slapd.conf template it run
> successful. In the template were the overlay options missing.

If you had to change the template, then you are probably using an
unsupported version of OpenLDAP.  (We require a very new version to work
around a number of issues and bugs). 

> I can run slapd without errors. But how could I tell samba to use this
> backend?

This is set up automatically by provision, when you give it the correct
options. 

> I know the "server service" directive and options like "sam database"
> 
> sam database = ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap%2fldapi
> 
> server services = smb, rpc, nbt, wrepl, cldap, kdc, drepl, winbind,
> ntp_signd, kcc # But i am not familiar with the meaning of all.

You should not change any of these options.  

> slapd in debug mode shows some action on starting samba4, thats all.
> 
> Is there a need to add connection credentials like "smbpasswd -w"

No, these have been autoconfigured by the provision script. 

> Could someone, who has this configuration running, be so kind to send me
> an example smb.conf

There is nothing special in the smb.conf.  Instead, the provision script
embeds the right information in the sam.ldb database itself. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.




[Samba] Having problem with "valid users" in Active Directory/Samba environment

2010-02-09 Thread Eric Peterson
We have a Ubuntu/Samba setup to serve Windows-XP users using Active Directory 
credentials.
The application is a backup service using rsync from their workstations to the 
server.
Ubuntu: 9.10, Samba: 3.4.0. 
The backups work fine, and individual users logged onto XP with AD credentials 
can see the contents of their shares on the server. 
However, we have been unable to configure Samba to allow specified users 
(domain admins) access to Samba shares, which is needed for administration of 
the shares. 

The "valid user" and "admin user" constructs are not working in our environment.
When smb.conf is configured with these constructs (see testparm output below), 
which should allow access, instead we get an error message on the XP side and 
the following messages in /var/log/samba: (in the example, trying to access the 
share \\\wirt)

[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) 
process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. 
Permission denied
[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) 
process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. 
Permission denied
[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) 
process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. No such 
file or directory
[2010/02/08 21:31:21,  0] smbd/service.c:1188(make_connection) ___10.0.3.56 
(:::10.0.3.56) couldn't find service wirt

The error in XP says: "Windows cannot find '\\\wirt'. Check the 
spelling and try again"

Is there something wrong with the smb.conf settings, or something else that 
needs to be done to allow domain admins access to user shares?
Could something with the pam or winbind settings explain this behavior?

One clue is that when we cranked the log level to 3, the log messages indicated 
that the Samba connection was being made to a UNIX user DOMAIN\lfvr3tk1$ rather 
than DOMAIN\admin as would be expected. The name of the admin's XP computer is 
"lfvr3tk1". The logfile is quite large so I did not include it here.

What's going on?

Thanks,
Eric Peterson


== output from testparm ==

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[public]"
Processing section "[public_rw]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
 
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = %h server (Samba, Ubuntu)
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
 
[homes]
comment = Home Directories
valid users = DOMAIN\%S, DOMAIN\admin
admin users = DOMAIN\admin
 
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
browsable = No
 
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
 
[public]
path = /export/public
guest ok = Yes
 
[public_rw]
path = /export/public_rw
read only = No
guest ok = Yes



[Samba] How Configure Samba4 to use Openldap-Backend?

2010-02-09 Thread Chris Fischer

I tried to use samba4 (alpha8) with openldap backend and followed the

instructions on:

http://wiki.samba.org/index.php/Samba4/LDAP_Backend/OpenLDAP
http://wiki.samba.org/index.php/Samba4/HOWTO/Ubuntu_Server_9.04

and different other sources.

First try with debian packages, second with self compiled from git.

The script provision-backend is gone, so I only called provision (realm,
domain, role, etc ). After modifying the slapd.conf template it run
successful. In the template were the overlay options missing.

I can run slapd without errors. But how could I tell samba to use this
backend?

I know the "server service" directive and options like "sam database"

sam database = ldapi://%2fvar%2flib%2fsamba%2fprivate%2fldap%2fldapi

server services = smb, rpc, nbt, wrepl, cldap, kdc, drepl, winbind,
ntp_signd, kcc # But i am not familiar with the meaning of all.

slapd in debug mode shows some action on starting samba4, thats all.

Is there a need to add connection credentials like "smbpasswd -w"

Could someone, who has this configuration running, be so kind to send me
an example smb.conf


thanks in advance
Chris



Re: [Samba] Provision script fails with Samba4 (latest git version)

2010-02-09 Thread Endi Sukma Dewata
Hi James,

There is a bug for this issue:
https://bugzilla.samba.org/show_bug.cgi?id=7040

--
Endi S. Dewata


- "James Ray"  wrote:

> All,
>   I'm trying to get samba4 to provision with the latest git version.
> My
> provision command looks like so:
> # ./setup/provision --realm=TEST.DOMAIN --domain=DOMAIN
> --adminpass=pass
> - --server-role='domain controller' --ldap-backend-type=openldap
> - --slapd-path=/usr/sbin/slapd
> 
> I get the following output from the command:
> hdb_db_open: database "cn=Schema,cn=Configuration,dc=test,dc=domain":
> db_open(/usr/local/samba4/private/ldap/db/schema/id2entry.bdb)
> failed:
> No such file or directory (2).
> backend_startup_one (type=hdb,
> suffix="cn=Schema,cn=Configuration,dc=test,dc=domain"): bi_db_open
> failed! (2)
> slap_startup failed (test would succeed using the -u switch)
> Failed to bind - LDAP client internal error:
> NT_STATUS_UNEXPECTED_NETWORK_ERROR
> Failed to connect to
> 'ldapi://%2Fusr%2Flocal%2Fsamba4%2Fprivate%2Fldap%2Fldapi'
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=test,DC=domain
> pdc_fsmo_init: no domain object present: (skip loading of domain
> details)
> 
> Traceback (most recent call last):
>   File "./setup/provision", line 244, in 
>
> nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode,useeadb=eadb)
>   File "bin/python/samba/provision.py", line 1301, in provision
> dom_for_fun_level=dom_for_fun_level)
>   File "bin/python/samba/provision.py", line 945, in setup_samdb
> "SAMBA_VERSION_STRING": version
>   File "bin/python/samba/provision.py", line 260, in
> setup_modify_ldif
> ldb.modify_ldif(data)
>   File "bin/python/samba/__init__.py", line 261, in modify_ldif
> self.modify(msg, controls)
> _ldb.LdbError: (1, 'LDAP client internal error:
> NT_STATUS_INTERNAL_ERROR')
> A transaction is still active in ldb context [0x42f1450] on
> /usr/local/samba4/private/secrets.ldb
> 
> Any one with any ideas on where I progress from here with this? I
> seem
> to have come to a road block.
> 
> Thanks for any help you can provide.
> 
> - --
> James Ray. 
> Computing Services   (http://pub.tsn.dk/how-to-quote.php)
> Queen Mary, University of London


[Samba] probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain

2010-02-09 Thread intartaglia . maximilien


Hey,

I've got a problem. My AD is a Windows 2008 R2 (schema 2003).

I have two Windows 2008 R2 RODCs in my architecture. I have a squid under SUSE 
11.1 x64 with the samba and winbind daemons.

The version of samba is: Version 3.4.5-3.1-2289-SUSE-CODE11

I have two Windows 2008 R2 domains in my architecture:

Domain : medical
Domain administrative.

Squid/samba/suse is joined to the domain Medical.

Net ads testjoin:
Ok

My problem is that the winbind daemon finds all my users of domain medical but not 
those of the domain administratif.

I've found it's a problem of winbind (fix 7037 3.5rc2?)

Can you help me please:

The configuration :

/etc/krb5.conf:
[logging]
default = FILE:SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]

default_realm = MEDICAL.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 3000



[realms]


MEDICAL.LOCAL = {
kdc = 172.22.45.5
admin_server = 192.168.11.70
default_domain = MEDICAL
}
ADMINISTRATIF.LOCAL = {
kdc = 172.22.45.1
admin_server = 192.168.11.40
default_domain = ADMINISTRATIF
}

MEDICAL = {
kdc = 172.22.45.5
admin_server = 192.168.11.70
}
ADMINISTRATIF = {
kdc = 172.22.45.1
admin_server = 192.168.11.40
}

[domain_realm]
medical.local = MEDICAL.LOCAL
.medical.local = MEDICAL.LOCAL
administratif.local = ADMINISTRATIF.LOCAL
.administratif.local = ADMINISTRATIF.LOCAL
MEDICAL.LOCAL = MEDICAL.LOCAL
.MEDICAL.LOCAL = MEDICAL.LOCAL
.ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL
ADMINISTRATIF = ADMINISTRATIF.LOCAL
.ADMINISTRATIF = ADMINISTRATIF.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
use_shmem = sshd
}
 Samba :
# Samba config file created using SWAT
# from relais (127.0.0.1)
# Date: 2004/01/05 13:42:43

# Global parameters
[global]
log file = /var/log/samba/%m.log
allow trusted domains = yes
idmap gid = 1-2
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
realm = MEDICAL.LOCAL
winbind use default domain = no
dns proxy = no
printing = cups
idmap uid = 1-2
local master = no
domain master = no
preferred master = no
template homedir = /home/%D/%U
workgroup = MEDICAL
os level = 0
winbind refresh tickets = yes
winbind enum groups = Yes
winbind enum users = Yes
security = ADS
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody 
-s /bin/false %m$
winbind separator = /
max log size = 1024
usershare allow guests = No


The tests are here:


relay:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
relay:~ # wbinfo -m
BUILTIN
RELAY
MEDICAL
ADMINISTRATIF
relay:~ #

wbinfo -u

I have only the user from medical and not from administratif

The log of /var/log/samba.log/wb-Administratif:


[2010/02/08 13:02:36,  1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed

but when I do this command (test user administratif)  it's ok

wbinfo -a administratif/almacom
Enter administratif/almacom's password:
plaintext password authentication succeeded
Enter administratif/almacom's password:
challenge/response password authentication succeeded






[Samba] probleme with samba 3.4.5-5.1 + winbind+ windows 2008 R2 + trusted domain

2010-02-09 Thread intartaglia . maximilien
The daemon winbind don't trusted domains windows 2008 R

Help me please

I've got a problem. My AD is a Windows 2008 R2 (schema 2003).

I have two Windows 2008 R2 RODCs in my architecture.
The version of samba is: Version 3.4.5-3.1-2289-SUSE-CODE11

I have two Windows 2008 R2 domains in my architecture:

Domain : medical
Domain administratif.

/samba/suse is joined to the domain Medical.

Net ads testjoin:
Ok

My problem is that the winbind daemon finds all my users of domain medical but not 
those of the domain administratif.

I've found it's a problem of winbind (fix 7037 3.5rc2?)

Can you help me please:

The configuration :

/etc/krb5.conf:
[logging]
default = FILE:SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]

default_realm = MEDICAL.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 3000



[realms]


MEDICAL.LOCAL = {
kdc = 172.22.45.5
admin_server = 192.168.11.70
default_domain = MEDICAL
}
ADMINISTRATIF.LOCAL = {
kdc = 172.22.45.1
admin_server = 192.168.11.40
default_domain = ADMINISTRATIF
}

MEDICAL = {
kdc = 172.22.45.5
admin_server = 192.168.11.70
}
ADMINISTRATIF = {
kdc = 172.22.45.1
admin_server = 192.168.11.40
}

[domain_realm]
medical.local = MEDICAL.LOCAL
.medical.local = MEDICAL.LOCAL
administratif.local = ADMINISTRATIF.LOCAL
.administratif.local = ADMINISTRATIF.LOCAL
MEDICAL.LOCAL = MEDICAL.LOCAL
.MEDICAL.LOCAL = MEDICAL.LOCAL
.ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL
ADMINISTRATIF = ADMINISTRATIF.LOCAL
.ADMINISTRATIF = ADMINISTRATIF.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
use_shmem = sshd
}
 Samba :
# Samba config file created using SWAT
# from relais (127.0.0.1)
# Date: 2004/01/05 13:42:43

# Global parameters
[global]
log file = /var/log/samba/%m.log
allow trusted domains = yes
idmap gid = 1-2
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
realm = MEDICAL.LOCAL
winbind use default domain = no
dns proxy = no
printing = cups
idmap uid = 1-2
local master = no
domain master = no
preferred master = no
template homedir = /home/%D/%U
workgroup = MEDICAL
os level = 0
winbind refresh tickets = yes
winbind enum groups = Yes
winbind enum users = Yes
security = ADS
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody 
-s /bin/false %m$
winbind separator = /
max log size = 1024
usershare allow guests = No


The tests are here:


relay:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
relay:~ # wbinfo -m
BUILTIN
RELAY
MEDICAL
ADMINISTRATIF
relay:~ #

wbinfo -u

I have only the user from medical and not from administratif

The log of /var/log/samba.log/wb-Administratif:


[2010/02/08 13:02:36,  1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed

but when I do this command (test user administratif)  it's ok

wbinfo -a administratif/almacom
Enter administratif/almacom's password:
plaintext password authentication succeeded
Enter administratif/almacom's password:
challenge/response password authentication succeeded






[Samba] winbind does not list users from trusted domain

2010-02-09 Thread T Berman
Having the same issue - was there any resolution to this?



  


Re: [Samba] Claimed Zero Day exploit in Samba.

2010-02-09 Thread cjay
Would you still be vulnerable to this attack if you have wide links = 
yes but have Unix extensions set to no?



On 2/5/2010 11:17 AM, Jeremy Allison wrote:

Claimed Zero Day exploit in Samba.

A user named "kcopedarookie" posted what they claim to
be a video of a zero-day exploit in Samba on youtube
yesterday here:

http://www.youtube.com/watch?v=NN50RtZ2N74&aia=true

The video shows modifications to smbclient allowing
/etc/passwd to be downloaded from a remote server.

The issue is actually a default insecure configuration
in Samba.

Quick FAQ: What do I do !
-------------------------

Set:

wide links = no

in the [global] section of your smb.conf and restart
smbd to eliminate this problem.

Longer FAQ: The real issue
--------------------------

The problem comes from a combination of two features in
Samba, each of which on their own are useful to Administrators,
but in combination allow users to access any file on the system
that their logged in username has permissions to read (this is
not a privilege escalation problem).

By default Samba ships with the parameter "wide links = yes",
which allows Administrators to locally (on the server) add
a symbolic link inside an exported share which SMB/CIFS clients
will follow.

As an example, given a share definition:

[tmp]
path = /tmp
read only = no
guest ok = yes

The administrator could add a symlink:

$ ln -s /etc/passwd /tmp/passwd

and SMB/CIFS clients would then see a file called "passwd"
within the [tmp] share that could be read and would allow
clients to read /etc/passwd.

If the "wide links" parameter is set to "no", any attempt
to read this file will fail with an "access denied" error.

The problem occurs as Samba allows clients using the UNIX
extensions (which are also turned on by default) to create
symlinks on remotely mounted shares on which they have write
access that point to any path on the file system.

This is by design, as applications running on UNIX clients
may have good reasons to create symlinks anywhere on the
filesystem they have write access that point to local files
(such as /etc/passwd).

UNIX clients will resolve these links locally, but Windows
clients will resolve them on the server. It is this combination
that causes the problem.

All future versions of Samba will have the parameter
"wide links" set to "no" by default, and the manual
pages will be updated to explain this issue.


--
C. J. Keist                     Email: cj.ke...@colostate.edu
UNIX/Network Manager            Phone: 970-491-0630
Engineering Network Services    Fax:   970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
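
A defensive check for the combination described in the advisory quoted above, as an added example that is not part of the original posts or of Samba itself: it parses an smb.conf and lists the writable shares on which `wide links` and `unix extensions` are both effectively enabled. The defaults are the ones the advisory describes (both on); the sample configuration is constructed, and all function names are this example's own.

```python
import re

# Defaults as the advisory describes them for the releases current at the time
# (both features on). Samba's "read only" defaults to yes.
ADVISORY_DEFAULTS = {"widelinks": "yes", "unixextensions": "yes", "readonly": "yes"}

TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}
# Inverted synonyms of "read only".
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}


def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value):
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError("not a boolean: %r" % value)


def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}; the last setting wins."""
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # continuation onto the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = norm(key), value.strip()
        if key in WRITE_SYNONYMS:          # store everything as "read only"
            key, value = "readonly", "no" if as_bool(value) else "yes"
        current[key] = value
    return sections


def audit(text, defaults=ADVISORY_DEFAULTS):
    """List writable shares where a client-created symlink would be followed
    by the server to a path outside the share."""
    conf = parse_smb_conf(text)
    glob = dict(defaults)
    glob.update(conf.get("global", {}))
    # "unix extensions" is a global switch: with it off, clients cannot
    # create symlinks remotely, so no share is affected.
    if not as_bool(glob["unixextensions"]):
        return []
    findings = []
    for name, params in conf.items():
        if name == "global":
            continue
        eff = dict(glob)
        eff.update(params)                 # share settings override [global]
        if as_bool(eff["widelinks"]) and not as_bool(eff["readonly"]):
            findings.append(name)
    return sorted(findings)


# Constructed sample; [tmp] mirrors the share definition in the advisory.
SAMPLE = """
# constructed sample
[global]
   workgroup = EXAMPLE

[tmp]
   path = /tmp
   read only = no
   guest ok = yes

[docs]
   path = /srv/docs
   writable = yes
   wide links = no

[archive]
   path = /srv/archive
"""

if __name__ == "__main__":
    for share in audit(SAMPLE):
        print("writable share follows wide links:", share)
```

Pass a different `defaults` mapping to audit a release whose built-in default for `wide links` is already `no`.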


[Samba] TR: probleme with samba 3.4.5-3.1 + winbind+ windows 2008 R2 + trusted domain

2010-02-09 Thread intartaglia . maximilien

Hey,

I've got a problem. My AD is a Windows 2008 R2 (schema 2003).

I have two Windows 2008 R2 RODCs in my architecture. I have a squid under SUSE 
11.1 x64 with the samba and winbind daemons.

The version of samba is: Version 3.4.5-3.1-2289-SUSE-CODE11

I have two Windows 2008 R2 domains in my architecture:

Domain : medical
Domain administrative.

Squid/samba/suse is joined to the domain Medical.

Net ads testjoin:
Ok

My problem is that the winbind daemon finds all my users of domain medical but not 
those of the domain administratif.

I've found it's a problem of winbind (fix 7037 3.5rc2?)

Can you help me please:

The configuration :

/etc/krb5.conf:
[logging]
default = FILE:SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]

default_realm = MEDICAL.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 3000



[realms]


MEDICAL.LOCAL = {
kdc = 172.22.45.5
admin_server = 192.168.11.70
default_domain = MEDICAL
}
ADMINISTRATIF.LOCAL = {
kdc = 172.22.45.1
admin_server = 192.168.11.40
default_domain = ADMINISTRATIF
}

MEDICAL = {
kdc = 172.22.45.5
admin_server = 192.168.11.70
}
ADMINISTRATIF = {
kdc = 172.22.45.1
admin_server = 192.168.11.40
}

[domain_realm]
medical.local = MEDICAL.LOCAL
.medical.local = MEDICAL.LOCAL
administratif.local = ADMINISTRATIF.LOCAL
.administratif.local = ADMINISTRATIF.LOCAL
MEDICAL.LOCAL = MEDICAL.LOCAL
.MEDICAL.LOCAL = MEDICAL.LOCAL
.ADMINISTRATIF.LOCAL = ADMINISTRATIF.LOCAL
ADMINISTRATIF = ADMINISTRATIF.LOCAL
.ADMINISTRATIF = ADMINISTRATIF.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
use_shmem = sshd
}
 Samba :
# Samba config file created using SWAT
# from relais (127.0.0.1)
# Date: 2004/01/05 13:42:43

# Global parameters
[global]
log file = /var/log/samba/%m.log
allow trusted domains = yes
idmap gid = 1-2
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
realm = MEDICAL.LOCAL
winbind use default domain = no
dns proxy = no
printing = cups
idmap uid = 1-2
local master = no
domain master = no
preferred master = no
template homedir = /home/%D/%U
workgroup = MEDICAL
os level = 0
winbind refresh tickets = yes
winbind enum groups = Yes
winbind enum users = Yes
security = ADS
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody 
-s /bin/false %m$
winbind separator = /
max log size = 1024
usershare allow guests = No


The tests are here:


relay:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
relay:~ # wbinfo -m
BUILTIN
RELAY
MEDICAL
ADMINISTRATIF
relay:~ #

wbinfo -u

I have only the user from medical and not from administratif

The log of /var/log/samba.log/wb-Administratif:


[2010/02/08 13:02:36,  1] winbindd/winbindd_ads.c:127(ads_cached_connection)
  ads_connect for domain ADMINISTRATIF failed: Decrypt integrity check failed

but when I do this command (test user administratif)  it's ok

wbinfo -a administratif/almacom
Enter administratif/almacom's password:
plaintext password authentication succeeded
Enter administratif/almacom's password:
challenge/response password authentication succeeded





[Samba] Commercial Support Listings - Samba Web Site

2010-02-09 Thread John H Terpstra
This is a reissue of the request for updates to the commercial support
listings on the Samba web site.  Please use the below form for any
update required.

Recently there have been complaints from users who have sought
commercial support for Samba and who were unable to contact many of the
people and companies who are listed on the samba web site as providing
commercial support.

The Commercial Support entries have not been validated for a number of
years and housekeeping is needed.

If your name or your company is listed (or you wish to be listed on the
Samba web site) as providing commercial support for Samba, please send
an email to j...@samba.org with the following information:


Subject: Samba Commercial Support Listing

1. Business Name:
2. Contact Name:
3. Business address:
4. City:
5. State or Province:
6. Country:
7. Web URL:
8. Telephone Number/s:
9. Email address/es:
10. A description of the services you provide (max 100 words):
11. Specialty samba capabilities:
12. Special Notes:

We are in process of contacting every company that is currently listed
as providing commercial support.  Those that are not contactable or have
not responded will be deleted from the list in 14 days time.

Kind regards,
John H Terpstra
Samba Team


[Samba] LDAP backend replication?

2010-02-09 Thread Jakov Sosic
Hi to all!

I've set up Zimbra LDAP (2.4) as master, and I want to use RHEL v5 LDAP
(2.3) as a slave. This is relevant part of my slapd.conf on LDAP 2.3:

# syncrepl directives
syncrepl  rid=101
provider=ldap://192.168.1.86
bindmethod=simple
binddn="uid=zimbra,cn=admins,cn=zimbra"
credentials=PASSword
searchbase="dc=company,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncdata=accesslog
# Refer updates to the master
updateref   ldap://192.168.1.86

Replication works OK, when I first start LDAP, it populates
automatically. But after that initial data, it just doesn't pull
anything anymore. I have to restart it, or it won't pull data from
Master :( Problem is, when I add user to Zimbra LDAP (master), it does
not propagate immediately data to slave LDAP. I don't even know what the
interval is, I've never seen it happen in a few minutes after the Master
LDAP is updated...

Am I missing something? Shouldn't "refreshAndPersist" do it without any
delay (or with minimal delay)? Should I run someting on zimbra LDAP
side, or is the sync from LDAP 2.4 to LDAP 2.3 impossible? Would it be
better to set something like:

type=refreshOnly
interval=00:00:00:01

but this just seems like a bruteforce to me :( I repeat, after I restart
slave LDAP, all the new enteries appear magically.

I'm really confused.

Problems that occur with samba because of this is that I cannot add new
machines to the domain, I get the "username could not be found" errors.
I'm trying to free my samba of mater ldap, and bind it to slave ldap.
That way, updates will be refered to master, but if master fails, users
would still be able to log in. Is this a correct understanding or am I
missing something?

Thank you.



-- 
|Jakov Sosic|ICQ: 28410271|   PGP: 0x965CAE2D   |
=
| start fighting cancer -> http://www.worldcommunitygrid.org/   |


Re: [Samba] OS X Clients Unable To Create Subdirectories?

2010-02-09 Thread Jeremy Allison
On Tue, Feb 09, 2010 at 11:58:00AM -0700, Kimball Larsen wrote:
> I asked about this a few days ago, but none of the suggestions have made any 
> difference... asking again in the hopes I'll find more things to try 
> 
> Linux: Ubuntu 9.10
> Samba version: 3.4.0
> OS X 10.6.2

Can you reproduce on the latest Samba 3.4.5 ?

Jeremy.


Re: [Samba] [netlogon] section being ignored

2010-02-09 Thread Mark Leisher ♺

Gaiseric Vandal wrote:
> Does it work if you specify a *.bat or *.cmd file?  I haven't seen 
> *.vbs files used as a logon script before.
> Once you logon to the PC, are you able to view the netlogon share and 
> logon scripts?




We've been using .vbs files for several years, and until 3.4, they 
worked fine. All users can log on to the netlogon share and read files. 
Bat and cmd files are ignored as well. No error messages in the log files.

--
Mark Leisher


[Samba] OS X Clients Unable To Create Subdirectories?

2010-02-09 Thread Kimball Larsen
I asked about this a few days ago, but none of the suggestions have made any 
difference... asking again in the hopes I'll find more things to try 

Linux: Ubuntu 9.10
Samba version: 3.4.0
OS X 10.6.2

I'm running samba on a local linux server, with a bunch of shares.  Over the 
last several years, this has worked perfectly in our heterogenous network of OS 
X and Windows.  All my windows clients still work perfectly - my users can 
mount the samba shares and create, rename, move etc files and folders. 

However, recently (starting yesterday) my OS X clients are unable to rename any 
sub directories on any of my shares. 

So, if I have a structure like this: 

Share Root
FooFolder
Bar Folder

My OS X users are able to create and rename directories in the share root, but 
are unable to rename folders they create in sub directories.

So, if my OS X user navigates to FooFolder and tries to create a new folder 
there, a new folder is created called "untitled folder", but I'm unable to 
rename it.  Every time I do, the finder says "You don't have permission to 
rename the item "untitled folder".

But, again, I can create and rename folders in the root of the share without 
issue. 

Copying files back and forth are fine - just renaming sub directories is the 
issue.

Here are the relevant bits from my smb.conf (Neighborhood is the name of the 
share):

[global]
   log file = /var/log/samba/log.%m
   load printers = no 
   guest account = nobody
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   socket options = TCP_NODELAY
   obey pam restrictions = yes
   encrypt passwords = true
   passwd program = /usr/bin/passwd %u
   passdb backend = tdbsam
   dns proxy = no
   delete readonly = yes
   server string = %h server
   invalid users = root
   workgroup = lappygroup
   security = share
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   max log size = 1000
   unix extensions = no


[Neighborhood]
 comment = Who are the people in your neighborhood...
 path = /mnt/brick/Neighborhood
 public = yes
 writable = yes
 create mask = 0777
 directory mask = 0777
 force user = nobody
 force group = nogroup


And here are the permissions on the root of the share:
r...@jake:/mnt/brick# ls -la | grep Neighborhood
drwxrwxrwx 46 nobody nogroup 2360 2010-02-02 15:31 Neighborhood

And the "Advertising" directory where I want to create a sub directory.
r...@jake:/mnt/brick/Neighborhood# ls -la | grep Advertising
drwxrwxrwx  4 nobody nogroup   144 2010-02-02 15:49 Advertising

And the resulting "untitled folder" that is created by the OS X client. 
r...@jake:/mnt/brick/Neighborhood/Advertising# ls -la
total 11
drwxrwxrwx  4 nobody nogroup  144 2010-02-02 15:49 .
drwxrwxrwx 46 nobody nogroup 2360 2010-02-02 15:31 ..
-rwxrwxrwx  1 nobody nogroup 6148 2009-05-04 10:03 .DS_Store
drwxrwxrwx  3 nobody nogroup 1064 2008-12-17 15:38 Lead Tracking
drwxrwxrwx  2 nobody nogroup   48 2010-02-02 15:49 untitled folder


What should I be checking?

Thanks!

-- Kimball 


Re: [Samba] using RPCS printer driver for a P&P printer

2010-02-09 Thread Ryan Suarez

Is your problem this?
http://lists.samba.org/archive/samba/2005-September/110571.html

Richard Gansterer wrote:

Hi,

I'm wondering if anyone has had experience with using RPCS printer
drivers in a P&P printer share.
Installing the driver onto samba went without a problem (followed the
Samba howto "chapter 21:  Add Printer Wizard Driver Installation") but
after that, every time I try to access the printer properties
it takes sometimes minutes to open or just doesn't come up at all (same
behavior when I open the properties locally on the installed printer or
directly on the server as a printer admin). So I either can't
set up any default printer properties or it takes so long that it's not
worth the waiting time (if the properties window shows up, every action
I do in there will also have such a long delay).

I can't find any error/denied or similar messages (or simply something that
would stand out of the usual) in the log files (loglevel 3). I can
install the drivers on the
WS by hand and use samba just for the printer queue fine (per-machine
printer). But since I will have to install more printers I wanted to use
the point&print method since it saves a lot of hassle.

The printer is a NRG DSc424 and I'm using Windows XP. The same thing
works fine with the official PCL6 drivers and I might have to settle for
that in the end but the RPCS drivers give a better quality.
It's not a permission problem either, using either root or a user with
the SePrintOperatorPrivilege right (also it would probably show up in
the log files otherwise).

If anyone knows what the cause for those delays might be (even if it's
just that RPCS is simply slow in combination with samba) I'd be really
happy to know. :)

Thanks
Richard
  




Re: [Samba] [netlogon] section being ignored

2010-02-09 Thread Gaiseric Vandal
Does it work if you specify a *.bat or *.cmd file?  I haven't seen 
*.vbs files used as a logon script before.
Once you logon to the PC, are you able to view the netlogon share and 
logon scripts?




Are you trying to have a different logon script for each user?   
Variables in the script should still allow you to map each user's home 
directory appropriately.


Alternately  you could specify the logon script parameter for each 
user's account.


On 02/09/10 12:58, Mark Leisher ♺ wrote:

Samba 3.4, Ubuntu 9.10.

Been fiddling with this for days and didn't find anything related with 
a search.


With the simple config file attached, none of the VBS logon scripts 
are executed when users log on to the domain. Am I missing something 
obvious?



[Samba] [netlogon] section being ignored

2010-02-09 Thread Mark Leisher ♺

Samba 3.4, Ubuntu 9.10.

Been fiddling with this for days and didn't find anything related with a 
search.


With the simple config file attached, none of the VBS logon scripts are 
executed when users log on to the domain. Am I missing something obvious?

--
Mark Leisher
[global]
workgroup = ZZ
server string = Zz
passdb backend = tdbsam
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
map to guest = Bad User
username map = /etc/samba/smbusers
add machine script = /usr/sbin/useradd -c Machine -d /var/empty -s /sbin/nologin %m$
logon script = %U.vbs
local master = Yes
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
security = user
utmp = yes

[homes]
comment = Home Directories
valid users = %S
read only = No
inherit acls = Yes
browseable = Yes
writable = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
public = no
browsable = no
writeable = no

Re: [Samba] Noob (it seems) can't get XP client to join Samba Domain

2010-02-09 Thread Gaiseric Vandal

Did you create a unix account for "YOURMACHINE$"  ?



On 02/08/10 16:31, Jim Christiansen wrote:

I have followed:

http://rudd-o.com/en/linux-and-free-software/making-windows-xp-join-a-samba-domain-in-5-minutes

and

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ClientConfig.html#WXPP009

and the reg hack even though I'm using Samba 3.3.2

I keep getting the error message:

"The following error occured attempting to join the domain "ROOM101"
The username could not be found

Thanks everyone -Jim

Here's my smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
# A well-established practice is to name the original file
# "smb.conf.master" and create the "real" config file with
# testparm -s smb.conf.master>smb.conf
# This minimizes the size of the really used smb.conf file
# which, according to the Samba Team, impacts performance
# However, use this with caution if your smb.conf file contains nested
# "include" statements. See Debian bug #483187 for a case
# where using a master file is not a good idea.
#

#=== Global Settings ===

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = ROOM101

# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d


### Authentication ###

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = user

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam

obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan<<
ka...@informatik.tu-muenchen.de>  for
# sending the correct chat script for 

Re: [Samba] Provision script fails with Samba4 (latest git version)

2010-02-09 Thread Martin Hochreiter

On 2010-02-09 10:46, James Ray wrote:


All,
I'm trying to get samba4 to provision with the latest git version. My
provision command looks like so:
# ./setup/provision --realm=TEST.DOMAIN --domain=DOMAIN --adminpass=pass \
    --server-role='domain controller' --ldap-backend-type=openldap \
    --slapd-path=/usr/sbin/slapd

I get the following output from the command:
hdb_db_open: database "cn=Schema,cn=Configuration,dc=test,dc=domain":
db_open(/usr/local/samba4/private/ldap/db/schema/id2entry.bdb) failed:
No such file or directory (2).
backend_startup_one (type=hdb,
suffix="cn=Schema,cn=Configuration,dc=test,dc=domain"): bi_db_open
failed! (2)
slap_startup failed (test would succeed using the -u switch)
Failed to bind - LDAP client internal error:
NT_STATUS_UNEXPECTED_NETWORK_ERROR
Failed to connect to
'ldapi://%2Fusr%2Flocal%2Fsamba4%2Fprivate%2Fldap%2Fldapi'
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=test,DC=domain
pdc_fsmo_init: no domain object present: (skip loading of domain details)

Traceback (most recent call last):
   File "./setup/provision", line 244, in <module>
 nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode,useeadb=eadb)
   File "bin/python/samba/provision.py", line 1301, in provision
 dom_for_fun_level=dom_for_fun_level)
   File "bin/python/samba/provision.py", line 945, in setup_samdb
 "SAMBA_VERSION_STRING": version
   File "bin/python/samba/provision.py", line 260, in setup_modify_ldif
 ldb.modify_ldif(data)
   File "bin/python/samba/__init__.py", line 261, in modify_ldif
 self.modify(msg, controls)
_ldb.LdbError: (1, 'LDAP client internal error: NT_STATUS_INTERNAL_ERROR')
A transaction is still active in ldb context [0x42f1450] on
/usr/local/samba4/private/secrets.ldb

Any one with any ideas on where I progress from here with this? I seem
to have come to a road block.

Thanks for any help you can provide.
   

I am experiencing exactly the same behaviour with samba4alpha11
-the script is not able to connect to the ldap server but it still is able
to start it -
maybe someone can give us a hint, please

regards


Re: [Samba] Client link utilization

2010-02-09 Thread Jeremy Allison
On Tue, Feb 09, 2010 at 10:25:44AM -0500, Lennart Sorensen wrote:
> On Tue, Feb 09, 2010 at 01:19:40AM +0100, Bostjan Skufca wrote:
> > Then I am greedier (if I also strive for 11MB/s:) Thanks for reminding
> > me though.
> > 
> > Can/Did someone push it over 10MB/s (or 100MB/s with 1Gbps ethernet))?
> > 
> > 
> > To Jeremy or someone who is involved in samba as a developer: do any
> > particular kernel options influence performance of smbclient, that you
> > know of? Compile time options? Compiler version?
> 
> Well I just checked what settings my NFS mount that works great is using.  It 
> uses:
> rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,
> retrans=2,sec=sys,mountvers=3,mountproto=udp
> 
> Now I tried different rsize values with cifs as well, but that doesn't
> seem to help (at least 64k made no improvement.  Going down to 4k made
> it slower).
> 
> Looking at it carefully, it turns out trying to set it over 16k gets
> ignored.  Changing the option CIFSMaxBufSize on the cifs module to 130048,
> does allow using rsize up to that value, and the speed goes up to 8.3MB/s
> from 7.5MB/s.  So it seems larger rsize makes it better.  Given nfs uses
> 8 times larger yet and gets great speed may be a clue too.

There are two issues here. One is the problem with the
Linux CIFSFS which you're talking about. FYI. Samba is
able to cope with single request read/write sizes up to
16MB from a UNIX extension client (smbclient can do this)
so you might want to talk to Steve French to learn how
to turn this on.

The second issue is the one with Windows clients. As
the redirectors are completely different, with completely
different requests and semantics I'd rather not get the
two confused in this thread. Please split out another
mailing list thread for the CIFSFS client speed issue,
so we have them clearly separated.

Jeremy.


Re: [Samba] Client link utilization

2010-02-09 Thread Lennart Sorensen
On Tue, Feb 09, 2010 at 01:19:40AM +0100, Bostjan Skufca wrote:
> Then I am greedier (if I also strive for 11MB/s:) Thanks for reminding
> me though.
> 
> Can/Did someone push it over 10MB/s (or 100MB/s with 1Gbps ethernet))?
> 
> 
> To Jeremy or someone who is involved in samba as a developer: do any
> particular kernel options influence performance of smbclient, that you
> know of? Compile time options? Compiler version?

Well I just checked what settings my NFS mount that works great is using.  It 
uses:
rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,
retrans=2,sec=sys,mountvers=3,mountproto=udp

Now I tried different rsize values with cifs as well, but that doesn't
seem to help (at least 64k made no improvement.  Going down to 4k made
it slower).

Looking at it carefully, it turns out trying to set it over 16k gets
ignored.  Changing the option CIFSMaxBufSize on the cifs module to 130048,
does allow using rsize up to that value, and the speed goes up to 8.3MB/s
from 7.5MB/s.  So it seems larger rsize makes it better.  Given nfs uses
8 times larger yet and gets great speed may be a clue too.

-- 
Len Sorensen


Re: [Samba] A question to Samba developers (or experienced users) about connections to a LDAP server using Unix sockets (LDAPI)

2010-02-09 Thread Adam Tauno Williams
On Mon, 2010-02-08 at 21:04 +, Miguel Medalha wrote:
> > I couldn't find any significant answer by googling this.
> Oh well, I had just posted that when I found this :
> Samba connect ldap via socket
> http://lists.samba.org/archive/samba/2008-May/140869.html
> The following setting works fine for me on a Debian testing system
> and with openLDAP:
> [globals]
>   passdb backend = ldapsam:ldapi://

You can also specify the LDAPI socket path if your OpenLDAP server is
listening in a 'non-standard' location, like:

passdb backend = ldapsam:ldapi://%2fvar%2frun%2fldap2.4%2fldapi

You have to escape the "/" elements of the path.
-- 
OpenGroupware developer: awill...@whitemice.org

OpenGroupware & Cyrus IMAPd documentation @
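
The escaping rule from the reply above, as an added example that is not part of the original post or of Samba's own code: it builds the ldapi:// URL from a socket path and, for a URL such as the one in the provision failure output elsewhere on this page, reports whether the socket it names actually exists. The function names are illustrative, and treating the bare "ldapi://" form as "library default socket" is an assumption based on the quoted post.

```python
"""Added example: build and check ldapi:// URLs for a Samba passdb backend."""
import os
import stat
from urllib.parse import quote, unquote

SCHEME = "ldapi://"


def ldapi_url(socket_path):
    """Percent-encode an absolute socket path into an ldapi:// URL."""
    if not os.path.isabs(socket_path):
        raise ValueError("LDAPI socket path must be absolute: %r" % socket_path)
    # safe="" forces "/" to be encoded as %2F; an unescaped "/" would be
    # read as a URL separator instead of as part of the socket file name.
    return SCHEME + quote(socket_path, safe="")


def socket_path_from_url(url):
    """Return the filesystem path named by an ldapi:// URL.

    Returns None for the bare "ldapi://" form, which names no path and
    leaves the socket location to the LDAP library (assumption).
    """
    if not url.lower().startswith(SCHEME):
        raise ValueError("not an ldapi URL: %r" % url)
    encoded = url[len(SCHEME):]
    if not encoded:
        return None
    if "/" in encoded:
        raise ValueError("unescaped '/' in ldapi URL: %r" % url)
    # unquote() accepts both %2f and %2F, so either spelling decodes alike.
    return unquote(encoded)


def check_ldapi_socket(url):
    """Classify the target of an ldapi URL.

    Returns one of "default", "missing", "not-a-socket" or "ok".
    """
    path = socket_path_from_url(url)
    if path is None:
        return "default"
    try:
        mode = os.stat(path).st_mode
    except (FileNotFoundError, NotADirectoryError):
        return "missing"
    return "ok" if stat.S_ISSOCK(mode) else "not-a-socket"


if __name__ == "__main__":
    # The non-standard socket location used in the reply above.
    print("passdb backend = ldapsam:" + ldapi_url("/var/run/ldap2.4/ldapi"))
    # The URL reported in the provision failure output on this page.
    failing = "ldapi://%2Fusr%2Flocal%2Fsamba4%2Fprivate%2Fldap%2Fldapi"
    print(socket_path_from_url(failing), "->", check_ldapi_socket(failing))
```

A "missing" result for the URL in a "Failed to connect" message means the LDAP server never created its socket, which points at the server's startup errors rather than at the client configuration.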




[Samba] (no subject)

2010-02-09 Thread . .
Hi, Anyone!
Help me get Samba compiled, if you can. Latest Samba, freshest FreeBSD 8.0. So, 
full steps:

fetch http://www.samba.org/samba/ftp/stable/samba-3.4.5.tar.gz
tar zxf samba-3.4.5.tar.gz ; cd samba-3.4.5/source3

./configure --prefix=/usr/local --with-configdir=/usr/local/etc \
 --with-mandir=/usr/share/man --with-libiconv=/usr/local --with-krb5=/usr/local \
 --enable-swat --enable-shared-libs --with-ads --with-libsmbclient \
 --with-winbind --with-ldap --with-acl-support --enable-cups \
 --with-libaddns --with-libsmbsharemodes --with-aio-support \
 --with-included-popt --with-quotas

make

..
Compiling utils/smbget.c
Compiling libsmb/libsmb_cache.c
In file included from libsmb/libsmb_cache.c:25:
include/libsmb_internal.h:177: error: expected specifier-qualifier-list before 'smbc_smb_encrypt_level'
libsmb/libsmb_cache.c: In function 'SMBC_add_cached_server':
libsmb/libsmb_cache.c:91: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:91: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:91: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:91: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:91: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c: In function 'SMBC_get_cached_server':
libsmb/libsmb_cache.c:121: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:163: error: called object 'smbc_getFunctionRemoveCachedServer(context)' is not a function
libsmb/libsmb_cache.c:178: error: called object 'smbc_getFunctionRemoveCachedServer(context)' is not a function
libsmb/libsmb_cache.c: In function 'SMBC_remove_cached_server':
libsmb/libsmb_cache.c:203: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:207: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:207: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:207: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:207: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c:207: error: dereferencing pointer to incomplete type
libsmb/libsmb_cache.c: In function 'SMBC_purge_cached_servers':
libsmb/libsmb_cache.c:232: error: dereferencing pointer to incomplete type

How to cure it?



[Samba] Provision script fails with Samba4 (latest git version)

2010-02-09 Thread James Ray

All,
I'm trying to get samba4 to provision with the latest git version. My
provision command looks like so:
# ./setup/provision --realm=TEST.DOMAIN --domain=DOMAIN --adminpass=pass \
    --server-role='domain controller' --ldap-backend-type=openldap \
    --slapd-path=/usr/sbin/slapd

I get the following output from the command:
hdb_db_open: database "cn=Schema,cn=Configuration,dc=test,dc=domain":
db_open(/usr/local/samba4/private/ldap/db/schema/id2entry.bdb) failed:
No such file or directory (2).
backend_startup_one (type=hdb,
suffix="cn=Schema,cn=Configuration,dc=test,dc=domain"): bi_db_open
failed! (2)
slap_startup failed (test would succeed using the -u switch)
Failed to bind - LDAP client internal error:
NT_STATUS_UNEXPECTED_NETWORK_ERROR
Failed to connect to
'ldapi://%2Fusr%2Flocal%2Fsamba4%2Fprivate%2Fldap%2Fldapi'
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=test,DC=domain
pdc_fsmo_init: no domain object present: (skip loading of domain details)

Traceback (most recent call last):
  File "./setup/provision", line 244, in <module>
nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode,useeadb=eadb)
  File "bin/python/samba/provision.py", line 1301, in provision
dom_for_fun_level=dom_for_fun_level)
  File "bin/python/samba/provision.py", line 945, in setup_samdb
"SAMBA_VERSION_STRING": version
  File "bin/python/samba/provision.py", line 260, in setup_modify_ldif
ldb.modify_ldif(data)
  File "bin/python/samba/__init__.py", line 261, in modify_ldif
self.modify(msg, controls)
_ldb.LdbError: (1, 'LDAP client internal error: NT_STATUS_INTERNAL_ERROR')
A transaction is still active in ldb context [0x42f1450] on
/usr/local/samba4/private/secrets.ldb

Any one with any ideas on where I progress from here with this? I seem
to have come to a road block.

Thanks for any help you can provide.

--
James Ray. 
Computing Services   (http://pub.tsn.dk/how-to-quote.php)
Queen Mary, University of London


Re: [Samba] Solidworks on Samba

2010-02-09 Thread tom burkart

Quoting Miki Barzilay:

> Dear friend,
> I saw your post
> http://lists.samba.org/archive/samba/2008-November/144686.html about running
> Solidworks with SAMBA as a file server.
> I'm getting the same issue with the ~files

We have not got issues with the Solidworks lock files.  It is also  
correct that running Solidworks data on a network drive is not  
supported by Solidworks.


I am suspecting that there may be a permissions issue for your  
particular share.  What we do here is have a user that is used as the  
owner of the share and a group that everyone who wants to access the  
share has to be part of.  In the config file for that share we have  
the following settings among others:


valid users = @design
write list = @design
force user = design
force group = design
read only = No
create mask = 0755
directory mask = 06771

HTH,

tom
