Re: [Samba] samba file hierarchy issue
> -----Original Message-----
> From: Bruno Martins [mailto:bmomart...@gmail.com]
> Sent: 30 December 2011 14:43
> To: samba@lists.samba.org
> Subject: Re: [Samba] samba file hierarchy issue
>
> On Fri, Dec 30, 2011 at 2:15 PM, korhan yazgan korhanyaz...@gmail.com wrote:
>> Hi
>>
>> I try to configure a samba file server and create a file hierarchy for clients to view folders. What I try to do is as below:
>>
>> I wanted to create a folder x with no password and other folders w,y,z inside folder x with password. So users can enter and view x folder content but can't view w,y,z folder contents without password.
>>
>> But my clients that connect to samba server can't view a folder hierarchy, they can just see the single folders that I defined in the smb.conf.
>>
>> Is it possible to create a folder hierarchy in samba server for clients?
>>
>> Thanks
>> Korhan
>
> I think it's only possible by setting permissions, either Windows ACL or POSIX ACL.

This hierarchy works for us:

    drwxr-xr-x 50 root root      4096 Aug 19 16:00 dat/
    drwxrws--- 36 root personnel 4096 Dec 22 15:49 dat/personnel
    drwxrwxr-x 30 root root      4096 Jul 28 19:36 publish/
    drwxrwsr-x  3 root personnel 4096 Apr  4  2011 publish/personnel

where dat and publish are both shares:

    [dat]
        comment = Group files
        path = /samba/dat
        create mask = 0744
        directory mask = 02770
        force directory mode = 02000

    [pub]
        comment = Published files
        path = /samba/pub
        create mask = 0664
        directory mask = 02775
        force directory mode = 02775
        guest ok = Yes

Only logged-in members of the personnel group can read or write to files in dat/personnel; anyone can read files in pub/personnel but only logged-in members of the personnel group can write to it.

Moray.
To err is human; to purr, feline.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Architecture of remote system: Win7 or W2k8R2 ?
Hi,

is there a possibility to distinguish Windows 7 and Windows Server 2008 R2? The architecture variable %a doesn't know Windows 7 or Server 2008 R2.

Best,
Alex
[Samba] Samba Folder Permissions
Hello list members,

my name is Stefan, this is my first post to this mailing list, so please bear with me. ;)

I am working as a Network Administrator of a small Office Network. We use Debian Server as Samba PDC and Fileserver. The Domain runs pretty well with all the Windows 7 Clients. I have just one thing that bugs me. In the groupshare we set up, users can only access folders that are world readable, for some reason. As a temporary fix I put all users into the Domain Admin group, so they can at least use the groupshare. But first of all you probably want to know the details.

The Samba Version is 3.5.6

This is my smb.conf:
---
[global]
    netbios name = SCM-SRV-01
    server string = Domain Server (%h)
    workgroup = SCM
    interfaces = eth1 eth2 eth3
    bind interfaces only = yes
    security = user
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    local master = yes
    preferred master = yes
    os level = 200
    domain master = yes
    domain logons = yes
    logon path = \\%L\%U\profile
    logon drive = h:
    logon script = login.bat
    profile acls = yes
    hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/
    hide dot files = yes
    wins support = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    socket options = TCP_NODELAY

#=== Share Definitions ===

[homes]
    comment = Home Directories
    browseable = no
    valid users = %S
    writeable = yes
    create mode = 0600
    directory mode = 0700

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = yes
    writeable = no
    share modes = no

[groups]
    writable = yes
    path = /home/groups
    force group = users
    comment = All group folders
    create mode = 660
    directory mode = 770
---

Output of net groupmap list:

    Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) - users
    Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) - guests
    Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) - domainadmin
---

Like I said everything works well, except the permissions in the share [groups]. All linux (and therefore domain) users are in the primary group users. All the employees are in the group 'mitarbeiter'. So if I set /home/groups to

    drwxr-x-- 11 root users 4096 2. Jan 13:08 groups/

the share is not accessible. Even though all users are in the group users and should therefore be able to read that folder. If I put users into the domainadmin group, group permissions work as expected. All employees can access subfolders of groups which are readable to mitarbeiter (but not others they have no permissions for) and can also read the content of /home/groups. So the mapping of unix groups from Windows7 works without problems. Folder permission in Samba can only be realized if I make folders world readable, which is not what I want for all folders.

After extensive internet research I could not figure out what I am doing wrong. I also had similar samba setups where unix group permissions always were correctly used in samba. I suspect it being a problem with domain groups and their mapping. I also tried to create some samba Domain Groups and map them to the local unix groups, which didn't make a difference either.

So I hope anybody on this list knows what the problem is. I am happy to give more information as needed!

Thanks,
Stefan Horning
Re: [Samba] Samba Folder Permissions
Check your extended ACL permissions and verify that they are enabled for your kernel.

On 01/03/2012 09:05 AM, Stefan Horning wrote:
> [...]
Re: [Samba] limiting netbios browsing
From: Chris Smith smb...@chrissmith.org
Date: Mon, 2 Jan 2012 14:29:43 -0500

> Given a DC environment where very few (1-3) hosts actually need to be discovered via browsing is there a good way to limit what is browseable?

To set browse list = no solves your issue?

---
TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] Samba Folder Permissions
Hi Aaron,

thanks for your reply. I already have the /home Partition mounted with ACL enabled. However I don't use ACL permissions for the described folders. If I would set permissions with setfacl I would just give the same permissions than with unix rights. I only need one group to have rwx access, nothing more. In other samba setups I used, that was never a problem, but those were no Domain setups...

Stefan

On 03.01.2012 17:31, Aaron E. wrote:
> Check your extended ACL permissions and verify that they are enabled for your kernel.
>
> On 01/03/2012 09:05 AM, Stefan Horning wrote:
>> [...]
Re: [Samba] limiting netbios browsing
On Tue, Jan 3, 2012 at 11:59 AM, TAKAHASHI Motonobu mo...@monyo.com wrote:
> To set browse list = no solves your issue?

I think that may do what I want. Just need to make sure that the Domain Controller can be discovered by the clients.

Thanks!
Re: [Samba] Architecture of remote system: Win7 or W2k8R2 ?
On Tue, Jan 03, 2012 at 11:24:37AM +0100, Alexander Födisch wrote:
> Hi,
>
> is there a possibility to distinguish Windows 7 and Windows Server 2008 R2? The architecture variable %a doesn't know Windows 7 or Server 2008 R2.

No way to do that at present. I looked into this a while ago and it's a little difficult as different versions of Vista send different SMB2 version strings, so it's hard even to tell different patch levels of Windows Vista from each other.

If you can spot something in the negprot packet that's unique for each version let me know and I'll code it up.

Jeremy.
Re: [Samba] Interoperability with MAC OSX clients, resource forks, xattrs
Hi Frank,

I'm working on an adouble backend for _Netatalk_ which will store all Mac extra data in extended attributes. As you've noticed most filesystems limit the maximum size of EAs, therefore the new adouble module will split Mac resource forks larger than this limit into multiple EAs.

even though it's getting slightly off topic now, this might also be interesting for the vfs_streams_xattr module. During my tests I realized that EAs are treated as some kind of second class citizens by the linux kernel when compared against the data of a file. You can already see it on the prototype of getxattr() that just allows to read or write the complete EA value, but not parts of it or seeking.

Even worse, the kernel needs to allocate the value buffer as a contiguous block of kernel memory - up to 64k on XFS or reiserfs. This is a quite ambitious operation in kernel space and it failed several times on my test server even though it is equipped with 8G RAM and was just serving one OSX client at that time. You see these nice 'order 4 allocation failed' logs in the dmesg output then, also causing the getxattr() or setxattr() operation to fail.

I don't want to discourage you - but you may have a hard time getting this idea to run stable.

Stefan
Re: [Samba] Samba Folder Permissions
Stefan,

I'm not certain as to the cause of your problem, but as a test, try adding to [global] == map untrusted to domain = Yes to see if there is any improvement.

Do you need force group = users? If uncertain, try turning it off.

To satisfy my curiosity, what is the output of getfacl /home/groups?

Dale

On 01/03/2012 11:43 AM, Stefan Horning wrote:
> [...]
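Added example, not code from any message in this thread: the owner/group/other decision behind the modes in Moray's dat/publish listing and behind Stefan's /home/groups directory, evaluated for sessions with different gid sets. The uids, gids and the 0750 reading of Stefan's listing are assumptions, and ACL entries are ignored.

```python
"""Owner/group/other evaluation for a directory chain (constructed data)."""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx triplet


@dataclass(frozen=True)
class Node:
    name: str
    mode: int  # octal mode as shown by ls, e.g. 0o2770
    uid: int
    gid: int


@dataclass(frozen=True)
class Token:
    """Identity the file server acts as: uid plus every gid it holds."""
    uid: int
    gids: frozenset


def class_bits(node: Node, tok: Token) -> int:
    """Pick exactly one triplet: owner, else group, else other (no fall-through)."""
    if tok.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in tok.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def allowed(chain, tok: Token, want: int) -> bool:
    """True if tok can search (x) every parent and holds `want` on the last node.

    Simplifications: no POSIX/NFSv4 ACL entries, and uid 0 bypasses mode bits.
    """
    if tok.uid == 0:
        return True
    *parents, leaf = chain
    if any(not (class_bits(p, tok) & X) for p in parents):
        return False
    return (class_bits(leaf, tok) & want) == want


# Constructed ids; only the names and modes come from the thread.
ROOT, USERS, PERSONNEL, NOBODY = 0, 100, 1001, 65534

DAT = Node("dat", 0o755, ROOT, ROOT)
DAT_PERSONNEL = Node("dat/personnel", 0o2770, ROOT, PERSONNEL)
PUBLISH = Node("publish", 0o775, ROOT, ROOT)
PUBLISH_PERSONNEL = Node("publish/personnel", 0o2775, ROOT, PERSONNEL)
GROUPS = Node("/home/groups", 0o750, ROOT, USERS)  # assumed reading of the listing
GROUPS_WORLD = Node("/home/groups", 0o755, ROOT, USERS)  # world-readable variant

member = Token(2001, frozenset({USERS, PERSONNEL}))
outsider = Token(2002, frozenset({USERS}))
guest = Token(NOBODY, frozenset({NOBODY}))
no_users_gid = Token(2003, frozenset({2003}))  # gid set that lacks "users"


def report():
    """Return (description, result) rows for the cases discussed in the thread."""
    return [
        ("member reads dat/personnel", allowed([DAT, DAT_PERSONNEL], member, R | X)),
        ("outsider reads dat/personnel", allowed([DAT, DAT_PERSONNEL], outsider, R | X)),
        ("guest reads publish/personnel", allowed([PUBLISH, PUBLISH_PERSONNEL], guest, R | X)),
        ("guest writes publish/personnel", allowed([PUBLISH, PUBLISH_PERSONNEL], guest, W | X)),
        ("member writes publish/personnel", allowed([PUBLISH, PUBLISH_PERSONNEL], member, W | X)),
        ("gid set with users, 0750 groups", allowed([GROUPS], outsider, R | X)),
        ("gid set without users, 0750 groups", allowed([GROUPS], no_users_gid, R | X)),
        ("gid set without users, 0755 groups", allowed([GROUPS_WORLD], no_users_gid, R | X)),
    ]


if __name__ == "__main__":
    for label, ok in report():
        print(f"{'ALLOW' if ok else 'DENY ':5}  {label}")
```

On a real server, `id <user>` shows the gid set to compare against the directory's group.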
[Samba] samba bugzilla access denied
Is this normal or a bug? When accessing samba's bugzilla for bug #8674 I get an access denied:

    You are not authorized to access bug #8674

A bug in bugzilla? I know Microsoft hides bugs and fixes, didn't know it happened in open source.
Re: [Samba] samba bugzilla access denied
On Tue, Jan 03, 2012 at 04:26:06PM -0500, Chris Smith wrote:
> Is this normal or a bug? When accessing samba's bugzilla for bug #8674 I get an access denied:
>
>     You are not authorized to access bug #8674
>
> A bug in bugzilla? I know Microsoft hides bugs and fixes, didn't know it happened in open source.

If it's something reported to us that we think might be relevant for security it can happen. Sorry.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
[Samba] Samba on FreeNAS permissions
Hi list,

I am having a weird issue with samba as included with FreeNAS 8.0.2. All my users are in LDAP, and the local server can see and authenticate LDAP users via other mechanisms like SSH. When I log into this FreeNAS machine via SSH, the server understands group permissions and all works as expected. The filesystem that the share is on is ZFS and FreeNAS is based on FreeBSD.

My issue is, when I mount a CIFS share from a Windows workstation to the FreeNAS Samba server, secondary group permissions are not honoured.

In a bit more detail. I have a user in LDAP called alex.ferrara with the primary group of Domain Users and I can mount CIFS shares just fine. The main CIFS share destination directory is set to mode 2775 with the owner root and group Domain Users. My user can create files as you would expect. So far so good.

The problem comes in when I have a directory underneath the main share that is owned by root and group Domain Admins. My user is a member of the domain admins group and I can create files if I log in via SSH, but when I access the same directory via CIFS, I get the message "You need permission to perform this action."

The version of Samba is 3.5.11 and my config file is included below.

[global]
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    deadtime = 15
    display charset = LOCALE
    max log size = 10
    syslog only = yes
    syslog = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    getwd cache = yes
    guest account = nobody
    map to guest = Bad Password
    netbios name = server
    workgroup = DOMAIN
    server string = FreeNAS Server
    use sendfile = yes
    large readwrite = no
    store dos attributes = yes
    security = user
    passdb backend = ldapsam:ldap://10.16.0.10
    ldap admin dn = cn=admin,dc=domain
    ldap suffix = dc=domain
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap ssl = off
    ldap replication sleep = 1000
    ldap passwd sync = yes
    #ldap debug level = 1
    #ldap debug threshold = 1
    ldapsam:trusted = yes
    idmap uid = 1-3
    idmap gid = 1-3
    create mask = 0664
    directory mask = 0775
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 3
    aio read size = 1
    aio write size = 1

[share]
    path = /mnt/data/share
    printable = no
    veto files = /.snap/.windows/
    writeable = yes
    browseable = yes
    inherit owner = yes
    inherit permissions = yes
    vfs objects = zfsacl recycle
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    inherit acls = Yes
    map archive = No
    map readonly = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes

Alex Ferrara
Director
Receptive IT Solutions
P 0403 604 604
F (02) 4822 7700
E a...@receptiveit.com.au
W www.receptiveit.com.au
Re: [Samba] samba bugzilla access denied
On Tue, Jan 3, 2012 at 4:35 PM, Volker Lendecke volker.lende...@sernet.de wrote:
> If it's something reported to us that we think might be relevant for security it can happen. Sorry.

Thought that might be a possibility.

Thanks,
Chris
[Samba] Samba Freezes accessing shares/ low performance
Hey!

I have a problem with samba as is noticed, in fact, I have two, and I will start in order.

When accessing the shares on my samba server, it sometimes freezes. I have the latest version, 3.6.1, but since version 3.4, which was the first I used, I've been running into these problems. When I try to browse the shares, many times, like 1 in 10, it freezes and sometimes, when saving files, it fails at the first command and only at the second command to save it does so.

My other problem is with samba's very low performance. I have 50 computers on the office, have 1000mbps connections, 3 1000mbps ports being used just for samba as a bond, and still the performance is very low. My server is a hp dl380 g6 with 24GB of memory, dual xeon at 2.4Ghz and 2 Sas controllers with 1024MB memory each, so I shouldn't be experiencing any delay.

I'll put a dump of both my smb.conf and smbd.log. Hope to get some help because this is driving me crazy!!!

*smb.conf*

#Date: 2011/02/19 00:34:22
[global]
    security = user
    workgroup = NLAdomain
    netbios aliases = NLSRV
    server string = NLSRV
    name resolve order = wins host bcast
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
    os level = 255
    interfaces = bond0 lo
    preferred master = Yes
    domain master = Yes
    domain logons = Yes
    wins support = Yes
    admin users = vleal, joaoluis
    time server = yes
    logon script = netlogon.bat
    logon path = \\%L\profiles\%U.msprofile
    oplocks = yes
    level 2 oplocks = yes
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false '%u'
    add user script = /usr/sbin/useradd -s /bin/bash -m %u
    local master = Yes
    netbios name = NLSRV
    nt acl support = yes
    log file = /var/log/samba/%m.log
    log level = 4
    max log size = 50
    max xmit = 65535
    dead time = 0
    dns proxy = no
    smb ports = 445
    printcap name = /dev/null
    password server = None
    load printers = no
    printing = bsd
    veto oplock files = /*jpg/*psd/*max/*png/

#[homes]
    #comment = Home Directories
    #valid users = %S, %D%w%S
    #inherit acls = Yes
    #browseable = No

[profiles]
    comment = Network Profiles Service
    path = /home/samba/profiles
    read only = No
    create mask = 0600
    hide files = /destop.ini/outlook*.lnk/*Briefcase*/
    store dos attributes = Yes
    browseable = No

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/
    browseable = No

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes
    browseable = No

#[printers]
    # comment = All Printers
    #path = /var/tmp
    #create mask = 0600
    #printable = Yes
    #browseable = No

#[print$ ]
    #comment = Printer Drivers
    #path = /var/lib/samba/drivers
    #write list = @ntadmin, root
    #force group = ntadmin
    #create mask = 0664
    directory mask = 0775

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    write list = root
    read only = No
    browseable = no

[gg]
    comment = Grafica_Geral
    path = /gg
    read only = No
    hide files = /lost+found/Thumbs.db
    force create mode = 0774
    directory mask = 0774
    force user = root
    force group = samba-domain-users

[g3d]
    comment = Grafica_3d
    path = /g3d
    read only = No
    inherit acls = Yes
    hide files = /lost+found/Thumbs.db
    force create mode = 0774
    directory mask = 0774
    force user = root
    force group = samba-domain-users

[adm]
    comment = Administrativa
    path = /adm
    read only = No
    inherit acls = Yes
    inherit permissions = Yes
    hide files = /lost+found/Thumbs.db
    force create mode = 0770
    directory mask = 0770
    #force user = root
    #force group = samba-domain-users

[prj]
    comment = Projecto
    path = /prj
    read only = No
    inherit acls = Yes
    hide files = /lost+found/Thumbs.db
    force create mode = 0774
    directory mask = 0774
    force user = root
    force group = samba-domain-users

[sw]
    comment = Software
    path = /adm/software
    read only = No
    valid users = @software
    hide files = /Thumbs.db
    #force create mode = 0774
    #directory mask = 0774
    #force user = root
    force group = software

[bkp]
    comment = Backup
    path = /bkp
    read only = No
    inherit acls = Yes
    hide files = /Thumbs.db/lost+found
    force create mode = 0770
    directory mask = 0770
    force user = root
    force group = samba-domain-admins
    browseable = no

*smbd.log*

Found policy hnd[0] [] 00 00 00 00 05 00 00 00 00 00 00 00 03 4F D4 6A .O.j
[0010] 86 15 00 00
[2012/01/03 20:53:40.219505, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
Found policy hnd[0] [] 00 00 00 00 05 00 00 00 00 00 00 00 03 4F D4 6A .O.j
[0010] 86 15 00 00
[2012/01/03 20:53:40.219565, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
Found policy hnd[0] [] 00 00 00 00 05 00 00 00 00 00 00 00 03 4F D4 6A
[Samba] The Group Policy Client service failed the logon. Access is denied.
Hello all,

Let me give the background. We replaced our PDC with a new machine. Both old and new machines are running Debian 6.0 Squeeze and Samba 3.5.6. Moved all data and user accounts to new server. New server has the exact same configuration files as the old server. All machines have been rejoined to the domain, both WinXP and Win7.

The WinXP machines work perfectly, all domain users can login with their roaming profiles and all is good. However on the Win7 machines none of the network users can log in to the machine. Upon attempting you get this error: "The Group Policy Client service failed the logon. Access is denied."

After Googling around for a solution I have attempted the following solutions:

1) Delete the roaming profile
   Machine recreates the roaming profile but denies login
2) Delete registry key from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Profilelist\[USERSKEY]
   Machine recreates the key but denies login
3) Both 1 & 2 at the same time
   Machine recreates the roaming profile and the key but denies login

Any pointers would be greatly appreciated, see smb.conf file below.

[global]
    smb passwd file = /etc/samba/passdb.tdb
    enable privileges = yes
    logon drive = H:
    domain master = yes
    encrypt passwords = true
    logon home = \\%L\%U
    netbios name = ARDVARC
    server string = Gaudior's PDC
    logon script = logon.bat
    local master = yes
    workgroup = GAUACA
    logon path = \\%L\%U\profile
    os level = 99
    security = user
    add machine script = /usr/sbin/useradd -s /bin/false \-d /dev/null %u
    preferred master = yes
    domain logons = yes
    hide files = /desktop.ini/$RECYCLE.BIN/profile/profile.V2/
    guest account = nobody
    map to guest = bad user
    wins support = yes

[staff]
    comment = staff share drive
    path = /home/staff/share
    read only = no
    ;valid users =

[student]
    comment = student share by level
    path = /home/student/share
    read only = no

[netlogon]
    comment = Net Logon Service
    path = /home/netlogon
    read only = yes
    write list = root
    public = yes
    guest ok = yes
    browsable = no

[homes]
    comment = Home
    valid users = %S
    read only = no
    browsable = no

--
Mathew E. Enders

Where once Samba and Apache sold Linux to the world they are now just part of the plumbing. But that's OK, plumbers make good money. --Jeremy Allison
[Samba] write permissions with drag and drop
Hello

I've configured the following share in smb.conf:

[wp]
path=/backup0/wp
browseable = yes
valid users = admin
writable = no
read only = yes
create mask = 0400
directory mask = 0400
printable = no

Logged in as admin user, when I run a .bat script I can't copy any file in this share. This is OK. But I can copy a file in this share by dragging it with Windows Explorer.

How can I prevent this?

smbd -V gives: Version 3.5.6

Regards
--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
1750, chemin du Lavarin, 84000 Avignon
Telephone: 04.90.27.57.44
E-mail: h.hen...@isc84.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bed281d s3: Remove the unused file_existed parameter from smbd_calculate_access_mask via c01f02a s3: Avoid file_existed in smbd_calculate_maximum_allowed_access via 49a5202 s3: Remove some else{} branches in smbd_calculate_maximum_allowed_access via 8cadd19 s3: Directly use *p_access_mask in smbd_calculate_maximum_allowed_access via a5a4b58 s3: Factor out smbd_calculate_maximum_allowed_access from f66ef5c upgradeprovision: do not hold references to messageElements http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bed281dad774cfe3c828552740de70072b4901b5 Author: Volker Lendecke v...@samba.org Date: Fri Dec 16 18:56:40 2011 +0100 s3: Remove the unused file_existed parameter from smbd_calculate_access_mask Autobuild-User: Volker Lendecke vlen...@samba.org Autobuild-Date: Tue Jan 3 15:16:50 CET 2012 on sn-devel-104 commit c01f02a4b97de453a0db7feb3c2d323f05fac7f6 Author: Volker Lendecke v...@samba.org Date: Fri Dec 16 18:51:19 2011 +0100 s3: Avoid file_existed in smbd_calculate_maximum_allowed_access We access the file by name anyway, so we can just try to access it. The file system will for sure tell us if the file does not exist. 
commit 49a520217ceb04cbd4278a3bce7cb1f8dd04b018 Author: Volker Lendecke v...@samba.org Date: Fri Dec 16 18:47:03 2011 +0100 s3: Remove some else{} branches in smbd_calculate_maximum_allowed_access commit 8cadd19a91cc4cded493b9ba5dec821f93dcfb54 Author: Volker Lendecke v...@samba.org Date: Fri Dec 16 18:45:14 2011 +0100 s3: Directly use *p_access_mask in smbd_calculate_maximum_allowed_access commit a5a4b581b7b428621da5477994f0413443fa6bcb Author: Volker Lendecke v...@samba.org Date: Fri Dec 16 18:42:30 2011 +0100 s3: Factor out smbd_calculate_maximum_allowed_access --- Summary of changes: source3/smbd/fake_file.c |1 - source3/smbd/globals.h |1 - source3/smbd/open.c| 105 ++-- source3/smbd/smb2_create.c |5 -- 4 files changed, 62 insertions(+), 50 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/fake_file.c b/source3/smbd/fake_file.c index 2b31ba5..95f6f93 100644 --- a/source3/smbd/fake_file.c +++ b/source3/smbd/fake_file.c @@ -130,7 +130,6 @@ NTSTATUS open_fake_file(struct smb_request *req, connection_struct *conn, NTSTATUS status; status = smbd_calculate_access_mask(conn, smb_fname, - false, /* fake files do not exist */ access_mask, access_mask); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, (open_fake_file: smbd_calculate_access_mask diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index 02527e7..631298b 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -214,7 +214,6 @@ bool smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx, NTSTATUS smbd_calculate_access_mask(connection_struct *conn, const struct smb_filename *smb_fname, - bool file_existed, uint32_t access_mask, uint32_t *access_mask_out); diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 587093a..dbc4dba 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c 
@@ -1476,9 +1476,64 @@ static void schedule_defer_open(struct share_mode_lock *lck, Work out what access_mask to use from what the client sent us. / +static NTSTATUS smbd_calculate_maximum_allowed_access( + connection_struct *conn, + const struct smb_filename *smb_fname, + uint32_t *p_access_mask) +{ + struct security_descriptor *sd; + uint32_t access_granted; + NTSTATUS status; + + if (get_current_uid(conn) == (uid_t)0) { + *p_access_mask |= FILE_GENERIC_ALL; + return NT_STATUS_OK; + } + + status = SMB_VFS_GET_NT_ACL(conn, smb_fname-base_name, + (SECINFO_OWNER | +SECINFO_GROUP | +SECINFO_DACL),sd); + + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { + /* +* File did not exist +*/ + *p_access_mask = FILE_GENERIC_ALL; + return NT_STATUS_OK; + } + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,(smbd_calculate_access_mask: + Could not get acl on file %s: %s\n, + smb_fname_str_dbg(smb_fname), + nt_errstr(status)));
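Review bot: In the new smbd_calculate_maximum_allowed_access() in source3/smbd/open.c, the root shortcut ORs FILE_GENERIC_ALL into *p_access_mask while the NT_STATUS_OBJECT_NAME_NOT_FOUND branch assigns it, so the two "grant everything" paths leave different bits set; please make them consistent or add a comment saying why the not-found case must overwrite. That branch hands out FILE_GENERIC_ALL purely on the status returned by SMB_VFS_GET_NT_ACL, so the "File did not exist" comment should also state that every VFS backend is expected to return this status only when the name really is absent. Minor: the DEBUG(10, ...) text still names smbd_calculate_access_mask although it now sits in the factored-out function.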
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via cd3a935 s3: Fix a cutpaste error via 0923e7f s3: Fix a typo from bed281d s3: Remove the unused file_existed parameter from smbd_calculate_access_mask http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit cd3a935d0e170cf82ac16ee99affab4950fe0b72 Author: Volker Lendecke v...@samba.org Date: Tue Jan 3 15:20:09 2012 +0100 s3: Fix a cutpaste error Autobuild-User: Volker Lendecke vlen...@samba.org Autobuild-Date: Tue Jan 3 16:57:44 CET 2012 on sn-devel-104 commit 0923e7fa39f18a9717230d82c4f3488391e7e961 Author: Volker Lendecke v...@samba.org Date: Tue Jan 3 15:13:48 2012 +0100 s3: Fix a typo --- Summary of changes: source3/torture/torture.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 9e16bac..619f92d 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -3778,7 +3778,7 @@ static bool run_oplock4(int dummy) ev = tevent_context_init(talloc_tos()); if (ev == NULL) { - printf(tevent_req_create failed\n); + printf(tevent_context_init failed\n); return false; } @@ -3802,7 +3802,7 @@ static bool run_oplock4(int dummy) open_req = cli_openx_send( talloc_tos(), ev, cli2, fname_ln, O_RDWR, DENY_NONE); - if (oplock_req == NULL) { + if (open_req == NULL) { printf(cli_openx_send failed\n); return false; } -- Samba Shared Repository
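Review bot: The second run_oplock4 hunk in source3/torture/torture.c corrects the NULL check after cli_openx_send() from oplock_req to open_req, but the commit message "Fix a cutpaste error" does not record that a failed open request could previously pass this check unnoticed; a one-line body saying so would help anyone bisecting a flaky oplock4 run. It is also worth confirming that oplock_req has its own NULL check directly after the call that creates it, since that call is outside this hunk.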
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 909056a s3-cli: fix bug 563, 8GB tar on BE machines from cd3a935 s3: Fix a cutpaste error http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 909056a2daacd961b40158b86bc117650a897054 Author: Masafumi Nakayama mas...@jp.ibm.com Date: Wed Nov 2 10:35:19 2011 +0100 s3-cli: fix bug 563, 8GB tar on BE machines Borrows on existing patches proposed by Craig Barratt and Brad Ellis. Signed-off-by: David Disseldorp dd...@suse.de Autobuild-User: David Disseldorp dd...@samba.org Autobuild-Date: Tue Jan 3 18:31:28 CET 2012 on sn-devel-104 --- Summary of changes: source3/client/clitar.c | 22 +- 1 files changed, 17 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/client/clitar.c b/source3/client/clitar.c index 5943926..bf18e54 100644 --- a/source3/client/clitar.c +++ b/source3/client/clitar.c @@ -188,8 +188,10 @@ static void writetarheader(int f, const char *aname, uint64_t size, time_t mtime memset(hb.dbuf.size, 0, 4); hb.dbuf.size[0]=128; - for (i = 8, jp=(char*)size; i; i--) - hb.dbuf.size[i+3] = *(jp++); + for (i = 8; i; i--) { + hb.dbuf.size[i+3] = size 0xff; + size = 8; + } } oct_it((uint64_t) mtime, 13, hb.dbuf.mtime); memcpy(hb.dbuf.chksum, , sizeof(hb.dbuf.chksum)); @@ -291,7 +293,17 @@ of link other than a GNUtar Longlink - ignoring\n)); finfo-mtime_ts = finfo-ctime_ts = convert_time_t_to_timespec((time_t)strtol(hb-dbuf.mtime, NULL, 8)); finfo-atime_ts = convert_time_t_to_timespec(time(NULL)); - finfo-size = unoct(hb-dbuf.size, sizeof(hb-dbuf.size)); + if ((hb-dbuf.size[0] 0xff) == 0x80) { + /* This is a non-POSIX compatible extention to extract files + greater than 8GB. */ + finfo-size = 0; + for (i = 0; i 8; i++) { + finfo-size = 8; + finfo-size |= hb-dbuf.size[i+4] 0xff; + } + } else { + finfo-size = unoct(hb-dbuf.size, sizeof(hb-dbuf.size)); + } return True; } 
@@ -1005,8 +1017,8 @@ static int skip_file(int skipsize) static int get_file(file_info2 finfo) { uint16_t fnum = (uint16_t) -1; - int pos = 0, dsize = 0, bpos = 0; - uint64_t rsize = 0; + int dsize = 0, bpos = 0; + uint64_t rsize = 0, pos = 0; NTSTATUS status; DEBUG(5, (get_file: file: %s, size %.0f\n, finfo.name, (double)finfo.size)); -- Samba Shared Repository
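Review bot: In the writetarheader() hunk of source3/client/clitar.c, the new loop shifts the size parameter itself down to zero while filling hb.dbuf.size[4..11], so any later use of size in this function would see 0; copying it to a local first keeps the argument intact. The removed loop was the only visible user of jp, and the 5 deletions in the diffstat are all accounted for by the three hunks shown, so please check that the jp declaration does not remain as an unused variable.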
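Review bot: The @@ -291 hunk of source3/client/clitar.c accepts the base-256 size form when the first byte of hb->dbuf.size is 0x80 and then reads only bytes 4 to 11, so bytes 1 to 3 are ignored rather than checked to be zero; since this header comes from the archive being restored, rejecting a non-zero value there would avoid silently truncating an oversized field. The loop uses i, whose declaration is not in the hunk, so confirm it exists in this function, and the new comment has a typo ("extention").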
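Review bot: In the get_file() hunk (@@ -1005) of source3/client/clitar.c, pos becomes uint64_t while dsize and bpos stay int on the line above it, so any arithmetic or comparison that mixes pos with them is now a signed/unsigned mix; please audit those uses in the function body, which the hunk does not show, and mention in the commit message that this widening is part of the large-file fix.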
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6a1201a dlz_bind9: create session info from PAC using auth context from 909056a s3-cli: fix bug 563, 8GB tar on BE machines http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6a1201a67b36bc1bb3214ee911b130c4affb8dec Author: Amitay Isaacs ami...@gmail.com Date: Tue Jan 3 15:39:20 2012 +1100 dlz_bind9: create session info from PAC using auth context This fixes the creation of session info from PAC, after changes in gensec code. Autobuild-User: Amitay Isaacs ami...@samba.org Autobuild-Date: Wed Jan 4 01:59:09 CET 2012 on sn-devel-104 --- Summary of changes: source4/dns_server/dlz_bind9.c | 66 +++ 1 files changed, 59 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c index 97eaac8..549ae0d 100644 --- a/source4/dns_server/dlz_bind9.c +++ b/source4/dns_server/dlz_bind9.c @@ -54,6 +54,7 @@ struct dlz_bind9_data { /* Used for dynamic update */ struct smb_krb5_context *smb_krb5_ctx; + struct auth4_context *auth_context; struct auth_session_info *session_info; char *update_name; 
@@ -463,6 +464,50 @@ static isc_result_t parse_options(struct dlz_bind9_data *state, /* + * Create session info from PAC + * This is called as auth_context-generate_session_info_pac() + */ +static NTSTATUS b9_generate_session_info_pac(struct auth4_context *auth_context, +TALLOC_CTX *mem_ctx, +struct smb_krb5_context *smb_krb5_context, +DATA_BLOB *pac_blob, +const char *principal_name, +const struct tsocket_address *remote_addr, +uint32_t session_info_flags, +struct auth_session_info **session_info) +{ + NTSTATUS status; + struct auth_user_info_dc *user_info_dc; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); + + status = kerberos_pac_blob_to_user_info_dc(tmp_ctx, + *pac_blob, + smb_krb5_context-krb5_context, + user_info_dc, + NULL, + NULL); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(tmp_ctx); + return status; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc, + session_info_flags, session_info); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(tmp_ctx); + return status; + } + + talloc_free(tmp_ctx); + return status; +} + + +/* called to initialise the driver */ _PUBLIC_ isc_result_t dlz_create(const char *dlzname, @@ -473,7 +518,6 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname, const char *helper_name; va_list ap; isc_result_t result; - TALLOC_CTX *tmp_ctx; struct ldb_dn *dn; NTSTATUS nt_status; @@ -482,8 +526,6 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname, return ISC_R_NOMEMORY; } - tmp_ctx = talloc_new(state); - /* fill in the helper functions */ va_start(ap, dbdata); while ((helper_name = va_arg(ap, const char *)) != NULL) { 
@@ -527,8 +569,14 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname, nt_status = gensec_init(); if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return false; + result = ISC_R_NOMEMORY; + goto failed; + } + + state-auth_context = talloc_zero(state, struct auth4_context); + if (state-auth_context == NULL) { + result = ISC_R_NOMEMORY; + goto failed; } if (state-options.url == NULL) { @@ -559,9 +607,13 @@ _PUBLIC_ isc_result_t dlz_create(const char *dlzname, state-log(ISC_LOG_INFO, samba_dlz: started for DN %s, ldb_dn_get_linearized(dn)); + state-auth_context-event_ctx = state-ev_ctx; + state-auth_context-lp_ctx = state-lp; + state-auth_context-sam_ctx = state-samdb; + state-auth_context-generate_session_info_pac = b9_generate_session_info_pac; + *dbdata = state; - talloc_free(tmp_ctx);
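Review bot: b9_generate_session_info_pac() in source4/dns_server/dlz_bind9.c calls auth_generate_session_info() with NULL for the two arguments after mem_ctx, while the later dlz_create() hunk fills auth_context->lp_ctx and auth_context->sam_ctx; if those NULLs are the lp_ctx and sam_ctx slots, pass the values from auth_context or comment why they are not needed. The function also ignores principal_name and remote_addr, passes NULL for the last two arguments of kerberos_pac_blob_to_user_info_dc(), and always sets AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; a short comment stating where the PAC is verified before this callback runs, and why simple privileges are always wanted, would make the trust assumption explicit. The two error paths and the success path each repeat talloc_free(tmp_ctx) and could share one exit.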
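Review bot: In the dlz_create() hunk at @@ -527, a gensec_init() failure is now reported as ISC_R_NOMEMORY, which misstates the cause; ISC_R_FAILURE, or logging nt_errstr(nt_status) before the goto, would be clearer. The replaced code returned false from a function typed isc_result_t, so the commit message should note that this error path changed behaviour as well as the PAC handling.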