Re: [Samba] Basic questions regarding Samba capabilities
First, I'm not sure if you're speaking of Samba 4 or just upgrading your S3 domain structure.. my comments are based on Samba 4, hope it helps..

Policies -- Group policy works with S4.. So whatever group policies you can set on a Windows DC you can set on the S4 DCs..

Scalability -- 1 PDC and several BDCs would be your answer. Essentially you're going to create the same infrastructure as you would with the Windows family of servers. Instead of multiple PDCs you'd use BDCs in different VLANs.. or RODCs, but I am not sure where the RODCs are in terms of completeness.

Backend -- OpenLDAP isn't supported as a back-end.. I believe that your only option is to use the built-in Samba 4 back-end at this point..

Compatibility -- there are no special steps in joining Windows 7 or 2008 servers to the S4 domain.. There is an upgrade script that should pull your users and computers to the new domain; obviously this would require extensive testing in your environment.

On 05/20/2012 11:32 AM, Jason Voorhees wrote:

Hi people:

I've been using Samba for a long time with some basic features like Samba working as a PDC, integrated with OpenLDAP, being a print server, among others, for a small number of almost controlled users (no more than 30 or 50 users). But now I'm interested in implementing a Windows domain using Samba for a University with 6000-8000 users distributed through several VLANs, subnets, offices in a medium/big campus. I'd like to avoid using a proprietary solution like Windows 2008 with ADS, so I'd like to know some suggestions like these:

Policies:
===
- How well can Samba manage policies for workstations?
- Is it easy or safe to apply and/or remove policies from workstations?
- What kind of things can I allow or deny from succeeding in workstations using policies? For example: could I prevent users from changing the IP address of the workstation? Could I set a fixed wallpaper or Internet Explorer proxy settings on workstations?

Scalability
===
In a big scenario like the one I mentioned:
- How many BDCs would be needed? Is it enough to have 1 PDC and several BDCs?
- Is it possible to have multiple PDCs of the same domain, each one being in a different VLAN? Or, what's the right approach in terms of structure/architecture to implement PDCs and BDCs?

Backend
===
Definitely I plan to use OpenLDAP as backend but, similar to the previous question about BDCs: how many Master/Slave OpenLDAP servers do you think would be necessary? Could it be 1 BDC+OpenLDAP (slave or master) for each office or VLAN?

Compatibility:
===
- I know that there are some procedures to join Windows 7 to a Samba domain; I did this before successfully. Do you know - maybe - of another possible compatibility problem that you suggest I can be prepared for?
- If after some time (weeks, months or years) I plan to replace this Samba based domain with a Windows 2k ADS domain: is it possible to do this migration without problems? Isn't it necessary to reinstall the whole domain and rejoin all the workstations?

Technically I can investigate how to implement each of these features (policies, BDCs, OpenLDAP, etc...) but before taking a decision like this I would like to have some suggestions from people that have done similar implementations before. This help would be excellent for me, I hope someone can help.

Thanks
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Basic questions regarding Samba capabilities
In such a great environment as yours I would suggest having several PDCs in replication mode.

---
EDV Daniel Müller
Head of IT (Leitung EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Aaron E.
Sent: Monday, 21 May 2012 14:51
To: samba@lists.samba.org
Subject: Re: [Samba] Basic questions regarding Samba capabilities
[Samba] Can't populate LDAP directory with smbldap-populate
I have the following environment:

# cat /etc/redhat-release
CentOS release 5.8 (Final)
# uname -r
2.6.18-308.4.1.el5

I have installed smbldap-tools from http://download.gna.org/smbldap-tools/packages/el5/smbldap-tools-0.9.8-1.el5.noarch.rpm. Configured OpenLDAP, but when I try to populate the LDAP directory I get the following error messages:

# smbldap-populate -a Administrator -g 1 -l 1 -r 1 -u 1
Populating LDAP directory for domain SYSADM (S-1-5-21-206255134-223837211-2022137911)
(using builtin directory structure)
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, <DATA> line 303.
Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, <DATA> line 303.
entry already exist.
Please provide a password for the domain Administrator:
No such object at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 431.

# cat smbldap.conf | grep -v ^# | grep -v ^$
SID=S-1-5-21-206255134-223837211-2022137911
sambaDomain=SYSADM
slaveLDAP=localhost
slavePort=389
masterLDAP=localhost
masterPort=389
ldapTLS=0
ldapSSL=0
verify=none
suffix=dc=sys-adm,dc=local
usersdn=ou=Users,${suffix}
computersdn=ou=Computers,${suffix}
groupsdn=ou=Groups,${suffix}
idmapdn=ou=Idmap,${suffix}
sambaUnixIdPooldn=sambaDomainName=${sambaDomain},${suffix}
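The smbldap.conf fragment above is the kind of file worth checking mechanically before pointing smbldap-tools at a production directory: every `*dn` value is built from `${suffix}`, and `ldapTLS=0` / `ldapSSL=0` / `verify=none` decide whether the bind DN and password cross the network in the clear. The following is an added example, not part of smbldap-tools or of the post. It parses the settings quoted above (embedded as a constructed sample), expands the `${var}` references, and returns review findings; the remote host name used in the usage note is a placeholder.

```python
"""Parse an smbldap.conf fragment, expand its ${var} references and flag
settings a reviewer would question before using it against a real directory.

Added example, not part of smbldap-tools.  SAMPLE_CONF is constructed from the
values quoted in the post; any other host name is a placeholder."""
import re

# Constructed sample: the post's smbldap.conf with comments and blanks removed.
SAMPLE_CONF = """\
SID=S-1-5-21-206255134-223837211-2022137911
sambaDomain=SYSADM
slaveLDAP=localhost
slavePort=389
masterLDAP=localhost
masterPort=389
ldapTLS=0
ldapSSL=0
verify=none
suffix=dc=sys-adm,dc=local
usersdn=ou=Users,${suffix}
computersdn=ou=Computers,${suffix}
groupsdn=ou=Groups,${suffix}
idmapdn=ou=Idmap,${suffix}
sambaUnixIdPooldn=sambaDomainName=${sambaDomain},${suffix}
"""

_VAR = re.compile(r"\$\{(\w+)\}")
_LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_conf(text):
    """key=value lines -> dict.  Only the first '=' splits, so DN values keep
    their own '=' signs; surrounding double quotes are stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def expand(conf, key, _seen=()):
    """Resolve ${name} references (as smbldap-tools does for ${suffix}).
    An unknown name raises KeyError, a reference cycle raises ValueError."""
    if key in _seen:
        raise ValueError("cyclic reference: " + " -> ".join(_seen + (key,)))
    return _VAR.sub(lambda m: expand(conf, m.group(1), _seen + (key,)), conf[key])


def lint(conf):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    plaintext = conf.get("ldapTLS", "0") == "0" and conf.get("ldapSSL", "0") == "0"
    for host_key in ("masterLDAP", "slaveLDAP"):
        host = conf.get(host_key, "localhost")
        if plaintext and host not in _LOOPBACK:
            findings.append(f"{host_key}={host}: bind DN and password cross the network "
                            "in cleartext (ldapTLS=0, ldapSSL=0)")
    if not plaintext and conf.get("verify", "none") == "none":
        findings.append("verify=none: TLS is on but the server certificate is never checked")
    if not re.fullmatch(r"S-1-5-21-\d+-\d+-\d+", conf.get("SID", "")):
        findings.append("SID is not a well-formed domain SID (expected S-1-5-21-A-B-C)")
    suffix = expand(conf, "suffix")
    for key in conf:
        # every container DN (usersdn, groupsdn, ...) must live under the suffix
        if key.endswith("dn") and not expand(conf, key).endswith(suffix):
            findings.append(f"{key}={expand(conf, key)} is not under suffix {suffix}")
    return findings
```

With the values shown in the post `lint()` returns nothing, because both LDAP hosts are `localhost`; point `masterLDAP` at a remote server and the same `ldapTLS=0`/`ldapSSL=0` pair becomes a cleartext-credential finding. The script does not explain the `uninitialized value` warnings, which come from the template in the populate script's DATA section rather than from the configuration file.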
Re: [Samba] Can't populate LDAP directory with smbldap-populate
No, I don't. It's a testing environment, so the password is too simple - 1234567 :)

On Mon, May 21, 2012 at 4:58 PM, L.P.H. van Belle be...@bazuin.nl wrote:

> Hai,
> Are u using @#$%^*!() in your password? Try it out..
> Gr. Louis

-----Original message-----
From: alex@gmail.com [mailto:samba-boun...@lists.samba.org] On behalf of Alex Domoradov
Sent: 2012-05-21 15:55
To: samba@lists.samba.org
Subject: [Samba] Can't populate LDAP directory with smbldap-populate
Re: [Samba] Can't populate LDAP directory with smbldap-populate
Hai,

Are u using @#$%^*!() in your password? Try it out..

Gr. Louis

-----Original message-----
From: alex@gmail.com [mailto:samba-boun...@lists.samba.org] On behalf of Alex Domoradov
Sent: 2012-05-21 15:55
To: samba@lists.samba.org
Subject: [Samba] Can't populate LDAP directory with smbldap-populate
Re: [Samba] Basic questions regarding Samba capabilities
Hai,

> Backend -- OpenLDAP isn't supported as a back-end.. I believe that your only option is to use the built-in Samba 4 back-end at this point..

About the above: is it still possible to replicate the Samba AD/LDAP to other LDAP servers (without Samba), and will OpenLDAP be a supported backend in the future?

Best regards,
Louis
Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)
Early responses are not encouraging. It sounds like this was not an accident, but that they *intend* to obscure the root level of the share.

Might it work to try to downgrade my Samba installation to a version prior to the introduction of this bug? If so, do you know which version would be the latest to still work?

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Purcell, Scott
Sent: Saturday, May 19, 2012 6:21 PM
To: smfre...@gmail.com
Cc: samba@lists.samba.org; linux-c...@vger.kernel.org
Subject: Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)

I'll inquire. But we're a very Windows-centric shop -- I may be given the old "Working as designed... if it won't work on Linux you'll have to use Windows" routine...

Scott Purcell
Content Development: Linux, Virtualization, and Cloud Solutions
Dell | GSD Learning Development

From: Steve French [smfre...@gmail.com]
Sent: Saturday, May 19, 2012 10:25 AM
To: Purcell, Scott
Cc: jlay...@samba.org; li...@kukkukk.com; samba@lists.samba.org; linux-c...@vger.kernel.org
Subject: Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)

On Sat, May 19, 2012 at 9:52 AM, scott_purc...@dell.com wrote:

Is there any workaround? Fixing the permissions on the parent directory so it can be traversed is not possible?

From: Jeff Layton [jlay...@poochiereds.net] On Behalf Of Jeff Layton [jlay...@samba.org]
Sent: Saturday, May 19, 2012 7:37 AM
To: Purcell, Scott
Cc: li...@kukkukk.com; samba@lists.samba.org; linux-c...@vger.kernel.org
Subject: Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)

On Fri, 18 May 2012 16:32:29 -0500 scott_purc...@dell.com wrote:

Yes, I think that has been the normal behavior since our data was moved to this device. I assumed it was due to filesystem permissions -- that I don't have read access to the root level of the share, but do have r/w access to the /training/ directory below it.

Using smbclient, I get NT_STATUS_ACCESS_DENIED when I try:
ls
ls training
ls /training
ls /training/
but if I cd to training, I can list its contents.

BTW, I've tried appending the path in my mount command as well and mount.cifs still doesn't handle it:

Known problem since the superblock sharing patches went in. cifs.ko needs to establish a dentry and inode for the root of the share and then walks down to the prefixpath for the mount. Unfortunately if you don't have access to any point along that path, the mount will fail.

There have been a couple of proposals to fix it, but they've had their own problems. What probably needs to happen is to do something like what NFS does in its superblock sharing model. Allow several trees of dentries within a superblock and only connect them later if we happen to stumble across the right entry. See commit 54ceac45159 for an explanation of the model NFS uses for this.

--
Jeff Layton jlay...@samba.org
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Thanks,
Steve
Re: [Samba] : Server's root name change when log-in
On 09/05/2012 21:51, Gaiseric Vandal wrote:

For LDAP, as long as getent passwd shows your user and computer accounts, that is what really matters. Is Samba looking for users in your LDAP base (e.g. dc=univ-orleans,dc=fr)? If so it will see all users. However it will not distinguish between users in ou=people or ou=systeme. Any users you wish to have administrator privileges should be added to the Domain Admins group. Verify that you have a group mapping for Domain Admins.

# net groupmap list | grep "Domain Admins"
Domain Admins (S-1-5-21-XXX-XXX-XXX-512) -> Domain Admins

I have a unix group in LDAP called "Domain Admins" - my unix system allows groups with spaces in it. I don't know if yours will. Verify with

net rpc group MEMBERS "Domain Admins" -U Administrator

However, even if you are a system administrator, you should not normally be logged in as an admin-equivalent. Instead, you should only use an admin-equivalent account when you specifically need it.

If you wish to allow some users to add machines to the domain but not give them full admin privileges you should be able to grant the SeMachineAccountPrivilege right.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html

I don't understand the admin99 issue. You have a Samba user called admin99, and you use that to join a Windows machine to the domain? Where are you opening a terminal from? What does pbdedit -Lv admin99 show?

Hi back, sorry, very long weekend and other problems, but now I can answer.

It's very strange that with the command

$ net groupmap list | grep "Domain Admins"

I get every group in ou=groups listed in Domain Admins (I don't really know how the previous people did this; does it mean that everyone is a Domain Admin? How can I change this? I need only the people in ou=systeme to be Domain Admins).

I don't have a unix group in LDAP called Domain Admins, but there is an ou=systeme where all my admins are (admin99, admin41 etc...)

I've configured libnss-ldap and libpam-ldap to set up authentication between LDAP and Samba. I reference the URI of the LDAP server, the DN, and choose Unix authentication and LDAP authentication (with crypted md5), and I changed my /etc/nsswitch.conf from:

passwd: compat
group: compat
shadow: compat

to:

passwd: files ldap
group: files ldap
shadow: files ldap

Do I need to change anything else? Or am I wrong?

I've configured smb-ldap-tools and configured the sabldap_bind.conf file (dn and password) and smbldap.conf (SID, sambadomain, masterldap, ...). Do I really need this, because I don't use (in my case) smb-ldap-populate? I think I'm missing something :s

I have all my users from my LDAP with getent passwd.

For the admin99 issue: when I use libpam, libnss and ldap (started), and I try to join a Windows host to the domain, when it asks for the login and password I try admin45 and the password, it says "welcome to the domain" etc.., reboot. But on the server, if I open a new terminal, root's name changes to admin41. If I stop ldap for 5 minutes, it changes back to root.

"Where are you opening a terminal from?" - from the server.

"What does pbdedit -Lv admin99 show?" - I don't have the pbdedit command.

thanks
--
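The exchange above turns on one question: which UNIX group is actually behind the Domain Admins RID (512), and who is in it. The following is an added example, not Samba code and not from either poster. It parses lines in the shape `net groupmap list` prints ("Name (SID) -> unixgroup", as quoted in the reply), joins them with `getent group`-style membership, and reports the accounts that end up with administrative rights. The domain SID, group names and memberships are constructed placeholders, chosen so that RID 512 points at a broad group, which is the situation the poster was worried about.

```python
"""Parse `net groupmap list` output and work out which UNIX group, and so
which accounts, carry the Domain Admins RID.

Added example, not Samba code.  Line shape assumed from the thread:
"Name (SID) -> unixgroup".  DOMAIN_SID, names and members are placeholders."""
import re

# Constructed placeholder domain SID (not the poster's).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Well-known admin RIDs in a domain, and well-known admin SIDs outside it.
ADMIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
ADMIN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}

# Constructed `net groupmap list` output: RID 512 is backed by the generic
# 'users' group, so every member of 'users' is a domain admin.
SAMPLE_GROUPMAP = f"""\
Domain Admins ({DOMAIN_SID}-512) -> users
Domain Users ({DOMAIN_SID}-513) -> users
Domain Guests ({DOMAIN_SID}-514) -> nobody
Administrators (S-1-5-32-544) -> systeme
"""

# Constructed `getent group` output (name:x:gid:member,member).
SAMPLE_GETENT = """\
users:x:100:alice,bob,carol,admin99
systeme:x:1000:admin99,admin41
nobody:x:65534:
"""

_LINE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-\d+(?:-\d+)+)\) -> (?P<unix>.+)$")


def parse_groupmap(text):
    """One dict per mapping: name, sid, rid (int) and unix_group."""
    mappings = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError("unrecognised groupmap line: " + raw)
        sid = m.group("sid")
        mappings.append({"name": m.group("name"), "sid": sid,
                         "rid": int(sid.rsplit("-", 1)[1]),
                         "unix_group": m.group("unix").strip()})
    return mappings


def parse_getent_group(text):
    """name:x:gid:m1,m2 -> {name: set(members)}.  Caveat: getent lists only
    supplementary members; users whose primary gid is this group are absent."""
    groups = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        name, _pw, _gid, members = raw.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def privileged_mappings(mappings, domain_sid=DOMAIN_SID):
    """Mappings whose SID is an admin RID of our domain or a well-known admin SID."""
    out = []
    for m in mappings:
        in_domain = m["sid"].rsplit("-", 1)[0] == domain_sid
        if m["sid"] in ADMIN_SIDS or (in_domain and m["rid"] in ADMIN_RIDS):
            out.append(m)
    return out


def effective_admins(mappings, groups, domain_sid=DOMAIN_SID):
    """Accounts that get admin rights through the UNIX side of the mapping."""
    admins = set()
    for m in privileged_mappings(mappings, domain_sid):
        admins |= groups.get(m["unix_group"], set())
    return admins


def shared_unix_groups(mappings):
    """UNIX groups backing more than one SID: each member holds all of them."""
    by_unix = {}
    for m in mappings:
        by_unix.setdefault(m["unix_group"], []).append(m["name"])
    return {g: names for g, names in by_unix.items() if len(names) > 1}
```

On the constructed data `effective_admins()` returns alice, bob and carol alongside the two admin accounts, and `shared_unix_groups()` shows that `users` backs both Domain Admins and Domain Users, which is exactly the "is everyone a Domain Admin?" symptom; the fix on a real system is `net groupmap modify` (or `delete`/`add`) so that RID 512 maps to a small, dedicated UNIX group.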
[Samba] Grant only one AD group to samba share ?
All,

On my Ubuntu Linux machine here, I already have Samba set up and configured with winbind to perform authentication against the local Windows domain controller. Thankfully that part is all working fine - that was supposed to be the hard part.

The issue I have now is: I need to grant members of a certain AD group access to a share (this was supposed to be easy, but is not working).

Sanity check of winbind (sample output):

$ wbinfo -g
MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\my group
MYDOMAIN\my group2

Looks good. I need to grant all users in "my group" access to the share; all others shouldn't even see it.

[share]
comment = Testing
path = /media/share
guest ok = no
read only = yes
valid users = @MYDOMAIN\My Group
browseable = no
locking = no

If I put guest ok = yes, everything works fine. If I turn it to no, I get an authentication prompt. Answering it with invalid credentials comes back with "invalid user name or bad password", vs valid credentials says "access denied". So I know that the authentication with the domain controller is working fine, but limiting access to that group only is not.

The group name has a space in it, which probably isn't helping. I have tried many different combinations, but nothing seems to work. What is the proper syntax for this? We have winbind separator = \ earlier in the config file -- is that part of the problem maybe?

valid users = @MYDOMAIN\My Group
valid users = @MYDOMAIN\My Group
valid users = MYDOMAIN\My Group
etc.

Nothing seems to work. My methodology for testing this is fine: as soon as I put guest ok = yes, the share still works. What's the right syntax for valid users = My Domain\My Group? Any thoughts?

Thanks,
John
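The space in the group name is the whole problem: smb.conf list values are split on whitespace and commas, so an unquoted `@MYDOMAIN\My Group` becomes two entries, `@MYDOMAIN\My` and `Group`, and neither names a real group; double quotes keep the entry together. The following is an added example, not Samba's own parser and not from the post. It tokenizes a `valid users` value by that documented rule and evaluates it against a constructed `wbinfo -g` group list, with a deliberately simplified matcher: `@`, `+` and `&` entries are treated as group names and everything else as a user name, compared case-insensitively (Samba's real resolution through winbind and NIS is richer). The domain, user and group names are constructed.

```python
"""Tokenize an smb.conf list value and evaluate `valid users` for a user,
to show why `valid users = @MYDOMAIN\My Group` cannot match a group whose
name contains a space.

Added example, not Samba code.  Quoting rule as documented for smb.conf
lists; matching simplified; all names below are constructed."""

# Constructed `wbinfo -g` output, with `winbind separator = \`.
WBINFO_GROUPS = [r"MYDOMAIN\domain admins", r"MYDOMAIN\domain users",
                 r"MYDOMAIN\my group", r"MYDOMAIN\my group2"]

# Constructed: the groups winbind would report for two users.
USER_GROUPS = {
    r"MYDOMAIN\john": {r"MYDOMAIN\domain users", r"MYDOMAIN\my group"},
    r"MYDOMAIN\jane": {r"MYDOMAIN\domain users"},
}

GROUP_PREFIXES = "@+&"   # '@' netgroup-then-unix-group, '+' unix group, '&' netgroup


def split_list(value):
    """Split an smb.conf list value: whitespace and commas separate entries
    unless inside double quotes; the quotes themselves are dropped."""
    tokens, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in " \t," and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unbalanced double quote in: " + value)
    if cur:
        tokens.append("".join(cur))
    return tokens


def valid_users_allows(valid_users, user, user_groups):
    """Return the entry of `valid users` that admits `user`, or None."""
    groups = {g.lower() for g in user_groups}
    for entry in split_list(valid_users):
        if entry[0] in GROUP_PREFIXES:
            if entry.lstrip(GROUP_PREFIXES).lower() in groups:
                return entry
        elif entry.lower() == user.lower():
            return entry
    return None


def unresolved_groups(valid_users, known_groups=WBINFO_GROUPS):
    """Group entries that name no group winbind knows about.  testparm does
    not catch these; the share simply denies everyone."""
    known = {g.lower() for g in known_groups}
    return [e for e in split_list(valid_users)
            if e[0] in GROUP_PREFIXES and e.lstrip(GROUP_PREFIXES).lower() not in known]
```

`split_list(r"@MYDOMAIN\My Group")` yields `['@MYDOMAIN\\My', 'Group']`, and `unresolved_groups()` reports `@MYDOMAIN\My` as unknown, so john is denied even though he is in the group; `valid users = "@MYDOMAIN\My Group"` (or `@"MYDOMAIN\My Group"`) is one entry and admits him while still denying jane. The `winbind separator = \` setting is not the problem, since a backslash carries no special meaning in smb.conf values.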
Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)
Submitted as bug 8950.

-----Original Message-----
From: Steve French [mailto:smfre...@gmail.com]
Sent: Saturday, May 19, 2012 6:47 PM
To: Purcell, Scott
Cc: jlay...@samba.org; li...@kukkukk.com; samba@lists.samba.org; linux-c...@vger.kernel.org
Subject: Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)

Don't want to forget to open a bug report (at bugzilla.samba.org) if you haven't already created one - even if tricky to fix safely, I don't want to lose track of this issue if we can find a way to safely handle this case. There is a lot going on in development of cifs.ko with SMB2 enablement and the introduction of SMB 3 (and also some dramatic performance improvements that went in over the last four releases).

On Sat, May 19, 2012 at 6:20 PM, scott_purc...@dell.com wrote:

I'll inquire. But we're a very Windows-centric shop -- I may be given the old "Working as designed... if it won't work on Linux you'll have to use Windows" routine...

--
Thanks,
Steve
Re: [Samba] Can't populate LDAP directory with smbldap-populate
It seems that this issue is RHEL/CentOS related. I have tried the following: install smbldap-tools-0.9.8 on Debian squeeze, locate smbldap.conf to my test server with CentOS-5.8. All works fine:

# smbldap-populate -a Administrator -g 1 -l 1 -r 1 -u 1
Populating LDAP directory for domain SYSADM (S-1-5-21-206255134-223837211-2022137911)
(using builtin directory structure)
adding new entry: dc=sysadm,dc=local
adding new entry: ou=Users,dc=sysadm,dc=local
adding new entry: ou=Groups,dc=sysadm,dc=local
adding new entry: ou=Computers,dc=sysadm,dc=local
adding new entry: ou=Idmap,dc=sysadm,dc=local
adding new entry: uid=Administrator,ou=Users,dc=sysadm,dc=local
adding new entry: uid=nobody,ou=Users,dc=sysadm,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=sysadm,dc=local
adding new entry: sambaDomainName=SYSADM,dc=sysadm,dc=local

Please provide a password for the domain Administrator:
Changing UNIX and samba passwords for Administrator
New password: ***
Retype new password: ***

On the CentOS server:

# smbldap-usershow Administrator
dn: uid=Administrator,ou=Users,dc=sysadm,dc=local
cn: Administrator
sn: Administrator
objectClass: top,person,organizationalPerson,inetOrgPerson,sambaSamAccount,posixAccount,shadowAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\PDC-SRV\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SRV\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-206255134-223837211-2022137911-512
sambaSID: S-1-5-21-206255134-223837211-2022137911-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 0AFA9EFC9DE20294AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 8F4BC1891E1050BDB614E72625AC2D7B
sambaPwdLastSet: 1337613886
sambaPwdMustChange: 1341501886
userPassword: {SSHA}4GSeyrunuwZo4F5JyPxEhFALjEhNMlN0
shadowLastChange: 15481
shadowMax: 45

# ldapsearch -LLL -x -b 'dc=sysadm,dc=local' -D 'cn=root,dc=sysadm,dc=local' -w 1234567 uid=Administrator
dn: uid=Administrator,ou=Users,dc=sysadm,dc=local
cn: Administrator
sn: Administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\PDC-SRV\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SRV\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-206255134-223837211-2022137911-512
sambaSID: S-1-5-21-206255134-223837211-2022137911-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 0AFA9EFC9DE20294AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 8F4BC1891E1050BDB614E72625AC2D7B
sambaPwdLastSet: 1337613886
sambaPwdMustChange: 1341501886
userPassword:: e1NTSEF9NEdTZXlydW51d1pvNEY1SnlQeEVoRkFMakVoTk1sTjA=
shadowLastChange: 15481
shadowMax: 45

On Mon, May 21, 2012 at 5:01 PM, Alex Domoradov alex@gmail.com wrote:
> No, I don't. It's a testing environment, so the password is too simple - 1234567 :)
>
> On Mon, May 21, 2012 at 4:58 PM, L.P.H. van Belle be...@bazuin.nl wrote:
>> Hi,
>> Are you using @#$%^*!() in your password? Try it out..
>>
>> Regards,
>> Louis
>>
>> -Original Message-
>> From: alex@gmail.com [mailto:samba-boun...@lists.samba.org] On Behalf Of Alex Domoradov
>> Sent: 2012-05-21 15:55
>> To: samba@lists.samba.org
>> Subject: [Samba] Can't populate LDAP directory with smbldap-populate
>>
>>> I have the following environment:
>>>
>>> # cat /etc/redhat-release
>>> CentOS release 5.8 (Final)
>>> # uname -r
>>> 2.6.18-308.4.1.el5
>>>
>>> I have installed smbldap-tools from http://download.gna.org/smbldap-tools/packages/el5/smbldap-tools-0.9.8-1.el5.noarch.rpm. Configured OpenLDAP, but when I try to populate the LDAP directory I get the following error messages:
>>>
>>> # smbldap-populate -a Administrator -g 1 -l 1 -r 1 -u 1
>>> Populating LDAP directory for domain SYSADM (S-1-5-21-206255134-223837211-2022137911)
>>> (using builtin directory structure)
>>> Use of uninitialized value in concatenation (.) or string at /usr/sbin/smbldap-populate line 483, DATA line 303.
>>> Use of uninitialized value in string eq at /usr/sbin/smbldap-populate line 484, DATA line 303.
>>> entry already exist.
>>> Use of uninitialized value in
Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)
On Mon, 21 May 2012 09:59:44 -0500 scott_purc...@dell.com wrote:
> Early responses are not encouraging. It sounds like this was not an accidental happening, but they *intend* to obscure the root level of the share.
>
> Might it work to try to downgrade my Samba installation to a version prior to the introduction of this bug? If so, do you know which version would be the latest to still work?

No, it was not intentional, just not simple to fix.

--
Jeff Layton jlay...@samba.org
Re: [Samba] Grant only one AD group to samba share ?
On 05/21/2012 05:20 PM, Newman, John W wrote:
> All,
>
> On my ubuntu linux machine here, I already have samba set up and configured with winbind to perform authentication against the local windows domain controller. Thankfully that part is all working fine - that was supposed to be the hard part. The issue I have now is: I need to grant members of a certain AD group access to a share (this was supposed to be easy, but is not working).
>
> Sanity check of winbind (sample output):
>
> $ wbinfo -g
> MYDOMAIN\domain admins
> MYDOMAIN\domain users
> MYDOMAIN\my group
> MYDOMAIN\my group2
>
> Looks good. I need to grant all users in my group access to the share, all others shouldn't even see it.
>
> [share]
> comment = Testing
> path = /media/share
> guest ok = no
> read only = yes
> valid users = @MYDOMAIN\My Group
> browseable = no
> locking = no
>
> If I put guest ok = yes, everything works fine. If I turn it to no, I get an authentication prompt. Answering it with invalid credentials comes back with "invalid user name or bad password", vs valid credentials says "access denied". So I know that the authentication with the domain controller is working fine, but limiting access to that group only is not. The group name has a space in it which probably isn't helping.
>
> I have tried many different combinations, but nothing seems to work. What is the proper syntax for this? We have winbind separator=\ earlier in the config file -- is that part of the problem maybe?
>
> valid users = @MYDOMAIN\My Group
> valid users = @MYDOMAIN\My Group
> valid users = MYDOMAIN\My Group
> etc
>
> Nothing seems to work. My methodology for testing this is fine: as soon as I put guest ok = yes, the share still works. What's the right syntax for valid users = My Domain\My Group? Any thoughts?
>
> Thanks,
> John

Hi
You don't really need smb.conf to get a group-only entry. Just have smb.conf with:

[share]
comment = Testing
path = /media/share
read only = No

chgrp My\ Group /media/share
chmod 0770 /media/share
chmod g+s /media/share
setfacl -d -Rm g::rw /media/share

Now, only members of My Group can get into the share, no matter what you have in smb.conf. Once inside, any files created therein become group rw for My Group members.

HTH
Steve
[Samba] Permission denied on user's home dir mounted on linux client
I am sorry, the title was wrong. I re-send my question.

On 05/19/2012 01:05 PM, zingalo wrote:
> Hi,
> I have a debian server with ldap, samba, smbldap-tools installed and ubuntu clients. I set pam_mount to mount the user's home directories from the ldap-samba server (amahoro) on the clients at login time and this runs. On the server the user's home directories are stored in /users like /users/username.
>
> Logging in by gdm, the message appears: Could not update ICEauthority file /home/user/.ICEauthority.
> Logging in from a shell, it mounts the user's home but I can't create files inside: Permission denied.
>
> I tried to set all the permissions to all the users for a user's home but it didn't resolve my problem. Someone on debian.irc told me that samba doesn't support unix permissions. Someone told me that it is possible but complicated. Online I didn't find clear answers to this. Do you know about this topic?
>
> Thanks
Re: [Samba] Samba4 DNS - Adding CNAME
I have been working on this too, and found that I needed to add the FQDN as the target of the CNAME.

This is what appears to be happening... When I just put in the name, for example:

samba-tool dns add dnsserver mydomain.org newname CNAME realname

...and I use the Windows DNS tool to look at the record in the mydomain.org zone, it maps newname to "realname." --- NOTICE the dot at the end. In DNS parlance, that dot usually means "don't add anything after this". So, when DNS is trying to resolve the actual IP, it tries to look up "realname" with no domain, and eventually times out.

If you change this to:

samba-tool dns add dnsserver mydomain.org newname CNAME realname.mydomain.org

... then doing a dig or ping or whatever seems to work correctly. I may be doing this wrong, but at least this is how I got it to work.

On Sat, May 19, 2012 at 6:57 AM, Mike Howard m...@dewberryfields.co.uk wrote:
> On 19/05/2012 11:12, Michael Wood wrote:
>>> So, the question is; What am I doing wrong?
>>
>> I haven't tried the above myself, but it seems you are adding it the wrong way around. i.e. it looks like you are saying that the canonical name of centos is debian instead of what you want (i.e. that the canonical name of debian is centos.)
>>
>> i.e. it looks like you now have this situation:
>>
>> centos IN A 192.168.1.11
>> centos IN CNAME debian
>
> Yes, I did wonder about that and did try it the other way around. That resulted in a new record as follows;
>
> Name=debian, Records=1, Children=0
> CNAME: centos. (flags=f0, serial=21, ttl=900)
>
> But it still doesn't resolve.
>
>> OK, then try specifying the FQDN for centos when you add the CNAME record. From the output above it looks like it's adding a CNAME to "centos." instead of "centos.example.com."
>>
>> Also try:
>>
>> dig @192.168.1.254 debian.example.com. IN CNAME
>>
>> If everything is set up correctly you should get something like this:
>>
>> [...]
>> ;; QUESTION SECTION:
>> ;debian.example.com.            IN      CNAME
>>
>> ;; ANSWER SECTION:
>> debian.example.com.     3600    IN      CNAME   centos.example.com.
>> [...]
>
> Ok, I used;
>
> samba-tool dns add 127.0.0.1 example.com debian CNAME centos.example.com
>
> a query now returns;
>
> Name=centos, Records=1, Children=0
> A: 192.168.1.11 (flags=f0, serial=2, ttl=900)
> Name=debian, Records=1, Children=0
> CNAME: centos.example.com. (flags=f0, serial=23, ttl=900)
>
> and 'dig @192.168.1.254 debian.example.com. IN CNAME' returns;
>
> [...]
> ;; QUESTION SECTION:
> ;debian.example.com.            IN      CNAME
>
> ;; ANSWER SECTION:
> debian.example.com.     900     IN      CNAME   centos.example.com.
> [...]
>
> However, neither 'debian' nor 'debian.example.com' resolve to an IP, yet the output from dig implies the entry is correct? Of course, 'centos' does resolve.
>
> --
> Any question is easy if you know the answer!

--
Charles Tryon
“Risks are not to be evaluated in terms of the probability of success, but in terms of the value of the goal.” - Ralph D. Winter
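The trailing-dot behaviour Charles and Mike describe, as an added example that is not part of the thread and not samba-tool's code: a small zone-data model (records constructed to mirror the thread's centos A record and debian CNAME) that resolves a name by following CNAME chains and lints for targets that exist nowhere in the zone. `stored_target` models the observation that a bare target ends up stored with a trailing dot; that is an assumption drawn from the thread, not a statement about the tool's implementation.

```python
"""Added example (not from the thread or from samba-tool): why a CNAME stored
as `centos.` never resolves while `centos.example.com.` does, plus a lint for
dangling CNAME targets. Zone data below is constructed to mirror the thread."""
from typing import Dict, List, NamedTuple, Optional, Tuple

Records = Dict[str, List[Tuple[str, str]]]   # absolute owner name -> [(type, rdata)]


def qualify(name: str, zone: str) -> str:
    """Return `name` as an absolute, dot-terminated name within `zone`.

    A trailing dot means "append nothing", so a stored target of `centos.`
    is looked up as the bare top-level name `centos`, never as
    `centos.example.com`.
    """
    name = name.strip().lower()
    zone = zone.strip().lower().rstrip(".") + "."
    if name.endswith("."):
        return name
    if name in ("", "@"):
        return zone
    return name + "." + zone


def stored_target(target: str) -> str:
    """Model the behaviour observed in the thread (an assumption, not the
    tool's code): the target is stored with a trailing dot exactly as typed,
    so a short name becomes an absolute name outside the zone."""
    return target if target.endswith(".") else target + "."


class Resolution(NamedTuple):
    addresses: List[str]      # A records found at the end of the chain
    chain: List[str]          # owner names visited, in order
    error: Optional[str]      # None on success


def resolve(records: Records, qname: str, zone: str) -> Resolution:
    """Follow CNAMEs from `qname` to A records, reporting dangling or looping chains."""
    name = qualify(qname, zone)
    chain: List[str] = []
    while True:
        if name in chain:
            return Resolution([], chain + [name], "CNAME loop")
        chain.append(name)
        rrset = records.get(name)
        if not rrset:
            return Resolution([], chain, f"no records for {name}")
        addrs = [rdata for rtype, rdata in rrset if rtype == "A"]
        if addrs:
            return Resolution(addrs, chain, None)
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return Resolution([], chain, f"{name} has neither A nor CNAME records")
        name = qualify(cnames[0], zone)   # absolute targets pass through unchanged


def dangling_cnames(records: Records, zone: str) -> List[Tuple[str, str]]:
    """Lint: (owner, target) pairs whose CNAME target has no records in the zone."""
    return [(owner, rdata)
            for owner, rrset in sorted(records.items())
            for rtype, rdata in rrset
            if rtype == "CNAME" and qualify(rdata, zone) not in records]


ZONE = "example.com"


def build_zone(cname_target: str) -> Records:
    """Constructed zone mirroring the thread: centos has an A record, debian is a
    CNAME added with `cname_target` exactly as typed on the command line."""
    return {
        qualify("centos", ZONE): [("A", "192.168.1.11")],
        qualify("debian", ZONE): [("CNAME", stored_target(cname_target))],
    }


if __name__ == "__main__":
    for target in ("centos", "centos.example.com"):
        zone = build_zone(target)
        res = resolve(zone, "debian", ZONE)
        print(f"typed {target!r:22} stored {stored_target(target)!r:22}"
              f" chain {' -> '.join(res.chain)} => {res.addresses or res.error}")
        print("  dangling CNAMEs:", dangling_cnames(zone, ZONE))
```

Run stand-alone it prints the short-name case failing with "no records for centos." and the FQDN case resolving to 192.168.1.11, which is the difference Mike's dig output alone could not show.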
Re: [Samba] Grant only one AD group to samba share ?
Thanks for the suggestion, but .. that doesn't work ...

chgrp My\ Group /media/share
chgrp: invalid group: `My Group'

My Group is a windows AD group, not a local linux group. The machine is joined to the windows domain through net ads join, but I don't think the security is that tightly integrated. I don't have windows groups mapped to linux groups I've created or anything like that. chgrp is expecting a linux group. Right?

Probably I am missing something, or you guys need more information. Any thoughts?

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
Sent: Monday, May 21, 2012 11:57
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

> Hi
> You don't really need smb.conf to get a group-only entry. Just have smb.conf with:
>
> [share]
> comment = Testing
> path = /media/share
> read only = No
>
> chgrp My\ Group /media/share
> chmod 0770 /media/share
> chmod g+s /media/share
> setfacl -d -Rm g::rw /media/share
>
> Now, only members of My Group can get into the share, no matter what you have in smb.conf. Once inside, any files created therein become group rw for My Group members.
>
> HTH
> Steve
Re: [Samba] Grant only one AD group to samba share ?
OK, I definitely am missing something. The group IDs do seem to work somewhat, but perhaps I just have the wrong syntax. I keep going back to these two lines that he put there a long time ago:

winbind separator = \\
winbind use default domain = yes

I see others using or % or @ ...

wbinfo -Y $(wbinfo -n `wbinfo -g | grep Group` | cut -d -f 1)
10005

so the SID mapping is somehow happening. It's weird though as each time I call that with a different group name, the 1 number just goes up by one. Like it is making up the unix IDs as it goes and perhaps something isn't set right. Shouldn't all of the AD groups be tied to a unix ID automatically, and not just making them up one at a time? Anyway, I'm not sure if that relates to my real problem here or not.

I understand the nix security model pretty well ... windows not so much .. and bringing windows permissions into a nix machine, not at all!! :D This was all set up by another dev who is no longer in our department, I am trying to make sense of it and enhance it.

Steve's suggestion below is probably correct to set the permissions on the share how I need, but what am I missing to get that chgrp command to work right?

Thanks

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Newman, John W
Sent: Monday, May 21, 2012 15:43
To: 'steve'; samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

> Thanks for the suggestion, but .. that doesn't work ...
>
> chgrp My\ Group /media/share
> chgrp: invalid group: `My Group'
>
> My Group is a windows AD group, not a local linux group. The machine is joined to the windows domain through net ads join, but I don't think the security is that tightly integrated. I don't have windows groups mapped to linux groups I've created or anything like that. chgrp is expecting a linux group. Right?
>
> Probably I am missing something, or you guys need more information. Any thoughts?
Re: [Samba] Grant only one AD group to samba share ?
On 05/21/2012 3:42 PM, Newman, John W wrote:
> OK, I definitely am missing something. The group IDs do seem to work somewhat, but perhaps I just have the wrong syntax. I keep going back to these two lines that he put there a long time ago:
>
> winbind separator = \\

If this separator is in effect, then

valid users = @MYDOMAIN\\My Group

Or change to

winbind separator = \

Dale

> winbind use default domain = yes
>
> I see others using or % or @ ...
>
> wbinfo -Y $(wbinfo -n `wbinfo -g | grep Group` | cut -d -f 1)
> 10005
>
> so the SID mapping is somehow happening. It's weird though as each time I call that with a different group name, the 1 number just goes up by one. Like it is making up the unix IDs as it goes and perhaps something isn't set right. Shouldn't all of the AD groups be tied to a unix ID automatically, and not just making them up one at a time? Anyway, I'm not sure if that relates to my real problem here or not.
>
> I understand the nix security model pretty well ... windows not so much .. and bringing windows permissions into a nix machine, not at all!! :D This was all set up by another dev who is no longer in our department, I am trying to make sense of it and enhance it.
>
> Steve's suggestion below is probably correct to set the permissions on the share how I need, but what am I missing to get that chgrp command to work right?
>
> Thanks
[Samba] 3.6.5 and not_defined_in_RFC4178@please_ignore error
Hello,

We're having trouble joining an AD domain with 3.6.5. This message when running net join looks fishy:

got principal=not_defined_in_RFC4178@please_ignore

OS: Solaris 10 x64
Kerberos: MIT krb5 1.10.1
DC servers are running Windows 2008

The error message is:

./net join -U aranskis
Enter aranskis's password:
Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain CORP
Unable to find a suitable server for domain CORP

With -d9, here's the hopefully relevant output:

ads_dns_lookup_srv: 18 records returned in the answer section.
namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of DCs IP follows]
[..]
Successfully contacted LDAP server 10.219.244.253
[..]
got principal=not_defined_in_RFC4178@please_ignore
[..]
SPNEGO login failed: Logon failure
failed session setup with NT_STATUS_LOGON_FAILURE
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : NULL
        netbios_domain_name      : NULL
        dns_domain_name          : NULL
        forest_name              : NULL
        dn                       : NULL
        domain_sid               : NULL
        domain_sid               : (NULL SID)
        modified_config          : 0x00 (0)
        error_string             : 'failed to lookup DC info for domain 'CIB.NET' over rpc: Logon failure'
        domain_is_ad             : 0x00 (0)
        result                   : WERR_LOGON_FAILURE

Relevant configuration options:

[global]
realm=CORP.NET
workgroup=CORP.NET
security=ADS
encrypt passwords = yes
bind interfaces only = true
interfaces = msusersncs

Any hints on the best way to try and figure out what is wrong when trying to register in the AD? (The same config worked with samba 3.4.x, but the DCs were running Windows 2003.)

Cheers,
Alex
Re: [Samba] Samba compilation issue
Thanks 3.4.2 is starting now.I made the following entries. smb passwd file = /opt/usr/local/samba/private/smbpasswd private dir = /opt/usr/local/samba/private lock directory = /opt/usr/local/samba/var/locks state directory = /opt/usr/local/samba/var/locks cache directory = /opt/usr/local/samba/var/locks pid directory = /opt/usr/local/samba/var/locks usershare path = /opt/usr/local/samba/var/locks/usershares Regarding 3.4.17. Is there any other way like editing configure file and skip libtalloc? “./configure --enable-external-libtalloc=no --with-libtalloc=no” is not skipping the libtalloc. Thanks, Prabu -Original Message- From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com] Sent: Sunday, May 20, 2012 6:15 PM To: Murugan, Prabu Cc: samba@lists.samba.org Subject: RE: Samba compilation issue I didn't know about the smbd -i option. That is useful. In your smb.conf file you may want to specify that your locks directory is set to /usr/local/samba/var/locks. The testparm -v will show your current settings. There are a lot of settings that can be set in smb.conf. It seems that since you installed in an alternative path, the locks directory is not in the default path. Or you could add some sym links. I have run into similar issue when changing from samba from sunfreeware to samba from source to samba from oracle. On my server tbash-3.00# testparm -v | more Load smb config files from /etc/samba/smb.conf ... smb passwd file = /etc/samba/private/smbpasswd private dir = /etc/samba/private ... lock directory = /var/samba/locks state directory = /var/samba/locks cache directory = /var/samba/locks pid directory = /var/samba/locks usershare path = /var/samba/locks/usershares ... PS. You should backup your locks and private directories when changing versions or reinstalling samba. 
-Original Message- From: prabu.muru...@emc.com [mailto:prabu.muru...@emc.com] Sent: Saturday, May 19, 2012 12:30 PM To: gaiseric.van...@gmail.com Subject: Re: Samba compilation issue Forgot to mention.after reinstallation also smbd is referring to /usr. On 19-May-2012, at 9:52 PM, Murugan, Prabu prabu.muru...@emc.commailto:prabu.muru...@emc.com wrote: Smbd -i gives interactive output. It is referring to /usr/local. Not sure why. bash-3.2# /opt/usr/local/samba/sbin/smbd -D -i -s /opt/usr/local/samba/lib/smb.conf creating lame upcase table creating lame lowcase table Unable to setup corepath for smbd: No such file or directory smbd version 3.4.2 started. Copyright Andrew Tridgell and the Samba Team 1992-2009 Failed to load /usr/local/samba/lib/valid.dat - No such file or directory creating default valid table tdb(unnamed): tdb_open_ex: could not open file /usr/local/samba/var/locks/messages.tdb: No such file or directory ERROR: Failed to initialise messages database: No such file or directory messaging_tdb_init failed: NT_STATUS_OBJECT_NAME_NOT_FOUND Could not init smbd messaging context. I tried this option to reinstall since it was not showing in pkginfo. I think I am messing up things. bash-3.2# pkginfo |grep samba system SUNWsmbaSsamba - A Windows SMB/CIFS fileserver for UNIX (Source) system SUNWsmbacsamba - A Windows SMB/CIFS fileserver for UNIX (client) system SUNWsmbarsamba - A Windows SMB/CIFS fileserver for UNIX (Root) system SUNWsmbausamba - A Windows SMB/CIFS fileserver for UNIX (Usr) bash-3.2# mv /opt/usr/local/samba/ /opt/usr/local/samba-error bash-3.2# mv /opt/var/sadm/pkg/SMCsamba /opt/var/sadm/pkg/SMCsamba.tmp bash-3.2# pkgadd -R /opt -d samba-3.4.2-sol10-sparc-local Processing package instance SMCsamba from /var/tmp/samba-3.4.2-sol10-sparc-local The following files are already installed on the system and are being used by another package: /opt/usr/local/samba/bin/ …. 
Installation of SMCsamba.tmp was successful
bash-3.2# pkginfo |grep SMCsamba
bash-3.2# pkginfo |grep samba
system      SUNWsmbaS samba - A Windows SMB/CIFS fileserver for UNIX (Source)
system      SUNWsmbac samba - A Windows SMB/CIFS fileserver for UNIX (client)
system      SUNWsmbar samba - A Windows SMB/CIFS fileserver for UNIX (Root)
system      SUNWsmbau samba - A Windows SMB/CIFS fileserver for UNIX (Usr)

From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com]
Sent: Saturday, May 19, 2012 5:33 PM
To: Murugan, Prabu
Cc: samba@lists.samba.org
Subject: RE: Samba compilation issue

I don't know if installing Samba in an alternate path could cause an issue with dependencies. But it doesn't seem like it. If "smbd -V" works then I would think this is not an issue. So it The "testparm -v" command should also let you verify that
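The thread's fix was to point every directory setting at the alternate prefix and confirm it with testparm -v. The script below is an added example, not code from the thread or from the Samba project: it parses testparm-style output for the directory settings smbd needs at start-up, reports any that do not exist on disk, and flags a private dir (the one holding smbpasswd) that grants permissions to other users. The testparm output it parses is constructed to mirror the paths in the thread; the function names and the throwaway directory tree are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check the directory settings smbd
# relies on. Pipe real output through the same functions with
#   testparm -s -v 2>/dev/null | samba_dir_settings | missing_samba_dirs ""

# Constructed testparm output mirroring the paths used in the thread.
SAMPLE_TESTPARM_OUTPUT='Load smb config files from /opt/usr/local/samba/lib/smb.conf
    smb passwd file = /opt/usr/local/samba/private/smbpasswd
    private dir = /opt/usr/local/samba/private
    lock directory = /opt/usr/local/samba/var/locks
    state directory = /opt/usr/local/samba/var/locks
    cache directory = /opt/usr/local/samba/var/locks
    pid directory = /opt/usr/local/samba/var/locks
    usershare path = /opt/usr/local/samba/var/locks/usershares'

# samba_dir_settings: read testparm output on stdin and print one
# "key=value" line per directory-type setting ("smb passwd file" is a
# file, not a directory, so it is deliberately left out).
samba_dir_settings() {
    awk -F' = ' '
        /^[ \t]*(private dir|lock directory|state directory|cache directory|pid directory|usershare path)[ \t]*=/ {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = $2; sub(/[ \t]+$/, "", val)
            print key "=" val
        }'
}

# missing_samba_dirs ROOT: read key=value lines on stdin and print the keys
# whose directory does not exist under ROOT ("" checks the live filesystem).
# smbd fails at start-up when the lock directory is missing, as in the
# messages.tdb error shown in the thread.
missing_samba_dirs() {
    root=$1
    while IFS='=' read -r key val; do
        [ -d "$root$val" ] || printf '%s\n' "$key"
    done
}

# private_dir_exposed DIR: succeed when DIR grants any permission to "other".
# The private dir holds smbpasswd (password hashes), so this should fail.
private_dir_exposed() {
    bits=$(ls -ld "$1" | awk '{ print substr($1, 8, 3) }')
    [ "$bits" != "---" ]
}

# Demonstration against a throwaway tree that mirrors the thread's paths:
# the usershares directory is deliberately left out and the private dir is
# deliberately too open.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/opt/usr/local/samba/var/locks"
mkdir -p "$demo_root/opt/usr/local/samba/private"
chmod 755 "$demo_root/opt/usr/local/samba/private"
printf '%s\n' "$SAMPLE_TESTPARM_OUTPUT" | samba_dir_settings | missing_samba_dirs "$demo_root"
# prints: usershare path
if private_dir_exposed "$demo_root/opt/usr/local/samba/private"; then
    echo "private dir is readable by others; tighten it to 0700"
fi
rm -rf "$demo_root"
```

Running the real testparm output through the same pipeline before starting smbd catches exactly the kind of mismatch the thread hit (a build configured for one prefix, a tree installed under another), and the permission check is the one that matters once the paths are right, since an over-permissive private dir exposes the smbpasswd hashes to every local account.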
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ce11eb5 s3:smb2_ioctl: Fix Coverity ID 701771 Uninitialized scalar variable from 1d53e57 s4-dsdb: allow modification of some deleted object if the show-deleted control is presented http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ce11eb5b9427e4ba5b86c6cd0378a7300ce1218f Author: Stefan Metzmacher me...@samba.org Date: Mon May 21 11:44:09 2012 +0200 s3:smb2_ioctl: Fix Coverity ID 701771 Uninitialized scalar variable metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Mon May 21 19:27:44 CEST 2012 on sn-devel-104 --- Summary of changes: source3/smbd/smb2_ioctl.c | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_ioctl.c b/source3/smbd/smb2_ioctl.c index b1a9e32..37acf11 100644 --- a/source3/smbd/smb2_ioctl.c +++ b/source3/smbd/smb2_ioctl.c @@ -417,6 +417,11 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx, in_security_mode = SVAL(in_input.data, 0x14); in_max_dialect = SVAL(in_input.data, 0x16); + status = GUID_from_ndr_blob(in_guid_blob, in_guid); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + max_dialect = conn-smb2.client.dialects[conn-smb2.client.num_dialects-1]; if (in_max_dialect != max_dialect) { state-disconnect = true; @@ -494,6 +499,11 @@ static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx, return tevent_req_post(req, ev); } + status = GUID_from_ndr_blob(in_guid_blob, in_guid); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + if (in_num_dialects != conn-smb2.client.num_dialects) { state-disconnect = true; tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED); -- Samba Shared Repository
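Review bot: in the first hunk (@@ -417), the GUID_from_ndr_blob() call is placed after in_security_mode and in_max_dialect are read and before the dialect comparison, so in_guid is now filled in before anything reads it, which is what the uninitialized-scalar report was about; the early return through tevent_req_post() matches the surrounding error paths. The archived hunk shows the call as `GUID_from_ndr_blob(in_guid_blob, in_guid)` and the dialect lookup as `conn-smb2.client.dialects`, so the archive has stripped the `&` and `->` operators; the committed code must pass `&in_guid_blob, &in_guid`, since GUID_from_ndr_blob() takes a pointer to the blob and a pointer to the struct GUID it fills.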
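Review bot: the second hunk (@@ -494) adds a byte-for-byte copy of the block from the first hunk, parsing the same in_guid_blob into the same in_guid inside the same smbd_smb2_ioctl_send() function, just in another branch before the in_num_dialects check. Hoisting the single parse and its error return to the point where in_guid_blob is set, ahead of both branches, would give one error path instead of two copies that can drift apart on a later edit.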
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8576256 s3: Fix vfs_xattr_tdb.c from ce11eb5 s3:smb2_ioctl: Fix Coverity ID 701771 Uninitialized scalar variable http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 857625673833ddfa3897ce30def118cb593865b6 Author: Volker Lendecke v...@samba.org Date: Mon May 21 14:41:40 2012 +0200 s3: Fix vfs_xattr_tdb.c size is the maximum buffer, only copy what we actually got. For me, this fixes valgrind errors in the DIR1 test that might potentially make DIR1 non-flaky again. Signed-off-by: Jeremy Allison j...@samba.org Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Mon May 21 22:10:15 CEST 2012 on sn-devel-104 --- Summary of changes: source3/modules/vfs_xattr_tdb.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c index ee3199d..fc5c3de 100644 --- a/source3/modules/vfs_xattr_tdb.c +++ b/source3/modules/vfs_xattr_tdb.c @@ -57,7 +57,7 @@ static ssize_t xattr_tdb_getxattr(struct vfs_handle_struct *handle, errno = ERANGE; return -1; } - memcpy(value, blob.data, size); + memcpy(value, blob.data, xattr_size); return xattr_size; } -- Samba Shared Repository
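Review bot: the corrected memcpy() in xattr_tdb_getxattr() bounds the copy by xattr_size, the length of the attribute actually fetched, instead of by `size`, the caller's buffer capacity; with the old line a caller supplying a buffer larger than the stored attribute made memcpy() read past the end of blob.data, which is an out-of-bounds read of heap memory and not only the valgrind noise the commit message mentions. The ERANGE branch immediately above the copy appears to be the buffer-too-small check, so after it xattr_size cannot exceed size and the new copy cannot overrun `value`; stating the over-read explicitly in the commit message would make the security relevance of the one-line change visible to anyone backporting it.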
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:

http://git.samba.org/autobuild.flakey/2012-05-22-0025/flakey.log

The samba3 build logs are available here:

http://git.samba.org/autobuild.flakey/2012-05-22-0025/samba3.stderr
http://git.samba.org/autobuild.flakey/2012-05-22-0025/samba3.stdout

The source4 build logs are available here:

http://git.samba.org/autobuild.flakey/2012-05-22-0025/samba4.stderr
http://git.samba.org/autobuild.flakey/2012-05-22-0025/samba4.stdout

The top commit at the time of the failure was:

commit 857625673833ddfa3897ce30def118cb593865b6
Author: Volker Lendecke v...@samba.org
Date: Mon May 21 14:41:40 2012 +0200

s3: Fix vfs_xattr_tdb.c

size is the maximum buffer, only copy what we actually got. For me, this fixes valgrind errors in the DIR1 test that might potentially make DIR1 non-flaky again.

Signed-off-by: Jeremy Allison j...@samba.org

Autobuild-User: Jeremy Allison j...@samba.org
Autobuild-Date: Mon May 21 22:10:15 CEST 2012 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c531aac Added torture test for bug #8910. Test remove_duplicate_addrs2(). from 8576256 s3: Fix vfs_xattr_tdb.c http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c531aac27c433e0eb068a8a4f0a6c90cad2e44fa Author: Jeremy Allison j...@samba.org Date: Mon May 21 14:29:11 2012 -0700 Added torture test for bug #8910. Test remove_duplicate_addrs2(). Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Tue May 22 01:31:17 CEST 2012 on sn-devel-104 --- Summary of changes: source3/include/proto.h|1 + source3/libsmb/namequery.c |2 +- source3/selftest/tests.py |3 +- source3/torture/torture.c | 104 4 files changed, 108 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/proto.h b/source3/include/proto.h index f9306b8..31c709d 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -911,6 +911,7 @@ bool name_status_find(const char *q_name, const struct sockaddr_storage *to_ss, fstring name); int ip_service_compare(struct ip_service *ss1, struct ip_service *ss2); +int remove_duplicate_addrs2(struct ip_service *iplist, int count ); struct tevent_req *name_query_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, const char *name, int name_type, diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c index 662d8d6..8934d85 100644 --- a/source3/libsmb/namequery.c +++ b/source3/libsmb/namequery.c @@ -1102,7 +1102,7 @@ static void sort_service_list(struct ip_service *servlist, int count) Remove any duplicate address/port pairs in the list */ -static int remove_duplicate_addrs2(struct ip_service *iplist, int count ) +int remove_duplicate_addrs2(struct ip_service *iplist, int count ) { int i, j; diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index bcd9ae8..fa1f5e5 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
@@ -107,7 +107,8 @@ local_tests=[ LOCAL-CONV-AUTH-INFO, LOCAL-IDMAP-TDB-COMMON, LOCAL-hex_encode_buf, - LOCAL-sprintf_append] + LOCAL-sprintf_append, + LOCAL-remove_duplicate_addrs2] for t in local_tests: plantestsuite(samba3.smbtorture_s3.%s % t, s3dc, [os.path.join(samba3srcdir, script/tests/test_smbtorture_s3.sh), t, '//$SERVER_IP/tmp', '$USERNAME', '$PASSWORD', binpath('smbtorture3'), -e]) diff --git a/source3/torture/torture.c b/source3/torture/torture.c index 962d0e7..83b0666 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -8726,6 +8726,109 @@ static bool run_local_hex_encode_buf(int dummy) return true; } +static const char *remove_duplicate_addrs2_test_strings_vector[] = { + 0.0.0.0, + ::0, + 1.2.3.1, + 0.0.0.0, + 0.0.0.0, + 1.2.3.2, + 1.2.3.3, + 1.2.3.4, + 1.2.3.5, + ::0, + 1.2.3.6, + 1.2.3.7, + ::0, + ::0, + ::0, + 1.2.3.8, + 1.2.3.9, + 1.2.3.10, + 1.2.3.11, + 1.2.3.12, + 1.2.3.13, + 1001:::1000:0:::, + 1.2.3.1, + 1.2.3.2, + 1.2.3.3, + 1.2.3.12, + ::0, + ::0 +}; + +static const char *remove_duplicate_addrs2_test_strings_result[] = { + 1.2.3.1, + 1.2.3.2, + 1.2.3.3, + 1.2.3.4, + 1.2.3.5, + 1.2.3.6, + 1.2.3.7, + 1.2.3.8, + 1.2.3.9, + 1.2.3.10, + 1.2.3.11, + 1.2.3.12, + 1.2.3.13, + 1001:::1000:0::: +}; + +static bool run_local_remove_duplicate_addrs2(int dummy) +{ + struct ip_service test_vector[28]; + int count, i; + + /* Construct the sockaddr_storage test vector. */ + for (i = 0; i 28; i++) { + struct addrinfo hints; + struct addrinfo *res = NULL; + int ret; + + memset(hints, '\0', sizeof(hints)); + hints.ai_flags = AI_NUMERICHOST; + ret = getaddrinfo(remove_duplicate_addrs2_test_strings_vector[i], + NULL, + hints, + res); + if (ret) { + fprintf(stderr, getaddrinfo failed on [%s]\n, + remove_duplicate_addrs2_test_strings_vector[i]); + return false; + } + memset(test_vector[i], '\0', sizeof(test_vector[i])); + memcpy(test_vector[i].ss, + res-ai_addr, +
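Review bot: the proto.h and namequery.c hunks drop `static` from remove_duplicate_addrs2() solely so the torture test can reach it, which is reasonable, but the new declaration copies the stray space in `int count )` from the definition; normalize it to `int count)` and add a one-line comment in proto.h saying the return value is the new entry count, since callers outside namequery.c now depend on that.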
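Review bot: in the torture.c hunk, run_local_remove_duplicate_addrs2() hard-codes the vector length as 28 both in `struct ip_service test_vector[28]` and in the loop bound, while the string vector above it is the real source of truth; use ARRAY_SIZE(remove_duplicate_addrs2_test_strings_vector) for both so a later addition to the vector cannot silently leave entries untested or overrun the array. Within the visible part of the loop, getaddrinfo() allocates `res` and the code copies `res->ai_addr` but never calls freeaddrinfo(res), and the `getaddrinfo failed` path returns false without releasing earlier results either; if the truncated remainder does not free it, add freeaddrinfo(res) after the memcpy. A short comment above the result vector noting that 0.0.0.0 and ::0 are expected to be dropped entirely, not merely deduplicated, would document the bug #8910 behaviour the test pins down.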