Re: [Samba] AD / new auxiliary class / vb script
Hello Matthieu,

1) Yes is a typo sorry.

2) ldbsearch -H ldap://dc_ip --cross-ncs '(ldapdisplayname=iscA)' -U admin%password
give (have to authenticate if it is not work) :

# record 1
dn: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
objectClass: top
objectClass: classSchema
cn: iscA
instanceType: 4
whenCreated: 20120523130147.0Z
whenChanged: 20120523130147.0Z
uSNCreated: 5642
subClassOf: top
governsID: 1.2.840.113556.1.8000.2554.99.1
mayContain: iscA1
rDNAttID: cn
showInAdvancedViewOnly: TRUE
objectClassCategory: 3
lDAPDisplayName: iscA
name: iscA
objectGUID: 39a53446-19e6-4f67-a280-14fce546e475
schemaIDGUID: f0a54822-d855-40b1-8afd-421933f5824d
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLOLORCWOWDSDDTDTSW;;;DA)(A;;RPWPC
 RCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=o
 rg
defaultObjectCategory: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
uSNChanged: 5643
distinguishedName: CN=iscA,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org

# returned 1 records
# 1 entries
# 0 referrals

3) ldbsearch -H ldap://dc_ip --cross-ncs '(auxiliaryClass=iscA)' -U admin%password
give

# record 1
dn: CN=User,CN=Schema,CN=Configuration,DC=sc,DC=isc84,DC=org
objectClass: top
objectClass: classSchema
cn: User
instanceType: 4
whenCreated: 20120523124800.0Z
uSNCreated: 1787
subClassOf: organizationalPerson
governsID: 1.2.840.113556.1.5.9
mayContain: msSFU30NisDomain
mayContain: msSFU30Name
mayContain: msDS-SourceObjectDN
mayContain: x500uniqueIdentifier
mayContain: userSMIMECertificate
mayContain: userPKCS12
mayContain: uid
mayContain: secretary
mayContain: roomNumber
mayContain: preferredLanguage
mayContain: photo
mayContain: labeledURI
mayContain: jpegPhoto
mayContain: homePostalAddress
mayContain: givenName
mayContain: employeeType
mayContain: employeeNumber
mayContain: displayName
mayContain: departmentNumber
mayContain: carLicense
mayContain: audio
rDNAttID: cn
showInAdvancedViewOnly: TRUE
adminDisplayName: User
adminDescription: User
objectClassCategory: 1
lDAPDisplayName: user
name: User
objectGUID: 399ff624-5ec8-4379-8f6a-09cdf0bd0594
schemaIDGUID: bf967aba-0de6-11d0-a285-00aa003049e2
systemOnly: FALSE
systemPossSuperiors: builtinDomain
systemPossSuperiors: organizationalUnit
systemPossSuperiors: domainDNS
systemMayContain: msTSPrimaryDesktop
systemMayContain: msTSSecondaryDesktops
systemMayContain: msPKI-CredentialRoamingTokens
systemMayContain: msDS-ResultantPSO
systemMayContain: msTSLSProperty01
systemMayContain: msTSLSProperty02
systemMayContain: msTSManagingLS2
systemMayContain: msTSManagingLS3
systemMayContain: msTSManagingLS4
systemMayContain: msTSLicenseVersion2
systemMayContain: msTSLicenseVersion3
systemMayContain: msTSLicenseVersion4
systemMayContain: msTSExpireDate2
systemMayContain: msTSExpireDate3
systemMayContain: msTSExpireDate4
systemMayContain: msDS-AuthenticatedAtDC
systemMayContain: msDS-UserPasswordExpiryTimeComputed
systemMayContain: msTSManagingLS
systemMayContain: msTSLicenseVersion
systemMayContain: msTSExpireDate
systemMayContain: msTSProperty02
systemMayContain: msTSProperty01
systemMayContain: msTSInitialProgram
systemMayContain: msTSWorkDirectory
systemMayContain: msTSDefaultToMainPrinter
systemMayContain: msTSConnectPrinterDrives
systemMayContain: msTSConnectClientDrives
systemMayContain: msTSBrokenConnectionAction
systemMayContain: msTSReconnectionAction
systemMayContain: msTSMaxIdleTime
systemMayContain: msTSMaxConnectionTime
systemMayContain: msTSMaxDisconnectionTime
systemMayContain: msTSRemoteControl
systemMayContain: msTSAllowLogon
systemMayContain: msTSHomeDrive
systemMayContain: msTSHomeDirectory
systemMayContain: msTSProfilePath
systemMayContain: msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon
systemMayContain: msDS-FailedInteractiveLogonCount
systemMayContain: msDS-LastFailedInteractiveLogonTime
systemMayContain: msDS-LastSuccessfulInteractiveLogonTime
systemMayContain: msRADIUS-SavedFramedIpv6Route
systemMayContain: msRADIUS-FramedIpv6Route
systemMayContain: msRADIUS-SavedFramedIpv6Prefix
systemMayContain: msRADIUS-FramedIpv6Prefix
systemMayContain: msRADIUS-SavedFramedInterfaceId
systemMayContain: msRADIUS-FramedInterfaceId
systemMayContain: msPKIAccountCredentials
systemMayContain: msPKIDPAPIMasterKeys
systemMayContain: msPKIRoamingTimeStamp
systemMayContain: msDS-SupportedEncryptionTypes
systemMayContain: msDS-SecondaryKrbTgtNumber
systemMayContain: pager
systemMayContain: o
systemMayContain: mobile
systemMayContain: manager
systemMayContain: mail
systemMayContain: initials
systemMayContain: homePhone
systemMayContain: businessCategory
systemMayContain: userCertificate
systemMayContain: userWorkstations
systemMayContain: userSharedFolderOther
systemMayContain: userSharedFolder
systemMayContain: userPrincipalName
systemMayContain: userParameters
systemMayContain: userAccountControl
systemMayContain: unicodePwd
systemMayContain: terminalServer
Re: [Samba] Solaris 11 ZFS - acl_xattr still needed ?
Then POSIX ACLs are still the way to go for the moment, though ZFS ACL's seems pretty robust.

Volker, may I ask what is the trend now: are people switching to ACEs now or still stick with POSIX ?

Dragos

On Tue, May 22, 2012 at 2:16 PM, Volker Lendecke <volker.lende...@sernet.de> wrote:
> On Tue, May 22, 2012 at 02:12:02PM +0300, Pacher Dragos wrote:
>> Seems reasonable, zfsacl stores the ACE's natively compared to acl_xattr
>> that makes use of extended attributes. It seems that the big players
>> (Oracle, IBM) made their own tools.
>> Any idea of the strict mapping completeness among zfsacl and acl_xattr ?
>
> Closer than posix acls, but depending on your requirements
> still pretty bad for some aspects of ACLs. In particular
> inheritance based things are not covered properly, and chown
> operations have very different semantics.
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-37-0, fax: +49-551-37-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kont...@sernet.de

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba4 : Problem setting folder and file permissions from windows box
Hi, this is my first message here. I need help, the reason is in the title.

The version running is SAMBA_4.0.0ALPHA18_DEVELOPERBUILD

It was running just fine until I had (for some reason) to transfer all the system (ubuntu 11.10 server) to another clean hard drive. I used

rsync -rltgoHDv /olddriveroot /newdriveroot

to copy the files, and installed grub on the new disk.

Now the problem is that samba4 works, domain users can log on and access files, but the permissions have been reset to some basic values (different from all the ones I had set before), and I can not change them at all from a windows7 box as I could before. When I apply the changes, it takes a while to process the files, then the basic permissions are set again (my changes lost).

Here is my /usr/local/samba/etc/smb.conf :

[global]
    interfaces = 127.0.0.1/8 192.168.1.0/24
    server role = domain controller
    workgroup = ACEIUBUNTU
    realm = ACEI2
    netbios name = ubuntuserveur
    passdb backend = samba4
    security = ADS
    domain master = yes
    local master = yes
    wins support = yes
    browseable = yes
    log file = /var/log/samba/smbd.log
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=4096 SO_SNDBUF=4096

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/acei2/scripts
    read only = no

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = no

[profiles]
    path = /usr/local/samba/var/profiles
    read only = no

[homes]
    path = /home/windows
    read only = no

The AD database is readable, since I can edit users and computers with the administration toolkit from windows7 box.

/usr/local/samba/bin/testparm gives the following result :

Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [netlogon]
Processing section [sysvol]
Processing section [profiles]
Processing section [homes]
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC
Press enter to see a dump of your service definitions

[global]
    workgroup = ACEIUBUNTU
    realm = ACEI2
    interfaces = 127.0.0.1/8, 192.168.1.0/24
    server role = domain controller
    security = ADS
    passdb backend = samba4
    log file = /var/log/samba/smbd.log
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=4096 SO_SNDBUF=4096
    domain master = Yes
    wins support = Yes
    idmap config * : backend = tdb

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/acei2/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[profiles]
    path = /usr/local/samba/var/profiles
    read only = No

[homes]
    path = /home/windows
    read only = No

Also, user_xattr and acl are enabled on the ext4 file system, and the home folder on which I can not set permission has root:users ownership with rwx rights (which was working before).

Since it is a recopy from a working system, maybe there is a problem with some file permission on the linux system, but I have searched a lot without finding any solution.

Any help would be greatly appreciated.

Regards,
micmac

--
View this message in context: http://samba.2283325.n4.nabble.com/Samba4-Problem-setting-folder-and-file-permissions-from-windows-box-tp4632038.html
Sent from the Samba - General mailing list archive at Nabble.com.
[Samba] Samba as member of multi domain AD (nss/pam)
Hi list,

I'm looking for someone out there, using samba as a member server in a multi-domain Active Directory forest (maybe even with nss_/pam_winbind for unix users/groups).

It took quite a long time to get things working at all here, and we're still not really comfortable with our current solution (especially the unix nss/pam part).

I'd be glad if someone out there was interested in exchanging information on that topic. So please don't hesitate to contact me, if you are :)

Bye,
Marcel
Re: [Samba] Samba as member of multi domain AD (nss/pam)
On 24/05/12 10:06, Marcel Ritter wrote:
> Hi list,
>
> I'm looking for someone out there, using samba as a member server in a
> multi-domain Active Directory forest (maybe even with nss_/pam_winbind
> for unix users/groups).
>
> It took quite a long time to get things working at all here, and we're
> still not really comfortable with our current solution (especially the
> unix nss/pam part).
>
> I'd be glad if someone out there was interested in exchanging
> information on that topic. So please don't hesitate to contact me, if
> you are :)
>
> Bye,
> Marcel

Hi Marcel

Not as part of a multi domain no but we have bypassed winbind in favour of storing attributes in the directory instead of an external winbind mapping. It works fine using nss-pam-ldapd (I think this is libnss-ldapd and libpam-ldapd on Debian). It's not officially supported but it works a treat.

http://linuxcostablanca.blogspot.com.es/p/s4bind.html

Cheers and hth a bit with your nss qn.
Steve
Re: [Samba] multi home dir locations
On 23-5-2012 19:50, steve wrote:
> On 05/23/2012 07:22 PM, Muhammad Yousuf Khan wrote:
>> check this.
>>
>> [ProfileShare]
>>     comment = Roaming Profile Share
>>     path = /nas/users/%D/%U
>>     valid users = %U
>>     read only = No
>>     guest ok = No
>>     browseable = yes
>>     root preexec = /scripts/smbmkdir.sh %D %U
>>     create mask = 4770
>>     directory mask = 4770
>>     store dos attributes = Yes
>>     map archive = No
>>     map system = No
>>     map hidden = No
>>     map readonly = no
>>
>> smbmkdir.sh
>>
>> #!/bin/bash
>> # $1 = domain (%D), $2 = user (%U), as passed by "root preexec"
>> if [ ! -e "/nas/users/$1/$2" ]; then
>>     mkdir -p "/nas/users/$1/$2"
>>     chown "$2":admin-grp "/nas/users/$1/$2"
>>     chmod 4770 "/nas/users/$1/$2"
>> fi
>> exit 0
>>
>> On Wed, May 23, 2012 at 8:28 PM, steve <st...@steve-ss.com> wrote:
>>> On 05/23/2012 03:56 PM, Collen wrote:
>>>> Hi all,
>>>>
>>>> i've got samba 3.6 joined to a ad domain (s4 in this case) running
>>>> winbind all looks ok, but i ran into a problem (for us that is)
>>>>
>>>> i've got 2 groups (students and employes) who have there home dirs
>>>> in 2 different places.
>>>>
>>>> /home/students/user
>>>> /home/employ/user
>>>
>>> +1
>>> It's not just you: we have s3 connected to an s4 domain and we want e.g.
>>>
>>> /home2/students/year7
>>> /home2/students/year7/year7a/student
>>> /home2/students/year7/year7b/student
>>> /home2/staff
>>> /home2/staffteacher
>>>
>>> Under winbind we cannot see how to do it. So we have used the new
>>> nss-pam-ldapd instead and store the unixHomeDirectory in the
>>> directory. As it's available in both the 2008 and s4 schema it works
>>> quickly and efficiently. With the homeDirectory [share] and
>>> unixHomeDirectory being mapped by ldapd it works fine. Just like
>>> under 2008r2.
>>>
>>> I Really do think we should look into this being standard. Winbind
>>> has done a good job since 2000 but unless it can cope with new
>>> ideas. . . I'm sure it can. It's just not as easy.
>>>
>>> Please contact us personally for full details.
>>> Cheers,
>>> Steve.
>>> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
>
> Thanks that's a good idea, but nope. It doesn't work in winbind:
> I want a student who has a home directory in
> /home2/DOMAIN/students/year7/student-name
> and a teacher who has a home directory in:
> path = /home2/DOMAIN/staffstaff name
>
> I can't do that with winbind. As both unixHomeDirectory and the
> homeDirectory attributes are available in the 2008r2 and Samba4
> schemas, why not simply write the values _you_ want into the directory
> and map it using nss-ldapd? As m$ make it available, surely this is
> what they intend us to do.
> Cheers,
> Steve

Thx that was indeed the way I was looking for.

but how can i make it default ? that when i add a user it also has the objectclass - posixaccount ??

in the user manager from windows ad, i see the unix attributes, but can't alter them

also when I look at the users with ldap, i have to add the posixaccount objectclass before i can enter a unixhomedir

can i add a default objectclass to the users layer ??

anyway, thx for putting me on the right track...

Cheers,
Collen
Re: [Samba] Samba4 : Problem setting folder and file permissions from windows box
I have just tried to set permissions on folders present inside profiles share, and there it works! I can add users, change permissions and so on.

The ownership of /usr/local/samba/var/profiles is also root:users with same rights as my /home/windows folder (which is homes share). So I don't get why I can set permissions and edit users in the profiles share, and not in the homes share.

/home is not on a separate partition, everything is on the same partition, so not a filesystem issue.

hope it can help to pinpoint the issue...

micmac
Re: [Samba] Samba4 : Problem setting folder and file permissions from windows box
Ok it seems I have to also copy the extended attributes from the original folders.

Does anybody know how to copy xattr from some file/folder to another ? (I think it's still in the subject and could be useful to anyone wanting to move files to another drive, right ?)...

The ideal would be knowing how to copy a file or a folder, together with its extended attributes, and also how to copy extended attributes from existing files/folders to other files/folders.

micmac
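Added example, not part of the original message and not Samba code: the rsync options quoted earlier in this thread (-rltgoHDv) do not include -X/--xattrs or -A/--acls, so extended attributes were not carried to the new drive. The Python code below reports which xattrs differ between two trees and copies them; it assumes Linux and Python 3, needs root to write security.* or trusted.* names, and every function name in it is this example's own.

```python
import errno
import os


def read_xattrs(path):
    """Return {name: value} for the xattrs of path, without following symlinks."""
    return {name: os.getxattr(path, name, follow_symlinks=False)
            for name in os.listxattr(path, follow_symlinks=False)}


def copy_xattrs(src, dst):
    """Copy every xattr of src onto dst.

    Returns (copied, refused); refused holds (name, errno-name) pairs, for
    example EPERM for security.* without root or ENOTSUP when the
    destination filesystem is mounted without xattr support.
    """
    copied, refused = [], []
    for name in os.listxattr(src, follow_symlinks=False):
        try:
            value = os.getxattr(src, name, follow_symlinks=False)
            os.setxattr(dst, name, value, follow_symlinks=False)
            copied.append(name)
        except OSError as exc:
            refused.append((name, errno.errorcode.get(exc.errno, str(exc.errno))))
    return copied, refused


def iter_tree(root):
    """Yield paths relative to root: '.', every directory and every file."""
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        yield rel_dir
        for filename in filenames:
            yield os.path.normpath(os.path.join(rel_dir, filename))


def missing_xattrs(src_root, dst_root):
    """Map relative path -> xattr names that the copy lacks or holds with another value."""
    report = {}
    for rel in iter_tree(src_root):
        dst = os.path.join(dst_root, rel)
        if not os.path.lexists(dst):
            continue  # file was not copied at all; out of scope here
        want = read_xattrs(os.path.join(src_root, rel))
        have = read_xattrs(dst)
        diff = sorted(n for n, v in want.items() if have.get(n) != v)
        if diff:
            report[rel] = diff
    return report


def copy_tree_xattrs(src_root, dst_root):
    """Copy xattrs for every path present in both trees; return what was refused."""
    refused = {}
    for rel in iter_tree(src_root):
        dst = os.path.join(dst_root, rel)
        if os.path.lexists(dst):
            _copied, bad = copy_xattrs(os.path.join(src_root, rel), dst)
            if bad:
                refused[rel] = bad
    return refused


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        old_root, new_root = sys.argv[1:3]
        print("differing before copy:", missing_xattrs(old_root, new_root))
        print("refused during copy:  ", copy_tree_xattrs(old_root, new_root))
        print("differing after copy: ", missing_xattrs(old_root, new_root))
```

Run it as root with the old and new roots as arguments; an empty "differing after copy" dictionary means both trees carry the same attribute names and values.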
Re: [Samba] Restricting access to [homes]
On 05/23/2012 09:39 PM, NdK wrote:
> On 23/05/2012 15:30, steve wrote:
>> If the gidNumber for the gid is stored in AD (as the 2008 and samba4
>> schema allow) then there can be no clash. It is then no problem in
>> extracting it and applying it using normal /etc/nsswitch.conf format.
>
> The AD schema is still 2003. And who manages it thinks the world is
> Win-only :( It's easier to talk a mountain into moving itself than
> making 'em change a single bit in the schema...
> [...]

snip

Hi Diego

I think the schema we use (Samba4) is m$ supplied. Our devs fought to get it out of them a few months ago. It is 2008 and/or 2008r2. It certainly has all the rfc2307 stuff that Linux needs out of the box. It has objectClasses posixGroup and posixAccount and all the attributes that go with them.

We tried winbind, but the mappings uid:gid just don't work for us. It seems a pity to have this all available in the schema but still recommend external winbind mappings. But we are very novice in all this.

Cheers,
Steve
Re: [Samba] Restricting access to [homes]
On 05/23/2012 11:46 PM, Jonathan Buzzard wrote:
> NdK wrote:
>> On 23/05/2012 15:30, steve wrote:
>>> If the gidNumber for the gid is stored in AD (as the 2008 and samba4
>>> schema allow) then there can be no clash. It is then no problem in
>>> extracting it and applying it using normal /etc/nsswitch.conf format.
>>
>> The AD schema is still 2003. And who manages it thinks the world is
>> Win-only :( It's easier to talk a mountain into moving itself than
>> making 'em change a single bit in the schema...
>
> Surely it is at least 2003 R2, in which case the scheme has been
> extended (the update to R2 does it whether you want it or not) and all
> the fields are waiting to be populated :-)
>
> JAB.

It is 2008r2. We have the rfc2307 objectClasses and attributes built in. Let's use them!

Cheers,
Steve
[Samba] Samba 4 Re-provisioning
What's best practice when it comes to changing a samba4 provision, without screwing current domain objects (users, computers, policy etc)?

If, for example, I wanted to change the DNS from internal to external bind9, is it just a case of re-running 'provision' with the different command line option or will that mangle the domain sid etc?

Cheers,
Mike.

--
Any question is easy if you know the answer!
Re: [Samba] mount.cifs Is it possible to have a file owned by the user who creates the file?
On Thu, 17 May 2012 14:37:00 +0200 steve <st...@steve-ss.com> wrote:
> On 05/17/2012 02:34 AM, Jeff Layton wrote:
>> On Wed, 16 May 2012 17:30:23 +0200 steve <st...@steve-ss.com> wrote:
>>> On 05/16/2012 02:56 PM, steve wrote:
>>>> Hi
>>>> e.g.
>>>> mount.cifs //192.168.1.6/reports /mnt -o rw,setuids,nodev,user=steve2
>>>>
>>>> Any file created in the share is always owned by steve2 (or the
>>>> person who mounted the share). According to man cifs(8), the
>>>> setuids overrides this but doesn't seem to work for us.
>>>>
>>>> We'd like it to be the same behavior as nfs if that's possible.
>>>>
>>>> Version 4.0.0alpha21-GIT-46a41d0 with s3fs
>>>> Cheers,
>>>> Steve
>>>
>>> CORRECTION:
>>> It _looks_ as though it's owned by the person specified as user
>>> _when in the share_ but the actual file (the unmounted file) is
>>> always owned by root.
>>> Steve
>>
>> Sadly, permissions enforcement and handling in cifs.ko are badly
>> broken by default. The only way to do this properly is to switch to
>> using multiuser mounts. Have a look at the multiuser option in
>> mount.cifs(8) and cifscreds(1).
>>
>> Cheers,
>
> Hi Jeff
> Thanks for the confirmation. Strangely, I found by accident that using
> the .gvfs smb:// mount in Nautilus does actually create user owned
> files. I'm sure that there must be a catch there somewhere though:

AFAIK, the .gvfs stuff uses a libsmbclient fuse-based fs. Apples and oranges here...

> kinit Administrator
> mount.cifs -o rw,uid=308,sec=krb5 //server/share /somewhere

Calling mount.cifs directly isn't recommended. It's a mount helper that's intended to only be called from /bin/mount.

> produces uid 308 files no matter who accesses the share. Leaving off
> the uid= creates files as uid=root. Maybe the .gvfs is doing what you
> described on a who-ever-is-logged-in-and-access's-it basis?

That's correct behavior. If you've specified uid= which tells the client to forcibly override all of the uids in the inodes with the value you provided. It can't do that on the server however. All the server sees is a call to create a file that came from the client by Administrator. That probably doesn't match up to uid 308 on the server, which is why you see the mismatch.

What you may want to do is to instead use -o sec=krb5,multiuser, which will make cifs.ko switch to multiuser mode. In that mode, each uid on the client that accesses the mount will do so using their own credentials and (most importantly) the client won't try to enforce permissions locally. It does mean that every user who accesses the mount will need a krb5 ticket however instead of every user sharing the same set of credentials.

--
Jeff Layton <jlay...@samba.org>
[Samba] Linux to Windows Interoperability
Hello,

Currently using a freely available MS Windows file system driver, Ext2Fsd, to communicate (read/write) with external media formatted EXT3 (Linux volume) from within MS Windows.

Curious to know if Samba is able to support communication (read/write) with external media formatted EXT3 (Linux volume) from within the MS Windows environment?

Looking forward to your reply. Thanks.

Best,
Matthew Knecht
516-346-7264
Re: [Samba] Linux to Windows Interoperability
> Curious to know if Samba is able to support communication (read/write)
> with external media formatted EXT3 (Linux volume) from within the MS
> Windows environment?

I am not sure samba works on a windows machine. I mean you would have to disable the Server service and probably a few more since Samba replaces these.

John
Re: [Samba] Linux to Windows Interoperability
If you are thinking about storing the files on a linux ext3 partition, then it is possible, but the access will be case sensitive.

From: John Drescher <dresche...@gmail.com>
To: Knecht, Matthew J (AS) <matthew.kne...@ngc.com>
Cc: samba@lists.samba.org; samba-techni...@lists.samba.org; mail...@lists.samba.org
Sent: Thursday, May 24, 2012 3:32 PM
Subject: Re: [Samba] Linux to Windows Interoperability

>> Curious to know if Samba is able to support communication (read/write)
>> with external media formatted EXT3 (Linux volume) from within the MS
>> Windows environment?
>
> I am not sure samba works on a windows machine. I mean you would have
> to disable the Server service and probably a few more since Samba
> replaces these.
>
> John
Re: [Samba] Samba compilation issue - trick
In fact, that makes sense- why recompile multiple times if you don't need to do. It should be fine as long as the dependent libraries versions (e.g. glibc, openldap, kerberos etc) are the same or at least close enough. If you had a library mismatch you would probably find that out as soon as you ran it.

It is odd though- if your environments are the same then the compilation should not have been an issue.

On 05/24/12 01:20, prabu.muru...@emc.com wrote:
> Hi,
>
> I have just copied the compiled samba directory from other machine :).
> 3.4.17 is working now and it joined to AD domain too.
>
> I know it is not the correct procedure. Do you think it will create
> any issue in future?
>
> -Prabu
[Samba] cannot execute .exe files from a share
Hello,

I've seen this error on the mailing list but no solutions.

Problem: No user can execute an .exe file from a group share under any windows version (wXP til Windows 7).

Permissions: Every user can read, write, delete, etc in that share. I've chmoded 777 the file but for nothing. The user can copy the .exe file to another location like desktop and then can execute it (is a portable application) with no problems.

Strange behaviour: The most strange is that if a user copies the .exe file to their 'home' (his private share on the samba server) then they CAN run it!

Another clue: the admin users of the share CAN execute the .exe file

CONFIGURATION

It's a standalone server joined on a Windows 2003 domain

[global]
    workgroup = HCG
    realm = SOME.ACTIVEDIRECTORY.DOMAIN
    server string = Servidor de Datos
    security = ADS
    map to guest = Bad User
    obey pam restrictions = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    domain master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    template shell = /bin/bash
    winbind separator = /
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap config * : range = 1-2
    idmap config * : backend = tdb
    printing = bsd

[homes]
    comment = Directorio personal
    path = /home/%S
    valid users = %S
    force group = users
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No

[administracio]
    path = /home/administracio
    valid users = @administracio
    admin users = ds
    read only = No
    create mask = 0660
    directory mask = 0770
    inherit acls = Yes
    inherit owner = Yes
    vfs objects = acl_xattr, full_audit
    full_audit:priority = notice
    full_audit:facility = local7
    full_audit:failure = connect
    full_audit:success = rmdir rename unlink
    full_audit:prefix = Administracio|%u|%m

So a user of @administracio group can execute .exe files in its home share but NOT the same .exe file in [administracio] share. Except user 'ds' that it is an admin user of the share.

ls -l /home/administracio/program.exe
-rwxrwxrwx 1 administrador administracio 582656 may 23 13:26 /home/administracio/program.exe

ls -l /home
drwxrws--- 56 administrador administracio 4096 may 24 15:01 administracio

(although chmoding 777 /home/administracio doesn't work).

Samba version 3.6.3

Thank you!

--
beavies at gmail dot com
Re: [Samba] Samba4 : Problem setting folder and file permissions from windows box
I found a Python script that can copy the xattr from one file to another, sadly it didn't help at all...

I'm completely desperate about a solution... and apparently people don't care at all about what I'm saying on this list.

Here is the script, if it can be of use to some: http://game-sat.com/~brian/xattr.copy

micmac
[Samba] Samba / LDAP : map uid to another field ?
Hi!

I have an OpenLDAP where users' DNs are in the form « uid=P1234,ou=people,dc=example,dc=com » and where the login is in the « eduPersonPrincipalName » attribute (ex: jdoe). I have configured my system (Debian Squeeze) to authenticate against LDAP (libpam-ldapd + libnss-ldapd with a mapping uid-eduPersonPrincipalName); if I do « ssh jdoe@server », it works great.

Now I want to give a Samba share to these users, so I configured Samba (3.5.6) to connect to LDAP, but I cannot authenticate with eduPersonPrincipalName; if I use the « uid », it works. I have searched for a mapping option in samba but I didn't find one... Is it possible to map the « uid » attribute to another attribute? If yes, how?

Here is the smb.conf:

[global]
    server string = %h server
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://192.168.102.153;
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    domain logons = Yes
    domain master = Yes
    dns proxy = No
    ldap admin dn = cn=admin,dc=example,dc=fr
    ldap group suffix = ou=groups
    ldap passwd sync = yes
    ldap suffix = dc=example,dc=fr
    ldap ssl = no
    ldap user suffix = ou=people
    ldap debug level = 1
    ldap debug threshold = 1
    panic action = /usr/share/samba/panic-action %d

[netlogon]
    path = /srv/samba/netlogon
    write list = P1234
    browseable = No

[profiles]
    path = /srv/samba/export/profiles
    valid users = %U
    read only = No
    create mask = 0600
    directory mask = 0700
    profile acls = Yes
    browseable = No

[homes]
    comment = Home Directories
    valid users = %S
    create mask = 0700
    directory mask = 0700
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

Here is the slapd log, which shows the use of uid:

May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 ACCEPT from IP= 192.168.102.153:55825 (IP=0.0.0.0:389)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn=cn=admin,dc=example,dc=fr method=128
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn=cn=admin,dc=example,dc=fr mech=SIMPLE ssf=0
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 RESULT tag=97 err=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH base= scope=0 deref=0 filter=(objectClass=*)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH attr=supportedControl
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH base=dc=example,dc=fr scope=2 deref=0 filter=((uid=sderosiaux)(objectClass=sambaSamAccount))
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 fd=19 closed (connection lost)

Thanks for advice,
Sylvain
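To read a slapd trace like the one in the post above, the sketch below (an added example, not code from the thread or from the Samba or OpenLDAP projects) pairs each passdb SRCH with its SEARCH RESULT and reports lookups that returned no entry, plus simple binds logged with ssf=0, that is, without TLS or a SASL security layer. The function names and the conn=1150 sample lines are assumptions made for the example.

```python
import re

# conn=1149 lines are copied from the slapd excerpt in the post above;
# conn=1150 lines are constructed for contrast (a lookup that succeeds).
SAMPLE_LOG = """\
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn=cn=admin,dc=example,dc=fr method=128
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 BIND dn=cn=admin,dc=example,dc=fr mech=SIMPLE ssf=0
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=0 RESULT tag=97 err=0 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SRCH base= scope=0 deref=0 filter=(objectClass=*)
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SRCH base=dc=example,dc=fr scope=2 deref=0 filter=((uid=sderosiaux)(objectClass=sambaSamAccount))
May 24 15:34:08 docs-test slapd[623]: conn=1149 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 24 15:35:10 docs-test slapd[623]: conn=1150 op=0 BIND dn="cn=admin,dc=example,dc=fr" mech=SIMPLE ssf=0
May 24 15:35:10 docs-test slapd[623]: conn=1150 op=1 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(&(uid=P1234)(objectClass=sambaSamAccount))"
May 24 15:35:10 docs-test slapd[623]: conn=1150 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LINE_RE = re.compile(
    r"slapd\[\d+\]: conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")
# slapd normally quotes dn/base/filter; the excerpt shows them unquoted,
# so the patterns accept both forms.
BIND_RE = re.compile(
    r'^BIND dn="?(?P<dn>[^"]*?)"? mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
SRCH_RE = re.compile(
    r'^SRCH base="?[^"]*?"? scope=\d deref=\d filter="?(?P<filter>.*?)"?$')
RESULT_RE = re.compile(r"^SEARCH RESULT tag=101 err=\d+ nentries=(?P<n>\d+)")
ASSERT_RE = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")


def account_assertions(ldap_filter):
    """Return the (attribute, value) pairs of a filter, minus objectClass."""
    return [(attr, value) for attr, value in ASSERT_RE.findall(ldap_filter)
            if attr.lower() != "objectclass"]


def analyze(log_text):
    """Summarise what a passdb client asked slapd for and how it bound."""
    cleartext_binds = []   # (conn, dn): simple bind with no protection layer
    pending = {}           # (conn, op) -> filter waiting for its result line
    empty_lookups = []     # sambaSamAccount searches that matched nothing

    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest").strip()

        bind = BIND_RE.match(rest)
        if bind:
            # mech=SIMPLE with ssf=0 means the bind password was sent
            # without TLS or a SASL layer on this connection.
            if bind["mech"].upper() == "SIMPLE" and int(bind["ssf"]) == 0:
                cleartext_binds.append((conn, bind["dn"]))
            continue

        search = SRCH_RE.match(rest)
        if search:
            pending[(conn, op)] = search["filter"]
            continue

        result = RESULT_RE.match(rest)
        if result:
            flt = pending.pop((conn, op), None)
            if (flt and "sambasamaccount" in flt.lower()
                    and int(result["n"]) == 0):
                empty_lookups.append({
                    "conn": conn,
                    "filter": flt,
                    "tried": account_assertions(flt),
                })

    return {"cleartext_simple_binds": cleartext_binds,
            "empty_passdb_lookups": empty_lookups}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for conn, dn in report["cleartext_simple_binds"]:
        print(f"conn={conn}: simple bind as {dn} with ssf=0")
    for item in report["empty_passdb_lookups"]:
        print(f"conn={item['conn']}: no sambaSamAccount for {item['tried']}")
```

On the excerpt this reports that the only attribute Samba searched on was uid, and that the admin DN bound with a simple bind over an unprotected connection, which matches the `ldap ssl = no` setting in the posted smb.conf.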
Re: [Samba] cannot execute .exe files from a share
Try to set the sticky bit for the group on this share.

Good Luck
Daniel

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of BeavieS
Sent: Thursday, 24 May 2012 15:31
To: samba@lists.samba.org
Subject: [Samba] cannot execute .exe files from a share

Hello, I've seen this error on the mailing list but no solutions.

Problem: No user can execute an .exe file from a group share under any Windows version (wXP till Windows 7).

Permissions: Every user can read, write, delete, etc. in that share. I've chmoded 777 the file but for nothing. The user can copy the .exe file to another location like the desktop and then can execute it (it is a portable application) with no problems.

Strange behaviour: The strangest thing is that if a user copies the .exe file to their 'home' (his private share on the samba server) then they CAN run it!

Another clue: the admin users of the share CAN execute the .exe file.

CONFIGURATION

It's a standalone server joined to a Windows 2003 domain.

[global]
    workgroup = HCG
    realm = SOME.ACTIVEDIRECTORY.DOMAIN
    server string = Servidor de Datos
    security = ADS
    map to guest = Bad User
    obey pam restrictions = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    domain master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    template shell = /bin/bash
    winbind separator = /
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap config * : range = 1-2
    idmap config * : backend = tdb
    printing = bsd

[homes]
    comment = Directorio personal
    path = /home/%S
    valid users = %S
    force group = users
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No

[administracio]
    path = /home/administracio
    valid users = @administracio
    admin users = ds
    read only = No
    create mask = 0660
    directory mask = 0770
    inherit acls = Yes
    inherit owner = Yes
    vfs objects = acl_xattr, full_audit
    full_audit:priority = notice
    full_audit:facility = local7
    full_audit:failure = connect
    full_audit:success = rmdir rename unlink
    full_audit:prefix = Administracio|%u|%m

So a user of the @administracio group can execute .exe files in their home share but NOT the same .exe file in the [administracio] share. Except user 'ds', who is an admin user of the share.

ls -l /home/administracio/program.exe
-rwxrwxrwx 1 administrador administracio 582656 may 23 13:26 /home/administracio/program.exe

ls -l /home
drwxrws--- 56 administrador administracio 4096 may 24 15:01 administracio

(although chmoding 777 /home/administracio doesn't work).

Samba version 3.6.3

Thank you!
-- beavies at gmail dot com
Re: [Samba] Linux to Windows Interoperability
On Wed, May 23, 2012 at 9:13 AM, Knecht, Matthew J (AS) matthew.kne...@ngc.com wrote:

Hello, Currently using a freely available MS Windows file system driver, Ext2Fsd, to communicate (read/write) with external media formatted EXT3 (Linux volume) from within MS Windows. Curious to know if Samba is able to support communication (read/write) with external media formatted EXT3 (Linux volume) from within the MS Windows environment?

That's not really how smb/cifs work. Samba is a network server process that (among other things) translates whatever local filesystems your operating system supports into a network filesystem that OS's that have a smb/cifs client can use. It does not directly support any filesystems itself, that's your OS's job. Even if somehow one were to make Samba work on windows, which is pointless since windows already has a smb/cifs server built in, it would NOT add ext3 support to windows.
Re: [Samba] Samba / LDAP : map uid to another field ?
I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the map attribute directive to map eduPersonPrincipalName to uid. Both logins would then authenticate against uid.
Re: [Samba] cannot execute .exe files from a share
-----Original Message-----
From: BeavieS [mailto:beav...@gmail.com]
Sent: 24 May 2012 14:31

Hello, I've seen this error on the mailing list but no solutions.

Problem: No user can execute an .exe file from a group share under any Windows version (wXP till Windows 7).

Permissions: Every user can read, write, delete, etc. in that share. I've chmoded 777 the file but for nothing. The user can copy the .exe file to another location like the desktop and then can execute it (it is a portable application) with no problems.

Strange behaviour: The strangest thing is that if a user copies the .exe file to their 'home' (his private share on the samba server) then they CAN run it!

Another clue: the admin users of the share CAN execute the .exe file.

CONFIGURATION

It's a standalone server joined to a Windows 2003 domain.

[global]
    workgroup = HCG
    realm = SOME.ACTIVEDIRECTORY.DOMAIN
    server string = Servidor de Datos
    security = ADS
    map to guest = Bad User
    obey pam restrictions = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes
    domain master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    template shell = /bin/bash
    winbind separator = /
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap config * : range = 1-2
    idmap config * : backend = tdb
    printing = bsd

[homes]
    comment = Directorio personal
    path = /home/%S
    valid users = %S
    force group = users
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No

[administracio]
    path = /home/administracio
    valid users = @administracio
    admin users = ds
    read only = No
    create mask = 0660
    directory mask = 0770
    inherit acls = Yes
    inherit owner = Yes
    vfs objects = acl_xattr, full_audit
    full_audit:priority = notice
    full_audit:facility = local7
    full_audit:failure = connect
    full_audit:success = rmdir rename unlink
    full_audit:prefix = Administracio|%u|%m

So a user of the @administracio group can execute .exe files in their home share but NOT the same .exe file in the [administracio] share. Except user 'ds', who is an admin user of the share.

ls -l /home/administracio/program.exe
-rwxrwxrwx 1 administrador administracio 582656 may 23 13:26 /home/administracio/program.exe

ls -l /home
drwxrws--- 56 administrador administracio 4096 may 24 15:01 administracio

(although chmoding 777 /home/administracio doesn't work).

Samba version 3.6.3

I'm sure I saw this problem a long time ago - now to see if I can remember the solution... Windows security settings? It identifies the file as being remote (or possibly Local-intranet) and Windows is set to not trust remote files.

Moray.
To err is human; to purr, feline.
Re: [Samba] Samba 3.5 to 3.6
same problem here with a pc not in the same workgroup/domain

we had no problems to access the server with user/password from other workgroup since update to 3.6.3 - now the user can't access and samba logs the error:

[2012/05/24 15:54:12.124757, 1] auth/server_info.c:391(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-133745353-162177866-37141012-513) does not match the domain sid(S-1-5-21-71619937-141952100-153857936) for bgsystem(S-1-5-21-71619937-141951100-153857936-4306)

with the correct user/password access to the share should always be granted! with two windows pc's this would work too. is there a way to turn the consistency off or switch to the old behavior?
Re: [Samba] cannot execute .exe files from a share
On 24.05.2012 15:30, BeavieS wrote:

Problem: No user can execute an .exe file from a group share under any windows version (wXP til Windows 7).

Check your Internet Explorer (yes, IE) Security-Settings and if you are connecting to the share via the server IP add the IP to the IE trusted sites. Some time ago my users had problems opening Office Files. This was caused by the IE-Security settings. The users were connected to the share via IP instead of the server's netbios name, so Windows thought the file was downloaded from the Internet and blocked it.

Best regards
Denis
Re: [Samba] Samba4 : Problem setting folder and file permissions from windows box
On 05/24/2012 03:39 PM, micmac wrote:

I found a Python script that can copy the xattr from one file to another, sadly it didn't help at all... I'm completely desperate about a solution... and apparently people don't care at all about what I'm saying on this list. Here is the script, if it can be of use to some: http://game-sat.com/~brian/xattr.copy micmac

Hi

I think you may be looking at the same bug as us: https://bugzilla.samba.org/show_bug.cgi?id=8938

Briefly: posix to windows and windows to posix doesn't work at the moment. I feel sure we are on the edge of an imminent fix. Please add your test-case to 3938 if you think it relevant.

Cheers,
Steve
Re: [Samba] Samba / LDAP : map uid to another field ?
Unfortunately, I cannot do this since the two attributes have different meanings and are used in other applications, so maybe with a local LDAP replica and use of your trick it will work. I will try if there are no Samba solutions. Thanks :)

2012/5/24 miguelmeda...@sapo.pt

I am not sure if you can act on the samba side. Maybe you should think the other way around. You can map one attribute to another inside the LDAP server. You would use the map attribute directive to map eduPersonPrincipalName to uid. Both logins would then authenticate against uid.
[Samba] Lots of NT_STATUS_OBJECT_NAME_COLLISION errors, harmless?
Hello all,

I'm attempting to set up a small Windows network using Samba as the PDC (and the only server involved). Clients are running Windows 7 (x86_64) and the server is running Debian Squeeze with samba 3.5.6. For now I'm just using tdbsam as the passwd backend.

The problem I have is that I see lots of errors involving NT_STATUS_OBJECT_NAME_COLLISION, here's an example at login time for user pre500 with roaming profiles enabled:

[2012/05/24 15:36:15.038884, 3] smbd/dosmode.c:166(unix_mode)
  unix_mode(pre500.V2) returning 0700
[2012/05/24 15:36:15.038902, 2] smbd/open.c:2505(open_directory)
  open_directory: unable to create pre500.V2. Error was NT_STATUS_OBJECT_NAME_COLLISION
[2012/05/24 15:36:15.038925, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/error.c(153) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_COLLISION

And similar errors at logout for every directory within the profile:

[2012/05/24 15:36:15.975852, 3] smbd/dosmode.c:166(unix_mode)
  unix_mode(pre500.V2/AppData/Roaming/Microsoft/Windows/Start Menu) returning 0700
[2012/05/24 15:36:15.975870, 2] smbd/open.c:2505(open_directory)
  open_directory: unable to create pre500.V2/AppData/Roaming/Microsoft/Windows/Start Menu. Error was NT_STATUS_OBJECT_NAME_COLLISION
[2012/05/24 15:36:15.975888, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/error.c(153) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_COLLISION

The unix user can access, create and delete files/directories within the profiles directory without issue directly on the samba server itself and the directories quoted in the error messages already exist with the correct owner.

Here's my global and profile share config in case it shows any obvious errors:

[global]
    security = user
    workgroup = YNIC
    netbios name = SAMBA
    os level = 99
    preferred master = yes
    domain master = yes
    domain logons = Yes
    wins support = yes
    name resolve order = wins hosts bcast
    interfaces = 144.32.169.120
    bind interfaces only = true
    encrypt passwords = yes
    username map = /etc/samba/smbusers
    # management scripts pruned
    passdb backend = tdbsam
    logon path = \\%L\profiles\%U
    log level = 4

[profiles]
    path = /srv/samba/profiles
    comment = roaming profiles
    read only = no
    store dos attributes = yes
    create mask = 0600
    directory mask = 0700
    browseable = no
    guest ok = no
    printable = no
    profile acls = yes
    csc policy = disable

So far, even with these errors, I haven't observed any failures from the client although my testing so far has been severely limited. Would anyone be able to confirm if these errors are something I should be concerned about or if they are purely cosmetic and can be safely ignored?

Much appreciated,
Paul.

-- Paul Elliott, UNIX Systems Administrator
York Neuroimaging Centre, University of York
Re: [Samba] Samba 4 Re-provisioning
If all you are trying to do is rebuild (or migrate) your DNS without boffing the rest of your current domain, you should be able to use:

/usr/local/samba/sbin/samba_upgradedns --dns-backend=BIND9_DLZ --verbose

I just used this to convert my flat-file back-end over to DLZ. I DON'T know if it understands pulling your zone out of the internal server and converting it to bind9.

On Thu, May 24, 2012 at 6:30 AM, Mike Howard m...@dewberryfields.co.uk wrote:

What's best practice when it comes to changing a samba4 provision, without screwing current domain objects (users, computers, policy etc)? If, for example, I wanted to change the DNS from internal to external bind9, is it just a case of re-running 'provision' with the different command line option or will that mangle the domain sid etc?

Cheers,
Mike.
-- Any question is easy if you know the answer!

-- Charles Tryon
“Risks are not to be evaluated in terms of the probability of success, but in terms of the value of the goal.” - Ralph D. Winter
[Samba] exported LDAP DB file smbpasswd?
Hi all,

I am using OpenLDAP and have over ~800 users in its DB. I would like to simply use Samba as a file server, no PDC. I have been able to export my LDAP DB to a file containing hashes of users' passwords. Is there a way I can import this file to smbpasswd or other file that Samba understands so that my 800 some odd users won't have to re-register their passwords? I would really love to avoid having 800 annoyed users retyping their passwords for accessing shares. I have them currently authenticating on Windows via an LDAP client (pGina).

- aurf
Re: [Samba] exported LDAP DB file smbpasswd?
Presumably with the PGINA/LDAP solution, the hash method is something unix-compatible (e.g. unix crypt+md5, or SSHA) that is hard to break with a password cracking program? Are the LDAP transmissions done in the clear? If so, you could sniff the traffic and capture the passwords. (You may not consider this ethical.) Either way, if you had a database of plain text passwords you could then create the NTLM passwords for each user.

You could try configuring samba to permit plain text passwords for authentication. I think (but not sure) that you could then configure samba to use pam authentication (the same way a unix login would.) But you would then need to configure all the Windows PC's to support plain text passwords.

On 05/24/12 16:25, aurfalien wrote:

Hi all, I am using OpenLDAP and have over ~800 users in its DB. I would like to simply use Samba as a file server, no PDC. I have been able to export my LDAP DB to a file containing hashes of users' passwords. Is there a way I can import this file to smbpasswd or other file that Samba understands so that my 800 some odd users won't have to re-register their passwords? I would really love to avoid having 800 annoyed users retyping their passwords for accessing shares. I have them currently authenticating on Windows via an LDAP client (pGina). - aurf
Re: [Samba] exported LDAP DB file smbpasswd?
Hi Gaiseric,

I tried w/o success in configuring Samba + PAM last night. Do you know now of any documentation that would help?

- aurf

On May 24, 2012, at 5:35 PM, Gaiseric Vandal wrote:

Presumably with the PGINA/LDAP solution, the hash method is something unix-compatible (e.g. unix crypt+md5, or SSHA) that is hard to break with a password cracking program? Are the LDAP transmissions done in the clear? If so, you could sniff the traffic and capture the passwords. (You may not consider this ethical.) Either way, if you had a database of plain text passwords you could then create the NTLM passwords for each user.

You could try configuring samba to permit plain text passwords for authentication. I think (but not sure) that you could then configure samba to use pam authentication (the same way a unix login would.) But you would then need to configure all the Windows PC's to support plain text passwords.

On 05/24/12 16:25, aurfalien wrote:

Hi all, I am using OpenLDAP and have over ~800 users in its DB. I would like to simply use Samba as a file server, no PDC. I have been able to export my LDAP DB to a file containing hashes of users' passwords. Is there a way I can import this file to smbpasswd or other file that Samba understands so that my 800 some odd users won't have to re-register their passwords? I would really love to avoid having 800 annoyed users retyping their passwords for accessing shares. I have them currently authenticating on Windows via an LDAP client (pGina). - aurf
Re: [Samba] exported LDAP DB file smbpasswd?
Just what is in the documentation on samba.org. Anything involving plain-text authentication seems to be discouraged.

On 05/24/12 17:56, aurfalien wrote:

Hi Gaiseric, I tried w/o success in configuring Samba + PAM last night. Do you know now of any documentation that would help? - aurf

On May 24, 2012, at 5:35 PM, Gaiseric Vandal wrote:

Presumably with the PGINA/LDAP solution, the hash method is something unix-compatible (e.g. unix crypt+md5, or SSHA) that is hard to break with a password cracking program? Are the LDAP transmissions done in the clear? If so, you could sniff the traffic and capture the passwords. (You may not consider this ethical.) Either way, if you had a database of plain text passwords you could then create the NTLM passwords for each user.

You could try configuring samba to permit plain text passwords for authentication. I think (but not sure) that you could then configure samba to use pam authentication (the same way a unix login would.) But you would then need to configure all the Windows PC's to support plain text passwords.

On 05/24/12 16:25, aurfalien wrote:

Hi all, I am using OpenLDAP and have over ~800 users in its DB. I would like to simply use Samba as a file server, no PDC. I have been able to export my LDAP DB to a file containing hashes of users' passwords. Is there a way I can import this file to smbpasswd or other file that Samba understands so that my 800 some odd users won't have to re-register their passwords? I would really love to avoid having 800 annoyed users retyping their passwords for accessing shares. I have them currently authenticating on Windows via an LDAP client (pGina). - aurf
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via e33bf32 selftest: Run only the samba3 tests on builds without the AD DC
  via 9633ec0 WHATSNEW: Move to document changes for beta1
  via abb2c7f s4-provision: Make s3fs the default way to install a new Samba4 DC
  via 22cd4bc s4-selftest: Always delete the user at the end of test_passwords.sh
  from f52afa9 dlz_bind9: Make the talloc destructor static and return 0.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit e33bf32ba3538032f95afbcd4b7e11c6ec6cb226
Author: Andrew Bartlett abart...@samba.org
Date: Thu May 24 16:53:34 2012 +1000

    selftest: Run only the samba3 tests on builds without the AD DC

    Autobuild-User: Andrew Bartlett abart...@samba.org
    Autobuild-Date: Thu May 24 11:51:40 CEST 2012 on sn-devel-104

commit 9633ec0c8605d6cfa43cc4a688f2ce9195f99bf1
Author: Andrew Bartlett abart...@samba.org
Date: Thu May 24 16:30:00 2012 +1000

    WHATSNEW: Move to document changes for beta1

    This is not the beta1 release, but this is the preparation for such a release.

    Andrew Bartlett

commit abb2c7fef466f973a871661a3a96c75f8c3afc0d
Author: Andrew Bartlett abart...@samba.org
Date: Thu May 24 14:56:27 2012 +1000

    s4-provision: Make s3fs the default way to install a new Samba4 DC

    With s3fs now well settled into master, we now throw the switch and make it the default. There is still much to do, but we need to be using s3fs by default to find out exactly what that is.

    Andrew Bartlett

commit 22cd4bcc9e8367c6871512f4c96033c7836e2c41
Author: Andrew Bartlett abart...@samba.org
Date: Thu May 24 13:37:09 2012 +1000

    s4-selftest: Always delete the user at the end of test_passwords.sh

    If this test is run in the dc environment (rather than dc:local) it would not delete the test user.
Andrew Bartlett --- Summary of changes: WHATSNEW.txt | 108 -- selftest/target/Samba4.pm|1 + selftest/wscript |7 ++- source4/setup/provision |4 +- testprogs/blackbox/test_passwords.sh |2 +- 5 files changed, 61 insertions(+), 61 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8798a87..41e6055 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,4 @@ -What's new in Samba 4 alpha20 +What's new in Samba 4 beta1 = Samba 4.0 will be the next version of the Samba suite and incorporates 
@@ -7,48 +7,36 @@ stable 3.x series. The primary additional features over Samba 3.6 are support for the Active Directory logon protocols used by Windows 2000 and above. -SECURITY RELEASE - - -This is a security release in order to address CVE-2012-2111 -(Incorrect permission checks when granting/removing privileges can -compromise file server security). - -o CVE-2012-2111: - Samba 3.4.x to 3.6.4 are affected by a - vulnerability that allows arbitrary users - to modify privileges on a file server. - -This is in regards to the smbd file server, which is shipped in Samba -4.0 alpha. The AD DC is not directly impacted, as the LSA -implementation differs. WARNINGS -Samba4 alpha20 is not a final Samba release, however we are now making +Samba4 beta1 is not a final Samba release, however we are now making good progress towards a Samba 4.0 release, of which this is a preview. -Be aware the this release contains both the technology of Samba 3.6 -(that you can reasonably expect to upgrade existing Samba 3.x releases -to) and the AD domain controller work previously known as 'samba4'. - -While binaries for the stable file server are provided in this -release, for a stable, supported file server, Samba3 domain or AD -domain member installation, please run a Samba 3.x release, as we are -still bedding down the new single build system. +Be aware the this release contains the best of all of Samba's +technology parts, both a file server (that you can reasonably expect +to upgrade existing Samba 3.x releases to) and the AD domain +controller work previously known as 'samba4'. Samba4 is subjected to an awesome battery of tests on an automated basis, we have found Samba 4.0 to be very stable in it's behavior. However, we still recommend against upgrading production servers from Samba 3.x release to Samba 4.0 alpha at this stage. +In particular note that the new default configuration 's3fs' may have +different stability characteristics compared with our previous default +file server. 
We are making this release so that we can find and fix +any of these issues that arise in the real world. AD DC installations +can provision with --use-ntvfs to obtain the previous default file +server. + If you are
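Review bot: In the second WHATSNEW.txt hunk the unchanged context line still reads "from Samba 3.x release to Samba 4.0 alpha at this stage", which now contradicts the "What's new in Samba 4 beta1" heading and the "Samba4 beta1 is not a final Samba release" line that this patch introduces; that sentence should name the beta as well. The rewritten paragraph also carries over the typo "Be aware the this release". The hunk deletes the CVE-2012-2111 notice outright, so if that fix ships in beta1 the notes should still say so somewhere, and the new 's3fs' warning points at --use-ntvfs without saying whether that choice can be made after provisioning, which readers of a stability warning will want to know.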
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via a95b2ba s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()
  via 758d612 s3:smbd/msdfs: pass 'allow_broken_path' to get_referred_path()
  via a92f717 s3:smbd/msdfs: let create_conn_struct() also fake the 'smbd_server_connection'
  via 0733183 s3:smbd/files: work without sconn->file_bmap and assign fsp->fnum = -1
  via 768004b s3:smbd/files: fix error path and correctly cleanup
  from e33bf32 selftest: Run only the samba3 tests on builds without the AD DC

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit a95b2ba043ce843149fef4821cc25823c53cf994
Author: Stefan Metzmacher me...@samba.org
Date: Wed May 23 13:22:47 2012 +0200

    s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard()

    metze

    Autobuild-User: Stefan Metzmacher me...@samba.org
    Autobuild-Date: Thu May 24 16:14:01 CEST 2012 on sn-devel-104

commit 758d61201f7b51da6ce74aee2d18c5125d72522e
Author: Stefan Metzmacher me...@samba.org
Date: Wed May 23 13:09:40 2012 +0200

    s3:smbd/msdfs: pass 'allow_broken_path' to get_referred_path()

    Note the DCERPC code should not be smb2 specific! I wonder why this is at all smb2 specific...

    metze

commit a92f7176bd7f198a547952142b7d361a9b4e9146
Author: Stefan Metzmacher me...@samba.org
Date: Wed May 23 13:06:55 2012 +0200

    s3:smbd/msdfs: let create_conn_struct() also fake the 'smbd_server_connection'

    metze

commit 0733183594dbd3ce07ddaf9e1fcf8102b80fc605
Author: Stefan Metzmacher me...@samba.org
Date: Thu May 24 10:43:56 2012 +0200

    s3:smbd/files: work without sconn->file_bmap and assign fsp->fnum = -1

    For faked connection_structs we do not need valid fnum values, e.g. in the dfs and printing code.
metze commit 768004b11d396edfafaee90c7c710722376ff2e6 Author: Stefan Metzmacher me...@samba.org Date: Thu May 24 11:22:11 2012 +0200 s3:smbd/files: fix error path and correctly cleanup metze --- Summary of changes: source3/modules/vfs_default.c |4 +- source3/printing/nt_printing.c| 15 +- source3/rpc_server/dfs/srv_dfs_nt.c | 11 +++-- source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 10 +++- source3/smbd/filename.c |2 + source3/smbd/files.c | 76 +--- source3/smbd/msdfs.c | 55 +++-- source3/smbd/proto.h | 16 +++--- source3/smbd/trans2.c |1 + 9 files changed, 128 insertions(+), 62 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index 887dbcb..8908508 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -22,6 +22,7 @@ #include system/time.h #include system/filesys.h #include smbd/smbd.h +#include smbd/globals.h #include ntioctl.h #include smbprofile.h #include ../libcli/security/security.h @@ -209,7 +210,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle, } /* The following call can change cwd. */ - status = get_referred_path(r, pathnamep, handle-conn-sconn, + status = get_referred_path(r, pathnamep, + !handle-conn-sconn-using_smb2, junction, consumedcnt, self_referral); if (!NT_STATUS_IS_OK(status)) { vfs_ChDir(handle-conn, handle-conn-connectpath); diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c index 96947f1..f52b6ae 100644 --- a/source3/printing/nt_printing.c +++ b/source3/printing/nt_printing.c @@ -616,7 +616,10 @@ static uint32 get_correct_cversion(struct auth_session_info *session_info, return -1; } - nt_status = create_conn_struct(talloc_tos(), smbd_server_conn, conn, + nt_status = create_conn_struct(talloc_tos(), + server_event_context(), + server_messaging_context(), + conn, printdollar_snum, lp_pathname(printdollar_snum), session_info, oldcwd); 
@@ -1000,7 +1003,10 @@ WERROR move_driver_to_download_area(struct auth_session_info *session_info, return WERR_NO_SUCH_SHARE; } - nt_status = create_conn_struct(talloc_tos(), smbd_server_conn, conn, + nt_status = create_conn_struct(talloc_tos(), + server_event_context(), + server_messaging_context(), + conn,
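Review bot: in the vfswrap_get_dfs_referrals() hunk of source3/modules/vfs_default.c, the new third argument to get_referred_path() is the negated using_smb2 flag of the connection, so the call site gives no hint that this boolean is the 'allow_broken_path' parameter named in the commit subject. Assign it to a local named allow_broken_path, or add a one-line comment, before the call. The commit message for 758d612 itself asks why this is SMB2 specific, and that open question belongs next to the code. The two create_conn_struct() hunks in source3/printing/nt_printing.c now repeat the same server_event_context(), server_messaging_context() argument pair, which is worth a small wrapper if more callers follow.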
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b452fb3 waf: for MIT krb5 build require kerberos version above 1.9 via 72029d5 s3-smbldap: Add API for external callback to perform LDAP bind in smbldap via 838435ab3 s4/scripting: in MIT build do not install samba-tool, it is not usable yet via ca2b625 s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache via dc3f74a auth/credentials: 'workgroup' set via command line will not drop existing ccache from a95b2ba s3:smbd/msdfs: pass allow_broken_path to resolve_dfspath_wcard() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b452fb30f79c5effa508b891bcb453de8f452286 Author: Alexander Bokovoy a...@samba.org Date: Thu May 24 16:28:31 2012 +0300 waf: for MIT krb5 build require kerberos version above 1.9 MIT krb5 implementation provides sufficient support for features used in Samba 4 starting with 1.9. Require version above when using system MIT krb5 build. Autobuild-User: Alexander Bokovoy a...@samba.org Autobuild-Date: Thu May 24 18:15:36 CEST 2012 on sn-devel-104 commit 72029d5547766787afb0a76c3959d1820388e28e Author: Alexander Bokovoy a...@samba.org Date: Thu May 24 15:38:41 2012 +0300 s3-smbldap: Add API for external callback to perform LDAP bind in smbldap In order to support other bind methods, introduce a generic bind callback. When smbldap_state.bind_callback is set, it means there is an alternative way to perform LDAP bind to ldap_simple_bind_s() so call it instead. The call is wrapped in become_root()/unbecome_root() to allow proper permissions in smbd to access needed resources in the callback, for example, credential caches. When run outside smbd, become_root()/unbecome_root() are no-op. The API expectation is similar to ldap_simple_bind_s(). A caller of smbldap API can pass additional information to the callback by setting smbldap_state.bind_callback_data pointer. 
Both callback and the data pointer elements of smbldap_state structure get cleaned up if someone sets proper credentials on smbldap_state with smbldap_set_creds() so if you are interested in using smbldap_state.bind_dn with the callback, make sure to set callback after credentials are set. commit 838435ab30c03e5db7eb1e80f486528231dffdfc Author: Alexander Bokovoy a...@samba.org Date: Thu May 24 15:24:12 2012 +0300 s4/scripting: in MIT build do not install samba-tool, it is not usable yet commit ca2b6259b7f0787eb372b56076e63413f530ec12 Author: Andrew Bartlett abart...@samba.org Date: Thu May 24 13:36:20 2012 +1000 s4-selftest: Demonstrate the correct behaviour between specified usernames and kerberos ccache This shows that a username/password on the command line must always override any credentials cache in the environment. Andrew Bartlett commit dc3f74a953de0fcf9b3f693efe2ba8dea7b93da9 Author: Alexander Bokovoy a...@samba.org Date: Thu May 24 15:17:40 2012 +0300 auth/credentials: 'workgroup' set via command line will not drop existing ccache The root cause for existing ccache being invalidated was use of global loadparm with 'workgroup' value set as if from command line. However, we don't really need to take 'workgroup' parameter value's nature into account when invalidating existing ccache. When -U is used on the command line, one can specify a password to force ccache invalidation. The commit also reverts previous fix now that root cause is clear. --- Summary of changes: auth/credentials/credentials.c |6 +- auth/credentials/credentials_krb5.c | 14 ++ source3/include/smbldap.h|2 ++ source3/lib/smbldap.c| 20 +++- source4/scripting/bin/wscript_build |4 +--- source4/scripting/wscript_build |7 +++ testprogs/blackbox/test_kinit.sh |1 - testprogs/blackbox/test_passwords.sh |8 wscript_configure_system_mitkrb5 |9 - 9 files changed, 48 insertions(+), 23 deletions(-) Changeset truncated at 500 lines: 
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 3eaccde..05f0a62 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -483,7 +483,11 @@ _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred, * calculations */ cred-domain = strupper_talloc(cred, val); cred-domain_obtained = obtained; - cli_credentials_invalidate_ccache(cred, cred-domain_obtained); + /* setting domain does not mean we have to invalidate ccache +* because domain in not used for
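Review bot: the comment added in cli_credentials_set_domain() reads "domain in not used", which should be "domain is not used". Because this hunk drops the cli_credentials_invalidate_ccache() call, that comment is the only in-code record of why an existing ccache stays valid after the domain changes. It should state the reasoning in full and name the blackbox test that covers it (the summary lists testprogs/blackbox/test_passwords.sh and test_kinit.sh as changed).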
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b5e9ece s3:smbd: remove global 'smbd_server_conn' !!! via 288a75d s3:smbd: only call file_init_global() in the parent smbd via 9e45885 s3:smbd/files: split file_init_global() out of file_init() via 48e62f2 s3:smbd: remove unused var in smbXsrv_connection_init_tables() via 0beede3 s4:smb_server/smb: fix talloc_free() bug from b452fb3 waf: for MIT krb5 build require kerberos version above 1.9 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b5e9ece1f3936d2221480169713042019e34a276 Author: Stefan Metzmacher me...@samba.org Date: Thu May 24 13:46:11 2012 +0200 s3:smbd: remove global 'smbd_server_conn' !!! For now we still use a global 'global_smbXsrv_connection' in order to pass the connection state to exit_server*(). metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Thu May 24 20:07:20 CEST 2012 on sn-devel-104 commit 288a75d8dc4b17c92da22e0e04f622c593bd5df7 Author: Stefan Metzmacher me...@samba.org Date: Thu May 24 12:26:46 2012 +0200 s3:smbd: only call file_init_global() in the parent smbd metze commit 9e45885fcc54fa16e947b5b6370f171c2c7bfaf2 Author: Stefan Metzmacher me...@samba.org Date: Thu May 24 12:20:30 2012 +0200 s3:smbd/files: split file_init_global() out of file_init() metze commit 48e62f2d46a39b09ac0bcad84493b12381bb5a05 Author: Stefan Metzmacher me...@samba.org Date: Thu May 24 12:41:20 2012 +0200 s3:smbd: remove unused var in smbXsrv_connection_init_tables() metze commit 0beede33a7034d63912bed301e3e7340f8d2ea86 Author: Stefan Metzmacher me...@samba.org Date: Thu May 24 11:57:02 2012 +0200 s4:smb_server/smb: fix talloc_free() bug ERROR: talloc_free with references at ../source4/smb_server/smb/receive.c:637 reference at ../source4/ntvfs/posix/pvfs_wait.c:86 metze --- Summary of changes: source3/smbd/files.c | 47 +++- source3/smbd/globals.c | 11 +--- source3/smbd/globals.h |2 +- source3/smbd/process.c | 55 - source3/smbd/proto.h |5 +++- source3/smbd/server.c| 33 ++ 
source3/smbd/server_exit.c | 10 +- source4/smb_server/smb/receive.c |2 +- 8 files changed, 105 insertions(+), 60 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/files.c b/source3/smbd/files.c index ae34006..fcdd740 100644 --- a/source3/smbd/files.c +++ b/source3/smbd/files.c 
@@ -189,38 +189,59 @@ void file_close_pid(struct smbd_server_connection *sconn, uint16 smbpid, Initialise file structures. / -bool file_init(struct smbd_server_connection *sconn) +static int files_max_open_fds; + +bool file_init_global(void) { - int request_max_open_files = lp_max_open_files(); + int request_max = lp_max_open_files(); int real_lim; + int real_max; + + if (files_max_open_fds != 0) { + return true; + } /* * Set the max_open files to be the requested * max plus a fudgefactor to allow for the extra * fd's we need such as log files etc... */ - real_lim = set_maxfiles(request_max_open_files + MAX_OPEN_FUDGEFACTOR); + real_lim = set_maxfiles(request_max + MAX_OPEN_FUDGEFACTOR); - sconn-real_max_open_files = real_lim - MAX_OPEN_FUDGEFACTOR; + real_max = real_lim - MAX_OPEN_FUDGEFACTOR; - if (sconn-real_max_open_files + FILE_HANDLE_OFFSET + MAX_OPEN_PIPES -65536) - sconn-real_max_open_files = - 65536 - FILE_HANDLE_OFFSET - MAX_OPEN_PIPES; + if (real_max + FILE_HANDLE_OFFSET + MAX_OPEN_PIPES 65536) { + real_max = 65536 - FILE_HANDLE_OFFSET - MAX_OPEN_PIPES; + } - if(sconn-real_max_open_files != request_max_open_files) { - DEBUG(1, (file_init: Information only: requested %d + if (real_max != request_max) { + DEBUG(1, (file_init_global: Information only: requested %d open files, %d are available.\n, - request_max_open_files, sconn-real_max_open_files)); + request_max, real_max)); } - SMB_ASSERT(sconn-real_max_open_files 100); + SMB_ASSERT(real_max 100); - sconn-file_bmap = bitmap_talloc(sconn, sconn-real_max_open_files); + files_max_open_fds = real_max; + return true; +} +bool file_init(struct smbd_server_connection *sconn) +{ + bool ok; + + ok = file_init_global(); + if (!ok) { +
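Review bot: file_init_global() in source3/smbd/files.c returns true on every visible path, so the new "ok = file_init_global(); if (!ok)" check in file_init() can never fire, while an unusable limit is handled by the SMB_ASSERT on real_max, which aborts instead of reporting failure. Either make the function void, or return false when real_max is too small and let the caller decide. The early return on "files_max_open_fds != 0" also means a later change to lp_max_open_files() is ignored after the first call, which deserves a comment above the new static variable.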
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 64ddb66 s3:smbd/signing: use smbd_server_connection as talloc parent for its smb1 signing state via 074991c s3-passdb: Fix negative SID-uid/gid/both cache handling from b5e9ece s3:smbd: remove global 'smbd_server_conn' !!! http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 64ddb668843554725eb7cddc862c8e906f1bbe63 Author: Stefan Metzmacher me...@samba.org Date: Mon Dec 12 13:50:04 2011 +0100 s3:smbd/signing: use smbd_server_connection as talloc parent for its smb1 signing state metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Fri May 25 00:23:53 CEST 2012 on sn-devel-104 commit 074991cefe2b8bb58de869e099379e182fab28b7 Author: Ira Cooper i...@samba.org Date: Wed May 23 21:42:26 2012 -0400 s3-passdb: Fix negative SID-uid/gid/both cache handling -1 uid/gid/both signals a non existent uid/gid/both. Signed-off-by: Stefan Metzmacher me...@samba.org --- Summary of changes: source3/passdb/lookup_sid.c | 14 ++ source3/smbd/signing.c |4 ++-- 2 files changed, 16 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index 4ceba3c..3f8b06d 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -1347,6 +1347,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, } } done: + for (i=0; inum_sids; i++) { + switch(ids[i].type) { + case WBC_ID_TYPE_GID: + case WBC_ID_TYPE_UID: + case WBC_ID_TYPE_BOTH: + if (ids[i].id == -1) { + ids[i].type = ID_TYPE_NOT_SPECIFIED; + } + break; + case WBC_ID_TYPE_NOT_SPECIFIED: + break; + } + } + ret = true; fail: TALLOC_FREE(wbc_ids); diff --git a/source3/smbd/signing.c b/source3/smbd/signing.c index 8e4c50f..f4a8d2a 100644 --- a/source3/smbd/signing.c +++ b/source3/smbd/signing.c 
@@ -186,7 +186,7 @@ bool srv_init_signing(struct smbd_server_connection *conn) struct smbd_shm_signing *s; /* setup the signing state in shared memory */ - s = talloc_zero(server_event_context(), struct smbd_shm_signing); + s = talloc_zero(conn, struct smbd_shm_signing); if (s == NULL) { return false; } @@ -208,7 +208,7 @@ bool srv_init_signing(struct smbd_server_connection *conn) return true; } - conn-smb1.signing_state = smb_signing_init(server_event_context(), + conn-smb1.signing_state = smb_signing_init(conn, allowed, desired, mandatory); if (!conn-smb1.signing_state) { return false; -- Samba Shared Repository
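Review bot: the loop added after the done: label in sids_to_unixids() switches on ids[i].type with WBC_ID_TYPE_GID, WBC_ID_TYPE_UID, WBC_ID_TYPE_BOTH and WBC_ID_TYPE_NOT_SPECIFIED as case labels, but resets the same field with ID_TYPE_NOT_SPECIFIED, so two constant families are mixed on one field. Use the family that matches the declared type of ids[i].type in both places, so the compiler's enum switch checking stays meaningful and the code does not depend on the two sets of values lining up. A short comment on the "ids[i].id == -1" test saying that -1 marks a non-existent uid/gid, as the commit message does, would also help the next reader.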
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via eec4f80 move VERSION to alpha22 via 9ccbe16 WHATSNEW: update for alpha21, and mark as release via 7891ad4 wintest: s3fs is now the default in provision via 1876d63 doc: Explain our build systems for Samba 4.0 from 64ddb66 s3:smbd/signing: use smbd_server_connection as talloc parent for its smb1 signing state http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit eec4f80d613c2c725194a23d208d51a616c3156e Author: Andrew Bartlett abart...@samba.org Date: Fri May 25 10:20:46 2012 +1000 move VERSION to alpha22 We will change this to beta once we both fix the VERSION parsing scripts and we agree that the next release will indeed be the beta. Andrew Bartlett Autobuild-User: Andrew Bartlett abart...@samba.org Autobuild-Date: Fri May 25 04:19:30 CEST 2012 on sn-devel-104 commit 9ccbe1660c466f6c45f6b61a32f6ec5813ccf380 Author: Andrew Bartlett abart...@samba.org Date: Fri May 25 10:17:34 2012 +1000 WHATSNEW: update for alpha21, and mark as release The plan has changed. This will we hope be the last alpha. Andrew Bartlett commit 7891ad478b46d756a6ff402f62bd529f5520434f Author: Andrew Bartlett abart...@samba.org Date: Fri May 25 08:52:47 2012 +1000 wintest: s3fs is now the default in provision commit 1876d63083e3c4c9a4f6112cca423dcf9b00acfe Author: Andrew Bartlett abart...@samba.org Date: Thu May 24 20:31:37 2012 +1000 doc: Explain our build systems for Samba 4.0 --- Summary of changes: BUILD_SYSTEMS.txt| 97 ++ VERSION |2 +- WHATSNEW.txt | 16 wintest/test-s4-howto.py |3 +- 4 files changed, 107 insertions(+), 11 deletions(-) create mode 100644 BUILD_SYSTEMS.txt Changeset truncated at 500 lines: diff --git a/BUILD_SYSTEMS.txt b/BUILD_SYSTEMS.txt new file mode 100644 index 000..2aff56d --- /dev/null +++ b/BUILD_SYSTEMS.txt 
@@ -0,0 +1,97 @@ +BUILDING SAMBA 4.0 +(which build system to use and why) +=== + +The waf build +- + +Samba 4.0 ships with a new build system, based on waf. A background to +this build system can be found at https://wiki.samba.org/index.php/Waf + +This is the build system that is used when you run ./configure make +in the top level of a Samba 4.0 release tree. + +For the vast majority of our users, this is the build system you should +use. It supports parallel and incremental builds, and builds the whole +Samba suite, the file server, the print server, the NT4 domain +controller, winbind, the AD Domain Controller, the client libraries and +the python libraries. + +A key feature for many of our distributors and OEMs is that despite the +range of additional features, the resulting binaries and libraries are +substantially smaller, because we use shared libraries extensively. + +For distributions that have a requirement to use the system-supplied +Kerberos library, we support building against a Heimdal or system MIT +Kerberos library, provided the version is recent enough (otherwise we +will use our internal version of Heimdal). Please note that builds +with MIT krb5 support will not have AD DC features. + +By the time of the first release candidate, we will finish renaming +the binaries that we ship so that where we provide a tool under a name +that was used in Samba 3.x, it continues to behave in the same way it +always has. This will ensure that our change in build system does not +impact on our user's ability to use Samba as they always have. 
+ +For developers, this build system backs a comprehensive 'make test', +which provides code coverage of around 48% of our code by line: +https://build.samba.org/lcov/data/coverage/samba_4_0_test/ + +This build system also implements important features such as ABI +checking (which protects you as users from accidental changes to our +published libraries), symbol versions and dependency checked incremental +rebuilds after header-file changes. + +The waf build also assists developers by providing fully-linked binaries +that run from bin/ without needing to set LD_LIBRARY_PATH. + +For users who do not have python installed on their systems, we provide +a install_with_python.sh script, which will install a local copy of +python sufficient to run the build system, without impacting on the rest +of the system. + +Within this requirement, we expect that this build will run on all our +supported platforms, and will actively deal with any portability issues +that users can bring to our attention. + +For all these reasons, we highly recommend this new build system to all +our users, for whatever purpose you want to put Samba to. + +The autoconf build +-- + +For a small number
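Review bot: two wording slips in the new BUILD_SYSTEMS.txt text: "a install_with_python.sh script" should be "an install_with_python.sh script", and "our user's ability" should be "our users' ability". The "around 48% of our code by line" figure will go stale quickly; consider dropping the number and keeping only the lcov link.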
[SCM] CTDB repository - branch 1.13 updated - ctdb-1.43-5-gc8886ad
The branch, 1.13 has been updated via c8886ad41c80c45619d5eb6e2f95d652b171ca1e (commit) via ea073ef2f73343247e653c7c39f2e0f5e34a0c39 (commit) from b8260448c192c3866bffb99b475a4b3de57f38b3 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.13 - Log - commit c8886ad41c80c45619d5eb6e2f95d652b171ca1e Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Fri May 25 12:31:11 2012 +1000 RECOVERY: Increase the time we allow before timing out recovery related tasks. If the system is temporarily taking unusually long to perform these tasks it is better to wait a lot longer and allow the tasks to complete than timing out repeatedly and then becoming banned. commit ea073ef2f73343247e653c7c39f2e0f5e34a0c39 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Fri May 25 12:27:59 2012 +1000 RECOVER: When we pull databases during recovery, we used to reallocate the databuffer for each entry added. This would normally not be an issue, but for cases where memory is fragmented, this could start to cost significant cpu if we need to reallocate and move to a different region. Change this to instead preallocate, by default, 10MByte chunks to the data buffer. This significantly reduces the number of potential reallocate and move operations that may be required. Create a tunable to override/change how much preallocation should be used. --- Summary of changes: include/ctdb_private.h |1 + server/ctdb_recover.c |7 ++- server/ctdb_recoverd.c |7 ++- server/ctdb_tunables.c |5 +++-- 4 files changed, 16 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/include/ctdb_private.h b/include/ctdb_private.h index 0f494b4..7c3fdf0 100644 --- a/include/ctdb_private.h +++ b/include/ctdb_private.h @@ -134,6 +134,7 @@ struct ctdb_tunable { uint32_t db_record_count_warn; uint32_t db_record_size_warn; uint32_t db_size_warn; + uint32_t pulldb_preallocation_size; }; /* diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c index 05f72f9..e54312f 100644 
--- a/server/ctdb_recover.c +++ b/server/ctdb_recover.c @@ -348,6 +348,7 @@ struct pulldb_data { struct ctdb_db_context *ctdb_db; struct ctdb_marshall_buffer *pulldata; uint32_t len; + uint32_t allocated_len; bool failed; }; @@ -364,7 +365,10 @@ static int traverse_pulldb(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, params-failed = true; return -1; } - params-pulldata = talloc_realloc_size(NULL, params-pulldata, rec-length + params-len); + if (params-len + rec-length = params-allocated_len) { + params-allocated_len = rec-length + params-len + ctdb-tunable.pulldb_preallocation_size; + params-pulldata = talloc_realloc_size(NULL, params-pulldata, params-allocated_len); + } if (params-pulldata == NULL) { DEBUG(DEBUG_CRIT,(__location__ Failed to expand pulldb_data to %u\n, rec-length + params-len)); ctdb_fatal(params-ctdb, failed to allocate memory for recovery. shutting down\n); @@ -414,6 +418,7 @@ int32_t ctdb_control_pull_db(struct ctdb_context *ctdb, TDB_DATA indata, TDB_DAT params.ctdb_db = ctdb_db; params.pulldata = reply; params.len = offsetof(struct ctdb_marshall_buffer, data); + params.allocated_len = params.len; params.failed = false; if (ctdb_db-unhealthy_reason) { diff --git a/server/ctdb_recoverd.c b/server/ctdb_recoverd.c index f739900..b380746 100644 --- a/server/ctdb_recoverd.c +++ b/server/ctdb_recoverd.c @@ -1178,6 +1178,7 @@ struct recdb_data { struct ctdb_context *ctdb; struct ctdb_marshall_buffer *recdata; uint32_t len; + uint32_t allocated_len; bool failed; bool persistent; }; 
@@ -1206,7 +1207,10 @@ static int traverse_recdb(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, params-failed = true; return -1; } - params-recdata = talloc_realloc_size(NULL, params-recdata, rec-length + params-len); + if (params-len + rec-length = params-allocated_len) { + params-allocated_len = rec-length + params-len + params-ctdb-tunable.pulldb_preallocation_size; + params-recdata = talloc_realloc_size(NULL, params-recdata, params-allocated_len); + } if (params-recdata == NULL) { DEBUG(DEBUG_CRIT,(__location__ Failed to expand recdata to %u (%u records)\n, rec-length + params-len, params-recdata-count)); @@ -1245,6 +1249,7 @@ static int push_recdb_database(struct ctdb_context *ctdb, uint32_t dbid, params.ctdb = ctdb; params.recdata = recdata;
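Review bot: in traverse_pulldb() and traverse_recdb(), the new allocated_len is computed as the record length plus params len plus pulldb_preallocation_size and stored in a uint32_t with no overflow check, so a large tunable value or a large database can wrap the sum and leave the buffer smaller than len plus the record being added. Check the addition for wrap-around before calling talloc_realloc_size() and fail the traverse if it would overflow, and bound pulldb_preallocation_size where the tunable is set. The struct hunks add allocated_len as uint32_t in both pulldb_data and recdb_data, so the same check applies to both call sites.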
[SCM] CTDB repository - branch master updated - ctdb-1.13-183-g03fa2a5
The branch, master has been updated via 03fa2a517247eb2adfba67248e2466f17ea14418 (commit) via 1f262deaad0818f159f9c68330f7fec121679023 (commit) from 6cf6a9b071bd8dd730717ca07ff73bf247bb (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit 03fa2a517247eb2adfba67248e2466f17ea14418 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Fri May 25 12:31:11 2012 +1000 RECOVERY: Increase the time we allow before timing out recovery related tasks. If the system is temporarily taking unusually long to perform these tasks it is better to wait a lot longer and allow the tasks to complete than timing out repeatedly and then becoming banned. commit 1f262deaad0818f159f9c68330f7fec121679023 Author: Ronnie Sahlberg ronniesahlb...@gmail.com Date: Fri May 25 12:27:59 2012 +1000 RECOVER: When we pull databases during recovery, we used to reallocate the databuffer for each entry added. This would normally not be an issue, but for cases where memory is fragmented, this could start to cost significant cpu if we need to reallocate and move to a different region. Change this to instead preallocate, by default, 10MByte chunks to the data buffer. This significantly reduces the number of potential reallocate and move operations that may be required. Create a tunable to override/change how much preallocation should be used. --- Summary of changes: include/ctdb_private.h |1 + server/ctdb_recover.c |7 ++- server/ctdb_recoverd.c |7 ++- server/ctdb_tunables.c |5 +++-- 4 files changed, 16 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/include/ctdb_private.h b/include/ctdb_private.h index 0f494b4..7c3fdf0 100644 --- a/include/ctdb_private.h +++ b/include/ctdb_private.h @@ -134,6 +134,7 @@ struct ctdb_tunable { uint32_t db_record_count_warn; uint32_t db_record_size_warn; uint32_t db_size_warn; + uint32_t pulldb_preallocation_size; }; /* diff --git a/server/ctdb_recover.c b/server/ctdb_recover.c index 05f72f9..e54312f 100644 
--- a/server/ctdb_recover.c +++ b/server/ctdb_recover.c @@ -348,6 +348,7 @@ struct pulldb_data { struct ctdb_db_context *ctdb_db; struct ctdb_marshall_buffer *pulldata; uint32_t len; + uint32_t allocated_len; bool failed; }; @@ -364,7 +365,10 @@ static int traverse_pulldb(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, params-failed = true; return -1; } - params-pulldata = talloc_realloc_size(NULL, params-pulldata, rec-length + params-len); + if (params-len + rec-length = params-allocated_len) { + params-allocated_len = rec-length + params-len + ctdb-tunable.pulldb_preallocation_size; + params-pulldata = talloc_realloc_size(NULL, params-pulldata, params-allocated_len); + } if (params-pulldata == NULL) { DEBUG(DEBUG_CRIT,(__location__ Failed to expand pulldb_data to %u\n, rec-length + params-len)); ctdb_fatal(params-ctdb, failed to allocate memory for recovery. shutting down\n); @@ -414,6 +418,7 @@ int32_t ctdb_control_pull_db(struct ctdb_context *ctdb, TDB_DATA indata, TDB_DAT params.ctdb_db = ctdb_db; params.pulldata = reply; params.len = offsetof(struct ctdb_marshall_buffer, data); + params.allocated_len = params.len; params.failed = false; if (ctdb_db-unhealthy_reason) { diff --git a/server/ctdb_recoverd.c b/server/ctdb_recoverd.c index f739900..b380746 100644 --- a/server/ctdb_recoverd.c +++ b/server/ctdb_recoverd.c @@ -1178,6 +1178,7 @@ struct recdb_data { struct ctdb_context *ctdb; struct ctdb_marshall_buffer *recdata; uint32_t len; + uint32_t allocated_len; bool failed; bool persistent; }; 
@@ -1206,7 +1207,10 @@ static int traverse_recdb(struct tdb_context *tdb, TDB_DATA key, TDB_DATA data, params-failed = true; return -1; } - params-recdata = talloc_realloc_size(NULL, params-recdata, rec-length + params-len); + if (params-len + rec-length = params-allocated_len) { + params-allocated_len = rec-length + params-len + params-ctdb-tunable.pulldb_preallocation_size; + params-recdata = talloc_realloc_size(NULL, params-recdata, params-allocated_len); + } if (params-recdata == NULL) { DEBUG(DEBUG_CRIT,(__location__ Failed to expand recdata to %u (%u records)\n, rec-length + params-len, params-recdata-count)); @@ -1245,6 +1249,7 @@ static int push_recdb_database(struct ctdb_context *ctdb, uint32_t dbid, params.ctdb = ctdb; params.recdata = recdata;
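Review bot: the traverse_pulldb() hunk reads the tunable through a bare ctdb pointer, while the unchanged context just below it passes the ctdb member of params to ctdb_fatal() and the matching traverse_recdb() hunk also goes through params. Confirm that a local ctdb is in scope in traverse_pulldb(), or use the params member there as well for consistency. Both DEBUG messages on the NULL path also still print the record length plus params len, not the allocated_len that was actually requested, so the log would understate the size of the failed allocation.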
[SCM] Samba Shared Repository - annotated tag samba-4.0.0alpha21 created
The annotated tag, samba-4.0.0alpha21 has been created at 881090d61f3d6ffe3fc6be0ee716affa3db5e21d (tag) tagging 9ccbe1660c466f6c45f6b61a32f6ec5813ccf380 (commit) replaces samba-4.0.0alpha20 tagged by Andrew Bartlett on Fri May 25 14:53:57 2012 +1000 - Log - samba4: tag release samba-4.0.0alpha21 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQBPvxBlz4A8Wyi0NrsRAvPKAJ0ScZsNI1GYA9P+m4rg7SP6Wxe44gCggSc2 l/JwJCES8M3Dl0q15TgOZks= =k2bL -END PGP SIGNATURE- Alejandro Escanero Blanco (1): s3:auth/server_info: the primary rid should be in the groups rid array (bug #8798) Alexander Bokovoy (18): s4:ntvfs: add missing headers to vfs_ipc Avoid using Heimdal-specific tests in MIT build s4:torture: auth/pac.c: use Kerberos wrapper for krb5_keyblock_init s4:auth/kerberos: don't do tracing in MIT build lib/krb5_wrap: implement krb5_cc_get_lifetime for MIT Kerberos dns: fix comments and make s4/libcli/resolve dns resolver working s3-passdb: add unixid_from_uid/unixid_from_gid/unixid_from_both API auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials s4: samba-tool is usable without export-keytab command, make sure it does not break Introduce system MIT krb5 build with --with-system-mitkrb5 option. 
libcli/dns: make 'clidns' private library out of DNS code in WAF build wafsamba: ensure TO_LIST does not fail with empty string s3-autoconf: fix typo after migrating DNS resolver code to lib/addns blackbox: fix samba4.blackbox.kinit test auth/credentials: 'workgroup' set via command line will not drop existing ccache s4/scripting: in MIT build do not install samba-tool, it is not usable yet s3-smbldap: Add API for external callback to perform LDAP bind in smbldap waf: for MIT krb5 build require kerberos version above 1.9 Alexander Werth (1): s3:vfs/gpfs: Have inherited deny ACE's show up in ACLs Amitay Isaacs (4): s4-dns: Build BIND DLZ modules with correct private library samba-upgradedns: Use the correct magic incantation of sys.path.insert() dlz_bind9: Fix the named crash on reloading named dlz_bind9: Make the talloc destructor static and return 0. Andreas Schneider (18): krb5samba: Add a smb_krb5_cc_get_lifetime() function. s4-auth: Use smb_krb5_cc_get_lifetime() wrapper. waf: Fix com_err detection with MIT krb5. doc: Fixes for the talloc context tutorial. doc: Fixes for the talloc stealing tutorial. doc: Fixes for the talloc dynamic type system tutorial. doc: Fixes for the talloc destructor tutorial. doc: Fixes for the talloc pool tutorial. doc: Fixes for the talloc debugging tutorial. doc: Fixes for the talloc best practices tutorial. talloc: Update doxygen config. s4-auth: Use smb_krb5_make_pac_checksum. krb5samba: Add smb_krb5_make_pac_checksum. s3-spoolss: Set DWORD values correctly. s3-auth: Don't lookup the system user in pdb. s3-auth: Rename to init_system_session_info(). krb5samba: Add smb_gss_oid_equal wrapper. gse: Use the smb_gss_oid_equal wrapper. 
Andrew Bartlett (78): move VERSION to alpha21 s3-smbd: Use security_session_user_level() rather than nt_token_check_sid() selftest: Enable ACL testing against the s3dc environment selftest: attempt to test samba3hide in a different environment selftest: prepare to run smbtorture tests against plugin_s4_dc selftest: run plugin_s4_dc with 'acl_xattr xattr_tdb streams_depot' VFS modules selftest: Add hideunread share to plugin_s4_dc selftest: Use same pattern for path to share as Samba3.pm file_server: forward dssetup, but use embedded svcctl for s3fs file_server: use embedded eventlog server file_server: use embedded ntsvcs server file_server: Use the embedded winreg server file_server: use embedded srvsvc selftest: change knownfail to cope with running plugin_s4_dc as well selftest: add knownfail entries for plugin_s4_dc tests selftest: mark samba3.raw.acls.inheritance(plugin_s4_dc) as flapping selftest: mark samba3.raw.samba3checkfsp as flapping on plugin_s4_dc selftest: add hooks required for printing to Samba4.pm selftest: Do not start samba4 srvsvc in plugin_s4_dc mode selftest: Run smbtorture tests being run against s3dc against plugin_s4_dc as well selftest: run more raw.samba3 against secshare simple file server file_server: set 'store dos attributes = yes' s4-provision: set 'dcerpc endpoint servers' but not 'vfs objects' selftest: 'store dos attributes = yes' is now set in fileserver.conf testsuite/libsmbclient: Remove unused and expensive-to-link testsuite s4-provision: Fix --use-s3fs to parse