[Samba] Daemon accounts - best practice?
Hello,

I've got a small group of computers with a Linux server running Samba 3.6 acting as PDC. One Windows client runs server software under a local account, and I would like it to transition to using a domain account instead; the primary benefit would be to simplify file ownership across hosts. (I'm aware that having a client acting as a wannabe-server is a not-so-ideal setup, but I'm unfortunately quite stuck with it.)

Question: What's the best way to create service/daemon accounts in Samba?

Thank you for your answers.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] [PATCH] Do not close winbind socket during use
Hi Andrew,

I tried both of your patches (on a 'clean' 4.0.6), and the difference is that samba is not crashing anymore, but winbind seems to be blocked after a wbinfo --uid-info 300, e.g.:

r...@gwnois03.test.ch ~# wbinfo --uid-info 311
TEST\Guest:*:311:312::/home/TEST/Guest:/bin/false
r...@gwnois03.test.ch ~# wbinfo --uid-info 300
no response, infinite timeout

Philippe

-Original Message-
From: Andrew Bartlett [mailto:abart...@samba.org]
Sent: Thursday, June 27, 2013 3:43 AM
To: Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE; me...@samba.org; k...@samba.org
Cc: sa...@samba.org; samba-techni...@samba.org
Subject: [PATCH] Do not close winbind socket during use

On Wed, 2013-06-26 at 20:39 +1000, Andrew Bartlett wrote:
> On Mon, 2013-06-24 at 15:26 +, philippe.simo...@swisscom.com wrote:
> > Hi Andrew, and by putting more num-callers :
> > valgrind --num-callers=50 samba -i -M single
>
> Thanks for getting me that. I've managed to reproduce it here, but not under valgrind, and only when I hack the code to force a timeout. At least this should help me figure out why we process the winbind socket close, which is the crux of this issue.

I think I've found the cause of the issue you are hitting. There is still another issue with the nested event loop in the krb5 libs, but these two patches should help significantly.

As you have had more luck than I in reproducing this in an unaltered setting, please let me know if this helps. Patches are for git master, but may apply to 4.0 as well.

Kai, Metze: In reading the code, I cannot see why the DNS server would not suffer the same issue, if the DNS clients closed its socket. Should we find a more generic way to do this in service_stream, or should just duplicate this? I don't think other servers hit the same issue as they are currently 'blocking' in terms of the socket handler.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] [PATCH] Do not close winbind socket during use
On Thu, 2013-06-27 at 07:14 +, philippe.simo...@swisscom.com wrote:
> Hi Andrew,
>
> I tried both of your patches (on a 'clean' 4.0.6), and the difference is that samba is not crashing anymore, but winbind seems to be blocked after a wbinfo --uid-info 300, e.g.:
>
> r...@gwnois03.test.ch ~# wbinfo --uid-info 311
> TEST\Guest:*:311:312::/home/TEST/Guest:/bin/false
> r...@gwnois03.test.ch ~# wbinfo --uid-info 300
> no response, infinite timeout
>
> Philippe

Can you run it with -d4 and mail me the log (privately), and run it under valgrind again?

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] [PATCH] Do not close winbind socket during use
On Thu, 2013-06-27 at 11:42 +1000, Andrew Bartlett wrote:
> On Wed, 2013-06-26 at 20:39 +1000, Andrew Bartlett wrote:
> > On Mon, 2013-06-24 at 15:26 +, philippe.simo...@swisscom.com wrote:
> > > Hi Andrew, and by putting more num-callers :
> > > valgrind --num-callers=50 samba -i -M single
> >
> > Thanks for getting me that. I've managed to reproduce it here, but not under valgrind, and only when I hack the code to force a timeout. At least this should help me figure out why we process the winbind socket close, which is the crux of this issue.
>
> I think I've found the cause of the issue you are hitting. There is still another issue with the nested event loop in the krb5 libs, but these two patches should help significantly.
>
> As you have had more luck than I in reproducing this in an unaltered setting, please let me know if this helps. Patches are for git master, but may apply to 4.0 as well.

Actually, while they might apply to 4.0, the other changes I earlier in the thread need to be applied first. (They are already in master).

> Kai, Metze: In reading the code, I cannot see why the DNS server would not suffer the same issue, if the DNS clients closed its socket. Should we find a more generic way to do this in service_stream, or should just duplicate this? I don't think other servers hit the same issue as they are currently 'blocking' in terms of the socket handler.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

[Samba] change user password (gui)
Hi all :-)

I configured a small file server (no PDC); I created the users with smbpasswd -a. Now I need to permit users to change their own password (from a GUI). Is there a way to do this?

Thanks!

Pol

Re: [Samba] The problem with setting up AD domain to Samba 4
Hi!

samba-tool doesn't work with the --uid-number option!

root@bdc:/usr/local/samba/var/profiles# ../../bin/samba-tool user add repl4 --uid-number=313
Usage: samba-tool user add username [password] [options]

samba-tool user add: error: no such option: --uid-number

and the internal help for this command does not have this option:

root@bdc:/usr/local/samba/var/profiles# ../../bin/samba-tool user add --help
Usage: samba-tool user add username [password] [options]

Create a new user.

This command creates a new user account in the Active Directory domain. The username specified on the command is the sAMaccountName.

User accounts may represent physical entities, such as people or may be used as service accounts for applications. User accounts are also referred to as security principals and are assigned a security identifier (SID).

A user account enables a user to logon to a computer and domain with an identity that can be authenticated. To maximize security, each user should have their own unique user account and password. A user's access to domain resources is based on permissions assigned to the user account.

The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-change-at-next-login -H ldap://samba.samdom.example.com -Uadministrator%passw1rd

Example1 shows how to create a new user in the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The -U option is used to pass the userid and password authorized to issue the command remotely.

Example2:
sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe --must-change-at-next-login

Example2 shows how to create a new user in the domain against the local server. sudo is used so a user may run the command as root. In this example, after User2 is created, he/she will be forced to change their password when they logon.

Example3:
samba-tool user add User3 passw3rd --userou=OrgUnit

Example3 shows how to create a new user in the OrgUnit organizational unit.

Options:
  -h, --help  show this help message and exit
  -H URL, --URL=URL  LDB URL for database or target server
  --must-change-at-next-login  Force password to be changed on next login
  --random-password  Generate random password
  --use-username-as-cn  Force use of username as user's CN
  --userou=USEROU  Alternative location (without domainDN counterpart) to default CN=Users in which new user object will be created
  --surname=SURNAME  User's surname
  --given-name=GIVEN_NAME  User's given name
  --initials=INITIALS  User's initials
  --profile-path=PROFILE_PATH  User's profile path
  --script-path=SCRIPT_PATH  User's logon script path
  --home-drive=HOME_DRIVE  User's home drive letter
  --home-directory=HOME_DIRECTORY  User's home directory path
  --job-title=JOB_TITLE  User's job title
  --department=DEPARTMENT  User's department
  --company=COMPANY  User's company
  --description=DESCRIPTION  User's description
  --mail-address=MAIL_ADDRESS  User's email address
  --internet-address=INTERNET_ADDRESS  User's home page
  --telephone-number=TELEPHONE_NUMBER  User's phone number
  --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE  User's office location

Samba Common Options:
  -s FILE, --configfile=FILE  Configuration file
  -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL  debug level
  --option=OPTION  set smb.conf option from command line
  --realm=REALM  set the realm name

Credentials Options:
  --simple-bind-dn=DN  DN to use for a simple bind
  --password=PASSWORD  Password
  -U USERNAME, --username=USERNAME  Username
  -W WORKGROUP, --workgroup=WORKGROUP  Workgroup
  -N, --no-pass  Don't ask for a password
  -k KERBEROS, --kerberos=KERBEROS  Use Kerberos
  --ipaddress=IPADDRESS  IP address of server

Version Options:
  -V, --version  Display version number

2013/6/26 steve st...@steve-ss.com

> On Wed, 2013-06-26 at 15:06 +0400, Vladimir A Fomkin wrote:
> > Hi again!
> >
> > I configured my AD samba PDC and BDC for applying uid from uidNumber line in AD LDAP. But I have a problem - uidNumber is not created automatically. I must create this for each user by hand. How to solve this problem? Thx!
>
> samba-tool user add vladimir

Re: [Samba] The problem with setting up AD domain to Samba 4
On 27/06/13 13:58, Vladimir A Fomkin wrote:
> Hi! samba-tool doesn't work with the --uid-number option!

Hi

It only works with the development version. Why not add the uidNumber to the user using ldbedit or ldbadd?

Steve

Re: [Samba] The problem with setting up AD domain to Samba 4
How do I add one parameter with ldbedit without the interactive editor? (for scripting)

2013/6/27 steve st...@steve-ss.com

> On 27/06/13 13:58, Vladimir A Fomkin wrote:
> > Hi! samba-tool doesn't work with the --uid-number option!
>
> Hi
>
> It only works with the development version. Why not add the uidNumber to the user using ldbedit or ldbadd?
>
> Steve

--
Best regards,
Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru

[Samba] Fwd: Users cannot rename/delete files on Samba share
I'm starting a new thread because the issue now is different from the one I was originally experiencing.

Here are two level 10 debug logs, one from each of two servers:

http://w4fbc.org/samba/DC.log
http://w4fbc.org/samba/FS.log

Each has a test share set up like this:

chgrp -R staff-faculty /test
chmod 0770 /test
chmod g+s /test
setfacl -m g::rwx /test

[test]
path = /test
read only = no
inherit acls = yes
inherit permissions = yes

DC.log is from a Samba domain controller running 3.6.9. This test share works as expected. Members of the staff-faculty group can create/modify/delete/rename files regardless of user ownership in the test share on this server.

FS.log is from a Samba domain member server now running 3.6.9. This test share does not quite work. Members of the staff-faculty group can create/modify files regardless of user ownership but cannot delete/rename files regardless of user ownership.

FWIW, I have yet another Samba member server (PS) running 3.4.7 which does not normally have shares. I have set up a test share on it configured exactly the same as the two above-mentioned servers. This share behaves as expected (same as DC). Furthermore, PS is configured exactly as FS with the exception of server name and shares.

The DC runs over an ldap backend and getent passwd and group behave as expected on all Samba servers.

So any ideas on why the share on FS does not function as expected?

Kind Regards,
Chris

Re: [Samba] Users cannot rename/delete files on Samba share
On Thu, Jun 27, 2013 at 10:00 AM, Chris Nighswonger cnighswon...@foundations.edu wrote:
> FS.log is from a Samba domain member server now running 3.6.9. This test share does not quite work. Members of the staff-faculty group can create/modify files regardless of user ownership but cannot delete/rename files regardless of user ownership.

In case it might help someone else: removing winbind fixed the problem.

Kind Regards,
Chris

[Samba] How to restore deleted Samba4 directory objects?
Hi,

What is the best way to restore deleted Samba4 directory objects? Ideally I'd like to be able to retain the SID so that downstream apps can continue to work when the objects are back.

Any info appreciated. Thx!

-cs