Re: [Samba] windows 7 cannot connect

2011-08-15 Thread Andrew Masterson
From my build docs for RHEL.  YMMV and caveat emptor  ;-)



# cd /etc/yum.repos.d
# wget http://ftp.sernet.de/pub/samba/<major version>/rhel/5/sernet-samba.repo
 where <major version> is something like 3.5
# yum install samba3.x86_64 samba3-*64*

 increase maximum number of open files and processes for large rsync and copy 
 operations:
 add the following line to /etc/security/limits.conf
*   soft    nofile  16384
*   hard    nofile  10
(NOTE: 10 should be  `cat /proc/sys/fs/file-max` or one rogue process can 
lock the entire box!  LEAVE SOME ROOM!)

# vi ~/.bashrc
 add the following lines to the end of the script
ulimit -u hard 1
PS1='[\t \u@\h \W]\$ '

 to allow domain logins to the local box add the following to 
 /etc/pam.d/system-auth **NOTE NOT NEEDED FOR NORMAL FILE SERVERS**USE WITH 
 CAUTION**
auth        sufficient  pam_winbind.so

 REBOOT

# yum update -y

 copy smb.conf to /etc/samba from working server, or backup location, modify 
 as needed for new host (i.e. share locations)
 copy krb5.conf to /etc from working server (note: arcfour-hmac-md5 is the 
 only encryption type that seems to work with server 2008SP2 DCs and samba 
 3.5+)

 test samba configuration for basic typos, etc.
# testparm

 modify /etc/nsswitch.conf to add winbind lookups
passwd: files winbind
group:  files winbind

 make a machine account in the domain
# net ads join -U Administrator
(note: if it complains about a DNS update, that is OK as you already specified 
a static IP in DNS)

 enter the DOMAIN administrator password, note: this creates 
 /etc/samba/secrets.tdb - secure this file, as well as 
 /var/lib/samba/gencache_notrans.tdb, gencache.tdb, group_mapping.ldb
# nmbd -D
# smbd -D
# winbindd

 ensure auto-startup.  Edit /etc/rc.d/rc.local and add 5 lines
/usr/sbin/nmbd -D
/usr/sbin/smbd -D
/usr/sbin/winbindd
/usr/bin/wbinfo -u
/usr/bin/wbinfo -g

 check setup
wbinfo -u  (returns a list of domain users)
wbinfo -g  (returns a list of domain groups)
wbinfo -t (tests shared secret with domain)
nslookup hostname  (make sure DNS is configured properly)

 set up backups as appropriate...

DONE



Hopefully that helps.

-=Andrew
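
A post-join check for the steps above, as an added example that is not part of the original post: it verifies the nsswitch.conf winbind entries and flags the tdb/ldb files named above if group or other have any access. The function names and the "check" argument are assumptions; the file paths are the ones given in the post.

```shell
#!/bin/bash
# Added example (not from the original build docs): verify two of the
# settings the procedure depends on after "net ads join".

# nss_uses_winbind FILE DB
# Succeeds if the uncommented DB line (e.g. "passwd:") in FILE lists winbind.
nss_uses_winbind() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

# loose_files FILE...
# Prints every existing FILE whose group/other permission bits are not all
# clear, i.e. anything more open than rwx------.
loose_files() {
    for lf_file in "$@"; do
        [ -e "$lf_file" ] || continue
        # Characters 5-10 of the mode string are the group and other bits.
        lf_perms=$(ls -ld "$lf_file" | cut -c5-10)
        [ "$lf_perms" = "------" ] || printf '%s\n' "$lf_file"
    done
}

# Run against the live system only when called as "script check".
if [ "${1:-}" = "check" ]; then
    rc=0
    for db in passwd group; do
        if ! nss_uses_winbind /etc/nsswitch.conf "$db"; then
            echo "nsswitch.conf: $db does not list winbind"
            rc=1
        fi
    done
    loose=$(loose_files /etc/samba/secrets.tdb \
        /var/lib/samba/gencache_notrans.tdb \
        /var/lib/samba/gencache.tdb \
        /var/lib/samba/group_mapping.ldb)
    if [ -n "$loose" ]; then
        echo "group/other access on:"
        echo "$loose"
        rc=1
    fi
    # Same trust-secret test the post lists under "check setup".
    /usr/bin/wbinfo -t || rc=1
    exit "$rc"
fi
```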


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Marc Fromm
Sent: Wednesday, August 10, 2011 4:38 PM
To: Chris Weiss
Cc: samba@lists.samba.org
Subject: Re: [Samba] windows 7 cannot connect

The server currently has 3.0.33 on it, but it needs at least 3.4 to work with 
windows 7 computers. Red hat will not be upgrading samba beyond 3.0.33 for 
their 32bit RH5 users. Thus I am stuck and cannot use yum and the red hat repos 
to do the upgrade. 

On site directed me to this page to download the rpms, but I am not experienced 
enough with manually updating a package.
http://ftp.sernet.de/pub/samba/ . I downloaded all the files listed under the 
3.6/rhel/5/i386 directory.

Thus I was hoping to find to step by step on how to do the upgrade.

-Original Message-
From: Chris Weiss [mailto:cwe...@gmail.com] 
Sent: Wednesday, August 10, 2011 2:17 PM
To: Marc Fromm
Cc: John Drescher; samba@lists.samba.org
Subject: Re: [Samba] windows 7 cannot connect

On Wed, Aug 10, 2011 at 3:13 PM, Marc Fromm marc.fr...@wwu.edu wrote:
 My googling seems to point at upgrading samba to 3.4. Currently installed on 
 my RHEL 5.2 32 bit server is as listed below for smb and samba.

 If I was running RHEL 64 bit I would be supported by red hat and updating the 
 OS to the latest 5.x would provide this for me. For some reason red hat feels 
 they do not need to support their 32 bit users, which my server is running, 
 and updating the OS does not update certain packages like samba and php. Even 
 though I have paid support with red hat they will not provide support to 
 update the needed packages.

 Thus, is there a detailed set of procedures on how to manually upgrade samba 
 on a RHEL 5.2 server? I do not want to try this by trial and error and 
 cripple the server.


I think RH 5 has a samba 3.x package, or was that only Centos?  I don't recall 
what version it was intro'd

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Shutdown hangs since setting up Samba

2011-06-10 Thread Andrew Masterson
-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of bew...@gmx.com
Sent: Friday, June 10, 2011 9:42 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Shutdown hangs since setting up Samba

Am 04.06.2011 16:40, schrieb Harry Jede:
 On 16:30:33 wrote bew...@gmx.com:
 Am 03.06.2011 23:50, schrieb Chris Weiss:
 On Fri, Jun 3, 2011 at 4:11 PM,  bew...@gmx.com wrote:
 I get this error messages on boot:

 CIFS VFS: Error connecting to socket. Aborting operation
 CIFS VFS: cifs_mount failed w/return code = -101

 I have seen these before.

 OK, I'm not the only one.

 as I recall, it's trying to mount before the network comes fully
 up, and downing the network before unmounting the cifs.

 I have the same suspicion, but don't know how to fix it.

 I do not recall the solution, and I don't use cifs in fstab anymore.

 What are you using instead of CIFS?
 Use the pam mount helper. They run, when a user is logging in.
 
 man pam_mount
 man pam_mount.conf

I followed this step-by-step guide [1], but it doesn't work.

The error messages in /var/log/auth.log look quite familiar to me:

pam_mount(mount.c:72): mount error(101): Network is unreachable
pam_mount(mount.c:72): Refer to the mount.cifs(8) manual page (e.g. man
mount.cifs)
pam_mount(pam_mount.c:521): mount of ben failed

-

In my experience the switch to udev or some other parallel booting
process (not sure what did it) in more recent linux distros has caused
the init sequence to be violated.  So no longer can you count on S1
being finished before S99 starts.  I have had to do one of two things to
resolve this

RHEL: all mounting commands are put into /etc/rc.d/rc.local, because
that file is explicitly called after all other startup scripts have
completed.  (although on Fedora 14 this doesn't even seem to be the case
anymore...?)

SLES: Create a startup script that waits for your network interface to
come up before executing mounting commands.  Here's a simple, non-robust
one (where do_network_mounts actually does the mounting commands):

#!/bin/bash

# wait for a network interface to come up if we're running scripts in parallel mode
while [ `ifconfig | grep 192.168 | wc -l` -eq 0 ]; do
  sleep 5
done

/mnt/do_network_mounts

-=Andrew
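
A bounded variant of the wait loop above, as an added example that is not part of the original post: it gives up after a timeout instead of blocking boot forever, and matches the address prefix literally. The 192.168 prefix and /mnt/do_network_mounts come from the post; the function names, the ADDR_CMD hook, the "start" argument and the 120-second timeout are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): bounded wait for an address
# in a given prefix before running the mount commands.

# ADDR_CMD names the command that lists local IPv4 addresses, one per line.
# It is a hypothetical hook so the wait logic can be exercised offline.
ADDR_CMD=${ADDR_CMD:-list_addrs}

list_addrs() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
    else
        # Handles both "inet addr:1.2.3.4" and "inet 1.2.3.4" output styles.
        ifconfig | sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p'
    fi
}

# has_prefix PREFIX
# Succeeds if any local address starts with the literal PREFIX. Unlike
# "grep 192.168", dots are literal and 10.192.168.5 does not match.
has_prefix() {
    "$ADDR_CMD" | awk -v p="$1" 'index($0, p) == 1 { found = 1 } END { exit !found }'
}

# wait_for_prefix PREFIX TIMEOUT_SECONDS [INTERVAL_SECONDS]
# Returns 0 as soon as a matching address exists, 1 once TIMEOUT has elapsed.
wait_for_prefix() {
    wfp_waited=0
    wfp_interval=${3:-5}
    until has_prefix "$1"; do
        if [ "$wfp_waited" -ge "$2" ]; then
            return 1
        fi
        sleep "$wfp_interval"
        wfp_waited=$((wfp_waited + wfp_interval))
    done
    return 0
}

# Mount only when invoked as "script start", the way an init script is called.
if [ "${1:-}" = "start" ]; then
    if wait_for_prefix 192.168. 120 5; then
        /mnt/do_network_mounts
    else
        logger -t netmounts "no 192.168. address after 120s, skipping network mounts"
        exit 1
    fi
fi
```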


Re: [Samba] smbclient doesn't work from cron

2011-04-26 Thread Andrew Masterson

 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of Bob Miller
 Sent: Tuesday, April 26, 2011 10:09 AM
 To: hel...@hullen.de
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] smbclient doesn't work from cron
 
 On Tue, 2011-04-26 at 16:04 +0200, Helmut Hullen wrote:
 
   I tell you I've restarted cron daemon and it always fails.
 
   What's wrong in cron line ???
 
  One simple way to test the many problems (none of them a samba
problem):
  make a simple (executable) shell script and let cron call this shell
  script.
 
 I encountered a couple years ago a problem with a cron command, which
I
 ended up tracing to cron and the shell (debian system, cannot remember
 exactly if it was a different shell or different handling of the shell
 that cron uses).
 My research led me to a new habit/method of creating cronjobs, one
that
 forces cron to execute the commands in a bash shell just like you do
 from the command line.  As Helmut suggests, put your commands in a
file,
 and then use the bash command to call the script:
 0 10 * * * bash /path/to/file/with/commands
 
 

My experience also has to do with shell paths not getting set properly,
so I now explicitly state the path of all binaries that I want to run.
i.e. 

/usr/sbin/nmbd -D
/usr/sbin/smbd -D
/usr/sbin/winbindd

It's not as robust to transfer between platforms, but it does mean that
cron jobs always work.

-=Andrew


Re: [Samba] Mac OS X status

2011-04-05 Thread Andrew Masterson
 Does anyone actually use self-compiled Samba on Mac OS X ??

Better question: does anybody actually use Mac OSX for server work?

If so, they're crazy IMO.

-=Andrew


Re: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!

2011-04-01 Thread Andrew Masterson

 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of Rick Gates
 Sent: Friday, April 01, 2011 10:00 AM
 To: samba@lists.samba.org
 Subject: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8
from
 alinux machine!!
 
 Hi all,
 
 I am using samba 3.5.8 on a linux machine.
 I am not able to join the domain of a windows 2003 server in ADS mode.
 
 I am getting the following error message:
 
 # /usr/local/samba/bin/net ads join -U Administrator%password -I
10.25.66.71
 
 Failed to join domain: failed to find DC for domain ABCDOM.PQR.COM
 #
 
 I am not sure what the issue here.
 It works absolutely fine when I try to join the domain in rpc mode.
 
 # /usr/local/samba/bin/net rpc join -U Administrator%password
 Joined domain ABCDOM.
 #
 
 The smb.conf used is:
 
 # /usr/local/samba/bin/testparm
 Load smb config files from /usr/local/samba/lib/smb.conf
 rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
 Processing section [homes]
 Processing section [printers]
 Processing section [Linux]
 Loaded services file OK.
 Server role: ROLE_DOMAIN_MEMBER
 Press enter to see a dump of your service definitions
 
 [global]
 workgroup = ABCDOM
 realm = ABCDOM.PQR.COM
 server string = Samba Server - Research
 security = ADS
 password server = 10.25.66.71
 log level = 10
 log file = /var/log/samba/%m.log
 max log size = 50
 add user script = /usr/sbin/useradd %u
 delete user script = /usr/sbin/userdel %u
 add group script = /usr/sbin/groupadd %g
 delete group script = /usr/sbin/groupdel %g
 add user to group script = /usr/sbin/usermod -a -G %g %u
 delete user from group script = /usr/sbin/deluser %u %g
 add machine script = /usr/sbin/adduser -n -g machines -c
Machine -d
 /dev/null -s /bin/false %u
 domain master = No
 dns proxy = No
 wins server = 10.25.66.71
 idmap uid = 200-12
 idmap gid = 200-12
 admin users = root
 cups options = raw
 
 [homes]
 comment = Home Directories
 read only = No
 browseable = No
 
 [printers]
 comment = All Printers
 path = /usr/spool/samba
 printable = Yes
 browseable = No
 
 [Linux]
 comment = Share on this linux machine
 path = /tmp/linux
 read only = No
 #
 
 NOTE: 10.25.66.71 is the IP of my 2003 windows server.
 
 My lmhosts file is:
 
 # cat lmhosts.
 10.25.66.71 ABC3
 10.25.66.71 ABCDOM#1b
 10.25.66.71 ABCDOM#1c
 
 #
 
 It would be great, if any one can tell me if there is anything wrong
here
 and probably help me sort out this issue.
 Thanks in advance!!


What does your krb5.conf look like?  I suspect it's having trouble
finding a kdc.

-=Andrew


Re: [Samba] wbinfo -- Could not remove gid to sid mapping

2011-03-21 Thread Andrew Masterson

 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of markus hansen
 Sent: Tuesday, March 15, 2011 3:39 AM
 To: Bob Miller
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] wbinfo -- Could not remove gid to sid mapping
 
 Hi,
 
 thanks for your reply.
 
   wbinfo --set-gid-mapping=guid of interest,correct sid
   returns: guid of interest
  
  
   any chance to fix this?
 
  Maybe, using the net command.  I believe you would be able to use
`net
  groupmap` to modify the relation, and there are other net commands
that
  can probably put this straight.  If I ever finish wrapping my head
  around the net command, I will tell you more ;)
 
 
 
 I tried the net groupmap command, but it doesn't touch this mapping.
Using the net
 groupmap delete command only seems to affect the output net groupmap
list is
 listing.
 
 I can have the correct maping in net groupmap list - but wbinfo
still returns the
 wrong mapping, and the mapping wbinfo returns seems to be the one
samba actually
 uses ...
 
 best regards
 
 Henrik
 --


If you don't have any custom mappings set, delete /var/lib/samba/* files
and restart samba to clear all caches. (back them up first of course)

Otherwise you will have to find the specific tdb file that has the info
in it (it changes and is mostly undocumented so I have trouble keeping
up with what is stored where anymore)

-=Andrew


Re: [Samba] Winbind user ID's on multiple servers

2011-03-10 Thread Andrew Masterson
 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of Javier Conti
 Sent: Wednesday, March 09, 2011 4:28 PM
 To: TAKAHASHI Motonobu
 Cc: samba@lists.samba.org; Mike Auleta
 Subject: Re: [Samba] Winbind  user ID's on multiple servers
 
 On Mar 10, 2011 12:16 AM, TAKAHASHI Motonobu mo...@monyo.com
wrote:
 
  2011/3/10 Javier Conti javier.co...@gmail.com:
   On 9 March 2011 20:13, Mike Auleta michael_aul...@condenast.com
wrote:
   We're looking at setting up Linux Authentication to our AD
servers
 using
   winbind and need to know if there is a way to keep all the user
IDs in
   sync across the Linux servers.  The way I see it now, the user ID
is
   assigned numerically depending on the order users log in to a
server.
   Could make for issues if NFS mounted directories are involved.
  
   Hi, I'm using AD 2008 R2 as PDC, and have been successful using
the
   following configuration in /etc/samba/smb.conf on the client:
  
   [global]
  (snip)
  idmap backend = ad
  idmap config MYDOMAIN : backend = ad
  idmap config MYDOMAIN : range = 1 - 2
  idmap config MYDOMAIN : schema_mode = rfc2307
  winbind nss info = rfc2307
  
   Since this configuration uses the Posix attributes found in the
   rfc2307 schema, I have the uidNumber attribute of users and the
   gidNumber attribute of groups populated with the IDs used in Unix
(and
   in the range between 1 and 2).
 
  idmap backend should be a writeable backend such as tdb or ldap.
 
 If someone manages user and groups on the AD, thus assigning
uidNumbers and
 gidNumbers on it, is it still necessary (or a real advantage) for the
idmap
 backend to be writeable?
 
 Just wondering... Javier
 
 
  Anyway, to synchronize UID, you can also use rid or ldap instead
of
 ad.
  If you simply want to sync UIDs, rid is a better choice, I think.
  For example:
 
  idmap config DOMAIN:range = 100 - 199
  idmap config DOMAIN:base_rid = 0
  idmap config DOMAIN:backend = rid
 
  Please refer to manpages in the detail.
 


This is why, if you have a single domain and no weird setup, RID mapping
is best.  You get consistent mapping across all domain member servers
and it's easy to port stuff around.  I messed around with the other
stuff and SFU, but RID is the easiest by far.

-=Andrew


Re: [Samba] getpeername failed. Error was Transport endpoint is notconnected (3.0.37)

2011-03-10 Thread Andrew Masterson
 
 Hi All,
 
 I have a Solaris 10 server (Sun Fire T5520) that has recently been patched 
 with
 Samba 3.0.37 but is not able to share any drives to Windows clients. Instead,
 the /var/samba/log/log.smbd is showing the following errors:
  getpeername failed. Error was Transport endpoint is not connected
     Denied connection from 0.0.0.0 (0.0.0.0)
     [2011/03/10 21:10:04, 1] smbd/process.c:(1076)
     [2011/03/10 21:10:04, 0] lib/util_sock.c:(1224)
     write_data: write failure in writing to client 0.0.0.0. Error Broken pipe
     Error writing 5 bytes to client. -1. (Broken pipe)
 
 It would be very much appreciate some guidances on how to resolve this issue.
 

This error is very old, and seems to be related to samba binding to multiple 
ports (139 and 445).  You only need 445 in most modern worlds, unless you're a 
PDC from what I can tell.  I stuck this in my smb.conf file:

# restrict ports to avoid
# getpeername failed. Error was Transport endpoint is not connected and
# Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
# errors from port 139 legacy mode - PDC may need 139 open
smb ports = 445

-=Andrew


Re: [Samba] Not sure I understand when add user script is called

2011-02-18 Thread Andrew Masterson
Here's how we do it.  There are a thousand variations on a theme (samba
3.5.6)

[homes]
path = /data/homes/%D/%S
valid users = @"XX+domain admins", %S
read only = No
root preexec = /data/Backup/createhomes.sh %D %S

Shell script looks like (creates /data/homes/DOMAIN NAME/USERNAME)

#!/bin/bash

# create the user's home directory on first connect if it does not exist yet
if [ ! -d "/data/homes/$1/$2" ]; then
    mkdir "/data/homes/$1/$2"
    chmod g+s "/data/homes/$1/$2"
    chown "$2:domain admins" "/data/homes/$1/$2"
    chmod 770 "/data/homes/$1/$2"
    /usr/bin/setfacl -m "g:domain admins:rwx" "/data/homes/$1/$2"
    /usr/bin/setfacl -m "u:$2:rwx" "/data/homes/$1/$2"
fi
exit 0

-=Andrew
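
Because the script above runs as root with %D and %S as its arguments, a variant that checks both before touching the filesystem is worth having. This is an added example, not the original poster's script: it accepts each argument only if it is a single plain path component and refuses a symlink sitting where the home directory should be. HOMES_BASE, ADMIN_GROUP, the function names and the return codes are assumptions; the paths, modes and setfacl calls mirror the post.

```shell
#!/bin/bash
# Added example (not the original createhomes.sh): same job, with argument
# validation and quoting, for use as "root preexec = ... %D %S".

HOMES_BASE=${HOMES_BASE:-/data/homes}
ADMIN_GROUP=${ADMIN_GROUP:-domain admins}

# valid_component NAME
# Accept NAME only as one plain path component: not empty, not "." or "..",
# no leading "-", no "/" or "\", no ":" (chown and setfacl use it as a
# separator) and no control characters.
valid_component() {
    case $1 in
        ''|.|..|-*|*/*|*:*|*\\*) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ]
}

# create_home DOMAIN USER
# Returns 0 if the directory was created, 1 if it already exists,
# 2 if an argument was rejected, 3 if a symlink is in the way,
# 4 if mkdir failed (for example, the DOMAIN directory is missing).
create_home() {
    valid_component "$1" || return 2
    valid_component "$2" || return 2
    ch_dir=$HOMES_BASE/$1/$2
    if [ -L "$ch_dir" ]; then return 3; fi
    if [ -d "$ch_dir" ]; then return 1; fi
    # Start private; ownership and final mode are applied afterwards.
    mkdir -m 700 -- "$ch_dir" || return 4
    return 0
}

# set_owner DIR USER
# Ownership, setgid + 770 and ACLs as in the original script.
set_owner() {
    chown -- "$2:$ADMIN_GROUP" "$1" &&
    chmod 2770 "$1" &&
    /usr/bin/setfacl -m "g:$ADMIN_GROUP:rwx" "$1" &&
    /usr/bin/setfacl -m "u:$2:rwx" "$1"
}

# Called by smbd with exactly two arguments: domain and user.
if [ "$#" -eq 2 ]; then
    create_home "$1" "$2"
    case $? in
        0) set_owner "$HOMES_BASE/$1/$2" "$2" ;;
        1) : ;;  # already there, nothing to do
        *) logger -t createhomes "refused to create home directory, check arguments" ;;
    esac
    exit 0
fi
```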

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Jack Downes
Sent: Friday, February 18, 2011 12:29 AM
To: samba@lists.samba.org
Subject: [Samba] Not sure I understand when add user script is called

I've built a domain member.  It works pretty good with the exception 
that I want on-the-fly home directories being built.  I'm not sure this 
is doable with a domain member as everything I've tried isn't even 
called - as far as I can tell.  Using log level 3.

If anyone can shed light on how to dynamically create home directories, 
that'd be great.

anyway, here's my latest incarnation of smb.conf.

[global]
 display charset = UTF-8
 workgroup = KRH
 realm = KRH.INT
 netbios aliases = hitstor
 server string = HIT anything server
 interfaces = 172.29.107.110
 bind interfaces only = Yes
 security = ADS
 auth methods = sam, winbind, trustdomain
 password server = kal-dc3.krh.int, kal-dc4.krh.int,
kal-dc2.krh.int, *
 ntlm auth = No
 client NTLMv2 auth = Yes
 log level = 1
 syslog = 0
 log file = /var/log/samba/log.%U
 debug prefix timestamp = Yes
 smb ports = 139
 name resolve order = wins host bcast lmhost
 unix extensions = No
 server signing = auto
 lpq cache time = 10
 max open files = 2
 socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
 name cache timeout = 60
 load printers = No
 printcap cache time = 60
 show add printer wizard = No
 add user script = /usr/sbin/pw useradd %u -g krh -k 
/usr/local/etc/skel -d /home/KRH
 local master = No
 domain master = No
 dns proxy = No
 wins server = 10.6.1.21
 utmp = Yes
 nmbd bind explicit broadcast = No
 host msdfs = No
 idmap uid = 1-2
 idmap gid = 1-2
 template shell = /usr/local/bin/bash
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind refresh tickets = Yes
 acl group control = Yes
 cups options = raw
 force printername = Yes
 wide links = Yes

[homes]
 comment = Home Directories
 read only = No
 browseable = No


Here's the /etc/pam.d/system file:
#
# $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# System-wide defaults
#

# auth
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  /usr/local/lib/pam_winbind.so mkhomedir=yes
#auth       sufficient  pam_krb5.so         no_warn try_first_pass
#auth       sufficient  pam_ssh.so          no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_lastlog.so      no_fail
session     required    /usr/local/lib/pam_mkhomedir.so skel=/usr/local/etc/skel

# password
#password   sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass


Re: [Samba] samba ADS-based authentication fails with NT_STATUS_USER_UNKNOWN but wbinfo works

2011-02-18 Thread Andrew Masterson
First thing I would do is a testparm -v on both the old and new boxes, and do a 
diff -a on those files to see what has changed.

Samba changes default options between versions so what may have worked on an 
older version is not guaranteed to work on the new ones.

Also, what does your krb5.conf file look like?

-=Andrew 



-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Geoff Winkless
Sent: Friday, February 18, 2011 6:53 AM
To: samba
Subject: [Samba] samba ADS-based authentication fails with 
NT_STATUS_USER_UNKNOWN but wbinfo works

Hi

I've found a few list posts with this problem but none of their
solutions helped.

Apologies for the long mail but I've no idea which section of the
various logs will be the important part.

I've set up a RHEL5.3 server (with Samba 3.0.33) to authenticate to an
existing active directory realm on our local network.

The AD server is Windows-based and works fine for a couple of hundred
users on their windows clients (mix of XP, Vista, Win7); it also works
ok with an existing Samba install. I'm trying to set it up to
authenticate those users to access a second server; unfortunately the
authentication fails.

I copied the krb5.conf and smb.conf files from the working server,
then followed the various ADS howtos (to join the machine to the AD
and obtain krb tickets) and have got to the point where klist behaves
as expected, as does wbinfo, which implies that the machine account is
set up correctly, yes?

(I've replaced company name with  in all these logs).

[root@pd-pistachio samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: geoff.winkl...@lan..co.uk
Valid starting     Expires            Service principal
02/18/11 10:48:32  02/18/11 20:48:34  krbtgt/lan..co...@lan..co.uk
        renew until 02/19/11 10:48:32
02/18/11 11:08:48  02/18/11 20:48:34  dc1$@LAN..CO.UK
        renew until 02/19/11 10:48:32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@pd-pistachio samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@pd-pistachio samba]# wbinfo -a geoff.winkless
Enter geoff.winkless's password:
plaintext password authentication succeeded
Enter geoff.winkless's password:
challenge/response password authentication succeeded

If I try to log onto a share on pd-pistachio from my XP machine (named
-001119) I get:

[2011/02/18 13:05:24, 3] smbd/oplock.c:init_oplocks(863)
  init_oplocks: initializing messages.
[2011/02/18 13:05:24, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(234)
  Linux kernel oplocks enabled
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 0 of length 137
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBnegprot (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN1.0]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [Windows for Workgroups 3.1a]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LM1.2X002]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN2.1]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [NT LM 0.12]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_nt1(364)
  using SPNEGO
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(606)
  Selected protocol NT LM 0.12
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 1 of length 240
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2011/02/18 13:05:24, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 40
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088207
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 2 of length 272
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  

Re: [Samba] samba authenticates only against the primary group of auser?

2011-02-18 Thread Andrew Masterson
Or it means that samba is correctly applying restrictive security -
invalid users supersedes valid users.

-=Andrew


-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Athanasios Silis
Sent: Tuesday, February 15, 2011 5:03 AM
To: samba@lists.samba.org
Subject: [Samba] samba authenticates only against the primary group of
auser?

Hello everyone!

I seem to be have a bit of a problem setting up a few network folders
for a
my office on a Qnap storage device running Samba -v3.5.2. So I ask:

when the 'write list' of a share contains ONLY groups, and a user tries
to
log on to that share, then samba authenticates against the primary group
only of that user only??

Here is the example that fails:

-the user is 'isak'

-the group of interest is 'iso_ops'. This user belongs these groups:
everyone, engineers, iso_ops (this is the order I get when I run the
command
'groups' from a shell)

-The shared folder in question is 'iso'. this folder has the following
permissions: no individual user permissions have been set (every tickbox
is
blank). group 'everyone' is denied access. group 'iso_ops' has
read/write
access.

the relevant smb.conf part is this:

[iso]
comment = ISO files
path = /share/MD0_DATA/iso
browsable = yes
oplocks = yes
ftp write only = no
public = yes
invalid users = guest,@everyone
read list =
write list = @iso_ops,@administrators
valid users = root,@iso_ops,@administrators
inherit permissions = yes


So normally, I would expect that user 'isak', is allowed read/write
access
to 'iso' folder, because he is member of the 'iso_ops' group.
However, now I try to log on to the share as 'isak' but I never get past
the
login prompt..

If I move @everyone to the 'valid users' then I can log on AND I can
write
to the network share, since @iso_ops can write to the share (even though
@everyone can't).. So - correct me if I'm wrong - but it seems that
users
are authenticated only against their primary group!


This is most upsetting since on the machine I am running samba on, I
don't
have the command usermod is order to change the primary groups of my
user
(in fact even though I have ssh access, the system is optimised to be
setup
from its web interface - and I can't set the primary group from there
either).

But that doesn't seem like a rational behaviour of samba altogether -
usermod would merely tackle some of the problems that can arise. Let me
explain:

-there are a few engineering related shared folders that the @engineers
group can authenticate against
-there is this one 'iso' folder that @iso_ops can authenticate against.
-Dearest user isak is an engineer (thus in the engineers group), but is
also
responsible for keeping the ISO9001 files for the office -imagine how
much
of an important person!
-by authenticating against only the primary group, isak can only access
the
engineering folders, or the iso folder depending of which one is his
primary
group - BUT NOT BOTH!

this is a non welcoming behaviour that can only be tackled by allowing
@everyone to have read access to the shares - unwelcomed too.

So finally is there a way to make samba try and authenticate a user
against
ALL of his groups (and not just the primary one)?

Thank you very much for your help
Thanassis Silis
I


Re: [Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works

2011-02-18 Thread Andrew Masterson
 On 18 February 2011 16:32, Andrew Masterson
 andrew.master...@nuvistaenergy.com wrote:
  First thing I would do is a testparm -v on both the old and new
boxes, and do a diff -
 a on those files to see what has changed.
 
  Samba changes default options between versions so what may have
worked on an
 older version is not guaranteed to work on the new ones.
 
  Also, what does your krb5.conf file look like?
 
  -=Andrew

 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of Geoff Winkless
 Sent: Friday, February 18, 2011 10:14 AM
 To: samba
 Subject: Re: [Samba] samba ADS-based authentication fails with
 NT_STATUS_NO_SUCH_USER but wbinfo works
 
 Once again, I forgot to change the To: line so apologies to Andrew,
 who will have this twice
 
 Hi Andrew, thanks for the response.
 
 (I've modified the subject line because I just realised I
 mis-remembered the error message when I typed the subject line
 before...)
 
 I was running 3.0.33 on both boxes with identical conf files; it
 wasn't working then, so I updated to 3.5 in case it improved matters
 (it didn't). I can't get onto the first box right now cos I don't have
 admin rights on it and the owner's not here, but I'll try to get the
 output from testparm on Monday.
 
 krb5.conf file looks like this:
 
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
  default_realm = LAN..CO.UK
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes
 
 [realms]
  LAN..CO.UK = {
  kdc = 192.168.3.1
  admin_server = 192.168.3.1
  default_domain = LAN..CO.UK
  }
 
 [domain_realm]
  .lan..co.uk = LAN..CO.UK
  lan..co.uk = LAN..CO.UK
 
 [kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf
 
 [appdefaults]
  pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
  }
 
 Thanks again
 
 Geoff
 

Your krb5.conf file looks pretty much the same, except I had to modify
mine to get it to work with 2008DCs, I specify the ports in the realms
section, and have no kdc profile.  Did you copy that kdc.conf file over
as well (if it is needed at all)?

 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

-=Andrew
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba crashes floods logfiles: smbd/notify_inotify.c:244(inotify_handler) - No data on inotify fd?!

2010-12-30 Thread Andrew Masterson
 3. Did I do anything wrong, or is this a problem with the standard 
 kernel included in openSUSE 11.2? Is there anything I can do about it?

This problem has been around for several years on RHEL as well - I
suspect it is a kernel-samba issue.

http://forum.soft32.com/linux/Samba-Samba-logs-fill-disk-inotify-errors-smbd-100-CPU-ftopict479508.html

Every box I build now has that setting turned on.  I occasionally turn
it off to see if there are still issues, and every time it comes back -
so it's still an issue AFAIK.

 4. Is this problem in any kind related to my other problem posted in 
 this list with subject PDC unreliable - Connection interruptions,
many 
 error messages at 2010-12-29 - 21:15 EET?

Possibly.

-=Andrew


Re: [Samba] Keeping Windows ACL's when migrating to SAMBA Server

2010-12-20 Thread Andrew Masterson



-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of TAKAHASHI Motonobu
Sent: Saturday, December 18, 2010 10:20 PM
To: George
Cc: samba@lists.samba.org; Jeremy Allison
Subject: Re: [Samba] Keeping Windows ACL's when migrating to SAMBA
Server

2010/12/19 George greenadm...@gmail.com:
 Right now I got it half working but am having trouble with part of it.
 If I use robocopy, it copies the files and ACL but not the correct create
 or modify dates

 robocopy \\man_fs2\Batteries \\bed-fs1\servers\man_fs2\Batteries /sec /e

 If I use xxcopy I can copy all the files with the proper create and
 modify dates but it won't copy the ACL's.

 xxcopy \\man_fs2\Batteries \\bed-fs1\servers\man_fs2\Batteries /backup

 George



Are you using the /COPYALL switch?

http://www.stevelu.com/TechnicalArticles/DevTools/1206.aspx  (for gory
flag details)

I have successfully migrated several servers with terabytes of data from
windows to linux by using robocopy (although I don't remember the exact
flags at the moment).  xcopy is unreliable for that much data IMX.

-=Andrew


Re: [Samba] RHEL 5

2010-09-22 Thread Andrew Masterson
 I've got a client asking if Samba Internet Services 3.5 is supported
 under RHEL 5.

Define supported.  If you mean 24/7 tiered escalation included with
your RHEL subscription - then no.

I have filed two bug reports about running the latest Sernet Samba on
RHEL 5 fully patched

https://bugzilla.samba.org/show_bug.cgi?id=7457
https://bugzilla.samba.org/show_bug.cgi?id=7518

and they've been outstanding for months now, and the servers have
crashed at least once in the meantime.  I also have to go in
occasionally and kill zombie processes that peg a processor.  So if you
need super-ultra-resilient samba, don't use the sernet 3.5 strain.

I got forced into it because Red Hat didn't have a Samba version
compatible with Server 2008 when I had to build.

-=Andrew


Re: [Samba] Samba idmap against ad

2010-08-12 Thread Andrew Masterson
-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Stuart Bailey
Sent: Wednesday, August 11, 2010 5:28 AM
To: samba@lists.samba.org
Subject: [Samba] Samba idmap against ad

Hello,
I have a samba server (old - running FC6, samba 3.0.24-11.fc6) that 
authenticates against AD. This is all configured and has been working
fine 
until this week.

A new user has been added to AD, but cannot access the samba drives. All
other 
users can still access samba as normal.

net ads testjoin reports OK. 

wbinfo -a newuser%pass and wbinfo -K newuser%pass both succeed. wbinfo
-r 
newuser reports all the user group memberships from AD.

wbinfo -p is OK

wbinfo -i newuser reports that no information on that user can be found.

wbinfo -n newuser returns the SID, and wbinfo -s SID returns the
username

However, wbinfo -S SID fails.

I found a thread that suggests a corrupted idmap cache file. If I delete
this 
file, and restart winbind, the file is re-created, but contains no SID
data.
I've also noticed that the winbindd_idmap.tdb file has an old time stamp

winbindd_cache.tdb has today's date.

I tried setting:
   winbind cache time = 3600
   idmap cache time = 3600
but no improvement.

Also, this is affecting both FC6 servers we have, both with the same
config. The 
config has not changed, and the servers have not been rebooted / power
cycled 
etc. The problem only affects new AD user accounts.

Any suggestions as to where I should look next?

Many thanks,

Stuart





---


Sounds like you hit a limit somewhere.  What is your user and group
mapping range?  Have you run out of space in there?

i.e.

idmap uid = 10-20
idmap gid = 10-20

-=Andrew


Re: [Samba] HOWTO close session(s) to a specific share from samba server side?

2010-08-12 Thread Andrew Masterson
-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Jeremy Allison
Sent: Wednesday, August 11, 2010 11:16 AM
To: David Roid
Cc: samba@lists.samba.org
Subject: Re: [Samba] HOWTO close session(s) to a specific share from
samba server side?

On Wed, Aug 11, 2010 at 04:18:48PM +0800, David Roid wrote:
 Hello list,
 
 I noticed that connections from the same client to different shares
have got
 the same pid on samba server, please refer to the output below:
 
 # net status shares
 Service  pid machine   Connected at
 ---
 foo 1751   realoneThu Aug 12 07:38:49 2010
 bar 1751   realoneThu Aug 12 07:39:10 2010
 
 It seems there is no way to close session(s) to a specific share,
without
 hurting other stuff:
 
 1. kill -9 obvious is not an option, it will kill everything of that
pid.
 2. net rap session close client, it accepts an argument specifying
the
 client name. In this case I still lose both sessions.
 
 What I need here is a way to close sessions, no matter where they are
from,
 to a specific share; is there a fine grained command to do this?

smbcontrol close-share. Check the man page.

Jeremy.
- 


Unfortunately that closes the entire share, not an individual connection
to that share.  I have fought with this before unless I'm missing
something.

Unlocking files is another impossible task unless (I think) you are
brave enough to edit the locks.tdb file.

I generally just script killing the PIDs as there's no other real way to
unlock stuff.  The client end is usually robust enough to deal with it
unless it needs a stateful connection (which is usually database only
thing).

-=Andrew


Re: [Samba] Samba 3.0.37 with Windows Server 2008

2010-08-12 Thread Andrew Masterson

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Nick Couchman
Sent: Wednesday, August 11, 2010 8:22 AM
To: Robert Freeman-Day
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.0.37 with Windows Server 2008


 
 Nick,
 
 I would suggest looking at your available encryption types available
to
 Solaris.  We ran into this before and this bug supplied a work around
 that fixed us.
 
 http://bugs.opensolaris.org/bugdatabase/printableBug.do?bug_id=6534506

 
 If you want to find out the encryption levels available to your
system,
 you can issue:
 
 # cryptoadm list
 

Okay, so I can do this, but the extra file is not present on
OpenSolaris, and the only other three pkcs libraries that are present
are in use on the system.  Also, I'm able to successfully use kinit to
get a kerberos ticket from the command line on the Solaris system, but
Samba still fails.

Thanks for the lead - I'll continue to track it down!

-Nick





Trying to use anything other than arcfour-hmac-md5 failed for me when
trying to connect to a 2008SP2 DC (even the aes128 and 256 types didn't
work the last time I tried about 8 months ago).

/etc/krb5.conf

[libdefaults]
 default_realm = XXX.XXX
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

-=Andrew


Re: [Samba] HOWTO close session(s) to a specific share from samba server side?

2010-08-12 Thread Andrew Masterson
  Unfortunately that closes the entire share, not an individual
connection
  to that share.  I have fought with this before unless I'm missing
  something.

 If you send that to the target smbd, yes. You should be
 able to send that to individual service smbds as well.

So something like

smbcontrol `smbstatus -p | grep x | awk '{print $1}'` close-share X

should script nicely.  I never thought of doing that...you learn
something new every day.

  Unlocking files is another impossible task unless (I think) you are
  brave enough to edit the locks.tdb file.

 Have you looked at reset on zero vc = yes?

There are many situations where client Windoze applications lock files
on the network, and you need to unlock them before proceeding with an
update (that can, of course, only be run from another Windoze box).
This can be from machines that don't clear their locks, go to sleep,
people that are logged in and don't log out, whatever the reason.  The
only way that I know of with smbd is to kill the process IDs locking the
files before proceeding with the updates.

The option you mention above seems more about machines cleaning up their
dead connections (which is definitely something I need to look into - is
there a reason this is off by default?)

-=Andrew



Re: [Samba] getent behavior since 3.5.x

2010-06-28 Thread Andrew Masterson

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Steve Chupack
Sent: Saturday, June 26, 2010 6:18 PM
To: samba@lists.samba.org
Subject: Re: [Samba] getent behavior since 3.5.x

I can confirm that I've always had to manually replace the system's
libnss_winbind files with those in [samba source]/nsswitch.

On Sat, 26 Jun 2010 16:39:42 -0400
Gaiseric Vandal gaiseric.van...@gmail.com wrote:

 Are you use the nss_winbind or winbind_nss files compiled?   They may
be in
 a separate directory or explicitly require make nsswitch command.  
 
 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of David Boyd
 Sent: Friday, June 25, 2010 12:44 PM
 To: sa...@samba.org
 Subject: [Samba] getent behavior since 3.5.x
 
 Since upgrading to samba 3.5.x (x=2,3,4) from samba 3.4.8 and
samba-3.3.12
 on FreeBSD versions 6.4, 7.3 and 8.0, getent has failed to return
samba
 group or user entries displaying only the local unix group and
password
 data.
 
 wbinfo -u and wbinfo -g seem to work just fine.
 
 No smb.conf changes were made during the upgrades.
 
 Falling back to samba 3.4.8 resolves this issue.
 
 Logins using the samba credentials always work without regard to
version.
 
 Several bug reports exist which describe these problems although not
 specifically for FreeBSD.
 
 Is this expected behavior?  I realize that getent isn't a samba
utility.
 
 Should another bug report be submitted?  What info? debug level?
 
 Thanks for any reply.
 
 

Existing bug:

https://bugzilla.samba.org/show_bug.cgi?id=7355 


Re: [Samba] smbd errors failures and warnings in logs

2010-06-28 Thread Andrew Masterson
-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Jelle de Jong
Sent: Monday, June 28, 2010 2:12 AM
To: samba@lists.samba.org
Subject: Re: [Samba] smbd errors failures and warnings in logs

On 22-06-10 14:54, Jelle de Jong wrote:
 I configured a running samba server that seems to work, except that 
 the logs are full with failures, errors and warnings. They seem to be 
 related to winbindd idmap and smbd endpoints.

I did some testing and purged winbindd from the system I thought it was
needed for my setup with net sam provision but it seems not needed for
normal runtime.

However I still get a lot of smbd warnings and errors. Could somebody
help me explaining these errors and possibly make suggestions how to fix
the issues causing them.

See the attached file for my configuration errors and samba version.

Thanks in advance,

With kind regards,

Jelle de Jong

--

I have been getting similar errors (call_nt_transact_ioctl and
get_peer_addr_internal) for months/years now.  After much searching many
other people have the same problems.  

When there are no users connected to the systems the
get_peer_addr_internal errors seem to diminish in frequency (it seems
like a DNS issue), and disabling oplocks seems to have removed most of
the call_nt_transact_ioctl errors.

-=Andrew


Re: [Samba] Microsoft OneNote 2007 painfully slow

2010-06-16 Thread Andrew Masterson

We have a user trying to share a OneNote 2007 notebook and it takes
minutes
to load a 20 KB notebook. I've opened a 500 KB Excel spreadsheet from
the
same share and it took seconds. Has anyone else run into this problem?
We
are running Samba 3.4.8 on Debian Squeeze.

Thanks,

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University



---

When I have run into stuff like this it is because an application is
trying to modify security permissions on the files that it doesn't have
the right to (like with creator\owner, etc.).  Given that M$ is fond of
creating temporary lock files, etc. you may want to start looking there
first.

-=Andrew

 

I don't recall seeing any temp files like Word/Excel/etc 2007 (we ran
into that problem, in fact I still have a script running every 15
minutes to scan the file system and 'fix' the permissions). I'll watch
the directory as I open up the NoteBook and see if I can see any funny
business.

 

Thanks,

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University

 

 

-0-0-0-0-0-0-0-0-0-0-0-0-

 

Maybe also watch the perms on the file itself.  We ran into an issue
with Blackberry backups a while back where the Blackberry Desktop
Manager somehow managed to convince the windows server that was hosting
them to change the permissions on the backup file to the user _only_
having access.

 

What's really odd about this is that the users don't have permission to
change permissions, and System/Administrators should have full rights by
inheritance.  Yet somehow a remote workstation managed to convince
windoze to bypass inheritance and the non-ability to change security
permissions.

 

At least on a linux box root can still access/modify the files but I had
a hell of a time getting them off the windoze box.

 

-=Andrew



Re: [Samba] Idmap module nss already registered ???

2010-06-15 Thread Andrew Masterson
Hello,

we are running samba 3.3.8 on RHEL 5.5 - connected to Active Directory via 
winbind. Everything seems to work fine: matching of UID/GID is working which 
can be tested with ...

wbinfo -i username
wbinfo -n username
wbinfo -s SID

... BUT it takes about 1 min until a connection to the samba server can be 
established or until the available samba shares are listed:

net use x: \\sambatest\sharename
(takes about 1 min)

or

net view \\sambatest
(takes about 1 min)

Here is the part from smb.conf which configures the WINBIND connection.

  ...
   template shell =
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nss info = rfc2307
   idmap config TESTDOM : range = 100-100
   idmap config TESTDOM : schema_mode = rfc2307
   idmap config TESTDOM : readonly = yes
   idmap config TESTDOM : backend = ad

And here is the corresponding nsswitch.conf section:

passwd: files winbind

These are the entries from log.winbindd-idmap

[2010/06/14 15:59:02,  0] winbindd/idmap.c:smb_register_idmap(149)
  Idmap module nss already registered!

The delay is caused by winbind since without winbind you get fast response.

Any ideas how to speed-up winbind and/or avoiding the Idmap module nss already 
registered error ?

regards

-

I have been getting these errors (with different symptoms) on RHEL for quite a 
while since upgrading to 3.3 and 3.5.  What does your smb.conf look like?

-=Andrew


Re: [Samba] root postexec issue on both Samba 3.4.5 and 3.0.28

2010-06-15 Thread Andrew Masterson


-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Allen Chen
Sent: Friday, June 11, 2010 2:25 PM
To: samba@lists.samba.org
Subject: [Samba] root postexec issue on both Samba 3.4.5 and 3.0.28

Hi, there

I'm using Samba 3.4.5 and 3.0.28 on RHEL 5.2, and I noticed that on both

samba servers
'root postexec' script in [netlogon] is executed automatically when 
logged in for around 11 minutes.
This makes me crazy to track when a user is logged out.
The man page smb.conf.5 says:
 postexec (S)
   This option specifies a command to be run whenever the 
service is disconnected. 

I don't understand when a user is still logged in, why 'root postexec' 
script gets called after 11 minutes.
though everything still works fine.

I used to have Samba 3.0.22 and 'root postexec' script was executed only

when users logout.
It doesn't matter how long you have logged in.


How can I fix this issue?

Thanks,

Allen



--

Shot in the dark: your deadtime is causing the service to disconnect and
execute the postexec (not that it should, just guessing here).

-=Andrew


Re: [Samba] Microsoft OneNote 2007 painfully slow

2010-06-15 Thread Andrew Masterson

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Robert LeBlanc
Sent: Monday, June 07, 2010 2:45 PM
To: samba@lists.samba.org
Subject: [Samba] Microsoft OneNote 2007 painfully slow

We have a user trying to share a OneNote 2007 notebook and it takes
minutes
to load a 20 KB notebook. I've opened a 500 KB Excel spreadsheet from
the
same share and it took seconds. Has anyone else run into this problem?
We
are running Samba 3.4.8 on Debian Squeeze.

Thanks,

Robert LeBlanc
Life Sciences  Undergraduate Education Computer Support
Brigham Young University


---

When I have run into stuff like this it is because an application is
trying to modify security permissions on the files that it doesn't have
the right to (like with creator\owner, etc.).  Given that M$ is fond of
creating temporary lock files, etc. you may want to start looking there
first.

-=Andrew
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba/LDAP and home dir creation

2010-06-15 Thread Andrew Masterson
Subject: [Samba] Samba/LDAP and home dir creation

Hi, all.

I'm working on a project to create a Samba PDC 
with LDAP authentication.  I've been pretty 
successful in getting everything to work.  
However, I've run into a small snag:

The PDC is built on an OpenSuse 11.2 box.  Most of 
the member servers are also OpenSuse 11.2 boxes.  
However, a CentOS 5.5 server was just added to 
the mix.  While users can log into the CentOS box, 
with LDAP providing the creds, no home directory 
is automagically created as in the OpenSuse 
boxes.  I'd like to fix that, with your help.

I've used authconfig-tui on the CentOS box to 
enable Use LDAP and Use LDAP Authentication 
(the equivalent of YAST's LDAP Client config 
tool?).  I believe my smb.conf and ldap.conf 
files are correct (I'll provide them if you all 
need to see them).  Any ideas?

Thanks.

Dimitri


--

To avoid messing with PAM, you can also do something like

root preexec=/data/Backup/createhomes.sh %D %S

in your smb.conf and the file createhomes.sh looks something like

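#!/bin/bash
# Create the home directory on first connect.
# $1 = %D and $2 = %S, as passed by the root preexec line above.

if [ ! -d "/data/homes/$1/$2" ]; then
    # -p also creates /data/homes/<domain> when it does not exist yet
    mkdir -p "/data/homes/$1/$2"
    chmod g+s "/data/homes/$1/$2"
    # group names containing a space must be quoted as one argument
    chown "$2:domain admins" "/data/homes/$1/$2"
    chmod 770 "/data/homes/$1/$2"
    /usr/bin/setfacl -m "g:domain admins:rwx" "/data/homes/$1/$2"
    /usr/bin/setfacl -m "u:$2:rwx" "/data/homes/$1/$2"
    /usr/bin/setfacl -m "g:domain users:000" "/data/homes/$1/$2"
fi
exit 0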


-=Andrew
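
A variant of the preexec script above that validates the %D and %S values before building a path from them, since root preexec runs the script as root. This is an added example, not part of the original post; the function names and the allowed-character policy are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: validate the %D and %S values
# before a root preexec script turns them into a path and a chown target.
LC_ALL=C; export LC_ALL          # make the [A-Za-z] ranges below byte-exact
BASE=/data/homes                 # base directory used in the post above

# valid_component NAME: succeed only if NAME is safe as one path component.
# The allowed character set is an assumed policy; widen it to fit your names.
valid_component() {
    case "$1" in
        ''|.|..|-*|*/*)      return 1 ;;  # empty, dot dirs, option-like, has a slash
        *[!A-Za-z0-9._+-]*)  return 1 ;;  # control chars, spaces, shell metacharacters
    esac
    return 0
}

# safe_home_path DOMAIN USER: print BASE/DOMAIN/USER, or fail without output.
safe_home_path() {
    valid_component "$1" && valid_component "$2" || return 1
    printf '%s/%s/%s\n' "$BASE" "$1" "$2"
}

# create_home DOMAIN USER: same steps as the posted script, on a validated path.
create_home() {
    dir=$(safe_home_path "$1" "$2") || {
        echo "createhomes: rejected domain/user: '$1' '$2'" >&2
        return 1
    }
    [ -d "$dir" ] && return 0
    mkdir -p -- "$dir" &&
    chown -- "$2:domain admins" "$dir" &&
    chmod 2770 "$dir" &&
    /usr/bin/setfacl -m "g:domain admins:rwx,u:$2:rwx,g:domain users:000" "$dir"
}

# Called by Samba as: root preexec = /data/Backup/createhomes.sh %D %S
if [ "$#" -eq 2 ]; then
    create_home "$1" "$2"
    exit 0      # as in the post: never fail the connection from this script
fi
```

Rejected values are logged to stderr and nothing is created, so a name containing `/` or `..` can never move the target outside /data/homes.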


[Samba] FW: disconnecting user from only one share

2010-05-26 Thread Andrew Masterson

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of raveenpl
Sent: Tuesday, May 04, 2010 3:18 PM
To: samba@lists.samba.org
Subject: [Samba] disconnecting user from only one share


Hello,

I would like to know if somebody knows any way to disconnect/logout user
only from one share.

One of my user is using several samba shares. I would like to
disconnect
him only from one share. I noticed that killing PID of smbd subprocess
causes disconnecting from all used shares - I can not afford it, because
other shares are used by critical for my user applications.

Any suggestions?

Thanks a lot!

-- 

smbstatus -p | grep username
gives you the process IDs associated with a user

smbstatus | grep PID
will tell you which service each instance is connected with, so you can
disconnect only the instance connected to a particular service.

-=Andrew




[Samba] ACL inheritance issue on homes directory

2010-05-10 Thread Andrew Masterson
I have recently commissioned a box running RHEL5.4 and samba sernet
3.5.2 that is AD integrated. 

The other shares on the box seem to obey the inherit acls and inherit
permissions flags as well as force create mode and force directory
mode, but not on the _homes_ directory.

Has anyone experienced similar problems, and where should I start
looking to troubleshoot this problem?

Thanks,
Andrew


Re: [Samba] ACL inheritance issue on homes directory

2010-05-10 Thread Andrew Masterson
  I have recently commissioned a box running RHEL5.4 and samba sernet
  3.5.2 that is AD integrated. 
  
  The other shares on the box seem to obey the inherit acls and
inherit
  permissions flags as well as force create mode and force
directory
  mode, but not on the _homes_ directory.
  
  Has anyone experienced similar problems, and where should I start
  looking to troubleshoot this problem?

 Are the homes directories mounted via NFS, or have some other
 difference in their mount options ?

All of the shares are on the same logical volume disk, an ext4 local
partition
/dev/mapper/VolGroup00-LogVol01 on /data type ext4 (rw,user_xattr,acl)

-=Andrew


Re: [Samba] how to clear winbind cache

2010-05-04 Thread Andrew Masterson
-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Liutauras Adomaitis
Sent: Tuesday, May 04, 2010 1:13 PM
To: samba@lists.samba.org
Subject: [Samba] how to clear winbind cache

Hello all,

I'd like to know how to clear winbind cache. The problem is that we have
decided to change uid and gid mapping range, but changing smb.conf
accordingly didn't help. We use ldap as backend. After deleting all
idmap
entries in ldap nothing changed. If we disable winbindd caching with -n
switch we receive desired effect - users get mapped to new uids and
gids.
Restarting winbindd without -n reverts everything back - users are
mapped to
old id's. Stopping winbind, removing winbind_cache.tdb file and starting
winbind doesn't solve the issue.

Liutauras



Whenever I want a clean start I nuke the entire /var/lib/samba directory
and restart samba, and let samba repopulate everything automatically.
This was after many hours of scouring through the .tdb documentation
which is outdated within a couple of months of being published, and just
deciding to be inelegant about it.  You may just need to remove all
winbindd* files (like winbindd_idmap.tdb).

Make a backup beforehand of course.

-=Andrew


Re: [Samba] 212GB log file generated for a workstation

2010-04-29 Thread Andrew Masterson
To fix the inotify problem use

kernel change notify = No

in your smb.conf.  I am still experiencing this problem on RHEL 5.4
fully patched.  As for the log files, the inotify errors did the same
thing to me (default size is 5M, and I got 100+GB log files)

-=Andrew

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Mike A. Leonetti
Sent: Thursday, April 29, 2010 7:53 AM
To: Samba Mailing
Subject: [Samba] 212GB log file generated for a workstation

Had a server fill up completely with a samba workstation log file.  The
log file repeatedly had this information

[2010/04/29 04:00:01, 0] smbd/notify_inotify.c:inotify_handler(240)
  No data on inotify fd?!

about a billion times.

In my smb.conf I have max log size = 50 set, so I was hoping the log file
wouldn't get that big.
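
One way to spot this kind of flood before it fills the disk: collapse each Samba log header and its indented message lines into one key and count the repeats. This is an added example, not from the thread; the function names, the threshold and the sample log lines (modelled on the entry quoted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: count repeated entries in a Samba log.
# A Samba log entry is a header line "[timestamp, level] source-location"
# followed by one or more indented message lines.

# samba_log_repeats MIN < logfile
# Prints "count<TAB>location | message" for every entry seen at least MIN
# times, most frequent first.
samba_log_repeats() {
    awk -v min="$1" '
        function commit() {
            if (have) count[loc " | " msg]++
            have = 0
        }
        # Header line, e.g. [2010/04/29 04:00:01, 0] smbd/notify_inotify.c:inotify_handler(240)
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
            commit()
            loc = substr($0, index($0, "] ") + 2)   # drop "[timestamp, level] "
            msg = ""
            have = 1
            next
        }
        # Indented continuation lines carry the message text
        have && /^[ \t]/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            msg = (msg == "" ? line : msg " " line)
            next
        }
        END {
            commit()
            for (k in count)
                if (count[k] >= min) printf "%d\t%s\n", count[k], k
        }
    ' | sort -rn
}

# Constructed sample: five inotify entries and one unrelated entry.
sample_log() {
    i=0
    while [ "$i" -lt 5 ]; do
        printf '[2010/04/29 04:00:0%d, 0] smbd/notify_inotify.c:inotify_handler(240)\n' "$i"
        printf '  No data on inotify fd?!\n'
        i=$((i + 1))
    done
    printf '[2010/04/29 04:00:09, 0] libsmb/ntlmssp_sign.c:209(ntlmssp_check_packet)\n'
    printf '  NTLMSSP NTLM2 packet check failed due to invalid signature!\n'
}

# Real use: samba_log_repeats 1000 < /var/log/samba/<client log>
sample_log | samba_log_repeats 3
```

Run from cron against each per-client log, a non-empty result at a high threshold is the cue to look at that client before the volume fills.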


Re: [Samba] Illegal characters in filename?

2010-03-23 Thread Andrew Masterson
The easiest way might be to write a cron script that does a simple tr on
invalid characters to rename files.

Barring that check the mangled names parameter for an understanding of
how samba creates the mangled names.

Also of interest might be mangle prefix, mangling char, mangling
method

-=Andrew

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Daniel Frey
Sent: Saturday, March 06, 2010 7:55 PM
To: samba@lists.samba.org
Subject: [Samba] Illegal characters in filename?

I have a server that uses both NFS and Samba. I noticed on a Windows
client that some directories and files were in the 8.3 format, and
clicking on them resulted in an Access denied. message.

I've since upgraded to 3.5.0 - now the Access denied. message is
gone and I can enter and open files, but all of the names are shown in
the 8.3 format and are almost unreadable. I discovered that the
filenames in question have full colons (:) in them, and this is
illegal for Windows clients. Windows itself won't let you create a
file with an invalid filename.

I have listings like:

T7UFO1~9
--TAHX6K~4.txt
--TAHX6K~B.ods
etc.

I was browsing around in smb.conf's man page looking for a way for
these files to at least be readable. Is there a way to map all of the
invalid characters in Windows that linux can use so they simply appear
as a hyphen (or another character?)

It would be so much easier than having to open each file to identify
them.


Re: [Samba] Upgrade to sernet 3.5.1-42 not working

2010-03-20 Thread Andrew Masterson
I rebuilt the whole thing and tracked down the one problem - the rights
on the /data directory didn't have o+rx.  So the per-share stuff is
working now.

The NTLMV2 error is still showing up in the logs however - and it is
talking to a W2K8SP2 DC (zeus).  Share access still works - but I can
envision a whole log full of these things once I put it into production.

Toggling this option has no effect on the logs:
client NTLMv2 auth = Yes/No


Mar 20 08:00:44 Bubbles smbd[31693]: [2010/03/20 08:00:44.180066,  0]
libsmb/ntlmssp_sign.c:209(ntlmssp_check_packet)
Mar 20 08:00:44 Bubbles smbd[31693]:   NTLMSSP NTLM2 packet check failed
due to invalid signature!
Mar 20 08:00:44 Bubbles smbd[31693]: [2010/03/20 08:00:44.180139,  0]
rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
Mar 20 08:00:44 Bubbles smbd[31693]:   process_request_pdu: failed to do
auth processing.
Mar 20 08:00:44 Bubbles smbd[31693]: [2010/03/20 08:00:44.180183,  0]
rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
Mar 20 08:00:44 Bubbles smbd[31693]:   process_request_pdu: error was
NT_STATUS_ACCESS_DENIED.

Is this something I should be worried about?  Or is it trying NTLMV2 and
falling back to NTLM?

-=Andrew


[Samba] Upgrade to sernet 3.5.1-42 not working

2010-03-19 Thread Andrew Masterson
I have installed 3.5.1-42.el5 on an RHEL 5.4 box, added it to the
domain, wbinfo -u and -g work fine.  kinit works fine.

It seems to recognize and use the global admin users section properly.
If I add people or groups to the admin users group in the global section
everything works fine. (this is obviously not the desired setup though)

It doesn't seem to honour the valid users section inside the shares,
however.  I can put whatever I want in there and it fails to recognize
them.

The only error I can find is the following, however it seems unrelated
to putting people in the global admin users group or not and more to
unclean DNS.  This setup is working on an RHEL 5.4 with 3.3.10

[2010/03/19 10:00:11.062710,  0]
libsmb/ntlmssp_sign.c:209(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2010/03/19 10:00:11.062784,  0]
rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/03/19 10:00:11.062826,  0]
rpc_server/srv_pipe_hnd.c:399(process_request_pdu)
  process_request_pdu: error was NT_STATUS_ACCESS_DENIED.
[2010/03/19 10:00:13.508036,  0] lib/util_sock.c:675(write_data)
[2010/03/19 10:00:13.508104,  0]
lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error
Connection reset by peer
[2010/03/19 10:00:13.508224,  0] smbd/process.c:79(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not
connected)
[2010/03/19 10:00:13.528683,  0]
smbd/service.c:988(make_connection_snum)
  canonicalize_connect_path failed for service G_drive, path
/data/G_drive
[2010/03/19 10:00:13.530587,  0]
smbd/service.c:988(make_connection_snum)
  canonicalize_connect_path failed for service G_drive, path
/data/G_drive
[2010/03/19 10:00:15.753830,  0]
smbd/service.c:988(make_connection_snum)
  canonicalize_connect_path failed for service G_drive, path
/data/G_drive


smb.conf

Load smb config files from /etc/samba/smb.conf
Processing section [G_drive]
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = 
realm = .LOCAL
server string = %h
security = ADS
password server = zeus dione
client NTLMv2 auth = Yes
log file = /var/log/samba/%m
deadtime = 15
printcap name = cups
local master = No
domain master = No
idmap uid = 1-2
idmap gid = 1-2
template homedir = /data/user_home/%D/%U
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 5
admin users = @+domain admins, +Administrator
inherit owner = Yes
use sendfile = Yes
veto oplock files =
/*.mdb/*.MDB/*.mde/*.MDE/*.accdb/*.ACCDB/*.ldb/*.LDB/
access based share enum = Yes

[G_drive]
comment = G_Groups on Bubbles
path = /data/G_drive
valid users = @+domain admins, @+domain users,
+Administrator, @+r_g_drive
read only = No
force create mode = 0770
force directory mode = 0770
inherit permissions = Yes
inherit acls = Yes
hide unreadable = Yes
browseable = No


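Added example (not part of the original posts and not Samba code): a Python parser for the smbd log entries quoted in the two messages above, in both the native two-line form and the syslog-prefixed form. It counts entries per function and flags bursts such as the repeated canonicalize_connect_path failures. The sample lines are constructed from the excerpts on this page, unwrapped, and the burst threshold and window are assumed values.

```python
import re
from collections import Counter
from datetime import datetime

# Optional syslog prefix, e.g. "Mar 20 08:00:44 Bubbles smbd[31693]: "
SYSLOG_PREFIX = re.compile(
    r"^[A-Z][a-z]{2}\s+\d+\s\d\d:\d\d:\d\d\s\S+\s\w+\[(?P<pid>\d+)\]:\s?")
# smbd entry header. Both layouts seen on this page are accepted:
#   file.c:LINE(function)   and   file.c:function(LINE)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[\w./-]+):(?:\d+\((?P<f35>\w+)\)|(?P<f30>\w+)\(\d+\))")

# Constructed sample input, built from the log excerpts quoted on this page.
SAMPLE_NATIVE = """\
[2010/03/19 10:00:11.062710,  0] libsmb/ntlmssp_sign.c:209(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2010/03/19 10:00:11.062784,  0] rpc_server/srv_pipe_hnd.c:398(process_request_pdu)
  process_request_pdu: failed to do auth processing.
[2010/03/19 10:00:13.528683,  0] smbd/service.c:988(make_connection_snum)
  canonicalize_connect_path failed for service G_drive, path /data/G_drive
[2010/03/19 10:00:13.530587,  0] smbd/service.c:988(make_connection_snum)
  canonicalize_connect_path failed for service G_drive, path /data/G_drive
[2010/03/19 10:00:15.753830,  0] smbd/service.c:988(make_connection_snum)
  canonicalize_connect_path failed for service G_drive, path /data/G_drive
"""
SAMPLE_SYSLOG = """\
Mar 20 08:00:44 Bubbles smbd[31693]: [2010/03/20 08:00:44.180066,  0] libsmb/ntlmssp_sign.c:209(ntlmssp_check_packet)
Mar 20 08:00:44 Bubbles smbd[31693]:   NTLMSSP NTLM2 packet check failed due to invalid signature!
"""
SAMPLE_OLD_LAYOUT = """\
[2009/06/25 13:21:18, 0] smbd/notify_inotify.c:inotify_handler(249)
  No data on inotify fd?!
"""


def parse_events(text):
    """Turn smbd log text into a list of event dicts, one per header line."""
    events, current = [], None
    for raw in text.splitlines():
        pid = None
        prefix = SYSLOG_PREFIX.match(raw)
        if prefix:
            pid = int(prefix["pid"])
            raw = raw[prefix.end():]
        header = HEADER.match(raw)
        if header:
            current = {
                "ts": datetime.strptime(header["ts"], "%Y/%m/%d %H:%M:%S"),
                "level": int(header["level"]),
                "file": header["file"],
                "func": header["f35"] or header["f30"],
                "pid": pid,
                "message": "",
            }
            events.append(current)
        elif current is not None and raw.strip():
            # Message text, possibly wrapped over several lines: join it.
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return events


def summarise(events, max_level=0):
    """Count events at or below max_level per (function, message)."""
    return Counter((e["func"], e["message"])
                   for e in events if e["level"] <= max_level)


def floods(events, threshold, window_seconds):
    """Return the (function, message) pairs logged at least `threshold`
    times within any `window_seconds` span."""
    stamps_by_key = {}
    for e in events:
        stamps_by_key.setdefault((e["func"], e["message"]), []).append(e["ts"])
    hits = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_NATIVE + SAMPLE_SYSLOG + SAMPLE_OLD_LAYOUT)
    for (func, msg), n in summarise(evs).most_common():
        print(f"{n:3d}  {func}: {msg}")
    # Assumed alert rule: 3 identical entries within 5 seconds.
    print("bursts:", floods(evs, threshold=3, window_seconds=5))
```

Run against a real log, the per-function counts show whether the NTLMSSP signature failures are a one-off or a steady stream before the server goes into production.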


Re: [Samba] winbind doing dns on short domain

2010-03-19 Thread Andrew Masterson

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Jim Kusznir
Sent: Wednesday, March 10, 2010 7:20 PM
To: samba@lists.samba.org
Subject: [Samba] winbind doing dns on short domain

Hi all:

I'm building an authentication infrastructure for combined windows
plus linux clients.  To that end, I have a Win Server 2008r2 ADS and a
win svr 2008r2 client, and an ubuntu 9.10 client running the default
samba + winbind (whatever is in their production repos).

I had it 95% working this morning...Then all of a sudden, all winbind
queries died.  No idea why.  I spent the entire day debugging it, and
I finally found out what it's doing:  Its DNS requests for the
_kerberos... host are using the short domain, not the fqdn:

16:03:37.479967 IP 192.168.3.11.38775 > 192.168.3.16.53: 44000+ SRV? _kerberos._tcp.CASAS. (38)

(domain is CASAS.WSU.EDU).  I can do a DNS lookup with the fqdn, and
it works fine, but the short name definitely does NOT work.  I've even
modified /etc/resolv.conf to directly query the windows dns server
that is serving up casas.wsu.edu (which the normal production dns
server is set to delegate to).  DNS queries for any of the magic
entries in proper form do work (with exception of reverse resolution
of the linux host itself -- it returns a different domain name when
querying the correct servers).

I've gone through both /etc/krb5.conf and smb.conf; there are now NO
occurrences of the short domain name in there.  (I even changed
workgroup in smb.conf to the fqdn, as that was the last remaining
occurrence).  Keep in mind that winbind was working fine with no edits
to either files yesterday and early this morning, no changes had
occurred anywhere on that line...all I did was tweak pam files to try
and correct a different problem).

Here are my config files:

-- smb.conf --
[global]
   workgroup = CASAS.WSU.EDU
   server string = %h Ubuntu Termserver
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   realm = CASAS.WSU.EDU
   password server = 192.168.3.16
   idmap uid = 1-2
   idmap gid = 1-2
   idmap backend = rid:CASAS.WSU.EDU=1-2
   allow trusted domains = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   restrict anonymous = 2
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

/etc/krb5.conf

[libdefaults]
default_realm = CASAS.WSU.EDU
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
CASAS.WSU.EDU = {
kdc = ad1.casas.wsu.edu:88
admin_server = ad1.casas.wsu.edu
default_domain = casas.wsu.edu
}

[domain_realm]
.casas.wsu.edu = CASAS.WSU.EDU
casas.wsu.edu = CASAS.WSU.EDU
[login]
krb4_convert = true
krb4_get_tickets = false
-
And here's a tcpdump done filtering on port 53 during a winbind restart:
-
16:03:37.399967 IP 192.168.3.11.49438 > 192.168.3.16.53: 3748+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.49438: 3748* 1/0/0 A[|domain]
16:03:37.399967 IP 192.168.3.11.43851 > 192.168.3.16.53: 27311+ A? AD1.CASAS.WSU.EDU. (35)
16:03:37.399967 IP 192.168.3.16.53 > 192.168.3.11.43851: 27311* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.40739 > 192.168.3.16.53: 46827+ A? ad1.casas.wsu.edu. (35)
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.40739: 46827* 1/0/0 A[|domain]
16:03:37.429967 IP 192.168.3.11.54465 > 192.168.3.16.53: 44669+[|domain]
16:03:37.429967 IP 192.168.3.16.53 > 192.168.3.11.54465: 44669 NXDomain*[|domain]
16:03:37.429967 IP 192.168.3.11.57928 > 192.168.3.16.53:

Re: [Samba] Help with samba implementation

2010-01-27 Thread Andrew Masterson
If you are doing anything samba related on AIX, I highly suggest that
you look at the pware site.

http://pware.hvcc.edu/

there are some docs on setting up Bill's pWare compile of samba on AIX
here:

http://pware.hvcc.edu/documentation.html

And you can join the pWare mailing list here:

http://lists.hvcc.edu/mailman/listinfo/pware

Bill is usually very helpful in getting people's difficulties ironed
out, and has the most current, stable versions of samba compiled and
working for 6.1.

-=Andrew


Re: [Samba] write list for share is ignored

2010-01-22 Thread Andrew Masterson
-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Jon Trauntvein
Sent: Friday, January 22, 2010 10:00 AM
To: samba@lists.samba.org
Subject: [Samba] write list for share is ignored

I recently updated a Samba server from Fedora Core 4 to CentOs 4.5.  The
old server had samba version 3.0.11 installed while the newer has samba
version 3.0.33 installed.  The following file is a simplified version of
my smb.conf file:

[global]
  debug level = 5
  security = domain
  workgroup = CSI-INTRANET
  auth methods = guest, sam, winbind
  server string = Software Engineering Workgroup Server
  load printers = yes
  guest account = nobody
  log file = /var/log/samba/log.%m
  max log size = 1024
  encrypt passwords = yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  dns proxy = no
  map to guest = bad user

  winbind separator = \\
  idmap uid = 1-2
  idmap gid = 1-2
  winbind enum users = yes
  winbind enum groups = yes


[cora]
  available = yes
  browseable = yes
  path = /home/group/cora
  public = yes
  guest ok = yes
  read only = yes
  write list = @cora
  force create mode = 0775

---

Why do you have this set?

read only = yes

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

If this parameter is yes, then users of a service may not create or
modify files in the service's directory.

-=Andrew



Re: [Samba] Looking for AIX Users of Winbind -- Authorization and SSHProblems

2009-11-13 Thread Andrew Masterson

 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of Kevin Newman
 Sent: Thursday, November 12, 2009 3:55 PM
 To: samba@lists.samba.org
 Subject: [Samba] Looking for AIX Users of Winbind -- Authorization and
 SSHProblems
 
 Hi all,
 
 I've got Samba with Winbind working on AIX 5.3 and 6.1 fairly well with
 Active Directory 2003.  In fact, I'd say short of 2 very important services,
 it's working almost perfectly.  Unfortunately, these 2 services are quite
 critical, and without them I'm afraid we'll have to resort to some sort of
 proprietary identity solution like Novell, which I'm not crazy about.
 Assume that these examples are all from Samba 3.3.4, though I have tried a
 few versions back to 3.0.0 and forward to 3.3.9, with no different results.
 These are also from pWare's compiled versions (linked here:
 http://pware.hvcc.edu/download/).
 
 The two things I can't get working with Winbind on AIX:
 
 1. SSH.  Doesn't seem to work on AIX 5.3 with Winbind.  I get a setgroups:
 Not owner and initgroups: Not owner error in the sshd debug and the
 session is closed after authentication succeeds.  I *can*, however, get this
 working on AIX 6.1 with pWare's compiled SSH 5.2.1.0.
 
 2. Authorization (e.g., who can log into the box ... NOT just all of AD).
 I'm pretty good at configuring Winbind on Linux, and on Linux there's a
 pam_winbind.conf file that I usually use to lock down the box to specific AD
 users or groups -- I use the require_membership_of line and it works just
 fine.  Unfortunately,  I don't see any pam_winbind.conf file in AIX by
 default.  I've tried placing it in /etc/security/ or in other locations, but
 it doesn't seem to be used.  I've also tried adding pam_winbind lines to the
 /etc/pam.conf and manually adding the require_membership_of after the
 stanza, like so:
 
 telnet  account  required  /usr/lib/security/pam_winbind.so require_membership_of=someGroup
 
 ... also with no success.  To me, it's simply unacceptable to implement this
 Winbind configuration without being able to choose who logs onto the box.
 Without implementing some form of authorization, I might as well just set
 everyone's password blank.
 
 So, my question to everyone is: is there anyone out there using Winbind with
 AIX?  If so, have you overcome those 2 issues I'm describing?
 
 Thanks,
 
 Kevin



We are using winbind on AIX, and this is my documentation on how I got
it to work:

To use WINBIND:

cp -p /opt/pware/samba/3.0.28/lib/security/WINBIND /usr/lib/security

-
edit /usr/lib/security/methods.cfg and add
-

WINBIND:
program = /usr/lib/security/WINBIND
options = authonly


-
edit the default stanza in /etc/security/user to have
-

SYSTEM = WINBIND OR compat

-=Andrew


Re: [Samba] which version best to use right now?

2009-11-04 Thread Andrew Masterson
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of Philip Brown
 Sent: Wednesday, November 04, 2009 1:41 PM
 To: samba@lists.samba.org
 Subject: [Samba] which version best to use right now?
 
 hiya folks,
 I've been trying to figure out which branch of samba is best for us to use.
 I read the FAQ, and it seems a little out of date. or at best, lacking in info.
 It says that, The current stable, production Samba server is the Samba 3.2
 branch.
 
 If that is the case.. then why are there **THREE** other branches?
 
 why is there also a 3.3, *and* a 3.4, *and* a 4.x branch?
 
 To give an idea of my criteria: I'm looking for a version that will be part
 of a large-scale server for the next few years, as a member of an ms-windows
 active directory
 

What OS are you using?  If you're using something like RHEL or SUSE I
would go with the vendor-packaged kit and forget any of the bleeding
edge stuff.  Red Hat is still on 3.0.33, but they seem to keep it more
up to date than a generic 3.0.33 release, and I would go with that - it
performs just fine and should have all the functionality you need.
(unless you end up in a strange AD environment that you need more
current AD support, but I severely doubt it)

-=Andrew 


Re: [Samba] idmapping changes from 3.0.10 to 3.4.2.

2009-11-04 Thread Andrew Masterson
 On Behalf Of Wayne Rasmussen
 Sent: Friday, October 30, 2009 4:37 PM
 To: samba@lists.samba.org
 Subject: [Samba] idmapping changes from 3.0.10 to 3.4.2.
 
 idmapping changes from  3.0.10 to 3.4.2.
 
 Trying to transition from 3.0.10 to 3.4.2 with a minimal change to the system
 meaning it would be nice to only change the smb.conf file if possible.
 
 The new version doesn't seem to properly work.  getent passwd only produces
 entries from /etc/passwd.  Sometimes, getent passwd user will get results
 but usually they don't.
 
 Also, when winbindd (ver 3.0.10) started it would have a heavy load for about
 15 minutes while it loaded information.  This version (3.4.2) seems to have
 very little load so it seems to act differently or it is having a problem.
 
 Any suggestions on how to change the global section below quickly and easily
 to make this a transparent transition?
 
 Below is the global section of our smb.conf for 3.0.10.
 Note: I changed the workgroup/realm for posting. I just want it to work like
 the previous system worked.
 
 [global]
 workgroup = XX
 realm = XX.YYY.ZZZ
 security = ADS
 encrypt passwords = yes
 log level = 1
 idmap uid = 2000-90
 idmap gid = 2000-90
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /u/%U
 template shell = /bin/false
 winbind use default domain = yes
 winbind cache time = 1800
 wins server = 143.231.3.194 143.231.40.66
 client schannel = no
 #starting to add stuff to see how things are working
 #username map = /usr/local/samba/lib/users.map
 #guestaccount = NULL
 #load printers = yes
 log file = /usr/local/samba/var/log.%m

Try doing
 # testparm -s -v > smb.conf.verbose
on both systems, then a diff on the output files to see if any default
settings changed between versions.

-=Andrew


Re: [Samba] Fw: Samba as fileserver in an Windows AD Domain

2009-10-30 Thread Andrew Masterson
  I tried to setup a SuSE10.2 with samba 3.0.23d (but the same trouble with
  SuSE11.1).
 
  I got a valid Kerberos Ticket and joined successfully the domain (with net
  join).
 
  Users and group are displayed with wbinfo -u / -g . I could also verify
  accounts with wbinfo -a user%pass.
 
  When I tried to access the shares, the dialog appears to give the
  credentials. It doesn't matter what you fill in, there is no access.
 
  I also could not get users and groups with getent passwd / group. I tried
  different configs of
  /etc/nsswitch.conf with different results:
 
  only local accounts will be showed:
  passwd: compat
  group: compat
 
  local account and the group BUILTIN
  passwd: files winbind
  group: files winbind
 
  here are the local account, the BUILTIN group and a new entry like this:
  +::0: are displayed
  I think there is a problem with matching Windows LDAP with *nix LDAP
  passwd: files winbind ldap
  group: files winbind ldap
 
  My /etc/smb.conf:
  [global]
 workgroup = WIN2003SRV
 security = ADS
 realm = win2003srv.loc
 idmap backend = ad
 idmap uid = 1-2
 idmap gid = 1-2
 template homedir = /home/%D/%U
 winbind separator = +
 password server = 10.1.2.154
 domain master = No
 ldap ssl = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
 winbind nested groups = yes
 encrypt passwords = yes
 client use spnego = yes
 wins server = 10.1.2.154
 
  I see successful logins at the Windows DC.
  Do I need LDAP, or is Kerberos enough?
  Could somebody tell me what I do wrong?
 
 is really nobody able to give me a hint what to look for?
 

Is nscd running?  If so, turn it off.  I think the default SUSE installs
have nscd enabled.

-=Andrew


Re: [Samba] inotify (was: ACL)

2009-10-23 Thread Andrew Masterson



 I'm trying to use samba to share some files with ACL.
 But when i create a new folder or file, I have to press F5 before I can see 
 any change on the folder.
 For example:
 I create a new folder on a directory. But I can´t see it until i press F5
 Someone knows how to fix it?

Probably your Samba or kernel version is too old.  This has nothing to
do with ACLs.  Either Samba isn't monitoring files for changes (upgrade
Samba) or the required facility isn't available (kernel too old.)  I
think the code has been in the kernel for a long time, so probably a
Samba upgrade is in order.

FWIW I used to have this issue on Samba 3.0.x but not any more on 3.2.x.

Cheers,
Adam.

---

The samba 3.0.x series displays new files fine, it has to do with kernel 
conflicts.

For example, on one of our RHEL5.3 servers we are using the kernel 
2.6.18-92.1.13.el5xen and Samba Version 3.0.31-SerNet-RedHat, and leaving 
inotify enabled causes runaway smb processes and spams log files that fill 
terabyte arrays.  In order to stop this we had to specify
   kernel change notify = no
in smb.conf, but newer kernel versions don't have this problem.  As far as I am 
aware, this is also only an issue when files are created via a non-smb process 
(i.e. sftp, local cp, etc.)

Newer kernel versions (i.e. 2.6.18-164.el5) work fine with Samba Version 
3.0.33-3.14.el5, and if you create files locally they show up almost 
immediately on the client.

-=Andrew

 

 

Thank you, there is some good info here and I even kinda understand... :)  one
question though, if I update samba what kind of issues might I have after
that... I am sure I would have to re-start samba but would it mess with my very
simple smb.conf file?  Or would it mess with any permissions?

One danger to updating samba versions is that they sometimes change the default
options in the smb.conf file, and you will experience some strange behavior.
Before updating samba, I would do a

# testparm -v > fullsmb.conf

which will verbosely list all the default options so if something goes awry you
can check back to make sure no defaults have changed.

Also make sure that you are backing up the proper samba files.  This is what my
weekly backups look like (although you may not need to back it up as
frequently):

#!/bin/bash
# timestamp used in this run's backup directory name
export DTYD=`date '+%y%m%d_%H'`
mkdir /BACKUP/LOCATION/samba/samba_weekly_${DTYD}
mkdir /BACKUP/LOCATION/samba/samba_weekly_${DTYD}/var_lib_samba
mkdir /BACKUP/LOCATION/samba/samba_weekly_${DTYD}/var_cache_samba
mkdir /BACKUP/LOCATION/samba/samba_weekly_${DTYD}/etc_samba
# copy Samba's state, cache and configuration directories
cp -r /var/lib/samba/* /BACKUP/LOCATION/samba/samba_weekly_${DTYD}/var_lib_samba
cp -r /var/cache/samba/* /BACKUP/LOCATION/samba/samba_weekly_${DTYD}/var_cache_samba
cp -r /etc/samba/* /BACKUP/LOCATION/samba/samba_weekly_${DTYD}/etc_samba
# save the full effective configuration, defaults included
testparm -s -v > /BACKUP/LOCATION/samba/0_support_files/smb.conf.FULL.${DTYD}
unset DTYD

 

 

-=Andrew

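Added example (not part of the original posts and not Samba code): one way to do the before/after comparison of `testparm -s -v` dumps suggested in the reply above and in the idmapping reply earlier on this page. It compares parameter names the way smb.conf treats them (case and whitespace ignored) and marks changes to a watchlist of authentication and access parameters. The two dumps are constructed samples, not the real defaults of any Samba version, and the watchlist is an assumption drawn from parameters that appear on this page.

```python
def norm(name):
    """smb.conf parameter names ignore case and all whitespace."""
    return "".join(name.lower().split())


# Assumed watchlist: parameters from this page that affect authentication
# or who may use a share. Extend it for your own deployment.
WATCH = {norm(n) for n in (
    "client NTLMv2 auth", "client schannel", "client use spnego",
    "restrict anonymous", "map to guest", "admin users", "valid users",
    "write list", "read only", "guest ok",
)}

# Constructed sample dumps (values are illustrative, not real defaults).
DUMP_OLD = """\
[global]
    workgroup = EXAMPLE
    client NTLMv2 auth = No
    client schannel = Auto
    kernel change notify = Yes
    winbind enum users = Yes

[G_drive]
    path = /data/G_drive
    valid users = @+domain users
"""
DUMP_NEW = """\
[global]
    workgroup = EXAMPLE
    client ntlmv2 auth = Yes
    client schannel = Auto
    kernel change notify = Yes
    winbind enum users = No
    winbind expand groups = 1

[G_drive]
    path = /data/G_drive
    valid users = @+domain users
"""


def parse_dump(text):
    """Parse testparm output into {section: {normalised name: (name, value)}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            # Banner lines before the first section are ignored.
            name, value = line.split("=", 1)
            current[norm(name)] = (" ".join(name.split()), value.strip())
    return sections


def diff_dumps(old_text, new_text):
    """Return (section, name, old value, new value, watched) for each change.
    A value of None means the parameter is absent from that dump."""
    old, new = parse_dump(old_text), parse_dump(new_text)
    changes = []
    for section in sorted(set(old) | set(new)):
        o, n = old.get(section, {}), new.get(section, {})
        for key in sorted(set(o) | set(n)):
            before = o[key][1] if key in o else None
            after = n[key][1] if key in n else None
            if before != after:
                label = (n.get(key) or o[key])[0]
                changes.append((section, label, before, after, key in WATCH))
    return changes


def report(changes):
    """Format the changes, marking watched parameters with '!!'."""
    return "\n".join(
        f"{'!!' if watched else '  '} [{section}] {name}: {before!r} -> {after!r}"
        for section, name, before, after, watched in changes)


if __name__ == "__main__":
    print(report(diff_dumps(DUMP_OLD, DUMP_NEW)))
```

Feed it the dump saved before the upgrade and a fresh one taken afterwards; lines marked `!!` are the ones to review first.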


Re: [Samba] MDB database corruption

2009-10-23 Thread Andrew Masterson
  That is known and has been already dealt with. But i can't deny that
  the only thing i changed was my Linux and Samba version.
 
  I remember there were issues with the 3.0 series earlier on with
  MSAccess, but I haven't heard anything since 3.2.
 
  Try
 
  veto oplock files =
  /*.mdb/*.MDB/*.mde/*.MDE/*.accdb/*.ACCDB/*.ldb/*.LDB/
 
  in your smb.conf
 
 Disabling oplocks DOES indeed cure the issue (no corruption since a
 couple of weeks)... but, unfortunately, it slows a little the response
 from the application. That is, i think, the best we can get.
 
 Thank you everyone for your suggestions.
 
 --
 Francesco

We ran into the same issue, but preferred stability to speed as well.
;-)

I haven't had an issue with any other file type - only crapccess
databases.

-=Andrew


Re: [Samba] MDB database corruption

2009-10-16 Thread Andrew Masterson
 Mmh... i'd like to stick with official repository. So you're telling me
 that Ubuntu Server 8.04 is quite behind in keeping Samba version
 up-to-date?

Well according to the Samba website the latest release in the 3.0 series
is 3.0.37.  But that branch is only being maintained with security
releases, the current release in the 3.2 branch is 3.2.15.  But even the
3.2 branch has now been superseded with 3.4, so yes, 3.0.28a is quite
old :-)

 That is known and has been already dealt with. But i can't deny that the
 only thing i changed was my Linux and Samba version.
 
 I'll plan an update of Samba, and investigate other causes as well.
 Thank you.

I remember there were issues with the 3.0 series earlier on with
MSAccess, but I haven't heard anything since 3.2.

Cheers,
Adam.


-

Try

veto oplock files =
/*.mdb/*.MDB/*.mde/*.MDE/*.accdb/*.ACCDB/*.ldb/*.LDB/

in your smb.conf

-=Andrew


Re: [Samba] inotify (was: ACL)

2009-10-16 Thread Andrew Masterson

 I'm trying to use samba to share some files with ACL.
 But when i create a new folder or file, I have to press F5 before I can see 
 any change on the folder.
 For example:
 I create a new folder on a directory. But I can´t see it until i press F5
 Someone knows how to fix it?

Probably your Samba or kernel version is too old.  This has nothing to
do with ACLs.  Either Samba isn't monitoring files for changes (upgrade
Samba) or the required facility isn't available (kernel too old.)  I
think the code has been in the kernel for a long time, so probably a
Samba upgrade is in order.

FWIW I used to have this issue on Samba 3.0.x but not any more on 3.2.x.

Cheers,
Adam.

---

The samba 3.0.x series displays new files fine, it has to do with kernel 
conflicts.

For example, on one of our RHEL5.3 servers we are using the kernel 
2.6.18-92.1.13.el5xen and Samba Version 3.0.31-SerNet-RedHat, and leaving 
inotify enabled causes runaway smb processes and spams log files that fill 
terabyte arrays.  In order to stop this we had to specify
kernel change notify = no
in smb.conf, but newer kernel versions don't have this problem.  As far as I am 
aware, this is also only an issue when files are created via a non-smb process 
(i.e. sftp, local cp, etc.)

Newer kernel versions (i.e. 2.6.18-164.el5) work fine with Samba Version 
3.0.33-3.14.el5, and if you create files locally they show up almost 
immediately on the client.

-=Andrew

Re: [Samba] invalid computer name when accessing a Samba server from a Samba client

2009-09-28 Thread Andrew Masterson
 Domain=[CPTTM] OS=[Unix] Server=[Samba 3.0.20b]

Does the NAS have a machine account in the domain?
 
-=Andrew

 



Re: [Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

2009-09-28 Thread Andrew Masterson
 [r...@presidio3 ~]# net ads join -U Administrator
 Enter Administrator's password:
 [2009/09/23 23:58:48,  0] libads/kerberos.c:ads_kinit_password(362)
   kerberos_kinit_password administra...@garnser.se failed: Cannot find
 KDC for requested realm
 Failed to join domain: failed to connect to AD: Cannot find KDC for
 requested realm

 Any idea why this is?

Do you have 
DOMAIN.NAME = {
kdc = pdc.domain.name:88
...
}
In your krb5.conf?  Is your firewall allowing traffic to/from on port 88? Or do 
you have 
dns_lookup_kdc = no
in your krb5.conf file? (the default is supposed to be yes)
And can you ping the kdc from your box?  Is DNS resolving properly?
-=Andrew


[Samba] winbind enum groups/users = no

2009-08-26 Thread Andrew Masterson
After a bunch of reading, the most information I can find on turning
these off is that they will speed up certain tasks, and this warning:

Warning: Turning off group enumeration may cause some programs to
behave oddly.

Does anyone have any more information on what programs may behave
oddly?  Is this a server side odd-behaviour, client-side or both?

(Using ls on some small directories seems to take a while presumably
because it is busy getting the updated user/group information from the
PDC, so I was wondering about turning these parameters off.)


Re: [Samba] Veto files question

2009-08-25 Thread Andrew Masterson
Turning it on its head then, set ACLS for the full read-write share, and
set the local perms to 700.  Then set the flags on the original mount to
honour acls, and the flags on the second mount to *not* honour acls.

Then set hide unreadable=yes for the second mount.

Maybe the nt acl support option will help.  Maybe a different way to
approach the problem. YMMV

-=Andrew

-Original Message-
From: Allen Chen [mailto:ac...@harbourfrontcentre.com] 
Sent: Tuesday, August 25, 2009 7:40 AM
To: Andrew Masterson
Cc: samba@lists.samba.org
Subject: Re: [Samba] Veto files question

Andrew Masterson wrote:
 hide unreadable = yes

 is the closest I can think of.  You could then set perms to something
 like 400 and only owners will be able to read their own files.

 -=Andrew

   
Thank you, Andrew.
Changing the perms is not the solution. This is what I want to do:
I have a public share. Everybody can read,write and modify files within 
this share. This works perfect.
* I want to create another 'share' in smb.conf pointing to the same
folder.
* When a user mounts this share, he will only see the files belongs to
his.
I think Samba should have the power to filter it. Any idea?

Allen



Re: [Samba] Veto files question

2009-08-24 Thread Andrew Masterson
hide unreadable = yes

is the closest I can think of.  You could then set perms to something
like 400 and only owners will be able to read their own files.

-=Andrew

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Allen Chen
Sent: Thursday, August 20, 2009 7:35 AM
To: samba@lists.samba.org
Subject: [Samba] Veto files question

Hi, there
I have a question about Veto files in smb.conf:
Can we use this option to hide files not belonging to myself in a
shared folder?
If not, how do we implement this functionality in Samba?

Thanks,

Allen


Re: [Samba] inotify_handler No data on inotify fd?

2009-08-05 Thread Andrew Masterson
 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of Kyle Schmitt
 Sent: Wednesday, August 05, 2009 8:07 AM
 To: samba
 Subject: [Samba] inotify_handler No data on inotify fd?
 
 I've got a samba server that's occasionally spewing inotify errors.
 
 The classic, smbd/notify_inotify.c:inotify_handler No data on inotify
 fd? type errors solved by
 kernel change notify = false
 
 Now, everything is working perfectly on this box unless one or two
 users leave files open from specific machines (this is as far as I can
 tell, it's hard to get good info from the users sometimes, but it's
 what the logs indicate).
 
 Because of this, I would rather not put in the kernel change notify =
 false line, so I'm wondering if there's another good solution.
 
 When I logged into the server, lsof told me the offending client had a
 single Excel file open about 1300 times, and I found their samba
 process had been running for 14 hours.
 
 What if I set limits, lets say hard and soft limits for open files to
 512, or 128, and cpu time limits of 4 hours or so.
 Would that cause issues for my users?
 Would that have killed the misbehaving client, or at least kept it
 from choking my system?
 Will samba behave OK, if a user's samba process runs out of open file
 handles, or will it instead fill my logs even faster?
 
 Thanks
 --Kyle

From what I understand changing the kernel notify options only affects
users viewing files created locally (i.e. root logged on to the server
creates a file) - not via smb connections.  And in the worst case they
have to hit refresh to get an updated list from the server.

I would just turn it off and save yourself the headache.

-=Andrew


RE: [Samba] No data on inotify fd error

2009-07-10 Thread Andrew Masterson
Receiving the exact same errors on RHEL 5.3
kernel: 2.6.18-92.1.13.el5xen 
Samba Version: 3.0.31-SerNet-RedHat

After some googling it looks like a kernel bug, so I set 

kernel change notify = No

in smbd.conf and I had to kill two rogue smbd processes on the box,
reboot the rogue user's machine and then it hasn't happened again since.
(the smbd processes appeared to have detached themselves from the
client, so they were filling the logs and needed to be terminated)

It looks like I'll need to schedule an outage to update the kernel.


 -----Original Message-----
 From: samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org
 [mailto:samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org] On
 Behalf Of MargoAndTodd
 Sent: Saturday, June 27, 2009 3:23 PM
 To: samba@lists.samba.org
 Cc: volker.lende...@sernet.de
 Subject: Re: [Samba] No data on inotify fd error
 
 Volker Lendecke wrote:
 
 
  On Fri, Jun 26, 2009 at 03:45:32PM -0700, MargoAndTodd wrote:
  My poor /var/log/messages is getting hammered with:
 
smbd[16076]:   No data on inotify fd?!
 
smbd[16076]: [2009/06/25 13:21:18, 0] \
smbd/notify_inotify.c:inotify_handler(249)
 
  Everything else seems to be working fine.  Any idea
  what this is all about?
 
  Is there any way to reproduce this? Till we really fix this,
  can you try the attached workaround patch? This will reduce
  the number of messages a lot.
 
 Hi Volker,
 
 What triggered this was my root partition filling.  I
 go to this customer on Wednesdays or Thursdays.  I get
 a nightly backup report, which I have included a
 df on my hard drives.  My root partition went
 from typical 56% capacity to 86%.  After cleaning
 everything up, it dropped to 46%.
 
 So, I installed a month's worth of YUM updates, including
 a kernel update.  Since this is a running server, I could
 not reboot after the kernel update.  So I set it to
 reboot at 8:00 PM (20:00).  Since then, with the
 fine offices of logrotate, my root partition
 has dropped to 27%.  So there is a very big possibility
 that the kernel update and/or the reboot did the trick.
 
 But, I will check next Tuesday or Thursday.
 
 I am not sure how to duplicate this.  And, am a bit
 cautious about sending this to Samba's bugzilla, being
 that it is older Red Hat Enterprise stuff.  If I can
 duplicate this, I should report it to Red Hat.
 
 -T


RE: [Samba] inherit group on new files/directories

2009-03-10 Thread Andrew Masterson
chmod g+s dirname

 -----Original Message-----
 From: samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org
 [mailto:samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org] On
 Behalf Of Lluís Forns
 Sent: Tuesday, March 10, 2009 5:22 AM
 To: samba@lists.samba.org
 Subject: [Samba] inherit group on new files/directories
 
 I have a share with folders belonging to different groups, with
 restricted access depending on unix groups.
 When a user creates a file inside one of these folders I want it created
 with directory group; I think it should be possible using inherit
 acl but it doesn't work; my share configuration is:
 
 [arees2]
 path = /home/samba/arees
 valid users = @users
 admin users = root
 read only = No
 create mask = 0770
 directory mask = 0770
 inherit permissions = Yes
 inherit acls = Yes
 inherit owner = Yes
 
 My share files are:
 drwxrwx---  4 root disseny 4096 2009-03-09 12:45 disseny
 drwxrwx--- 40 root informatica 4096 2009-03-10 10:30 Informatica
 drwxrwx--- 14 root users   4096 2009-03-10 09:19 Plantilles
 drwxrwx---  7 root relacions   4096 2008-11-19 18:06 Relacions
 drwxrwx--- 17 root secretaria  4096 2009-02-24 19:25 Secretaria
 drwxrwx---  2 root informatica 4096 2009-03-02 13:07 Web
 
 
 Any hint?
 
 Just in case it is useful, my full smb.conf as testparm -v is:
 
 [global]
 dos charset = CP850
 unix charset = UTF-8
 display charset = LOCALE
 workgroup = MEGOSG
 realm =
 netbios name = MEGSERVER
 netbios aliases =
 netbios scope =
 server string = %h (sevidor de fitxers)
 interfaces =
 bind interfaces only = No
 security = USER
 auth methods =
 encrypt passwords = Yes
 update encrypted = No
 client schannel = Auto
 server schannel = Auto
 allow trusted domains = Yes
 map to guest = Bad User
 null passwords = No
 obey pam restrictions = Yes
 password server = *
 smb passwd file = /etc/samba/smbpasswd
 private dir = /etc/samba
 passdb backend = tdbsam
 algorithmic rid base = 1000
 root directory =
 guest account = nobody
 enable privileges = Yes
 pam password change = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n
 *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 passwd chat debug = No
 passwd chat timeout = 2
 check password script =
 username map =
 password level = 0
 username level = 0
 unix password sync = Yes
 restrict anonymous = 0
 lanman auth = No
 ntlm auth = Yes
 client NTLMv2 auth = No
 client lanman auth = Yes
 client plaintext auth = No
 preload modules =
 use kerberos keytab = No
 log level = 3
 syslog = 0
 syslog only = No
 log file = /var/log/samba/log.%m
 max log size = 1000
 debug timestamp = Yes
 debug prefix timestamp = No
 debug hires timestamp = No
 debug pid = No
 debug uid = No
 enable core files = Yes
 smb ports = 445 139
 large readwrite = Yes
 max protocol = NT1
 min protocol = CORE
 read bmpx = No
 read raw = Yes
 write raw = Yes
 disable netbios = No
 reset on zero vc = No
 acl compatibility = auto
 defer sharing violations = Yes
 nt pipe support = Yes
 nt status support = Yes
 announce version = 4.9
 announce as = NT
 max mux = 50
 max xmit = 16644
 name resolve order = lmhosts host wins bcast
 max ttl = 259200
 max wins ttl = 518400
 min wins ttl = 21600
 time server = No
 unix extensions = Yes
 use spnego = Yes
 client signing = auto
 server signing = No
 client use spnego = Yes
 enable asu support = No
 svcctl list =
 deadtime = 0
 getwd cache = Yes
 keepalive = 300
 lpq cache time = 30
 max smbd processes = 0
 paranoid server security = Yes
 max disk size = 0
 max open files = 1
 open files database hash size = 10007
 socket options = TCP_NODELAY
 use mmap = Yes
 hostname lookups = No
 name cache timeout = 660
 load printers = Yes
 printcap cache time = 750
 printcap name = cups
 cups server =
 iprint server =
 disable spoolss = No
 addport command =
 enumports command =
 addprinter command =
 deleteprinter command =
 show add printer wizard = Yes
 os2 driver map =
 mangling method = hash2
 mangle prefix = 1
 max stat cache size = 1024
 stat cache = Yes
 machine password timeout = 604800
 add user script = /usr/sbin/adduser --quiet --disabled-password
 --gecos  %u
 rename user script =
 delete user script = /usr/sbin/userdel -r %u
 add group script = /usr/sbin/groupadd %g
 delete group script = /usr/sbin/groupdel %g
 add user to group script = /usr/sbin/usermod -G %g %u
 

RE: [Samba] Excel permission in samba

2009-01-07 Thread Andrew Masterson
Inherit permissions = yes
Inherit owner = yes

 -----Original Message-----
 From: samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org
 [mailto:samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org]
 On Behalf Of Mario Remy Almeida
 Sent: Wednesday, January 07, 2009 7:05 AM
 To: Samba Users
 Subject: [Samba] Excel permission in samba
 
 Hi All,
 
 Recently Moved from windows file server to samba file server
 
 but still users are authenticating from windows ADS 2003 server
 
 I have a strange problem.
 
 smb.conf file config is below
 ### START smb.conf file ###
 [global]
 netbios name = AA-FTP
 workgroup = airarabia
 realm = airarabia.com
 server string = Samba File Server
 encrypt passwords = yes
 security = ADS
 password server = 10.200.2.22
 log level = 3
 log file = /var/log/samba/%m.log
 max log size = 50
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 printcap name = /etc/printcap
 preferred master = No
 passdb backend = tdbsam
 domain master = no
 dns proxy = yes
 ldap ssl = no
 idmap uid = 1-2
 idmap gid = 1-2
 winbind separator = +
 winbind use default domain = yes
 cups options = raw
 vfs object = vscan-clamav
 force create mode = 0660
 force directory mode = 0770
 vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
 
 [I T]
 comment = IT
 path = /home/IT
 browseable = yes
 writeable = yes
 preserve case = yes
 short preserve case = yes
 force security mode = 0600
 inherit acls = yes
 
 ### END OF smb.conf file ##
 
 Parent directory is IP Addresses
 ls -al
 drwxrws---+  2 root root4096 Jan  7 17:13 IP Addresses
 
 getfacl result
 
 # file: IP\040Addresses
 # owner: root
 # group: root
 user::rwx
 user:clamav:rwx
 user:aalsaadi:rwx
 user:isa_mario:rwx
 user:skoirala:rwx
 user:ahussain:rwx
 user:rskendar:rwx
 user:adelali:rwx
 user:malbadri:rwx
 group::r-x
 mask::rwx
 other::---
 
 
 Observations 1
 
 getfacl before modification
 
 # file: Switches\040IP\040Addresses.xls
 # owner: root
 # group: root
 user::rw-
 user:root:rwx
 user:clamav:rwx
 user:aalsaadi:rwx
 user:isa_mario:rw-
 user:skoirala:rwx
 user:ahussain:rwx
 user:rskendar:rwx
 user:adelali:rwx
 user:malbadri:rwx
 group::r--
 mask::rwx
 other::---
 
 User isa_mario modifies and saves the file
 getfacl after modification
 
 # file: Switches\040IP\040Addresses.xls
 # owner: isa_mario
 # group: root
 user::rwx
 user:root:rw-
 user:clamav:rwx
 user:aalsaadi:rwx
 user:skoirala:rwx
 user:ahussain:rwx
 user:rskendar:rwx
 user:adelali:rwx
 user:malbadri:rwx
 group::rw-
 mask::rwx
 other::---
 
 The owner of the file is changed to isa_mario instead of root
 
 Observation 2
 changed the owner manually back to root
 
 getfacl before modification
 
 # file: Switches\040IP\040Addresses.xls
 # owner: root
 # group: root
 user::rwx
 user:root:rw-
 user:clamav:rwx
 user:aalsaadi:rwx
 user:skoirala:rwx
 user:ahussain:rwx
 user:rskendar:rwx
 user:adelali:rwx
 user:malbadri:rwx
 group::rw-
 mask::rwx
 other::---
 
 User rskendar modifies and saves the file
 getfacl after modification
 
 # file: Switches\040IP\040Addresses.xls
 # owner: root
 # group: root
 user::rwx
 user:root:rwx
 user:clamav:rwx
 user:aalsaadi:rwx
 user:skoirala:rwx
 user:ahussain:rwx
 user:adelali:rwx
 user:malbadri:rwx
 group::rw-
 mask::rwx
 other::---
 
 Now here the Owner is not changed owner remains the same as root
 
 As soon as the user saves the file (Ctrl+S) error message file is readonly
 option is to click ok and then another message the file was
 successfully saved but failed to reopen the file
 
 In both the observations respective saving users are not shown in the ACL
 (isa_mario and rskendar)
 
 Because of this the user was not able to open and save the file next
 time
 
 In order to give temp solution had to change the parent folder
 permission to chmod g+s
 
 what could be the problem, what am I missing in the conf file?
 
 Need help very urgent.
 
 //Remy
 
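The ACL change reported in Observation 2 of the quoted post can be read off the two `getfacl` dumps alone. The following is an added example, not part of the original thread: it parses both dumps (copied from the post), diffs them, and applies the POSIX ACL access-check order to show which named user ends up with no access. It assumes the named users are not members of group root, which the post does not state; all function names are this example's own.

```python
# Observation 2 from the post, "before" and "after" the save, copied as posted.
_HEAD = r"""# file: Switches\040IP\040Addresses.xls
# owner: root
# group: root
user::rwx
"""
_TAIL = "group::rw-\nmask::rwx\nother::---\n"
BEFORE = _HEAD + """user:root:rw-
user:clamav:rwx
user:aalsaadi:rwx
user:skoirala:rwx
user:ahussain:rwx
user:rskendar:rwx
user:adelali:rwx
user:malbadri:rwx
""" + _TAIL
AFTER = _HEAD + """user:root:rwx
user:clamav:rwx
user:aalsaadi:rwx
user:skoirala:rwx
user:ahussain:rwx
user:adelali:rwx
user:malbadri:rwx
""" + _TAIL


def parse_getfacl(text):
    """Return {'owner', 'group', 'entries': {(tag, qualifier): 'rwx'}}."""
    acl = {"owner": None, "group": None, "entries": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # tag:qualifier:perms, optionally followed by "#effective:..."
            tag, qualifier, perms = line.split("#", 1)[0].split(":")[:3]
            acl["entries"][(tag, qualifier)] = perms.strip()[:3]
    return acl


def diff_acl(before, after):
    """Entries removed, added or changed between two parsed ACLs."""
    b, a = before["entries"], after["entries"]
    return {
        "owner": (before["owner"], after["owner"]),
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "changed": sorted((k, b[k], a[k]) for k in b if k in a and b[k] != a[k]),
    }


def _mask(perms, mask):
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def effective_perms(acl, user, groups=()):
    """POSIX ACL check order: owner, named user, matching groups, other."""
    e = acl["entries"]
    mask = e.get(("mask", ""), "rwx")
    if user == acl["owner"]:
        return e[("user", "")]            # the owner entry is not masked
    if ("user", user) in e:
        return _mask(e[("user", user)], mask)
    matched = [p for (tag, q), p in e.items()
               if tag == "group" and (q or acl["group"]) in groups]
    if matched:                           # union of every matching group entry
        merged = "---"
        for p in matched:
            merged = "".join(x if x != "-" else y for x, y in zip(merged, p))
        return _mask(merged, mask)
    return e[("other", "")]


def lost_access(before, after, groups_of=None):
    """Map each named user whose effective rights changed to (was, now)."""
    groups_of = groups_of or {}           # assumption: memberships unknown
    report = {}
    for tag, name in before["entries"]:
        if tag == "user" and name:
            was = effective_perms(before, name, groups_of.get(name, ()))
            now = effective_perms(after, name, groups_of.get(name, ()))
            if was != now:
                report[name] = (was, now)
    return report


if __name__ == "__main__":
    b, a = parse_getfacl(BEFORE), parse_getfacl(AFTER)
    print(diff_acl(b, a))
    print(lost_access(b, a))
```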


RE: [Samba] samba PDC, cannot add windows workstations

2008-12-31 Thread Andrew Masterson
Smells like a DNS (or firewall) issue on the PDC.  Make sure that your DNS 
resolution is happening properly.
 

 


From: samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org on 
behalf of Viji V Nair
Sent: Wed 12/31/2008 7:01 AM
To: samba@lists.samba.org
Subject: [Samba] samba PDC, cannot add windows workstations



Hi,

I have setup samba as a PDC with kerberos and ldap. While adding the windows
clients I get the following error message on the logs, and windows says the
user name and password is incorrect

[2008/12/31 19:00:09,  0] lib/util_sock.c:write_data(1059)
[2008/12/31 19:00:09,  0] lib/util_sock.c:get_peer_addr_internal(1607)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Connection
reset by peer
[2008/12/31 19:00:09,  0] smbd/process.c:srv_send_smb(74)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)

Any help on the same will be greatly appreciated.

# rpm -qa |grep samba
samba-client-3.2.5-0.23.fc10.x86_64
samba-common-3.2.5-0.23.fc10.x86_64
samba-3.2.5-0.23.fc10.x86_64
samba-winbind-3.2.5-0.23.fc10.x86_64

# uname -a
Linux viji.testing.com 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35
EST 2008 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/samba/smb.conf
[global]
 workgroup   = TESTING.COM
 server string   = Samba Server Version %v
 security= user
 passdb backend  = smbpasswd
 socket options  = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 os level= 33
 domain logons   = yes
 domain master   = yes
 local master= yes
 preferred master= yes
 wins support= yes
 template shell  = /bin/false
 realm   = TESTING.COM
 use kerberos keytab = yes
 load printers   = yes
 cups options  = raw
# log level = 3 passdb:5 auth:10
[homes]
comment  = Home Directories
browseable   = no
writable = yes
[printers]
comment  = All Printers
path = /var/spool/samba
browseable   = no
guest ok = no
writable = no
printable= yes
[share]
comment  = Share
path = /share
browseable   = yes
guest ok = no
writable = yes
valid users  = admin

Thanks
Viji


RE: [Samba] Re: Authentication fails - 3.0.26a-0.9-1787-SUSE-SLES9

2008-12-24 Thread Andrew Masterson
What does wbinfo -D return?

 
 I recently brought up our fifth Samba domain member server with 
 3.0.26a-0.9-1787-SUSE-SLES9 against an NT4 domain on a new subnet. The 
 subnet also has an NT4 BDC that is working correctly. Wbinfo and getent 
 both work properly but users can not get to the [homes] service but can 
 get to another share that is on the same system. If I setup a share 
 definition in smb.conf for myself as a home share it fails with the same 

 error. All of our other Samba servers are working correctly. When a 
 connection is attempted they get the following:
 
 '/data2/home/OREILLY2/bdehn' does not exist or permission denied when 
 connecting to [bdehn] Error was Permission denied.
 
 I turned up the log level (5) and see that winbind shows me 
 authenticating correctly but still the Permission denied message. If I 
 stop and restart winbind I see the following in log.winbind:
 
 rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR 

 received from remote machine OREILLYTS6 pipe \lsarpc fnum 0x801!
 rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(601)
   cli_pipe_validate_current_pdu: Bind NACK received from remote machine 
 OREILLYTS6 pipe \samr fnum 0x802!
 rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2362)
   cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with 
error 
 NT_STATUS_NETWORK_ACCESS_DENIED
 
 I have re-joined the domain several times and deleted all tdb's. 
 
 Any help would be much appreciated!

 Bob Dehn

More info...

The [homes] section path had been defined as path = /data2/home/%D/%U/ 
which is identical to our other member servers. I changed the path 
statement to path = /data2/home/%U/ and moved the directories and it works 
fine. What could I have mis-configured that would cause the '%D' to not 
pickup the domain name? As I mentioned previously wbinfo and getent work 
great...

Thanks in advance for any help!

Bob Dehn


RE: [Samba] Creating folders while preserving sharing group

2008-12-16 Thread Andrew Masterson
chmod g+s ~/Share/

smb.conf:
inherit acls = yes
inherit permissions = yes

or  create mask 750

or something similar.

 -----Original Message-----
 From: samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org
 [mailto:samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org]
 On Behalf Of Ooi Kwan Chen
 Sent: Monday, December 15, 2008 6:47 PM
 To: samba@lists.samba.org
 Subject: [Samba] Creating folders while preserving sharing group
 
 Hi there,
 
 I'm using Samba 3.0.24-6etch10 in Debian Etch 64bit with kernel Linux
 2.6.18-6-amd64.
 
 Here is my case scenario.
 
 I have created a folder to be shared with other group users. The
 ownership for the folders are shown as below:
 
 Directory path:~/Share/
 
 drwxr-x--- 25 admin data  4096 2008-05-05 13:42 file1107
 drwxr-x--- 25 admin data  4096 2008-11-13 14:57 file1207
 
 When the admin group users created a folder under the Share directory,
 it is shown as below:
 
 drwxr-  2 admin admin 4096 2008-12-15 11:45 New Folder
 
 I wanted the folder to have admin:data kind of ownership whenever the
 admin users created a file or a folder. Is it possible to do that?
 
 Here's my smb.conf file
 
 [Share]
comment = Share
path = /Share
read only = No
create mask = 0640
directory mask = 0740
 
 [global]
workgroup = IT
netbios name = ITSHARE
server string = %h server
security = USER
encrypt passwords = No
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
 *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully*
.
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
os level = 64
local master = No
domain master = No
dns proxy = No
wins support = Yes
panic action = /usr/share/samba/panic-action %d
invalid users = root
read list = data
write list = admin
hosts allow = 192.168.11.0/24 192.168.10.0/24
 
 Appreciate your all kind suggestions. Thank you
 
 --
 Best regards,
 
 Ooi Kwan Chen (John), System Support, Server Management Section,
 Group IT Department, DXN Holdings Berhad
 Office Phone : +604 771 6688 Ext 122 Fax : +604 772 4785
 Website : www.dxn2u.com
 


RE: [Samba] replace winbind with ldap

2008-12-15 Thread Andrew Masterson
Try this:

http://osr600doc.sco.com/en/INT_sambaDocGuide/migration.html

 -----Original Message-----
 From: samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org
 [mailto:samba-bounces+andrew.masterson=nuvistaenergy@lists.samba.org]
 On Behalf Of vishesh kumar
 Sent: Monday, December 15, 2008 3:32 AM
 To: Madars Vitolins
 Cc: Samba List
 Subject: Re: [Samba] replace winbind with ldap
 
 dear madars
 
 I am not migrating for interest but want to free server running windows
 active directory. Group Policy has not been implemented in our environment.
 
 thanks
 
 On Mon, Dec 15, 2008 at 1:59 PM, Madars Vitolins m...@silodev.eu wrote:
 
  Hi Vishesh,
 
  Why do you want to migrate to openLdap?
  Just for interest.
 
  One thing about your case I could say that openLdap won't support group
  policy.
 
  Thanks,
  Madars
 
 
  vishesh kumar wrote:
 
  dear all
  Currently i am using samba 3.0.28 with winbind on rhel5.2. Our
  network consists of almost 200 users and Windows 2003 active directory which
  holds domain data. Now i want to replace active directory with openldap. I
  want to know is there any tool that helps to migrate Active Directory data
  to openldap ?
 
  thanks
 
 
 
 


RE: [Samba] performance problem with access database

2008-11-14 Thread Andrew Masterson
Add

veto oplock files = /*.mdb/*.MDB/*.mde/*.MDE/*.accdb/*.ACCDB/*.ldb/*.LDB/

to your smb.conf

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 On Behalf Of Scheidegger Patrick
 Sent: Friday, November 14, 2008 11:37 AM
 To: samba@lists.samba.org
 Subject: [Samba] performance problem with access database
 
 Hello
 
 I have a problem with an Access application: when I try to start the
 application I must wait 5 minutes before it starts.
 I do this from a WinXp Workstation to a Linux Debian Etch and samba
 3.0.24 installation.
 What can I do for better performance?
 
 best regards
 
 pat


RE: [Samba] Samba authentication using ADS

2008-10-01 Thread Andrew Masterson
Try this:

http://wiki.samba.org/index.php/Samba__Active_Directory


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 On Behalf Of Prashanth Adiyodi
 Sent: Wednesday, October 01, 2008 7:42 AM
 To: samba@lists.samba.org
 Subject: [Samba] Samba authentication using ADS
 
 Greetings
 
 
 
 I need help in setting up my linux box with ADS authentication on
Samba.
 I know that it can be done using winbind and Kerberos. I tried some of
 the online methods but I am not able to get a result.
 
 
 
 Request you to please help me with this.
 
 
 
 These are the steps I followed to setup winbind
 
 
 
 * Using Authconfig command I put in the relevant details like Use
 Winbind and Use Winbind Authentication and left Cache Information,
 Use MD5 Passwords and Use Shadow Passwords selected
 * Then I put details about the domain with authentication.
 
 
 
 * I placed entries in /etc/nssswitch as
 
 passwd: files winbind
 
 shadow: files winbind
 
 group:  files winbind
 
 
 
 
 
 This is the output I get
 
 
 
 [2008/10/01 18:27:56, 0] libads/kerberos.c:ads_kinit_password(146)
 
   kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot
find
 KDC for requested realm
 
 [2008/10/01 18:27:56, 0] utils/net_ads.c:ads_startup(186)
 
   ads_connect: Cannot find KDC for requested realm
 
 [2008/10/01 18:27:56, 0]
rpc_client/cli_pipe.c:cli_nt_session_open(1451)
 
   cli_nt_session_open: cli_nt_create failed on pipe \lsarpc to machine
 ads.example.com.  Error was NT_STATUS_ACCESS_DENIED
 
 could not initialise lsa pipe
 
 could not obtain sid for domain
 
 
 
 Shutting down Winbind services:[FAILED]
 
 Starting Winbind services: [  OK  ]
 
 
 
 Please help me as to what is going wrong. Appreciate if any members
 could help me out in configuring using Kerberos. Here also I edited the
 krb5.conf, krb.conf and krb.realm with the correct parameters but still
 am not able to get a solution.
 
 
 
 Thanking you
 
 
 
 Prashanth Adiyodi
 System Administrator
 
 
 Roamware (I) Pvt. Ltd.
 7th Floor, Sigma, Hiranandani Gardens
 Technology Street, Powai,
 Mumbai-400 076
 Tel: 40406000 Ext: 6124
 GSM: 91-9833377712
 
 www.roamware.com http://www.roamware.com
 
 
 
 
 


RE: [Samba] When to restart samba

2008-08-30 Thread Andrew Masterson
 to plan outages of
production shares unless I have to.

So I am asking what I *can* change without having to disrupt everyone.
I'm just a regular schmuck who wants to use Linux/Samba in a
predominantly Windows world.

-=Andrew


 
 - John T.
 
 
  -=Andrew
 
  On Friday 29 August 2008 10:27:10 Andrew Masterson wrote:
 If I understand correctly, in order to have the smb.conf file applied
 you need to restart smbd.

 Is service smbd reload sufficient (which does a killproc smbd -HUP)?
 Will this kill any active connections to samba resources causing user
 disruption?  Or is this a seamless process that can be carried out
 midday?

 I ask because if I need to kill all user connections to production
 shares in order to test different share parameters that changes my
 approach.

If you make changes to the [global] stanza in smb.conf you need to restart
Samba's smbd and nmbd daemons.

   And winbind as well?  The documentation seems to indicate that winbindd
   needs to be started after nmbd and smbd - so does it need to be
   restarted as well, or will it remain active?  Are there potential
   conflicts if winbind isn't shut down before restarting the nmbd and smbd
   daemons?

  Yes, winbindd and smbd should be restarted after changing the global stanza
  of smb.conf.  In reality, this is only necessary when global parameters
  have been changed that may impact Samba's behavior.  For example, changing
  the log level parameter does not require restarting of any Samba daemon.
  Check the man page for smb.conf to determine if a restart is perhaps
  necessary.

Changes to the share stanzas in smb.conf generally do not require a
restart of smbd. Smbd monitors the smb.conf file for changes.

   Could you elaborate on generally and give me an estimate of how long
   it takes for the changes to be reloaded?

  That depends on the OS.  On some older systems this can take 20 sec or so,
  on all modern systems the change is almost immediately effective.

  - John T.

   Thanks a bunch for your answers,
   Andrew

Existing connections will not see the changes made, so clients that have an
existing connection should log off and logon again.

- John T.
 
  --
  John H Terpstra
 
  Don't do as I do; Show me better! - Anonymous.


[Samba] When to restart samba

2008-08-29 Thread Andrew Masterson
If I understand correctly, in order to have the smb.conf file applied
you need to restart smbd.

 

Is service smbd reload sufficient (which does a killproc smbd -HUP)?
Will this kill any active connections to samba resources causing user
disruption?  Or is this a seamless process that can be carried out
midday?

 

I ask because if I need to kill all user connections to production
shares in order to test different share parameters that changes my
approach.

 

Thanks,

Andrew



RE: [Samba] When to restart samba

2008-08-29 Thread Andrew Masterson
  If I understand correctly, in order to have the smb.conf file applied
  you need to restart smbd.

  Is service smbd reload sufficient (which does a killproc smbd -HUP)?
  Will this kill any active connections to samba resources causing user
  disruption?  Or is this a seamless process that can be carried out
  midday?

  I ask because if I need to kill all user connections to production
  shares in order to test different share parameters that changes my
  approach.

 If you make changes to the [global] stanza in smb.conf you need to restart
 Samba's smbd and nmbd daemons.

And winbind as well?  The documentation seems to indicate that winbindd
needs to be started after nmbd and smbd - so does it need to be
restarted as well, or will it remain active?  Are there potential
conflicts if winbind isn't shut down before restarting the nmbd and smbd
daemons?

 Changes to the share stanzas in smb.conf generally do not require a
 restart of smbd. Smbd monitors the smb.conf file for changes.

Could you elaborate on generally and give me an estimate of how long
it takes for the changes to be reloaded?

Thanks a bunch for your answers,
Andrew

 Existing connections will not see the changes made, so clients that have an
 existing connection should log off and logon again.
 
 - John T.


RE: [Samba] When to restart samba

2008-08-29 Thread Andrew Masterson
Thanks for the info - I've gotten conflicting info from SWAT, Webmin and the 
man pages, so I thought I would ask.  It appears that there isn't a hard rule 
for when to restart vs. wait for autoload so I'll have to play with it a bit to 
figure out when and what.
 
-=Andrew
 
 
On Friday 29 August 2008 10:27:10 Andrew Masterson wrote:
   If I understand correctly, in order to have the smb.conf file applied
   you need to restart smbd.

   Is service smbd reload sufficient (which does a killproc smbd -HUP)?
   Will this kill any active connections to samba resources causing user
   disruption?  Or is this a seamless process that can be carried out
   midday?

   I ask because if I need to kill all user connections to production
   shares in order to test different share parameters that changes my
   approach.

  If you make changes to the [global] stanza in smb.conf you need to restart
  Samba's smbd and nmbd daemons.

 And winbind as well?  The documentation seems to indicate that winbindd
 needs to be started after nmbd and smbd - so does it need to be
 restarted as well, or will it remain active?  Are there potential
 conflicts if winbind isn't shut down before restarting the nmbd and smbd
 daemons?

Yes, winbindd and smbd should be restarted after changing the global stanza of
smb.conf.  In reality, this is only necessary when global parameters have
been changed that may impact Samba's behavior.  For example, changing
the log level parameter does not require restarting of any Samba daemon. 
Check the man page for smb.conf to determine if a restart is perhaps
necessary.

  Changes to the share stanzas in smb.conf generally do not require a
  restart of smbd. Smbd monitors the smb.conf file for changes.

 Could you elaborate on generally and give me an estimate of how long
 it takes for the changes to be reloaded?

That depends on the OS.  On some older systems this can take 20 sec or so, on
all modern systems the change is almost immediately effective.

- John T.

 Thanks a bunch for your answers,
 Andrew

  Existing connections will not see the changes made, so clients that have an
  existing connection should log off and logon again.
 
  - John T.



--
John H Terpstra

Don't do as I do; Show me better! - Anonymous.


RE: [Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

2008-07-25 Thread Andrew Masterson
So I have installed MS SFU on the local domain controller, but we have a 
primary DC over at a data center - does MS SFU have to be installed on the PDC 
as well to get this all to work?  I'm a little unclear on this.
 
[EMAIL PROTECTED] ~]# wbinfo --getdcname=DNAME
PDCDOM01

which is the PDC over at the data centre, not the local DC.  Is this an issue?
 
Also: I can wbinfo -u and -g fine.  I can use -a and -K to check authentication 
of my account on the domain (both work).  I can get SIDs
 
[EMAIL PROTECTED] ~]# wbinfo -n UNAME
S-1-5-21-3188596277-436205732-2179202570-1295 User (1)

but not resolve them into UIDs.
 
[EMAIL PROTECTED] ~]# wbinfo -S S-1-5-21-3188596277-436205732-2179202570-1295
Could not convert sid S-1-5-21-3188596277-436205732-2179202570-1295 to uid

[EMAIL PROTECTED] ~]# wbinfo -Y S-1-5-21-3188596277-436205732-2179202570-1295
Could not convert sid S-1-5-21-3188596277-436205732-2179202570-1295 to gid

/var/log/samba/log.winbindd-idmap spits out the following lines after I restart 
nmbd, smbd and winbindd:
 
[2008/07/25 18:13:42, 1] nsswitch/idmap.c:idmap_init(377)
  Initializing idmap domains
[2008/07/25 18:13:42, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID

which seems consistent with not being able to map SIDs above
 
You can find a level 10 debug log here:
http://www.mediafire.com/?2h00d92gf19
 
Great mailing list you have here.
 
-=Andrew



From: Jason Gerfen [mailto:[EMAIL PROTECTED]
Sent: Wed 7/23/2008 1:18 PM
To: Andrew Masterson
Cc: samba@lists.samba.org
Subject: Re: [Samba] Trouble authenticating to Samba shares with Win 2k3 ADS



Turn up the debugging and take a look at the following schema attributes
for the user you are attempting to authenticate. It looks like some
POSIX account data may be missing.

uidNumber
gidNumber
sfuHomeDirectory
loginShell

Also turn up the debugging to 20, restart your samba server and required
services (winbind etc.) and try again. You might want to also look into
using the wbinfo --help under the SID to GID, and SID to UID mapping
functions.

If those are not working then the schema attributes or values are
missing in the AD account schema.

Andrew Masterson wrote:
 I added those lines (and changed the range to 1-2), and still
 smbclient returns the same error.

 session setup failed: NT_STATUS_LOGON_FAILURE

 I also updated the krb5.conf file as I noticed some errors (Improper
 format of Kerberos configuration file) in some of the logs.  Those
 errors are now gone, and the only idmap log file I see is
 log.winbindd-idmap and it gives:

 [EMAIL PROTECTED] etc]# more /var/log/samba/log.winbindd-idmap
 [2008/07/23 11:03:44, 1] nsswitch/idmap.c:idmap_init(377)
   Initializing idmap domains
 [2008/07/23 11:03:44, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
   Could not get unix ID

 And the second message (error) wasn't happening before.  Am I missing a
 module to provide the AD idmap backend? (although it looks like it is
 trying to do it and failing)

 New krb5.conf file

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
  default_realm = DNAME.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes

 [realms]
  DNAME.LOCAL = {
   kdc = DCONTR.DNAME.local:88
   admin_server = DCONTR.DNAME.local:749
   default_domain = DNAME.local
  }

 [domain_realm]
  .DNAME.local = DNAME.LOCAL
  DNAME.local = DNAME.LOCAL

 [appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }


 -Original Message-
 From: Jason Gerfen [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, July 23, 2008 10:58 AM
 To: Andrew Masterson
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Trouble authenticating to Samba shares with Win 2k3
 ADS

 Try using the following in your smb.conf

 client signing = yes
 client schannel = no
 client use spnego = yes
 client lanman auth = no
 client NTLMv2 auth = yes
 client plaintext auth = no

 idmap domains = DOMAIN
 idmap config DOMAIN:backend = ad
 idmap config DOMAIN:default = yes
 idmap config DOMAIN:schema_mode = rfc2307
 idmap config DOMAIN:range = 1000 - 3

 And for troubleshooting try taking a look at the
 /var/log/samba/log.idmap* logs for UID/GID to SID mapping

 Or you can use
 % wbinfo -i USER
 % wbinfo -n USER
 % wbinfo -s USER

 Hope that helps some.

RE: [Samba] User profile changes logging into domain

2008-07-24 Thread Andrew Masterson
Grab C:\Documents and Settings\USERNAME, copy it into C:\Documents
and Settings\Default User before logging onto the domain. (or blow away
the USERNAME.DOMAIN profile and re-login)

C:\Documents and Settings\USERNAME\NTUSER.DAT and 
C:\Documents and Settings\USERNAME\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

Are usually locked, and are part of the registry - so copying them over
carries over all of those impossible-to-find registry entries like
toolbars and such.  I usually use IZarc to grab everything as it ignores
file locking.

If you have stuff you don't want re-created on _all_ new users' desktops
strip it out first, or make a backup of Default User, login with the
domain account, then recreate Default User

The Microsoft tools for doing this don't work or miss things. (as
usual...)

-Andrew


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher Perry
Sent: Thursday, July 24, 2008 9:45 AM
To: samba@lists.samba.org
Subject: [Samba] User profile changes logging into domain

Hi,
We have a bunch of users that have local profiles, and when they login to
the domain they get a new profile created on their workstation.

For example, a user like c:\documents and settings\rguyton changes to
c:\documents and settings\rguyton.HMDCDOMAIN

Is there a way to get this to use the existing profile?

Also, I went into gpedit.msc and set allow local profiles only since
we're not using roaming profiles.


Thanks for any assistance.
Chris


[Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

2008-07-23 Thread Andrew Masterson
I may have a deficiency in understanding the procedure for ADS
authentication with samba, but most of the server setup works so far.  I
have bound a Red Hat Enterprise 5 server to our windows domain, it shows
up in DNS and ADS, I can ping it, but I can't get samba shares to be
accessible to users, or even get the smbclient to return shares
properly.

 

wbinfo -g returns the domain groups properly
wbinfo -u returns the domain users properly

[EMAIL PROTECTED] samba]# wbinfo -a 'DNAME\uname'%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded

[EMAIL PROTECTED] samba]# wbinfo -K 'DNAME\uname'%secret
plaintext kerberos password authentication for [DNAME\uname%secret] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

[EMAIL PROTECTED] samba]# wbinfo -t
checking the trust secret via RPC calls succeeded

So that all works fine.  smbclient chokes though:

[EMAIL PROTECTED] samba]# smbclient -L solar -U 'DNAME\uname'
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

[EMAIL PROTECTED] samba]# smbclient -L solar -U uname
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

or if I even use a samba user that I have setup with smbpasswd

[EMAIL PROTECTED] samba]# smbclient -L solar -U sambaname
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

The only log file in /var/log/samba that shows any changes is log.nmbd

[2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)
  query_name_response: Multiple (2) responses received for a query on subnet 192.168.77.244 for name DNAME1d.
  This response was from IP 192.168.77.216, reporting an IP address of 192.168.77.216.

 

Here is my smb.conf

 

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2008/07/17 09:25:15

[global]
   workgroup = DNAME
   realm = DNAME.LOCAL
   netbios aliases = solar.dname.local, solar.dname.com
   server string = Samba %v %h
   interfaces = 192.168.77.244
   security = ADS
#  security = user
   auth methods = winbind
   use kerberos keytab = Yes
   encrypt passwords = yes
   winbind enum users = Yes
   winbind enum groups = Yes
   preferred master = No
   local master = No
   domain master = No
   ldap ssl = no
   idmap domains = DNAME
   idmap uid = 1-2
   idmap gid = 1-2

[T_drive]
   writeable = yes
   valid users = sambaname,'DNAME\uname'
   public = yes
   path = /data/T_drive

 

Here is krb5.conf

 

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DNAME.LOCAL

[realms]
DNAME.LOCAL = {
   default_domain =
   kdc = nvautil01.DNAME.local:
   admin_server = nvadom01:
}

[domain_realm]
dname.local = DNAME.LOCAL

 

pam.d directory samba file

 

[EMAIL PROTECTED] samba]# more /etc/pam.d/samba
#%PAM-1.0
auth       sufficient  pam_krb5afs.so
account    sufficient  pam_krb5afs.so
auth       sufficient  pam_winbind.so
account    sufficient  pam_winbind.so
session    sufficient  pam_krb5afs.so
password   sufficient  pam_krb5afs.so
auth       required    pam_unix.so
account    required    pam_unix.so
session    sufficient  pam_winbind.so
password   sufficient  pam_winbind.so



RE: [Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

2008-07-23 Thread Andrew Masterson
I added those lines (and changed the range to 1-2), and still
smbclient returns the same error.

session setup failed: NT_STATUS_LOGON_FAILURE

I also updated the krb5.conf file as I noticed some errors (Improper
format of Kerberos configuration file) in some of the logs.  Those
errors are now gone, and the only idmap log file I see is
log.winbindd-idmap and it gives:

[EMAIL PROTECTED] etc]# more /var/log/samba/log.winbindd-idmap 
[2008/07/23 11:03:44, 1] nsswitch/idmap.c:idmap_init(377)
  Initializing idmap domains
[2008/07/23 11:03:44, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID

And the second message (error) wasn't happening before.  Am I missing a
module to provide the AD idmap backend? (although it looks like it is
trying to do it and failing)

New krb5.conf file

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DNAME.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DNAME.LOCAL = {
  kdc = DCONTR.DNAME.local:88
  admin_server = DCONTR.DNAME.local:749
  default_domain = DNAME.local
 }

[domain_realm]
 .DNAME.local = DNAME.LOCAL
 DNAME.local = DNAME.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


-Original Message-
From: Jason Gerfen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 23, 2008 10:58 AM
To: Andrew Masterson
Cc: samba@lists.samba.org
Subject: Re: [Samba] Trouble authenticating to Samba shares with Win 2k3
ADS

Try using the following in your smb.conf

client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no

idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000 - 3

And for troubleshooting try taking a look at the 
/var/log/samba/log.idmap* logs for UID/GID to SID mapping

Or you can use
% wbinfo -i USER
% wbinfo -n USER
% wbinfo -s USER

Hope that helps some.


RE: [Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

2008-07-23 Thread Andrew Masterson
Yeah, that was the most common solution I found after some digging, but
nscd isn't running and my nsswitch.conf file has winbind in the
appropriate places I think:

 

nsswitch.conf

 

passwd:     files winbind
shadow:     files
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns winbind

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

 

-Original Message-
From: Volker Lendecke [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 23, 2008 3:39 PM
To: Andrew Masterson
Cc: samba@lists.samba.org
Subject: Re: [Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

On Wed, Jul 23, 2008 at 08:36:13AM -0600, Andrew Masterson wrote:
 I may have a deficiency in understanding the procedure for ADS
 authentication with samba, but most of the server setup works so far.
 I have bound a Red Hat Enterprise 5 server to our windows domain, it
 shows up in DNS and ADS, I can ping it, but I can't get samba shares
 to be accessible to users, or even get the smbclient to return shares
 properly.

You did not list your nsswitch.conf. Did you put winbind in there (and
killed nscd?)?

Volker

 

 
