Re: [Samba] ACL strange behaviour
El Lunes, 7 de Abril de 2008, toni escribió: El Fri, 04 Apr 2008 21:04:21 +0200 Carlos Lorenzo Matés [EMAIL PROTECTED] ha escrit: Hi Toni. El Viernes, 4 de Abril de 2008, toni escribió: hi john, El Fri, 04 Apr 2008 09:12:38 -0400 John Drescher [EMAIL PROTECTED] ha escrit: On Fri, Apr 4, 2008 at 7:39 AM, toni [EMAIL PROTECTED] wrote: hi, i'm experiencing a strange behaviour when setting ACL from Windows XP clients (server is BDC with LDAP) after migrating service from SLES 9.3 to SLES 10.1: i can't set ACL to a folder to give access to individual users without allowing the group of the creator. step by step, i tried to remove group permissions (which worked fine) but, when i add permissions to other users, group permissions become effective for the group in the directory (but no in its subfolders) the correct behaviour is that i can allow access to several users without access for the group, and this was working after the migration. it could be a different ACL behaviour between SLES 9 (Samba 3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba 3.0.28-0.2-1625-SUSE-CODE10)? We had the same problems, finally we have downgrade our samba to 3.0.24 wich is SLES 10 + SP1 base version. verified, it works with 3.0.24! (SLES 10 + SP1, with codename: Samba 3.0.24-2.36-1616-SUSE-CODE10) do you know if this issue were reported to samba, i cannot find any ACL related bug in samba's bugtracker. if not i will fill a bug report. No, but i opened some bug reports with novell (i had a premium service for support), and they have not been able to solve this, i think that novell is involved in the samba development, but i dont' know if they had reported this problem to the samba devs. if you open the bug, please put the link here and i will add the information i sent to novell regarding this bug. also i think you sould report this to novell if you have a SLES Thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r.com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ACL strange behaviour
Hi Toni. El Viernes, 4 de Abril de 2008, toni escribió: hi john, El Fri, 04 Apr 2008 09:12:38 -0400 John Drescher [EMAIL PROTECTED] ha escrit: On Fri, Apr 4, 2008 at 7:39 AM, toni [EMAIL PROTECTED] wrote: hi, i'm experiencing a strange behaviour when setting ACL from Windows XP clients (server is BDC with LDAP) after migrating service from SLES 9.3 to SLES 10.1: i can't set ACL to a folder to give access to individual users without allowing the group of the creator. step by step, i tried to remove group permissions (which worked fine) but, when i add permissions to other users, group permissions become effective for the group in the directory (but no in its subfolders) the correct behaviour is that i can allow access to several users without access for the group, and this was working after the migration. it could be a different ACL behaviour between SLES 9 (Samba 3.0.20b-3.17-1297-SUSE) and SLES 10 (Samba 3.0.28-0.2-1625-SUSE-CODE10)? We had the same problems, finally we have downgrade our samba to 3.0.24 wich is SLES 10 + SP1 base version. I had tested with 3.0.25 and 3.0.28 and had problems, also with domain trust with an NT domain Greetings -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r.com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Trusted domain user login
Hi. El Jueves, 31 de Enero de 2008, Carlos Lorenzo Matés escribió: Hi. El Miércoles, 30 de Enero de 2008, Thorkil Olesen escribió: Carlos Lorenzo Matés clmates at mundo-r.com writes: Maybe you should try: wbinfo -a NTDOMAIN\\clorenzo%myrealpassword This was my first try and it says exactly the same. Well, that should work. We have the very same users groups and passwords in the NT Domain and in the samba Domain, our samba domain uses ldap for storage. It doesn't make sense to have same users in both domains. We make this because we are migrating the NT domain to a samba domain and this was the best option to make this transparent for users From samba's point of view users in different domains are not the same even though they have same username and password. They will still have different SIDs. Here is our nsswitch.conf (...) passwd: files ldap group: files ldap (...) passwd_compat: ldap winbind group_compat: ldap winbind (...) Why do you put winbind at 'passwd_compat' instead of 'passwd'? I don't know I'm going to revise this, thanks Well, teste with the winbind added behind passwd and group and now getent returns the NT Domain users and groups also, as you said. getent shadow only returns the ldap shadows btw the wbinfo -a was not working because i was only seting an \ betwen the domain name and the user name, and must be \\. Now is working regardless the nsswitch setup but the trust still does not work fine Thanks again -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] samba and Windows Terminal Server problems
Hi to all. firs of all sorry if you already have read my last two posts. Erroneously i have posted both as answers to others threads instead of oppening a new one (btw i have clicked on the mailing list address to create a new mail, but the mail client has used the same thread identifier) Now here is the real content of this post. Have anyone in the list users form a samba domain login in to a Windows terminal server with the samba domain account? can you put here the results of the set command in the cmd.exe? have you the HOMEPATH defined? Thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Trusted domain user login
Hi. El Miércoles, 30 de Enero de 2008, Jay Santillan escribió: Hello Mr. Carlos, getent returns the ldap users, groups and paswwords, should getent also return the NT domain users when they are the same? I think,This will depend on your smb.conf. if you set 'winbind enum users' and 'winbind enum groups' to yes, getent should also display the users. by default, these are set to 'no'. I already have the enum options to yes Thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Terminal Server and samba anyone?
Hi. Have anyone in the list users form a samba domain login in to a Windows terminal server with the samba domain account? can you put here the results of the set command in the cmd.exe? have you the HOMEPATH defined? Thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Trusted domain user login
Hi. El Miércoles, 30 de Enero de 2008, Thorkil Olesen escribió: Carlos Lorenzo Matés clmates at mundo-r.com writes: Maybe you should try: wbinfo -a NTDOMAIN\\clorenzo%myrealpassword This was my first try and it says exactly the same. Well, that should work. We have the very same users groups and passwords in the NT Domain and in the samba Domain, our samba domain uses ldap for storage. It doesn't make sense to have same users in both domains. We make this because we are migrating the NT domain to a samba domain and this was the best option to make this transparent for users From samba's point of view users in different domains are not the same even though they have same username and password. They will still have different SIDs. Here is our nsswitch.conf (...) passwd: files ldap group: files ldap (...) passwd_compat: ldap winbind group_compat: ldap winbind (...) Why do you put winbind at 'passwd_compat' instead of 'passwd'? I don't know I'm going to revise this, thanks getent returns the ldap users, groups and paswwords, should getent also return the NT domain users when they are the same? If you use 'DOMAIN\user' it should, eg. getent passwd NTDOMAIN\\clorenzo I don't think however that nsswitch is used by wbinfo -a so this may not be your real problem. I had a similar problem that i solved by changing to kerberos, but with NT this is not possible. I don't think I can help with this. Ok, im going to play with nsswitch to see if this changes something, also will make another try with getent with the NTDOMAIN as you said. Thanks again -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Trusted domain user login
Hi. El Martes, 29 de Enero de 2008, Thorkil Olesen escribió: Carlos Lorenzo Matés clmates at mundo-r.com writes: I have logged in the samba server as root and tried this myserver:~ # wbinfo -a clorenzo%myrealpassword plaintext password authentication failed error code was NT_STATUS_INVALID_HANDLE (0xc008) error messsage was: Invalid handle Could not authenticate user clorenzo%myrealpassword with plaintext password challenge/response password authentication failed error code was NT_STATUS_INVALID_HANDLE (0xc008) error messsage was: Invalid handle Could not authenticate user clorenzo with challenge/response Maybe you should try: wbinfo -a NTDOMAIN\\clorenzo%myrealpassword This was my first try and it says exactly the same. wbinfo -u and wbinfo -g gets right the list of users and groups from the NT domain That is a good sign! wbinfo is a great tool to examine how winbind sees the world. I spent some time on an interdomain trust to a W2k3-server, but I think my problem was different from yours. Have you set up nsswitch.conf? Can you see a user with getent? We have the very same users groups and passwords in the NT Domain and in the samba Domain, our samba domain uses ldap for storage. Here is our nsswitch.conf # This works: #passwd:ldap compat #group: ldap compat # As does this: passwd: files ldap group: files ldap hosts: files dns wins networks: files dns services: files ldap protocols: files rpc:files ethers: files netmasks: files netgroup: files ldap publickey: files bootparams: files automount: files nis ldap aliases:files ldap passwd_compat: ldap winbind group_compat: ldap winbind shadow: compat #passwd_compat: ldap #group_compat: ldap #shadow: compat getent returns the ldap users, groups and paswwords, should getent also return the NT domain users when they are the same? Thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Windows Terminal server with samba and HOMEPATH
Hi to all We have moved our users from an NT domain to a samba domain We have changed our terminal server from the NT domain to the samba domain All seems to work fine, but we have found a problem we don't have if we login in the terminal server but in the NT domain. In the terminal the system should create a windows folder under c:\documents and settings\username to store some .ini that an application need to modify for each user. In this way each user can had his own .ini copy When we had the users to log into the terminal server in the NT domain the system was working this way. Now that our users logs into the samba domain all of them share the same .ini into the c:\windows directory. We have examined the environment variables logged in the NT domain and in the SAMBA domain (both cases in a terminal server session), and here is the difference: in the NT domain: HOMEDRIVE = C: HOMEPATH = \Documents and Settings\username HOMESHARE (undefined) if i open a cmd session it starts at c:\Documents and settings\username in the Samba Domain HOMEDRIVE = C: HOMEPATH = Blank HOMESHARE = \\server\username if i open a cmd session it says that the home cannot be defined with UNC naming and it opens at C:\ this is the proble that is causing the users to don't have his own .ini files and chare the ones in c:\Windows We are using windows nt policies provided by the samba server (stored as ntconfig.pol under /var/lib/samba/netlogon). In this policies we had setup some folder redirection (for My Documents and for the Desktop). This folder redirection is working fine in both cases, logged in workstation or in a terminal server session. We have tried to fin a suitable template for terminal server to define this variable, but none seems suitable. Also examining the registry this variables seem to be defined in a volatile branch Anyone has come to this problem? How can i define this variable for each user upon login? thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Trusted domain user login
Hi. El Viernes, 25 de Enero de 2008, Thorkil Olesen escribió: Carlos Lorenzo Matés clmates at mundo-r.com writes: We are unable to estabilish a full bi directional trust between an NT domain and a smaba domain we can make the NT to trust the samba, but not in the reverse, the samba is not able to estabilish the trust with the NT Try to manually authenticate a user from the NT-domain at the samba-server using wbinfo -a If that succeeds then try to access a samba-share with that user. It will not solve the problem, but it may point out where the problem is. I have logged in the samba server as root and tried this myserver:~ # wbinfo -a clorenzo%myrealpassword plaintext password authentication failed error code was NT_STATUS_INVALID_HANDLE (0xc008) error messsage was: Invalid handle Could not authenticate user clorenzo%myrealpassword with plaintext password challenge/response password authentication failed error code was NT_STATUS_INVALID_HANDLE (0xc008) error messsage was: Invalid handle Could not authenticate user clorenzo with challenge/response And if i try logged as my user it says [EMAIL PROTECTED]:~ wbinfo -a clorenzo%myrealpassword plaintext password authentication failed error code was NT_STATUS_INVALID_HANDLE (0xc008) error messsage was: Invalid handle Could not authenticate user clorenzo%myrealpassword with plaintext password challenge/response password authentication failed error code was NT_STATUS_ACCESS_DENIED (0xc022) error messsage was: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. Could not authenticate user clorenzo with challenge/response wbinfo -u and wbinfo -g gets right the list of users and groups from the NT domain Thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Trusted domain user login
Hi. El Viernes, 25 de Enero de 2008, Thorkil Olesen escribió: Carlos Lorenzo Matés clmates at mundo-r.com writes: We are unable to estabilish a full bi directional trust between an NT domain and a smaba domain we can make the NT to trust the samba, but not in the reverse, the samba is not able to estabilish the trust with the NT Try to manually authenticate a user from the NT-domain at the samba-server using wbinfo -a If that succeeds then try to access a samba-share with that user. It will not solve the problem, but it may point out where the problem is. how? log in a shell in the samba server and use wbinfo -a from there? i'll try this on monday. Many Thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Trusted domain user login
Hi. El Viernes, 25 de Enero de 2008, Jay Santillan escribió: Greetings, We are currently experiencing logon problems with a trusted domain user(s). Example: We have DomainA and DomainB DomainA and DomainB both have workstations joined on their respective domain. DomainA and DomainB both have trust relationships. DomainA trusts DomainB and vise versa. DomainA is where being served by a Samba PDC, while DomainB has a PDC using Windows NT 4.0 Server We have a similar problem We are unable to estabilish a full bi directional trust between an NT domain and a smaba domain we can make the NT to trust the samba, but not in the reverse, the samba is not able to estabilish the trust with the NT in version 3.0.24 this make not much trouble as the system seems to work like the trust is correctly established, but in 3.0.25 through 3.0.28 does not work, and makes the samba browsing to lag continuously when we make net rpc trustdom establish NTDOMAIN ntpassword the system says that the trust could not be verified when we make net rpc trustdom list the system says trusted domains NTDOMAIN none trusting domains NTDOMAIN from the NT the trust seems to be estabilished but the reality is that the NT server is unable to browse the samba shares without entering a true samba user and password where you able to set the trust right? thanks -- Un saludo. Carlos Lorenzo Matés. clmates AT mundo-r DOT com signature.asc Description: This is a digitally signed message part. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] smbprngenpdf setup
Hi. I'm using SLES 9 what is the necessary setup for getting a working pdf generagtor. Do i need to setup only a samba printer or i need to setup a cups pinter? i've tried only with the samba setup like this [pdfs] comment = PDF creator path = /var/tmp writeable = yes create mask = 0600 printable = yes print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z but i cant connect to it locally with the smbclient command i can conect to the other cups based printers via smbclient i have also tried to install the pdf backend in cups and if i configure a cups printer with this backend, i can print locally via cups then i configure a samba printer to use this cups printer and the smbclient is unable to get any output, the job is hold in the cups queue forever any clue? Many thanks Carlo Lorenzo -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba