Re: [Samba] rsync'ing samba shares

2013-02-13 Thread Christian Rost
Hi Greg,

the answer to your question can be quite complex, depending on your needs and 
your setup. If we are sticking with file-syncing then you can use robocopy as 
well as rsync. It depends on the amount of data that needs to be synced, how 
often you want to sync, how the DCs can reach each other, ...

If you link your DCs together via a separate sync-only network, I would prefer 
rsync. That way you do not interfere with the regular network. Anyway, syncing 
by rsync/ robocopy has the drawback that it is always lagging behind. 

If both machines are in the same network consider using a distributed 
filesystem/ block device that syncs the data between the nodes on the fly.

Cheers,

Christian



Gregory Sloop wrote:

>I know this has come up a bit in the past, but consider this
>situation:
>
>Two Samba4 DCs - and I want to "mirror" the data shares to the
>"backup" DC in case we lose the primary DC and its file shares.
>
>[A cheap, dirty, poor man's semi-CTDB. How did you ever guess that Red
>Green was helping me?!]
>
>The easiest way is probably rsync'ing the data.
>
>However, will that include all the ACLs and extra data associated
>with the files? I understand that to a disk on part of the DC, it
>might not. But on the second DC, all the relevant users, AD group etc
>do all exist.
>
>So, is using rsync in such a situation reasonable/workable, or should
>we use some windows based utility - say robocopy to handle this?
>
>TIA
>-Greg
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

Dipl.-Ing. Christian Rost [T.I.S.P.]
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de

Re: [Samba] 389 Directory Server (LDAP) and SAMBA

2013-02-13 Thread Christian Rost
Hi Dorian,

samba and ldap don't need to be on the same machine, but most setups use it 
this way. In smb.conf you have to specify your passdb backend like

passdb backend = ldapsam:ldap:///

or better 

passdb backend = ldapsam:ldaps:///

to transmit the queries over TLS/ SSL. In addition to samba, you need to set up 
your OS itself to authenticate against LDAP (see nsswitch, pam).

With samba 3.x you need to add additional objectclasses and attributes to your 
ldap based user/ group profiles. See 
[http://www.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html] for more 
details. If the Windows RID and Linux UID/ GID are stored in your user/ group 
profiles, you don't need winbind and idmap. 

You only need winbind/ idmap if you're authenticating Linux against samba or a 
Windows host, but that's not what you want to do. 

## Additional Information:
http://www.samba.org/samba/docs/man/Samba3-HOWTO/
http://www.samba.org/samba/docs/man/Samba3-HOWTO/samba-bdc.html#id2566941
http://www.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2593073
http://www.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html

Cheers,

Christian
===
Dipl.-Ing. Christian Rost [T.I.S.P.]
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de


Dorian Preston <dpres...@remindermedia.com> wrote
Subject: [Samba] 389 Directory Server (LDAP) and SAMBA
Date: 12.02.2013 23:09

>I have:
>
>*389 Directory Server (v1.2) with about 100+ current and active users.
>*Separate SAMBA server that I would like to use LDAP credentials to
>authenticate with.
>
>Found guides for using LDAP credentials with SAMBA here:
>http://directory.fedoraproject.org/wiki/Howto:Samba
>http://sangacollins.wordpress.com/posts/directory-server/
>
>
>
>What I have been able to do:
>
>Added the samba schema information (61samba.ldif) into my 389 directory
>server.
>
>Used the configure.pl script to configure smbldap-tools for my 389
>Directory server.
>
>Ran smbldap-populate to add the basic Windows user setup for SAMBA. 
>
>
>Issues:
>
>It seems that all of the SAMBA/LDAP guides expect SAMBA and LDAP to be on
>the same server.
>
>Don't really understand how I am supposed to add the SAMBA schema
>information to my current LDAP users so they can be authenticated via
>SAMBA.
>
>One of the guides says a lot about enabling winbind and authconfig. Don't
>know if this is needed.
>
>
>Questions:
>
>Is there any up to date documentation for using 389 Directory Server as an
>LDAP Authentication Backend for SAMBA?
>
>Is there a process (read. I unfortunately can't just delete/add user
>accounts with SAMBA info) for adding SAMBA information into my existing
>LDAP accounts?
>
>Do I need to do anything using authconfig?
>
>
>

Re: [Samba] How can I show only the shares that user have access to in SAMBA

2012-10-10 Thread Christian Rost
Hi Simon,

as far as I know, you can't hide shares with user specific settings. It is 
implemented neither in Windows nor in Samba. The only way is to hide the share 
for all users by adding the "$" at the end of the share name - like [kmplan$].

To limit access to the share you need to set share and corresponding filesystem 
permissions.

Cheers,

Christian



simon ben wrote:

>Dear All,
>
>I have implemented samba to right now in test environment to be
>implemented in production as  samba file server
>
>so far it's working great
>
>but I have one issue
>
>i have right now one share and want only the users who have access to
>the share to see it
>and the others should not
>
>when I log into the user who has no access I see the share and when i
>double click it ask me for username and password
>
>googling around, this issue is solved by using the below in smb.conf
>file
> hide dot files = yes
>hide unreadable = yes
>in the share definition section.
>
>but it's still visible
>
>security is set as user
>
>here the part of my smb.conf
>--
>[kmplan]
>    writeable = yes
>    path = /opt/network/testplan
>    write list = @localgrp
>    revalidate = yes
>    hide unreadable = yes
>    hide dot files = yes
>    comment = masterplan testing directory
>    valid users = @localgrp
>-----
>
>is there anything i need to set in smb.conf
>appreciate your help and advice
>
>
>regards
>
>simon

-- 
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45
44534 Lünen


Fon: +49 2306 910 658
Fax:  +48 2306 910 664
URL: www.rocon-it.de

Re: [Samba] Configuration of idmap_ldap "No backend defined"

2012-04-28 Thread Christian Rost
Hi,

your security concerns are welcome.  Well I didn't use LDAP based idmap yet, 
but "multiple entries returned" could be a result of your duplicate settings 
for "idmap config" - one with the asterisk and the second with MYDOMAIN. Please 
read the docs to determine which of the entries is necessary.

Cheers,

Christian



Jon Theil Nielsen wrote:

>Hi and thanks,
>
>The base dn is not as shown. Might be some kind of paranoia...
>I changed the smb.conf as suggested. Did not change any other file. Now
>my
>log shows:
>
>[2012/04/14 20:29:36.891125,  2]
>lib/smbldap.c:1018(smbldap_open_connection)
>  smbldap_open_connection: connection opened
>[2012/04/14 20:29:36.901600,  0]
>winbindd/idmap_ldap.c:192(verify_idpool)
>  Multiple entries returned from (objectclass=sambaUnixIdPool) (base ==
>dc=example,dc=com)
>[2012/04/14 20:29:36.901919,  1]
>winbindd/idmap_ldap.c:516(idmap_ldap_db_init)
>  idmap_ldap_db_init: failed to verify ID pool (NT_STATUS_UNSUCCESSFUL)
>[2012/04/14 20:29:36.903646,  5]
>winbindd/idmap_ldap.c:421(idmap_ldap_close_destructor)
>  The connection to the LDAP server was closed
>[2012/04/14 20:29:36.904039,  1]
>winbindd/idmap.c:249(idmap_init_domain)
>  idmap initialization returned NT_STATUS_UNSUCCESSFUL
>
>Regards,
>Jon
>
>On 14 April 2012 20:14, Christian Rost 
>wrote:
>
>> Hi,
>>
>> please check your ldap configuration in your smb.conf file. At first
>> verify that your base-dn is really  "dc=example,dc=com". Then remove
>> "cn=Manager" from each option that contains "base_dn".
>>
>> As usual, make sure that your LDAP server is set up correctly and that
>> everything works fine. Then you can connect samba to your LDAP.
>>
>> Cheers,
>>
>> Christian
>>
>> Jon Theil Nielsen wrote:
>>
>> >Hi list,
>> >
>> >I can't make idmap talk to my LDAP server. And I haven't found an
>> >updated
>> >howto.
>> >
>> >Some entries from log.windbindd-imap:
>> >[2012/04/13 20:05:40.500475,  5]
>> >winbindd/idmap.c:153(smb_register_idmap)
>> >  Successfully added idmap backend 'ldap'
>> >[2012/04/13 20:05:40.501112,  5]
>> >winbindd/idmap.c:153(smb_register_idmap)
>> >  Successfully added idmap backend 'tdb'
>> >[2012/04/13 20:05:40.501318,  5]
>> >winbindd/idmap.c:153(smb_register_idmap)
>> >  Successfully added idmap backend 'passdb'
>> >[2012/04/13 20:05:40.501516,  5]
>> >winbindd/idmap.c:153(smb_register_idmap)
>> >  Successfully added idmap backend 'nss'
>> >[2012/04/13 20:05:40.540035,  2]
>> >lib/smbldap.c:1018(smbldap_open_connection)
>> >  smbldap_open_connection: connection opened
>> >[2012/04/13 20:05:40.550305,  2]
>> >passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> >  init_group_from_ldap: Entry found for group: 515
>> >[2012/04/13 20:05:40.592075,  1]
>> >winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:23.606655,  2]
>> >passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> >  init_group_from_ldap: Entry found for group: 548
>> >[2012/04/13 20:06:23.629123,  2]
>> >passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> >  init_group_from_ldap: Entry found for group: 1006
>> >[2012/04/13 20:06:23.632141,  1]
>> >winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:23.637118,  2]
>> >passdb/pdb_ldap.c:2427(init_group_from_ldap)
>> >  init_group_from_ldap: Entry found for group: 1005
>> >[2012/04/13 20:06:23.640003,  1]
>> >winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:23.653837,  1]
>> >winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:33.287504,  1]
>> >winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >[2012/04/13 20:06:33.287723,  1]
>> >winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config BUILTIN
>> >[2012/04/13 20:06:38.048645,  1]
>> >winbindd/idmap.c:288(idmap_init_named_domain)
>> >  no backend defined for idmap config MYDOMAIN
>> >
>> >Part of my smb.conf:
>> >[global]
>> >ldap admin dn = cn=Manager,dc=example,dc=com
>> 

Re: [Samba] Configuration of idmap_ldap "No backend defined"

2012-04-28 Thread Christian Rost
Hi,

please check your ldap configuration in your smb.conf file. At first verify 
that your base-dn is really  "dc=example,dc=com". Then remove "cn=Manager" from 
each option that contains "base_dn".

As usual, make sure that your LDAP server is set up correctly and that 
everything works fine. Then you can connect samba to your LDAP. 

Cheers,

Christian



Jon Theil Nielsen wrote:

>Hi list,
>
>I can't make idmap talk to my LDAP server. And I haven't found an
>updated
>howto.
>
>Some entries from log.windbindd-imap:
>[2012/04/13 20:05:40.500475,  5]
>winbindd/idmap.c:153(smb_register_idmap)
>  Successfully added idmap backend 'ldap'
>[2012/04/13 20:05:40.501112,  5]
>winbindd/idmap.c:153(smb_register_idmap)
>  Successfully added idmap backend 'tdb'
>[2012/04/13 20:05:40.501318,  5]
>winbindd/idmap.c:153(smb_register_idmap)
>  Successfully added idmap backend 'passdb'
>[2012/04/13 20:05:40.501516,  5]
>winbindd/idmap.c:153(smb_register_idmap)
>  Successfully added idmap backend 'nss'
>[2012/04/13 20:05:40.540035,  2]
>lib/smbldap.c:1018(smbldap_open_connection)
>  smbldap_open_connection: connection opened
>[2012/04/13 20:05:40.550305,  2]
>passdb/pdb_ldap.c:2427(init_group_from_ldap)
>  init_group_from_ldap: Entry found for group: 515
>[2012/04/13 20:05:40.592075,  1]
>winbindd/idmap.c:288(idmap_init_named_domain)
>  no backend defined for idmap config MYDOMAIN
>[2012/04/13 20:06:23.606655,  2]
>passdb/pdb_ldap.c:2427(init_group_from_ldap)
>  init_group_from_ldap: Entry found for group: 548
>[2012/04/13 20:06:23.629123,  2]
>passdb/pdb_ldap.c:2427(init_group_from_ldap)
>  init_group_from_ldap: Entry found for group: 1006
>[2012/04/13 20:06:23.632141,  1]
>winbindd/idmap.c:288(idmap_init_named_domain)
>  no backend defined for idmap config MYDOMAIN
>[2012/04/13 20:06:23.637118,  2]
>passdb/pdb_ldap.c:2427(init_group_from_ldap)
>  init_group_from_ldap: Entry found for group: 1005
>[2012/04/13 20:06:23.640003,  1]
>winbindd/idmap.c:288(idmap_init_named_domain)
>  no backend defined for idmap config MYDOMAIN
>[2012/04/13 20:06:23.653837,  1]
>winbindd/idmap.c:288(idmap_init_named_domain)
>  no backend defined for idmap config MYDOMAIN
>[2012/04/13 20:06:33.287504,  1]
>winbindd/idmap.c:288(idmap_init_named_domain)
>  no backend defined for idmap config MYDOMAIN
>[2012/04/13 20:06:33.287723,  1]
>winbindd/idmap.c:288(idmap_init_named_domain)
>  no backend defined for idmap config BUILTIN
>[2012/04/13 20:06:38.048645,  1]
>winbindd/idmap.c:288(idmap_init_named_domain)
>  no backend defined for idmap config MYDOMAIN
>
>Part of my smb.conf:
>[global]
>ldap admin dn = cn=Manager,dc=example,dc=com
>ldap delete dn = Yes
>ldap group suffix = ou=Groups
>ldap idmap suffix = ou=Idmap
>ldap machine suffix = ou=Computers
>ldap passwd sync = yes
>ldap suffix = dc=example,dc=com
>ldap user suffix = ou=People
>ldap debug level = 1
>idmap config *:backend = ldap
>idmap config *:readonly = no
>idmap config *:range = 1000-199
>idmap config *:ldap_url=ldap://localhost
>idmap config *:ldap_base_dn = cn=Manager,dc=example,dc=com
>idmap config MYDOMAIN:backend = ldap
>idmap config MYDOMAIN:readonly = no
>idmap config MYDOMAIN:range = 1000-199
>idmap config MYDOMAIN:ldap_url=ldap://localhost
>idmap config MYDOMAIN:ldap_base_dn = cn=Manager,dc=example,dc=com
>idmap config MYDOMAIN:ldap_user_dn =
>cn=admin,ou=Idmap,dc=example,dc=com
>
>I'm running samba 3.6.3 on FreeBSD 9.0-RELEASE and my LDAP server seems
>to
>work otherwise. At least, I can do user authentication this way.
>
>Of course, I can provide much more information from the logs and the
>configuration files. I just don't know where to start. And any help
>would
>be much appreciated.
>
>Best regards,
>Jon Theil Nielsen

-- 
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45
44534 Lünen


Fon: +49 2306 910 658
Fax:  +48 2306 910 664
URL: www.rocon-it.de
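
A small lint for the idmap settings discussed in this thread, added here as an example (it is not part of the original posts and not Samba code). It parses the [global] options quoted above and flags an inverted `range`, an `ldap_base_dn` that equals the `ldap admin dn`, and two idmap domains that point at the same LDAP URL and base DN; the overlap check on valid ranges goes beyond what the thread mentions. Function names and finding labels are made up for this example, and the sample input is the poster's configuration with the mail line wraps undone.

```python
import re
from collections import defaultdict

# smb.conf fragment taken from the thread (mail quoting and line wrap removed).
SAMPLE_SMB_CONF = """\
[global]
ldap admin dn = cn=Manager,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap idmap suffix = ou=Idmap
idmap config *:backend = ldap
idmap config *:readonly = no
idmap config *:range = 1000-199
idmap config *:ldap_url=ldap://localhost
idmap config *:ldap_base_dn = cn=Manager,dc=example,dc=com
idmap config MYDOMAIN:backend = ldap
idmap config MYDOMAIN:readonly = no
idmap config MYDOMAIN:range = 1000-199
idmap config MYDOMAIN:ldap_url=ldap://localhost
idmap config MYDOMAIN:ldap_base_dn = cn=Manager,dc=example,dc=com
idmap config MYDOMAIN:ldap_user_dn = cn=admin,ou=Idmap,dc=example,dc=com
"""

# "idmap config <DOMAIN> : <option>" with optional spaces around the colon.
IDMAP_KEY = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\S+)$", re.IGNORECASE)


def parse_global(text):
    """Return (plain_options, idmap_domains) read from the [global] section."""
    options, domains, section = {}, defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        # Split on the first "=" only: DN values contain "=" themselves.
        key, value = (part.strip() for part in line.split("=", 1))
        match = IDMAP_KEY.match(key)
        if match:
            domains[match.group(1).upper()][match.group(2).lower()] = value
        else:
            options[" ".join(key.lower().split())] = value
    return options, dict(domains)


def parse_range(value):
    """Parse 'low-high' into a tuple of ints, or None if malformed."""
    match = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    return (int(match.group(1)), int(match.group(2))) if match else None


def lint_idmap(text):
    """Return a list of (domain, finding) tuples for the idmap settings."""
    options, domains = parse_global(text)
    admin_dn = options.get("ldap admin dn", "").lower()
    findings, ranges = [], {}
    for name, cfg in sorted(domains.items()):
        if "backend" not in cfg:
            findings.append((name, "no-backend"))
        rng = parse_range(cfg.get("range", ""))
        if rng is None:
            findings.append((name, "range-missing-or-malformed"))
        elif rng[0] >= rng[1]:
            findings.append((name, "range-inverted"))      # e.g. 1000-199
        else:
            ranges[name] = rng
        base = cfg.get("ldap_base_dn", "").lower()
        if base and base == admin_dn:
            # The bind account's DN was used as the search base.
            findings.append((name, "base-dn-is-admin-dn"))
    names = sorted(domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            store_a = tuple(domains[a].get(k, "").lower()
                            for k in ("backend", "ldap_url", "ldap_base_dn"))
            store_b = tuple(domains[b].get(k, "").lower()
                            for k in ("backend", "ldap_url", "ldap_base_dn"))
            if store_a[0] == "ldap" and store_a == store_b:
                # Duplicate "*" and named-domain settings on one LDAP subtree.
                findings.append((f"{a}+{b}", "same-ldap-store"))
            if a in ranges and b in ranges and \
                    ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append((f"{a}+{b}", "range-overlap"))
    return findings


if __name__ == "__main__":
    for domain, finding in lint_idmap(SAMPLE_SMB_CONF):
        print(f"{domain}: {finding}")
```
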

Re: [Samba] Problems ldap authentication for Samba 3.5.11-2-1

2012-04-28 Thread christian . rost
Hi rlvcosta,

the official samba howto provides all the information you are looking for. IMHO 
the LDAP user profile is incomplete, because necessary attributes are missing. 

So check out the howto and search for LDAP and/ or go to the section concerning 
Domain Backup.

Cheers

Christian

Sent from my iPod

On 28.04.2012 at 04:53, rlvcosta wrote:

> Samba team,
> 
> I'm having some problems to have a client Windows XP, I believe all systems
> could have the same issue, using Ldap authentication with Samba.
> 
> This is a native OpenFiler configuration with a local LDAP server for Samba
> shares. The problem is that sharing is never authenticated where my
> suspicious is about sambaSID.
> 
> Basically I create a test user called "rlvcosta". This user was created into
> LDAP as :
> 
> dn: uid=rlvcosta,ou=People,dc=flores,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> homeDirectory: /dev/null
> loginShell: /bin/false
> cn: rlvcosta
> givenName: rlvcosta
> sn: rlvcosta
> uid: rlvcosta
> uidNumber: 500
> gidNumber: 9126
> sambaSID: S-1-5-21-1299536883-3844537390-917088389-1001
> 
> This appears to be ok. Although when I put a tcpdump trace I see:
> 
> Lightweight Directory Access Protocol
> LDAPMessage searchRequest(161) "dc=flores,dc=com" wholeSubtree
> messageID: 161
> protocolOp: searchRequest (3)
> searchRequest
> baseObject: dc=flores,dc=com
> scope: wholeSubtree (2)
> derefAliases: neverDerefAliases (0)
> sizeLimit: 0
> timeLimit: 15
> typesOnly: False
> Filter:
> (&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)(objectclass=sambaSamAccount))
> filter: and (0)
> and:
> (&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)(objectclass=sambaSamAccount))
> and: 2 items
> Filter:
> (sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)
> and item: equalityMatch (3)
> equalityMatch
> attributeDesc: sambaSID
> assertionValue:
> S-1-5-21-1299536883-3844537390-917088389-513
> Filter: (objectclass=sambaSamAccount)
> and item: equalityMatch (3)
> equalityMatch
> attributeDesc: objectclass
> assertionValue: sambaSamAccount
> attributes: 38 items
> AttributeDescription: uid
> AttributeDescription: uidNumber
> AttributeDescription: gidNumber
> AttributeDescription: homeDirectory
> AttributeDescription: sambaPwdLastSet
> AttributeDescription: sambaPwdCanChange
> AttributeDescription: sambaPwdMustChange
> AttributeDescription: sambaLogonTime
> AttributeDescription: sambaLogoffTime
> AttributeDescription: sambaKickoffTime
> AttributeDescription: cn
> AttributeDescription: sn
> AttributeDescription: displayName
> AttributeDescription: sambaHomeDrive
> AttributeDescription: sambaHomePath
> AttributeDescription: sambaLogonScript
> AttributeDescription: sambaProfilePath
> AttributeDescription: description
> AttributeDescription: sambaUserWorkstations
> AttributeDescription: sambaSID
> AttributeDescription: sambaPrimaryGroupSID
> AttributeDescription: sambaLMPassword
> AttributeDescription: sambaNTPassword
> AttributeDescription: sambaDomainName
> AttributeDescription: objectClass
> AttributeDescription: sambaAcctFlags
> AttributeDescription: sambaMungedDial
> AttributeDescription: sambaBadPasswordCount
> AttributeDescription: sambaBadPasswordTime
> AttributeDescription: sambaPasswordHistory
> AttributeDescription: modifyTimestamp
> AttributeDescription: sambaLogonHours
> AttributeDescription: modifyTimestamp
> AttributeDescription: uidNumber
> AttributeDescription: gidNumber
> AttributeDescription: homeDirectory
> AttributeDescription: loginShell
> AttributeDescription: gecos
> 
> See that by Ldap DB the rlvcosta sambaSID is supposed to be
> S-1-5-21-1299536883-3844537390-917088389-1001. But the search made from
> Samba use the suffix 513, unless 1001. Samba receives appropriately the
> request from client but looks like it doesn't map correctly the search to
> LDAP server.
> 
> I could not understand by the tcpdump trace the dynamic from Samba
> authentication with LDAP. The LDAP has the correct structure but the search
> from Samba doesn't create the correct sambaSID.
> 
> My understanding would be that Samba search the sambaSID prefix, like below,
> and then suffix with user. But not sure how it does it or if there is a bug
> in Samba.
> 
> dn: sambaDomainName=CACTO,dc=flores,dc=com
> sambaDomainName: CACTO
> sambaSID: S-1-5-21-1299536883-3844537390-917088389
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
> 
> Do you have any comments? Is there any documentation about detailed ldap
> authentication used by Samba?
> 
> In the end I can only make shares available using Public guest access, not
> controlled access.
> 
> 
> 

Re: [Samba] Synchronizing multiple samba servers

2012-04-25 Thread Christian Rost
>Is it possible to use rsync instead? i saw that there is a -u option.
>
What you need is a bidirectional file-sync. Even though it can be improvised with 
rsync, unison is the better choice. Unison is based on rsync and syncs files in 
both directions automatically, and to be on the safe side, it can be set to 
resolve conflicts manually.

Cheers,

Christian
===
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



Janantha Marasinghe <jananth...@gmail.com> wrote
Subject: Re: [Samba] Synchronizing multiple samba servers
Date: 25.04.2012 10:15

>Is it possible to use rsync instead? i saw that there is a -u option.
>
>On Tue, Apr 24, 2012 at 6:36 PM, Janantha Marasinghe
>wrote:
>
>>  Thanks a lot all . i will look into unison
>>
>>
>>
>> On 4/24/2012 1:43 PM, ciradhb.forw...@laposte.net wrote:
>>
>> Hi,
>>
>> Maybe you could have a look at Unison which is a tool like rsync but in
>> a bidirectional way.
>> http://www.cis.upenn.edu/~bcpierce/unison/index.html
>>
>> Henri
>>
>>
>>
>>
>>
>> > -Original Message-
>>
>> > From: samba-boun...@lists.samba.org
>[mailto:samba-boun...@lists.samba.org]
>> On behalf of Janantha Marasinghe
>>
>> > Sent: Tuesday, 24 April 2012 07:20
>>
>> > To: samba@lists.samba.org
>>
>> > Subject: [Samba] Synchronizing multiple samba servers
>>
>> >
>>
>> > Hi.
>>
>> >
>>
>> > I have two servers located in two different time zones. I want to know
>> if there is a way to keep the shares synchronized.  Right now
>>
>> > what i thought is to run rsync from Server A to Server B . However the
>> issue is say Server B has a new version of the file in server A and
>>
>> > that should not be overwritten but should be copied back to server A.
>> How to go about this?
>>
>> >
>>
>> > Regards
>>
>> > Janantha
>>

Re: [Samba] understanding users mapping

2011-02-03 Thread Christian Rost
Hi,

as usual there are several ways to accomplish what you're looking for. 
This is what I prefer - "netgroups and granting rights", because 

1) username map = /etc/samba/smbusers (linking users to root)
IMHO the really old style for those who don't know a better way. You shouldn't 
grant admin-rights this way. 


2) admin users = frank
Somehow better than 1) but also a short-term solution you shouldn't use. 


3) messing up with my netgroups and granting rights
IMHO it's not "messing with" but the only way to grant user-rights and  
privileges. It's more complex and you need to think about it in advance, but 
it's a proper long-term solution.

Check out the official samba-howto - chapter 15/16:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html

Cheers,

Christian
===
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



Helmut Hullen  wrote
Subject: Re: [Samba] understanding users mapping
Date: 03.02.2011 13:56

>Hello, fdelval,
>
>You wrote on 03.02.11 on the subject Re: [Samba] understanding users mapping:
>
>> now i have like 3 ways of achieving what i want.
>
>> 1) username map = /etc/samba/smbusers (linking users to root)
>
>> 2) admin users = frank
>
>> 3) messing up with my netgroups and granting rights
>
>
>> Which one should i use?
>
>I prefer "admin users" in the "smb.conf". Don't know whether it is the  
>best of all possible solutions.
>
>Best regards!
>Helmut

Re: [Samba] VPN/WAN Domain members

2010-11-25 Thread Christian Rost
Hi,

the problem you're describing is common to such setups. IMHO the following will 
help you in your setup:

1. raise the VPN timeouts
This should prevent your VPN from going offline.

2. install a PDC/ BDC in each location
Distribute domain specific information to all locations, so you 
don't rely so heavily on your VPN. The samba-howto gives you information about 
the setup (Chapter 5. Backup Domain Control -> LDAP Configuration Notes). 

For this setup you need a Linux-box in each location. Depending on the needed 
performance/ size of your locations/ ... , it can range from something like a 
"Buffalo WZR-HP-G300NH with OpenWRT"  up to a small server.


Cheers,

Christian
===
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



ray klassen  wrote
Subject: [Samba] VPN/WAN Domain members
Date: 24.11.2010 18:15

>I have about 60 PC's running windows XP behind vpn routers in different 
>locations. I find that they lose connection or sync (or whatever the right
>word 
>is) to the domain periodically, probably when the vpn shuts down due to
>low 
>demand. The result is that any domain user not already in the local
>password 
>hash cache cannot log in and any local share with domain permissions on it
>will 
>not allow a domain account access if the pc is not rebooted. Is there
>any 
>way to force windows to resync without a reboot or to make XP more fault 
>tolerant to slower connections to the samba domain?
>
>Thanks in advance. etc...
>
>
>
>  

Re: [Samba] samba to update DDNS

2010-06-15 Thread Christian Rost
>is it possible to let samba update the DNS entries in our bind DNS 
>server whenever a windows PC connects to the network ?
>
Hi,

why don't you use dhcpd and bind? That would be the right way to implement 
dynamic DNS updates (DDNS) within your network. 

Christian
===
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



Andreas Moroder  wrote
Subject: [Samba] samba to update DDNS
Date: 15.06.2010 09:59

>Hello,
>
>is it possible to let samba update the DNS entries in our bind DNS 
>server whenever a windows PC connects to the network ?
>
>Bye
>Andreas
>

Re: [Samba] question difference of roaming profile between WinXP and Win7

2010-04-03 Thread Christian Rost
Hi,

IMHO both profiles can stay within the same share, so you don't need a separate 
.v2 share. It's the same with Windows 2003 Server and a mixture of XP/ 
Vista/Seven Clients.

What you need to keep in mind is that Windows XP profiles are not compatible 
with Vista/Seven profiles - hence the ".v2" suffix and they're completely 
different profiles. When you're logging into Vista/Seven for the first time, 
your existing pre-Vista profile will be converted and will be renamed to 
.v2. Each time you're logging into Vista/ Seven the ".v2" 
profile will be updated, and each time you're logging into XP your "" 
profile will be updated.  

Cheers,

Christian

=======
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



r...@gmx.at wrote
Subject: [Samba] question difference of roaming profile between WinXP and   
Win7
Date: 03.04.2010 17:02

>Hello
>I want to add Win7 machine to my Samba PDC with WinXP clients. Google
>tells me I have to add a .V2 to my profiles. The samba log ask about a .v2
>share.
>Can someone explain me the difference of the v2 extension at the profile
>names and the roaming profile share?
>Following my settings:
>
>smb.conf:
>[global]
>logon path = \\%L\nt-profile
>logon home = \\%L\nt-profile
>
>[nt-profile]
>comment = Client Profiles
>path = /BUERO/samba/nt-profile/%u
>read only = No
>create mask = 0600
>directory mask = 0700
>
>[nt-profile.v2]
>comment = Client Profiles
>path = /BUERO/samba/nt-profile/%u
>read only = No
>create mask = 0600
>directory mask = 0700
>
>
>ls -l /BUERO/samba/nt-profile
>drwsrwsr-x 24 kira users  4096 2010-04-03 16:16 kira
>drwxr-sr-x  2 kira users  4096 2010-04-02 18:59 kira.V2
>
>These are 2 empty profiles.
>I logged on to user kira with an XP client, set the background colour to
>green and logged off. Profile kira was filled with data. Now I logged on to
>user kira with a Win7 client, the background was black. I set the
>background to yellow and logged off. The profile kira.V2 is still empty.
>Finally I logged on to kira with XP and the background was yellow. So Win7
>and XP are using the same profile, which should be if I understand "mr.
>google" right. I thought I just had to copy the roaming profiles to a
>profile with extension .V2.
>
>I found following in the samba log during Win7 logon:
>  :
>get_referred_path: |nt-profile.V2| in dfs path \testserver\nt-profile.V2
>is not a dfs root.
>  :
>Connect path is '/BUERO/samba/nt-profile/kira' for service [nt-profile.v2]
>  :
>connect to service nt-profile.v2 initially as user kira (uid=524, gid=100)
>(pid 12087)
>  :
>reduce_name [.] [/BUERO/samba/nt-profile/kira]
>  :
>
>Further, there is a reference to nt-profile.V2 (uppercase V2) and next a
>connect to nt-profile.v2 (lowercase v2). What is the difference? Finally,
>the profile kira is used and not kira.V2. Why?
>
>Can someone explain me the correct setup of samba for Win7 clients?
>
>regards robert

Re: [Samba] Desktop.ini in Startmenue

2009-11-02 Thread Christian Rost
Hi,

the desktop.ini issue can't be solved by samba. That's because the contents of 
the "Start Menu" are located in different places, like within your Windows 
profile (roaming) and the "All Users" profile (local). Because the latter is 
located on your PC, there's no way for samba to interfere. 

BTW, it's not a samba-only issue, because you will get your desktop.ini files 
in a Windows-only network, too. 

Cheers,

Christian
=======
Dipl.-Ing. Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



Daniel Spannbauer  wrote
Subject: Re: [Samba] Desktop.ini in Startmenue
Date: 02.11.2009 15:05

>
>
>Miguel Medalha wrote:
>> 
>>>
>>> Roaming Profiles are working, but I always have the desktop.ini 
>>> visible in some folders of the Windows-Startmenue.
>>> I found several hints for the dos-attributes in smb.conf, but 
>>> nothing seems to work.
>>>
>> 
>> You have " hide files = /Desktop.ini/"
>> 
>> In any Windows computer, you will find both "desktop.ini" and 
>> "Desktop.ini".
>> 
>> Linux is case-sensitive, so "desktop.ini" is not covered by your 
>> configuration.
>> 
>> I would advise you to use "hide files = /desktop.ini/Desktop.ini/".
>> That's what I am doing and it works.
>> I use it on the "global" section of "smb.conf" in order to cover all 
>> shares.
>> 
>> 
>Added the line "hide files = 
>/Desktop.ini/desktop.ini/ntuser.ini/NTUSER.*/tmp/RECYCLER/" to the 
>global-section, but this seems to have no effect. It is still visible.
>
>Regards
>
>Daniel
>
>
>-- 
>Daniel Spannbauer Software Entwicklung
>marco Systemanalyse und Entwicklung GmbH  Tel   +49 8333 9233-27 Fax -11
>Rechbergstr. 4 - 6, D 87727 Babenhausen   Mobil +49 171 4033220
>http://www.marco.de/  Email d...@marco.de
>Geschäftsführer Martin Reuter HRB 171775 Amtsgericht
>München

Re: [Samba] Samba using Server 2k3 DC for auth and ACL permissions

2009-07-27 Thread Christian Rost
>These values were set using the permissions editor in windows 
>
>The problem I have is that the permissions do nothing 
>
>If I set a user from the domain to have full control of a folder, they
>still can't access it; only users listed in the smb.conf file for that
>share have access regardless of the ACL permissions set, so I'm thinking I'm
>missing something config-wise

Hi,

it's the same as with Windows - you need two different sets of ACLs. One to 
access the share and one for the filesystem the share refers to.

If you're watching the filesystem ACLs closely, the "web/" directory is owned 
by user "root" and group "root". In addition, user "600" and group "605" have 
full and user "602" only read access. 

Do any of these IDs match your "@MY+fileserveradmin" and "@MY+Domain Users"? 
But perhaps it's only because you missed the samba-share-option "write list", 
which grants read/write access to users/groups per share. 

If it doesn't help, increase the "debug level" to 2 or 3 and check the logfiles.

Cheers, 

Christian

===
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de
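
The two layers described in the reply above, as an added example that is not part of the original message or of Samba's own code: a simplified Python model that intersects the share-level options (valid users, read only, read list, write list) with the filesystem ACL on "web/". The ACL entries are constructed from the description in the reply; the share definition, the account names and the ID-to-user mapping are assumptions, and root override, "admin users" and "force user" are not modelled.

```python
# Added example: a client gets only what BOTH the share and the filesystem allow.
# Constructed ACL for "web/": owner root:root, user 600 and group 605 full
# access, user 602 read-only. Share definition and names are hypothetical.
WEB_ACL = ["user::rwx", "user:600:rwx", "user:602:r-x", "group::r-x",
           "group:605:rwx", "mask::rwx", "other::---"]
OWNER_UID, OWNER_GID = 0, 0
SHARE = {"valid users": ["@MY+fileserveradmin", "@MY+Domain Users"],
         "read only": True, "write list": ["@MY+fileserveradmin"]}

def share_perms(share, user, groups):
    """Share-level result as a set: empty (refused), {'r'} or {'r', 'w'}."""
    def listed(key):
        return any(n == user or (n[:1] == "@" and n[1:] in groups)
                   for n in share.get(key, []))
    if share.get("valid users") and not listed("valid users"):
        return set()
    writable = not share.get("read only", True)
    if listed("read list"):
        writable = False
    if listed("write list"):  # write list wins when a user is in both lists
        writable = True
    return {"r", "w"} if writable else {"r"}

def fs_perms(acl, uid, gids):
    """POSIX ACL check order: owner, named user, groups (masked), other."""
    entries = [(t, q, set(p) - {"-"}) for t, q, p in (e.split(":") for e in acl)]
    def find(tag, qual):
        return next((p for t, q, p in entries if (t, q) == (tag, qual)), None)
    mask = find("mask", "")
    mask = {"r", "w", "x"} if mask is None else mask
    if uid == OWNER_UID:
        return find("user", "")
    if find("user", str(uid)) is not None:
        return find("user", str(uid)) & mask
    hits = [p for t, q, p in entries
            if t == "group" and (int(q) if q else OWNER_GID) in gids]
    if hits:
        return set().union(*hits) & mask
    return find("other", "")

def effective(user, uid, groups, gids):
    """Access the client actually gets: the intersection of both layers."""
    both = share_perms(SHARE, user, groups) & fs_perms(WEB_ACL, uid, gids)
    return "".join(sorted(both)) or "none"
```

A user with full control in the filesystem ACL but no share-level grant comes out as "none", which is the symptom reported in the quoted question; a user listed in "write list" whose ACL entry is read-only still ends up with "r".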



Re: [Samba] Deploying apps via policy

2009-07-20 Thread Christian Rost
>No just use Samba4, it brings server side GPO support.
>
>If you miss some config options from samba3 you really need, you can try
>compile samba with "--enable-merged-build" to enable building samba3
>+samba4.
>- samba3 then takes care of file sharing stuff
>- samba4 handles the AD stuff.
>
>see http://wiki.samba.org/index.php/Franky.
>
Well, you're right and I am looking forward to it, but is it ready for a 
production environment yet?

Cheers, Christian


=======
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



Re: [Samba] Deploying apps via policy

2009-07-20 Thread Christian Rost
>Btw having GPO in place reduces much of the "hand work" you have to do
>for client PC setup.
>
Hi,

IMHO currently the only way to deploy GPOs with Samba is by using Nitrobit 
Group Policy [http://www.nitrobit.com/].

Cheers,

Christian



===
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de


RE: [Samba] logon script

2009-06-01 Thread Christian Rost
Hi,

you don't have access to Samba variables from within your logon script. The 
most convenient way to solve this is by using the "ifmember.exe" executable 
from the Windows Server 2003 toolkit and to place it into your netlogon share - 
you need to google for ifmember.

With ifmember.exe you can test whether the user who is running the logon script 
belongs to the specified group. Use the following lines as an example and add 
them to your logon script:

<snip>
rem SERVER01 is an environment variable holding the server name;
rem it must be set before these lines run.
rem ifmember.exe returns errorlevel 1 when the user is in the named group.
\\%SERVER01%\netlogon\ifmember.exe /verbose tech
if errorlevel 1 goto TECH
:STOPTECH

\\%SERVER01%\netlogon\ifmember.exe /verbose mktg
if errorlevel 1 goto MKTG
:STOPMKTG

goto END

rem
rem TECH group
rem
:TECH
if exist k:\nul net use /delete k: /yes
if not exist k:\nul net use k: \\%SERVER01%\tech /persistent:no
goto STOPTECH

rem
rem MKTG group
rem
:MKTG
if exist l:\nul net use /delete l: /yes
if not exist l:\nul net use l: \\%SERVER01%\mktg /persistent:no
goto STOPMKTG

:END
rem This is the End of your script

<...snip...>

Cheers,

Christian

===
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



Santhosh Kumar Gulla  wrote
Subject: [Samba] logon script
Date: 31.05.2009 00:35

>Hi,
>
>I have configured a samba PDC with a logon script. The logon script includes
>dos commands to map a drive letter for different shares. One share has user
>home directory, one has common folder for all the users and other share is
>group share. For assigning a drive letter to group share I have used the
>command "net use g: \\%L\group\%G" but group share drive is not mounting for
>any of the users. I have three groups tech,mktg and sales. I want to mount
>tech share for tech group and that particular share only should be mounted
>as group share for tech group users and same for mktg and sales. Can you
>please help me out in solving this issue. Please assist me in giving correct
>parameters and path.
>
>Thank You.
>Regards,
>Santy


RE: [Samba] Samba and LDAP

2009-05-08 Thread Christian Rost
>I am trying to set up an additional domain server within  my network
>using SAMBA and LDAP.  There's a problem that I think is with LDAP.  If
>any of you have set up a system like this, I would appreciate your
>expertise.
>
What does your current setup look like? What have you already established?

>Question # 1:  My PDC, which controls the domain and SAMBA, should
>clearly use LDAP server.  Should the additional server use SAMBA server
>or client?  Workstations will sign onto the domain and then onto shares
>on both the PDC and the additional server.
>
LDAP and Samba is much like AD and Windows-Servers, only with the old Domain 
like PDC/BDC setup instead of the DC setup. By using LDAP you can share e.g. 
user, group, machine accounts between different linux/ samba servers. So you 
only have to add/change/modify the LDAP based data once and it will be 
distributed to all participating linux servers.

>Question # 2:  If I copy the / directory to a flash drive, can I just
>copy it back to the hard drive if I end up with a configuration
>impossibility?  I've had to reload the system once already because of
>LDAP configuration problems, and I'd rather not do it again.
>
>The SAMBA shares on the PDC are working fine.  But I can't share things
>on the other server unless I set up a smbpasswd set, and that's a pain.
>
Well, you copied your configuration to the second server? Did you configure 
your LDAP-server to replicate data with each other? 

You only need to back up your /etc directory, because that's where the 
configuration is stored. If you misconfigured something, you can easily go back 
to the previous state by restoring the old configuration files.

Cheers,

Christian


===
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


RE: [Samba] Samba 3.0.24 + LDAP - User Lockout not working

2009-02-13 Thread Christian Rost
Hi,

not all Samba-LDAP attributes that are listed in the Samba3-LDAP-Schema are 
working yet. IMHO the only source that mentions it clearly is the Samba HOWTO. 

Please refer to 
"http://de3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2582136"
and search for "LDAP Special Attributes for sambaSamAccounts".

Cheers,

Christian




===
Christian Rost
roCon - Informationstechnologie
Glatzer Weg 4

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de



Axel Werner  wrote
Subject: [Samba] Samba 3.0.24 + LDAP - User Lockout not working
Date: 12.02.2009 16:30

>Hi,
>
>I'm trying to set up a password policy with samba and openldap. While 
>lockout works perfectly on openldap it looks like it does not work with my 
>samba.
>
>I've set "sambaLockoutThreshold" to 3 and "sambaLockoutDuration" to -1 
>(lockout forever) within the Domain-Object in LDAP. So I expect whenever 
>a windows user does 3 false logon attempts his samba account will be 
>LOCKED forever, until reset by an admin.
>If I peek those parameters with "pdbedit -P" it will confirm my 
>configuration. So it looks fine.
>I also found the "sambaBadPasswordCount" Attribute in every User-Object 
>in the LDAP tree. Default is 0.
>Now I do several false login attempts from my windows xp workstation 
>(usually 5 attempts) and recheck that "sambaBadPasswordCount" Attribute 
>in that specific userobject. STILL showing 0 !!
>btw: the "admin" object that is configured in smb.conf has all the 
>permissions to access and write ALL attributes of any object in my DIT.
>
>Does anyone know this problem?!? I'm lost!
>
>I use Debian 4.0 with the debian packages for Samba 3.0.24 and openldap.
>
>
>
>


[Samba] Domain-member and simple read and readwrite file-permissions based on group-membership

2006-01-03 Thread Christian Rost

Hi,
I'm pretty confused about using samba as domain-member and file-server.
Assuming I have a couple of windows-users on my active directory server and
there are mainly 2 groups defined in the AD: ReadOnlyGroup and WriteOnlyGroup.
On my samba-server there is one share which should be used by both groups and
I want users in the WriteOnlyGroup to have the permission to modify/delete all
files/directories and the users in the ReadOnlyGroup to only read the
files/directories. To keep it simple I don't want any other ACLs at all.

I thought that this setup should be possible by using the read/write list -,
the force group - and the mode - feature in the smb.conf.

Now I have 2 options to connect to my PDC.
Either I use security = ADS or I use security = domain.

For the first option, as far as I know, I need to use kerberos. Because I'm
forced to use aix as platform for the samba-server and there is no
kerberos-support installed, I must use security = domain.

Running with security = domain I think at first I'm now forced to replicate
all active-directory users to unix-users on my samba-server to establish a
mapping between NT <-> Unix User ID's for the proper ownership of files on
the share's filesystem.

Now my Questions:
1)
When I have done this, there is no need to use the "net groupmap" - Feature,
because all users are mapped to Unix-Users and these Unix-Users are belonging
to primary unix-groups. The groupmap - Feature only makes sense if I run the
winbindd-daemon (on top of kerberos) and there is no complete mapping of
NT<->Unix User/Group. Is this correct?

2)
Which kind of arguments are possible to: "read list" and "write list"?
Is it correct that only unix-users and unix-groups are possible?
Is there any way to use the ReadOnlyGroup and WriteOnlyGroup from the
Active-Directory?
If only unix-groups are possible I also have to replicate the
group-memberships to the unix-system. Is this correct?
When this is correct, this is pretty painful because I have to administrate
2 userdatabases now.

3)
Is this simple setup only possible with ACLs on the filesystem and with
running winbindd?

Thank you for answers
Christian