Re: [Samba] NFS locking ...maybe?

2007-05-24 Thread Don Meyer
First off, I'll save the devs the trouble/time -- they'll say that 
re-sharing an NFS-mounted resource with Samba is not supported and is 
generally a bad idea.   (Some might even go so far as to say a 
really bad idea... ;-)


That said, I've done this successfully.  Somewhat.  It worked fine - 
until we started putting real users on the system and adding groups 
to fill out the security model.  Then we discovered the 16 
groups/user hard limit built into NFS.   That alone sunk the effort...


We saw a similar behavior -- users could not write/create new files, 
but could generally do everything else.   The failure to write/create 
manifested as a permission denied error, and not a locking error, 
however.   If you are seeing a locking error, you may have a different problem.


Cheers,
-D


At 12:07 PM 5/24/2007, Ashley M. Kirchner wrote:

   Hi folks,

   After some more trial and error, I was able to get a bit further 
in the game with the permission issues I had (previous message was 
titled 'Samba permissions...').  Now I'm able to get onto the system, 
browse and read/copy/delete files off of the shares.  What I can't 
do is put stuff on because I get a locking error.


   The setup is as follows:

   Server 1 -- exports /storage/ftpusers

   Server 2 -- NFS mounts (autofs) the above export as /mnt/ftpusers
   At the same time, it also shares that mount through samba

   Server 3 (which is a WinBox) then accesses the above share.


   What I CAN do:

   From Server 3, I can go into network places, click on the samba 
share and get on it.  I can browse everything that's on the share 
(which translates to everything that's on Server 1 in 
/storage/ftpusers/ )  I can copy files OFF of that share, and I can 
delete files off of that share.


   What I CANNOT do:

   From Server 3, I cannot PUT any files on that share.  I get an 
error message that says:


   Cannot copy testfile.txt: The process cannot access the file 
because another process has locked a portion of the file.



   I know with absolute certainty that there is no actual program 
trying to access the file on either Server 2 or Server 1, which 
leads me to believe that maybe NFS locking is having something to do with it.
Somewhere in the mounting of the NFS, or the share through samba, 
things get locked.  What I don't understand is, why can I read, 
copy, AND delete from the share, but I can't PUT anything.


   The NFS mount is done with rw, as is the Samba share.  I don't 
think it would've allowed me to delete files otherwise, but I could be wrong.


   Anyone have any ideas why I'm getting locking issues?  And which 
one is the culprit?



--
W | It's not a bug - it's an undocumented feature.
 +
 Ashley M. Kirchner mailto:[EMAIL PROTECTED]   .   303.442.6410 x130
 IT Director / SysAdmin / Websmith . 800.441.3873 x130
 Photo Craft Imaging   . 3550 Arapahoe Ave. #6
 http://www.pcraft.com . .  ..   Boulder, CO 80303, U.S.A.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Don Meyer   [EMAIL PROTECTED]
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

  They that can give up essential liberty to obtain a little 
temporary safety,
deserve neither liberty or safety. -- Benjamin Franklin, 1759 




Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3 (the sequel)

2007-05-11 Thread Don Meyer

At 07:17 AM 5/11/2007, simo wrote:

 Afterward, testing the UID mappings that should have been established
 (by 'getent passwd {username}') results in allocation of a new number.

I need to know what error you get, I have no errors in storing the IDs,
They get created in ldap for me.
Maybe you can get to the real error the server returns?

 ...
 So, the previous patch fixes TDB mode, but that particular problem
 appears to still exist under LDAP mode.

 If there is any additional info you need (or tests to run) to help
 diagnose this problem, I'd be glad to try to get it for you.

Need to know why the ldap server refuses to create the entries.
I can't repro this.



Not being able to reproduce on your end is a good sign -- the problem 
may be on my end.   I was testing with half-patched rc3 code while 
I'm away at a redhat conference.   Jerry has shown me the proper way 
to build fresh RPMs from the SVN tree with *all* the patches -- I'll 
plan on building fresh from this and also tearing down and starting 
the LDAP fresh, so I can get clean results later this 
afternoon/evening.   We'll see if that makes the difference...


Thanks,
-D




Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3 (the sequel)

2007-05-11 Thread Don Meyer

At 11:22 AM 5/11/2007, Don Meyer wrote:

At 07:17 AM 5/11/2007, simo wrote:

 Afterward, testing the UID mappings that should have been established
 (by 'getent passwd {username}') results in allocation of a new number.

I need to know what error you get, I have no errors in storing the IDs,
They get created in ldap for me.
Maybe you can get to the real error the server returns?

 ...
 So, the previous patch fixes TDB mode, but that particular problem
 appears to still exist under LDAP mode.

 If there is any additional info you need (or tests to run) to help
 diagnose this problem, I'd be glad to try to get it for you.

Need to know why the ldap server refuses to create the entries.
I can't repro this.



Not being able to reproduce on your end is a good sign -- the 
problem may be on my end.   I was testing with half-patched rc3 
code while I'm away at a redhat conference.   Jerry has shown me the 
proper way to build fresh RPMs from the SVN tree with *all* the 
patches -- I'll plan on building fresh from this and also tearing 
down and starting the LDAP fresh, so I can get clean results later 
this afternoon/evening.   We'll see if that makes the difference...


OK, this problem was definitely on my end.   I rebuilt fresh packages 
from SVN, reinstalled & reinitialized the LDAP server, and everything 
worked just fine this time.   FWIW, I think I may have mistakenly 
copied in one of the smb.conf variants that was set up for a 
master-replica LDAP system when my replica is not replicating.   I 
made sure to use the master-only variant this time, and everything is 
just fine.


Sorry for the false alarm.
-D





Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3 (the sequel)

2007-05-10 Thread Don Meyer

At 04:40 PM 5/9/2007, simo wrote:

On Fri, 2007-05-04 at 19:14 -0500, Don Meyer wrote:
 At 06:00 PM 5/4/2007, simo wrote:
 Sorry for the problem, this slipped through during recent patches to fix
 the sid checking layer violation and the idmap offline code.

 No problem.

 I may have another for you, however.   This patch enables me to
 successfully restore when using a tdb backend.  However, when using
 idmap_ldap, it seems that winbind is opening a connection to the ldap
 server and not closing it for many updates/queries.

 When I try 'net idmap restore' when using idmap_ldap, the command
 will plug away until the ldap server starts complaining "accept(8)
 failed errno=24 (Too many open files)".   netstat -aln shows around
 1000 open connections from winbind on another system. (The one
 with 3.0.25rc3+)


Found the problem, see patch for revision 22771.
Another one-liner :/

Thanks again for testing rc3 out.



Simo, you are going to think I'm picking on you, but I think we may 
have yet another problem...


The 22771 patch does fix winbindd's abuse of the ldap server -- when 
I start winbind, it opens two sessions to the ldap server.  When I 
subsequently try the 'net idmap restore' command to restore several 
thousand SID-UID/GID mappings, all the transactions flow over one of 
those TCP sessions.  However, the command throws a huge list of 
errors (thousands) that we've seen before IIRC, and we thought you 
had fixed with patch 22677:


---
Could not set mapping of UID 10392 to sid S-1-5-21-893289765-2623729106-2343379446-1290
Could not set mapping of UID 10107 to sid S-1-5-21-893289765-2623729106-2343379446-1120
Could not set mapping of UID 15937 to sid S-1-5-21-893289765-2623729106-2343379446-3005
Could not set mapping of UID 10745 to sid S-1-5-21-893289765-2623729106-2343379446-2134
Could not set mapping of UID 10476 to sid S-1-5-21-893289765-2623729106-2343379446-1311
Could not set mapping of UID 17143 to sid S-1-5-21-893289765-2623729106-2343379446-1899
Could not set mapping of UID 15891 to sid S-1-5-21-893289765-2623729106-2343379446-1880
Could not set mapping of UID 10109 to sid S-1-5-21-893289765-2623729106-2343379446-1131
Could not set mapping of UID 15912 to sid S-1-5-21-893289765-2623729106-2343379446-1853
Could not set mapping of UID 10900 to sid S-1-5-21-893289765-2623729106-2343379446-1417
Could not set mapping of UID 10708 to sid S-1-5-21-893289765-2623729106-2343379446-1369
Could not set mapping of UID 10557 to sid S-1-5-21-893289765-2623729106-2343379446-1587

...
--

The ldap.log shows an equally long list of suspect entries:

---
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7233 ADD dn=sambaSID=S-1-5-21-25438887-418410483-241655303-3099,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7233 RESULT tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7234 ADD dn=sambaSID=S-1-5-21-25438887-418410483-241655303-2867,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7234 RESULT tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7235 ADD dn=sambaSID=S-1-5-21-25438887-418410483-241655303-1279,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7235 RESULT tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7236 ADD dn=sambaSID=S-1-5-21-25438887-418410483-241655303-2435,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7236 RESULT tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7237 ADD dn=sambaSID=S-1-5-21-25438887-418410483-241655303-2893,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7237 RESULT tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7238 ADD dn=sambaSID=S-1-5-21-893289765-2623729106-2343379446-2458,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7238 RESULT tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7239 ADD dn=sambaSID=S-1-5-21-893289765-2623729106-2343379446-1417,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7239 RESULT tag=105 err=68 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7240 ADD dn=sambaSID=S-1-5-21-893289765-2623729106-2343379446-2676,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7240 RESULT tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7241 ADD dn=sambaSID=S-1-5-21-893289765-2623729106-2343379446-2401,ou=idmap,dc=aces-web
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7241 RESULT tag=105 err=0 text=

---

Afterward, testing the UID mappings that should have been established 
(by 'getent passwd {username}') results in allocation of a new number.


My first thought was that perhaps I missed the original patch for 
this problem, so I reset the smb.conf back from ldap to tdb mode
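
The ldap.log excerpt above contains one ADD answered with err=68, which RFC 4511 defines as entryAlreadyExists, among the err=0 results. The Python below is an added example (not part of the thread, and not Samba code): it pairs each slapd ADD with its RESULT by connection and operation number and reports the ones that failed with the result-code name, so a 'net idmap restore' that throws thousands of client-side errors can be matched to the server-side reason. The sample log lines are constructed in the same layout as the excerpt; their SIDs, base DN and text= messages are made up.

```python
import re
from collections import Counter

# LDAP result codes from RFC 4511 that commonly turn up under an idmap DN.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

# slapd "stats" log lines come in pairs keyed by conn= and op=:
#   ... conn=N op=M ADD dn=<dn>
#   ... conn=N op=M RESULT tag=T err=E text=<message>
ADD_RE = re.compile(r"conn=(\d+) op=(\d+) ADD dn=(\S+)")
RESULT_RE = re.compile(
    r"conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)(?: nentries=\d+)? text=(.*)")


def failed_adds(log_lines):
    """Pair every ADD with its RESULT on the same (conn, op) and return the
    failed ones as (dn, err, name, text) tuples, in log order."""
    pending = {}      # (conn, op) -> dn of an ADD still waiting for its RESULT
    failures = []
    for line in log_lines:
        m = ADD_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, text = m.groups()
        dn = pending.pop((conn, op), None)
        if dn is None:
            continue      # RESULT of a bind/search/etc., not of an ADD we tracked
        err = int(err)
        if err != 0:
            failures.append((dn, err, LDAP_RESULT_NAMES.get(err, "unknown"), text.strip()))
    return failures


def error_histogram(log_lines):
    """Count failed ADDs per result-code name. Thousands of entryAlreadyExists
    means the restore is re-adding mappings the directory already holds."""
    return Counter(name for _dn, _err, name, _text in failed_adds(log_lines))


# Constructed sample in the layout of the thread's ldap.log excerpt; the SIDs,
# the base DN and the text= messages are made up for the example.
SAMPLE_LOG = """\
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7238 ADD dn=sambaSID=S-1-5-21-1-2-3-2458,ou=idmap,dc=example
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7238 RESULT tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7239 ADD dn=sambaSID=S-1-5-21-1-2-3-1417,ou=idmap,dc=example
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7239 RESULT tag=105 err=68 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7240 ADD dn=sambaSID=S-1-5-21-1-2-3-2676,ou=idmap,dc=example
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7240 RESULT tag=105 err=50 text=no write access to parent
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7241 SRCH base="ou=idmap,dc=example" scope=2 deref=0 filter="(sambaSID=S-1-5-21-1-2-3-9)"
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7241 SEARCH RESULT tag=101 err=0 nentries=0 text=
""".splitlines()

if __name__ == "__main__":
    for dn, err, name, text in failed_adds(SAMPLE_LOG):
        print(f"err={err} ({name}): {dn} {text}".rstrip())
    print(dict(error_histogram(SAMPLE_LOG)))
```

Run it against a real ldap.log with `failed_adds(open("/var/log/ldap.log").read().splitlines())`; slapd only emits these lines when its loglevel includes stats.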

[Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3

2007-05-04 Thread Don Meyer

Folks,

Maybe it's me, or my systems, but I've found that idmap restore 
simply doesn't work under samba-3.0.25rc3.


When I try to import the idmap.dump file I create from one of my 
older systems into a fresh 3.0.25rc3 installation, I get a huge 
stream of errors along the line of "could not set mapping of 
(UID|GID) to sid x".   This happened whether I was using 
idmap_tdb or idmap_ldap.   The same idmap.dump file restores 
successfully on my other 3.0.23 & 3.0.24 systems.


I went further and used getent passwd to populate the system's 
idmap from the AD (while using idmap_tdb, BTW), and then ran the 'net 
idmap dump' command, which generated a file that looked fairly 
identical in structure to the idmap.dump file I got from the previous 
version.   Following this, I tried to 'net idmap restore' the idmap 
dump file I had just created, and received the same long string of 
errors.   Thus, I suspect there is something not quite right in the 
'net idmap restore' functionality...


Cheers,
-D




Re: [Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3

2007-05-04 Thread Don Meyer

At 06:00 PM 5/4/2007, simo wrote:

Sorry for the problem, this slipped through during recent patches to fix
the sid checking layer violation and the idmap offline code.



No problem.

I may have another for you, however.   This patch enables me to 
successfully restore when using a tdb backend.  However, when using 
idmap_ldap, it seems that winbind is opening a connection to the ldap 
server and not closing it for many updates/queries.


When I try 'net idmap restore' when using idmap_ldap, the command 
will plug away until the ldap server starts complaining "accept(8) 
failed errno=24 (Too many open files)".   netstat -aln shows around 
1000 open connections from winbind on another system. (The one with 3.0.25rc3+)


When watching netstat on the ldap server system, each query to 
winbind that one would expect it to talk to the ldap server generates 
a new TCP session which hangs around until winbind is 
restarted.  (Granted, I have not waited more than 10 minutes yet, but 
this seems a bit extreme...)   For instance, after winbindd restart, 
the first 'getent passwd user1' request opens a session.   Running 
that command again does not.  (Cached)  Running 'getent passwd user2' 
opens another session, etc.  This occurs whether the UID is already 
present, or if it needs to be added new.


If you need more information on any of this, just let me know.   It 
seems so close... ;-)


Cheers,
-D




Re: [Samba] Group permission problems with winbind NFS

2007-05-03 Thread Don Meyer

At 08:30 AM 5/3/2007, simo wrote:

On Mon, 2007-04-30 at 23:35 -0500, Don Meyer wrote:
[..]
 This system NFS mounts the remote file storage resource on a backend
 RHEL4 server.   The public facing web frontends also mount these same
 resources.   Here is where things get hinky -- some users can write
 to the directories on the NFS mount, and some cannot.   If the
 directory in question is owned by the user, then no problems
 writing.   If not, but the directory's owning group contains the user
 as a member, then only sometimes can the user add/change/remove files
 in the directory.

First, re-exporting NFS mounts via samba is really not a good practice,
and we usually discourage it completely.


Sorry, I wasn't clear enough to avoid the assumption:  This is not a 
samba resource writing issue -- not a samba re-exporting an NFS 
mount.   The writing I am referring to are file operations within 
an ssh shell or sftp session to the NFS mounted resource.  In this 
instance, winbind is the only real operative function of the samba 
installation, in that it instantiates the AD-based users and groups.



 I also thought it might have something to do with nested groups, but
 even simple groups with only users as members exhibit the failure
 over NFS.   I have had the thought that it could be the length of
 some of the groupnames, as some of them are pretty long:  the longest
 is 64 bytes.  The one I did most testing with is only 10 bytes 
long, however.


The NFS protocol limits the number of groups per user to 16 and truncate
all others, so you are not really able to tell the server you are in
group #17 or #18 and so on. I am 99.9% sure this is the problem you are
experiencing.

That's why approximately you can have it working with older groups as
they are probably just reported first and result in the first 16.


Ouch!   I thought the 16 group problem was a problem with older Sun 
NFS only, and that the modern implementations had done away with 
this.   (Or at least raised the bar...)


I guess I need to consider re-architecting with a different network 
file system that doesn't have these ... limitations...


Thanks much for the info and theory/diagnosis.   I'll see if I can 
verify that as the root cause...


-D


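The 16-group truncation Simo describes in the message above can be checked before it bites. The Python below is an added example (not part of the thread, and not Samba code): it builds each user's group list from passwd/group-style data in the order initgroups() would see it (primary group first, then the group source's order), keeps only the first 16 as an AUTH_SYS credential does, and explains for a given directory group why access works for some members and fails for others. The passwd/group entries are constructed; the limit of 16 is the value stated in the thread.

```python
# AUTH_SYS, the classic NFS credential flavour, carries at most this many group
# IDs; the client silently drops the rest. 16 is the value stated in the thread.
NFS_AUTH_SYS_MAX_GROUPS = 16


def user_groups(passwd_text, group_text):
    """Build {user: [group names]} the way initgroups() would: primary group first,
    then supplementary groups in the order the group source lists them."""
    primary = {}
    for line in passwd_text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, _uid, gid, *_rest = line.split(":")
            primary[name] = gid
    gid_to_name = {}
    supplementary = {user: [] for user in primary}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        gname, _pw, gid, member_list = line.split(":")
        gid_to_name[gid] = gname
        for member in filter(None, member_list.split(",")):
            if member in supplementary and gname not in supplementary[member]:
                supplementary[member].append(gname)
    groups = {}
    for user, gid in primary.items():
        pg = gid_to_name.get(gid, gid)
        groups[user] = [pg] + [g for g in supplementary[user] if g != pg]
    return groups


def nfs_visible_groups(groups, limit=NFS_AUTH_SYS_MAX_GROUPS):
    """(sent, dropped): the first `limit` groups travel in the AUTH_SYS credential,
    the remainder never reach the server."""
    return list(groups[:limit]), list(groups[limit:])


def explain_access(groups, dir_group):
    """Why group-based access to a directory owned by dir_group works or not."""
    sent, dropped = nfs_visible_groups(groups)
    if dir_group in sent:
        return "ok"
    if dir_group in dropped:
        return (f"denied: member, but group is #{groups.index(dir_group) + 1} "
                f"and only the first {NFS_AUTH_SYS_MAX_GROUPS} are sent")
    return "denied: not a member"


def audit(passwd_text, group_text, dir_group):
    """Verdict per user; a mix of ok/denied among members of dir_group is the
    'sometimes works' symptom from the thread."""
    return {user: explain_access(g, dir_group)
            for user, g in user_groups(passwd_text, group_text).items()}


# Constructed sample: alice ends up in 22 groups, bob in 3.
SAMPLE_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
"""
SAMPLE_GROUP = "staff:x:100:\nweb:x:101:alice,bob\n" + "".join(
    f"proj{i}:x:{200 + i}:alice{',bob' if i == 1 else ''}\n" for i in range(20))

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_PASSWD, SAMPLE_GROUP, "proj15").items():
        print(f"{user}: {verdict}")
```

On a winbind-backed host the real order comes from whatever NSS returns, so which groups fall off the end is not something the admin controls; that is why newer groups tend to be the ones that fail.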


[Samba] Problem with Samba-3.0.25rc3 idmap_ldap (winbind dumps core)

2007-05-01 Thread Don Meyer
, to set the 
ldap_user_dn password for each defined domain, and for the idmap 
alloc config side, you use the following commands:


net idmap secret DOMAIN secret
net idmap secret alloc secret


(Note:  A little pointer dropped in the man page for idmap_ldap would 
have been quite helpful here...)



Both of these were successful for me, so I went directly to 
restarting winbindd and retesting.   Sure enough, we have another 
core dump as I issue the first getent passwd {user} command.


The log excerpt from log.winbindd-idmap follows:

[2007/05/01 02:02:47, 1] nsswitch/idmap.c:idmap_init(343)
  Initializing idmap domains
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(41)
  ===
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 10031 (3.0.25rc3)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(44)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/05/01 02:02:47, 0] lib/fault.c:fault_report(45)
  ===
[2007/05/01 02:02:47, 0] lib/util.c:smb_panic(1620)
  PANIC (pid 10031): internal error
[2007/05/01 02:02:47, 0] lib/util.c:log_stack_trace(1724)
  BACKTRACE: 20 stack frames:
   #0 winbindd(log_stack_trace+0x2d) [0xc9dc82]
   #1 winbindd(smb_panic+0x56) [0xc9dd89]
   #2 winbindd [0xc8a4e5]
   #3 /lib/tls/libc.so.6 [0x99f898]
   #4 winbindd [0xdbda8c]
   #5 winbindd(idmap_init+0xecc) [0xdb8078]
   #6 winbindd(idmap_sids_to_unixids+0x29) [0xdb9a78]
   #7 winbindd(idmap_sid_to_uid+0x68) [0xdbcda6]
   #8 winbindd(winbindd_dual_sid2uid+0x12b) [0xc3ee2b]
   #9 winbindd [0xc3d15d]
   #10 winbindd [0xc3deb9]
   #11 winbindd(winbindd_sid2uid_async+0x7d) [0xc3ecf6]
   #12 winbindd [0xc12de5]
   #13 winbindd [0xc41f3f]
   #14 winbindd [0xc3de07]
   #15 winbindd [0xc3d852]
   #16 winbindd [0xc1089c]
   #17 winbindd(main+0x779) [0xc11d24]
   #18 /lib/tls/libc.so.6(__libc_start_main+0xd3) [0x98cde3]
   #19 winbindd [0xc10351]
[2007/05/01 02:02:47, 0] lib/fault.c:dump_core(181)
  dumping core in /var/log/samba/cores/winbindd



I'm having trouble tracing this beyond the idmap_init function in 
nsswitch/idmap.c.



If this points to a problem in samba, I hope this helps.   On the 
other hand, if this is a problem in my setup, any pointers in the 
direction of fixing it would be greatly appreciated.


-D


Config details:

smb.conf:  (output from testparm)
---
[global]
workgroup = ACES
realm = COLLEGE.ACESNET.UIUC.EDU
netbios name = ACES-BETA-MAINT
server string = %L (Samba v%v)
security = ADS
obey pam restrictions = Yes
password server = college.acesnet.uiuc.edu
username map = /etc/samba/smbusers
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/%m.log
max log size = 0
name resolve order = host lmhosts wins bcast
deadtime = 15
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
wins server = 128.174.5.30, 128.174.5.31
# the following line was added to satisfy smbpasswd...
ldap admin dn = cn=sambaadmin,dc=aces-web
idmap domains = ALLDOMAINS
idmap alloc backend = ldap
idmap uid = 1-1
idmap gid = 1-1
template shell = /bin/bash
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap alloc config:range = 1-1
idmap alloc config:ldap_url = ldap://ldap-master.aces-web:389/
idmap alloc config:ldap_user_dn = cn=sambaadmin,dc=aces-web
idmap alloc config:ldap_base_dn = ou=idmap,dc=aces-web
idmap config ALLDOMAINS:range = 1-1
idmap config ALLDOMAINS:ldap_url = ldap://localhost:389/
idmap config ALLDOMAINS:ldap_user_dn = cn=sambaadmin,dc=aces-web
idmap config ALLDOMAINS:ldap_base_dn = ou=idmap,dc=aces-web
idmap config ALLDOMAINS:backend = ldap
idmap config ALLDOMAINS:default = yes
create mask = 0664
directory mask = 02775
inherit permissions = Yes
inherit acls = Yes

case sensitive = No
---





Re: [Samba] Joining an 2003 AD

2007-04-30 Thread Don Meyer

At 04:39 PM 4/30/2007, Aaron Kincer wrote:
You must make sure that the hostname set in /etc/hostname and what 
you have for your server string are exactly the same. At least 
that's how I fixed it. On Edgy 6.10/Samba 3.0.22, I didn't have to do this.


This behavior was introduced at the 3.0.23c level, IIRC.   (maybe 
3.0.23b?)   That explains the version differences you are seeing.


The gotcha is that I get this failure despite attempting the 'net ads 
join' with Domain Admin credentials...(Even up through 3.0.25rc3)


-D





RE: [Samba] Joining an 2003 AD

2007-04-30 Thread Don Meyer
No, on systems that I have attempted to override this error and join 
the domain with the system's given name, I have been unable to do so 
with the Domain Admin credentials that the error states is required 
for success.


My current domain join workaround for a rebuild/new system is to 
install the 3.0.23-6 packages,  run the 'net ads join', then 
immediately update to current version.


-D

At 10:31 PM 4/30/2007, Kemp, Levi wrote:

 Don, are you saying that despite putting in both you still get this error?

--
At 04:39 PM 4/30/2007, Aaron Kincer wrote:
You must make sure that the hostname set in /etc/hostname and what
you have for your server string are exactly the same. At least
that's how I fixed it. On Edgy 6.10/Samba 3.0.22, I didn't have to do this.

...
The gotcha is that I get this failure despite attempting the 'net ads
join' with Domain Admin credentials...(Even up through 3.0.25rc3)




[Samba] Group permission problems with winbind NFS

2007-04-30 Thread Don Meyer
 = No
-


krb5.conf:
-
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = COLLEGE.ACESNET.UIUC.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 COLLEGE.ACESNET.UIUC.EDU = {
  kdc = college.acesnet.uiuc.edu:88
  admin_server = college.acesnet.uiuc.edu:749
  default_domain = college.acesnet.uiuc.edu
 }

 ACESNET.UIUC.EDU = {
  kdc = acesnet.uiuc.edu:88
  admin_server = acesnet.uiuc.edu:749
  default_domain = acesnet.uiuc.edu
 }

 AD.UIUC.EDU = {
  kdc = ad.uiuc.edu
  admin_server = ad.uiuc.edu
  default_domain = ad.uiuc.edu
 }

 EXTENSION.UIUC.EDU = {
  kdc = extension.uiuc.edu
  admin_server = extension.uiuc.edu
  default_domain = extension.uiuc.edu
 }

[domain_realm]
 .college.acesnet.uiuc.edu = COLLEGE.ACESNET.UIUC.EDU
 college.acesnet.uiuc.edu = COLLEGE.ACESNET.UIUC.EDU
 .acesnet.uiuc.edu = ACESNET.UIUC.EDU
 acesnet.uiuc.edu = ACESNET.UIUC.EDU
.ad.uiuc.edu=AD.UIUC.EDU
ad.uiuc.edu=AD.UIUC.EDU
 .extension.uiuc.edu = EXTENSION.UIUC.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
-

nsswitch.conf:
-
...
passwd: files winbind
shadow: files winbind
group:  files winbind
...
-


Any insights that anyone can offer will be extremely welcome.

(Frankly, even just hearing that someone else is seeing a similar 
problem would be welcome at this point... ;-)



Thanks,
-D






Re: [Samba] Samba-3.0.23c kernel lock problems with new Redhat kernel 2.6.9-42.0.8

2007-02-02 Thread Don Meyer

Olm,

What are the details (OS/type, etc.) of the NFS server that you are 
mounting these resources from?   Is it possible that you are mounting 
an older 32 bit NFS service from a system that is evidently 64 bit capable?


-D

At 09:45 AM 2/2/2007, Ole Holm Nielsen wrote:

We run samba-3.0.23c on some Redhat RHEL4 servers, and Samba used to work
like a charm.  But then a couple of days ago we upgraded the kernel
on the Samba servers to kernel-smp-2.6.9-42.0.8.EL.  All of a sudden
our Windows users could not use Microsoft Office with files on the
Samba shares :-(

Our filesystems are actually NFS-mounted by the Samba server from
another server, and the Samba server showed these log entries:

...

With the previous kernel kernel-smp-2.6.9-42.0.3.EL there were no
such problems !  The Redhat kernel Release Notes
   https://rhn.redhat.com/errata/RHSA-2007-0014.html
do not mention any changes that seem to be related to Samba or NFS or locking.

Fortunately I found this article
   http://lists.samba.org/archive/samba/2006-October/126638.html
where Jeremy recommends to use posix locking = no, and indeed
this fixes the problem !

Hopefully these observations can help others, but a real solution
to the problem would be most welcome !

--
Ole Holm Nielsen
Department of Physics, Technical University of Denmark




RE: [Samba] AD integration checklist

2006-12-09 Thread Don Meyer


At 07:58 PM 12/8/2006, simo wrote:

 The one slight hiccup I am seeing is for console logins:   locally
 defined users can log onto the console successfully --  if they use
 there AD password, they are accepted on the first password prompt.

 However, if they use their locally defined password (shadow) at the
 console, then they are subjected to a second password prompt each time
 -- and it doesn't matter whether they enter the local password
 correctly on the first prompt, it only matters on the second one.   Is
 there something about my placement/ordering above that might be
 causing this?

put the option use_first_pass on the second module in the stack, so that
it doesn't ask for a new password, but try with the one provided to the
first module.


Bingo!  That did the trick.

To be specific for others running across this problem, the option 
use_first_pass needs to be added to the second (and any subsequent) 
modules in the auth stack.  (Excluding the pam_env module...)


E.g.:
auth    required     /lib/security/$ISA/pam_env.so
auth    sufficient   /lib/security/$ISA/pam_winbind.so
auth    sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth    required     /lib/security/$ISA/pam_deny.so


Cheers,
-D


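To catch the double-prompt described above in other PAM stacks before users do, here is an added Python lint (not from the thread, and not Samba or Linux-PAM code). It parses the auth lines of an /etc/pam.d-style file and reports every password-collecting module after the first one that lacks use_first_pass or try_first_pass, since each such module will prompt again. The set of modules it treats as non-prompting and the two sample stacks are constructed for the example.

```python
# Modules that never collect a password themselves, so they need no
# use_first_pass. (Constructed list for the example; extend as needed.)
NON_PASSWORD_MODULES = {"pam_env.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so"}
FIRST_PASS_OPTIONS = {"use_first_pass", "try_first_pass"}


def parse_auth_stack(text):
    """Parse /etc/pam.d-style lines and keep only the 'auth' type as
    (control, module basename, [options]) tuples in stack order.
    Comments and blank lines are skipped; bracketed [...] controls are not handled."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        control, module, *options = parts[1:]
        stack.append((control, module.rsplit("/", 1)[-1], options))
    return stack


def modules_that_reprompt(text):
    """Names of password-collecting auth modules, after the first such module,
    that lack use_first_pass/try_first_pass; each of them asks for the password again."""
    seen_first = False
    offenders = []
    for _control, module, options in parse_auth_stack(text):
        if module in NON_PASSWORD_MODULES:
            continue
        if seen_first and not (FIRST_PASS_OPTIONS & set(options)):
            offenders.append(module)
        seen_first = True
    return offenders


# Constructed sample stacks in the style of the one shown in the thread.
BROKEN_STACK = """\
auth    required     /lib/security/$ISA/pam_env.so
auth    sufficient   /lib/security/$ISA/pam_winbind.so
auth    sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok
auth    required     /lib/security/$ISA/pam_deny.so
"""

FIXED_STACK = """\
auth    required     /lib/security/$ISA/pam_env.so
auth    sufficient   /lib/security/$ISA/pam_winbind.so
auth    sufficient   /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth    required     /lib/security/$ISA/pam_deny.so
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_STACK), ("fixed", FIXED_STACK)):
        print(f"{label}: re-prompting modules = {modules_that_reprompt(text)}")
```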


RE: [Samba] AD integration checklist

2006-12-08 Thread Don Meyer

At 12:05 PM 12/8/2006, James A. Dinkel wrote:

 -Original Message-
 From: Simon Renshaw
 Sent: Friday, December 08, 2006 10:13 AM

 Hi,

 I compiled Samba 3.0.23d on a CentOS 4.4 machine. Then I configured
 /etc/krb5.conf for my domain. Was able to successfully run kinit and
 join my Windows 2003 domain with a net ads join. Net ads user and net
 ads group returns the users and the groups of the domain.

 I'm kinda stuck on the next step. I would like to grant access to the
 share defined in smb.conf to anybody in the domain. How do I make it
 authenticate users on the domain instead of using the server?
 ...

You need this in your global section:

idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes

And this in your share section:

valid users = @BENCHCAN\domain users

Although this will give all your users access to / which doesn't seem
like a good idea, but I assume this is just for testing.



Don't forget the necessary modifications to nsswitch.conf:

passwd: files winbind
shadow: files winbind
group:  files winbind


Cheers,
-Don




Re: [Samba] Windows Vista RC2 can't delete Samba Directories

2006-10-23 Thread Don Meyer

At 05:27 PM 10/23/2006, Greg J. Zartman wrote:

First, can you try 3.0.23c? If that does not work either,


I'm running RHEL 4. Given that the RH team backports critical 
patches without changing package numbers, it's difficult to know 
what I'm working with.


I see in the Samba-Technical list that you added something to the 
source tree that might be related to this.  Can you send me the 
patch?  I should be able to patch the packages I have here and give 
it another shot.  Otherwise, I may be able to setup another machine 
running Fedora and see how Vista interacts with it running the current Samba.


The old version that RedHat is stringing along in RHEL4 is so far back 
as to be nearly useless for comparison.  I've been running current 
code on RHEL 4 for over a year now.


The 3.0.23c tarball has a makerpms.sh script (under 
packaging/RHEL/, IIRC...) that will build RPMs that RHEL4 is quite 
happy with, and can be installed over the top of the stock RHEL4 packages.


The one caveat is that you may want to disable SELinux for SAMBA, as 
the new versions move the cache dir from /var/cache/samba/ to 
/var/lib/samba/, and don't (re)set the SELinux labels when creating 
this new directory.   Mostly, this affects winbindd.  I'd post the 
instructions on how to do this, but I'm away from the office on 
vacation right now, and don't have those notes handy.   You should be 
able to find them in past posts easily enough by searching the samba 
list archives for SELinux.


Cheers,
-D





Re: [Samba] restrict ssh login by Win2K AD group SOLVED!

2006-09-19 Thread Don Meyer

At 02:19 PM 9/19/2006, Matt Herzog wrote:

It is that simple. Of course I'd like to have more than one group be able to
login so I'll dig into that presently.


Create an AD group specifically for restricting ssh access -- "ssh 
access" or some such name.


Then add the multiple AD groups to this group.   Winbind should do 
the magic beyond this point.


Adjust your pam_succeed_if.so line for this new gid once it 
propagates through winbind, and you should be all set...


Cheers,
-D






Re: [Samba] Rev #2 of the 3.02.3c patch

2006-08-31 Thread Don Meyer

Jerry,

In the future, when doing these pre-release tests, would it make 
sense to adjust the Release tags in the RPM packaging sections to 
reflect an ordered but prerelease nature of the builds?


For instance, the first patch set built 3.0.23c-1 rpms.   The 
second patch set also builds 3.0.23c-1 rpms.  These aren't seen as 
updates, and would have to be force-installed.


I manually adjusted the Release tag in the SPEC file from 1 to 2, 
to build 3.0.23c-2 rpms, which will then update cleanly.   When the 
release tarball comes out, you'll probably still have the RPM Release 
tags still at 1, and then I'll have to adjust the SPEC's Release: tag to 3.


May I suggest adjusting the Release tags in the SPEC files upward for 
each successive patch/release? One could (I think) even adopt a 
strategy of using Release values of 0.1, 0.2, etc. for prerelease 
patches/tests/etc., and then jumping to 1 for the actual release versions.


Cheers,
-D


At 01:38 PM 8/30/2006, Gerald (Jerry) Carter wrote:


Folks,

I've uploaded the *final* 3.0.23c roll up patch to
http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-2.diffs.gz.
I've already cut the 3.0.23c tarballs so unless there is
a major problem, this will be the final change set.

Please report *any* bugs that you find.  I'd like to wrap
this one up and do the public 3.0.23c release on Friday.



cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Don Meyer
Well, I didn't see the last bit you describe, but I don't run RFC2307 
(yet).  We were bit by very similar behavior when moving from 3.0.22 to 
the 3.0.23 RC's.  Turns out that the use-default-domain option is not 
being universally applied to groups in 3.0.23.   As soon as I changed 
my valid users = +group statements to the format = +domain\group, 
then this problem was fixed for us.   Maybe it will do the trick for you...


Cheers,
-D


At 07:41 AM 7/18/2006, Howard Wilkinson wrote:
I have managed to isolate where the problem is, now I need to work 
out what the problem is?


I have a group

cohtech:*:16777225:lesley,howard,ecbull

in which I am a member - howard.

I have a

valid users = +cohtech

entry in smb.conf for the share I am trying to connect to, I get the 
following reported in the machine.log file -


zebra.log:  string_to_sid: Sid +cohtech does not start with 'S-'.

and the users get rejected. If I declare the user directly then 
access is allowed.


This server gets its group database from the AD controllers via RFC2307.

Anybody know why group expansion may be broken in 3.0.23?




Re: [Samba] Problem with 3.0.23 upgrade from 3.0.22 with rfc2307 patch

2006-07-18 Thread Don Meyer
Yes, I'm pretty sure Jerry Carter does.  ([EMAIL PROTECTED])   He's 
posted that he expects a patch for this to be included in the 3.0.23a 
release -- due sometime real soon now... ;-)


Cheers,
-D

At 12:03 PM 7/18/2006, Howard Wilkinson wrote:

you are a genius, this fixed it! Anybody know why?

Howard.

Don Meyer wrote:
Well, I didn't see the last bit you describe, but I don't run 
RFC2307 (yet).  We were bit by very similar behavior when moving from 
3.0.22 to the 3.0.23 RC's.  Turns out that the use-default-domain 
option is not being universally applied to groups in 3.0.23.   As 
soon as I changed my valid users = +group statements to the 
format = +domain\group, then this problem was fixed for 
us.   Maybe it will do the trick for you...




RE: [Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

2006-07-14 Thread Don Meyer

At 05:15 AM 7/14/2006, Alex de Vaal wrote:

 b) The smbd and nmbd services run fine under the standard RHEL4
 selinux-policy-targeted ruleset.   However, winbindd rules aren't in
 this set, and will fail if SELinux is enabled/enforcing.  If you
 are running winbindd, (which you probably are in ads mode) you can deal
with this problem in a number of ways:
...
 This will load some additional rules that will allow winbindd to run
 without any (significant) AVC errors.   This should only need to be done
once.

Running winbindd failed indeed in the first instance on RHEL4 because of
SELinux. In SELinux there is however a winbind_disable_trans boolean (in
the file: /etc/selinux/targeted/booleans), which is default 0. If you change
this to 1 and reboot the server, winbind will run smoothly on RHEL4.



Thanks Alex, this is the trick to disabling enforcement for a 
particular daemon/subsystem.   There are a number of *_disable_trans 
boolean variables that essentially disable enforcement for the 
corresponding subsystem.


When set to active (1), the boolean flag disables the context 
transition from the root state to the specific context.   Since the 
base/root state has essentially unlimited access under the selinux 
targeted policy, the errors aren't generated and the blocks aren't 
enforced.  Of course, this means the protections are disabled as 
well, but just for the winbind subsystem...


Personally, I prefer to have the protections in place and will 
continue to augment the rules as necessary.   Fortunately, the 
additional set of rules I've needed to add have been relatively 
stable over the past few builds.


However, the winbind_disable_trans method is certainly much 
simpler.   And would be recommended for those not worried about the 
security through the winbind service.


BTW, the command to change this without editing a file is:

setsebool -P winbind_disable_trans 1


Jerry, any thoughts on including this in the RHEL 
packaging?   Perhaps the following logic flow:


if SELinux is active and enforcing,
if selinux-policy-targeted-sources package is not installed,
if getsebool winbind_disable_trans = 0
then setsebool -P winbind_disable_trans 1

This could alleviate a whole lot of winbind problems for people 
installing RHEL-based packages, and as long as it is documented 
somewhere, is trivial/easy to undo for someone who wants to modify 
their SELinux config later.


This also reminds me that I've been wanting to write up a similar 
patch to handle the selinux chcons for the /var/cache/samba/ -- 
/var/lib/samba/ transition... ;-)



Cheers,
-D

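The logic flow proposed above, written out as an added example (not code from the list post or from the Samba packaging). The decision is kept in a pure function so it can be exercised without SELinux present; the probe wrappers are assumptions about the real tools, in particular the wording of getsebool's output.

```shell
#!/bin/sh
# decide_winbind_trans ENFORCE SOURCES_INSTALLED CURRENT_VALUE
#   ENFORCE           output of getenforce: Enforcing, Permissive or Disabled
#   SOURCES_INSTALLED 1 if selinux-policy-targeted-sources is installed, else 0
#   CURRENT_VALUE     current winbind_disable_trans value: 0 or 1
# Prints "set" when the boolean should be switched on, else "skip:<reason>".
decide_winbind_trans() {
    case "$1" in
        Enforcing) ;;
        *) echo "skip:not-enforcing"; return 0 ;;
    esac
    # Policy sources present: the admin can add proper winbind rules
    # (the winbind_add.te route) instead of turning the confinement off.
    [ "$2" = "0" ] || { echo "skip:policy-sources-installed"; return 0; }
    [ "$3" = "0" ] || { echo "skip:already-set"; return 0; }
    echo "set"
}

# Probes: thin wrappers around the real commands (assumed wording).
probe_enforce() { getenforce 2>/dev/null || echo Disabled; }
probe_sources() {
    if rpm -q selinux-policy-targeted-sources >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}
probe_bool() {
    # getsebool prints e.g. "winbind_disable_trans --> active" on RHEL4
    # ("--> on" on later releases); anything else is treated as 0.
    case "$(getsebool winbind_disable_trans 2>/dev/null)" in
        *"--> active"|*"--> on"|*"--> 1") echo 1 ;;
        *) echo 0 ;;
    esac
}

# Apply the flow on the local host; -P makes the change persist across reboots.
apply_winbind_trans() {
    decision=$(decide_winbind_trans "$(probe_enforce)" \
                                    "$(probe_sources)" "$(probe_bool)")
    case "$decision" in
        set) setsebool -P winbind_disable_trans 1 ;;
        *)   echo "winbind_disable_trans left alone ($decision)" ;;
    esac
}

# The documented undo for an admin who later wants winbindd confined again.
undo_winbind_trans() { setsebool -P winbind_disable_trans 0; }
```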


Re: [Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

2006-07-13 Thread Don Meyer

At 01:15 PM 7/13/2006, Gerald (Jerry) Carter wrote:


Don Meyer wrote:

 Were it up to me, I'd post the RPMs for RHEL with
 a prominent disclaimer on the support issue.   (But
 then I'd probably want to separate builds
 for RHEL3/RHEL4...)   Many people aren't aware of
 the improved ability to build RHEL packages from
 the tarball, and they only see the complete
 lack of RHEL binary packages as non-support for RHEL.

 And I think a CentOS branch symlinked to the RHEL branch, or
 vice-versa, would be a nice recognition of that program...

The reason I mentioned CentOS is that it's easier for me to
keep updated.  And given that the distro claims binary
compatibility with the matching version of RHEL it should be
fine.  And that way I avoid the support issue with RHEL.


Sounds good to me.   And a symlink or a short message in a download 
directory directing someone looking for redhat/RHEL[3,4] packages to 
the equivalent CentOS directory should alleviate the not supported 
interpretations, as well as the Which redhat/fedora package should I 
try for RHELx?  questions...


Cheers,
-D




Re: [Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

2006-07-12 Thread Don Meyer

At 04:19 AM 7/11/2006, Alex de Vaal wrote:

The standard Samba package (3.0.10EL) of RHEL4 doesn't communicate with a
W2k3 server SP1, while security=ads on Samba. This is solved in Samba
version 3.0.14a, so I want to use this package; I use this version on all my
RHL9 servers and this package is very stable!
...
I'd like to continue with the Fedora Samba package on my RHEL4 server, but
I'd like to know why or why NOT to use it! (and why I have to use the
packages of enterprisesamba.com)

Please advise.


OK, my advice is to do the following:

1) Grab the latest 3.0.23 tarball from one of the Samba mirrors
2) expand it into a directory on your RHEL4 systems where you've been 
building packages

3) cd ./samba-3.0.23/packaging/RHEL/
4) exec the command: . makerpms.sh
5) when the package build is finished: cd /usr/src/redhat/RPMS/i386/

You should have a nice set of up-to-date packages for your RHEL4 
system in this directory.   Thanks to Jerry and all the others for 
the attention in the last couple versions to the RHEL packaging...


There are two caveats with this:

a) The cache directory is moved from /var/cache/samba/ to 
/var/lib/samba/.   This move does not adjust the SELinux labels when 
it creates the new directory, and since it copies files - the files 
are created with the incorrect labels inherited from the new 
directory.  I only had to do it once, but IIRC - executing mv 
/var/cache/samba /var/lib before installing the new packages worked 
for me on a new system.


b) The smbd and nmbd services run fine under the standard RHEL4 
selinux-policy-targeted ruleset.   However, winbindd rules aren't in 
this set, and will fail if SELinux is enabled/enforcing.  If you 
are running winbindd, (which you probably are in ads mode) you can 
deal with this problem in a number of ways:

1) disable SELinux:   setenforce 0
2) There is a way to disable SELinux enforcement on a per 
application/service basis, but I don't recall how to do that right 
now.   A Google search should turn it up, however...

3) Add custom SELinux rules for winbindd:
* Install selinux-policy-targeted-sources
* cd /etc/selinux/targeted/src/policy/domains/misc/
* create a file called something like winbind_add.te (I 
believe the .te is important...) with the following contents:


-
allow mysqld_t winbind_tmp_t:dir getattr;
allow ntpd_t winbind_tmp_t:dir getattr;
allow winbind_t etc_runtime_t:file { getattr read };
allow winbind_t proc_t:file { getattr read };
allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t:dir { search getattr };
allow winbind_t samba_log_t:dir { create setattr };
allow winbind_t unconfined_t:fifo_file read;
allow winbind_t var_lib_t:dir search;
-

* cd ../..
  (should be /etc/selinux/targeted/src/policy/ )
* run the command: make load

This will load some additional rules that will allow winbindd to run 
without any (significant) AVC errors.   This should only need to be done once.






Re: [Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

2006-07-12 Thread Don Meyer

At 06:21 AM 7/12/2006, Gerald (Jerry) Carter wrote:

The Fedora specfile provided with Samba is compatible
with RHEL4.  I don't build RHEL4 packages only because
IMO if you pay for support for RedHat, installing non-vendor
supplied packages would void your support agreement.

Although I could provide RPMS for the latest version
of CentOS which should be binary compatible with RHEL4
systems.


Were it up to me, I'd post the RPMs for RHEL with a prominent 
disclaimer on the support issue.   (But then I'd probably want to 
separate builds for RHEL3/RHEL4...)   Many people aren't aware of the 
improved ability to build RHEL packages from the tarball, and they 
only see the complete lack of RHEL binary packages as non-support for RHEL.


And I think a CentOS branch symlinked to the RHEL branch, or 
vice-versa, would be a nice recognition of that program...






Re: [Samba] I want to use CNAMES for my SAMBA server, how?

2006-07-10 Thread Don Meyer

At 03:00 PM 7/10/2006, Gerald (Jerry) Carter wrote:

Mann, Roy (RGMR) wrote:
 I have a RedHat Enterprise 3 server running SAMBA 3.0.10.   The server
 has been joined to the Active Directory forest using its fully qualified
 domain name.
 Windows clients can successfully map drives using that fully qualified
 name.  However, services have a tendency to be moved or need failover
 during maintenance, so I would prefer to tell customers to use a service
 alias like smbserver3.rest.ofthe.domain.com.  When clients use that alias,
 I can see attempts at kerberos authentication in the logs on the SAMBA
 server using the canonical FQDN, so Windows is getting the right address,
 talking to the right smbd, but authentication fails.

If you are using CNAMES, add the appropriate servicePrincipalName
to the machine's object in AD.  Something like adsiedit works well.


Interesting... I never would have gotten here in a month or 
three.   I've been seeing this problem sporadically of late, as 
well.   Months ago, things worked fine without this.


My question though is what are the ramifications of a similar 
situation:   Where the CNAME might be dynamically moved to point to 
another system's base IP address in the case of a transfer of 
service/fail-over.   Does this servicePrincipalName for the FQDN need 
to be deleted and added to the new host's object, or can the same 
servicePrincipalName be added to each machine's object?  -- each 
machine that might be used to host that service address, that is...


The answer to this has ramifications for the way we are implementing 
many other services, and are trying to use the same paradigm under 
Samba.   We define a role IP name (FQDN) for a given service and tie 
it to a particular IP address.   Then pass the IP address around as 
necessary -- the server serving as primary for a given service picks 
up the role address for that service in addition to its configured 
base IP address.   Realistically, client requests are configured to 
employ the defined role FQDN.


I assume the adsiedit utility mentioned is a windows executable and 
must be run at the DC.   If these commands/utilities need to be run 
at the DC each time a service fails over, then this will be a major 
problem.  Is there any functionality that would allow these changes 
to be effected from a Samba-based system, in order to avoid the need 
for commands run at the DC?   (I suppose if the setting(s) could be 
safely preloaded for each server/object that might host a particular 
service address, then this remote capability might not be quite so 
necessary...)


I look forward to any/all input on this scenario...

Cheers,
-D





Re: [Samba] I want to use CNAMES for my SAMBA server, how?

2006-07-10 Thread Don Meyer

At 08:15 PM 7/10/2006, Gerald (Jerry) Carter wrote:


Don Meyer wrote:

 My question though is what are the ramifications of
 a similar situation:   Where the CNAME might be
 dynamically moved to point to another system's base
 IP address in the case of a transfer of service/fail-over.
 Does this servicePrincipalName for the FQDN need to
 be deleted and added to the new host's object, or
 can the same servicePrincipalName be added to each
 machine's object?  -- each machine that might be
 used to host that service address, that is...

Maybe I misunderstood the original questions.  Are we
trying to get krb5 authentication working with cname
records?  Is the client actually requesting a service
ticket cifs/${name} and the request is failing?
Or is something else wrong?  I admit I only briefly
read the original post.


The original poster (Roy Mann) indicated that he was having krb5 
authentication failures when his clients were using a CNAME (FQDN) to 
connect instead of the server's base (A record) FQDN.   It works when 
using the base FQDN.  The reason he is trying to employ CNAMEs in his 
resource mappings is to facilitate the fail-over process without 
having to change significant numbers of mappings, etc. in the case of 
a system failure and fail-over.


My first question was asking about the logical extension of this -- 
What has to happen at fail-over (CNAME transfer)?   If you have 
multiple machines which might someday be pointed to by the CNAME, can 
you pre-add the servicePrincipalName using the CNAME to each server's 
object in the manner you suggest?  This way, only the DNS needs to 
be adjusted to move the CNAME, and as the change propagates the 
clients should start using the new server.


However, if the serverPrincipalName must be unique, and can only be 
associated with one server object in the AD at any given time, then 
this would imply that in order to move the CNAME, one would first 
need to use the utility you suggest to edit the AD and transfer the 
serverPrincipalName to another server object.


So which case is it?   (I'm hoping for the former, but knowing MS, 
I'd bet money on the latter...)



(After that first question, I then jumped deeper into the issue -- 
but let's back out and get this level dealt with first... ;-)


Cheers,
-D





RE: [Samba] I want to use CNAMES for my SAMBA server, how?

2006-07-10 Thread Don Meyer

At 07:49 PM 7/10/2006, Daniel Huntley wrote:

netbios aliases =  in your smb.conf

Then setup the cname in DNS and point it to the correct A record.


Establishing netbios aliases involves a whole lot of coordination -- 
only one system can be configured to be using the netbios alias at a 
time.   Besides, we're trying to avoid the netbios name issues 
altogether by stipulating FQDN-based UNC resource references.


The key in our system is to be able to move a role/service around by 
moving an IP address between servers.  The servers would be 
configured with multiple IP addresses -- their fixed/static, base 
address and the role address that can be activated on a machine as needed.


This method continues to work well under Samba 3.0.9/3.0.10 on our 
W2K AD implementation.  However, our workup with Samba 3.0.22+ and 
a W2K3 AD, with the samba servers being more integrated results in 
auth failures when we try to employ this methodology.


Given the similarity of our paradigm to the CNAME-based paradigm that 
Roy Mann asks about, I think Jerry's suggested solution for Roy might 
apply to my situation as well.   However, I need to find out the 
constraints and limitations of this fix...





[Samba] Setting AD user's home dir/logon script from Samba?

2006-05-23 Thread Don Meyer

Folks,

Does there exist any (relatively) easy method to set user settings 
like home directory & logon script from a *nix system w/ Samba?


I find that I can create a new user and set group membership, as well 
as set/change the user's password on an AD from a *nix system with 
Samba using the NET [ADS|RPC] utility.   But I don't see a way to 
either create the user with home directory / logon script preset, or 
to change these settings after user creation. Am I missing something?


TIA,
-D




RE: [Samba] AD users from different AD domains - update

2006-05-10 Thread Don Meyer
Indeed!  It seems to me that if a member server of domain A can get 
the list of groups from DC in A, and can enumerate the users from 
both domains A & B, then it should be able to present the membership 
of a group in A, to the extent that the users belong to domain A or 
B.Right now, winbind can only present that membership for users 
that are in the same domain as the group -- in this example, only 
from domain A.


Quite frankly, I can understand why a Samba member server in domain A 
might not be able to fully present the group membership for a group 
from domain B -- but it really ought to be able to do it more fully 
when the group in question is from its own domain...


And especially when other tools in the suite can do it:

net rpc group members {groupname} -S {domain-name} -U {username%pass}

Will get you a correct listing of group membership if username%pass 
is valid credentials on the specified domain.  (Does not have to be 
admin in my testing.)


Since winbind has access to the auth-user that can be set by 
wbinfo --set-auth-user=..., and it knows which domain to query from 
the group list, winbind should be able to put 2 & 2 together to get a 
proper group listing from the home domain.


(Yes, assuming wbinfo --set-auth-user= has been used to set the 
auth-user credentials to use, and assuming that those credentials are 
for the server's home domain.)


It would sure be nice if Winbind would at least try to derive a 
full(er) group list, rather than simply not bothering to try because 
it won't always succeed...


Cheers,
-D


At 01:28 PM 5/10/2006, Trimble, Ronald D wrote:

Volker,
I know you and I have been over this in the past, but I have a
few questions based on this thread.  If winbind does correctly list the
groups, why does it not correctly tell you that the user is indeed a
member of that group?  Are you saying that if you were an admin in all
domains it would work?  What if the server was not merely a member
server?  Would it work then?
I am not trying to be a pain, I am just looking for solutions to
a problem that lots of other Windows admins like myself see as a huge
issue.

Sincerely,
Ron


-Original Message-
From: Volker Lendecke [mailto:[EMAIL PROTECTED] On Behalf Of Volker
Lendecke
Sent: Wednesday, May 10, 2006 11:17 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] AD users from different AD domains - update

On Wed, May 10, 2006 at 11:00:44AM -0400, Trimble, Ronald D wrote:
 In other words, i would like to know if it is possible to
 check the membership of a user in a group of another AD
 domain ?

No, it is not. The only operation regarding group membership
that is doable reliably is getting the list of groups a user
is member of directly while this user is logging in.

Anything beyond that like asking the same question without
having logged in, getting a list of members of a group,
getting lists of users and groups and so on will sooner or
later fail if you are not administrator of all domains in
question. Winbind is not made for being admin in all
domains, and this is nothing that you _want_ winbind on a
member server to be.

Please look at the explanations in bug #3530. Don't wait for
this to be fixed.

Volker
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Don Meyer   [EMAIL PROTECTED]
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

  They that can give up essential liberty to obtain a little 
temporary safety,
deserve neither liberty or safety. -- Benjamin Franklin, 1759 




Re: [Samba] SElinux and Samba

2006-05-05 Thread Don Meyer

At 09:21 AM 5/5/2006, Yvon Dubinsky wrote:
I found in one of the man pages (man samba_selinux) that you can just 
disable SE for samba.   I am sure there are other ways also but this 
is what I have found so far.   I tried to just open SE to samba but 
that has not worked as of yet.   What does work is typing -  
setsebool -P smbd_disable_trans 1 - this disables SE for just samba, 
then restart samba with - service smb restart.  I have not found a 
way to just pass samba through SE as of yet without disabling SE 
for the samba daemon.


I'm a little too stubborn for a quick fix like this, so I went the 
route of adding the specific rules needed to allow SMB/Winbindd to 
run without throwing AVC errors.  I'm doing this on RHEL4 boxes, 
which install with SElinux enforcing targeted by default -- this 
allows me to leave SElinux active for its additional protections.


Doing it this way requires a little extra work, though...

First, you need to install the selinux-policy-targeted-sources 
package, if not already installed.


When I build the RPMs from the source tarball, the first upgrade from 
the default RHEL4 packages changes the tdb directory from 
/var/cache/samba/ to /var/lib/samba/.   This is accomplished by 
creating /var/lib/samba/ -- Naturally, this royally mucks up the 
SElinux labelings/permissions.   So, immediately after the first 
upgrade from RHEL4 samba packages, (before starting either smb or 
winbind) I need to do the following:


chcon -Rt samba_var_t /var/lib/samba
mkdir /var/lib/samba/winbindd_privileged/
chcon -t winbind_var_run_t /var/lib/samba/winbindd_privileged/


Then, I drop the following file into the directory 
/etc/selinux/targeted/src/policy/domains/misc/:


winbind_add.te:
--
allow winbind_t etc_runtime_t:file read;
allow winbind_t proc_t:file read;
allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t:dir { search getattr };
allow winbind_t var_lib_t:dir search;
allow winbind_t samba_log_t:dir { create setattr };
allow winbind_t unconfined_t:fifo_file read;
allow winbind_t var_lib_t:dir search;
--

This file is what I currently need to add to the default SElinux 
configuration to get Samba 3.0.23pre1 to work.  What is needed seems 
to change with each new version of Samba...  (The default SElinux 
ruleset for 3.0.10-1.3E.6 can be found in 
/etc/selinux/targeted/src/policy/domains/program/winbind.te.)


Finally, after this extra policy file is in place, you should chdir 
to /etc/selinux/targeted/src/policy/, and run the following command:


make load


After this, you should be able to start/restart the smb & winbind 
services without complaints.


Now, some might ask "How do you derive these additional rules?"

On a clean install, I install the packages, make the necessary mods, 
and then set SElinux to non-enforcing:


setenforce 0

I then start tail -f /var/log/messages > /tmp/samba_avc.log in a 
separate console.


Next, I start the smb & winbind services and get them running 
properly.   Running in non-enforcing mode allows all the error 
messages to be generated in the logs, but the operations are allowed 
to complete successfully.   Once the services are running, I do a 
couple of user queries to prime the winbind system and have it sync with 
the AD, etc.  I then terminate the tail in the other console, and run 
the following command:


audit2allow -i /tmp/samba_avc.log

This outputs (to stdout) the additional rules necessary to allow all 
of the operations that generated AVC error messages in the log 
excerpt.   This should be what is necessary to get everything running 
-- I copy these rules into the file I call winbind_add.te in 
/etc/selinux/targeted/src/domains/misc/, and run the make load 
command to force the system to reload the SElinux rules.


Finally, I can shut down the smb & winbind services, run setenforce 
1 to re-enable SElinux enforcing mode, and then restart smb & 
winbind.   If all goes well, this should not generate any AVC errors...


Hope this helps someone...
-D




Re: [Samba] AD users from different AD domains

2006-03-09 Thread Don Meyer

At 04:29 PM 3/9/2006, Lionel Déruaz wrote:

i am using samba 3.0.21rc1 (winbind in particular) on RHES server for a
squid project : to authenticate users or check in they are member of some
groups on AD W2K servers.

We have a single AD forest, with different domains, A & B.

The group, in domain A, we use for our authentication process contains
users from the 2 domains A & B.

While using wbinfo, i cannot succeed to get a positive answer when i
ask if a user from domain B belongs or not to the group. (but the user
belongs to this group)

i would like to know if it is possible to check the membership of a
user in a group of another AD domain ?

I hope it is clear enough  :)


This sounds like the same situation that has been 
discussed here a bit in the past week or so.  You 
probably want to follow bug#3530 on https://bugzilla.samba.org.


Cheers,
-D




Re: [Samba] Problem with Universal Groups

2006-03-04 Thread Don Meyer

At 09:26 PM 3/3/2006, Gerald (Jerry) Carter wrote:

Don Meyer wrote:
> As far as trying to at least get Domain Local group handling fixed in
> winbind, I would suggest looking at Bug 3530 on bugzilla.samba.org.
> The more people that can show similar failure cases, the more likely we
> can convince them that this is a bug that needs fixing, and not a
> feature request.

Don,

Please allow me to clarify.  We are not ignoring this class of
bugs.  We are simply saying that the issue is harder to fix that
people realize.  It's not an issue of making enough noise
for us to realize that there is a problem.  Volker already
acknowledged that.  So rather than treating it as a simple bug
to be fixed, we are trying to deal with the larger set of issues
surrounding it.   Thanks for being patient.


Jerry,

I don't think the issue is patience.   Perhaps you (the samba team) 
have your own meaning assigned to each level in the system -- perhaps 
feature enhancement means something more to you internally than it 
does to us on the outside.


To me, the inconsistency between the group membership reported 
via winbind and via the net command, alone, would be enough to rate a 
bug in any of the development projects I am involved with.   My 
original severity rating as "major" was intended to indicate the 
level of impact this problem is having in our implementation, for 
lack of anything else to base the initial severity rating on.


When someone then gets told "closed - won't fix" on this, that is seen 
as a dismissal.  (Go away, find another solution...)  When one is 
told that this is not a bug, but a "feature enhancement", this too is 
seen as a dismissal -- albeit to a slightly lesser degree.   From the 
outside looking in, it appears that the team does not recognize this 
as a problem.


If instead the response was: "yes, this inconsistency is a problem 
(bug) -- the causes however, are particularly insidious, and will 
take some major reworking and the fixing of contributory problems 
before we can properly address this.  This is going to take a while, 
so don't expect any progress on this soon."  This would have been 
closer to the point I think you are trying to make...


Also, documenting this as a known limitation in the interim might be 
helpful -- especially to others designing systems around Samba with 
the expectation that winbind group handling is the same as in W2K(3)...


Cheers,
-D




RE: [Samba] Problem with Universal Groups

2006-03-03 Thread Don Meyer
I can't speak for Domain Universal/Global groups -- our read of the 
MS documentation indicated that other-domain users were not valid 
within Universal/Global groups, but were in a Domain Local Group.


As far as trying to at least get Domain Local group handling fixed in 
winbind, I would suggest looking at Bug 3530 on 
bugzilla.samba.org.   The more people that can show similar failure 
cases, the more likely we can convince them that this is a bug that 
needs fixing, and not a feature request.


Cheers,
-D


At 08:30 AM 3/3/2006, Trimble, Ronald D wrote:

This is exactly what I am seeing.  I think this should be reopened as a
bug.  I could easily provide all of the diagnostics since I have it set
up like this right now.

The strange thing is, I can get it to work with Domain Global groups,
but not Universal groups which shows the SID properly.  Domain Local
doesn't work at all unless the user is in the same domain as the group.

How do we get this escalated?

-Original Message-
From: Don Meyer [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 02, 2006 6:06 PM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: Re: [Samba] Problem with Universal Groups

Check your winbind group memberships -- I'm willing to bet that your
winbind will only show group membership for users in the same domain
as the group.   We are seeing the same mis-behavior here.   Group
members from other domains are simply not being enumerated by winbind
as a group member (getent group), even though the other-domain user
itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a
feature request.  Discussion was left that I had to prove that the
other-domain user can successfully connect to a resource with
permissions mapped directly to that other-domain user, but fails to
connect to the same resource when permissions are mapped to a domain
local group in the local server's domain that contains the
other-domain user.(I have yet to create this test-case because of
unrelated time-constraints...)

Cheers,
-D


At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
Everyone,
 With many thanks to Jerry, my cross domain authentication is now
working.  This leads to a new problem.  I cannot get samba to
authenticate a remote domain user in a Universal group properly.
 Here are the details:

USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)

USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)

USTR-LINUX-1:~ # wbinfo
--user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
S-1-5-21-606747145-879983540-1177238915-513
.
.
.
S-1-5-21-606747145-879983540-1177238915-79634
S-1-5-21-606747145-879983540-1177238915-79966
S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
S-1-5-21-725345543-2052111302-527237240-177738
S-1-5-21-725345543-2052111302-527237240-349185
S-1-5-21-725345543-2052111302-527237240-307510
S-1-5-21-725345543-2052111302-527237240-177742
S-1-5-21-606747145-879983540-1177238915-90389
S-1-5-21-606747145-879983540-1177238915-72164
S-1-5-21-606747145-879983540-1177238915-91149
S-1-5-21-606747145-879983540-1177238915-70785
S-1-5-21-606747145-879983540-1177238915-91412

However, when I try to set up a test web page to
 require group NA\USTR-LINUX-1-REDHAT-READ

And then attempt to access the page, I get the following error:
error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
group(s).

Does anyone else have something like this working?  What am I doing
wrong?

Thanks,
Ron



Re: [Samba] Problem with Universal Groups

2006-03-02 Thread Don Meyer
Check your winbind group memberships -- I'm willing to bet that your 
winbind will only show group membership for users in the same domain 
as the group.   We are seeing the same mis-behavior here.   Group 
members from other domains are simply not being enumerated by winbind 
as a group member (getent group), even though the other-domain user 
itself is properly listed (getent passwd).


I tried to report this as a bug, but it was closed/reopened as a 
feature request.  Discussion was left that I had to prove that the 
other-domain user can successfully connect to a resource with 
permissions mapped directly to that other-domain user, but fails to 
connect to the same resource when permissions are mapped to a domain 
local group in the local server's domain that contains the 
other-domain user.(I have yet to create this test-case because of 
unrelated time-constraints...)


Cheers,
-D


At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:

Everyone,
With many thanks to Jerry, my cross domain authentication is now
working.  This leads to a new problem.  I cannot get samba to
authenticate a remote domain user in a Universal group properly.
Here are the details:

USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)

USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)

USTR-LINUX-1:~ # wbinfo
--user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
S-1-5-21-606747145-879983540-1177238915-513
.
.
.
S-1-5-21-606747145-879983540-1177238915-79634
S-1-5-21-606747145-879983540-1177238915-79966
S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
S-1-5-21-725345543-2052111302-527237240-177738
S-1-5-21-725345543-2052111302-527237240-349185
S-1-5-21-725345543-2052111302-527237240-307510
S-1-5-21-725345543-2052111302-527237240-177742
S-1-5-21-606747145-879983540-1177238915-90389
S-1-5-21-606747145-879983540-1177238915-72164
S-1-5-21-606747145-879983540-1177238915-91149
S-1-5-21-606747145-879983540-1177238915-70785
S-1-5-21-606747145-879983540-1177238915-91412

However, when I try to set up a test web page to
require group NA\USTR-LINUX-1-REDHAT-READ

And then attempt to access the page, I get the following error:
error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
group(s).

Does anyone else have something like this working?  What am I doing
wrong?

Thanks,
Ron



Re: [Samba] Public shares in FC4 (update)

2006-02-25 Thread Don Meyer
Look at your AVC error (below) -- to paraphrase, avc denied search 
for smbd for the name /.  That is running into a problem accessing 
(traversing) the root directory.   Hence the need to allow search 
on default_t.



At 09:30 PM 2/25/2006, Louis E Garcia II wrote:

I spoke too soon. I am able to get samba working with this but not sure
if it's correct.

allow smbd_t default_t:dir search;

Would it be better: allow smbd_t samba_share_t:dir search;

and relabel:
drwxrwsrwx  root root system_u:object_r:samba_share_t  public

This seems more secure to me but doesn't work. I still get:

type=AVC msg=audit(1140923608.645:86): avc:  denied  { search } for
pid=3338 comm=smbd name=/ dev=hda5 ino=2
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t
tclass=dir
...
why does smbd_t still see system_u:object_t:default_t





Re: [Samba] Public shares in FC4 (update)

2006-02-25 Thread Don Meyer
audit2allow gave you the code to allow search capability on 
directories labeled default_t.  You are instead giving samba full 
access to the parent directory of your share(s) by re-labeling it.


It's your call whether granting smbd the limited search capability 
to all directories labeled default_t is more or less secure than 
granting smbd full access to a single parent directory.



At 01:06 AM 2/26/2006, Louis E Garcia II wrote:

Yes I just realized that. I solved it another way.

When I had this samba couldn't see public. I got avc error saying smbd_t
needed access to default_t
drwxr-xr-x  root   root  system_u:object_r:default_t  /data
drwxrwsrwx  root   root  system_u:object_r:samba_share_t  /data/public

When I had this samba could see public and it worked.
drwxr-xr-x  root   root  system_u:object_r:samba_share_t  /data
drwxrwsrwx  root   root  system_u:object_r:samba_share_t  /data/public

I think this is a better solution than to have samba have access to any
new dir with default_t. What do you think?

-Louis

On Sat, 2006-02-25 at 23:43 -0600, Don Meyer wrote:
> Look at your AVC error (below) -- to paraphrase, avc denied search
> for smbd for the name /.  That is running into a problem accessing
> (traversing) the root directory.   Hence the need to allow search
> on default_t.





Re: [Samba] Public shares in FC4 (update)

2006-02-24 Thread Don Meyer
[Caveat:  My systems are mostly RHEL4 based, I don't have a FC4 
system handy to verify paths & package names.  But they should be 
somewhat close...]


First, you need to identify what the problem is:  If you cannot find 
the AVC errors reported in your syslog, and decipher them to know how 
to fix them manually, the easiest method is to run the following 
utility command:


audit2allow -i /var/log/messages

This will run the audit2allow utility against the current syslog 
file, which I'm assuming will contain the AVC errors generated by 
your problem.   (If log rotation has occurred since the errors, 
simply run the command against /var/log/messages.1 .)


The output from this command needs to be added to (create if 
necessary) the file:


/etc/selinux/targeted/src/policy/domains/misc/local.te

(If the src directory is missing under /etc/selinux/targeted/, you 
may need to install the selinux-policy-targeted-source package.)


When you've finished editing local.te, cd to the policy level, and 
execute this command:


cd /etc/selinux/targeted/src/policy/
make load


After this, you can try your system to see if the error is still being thrown.

Cheers,
-D


At 03:42 PM 2/24/2006, Louis E Garcia II wrote:

Ok, I narrowed down the problem to selinux. With it off I have no
problems. How do I label /data/public so samba can use it? I have tried:

# chcon -R -t samba_share_t /data/public

but it didn't help.


On Fri, 2006-02-24 at 12:32 -0500, Louis E Garcia II wrote:
> /dev/hda3   /data   ext3   defaults   1 2

> data is the partition.

> On Fri, 2006-02-24 at 09:18 +0100, Henrik Zagerholm wrote:
> > Have you mounted the other partition as data or is data just at dir
> > on the other partition?
> >
> > cheers,
> > henrik
> >
> > On 24 Feb 2006 at 02:30, Louis E Garcia II wrote:
> >
> > > I am able to share a directory under / like /samba and able to connect
> > > to it. The /data directory is not under / but a separate partition. I
> > > wouldn't think this is a problem?
> > >
> > > On Thu, 2006-02-23 at 18:20 -0500, Louis E Garcia II wrote:
> > > I am trying to share a directory with samba-3.0.14a and FC4. readable
> > > and writable to everyone.
> > >
> > > The directory is /data/public : 2777 root:root
> > >
> > > This is my smb.conf:
> > >
> > > [global]
> > > workgroup = HOMENETWORK
> > > server string = Samba Server
> > > security = SHARE
> > > hosts allow = 127.0.0.1, 192.168.0.0/24
> > > hosts deny = 192.168.0.1/24
> > >
> > > [public]
> > > comment = Public Stuff
> > > path = /data/public
> > > public = Yes
> > > read only = No
> > > browseable = Yes
> > > guest ok = Yes
> > > create mask = 2777
> > >
> > > I am able to browse the server but when I open the share public I
> > > get an
> > > error that the directory doesn't exist.
> > >
> > > I am stumped. --Louis
> > >
  
 




Re: [Samba] Public shares in FC4 (update)

2006-02-24 Thread Don Meyer
Looks like you have multiple SELinux issues to track down and 
resolve.  Hard telling whether they all trace back to a single cause though...


To have a better idea of how the errors trace to operations, open two 
shells on a console.   In one, tail -f /var/log/audit/audit.log  -- 
this will give you a live display of the logged warnings & 
errors.  In the other, try some operations -- restart your smb 
service, and try the operations that are giving you problems.  Watch 
the other console to see the AVC errors as they happen.


You can use tail -f ... and pipe the output to a /tmp file to 
capture snippets relevant to specific actions/operations.   These can 
then be processed through audit2allow to find the specific 
modifications that you'll need to add to your local.te file and then 
reload your SELinux policy.


-D

At 08:32 PM 2/24/2006, Louis E Garcia II wrote:

On FC4 it's under /var/log/audit/audit.log. This is the only place I
found AVC errors.

# audit2allow -i /var/log/audit/audit.log
allow auditd_t self:fifo_file write;
allow cupsd_config_t proc_net_t:dir search;
allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl write };
allow hald_t unconfined_t:fifo_file read;
allow httpd_t crond_t:fifo_file read;
allow nmbd_t unconfined_t:fifo_file write;
allow rpcd_t unconfined_t:fifo_file read;
allow smbd_t default_t:dir search;
allow smbd_t file_t:dir { getattr search };
allow smbd_t mnt_t:lnk_file read;
allow smbd_t root_t:dir write;
allow smbd_t unconfined_t:fifo_file write;
allow system_dbusd_t unconfined_t:fifo_file read;

I think I'm only worried about smb_t? There are 5 lines there, do I put
them all in /etc/selinux/targeted/src/policy/domains/misc/local.te?

or I only need some? I see nothing about /data/public access.

-Louis

On Fri, 2006-02-24 at 16:54 -0600, Don Meyer wrote:
> [Caveat:  My systems are mostly RHEL4 based, I don't have a FC4
> system handy to verify paths & package names.  But they should be
> somewhat close...]
>
> First, you need to identify what the problem is:  If you cannot find
> the AVC errors reported in your syslog, and decipher them to know how
> to fix them manually, the easiest method is to run the following
> utility command:
>
> audit2allow -i /var/log/messages



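The audit2allow workflow described in the SElinux post above (capture AVC denials with tail -f, feed the excerpt to audit2allow, drop the rules into a local .te file) and Louis's question about which of the emitted lines actually concern Samba both come down to the same step: collapsing raw denial records into allow rules for the domains you care about. The following is an added illustration, not the audit2allow utility and not code from any of the posts: it parses AVC records in the format quoted in this thread (the sample lines are constructed), merges them into one rule per source type, target type and object class, and can be restricted to the Samba domains so unrelated daemons' denials never end up in local.te.

```python
"""Minimal audit2allow-style summariser for SELinux AVC denial records.

Added example, not the audit2allow utility itself. Use it to review what
a policy file would grant before loading it; the real audit2allow output
remains the reference.
"""
import re
from collections import defaultdict

# Constructed sample of audit.log / syslog records (not from a real host);
# the format follows the denial quoted in this thread.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1140923608.645:86): avc:  denied  { search } for pid=3338 comm="smbd" name="/" dev=hda5 ino=2 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
type=AVC msg=audit(1140923609.101:87): avc:  denied  { getattr } for pid=3338 comm="smbd" name="/data" dev=hda5 ino=12 scontext=root:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1140923609.102:88): avc:  denied  { search } for pid=3338 comm="smbd" name="/data" dev=hda5 ino=12 scontext=root:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1140923610.500:89): avc:  denied  { search } for pid=2210 comm="cupsd-config" name="net" dev=proc ino=4 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:proc_net_t tclass=dir
type=AVC msg=audit(1140923611.000:90): avc:  denied  { read } for pid=3400 comm="winbindd" name="winbindd_privileged" dev=hda5 ino=77 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1140923611.000:90): arch=40000003 syscall=5 success=no exit=-13
"""

# One denial: the permission set, then the two security contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:mls] -> type (the MLS suffix, if any, is ignored)."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, 'granted' entries, unrelated lines
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def summarise_rules(text, source_types=None):
    """Return sorted allow rules, one per (source, target, class), perms merged.

    source_types: optional set of source domains to keep, e.g. {"smbd_t"},
    so only the Samba-related denials go into the local policy file.
    """
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        if source_types is not None and stype not in source_types:
            continue
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    # Keep only the Samba domains, as one would before writing local.te.
    for rule in summarise_rules(SAMPLE_AVC_LOG, source_types={"smbd_t", "winbind_t"}):
        print(rule)
```

Run against a captured excerpt instead of the sample, and compare the result with what audit2allow emits for the same file before deciding which rules belong in the policy.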


[Samba] Effect of disabling LM/NTLMv1 auth on an AD?

2006-02-21 Thread Don Meyer

Folks,

Our campus AD team has decided that they "... need to disable LM/NTLMv1 
authentication support to provide greater security and be consistent 
with the CITES authentication roadmap."


Noble thoughts, but there hasn't been much thought of the 
ramifications for other, interoperable systems like Samba.


I can see that modern Samba versions support NTLMv1 and NTLMv2 
methods.  Theoretically, that should leave support for NTLMv2, and 
all should work.  Practically, however, there is the question of 
what really happens with Samba member servers when one disables 
LM/NTLMv1 on the domain controllers?   Can anyone speak to this?


Thanks much,
-Don






Re: [Samba] Domain User access control in the smb.conf

2006-02-17 Thread Don Meyer

At 12:52 PM 2/17/2006, Alex Wang wrote:

I guess the @Domain\myaccount is the wrong format, but I check the
manual and can't find anything talk about the user list in smb.conf

smb# testparm
...
winbind use default domain = Yes



First off, if myaccount is a user account, then drop the @ -- 
that is one of the specials used to designate a group.


Second, with winbind use default domain active/enabled, you should 
not have to specify the DOMAIN\ part.


Also, since you are using the special char \ as a domain separator, 
you need to be very cognizant of where you need to properly escape 
it.   (I.E., use \\ instead of just \)   I'm pretty sure that 
valid users = is one of those places...


Cheers,
-D




Re[2]: [Samba] Domain User access control in the smb.conf

2006-02-17 Thread Don Meyer
Yes, if you have the valid users = line present in a resource's 
config block, then access to that resource is limited to the defined 
set of users.  If not present, then any user can connect to the resource.


-D


At 01:41 PM 2/17/2006, Alex Wang wrote:

Thanks Don, it works.

Another question about that is, do I have to list all the users who need
to access that share folder?

[Test2]
comment = Test
path = /usr/tmp/
valid users = @Domain Admins
readonly = Yes
write list = myaccount
Since myaccount is not in Domain Admins, I can't even access that share
folder. Do I have to change to

[Test2]
comment = Test
path = /usr/tmp/
valid users = @Domain Admins, myaccount
readonly = Yes
write list = myaccount

Thanks

Alex



On Fri, 17 Feb 2006 13:29:50 -0600
Don Meyer [EMAIL PROTECTED] wrote:

> At 12:52 PM 2/17/2006, Alex Wang wrote:
> > I guess the @Domain\myaccount is the wrong format, but I check the
> > manual and can't find anything talk about the user list in smb.conf
> >
> > smb# testparm
> > ...
> > winbind use default domain = Yes
>
>
> First off, if myaccount is a user account, then drop the @ --
> that is one of the specials used to designate a group.
>
> Second, with winbind use default domain active/enabled, you should
> not have to specify the DOMAIN\ part.
>
> Also, since you are using the special char \ as a domain separator,
> you need to be very cognizant of where you need to properly escape
> it.   (I.E., use \\ instead of just \)   I'm pretty sure that
> valid users = is one of those places...
>
> Cheers,
> -D




Re: [Samba] Samba does not work with new AD groups

2006-02-16 Thread Don Meyer

At 08:25 AM 2/15/2006, Parker, Michael wrote:

I've configured a system to authenticate with an AD 2k3 domain (all
domain controllers have SP1) using winbind.  I have joined the server to
the domain as well. I created some shares to work with AD groups.
Here's a quick snippet of a share from my smb.conf file:


[test]
comment = test share for winbind testing
path = /u01/test
write list = @ll_main/rhmps


The problem I have is if I tell the write list command to use an
existing AD group which I am already a member of, I can write to the
share.  If on the other hand, I create a new AD group, add my user
account to the group, then tell the write list to use the new group, I
cannot write to the share.  I have rebooted my test workstations, tried
writing to the share from multiple XP (SP2), workstations logged out/in,
and rebooted my smb server.  Nothing seems to help and I'm not seeing
anything in any logs to explain the problem.

My samba server is a redhat 3.0 box with update 5.  The samba version is
samba-3.0.9-1.3E.5


A couple of things to check:

1) Is your new group available for use on your RHEL3 box?  That is, 
can you find it in your group listings:  wbinfo -g or getent group?


2) Look at the group's entry in the output from the command getent 
group -- are the group members what you expect from your AD?


3) Does your [test] resource have a valid users = line?   (Without, 
default is anyone can connect...)   If so, does the membership 
specified on this line include the users in your write list = 
line?   (Doesn't have to specify the same group as your write 
list = line, but users specified here should also have access granted 
via inclusion in the set specified on your valid users = line.)


E.g.
valid users = @Domain Users
write list = @Subset_of_users




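The access rules the two threads above turn on (valid users deciding who may connect at all, write list granting write access on a share that is otherwise read only) as a small model, added here as an example; it is not code from the Samba project. The names alice and bob, the GROUPS table and the stanza parser are assumptions; myaccount, Domain Admins, Domain Users and Subset_of_users come from the messages. The parser follows two smb.conf(5) habits: parameter names match ignoring case and whitespace (so `readonly` is `read only`), and list entries are separated by commas or whitespace, with a double-quoted name keeping its spaces, which is why the group name is quoted in the stanzas below.

```python
"""Model of the share-level access checks discussed in the two threads above.

Added example, not code from the Samba project. It mirrors the rules the
replies describe: `valid users` gates the connection (no such line means any
authenticated user may connect) and `write list` grants write access even
when `read only = Yes`, but only to users who were allowed to connect.
GROUPS is a constructed membership table standing in for what winbind would
return through `getent group` / `wbinfo -g`.
"""
import re

# Constructed group membership (assumption: what `getent group` would show).
GROUPS = {
    "Domain Admins": {"alice"},
    "Domain Users": {"alice", "bob", "myaccount"},
    "Subset_of_users": {"bob"},
}

# One list entry: optional group prefix (@, +, &), then either a double-quoted
# name (keeps embedded spaces, e.g. @"Domain Admins") or a bare token.
# Entries are separated by commas or whitespace, as in smb.conf(5).
_ENTRY = re.compile(r'([@+&]*)(?:"([^"]*)"|([^\s,"]+))')


def _norm(key):
    """smb.conf matches parameter names ignoring case and whitespace,
    so `readonly` and `read only` name the same parameter."""
    return "".join(key.split()).lower()


def parse_share(text):
    """Parse one [share] stanza into {normalised key: value}."""
    share = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        share[_norm(key)] = value.strip()
    return share


def parse_list(value):
    """Split a user-list value into (prefix, name) pairs."""
    return [(p, q if q else b) for p, q, b in _ENTRY.findall(value)]


def user_in_list(user, value, groups):
    """True if user is named directly or belongs to a prefixed group entry."""
    for prefix, name in parse_list(value):
        if prefix:
            if user in groups.get(name, set()):
                return True
        elif name == user:
            return True
    return False


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def can_connect(share, user, groups=GROUPS):
    """invalid users always wins; valid users restricts only when present."""
    if user_in_list(user, share.get("invalidusers", ""), groups):
        return False
    if "validusers" not in share:
        return True      # no valid users line: any authenticated user connects
    return user_in_list(user, share["validusers"], groups)


def can_write(share, user, groups=GROUPS):
    """Write needs a connection first; write list / read list then override
    the share's read only (or writable / writeable) setting."""
    if not can_connect(share, user, groups):
        return False
    if user_in_list(user, share.get("writelist", ""), groups):
        return True
    if user_in_list(user, share.get("readlist", ""), groups):
        return False
    if "readonly" in share:
        return not _is_yes(share["readonly"])
    for key in ("writable", "writeable"):
        if key in share:
            return _is_yes(share[key])
    return False         # Samba default: read only = yes


# The two [Test2] stanzas from the thread; the group name is double-quoted
# here so the space inside it survives list splitting.
BEFORE = parse_share("""[Test2]
comment = Test
path = /usr/tmp/
valid users = @"Domain Admins"
readonly = Yes
write list = myaccount
""")
AFTER = parse_share("""[Test2]
comment = Test
path = /usr/tmp/
valid users = @"Domain Admins", myaccount
readonly = Yes
write list = myaccount
""")

if __name__ == "__main__":
    for label, share in (("before", BEFORE), ("after", AFTER)):
        print(label, "connect:", can_connect(share, "myaccount"),
              "write:", can_write(share, "myaccount"))
```

Running it prints the point of both threads: in the first stanza myaccount can neither connect nor write, because the write list only matters after valid users has let the user in; in the second stanza the user connects via valid users and writes via write list while alice, a Domain Admin not on the write list, stays read-only.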


Re: [Samba] Samba rpm and /var/*/samba directory for .tdb files

2006-02-16 Thread Don Meyer

At 04:06 PM 2/15/2006, Craig White wrote:

On Wed, 2006-02-15 at 14:42 -0600, Gerald (Jerry) Carter wrote:
 Don Meyer wrote:
  At 08:24 AM 2/15/2006, Gerald (Jerry) Carter wrote:
  Oliver Schulze L. wrote:
   Hi,
   I use CentOS4 (RHEL4) and it seems that I was using /var/lib/samba
   for storing the .tdb files. Then I compiled the fedora .src.rpm from
   samba.org
   and it points now to /var/cache/samba
 
  This was a mistake introduced into the RPM specfile during a
  recent set of merges.  When it was realized, the 3.0.21b-1 rpm was
  pulled from samba.org and a new set of RPMs posted.  The tdb files
  should live in /var/lib/samba/
 
  Actually, stock RHEL4 rpms for their 3.0.10-1.4E.2 version use
  /var/cache/samba/.
 
  Does this change in the packaging reflect a sea change towards use of
  /var/lib/samba/ for the future?(I.E. Can we expect future
  RHEL-distributed packagings to adopt use of /var/lib/samba/ as well?)

 IMO.  They should have always been in /var/lib/samba/.
 I can't guess what RedHat would do, but SuSE and most other
 distros I can think of use /var/lib/samba/.  You could
 probably check the stock Fedora RPMs and see what they use.  IIRC
 they are using /var/lib/samba/ as well.

if this helps...

# ls -l /var/cache/samba/
total 72
-rw-------  1 root root  8192 Jun  8  2004 gencache.tdb
-rw-------  1 root root   696 Feb 14  2005 messages.tdb
-rw-------  1 root root   696 Feb 14  2005 netsamlogon_cache.tdb
-rw-------  1 root root 20172 Feb 14  2005 winbindd_cache.tdb
-rw-r--r--  1 root root  8192 Feb 14  2005 winbindd_idmap.tdb
drwxr-x---  2 root root  4096 May  2  2005 winbindd_privileged

# uname -a
Linux lin-workstation.azapple.com 2.6.15-1.1830_FC4 #1 Thu Feb 2
17:23:41 EST 2006 i686 athlon i386 GNU/Linux

# cat /etc/redhat-release
Fedora Core release 4 (Stentz)

Craig


FWIW:

To get winbind working under the base RHEL4 packages (3.0.10-1.4E.2), 
I had to modify the SELinux configuration slightly:


with package selinux-policy-targeted-sources installed, add these 
two lines to /etc/selinux/targeted/src/policy/domains/misc/local.te:


allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;

followed by:
]# cd /etc/selinux/targeted/src/policy
]# make load

When I built and installed the 3.0.21b-3 packages under RHEL4, the 
switch to using /var/lib/samba/ from /var/cache/samba/ resulted in a 
whole mess of SELinux AVC errors.   And a completely non-functional winbindd...


To fix, I had to do two things:

1) again modify the SELinux configuration by adding the following 
lines to /etc/selinux/targeted/src/policy/domains/misc/local.te:


allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t: dir { search };


... and another make load like above...

(Not sure whether the /var/lib/samba/ change directly caused the need 
for lines 3,4 -- could have been some other change that made that 
necessary.   Line 5, though, is obviously due to this change.)



2) I also needed to execute a chcon to change the SELinux labeling on 
the /var/lib/samba/ directory that was created during the 
installation.   The installation picked up the default labeling of 
var_lib_t from the parent /var/lib/ directory.  To allow things to 
work properly under SELinux enforcing, and without wholesale opening 
of anything labeled var_lib_t to just about all forms of access 
from winbind_t, I used chcon to relabel the /var/lib/samba/ directory 
to use the same labeling as /var/cache/samba/ had:


]# chcon -R -t samba_var_t /var/lib/samba

I also needed to fix the labeling on /var/lib/samba/winbindd_privileged/ :

]# chcon -R -t winbind_var_run_t /var/lib/samba/winbindd_privileged



Given these necessary changes, perhaps changing back to 
/var/cache/samba/ for RHEL4 builds might be prudent...



Cheers,
-D

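The message above derives its allow rules from the AVC denials and then deliberately relabels /var/lib/samba rather than opening all of var_lib_t to winbind_t. The following example, added here and not code from the Samba project (nor audit2allow, although it does the same per-(source, target, class) grouping), parses a constructed /var/log/messages excerpt into candidate rules and flags the ones whose target is a generic type. SAMPLE_LOG, GENERIC_TYPES, the host name fs1, pids and inode numbers are all made up for the example.

```python
"""Turn SELinux AVC denials into candidate allow rules and flag rules whose
target is a generic type, the trade-off the message above makes by
relabelling /var/lib/samba instead of opening var_lib_t to winbind_t.

Added example, not code from the Samba project and not audit2allow.
SAMPLE_LOG is constructed to resemble /var/log/messages on a 2.6-era kernel.
"""
import re
from collections import defaultdict

# Constructed log excerpt: six denials and one unrelated winbindd line.
SAMPLE_LOG = """\
Feb 15 09:01:12 fs1 kernel: audit(1140015672.101:31): avc:  denied  { write } for  pid=2201 comm="winbindd" name="smb.conf" dev=dm-0 ino=81922 scontext=root:system_r:winbind_t tcontext=system_u:object_r:samba_etc_t tclass=file
Feb 15 09:01:12 fs1 kernel: audit(1140015672.102:32): avc:  denied  { write } for  pid=2201 comm="winbindd" name="krb5.conf" dev=dm-0 ino=81930 scontext=root:system_r:winbind_t tcontext=system_u:object_r:etc_t tclass=file
Feb 15 09:01:13 fs1 kernel: audit(1140015673.004:33): avc:  denied  { signal } for  pid=2201 comm="winbindd" scontext=root:system_r:winbind_t tcontext=root:system_r:initrc_t tclass=process
Feb 15 09:01:13 fs1 kernel: audit(1140015673.005:34): avc:  denied  { signull } for  pid=2201 comm="winbindd" scontext=root:system_r:winbind_t tcontext=root:system_r:initrc_t tclass=process
Feb 15 09:01:13 fs1 kernel: audit(1140015673.210:35): avc:  denied  { read lock } for  pid=2201 comm="winbindd" name="winbindd.pid" dev=dm-0 ino=16401 scontext=root:system_r:winbind_t tcontext=root:object_r:initrc_var_run_t tclass=file
Feb 15 09:01:14 fs1 kernel: audit(1140015674.001:36): avc:  denied  { search } for  pid=2201 comm="winbindd" name="samba" dev=dm-0 ino=49153 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
Feb 15 09:01:14 fs1 winbindd[2201]: winbindd version 3.0.21b started (constructed line)
"""

# Types shared by many unrelated objects: an allow rule against one of them
# grants far more than the single path that triggered the denial.
GENERIC_TYPES = {"etc_t", "var_lib_t", "var_t", "var_run_t", "usr_t",
                 "tmp_t", "file_t", "default_t", "unlabeled_t"}

AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Return (source_type, target_type, class, {perms}) or None.
    The type is the third field of a context; a fourth MLS field (e.g. s0)
    may follow on newer systems and is ignored."""
    m = AVC.search(line)
    if not m:
        return None
    src = m.group("scontext").split(":")
    tgt = m.group("tcontext").split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    return src[2], tgt[2], m.group("tclass"), set(m.group("perms").split())


def rules_from_log(lines):
    """Merge denials per (source, target, class) into allow rules.
    Returns (rules, warnings); a warning names each rule whose target is a
    generic type and suggests relabelling the one path instead."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            merged[(src, tgt, cls)] |= perms
    rules, warnings = [], []
    for (src, tgt, cls), perms in sorted(merged.items()):
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        rules.append(rule)
        if tgt in GENERIC_TYPES:
            warnings.append(
                "%s targets the generic type %s: it would apply to every %s "
                "labelled %s, not only the path in the denial; consider "
                "relabelling that path to a service-specific type instead"
                % (rule, tgt, cls, tgt))
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = rules_from_log(SAMPLE_LOG.splitlines())
    print("\n".join(rules))
    print("\n".join(warnings))
```

The generated rules for the constructed log are the five lines from the message; the two warnings (etc_t and var_lib_t) mark exactly the rules the author preferred to avoid by running chcon on the one directory, which is the least-privilege choice when the denial is caused by a mislabelled path rather than by a genuinely missing permission.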


RE: [Samba] Authenticating another domain

2006-02-16 Thread Don Meyer
I remember seeing this before in my setup -- do you have REALMS 
properly defined in your krb5.conf file for all of these other 
domains?  Getting the domains properly represented in krb5.conf fixed 
the wbinfo --sequence output as well as allowed proper enumeration of 
users from the other (trusted/trusting) domains.   Trusted-only 
domains were still a problem, though...



At 10:18 AM 2/16/2006, Trimble, Ronald D wrote:

Running  getent passwd EU\\inblr-auth1  doesn't return anything.
Although it does work successfully with my NA domain account.

The wbinfo --sequence command does reveal a little more information.
Here is the output.

wbinfo --sequence

LAC : DISCONNECTED
EU : DISCONNECTED
AP : DISCONNECTED
UIS : DISCONNECTED
USTR-LINUX-1 : 1
BUILTIN : 1
NA : 14462477

How can I get it to connect?

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 16, 2006 11:05 AM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Authenticating another domain

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Trimble, Ronald D wrote:

   Username EU\inblr-auth1 is invalid on this system

figure this out.  That is the key.  Does
getent passwd 'EU\inblr-auth1' return anything?
What does wbinfo --sequence show?



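The reply at the top of this message suggests checking that every domain winbind knows about has a realm defined in krb5.conf. The example below, added here and not part of the original posts or of Samba, does that cross-check: it parses the `wbinfo --sequence` output quoted in the thread against a constructed krb5.conf (placeholder realm names under EXAMPLE.COM). The mapping from a NetBIOS domain name to a realm is an assumption (the NetBIOS name is taken to be the realm's first DNS label, e.g. NA to NA.EXAMPLE.COM); where that does not hold an explicit `mapping` table can be passed. USTR-LINUX-1 is treated as the server's own name and BUILTIN as local, both assumptions.

```python
"""Cross-check `wbinfo --sequence` against krb5.conf: every domain winbind
lists should have a realm defined, as the reply above recommends.

Added example, not part of the original posts or of Samba. WBINFO_SEQUENCE
is the output quoted in the thread; KRB5_CONF is constructed with
placeholder realm names. NetBIOS-name-to-realm matching by first DNS label
is an assumption; pass an explicit mapping where it does not hold.
"""
import re

WBINFO_SEQUENCE = """\
LAC : DISCONNECTED
EU : DISCONNECTED
AP : DISCONNECTED
UIS : DISCONNECTED
USTR-LINUX-1 : 1
BUILTIN : 1
NA : 14462477
"""

# Constructed krb5.conf covering only two of the domains above.
KRB5_CONF = """\
[libdefaults]
    default_realm = NA.EXAMPLE.COM

[realms]
    NA.EXAMPLE.COM = {
        kdc = dc1.na.example.com
        admin_server = dc1.na.example.com
    }
    EU.EXAMPLE.COM = {
        kdc = dc1.eu.example.com
    }

[domain_realm]
    .na.example.com = NA.EXAMPLE.COM
    .eu.example.com = EU.EXAMPLE.COM
"""


def parse_sequence(text):
    """{domain: 'DISCONNECTED' or int sequence number} from wbinfo --sequence."""
    result = {}
    for line in text.splitlines():
        name, sep, state = line.partition(":")
        if sep:
            state = state.strip()
            result[name.strip()] = state if state == "DISCONNECTED" else int(state)
    return result


def parse_realms(text):
    """Realm names declared in the [realms] section of a krb5.conf."""
    realms, section = set(), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "realms":
            m = re.match(r"([^\s=]+)\s*=\s*\{", line)
            if m:
                realms.add(m.group(1).upper())
    return realms


def realm_for(domain, realms, mapping=None):
    """Realm for a NetBIOS domain: explicit mapping first, then the
    first-label heuristic (assumption, see module docstring)."""
    if mapping and domain in mapping:
        return mapping[domain]
    for realm in realms:
        if realm.split(".")[0] == domain.upper():
            return realm
    return None


def check(sequence, realms, local=("BUILTIN",), mapping=None):
    """Sort domains into those with no realm at all and those that have a
    realm yet still show DISCONNECTED (trust direction, DNS and KDC
    reachability are the next things to look at for the latter)."""
    report = {"no_realm": [], "disconnected_with_realm": []}
    for domain, state in sequence.items():
        if domain in local:
            continue
        if realm_for(domain, realms, mapping) is None:
            report["no_realm"].append(domain)
        elif state == "DISCONNECTED":
            report["disconnected_with_realm"].append(domain)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    print(check(parse_sequence(WBINFO_SEQUENCE), parse_realms(KRB5_CONF),
                local=("BUILTIN", "USTR-LINUX-1")))
```

For the constructed krb5.conf the report separates the two failure modes the thread touches on: LAC, AP and UIS have no realm at all (the krb5.conf fix in the reply), while EU has a realm and is still DISCONNECTED, which is the trusted-only-domain situation the reply says remained a problem.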


Re: [Samba] Joining a trusted domain

2006-02-16 Thread Don Meyer
This sounds like it might be somewhat related to the problem I posted 
a query about earlier this week -- where domain local groups in 
domain-A that contain users from (trusted/trusting) domain-B, are not 
having the domain-B users being enumerated by winbind  as group 
members on Samba/winbind systems in domain-A.  It appears that only 
domain-A users can be enumerated as group members by winbind, even if 
the group is defined as a domain local group, which can contain users 
defined in a foreign, trusted domain.  (On windows systems within the 
domain, users from domain-B show up as group members just fine -- 
Samba appears to be dropping them off the list, though.)


It seems like there might be some sort of common inability to deal 
with references to users in another (trusted) domain from within the 
context of the local domain, in certain places at least...


Cheers,
-D


At 01:26 PM 2/16/2006, Devin Morton wrote:

I've come across a fairly unique situation and after much searching have
not found a solution. I thought I would see if anyone here has had any
experience with this before.

I have a location with two ADS domains with a two-way trust configured.

-For this example I will call them corp.company.com and bst.company.com.

-I have a FreeBSD client running Samba version three
-I want to use an account in corp with privileges over bst to join the
client to the bst domain.

No matter what format I use to specify the location of the admin account
process always appends the specified user to the bst I'm attempting to
join. That domain, of course, cannot find the user and I receive an
Invalid credentials error. Here is an example:

ESPN-IQ-1# net ads join -S bst.company.com -U
CORP.company.com/domainadmin
Password:
[2006/02/16 12:20:42, 1] libsmb/clikrb5.c:krb5_mk_req2(56)
  krb5_cc_get_principal failed (No credentials cache found)
[2006/02/16 12:20:42, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password CORP.company.com/[EMAIL PROTECTED]
failed: Client not
 found in Kerberos database
[2006/02/16 12:20:42, 1] utils/net_ads.c:ads_startup(152)
  ads_connect: Invalid credentials


Is there a way to specify a user account from a different domain when
attempting to join in this fashion?

Thanks in advance.
Devin Morton


Re: [Samba] kerberos error when users in trusted win2k domain try to browse samba server

2006-02-16 Thread Don Meyer
We have the same situation here.   Apparently, users from domain-A 
can properly connect/browse/etc. a server in domain-B (assuming 
permissions OK, W2K3-based ADS) if the domains have a two-way trust 
in place.   But users from a trusted domain cannot access 
Samba-server based resources, generating the errors you note below.


To me, these errors seem to indicate that the trusted domain is 
rejecting the servers credentials, as they are from the trusting 
domain, which by definition it does not trust in a one-way relationship.


In the windows world, the Windows admin gui usually pops up a dialog 
to ask an admin for proper credentials on the trusted domain when 
initiating actions such as adding a user from the trusted domain to 
a domain local group in the trusting domain.


There needs to be some mechanism identified to supply satisfactory 
credentials for the server to use to communicate with the trusted 
domain, in this one-way trust situation.


Cheers,
-D


At 11:39 AM 2/16/2006, Dale Wishner wrote:

I have users from Domain A trying to browse a domain member samba server in
Domain B.  Domain A and Domain B are both Windows 2k domains.  Domain B has
a one way trust to A.  A users can browse Domain B Windows server with no
problem so I know the trust is fine.  Samba version is 3.0.21b on RH Linux ES
3.

The winbindd log is giving me the following error:

[2006/02/16 08:28:50, 0] nsswitch/winbindd_dual.c:child_read_request(49)
  Got invalid request length: 0
[2006/02/16 09:20:32, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
  ads_krb5_mk_req: krb5_get_credentials failed for
[EMAIL PROTECTED] (Server not found in Kerberos database)
[2006/02/16 09:20:32, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: Server not found in Kerberos database
[2006/02/16 09:21:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(487)
  ads_krb5_mk_req: krb5_get_credentials failed for
[EMAIL PROTECTED] (Server not found in Kerberos database)
[2006/02/16 09:21:02, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ONTARIOPD failed: Server not found in Kerberos
database
[2006/02/16 09:21:02, 1]
nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid
S-1-5-21-1813802168-3123542457-4032405765-1223
[2006/02/16 09:21:02, 1]
nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid
S-1-5-21-1813802168-3123542457-4032405765-1223
[2006/02/16 09:21:02, 1]
nsswitch/winbindd_user.c:winbindd_dual_userinfo(157)
  error getting user info for sid
S-1-5-21-1813802168-3123542457-4032405765-1223

Both Domain A and Domain B realms are defined in the krb5.conf file.  Users
from Domain B browse the samba server just fine.

I have been working on this problems for three days.  I have searched the
'Net and found people with similar issues but no solution.

Any help would be appreciated.


Re: [Samba] Samba version and ports

2006-02-16 Thread Don Meyer

James,

IIRC, the CIFS protocol (as implemented by Microsoft) requires 
listening ports 445/tcp & 139/tcp, with 137/udp & 
138/udp.  Configurable ports would tend to make interoperability 
moot, hence the lack of port configuration info in the config file.


For version info, I'd suggest restarting the running smbd daemon, 
then looking toward the end of the /var/log/samba/log.smbd file for 
the restart banner, which should indicate the version.


-D


At 08:43 AM 2/16/2006, James John - jrjame wrote:

I have been unable to find what version of Samba is running on a
particular HP/UX server.  The information is not included in the
../samba/lib/smb.conf where I am used to finding it.  Also, I can not
tell what port they have configured on this box any tips?



John R. James, Jr.

Unix Engineer

PTSRICT Team

Acxiom, Corporation

(501) 342-0455



*
The information contained in this communication is confidential, is
intended only for the use of the recipient named above, and may be
legally privileged.

If the reader of this message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.

If you have received this communication in error, please resend this
communication to the sender and delete the original message or any copy
of it from your computer system.

Thank you.
*


Re: [Samba] Samba rpm and /var/*/samba directory for .tdb files

2006-02-15 Thread Don Meyer

At 08:24 AM 2/15/2006, Gerald (Jerry) Carter wrote:

Oliver Schulze L. wrote:
 Hi,
 I use CentOS4 (RHEL4) and it seems that I was using /var/lib/samba
 for storing the .tdb files. Then I compiled the fedora .src.rpm from
 samba.org
 and it points now to /var/cache/samba

This was a mistake introduced into the RPM specfile during a
recent set of merges.  When it was realized, the 3.0.21b-1 rpm was
pulled from samba.org and a new set of RPMs posted.  The tdb files
should live in /var/lib/samba/


Actually, stock RHEL4 rpms for their 3.0.10-1.4E.2 version use 
/var/cache/samba/.


Does this change in the packaging reflect a sea change towards use 
of /var/lib/samba/ for the future?(I.E. Can we expect future 
RHEL-distributed packagings to adopt use of /var/lib/samba/ as well?)


-D




RE: [Samba] samba setup in win2k A.D.

2006-02-15 Thread Don Meyer
Furthermore, have you verified that your time is properly 
synchronized with your AD's DC(s)?


And is your krb5.conf file properly configured on your linux system?

-D


At 04:51 PM 2/15/2006, James Taylor wrote:

Maybe this will help...

Have you verified that all your AD controllers have replicated their info?  I
had similar issues to this back when I was using AD with Microsoft.  You can
force replication to occur by going to sites and services of your AD.  You
should be able to find all the AD replication partners and force a
replication.

James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Richard Verdugo
Sent: Wednesday, February 15, 2006 2:46 PM
To: samba@lists.samba.org
Subject: [Samba] samba setup in win2k A.D.

Please help, I'm having this problem at my job and it really needs to get
solved.

I'm trying to setup samba 3.0 to be a member fileserver in my Windows 2000
active directory domain.
I followed the instruction on this website:
http://www.linux-sxs.org/networking/nt4dom_samba.html#win_sysreq
net RPC join  -W domain  -U domain user works
wbinfo -t   works
wbinfo -G works
wbinfo -U fails with the error: Error looking up domain users

When I try to access the samba share from a windows network browser window
it fails with the error:
Logon Failure: The target account name is incorrect


Any guidance you can offer will be repaid tenfold, thank you so much.

Rich


[Samba] Winbind problem w/ ADS domain local group and other-domain members

2006-02-13 Thread Don Meyer
 cache time = 10
hosts allow = 127., 128.###.###.0/255.255.254.0, 
128.###.###.0/255.255.254.0, 130.###., 128.###.##.

case sensitive = No
#   include = /etc/samba/smb.conf.lbe-2

[dev-W]
path = /export/dev/W
valid users = @ITCS CSS Team, @Domain Admins, IUSR_ACESWEB
admin users = @Domain Admins
read only = No
create mask = 0664
directory mask = 02770
inherit permissions = Yes
veto oplock files = /*.TTF/*.XLS/*.DOC/

[prod-W]
path = /export/prod/W
valid users = @ITCS CSS Team, @Domain Admins, IUSR_ACESWEB
admin users = @Domain Admins
read only = No
create mask = 0664
directory mask = 02770
inherit permissions = Yes
veto oplock files = /*.TTF/*.XLS/*.DOC/

[tmp]
comment = Temporary file space
path = /tmp
valid users = @ITCS CSS Team, @Domain Admins
admin users = @Domain Admins
read only = No
create mask = 0664
directory mask = 02770
dos filetime resolution = Yes


