RE: [Samba] When to use WINS server in a home network?

2008-12-11 Thread Eric Diven
If your IP addresses are statically assigned, you could put them in the
hosts file too.  The Windows hosts file is in
WINDOWS\system32\drivers\etc

Of course, any time anything changes, you'll have to update your hosts
files.  Whether that's better or worse than having a WINS server or
using the IP addresses themselves is up to you.

~Eric 

> -Original Message-
> From: samba-bounces+eric.diven=edsiohio@lists.samba.org 
> [mailto:samba-bounces+eric.diven=edsiohio@lists.samba.org]
>  On Behalf Of Rob Shinn
> Sent: Thursday, December 11, 2008 12:39 PM
> To: Uriel Avalos; samba@lists.samba.org
> Subject: Re: [Samba] When to use WINS server in a home network?
> 
> Caveats--virtual machines doing nat are, by definition, on a 
> separate subnet.  And your friends can share without a 
> hostname--just access by IP address! (ACLs apply of course)
> 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


RE: [Samba] Group membership not being honored

2008-12-09 Thread Eric Diven
Well, the source of the problem appears to be that the AD users were
members of too many groups to map successfully, so none were being
mapped except for the primary group.  At least that was my best-guess
interpretation of the "sys_setgroups failed" message I was seeing in the
logs.

Since Solaris only supports membership in 16 groups, and the AD users
were in >100 each, I think that's the problem.  getent group returns the
correct list of users because it's going group->users instead of
user->groups, and so the limitation doesn't come into play.

Thankfully the group we had to set this up for was small enough to just
do the access individually.

~Eric

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
>  On Behalf Of Eric Diven
> Sent: Tuesday, December 02, 2008 10:28 AM
> To: samba@lists.samba.org
> Subject: RE: [Samba] Group membership not being honored
> 
> This works if I assign the permissions to the primary group 
> that the user belongs to.  I seem to remember this working 
> for arbitrary groups in the past.  Can anybody clarify?
> 
> Thanks,
> 
> ~Eric 
> 
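The direction mismatch described in the message above, as an added example that is not part of the original post and is not Samba code: it inverts group(4)-style lines (group->users, as `getent group` prints them) into a per-user membership count (user->groups) and compares that with the supplementary group limit. The sample group lines and all function names are constructed for illustration; the limit of 16 is the Solaris figure quoted in the message.

```c
/* Added example: count a user's group memberships from group->users data
 * and compare with the supplementary group limit. Names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SOLARIS_GROUP_LIMIT 16L   /* figure quoted in the message above */

/* Count the lines of a group(4)-format listing that name `user` as a member.
 * Line format: name:passwd:gid:member1,member2,...
 * Malformed lines (fewer than four fields) are skipped. */
int count_memberships(const char *group_db, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = group_db;
    int count = 0;

    if (ulen == 0)
        return 0;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *p = line;
        int colons = 0;

        if (eol == NULL)
            eol = line + strlen(line);
        /* Skip the first three fields to reach the member list. */
        while (p < eol && colons < 3) {
            if (*p == ':')
                colons++;
            p++;
        }
        /* Walk the comma-separated members; match whole names only. */
        while (colons == 3 && p < eol) {
            const char *end = memchr(p, ',', (size_t)(eol - p));
            if (end == NULL)
                end = eol;
            if ((size_t)(end - p) == ulen && memcmp(p, user, ulen) == 0) {
                count++;          /* a user counts once per group */
                break;
            }
            p = (end < eol) ? end + 1 : eol;
        }
        line = (*eol == '\n') ? eol + 1 : eol;
    }
    return count;
}

/* 1 if a process credential can hold that many supplementary groups.
 * setgroups() rejects a list longer than the limit. */
int fits_in_credential(int memberships, long ngroups_max)
{
    return memberships <= ngroups_max;
}

/* Constructed sample: 20 groups, all listing alice, the first 3 also bob. */
const char *sample_group_db(void)
{
    static char buf[2048];
    size_t off = 0;
    int i;

    for (i = 0; i < 20 && off < sizeof buf; i++)
        off += (size_t)snprintf(buf + off, sizeof buf - off,
                                "corpgrp%02d:x:%d:%salice\n",
                                i, 10000 + i, i < 3 ? "bob," : "");
    return buf;
}

int main(void)
{
    const char *db = sample_group_db();
    const char *users[] = { "alice", "bob" };
    size_t i;

    printf("limit on this host: %ld\n", sysconf(_SC_NGROUPS_MAX));
    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        int n = count_memberships(db, users[i]);
        printf("%s: %d groups, %s a %ld-group credential\n", users[i], n,
               fits_in_credential(n, SOLARIS_GROUP_LIMIT) ? "fits" : "exceeds",
               SOLARIS_GROUP_LIMIT);
    }
    return 0;
}
```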


RE: [Samba] How to enable offline bit in SAMBA

2008-12-04 Thread Eric Diven
The answer is probably going to depend upon exactly how the files are
offline.  The Tobi Oetiker samfs patch will compare the size of the
files to the number of blocks on disk that the file is taking up, and
set the offline bit for any file where the num_blocks * 512 < file_size.
The patch files on his site are tied to the various versions of samba,
but I've never had a problem doing a find and replace on a similar
version.  3.0.28 should work on 3.0.33, and 3.2.4 should work on 3.2.5,
for example.

http://tobi.oetiker.ch/solaris/sambasamfs/

Good luck,

~Eric

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
>  On Behalf Of Vincent Guo
> Sent: Thursday, December 04, 2008 5:21 AM
> To: samba@lists.samba.org
> Cc: [EMAIL PROTECTED]
> Subject: [Samba] How to enable offline bit in SAMBA
> 
> We have a SAMBA built from source code, and we want to enable 
> offline bit in SAMBA. Can anybody give some advice on this?
> 
> 
> Thanks.
> 
> Vincent
> 
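The size-versus-allocated-blocks test described in the message above, as an added example that is not part of the original post and is not taken from the samfs patch. Function names and the sample values in `main` are constructed for illustration.

```c
/* Added example: the num_blocks * 512 < file_size test applied through
 * stat(2). Not code from the samfs patch; names are hypothetical. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Linux and Solaris report st_blocks in 512-byte units, whatever the
 * filesystem's own block size is. */
#define STAT_BLOCK_BYTES 512LL

/* Pure form of the test: returns 1 when fewer bytes are allocated on disk
 * than the file's logical length. Sparse files satisfy the same condition,
 * so the heuristic cannot tell them apart from released files. */
int looks_offline(long long file_size, long long num_blocks)
{
    if (file_size <= 0 || num_blocks < 0)
        return 0;                      /* empty file or nonsense input */
    return num_blocks * STAT_BLOCK_BYTES < file_size;
}

/* Apply the test to a path.
 * Returns 1 (looks offline), 0 (fully resident), or -1 when stat fails
 * or the path is not a regular file. */
int path_looks_offline(const char *path)
{
    struct stat st;

    if (path == NULL || stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return -1;
    return looks_offline((long long)st.st_size, (long long)st.st_blocks);
}

int main(int argc, char **argv)
{
    /* Constructed (size, blocks) pairs showing both sides of the boundary. */
    static const struct {
        long long size, blocks;
        const char *what;
    } demo[] = {
        { 1048576, 2048, "1 MiB, fully allocated" },
        { 1048576,    0, "1 MiB, no blocks on disk" },
        {    1000,    2, "1000 bytes in two blocks" },
        {    1025,    2, "1025 bytes in two blocks" },
    };
    size_t i;
    int a;

    for (i = 0; i < sizeof demo / sizeof demo[0]; i++)
        printf("%-28s -> %s\n", demo[i].what,
               looks_offline(demo[i].size, demo[i].blocks) ? "offline"
                                                           : "resident");

    /* Any paths given on the command line are checked with stat(2). */
    for (a = 1; a < argc; a++) {
        int r = path_looks_offline(argv[a]);
        printf("%s: %s\n", argv[a],
               r < 0 ? "not a readable regular file"
                     : r ? "offline" : "resident");
    }
    return 0;
}
```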


RE: [Samba] Problems joining a domain with a large number of DCs

2008-12-02 Thread Eric Diven
> -Original Message-
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 02, 2008 12:29 PM
> To: [EMAIL PROTECTED]
> Cc: Eric Diven; samba@lists.samba.org
> Subject: Re: [Samba] Problems joining a domain with a large 
> number of DCs
> 
> 
> Volker Lendecke wrote:
> > On Tue, Dec 02, 2008 at 11:07:15AM -0600, Gerald (Jerry) 
> Carter wrote:
> >> This is the commit
> >> 
> http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=af33c8b3521564c22
> >> 9091f197341ba33a7d6f162
> >>
> >> I expect it was only a regression in the older code.  You 
> could ask 
> >> Volker directly.
> > 
> > Okay, you completely lost me here. Looking at the subject 
> of the mails 
> > I thought this is about server affinity cache stuff during 
> join. How 
> > does af33c8b35215 relate to that?
> 
> Sorry.  My fault.  I pointed at the top of tree that you 
> referred to the snapshot.  I should have been paying more attention.
> 
> I'm guessing I should have been pointing at
> 
> 
> commit 80e74a27c55c01221091e3eec930c2ac4433c22c
> Author: Stefan Metzmacher <[EMAIL PROTECTED]>
> Date:   Mon Oct 27 19:31:30 2008 +0100
> 
> libsmb/namequery.c: add saf_join_store() function
> 
> saf_join_store() should be called after a successful
> domain join, the affinity to the dc used at join time
> has a larger ttl, to avoid problems with delayed replication.
> 
> metze
> 
> Signed-off-by: Stefan Metzmacher <[EMAIL PROTECTED]>
> Signed-off-by: Günther Deschner <[EMAIL PROTECTED]>
> 
> And since the domain join code was rewritten to use libnet in 
> 3.2, this would explain why the commit doesn't seem to exist 
> in another branch.
> 
> 
> 
> 
> cheers, jerry
> 

Okay, I'll give the 3.2.x branch a try and see what happens.
Thanks for clarifying the situation on this.

~Eric


RE: [Samba] Problems joining a domain with a large number of DCs

2008-12-02 Thread Eric Diven
> > I hate to drag this one up again, but I'm having issues with that 
> > snapshot of 3-0-test (smbd crashing, can't pin it to 
> anything).  Are 
> > the fixes actually in 3.0.33, or do I need to get a more recent 
> > version of 3-0-test?  I've looked at the release notes and 
> I don't see 
> > anything about the issue in there (just the security fix you made).
> 
> I believe it only included the security fix.
> 
> > Alternately, if I need to move to 3.2.5, I'm fine with that too.
> 
> This is better in the long run.  3.3.0 will be out soon and 
> the 3.0 tree will become only more frozen.
> 

I looked through the release notes going back to 3.2.0, and I don't see
anything in them matching Volker's description for those fixes.  Is
there a bug on this I can check or something else I should be looking
for?

Thanks,

~Eric


RE: [Samba] Problems joining a domain with a large number of DCs

2008-12-02 Thread Eric Diven
> You might want to use the latest git checkout of 3-0-test, 
> for example available via
> 
> http://repo.or.cz/w/Samba.git?a=snapshot;h=af33c8b3521564c;sf=tgz
> 
> as there have been fixes for the server affinity cache during join.
> 
> Volker
> 

I hate to drag this one up again, but I'm having issues with that
snapshot of 3-0-test (smbd crashing, can't pin it to anything).  Are the
fixes actually in 3.0.33, or do I need to get a more recent version of
3-0-test?  I've looked at the release notes and I don't see anything
about the issue in there (just the security fix you made).

Alternately, if I need to move to 3.2.5, I'm fine with that too.

Thanks,

~Eric


RE: [Samba] Group membership not being honored

2008-12-02 Thread Eric Diven
This works if I assign the permissions to the primary group that the
user belongs to.  I seem to remember this working for arbitrary groups
in the past.  Can anybody clarify?

Thanks,

~Eric 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
>  On Behalf Of Eric Diven
> Sent: Monday, December 01, 2008 6:10 PM
> To: samba@lists.samba.org
> Subject: [Samba] Group membership not being honored
> 
> I've got a relatively simple permissions scheme I need to 
> implement, and I'm having issues with group membership.
> 
> I have a share that I need to grant an active directory group 
> full control to.  If I add an AD user to the ACL on the 
> directory that is the root of the share, the user can access 
> it.  If I add an AD group to the ACL on that same directory, 
> group members cannot access the directory.
> 
> Any ideas please?
> 
> Thanks,
> 
> ~Eric/


[Samba] Group membership not being honored

2008-12-01 Thread Eric Diven
I've got a relatively simple permissions scheme I need to implement, and
I'm having issues with group membership.

I have a share that I need to grant an active directory group full
control to.  If I add an AD user to the ACL on the directory that is the
root of the share, the user can access it.  If I add an AD group to the
ACL on that same directory, group members cannot access the directory.

Any ideas please?

Thanks,

~Eric/


[Samba] Crashing in Get_Pwnam_internals

2008-11-25 Thread Eric Diven
I have two samba servers with pretty much identical setups (same
smb.conf, smbd, winbindd, libnss_winbind.so binaries), joined to the
same domain, one of which works, one doesn't.  I'm seeing smbd crashing
when I try to connect to the problem server with the following
information in the logs.

OS is Solaris 10 update 5
samba is a repository snapshot that Volker pointed me at to resolve an
issue with the number of DCs on the domain.

The working server is working pretty much flawlessly, and I can wbinfo
and getent the same information without issue on both servers.  The
crash happens whether I connect with windows or the smbclient, and when
I see it with smbclient, it comes after I've entered the password.

Any ideas what I might check to figure out what's going on?

Thanks,

~Eric

[2008/11/25 13:23:43, 6] param/loadparm.c:lp_file_list_changed(3102)
  lp_file_list_changed()
  file /opt/DEVONsamba/lib/smb.conf -> /opt/DEVONsamba/lib/smb.conf
last mod_time: Tue Nov 25 13:22:57 2008

[2008/11/25 13:23:43, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [CORP]\[connep] from workstation
[HOUSSFSFL001P]
[2008/11/25 13:23:43, 5] auth/auth_util.c:make_user_info(75)
  attempting to make a user_info for connep (connep)
[2008/11/25 13:23:43, 5] auth/auth_util.c:make_user_info(85)
  making strings for connep's user_info struct
[2008/11/25 13:23:43, 5] auth/auth_util.c:make_user_info(117)
  making blobs for connep's user_info struct
[2008/11/25 13:23:43, 10] auth/auth_util.c:make_user_info(135)
  made an encrypted user_info for connep (connep)
[2008/11/25 13:23:43, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2008/11/25 13:23:43, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2008/11/25 13:23:43, 10] auth/auth.c:check_ntlm_password(233)
  check_ntlm_password: auth_context challenge created by NTLMSSP
callback (NTLM2)
[2008/11/25 13:23:43, 10] auth/auth.c:check_ntlm_password(235)
  challenge is:
[2008/11/25 13:23:43, 5] lib/util.c:dump_data(2265)
  [000] E7 F3 2E FF 09 76 33 58   .v3X
[2008/11/25 13:23:43, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2008/11/25 13:23:43, 8] lib/util.c:is_myname(2077)
  is_myname("CORP") returns 0
[2008/11/25 13:23:43, 6] auth/auth_sam.c:check_samstrict_security(415)
  check_samstrict_security: CORP is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2008/11/25 13:23:43, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2008/11/25 13:23:43, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/11/25 13:23:43, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/11/25 13:23:43, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/11/25 13:23:43, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2008/11/25 13:23:43, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2008/11/25 13:23:44, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/11/25 13:23:44, 6] rpc_parse/parse_prs.c:prs_debug(84)
  00 net_io_user_info3
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint32(710)
   ptr_user_info : 00020004
[2008/11/25 13:23:44, 7] rpc_parse/parse_prs.c:prs_debug(84)
  04 smb_io_time logon time
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint32(710)
  0004 low : 089629b5
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint32(710)
  0008 high: 01c93e87

 OUTPUT CONTINUES FOR A WHILE LIKE THIS 

[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint8(616)
  106b id_auth[5] : 05
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint32s(997)
  106c sub_auths : 0015 494536f5 62e26657
6b635f23 0001b271
[2008/11/25 13:23:44, 8] rpc_parse/parse_prs.c:prs_debug(84)
  001080 smb_io_dom_sid2
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint32(710)
  1080 num_auths: 0005
[2008/11/25 13:23:44, 9] rpc_parse/parse_prs.c:prs_debug(84)
  001084 smb_io_dom_sid sid
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint8(616)
  1084 sid_rev_num: 01
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint8(616)
  1085 num_auths  : 05
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint8(616)
  1086 id_auth[0] : 00
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint8(616)
  1087 id_auth[1] : 00
[2008/11/25 13:23:44, 5] rpc_parse/parse_prs.c:prs_uint8(616)
  1088 id_auth[2] : 00
[2008/11/25 13:23:44, 5] rpc_parse/parse_p

RE: [Samba] Problems joining a domain with a large number of DCs

2008-11-18 Thread Eric Diven
> > > I'm having issues joining samba to a domain with a large 
> number of 
> > > domain controllers.  The domain is a mixed windows
> > 2003/windows 2008
> > > domain.  The samba server is Solaris 10 update 5 running on SPARC.
> > > 
> > > I have a custom samba build of samba 3.0.28 on the server
> > because we
> > > need Tobi Oetiker's samfs patch.  Because of the issue 
> that version 
> > > has with passwords longer than eight characters on Solaris,
> > I've also
> > > built samba 3.0.24 for using net to join the domain.
> > 
> > You might want to use the latest git checkout of 3-0-test, 
> for example 
> > available via
> > 
> > http://repo.or.cz/w/Samba.git?a=snapshot;h=af33c8b3521564c;sf=tgz
> > 
> > as there have been fixes for the server affinity cache during join.
> > 
> > Volker
> > 
> 

Volker, you're awesome.  I finally got a chance to get everybody in the
same room and try it out, and lo, it just worked.  Thanks!

~Eric


RE: [Samba] Problems running autoconf on Solaris 10 Update 4

2008-11-17 Thread Eric Diven
> > It looks like all of this stuff is under source/lib.  It's like the 
> > autoconf equivalent of CPPFLAGS needs to be set so it picks up the 
> > directories that contain the stuff.  More research.
> 
> You might just run ./autogen on a recent linux box and scp 
> the result to Solaris.
> 
> Volker
> 

Thanks Volker, that worked like a charm!

~Eric


RE: [Samba] Problems running autoconf on Solaris 10 Update 4

2008-11-14 Thread Eric Diven
> -bash-3.00$ autoconf
> /usr/local/bin/m4:lib/replace/libreplace.m4:359: cannot open
> `libreplace_cc.m4': No such file or directory
> /usr/local/bin/m4:lib/replace/libreplace.m4:360: cannot open
> `libreplace_macros.m4': No such file or directory
> /usr/local/bin/m4:lib/replace/libreplace.m4:361: cannot open
> `autoconf-2.60.m4': No such file or directory
> /usr/local/bin/m4:configure.in:856: cannot open 
> `system/config.m4': No such file or directory
> /usr/local/bin/m4:configure.in:856: cannot open `dlfcn.m4': 
> No such file or directory
> /usr/local/bin/m4:configure.in:856: cannot open `getpass.m4': 
> No such file or directory
> /usr/local/bin/m4:configure.in:856: cannot open 
> `strptime.m4': No such file or directory
> /usr/local/bin/m4:configure.in:856: cannot open `win32.m4': 
> No such file or directory
> /usr/local/bin/m4:configure.in:856: cannot open `timegm.m4': 
> No such file or directory
> /usr/local/bin/m4:configure.in:856: cannot open `repdir.m4': 
> No such file or directory
> autom4te: /usr/local/bin/m4 failed with exit status: 1 

It looks like all of this stuff is under source/lib.  It's like the
autoconf equivalent of CPPFLAGS needs to be set so it picks up the
directories that contain the stuff.  More research.

~Eric


[Samba] Problems running autoconf on Solaris 10 Update 4

2008-11-14 Thread Eric Diven
Sorry for the double post, I've been doing some more looking into this,
and it seems like this is a separate problem of more general interest
than my original AD issue.

My understanding is that the repository does not maintain a configure
script in the source directory.  Packaged releases of the samba code
include one, but if you're trying to build from the repo, you need to do
it yourself by running autoconf.

I've tried running autoconf to generate a configure script, but I'm not
getting very far.  This is on Solaris 10 update 4, I've updated m4 and
autoconf to the latest versions available on sunfreeware.com.  Output is
below.  The first 3 files that are causing problems are in lib/replace.
I haven't been able to turn up the others with a quick check, but I
could be looking in the wrong place.

Thanks, 

~Eric

-bash-3.00$ autoconf
/usr/local/bin/m4:lib/replace/libreplace.m4:359: cannot open
`libreplace_cc.m4': No such file or directory
/usr/local/bin/m4:lib/replace/libreplace.m4:360: cannot open
`libreplace_macros.m4': No such file or directory
/usr/local/bin/m4:lib/replace/libreplace.m4:361: cannot open
`autoconf-2.60.m4': No such file or directory
/usr/local/bin/m4:configure.in:856: cannot open `system/config.m4': No
such file or directory
/usr/local/bin/m4:configure.in:856: cannot open `dlfcn.m4': No such file
or directory
/usr/local/bin/m4:configure.in:856: cannot open `getpass.m4': No such
file or directory
/usr/local/bin/m4:configure.in:856: cannot open `strptime.m4': No such
file or directory
/usr/local/bin/m4:configure.in:856: cannot open `win32.m4': No such file
or directory
/usr/local/bin/m4:configure.in:856: cannot open `timegm.m4': No such
file or directory
/usr/local/bin/m4:configure.in:856: cannot open `repdir.m4': No such
file or directory
autom4te: /usr/local/bin/m4 failed with exit status: 1
-bash-3.00$ /usr/local/bin/m4 --version
m4 (GNU M4) 1.4.12
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Rene' Seindal.
-bash-3.00$ find lib/replace/
lib/replace/
lib/replace/.checker_innocent
lib/replace/Makefile.in
lib/replace/README
lib/replace/aclocal.m4
lib/replace/autoconf-2.60.m4
lib/replace/autogen.sh
lib/replace/config.guess
lib/replace/config.sub
lib/replace/configure.ac
lib/replace/dlfcn.c
lib/replace/dlfcn.m4
lib/replace/getpass.c
lib/replace/getpass.m4
lib/replace/install-sh
lib/replace/libreplace.m4
lib/replace/libreplace_cc.m4
lib/replace/libreplace_macros.m4
lib/replace/repdir.m4
lib/replace/repdir_getdents.c
lib/replace/repdir_getdirentries.c
lib/replace/replace.c
lib/replace/replace.h
lib/replace/samba.m4
lib/replace/snprintf.c
lib/replace/strptime.c
lib/replace/strptime.m4
lib/replace/system
lib/replace/system/README
lib/replace/system/aio.h
lib/replace/system/capability.h
lib/replace/system/config.m4
lib/replace/system/dir.h
lib/replace/system/filesys.h
lib/replace/system/glob.h
lib/replace/system/iconv.h
lib/replace/system/kerberos.h
lib/replace/system/locale.h
lib/replace/system/network.h
lib/replace/system/passwd.h
lib/replace/system/printing.h
lib/replace/system/readline.h
lib/replace/system/select.h
lib/replace/system/shmem.h
lib/replace/system/syslog.h
lib/replace/system/terminal.h
lib/replace/system/time.h
lib/replace/system/wait.h
lib/replace/test
lib/replace/test/os2_delete.c
lib/replace/test/shared_mmap.c
lib/replace/test/strptime.c
lib/replace/test/testsuite.c
lib/replace/timegm.c
lib/replace/timegm.m4
lib/replace/win32.m4
lib/replace/win32_replace.h
-bash-3.00$


RE: [Samba] Problems joining a domain with a large number of DCs

2008-11-14 Thread Eric Diven
> > I'm having issues joining samba to a domain with a large number of 
> > domain controllers.  The domain is a mixed windows 
> 2003/windows 2008 
> > domain.  The samba server is Solaris 10 update 5 running on SPARC.
> > 
> > I have a custom samba build of samba 3.0.28 on the server 
> because we 
> > need Tobi Oetiker's samfs patch.  Because of the issue that version 
> > has with passwords longer than eight characters on Solaris, 
> I've also 
> > built samba 3.0.24 for using net to join the domain.
> 
> You might want to use the latest git checkout of 3-0-test, 
> for example available via
> 
> http://repo.or.cz/w/Samba.git?a=snapshot;h=af33c8b3521564c;sf=tgz
> 
> as there have been fixes for the server affinity cache during join.
> 
> Volker
> 

Volker,

Thanks again for the quick answer, I've been tied up with other stuff
and just now got around to working on the samba project.

It turns out that the tarball from the link you sent me has no configure
script in the source directory.  I've tried running autoconf to generate
a configure script, but I'm not getting very far.  This is on Solaris 10
update 4, I've updated m4 and autoconf to the latest versions from
sunfreeware.com.  Output is below.  The first 3 files that are causing
problems are in lib/replace.  I haven't been able to turn up the others
with a quick check, but I could be looking in the wrong place.

Thanks, 

~Eric

-bash-3.00$ autoconf
/usr/local/bin/m4:lib/replace/libreplace.m4:359: cannot open
`libreplace_cc.m4': No such file or directory
/usr/local/bin/m4:lib/replace/libreplace.m4:360: cannot open
`libreplace_macros.m4': No such file or directory
/usr/local/bin/m4:lib/replace/libreplace.m4:361: cannot open
`autoconf-2.60.m4': No such file or directory
/usr/local/bin/m4:configure.in:856: cannot open `system/config.m4': No
such file or directory
/usr/local/bin/m4:configure.in:856: cannot open `dlfcn.m4': No such file
or directory
/usr/local/bin/m4:configure.in:856: cannot open `getpass.m4': No such
file or directory
/usr/local/bin/m4:configure.in:856: cannot open `strptime.m4': No such
file or directory
/usr/local/bin/m4:configure.in:856: cannot open `win32.m4': No such file
or directory
/usr/local/bin/m4:configure.in:856: cannot open `timegm.m4': No such
file or directory
/usr/local/bin/m4:configure.in:856: cannot open `repdir.m4': No such
file or directory
autom4te: /usr/local/bin/m4 failed with exit status: 1
-bash-3.00$ /usr/local/bin/m4 --version
m4 (GNU M4) 1.4.12
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Rene' Seindal.
-bash-3.00$ find lib/replace/
lib/replace/
lib/replace/.checker_innocent
lib/replace/Makefile.in
lib/replace/README
lib/replace/aclocal.m4
lib/replace/autoconf-2.60.m4
lib/replace/autogen.sh
lib/replace/config.guess
lib/replace/config.sub
lib/replace/configure.ac
lib/replace/dlfcn.c
lib/replace/dlfcn.m4
lib/replace/getpass.c
lib/replace/getpass.m4
lib/replace/install-sh
lib/replace/libreplace.m4
lib/replace/libreplace_cc.m4
lib/replace/libreplace_macros.m4
lib/replace/repdir.m4
lib/replace/repdir_getdents.c
lib/replace/repdir_getdirentries.c
lib/replace/replace.c
lib/replace/replace.h
lib/replace/samba.m4
lib/replace/snprintf.c
lib/replace/strptime.c
lib/replace/strptime.m4
lib/replace/system
lib/replace/system/README
lib/replace/system/aio.h
lib/replace/system/capability.h
lib/replace/system/config.m4
lib/replace/system/dir.h
lib/replace/system/filesys.h
lib/replace/system/glob.h
lib/replace/system/iconv.h
lib/replace/system/kerberos.h
lib/replace/system/locale.h
lib/replace/system/network.h
lib/replace/system/passwd.h
lib/replace/system/printing.h
lib/replace/system/readline.h
lib/replace/system/select.h
lib/replace/system/shmem.h
lib/replace/system/syslog.h
lib/replace/system/terminal.h
lib/replace/system/time.h
lib/replace/system/wait.h
lib/replace/test
lib/replace/test/os2_delete.c
lib/replace/test/shared_mmap.c
lib/replace/test/strptime.c
lib/replace/test/testsuite.c
lib/replace/timegm.c
lib/replace/timegm.m4
lib/replace/win32.m4
lib/replace/win32_replace.h
-bash-3.00$


RE: [Samba] Problems joining a domain with a large number of DCs

2008-11-05 Thread Eric Diven
> > > On Tue, Nov 04, 2008 at 05:59:25PM -0500, Eric Diven wrote:
> > > I'm having issues joining samba to a domain with a large 
> number of 
> > > domain controllers.  The domain is a mixed windows
> > 2003/windows 2008
> > > domain.  The samba server is Solaris 10 update 5 running on SPARC.
> > > 
> > > I have a custom samba build of samba 3.0.28 on the server
> > because we
> > > need Tobi Oetiker's samfs patch.  Because of the issue 
> that version 
> > > has with passwords longer than eight characters on Solaris,
> > I've also
> > > built samba 3.0.24 for using net to join the domain.
> > 
> > You might want to use the latest git checkout of 3-0-test, 
> for example
> 
> > available via
> > 
> > http://repo.or.cz/w/Samba.git?a=snapshot;h=af33c8b3521564c;sf=tgz
> > 
> > as there have been fixes for the server affinity cache during join.
> > 
> > Volker
> > 
> 
> Volker, thanks.  I'll take a look at that and see if it 
> works.  To clarify, is the issue in net in 3.0.24, and I can 
> resolve my problem by using only net from the git snapshot.  
> Or will I need to apply the Tobi patch to the snapshot and 
> use that build in its entirety?
> 
> Also, if I go to that build, it looks like the 8 character 
> password bug
> (https://bugzilla.samba.org/show_bug.cgi?id=4866) is still in 
> the re-opened state.  I'll try it, but if it's still an 
> issue, the domain policy prevents using passwords as short as 
> 8 characters.  I was looking yesterday for instructions on 
> how to join a machine to a domain without having to enter the 
> admin password.
> 
> My impression (probably incorrect) is that this can be done 
> by creating the machine account in AD before trying to join 
> the machine, but I've been unable to actually find any info 
> about how to then get samba joined.
> 
> Thanks again,
> 
> ~Eric
> 
> (Volker, sorry for the duplicate email, I hit the wrong reply 
> the first
> time)

I've been going through the changelogs, and it looks like the Solaris 8
char password bug was fixed in 3.0.28a by Jiri Sasek.  The bug still
lists as REOPENED, but there hasn't been any activity on it since
November of last year.

3.0.28a also appears to have added support for joining a Windows 2008
domain, which may be relevant as it is a mixed environment with both
W2K3 and W2K8 DCs.

~Eric


RE: [Samba] Problems joining a domain with a large number of DCs

2008-11-05 Thread Eric Diven
> On Tue, Nov 04, 2008 at 05:59:25PM -0500, Eric Diven wrote:
> > I'm having issues joining samba to a domain with a large number of 
> > domain controllers.  The domain is a mixed windows
> 2003/windows 2008
> > domain.  The samba server is Solaris 10 update 5 running on SPARC.
> > 
> > I have a custom samba build of samba 3.0.28 on the server
> because we
> > need Tobi Oetiker's samfs patch.  Because of the issue that version 
> > has with passwords longer than eight characters on Solaris,
> I've also
> > built samba 3.0.24 for using net to join the domain.
> 
> You might want to use the latest git checkout of 3-0-test, for example

> available via
> 
> http://repo.or.cz/w/Samba.git?a=snapshot;h=af33c8b3521564c;sf=tgz
> 
> as there have been fixes for the server affinity cache during join.
> 
> Volker
> 

Volker, thanks.  I'll take a look at that and see if it works.  To
clarify, is the issue in net in 3.0.24, and I can resolve my problem by
using only net from the git snapshot.  Or will I need to apply the Tobi
patch to the snapshot and use that build in its entirety?

Also, if I go to that build, it looks like the 8 character password bug
(https://bugzilla.samba.org/show_bug.cgi?id=4866) is still in the
re-opened state.  I'll try it, but if it's still an issue, the domain
policy prevents using passwords as short as 8 characters.  I was looking
yesterday for instructions on how to join a machine to a domain without
having to enter the admin password.

My impression (probably incorrect) is that this can be done by creating
the machine account in AD before trying to join the machine, but I've
been unable to actually find any info about how to then get samba
joined.

Thanks again,

~Eric

(Volker, sorry for the duplicate email, I hit the wrong reply the first
time)


[Samba] Problems joining a domain with a large number of DCs

2008-11-04 Thread Eric Diven
I'm having issues joining samba to a domain with a large number of
domain controllers.  The domain is a mixed windows 2003/windows 2008
domain.  The samba server is Solaris 10 update 5 running on SPARC.

I have a custom samba build of samba 3.0.28 on the server because we
need Tobi Oetiker's samfs patch.  Because of the issue that version has
with passwords longer than eight characters on Solaris, I've also built
samba 3.0.24 for using net to join the domain.

Using net from 3.0.24, I'm able to join the domain in the customary net
ads join -U [EMAIL PROTECTED] way.  A windows admin confirms that the
account is created in active directory, and that it's enabled.  When I
net ads testjoin, however, it fails with the following error:

[2008/11/04 15:39:50, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found)
[2008/11/04 15:39:50, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password [EMAIL PROTECTED] failed:
Preauthentication failed
Join to domain is not valid: Logon failure

Some googling around suggested that this might be caused by
inconsistencies in the information in the DCs on a large domain, so I
followed the suggestion to remove the machine account completely, create
it by hand, manually synch the DCs, and then try.  Various invocations
of net ads join caused account disablement and the same error as above.

Digging further into the kerberos error, I can kinit a user on the
domain without difficulty, and when I subsequently klist, I see some
tickets.  I can kdestroy and kinit, and tickets reappear.

Could anybody suggest what else I should look at?  Is this a kerberos
issue, a samba issue with caching the credentials, or something else?

Thanks,

~Eric

here's the stuff net pulls from the config file when it runs:

[2008/11/04 15:39:29, 3] param/loadparm.c:do_section(3778)
  Processing section "[global]"
  doing parameter aio read size = 1
  doing parameter aio write size = 1
  doing parameter workgroup = FOO
  doing parameter server string = MSR Server
  doing parameter security = ADS
  doing parameter log file = /var/samba/log/log.%m
  doing parameter max log size = 50
  doing parameter password server = server1 server2 server3
  doing parameter realm = FOO.DOMAIN.COM
  doing parameter passdb backend = smbpasswd
  doing parameter preferred master = no
  doing parameter dns proxy = no
  doing parameter encrypt passwords = yes
  doing parameter winbind separator = +
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = no
  doing parameter winbind enum groups = no
  doing parameter idmap uid = 1-2
  doing parameter idmap gid = 1-2

I'll post logs if people want to see 'em.


RE: [Samba] Restrict permission changes

2008-06-16 Thread Eric Diven
Hmmm.  I don't know if there's a way to do this in smb.conf.  Maybe somebody 
else knows.  Failing that, if it's appropriate to your environment, you can 
have a unix user own the files (who never logs on as a windows user) and set 
the inherit owner option in the smb.conf file.  That's a lousy solution if you 
actually need to have people owning their own files though.  Is it even 
possible to do this under Windows natively?

I completely understand why you want to do this, Windows ACLs vs Unix ACLs and 
perms quickly get nasty.

If you're on a filesystem that supports NFS v4 ACLs (rare enough, I know), 
could you remove WRITE_DACL permission from the owner's ACE?

~Eric  

-Original Message-
From: Jan Patrick Lübbert [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 16, 2008 10:49 AM
To: Eric Diven
Subject: Re: [Samba] Restrict permission changes

No, both of them off. Only the owner can change permissions, that's right, but 
I want to restrict it so nobody is able to change them.

Jan

> -Original Message-
> Do you have acl group control = yes or dos filemode = yes in your smb.conf? 
> By default only the owner of the files should be able to change permissions.  
> Either of these affect that.

> ~Eric

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Jan Patrick Lübbert
> Sent: Monday, June 16, 2008 9:33 AM
> To: samba@lists.samba.org
> Subject: [Samba] Restrict permission changes

> Hello,

> I've a share with preset permissions on different directories including acls.
> So in one folder for example users can only read and into other read and 
> write.
> Everything works fine. The Problem is if one user decides to change 
> the permission of a file or directory (via Windows) the acls and permissions 
> get messed up.

> How can I restrict users from changing permission on a share? I tried 
> "security mode" and "force security mode", but the acls always get deleted.

> Thanks

> Jan




--
With kind regards
Jan Patrick Lübbert  mailto:[EMAIL PROTECTED]



[Samba] How to map an AD group to an existing unix group/gid

2008-06-13 Thread Eric Diven
I have a unix group that owns some files on a share, and I'd like to set
up a group mapping so that an Active directory group (with an existing
mapping in winbind from earlier use) gets access to these files via a
mapping.

I've been fooling around with net groupmap add, and haven't been able to
get this set up.

The group Domain Users has an existing mapping to gid 10004, which
winbind allocated at some point in the past

I have a group testgroup, with gid=134

I've tried the following:

net groupmap add sid=S-...-513 unixgroup=testgroup
ntgroup="DOMAIN+Domain Users"
which gives the following for a net groupmap list:
DOMAIN+Domain Users (S-...-513) -> testgroup

and

net groupmap add sid=S-...-513 unixgroup=134
which gives this when I do a net groupmap list:
134 (S-...-513) -> DOMAIN+domain users

For both of these, when I view the properties of a file owned by
testgroup, the group owner shows up as Domain Users, with both read and
write permissions.  

For both of these, wbinfo shows the following:

wbinfo --group-info="DOMAIN+domain users"
DOMAIN+domain users:x:134

So far, so good, right?

However, for both of these, when I try to access a file owned by
testgroup, I'm denied access.  If I create a file in a directory when
logged in as a domain user, it gets created with gid 10004, that's fine.

nscd is disabled, nsswitch.conf contains group:  files winbind, OS is
Solaris 10 update 4, samba is 3.0.25a, as shipped with S10u4.

Any ideas on this?

Thanks,

~Eric


RE: [Samba] what is the recommended samba version on solaris?

2007-11-21 Thread Eric Diven
I'm using 3.0.23d on Solaris 10 successfully.  I was using 3.0.24 and
3.0.25[x] but was having ACL related problems with them.  I never had
the problem you're having though.  Of course Solaris 10 != Solaris 8,
but it's something to try.  Good luck.

~Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Bai, Junmin
Sent: Wednesday, November 21, 2007 12:30 AM
To: samba@lists.samba.org
Subject: [Samba] what is the recommended samba version on solaris?

Guys

I was so frustrated about installing samba with ADS and winbind support
on solaris 8.
After fixing many problems, I am now facing another problem:

I created a directory "test" in the samba share and was editing a file
under the directory "test" and in the meantime the machine was rebooted.
After the machine is started, the
whole directory "test" is gone. 

I am using samba3.0.26a with ads and winbind on solaris 8. Is it a bug
with this version?
Could anybody recommend a samba version for solaris 8.

Thanks
Junmin

-Original Message-
From: Bai, Junmin
Sent: Wednesday, 21 November 2007 4:25 PM
To: '[EMAIL PROTECTED]'; samba@lists.samba.org
Subject: RE: [Samba] winbind caused "ls -l" hang on solaris 8


Thanks for the reply.

By disable nscd on solaris, the problem with "ls -l" hung is fixed.

Now I notice another problem with the samba. I created a directory
"test" in the samba share and was editing a file under the directory
"test" and in the meantime the machine was rebooted. After the machine
is started, the 
whole directory "test" is gone. Anybody know this issue.

Thanks,

Junmin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of [EMAIL PROTECTED]
Sent: Wednesday, 21 November 2007 11:48 AM
To: samba@lists.samba.org
Subject: Re: [Samba] winbind caused "ls -l" hang on solaris 8


Bai, Junmin wrote:
> Thanks for your reply. I understand what you mean. The command
> ldapsearch works fine and wbinfo -u and wbinfo -g work beautifully.

What do "getent passwd" and "getent group" do?  I bet they hang after 
showing the contents of your /etc files.

> It's openldap on solaris 8. Does it need any special configuration?

I admin a Linux system which authenticates against a W2K AD, and have 
the following NSS-related stuff in my /etc/nsswitch.conf:

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass uniqueMember member
nss_map_attribute   uid sAMAccountName
nss_map_attribute   homeDirectory unixHomeDirectory
nss_map_attribute   shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute   cn sAMAccountName

If your /etc/nsswitch.conf is missing these, add 'em and see if they 
make a difference.

Don



RE: Re: [Samba] Samba Fatal Error: GID range full!! (max: 20000)

2007-11-19 Thread Eric Diven
A couple of obvious questions:  

I'm going to assume you've restarted winbindd and smbd, but I thought
I'd mention it because I've done similarly dumb things.

How many users/groups are you enumerating into winbind?  It seems like
unless you're on a huge domain, you're not going to have 2.  wbinfo
-u | wc -l will tell you how many mappings it has currently.  If it's a
large number, say 2, you may need to set winbind enum users = no
(and likewise for groups)

Does the new range overlap the previous working range?  If not, is it
possible you've orphaned the uids and gids in the old range?  I haven't
looked at the winbind code, that's purely speculative, but it's
something to try while somebody more authoritative mulls over your
question.

~Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Tim Evans
Sent: Monday, November 19, 2007 4:19 PM
To: samba@lists.samba.org
Subject: Fw: Re: [Samba] Samba Fatal Error: GID range full!! (max:
2)


On Mon, 19 Nov 2007 12:32:39 -0600, Dale Schroeder wrote
> Tim,
> 
> My guess is that your "idmap uid =" and "idmap gid =" ranges are not 
> large enough.  See:
> http://www.linuxquestions.org/questions/linux-networking-3/samba-
> problem-getent-differs-from-wbinfo-493615/

I have set large, non-overlapping ranges for idmap uid and gid.

Although the error messages about the GID range are no longer seen,
users still cannot access their shares.

> If this doesn't help you, please post your smb.conf

Only changes from the working smb.conf from yesterday are the reset
idmap ranges and the debug level setting.

[global]
workgroup = JJS-SDM
netbios name = appian
server string = appian
hosts allow = 192.168.1. 127.
log file = /var/log/samba/%m.log
debug level = 5
max log size = 50
security = user
encrypt passwords =  no
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
winbind separator = +
idmap uid = 10-30
idmap gid = 10-30
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
domain logons = no
wins server = 192.168.1.250
dns proxy = no


--
Tim Evans, TKEvans.com, Inc.|5 Chestnut Court
UNIX System Admin Consulting|Owings Mills, MD 21117
http://www.tkevans.com/ |443-394-3864
http://www.come-here.com/News/  |[EMAIL PROTECTED]



RE: [Samba] ACL changes on Samba NT 4.0 Member Server

2007-11-05 Thread Eric Diven
Try samba 3.0.23d.  I just built it for Solaris, and it appears to be
working beautifully.
That's several days of my life I'll never get back.

I just built the "new" version, installed it, copied the
libnss_winbind.so to where it lives and restarted samba.  No config
changes, nothing.  

~Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Eric Diven
Sent: Monday, November 05, 2007 12:55 PM
To: samba@lists.samba.org
Subject: RE: [Samba] ACL changes on Samba NT 4.0 Member Server

Not necessarily, console login is controlled by PAM, not winbind.  If
you haven't set up PAM (and you shouldn't need to for just setting up a
file share), you won't be able to log in at the console (or by ssh,
etc).  

I'm still fighting this on my side as well, for what it's worth.  If I
figure it out, I'll let you know.  When I try to add an entry to the
ACL, I get the same error, but in the logs I see an error about not
being able to set the access rights into the Unix security model.  The
error I get is "Too many ACE entries for file to convert to posix
perms."  If you're seeing that too, we might be on to something.

I am seeing it consistently across Solaris and CentOS, so I'm guessing
this isn't a platform related issue for either of us.

Good luck.

~Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Hans-Wilhelm Heisinger
Sent: Monday, November 05, 2007 11:00 AM
To: samba@lists.samba.org
Subject: Re: [Samba] ACL changes on Samba NT 4.0 Member Server

John,

I seemed to have pinpointed the problem down to an authentication
issue.

wbinfo -a CPDOM+admin%password
plaintext password authentication succeeded
challenge/reponse password authentication succeeded

su CPDOM+admin
Password:
su: incorrect password

Any ideas?

John Drescher wrote:
> On 11/2/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote:
>>  I'm not really sure what I'm looking for or which log file the error
>> would present itself in.  Anyways below is my "shot in the dark"
>
> This is the right file but I don't see an error.
>
> Hopefully someone else can help.
>
> John


RE: [Samba] ACL changes on Samba NT 4.0 Member Server

2007-11-05 Thread Eric Diven
Not necessarily, console login is controlled by PAM, not winbind.  If
you haven't set up PAM (and you shouldn't need to for just setting up a
file share), you won't be able to log in at the console (or by ssh,
etc).  

I'm still fighting this on my side as well, for what it's worth.  If I
figure it out, I'll let you know.  When I try to add an entry to the
ACL, I get the same error, but in the logs I see an error about not
being able to set the access rights into the Unix security model.  The
error I get is "Too many ACE entries for file to convert to posix
perms."  If you're seeing that too, we might be on to something.

I am seeing it consistently across Solaris and CentOS, so I'm guessing
this isn't a platform related issue for either of us.

Good luck.

~Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Hans-Wilhelm Heisinger
Sent: Monday, November 05, 2007 11:00 AM
To: samba@lists.samba.org
Subject: Re: [Samba] ACL changes on Samba NT 4.0 Member Server

John,

I seemed to have pinpointed the problem down to an authentication
issue.

wbinfo -a CPDOM+admin%password
plaintext password authentication succeeded
challenge/reponse password authentication succeeded

su CPDOM+admin
Password:
su: incorrect password

Any ideas?

John Drescher wrote:
> On 11/2/07, Hans-Wilhelm Heisinger <[EMAIL PROTECTED]> wrote:
>>  I'm not really sure what I'm looking for or which log file the error
>> would present itself in.  Anyways below is my "shot in the dark"
>
> This is the right file but I don't see an error.
>
> Hopefully someone else can help.
>
> John


RE: [Samba] smbpasswd and 8 character limit

2007-11-02 Thread Eric Diven
Sorry, brain-fart, you'll probably be interested in knowing what version
does work.  The latest version of Samba that I've tested as working with
the password issue is 3.0.24.  I'm having trouble getting ACL support to
work with it, but I have got ADS and winbind working seamlessly.

~Eric 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Gaiseric Vandal
Sent: Friday, November 02, 2007 5:04 PM
To: Samba
Subject: [Samba] smbpasswd and 8 character limit

The smbpasswd on my PDC (Solaris 9, Samba 3.026a) will truncate or
corrupt passwords over 8 chars.

The smbpasswd command on the linux clients (Samba 3.024a) is OK.
Anyone know if this is a samba version issue or something solaris
specific.

Thanks


RE: [Samba] smbpasswd and 8 character limit

2007-11-02 Thread Eric Diven
I'm pretty sure it's Solaris specific, I didn't have problems on my
CentOS box I've been using as a reference machine.  See this bug in
bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=4863

~Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Gaiseric Vandal
Sent: Friday, November 02, 2007 5:04 PM
To: Samba
Subject: [Samba] smbpasswd and 8 character limit

The smbpasswd on my PDC (Solaris 9, Samba 3.026a) will truncate or
corrupt passwords over 8 chars.

The smbpasswd command on the linux clients (Samba 3.024a) is OK.
Anyone know if this is a samba version issue or something solaris
specific.

Thanks


[Samba] File permissions issue: different behavior between samba and unix

2007-11-01 Thread Eric Diven
I'm seeing behavior that I was hoping somebody could explain.  I have a
share set up that will be a repository for company-wide data.  There are
three classes of people who can access it, readers, read/writers, and
admins.  Readers and read/writers are self explanatory, admins have
read/write access, and can change the permissions/ownership of files.

Read and write access is controlled by ACLs on the filesystem (see
below), admin access is controlled by smb.conf.  Read and admin access
works as expected.  Reader/Writer access is behaving unexpectedly.  A
writer can create a file in the share, the ownerships, permissions, and
ACLs are inherited as I expect them to be.  Now it gets strange.  

Once I've created a file, I can't rename it and get the error permission
denied.  I can write to the file itself, but not change its name or
delete it.  Yes I'm aware that rename/delete permission is a function of
the parent directory perms, not the file perms.  As I understand, file
creation requires exactly the same permissions (rwx) as rename and
delete.  Hence the unexpectedness of this.

Now it gets *REALLY* strange:

I can create, rename, and remove directories without difficulty.  I
don't get errors either renaming or deleting them.

One last bit of strangeness:

If I change the group ownership of the directory to the writer's group,
the unexpected behavior goes away.  This seems to suggest to me that
something strange is happening with the ACLs in samba in the case of
file rename or delete.

Samba version is 3.0.24, the issue is reproducible on Solaris and
CentOS.  I hesitate to call this a bug, because there could be a reason
for this, but this behavior is not consistent with how this works under
unix at the shell.  I duplicated the reader/writer permissions and acls
with a non-domain user and group, and observed the behavior I expected,
namely that I could rename and remove the file I had created.

If you want logs or further information, I can send them to you.

Thanks,

~Eric

Here are the perms and acls I've set up on the directory.  Note that the
setgid bit is set so that files created in the directory inherit root
group ownership:

bash-3.00# ls -ld afiles
drwxrws---+  2 root root 512 Nov  1 10:21 afiles

bash-3.00# getfacl afiles
# file: afiles
# owner: root
# group: root
user::rwx
user:afile:rwx  #effective:rwx
group::rwx  #effective:rwx
group:afile:rwx #effective:rwx
group:W2K3TEST+areaders:r-x #effective:r-x
group:W2K3TEST+awriters:rwx #effective:rwx
group:W2K3TEST+admins:rwx   #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
bash-3.00#

Here is the share definition as spat back out from testparm

[afiles]
path = /honda/afiles
admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
read only = No
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes



[Samba] Problem with ACLs "Too many ACE entries for file to convert to posix perms."

2007-10-30 Thread Eric Diven
At the suggestion of Stas, I'm starting a new thread on this one.  This
pretty much covers where I'm at right now:

Doug, thanks, here's a complete listing of the config file, and some
logging, hopefully this will be illuminating to somebody.

> Neither of these lines set the log level.

Yes, I've been setting it in the init script.  When I do ps -ef | grep
smbd, I see that logging is enabled.  I straightened out that problem
(the one behind the monitor *sheepish grin*), and the logging works as
it's supposed to.

> Getting windows acl's is a multi step process.

Tell me about it ;-)

> You need a file system capable of supporting extended acl's.  I
> believe you previously said you were using UFS file system.  I haven't
> used UFS since 1987.  Man Mount on linux doesn't suggest extended acl's
> are supported.  Are they?

Both Solaris and CentOS support them.  Using fsetacl and fgetacl, I can
set acls and see them on files in the FS

> Once the file system is capable of supporting extended acl's, you need
> to mount the filesystem with the appropriate options.  By default,
> considering the age of UFS, I would assume extended acl's aren't
> supported by default, if they are at all.

Sun has been updating it, acl support is on by default.  In fact, as
near as I can tell, you can't turn it off.  I'm under the impression
that there are many flavors of UFS, not all of which are compatible.

> Once the filesystem is mounted with the right options, then samba has
> to have been compiled with the correct options, which you've verified.

It sure looks like it ;-)

> After all that, samba has to be configured correctly to support acl's
> in windows.  Samba can be configured to serve files in ms-dos mode, so
> it's not a given.

The smb.conf manpage indicates that nt acl support = yes by default.
Making it explicit doesn't seem to change the behavior.

> Usually, if someone is asked to show the configuration, put out the
> entire conf file.  There's been a lot of dribs and drabs, but much has
> been missing.  First thing I do is run a copy thru testparm.  Most of
> this thread has been like blind mans bluff.

Usually I try to keep it to a minimum, because people frequently don't
trim out the stuff when they reply.  Result, a *lot* of extraneous crap.
As more and more people don't trim, the signal to noise ratio quickly
approaches zero.  As requested, I've put the whole thing in.  I've been
using testparm throughout this project, and I've included its output
too, since it strips comments and stuff that's included by default.

> Just so you know - a lot of people are using acl's in samba.

I don't doubt it.  How I'd love to join them, and I appreciate
everybody's help.

> Regards, Doug

Below, there's also a dump of the level 10 logging from trying to add an
entry to the ACL.  This covers adding an element to the ACL, but not the
issue of seeing them, I'm guessing the issues may be related.  To cut to
the chase, the fatal looking line appears to be the one 3 timestamps
from the bottom:

[2007/10/30 14:16:53, 3]
smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file
foo.txt to convert to posix perms.

This looks suspiciously like it's not actually trying to set the
security as an ACL.  If it were, I'd expect that it wouldn't be trying
to squeeze everything into posix perms.

~Eric


The complete config file:

bash-3.00# cat /usr/local/samba/lib/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#=== Global Settings
=
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = W2K3TEST
   realm = W2K3TEST.LOCAL
   preferred master = no
   server string = croesus running samba
   security = ADS
   encrypt passwords = yes
   winbind separator = +
   winbind use default domain = no
   winbind enum users = no
   winbind enum groups = no
   idmap uid = 1-2
   idmap gid = 1-2

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 5000

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for d

RE: [Samba] Can't see or change ACLs on Windows

2007-10-30 Thread Eric Diven
Doug, thanks, here's a complete listing of the config file, and some
logging, hopefully this will be illuminating to somebody.

> Neither of these lines set the log level.

Yes, I've been setting it in the init script.  When I do ps -ef | grep
smbd, I see that logging is enabled.  I straightened out that problem
(the one behind the monitor *sheepish grin*), and the logging works as
it's supposed to.

> Getting windows acl's is a multi step process.

Tell me about it ;-)

> You need a file system capable of supporting extended acl's.  I
> believe you previously said you were using UFS file system.  I haven't
> used UFS since 1987.  Man Mount on linux doesn't suggest extended acl's
> are supported.  Are they?

Both Solaris and CentOS support them.  Using fsetacl and fgetacl, I can
set acls and see them on files in the FS

> Once the file system is capable of supporting extended acl's, you need
> to mount the filesystem with the appropriate options.  By default,
> considering the age of UFS, I would assume extended acl's aren't
> supported by default, if they are at all.

Sun has been updating it, acl support is on by default.  In fact, as
near as I can tell, you can't turn it off.  I'm under the impression
that there are many flavors of UFS, not all of which are compatible.

> Once the filesystem is mounted with the right options, then samba has
> to have been compiled with the correct options, which you've verified.

It sure looks like it ;-)

> After all that, samba has to be configured correctly to support acl's
> in windows.  Samba can be configured to serve files in ms-dos mode, so
> it's not a given.

The smb.conf manpage indicates that nt acl support = yes by default.
Making it explicit doesn't seem to change the behavior.

> Usually, if someone is asked to show the configuration, put out the
> entire conf file.  There's been a lot of dribs and drabs, but much has
> been missing.  First thing I do is run a copy thru testparm.  Most of
> this thread has been like blind mans bluff.

Usually I try to keep it to a minimum, because people frequently don't
trim out the stuff when they reply.  Result, a *lot* of extraneous crap.
As more and more people don't trim, the signal to noise ratio quickly
approaches zero.  As requested, I've put the whole thing in.  I've been
using testparm throughout this project, and I've included its output
too, since it strips comments and stuff that's included by default.

> Just so you know - a lot of people are using acl's in samba.

I don't doubt it.  How I'd love to join them, and I appreciate
everybody's help.

> Regards, Doug

Below, there's also a dump of the level 10 logging from trying to add an
entry to the ACL.  This covers adding an element to the ACL, but not the
issue of seeing them, I'm guessing the issues may be related.  To cut to
the chase, the fatal looking line appears to be the one 3 timestamps
from the bottom:

[2007/10/30 14:16:53, 3]
smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file
foo.txt to convert to posix perms.

This looks suspiciously like it's not actually trying to set the
security as an ACL.  If it were, I'd expect that it wouldn't be trying
to squeeze everything into posix perms.

~Eric


The complete config file:

bash-3.00# cat /usr/local/samba/lib/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#=== Global Settings
=
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = W2K3TEST
   realm = W2K3TEST.LOCAL
   preferred master = no
   server string = croesus running samba
   security = ADS
   encrypt passwords = yes
   winbind separator = +
   winbind use default domain = no
   winbind enum users = no
   winbind enum groups = no
   idmap uid = 1-2
   idmap gid = 1-2

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 5000

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Share Definition

RE: [Samba] Can't see or change ACLs on Windows

2007-10-30 Thread Eric Diven
Whoops, meant to go to the list, sorry.

~Eric 

-Original Message-
From: Eric Diven 
Sent: Tuesday, October 30, 2007 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Samba] Can't see or change ACLs on Windows

On Tue, Oct 30, 2007 at 10:59:41AM -0400, Eric Diven wrote:
> Okay, here's what I've figured out from trying to do what you
suggested:

Well, so far we haven't seen any debug logs.

Volker

So far, neither have I.  I'm getting nothing in the logs on either
CentOS or Solaris when I do anything from the windows client.  Neither
the mtimes nor the file sizes on the logs that get generated at startup
are changing, and I'm not getting any new logfiles for client machines
that log on:

"Annoyingly, I'm not getting any logging for clients.  Why, I don't
know.
I see start-up messages correctly in the log.smbd file, including those
at log level 10, but not ones from clients.

Here are the logging-related lines from smbd.conf

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50"

^ From yesterday ^

If I could trouble you with a really stupid question:  Do I need to jack
the logging up on nmbd to 10 as well?  I'm working under the assumption
that this is an smbd problem, so that's where I've turned up the
logging.  We all know of course what happens when you assume ;-) 

~Eric


RE: [Samba] Can't see or change ACLs on Windows

2007-10-30 Thread Eric Diven
Okay, here's what I've figured out from trying to do what you suggested:

On CentOS, Administrator appears to be non-magical.  If the shared
directory is owned by root, with permissions 770, Administrator can't
even map the share and gets an access denied error.  If I add
DOMAIN+administrator to the admin users list for the share in the
smb.conf file, I can then map the drive AND change ownership on the
files in the directory, even if I don't own them initially.  I can't,
however (even once DOMAIN+administrator owns the file) add an entry to
the acl using the windows properties screen.  I can't add either a user
or a group to the ACL.  I can modify the unix ugw permissions, for
example, removing write access to the group of the file.

On Solaris, I'm seeing the same thing when I have it configured the same
as CentOS.

It's like samba, for some reason, doesn't know its ass from its elbow
about ACLs on either Solaris or Linux.  Both appear to think they know:

(Solaris) 

bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_SOLARIS_ACLS
   HAVE__ACL
   HAVE__FACL
bash-3.00#

(CentOS)

[EMAIL PROTECTED] stastest]# /usr/local/samba/sbin/smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS
[EMAIL PROTECTED] stastest]# 

As near as I've been able to google up, configuring and compiling with
--with-acl-support is the only thing you need to do to get samba to
support them, apart from having a kernel/fs that support ACLs, which
I've tested on both sides using regular unix tools.

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 30, 2007 7:03 AM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

user that logged in to windows is DOMAIN/administrators group member ?
seems it have some meaning for samba . try to use  the built-in domain
administrator account as a windows login .
i removed all ACL's from test directory and changed owner user and group
to root so getfacl shows :
# file: mnt/loop/1
# owner: root
# group: root
user::rwx
group::rwx
other::---

and no one had access to files .
but i was still able to take ownership and after that set ACL's from
windows box if logged in as user that domain administrators group member
, or administrator itself.

btw , do you try to set file access permissions  or change files owner ?
if you try to change ownership to some domain group you will always get
"access denied" error since samba doesn't support group ownership.






On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote:
>
>
> -----Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 29, 2007 1:37 PM
> To: Eric Diven
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> well , lets's  try again ..
> create test directory " /samba/testdir run # chmod 777 -R 
> /samba/testdir create share in smb.conf that points to /samba/test 
> create some file in new share from windows box.
> open file properties and check permissions and owner ( you should see 
> "everyone - full control , CREATOR OWNER - full control  , etc , and 
> owner of created file should be user that logged in ) now try to set 
> permissions , it should work .
> if you want to restrict users -  remove "everyone" from ACL list , 
> this will just reset "Everyone" permission to "none" , so no one will 
> able to modify files until you add specific users or groups to ACL
list .
> looking strange but it worked for me..
>
> Still no luck.
>
> Our new directory:
> drwxrwxrwx   2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 29
13:41
> stastest
>
> [stastest]
>    path = /foo/stastest
>    writeable = yes
>    inherit owner = yes
>    inherit permissions = yes
>    inherit acls = yes
>    nt acl support = yes
>
> I've tried this with various inherit options on and off (including the

> dir sticky bit for inheriting group ownership)  and still can't get it

> to go.  I've also tried with varying ownerships on the directory with 
> no change.  Also, when I try to remove Everyone (or for that matter, 
> the unix group or owner) from the ACL, it pops right back up.  
> Everyone doesn't have Full Control set either.  Nor for that matter 
> does the group that owns the file.  Both Everyone and the group get rw

> permissions.
>
> ~Eric
>
> ~Eric
>
> On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> >
> >
> > -Original Message-
> > From: Stas [mailto:[EMAIL PROTECTED]
> > Sent: Friday, October 26, 2007 6:56 PM
> > To: Eric Diven
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] Can't see or change ACLs on Windows
> &g

RE: [Samba] Can't see or change ACLs on Windows

2007-10-29 Thread Eric Diven
 

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 29, 2007 1:37 PM
To: Eric Diven
Subject: Re: [Samba] Can't see or change ACLs on Windows

well , lets's  try again ..
create test directory " /samba/testdir
run # chmod 777 -R /samba/testdir
create share in smb.conf that points to /samba/test create some file in
new share from windows box.
open file properties and check permissions and owner ( you should see
"everyone - full control , CREATOR OWNER - full control  , etc , and
owner of created file should be user that logged in ) now try to set
permissions , it should work .
if you want to restrict users -  remove "everyone" from ACL list , this
will just reset "Everyone" permission to "none" , so no one will able to
modify files until you add specific users or groups to ACL list .
looking strange but it worked for me..

Still no luck.

Our new directory:
drwxrwxrwx   2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 29 13:41 stastest

[stastest]
   path = /foo/stastest
   writeable = yes
   inherit owner = yes
   inherit permissions = yes
   inherit acls = yes
   nt acl support = yes

I've tried this with various inherit options on and off (including the
dir sticky bit for inheriting group ownership)  and still can't get it
to go.  I've also tried with varying ownerships on the directory with no
change.  Also, when I try to remove Everyone (or for that matter, the
unix group or owner) from the ACL, it pops right back up.  Everyone
doesn't have Full Control set either.  Nor for that matter does the
group that owns the file.  Both Everyone and the group get rw
permissions.

~Eric

~Eric

On 10/29/07, Eric Diven <[EMAIL PROTECTED]> wrote:
>
>
> -Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 26, 2007 6:56 PM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> any errors in samba's log?
> what error exactly you get at windows box when you try to set 
> permissions?
>
> Annoyingly, I'm not getting any logging for clients.  Why, I don't
know.
> I see start-up messages correctly in the log.smbd file, including 
> those at log level 10, but not ones from clients.
>
> Here are the logging-related lines from smbd.conf
>
> # this tells Samba to use a separate log file for each machine # that 
> connects
>log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
>max log size = 50
>
> The exact text of the error I get in Windows is:
>
> "Unable to save permission changes on hjkl.txt.
>
> Access is denied
>[OK]"
>
> As usual, I'm logged in as the owner of the file.
>
> Sigh.
>
> Thanks for your continuing help on this, by the way.  This is driving 
> me nuts.
>
> ~Eric


RE: [Samba] Can't see or change ACLs on Windows

2007-10-29 Thread Eric Diven
 

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 26, 2007 6:56 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

any errors in samba's log?
what error exactly you get at windows box when you try to set
permissions?

Annoyingly, I'm not getting any logging for clients.  Why, I don't know.
I see start-up messages correctly in the log.smbd file, including those
at log level 10, but not ones from clients.

Here are the logging-related lines from smbd.conf

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

The exact text of the error I get in Windows is:

"Unable to save permission changes on hjkl.txt.

Access is denied
   [OK]"

As usual, I'm logged in as the owner of the file.  

Sigh.

Thanks for your continuing help on this, by the way.  This is driving me
nuts.

~Eric


RE: [Samba] Can't see or change ACLs on Windows

2007-10-22 Thread Eric Diven
Here's what I have set up.  The ACLs on the directory afiles currently
do pretty much what I need them to do with samba, which is set up
permissions and acls on any files created in the directory by a windows
client.  It needs a little fine-tuning, but it's close.

bash-3.00# ls -l ; getfacl afiles
total 2
drwxrws---+  2 W2K3TEST+bobadmin W2K3TEST+awriters 512 Oct 17 17:07 afiles

# file: afiles
# owner: W2K3TEST+bobadmin
# group: W2K3TEST+awriters
user::rwx
user:afile:rwx  #effective:rwx
group::rwx  #effective:rwx
group:afile:rwx #effective:rwx
group:W2K3TEST+areaders:r-x #effective:r-x
group:W2K3TEST+awriters:rwx #effective:rwx
group:W2K3TEST+admins:rwx   #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
bash-3.00# 

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 19, 2007 6:22 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

strange ...
please post  getfacl output .

On 10/19/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> Whoops, these were both supposed to go to the list.
>
> If I log on as the owner of the file, I still can't add another entry 
> to the ACL.  I can change the permissions set on the user, group and 
> world permissions, but that's it.  I do see that the owner is 
> identified as the user I'm logged in as.
>
> ~Eric
>
> -Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 19, 2007 12:13 AM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
> make sure that user logged in to windows box is an owner of files .
> as i know , only owner can change permissions .
> try  # chown "administrator/DOMAIN" /samba/test.txt  , after that try 
> to set permissions on this file from windows .
>
>
> On 10/18/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> > None when I open the security tab, but when I try to add an entry to

> > the ACL, I get:
> >
> > "Unable to save permission changes on directory on 'croesus running 
> > samba (ipaddress)' (driveletter:).
> >
> > Access is denied."
> >
> > The smb.conf file is set up to allow admin access to both an AD user

> > and
> > group:
> >
> > the relevant sections of the smb.conf file:
> >
> > [global]
> > workgroup = W2K3TEST
> > realm = W2K3TEST.LOCAL
> > server string = croesus running samba
> > security = ADS
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > printcap name = /etc/printcap
> > preferred master = No
> > dns proxy = No
> > idmap uid = 1-2
> > idmap gid = 1-2
> > winbind separator = +
> >
> > [afiles]
> > path = /foo/afiles
> > admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> > read only = No
> >
> > I've logged in both as another member of the W2K3TEST+admins group, 
> > and as W2K3TEST+bobadmin, and that doesn't seem to have any effect 
> > on whether or not it works.  I've also tried adding a non-domain 
> > user and group to the ACL on the Solaris side to see if that would make an 
> > entry other than the standard permissions appear on Windows, but to 
> > no avail.
> >
> > ~Eric
> >
> > -Original Message-
> > From: Stas [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, October 18, 2007 3:39 PM
> > To: [EMAIL PROTECTED]
> > Cc: Eric Diven; samba@lists.samba.org
> > Subject: Re: [Samba] Can't see or change ACLs on Windows
> >
> >  any errors on windows side when you try to set permissions?
> >
> > On 10/18/07, Volker Lendecke <[EMAIL PROTECTED]> wrote:
> > > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote:
> > > > Here you go:
> > > >
> > > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
> > > >HAVE_SYS_ACL_H
> > > >HAVE_SOLARIS_ACLS
> > > >HAVE__ACL
> > > >HAVE__FACL
> > > >
> > > > It looks plausible to me, but I'm assuming you know better than 
> > > > I what
> > >
> > > That indeed looks right. No idea then, sorry. Maybe you want to 
> > > look
>
> > > in a debug level 10 log of smbd, search for 
> > > call_nt_transact_query_security_desc, maybe you find something 
> > > obvious.
> > >
> > > Volker
> > >
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
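
An added example, not part of the thread and not Samba code: a small parser for the getfacl output posted in the message above. It separates the three owner/group/other entries, which is all the Windows security tab is showing in this thread, from the named user and group entries that only an ACL-aware view exposes, and applies the mask to each. Function names are hypothetical; the second sample is constructed.

```python
import re

# getfacl output as posted in the message above (Solaris 10 format).
POSTED_ACL = """\
# file: afiles
# owner: W2K3TEST+bobadmin
# group: W2K3TEST+awriters
user::rwx
user:afile:rwx  #effective:rwx
group::rwx  #effective:rwx
group:afile:rwx #effective:rwx
group:W2K3TEST+areaders:r-x #effective:r-x
group:W2K3TEST+awriters:rwx #effective:rwx
group:W2K3TEST+admins:rwx   #effective:rwx
mask:rwx
other:---
default:user::rwx
default:group::rwx
default:group:W2K3TEST+areaders:r-x
default:group:W2K3TEST+awriters:rwx
default:group:W2K3TEST+admins:rwx
default:mask:rwx
default:other:---
"""

# Constructed sample (not from the thread), Linux getfacl format, with a mask
# that is narrower than one of the named entries.
CONSTRUCTED_ACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rwx
group::r--
group:auditors:r--
mask::r-x
other::---
"""

TAGS = {"user", "group", "mask", "other"}
PERM_RE = re.compile(r"^[r-][w-][x-]$")


def parse_getfacl(text):
    """Return (header dict, list of (is_default, tag, qualifier, perms))."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            m = re.match(r"#\s*(\w+):\s*(.*)", line)
            if m:
                header[m.group(1)] = m.group(2)
            continue
        line = line.split("#", 1)[0].strip()  # drop trailing "#effective:..." note
        if not line:
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        # Solaris prints "mask:rwx" and "other:---"; Linux prints "mask::rwx".
        if len(parts) == 2:
            tag, qualifier, perms = parts[0], "", parts[1]
        elif len(parts) == 3:
            tag, qualifier, perms = parts
        else:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        if tag not in TAGS or not PERM_RE.match(perms):
            raise ValueError(f"unrecognised ACL line: {raw!r}")
        entries.append((is_default, tag, qualifier, perms))
    return header, entries


def intersect(perms, mask):
    """Apply the ACL mask: a bit survives only if both sides grant it."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def summarize(text):
    """Split an ACL into its base entries and its named (extended) entries."""
    header, entries = parse_getfacl(text)
    access = [(t, q, p) for d, t, q, p in entries if not d]
    default = [(t, q, p) for d, t, q, p in entries if d]
    lookup = {(t, q): p for t, q, p in access}
    mask = lookup.get(("mask", ""), "rwx")  # no mask entry: nothing is filtered
    base = {
        "owner": lookup[("user", "")],
        "group": intersect(lookup[("group", "")], mask),
        "other": lookup[("other", "")],
    }
    # Named entries as (tag, name, granted, effective-after-mask).
    named = [(t, q, p, intersect(p, mask)) for t, q, p in access if q]
    inherited = [(t, q, p) for t, q, p in default if q]
    return {"file": header.get("file"), "base": base,
            "named": named, "inherited_named": inherited}


if __name__ == "__main__":
    for sample in (POSTED_ACL, CONSTRUCTED_ACL):
        s = summarize(sample)
        print(s["file"], "base entries:", s["base"])
        for tag, name, granted, effective in s["named"]:
            print(f"  named {tag} {name}: granted {granted}, effective {effective}")
        for tag, name, perms in s["inherited_named"]:
            print(f"  default for new files, {tag} {name}: {perms}")
```
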


RE: [Samba] Can't see or change ACLs on Windows

2007-10-19 Thread Eric Diven
Whoops, these were both supposed to go to the list.

If I log on as the owner of the file, I still can't add another entry to
the ACL.  I can change the permissions set on the user, group and world
permissions, but that's it.  I do see that the owner is identified
as the user I'm logged in as.

~Eric 

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED]
Sent: Friday, October 19, 2007 12:13 AM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

make sure that user logged in to windows box is an owner of files .
as i know , only owner can change permissions .
try  # chown "administrator/DOMAIN" /samba/test.txt  , after that try to
set permissions on this file from windows .


On 10/18/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> None when I open the security tab, but when I try to add an entry to 
> the ACL, I get:
>
> "Unable to save permission changes on directory on 'croesus running 
> samba (ipaddress)' (driveletter:).
>
> Access is denied."
>
> The smb.conf file is set up to allow admin access to both an AD user 
> and
> group:
>
> the relevant sections of the smb.conf file:
>
> [global]
> workgroup = W2K3TEST
> realm = W2K3TEST.LOCAL
> server string = croesus running samba
> security = ADS
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = /etc/printcap
> preferred master = No
> dns proxy = No
> idmap uid = 1-2
> idmap gid = 1-2
> winbind separator = +
>
> [afiles]
> path = /foo/afiles
> admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> read only = No
>
> I've logged in both as another member of the W2K3TEST+admins group, 
> and as W2K3TEST+bobadmin, and that doesn't seem to have any effect on 
> whether or not it works.  I've also tried adding a non-domain user and
> group to the ACL on the Solaris side to see if that would make an 
> entry other than the standard permissions appear on Windows, but to no
> avail.
>
> ~Eric
>
> -Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 18, 2007 3:39 PM
> To: [EMAIL PROTECTED]
> Cc: Eric Diven; samba@lists.samba.org
> Subject: Re: [Samba] Can't see or change ACLs on Windows
>
>  any errors on windows side when you try to set permissions?
>
> On 10/18/07, Volker Lendecke <[EMAIL PROTECTED]> wrote:
> > On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote:
> > > Here you go:
> > >
> > > bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
> > >HAVE_SYS_ACL_H
> > >HAVE_SOLARIS_ACLS
> > >HAVE__ACL
> > >HAVE__FACL
> > >
> > > It looks plausible to me, but I'm assuming you know better than I 
> > > what
> >
> > That indeed looks right. No idea then, sorry. Maybe you want to look

> > in a debug level 10 log of smbd, search for 
> > call_nt_transact_query_security_desc, maybe you find something 
> > obvious.
> >
> > Volker
> >


RE: [Samba] Can't see or change ACLs on Windows

2007-10-18 Thread Eric Diven

On Thu, Oct 18, 2007 at 09:11:59AM -0400, Eric Diven wrote:
> Here you go:
> 
> bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
>    HAVE_SYS_ACL_H
>    HAVE_SOLARIS_ACLS
>    HAVE__ACL
>    HAVE__FACL
> 
> It looks plausible to me, but I'm assuming you know better than I what

That indeed looks right. No idea then, sorry. Maybe you want to look in
a debug level 10 log of smbd, search for
call_nt_transact_query_security_desc, maybe you find something obvious.

Volker

Thanks, I'll take a crack at the logs with the high debug level and see
if I can see anything strange happening.  I'll agree that everything
"looks right", at least as near as I can tell.

~Eric


RE: [Samba] Can't see or change ACLs on Windows

2007-10-18 Thread Eric Diven
Here you go:

bash-3.00# /usr/local/samba/sbin/smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_SOLARIS_ACLS
   HAVE__ACL
   HAVE__FACL

It looks plausible to me, but I'm assuming you know better than I what
it should say.  Also, I did just check, and that is the binary that the
init script is starting.  If I've done something stupid again, it isn't
that ;-)

~Eric

-Original Message-
From: Volker Lendecke [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 18, 2007 2:10 AM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

On Wed, Oct 17, 2007 at 06:25:06PM -0400, Eric Diven wrote:
> I added nt acl support = yes to the config file and restarted with no 
> effect.  The manpage for smb.conf said yes is the default, so I had 
> been omitting it, but I suppose it can't hurt.  The share is on a UFS 
> volume on Solaris, I couldn't find a documented acl option, so I tried

> doing a remount with it anyway, but mount just issued a warning saying

> it was ignoring it.  On the Linux box, I remounted with acl, and it 
> also didn't have any effect.  I still can't see or set acls on either
from windows.
> I can set the acls from the command line in either with setfacl, and 
> see them with getfacl.

What does "smbd -b | grep ACL" say?

Volker


RE: [Samba] Can't see or change ACLs on Windows

2007-10-17 Thread Eric Diven
I added nt acl support = yes to the config file and restarted with no
effect.  The manpage for smb.conf said yes is the default, so I had been
omitting it, but I suppose it can't hurt.  The share is on a UFS volume
on Solaris, I couldn't find a documented acl option, so I tried doing a
remount with it anyway, but mount just issued a warning saying it was
ignoring it.  On the Linux box, I remounted with acl, and it also didn't
have any effect.  I still can't see or set acls on either from windows.
I can set the acls from the command line in either with setfacl, and see
them with getfacl.

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 17, 2007 5:05 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't see or change ACLs on Windows

do you have " nt acl support = yes" in smb.conf ?
i'm not sure , but seems you have to mount the volume that contains
shared files with "-o acl" ..
check it out.



On 10/17/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> I've tested this on CentOS 4.3 and am seeing the same issue.  It seems

> like it's probably a configuration problem, but I'll be damned if I 
> can figure it out.
>
> ~Eric
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Eric Diven
> Sent: Wednesday, October 17, 2007 4:30 PM
> To: samba@lists.samba.org
> Subject: [Samba] Can't see or change ACLs on Windows
>
> I have samba server joined to a domain that I'm trying to use ads 
> security and acls on.  I can set acls on the Unix file system, and 
> access from a windows client seems to honor them.  I can't view the 
> acls under the security tab, all I see are the standard Unix 
> permissions instead.  If I try to add an entry to the acl, I get an 
> access denied error, even if the user is on the list of admin users.  
> Samba version is 3.0.24, OS is Solaris 10.  Winbind works smoothly, I 
> can set an entry in an ACL to a domain user or group using setfacl on 
> the unix side, and I see it correctly with getfacl.  Any ideas please?
>
> ~Eric


RE: [Samba] Can't see or change ACLs on Windows

2007-10-17 Thread Eric Diven
I've tested this on CentOS 4.3 and am seeing the same issue.  It seems
like it's probably a configuration problem, but I'll be damned if I can
figure it out.

~Eric 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Eric Diven
Sent: Wednesday, October 17, 2007 4:30 PM
To: samba@lists.samba.org
Subject: [Samba] Can't see or change ACLs on Windows

I have samba server joined to a domain that I'm trying to use ads
security and acls on.  I can set acls on the Unix file system, and
access from a windows client seems to honor them.  I can't view the acls
under the security tab, all I see are the standard Unix permissions
instead.  If I try to add an entry to the acl, I get an access denied
error, even if the user is on the list of admin users.  Samba version is
3.0.24, OS is Solaris 10.  Winbind works smoothly, I can set an entry in
an ACL to a domain user or group using setfacl on the unix side, and I
see it correctly with getfacl.  Any ideas please?

~Eric


[Samba] Can't see or change ACLs on Windows

2007-10-17 Thread Eric Diven
I have samba server joined to a domain that I'm trying to use ads
security and acls on.  I can set acls on the Unix file system, and
access from a windows client seems to honor them.  I can't view the acls
under the security tab, all I see are the standard Unix permissions
instead.  If I try to add an entry to the acl, I get an access denied
error, even if the user is on the list of admin users.  Samba version is
3.0.24, OS is Solaris 10.  Winbind works smoothly, I can set an entry in
an ACL to a domain user or group using setfacl on the unix side, and I
see it correctly with getfacl.  Any ideas please?

~Eric


[Samba] Can't set ACLs on mounted share from windows

2007-10-16 Thread Eric Diven
On Samba 3.0.24, on Solaris 10, I can set ACLs from the command line
using setfacl and view them using getfacl.  When I look at the security
for the mounted share on Windows, I only see the owner, group and world
permissions.  I can modify those permissions, at least for world.  What
I can't do is add another user or group to the ACL.  I get the error

"Unable to save permission changes on directory on 'croesus running
samba (ipaddress)' (driveletter:).

Access is denied."

samba is compiled with ACL support, the fs and kernel support it.  I'm
logging in to the samba server as the owner of the file and directory
(whose UID comes from winbind, it's an AD user).  Both the user and its
group are on the list of admin users in the share config.  I'm starting
to run out of ideas here to be honest.  Running at log level 2, I don't
see anything in the logs when I try to add a new user or group to the
ACL.  Any thoughts please?

~Eric

the relevant sections of the smb.conf file:

[global]
workgroup = W2K3TEST
realm = W2K3TEST.LOCAL
server string = croesus running samba
security = ADS
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +

[afiles]
path = /foo/afiles
admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
read only = No


RE: [Samba] Can't chown a file to an ADS username

2007-10-09 Thread Eric Diven
Well, I'm an idiot:

1)  I wrongly assumed that make install had installed the version of
libnss_winbind.so.2 that I compiled because the file existed. 
2)  I realized this was not the case when I did an ls -l on /lib and saw
the timestamp on the file.
3)  I replaced the file with the new one
4)  I never restarted samba, leading to the immediate problem.

5)  In the meantime, the same problem had been happening, with the pipe
at a different location.  The new winbind was creating it in
/tmp/.winbindd, and the old library was looking for it in
/var/run/something_or_another.

Thanks for the help on this one.  I apologize for taking up your time
with that.

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 09, 2007 4:08 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't chown a file to an ADS username

well , if  /tmp/.winbindd/pipe doesn't exist nothing will work since
winbind's clients use it to communicate with winbind.
there is no "pipe" file in /tmp/.winbindd after you start winbind ?
it should be created when winbindd starts.
check that /tmp/.winbindd directory owned by root .

On 10/9/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> Thanks for pointing that out.  The trace shows that it's trying to
> lstat64 /tmp/.winbindd/pipe, and not finding it.
> ldd shows that it's only looking for libc.so.6, and finding it at
> /lib/tls/libc.so.6
> I built this from source.  I've poached the smb.conf from the existing

> one in /etc/samba and made the same modifications I've had to make 
> under Solaris.
>
> Here's the rest of the trace starting directly after the close(4):
>
> munmap(0xb7dab000, 53951)   = 0
> getpid()= 3132
> lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) =

> 0
>
> lstat64("/tmp/.winbindd/pipe", 0xbff36ab8) = -1 ENOENT (No such file 
> or
> directory)
> munmap(0xb7dba000, 1791)= 0
> close(3)= 0
> lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) =

> 0
>
> lstat64("/tmp/.winbindd/pipe", 0xbff36b38) = -1 ENOENT (No such file 
> or
> directory)
> munmap(0xb7db9000, 4096)= 0
> exit_group(0)   = ?
>
> Any idea what I need to do to resolve the issue with the pipe not 
> being there?
>
> ~Eric
>
> -Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 09, 2007 2:31 PM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't chown a file to an ADS username
>
> well , at least we know that getent calls winbind ...
> "close(4)" - the last line in strace output ?
> try # ldd /lib/libnss_winbind.so.2
> it'll show you what libraries libnss_winbind requires , check that all

> of them are exist ..
> are you using RPM installation or compiled SAMBA from sources?
>
>
>
>
> On 10/9/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> > Okay, here's something to work with:
> >
> > open("/lib/tls/i686/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat64("/lib/tls/i686/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
> > open("/lib/tls/i686/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat64("/lib/tls/i686", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> > open("/lib/tls/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat64("/lib/tls/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
> > open("/lib/tls/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat64("/lib/tls", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> > open("/lib/i686/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat64("/lib/i686/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
> > open("/lib/i686/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat64("/lib/i686", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> > open("/lib/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> > stat64("/lib/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
> > open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
> > read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\

RE: [Samba] Can't chown a file to an ADS username

2007-10-09 Thread Eric Diven
Thanks for pointing that out.  The trace shows that it's trying to
lstat64 /tmp/.winbindd/pipe, and not finding it.
ldd shows that it's only looking for libc.so.6, and finding it at
/lib/tls/libc.so.6
I built this from source.  I've poached the smb.conf from the existing
one in /etc/samba and made the same modifications I've had to make under
Solaris.

Here's the rest of the trace starting directly after the close(4):

munmap(0xb7dab000, 53951) = 0
getpid() = 3132
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", 0xbff36ab8) = -1 ENOENT (No such file or directory)
munmap(0xb7dba000, 1791) = 0
close(3) = 0
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", 0xbff36b38) = -1 ENOENT (No such file or directory)
munmap(0xb7db9000, 4096) = 0
exit_group(0) = ?

Any idea what I need to do to resolve the issue with the pipe not being
there?

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 09, 2007 2:31 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't chown a file to an ADS username

well , at least we know that getent calls winbind ...
"close(4)" - the last line in strace output ?
try # ldd /lib/libnss_winbind.so.2
it'll show you what libraries libnss_winbind requires , check that all
of them are exist ..
are you using RPM installation or compiled SAMBA from sources?




On 10/9/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> Okay, here's something to work with:
>
> open("/lib/tls/i686/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat64("/lib/tls/i686/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
> open("/lib/tls/i686/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat64("/lib/tls/i686", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> open("/lib/tls/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat64("/lib/tls/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
> open("/lib/tls/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat64("/lib/tls", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> open("/lib/i686/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat64("/lib/i686/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
> open("/lib/i686/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat64("/lib/i686", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> open("/lib/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
> stat64("/lib/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
> open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
> read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\20\0\000"..., 512) = 512
> fstat64(4, {st_mode=S_IFREG|0755, st_size=15584, ...}) = 0
> old_mmap(NULL, 28316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0xca7000
> old_mmap(0xcab000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x3000) = 0xcab000
> old_mmap(0xcac000, 7836, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xcac000
> close(4)
>
> Clearly, it's looking for libnss_winbind.so.2 in a bunch of places 
> where it isn't, and then finding it in /lib.  What is happening with 
> old_mmap is beyond my knowledge, however.  Does this help you any?
>
> ~Eric
>
> -Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 09, 2007 11:28 AM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't chown a file to an ADS username
>
> try to run the  following command :  # strace -o ./strace.out getent 
> passwd  , then look into strace.out for winbind related messages .
> you should see something like that when getent starts winbind lookups:
> "open("/lib64/libnss_winbind.so.2", O_RDONLY) = 6"
>
>
>
>
>
>
> On 10/9/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> > Yes, these are only winbind startup messages, that's exactly the 
> > problem.  I had in my nsswitch.conf file:
> >
> > passwd:  compat winbind
> > shadow:  compat winbind
> > group:   compat winbind
> >
> > which produced only the local names
> >
&
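
The check the two strace excerpts in this thread were read for by eye, as an added example (not code posted by anyone on the list): it reads `strace -o` output from `getent passwd` and reports whether `libnss_winbind.so.2` was loaded and whether the winbindd pipe the module then looks for exists. Both sample traces are constructed, the first by re-joining lines quoted in the thread; the `/var/run/winbindd` path, the `openat`/`lstat` record forms and the verdict names are assumptions for illustration.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# One strace record whose first string argument is a path:
#   call("path", ...) = ret [ERRNO (text)]
# AT_FDCWD is optional so that openat()-style records are accepted too.
RECORD = re.compile(
    r'^(?P<call>\w+)\((?:AT_FDCWD,\s*)?"(?P<path>[^"]+)".*\)\s*=\s*'
    r'(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z0-9]+))?'
)
MODULE = "libnss_winbind.so.2"
OPEN_CALLS = {"open", "openat"}
STAT_CALLS = {"stat", "stat64", "lstat", "lstat64", "newfstatat"}


@dataclass
class Diagnosis:
    module_path: Optional[str] = None            # where the NSS module was opened
    search_misses: List[str] = field(default_factory=list)
    pipes_found: List[str] = field(default_factory=list)
    pipes_missing: List[str] = field(default_factory=list)
    verdict: str = ""


def is_winbindd_pipe(path: str) -> bool:
    """True for .../<something containing 'winbindd'>/pipe."""
    parent, _, name = path.rpartition("/")
    return name == "pipe" and "winbindd" in parent.rpartition("/")[2]


def diagnose(trace: str) -> Diagnosis:
    d = Diagnosis()
    for line in trace.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # read(), mmap(), close() etc. carry no path we care about
        call, path, ok = m["call"], m["path"], int(m["ret"]) >= 0
        if call in OPEN_CALLS and path.endswith("/" + MODULE):
            if not ok:
                d.search_misses.append(path)
            elif d.module_path is None:
                d.module_path = path
        elif call in STAT_CALLS and is_winbindd_pipe(path):
            (d.pipes_found if ok else d.pipes_missing).append(path)

    if d.module_path is None:
        # No successful open: either NSS never asked for winbind, or it
        # searched the library path and found nothing.
        d.verdict = "MODULE_NOT_FOUND" if d.search_misses else "NOT_CONSULTED"
    elif d.pipes_found:
        d.verdict = "OK"
    elif d.pipes_missing:
        # Module loaded, but nothing is listening where it looks: check that
        # winbindd is running and uses the same socket directory.
        d.verdict = "PIPE_MISSING"
    else:
        d.verdict = "NO_PIPE_LOOKUP"
    return d


# Constructed sample: lines from the thread, re-joined one syscall per line.
THREAD_TRACE = r'''
open("/lib/tls/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/lib/i686/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\20\0\000"..., 512) = 512
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", 0xbff36ab8) = -1 ENOENT (No such file or directory)
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", 0xbff36b38) = -1 ENOENT (No such file or directory)
'''

# Constructed sample of a working lookup; paths here are assumptions.
HEALTHY_TRACE = r'''
openat(AT_FDCWD, "/lib64/libnss_winbind.so.2", O_RDONLY|O_CLOEXEC) = 3
lstat("/var/run/winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var/run/winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
'''

if __name__ == "__main__":
    # With a file argument, diagnose a real `strace -o` capture instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else THREAD_TRACE
    result = diagnose(text)
    print(result.verdict, result.module_path, result.pipes_missing)
```
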

RE: [Samba] Can't chown a file to an ADS username

2007-10-09 Thread Eric Diven
No, I'm not looking up a specific user.  I want all of the users that
are in the passwd database.  Running getent passwd should, in theory,
accomplish this by going through all of the sources defined in
nsswitch.conf and getting all of the entries each of them have.  At
least that's my understanding of how it should work.

~Eric 

-Original Message-
From: Greg Byshenk [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 09, 2007 12:32 PM
To: samba@lists.samba.org
Cc: Eric Diven
Subject: Re: [Samba] Can't chown a file to an ADS username

On Tue, Oct 09, 2007 at 09:33:40AM -0400, Eric Diven wrote:
> Yes, these are only winbind startup messages, that's exactly the 
> problem.  I had in my nsswitch.conf file:
> 
> passwd:  compat winbind
> shadow:  compat winbind
> group:   compat winbind
> 
> which produced only the local names
> 
> To test, I changed nsswitch.conf as follows:
> 
> passwd:  winbind [UNAVAIL=retunr] compat
> shadow:  compat winbind #so I have some hope of being able to log in 
> if I didn't get it changed back, maybe
> group:   winbind [UNAVAIL=return] compat
> 
> and got *nothing* back from getent passwd.  I'm guessing this means 
> I've got a .so file in the wrong place somewhere.  Following the 
> instructions online, I have
> 
> /lib/libnss_winbind.so.2
> /lib/libnss_winbind.so -> /lib/libnss_winbind.so.2 
> /usr/lib/libnss_winbind.so -> /lib/libnss_winbind.so.2
> 
> This sure looks correct, but it's pretty clear that winbind isn't 
> getting called.

This is just a shot in the dark, but...

- Are you calling 'getent passwd DOMAIN\\user'?
- If not, do you have 'winbind use default domain = yes' set?


-greg

 
> -Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 08, 2007 5:04 PM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't chown a file to an ADS username
> 
> the winbindd.log you posted contains winbind startup messages?
> if not try to restart winbind and check winbind log for errors .
> /etc/nsswitch.conf contains winbind related strings?
> 
> 
> On 10/8/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> > I'm not actually getting much from it.  I'm assuming that all of
> > winbind's logging goes to [logpath]/winbindd.log.
> >
> > If that's the case, I'm seeing nsswitch related stuff happening when
> > winbind starts up, but not when I run getent passwd.
> > I'm running winbind at debug level 3.
> >
> > [EMAIL PROTECTED] ~]# cat /var/log/samba/winbindd.log
> > [2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
> >   added interface ip=192.168.100.80 bcast=192.168.100.255 
> > nmask=255.255.255.0
> > [2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
> >   added interface ip=192.168.100.80 bcast=192.168.100.255 
> > nmask=255.255.255.0
> > [2007/10/08 13:18:23, 2] lib/tallocmsg.c:register_msg_pool_usage(61)
> >   Registered MSG_REQ_POOL_USAGE
> > [2007/10/08 13:18:23, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
> >   Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > [2007/10/08 13:18:23, 2]
> > nsswitch/winbindd_util.c:add_trusted_domain(175)
> >   Added domain EDSI EDSI.EDSI-INT.COM
> > S-1-5-21-1993962763-329068152-1801674531
> > [2007/10/08 13:18:23, 2]
> > nsswitch/winbindd_util.c:add_trusted_domain(175)
> >   Added domain LOCALHOST  S-1-5-21-9612232-2512366426-966941693
> > [2007/10/08 13:18:23, 2]
> > nsswitch/winbindd_util.c:add_trusted_domain(175)
> >   Added domain BUILTIN  S-1-5-32
> > [2007/10/08 13:18:23, 3]
> > nsswitch/winbindd_misc.c:winbindd_interface_version(483)
> >   [0]: request interface version
> > [2007/10/08 13:18:23, 3]
> > nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(516)
> >   [0]: request location of privileged pipe
> > [2007/10/08 13:18:23, 3] nsswitch/winbindd_misc.c:winbindd_ping(462)
> >   [0]: ping
> > [EMAIL PROTECTED] ~]#
> >
> > This is the result of clearing the log, restarting samba, and
> > running getent passwd.  Nothing gets added to the log when I run it.
> > It's Greek to me what the stuff from winbind start up means, but I'm
> > a little suspicious that nothing shows up on getent passwd.
> >
> > ~Eric
> >
> > -Original Message-
> > From: Stas [mailto:[EMAIL PROTECTED]
> > Sent: Monday, October 08, 2007 12:50 PM
> > To: Eric Diven
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] Can't chown a file to an ADS username
> >
> > winbind's log may be helpful
> >
> >
>

RE: [Samba] Can't chown a file to an ADS username

2007-10-09 Thread Eric Diven
Okay, here's something to work with:

open("/lib/tls/i686/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/lib/tls/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
open("/lib/tls/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/lib/i686/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
open("/lib/i686/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/lib/sse2/libnss_winbind.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/sse2", 0xbffd8d38) = -1 ENOENT (No such file or directory)
open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\20\0\000"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=15584, ...}) = 0
old_mmap(NULL, 28316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0xca7000
old_mmap(0xcab000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x3000) = 0xcab000
old_mmap(0xcac000, 7836, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xcac000
close(4)

Clearly, it's looking for libnss_winbind.so.2 in a bunch of places where
it isn't, and then finding it in /lib.  What is happening with old_mmap
is beyond my knowledge, however.  Does this help you any?

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 09, 2007 11:28 AM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't chown a file to an ADS username

try to run the  following command :  # strace -o ./strace.out getent
passwd  , then look into strace.out for winbind related messages .
you should see something like that when getent starts winbind lookups:
"open("/lib64/libnss_winbind.so.2", O_RDONLY) = 6"






On 10/9/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> Yes, these are only winbind startup messages, that's exactly the 
> problem.  I had in my nsswitch.conf file:
>
> passwd:  compat winbind
> shadow:  compat winbind
> group:   compat winbind
>
> which produced only the local names
>
> To test, I changed nsswitch.conf as follows:
>
> passwd:  winbind [UNAVAIL=retunr] compat
> shadow:  compat winbind #so I have some hope of being able to log in 
> if I didn't get it changed back, maybe
> group:   winbind [UNAVAIL=return] compat
>
> and got *nothing* back from getent passwd.  I'm guessing this means 
> I've got a .so file in the wrong place somewhere.  Following the 
> instructions online, I have
>
> /lib/libnss_winbind.so.2
> /lib/libnss_winbind.so -> /lib/libnss_winbind.so.2 
> /usr/lib/libnss_winbind.so -> /lib/libnss_winbind.so.2
>
> This sure looks correct, but it's pretty clear that winbind isn't 
> getting called.
>
> ~Eric
>
> -Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 08, 2007 5:04 PM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't chown a file to an ADS username
>
> the winbindd.log you posted contains winbind startup messages?
> if not try to restart winbind and check winbind log for errors .
> /etc/nsswitch.conf contains winbind related strings?
>
>
> On 10/8/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> > I'm not actually getting much from it.  I'm assuming that all of
> > winbind's logging goes to [logpath]/winbindd.log.
> >
> > If that's the case, I'm seeing nsswitch related stuff happening when
> > winbind starts up, but not when I run getent passwd.
> > I'm running winbind at debug level 3.
> >
> > [EMAIL PROTECTED] ~]# cat /var/log/samba/winbindd.log
> > [2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
> >   added interface ip=192.168.100.80 bcast=192.168.100.255 
> > nmask=255.255.255.0
> > [2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
> >   added interface ip=192.168.100.80 bcast=192.168.100.255 
> > nmask=255.255.255.0
> > [2007/10/08 13:18:23, 2] lib/tallocmsg.c:regi

RE: [Samba] Can't chown a file to an ADS username

2007-10-09 Thread Eric Diven
Yes, these are only winbind startup messages, that's exactly the
problem.  I had in my nsswitch.conf file:

passwd:  compat winbind
shadow:  compat winbind
group:   compat winbind

which produced only the local names

To test, I changed nsswitch.conf as follows:

passwd:  winbind [UNAVAIL=retunr] compat
shadow:  compat winbind #so I have some hope of being able to log in if
I didn't get it changed back, maybe
group:   winbind [UNAVAIL=return] compat

and got *nothing* back from getent passwd.  I'm guessing this means I've
got a .so file in the wrong place somewhere.  Following the instructions
online, I have

/lib/libnss_winbind.so.2
/lib/libnss_winbind.so -> /lib/libnss_winbind.so.2
/usr/lib/libnss_winbind.so -> /lib/libnss_winbind.so.2

This sure looks correct, but it's pretty clear that winbind isn't
getting called.

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 08, 2007 5:04 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't chown a file to an ADS username

the winbindd.log you posted contains winbind startup messages?
if not try to restart winbind and check winbind log for errors .
/etc/nsswitch.conf contains winbind related strings?


On 10/8/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> I'm not actually getting much from it.  I'm assuming that all of 
> winbind's logging goes to [logpath]/winbindd.log.
>
> If that's the case, I'm seeing nsswitch related stuff happening when 
> winbind starts up, but not when I run getent passwd.
> I'm running winbind at debug level 3.
>
> [EMAIL PROTECTED] ~]# cat /var/log/samba/winbindd.log
> [2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
>   added interface ip=192.168.100.80 bcast=192.168.100.255 
> nmask=255.255.255.0
> [2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
>   added interface ip=192.168.100.80 bcast=192.168.100.255 
> nmask=255.255.255.0
> [2007/10/08 13:18:23, 2] lib/tallocmsg.c:register_msg_pool_usage(61)
>   Registered MSG_REQ_POOL_USAGE
> [2007/10/08 13:18:23, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
>   Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> [2007/10/08 13:18:23, 2]
> nsswitch/winbindd_util.c:add_trusted_domain(175)
>   Added domain EDSI EDSI.EDSI-INT.COM
> S-1-5-21-1993962763-329068152-1801674531
> [2007/10/08 13:18:23, 2]
> nsswitch/winbindd_util.c:add_trusted_domain(175)
>   Added domain LOCALHOST  S-1-5-21-9612232-2512366426-966941693
> [2007/10/08 13:18:23, 2]
> nsswitch/winbindd_util.c:add_trusted_domain(175)
>   Added domain BUILTIN  S-1-5-32
> [2007/10/08 13:18:23, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(483)
>   [0]: request interface version
> [2007/10/08 13:18:23, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(516)
>   [0]: request location of privileged pipe
> [2007/10/08 13:18:23, 3] nsswitch/winbindd_misc.c:winbindd_ping(462)
>   [0]: ping
> [EMAIL PROTECTED] ~]#
>
> This is the result of clearing the log, restarting samba, and running 
> getent passwd.  Nothing gets added to the log when I run it.  It's 
> Greek to me what the stuff from winbind start up means, but I'm a 
> little suspicious that nothing shows up on getent passwd.
>
> ~Eric
>
> -Original Message-
> From: Stas [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 08, 2007 12:50 PM
> To: Eric Diven
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Can't chown a file to an ADS username
>
> winbind's log may be helpful
>
>
>
> On 10/8/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> > I've got a samba install on Linux with winbind installed, etc.  I've
> > configured it the same as I have under Solaris, but for some reason, I
> > can't chown a file to an AD username.  I have joined the box to the
> > domain, I can wbinfo -u/-g and get lists of users and groups on the
> > domain.  When I run getent passwd or getent group, however, I don't
> > see any of the domain users and groups.  I have winbind enum users and
> > groups = yes in the smb.conf file.
> >
> > Eventually, I need to be able to accomplish this with enum users and
> > groups = no for a large domain, but I'm trying to duplicate a
> > problem we're having with Solaris.
> >
> > Any ideas?  I'm happy to furnish further info/configs/logs on request.
> >
> > ~Eric


RE: [Samba] Can't chown a file to an ADS username

2007-10-08 Thread Eric Diven
Okay, I've just tried this on my working solaris setup, and I definitely
get stuff in the log file when I run getent passwd.  Is there an
nsswitch log that would tell me if nsswitch is even trying to call the
winbind libraries?

~Eric 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Eric Diven
Sent: Monday, October 08, 2007 4:15 PM
To: samba@lists.samba.org
Subject: RE: [Samba] Can't chown a file to an ADS username

I'm not actually getting much from it.  I'm assuming that all of
winbind's logging goes to [logpath]/winbindd.log.

If that's the case, I'm seeing nsswitch related stuff happening when
winbind starts up, but not when I run getent passwd.
I'm running winbind at debug level 3.

[EMAIL PROTECTED] ~]# cat /var/log/samba/winbindd.log
[2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.100.80 bcast=192.168.100.255
nmask=255.255.255.0
[2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.100.80 bcast=192.168.100.255
nmask=255.255.255.0
[2007/10/08 13:18:23, 2] lib/tallocmsg.c:register_msg_pool_usage(61)
  Registered MSG_REQ_POOL_USAGE
[2007/10/08 13:18:23, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2007/10/08 13:18:23, 2]
nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain EDSI EDSI.EDSI-INT.COM
S-1-5-21-1993962763-329068152-1801674531
[2007/10/08 13:18:23, 2]
nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain LOCALHOST  S-1-5-21-9612232-2512366426-966941693
[2007/10/08 13:18:23, 2]
nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain BUILTIN  S-1-5-32
[2007/10/08 13:18:23, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(483)
  [0]: request interface version
[2007/10/08 13:18:23, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(516)
  [0]: request location of privileged pipe
[2007/10/08 13:18:23, 3] nsswitch/winbindd_misc.c:winbindd_ping(462)
  [0]: ping
[EMAIL PROTECTED] ~]#

This is the result of clearing the log, restarting samba, and running
getent passwd.  Nothing gets added to the log when I run it.  It's Greek
to me what the stuff from winbind start up means, but I'm a little
suspicious that nothing shows up on getent passwd.

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED]
Sent: Monday, October 08, 2007 12:50 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't chown a file to an ADS username

winbind's log may be helpful



On 10/8/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> I've got a samba install on Linux with winbind installed, etc.  I've 
> configured it the same as I have under Solaris, but for some reason, I
> can't chown a file to an AD username.  I have joined the box to the 
> domain, I can wbinfo -u/-g and get lists of users and groups on the 
> domain.  When I run getent passwd or getent group, however, I don't 
> see any of the domain users and groups.  I have winbind enum users and
> groups = yes in the smb.conf file.
>
> Eventually, I need to be able to accomplish this with enum users and 
> groups = no for a large domain, but I'm trying to duplicate a problem 
> we're having with Solaris.
>
> Any ideas?  I'm happy to furnish further info/configs/logs on request.
>
> ~Eric


RE: [Samba] Can't chown a file to an ADS username

2007-10-08 Thread Eric Diven
I'm not actually getting much from it.  I'm assuming that all of
winbind's logging goes to [logpath]/winbindd.log.

If that's the case, I'm seeing nsswitch related stuff happening when
winbind starts up, but not when I run getent passwd.
I'm running winbind at debug level 3.

[EMAIL PROTECTED] ~]# cat /var/log/samba/winbindd.log
[2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.100.80 bcast=192.168.100.255
nmask=255.255.255.0
[2007/10/08 13:18:23, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.100.80 bcast=192.168.100.255
nmask=255.255.255.0
[2007/10/08 13:18:23, 2] lib/tallocmsg.c:register_msg_pool_usage(61)
  Registered MSG_REQ_POOL_USAGE
[2007/10/08 13:18:23, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2007/10/08 13:18:23, 2]
nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain EDSI EDSI.EDSI-INT.COM
S-1-5-21-1993962763-329068152-1801674531
[2007/10/08 13:18:23, 2]
nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain LOCALHOST  S-1-5-21-9612232-2512366426-966941693
[2007/10/08 13:18:23, 2]
nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain BUILTIN  S-1-5-32
[2007/10/08 13:18:23, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(483)
  [0]: request interface version
[2007/10/08 13:18:23, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(516)
  [0]: request location of privileged pipe
[2007/10/08 13:18:23, 3] nsswitch/winbindd_misc.c:winbindd_ping(462)
  [0]: ping
[EMAIL PROTECTED] ~]#

This is the result of clearing the log, restarting samba, and running
getent passwd.  Nothing gets added to the log when I run it.  It's Greek
to me what the stuff from winbind start up means, but I'm a little
suspicious that nothing shows up on getent passwd.

~Eric

-Original Message-
From: Stas [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 08, 2007 12:50 PM
To: Eric Diven
Cc: samba@lists.samba.org
Subject: Re: [Samba] Can't chown a file to an ADS username

winbind's log may be helpful



On 10/8/07, Eric Diven <[EMAIL PROTECTED]> wrote:
> I've got a samba install on Linux with winbind installed, etc.  I've 
> configured it the same as I have under Solaris, but for some reason, I
> can't chown a file to an AD username.  I have joined the box to the 
> domain, I can wbinfo -u/-g and get lists of users and groups on the 
> domain.  When I run getent passwd or getent group, however, I don't 
> see any of the domain users and groups.  I have winbind enum users and
> groups = yes in the smb.conf file.
>
> Eventually, I need to be able to accomplish this with enum users and 
> groups = no for a large domain, but I'm trying to duplicate a problem 
> we're having with Solaris.
>
> Any ideas?  I'm happy to furnish further info/configs/logs on request.
>
> ~Eric


RE: [Samba] Can't chown a file to an ADS username

2007-10-08 Thread Eric Diven
Samba version is 3.0.24, running on CentOS 4.3, sorry about that.

~Eric 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Eric Diven
Sent: Monday, October 08, 2007 12:35 PM
To: samba@lists.samba.org
Subject: [Samba] Can't chown a file to an ADS username

I've got a samba install on Linux with winbind installed, etc.  I've
configured it the same as I have under Solaris, but for some reason, I
can't chown a file to an AD username.  I have joined the box to the
domain, I can wbinfo -u/-g and get lists of users and groups on the
domain.  When I run getent passwd or getent group, however, I don't see
any of the domain users and groups.  I have winbind enum users and
groups = yes in the smb.conf file.

Eventually, I need to be able to accomplish this with enum users and
groups = no for a large domain, but I'm trying to duplicate a problem
we're having with Solaris.

Any ideas?  I'm happy to furnish further info/configs/logs on request.

~Eric


[Samba] Can't chown a file to an ADS username

2007-10-08 Thread Eric Diven
I've got a samba install on Linux with winbind installed, etc.  I've
configured it the same as I have under Solaris, but for some reason, I
can't chown a file to an AD username.  I have joined the box to the
domain, I can wbinfo -u/-g and get lists of users and groups on the
domain.  When I run getent passwd or getent group, however, I don't see
any of the domain users and groups.  I have winbind enum users and
groups = yes in the smb.conf file.

Eventually, I need to be able to accomplish this with enum users and
groups = no for a large domain, but I'm trying to duplicate a problem
we're having with Solaris.

Any ideas?  I'm happy to furnish further info/configs/logs on request.

~Eric


[Samba] Winbind integration with large AD on Solaris 10

2007-10-05 Thread Eric Diven
I'm having trouble getting Samba working on Solaris 10 with a large
active directory (35000 users, 5000 groups).  I've set this up
successfully in the past with winbind enum users = yes and winbind enum
users = yes in the smb.conf file.  Owing to the large number of users in
this application, I need to have these set to no.  Realistically, only a
couple dozen people and 3 groups actually need access to the share, and
it would be a waste of UIDs and a maintenance issue the admin doesn't
want to have to take on to eat up that many uids and gids for this.

System information:
Solaris 10 on SPARC
Samba 3.0.24 (avoids this issue:
https://bugzilla.samba.org/show_bug.cgi?id=4863, I tested, and this was
still an open issue in 3.0.25b, and the bug this is marked duplicate of
is still showing as reopened)

What works:

The system has been joined onto the domain
wbinfo -a DOM+username%password works consistently
wbinfo -u and -g both work, though sometimes intermittently.  It looks
like it might be timing out?

What else I see:

net idmap dump tdb_file shows no UID/SID mappings.  
getent group/passwd show no AD users or groups
I can't chown a file to a domain user (including the same one I can
authenticate with wbinfo -a)

Zeroth question:  Am I just doing it wrong?  I.e. do I need to manually
add users and groups if I'm not going to enumerate the whole list into
the unix side?  There doesn't seem to be a lot of documentation (at
least not that I've found) about setting up winbind without enumerating
all of the users and groups, so I'm not discounting this possibility.

First question:  If the problem isn't in the zeroth question, Is this a
nsswitch/winbind interaction issue?  It looks as though it might be
based on the above symptoms, though I'm suspicious that net idmap dump
doesn't show any mappings, including for users who have authenticated
directly with wbinfo -a

Second question:  Has anybody had similar problems with linux?  I'm
going to try setting up samba identically on a linux box this afternoon
to see if I can duplicate the problem.

Just to be clear, I can make the authentication work perfectly on a
smaller AD with enum users/groups = yes, and I've duplicated the problem
on the same smaller domain changing nothing in the configuration except
the enum users/groups = no.

Any help on this issue would be much appreciated.

~Eric 