RE: [Samba] Ubuntu samba slower than red hat??
Hi,

I would double check the smb.conf and other files eg. nsswitch.conf/pam.d (if you are using them). I am running the Ubuntu Server edition 6.06 and it works great as a member server in an AD environment. I am staying away from a GUI and using Webmin and SWAT to manage the box. I am doing this all on VM Server (free version) from a WinXP host. The AD and Ubuntu server are on the VM for testing before deploying the Ubuntu server into production.

When I saw your post I remembered that at one point when I would do a lookup on files I got something like file owner and group as dean:1005 too. I realized that the shadow and group entries in nsswitch.conf are reversed from Fedora and I blindly added winbind to shadow and not group when first setting up my Samba server. When I found my problem, and added winbind to group, the lookup worked as it should have. But you may not be using Winbind.

All my rambling is just suggestion. Running a firewall on Ubuntu? Check that out also. Use "top" to see what also is spawning while running SMB processes.

Good luck
Guille

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Gary Dale
Sent: Tuesday, July 25, 2006 7:43 PM
To: Douglas D Germann Sr; samba@lists.samba.org
Subject: Re: [Samba] Ubuntu samba slower than red hat??

A lot of things have changed since RH9. However, one has to question the wisdom of running a desktop distro like Ubuntu as a server. I note that your new server is essentially the same speed as your old one, but with only one HD. Also, you don't mention how much memory you have or how many users are connecting to your server.

I know some people on this list are going to not like this suggestion, but for a server I would recommend you downgrade to Debian Sarge, which is running Samba 3.0.14a. This is a rock-solid distro that can be set up as a server. Basically, with it you will only have to restart it if you have a hardware problem.

To fix your speed problem, set your log level up higher in samba (it's in smb.conf) to generate some data. You might even find the problem by yourself. Samba itself is not that slow, so it is likely something about your local setup.

re. your ideas:
1 & 2 are not good ideas
3. quite likely, but this sounds like something fundamental
4. probably not a good idea

Ubuntu is Debian based and may follow the same security settings. When you copied your files, you may have copied them disk-to-disk which would have kept the old user & group numbers. Your new numbers may be quite different. You may have to look at your files on the disk and correct the ownerships.

Are your accounts and groups set up correctly? Is this a domain controller? Does it farm out password checking to another server? You may want to set up SWAT and use the wizard to set up the server in its intended role (domain controller, member server or stand-alone).

Good luck.

Douglas D Germann Sr wrote:
> Hi--
>
> About 10 days ago I switched from a Red Hat 9.0 machine
> as my Samba server to Ubuntu. Ever since, things have
> been slow.
>
> How do I mean, slow?
>
> 1st clue: previously, when I saved docs in OOo Writer,
> I would go ctrl-S and once every 4th or 5th time it
> would say it couldn't create a backup; now it is
> every time. So to save I have to go ctrl-S esc esc ctrl-S.
>
> 2nd clue: WinXP on login to the server times out before
> connecting the three drives it tries to connect--never before.
>
> 3rd clue: WinXp used to load directories instantly; now
> it takes 4-5 seconds.
>
> There is some other weirdness too: when logged in to the
> server it reports the file owner and group as dean:1005.
> dean is the name of another user on this client machine,
> but rarely used. It should see it as doug:data, which is
> how the server sees it.
>
> Also it used to see the files as
> -rwxrwSrwt 1 root root 4.0K 2003-01-25 03:18 wgetrc
>
> Now it sees them as
> -rwxrwxrwx 1 dean data 99 1993-09-28 22:07 TEST.SDW
>
>
> The new server: Ubuntu 6.06, Celeron D 2.53Ghz, one
> 200GB HDD, 6 months old. samba 3.0.22
> The old server: RedHat 9.0, Celeron 2Ghz, one
> 80GB HDD with OS on it, one 120GB HDD with only data
> on it, at least 3 years old. Samba is at least that old.
> 2.2.7a-security-rollup-fix
>
> So the question is, how can I speed up the Ubuntu samba?
> How would you troubleshoot this?
>
> Some ideas I have not yet tried:
>
> 1. Remove all the commented lines from the smb.conf
> file.
>
> 2. Perhaps older versions of samba are just faster
> than the newer ones, and I should learn to live with it.
>
> 3. Perhaps there are some tweaks in samba that I need to
> learn about.
>
> 4. Copy over the old smb.conf file to the new system.
>
> Where should I start? What is most likely to have
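Added example (not part of any message in this thread): a small audit of nsswitch.conf for the mix-up described in the reply above, where winbind was added to the shadow line instead of the group line and file groups showed up as a bare number such as 1005. The two sample files are constructed for illustration, using the Ubuntu ordering (group before shadow) that the reply mentions.

```python
import re

# The databases checked for a winbind source: passwd and group, per the reply above.
WINBIND_DATABASES = ("passwd", "group")

# Constructed sample: Ubuntu-style ordering with winbind on the wrong line.
BROKEN = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat winbind
group:          compat
shadow:         compat winbind
hosts:          files mdns4_minimal [NOTFOUND=return] dns
"""

# Constructed sample: the corrected file.
FIXED = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns
"""


def parse_nsswitch(text):
    """Parse nsswitch.conf text into {database: (line_number, [sources])}."""
    table = {}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        if ":" not in line:
            continue
        database, sources = line.split(":", 1)
        # Action items such as [NOTFOUND=return] are not lookup sources.
        sources = re.sub(r"\[[^\]]*\]", " ", sources)
        table[database.strip()] = (number, sources.split())
    return table


def audit_winbind(text):
    """Return findings about where winbind is (and is not) listed."""
    table = parse_nsswitch(text)
    findings = []
    for database in WINBIND_DATABASES:
        number, sources = table.get(database, (None, []))
        if "winbind" not in sources:
            where = f"line {number}" if number else "no entry"
            findings.append(
                f"{database} ({where}): winbind missing, domain "
                f"{database} entries will appear as numeric IDs")
    number, sources = table.get("shadow", (None, []))
    if "winbind" in sources:
        findings.append(
            f"shadow (line {number}): winbind listed here does not make "
            f"groups resolve, check it was not meant for the group line")
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label)
        for finding in audit_winbind(sample) or ["  no findings"]:
            print("  " + finding.strip())
```

On a live system, `getent group <gid>` returning a name for a domain group confirms the corrected file is in effect.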
RE: [Samba] SAMBA/PDC + LDAP HELP please?
Hi,

If you are using Fedora and have selinux enabled for your build, at the console "setenforce 0", and then try getent. If successful, I would suggest modifying selinux policy to accommodate the need for access.

Just a thought,
Guille

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Ryan Taylor
Sent: Wednesday, October 05, 2005 4:29 PM
To: samba@lists.samba.org
Subject: [Samba] SAMBA/PDC + LDAP HELP please?

More information... below is my log after running "getent group | grep Domain"

thank you
-ryan

Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 text=
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:389)
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 text=
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
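Added example (not part of any message in this thread): the slapd lines quoted above pair each BIND with a RESULT on the same conn/op, and err=49 is the LDAP result code invalidCredentials (RFC 4511). The script below correlates those pairs and reports failed binds per DN. The first two connections are the log lines from the post with the mail client's link residue removed; the conn=2 lines and their DN are constructed to show a successful bind for contrast.

```python
import re
from collections import Counter

# LDAP result codes (RFC 4511) that matter when troubleshooting binds.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}
BIND_RESPONSE_TAG = 97  # slapd logs the BindResponse as tag=97

SAMPLE_LOG = """\
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:32894 (IP=0.0.0.0:389)
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 BIND dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=0 RESULT tag=97 err=49 text=
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 op=1 UNBIND
Oct 5 19:25:04 beefylinux slapd[3320]: conn=0 fd=11 closed
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 ACCEPT from IP=127.0.0.1:32895 (IP=0.0.0.0:389)
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 BIND dn="cn=Manager,ou=DSA,dc=beefylinux,dc=com" method=128
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=0 RESULT tag=97 err=49 text=
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 op=1 UNBIND
Oct 5 19:26:38 beefylinux slapd[3320]: conn=1 fd=11 closed
Oct 5 19:30:00 beefylinux slapd[3320]: conn=2 fd=11 ACCEPT from IP=127.0.0.1:32896 (IP=0.0.0.0:389)
Oct 5 19:30:00 beefylinux slapd[3320]: conn=2 op=0 BIND dn="cn=constructed-example,dc=example,dc=com" method=128
Oct 5 19:30:00 beefylinux slapd[3320]: conn=2 op=0 RESULT tag=97 err=0 text=
"""

ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+slapd\[\d+\]:\s+"
    r"conn=(?P<conn>\d+)\s+(?:op=(?P<op>\d+)\s+)?(?P<rest>.*)$")
ACCEPT = re.compile(r"ACCEPT from IP=(\S+)")
BIND = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r"RESULT tag=(\d+) err=(\d+)")


def failed_binds(log_text):
    """Return one record per bind whose BindResponse carried a non-zero err."""
    peers = {}     # conn -> client address from the ACCEPT line
    pending = {}   # (conn, op) -> DN from the BIND request line
    events = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        conn, op, rest = entry["conn"], entry["op"], entry["rest"]
        accepted = ACCEPT.search(rest)
        if accepted:
            peers[conn] = accepted.group(1)
            continue
        bind = BIND.match(rest)
        if bind:
            pending[(conn, op)] = bind.group(1)
            continue
        result = RESULT.match(rest)
        if not result or int(result.group(1)) != BIND_RESPONSE_TAG:
            continue
        dn = pending.pop((conn, op), "<unknown>")
        code = int(result.group(2))
        if code != 0:
            events.append({
                "time": entry["ts"],
                "peer": peers.get(conn, "<unknown>"),
                "dn": dn,
                "code": code,
                "error": RESULT_NAMES.get(code, f"err={code}"),
            })
    return events


def summarize(events):
    """Count failures per (DN, error name) to spot a misconfigured client."""
    return Counter((event["dn"], event["error"]) for event in events)


if __name__ == "__main__":
    for (dn, error), count in summarize(failed_binds(SAMPLE_LOG)).items():
        print(f"{count} x {error}: {dn}")
```

Repeated invalidCredentials for the same DN from 127.0.0.1 points at the bind password configured on the local client side, which is worth checking alongside the SELinux suggestion in the reply.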
RE: [Samba] samba 3.0.x and windows 2000 service pack 4 issues ?
Hi

Upgrade to 3.0.20
Known issue after Rollup and was fixed

Good Luck

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Markus Feilner
Sent: Monday, September 05, 2005 5:00 AM
To: samba@lists.samba.org
Subject: [Samba] samba 3.0.x and windows 2000 service pack 4 issues ?

Hello list,

can anybody help me: are there any problems with active directory support between samba 3.0.x and windows 2000 with service pack 4? I had a perfect connection between samba 3.0.9 and windows 2000 SP3 until today. On Friday the Administrator installed SP4 and today my linux box was rebooted. Since then ADS integration only works partly.

Any help appreciated! Thanks.

--
Kind regards
Markus Feilner
--
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4
93047 Regensburg
phone +49 941 8107989
fax +49 941 9465244
mobile + +49 170 3027092
skype ID: mfeilner
mail: [EMAIL PROTECTED]

--
No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.344 / Virus Database: 267.10.18/91 - Release Date: 9/6/2005
RE: [Samba] net ads join error
Hi, You are not alone with regards to this error message joining FC4 to Win2k ADS. I got this after I joined. *** glibc detected *** /usr/bin/net: free(): invalid pointer: 0x00fe0db0 *** === Backtrace: = /lib/libc.so.6[0x1a6424] /lib/libc.so.6(__libc_free+0x77)[0x1a695f] /lib/libcom_err.so.2(remove_error_table+0x4b)[0x140abb] /usr/lib/libkrb5.so.3[0xf7e8c4] /usr/lib/libkrb5.so.3[0xf7e5c7] /usr/lib/libkrb5.so.3[0xfcf9da] /lib/ld-linux.so.2[0x82a058] /lib/libc.so.6(exit+0xc5)[0x16dc69] /lib/libc.so.6(__libc_start_main+0xce)[0x157dee] /usr/bin/net[0x8e70f1]
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theodore Jencks Sent: Friday, August 26, 2005 11:58 AM To: samba@lists.samba.org Subject: RE: [Samba] net ads join error So now it looks like I can join the domain however I get the following output.
Seems like there might be an issue with samba-3.0.20 and the new GCC 4 and glibc. Any idea's possibilities? I'm also not quite sure my previous problem went away the only thing I changed was adding my kdc server into the samba lmhosts file. Regards, Theo [EMAIL PROTECTED] samba]# net ads join -U tjencks%PASSWD Using short domain name -- HQ Joined 'THEO' to realm 'HQ.NAVIS.NET' *** glibc detected *** net: free(): invalid pointer: 0x007eedb0 *** === Backtrace: = /lib/libc.so.6[0x415124] /lib/libc.so.6(__libc_free+0x77)[0x41565f] /lib/libcom_err.so.2(remove_error_table+0x4b)
RE: [Samba] SUSE 9.3 Winbind+ PAM+AD
SELinux protection. To permanently allow the winbind transactions, use the Security Level program in Gnome/KDE and check the winbind_disable_trans setting.

Step 7
Join the Domain
net ads join -U Administrator
net join -U Administrator (if Server = Domain)

Step 8
Start smbd nmbd and winbindd

Step 9
If all went well you have successfully joined the Windows domain. Test access to accounts
wbinfo -t
checking the trust secret via RPC calls succeeded (This is GOOD)
wbinfo -u
Should spew out usernames in Windows
wbinfo -g
Should spew out groups in Windows
In the past I have needed to restart the Windows server at least once after joining for it to allow lookups (Don't know why???).

Step 10
This is where Windows gets involved. Make sure you add the linux host as a DNS entry in the Windows server. Restart DNS. Create a new user or modify a current user in AD for testing purposes and change the Home Directory, eg. H: \\linux\home (probably not necessary though). Next, login with the username on a Windows 2K/XP Workstation that has previously joined the domain. See if the share appears while browsing the linux server, eg. \\linux\fred

My AD config is a bit more involved, as I use group policy, netlogon, and such for control and mounts. All that info is way out of the scope of this email so I won't go into that here. Hopefully this helps. I am not an expert, but if you run into a problem that I have seen before I might be able to help out.

Guille

-----Original Message-----
From: Anthony PEROT - Generation Unix [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 12, 2005 5:47 AM
To: Guille
Subject: RE: [Samba] SUSE 9.3 Winbind+ PAM+AD

Hi,

I'm running a few workstations on FC4 and I would like to find a way to use AD users accounts and groups instead of local users, could you give me your procedure ?

Thanks
Anthony
RE: [Samba] Problem with valid users in Samba
Hi,

Out of curiosity, are you authenticating your users with a Windows 2K server? And if you are, have you recently applied the Windows 2000 SP4 rollup?

Guille

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Alejandro Cabrera Obed
Sent: Monday, July 11, 2005 6:28 PM
To: Samba (lista)
Subject: [Samba] Problem with valid users in Samba

Hi people,

I have Linux Red Hat 9 with Samba installed (samba, samba-client and samba-common 2.2.7a-7.9.0). All the Windows clients in my LAN have accessed the corresponding home directories in the Samba server, but since yesterday they can't access them.

When the Windows clients try to access their Samba directories in my Red Hat server, they are prompted for a user and password, so they put the correct data but they are kicked off.

In the smb.conf file, in the corresponding line to the valid users in the home dirs, I have this:

Valid users = %S

I didn't do anything wrong. What could have happened ??? What can I do in order to access Samba directories again ???

Thanks a lot !!!

Greetings
Alejandro
RE: [Samba] SUSE 9.3 Winbind+ PAM+AD
Well, once again I think I was able to figure out my own problem, which is impatience. I decided to bypass SWAT and manually configure my smb.conf file. That is when the magic began to start. If I recall correctly in Fedora, the default smb.conf file does not include the Valid Users = %S for the Home share. Once I removed that setting in SUSE to match my Fedora config that is things fell into place. The modified winbind statements worked when I placed them where I thought they ought to go. So I am almost completely happy. So now I am at 99%. When I figure out why I can't get to my share from a VPN client as I can with Fedora I'll be at 100%. Taking my time, Guille -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guille Williams Sent: Monday, July 11, 2005 2:01 PM To: samba@lists.samba.org Subject: [Samba] SUSE 9.3 Winbind+ PAM+AD
[Samba] SUSE 9.3 Winbind+ PAM+AD
Hello,

I have been using Fedora Core, Samba, and Active Directory to provide authentication services for Windows based users for a few years now, but as an experiment I wanted to accomplish the same service with SUSE 9.3 . I have been able to get this configuration to run successfully with RH9, FC1, FC2, FC3, and FC4 (buggy but works), but with SUSE I have stalled a bit. I feel I have Samba+SUSE 9.3 running about 90% with only winbind and pam restrictions holding up the other 10% (nscd disabled of course). I can use all the wbinfo tricks (-a -g -t -u) to lookup users in AD, which suggests everything is working as it should; however, when I attempt to access a home folder for an established user in the directory I am prompted for a password. So, of course I tried googling and the Samba howto for a light bulb inspiring thought, but the answer eludes me. I did come across this site which caught my eye...

http://www-uxsup.csx.cam.ac.uk/pub/doc/suse/suse9.3/suselinux-adminguide_en/sec.update.version.html

4.2.3.16. From Samba 2.x to Samba 3.x
Following the update from Samba 2.x to Samba 3.x, winbind authentication is no longer available. The other authentication methods can still be used. For this reason, the following programs have been removed:
/usr/sbin/wb_auth
/usr/sbin/wb_ntlmauth
/usr/sbin/wb_info_group.pl

Is this true? Will I not be able to use winbind authentication with SUSE 9.3? Does this rule apply only during the update?

The system-auth stacks are setup a little differently in SUSE 9.3 in relation to Fedora Core. I now see common-auth common-account common-session and common-password for SUSE. I realized they use includes to call the separated statements that are normally bundled together in Fedora's system-auth file. I did not think it would be too hard to modify the common-* files and login for use with winbind as I had with Fedora. I was wrong. :(

Anyway, I am using SUSE 9.3 all patched up with Samba 3.020101. The server is not a production server, so if I have to downgrade or play a bit it is all good. I have a working /etc/pam.d/login and /etc/pam.d/system-auth configuration that I use for Fedora to enforce the pam restrictions I require.

pam.d login

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open

pam.d system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Since I am new to SUSE it would be of great help if someone could translate the winbind calls used in Fedora's login and system-auth to SUSE's common-* and login files.

I also came across this site, http://www.billboswellconsulting.com/addl_Linux_Info_authenticating_suse.html, which didn't mention the login or system-auth, but did use /etc/security/pam_unix2.conf (SUSE 9.1). Should I head in the direction below?

The actual path is /etc/security/pam_unix2.conf. You'll need to modify the auth and account lines to show call_modules=winbind. If you neglect to make this change, you won't be able to login using Active Directory credentials.

auth: call_modules=winbind
account: call_modules=winbind
password:
session: none

Thanks ahead of time for any responses,
Guille
RE: [Samba] HELP - winbind/PAM issues
Hi,

I had a similar problem and rearranging some setting in the pam.d file system-auth helped. This is what I have.

System-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     sufficient    /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Login

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Theis, Jason (CAG-AP)
Sent: Wednesday, January 19, 2005 1:47 PM
To: 'samba@lists.samba.org'
Subject: [Samba] HELP - winbind/PAM issues

I have a laptop with fedora core 3 installed. I have an NT domain that I would like to use for all authentication (Linux and Windows). As a test I decided to focus on ssh authentication. I have completed the following:

Created the smb.conf:

[global]
workgroup = DOMAIN_NAME
server string = Linux Workstation
log file = /var/log/samba/%m.log
max log size = 50
security = domain
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins support = no
wins server = local_wins_server
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/winnt/%D/$U
template shell = /bin/bash
winbind separator = \
winbind use default domain = no
password server = *

[homes]
comment = Home Directories
browseable = no
writable = yes

Edited /etc/pam.d/sshd to be (assuming no security just to get this thing running):

#%PAM-1.0
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so debug
account    sufficient   pam_winbind.so
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

I have successfully joined the domain. I get the following information when running wbinfo:

wbinfo -u
DOMAIN_NAME winbind use default domain = yestfbradm
DOMAIN_NAME winbind use default domain = yestfbrenda
DOMAIN_NAME winbind use default domain = yestfbrett
DOMAIN_NAME winbind use default domain = yestfcarme
DOMAIN_NAME winbind use default domain = yestfcarmen
DOMAIN_NAME winbind use default domain = yestfcdom

wbinfo -g
DOMAIN_NAME winbind use default domain = yesvpn small office
DOMAIN_NAME winbind use default domain = yeswebposting
DOMAIN_NAME winbind use default domain = yeswebsecur01
DOMAIN_NAME winbind use default domain = yeswinsock users

This is where I am stuck:

wbinfo -a username%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user username%password with plaintext password
challenge/response password authentication succeeded

If I try to log in via ssh I get this in the log:

Jan 19 14:21:18 linus pam_winbind[5326]: request failed: No such user, PAM error was 10, NT error was NT_STATUS_NO_SUCH_USER
Jan 19 14:21:18 linus pam_winbind[5326]: user `username' not found

Why is it not able to find my NT user when wbinfo will print out my user information just fine? Am I missing something? I have read just about every thread, forum, document, etc.. etc.. I can find. Please help.

Thanks
RE: [Samba] Obey Pam Restrictions Problem 3.0.10
Hi,

I fixed the problem by rearranging some statements in the pam.d files

Hurray!

Later

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Guille Williams
Sent: Friday, January 07, 2005 6:01 PM
To: samba@lists.samba.org
Subject: [Samba] Obey Pam Restrictions Problem 3.0.10

Hi,

I was using Samba 3.0.9 on Fedora Core 2 and decided to upgrade to 3.0.10. So I upgraded to Core 3 and installed Samba 3.0.10 and thought I could just copy my settings over to the new build and everything would run smoothly. I thought wrong. Everything seems fine until I enable Obey Pam Restrictions. If enabled I get a login error from XP stating:

" Windows cannot locate your roaming profile (read only) and is attempting to log you on with your local profile. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator. DETAIL - Logon failure: unknown user name or bad password. "

If Obey Pam Restrictions = no everything is fine except the home directory creation! I use Obey Pam Restrictions to create Home Directories on the fly when a new user logs into the network. I don't have the time to manually create the directories for all the new students that sign up in the lab. The Obey Pam Restrictions option was working great on Core 2. I have been using this feature ever since I migrated from Samba 2 to Samba 3 and would be sad if I can't fix the problem or find a work around. I hope this problem is not because of Core 3. I can't afford to switch now because school is in session. I also disabled SELinux because I thought that was the root of all this evil, but that didn't work.

Here are the exact settings I used prior to 3.0.10/3.0.11pre1 that worked with 3.0.9

pam.d login

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

pam.d/samba

auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

pam.d/system-auth

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

# Global parameters
[global]
workgroup = SCHOOL
server string = Samba Server
security = DOMAIN
password server = *
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon path =
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
template homedir = /home/%U
winbind use default domain = Yes
admin users = "@Domain Admins"
cups options = raw

[homes]
comment = Home Directories
path = /home/%U
read only = No
create mask = 0760
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

/etc/nsswitch.conf

passwd: files winbind
shadow: files
group: files winbind

Please Help,
Guille
[Samba] Obey Pam Restrictions Problem 3.0.10
Hi,

I was using Samba 3.0.9 on Fedora Core 2 and decided to upgrade to 3.0.10. So I upgraded to Core 3 and installed Samba 3.0.10 and thought I could just copy my settings over to the new build and everything would run smoothly. I thought wrong.

Everything seems fine until I enable Obey Pam Restrictions. If enabled I get a login error from XP stating:

"Windows cannot locate your roaming profile (read only) and is attempting to log you on with your local profile. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator. DETAIL - Logon failure: unknown user name or bad password."

If Obey Pam Restrictions = no everything is fine except the home directory creation! I use Obey Pam Restrictions to create Home Directories on the fly when a new user logs into the network. I don't have the time to manually create the directories for all the new students that sign up in the lab.

The Obey Pam Restrictions option was working great on Core 2. I have been using this feature ever since I migrated from Samba 2 to Samba 3 and would be sad if I can't fix the problem or find a workaround. I hope this problem is not because of Core 3. I can't afford to switch now because school is in session. I also disabled SELinux because I thought that was the root of all this evil, but that didn't work.
Here are the exact settings I used prior to 3.0.10/3.0.11pre1 that worked with 3.0.9

pam.d login

    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_stack.so service=system-auth
    auth       required     /lib/security/pam_nologin.so
    account    sufficient   /lib/security/pam_winbind.so
    account    required     /lib/security/pam_stack.so service=system-auth
    password   required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_stack.so service=system-auth
    session    optional     /lib/security/pam_console.so

pam.d/samba

    auth       required     pam_nologin.so
    auth       required     pam_stack.so service=system-auth
    account    required     pam_stack.so service=system-auth
    session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth

pam.d/system-auth

    auth       required     /lib/security/pam_env.so
    auth       sufficient   /lib/security/pam_winbind.so
    auth       sufficient   /lib/security/pam_unix.so likeauth nullok use_first_pass
    auth       required     /lib/security/pam_deny.so
    account    required     /lib/security/pam_unix.so
    password   required     /lib/security/pam_cracklib.so retry=3 type=
    password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password   required     /lib/security/pam_deny.so
    session    required     /lib/security/pam_limits.so
    session    required     /lib/security/pam_unix.so

# Global parameters
[global]
    workgroup = SCHOOL
    server string = Samba Server
    security = DOMAIN
    password server = *
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    logon path =
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    ldap ssl = no
    idmap uid = 1-2
    idmap gid = 1-2
    template homedir = /home/%U
    winbind use default domain = Yes
    admin users = "@Domain Admins"
    cups options = raw

[homes]
    comment = Home Directories
    path = /home/%U
    read only = No
    create mask = 0760
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

/etc/nsswitch.conf

    passwd: files winbind
    shadow: files
    group:  files winbind

Please Help,
Guille

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] SWAT
Hi,

Has anyone else noticed a small issue with SWAT and Webmin? I am currently using Fedora Core 2 2.6.8-1.521, Webmin 1.150, and Samba 3.0.6.

The problem I have is when I click on the SWAT option from within the Samba Windows File Sharing module I get a blank page with links "Return to share list" or "Logout of SWAT". I did not have this problem with 3.0.6rc2. If I force the install of SWAT 3.0.6rc2 for use with 3.0.6 I can still manage Samba (I assume not safe).

I can use SWAT fine if I allow it as an Extended Internet Service and add the host from which I want to connect, but since I never have had to do this in the past (Samba 2.2x-3.0.6rc2) I would like to avoid using Xinet in the future.

Just Wondering,
Guille

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Security question for newbie
Yeah

Well I decided to break down and read the help file, which I should have done all along, and figured out what eliminates the problem. Thanks to tm3 and Tim Tait for all the support. I hate when the answer is this easy, but all I had to do was specify path = /home/%U and all the users I enter (apache, bin, nobody etc.) now have the home directory of the current user.

Thanks again,
Guille

- Original Message -
From: "Tim Tait" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 01, 2004 8:51 PM
Subject: Re: [Samba] Security question for newbie

> Guille Williams wrote:
>
> >Hi,
> >
> >I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server.
> >Everything is working rather well with regards to file-sharing and authentication.
> >However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.
> >For example...
> >I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares. Now John should only have three browseable Shares in this example, Home, Public, and Software.
> >Samba and Windows drive mapping take care of this correctly. But say John is a Linux fan, notices that we are using Linux, and decides to play around a bit.
> >John now enters \\(linux machine)\nobody ( more appropriate \\%N\nobody\), and TADA he now can see the root file-system for the Linux machine.
> >Now John can browse through /etc/samba, find my samba.conf file, and see all the shares I may have hidden. I know I can chmod that file but that's not what's scaring me.
> >John shouldn't be able to see /. I know that user 'nobody' home directory is /. John shouldn't have access to nobody's home directory.
> >
> >HOW DO I STOP THIS?
> >Changing the properties of 'Other' on the folders in the root filesystem won't help because it just starts to break things.
> >So I need a quick fix before I start buying books and reading months of old threads to resolve this issue.
> >Thanks Ladies and Gents,
> >Guille
> >
> >p.s. Sorry if this question is answered already in a thread I haven't found. I just joined the Mailing list and I am currently searching.
> >
>
> OK, it's not you!
>
> I just checked my Knoppix-HD install as well as my Devil-Linux box, and both exhibit similar behaviour. On the Knoppix box "nobody" has their home dir mapped to a dir that does not exist, so that fails. But "\\machine\root" brings up the root home dir!
>
> Once you open that share, it then appears in the shares list Windows explorer. The comment next to them all is "Home Directories", which I think means they are being automounted by the [homes] share somehow. You would think by default it would only allow mounting of a [homes] share by the user that owns it. The directories that are listed do have permissions set to allow the user in question to list them. I.e. it is the same as that user could do if they logged in directly. Not sure it is proper though.
>
> Tim

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
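An added example (not part of any message in this thread, and not Samba code): a simplified model of the [homes] lookup described above, used to audit which passwd accounts would hand an authenticated user a directory outside /home. The passwd lines are constructed for the example, and `valid users = %S` is a standard smb.conf setting that the thread itself does not mention.

```python
# Simplified model of the [homes] behaviour discussed in this thread; not Samba code.
# Only user names are handled in "valid users" (no @group entries).
# The passwd lines below are constructed sample data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
john:x:501:501:John:/home/john:/bin/bash
"""

def parse_passwd(text):
    """Return {username: home_directory} from passwd-format text."""
    homes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            homes[fields[0]] = fields[5]
    return homes

def expand(value, service, session_user):
    """Expand the two smb.conf variables used here: %S (share name), %U (session user)."""
    return value.replace("%S", service).replace("%U", session_user)

def resolve_homes(service, session_user, passwd, homes_opts):
    """Return the directory served when session_user opens the share named service."""
    if service not in passwd:
        return None                      # no such account, so no home share is created
    valid = homes_opts.get("valid users")
    if valid is not None:
        allowed = [expand(v, service, session_user) for v in valid.split()]
        if session_user not in allowed:
            return None                  # connecting user is not allowed on this share
    path = homes_opts.get("path")
    if path is None:
        return passwd[service]           # default: the named account's home directory
    return expand(path, service, session_user)

def audit(passwd_text, homes_opts, session_user, home_root="/home/"):
    """List (account, directory) pairs reachable by session_user outside home_root."""
    passwd = parse_passwd(passwd_text)
    findings = []
    for account in sorted(passwd):
        served = resolve_homes(account, session_user, passwd, homes_opts)
        if served is not None and not served.startswith(home_root):
            findings.append((account, served))
    return findings

if __name__ == "__main__":
    configs = {
        "[homes] with no path": {},
        "path = /home/%U": {"path": "/home/%U"},
        "valid users = %S": {"valid users": "%S"},
    }
    for label, opts in configs.items():
        print(label, "->", audit(SAMPLE_PASSWD, opts, "john"))
```

Run it against the real /etc/passwd contents of a server to see which system accounts have a home directory outside /home before relying on a [homes] section that sets neither option.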
Re: [Samba] Security question for newbie
Tried this:

    guest account = pcguest

and I still get the same result.

Thanks though,
Guille

- Original Message -
From: "tms3" <[EMAIL PROTECTED]>
To: "Guille Williams" <[EMAIL PROTECTED]>
Sent: Thursday, July 01, 2004 8:09 PM
Subject: Re: [Samba] Security question for newbie

> I found it. I think. Try this. Add a line
>
> guest account = pcguest .
>
> The smb.conf.sample file says this:
>
> # Uncomment this if you want a guest account, you must add this to /etc/passwd
> # otherwise the user "nobody" is used
> guest account = pcguest
>
> Since no account pcguest exists...and now it ignores "nobody" I'm guessing here.
>
> Guille Williams wrote:
>
> >O.k.
> >I decided to start from scratch with a separate box running the same linux distro (Fedora 2).
> >This time the linux box is a standalone server, Security=User, and I created a user *nix/smb Student, and all the other settings are defaults.
> >From the WinXP box I type \\fedora\ so that I can login with Student and verify access to the home directory.
> >I also browse the Network Neighborhood and only see the Home directory. So that works fine too. But then I type \\fedora\nobody and I can see the file-system once again.
> >What can I be doing wrong in such a simple setup.
> >
> >Guille
> ># Samba config file created using SWAT
> ># from 0.0.0.0 (0.0.0.0)
> ># Date: 2004/07/01 19:39:32
> >
> ># Global parameters
> >[global]
> >    workgroup = WORKGROUP
> >    realm =
> >    netbios name = FEDORA
> >    netbios aliases =
> >    netbios scope =
> >    server string = Samba Server
> >    log file = /var/log/samba/log.smbd
> >    max log size = 50
> >    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >    dns proxy = No
> >    ldap ssl = no
> >    idmap uid = 1-2
> >    idmap gid = 10000-2
> >
> >[homes]
> >    comment = Home Directories
> >    read only = No
> >    browseable = No
> >
> >[printers]
> >    comment = All Printers
> >    path = /var/spool/samba
> >    printable = Yes
> >    browseable = No
> >
> >- Original Message -
> >  From: tms3
> >  To: Guille Williams
> >  Sent: Thursday, July 01, 2004 7:17 PM
> >  Subject: Re: [Samba] Security question for newbie
> >
> >  Don't know much about the intricacies of System V/Linux, but there's got to be something odd in your smb.conf file to cause this. After reading your initial email I thought:
> >
> >  Shit, I better look into this!
> >
> >  I did, and I can't replicate it. On my Samba ads joined machine, no ADS account, no mapping. I don't use SWAT for security reasons. Is SWAT adding things to smb.conf you don't want (again, I've never used it)? Maybe some misconfiguration in ldap? I wish I could be of more help.
> >
> >  TMS III
> >
> >  Guille Williams wrote:
> >
> >Good idea.
> >The only problem is I am going to have to do this for all the UID -500 (except root).
> >The solution is tedious but works.
> >Thanks for your help,
> >Guille
> >
> >- Original Message -
> >From: "tms3" <[EMAIL PROTECTED]>
> >To: "Guille Williams" <[EMAIL PROTECTED]>
> >Sent: Thursday, July 01, 2004 5:04 PM
> >Subject: Re: [Samba] Security question for newbie
> >
> >  Wow, you can't on mine--Samba 3.0.4, FreeBSD5.2.1, W2k server.
> >
> >Anyway since the authentication is through AD, then create a user called nobody in AD, give it a password (big long ugly thing), and really deprive its privileges in AD. Should put a kibosh on it until you find out why this is happening.
> >
> >TMS III
> >Guille Williams wrote:
> >
> >Hi,
> >
> >I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server.
> >Everything is working rather well with regards to file-sharing and authentication.
> >However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.
> >For example...
> >I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares. Now John should only have three browseable Shares in this example, Home, Public, and Software.
> >Samba and Windows drive mapping take
[Samba] Security question for newbie
O.k.

I decided to start from scratch with a separate box running the same linux distro (Fedora 2). This time the linux box is a standalone server, Security=User, and I created a user *nix/smb Student, and all the other settings are defaults.

From the WinXP box I type \\fedora\ so that I can login with Student and verify access to the home directory. I also browse the Network Neighborhood and only see the Home directory. So that works fine too. But then I type \\fedora\nobody and I can see the file-system once again.

What can I be doing wrong in such a simple setup.

Guille

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/07/01 19:39:32

# Global parameters
[global]
    workgroup = WORKGROUP
    realm =
    netbios name = FEDORA
    netbios aliases =
    netbios scope =
    server string = Samba Server
    log file = /var/log/samba/log.smbd
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = No
    ldap ssl = no
    idmap uid = 1-2
    idmap gid = 1-2

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

- Original Message -
From: tms3
To: Guille Williams
Sent: Thursday, July 01, 2004 7:17 PM
Subject: Re: [Samba] Security question for newbie

Don't know much about the intricacies of System V/Linux, but there's got to be something odd in your smb.conf file to cause this. After reading your initial email I thought:

Shit, I better look into this!

I did, and I can't replicate it. On my Samba ads joined machine, no ADS account, no mapping. I don't use SWAT for security reasons. Is SWAT adding things to smb.conf you don't want (again, I've never used it)? Maybe some misconfiguration in ldap? I wish I could be of more help.

TMS III

Guille Williams wrote:

Good idea.
The only problem is I am going to have to do this for all the UID -500 (except root).
The solution is tedious but works.
Thanks for your help,
Guille

- Original Message -
From: "tms3" <[EMAIL PROTECTED]>
To: "Guille Williams" <[EMAIL PROTECTED]>
Sent: Thursday, July 01, 2004 5:04 PM
Subject: Re: [Samba] Security question for newbie

Wow, you can't on mine--Samba 3.0.4, FreeBSD5.2.1, W2k server.

Anyway since the authentication is through AD, then create a user called nobody in AD, give it a password (big long ugly thing), and really deprive its privileges in AD. Should put a kibosh on it until you find out why this is happening.

TMS III

Guille Williams wrote:

Hi,

I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server. Everything is working rather well with regards to file-sharing and authentication. However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.

For example... I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares. Now John should only have three browseable Shares in this example, Home, Public, and Software. Samba and Windows drive mapping take care of this correctly. But say John is a Linux fan, notices that we are using Linux, and decides to play around a bit. John now enters \\(linux machine)\nobody ( more appropriate \\%N\nobody\), and TADA he now can see the root file-system for the Linux machine. Now John can browse through /etc/samba, find my samba.conf file, and see all the shares I may have hidden. I know I can chmod that file but that's not what's scaring me. John shouldn't be able to see /. I know that user 'nobody' home directory is /. John shouldn't have access to nobody's home directory.

HOW DO I STOP THIS?

Changing the properties of 'Other' on the folders in the root filesystem won't help because it just starts to break things. So I need a quick fix before I start buying books and reading months of old threads to resolve this issue.

Thanks Ladies and Gents,
Guille

p.s. Sorry if this question is answered already in a thread I haven't found. I just joined the Mailing list and I am currently searching.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Security question for newbie
Hi,

I am using Samba version 3.051 in an Active Directory setting with Windows 2000 server. Everything is working rather well with regards to file-sharing and authentication. However, the one thing that I noticed that I haven't been able to fix quickly with SWAT is the prevention of browsing the Linux file-system with users such as 'nobody' or 'bin'.

For example... I have a user in Active Directory named John. John is part of the group 'students', and has restricted access through Group Policy and Samba Shares. Now John should only have three browseable Shares in this example, Home, Public, and Software. Samba and Windows drive mapping take care of this correctly. But say John is a Linux fan, notices that we are using Linux, and decides to play around a bit. John now enters \\(linux machine)\nobody ( more appropriate \\%N\nobody\), and TADA he now can see the root file-system for the Linux machine. Now John can browse through /etc/samba, find my samba.conf file, and see all the shares I may have hidden. I know I can chmod that file but that's not what's scaring me. John shouldn't be able to see /. I know that user 'nobody' home directory is /. John shouldn't have access to nobody's home directory.

HOW DO I STOP THIS?

Changing the properties of 'Other' on the folders in the root filesystem won't help because it just starts to break things. So I need a quick fix before I start buying books and reading months of old threads to resolve this issue.

Thanks Ladies and Gents,
Guille

p.s. Sorry if this question is answered already in a thread I haven't found. I just joined the Mailing list and I am currently searching.

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba