Re: [Samba] Debian Package Updates

2013-08-08 Thread Harry Jede
On 11:32:37 wrote Gémes Géza:
 On 2013-08-08 02:11, Andrew Bartlett wrote:
  On Wed, 2013-08-07 at 17:58 +0100, Dominic Evans wrote:
  On 5 August 2013 01:28, Andrew Bartlett abart...@samba.org wrote:
  On Fri, 2013-08-02 at 14:41 +0100, Dominic Evans wrote:
  The debian package of samba4 is still sitting at 4.0.3 in
  experimental. Please could someone (Andrew?) upload an updated
  package now that we are up to 4.0.7?
  
  http://packages.qa.debian.org/s/samba4.html
  
  We have toiled mightily, and have new experimental packages. 
  They are stuck in the NEW queue, and have been for a month:
  http://ftp-master.debian.org/new.html
  
  (This is because we have additional package names, as part of the
  merge with the 'samba' package).
  
  So the new packages have now made it into experimental
  http://packages.qa.debian.org/s/samba/news/20130806T230018Z.html
  
  However, it isn't obvious what the upgrade step(s) should be from
  an existing `samba4` install to these packages. They don't appear
  to have specified Conflicts/Replaces with the samba4 packages,
  and it appears like a `sudo apt-get install -t experimental
  samba` would be partially installing alongside the existing
  samba4 binaries?
  
  We do have conflicts/Replaces set, and when the bulk of the
  packaging work was done this was tested upgrading from both.  From
  here, the best approach would be to tell us what errors you get,
  and we can add some more as required.
  
  Andrew Bartlett
 
 Unfortunately
 http://packages.debian.org/search?keywords=samba&searchon=sourcenames&suite=experimental&section=all
 still shows samba4 (4.0.3+dfsg1-0.1).

That is OK.
Package name has changed from samba4 to samba. Compare these:

http://packages.qa.debian.org/s/samba.html
http://packages.qa.debian.org/s/samba4.html

At least wait two days :-( . Debian QA is quite complex and needs some 
time.

Package maintainers may fix lintian errors.

 Regards
 
 Geza Gemes


-- 

Regards
Harry Jede
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] upgrade samba

2013-01-28 Thread Harry Jede
On 16:55:05 wrote Fabrizio Monti:
 Hi Nico Kadel-Garcia,
 thanks for reply. Path for smbldap is correct. Other log file have
 
 2013/01/25 17:20:13.974204,  1]
 auth/server_info.c:386(samu_to_SamInfo3) The primary group domain
 sid(S-1-5-21-3564791867-1010203101-2143723903-513) does not match the
 domain sid(S-1-5-21-2427793829-1009842549-3523806979) for
 Manager(S-1-5-21-2427793829-1009842549-3523806979-500)
You have a SID problem:
S-1-5-21-3564791867-1010203101-2143723903-513
S-1-5-21-2427793829-1009842549-3523806979
S-1-5-21-2427793829-1009842549-3523806979-500


So it seems to be a config/upgrade problem.

Check the output from:
net getdomainsid

also control the sid setting in smbldaptools.conf

...

 Then the problem is sid, samba-3.3 probably do not check sid. Ldap
 is working so it is possible disable sid check in samba-3.6?
SIDs are Microsoft's primary security identifier. I believe you cannot 
change this.

 
 Fabrizio.

-- 

Regards
Harry Jede


Re: [Samba] Error with active Libvirt Bridge (virbr0)

2012-12-18 Thread Harry Jede
On 09:59:31 wrote Börje Johnsson:
 Just want to report an error in samba configuration / setup.
That is not a samba problem.

 I installed Samba 4 GA on a fresh installation of Ubuntu 12.04. The
 server is a testbed and has the virtualization package installed
 also.
 
 I have two network interfaces except lo: eth0 and virbr0.
 
 In the provisioning step samba correctly finds my eth0 network
 interface:
 
Looking up IPv4 addresses
More than one IPv4 address found. Using 172.20.10.19
 
 After I provision Samba I try to test according to the HOWTO and host
 lookup fails:
 
 # host -t SRV _ldap._tcp.hrt.local
 ;; connection timed out; no servers could be reached
 
 After I disable virbr0 everything works as intended (I reran the
 provisioning step, haven't checked if that was necessary).
So, you have found that the bridge definition from libvirt for the 
bridge virbr0 is the problem.

The real problem is that libvirt adds some iptables rules during bridge 
creation. So, never ever use libvirt created bridges.

To solve this, I prefer not to use libvirt for this task.
- create a host bridge br0 via brctl
- create a new interface or hook up the old one in libvirt gui to br0
- reboot the host !!!

 
 host -t SRV _ldap._tcp.hrt.local
 _ldap._tcp.hrt.local has SRV record 0 100 389 hrmfile.hrt.local.
 
 
 cheers
 BJ


-- 

regards

Harry Jede


Re: [Samba] File update detection

2012-12-04 Thread Harry Jede
On 11:02:43 wrote Dennis Verspuij - SpuyMore:
 Hello,
 
 I run Samba 4.0.0-168.fc18.rc5.x86_64 on my Linux box. I use an
 editor on my Windows box to edit files on one of the Samba shares
 and that editor has a file update detection mechanism, polling every
 x seconds for changes to file modification timestamp. And around
 every 12 to 14 seconds it pops up the files have been changed while
 they aren't. Any idea what may cause this?
For Samba3.

man smb.conf

dos filetime resolution

and/or

fake directory create times

Maybe a registry entry may fix this client behavior
https://lists.samba.org/archive/samba/2012-June/168067.html

 Kind regards,
 
 Dennis Verspuij


-- 

Regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-30 Thread Harry Jede
On Thursday, 29 November 2012, you wrote:
 I still dont understand why ldap search filter generated by samba ( i
 have this from samba log ) cannot find anything in database:
 smbldap_search_paged: base = [dc=gymsnv,dc=sk], filter =
 [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-
 21-2390795950-2727105968-4008069955*))],scope = [2], pagesize =
 [1024] [2012/11/29 18:15:14.227560,  3]
 lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged:
 search was successful
 [2012/11/29 18:15:14.227647,  3]
 rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context:
 destroying talloc pool of size 0
 
 If I remove sambaSID and try to find it in ldap, I will get all my
 groups. Filter =
 (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))
 
 Is this normal behavior or my ldap configuration can be incorrect?
That's not normal.

What indexes have you set?
# ldapsearch -LLLY external -H ldapi:/// -b cn=config "(objectclass=*)" olcDBIndex

These are my indexes:
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: displayName eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: mail eq,sub
olcDbIndex: dhcpHWAddress eq
olcDbIndex: dhcpClassData eq
olcDbIndex: cn eq,pres,sub
olcDbIndex: sn eq,pres,sub
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: default sub

And this shows the files:
# cd /var/lib/ldap/
# ls -l *bdb
-rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
-rw--- 1 openldap openldap  8192  1. Jan 2012  dc.bdb
-rw--- 1 openldap openldap  8192 18. Nov 15:49 dhcpHWAddress.bdb
-rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
-rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 gidNumber.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 givenName.bdb
-rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 loginShell.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 mail.bdb
-rw--- 1 openldap openldap  8192  1. Jun 2012  memberUid.bdb
-rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
-rw--- 1 openldap openldap  8192  1. Jun 19:57 ou.bdb
-rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaDomainName.bdb
-rw--- 1 openldap openldap  8192 10. Mai 2012  sambaGroupType.bdb
-rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 sambaSID.bdb
-rw--- 1 openldap openldap  8192 27. Nov 22:54 sambaSIDList.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 sn.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 uid.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 uidNumber.bdb
-rw--- 1 openldap openldap  8192  1. Jan 2012  uniqueMember.bdb
root@capella:/var/lib/ldap# 

-- 

Regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
 Hi this is my listing:
 
 net -U administrator rpc group members Administrators
 Enter administrator's password:
 Couldn't list alias members
Your samba server WILL not list the members of this global group, mostly 
a security issue.

 ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
 (sambaSID=S-1-5-32*))'
 
 ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
 (sambaSID=*))'
 dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
 objectClass: sambaSidEntry
 objectClass: sambaGroupMapping
 sambaSID: S-1-5-32-545
 sambaGroupType: 4
 displayName: Users
 gidNumber: 1
 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
Your LDAP client WILL list the group members.

 Do you know what does this mean?
The reason is often wrongly configured smbldap-tools. Check the 
/etc/smbldap-tools/smbldap.conf file for the wrong SID entry.

   net getdomainsid
   SID for local machine HOST is:
   S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE
   is: S-1-5-21-2390795950-2727105968-4008069955
Your server and your domain have different SIDs, that may be your 
problem. Try:
# net setlocalsid S-1-5-21-2390795950-2727105968-4008069955

and restart samba.



 Thanks.

-- 

regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
please post to the list !!!

 On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede walk2...@arcor.de wrote:
  Hi Simo,
  
   Hi this is my listing:
   
   net -U administrator rpc group members Administrators
   Enter administrator's password:
   Couldn't list alias members
  
  Your samba server WILL not list the members of this global group,
  mostly a security issue.
 
 User administrator has all rights, so I dont think it is a security
 issue. Or do you know some checks that I could try?
 
   ldapsearch -xLLL
   '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
   (sambaSID=S-1-5-32*))'
   
   ldapsearch -xLLL
   '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
   (sambaSID=*))'
   dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
   objectClass: sambaSidEntry
   objectClass: sambaGroupMapping
   sambaSID: S-1-5-32-545
   sambaGroupType: 4
   displayName: Users
   gidNumber: 1
   sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
  
  Your LDAP client WILL list the group members.
  
   Do you know what does this mean?
  
  The reason is often wrongly configured smbldap-tools. Check the
  /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.
 
  SID in smbldap.conf is:
 SID=S-1-5-21-2390795950-2727105968-4008069955
 
 So that is correct.
 
 net getdomainsid
 SID for local machine HOST is:
 S-1-5-21-2242576961-186067218-2214866780 SID for domain
 EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
  
  Your server and your domain have different SIDs, that may be your
  problem. Try:
  # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955
  
  and restart samba.
 
 Tried that, nothing changed.
Post:
net getdomainsid


Do the following steps (enclosed with ###) in order
###

I compared my smb.conf with yours. I have ldap suffix before
 ldap group suffix.

ldap suffix  = dc=europa,dc=xx
ldap admin dn= cn=admin,dc=europa,dc=xx
ldap group suffix= ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix  = ou=machines,ou=accounts

and I have NOT installed winbindd!

###
Check if you have the groups defined in LDAP and in /etc/groups. The 
groups should only be in LDAP.

###
check the admin account in ldap:

# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx

Check that your ldap admin password is OK.
# tdbdump /var/lib/samba/secrets.tdb

look for:
{
key(45) = SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx
data(12) = ThePassword\00
}



Try to bind with this password:
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -w ThePassword \
  "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"


Check if root get the same result:
# ldapsearch -LLLY external -H ldapi:/// \
  "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null

###

at last, search for duplicate names:
# ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn



You should get one result.
 
   Thanks.
  
  --
  
  regards
  
  Harry Jede
  


-- 

Regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
On 20:15:56 wrote Andrej Šimko:
 net getdomainsid
 SID for local machine HOST is:
 S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
 S-1-5-21-2390795950-2727105968-4008069955
 
 I compared my smb.conf with yours. I have ldap suffix before
  ldap group suffix.
 
 I switched that but result still the same.
 
  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
 dn: cn=admin,dc=example,dc=sk
 
 tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
 
 ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
 dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
 objectClass: sambaSidEntry
 objectClass: sambaGroupMapping
 sambaSID: S-1-5-32-545
 sambaGroupType: 4
 displayName: Users
 gidNumber: 1
 sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Sorry, that I haven't seen this in your mail at 09:07

This is a working group object:

# ldapsearch -LLLY external -H ldapi:/// \
  "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users


The main difference is the objectclass posixGroup instead of 
sambaSidEntry.
Samba Group Mapping is not a simple task. Your definition with 
objectclass=sambasidentry is not totally wrong, but the intended use is 
that you store your posixgroups in /etc/group or in NIS.
With an LDAP backend that is not the best approach.

Here are the three standard definitions with objectclass=posixgroup

###
A primary group: posix and windows primary
members should NOT be stored here

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

# getent group teachers
teachers:*:1001:

# net  rpc group members teachers
# nothing



###
A regular group in posix, a global group in windows
members are stored in memberUid

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

# getent group domainadmins
DomainAdmins:*:512:Administrator,root


# Asking for the Windows name, which is stored in displayName
# net rpc group members "domain admins"
EUROPA\Administrator
EUROPA\root

# Asking for the posix name, which is stored in cn
# net rpc group members domainadmins
EUROPA\Administrator
EUROPA\root


###
A windows/samba builtin group
no posix members
Windows members must be stored in sambaSIDList. These types of groups 
will be used in Windows OS (client and/or server)

# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(cn=administrators))" 2>/dev/null
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators


# getent group administrators
Administrators:*:544:

# net rpc group members administrators
EUROPA\Domain Admins

###
-- 

Regards
Harry Jede

Re: [Samba] Samba PDC group list empty

2012-11-23 Thread Harry Jede
On 18:32:29 wrote Andrej Šimko:
 Dear samba users,
 
 I have very strange problem. I have Samba PDC up and running, but
 only thing is missing. I cannot see any Domain Groups at all.

...

 net getdomainsid
 SID for local machine HOST is:
 S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE is:
 S-1-5-21-2390795950-2727105968-4008069955
 
 net groupmap list
 Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
 Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
 Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
 Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
 Administrators (S-1-5-32-544) -> Administrators
 Account Operators (S-1-5-32-548) -> Account Operators
 Print Operators (S-1-5-32-550) -> Print Operators
 Backup Operators (S-1-5-32-551) -> Backup Operators
 Replicators (S-1-5-32-552) -> Replicators
 
 
 The strange thing is, if I try on Win XP to search groups, i see in
 logs: smbldap_search_paged: base = [dc=example,dc=sk], filter =
 [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-2
 1-2390795950-2727105968-4008069955*))],scope = [2], pagesize =
 [1024]
   smbldap_search_paged: base = [dc=example,dc=sk], filter =
 [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-2
 1-2390795950-2727105968-4008069955*))],scope = [2], pagesize =
 [1024]
   smbldap_search_paged: base = [dc=example,dc=sk], filter =
 [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-3
# net help rpc group 
Usage:
net rpc group
Alias for net rpc group list global local builtin
net rpc group add
Create specified group
net rpc group delete
Delete specified group
net rpc group addmem
Add member to group
net rpc group delmem
Remove member from group
net rpc group list
List groups
net rpc group members
List group members
net rpc group rename
Rename group

# net -U root rpc group members Administrators
EUROPA\Domain Admins


view this output:

# ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))'
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
memberUid: Administrator
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

dn: cn=guests,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: guests
memberUid: nobody
description: Netbios Domain Guests
sambaSID: S-1-5-32-546
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-514
sambaGroupType: 4
displayName: Guests

dn: cn=AccountOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: AccountOperators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Account Operators

dn: cn=PrintOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: PrintOperators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Print Operators

dn: cn=BackupOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: BackupOperators
description: Netbios Domain Members can bypass file security to back up 
files
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Backup Operators

dn: cn=Replicators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a 
sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replicators


 If I try to search in ldap with that filter, I always get zero
 matches.
 
 I also tried to use wbinfo, wbinfo -u list all my users, wbinfo -g
 list is empty. If I try getent passwd and getent group I see all my
 users and groups.
 Can somebody help me with this?
 
 Thank you!


-- 

Regards
Harry Jede

Re: [Samba] LDAP with Samba Server

2012-11-12 Thread Harry Jede
On 19:43:51 wrote rodrigo tavares:
 Hello !
 
 Today I have a ldap server, it replicate the database from another
 machine SMB-LDAP. See the result:
 
 dn: cn=informatica,ou=defensoria,dc=defensoria,dc=br
 cn: informatica
 description: Informatica
 gidNumber: 2451
 phpgwAccountExpires: -1
 phpgwAccountType: g
 userPassword:
 mail: informat...@defensoria.br
 memberUid: diego.santos
 memberUid: alan.murta
 memberUid: bruce.borba
 memberUid: william.mor
 memberUid: manuel.neto
 memberUid: eli.set
 memberUid: rodrigo.tavares
 memberUid: faria.tavares
 structuralObjectClass: posixGroup
 entryUUID: e0cf40fa-b0af-1031-9098-b773bfdd8a70
 creatorsName: cn=admin,dc=defensoria,dc=br
 createTimestamp: 20121022161837Z
 objectClass: top
 objectClass: posixGroup
 objectClass: phpgwAccount
 objectClass: sambaGroupMapping
 sambaGroupType: 2
 displayName: informatica
 sambaSID::
 IFMtMS01LTIxLTM2OTQ4MTM4NjctMjE3NjUzNTQ2Ny0xMzMzMDcxNTk2LTU5MDM=
The field sambaSID should never be base64 encoded!
There is a space before S-1-5, but should not ;-)

$ echo IFMtMS01LTIxLTM2OTQ4MTM4NjctMjE3NjUzNTQ2Ny0xMzMzMDcxNTk2LTU5MDM=|
base64 -d
 S-1-5-21-3694813867-2176535467-1333071596-5903

check your smbldap config file.

Maybe that all or most sambaSid attributes are wrong.

 entryCSN: 20121112130102.988770Z#00#000#00
 modifiersName: cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br
 modifyTimestamp: 20121112130102Z
 
 I my smb.conf
 
 [system]

 comment = system
 path = /home/system
 public = yes
 printable = no
 browseable = no
 guest ok = yes
 read only = yes
 write list = @informatica
 
  domain logons = yes
add user script = /usr/sbin/smbldap-useradd -a -m %u
add group script = /usr/sbin/smbldap-groupadd -p %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
 
 
  ldap user suffix = ou=defensoria
ldap group suffix = ou=grupos
ldap machine suffix = ou=computadores
ldap passwd sync = yes
ldap admin dn = cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br
ldap suffix = dc=defensoria,dc=mg,dc=gov,dc=br
ldap ssl = no
passdb backend = ldapsam:ldap://10.26.7.249
 
 
 http://rodrigofariat.files.wordpress.com/2012/11/ldap-smb.png
 
 
 
 When I try mapping the folder, come a screen with login/password,
 then i type password but is not login is not access. Why is not
 access ?
 
 Rodrigo Faria


-- 

Regards
Harry Jede
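
Added example, not part of the thread and not Samba or smbldap-tools code: a small Python auditor for `ldapsearch -LLL` / `slapcat` LDIF that flags the two SID faults diagnosed in this reply and in the "upgrade samba" reply above, namely a `sambaSID` stored with a leading space (LDIF prints such values base64-encoded after `::`) and a SID whose domain part differs from the domain SID. The sample LDIF is constructed from values quoted on this page; the DNs, the RID 1000 and all function names are assumptions.

```python
import base64
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
BUILTIN = "S-1-5-32"  # well-known BUILTIN domain, identical on every server
SID_ATTRS = {"sambasid", "sambaprimarygroupsid"}


def parse_ldif(text):
    """Return [(dn, [(attr, value, was_base64), ...]), ...] from LDIF text."""
    # Unfold: a line that starts with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], []
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                dn = next((v for a, v, _ in current if a.lower() == "dn"), "")
                entries.append((dn, current))
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            # "attr:: <base64>": the server judged the value not a safe string,
            # for example because it begins with a space.
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            current.append((attr, value, True))
        else:
            current.append((attr, rest.lstrip(" "), False))
    return entries


def audit(text, domain_sid):
    """Return [(dn, attr, problem), ...] for SID attributes that look wrong."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for attr, value, was_b64 in attrs:
            if attr.lower() not in SID_ATTRS:
                continue
            if was_b64:
                findings.append((dn, attr, "base64-encoded value"))
            if value != value.strip():
                findings.append((dn, attr, "leading/trailing whitespace"))
            sid = value.strip()
            if not SID_RE.fullmatch(sid):
                findings.append((dn, attr, "malformed SID"))
                continue
            # Domain part = SID without its last sub-authority (the RID).
            domain = sid.rsplit("-", 1)[0]
            if sid != domain_sid and domain not in (domain_sid, BUILTIN):
                findings.append((dn, attr, "domain part differs: " + domain))
    return findings


# Constructed sample. The base64 value and the foreign primary-group SID are
# the ones quoted on this page; everything else is made up for the example.
DOMAIN_SID = "S-1-5-21-3694813867-2176535467-1333071596"
SAMPLE_LDIF = """\
dn: cn=informatica,ou=grupos,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID:: IFMtMS01LTIxLTM2OTQ4MTM4NjctMjE3NjUzNTQ2Ny0xMzMzMDcx
 NTk2LTU5MDM=

dn: cn=users,ou=grupos,dc=example,dc=com
objectClass: sambaGroupMapping
sambaGroupType: 4
sambaSID: S-1-5-32-545

dn: uid=manager,ou=people,dc=example,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-3694813867-2176535467-1333071596-1000
sambaPrimaryGroupSID: S-1-5-21-3564791867-1010203101-2143723903-513
"""

if __name__ == "__main__":
    for dn, attr, problem in audit(SAMPLE_LDIF, DOMAIN_SID):
        print(f"{dn}: {attr}: {problem}")
```

Feed it the LDIF from `ldapsearch -LLL` or `slapcat` together with the domain SID printed by `net getdomainsid`.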


Re: [Samba] Windows 7 v. Samba: why is default network profile in 'NETLOGON/Default User.v2' not used?

2012-06-29 Thread Harry Jede
On 17:26:27 wrote Dave Ewart:
 On Wednesday, 27.06.2012 at 11:59 +0100, Dave Ewart wrote:
  [2012/06/27 11:07:04.794950,  3]
  smbd/process.c:1294(switch_message)
  
switch message SMBtrans2 (pid 14326) conn 0x7fa7ba071750
  
  [2012/06/27 11:07:04.794960,  3]
  smbd/trans2.c:5099(call_trans2qfilepathinfo)
  
call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
  
  [2012/06/27 11:07:04.794978,  3]
  smbd/trans2.c:5225(call_trans2qfilepathinfo)
  
call_trans2qfilepathinfo Default User.v2/NTUSER.DAT (fnum = -1)
level=1004 call=5 total_data=0
  
  [2012/06/27 11:07:04.797603,  3] smbd/process.c:1485(process_smb)
  
Transaction 85 of length 142 (0 toread)
  
  [2012/06/27 11:07:04.797620,  3]
  smbd/process.c:1294(switch_message)
  
switch message SMBsesssetupX (pid 14326) conn 0x0
 
 No-one has replied to my thread, so perhaps this is an unusual issue.
 To help to debug it myself, can someone explain what Samba is 'doing'
 during the above log section?  It looks to be Doing Something with
 'Default User.v2/NTUSER.DAT', but it's not a file open or read,
 because I know what those look like in the logs.  What is
 'call_trans2qfilepathinfo'?
According to KB-973289 http://support.microsoft.com/kb/973289 the 
owner should be everyone. Everyone has SID S-1-1-0 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330 . Do you 
have a usermapping for everyone?

 
 All help appreciated,
 
 Thanks,
 
 Dave.


-- 

Regards
Harry Jede


Re: [Samba] WINS doesn't work on some ip addresses in multihome setup

2012-06-27 Thread Harry Jede
On 17:49:05 wrote Sebastian Suchanek:
 Hello everybody!
 
 Still struggling with my latest Samba setup, I've just run across 
 another problem which I can't figure out on my own. Samba is supposed
 to  act as a WINS server (among other things) on a multihomed
 machine. (The Samba version is 3.5.1 as part of Debian Squeeze)
 
 Here's the [global] part of the samba setup:
 
 --- 8< ---
 [global]
 workgroup = HST
 netbios name = Tux
 server string = %h server
 wins support = yes
 interfaces = 127.0.0.0/8 a.b.c.128/25 10.8.0.0/24

Do not use CIDR notation with interfaces. NMBD does not like it :-( 
try:
 interfaces = lo a.b.c.128/255.255.255.128 10.8.0.0/255.255.255.255

with a  b  c as digits ;-)

-- 

Regards
Harry Jede


Re: [Samba] WINS doesn't work on some ip addresses in multihome setup

2012-06-27 Thread Harry Jede
On 18:06:25 wrote Sebastian Suchanek:
 I guess that the problem has something to do with the not adding 
 non-broadcast interface tun0 debug message (tun0 is created by an 
 OpenVPN daemon and set to 10.8.0.0/24), but how could this be
 avoided?
check with 
netstat -uan |egrep '137|138'

where nmbd is listening. If nmbd is not attached to your tun0 interface, 
you must turn off interfaces in smbd.conf, or use another vpn solution 
which supports tap interfaces.


-- 

Regards
Harry Jede


Re: [Samba] Bad configuration file

2012-06-04 Thread Harry Jede
On 14:13:34 wrote Cédric Carlen:
 Hello everyone,
 
 I'm writing you a topic because I have a problem with Samba and LDAP.
 
 This is my problem, when I type in the shell slapcat, i've got this
 message
try:
slapcat -c

 
 str2entry: invalid value for attributeType objectClass #1 (syntax
 1.3.6.1.4.1.1466.115.121.1.38)
 slapcat: bad configuration file!
Which openldap version?

I am pretty sure you use schema files from another (older) openldap 
version.
 
 There is my slapd.conf :
 
 include /etc/ldap/schema/core.schema
 include /etc/ldap/schema/cosine.schema
 include /etc/ldap/schema/nis.schema
 include /etc/ldap/schema/inetorgperson.schema
 include /etc/ldap/schema/samba.schema
 include /etc/ldap/schema/ppolicy.schema
 
 modulepath  /usr/lib/ldap
 moduleload  back_bdbn
 moduleload  ppolicy.la
 moduleload  smbk5pwd.la
 
 overlay smbk5pwd
 smbk5pwd-enable samba
 
 overlay ppolicy
 ppolicy_default ou=default,ou=policies,dc=my,dc=test
 ppolicy_use_lockout
 ppolicy_hash_cleartext
 
 Please help :(
 
 Flake


-- 

Regards
Harry Jede

Re: [Samba] Bad configuration file

2012-06-01 Thread Harry Jede
On 18:41:40 wrote Cédric Carlen:
 Hello everyone,
 
 I'm writing you a topic because I have a problem with Samba and LDAP.
 
 This is my problem, when I type in the shell slapcat, i've got this
 message
 
 
 str2entry: invalid value for attributeType objectClass #1 (syntax
 1.3.6.1.4.1.1466.115.121.1.38)
 slapcat: bad configuration file!
 
 There is my slapd.conf :
 
 include /etc/ldap/schema/core.schema
 include /etc/ldap/schema/cosine.schema
 include /etc/ldap/schema/nis.schema
 include /etc/ldap/schema/inetorgperson.schema
 include /etc/ldap/schema/samba.schema
 include /etc/ldap/schema/ppolicy.schema
 
 modulepath  /usr/lib/ldap
 moduleload  back_bdbn
a module with this name doesn't exist, try:
moduleload  back_bdb

 moduleload  ppolicy.la
 moduleload  smbk5pwd.la
 
 overlay smbk5pwd
 smbk5pwd-enable samba
 
 overlay ppolicy
 ppolicy_default ou=default,ou=policies,dc=my,dc=test
 ppolicy_use_lockout
 ppolicy_hash_cleartext
 
 Please help :(
 
 Flake


-- 

Regards
Harry Jede

Re: [Samba] Transfer speed

2012-04-10 Thread Harry Jede
On 03:06:34 wrote Stan Hoeppner:
 On 4/10/2012 9:36 AM, Volker Lendecke wrote:
  On Tue, Apr 10, 2012 at 08:55:14AM -0500, Chris Weiss wrote:
  On Tue, Apr 10, 2012 at 8:53 AM, Volker Lendecke
  
  volker.lende...@sernet.de wrote:
  On Tue, Apr 10, 2012 at 08:26:48AM -0500, Chris Weiss wrote:
  that's dramatic!  what needs done (from a user POV) to get this
  backported into Stable distro kernels?  suggestions?
  
  Wait until the next major releases pick it up.
  
  that's a really crappy option.  in certain cases that
  could be 4 years from now.
  
  Well, if you are an important enough RH customer you might
  be able to apply pressure. But that's a LOT of money
  probably. Same for SuSE. Debian will likely be very
  resistant against that kind of bribery^Wincentive.
 
 Debian already has 3.2.6 available in the stable repo:
 
 $ aptitude search linux-image
 ...
 i   linux-image-3.2.6   - Linux kernel, version 3.2.6
 ...
I don't know what is in your sources.list

According to packages.debian.org that's not true :-) . There is
kernel 3.2.0 in backports, that's all, as usual.

http://packages.debian.org/search?suite=allarch=anysearchon=nameskeywords=linux-image-3.2

Perhaps this site is not up to date ;-)

-- 

Regards
Harry Jede


Re: [Samba] Is that possible to create profiles shares into group structure?

2012-01-27 Thread Harry Jede
On 15:07:03 wrote Listas Fernandes:
 Hi.
 
 I'm using Samba + OpenLDAP.
 
 Samba version 3.4.9.
 
 Everything is working fine.
 
 But I would like to put the roaming user profiles in a directory
 structure considering the group of the users.
 
 For example, for now I have:
 
 /home/company/profiles/user1
 /home/company/profiles/user2
 /home/company/profiles/user3
 
 And I would like to use:
 
 /home/company/profiles/financial/user1
 /home/company/profiles/financial/user2
 /home/company/profiles/students/user3
 /home/company/profiles/visitors/user4
 
 I've tried some changes using the %g variable in the [profiles]
 share, but nothing seems to do what I'm expecting.
 
 I've tried too using %g in the logon path but again nothing
 happened.
 
 I thought the following line would do the trick, but... no:
 
 logon path = \\%L\profiles\%g\%U
try this:
logon path = \\%L\profiles\%G\%U

It has worked for years; we use

logon path = \\%L\profiles\%G\%U\%a

so we get a windows version specific profile. We need this because we 
have w2k and wxp workstations. 

I don't remember if we had precreated the profiles group directories :-( .

 
 Could you give me any clue about how to do that?
 
 Thanks!
 
 Alexander
 Brazil


-- 

Regards
Harry Jede


Re: [Samba] Prevent smbd from consulting winbindd

2012-01-25 Thread Harry Jede
On 13:37:19 wrote Victor Sudakov:

 Colleagues,
 
 I am running smbd in a setup described in
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553
 under "Winbind is not used; users and groups are local". Samba is
 running in the security=domain mode,
Do you have a PDC with the same setup? 
Are you syncing uid/gid manually?

 but all
 Windows users are being mapped to Unix users in /etc/passwd.
This will break the setup which is described in the
Samba-HOWTO-Collection you refer to above :-( .


The only way in which this differs from having local accounts is that 
the accounts are stored in a repository that *can be shared* . In 
practice this means that they will reside in either
 *an NIS-type database or else in LDAP* .

So only NIS or LDAP will guarantee that you have identical uid/gid 
mapping across different machines.

 
 Now I need to run winbindd for Squid authentication. The problem is,
 as soon as I start winbindd, smbd begins consulting it
so you are running smbd and winbind and squid on the same machine

 and all
 Windows users start receiving uids/gids different from those in
 /etc/passwd.
That's quite normal.

 How do I prevent smbd from consulting winbindd and make
 it use the old /etc/passwd mechanism for uids?
I do not know. I believe it's not possible.

Run smbd on one machine with NIS or LDAP, winbind for squid on another
machine.



Alternatively you may try to run winbind with its own smb.conf

for example

# smb.conf for winbind only
# Here you MUST have one blank line

include = /etc/samba.conf
[global]
security = domain
winbind use default domain = yes
# and so on

if you wish to try this, you may start with a new setup.
I have done this three times with LDAP as backend, it works. If you need 
more details, I can write a step-by-step guide, maybe next week.




In all cases you must have a PDC with security=user in smb.conf.



 
 TIA for any input.


-- 

regards
Harry Jede


Re: [Samba] wbinfo --ping can't find winbind?

2011-11-21 Thread Harry Jede
On 09:43:18 wrote James Chase:
 I have compiled 3.5.12 from source on CentOS 5.7. I am using
 krb5.conf, smb.conf files that have worked with other 3.5.x installs
 of Samba (at least in terms of wbinfo working) but now I am not able
 to get any data from winbind. The server is running and the logs
 don't report any errors. I had done several 'make uninstall' while
 compiling/recompiling with different options. Could the problem
 somehow be related?
 
 [root@sambatest samba]# bin/wbinfo -u
 Error looking up domain users
 
 [root@sambatest samba]# bin/wbinfo --ping
 Ping to winbindd failed
 could not ping winbindd!
 
 [root@sambatest samba]# ps -ef | grep winbin
 root  3743 1  0 10:19 ?00:00:00 sbin/winbindd -D
 root  3744  3743  0 10:19 ?00:00:00 sbin/winbindd -D
 root  3838  3709  0 10:42 pts/000:00:00 grep winbin
 
 [root@sambatest samba]# tail var/log.winbindd
   [2011/11/10 10:19:35,  0] winbindd/winbindd.c:1102(main)
winbindd version 3.5.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
 [2011/11/10 10:19:35.733572,  0]
 winbindd/winbindd_cache.c:3076(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with
 version number 1
I assume that wbinfo tries another pidfile than winbindd generates :-( .

-- 

Regards
Harry Jede


Re: [Samba] wbinfo command generate a winbindd core dump

2011-10-18 Thread Harry Jede
On Tuesday, 18 October 2011 you wrote:
 On Tue, Oct 04, 2011 at 11:48:04PM +0200, Harry Jede wrote:
  OS Debian squeeze
  # wbinfo -V
  Version 3.5.6
  
  
  ute@alix:~$ wbinfo --getdcname=KRONPRINZ
  Could not get dc name for KRONPRINZ
  
  As root and as unprivileged user, this command results in a winbind
  core dump.
 
 This smells severely like
 
 https://bugzilla.samba.org/show_bug.cgi?id=7730
 
 which was fixed in Samba 3.5.8.
I don't have a 3.5.8 available, but in 
$ wbinfo -V
Version 3.5.11
it is fixed and I cannot produce a core dump. Fine.

 
 Volker


-- 

Regards
Harry Jede


Re: [Samba] ntlm_auth NT_STATUS_INVALID_HANDLE with windbind

2011-10-17 Thread Harry Jede
On 09:35:16 wrote Alessandro:
 I should use an authenticated proxy with Squid, but I have a problem
 with winbind.
 I'm working on a PDC, debian squeeze with samba from backport (ver.
 2:3.5.11~dfsg-1~bpo60+1 )
 
 Here the problem: I can authenticate users.
 
 /usr/bin/ntlm_auth --username=myname --domain=MYCOMPANY
 password: 
 NT_STATUS_INVALID_HANDLE: Invalid handle (0xc008)
 
 
 wbinfo -a myname
 Enter myname's password: 
 plaintext password authentication failed
 Could not authenticate user myname with plaintext password
 Enter myname's password: 
 challenge/response password authentication failed
 error code was NT_STATUS_INVALID_HANDLE (0xc008)
 error messsage was: Invalid handle
 Could not authenticate user myname with challenge/response
 
 With --domain argument the result is the same
 
 wbinfo seems to work fine with all other arguments (-u, -g, etc.. a
 strange behavior: with -m it gives two domains, BUILTIN and
 MYCOMPANY)


wbinfo should show three domains:
# wbinfo -m
BUILTIN
YOUR_DOMAIN
YOUR_SERVER

# net getdomainsid
SID for local machine YOUR_SERVER is: LOCAL-SID
SID for domain YOUR_DOMAIN is: DOMAIN-SID

# ldapsearch -xLLL "(&(objectclass=sambaDomain)(sambaDomainName=*))" sambasid
dn: sambaDomainName=YOUR_DOMAIN,dc=example,dc=net
sambaSID: DOMAIN-SID

dn: sambaDomainName=YOUR_SERVER,dc=example,dc=net
sambaSID: LOCAL-SID



and finally 
# wbinfo --ping-dc
MUST succeed




As SATOH Fumiyas tells us, one SHOULD join without a running winbindd 
Daemon. 
# net rpc join -S localhost -U administrator

One is NOT joining localhost! One joins $HOSTNAME!!

Verify with 
# net rpc testjoin
Join to 'YOUR_DOMAIN' is OK

and 
# pdbedit -v $HOSTNAME$
Account Flags:[S  ]
User SID: DOMAIN-SID-SERVER-RID
Primary Group SID:DOMAIN-SID-515

These three settings are important. It MUST be a server account and the 
primary group sid MUST have the RID=515




# wbinfo -a user%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded



Don't forget to add the user proxy to the group winbindd_priv, so 
that the ntlm_auth helper from squid has enough rights.



 
 I found the following bug:
 https://bugzilla.samba.org/show_bug.cgi?id=7481
 http://osdir.com/ml/debian-bugs-dist/2011-02/msg00966.html
 http://osdir.com/ml/debian-bugs-dist/2011-02/msg09069.html
 
 I could compile samba from source applying the #7481 patch, but I'm
 not sure this is my case, because the workaround exposed at the end
 of #7481 doesn't work for me.
 Any idea?
It works for me with Samba 3.5.6 and also with 3.5.11 from backports :-) .
I use openldap as passdb backend.

Step-by-step guide

You should verify these three groups:
# net sam list builtin
administrators
guests
users

# net sam show administrators
BUILTIN\administrators is a Local Group with SID S-1-5-32-544
# net sam show guests
BUILTIN\guests is a Local Group with SID S-1-5-32-546
# net sam show users
BUILTIN\users is a Local Group with SID S-1-5-32-545

and verify that these groups have their default members:
# net rpc group members Administrators
YOUR_DOMAIN\Domain Admins
# net rpc group members guests
YOUR_DOMAIN\Domain Guests
# net rpc group members users
YOUR_DOMAIN\Domain Users




You must have a valid idmap alloc setup
and have stored the secret in secrets.tdb
smb.conf:

; idmap configuration for SAMBA 3.5.6 with LDAP
idmap backend   = ldap
idmap uid   = 100-199
idmap gid   = 100-199
idmap alloc backend = ldap
idmap alloc config : ldap_url   = ldap://127.0.0.1/
idmap alloc config : ldap_base_dn   = ou=Idmap,dc=example,dc=net
idmap alloc config : ldap_user_dn   = cn=admin,dc=example,dc=net


Store the idmap secret in secrets.tdb
# net idmap secret alloc secret
The secret must be the password from ldap_user_dn

If you are using ldap as passdb backend then set this:

ldapsam:editposix   = yes

in smb.conf. This will prevent samba from using the smbldaptools. They 
produce wrong joins! And by the way, check that the previously created 
builtin groups have sambaGroupType=4. smbldaptools set this to 5, which 
does not work.
If you now have set ldapsam:editposix, don't forget to restart samba.

now, you should join as explained earlier



Store the authuser in secrets.tdb
# net -Uroot setauthuser

will store user and password in secrets.tdb, so that winbindd has enough 
rights to work. If your administrator account has uidnumber=0, you may 
use this account.


stop samba, start winbind, start samba
wait some seconds, winbindd will now create the third domain which has 
the name of your PDC's hostname.

check with wbinfo


HINT
when I checked winbindd.conf with testparm, I got some errors, 
until I put an empty or comment line before the line with the include 
statement :-) .

 Thanks
 Alessandro


-- 

Regards
Harry Jede
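
The join verification described in the guide above (`net getdomainsid`, then `pdbedit -v` on the machine account) can be scripted. The following is an added example, not part of the original post: it parses the two command outputs and checks the server-account flag, that the user SID sits under the domain SID, and that the primary group RID is 515. The sample outputs, host name and SIDs are constructed.

```python
import re

# Constructed sample output; host name, domain name and SIDs are made up.
SAMPLE_GETDOMAINSID = """\
SID for local machine ALIX is: S-1-5-21-1000000001-1000000002-1000000003
SID for domain SCHULE is: S-1-5-21-2000000001-2000000002-2000000003
"""
SAMPLE_PDBEDIT = """\
Unix username:        alix$
Account Flags:        [S          ]
User SID:             S-1-5-21-2000000001-2000000002-2000000003-1005
Primary Group SID:    S-1-5-21-2000000001-2000000002-2000000003-515
"""

SID_LINE = re.compile(r"^SID for (local machine|domain) (\S+) is: (S-1-[0-9-]+)$")


def parse_getdomainsid(text):
    """Return {'local': sid, 'domain': sid} from 'net getdomainsid' output."""
    sids = {}
    for line in text.splitlines():
        match = SID_LINE.match(line.strip())
        if match:
            kind = "local" if match.group(1) == "local machine" else "domain"
            sids[kind] = match.group(3)
    return sids


def parse_pdbedit(text):
    """Return the 'Field: value' pairs printed by 'pdbedit -v' as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_join(getdomainsid_out, pdbedit_out):
    """Return a list of problems with the machine account; empty means the
    three settings named in the guide are in place."""
    domain_sid = parse_getdomainsid(getdomainsid_out).get("domain")
    if not domain_sid:
        return ["no domain SID found in 'net getdomainsid' output"]
    account = parse_pdbedit(pdbedit_out)
    problems = []
    flags = account.get("Account Flags", "").strip("[]").replace(" ", "")
    if "S" not in flags:
        problems.append(f"account flags are [{flags}], expected a server account [S]")
    if not account.get("User SID", "").startswith(domain_sid + "-"):
        problems.append("user SID is not under the domain SID")
    if account.get("Primary Group SID") != f"{domain_sid}-515":
        problems.append("primary group SID is not <domain SID>-515")
    return problems


if __name__ == "__main__":
    print(check_join(SAMPLE_GETDOMAINSID, SAMPLE_PDBEDIT) or "join settings look consistent")
```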

Re: [Samba] tattooing of tdbsam backend with logon script value

2011-10-17 Thread Harry Jede
On 15:21:48 wrote Pat Emblen:
 On 15/10/11 19:15, Harry Jede wrote:
  pdbedit -S "" user
 
 Not here, it just sets an empty logon script, it doesn't default back
 to the one in smb.conf.
 
 root@sheldon:/home/smb/netlogon# pdbedit -S "" talcom
 Unix username:talcom
 NT username:
 Account Flags:[U  ]
 User SID: S-1-5-21-3019205139-2287944265-981039286-3000
 Primary Group SID:S-1-5-21-3019205139-2287944265-981039286-513
 Full Name:talcom
 Home Directory:   \\sheldon\talcom
 HomeDir Drive:
 Logon Script:  default 
missing
 Profile Path: \\sheldon\profiles\talcom
 Domain:   SHELDON
 Account desc:
 Workstations:
 Munged dial:
 Logon time:   0
 Logoff time:  9223372036854775807 seconds since the Epoch
 Kickoff time: 9223372036854775807 seconds since the Epoch
 Password last set:Fri, 30 Sep 2011 20:03:00 EST
 Password can change:  Fri, 30 Sep 2011 20:03:00 EST
 Password must change: never
 Last bad password   : 0
 Bad password count  : 0
 Logon hours : FF
 r
I can see two differences between your accounts and mine:
1. You don't have an NT Username
2. Your Home Directory and your Profile Path point to the netbios 
server name sheldon, which is identical to your netbios domain name 
SHELDON.

Try to create a new account with:
pdbedit -a newuser

and check it again. Is your Server Name really equal to your workgroup 
name?




-- 

Regards
Harry Jede


Re: [Samba] Getting remote registry information.

2011-10-17 Thread Harry Jede
On 21:53:31 wrote Ken D'Ambrosio:
 Hey, all.  A couple weeks ago, I asked about getting remote registry
 information, and someone helpfully offered up net rpc registry
 [blah].  And it does a decent job, but I'm yet to find the right
 permutation that would give me a whole branch of the hierarchy (akin
 to doing an export in regedit).  For what I'm looking to do, that
 would be really, truly handy.  Most seem to save the file remotely,
 or to spit out just the information for that level of the hierarchy
 (e.g., enumerate).  Is there a way to get an entire branch?

regedt32 or regedit

as member of domain admins

 Thanks!
 
 -Ken


-- 

Regards
Harry Jede


Re: [Samba] tattooing of tdbsam backend with logon script value

2011-10-15 Thread Harry Jede
On 10:09:50 wrote Chris Smith:
 All users whose logon script values have not been explicitly
 defined automagically inherit the value that logon script is set
 to in smb.conf. And one can change the logon script for all such
 users simply by changing said value in smb.conf. However, once a
 logon script value has been explicitly defined for a user this
 inheritance ability (as the explicit definition should not be
 overwritten) seems forever lost. I have not found a method to undo
 this tattooed state to allow for the automagic inheritance of the
 smb.conf logon script value. Therefore said users, who have once
 had an explicitly defined logon script value can (seemingly) no
 longer be returned to the state where they use whatever logon script
 is defined in smb.conf.
 
 Is there a way to reset said users, removing the tattooing effect?
Set the value of logon script to the empty string "".

# pdbedit -S "" user

This works with ldapsam and should also work with tdbsam.


 
 Thanks,
 
 Chris


-- 

Regards
Harry Jede


Re: [Samba] issue with tesparam

2011-10-06 Thread Harry Jede
On 10:57:22 wrote Moray Henderson:
 The example testparm command you give works for me on CentOS 5.2 with
 samba3-3.4.9-42.el5 and on CentOS 5.6 with samba3-3.5.11-44.el5. 
 Build the command up slowly and try to identify where it is failing:
 
 # testparm -s # Do you get any output?
 # testparm --section-name=global -s   # Do you get the right
 section?
Yes

 # testparm --section-name=global -s | grep ALIX   # Does grep work?
Yes

I have found some other bugs/issues with the Debian Samba packages :-( . 
In backports is a 3.5.11 package. So I will try this. If it has the same 
problems I will compile my own one and go with upstream in the future.


 Moray.
 To err is human; to purr, feline.


-- 

Regards
Harry Jede


Re: [Samba] Fwd: Win 7 Pro

2011-10-04 Thread Harry Jede
On 19:40:52 wrote sa...@printflow.eu:
 I added WINS server to my DHCP config and  now I join domain. THX ! I
 did not undo settings from http://wiki.samba.org/index.php/Windows7
 to check. I will try with next machine in about week. This page also
 noted that registry setting is not needed with patch from MS which
 seems to be installed.
 
 This led me to other question, I have two PDCs on my network for two
 companies. If I set both WINS server in DHCP setting may I expect it
 will work? Does w7 check both of them?
You should have *one and only one* WINS-Server per ethernet segment. 
WINS uses broadcasts.


-- 

Regards
Harry Jede


[Samba] security of ntlmauth / winbindd_privileged dir

2011-10-04 Thread Harry Jede
:121:proxy

# id ute
uid=10003(ute) gid=1002(students) 
Gruppen=1002(students),1006(online),1016(neu2)

# md5sum 
/var/cache/apt/archives/winbind_2%3a3.5.6~dfsg-3squeeze5_amd64.deb 
0d0d2535622eaf154889587fdc81e0b2  
/var/cache/apt/archives/winbind_2%3a3.5.6~dfsg-3squeeze5_amd64.deb

# testparm --section-name=global -s
[global]
unix charset = UTF8
workgroup = SCHULE
server string = Schulserver %h
interfaces = lo, 10.100.0.1/16
obey pam restrictions = Yes
passdb backend = ldapsam
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
log level = 0 auth:3 sam:3 winbind:3
log file = /var/log/samba/log.%m
smb ports = 139
announce version = 6.5
name resolve order = wins host bcast
time server = Yes
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = %a.bat
logon path = \\%L\profile\%G\%U\%a
logon drive = U:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=admin,dc=delixs-schule,dc=de
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=machines,ou=accounts
ldap passwd sync = yes
ldap suffix = dc=delixs-schule,dc=de
ldap ssl = no
ldap user suffix = ou=people,ou=accounts
idmap backend = ldap
idmap alloc backend = ldap
idmap uid = 100-199
idmap gid = 100-199
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap alloc config : ldap_user_dn = cn=admin,dc=delixs-schule,dc=de
idmap alloc config : ldap_base_dn = ou=Idmap,dc=delixs-schule,dc=de
idmap alloc config : ldap_url = ldap://127.0.0.1/
veto files = /*.eml/*.nws/riched20.dll/autorun.inf/


# egrep -v '^$|^#' /etc/samba/winbind.conf
include = /etc/samba/smb.conf
[global]
security= domain
domain logons   = no




Regards
Harry Jede


[Samba] wbinfo command generate a winbindd core dump

2011-10-04 Thread Harry Jede
OS Debian squeeze
# wbinfo -V
Version 3.5.6


ute@alix:~$ wbinfo --getdcname=KRONPRINZ
Could not get dc name for KRONPRINZ

As root and as unprivileged user, this command results in a winbind core 
dump.


[2011/10/04 23:40:18.022674,  0] lib/fault.c:46(fault_report)
  ===
[2011/10/04 23:40:18.030995,  0] lib/fault.c:47(fault_report)
  INTERNAL ERROR: Signal 11 in pid 20226 (3.5.6)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2011/10/04 23:40:18.031215,  0] lib/fault.c:49(fault_report)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2011/10/04 23:40:18.031412,  0] lib/fault.c:50(fault_report)
  ===
[2011/10/04 23:40:18.031550,  0] lib/util.c:1465(smb_panic)
  PANIC (pid 20226): internal error
[2011/10/04 23:40:18.063944,  0] lib/util.c:1569(log_stack_trace)
  BACKTRACE: 17 stack frames:
   #0 /usr/sbin/winbindd(log_stack_trace+0x1a) [0x7fc86ae39b0a]
   #1 /usr/sbin/winbindd(smb_panic+0x1f) [0x7fc86ae39bcf]
   #2 /usr/sbin/winbindd(+0x1a374d) [0x7fc86ae2974d]
   #3 /lib/libc.so.6(+0x321e0) [0x7fc86893d1e0]
   #4 /usr/sbin/winbindd(winbindd_getdcname_recv+0xc4) [0x7fc86adb73c4]
   #5 /usr/sbin/winbindd(+0xe1a7d) [0x7fc86ad67a7d]
   #6 /usr/sbin/winbindd(+0x12aa96) [0x7fc86adb0a96]
   #7 /usr/sbin/winbindd(+0x10c757) [0x7fc86ad92757]
   #8 /usr/sbin/winbindd(+0x10c07d) [0x7fc86ad9207d]
   #9 /usr/sbin/winbindd(+0x13459d) [0x7fc86adba59d]
   #10 /usr/sbin/winbindd(+0x134d4b) [0x7fc86adbad4b]
   #11 /usr/sbin/winbindd(run_events+0x1b2) [0x7fc86ae49342]
   #12 /usr/sbin/winbindd(+0x1c3601) [0x7fc86ae49601]
   #13 /usr/sbin/winbindd(_tevent_loop_once+0x90) [0x7fc86ae499e0]
   #14 /usr/sbin/winbindd(main+0x933) [0x7fc86ad68fa3]
   #15 /lib/libc.so.6(__libc_start_main+0xfd) [0x7fc868929c4d]
   #16 /usr/sbin/winbindd(+0xe0a79) [0x7fc86ad66a79]
[2011/10/04 23:40:18.070826,  0] lib/fault.c:326(dump_core)
  dumping core in /var/log/samba/cores/winbindd


-- 

Regards
Harry Jede


Re: [Samba] Samba users profiles directory failing to mount in windows client

2011-10-04 Thread Harry Jede
On 23:55:42 wrote greep elem:
 I am having some issues with Samba with roaming profiles running on
 Ubuntu server.  When a user logs in they get prompted with an error:
 
 windows error--
 Windows cannot locate the server copy of your roaming profile and is
 attempting to log you
 on with your local profile. Changes to the profile will not be copied
 to the server when
 you logoff. Possible causes of this error include network problems or
 insufficient security
 rights. If this problem persists, contact your network administrator.
 
 DETAIL - The network path was not found.
 windows error--
 
 While trying to figure this out I believe I have found the problem
 but am unsure how to fix it.  It would appear that for the logon
 path = \\%N\Profiles\%U entry in smb.conf that the %N (or even %L)
 does not get translated to the netbios name of the server.
 
 doing the following command shows the %N still untranslated while the
 %U is correctly updated to the user name
 
 # pdbedit -Lv testuser | grep Path
 Profile Path: \\%N\profiles\testuser
 
 If I manually hard code the %N  to the servers name instead of using
 %N or %L the roaming profile works perfectly.
 
 
 Can anyone point me in the right direction so as to resolve this
 issue?
Use netbios name instead of netbios aliases

-- 

Regards
Harry Jede


[Samba] issue with tesparam

2011-10-04 Thread Harry Jede
OS: Debian squeeze
Samba: 3.5.6

# testparm --section-name=global -s 2>&1|grep ALIX
returns nothing

# grep ALIX /etc/samba/smb.conf
  netbios name = ALIX
works


-- 

Regards
Harry Jede


Re: [Samba] Can't add users to well known groups...

2011-09-10 Thread Harry Jede
On 15:48:09 wrote Linda Walsh:
 I created the well known group Domain Admins pointing to a local
 group, but I am not able to add users to the group -- it claims I
 can only add users to
 local or global groups...
 
 But I only see local, domain ,well-known, builtin.
 
 There are no global groups unless one would include all groups that
 are not local (i.e. domain, well-known, and builtin)
 
 So why doesn't it want to let me add to my domain admins group when
 it is defined as a well known group (which it is, according to
 MS)...
Nobody may be able to answer your questions, if you don't give us some 
background information!

something like:
which samba version
which sam, ldapsam or tdbsam
do you use winbind
your global section of samba conf
the commands you have used
which well-known groups you currently have



-- 

regards
Harry Jede


[Samba] winbind with samba 3.5.6 on debian squeeze

2011-08-21 Thread Harry Jede
I have a bug in the winbind package,
Version: 2:3.5.6~dfsg-3squeeze4

winbindd is not responding to a ping

# smbcontrol winbindd ping
Can't find pid for destination 'winbindd'


Workaround for users who wish to play the winbind game on squeeze:


# cd /var/run/samba
#  ls *pid
nmbd.pid  smbd.pid  winbindd-winbindd.conf.pid

There is no winbindd.pid :-( , but a winbindd-winbindd.conf.pid
To work around this bug, until the package is fixed, edit 
/etc/init.d/winbind and put these three lines in start) just after 
start-stop-daemon ...

cd $PIDDIR
ln -s winbindd-winbindd.conf.pid winbindd.pid
cd -


restart winbind and all is fine

# smbcontrol winbindd ping
PONG from pid 5363


-- 

Regards
Harry Jede


Re: [Samba] [Pkg-samba-maint] winbind with samba 3.5.6 on debian squeeze

2011-08-21 Thread Harry Jede
Hi Steve,
thanks for your quick response.

I have installed winbind on another machine, same version, same apt 
source. All works as expected.

The machine on which this error happens is based on a custom debian 
distribution. There is no winbind on its CD.
Samba Version are:

# ls /cdrom/pool/main/s/samba/
libpam-smbpass_3.5.6~dfsg-3squeeze2_amd64.deb
libpam-smbpass_3.5.6~dfsg-3squeeze2_i386.deb
libwbclient0_3.5.6~dfsg-3squeeze2_amd64.deb
libwbclient0_3.5.6~dfsg-3squeeze2_i386.deb
samba_3.5.6~dfsg-3squeeze2_amd64.deb
samba_3.5.6~dfsg-3squeeze2_i386.deb
samba-common_3.5.6~dfsg-3squeeze2_all.deb
samba-common-bin_3.5.6~dfsg-3squeeze2_amd64.deb
samba-common-bin_3.5.6~dfsg-3squeeze2_i386.deb
samba-doc_3.5.6~dfsg-3squeeze2_all.deb
smbclient_3.5.6~dfsg-3squeeze2_amd64.deb
smbclient_3.5.6~dfsg-3squeeze2_i386.deb

Surely, I have updated the installation.

Maybe there is a problem with this CD. I will investigate some time in 
this direction.




-- 

Regards
Harry Jede


Re: [Samba] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request

2011-08-01 Thread Harry Jede
On 19:17:01 wrote Paul Tietjens:
 I am getting errors in my samba logs like _netr_ServerAuthenticate3:
 netlogon_creds_server_check failed. Rejecting auth request from
 client XXX machine account XXX$ (Host
 log: http://pastebin.com/QXhbngN5).
 
 So far, machines do seem to join the domain (Machine account is
 created in LDAP, user can log in, etc), but I am concerned that when
 Windows 7 machines reach their 30 days they will begin issuing trust
 account has expired or is incorrect messages.
 
 Since we have a couple thousand machines, I wish to avoid that.  I
 have followed the instructions at
 http://wiki.samba.org/index.php/Windows7 and tried a few other things
 (but have not touched the sign/seal regkeys) and still get these errors
 in the logs when a machine boots and auths any user.  I have updated
 the samba bins from debian backports to run version  3.5.8.
 
 I have made sure that our DNS server registers the machine account
 with hostname.DOMAIN, have tried turning off/on ntlmv2 on the server
 and using gpedit on the client, have made sure that time is
 synchronous on the server/client, have removed and re-added the
 machine account many times, and have tried some registry hacks like:
 HKLM\System\CCS\Services\TcpIp\Parameters
 Domain: XXX.com
 NV Domain: XXX.com
 
 Where should I look next?
From your log:
  ldapsam_getsampwsid: Unable to locate SID 
[S-1-5-21-1048866067-1567326443-2860397223-515] count=0
[2011/07/26 12:04:02.543539,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)


So find this group by hand:
ldapsearch -x -LLL sambasid=S-1-5-21-1048866067-1567326443-2860397223-515

Should look like this:
# ldapsearch -x -LLL sambasid=S-1-5-21-2895420538-1884802692-219078741-515
dn: cn=Domain Computers,ou=groups,dc=xx,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2895420538-1884802692-219078741-515
sambaGroupType: 2
displayName: Domain Computers


And you are using debian with winbind?
check the status of winbind:


smbcontrol winbind ping
PONG from pid 11761

if you don't get a pong, you are not running winbindd, or you have a broken deb.

cd /var/run/samba
ln -s winbindd-winbindd.conf.pid winbindd.pid

and winbind works :-) .


If you have fixed these two possible issues and things still don't work, check 
your ldap acls. To do this set the loglevel of slapd to 384 (ACL + FILTER).

-- 

Regards
Harry Jede


Re: [Samba] Integrate Samba with Active Directory

2011-07-25 Thread Harry Jede
On 09:07:40 wrote Bruno Martins - GALILEU LISBOA:
 Hello guys,
 
 
 
 I am setting up a Samba server (based on CentOS 5.6) on my company
 which will act as a print and file server. Also, it has dropbox
 installed.
 
 
 
 I have set up everything regarding to CUPS and Samba itself, but I'm
 not being able to integrate my shares with Active Directory.
 
 
 
 All I want is that access control to Samba shares is made through
 Active Directory users and their respective passwords, and not
 through Unix-style users and groups. Is this possible?
 
 
 
 Some configuration files:
 
 /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
your config:
passwd: files ldap
shadow: files winbind
group:  files winbind

should be all the same ;-) ie
files winbind

 /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
 
 /etc/krb5.conf - http://pastebin.com/9zJFQR6J
 
 
 
 Can someone please give me some lights on this?
 
 
 
 If you need more information, just tell me. ;-)
 
 
 
 Thanks for your cooperation.
 
 
 
 Best regards,
 
 
 
 Bruno Martins


-- 

Regards
Harry Jede


Re: [Samba] Win7 unable to join domain if PDC has a static IP address

2011-07-08 Thread Harry Jede
On 19:40:39 wrote Thomas Harvey:
 # The primary network interface
 auto eth0
 iface eth0 inet static
 address 10.25.100.14
 netmask 255.255.0.0
 network 10.11.0.0
 broadcast 10.11.255.255
 gateway 10.25.100.1

# ipcalc -b 10.25.100.14/255.255.0.0
Address:   10.25.100.14 
Netmask:   255.255.0.0 = 16 
Wildcard:  0.0.255.255  
=
Network:   10.25.0.0/16 
HostMin:   10.25.0.1
HostMax:   10.25.255.254
Broadcast: 10.25.255.255
Hosts/Net: 65534 Class A, Private Internet

Your host ip is NOT on your network, nor is the gateway ip directly 
reachable.

-- 

Harry Jede

-- 

Regards
Harry Jede
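
The ipcalc comparison in the reply above can be automated for any static stanza. The following is an added example, not part of the original post: it parses `iface ... inet static` stanzas, recomputes network and broadcast from address and netmask, and lists which of address and gateway fall outside the network the stanza itself declares. The stanza text is a constructed copy of the one quoted in the post; the function names are hypothetical.

```python
import ipaddress

# Constructed copy of the stanza quoted in the post above.
SAMPLE_INTERFACES = """\
# The primary network interface
auto eth0
iface eth0 inet static
address 10.25.100.14
netmask 255.255.0.0
network 10.11.0.0
broadcast 10.11.255.255
gateway 10.25.100.1
"""


def parse_static_stanzas(text):
    """Return {ifname: {option: value}} for each 'iface <name> inet static' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface":
            is_static = len(words) >= 4 and words[2:4] == ["inet", "static"]
            current = stanzas.setdefault(words[1], {}) if is_static else None
        elif words[0] in ("auto", "mapping", "source") or words[0].startswith("allow-"):
            current = None  # these keywords end the preceding stanza
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1]
    return stanzas


def check_stanza(opts):
    """Compare declared network/broadcast/gateway with what address + netmask
    imply. Returns (option, declared, expected) tuples; empty means consistent."""
    address = opts["address"]
    if "/" not in address:
        address = f"{address}/{opts['netmask']}"
    net = ipaddress.ip_interface(address).network
    problems = []
    expected = {"network": net.network_address, "broadcast": net.broadcast_address}
    for option, want in expected.items():
        declared = opts.get(option)
        if declared is not None and ipaddress.ip_address(declared) != want:
            problems.append((option, declared, str(want)))
    gateway = opts.get("gateway")
    if gateway is not None and ipaddress.ip_address(gateway) not in net:
        problems.append(("gateway", gateway, f"an address inside {net}"))
    return problems


def outside_declared_network(opts):
    """List which of 'address' and 'gateway' lie outside the network the
    stanza itself declares with 'network' + 'netmask'."""
    declared = ipaddress.ip_network(f"{opts['network']}/{opts['netmask']}", strict=False)
    return [key for key in ("address", "gateway")
            if key in opts
            and ipaddress.ip_address(opts[key].split("/")[0]) not in declared]


if __name__ == "__main__":
    for name, opts in parse_static_stanzas(SAMPLE_INTERFACES).items():
        print(name, check_stanza(opts), outside_declared_network(opts))
```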


Re: [Samba] Shutdown hangs since setting up Samba

2011-06-04 Thread Harry Jede
On 16:30:33 wrote bew...@gmx.com:
 On 03.06.2011 23:50, Chris Weiss wrote:
  On Fri, Jun 3, 2011 at 4:11 PM,  bew...@gmx.com wrote:
  I get this error messages on boot:
 
  CIFS VFS: Error connecting to socket. Aborting operation
  CIFS VFS: cifs_mount failed w/return code = -101
 
  I have seen these before.

 OK, I'm not the only one.

  as I recall, it's trying to mount before the network comes fully
  up, and downing the network before unmounting the cifs.

 I have the same suspicion, but don't know how to fix it.

 I do not recall the solution, and I don't use cifs in fstab anymore.

 What are you using instead of CIFS?
Use the pam mount helper. They run when a user is logging in.

man pam_mount
man pam_mount.conf

 When I tried NFS, there were similar errors.


 Best Regards,
 Benedikt



-- 

Regards
Harry Jede


Re: [Samba] Error when changing domain password in Windows XP

2011-05-27 Thread Harry Jede
On 13:34:29 wrote Torkil Svensgaard:
 On 2011-05-26 15:29, Harry Jede wrote:
  On 15:24:57 wrote Torkil Svensgaard:
  On 2011-05-26 13:10, Gaiseric Vandal wrote:
  Do you have a password change chat script configured and defined
  in smb.conf ?
 
  I've tried the following two, as well as the default blank, same
  result in all cases.
 
  passwd program = /usr/sbin/smbldap-passwd %u
  passwd program = /usr/bin/passwd %u
 
  Either works when run manually as root.
 
  then you should check the ACLs in openldap

 Could you elaborate on that? The ACLs allow my admin user read and
 write access, the same admin user defined by ldap admin dn in
 smb.conf
from your previously posted log:
[2011/05/26 12:22:14.392666,  5] lib/smbldap.c:1556(smbldap_modify)
   smbldap_modify: dn = [uid=torkil,ou=Users,dc=drcmr,dc=local]
[2011/05/26 12:22:14.392990, 10] lib/smbldap.c:1576(smbldap_modify)
   Failed to modify dn: uid=torkil,ou=Users,dc=drcmr,dc=local, error: 16 
(No such attribute) (modify/delete: sambaNTPassword: no such value)

I assume that this log comes from the user torkil and NOT from root.
It looks like torkil cannot read his own field sambaNTPassword.

maybe an ldapsearch can help:

ldapsearch -x -LLL -D uid=torkil,ou=Users,dc=drcmr,dc=local -W -b ou=Users,dc=drcmr,dc=local uid=torkil

 I'm wondering if the problem could be of timing, that first PAM
 changes the password in LDAP and then samba tries to do the same, but
 with the old password, like suggested here:
 http://lists.samba.org/archive/samba/2008-April/140319.html

 Kind regards.

 Torkil



-- 

Regards
Harry Jede


Re: [Samba] Error when changing domain password in Windows XP

2011-05-27 Thread Harry Jede
On 14:14:23 wrote Torkil Svensgaard:
 On 2011-05-27 13:42, Harry Jede wrote:
  from your previous posted log:
  [2011/05/26 12:22:14.392666,  5] lib/smbldap.c:1556(smbldap_modify)
  smbldap_modify: dn =  [uid=torkil,ou=Users,dc=drcmr,dc=local]
  [2011/05/26 12:22:14.392990, 10] lib/smbldap.c:1576(smbldap_modify)
  Failed to modify dn: uid=torkil,ou=Users,dc=drcmr,dc=local,
  error: 16 (No such attribute) (modify/delete: sambaNTPassword: no
  such value)
 
  I assume that this log comes from the user torkil and NOT from root.
  It looks like torkil cannot read his own field sambaNTPassword.
 
  maybe an ldapsearch can help:
 
  ldapsearch -x -LLL -D uid=torkil,ou=Users,dc=drcmr,dc=local -W -b
  ou=Users,dc=drcmr,dc=local uid=torkil

 Thanks =) That search works fine and can read the sambaNTPassword
 field, if given the right password. I'm still inclined to think the
 problem could be as stated below.
try the same search with the user(s) you have configured for 
smbldap-tools and pam_ldap


you should NOT have an ldap user for nss, nor nss configured for shadow 
db.

post the relevant config files and the global section from smb.conf


  I'm wondering if the problem could be of timing, that first PAM
  changes the password in LDAP and then samba tries to do the same,
  but with the old password, like suggested here:
  http://lists.samba.org/archive/samba/2008-April/140319.html

 Kind regards.

 Torkil



-- 

Regards
Harry Jede


Re: [Samba] Error when changing domain password in Windows XP

2011-05-26 Thread Harry Jede
On 15:24:57 wrote Torkil Svensgaard:
 On 2011-05-26 13:10, Gaiseric Vandal wrote:
  Do you have a password change chat script configured and defined in
  smb.conf ?

 I've tried the following two, as well as the default blank, same
 result in all cases.

 passwd program = /usr/sbin/smbldap-passwd %u
 passwd program = /usr/bin/passwd %u

 Either works when run manually as root.
then you should check the ACLs in openldap

 Kind regards.

 Torkil



-- 

regards
Harry Jede


Re: [Samba] DLZ plugins for bind from samba4

2011-05-18 Thread Harry Jede
On 14:58:24 wrote Kai Blin:
 On 2011-05-12 10:02, Daniel Müller wrote:

 Hi Daniel,

  is there a good HOWTO for the DLZ plugins available?
Original documentation:
http://bind-dlz.sourceforge.net/ldap_example.html

How to patch, if needed:
http://forum.ubuntuusers.de/topic/bind9-ldap-dns-server-bind-mit-zonen-in-ldap/


-- 

Regards
Harry Jede


Re: [Samba] Migrating (vampire) from NT4 to samba 3.5.7

2011-03-03 Thread Harry Jede
On 10:08:23 wrote Veiko Kukk:
 On 02/03/11 15:43, Veiko Kukk wrote:
  Also, on NT4 there is group named Domain Users, but that too does
  not get imported to ldap database. It's empty on linux box, getent
  group output gives:
  ...
  Domain Users:*:513:

 I investigated some more and found out that if I do net rpc group
 MEMBERS Domain Users, group members get listed.
 EKRPTEST\kasutaja1
 EKRPTEST\kasutaja2
 EKRPTEST\kasutaja3
 EKRPTEST\kasutaja4

 Then why getent group does not list members of Domain Users?
dump the groups out of ldap :-)

ldapsearch -x -LLL '(|(objectclass=posixGroup)(objectclass=sambaGroupMapping))'

and you will see, that samba uses TWO DIFFERENT group definitions.

It's your choice, which you will use in the future.
Read Samba by Example to find your way to do it right.


 --
 Veiko



-- 

Regards
Harry Jede


Re: [Samba] Migrating (vampire) from NT4 to samba 3.5.7

2011-03-03 Thread Harry Jede
On 10:08:23 wrote Veiko Kukk:
 On 02/03/11 15:43, Veiko Kukk wrote:
  Also, on NT4 there is group named Domain Users, but that too does
  not get imported to ldap database. It's empty on linux box, getent
  group output gives:
  ...
  Domain Users:*:513:

 I investigated some more and found out that if I do net rpc group
 MEMBERS Domain Users, group members get listed.
 EKRPTEST\kasutaja1
 EKRPTEST\kasutaja2
 EKRPTEST\kasutaja3
 EKRPTEST\kasutaja4

 Then why getent group does not list members of Domain Users?
dump the groups out of ldap :-)

ldapsearch -x -LLL '(|(objectclass=posixGroup)(objectclass=sambaGroupMapping))'

and you will see, that samba uses TWO DIFFERENT group definitions.

It's your choice, which you will use in the future.
Read Samba by Example to find your way to do it right.


AND do remember that both worlds (posix and windows) know two 
different kinds of groups: normal groups and primary groups.
Normal groups define their members in the group definition.
Primary groups define their members in the user definition.

Also remember that Windows and samba know and may use nested groups, 
where posix has no equivalent. But modern nss implementations know how 
to handle nested groups. openldap may also support nested groups.

 I investigated some more and found out that if I do net rpc group
 MEMBERS Domain Users, group members get listed.
 EKRPTEST\kasutaja1
 EKRPTEST\kasutaja2
 EKRPTEST\kasutaja3
 EKRPTEST\kasutaja4
Here, you have queried a so called primary group.

Your group specialusers1 is a normal group. Check how the members are 
defined. Maybe you must reconfigure the PAM/NSS-system to use winbindd 
instead of ldap.

-- 

Good luck
Harry Jede


-- 

Regards
Harry Jede


Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-23 Thread Harry Jede
On 23:39:39 wrote Mike Brady:
 Daniel

 Exactly how did ldapsam:editposix not work right?

 I thought that the smb.conf man page described things well enough.

 I have converted my test set up from using smbldap-tools to using  
 ldapsam:posixedit and so far it is doing everything that I was using
   smbldap-tools for correctly.  I am using the SerNet 3.5.6 RPMs.

 Mike

I have two installations with ldapsam:editposix on debian lenny, samba 
3.4.5. Both are running fine. No problems.

-- 

Regards
Harry Jede


Re: [Samba] Adding LDAP Backend to Samba

2011-02-12 Thread Harry Jede
On 09:57:41 wrote J. Echter:

...

  also i'd like to check the logs, i got many samba related logs but
  don't find any hint whats going on...
increase the log level

  where could i have a look 
  too?
 
  cheers.
 
  juergen
 
  greetings.
 
 
  p.s. sorry Jorge, did a quick reply. didn't want to spam you

 can nobody tell my where the accounts have to be in?
May be, no one will do this. RTM

Samba by Example at www.samba.org has the answers. Read it! I have 
done this and it helps me a lot.

I would suggest that you examine one of these examples on a freshly 
installed linux distro of your choice.

 is it correct 
 that idmap is empty?
It is.

 greetings

 juergen.



-- 

regards
Harry Jede


Re: [Samba] CentOs 5.5 Glusterfs 3.1.0 Samba 3.5 MSOffice Files

2011-02-08 Thread Harry Jede
On 18:33:52 wrote Daniel Müller:
 So I created the file versuch.docx on the glusterd-vol. At the end of
 my smbd.log the file is read only. Only one change in the file
 possible


 My share definition:

 [test]
 path=/mnt/glusterfs/windows/test
 readonly=no
 profile acls = YES
 oplocks=NO
 level2 oplocks=NO
 write list=Domain Users Domain Admins
  write list=@Domain Users @Domain Admins

should be groups, not a single user

 create mask = 2770
 force group= Domain Users

 -rwxrw 1 root Domain Users 10021  8. Feb 15:42 versuch.docx


-- 

Regards
Harry Jede


Re: [Samba] Issues with default ACLs in created objects not including parent's owner: old bug or setup issue?

2010-11-23 Thread Harry Jede
On 14:30:30 wrote Christian PERRIER:
 I have recurrent issue with ACLs on a server that's running samba
 3.2.15 (this is a Debian lenny server and we're not ready, yet, to
 upgrade it...we just upgraded samba from 3.2.5 to 3.2.15+security
 fixes).

 If a foo directory, owned by joe, has joe and jim authorized
 to write to it through the filesystem's ACLs (and both in foo
 default ACL), and joe creates a bar subdir in this
 directory... then joe himself is not added to the default ACL of
 foo/bar. He can still write to bar (as he's the directory
 owner)... but any file or dir created by *jim* in foo/bar will not
 have write access for joe.
show us getfacl foo and the share section in smb.conf

 I seem to remember this was an issue fixed... somewhere along 3.4 or
 3.5 development cycles. However, I couldn't find any relevant bug
 report. Probably because my life is not driven by Bugzilla and I'm
 not good searching with it.

 So, would anyone remember about this being a bug... or could that be
 a local setup issue and some mysterious stanza missing in our setup?



-- 

Regards
Harry Jede


Re: [Samba] smbstatus questions

2010-10-25 Thread Harry Jede
On 18:33:12 wrote David Roid:
 Hello list,

 I'm running a samba 3.5.3 CTDB cluster, found the output is different

 Q1:  What does the 0: mean in pid column? There was no such stuff
 in non-CTDB smbstatus output.

 snip
 samba_01:~ # smbstatus -S 2>/dev/null

 Service  pid machine   Connected at
 ---
 ben  0:21363   samba Mon Oct 25 17:59:35 2010
 ben  0:21442   samba Mon Oct 25 17:59:39 2010

 snip

 Q2: How to parse smbstatus to capture service column and pid column?
 as in case of homes share the service is named as username, while
 domain username may contain whitespace(s)?

 snip
 samba_01:~ # smbstatus -S 2>/dev/null

 Service  pid machine   Connected at
 ---
 ben              0:21363   samba         Mon Oct 25 17:59:35 2010
 benjamin linus   0:21442   samba         Mon Oct 25 17:59:39 2010   benjamin[space]linux
 james  ford      0:21550   samba         Mon Oct 25 18:00:29 2010   james[space][space]ford, awk/cut can't handle this well,
 they only keep one space.

 snip
awk can handle this, but I like sed. You may try this sed one liner.

smbstatus -S 2>/dev/null | sed -ne 's/^\(.*[[:alnum:]]\)[[:space:]]\{1,\}\([[:digit:]]\{1,2\}:[[:digit:]]\{1,20\}\)[[:space:]]\{1,\}\([[:alnum:]]*\)[[:space:]]\{1,\}\(.*\)$/\1_@_\2_@_\3_@_\4/p'

It only works for ctdb. You may change _@_ to another delimiter like \t or 
\; ;-) . 

 I need these column to close specific shares with smbcontrol, but
 fail to capture them. Is there any alternative?

 Regards
 -David



-- 

Regards
Harry Jede


Re: [Samba] Problem when valid users is used

2010-09-30 Thread Harry Jede
On Wednesday, 29 September 2010 wrote Arnaud BLONDEL - Alter Way Solutions:
 Hi,

 When I use valid users in smb.conf to limit access on my share, I
 have this message with smbclient :


 [global]

 workgroup = MYDOM
 domain master   = no
 local master= no
 security= user
 passdb backend  = ldapsam:ldap://x.x.x.x:389
 ldap admin dn   = cn=admin,dc=company,dc=com
 ldap suffix = dc=company,dc=com
 ldap user suffix= ou=People
 ldap group suffix   = ou=Groups
 ldap idmap suffix   = ou=Idmap
 ldap machine suffix = ou=Computers
 ...

 [Images]
   ...
   valid users = @Developpeurs
   ...


 # smbclient //x.x.x.x/Images -U test
 Enter test's password:
 Domain=[SERVER] OS=[Unix] Server=[Samba 3.3.2]
 tree connect failed: NT_STATUS_ACCESS_DENIED


 I have this log :

 2010/09/29 16:19:03,  3] lib/util_sid.c:string_to_sid(228)
string_to_sid: Sid @Developpeurs does not start with 'S-'.
 [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(425)
Unable to get default yp domain, let's try without specifying it
 [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(429)
looking for user test of domain (ANY) in netgroup Developpeurs
 [2010/09/29 16:19:03,  5] smbd/password.c:user_in_netgroup(445)
looking for user test of domain (ANY) in netgroup Developpeurs
 [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(69)
lookup_name: SERVER\Developpeurs = SERVER (domain), Developpeurs
 (name) [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
 lookup_name: flags = 0x077
 [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2010/09/29 16:19:03,  3] smbd/uid.c:push_conn_ctx(388)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2010/09/29 16:19:03,  5] auth/token_util.c:debug_nt_user_token(522)
NT user token: (NULL)
 [2010/09/29 16:19:03,  5]
 auth/token_util.c:debug_unix_user_token(548) UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
 [2010/09/29 16:19:03,  5] lib/smbldap.c:smbldap_search_ext(1205)
smbldap_search_ext: base = [ou=Groups,dc=company,dc=com], filter
 =
 [((objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Dev
eloppeurs)))], scope = [2]
 [2010/09/29 16:19:03,  2]
 passdb/pdb_ldap.c:init_group_from_ldap(2348) init_group_from_ldap:
 Entry found for group: 1005
 [2010/09/29 16:19:03,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2010/09/29 16:19:03, 10] passdb/passdb.c:lookup_global_sam_name(620)
Found group Developpeurs
Try to run the same search as Samba does:

ldapsearch -s sub -b ou=Groups,dc=company,dc=com '(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))'

 (S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --
 ignoring.lookup_name: Unix Group\Developpeurs = Unix Group (domain),
 Developpeurs (name)
Samba finds this SID S-1-5-21-1003513250-1319205365-1235820382-1015 for your 
group, but according to your ldif, the SID for Developpeurs is: 
S-1-5-21-1003513250-1319205365-1235820382-101

So you may have a duplicate entry :-( .

 [2010/09/29 16:19:03, 10] passdb/lookup_sid.c:lookup_name(70)
lookup_name: flags = 0x077
 [2010/09/29 16:19:03, 10] smbd/share_access.c:user_ok_token(212)
User test not in 'valid users'
 [2010/09/29 16:19:03,  2]
 smbd/service.c:create_connection_server_info(663) user 'test' (from
 session setup) not permitted to access this share (Images)
 [2010/09/29 16:19:03,  0] smbd/service.c:make_connection_snum(744)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED


 I use /etc/nsswitch to get users and groups from LDAP

 User test is in Developpeurs group :

 # id anisimov
 uid=1009(anisimov) gid=513(Domain Users) groupes=513(Domain
 Users),1005(Developpeurs)


 In LDAP :

 cn=Developpeurs,ou=Groups,dc=company,dc=com
 objectClass: top
 objectClass: posixGroup
 objectClass: sambaGroupMapping
 cn: Developpeurs
 gidNumber: 1005
 sambaSID: S-1-5-21-1003513250-1319205365-1235820382-101
 ...
 memberUid: test
 ...

 and :

 uid=test,ou=People,dc=company,dc=com
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: sambaSamAccount
 ...
 givenName: anisimov
 uid: anisimov
 uidNumber: 1009
 gidNumber: 513
 sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009
 ...


 Where is the problem ?


 SAMBA : Version 3.3.2



-- 

Regards
Harry Jede


Re: [Samba] Problem when valid users is used

2010-09-30 Thread Harry Jede
On Thursday, 30 September 2010 wrote Arnaud BLONDEL - Alter Way 
Solutions:
 On 30/09/2010 10:46, Harry Jede wrote:
  Try to run the same search as Samba does:
 
  ldapsearch -s sub -b ou=Groups,dc=company,dc=com '(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))'

 ldapsearch -x -s sub -b 'ou=Groups,dc=company,dc=com' '(&(objectClass=sambaGroupMapping)(|(displayName=Developpeurs)(cn=Developpeurs)))'

 dn: cn=Developpeurs,ou=Groups,dc=company,dc=com
 objectClass: top
 objectClass: posixGroup
 objectClass: sambaGroupMapping
 cn: Developpeurs
 gidNumber: 1005
 sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015
 sambaGroupType: 2
 displayName: Developpeurs
 description: Le groupe des programmeurs
 memberUid: test
 ...
 ...

 # search result
 search: 2
 result: 0 Success

 # numResponses: 2
 # numEntries: 1

  Samba finds this SID S-1-5-21-1003513250-1319205365-1235820382-1015
  for your group, but according to your ldif, the SID for
  Developpeurs is:
  S-1-5-21-1003513250-1319205365-1235820382-101
 
  So you may have a duplicate entry :-( .

 Output is wrong, SID is
 S-1-5-21-1003513250-1319205365-1235820382-1015
OK, looks like a copy and paste error :-(

Look at the next error message:
(S-1-5-21-1003513250-1319205365-1235820382-1015) not in our domain --

Look up the SIDs of your Server and Domain

net getlocalsid
net getdomainsid

-- 

Regards
Harry Jede
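
Added example, not part of the thread: one way to follow up on the "not in our domain" message is to compare the domain part of every sambaSID in an LDIF dump with the SID printed by net getlocalsid. The function names are this example's own; the first two entries use values from the LDIF posted in the thread, while the BUILTIN entry and the stand-in server SID are constructed.

```shell
#!/bin/sh
# Added example: list LDAP entries whose Samba SIDs lie outside a given domain SID.

# Domain part of a SID: everything before the final RID.
sid_domain() {
    echo "${1%-*}"
}

# $1 = domain SID (for instance the value printed by "net getlocalsid").
# LDIF on stdin. Prints "dn<TAB>attribute<TAB>SID" for every domain-relative
# SID (S-1-5-21-...) whose domain part differs from $1. Well-known SIDs such
# as S-1-5-32-544 are skipped: they never carry a domain SID.
# Folded or base64-encoded LDIF lines are not handled here.
audit_ldif_sids() {
    awk -v dom="$1" '
        /^dn: / { dn = substr($0, 5) }
        /^$/    { dn = "" }
        /^samba(PrimaryGroup)?SID: / {
            sid = $2
            if (sid !~ /^S-1-5-21-/) next
            prefix = sid
            sub(/-[0-9]+$/, "", prefix)      # drop the RID
            if (prefix != dom) {
                attr = $1
                sub(/:$/, "", attr)
                printf "%s\t%s\t%s\n", dn, attr, sid
            }
        }
    '
}

# Group and user entries as posted in the thread, plus one constructed
# BUILTIN group to show that well-known SIDs are ignored.
sample_ldif() {
    cat <<'EOF'
dn: cn=Developpeurs,ou=Groups,dc=company,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Developpeurs
gidNumber: 1005
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1015

dn: uid=test,ou=People,dc=company,dc=com
objectClass: sambaSamAccount
uidNumber: 1009
sambaSID: S-1-5-21-1003513250-1319205365-1235820382-1009

dn: cn=Administrators,ou=Groups,dc=company,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
EOF
}

# Constructed stand-in for the server SID; the thread does not show the real one.
server_sid=S-1-5-21-1111111111-2222222222-3333333333
sample_ldif | audit_ldif_sids "$server_sid"
```

Every line it prints is an entry that smbd, running with that server SID, would treat as foreign in a valid users lookup.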


Re: [Samba] Wrong results in dir listing with wildcard

2010-06-10 Thread Harry Jede
On Thursday, 10 June 2010 wrote Guy Rouillier:
 My Samba server is a new install of Ubuntu 10.4 x86 with Samba 3.4.7.
 Samba is configured as standalone, and shares only a single directory
 /data for backup purposes.

 I stumbled across this issue while trying to get my original problem
 fixed (which I did, thanks to this helpful list.)  Run the following
 in a temporary directory:

 echo abc > ActivePerl-5.10.1.1007-MSWin32-x86-291969.msi
 echo abc > ActivePython-2.6.5.12-win32-x86.msi
 echo abc > ActiveTcl8.6.0.0b2.291226-win32-ix86-threaded.exe
 echo abc > authenclientcp.bat
 echo abc > authencp.bat
 echo abc > authenejbcp.bat

 I put this into a batch file.  By trial and error, I discovered that
 the results are the same if you (1) just run from a shell script on
 the Samba server, or (2) run it on Windows and copy the results to
 the Samba server.

 With those files in place, from a Windows box, I get the following
 results from issuing directory listings with a wildcard:

 N:\temp>dir ac*
   Volume in drive N is data
   Volume Serial Number is 0160-027E

   Directory of N:\temp

 06/10/2010  03:33 PM 6 authenejbcp.bat
 06/10/2010  03:33 PM 6 ActivePython-2.6.5.12-win32-x86.msi
 06/10/2010  03:33 PM 6 ActiveTcl8.6.0.0b2.291226-win32-ix86-threaded.exe
 06/10/2010  03:33 PM 6 ActivePerl-5.10.1.1007-MSWin32-x86-291969.msi
 4 File(s) 24 bytes
 0 Dir(s)  533,019,426,816 bytes free

 N:\temp>dir au*
   Volume in drive N is data
   Volume Serial Number is 0160-027E

   Directory of N:\temp

 06/10/2010  03:33 PM 6 authenejbcp.bat
 06/10/2010  03:33 PM 6 authencp.bat
 06/10/2010  03:33 PM 6 authenclientcp.bat
 3 File(s) 18 bytes
 0 Dir(s)  533,019,484,160 bytes free

 Notice that authenejbcp.bat is included in both listings.  If someone
 else can confirm they are seeing the same thing, I'll file a bug
 report. Thanks.
Read the man page of smb.conf, section NAME MANGLING

 --
 Guy Rouillier



-- 
Harry Jede


Re: [Samba] File permissions

2010-06-06 Thread Harry Jede
On Thursday, 3 June 2010 wrote Steve Wolfe:
 Samba 3.4.7-58.fc12, windows 7 client.

 I have a share where, if I right-click and chose properties,
 everything shows up as read only.  I can un-check that, hit apply,
 and if I view the properties again, they are read only.

 Interestingly enough, I can go in and create files, modify files,
 rename files, delete files, etc..  However, some of the users'
 software checks for read-only status, and is throwing errors.

 Here's the smb.conf section:

 [Apps]
 path=/home/apps
 force user=appsuser
 force group=appsuser
 read only=no
 writeable=yes
 oplocks = False
 level2 oplocks = False

 Directory looks like this:

 drwxrwxr-x  94 appsuser appsuser  20K 2010-06-02 14:32 apps

 Files inside of it have permissions similar to these:

 -rwxr-xr-x1 appsuser appsuser 424K 2009-10-01 15:54 AAUTOLN.DLL
 -rwxr-xr-x1 appsuser appsuser  894 2008-07-23 08:37 Accounting.HSICTB

 Any clues?

Windows is a little bit different;
you should never use usergroups. Setting up a user appsuser and a group 
appsuser is not supported by Windows Server products and not supported 
by Samba Servers.


-- 

regards
Harry Jede


Re: [Samba] problems after upgrade from 3.3.2 to 3.4.0

2010-05-26 Thread Harry Jede
On Wednesday, 26 May 2010 wrote Thomas Gutzler:
 Hi Christian,

 On 26/05/2010 4:44 PM, Christian PERRIER wrote:
  Quoting Thomas Gutzler (thomas.gutz...@gmail.com):
  Hi,
 
  After upgrading one of my samba servers from ubuntu jaunty (3.3.2)
  to karmic (3.4.0) I cannot access the shares any more.
 
  The default for passdb backend changed between these versions
  (from smbpasswd to tdbsam) and, as you don't explicitly set it
  in smb.conf, I'd guess this might be the reason for this.
 
  Try adding:
 
  passdb backend = smbpasswd

 Thanks for your reply. I am aware of this change but thought I wasn't
 affected because both smb.conf (PDC and other samba server) had
    passdb backend = tdbsam
 already set. Yet another setting not listed by testparm.
Mmmh, testparm is not so bad ;-)

Try this:
# testparm -v -s /dev/null |grep passdb

Or my favorite upgrade path:
# testparm -v -s /dev/null > smb.conf.default-$(smbd -V|cut -f2 -d' ')
Run this before and after upgrading samba

To get a small host specific file without the services:
# testparm -s --section-name=global > smb.conf.$HOSTNAME-$(smbd -V|cut -f2 -d' ')

So you may end up with 4 files:
# ls smb.conf.*
smb.conf.myserver-3.0.22
smb.conf.myserver-3.4.7
smb.conf.default-3.0.22
smb.conf.default-3.4.7

Run a diff against the default files and you may see which config params 
have changed their default values.

-- 

Regards
Harry Jede


Re: [Samba] acl_xattr vs acl_tdb

2010-03-28 Thread Harry Jede
On Friday, 26 March 2010 wrote Adrian Berlin:
 Hi!
 Does anyone know how many ACLs can be stored on file system (xfs)
 using acl_xattr module and in file file_ntacls.tdb?

The docs say that xfs uses 64k.

A small test gives me totally different numbers :-( .

xfs can store 21 to 26 ACEs. It depends on the size of gidnumber.
ext3 may store 503 to 513 ACEs, also depending on the size of gidnumber.

The test bed:
fresh created /home partitions with:
  mkfs.xfs -f /dev/hda6
for xfs, and
  mkfs.ext3 /dev/hda6
for ext3.

only one directory:
  rmdir /home/dir/ ;mkdir /home/dir/

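and a small shell script, which adds ACEs:
/root/acl-test.sh:

#!/bin/sh -ex
# -e stops the script at the first setfacl that fails, -x traces each command,
# so the last traced value of G is the first gid whose ACE did not fit.
G=22
#G=10   # alternative starting gid

while :
do
  G=$(( $G + 1 ))

  # add one more group ACE to the test directory
  setfacl -m g:$G:rwx /home/dir

done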



OS is Debian Lenny:
debian:/# cat /etc/debian_version 
5.0.4
debian:/# uname -r
2.6.26-2-amd64

getfacl  setfacl has version: 2.2.47

Other extended attributes may reduce the number of available ACEs.

Conclusion:
ext3 is a better choice than xfs, at least for Debian Lenny.

I have not tested any special tuning options for ext3 or xfs.


 Best regards
 /Adrian Berlin




-- 

Regards
Harry Jede


Re: [Samba] Strange OpenLDAP errors w/ samba 3.4.3

2010-01-15 Thread Harry Jede
On Thursday, 14 January 2010 wrote Michael Wood:
 2010/1/14 Albrecht Dreß albrecht.dr...@lios-tech.com:
  Hi all,
 
  after an upgrade of my Ubuntu 8.04 64-bit box to a self-compiled
  samba 3.4.3 (Lenny backport dpkg), I see strange error messages in
  my OpenLDAP log:
 
  slapd[3388]: do_search: invalid dn
  (sambaDomainName=,sambaDomainName=domain,cn=...,dc=...,dc=..
 .)
 
  Samba seems to work, though, but this message makes me somewhat
  nervous.
 
  Any ideas?

 I don't know where it comes from, but I've seen someone else mention
 the same thing on this list:

 http://lists.samba.org/archive/samba/2009-December/152339.html

 Also a google search turns up some more hits, including this Debian
 bug:

 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557343
I believe that the user has a wrong suffix:
ldap suffix = dc=bushey,dc=jamie-thompson,dc=co,dc=uk,dc=.

dc=. cannot be a valid domain component, because the dot is the 
delimiter in DNS syntax.


 --
 Michael Wood esiot...@gmail.com



-- 

Regards
Harry Jede


Re: [Samba] Group mapping is not showing correct value

2010-01-12 Thread Harry Jede
On Tuesday, 12 January 2010 wrote Brajesh Shrivastava:
 Brajesh Shrivastava wrote:
  Hi All
 
  I have created a group 'test' which has the following users:
 
  brajesh_01:/var/log/samba # getent group |grep test
  test:!:13159:brajesh,yatish,usr1
  brajesh_01:/var/log/samba #
 
 
  I mapped this user to ntgroup user, 'Web Master':
 
  brajesh_01:/var/log/samba # net  groupmap add ntgroup=We Master
  unixgroup=test
  No rid or sid specified, choosing a RID
  Got RID 27319
  Successfully added group We Master to the mapping db as a domain
  group brajesh_01:/var/log/samba #
 
  Output of 'net groupmap list' command shows the correct output:
 
  brajesh_01:/var/log/samba # net groupmap list
  We Master (S-1-5-21-3348154469-3767538395-1505805052-27319) - test
  brajesh_01:/var/log/samba #
 
  But when I try to see the output of 'net rpc group members'
  command, it is giving an error message. Please see here:
 
  brajesh_01:/var/log/samba # net rpc group members Web Master  -U
  administrator -d 1
  Enter administrator's password:
  Couldn't find group Web Master
  [2010/01/11 10:35:33,  1] utils/net_rpc.c:run_rpc_command(181)
   rpc command function failed! (NT_STATUS_NONE_MAPPED)
  brajesh_01:/var/log/samba #
 
  I am new for group mapping feature. Please let me know where I am
  doing wrong.
 
  Thanks in advance!!!

 Please help me in resolving the above problem, in case if you know
 the solution.
use the same group name :-)

Web Master and We Master

are totally different ;-) 



-- 

Regards
Harry Jede


Re: [Samba] Change Allowed Workstations with pdbedit

2009-10-10 Thread Harry Jede
On Friday, 9 October 2009 wrote Harry Jede:
 On Thursday, 8 October 2009 wrote Philipp Boksberger:
  Dear Samba Users,
 
 
 
  I have a Samba 3.2.5 Server running on Debian. I use tdbsam as a
  password database and wonder how I can change the Workstations
  value in order to control the allowed workstations for a particular
  user. Last year I had a configuration with ldap using the smbldap
  tools where it was possible to set this value. But how can I set it
  without  LDAP just using pdbedit?
 
  In the official Samba 3.2.x HOWTO and Reference Guide in Chapter 11
  Section The pdbedit Tool
  (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing)
  there is an example where Workstations is set
  to melbelle - but no explanation of how this could be done. There
  is also no parameter listed in the pdbedit man page.

 try: -m

 :-) pdbedit --help :-)
Sorry,
forget my wrong answer. 

 :
  Any hints?
 
 
 
  Philipp

 --

 Regards
   Harry Jede



-- 

Regards
Harry Jede


Re: [Samba] Change Allowed Workstations with pdbedit

2009-10-09 Thread Harry Jede
On Thursday, 8 October 2009 wrote Philipp Boksberger:
 Dear Samba Users,



 I have a Samba 3.2.5 Server running on Debian. I use tdbsam as a
 password database and wonder how I can change the Workstations
 value in order to control the allowed workstations for a particular
 user. Last year I had a configuration with ldap using the smbldap
 tools where it was possible to set this value. But how can I set it
 without  LDAP just using pdbedit?

 In the official Samba 3.2.x HOWTO and Reference Guide in Chapter 11
 Section The pdbedit Tool
 (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing)
 there is an example where Workstations is set to
 melbelle - but no explanation of how this could be done. There is
 also no parameter listed in the pdbedit man page.
try: -m

:-) pdbedit --help :-)



 Any hints?



 Philipp



-- 

Regards
Harry Jede


Re: [Samba] How to bulk add machine accounts during PDC hardware refresh?

2009-10-05 Thread Harry Jede
On Monday, 5 October 2009, Eero Volotinen wrote:
 Michael Lueck wrote:
  John Drescher wrote:
  I would not remove the old entries. If you are using ldap
  replicate the openldap first. If you are using tdbsam copy the
  /var/lib/samba folder.
 
  Sorry, I forgot to mention that no LDAP or anything fancy is
  involved. So Samba has made entries in /etc/passwd and /etc/group,
  and that is what I am interested in moving properly.

 just copy and paste entries to /etc/passwd and /etc/group ?
Sounds usable, but do not do this.
You may get massive problems :-( .

You need passwd AND shadow for the users, but normally NOT the whole file.
The system accounts may be different on your new system, so identify the 
min and max uidnumber for regular users and copy only these users. Do 
the same with the shadow file. AND make backups.

Same thing with groups. Identify your min and max gidnumber and copy 
only these groups.

Maybe you need to transform some uid/gid-numbers :-) .



 --
 Eero



-- 

Regards
Harry Jede
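
The UID/GID-range approach described in the reply above, as an added example that is not part of the original post: it selects only the regular accounts from the old server's passwd or group file, pulls the matching shadow lines, and reports entries that would collide with the new system. The function names, the 1000-59999 range and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.

# select_range FILE MIN MAX
# Print the lines of a passwd- or group-format file whose numeric ID
# (field 3 in both formats) lies in [MIN, MAX].
select_range() {
    awk -F: -v min="$2" -v max="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= min + 0 && $3 + 0 <= max + 0' "$1"
}

# match_names SELECTED SECRETS
# Print the lines of a shadow- or gshadow-format file whose name (field 1)
# appears in SELECTED, so hashes travel only for the accounts being moved.
match_names() {
    awk -F: 'FILENAME == ARGV[1] { keep[$1] = 1; next } ($1 in keep)' "$1" "$2"
}

# find_conflicts SELECTED TARGET
# Report entries that cannot be appended unchanged to TARGET (the new
# system's passwd or group file): the name already exists with another ID,
# or the ID already belongs to another name. These need renumbering first.
find_conflicts() {
    awk -F: '
        FILENAME == ARGV[1] { id_of[$1] = $3; name_of[$3] = $1; next }
        ($1 in id_of) && id_of[$1] != $3 {
            print "name " $1 ": old id " id_of[$1] ", new system id " $3 }
        ($3 in name_of) && name_of[$3] != $1 {
            print "id " $3 ": old name " name_of[$3] ", new system name " $1 }
    ' "$1" "$2"
}

# Demo on constructed files: old server passwd/shadow, new server passwd.
demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/passwd.old" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1000:Bob:/home/bob:/bin/bash
lab01$:x:1002:515:lab machine:/dev/null:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
    cat > "$work/shadow.old" <<'EOF'
root:CONSTRUCTED-HASH-0:14500:0:99999:7:::
alice:CONSTRUCTED-HASH-1:14500:0:99999:7:::
bob:CONSTRUCTED-HASH-2:14500:0:99999:7:::
lab01$:*:14500:0:99999:7:::
nobody:*:14500:0:99999:7:::
EOF
    cat > "$work/passwd.new" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:1001:1001:Backup operator:/home/backup:/bin/bash
EOF
    (
        umask 077   # the shadow extract holds password hashes
        select_range "$work/passwd.old" 1000 59999 > "$work/passwd.move"
        match_names "$work/passwd.move" "$work/shadow.old" > "$work/shadow.move"
    )
    echo "accounts to move:";  cut -d: -f1,3 "$work/passwd.move"
    echo "shadow lines kept:"; cut -d: -f1 "$work/shadow.move"
    echo "conflicts on the new system:"
    find_conflicts "$work/passwd.move" "$work/passwd.new"
    rm -rf "$work"
}
demo
```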


Re: [Samba] Computers leaving samba domain

2009-10-01 Thread Harry Jede
On Thursday, 1 October 2009, sgm...@mail.bloomfield.k12.mo.us wrote:
 sgm...@mail.bloomfield.k12.mo.us wrote:
  I am not sure if this is where I need to ask this or not, but I am
  lost to where to start even.
 
  I had 7 computers in one lab that would not login.  It gave the
  standard computer account password bad or domain not found.  I
  had another 9 computer in my other lab do the same thing.  It seems
  that they have suddenly started losing the domain.  I can add them
  to a workgroup and then re-add them back to the domain and they are
  fine.
 
  I am just scared that they are going to lose the domain again.  I
  cannot spend all of my time going around removing computers and
  adding them back to the domain each day.  Any ideas of what could
  cause this?  Client issue?  Samba issue?  ldap issue?
 
  The clients are all Windows XP service pack 3 and the server is a
  Fedora 10 server running samba and ldap.
 
  Usually the only time that I have this happen is if I accidentally
  add another computer to the domain with the same name.  I
  understand that, but I have not done that on any of these.
 
  One lab has brand new computers.  The other lab just got imaged day
  before yesterday.  I'll go ahead and get them all added back in,
  but I need to find what to be looking for if they keep doing this. 
  Thanks.

 This may be an ldap question. 
Maybe you have wrong acl statements in your LDAP-Server :-( .

 I was looking at the machines info and 
 I checked on about 5 of them.  For some reason it is showing that the
 sambaPwdLastSet has changed in the last couple of days.  Is this
 supposed to ever change for machines if you do not remove them from a
 domain and then add them back in?  I would think it would always stay
 the same.
No, Windows machines will change their password on a regular time 
interval. I do not remember the exact days.

You must allow them to change the password field and one other. Search 
this list or look into the good samba documentation :-)


 Machines are added by samba with smbldap-useradd -w %u.

 Thanks.

 --
 Scott Mayo - System Administrator
 Bloomfield Schools
 PH: 573-568-5669  FA: 573-568-4565

 Question: Because it reverses the logical flow of conversation.
 Answer: Why is putting a reply at the top of the message frowned
 upon?



-- 

Regards
Harry Jede


Re: [Samba] Computers leaving samba domain

2009-10-01 Thread Harry Jede
On Thursday, 1 October 2009, sgm...@mail.bloomfield.k12.mo.us wrote:
 Harry Jede wrote:
  I was looking at the machines info and
  I checked on about 5 of them.  For some reason it is showing that
  the sambaPwdLastSet has changed in the last couple of days.  Is
  this supposed to ever change for machines if you do not remove
  them from a domain and then add them back in?  I would think it
  would always stay the same.
 
  No, Windows machines will change their password on a regular time
  interval. I do not remember the exact days.
 
  You must allow them to change the password field and one other.
  Search this list or look into the good samba documentation :-)

 That is strange then.  I have software on my XP clients that will not
 let anything get changed.  If there are changes made then once you
 reboot the computer, it will be back to the way it was when you
 started.  If the client is recording this change also then it would
 not be saved on a reboot.

 I would think that was the problem, but I have had this software
 running for a few years now and I have not had this problem before.
You may apply a registry patch, so that the client will NOT change the 
machine password :-) , before you lock the client image.



 Thanks for the info.

 --
 Scott Mayo - System Administrator
 Bloomfield Schools
 PH: 573-568-5669  FA: 573-568-4565

 Question: Because it reverses the logical flow of conversation.
 Answer: Why is putting a reply at the top of the message frowned
 upon?



-- 

Regards
Harry Jede


Re: [Samba] LDAP errors with v3.0.34 using the LDAP schema file with Sun DS 5.2

2009-08-24 Thread Harry Jede
On Monday, 24 August 2009, Rob Mottishaw wrote:
 The format of the sambaDomainName object in the DIT (I've masked the
 sensitive information, don't let the ?'s and #'s throw you):


 Distinguished Name: sambaDomainName=,??=???,??=???
 ObjectClasses sambaDomain
 Attributes
 sambaAlgorithmicRidBase 1000
 sambaDomainName 
 sambaNextUserRid 1000
 sambaSID #-#-#-##-##-#-##

 The attributes sambapwdhistorylength, sambalockoutthreshold,
 sambamaxpwdage are not included in the definition of the
 sambaDomainName object.  Any ideas?  The searching I've done
 indicates the attributes sambapwdhistorylength,
 sambalockoutthreshold, sambamaxpwdage should be included, in our
 case, they are not.
The schema is attached. It comes from a samba 3.2x debian lenny 
package.

You may try it, if you want.

 Thanks for any assistance,
 Rob Mottishaw



-- 

Regards
Harry Jede

Re: [Samba] 'inherit owner' doesn't play nice with 'force directory mode'

2009-08-20 Thread Harry Jede
On Tuesday, 18 August 2009, jw wrote:
 Hello
 I am trying to create a 'dropbox' share, using the sticky bit and
 'inherit owner'.

 By themselves they work, but when a directory is created in this
 share, its permissions are not quite what I need.
 Therefore, I try to use 'force directory mode' or 'inherit
 permissions'. However, whenever I do that, the owner on the
 newly-created directory is no longer correct w/regard to 'inherit
 owner'.

 Is this correct behavior, or a bug?
You should try posix acls. Read the man pages:
getfacl
setfacl
acl

or search this list archive. Look for default acl.

...
 Thanks,
 John



-- 

Regards
Harry Jede


Re: [Samba] samba with ldap PDC cannot join my windows to domain?

2009-08-12 Thread Harry Jede
On Wednesday, 12 August 2009, Alberto Moreno wrote:
   Hi people.

   I have been working with samba+ldap = PDC in my test network. I
 had follow the good tutorial: Samba By Example, chapter 5, I had done
 all the test the book say and no issues.

   I have 2 issues:

 1; I cannot see my domain at my windows browser.
 2; I cannot add my windows xp pro to my domain.

   I have been trying to see if I could find the solution but nothing
 yet, there is the reason I send this email.

   My server is Centos 5.3 latest one all the packages are the current
 from centos.

   Ldap looks that is working, because all my test from the book pass,
 and the same with samba.

   When I try to add one Winbox to the domain I receive this:

   The following error occurred attempting to join the domain
 MyDomain The network path as not found
Maybe, it helps:
Try the domain RMAI.

   My smb.conf is this:

 [global]
 dos charset = 850
 unix charset = ISO8859-1
 display charset = ISO8859-1
 workgroup = RMAI


 Thanks for your time!!!

 --
 LIving the dream...



-- 

Regards
Harry Jede


Re: [Samba] Ubuntu Jaunty samba 3.3.2 print$ no write rights even though I do; -)

2009-07-03 Thread Harry Jede
On Thursday, 2 July 2009, Glenn T. Arnold wrote:
 I just made my print$ share settings to match my print drivers share
 which should work same
This is what you believe.

 and I still cannot create folders or files on 
 the print$ share, but I can all day on the print drivers share. Would
 someone explain why this is happening? Here is my share settings.

 [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\print$]
 path=/var/lib/samba/printers
 comment=Printer Drivers
 read only=no


 [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\printer drivers]
 path=/var/lib/samba/printers
 read only=no
Why are you doing this? 

I think you should reread the excellent Samba docu again.

 Thanks
 -Glenn

 - Original Message -
 From: Glenn T. Arnold garn...@unrealsolutions.com
 To: samba samba@lists.samba.org
 Sent: Thursday, July 2, 2009 3:29:29 PM GMT -05:00 US/Canada Eastern
 Subject: Re: [Samba] Ubuntu Jaunty samba 3.3.2 print$ no write rights
 even though I do;-)

 Harry,

 You did give me an idea though. For grins I just set rights to 0777
 even on the extended acls and I still get access denied when trying
 to upload print drivers. Here is the updated rights on
 /var/lib/samba/printers.
You make your own changes. That's really fine.


-- 

Regards
Harry Jede


Re: [Samba] Ubuntu Jaunty samba 3.3.2 print$ no write rights even though I do; -)

2009-07-03 Thread Harry Jede
On Friday, 3 July 2009, Ray Anderson wrote:
 Glenn T. Arnold wrote:
  Harry,
 
  You did give me an idea though. For grins I just set rights to 0777
  even on the extended acls and I still get access denied when trying
  to upload print drivers. Here is the updated rights on
  /var/lib/samba/printers.

 Harry,

 Check your apparmor settings:

 /etc/apparmor.d/abstractions/samba

I am using GNU/Linux.
There is no application called apparmor.

BTW
I don't have any problems with samba, Glenn has the problems.


-- 

Harry Jede


Re: [Samba] Ubuntu Jaunty samba 3.3.2 print$ no write rights even though I do; -)

2009-07-02 Thread Harry Jede
On Thursday, 2 July 2009, Glenn T. Arnold wrote:
 Here is the rights on the /var/lib/samba/printers directory

 r...@server01:/var/lib/samba# getfacl printers -R
 # file: printers
 # owner: root
 # group: Domain\040Admins
 user::rwx
 group::r-x
# grant Domain\040Admins write access
group::rwx
 group:Domain\040Admins:rwx
 mask::rwx
 other::r-x
 default:user::rwx
 default:group::r-x
 default:group:Domain\040Admins:rwx
 default:mask::rwx
 default:other::r-x



-- 

Harry Jede


Re: [Samba] Surprising/Unexpected result after deleting and re-adding a user on our Samba domain

2009-05-18 Thread Harry Jede
On Monday, 18 May 2009 22:12, William Marshall wrote:
 I don't want to call this a security problem. Since it isn't a code
 exploit, but, many people might have this problem.

 The other day a user was removed from our SLES  samba-3.0.28-0.6
 domain due to inactivity, but he still needed his account, so I
 recreated it. I didn't try to restore the LDAP data, so he got a new
 SID, etc.

 I was amazed to find that once his userid was created, he was already
 (still) in the groups that he had been in before.

 It would be possible for you to delete a userid who is in Domain
 Admins, and then have someone else request that userid days or weeks
 later. That userid would probably be a member of the Domain Admins
 upon creation.

 After digging into what happened, as a Linux admin, this makes sense
 to me, but as a Windows admin, this blows me away. I had assumed
 that SIDs were used in most places, but with a LDAP backend, group
 membership is stored by name, not by SID.
And in OpenLDAP there is another group model. If you use this, instead 
of posix and sids, then there may be an (easy) solution.

- use DN based group entries
- use the nss_schema switch in libnss-ldap.conf
- use the refint overlay in slapd.conf, see man slapo-refint

If you now rename or delete an account, the account-DN is modified or 
deleted in all groups.


 In the smb.conf we are not using the smbldap-tools tools anymore and
 we have set:
  ldapsam:editposix = yes
  passdb backend = ldapsam:ldap://127.0.0.1;

 A solution to this problem might be for Samba to remove a user from
 all the groups before the account is deleted. (I will probably code
 this into our account cleanup scripts)

 This also means renaming an ID would be more involved than I (given a
 windows background) had assumed. We don't do it, but I had assumed
 that an account  rename from usermanager would work.

 thanks,
 Bill Marshall

-- 

Regards
Harry Jede
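
The cleanup Bill Marshall describes (remove a user from every group before the account is deleted), as an added example that is not part of the original posts: working on an unwrapped LDIF export, it lists memberUid values that no longer match any account and emits the ldapmodify input that strips one user from all groups. Function names, the dc=example,dc=org tree and all entries are constructed.

```shell
#!/bin/sh
# Added example; function names and all directory data are constructed.
# Input is unwrapped LDIF, e.g. from: ldapsearch -LLL -o ldif-wrap=no ...

# orphan_members LDIF
# Print "group-dn<TAB>memberUid" for every memberUid that matches no uid
# attribute in the export. Such a leftover hands its groups to whoever is
# later given that login name.
orphan_members() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        dn = ""
        for (i = 1; i <= NF; i++) {
            low = tolower($i)
            if (low ~ /^dn: /) dn = substr($i, 5)
            else if (low ~ /^uid: /) have[substr(low, 6)] = 1
            else if (low ~ /^memberuid: /) { n++; grp[n] = dn; mem[n] = substr($i, 12) }
        }
    }
    END {
        for (k = 1; k <= n; k++)
            if (!(tolower(mem[k]) in have)) print grp[k] "\t" mem[k]
    }' "$1"
}

# group_removal_ldif LDIF USER
# Emit ldapmodify input that deletes USER from every group listing it.
# The name is matched case-insensitively; the stored spelling is kept in
# the output so the delete matches the value held in the directory.
group_removal_ldif() {
    awk -v user="$2" 'BEGIN { RS = ""; FS = "\n"; user = tolower(user) }
    {
        dn = ""; vals = ""
        for (i = 1; i <= NF; i++) {
            low = tolower($i)
            if (low ~ /^dn: /) dn = substr($i, 5)
            else if (low == "memberuid: " user)
                vals = vals "memberUid: " substr($i, 12) "\n"
        }
        if (dn != "" && vals != "")
            printf "dn: %s\nchangetype: modify\ndelete: memberUid\n%s-\n\n", dn, vals
    }' "$1"
}

# Demo: the account "bill" was deleted, its memberships were left behind.
demo() {
    ldif=$(mktemp) || return 1
    cat > "$ldif" <<'EOF'
dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
memberUid: admin1
memberUid: bill

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 1001
memberUid: anna
memberUid: Bill

dn: uid=admin1,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: admin1

dn: uid=anna,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: anna
EOF
    echo "memberUid values with no account behind them:"
    orphan_members "$ldif"
    echo "ldapmodify input to clear them for user bill:"
    group_removal_ldif "$ldif" bill
    rm -f "$ldif"
}
demo
```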


Re: [Samba] Re: Samba does not change UNIX password after OpenLDAP server upgraded

2009-05-02 Thread Harry Jede
On Saturday, 2 May 2009 05:31, John Du wrote:
 David Markey wrote:
...
 My thanks to David and all who have responded to my questions.  I
 have identified where and what the problem is but I am not sure it is
 a Samba problem or OpenLDAP problem.

 I am trying to give you a clear picture.

 1. unix passwd sync works perfectly.

 I replaced ldap passwd sync = Yes with:

unix password sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
passwd chat = Changing UNIX password for*\nNew password* %n\n
 *Retype new password* %n\n

 No changes on the OpenLDAP side.  Users can change their Windows and
 LDAP password correctly all the time.

 2. ldap passwd sync = Yes does not change the LDAP password but it
 changes the Windows password OK.

2.1  OpenLDAP with some ACLs defined.

When the OpenLDAP server has some ACLs defined,   the samba server
 logs the following:

   2009/04/30 23:38:42, 2]
 passdb/pdb_ldap.c:ldapsam_modify_entry(1590) ldap password change
 requested, but LDAP server does not support it -- ignoring

   The LDAP password is not changed.

2.2 When no ACLs  are defined in slapd.conf.

[2009/04/30 23:43:03, 10]
 lib/smbldap.c:smbldap_extended_operation(1525) Extended operation
 failed with error: 80 (Internal (implementation specific) error)
 (password hash failed)
   [2009/04/30 23:43:03, 0]
 passdb/pdb_ldap.c:ldapsam_modify_entry(1651) ldapsam_modify_entry:
 LDAP Password could not be changed for user johndu: Internal
 (implementation specific) error
 password hash failed

 Hash is defined in slapd.conf as follows:

 password-hash {CRYPT}
 password-crypt-salt-format $1$%.2s
# if crypt, then with MD5
password-crypt-salt-format '$1$%.8s'

 The Windows user will get a the user name or old password is
 incorrect message in this case.

 The LDAP root DN is used all the time everywhere.

 I can mail the complete log files to you if they can help you to
 determine the cause of the problem.  There seems to be some
 compatibility issues between the LDAP server and the Samba server.
 Logically I think if the IDEALX tool works the samba server's
 internal LDAP functions should work as well.

 Let me know if you any further information from me.

 Wish you all to have a good weekend!

 John

-- 

Regards
Harry Jede


Re: [Samba] Samba ACL and Office 2007

2009-04-27 Thread Harry Jede
On Monday, 27 April 2009 15:33, David Vaz wrote:
 I am using samba 3.3.2-1 in a debian squeeze installation, using ext3
 with acl support.

 The problem I am experiencing is easy to replicate as I have tried it
 in different machines.

 In a given share, user A is the owner of the folder test, inside
 this folder there is a office file test.doc for example. User B
 has write privileges over file test.doc but not over test. When
 user B tries to save the office document (using office 2007) an
 error appears Access Denied. Contact your administrator.

 # file: test
 # owner: A
 # group: G
 user::rwx
 group::r-x
 other::---

 # file: test.doc
 # owner: A
 # group: G
 user::rwx
 user:B:rwx
 group::r-x
 mask::rwx
 other::---

 Notice that if the user copy the file to his desktop, modifies it and
 later overwrites the original there is no problem.
That's normal with Office 2007. Thanks to M$.

They create a NEW file, when the user saves the old one, delete the old 
one, then rename the new file to the old name.

So, your users are able to update files with office 2007, only when they 
have write permissions on the directory.

Search this list archive for a more detailed explanation.


 This error is similar in some ways to this
 https://bugzilla.samba.org/show_bug.cgi?id=6160, but i suppose now
 the lock over the folder.

-- 

Regards
Harry Jede


Re: [Samba] Re: pdbedit dosen't send the sambaSID to the ldap

2009-03-24 Thread Harry Jede
On Tuesday, 24 March 2009 12:56, LiPi - wrote:
 The question was exactly the same than the one that was in the link I
 wrote :p
 http://www.mail-archive.com/samba@lists.samba.org/msg99530.html


 But now, 1h later it's time to answer myself:

 If somebody needs to solve the mentioned problem, it only must be
 two things:

 apt-get install libnss-ldap libpam-ldap
 emacs /etc/ldap.conf and fill it with (according to their params):
Which version of Debian do you use? This setup is outdated for years.

Read the man pages and the docs for this two packages.


 --start ldap.conf
 host 127.0.0.1
 base dc=ctest
 uri ldap://127.0.0.1
 ldap_version 3
 rootbinddn cn=admin,dc=ctest
 port 389

 nss_base_passwd ou=Users,dc=ctest?one
 nss_base_passwd ou=Computers,dc=ctest?one
 nss_base_shadow ou=Users,dc=ctest?one
You really like to poll your shadow file over an unprotected network? 
Remember, it contains the passwords.
If you do this ONLY on the loopback network, it may be OK.

 nss_base_group  ou=Groups,dc=ctest?one
 --end ldap.conf

 and /etc/nsswitch.conf:
 --start nsswitch.conf
 passwd: compat ldap
 group:  compat ldap
 shadow: compat ldap

 hosts:  files dns
 networks:   files
 protocols:  db files
 services:   db files
 ethers: db files
 rpc:db files
 netgroup:   nis
 ---end nsswitch.conf

 Then, getent passwd and getent group must show ldap entries, and then
 joining to a domain and the creation of automatic machine samba
 accounts is well done.



 Thank you all!

-- 

Regards
Harry Jede


Re: [Samba] Something weird about pdbedit.

2009-03-12 Thread Harry Jede
On Thursday, 12 March 2009 11:15, BOURIAUD wrote:
 On Wednesday 11 March 2009 16:44:48 Harry Jede wrote:
  On Wednesday, 11 March 2009 15:38, BOURIAUD wrote:

 Hello again !

  You can only have ONE group with ONE gidNumber.
 
  BAD SETUP begin:
  dn: cn=cdti,ou=Group,BASEDN
  objectClass: posixGroup
  objectClass: top
  cn: cdti
  userPassword: {crypt}x
  gidNumber: 666
 
  Here is how the samba group is defined :
 
  dn: cn=CDTI,ou=Groups,BASEDN
  objectClass: top
  objectClass: posixGroup
  objectClass: sambaGroupMapping
  cn: CDTI
  description::
  Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm
   1hdGlvbg==
  sambaGroupType: 2
  memberUid: david
  gidNumber: 666
  sambaSID: S-1-5-21-215069222-2822928016-2390355089-666
  BAD SETUP end:
 
  Combine these in a way, that you have only one group with the name
  cdti.

 Thanks for your clear explanations. I see now where my mistake is and
 I'll try to correct them.
 There seems to be something somehow cloudy in my mind about all that.
 Since I'm working on a server that serves all our users, I can't
 afford to put it down or to break everything while people are
 working.
Hmmh...
this is not common practice. Almost all admins use test systems. Maybe 
some virtual systems.

 So, I just make few tries, and if it's wrong, I go back. 
 Here is what I've tried : I just changed CDTI gid from 666 to 10666.
 Since my account was linked to 666 group, I changed the value of my
 gidNumber to 10666. Everything went then fine according to pdbedit.
 No error occurred when I did a pdbedit -v on my username. But after
 that, I couldn't access files on the samba shares. I got a
 NT_STATUS_PERMISSION_DENIED.
Maybe you have a caching daemon like nscd on your system. If so, you 
must invalidate the group cache.
 nscd -i group
will do this normally.

  for example:
  delete cn=cdti,ou=Group,BASEDN
  and it may be fine.

 So, I then went back to the original settings, and as you suggested,
 deleted the cdti entry.
 With this setup, I have a group called CDTI, with gid 666 and
 sambaSID = SSID-666.
 My user has group gid set to 666. So this should be fine.
 But, once again when I try a pdbedit -v user, I get, among other
 things the following :

 lookup_global_sam_rid: looking up RID 666.
 smbldap_search_ext: base = [BASEDN], filter =
 [((sambaSID=S-1-5-21-215069222-2822928016-2390355089-666)
 (objectclass=sambaSamAccount))], scope = [2]
 ldapsam_getsampwsid: Unable to locate SID
 [S-1-5-21-215069222-2822928016-2390355089-666] count=0
 smbldap_search_ext: base = [ou=Groups,BASEDN], filter =
 [((objectClass=sambaGroupMapping)
 (sambaSID=S-1-5-21-215069222-2822928016-2390355089-666))], scope =
 [2] init_group_from_ldap: Entry found for group: 666
 lookup_rids: CDTI:2

 Is the Unable to locate SID normal ?
Yes, it is. Samba is searching for a user (objectclass=sambaSamAccount) 
with this rid.
So you see, you MUST also have unique RIDs. You cannot have a user and a 
group with identical SID/RID. This comes from the M$-World, I 
believe :-( .

 And why the hell does pdbedit find two rids for CDTI since I deleted
 all that refered to the group I deleted ?
Has samba really found 2 groups with the same RID, or has samba found 2 
groups with the same name, cdti and CDTI?

Try a ldapsearch:
ldapsearch -x -LLL -b BASEDN -s sub sambasid=*-666

ldapsearch -x -LLL -b BASEDN -s sub '(|(cn=cdti)(uid=cdti))' dn

By the way, ldap is case insensitive.

 There are so many things I don't understand about all this.
 If one can explain to me, that would be great. Thanks in advance for
 any help or any link to a comprehensive doc one would give me.
 I've read many a doc, but all the one I've read take it plain that
 the reader knows at least many things about how to setup a samba pdc
 controller with ldap, which is not my case.
I prefer to read the original documentation first. Even if it's more 
work.

 I really wish I hadn't any windows machine on my network, things
 would be easier for me.
No way, our users like this kind of programs :-( .

  You should not have different groups with the same name, even if
  one is in uppercase and the other in lowercase letters.

 I really thought that a lowercase and an uppercase name was not the
 same, thanks for this.
In reality it is surely not the same. But do all programs, tools and 
their developer know this? 

 And thanks again for your answer, I understand 
 things more clearly now, even if it's not perfect.

  Regards
  Harry Jede

-- 

Regards
Harry Jede


Re: [Samba] Something weird about pdbedit.

2009-03-11 Thread Harry Jede
On Wednesday, 11 March 2009 13:30, BOURIAUD wrote:
 On Wednesday 11 February 2009 10:39:10 BOURIAUD wrote:
  Hi !
  I'm running a samba domain controller under rhel 5. It's version
  3.0.33-3.7.el5.
  I've also installed a ldap server to store users and groups and so
  on. When I try a pdbedit -v david, I get the following :
 
  Unix username:david
  NT username:  david
  Account Flags:[U  ]
  User SID: S-1-5-21-215069222-2822928016-2390355089-1016
  Finding user david
  Trying _Get_Pwnam(), username as lowercase is david
  Get_Pwnam_internals did find user [david]!
  smbldap_search_ext: base = [ou=Groups,ou=ia27,dc=ac-rouen,dc=fr],
  filter = [((objectClass=sambaGroupMapping)(gidNumber=666))],
  scope = [2] init_group_from_ldap: Entry found for group: 666
  lookup_global_sam_rid: looking up RID 666.
  smbldap_search_ext: base = [ou=ia27,dc=ac-rouen,dc=fr], filter =
  [((sambaSID=S-1-5-21-215069222-2822928016-2390355089-666)
  (objectclass=sambaSamAccount))], scope = [2]
  ldapsam_getsampwsid: Unable to locate SID
  [S-1-5-21-215069222-2822928016-2390355089-666] count=0
  smbldap_search_ext: base = [ou=Groups,ou=ia27,dc=ac-rouen,dc=fr],
  filter = [((objectClass=sambaGroupMapping)
  (sambaSID=S-1-5-21-215069222-2822928016-2390355089-666))], scope =
  [2] init_group_from_ldap: Entry found for group: 666
  lookup_rids: CDTI:2
  Primary Group SID:S-1-5-21-215069222-2822928016-2390355089-666
  Full Name:david
 
  The weird thing is ldapsam_getsampwsid: Unable to locate SID
 
  I think I made a mistake when creating both unix groups and samba
  groups. Here is how the unix group is defined :
 
  dn: cn=cdti,ou=Group,BASEDN
  objectClass: posixGroup
  objectClass: top
  cn: cdti
  userPassword: {crypt}x
  gidNumber: 666
 
  Here is how the samba group is defined :
 
  dn: cn=CDTI,ou=Groups,BASEDN
  objectClass: top
  objectClass: posixGroup
  objectClass: sambaGroupMapping
  cn: CDTI
  description::
  Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm
   1hdGlvbg==
  sambaGroupType: 2
  memberUid: david
  gidNumber: 666
  sambaSID: S-1-5-21-215069222-2822928016-2390355089-666
 
  And here is what the user's definition :
 
  dn: uid=david,ou=SambaUsers,BASEDN
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: sambaSamAccount
  cn: david
  sn: david
  givenName: david
  uid: david
  uidNumber: 1016
  homeDirectory: /smbhome/users/david/samba
  loginShell: /bin/bash
  gecos: System User
  sambaLogonTime: 0
  sambaLogoffTime: 2147483647
  sambaKickoffTime: 2147483647
  sambaPwdCanChange: 0
  sambaPwdMustChange: 2147483647
  displayName: david
  sambaLogonScript: logon.bat
  sambaProfilePath: \\DOMAIN_SERVER\profiles\david
  sambaHomePath: \\DOMAIN_SERVER\david
  sambaHomeDrive: P:
  sambaLMPassword: PLOP
  sambaNTPassword: PLOP
  sambaPasswordHistory:
  00 00
  sambaPwdLastSet: 1228486572
  userPassword: {SSHA}PLOP
  sambaAcctFlags: [U  ]
  sambaSID: S-1-5-21-215069222-2822928016-2390355089-1016
  gidNumber: 666
  sambaPrimaryGroupSID: S-1-5-21-215069222-2822928016-2390355089-666
 
 
  Of course, I've obfuscated what I found that has not point with my
  problem !
 
  I think that the problem comes from the groups, both the unix one
  and the samba one, but I don't know how to fix it.
  If anyone could tell me what I could to to correct this, that would
  be great ! I hope I've given enough informations, but if you think
  I should give more, feel free to ask. I'd really like to get rid of
  this annoying message. Thanks in advance !

 UP ! Noone to help me with that ?
First things first: Read the f... manual

- you should not have 2 groups with the same gidNumber
- sambaLMPassword and sambaNTPassword do not hold the password in ascii, 
both must contain password hashes

Go back, and take some time to read the docs

-- 

Regards
Harry Jede


Re: [Samba] Something weird about pdbedit.

2009-03-11 Thread Harry Jede
On Wednesday, 11 March 2009 15:38, BOURIAUD wrote:
 On Wednesday 11 March 2009 14:51:25 Harry Jede wrote:

 Hello !
 First of all, thanks for your answer, even if it doesn't help much.

  First things first: Read the f... manual

 That's what I did, after I made my mistake.

  - you should not have 2 groups with the same gidNumber

 Forgive me if my question was not asked correctly. So I will try to
 make it clearer : which gid should I change then ? The one from the
 unix group or the one of the samba group ? Are there rules to do so
 (I mean reserved numbers, limits for the gid, things like this) ?
You can only have ONE group with ONE gidNumber.

BAD SETUP begin:
dn: cn=cdti,ou=Group,BASEDN
objectClass: posixGroup
objectClass: top
cn: cdti
userPassword: {crypt}x
gidNumber: 666

Here is how the samba group is defined :

dn: cn=CDTI,ou=Groups,BASEDN
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: CDTI
description:: 
Q2VudHJlIGTDqXBhcnRlbWVudGFsIGRlIHRyYWl0ZW1lbnQgZGUgbCdpbmZvcm
 1hdGlvbg==
sambaGroupType: 2
memberUid: david
gidNumber: 666
sambaSID: S-1-5-21-215069222-2822928016-2390355089-666
BAD SETUP end:

Combine these in a way, that you have only one group with the name cdti.

for example:
delete cn=cdti,ou=Group,BASEDN
and it may be fine.


You should not have different groups with the same name, even if one is 
in uppercase and the other in lowercase letters.

You should not have identical names in your LDAP database across the 
following fields: cn, uid and displayName for more than one record.


Example:
dn: uid=john,ou=...
uid=john
displayname=john

That is OK

##
dn: uid=john,ou=A,ou...
uid=john
displayname=john

dn: uid=john,ou=B,ou=...
uid=johnB
displayname=john

That's bad.

##
dn: uid=john,ou=A,ou...
uid=john
displayname=john

dn: cn=john,ou=groups,ou...
cn=john

That's also bad.





  - sambaLMPassword and sambaNTPassword do not hold the password in
  ascii, both must contain password hashes

 I hope you were joking. I said I obfuscated what had no point with
 the question, and password hashes were replaced with PLOP in my
 previous mail ;-)
Sorry,
I do not know PLOP.

  Go back, and take some time to read the docs

 That's what I keep doing, anyway.

 Thanks for your answer and have a nice day.

  --
 
  Regards
  Harry Jede

-- 

Regards
Harry Jede


Re: [Samba] samba 3.3.x vfs_acl_xattr support

2009-03-09 Thread Harry Jede
On Monday, 9 March 2009 03:12, John Drescher wrote:
  Starting with version 3.3.1, the source code package now contains a
  man page for vfs_acl_xattr:

 This is what I have on 3.3.1. To me this documentation seriously
 needs expanded.
It should be enough to add a SEE ALSO section.

 NAME
vfs_acl_xattr - Save NTFS-ACLs in Extended Attributes (EAs)

 SYNOPSIS
vfs objects = acl_xattr

 DESCRIPTION
This VFS module is part of the samba(7) suite.

The vfs_acl_xattr VFS module stores NTFS Access Control Lists
(ACLs) in Extended Attributes (EAs). This enables the full
 mapping of Windows ACLs on Samba servers.

The ACLs are stored in the Extended Attribute security.NTACL
 of a file or directory. This Attribute is not listed by getfattr -d
 filename. To show the current value, the name of the EA must be
 specified (e.g.  getfattr -n security.NTACL filename ).

Please note that this module is experimental!

This module is stackable.

 OPTIONS
There are no options for vfs_acl_xattr.

SEE ALSO
   getfattr(1),  setfattr(1),  attr_get(3),  attr_set(3),  attr_multi(3),
   attr_remove(3), attr(5), and xfsdump(8).

 AUTHOR
The original Samba software and related utilities were created
 by Andrew Tridgell. Samba is now developed by the Samba Team as an
 Open Source project similar to the way the Linux kernel is developed.


-- 

Gruss
Harry Jede


Re: [Samba] Extended ACL stealing ownership on 3.2.7

2009-02-06 Thread Harry Jede
Hi Gavin,

 Hi all,

 After setting permissions on a file. If anyone authorised to open the
 file writes to it, the ACL gets deleted and that person becomes the
 owner of the file and the group is reset to the default.
That may be OK, because some apps create a .tmp file before saving,
then delete the original file and last rename the .tmp file to the
original filename.

And what permissions have you set on the share?

 For example, 
 whenever a certain user opens and changes a file in the problem
 folder he becomes the owner and another gets kicked of the list:

 More clearly, lee was the last one to write to this spreadsheet:

 getfac example.xls
 # file: example.xls
 # owner: joe
 # group: testgroup
 user::rwx
 user:graham:r-x
 user:julia:r-x
 user:lee:rwx
 user:paul:r-x
 group::r--
 mask::rwx
 other::r--

 How do I keep rwx on all the additional users, as they all aren't
 part of the testgroup group.
Try this:

Create a group for the Users who should write to this directory:

name: mygroup
member: graham, julia, paul

!!! parent directory !!!:
# owner: root
# group: testgroup
user::rwx
group::r--
mask::rwx
other::r--
group:domainadmins:rwx
group:mygroup:rwx
default:user::rwx
default:group::r--
default:group:domainadmins:rwx
default:group:mygroup:rwx
default:mask::rwx
default:other::r--

And now create a file in this directory or share and check the effective 
rights from a Windows XP Client

I have not tested this setup. But I am sure you get the right 
direction. 

The acl entries beginning with default are the rights for newly created 
directories and files.

Avoid setting rights in the share definition, at least for testing this.



 Thanks.

-- 

Gruss
Harry Jede
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
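
How the default: entries in the reply above turn into the access ACL of a new file, as an added example that is not part of the original thread. It follows the inheritance rule in acl(5) and uses the parent-directory entries from the message; the two creation modes (0666 and 0600) are assumptions chosen to show what a program that saves through a temporary file may pass.

```python
# Parent directory ACL entries as posted in the message above (getfacl text form).
PARENT_ACL = """\
user::rwx
group::r--
mask::rwx
other::r--
group:domainadmins:rwx
group:mygroup:rwx
default:user::rwx
default:group::r--
default:group:domainadmins:rwx
default:group:mygroup:rwx
default:mask::rwx
default:other::r--
"""

def parse_acl(text):
    """Return (access, default) dicts mapping (tag, qualifier) to a set of 'rwx' letters."""
    access, default = {}, {}
    for line in text.split():
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = set(perms) - {"-"}
    return access, default

def inherit_for_new_file(default, mode):
    """Access ACL of a new file: the parent's default entries, with owner, mask
    and other reduced to the bits in the creating program's mode (acl(5))."""
    def bits(shift):
        return {c for c, b in zip("rwx", (4, 2, 1)) if (mode >> shift) & b}
    acl = {key: set(perms) for key, perms in default.items()}
    acl[("user", "")] &= bits(6)
    acl[("mask", "") if ("mask", "") in acl else ("group", "")] &= bits(3)
    acl[("other", "")] &= bits(0)
    return acl

def effective(acl, key):
    """Named users and every group entry are limited by the mask entry."""
    if key[0] in ("user", "other") and key[1] == "" or ("mask", "") not in acl:
        return acl[key]
    return acl[key] & acl[("mask", "")]

if __name__ == "__main__":
    _, default = parse_acl(PARENT_ACL)
    for mode in (0o666, 0o600):
        acl = inherit_for_new_file(default, mode)
        print(oct(mode), "mygroup:", "".join(sorted(effective(acl, ("group", "mygroup")))) or "---")
```

With mode 0600 the inherited mask becomes empty, so group:mygroup keeps its rwx entry but has no effective rights on the new file.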


Re: [Samba] mv errors.

2009-01-31 Thread Harry Jede
Am Samstag, 31. Januar 2009 03:06 schrieb Athunye:
 Günter Kukkukk-2 wrote:
  that's what i've expected.
  These cifs vfs bugs have been fixed in a later kernel release.
  I was able to test that on a (somewhat more recent kernel than
  yours) 2.6.22.18-0.2, which was shipped with cifs vfs version 1.49.
  The 'mv' and 'cp -p' problems are fixed in there.
 
  Btw - you can also expect cp -p errors, when ACLs are used and
  the remote samba server is exporting a share on a *file system*
  which does not support ACLs - or is not configured to do so.
   (e.g. ext3 can be mounted with the acl,user_xattr option).
  On the cifs client side one can use the cifs mount option noacl
  to disable acls.
 
  So i can only recommend to update the kernels on your linux
  clients. Good luck!  :-)

 We use Fluxbox with Rox-filer in the machines. I tried to install
 Gnome and with Nautilus it seems that the cp/mv warnings won't show
 up.

 I'll follow your tips about ACLs and mount options.
 I'm not sure whether I'm going to upgrade the kernel or not. (I'd
 have to upgrade Etch to Lenny.)
Try the etchnhalf Kernel 2.6.24+* first.

I believe this kernel is in etch-proposed-updates Repository

 Thanks a lot for your help, time and patience. (everyone)


 --
 View this message in context:
 http://www.nabble.com/mv-errors.-tp21712791p21759003.html Sent from
 the Samba - General mailing list archive at Nabble.com.

-- 

Gruss
Harry Jede


Re: [Samba] domain power users

2009-01-28 Thread Harry Jede
Am Mittwoch, 28. Januar 2009 23:45 schrieb charles:
 Hello:

 I have an nt domain comprised of a samba/openldap pdc with windows xp
 sp2 clients.
 *samba   3.0.28a-1
 slapd   2.4.9-0
 smbldap-tools   0.9.4-1
 Ubuntu 8.04 Server LTS
 Windows Xp SP2
 *

 I have two problems which I think are related.
 - using gpresult from an xp client on the domain, the user is not
 shown as being a Power Users, even with their primary group (-g)
 set to Power Users
 - I cannot add a local security group from the ldap server, I can't
 see any of the groups, I can see and add users however
 *dn: cn=Power Users,ou=Groups,dc=*,dc=bz
 objectClass: top,posixGroup,sambaGroupMapping
 cn: Power Users
 gidNumber: 547
 sambaGroupType: 5
Local groups must have
 sambaGroupType: 4

It is a bug in smbldap-tools. Search the archive for the patch, and edit 
your existing groups manually.

 displayName: Power Users
 sambaSID: S-1-5-32-547
 *

 I need the Power Users groups for Quickbooks. It would be useful if
 the Power Users privileges were inherited from the domain. I'd
 settle for adding the Domain Power Users group as a local security
 group.

 Thanks.

 --
 Charles Burrell

 Belmopan, Belize
 University of Belize Alma Mater

-- 

Gruss
Harry Jede


[Samba] winbind and samba 3.2.7

2009-01-15 Thread Harry Jede
/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p -a %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u

logon script = logon.bat
logon drive = L:
logon path = \\%L\Profiles\%U
logon home = \\%L\%U
domain logons = Yes
domain master = Yes
local master = yes
preferred master =yes
os level = 254
wins support = Yes
ldap admin dn = cn=admin,dc=schule,dc=xx
ldap delete dn = Yes
ldap machine suffix = ou=ARBEITSSTATIONEN,o=SCHULE
ldap passwd sync = Yes
ldap suffix = dc=schule,dc=xx
ldap user suffix = ou=SCHUELER,o=SCHULE
ldap group suffix = o=SCHULE
ldap machine suffix = ou=ARBEITSSTATIONEN,o=SCHULE
ldap debug level = 160
panic action = /usr/share/samba/panic-action %d
idmap domains = ALLE
idmap config ALLE:backend = ldap
idmap config ALLE:default = yes
idmap config ALLE:ldap_base_dn = ou=idmaps,o=SYSTEM,dc=schule,dc=xx
idmap config ALLE:ldap_url = ldap://localhost/
   winbind nested groups = yes
   winbind separator = /
template shell = /bin/bash
template homedir = /home/%g/%U
ea support = Yes
store dos attributes = Yes

-- 

Gruss
Harry Jede
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] samba / ldap problem with cpu load

2009-01-14 Thread Harry Jede
Am Freitag, 9. Januar 2009 23:57 schrieb franck molle:
 First of all, I am French. My English is not very good and I am sorry
 for this ;).

 One month ago, I upgraded my server to Debian Etch (it was on
 Debian Sarge). So now, samba is at version 3.0.24. My server uses
 samba and ldap.

 Since this upgrade, I have some problems with CPU load when the
 users log on to the samba domain (smbd and slapd services).

 I have taken a look at the samba log but I don't see anything. After that,
 I took a look at the ldap logs at debug level 256.

 I can see the problem in the logs but I can't explain it; I hope you
 can help me with it.
 In the log file, I have this entry thousands of times (2 entries)
 base=ou=Groups,ou=clg-hugo-gisors,ou=ac-rouen,ou=education,o=gouv,c=fr scope=2 deref=0
 filter=((objectClass=sambaGroupMapping)(gidNumber=0))
Reconfigure the package libnss-ldap, so that libnss uses an anonymous 
bind.

Or manually disable the rootdn statement in /etc/libnss-ldap.conf and 
restart nscd.

Maybe, you must invalidate the cache with
nscd -i group
nscd -i passwd

 thanks for your help, bye

 --
 ~~
   Franck MOLLE
   Animateur de Secteur
   Relais assistance Tice, Louviers-Vernon
 ~~

-- 

Gruss
Harry Jede


[Samba] Problems with Privileges

2008-12-31 Thread Harry Jede
Hi all,
I am using samba 3.2.6 on Debian lenny

I can create users and groups with the UserManager for NT. It is also possible to 
add users to groups.

But if I then try to open the group again with the UserManager for NT, I get an 
ACCESS DENIED ERROR.


However the user has all rights, which I am able to set:
 net rpc rights list ytom
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege

 tail -f /var/log/samba/log.ytom

[2008/12/31 17:42:54,  2] rpc_server/srv_samr_nt.c:_samr_LookupDomain(3571)
  Returning domain sid for domain SCHULE - S-1-5-21-2462391502-1360153102-2655098952

[2008/12/31 17:42:54,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 9018
[2008/12/31 17:42:54,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 9018
[2008/12/31 17:42:54,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 9018

[2008/12/31 17:42:55,  2] rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr__LookupRids: ACCESS DENIED (granted: 0x000d067a;  required: 0x0100)


cat /etc/samba/smb.conf
[global]
unix charset = LOCALE
workgroup = SCHULE
netbios name = SERVER-1
server string = %h server
interfaces = 192.168.231.48/24, 127.0.0.1/8
bind interfaces only = Yes
security = user
name resolve order = wins bcast host
passdb backend = ldapsam
lanman auth = Yes
syslog = 0
max log size = 1000
log level = 2
log file = /var/log/samba/log.%m
log file = /var/log/samba/log.%U

add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p -a %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u

logon script = logon.bat
logon drive = L:
logon path = \\%L\Profiles\%U
logon home = \\%L\%U
domain logons = Yes
domain master = Yes
local master = yes
preferred master =yes
os level = 254
wins support = Yes
ldap admin dn = cn=admin,dc=schule,dc=xx
ldap delete dn = Yes
ldap machine suffix = ou=ARBEITSSTATIONEN,o=SCHULE
ldap passwd sync = Yes
ldap suffix = dc=schule,dc=xx
ldap debug level = 160
panic action = /usr/share/samba/panic-action %d
template shell = /bin/bash
template homedir = /home/%g/%U
ea support = Yes
store dos attributes = Yes
[IPC$]
  path = /var/log/samba/tmp
[homes]
comment = Home Directories
read only = No
create mask = 0755
browseable = No
[Profiles]
path = /home/samba/Profiles
create mask = 0600
directory mask = 0700
nt acl support = no
read only = no
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
admin users = @domainadmins
guest ok = Yes
read only = Yes

-- 

Gruss
Harry Jede


[Samba] Nested Groups

2008-12-25 Thread Harry Jede
Hi all,
I'm not able to create localgroups as described 
in docs/man/Samba-HOWTO-Collection/groupmapping.html

I have tested Samba 3.2.5 and 3.2.6 on Debian lenny.
As usual I am using openldap as backend.


First I have tested with smbldap-tools, then I have switched to 
ldapsam:editposix = yes
ldapsam:trusted = yes
and removed all the script entries from smb.conf.

The result is always the same:

Localgroups are created with:
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaGroupType: 4

Globalgroups are created with:

objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2

The very ugly result is, that getent is not able to resolve any local 
group, as stated in groupmapping.html.


A solution may be that the code that creates the localgroups shares the 
code which creates global groups ???

Any Ideas?



PS

Even if I manually create a localgroup with the objectclasses from 
rfc2307, like so:

objectClass: top
objectClass: sambaSidEntry
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: extensibleObject
cn: ab38
gidNumber: 6005
sambaSID: S-1-5-21-2462391502-1360153102-2655098952-5080
sambaGroupType: 4
displayName: ab38
memberUid: domadmins
sambaSIDList: S-1-5-21-2462391502-1360153102-2655098952-512

the result is the same. 
  net rpc group members
will list all members of nested groups, getent will not :-(

if I switch sambaGroupType to 2, both will work 

-- 

Gruss
Harry Jede


Re: [Samba] Nested Groups

2008-12-25 Thread Harry Jede
Am Donnerstag, 25. Dezember 2008 19:19 schrieb Harry Jede:
Sorry for this mistake:
 if I switch sambaGroupType to 2, both will work
both will NOT work

-- 

Gruss
Harry Jede