[Samba] ANNOUNCE: cifs-utils release 6.2 ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Again, nothing earth-shattering in this release. Mostly some minor
bugfixes and cleanups. Some highlights:

- - setcifsacl can now work without a plugin

- - systemd-ask-password is found using $PATH now

- - cifs.upcall now works with KEYRING: credcaches 

Go forth and download!

webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 6.2:

commit 8919d8c6437aabb69a53c251e8ff6a8163ca227b
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jul 8 09:06:46 2013 -0400

autoconf: set version to 6.1.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 9fd9f71afc8a849df97973764227d6a13f2768f3
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jul 8 09:08:01 2013 -0400

manpage: fix nouser_xattr description

The manpage erroneously states that nouser_xattr is the default, when
it's actually the reverse.

Reported-by: Dome do...@tiscali.it
Signed-off-by: Jeff Layton jlay...@samba.org

commit fe230e5ecaed98d3bb70292b60d44c3c7c47c720
Author: Jeff Layton jlay...@samba.org
Date:   Thu Jul 18 10:08:27 2013 -0400

setcifsacl: add fallback for when plugin can't be loaded

Allow setcifsacl to function even in the case where the plugin can't
be initialized. ID mapping of course won't work, but we can still allow
it to accept raw SID strings.

Signed-off-by: Jeff Layton jlay...@samba.org

commit e18d42adddbea9178d93b6051132f9cdee4cc9e0
Author: Jeff Layton jlay...@samba.org
Date:   Thu Jul 18 10:14:21 2013 -0400

cifs-utils: fix some sparse warnings

Signed-off-by: Jeff Layton jlay...@samba.org

commit 3ec619fce9abaa37edd4540840913682d48c5359

Fixes: https://bugzilla.samba.org/show_bug.cgi?id=10054
Signed-off-by: Michał Górny mgo...@gentoo.org

commit 92262eafa12b4e11fca1d6f3647cfdeff2f4281c
Author: Steve French smfre...@gmail.com
Date:   Mon Sep 9 09:55:46 2013 -0500

autoconf: add another suggested package name for krb5 headers

Added an alternate package name for krb5 headers.

Noticed the following suggestion asks for the wrong package (at least
wrong for FC17)

checking krb5.h presence... no
checking for krb5.h... no
checking krb5/krb5.h usability... no
checking krb5/krb5.h presence... no
checking for krb5/krb5.h... no
configure: WARNING: krb5.h not found, consider installing
krb5-libs-devel. Disabling cifs.upcall.

[sfrench@w500smf cifs-utils]$ sudo yum install krb5-libs-devel
Loaded plugins: langpacks, presto, refresh-packagekit
No package krb5-libs-devel available.
Error: Nothing to do
[sfrench@w500smf cifs-utils]$ sudo yum install krb5-devel

(installing krb5-devel worked, but not krb5-libs-devel for this version)

Signed-off-by: Steve French smfre...@gmail.com

commit f03c51c5169fdf9431afd1f30f372531a6be
Author: Jeff Layton jlay...@samba.org
Date:   Tue Sep 17 11:39:13 2013 -0400

cifs.upcall: try to use default credcache if we didn't find one

Fedora is in the process of moving to KEYRING: credcaches which are not
currently handled by cifs.upcall. We could try to detect when they're in
use, but it's simpler and more robust to just try to use the default
credcache whenever we don't find a FILE: or DIR: cache.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 2f832e350ec472ea974c82133734c640bc02e869
Author: Jeff Layton jlay...@samba.org
Date:   Fri Oct 4 07:12:32 2013 -0400

autoconf: update configure.ac a'la autoupdate

Signed-off-by: Jeff Layton jlay...@samba.org

commit 1ad2f127b150b32325b9858639f5f4f2ae949f82
Author: Jeff Layton jlay...@samba.org
Date:   Fri Oct 4 06:56:41 2013 -0400

autoconf: set version to 6.2

Signed-off-by: Jeff Layton jlay...@samba.org

- -- 
Jeff Layton jlay...@samba.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)

iQIcBAEBAgAGBQJSTqn0AAoJEAAOaEEZVoIVgZcQANHmJUU6kQisv4KaDHf6T1VW
YeFJEEFuoa3mvYil3k/lKJxuZV/KVnpEtjCK5Q52UWWxF/TBmK5S1VXOAGXiq/O8
589ip/XTqWe8dJgqrNN4mn6/sI481ADmWdPi6RRQ5knJV5+I00RvrSdW3MNSNMnC
cMD9+oFoaJwLcZB9+5Ep94U891HzB0VIh0LuxWfYYjziOoKVel51L3V4N8ZBCEAD
0wDs4XxuGqX0Cdk+qhy4s+7Pa0yMckzwvmAmEC8z6SgJPBQNuayD4FGjnYY2E4KO
iTVvcBdXIhl2FGyPh4Rwra4Dqn1WVQ6fdFFvl1ByAO2HwFTg/C605f1eFO8pJtQl
IIGL5UMXGmYgTlbwpCIwkwLQ9AHBrW2USQRjWOBliMrC7UDkCPYSYfgKbdWZ8TEj
ZYDg2h+Yr8o7LN0B6znKrMV+5OjlK2ajoTDn5K4u/FtsvMbD+9ufgJ393ilhHcBl
5Hhl+zhqsv+vj19kWWdWmV+bzs2GcbqOTaAqV85IzInrsToFsEyUYmDRvzCdafxg
WoRj39FFQEC6CgwC/9RJHFzWLDTHXZYpjA2eB3lRQ6tP7dpCTomOjWaUwdAxfFTQ
OVZY18Wk3K4CJyKyV1xSD9vKHXDdJQDT2UysM6a0f8y6p4ItuodkwOYHd0lz4y6B
GAT2slbEkY8N6VYOOPDE
=m1ow
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions

Re: [Samba] Speed differences for windows clients

[Jeff Layton]

On Mon, 12 Aug 2013 10:00:18 +0200
Philipp Lies philipp.l...@cin.uni-tuebingen.de wrote:

 Hi,
 
 we have a strange phenomenon with the transfer speed between windows 
 clients and samba servers. Here's the setup:
 
 server 1: centos 6.3 with samba 3.5.10
 server 2: centos 6.4 with samba 3.6.9
 both servers are configured as BDC and have - aside from netbios name - 
 identical smb.conf which contains ldapsam as backend and all other 
 parameters are not set (i.e. default)
 
 When I mount a share from a linux client, the transfer speed is 
 ~112MB/sec to either server from any linux client. However, when I mount 
 a share from Windows clients, the speed to server 1 is ~95MB/s and to 
 server 2 ~85MB/s. We tested this with several windows clients (all 
 running Windows 7 with all updates).
 
 The speed difference between linux client and windows client is not 
 what's confusing me but that server 2 is always slower than server 1.
 
 Any ideas what could cause this?
 
 Philipp


The speed difference between Linux and Windows clients is most likely
explained by the fact that Linux clients will almost always negotiate
POSIX extensions with the server. At that point, they're allowed to
bump up the rsize/wsize values to much larger values. Newer kernels
will default to 1M for both. That greatly increases throughput.

As far as the difference between the two servers from windows clients,
it'll be difficult to be sure without doing some more legwork to track
down the cause.

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[SCM] Samba Website Repository - branch master updated

[Jeff Layton]

The branch, master has been updated
   via  2388470 Update team page listing for Jeff Layton
  from  5f760ab Announce Samba 4.1.0rc2.

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -
commit 2388470d2fbe940fe36f5521d35e2ebc5cd37880
Author: Jeff Layton jlay...@redhat.com
Date:   Fri Aug 9 09:57:11 2013 -0400

Update team page listing for Jeff Layton

Signed-off-by: Jeff Layton jlay...@redhat.com

---

Summary of changes:
 team/index.html |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/team/index.html b/team/index.html
index ee7634d..fe7d443 100755
--- a/team/index.html
+++ b/team/index.html
@@ -66,7 +66,7 @@ mailing list/a and start contributing to the development of 
Samba./p
 lia href=http://www.j3e.de/;Bjouml;rn Jacke/a/li
 lia href=mailto:mkap...@samba.org;Marc Kaplan/a/li
 lia href=mailto:ku...@samba.org;Guuml;nter Kukkukk/a/li
-lia href=mailto:jlay...@samba.org;Jeff Layton/a/li
+lia href=http://www.samba.org/~jlayton/jlayton_resume.html;Jeff 
Layton/a/li
 lia href=mailto:vlen...@samba.org;Volker Lendecke/a/li
 lia href=mailto:h...@samba.org;Herb Lewis/a/li
 /ul


-- 
Samba Website Repository

[Samba] ANNOUNCE: cifs-utils release 6.0 ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

It has been a few months since the last cifs-utils release. There
hasn't been much activity, but there are a few bugfixes that we ought
to get into a release.

So, nothing much earth-shattering here, mostly just bugfixes and
documentation updates. With this release too, support for NFS-style
devicenames has now been removed (as previously announced via a warning
at mount time):

Go forth and download!

webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.9:

commit 9c988b1e39c5abe88e795bb3fb9285ee6c4b80fc
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jan 7 10:23:09 2013 -0500

autoconf: set release to 5.9.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 739289ad3ce915e1ee2705ecd7ac4e907cd91405
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jan 7 10:25:30 2013 -0500

cifsidmap: clean up comments on API description

...typo and grammatical fixes, mostly.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 1a01f7c4b90695211d12291d7a24bec05b1f2922
Author: Jeff Layton jlay...@samba.org
Date:   Sat Jan 12 22:02:01 2013 -0500

mount.cifs: set parsed_info-got_user when a cred file supplies a username

commit 85d18a1ed introduced a regression when using a credentials file.
It set the username in the parsed mount info properly, but didn't set
the got_user flag in it.

Also, fix an incorrect strlcpy length specifier in open_cred_file.

Reported-by: Mantas M. graw...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit fba9d20495719f3fa323401b087ebef60a0d
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jan 28 21:38:12 2013 -0500

setcifsacl: fix infinite loop in getnumcaces

Jian pointed out that this loop can cycle infinitely when the string
contains a ','.

Also, fix typo in manpage that shows a trailing ',' in one example.

Reported-by: Jian Li ji...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 653a6c66312382da381a2d44f8018d3222cadbdf
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jan 29 07:08:48 2013 -0500

setcifsacl: fix offset calculation in set code

Previously the code assumed that the ACE that was copied was of a
fixed size. Save off the return value from copy_ace and ensure that
we apply it correctly to the size and offset.

Reported-by: Jian Li ji...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit d1d96fafe50b04395ff3ee4590777452e6612e02
Author: Jeff Layton jlay...@samba.org
Date:   Fri Feb 1 12:41:57 2013 -0500

cifs-utils: add autoconf test to make sure that libwbclient is usable

The idmapwb plugin requires a usable wbcSidsToUnixIds() function. Check
to ensure that the wbclient library provides that symbol, and handle
it appropriately if it doesn't.

If someone were so inclined they probably could fix idmapwb to fall
back to the older mapping functions if that symbol doesn't exist,
but for now this patch just makes it refuse to build the plugin.

Reported-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 257c119e79feee8f4aed38b54bd1f8bbe5b5f3b9
Author: Jeff Layton jlay...@samba.org
Date:   Sat Mar 16 21:28:18 2013 -0400

manpage: document the mount.cifs vers= option

Thanks to Tom Talpey for clarifying some of the info here.

Cc: Tom Talpey ttal...@microsoft.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit fa6c3ca6e032ff6cb0caba97b46bfc1cffc401b5
Author: Jeff Layton jlay...@samba.org
Date:   Tue Mar 19 11:00:49 2013 -0400

manpage: better document the default sec= mount option

The default changed in mainline kernel v3.8.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 8ef14ea81773310a439a70e419f33dcc1c76f1eb
Author: Jeff Layton jlay...@samba.org
Date:   Fri Mar 22 06:43:46 2013 -0400

mount.cifs: remove support for NFS syntax

...as promised for version 6.0.

Cc: Scott Lovenberg scott.lovenb...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 00cb36de848a52a5aaa510a46a5bdd40a7417692
Author: Jeff Layton jlay...@samba.org
Date:   Fri Mar 22 06:18:19 2013 -0400

autoconf: set version to 6.0

Signed-off-by: Jeff Layton jlay...@samba.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.19 (GNU/Linux)

iQIcBAEBAgAGBQJRUGhDAAoJEAAOaEEZVoIVD5cQAMfcS6HdSP0ll5xqEekNwpCm
VMU6Kh9sIDGIAk3IQ/mYe94uZ69qldBv/BQsj5SmeGhAIvYngLUNf3y2d78m6pIM
ldHojLcUSZgwaJu1tE5VN6XoukS3PrhIq55cHopW/5+ty0a3XYvVLab7xPqgECpP
0nZpv5Lo0yW9gKVM9qbk9zlY9zsztBjTA9dgdq/TAgfAasdSaZO70Gi0Fje8fJwF
Qxj+oKZmIhT+sfJkcRzAnfsuQENFPZyM5mqD7+53MlZLBPNFY/x6GL5oG5BPUwBJ

Re: [Samba] smbclient using smb2 protocol linux-2-linux share

[Jeff Layton]

On Sat, 16 Mar 2013 09:21:53 -0700
Jeremy Allison j...@samba.org wrote:

 On Wed, Feb 06, 2013 at 01:41:56PM -0800, rmarquez wrote:
  Trying to get a linux samba file server using samba 4.0.3 (compiled on the
  machine) running on ubuntu 3.8rc6 kernel to share out and negotiate with a
  linux client running the same kernel and smbd compiled from 4.0.3 samba
  source. 
  Using wireshark to view the negotiations, I only see NT LM 0.12 (SMB v. 1).
  
  Tried forcing the file server via min protocol = SMB2 in the
  /usr/local/samba/etc/smb.conf and keep getting this error:
  mount error(95): Operation not supported
  I try to mount that share in Windows 7 and it works, even negotiates at
  SMB2.1.
  
  How can I get a linux client to mount a linux samba share using protocol
  SMB2.1?
 
 This is not yet supported in CIFSFS although the Team is working
 on it.
 
 It's also not supported in smbclient either, again it's something
 we're working on (we have all the underlying plumbing for this).
 

Mounting with cifs.ko should work in current mainline kernels (3.8 and
up?), but it's still pretty new and some things may not work exactly
right. Try mounting with -o vers=2.1.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Logging denied connections from outside LAN

[Jeff Boyce]

Greetings -

I have an interesting issue that I am trying to understand.  This may not be 
a direct Samba related issue, but the results of the issue are showing up in 
the Samba log, so I thought I would start here.  Please direct me elsewhere 
if there is a better forum for this question.  I have spent some time 
Googling and have a small understanding of what is going on, but now my 
Google-fu is exhausted and I still don't have a complete understanding of 
the issue and whether I need to make some configuration changes in my 
network.


Issue:
I am seeing in my samba log file denied connections from IP addresses that 
are outside my network.  Since I believe that I have my network firewalled 
and access adequately restricted from outside, I am trying to understand how 
the access attempts are only showing up in my Samba logs.


/var/log/samba/samba.log
[2013/01/22 21:24:34.477896,  0] lib/util_sock.c:1514(matchname)
 matchname: host name/address mismatch: :::14.132.17.44 != 
14-132-17-44.aichiwest1.commufa.jp

[2013/01/22 21:24:34.479447,  0] lib/util_sock.c:1635(get_peer_name)
 Matchname failed on 14-132-17-44.aichiwest1.commufa.jp :::14.132.17.44
[2013/01/22 21:24:34.479723,  0] lib/access.c:413(check_access)
 Denied connection from UNKNOWN (:::14.132.17.44)
[2013/01/22 21:24:34.479961,  1] smbd/process.c:2299(smbd_process)
 Connection denied from :::14.132.17.44

Logwatch
- samba Begin  
Connections Denied:

smbd/process.c:2299(smbd_process) :::109.72.49.42 : 1 Time(s)
smbd/process.c:2299(smbd_process) :::111.254.232.135 : 1 Time(s)
smbd/process.c:2299(smbd_process) :::114.46.201.200 : 1 Time(s)
smbd/process.c:2299(smbd_process) :::121.67.7.193 : 1 Time(s)
smbd/process.c:2299(smbd_process) :::121.67.7.200 : 1 Time(s)
smbd/process.c:2299(smbd_process) :::124.11.241.39 : 1 Time(s)
smbd/process.c:2299(smbd_process) :::14.132.17.44 : 1 Time(s)
-- samba End - 


Background  Network Information:
1.  The server in which Samba is running (a KVM guest, CentOS 6) does have a 
public IP address.
2.  The firewall rules on this server has ports open for SSH, OpenVPN, 
Webmin, and Samba.  The bottom rule on the input chain deny's all.
3.  On the Server: HostDeny = all, and HostAllow = 192.168.112 (internal 
lan), 10.9.8. (OpenVPN lan), and loopback

4.  Samba config: hosts allow = 127. 192.168.112. 10.9.8.

What I think I understand at this point:
1.  Google research indicates that the Host Name/Address mismatch portion of 
the log file refers to IPV6 name resolution not working.  There are some 
suggestions for fixing that, but it isn't really the issue I am trying to 
understand.
2.  The firewall may not be denying access to Samba because the Samba ports 
are open to make Samba available over our remote access.


What I don't understand:
1.  If the Server OS configuration is restricting access to only the 
internal lan addresses and the OpenVPN lan addresses, then how are the 
access attempts from external addresses getting to Samba where they are 
being logged.


If someone can give me some insight as to what is going on here I would 
appreciate it.  Then I can figure out what I might need to change in my 
network or server.  Thanks.


Also, I am only receiving the Daily Digest of the mailing list, so would 
appreciate any responses CC'ing me directly also.


Jeff Boyce
Meridian Environmental
www.meridianenv.com 


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 5.9 ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

With the merge of the new plugin interface, it's probably a good time
for a new cifs-utils release. Distro packagers should take special note
of the changes with the new plugin interface since it has implications
for how the tools are packaged. In particular, it's necessary to set a
symlink to the plugin in the correct location
(/etc/cifs-utils/idmap-plugin by default).

Here are the main highlights:

* There is a new plugin architecture for the ID mapping tools. This
  encapsulates the winbind interfaces inside a plugin and allows the
  writing of others.

* The DOMAIN\username@password format for username= arguments have been
  deprecated. The discrete mount options for each of those values
  should be used instead.

* Full RELRO (vs. partial) is now enabled on all binaries by default

Go forth and download!

webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.8:

commit 92e12ecc28ac1a41eb48f693837be0ba070dc8af
Author: Jeff Layton jlay...@samba.org
Date:   Thu Nov 15 15:22:13 2012 -0500

autoconf: set version to 5.8.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 8b6e0cc242fc62436b0dd073e393bbdd62f39a83
Author: Jeff Layton jlay...@samba.org
Date:   Sun Nov 18 20:38:38 2012 -0500

mount.cifs: treat uid=,gid=,cruid= options as name before assuming they're 
a number

Sergio Conrad reported a problem trying to set up an autofs map to do
a krb5 mount. In his environment, many users have usernames that are
comprised entirely of numbers. While that's a bit odd, POSIX apparently
allows for it.

The current code assumes that when a numeric argument is passed to one
of the above options, that it's a uid or gid. Instead, try to treat the
argument as a user or group name first, and only try to treat it as a
number if that fails.

Signed-off-by: Jeff Layton jlay...@samba.org

commit de299f69392c18dc71d207482566f38abc909837
Author: Jeff Layton jlay...@samba.org
Date:   Wed Nov 28 15:17:44 2012 -0500

mount.cifs: don't pass flag options to the kernel

When certain options are passed to the mount helper, we want to turn
them into mountflags for the mount() syscall. There's no need to copy
them to the options string in that case though.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 7e3149fe1529f0043f4fdf60082ea359ae8d656f
Author: Jeff Layton jlay...@samba.org
Date:   Mon Dec 3 11:03:19 2012 -0500

autotools: remove unnecessary files from distro

Having them in the distro prevents autoreconf -i from installing the latest
copies.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 7dacd96a24edf9ab2e3d7ed798bd28bba5425349
Author: Jeff Layton jlay...@samba.org
Date:   Mon Dec 3 13:41:12 2012 -0500

getcifsacl: use size instead of reconverting original field to host endian

Signed-off-by: Jeff Layton jlay...@samba.org

commit c1fd5753a3f996203e4b39158e360f4b799a3254
Author: Jeff Layton jlay...@samba.org
Date:   Tue Dec 4 06:12:13 2012 -0500

getcifsacl: free strings returned by wbcLookupSid

Signed-off-by: Jeff Layton jlay...@samba.org

commit bacbbf7c0994bdeaf49234abd07d840673d37e95
Author: Jeff Layton jlay...@samba.org
Date:   Tue Dec 4 06:21:06 2012 -0500

getcifsacl: ensure that we don't overrun the wbcDomainSid when converting

If we get a SID that contains more than 15 subauthorities, we'll end up
overrunning the struct wbcDomainSid. Just ignore any past 15.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 2584e62c06dbea59bbd6a001040d7780959c8358
Author: Jeff Layton jlay...@samba.org
Date:   Thu Dec 6 06:45:57 2012 -0500

autoconf: enable full RELRO in cifs-utils binaries

This is safer since it also protects the GOT from getting clobbered.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 53894f4e2cb4d15fedf0612e9a4bd47a537284b3
Author: Jeff Layton jlay...@samba.org
Date:   Thu Dec 6 07:17:17 2012 -0500

cifs-utils: only link in -lrt to binaries that need it

...which is really only mount.cifs.

Cc:  Björn Jacke b...@sernet.de
Signed-off-by: Jeff Layton jlay...@samba.org

commit fac79a1425a1474f0daf0795900d227307ec5db3
Author: Jeff Layton jlay...@samba.org
Date:   Fri Dec 7 08:39:16 2012 -0500

getcifsacl: remove unneeded openlog() call

getcifsacl doesn't log to syslog, so there's no need to open a channel
to it. Also, remove the unneeded prog global variable since only
the usage() function needs it.

Signed-off-by: Jeff Layton jlay...@samba.org

commit b4dc50798e6baf026d6101ff3775ffc0c3a0e2f2
Author: Jeff Layton jlay...@samba.org
Date:   Fri Dec 7 12:07:23 2012 -0500

setcifsacl

[Samba] ANNOUNCE: cifs-utils release 5.8 is ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Time for another cifs-utils release!

Most of the patches in this release are for cifs.idmap, getcifsacl and
setcifsacl. There were many bugs in those tools, so anyone that's
deploying or using them is highly encouraged to upgrade.

Highlights:

* NFS-style device names are being deprecated in 6.0. Anyone using that
  sort of device name should move to the UNC-style syntax that the manpage
  has always documented.

* Many bugs in cifs.idmap, getcifsacl and setcifsacl have been fixed.
  These tools should also be more efficient now and work correctly on
  big-endian architectures.

webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.8:

commit 819018e34696b0fb9bf1b386304b5dce39ae0e6d
Author: Jeff Layton jlay...@samba.org
Date:   Fri Oct 12 13:28:37 2012 -0400

autoconf: set release to 5.7.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 679fbebb5a656b4eb1a8988fb0d8697a5f919794
Author: Scott Lovenberg scott.lovenb...@gmail.com
Date:   Tue Oct 23 15:37:03 2012 -0400

mount.cifs: add warning that NFS syntax is deprecated and will be
removed in cifs-utils-6.0.

[jlayton: Added newline to end of warning]
Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com

commit 60bca663f94e27436ed1afe1e673a8afa3342e1d
Author: Jeff Layton jlay...@samba.org
Date:   Mon Oct 29 15:45:37 2012 -0400

cifs.idmap: make sure cifsacl structs are packed

The kernel equivalent definitions are defined with
__attribute__((packed)), and the code seems to assume the userspace and
kernel ones will be properly aligned. Fix the userspace definitions in a
similar fashion.

Given the way these structs are, there is probably not any padding
between fields on most arches, but it's best to be safe here.

Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 1a0523fbc469e34560bec0f06ce4622bb7db7b04
Author: Jeff Layton jlay...@samba.org
Date:   Mon Oct 29 15:45:37 2012 -0400

cifs.idmap: get rid of useless strcmp prior to idmapping

The code copies off the key description and then ensures that it's
prefixed with cifs.idmap. What's the point of that?

Presumably request-key would never have called this otherwise. There's
little harm in going ahead and doing the idmapping if this is called
with the wrong string.

Also, the error handling here is wrong. If the prefix doesn't match
the code will exit 0 without doing any mapping. Just remove it.

Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit d9b876bc5b047682854123aed082c1004b995b69
Author: Jeff Layton jlay...@samba.org
Date:   Mon Oct 29 15:45:37 2012 -0400

cifs.idmap: add an options struct to handle long options

...since the manpage advertises them.

Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 035f69a9b5fe3c72df73bbbda2d7e570891f971e
Author: Jeff Layton jlay...@samba.org
Date:   Mon Oct 29 15:45:37 2012 -0400

cifs.idmap: clean up strget and avoid memory allocation

Don't do a strlen() call if strstr() isn't going to match anyway.

There's no need to duplicate the string here. None of the callers modify
it, so just return a pointer into the original string.

Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 803feff6aa66c0bb0f0a703eb2404477889a56d5
Author: Jeff Layton jlay...@samba.org
Date:   Mon Oct 29 15:45:37 2012 -0400

cifs.idmap: don't use atoi to convert unsigned int to number

atoi() is for signed integers, and is deprecated in any case. Use
strtoul() instead and check the result carefully before using it.

Also add a log message when the string(s) can't be converted and
fix the signedness of the types in other log messages.

Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 0454be8978815b90baae7652b0717d0c0696e295
Author: Jeff Layton jlay...@samba.org
Date:   Mon Oct 29 15:45:37 2012 -0400

cifs.idmap: set a timeout on keys that it instantiates

...and add a command-line option to allow the admin to tune that value.
I think this is a better way to handle this instead of trying to set the
timeouts in kernel space.

Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit c49a6767051979368eea1087c9724a2c2994bd56
Author: Jeff Layton jlay...@samba.org
Date:   Mon Oct 29 15:45:37 2012

Re: [Samba] Scenario with CIFS

[Jeff Layton]

On Mon, 29 Oct 2012 22:13:34 +
Alumno Etsii todos.somos...@gmail.com wrote:

 Hi all!
 
 I'm trying to get samba working with CIFS, mounting a share on a client and
 keeping the original file/dir permissions. The problem is that after I
 (successfully) mount that share by CIFS, I can't write anything in it,
 because I get a 'Permission denied' error. smbd version is 6.3.6.
 
 My testparm is:
 
 root@samba:~# testparm
 Load smb config files from /etc/samba/smb.conf
 rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
 Processing section [shared]
 Loaded services file OK.
 Server role: ROLE_STANDALONE
 Press enter to see a dump of your service definitions
 
 [global]
 workgroup = SMB
 server string = %h server (Samba, Ubuntu)
 map to guest = Bad User
 obey pam restrictions = Yes
 pam password change = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n
 *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 unix password sync = Yes
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1000
 load printers = No
 printcap name = /dev/null
 disable spoolss = Yes
 show add printer wizard = No
 dns proxy = No
 panic action = /usr/share/samba/panic-action %d
 idmap config * : backend = tdb
 hosts allow = 127.0.0.1, 192.168.0.
 hosts deny = 0.0.0.0/0
 printing = bsd
 print command = lpr -r -P'%p' %s
 lpq command = lpq -P'%p'
 lprm command = lprm -P'%p' %j
 
 [shared]
 comment = Shared documents
 path = /shared
 valid users = myuser
 admin users = admin
 read only = No
 create mask = 0700
 force create mode = 0700
 directory mask = 0700
 browseable = No
 
 ///
 
 Mounting command is:
 # mount -t cifs //192.168.0.99/shared ./mount -o
 uid=localuser,gid=localuser,iocharset=utf8,credentials=/tmp/credentials,nosetuids,noperm
 
 File /tmp/credentials contains username myuser and its password.
 
 I successfully mount that share, I can list, cd, etc. but not write:
 
 root@monitor:/mnt/mount/archiveupload# ll
 total 40
 drwxrwxr-x 4 localuser localuser 0 oct 29 21:25 ./
 drwxr-xr-x 3 localuser localuser 0 oct 29 17:30 ../
 -rw-rw-r-- 1 localuser localuser  9129 oct 29 19:41 action.php
 drwxrwxr-x 2 localuser localuser 0 may 21  2009 conf/
 -rw-rw-r-- 1 localuser localuser 17992 may 21  2009 COPYING
 drwxrwxr-x 4 localuser localuser 0 may 21  2009 lang/
 -rw-rw-r-- 1 localuser localuser   241 may 21  2009 README
 -rw-rw-r-- 1 localuser localuser11 may 21  2009 VERSION
 root@monitor:/mnt/mount/archiveupload# touch a
 touch: no se puede efectuar `touch' sobre «a»: Permiso denegado
 
 'localuser' exists in both server and client. My goal is to make that any
 newly created file gets server's 'localuser' permissions.

Then that won't work. You're connecting to the share as myuser. Any
files you create will be created as myuser, not localuser.

 I added a
 'smbpasswd -a' for myuser. I wonder why can't I write on this share from
 the client, since I think permissions and mount options are ok.
 
 I'll be very grateful for any idea!
 
 Regards.

Ok, so the file isn't created at all when you touch?

Does myuser have permission to write to /shared on the server?

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Disabling Roaming Profile Support

[Jeff Dickens]

I have logon drive = in smb.conf but testparm does not report that.

Does it on your system, Marcio?

ex:

root@grackle:~# grep logon /etc/samba/smb.conf
   domain logons = yes
   logon drive =
   logon home =
   logon path =
[netlogon]
   path = /home/samba/netlogon
root@grackle:~#
root@grackle:~# testparm | grep logon
Load smb config files from /etc/samba/smb.conf
...snip...
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

logon path =
logon home =
domain logons = Yes
[netlogon]
path = /home/samba/netlogon
root@grackle:~#

On Tue, Oct 30, 2012 at 5:10 PM, Jeff Dickens j...@seamanpaper.com wrote:

 From
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html:

 Disabling Roaming Profile Support

 The question often asked is, “How may I enforce use of local profiles?”
 or “How do I disable roaming profiles?”

 There are three ways of doing this:
 In smb.conf

 Affect the following settings and ALL clients will be forced to use a
 local profile: logon home =
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONHOMEand
  logon
 path =
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONPATH

 The arguments to these parameters must be left blank. It is necessary to
 include the = sign to specifically assign the empty value.


 This apparently no longer works, or at least it doesn't work properly with
 an LDAP server.

 Can anyone comment on why? I'm running Samba 3.6.3-2 on Ubuntu 12.04.



 --
 * Jeff Dickens*
  IT Manager  978-632-1513





-- 
* Jeff Dickens*
 IT Manager  978-632-1513
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Disabling Roaming Profile Support

[Jeff Dickens]

Well on my setup unless I manually set the profile to local or set a
registry setting to allow only local profiles, it always fails to create a
local profile.  I can't figure out why.


On Wed, Oct 31, 2012 at 9:45 AM, Jeff Dickens j...@seamanpaper.com wrote:

 I have logon drive = in smb.conf but testparm does not report that.

 Does it on your system, Marcio?

 ex:

 root@grackle:~# grep logon /etc/samba/smb.conf
domain logons = yes
logon drive =
logon home =
logon path =
 [netlogon]
path = /home/samba/netlogon
 root@grackle:~#
 root@grackle:~# testparm | grep logon
 Load smb config files from /etc/samba/smb.conf
 ...snip...
 Loaded services file OK.
 Server role: ROLE_DOMAIN_PDC
 Press enter to see a dump of your service definitions

 logon path =
 logon home =
 domain logons = Yes
 [netlogon]
 path = /home/samba/netlogon
 root@grackle:~#

 On Tue, Oct 30, 2012 at 5:10 PM, Jeff Dickens j...@seamanpaper.comwrote:

 From
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html:

 Disabling Roaming Profile Support

 The question often asked is, “How may I enforce use of local profiles?”
 or “How do I disable roaming profiles?”

 There are three ways of doing this:
 In smb.conf

 Affect the following settings and ALL clients will be forced to use a
 local profile: logon home =
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONHOMEand
  logon
 path =
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONPATH

 The arguments to these parameters must be left blank. It is necessary to
 include the = sign to specifically assign the empty value.


 This apparently no longer works, or at least it doesn't work properly
 with an LDAP server.

 Can anyone comment on why? I'm running Samba 3.6.3-2 on Ubuntu 12.04.



 --
 * Jeff Dickens*
  IT Manager  978-632-1513





 --
 * Jeff Dickens*
  IT Manager  978-632-1513





-- 
* Jeff Dickens*
 IT Manager  978-632-1513
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Disabling Roaming Profile Support

[Jeff Dickens]

From
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html:

Disabling Roaming Profile Support

The question often asked is, “How may I enforce use of local profiles?” or “How
do I disable roaming profiles?”

There are three ways of doing this:
In smb.conf

Affect the following settings and ALL clients will be forced to use a local
profile: logon home =
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONHOMEand
logon
path =
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONPATH

The arguments to these parameters must be left blank. It is necessary to
include the = sign to specifically assign the empty value.


This apparently no longer works, or at least it doesn't work properly with
an LDAP server.

Can anyone comment on why? I'm running Samba 3.6.3-2 on Ubuntu 12.04.



-- 
* Jeff Dickens*
 IT Manager  978-632-1513
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs

[Jeff Layton]

On Tue, 23 Oct 2012 18:47:37 +0200
steve st...@steve-ss.com wrote:

 On 10/23/2012 05:56 PM, Scott Lovenberg wrote:
  On 10/18/2012 2:07 PM, scott.lovenb...@gmail.com wrote:
  no one has objected (or really said anything).  Can we merge this patch?
  --
 Hi
 I'm just trying to represent users. Can we take this to user level by 
 giving an example of what will work and what will not work after the patch?
 
 For example, the Linux automounter.
 
 Currently, we have this map:
 * -fstype=cifs,rw,sec=krb5 ://myserver/myshare/
 

Does that really work? What purpose does the ':' serve there? That
should probably be removed. I doubt we'd end up breaking that syntax,
but I can't be certain.

 Are you talking about the difference between that and this:
 * -fstype=cifs,rw,sec=krb5 myserver:/myshare/

Right, the above syntax would no longer work after the change.

 
 Question: will I need to change anything due to this patch?
 

For this patch, you don't need to do anything. It just adds a warning.
Eventually though, nfs-style devicenames would no longer work for
cifs mounts. For your map above, you probably want something like:

* -fstype=cifs,rw,sec=krb5 //myserver/myshare/

(i.e. get rid of the extraneous ':').
-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs

[Jeff Layton]

On Tue, 23 Oct 2012 19:22:32 +0200
steve st...@steve-ss.com wrote:

 On 10/23/2012 07:02 PM, Jeff Layton wrote:
  On Tue, 23 Oct 2012 18:47:37 +0200
  steve st...@steve-ss.com wrote:
 
  On 10/23/2012 05:56 PM, Scott Lovenberg wrote:
  Currently, we have this map: * -fstype=cifs,rw,sec=krb5 
  ://myserver/myshare/ 
  Does that really work? What purpose does the ':' serve there?
 Yes. They always put a ':' before the mount except for the default NFS. 
 I took a look at the example /etc/auto.misc which comes (commented out) 
 with openSUSE. They always put a ':'.

Ok, I see now. From autofs(5):

If the filesystem to be mounted begins with a / (such as local /dev
entries or smbfs shares) a : needs to be prefixed (e.g.  :/dev/sda1).

...I guess it's necessary for the autofs parser. I assume that the ':'
doesn't get passed to the actual mount invocation though, so that
should continue to work just fine.

  That
  should probably be removed. I doubt we'd end up breaking that syntax,
  but I can't be certain.
 
 Just to say that this is a seemingly innocuous patch, but one which may 
 lead to confusion.

Well, better confusion now than confusion when it breaks. cifs really
is just too loose about the syntax of things that it accepts, which
sounds great until you have to test all of the different variations...

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] [PATCH] Add warning that NFS syntax is deprecated and will be removed in cifs-utils-6.0.

[Jeff Layton]

On Thu, 18 Oct 2012 14:07:49 -0400
scott.lovenb...@gmail.com wrote:

 From: Scott Lovenberg scott.lovenb...@gmail.com
 
 Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com
 ---
  mount.cifs.c |4 
  1 files changed, 4 insertions(+), 0 deletions(-)
 
 diff --git a/mount.cifs.c b/mount.cifs.c
 index 756fce2..061ce32 100644
 --- a/mount.cifs.c
 +++ b/mount.cifs.c
 @@ -1335,6 +1335,7 @@ static int parse_unc(const char *unc_name, struct 
 parsed_mount_info *parsed_info
   }
  
   /* Set up host and share pointers based on UNC format. */
 + /* TODO: Remove support for NFS syntax as of cifs-utils-6.0. */
   if (strncmp(unc_name, //, 2)  strncmp(unc_name, , 2)) {
   /*
* check for nfs syntax (server:/share/prepath)
 @@ -1351,6 +1352,9 @@ static int parse_unc(const char *unc_name, struct 
 parsed_mount_info *parsed_info
   share++;
   if (*share == '/')
   ++share;
 + fprintf(stderr, WARNING: using NFS syntax for mounting CIFS 
 + shares is deprecated and will be removed in cifs-utils
 + -6.0. Please migrate to UNC syntax.);
   } else {
   host = unc_name + 2;
   hostlen = strcspn(host, /\\);

Merged (with addition of a newline to the end of warning message)...
-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Unusual behavior when two users have different shares with the same name

[Jeff Read]

Hi,

In our global smb.conf we have the line:

include = /etc/smb/smb.%U.conf

which allows us to provide a different set of available shares to each user who 
connects. Notably, two users might have shares with the same name, but which 
point to different locations. And if both those users attempt to mount their 
own homonymous shares from the same machine, they each see their own share. But 
this breaks down if one of the users has already mounted something:

* Mount share foo as user A

* Mount share bar as user B

* Mount share bar as user A

* Observe that user A sees user B's version of bar

There is a workaround, which has inconsistent success:

* Unmount, then remount share bar as user A

* Observe that user A sees its own version of bar, as it should be

It seems to be related to the fact that the CIFS VFS layer only uses one TCP 
connection for all the mounts; when we tried examining these shares with three 
separate connections (using the smbclient tool), the users saw their own 
versions of all the shares.

This was observed on samba 3.4.2 and 3.6.3, with mount.cifs up through version 
5.6.

Is this a bug? Is it a use case which is simply beyond samba's scope? Any 
clarifications would be much appreciated.

Regards,

--Jeff
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs: regular freezes with s3fs

[Jeff Layton]

On Thu, 18 Oct 2012 10:18:05 +0200
steve st...@steve-ss.com wrote:

 cifs-utils-5.6
 samba Version 4.0.0rc3
 openSUSE 12.2
 LAN of XP, w7 and Linux clients under Samba4 DC and s3fs fileserver
 
 Hi
 I am testing the possibility of migrating from nfs to cifs to serve our 
 Linux clients.
 
 Currently we mount the samba shares, e.g. the home directory, using nfs.
 
 The test setup is that instead of:
 mount -t nfs hh1:/home2 /home2 -osec=rw,krb5
 I changed to:
 mount -t cifs //hh1/home2 /home2 -osec=rw,sec=krb5,multiuser
 
 This works fine for console logins, but is very slow (unusable) for 
 graphical logins to either LXDE or XFCE.
 
 The login sometimes works:
 Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.41:57380 for 
 krbtgt/hh3.s...@hh3.site
 Kerberos: Client sent patypes: 149
 Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
 Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
 Kerberos: No preauth found, returning PREAUTH-REQUIRED -- ste...@hh3.site
 Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.41:41237 for 
 krbtgt/hh3.s...@hh3.site
 Kerberos: Client sent patypes: encrypted-timestamp, 149
 Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
 Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
 Kerberos: ENC-TS Pre-authentication succeeded -- ste...@hh3.site using 
 arcfour-hmac-md5
 Kerberos: AS-REQ authtime: 2012-10-18T09:57:33 starttime: unset endtime: 
 2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48
 Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
 aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using 
 arcfour-hmac-md5/arcfour-hmac-md5
 Kerberos: Requested flags: renewable, forwardable
 Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:50790 for 
 host/hh7.hh3.s...@hh3.site [canonicalize, renewable, forwardable]
 Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 
 2012-10-18T09:57:33 endtime: 2012-10-18T10:02:33 renew till: 
 2012-10-19T09:55:48
 Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:44350 for 
 cifs/h...@hh3.site [canonicalize, renewable, forwardable]
 Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 
 2012-10-18T09:57:33 endtime: 2012-10-18T19:57:33 renew till: 
 2012-10-19T09:55:48
 
 But then as soon as we open the file manager (or do anything else) it 
 freezes for as long as 5 minutes, before it makes another cifs request 
 and comes alive for a while:
 
 Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() 
 - NT_STATUS_CONNECTION_DISCONNECTED'
 single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - 
 NT_STATUS_CONNECTION_DISCONNECTED]
 Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:58872 for 
 cifs/h...@hh3.site [canonicalize, renewable, forwardable]
 Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 
 2012-10-18T09:59:58 endtime: 2012-10-18T19:57:33 renew till: 
 2012-10-19T09:55:48
 
 It is then OK for a few minutes more until it freezes again until the 
 next cifs request etc etc. . .
 
 This sometimes occurs in the samba log but with different files each time:
 usr/local/samba/sbin/smbd: Oplock break failed for file 
 home/steve3/.cache/openbox/openbox.log -- replying anyway
 
 Here is the test smb.conf:
 
 # Global parameters
 [global]
  workgroup = MARINA
  realm = hh3.site
  netbios name = HH1
  server role = active directory domain controller
  dns forwarder = 192.168.1.1
  idmap_ldb:use rfc2307 = Yes
  unix extensions = Yes
  panic action = /home/steve/samba-master/selftest/gdb_backtrace %d
 
 [netlogon]
  path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
  read only = No
 
 [sysvol]
  path = /usr/local/samba/var/locks/sysvol
  read only = No
 
 [home2]
  path = /home2
  read only = No
 
 Here is the wireshark of a login and a 'cifs freeze'.
 https://dl.dropbox.com/u/45150875/cifs-freeze
 
 Please note that this works fine for the same user and data with both 
 nfs3 and nfs4.
 

I think you probably want send this sort of thing to
linux-c...@vger.kernel.org (cc'ed here), and not to me directly.

What kernel is the client running here?

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs: regular freezes with s3fs

[Jeff Layton]

On Thu, 18 Oct 2012 13:21:39 +0200
steve st...@steve-ss.com wrote:

 On 18/10/12 11:48, Jeff Layton wrote:
  On Thu, 18 Oct 2012 10:18:05 +0200
  steve st...@steve-ss.com wrote:
 
  cifs-utils-5.6
  samba Version 4.0.0rc3
  openSUSE 12.2
  LAN of XP, w7 and Linux clients under Samba4 DC and s3fs fileserver
 
  Hi
  I am testing the possibility of migrating from nfs to cifs to serve our
  Linux clients.
 
  Currently we mount the samba shares, e.g. the home directory, using nfs.
 
  The test setup is that instead of:
  mount -t nfs hh1:/home2 /home2 -osec=rw,krb5
  I changed to:
  mount -t cifs //hh1/home2 /home2 -osec=rw,sec=krb5,multiuser
 
  This works fine for console logins, but is very slow (unusable) for
  graphical logins to either LXDE or XFCE.
 
  The login sometimes works:
  Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.41:57380 for
  krbtgt/hh3.s...@hh3.site
  Kerberos: Client sent patypes: 149
  Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
  Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- ste...@hh3.site
  Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.41:41237 for
  krbtgt/hh3.s...@hh3.site
  Kerberos: Client sent patypes: encrypted-timestamp, 149
  Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
  Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
  Kerberos: ENC-TS Pre-authentication succeeded -- ste...@hh3.site using
  arcfour-hmac-md5
  Kerberos: AS-REQ authtime: 2012-10-18T09:57:33 starttime: unset endtime:
  2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
  aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using
  arcfour-hmac-md5/arcfour-hmac-md5
  Kerberos: Requested flags: renewable, forwardable
  Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:50790 for
  host/hh7.hh3.s...@hh3.site [canonicalize, renewable, forwardable]
  Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime:
  2012-10-18T09:57:33 endtime: 2012-10-18T10:02:33 renew till:
  2012-10-19T09:55:48
  Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:44350 for
  cifs/h...@hh3.site [canonicalize, renewable, forwardable]
  Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime:
  2012-10-18T09:57:33 endtime: 2012-10-18T19:57:33 renew till:
  2012-10-19T09:55:48
 
  But then as soon as we open the file manager (or do anything else) it
  freezes for as long as 5 minutes, before it makes another cifs request
  and comes alive for a while:
 
  Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv()
  - NT_STATUS_CONNECTION_DISCONNECTED'
  single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() -
  NT_STATUS_CONNECTION_DISCONNECTED]
  Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:58872 for
  cifs/h...@hh3.site [canonicalize, renewable, forwardable]
  Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime:
  2012-10-18T09:59:58 endtime: 2012-10-18T19:57:33 renew till:
  2012-10-19T09:55:48
 
  It is then OK for a few minutes more until it freezes again until the
  next cifs request etc etc. . .
 
  This sometimes occurs in the samba log but with different files each time:
  usr/local/samba/sbin/smbd: Oplock break failed for file
  home/steve3/.cache/openbox/openbox.log -- replying anyway
 
  Here is the test smb.conf:
 
  # Global parameters
  [global]
workgroup = MARINA
realm = hh3.site
netbios name = HH1
server role = active directory domain controller
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = Yes
unix extensions = Yes
panic action = /home/steve/samba-master/selftest/gdb_backtrace %d
 
  [netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
 
  [sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
 
  [home2]
path = /home2
read only = No
 
  Here is the wireshark of a login and a 'cifs freeze'.
  https://dl.dropbox.com/u/45150875/cifs-freeze
 
  Please note that this works fine for the same user and data with both
  nfs3 and nfs4.
 
 
  I think you probably want send this sort of thing to
  linux-c...@vger.kernel.org (cc'ed here), and not to me directly.
 
 Sorry, I'll join the list.
 
 
  What kernel is the client running here?
 
 3.4.6-2.10-desktop
 

The capture is not complete, since it doesn't contain the TCP
connection setup. Thus, I can't offer any root causes for the hang...

Everything seems to be swimming along just fine until frame 835. At
that point the server issues an oplock break for FID 0x8b11 to which
the client does not respond. This happens just after a call to unlink
/home/steve3/.cache/openbox/openbox.log. Most likely the client had
that file open and oplocked so the server issued this prior to allowing
the unlink to proceed. The client never

Re: [Samba] mount.cifs: regular freezes with s3fs

[Jeff Layton]

On Thu, 18 Oct 2012 18:34:07 +0200
steve st...@steve-ss.com wrote:

 On 18/10/12 18:28, John Drescher wrote:
  through user login, freeze (twice) and user logout until the login prompt
  returned:
  https://dl.dropbox.com/u/45150875/cifs-freeze2
 
 
  When I click the above link I get:
 
  We can't find the page you're looking for. Check out our Help Center
  and forums for help, or head back to home.
 
  John
 
 
 Sorry, It hadn't synced. It's there now.
 Cheers,
 Steve
 

In this one, I don't see any issues with oplock breaks. I also don't
see any calls that are taking longer than expected. I do see a bunch of
page-sized reads in the capture for what appear to be sequential reads.
Reads also seem to be serialized, which is makes me think its falling
into the readpage codepath.

There were some fixes to rsize handling in later kernels, so it's
probably worthwhile to test those before you do too much debugging.

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] temporary profiles problem - don't want roaming profiles

[Jeff Dickens]

Apparently my problem is a bad combination of mystifying and uninteresting
:-) since I've not had a reply.

Can anyone maybe suggest how to debug this? How can I find out what name
it's looking for when it gets The network name cannot be found ?

Is it true that I should be able to have a Samba-3 Domain without roaming
profiles by just specifying


logon path =
logon home =


in smb.conf and not providing any *sambaProfilePath* attribute in LDAP ?




On Fri, Oct 5, 2012 at 5:42 PM, Jeff Dickens j...@seamanpaper.com wrote:

 I have a Samba PDC (Ubuntu 12, OpenLDAP 2.4.28, Samba 3.6.3), and at two
 remote sites, I have some Samba BDCs.

 For now I've manually entered the DCs as WINS servers on the workstations
 I'm using for testing.   At the remote sites, I can log in with an account
 that has no logon path or logon home specified, and it works perfectly.
  But at the main site, when I try to log on to one of these accounts I get
 first get the can't find the server copy of the roaming profile and then
 can't find the local profile logging you in with a temporary profile
 errors.  I can't figure this one out.  I'm using the same account, and the
 samba setups are nearly identical - just one is a BDC and one a PDC.

 This is smb.conf on the PDC:

 [global]
 workgroup = SEAMANPAPER
 server string = %h server (Samba, Ubuntu)
 map to guest = Bad User
 obey pam restrictions = Yes
 passdb backend = ldapsam:ldap://localhost
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1000
 smb ports = 137 138 139 445
 name resolve order = wins bcast hosts
 load printers = No
 printcap name = /dev/null
 disable spoolss = Yes
 rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
 delete user script = /usr/sbin/smbldap-userdel '%u'
 add group script = /usr/sbin/smbldap-groupadd -p '%g'
 delete group script = /usr/sbin/smbldap-groupdel '%g'
 add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
 delete user from group script = /usr/sbin/smbldap-groupmod -x '%u'
 '%g'
 set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
 add machine script = /usr/sbin/smbldap-useradd -W '%u' -t 1
 logon path =
 logon home =
 domain logons = Yes
 os level = 65
 domain master = Yes
 dns proxy = No
 wins support = Yes
 ldap admin dn = cn=admin,dc=intranet,dc=seamanpaper,dc=com
 ldap group suffix = ou=Groups
 ldap idmap suffix = ou=Idmap
 ldap machine suffix = ou=Computers
 ldap passwd sync = yes
 ldap suffix = dc=intranet,dc=seamanpaper,dc=com
 ldap ssl = no
 ldap user suffix = ou=People
 panic action = /usr/share/samba/panic-action %d
 idmap config * : range = 100-199
 idmap config * : backend = ldap
 printing = bsd
 print command = lpr -r -P'%p' %s
 lpq command = lpq -P'%p'
 lprm command = lprm -P'%p' %j

 [profiles]
 comment = Windows Profiles
 path = /home/samba/profiles
 read only = No
 create mask = 0600
 directory mask = 0700
 store dos attributes = Yes
 browseable = No
 csc policy = disable

 [netlogon]
 comment = Network Logon Service
 path = /home/samba/netlogon
 guest ok = Yes

 [homes]
 comment = Home Directories
 valid users = %S
 read only = No
 browseable = No

 and on the BDC:


 [global]
 workgroup = SEAMANPAPER
 server string = %h server (Samba, Ubuntu)
 map to guest = Bad User
 obey pam restrictions = Yes
 passdb backend = ldapsam:ldap://localhost
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1000
 smb ports = 137 138 139 445
 name resolve order = wins bcast hosts
 load printers = No
 printcap name = /dev/null
 disable spoolss = Yes
 rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
 delete user script = /usr/sbin/smbldap-userdel '%u'
 add group script = /usr/sbin/smbldap-groupadd -p '%g'
 delete group script = /usr/sbin/smbldap-groupdel '%g'
 add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
 delete user from group script = /usr/sbin/smbldap-groupmod -x '%u'
 '%g'
 set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
 add machine script = /usr/sbin/smbldap-useradd -W '%u' -t 1
 logon path =
 logon home =
 domain logons = Yes
 os level = 65
 domain master = No
 dns proxy = No
 wins proxy = Yes
 wins server = 192.168.10.127
 ldap admin dn = cn=admin,dc=intranet,dc=seamanpaper,dc=com
 ldap group suffix = ou

[Samba] ANNOUNCE: cifs-utils release 5.6 is ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Time for another cifs-utils release!

Nothing terribly earth shattering here. Some distros (like Fedora) are
moving krb5 credcaches out of /tmp by default. Users of these distros
will definitely want to upgrade.

Highlights:

* Fixes for mounting with '/' in usernames with sec=krb5 

* Support for DIR: type krb5 ccaches

* support for nofail option in mount.cifs

webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.6:

commit 692842e34c1f2fcc84b6b64136f5e28dd7062f46
Author: Jeff Layton jlay...@samba.org
Date:   Tue Aug 7 11:06:41 2012 -0400

autoconf: set version to 5.6.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 569cfcb3a467dfdf967a36ed6f7896559edab2ba
Author: Jeff Layton jlay...@samba.org
Date:   Tue Aug 7 11:11:26 2012 -0400

mount.cifs: deprecate the DOMAIN/username%password username syntax

mount.cifs has in the past allowed users to specify a username using
the above syntax, which would populate the domain and password fields
with the different pieces.

Unfortunately, there are cases where it is legit to have a '/' in a
username. krb5 SPNs generally contain a '/' and we have no clear way
to distinguish between the two.

I don't see any real value in keeping that syntax allowed. It's no
easier than specifying pass= and domain= on the command line. Ditto
for credential files.

Begin the transition away from that syntax by adding a warning message
that support for it will be removed in 5.9.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 3a965467611637ca05bcd55460ff69fec6ad8be7
Author: Jeff Layton jlay...@samba.org
Date:   Tue Aug 7 11:52:15 2012 -0400

mount.cifs: handle username= differently depending on sec= option

This patch is intended as a temporary workaround for krb5 users that need
to specify usernames with '/' in them. I intend to remove this hack from
mount.cifs once the legacy username handling code is removed.

The idea here is to save off the raw username string while we're parsing
options. If the mount options specify sec=krb5 or sec=krb5i then
we'll not do the legacy username parsing and will instead just pass in
the username string as-is.

Obviously, this is a nasty hack and we don't really want to carry this
in perpetuity, so this can go away once the legacy username parsing
has gone away.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 377898e63a8689b0e8c5c656ce9cfa98223cf74b
Author: Jeff Layton jlay...@samba.org
Date:   Tue Aug 21 15:18:54 2012 -0400

cifs-utils: fix up references to getcifsacl and setcifsacl files

When I moved the manpages for this to section 1, I missed some references
to them. Also, get rid of the unneeded clean-local-aclprogs makefile target.

Signed-off-by: Jeff Layton jlay...@samba.org

commit d006986221b7f1aad50e894851dc573650b7611c
Author: Nalin Dahyabhai na...@redhat.com
Date:   Thu Aug 23 11:14:45 2012 -0400

cifs.upcall: also consider DIR:-type ccaches

If we encounter a subdirectory while scanning a directory for a user's
ccache, check if it's a DIR ccache.  Otherwise, continue as before,
checking if it's a FILE ccache if it looks like a regular file.

commit ca0894e40480a9115c6bad670149b075646ead2c
Author: Nalin Dahyabhai na...@redhat.com
Date:   Thu Aug 23 11:14:56 2012 -0400

cifs.upcall: scan /run/user/${UID} for ccaches, too

When scanning for credential caches, check the user's directory under
/run/user first, then fall back to /tmp as we have previously.  Because
we now call find_krb5_cc() twice (once for each directory), we move its
state to be outside of the function.  We also add a substitution
mechanism to make the process of resolving the location of the user's
home directory before searching it a bit more explicable.

commit 72bce53289d939c3539b7d3cb957b748a4b1d2ec
Author: Jeff Layton jlay...@samba.org
Date:   Thu Aug 23 07:46:40 2012 -0400

cifs.upcall: use strncmp in scandir filter function

We want to require that the filename begins with the correct string,
not just that it contains it somewhere.

Signed-off-by: Jeff Layton jlay...@samba.org

commit a0bf123541ec6fd53948f41f17c9dba5d6a43648
Author: Jeff Layton jlay...@samba.org
Date:   Thu Aug 23 10:18:02 2012 -0400

mount.cifs: silence compiler warnings about ignoring return code

In this case we explicitly don't care what these functions return, so
declare a couple of unused variables to catch the results.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 82f93c44343f281ce61f547ff8f9e5f79945cb20
Author: Jeff Layton jlay

Re: [Samba] ANNOUNCE: cifs-utils release *5.7* is ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 9 Oct 2012 20:51:21 -0400
Jeff Layton jlay...@samba.org wrote:

 Hash: SHA1
 
 Time for another cifs-utils release!
 
 Nothing terribly earth shattering here. Some distros (like Fedora) are
 moving krb5 credcaches out of /tmp by default. Users of these distros
 will definitely want to upgrade.
 
 Highlights:
 
 * Fixes for mounting with '/' in usernames with sec=krb5 
 
 * Support for DIR: type krb5 ccaches
 
 * support for nofail option in mount.cifs
 
 webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
 tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
 git:git://git.samba.org/cifs-utils.git
 gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary
 
 Detailed list of changes since 5.6:
 
 commit 692842e34c1f2fcc84b6b64136f5e28dd7062f46
 Author: Jeff Layton jlay...@samba.org
 Date:   Tue Aug 7 11:06:41 2012 -0400
 
 autoconf: set version to 5.6.1 for interim builds
 
 Signed-off-by: Jeff Layton jlay...@samba.org
 
 commit 569cfcb3a467dfdf967a36ed6f7896559edab2ba
 Author: Jeff Layton jlay...@samba.org
 Date:   Tue Aug 7 11:11:26 2012 -0400
 
 mount.cifs: deprecate the DOMAIN/username%password username syntax
 
 mount.cifs has in the past allowed users to specify a username using
 the above syntax, which would populate the domain and password fields
 with the different pieces.
 
 Unfortunately, there are cases where it is legit to have a '/' in a
 username. krb5 SPNs generally contain a '/' and we have no clear way
 to distinguish between the two.
 
 I don't see any real value in keeping that syntax allowed. It's no
 easier than specifying pass= and domain= on the command line. Ditto
 for credential files.
 
 Begin the transition away from that syntax by adding a warning message
 that support for it will be removed in 5.9.
 
 Signed-off-by: Jeff Layton jlay...@samba.org
 
 commit 3a965467611637ca05bcd55460ff69fec6ad8be7
 Author: Jeff Layton jlay...@samba.org
 Date:   Tue Aug 7 11:52:15 2012 -0400
 
 mount.cifs: handle username= differently depending on sec= option
 
 This patch is intended as a temporary workaround for krb5 users that need
 to specify usernames with '/' in them. I intend to remove this hack from
 mount.cifs once the legacy username handling code is removed.
 
 The idea here is to save off the raw username string while we're parsing
 options. If the mount options specify sec=krb5 or sec=krb5i then
 we'll not do the legacy username parsing and will instead just pass in
 the username string as-is.
 
 Obviously, this is a nasty hack and we don't really want to carry this
 in perpetuity, so this can go away once the legacy username parsing
 has gone away.
 
 Signed-off-by: Jeff Layton jlay...@samba.org
 
 commit 377898e63a8689b0e8c5c656ce9cfa98223cf74b
 Author: Jeff Layton jlay...@samba.org
 Date:   Tue Aug 21 15:18:54 2012 -0400
 
 cifs-utils: fix up references to getcifsacl and setcifsacl files
 
 When I moved the manpages for this to section 1, I missed some references
 to them. Also, get rid of the unneeded clean-local-aclprogs makefile 
 target.
 
 Signed-off-by: Jeff Layton jlay...@samba.org
 
 commit d006986221b7f1aad50e894851dc573650b7611c
 Author: Nalin Dahyabhai na...@redhat.com
 Date:   Thu Aug 23 11:14:45 2012 -0400
 
 cifs.upcall: also consider DIR:-type ccaches
 
 If we encounter a subdirectory while scanning a directory for a user's
 ccache, check if it's a DIR ccache.  Otherwise, continue as before,
 checking if it's a FILE ccache if it looks like a regular file.
 
 commit ca0894e40480a9115c6bad670149b075646ead2c
 Author: Nalin Dahyabhai na...@redhat.com
 Date:   Thu Aug 23 11:14:56 2012 -0400
 
 cifs.upcall: scan /run/user/${UID} for ccaches, too
 
 When scanning for credential caches, check the user's directory under
 /run/user first, then fall back to /tmp as we have previously.  Because
 we now call find_krb5_cc() twice (once for each directory), we move its
 state to be outside of the function.  We also add a substitution
 mechanism to make the process of resolving the location of the user's
 home directory before searching it a bit more explicable.
 
 commit 72bce53289d939c3539b7d3cb957b748a4b1d2ec
 Author: Jeff Layton jlay...@samba.org
 Date:   Thu Aug 23 07:46:40 2012 -0400
 
 cifs.upcall: use strncmp in scandir filter function
 
 We want to require that the filename begins with the correct string,
 not just that it contains it somewhere.
 
 Signed-off-by: Jeff Layton jlay...@samba.org
 
 commit a0bf123541ec6fd53948f41f17c9dba5d6a43648
 Author: Jeff Layton jlay...@samba.org
 Date:   Thu Aug 23 10:18:02 2012 -0400
 
 mount.cifs: silence compiler warnings about ignoring return code
 
 In this case we explicitly don't care what

Re: [Samba] temporary profiles problem - don't want roaming profiles

[Jeff Dickens]

\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Microsoft\SystemCertificates\Disallowed
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Policies\Microsoft\SystemCertificates
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Policies\Microsoft\SystemCertificates
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Policies\Microsoft\SystemCertificates
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Policies\Microsoft\SystemCertificates
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Microsoft\SystemCertificates\My
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Microsoft\SystemCertificates\CA
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Microsoft\SystemCertificates\trust
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1396 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDSVC.EXE) has opened key
\REGISTRY\USER\S-1-5-21-3331739098-3736223119-3628203672-500\Software\Microsoft\SystemCertificates\Root

Error10/8/2012 4:27:43 PMMicrosoft-Windows-User Profiles Service
1511NoneWindows cannot find the local profile and is logging you on
with a temporary profile. Changes you make to this profile will be lost
when you log off.
Error10/8/2012 4:27:43 PMMicrosoft-Windows-User Profiles Service
1521NoneWindows cannot locate the server copy of your roaming
profile and is attempting to log you on with your local profile. Changes to
the profile will not be copied to the server when you log off. This error
may be caused by network problems or insufficient security rights.

 DETAIL - The network name cannot be found.

Warning10/8/2012 4:28:17 PMMicrosoft-Windows-User Profiles
Service1530NoneWindows detected your registry file is still in
use by other applications or services. The file will be unloaded now. The
applications or services that hold your registry file may not function
properly afterwards.

 DETAIL -
 1 user registry handles leaked from
\Registry\User\S-1-5-21-947950628-2177205791-3689072656-513:
Process 10400 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has
opened key \REGISTRY\USER\S-1-5-21-947950628-2177205791-3689072656-513



On Fri, Oct 5, 2012 at 5:42 PM, Jeff Dickens j...@seamanpaper.com wrote:

 I have a Samba PDC (Ubuntu 12, OpenLDAP 2.4.28, Samba 3.6.3), and at two
 remote sites, I have some Samba BDCs.

 For now I've manually entered the DCs as WINS servers on the workstations
 I'm using for testing.   At the remote sites, I can log in with an account
 that has no logon path or logon home specified, and it works perfectly.
  But at the main site, when I try to log on to one of these accounts I get
 first get the can't find the server copy of the roaming profile and then
 can't find the local profile logging you in with a temporary profile
 errors.  I can't figure this one out.  I'm using the same account, and the
 samba setups are nearly identical - just one is a BDC and one a PDC.

 This is smb.conf on the PDC:

 [global]
 workgroup = SEAMANPAPER
 server string = %h server (Samba, Ubuntu)
 map to guest = Bad User
 obey pam restrictions = Yes
 passdb backend = ldapsam:ldap://localhost
 syslog = 0
 log file = /var/log/samba/log.%m
 max log size = 1000
 smb ports = 137 138 139 445
 name resolve order = wins bcast hosts
 load printers = No
 printcap name = /dev/null
 disable spoolss = Yes
 rename user script

[Samba] temporary profiles problem - don't want roaming profiles

[Jeff Dickens]

 = 0600
directory mask = 0700
store dos attributes = Yes
browseable = No
csc policy = disable

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No


Also notice that my account (which has a roaming profile and works fine at
all sites) has a sambaProfilePath attribute and the boris and rpoole
accounts don't.  This should make them no-roaming-profile accounts but it
doesn't work consistently.  It works at the two satellite sites but not at
my main site.

root@grackle:~# ldapsearch -W -D cn=admin,dc=intranet,dc=seamanpaper,dc=com
-H ldap://grackle.intranet.seamanpaper.com -b
dc=intranet,dc=seamanpaper,dc=com (uid=*jeff*) | grep Path
Enter LDAP Password:
sambaHomePath: \\wilkins1\home
*sambaProfilePath: \\wilkins1\home\.winProfile*
root@grackle:~#

root@grackle:~# ldapsearch -W -D cn=admin,dc=intranet,dc=seamanpaper,dc=com
-H ldap://grackle.intranet.seamanpaper.com -b
dc=intranet,dc=seamanpaper,dc=com (uid=*boris*) | grep Path
Enter LDAP Password:
sambaHomePath: \\wilkins1\home

root@grackle:~# ldapsearch -W -D cn=admin,dc=intranet,dc=seamanpaper,dc=com
-H ldap://grackle.intranet.seamanpaper.com -b
dc=intranet,dc=seamanpaper,dc=com (uid=*rpoole*) | grep Path
Enter LDAP Password:
sambaHomePath: \\wilkins1\home



-- 
* Jeff Dickens*
 IT Manager  978-632-1513
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Samba4, DHCP, BIND DLZ

[Jeff]

Hello,

I have recently compiled, installed and configured samba4 to run on a FreeBSD 
server.

samba -V reports the version to be Version 4.1.0pre1-GIT-57990cb.

The server has working BIND 9.9 and ISC-DHCP services running on it.  

I have provisioned samba 4 to use the BIND_DLZ DNS backend.  

On the whole things seem to be working.  local names are being resolved.  
phpLDAPAdmin shows the new AD.

I need to resolve a couple of things though.

(1) log.samba has a lot of

[2012/09/20 15:41:08,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:08,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:08,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:08,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:09,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:09,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful

What does it mean and how do I fix it??


(2) I need to ensure that DHCP is playing nicely with samba4.  How are DNS 
updates from the DHCP server propagated to samba4??  I've changed my BIND so 
that it no longer uses zone files for the local domain. Instead it uses the 
bind9 dlz driver that came with samba4.  If I understand correctly, this means 
that bind will now pass queries about the local domain off to samba.  So samba 
must be updated whenever a new DHCP lease is granted by the dhcp server.  Does 
the DLZ driver handle this, or does the DHCP server need to be configured to 
cause these updates to go directly to samba??


Thanks,
Jeff



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Samba4, DHCP, BIND DLZ

[Jeff]

Hello,

I have recently compiled, installed and configured samba4 to run on a FreeBSD 
server.

samba -V reports the version to be Version 4.1.0pre1-GIT-57990cb.

The server has working BIND 9.9 and ISC-DHCP services running on it.  

I have provisioned samba 4 to use the BIND_DLZ DNS backend.  

On the whole things seem to be working.  local names are being resolved.  
phpLDAPAdmin shows the new AD.

I need to resolve a couple of things though.

(1) log.samba has a lot of

[2012/09/20 15:41:08,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
 /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:08,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
 /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:08,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
 /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:08,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
 /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:09,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
 /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful
[2012/09/20 15:41:09,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
 /usr/local/samba/sbin/samba_dnsupdate: response to GSS-TSIG query was 
unsuccessful

What does it mean and how do I fix it??


(2) I need to ensure that DHCP is playing nicely with samba4.  How are DNS 
updates from the DHCP server propagated to samba4??  I've changed my BIND so 
that it no longer uses zone files for the local domain.  Instead it uses the 
bind9 dlz driver that came with samba4.  If I understand correctly, this means 
that bind will now pass queries about the local domain off to samba.  So samba 
must be updated whenever a new DHCP lease is granted by the dhcp server.  Does 
the DLZ driver handle this, or does the DHCP server need to be configured to 
cause these updates to go directly to samba??


Thanks,
Jeff



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs ms dfs and failover

[Jeff Layton]

On Wed, 18 Jul 2012 17:31:28 +1000
Sam Abed samsa...@hotmail.com wrote:

 
 Hello,
   I can't find any reference on if linux understands multiple targets when it 
 mounts a MS dfs share, specifically if it can failover.
 I can mount a MS dfs share fine, however if the server picked is shutdow 
 the mount hangs. I tried it on a recent ubuntu to discount the enterprise 
 lag.
 
 am I missing something or is it not working
 

(cc'ing linux-cifs)

No, there's currently no support for failover with Linux CIFS DFS code.
Once it picks the server, it stays with it.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] CIFS mount intermitte​ntly unavailabl​e: cifs_mount failed w/return code = -5

[Jeff Layton]

On Mon, 27 Aug 2012 08:48:42 -0400
Jeff Layton jlay...@samba.org wrote:

 On Thu, 16 Aug 2012 19:57:27 +1000
 Robert S robert.spam.me.sensel...@gmail.com wrote:
 
  I have a debian machine called debian and a windows XP machine
  called server.  I have a permanent mounted read-only share called
  \\server\doc.  My /etc/fstab looks like this:
  
  //server/doc/opt/chroot/mnt/server cifs
  credentials=/root/.smbmount,username=medical,uid=medical,file_mode=0755,dir_mode=0755,noserverino
  0 0
  
  This works well most of the time but at times I get a input/output
  error when I try to access this share.  My syslog shows the following:
  
  Aug 16 15:36:35 debian kernel: [1289131.676869] Status code returned
  0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
  Aug 16 15:36:35 debian kernel: [1289131.676875]  CIFS VFS: Send error
  in SessSetup = -5
  Aug 16 15:36:35 debian kernel: [1289131.676899]  CIFS VFS: cifs_mount
  failed w/return code = -5
  Aug 16 15:36:46 debian kernel: [1289142.653770] Status code returned
  0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
  Aug 16 15:36:46 debian kernel: [1289142.653775]  CIFS VFS: Send error
  in SessSetup = -5
  Aug 16 15:36:46 debian kernel: [1289142.653799]  CIFS VFS: cifs_mount
  failed w/return code = -5
  Aug 16 15:37:01 debian kernel: [1289158.491697] Status code returned
  0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
  Aug 16 15:37:01 debian kernel: [1289158.491703]  CIFS VFS: Send error
  in SessSetup = -5
  Aug 16 15:37:01 debian kernel: [1289158.491727]  CIFS VFS: cifs_mount
  failed w/return code = -5
  
  Does anyone have any suggestions?  Can somebody explain what return
  code -5 means?
  
  I have tried replacing server with its fixed IP address
  (192.168.0.32), but this does not help.  I have even moved all the
  files to another location on the Windows box and recreated the share,
  but it still occurs.
 
 (cc'ing linux-cifs ml)
 
 -5 is -EIO which is the generic error that we map stuff to when there's
 not a better mapping. We don't have a standard mapping for
 NT_STATUS_REQUEST_NOT_ACCEPTED, so that's why you get -EIO back.
 
 The bigger question is why your server is returning that error. You may
 need to check the logs on the server side to see why it's not accepting
 these requests.
 

...and interestingly, the description of this error in the MS-CIFS doc
from microsoft says: No resources currently available for this SMB
request., which sounds like you're occasionally hitting some sort of
resource limit on the server...

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] CIFS mount intermitte​ntly unavailabl​e: cifs_mount failed w/return code = -5

[Jeff Layton]

On Thu, 16 Aug 2012 19:57:27 +1000
Robert S robert.spam.me.sensel...@gmail.com wrote:

 I have a debian machine called debian and a windows XP machine
 called server.  I have a permanent mounted read-only share called
 \\server\doc.  My /etc/fstab looks like this:
 
 //server/doc/opt/chroot/mnt/server cifs
 credentials=/root/.smbmount,username=medical,uid=medical,file_mode=0755,dir_mode=0755,noserverino
 0 0
 
 This works well most of the time but at times I get a input/output
 error when I try to access this share.  My syslog shows the following:
 
 Aug 16 15:36:35 debian kernel: [1289131.676869] Status code returned
 0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
 Aug 16 15:36:35 debian kernel: [1289131.676875]  CIFS VFS: Send error
 in SessSetup = -5
 Aug 16 15:36:35 debian kernel: [1289131.676899]  CIFS VFS: cifs_mount
 failed w/return code = -5
 Aug 16 15:36:46 debian kernel: [1289142.653770] Status code returned
 0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
 Aug 16 15:36:46 debian kernel: [1289142.653775]  CIFS VFS: Send error
 in SessSetup = -5
 Aug 16 15:36:46 debian kernel: [1289142.653799]  CIFS VFS: cifs_mount
 failed w/return code = -5
 Aug 16 15:37:01 debian kernel: [1289158.491697] Status code returned
 0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
 Aug 16 15:37:01 debian kernel: [1289158.491703]  CIFS VFS: Send error
 in SessSetup = -5
 Aug 16 15:37:01 debian kernel: [1289158.491727]  CIFS VFS: cifs_mount
 failed w/return code = -5
 
 Does anyone have any suggestions?  Can somebody explain what return
 code -5 means?
 
 I have tried replacing server with its fixed IP address
 (192.168.0.32), but this does not help.  I have even moved all the
 files to another location on the Windows box and recreated the share,
 but it still occurs.

(cc'ing linux-cifs ml)

-5 is -EIO which is the generic error that we map stuff to when there's
not a better mapping. We don't have a standard mapping for
NT_STATUS_REQUEST_NOT_ACCEPTED, so that's why you get -EIO back.

The bigger question is why your server is returning that error. You may
need to check the logs on the server side to see why it's not accepting
these requests.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 5.6 is ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Time for another cifs-utils release!

Highlights:

* binaries are now built by default with PIE and RELRO support for
  better protection against exploits

* better debugging and warnings for cifs.upcall and cifscreds

* better integration with systemd by having mount.cifs use
  systemd-ask-password if it's appropriate and available


webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.5:

commit df561d40947e0b520deb48e1a4749afe9787949a
Author: Jeff Layton jlay...@samba.org
Date:   Fri Jun 1 13:56:21 2012 -0400

autoconf: set version to 5.5.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 74edf24d9780900f3ce15d2403c6e331b031d454
Author: Jeff Layton jlay...@samba.org
Date:   Thu Jun 14 10:59:18 2012 -0400

automake: revert -Werror by default

I think in hindsight, that adding -Werror by default was a mistake.
cifs-utils is built in a wide range of environments and tools, and it's
very difficult to eliminate all of the possible warnings.

Let's go ahead and remove it and reduce the steady trickle of patches
that are simply to silence obscure warnings.

Cc: Suresh Jayaraman sjayara...@suse.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 0eb3daa4b17ee64b464594f1a5d413ecb364957c
Author: Jeff Layton jlay...@samba.org
Date:   Thu Jun 14 10:59:18 2012 -0400

mount.cifs: set rc to 0 in libcap toggle_dac_capability

Thus spake Jochen:

The mount.cifs program from the cifs-utils package 5.5 did not work on
my Linux system. It just exited without an error message and did not
mount anything.

[...]

I think, when this variable rc is now used in this function, it has also
to be properly initialized there.

Reported-by: Jochen Roderburg roderb...@uni-koeln.de
Signed-off-by: Jeff Layton jlay...@samba.org

commit b7bea5254443cb121b0cf03a64b123b85d7f9fbb
Author: Jeff Layton jlay...@samba.org
Date:   Thu Jun 14 11:05:43 2012 -0400

cifs.upcall: more debug logging for krb5 upcalls

While helping to track down a configuration problem, I found this
little bit of extra debug logging to be helpful. Might as well
make it part of the stock binary.

Signed-off-by: Jeff Layton jlay...@samba.org

commit a8611e25d44211cd57a91dce4fe7d7a7ad7534d4
Author: Jeff Layton jlay...@samba.org
Date:   Fri Jul 6 11:48:18 2012 -0400

replace: remove bzero() redefinition from replace.h

I borrowed replace.h from samba when I split off the package, and we
have a ton of definitions in there that we don't really need.  This is
one of them and it causes a warning when we build on RHEL5.

Reported-by: Andreas Schneider a...@samba.org
Signed-off-by: Jeff Layton jlay...@samba.org

commit 233e17db8ef7edba1fea660e076a03a56b0117d2
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jul 9 14:12:33 2012 -0400

autoconf: add --enable-pie and --enable-relro

-pie and -fpie enable the building of position-independent executables,
and -Wl,-z,relro turns on read-only relocation support in gcc. These
options are important for security purposes to guard against possible
buffer overflows that lead to exploits.

Follow the example of samba here and enable these by default, but add
configure options that allow people to turn them off at build-time if
necessary.

We may also want to eventually add checks to ensure that the compiler
and linker understand these options, but I'll wait until we have some
evidence that it's needed before I expend the effort.

Reported-by: Andreas Schneider a...@samba.org
Signed-off-by: Jeff Layton jlay...@samba.org

commit ced19dedc0fa7b36087b8eaeef6a6a9dc76aa55e
Author: Andreas Schneider a...@cryptomilk.org
Date:   Mon Jul 9 22:21:04 2012 -0400

autoconf: Fix building with autoconf version older than 2.60.

AC_PROG_SED is only avaliable in recent autoconf versions.
Use AC_CHECK_PROG instead if AC_PROG_SED is not present.

Signed-off-by: Andreas Schneider a...@cryptomilk.org

commit 4e264031d0da7d3f2a287337e86b623e814f5c56
Author: Ankit Jain jan...@suse.de
Date:   Wed Jul 18 06:47:07 2012 -0400

mount.cifs: Use systemd's mechanism for getting password, if present.

If systemd is running and /bin/systemd-ask-password if available,
then use that else fallback on getpass(..).

And add a --enable-systemd configure option, which defaults to yes.

Signed-off-by: Ankit Jain jan...@suse.com

commit 877701f3cc23df3cb2a293c060bdbf05a87bff6a
Author: Luk Claes l...@debian.org
Date:   Thu Jul 19 09:27:01 2012 -0400

mount.cifs: Use errno instead of having unknown error

[Samba] ANNOUNCE: cifs-utils release 5.5 is ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Nothing terribly earth-shattering in this release. We had a number of
reports of build-breaking problems in version 5.4, mostly due to the
fact that we now turn on -Werror by default, and a number of patches to
fix them.

I'm starting to have doubts as to whether it's a good idea to keep
- -Werror in the default CFLAGS. This is built in a large range of
environments and with a large range of different tool versions.
Catching all of the warnings can be difficult.

I've left that flag in place for now, but if it's causing significant
pain for anyone then please speak up, and we might remove it in a later
release.

Highlights:

 * a bunch of fixes for compile time warnings and build breaks

 * some fixes in the libcap capabilities dropping code 

 * remove unneeded mount.smb2 multicall code and other prep work for
   smb2 support

 * manpage updates for kernel-level behavior changes 

webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.4:

commit 676f0386df51b36df42d8b6b815b7d9d8b6934dc
Author: Jeff Layton jlay...@samba.org
Date:   Thu Apr 19 07:29:33 2012 -0400

autoconf: set version to 5.4.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 8c6268cbbd4202631e5c4b30297adc0088a1d568
Author: Jeff Layton jlay...@samba.org
Date:   Thu Apr 19 07:29:46 2012 -0400

mount.cifs: fix up some -D_FORTIFY_SOURCE=2 warnings

...and add -D_FORTIFY_SOURCE=2 to the default $CFLAGS.

Acked-by: Acked-by: Suresh Jayaraman sjayara...@suse.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit be5b954e35858c09dfaeee33bf06bb0dc76a86f9
Author: Lars Mueller lmue...@suse.com
Date:   Fri Apr 20 07:58:54 2012 -0400

mount.cifs: uninitialized variables in mount.cifs

older gcc versions (4.3 in the case of SUSE Linux Enterprise 11 SP 1 and
SP 2) complain about uninitialized variables in the recent 5.4 release.

The attached patch makes the build process a bit quieter.

Acked-by: Suresh Jayaraman sjayara...@suse.com
Signed-off-by: Lars Mueller lmue...@suse.com

commit e5f124c10fa8e582c5df61017d6f6c2b10c397dc
Author: Lars Mueller lmue...@suse.com
Date:   Fri Apr 20 07:59:06 2012 -0400

cifs.upcall: missing prototype for krb5_auth_con_set_req_cksumtype in MIT
krb5  1.7


products coming with MIT krb5  1.7 (like SUSE Linux Enterprise 11 SP 1
or SP 2) suffer from the same issue as described by
https://bugzilla.samba.org/show_bug.cgi?id=6918

The declaration of krb5_auth_con_set_req_cksumtype is missing.

Inspiration: https://bugzilla.samba.org/show_bug.cgi?id=6918

Acked-by: Suresh Jayaraman sjayara...@suse.com
Signed-off-by: Lars Mueller lmue...@suse.com

commit 0aa12de5c1565d56a240d7b0dd814316f4ea81f3
Author: Lars Mueller lmue...@suse.com
Date:   Fri Apr 20 07:59:15 2012 -0400

mount.cifs: toggle_dac_capability() stores return code

the build process of the cifs-utils for Mandriva 2011 made me notice of
the unused variable rc in toggle_dac_capability() of mount.cifs.c.

A bit up in the code we store the return value and do not make use of it
while calling return.

The attached patch intends to fix this.

The failing build result is still visible at

https://build.opensuse.org/package/live_build_log?arch=x86_64package=cifs-utilsproject=network%3Asamba%3ASTABLErepository=Mandriva_2011

Acked-by: Suresh Jayaraman sjayara...@suse.com
Signed-off-by: Lars Mueller lmue...@suse.com

commit a91fb0671273e4ef9079ee7860574c460aa94a51
Author: Jeff Layton jlay...@samba.org
Date:   Fri Apr 20 07:59:17 2012 -0400

mount.cifs: remove unnecessary getuid() check in libcap version of 
toggle_dac_capability

I'm not sure what I was thinking when I added that check in, but it's
been there since the inception. We shouldn't care at all what the
real uid is when we call toggle_dac_capability and indeed we don't
care with the libcap-ng version. Remove that check.

Signed-off-by: Jeff Layton jlay...@samba.org

commit bab572a89bd0d989bd761e8cea926dfcf48b938d
Author: Jeff Layton jlay...@samba.org
Date:   Wed May 2 14:25:28 2012 -0400

mount.cifs: don't pass credentials= option to the kernel

We handle this option in userspace, so there's little value in also
passing it to the kernel.

Also fix minor double-comma nit in the options string.

Reported-by: Ronald ronald...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 9410c776a3bd69a8434e5f01174bc59f08e7e62a
Author: Jeff Layton jlay...@samba.org
Date:   Mon May 14 06:41:29 2012 -0400

doc: update mailing list

Signed-off-by: Luk Claes l...@debian.org

commit

Re: [Samba] mount.cifs Is it possible to have a file owned by the user who creates the file?

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, 17 May 2012 14:37:00 +0200
steve st...@steve-ss.com wrote:

 On 05/17/2012 02:34 AM, Jeff Layton wrote:
  On Wed, 16 May 2012 17:30:23 +0200
  stevest...@steve-ss.com  wrote:
 
  On 05/16/2012 02:56 PM, steve wrote:
  Hi
  e.g.
  mount.cifs //192.168.1.6/reports /mnt -o rw,setuids,nodev,user=steve2
 
  Any file created in the share is always owned by steve2 (or the person
  who mounted the share).
 
  According to man cifs(8), the setuids overrides this but doesn't seem
  to work for us. We'd like it to be the same behavior as nfs if that's
  possible.
 
  Version 4.0.0alpha21-GIT-46a41d0 with s3fs
 
  Cheers,
  Steve
 
 
  CORRECTION:
  It _looks_ as though it's owned by the person specified as user _when in
  the share_ but the actual file (the unmounted file) is always owned by 
  root.
  Steve
  Sadly, permissions enforcement and handling in cifs.ko are badly
  broken by default.
 
  The only way to do this properly is to switch to using multiuser
  mounts. Have a look at the multiuser option in mount.cifs(8) and
  cifscreds(1).
 
  Cheers,
 Hi Jeff
 Thanks for the confirmation. Strangely, I found by accident that using 
 the .gvfs smb:// mount in Nautilus does actually create user owned 
 files. I'm sure that there must be a catch there somewhere though:
 

AFAIK, the .gvfs stuff uses a libsmbclient fuse-based fs. Apples and
oranges here...

 kinit Administrator
 mount.cifs -o rw,uid=308,sec=krb5 //server/share /somewhere
 

Calling mount.cifs directly isn't recommended. It's a mount helper
that's intended to only be called from /bin/mount.

 produces uid 308 files no matter who accesses the share. Leaving off 
 the uid= creates files as uid=root. Maybe the .gvfs is doing what you 
 described on a who-ever-is-logged-in-and-access's-it basis?
 

That's correct behavior. If you've specified uid= which tells the
client to forcibly override all of the uids in the inodes with the
value you provided.

It can't do that on the server however. All the server sees is a call
to create a file that came from the client by Administrator. That
probably doesn't match up to uid 308 on the server, which is why
you see the mismatch.

What you may want to do is to instead use -o sec=krb5,multiuser,
which will make cifs.ko switch to multiuser mode. In that mode, each
uid on the client that accesses the mount will do so using their own
credentials and (most importantly) the client won't try to enforce
permissions locally.

It does mean that every user who accesses the mount will need a krb5
ticket however instead of every user sharing the same set of
credentials.

- -- 
Jeff Layton jlay...@samba.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.18 (GNU/Linux)

iQIcBAEBAgAGBQJPvhjQAAoJEAAOaEEZVoIVyq4P/j7te66su6d4RkZJ6DOPELae
v89mjwfn79ro4JBRnrdj8M2Qo7vO3a4Y/F7x0VhO2mVmU5P8JPmzunCuS/z31G+k
7hHUCTbl1sME2tePHk18SybW/zbrKINPJjK+pzkyoDfWLRZjDF0yeJv2rSFjI2ET
tAd71oZ2gyOtPJemZwAkeGrqDIEENS0D5m1U0HNKkOyqd7VJxxvu+C6Z8bD2jYKR
ByO63Fe6D7YM+ldGPCR+XLgGj7aBTzeWTdrvzPXWPMEl09btG7Yy6kktlLanae3T
a6LZ2p2r66/18OfFgZpR9Mifgd4diZx/bNTKaM59joh1DUyrPOT8o7xs7Pdi2XW6
E+NUCbDoZZ4zo7mfdZDRHYTVDw6Z6LhXE6O+gvpzBvMeDVWx4ciW+64c2ml6GdIv
NS1wX74joA7Hwb9Mnnr5mhUUjnZXpviSDFFY6DESEI4okJFY7bxGv6+rllnPrbji
GKqW4xhR0Bl9/TzXnKY4yvJMcL94wbuLo+c1TGKcC6Q+ObNEHrcny3LMe+wYb2fo
rCwPrZ3essw6J8j6/u42eol0pC4BjWgfMr1ex/HTyHiMycCTKd+rVL2cO94751at
spGZ15HZ9hMJZow0S9A41/JG+5enHSz+PX4DfnFAIKd+rpIbqX2N1bkZsyyIup/s
Yc32hr1g5iphc5g9hueH
=R+2L
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)

[Jeff Layton]

On Tue, 22 May 2012 15:24:56 +0200
Michael Wood esiot...@gmail.com wrote:

 On 21 May 2012 17:44, Jeff Layton jlay...@samba.org wrote:
  On Mon, 21 May 2012 09:59:44 -0500
  scott_purc...@dell.com wrote:
 
  Early responses are not encouraging.  It sounds like this was not an 
  accidently happening, but they *intend* to obscure the root level of the 
  share.
 
  Might it work to try to downgrade my Samba installation to a version prior 
  to the introduction of this bug?  If so, do you know which version would 
  be the latest to still work?
 
 
  No, it was not intentional, just not simple to fix.
 
 I think you misinterpreted Scott's message :)
 
 I read it to mean that the people who set up his NAS intended for the
 root of the share to be obscured.  Not that the cifsfs developers
 intended to break things.
 

Yes, he mailed that to me privately later. He also asked whether
downgrading the client's kernel might help here. It might, but you'll
need to go pretty far back -- pre-3.0 or so...

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)

[Jeff Layton]

On Mon, 21 May 2012 09:59:44 -0500
scott_purc...@dell.com wrote:

 Early responses are not encouraging.  It sounds like this was not an 
 accidently happening, but they *intend* to obscure the root level of the 
 share.
 
 Might it work to try to downgrade my Samba installation to a version prior to 
 the introduction of this bug?  If so, do you know which version would be the 
 latest to still work?
 

No, it was not intentional, just not simple to fix.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)

[Jeff Layton]

On Fri, 18 May 2012 16:32:29 -0500
scott_purc...@dell.com wrote:

 Yes, I think that has been the normal behavior since our data was moved to 
 this device.  I assumed it was due to filesystem permissions -- that I don't 
 have read access to the root level of the share, but do have r/w access to 
 the /training/ directory below it.
 
 Using smbclient, get NT_STATUS_ACCESS_DENIED when I try:
 
   ls 
   ls training
   ls /training
   ls /training/
 
 but if I cd to training, I can list its contents.
 
 BTW, 
 
 I've tried appending the path in my mount command as well and mount.cifs 
 still doesn't handle it:
 
 

Known problem since the superblock sharing patches went in. cifs.ko
needs to establish a dentry and inode for the root of the share and
then walks down to the prefixpath for the mount. Unfortunately if you
don't have access to any point along that path, the mount will fail.

There have been a couple of proposals to fix it, but they've had their
own problems. What probably needs to happen is to do something like
what NFS does in its superblock sharing model. Allow several trees of
dentries within a superblock and only connect them later if we happen
to stumble across the right entry. See commit 54ceac45159 for an
explanation of the model NFS uses for this.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Edit security/permissions of Windows share from Linux client?

[Jeff Layton]

On Thu, 17 May 2012 04:54:14 -0700
Jack Bates v1t...@nottheoilrig.com wrote:

 Is there a way to edit the security/permissions of a Windows share from 
 a Linux client?
 
 The Windows share belongs to a Windows Server 2008 server. From a 
 Windows client I can go to the Security tab of the Properties dialog 
 and edit the permissions. I want to do effectively the same thing, but 
 from my Linux client
 
 Is there any way?

Recent cifs-utils versions contain the getcifsacl and setcifsacl
programs that allow you to query and set ACLs directly. That does
require a relatively recent kernel (2.6.37 or so).

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs Is it possible to have a file owned by the user who creates the file?

[Jeff Layton]

On Wed, 16 May 2012 17:30:23 +0200
steve st...@steve-ss.com wrote:

 On 05/16/2012 02:56 PM, steve wrote:
  Hi
  e.g.
  mount.cifs //192.168.1.6/reports /mnt -o rw,setuids,nodev,user=steve2
 
  Any file created in the share is always owned by steve2 (or the person 
  who mounted the share).
 
  According to man cifs(8), the setuids overrides this but doesn't seem 
  to work for us. We'd like it to be the same behavior as nfs if that's 
  possible.
 
  Version 4.0.0alpha21-GIT-46a41d0 with s3fs
 
  Cheers,
  Steve
 
 
 CORRECTION:
 It _looks_ as though it's owned by the person specified as user _when in 
 the share_ but the actual file (the unmounted file) is always owned by root.
 Steve

Sadly, permissions enforcement and handling in cifs.ko are badly
broken by default.

The only way to do this properly is to switch to using multiuser
mounts. Have a look at the multiuser option in mount.cifs(8) and
cifscreds(1).

Cheers,
-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] SMBD not running

[Jeff Zeilmann]

All,

I cloned a machine running AIX 5.3 (TL11) and it had Samba 3.0.29 on it.  
Everything is working fine with the exception of Samba.  When I start Samba, 
nmbd starts, but smbd does not.  I checked under /var/log/samba and there is no 
log file there.  All looks correct in the inetd.conf file, and as far as I can 
tell, the services file is correct.  I have several ports that I have been 
checking, but I am not sure which one is key.

My records show these as being ports that are used:
TCP port 445
UDP 137, 138
TCP 137, 139
TCP 901

I even tried upgrading to the latest Samba (3.6) hoping that it was just one of 
the files being corrupted, but still the same thing.  In inetd.conf, I have the 
following lines:
netbios-ssn stream tcp nowait root /opt/pware/sbin/smbd smbd
netbios-ns dgram upd wait root /opt/pware/sbin/nmbd nmbd

What could it be?

Please email me directly, as I am not currently not joined on the list.

Any help you can offer would be greatly appreciated.

Thanks,
Jeff
jeff.zeilm...@clientservices.commailto:jeff.zeilm...@clientservices.com



This message, and any attachment(s), contains CONFIDENTIAL information.
This transmission is intended to be for the sole use of the individual(s) or 
entity(ies) named on the e-mail transmission message. If you are not the 
intended recipient, you are hereby advised that any review, disclosure, 
copying, distribution or use of the information, contents and/or attachments of 
this e-mail message is prohibited. If you have received this transmission in 
error, please immediately delete this message and notify us of this error by 
telephone at (800) 521-3867. Thank you.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] SMBD not running

[Jeff Zeilmann]

All,
 
I cloned a P5 machine running AIX 5.3 TL7 and it had Samba
3.0.29 on it.  The machine I cloned it to is a P7 running AIX 5.3 TL11.  
Everything is working fine with the exception of
Samba.  When I start Samba, nmbd starts, but smbd does not.  I
checked under /var/log/samba and there is no log file there.  All looks
correct in the inetd.conf file, and as far as I can tell, the services file is
correct.  I am using my original smb.conf file, and there is no active 
directory integration.  I have several ports that I have been checking, but I 
am not
sure which one is key.
My records show these as being ports that are used:
TCP port 445
UDP 137, 138 
TCP 137, 139
TCP 901
I even tried upgrading to the latest Samba (3.6) hoping that
it was just one of the files being corrupted, but still the same thing. 
In inetd.conf, I have the following lines:
netbios-ssn stream tcp nowait root /opt/pware/sbin/smbd smbd
netbios-ns dgram upd wait root /opt/pware/sbin/nmbd nmbd
What could it be?
 
Any help you can offer would be greatly appreciated.
 
Thanks,
 
Joe
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 5.4 is ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Since we now have a fix of sorts for CVE-2012-1586, it seems like as
good a time as any to do a new release. Go forth, download and build
cifs-utils-5.4.

Highlights:

 * the rootsbindir can now be specified at configure time

 * mount.cifs now supports the -s option by passing sloppy to the
   kernel in the options string

 * cifs.upcall now properly respects the domain_realm section in
   krb5.conf

 * unprivileged users can no longer mount onto dirs into which they
   can't chdir (fixes CVE-2012-1586) 

webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.3:

commit 9d74366169305bd3ea3c4bac036bfc982aa15648
Author: Jeff Layton jlay...@samba.org
Date:   Sun Feb 12 07:32:27 2012 -0500

autoconf: set release to 5.3.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit f9524f772c62bbfd7c190b8249ed66990ed3227a
Author: Jeff Layton jlay...@samba.org
Date:   Sun Feb 12 07:33:01 2012 -0500

autoconf: set release to 5.3.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit c753cfe5491cfb1f1f74ca41444706383ab9f0e3
Author: Jeff Layton jlay...@samba.org
Date:   Sun Feb 12 07:33:05 2012 -0500

cifs-utils: allow specifying rootsbindir at configure time

...via the $ROOTSBINDIR environment variable, and AC_ARG_VAR macro.
The default is to use /sbin for this value, which only currently
affects the installation location of mount.cifs.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 1c2f85a6aecffa7260709e5a44d77335bcade13f
Author: Jeff Layton jlay...@samba.org
Date:   Mon Feb 20 09:02:54 2012 -0500

manpage: update wsize= entry to account for change in default wsize

Signed-off-by: Jeff Layton jlay...@samba.org

commit f6384b4fe1ffdeebee3e9d73dd533a4fbf83b6d8
Author: Jeff Layton jlay...@samba.org
Date:   Thu Feb 23 10:42:09 2012 -0500

mount.cifs: fix tests for strtoul success

The current test just looks to see if errno was 0 after the conversion
but we need to do a bit more. According to the strtoul manpage:

If there were no digits at all, strtoul() stores the original value
of nptr in *endptr (and returns 0).

So, if you pass in a string of letters, strtoul will return 0, but
won't actually have converted anything. Luckily, in most cases, /bin/mount
papers over this bug by doing uid/gid conversions itself before calling
mount.cifs.

Fix this by also checking to ensure that strtoul() converted the entire
string in addition to checking that it didn't set errno. While we're at
it, fix the test in backupuid/backupgid options as well which don't
currently check whether errno got set.

Reported-by: Kyle Squizzato ksqui...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit b0bc3861bfc7b258045d1d456cf2ef4a43ea9562
Author: Jeff Layton jlay...@samba.org
Date:   Tue Mar 6 10:54:28 2012 -0500

mount.cifs: add support for -s option

autofs generally calls mount helpers with '-s'. Handle that the same
way we do for NFS -- append ,sloppy option to the mount options.

The kernel can look for that option to decide whether to ignore
unknown mount options, warn, or error out.

Signed-off-by: Jeff Layton jlay...@samba.org

commit c5dcf26c0d87d9e8342d2c946e039066de29d30a
Author: Jeff Layton jlay...@samba.org
Date:   Thu Mar 29 09:11:29 2012 -0400

cifs.upcall: use krb5_sname_to_principal to construct principal name

Currently, we build the string by hand then then construct the
principal name with krb5_parse_name. That bypasses the domain_realm
section in krb5.conf however.

Switch the code to use krb5_sname_to_principal instead which is more
suited to this task. In order for that to work, we change a couple of
calling functions to pass down a hostname instead of a principal
name, and then pass in cifs as the service name.

Reported-and-Tested-by: Nirupama Karandikar nkara...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit fd31a7c0ba7f1282d2d81193d4d100fdc926b99b
Author: Jeff Layton jlay...@samba.org
Date:   Mon Apr 2 15:28:56 2012 -0400

mount.cifs: don't allow unprivileged users to mount onto dirs to which they
can't chdir

If mount.cifs is installed as a setuid root program, then a user can
use it to gather information about files and directories to which he
does not have access.

One of the first things that mount.cifs does is to chdir() into the
mountpoint and then proceeds to perform the mount onto .. A malicious
user could exploit this fact to determine information about directories
to which he does not have access

Re: [Samba] Transfer speed

[Jeff Layton]

On Tue, 10 Apr 2012 15:43:53 +0200
Emmanuel Florac eflo...@intellique.com wrote:

 Le Tue, 10 Apr 2012 08:26:48 -0500
 Chris Weiss cwe...@gmail.com écrivait:
 
  that's dramatic!  what needs done (from a user POV) to get this
  backported into Stable distro kernels?  suggestions?
 
 Most distros have recent kernels available in their repositories AFAIK.
 I personnally prefer to compile my own kernels from vanilla unpatched
 source.
 
 BTW I've tested with 3.1.10 too, and it falls in between 2.6.35 and
 3.2 : writes fast at 100 MB/s like 3.2 but reads slowly at 35 MB/s
 like 2.6.35. 
 

That's because async write support went in first (3.0?) and then async
read support went into 3.2 or 3.3.

3.4 will get async write support for strictcache writes (when the client
doesn't have an oplock and is writing around the cache).

I'm currently working on a set of patches to do async reads around the
cache as well when we don't have an oplock, and at that point I'll
propose to make strictcache the default (as the protocol mandates).

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Transfer speed

[Jeff Layton]

On Tue, 10 Apr 2012 16:36:56 +0200
Volker Lendecke volker.lende...@sernet.de wrote:

 On Tue, Apr 10, 2012 at 08:55:14AM -0500, Chris Weiss wrote:
  On Tue, Apr 10, 2012 at 8:53 AM, Volker Lendecke
  volker.lende...@sernet.de wrote:
   On Tue, Apr 10, 2012 at 08:26:48AM -0500, Chris Weiss wrote:
   that's dramatic!  what needs done (from a user POV) to get this
   backported into Stable distro kernels?  suggestions?
  
   Wait until the next major releases pick it up.
  
  that's a really crappy option.  in certain cases that
  could be 4 years from now.
 
 Well, if you are an important enough RH customer you might
 be able to apply pressure. But that's a LOT of money
 probably. Same for SuSE. Debian will likely be very
 resistant against that kind of bribery^Wincentive.
 

The patches involved here are pretty invasive. Backporting them is not
for the faint-of-heart.

Async write support went into RHEL 6.2. So far, no one has piped up to
request async read support in RHEL6 yet, but we may backport it there
at some point if someone requests it.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] system freeze with message CIFS VFS: Unexpected lookup error -88

[Jeff Layton]

On Thu, 23 Feb 2012 15:31:40 +0100
Denis Cardon denis.car...@tranquil-it-systems.fr wrote:

 Hi everyone,
 
 I have had a few system freezes in the recent months (debian squeeze 
 with vmlinuz-2.6.32-5-686-bigmem), with the following message in dmesg :
 
 CIFS VFS: Unexpected lookup error -88
 CIFS VFS: Send error in SessSetup = -88
 
 It is the same symptoms as in the redhat bugzilla :
 
 https://bugzilla.redhat.com/show_bug.cgi?id=711400
 
 It it mentionned that it is patched in redhat kernel 
 kernel-2.6.32-170.el6, but I have not found any information if that 
 patch was sent upstream, and if yes, in which cifs module version.
 
 If anyone has information on this one, I'd be glad to hear.
 
 Cheers,
 
 Denis Cardon

It's upstream commit 7fdbaa1b.

Cheers,
-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Does Samba affect leap second?

[Jeff Sadowski]

On Wed, Feb 22, 2012 at 6:23 PM, ITPFS oota t-o...@dh.jp.nec.com wrote:
 At 2012-06-30, leap second will be introduced.

 ftp://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat

 Does Samba affect leap second?

I pretty sure this would be taken care of by ntp.

 --
 --- Oota Toshiya ---  t-oota at dh.jp.nec.com
 NEC Systems Software Operations Unit      Shiba,Minato,Tokyo
 IT Platform Solutions Division            Japan,Earth,Solar system
 (samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster)
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs gives error 13 after changing servers -- hidden cache??

[Jeff Layton]

On Wed, 15 Feb 2012 13:23:06 -0600
Digit Ijit digiti...@gmail.com wrote:

 A sysadmin moved a share from one Windows server to another.  I am now
 getting error 13 when trying to mount the share from the new server.
 
 The following worked before the server was replaced:
 
 mount.cifs //ipaddress1/share1$ /mnt/share1 -o
 credientials/home/whatever/.smbcredentials,rw
 mount.cifs //ipaddress2/share2$ /mnt/share2 -o
 credientials/home/whatever/.smbcredentials,ro
 
 Change: server ipaddress2 was replaced with server ipaddress3 and share2$
 was created on that server.
 
 mount.cifs //ipaddress1/share1$ /mnt/share1 -o
 credientials/home/whatever/.smbcredentials,rw
 Still works!
 mount.cifs //ipaddress3/share2$ /mnt/share2 -o
 credientials/home/whatever/.smbcredentials,ro
 FAILS with mount error(13): Permission denied
 
 However, I can browse to //ipaddress3/share2$ using nautilus, and it is
 also accessible from any Windows box on the network!  This problem looks
 similar to
 lists.samba.org/archive/samba/2011-June/162704.html.  Clearly, mount.cifs
 seems to cache information somewhere.  I have looked through /etc, /lib,
 /var and /proc for any evidence that ipaddress2 was cached, but cannot find
 anything.  Any tips on how to solve this problem?
 
 Thanks!

No, mount.cifs doesn't cache anything. It's more likely that the server
is just rejecting the authentication for some reason. mount.cifs
generally just passes the username and password to the kernel, so the
problem is likely there...

What kernel are you using on the client here, and what version of
cifs-utils do you have?

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 5.3 is ready for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

With the overhaul of the cifscreds utility, I figured this would be a
good time to do a new release.

Highlights:

* admins can now tell cifs.upcall to use an alternate krb5.conf file

* on remount, mount.cifs no longer adds a duplicate mtab entry

* the cifscreds utility has seen a major overhaul to allow for
  multiuser mounts without krb5 auth 

webpage:https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.1:

commit c3fff275e873fd9b9639124e993dd4ad737614db
Author: Jeff Layton jlay...@samba.org
Date:   Fri Dec 9 21:36:00 2011 -0500

autoconf: bump release to 5.2.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 2a9738cefaf8a9496ff0683e18357b3548da0b28
Author: Jeff Layton jlay...@samba.org
Date:   Sat Dec 10 06:49:33 2011 -0500

contrib: add a set of sample /etc/request-key.d files

Add a contrib directory, a set of sample /etc/request-key.d files and
a README that explains what they're for. This version sets the path
to the upcall programs based on the configure options.

Signed-off-by: Jeff Layton jlay...@samba.org

commit cee919c2f3fb7b96518b800680664a15a6551d93
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jan 10 18:30:56 2012 -0500

get/setcifsacl: don't link in -lkeyutils

These binaries don't use keys API at all. There's no need to link in
the keys library.

Reported-by: Frédéric L. W. Meunier  fred...@fredlwm.net
Signed-off-by: Jeff Layton jlay...@samba.org
Acked-by: Shirish Pargaonkar shirishpargaon...@gmail.com

commit 80682b216fed9ea52e1498890eb248567aba2a06
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jan 10 18:34:43 2012 -0500

cifs.upcall: allow admins to specify an alternate krb5.conf file

This was actually requested by the Red Hat QA group, who sometimes work
with multiple krb5.conf files when testing.

Requested-by: Marko Myllynen mylly...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit f46dd7661cfb87257c95081fc2071c934bfbbb16
Author: Carlos Maiolino cmaiol...@redhat.com
Date:   Mon Jan 16 12:29:49 2012 -0500

mount.cifs: Properly update mtab during remount

During a remount of a cifs filesystem, the mtab file is not properly
updated, which leads to a doubled entry of the same filesystem in the
/etc/mtab file.  This patch adds a new function del_mtab() which is
called before the add_mtab() in case the fs is being remounted.

The del_mtab() function will delete from the mtab, the old entry from
the filesystem which is being remounted, and then, calls add_mtab() to
add an updated entry to the mtab file.

Signed-off-by: Carlos Maiolino cmaiol...@redhat.com

commit 92be8b6775958814d39fb19247ff85947a2e4f9e
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jan 16 13:22:28 2012 -0500

mount.cifs: handle errors from rename() in del_mtab

The new del_mtab code ignored errors from rename(). Make it handle that
error as well like it does other errors.

Cc: Carlos Maiolino cmaiol...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 9da16c91477293e7b367127b0bdec92d9613440f
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jan 17 14:43:23 2012 -0500

util: move getusername to util.c

Signed-off-by: Jeff Layton jlay...@samba.org

commit 0c84231d1a735c10cad94b47a4a5e5eb560d1cdb
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jan 17 14:43:23 2012 -0500

cifscreds: add unused attribute to argv parm in cifscreds_clearall

...to eliminate this warning:

cifscreds.c: In function ‘cifscreds_clearall’:
cifscreds.c:422:47: warning: unused parameter ‘argv’

Signed-off-by: Jeff Layton jlay...@samba.org

commit 57881972fa03c3624ea06f3245e1ba6c84cc2d68
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jan 17 14:43:23 2012 -0500

cifscreds: eliminate domain parm from most functions

Eventually we'll add this back in a different way. The domain and
address should be exclusive of one another. IOW, we want the kernel to
be able to find credentials for a specific address or for the domain of
which the server is a member.

Signed-off-by: Jeff Layton jlay...@samba.org

commit d8b906abc655726079aaff753b3dfa7517b19067
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jan 17 14:43:24 2012 -0500

cifscreds: remove user parameter from create_description

The username should be part of the key payload and not part of
the description. Also, prefix the address with an a: in the
description. Eventually we'll also need a domain key variant.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 1578af7afadf0c9cb132ea9224c877dced1f0114
Author: Jeff

[Samba] unable to access swat with password on Unix server running AIX

[Larocque, Jeff]

I get this error and the only way around it is to use option -a

[2011/12/21 15:25:55, 0] auth/pampass.c:smb_pam_passcheck(810)
  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User root !

All the information I found out about this issue is for linux. AIX is not setup 
on this server to use pam and it does not have a /etc/pam.d file


I downloaded three versions of samba from pware. The newest for 32 and 64 bit 
and an older version with the same problem with all three.

Everything works except accessing swat using a password.

I think it has something to do with AIX 6.1 because I am running samba on 
another server that is running AIX 5.3 without this issue

I am still researching but if anyone has seen this before I would like to hear 
from you

Thanks


This electronic mail and any attached documents is intended solely for the 
named addressee(s) and contains confidential information.  If you are not an 
addressee, or responsible for delivering this email to an addressee, you have 
received this email in error and are notified that reading, copying, or 
disclosing this email is prohibited. If you received this email in error, 
immediately reply to the sender and delete the message completely from your 
computer system.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 5.2 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Things have been relatively quiet lately. Time for a release!

Highlights:

* A lot of manpage updates, additions and corrections

* cifs.idmap can now map uid/gid to SID in addition to the other way around

* getcifsacl/setcifsacl are now installed by default in /usr/bin
  instead of /usr/sbin. The manpages are now in section 1.

* cifs.upcall has a new scheme for picking the SPN on krb5 mounts. The
  hostname is now always lowercased. If we fail to get a ticket using
  an unqualified name, it now attempts to guess the domain name.

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.1:

commit 62a1005814793dd7fa5e819d6619065ae8edf240
Author: Jeff Layton jlay...@samba.org
Date:   Fri Sep 23 14:00:14 2011 -0400

autoconf: bump version to 5.1.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit f9df5f8e629176db7a1812f7914a45e2977c3e4c
Author: Jeff Layton jlay...@samba.org
Date:   Sat Sep 24 08:01:16 2011 -0400

acltools: install them in $bindir, not $sbindir

Move the manpages to section 1 since getcifsacl and setcifsacl are user,
not sysadmin tools. Get rid of the useless sed calls on the manpages.
They don't have any explicit paths in them that need replacing.

Also get rid of the 4.0 in the footers of all the manpages.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 814a5e1868e8a557cbff8181a480fb84b45abae7
Author: Jeff Layton jlay...@samba.org
Date:   Tue Oct 18 07:35:21 2011 -0400

manpage: move SEE ALSO section in setcifsacl.1 nearer to bottom

The convention is to have that close to the bottom of the manpage. In
this case, we want it after the EXAMPLES section.

Signed-off-by: Jeff Layton jlay...@samba.org

commit ca20bbff426d3b84c23df1df71d7a227206e
Author: Suresh Jayaraman sjayara...@suse.de
Date:   Tue Oct 18 08:01:21 2011 -0400

cifs-utils: mention the kernel version that introduced setcifsacl

Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Suresh Jayaraman sjayara...@suse.de

commit d9c1bf93015e6939d16a319411566de1563a93ca
Author: Suresh Jayaraman sjayara...@suse.de
Date:   Tue Oct 18 08:01:26 2011 -0400

cifs-utils: manpage: mention the kernel version that introduced getcifsacl

Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Suresh Jayaraman sjayara...@suse.de

commit a31ff1481f4dc633d2f32d1e0772d1da9b5dee46
Author: Suresh Jayaraman sjayara...@suse.de
Date:   Tue Oct 18 08:01:30 2011 -0400

cifs-utils: manpage: mention the required kernel version to make cifs.idmap 
work

Cc: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Suresh Jayaraman sjayara...@suse.de

commit c55ad41d1a11e897b4db166f800d4abd71d86652
Author: Shirish Pargaonkar shirishpargaon...@gmail.com
Date:   Wed Oct 19 14:18:07 2011 -0400

mount.cifs: Add mount options for backup intent and their manpages (try #8)

Add mount options backupuid and backugid and their manpage contents.
Check for either a valid uid/gid or valid user/group name.

Signed-off-by: Shirish Pargaonkar shirishpargaon...@gmail.com

commit e92709981e5d3e927a0ba823d7c94d7cf0940897
Author: Jeff Layton jlay...@samba.org
Date:   Wed Oct 19 14:18:12 2011 -0400

manpage: cleanups to new backupuid/gid sections

Minor cleanups and consistency fixes...

Cc: Shirish Pargaonkar shirishpargaon...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 71c358b25c9bcd9b030a8f6844eecd42488e6724
Author: Shirish Pargaonkar shirishpargaon...@gmail.com
Date:   Wed Oct 19 14:18:12 2011 -0400

cifs.idmap: Add uid/gid to SID mapping functions (try #3)

Add functions to map a uid and gid to a SID.  These functions are
similar to SID to uid and gid mapping functions. A SID is what is
returned to the cifs module.

Signed-off-by: Shirish Pargaonkar shirishpargaon...@gmail.com

commit b6eb2f2f9f5ce0c64c57e2f59ef2ce80932decca
Author: Jeff Layton jlay...@samba.org
Date:   Wed Oct 19 14:25:31 2011 -0400

manpage: document new rsize= behavior

With the addition of async readpages in 3.2 kernels, the behavior of
the rsize= option has changed.

Signed-off-by: Jeff Layton jlay...@samba.org

commit fa488d9fd2a0d722cfcccea6c84599366b58b0de
Author: Jeff Layton jlay...@samba.org
Date:   Sat Nov 12 09:58:02 2011 -0500

cifs.upcall: silence unused parameter warning

cifs.upcall.c: In function ‘cifs_krb5_principal_get_realm’:
cifs.upcall.c:80:57: warning: unused parameter ‘context’ 
[-Wunused-parameter]

Signed-off-by: Jeff Layton jlay...@samba.org

commit d540fe20e3943293f493a80529da012d00782ebe
Author: Jeff

[Samba] passing ip address to pdf printing script?

[Jeff Sadowski]

I have a samba printer entry that goes to script as follows

[pdf_printer]
   comment = Print to create PDF
   printing = LPRNG
   path = /tmp/
   printable = yes
   print command = /usr/local/bin/printpdf %s %u %H %J
   guest ok = yes

I was looking at the documentation and all I see are


   -

   *%s, %f* the path to the spool file name.
   -

   *%p* the appropriate printer name.
   -

   *%J* the job name as transmitted by the client.
   -

   *%c* the number of printed pages of the spooled job (if known).
   -

   *%z* the size of the spooled print job (in bytes).


as options. I want to know if there is a way to pass the ip of the computer
sending the print job to my script?

I'd like to have my script place the pdf back on their machines.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 5.1 available for download

[Jeff Layton]

We've had a number of changes since the last release, and we have some
other upcoming kernel changes that might require corresponding
cifs-utils changes. So it's probably as good a time as any for a new
release.

Highlights:

+ fix for a minor security issue that can corrupt the mtab

+ new getcifsacl/setcifsacl tools that allow you to fetch and set raw
  Windows ACLs via an xattr.

+ a lot of manpage patches

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.0:

commit 2c9e666011c352605a019ee82f39eefb53cc6ad8
Author: Jeff Layton jlay...@samba.org
Date:   Fri Jul 8 09:59:26 2011 -0400

autoconf: bump release number to 5.0.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 775610358cb4cff8a6f322d0e8d5fade078f6f54
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 12 07:30:57 2011 -0400

manpage: add some missing options to mount.cifs.8

Clarify servernetbiosname parameter name, add mention of ignorecase, and
add a section on noposixpaths.

Signed-off-by: Jeff Layton jlay...@samba.org

commit f6eae44a3d05b6515a59651e6bed8b6dde689aec
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 12 08:19:33 2011 -0400

mtab: handle ENOSPC/EFBIG condition properly when altering mtab

It's possible that when mount.cifs goes to append the mtab that there
won't be enough space to do so, and the mntent won't be appended to the
file in its entirety.

Add a my_endmntent routine that will fflush and then fsync the FILE if
that succeeds. If either fails then it will truncate the file back to
its provided size. It will then call endmntent unconditionally.

Have add_mtab call fstat on the opened mtab file in order to get the
size of the file before it has been appended. Assuming that that
succeeds, use my_endmntent to ensure that the file is not corrupted
before closing it. It's possible that we'll have a small race window
where the mtab is incorrect, but it should be quickly corrected.

This was reported some time ago as CVE-2011-1678:

http://openwall.com/lists/oss-security/2011/03/04/9

...and it seems to fix the reproducer that I was able to come up with.

Signed-off-by: Jeff Layton jlay...@samba.org
Reviewed-by: Suresh Jayaraman sjayara...@suse.de

commit aa442e80e754f2952b0d90dbdbf2cb2807816ed2
Author: Shirish Pargaonkar shirishpargaon...@gmail.com
Date:   Mon Jul 18 12:06:03 2011 -0400

manpages: add contents for mount option cifsacl (try #3)

Manpage contents for cifs mount option cifsacl

Signed-off-by: Shirish Pargaonkar shirishpargaon...@gmail.com

commit d791892d901adde0dfb9e8d1099488f078704c73
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 19 08:12:13 2011 -0400

manpage: corrections and cleanups to the cifsacl option sections

..also update the part that describes what kernel version this manpage
is accurate against.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 861824f588a870da7c110b6f199eb5ce7d4dc476
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 19 14:53:47 2011 -0400

cifs-utils: add a note about inclusion of keys.dns_resolver program in 
keyutils

As of version 1.5, the keyutils package is shipping a generic
dns_resolver upcall. Add a note to the cifs.upcall manpage that mentions
this and recommends the use of that program over cifs.upcall.

Eventually, we may want to be able to conditionally compile out the
dns_resolver part of the upcall, but it's already pretty small and
wouldn't save us very much.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 1e7a32924b22d1f786b6f490ce8590656f578f91
Author: Jeff Layton jlay...@samba.org
Date:   Fri Jul 29 07:12:48 2011 -0400

mount.cifs: check_newline returns EX_USAGE on error, not -1

Reported-by: Jan Lieskovsky jlies...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit e0bb4418f79cb8670d06170fcd33c286839d258e
Author: Jeff Layton jlay...@samba.org
Date:   Tue Aug 23 09:02:11 2011 -0400

autoconf: fix help message for --enable-cifsidmap

It currently says no is the default, but it should be yes.

Reported-by: Elias Pipping pipp...@lavabit.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 86ec330e309af06459f8e64aad7899fd3fb7a9bf
Author: Shirish Pargaonkar shirishpargaon...@gmail.com
Date:   Thu Aug 25 14:16:23 2011 -0400

cifsacl: Add file cifsacl.h (try #2)


Add defines and structures related to security descriptor, ACL,
ACE, various fields within an ACE, and SID.
Also define various file permissions and acess types.


Signed-off-by: Shirish Pargaonkar shirishpargaon...@gmail.com

commit

Re: [Samba] Clearcase, Samba, and mnode values

[Jeff Layton]

On Thu, 8 Sep 2011 10:14:47 -0700
Kathy banshee...@gmail.com wrote:

 That's possible and yesterday I was looking at possibly using Valgrind
 to see if I could dig further into that idea.  I've never used it
 before, though, so not sure if there is an easier method to detect
 kernel memory leaks.
 
 And about static things in swap, I agree.  I have noticed on our old
 Clearcase/Samba server, that it consumes all the memory down to about
 150M plus 72k of swap and just sits there like that.  Seems to be fine
 and can run for 2 months or longer like that.  That server, though,
 has only 4 gigs of memory and so I was assuming that it did that
 because it didn't have a lot of memory.  However, this new Clearcase
 server, which has 32 GB of memory appears to perhaps want to do the
 same thing.  So I began to wonder if that is just normal behavior --
 i.e., it caches all its memory.  But I think it's a problem because
 people started to report Clearcase running really really slow when it
 got down to almost nothing left and it just seems odd that it would
 consume all 32 GB of memory in less than 12 hours.
 

That's normal. Linux will use up as much free RAM as it can to cache
file data, based on the principle that free RAM is wasted RAM. What
really matters is not free RAM, so much as *reclaimable* RAM.

If the memory is clean (meaning that it doesn't have data that needs to
be written back out), then the kernel can just free it on a
least-recently-used basis when the need arises. If not, then the kernel
will require more active participation to free up memory, which is
comparatively slow.

I think you'll probably need to step back and determine what the
application is doing when it becomes slow. It may very well be that
there is a problem with memory allocation at that time that's causing
the slowdown. But, you can't really assume that or you might end up down
a rabbit hole that has nothing to do with the real problem. Determining
that will probably require help from IBM as only they have real insight
into clearcase -- it's a closed source program, after all.

Either way, it's highly doubtful that this has anything to do with
samba.

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs - Unisys MCP Mainframe -- Linux touch command setting times of `testfile.txt': Permission denied

[Jeff Layton]

On Wed, 31 Aug 2011 14:55:26 -0400
Tim Lank timl...@timlank.com wrote:

 the mount.cifs is from (cifs-utils-4.8.1-2.el6.x86_64)
 
 
 On Tue, Aug 30, 2011 at 8:05 PM, Tim Lank timl...@timlank.com wrote:
 
  I've got a share from a Unisys MCP Mainframe mounted with mount.cifs from
  RHEL 6.1 (samba-common-3.5.6-86.el6.x86_64).
 
  when I try to touch a file, it creates the file, but reports an error -
  setting times of `testfile.txt': Permission denied
 
  strace on the touch command shows that it is erroring out on the
  utimensat() call
 
  utimensat(0, NULL, NULL, 0) = -1 EACCES (Permission denied)
 
  Documentation from the Unisys Mainframe can be found here
 
  http://public.support.unisys.com/aseries/docs/clearpath-mcp-12.0/pdf/70118328-103.pdf
  Pages:  C-2 and C3 show what POSIX functions are/not supported
  utime() and utimensat() are not among the supported functions listed there.
 
 
  Is there any combination of parameters to mount.cifs that can be used that
  would prevent touch from reporting this error?
 
 
 

(cc'ing linux-cifs ml)

Most likely, this is a local (unix) permissions issue. CIFS has a rather
unintuitive permissions model. It attempts to enforce permissions
locally, but doesn't really have enough information to do so properly.
This leads to these sorts of problems.

When you create files as a particular user, then they end up being
owned by the default file owner on the mount rather than the user
that just created the file. Then when you go to set the time, the
kernel tries to enforce the permissions on the file and denies you
access to do so. This varies somewhat depending on whether CIFS posix
extensions are in force, but it's a common problem.

The best scheme is to switch the mount to being multiuser, but that
requires a kerberized setup at the moment.

Another workaround is to mount with '-o noperm' which disables local
permissions checking entirely. This will however allow any process on
the box to read and write to the server using the mount credentials.

Another idea is to get creative with the uid=,gid=,file_mode=, and
dir_mode= options. See the mount.cifs manpage. If you're careful, you
can craft a set of options that will allow the users you want to have
proper access without opening everything up.

My SambaXP talk from last year covers a lot of this in detail if you're
interested

http://sambaxp.org/index.php?id=38

Good luck!
-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs - Unisys MCP Mainframe -- Linux touch command setting times of `testfile.txt': Permission denied

[Jeff Layton]

On Wed, 31 Aug 2011 17:35:39 -0400
Tim Lank timl...@timlank.com wrote:

 On Wed, Aug 31, 2011 at 3:41 PM, Jeff Layton jlay...@redhat.com wrote:
 
  On Wed, 31 Aug 2011 14:55:26 -0400
  Tim Lank timl...@timlank.com wrote:
 
   the mount.cifs is from (cifs-utils-4.8.1-2.el6.x86_64)
  
  
   On Tue, Aug 30, 2011 at 8:05 PM, Tim Lank timl...@timlank.com wrote:
  
I've got a share from a Unisys MCP Mainframe mounted with mount.cifs
  from
RHEL 6.1 (samba-common-3.5.6-86.el6.x86_64).
   
when I try to touch a file, it creates the file, but reports an error -
setting times of `testfile.txt': Permission denied
   
strace on the touch command shows that it is erroring out on the
utimensat() call
   
utimensat(0, NULL, NULL, 0) = -1 EACCES (Permission denied)
   
Documentation from the Unisys Mainframe can be found here
   
   
  http://public.support.unisys.com/aseries/docs/clearpath-mcp-12.0/pdf/70118328-103.pdf
Pages:  C-2 and C3 show what POSIX functions are/not supported
utime() and utimensat() are not among the supported functions listed
  there.
   
   
Is there any combination of parameters to mount.cifs that can be used
  that
would prevent touch from reporting this error?
   
   
   
 
  (cc'ing linux-cifs ml)
 
  Most likely, this is a local (unix) permissions issue. CIFS has a rather
  unintuitive permissions model. It attempts to enforce permissions
  locally, but doesn't really have enough information to do so properly.
  This leads to these sorts of problems.
 
  When you create files as a particular user, then they end up being
  owned by the default file owner on the mount rather than the user
  that just created the file. Then when you go to set the time, the
  kernel tries to enforce the permissions on the file and denies you
  access to do so. This varies somewhat depending on whether CIFS posix
  extensions are in force, but it's a common problem.
 
  The best scheme is to switch the mount to being multiuser, but that
  requires a kerberized setup at the moment.
 
  Another workaround is to mount with '-o noperm' which disables local
  permissions checking entirely. This will however allow any process on
  the box to read and write to the server using the mount credentials.
 
  Another idea is to get creative with the uid=,gid=,file_mode=, and
  dir_mode= options. See the mount.cifs manpage. If you're careful, you
  can craft a set of options that will allow the users you want to have
  proper access without opening everything up.
 
  My SambaXP talk from last year covers a lot of this in detail if you're
  interested
 
 http://sambaxp.org/index.php?id=38
 
  Good luck!
  --
  Jeff Layton jlay...@redhat.com
 
 
 Jeff,
 
 Thanks for all the info.
 
 A wireshark analysis shows that the Mainframe here is returning a frame that
 shows that the file is created and granted exclusive open for writing.  The
 file actually gets created on the Mainframe (presumably because of the
 combination of my uid=,gid=,file_mode=, and
 dir_mode= options) and I can modify it from all users on the mount.cifs
 box.  The next request is from the mount.cifs box to modify Created, Last
 Access, Last Write, and Change timestamp attributes for the (already)
 opened file.  The response frame from the Mainframe is a basic Access
 Denied message which I suppose the touch command turns into a setting
 times of ... Permission Denied message being returned.
 

In that case, none of what I said above applies :)

This sounds like a server implementation issue. If the server doesn't
support this call, then there's not much you can do other than report
it to them as a bug and plan to ignore it.

 I'd like to try and get a kerberized setup going with mount.cifs.  I see the
 sec=krb5 option, but is there a series of other config steps that I need to
 perform (modifying /etc/krb5.conf for example).  Supposedly the Mainframe
 already has kerberos mapping setup for all the users on our mount.cifs
 system.
 
 Any references (besides the mount.cifs manpage) that you can provide that
 walk through the kerberized setup would be appreciated.
 

There isn't much, mostly you need to set up krb5 on the client, and
then set up cifs.upcall to be called when the kernel requests a key
(see the cifs.upcall manpage for details on that). After that it should
just work.

That said, it's not likely to help this specific problem...

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] win98se logon

[Jeff Savastano]

Hi all,

hope someone can help me out with this.   out of the blue all of my win98 
machines (4 of them) cant access my domain.  I know they should be upgraded to 
a 
XP, but the app that we use on them only runs on 98.  the error i get on logon 
is:

the domain password you supplied is not correct, or access to your logon server 
has been denied.

at first i was thinking that it was the win98 machine, only one of them was 
having a problem, but they all now have the problem.  this problem first 
started 
on monday.  i finally got the machine to logon on after i dleted all of the 
network info and reinstalled.  but the next day the same problem, and the 
reinstall didnt work.  


does any one have any ideas

smb.conf

[global] 
 workgroup = COZY
 netbios name = COZY_SRV  
 server string = Cozy Samba Server
 passdb backend = tdbsam 
 security = user  
 client ntlmv2 auth = yes
 wins support = Yes
 wins proxy = No
 lanman auth = yes
 ntlm auth = Yes
 
 
 add user script = /usr/sbin/useradd -m %u 
 delete user script = /usr/sbin/userdel -r %u 
 add group script = /usr/sbin/groupadd %g  
 delete group script = /usr/sbin/groupdel %g  
 add user to group script = /usr/sbin/usermod -G %g %u 
 add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null  -g machines 
%u 

 
 # The following specifies the default logon script  
 # Per user logon scripts can be specified in the user 
 # account using pdbedit logon script = logon.bat 
 # This sets the default profile path. 
 # Set per user paths with pdbedit 
 logon drive = H: 
 logon script = logon.bat 
 domain logons = Yes 
 os level = 35 
 preferred master = Yes 
 domain master = Yes 
 logon path =
  logon home =

[homes] 
 comment = Home Directories 
 valid users = %S 
 read only = No  
[netlogon]  
 comment = Network Logon Service 
 path = /data/scripts
# path = /var/lib/samba/netlogons/scripts 
 browseable = No  
 read only = No
# For profiles to work, create a user directory under the 
# path shown. 
# mkdir -p /var/lib/samba/profiles/john 
[Profiles] 
 comment = Roaming Profile Share 
 path = /home
 read only = No 
 browseable = No 
 guest ok = Yes
 create mask = 0600
 drectory mask = 0700
 writable = yes
 profile acls = Yes  
[data]
 path = /data
 writeable = yes
 browseable = yes
 guest ok = yes
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[vol1]
 path = /data/vol1
 writeable = yes
 browseable = yes
 guest ok = yes
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[vol2]
 path = /data/vol2
 writeable = yes
 browseable = yes
 force group = sambausers
 guest ok = yes
 read only = no
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[software]
 path = /data/software
 writeable = yes
 browseable = yes
 guest ok = yes
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[quick_p]
 path = /data/embroidery/Quick_P_Outputs
 writeable = yes
 browseable = yes
 guest ok = yes
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[ethos]
 path = /data/embroidery/ethos
 writeable = yes
 browseable = yes
 guest ok = yes
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[temp]
 path = /data/embroidery/DST/TEMP
 writeable = yes
 browseable = yes
 guest ok = yes
 directory mask = 0775
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[dst]
 path = /data/embroidery/DST
 writeable = yes
 browseable = yes
 guest ok = yes
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[chenille]
 path = /data/embroidery/Chenille
 writeable = yes
 browseable = yes
 guest ok = yes
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
[embroidery]
 path = /data/embroidery
 writeable = yes
 browseable = yes
 guest ok = yes
    directory mask = 0777
    create mask = 0777
 valid users = @sambausers
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 5.0 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

It's been a while since our last release and Shirish's new cifs.idmap
utility has now been merged. The last release was 4.9, so I've been a
bit torn -- should I call this one 4.10 or 5.0?

Then I figured...when in doubt, copy Linus. Since he just bumped the
major version number of the kernel, this is now version 5.0.

The main changes:

- - mount.cifs always uses the original device string to ensure that umounts
  by unprivileged users are not problematic

- - there is a new cifs.idmap program for handling idmapping upcalls

- - a lot of manpage patches

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog since 4.9:

commit 201e3fcc8fd2437990d061b29283de256a7f37fd
Author: Jeff Layton jlay...@samba.org
Date:   Tue Mar 15 13:30:37 2011 -0400

autoconf: bump version to 4.9.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit bc2bb65950525081457575a833251355c61b6599
Author: Pavel Shilovsky pias...@etersoft.ru
Date:   Tue Mar 15 13:30:44 2011 -0400

manpage: add entry for strictcache option

Signed-off-by: Pavel Shilovsky pias...@etersoft.ru

commit ffac601c45b167a1af1d35561f1c01ab0813cc14
Author: Luk Claes l...@debian.org
Date:   Fri Apr 8 14:13:35 2011 -0400

mount.cifs: Use original device string all the way

Don't construct a device name, but use the original device string
to mount so the device name in /proc/mounts matches the one in
/etc/fstab.

Signed-off-by: Luk Claes l...@debian.org

commit 00e7fcbe9f519a8251707321eadd34cf156447e5
Author: Jeff Layton jlay...@samba.org
Date:   Fri Apr 15 07:49:51 2011 -0400

mount.cifs: fix test for strtoul failure in mount.cifs

It currently test to see if errno == -EINVAL and whether the endptr
is '\0'. That's not correct however. What we really want it to do is
check to see if any error occurred by setting errno to 0 before the
conversion. If one did, then try to treat the value as a name.

Also fix a bogus compiler warning about cruid being uninitialized.

Reported-by: Jian Li ji...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit a6c23f4421ae02de9f01bb6264a03ede9970cb19
Author: Pavel Shilovsky pias...@etersoft.ru
Date:   Fri May 20 07:36:33 2011 -0400

manpage: make serverino and noserverino option descriptions clear

Signed-off-by: Pavel Shilovsky pias...@etersoft.ru

commit f699e959d2afadffc6a4db96b57f873f7dd5e9d9
Author: Shirish Pargaonkar shirishpargaon...@gmail.com
Date:   Tue May 24 14:49:56 2011 -0400

cifs-utils: Create new binary cifs.idmap for sid to uid/gid mapping (try #4)

Handle cifs.idmap type of key. Extract a SID string from the description
and map it to either an uid or gid using winbind APIs.
If that fails (e.g. because winbind is not installed/running or winbind
returns an error), kernel assigns uid and gid (from mount superblock).

Enable including winbind header files and idmapping code conditional
to winbind devel rpms (header and library).

An entry such as this

create  cifs.idmap   *   *   /usr/sbin/cifs.idmap %k

is needed in the file /etc/request-key.conf.

[Note: Modified to not build new tool by default, and to fix up some
   whitespace munging]

Modified-by: Jeff Layton jlay...@redhat.com
Signed-off-by: Shirish Pargaonkar shirishpargaon...@gmail.com

commit 0a32d6990e67c48753435e986c7073876cafe7f3
Author: Jeff Layton jlay...@samba.org
Date:   Tue May 24 14:49:58 2011 -0400

cifs.idmap: remove 2 unused variables

cifs.idmap.c: In function ‘cifs_idmap’:
cifs.idmap.c:85:16: warning: unused variable ‘gr’ [-Wunused-variable]
cifs.idmap.c:84:17: warning: unused variable ‘pw’ [-Wunused-variable]

Signed-off-by: Jeff Layton jlay...@samba.org

commit fd6405b059d3d066ecdff90a4b0024d28795948e
Author: Jeff Layton jlay...@samba.org
Date:   Tue May 24 14:50:00 2011 -0400

cifs.upcall: don't syslog usage message

Signed-off-by: Jeff Layton jlay...@samba.org

commit 3a2a7fc40d98389766c82435a5b5332ab2272838
Author: Jeff Layton jlay...@samba.org
Date:   Thu May 26 14:56:37 2011 -0400

manpage: update the description of the wsize= option

...to account for the changes in the async write patchset.

Signed-off-by: Jeff Layton jlay...@samba.org

commit a669fb3bb4411e4f4d95de1a1a2ec9cccfe14873
Author: Pavel Shilovsky pias...@etersoft.ru
Date:   Mon May 30 20:02:19 2011 -0400

manpage: add decription about matching superblock to wsize= option

...according to shared superblock capability merged into cifs-2.6
git tree recently.

Signed-off-by: Pavel Shilovsky pias...@etersoft.ru

commit

Re: [Samba] Cant get authenticated readwrite and guest readonly configured properly

[Jeff W]

On 11-05-05 5:15 AM, Jeff W wrote:
 I should add, I've been going through The Samba Checklist,
 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
 to try and figure out what's wrong, but so far all it's helped me figure
 out is that there is a problem, the checklist suggests no fixes for the
 error messsage that I'm seeing, which is this;

 shmee:~# smbclient //SHMEE/porn -Uchris
 Enter chris's password:
 Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.2.5]
 Server not using user level security and no password supplied.
 Server requested LANMAN password (share-level security) but 'client
 lanman auth' is disabled
 tree connect failed: SUCCESS - 0

 I've googled for what these error messages mean but the only pages that
 come up are concerning bugs from back around 2003 and Ubuntu pages which
 are painfully unhelpful (I have this problem, and the next post is
 Nevermind, fixed it with no explenation of how or why it failed). Any
 insight into why it's failing?
 The username and password used are both valid on the unix system, I can
 ssh in with them.
 Thanks for any suggestions in advance.

I ended up figuring it out with the help of this page, for anyone who
ran into the same problems that I did. 
https://wiki.samba.org/index.php/Frequently_Asked_Questions#guest_access
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Cant get authenticated readwrite and guest readonly configured properly

[Jeff W]

Hi, I've spent the past 4 and a half hours trying to figure out how to
configure Samba the way I want, and I'm starting to wonder if what I
want to do is impossible. I've read the man page for smb.conf trying to
figure out what magic combination of options will work, and have scoured
as much Samba documentation as I can find looking for the right recipe,
but I'm having no luck. I'm hoping someone here can help enlighten me.

What I want is pretty simple, or so I thought.

Share 1 - media
read only as guest
read write if authenticated

Share 2 - porn
read write if authenticated
no guest access

In my tweaking of the settings it seems like I keep going back and forth
not able to find the right balance.  At one point I was able to read and
write, but wasn't able to get in without a password, and at other times
I've managed to configure it for guest access but it won't let me
authenticate successfully.

My present situation, is that I have guest access, but it will not
authenticate my username and password.
I have run smbpasswd for the samba user.

I'm running Samba Version 3.2.5 on Debian.

Here is my smb.conf file, with the comments stripped.
Any help is appreciated :)
Thanks.



[global]


   workgroup = WORKGROUP

   server string = Fileserver on %h

;   wins support = yes

;   wins server = w.x.y.z

   dns proxy = yes

;   name resolve order = lmhosts host wins bcast


;   interfaces = 127.0.0.0/8 eth0

;   bind interfaces only = yes




   log file = /var/log/samba/log.%m

   max log size = 1000

   syslog only = no

   syslog = 1
   log level = 2

   panic action = /usr/share/samba/panic-action %d



   security = share

   encrypt passwords = true

   passdb backend = tdbsam

   obey pam restrictions = yes

   unix password sync = yes

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes


;   domain logons = yes
;   logon path = \\%N\profiles\%U

;   logon drive = H:

;   logon script = logon.cmd

; add user script = /usr/sbin/adduser --quiet --disabled-password
--gecos  %u

; add machine script  = /usr/sbin/useradd -g machines -c %u machine
account -d /var/lib/samba -s /bin/false %u

; add group script = /usr/sbin/addgroup --force-badname %g



;   printing = bsd
;   printcap name = /etc/printcap

;   printing = cups
;   printcap name = cups


;   include = /home/samba/etc/smb.conf.%m


;   message command = /bin/sh -c '/usr/bin/linpopup %f %m %s; rm %s' 


;   idmap uid = 1-2
;   idmap gid = 1-2
;   template shell = /bin/bash

;   winbind enum groups = yes
;   winbind enum users = yes


;   usershare max shares = 100


[media]
   comment = Movies and shows and stuffs
   path = /mnt2/media
   browseable = yes
   guest ok = yes
   read only = no
   users = chris

[porn]
  comment= Does not contain pictures of puppies
  path = /mnt5/porn
  browseable = yes
  guest ok = no
  read only = no
  users = chris

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Cant get authenticated readwrite and guest readonly configured properly

[Jeff W]

I should add, I've been going through The Samba Checklist,
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
to try and figure out what's wrong, but so far all it's helped me figure
out is that there is a problem, the checklist suggests no fixes for the
error messsage that I'm seeing, which is this;

shmee:~# smbclient //SHMEE/porn -Uchris
Enter chris's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.2.5]
Server not using user level security and no password supplied.
Server requested LANMAN password (share-level security) but 'client
lanman auth' is disabled
tree connect failed: SUCCESS - 0

I've googled for what these error messages mean but the only pages that
come up are concerning bugs from back around 2003 and Ubuntu pages which
are painfully unhelpful (I have this problem, and the next post is
Nevermind, fixed it with no explenation of how or why it failed). Any
insight into why it's failing?
The username and password used are both valid on the unix system, I can
ssh in with them.
Thanks for any suggestions in advance.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] windows 7 logon problem

[Jeff Savastano]

hi,

i am able to join my domain with windows 7.  when i reboot i get a Unkown 
error 
has occurred.  when i check my event log i see that there is a netlogon 3210 
error:

This computer could not authenticate with samba server, a Windows domain 
controller for domain domain name, and therefore this computer might deny 
logon requests. This inability to authenticate might be caused by another 
computer on the same network using the same name or the password for this 
computer account is not recognized. If this message appears again, contact your 
system administrator.

i am able to logon on to the domain from windows xp proffesional so i would 
assume a its a windows 7 problem, but no windows forums are of any use.

my samba version is 3.5.4

i have made the changes to registry:

   HKLM\System\CCS\Services\Netlogon\Parameters
   DWORD  RequireSignOrSeal = 1
   DWORD  RequireStrongKey = 1
   DWORD  DisablePasswordChange = 1

any ideas how to fix this?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] windows 7 logon problem

[Jeff Savastano]

hi,


i am able to join my domain with windows 7.  when i reboot i get a Unkown 
error 
has occurred.  when i check my event log i see that there is a netlogon 3210 
error:

This computer could not authenticate with samba server, a Windows domain 
controller for domain domain name, and therefore this computer might deny 
logon requests. This inability to authenticate might be caused by another 
computer on the same network using the same name or the password for this 
computer account is not recognized. If this message appears again, contact your 
system administrator.

i am able to logon on to the domain from windows xp proffesional so i would 
assume a its a windows 7 problem, but no windows forums are of any use.

my samba version is 3.5.4

i  have made the changes to registry:

   HKLM\System\CCS\Services\Netlogon\Parameters
   DWORD  RequireSignOrSeal = 1
   DWORD  RequireStrongKey = 1
   DWORD  DisablePasswordChange = 1

any ideas how to fix this?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] windows 7 logon problem

[Jeff Savastano]

That did it thanks

--
Sent from my Verizon Wireless mobile phone

--Original Message--
From: John Drescher dresche...@gmail.com
To: Jeff Savastano savastano.j...@yahoo.com
Cc: samba@lists.samba.org
Date: Thu, Apr 14, 10:42 AM -0400
Subject: Re: [Samba] windows 7 logon problem

On Thu, Apr 14, 2011 at 10:29 AM, Jeff Savastano
savastano.j...@yahoo.com wrote:
 hi,


 i am able to join my domain with windows 7.  when i reboot i get a Unkown 
 error
 has occurred.  when i check my event log i see that there is a netlogon 3210
 error:

 This computer could not authenticate with samba server, a Windows domain
 controller for domain domain name, and therefore this computer might deny
 logon requests. This inability to authenticate might be caused by another
 computer on the same network using the same name or the password for this
 computer account is not recognized. If this message appears again, contact 
 your
 system administrator.

 i am able to logon on to the domain from windows xp proffesional so i would
 assume a its a windows 7 problem, but no windows forums are of any use.

 my samba version is 3.5.4

 i  have made the changes to registry:

   HKLM\System\CCS\Services\Netlogon\Parameters
           DWORD  RequireSignOrSeal = 1
           DWORD  RequireStrongKey = 1
           DWORD  DisablePasswordChange = 1

 any ideas how to fix this?

This is what I have:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
DNSNameResolutionRequired=dword:
DomainCompatibilityMode=dword:0001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
Update=no
DisablePasswordChange=dword:0001
MaximumPasswordAge=dword:0010
RequireSignOrSeal=dword:0001
RequireStrongKey=dword:0001
SealSecureChannel=dword:0001
SignSecureChannel=dword:0001

John

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] CIFS mount with non-ascii (UTF8) password is not working

[Jeff Layton]

On Fri, 25 Mar 2011 10:44:42 +
Moray Henderson moray.hender...@ict-software.org wrote:

 Katariya Rahul wrote:
  I have French CIFS server.
  
  If I try to map a share from any windows machine with non-ascii (UTF-8,
  french characters are part of password) password, it is successful.
  
  But If I try from linux machine, it fails.
  
  mount -t cifs //MACHINE/DatasetFIGS_ùÉÀÊÚÎÏŒÄÑ£₣€nbsp; /tmp/rahul -o
  user=ùù,password=ùù,domain=eKKDr
  mount error 13 = Permission denied
  Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
  nbsp;
  
  Does CIFS supports non-ascii password?
 
 On the Linux machine, what output does the locale command give you?
 
 If you type the password at the Linux prompt where you can see it, do you get 
 the right characters?  If the keyboard isn't set right in Linux, it won't 
 work.  To see exactly how the password is being encoded, use echo password 
 | xxd (although obviously don't post the output for a real password here).
 
 Was the password set from Windows or from Linux?  If from Windows, then I 
 would expect the encoding to be in either UTF-16 or the Windows locale 8-bit 
 encoding, not UTF-8.  For example, Latin Small Letter E With Acute is 
 encoded as 0xE9 in the Windows Western encoding, 0xE900 in UTF-16, and 0xC3A9 
 in UTF-8.
 
 Does it work any better if you use Samba's own mount.cifs program directly 
 rather than going through mount?
 
 I do not know what (if any) character encoding translation the cifs module 
 does.  Check whether the locale and testparm -vs | grep char on your CIFS 
 server match the settings on the Linux machine you are doing the mapping from.
 
 

Linux CIFS generally treats passwords as an opaque series of bytes. It
does no translation of that piece.

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.9 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The last release (4.8.1) was back in January. Things have been pretty
quiet but we've had a few bugs fixed since then, so it's probably time
for another release. Not a lot of major changes with this one -- mostly
just bugfixes.

The main changes since 4.8.1 are:

* Some distros (namely Fedora) are moving to having /etc/mtab be a symlink to
  /proc/mounts. We automatically skip trying to alter the mtab if it's
  a symlink. 

* fix for a bug that could prevent root from mounting onto a directory to
  which he did not have explicit execute permission.

* fix for a bug that caused the mount helper to pass in a corrupt address
  when someone specified an IPv6 address with a scopeid.

* mount.cifs bugfix for an uninitialized variable that could cause a
  segfault

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit 51e3999b5fcd76502e05325174f34e0428c4742e
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jan 31 11:54:44 2011 -0500

autoconf: bump release to 4.8.2 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit fba28cfe2f13dd8bdae3cec76178f42b001a40ca
Author: Jeff Layton jlay...@samba.org
Date:   Mon Jan 31 15:04:35 2011 -0500

mount.cifs: don't try to alter mtab if it's a symlink

Some distros replace /etc/mtab with a symlink to /proc/mounts. In that
situation, mount.cifs will hang for a while trying to lock the mtab.
/bin/mount checks to see if the mtab is a symlink. If it is or if a
stat() call on it fails, it doesn't try to to update the mtab. Have
mount.cifs do the same.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 24093bef78e1e4ea5d541716ebba63e8d4e15c58
Author: Jeff Layton jlay...@samba.org
Date:   Tue Feb 1 14:24:30 2011 -0500

mount.cifs: fix possible use of uninitialized variable

It's possible to goto return_i in this function at several points
before line_buf is set. At that point, the NULL pointer check won't
work correctly and we can end up with a SIGSEGV.

Signed-off-by: Jeff Layton jlay...@samba.org

commit b6d2d91df012f965f29ba26489aca009712a230c
Author: Jeff Layton jlay...@samba.org
Date:   Tue Feb 8 15:33:09 2011 -0500

mount.cifs: reacquire CAP_DAC_READ_SEARCH before calling mount(2)

It's possible that the user is trying to mount onto a directory to which
he doesn't have execute perms. If that's the case then the mount will
currently fail. Fix this by reenabling CAP_DAC_READ_SEARCH before
calling mount(2). That will ensure that the kernel's permissions check
for this is bypassed.

Reported-by: Erik Logtenberg e...@logtenberg.eu
Signed-off-by: Jeff Layton jlay...@samba.org
Reviewed-by: Steve French sfre...@us.ibm.com

commit 38eaab88a08a66adb535d0e5cdcaea9859131c5b
Author: Jeff Layton jlay...@samba.org
Date:   Tue Feb 15 13:30:47 2011 -0500

mount.cifs: fix handling of scopeid in resolve_host

We get a pointer to the end of the address string (ipaddr), but the call
snprintf and pass in tmpbuf which is a pointer to the beginning of the
address string. If someone passes in an address with a scopeid then we
end up overwriting the entire address string.

Reported-by: Björn JACKE b...@sernet.de
Signed-off-by: Jeff Layton jlay...@samba.org

commit cf7d6d481a84fdfc8272e38a6eb49c8a52fa201f
Author: Jeff Layton jlay...@samba.org
Date:   Fri Mar 4 14:54:18 2011 -0500

autoconf: bump release to 4.9

Signed-off-by: Jeff Layton jlay...@samba.org

- -- 
Jeff Layton jlay...@samba.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk1xSmcACgkQyP0gxQMdzIBRfwCeOuyPL9QXOAbxHJdt+KIZ+jzR
fkMAn1/lD47v9CwYsOZ+GLilIfpcgJ8q
=RlVa
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Running and testing SMB2 under RHEL 5 and RHEL 6

[Jeff Layton]

On Sat, 19 Feb 2011 19:04:35 -0500
Nico Kadel-Garcia nka...@gmail.com wrote:

 Does RHEL 5 or RHEL 6, or the current versions of cifs-utils available
 for either, actually support SMB2? I don't see a mount.smb2 binary
 in the packages, though I see it mentioned in the docs, and I'd like
 to really hammer the SMB2 server for performance comparisons. But it's
 meaningless if if it's not actually mounting as SMB2.

smb2fs is still under development upstream and neither RHEL5 or 6
include client-side support in the kernel. I'm not clear on whether
server-side support is being shipped in either though (the folks that
maintain that piece would need to comment).

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] User submitted job

[Jeff Ross]

On 02/18/11 14:14, Christ Schlacta wrote:

On 2/18/2011 05:49, Robert Moskowitz wrote:

Is there a way for a user to run a job on the server?

In particular, I want to implement a 'one click' backup using rsync.  
An icon on the desktop would do something (in a batch script maybe or 
some canned program) that would run a job under their ID that would 
rsync their home directory to a backup directory.




magic files.


In my experience, if you leave backups to users you're in big trouble 
because it doesn't matter how easy you make the backup it isn't going to 
get done.


DeltaCopy is what you are after:

http://www.aboutmyip.com/AboutMyXApp/DeltaCopy.jsp

--

Jeff Ross
Wyoming Children's Action Alliance

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.8.1 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

It turns out that the 4.8 release had some mis-generated autoconf
files. In particular, the aclocal files for libcap-ng were not properly
included. This would lead to mount.cifs not being built with support
for dropping capabilities via libcap-ng.

This minor release fixes that and only that.

People who install mount.cifs as a setuid root program should
consider upgrading (unless they did an autoreconf or similar at build
time).

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit eb0f1cad7ed85e9d98fef4f8dfbecdac67477e76
Author: Jeff Layton jlay...@samba.org
Date:   Wed Jan 19 21:04:14 2011 -0500

autoconf: bump release to 4.8.1

The 4.8 release had mis-generated autoconf files (they didn't include
the libcap-ng autoconf goop). 4.8.1 will have that fixed.

Signed-off-by: Jeff Layton jlay...@samba.org

- -- 
Jeff Layton jlay...@samba.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk05210ACgkQyP0gxQMdzIBtQwCeLWGJYotDqXgUw0awG2/Bd84Z
rloAn0Kk2MIFLfKGwJsTAStxriKZK9r5
=HZ7F
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.8 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The last release (4.7) was back in October. We've had a number of good
fixes committed in the last few weeks, so it's a good time to cut a new
release. 

Also, note that I've transplanted the cifs-utils manpage to the Samba
Wiki. The old URL still works and redirects browsers to the new page.

o hardcoded paths in the cifs.upcall manpage are rewritten at build time

o a cifs.upcall pathset from Stefan Metzmacher to add GSSAPI checksums to
  the SPNEGO blob. This is necessary for interoperability with certain
  krb5 implementations (EMC's specifically)

o cifs.upcall can now use the system-default keytab for automatic mounts

o mount.cifs handles the cruid= option in a similar fashion to the uid=
  mount option. The kernel will gain support for this in 2.6.38 and in
  earlier stable releases.

...plus the usual assortment of bugfixes and manpage updates.

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit 4154422a9e58c2fe7009312f45543fedc20d1ffd
Author: Jeff Layton jlay...@samba.org
Date:   Thu Dec 9 09:30:03 2010 -0500

cifs-utils: bump version number to 4.7.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

commit 0f588214bc07682b522ac14814b4d97a9b6455d4
Author: Suresh Jayaraman sjayara...@suse.de
Date:   Thu Dec 9 09:37:52 2010 -0500

mount.cifs: manpage: add entry for actimeo option

Signed-off-by: Suresh Jayaraman sjayara...@suse.de
Signed-off-by: Jeff Layton jlay...@samba.org

commit 68691e68937ab9dc7f2d570da7e38659f25d41c1
Author: Jeff Layton jlay...@samba.org
Date:   Thu Dec 9 09:37:52 2010 -0500

cifs-utils: rewrite hardcoded paths in manpages

Currently the manpages (particularly cifs.upcall.8) have hardcoded
paths in them that need to be manually adjusted. Replace those
paths with @sbindir@ and add a makefile target that will use sed
to replace those paths with the ones set by autoconf.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 3e15450d879a42598a2596f2f1f535e95d423057
Author: Jeff Layton jlay...@samba.org
Date:   Tue Dec 14 12:05:04 2010 -0500

cifs-utils: fixes for manpage pathname replacement scheme

Fix up some small problems with pathname replacement:

1) replace the bare 'sed' with $(SED)

2) '\@' is apparently not portable, so we need to use a different scheme
   in case we end up using a non-typical sed binary.

3) do the sed conversion to a new file and then move it into place. If
   sed falls down halfway through the conversion we could end up with
   a half-baked manpage.

4) use the $@ construct for brevity and maintainability

5) add a comment so that the rationale behind this is explained

Many thanks to several folks inside Red Hat who pointed out these
issues.

Signed-off-by: Jeff Layton jlay...@samba.org

commit e3c9b40fbe124bda174753785772e56344c68968
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Dec 28 14:21:26 2010 -0500

cifs.upcall: fix memory and call krb5_auth_con_free()

Signed-off-by: Stefan Metzmacher me...@samba.org

commit 1d8859b4111a363d30bd3256660e77a216e82a83
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Dec 28 14:21:31 2010 -0500

cifs.upcall: use krb5_auth_con_init() to create an explicit auth_context

Signed-off-by: Stefan Metzmacher me...@samba.org

commit 99dfd04655aab3a8e6ea03184a32e360f23df9ad
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Dec 28 14:21:34 2010 -0500

cifs.upcall: use krb5_auth_con_set_req_cksumtype() and pass a GSSAPI 
checksum (bug #7890)

Some closed source SMB servers doesn't support all checksum types,
so we should try to match windows clients.

This is almost the same logic which is used by Samba.

Signed-off-by: Stefan Metzmacher me...@samba.org

commit f240ebe98b881f3daadf229bb24501829d3731ac
Author: Pavel Shilovsky piastr...@gmail.com
Date:   Wed Jan 5 07:23:37 2011 -0500

manpage: change port option description

Provide changes according to new ip/port connection logic in CIFS.

Signed-off-by: Pavel Shilovsky piastr...@gmail.com

commit 7075a466159e59a46575739cc89b8d8a8c3ea3bc
Author: Jeff Layton jlay...@samba.org
Date:   Wed Jan 5 10:52:19 2011 -0500

cifs.upcall: add 'l' to getopt_long string

Reported-by: Stefan Walter walte...@inf.ethz.ch
Signed-off-by: Jeff Layton jlay...@samba.org
Reviewed-by: Shirish Pargaonkar shirishpargaon...@gmail.com

commit 5979d6dfe7fde7ab05f6bc02e771b4c05d994213
Author: Jeff Layton jlay...@samba.org
Date:   Wed Jan 5 10:52:19 2011 -0500

cifs.upcall: fix crash when trying to free uninitialized var

If cifs.upcall is passed an invalid argument then it will goto

[Samba] What PAM service is used when compiled --with-pam ?

[Jeff Blaine]

What PAM 'service' is used when using --with-pam?  For example, sshd
with PAM support uses the 'sshd' PAM service/configuration in /etc/
pam.d/sshd (Linux).

I can't find mention of it anywhere.

Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Samba 3.5.6 with Win7 failure (XP works)

[Jeff Blaine]

Hi all,

We're testing 3.5.6 as an upgrade to our old 3.0.x instance.

Our XP boxes can see our Samba 3.5.6 shares fine.

Our Win7 boxes cannot.

   The specified network name is no longer available.

Relevant config portion is as follows:

   log level = 20
   workgroup = OURCOMP
   security = ads
   encrypt passwords = yes
   realm = OURCOMP.ORG
   password server = DC1.OURCOMP.ORG
   client signing = mandatory

I've also tried client signing = auto to no avail.

Thanks for ANY advice!
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba 3.5.6 with Win7 failure (XP works)

[Jeff Blaine]

On 1/4/2011 4:35 PM, Gaiseric Vandal wrote:

this may be of help

http://wiki.samba.org/index.php/Windows7


Thanks Gaiseric.  FWIW, I *did* look at the wiki first, but
completely ignored the Developer section where this is
linked from.  IMO, it is not in the right section :)

At any rate, my problem isn't related to joining a Win7
box to a Samba-served domain, as far as I can tell.  I
am having trouble accessing a Samba share from Windows 7.

I tried the recommended registry modifications from the
wiki and rebooted. No luck.

However ...

I can get things to work if I disable Communications Signing
on the win7 box.  This is not acceptable to our corporate
information security folks though.

That at least pinpoints the problem.  Now I just need to get
Samba to accept communications signing from the client.
I don't see that I am doing anything wrong.

client signing = mandatory


On 01/04/2011 04:32 PM, Jeff Blaine wrote:

Hi all,

We're testing 3.5.6 as an upgrade to our old 3.0.x instance.

Our XP boxes can see our Samba 3.5.6 shares fine.

Our Win7 boxes cannot.

The specified network name is no longer available.

Relevant config portion is as follows:

log level = 20
workgroup = OURCOMP
security = ads
encrypt passwords = yes
realm = OURCOMP.ORG
password server = DC1.OURCOMP.ORG
client signing = mandatory

I've also tried client signing = auto to no avail.

Thanks for ANY advice!



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] log level = 20 not showing auth, etc...

[Jeff Blaine]

Samba 3.5.6

I must be really misunderstanding 'log level' somehow.  I have
tried all of the following and cannot get my logs to show
anything related to authentication or share accesses at all:

log level = 20

log level = all:20

log lovel = 3 auth:20

If I access one of the server's shares successfully, not a
single thing shows up in the log.  Yes, I am looking at the
right log, and yes other things do get written to the log
from smbd :)

Any help would be very welcome.

Jeff Blaine
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] log level = 20 not showing auth, etc...

[Jeff Blaine]

It was worth a try, but I've just changed it to 10 and restarted
the service.  Same thing.  I get the initial daemon startup
messages and then nothing additional while I try the shares from
Windows boxes, use them, etc.

I even tried one of the examples from the man page:

log level = 3 passdb:5 auth:10 winbind:2

On 1/4/2011 5:30 PM, Hoover, Tony wrote:

I believe that the max log level is 10 (e.g. you are setting an invalid
value).  Someone will correct me if I'm wrong, I'm sure.


--
Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660

Don't Blend in...
--

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Jeff Blaine
Sent: Tuesday, January 04, 2011 4:04 PM
To: samba@lists.samba.org
Subject: [Samba] log level = 20 not showing auth, etc...

Samba 3.5.6

I must be really misunderstanding 'log level' somehow.  I have tried all of
the following and cannot get my logs to show anything related to
authentication or share accesses at all:

  log level = 20

  log level = all:20

  log lovel = 3 auth:20

If I access one of the server's shares successfully, not a single thing
shows up in the log.  Yes, I am looking at the right log, and yes other
things do get written to the log from smbd :)

Any help would be very welcome.

Jeff Blaine
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba 3.5.6 with Win7 failure (XP works)

[Jeff Blaine]

Figured it out.

server signing = auto


I can get things to work if I disable Communications Signing
on the win7 box. This is not acceptable to our corporate
information security folks though.

That at least pinpoints the problem. Now I just need to get
Samba to accept communications signing from the client.
I don't see that I am doing anything wrong.

client signing = mandatory


^ doesn't help a Windows 7 box with mandatory signing
  connect to this Samba server :)
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] cifs and Netapp DFS-shares problems

[Jeff Layton]

On Fri, 10 Dec 2010 11:25:46 +0100
Marcus li...@localguru.de wrote:

 Hi,
 
 Am Donnerstag, den 09.12.2010, 01:37 +0100 schrieb Marcus:
  
  are there any known issues with cifs and DFS-shares on Netapp file
  servers? We have a Netapp file sever with DFS on the user's home shares.
  The home shares can successfully mounted with
  
mount -t cifs //sever/home/username /mnt/ -o user=username,domain=AD
  
  but the connection hangs in the moment a directory listing is started.
  The strange thing is that only shares with activated DFS show this
  problem. I'm not maintaining the Netapp file server therefore a can't
  post more information about that system. On client side I'm using Ubuntu
  LTS 10.04.1.
 
 This error only comes up, if DFS is activated on a share on the NetApp
 Server. Here is a kernel log:
 
 Dec 10 11:10:37 lebowski kernel: [ 3586.471662] Bad SMB: : dump of 48
 bytes of data at 0xe44e5c00
 Dec 10 11:10:37 lebowski kernel: [ 3586.471675]  009a 424d53ff
 0032 80018800 . . . . ÿ S M B 2 . . . . . . .
 Dec 10 11:10:37 lebowski kernel: [ 3586.471688]   
  26420040 . . . . . . . . . . . . @ . B 
 Dec 10 11:10:37 lebowski kernel: [ 3586.471701]  001a0800 720a
 0200 3800 . . . . . . . p . . . . . 8 . .
 Dec 10 11:11:03 lebowski kernel: [ 3612.832108]  CIFS VFS: server not
 responding
 Dec 10 11:11:03 lebowski kernel: [ 3612.832125]  CIFS VFS: No response
 for cmd 50 mid 26
 Dec 10 11:11:05 lebowski kernel: [ 3614.656937]  CIFS VFS: RFC1001 size
 154 bigger than SMB for Mid=30
 Dec 10 11:11:05 lebowski kernel: [ 3614.656953] Bad SMB: : dump of 48
 bytes of data at 0xe44e5c00
 Dec 10 11:11:05 lebowski kernel: [ 3614.656967]  009a 424d53ff
 0032 80018800 . . . . ÿ S M B 2 . . . . . . .
 Dec 10 11:11:05 lebowski kernel: [ 3614.656979]   
  26420040 . . . . . . . . . . . . @ . B 
 Dec 10 11:11:05 lebowski kernel: [ 3614.656994]  001e0800 720a
 0200 3800 . . . . . . . p . . . . . 8 . .
 Dec 10 11:11:33 lebowski kernel: [ 3642.832284]  CIFS VFS: server not
 responding
 Dec 10 11:11:33 lebowski kernel: [ 3642.832299]  CIFS VFS: No response
 for cmd 50 mid 30
 Dec 10 11:11:40 lebowski kernel: [ 3649.895000]  CIFS VFS: RFC1001 size
 154 bigger than SMB for Mid=34
 Dec 10 11:11:40 lebowski kernel: [ 3649.895017] Bad SMB: : dump of 48
 bytes of data at 0xe44e5c00
 Dec 10 11:11:40 lebowski kernel: [ 3649.895030]  009a 424d53ff
 0032 80018800 . . . . ÿ S M B 2 . . . . . . .
 Dec 10 11:11:40 lebowski kernel: [ 3649.895043]   
  26420040 . . . . . . . . . . . . @ . B 
 Dec 10 11:11:40 lebowski kernel: [ 3649.895056]  00220800 720a
 0200 3800 . .  . . . . p . . . . . 8 . .
 --
 
 umounting is impossible and gives the following error:
 
 --
 unmount error 16 = Device or resource busy
 Refer to the umount.cifs(8) manual page (man 8 umount.cifs)
 unmount error 16 = Device or resource busy
 Refer to the umount.cifs(8) manual page (man 8 umount.cifs)
 --
 
 Any ideas? Seems to be an error of the NetApp Fileserver acting not RFC
 conform.
 
 Is this the right list to discuss or should I post on linux-cifs-client
 list?
 
(cc'ing linux-cifs mailing list)

Probably because the ls is hung and is holding references to the mount...

I've successfully tested against netapp's CIFS implementation in the
past, but there are significant bugs in it. The errors you're seeing
look like an alignment problem of some sort -- i.e. the server is
sending packets that have incorrect length fields in them. This isn't
the first such problem I've seen with OnTap.

You're welcome to open a bug at bugzilla.samba.org, cc me, and I'll
take a look when I have time. Gathering wire captures during one of
these events and attaching them to the bug would help to track down the
problem. It's likely to be Netapp's bug however...

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs and Umlaut in share name

[Jeff Layton]

On Tue, 23 Nov 2010 08:39:56 -0500
Jeff Layton jlay...@samba.org wrote:

 On Tue, 23 Nov 2010 10:33:31 +0100
 Andreas Heinlein aheinl...@gmx.com wrote:
 
  Hello,
  
  I need to mount a CIFS share (in the end via fstab, for now manually
  from terminal) which has both a space and a german umlaut in its name. I
  cannot get mount.cifs to mount it, it always complains it cannot find it.
  
  I managed to get around the space problem in fstab with the \040 trick,
  but I cannot find a way to correctly encode the umlaut. When looking at
  the output of mount.cifs --verbose '//server/Täst Freigabe' /mnt, it
  looks like it is accessing the correct share, but it does not work.
  
  I also got a hint here
  (https://bugs.launchpad.net/ubuntu/+source/gnome-vfs/+bug/414865) to
  pipe the share name through iconv, but mount.cifs $(echo //server/Täst
  Freigabe | iconv -t850) /mnt also does not work.
  
  What can I do? Changing the share name is currently not an option, there
  are just too many users with links/bookmarks to it.
  
  Thanks,
  Andreas
 
 Seems like something we ought to be able to fix. Could you open a bug
 at bugzilla.samba.org, cc me on it, and then post the output of
 mount.cifs --verbose '//server/Täst Freigabe' /mnt to it?
 
 Thanks,

Following up here in case others see this problem...

Andreas opened bug 7822:

https://bugzilla.samba.org/show_bug.cgi?id=7822

The problem seems to be related to the default NLS codepage setting in
Ubuntu's kernel.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] mount.cifs and Umlaut in share name

[Jeff Layton]

On Tue, 23 Nov 2010 10:33:31 +0100
Andreas Heinlein aheinl...@gmx.com wrote:

 Hello,
 
 I need to mount a CIFS share (in the end via fstab, for now manually
 from terminal) which has both a space and a german umlaut in its name. I
 cannot get mount.cifs to mount it, it always complains it cannot find it.
 
 I managed to get around the space problem in fstab with the \040 trick,
 but I cannot find a way to correctly encode the umlaut. When looking at
 the output of mount.cifs --verbose '//server/Täst Freigabe' /mnt, it
 looks like it is accessing the correct share, but it does not work.
 
 I also got a hint here
 (https://bugs.launchpad.net/ubuntu/+source/gnome-vfs/+bug/414865) to
 pipe the share name through iconv, but mount.cifs $(echo //server/Täst
 Freigabe | iconv -t850) /mnt also does not work.
 
 What can I do? Changing the share name is currently not an option, there
 are just too many users with links/bookmarks to it.
 
 Thanks,
 Andreas

Seems like something we ought to be able to fix. Could you open a bug
at bugzilla.samba.org, cc me on it, and then post the output of
mount.cifs --verbose '//server/Täst Freigabe' /mnt to it?

Thanks,
-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.7 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The last cifs-utils release (4.6) was on July 30th, so it's probably a
good time to go ahead and release a new one with kernel 2.6.36 shipping
soon. Major highlights:

- - new cifscreds program has been added. This will eventually allow for
  stashing of username/password in the kernel's keyring for use by
  cifs. Kernel code for this is not in place yet, and the program is
  not yet built by default. Configuring with --enable-cifscreds=yes
  will enable it.

- - timeouts for things like mtab locking now use monotonic time and
  should no longer have problems if the clock jumps

...plus the usual assortment of minor bugfixes and manpage updates.

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit 6739b667677b28740b87ede94e53dfc500718acb
Author: Jeff Layton jlay...@samba.org
Date:   Tue Oct 19 14:59:49 2010 -0400

autoconf: bump release to 4.7

Signed-off-by: Jeff Layton jlay...@samba.org

commit 202f4b43209da32afc7ce5445a8f561c354c8f82
Author: Jeff Layton jlay...@samba.org
Date:   Fri Oct 8 15:11:58 2010 -0400

manpage: add mount.cifs manpage entry for multiuser option

Signed-off-by: Jeff Layton jlay...@samba.org

commit d90691a283d0f2ed928476fc96970b1ef2a28662
Author: Jeff Layton jlay...@samba.org
Date:   Fri Oct 8 15:11:57 2010 -0400

mount.cifs: reinstate ip= as an override for address resolution

The manpage says:

   ip=arg
   sets the destination IP address. This option is set automatically
   if the server name portion of the requested UNC name can be
   resolved so rarely needs to be specified by the user.

...but recent changes have made it not work anymore as an override if
someone specifies an ip= option as part of the mount options. Reinstate
that behavior by copying the ip= option verbatim into the addrlist of
the parsed options struct and then skipping the name resolution. That
should allow the ip= option to pass unadulterated to the kernel.

Signed-off-by: Jeff Layton jlay...@samba.org

commit f2daa2a08bf8706f90e1154272c5bfe6279895cd
Author: Björn Jacke b...@sernet.de
Date:   Tue Aug 24 13:30:05 2010 -0400

mount.cifs: use monotonic time for timeouts

this is especially important during the boot process, where the clock is 
often
being set initially and clock jumps are more common.

commit 79774488814b0f5267644628e31c07c7ac380a65
Author: Björn Jacke b...@sernet.de
Date:   Tue Aug 24 13:29:59 2010 -0400

autoconf: add checks for clock_gettime

commit 909c1bac5eb3b1fc677ef0d4de011cb68e999d15
Author: Igor Druzhinin jaxbr...@gmail.com
Date:   Fri Aug 20 14:53:38 2010 -0400

cifs-utils: infrastructure for stashing passwords in keyring

It is a userspace part of a new infrastructure for stashing passwords
in kernel keyring per user basis. The patch adds the cifscreds
utility for management keys with credentials. Assembling of the utility
from the distribution is possible with --enable-cifscreds=yes option of
configure script.

Signed-off-by: Igor Druzhinin jaxbr...@gmail.com

commit c546d8d786f70204968fbc78d276bc2c8d2eb670
Author: Igor Druzhinin jaxbr...@gmail.com
Date:   Fri Aug 20 14:53:05 2010 -0400

cifs-utils: moving resolve_host into separate file

The resolve_host routine from mount.cifs is carried out in
separate file and appropriate corrections are made.

Signed-off-by: Igor Druzhinin jaxbr...@gmail.com

commit 2b2ce5830fec4317e0c264115cf93e64344b1417
Author: Suresh Jayaraman sjayara...@suse.de
Date:   Wed Aug 4 07:55:54 2010 -0400

mount.cifs: remove redundant error assignment

Avoid setting error code twice by moving error handling out of add_mtab_exit
block. We already set error code and report error in other places.

Signed-off-by: Suresh Jayaraman sjayara...@suse.de

commit 796c714569f5a2d1563f284d94333f2971217417
Author: Jeff Layton jlay...@samba.org
Date:   Wed Aug 4 06:35:24 2010 -0400

autoconf: bump version number to 4.6.1 for non-release builds

Signed-off-by: Jeff Layton jlay...@samba.org

- -- 
Jeff Layton jlay...@samba.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAky98dYACgkQyP0gxQMdzIDiFQCfclgv5NgozZUEYsdKHFSTUNZI
wm0AoKsqHk1FT1Wzz32KqSxr3Psr9ZEq
=Q3yq
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] question about CIFS client glitches

[Jeff Layton]

On Fri, 17 Sep 2010 19:38:21 -0400
starli...@binnacle.cx wrote:

 At 05:50 PM 9/16/2010 -0500, Steve French wrote:
 On Thu, Sep 16, 2010 at 4:39 PM,  starli...@binnacle.cx wrote:
  Trying out a CIFS mount of a W2K8 x64 file system from CentOS
  5.5 and running into problems, and trying to figure out how to
  proceed.
 ...
 
 This is quite old kernel, but perhaps it was updated to include more
 recent fixes - can you view the version information on the file, ie
 the cifs.ko module (you can do this by running modinfo on cifs.ko)
 
 
 Tried the RHEL6 beta 2 and it behaves the same as RHEL 5.5.
 'modinfo' output for both attached.  'cifs.ko' versions are
 1.60RH and 1.63.
 
 In both versions it seems like hard-links work and symbolic
 links fail with
 
ln: creating symbolic link `': Operation not supported
 

That's expected. The core cifs protocol as implemented in windows
doesn't support symlinks. You need unix extensions for that, or you may
want to play with the mfsymlinks patches that Metze proposed recently.

 And it appears that a 'pax -r' extraction followed by 'rm' for
 selected files has some difficulty with CIFS 1.6x rendered
 hard link in the mix.
 
 I'm probably giving up on the idea for now, but thanks
 for your help.

What sort of difficulty is it having?
-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] question about CIFS client glitches

[Jeff Layton]

On Thu, 16 Sep 2010 18:49:49 -0400
starli...@binnacle.cx wrote:

 At 05:39 PM 9/16/2010 -0400, starli...@binnacle.cx wrote:
 Trying out a CIFS mount of a W2K8 x64 file system from CentOS 
 5.5 and running into problems, and trying to figure out how to 
 proceed.
 
 Oops.  I see the problem is that CIFS, at least in the older 
 stable versions, does not support hard links.  The extracted 
 archives have a few of these and so the resulting tree is not a 
 synchronized copy of the original.
 
 Oh well, so much for that.
 

Ok, good to know. There were patches that went to mainline to make CIFS
support server inode numbers correctly, which is sort of a requirement
for proper hardlink support. Those were really too invasive for a minor
RHEL release however.

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] question about CIFS client glitches

[Jeff Layton]

On Thu, 16 Sep 2010 20:00:14 -0400
starli...@binnacle.cx wrote:

 At 05:50 PM 9/16/2010 -0500, Steve French wrote:
 On Thu, Sep 16, 2010 at 4:39 PM,  starli...@binnacle.cx wrote:
  Trying out a CIFS mount of a W2K8 x64 file system from CentOS
  5.5 and running into problems, and trying to figure out how to
  proceed.
 ...
 
 This is quite old kernel, but perhaps it was updated to include more
 recent fixes - can you view the version information on the file, ie
 the cifs.ko module (you can do this by running modinfo on 
 cifs.ko)
 
 
 Thank you for the follow-up.  Per my last message this was my 
 being a clueless in regards to the lack of hard/soft link 
 support in the old version.  'modinfo' pegs it as 1.60RH.
 
 Hopefully RHEL6 will include CIFS file links as it might work 
 better to compile on Linux from a Windows share rather than 
 vice-versa.  'makedepend' runs painfully slow from Windows over
 a Samba share unless IPoIB is used for transport.
 
 Perhaps I'll try it under Fedora, though in general I find 
 wrestling with the constant change of the moving-target distro 
 too much.
 
 It is quite encouraging to see CIFS work in general.  Last time 
 I tried three or four years ago the system crashed shortly after 
 issuing the mount command.
 

RHEL6 is fairly current with mainline code (at least as of this past
spring or so). If it works OK on Fedora, it should be OK in RHEL6.

-- 
Jeff Layton jlay...@redhat.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.6 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

It has been a while since I've cut a new release for cifs-utils. This
one has more visible changes than were in the last few releases. Major
highlights:

- - documentation additions for the fsc option

- - mount.cifs deals with _netdev, mand and nomand options correctly now

- - a change in how mount.cifs handles the MS_MANDLOCK flag. It used to
  set it by default and you had to specify nolock or nobrl to turn
  it off. Now, it's off by default and you need to specify the mand
  option to turn it on. This is more in line with how other filesystems
  deal with mandatory locking. In practice, we hardly ever want the
  kernel to enforce mandatory locking -- the server deals with that.

- - cifs.upcall will now preferentially use the creduid= upcall option
  rather than uid=. This makes mounting with krb5 work more as expected.
  The credcache is now always expected to be owned by the real uid
  of the mount process, rather than the value in the uid= option. A
  command-line option is provided for those who need legacy behavior.


webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit 0540777249f7673499c6d53b59b56815b0df2935
Author: Jeff Layton jlay...@samba.org
Date:   Fri Jul 30 08:17:01 2010 -0400

autoconf: bump version to 4.6

Signed-off-by: Jeff Layton jlay...@samba.org

commit cbf27473d6e8e45fb9525aea61f6391d7cdc93e8
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 27 15:24:04 2010 -0400

data_blob: change for loop indices to a unsigned int

To silence these warnings:

data_blob.c: In function ‘data_blob_hex_string_lower’:
data_blob.c:155:16: warning: comparison between signed and unsigned integer
expressions
data_blob.c: In function ‘data_blob_hex_string_upper’:
data_blob.c:172:16: warning: comparison between signed and unsigned integer
expressions

Signed-off-by: Jeff Layton jlay...@samba.org

commit 986923d1317faf82253996079ddab5d43ae44d29
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 27 15:20:44 2010 -0400

cifs.upcall: swap c99 initializers for memset calls

gcc says:

cifs.upcall.c: In function ‘cifs_krb5_get_req’:
cifs.upcall.c:261:2: warning: missing initializer
cifs.upcall.c:261:2: warning: (near initialization for ‘in_creds.client’)
cifs.upcall.c: In function ‘main’:
cifs.upcall.c:622:9: warning: missing initializer
cifs.upcall.c:622:9: warning: (near initialization for ‘arg.ver’)

...this is probably just gcc being balky, but we can silence the
warning. It may also be a micro optimization in an error condition
if we delay zeroing out the struct until it's needed.

Signed-off-by: Jeff Layton jlay...@samba.org

commit fb5d150aec004111a838a015bdc1309a6e539925
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 27 15:09:27 2010 -0400

mtab: add __attribute__((unused)) to unused variables

...to silence -Wextra warnings.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 62369ecb38316bb285c5cc2f5af25aaa11cea15c
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 27 15:09:23 2010 -0400

automake: add -Wextra to CFLAGS

...for extra warning goodness.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 20a845ba996f709a87dd879d55e1b662dd316144
Author: Suresh Jayaraman sjayara...@suse.de
Date:   Tue Jul 27 13:35:59 2010 -0400

mount.cifs: document the 'fsc' mount option

Changes since last post:
- added the information about the kernel CONFIG option
- also added the information that caching is currently enabled for 
files opened as read-only

Document the newly added local caching feature using FS-Cache. This patch
could be queued and considered once the local caching patches gets merged
upstream.

Signed-off-by: Suresh Jayaraman sjayara...@suse.de

commit 434a5945e607084a6f8f6ea1ed41ca4559eb0df8
Author: Suresh Jayaraman sjayara...@suse.de
Date:   Tue Jul 27 12:52:44 2010 -0400

mount.cifs: clarify 'fsc' mount option

Changes since last post:
- added the information about the kernel CONFIG option
- also added the information that caching is currently enabled for 
files opened as read-only

Document the newly added local caching feature using FS-Cache. This patch
could be queued and considered once the local caching patches gets merged
upstream.

Signed-off-by: Suresh Jayaraman sjayara...@suse.de

commit cdbb6556d8394618bdb81cf2c0eaaebd58e9f1cd
Author: Jeff Layton jlay...@samba.org
Date:   Tue Jul 27 12:33:33 2010 -0400

autoconf: bump version to 4.5.2

Signed-off-by: Jeff Layton jlay...@samba.org

commit 87a8a4491cc27bc8e99b4de85c3e0a2abbd4
Author: Suresh Jayaraman

Re: [Samba] Encryption

[Jeff Layton]

On Fri, 25 Jun 2010 12:20:41 -0700
Jeremy Allison j...@samba.org wrote:

 On Fri, Jun 25, 2010 at 06:54:08PM +, Dan Lenski wrote:
  On Sun, 18 Apr 2010 10:29:38 -0400, simo wrote:
  
   On Sun, 2010-04-18 at 10:05 -0400, Nico Kadel-Garcia wrote:
   
   Reviewing the docs, this tool requires Samba 3.2 or later on both the
   client and server sides. I'm therefore assuming that it's not
   compatible with a contemporary Windows fileserver: can you confirm
   this? Does anyone know if NetApp supports such encryption?
   
   It is an extension created by the Samba Team as part of unix extensions,
   and at the moment the only client that implements it is smbclient. Not
   even the in kernel cifs driver implements it. And we have no knowledge
   of any other implementer adopting it yet.
  
  Does anyone know a time-frame for inclusion of transport encryption in 
  the kernel CIFS driver?  I'm really looking forward to this feature!
 
 Steve, Jeff ping ? :-)
 

Sadly, there are enough bugs in this area that it may be a bit before
we get around to adding new features. I know Shirish was poking around
in here a while back, but I think he's working on other stuff now.

I think before we can reasonably add that we really need to move all of
the cifs crypto to use the kernel's standard crypto libs rather than the
homegrown routines they use now. There are some definite problems wrt
to unicode in there (not directly related to crypto, but it needs
fixing). NTLMSSP auth is also busted which is a rather important item.
-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] ARGH... once again samba causes permission errors. SOLVED

[Jeff Wiegley]

Ok, I was able to fix both of my problems and they are both related
to SELinux problems

First: I am assuming that you are like me and that you have an excellent
background in systems administration (I teach it at a university for a
living.) So you've configured chmod permissions and chown user and
group ownerships on directories and files to correctly allow the desired
access. You have configured samba to force a reasonable user or group
or you have logged in with reasonable user credentials.

But you're still not able to create file/folder or maybe you can't map
certain paths. You've probably been frustrated by the endless
posts and suggestions telling you to fix the fundamental things described
in the previous paragraph.

If you have taken care of the fundamental permission items but\
you are seeing either of the following:
   A) You can map a share but whenever you try to create a new
folder or file windows pops up an error dialog (Try again).
   B) You can map certain paths but now others (particularly a path
equivalent to a mount point (XFS/Raid5 filesystem in my case.

Well, I'm running CentOS 5.5 and it has SELinux enabled by default
but the context on the share path is probably not allowing samba.

you can check the context of the path with the -Z switch ls:

[r...@nas samba]# ls -ldZ /mnt
drwxr-xr-x  root root system_u:object_r:mnt_t  /mnt

In this case the context is mnt_t, you need to change the
context to samba_share_t

[r...@nas samba]# chcon -t samba_share_t /mnt/nas
[r...@nas samba]# ls -adZ /mnt/nas
drwxr-x---  nas nas system_u:object_r:samba_share_t  /mnt/nas

Now your share should both mount and allow the creation/deletion
of folders/files.

Warning: I am old, I learned system administration and practiced
it for a decade in industry before SELinux was even invented. I do
not pretend to begin to understand this [possibly overly] complicated
security system.


- Jeff


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ARGH... once again samba causes permission errors.

[Jeff Wiegley]

I've been doing unix sys. admin for nearly 20 years and yet EVERY single
time I have to setup samba I have configuration problems.

Before we start let's clear up some common misunderstandings: I have
googled for the answer. I have spent the last six hours doing so and trying
various suggestions. Most of these suggestions point to solutions
involving chown or chmod.  These are not the problems (or I will be
very surprised).

# cat /etc/samba/smb.conf
[global]
workgroup = CYTE.COM
server string = CyteNAS
netbios name = NAS
hosts allow = 127., 10.0.10.

[nas]
comment = NAS
path = /mnt/nas
force user = nas
force group = nas
read only = No

# cat /etc/samba/smbpasswd
nas:500:75891A0CAAF2F9828AE88C0FE87091EF:E8C4E8E10FEE888764D18AD4A0AC61F5:[U  
]:LCT-4C00625E:


# grep nas /etc/passwd
nas:x:500:500::/mnt/nas:/bin/bash

# grep nas /etc/group
nas:x:500:

# ls -al /mnt/nas
total 16
drwxrwxrwx 2 nas  nas  4096 May 28 17:01 .
drwxrwxrwx 3 root root 4096 May 28 15:04 ..

So before you tell me about permission problems please note the following
  1) The permissions on all the files is 777... EVERYBODY can do anything.
  2) samba IS configured to force the user and group to the owner of 
the share

  path anyways.
  3) The group and user exist and they have their passwords configured
   correctly.

I can map the share on my Windows 7 workstation. But any attempt to
create anything yields a pop-up window that says:

You need permission to perform this action
  nas(\\NAS)
  Space free: 89.7 GB
  Total size: 97.0 GB

Why am I getting ANY permission problems??? Frankly. I don't think it is
a permission problem. (I set log level to 10; the output is long so I won't
include it because I looked through it and didn't see any errors reported
or any mention of permission denied.)

GRRR!

It gets worse. a 90GB NAS storage is pretty useless. The NAS is actually
a 6TB Raid5 array with an XFS filesystem. But if I actually mount it

# /etc/init.d/smb stop
# mount /mnt/nas
# ls -al /mnt/nas
total 8
drwxrwxrwx 2 nas  nas 6 May 28 18:11 .
drwxrwxrwx 3 root root 4096 May 28 15:04 ..

see... no difference in permissions or ownership but now it is a mount
point.

Now I can't even map the samba share at all. All I get is a window
that says:

   Attemping to connect to \\NAS\nas
  (Cancel)

And it never seems to go away.

and yes, under both cases I can simply login as the user nas via
ssh and touch/mkdir or do anything I want and the files get created
just fine. Frankly I think this is another case of Windows presenting
the user with a misleading diagnostic Permission problem when
something much more fundamental is going wrong with Samba.

Please help.

- Jeff

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.5 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The rate of incoming patches has been pretty low lately, so it's
probably a good time to do a new stable release and get what's queued
up into people's hands...

This release consists of a couple of bugfixes and some (hopefully)
non-user-visible cleanups to the mount.cifs code.

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit a90771d63e85b514bc5d2101eb8a52587eca1195
Author: Jeff Layton jlay...@samba.org
Date:   Fri May 21 16:04:14 2010 -0400

cifs-utils: bump version number to 4.5

Signed-off-by: Jeff Layton jlay...@samba.org

commit 3439ca0527f103ad79e840092d06a461a36e9d72
Author: Scott Lovenberg scott.lovenb...@gmail.com
Date:   Fri May 14 19:34:26 2010 -0400

mount.cifs: cosmetic alignment patch

Align CRED_ macro values to keep style consistent with last patch.

Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com

commit 268079992cf85bfb9954b6fd4abb3eebf911a9d3
Author: Scott Lovenberg scott.lovenb...@gmail.com
Date:   Fri May 14 19:32:05 2010 -0400

mount.cifs: clean up option parsing

Moved option string parsing to function parse_opt_token(char*).  Main
loop in parse_options(const char*, struct parsed_mount_info*)
transplanted to a switch block.

The parsing function folds common options to a single macro:
1.) 'unc','target', and 'path' - 'OPT_UNC'
2.) 'dom*' and 'workg*' - 'OPT_DOM'
3.) 'nobrl' and 'nolock' - 'OPT_NO_LOCK'

Kept 'fmask' and 'dmask' (OPT_FMASK, OPT_DMASK), which fall through to
'file_mode' and 'dir_mode' in the main loop.

Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com

commit 2fcf89a2077d3ddf203b73d72985aa68c6402693
Author: Steve French smfre...@gmail.com
Date:   Fri May 14 15:30:07 2010 -0400

mount.cifs: unitialized variable in cred parsing error path

Signed-off-by: Steve French smfre...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 3f794556e3ec633dc6250ce12f76d6ba79c192a9
Author: Steve French smfre...@gmail.com
Date:   Tue May 11 09:32:34 2010 -0400

mount.cifs: turn into a multicall binary for smb2

mount.smb2 has different help (many fewer mount options) and different
fsname, but otherwise can reuse all of the good work Jeff did on
mount.cifs.  This patch allow mount.cifs to detect if run as mount.smb2
(to display different help and fsname).

Signed-off-by: Steve French smfre...@gmail.com

commit 400ebcb3bea6f21678b9e656d930a14bbd71fe7a
Author: Scott Lovenberg scott.lovenb...@gmail.com
Date:   Tue May 11 09:32:34 2010 -0400

mount.cifs: removed magic number for max username in parse_options

Replaced max username in parse_options with the sum of its potential
parts for domain/user%password formatted values. Note that forward
slashes still expand to a double back slash in the parse_username
function, though.

Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com

commit e5d3ceb9958437ef50510a578b0274615a37bcf7
Author: Jeff Layton jlay...@samba.org
Date:   Sun May 2 06:32:34 2010 -0400

mount.cifs: strip leading delimiter off of prefixpath option

...the kernel doesn't expect to see it and it causes a regression
when mounting some UNCs.

Reported-by: Ales Zelinka azeli...@redhat.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 373146ceda319fb7585439d74f216b8a94b9525b
Author: Jeff Layton jlay...@samba.org
Date:   Sun May 2 06:32:30 2010 -0400

cifs-utils: bump version number to 4.4.1 for interim builds

Signed-off-by: Jeff Layton jlay...@samba.org

- -- 
Jeff Layton jlay...@samba.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAkv26UUACgkQyP0gxQMdzIA5awCfb0nFV4qb5sOtx3KvO6xrgIFZ
SOwAoJZsCPmyTTQU/LleFWtqAvUCOf/n
=YZyG
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] smbclient -k works; mount -t cifs does not

[Jeff Layton]

On Mon, 03 May 2010 23:25:13 -0400
Mike Leone tur...@mike-leone.com wrote:

 I am confused (nothing new there ...). I have 2 Ubuntu 9.10 Samba
 servers. I am trying to mount a share from the other (i.e., workhorse
 is trying to mount a share on dual-booter). If I specify a smbmount
 command with a -k option, I can mount the share:
 
 tur...@workhorse:~$ klist
 Ticket cache: FILE:/tmp/krb5cc_1000
 Default principal: tur...@dacrib.local
 
 Valid starting ExpiresService principal
 05/03/10 18:55:31  05/04/10 04:55:31  krbtgt/dacrib.lo...@dacrib.local
   renew until 05/09/10 22:56:03
 05/03/10 23:07:07  05/04/10 04:55:31
 cifs/dual-booter.dacrib.lo...@dacrib.local
   renew until 05/09/10 22:56:03
 
 
 tur...@workhorse:~$ smbclient //dual-booter/TestShare /mnt -k
 Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
 smb: \ ls
   .  D0  Sat May  1 19:27:48 2010
   .. D0  Mon May  3 19:58:00 2010
   TestFile0  Sat May  1 19:27:48 2010
 
   37555 blocks of size 524288. 22379 blocks available
 
 However, I can't seem to mount it using mount -t cifs:
 
 $ sudo mount -t cifs //dual-booter/TestShare /mnt -o username=DACRIB+turgon
 [sudo] password for turgon:
 Password:
 mount error(13): Permission denied
 Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
 
 What I'd like to do is to set this in /etc/fstab. But there seems to be
 no way to use Kerberos to authenticate the mounting, and it's only
 Kerberos (and smbmount) that seems to work. And using the -o sec=krb5
 options on mount doesn't seem to work, either.
 
 $ sudo mount -t cifs //dual-booter/TestShare /mnt -o sec=krb5
 mount error(2): No such file or directory
 Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
 

Try using the FQDN of the server in the UNC. For instance:

   //dual-booter.dacrib.local/TestShare

 Anyone? I really don't want to have to make a script that uses smbmount
 -k, running on login, rather than in /etc/fstab.
 
 Thanks


-- 
Jeff Layton jlay...@poochiereds.net
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Printer Admin Difficulties

[Jeff Hardy]

On 04/01/2010 05:39 PM, Jeff Hardy wrote:

I have been trying to setup a new print server on Fedora 12 based around
samba-3.4.7-58.fc12.x86_64 and cups-1.4.2-28.fc12.x86_64. All looks good
except for the ability for printer administrators to manage printers.
Whether I specify users in a system group using the deprecated printer
admin option, or specifically using net rpc rights and the
SePrinterOperatorPrivilege, it does not matter. This is against an NT4
domain on samba-3.4.2.


After a tdb wipe, I ended up with no users who can manage printers. 
This at least made the behavior consistently broken.  I ended up trying 
samba 3.3 and 3.2 seeking some way to manage printers.  Only by going 
back to samba-3.2.15 built from a Fedora 10 source RPM was I able to 
restore functionality by way of the printer admin option.  The 
SePrinterOperatorPrivilege did not seem to work in any version no matter 
what I did.  Surely other folks are managing printers with sambas later 
than 3.2.x I would think.  Anyone have any experience like this?


-Jeff

--
Jeffrey M Hardy
Systems Analyst
hard...@potsdam.edu
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Cannot mount Windows 7 share with CIFS Error 112 Host is down

[Jeff Layton]

On Fri, 30 Apr 2010 15:33:23 + (UTC)
iancs...@comcast.net wrote:

 Hi. I just got a new Windows 7 Home Edition computer and am unable to mount 
 its shares on my Linux system. 
 I'm running Fedora 11, samba 3.4.7 
 I have no trouble mounting shares from XP systems on the network using the 
 mount command below. 
 I can access the Windows 7 share with no problems using smbclient on Linux. 
 The Windows 7 share is accessible from the XP systems. 
 Here is the mount command: 
 
 mount.cifs //pirin/c /mnt -o 
 user=yanko,uid=500,gid=100,file_mode=0666,dir_mode=0777,noperm,iocharset=utf8,directio,ip=192.168.1.12
  
 Password: 
 mount error(112): Host is down 
 Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) 
 
 The dmesg log has: 
 
 CIFS VFS: No response for cmd 114 mid 1 
 CIFS VFS: cifs_mount failed w/return code = -112 
 

Your client sent an SMB_COM_NEGOTIATE request and the server never
responded.

 I have not found any errors logged in Windows 7 but perhaps I don't know 
 where to look. 
 I can access the Windows 7 share with no problems using smbclient on Linux. 
 Any ideas will be very much appreciated. 

Probably a client kernel bug. Might want to post some info about what
you're using.


-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.4 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This release is primarily bugfixes in mount.cifs:

- - acquire capabilities before a couple of operations

- - fix a segfault that could occur when parsing the address list

- - autoconf/automake problem that could cause compilation to fail

- - cleanup/overhaul of credential file parsing and help ensure that
  passwords aren't left in memory

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit b046d4196855294d57bf57a5b31fbfab41125d4b
Author: Jeff Layton jlay...@samba.org
Date:   Wed Apr 28 07:13:17 2010 -0400

mount.cifs: fix parsing of password in parse_username

Signed-off-by: Jeff Layton jlay...@samba.org

commit 6c917ebf360b3dbbc4c7ad9af3e106170528aa3c
Author: Scott Lovenberg scott.lovenb...@gmail.com
Date:   Sun Apr 25 09:35:13 2010 -0400

mount.cifs: continued cleanup of open_cred_file and zero out buffer

The parsing for values has been moved to its own function and is a bit
cleaner. Temporary buffers are zeroed out before being freed to ensure
passwords/credentials aren't left in released memory.

Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com
Signed-off-by: Jeff Layton jlay...@samba.org

commit 605412558bc4b368ee656e75f80bc41d3966e1e5
Author: Scott Lovenberg scott.lovenb...@gmail.com
Date:   Fri Apr 23 06:50:34 2010 -0400

mount.cifs: clean up credential file parsing

Remove magic numbers, redundant code and extra variables from 
open_cred_file().
Remove check for domain length since strlcpy is safe from buffer overflows.

Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com

commit 72dd35b2ed2fd17e8ce2b03607c9ac942d96ff5d
Author: Jeff Layton jlay...@samba.org
Date:   Sat Apr 17 06:21:02 2010 -0400

mount.cifs: remove unneeded newline in verbose output

Signed-off-by: Jeff Layton jlay...@samba.org

commit 1876123958c3afd44becce0427755257ddf87db9
Author: Jeff Layton jlay...@samba.org
Date:   Wed Apr 14 14:11:37 2010 -0400

mount.cifs: check for NULL pointer before calling strchr()

mount.cifs calls strchr on currentaddress, which may be a NULL pointer.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 9eb040343a5917c08c80d43ef3123d796f88bf6e
Author: Jeff Layton jlay...@samba.org
Date:   Tue Apr 13 10:18:13 2010 -0400

automake: don't use @foo@ constructs in Makefile.am

...use $(foo) instead. That doesn't rely on an explicit AC_SUBST().

Reported-by: Lars Müller l...@samba.org
Signed-off-by: Jeff Layton jlay...@samba.org

commit 310ae910b548e232cc86b34896bd7010c3b1cad2
Author: Jeff Layton jlay...@samba.org
Date:   Mon Apr 12 06:55:24 2010 -0400

cifs: enable CAP_DAC_READ_SEARCH before chdir() and realpath() calls

It's possible that root won't have privileges to chdir or evaluate the
paths without that capability.

Signed-off-by: Jeff Layton jlay...@samba.org

- -- 
Jeff Layton jlay...@samba.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAkvYHpoACgkQyP0gxQMdzICiRgCfcQrHQ0k3DToY/EUvYn11FOGn
ogAAnA31wMKshao9ttY7AMAlbwf8BgW6
=LzEl
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] How to stop mount.cifs remembering password

[Jeff Layton]

On Thu, 1 Apr 2010 09:44:04 +0200
Andy Gibbs andyg1...@hotmail.co.uk wrote:

 Dear all,
 
 I'm fairly new to Samba and CIFS and, for that matter, Linux in general.
 I'm having a problem with mount.cifs as provided with Debian 5.  I'm
 afraid I cannot say what version of mount.cifs I have since doing
 mount.cifs -V does not (contrary to the message it shows when I do this)
 actually show the version, but rather how to use the program.
 
 The problem I have is that having successfully logged into a Windows shared
 folder, I can subsequently log in *without* the correct password.
 
 So...
 
 mount.cifs \\192.168.1.0\folder /mnt -o user=joebloggs,pass=correct
 umount /mnt
 mount.cifs \\192.168.1.0\folder /mnt -o user=joebloggs,pass=incorrect
 
 At this point it has remounted and given me full access, even though I've
 got my password wrong the second time (and each subsequent time).  I can
 even do -o user=user,guest.  If I change user, then I must get the
 password right at least once, but then once I have got it right, I then no
 longer need to get it right.  The problem is that anyone using the computer
 after someone has accessed the Windows share, can also then access it
 without knowing the password.
 
 As far as I can see, and I'm no expert, this is not a Windows problem since
 in Windows, connecting to the folder requires the correct password every
 time.
 
 Is there any way I can force mount.cifs to forget the correct password so
 that it requires it to be correct each time?
 
 I'm sorry if I have not provided the correct information: I will happily do
 so if told what to provide!  I have tried the Samba website and Google for
 answers, but haven't found the right search phrase.  If I've missed
 something, I'll happily just receive a link to the right page.
 
 Thanks for any help!
 
 Andy
 

The Linux cifs client aggressively shares connections to the server,
and isn't very careful about making sure that the mount options for new
mounts are considered when matching existing connections to the server.

This is a kernel bug, but not one that's trivial to fix. It's also
another good reason why it's not prudent to allow unprivileged users to
mount shares not listed in /etc/fstab.

You'll probably get more response from these sorts of questions on the
linux-cifs-cli...@samba.org mailing list. Fixing this will likely mean
significant design changes in how CIFS deals with connections to the
server.

Cheers,
-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.3 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This release is primarily to fix a few bugs that were introduced with
the mount.cifs overhaul in the last release. Most of the problems were
issues with the handling of capabilities that prevented credential files
from being accessed when mount.cifs was run by root.

There are a few other changes:

- - credential files accept parameter names consistent with mount options

- - some problems with linking are fixed

- - libcap-ng is used if it's available -- in the future, I may remove
  the older libcap code as it's far more difficult to work with. Distros
  should consider making their cifs-utils packages depend on libcap-ng
  and building against that.

- - the capability bounding set is zeroed out for greater security

- - CAP_DAC_OVERRIDE is only enabled when updating the mtab

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit e4593787a6488573fbec99e5ee604a2e25bc1e5c
Author: Jeff Layton jlay...@samba.org
Date:   Fri Apr 9 09:08:08 2010 -0400

cifs-utils: bump version number to 4.3

Signed-off-by: Jeff Layton jlay...@samba.org

commit 8d08f2b352e3521674465c21bbbd2a2a991781bd
Author: Jeff Layton jlay...@samba.org
Date:   Fri Apr 9 08:47:11 2010 -0400

autoconf: remove explicit check for prctl

...it's already checked in AC_LIBCAP

Signed-off-by: Jeff Layton jlay...@samba.org

commit c3fb3cb1376065734f1b238843d9614d1b9631f0
Author: Jeff Layton jlay...@samba.org
Date:   Tue Apr 6 15:45:00 2010 -0400

autotools: add --with-libcap autoconf option

...it's rather confusing since we can compile against libcap or libcap-ng
but this is helpful for testing.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit cad70a330c0f8db02af112d42be0b645b0ceaba2
Author: Jeff Layton jlay...@samba.org
Date:   Tue Apr 6 15:22:05 2010 -0400

mount.cifs: fix capability issues when libcap isn't present

...some #defines are missing in that case. This fixes the build for
all possible libcap/libcap-ng availability scenarios.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit aeba78abbe4f25ae77328e4ca6a67360dd4ea344
Author: Scott Lovenberg scott.lovenb...@gmail.com
Date:   Tue Apr 6 14:52:07 2010 -0400

mount.cifs: make credentials file parameters consistent with mount options

This patch makes the mount.cifs credentials file parameters consistent with
the command line parameters to remove ambiguity between the command line
parameter format and the credentials file format. That is, it parses for
both short and long form of the 'username', 'password', and 'domain'
parameters.  This patch is against the current cifs-utils-4.2.

I'm also thinking of adding a second patch that allows for parsing a
domain/user, domain%user and domain/user%password formats as allowed
from the command line.

Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com

commit 2a78385bbf879c16c538b0c78ff4e939724fafd4
Author: Jeff Layton jlay...@samba.org
Date:   Mon Apr 5 11:23:37 2010 -0400

mount.cifs: restrict capabilities further

Only the parent process will ever need CAP_DAC_OVERRIDE. The child can
get by with CAP_DAC_READ_SEARCH.

Signed-off-by: Jeff Layton jlay...@samba.org

commit da77c1b3ae934e29025d05b50eebecdbf569bfa4
Author: Jeff Layton jlay...@samba.org
Date:   Mon Apr 5 11:23:32 2010 -0400

mount.cifs: properly prune the capabilities bounding set

...libcap-ng does this in a much easier fashion. If that's not
available, then we have to do it manually.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 4b52d2fdea00107f3c23388891467bbb7f2711eb
Author: Jeff Layton jlay...@samba.org
Date:   Sun Apr 4 10:09:38 2010 -0400

mount.cifs: use libcap-ng to manage capabilities

...in preference to libcap if it's available.

Signed-off-by: Jeff Layton jlay...@samba.org

commit 0c287aa5ce5def56d901716e58943f3e9825e3a3
Author: Jeff Layton jlay...@samba.org
Date:   Sun Apr 4 09:51:31 2010 -0400

autotools: don't link mount.cifs against krb5 library

mount.cifs is being linked against the krb5 library. Fix it so that
that doesn't happen.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit 16c29a1920e48e7480595edd0ae96094d6e220c8
Author: Jeff Layton jlay...@samba.org
Date:   Sat Apr 3 07:12:06 2010 -0400

mount.cifs: fix toggle_cap_dac_override

...it clears the capability set completely, which it shouldn't do. It
also doesn't call cap_set_proc to make the new capability set active.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit 55c00c67ced28102209e640fd50bcab9d0332a7f
Author: Jeff Layton jlay...@samba.org
Date:   Sat Apr 3 06:49:43 2010 -0400

mount.cifs

Re: [Samba] how to mount shares as a user without mount.cifs setuid

[Jeff Layton]

On Thu, 8 Apr 2010 00:45:20 -0400
Chris Smith smb...@chrissmith.org wrote:

 On Wed, Apr 7, 2010 at 9:39 PM, Jeff Layton jlay...@samba.org wrote:
  Yes, we added a patch a while back to make it such that mount.cifs
  would not allow itself to run as a setuid root program unless it that
  check was compiled out.
 
  This was done due to a rather constant stream of security issues that
  were brought about when people installed mount.cifs setuid root. Since
  it had never been vetted for security, we really had no other choice to
  communicate that installing it setuid root was unsafe.
 
 Not the place for it so the inquiry is only rhetorical.
 How can you equate adding a patch preventing a sysadmin from using an
 app as designed to communicating? Communication is one thing,
 handcuffs are another.
 

Our hand was forced. After repeatedly telling people who were
installing it setuid root don't do that, we continued to get CVE's
reported from people who continued to use it that way and expected us
to treat the problem as a security issue.

Our fix was somewhat heavy-handed, but we absolutely had to make it
clear that it wasn't safe to install mount.cifs in that fashion. The
patch to remove that check was trivial (simply change one #define in
the code), but required the person building the program to
consciously override our warnings. The Debian package maintainer
wisely chose not to do so.

In any case, the point is somewhat moot now. The current mount.cifs
that ships in cifs-utils no longer prevents installation as a setuid
root program.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] how to mount shares as a user without mount.cifs setuid

[Jeff Layton]

On Thu, 08 Apr 2010 00:37:30 -0400
Gary Dale garyd...@rogers.com wrote:

 Jeff Layton wrote:
  On Wed, 07 Apr 2010 16:44:47 -0400
  Gary Dale garyd...@rogers.com wrote:
 

  I'm running Debian/Squeeze on an AMD64 system. For some reason they have 
  recently stopped shipping mount.cifs with the setuid bit set.
  
 
  That would be because it was horribly unsecure.
 

   Now it 
  appears that they have changed the internal settings to prevent it from 
  running setuid. This means that I can't define the share in fstab with 
  user and connect from my Linux user account. Mounting smb/cifs shares 
  seems to be blocked except for root.
 
  
 
  Yes, we added a patch a while back to make it such that mount.cifs
  would not allow itself to run as a setuid root program unless it that
  check was compiled out.
 
  This was done due to a rather constant stream of security issues that
  were brought about when people installed mount.cifs setuid root. Since
  it had never been vetted for security, we really had no other choice to
  communicate that installing it setuid root was unsafe.
 

  Presumably this has been done for security reasons. However, I can't 
  currently do much with my network shares unless I'm root because the 
  shares and all the files are owned by root:root. This is despite the 
  fstab setting username=my windows account name and I get prompted for 
  the password. That only seems to be used for connecting to the share, 
  not for the permissions.
 
  My Debian box hasn't joined a domain - I'm just using local accounts. I 
  mainly have the domain for some Windows boxes used by my family.
 
  How do I mount an smb/cifs share as a normal user without running 
  mount.cifs? Or if I have to mount the share as root, how can I get 
  reasonable access to the shares?
 
  
 
  You need to set the uid=/gid= options when mounting. When it's run by a
  non-root user, /bin/mount adds these options automatically.

 Except that when I run mount as a non-root user, I get the error about 
 mount.cifs not being setuid. This is generated from the user option in 
 fstab. If I remove the user option, I am told that only root can mount 
 the share. Thus my problem that normal users cannot mount smbfs/cifs 
 shares. This appears to be reserved now only for root.
 

Sorry, I should have been more clear. The uid=/gid= options will just
fix the ownership issues if you do the mount as root. It won't allow the
mount to be performed by a non-privileged user.

  It's also worthwhile to note that I've recently re-enabled the ability
  to run mount.cifs as a setuid root program in the latest cifs-utils
  release:
 
  http://linux-cifs.samba.org/cifs-utils/
 
  ...you may want to switch to using that instead if you need the ability
  to use mount.cifs in this way.

 I would except that Debian/Squeeze has its own repositories that I'd 
 prefer to stick with. Hopefully they'll catch up shortly.
 
 While the ability to run mount.cifs setuid again is appreciated, how 
 does that fit in with the horribly unsecure reasoning that led to it 
 being removed?

The code has been substantially reworked and should be far safer than
it was previously. It does privilege separation now such that the bulk
of the mount process is performed as an unprivileged user, and if
linked against the right libs, with capabilities pruned to the minimum.

At this point, I'd say it's safe enough that we no longer need to
restrict it from being installed setuid root. As always, you should
weigh carefully whether to do so in your own environment and packages.

FWIW, I have no plans to make the Fedora cifs-utils package install
mount.cifs setuid root. Part of the reason for that is that no one has
requested it.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] how to mount shares as a user without mount.cifs setuid

[Jeff Layton]

On Wed, 07 Apr 2010 16:44:47 -0400
Gary Dale garyd...@rogers.com wrote:

 I'm running Debian/Squeeze on an AMD64 system. For some reason they have 
 recently stopped shipping mount.cifs with the setuid bit set.

That would be because it was horribly unsecure.

  Now it 
 appears that they have changed the internal settings to prevent it from 
 running setuid. This means that I can't define the share in fstab with 
 user and connect from my Linux user account. Mounting smb/cifs shares 
 seems to be blocked except for root.
 

Yes, we added a patch a while back to make it such that mount.cifs
would not allow itself to run as a setuid root program unless it that
check was compiled out.

This was done due to a rather constant stream of security issues that
were brought about when people installed mount.cifs setuid root. Since
it had never been vetted for security, we really had no other choice to
communicate that installing it setuid root was unsafe.

 Presumably this has been done for security reasons. However, I can't 
 currently do much with my network shares unless I'm root because the 
 shares and all the files are owned by root:root. This is despite the 
 fstab setting username=my windows account name and I get prompted for 
 the password. That only seems to be used for connecting to the share, 
 not for the permissions.
 
 My Debian box hasn't joined a domain - I'm just using local accounts. I 
 mainly have the domain for some Windows boxes used by my family.
 
 How do I mount an smb/cifs share as a normal user without running 
 mount.cifs? Or if I have to mount the share as root, how can I get 
 reasonable access to the shares?
 

You need to set the uid=/gid= options when mounting. When it's run by a
non-root user, /bin/mount adds these options automatically.

It's also worthwhile to note that I've recently re-enabled the ability
to run mount.cifs as a setuid root program in the latest cifs-utils
release:

http://linux-cifs.samba.org/cifs-utils/

...you may want to switch to using that instead if you need the ability
to use mount.cifs in this way.

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] CIFS VFS: Send error in read

[Jeff Layton]

On Tue, 6 Apr 2010 19:28:32 +0530
Kaushal Shriyan kaushalshri...@gmail.com wrote:

 Hi,
 
 I get while installing windows XP on a I ball Laptop using unattended
 (http://unattended.sourceforge.net/)
 
 *** Trying mount.cifs \\ntinstall\install /z -o username=guest,ro,nocase
 CIFS VFS: No response to cmd 46 mid 13

No response to a SMB_COM_READ_ANDX request.

 CIFS VFS: Send error in read = -11

-11 is -EAGAIN. Usually means that sending a request timed out.

 
 CIFS VFS: No response to cmd 162 mid 17
 CIFS VFS: No response to cmd 162 mid 21
 CIFS VFS: No response to cmd 162 mid 25
 CIFS VFS: No response to cmd 162 mid 29
 CIFS VFS: No response to cmd 162 mid 33
 CIFS VFS: No response to cmd 162 mid 37
 CIFS VFS: No response to cmd 162 mid 41
 CIFS VFS: No response to cmd 162 mid 45
 CIFS VFS: No response to cmd 162 mid 49
 CIFS VFS: No response to cmd 162 mid 53
 CIFS VFS: No response to cmd 162 mid 57
 CIFS VFS: No response to cmd 162 mid 61
 CIFS VFS: No response to cmd 162 mid 65
 CIFS VFS: No response to cmd 162 mid 69
 

No response to a SMB_COM_NT_CREATE_ANDX request (an open call).

Looks like you have either a network connectivity or server problem.
What kernel is this?

-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ANNOUNCE: cifs-utils release 4.2 available for download

[Jeff Layton]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This release contains a significant overhaul of mount.cifs that is
intended to make it safer to install setuid root. With this release,
setuid capability is no longer disabled by default. Among the changes
are:

- - mount.cifs now does privilege separation. It forks very early and the
child drops privileges. Most of the mount option processing is handled
by the child. The parent simply waits for the child to exit and
proceeds with the mount and mtab update based on the child's exit
status.

- - mount.cifs uses libcap if it is available to prune its capability set

- - mount.cifs is more careful about signal handling during mtab updates

This should not however be construed as a recommendation to install
mount.cifs setuid root. As always, distributions and administrators
should weigh carefully whether they should install it that way in their
own packages and environments.

There are also a couple of patches in this release that should make
cifs.upcall work with the heimdal kerberos implementation. The git tag
for this release is also annotated and signed.

Note that the webpage URL below has changed:

webpage:http://linux-cifs.samba.org/cifs-utils/
tarball:ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit 9e2c2536f5a49ff7385ff17f0866ef1489bed671
Author: Jeff Layton jlay...@samba.org
Date:   Fri Apr 2 06:42:20 2010 -0400

cifs-utils: bump version to 4.2

- fix URL's and email addresses
- update copyright notices

Signed-off-by: Jeff Layton jlay...@samba.org

commit d52478ee762d88aa23db476639cdcb5379dddfa4
Author: Jeff Layton jlay...@redhat.com
Date:   Thu Apr 1 22:05:47 2010 -0400

cifs.upcall: run it through Lindent

...coding style cleanup.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit d946beecf6e9cc7cf6897368bed8f43b0ec61ed1
Author: Torsten Kurbad tors...@tk-webart.de
Date:   Thu Apr 1 21:47:25 2010 -0400

cifs-upcall: krb5.h inclusion quick fix

...eventually it might be better to make autoconf set -I/usr/include/krb5
or whatever and get rid of the #ifdef's here. It's a little tricky to
figure out the include dir however, so this will do for now.

Signed-off-by: Torsten Kurbad tors...@tk-webart.de

commit f5b79b44f25cdf4ba4363c7c05892af2865ce890
Author: Torsten Kurbad tors...@tk-webart.de
Date:   Thu Apr 1 21:47:18 2010 -0400

cifs-upcall: heimdal fixes

Signed-off-by: Torsten Kurbad tors...@tk-webart.de

commit 20a5ec8bd8ea3edb943adb517f378938e31f1c41
Author: Jeff Layton jlay...@redhat.com
Date:   Thu Apr 1 15:29:59 2010 -0400

mount.cifs: re-enable setuid usage

Now that mount.cifs is safe(r) we don't need to disable setuid
capability by default.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit da54228cd9e6fe144efcb2d6da87e3cbb5db5b4c
Author: Jeff Layton jlay...@redhat.com
Date:   Thu Apr 1 15:28:57 2010 -0400

mount.cifs: drop capabilities if libcap is available

Might as well be as safe as possible. Have child drop all capabilities,
and have the parent drop all but CAP_SYS_ADMIN (needed for mounting) and
CAP_DAC_OVERRIDE (needed in case mtab isn't writable by root). We might
even eventually consider being clever and dropping CAP_DAC_OVERRIDE when
root has access to the mtab.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit 810f7e4e0f2dbcbee0294d9b371071cb08268200
Author: Jeff Layton jlay...@redhat.com
Date:   Thu Apr 1 15:28:54 2010 -0400

mount.cifs: guard against signals by unprivileged users

If mount.cifs is setuid root, then the unprivileged user who runs the
program can send the mount.cifs process a signal and kill it. This is
not a huge problem unless we happen to be updating the mtab at the
time, in which case the mtab lockfiles might not get cleaned up.

To remedy this, have the privileged mount.cifs process set its real
uid to the effective uid (usually, root). This prevents unprivileged
users from being able to signal the process.

While we're at it, also mask off signals while we're updating the
mtab. This leaves a SIGKILL by root as the only way to interrupt the
mtab update, but there's really nothing we can do about that.

Signed-off-by: Jeff Layton jlay...@redhat.com

commit 294215ef969ce3ecb91063fbbb8a8c075272cc8d
Author: Jeff Layton jlay...@redhat.com
Date:   Thu Apr 1 15:19:17 2010 -0400

mount.cifs: introduce privilege separation

Much of the mount option parsing and other activities can be done by an
unprivileged process. Allocate the parsed_mount_info struct as an
anonymous mmap() segment and then fork to do the actual mount option
parsing. The child can then drop root privileges before populating the
parsed_mount_info struct. The parent

[SCM] Samba Shared Repository - branch master updated

[Jeff Layton]

The branch, master has been updated
   via  68403d4... Update URL in README.cifs-utils
  from  7d692f9... s4-rpc: fixed a talloc loop in 
continue_ntlmssp_connection()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 68403d48f8dd1061c4baa60ab23c18d15fe03557
Author: Jeff Layton jlay...@redhat.com
Date:   Fri Apr 2 06:26:09 2010 -0400

Update URL in README.cifs-utils

Signed-off-by: Jeff Layton jlay...@redhat.com

---

Summary of changes:
 README.cifs-utils |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/README.cifs-utils b/README.cifs-utils
index 2ea6a38..6da2ae6 100644
--- a/README.cifs-utils
+++ b/README.cifs-utils
@@ -3,5 +3,5 @@ part of the samba suite of tools and have been split off into 
their own
 project. Please see this webpage for information on how to acquire and
 build them:
 
-http://www.samba.org/linux-cifs/cifs-utils/
+http://linux-cifs.samba.org/cifs-utils/
 


-- 
Samba Shared Repository

[Samba] Printer Admin Difficulties

[Jeff Hardy]

(find_policy_by_hnd_internal)
  Found policy hnd[0] [] 00 00 00 00 02 00 00 00   00 00 00 00 B3 
4B 01 8A    .K..

  [0010] FF 54 00 00   .T..
[2010/03/31 13:44:33,  4] rpc_server/srv_spoolss_nt.c:377(get_printer_snum)
  short name:ZZZ
[2010/03/31 13:44:33,  3] lib/access.c:362(only_ipaddrs_in_list)
  only_ipaddrs_in_list: list has non-ip address (127.)
[2010/03/31 13:44:33,  3] lib/access.c:396(check_access)
  check_access: hostnames in host allow/deny list.
[2010/03/31 13:44:33,  2] lib/access.c:406(check_access)
  Allowed connection from 127.0.0.1 (127.0.0.1)
[2010/03/31 13:44:33, 10] smbd/share_access.c:234(user_ok_token)
  user_ok_token: share ZZZ is ok for unix user denieduser
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x20020008 to 0x00020008
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33, 10] lib/util_seaccess.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x100f000c to 0x000f000c
[2010/03/31 13:44:33,  4] printing/nt_printing.c:5733(print_access_check)
  access check was FAILURE
[2010/03/31 13:44:33,  3] 
rpc_server/srv_spoolss_nt.c:1707(_spoolss_OpenPrinterEx)

  access DENIED for printer open
[2010/03/31 13:44:33,  4] 
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
  Found policy hnd[0] [] 00 00 00 00 02 00 00 00   00 00 00 00 B3 
4B 01 8A    .K..

  [0010] FF 54 00 00   .T..
[2010/03/31 13:44:33,  4] 
rpc_server/srv_lsa_hnd.c:180(find_policy_by_hnd_internal)
  Found policy hnd[0] [] 00 00 00 00 02 00 00 00   00 00 00 00 B3 
4B 01 8A    .K..

  [0010] FF 54 00 00   .T..
[2010/03/31 13:44:33,  3] rpc_server/srv_lsa_hnd.c:218(close_policy_hnd)
  Closed policy
[2010/03/31 13:44:33,  1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
   spoolss_OpenPrinterEx: struct spoolss_OpenPrinterEx
  out: struct spoolss_OpenPrinterEx
  handle   : *
  handle: struct policy_handle
  handle_type  : 0x (0)
  uuid : 
----

  result   : WERR_ACCESS_DENIED


The only discernible difference to my eye is that for the denieduser, 
se_map_generic() is called before ultimately denying the user.


Finally, here is testparm output:


[global]
workgroup = POTSDAM
server string = Printing Server
security = DOMAIN
password server = MEGA
restrict anonymous = 2
log level = 1
log file = /var/log/samba/%m.log
max log size = 1
time server = Yes
unix extensions = No
deadtime = 5
printcap name = cups
wins server = 192.168.0.1
printer admin = @printeradmins
hosts allow = 127., 192.168.
cups options = raw
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
browsable = No

[print$]
comment = Printer Drivers for Windows
path = /usr/share/samba/print
write list = @printeradmins

[drivers]
comment = Vendor Printer Driver Paks
path = /usr/share/samba/drivers
write list = @printeradmins
create mask = 0775
directory mask = 0775


If anyone could shed light on this issue, it would be much appreciated. 
 Thank you.


-Jeff

--
Jeffrey M Hardy
Systems Analyst
hard...@potsdam.edu
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] ANNOUNCE: cifs-utils release 4.1 available for download

[Jeff Layton]

On Tue, 23 Mar 2010 23:11:17 -0700
Steve Langasek vor...@debian.org wrote:

 Hi Jeff,
 
 On Tue, Mar 23, 2010 at 10:10:44AM -0400, Jeff Layton wrote:
  This release is primarily a number of small bugfixes and cleanups. I
  wanted to do a release with those prior to the coming overhaul of
  mount.cifs to allow it to more safely be installed setuid root.
 
 Could you please provide detached GPG signatures for cifs-utils on the
 download site, so we have some cryptographic assurance of the integrity of
 the tarballs as we do for the samba tarballs?
 
 Cheers,

Good point. I'm working now on getting a cifs-utils mail alias set up
that I can stuff into the key. Once I do so, I'll go back and sign all
of the tarballs and make sure they're signed on release in the future.

Thanks,
-- 
Jeff Layton jlay...@samba.org


signature.asc
Description: PGP signature
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] [linux-cifs-client] ANNOUNCE: cifs-utils release 4.1 available for download

[Jeff Layton]

On Wed, 24 Mar 2010 07:55:09 -0400
Jeff Layton jlay...@samba.org wrote:

 On Tue, 23 Mar 2010 23:11:17 -0700
 Steve Langasek vor...@debian.org wrote:
 
  Hi Jeff,
  
  On Tue, Mar 23, 2010 at 10:10:44AM -0400, Jeff Layton wrote:
   This release is primarily a number of small bugfixes and cleanups. I
   wanted to do a release with those prior to the coming overhaul of
   mount.cifs to allow it to more safely be installed setuid root.
  
  Could you please provide detached GPG signatures for cifs-utils on the
  download site, so we have some cryptographic assurance of the integrity of
  the tarballs as we do for the samba tarballs?
  
  Cheers,
 
 Good point. I'm working now on getting a cifs-utils mail alias set up
 that I can stuff into the key. Once I do so, I'll go back and sign all
 of the tarballs and make sure they're signed on release in the future.
 
 Thanks,

Done. A new cifs-utils signing key has been generated and the existing
tarballs are now signed with it. The public key and signatures are
available at the ftp location.

ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/

I'll update the webpage with that info soon.
-- 
Jeff Layton jlay...@samba.org
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba