Re: [SCM] Samba Shared Repository - branch master updated
Amitay You did not add "|| true" to the statd-callout invocation of nfsconf like you did in nfs-linux-kernel-callout. Regards, Jim On 7/27/2020 3:07 AM, Amitay Isaacs wrote: +# If NFS_HOSTNAME not set then try to pull it out of /etc/nfs.conf +if [ -z "$NFS_HOSTNAME" ] && type nfsconf >/dev/null 2>&1 ; then + NFS_HOSTNAME=$(nfsconf --get statd name) +fi
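Review bot: The added line "NFS_HOSTNAME=$(nfsconf --get statd name)" in the quoted statd-callout hunk does not handle a non-zero exit from nfsconf, and per the reply above it lacks the "|| true" that nfs-linux-kernel-callout has. Append "|| true" to the command substitution so both callouts behave the same when nfsconf fails, and make sure the code after this block copes with NFS_HOSTNAME still being empty.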
Re: [SCM] Samba Shared Repository - branch master updated
The wrong version of this patch was pushed. The argument to simpleclass_IClassFactory_CreateInstance must be ...**ppv and the value assignment must be *ppv = (...)ret; This was discussed on the list and the corrected patch was created. On 2/24/2018 9:51 AM, Andrew Bartlett wrote: -static WERROR simpleclass_IClassFactory_CreateInstance (struct IClassFactory *d, TALLOC_CTX *mem_ctx, struct IUnknown *iunk, struct GUID *iid, struct IUnknown **ppv) +static WERROR simpleclass_IClassFactory_CreateInstance(struct IClassFactory *d, + TALLOC_CTX *mem_ctx, + struct MInterfacePointer *pUnknown, + struct GUID *iid, + struct MInterfacePointer *ppv) { struct IStream *ret; /* FIXME: Check whether IID == ISTREAM_IID */ @@ -71,8 +84,8 @@ static WERROR simpleclass_IClassFactory_CreateInstance (struct IClassFactory *d, ret->vtable = _IStream_vtable; ret->object_data = NULL; - *ppv = (struct IUnknown *)ret; - + ppv = (struct MInterfacePointer *)ret; + return WERR_OK; }
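Review bot: In the second hunk, "ppv = (struct MInterfacePointer *)ret;" assigns to the function's own copy of the parameter, so the caller never receives the new IStream while the function still returns WERR_OK. The signature in the first hunk needs "struct MInterfacePointer **ppv" and the assignment needs to be "*ppv = (struct MInterfacePointer *)ret;", as the reply above states. The FIXME about checking the IID against ISTREAM_IID is also still open in the context lines.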
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7470b9b smbc_opendir should not return EEXIST with invalid login credentials from de5e23c python: tests: Add tests for samba.posix_eadb module https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7470b9b18af282a742929d3fc90f4be5520428a1 Author: David Mulder <dmul...@suse.com> Date: Thu Nov 2 08:25:11 2017 -0600 smbc_opendir should not return EEXIST with invalid login credentials Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jim McDonough <j...@samba.org> Autobuild-User(master): Jim McDonough <j...@samba.org> Autobuild-Date(master): Thu Nov 9 01:49:06 CET 2017 on sn-devel-144 --- Summary of changes: source3/libsmb/libsmb_server.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c index b0e5926..93b9e80 100644 --- a/source3/libsmb/libsmb_server.c +++ b/source3/libsmb/libsmb_server.c @@ -351,8 +351,8 @@ SMBC_server_internal(TALLOC_CTX *ctx, "?", *pp_password); if (!NT_STATUS_IS_OK(status)) { -errno = map_errno_from_nt_status(status); cli_shutdown(srv->cli); +errno = map_errno_from_nt_status(status); srv->cli = NULL; smbc_getFunctionRemoveCachedServer(context)(context, srv); @@ -562,8 +562,8 @@ SMBC_server_internal(TALLOC_CTX *ctx, status = cli_tree_connect_creds(c, share, "?", creds); if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); cli_shutdown(c); + errno = map_errno_from_nt_status(status); return NULL; } -- Samba Shared Repository
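Review bot: In both hunks the "errno = map_errno_from_nt_status(status);" line now has to stay after cli_shutdown(), but neither the code nor the commit message (which has a subject and no body) says why, so a later cleanup could move it back. Add a one-line comment above the assignment in each place stating that cli_shutdown() may overwrite errno, and put the same explanation in the commit message body.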
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2c50bdf docs: Improve wording around 'winbind expand groups' param from 05beefd s3:winbind: unmapped Unix users must be resolved locally https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2c50bdfed06e7eff645a76dad8971eb425c3165e Author: Noel Power <noel.po...@suse.com> Date: Thu Sep 28 12:28:46 2017 +0100 docs: Improve wording around 'winbind expand groups' param Signed-off-by: Noel Power <noel.po...@suse.com> Reviewed-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jim McDonough <j...@samba.org> Autobuild-User(master): Jim McDonough <j...@samba.org> Autobuild-Date(master): Fri Sep 29 22:37:08 CEST 2017 on sn-devel-144 --- Summary of changes: docs-xml/smbdotconf/winbind/winbindexpandgroups.xml | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml index 941ba04..5a05ecf 100644 --- a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml +++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml 
@@ -12,16 +12,23 @@ parameter specifically applies to the membership of domain groups. +This option also affects the return of non nested +group memberships of Windows domain users. With the +new default "winbind expand groups = 0" winbind does +not query group memberships at all. + Be aware that a high value for this parameter can result in system slowdown as the main parent winbindd daemon must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time. The default value was changed from 1 to 0 with Samba 4.2. - Some broken applications calculate the group memberships of + Some broken applications (including some implementations of + newgrp and sg) calculate the group memberships of users by traversing groups, such applications will require - "winbind expand groups = 1". But the new default makes winbindd more reliable - as it doesn't require SAMR access to domain controllers of trusted domains. + "winbind expand groups = 1". But the new default makes winbindd + more reliable as it doesn't require SAMR access to domain + controllers of trusted domains. 0 -- Samba Shared Repository
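Review bot: The added sentence "With the new default "winbind expand groups = 0" winbind does not query group memberships at all" calls the default new, while the unchanged text below it dates the change to Samba 4.2; drop "new" or name the version so the wording does not age. In the same hunk, "non nested" should be hyphenated as "non-nested", and "by traversing groups, such applications will require" is a comma splice that this rewording could fix with a full stop.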
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ca5e109 waf: Cleanup deps list for smbd via dd2367d waf: Cleanup deps list for smbregistry from 71b69b0 Revert "ctdb-common: Use SCHED_RESET_ON_FORK when setting SCHED_FIFO" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ca5e109353864371b051b79f05f97dbef751b49e Author: Andreas Schneider <a...@samba.org> Date: Tue Oct 18 19:06:13 2016 +0200 waf: Cleanup deps list for smbd Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jim McDonough <j...@samba.org> Autobuild-User(master): Jim McDonough <j...@samba.org> Autobuild-Date(master): Tue Oct 25 21:10:37 CEST 2016 on sn-devel-144 commit dd2367dc12331974411c134247bb45fa5d71c2a1 Author: Andreas Schneider <a...@samba.org> Date: Tue Oct 18 16:05:07 2016 +0200 waf: Cleanup deps list for smbregistry Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jim McDonough <j...@samba.org> --- Summary of changes: source3/wscript_build | 25 + 1 file changed, 21 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/wscript_build b/source3/wscript_build index 6918c73..1e16062 100755 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -208,9 +208,20 @@ bld.SAMBA3_LIBRARY('smbregistry', lib/cbuf.c lib/srprs.c registry/reg_init_basic.c''', - deps='''smbd_shim tdb-wrap3 NDR_SECURITY util_tdb talloc - replace util_reg samba-util samba-security - errors3 dbwrap samba3-util''', + deps=''' +smbd_shim +tdb-wrap3 +NDR_SECURITY +util_tdb +talloc +replace +util_reg +samba-util +samba-security +errors3 +dbwrap +samba3-util +''', allow_undefined_symbols=True, private_library=True) @@ -852,7 +863,13 @@ bld.SAMBA3_SUBSYSTEM('LIBLSA', bld.SAMBA3_BINARY('smbd/smbd', source='smbd/server.c smbd/smbd_cleanupd.c', - deps='smbd_base EPMD LSASD FSSD MDSSD', + deps=''' + smbd_base + EPMD + LSASD + FSSD + MDSSD + ''', install_path='${SBINDIR}') bld.SAMBA3_BINARY('nmbd/nmbd', -- Samba Shared Repository
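Review bot: Both deps lists become one entry per line but keep their previous order (smbd_shim, tdb-wrap3, NDR_SECURITY, ... in the smbregistry hunk; smbd_base, EPMD, LSASD, ... in the smbd hunk). Sorting the entries alphabetically in this commit would make later additions easy to place and keep future diffs to single lines. The commit message should also state that no dependency was added or dropped, since that is hard to confirm by eye from the reflowed hunks.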
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3823451 nsswitch: Also set h_errnop for nss_wins functions from d8a5565 waf: Explicitly link against libnss_wins.so https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 382345126c56e26d3dbc319f1c7c1dae3c4fafc9 Author: Andreas Schneider <a...@samba.org> Date: Tue Sep 20 13:26:52 2016 +0200 nsswitch: Also set h_errnop for nss_wins functions BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jim McDonough <j...@samba.org> Autobuild-User(master): Jim McDonough <j...@samba.org> Autobuild-Date(master): Tue Sep 20 20:16:43 CEST 2016 on sn-devel-144 --- Summary of changes: nsswitch/wins.c | 9 + 1 file changed, 9 insertions(+) Changeset truncated at 500 lines: diff --git a/nsswitch/wins.c b/nsswitch/wins.c index be84f2e..dccb6dd 100644 --- a/nsswitch/wins.c +++ b/nsswitch/wins.c @@ -261,6 +261,7 @@ _nss_wins_gethostbyname_r(const char *hostname, ip = lookup_byname_backend(name); if (ip == NULL) { *errnop = EINVAL; + *h_errnop = NETDB_INTERNAL; nss_status = NSS_STATUS_NOTFOUND; goto out; } @@ -269,6 +270,7 @@ _nss_wins_gethostbyname_r(const char *hostname, wbcFreeMemory(ip); if (rc == 0) { *errnop = errno; + *h_errnop = NETDB_INTERNAL; nss_status = NSS_STATUS_TRYAGAIN; goto out; } @@ -279,6 +281,7 @@ _nss_wins_gethostbyname_r(const char *hostname, if ((he->h_name = get_static(, , namelen)) == NULL) { *errnop = EAGAIN; + *h_errnop = NETDB_INTERNAL; nss_status = NSS_STATUS_TRYAGAIN; goto out; } @@ -292,6 +295,7 @@ _nss_wins_gethostbyname_r(const char *hostname, if (get_static(, , i) == NULL) { *errnop = EAGAIN; + *h_errnop = NETDB_INTERNAL; nss_status = NSS_STATUS_TRYAGAIN; goto out; } @@ -299,6 +303,7 @@ _nss_wins_gethostbyname_r(const char *hostname, if ((he->h_addr_list = (char **)get_static( , , 2 * sizeof(char *))) == NULL) { *errnop = EAGAIN; + *h_errnop = NETDB_INTERNAL; nss_status = NSS_STATUS_TRYAGAIN; goto out; } 
@@ -306,6 +311,7 @@ _nss_wins_gethostbyname_r(const char *hostname, if ((he->h_addr_list[0] = get_static(, , INADDRSZ)) == NULL) { *errnop = EAGAIN; + *h_errnop = NETDB_INTERNAL; nss_status = NSS_STATUS_TRYAGAIN; goto out; } @@ -326,6 +332,7 @@ _nss_wins_gethostbyname_r(const char *hostname, if (get_static(, , i) == NULL) { *errnop = EAGAIN; + *h_errnop = NETDB_INTERNAL; nss_status = NSS_STATUS_TRYAGAIN; goto out; } @@ -333,12 +340,14 @@ _nss_wins_gethostbyname_r(const char *hostname, if ((he->h_aliases = (char **)get_static( , , sizeof(char *))) == NULL) { *errnop = EAGAIN; + *h_errnop = NETDB_INTERNAL; nss_status = NSS_STATUS_TRYAGAIN; goto out; } he->h_aliases[0] = NULL; + *h_errnop = NETDB_SUCCESS; nss_status = NSS_STATUS_SUCCESS; out: -- Samba Shared Repository
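Review bot: In the first hunk (@@ -261,6 +261,7 @@) the "ip == NULL" branch returns NSS_STATUS_NOTFOUND but sets "*h_errnop = NETDB_INTERNAL", which tells the caller to consult errno for an internal error. If NULL from lookup_byname_backend() means the name was not resolved, HOST_NOT_FOUND is the matching value there, with NETDB_INTERNAL kept for the inet_pton and get_static failure branches in the later hunks.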
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d8a5565 waf: Explicitly link against libnss_wins.so via 124ae4e nsswitch: Add missing arguments to wins gethostbyname* from b208499 gencache: Bail out of stabilize if we can not get the allrecord lock https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d8a5565ae647352d11d622bd4e73ff4568678a7c Author: Andreas Schneider <a...@samba.org> Date: Mon Sep 19 16:21:31 2016 +0200 waf: Explicitly link against libnss_wins.so If we do not specify replace as a depencency here, it will not link to libreplace using an rpath. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Reviewed-by: Jim McDonough <j...@samba.org> Autobuild-User(master): Jim McDonough <j...@samba.org> Autobuild-Date(master): Tue Sep 20 08:00:08 CEST 2016 on sn-devel-144 commit 124ae4e861f048fe015bff32ace4abff4d3e6c62 Author: Andreas Schneider <a...@samba.org> Date: Mon Sep 19 16:17:11 2016 +0200 nsswitch: Add missing arguments to wins gethostbyname* The errno pointer argument is missing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Reviewed-by: Jim McDonough <j...@samba.org> --- Summary of changes: nsswitch/wins.c| 51 -- nsswitch/wscript_build | 2 +- 2 files changed, 42 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/nsswitch/wins.c b/nsswitch/wins.c index fc65c03..be84f2e 100644 --- a/nsswitch/wins.c +++ b/nsswitch/wins.c 
@@ -39,10 +39,19 @@ static pthread_mutex_t wins_nss_mutex = PTHREAD_MUTEX_INITIALIZER; #define INADDRSZ 4 #endif -NSS_STATUS _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, - char *buffer, size_t buflen, int *h_errnop); -NSS_STATUS _nss_wins_gethostbyname2_r(const char *name, int af, struct hostent *he, - char *buffer, size_t buflen, int *h_errnop); +NSS_STATUS _nss_wins_gethostbyname_r(const char *hostname, +struct hostent *he, +char *buffer, +size_t buflen, +int *errnop, +int *h_errnop); +NSS_STATUS _nss_wins_gethostbyname2_r(const char *name, + int af, + struct hostent *he, + char *buffer, + size_t buflen, + int *errnop, + int *h_errnop); static char *lookup_byname_backend(const char *name) { @@ -225,8 +234,12 @@ gethostbyname() - we ignore any domain portion of the name and only handle names that are at most 15 characters long **/ NSS_STATUS -_nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, - char *buffer, size_t buflen, int *h_errnop) +_nss_wins_gethostbyname_r(const char *hostname, + struct hostent *he, + char *buffer, + size_t buflen, + int *errnop, + int *h_errnop) { NSS_STATUS nss_status = NSS_STATUS_SUCCESS; char *ip; @@ -247,6 +260,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, ip = lookup_byname_backend(name); if (ip == NULL) { + *errnop = EINVAL; nss_status = NSS_STATUS_NOTFOUND; goto out; } @@ -254,6 +268,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, rc = inet_pton(AF_INET, ip, ); wbcFreeMemory(ip); if (rc == 0) { + *errnop = errno; nss_status = NSS_STATUS_TRYAGAIN; goto out; } @@ -263,6 +278,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, namelen = strlen(name) + 1; if ((he->h_name = get_static(, , namelen)) == NULL) { + *errnop = EAGAIN; nss_status = NSS_STATUS_TRYAGAIN; goto out; } 
@@ -275,18 +291,21 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, i = sizeof(char*) - i; if (get_static(, , i) == NULL) { + *errnop = EAGAIN; nss_status = NSS_STATUS_TRYAGA
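Review bot: In the hunk at @@ -254,6 +268,7 @@, "*errnop = errno;" runs when inet_pton() returned 0, and a return of 0 means the string is not a valid address and leaves errno untouched, so the caller receives a stale value. Set a fixed code there (for example EINVAL) instead of copying errno. In the get_static() failure branches that set "*errnop = EAGAIN;", check whether the failure means the caller's buffer is too small; if so, ERANGE is the value glibc expects together with NSS_STATUS_TRYAGAIN so that the caller retries with a larger buffer.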
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 3d5ac67 Update SUSE team members with links to SUSE website from 9ff5977 Fix capitalization in the beyond samba box. http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 3d5ac67332035d16083b1c7ff00f540f1fe43fa9 Author: Jim McDonough j...@samba.org Date: Thu Jun 12 08:31:06 2014 -0400 Update SUSE team members with links to SUSE website --- Summary of changes: team/index.html |8 1 files changed, 4 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/team/index.html b/team/index.html index 0ee8571..73531ee 100755 --- a/team/index.html +++ b/team/index.html @@ -56,11 +56,11 @@ mailing list/a and start contributing to the development of Samba./p lia href=mailto:i...@samba.org;Ira Cooper/a/li lia href=http://samba.org/~sdanneman/;Steven Danneman/a/li lia href=http://samba.org/~gd;Guuml;nther Deschner/a/li -lia href=mailto:dd...@samba.org;David Disseldorp/a/li +lia href=mailto:dd...@samba.org;David Disseldorp/anbsp;(a href=https://www.suse.com/;SUSE/a)/li lia href=mailto:sfre...@samba.org;Steve French/a/li lia href=mailto:pa...@samba.org;Paul Green/a/li lia href=http://ubiqx.org/;Chris Hertel/a/li -lia href=http://samba.org/~hhetter/;Holger Hetterich/a/li +lia href=mailto:hhet...@samba.org;Holger Hetterich/anbsp;(a href=https://www.suse.com/;SUSE/a)/li lia href=http://people.su.se/~lha/;Love Houml;rnquist Aring;strand/a/li lia href=mailto:ami...@samba.org;Amitay Isaacs/a/li lia href=mailto:nivan...@samba.org;Nadezhda Ivanova/a/li 
@@ -76,9 +76,9 @@ mailing list/a and start contributing to the development of Samba./p td valign=top ul lia href=mailto:kame...@samba.org;Kamen Mazdrashki/a/li -lia href=mailto:j...@samba.org;Jim McDonough/a/li +lia href=mailto:j...@samba.org;Jim McDonough/anbsp;(a href=https://www.suse.com/;SUSE/a)/li lia href=mailto:me...@samba.org;Stefan Metzmacher/anbsp;(a href=http://www.sernet.de/en/;SerNet/a)/li -lia href=http://samba.org/~lmuelle/;Lars Muuml;ller/a/li +lia href=http://samba.org/~lmuelle/;Lars Muuml;ller/anbsp;(a href=https://www.suse.com/;SUSE/a)/li lia href=mailto:m...@samba.org;Matthieu Patou/a/li lia href=mailto:jpe...@samba.org;James Peach/a/li lia href=mailto:t...@samba.org;Tim Potter/a/li -- Samba Website Repository
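Review bot: The Holger Hetterich line in the first hunk changes the link target from http://samba.org/~hhetter/ to a mailto address in addition to adding the SUSE link, which the commit message does not mention. Either keep the original href or state in the commit message that the home page link is being replaced on purpose.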
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 1c818d6 test_smbclient_tarmode.pl: remove unneccesary arg defaults via 1424c61 test_smbclient_tarmode.pl: depend only on perl v5.10 via 2ceda6a test_smbclient_tarmode.pl: remove all ./ prefix when dealing with remote files via 7088302 test_smbclient_tarmode.pl: sanitize $DIR + whitespace via 977c26d test_smbclient_tarmode.pl: use -n flag for specifiying hostname (was ambiguous with help) via f637463 test_smbclient_tarmode.pl: enable create with exclude tests via 743593a test_smbclient_tarmode.pl: add subunit output flag via 0ebc84a test_smbclient_tarmode.pl: add test for interactive session via e236d5d test_smbclient_tarmode.pl: add extraction regex tests, verbose flag via 24067dc test_smbclient_tarmode.pl: test regex flag behaviour via 4eecb46 test_smbclient_tarmode.pl: add large file and long path tests via bd4cde8 test_smbclient_tarmode.pl: add simple wildcard test via f77f63e test_smbclient_tarmode.pl: test interactive command via 70e8053 test_smbclient_tarmode.pl: whitespace via 363601e test_smbclient_tarmode.pl: let --test run multiple tests via 45bee99 test_smbclient_tarmode.pl: sanitize input, use File::Temp instead of hardcoding temp dir via 2f30482 test_smbclient_tarmode.pl: cosmetic changes via 8540032 test_smbclient_tarmode.pl: add copyright header via 98fa4bc test_smbclient_tarmode.pl: samba 3.6.9 can print a empty attribute string via 03e1557 test_smbclient_tarmode.pl: disable failing tests for now via 97c34f3 test_smbclient_tarmode.pl: make script work on older Perl (now only need 5.14) via e879580 test_smbclient_tarmode.pl: fix a few minor typos via bfd6b7b test_smbclient_tarmode.pl: refactor, cleanup and document in POD via 60edcc7 test_smbclient_tarmode.pl: add tests for wildcard pattern (cI, cX, cF, xF). 
via 581d128 test_smbclient_tarmode.pl: add a first simple wildcard test via a8b1d58 test_smbclient_tarmode.pl: add a clean option to erase the local path via ea04ae3 test_smbclient_tarmode.pl: add test for xF via aaf59c9 test_smbclient_tarmode.pl: add test for creation w/ filelist via fa067e8 test_smbclient_tarmode.pl: add extraction test for I and X. via f764c39 test_smbclient_tarmode.pl: add tests for X and I. via 3a10b88 test_smbclient_tarmode.pl: add option to choose and run a single test via cb08034 test_smbclient_tarmode.pl: add first extraction test via c5ae61f test_smbclient_tarmode.pl: remove unused functions via d07d89a test_smbclient_tarmode.pl: add nested dirs test via 1624382 test_smbclient_tarmode.pl: refactored file related function to a File package via e70b6de test_smbclient_tarmode.pl: add test for newer than (`N` flag) via 2ef7909 test_smbclient_tarmode.pl: add test for reset mode via be54395 test_smbclient_tarmode.pl: improve incremental test via 947775e test_smbclient_tarmode.pl: add proper argument parsing for configuration. via f5325f5 initial commit of the new tarmode test script. from 6588215 Add regression test for bug #10229 - No access check verification on stream files. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1c818d6927549a1e0f18ea9a9810dc6de97d5cd1 Author: David Disseldorp dd...@samba.org Date: Tue Oct 29 12:08:57 2013 +0100 test_smbclient_tarmode.pl: remove unneccesary arg defaults The host, share and localpath arguments should not take default values. Check that these required arguments are specified. 
Signed-off-by: David Disseldorp dd...@samba.org Reviewed-by: Jim McDonough j...@samba.org Autobuild-User(master): Jim McDonough j...@samba.org Autobuild-Date(master): Tue Nov 5 16:40:20 CET 2013 on sn-devel-104 commit 1424c61a1a42abd34d71b0b48ea56be4b7fe5a9c Author: Aurélien Aptel aurelien.ap...@gmail.com Date: Mon Aug 12 16:29:41 2013 +0200 test_smbclient_tarmode.pl: depend only on perl v5.10 Signed-off-by: Aurélien Aptel aurelien.ap...@gmail.com Reviewed-by: David Disseldorp dd...@samba.org Reviewed-by: Jim McDonough j...@samba.org commit 2ceda6a730f7c9354cd6ac80f755992cc2a1d3e4 Author: Aurélien Aptel aurelien.ap...@gmail.com Date: Mon Aug 5 18:58:39 2013 +0200 test_smbclient_tarmode.pl: remove all ./ prefix when dealing with remote files Signed-off-by: Aurélien Aptel aurelien.ap...@gmail.com Reviewed-by: David Disseldorp dd...@samba.org Reviewed-by: Jim McDonough j...@samba.org commit 7088302d2469a0191f7b3e7d396575e7f688dde3 Author: Aurélien Aptel aurelien.ap...@gmail.com Date: Mon Aug 5 18:57:54 2013 +0200 test_smbclient_tarmode.pl: sanitize $DIR + whitespace Signed-off
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via c400091 Remove Google Checkout as it is being discontinued. from aa02334 Remove South Pole on request http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit c400091dbb55ea5e1e8777bac2adfe1e7860acba Author: Jim McDonough j...@samba.org Date: Fri Nov 1 10:31:55 2013 -0400 Remove Google Checkout as it is being discontinued. --- Summary of changes: donations.html | 37 + 1 files changed, 1 insertions(+), 36 deletions(-) Changeset truncated at 500 lines: diff --git a/donations.html b/donations.html index da840cd..efd39af 100755 --- a/donations.html +++ b/donations.html 
@@ -11,44 +11,9 @@ developing Samba./p h3How to donate/h3 -h4Google Checkout/h4 - -pThe preferred method of donating is Google Checkout, using the amount field and Donate link below./p - -script type=text/javascript -function validateAmount(amount){ - if(amount.value.match( /^[0-9]+(\.([0-9]+))?$/)){ - return true; - }else{ - alert('You must enter a valid donation.'); - amount.focus(); - return false; - } -} -/script -form action=https://checkout.google.com/cws/v2/Donations/622836985124940/checkoutForm; id=BB_BuyButtonForm method=post name=BB_BuyButtonForm onSubmit=return validateAmount(this.item_price_1) target=_top - input name=item_name_1 type=hidden value=Samba Donation via Software Freedom Conservancy, Inc./ - input name=item_description_1 type=hidden value=This donation to the Software Freedom Conservancy, Inc. will be earmarked for the Samba Project./ - input name=item_quantity_1 type=hidden value=1/ - input name=item_currency_1 type=hidden value=USD/ - input name=item_is_modifiable_1 type=hidden value=true/ - input name=item_min_price_1 type=hidden value=5.0/ - input name=item_max_price_1 type=hidden value=25000.0/ - input name=_charset_ type=hidden value=utf-8/ - table cellpadding=5 cellspacing=0 width=1% - tr - td align=right nowrap=nowrap width=1%#x24; input id=item_price_1 name=item_price_1 onfocus=this.style.color='black'; this.value=''; size=11 style=color:grey; type=text value=Enter Amount/ - /td - td align=left width=1% - input alt=Donate src=https://checkout.google.com/buttons/donateNow.gif?merchant_id=622836985124940amp;w=115amp;h=50amp;style=whiteamp;variant=textamp;loc=en_US; type=image/ - /td - /tr - /table -/form - h4PayPal/h4 -pDonations can also be made through PayPal, but the fees are higher. +pDonations can be made through PayPal. To use PayPal, click on the 'PayPal Donate' button below./p form action=https://www.paypal.com/cgi-bin/webscr; method=post -- Samba Website Repository
[Samba] (no subject)
Hey Gang, I'm stuck near the end of installing Samba 4 on a Debian Wheezy machine. I'm trying to connect to a Win2k AD. Basically I can't get getent passwd to show domain accounts. I also can't access shares using my credentials. What did I forget?! Here is what works: sudo net ads join -U DOMAINADMIN wbinfo -g //shows domain groups! wbinfo -u //shows domain users! I have setup symlinks from */lib/i386-linux-gnu/libnss_winbind.so* to * /lib/i386-linux-gnu/libnss_winbind.so * *smb.conf [global] workgroup = DOMAIN realm = DOMAIN.COM server string = %h server security = ADS map to guest = Bad User obey pam restrictions = Yes pam password change = Yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . unix password sync = Yes syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 dns proxy = No usershare allow guests = Yes panic action = /usr/share/samba/panic-action %d winbind separator = + winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes winbind nss info = rfc2307 idmap config SHORTDOMAINNAME:range = 500-4 idmap config SHORTDOMAINNAME:schema_mode = rfc2307 idmap config SHORTDOMAINNAME:backend = ad idmap config *:range = 70001-8 idmap config * : backend = tdb store dos attributes = Yes * *Besides getent passwd failing to show domain accounts, I get this when I attempt to authenticate via a SMB client. [2013/09/27 19:03:28.678145, 3] ../auth/ntlmssp/ntlmssp_server.c:358(ntlmssp_server_preauth) Got user=[TestUser] domain=[DOMAIN] workstation=[BADASS] len1=24 len2=154 . . 
[2013/09/27 19:03:28.681267, 3] ../source3/auth/auth.c:177(auth_check_ntlm_password) check_ntlm_password: Checking password for unmapped user [**DOMAIN]\[TestUser]@[BADASS] with the new password interface [2013/09/27 19:03:28.681359, 3] ../source3/auth/auth.c:180(auth_check_ntlm_password) check_ntlm_password: mapped user is: [**DOMAIN]\[**TestUser]@[BADASS] [2013/09/27 19:03:28.691085, 3] ../source3/auth/auth_util.c:1247(check_account) Failed to find authenticated user **DOMAIN+jjenkins via getpwnam(), denying access. [2013/09/27 19:03:28.691235, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password) check_ntlm_password: Authentication for user [jjenkins] - [**TestUser] FAILED with error NT_STATUS_NO_SUCH_USER [2013/09/27 19:03:28.691354, 3] ../source3/auth/auth_util.c:1593(do_map_to_guest_server_info) No such user jjenkins [**DOMAIN] - using guest account * -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] no per-connection smbd process?
I always see exactly two smbd processes (via ps -x), regardless of the number of client machines actively accessing files on my samba share. From what I've read, there should be a new smbd process per connection? I'm trying to use the truss command to trace system calls made by samba, so need to find the process id. This is Samba 3.6.9 on FreeBSD 9.1.
[Samba] AIX, Samba and ADS issue
public = no writeable = no guest ok = no valid users = @CINTAS+C_Acct_Alchemy_AP write list = @CINTAS+C_Acct_Alchemy_AP admin users = root [PROJECTNDEV] path = /interface_secure/Projections create mask = 0644 directory mask = 0775 public = no writeable = no guest ok = no valid users = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G write list = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G admin users = root [RYANDEV] path = /interface_secure/Ryan create mask = 0644 directory mask = 0775 public = no writeable = no guest ok = no valid users = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G write list = @CINTAS+C_MIS_Finance_G, @CINTAS+C_Acct_Cptr_App_G admin users = root krb5.conf [logging] default = /var/log/samba/krb5.log kdc = /var/log/samba/krb5.log kdc_rotate = { period = 1d version = 5 } [libdefaults] ticket_lifetime = 1d default_realm = CINTAS.FIT dns_lookup_kdc = true verify_ap_req_nofail = false default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1 clockskew = 1000 [realms] cintas.fit = { kdc = cinw08v100.cintas.fit kdc = cinw09v101.cintas.fit default_domain = cintas.fit } [domain_realm] cintas.fit = CINTAS.FIT .cintas.fit = CINTAS.FIT [appdefaults] pam = { debug = false ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 500 try_first_pass = true } /etc/pam.conf #Added for Samba authsufficientpam_winbind.so use_first_pass account sufficientpam_winbind.so use_first_pass passwordsufficientpam_winbind.so use_first_pass session optional pam_winbind.so use_first_pass /etc/security/user Changed SYSTEM= SYSTEM = compat to SYSTEM = DCE OR DCE[UNAVAIL] AND compat /usr/lib/security/methods.cfg WINDBIND: program = /opt/pware64/lib/security/WINBIND program_64 = /opt/pware64/lib/security/WINBIND options = authonly LDAP: program = /usr/lib/security/LDAP program_64 = /usr/lib/security/LDAP_64 
I’ve been combing the documentation to try and figure this out, but my head is spinning right now and I just haven’t been able to put things together to get this to work. Thanks for any help… -- Jim Thompson needgod.com
Re: [Samba] About NAS versus Samba
I use a Netgear readynas1500 as a fileserver for my Samba3/ldap domain which I've just upgraded to AD and it works fine in both cases (lots of users, though with relatively few active connections). It runs a bog standard Samba3 + winbind member server (NT or ADS) as far as I can tell. Having said that, the 2 shortcomings I have found are with windows 7 clients... troubles doing offline files (there are a bunch of tweaks, but none work perfectly) and it doesn't work too well with the libraries feature in win7 (it needs indexing of some sort that isn't provided by samba I think). BTW, would a Samba4 member server setup help with these issues? If it did, I'd upgrade even if it did invalidate warranty... cheers Jim On 11/07/2013 05:03, ferna...@lozano.eti.br wrote: Hi Cris, Hi there, Has anyone tried to configure a NAS server to authenticate users using a Samba PDC, or even a Samba4 DC (AD-compatible) or an IPA server? not in a while, but I have done a samba 3 DC This was not my question. I'm ok running samba 3 DCs. :-) Have you ever configured a NAS so it would authenticate users from your Samba DC and then serve SMB file shares (aka network drives) to Windows desktops? I'm evaluating replacing some Linux file server for a NAS product, but all them make me nervous when the vendor talks about Active Directory support and nothing else. if 3rd party support is your concern, why are you using fedora instead of RHEL? Are you trying to sell me RHEL subscriptions or help me with my question? ;-) Anything wrong about asking about Fedora on a Fedora list, or any server issue is forbidden for Fedora users? ;-) AFAIK it shouldn't matter, from a technical perspective, if the samba DC runs Fedora, Debian, Slackware, RHEL, SuSE, Ubuntu, Solaris, whatever. I am not talking about OS level FC drivers or iSCSI initiators. Either a NAS will be compatible with Samba3, Samba4, both or neither.
This depends on the SMB and MSRPC features needed by the NAS, all them application level protocols, not kernel modules. If I'll need Red Hat support for managing this system is another, unrelated, question. If the NAS vendors state they support RHEL, that's not the question either, as supporting RHEL could mean the RHEL linux kernel smbfs and cifsfs driver talks to the NAS, not the NAS talks to the Samba DC. Or else, RHEL support may mean just that the NAS talks NFS and so a RHEL machine can mount volumes from the NAS. That's not what I want. Most times I see linux servers they are simply members of a MSAD domain, not the DC themselves. But mine are. All vendors I talked to assume MSAD, and don't know about Samba. :-( Anyway Fedora is my desktop system and development workstation. The DC in question runs RHEL. But if this works I can try someday using Fedora or CentOS with the same (or other) NAS. In theory, many NASes are Linux boxes running samba, so there shouldn't be a problem, except if the web admin interface won't support a samba DC setup and I won't have SSH access to configure the NAS samba myself a cheaper nas will probably use samba, but not all NASs do. there are several commercial SMB/CIFS implementations out there. At least iomega/lenovo/emc state their NAS runs Samba. And a lot of less known vendors also. I'll buy a single, cheap NAS, not a high end EMC rack full of boxes. :-) But... will any NAS you know work with a Samba DC, or else, using an IPA server? Or will they only work with Microsoft Windows Server AD? All vendors I contacted talk only about MS Active Directory. They don't even know about NT4-style domains, which would mean a Samba3 DC should work. Besides, AFAIK a Samba4 DC isn't supported by RHEL at all -- that's why I included IPA in my question -- I'd have to use Sernet packages for Samba4. Even then, Samba4 is very new, I don't know if a NAS implementation would accept it in place of a MSAD DC.
Most vendors talk to me about vmware, exchange and sql server support. They offer me windows-only backup servers and the like. Some even offer me SAP R/3 agents, while my ERP is another one. They can only follow their standard script for windows shops. So I ask for the collective knowledge from the Fedora and Samba lists... can anyone tell me I tried this NAS and it worked? Or should I better forget about this and keep using cheap intel boxes as file servers? Am I the first linux sysadmin in the world who's considering to have a NAS replacing some file servers but keeping his samba DCs? []s, Fernando Lozano -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Security = ADS and uidnumbers
Hi JAB

I've tried this every which way, including making ranges not overlap. It looks to me to depend on this line:

idmap config BECAUSE : range = 1000-8000

If I add it, wbinfo SID-ToUID option for jingram gives a UID of 2338, but no getent passwd entry. If I remove it, getent passwd jingram gives a uidnumber in the idmap config * : range =... range.

I can't replicate the state of affairs I had in the first email where one user had the correct uidnumber - no users have the correct number now.

Does it make any difference that the BECAUSE domain trusts another domain? I've tried it on samba4 as well now. What goes on?

Does anyone have this setup working? If anyone could send me a complete smb.conf that works for them, I could start narrowing down where the problem is here.

cheers

Jim

On 4 June 2013 13:57, Jonathan Buzzard jonat...@buzzard.me.uk wrote:

On Tue, 2013-06-04 at 13:20 +0100, Jim Potter wrote:

[SNIP]

idmap config * : base_rid = 0
idmap config * : backend = tdb
idmap config * : range = 1000 - 6
# idmap config BECAUSE : default = yes
# idmap config BECAUSE : backend = ad
# idmap config BECAUSE : schema_mode = rfc2307
# idmap config BECAUSE : range= 1000-8000
# idmap config BECAUSE : cache time = 1800
### idmap alloc config:range = 5000-

Two backends with overlapping ranges, won't work. The ranges *must* be orthogonal.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
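The rule JAB states in the message above (idmap ranges must not overlap) can be checked mechanically before winbind is restarted; when two backends draw from the same numbers, two different SIDs can end up behind one Unix ID. The following is an added example, not part of the thread or of Samba. The sample configuration is constructed: only the BECAUSE range 1000-8000 comes from the posts, the default-domain ranges are assumed values, and the function names are hypothetical.

```python
import re
from itertools import combinations

# Matches an active "idmap config DOMAIN : range = VALUE" parameter (already stripped).
IDMAP_RANGE = re.compile(
    r"^idmap\s+config\s+(?P<domain>\S+?)\s*:\s*range\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)
RANGE_VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed sample: a default (*) tdb backend plus an "ad" backend for BECAUSE.
# The default range here is an assumed value chosen to overlap 1000-8000.
SAMPLE_OVERLAPPING = """\
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 5000-59999
    idmap config BECAUSE : backend = ad
    idmap config BECAUSE : schema_mode = rfc2307
    idmap config BECAUSE : range= 1000-8000
    # idmap config OLD : range = 1-999999
"""
# Same file with the default range moved clear of the BECAUSE range.
SAMPLE_DISJOINT = SAMPLE_OVERLAPPING.replace("5000-59999", "10000-59999")


def parse_idmap_ranges(conf_text):
    """Return ({domain: (low, high)}, [problem strings]) for active range lines."""
    ranges, problems = {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment markers
            continue
        match = IDMAP_RANGE.match(line)
        if not match:
            continue
        domain = match.group("domain").upper()
        value = match.group("value").strip()
        parsed = RANGE_VALUE.match(value)
        if not parsed:
            problems.append(f"line {lineno}: unparsable range {value!r} for {domain}")
            continue
        low, high = int(parsed.group(1)), int(parsed.group(2))
        if low > high:
            problems.append(f"line {lineno}: range for {domain} is inverted ({low}-{high})")
            continue
        ranges[domain] = (low, high)
    return ranges, problems


def find_overlaps(ranges):
    """Return [(domain_a, domain_b, (low, high))] for each pair of intersecting ranges."""
    overlaps = []
    for (dom_a, (a_lo, a_hi)), (dom_b, (b_lo, b_hi)) in combinations(sorted(ranges.items()), 2):
        low, high = max(a_lo, b_lo), min(a_hi, b_hi)
        if low <= high:
            overlaps.append((dom_a, dom_b, (low, high)))
    return overlaps


if __name__ == "__main__":
    for label, conf in (("overlapping", SAMPLE_OVERLAPPING), ("disjoint", SAMPLE_DISJOINT)):
        ranges, problems = parse_idmap_ranges(conf)
        print(label, ranges)
        for problem in problems:
            print("  problem:", problem)
        for dom_a, dom_b, (low, high) in find_overlaps(ranges):
            print(f"  OVERLAP: {dom_a} and {dom_b} share IDs {low}-{high}")
```

A range whose upper bound is lower than its lower bound, or whose upper bound is missing, is reported as a problem rather than silently accepted.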
[Samba] Security = ADS and uidnumbers
Hi all,

I'm trying to set up a samba (3.6.6, debian wheezy 64bit) member server on a 2008R2 domain. I'd like to be able to specify the uidnumbers users get on here in AD but I'm getting really erratic results. I've tried changing various range options, and as far as I can tell it works sometimes, but not others - don't know why.

I have 2 users I've specifically set up, with uidnumbers in their AD objects set:

jpotter - uidnumber 2449
jingram - uidnumber 2337

Here is an excerpt from getent passwd:

jingram:*:2338:2:June Ingram:/home/BECAUSE/jingram:/bin/false
jpotter:*:20007:2:Jim Potter:/home/BECAUSE/jpotter:/bin/false

- so it works for June but not Jim...

I've tried deleting all tdb files in /var/lib/samba and /var/cache/samba and rejoined domain, and these uidnumbers seem to stick. I can't find them in AD anywhere. Does anyone know what gives here?

cheers

Jim

Here is the smb.conf file:

[global]
security = ADS
workgroup = because
realm = BECAUSE.ORG.UK
log level = 3
log file = /var/log/samba/log
load printers = no
idmap cache time = 1800
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
winbind use default domain = Yes
winbind refresh tickets = yes
winbind normalize names = yes
idmap config * : base_rid = 0
idmap config * : backend = tdb
idmap config * : range = 1000 - 6
# idmap config BECAUSE : default = yes
# idmap config BECAUSE : backend = ad
# idmap config BECAUSE : schema_mode = rfc2307
# idmap config BECAUSE : range= 1000-8000
# idmap config BECAUSE : cache time = 1800
### idmap alloc config:range = 5000-
Re: [Samba] Samba4 Dc Winbind and uidNumbers
Hi All,

Sorry for late reply - I think I've got to the bottom of this...

The Domain controller winbindd needs the line

idmap_ldb:use rfc2307 = yes

This tells it to use the uidnumber from AD. The others don't seem to make a lot of difference on a DC. But I also found this:

- If the 'use rfc2307' line wasn't there when the second DC was added, that DC will make up its own uidnumbers which won't get overwritten by the ones from AD, so it's not always easy to tell that it's worked.

My top tip for a second DC:

- Set up first DC with use rfc2307 - this won't put uid/gidnumbers into AD - the DC will invent its own values
- copy the uid/gidnumbers and from your default AD users and groups from your first DC (getent passwd and getent group) and put them into the uidnumber and gidnumber attributes in AD
- now when you add your second DC make sure you have use rfc2307 and it will pick up these uidnumbers from AD and you'll have consistent numbers across all DCs.

I've found that this is part of the problem I was having with sysvol replication too - rsync would copy files over and keep uidnumbers intact, but these mapped to different users on different servers.

Does that make sense?

Jim

PS with samba4, why don't the different processes have nice names? I have a whole bunch of processes called 'samba', one of which is an LDAP server, one a kerberos server, DNS, winbind etc. It's a crazy idea, but why not call them 'ldap', 'dns', 'kerberos' etc? It might make things a bit easier..

On 27/03/2013 14:43, Jim Potter wrote:

Thanks for the replies on this. I'm on holiday at the mo, but will try it when I get home and get back to you. cheers, Jim

On Mar 27, 2013 2:21 PM, Gémes Géza g...@kzsdabas.hu wrote:

Hi,

On Wed, Mar 27, 2013 at 6:14 AM, Jim Potter jimchuf...@googlemail.com wrote:

Hi all, I'm trying to get the unix extensions working in AD. I'm obviously missing something, but I can't see what...
I've just created user Jim (using ADUC) and added a uidnumber (using ADSIEdit). From this and what I have below, user Jim should have uidNumber of 12345 (from AD) and not be prefixed with Domain name. This isn't happening. Does anyone have any idea why not? cheers, Jim Excerpt from getent passwd: saned:x:110:117::/home/saned:/bin/false FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false FASTFOOD\Guest:*:311:312::/home/FASTFOOD/Guest:/bin/false FASTFOOD\krbtgt:*:316:100::/home/FASTFOOD/krbtgt:/bin/false FASTFOOD\jim:*:319:100:Jim Chu:/home/FASTFOOD/jim:/bin/false smb.conf: [global] workgroup = FASTFOOD realm = FASTFOOD.LAN netbios name = CHIPSHOP server role = active directory domain controller dns forwarder = 62.24.199.13 log level = 3 algorithmic rid base = 1 idmap config * : range = 50001-6 idmap config * : backend = ad idmap config FASTFOOD : range = 1-5 idmap config FASTFOOD : backend = ad Hello Jim, Try adding these lines. If this doesn't work, I think you're being bitten by a known bug specific to this setup on an S4 DC. Andrew wrote a patch back in Nov-Dec, but it may not have made it into the codebase. Let me know if that doesn't work and I'll try to find that thread. I'm pretty sure someone came up with a work around. 
idmap config FASTFOOD : schema_mode = rfc2307 idmap config FASTFOOD : default = yes winbind enum users = yes winbind enum groups = yes winbind nss info = rfc2307 winbind use default domain = yes [netlogon] path = /var/lib/samba/sysvol/fastfood.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No My user from AD: dn: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Jim Chu sn: Chu givenName: Jim instanceType: 4 whenCreated: 20130317212551.0Z displayName: Jim Chu uSNCreated: 3873 name: Jim Chu objectGUID:: hXvFCY0pTUeIgltTLbnOcQ== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAUVbDu04eltc/ij6yQSUQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: jim sAMAccountType: 805306368 userPrincipalName: j...@fastfood.lan objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fastfood,DC=lan pwdLastSet: 13008029152000 userAccountControl: 66048 uidNumber: 12345 whenChanged: 20130317212824.0Z uSNChanged: 3877 distinguishedName: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba If you are running samba 4 as an AD DC (that is if you
Re: [Samba] Sysvol replication
Hi,

Sorry about late reply... I've been banging my head against replication here for a while...

GlusterFS - it seems to have problems with the extended attributes specifically on the point where the gluster FS is mounted. For example: I have a standard debian setup with sysvol in /var/lib/samba/ and mount a gluster sysvol partition here (with xattrs). I can set attributes within the partition fine, but I can't set the attributes on the sysvol folder itself, or they won't inherit properly... I also came unstuck on uidnumbers across DCs (see previous email), but I was just getting an error from GPMC saying permissions were all wrong (paraphrased!)

My next approach (not tested yet) is to get the mount point out of the share, eg:

- mount gluster FS in /srv/glusterMounts/sysvol and in here have a directory sysvol which I share as my sysvol share:

[sysvol]
path = /srv/glusterMounts/sysvol/sysvol

How do you do it to get it to work?

cheers

Jim

On 15/04/2013 08:25, Daniel Müller wrote:

For my interest!? What are your issues about gluster not working replicating sysvol?

Greetings Daniel

---
EDV Daniel Müller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 Tübingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel...@tropenklinik.de Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Jim Potter
Sent: Sunday, 14 April 2013 22:34
To: samba
Subject: [Samba] Sysvol replication

Hi all, Has anyone actually got sysvol replication working between 2 (or more) Samba4 DCs? I've tried gluster, inosync, csync and rsync and keep getting stuck on issues with the extended attributes. Is there a roadmap or any clues of a date when MSFRS or DFS replication will be part of Samba4? thanks again, Jim
Re: [Samba] Sysvol replication
Hi Thomas,

Does this remove GPOs when you delete them from one server though? I tried inosync with limited success (worked, but owners wrong (see previous email))

With rsync you have a master-slave setup don't you? So do you need to remember to specify which DC you want to connect to when you run GPMC, or otherwise it all gets out of sync, right?

cheers,

Jim

On 15/04/2013 10:10, Thomas Manninger wrote:

Hello, rsync with -av parameters?

*Sent:* Sunday, 14 April 2013 at 22:34
*From:* Jim Potter jimchuf...@googlemail.com
*To:* samba samba@lists.samba.org
*Subject:* [Samba] Sysvol replication

Hi all, Has anyone actually got sysvol replication working between 2 (or more) Samba4 DCs? I've tried gluster, inosync, csync and rsync and keep getting stuck on issues with the extended attributes. Is there a roadmap or any clues of a date when MSFRS or DFS replication will be part of Samba4? thanks again, Jim
Re: [Samba] Sysvol replication
OK I missed the selinux bit...

Where is your glusterFS mounted in relation to the sysvol share? My problem seemed to be propagating permissions/xattributes across the mount point.

Jim

On 29/05/2013 11:30, Giedrius wrote:

Hi, 5 DC's working with GlusterFS 3.4.0~qa9

You *must* mount glusterfs volume with -o acl,selinux

The real filesystem can be mounted without implicitly specifying -o acl,user_xattr but others are having problems with this

My setup: 5x openSUSE 12.3 x86_64 / 12.2 x86_64 btrfs for backend gluster 3.4.0~qa9-28.3

2013.04.14 23:34, Jim Potter wrote:

Hi all, Has anyone actually got sysvol replication working between 2 (or more) Samba4 DCs? I've tried gluster, inosync, csync and rsync and keep getting stuck on issues with the extended attributes. Is there a roadmap or any clues of a date when MSFRS or DFS replication will be part of Samba4? thanks again, Jim
Re: [Samba] Sysvol replication
Hi Robert,

The sysvol share (or possibly AD users and computers) is really pedantic about attributes. I've got it all working so that it looks fine (replication works by whatever means) but ADUC kicks up errors. For rsync I get permission errors (different uidnumbers for specific users and groups on different servers), but with gluster it says it can't set the permissions and dies. I haven't tried DRBD...

What you are proposing looks more like 1 active DC with a failover solution rather than having multiple DCs running simultaneously, right? I hadn't really looked at that... I was just following the MS approach of 'you need multiple DCs if you are doing anything serious' model. That would be worth a look in some scenarios, but where I am I've got ~850 workstations in a school (so all log in within 5 minutes of each other at the start of each lesson) so the ability to add DCs until they can handle the load is pretty essential.

cheers

Jim

On 29/05/2013 21:45, Sandbox wrote:

Hi I thinking about HA+DRBD, you can mount the partition with acl, user_xattr settings, I using this method for shares, this should work with the sysvol directory too?! Btw,is it possible to store the PDC's *.tdb files on that kind of partition and when the PDC dies the BDC's HA mounts the shares/tdb/sysvol partitions and loads the correct smb.conf. For me it make sense, since all data is available only for the active server. Of course you have to back up the tdb files with tdbbackup. Regards, Robert

On 2013-05-29 09:30, Jim Potter wrote:

Hi, Sorry about late reply... I've been banging my head against replication here for a while... GlusterFS - it seems to have problems with the extended attributes specifically on the point where the gluster FS is mounted. For example: I have a standard debian setup with sysvol in /var/lib/samba/ and mount a gluster sysvol partition here (with xattrs). I can set attributes within the partition fine, but I can't set the attributes on the sysvol folder itself, or they won't inherit properly... I also came unstuck on uidnumbers across DCs (see previous email), but I was just getting an error from GPMC saying permissions were all wrong (paraphrased!) My next approach (not tested yet) is to get the mount point out of the share, eg: - mount gluster FS in /srv/glusterMounts/sysvol and in here have a directory sysvol which I share as my sysvol share:

[sysvol]
path = /srv/glusterMounts/sysvol/sysvol

How do you do it to get it to work? cheers Jim

On 15/04/2013 08:25, Daniel Müller wrote:

For my interest!? What are your issues about gluster not working replicating sysvol? Greetings Daniel

---
EDV Daniel Müller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 Tübingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel...@tropenklinik.de Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Jim Potter
Sent: Sunday, 14 April 2013 22:34
To: samba
Subject: [Samba] Sysvol replication

Hi all, Has anyone actually got sysvol replication working between 2 (or more) Samba4 DCs? I've tried gluster, inosync, csync and rsync and keep getting stuck on issues with the extended attributes. Is there a roadmap or any clues of a date when MSFRS or DFS replication will be part of Samba4? thanks again, Jim
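The rsync failure described in the message above (different uidnumbers for the same users and groups on different servers, so files copied with numeric owners land on the wrong account) can be detected by comparing `getent passwd` output from each DC. The following is an added example, not part of the thread or of Samba. Both dumps are constructed; only the FASTFOOD domain name, the jim account and uidNumber 12345 are taken from the posts, and the function names are hypothetical.

```python
# Constructed getent passwd output from two DCs. On DC2, jim has a locally
# invented uid that is the same number DC1 uses for Guest.
DC1_PASSWD = r"""saned:x:110:117::/home/saned:/bin/false
FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false
FASTFOOD\Guest:*:3000011:100::/home/FASTFOOD/Guest:/bin/false
FASTFOOD\jim:*:12345:100:Jim Chu:/home/FASTFOOD/jim:/bin/false
FASTFOOD\june:*:3000020:100:June:/home/FASTFOOD/june:/bin/false
"""
DC2_PASSWD = r"""saned:x:111:117::/home/saned:/bin/false
FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false
FASTFOOD\Guest:*:3000012:100::/home/FASTFOOD/Guest:/bin/false
FASTFOOD\jim:*:3000011:100:Jim Chu:/home/FASTFOOD/jim:/bin/false
FASTFOOD\june:*:3000020:100:June:/home/FASTFOOD/june:/bin/false
"""


def parse_passwd(text, domain_only=True):
    """Parse passwd-format text into {lowercased name: uid}.

    With domain_only=True only DOMAIN\\name entries are kept, so local system
    accounts that legitimately differ between hosts are ignored. Set it to
    False when 'winbind use default domain = yes' strips the prefix.
    """
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank or malformed line
        name = fields[0].lower()
        if domain_only and "\\" not in name:
            continue
        entries[name] = int(fields[2])
    return entries


def compare_dcs(passwd_a, passwd_b, domain_only=True):
    """Return (uid_differs, cross_mapped) for two getent passwd dumps.

    uid_differs:  [(name, uid_on_a, uid_on_b)] for accounts whose uid differs.
    cross_mapped: [(uid, name_on_a, name_on_b)] for uids owned by different
                  accounts; files copied with numeric ids change owner here.
    """
    a = parse_passwd(passwd_a, domain_only)
    b = parse_passwd(passwd_b, domain_only)
    uid_differs = sorted(
        (name, a[name], b[name]) for name in a.keys() & b.keys() if a[name] != b[name]
    )
    owner_a = {uid: name for name, uid in a.items()}
    owner_b = {uid: name for name, uid in b.items()}
    cross_mapped = sorted(
        (uid, owner_a[uid], owner_b[uid])
        for uid in owner_a.keys() & owner_b.keys()
        if owner_a[uid] != owner_b[uid]
    )
    return uid_differs, cross_mapped


if __name__ == "__main__":
    differs, crossed = compare_dcs(DC1_PASSWD, DC2_PASSWD)
    for name, uid_a, uid_b in differs:
        print(f"{name}: uid {uid_a} on DC1, {uid_b} on DC2")
    for uid, name_a, name_b in crossed:
        print(f"uid {uid}: owned by {name_a} on DC1 but {name_b} on DC2")
```

The second list is the one that matters for a replicated sysvol: every uid in it names a different account depending on which DC reads the file.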
Re: [Samba] Error Message while joining a Domain as a DC
This looks like a kerberos error - can you kinit administrator and get a password prompt on the new DC? If not, check resolv.conf on new DC points at existing DC and check the realm details in krb5.conf

Jim

On 29/05/2013 20:18, Ulrich Schneider wrote:

I joined an existing domain according to: https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC My var/log.samba shows the following error message ... and unfortunately ... I have no idea what that means.

[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
[2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database. [2013/05/29 20:48:00, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database. [2013/05/29 20:58:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database. [2013/05/29 20:58:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database. [2013/05/29 20:58:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database. [2013/05/29 20:58:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database. 
[2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last): [2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: File /usr/local/samba/sbin/samba_dnsupdate, line 506, in module [2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: get_credentials(lp) [2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: File /usr/local/samba/sbin/samba_dnsupdate, line 119, in get_credentials [2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename) [2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for SERVERT$@GYM-FEU.LOCAL failed (Cannot contact any KDC for requested realm) [2013/05/29 21:08:01, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: ulrich@servert:/usr/local/samba$ -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Sysvol replication
Hi all, Has anyone actually got sysvol replication working between 2 (or more) Samba4 DCs? I've tried gluster, inosync, csync and rsync and keep getting stuck on issues with the extended attributes. Is there a roadmap or any clues of a date when MSFRS or DFS replication will be part of Samba4? thanks again, Jim
[Samba] Printing defaults and registry.tdb
Hi all,

I'm still having problems with certain print drivers with samba displaying the defaults/preferences differently (==wrongly) from a samba share compared with a windows share (driver in question is HP universal 32bit, but I also have trouble with a load of other drivers such as all Ricoh PCL6 I've tried).

I'm now pretty sure it's to do with how the settings are saved in registry.tdb - comparing the tdb entries with the matching entries on a windows print server there are differences.

Is there any documentation on how stuff is stored in registry.tdb? I really need to get this working. I assume it's a bug in there somewhere and I'd really like to fix it, so any help would be great. Do I need to get onto the samba-technical list for this?

cheers

Jim
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 28da1af winbindd: Avoid a fd leak when we can not fork from f61ee72 pylibsmb: Avoid a segfault if no credentials are passed to libsmb.Conn() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 28da1af476853e6b49765bd04a496163e8ebd448 Author: Volker Lendecke v...@samba.org Date: Tue Apr 9 16:37:29 2013 +0200 winbindd: Avoid a fd leak when we can not fork Signed-off-by: Volker Lendecke v...@samba.org Signed-off-by: Jim McDonough j...@samba.org Autobuild-User(master): Jim McDonough j...@samba.org Autobuild-Date(master): Tue Apr 9 20:27:27 CEST 2013 on sn-devel-104 --- Summary of changes: source3/winbindd/winbindd_dual.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index e1e45d4..34896d5 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -1398,6 +1398,8 @@ static bool fork_domain_child(struct winbindd_child *child) if (child-pid == -1) { DEBUG(0, (Could not fork: %s\n, strerror(errno))); + close(fdpair[0]); + close(fdpair[1]); return False; } -- Samba Shared Repository
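Review bot: in the fork-failure branch of fork_domain_child() the two added close() calls run between the DEBUG that prints strerror(errno) and "return False", so the log message is right but errno itself can be overwritten by close() before the caller sees the failure. If any caller inspects errno after a False return, save it ahead of the closes and restore it before returning (int saved_errno = errno; ... errno = saved_errno;). The commit message could also say where fdpair is created, since the hunk does not show it and a reader cannot tell from these lines whether any other early return after that point still leaves both ends open.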
[Samba] Samba4 Dc Winbind and uidNumbers
Hi all, I'm trying to get the unix extensions working in AD. I'm obviously missing something, but I can't see what... I've just created user Jim (using ADUC) and added a uidnumber (using ADSIEdit). From this and what I have below, user Jim should have uidNumber of 12345 (from AD) and not be prefixed with Domain name. This isn't happening. Does anyone have any idea why not? cheers, Jim Excerpt from getent passwd: saned:x:110:117::/home/saned:/bin/false FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false FASTFOOD\Guest:*:311:312::/home/FASTFOOD/Guest:/bin/false FASTFOOD\krbtgt:*:316:100::/home/FASTFOOD/krbtgt:/bin/false FASTFOOD\jim:*:319:100:Jim Chu:/home/FASTFOOD/jim:/bin/false smb.conf: [global] workgroup = FASTFOOD realm = FASTFOOD.LAN netbios name = CHIPSHOP server role = active directory domain controller dns forwarder = 62.24.199.13 log level = 3 algorithmic rid base = 1 idmap config * : range = 50001-6 idmap config * : backend = ad idmap config FASTFOOD : range = 1-5 idmap config FASTFOOD : backend = ad winbind nss info = rfc2307 winbind use default domain = yes [netlogon] path = /var/lib/samba/sysvol/fastfood.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No My user from AD: dn: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Jim Chu sn: Chu givenName: Jim instanceType: 4 whenCreated: 20130317212551.0Z displayName: Jim Chu uSNCreated: 3873 name: Jim Chu objectGUID:: hXvFCY0pTUeIgltTLbnOcQ== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAUVbDu04eltc/ij6yQSUQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: jim sAMAccountType: 805306368 userPrincipalName: j...@fastfood.lan objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fastfood,DC=lan pwdLastSet: 13008029152000 userAccountControl: 66048 uidNumber: 12345 whenChanged: 
20130317212824.0Z uSNChanged: 3877 distinguishedName: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan
Re: [Samba] Samba4 issue: roaming profile mismatch betweens W2k/XP machines due to enabled o
Hi Lucas,

This is normal. When a user logs in, everything from user profile is copied to c:\docs and settings\username and when they log out everything is copied back, but nothing is deleted. As a result, you get all manner of junk building up in your profile, it's not easy to delete and logins just get slower and slower as all this is copied about.

I get round this by redirecting desktop to either a read only share or to a subdirectory of networked my docs folder. Also I use preexec scripts to manage user profile.

Hope that helps

Jim

On Mar 27, 2013 12:04 PM, ?icro MEGAS microme...@mail333.com wrote:

Samba 4.0.4 installed, provisioned by classicupgrade, running on Debian Squeeze: The issue is, that changes to the roaming profile is not transferred after log ins/outs between Win2K and XP machine. In example: I log into the W2k machine with my testuser and create a testdir1 and testdir2 on the Desktop. I logoff again. I check with ls -l if these directories was created on samba4 side at the file system (profiles share path). The test directories were created and the permissions + acls looks fine. Now I logon with this testuser at winXP machine. I can see testdir1 + testdir2 on the desktop. Now I delete testdir1 and create a new dir called fromxphost. So I see on the XP machine two dirs, called testdir2 + fromxphost. I logoff from the XPhost and log into the w2k machine again. Here is the issue -- I see three directories, called testdir1, testdir2 and fromxphost. When I logoff now again, these 3 directories will of course saved exactly like this onto the roaming profile. When the user logs into XP machine afterwards, he also will see these 3 directories. I have tested various user account and w2k/xp hosts. When I add/delete directories on this way to the w2k host logged on, no problem occurs. The user sees the updated directories. The problem occurs when the user switches from W2K --to--- XP host, or vice-versa.

I think I have found out the reason of my problem with w2k clients and roaming profile mismatch -- samba4 uses offline caching which I cannot explain why so? In samba3 there was an option in smb.conf called csc policy or something like that. But smb.conf in samba4 doesn't seem to exist. I have realized that a Windows XP client in my samba4 domain writes warning to the event log that offline caching on the roaming profile was detected ! Unfortunately I see no way to disable that on samba4 server. Exact the same issue was mentioned by another user in February on the samba list here: http://samba.2283325.n4.nabble.com/Offline-Caching-td4357156.html With WinXP and Win7 there seems no problem as the content of the roaming profile seems to be saved/loaded correctly. Didn't realize any mismatch issues with WinXP/Win7 clients before. But on W2k clients it does NOT :( that's really a big issue in my case, cause we still have about 15-20 W2k clients in prod. environment. At luck I am not migrated yet to Samba4 on prod.env. cause I am still testing on my isolated test environment where I test with various Win2k, WinXP and Win7 clients. Under this circumstances I **CANNOT** migrate my samba3 domain to the new samba4 domain, as all my W2k clients would show this issue. Any information on developer side regarding this offline caching mechanism on samba4 ? any help, hint, info is really appreciated.

Lucas (local@irc)
Re: [Samba] Samba4 Dc Winbind and uidNumbers
Thanks for the replies on this. I'm on holiday at the mo, but will try it when I get home and get back to you. cheers, Jim On Mar 27, 2013 2:21 PM, Gémes Géza g...@kzsdabas.hu wrote: Hi, On Wed, Mar 27, 2013 at 6:14 AM, Jim Potter jimchuf...@googlemail.com wrote: Hi all, I'm trying to get the unix extensions working in AD. I'm obviously missing something, but I can't see what... I've just created user Jim (using ADUC) and added a uidnumber (using ADSIEdit). From this and what I have below, user Jim should have uidNumber of 12345 (from AD) and not be prefixed with Domain name. This isn't happening. Does anyone have any idea why not? cheers, Jim Excerpt from getent passwd: saned:x:110:117::/home/saned:/bin/false FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false FASTFOOD\Guest:*:311:312::/home/FASTFOOD/Guest:/bin/false FASTFOOD\krbtgt:*:316:100::/home/FASTFOOD/krbtgt:/bin/false FASTFOOD\jim:*:319:100:Jim Chu:/home/FASTFOOD/jim:/bin/false smb.conf: [global] workgroup = FASTFOOD realm = FASTFOOD.LAN netbios name = CHIPSHOP server role = active directory domain controller dns forwarder = 62.24.199.13 log level = 3 algorithmic rid base = 1 idmap config * : range = 50001-6 idmap config * : backend = ad idmap config FASTFOOD : range = 1-5 idmap config FASTFOOD : backend = ad Hello Jim, Try adding these lines. If this doesn't work, I think you're being bitten by a known bug specific to this setup on an S4 DC. Andrew wrote a patch back in Nov-Dec, but it may not have made it into the codebase. Let me know if that doesn't work and I'll try to find that thread. I'm pretty sure someone came up with a work around. 
idmap config FASTFOOD : schema_mode = rfc2307 idmap config FASTFOOD : default = yes winbind enum users = yes winbind enum groups = yes winbind nss info = rfc2307 winbind use default domain = yes [netlogon] path = /var/lib/samba/sysvol/fastfood.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No My user from AD: dn: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Jim Chu sn: Chu givenName: Jim instanceType: 4 whenCreated: 20130317212551.0Z displayName: Jim Chu uSNCreated: 3873 name: Jim Chu objectGUID:: hXvFCY0pTUeIgltTLbnOcQ== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAUVbDu04eltc/ij6yQSUQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: jim sAMAccountType: 805306368 userPrincipalName: j...@fastfood.lan objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fastfood,DC=lan pwdLastSet: 13008029152000 userAccountControl: 66048 uidNumber: 12345 whenChanged: 20130317212824.0Z uSNChanged: 3877 distinguishedName: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba If you are running samba 4 as an AD DC (that is if you specify: server role = active directory domain controller) you will need to configure winbind inside the samba binary. The settings you have are obeyed by the winbind binary which should be run e.g. on a member server, so you need to replace them with: idmap_ldb:use rfc2307 = yes that is the only settings (it defaults to no) which can affect winbind behavior on an AD DC. 
Regards Geza Gemes
Re: [Samba] Printer drivers
Hi Fabian,

Yes - here is (excerpt from) my setup. You also need to set permissions on shares so printer admins can write driver files and everybody can print. I think you need architecture folders under print$ (W32X86 etc) and set SePrintOperatorPrivilege for users to set up printers. I got it all working OK (samba 3.5.6), but I do still have troubles with printer properties in some drivers. I suspect it might work better in samba3.3 and older but have not got as far as testing this.

Jim

[global]
    ..
    load printers = yes
    printing = cups
    printcap name = cups
    #show add printer wizard = no
    use client driver = no
    force printername = yes
    # cups options = raw

[print$]
    comment = windows printer drivers
    path = /var/lib/samba/printers
    browseable = no
    guest ok = yes
    read only = no
    create mask = 0664
    directory mask = 775
    force group = print operators

[printers]
    comment = all printers
    path = /var/spool/samba
    printable = yes
    writeable = no
    guest ok = no
    create mask = 0700
    browseable = no

On 18 March 2013 04:46, Fabian von Romberg fromberg...@hotmail.com wrote:

Hi, is it possible to have printer driver on samba and when the user wants to use a particular printer can install the drivers automatically from samba? Thanks in advance and regards, Fabian
Re: [Samba] There are no currently logon servers available when mappingwith net use
Just a thought - you say its an intermittent problem and you have 2 DCs, right? It isn't just going wrong when it uses one server but not the other to log on is it? Try forcing it to log on to each server individually (eg unplug ethernet on each as you log on for a moment when no-one is using network) I don't like the look of the backslash in your [netlogon] admin users either. Why not just leave the entire line out? Jim On 18 March 2013 17:56, Marcio Oli marcio.oli...@gmail.com wrote: Hi TMason, Jim and Daniel. I don't know what more to do. Follow the informations to all you help me if possible. 1) .. PDC, BDC and domain member have the same version of linux, but just the domain member has a different version of samba. pdc Linux 2.6.32-220.17.1.el6.x86_64 x86_64 GNU/Linux Red Hat Enterprise Linux Server release 6.2 (Santiago) Samba: Version 3.5.10-116.el6_2 bdc Linux 2.6.32-220.17.1.el6.x86_64 x86_64 GNU/Linux Red Hat Enterprise Linux Server release 6.2 (Santiago) Samba: Version 3.5.10-116.el6_2 member of domain Linux 2.6.32-220.17.1.el6.x86_64 GNU/Linux Red Hat Enterprise Linux Server release 6.2 (Santiago) Samba: Version 3.5.6-86.el6_1.4 2) .. 
- About windows registry (client windows7 professional) and gpedit.msc, I altered these ones: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters] DomainCompatibilityMode=dword:0001 DNSNameResolutionRequired=dword: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System] SlowLinkDetectEnabled=dword: DeleteRoamingCache=dword:0001 WaitForNetwork=dword:0050 CompatibleRUPSecurity=dword:0001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\System] SlowLinkDetectEnabled=dword: DeleteRoamingCache=dword:0001 WaitForNetwork=dword:0050 CompatibleRUPSecurity=dword:0001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] SyncForegroundPolicy=dword:0001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon] SyncForegroundPolicy=dword:0001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon] SyncForegroundPolicy=dword:0001 [HotKeyLocalMachine\System\CurrentControlSet\Services\Netlogon\Parameters] DWORD RequireSignOrSeal = 1 DWORD RequireStrongKey = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] “RunLogonScriptSync”=dword:0001 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters] ExpectedDialupDelay=dword:001e NegativeCachePeriod=dword:00014a78 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters] MaxPacketSize=dword:0001 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters] DisableDHCPMediaSense=dword:0001 3) .. - Dfs and dfs proxy are with default values of samba. 4) .. Yes, I use wins. My wins server is the PDC. 5) .. Look at the authentication of your member server, does the server authenticate right against your PDC/BDC? So, how do I verify this? 6) .. 
Sometimes, but not always, at user's log of samba appears (on the logon moment): # tail -f log.marcio.oliveira [2013/03/15 19:14:11.779186, 1] smbd/service.c:1070(make_connection_snum) pgt019874 (:::10.0.3.16) connect to service netlogon initially as user marcio.oliveira (uid=0, gid=1001) (pid 10342) [2013/03/15 19:14:13.073811, 0] passdb/pdb_ldap.c:4642(ldapuser2displayentry) sid S-1-5-21-4007841154-2593654838-2170425582-2998 does not belong to our domain [2013/03/15 19:15:06.379204, 1] smbd/service.c:1251(close_cnum) pgt019874 (:::10.0.3.16) closed connection to service netlogon Thanks, Marcio Oliveira 2013/3/18 Daniel Müller muel...@tropenklinik.de Look at the authentication of your member server, does the server authenticate right against your PDC/BDC? Which version of Samba? what about using dfs or dfs proxy on your PDC/BDC to map the share? Do you use WINS? --- EDV Daniel Müller Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 Tübingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel
Re: [Samba] Samba (3.6.12) - Different Home Directories for Different Users
Hi,

I have a similar setup (complex home directory setup) and I use the root preexec option to do it. See the 'id $1 | grep staff' bit below to check group membership. I found that 'id auser' works much better than 'groups auser'. Don't know why, but groups sometimes takes a few moments to run, and the share is not accessible until the script has finished.

Hope that helps,
Jim

From smb.conf:

[homes]
    comment = windows home directory
    path = /srv/nas/BEC/%U/home
    root preexec = /bin/bash /srv/scripts/home.sh %U /srv/nas/BEC
    read only = no
    browseable = no
    csc policy = documents
    hide files = /desktop.ini/$RECYCLE.BIN/recycled/
    veto files = /*.bat/
    vfs objects = recycle

/srv/scripts/home.sh:

#!/bin/bash
# Run by Samba as root: home.sh <user> <repository>
if [ -z "$2" ]
then
    echo no repository specified
    exit 0
fi
if [ ! -d "$2/$1" ]
then
    # Create the per-user directory tree
    mkdir -p "$2/$1/home/AutoBackup"
    mkdir -p "$2/$1/myDocs/Desktop"
    mkdir "$2/$1/myDocs/Downloads"
    mkdir "$2/$1/myDocs/My Music"
    mkdir "$2/$1/myDocs/My Pictures"
    mkdir "$2/$1/myDocs/My Videos"
    mkdir "$2/$1/myDocs/OpenOffice backups"
    mkdir "$2/$1/myDocs/OpenOffice templates"
    mkdir -p "/srv/recycled/$1"
    ln -ns "$2/$1/myDocs" "$2/$1/home/myDocs"
    ln -ns "/srv/recycled/$1" "/srv/users/$1/home/recycled"
    # Staff members also get an archive area
    if id "$1" | grep staff >/dev/null; then
        mkdir -p "$2/$1/archive"
        ln -ns "/srv/recycled/$1" "$2/$1/archive/recycled"
        ln -s msdfs:personalTest\\archive "$2/$1/archive"
    fi
    chown -R "$1:Domain admins" "$2/$1" "/srv/recycled/$1"
    chmod -R 770 "$2/$1" "/srv/recycled/$1"
    chmod 570 "$2/$1/home"
fi

On 15/03/2013 20:59, TMason wrote:

Hello, I am using Samba (3.6.12) with Gentoo Linux (Kernel Version 3.7.10) and I have a system integrated with Active Directory (the Microsoft Windows servers are running 2008 Enterprise Edition, Release 2). All is well on that front (I can log in, directories are created, etc.) What I would like to do now is have different /etc/skel directories for different groups.
So, for example, if someone from the Finance department logs in one set of default settings are copied for that person but if someone from sales logs in another set of default settings are copied over for that user. How can I do this with Samba/Linux? Thank you for your time. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
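An added example, not part of either post and not Samba project code: a root preexec helper in the style of home.sh that checks the %U value before using it as a path component (the script runs as root) and picks a skeleton directory by group membership, which is what the original question asks for. The skeleton paths, group names, script path and function names are assumptions; `id -z` needs GNU coreutils, and plain user names assume `winbind use default domain = yes`.

```shell
#!/bin/sh
# Added example: per-group skeleton selection for a Samba root preexec hook.
# Assumed smb.conf line: root preexec = /bin/sh /srv/scripts/skel-home.sh %U /srv/nas/BEC
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# Constructed sample mapping, "group=skeleton" per line; earlier lines win.
SKEL_MAP='finance=/etc/skel.finance
sales=/etc/skel.sales'
DEFAULT_SKEL=/etc/skel

# Accept only names that are safe as one path component and as an argument.
valid_username() {
    case "$1" in
        ""|.|..|-*) return 1 ;;          # empty, dot entries, option-like
        *[!A-Za-z0-9._-]*) return 1 ;;   # slashes, backslashes, spaces, ...
    esac
    return 0
}

# $1 is a newline-separated list of group names. Whole-line matching keeps
# a group such as "sales staff" from being mistaken for "sales".
skel_for_groups() {
    _skel=$(printf '%s\n' "$SKEL_MAP" | while IFS='=' read -r _grp _dir; do
        if printf '%s\n' "$1" | grep -Fxq -- "$_grp"; then
            printf '%s\n' "$_dir"
            break
        fi
    done)
    printf '%s\n' "${_skel:-$DEFAULT_SKEL}"
}

# Create <base>/<user> from the matching skeleton on first connect.
provision_home() {
    _user=$1
    _base=$2
    valid_username "$_user" || { echo "refusing user name" >&2; return 1; }
    [ -d "$_base" ] || { echo "no repository specified" >&2; return 1; }
    id -u "$_user" >/dev/null 2>&1 || { echo "unknown user" >&2; return 1; }
    _home="$_base/$_user"
    # Leave anything already there alone, including a dangling symlink.
    if [ -e "$_home" ] || [ -L "$_home" ]; then
        return 0
    fi
    # NUL-separated output survives AD group names that contain spaces.
    _groups=$(id -Gnz "$_user" | tr '\0' '\n')
    _from=$(skel_for_groups "$_groups")
    mkdir -m 0700 -- "$_home" || return 1
    cp -a -- "$_from/." "$_home/" || return 1
    # -h: change copied symlinks themselves, never the files they point to.
    chown -R -h -- "$_user:" "$_home"
}

# Entry point when invoked by Samba with "%U <repository>".
if [ "$#" -ge 2 ]; then
    provision_home "$1" "$2"
fi
```

Group names are compared case-sensitively, so the keys in `SKEL_MAP` have to match what `id -Gn` prints on the server.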
Re: [Samba] There are no currently logon servers available when mappingwith net use
Hi,

There is a setting in gpedit.msc somewhere to tell the PC to wait for network connectivity before showing the login box. (no idea where - find it yourself - sorry)

Another option - I have one user with a similar problem. She keeps getting 'duplicate machine name exists' popups appearing regardless of what I name her machine. The laptop caches her user details so she can log in fine, but generally has weird problems connecting to new shares. You might see the behaviour you are getting if there were machines with duplicate names - one would join the domain properly, whereas the other's trust account would fail but could log in with cached credentials and then have problems connecting to domain related stuff.

Hope that helps,
Jim

On 15/03/2013 23:26, TMason wrote:

Marcio Oli wrote in message news:CANpJy9WD=CLxbB=BQhgS==1mt-rktxt0hvmi6muymz5rkxm...@mail.gmail.com...

Hi people, I have a problem and I need so much of your help. I have a login script in \\server1\netlogon\script.bat (on my PDC and BDC) that runs net use commands to map some shares at the time of the logon. This login tries to map a share on another server (samba member of domain \\server2). So, I put the result in a log and these lines appear:

System error 1311 has occurred. There are currently no logon servers available to service the logon request.

This is a recurrent problem, but it does not always happen. Sometimes everything is wonderful and works very well mapping all shares, but it is unstable.

Windows clients have this problem regardless of the type of PDC/BDC you have (Windows or Samba). The problem is that Windows is generally ready to let people log in before all of the network services are ready and as such people can't log in. Are your servers on static IPs? Also, what kind of DNS/DHCP server do you have? This will help in troubleshooting.

TMason
[Samba] Samba4 Dc Winbind and uidNumbers
Hi all, I'm trying to get the unix extensions working in AD. I'm obviously missing something, but I can't see what... I've just created user Jim (ADUC) and added a uidnumber (ADSIEdit). From this and what I have below, user Jim should have uidNumber of 12345 (from AD) and not be prefixed with Domain name. This isn't happening. Does anyone have any idea why not? cheers, Jim Excerpt from getent passwd: saned:x:110:117::/home/saned:/bin/false FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false FASTFOOD\Guest:*:311:312::/home/FASTFOOD/Guest:/bin/false FASTFOOD\krbtgt:*:316:100::/home/FASTFOOD/krbtgt:/bin/false FASTFOOD\jim:*:319:100:Jim Chu:/home/FASTFOOD/jim:/bin/false smb.conf: [global] workgroup = FASTFOOD realm = FASTFOOD.LAN netbios name = CHIPSHOP server role = active directory domain controller dns forwarder = 62.24.199.13 log level = 3 algorithmic rid base = 1 idmap config * : range = 50001-6 idmap config * : backend = ad idmap config FASTFOOD : range = 1-5 idmap config FASTFOOD : backend = ad winbind nss info = rfc2307 winbind use default domain = yes [netlogon] path = /var/lib/samba/sysvol/fastfood.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No My user from AD: dn: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Jim Chu sn: Chu givenName: Jim instanceType: 4 whenCreated: 20130317212551.0Z displayName: Jim Chu uSNCreated: 3873 name: Jim Chu objectGUID:: hXvFCY0pTUeIgltTLbnOcQ== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAUVbDu04eltc/ij6yQSUQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: jim sAMAccountType: 805306368 userPrincipalName: j...@fastfood.lan objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fastfood,DC=lan pwdLastSet: 13008029152000 userAccountControl: 66048 uidNumber: 12345 whenChanged: 
20130317212824.0Z uSNChanged: 3877 distinguishedName: CN=Jim Chu,CN=Users,DC=fastfood,DC=lan
[Samba] Extending the schema
Hi all, I'm trying to extend the schema on my Samba4 setup by adding apple's schema. I followed the instructions from https://wiki.samba.org/index.php/Samba4/Schema_extenstions and http://blog.michael.kuron-germany.de/2011/02/active-directory-mac-os-x-mcx/ (I think this is a modified apple.schema but I haven't found the original yet) and have got it to import the schema OK (I had to remove the class rDNAttID for all the classes). I'll post my notes on it presently... My question is - how do I know this hasn't done anything disastrous? It all looks OK given 5 rigorous minutes of testing but extending schema on AD is generally considered foolhardy as far as I can see. What could go wrong in the future? And what is this about rDNAttIds? Is this a difference/potential incompatibility/something to watch out for between samba4 and MS AD? For instance, if I had a MS AD domain with apple extensions, would this cause any more problems adding a samba4 DC? thanks again, Jim -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] vasprintf error when starting Samba
I have installed Samba 3.0.14 on a SCO unix 5.0.7 system. I installed this version as it was the only compiled version I have and I have installed it without problems on a SCO 5.0.6 system. When I run S99smbd start, I get the following error. Smbd start binder error symbol not found vasprintf I've searched the web and found nothing that was helpful. Thanks for any help you can provide. Jim -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba4 AD DC as file server?
Hi all, I've been wondering about the separate Dc and fileserver setup (and the 2 winbinds) too. In my current setup (samba3/openLDAP) all my fileservers are DCs because then I don't have to worry about idmaps and winbind at all. This DC/fileserver samba4 separation can't be the recommended setup purely because the DCs don't do network browsing, surely. In my environment (a school) a browseable network neighbourhood is trouble and disabled for everyone. Except me. Am I right in thinking that a Samba3 fileserver is recommended because its more tried and tested at fileserving, and separating out the DC'ing onto a samba4 box just separates everything nicely and avoids complications? Or does a samba4 DC also acting as a fileserver have limitations of some kind? cheers Jim On 12 March 2013 09:43, Rowland Penny rpe...@f2s.com wrote: On 12/03/13 00:02, Gerry Reno wrote: On 03/11/2013 06:34 PM, Andrew Bartlett wrote: On Tue, 2013-03-12 at 01:30 +0800, d tbsky wrote: hi: I want to setup a small samba4 server with AD and file server function. I know that samba4 AD DC has no netbios browsing support. are there other missing functions, like winbindd or something else? The next release will include this patch, which avoids mistakenly creating world-writeable files in additional file shares. and if I install two samba4 instance, one to /usr/local/samba(for file server), one to /usr/local/samba-ad(for AD DC). and give them two seprate ip to bind. will it work better? No, it would need to be a different virtual machine (you can only have one winbind per machine, and the different winbind is most important difference between the operating modes). Andrew Bartlett Are you saying that it is not possible to use a Samba 4 AD DC as a file server? You can create shares on samba4 and connect to them from the cli, via smbclient for instance, you just cannot browse to them. The accepted practice seems to be, set up Samba 4 for authorisation and then set up a separate Samba3 fileserver. 
Rowland
[Samba] Windows printer driver issues
Hi All,

I've been running a large school network (~800 PCs/Macs) using Samba3/LDAP and like pretty much everyone on this list am too evaluating Samba4. However, today's problem is not AD related...

I've set up a Samba/CUPS printer system for our school and I've got a problem - has anyone got any advice on this please? I've got it going so that all windows hosts can connect to printer share and pick up client drivers in most cases. Problems arise with specific drivers though. I've read up on this and it looks like the same problems as Samba bug 6727.

- Some drivers are fine - I haven't found a problem with CUPS, HP4700 Laser PCL6, Ricoh RPCS
- All Ricoh PCL6 take ages to open and crash out every whichway
- HP Universal PCL6 shows less options shared from Samba than if shared from a Windows box

Possibly I've made a strategic error and should have used CUPS drivers, but it's in production environment now...

I've checked this on various Debian systems and get the same result:

Squeeze/Samba 3.5.6
Squeeze/Samba 3.6.8
Wheezy/Samba 4.0.3

(On DCs in each case if that makes any difference)

A fix would be to downgrade samba to 3.3 - says it works here in bug report, but I'd like to get to the bottom of this. I can post contents of enumdata if that would help?
thanks in advance, Jim Potter # Global parameters [global] workgroup = TESTTHING realm = testthing.lan netbios name = GENGHIS server role = active directory domain controller ## idmap_ldb:use rfc2307 = yes idmap config * : backend = ad idmap config * : range = 1000-2000 log level = 4 load printers = yes printing = cups printcap name = cups #show add printer wizard = no use client driver = no force printername = yes # cups options = raw [print$] comment = windows printer drivers path = /var/lib/samba/printers #browseable = no #guest ok = yes read only = no #create mask = 0664 #directory mask = 775 #force group = print operators [printers] comment = all printers path = /var/spool/samba printable = yes #writeable = no #guest ok = no #create mask = 0700 browseable = no -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba question
Hi. I am not a developer, or IT person, so, I have what is probably a dumb question. I am looking for a way to connect my kindle fire to my company network through vpn. I have established a connection, but am not able to see anything on the network. I had downloaded an app from AntTek that said it connected using Samba/Window technology. The description of their app sounded like it might do what I wanted, but I haven't been able to make it work yet. I thought I would check with you before I spent any more time on it. Thanks for your help Jim Sent from my Kindle Fire HD -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via df0f59f winbind: Make the code more readable in trustdom_list_done(). from 16d725b Fix bug #9471 - SEGV when using second vfs module. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit df0f59f66cca61eee967e89dc659af4ba33f0e6f Author: Andreas Schneider a...@samba.org Date: Thu Dec 6 14:31:45 2012 +0100 winbind: Make the code more readable in trustdom_list_done(). Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Jim McDonough j...@samba.org Autobuild-User(master): Jim McDonough j...@samba.org Autobuild-Date(master): Fri Dec 7 22:38:43 CET 2012 on sn-devel-104 --- Summary of changes: source3/winbindd/winbindd_util.c | 36 1 files changed, 20 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 6e13ca8..c32feb8 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -303,6 +303,7 @@ static void trustdom_list_done(struct tevent_req *req) struct dom_sid sid; struct winbindd_domain *domain; char *alternate_name = NULL; + bool domain_exists; alt_name = strchr(p, '\\'); if (alt_name == NULL) { 
@@ -336,22 +337,25 @@ static void trustdom_list_done(struct tevent_req *req) if ( !strequal( alt_name, (null) ) ) alternate_name = alt_name; - /* If we have an existing domain structure, calling - add_trusted_domain() will update the SID if - necessary. This is important because we need the - SID for sibling domains */ + /* Check if we already have a child for the domain */ + domain_exists = (find_domain_from_name_noinit(p) != NULL); - if ( find_domain_from_name_noinit(p) != NULL ) { - domain = add_trusted_domain(p, alternate_name, - cache_methods, - sid); - } else { - domain = add_trusted_domain(p, alternate_name, - cache_methods, - sid); - if (domain) { - setup_domain_child(domain); - } + /* +* We always call add_trusted_domain() cause on an existing +* domain structure, it will update the SID if necessary. +* This is important because we need the SID for sibling +* domains. +*/ + domain = add_trusted_domain(p, alternate_name, + cache_methods, + sid); + + /* +* If the domain doesn't exist yet and got correctly added, +* setup a new domain child. +*/ + if (!domain_exists domain != NULL) { + setup_domain_child(domain); } p=q; if (p != NULL) -- Samba Shared Repository
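Review bot: In the second hunk the new condition reads `if (!domain_exists domain != NULL)` with no operator between the two tests as shown; it needs `&&` to compile and to match the comment directly above it ("doesn't exist yet and got correctly added"). The refactor also depends on `domain_exists` being computed before `add_trusted_domain()` runs, since a lookup made after the add would find the domain every time; the comment on the `find_domain_from_name_noinit(p)` line should say so, so that a later cleanup does not reorder the two calls. Minor: "cause" in the new block comment should be "because".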
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via cb0064d BUG 9436: Fix leaking sockets of SMB connections to a DC. from bc6bcee s3:vfs_gpfs: add no memory check in gpfs2smb_acl() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit cb0064d35cdc60c7c625ad4561ad77739f8553c5 Author: Andreas Schneider a...@samba.org Date: Wed Nov 28 12:53:39 2012 +0100 BUG 9436: Fix leaking sockets of SMB connections to a DC. As this is a burst of 3 unbound sockets with each try to reach a DC we're running out of file descriptors pretty fast. So winbind is then mostly spinning in an accept loop failing with EMFILE. Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Jim McDonough j...@samba.org Autobuild-User(master): Jim McDonough j...@samba.org Autobuild-Date(master): Wed Nov 28 17:17:21 CET 2012 on sn-devel-104 --- Summary of changes: source3/winbindd/winbindd_cm.c |4 1 files changed, 4 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 79b5839..57027eb 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1598,6 +1598,10 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain, result = cm_prepare_connection(domain, fd, domain-dcname, new_conn-cli, retry); + if (!NT_STATUS_IS_OK(result)) { + /* Don't leak the smb connection socket */ + close(fd); + } if (!retry) break; -- Samba Shared Repository
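Review bot: After the added `close(fd)` the variable still holds the closed descriptor number, and the next visible line is `if (!retry) break;`, so on the retry path the loop carries on with a stale `fd`. Set `fd = -1` right after the close so that a later use or a second close cannot hit whichever descriptor is handed that number next. It is also worth confirming, since this hunk does not show it, that no failure path inside `cm_prepare_connection()` already closes `fd`, which would turn this into a double close.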
Re: [Samba] Samba 3.4.3 and DOS read only
New info: I finally realized there are two log files for each client, one with the IP address of the client in the file name and the other with the client's hostname. I have been looking in the former, when the important info was in the latter. It appears that for the unix_mode() call, there are extra characters getting appended to the file name. For example, when I try to set readonly for a file test.c, the log entry shows: [2012/08/29 10:17:29, 3] smbd/dosmode.c:135(unix_mode) unix_mode(test.cî³°) returning 0744 [2012/08/29 10:17:29, 3] smbd/error.c:56(error_packet_set) error packet at smbd/nttrans.c(541) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND The characters did not paste correctly; they are not ASCII. The file is indeed test.c. Other files appear to get the same characters appended for this operation. Wireshark shows the client sends the name as test.c. I can open, edit and save the file without issue. What about my Windows clients could cause this? Smbclient works fine. Thanks, Jim On Sun, Aug 26, 2012 at 4:24 PM, Günter Kukkukk li...@kukkukk.com wrote: Am Sonntag, 26. August 2012, 22:46:12 schrieb Jim Gallagher: Günter, I am using the Windows file properties dialog and checking the read only box. I have tested with both Windows 2003 and Windows 7 Enterprise clients, with the same results. It seems strange to me that there is no log entry on the samba side, but I am not familiar with the log levels. Using wireshark, I definitely see traffic after selecting OK from the dialog when attempting to set RO, but I don't know enough about the protocol to decipher what's going on. Thanks, Jim On Sun, Aug 26, 2012 at 9:34 AM, Günter Kukkukk li...@kukkukk.com wrote: Hi Jim, in your smbd debug log i don't see any call where the dos attributes are modified. From what kind of client are you connecting and which commands do you use to change the readonly/readwrite dos attribute ? 
As Jeremy already posted, with smblient you can use setmode filename +r (or -r) Inside a windows MSDOS cmdline window you can use attrib *(to list the current attributes) attrib +r somefile (to set that file read only) attrib -r somefile (to set that file read/write) Also the windows GUI file explorer can be used. With samba log level = 4 here i get the following logged: a.) Setting read/write for file test.fil: [2012/08/26 17:40:11.977248, 3] smbd/dosmode.c:160(unix_mode) unix_mode(test.fil) returning 0644 [2012/08/26 17:40:11.977857, 3] smbd/reply.c:1390(reply_setatr) setatr name=test.fil mode=0 Result on the unix side: -rw-r--r-- 1 gk users 1 Aug 12 2011 test.fil -- b.) Setting read only for file test.fil: [2012/08/26 17:41:23.200130, 3] smbd/dosmode.c:160(unix_mode) unix_mode(test.fil) returning 0444 [2012/08/26 17:41:23.201050, 3] smbd/reply.c:1390(reply_setatr) setatr name=test.fil mode=1 Result on the unix side: -r--r--r-- 1 gk users 1 Aug 12 2011 test.fil - Cheers, Günter when you change a dos attribute, within wireshark you should see Set Information Request, Path:\yourfile Set Information Response packet pairs on the wire. The passed File Attributes can be also viewed. Haven't tried windows7 here, whether it uses a different approach. Can you try on your server itself: smbclient //localhost/test -U jim ... pw entry smb: \ setmode yourfile +r smb: \ setmode yourfile -r Cheers, Günter -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3.4.3 and DOS read only
The Windows clients should be using unicode. Does smbclient use unicode by default? Could that explain the different behavior between the Windows clients and smbclient? On Wed, Aug 29, 2012 at 10:59 AM, Jim Gallagher j...@thegallaghers.bizwrote: New info: I finally realized there are two log files for each client, one with the IP address of the client in the file name and the other with the client's hostname. I have been looking in the former, when the important info was in the latter. It appears that for the unix_mode() call, there are extra characters getting appended to the file name. For example, when I try to set readonly for a file test.c, the log entry shows: [2012/08/29 10:17:29, 3] smbd/dosmode.c:135(unix_mode) unix_mode(test.cî³°) returning 0744 [2012/08/29 10:17:29, 3] smbd/error.c:56(error_packet_set) error packet at smbd/nttrans.c(541) cmd=162 (SMBntcreateX) NT_STATUS_OBJECT_NAME_NOT_FOUND The characters did not paste correctly; they are not ASCII. The file is indeed test.c. Other files appear to get the same characters appended for this operation. Wireshark shows the client sends the name as test.c. I can open, edit and save the file without issue. What about my Windows clients could cause this? Smbclient works fine. Thanks, Jim -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3.4.3 and DOS read only
Günter, I am using the Windows file properties dialog and checking the read only box. I have tested with both Windows 2003 and Windows 7 Enterprise clients, with the same results. It seems strange to me that there is no log entry on the samba side, but I am not familiar with the log levels. Using wireshark, I definitely see traffic after selecting OK from the dialog when attempting to set RO, but I don't know enough about the protocol to decipher what's going on. Thanks, Jim On Sun, Aug 26, 2012 at 9:34 AM, Günter Kukkukk li...@kukkukk.com wrote: Hi Jim, in your smbd debug log i don't see any call where the dos attributes are modified. From what kind of client are you connecting and which commands do you use to change the readonly/readwrite dos attribute ? As Jeremy already posted, with smblient you can use setmode filename +r (or -r) Inside a windows MSDOS cmdline window you can use attrib *(to list the current attributes) attrib +r somefile (to set that file read only) attrib -r somefile (to set that file read/write) Also the windows GUI file explorer can be used. With samba log level = 4 here i get the following logged: a.) Setting read/write for file test.fil: [2012/08/26 17:40:11.977248, 3] smbd/dosmode.c:160(unix_mode) unix_mode(test.fil) returning 0644 [2012/08/26 17:40:11.977857, 3] smbd/reply.c:1390(reply_setatr) setatr name=test.fil mode=0 Result on the unix side: -rw-r--r-- 1 gk users 1 Aug 12 2011 test.fil -- b.) Setting read only for file test.fil: [2012/08/26 17:41:23.200130, 3] smbd/dosmode.c:160(unix_mode) unix_mode(test.fil) returning 0444 [2012/08/26 17:41:23.201050, 3] smbd/reply.c:1390(reply_setatr) setatr name=test.fil mode=1 Result on the unix side: -r--r--r-- 1 gk users 1 Aug 12 2011 test.fil - Cheers, Günter -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3.4.3 and DOS read only
IP client IPSMB Trans2 Request, GET_DFS_REFERRAL, File: \server.domain.com\test
87 2.700549client IPserver IP SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
88 2.858660server IP client IPTCP ls3bcast microsoft-ds [ACK] Seq=3972 Ack=4292 Win=63374 Len=0

On Sun, Aug 26, 2012 at 4:24 PM, Günter Kukkukk li...@kukkukk.com wrote:

when you change a dos attribute, within wireshark you should see

Set Information Request, Path:\yourfile
Set Information Response

packet pairs on the wire. The passed File Attributes can be also viewed. Haven't tried windows7 here, whether it uses a different approach.

Can you try on your server itself:

smbclient //localhost/test -U jim
... pw entry
smb: \ setmode yourfile +r
smb: \ setmode yourfile -r

Cheers, Günter
Re: [Samba] Samba 3.4.3 and DOS read only
All, Sorry for not following up. Crazy week. Anyway, the username parameter should have been valid users. I just took it out, since my test share is not browseable. I also upped log level to 4. I do not get any log entry at all when trying to set the DOS RO attribute, and the unix permissions do not get changed. The log for my test session is below. Thanks, Jim [2012/08/24 14:12:09, 3] param/loadparm.c:5982(lp_load_ex) lp_load_ex: refreshing parameters Initialising global parameters [2012/08/24 14:12:09, 3] ../lib/util/params.c:550(pm_process) params.c:pm_process() - Processing configuration file /etc/opt/samba/sgpkg1/sgpkg1.conf [2012/08/24 14:12:09, 3] param/loadparm.c:4658(do_section) Processing section [global] doing parameter lock directory = /var/opt/samba/sgpkg1/locks doing parameter private dir = /var/opt/samba/sgpkg1/private doing parameter pid directory = /var/opt/samba/sgpkg1/locks doing parameter state directory = /var/opt/samba/sgpkg1/locks doing parameter cache directory = /var/opt/samba/sgpkg1/locks doing parameter include = /etc/opt/samba/sgpkg1/sgpkg1.conf.%m [2012/08/24 14:12:09, 2] param/loadparm.c:4112(handle_include) Can't find include file /etc/opt/samba/sgpkg1/sgpkg1.conf.clientip doing parameter socket address = serverip doing parameter interfaces = serverip doing parameter bind interfaces only = yes doing parameter max log size = 1000 doing parameter username map = /etc/opt/samba/sgpkg1/smbusers.map doing parameter security = domain doing parameter local master = no doing parameter password server = server list doing parameter wins server = server list doing parameter dns proxy = yes doing parameter encrypt passwords = yes doing parameter smb passwd file = /var/opt/samba/sgpkg1/private/smbpasswd doing parameter preserve case = yes doing parameter short preserve case = yes doing parameter dos filetime resolution = yes doing parameter read only = no doing parameter syslog = 0 doing parameter kernel oplocks = no doing parameter oplocks = no 
doing parameter level2 oplocks = no doing parameter guest account = smbguest doing parameter use mmap = no doing parameter unix extensions = no [2012/08/24 14:12:09, 2] param/loadparm.c:4675(do_section) Processing section [vob_storage] doing parameter path = /vob_storage doing parameter create mask = 0775 doing parameter directory mask = 0775 doing parameter oplocks = no doing parameter force group = group1 doing parameter map archive = no doing parameter map hidden = no [2012/08/24 14:12:09, 2] param/loadparm.c:4675(do_section) Processing section [view_storage] doing parameter path = /view_storage doing parameter create mask = 0775 doing parameter directory mask = 0775 doing parameter oplocks = no doing parameter force group = group1 doing parameter map archive = no doing parameter map hidden = no [2012/08/24 14:12:09, 2] param/loadparm.c:4675(do_section) Processing section [build_storage] doing parameter path = /build_storage doing parameter create mask = 0775 doing parameter directory mask = 0775 doing parameter oplocks = no doing parameter force group = group1 doing parameter map archive = no doing parameter map hidden = no [2012/08/24 14:12:09, 2] param/loadparm.c:4675(do_section) Processing section [developer_views] doing parameter path = /developer_views doing parameter create mask = 0775 doing parameter directory mask = 0775 doing parameter oplocks = no doing parameter force group = group1 doing parameter map archive = no doing parameter map hidden = no [2012/08/24 14:12:09, 2] param/loadparm.c:4675(do_section) Processing section [proj1data01] doing parameter path = /proj1data01 doing parameter create mask = 0775 doing parameter directory mask = 0775 doing parameter oplocks = no doing parameter map archive = no doing parameter map hidden = no [2012/08/24 14:12:09, 2] param/loadparm.c:4675(do_section) Processing section [proj1lib] doing parameter path = /proj1lib doing parameter create mask = 0775 doing parameter directory mask = 0775 doing parameter oplocks 
= no doing parameter map archive = no doing parameter map hidden = no [2012/08/24 14:12:09, 2] param/loadparm.c:4675(do_section) Processing section [Test] doing parameter comment = Setup to test dos RO attribute doing parameter browseable = No doing parameter path = /home/jim doing parameter writeable = yes doing parameter ea support = no doing parameter store dos attributes = no doing parameter map readonly = yes doing parameter dos filemode = yes [2012/08/24 14:12:09, 4] param/loadparm.c:6017(lp_load_ex) pm_process() returned Yes [2012/08/24 14:12:09, 3] param/loadparm.c:3119(lp_add_ipc) adding IPC service [2012/08/24 14:12:09, 3] printing/pcap.c:136(pcap_cache_reload) reloading printcap cache [2012/08/24 14:12:09, 3] printing/print_svid.c:66(sysv_cache_reload) Scheduler
Re: [Samba] Samba 3.4.3 and DOS read only
Jeremy, Thanks for the reply! Unfortunately, it did not work. Here is the global section from smb.conf and the section for the share that I tested with:

[global]
workgroup = AD
realm = COMPANY.COM
netbios name = server01
server string = server01 Samba Server
log file = /var/opt/samba/server01/log.%m
log level = 3
lock directory = /var/opt/samba/server01/locks
private dir = /var/opt/samba/server01/private
pid directory = /var/opt/samba/server01/locks
state directory = /var/opt/samba/server01/locks
cache directory = /var/opt/samba/server01/locks
#root directory = /nothing
include = /etc/opt/samba/server01/server01.conf.%m
socket address = removed
interfaces = removed
bind interfaces only = yes
max log size = 1000
username map = /etc/opt/samba/server01/smbusers.map
# Security mode. Use 'ads' for configuring with W2K domain and
# use Kerberos as authentication protocol.
security = domain
local master = no
#password server = *
password server = removed
wins server = removed
dns proxy = yes
encrypt passwords = yes
smb passwd file = /var/opt/samba/server01/private/smbpasswd
preserve case = yes
short preserve case = yes
dos filetime resolution = yes
read only = no
syslog = 0
kernel oplocks = no
oplocks = no
level2 oplocks = no
guest account = smbguest
# mmap =no is necessary to prevent a smbd crash
use mmap = no
unix extensions = no

[Test]
comment = Setup to test dos RO attribute
browseable = No
path = /home/jim
writeable = yes
username = jim
ea support = no
store dos attributes = no
map readonly = yes

All help appreciated!

Thanks, Jim
Re: [Samba] Samba 3.4.3 and DOS read only
I added dos filemode = yes, but it still does not work. Rats...
[Samba] Samba 3.4.3 and DOS read only
Hi, Is there an easy way to get Samba v3.4.3 to respond to client requests to change the read-only attribute by setting/unsetting the unix write bits? For the shares in question, the unix permissions are not really important, but managing the RO attribute is. It appears that this was the default behavior in (very?) old Samba versions, but my server appears to simply ignore RO attribute change requests. This is a HP-UX server, using the HP repackage of Samba, based on 3.4.3. The HP build does not include support for file system extended attributes, nor does it include the vfs_xattr_tdb module. Thanks, Jim Gallagher
Re: [Samba] 3.6.5 and not_defined_in_RFC4178@please_ignore error
On Mon, May 21, 2012 at 12:17 PM, alex.rans...@free.fr wrote: We're having trouble joining an AD domain with 3.6.5 This message when running net join looks fishy : got principal=not_defined_in_RFC4178@please_ignore I'm sure it looks fishy, but it's not. This is normal for newer versions of windows (windows is sending it back). OS : Solaris 10 x64 Kerberos : MIT krb5 1.10.1 DC servers are running Windows 2008 The error message is : ./net join -U aranskis Enter aranskis's password: Failed to join domain: failed to lookup DC info for domain 'CORP.NET' over rpc: Logon failure ADS join did not work, falling back to RPC... Unable to find a suitable server for domain CORP Unable to find a suitable server for domain CORP with -d9, here's the hopefully relevant output : ads_dns_lookup_srv: 18 records returned in the answer section. namecache_store: storing 18 addresses for CORP.NET#1c: 10.219.244.253, [List of DCs IP follows] [..] Successfully contacted LDAP server 10.219.244.253 [..] got principal=not_defined_in_RFC4178@please_ignore [..] What's cut out here might be more helpful. However, please see below and try that first. SPNEGO login failed: Logon failure failed session setup with NT_STATUS_LOGON_FAILURE libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : NULL netbios_domain_name : NULL dns_domain_name : NULL forest_name : NULL dn : NULL domain_sid : NULL domain_sid : (NULL SID) modified_config : 0x00 (0) error_string : 'failed to lookup DC info for domain 'CIB.NET' over rpc: Logon failure' domain_is_ad : 0x00 (0) result : WERR_LOGON_FAILURE relevant configuration options : [global] realm=CORP.NET workgroup=CORP.NET Please try changing this to just CORP (or whatever the short netbios name is for the domain...not the dns name). security=ADS encrypt passwords = yes bind interfaces only = true interfaces = msusersncs Any hints on the best way to try and figure out what is wrong when trying to register in the AD ? 
(the same config worked with samba 3.4.x, but the DCs were running Windows 2003) -- Jim McDonough Samba Team SUSE labs jmcd at samba dot org jmcd at themcdonoughs dot org
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via bb0151a Update to use conservancy's paypal account from 8a085e3 Remove itsd as the web page is unreachable http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit bb0151a9b3e951bdbff72cb771ad0a903977f432 Author: Jim McDonough j...@samba.org Date: Thu Mar 8 07:22:41 2012 -0500 Update to use conservancy's paypal account --- Summary of changes: donations.html |8 +++- 1 files changed, 3 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/donations.html b/donations.html index 703bbd5..da840cd 100755 --- a/donations.html +++ b/donations.html 
@@ -53,11 +53,9 @@ To use PayPal, click on the 'PayPal Donate' button below./p form action=https://www.paypal.com/cgi-bin/webscr; method=post input type=hidden name=cmd value=_s-xclick -input type=image -src=https://www.paypal.com/en_US/i/btn/x-click-but7.gif; border=0 name=submit alt=Make donation with PayPal -img alt= border=0 src=https://www.paypal.com/en_AU/i/scr/pixel.gif; width=1 height=1 -input type=hidden name=encrypted value=-BEGIN PKCS7-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 fYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tMB4XDTA0MDIxMzEwMTMxNVoXDTM1MDIxMzEwMTMxNVowgY4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLUGF5UGFsIEluYy4xEzARBgNVBAsUCmxpdmVfY2VydHMxETAPBgNVBAMUCGxpdmVfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBR07d/ETMS1ycjtkpkvjXZe9k+6CieLuLsPumsJ7QC1odNz3sJiCbs2wC0nLE0uLGaEtXynIgRqIddYCHx88pb5HTXv4SZeuv0Rqq4+axW9PLAAATU8w04qqjaSXgbGLP3NmohqM6bV9kZZwZLR/klDaQGo1u9uDb9lr4Yn+rBQIDAQABo4HuMIHrMB0GA1UdDgQWBBSWn3y7xm8XvVk/UtcKG+wQ1mSUazCBuwYDVR0jBIGzMIGwgBSWn3y7xm8XvVk/UtcKG+wQ1mSUa6GBlKSBkTCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCBXzpWmoBa5e9fo6ujionW1hUhPkOBakTr3YCDjbYfvJEiv/2P+IobhOGJr85+XHhN0v4gUkEDI8r2/rNk1m0GA8HKddvTjyGw/XqXa+LSTlDYkqI8OwR8GEYj4efEtcRpRYBxV8KxAW93YDWz 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-END PKCS7- - +input type=hidden name=hosted_button_id value=JJCAM7BX48Z42 +input type=image src=https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif; border=0 name=submit alt=PayPal - The safer, easier way to pay online! +img alt= border=0 src=https://www.paypalobjects.com/en_US/i/scr/pixel.gif; width=1 height=1 /form h4Check/h4 -- Samba Website Repository
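Review bot: the new hidden input hosted_button_id value=JJCAM7BX48Z42 is an opaque identifier, and nothing in the hunk or in the commit message ties it to the conservancy account that the subject line names; an HTML comment above the input stating which account the button belongs to would let a later reader check it. The replacement alt text on the image input ("PayPal - The safer, easier way to pay online!") also drops the old description of what the button does ("Make donation with PayPal"), which is the more useful text for a screen reader.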
Re: [Samba] smb.conf 'use kerberos keytab = true'
On Sun, Jan 8, 2012 at 8:43 AM, steve st...@steve-ss.com wrote:

openSUSE 12.1, Samba 3.61 joined to Samba 4 Domain. /etc/samba/smb.conf on the Linux client is as follows:

workgroup = CACTUS
realm = HH3.SITE
security = ADS
use kerberos keytab = true

testparm tells me it is ignoring the 'use kerberos keytab = true' entry.

It should be, it's been replaced quite some time ago by kerberos keytab method.

Linux users can logon fine, kinit and getent password work. The Samba 4 logs show that kerberos has authenticated the user. Users can create files under Linux with the correct permissions, which can then be edited on a Windows 7 client. Their /home folders are mounted via kerberized NFSv4. Without the 'use kerberos keytab = true' entry, there is no password prompting and the user gets access denied messages when trying to access *any* share from Samba 4, including his own, as before.

Questions
1. Is the entry 'use kerberos keytab = true' having any effect?

Seems like it is based on your description, but it _shouldn't_ be. I'd check for stray libsmbclient so's.

-- Jim McDonough Samba Team SUSE labs jmcd at samba dot org jmcd at themcdonoughs dot org
Re: [Samba] Recommended configuration for AD forest with childdomains
Greetings, I have had Samba/Winbind/Kerberos single-sign-on authentication working for a few years now, for a single domain, and it works great. It pulls the RFC2307 populated attributes just like you'd expect, and people get the IDs mapped according to their attributes in AD. This works for version 3.2.7 and 3.4.3. I had to give the domain's Domain Users group a gid in the range of the idmap config range in order for it to work in 3.4.3 because for some unexplained reason, you have to be a member of domain users in order for winbind to even look at your rfc2307 attributes, but that's another complaint/bug/feature. I have tried it with 3.5x and 3.6.0, and can't get it to work no matter how I tweak smb.conf. I am in a multi-domain AD forest, in a child domain. I need to be able to give the same single sign-on access to people that live in the parent domain as well as the peer domain, and since AD has the whole transitive trust thing, there should be no trust issues. I can list all of the users in each domain and all of the groups in each domain, by issuing wbinfo -u or wbinfo -g, so Winbind, through whatever mechanism it uses, can see all of them. However, to look at the RFC2307 attributes to determine whether or not they should be enumerated with getent group or getent passwd, it appears the idmap_ad process uses LDAP lookup on the authentication server to find whether the rfc2307 attributes have been populated. I don't know if this is the problem or not, but some observations: LDAP access to AD, when done on the LDAP port 389, will automatically set the search base to the domain. This precludes any lookup of people not in that domain. 
The lookup that is done is done against whatever AD server answers the knock on the door, whether it has a replica of the Global Catalog or not, so if by luck of the draw your domain's Infrastructure master is used as the authentication server, there's no GC to look against, even if Winbind didn't default to port 389 and looked at port 3268 (the GC port) to do its idmap lookup. So, given those observations, exactly how would someone configure Samba/Winbind to do SSO authentication using AD RFC2307 in a multi-domain parent/child domain AD forest such that you could have people authenticating from the Samba server's domain as well as the other trusted domains in the forest? I have made sure that the GC included attributes have the necessary RFC2307 attributes included. They're not by default so you have to make sure they do get populated into the GC (at least according to the idmap_adex man page) Speaking of which, I tried using idmap_adex with 3.5x and 3.6.0, but although the users/groups enumerate just fine with wbinfo, I am not getting any idmapping through NSS. I have seen comments that idmap_adex' features were being rolled into idmap_ad (no need to have more than one idmap for a given infrastructure) but no word as to when that will happen for Samba 3, if at all, or what us poor multi-domain-forest suckers like me are supposed to do in the meantime.

Thanks, Jim.

You could try to switch to idmap_adex which was created explicitly to answer the multidomain forest problem. Please read http://www.samba.org/samba/docs/man/manpages-3/idmap_adex.8.html before trying to deploy as it needs schema modifications for AD: Note that you must add the uidNumber, gidNumber, and uid attributes to the partial attribute set of the forest global catalog servers. This can be done using the Active Directory Schema Management MMC plugin (schmmgmt.dll).

Good Luck!
Geza Geza, Thanks for the quick response, but I have already tried idmap_adex, and as I stated already, we have already added the rfc2307 attributes to the GC partial attribute set per the idmap_adex man page. It's not a schema change, by the way - the Windows 2003R2 AD schema already has the RFC2307 attributes. What has to change is that those attributes have to be included in the Global Catalog, as they are not included there by default. The Partial Attribute Set is the subset of the full set of attributes defined in the AD schema, which are populated into the GC, to reduce the sheer size and volume of data the GC holds. Anyway... That doesn't seem to help any when the LDAP lookup is using port 389 and not port 3268, and the lookup is done against the DC that has the Infrastructure role (because Winbind decided to use that DC as the auth server), and therefor no copy of the GC would be available for the IDMAP_AD or IDMAP_ADEX lookup, even if the GC port were to be used. Can anyone recommend a specific way to configure a multi-domain parent-child-domain forest using idmap_ad, where the RFC2307 attributes will be used to IDMAP the UID/GID to the user/group? I'd try
[Samba] Recommended configuration for AD forest with child domains
Greetings, I have had Samba/Winbind/Kerberos single-sign-on authentication working for a few years now, for a single domain, and it works great. It pulls the RFC2307 populated attributes just like you'd expect, and people get the IDs mapped according to their attributes in AD. This works for version 3.2.7 and 3.4.3. I had to give the domain's Domain Users group a gid in the range of the idmap config range in order for it to work in 3.4.3 because for some unexplained reason, you have to be a member of domain users in order for winbind to even look at your rfc2307 attributes, but that's another complaint/bug/feature. I have tried it with 3.5x and 3.6.0, and can't get it to work no matter how I tweak smb.conf. I am in a multi-domain AD forest, in a child domain. I need to be able to give the same single sign-on access to people that live in the parent domain as well as the peer domain, and since AD has the whole transitive trust thing, there should be no trust issues. I can list all of the users in each domain and all of the groups in each domain, by issuing wbinfo -u or wbinfo -g, so Winbind, through whatever mechanism it uses, can see all of them. However, to look at the RFC2307 attributes to determine whether or not they should be enumerated with getent group or getent passwd, it appears the idmap_ad process uses LDAP lookup on the authentication server to find whether the rfc2307 attributes have been populated. I don't know if this is the problem or not, but some observations: LDAP access to AD, when done on the LDAP port 389, will automatically set the search base to the domain. This precludes any lookup of people not in that domain. 
The lookup that is done is done against whatever AD server answers the knock on the door, whether it has a replica of the Global Catalog or not, so if by luck of the draw your domain's Infrastructure master is used as the authentication server, there's no GC to look against, even if Winbind didn't default to port 389 and looked at port 3268 (the GC port) to do its idmap lookup. So, given those observations, exactly how would someone configure Samba/Winbind to do SSO authentication using AD RFC2307 in a multi-domain parent/child domain AD forest such that you could have people authenticating from the Samba server's domain as well as the other trusted domains in the forest? I have made sure that the GC included attributes have the necessary RFC2307 attributes included. They're not by default so you have to make sure they do get populated into the GC (at least according to the idmap_adex man page) Speaking of which, I tried using idmap_adex with 3.5x and 3.6.0, but although the users/groups enumerate just fine with wbinfo, I am not getting any idmapping through NSS. I have seen comments that idmap_adex' features were being rolled into idmap_ad (no need to have more than one idmap for a given infrastructure) but no word as to when that will happen for Samba 3, if at all, or what us poor multi-domain-forest suckers like me are supposed to do in the meantime. Thanks, Jim.
[Samba] samba on AIX 6
After installing samba on AIX 6 and setting up the shares, I am being prompted for credentials when trying to access the shares. The AIX root credentials are not working. 1) Why am I being prompted for credentials? If that is required, why is it not accepting root? Thanks in advance for any assistance. James Lapointe President - Colden Company Inc. Phone: (518) 885-2857: Office Phone: (518) 229-3962: Cell www.coldencompany.com Business Technology Solutions
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d4c30a5 Update eDirectory schema from a353b49 s4-dsdb: bypass validation when relax set http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d4c30a5ffbeab75506bf1ad5d8d5da48e3f4d41c Author: Jim McDonough j...@samba.org Date: Wed Jun 22 07:36:20 2011 -0400 Update eDirectory schema Autobuild-User: Jim McDonough j...@samba.org Autobuild-Date: Wed Jun 22 14:48:09 CEST 2011 on sn-devel-104 --- Summary of changes: examples/LDAP/samba-nds.schema | 69 +++ 1 files changed, 20 insertions(+), 49 deletions(-) Changeset truncated at 500 lines: diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index 0b3cf66..369670b 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema @@ -35,7 +35,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) ## ## Password timestamps policies @@ -128,7 +128,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 en dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} ) ## ## SID, of any type 
@@ -137,7 +137,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Conc dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) ## ## Primary group SID, compatible with ntSid 
@@ -287,47 +287,13 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DES dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC 'Fully qualified name of the domain with which a trust exists' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'NetBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC 'Authentication information for the outgoing portion of a trust' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 'Authentication information for the incoming portion of a trust' EQUALITY caseExactMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{1050} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted
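Review bot: the added sambaClearTextPassword attribute (1.3.6.1.4.1.7165.2.1.68) holds, by its own DESC, a clear text trusted domain password, yet the hunk adds it without any note on access control; a ## comment block like the ones used elsewhere in this file, saying that read access to the attribute has to be restricted in the directory, would help whoever loads this schema. The one-line commit message also leaves three visible changes unexplained: SUBSTR matching is dropped from sambaAcctFlags, sambaSID moves to SUBSTR caseExactIA5SubstringsMatch while keeping EQUALITY caseIgnoreIA5Match, and the sambaTrust* definitions from .70 onward are deleted in this hunk; a sentence for each in the commit message would make the intent reviewable.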
Re: [Samba] ubuntu, ocfs2 with cman and ctdb
On Mon, Jun 20, 2011 at 8:27 PM, Jeremy Allison j...@samba.org wrote:

On Mon, Jun 20, 2011 at 03:18:02PM -0600, charles wrote:

hi guys, we're evaluating the available clustering options to get ctdb up and running for a highly available file server. we've set up both gluster and ocfs2 both on separate 2 node setups. ocfs2 seems to provide better throughput and iops to samba clients than does gluster and that is comparing a single node server to a ctdb clustered 2 node server. problem with ocfs2 is that i've been unable to configure it to utilize cman's stack to provide proper locking for ctdb. gfs2 is up next. does anyone have any pointers/tutorials/document for getting ocfs2 set up with cman on ubuntu?

Jim McDonough and his team @ SuSE has done most of the work looking at Samba/CTDB with ocfs2. Jim, any comments ?

I'm not familiar with cman. On SUSE distributions, ocfs2 uses the pacemaker stack, so I can't really comment on cman. The locking works properly with the pacemaker linux-ha stack and ocfs2.

-- Jim McDonough Samba Team SUSE labs jmcd at samba dot org jmcd at themcdonoughs dot org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b58534f s3-winbind: BUG 8166 - Don't lockout users when offline. from ff47927 s4:samldb LDB module - check if the RODC group exists if creating an RODC http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b58534f1fca27e3e72f4f4107538ec05734bd42a Author: Jim McDonough j...@samba.org Date: Wed May 25 10:49:41 2011 -0400 s3-winbind: BUG 8166 - Don't lockout users when offline. Windows does not track bad password attempts when offline. We were locking users out but not honoring the lockout duration. Autobuild-User: Jim McDonough j...@samba.org Autobuild-Date: Wed May 25 18:11:10 CEST 2011 on sn-devel-104 --- Summary of changes: source3/winbindd/winbindd_pam.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index e1422e5..e5ad2e0 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -993,7 +993,10 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, } - /* User does *NOT* know the correct password, modify info3 accordingly */ + /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */ + if (domain-online == false) { + goto failed; + } /* failure of this is not critical */ result = get_max_bad_attempts_from_lockout_policy(domain, state-mem_ctx, max_allowed_bad_attempts); -- Samba Shared Repository
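Review bot: the new offline branch in winbindd_dual_pam_auth_cached() jumps to failed without assigning result in the visible lines, so it is worth confirming that result already holds the wrong-password status when this point is reached; otherwise the caller's return value depends on code outside the hunk. On style, testing the flag directly (if not online) reads better than comparing it with false, and the reason given in the commit message (Windows does not track bad password attempts when offline, and the lockout duration was not being honored) belongs in the code comment, since "but only if online" alone does not say why.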
Re: [Samba] samba ctdb clustering with ldap backend?
On Wed, Apr 6, 2011 at 2:10 AM, Daniel Müller muel...@tropenklinik.de wrote:

Both of my ldap servers run in multi master replication mode. So I think everything should be the same on both servers all the time? So it could work anyway?

No, you run the risk of collisions, because of the replication delay between servers. You need something fully synchronous, unless you're going to take care of conflicts yourself, including any files that might have been created on different nodes with the same uid by different SIDs.

--- IT Daniel Müller Head of IT Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24 72076 Tübingen Tel.: 07071/206-463, Fax: 07071/206-499 eMail: muel...@tropenklinik.de Internet: www.tropenklinik.de ---

-Original Message- From: jmcdo...@gmail.com [mailto:jmcdo...@gmail.com] On Behalf Of Jim McDonough Sent: Tuesday, April 5, 2011 19:01 To: muel...@tropenklinik.de Cc: samba@lists.samba.org Subject: Re: [Samba] samba ctdb clustering with ldap backend?

On Tue, Apr 5, 2011 at 3:35 AM, Daniel Müller muel...@tropenklinik.de wrote:

I have two samba servers auth against ldap, so I use: idmap backend = ldap:ldap://127.0.0.1 Is it possible to setup ctdb to run with a ldap backend?

I don't see why not. The point of tdb2 was to not get different uids/gids on different nodes. However, you'd need to have only one ldap server that they all use. Your current setup would not work.

I know ctdb uses: idmap backend = tdb2

-- Jim McDonough Samba Team SUSE labs jmcd at samba dot org jmcd at themcdonoughs dot org

-- Jim McDonough Samba Team SUSE labs jmcd at samba dot org jmcd at themcdonoughs dot org
Re: [Samba] samba ctdb clustering with ldap backend?
On Tue, Apr 5, 2011 at 3:35 AM, Daniel Müller muel...@tropenklinik.de wrote:

I have two samba servers auth against ldap, so I use:
idmap backend = ldap:ldap://127.0.0.1
Is it possible to set up ctdb to run with a ldap backend?

I don't see why not. The point of tdb2 was to not get different uids/gids on different nodes. However, you'd need to have only one ldap server that they all use. Your current setup would not work.

I know ctdb uses:
idmap backend = tdb2

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
Re: [Samba] Samba in Pacemaker-Cluster: CTDB fails to get recovery lock
On Fri, Mar 11, 2011 at 8:13 AM, Uwe Ritzschke uwe.ritzschk...@cms.hu-berlin.de wrote:

I'm currently testing fail-over with a two-node active-active cluster (with node dig and node dag): Both nodes are up, one is manually killed. CTDB on the node that's still alive should perform a recovery and everything should be working again.

What's infrequently happening is: After killing the pacemaker-process on dag (and dag consequently being fenced), dig's CTDB tries to get the recovery lock and fails. As there is no other node online to get the recovery lock and thus finishing CTDB's recovery, dig's CTDB keeps trying to get the recovery lock until manually stopped. The only way to get CTDB back to work is to restart OCFS2's distributed lock manager.

Our setting: two nodes directly connected via LAN running openSuse 11.3 and sharing a SAN-drive that is connected via two interfaces using multipath.

pacemaker 1.1.2
corosync 1.2.1
cluster-glue 1.0.5-1.4
ctdb 1.0.114-2.20
ocfs2 1.4.3-1.4
multipath 0.4.8-51.3

You might want to try updated packages from the repository:
http://download.opensuse.org/repositories/network:/ha-clustering/openSUSE_11.3/
This would give you newer code levels on the HA packages.

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
[Samba] Problem with Winbind/Kerberos authentication against AD 2003R2 RFC2307
I sincerely doubt that this issue is caused by any of my config files, since I tried probably every possible combination related to winbind, nss, kerberos, ads, rfc2307, idmap, etc. in trying to figure out what's going on here, but if you'd like me to post them, I will do so.

It's possible that I'm missing a new directive related to idmapping - some other functionality, setting, or whatever, that is in the post-3.0 idmap component but isn't documented in the 3.4.3 or 3.5.x or other post-3.0 man pages, yet.

Anyway, besides helping me with this problem, if I might humbly suggest someone add the new (as of 3.3 anyway) requirement for idmap ad and enumeration to clearly indicate that in order to enumerate through getent passwd, the primary group now must be domain users and it must be in the idmap range for your domain, and if there's a way to turn that requirement off or to modify the source of the primary GID for a user to use the rfc2307 gidNumber instead of whatever GID is assigned to Domain Users, please also include that, so someone else doesn't have to go through what I did to get to this point.

Thanks!
Jim.
[Samba] help migrating from file server to NAS w/ Active Directory
hello,

I'm having a problem I hope will be easy for someone to explain to me how to fix. I need to migrate from an old server to a new Cisco Smart Storage NAS, which runs some flavor of linux and is Active Directory aware. Using something like Robocopy from the AD server, or rsync or tar from the file server does not preserve user/group identities or directory date stamps (maybe rsync tar preserves the directory date stamps but robocopy doesn't). The owner defaults to the NAS admin and admin group. There also seems to be a problem with the windows security permissions on the directories/files - under Windows Explorer the permissions are listed as special and the admins can't change them.

I set up a file server years ago on CentOS using Samba to serve files to Windows clients. Since then we integrated Active Directory and I had a windows whiz fix up my Samba config to use AD authentication. So the server doesn't really have linux users/groups anymore per se. To add a new user I add them via the AD server then map them in the smb.conf file - create manually a home directory for them and chown it to their username. (not sure how that works since there is no linux user by those usernames). Here is an example:

    [jimd]
    path = /home/CN/jimd
    valid users = CN+jimd
    writeable = Yes
    create mask = 0777
    directory mask = 0777
    browseable = no

So the AD user is CN+jimd. On the file server though, the username that shows up on any file created by CN+jimd is actually owned by jimd (no CN+). On the NAS, any file I create with that user is owned by CN+jimd. Not sure if that is part of my problem or not. Groups are similar.

    [Engineering]
    writeable = Yes
    path = /home/data/engineering
    force group = CN+sengineer
    ; guest ok = Yes
    browseable = Yes
    create mask = 0770
    directory mask = 0770
    valid users = @CN+sengineer

So the thought was to somehow map files/shares on the AD server and move them over in that environment, but having troubles mentioned above - preserving directory time stamps and owner IDs. Seems like I'm missing something really simple. The NAS does have samba and automatically writes a smb.conf file, but I don't believe there is a way to manually edit it other than GUI.

Let me know if you need more info to help.. appreciate the read!

cheers, JD

--
Jim Dory
Engineering
City of Nome
PO Box 281
102 Division St.
Nome, AK 99762
907.443.6604
http://www.nomealaska.org
Re: [Samba] help migrating from file server to NAS w/ Active Directory
Extra info:

smbd --version
Version 3.0.33-0.19.el4_8.3

Win Server 2003-r2

thx, JD

On 2/16/2011 10:49 AM, Jim Dory wrote:

hello,

I'm having a problem I hope will be easy for someone to explain to me how to fix. I need to migrate from an old server to a new Cisco Smart Storage NAS, which runs some flavor of linux and is Active Directory aware. Using something like Robocopy from the AD server, or rsync or tar from the file server does not preserve user/group identities or directory date stamps (maybe rsync tar preserves the directory date stamps but robocopy doesn't). The owner defaults to the NAS admin and admin group. There also seems to be a problem with the windows security permissions on the directories/files - under Windows Explorer the permissions are listed as special and the admins can't change them.

I set up a file server years ago on CentOS using Samba to serve files to Windows clients. Since then we integrated Active Directory and I had a windows whiz fix up my Samba config to use AD authentication. So the server doesn't really have linux users/groups anymore per se. To add a new user I add them via the AD server then map them in the smb.conf file - create manually a home directory for them and chown it to their username. (not sure how that works since there is no linux user by those usernames). Here is an example:

    [jimd]
    path = /home/CN/jimd
    valid users = CN+jimd
    writeable = Yes
    create mask = 0777
    directory mask = 0777
    browseable = no

So the AD user is CN+jimd. On the file server though, the username that shows up on any file created by CN+jimd is actually owned by jimd (no CN+). On the NAS, any file I create with that user is owned by CN+jimd. Not sure if that is part of my problem or not. Groups are similar.

    [Engineering]
    writeable = Yes
    path = /home/data/engineering
    force group = CN+sengineer
    ; guest ok = Yes
    browseable = Yes
    create mask = 0770
    directory mask = 0770
    valid users = @CN+sengineer

So the thought was to somehow map files/shares on the AD server and move them over in that environment, but having troubles mentioned above - preserving directory time stamps and owner IDs. Seems like I'm missing something really simple. The NAS does have samba and automatically writes a smb.conf file, but I don't believe there is a way to manually edit it other than GUI.

Let me know if you need more info to help.. appreciate the read!

cheers, JD

--
Jim Dory
Engineering
City of Nome
PO Box 281
102 Division St.
Nome, AK 99762
907.443.6604
http://www.nomealaska.org
Re: [Samba] help migrating from file server to NAS w/ Active Directory
To boil this down a bit, maybe my problem is that my domain users on the old server are for instance jimd, and on the new NAS they show up as Domain+jimd. Or in this example, CN+jimd. So if I try to move files to the NAS, it doesn't recognize those users (without the prefix CN+) as users.

The getent command on the old server has users uids in the 10,000 range. On the NAS, they are in the 30,000 range, even though it got the users from the AD server. So perhaps I need a way to get things to match up?

thx, Jim

On 2/16/2011 10:49 AM, Jim Dory wrote:

hello,

I'm having a problem I hope will be easy for someone to explain to me how to fix. I need to migrate from an old server to a new Cisco Smart Storage NAS, which runs some flavor of linux and is Active Directory aware. Using something like Robocopy from the AD server, or rsync or tar from the file server does not preserve user/group identities or directory date stamps (maybe rsync tar preserves the directory date stamps but robocopy doesn't). The owner defaults to the NAS admin and admin group. There also seems to be a problem with the windows security permissions on the directories/files - under Windows Explorer the permissions are listed as special and the admins can't change them.

I set up a file server years ago on CentOS using Samba to serve files to Windows clients. Since then we integrated Active Directory and I had a windows whiz fix up my Samba config to use AD authentication. So the server doesn't really have linux users/groups anymore per se. To add a new user I add them via the AD server then map them in the smb.conf file - create manually a home directory for them and chown it to their username. (not sure how that works since there is no linux user by those usernames). Here is an example:

    [jimd]
    path = /home/CN/jimd
    valid users = CN+jimd
    writeable = Yes
    create mask = 0777
    directory mask = 0777
    browseable = no

So the AD user is CN+jimd. On the file server though, the username that shows up on any file created by CN+jimd is actually owned by jimd (no CN+). On the NAS, any file I create with that user is owned by CN+jimd. Not sure if that is part of my problem or not. Groups are similar.

    [Engineering]
    writeable = Yes
    path = /home/data/engineering
    force group = CN+sengineer
    ; guest ok = Yes
    browseable = Yes
    create mask = 0770
    directory mask = 0770
    valid users = @CN+sengineer

So the thought was to somehow map files/shares on the AD server and move them over in that environment, but having troubles mentioned above - preserving directory time stamps and owner IDs. Seems like I'm missing something really simple. The NAS does have samba and automatically writes a smb.conf file, but I don't believe there is a way to manually edit it other than GUI.

Let me know if you need more info to help.. appreciate the read!

cheers, JD

--
Jim Dory
Engineering
City of Nome
PO Box 281
102 Division St.
Nome, AK 99762
907.443.6604
http://www.nomealaska.org
Re: [Samba] smbd/vfs.c:932(check_reduced_name) after upgrade
In my RHEL 6 machine I get these errors from my XP machines

smbd/vfs.c:932(check_reduced_name)

The article says the fix is simple. Bug 7409, but WHERE do I find that fix?

Thanks
Jim
Re: [Samba] idmap troubles with any version 3.30 or later
Michael,

Thanks for the response. As to the other symlinks question referenced in this, please disregard. I believe I have a handle on what is causing my troubles, and have posted my theory in another thread.

I believe it has something to do with libnss_winbind.so.2 (or a component thereof) looking by default for a group called Domain Users with an Unix GID, and only iterating members of said group, instead of simply looking for users with RFC2307 attributes populated as it used to do pre 3.30.

If that's the case, it would have been nice to have something in a wiki or help or man page explaining that specific aspect of the change to idmap functionality, at the very least. There's still a flaw with that process regardless, which I will follow in the other thread.

Thanks again,
Jim.

-Original Message-
From: Michael Adam [mailto:ob...@samba.org]
Sent: Friday, January 21, 2011 5:53 AM
To: Jim Stalewski
Cc: samba@lists.samba.org
Subject: Re: [Samba] idmap troubles with any version 3.30 or later

Hi Jim,

Jim Stalewski wrote:

Hello list. The issue I have is that with the changes made to the idmap functionality of winbind, as regards the enumeration of rfc2307 users and groups using getent passwd and getent group, only those AD users that are not in the domains included in the idmap config (domain) statements (the ones in trusted domains that get their ID mappings auto-assigned by the TDB backend with id's in the idmap uid / gid ranges) get enumerated. The ones that have the RFC2307 attributes defined within the idmap group (domain) range statements will return their uid/gid/homedir/shell info only if you specify getent passwd (username) but they do not enumerate with a getent passwd. Same with getent group (groupname) vs getent group.

If this is a case, then it is a bug and needs fixing. There have been bugs with enumeration in the past and I need to go recheck bugzilla. Maybe such bug reappeared or there is a fix that is not yet in the versions you tested. Otherwise, we need to file a new bug. Could you be more precise and send your smb.conf file and indicate for which of the idmap configs listed, users are not enumerated?

I have had to create the symlinks in /usr/lib and /usr/lib64 for the /lib/nss_winbind.so.2, /lib/nss_wins.so.2, /lib64/nss_winbind.so.2 and /lib64/nss_wins.so.2 libs manually because the installer did not create them for me, and until I did so, getent passwd and getent group only displayed the local /etc/passwd and /etc/group entries.

Hm, so you compiled and installed samba manually? This can also be considered a bug. Usually, on linux, this is taken care of by the distribution packagers in the RPMs /.debs and whatnot. This may be the reason why this did not pop up prominently yet. Could provide more info about your system? OS, version, architecture, build system, ...

Question - are there any other symlinks that should be created for any other aspect of the nss idmap functionality that may not have been created by the install process, that would be breaking the user / group enumeration functionality of nss_winbind.so, and if so, what libs need to be symlinked to which folders using what names?

This question is too general instead. Usually each component providing nss backends should take care of installing the correct libs/symlinks in its installer itself. If you are manually installing samba, then you might have to There should Could you paste your /etc/nsswitch.conf ?

Best regards, Michael

I have tried version 3.3x, 3.4.3 and 3.5.4 all with the same lack of results from getent passwd and getent group but it functioned properly under 3.2.7, so it can't be Thanks in advance, Jim.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete it. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. No employee or agent is authorized to conclude any binding agreement on behalf of Visa Lighting with another party by email without express written confirmation by an authorized representative of the Company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
Re: [Samba] Possible bug in nss_winbind with ad backend and rfc2307
More info on this topic:

Without giving my AD domain's Domain Users group a Unix gid, getent passwd enumerates no AD users. With the Domain Users group having a gid in the range of the idmap config range, I do get my users enumerated with a getent passwd.

In winbindd.log, for each cached user with rfc2307 information, it logs for nss_get_info_cached:

result: homedir = '/home/user' shell = '/bin/bash' gecos = '(null)' (because I'm not using gecos attrib) gid = '6'

but the getent passwd result is

user:*:10043:12011:User Name:/home/user:/bin/bash

where 12011 is the gid I gave to Domain Users. rfc2307 should have returned gid 6 as per the nss_get_info_cached result.

If I do:

getent passwd user

the result is:

user:*:10043:6:User Name:/home/user:/bin/bash

as it should be. gid 6 is a local group, not an AD-defined group, so as not to depend on AD for filesystem group ownership/permissions. If getent passwd doesn't enumerate the user data with the user having the proper default group, they will not inherit the proper permissions.

-Original Message-
From: Jim Stalewski
Sent: Thursday, January 20, 2011 7:26 PM
To: samba@lists.samba.org
Subject: [Samba] Possible bug in nss_winbind with ad backend and rfc2307

I ran some tests to see why getent passwd was not enumerating my domain users and discovered this:

If I getent passwd username it returns the user information including the primary group defined in the Unix attributes.

If I add a Unix GID in the idmap config range to the domain's Domain Users group and getent passwd, it returns all of my domain users with all of the Unix attributes as defined in AD for them, BUT it replaces the primary group GID with the GID I defined for the Domain Users group.

Apparently, some genius decided that the best way to look up users in AD is by membership in Domain Users rather than iterating through the directory looking for users that have rfc2307 attributes defined, totally ignoring the rfc2307 group attribute on the user objects.

The suspected bug is that it is not using the rfc2307 primary GID attribute, but rather is defaulting the Domain Users group as the primary group for all users regardless of the rfc2307 attributes.

Is there a way to force Winbind not to use the Domain Users group as the primary group for the winbindd_getpwent process, so it returns the rfc2307 group attribute as it used to / should? Or do I have to redo all of my group file ownership/permissions on all of my servers to match Domain Users for some ungodly reason?

Currently running Samba 3.4.3 on SLES 11.1, and authenticating against Windows 2003R2 AD, but I suspect this same bug/feature was introduced with the idmap changes in 3.30 and above so should apply to all versions above 3.30. I don't know if the same logic is being used in v4 winbind idmap process...
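A check for the discrepancy reported in the message above, as an added example that is not part of the original post and is not Samba code: it compares the primary GID each account gets from enumeration (`getent passwd`) with the one from a direct lookup (`getent passwd USER`) and lists accounts that resolve but are not enumerated. The function names and the sample records (other than the `user` lines quoted in the post) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Samba code): compare primary GIDs seen through NSS
# enumeration with those returned by direct per-user lookups.
# Function names and sample records are constructed for illustration.

# gid_mismatches ENUM_FILE LOOKUP_FILE
# Both files hold passwd(5) lines. For each user present in both, print
# "user enumerated_gid lookup_gid" when field 4 (primary GID) differs.
gid_mismatches() {
    awk -F: '
        FILENAME == ARGV[1] { if (NF >= 7) lookup[$1] = $4; next }
        NF >= 7 && ($1 in lookup) && lookup[$1] != $4 { print $1, $4, lookup[$1] }
    ' "$2" "$1"
}

# not_enumerated ENUM_FILE LOOKUP_FILE
# Print users that resolve by direct lookup but are absent from enumeration.
not_enumerated() {
    awk -F: '
        FILENAME == ARGV[1] { seen[$1] = 1; next }
        NF >= 7 && !($1 in seen) { print $1 }
    ' "$1" "$2"
}

# live_snapshot DIR USER...
# Write DIR/enum from "getent passwd" and DIR/lookup from one
# "getent passwd USER" call per named account. The names come from the
# administrator (for example from the directory), because enumeration may
# omit exactly the accounts being checked.
live_snapshot() {
    dir=$1; shift
    getent passwd > "$dir/enum"
    : > "$dir/lookup"
    for u in "$@"; do
        getent passwd "$u" >> "$dir/lookup" || echo "no direct entry for $u" >&2
    done
}

# write_sample DIR
# Constructed sample: "user" mirrors the two results quoted in the post
# (GID 12011 when enumerated, GID 6 on direct lookup); alice and bob are
# made-up accounts. bob resolves directly but is not enumerated.
write_sample() {
    cat > "$1/enum" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:*:10043:12011:User Name:/home/user:/bin/bash
alice:*:10044:12011:Alice Example:/home/alice:/bin/bash
EOF
    cat > "$1/lookup" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:*:10043:6:User Name:/home/user:/bin/bash
alice:*:10044:12011:Alice Example:/home/alice:/bin/bash
bob:*:10045:6:Bob Example:/home/bob:/bin/bash
EOF
}

# demo: run both checks over the constructed sample.
demo() {
    d=$(mktemp -d) || return 1
    write_sample "$d"
    echo "Primary GID differs (user enumerated lookup):"
    gid_mismatches "$d/enum" "$d/lookup"
    echo "Resolvable but not enumerated:"
    not_enumerated "$d/enum" "$d/lookup"
    rm -rf "$d"
}

demo
```

On a live host, `live_snapshot` fills the two files from NSS so the same two checks can be run against real accounts before file ownership or group permissions are relied on.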
[Samba] idmap troubles with any version 3.30 or later
Hello list.

The issue I have is that with the changes made to the idmap functionality of winbind, as regards the enumeration of rfc2307 users and groups using getent passwd and getent group, only those AD users that are not in the domains included in the idmap config (domain) statements (the ones in trusted domains that get their ID mappings auto-assigned by the TDB backend with id's in the idmap uid / gid ranges) get enumerated. The ones that have the RFC2307 attributes defined within the idmap group (domain) range statements will return their uid/gid/homedir/shell info only if you specify getent passwd (username) but they do not enumerate with a getent passwd. Same with getent group (groupname) vs getent group.

I have had to create the symlinks in /usr/lib and /usr/lib64 for the /lib/nss_winbind.so.2, /lib/nss_wins.so.2, /lib64/nss_winbind.so.2 and /lib64/nss_wins.so.2 libs manually because the installer did not create them for me, and until I did so, getent passwd and getent group only displayed the local /etc/passwd and /etc/group entries.

Question - are there any other symlinks that should be created for any other aspect of the nss idmap functionality that may not have been created by the install process, that would be breaking the user / group enumeration functionality of nss_winbind.so, and if so, what libs need to be symlinked to which folders using what names?

I have tried version 3.3x, 3.4.3 and 3.5.4 all with the same lack of results from getent passwd and getent group but it functioned properly under 3.2.7, so it can't be Thanks in advance, Jim.
[Samba] Possible bug in nss_winbind with ad backend and rfc2307
I ran some tests to see why getent passwd was not enumerating my domain users and discovered this:

If I getent passwd username it returns the user information including the primary group defined in the Unix attributes.

If I add a Unix GID in the idmap config range to the domain's Domain Users group and getent passwd, it returns all of my domain users with all of the Unix attributes as defined in AD for them, BUT it replaces the primary group GID with the GID I defined for the Domain Users group.

Apparently, some genius decided that the best way to look up users in AD is by membership in Domain Users rather than iterating through the directory looking for users that have rfc2307 attributes defined, totally ignoring the rfc2307 group attribute on the user objects.

The suspected bug is that it is not using the rfc2307 primary GID attribute, but rather is defaulting the Domain Users group as the primary group for all users regardless of the rfc2307 attributes.

Is there a way to force Winbind not to use the Domain Users group as the primary group for the winbindd_getpwent process, so it returns the rfc2307 group attribute as it used to / should? Or do I have to redo all of my group file ownership/permissions on all of my servers to match Domain Users for some ungodly reason?

Currently running Samba 3.4.3 on SLES 11.1, and authenticating against Windows 2003R2 AD, but I suspect this same bug/feature was introduced with the idmap changes in 3.30 and above so should apply to all versions above 3.30. I don't know if the same logic is being used in v4 winbind idmap process...
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via d2e2b00 Update addresses for Conservancy from 932dd98 Updated entries for PrimaStasys. http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit d2e2b007ca9fa7c103ba24d0a0a75702831c2912 Author: Jim McDonough j...@samba.org Date: Mon Dec 20 15:25:14 2010 -0500 Update addresses for Conservancy --- Summary of changes: donations.html |8 1 files changed, 4 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/donations.html b/donations.html index bc26511..bdeb9dd 100755 --- a/donations.html +++ b/donations.html @@ -32,9 +32,9 @@ src=https://www.paypal.com/en_US/i/btn/x-click-but21.gif; border=0 name=subm pre Samba Team - c/o The Software Freedom Conservancy - 1995 BROADWAY FL 17 - NEW YORK NY 10023-5882 + c/o Software Freedom Conservancy, Inc. + 137 Montague St Ste 380 + Brooklyn, NY 11201-3548 /pre br @@ -47,7 +47,7 @@ the USA, so donations in the USA may be tax-deductible./p pIf you would like to make a larger corporate donation then we would certainly like to discuss that. Please send a email to a -href=mailto:conserva...@softwarefreedom.org;conserva...@softwarefreedom.org/a +href=mailto:donat...@sfconservancy.org;donat...@sfconservancy.org/a or talk to any Samba Team member./p h3Why do we need money?/h3 -- Samba Website Repository
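Review bot: the second hunk moves the corporate-donation contact from a softwarefreedom.org mailbox to one at sfconservancy.org, which is more than the postal-address update the subject line describes. On a page that tells people where to send money, the commit message should say that the mail contact and its domain changed as well, so the change can be checked against the Conservancy's own published details. The href and the visible link text were updated together, which is right. Separately, the index line shows donations.html with mode 100755; a static HTML page does not need the executable bit.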
[Samba] samba - xp -ad issue
I was hoping that someone has seen a similar problem to the one I am facing. I have a samba 3 server connected to a Windows domain. All connections appear correct. Most of the users can connect via Windows XP with no issue. However there are an unlucky few whose work stations cannot connect. All XP work stations are the same (at least as well as a large company can get). The users in question have AD accounts on the Linux server. We use AD as the userid source and Kerberos authentication on the *nix machines. So user IDs and passwords are not the issue.

The error received is that the network path is not available, XP takes about 5 minutes to determine that the path is not available. The issue does not appear to be location dependent. Two users seated 10 feet from each other one will have the issue the other will not. It appears as though the issue is workstation level. I have turned on level of debugging info but nothing obvious stands out.

Are there any suggestions?

Jim
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2ec657b Updated french translations from Jean Delvare jdelv...@suse.de from 536622e s4:dsdb/samdb/cracknames.c - fix another memory leak http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2ec657b10eb24ec29fd7724eabdb8ee51ed132e5 Author: Holger Hetterich hhet...@novell.com Date: Sat Dec 4 11:28:12 2010 -0500 Updated french translations from Jean Delvare jdelv...@suse.de Autobuild-User: Jim McDonough j...@samba.org Autobuild-Date: Sat Dec 4 18:23:54 CET 2010 on sn-devel-104 --- Summary of changes: source3/locale/pam_winbind/fr.po | 207 ++ 1 files changed, 96 insertions(+), 111 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/locale/pam_winbind/fr.po b/source3/locale/pam_winbind/fr.po index 70c2b5c..922cbcc 100644 --- a/source3/locale/pam_winbind/fr.po +++ b/source3/locale/pam_winbind/fr.po @@ -81,19 +81,17 @@ msgid Access is denied msgstr Accès refusé #: ../../../nsswitch/pam_winbind.c:818 -#, fuzzy msgid Do you want to change your password now? -msgstr Vous devez changer votre mot de passe maintenant. +msgstr Voulez-vous changer votre mot de passe maintenant ? #: ../../../nsswitch/pam_winbind.c:902 -#, fuzzy msgid Your password expires today.\n msgstr Votre mot de passe expire aujourd'hui.\n #: ../../../nsswitch/pam_winbind.c:932 -#, fuzzy, c-format +#, c-format msgid Your password will expire in %d %s.\n -msgstr Votre mot de passe expire dans %d %s.\n +msgstr Votre mot de passe expirera dans %d %s.\n #: ../../../nsswitch/pam_winbind.c:933 msgid days 
@@ -106,7 +104,7 @@ msgstr jour #: ../../../nsswitch/pam_winbind.c:1169 ../../../nsswitch/pam_winbind.c:1193 #, c-format msgid Cannot convert group %s to sid, please contact your administrator to see if group %s is valid. -msgstr +msgstr Impossible de convertir le groupe %s en sid, veuillez contacter votre administrateur pour voir si le groupe %s est valide. #: ../../../nsswitch/pam_winbind.c:1387 msgid Grace login. Please change your password as soon you're online again @@ -121,6 +119,8 @@ msgid Failed to establish your Kerberos Ticket cache due time differences\n with the domain controller. Please verify the system time.\n msgstr +Impossible d'établir votre cache Kerberos Ticket en raison d'une différence\n +de temps avec le contrôleur de domaine. Veuillez vérifier l'heure système.\n #: ../../../nsswitch/pam_winbind.c:1490 msgid Your password @@ -147,7 +147,7 @@ msgstr Veuillez choisir un autre mot de passe qui satisfasse les différents cr #: ../../../nsswitch/pam_winbind.c:1553 #, c-format msgid Creating directory: %s failed: %s -msgstr +msgstr La création du répertoire %s a échoué : %s #: ../../../nsswitch/pam_winbind.c:2018 msgid Password does not meet complexity requirements @@ -158,7 +158,7 @@ msgstr Le mot de passe n'est pas suffisamment complexe. #. #: ../../../nsswitch/pam_winbind.c:2489 ../../../nsswitch/pam_winbind.c:3035 msgid Username: -msgstr +msgstr Nom d'utilisateur : #: ../../../nsswitch/pam_winbind.c:2665 msgid Password: @@ -171,7 +171,7 @@ msgstr Changement du mot de passe pour #: ../../../nsswitch/pam_winbind.c:3086 msgid (current) NT password: -msgstr mot de passe NT actuel : +msgstr Mot de passe NT actuel : #: ../../../nsswitch/pam_winbind.c:3156 msgid Enter new NT password: 
@@ -187,375 +187,360 @@ msgstr Confirmation du nouveau mot de passe NT : #. #: ../../../nsswitch/pam_winbind.h:128 msgid Sorry, passwords do not match -msgstr +msgstr Désolé, les mots de passe ne correspondent pas. #: ../../libsmb/nterr.c:559 msgid Undetermined error -msgstr +msgstr Erreur indéterminée #: ../../libsmb/nterr.c:560 -#, fuzzy msgid Access denied msgstr Accès refusé #: ../../libsmb/nterr.c:561 msgid Account locked out -msgstr +msgstr Compte bloqué #: ../../libsmb/nterr.c:562 -#, fuzzy msgid Must change password -msgstr Vous devez changer votre mot de passe maintenant. +msgstr Doit changer son mot de passe #: ../../libsmb/nterr.c:563 -#, fuzzy msgid Password is too short msgstr Mot de passe trop court #: ../../libsmb/nterr.c:564 -#, fuzzy msgid Password is too recent -msgstr Mot de passe trop court +msgstr Mot de passe trop récent #: ../../libsmb/nterr.c:565 -#, fuzzy msgid Password history conflict -msgstr Mot de passe trop court +msgstr Mot de passe en conflit avec l'historique #: ../../libsmb/nterr.c:567 msgid Improperly formed account name -msgstr +msgstr Nom de compte incorrectement formé #: ../../libsmb/nterr.c:568 msgid User exists -msgstr +msgstr L'utilisateur existe #: ../../libsmb/nterr.c:569 msgid No such user -msgstr +msgstr Pas de tel utilisateur #: ../../libsmb/nterr.c:570 msgid Group exists -msgstr
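Review bot: at ../../libsmb/nterr.c:562 the new msgstr "Doit changer son mot de passe" talks about the user in the third person, while the pam_winbind strings in the same catalogue address the user directly ("Votre mot de passe ...", "Voulez-vous ..."); if this text can reach the person logging in, keeping the earlier "Vous devez changer votre mot de passe" without the trailing "maintenant" would stay consistent. In the Kerberos hunk, "cache Kerberos Ticket" keeps the English word order and reads oddly in French. The entries that lose `fuzzy` but keep `c-format` (pam_winbind.c:932, and the newly filled strings at :1169 and :1553) keep their `%d`/`%s` conversions in the msgid's order, so the format arguments still line up.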
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via 714c6c4 Updated french translations from Jean Delvare jdelv...@suse.de from 77f1180 Fix bug #3185 - testparm exits 0 if it can read the config file regardless of errors (cherry picked from commit 3b5bd37016d794526c230f81d725c9daa238a9d7) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit 714c6c4f12e93427ab7de1669a1cabffcd28d15d Author: Holger Hetterich hhet...@novell.com Date: Sat Dec 4 11:28:12 2010 -0500 Updated french translations from Jean Delvare jdelv...@suse.de Autobuild-User: Jim McDonough j...@samba.org Autobuild-Date: Sat Dec 4 18:23:54 CET 2010 on sn-devel-104 --- Summary of changes: source3/locale/pam_winbind/fr.po | 207 ++ 1 files changed, 96 insertions(+), 111 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/locale/pam_winbind/fr.po b/source3/locale/pam_winbind/fr.po index 70c2b5c..922cbcc 100644 --- a/source3/locale/pam_winbind/fr.po +++ b/source3/locale/pam_winbind/fr.po @@ -81,19 +81,17 @@ msgid Access is denied msgstr Accès refusé #: ../../../nsswitch/pam_winbind.c:818 -#, fuzzy msgid Do you want to change your password now? -msgstr Vous devez changer votre mot de passe maintenant. +msgstr Voulez-vous changer votre mot de passe maintenant ? #: ../../../nsswitch/pam_winbind.c:902 -#, fuzzy msgid Your password expires today.\n msgstr Votre mot de passe expire aujourd'hui.\n #: ../../../nsswitch/pam_winbind.c:932 -#, fuzzy, c-format +#, c-format msgid Your password will expire in %d %s.\n -msgstr Votre mot de passe expire dans %d %s.\n +msgstr Votre mot de passe expirera dans %d %s.\n #: ../../../nsswitch/pam_winbind.c:933 msgid days 
@@ -106,7 +104,7 @@ msgstr jour #: ../../../nsswitch/pam_winbind.c:1169 ../../../nsswitch/pam_winbind.c:1193 #, c-format msgid Cannot convert group %s to sid, please contact your administrator to see if group %s is valid. -msgstr +msgstr Impossible de convertir le groupe %s en sid, veuillez contacter votre administrateur pour voir si le groupe %s est valide. #: ../../../nsswitch/pam_winbind.c:1387 msgid Grace login. Please change your password as soon you're online again @@ -121,6 +119,8 @@ msgid Failed to establish your Kerberos Ticket cache due time differences\n with the domain controller. Please verify the system time.\n msgstr +Impossible d'établir votre cache Kerberos Ticket en raison d'une différence\n +de temps avec le contrôleur de domaine. Veuillez vérifier l'heure système.\n #: ../../../nsswitch/pam_winbind.c:1490 msgid Your password @@ -147,7 +147,7 @@ msgstr Veuillez choisir un autre mot de passe qui satisfasse les différents cr #: ../../../nsswitch/pam_winbind.c:1553 #, c-format msgid Creating directory: %s failed: %s -msgstr +msgstr La création du répertoire %s a échoué : %s #: ../../../nsswitch/pam_winbind.c:2018 msgid Password does not meet complexity requirements @@ -158,7 +158,7 @@ msgstr Le mot de passe n'est pas suffisamment complexe. #. #: ../../../nsswitch/pam_winbind.c:2489 ../../../nsswitch/pam_winbind.c:3035 msgid Username: -msgstr +msgstr Nom d'utilisateur : #: ../../../nsswitch/pam_winbind.c:2665 msgid Password: @@ -171,7 +171,7 @@ msgstr Changement du mot de passe pour #: ../../../nsswitch/pam_winbind.c:3086 msgid (current) NT password: -msgstr mot de passe NT actuel : +msgstr Mot de passe NT actuel : #: ../../../nsswitch/pam_winbind.c:3156 msgid Enter new NT password: 
@@ -187,375 +187,360 @@ msgstr Confirmation du nouveau mot de passe NT : #. #: ../../../nsswitch/pam_winbind.h:128 msgid Sorry, passwords do not match -msgstr +msgstr Désolé, les mots de passe ne correspondent pas. #: ../../libsmb/nterr.c:559 msgid Undetermined error -msgstr +msgstr Erreur indéterminée #: ../../libsmb/nterr.c:560 -#, fuzzy msgid Access denied msgstr Accès refusé #: ../../libsmb/nterr.c:561 msgid Account locked out -msgstr +msgstr Compte bloqué #: ../../libsmb/nterr.c:562 -#, fuzzy msgid Must change password -msgstr Vous devez changer votre mot de passe maintenant. +msgstr Doit changer son mot de passe #: ../../libsmb/nterr.c:563 -#, fuzzy msgid Password is too short msgstr Mot de passe trop court #: ../../libsmb/nterr.c:564 -#, fuzzy msgid Password is too recent -msgstr Mot de passe trop court +msgstr Mot de passe trop récent #: ../../libsmb/nterr.c:565 -#, fuzzy msgid Password history conflict -msgstr Mot de passe trop court +msgstr Mot de passe en conflit avec l'historique #: ../../libsmb/nterr.c:567 msgid Improperly formed account name -msgstr +msgstr Nom de compte incorrectement formé #: ../../libsmb/nterr.c:568 msgid User exists -msgstr +msgstr L'utilisateur existe #: ../../libsmb/nterr.c:569 msgid
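Review bot: in the nterr.c:562 entry, "Doit changer son mot de passe" switches to the third person, while the pam_winbind.c strings in the same file address the user directly ("Votre mot de passe expirera ..."); if this status text is shown to the person logging in, "Vous devez changer votre mot de passe" would be consistent. The c-format entries touched here (pam_winbind.c:932, :1169 and :1553) keep the same conversions in the same order as their msgid, which matters because a mismatched format string in a PAM module is a crash risk; running msgfmt -c on fr.po before pushing keeps that checked. The Kerberos msgstr would also read more naturally as "cache de tickets Kerberos" than "cache Kerberos Ticket".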
Re: [Samba] LVS and SAMBA
On Sun, Nov 21, 2010 at 4:02 PM, Ciro Iriarte cyru...@gmail.com wrote:
> From what I heard about the SLES+HA solution, a CTDB cluster can't act as Domain controller... Am I wrong?

I have not come up with any reason why it couldn't, nor have I heard a reason. I think a more accurate statement is that this has not been a widely tested scenario for ctdb. It's had lots of testing and deployment in domain member and standalone setups. I have a customer who has been using it in a test environment for quite a while as a PDC. They've not had issues with the DC functionality.

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] LVS and SAMBA
On Thu, Nov 18, 2010 at 3:56 PM, Michael Adam ob...@samba.org wrote:
> Ciro Iriarte wrote:
>> 2010/11/3 Volker Lendecke volker.lende...@sernet.de:
>>> On Wed, Nov 03, 2010 at 11:03:20AM -0300, Ciro Iriarte wrote:
>>>> Hi, would it be possible to run two nodes with SAMBA+LDAP and an OCFS2 filesystem, with LVS load balancing WITHOUT CTDB? This would be relying only on OCFS2 file locking. The idea is to provide authentication, HA file service and load balancing.
>>>
>>> That would cause data corruption. As far as I know (please correct me if I'm wrong) OCFS2 does not support the full semantics required for share modes, oplocks and all the other fancy cifs features that Samba provides. That's the point of the ctdb and clustered samba combo.
>>>
>>> Volker
>>
>> Well, the new cool feature on OCFS2 is fcntl, apparently is not enough. With CTDB I see that nodes use the same netbios name. How would that affect domain controller feature? I won't like to build other server pair just for PDC/BDC
>
> When you think a little about it you will agree that when serving the same folder from a cluster file system like ocfs2, as mounted on two different nodes, as samba shares from these nodes, then you will have to configure the two sambas to use the same netbios name. Not only that, but you will also have to make sure that the windows SID -- unix ID mappings are identical. (Unless, of course, you like data corruption. ;-) And so on.
>
> The typical use case for a clustered samba with ctdb is a file server that is member in a domain, but you can in principle also run samba as a clustered Domain controller on the cluster. This will just be one DC then (since the samba's on the nodes will have to appear as one server together), but this way you could replace the PDC/BDC replication, failover and load balancing mechanism of the classical PDC/BDC scheme by using e.g. one clustered PDC. This could even use tdbsam then (instead of ldapsam), since replication is done by CTDB then.
>
> I personally have not done such a setup. But it should not be a big problem. Be sure to use the cluster addresses variable in smb.conf here to make nmbd happy.
>
> Maybe Jim McDonough can share some of his experiences here? :-)

I think you've basically covered it, Michael. This setup is supported on SLES11+HAE as described here. Ok, we're reworking the ctdb resource agent, but if you run ocfs2 under the HA stack, and ctdb outside this, it works just fine. A new resource agent is coming soon, or if you've got support on SLES11SP1+HAE, please contact Novell support.

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
Re: [Samba] Samba for z/OS 1.10
On Sat, Nov 13, 2010 at 6:04 PM, Volker Lendecke volker.lende...@sernet.de wrote:
> On Wed, Nov 10, 2010 at 02:54:48PM +0100, martin.h...@helvetia.ch wrote:
>> is there any samba version available for download, which runs on IBM MVS, i.e. IBM z/OS 1.10 ...?
>
> There used to be something that claimed to run on MVS ages (and I mean AGES, my rough guess would be 10 years) ago.

Yep, right around 10 years ago. IIRC it was possible to build on OpenEdition MVS. That was the last time I touched it. IBM used to have an SMB server in zOS, though, so it wasn't a real priority. I have no idea if that is still available.

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0ec0095... s3-libsmbclient Convert dos error codes to NTstatus in async libsmbclient. from cbe9f87... s3-ads: Fix wrong test in if statement http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0ec0095d1a40435042b8ff9e4bc7fedbeb371e5f Author: Jim McDonough j...@samba.org Date: Thu Aug 19 08:46:59 2010 -0400 s3-libsmbclient Convert dos error codes to NTstatus in async libsmbclient. DOS error codes were being lost with the conversion to async libsmbclient. If we're passing around NTSTATUS internally, let's just convert it when we get it. DOS ACCESS_DENIED on nautilus was not prompting for other credentials, because it was not being mapped. --- Summary of changes: source3/libsmb/async_smb.c |8 +--- source3/libsmb/errormap.c |2 +- 2 files changed, 2 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/async_smb.c b/source3/libsmb/async_smb.c index 4518518..8e08d6f 100644 --- a/source3/libsmb/async_smb.c +++ b/source3/libsmb/async_smb.c @@ -120,13 +120,7 @@ NTSTATUS cli_pull_error(char *buf) return NT_STATUS(IVAL(buf, smb_rcls)); } - /* if the client uses dos errors, but there is no error, - we should return no error here, otherwise it looks - like an unknown bad NT_STATUS. jmcd */ - if (CVAL(buf, smb_rcls) == 0) - return NT_STATUS_OK; - - return NT_STATUS_DOS(CVAL(buf, smb_rcls), SVAL(buf,smb_err)); + return dos_to_ntstatus(CVAL(buf, smb_rcls), SVAL(buf,smb_err)); } /** diff --git a/source3/libsmb/errormap.c b/source3/libsmb/errormap.c index 48b3eb3..8b4ef23 100644 --- a/source3/libsmb/errormap.c +++ b/source3/libsmb/errormap.c 
@@ -1425,7 +1425,7 @@ convert a dos eclas/ecode to a NT status32 code NTSTATUS dos_to_ntstatus(uint8 eclass, uint32 ecode) { int i; - if (eclass == 0 ecode == 0) return NT_STATUS_OK; + if (eclass == 0) return NT_STATUS_OK; for (i=0; NT_STATUS_V(dos_to_ntstatus_map[i].ntstatus); i++) { if (eclass == dos_to_ntstatus_map[i].dos_class ecode == dos_to_ntstatus_map[i].dos_code) { -- Samba Shared Repository
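Review bot: in errormap.c, dropping the ecode half of the early-return test makes dos_to_ntstatus() return NT_STATUS_OK for every error code whenever eclass is 0, for all of its callers and not only cli_pull_error(). That matches the check removed from async_smb.c, but the comment explaining it was deleted with it, so please carry a one-line comment over to the new eclass test. The hunk also does not show what dos_to_ntstatus() returns when the loop finds no entry in dos_to_ntstatus_map; since cli_pull_error() no longer falls back to NT_STATUS_DOS(), it is worth confirming that an unmapped class/code pair still comes back as an error status, otherwise a failure like the ACCESS_DENIED case in the commit message could be lost again.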
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via efd8229... s3-printing: fix BUG 7280 - auto printers not loading with registry config from dadcc84... s4:samdb_set_password_sid - fix comment http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit efd822982e531d82b4b95624146b90cd3334f78f Author: Jim McDonough j...@samba.org Date: Mon Aug 16 14:07:44 2010 -0400 s3-printing: fix BUG 7280 - auto printers not loading with registry config --- Summary of changes: source3/printing/load.c |4 1 files changed, 4 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/printing/load.c b/source3/printing/load.c index dd5d4ea..4f1bb88 100644 --- a/source3/printing/load.c +++ b/source3/printing/load.c @@ -32,6 +32,10 @@ static void add_auto_printers(void) char *saveptr; if (pnum 0) + if (process_registry_service(PRINTERS_NAME)) + pnum = lp_servicenumber(PRINTERS_NAME); + + if (pnum 0) return; if ((str = SMB_STRDUP(lp_auto_services())) == NULL) -- Samba Shared Repository
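Review bot: the added lookup in add_auto_printers() nests one unbraced if inside another and is followed directly by a second test of pnum, which is easy to misread as a single statement. Braces around the outer block would make it clear that the return belongs only to the second test.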
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via f1fed29... s3-printing: fix BUG 7280 - auto printers not loading with registry config from a21b0b2... s3:idmap: fix sid_to_unixid for builtin and own domain. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit f1fed298d80a3170f4fdec22ee06b4625a6876f9 Author: Jim McDonough j...@samba.org Date: Mon Aug 16 14:07:44 2010 -0400 s3-printing: fix BUG 7280 - auto printers not loading with registry config --- Summary of changes: source3/printing/load.c |4 1 files changed, 4 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/printing/load.c b/source3/printing/load.c index 99b5226..76265b5 100644 --- a/source3/printing/load.c +++ b/source3/printing/load.c @@ -32,6 +32,10 @@ static void add_auto_printers(void) char *saveptr; if (pnum 0) + if (process_registry_service(PRINTERS_NAME)) + pnum = lp_servicenumber(PRINTERS_NAME); + + if (pnum 0) return; if ((str = SMB_STRDUP(lp_auto_services())) == NULL) -- Samba Shared Repository
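Review bot: when process_registry_service(PRINTERS_NAME) fails, add_auto_printers() falls through to the second pnum test and returns without any trace, so a registry printers service that failed to load looks the same as one that is absent. A DEBUG line on that failure path would make reports like BUG 7280 easier to diagnose, and the commit message could say in a sentence why the registry service has to be loaded at this point.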
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c67b4ed... s3-libnet: fix bug #6364: Pull realm from supplied username on libnet join from 73a69e2... s3-waf: fix the build. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c67b4ed3a406011d0fc7e1e2cbdc27ec4822e57c Author: Jim McDonough j...@samba.org Date: Thu Aug 12 17:51:02 2010 -0400 s3-libnet: fix bug #6364: Pull realm from supplied username on libnet join --- Summary of changes: source3/libnet/libnet_join.c |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index bff4e1e..c710f9e 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -113,6 +113,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, { ADS_STATUS status; ADS_STRUCT *my_ads = NULL; + char *cp; my_ads = ads_init(dns_domain_name, netbios_domain_name, @@ -124,6 +125,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, if (user_name) { SAFE_FREE(my_ads-auth.user_name); my_ads-auth.user_name = SMB_STRDUP(user_name); + if ((cp = strchr_m(my_ads-auth.user_name, '@'))!=0) { + *cp++ = '\0'; + SAFE_FREE(my_ads-auth.realm); + my_ads-auth.realm = smb_xstrdup(cp); + strupper_m(my_ads-auth.realm); + } } if (password) { -- Samba Shared Repository
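Review bot: in libnet_connect_ads(), the new block splits user_name at the first '@' but never checks what follows it, so a name that ends in '@' leaves auth.realm set to an empty string. Check that *cp is non-empty after the increment before replacing the realm; the pointer test !=0 would also read better as != NULL.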
[SCM] Samba Shared Repository - branch v3-6-test updated
The branch, v3-6-test has been updated via a8326c6... s3-libnet: fix bug #6364: Pull realm from supplied username on libnet join from dfc1cf9... pidl:NDR: correctly handle no pointer bracket arrays with 'string' http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test - Log - commit a8326c6dfe8186e6d9fce58ed6478d0956e6284a Author: Jim McDonough j...@samba.org Date: Thu Aug 12 17:51:02 2010 -0400 s3-libnet: fix bug #6364: Pull realm from supplied username on libnet join --- Summary of changes: source3/libnet/libnet_join.c |7 +++ 1 files changed, 7 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index bff4e1e..c710f9e 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -113,6 +113,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, { ADS_STATUS status; ADS_STRUCT *my_ads = NULL; + char *cp; my_ads = ads_init(dns_domain_name, netbios_domain_name, @@ -124,6 +125,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, if (user_name) { SAFE_FREE(my_ads-auth.user_name); my_ads-auth.user_name = SMB_STRDUP(user_name); + if ((cp = strchr_m(my_ads-auth.user_name, '@'))!=0) { + *cp++ = '\0'; + SAFE_FREE(my_ads-auth.realm); + my_ads-auth.realm = smb_xstrdup(cp); + strupper_m(my_ads-auth.realm); + } } if (password) { -- Samba Shared Repository
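Review bot: the result of SMB_STRDUP(user_name) is passed straight to strchr_m() in the added lines, so an allocation failure would hand it a NULL pointer; add a NULL check and return an error status before the '@' lookup. The block also mixes SMB_STRDUP for the user name with smb_xstrdup for the realm, and one allocation style within the function would be easier to reason about.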
[Samba] winbind ADS getent passwd fails, getent passwd username works, getent group gives partial list
I have the following configuration:

SuSE Linux Enterprise 11, X86_64

Packages installed with SLES11 or updated from SLES update repo:
Samba 3.2.7-11.20.1
MIT Kerberos 5 1.6.3-133.33.1
OpenLDAP 2.4.12-7.18.1
Cyrus SASL 2.1.22-182.20.1

Have one server set up joined to AD (Win2K3 R2) domain as a member server, based primarily on scottlowe's blog instructions. Trying to get a 2nd SLES11 X86_64 server to behave the same way as the first.

Using idmap backend ad with schema_mode rfc2307. Winbind enum users and enum groups both set to yes. Except for the server name, smb.conf, ldap.conf, nsswitch.conf and pam.d configurations are all the same. I am not running nscd. I am starting nmb, smb and winbind.

Both servers are joined to AD. Kerberos authentication appears to work fine on both (can kinit whatever user I want in the realm.) LDAP browse of AD works fine on both servers, and the LDAP password defined in ldap.conf (and ldap.secret) for the ldap bind users is the same on both.

On the first, working server:
wbinfo -u and wbinfo -g enumerate all AD users and groups.
getent passwd enumerates all local and all AD users. Users without UID already assigned get one assigned from the range for the idmap config for the domain.
getent group enumerates all local and AD groups. Groups without GID already assigned get one assigned from the range for the idmap config for the domain.

On the second server, set up exactly the same way as the first:
wbinfo -u and wbinfo -g both work - enumerate all AD users and AD groups.
getent passwd only enumerates local users.
getent passwd username enumerates the named AD user.
getent group enumerates local users plus a few AD groups from one OU.

I can sign on to the 2nd server using AD credentials, but cannot assign ACL filesystem permissions to AD users or groups.

Have tried uninstalling, reinstalling, upgrading, downgrading, leave AD, join AD, all sorts of things, to no avail. Monkeyed around with kerberos keytabs, ldap config, nsswitch config, krb5 config, samba config, and have only succeeded to make things worse until I bring them back in line with the configuration of the first server.

I need getent to enumerate AD users and groups so I can assign filesystem ACLs.

Did strace -ov getent passwd on both working and non-working systems. Everything matches up until it tries to open a socket on /tmp/.winbindd/pipe - on the working system it returns 0 and continues on to open a socket on /var/lib/samba/winbindd_privileged/pipe and then enumerate the users. On the non-working system it returns -1 ECONNREFUSED and does not continue on to the privileged pipe.

Where should I be looking to resolve this issue? If you would like me to post any log entries or configuration files please let me know.

I have tried upgrading the 2nd server to the latest build, binaries obtained from the OpenSUSE build service for SLES11 X86_64 but had no luck. The idmap setup has changed too much between 3.2.7 and 3.5.4 for me to make much sense of it, and since we have a multi-domain forest, losing the idmap domains directive seemed to make it a crap-shoot as to what domain it tried to enumerate using wbinfo - and getent still failed to enumerate anything. I even tried the idmap_adex module, which looked promising but appears to be on its way out for some reason, but that didn't work for me either. I just need to get what I know should work, to work on more than one server...

I also tried a build of 3.4.3, again from the OpenSUSE build service, with mixed results, before falling back to 3.2.7.

Thanks,
Jim.
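The post above traces the failure to connect() on /tmp/.winbindd/pipe returning ECONNREFUSED. As an added example (not part of the original post, and not Samba code), this Python probe tells a socket file that nobody is accepting on apart from a missing or inaccessible one; the state names and hint texts are this example's own.

```python
import errno
import os
import socket
import stat

# The two socket paths named in the strace description above.
WINBINDD_PIPES = (
    "/tmp/.winbindd/pipe",
    "/var/lib/samba/winbindd_privileged/pipe",
)

# State names are specific to this example; each maps to what it means.
HINTS = {
    "listening": "a process accepted the connection",
    "refused": "socket file exists but nothing is accepting on it "
               "(daemon not running, or a stale file left behind)",
    "missing": "no file at this path; the daemon never created it here",
    "denied": "this user may not reach the socket; check directory and "
              "socket ownership and mode",
    "not-a-socket": "a file of another type occupies the path",
    "error": "stat or connect failed for another reason; see errno",
}


def probe_unix_socket(path, timeout=2.0):
    """Stat a UNIX stream socket, try to connect, and report the outcome."""
    result = {"path": path, "state": "error", "errno": None,
              "mode": None, "uid": None}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        result.update(state="missing", errno="ENOENT")
        return result
    except PermissionError:
        # Typical for a non-root user looking into a 0750 directory.
        result.update(state="denied", errno="EACCES")
        return result
    except OSError as exc:
        result["errno"] = errno.errorcode.get(exc.errno, str(exc))
        return result

    result["mode"] = oct(stat.S_IMODE(st.st_mode))
    result["uid"] = st.st_uid
    if not stat.S_ISSOCK(st.st_mode):
        result["state"] = "not-a-socket"
        return result

    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(path)
        result["state"] = "listening"
    except ConnectionRefusedError:
        # The errno seen in the strace output: the inode is there, but no
        # process has a listening socket bound to it.
        result.update(state="refused", errno="ECONNREFUSED")
    except PermissionError as exc:
        result.update(state="denied",
                      errno=errno.errorcode.get(exc.errno, "EACCES"))
    except OSError as exc:
        result["errno"] = errno.errorcode.get(exc.errno, str(exc))
    finally:
        sock.close()
    return result


def report(paths=WINBINDD_PIPES):
    """Return one formatted line per probed path."""
    lines = []
    for path in paths:
        r = probe_unix_socket(path)
        lines.append("%-42s %-13s %s" % (r["path"], r["state"],
                                         HINTS[r["state"]]))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as the same user whose getent call fails, since access to the privileged pipe directory depends on who is asking.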
Re: [Samba] net ads dns register
On Wed, May 12, 2010 at 6:59 AM, Khaled Blah khaled.b...@googlemail.com wrote:
> I would like to know whether it is possible to select (a) specific IP(s) for a net ads dns register call. The reason for my question is that we have setups with several interfaces, a few of which are internal interfaces but technically they're ethernet interfaces. Adding all those internal interfaces to a Windows AD server leads to the DNS server giving out the wrong IP address.

Use the interfaces = parameter in smb.conf to restrict this.

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
Re: [Samba] winbind ubuntu 9.10 crashing machine
Ack, this message got buried in my mail reader...Thanks for the reply.

My entire smb.conf is included in my original message to the list; I'll paste it again here:

smb.conf
[global]
security = ads
netbios name = casas-lin
realm = CASAS.WSU.EDU
workgroup = CASAS
password server = ad1.casas.wsu.edu
workgroup = CASAS
idmap uid = 1-2
idmap gid = 1-2
idmap backend = rid:CASAS.WSU.EDU=1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%U
template homedir = /net/files/home/%U
template shell = /bin/bash
;client use spnego = yes
domain master = no

Thanks for the help!!

BTW: I tried the ubuntu team, they just ignored me.

--Jim

On Fri, May 14, 2010 at 6:35 AM, Eliel slayer@gmail.com wrote:
> Share the smb.conf of your workstations, let's see what can be done.
>
> Did you change the limit of open files? Did you see any zombie file running in the machine?
>
> As I told before, this is something that you should ask to the ubuntu team. I'm using winbind in Debian workstations, and just work fine. Never crashes. It's running 3 months in a row by now, and counting.
>
> Let's take a peek in what you're doing, and then try to solve your problem.
>
> Regards
>
> On Thu, May 13, 2010 at 2:12 PM, Jim Kusznir jkusz...@gmail.com wrote:
>> Am I the only one experiencing such breaking from winbind? I'm suspicious of whether it actually works at all, and if I can't get it working better real soon now, I'm going to have to ditch it all together. I really can't afford half of my cpu resources tied up in logging messages, or my critical servers crashing once a week due to winbind.
>>
>> I can't believe something this bad would be turned out by the samba team; their stuff is usually top notch. Yet, I've followed all the instructions on the website, I've tried a few different times, I've reformatted and reinstalled my network a couple times, and I've been seeking help, asking people to point out what I'm doing wrong...and it still doesn't work.
>>
>> Any more suggestions? Anyone actually using winbind successfully?
>>
>> --Jim
>>
>> On Tue, May 11, 2010 at 9:10 AM, Jim Kusznir jkusz...@gmail.com wrote:
>>> Some more info:
>>>
>>> On my (working) Ubuntu 9.04 system, it's often consistently at around 50% load, with winbind and syslogd using up that CPU. In /var/log/syslog, I get fairly continuous logging of:
>>>
>>> May 11 09:06:39 casas-thin-serv winbindd[11370]: rpc_api_pipe: host ad1.casas.wsu.edu, pipe \NETLOGON, fnum 0x400f returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
>>> May 11 09:06:39 casas-thin-serv winbindd[11370]: [2010/05/11 09:06:39, 0] rpc_client/cli_pipe.c:rpc_api_pipe(914)
>>>
>>> Authentication and other details work, but this is eating up a lot of CPU and disk space (logs) for nothing...and I'm suspicious that this might be connected to the issue.
>>>
>>> My AD controller (ad1.casas.wsu.edu) is a Win Serv 2008r2 box with the schema set to 2003 (IIRC...I know I did not set it to 2008, as I tried that first, and had lots of breakage). This system is around to serve mostly winbind clients, but 1-3 windows boxes...
>>>
>>> --Jim
Re: [Samba] winbind ubuntu 9.10 crashing machine
It doesn't crash the system, but it doesn't authenticate against winbind, and winbind is still very broke (large quantity of log messages, wbinfo -u don't return, etc).

--Jim

On Tue, May 18, 2010 at 12:07 PM, Chris Smith smb...@chrissmith.org wrote:
> On Thu, May 13, 2010 at 1:12 PM, Jim Kusznir jkusz...@gmail.com wrote:
>> Any more suggestions? Anyone actually using winbind successfully?
>
> What changes if you change:
>
> /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
>
> to:
>
> passwd: compat
> group: compat
>
> ? Does it still crash?
>
> Chris
Re: [Samba] winbind ubuntu 9.10 crashing machine
Oh, note for the does not crash the system, there is one other modification that is required to be made at the same time: I need to remove winbind from the pam.d/* files. In order for the system to boot successfully when winbind is badly broken/crashed, I must simultaneously remove it from nsswitch.conf AND pam.d/*. Only doing one or the other still results in a hung system. Removing it from both allows the computer to be used with local accounts but does not fix winbind; it remains crashed and spews large quantities of log messages, some of which are included at the beginning of this thread.

Thanks!

--Jim

On Tue, May 18, 2010 at 12:59 PM, Jim Kusznir jkusz...@gmail.com wrote:
> It doesn't crash the system, but it doesn't authenticate against winbind, and winbind is still very broke (large quantity of log messages, wbinfo -u don't return, etc).
>
> --Jim
>
> On Tue, May 18, 2010 at 12:07 PM, Chris Smith smb...@chrissmith.org wrote:
>> On Thu, May 13, 2010 at 1:12 PM, Jim Kusznir jkusz...@gmail.com wrote:
>>> Any more suggestions? Anyone actually using winbind successfully?
>>
>> What changes if you change:
>>
>> /etc/nsswitch.conf
>> passwd: compat winbind
>> group: compat winbind
>>
>> to:
>>
>> passwd: compat
>> group: compat
>>
>> ? Does it still crash?
>>
>> Chris
Re: [Samba] winbind ubuntu 9.10 crashing machine
Am I the only one experiencing such breaking from winbind? I'm suspicious of whether it actually works at all, and if I can't get it working better real soon now, I'm going to have to ditch it all together. I really can't afford half of my cpu resources tied up in logging messages, or my critical servers crashing once a week due to winbind.

I can't believe something this bad would be turned out by the samba team; their stuff is usually top notch. Yet, I've followed all the instructions on the website, I've tried a few different times, I've reformatted and reinstalled my network a couple times, and I've been seeking help, asking people to point out what I'm doing wrong...and it still doesn't work.

Any more suggestions? Anyone actually using winbind successfully?

--Jim

On Tue, May 11, 2010 at 9:10 AM, Jim Kusznir jkusz...@gmail.com wrote:
> Some more info:
>
> On my (working) Ubuntu 9.04 system, it's often consistently at around 50% load, with winbind and syslogd using up that CPU. In /var/log/syslog, I get fairly continuous logging of:
>
> May 11 09:06:39 casas-thin-serv winbindd[11370]: rpc_api_pipe: host ad1.casas.wsu.edu, pipe \NETLOGON, fnum 0x400f returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
> May 11 09:06:39 casas-thin-serv winbindd[11370]: [2010/05/11 09:06:39, 0] rpc_client/cli_pipe.c:rpc_api_pipe(914)
>
> Authentication and other details work, but this is eating up a lot of CPU and disk space (logs) for nothing...and I'm suspicious that this might be connected to the issue.
>
> My AD controller (ad1.casas.wsu.edu) is a Win Serv 2008r2 box with the schema set to 2003 (IIRC...I know I did not set it to 2008, as I tried that first, and had lots of breakage). This system is around to serve mostly winbind clients, but 1-3 windows boxes...
>
> --Jim
Re: [Samba] winbind ubuntu 9.10 crashing machine
Some more info:

On my (working) Ubuntu 9.04 system, it's often consistently at around 50% load, with winbind and syslogd using up that CPU. In /var/log/syslog, I get fairly continuous logging of:

May 11 09:06:39 casas-thin-serv winbindd[11370]: rpc_api_pipe: host ad1.casas.wsu.edu, pipe \NETLOGON, fnum 0x400f returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
May 11 09:06:39 casas-thin-serv winbindd[11370]: [2010/05/11 09:06:39, 0] rpc_client/cli_pipe.c:rpc_api_pipe(914)

Authentication and other details work, but this is eating up a lot of CPU and disk space (logs) for nothing...and I'm suspicious that this might be connected to the issue.

My AD controller (ad1.casas.wsu.edu) is a Win Serv 2008r2 box with the schema set to 2003 (IIRC...I know I did not set it to 2008, as I tried that first, and had lots of breakage). This system is around to serve mostly winbind clients, but 1-3 windows boxes...

--Jim
[Samba] winbind ubuntu 9.10 crashing machine
) cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: KDC reply did not match expectations
[2010/05/10 09:12:26, 0] rpc_client/cli_pipe.c:687(cli_pipe_verify_schannel)
  cli_pipe_verify_schannel: auth_len 56.
[2010/05/10 09:12:26, 1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x0721 received from host ad1.casas.wsu.edu!

log-wb-CASAS.old (during crashed state):
[2010/04/19 08:17:23, 1] libsmb/clikrb5.c:697(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_get_credentials failed for a...@casas (Cannot resolve network address for KDC in requested realm)
[2010/04/19 08:17:23, 1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
[2010/04/19 08:17:23, 0] rpc_client/cli_pipe.c:687(cli_pipe_verify_schannel)
  cli_pipe_verify_schannel: auth_len 56.
[2010/04/19 08:17:23, 1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x0721 received from host ad1.casas.wsu.edu!

My configuration

smb.conf
[global]
security = ads
netbios name = casas-lin
realm = CASAS.WSU.EDU
workgroup = CASAS
password server = ad1.casas.wsu.edu
workgroup = CASAS
idmap uid = 1-2
idmap gid = 1-2
idmap backend = rid:CASAS.WSU.EDU=1-2
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
#template homedir = /home/%U
template homedir = /net/files/home/%U
template shell = /bin/bash
;client use spnego = yes
domain master = no

/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CASAS.WSU.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }
 CASAS.WSU.EDU = {
  kdc = ad1.casas.wsu.edu
  admin_server = ad1.casas.wsu.edu
  kdc = ad1.casas.wsu.edu
 }
 CASAS = {
  kdc = ad1.casas.wsu.edu
  admin_server = ad1.casas.wsu.edu
  kdc = ad1.casas.wsu.edu
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 casas.wsu.edu = CASAS.WSU.EDU
 .casas.wsu.edu = CASAS.WSU.EDU

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

/etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_winbind.so
account required pam_krb5.so minimum_uid=1000

/etc/pam.d/common-auth
auth [success=3 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

/etc/pam.d/common-password
password requisite pam_winbind.so
password requisite pam_krb5.so minimum_uid=1000 use_authtok
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Thanks!

--Jim
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a22f03e... Display an error on net conf import failures. from 6bf4dbb... s4-smbtorture: add spoolss DriverInfo and winreg consistency test. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a22f03e02c99c78642978c8e7a06ae92f97ad41f Author: Jim McDonough j...@samba.org Date: Tue Apr 20 16:28:47 2010 -0400 Display an error on net conf import failures. When something goes wrong, such as a typo in a parameter name, we'll now display the failure instead of just returning with -1 and no message. --- Summary of changes: source3/utils/net_conf.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/utils/net_conf.c b/source3/utils/net_conf.c index 67e3c85..1fc07e1 100644 --- a/source3/utils/net_conf.c +++ b/source3/utils/net_conf.c @@ -229,6 +229,9 @@ static WERROR import_process_service(struct net_context *c, service-param_names[idx], service-param_values[idx]); if (!W_ERROR_IS_OK(werr)) { + d_printf(Error in section [%s], parameter \%s\: %s\n, +service-name, service-param_names[idx], +win_errstr(werr)); goto done; } } -- Samba Shared Repository
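Review bot: In import_process_service, the new message is written with d_printf, so a failed import reports on stdout and the format string is not wrapped in _() for translation. Send it to stderr and mark it translatable, i.e. d_fprintf(stderr, _(...)), so that anything capturing the command's normal output does not get the error text mixed in.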
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 61bdffb... Fix i18n of net conf import error message. from a22f03e... Display an error on net conf import failures. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 61bdffbf8e6789e7fbac3f0432840059fe98ab17 Author: Jim McDonough j...@samba.org Date: Tue Apr 20 17:45:06 2010 -0400 Fix i18n of net conf import error message. Thanks gd --- Summary of changes: source3/utils/net_conf.c |7 --- 1 files changed, 4 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/utils/net_conf.c b/source3/utils/net_conf.c index 1fc07e1..6fc03bf 100644 --- a/source3/utils/net_conf.c +++ b/source3/utils/net_conf.c @@ -229,9 +229,10 @@ static WERROR import_process_service(struct net_context *c, service-param_names[idx], service-param_values[idx]); if (!W_ERROR_IS_OK(werr)) { - d_printf(Error in section [%s], parameter \%s\: %s\n, -service-name, service-param_names[idx], -win_errstr(werr)); + d_fprintf(stderr, + _(Error in section [%s], parameter \%s\: %s\n), + service-name, service-param_names[idx], + win_errstr(werr)); goto done; } } -- Samba Shared Repository
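Review bot: The log message says only "Fix i18n", but the replacement call in import_process_service also moves the output from d_printf to d_fprintf(stderr, ...), which changes where callers see the error. Mention the stdout-to-stderr change in the commit message so that anyone tracking down a script that read the old output can find it.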
[Samba] Winbind home directory not resolving properly
Hi all: I've got an issue on one of my winbind-configured systems. I've got it configured per instructions found on one of Ubuntu's forum sites. I've configured two 9.10 systems; one works perfectly. I've copied most of the files over to the non-working system; they are configured identically as far as I can tell.

On both systems, wbinfo -u/-g, getent passwd, and ssh login work fine. On the working one, I can also log in via gdm/gnome and use ~adusername in paths in the terminal. In the non-working one, the ~adusername is unknown (although ~localuser works fine), and gnome sessions blow up in a big way (dbus errors, which I think are related to the first problem).

I'm relatively familiar with the system authentication and account system, and as getent passwd shows the full, proper password file (complete with valid user home directories that I can cut and paste and have work fine), I don't understand why the ~aduser expansions are not working.

This problem has now been kicking my butt for over a week now, and I'm starting to catch some serious flack for it. Any help would be appreciated! Any ideas?

--Jim
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via a0e2632... s3: vfs_smb_traffic_analyzer.c: add VFS functions for file open and close
via f6ae16e... smb_traffic_analyzer.c: optimize marshalling function and document
via 002193d... vfs_smb_traffic_analyzer.c: added function static char *smb_traffic_analyzer_anonymize
via c1fb55c... Simplify the code a bit by creating the functions: smb_traffic_analyzer_encrypt - doing the encryption of a data block, smb_traffic_analyzer_create_header - create the protocol header, smb_traffic_analyzer_write_data - actually write the data to the socket.
via 56dfc09... Update the manpage of vfs_smb_traffic_analyzer and add smbta-util.
via 69d7d6c... Add the number of common data blocks to the protocol.
via 4940da2... Put all the protocol stuff into a separate header file.
via 5b7179d... Add smbta-util to manage the encryption key.
via 6437df7... Implement AES encryption of the data block.
via 3f5f2d8... Implement anonymization for protocol v2.
via b745730... Make all remarks compatible to the linux kernel coding styleguide.
via 81c6b87... Added an exact description of the V2 protocol. I don't think it should have its place in the man page, because this is developer information.
via a45db59... Move the creation of the header.
via 9702dcf... Fetch the SID of the user we are running as and send with the common data.
via 654cff4... Additionally send the vfs function id with the protocol.
via 27f4f51... According to the linux kernel coding styleguide, it's better to align the switch and its case statements in the same column. This saves us one indentation level.
via cdd1906... Don't use typedefs on the VFS function data structures as typedefs are evil according to the linux kernel coding styleguide.
via 8cb5bac... Add read,pread,write,pwrite support to the V2 protocol.
via 541fb43... Enable AES encryption of the data if a key was found in secrets.tdb.
via 7bff1ea... Add rmdir, chdir, and rename as supported VFS functions
via e959bdc... The format of data we are sending over the network will be flexible when sending over the network in protocol v2. To be able to do this, we create a new va-list function that is creating the buffer to send. Also it makes it easier for the receiver to parse the data; it sends an initial header containing the full length of the buffer to be sent. For the individual strings, it sends sub headers containing the length of the upcoming substring to be sent. With the header-data-header-data [..] structure we don't need to quote the sub strings finally enabling having all possible character sets in filenames etc.
via dcff7d3... Create structs carrying the data of individual VFS functions, and hand those over to the send function, which then casts the void pointer to the struct required by looking at the id. This allows us to return different result data depending on the VFS function that is running. Make the protocol v1 sender compatible to this. Adapt the existing VFS functions to use the new data structures. Make use of the new functionality and extend the mkdir VFS logger function to return the creation mode additionally.
via 2a643ef... Introduce smb_traffic_analyzer protocol v2.
from 8353aa3... s4:idl change level to type in lsa_ForestTrustRecord.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit a0e2632e119c2e3e086cd485d448b44836c1499b
Author: Holger Hetterich hhet...@novell.com
Date: Mon Feb 15 17:47:30 2010 +0100

s3: vfs_smb_traffic_analyzer.c: add VFS functions for file open and close

commit f6ae16e318145224cc38180628e542bb3fc6bb8c
Author: Holger Hetterich hhet...@novell.com
Date: Sun Feb 7 20:39:58 2010 +0100

smb_traffic_analyzer.c: optimize marshalling function and document

Collect all data that is needed, and use only one talloc_asprintf operation to create the string of common data. This simplifies the code a bit and is most probably faster than the old method. Also, #define SMBTA_COMMON_DATA_COUNT as a complete string, speeding things up because we know the value at compile time.

commit 002193d34bc9ff385a866af2d39ed713a5bef1bf
Author: Holger Hetterich hhet...@novell.com
Date: Sat Feb 6 11:36:14 2010 +0100

vfs_smb_traffic_analyzer.c: added function static char *smb_traffic_analyzer_anonymize

This takes a lot of code out of the main functions, and makes it a bit simpler. Do the anonymization in a function. Since we already anonymized the username we don't need to do this a second time in the v2 marshalling function.

commit c1fb55caa5bfc079bda6a6ef98ee591800789778
Author: Holger Hetterich hhet...@novell.com
Date: Thu Feb 4 22:03:53 2010 +0100

Simplify the code a bit by
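The header-data-header-data framing described in commit e959bdc above, seen from the receiving side, as an added example (not code from Samba or from that commit). The page does not give the actual v2 layout, so the 4-digit ASCII length headers and the names read_len, parse_fields and struct field are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (hypothetical, not the real v2 wire format): 4 ASCII digits
 * give the length of all that follows; each field is then 4 ASCII digits
 * (its length) followed by that many raw bytes. */
#define LEN_DIGITS 4

/* data points into the received buffer and is not NUL-terminated */
struct field { const char *data; size_t len; };

/* Read exactly LEN_DIGITS decimal digits; -1 on short input or a non-digit. */
static long read_len(const char *p, size_t avail)
{
    long v = 0;
    size_t i;

    if (avail < LEN_DIGITS)
        return -1;
    for (i = 0; i < LEN_DIGITS; i++) {
        if (p[i] < '0' || p[i] > '9')
            return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Split buf into fields. Returns the field count, or -1 when the buffer is
 * malformed: bad digits, a total that disagrees with the bytes received, a
 * field length that overruns the buffer, or more fields than out[] holds. */
static int parse_fields(const char *buf, size_t buflen,
                        struct field *out, size_t max_fields)
{
    long total = read_len(buf, buflen);
    size_t pos = LEN_DIGITS, n = 0;

    if (total < 0 || (size_t)total != buflen - LEN_DIGITS)
        return -1;
    while (pos < buflen) {
        long flen = read_len(buf + pos, buflen - pos);
        if (flen < 0 || n == max_fields)
            return -1;
        pos += LEN_DIGITS;
        if ((size_t)flen > buflen - pos)
            return -1;
        out[n].data = buf + pos;
        out[n].len = (size_t)flen;
        pos += (size_t)flen;
        n++;
    }
    return (int)n;
}

/* Constructed sample: user "alice", then a file name with a comma and quotes. */
static const char sample[] = "00220005alice0009a,\"b\".txt";

int main(void)
{
    struct field f[4];
    int i, n = parse_fields(sample, sizeof(sample) - 1, f, 4);
    for (i = 0; i < n; i++)
        printf("%d: %.*s\n", i, (int)f[i].len, f[i].data);
    return n == 2 ? 0 : 1;
}
```

Because every field carries its own length, the quoted file name passes through unescaped, and every length is checked against the bytes actually received before it is used.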
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9447f86... Don't exit(0) on error from a0e2632... s3: vfs_smb_traffic_analyzer.c: add VFS functions for file open and close http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9447f863d281809a752836da8136eeae89c00353 Author: Jim McDonough j...@samba.org Date: Tue Mar 16 09:58:34 2010 -0400 Don't exit(0) on error --- Summary of changes: source3/utils/smbta-util.c |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/utils/smbta-util.c b/source3/utils/smbta-util.c index 13686ae..8ce8fa5 100644 --- a/source3/utils/smbta-util.c +++ b/source3/utils/smbta-util.c @@ -56,7 +56,7 @@ static void create_keyfile(char *filename, char *key) keyfile = fopen(filename, w); if (keyfile == NULL) { printf(error creating the keyfile!\n); - exit(0); + exit(1); } fprintf(keyfile, %s, key); fclose(keyfile); @@ -75,13 +75,13 @@ static char *load_key_from_file(char *filename) keyfile = fopen(filename, r); if (keyfile == NULL) { printf(Error opening the keyfile!\n); - exit(0); + exit(1); } l = fscanf(keyfile, %s, key); if (strlen(key) != 16) { printf(Key file in wrong format\n); fclose(keyfile); - exit(0); + exit(1); } return key; } -- Samba Shared Repository
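Review bot: In create_keyfile, the file that receives the key is opened with fopen in write mode, so it is created with whatever permissions the caller's umask allows, and the results of fprintf and fclose are not checked. Since this path is being touched for error handling anyway, create the file with owner-only permissions (open with mode 0600, then fdopen), exit(1) when the write or close fails, and print the error to stderr rather than with printf.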
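Review bot: In load_key_from_file, the fscanf %s conversion has no field width and its return value l is never tested, so a key file with a long first token writes past key, and an empty file leaves key unset before strlen(key) runs. Give the conversion a width that matches the size of key, treat l != 1 as the wrong-format case with exit(1), and close keyfile on the success path as well, which currently returns without fclose.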
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 287304e... Update copyright from c91afe9... security.idl - push generated code diff http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 287304e59eb4f83dd052642d35cf3a7d4e05067a Author: Jim McDonough j...@samba.org Date: Tue Mar 16 10:04:51 2010 -0400 Update copyright --- Summary of changes: source3/modules/vfs_smb_traffic_analyzer.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_smb_traffic_analyzer.c b/source3/modules/vfs_smb_traffic_analyzer.c index f454c45..0db3848 100644 --- a/source3/modules/vfs_smb_traffic_analyzer.c +++ b/source3/modules/vfs_smb_traffic_analyzer.c @@ -2,7 +2,7 @@ * traffic-analyzer VFS module. Measure the smb traffic users create * on the net. * - * Copyright (C) Holger Hetterich, 2008 + * Copyright (C) Holger Hetterich, 2008-2010 * Copyright (C) Jeremy Allison, 2008 * * This program is free software; you can redistribute it and/or modify -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f989410... Fix developer build, remove malloc from 2bdece1... kerberos - set the memory to 0s before freeing the password to prevent security issues http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f98941033ddbf79a18f24d81f44aba05366874fe Author: Andreas Schneider a...@redhat.com Date: Tue Mar 16 13:27:00 2010 -0400 Fix developer build, remove malloc --- Summary of changes: source3/utils/smbta-util.c | 18 +++--- 1 files changed, 7 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/utils/smbta-util.c b/source3/utils/smbta-util.c index 8ce8fa5..8ce87b3 100644 --- a/source3/utils/smbta-util.c +++ b/source3/utils/smbta-util.c @@ -67,10 +67,9 @@ static void create_keyfile(char *filename, char *key) * Load a key from a file. The caller has to free the * returned string. */ -static char *load_key_from_file(char *filename) +static void load_key_from_file(char *filename, char *key) { FILE *keyfile; - char *key = malloc(sizeof(char) * 17); int l; keyfile = fopen(filename, r); if (keyfile == NULL) { @@ -83,7 +82,6 @@ static char *load_key_from_file(char *filename) fclose(keyfile); exit(1); } - return key; } static void create_file_from_key(char *filename) @@ -102,9 +100,8 @@ static void create_file_from_key(char *filename) * Generate a random key. The user has to free the returned * string. */ -static char *generate_key() +static void generate_key(char *key) { - char *key = malloc(sizeof(char)*17); int f; srand( (unsigned)time( NULL ) ); for ( f = 0; f 16; f++) { 
@@ -112,22 +109,22 @@ static char *generate_key() } *(key+16)='\0'; printf(Random key generated.\n); - return key; } static void create_new_key_and_activate( char *filename ) { + char key[17] = {0}; + if (!secrets_init()) { printf(Error opening secrets database.); exit(1); } - char *key = generate_key(); + generate_key(key); delete_key(); secrets_store(smb_traffic_analyzer_key, key, strlen(key)+1 ); printf(Key installed, encryption activated.\n); create_file_from_key(filename); - free(key); } static void delete_key() @@ -146,10 +143,10 @@ static void delete_key() static void load_key_from_file_and_activate( char *filename) { - char *key; + char key[17] = {0}; char *akey; size_t size; - key = load_key_from_file(filename); + load_key_from_file(filename, key); printf(Loaded key from %s.\n,filename); akey = (char *) secrets_fetch(smb_traffic_analyzer_key, size); if (akey != NULL) { @@ -158,7 +155,6 @@ static void load_key_from_file_and_activate( char *filename) } printf(Installing the key from file %s\n,filename); secrets_store(smb_traffic_analyzer_key, key, strlen(key)+1); - free(key); } static void process_arguments(int argc, char **argv) -- Samba Shared Repository
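Review bot: load_key_from_file now fills a buffer owned by the caller but takes no length, and the comment above it still says the caller has to free the returned string. Pass the buffer size alongside key (the callers here use char key[17]) so the function can bound what it reads, and update the comment to match the void return; the same stale wording remains above generate_key.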
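Review bot: In generate_key, the context line srand( (unsigned)time( NULL ) ) shows the key being drawn from a generator seeded with the current second, so the key is only as unpredictable as its creation time. While this function is being reworked, fill the 16 key characters from the operating system's cryptographic random source instead of a time-seeded generator.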
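Review bot: In create_new_key_and_activate and load_key_from_file_and_activate, the key now sits in char key[17] on the stack and is left there when the function returns. Zero the array once secrets_store has been called, in line with the preceding commit on this branch that sets the Kerberos password memory to 0s before freeing it.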
Re: [Samba] Samba 3.5 slow. Help with benchmarks !
I get about 51MB/sec over my gigabit LAN, serving from Samba 3.4.0 on Ubuntu Karmic amd64 to smbclient 3.3.6 on FreeBSD 7.3-R amd64.

5tb# smbclient -I 192.168.0.20 -U user //192.168.0.20/share -c get 1G.bin
Enter user's password:
Domain=[BANSHEE] OS=[Unix] Server=[Samba 3.4.0]
getting file \1G.bin of size 1073741824 as 1G.bin (50717.1 kb/s) (average 50717.1 kb/s)

For comparison, the same transfer gets 54.8 MB/sec by FTP (using pure-ftpd on the Ubuntu Karmic machine and wget on the FreeBSD 7.2-R machine). CIFS is a lot heavier than FTP, so this probably represents as good as it's going to get on this particular network. (And your gigabit network may very well be faster than mine - mine's all cheap off-the-shelf SOHO parts.)

Miguel Medalha wrote:

Can you show me, how yours SAMBA work in Gigabit LAN ? What speeds ?

I can't measure them right now but I can tell you that I have 2 networks consisting of Samba Domain Controllers serving only Windows clients and the network speeds are very high. One of the networks is dedicated to Desktop Publishing and the InDesign pages coming from the Linux/Samba server appear on the Windows clients' screens like a sudden explosion. Very fast indeed.

Please, when you can measure - show me results. My network is 15 linux nodes (small render farm) 1 Linux desktop, 8-10 Windows clients. (also Windows 7 - this because i use samba 3.5.1 - windows 7 domain clients can authorize on SAMBA server only with 3.5 SAMBA) I want to look what SAMBA can do.
[Samba] folder permissions with Windows client, Samba server
Hi list - I've been using Samba since 2.x in the early 2000's, and a papercut I had eight years ago still plagues me today - when anyone on a Windows client right-clicks a folder on a Samba share and tries to view or change its permissions, it doesn't work right. The folder appears to have no permissions enabled for owner, group, or world (regardless of what the permissions actually are - and in fact, the Windows user can modify the folder or files in it without difficulty). Worse, if the Windows user attempts to SET permissions on the folder, the folder will end up with a completely different (and generally completely unusable) set of permissions; chmod 700 and chown root, if I recall correctly - so then the hapless user who tried to set permissions on a folder that he or she could access just fine is locked out of that folder completely until someone shells into the Samba server and resets permissions from the command line. I have seen this exact behavior on Samba 2.x / FreeBSD 4.x, 5.x, and 6.x, both with and without ACLs enabled on the underlying filesystem, and just this week when I set up a Samba 3.4.0 server from the Ubuntu 9.10 repositories, successfully joined it to a Windows 2003 domain with Kerberos working and Winbind mapping UIDs and GIDs properly... I STILL had the problem with the Windows GUI for setting folder permissions not mapping correctly! Is this something I just have to live with, or is there something I don't understand about configuring Samba that would avoid this issue? 
The smb.conf for the Ubuntu server I mentioned just now is unchanged from the default conf file shipping from the repository, with these exceptions:

### Authentication ###
security = ads
realm = DOMAIN.LOCAL
password server = 192.168.1.20
# note that workgroup is the 'short' domain name
workgroup = DOMAIN
# winbind separator = +
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2

[smbshare]
comment = root of the Samba-accessible data storage
read only = no
writeable = yes
path = /data/smbshare
guest ok = no