Re[2]: [Samba] NUA + MYSQL?
At 09:01 13/04/2004, you wrote:

> Here is an idea.. why don't you map your users to the nobody or guest account ?? (is this possible ??) so all users are guests... dunno how to do it, but would be a nice work around..

That won't work. However, there's a pseudo-NUA workaround: use MySQL-NSS to provide UIDs/GIDs for your user accounts (and groups too!), set shell=/bin/false.

I am doing precisely the same with LDAP. No need for /etc/passwd or /etc/shadow entries at all.. and you can share the information between several machines (FileServers only -- you can't have multiple synchronized DCs with MySQL -- use LDAP for that )

Hint: you do need a home directory, which you'll probably want different for each user ( something along the lines of /home/sambausers/myvirtualuser would do ), and machines too ( /home/sambamachines or /tmp will do )

John Terpstra: you might be interested in adding this (maybe a bit more elaborated) as a recipe in the SaMBa HOWTO Collection / your book. I wouldn't mind providing a more complete explanation if you think it could possibly be interesting.

Regards, J.L.

-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
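A check for the workaround described in the message above, added here as an example and not part of the original post: it audits passwd-format entries, as `getent passwd` would return them from an NSS backend, for the properties the post relies on (no local /etc/passwd entry, shell set to /bin/false or an equivalent non-login shell, a per-user home directory). The function names, the UID 0 check and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit NSS-provided Samba accounts (passwd format on stdin).
# All account data below is constructed; nothing here comes from the post.

# Constructed sample of what `getent passwd` might return from the backend.
sample_entries() {
cat <<'EOF'
alice:x:10001:10001:Alice:/home/sambausers/alice:/bin/false
bob:x:10002:10001:Bob:/home/bob:/bin/bash
ws01$:x:20001:20000:Machine:/tmp:/bin/false
svc:x:0:0:Service:/home/sambausers/svc:/bin/false
EOF
}

# audit_virtual_accounts LOCAL_PASSWD HOME_PREFIX  < passwd-format entries
# Prints one "name: finding" line per problem, nothing when all is well.
audit_virtual_accounts() {
    local_passwd=$1
    home_prefix=$2
    while IFS=: read -r name _pw uid _gid _gecos home shell; do
        [ -n "$name" ] || continue
        # The workaround assumes the account exists only in the NSS backend.
        if awk -F: -v n="$name" '$1 == n { f = 1 } END { exit !f }' \
               "$local_passwd" 2>/dev/null; then
            echo "$name: also defined in local passwd file"
        fi
        # A UID 0 entry in a shared directory is root on every file server.
        if [ "$uid" = "0" ]; then
            echo "$name: UID 0 served by NSS backend"
        fi
        # Interactive logins must not be possible.
        case "$shell" in
            /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
            *) echo "$name: login shell '$shell'" ;;
        esac
        # Machine accounts (trailing $) may share a directory such as /tmp;
        # user accounts need their own home under the chosen prefix.
        case "$name" in
            *\$) ;;
            *) case "$home" in
                   "$home_prefix"/?*) ;;
                   *) echo "$name: home '$home' outside $home_prefix" ;;
               esac ;;
        esac
    done
    return 0
}

# Demo run against the constructed sample and the local passwd file.
sample_entries | audit_virtual_accounts /etc/passwd /home/sambausers
```

On a live server, replace `sample_entries` with `getent passwd` filtered to the UID range the backend serves.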
[Samba] Is anybody else having trouble with domain joins?
Hi all.

We have a setup with a Samba PDC ( Samba-3.0.0beta1, Linux Kernel 2.4.22-xfs ), LDAPSAM ( OpenLDAP 2.1.22 ). Everything seems to be fine, however we are afraid we can get in trouble because of bugs which have been recently fixed in releases up to RC3, especially panics in multibyte conversion routines.

Upgrading to RC2 had the undesirable effect of making every attempt to join a computer to the domain result in a could not locate user error. Downgrading to beta1 returned the behaviour to normal.

Does anybody else have this problem? Suggestions, comments, whatever? If the answer is no, I shall file a bug in Bugzilla, with as much info as I can provide.

Thanks in advance.

Best, J.L.
[Samba] RC2: Cannot join domain
We've been working with Samba for the last years. Most ( if not all ) of it has worked as documented. Stability is much better than M$ Windows' and it is roughly an order of magnitude better on the same hardware ( you can add this to your customer quotes, Jerry ;) )

We have recently upgraded to RC2 from beta2, and we found this behaviour: while the File Server functions work perfectly well ( as always ), we have lost the ability to join machines to the domain, which get rejected with username not found message. Using LDAP backend.

We did a quite big test yesterday, where we joined 32 machines to the domain, and we only succeeded using smbpasswd backend. LDAP backend wouldn't let us join machines to the domain. We suspected a corrupted installation or defective hardware...

A couple hours before we had upgraded our main domain controllers to RC2 and everything seemed to work fine... until this morning, when we needed to join a machine to this domain. It has all worked flawlessly for the last two months, with big sustained workloads.

So.. What changed in RC2 which has to do with domain joining? Release notes do not show anything relevant ( or so it seems ). Anything needs to change in SMB.CONF and/or the LDAP DIT, or we just found a bug?

Hardware: Dell 2600SC, 2xXeon 2.4GHz, 1GB ECC DDRAM, very recently purchased
Software: Debian Woody base, Samba3.0.0beta2+3.0.0rc2-1 and OpenLDAP 2.1.22-1 from Sid, plus their dependencies.
Clients: W2K and WXP Pro, plus some NT4 ( not relevant )

Note: we have an administrator account with UID 0, Primary group SID DOMAIN-544, member of group with SID DOMAIN-512 ( both mappings checked with net groupmap )

--8 smb.conf 8--
[global]
workgroup = CNSR
server string = Servidor (%h)
;netbios name = SERVIDOR
load printers = no
; printing = bsd
; printcap name = /etc/printcap
; printing = cups
; printcap name = cups
; guest account = nobody
invalid users = root
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 0
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost, tdbsam, guest
algorithmic rid base = 1000
ldap suffix = dc=,dc=xxx
ldap admin dn = uid=samba,ou=daemons,dc=recuerdo,dc=net
ldap delete dn = no
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=machines
ldap filter = (uid=%u)
idmap only = no
idmap backend = winbind
ldap idmap suffix = ou=idmap,ou=samba,dc=recuerdo,dc=net
winbind use default domain = yes
idmap uid = 5-55000
idmap gid = 5-55000
#winbind separator = +
username map = /etc/samba/smbusers
; include = /home/samba/etc/smb.conf.%m
socket options = TCP_NODELAY
local master = yes
os level = 20
domain master = yes
preferred master = auto
wins support = no
dns proxy = no
name resolve order = lmhosts host wins bcast
; preserve case = yes
; short preserve case = yes
; unix password sync = true
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword :* %n\n .
pam password change = no
; message command = /bin/sh -c '/usr/bin/linpopup %f %m %s; rm %s'
obey pam restrictions = no
domain logons = yes
logon script = netlogon.bat
logon drive = H:
logon path = \\%L\Profiles\%u
panic action = /usr/share/samba/panic-action %d

#=== Share Definitions ===

[homes]
comment = Home Directories
browseable = no
writeable = yes
read only = no
csc policy = disable
force create mode = 0640
force directory mode = 2750

[netlogon]
comment = Network Logon Service
path = /profiles/netlogon
guest ok = yes
writable = no
share modes = no

[Profiles]
comment = Directorio de perfiles
path = /profiles
browseable = no
guest ok = yes
writeable = yes
;nt acl support = no
profile acls = yes
create mask = 0600
directory mask = 0700
[Samba] Re: RC2: Cannot join domain (more info)
At 12:47 10/09/2003 +0200, you wrote:

> We have recently upgraded to RC2 from beta2, and we found this behaviour: while the File Server functions work perfectly well ( as always ), we have lost the ability to join machines to the domain, which get rejected with username not found message. Using LDAP backend.

It seems it was beta1 it worked with: We managed to downgrade to beta1 ( by overwriting smbd and nmbd with the binaries from a machine with beta1-1, since we can't find the binaries for beta1 in the mirrors ). Beta1 worked joining the machines to the domain at first try.

Is there any additional info I can provide so that this issue can be tracked down?

Thanks in advance again!

Regards, J.L.
[Samba] Problem with ACLs/Samba-3.0.0-beta1
I have installed Samba-3.0 beta1 and accomplished a migration from a W2k mixed mode DC. Except for some trouble with winbind, which I solved by hacking a bit in the LDAP directory ( manually assigning UIDs and GIDs ), everything is fine now. Thanks Samba Team for a good work, keep improving ;)

A couple of weeks ago I asked about ACL support, and was answered that full control was given by an RWX entry in ACLs. Today, while changing permissions on a file, we have verified that the capability of giving permission to others over a file is restricted to that file's owner ( I was told otherwise ).

System: Debian GNU/Linux 3.0 Woody + some packages from SID
Kernel: Linux-2.4.21 + LVM1.0.7 + xfs1.2
Samba: Samba-3.0.0.beta1-2 from Debian's 'unstable'
LDAP: OpenLDAP-2.1.21 from Debian's 'unstable'

Additional info: setfacl and getfacl work properly, changing permissions from windows' Security Tab works provided the user changing them is the object's owner.

Question 1: How can I make some user have full control over a directory or a file ( from the Windows side, if possible ) ? I can just chown from the Linux side and let the user do things, but that user won't be able to delegate full control to another user without my intervention :-|

Question 2: Is there any workaround for this? Plans to implement it ?

Any information on this would be much appreciated. I was told there was a patch for Samba-2.2.x that implemented full NT semantics for Samba, but it has not been ported to Samba-3 (yet?).

Thanks in advance.

Best, J.L.
[Samba] Some rough edges with Samba-3.0.0beta1
Hi,

I am testing Samba-3.0.0.beta1, which we will use to migrate our Win2000 domain ( at last ;) )

* things done:
- Configured LDAP + permissions
- Configured Samba. pdbedit -a already creates users in LDAP ( objectclass: account; objectclass: sambaSamAccount )

* observed problems: ( might be due to some error on my part, please explain in that case )
- idmap backend = ldap:ldap://localhost makes pdbedit segfault ( with every option, especially -L ). Level 4 debugging shows it is stopping right after parsing smb.conf ( currently working with idmap backend = )
- idmap backend = winbind does not work
- pdbedit -i tdbsam -e ldapsam -g does not export builtin groups to LDAP. Shall I create them by hand? Which objectclass shall I use?
- pdbedit -L -g does not list *any* group
- pdbedit -L -g -b tdbsam does list builtin groups.
- wbinfo -u times out, unable to return anything ( We did not supply -Ausername%password is that needed? in that case which user? privileges? )

We are attempting to use NUA. Can switch to POSIX users/groups in LDAP if necessary.

Please, ask for any additional information needed. I will be glad to provide it and help test/debug this thing.

Thanks in advance.

Regards, J.L.

--- Configuration:
System: DELL 2600: 2 x Xeon2.4GHz, 1GB ECC DDR RAM, SCSI disks
OS: Debian GNU/Linux 3.0 Woody + packages from Sid; Kernel: Linux-2.4.21-xfs
Samba from Debian's package: samba-3.0.0.beta1-1, from official repository

8 smb.conf snippet -
passdb backend = ldapsam:ldap://localhost, guest
algorithmic rid base = 1000
ldap suffix = dc=recuerdo,dc=net
ldap admin dn = uid=samba,ou=daemons,dc=recuerdo,dc=net
ldap delete dn = no
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=machines
ldap filter = (uid=%u)
idmap only = no
#idmap backend =
idmap uid = 1-4
idmap gid = 1-4
[Samba] Fwd: Segfault in Samba
I have been forwarded this from one of our servers, which we have recently ( 2 days ) updated to Samba 3.0beta1 (Debian's 'unstable' package) from Samba 2.2.8a

This is the second time this happens in a period of 24h. Everything else in this server is working fine.

Any comment on this? Is this a known limitation / situation ?

Thanks in advance.

J.L.

8 8

The Samba 'panic action' script, /usr/share/samba/panic-action, was called for pid 21241 (/usr/sbin/smbd).

Below is a backtrace for this process generated with gdb, which shows the state of the program at the time the error occured. You are encouraged to submit this information as a bug report to Debian. For information about the procedure for submitting bug reports , please see http://www.debian.org/Bugs/Reporting or the reportbug(1) manpage.

(no debugging symbols found)...(no debugging symbols found)...
0x40245b89 in wait4 () from /lib/libc.so.6
#0 0x40245b89 in wait4 () from /lib/libc.so.6
#1 0x402b9000 in sys_sigabbrev () from /lib/libc.so.6
#2 0x401e8712 in strtold_l () from /lib/libc.so.6
#3 0x401e8815 in system () from /lib/libc.so.6
#4 0x0817da35 in smb_panic ()
#5 0x0816f256 in dbgtext ()
#6 0x401d29d8 in sigaction () from /lib/libc.so.6
#7 0x4021677a in mallopt () from /lib/libc.so.6
#8 0x40215467 in realloc () from /lib/libc.so.6
#9 0x0817ce91 in Realloc ()
#10 0x080c4ce6 in asn1_write ()
#11 0x080c4d62 in asn1_write_uint8 ()
#12 0x080c4f23 in asn1_write_OID ()
#13 0x080c4afd in spnego_gen_auth_response ()
#14 0x0809d14f in reply_getattrE ()
#15 0x0809d39d in reply_getattrE ()
#16 0x0809d709 in reply_getattrE ()
#17 0x0809e1b8 in reply_sesssetup_and_X ()
#18 0x080b535d in respond_to_all_remaining_local_messages ()
#19 0x080b5553 in respond_to_all_remaining_local_messages ()
#20 0x080b5700 in process_smb ()
#21 0x080b61c8 in smbd_process ()
#22 0x081d2043 in main ()
#23 0x401c1a51 in __libc_start_main () from /lib/libc.so.6
Re: [Samba] Full wNT/w2K ACL conformance
I hate to reply myself, but since no one answered ...

We are planning to replace a quite big domain running W2K with Samba ( at the very least, the DC ). Though I'd love to have the extra security capabilities of W2K ( Kerberos ) as a DC, Samba/NT4 as PDC/BDC with ldapsam will more than suffice for now.

The show-stopper right now is this: we need to be able to assign real Full Control permissions: a user who has Full control on a directory should be able to Read, Write, eXecute ( of course) [ this can be easily achieved with ACLs ] *plus* being able to give away Full Control to other users too [ being able to override inherited ACLs would be a plus, too ].

Is this feasible (remember smbd runs as root... )? Has somebody thought about implementing this ?

Seems like every implementation of ACL comes together with Extended Attributes support ( at least Ext2/ext3, XFS, ReiserFS ). Any exceptions ? How about using one EA to map some Windows' attributes ? Full Control, Archive ( though it can be emulated through ctime/atime/mtime ), Change Only, come in a first pass over this.

I thought that maybe coding a wrapper around SecLib could achieve this. Being quite fluent in C/C++ both in Un*x as well as Win32 I don't mind coding whatever tool is needed to achieve this, provided it is indeed possible. If not, some suggestions/comments ( or even an approximate timeline for implementation! ) would be more than welcome.

Any comments on this??

Thanks in advance everybody. Keep the good work, Samba Team!

Kind regards, J.L.
Re: [Samba] Calculating file size.
At 17:13 18/06/2003 +0100, you wrote:

> Hello! As it happens I am having some real nightmares with this too. Using NETGEAR ND520 NAS devices [Yes! I know - rod for own back...] But the fact it is a Linux device sold me ahead of a W2K Appliance [snip]

If those S-O-D figures are real ( I mean, W2K is not making them up ), you'd rather use ReiserFS for your Linux Samba server -- it would save you *tons* of disk

> Sure, I'll be obsoleting these NAS soon but my plan was to build a custom Linux Samba server to handle the task. Now I'm not so sure

Why ?

> -DG IT Manager ISV
Re: [Samba] which one is better samba or
At 23:50 16/06/2003 +0200, Arnold wrote:

> hi, do somebody tell me, where i could find information about samba restrictions compared with Windows Server. I'm trying to prepare a paper for school, which describe a comparison between samba and Windows Server. I heard for example, that
> 1-Samba is not adapted for great nets?

Just as NT4 is.

By the way, I have just had *quite a bit* of trouble with W2000 in a not-so-big network, where Active Directory got completely corrupted because of a malfunction in the domain master. Since formats and protocols in the Windoze world are mostly proprietary and you only have the tools M$ thought you might need to deal with that situation, we have _no way_ to solve the problem, other to rebuild the *entire* directory: user accounts, groups, machine trust accounts, forest structure ...

With Samba, however, we could have simply dumped the LDAP directory to disk, made some modifications if needed, clean the directory and reload data as if new... everything would have been fully functional back again.

> 2-Samba has not a system management server like windows?

You need that for under Un*x ???

> 3-Remote Procedure Calls (RPCs) has been not yet implemented and this make difficulties to management of Samba in Nets??

They *are* implemented for domain joining/leaving, authentication, remote printing, printer driver upload/download, ...

> I'm appreciated for your help
> arn

J.L
[Samba] Full wNT/w2K ACL conformance
We are planning to replace a quite big domain running W2K with Samba ( at the very least, the DC ). Though I'd love to have the extra security capabilities of W2K ( Kerberos ) as a DC, Samba/NT4 as PDC/BDC with ldapsam will more than suffice for now.

The show-stopper right now is this: we need to be able to assign real Full Control permissions: a user who has Full control on a directory should be able to Read, Write, eXecute ( of course) [ this can be easily achieved with ACLs ] *plus* being able to give away Full Control to other users too [ being able to override inherited ACLs would be a plus, too ].

Is this feasible (remember smbd runs as root... )? Has somebody thought about implementing this ?

I thought that maybe coding a wrapper around SecLib could achieve this. Being quite fluent in C/C++ both in Un*x as well as Win32 I don't mind coding whatever tool is needed to achieve this, provided it is indeed possible. If not, some suggestions/comments ( or even an approximate timeline for implementation! ) would be more than welcome.

Thanks in advance everybody. Keep the good work, Samba Team!

Kind regards, J.L.
Re: [Samba] Phasing out windows
At 18:14 19/02/2003 +, you wrote:

> On Wed, Feb 19, 2003 at 08:40:06AM +, pondiboy - wrote:
> [snip]
> > My exchange server is my PDC and of course i would like to go in for 3 Linux Boxes as my additional Domain controllers. And use my Windows PDC (Running Exchange 2000) for mails exchange.

While you do that PLEASE kick Exchange out if you can. Postfix + Courier-IMAP + OpenLDAP will do exactly the same ( and it's FREE, like beer and freedom ). If you *absolutely* need the collaboration features, you can try Ximian's Connector.

> > My company has a strength of 350 users. Could anyone out there give me clear instructions as to how to go about.

Google for Postfix + MySQL + Courier-IMAP and you will find a bunch of HOWTOs ( can't remember exact URLs right now )

> You may be asking in the wrong place. Try http://us1.samba.org/samba/support/
> Jeremy.