Re: [Samba] What great things can a non-windows user do with Samba

2013-07-13 Thread Linda Walsh

Robert Heller wrote:

At Thu, 11 Jul 2013 11:52:49 -0400 Steve Litt sl...@troubleshooters.com wrote:

  

Hi all,

I ask this question about once a decade.

I have about 7 computers, all Linux or BSD. Are there any cool things I
can do with Samba, even though I have no Windows computers?

I haven't done timings against nfs for a while, but when I did, samba was notably
faster than NFS... but that was back on 100Mb ether and a lot has changed now.


My current samba tops out at about 25% of a 20Gbit ether -- it becomes
cpu bound due to the windows-design of 1 TCP connection serving all your
file system requests.



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Windows 7 + Samba 3.5.6 = abject misery...

2013-05-20 Thread Linda Walsh




Steve Holdoway wrote:
 The problem is that I'm descending further into the mire. Can't log on
 to the PC as local administrator account is disabled, can't log on in
 safe mode without arriving at the domain login screen, can't seem to
 find anything on the server side to fix this.

 Remembering well why I chose the dark side years ago, and losing the
 will to live...



Can you try to use the remote net DOM feature...on the server?

 


Re: [Samba] Windows 7 + Samba 3.5.6 = abject misery...

2013-05-19 Thread Linda Walsh




Chris Rowson wrote:
 On 19 May 2013 23:13, Steve Holdoway st...@greengecko.co.nz wrote:
   
 Can anyone help with this? I set it all up a few months ago, the samba
 side being standard upgrades via debian - configured as a PDC, and the
 windows 7 clients being clean installs, with the standard
 lanmanworkstation regedits done.

 They've been working fine since then, but have now started failing,
 instead raising the error message

  'The trust relationship between this work station and the primary
 domain has failed'
 
I had this problem a lot until I told my windows computer to disable machine
account password changes.  I think it changes them about every 30 days or maybe
less -- but it would change its password and the server wouldn't be informed, so
the shared-secret between the two of them was no longer decipherable.

To be honest, it doesn't sound like the BEST way, or the most SECURE way to fix
the problem, BUT, given my windows machine is on a closed internal net,
practicality trumps imaginary security problems




Re: [Samba] Practicality of fixing samba's case mangling problems?

2011-12-28 Thread Linda Walsh





Christopher R. Hertel wrote:

Linda,

If you have filed a bugzilla report,
Date         Title

2011-07-27   *Bug 8325* https://bugzilla.samba.org/show_bug.cgi?id=8325 - WINS should no longer be changing 'case' on hostnames' inconsistent with domain practice
2011-08-17   *Bug 8380* https://bugzilla.samba.org/show_bug.cgi?id=8380 - Samba needs to preserve casename on user/group/host to be MS-compat (all versions)
2011-08-29   *Bug 8417* https://bugzilla.samba.org/show_bug.cgi?id=8417 - Samba needs to not mess with case of domain and host names
2011-09-05   *Bug 8435* https://bugzilla.samba.org/show_bug.cgi?id=8435 - NMBD altering case of file names causes other subsystems to fail.



--- I've filed a few.


... and can identify the code that needs review, that would help.

Well, that's why I'm whining in public... it's a bit too much for me to handle:


The files (just looked at samba3 code):

./auth/auth_builtin.c
./auth/auth_server.c
./auth/auth_util.c
- ./auth/pampass.c
- ./auth/pass_check.c
./client/client.c
?./client/clitar.c
./include/includes.h
./include/proto.h
./lib/afs.c
-./lib/charcnv.c
./lib/eventlog/eventlog.c
./lib/substitute.c
./lib/username.c
./lib/util.c
-./lib/util_str.c
-./lib/util_unistr.c
./libads/ads_struct.c
./libads/dns.c
./libads/kerberos.c
./libads/kerberos_keytab.c
./libads/kerberos_verify.c
./libads/ldap.c
./libads/util.c
./libnet/libnet_join.c
./libsmb/cliconnect.c
./libsmb/clifsinfo.c
./libsmb/clirap.c
./libsmb/clirap2.c
./libsmb/dsgetdcname.c
./libsmb/namecache.c
./libsmb/namequery.c
./libsmb/namequery_dc.c
./libsmb/nmblib.c
./libsmb/nmblib.c
./libsmb/ntlmssp.c
./libsmb/trustdom_cache.c
./modules/vfs_afsacl.c
./modules/vfs_streams_depot.c
./modules/vfs_streams_xattr.c
./nmbd/nmbd_browserdb.c
./nmbd/nmbd_browsesync.c
./nmbd/nmbd_elections.c
?./nmbd/nmbd_incomingdgrams.c
./nmbd/nmbd_incomingdgrams.c
./nmbd/nmbd_incomingrequests.c
./nmbd/nmbd_namelistdb.c
./nmbd/nmbd_sendannounce.c
./nmbd/nmbd_serverlistdb.c
./nmbd/nmbd_winsserver.c
./param/loadparm.c
./passdb/lookup_sid.c
./passdb/pdb_interface.c
./passdb/pdb_ldap.c
./passdb/pdb_tdb.c
./passdb/secrets.c
./printing/lpq_parse.c
./printing/nt_printing.c
./registry/reg_util.c
./rpc_client/cli_pipe.c
./rpc_server/srv_dfs_nt.c
./rpc_server/srv_dssetup_nt.c
./rpc_server/srv_wkssvc_nt.c
./rpcclient/cmd_spoolss.c
./smbd/filename.c
./smbd/lanman.c
-./smbd/mangle_hash.c
./smbd/mangle_hash2.c
./smbd/negprot.c
./smbd/password.c
./smbd/seal.c
./smbd/service.c
./smbd/service.c
./smbd/sesssetup.c
./smbd/smb2_tcon.c
./torture/masktest.c
./torture/torture.c
./utils/net_ads.c
./utils/net_conf.c
./utils/net_idmap.c
./utils/net_rpc.c
./utils/net_rpc_join.c
./utils/net_usershare.c
./utils/ntlm_auth.c
./utils/ntlm_auth_diagnostics.c
./utils/pdbedit.c
./utils/smbcontrol.c
-./utils/smbpasswd.c
./winbindd/idmap_adex/gc_util.c
./winbindd/idmap_ldap.c
./winbindd/wb_fill_pwent.c
./winbindd/winbindd_ads.c
./winbindd/winbindd_cache.c
./winbindd/winbindd_cm.c
./winbindd/winbindd_pam.c
./winbindd/winbindd_util.c


---
Ones with a - in front of them mention strup/lo, but don't use it for user or
dom mangling.

There are a few.

Not really sure about how good the case mangling that is in there is...
as it tries to handle unicode, w/out knowing that max UTF-8 len for current
unicode (up through bit plane 17), takes 4 bytes, not 5 as the code comments.

Also this made me wonder about making modifications, as I don't know what I might
be trying to base code on...


use_as_is:
   /*
    * Conversion not supported. This is actually an error, but there are so
    * many misconfigured iconv systems and smb.conf's out there we can't just
    * fail. Do a very bad conversion instead JRA.
    */

So not sure what one would end up with or what types of incompatibilities one
might introduce if one were to try to introduce changes to code that passes
through errors...  how does one define case for erroneous charset usage?

How are you at digging into the code?

   Not A LOT of 'endurance', easily distracted



and can identify the code that needs review, that would help.  Patches are
even better.  


Last patch of mine got modified into a personal statement by someone about their
bad experiences w/the security 'community'[sic]...  *ahem*...


The more specific details that you can provide the better able
one of us will be to work with you on resolving the problems you are seeing.

Chris -)-
  



Well, I have raised the issue a few times...





[Samba] Practicality of fixing samba's case mangling problems?

2011-12-27 Thread Linda Walsh
  
Samba has multiple areas of case mangling problems that cause incompatibilities
when used with windows or linux clients.

How viable is the idea of fixing the problems?  Would the sky fall in if it
preserved case, but either 'ignored it', or gave preference to matches that
included the case as typed (vs. alternate case matches).

The first would be fairly compatible with current Win implementation, but the
2nd would be more compatible when it comes to looking for Domain (and _likely_,
machine names).

I've looked at the traffic in an attempted join of workstation 'Athenae' into
'Bliss', which has had its case mangled by samba3.

Dialogue goes something like:

Workstation 'Athenae' broadcasts:  I want a login user= to domain Bliss.
(a query for a login server, I would gather).

PDC 'Ishtar' (samba3 on *nix), responds to this login request, there is no
user  here.
Athenae then responds with login request for Athenae to 'Bliss' with marked
as a machine /domain trust account.

It doesn't send a username, but a unicodename, as domain names can be unicode
and upper/lowercase.  Response from Bliss is 'Accepted/ok'.

Athenae now asks for the PDC so it can create a secure channel.  It gets back
ISHTAR/BLISS.  Win7 doesn't like that.

It asked for Bliss, a Domain name, and got back BLISS, a WORKGROUP name.

So it issues a weird error message in the middle of it all and fails.

Similar problems happen in serving up a user's profile under the Domain name.

On linux, a path /home/BLISS, doesn't give you the same path as /home/Bliss,
nor does 'x'/Domain Admins get taken on linux for 'x/domain admins'... so logins
don't work unless the case matches.

I've tried many kludge arounds, including symlinks for the differently cased
options, as well as multiple entries for the same user in /etc/passwd --
something that causes random behavior depending on how many items are in a
cache, its size and who referenced which variant when.

As near as I can tell, this change started with Win2000, and use of port 445
when names larger than the Netbios len of 15 chars were allowed (because names
passed over 445, aren't required to be netbios compatible).

FWIW, I've seen both BLISS and Bliss on my local net as a workgroup and a Domain
and they have different icons.  Since Samba started supporting port 445 speak,
it seems like it also, perhaps unwittingly undertaken to support case
preservation.

The alternative is to keep case mangling but only speak on ports 138/139...etc,
but to, which I think would work as samba was originally designed, but as soon
as features of NT5 were grafted on, samba ran the risk of incompats.

How can we move forward and get this fixed?




Thanks,
Linda
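
The second option raised in the post above (keep names as stored, prefer a match in the case typed, fall back to a case-insensitive match) written out as an added Python example. It is not Samba code or code from the poster; `resolve_name`, `mangled_lookup` and the sample name lists are hypothetical, and the lists are constructed.

```python
from __future__ import annotations

import unicodedata


class AmbiguousName(LookupError):
    """Several stored names differ from the typed one only by case."""


def _nfc(name: str) -> str:
    return unicodedata.normalize("NFC", name)


def _fold(name: str) -> str:
    # Caseless key. casefold() rather than upper()/lower() because domain
    # names may be Unicode; normalise again since folding can de-normalise.
    return _nfc(_nfc(name).casefold())


def resolve_name(typed: str, stored: list[str]) -> str:
    """Return the stored spelling that `typed` refers to.

    1. A match in exactly the case typed wins.
    2. Otherwise a single case-insensitive match is returned in its
       stored (preserved) spelling, never in a forced upper/lower form.
    3. Several case-insensitive candidates and no exact one: refuse to guess.
    """
    exact = [s for s in stored if _nfc(s) == _nfc(typed)]
    if exact:
        return exact[0]
    loose = [s for s in stored if _fold(s) == _fold(typed)]
    if len(loose) == 1:
        return loose[0]
    if not loose:
        raise KeyError(typed)
    raise AmbiguousName(f"{typed!r} matches {sorted(loose)}")


def mangled_lookup(typed: str, stored: list[str]) -> str | None:
    """Model of the complaint: force upper case, then look the result up
    case-sensitively, as a Unix path or group lookup would."""
    forced = typed.upper()
    return forced if forced in stored else None


if __name__ == "__main__":
    home_dirs = ["Bliss"]                 # constructed: entries under /home
    print(mangled_lookup("Bliss", home_dirs))        # None: /home/BLISS is absent
    print(resolve_name("BLISS", home_dirs))          # Bliss
    print(resolve_name("Bliss", ["BLISS", "Bliss"]))  # exact case preferred
```

When both `BLISS` and `Bliss` are present and the typed form matches neither exactly, the lookup raises instead of picking one, which avoids the cache-order-dependent behaviour the post describes.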



[Samba] Can't find domain (but domain logins for joined WS and roaming profile works! ; -/ !

2011-11-12 Thread Linda Walsh




I'm trying to join a 2nd workstation to my domain -- but it can't find the domain
name.

It's a Win7 machine (same as 1st)...all settings are the same and
wireshark shows the problem is the DC is claiming it can't find
the domain name (that it is the DC for!?)...  um...

Let's see:
 wbinfo --all-domains
BUILTIN
BLISS
wbinfo --own-domain
BLISS
wbinfo --verbose -D Bliss
Name  : BLISS
Alt_Name  :
SID   : S-1-5-21-3-7-3
Active Directory  : No
Native: No
Primary   : Yes
 wbinfo --ping-dc
checking the NETLOGON dc connection succeeded

Looks ok so far...and don't know what is really causing the problem, but
the next output didn't look right:

 wbinfo --dsgetdcname=Bliss
ISHTAR
\\ISHTAR
2
----
BLISS
(null)
0x
(null)
(null)


Is that supposed to be that way???  How do I fix/repair it?

Tnx

(just noticed the tdb_file lib on the perl CPAN archive is very outdated,
and tdbtool is a very awkward way to make repairs, though I've used
it successfully.  Once.  Are there any better tools for tdb editing? and
better...ones that have samba specific labels??? ;-)*sigh*...maybe
there's an easier way.







Re: [Samba] winbind nsswitch resolving names issue

2011-10-31 Thread Linda Walsh

Alessio Tomelleri - ARPAV Dipartimento di Belluno wrote:




Is not clear to me why if I query my user, randomly it doesn't show mine
Domain Local Group, only Global Group... I underline this happen
randomly, it seems to me...




Finally I would ask some clarification about option compat in
nsswitch.conf, 'cause I've not found in doc and man a clear explanation.



From Manpage from nsswitch.conf:
  ** Interaction with +/- syntax (compat mode)
  Linux  libc5 without NYS does not have the name service switch but does
  allow the user some policy control.   In  /etc/passwd  you  could  have
  entries  of  the  form  +user or +@netgroup (include the specified user
  from the NIS passwd map), -user or -@netgroup  (exclude  the  specified
  user),  and  +  (include every user, except the excluded ones, from the
  NIS passwd map).  Since most  people  only  put  a  +  at  the  end  of
  /etc/passwd  to  include  everything  from  NIS,  the switch provides a
  faster alternative for this case (`passwd: files  nis')  which  doesn't
  require the single + entry in /etc/passwd, /etc/group, and /etc/shadow.
  If this is not sufficient, the NSS `compat' service provides  full  +/-
  semantics.  By default, the source is `nis', but this may be overridden
  by specifying `nisplus' as source for the pseudo-databases  passwd_compat,
  group_compat  and shadow_compat.  These pseudo-databases are only
  available in GNU C Library.

---

That's as much as I know...i.e. will likely use your /etc/passwd/group
unless you have NIS and GNU provides some GNU specific extensions to
support similar features.

As to the other prob -- random info returned...you are running samba right?
Random results are a key feature!   ;-)

Seriously...do you have something like nscd running or some other
directory service (ldap/yp/nis) that might be returning its opinion
on the information rather than it always going to wb?

(I have lots of probs with wb, so anything I say should be considered with
a full salt container in hand...just in case)...

linda





Re: [Samba] samba-3.4.7 access to share from win7

2011-10-31 Thread Linda Walsh

viktor ruhle wrote:


Hello list,
I have tried rather much (forums, google) and trying this as the last option.
The problem is that
 one is not able to access group samba shares from windows 7 machines,
 everything ok from win-ts-2003 & xp machines. Every user belongs to his
 primary group defined in samba+openldap pdc. If they want to access the
 share named according to their primary group (with permissions
 rwxrwx---), they only get access denied error, I can't understand why
 it works from win-XP,2003 but not from win 7  other shares
 (homefolders - rwx-- and common shares - rwxrwxrwx) work without
 problem

---
Lots of things changed in win7...you say 'group' access''ok..

So that means the NT clients have to know a user is in group 'x',
(likely meaning it needs to be propagated from a samba acting as
a domain controller).

If not, how would the client know the user is in the group that has
access?  I.e. it would deny access before ever trying access on the
net, I'd think.

If you want to maintain group access, you might want to use
'force groupmode', instead of or in addition to the masks...the masks
are bitwise-AND masks, (they can strip off stuff, but they won't turn it on).

I assume each user is in their own group -- like andre is in group andre
bib in group bib, helse in group helse...etc...is it set to be their
primary group?  (shouldn't be necessary, but another thing to try
when you can't figure out why things are broken)...;-)

When you look at the properties of one of those dirs from
Winclient, what do you see for the property list?   Does it make
sense  I.e.
root: full,
group xxx: full  or what?

There's only 1 place i know of to set a Win7's primary group.

And that's from the User control panel -- control panel user
accounts/manage user accounts...there you will see the option to set
only 1 group/login.  That one group, I think, gets equated to the
primary group (but it's a weak association, since windows doesn't
have the concept of a primary group AFAIK).


The log at the end doesn't give much to go on, BUT the failure of
the IPC at the very beginning might have been an attempt by windows
to find out what groups the user was in -- if that failed, then it
can't get those, and group access wouldn't work...


Sorry, not much to go on, but maybe gives you some ideas?

-l



I have tried this (*) as well but still no luck ...

(*)
Control Panel - Administrative Tools - Local Security Policy
Local Policies - Security Options
Network security: LAN Manager authentication level
Send LM & NTLM responses
Minimum session security for NTLM SSP
Disable Require 128-bit encryption 
-

samba version - samba-3.4.7
distro - ubuntu 10.04 server edition
kernel - 2.6.32-28-generic

relevant part from smb.conf

[grupper]
   path = /home/grupper
   comment = Velg din gruppe
   writable = yes
   browseable = yes
   create mask = 0770
   directory mask = 0770

root@samba3:/home/grupper# ls -la
total 56
drwxr-xr-x 14 root root   4096 2011-04-06 16:02 .
drwxr-xr-x  8 root root   4096 2011-05-25 15:42 ..
drwxrwx---  2 root andre  4096 2011-04-06 16:02 andre
drwxrwx---  2 root bib    4096 2011-04-06 16:01 bib
drwxrwx---  2 root helse  4096 2011-04-06 16:02 helse
drwxrwx---  2 root ikt    4096 2011-04-06 16:01 ikt
drwxrwx--- 14 root kassen 4096 2011-06-27 12:00 kassen
drwxrwx---  2 root kirke  4096 2011-04-06 16:02 kirke
drwxrwx---  2 root ntk    4096 2011-06-27 14:21 ntk
drwxrwx---  2 root ord    4096 2011-04-06 16:02 ord
drwxrwx--- 70 root pro    4096 2011-06-27 22:21 pro
drwxrwx---  2 root sad    4096 2011-04-06 16:01 sad
drwxrwx---  2 root sko    4096 2011-04-06 16:01 sko
drwxrwx---  2 root sosial 4096 2011-04-06 16:02 sosial

something from logs (hopefully relevant) when a win 7 machine tries to access
one of above mentioned shares:
[2011/07/08 15:52:25,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/ipc.c(527) cmd=37 (SMBtrans) NT_STATUS_NOT_SUPPORTED
[2011/07/08 15:52:25,  3] smbd/process.c:1459(process_smb)
  Transaction 62 of length 88 (0 toread)
[2011/07/08 15:52:25,  3] smbd/process.c:1273(switch_message)
  switch message SMBtrans2 (pid 1961) conn 0x7f2b102aaed0
[2011/07/08 15:52:25,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (10200, 10002) - sec_ctx_stack_ndx = 0
[2011/07/08 15:52:25,  3] smbd/trans2.c:3956(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2011/07/08 15:52:25,  3] smbd/vfs.c:865(check_reduced_name)
  reduce_name [sad] [/home/grupper]
[2011/07/08 15:52:25,  3] smbd/vfs.c:974(check_reduced_name)
  reduce_name: sad reduced to /home/grupper/sad
[2011/07/08 15:52:25,  3] smbd/trans2.c:4070(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo sad (fnum = -1) level=1004 call=5 total_data=0
[2011/07/08 15:52:25,  3] smbd/process.c:1459(process_smb)
  Transaction 63 of length 88 (0 toread)
[2011/07/08 

[Samba] Dual interfaced computer...2 addrs for same hostname -- samba doesn't seem to like this?

2011-10-25 Thread Linda Walsh



To support reliability, I have 2 network connections from my win7 client to my
home server.

Both the server and the client have 2 **internal** 192.168.3.XXX addresses...

Doing a reverse DNS lookup, on either of the interfaces will return the same
hostname.  Doing a forward DNS lookup on the hostname will randomly return one
or the other (supposed to be able to prioritize, but when I do that, I get a
message (rrset-fixed), that the feature was disabled at compile time...)...so
it's doing roundrobin with the 2 addrs..

Seems like samba is alternate denying requests to 1 address, while serving to
the other address.

how can I get it to accept requests from either address and send back to which
ever has the fewest requests enqueued...but even if it send it back over a
different number, how do I get it to not say permission denied to me half of
the time?


Very weird.






[Samba] smbd: PANIC (pid xxxxx): internal error -- ? causes?

2011-10-02 Thread Linda Walsh

I have a bunch of these in my log...  Was wondering if anyone had seen them before
and what the cause might be?  Thanks...



Oct  1 03:25:15 Ishtar smbd[23925]: [2011/10/01 03:25:15,  0] lib/util.c:1468(smb_panic)
Oct  1 03:25:15 Ishtar smbd[23925]:   PANIC (pid 23925): internal error
Oct  1 03:25:15 Ishtar smbd[23925]:#1 /usr/sbin/smbd(smb_panic+0x55) [0x7f7120093134]
Oct  1 03:25:15 Ishtar smbd[23926]: [2011/10/01 03:25:15,  0] lib/util.c:1468(smb_panic)
Oct  1 03:25:15 Ishtar smbd[23926]:   PANIC (pid 23926): internal error
Oct  1 03:25:15 Ishtar smbd[23926]:#1 /usr/sbin/smbd(smb_panic+0x55) [0x7f7120093134]
Oct  1 03:29:49 Ishtar smbd[23927]: [2011/10/01 03:29:49,  0] lib/util.c:1468(smb_panic)
Oct  1 03:29:49 Ishtar smbd[23927]:   PANIC (pid 23927): internal error
Oct  1 03:29:49 Ishtar smbd[23927]:#1 /usr/sbin/smbd(smb_panic+0x55) [0x7f7120093134]
Oct  1 03:29:49 Ishtar smbd[24021]: [2011/10/01 03:29:49,  0] lib/util.c:1468(smb_panic)
Oct  1 03:29:49 Ishtar smbd[24021]:   PANIC (pid 24021): internal error
Oct  1 03:29:49 Ishtar smbd[24021]:#1 /usr/sbin/smbd(smb_panic+0x55) [0x7f7120093134]
Oct  1 03:31:14 Ishtar smbd[24022]: [2011/10/01 03:31:14,  0] lib/util.c:1468(smb_panic)
Oct  1 03:31:14 Ishtar smbd[24022]:   PANIC (pid 24022): internal error
Oct  1 03:31:14 Ishtar smbd[24022]:#1 /usr/sbin/smbd(smb_panic+0x55) [0x7f7120093134]
Oct  1 03:31:14 Ishtar smbd[24164]: [2011/10/01 03:31:14,  0] lib/util.c:1468(smb_panic)
Oct  1 03:31:14 Ishtar smbd[24164]:   PANIC (pid 24164): internal error
Oct  1 03:31:14 Ishtar smbd[24164]:#1 /usr/sbin/smbd(smb_panic+0x55) [0x7f7120093134]
Oct  1 03:31:17 Ishtar smbd[24165]: [2011/10/01 03:31:17,  0] lib/util.c:1468(smb_panic)
Oct  1 03:31:17 Ishtar smbd[24165]:   PANIC (pid 24165): internal error
Oct  1 03:31:17 Ishtar smbd[24165]:#1 /usr/sbin/smbd(smb_panic+0x55) [0x7f7120093134]



Re: [Samba] can't turn on wide links in homedir

2011-09-15 Thread Linda Walsh




simo wrote:

On Wed, 2011-09-14 at 18:16 -0700, Linda Walsh wrote:
  

 Jeremy Allison wrote:


I didn't like re-enabling the feature as it re-introduces something
that was widely regarded as a security hole, 
  

People widely regarded the earth as flat and ... well sometime ago,
as in some areas, as only 6000 years old...



Did you know the Greeks (150 BC and earlier) knew perfectly well the
earth was round and calculated things like the radius of the earth with
decent accuracy for the means and things like the precession ?

Sometimes people walk backward :)
  


   Science and reason almost always suffer in the face of
'mass (pun?) opinion' (or wide regard, as the case may be)...






Re: [Samba] can't turn on wide links in homedir

2011-09-14 Thread Linda Walsh

Jeremy Allison wrote:

 We needed to make it impossible to configure Samba insecurely.  At the
 time this was proposed, it was posted to the list and no dissenting
 voices were heard.

---

   Not exactly true -- as soon as this feature was available for testing
in a downloadable package, there were dissenting voices.   Proposing
patches or changes on 1 product that one is responsible for, out of the
100's to 1000's of packages (over 3600 on one machine I just checked),
that people use on their machines, AND expecting any representative or
informed response from those that will be affected by such a patch, is
provincial, at best.

   When people were hit by this remote-management disabling patch, in
the first release that included it, there was notable dissent.

   It improved server security in the same way that ANY disabling of
remote-administration abilities will 'improve' server security -- i.e.
it may or it may result in creating worse problems.

   The 'bug'[sic],  was that a user could create a symlink in their home
dir to point to /etc/passwd.   Using that, they could allow /etc/passwd to
be readable by anyone who had pass-through access on the user's home dir,
and the ability to read /etc/passwd.

 However, users who have their home directory on the server, as in
some of the samba-suggested configurations where *nix security is
controlled by a samba PDC, could always manage symlinks remotely via ssh.
If a site expected users to be able to use directed links in specific
shares, they could turn on wide-links for the share that needs them (on
which USERS may have no write access), while on user-writable shares,
wide-links would not be enabled.   This would be the expected way someone
would manage this feature.

 But limiting wide links to non-user-writeable shares was considered too
difficult for people to figure out.  And somehow, allowing wide-links to
function, ONLY on non-user-write-able shares was considered 'insecure'
(how?).

 Even though there was an easy solution to the problem, the solution was
server-wide disabling of wide-links on all shares, if  unix extensions
were enabled ---  something that did more harm than good and likely
*created* 'insecure samba configurations', for sites that needed that
functionality but had to work around it..

 Contrary to the assertion that server-wide disabling of 'wide links'
(an imprecise and non descriptive term that probably led to the problem
that arose in the first place!) resulted in disallowing 'insecure
configurations', it created some configs that were more secure, AND some
configs that were less secure.


 Now there is the strong possibility of another option with another bad
name being added to get around previously ill-chosen named options  in
order to allow 're-hardening' of security on sites that were 'made less
secure' by the original disabling patch.

 ARG!...


 I  would like to put forth a possible alternative for consideration
(perhaps a bit late in the game), though perhaps a goal for a release in
the near future.  Better to say something than be accused later of saying
nothing...

Immediate:
  - Revert the original patch.
  - deprecate 'wide links'.
  - add new, descriptive term:

     allow symlinks outside share boundaries = (yes/no)


Or, longer term solution might be to add:

 permitted symlink targets = ...
 veto symlink targets = ...

e.g.

 permitted symlink targets = /
 veto symlink targets  = /etc  /proc /sbin /dev  /root  /tmp

or

 permitted symlink targets = /home /Share /backup /bin ...

(excluding /etc, thus passwd, for example).

 Claiming that some options are 'insecure' - when used correctly is
confusing, as it leads one to wonder why is it that an option that is not
insecure on linux, IS insecure on samba...are there bugs in samba that
make it more insecure?

 Certainly, if options are unclear, then they should be renamed over
 time.

 Through a @allow_compat prev version options could be immediately
deprecated, and 're-allowed' for 2-3 releases (or some fixed time).

 But going with descriptions that label 'useful (and used) features' as
insecure, when the opposite may be true for a given site is bound to
cause confusion and a desire to give multitudes of *worse* ways the samba
can be abused even though it is claimed that it is impossible to
configure it insecurely...

I'm sure that wouldn't be appreciated, but some might feel a need
to relate such configs, purely so that every useful samba config (or option)
can be prohibited in the name of protecting us...
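
The "permitted symlink targets" / "veto symlink targets" proposal in the post above, worked through as an added Python audit example that classifies every symlink in a share by where it finally resolves. This is not Samba code or the poster's code: the two option names are the ones proposed in the post, the function names are hypothetical, and it assumes that veto entries override permitted ones and that targets inside the share are always allowed. The directory tree is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path


def _real(path) -> Path:
    # Resolve every symlink in the path, so aliases in the policy entries
    # and link chains inside the share are compared on equal terms.
    return Path(os.path.realpath(path))


def _within(path: Path, root: Path) -> bool:
    # Component-wise containment: /etc-old is NOT inside /etc, which a
    # plain string-prefix comparison would get wrong.
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def classify_link(link, share_root, permitted, veto) -> str:
    """Classify one symlink by its fully resolved target."""
    target = _real(link)
    if _within(target, _real(share_root)):
        return "inside-share"
    if any(_within(target, _real(v)) for v in veto):      # assumption: veto wins
        return "vetoed"
    if any(_within(target, _real(p)) for p in permitted):
        return "permitted"
    return "not-permitted"


def audit_share(share_root, permitted, veto=()):
    """Map each symlink (path relative to the share) to its classification."""
    findings = {}
    # followlinks=False: report directory symlinks, never walk through them.
    for dirpath, dirnames, filenames in os.walk(share_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                rel = os.path.relpath(full, share_root)
                findings[rel] = classify_link(full, share_root, permitted, veto)
    return findings


def demo():
    """Build a constructed tree and audit it under both policies from the post."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)                       # stands in for "/"
        share = root / "home" / "alice"        # a user-writable home share
        for d in (share, root / "etc", root / "etc-old",
                  root / "Share" / "docs", root / "srv"):
            d.mkdir(parents=True)
        (root / "etc" / "passwd").write_text("constructed\n")
        (root / "etc-old" / "f").write_text("constructed\n")
        (share / "notes.txt").write_text("constructed\n")
        os.symlink(root / "etc" / "passwd", share / "pw")
        os.symlink(share / "pw", share / "hop")            # link to a link
        os.symlink(root / "Share" / "docs", share / "docs")
        os.symlink(root / "srv", share / "srv")
        os.symlink(share / "notes.txt", share / "alias")
        os.symlink(root / "etc-old" / "f", share / "old")
        # permitted = / with a veto list
        wide = audit_share(share, permitted=[root], veto=[root / "etc"])
        # permitted = an explicit list, no veto
        narrow = audit_share(share, permitted=[root / "home", root / "Share"])
        return wide, narrow


if __name__ == "__main__":
    for policy in demo():
        for link, verdict in sorted(policy.items()):
            print(f"{verdict:14} {link}")
        print()
```

The `hop` link shows why the check has to run on the resolved target: it points at another link inside the share, yet ends at the vetoed file.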













Re: [Samba] can't turn on wide links in homedir

2011-09-14 Thread Linda Walsh


Jeremy Allison wrote:

I didn't like re-enabling the feature as it re-introduces something
that was widely regarded as a security hole, 

People widely regarded the earth as flat and ... well sometime ago,
as in some areas, as only 6000 years old...


but recognised the need
some sites have to enable it without patching the code. So naming it
allow insecure widelinks is the best solution IMHO. That
way people who are experimenting won't turn it on by accident
and blame us (and yes, things like that *do* happen), but people
who need it can do so happily.

smb.conf is not a user interface, it's a configuration file. It's ok
to have ugly options we don't recommend people use (as  Volker said,
you can set guest user = root if you really want to :-).

  

If not, I didn't win.  I feel that I failed to communicate with you.



What we have here is a failure to communicate... :-) :-).

(name that movie ! :-).
  

--
*sigh*...


I'm just fed up of discussing it. As you are one of the sites
who vociferously requested this option back in the code (even
to the extent of opening a bug and writing a patch) then let's
just leave things as they are. I won't respond again on this
topic, I have far too many other things to do.
  


   Oh...ok...well, ... um... thanks?  I think?

   :-)

(still wish I could help you deal with the idiots who think the world is
flat...but I'm rarely if ever a good convincer of anything, even though
what I say is often valid )...*sigh*

I think my nick should have been
Cassandra...




Jeremy
  




Re: [Samba] Can't add users to well known groups...

2011-09-12 Thread Linda Walsh




François Legal wrote:


Not sure if this is relevant, but if (first case shown down here)
Domain Admins is not so much a group but a map to unix group, I'm
not surprised that you can't add users to this using samba. I would
rather use /etc/group or whatever to add users to the unix group mapped




Good point, 2 things: 1) My userid/login 'should' already be listed in the
group, (as it IS in /etc/group), but wins doesn't return the members that
SHOULD be listed in the group.

2) It has scripts to modify users, groups and machines... (add & delete),
in a most primitive form, it could delete group/ re-add group w/new member
list.

---

It just occurred to me, that maybe it's confusing itself -- in that,
currently, Samba mangles the casename of groups/users to lower case and
hosts/domains to upper case.  Current versions of windows don't do this --
they ignore but preserve case (unless there is some pre-existing copy of the
name already in some other 'case', in which case it will convert your typed
input into the 'pre-existing copy').

But unix/linux not only doesn't change case, it doesn't ignore them either,
so if it took something like Domain Admins, and changed it to 'domain
admins', it wouldn't match the group name when it tried to look it up.


Nevertheless, the lookup problem, was definitely caused by code
in the patched files that tells it not to deal with 'well known groups' --
regardless if they are mappings or not...



Re: [Samba] Can't add users to well known groups...

2011-09-10 Thread Linda Walsh



Harry Jede wrote:

On 15:48:09 wrote Linda Walsh:
  

I created the well known group Domain Admins pointing to a local
group, but I am not able to add users to the group -- it claims I
can only add users to
local or global groups...

But I only see local, domain ,well-known, builtin.

There are no global groups unless one would include all groups that
are not local (i.e. domain, well-known, and builtin)

So why doesn't it want to let me add to my domain admins group when
it is defined as a well known group (which it is, according to
MS)...

Nobody may be able to answer your questions, if you don't give us some
background information!


something like:
which samba version
which sam, ldapsam or tdbsam
do you use winbind
your global section of samba conf
the commands you have used
which well known groups you have currently

---
  

Sorry...
running with latest 3.5.x: 3.5.11 as of this writing.
Using Tdb & winbind.
Since I was having problems with Domain Admins, tried deleting
it and recreating it as a domain group (so it doesn't show, below, as a
'well known group', but a domain group (even though it should be both)).
--
 sudo net -l groupmap list 

Domain Users
   SID   : S-1-5-21-3-7-3-513
   Unix gid  : 513
   Unix group: Domain Users
   Group type: Well-known Group
   Comment   : Wellknown Unix group
man
   SID   : S-1-5-21-3-7-3-1028
   Unix gid  : 62
   Unix group: man
   Group type: Domain Group
   Comment   : Unix Group man
Domain Controllers
   SID   : S-1-5-21-3-7-3-516
   Unix gid  : 516
   Unix group: Domain Controllers
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Backup Operators
   SID   : S-1-5-32-551
   Unix gid  : 551
   Unix group: Backup Operators
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Power Users
   SID   : S-1-5-32-547
   Unix gid  : 547
   Unix group: Power Users
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Cert Publishers
   SID   : S-1-5-21-3-7-3-517
   Unix gid  : 517
   Unix group: Cert Publishers
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Replicators
   SID   : S-1-5-32-552
   Unix gid  : 552
   Unix group: Replicators
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Domain Admins
   SID   : S-1-5-21-3-7-3-544
   Unix gid  : 512
   Unix group: Domain Admins
   Group type: Domain Group
   Comment   : Domain Unix group
Juno
   SID   : S-1-5-21-3-7-3-1005
   Unix gid  : 231
   Unix group: Juno
   Group type: Domain Group
   Comment   : Juno Printer Group
media
   SID   : S-1-5-21-3-7-3-1017
   Unix gid  : 20001
   Unix group: media
   Group type: Domain Group
   Comment   : Unix Group media
Administrators
   SID   : S-1-5-32-544
   Unix gid  : 544
   Unix group: Administrators
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Domain Guests
   SID   : S-1-5-21-3-7-3-514
   Unix gid  : 514
   Unix group: Domain Guests
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Trusted Local Net Users
   SID   : S-1-5-21-3-7-3-50002
   Unix gid  : 50002
   Unix group: trusted_local_net_users
   Group type: Domain Group
   Comment   : Trusted Local Net Users
Account Operators
   SID   : S-1-5-32-548
   Unix gid  : 548
   Unix group: Account Operators
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Schema Admins
   SID   : S-1-5-21-3-7-3-518
   Unix gid  : 518
   Unix group: Schema Admins
   Group type: Well-known Group
   Comment   : Wellknown Unix group
RAS Servers
   SID   : S-1-5-32-553
   Unix gid  : 10123
   Unix group: BUILTIN\ras servers
   Group type: Local Group
   Comment   :
scan
   SID   : S-1-5-21-3-7-3-1006
   Unix gid  : 232
   Unix group: scan
   Group type: Local Group
   Comment   : Local Unix group
Users
   SID   : S-1-5-32-545
   Unix gid  : 1
   Unix group: BUILTIN\users
   Group type: Local Group
   Comment   :
Domain Computers
   SID   : S-1-5-21-3-7-3-515
   Unix gid  : 515
   Unix group: Domain Computers
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Domain Administrator
   SID   : S-1-5-21-3-7-3-500
   Unix gid  : 500
   Unix group: Domain Administrator
   Group type: Well-known Group
   Comment   : Wellknown Unix group
Print Operators
   SID   : S-1-5-32-550
   Unix gid  : 550
   Unix group: Print Operators
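
An added example, not part of the original message or of Samba: a small audit of verbose `net groupmap list` output that flags well-known group names whose SID carries the wrong RID or sits under the wrong authority. The function names are hypothetical, the RID tables are the values Microsoft documents for these groups, and the sample reuses entries from the listing above plus one constructed entry.

```python
import re

# Relative IDs Microsoft documents for these well-known groups.
DOMAIN_RIDS = {
    "Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514,
    "Domain Computers": 515, "Domain Controllers": 516,
    "Cert Publishers": 517, "Schema Admins": 518, "Enterprise Admins": 519,
}
BUILTIN_RIDS = {
    "Administrators": 544, "Users": 545, "Guests": 546, "Power Users": 547,
    "Account Operators": 548, "Print Operators": 550, "Backup Operators": 551,
}
BUILTIN_AUTHORITY = "S-1-5-32"
DOMAIN_PREFIX = "S-1-5-21-"

FIELD = re.compile(r"^\s+(SID|Unix gid|Unix group|Group type|Comment)\s*:\s*(.*)$")


def parse_groupmap(text):
    """Parse verbose 'net groupmap list' output into one dict per mapping."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
        elif not line[0].isspace():
            # An unindented line is the NT group name that starts a record.
            current = {"NT group": line.strip()}
            entries.append(current)
    return entries


def audit_groupmap(entries):
    """Return (group, problem) pairs for mappings that break the well-known layout."""
    findings = []
    for entry in entries:
        name, sid = entry["NT group"], entry.get("SID", "")
        authority, _, rid_text = sid.rpartition("-")
        if not rid_text.isdigit():
            findings.append((name, "unparseable SID %r" % sid))
            continue
        rid = int(rid_text)
        in_domain = authority.startswith(DOMAIN_PREFIX)
        in_builtin = authority == BUILTIN_AUTHORITY
        if name in DOMAIN_RIDS:
            if not in_domain:
                findings.append((name, "domain group mapped under %s" % authority))
            elif rid != DOMAIN_RIDS[name]:
                findings.append((name, "RID %d, expected %d" % (rid, DOMAIN_RIDS[name])))
        elif name in BUILTIN_RIDS:
            if not in_builtin:
                findings.append((name, "builtin group mapped under %s" % authority))
            elif rid != BUILTIN_RIDS[name]:
                findings.append((name, "RID %d, expected %d" % (rid, BUILTIN_RIDS[name])))
        elif (in_domain and rid in DOMAIN_RIDS.values()) or \
                (in_builtin and rid in BUILTIN_RIDS.values()):
            # A privileged RID bound to a name that should not carry it.
            findings.append((name, "unexpected name holds well-known RID %d" % rid))
    return findings


# Sample input: the first three entries are taken from the listing above;
# the last one is constructed to show the wrong-authority case.
SAMPLE = """\
Domain Admins
   SID       : S-1-5-21-3-7-3-544
   Unix gid  : 512
   Unix group: Domain Admins
   Group type: Domain Group
   Comment   : Domain Unix group
Administrators
   SID       : S-1-5-32-544
   Unix gid  : 544
   Unix group: Administrators
   Group type: Well-known Group
   Comment   : Wellknown Unix group
RAS Servers
   SID       : S-1-5-32-553
   Unix gid  : 10123
   Unix group: BUILTIN\\ras servers
   Group type: Local Group
   Comment   :
Domain Controllers
   SID       : S-1-5-32-516
   Unix gid  : 516
   Unix group: Domain Controllers
   Group type: Well-known Group
   Comment   : Wellknown Unix group
"""

if __name__ == "__main__":
    for group, problem in audit_groupmap(parse_groupmap(SAMPLE)):
        print("%s: %s" % (group, problem))
```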

Re: [Samba] Can't add users to well known groups...

2011-09-10 Thread Linda Walsh
One of the more 'interesting' commands (haven't done any tracing back
yet)...


net usersidlist
# net usersidlist
root
S-1-5-21-3-7-3-500
S-1-1-0
S-1-5-2
S-1-5-11
S-1-22-2-0
S-1-22-2-1
S-1-22-2-5
S-1-22-2-8
S-1-22-2-10
S-1-22-2-14
S-1-22-2-15
S-1-22-2-16
S-1-22-2-17
S-1-22-2-18
S-1-22-2-30
S-1-22-2-31
S-1-22-2-42
S-1-22-2-44
S-1-22-2-74
S-1-22-2-100
S-1-22-2-133
S-1-22-2-200
S-1-22-2-202
S-1-22-2-212
S-1-22-2-213
S-1-22-2-215
S-1-5-21-3-7-3-1006
S-1-22-2-237
S-1-22-2-238
S-1-5-21-3-7-3-1023
S-1-5-21-3-7-3-512
S-1-5-21-3-7-3-513
S-1-5-21-3-7-3-517
S-1-5-21-3-7-3-518
S-1-5-21-3-7-3-519
S-1-5-32-544
S-1-5-21-3-7-3-545
S-1-5-32-547
S-1-5-32-548
S-1-5-32-551
S-1-22-2-558
S-1-22-2-50001
S-1-5-21-3-7-3-50002
S-1-22-2-50003
S-1-5-32-545
** glibc detected *** net: free(): invalid pointer: 0x7fc6489af1a0 ***
=== Backtrace: =
/lib64/libc.so.6(+0x733b6)[0x7fc6455a23b6]
/lib64/libc.so.6(cfree+0x6c)[0x7fc6455a72dc]
net(+0xe86c1)[0x7fc6470736c1]
net(net_usersidlist+0x133)[0x7fc64707f1d2]
net(net_run_function+0x4d)[0x7fc647098d65]
net(main+0x920)[0x7fc647070f64]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fc64554dbfd]
net(+0xe4749)[0x7fc64706f749]

[Samba] Bash completion file(s) for samba utils...

2011-09-10 Thread Linda Walsh



I was wondering if anyone already had completion files for samba utils like
'net' wbinfo...etc...  I can never remember all the params, I keep wanting
to hit tab to autocomplete for options like I can on many other sys
utils.

So I started looking at examples of existing completion files and started
cobbling one together...  if no one else has some (which would be great!),
I'll probably continue work on this in a spare cycle every once in a while,
or if anyone wants to add to it, I'd appreciate additions...

Other utils do host and user name lookup when the param or field being
auto-completed needs such -- similar features would be nice in this one,
but it's my first attempt at writing autocompletion for anything,

To use it, just 'source it' (i.e.: . filename or source filename).

It just has 1st level and a few 2nd level cmds at this point, so it's
pretty basic, but it's already helpful, so I thought I'd toss it out for
others to use/enhance/abuse..  etc.

I'm working w/samba 3.5.11 and bash 4.1, so it may have some specifics to
those versions.  It doesn't have any of the ads sub commands in it, as my
current version doesn't have ads compiled in.  I don't know if
alphabetizing the compgen lists is needed (would certainly allow search
optimizations if so), but am trying for alphabetizing the
response lists...(but it may be unnecessary).

---
-linda






#!/bin/bash
# Bash completion for Samba's 'net' utility.  Uses _get_comp_words_by_ref
# and _expand from the bash-completion package.
function _net {
    COMPREPLY=()
    local cur prev
    _get_comp_words_by_ref -n : cur prev
    _expand || return 0

    # 2nd level: complete sub-commands based on the previous word.
    case $prev in
        _a_dummy_)
            COMPREPLY=($(compgen -W '' -- "$cur"))
            return 0 ;;
        cache)
            COMPREPLY=($(compgen -W 'add del flush get list search stabilize' -- "$cur"))
            return 0 ;;
        conf)
            COMPREPLY=($(compgen -W 'addshare delincludes delparm delshare drop
                getincludes getparm import list listshares setincludes setparm
                showshare' -- "$cur"))
            return 0 ;;
        dom)
            COMPREPLY=($(compgen -W 'join renamecomputer unjoin' -- "$cur"))
            return 0 ;;
        eventlog)
            COMPREPLY=($(compgen -W 'dump export import' -- "$cur"))
            return 0 ;;
        g_lock)
            COMPREPLY=($(compgen -W 'do dump locks' -- "$cur"))
            return 0 ;;
        groupmap)
            COMPREPLY=($(compgen -W 'add addmem cleanup delete delmem list listmem
                memberships modify set' -- "$cur"))
            return 0 ;;
        groupmember)
            COMPREPLY=($(compgen -W 'add delete list' -- "$cur"))
            return 0 ;;
        idmap)
            COMPREPLY=($(compgen -W 'aclmapset delete dump restore secret setmap' -- "$cur"))
            return 0 ;;
        registry)
            COMPREPLY=($(compgen -W 'createkey deletekey deletevalue enumerate getsd
                getvalue getvalueraw setvalue' -- "$cur"))
            return 0 ;;
        rpc)
            COMPREPLY=($(compgen -W 'audit info join oldjoin testjoin user password
                group share file printer changetrustpw trustdom abortshutdown
                shutdown samdump vampire getsid rights service registry
                shell' -- "$cur"))
            return 0 ;;
        rap)
            COMPREPLY=($(compgen -W 'admin domain file group groupmember password
                printq server session share user validate' -- "$cur"))
            return 0 ;;
        sam)
            COMPREPLY=($(compgen -W 'addmem createbuiltingroup createdomaingroup
                createlocalgroup deletedomaingroup deletelocalgroup delmem list
                listmem mapunixgroup policy rights set show
                unmapunixgroup' -- "$cur"))
            return 0 ;;
        server)
            COMPREPLY=($(compgen -W 'domain name' -- "$cur"))
            return 0 ;;
        share)
            COMPREPLY=($(compgen -W 'add allowed delete list migrate users' -- "$cur"))
            return 0 ;;
        status)
            COMPREPLY=($(compgen -W 'sessions shares' -- "$cur"))
            return 0 ;;
        *)
            ;;
    esac

    # 1st level commands.  The list is cut off after 'groupmap' in the
    # archived copy of this message.
    case $cur in
        *)
            COMPREPLY=($(compgen -W 'admin ads cache changesecretpw changetrustpw
                conf dom domain eventlog file getauthuser getdomainsid
                getlocalsid g_lock group groupmap' -- "$cur"))
            ;;
    esac
    return 0
}
complete -F _net net

Re: [Samba] Samba 3.5.11 shares and downloads with IE9 on Windows 7

2011-09-10 Thread Linda Walsh



Thomas Bork wrote:

On 11.09.2011 01:41, Linda W wrote:


This sounds like https://bugzilla.samba.org/show_bug.cgi?id=8412.



I don't think, it's the same problem. I already tried without oplocks 
and smb2 isn't activated here.

Anyway - I could test a patch for 3.5.11.



Don't know if there is one -- and there was no SMB2 in 3.5.11...

But I misread this one...  It doesn't say it affects 3.5 or before...

Dang...now which one was it!...remember reading one recently that hit
3.6 ... that I thought had to do with file access problems. ..

Just your symptom sounded very similar..

I would see a file with the real name created in the target dir,
then see a tmp file created and grow to the size of the file, then would get
a message that the file couldn't be saved due to an access problem.

In the save dir, I'd find the initial file it created @ 0 bytes.

The 'tmp' file I'd find in my server's recycle dir for that dir -- and
it would be the full file.

(I have the vfs recycle2 option turned on for many of my shares... so
the tmp files ended up in there;  if you don't have that option turned on,
then the files would just get deleted)...




Re: [Samba] Can't add users to well known groups...code patch (quick hack/commented out problem code seems to fix)...

2011-09-09 Thread Linda Walsh

Well, this code patch seems to fix the problem with my missing groups...


Seems like because they were declared as well known groups (Domain Admins,
Domain Users...etc.)
They weren't being listed...

Seems a bit odd for a PDC to not list well known groups... no?

It looks like the code was intended to prevent people from using
the BUILTIN groups -- which doesn't seem to make a lot of sense
either.

Can someone clarify why we shouldn't be able to add/subtract from
well known or builtin groups?

MS publishes a list of well known groups that most domains would expect
to have, but when I tried to add them to my domain, they all became
unlistable and unusable.

Color me confused?

-linda






Linda Walsh wrote:

I created the well known group Domain Admins pointing to a local group,
but I am not able to add users to the group -- it claims I can only
add users to local or global groups...

But I only see local, domain, well-known, builtin.

There are no global groups unless one would include all groups that are
not local (i.e. domain, well-known, and builtin)

So why doesn't it want to let me add to my domain admins group when it is
defined as a well known group (which it is, according to MS)...






--- net_sam.c  2011-08-03 11:24:05.0 -0700
+++ net_sam.c   2011-09-09 19:27:39.190245264 -0700
@@ -1208,7 +1208,7 @@
   }
   }

-   if ((grouptype == SID_NAME_ALIAS) || (grouptype == 
SID_NAME_WKN_GRP)) {

+   if ((grouptype == SID_NAME_ALIAS) ) {
   if ((membertype != SID_NAME_USER) 
   (membertype != SID_NAME_DOM_GRP)) {
   d_fprintf(stderr, _(%s is a local group, only 
users 

@@ -1224,7 +1224,7 @@
 with %s\n), nt_errstr(status));
   return -1;
   }
-   } else if (grouptype == SID_NAME_DOM_GRP) {
+   } else if (grouptype == SID_NAME_DOM_GRP || grouptype == 
SID_NAME_WKN_GRP) {

   uint32_t grouprid, memberrid;

   sid_peek_rid(group, grouprid);
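
Review bot: in the changed `else if`, sending SID_NAME_WKN_GRP down the domain-group branch means the `sid_peek_rid(group, grouprid)` that follows reduces a well-known group to its RID alone, so a group whose SID is not under the domain SID (the S-1-5-32 entries in the groupmap listing earlier in the thread) would be treated as if it were a domain RID. Suggest checking that the group SID actually belongs to the domain before taking this branch, and keeping other well-known groups on the alias path or rejecting them with a clear error.
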
@@ -1284,8 +1284,7 @@
   }
   }

-   if ((grouptype == SID_NAME_ALIAS) ||
-   (grouptype == SID_NAME_WKN_GRP)) {
+   if (grouptype == SID_NAME_ALIAS) {
   status = pdb_del_aliasmem(group, member);

   if (!NT_STATUS_IS_OK(status)) {
@@ -1293,7 +1292,7 @@
 with %s\n), nt_errstr(status));
   return -1;
   }
-   } else if (grouptype == SID_NAME_DOM_GRP) {
+   } else if (grouptype == SID_NAME_DOM_GRP || SID_NAME_WKN_GRP) {
   uint32_t grouprid, memberrid;

   sid_peek_rid(group, grouprid);
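
Review bot: the new condition `grouptype == SID_NAME_DOM_GRP || SID_NAME_WKN_GRP` is missing `grouptype ==` on its right-hand side, so the bare non-zero constant makes the branch true for every group type that is not an alias; the add-member hunk above writes the comparison out in full. It should read `grouptype == SID_NAME_DOM_GRP || grouptype == SID_NAME_WKN_GRP`.
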
@@ -1349,8 +1348,7 @@
   return -1;
   }

-   if ((grouptype == SID_NAME_ALIAS) ||
-   (grouptype == SID_NAME_WKN_GRP)) {
+   if (grouptype == SID_NAME_ALIAS) {
   status = pdb_enum_aliasmem(group, talloc_tos(), members,
  num_members);
   if (!NT_STATUS_IS_OK(status)) {
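
Review bot: removing SID_NAME_WKN_GRP from the `pdb_enum_aliasmem` condition has no counterpart in the visible lines here, unlike the add and delete hunks, which add the type to the domain-group branch. If the branch that follows still tests only SID_NAME_DOM_GRP, listing the members of a well-known group now falls through to whatever the final else does; add the type to that branch as well, or explain why listing is meant to behave differently.
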
--- net_groupmap.c 2011-08-03 11:24:05.0 -0700
+++ net_groupmap.c  2011-09-09 19:30:32.840929705 -0700
@@ -444,12 +444,12 @@
   return -1;
}

-   if (map.sid_name_use == SID_NAME_WKN_GRP) {
+   /*if (map.sid_name_use == SID_NAME_WKN_GRP) {
   d_fprintf(stderr,
 _(You can only change between domain and local 
   groups.\n));
   return -1;
-   }
+   }*/

   map.sid_name_use=sid_type;
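
Review bot: the SID_NAME_WKN_GRP guard is disabled by wrapping it in `/* ... */` instead of being removed, and with it gone `map.sid_name_use=sid_type;` retypes a well-known mapping with no check at all. Delete the dead block in the patch, and if retyping well-known groups is the intent, say so in the commit message and consider restricting the change to the domain and local types that the error text names.
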

@@ -630,13 +630,15 @@
   /* Now we have a mapping entry, update that stuff */

   if ( c-opt_localgroup || c-opt_domaingroup ) {
-   if (map.sid_name_use == SID_NAME_WKN_GRP) {
+   /*
+* f (map.sid_name_use == SID_NAME_WKN_GRP) {
   d_fprintf(stderr,
 _(Can't change type of the BUILTIN 
   group %s\n),
 map.nt_name);
   return -1;
   }
+   */
   }

   if (c-opt_localgroup)
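
Review bot: the commented-out block starts with `* f (map.sid_name_use == SID_NAME_WKN_GRP) {`, an edit slip that dropped the `i`, and the comment leaves the outer `if` on opt_localgroup / opt_domaingroup with an empty body. Remove the outer `if` together with the dead code rather than commenting it out, so the BUILTIN type check is visibly gone instead of half present.
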


[Samba] Can't add users to well known groups...

2011-09-08 Thread Linda Walsh

I created the well known group Domain Admins pointing to a local group,
but I am not able to add users to the group -- it claims I can only add
users to local or global groups...

But I only see local, domain, well-known, builtin.

There are no global groups unless one would include all groups that are
not local (i.e. domain, well-known, and builtin)

So why doesn't it want to let me add to my domain admins group when it is
defined as a well known group (which it is, according to MS)...



[Samba] Not crazy...really! Domain!=DOMAIN (win7 showing both versions of my dom)...

2011-09-06 Thread Linda Walsh

Hah!  Caught it in the act!...

Filed it with a bug report talking about the problem...

Shows me being offered a choice between two icon types (anyone know what
those are?) for 'BLISS' (the newly mangled samba name) and 'Bliss' (the
original name)...

https://attachments.samba.org/attachment.cgi?id=6856

Not sure why or how what went into the case name changing, but it was
another source of havoc on my setup, as on linux, usernames (Bliss\user !=
BLISS\user) and pathnames /home/DOMAIN/user != /home/Domain/user

Still getting occasional weirdnesses ... though oddly most of my group
mapping problems went away recently after upgrading to 3.5.11 (don't know
if it was exactly co-incident, but that's the only thing I can think of
that would have changed that could have caused such a thing).   I still
can't SEE most of my groups... (no builtins, and only a few domain groups,
-- NO well-known groups (that are defined in my domain), like 'Domain
Admins'...(though it's still in some access lists in my local Win7
workstation, I can't ADD it on any new security tab .. nor most other
domain groups).

Oh well... keeps one entertained I suppose...






Re: [Samba] Bug in 3.6.0 saving files.

2011-08-26 Thread Linda Walsh



Yes... more than one person has noticed it...

I think it has to do with SMB2 keeping multiple descriptors open in,
perhaps, a cache, to the same file...

When Windows writes 'many' (not all) files out, it will first 'create'
the 'name' of the new file to verify access in the target location, then
it will write the file to a 2nd file (.tmp), and at the end of it all, do
a rename.  That way, if something interrupts it, you never get a partial
file left there, either all or nothin'.

It's the rename that fails, win deletes the tmp.

So when I saw this, I'd see ZERO length files under the name I'd saved,
and I'd find deleted 'tmp' dirs with the full content in the .recycle
dir of my SMB share.

The exact cause I surmise, above, is _speculation_, based on a limited
understanding of some differences that SMB2 seems to allow that normally
help achieve faster overall performance.   But I think samba is not
seeing those locks as 'advisory', but as mandatory, so it tells windows
that someone has it locked -- either that, OR Windows' request to release
the lock is getting lost or, perhaps, just delayed, so the rename attempts
to manip a locked file (thus fail)...

Obviously speculations on my part as to cause, but you are 3rd person to
note the problem -- cept another noted it with files downloading w/web
browsers, and I noticed it on writing out large image files from
photoshop (files in the 1-2+GB range)...

-l




Justin Piszcz wrote:

Hi,

If you open a word document on a Windows 7 PC on a samba share and 
attempt to save it (or ppt, etc) it will fail (SMB2 enabled).


Go back to 3.5.10, it works fine (SMB2 removed obviously).

Not sure if anyone has seen this but FYI.

Happens with Office 2007 & 2010.

Justin.




Re: [Samba] winbind wbcGetpwnam WBC_ERR_DOMAIN_NOT_FOUND

2011-08-24 Thread Linda Walsh




Shirish Pargaonkar wrote:

A call to wbcGetpwnam() with BUILTIN\Administrators
name (string) returns error 7 (WBC_ERR_DOMAIN_NOT_FOUND).

I tried just Administrators and got the same error.
Same error with user (string)  Everyone  also.
  


   I've noticed this problem as well...

In fact, every one of the well-known addresses that I manually added
(and are still listed, and mapped to local groups) are unavailable
for use at any client.  Very sad since I went to the trouble
of creating all the local groups for these that Samba refuses to
return them even though they are defined.

Is this something else that needs a patch?

*grouse*grumble*mumble*foo*

This is what I see for a net groupmap list (massaged a bit...):
 show_samba_wellknown_gids   


GID   |UnixGroup              |NTGroup                |Grp_Type  |SID
------|-----------------------|-----------------------|----------|-------------------
513   |Domain Users           |Domain Users           |Well-known|S-1-5-21-3-7-3-513
516   |Domain Controllers     |Domain Controllers     |Well-known|S-1-5-21-3-7-3-516
551   |Backup Operators       |Backup Operators       |Well-known|S-1-5-32-551
547   |Power Users            |Power Users            |Well-known|S-1-5-32-547
517   |Cert Publishers        |Cert Publishers        |Well-known|S-1-5-21-3-7-3-517
552   |Replicators            |Replicators            |Well-known|S-1-5-32-552
544   |Administrators         |Administrators         |Well-known|S-1-5-32-544
514   |Domain Guests          |Domain Guests          |Well-known|S-1-5-21-3-7-3-514
548   |Account Operators      |Account Operators      |Well-known|S-1-5-32-548
518   |Schema Admins          |Schema Admins          |Well-known|S-1-5-21-3-7-3-518
10123 |BUILTIN\ras servers    |RAS Servers            |Local     |S-1-5-32-553
512   |Domain Admins          |Domain Admins          |Well-known|S-1-5-21-3-7-3-512
515   |Domain Computers       |Domain Computers       |Well-known|S-1-5-21-3-7-3-515
500   |Domain Administrator   |Domain Administrator   |Well-known|S-1-5-21-3-7-3-500
550   |Print Operators        |Print Operators        |Well-known|S-1-5-32-550
546   |Guests                 |Guests                 |Well-known|S-1-5-32-546
501   |Domain Guest           |Domain Guest           |Well-known|S-1-5-21-3-7-3-501
519   |Enterprise Admins      |Enterprise Admins      |Well-known|S-1-5-21-3-7-3-519

---


Yet clients only see 'RAS Servers' out of these groups.

Before, when I had 'trusted domains only' turned on, I believe
that caused a problem showing my own groups as well as the
BUILTIN groups, as my domain's name is mixed case,
and samba doesn't play the way Windows does with such...

So (upper+lower case domain) 'Bliss' couldn't talk to
'BLISS' or BUILTIN but instead looked for '*' ...which was
very confusing...

Started happening in 3.6 due to change in backend...
continued to happen in 3.5.10, due to mangled DB...
which seems like there are no tools to unmangle.

Like a way to set 'user' - 'uid' - SID
mappings in samba?

Seems like a basic.   It's there for groups (though they aren't
working either)...

(under what we love about the M5 and Samba probs, even though there's
no off switch  they both keep on going...(still resolving my SID-UID,
just no usernames))...which means file serving is still working just can't
do much w/changing permissions on things...).



















Re: [Samba] 3.6.0 winbind issues

2011-08-18 Thread Linda Walsh


Michael Wood wrote:

P.S. Sorry for the mostly off-topic post.



If it's mostly not about samba, it's probably 'ok' to NOT cc the list..?

:-)


Turning off that param, BTW, did help -- some things that hadn't been
working started, and then gave all sorts of new indications of
problems.

With that param on, and due to going to winbind as primary resolver
before local hostfiles, the server and Win7 WS couldn't do name lookups,
but could still do UID/SID lookups...so that's been going on since June.

I tried to revert to 3.5.10, but as 3.6 had already mangled the DB, it was
still mangled w/3.5x...

It's been one long ongoing problem since I upgraded my server's OS
-- so many pieces of new SW had compat problems w/previous versions
(samba was only one, but has proven to be one of the more difficult ones to
get back 'just right'... -- probably partly to do with my having a manually
allocated, static TDB for the most part.  ... so turning off that param has
allowed my server to be able to communicate w/itself, and the Win7
WS now has a happy schannel again, though some remnants of the
up-cased dom/hosts still linger in some DB's -- had to make sure my
/etc/lmhosts file was read BEFORE netbios (nmbd)...as also forces
name-changes ... *sigh*...





Re: [Samba] PDC forgot it was part of domain... official (ha!) samba hack around to fix...

2011-08-18 Thread Linda Walsh




Michael Wood wrote:

Hi

On 3 August 2011 08:59, Linda Walsh sa...@tlinx.org wrote:
  

Among various problems since I upgraded to 3.6 (none of which got answered
really, -- so I backgraded to 3.5.10 and started debugging from there,
considering 3.6.0 too unstable/too incompatible for 'whatever' reason...

One of the probs I had was 'root' couldn't use net rpc anything --
kept getting auth failures.



Was this with 3.6.0 or after you downgraded again to 3.5.10?
  

Both .. haven't tried it since my servername started coming back together
(the 'mixed case' v. forced case causing parts of server not to know who it
was or similar -- (along with that param you mentioned).


Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my
normal UID could do an rpc user, but didn't have the auth to the
local files to read them (so got no results back).


Steps...
1) add self to group root
2) in /var/lib/samba and /etc/samba:
find . -gid 0 -print0|xargs -0 chmod g+rw
find . -gid 0 -type d|xargs -0 chmod g+xs



You're missing a -print0 on the second one there, but I assume that's
just a copy/paste error or something.

  

Then I noted that my 'user' could no longer auth either!
Bonus!

turned on -d10 on net rpc cmd,
Noted, it was trying to look up '*' for a pw server,

'*' doesn't resolve so well on my DNS server.



What was the actual log message?  Did you find out where this '*' was
coming from?
  


   It had to do with the trusted domains -- Because part of the server
was now upcasing everything, it thought it was a different 'server' than
the 'mixed-case' server...so it was looking for a '*' meta server to tell it
where its old name was...(very sad! ;-))...


It seems to me that finding out why there are no builtin SIDs might
have been a better idea than manually adding them.  But I suppose if
your idmap tdb was suspect then maybe this was indeed the best thing
to do.
  

---
   I am a bit impulsive @ times...but often, I *REALLY* want to get things
working again, on some level, as when things are badly broken,
no email, no files, no videos, no music, no programming, no homedirs
no internet, no art/wall/scan work/design...basically not good;
My Win7WS isn't at all setup to be useful w/o the server running.





/tmp/domsid:
Administrators sid=S-1-5-32-544 type=builtin
Users sid=S-1-5-32-545 type=builtin
Domain Controllers sid=S-1-5-32-516 type=builtin
Guests sid=S-1-5-32-546 type=builtin
Power Users sid=S-1-5-32-547 type=builtin
Account Operators sid=S-1-5-32-552 type=builtin



---
   I don't think the above was entirely the 'right' thing to do, even
though those are documented to be 'well known SIDS' in the MS literature -- as
now many of those sids no longer can be added or browsed...


I'm not getting the '*' message any more, -- turning off the trusted-only
and getting my methods resolutions in the right order seems to have
helped, though now I'm getting new messages:


Aug 17 02:12:32 Ishtar winbindd[11885]: [2011/08/17 02:12:32,  0, class=winbind] winbindd/winbindd_passdb.c:194(rids_to_names)
Aug 17 02:12:32 Ishtar winbindd[11885]:   Possible deadlock: Trying to lookup SID S-1-5-21-3-7-3 with passdb backend
Aug 17 02:12:32 Ishtar winbindd[11885]: [2011/08/17 02:12:32,  0, class=winbind] winbindd/winbindd_passdb.c:194(rids_to_names)
Aug 17 02:12:32 Ishtar winbindd[11885]:   Possible deadlock: Trying to lookup SID S-1-5-21-3-7-3 with passdb backend
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, class=rpc_srv] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no account in domain
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, class=rpc_srv] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Aug 17 02:12:32 Ishtar smbd[7382]:   _netr_ServerAuthenticate2: failed to get machine password for account ASTARTE$: NT_STATUS_ACCESS_DENIED
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, class=rpc_srv] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no account in domain
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, class=rpc_srv] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Aug 17 02:12:32 Ishtar smbd[7382]:   _netr_ServerAuthenticate2: failed to get machine password for account ASTARTE$: NT_STATUS_ACCESS_DENIED




These just started after I turned off that param...and some of the cases
got realigned again due to changes in resolution order.  The SID that it
is trying to lookup is the server's SID.  ASTARTE$, of course doesn't
exist -- Astarte$ does.

Listed that way in /etc/passwd, and I know linux doesn't ignore case.

So that just means some part of some DB needs to be cleaned up after
being mangled by libsmb's internal set-case code.

Still limping along...but I don't sit here and bang on samba probs, I do
a few things when I get ideas
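
An added example, not part of the original message or of Samba: a check that takes the `get_md4pw ... no account in domain` lines quoted above and reports which of the failing machine accounts exist in the passwd data under a different case, as with ASTARTE$ and Astarte$. The function names are hypothetical; the passwd entries and the GHOST$ log line are constructed.

```python
import re

# smbd logs this line when it cannot find a machine account by name.
NO_ACCOUNT = re.compile(r"get_md4pw: Workstation (\S+\$): no account in domain")


def failed_machine_accounts(log_text):
    """Distinct machine account names smbd failed to find, in first-seen order."""
    names = []
    for match in NO_ACCOUNT.finditer(log_text):
        if match.group(1) not in names:
            names.append(match.group(1))
    return names


def passwd_names(passwd_text):
    """Login names from passwd-format text, skipping blanks and comments."""
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line.split(":", 1)[0])
    return names


def case_mismatches(log_text, passwd_text):
    """Map each failing account to the passwd entries that differ only by case.

    An empty list means the account is missing outright, not merely
    stored under another case.
    """
    accounts = passwd_names(passwd_text)
    exact = set(accounts)
    folded = {}
    for name in accounts:
        folded.setdefault(name.casefold(), []).append(name)
    report = {}
    for wanted in failed_machine_accounts(log_text):
        if wanted in exact:
            continue  # exact match exists, the failure has another cause
        report[wanted] = folded.get(wanted.casefold(), [])
    return report


# The ASTARTE$ lines follow the log excerpt in the message above;
# the GHOST$ line is constructed.
SAMPLE_LOG = """\
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no account in domain
Aug 17 02:12:32 Ishtar smbd[7382]:   _netr_ServerAuthenticate2: failed to get machine password for account ASTARTE$: NT_STATUS_ACCESS_DENIED
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no account in domain
Aug 17 02:12:40 Ishtar smbd[7382]:   get_md4pw: Workstation GHOST$: no account in domain
"""

# Constructed passwd entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
Astarte$:x:1001:515:machine account:/dev/null:/bin/false
"""

if __name__ == "__main__":
    for wanted, variants in case_mismatches(SAMPLE_LOG, SAMPLE_PASSWD).items():
        print(wanted, "->", variants or "no such account in any case")
```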

Re: [Samba] PDC forgot it was part of domain... official (ha!) samba hack around to fix...

2011-08-18 Thread Linda Walsh




Michael Wood wrote:



I didn't get the benefit of '*' added to my wbinfo...



I don't understand what you mean by this.
  

Just saw this note by Benedikt Schindler:

  

Of course, as noted earlier, my wbinfo also doesn't seem to know about
builtin SID's either .. so am having to add them...




 Original Message 
Subject:samba 3.6: autorid has no domain order
Date:   Fri, 12 Aug 2011 18:23:14 +0200
From:   Benedikt Schindler benischind...@gmx.de
To: samba@lists.samba.org


[snip  noting multiple future snips @ random! ]

I first tried autorid with a config like this:

   winbind enum users = yes
   winbind enum groups = yes

   idmap backend = autorid
   idmap gid = 10-149
   idmap gid = 10-149
   allow trusted domains = yes

... then later

I also read the mail about the new idmapping so i also tried these
configuration:

   winbind enum users = yes
   winbind enum groups = yes
   allow trusted domains = yes

   idmap config A : backend = rid
   idmap config A : range   = 10 - 19
   idmap config A : base_rid= 1000

   idmap config B : backend  = rid
   idmap config B : range= 20 - 29
   idmap config B : base_rid = 1000
-

Then next note he says:
if i use this config:



 winbind enum users = yes
 winbind enum groups = yes
 allow trusted domains = yes

idmap config * : backend = tdb
idmap config * : range   = 7-9

 idmap config A : backend = rid
 idmap config A : range   = 10 - 19
 idmap config A : base_rid= 1000

 idmap config B : backend  = rid
 idmap config B : range= 20 - 29
 idmap config B : base_rid = 1000
  
i get following message from a SID of domain A:

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1004336348-920026266-682003330-1113 to uid

i change this line

 allow trusted domains = no

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1004336348-920026266-682003330-1113 to uid

it does not work. i change this line

idmap config * : backend = rid

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
100113

so it works ... but getent passwd still does not show any user.
so there is still a long way to go.

if i delete all the idmap config *  parts it won't work again.
  --

But also if it does work i need trusted domain support. the only
config that really works right now, is the new autorid.



A lot of the error he is describing I saw as well, but I didn't see the email
about the new idmapping that told about '*'...(or that it was needed.

My server thought there were 2 domains due to the case-change problem --
that's why it kept looking for *, which I am guessing is supposed to be some
type of domain locator address.

My DB, since I'd only ever had 1 never had entries setup for 2, but when
the name got changed by NMB -- suddenly there were 2 servers -- and calls
coming in for Domain, were getting refused on DOMAIN

That's my best explanation yet, as to what happened...


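The rid backend arithmetic behind the quoted `wbinfo -S` result, as an added example that is not part of the original messages or of Samba's own code. It parses `idmap config` lines, applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) and reports overlapping ranges; the three ranges and all function names are assumptions made for the illustration.

```python
import re

# Constructed smb.conf fragment. The ranges are assumed values, chosen so that
# RID 1113 with base_rid 1000 reproduces the 100113 seen in the quoted output.
SAMPLE_CONF = """
idmap config * : backend = tdb
idmap config * : range   = 70000-99999
idmap config A : backend = rid
idmap config A : range   = 100000 - 199999
idmap config A : base_rid= 1000
idmap config B : backend  = rid
idmap config B : range    = 200000 - 299999
idmap config B : base_rid = 1000
"""

LINE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Collect the per-domain idmap settings from smb.conf-style text."""
    domains = {}
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1), m.group(2).strip().lower(), m.group(3)
        entry = domains.setdefault(
            dom, {"backend": None, "range": None, "base_rid": 0})
        if key == "backend":
            entry["backend"] = value.lower()
        elif key == "range":
            low, high = (int(part) for part in value.split("-"))
            entry["range"] = (low, high)
        elif key == "base_rid":
            entry["base_rid"] = int(value)
    return domains


def split_sid(sid):
    """Return (domain_sid, rid) for an S-1-5-21-x-y-z-RID account SID, else None."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None  # well-known or builtin SIDs carry no domain RID to map
    if not all(p.isdigit() for p in parts[4:]):
        return None
    return "-".join(parts[:7]), int(parts[7])


def sid_to_unix_id(domains, domain, sid):
    """Apply ID = RID - BASE_RID + LOW_RANGE_ID; None when no mapping exists."""
    parsed = split_sid(sid)
    cfg = domains.get(domain)
    if parsed is None or cfg is None:
        return None
    if cfg["backend"] != "rid" or cfg["range"] is None:
        return None
    low, high = cfg["range"]
    unix_id = parsed[1] - cfg["base_rid"] + low
    # A result outside the configured range is refused rather than clamped.
    return unix_id if low <= unix_id <= high else None


def overlapping_ranges(domains):
    """Pairs of configs whose ranges intersect.

    With overlapping ranges two different accounts can end up with the same
    Unix ID, so file ownership no longer identifies one account.
    """
    items = sorted((c["range"], name) for name, c in domains.items() if c["range"])
    clashes = []
    for i, ((_, high_a), name_a) in enumerate(items):
        for (low_b, _), name_b in items[i + 1:]:
            if low_b <= high_a:
                clashes.append((name_a, name_b))
    return clashes


if __name__ == "__main__":
    conf = parse_idmap(SAMPLE_CONF)
    sid = "S-1-5-21-1004336348-920026266-682003330-1113"
    print("domain A:", sid_to_unix_id(conf, "A", sid))
    print("overlaps:", overlapping_ranges(conf))
```
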


Re: [Samba] 3.6.0 winbind issues

2011-08-16 Thread Linda Walsh




Michael Wood wrote:

Hi Linda
  

Yeah...reported this a month ago... as well as other TDB/SID backend probs:
http://lists.samba.org/archive/samba-technical/2011-July/078663.html
http://lists.samba.org/archive/samba-technical/2011-July/078826.html

---
I wasn't sure if it was a 3.6 problem or some type of cockpit error, but
both emails were ignored.



If you find something that looks like a bug and nobody responds to
your e-mail, perhaps you should report it via Bugzilla so that it
won't get lost.
  


  I don't feel that's something many developers want -- and I know some don't.
If you don't have firm evidence that it's the SW that is broken, they'll just
close out the bug with Works for Me, and I've wasted my time.  Too many
times -- even with repeatable test cases on too many different projects.
This is especially true with something like samba where when I asked for any
help in tracking down this, I was asked to submit a 15-25MB samba log with
debug set to 10 to the samba list -- NOT to upload it to a bug, but dump huge
amounts of data to the list.  I didn't feel comfortable doing that.  For all
I know, unencrypted passwords might be buried in that logfile and I'd never
catch them -- not to mention the flak I'd get for posting something so large
to the list.
What were you thinking?  Well so and so told me, ...you gonna jump off
a cliff if he tells you to do that...etc..

Even now, I'm not sure why setup is broken.

I can do a UID - SID translation and SID-UID translation on my userid,
BUT, when windows tries to lookup my userid in winbind, the log spits out:

[2011/08/15 08:30:02,  6, class=winbind] winbindd/winbindd.c:768(new_connection)
 accepted socket 28
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_misc.c:352(winbindd_interface_version)
 [17439]: request interface version
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
 [17439]: request location of privileged pipe
[2011/08/15 08:30:02,  6, class=winbind] winbindd/winbindd.c:768(new_connection)
 accepted socket 29
[2011/08/15 08:30:02,  6, class=winbind] winbindd/winbindd.c:816(winbind_client_request_read)
 closing socket 28, client exited
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
 getgroups lindaw
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
 wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-3-7-3-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
 Could not convert sid S-1-5-21-3-7-3-80026: NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
 getgroups lindaw
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
 wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-3-7-3-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
 Could not convert sid S-1-5-21-3-7-3-80026: NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
 getgroups law
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
 wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-3-7-3-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
 Could not convert sid S-1-5-21-3-7-3-80026: NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
 getgroups lindaw
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
 wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-3-7-3-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
 Could not convert sid S-1-5-21-3-7-3-80026: NT_STATUS_NO_SUCH_USER

-

@ note, it maps the correct (historically -- what windows has seen), SID
to my username, but then My Domain -- rejecting getgroups, so
'NT_STATUS_NO_SUCH_USER'.

Things were 'worse.

Like root couldn't use 'net' rpc user because 'root's ID, apparently,
was broken, so it got invalid password .. and a normal user -- even admin,
can't do diddly...it's not governed by file permissions, as far as I can
tell, but literally a hard-coded check for 'root' (from observation -- and
making all the necessary files r/w by 'group root', which put my
login in.  i.e. I had r/w access to all the data files, but it refused
to allow me to make any changes, even though I was in the admin and
dom-admin groups.

Most of the builtin groups were missing...etc...
Hand added those back using groupmap -- but I couldn't point firmly to
what caused it --
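One way to condense a winbindd debug log like the one quoted above into per-user and per-SID counts, so that a short summary rather than the whole file can be shared; this is an added example, not code from the original message or from Samba. The sample log is constructed from the quoted lines, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the winbindd lines quoted in the message above.
# The last two records are wrapped the way a mail client wraps them, to show
# that the parser rejoins header, source location and message.
SAMPLE_LOG = """\
[2011/08/15 08:30:02,  6, class=winbind] winbindd/winbindd.c:768(new_connection)
  accepted socket 28
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups lindaw
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
  wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-3-7-3-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-3-7-3-80026: NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind] winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups law
[2011/08/15 08:30:02,  7, class=winbind] winbindd/wb_gettoken.c:65(wb_gettoken_send)
  wb_gettoken: My domain -- rejecting getgroups() for S-1-5-21-3-7-3-80026.
[2011/08/15 08:30:02,  5, class=winbind] winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
  Could not convert sid S-1-5-21-3-7-3-80026: NT_STATUS_NO_SUCH_USER
[2011/08/15 08:30:02,  3, class=winbind]
winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)

 getgroups lindaw
[2011/08/15 08:30:02,  5, class=winbind]
winbindd/winbindd_getgroups.c:187(winbindd_getgroups_recv)
 Could not convert sid S-1-5-21-3-7-3-80026:
NT_STATUS_NO_SUCH_USER
"""

HEAD_RE = re.compile(
    r"^\[(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*(?P<level>\d+)"
    r"(?:,\s*class=(?P<cls>\w+))?\]\s*(?P<loc>.*)$")
LOC_RE = re.compile(r"^(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
GETGROUPS_RE = re.compile(r"^getgroups (\S+)$")
REJECT_RE = re.compile(r"rejecting (\w+)\(\) for (\S+?)\.?$")
CONVERT_RE = re.compile(r"Could not convert sid (S-[\d-]+): (\w+)")


def parse_records(text):
    """Turn log text into records, rejoining wrapped headers and messages."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = HEAD_RE.match(line)
        if head:
            current = {"time": head["time"], "level": int(head["level"]),
                       "cls": head["cls"], "file": None, "func": None,
                       "message": ""}
            records.append(current)
            line = head["loc"].strip()
            if not line:
                continue
        if current is None:
            continue  # text before the first header is ignored
        loc = LOC_RE.match(line)
        if loc and current["file"] is None and not current["message"]:
            current["file"], current["func"] = loc["file"], loc["func"]
        else:
            current["message"] = (current["message"] + " " + line).strip()
    return records


def summarize(records):
    """Count lookups, rejections and failed SID conversions.

    users_per_sid links each failing SID to the account names whose getgroups
    request preceded the failure, which exposes one SID answering for several
    names.
    """
    out = {"lookups": Counter(), "rejected": Counter(), "failed": Counter(),
           "users_per_sid": {}}
    last_user = None
    for rec in records:
        msg = rec["message"]
        m = GETGROUPS_RE.match(msg)
        if m and rec["func"] == "winbindd_getgroups_send":
            last_user = m[1]
            out["lookups"][last_user] += 1
        m = REJECT_RE.search(msg)
        if m:
            out["rejected"][(m[1], m[2])] += 1
        m = CONVERT_RE.search(msg)
        if m:
            out["failed"][(m[1], m[2])] += 1
            if last_user is not None:
                out["users_per_sid"].setdefault(m[1], set()).add(last_user)
    return out


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE_LOG))
    for (sid, status), count in summary["failed"].items():
        users = ", ".join(sorted(summary["users_per_sid"].get(sid, ())))
        print(f"{count}x {status} for {sid} (requested as: {users})")
```
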

Re: [Samba] 3.6.0 winbind issues

2011-08-16 Thread Linda Walsh




Michael Wood wrote:

Personally, reading through and replying to a message like this takes
me a lot of time.  As I said I can't speak for the Samba developers,
but perhaps trying to keep your messages shorter will produce better
responses?
  

---
   In some cases, certainly, in other cases, doing so would only
require more questions about details I'd left out and, in some cases,
annoyance that I hadn't included such in the initial report.
Thus I tend to put in more detail, figuring that the extra few seconds
to read an additional bit of detail they didn't need, will be more than
offset by the time savings to any who actually looked at the problem
in understanding the problem and its context -- as WAY too often,
especially in the computer world, the context is what may allow,
enable or even cause the bug to occur.


Generally, I've more often found that for someone looking to uncover
a problem, giving more information, on the average, is more helpful
in eventual solving or finding the core of the problem.


Yes, as I said it depends on the circumstances.

If this message has annoyed you, I apologise.

Nothing, really, bothered me until you asked the question embedded
in that statement.  That got me to wondering _why_  you might have
cause for concern that I might be annoyed at anything you said -- you
appeared to be thorough and attentive to detail, why would someone be
annoyed about that?

Thus, I began to look for the possibility of Nth-order messages conveyed
through means other than the meanings of the words themselves.

Only in looking for such did I generate possible interpretations that
some might take offense to.  However, as all such interpretations are
generated by the receiver, based not upon what was being said but upon
creative interpretation of the actual content.  It's like people hearing
meaning in songs played backwards when no such meaning or words were
actually designed into the recording. 


Such is an example of the mind's automatically looking for messages
against a background of noise.  But it's like trying to recover information
after having lost pieces of the original:  you may stumble upon the
original message,  but given the permutations, there's usually no way
to verify if the message you [re]constructed was actually the real message
or if there ever had been
(presuming there was a real message encoded in the fragment to begin with:
that is,
(i.e. it may  if they have any resemblance to the original  or given the
permutations, , with enough creativity, many
false interpretations can be created, and it's possible that more often than
not, though, such messages really are
created from the 'noise', and were not meant or actually sent by the
speaker/writer/transmitter.

ability to create (or discern), such


that , did I realize that you'd been
thorough to details, which I had appreciated, but wondered *if*, that was
how I was supposed to have taken it -- i.e. that you expected
most people wouldn't appreciate such and if that might not be part
of that which you were subtly trying to say. 

I will consider that possibility, but, I've noted there can be an
infinite variety of meta messages that a receiver can impart to a
message the actual presence of which, is less than transparent.  It is
also the case, that a receiver can't, _really_, know which, if any, of such
interpretations might have been intended, and which are illusory.  Thus I
usually try to avoid meta interpretation, as presuming that such exist, is
more likely to lead to unseemly consequences, than taking the messages at face
value, at least in the eyes of most people, though not considering
the possibility of such can be equally, though differently, disadvantageous.

Thus...more food for thought.  ;-)


Cheers,
Linda



Re: [Samba] SMB2 weird behavior with samba 3.6 PDC

2011-08-15 Thread Linda Walsh




Mark Reidenbach wrote:

I tried enabling SMB2 on our network after upgrading to samba 3.6 and
experienced the following problems.  Commenting out Max Protocol = SMB2
makes the windows7 and vista clients happy.

   - [homes] Trying to open a html file in notepad fails on Windows7 Pro
   SP1.  Opening it in Firefox (default browser) or Open Office works ok.
   - [homes] Mozilla Thunderbird insists on downloading all the IMAP headers
   each time it is launched on Vista Pro SP2.
  


   What is it supposed to do?   My client checks for new headers and
downloads them all on each launch.  Of course what's really fun is when
you get to TB3 or above and it copies all of your IMAP folders into your
local roaming profile by default (and it isn't easy to disable unless
you already know how to do it).

   Great design...down load all IMAP messages from local server, and
then entire mail store gets sent back up to the server in logon (as
profile is stored)... and must be synced on login...  The Tbird people,
apparently didn't (and still refuse to) understand that IMAP is a remote
file-system that's not designed to have all of it downloaded to each
client you login to.  Whereas pop, usually when you d/led it, it was off
the server (though that later changed -- but it still doesn't keep
status the way IMAP does, nor does it have the search functions of IMAP.
You can have IMAP create a searchable DB of your email so larger
searches are lightning fast...instead, they copied my entire 4.5G mail
folder onto each local machine and account i used mozilla on.




   computer or a USB key to samba works ok, but Firefox and Chrome are
   unable to save files to the samba shares.  They download files ok (e.g.
   file.part) but seem to be unable to rename the file when the download is
   complete.
  

---
   Yeah that was another problem I tried reporting and to get info on
over a month ago, but never  got a response.  Part of my problem (maybe
all of it), is they changed the idmap backend -- I was using static
UID/GID mappings for the most part,   when I went to 3.6, all of my GID's
changed and my pwdb got very hosed.   Still haven't recovered (most
things work, but winbind refuses to return any info on my GUID, even
though locally it knows what UID it maps to.  But log is filled with
GUID lookup errors for mine and random ones -- a lot of S-0-0.

   The problem on the 'that'file is that apparently smb2 opens the
file you want to save in, first, but doesn't close it -- then downloads
to a .tmp file, and then does a rename over the first (or a copy, not sure
which).

   Anyway server refuses to allow it -- as it thinks the first
file is still open.

   If you have server 'recycle bin' turned on (the samba module), (and
use savetree), you'll find the completed files in your recycle bin
named with some p.xxx tmp name.   Just rename the file from the server
and copy it over the first. 







   - [public] Installing programs from samba seems to partially work.
   Installing Itunes 10.4 for 64 bit windows 7 seemed to work but the Apple
   Software Update program was not installed (uninstalling, copying
   iTunes64Setup.exe to the desktop, and running the setup program worked).



Odd, I've had a similar prob w/nvidia's sw-update prog -- but I wouldn't
have thought it to be samba related...

Good luck --- I'm back at 3.10 -- and still have figured out how to
repair my DB.

Apparently the DB format got changed, and isn't backward compat (or
something!) -- i.e. when looking up my domain, it tries to look for '*'
first, which it then expects to have return the domain.   I have no '*'
entry in my tdb file.  Top level entry that everything is under is the
Domain name.

So many types of lookups don't work.

Had lots of performance problems with MSWin swamping my network
connection really bad -- so that I couldn't play AV hosted on the
server.  Tried every downward tuning option available (my net was
optimized for SMB1 -- 125MB writes/ 119-121MB/s reads over a 1Gbit
net...(max speed, not average!)  But I think that the new SMB2 code is
much 'tighter in windows, so it executes more quickly so it is difficult
for other traffic to get a chance.

Unfortunately MS designed their file-serving protocol to be
undifferentiable for setting QOS on...(i.e. it establishes 1 connection
in the name of 'system', and all I/O to/from server goes through the 1
server.  So no way for a user to prioritize I/O (can prioritize by port,
but as all file  i/o is done through 1 port, doesn't help, and by process,
except that system does the I/o for file processes -- all glummed together.

It's just peachy!





Re: [Samba] SMB2 weird behavior with samba 3.6 PDC

2011-08-15 Thread Linda Walsh




Mark Reidenbach wrote:


What I meant to say is that Thunderbird downloads every message every
time it is launched when I have max protocol = smb2 enabled.
Without that line it checks the headers and is done.  Even if it's not
efficient I don't mind it downloading and caching the message once,
but having to do so on every launch takes a lot of time and a lot of
bandwidth.

---
But SMB2 wouldn't affect the IMAP protocol.   Is your local Thunderbird dir
stored on a network share?   If that's the case, then it's probably the
same problem that others are experiencing about UID's not being resolved
consistently (if at all)...that would cause possible file read/write problems
and it might think it needs to d/l again.




I don't have a windows server to test against, but surely this isn't
acceptable behavior from a windows server.  Hopefully one of the samba
team members could help debug why all common browsers are unable to
download files to a samba share.

---
   It's not just browsers.

   I was saving a large file (maybe that's the key -- a file that takes
a long time to write -- was saving a 2GB image from photoshop -- couldn't
save it AT all..

Had to pull it out of the vfs_recycle to put it in place.


Re: [Samba] Large file stream extended attribute support

2011-08-11 Thread Linda Walsh

T L wrote:

Hi list,

Does Samba support large extended attributes? By this I'm referring to
attributes that are alternate streams attached to a file.

http://msdn.microsoft.com/en-us/library/aa364404%28v=vs.85%29.aspx

Seeing a problem when the referenced stream points to large files (sometimes
3M+).

Thanks for the help,
- T

---
	I'm guessing it depends on what file system you are using and how big
the extended attributes are that it supports.  XFS, I think is limited
to something like 64k/attr (but don't quote me on that!) of extended
attributes; I've no idea if there is a combined limit.

Maybe another file system supports larger.

There's also a samba option to store extended attributes in a file
'somewhere' ... it's a vfs module...

It says 'experimental'...but the vfs_streams_depot, might work

There are also modules 'vfs_streams_xattr', to store them in extended
attributes, and there's a vfs_xattr_tdb, which can store EA's in a TDB,

I don't know if the modules 'stack'...but if the vfs_streams_depot doesn't
work, then if you used the vfs_xattr_tdb, and stored all your attr's in
a TDB (a database file), then the vfs_streams_xattr to store streams in
xattrs ***might*** store the streams in the tdb...

But 3M for an alternate data stream is pretty 'huge' compared to
normal purposes -- generally to hold things like the file's source
(internet or not, so it can give you a message about it possibly being
'unsafe' to open) little bits and pieces.

It's not 'normally', AFAIK, used for general purpose data storage...i.e.
3M of data should probably be stored in a normal file, not a
'resource-fork/data stream, as those are more for metadata.

Here's what the manpage for xfs-attr says about 'extended attrs':


   Extended attributes implement the ability for a user to attach
   name:value pairs to objects within the XFS filesystem.

   This document describes the attr command, which is mostly compatible
   with the IRIX command of the same name.  It is thus aimed specifically
   at users of the XFS filesystem - for filesystem independent extended
   attribute manipulation, consult the getfattr(1) and setfattr(1)
   documentation.

   Extended attributes can be used to store meta-information about the
   file.  For example character-set=kanji could tell a document browser
   to use the Kanji character set when displaying that document and
   thumbnail=... could provide a reduced resolution overview of a high
   resolution graphic image.

   In the XFS filesystem, the names can be up to 256 bytes in length,
   terminated by the first 0 byte.  The intent is that they be printable
   ASCII (or other character set) names for the attribute.  The values can
   be up to 64KB of arbitrary binary data.



(of course you 'could' have 3M of metadata, but it would be unusual...)

Do you really have 3M of name=attribute strings?



Good luck!...


[Samba] difference between '%u' and '%U'?

2011-08-10 Thread Linda Walsh

I realized in looking at my smb.conf, I'm not using these in
a consistent manner, and  well I just don't understand what the
differences are between them.

Sure I can read the smb.conf page:
 %U
   session username (the username that the client wanted, not
   necessarily the same as the one they got).
vs.
 %u
   username of the current service, if any.
---
So if I use %U, what name might I get 'instead'?

For example, MS, seems to save my profile under 'user.V2'...even
though my smb config has:

logon path = \\%D\%U\profile
logon home = \\%D\%U
logon drive = i:



But my 'home' is always set to  /home/Domain/User,
but my profile (under W7), is stored under /home/Domain/User.V2...

So when my home dir is mounted, I don't see the 'appdir' of *my*
profile, but the appdir of an XP login (which has caused more than
a little bit of confusion over the years)

Now, I 'hack' around this by mounting 'i:' manually,
and setting it to '/home/Domain/User.V2'(which still feels
like a 'hack', but at least my homedir contains my profile and
not my XP profile!


So how are %u and %U supposed to be different?   Should one evaluate
to 'User.V2'?

Thanks for any 'enlightenment!'





Re: [Samba] No admin privileges after upgrade from 3.5.8 to 3.6.0rc3

2011-08-04 Thread Linda Walsh

Hans-Peter Jansen wrote:

Hi,

since I was bitten badly by this today, I take the additional time to 
report this issue here. 

After upgrading from samba 3.5.8 to 3.6.0rc3, Administrator on the xp 
clients (yes, still xp sp3, no vista, no win7 clients here) lost its 
admin privileges.


My Samba PDC setup evolved over about a decade now, 

Ditto.
but since it still
needs to support a small environment only (20 xp, 30 users), I kept 
the security = user approach,

---
(only need to support 1-2 users ! ... + my many personalities!

Users and admin can domain login just fine, but with 3.6.0rc3, the 
admin lost his privileges, simply downgrading samba to 3.5.8 fixed 
this.


I didn't catch my problem soon enough and it corrupted my DB,
so after going back to 3.5.10, I'm slowly working on ironing out the
problems again.





Here's my samba build:
https://build.opensuse.org/package/show?package=sambaproject=home%3Afrispete%3Asamba%3ASTABLE

That's linked to project network:samba:STABLE. If somebody from this 
project there is reading here: Doesn't the term STABLE and the 
project description imply stable released packages? IMHO, a release 
candidate doesn't match this criteria, but others might disagree. 
/openSUSE Build Service internals


I saw the joke on the suse servers...but these are the same guys jumping
to every new tech for 'stable' User releases (still haven't recovered from
an 11.2-11.4 server upgrade done last april...keep finding gotcha's and
collateral damage.
---
FWIW, I reported 3.6 problems in the user database area on the samba tech
list back a month ago...never got any feedback.

http://lists.samba.org/archive/samba-technical/2011-July/078663.html


My prob, is everytime I get my config 'correct', they change the
definition of correct in a newer version...(sigh...what else is new...)...









[Samba] PDC forgot it was part of domain... official (ha!) samba hack around to fix...

2011-08-03 Thread Linda Walsh

Among various problems since I upgraded to 3.6 (none of which got answered
really, -- so I backgraded to 3.5.10 and started debugging from there,
considering 3.6.0 too unstable/too incompatible for 'whatever' reason...

One of the probs I had was 'root' couldn't use net rpc anything --
kept getting auth failures.

Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my
normal UID could do an rpc user, but didn't have the auth to the
local files to read them (so got no results back).


Steps...
1) add self to group root
2) in /var/lib/samba and /etc/samba:
find . -gid 0 -print0|xargs -0 chmod g+rw
find . -gid 0 -type d -print0|xargs -0 chmod g+xs

Then I noted that my 'user' could no longer auth either!
Bonus!

turned on -d10 on net rpc cmd,
Noted, it was trying to look up '*' for a pw server,

'*' doesn't resolve so well on my DNS server.

My domain name does, but it was trying to contact '*' for
a pw server instead of using itself  (this used to work before
I tried upgrading to 3.6, FWIW)...

Anyway, explicit hackaround:

added:
passwd server=localhost

to my smb.conf.

Now the PDC is smart enough to know to look up passwords on
itself rather than going out and looking for '*', which
wbinfo REALLY didn't like --

lots of * not found messages from wbinfo...

Along with the idmap tdb format becoming incompat, (or maybe that's
the only one involved), apparently during the 'upgrade'[sic],
I didn't get the benefit of '*' added to my wbinfo...

Of course, as noted earlier, my wbinfo also doesn't seem to know about
builtin SID's either .. so am having to add them...


(writing script ...)

</tmp/domsid perl -e 'while (<>) {
printf "net groupmap add %s",$_;
}
'
/tmp/domsid:
Administrators sid=S-1-5-32-544 type=builtin
Users sid=S-1-5-32-545 type=builtin
Domain Controllers sid=S-1-5-32-516 type=builtin
Guests sid=S-1-5-32-546 type=builtin
Power Users sid=S-1-5-32-547 type=builtin
Account Operators sid=S-1-5-32-552 type=builtin


For some reason part of the refrain to the theme from Gilligan's Island
just popped into my head...
As primitive as can be

You'd think there'd be a better way, but ...C'est la vie...

linda
(always winning friends and influencing people...*cough* (To do what?)...)






[Samba] Why isn't Domain\User' = to User on PDC? Isn't it supposed to be?

2011-08-01 Thread Linda Walsh


When I access my PDC, via a unix service,
from a Domain client with a domain login,
the PDC attempts to validate Domain\User against the
authentication DB, but on a mounted file system,

a user on the PDC = 'domain\user' ... (which is what
I thought it should be).

But if I use 'ssh Pdc',
it authenticates as user 'Domain\User'

Now I hacked around this for myself, by adding an entry to the /etc/passwd
that dups my PDC usr, except prefixes it with the Domain name.

in /etc/passwd:
  linda:x:1001:201:linda@localhost:/home/me:/bin/bash
  Domain\linda:x:1001:201:linda@Domain:/home/me:/bin/bash
---
But that just seems 'wrong'
Shouldn't pam_winbind, in the pam stack be 'Domain'  PDC aware?
Or would that just be an RFE??

How do others deal with the above issues?  Or is something
'handling' them (i.e. doing the mapping?)


Note, that
wbinfo -u
and
wbinfo --domain=DOMAIN -u

return identical lists.

so why isn't pam_winbind treating DOMAIN\USER as USER?







Re: [Samba] [SOLVED] Windows 7 client not mounting 'HOME' share.

2011-07-30 Thread Linda Walsh

Julien Celle wrote:


it appears that the logon home parameter
should be set to the following value :
logon home = \\%L\%U
instead of the one I was using :
logon home = \\%L\homes\%U
I don't really understand why. Anybody could explain ?



I have noticed, (I use %D instead of %L), that
\\%D\homes == \\%D\%U

Mounting either one will mount the home dir.
'homes' is something of a 'reserved name' among the sharenames.




[Samba] winbind - NT_STATUS_NONE_MAPPED ( auth probs)....related?

2011-07-29 Thread Linda Walsh




I'm seeing this for several lookups in winbind for items
that I have not explicitly added.  Should I add them?


 Could not find domain for
 Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

 Could not find domain for sid S-1-1-0
 Could not convert sid S-1-1-0: NT_STATUS_NONE_MAPPED

 Could not find domain for sid S-1-5-11
 Could not convert sid S-1-5-11: NT_STATUS_NONE_MAPPED

 Could not find domain for sid S-1-5-2
 Could not convert sid S-1-5-2: NT_STATUS_NONE_MAPPED


Also was seeing this for an XP machine (not seeing the messages
for the Win7 machine):

winbindd_getpwnam: My domain -- rejecting getpwnam() for BLISS\athena$.

But machine athena was able to join the domain...so what
would such a message mean?

I'm able to access my server files normally from that machine
as 'me', but when I have a friend over, I set them up w/an
account for gaming, and they can't access the server...
(fortunately the game is on the local machine)...but
I made sure they have an account on the server,
they are listed in wbinfo -u  (as am I),

But no password works for validating them and they see no shares.

It's also the case that my 'root' user can't do any net rpc tasks
because the password comes up 'invalid'...
I've reset it with 'smbpasswd', but still net rpc user, (to list
users, won't let me because it claims I'm typing in an invalid
passwd..

So...is winbind needing something?










Re: [Samba] Samba 3.4, Windows 7, Roaming profiles and Folder redirection

2011-07-25 Thread Linda Walsh
John H Terpstra wrote:
 On 07/21/2011 10:07 AM, Tanuki uk wrote:
 Hello,
 I'm quite new to Samba administration and I've inherited a working samba
 setup with roaming profiles however the login and logout times for users
 has been growing and I'm starting to think it's time do something about it.
 I'm thinking redirect some folders to a samba share on the network will
 speed up the login and logout times.
 
 The increasing logon and logoff times are most frequently caused by
 people storing files on their desktops (a VERY bad practice in corporate
 environments) - the entire desktop is written to the server when the
 user logs off from a machine.  This is particularly problematic when
 people log onto multiple machines at the same time.
 
 Additionally, the files that are stored under My Documents are also
 copied from the profile server to the workstation at logon and are
 written back to the profile server at logoff.
 
 PS: I came across one site where users had up to 120GB files in their
 My Documents and up to 20GB on their desktop.  Needless to say, they
 could not afford the long logon and logoff times. :-)
---
Yeppers 
In my Win7 setup, I have my domain user sharing some files
with the local user (which was setup first), so:
domainuser in their 'homedir: (along with registry, and 'appdata/roaming')
is:

lrwxrwxrwx  1   18 2011-02-14 17:40 Contacts - Documents/Contacts/
lrwxrwxrwx  1   17 2010-01-26 03:55 Desktop - Documents/Desktop/
lrwxrwxrwx  1   16 2010-07-08 13:59 Documents - ../law/Documents/
lrwxrwxrwx  1   19 2011-02-14 17:37 Downloads - Documents/Downloads/
lrwxrwxrwx  1   19 2011-06-27 16:19 Favorites - Documents/Favorites/
lrwxrwxrwx  1   15 2011-06-27 16:36 Links - Documents/Links/
lrwxrwxrwx  1   15 2011-07-12 04:25 Music - Documents/Music/
lrwxrwxrwx  1   18 2010-07-08 13:59 Pictures - Documents/Pictures/



The ../law (local user) has:

%lrwxrwxrwx 2011-02-14 17:40 Contacts - Documents/Contacts/
%lrwxrwxrwx 2010-02-08 14:41 Cookies - Appdata/Roaming/Microsoft/Windows/Cookies/
lrwxrwxrwx  2010-04-01 22:25 Desktop - Documents/Desktop/
lrwxrwxrwx  2010-04-06 00:13 Documents - //Bliss/home/law/Documents/
lrwxrwxrwx  2011-02-14 17:37 Downloads - Documents/Downloads/
lrwxrwxrwx  2011-06-27 16:19 Favorites - Documents/Favorites/
%lrwxrwxrwx 2011-07-12 04:26 Links - Documents/Links/
lrwxrwxrwx  2011-07-12 04:27 Music - Documents/Music/
lrwxrwxrwx  2010-04-06 00:15 Pictures - Documents/Pictures/
%lrwxrwxrwx 2010-02-08 14:44 Recent - AppData/Roaming/Microsoft/Windows/Recent/
%lrwxrwxrwx 2010-02-08 14:45 SendTo - AppData/Roaming/Microsoft/Windows/SendTo/
%lrwxrwxrwx 2010-02-08 14:45 Start Menu -
AppData/Roaming/Microsoft/Windows/Start Menu/

Note: the % entries were attempts to provide compat with XP, client, BUT,
the XP client doesn't understand 'mklink' style symlinks...
(I think the kernel doesn't understand them, so even if you created them,
they wouldn't work).
instead, you have ntfs hardlinks, and 'junctions', which are more limited
but can be made to work -- like my 'Documents' directory, is a separate Share
I can mount it by //Bliss/Documents, and it will mount the user-specific
share, for their doc dir, (same dir as //Bliss/home/law/Documents in above).
I then can mount it at a rootdir -- something junctions seemed to have some
requirement for)...

Since things work 'flakey' (links are sometimes turned into files, so windows
will try to access things via other means), I setup cross-user links for
dirs I wanted shared -- don't share the appdirs!  (it isn't that you can't, or
that it won't work, but it isn't reliable, and you have to keep the apps on the
different clients in sync  if you don't or you have a workstation that doesn't
read a profile in on login for some reason (I've had it happen more than once),
but it *DOES* write the full profile out on logout), and if that workstation
was recently reformatted and doesn't have all the same settings
as the more current workstations, your 'unconfig'ed settings 'overwrite' your
newer settings .. then when they login on the new workstations...they get
settings that don't make sense or are months old or in a default config.

Backups and keeping a recent lsm snapshot going in the background can allow
quick recovery, it can still be a royal pain and certainly a nightmare on a
larger site.

The things that work well -- keeping my Desktop inside Documents, and keeping
Documents on the network share -- that way it's never updated via the roaming
profile.

Still have some 'wayward', ill behaved apps (Adobe apps in particular, but
also some personal backup SW, -- Thunderbird 3.x or above ... that download
huge amounts of data into the user's local-roaming profile.  (Adobe 2-3G,
Backup SW .. varies, Tbird -- will download an entire network-share of
email (IMAP) -- designed so network users could share 1 mail depot, into their
appdir -- by default.  Supposedly easy to turn off, but have had it 

Re: [Samba] Win7 can't joint Samba domain?

2011-07-02 Thread Linda Walsh

Mike Eggleston wrote:

On Fri, 01 Jul 2011, John Drescher might have said:


We've been trying to get a newly loaded Win7 (64-bit) box to join our internal 
Samba domain. The error that keeps appearing is the win7 box can't find the 
domain controller and is looking for the registry keys NetpLoadParameters 
DNSNameResolutionRequired. We've set these registry keys before on other boxes, 
and have tried on this box, and stuff isn't working?

Any suggestions on what to try?


http://wiki.samba.org/index.php/Windows7

Also search for the samba mailing list trust issues with windows7
machines. In this you will find how to disable the machine password
updates.

John


John (and anyone else),

That link says the same registry keys we're trying to set. Attempting to
join the Samba domain is still failing with an error those registry keys
cannot be found. This same installation disk was used to install Win7
on another box and it worked just fine. I can't think of any changes. I
don't understand why the previous box and win7 worked and this new box
with win7 is failing.


	1) The Wiki page, I feel is unclear.  It uses CCS to stand for CurrentControlSet, 
i.e. put this in a .reg file and merge it from the desktop...



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001



Have you looked at a wireshark trace?



[Samba] idmap backend defaults to tdb... but doesn't have entries for '*'...

2011-06-28 Thread Linda Walsh

I think this is one of my config problems.

my tdb map backend is the default tdb with manually setup accounts after
provisioning a new db to get the builtins.   


While it works for my domain, if some app requests '*' group/user
enumeration (an app running on a domain-client (machine joined, logged
w/domain account), it gets 'no such domain'...  But for a machine in my
domain, to the pdc, the domain would be assumed, so '*' (I think) would
make sense.

So why isn't '*' picking up my domain?

FWIW, I spent way too much time on keyboard yesterday and wrists are sore
(first time in months)...but then also in trying to fix the mappings --
since the log message about *, said 'no range defined', I tried defining a
range. It took me a while to realize how many things broke -- not sure
if it took a while to overwrite the correct passdb.tdb or what...but by
the end of the day I was chasing wild geese -- due to a corrupted
database.

I restored to the morning's backup and was back up, but wasted several
hours trying to fix the '*' requires range error message in the log.  So
why isn't * picking up the domain entries that it is running as the PDC
for?



[Samba] cygwin 'QueryUserInfo' fails dueto samba error. Wazup?

2011-06-27 Thread Linda Walsh

I made progress in tracking down a problem on cygwin that's been bothering
me for a while since Win7 and domain.

when I do:

mkpasswd -D

mkpasswd (434): [31] A device attached to the system is not functioning.

A network trace shows that it's trying to get the home dir
information from my main user. When it queries the info 
Samba returns STATUS UNSUCCESSFUL (indicated in network status of trace).


in the log, I see :

[2011/06/27 17:41:16.099526,  3] smbd/service.c:845(make_connection_snum)
 Connect path is '/var/tmp' for service [IPC$]
[2011/06/27 17:41:16.099526,  3] smbd/vfs.c:102(vfs_init_default)
 Initialising default vfs hooks
[2011/06/27 17:41:16.099526,  3] smbd/vfs.c:128(vfs_init_custom)
 Initialising custom vfs hooks from [/[Default VFS]/]
[2011/06/27 17:41:16.099526,  3] smbd/service.c:1095(make_connection_snum)
 athenae (192.168.3.140) connect to service IPC$ initially as user lindaw 
(uid=5013, gid=201) (pid 18720)
[2011/06/27 17:41:16.099526,  3] smbd/msdfs.c:870(get_referred_path)
 get_referred_path: |home| in dfs path \Bliss\home is not a dfs root.



Um...what does that mean?


I'm trying to check what wbinfo thinks -- and that might hold a clue to
the problem, as it's got its own confusion.  It lists the expected users
and groups (with no Domain prefix in front of them -- this is right? right, 
for running on the DC?), it also shows:

# wbinfo -p
 Ping to winbindd succeeded
# wbinfo --all-domains
 BUILTIN

 BLISS
# wbinfo --own-domain 
 BLISS

# wbinfo --trusted-domains
 BUILTIN
 BLISS
# wbinfo --online-status BLISS
 BUILTIN : online

 BLISS : online
# wbinfo -P
 checking the NETLOGON dc connection succeeded
# wbinfo --getdcname BLISS
 Could not get dc name for BLISS

 ^
   ^ --This is the first indication of a problem... also when I try
wbinfo --dsgetdcname   it just goes off and thinks about it.
(don't know if it ever would come back...waited about 30 seconds,
but gave up)

I can map a uid to a sid:

# wbinfo --uid-to-sid=5013
 S-1-5-21-3-7-3-80026

but I can't ask about a user (w/ or w/o the domainname in front of it):

# wbinfo -i [domain\\]username
 failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Ideas?  about any of these?

Conceivably all my bases are belong to idiot, but, 'most things work'...

I've been trying some changes, but have made things worse (and then
better again)...and now am a bit better than when I started, but am
stumped on how to proceed...


*sigh*
help?

Linda









Re: [Samba] cygwin 'QueryUserInfo' fails dueto samba error. Wazup?

2011-06-27 Thread Linda Walsh
I'm also seeing messages from nmbd saying (msgs reformatted/truncated for 
readability).


wins...request: Name refresh for name BLISS00 IP 192.168.3.12
wins...request: Name BLISS00 group bit = True does not match group \
   bit in WINS for this name.

wins...request: Name refresh for name BLISS00 IP 192.168.3.140
wins...request: Name BLISS00 group bit = True does not match group \
   bit in WINS for this name.

In monitoring logs, saw that the browse
list was dumped into /var/lib/samba/browse.dat, so decided to check it 
out.


For my server/DC, I see the following entries:

BLISS   c0001000 ISHTAR  BLISS

ISHTAR  408d9b2b Bliss on Ishtar running Samba 3.6.0rc2 
BLISS

BLISS   40809a2b Bliss on Ishtar running Samba 3.6.0rc2 
BLISS
---


---
May not be related to original problem (may be something completely
different, but thought I would mention it if pertinent).





Re: [Samba] Problem getting Samba fully working

2011-06-25 Thread Linda Walsh

Moe, John wrote:

Hello all,

Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.

I'm trying to get a FreeRadius instance working for our Windows network.
To do so, I need a Linux box running Samba.  I've installed and
configured Kerberos, Samba and FreeRadius, and can get most things to
work.  I can get a Kerberos key using kinit, and sudo net ads keytab
list shows me tickets.  I can use things like net ads user myuser -U
myuser to get info about my user account.  I can use sudo wbinfo -t
to show the secret trust is OK, and sudo net ads testjoin works as
well.  I can even log on to my switch using RADIUS authentication to my
AD account (using ntlm_auth).  So a lot of the pieces are working
correctly.



[2011/06/21 07:12:21,  1]
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!




I am not sure the above messages are from your
ssh...  And I know nothing about configuration with Free Radius or
Kerberos, so your problems may be completely different from ones
I've had but...



I take it you are running ssh on the Win7 workstation and trying to
login to the linux samba server.


if your username in the domain is 'user' (i.e. you are 'domain\user'),
and your linux account is 'user', 
then on the ssh line, you might try


'ssh user@linux-server'  instead of the normal 'ssh linux-server'

If that works, then your 'sshd' server on your linux server
is probably receiving 'domain\user' as the username, (not just 'user')
and doesn't know what to do with that.


Theoretically should be resolvable via proper pam and config files 
(all the file ops map my 'domain\user' = 'user' on the PDC), but, 
a _*hack*_ I use (but would find a better solution in a production

environment) is to create a 2nd /etc/passwd & /etc/shadow entry
that dups my 'user' but has the username field changed to 'DOMAIN\user'.
(getting the capitalization to agree with what the workstation thinks 
it is, is important in this case; upper case is norm, so unless you've

customized things in the win registry, shouldn't be a prob (not that I
would have any knowledge of this, of course...)

But I'd try to get 'winbind' config'ed with pam to map the username
properly for a best fix (on my 'todo list') ... just hasn't
been that important ...

Best short term:

specify the username with the hostname when using the 'ssh' (or scp, 
i.e. 'scp file user@remote:/tmp' ) ...


In any event, using kerberos/freeradius, there should be some way
to make sure that a 'domain\user' is mapped to 'user' on a PDC...

Or it might be the 'ssh' client that shouldn't be prepending the 
windows domainname  not sure.


But hopefully gives you some ideas where to look...







Re: [Samba] Different permissions displayed in security tab andadvanced tab

2011-06-25 Thread Linda Walsh

Dale Schroeder wrote:

On 06/24/2011 12:11 AM, Linda W wrote:
David was trying to view and change permissions on a user that was 
already listed on the security tab; he was not adding a user or group.


I did this just now, changed it to full control for the one listed
user and group and 'Everyone'...  I then told it to propagate 
it did, but visiting a sub folder doesn't have the 'propagated from parent'
message.

But the perms got changed with the exception of trying to delete
'Creator_owner' and 'creator_group'...they seem to not be deletable.

I haven't tested the full extent of changing 'creator-owner/group', but
the user and group that are listed as the creator owner & group is changeable.


If yours looks like mine, the permissions of the user and group defined 
as the posix owner and group are blanked out, and if  you try to mark 
anything there, it will fail.

---
	They are not blanked out -- they say 'special' because they only 
apply to the current folder (and are not propagated).  Otherwise they say
'Full control' which is what the user has... but the user's perms can 
be set to 'full control' on the security and permissions page because you
can set the user and group id's to have Full control that is inheritable
on the subdirs and file.  But right now, unix doesn't support having the
'inherited from' information set (because the acls are set on each item,
whereas on NT many files can share 1 access list).  Much like on linux,
already, multiple names can point to the same inode.


Sometimes, there will be an error window popup; other times, the checked 


Like you, I have the drive mounted with user_xattr and acl. 

---
My mount options include no user_xattr or acl options  (they aren't
'options' in xfs but 'features', like unix permission bits - they don't
have to be specified to be turned on).

This is a long standing difference between Samba and native MS, more of 
an annoyance than a problem.
I have read that Samba is working on full acl compatibility with MS, I 
think in 3.6.  We'll have to wait and see if this corrects the differences.



I'm currently running 3.6, so maybe that explains some of the 
differences we are seeing...





Re: [Samba] filesystem of choice?

2011-06-24 Thread Linda Walsh



On 24/06/11 09:46 AM, John G. Heim wrote:

I'm setting up a new linux fileserver and I was wondering if samba
likes one filesystem more than another. I have to format a 1.8Tb
partition sometime today and I'll probably do ext3 unless samba
prefers something else.




I would use 'xfs'.  I believe samba was originally developed
over xfs, so it's likely the ea-support and acl support has had the most
testing there.  Especially if your file server is setup with a UPS, 
then I'd strongly recommend it.   If not, ext4 might be safer (with write
through).   It will be slower, but safer.

With a UPS, XFS's default 'write-back', will give the fastest
performance for large file writes (I think reads as well).   Its worst
performance is on removing large numbers of files, as that is pretty
much a  synchronous operation...



Re: [Samba] filesystem of choice? (app-dependant, but I prefer xfs for larger files)

2011-06-24 Thread Linda Walsh

John Drescher wrote:

       I would use 'xfs'.  I believe samba was originally developed
over xfs, so it's likely the ea-support and acl support has had the most
testing there.  Especially if your file server is setup with a UPS, then I'd
strongly recommend it.   If not, ext4 might be safer (with write
through).   It will be slower, but safer.

       With a UPS, XFS's default 'write-back', will give the fastest
performance for large file writes (I think reads as well).   Its worst
performance is on removing large numbers of files, as that is pretty
much a synchronous operation...


I would just use ext4, it does not have the ext3 large file slowness
or xfs slowdown with lots of small files.

John


xfs doesn't have much of a slowdown with small files
other than in deleting them.  That said, it *was* optimized
for people wanting to stream media (multiple channels) in real
time...  It was designed to excel with large file I/O.   So it's
possible benchmarks may show some small advantages in small
file I/O, (outside of deletes), but most of those problems can
be ameliorated or eliminated if you are on good hardware (UPS
backedup, any RAID's w/battery backed up cache) -- then
you might also improve performance by turning on/off write barriers
depending on your HW.


XFS should also be tuned for RAID stripe size for
optimal performance and give a large Metadata area when creating
it (128M) or 32768b (b=4k blocks);

@mount time, optimal speed options that I use include
defaults,noatime,swalloc,largeio,logbsize=256

(and possibly nobarriers depending on hw)...


But it really depends on your HW and your usage.
If you don't need fast file read/write on large files my large
array with 2 striped, 6,7.2k-SATA-disk RAID5's (a 'RAID50'), gets 1GB/s
read/write on large I/O's

	Speeds are comparable to raw device access.   Usually, 
for large reads/writes, using *direct access*, is 15-20% faster than

going through the linux-file buffers (for I/O's that exceed my system's memory 
size, thus making the cache effectively useless).  you still
get all the overhead of fs-cache management, but no benefit when moving
around files larger than sysmem.  That overhead may not make
much difference with a single 7.2k sata with top xfer rate of 120-140MB/s 
(2-3TB), but as you up the data rate, the overhead becomes
more significant.  


I have not benched xfs against ext4, but when I benched it
against ext3, it was faster in all tests except large# (500-1000 files at a time) 
file-deletions.

	BTRFS looks promising, but I, _personally_, think  it 
not quite ready for production systems.


I'm sure ext4 has improved much, and excels in some benchmarks, just
as xfs excels in some  -- it would depend on user usage.  Of course
xfs has been around since ... um...the mid 90's...so it has been 
fairly well tested...(though the port on linux is always 'ongoing' due

to new kernel interfaces and ongoing xfs performance optimizations)...







-- but that's a measurement
specific to my I/O rate and somewhat on my CPUs' speeds (2x2.67MHz Xeon
w/4 Core's ea).  

Re: [Samba] howto cache 'root' password for net commands?

2011-06-21 Thread Linda Walsh

Volker Lendecke wrote:


Try to start winbind, then

wbinfo --ccache-save

and

net --use-ccache

Haven't tested that for a while, so it might not work. But
it's supposed to :-)



Maybe the options were removed?  or maybe needs special compile options for 
them to be
included?




wbinfo --ccache-save

Invalid option
Usage: [OPTION...]


net --use-ccache
Invalid command: net 
Usage:






Re: [Samba] howto cache 'root' password for net commands?

2011-06-21 Thread Linda Walsh

Linda Walsh wrote:

Volker Lendecke wrote:


Try to start winbind, then
wbinfo --ccache-save
and
net --use-ccache
Haven't tested that for a while, so it might not work. But
it's supposed to :-)



Maybe the options were removed?  or maybe needs special compile options 
for them to be

included?


---
Never mind...found the prob -- it takes an arg... figuring it out...
Thanks!

Love the Samba error messages -- they come close to capturing the MS-Win spirit
in helpfulness...but really,  it should have just said 'error code 0x8008037' 
or some
such...


Re: [Samba] howto cache 'root' password for net commands?

2011-06-21 Thread Linda Walsh

Volker Lendecke wrote:

On Tue, Jun 21, 2011 at 07:06:23PM -0700, Linda Walsh wrote:

Volker Lendecke wrote:

Try to start winbind, then

wbinfo --ccache-save

and

net --use-ccache

Haven't tested that for a while, so it might not work. But
it's supposed to :-)



Maybe the options were removed?  or maybe needs special compile options for 
them to be
included?


Sorry, that's only available with Samba 3.5 and later.


It was not including an arg that was the prob...

(running 3.6.0-rc2 w/ 'user managed wide links' patch... :-) )

(won't be in 3.6.0 though, but maybe 3.6.1...)...


Re: [Samba] Sticky bit problem

2011-06-19 Thread Linda Walsh

David Aldrich wrote:

Hi

We are building a Linux app under Centos 5.3, using gnu make 3.81 and gcc 4.12. 
 The working directory is on a remote machine and is either a Samba share or a 
Windows 7 share.  We find that in the case of a Windows 7 share the resulting 
executable has the sticky bit set in group:

On Windows 7 share:

-rwxrwSrwx 1 snip myapp
T is the sticky bit, 
S is the SxID bit


BUT, a cap S, means the execute bit isn't set. so theoretically,
someone in the same group wouldn't be able to access any files or subdirs
but they could, theoretically read the names of the files...

I noticed that a group SGID bit also wasn't passed on in CIFS
when trying to duplicate some bug...



Re: [Samba] Sticky bit problem

2011-06-19 Thread Linda Walsh

Linda Walsh wrote:

David Aldrich wrote:

Hi

We are building a Linux app under Centos 5.3, using gnu make 3.81 and 
gcc 4.12.  The working directory is on a remote machine and is either 
a Samba share or a Windows 7 share.  We find that in the case of a 
Windows 7 share the resulting executable has the sticky bit set in group:


On Windows 7 share:

-rwxrwSrwx 1 snip myapp

T is the sticky bit, S is the SxID bit

BUT, a cap S, means the execute bit isn't set. so theoretically,
someone in the same group wouldn't be able to access any files or subdirs
but they could, theoretically read the names of the files...

-
Forget what I said above --  you said it was on an executable, 
not on a dir.



the cap S means the execute bit isn't set.   If the 'SGID' AND the
execute bit are set then it's a lowercase 's'

So of course, someone in whatever group shouldn't
be able to execute it since the execute bit is 'off'.

if the SGID bit is 'on', it should force whoever executes the file
into that group (while they are running that program) (if they aren't 
already)... you may not want that...  but apparently, over CIFS, the
SGID bit isn't being transmitted anyway... the permissions just look
odd on the CIFS client...it shouldn't show it as group executable.

What that is really saying on 'linux' is that anyone in that group can't
execute it.

The user can, group cannot, everyone else can



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
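
Added example, not part of the original thread: the reading of `-rwxrwSrwx` given in the message above, worked through in Python. It assumes the classic Unix mode-bit check with no ACLs; the uids and gids are constructed.

```python
import stat

# Mode of the executable from the thread: setgid set, group execute clear.
SAMPLE_MODE = stat.S_IFREG | 0o2767


def special_bit_findings(mode):
    """Return (ls-style string, notes) for an st_mode value.

    A special bit whose matching execute bit is clear is what ls shows as
    a capital letter (S or T) instead of s or t.
    """
    notes = []
    if (mode & stat.S_ISUID) and not (mode & stat.S_IXUSR):
        notes.append("setuid set, owner execute clear: 'S' in owner triplet")
    if (mode & stat.S_ISGID) and not (mode & stat.S_IXGRP):
        notes.append("setgid set, group execute clear: 'S' in group triplet")
    if (mode & stat.S_ISVTX) and not (mode & stat.S_IXOTH):
        notes.append("sticky set, other execute clear: 'T' in other triplet")
    return stat.filemode(mode), notes


def may_execute(mode, file_uid, file_gid, uid, gids):
    """Classic permission check: exactly one class of bits is consulted.

    Owner bits apply to the owner, group bits to members of the file's
    group, other bits to everyone else. A group member is NOT given a
    second chance through the 'other' bits.
    """
    any_exec = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if uid == 0:
        # root may execute if any execute bit at all is set
        return bool(mode & any_exec)
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


if __name__ == "__main__":
    text, notes = special_bit_findings(SAMPLE_MODE)
    print(text)
    for note in notes:
        print("  " + note)
    # Constructed identities: file owned by uid 1000, group 100.
    for label, uid, gids in [("owner", 1000, {100}),
                             ("group member", 1001, {100}),
                             ("other", 1002, {200})]:
        print(label, may_execute(SAMPLE_MODE, 1000, 100, uid, gids))
```
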


[Samba] howto cache 'root' password for net commands?

2011-06-19 Thread Linda Walsh


I have a minorly complicated root password that is hard to type correctly,
quickly... yet samba 'seems' to be  encouraging me to create a 
simple one in order to do management on the server via 'net'


I don't like to type the password more than once, the more times I type it, 
the more times it can be either monitored, or seen, or whatever...


So am I doing something incorrectly in my server management -- because
one has to run as 'root' to manage things with the net command, so you've
already typed in the password -- but then it asks you to type in the password
again.

Even windows save credentials under your login... so why is 'net' re-asking
me root's password, when it knows I am running as root?   (when I don't, it
says most things won't work (and they don't))...so how to cache?

Or is there some setting I've munged to create this problem for myself?

(certainly not inconceivable... ;-) )...




Re: [Samba] Samba process throttled back?

2011-06-17 Thread Linda Walsh

Lang, Rich wrote:

Hello,

We are running Samba 3.0.33 on a 2-node Linux cluster running RedHat 5.6 ES.  
Its primary application is to serve out a single network drive to support our 
business (out 350GB in size).  For several years, this solution has been 
running flawlessly.  File access was almost as fast as a local disk, so putting 
files on the server was never a problem.  Our clients are running mostly 
Windows XP Pro.  We have a few Windows 7 clients.


   Any difference in performance between the client types?

   Did the problems coincide with adding win7 machines to the network?   


   Any new software on the clients (antivirus, firewall...etc?)  Is
something using up more memory on them?  


   on your sockets, I up the SO_RCVBUF and SO_SNDBUF to at least 65536
each (more won't help until full smb2 support is in samba)

   Did you get any new windows servers on your network around the time
of the problem?  I notice that you have your 'os level = 0', that means
for things like name resolution, your smb server will have lowest
 priority -- even below a win98 client, as I understand it.

   You mention you ran an 'strace -f' on smbd.   Have you looked at a
wireshark trace?  That would tell you more -- like when negotiating a
TCP session, if your windows client keeps reducing the RCV buffer size
that would have told you why the reads were getting smaller.  Maybe you
are getting packet drops, or similar -- Reminds me,  do you have
switches or hubs, what type of ethernet speed...I take it nothing in the
hardware on the clients or the server has changed?

   You say you are using RH.  Has the SW remained static since
installation and through this problem increase (I.e. an auto-update of
SW might have changed some setting in the kernel, or some firewall might
have been added, modified... etc...)...


   Are the windows client's 'paging' more?   I.e. was there any change
in the VB script or the SW it's using such that now there could be a
memory leak, thus increased paging?

   Have you set/optimized your TCP/IP params on XP? (and what little
you can do on Win7...  which is less configurable than XP)   Have
you added more clients (significant?)...


   On the Win clients...what SP are the XP clients running at?   Many
people complained when SP2 came out -- especially affected were network
applications.   SP3 has the best performance of the XP series (even
better than the original), while SP1 was slower than 'SP0' (original),
and SP2 was slower still...

   I don't have any specific theories...just asking for more data at
this point, since there are so many possible variables...and just having
the information out there would help anyone investigate the problem...



Good luck!
Linda



[Samba] RFE: Proposed fix for incompat introduced with 'unix extensions' and 'wide links'....in 3.4(?)..

2011-06-11 Thread Linda Walsh



After an upgrade, I got re-bitten by the 'unix-extensions and
wide links' incompat.  (They used to be compat but were made
incompat in the 3.4.x timeframe due to security concerns).

At the time it was suggested I write a patch complete
with documentation to describe the fix.   The below
seems to fit the bill.  I was wondering what people thought
about its inclusion in future versions...

I'd call this a proto-patch since it is against my distro's (opensuse)
source RPM for 3.5.7...   First the description, and then the patch.

I think it sufficiently describes the security concerns that were
presented at the time, as well. 


Sufficient?
Linda



client managed wide links (G)

 This option can allow clients to manage the 'wide links'
 created on a server.  It enables this by permitting 'unix
 extensions' and 'wide links' to be true at the same time in the
 same config.  Management is only enabled if 'unix extensions' is
 also true, and 'wide links' only function when enabled on a
 per-share basis.

 This creates similar security issues as allowing the same userid
 to have a local account on the server. (where they could then
 create/manage wide links).  As a local user, they can create
 symlinks in any directory they have access to that can point to
 any inode (file, dir, dev, etc...) on the server.

 If your users have local accounts on the server, this option
 should not cause any decrease in security, as links created
 through 'unix extensions' by a client are subject to normal file
 and share restrictions.  This does mean, though, if a user is in
 the 'Domain Admins' group on the server, they can likely manage
 links on any writable share.

 Default: client managed wide links = no

---
patch:

--- source3/param/loadparm.c.orig   2011-02-27 09:42:19.0 -0800
+++ source3/param/loadparm.c2011-06-09 16:53:19.192163402 -0700
@@ -334,6 +334,7 @@
bool bHostMSDfs;
bool bUseMmap;
bool bHostnameLookups;
+   bool bClientManagedWidelinks;
bool bUnixExtensions;
bool bDisableNetbios;
char * szDedicatedKeytabFile;
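Review bot: the patch touches only source3/param/loadparm.c, so the new global `bClientManagedWidelinks` would land without a manpage entry. The 'client managed wide links (G)' description given in the mail, including its security paragraph about local accounts and 'Domain Admins', should be added to the smb.conf documentation sources in the same patch so the option cannot be enabled without the caveat being visible.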
@@ -939,6 +940,15 @@
.flags  = FLAG_ADVANCED
},
{
+   .label  = client managed wide links,
+   .type   = P_BOOL,
+   .p_class= P_GLOBAL,
+   .ptr= Globals.bClientManagedWidelinks,
+   .special= NULL,
+   .enum_list  = NULL,
+   .flags  = FLAG_ADVANCED
+   },
+   {
.label  = unix charset,
.type   = P_STRING,
.p_class= P_GLOBAL,
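Review bot: the new table entry will not compile as posted, because `.label  = client managed wide links,` has no string quotes and `.ptr = Globals.bClientManagedWidelinks,` has no address-of operator. The unchanged `unix charset` context line shows the same loss, so the characters were stripped in the mail path and the hunk will not apply either; resend the patch as an attachment or with git format-patch so the quoting survives.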
@@ -5085,6 +5095,7 @@
#else
Globals.bUseMmap = True;
#endif
+   Globals.bClientManagedWidelinks = False;
Globals.bUnixExtensions = True;
Globals.bResetOnZeroVC = False;
Globals.bCreateKrb5Conf = true;
@@ -5535,6 +5546,7 @@
FN_GLOBAL_BOOL(lp_enhanced_browsing, Globals.enhanced_browsing)
FN_GLOBAL_BOOL(lp_use_mmap, Globals.bUseMmap)
FN_GLOBAL_BOOL(lp_unix_extensions, Globals.bUnixExtensions)
+FN_GLOBAL_BOOL(lp_client_managed_widelinks, Globals.bClientManagedWidelinks)
FN_GLOBAL_BOOL(lp_use_spnego, Globals.bUseSpnego)
FN_GLOBAL_BOOL(lp_client_use_spnego, Globals.bClientUseSpnego)
FN_GLOBAL_BOOL(lp_hostname_lookups, Globals.bHostnameLookups)
@@ -9905,6 +9917,7 @@

void widelinks_warning(int snum)
{
+   if (lp_client_managed_widelinks()) return;
if (lp_unix_extensions()  lp_widelinks_internal(snum)) {
DEBUG(0,(Share '%s' has wide links and unix extensions enabled. 

These parameters are incompatible. 
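Review bot: the early `return` at the top of widelinks_warning() silences the only log message about a share that has both wide links and unix extensions enabled, which is the state an administrator most needs to be able to find once clients can create the links themselves. Rather than returning silently, keep a message for the share (at a lower priority than the existing DEBUG(0, ...)) saying the combination is active because 'client managed wide links' is set. As a style point, put the `return` in braces on its own line like the `if` that follows it.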
@@ -9915,10 +9928,9 @@

bool lp_widelinks(int snum)
{
-   /* wide links is always incompatible with unix extensions */
-   if (lp_unix_extensions()) {
-   return false;
-   }

-   return lp_widelinks_internal(snum);
+   if (lp_client_managed_widelinks()
+   || !lp_unix_extensions()) return lp_widelinks_internal(snum);
+
+   return false;
}
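Review bot: in lp_widelinks() a single global boolean now lifts the restriction for every share that sets wide links, so one smb.conf line re-enables client-created links on all of them. Consider making the override a per-share parameter, or requiring it in addition to a per-share opt-in, so it can be limited to shares where every user already has a local account as the description assumes. The removed comment `/* wide links is always incompatible with unix extensions */` should be replaced by one stating the new rule, and the two-line `if (...) return ...;` would be clearer with braces, as the old code had.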







--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
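
Added example, not part of the original post or of Samba: a server-side audit for the exposure discussed in the option description above, listing symlinks under a share root whose resolved target lies outside the share, with the uid that owns each link. The share layout built by `build_sample_tree()` is constructed for the demonstration.

```python
import os
import tempfile


def find_wide_links(share_root):
    """Return sorted (link path relative to share, resolved target, owner uid)
    for every symlink under share_root that resolves outside share_root."""
    root = os.path.realpath(share_root)
    findings = []
    # followlinks=False: symlinked directories are listed but never entered,
    # so the walk itself cannot leave the share.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath compares whole path components, so a sibling such as
            # ".../share2" is not mistaken for something inside ".../share".
            if os.path.commonpath([root, target]) != root:
                owner = os.lstat(path).st_uid  # owner of the link itself
                findings.append((os.path.relpath(path, root), target, owner))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed share with one internal link and two wide links.

    Returns (share_root, sibling_dir). The sibling is named 'share2' on
    purpose, to exercise the prefix comparison.
    """
    base = os.path.realpath(tempfile.mkdtemp(prefix="widelinks-"))
    share = os.path.join(base, "share")
    sibling = os.path.join(base, "share2")
    os.makedirs(os.path.join(share, "docs"))
    os.makedirs(sibling)
    with open(os.path.join(share, "a.txt"), "w") as fh:
        fh.write("inside the share\n")
    with open(os.path.join(sibling, "secret.txt"), "w") as fh:
        fh.write("outside the share\n")
    # Stays inside the share: not reported.
    os.symlink("a.txt", os.path.join(share, "inside-link"))
    # Absolute link to a directory outside the share.
    os.symlink(sibling, os.path.join(share, "etc"))
    # Relative link that climbs out of the share.
    os.symlink("../../share2/secret.txt", os.path.join(share, "docs", "up"))
    return share, sibling


if __name__ == "__main__":
    share_root, _ = build_sample_tree()
    for rel, target, uid in find_wide_links(share_root):
        print(f"{rel} -> {target} (link owner uid {uid})")
```
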


[Samba] Prob found: (Re: missing symbols talloc_* (opensuse 11.4/samba 3.5.7-xxx))

2011-06-06 Thread Linda Walsh

Linda Walsh wrote:

 upgraded to opensuse 11.4.

basic smbd is running mostly fine (some name res-errors, login server
missing, (can't connect to Domain service).  Notably nmbd won't start due
to undefined symbols:

/usr/sbin/nmbd: symbol lookup error: /usr/sbin/nmbd: undefined symbol: 
_talloc_realloc_array.


ldd -r shows a bunch of similar undefined symbols (shown further below).



nmbd was linking with a 'mismatched' (and unowned) libwbclient0 in
/lib64 -- the real libwbclient0 from the suse package is installed
in /usr/lib64.

So this was basically a local system config screwup where I had out-of-date,
self-built libs in the wrong place that were given preference over the
official system built ones.  A configuration-build mistake put them
in /lib64 instead of the desired /usr/lib64

*sigh*

live & learn.
thought I'd doc the resolution in case anyone else ran into something similar.

FWIW, I used ldd -r on nmbd to see what libs it was really loading.
I also noted that 'readelf' showed nmbd didn't need talloc, which is
what led me to start looking at the libs that nmbd was pulling in

C'est la vie
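
The check that resolved this thread (seeing which copy of a library the loader actually picked, and whether a second copy exists elsewhere), as an added example that is not part of the original post. The function names, the directory arguments and the sample `ldd` lines are constructed for illustration; `pkg_owner` assumes an RPM-based system such as the openSUSE install described above.

```shell
#!/bin/sh
# Added example: report libraries that the loader resolved from one
# directory while a same-named copy also sits in another directory.
# Real use:  ldd /usr/sbin/nmbd | find_shadowed_libs /lib64 /usr/lib64

# find_shadowed_libs DIR...   (reads `ldd` output on stdin)
# Prints one line per resolved library whose soname also exists in a
# different DIR:  <soname> loaded=<path> shadows=<other copy>
find_shadowed_libs() {
    while read -r fs_soname fs_arrow fs_path fs_rest; do
        # Keep only "libfoo.so.N => /abs/path (0xaddr)" lines.
        if [ "$fs_arrow" != "=>" ]; then continue; fi
        case "$fs_path" in
            /*) ;;
            *) continue ;;
        esac
        fs_dir=${fs_path%/*}
        for fs_other in "$@"; do
            if [ "$fs_other" = "$fs_dir" ]; then continue; fi
            if [ -e "$fs_other/$fs_soname" ]; then
                printf '%s loaded=%s shadows=%s\n' \
                    "$fs_soname" "$fs_path" "$fs_other/$fs_soname"
            fi
        done
    done
    return 0
}

# pkg_owner PATH: name of the RPM that owns PATH, "unowned" if no package
# does, or "unknown" when rpm is not installed on this machine.
pkg_owner() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if po_name=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null); then
        echo "$po_name"
    else
        echo unowned
    fi
}

# demo_constructed: builds a throw-away tree that mimics the situation in
# the post (a stale copy in lib64, the packaged copy in usr/lib64) and runs
# the check over constructed ldd output. Nothing outside the temp dir is
# touched.
demo_constructed() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/lib64" "$root/usr/lib64"
    : > "$root/lib64/libwbclient.so.0"       # stale self-built copy
    : > "$root/usr/lib64/libwbclient.so.0"   # copy from the package
    : > "$root/usr/lib64/libkrb5.so.3"       # only one copy: not reported
    : > "$root/lib64/libc.so.6"              # only one copy: not reported
    find_shadowed_libs "$root/lib64" "$root/usr/lib64" <<EOF
    linux-vdso.so.1 =>  (0x00007fff00000000)
    libwbclient.so.0 => $root/lib64/libwbclient.so.0 (0x00007f0000001000)
    libkrb5.so.3 => $root/usr/lib64/libkrb5.so.3 (0x00007f0000002000)
    libc.so.6 => $root/lib64/libc.so.6 (0x00007f0000003000)
    $root/lib64/ld-linux-x86-64.so.2 (0x00007f0000004000)
EOF
    rm -rf "$root"
}

demo_constructed
```

Each reported path can be passed to `pkg_owner` to see whether the copy the loader picked belongs to a package at all; an unowned library ahead of the packaged one in the search order is the condition described in the post.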



Re: [Samba] missing symbols talloc_* (opensuse 11.4/samba 3.5.7-xxx)

2011-06-05 Thread Linda Walsh

simo wrote:



Any ideas as to what library i'm missing?


Looks like nmbd is not being linked against libtalloc.

---
Sure looks like it, but shouldn't it be dynamically loaded?

The libtalloc packages ARE installed.

I must have something messed up for the standard distro-packages not
to load/link

This makes no sense though, trying to load nmbd, can't find
_talloc_realloc_array, yet (FWIW, there was only libtalloc.so.2, I moved it to
its real version,

lrwxrwxrwx 118 Jun  5 17:49 /usr/lib64/libtalloc.so.2 -> libtalloc.so.2.0.1*
-rwxr-xr-x 1 43280 Mar  1 04:21 /usr/lib64/libtalloc.so.2.0.1*

and

# readelf -s libtalloc.so.2|grep realloc
   34:  0 FUNC    GLOBAL DEFAULT  UND realloc@GLIBC_2.2.5 (2)
   49: 700047 FUNC    GLOBAL DEFAULT   12 _talloc_realloc_array
   62: 6ff0 7 FUNC    GLOBAL DEFAULT   12 talloc_realloc_fn
   65: 6b80  1124 FUNC    GLOBAL DEFAULT   12 _talloc_realloc

The library is there, the symbols are in the library.  Why isn't it
linking?!  ARG!

(going to examine build source...sigh)






[Samba] upgrade prob; extension conflict-workaround or fix yet? (widelinks unix ext)

2011-06-05 Thread Linda Walsh

I just upgraded my samba to my dist's version:
(3.5.7) and got a message:
01234567890123456789012345678901234567890123456789012345678901234567890123456789

Ishtar smbd[8204]:   Share 'IPC$' has wide links and unix extensions enabled. 
These parameters are incompatible. Wide links will be disabled for this share.



This used to work, though admittedly, I think it was because I had a 'fixed'
version that removed the check in anticipation of the official switch 
that would allow this.



I **WANT** to be able to control my 'widelinks' from my windows
workstation

My setup is that my 'windows workstation(s)' are divided in 2, with
their file system being on the smb server.  So me being able to manage
links from my windows workstation is an ease of use issue.

It's 'sad' there's no way to define / separate user owned links
from 'system' links...i.e. if the ownership on 'symlinks' wasn't so
hard to change and was able to be used reliably for ones created
by users vs. 'trusted' links created by 'root'   That would
address (I think) security concerns of this feature...

But in my local case, security isn't a concern, since the
linux-fs/smb-fs IS my windows-fs.  It may not be the standard setup,
but I know I'm not the only one who uses samba this way (from previous
comments when this issue arose the first time).

Perhaps a simple:
   allow client-managed-links (yes/no)

could disable this check?  Would you accept a patch?











[Samba] missing symbols talloc_* (opensuse 11.4/samba 3.5.7-xxx)

2011-06-03 Thread Linda Walsh

I just recently upgraded to opensuse 11.4.

basic smbd is running mostly fine (some name res-errors, login server missing, 
(can't connect to Domain service).  Notably nmbd won't start due
to undefined symbols:

/usr/sbin/nmbd: symbol lookup error: /usr/sbin/nmbd: undefined symbol: 
_talloc_realloc_array.

ldd -r shows a bunch of similar undefined symbols (shown further below).

my samba rpm is samba-3.5.7-1.17.1.x86_64.

My package versions:

rpm -qa --qf '%-40{NVR}\t%{DISTRIBUTION}\n' | sort | grep -E 'sa?mb|cif|alloc|wbcl'

cifs-utils-4.6-3.6.1                     openSUSE 11.4
fusesmb-0.8.7-110.1                      openSUSE 11.4
ldapsmb-1.34b-298.17.1                   openSUSE 11.4
libsmbclient0-32bit-3.5.7-1.17.1         openSUSE 11.4
libsmbclient0-3.5.7-1.17.1               openSUSE 11.4
libsmbios2-2.0.2-21.1                    openSUSE 11.4
libsmbios-bin-2.0.2-21.1                 openSUSE 11.4
libtalloc2-2.0.1-2.17.1                  openSUSE 11.4
libtalloc2-32bit-2.0.1-2.17.1            openSUSE 11.4
libwbclient0-32bit-3.5.7-1.17.1          openSUSE 11.4
libwbclient0-3.5.7-1.17.1                openSUSE 11.4
pam_smb-2.0.0rc6-160.1                   openSUSE 11.4
pam_smb-32bit-2.0.0rc6-160.1             openSUSE 11.4
python-smbc-1.0.10-4.1                   openSUSE 11.4
samba-32bit-3.5.7-1.17.1                 openSUSE 11.4
samba-3.5.7-1.17.1                       openSUSE 11.4
samba-client-32bit-3.5.7-1.17.1          openSUSE 11.4
samba-client-3.5.7-1.17.1                openSUSE 11.4
samba-doc-3.5.7-1.17.1                   openSUSE 11.4
samba-krb-printing-3.5.7-1.17.1          openSUSE 11.4
samba-winbind-32bit-3.5.7-1.17.1         openSUSE 11.4
samba-winbind-3.5.7-1.17.1               openSUSE 11.4
smb4k-0.10.9-3.1                         openSUSE 11.4
smb4k-doc-0.10.9-3.1                     openSUSE 11.4
smb4k-lang-0.10.9-3.1                    openSUSE 11.4
xmms2-plugin-samba-0.7-14.2              openSUSE 11.4
yast2-samba-client-2.20.2-3.1            openSUSE 11.4
yast2-samba-server-2.20.2-3.1            openSUSE 11.4



The missing symbols (and libs being tried when loading nmbd):


ldd -r /usr/sbin/nmbd

   linux-vdso.so.1 =>  (0x7fffe1bf9000)
   libresolv.so.2 => /lib64/libresolv.so.2 (0x7fc6d5f9c000)
   libnsl.so.1 => /lib64/libnsl.so.1 (0x7fc6d5d84000)
   libdl.so.2 => /lib64/libdl.so.2 (0x7fc6d5b8)
   libwbclient.so.0 => /lib64/libwbclient.so.0 (0x7fc6d5962000)
   libpopt.so.0 => /lib64/libpopt.so.0 (0x7fc6d5756000)
   libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x7fc6d552)
   libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x7fc6d5255000)
   libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x7fc6d502d000)
   libcom_err.so.2 => /lib64/libcom_err.so.2 (0x7fc6d4e29000)
   libldap-2.4.so.2 => /usr/lib64/libldap-2.4.so.2 (0x7fc6d4be2000)
   liblber-2.4.so.2 => /usr/lib64/liblber-2.4.so.2 (0x7fc6d49d3000)
   libz.so.1 => /lib64/libz.so.1 (0x7fc6d47bb000)
   libc.so.6 => /lib64/libc.so.6 (0x7fc6d444e000)
   /lib64/ld-linux-x86-64.so.2 (0x7fc6d61b3000)
   libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x7fc6d4245000)
   libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x7fc6d4042000)
   libpthread.so.0 => /lib64/libpthread.so.0 (0x7fc6d3e25000)
   libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x7fc6d3c0a000)
   libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fc6d39ae000)
   libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fc6d35fd000)
undefined symbol: _talloc_memdup                  (/usr/sbin/nmbd)
undefined symbol: talloc_vasprintf                (/usr/sbin/nmbd)
undefined symbol: talloc_asprintf                 (/usr/sbin/nmbd)
undefined symbol: talloc_strndup                  (/usr/sbin/nmbd)
undefined symbol: talloc_named                    (/usr/sbin/nmbd)
undefined symbol: _talloc_free                    (/usr/sbin/nmbd)
undefined symbol: _talloc_array                   (/usr/sbin/nmbd)
undefined symbol: _talloc_reference_loc           (/usr/sbin/nmbd)
undefined symbol: talloc_pool                     (/usr/sbin/nmbd)
undefined symbol: talloc_init                     (/usr/sbin/nmbd)
undefined symbol: talloc_get_name                 (/usr/sbin/nmbd)
undefined symbol: talloc_strdup                   (/usr/sbin/nmbd)
undefined symbol: talloc_set_name                 (/usr/sbin/nmbd)
undefined symbol: _talloc_zero                    (/usr/sbin/nmbd)
undefined symbol: _talloc_steal_loc               (/usr/sbin/nmbd)
undefined symbol: talloc_report_depth_cb          (/usr/sbin/nmbd)
undefined symbol: talloc_asprintf_append_buffer   (/usr/sbin/nmbd)
undefined symbol: talloc_reference_count          (/usr/sbin/nmbd)
undefined symbol: talloc_vasprintf_append_buffer  (/usr/sbin/nmbd)
undefined symbol: _talloc_realloc_array           (/usr/sbin/nmbd)
undefined symbol: _talloc_zero_array              (/usr/sbin/nmbd)
undefined symbol: talloc_set_name_const 

Re: [Samba] Samba performance

2011-06-03 Thread Linda Walsh

Juan Pablo wrote:
Thanks a lot for the advice. It will run these tests and try to find meaningful
information from them. I will post back results.


Thanks

Juan Pablo


What type of speeds are you expecting?

With a GB network, your limit is 125MB/s.   I get that
with writes, but max out @around 119MB/s on reads due to
not being able to have 'overlapping reads'...;-)...


I found to get max performance, I had to adjust the network
params in both linux and windows.

If I'm totally missing some point, I don't get it.

I notice you are trying to use network bonding.  I had problems
getting network bonding to work correctly.

	have you tried sniffing with 'wireshark'?   Maybe look for
duplicate packets or retries?   To get optimal speeds you need '0 dups'
and '0 retries'...

I've only been able to optimize a single Gb ethernet connection.
A bonded pair -- even direct from server to Win7 of matched Intel dual-port
G-Pro cards gave lower performance than a single wire.

It's odd though, with smbclient -- I'd think that would use
'lo0'  (no?)  I'd think that would get better.   


I noticed in the test below use of 8MB files.  70MB/s would be
a good speed for reading those over the net.  My best raw speeds were using
16-256MB on multi-gig files.   But opening single files ... I'd try
opening them all first, then sending the data, so you are measuring
data perf.

My maximum write perf was done to a file (from windows)
using:
CF=notrunc,nocreat; OF=direct
dd if=/dev/zero of='file' bs=16M count=128 oflag=$OF conv=$CF


Optimizing the network settings on both the linux server and win7 client
gave me another ~20-30%.

I wouldn't trust my testing now, though, as I recently upgraded, and can't
even get nmbd to run...(sigh)...
1 step forward, 3 steps back!






Test type   Local (dd)   Local (smbclient)   Window 7
Case1       161          101                 63
Case2       122          119                 68

Case1: Read 1000 files 8 MByte each
Case2: 4 processes each reading 1000 files of 8 MByte each

Any idea how can I debug where the bottleneck is or why I get so low numbers 
when reading from Windows?


strace the smbd process with strace -ttT. Network trace.
Look at netstat -nt while the test is running. Send/Recv
queues full? Run top, is the CPU fully busy? There's no
silver bullet for performance tuning unfortunately, sorry.

Volker




Re: [Samba] Samba performance

2011-06-03 Thread Linda Walsh

Alan Hodgson wrote:

On Wed, May 25, 2011 at 08:02:56PM -0700, Juan Pablo wrote:

- 4 Intel Gigabit ethernet NIC ports with 802.3ad bonding connected to a
switch configured to use 802.3ad
- 8 2TB 7.2 krpm SATA disks with hardware RAID5 (RAID stripe size 1024
bytes, controller and disk cache enabled, readahead enabled)
- XFS filesystem (created with the following parameters: size=64k -d
su=1024k,sw=7)
- Average file size in the share: 8 MByte
- Gigabit network composed by Cat5E certified cabling and DLink DGS-3427
gigabit switch.


The way Linux does 802.3ad is not really how you might expect.


...


It's still not great though. You'd really be better off with a 10Gb/s interface 
out to your switch if you need to guarantee multiple 1Gb/s connections over a 
small number of simultaneous connections.


	Given my experience with bonded ethernet, I'd have to agree.  
	I'm 'just' waiting for the 10Gb prices to come down.  Still a bit 
out of reach for a home network setup.



BTW...

su=1024k?!?   What raid controller are you using?   64K is usually
recommended for max performance.  But then above you say RAID stripe size is
1024bytes?   There is a difference, no?  Which is it?
Either way: a bit off from optimal.


You want to set your log size to 32768b (not 64k; note: 32768b=128k).

For mount options, I have 'swalloc,largeio,logbsize=256k,nobarrier'.

Note, for nobarrier, you *should* have your system on a UPS, and a battery
backup on the RAID controller's cache (LSI controllers have this, others
may as well).

Note, some perf-related options(from my smb.conf) (with host networking 
tuned as well), I have:

aio read size = 65546
aio write size = 65536
max xmit = 66576
min receivefile size = 65536
map acl inherit = Yes
server schannel = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=4194304 SO_RCVBUF=4194304
use sendfile = yes


Note: I'm not sure why my max xmit is > 64k, I probably had a reason
when I set it up -- not even sure if 64k is legal, it might explain why my
read rates are 6MB/s slower than my writes (119MB/s vs. 125MB/s) over Gb lan.

Those are MAX rates to a linear file -- NOT random small reads/writes, BTW
Though I'll regularly see 50MB in random, with 100MB for large files.












Re: [Samba] Samba Tuning to increase Throughput

2011-04-07 Thread Linda Walsh

vijay vijay wrote:
Hi All, 
 
I have gone through threads related to throughput issue in this list. Found few 
similar issue, but could not get the solution. 


So looking for some advice from group.
 
I am trying to use the samba to access a USB disk connected to our evaluation 
board which has xtensa core running at 400 MHz. 

Samba 3.5.x is running on the board. We are getting below throughput as tested 
with the colasoft capsa software on the client PC. 


Read:27.9 mbps
Write :  24.5 mbps
  
I was trying to find the where the bottleneck is? Initially thought issue could 
be at the USB, 

But when we tested only USB (without samba) throughput it was coming 
Read:162.5 mbps

Write :  80 mbps
So with this it appears that some bottleneck is because of the use of samba. 
 
When I tried to access same USB disk with Linux using samba, throughput was 
more.

Read:157.9 mbps
Write :  134.5 mbps
 
So it appears that samba is not correctly configured on my board .  
Any pointers what we should investigate in this? 
Any help would be highly appreciated?


With samba you are getting a read speed of 157.9mbps and the disk
is only capable of 162.5mbps, while with samba you can write at 134.5mbps
and the disk is only capable of 80mbps?

Seems like you have a problem on the client, as with samba you say
your read speed is 97% the maximum offered by the USB disk and
the write speed is 68% faster using 'samba' than when you write to
it directly (not quite sure how samba accomplishes that, but 
it IS great software, I guess!)



Can you elaborate further as to the problem?  As it seems you are saying
you have some client running at 400Mhz, (about 1/7th the speed of a
modern PC, and are only getting about 1/7th the throughput).   Seems like
the client might be a bit underpowered, or what are you saying?

FWIW -- if you need to optimize speed on a fast connection, (1Gbps), you need
to increase your TCP buffers on the linux computer and increase the TCP window
size on most windows clients -- though I note that you didn't say what windows
client you have running on this 400MHz computer, Windows 98?  XP?

Linda



Re: [Samba] samba howto: sticky bit on directories

2011-04-01 Thread Linda Walsh

Daniel Müller wrote:

On Mon, 28 Mar 2011 19:24:17 -0700, Linda Walsh sa...@tlinx.org wrote:

Daniel Müller wrote:

This is working with samba sernet newest release:
This is setting the bit for the group even with msoffice-files correctly

directory mask=2770
force directory mode=2770
create mask = 2770
force create mode=2770
force security mode=2770
force directory security mode=2770



Unfortunately, I don't think the 'local linux' version allows the
setUID functionality to work on directories.

SetGID and allowing the propagation of the GID _does_ work.

I'd guess on the reasoning: on any linux I've run on, users can't give
away files to other users.   Allowing this 'bit' to work would
effectively do the same thing.


Hm!! but I do it on centos 5.5 , it is working


--

You do what?   You mean you, for example:

mkdir ~/suid-test-dir
chmod 777 ~/suid-test-dir
sudo chown daemon.daemon ~/suid-test-dir
sudo chmod u+s,g+s ~/suid-test-dir
touch ~/suid-test-dir/file

Now what are the user and group set on the file?

I see the file's user still set to me (i.e. setuid on dir didn't work),
though the file's group is set to 'daemon' (i.e. setgid on dir does work).


You are saying that on centos, both the user and group of 'file' are
*both* set to 'daemon'?





Re: [Samba] samba howto: sticky bit on directories

2011-03-28 Thread Linda Walsh

Daniel Müller wrote:

This is working with samba sernet newest release:
This is setting the bit for the group even with msoffice-files correctly
directory mask=2770
force directory mode=2770
create mask = 2770
force create mode=2770
force security mode=2770
force directory security mode=2770



   Unfortunately, I don't think the 'local linux' version allows the
setUID functionality to work on directories.

SetGID and allowing the propagation of the GID _does_ work.

I'd guess on the reasoning: on any linux I've run on, users can't give
away files to other users.   Allowing this 'bit' to work would effectively
do the same thing.





[Samba] pam_winbind([sshd|su|...]:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND

2011-03-03 Thread Linda Walsh





I've been getting these in my log for some time and was wondering what I had
to do to get 'pam_winbind' to 'work' with my samba 'DC'?

In looking around the net, others w/this error message were having a
problem with blocking login's and password changes, completely.

In my case, I have the 'pam_winbind.so' module in '/etc/pam.d/common-passwd'
setup with 'password sufficient', instead of 'password required', and have
other modules (like pam_unix2) that can continue the authorization should
pam_winbind fail.   So the above error doesn't seem to prevent any
valid operation from succeeding,
 BUT
 I'm wondering why I am getting the error.  I.e.

 1) is it a mistake for samba (or winbind, or whoever) to have configured
winbind to be in the pam-authorization chain *at-all*?   OR
 2) Since I am trying to run my samba server as a DC (my local Win7 Workstation
is joined to the domain), I *should* have this module in the stack, but somehow
it isn't configured correctly (this is what I believe to be the case).

 In the case of 2, the errors seem to occur only on authorizations occurring
on the DC (i.e. the main machine running samba in DC mode).  So somehow,
winbind isn't set up to correctly process 'unix' validations through my
samba DC.

Is this type of 'unix' verification supported against a 3.5.4 Samba DC,
or is this only supported for testing against a windows DC?

I.e. if it is the latter, then I shouldn't try to use winbind at all(?) :-(.

If it is supported, any idea where I might look to see why winbind
isn't supporting 'local' Samba DC validation?


I could just take the route of 'disabling' any attempt at using winbind
for my unix validation attempts as an 'easy way out' to get rid of these
messages, but I'd prefer to fix the problem rather than bury it,
**IF POSSIBLE**...

So, is this a lost cause, or an arcane misconfiguration?  If the latter,
any idea where to look for the break?  


I have a feeling it has something to do with local login's having no
Domain name attached to them (i.e., because they are 'local', and it not
realizing that 'local' = 'Domain'...  but that's a pure guess on my part...

Ideas?

Thanks...
Linda




Re: [Samba] pam_winbind([sshd|su|...]:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND

2011-03-03 Thread Linda Walsh

Bob Miller wrote:
...
lotsa stuff...

tnx,
will have to do a bit of investigation at this point
Thanks for the 'encouragement' (i.e. it works for you!)  
Gives me something to go on ... (though may take a while
to verify all the nuts & bolts...).



Re: [Samba] Samba Share Access Delay !

2011-01-12 Thread Linda Walsh

Supriya Kher wrote:

windows machine writes to \\Linux IPAddress\output.  It has been
observed consistently that accessing the shared folder from windows using
UNC as \\LinuxIpAddress\output
 takes a very long time. Each access takes around 45 to 50 seconds !
though there are no  network issues.


Any directions on how to get around this problem ?  Can it controlled via
specific share level/global settings in smb.conf ?

---

I had something *like* this, but not quite this bad -- it was very
persistent -- no matter what program I ran, my max xfer speed was
about 2MB/s (read & write).

Nothing I tried fixed it -- until I rebooted.

Then it went mysteriously away (back to full speed of 119M/125MB
read/write).

I looked at the wireshark traces for the bad-case -- the only odd thing
I saw (which wouldn't explain the whole thing) was that my max window size had
dropped to under 64k (normal is 1M).

It hasn't repeated.

It _sorta_, *looked* like something was inserting itself to look at the packets in and
out and doing a really bad job of being 'transparent'.  But since it hasn't re-occurred,
I haven't thought much about it.

In my case, it *appeared* to affect all network traffic (I kept checking the 
sync rate on the line, figuring it had to be syncing at 10Mb and not 1Gb, but 
wasn't the case).

You might try a 'wireshark' trace?  Try to see who is doing the 'lagging'





[Samba] How to net group add 'group' (I scrod myself...can't figure out how descrod)

2010-05-04 Thread Linda Walsh
  I have:
interfaces = lo0, eth2
  and: 
socket address = 192.168.3.1
socket address = 127.0.0.l

in my smb.conf, but when I try to 
net group add anything (on server running samba 3.5.2, as a DC):
asks for current log'ed in users's password  mypwd
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

So what am I missing?

Shouldn't interfaces=lo0 and the second socket addr line
w/ 127.0.0.1 be all that is needed?

Thanks for any descrodding help! :-)
-linda



Full smb.conf follows:


[global]
display charset = UTF-8
workgroup = BLISS
unix extensions = yes
#   realm = ISHTAR.SC.TLINX.ORG
netbios name = BLISS
netbios aliases = web-proxy, clock
server string = Bliss on %h running Samba %v
interfaces = lo0, eth2 
bind interfaces only = Yes
server schannel = No
passdb backend = tdbsam:/etc/samba/.internals/passwd.tdb
guest account = guest
passwd program = /usr/bin/passwd '%u'
username map = /etc/samba/smbusers
unix password sync = Yes
log level = 2
log file = /var/log/samba/log-%m(%...@%d)
max log size = 4096
debug class = Yes
min receivefile size = 65536
max xmit = 66576
name resolve order = wins lmhosts host 
time server = Yes
enable asu support = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=4194304 SO_RCVBUF=4194304
show add printer wizard = No
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
set primary group script = /usr/sbin/usermod -g '%g' '%u'
add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u
logon path = \\%D\%U\profile
logon drive = h:
logon home = \\%D\%U
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
wins hook = /home/law/bin/wins_hook
socket address = 192.168.3.1
socket address = 127.0.0.1
usershare max shares = 100
idmap alloc backend = tdb
idmap uid = 15000-2
idmap gid = 1-14999
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = Yes
recycle: keeptree = true
read only = No
acl group control = Yes
create mask = 03755
guest ok = Yes
aio read size = 65536
aio write size = 65536
ea support = Yes
map acl inherit = Yes
block size = 4096
use sendfile = Yes
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
acl group control = yes
wide links = Yes

[netlogon]
path = /home/%D/%U
write list = @Administrators, root, law
csc policy = disable

[public]
comment = public include files
path = /home/public
read only = Yes

[profiles]
comment = Network Profiles Service
path = /home/%D/profiles/%U
profile acls = Yes
vfs objects = recycle
recycle: keeptree = true

[homes]
acl group control = yes
comment = DomUser Roaming Home Dir (Generic Homes, u=%u, U=%U, s=%S, d=%D, w=%w)
path = /home/%D/%U
create mask = 0751
vfs objects = recycle, readahead, shadow_copy2
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home

[servhome]
acl group control = yes
comment = Server Home Dir (Generic Homes, u=%u, U=%U, s=%S, d=%D, w=%w)
path = /home/%U
create mask = 0751
vfs objects = recycle, readahead, shadow_copy2
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home

[scans]
comment = Juno scans
path = /home/scan
valid users = @trusted_local_net_users
write list = law, Juno

[home]
comment = /home (allhomes)
path = /home
valid users = @trusted_local_net_users
vfs objects = recycle, readahead, shadow_copy2
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home

[Documents]
comment = Dom User Documents
path = /home/%D/%U/Documents
valid users = %D\%U, Administrators
vfs objects = recycle, readahead, shadow_copy2
recycle: keeptree = true
shadow:snapdir = /home/snapdir
shadow:basedir = /home

[ADMIN$]
comment = C:\Windows (Athenae in /home/C:Windows)
path = /home/C:Windows
read list = law, @wheel, root, @admins, @nt_admins, @domain_admins
read only = Yes
create mask = 0751

Re: [Samba] question difference of roaming profile between WinXP and Win7

2010-04-06 Thread Linda Walsh
John Drescher wrote:
 Also. They can NOT point to the same path. That was the point of
 having a .v2. Vista+ and XP profiles are not compatible with each
 other.

What part is incompatible? Or is it known?  
This is something that I ran into as well, but didn't have
time to chase down.  But I was disturbed to see my different clients
now using different profiles when before I could share the same home
dir.

Now, files that once were in sync in the different profiles
are growing out of sync.

Most changes I make in one profile, I want to show
up in my other profile.  This used to be 'automatic'.

Now they are out of sync with each other...

Any way to resync them?  For common subdirs, I might be able to
use a widelinked dir out of either profile to the shared subdirs, but
for individual files...would be a pain to symlink each to a single source on 
the server, not to mention unwieldy.  

Wondered why MS insisted on making my
home shares named user.V2 when that wasn't their
real name, and user had worked fine before.



[Samba] shadow_copy2 prob? FSCTL..GET..DATA: max_data_count(114) too small (118) bytes needed!

2010-02-06 Thread Linda Walsh

I have /home as a logical volume.  I have snapshots:

LV                   VG   Attr   LSize  Origin Snap%  Move Log Copy%  Convert
2010.02.05-01.26.19  Home swi-ao 10.00G lvol0  39.81
2010.02.06-02.37.52  Home swi-ao  5.00G lvol0   0.25
lvol0                Home owi-ao  1.00T


and they are mounted:

/dev/mapper/Home-2010.02.05--01.26.19 on /home/snapdir/@GMT-2010.02.05-01.26.19 type xfs (ro,nouuid)
/dev/mapper/Home-2010.02.06--02.37.52 on /home/snapdir/@GMT-2010.02.06-02.37.52 type xfs (ro,nouuid)

My 'home's definitions (I have 3 shares that all resided on /home partition':

'ServHome'  (home of user on the server)
'home'  (share of the root of the share) and
'/homes'(the per-user in Domain share) where their profiles go

Each has:
   vfs objects = recycle readahead shadow_copy2
   recycle: keeptree=true
   shadow:snapdir = /home/snapdir
   shadow:basedir = /home
01234567890123456789012345678901234567890123456789012345678901234567890123456789
Yet when I go look at files that have been modified on the 6th, I see no
previous versions.

In /var/log/samba/clientname.log, I see:

 linw opened file mail/bind read=Yes write=No (numopen=3)
[2010/02/06 03:23:41,  0] smbd/nttrans.c:1970(call_nt_transact_ioctl)
 FSCTL_GET_SHADOW_COPY_DATA: max_data_count(114) too small (118) bytes needed!
[2010/02/06 03:23:57,  2] smbd/close.c:612(close_normal_file)
 linw closed file mail/bind (numopen=2) NT_STATUS_OK

Is the max data count too small the problem?  Is there a bug in this
version of samba?  Is this relevant?

Or is there something else wrong I don't see?

linux 2.6.27.29 on suse 11.1 
samba 3.4.3-12.1



Any insight appreciated

Thanks,
Linda




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] shadow_copy2 prob? FSCTL..GET..DATA: max_data_count(114) too small (118) bytes needed!

2010-02-06 Thread Linda Walsh

Volker Lendecke wrote:

On Sat, Feb 06, 2010 at 03:37:28AM -0800, Linda Walsh wrote:

 linw opened file mail/bind read=Yes write=No (numopen=3)
[2010/02/06 03:23:41,  0] smbd/nttrans.c:1970(call_nt_transact_ioctl)
 FSCTL_GET_SHADOW_COPY_DATA: max_data_count(114) too small (118) bytes needed!
[2010/02/06 03:23:57,  2] smbd/close.c:612(close_normal_file)
 linw closed file mail/bind (numopen=2) NT_STATUS_OK

Is the max data count too small the problem?  Is there a bug in this
version of samba?  Is this relevant?

Or is there something else wrong I don't see?

linux 2.6.27.29 on suse 11.1 
samba 3.4.3-12.1


Looks like samba bug 6850, fixed in 3.4.4.

Volker


Bingo!

Thanks!
We got previous versions!

Yeay!



[Samba] shadow_copy script example leads to system hang?

2010-02-04 Thread Linda Walsh

I don't know if this was present (maybe not?) when the script was written, but
the script for taking a snapshot in the instructions for shadow_copy: that looks
like this:

xfs_freeze -f /home/
lvcreate -L10M -s -n $SNAPNAME /dev/Home/lvol0
xfs_freeze -u /home/
mkdir /home/shadow_share/@GMT-$SNAPNAME
mount /dev/Home/$SNAPNAME \
  /home/shadow_share/@GMT-$SNAPNAME -onouuid,ro

Causes an, apparently, well-known system hang when you do the lvcreate.  


The workaround is to NOT use xfs_freeze.  I don't know if this is a kernel
bug -- haven't gotten things tracked down far enough yet, but I can
confirm that the above does cause a hard hang that eventually requires 
rebooting the system to unwedge everything.


kernel = 2.6.27.29 from OpenSuse 11.1

Samba = 3.4.3-12

lvcreate from lvm2-2.02.39-8

The notes I read indicated a problem in the kernel or maybe, more specifically
the xfs in the kernel.  Will have to check with xfs folks to see if they've
heard of this...

Have yet to sub to the lvm list...(TODO(byme): sub lvm list)

-linda


Re: [Samba] single stream performance issue, Win2K, WinXP, Samba 3.2.5-4lenny7 (Debian Lenny)

2010-01-25 Thread Linda Walsh

Stan Hoeppner wrote:

For raw bandwidth maximization, what port and protocol are used won't
make much difference, if any.  In fact it shouldn't make _any_
difference in raw b/w.  Communications between the Samba server and
Win2K client appear to be exclusively over TCP 139 at this point
according to netstat, instead I'm misreading or looking in the wrong
place.


--- I haven't read the rest of the thread yet, so forgive me if I am
  covering things that have already been covered.

  139 AFAIK, uses UDP, that means one packet up, it gets ACKED, (packet
send back to sender) then another packet goes up.

  445 uses TCP, which can have multiple packets sent without waiting for
an ACK.  Suppose round trip for an 'empty' packet is 2 ms.  For round
numbers use 1000B/packet. So you send 1000B on a 1MB/s line (yeah, it's
an odd flavor of ethernet).  But for each 1000 bytes sent, it takes
1000/10^6(B/s)  = 1ms.  So it would take 2 seconds to send.  Now the
other side could wait for the response to come back and that would take
another 1ms for an empty packet (which can include an 'ACK').  So round
trip time for 1000 bytes would be 3m.  Now your 1MB line has dropped to
1000B / 3ms.

Instead of nearly 1000 packets/second, you only see a throughput of 
300k on our 1MB line : 33%.  Yuck!


Now tcp doesn't require nearly the overhead for single packets.  Opening
the TCP connection takes extra long -- maybe in our example it would take
5ms.  But then further packets can be sent with .05ms overhead instead of
1ms. (these figures are illustrative, not accurate!) But now you send 30
packets at 1ms+.5 each, and they all travel and are received in 30.30 ms.
The ack back takes another .5 (as it's within the TCP stream, where you
only need send packet# and ack -- no addressing or port or security info).
That 'intro stuff' is only done once at the beginning of each stream open
(which in Samba is only once/ session -- not once/connection).
Additionally, the Ack back takes place AS the next packet is being sent.
Most implementations will allow the next one-to-several packets to be
sent WITHOUT having heard back.  That's important.


So the total wait time -- is 1.5*30 or 45ms+ + the last ack has to be waited
for -- so 45.5 ms. to send your 30,000 bytes.  Now we're talking 659k on
our 1MB line.  Not perfect, but maybe as perfect as less than ideal
hardware allows due to overhead (or maybe OS overhead/packet...whatever).
But in this *bogus*, (but representative in a relative sense) example TCP
bought over 100% more throughput.  In real life, might add 10-30%.
Depends on hardware and OS implementation.

Do you see why TCP=better? (for large packet sizes).  For small, sparse
amounts of data, UDP might be better.

The penalty of per-packet overhead RTT times goes *up* with the faster
networking equipment you use.  At 1GB, 1ms is a loss of a million bits!

That make sense?

So a UDP connection is much more inefficient and may show as busy but
some of that is spent constructing/sending headers while other parts are
waiting on ACKS.

-linda



Re: [Samba] single stream performance issue, Win2K, WinXP, Samba 3.2.5-4lenny7 (Debian Lenny)

2010-01-23 Thread Linda Walsh

Igor wrote:

 I don't find it strange at all. Your computer is acting as a traffic
 proxy between two samba servers. If you have 100Mb network interface
 your bandwidth should split exactly in two.
 
	But he said he doesn't get a split in two when a win2k server
is used (he gets 11Mbps).  I.e. Two network streams in two different
directions should NOT halve throughput, _unless_ something is operating
in half-duplex mode.   100Mbps, full duplex should, _easily_,
allow two 8 MBps streams if they are going in opposite directions.



Stan wrote:

Interestingly, if I launch a file copy with the source file being
on one smb share on the server, and the destination being another
smb share (separate filesystem) on the server, the combined throughput
is also 8MB/s, 4 up and 4 down, which is very strange as this
should be two distinct streams.

---
	I agree.  Is it possible your network device isn't running 
in FULL duplex?   


Other things to check (to optimize speed compared to ftp):

1) Ensure your communications are using TCP (port 445) and not
UDP (port 139).

	2) Ensure encryption (Sealing) is off.  

	3) Ensure packet Signing is off. 


The overhead of 2 & 3 contribute to around a 15% performance hit according
to 1 MS source.  (Obviously turning such things off presumes you are on
a 'safe' network consistent with FTP usage, vs. SCP/SSH).

	You need to make sure that, at least, one side has each of 
Sign and Seal turned off and the other side has it set to 'no' or 'auto'.
If one side has 'require' set for the feature, and the other has the 
same feature turned off, it will prohibit communications.


Linda
(who's been bummed by the huge drop in networking and disk performance
in windows 7).



[Samba] Win7 can and cannot join domain; speed issues? (tests to /dev/zero /dev/null?)

2010-01-15 Thread Linda Walsh


I've made some pseudo progress  .. I deleted my DNS domain name from my 
client -- after that, I was able to get a message (Welcome to Bliss Domain) -- followed by 'Domain join failed, you will not be in the Domain.  Reboot now to activate your new domain name.'


Upon reboot, it thinks I am in Bliss domain, BUT it acts completely
unjoined -- no domain groups in group list selections, Shares won't
work -- says I need permission from 'Domain\me', or the
funniest (if it wasn't also sad), was when I connected to the share
as ClientWorkstation\me, it then told me I couldn't alter
files w/o permission from Athena\me.  Um...I am me?...and I'm on my
workstation, but it thinks I need permission from me?  What's up with
that!

Anyways, back to workgroup Bliss, and file sharing is normal again.

Also have an ongoing oddity --  read/write speed to a network share.

I can't figure out why it's so slow.  Writes are faster than reads.

My tests are a bit weird.  To test out write, I write to /dev/null
on the target sys, and to test read, I'm reading from /dev/zero.

Locally, these copies return instantaneously.  But over the network
I get about 34MB/s read, and 39MB/s write.  But oddly smbd is 
nearly 100% cpu bound.  I was using 'dd' with a 1GB block size.

So shouldn't 'smbd' usually have been asleep awaiting I/O completion
(which is near instantaneous).  I'd expect to be getting more along
the lines of 60-70MB/s R+W (Gigabit network with large packet (9014) enabled).
It's a bit faster than standard packets by about 10%.  But
that's not real exciting...

Shouldn't tests to a remote /dev/zero and /dev/null be valid for
testing a no-filesystem load raw transfer rate?

-linda



[Samba] 0 length domain name SCHANNEL can't be used to fetch trust account password?

2010-01-13 Thread Linda Walsh

I have a few errors I'm trying to chase down in an effort to get a
Win7 client in my domain.  WinXP works -- tested unjoining and
rejoining today, and it can still join.

I have the registry adds for DNSNameResolutionRequired=0 under
LanmanServerClient/Params (put it in both places in attempt to get
things working), as well as a DomainCompatibilityMode=1

I've tried moving to winbind for some flexibility, and it led me
down an interesting path with some log messages on startup:

initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2010/01/13 15:46:06,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
Added domain BUILTIN  S-1-5-32
[2010/01/13 15:46:06,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
Added domain BLISS  S-1-5-21-3-7-3
[2010/01/13 15:46:08,  0] libsmb/namequery.c:75(saf_store)
saf_store: refusing to store 0 length domain or servername!
[2010/01/13 15:46:08,  1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu)
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host ISHTAR!

Anyone seen an error about 0 length names before?

The OP_RNG error led me to try some ops with net rpc on ishtar.

I tried a net rpc samdump and got:

get_schannel_session_key: could not fetch trust account password for domain 'BLISS'
cli_rpc_pipe_open_schannel: failed to get schannel session key from server 127.0.0.1 for domain BLISS.
Could not initialise schannel netlogon pipe. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO



I presume this isn't just a 'noise level' problem?  How can I
re-initialize the schannel session key for Bliss?

I even tried changing the trustpassword to see if that would reset
the schannel key.  It failed due to an inability to get the
schannel session key.

Also, maybe it's unimportant, but with winbind running, I tried to
fetch the DC name for my domain with wbinfo --getdcname 'Bliss',
but it returned Could not get dc name for Bliss. Should this work
with samba 3.4.3 ?

The Windows client goes from getting 'Domain name can't be found' to
'Access Denied' depending on combinations of the Sign/Seal level of
security and NTLM/LM/NTLMv2 params (trying various combinations).
Note: I've tried the identical settings of the XP client without
success.


Anyone solved these problems or seen them before?

Thanks,
Linda




Re: [Samba] Issue Joining Win7 to Samba Domain (tried wiki instructions)

2009-12-22 Thread Linda Walsh

Moray Henderson wrote:

The server string is Ishtar, but that is not the server name; you need
to set netbios name for that.



 Wouldn't the hostname take care of that?  That's the name of the
 machine.

 I don't recall ever adding that param before (remember, this does work
on an XP machine, and _did_ work on Win7 at 'one point'...but Win7 lost
its trust relationship with the Server).

 At one point, I was trying to add a 2nd interface to each box (servers
 & clients) over which I could use 9k packets instead of the standard
1500 byte packets.  I added a 2nd interface on each client that could
participate in the 9k network, and created a 2nd ip network at
192.168.5.x, paralleling their 1.5k 192.168.3.x network addr.  It was
during this time that I lost the network trust relationship.  So I
thought it had to do with that.  But now, having expunged from the
configs and setups all traces of the 192.168.5. network, there's been no
change.

 The SMB server seemed confused by seeing a 2nd addr for itself.  I saw
traffic and log messages that made me think that the server thought its
other interface addr was a separate server trying to be the DOMAIN
MASTER for the same domain.  But with the Win7 client getting trust
probs, and then not able to join, I decided to go back to basics, and
only use the 1.5k size until I could get all the kinks out again.


 Your domain is Bliss, but you also have a netbios alias for Bliss;
 could that be confusing something?  


  I've tried multiple ways (including w/o it), this smb.conf is merely
my current/latest attempt.  :-)


 My setup has server signing =
 No, and I don't know the recycle option.

---
  Tried it both ways, but since Win7 expects it, and the default for
servers is on, I thought I'd go with compatible in this iteration.


Do you see anything useful in /var/log/samba/log.smbd or log.athenae
if you bump up the debug level?  

---
 Nothing useful up to debug level 4.


Could something have changed on your
server between the successful join a few weeks ago and the attempt to
rejoin after reinstalling? 

---
 Much -- especially considering the many things I tried before asking 
on here.  I found out that my internal DNS wasn't even functioning and
my internal host resolution was being done completely through 'nmb' for
my win clients.


Do you have other Win7 clients that do
work?  

---
 Just the one win7 (and one winxp).  Only have 1 SMB server right now.


Could there be another server on your network intercepting
domain requests?  

---
 I'm on an isolated internal net, so no connections outside this
network (except through a proxy/email gateway).


nmblookup BLISS#1C
should list the IP address of the Domain Controllers of Bliss.

---
 And its loopback address.  Those are the two I get.


You said you had used Wireshark; have you also tried tcpdump at the
server end?

---
 I use wireshark on the server end (it's running linux).
---


 Win XP had a command line utility called nbtstat; does
Win7 still have it?  If so, try something like 


nbtstat -a Ishtar
nbtstat -c

---
 Win7 doesn't have that command and I don't know what its equivalent 
is.





Re: [Samba] Issue Joining Win7 to Samba Domain ( tried wiki instructions)

2009-12-22 Thread Linda Walsh

David Southwell wrote:
Just want to ask the obvious questions as I did not see it mentioned.. what 
version of Windows 7 is the client machine?

---
Sorry, meant to include this...

64-bit, Final Release, Complete [marketed under buzzword 'Ultimate'].


Re: [Samba] Issue Joining Win7 to Samba Domain (tried wiki instructions)

2009-12-21 Thread Linda Walsh

Moray Henderson wrote:


Something to do with the name of the machine?

---
SMB server name is 'ishtar', Domain 'Bliss' (Ha!, wishful thinking...
it's a goal!), and Win7 client is 'athenae'. All are in DNS domain 
'sc.tlinx.org'
(an internal domain name).  Theoretically straightforward.  


 You said you had to reinstall this machine - if Samba thinks it already is a 
member of the domain, and Windows is trying to rejoin, that could confuse it.  
Are there any characters besides alphanumeric in the name?

	Well, I 'sorta' unjoined from the domain before I reinstalled, but I don't know if it 'took'.  It didn't pause a bit like it was talking to the PDC, and the reason I unjoined is I got a 'failure of trust relationship with PDC'.  So I wanted to try unjoining and rejoining to see if that would fix it.  I unjoined, and never was able to rejoin before the machine got rebuilt.  I unjoined on another machine and had problems joining for a bit due to some network testing I was doing -- but after I restored the config, the XP machine was able to rejoin the network.  The win7 machine is still out in the cold, so to speak.  

	I even tried joining using the net dom join syntax (using -S /-U for the machine and user on the win7 machine that had perms to join) -- the PDC, did talk to the machine, as if I specified a nonexistent or bad password for the user on the client machine, I got not authorized or user not found message, but when I had a correct user/pw for the client machine, I got same message on the SMB PDC 'The Name cannot be found'.  It sounds like it can't find the PDC Domain name Domain...what else is the name?  It knows the client machine name.  The client machine name was still in /etc/passwd (I just tried it with the userid deleted -- same same). 


One odd thing, but it should make no difference, is the win7 client is 
the only all-uppercase machine in the 'net sam list workstations' .. all the 
rest are all lower case with a '$' after them.  The Win7's name is all 
uppercase w/$.  I tried
unjoining, as well, from the PDC, and got message that the unjoin couldn't be 
done because the join had failed.

---my smb.conf is below:

[global]
acl group control = yes
add user script = /usr/sbin/useradd -m %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u
#aio read size = 65536
#aio write size = 65536
bind interfaces only = Yes
block size = 4096
browseable = Yes
create mask = 3755
delete user script = /usr/sbin/userdel %u
delete group script = /usr/sbin/groupdel %g 
display charset = UTF8
dns proxy = yes
domain logons = Yes
domain master = Yes
ea support = yes
enable asu support = yes
guest account = guest
guest ok = Yes
#include= /etc/samba/dhcp.conf
interfaces = 127.0.0.1/32 192.168.3.0/24
log file = /var/log/samba/log.%m
log level = 2
logon home = \\%D\%U
logon path = \\%D\%U
# unused; relative to netlogon(w9x) logon script = scripts\%U.bat
map acl inherit = yes
max log size = 4096
#   max xmit = 66576
#   min receivefile size = 65536
name resolve order = wins lmhosts host
netbios aliases = web-proxy clock socks-proxy Bliss
#netbios name = Bliss
os level = 65
passdb backend = tdbsam:/etc/samba/.internals/passwd.tdb
passwd program = /usr/bin/passwd '%u'
printing = bsd
read only = No
recycle: keeptree = true
set primary group script = /usr/sbin/usermod -g '%g' '%u'
server signing = auto
server string = Ishtar
security = user
show add printer wizard = no
smb ports = 139
time server = Yes
unix password sync = yes
use sendfile = true
recycle: keeptree=true
username map = /etc/samba/smbusers
wins support = Yes
workgroup = Bliss


[public]
comment =  public include files
path = /home/public
read only = Yes
browseable = Yes
guest ok = yes

[profiles]
comment = Network Profiles Service
path = /home/profiles
read only = No
browseable = Yes
	profile acls = Yes 
	vfs objects = recycle

recycle: keeptree=true

[homes]
browseable=no
comment = Home Dir (Generic Homes, u=%u, U=%U, s=%S, d=%D, w=%w)
path = /home/%U
valid users = %S, %D%w%S
read only = No
create mask = 0750
vfs objects = recycle readahead
	recycle: keeptree=true 



[home]
comment = /home (allhomes)
path = /home
valid users = @trusted_local_net_users
read only = No
browseable = yes
vfs objects = recycle
	recycle: keeptree=true 


[root$]
comment 

Re: [Samba] Issue Joining Win7 to Samba Domain (tried wiki instructions)

2009-12-17 Thread Linda Walsh

Moray Henderson wrote:

Last time I saw something like this, it was because the client (Win XP)
did not have a WINS server set, and couldn’t find the domain.  Can you
ping the server from the problem client - by IP address and by name?  Is
its firewall blocking any SMB ports?

---

FWIW, I checked my Win7 client.  It still has its win server set to
the Samba PDC.  The PDC has 'smb ports = 139' set to attempt to use the %m
macro in the config file.  The win7 client currently has firewall set to 
disabled, as it's located on an isolated subnet.




Re: [Samba] Windows 7 won't authenticate

2009-12-17 Thread Linda Walsh

mickey harvey wrote:

I am trying to access a samba share from windows 7. The samba version is
3.3.3 on FreeBSD 7.2, The samba daemons are running and I can see the server
in my Network Places on the Windows client. When I try to login using the
username spacebizall and password (the same as the account on the server)
I receive an unknown username or password error. I installed the registry
patch here http://wiki.samba.org/index.php/Windows7. Attached are the samba
log file and config. Test is the share I am trying to connect to.

Also one of the packets caught my attention, it appears as if my username
being sent is including my hostname for some reason:
 Code:

28  0.491330 192.168.137.1   192.168.137.2   SMB Session Setup AndX Request, NTLMSSP_AUTH, User: MICKEY-PC\spacebizall


I have Win7 and samba problems as well, in your case it almost looks 
like your win7 box is acting like a Domain controller = to itself.  I wonder if 
this is what the 'home network' feature is supposed to look like.  I'm not 
familiar with it.  But it has the idea of home network servers and clients -- I 
wonder if it uses its hostname as a domain name?  Do you have the home 
networking feature turned on? (It's on by default).  Don't know if that's 
anything to do with your problem.  Just a thought.

-linda


Re: [Samba] Problem Joining Win7 to Samba Domain (tried wiki instructions)

2009-12-16 Thread Linda Walsh

Ryan Casey wrote:

I'm trying to join a Windows 7 client to a samba domain.  We're
running samba 3.3.9 from SerNet.  I've changed the registry settings
on the Win7 client per the wiki page
(http://wiki.samba.org/index.php/Windows7).

Unfortunately, I'm still getting:
The following error occurred attempting to join the domain because the
following error has occurred: The specified domain either does not
exist or could not be contacted.


Ditto.  While the wiki *did* work a few weeks ago, I had to
reinstall Win7 after a 'System-Restore' deleted most files on the disk.
(There wasn't much on it except for program installations).  I am able
to join with a XP client -- unjoined, rejoined, rejoiced.  But the Win7
is giving nothing in the log (level 4) concerning the problem and in 
Wireshark, I'm seeing attempts at Net LOGON both with blank names and
with the machine name (machine$), and the Samba (3.4.3) DC says name
doesn't exist.  I do have the dword entries as mentioned in the wiki --
and that did work last time, but this time, nada.

Not sure what debugging step to try next.  Ideas?

*sigh*...one step forward, two steps back...
-l


Re: [Samba] samba 3.4.2-1: ERROR! Out of file structures

2009-11-26 Thread Linda Walsh

Justin Piszcz wrote:

When performing a lot of file I/O on a samba share, I see the following:
Nov 15 16:01:47 l1 smbd[31472]:   ERROR! Out of file structures 
Is the proper fix to, e.g.:

ulimit -n 32768 before starting samba?

Or is there a samba-specific option that should be used instead?

Justin.

-
	I have a 'ditto' here, also running 3.4.2-1 (64-bit).  I've seen 
it with a win7 client -- the client throws an exception claiming it's 
lost the connection to the server when this happens.  I usually have 
to reopen the share it happens on from the root when this happens -- 
it's like it loses its place in a large tree of files.


Seems Windows 7 might be using more file descriptors.



Re: [Samba] Samba 3.2.15 is working with Winows 7 !!!

2009-11-14 Thread Linda Walsh

Daniel Müller wrote:

After a lot of trying this is the solution for all with samba 3.2.15
installed. My Windows 7 client machine joins the domain on the fly 
with this registry hack.


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters] 
DomainCompatibilityMode=dword:0001 
DNSNameResolutionRequired=dword: 


These were key for me.  The other ones were already
in my registry, but these 'values', added under the Parameters 
'key', worked like a charm.  Thanks!


Not sure what the DomainCompatibilityMode refers to, but
I can understand the DNS name resolution issue being a problem,
since my local domain name isn't really part of my DNS chain.

	Interesting, them making that a requirement -- guess they 
are trying to get rid of that irregularity.  A good heads-up
for me with future Windows versions...*sigh*.


[Samba] Samba assignment of privileges

2009-10-09 Thread Linda Walsh

Even though Samba doesn't use all of the NT privileges, does it allow assigning 
them to domain
users or groups?
I.e. this list:
| Group Policy Name | Constant Name |
| Access this computer from the network | SeNetworkLogonRight |
| Access Credential Manager as a trusted caller | SeTrustedCredManAccessPrivilege |
| Act as part of the operating system | SeTcbPrivilege |
| Add workstations to domain | SeMachineAccountPrivilege |
| Adjust memory quotas for a process | SeIncreaseQuotaPrivilege |
| Allow log on locally | SeInteractiveLogonRight |
| Allow log on through Terminal Services | SeRemoteInteractiveLogonRight |
| Back up files and directories | SeBackupPrivilege |
| Bypass traverse checking | SeChangeNotifyPrivilege |
| Change the system time | SeSystemtimePrivilege |
| Change the time zone | SeTimeZonePrivilege |
| Create a pagefile | SeCreatePagefilePrivilege |
| Create a token object | SeCreateTokenPrivilege |
| Create global objects | SeCreateGlobalPrivilege |
| Create permanent shared objects | SeCreatePermanentPrivilege |
| Create Symbolic Links | SeCreateSymbolicLinkPrivilege |
| Debug programs | SeDebugPrivilege |
| Deny access to this computer from the network | SeDenyNetworkLogonRight |
| Deny access to this computer from the network | SeDenyBatchLogonRight |
| Deny log on as a service | SeDenyServiceLogonRight |
| Deny log on locally | SeDenyInteractiveLogonRight |
| Deny log on through Terminal Services | SeDenyRemoteInteractiveLogonRight |
| Enable computer and user accounts to be trusted for delegation | SeEnableDelegationPrivilege |
| Force shutdown from a remote system | SeRemoteShutdownPrivilege |
| Generate security audits | SeAuditPrivilege |
| Impersonate a client after authentication | SeImpersonatePrivilege |
| Increase a process working set | SeIncreaseWorkingSetPrivilege |
| Increase scheduling priority | SeIncreaseBasePriorityPrivilege |
| Load and unload device drivers | SeLoadDriverPrivilege |
| Lock pages in memory | SeLockMemoryPrivilege |
| Log on as a batch job | SeBatchLogonRight |
| Log on as a service | SeServiceLogonRight |
| Manage auditing and security log | SeSecurityPrivilege |
| Modify an object label | SeRelabelPrivilege |
| Modify firmware environment values | SeSystemEnvironmentPrivilege |
| Perform volume maintenance tasks | SeManageVolumePrivilege |
| Profile single process | SeProfileSingleProcessPrivilege |
| Profile system performance | SeSystemProfilePrivilege |
| Remove computer from docking station | SeUndockPrivilege |
| Replace a process level token | SeAssignPrimaryTokenPrivilege |
| Restore files and directories | SeRestorePrivilege |
| Shut down the system | SeShutdownPrivilege |
| Synchronize directory service data | SeSyncAgentPrivilege |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege |

When I look at the net sam rights command -- I see no way to assign the 
privilege,
but for Samba to act as a PDC, shouldn't it be able to manage all of the 
rights/privileges even
if it doesn't use them itself?

How difficult would it be to manipulate the bits if the actual privs system is 
already in place?

Linda


[Samba] how does one edit a domain group

2009-10-09 Thread Linda Walsh

After I mapped a local group to a domain group, I'm no longer able
to edit it with 'net sam'.

Is there another tool I should use?  How do I add users on other
computers, in the domain to the group?

I don't see a tool on a client station for allowing editing of
domain groups??

I tried a NT4-compat remote domain management tool, but it just
crashed when I tried to connect it to samba...(oops/sigh)...

-linda


[Samba] progress! (just good news...no problems this post)!

2009-09-22 Thread Linda Walsh
Thanks to various inputs (and lots of reading/rereading of my books/manpages) 
and lots of experimentation...(and light bulbs turning on).

I now have windows ACLS/permissions working on my samba shares and they are
being automatically stored in the XFS xattrs.  (I checked that they are being
added on the server with the xattr cmd).  Yippie! (yeah, big whoop to you ol' 
timers,
but...baby steps).  This was my happiest accomplishment!  Other smaller steps:

Converted to tdbsam (from smbpasswd) (at least until I get ldap working).
and have domain users/groups working (again! -- they were working a few years 
ago,
but during some upgrade, they stopped.  Any wonder why I tremble at server 
upgrades?)

Even am trying out the equivalent of the 'trashcan' (too bad it's not 
integrated 
in windows with undo and with the trashcan-icon functionality...).

Now I wonder if I can get the windows system-restore service to start keeping
state on some of those drives:-).

Just thought I'd buck the normal trend and post some positive stuff about
things I've gotten working over the past few weeks...

-linda




[Samba] smb.conf(5) format meaning question

2009-09-17 Thread Linda Walsh
In the smb.conf manpage, there is a notation used, (G) or (S) for global or 
share.

Does (S) mean it can only be used in a Share section (i.e. - will be ignored 
in the global section), or is that they *can* be applied at the share level, 
and, possibly set a default in the 'G'lobal section?

example:
ea support = yes

Seems like that could mean that extended attrs are supported globally, 
though, as it is marked with an (S), I'm not sure if that's a valid
interpretation.  I didn't see, or missed the section before the first use
of the notation that tells me if (S) means will only have an effect in
a 'S'hare section or if it means it can be used in either place.

I've sorta got it in my head that most (S) switch that could make sense 
globally,
could be used/set in the global section as a 'default' for all shares, but
I don't find that documented in the manpage, so I'm questioning...??

thanks..
-linda
(maybe the manpage could be more clear (if it's the case that I don't need 
reading
glasses and missed it...;^) ).


Re: [Samba] smb.conf(5) format meaning question

2009-09-17 Thread Linda Walsh
Michael Wood wrote:
 S means it can be used in a share definition and also in the Global section:
 
 I've sorta got it in my head that most (S) switch that could make sense 
 globally,
 could be used/set in the global section as a 'default' for all shares, but
 I don't find that documented in the manpage, so I'm questioning...??
 
 It's in the PARAMETERS section.

Thanks for pointing to the right paragraph.  I think I glossed over
it because I didn't see the same notation in the definition, as used in
the successive text. 

There are some notational conventions used in the documentation
that I feel could use some improvement, but I know, in some cases, that
the underlying source is based on DocBook, and I don't know if some of
those conventions are enforced by DB, or can be adjusted with a style
sheet.  But until I think or come up with a better concrete solution,
I'll keep my mouth shut and just thank you for pointing me at the 
correct section...:-)

 Linda



[Samba] Domain SID vs. Local SID on Domain Controller SID requirements

2009-09-15 Thread Linda Walsh
IF a samba server is setup to be a domain controller, should
its local SID = the domain SID?

Also, what are the requirements of a SID?

I usually see S-1-5-21-x-y-z, where x,y,z = 10 digits, but
could x,y,z be 1,2,3 (for example)?   I.e. do they have to be
10 digit numbers or can they be shorter? 

If I have a simple setup, and want a sid I can remember can I
just make it 'short'?



Re: [Samba] Domain SID vs. Local SID on Domain Controller SID requirements

2009-09-15 Thread Linda Walsh
simo wrote:
 On Tue, 2009-09-15 at 11:42 -0700, Linda Walsh wrote:
 If a samba server is set up to be a domain controller, should
 its local SID = the domain SID?
 
 yes the PDC exports the local SAM as the domain SAM
 (the SAM is the DB where user information is stored including SIDs)

excellent!


 If I have a simple setup, and want a sid I can remember can I
 just make it 'short'?
 
 No, user SIDs are composed of Domain SID + RID; the Domain SID part is
 identical for all domain users and is generated once by the PDC at
 installation time.

Sorry -- my fault -- I wasn't clear, I meant setting the
Domain SID (net setdomainsid S-1-5-21-1-2-3).
Sounds like the answer is yes...it can be any 32-bit int in those fields.
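
The SID layout discussed in this thread (account SID = domain SID + RID, every sub-authority field an unsigned 32-bit integer), as an added example that is not part of the original posts and not Samba's own code. The function names are hypothetical; S-1-5-21-1-2-3 is the value from the post and the account SID with RID 513 is a constructed sample.

```python
import struct

MAX_SUBAUTH = 0xFFFFFFFF  # each sub-authority is an unsigned 32-bit integer


def parse_sid(text):
    """Return (revision, authority, [sub-authorities]); raise ValueError if malformed."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    if not all(p.isascii() and p.isdigit() for p in parts[1:]):
        raise ValueError("non-numeric field in %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError("bad revision, authority or field count in %r" % text)
    if any(s > MAX_SUBAUTH for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits: %r" % text)
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_account_sid(text):
    """Split an account SID into (domain SID, RID): the RID is the last field."""
    revision, authority, subs = parse_sid(text)
    if len(subs) < 2:
        raise ValueError("no domain part and RID in %r" % text)
    return format_sid(revision, authority, subs[:-1]), subs[-1]


def sid_to_bytes(text):
    """Binary form: revision, field count, 48-bit big-endian authority,
    then each sub-authority as a little-endian 32-bit integer."""
    revision, authority, subs = parse_sid(text)
    head = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)


if __name__ == "__main__":
    domain = "S-1-5-21-1-2-3"        # the short domain SID from the post
    account = domain + "-513"        # constructed sample: domain SID + RID 513
    print(split_account_sid(account))
    print(sid_to_bytes(domain).hex())
```

The binary form shows where the size limit comes from: each field after the authority occupies exactly four bytes, so short values such as 1, 2, 3 are as valid as ten-digit ones.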


[Samba] doc examples bug regarding 'xattr' special switch need

2009-09-14 Thread Linda Walsh
This may already be fixed, but various places talk about the need
for a 'user_xattr' switch on mounts to use extended attributes.

I've never known 'xfs' to have such a switch -- if they are enabled
in the kernel, they just work -- I tried it.

I also tried adding the switch and verified it is not an accepted
switch for XFS.   Is the documentation referring to some newer
filesystem that has incompatible options (regarding external 
attributes)?   

I'm running a stock SuSE kernel and they are enabled by default (and
fully available to non-root users).  



[Samba] How to get Default builtins added?

2009-09-14 Thread Linda Walsh
I recently decided to upgrade to the tdbsam: backend, but I'm
missing the built-in security principals.

Do I need to go back to the smbpasswd backend, and add them in
the file *first* before converting?

I had them there at one point, but I think I deleted
them because they weren't working.  (Cygwin's mkgroup command couldn't
seem to pull in the groups from my samba server). But, by default,
files I create through the 'gui' get created with group '513' (Domain
User).

Any scripts to add the default principals to a newly
converted TDBSAM?

Thanks for any help...been hitting the Samba-3 howto book and
the pdf updates and man pages to no avail, and my fingers are 
falling off (sigh).

linda



Re: [Samba] How to get Default builtins added?

2009-09-14 Thread Linda Walsh
FYI -- I tried adding them with pdbedit but it said they don't exist
in /etc/passwd -- but they 'do'...just with not the same exact names.

I was going to use the 'map' command to map the names from the tdbsam
to the unix side, but I have to get them into the tdb sam first.

Also, I really wasn't clear about how I am to add the principals --
I know the form of the sids, but isn't a large part of it to be
filled in by the samba-server when I add the user?


tnx 
-l


[Samba] Re: nmbd: broadcast packet send FAILURE: Invalid argument.

2009-06-10 Thread Linda Walsh

Previously I wrote (abbreviated msg summary):

nmbd: become_domain_master_browser_bcast: Attempting to become dom mast \
  browser, wrkgrp BLISS, subnet 192.168.3.1;  nmbd/nmbd_become_dmb.c: \
  become_domain_master_browser_bcast(304)
become_dom_master_browser_bcast: querying subnet 192.168.3.1 for \
dom mastr brwsr on wrkgrp BLISS
2 x {
libsmb/nmblib.c:send_udp(839);  Packet send failed to 192.168.3.255(137) \ 
 ERRNO=Invalid argument; nmbd/nmbd_packets.c:send_netbios_packet(160) }

}
send_netbios_packet: send_packet() to IP 192.168.3.255 port 137 failed
nmbd/nmbd_namequery.c:query_name(244);  query_name: Failed to send \
  pckt trying to query name BLISS<1d>



Looking at traffic from the originating machine, on port 137, I see:
Source  Dest.   Proto   Info
4 x {   #Note: ISHTAR=primary hostname, others are aliases
    for $HOSTNAME$ in ISHTAR, WEB-PROXY, CLOCK, WPAD; see {
        Ishtar  bcast   NBNS    Registration NB $HOSTNAME$<20>
        Ishtar  bcast   NBNS    Registration NB $HOSTNAME$<03>
        Ishtar  bcast   NBNS    Registration NB $HOSTNAME$<00>
    }
    Then 3 lines for $HOSTNAME$=BLISS (domain name), but with
    suffix values of:
        00, 1e, 1c
}
About 31 seconds later, I see some client interaction with some valid
and an 'invalid' (or potentially misleading) response(?):
Source  Dest.   Proto   Info
Athena  Ishtar  NBNS    Name query NB BLISS<1c>
Ishtar  Athena  NBNS    Name query response NB 192.168.3.1
Athena  Ishtar  NBNS    Name query NB BLISS<1b>
Ishtar  Athena  NBNS    Name query response NB 127.0.0.2
At about 608.2 second intervals, there were 4 repetitions of the above
4 lines (when I terminated monitoring).

1st Observation -- There is nothing on the line indicating what the
parameter ERROR is that is being returned in the log
2) Should NMBD be 'advertising' to other hosts that it is a master
browser for 127.0.0.2?  It seems it should limit that information
to any 'clients' on the host, but not broadcast that to other
hosts, as their 'localnet', if it had more than one host (i.e.
virtual hosts) would be 'local' to those other hosts -- i.e. I'm
not sure it would be a global NBNS for other host's local subnets
(which would be virtual 'vmnets', I believe...no?)



[Samba] why is my nmbd confused about network interfaces?

2009-06-09 Thread Linda Walsh

The only thing related to 'addresses' in my
/etc/samba/smb.conf file is a hosts allow:
hosts allow = 192.168.3.0/24 127.1

I'm going to ignore the 'local hosts' case, as if I solve the other,
the localhost case may get solved by inference.

I thought the 'hosts allow' would allow any host on the
local 192.168.3.0/24 subnet.

The hosts have no problems that I'm aware of, but 'nmbd'
is issuing confused messages in the log.

Upon starting it tries (and successfully) becomes the
For the local subnet, it starts out trying to become master on subnet
'192.168.3.1', but isn't the subnet 192.168.3.0?

Then it gets further errors and eventually fails:

nmbd:  become_domain_master_browser_bcast:
nmbd:  Attempting to become domain master browser on workgroup BLISS \
   on subnet 192.168.3.1
nmbd: nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(304)
nmbd:  become_domain_master_browser_bcast: querying subnet 192.168.3.1 \
   for domain master browser on workgroup BLISS
nmbd:  libsmb/nmblib.c:send_udp(839)
nmbd:   Packet send failed to 192.168.3.255(137) ERRNO=Invalid argument
nmbd:  nmbd/nmbd_packets.c:send_netbios_packet(160)
nmbd:  libsmb/nmblib.c:send_udp(839)
nmbd:   Packet send failed to 192.168.3.255(137) ERRNO=Invalid argument
nmbd:  nmbd/nmbd_packets.c:send_netbios_packet(160)
nmbd:   send_netbios_packet: send_packet() to IP 192.168.3.255 port 137 failed
nmbd:  nmbd/nmbd_namequery.c:query_name(244)
nmbd:  query_name: Failed to send packet trying to query name BLISS<1d>

My local 'ifconfig for eth0' shows my inet params as:
  inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0

So it would 'seem' to be in order.

Any ideas why I am getting this repetitive failure?

If nmbd successfully becomes the master-browser, will it stop retrying
every 5 minutes (*crossing fingers*)?

Thanks,
Linda




[Samba] Re: 1MB/s gigabit transfers on dell poweredge

2009-03-24 Thread Linda Walsh

John Drescher wrote:

On Sat, Mar 14, 2009 at 1:52 PM, Ian McDonald i...@st-andrews.ac.uk wrote:

Raid 5 is not a good setup for performance...


It's not good for database performance and random small writes but it
shines in large file operations. Either way a 3 disk raid5 (software
or hardware) should be able to generate 100MB/s sustained on linux so
this probably is not an issue.

-

Especially since John Terpstra's home setup uses a 4-disk RAID and
gets up to 90MB xfers over CIFS.  (Is that with standard size network/TCP
packetsizes?  Or anything non-default for tuning on that?) :-)




[Samba] RFE: manpage smb.conf`

2009-03-24 Thread Linda Walsh


Under log level (debuglevel) there is nothing to indicate what the
numbers mean; there is only the enumeration of debug-sections.


While I wouldn't need what each number does in each debug area,
I did note the following helpful behavior regarding use of numbers
only (which I presume would be equal to specifying that number for 'all',
or listing out all sections).
0 = nothing
1 = session/workstation logins, filesystem attaches
(i.e. ~1 cluster of msgs/workstation login)
2 = per-file open & close (& other)...
3 = ~11 times output in '2'...
 maybe sufficient ---
--


'1' and maybe '2' would be useful to document as useful 'features'.
And, the fact that '3' expands logging by such a large amount (well
beyond 'normal needs' by nearly any measure).


Reason(s):

  For my 'debug' purposes (at one point),  '2' would have been
what I was looking for.  Instead, I chose '3', not realizing, until
recently, *how much* *extra* logging info, that generated ... ;^}

-  For _my_ normal usage, maybe '1' would be reasonably what I'd
like as it gives me an idea that things are working w/basic session
connect info, but should have little impact on performance & security,
whereas,
- '2', gives, at least, 1-2 hits per-file in the log (open,close & ???).
-  As for '3'(or above):   OMG!   ...
   (I don't remember 3 being so verbose at some, perhaps, distant, point
in the past...)

Things keep changing, I know, but hard to keep even 1 finger on the pulses
of every program used.

  I like the (new?) name debuglevel over log level.

It indicates more clearly that it's pretty much limited to debug,
and only coincidentally has some informational 'session-only'
log entries for hosts (at =1), and, similarly,
has (at least) open/close entries for every file access, per-host (at =2)

  Might be nice to have those levels of functionality {
(1) Session login & filesystem attaches,  and
(2) per-file-audit operations
} specified apart from debug, but that's just a 'polish' detail that
I've no idea anyone would want or need apart from a debug context
(where the levels are not documented for someone who only wanted
to turn on such basic logging levels).





Re: [Samba] Re: 1MB/s gigabit transfers on dell poweredge

2009-03-24 Thread Linda Walsh

John H Terpstra - Samba Team wrote:

Linda Walsh wrote:

Especially since John Terpstra's home setup uses a 4-disk RAID and
gets up to 90MB xfers over CIFS.  (Is that with standard size network/TCP
packetsizes?  Or anything non-default for tuning on that?) :-)



My TCP/IP is at default settings - no tuning at all.  It works well
enough that I can't be bothered with tuning.

---
I can see why.

At 90MB over a 1GB line, tuning would be an unneeded luxury.

(I'm lucky to get a sustained 700Mb for any xfer over my 1GB-ether,
but my fileserver isn't running raid and is running with P-III's)

Cheers,
Linda W.




Re: [Samba] Accent problem

2005-08-18 Thread Linda Walsh

use UTF-8 on your samba server (delete both the unix and display
charset).  Might check to see that your server is setup in UTF-8
as well, but I think this is the default in SuSE these days.
(see /etc/sysconfig/language and related variables and manpages).

That should pass through file-name support that will have the files looking
the same on your linux box and windows box...

Linda

Cédric MARCOUX wrote:


Hi!

I just wonder how to set up samba to correctly handle accented
characters.

At this moment, if I write Cédric through the windows network, Cédric
appears correctly through the windows share; however, Cédric is written
as C?dric on the linux server, thus I cannot write back C?dric to a
windows machine through smbmount because ? is not accepted for writing
on remote FAT32.

Does anybody have the magic number?

For the moment here is my configuration:

Samba 3.02a on SuSE 9.1
using
unix charset = ISO8859-15
display charset = ISO8859-15

I have tried to mount remote windows share with cifs, different
iocharset and codepage but ever able to copy C?dric (that is normal)

So the only thing I want to know is how to set up Samba to write
Cédric on the server and not C?dric.


Regards,


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba