Re: [Samba] ldapsam:editposix
Sent this direct to the poster again, and not to the list. Here it is for the list.

On 12/10/2008, at 3:53 AM, Norberto Bensa wrote:

> Hello list,
>
> I'm trying to set up Samba to use:
>
>     ldapsam:editposix = yes
>
> but I'm having problems to add users via smbpasswd -a. It seems smbpasswd tries to modify an existing entry (and failing, of course) instead of adding a new entry.
>
> Is that a bug, a configuration problem, or intended behavior? Do I need to create a posixAccount entry prior to using smbpasswd -a?

Yes, you do. Or, at least, that's the way I've always had to do it. I have a small script with an LDAP template that makes the minimal entries in the LDAP for a posixAccount and shadowAccount for the user, then creates the samba account.

-- 
Matt Skerritt

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Server Migration Problem
Gidday

I am in the process of finishing a server migration (to a new server), and am having problems with samba on the new server. The old server was running samba 3.0.22-r3 on a Gentoo machine, and the new server is running Samba 3.0.25a on a Solaris 10 machine. I have copied the files across OK, I have copied the samba configuration OK, samba runs fine, connects to the ldap backend fine, seems to check passwords fine, and even lets me connect to the file shares just fine.

The problem is that the clients don't recognise the new server as their domain controller. Attempts to log in with a username that is not already cached on the client return a "The domain DOMAIN is not available" error. If I remove the computer from the domain, and then try to reconnect it, it brings up the error saying "A domain controller for domain DOMAIN could not be contacted", and an advanced info button seems to indicate that I should check that my domain is registered properly in WINS.

Doing an smbclient -L //NEWSERVERNAME/ gives me:

    Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.25a]

            Sharename       Type      Comment
            ---------       ----      -------
            temp            Disk
            test            Disk
            c               Disk
            blah            Disk
            stuff           Disk
            IPC$            IPC       IPC Service (Allstaff Fileserver)
            someuser        Disk      Home Directories
    Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.25a]

            Server               Comment
            ---------            -------
            BROTHER-COLOUR
            BROTHER1
            BROTHER2
            OLDSERVERNAME        Fileserver
            NEWSERVERNAME        New Fileserver

            Workgroup            Master
            ---------            -------
            DOMAIN               OLDSERVERNAME

(I've changed the names here to protect the innocent, but I think I've kept it unambiguous).

If I log onto the clients (using a username whose password is cached by the client) I notice that the environment variable LOGONSERVER is still set to the name of the old server. That may just be part of the caching, however - I'm not sure.

Any ideas on what I should do? Do I need to change the sambaSID entry in the sambaDomainName=DOMAIN,LDAPBASE entry of my ldap server?

Included here is a copy of my smb.conf, if that helps.

    [global]
            workgroup = DOMAIN
            realm = DOMAIN
            server string = Fileserver
            map to guest = Bad User
    #       smb passwd file = /etc/samba/private/smbpasswd
            passdb backend = ldapsam:ldap://ldap.dns.domain/
            socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            logon script = logon.cmd
            logon path = \\%N\profiles\%U
            logon drive = H:
            logon home = \\fileserver\%U
            domain logons = Yes
            os level = 255
            preferred master = Yes
            domain master = Yes
            dns proxy = No
            wins support = Yes
            ldap admin dn = cn=IT_Administrator,LDAP SUFFIX
            ldap group suffix = ou=Group
            ldap idmap suffix = ou=Idmap
            ldap machine suffix = ou=Computers,ou=Users
            ldap suffix = LDAP SUFFIX
    #       ldap ssl = start tls
            ldap user suffix = ou=People,ou=Users
            template homedir = /dev/null
            nt acl support = Yes
            ea support = Yes
            map acl inherit = Yes
            print command = /usr/bin/lp -d '%p' %s; rm %s
            lpq command = /usr/bin/lpstat -o '%p'
            lprm command = /usr/bin/cancel '%p-%j'
            lppause command = lp -i '%p-%j' -H hold
            lpresume command = lp -i '%p-%j' -H resume
            queuepause command = /usr/bin/disable '%p'
            queueresume command = /usr/bin/enable '%p'
            hide files = /thumbs.db/Thumbs.db/

Thanks in advance.

-- 
Matt Skerritt
Re: [Samba] Server Migration Problem
Oops - I accidentally sent this reply direct to Helmut, instead of to the list. Here it is for the list. My most humble apologies to you Helmut - I neglected to check which address the reply was going to.

On 02/10/2008, at 7:02 PM, Helmut Hullen wrote:

> Hallo, Matt,

Gidday, and thank you for your reply.

> Have you transferred the localsid from the old to the new server?

I just tried this then, and it didn't seem to make a difference. The old server has two SIDs ... Here's the output:

    $ sudo net getlocalsid
    SID for domain CORWIN2 is: S-1-5-21-2514297305-1808913229-953362460
    $ sudo net getlocalsid ALLSTAFF
    SID for domain ALLSTAFF is: S-1-5-21-3463326904-3566436207-4149259612

(I'm not going to bother hiding the domain and computer names anymore). ALLSTAFF is the name of the samba domain. CORWIN2 is the name of the old server. The name of the new server is INFRASTRUCTURE. The localsid on INFRASTRUCTURE used to be S-1-5-21-1308997507-3478987709-343013683.

I tried using net setlocalsid to change the SID on the new server, and tried both of the SIDs above from CORWIN2, but the clients still did not see the domain controller in either case.

I have the following entries in my ldap database for the domains (from an ldapsearch sambaDomainName=*):

    # INFRASTRUCTURE, Allstaff Recruitment, Hamilton, NSW, AU
    dn: sambaDomainName=INFRASTRUCTURE,o=Allstaff Recruitment,l=Hamilton,st=NSW,c=AU
    sambaDomainName: INFRASTRUCTURE
    sambaSID: S-1-5-21-1308997507-3478987709-343013683
    sambaAlgorithmicRidBase: 1000
    objectClass: sambaDomain
    sambaNextUserRid: 1000
    sambaMinPwdLength: 5
    sambaPwdHistoryLength: 0
    sambaLogonToChgPwd: 0
    sambaMaxPwdAge: -1
    sambaMinPwdAge: 0
    sambaLockoutDuration: 30
    sambaLockoutObservationWindow: 30
    sambaLockoutThreshold: 0
    sambaForceLogoff: -1
    sambaRefuseMachinePwdChange: 0

    # ALLSTAFF, Allstaff Recruitment, Hamilton, NSW, AU
    dn: sambaDomainName=ALLSTAFF,o=Allstaff Recruitment,l=Hamilton,st=NSW,c=AU
    sambaDomainName: ALLSTAFF
    sambaSID: S-1-5-21-3463326904-3566436207-4149259612
    sambaAlgorithmicRidBase: 1000
    objectClass: sambaDomain
    sambaNextUserRid: 1000
    sambaMinPwdLength: 5
    sambaPwdHistoryLength: 0
    sambaLogonToChgPwd: 0
    sambaMaxPwdAge: -1
    sambaMinPwdAge: 0
    sambaLockoutDuration: 30
    sambaLockoutObservationWindow: 30
    sambaLockoutThreshold: 0
    sambaForceLogoff: -1
    sambaRefuseMachinePwdChange: 0

Should I try and set the sambaSID entry for the ALLSTAFF domain to be the SID for INFRASTRUCTURE?

> Sometimes that helps:
>
>   change domain logon to workgroup; new start
>   change workgroup to domain logon; new start
>
> Sometimes you may need to change the computername too. But that leads to problems with the profile ...
>
> The background may be some information about the old server is stored somewhere in the client's registry.

Yes, I've been trying this, and it's not working :(. ... I'm just about at the stage where I'm going to set the NETBIOS name of the new server to be the same as the old server ;)

-- 
Matt Skerritt
Re: [Samba] Server Migration Problem
Problem solved!

Apparently the SID for the domain doesn't matter when there's an LDAP server, as samba reads the SID from the LDAP entry for the domain (it does a search for sambaDomainName=DOMAIN).

My problem was rather pathetically simple. Turns out that Solaris separates out the nmbd and smbd processes. I had turned on samba (smbd) but not wins (nmbd). I've enabled wins, and everything's fine now - except that I feel dreadfully embarrassed ;)

On 02/10/2008, at 6:26 PM, Matt Skerritt wrote:

> Gidday
>
> I am in the process of finishing a server migration (to a new server), and am having problems with samba on the new server. The old server was running samba 3.0.22-r3 on a Gentoo machine, and the new server is running Samba 3.0.25a on a Solaris 10 machine. I have copied the files across OK, I have copied the samba configuration OK, samba runs fine, connects to the ldap backend fine, seems to check passwords fine, and even lets me connect to the file shares just fine.
>
> [snip]

-- 
Matt Skerritt
Re: [Samba] Samba as nonroot
Oops, I accidentally sent this to Michael's own email, not to the list. Here it is again in the right place.

On 14/05/2008, at 9:48 AM, Michael Heydon wrote:

> [address withheld] wrote:
>
>> Hi,
>>
>> I'm trying to run samba as a non-root user and I was wondering if this is even possible
>
> No, it's not.
>
>> and if not what is preventing it from being run as a normal user??
>
> You couldn't bind to privileged ports would be the big one. You might be able to modify the source so it runs on different ports (although that would mean windows systems couldn't connect, you might be able to coax another samba machine into it), you would then have issues with permissions (you couldn't suid/sgid to the connecting user). Also, I think samba needs to be able to fork and execute.

It ought to be possible on Solaris 10 using privileges - I intend to test this myself in the next few weeks. (I currently have a DHCP server running successfully as a non-root user, binding to privileged ports etc etc). I'll report my findings if anybody is actually curious.

-- 
Matt Skerritt
Re: [Samba] Windows Vista roaming profiles access denied forcedlocalprofile (samba PDC), but Windows XP OK
Haven't had a look at the log file yet, but are your machines able to make new files on the profiles share? ... Vista, when I tested it a month or so back, made a new profile directory for Vista in the profiles share called username.V2 (so any user that logged onto Vista had two roaming profiles - one for Vista and one for XP).

Hope that helps you a bit.

On 17/02/2007, at 10:32 PM, Elliot Mackenzie wrote:

> Urgh. The log file is here: www.adixein.com/smbdlog.tar.gz.
>
> M.
>
> -----Original Message-----
> From: [address withheld] On Behalf Of Elliot Mackenzie
> Sent: 17 February 2007 11:25
> To: samba@lists.samba.org
> Subject: RE: [Samba] Windows Vista roaming profiles access denied forcedlocalprofile (samba PDC), but Windows XP OK
>
> Second part of the log.
>
> M.

-- 
Matt Skerritt
Re: [Samba] Should samba be split between client server
On 30/01/2007, at 8:48 AM, Jason Baker wrote:

> I am just wondering what issues we will all face with the coming of Windows Vista. Once I start purchasing client machines with Vista pre-installed, how will this impact making that new machine a member of a SAMBA controlled domain?

Well, since I insisted on buying all my Windows XP licenses with Software Assurance, I have gotten to download and use Vista free of charge. As such I did so and chose one of our laptops to be rebuilt with Vista and to be a test machine.

Vista joined my Samba NT domain without any issue at all. One thing I noticed is that Vista has a different profile to Windows XP. So for user joeblogs, Windows XP goes looking for \\servername\profileshare\joeblogs, and Windows Vista goes looking for (and creates if it is not there) \\servername\profileshare\joeblogs.V2. I did not try saving a default profile as "Default User.V2" to see if a new user got those defaults when their new profile was created :(.

However, the big gotcha I found, and the one that is going to stop me even thinking of testing Vista as a serious desktop replacement for my machines here, is that it did not apply the system policies from \\servername\netlogon\ntconfig.pol. I don't even know if it will do system policy. I have a gut feeling that once I get around to asking Microsoft if I can use NT System Policies with Vista, they're going to tell me no, and to go get a Windows server with group policy. Although I hope it's just something simple like having an ntconfig.pol.V2 or something (similar to the profiles). We'll see.

Since then more important things have cropped up and I stopped experimenting. The laptop in question was rebuilt again, as a standalone machine (not on the domain) with Windows Vista still. The actual end users of the laptop have said they very much like the new Windows and have found it easy to use. *shrug* It looked like an improvement to me, but nothing greatly different in terms of operation.

Still, s'long as they're happy :)

-- 
Matt Skerritt
Re: [Samba] passwd chat for samba-kerberos passwd-sync
On 01/02/2007, at 12:23 AM, Torsten Becker wrote:

> Hello!
>
> I tried to run a samba3 server as PDC for Windows XP clients with LDAP backend and Kerberos authentication. I'm stuck with these two possibilities:
>
> 1. Samba is PDC, WinXP is domain member, users are authenticated against smbpasswords within ldapsam. If the Kerberos password of the corresponding principal has the same password, the users get a ticket from the KDC after Windows logon. But I have two password databases: ldapsam and Kerberos.

I currently have this setup at my place of work. The only catch is that I have to install the MIT Kerberos for Windows release in order to get the Kerberos tickets from the KDC at login - and not all kerberised Windows apps know about the MIT Kerberos libraries for Windows :( (fortunately the Postgres ODBC drivers, Mozilla Firefox and Thunderbird, and PuTTY are so aware).

Is this what you had in mind, or do you actually have a way to convince Windows XP itself to get a ticket from the KDC after login to the Samba domain? I would be very interested if you did.

-- 
Matt Skerritt
Re: [Samba] Domain logons and client IP broadcasts
I had a very similar problem (without the worm) not too long ago. My current setup has the following in the DHCP server:

    option netbios-node-type 2;
    option netbios-name-servers a.b.c.d;

(where a.b.c.d is the actual IP address of my PDC). This tells the Windows clients to use peer-peer mode (only uses WINS, doesn't use broadcast) and tells them where the WINS server is. This is working quite well, and previously unknown (and uncached) users have no problems logging onto the workstations.

You also need to have wins support = yes in your smb.conf, of course. (Which, I notice, you say you already have).

I did have a couple of teething problems with this setup still exhibiting the same problems, but they went away. I think you might need to be sure that the samba server is, indeed, the master browser - by starting it up before any other clients on the Windows network, but that's just a wild guess.

Hope this helps.

On 31/01/2007, at 7:14 AM, Sherwood Botsford wrote:

> Ok, I'm stumped.
>
> Last week domain logons worked. Now when I try to logon, I get a message, "You could not logon because the SJSA domain is not available."
>
> I've had this happen before when the trust account between the client and server was out of sync (restored a disk image that had a different trust account password). To fix this, it has been sufficient to quit the domain, reset the password for the machine account, and rejoin the domain.
>
> If I do this, I get a new message: "The specified domain either does not exist or could not be contacted".
>
> If I log in as a local user, I can map network shares with no problem.
>
> *** Had an idea to test, and now have some more info.
>
> I've recently had problems with a network worm. Part of my plan is to minimize broadcast traffic, and create a situation where the clients can't see each other at all. To this effect I used f-secure to block all tcp traffic to 192.168.1.2 to 192.168.1.239, which corresponds to my client space. This part seems to work.
>
> The rule that got me was I tried to block 192.168.1.255 -- the broadcast address, thinking that if the clients couldn't do broadcasts, they wouldn't be able to find each other.
>
> My server is set up with wins support = yes with name resolution order of lmhosts (which has the names of my servers) dns hosts, but no broadcast.
>
> At first I thought that without broadcast, it couldn't send arp requests, but arps are ether broadcasts, not tcp. And if the profile was cached, then logons worked, and browsing worked.
>
> So finally my questions:
>
> 1. Why does stopping ip broadcasts break domain logons, but not browsing shares?
>
> 2. What changes can I make to my setup to further inhibit client to client communication?

-- 
Matt Skerritt
[Samba] Remote Registry Changes
Heyho.

I'm trying to add registry entries to my workstations remotely from my server. I can currently do this remotely from any other workstation, using the standard Windows regedt32, but I'd like to do it from the server. .. The server is Samba 3.0.22-r3 on a Gentoo server.

I've been digging around for a while now, and have managed to find docs for samba-tng which seem to allow this (which is useless to me as I'm not using samba-tng :) ), and a couple of sites that suggest that the command 'regcreatekey' should be usable with the rpcclient command. (One example is from http://www.linuxtopia.org/online_books/network_administration_guides/using_samba_book/appd_01_00.html). Actually, I even seem to find a reference to them in the patch file here: http://lists.samba.org/archive/samba-cvs/2005-February/054808.html

Anyway, there is no documentation of this (or any similar) commands in the rpcclient man page, or help text, nor the net command's man page or help text, and no attempts to find them or get them to work have worked.

So ... has this been removed or something? More importantly, is it actually possible to do what I want?

Thanks

-- 
Matt Skerritt
Re: [Samba] Accessing Samba Shares from Windows
On 21/12/2006, at 7:39 AM, Mirceac Ionescu wrote:

> Hello Jerry,
>
> I completely agree with you! But I can't change this.

Why does this sound like it's been a management type decision? :)

> All I may be able to do is to figure out how our Windows XP user (using a Windows 2003 DC) can access samba share on a Solaris machine with server authentication. I'm still unable to figure out why it is working just fine in samba 2.2.8a and not at all in samba 3.0.21b.

One thought I just had ... have you actually created samba accounts on the Solaris machine correctly? ... If the passwords match on the AD, and the two samba servers, then they should connect just fine. But you need to have separate accounts for them on each machine if you're not going to join the machine to AD.

I just reread your initial email and you say that "We are authenticated by DC" which is why I thought you were connecting the samba machines to the AD. ... So do you know exactly what authentication method your two samba servers are using? ... Perhaps you should post a copy of your smb.conf files (with any sensitive data masked, of course) and that might give us a clue.

-- 
Matt Skerritt
Re: [Samba] Accessing Samba Shares from Windows
On 19/12/2006, at 2:21 PM, Mirceac Ionescu wrote:

> So after I recompile Samba with MIT Kerberos will it work without actually joining the machine into Active Directory? The Samba 2.2.8a are working this way… Still don't figure out why samba 3.x are not working… Could be that the older Samba was compiled using Kerberos? I will check this.

Hmmm, I don't know about that, sorry. I misread your initial email. As far as I know (and I don't know very much about how samba interacts with AD, I'm sorry) Samba can't authenticate against an AD without actually joining it to the domain. So I'm quite surprised to hear that Samba 2.2.8a is managing it, but don't know how it works. I just happened to know that Solaris didn't have the Kerberos abilities built in. Is joining samba to the AD so awful?

> Thank you!

No troubles. I'm happy to pass on what little information I have.

-- 
Matt Skerritt
Re: [Samba] Accessing Samba Shares from Windows
Heyho

Are you using the samba binaries that came with Solaris? If so then Sun, for reasons I do not understand, have neglected to compile it with Kerberos support (at least that's the case when I looked into it with Solaris Express 6 months ago). Since AD uses Kerberos this will be a problem for you.

I believe the solution is to download, compile and install the MIT or Heimdal Kerberos libraries (they'll happily live alongside the Sun ones on a Solaris machine), and then to download and compile Samba against the aforementioned Kerberos libraries. It seemed like a bit of a pain, so I never bothered to do it myself (well, I have kept putting it off ... even to this day). A Google search for "samba solaris 10 kerberos" or something similar should net you some guides on what, precisely, to do.

On 19/12/2006, at 1:24 AM, Mircea Ionescu wrote:

> Hello,
>
> We are using machines with Solaris and Windows XP. The XP machines are joined in a domain (Windows 2003) and the Solaris machines are not joined to any domain. With Samba 2.2.8a running on Solaris 9 there are no problems to access them from Windows XP. We are authenticated by DC. On other machines we have Solaris 10 with Samba 3.0.21b and here we are NOT authenticated anymore by DC. So we have to use user authentication so every time the password is changed on XP we have to change it also on Solaris. This is done for 100 users so it is not nice...
>
> Can you, please, help me? Why can't I have the same authentication on Samba 3.x like in Samba 2.x?
>
> Thank you very much!
> mirciulicai

-- 
Matt Skerritt
Re: [Samba] Problem with LDAP groups and associated file permissions
Check the file permissions on the folder and files in question. If the folder is set up with world execute permissions, anybody can change into it - and any files created by the user in question will probably be owned by them - and so they'll still have access if they can change into the containing directory. At least, that'd be the first thing I would look at.

Also try running commands like "groups user" to make sure that your unix backend agrees that they are no longer in the group.

On 15/12/2006, at 2:38 AM, Manuel Graumann wrote:

> Hi folks!
>
> Our smb with LDAP PDC now seems to be nearly completed. Just now we found out something very mysterious. We organized some directories to be used by specific domain groups. If we put a user into a group the user is allowed to access the associated share. So far this works pretty nice. If we remove the user from the domain group the user seems to keep all his rights he got from his group membership we removed - even after logging off and on again and restarting smb and nmb. This seems to me a very strange behaviour. Any ideas where we have to look?
>
> Client OS: XP Pro SP 2
> Server: openSuse 10.1 64 bit, Samba 3.0.22-13.18, openldap2 2.3.19-18.10, smbldap-tools 0.9.1-11
>
> Any hint would be nice.
>
> Regards
> Manuel

-- 
Matt Skerritt
Re: [Samba] Samba and Medisoft
On 12/12/2006, at 3:46 AM, Scott Swaim wrote:

> I am looking at putting the Medisoft application on a samba share. I was wondering if there is currently anyone using this configuration and if so then what are some of the problems that I might encounter. The app is currently being hosted on a WinXP Pro machine and I need to move it to a server. Any help would be greatly appreciated.

You may need to disable oplocks for certain data files. I have a setup that uses Access files as a back-end database (sadly, I'm serious here - and no it's definitely not my creation), and we needed to veto the oplocks on those files to ensure usability. Check out the "veto oplocks" configuration option for samba.

-- 
Matt Skerritt
Re: [Samba] Help with Samba+JFS
Hmmm ... I'd have a look at your network card first - I've seen those delayed write errors caused by the network giving out in some form or another during the file transfer. In one case I had a very similar problem caused by a power dip that happened whilst a workstation was writing to the share. I've also had them when a flaky network card was being used in a server.

Next time it happens, do a "ps aux" (or whatever the equivalent is on your platform), and see if any of your processes are in the D state (uninterruptible sleep) - if so, then that's why you have to reboot to get access to the folder again.

Also you may want to try using ssh or ftp or somesuch to see how the transfer speeds to your machine work (ie, test how it works without samba). I'd recommend small and large files for the test.

On 10/12/2006, at 6:00 AM, Will Constable wrote:

> I have a network server running FC5, with a hardware raid 3 card using 5 drives, as one large (1.2TB) partition in JFS. I chose JFS because of a recommendation for performance from a MythTV tutorial, but I don't really know much about file systems and am suspecting JFS to be causing my problems.
>
> I run samba, apache and MythTV on this machine, and there is essentially only one problem as far as I know. If I write to my server from the network (only tested from Windows XP PCs using samba), I often get either an error in Windows ("Delayed Write Failed"), or Windows freezes while writing. On the server side, I generally get kernel messages from JFS that are completely meaningless to me, just a bunch of cryptic numbers and function calls. After one of these problems, I can't access the directory that was being written to, or my prompt freezes. Rebooting seems to be the only fix - jfs does some replaying and then the filesystem is perfect again.
>
> This sounds a lot like a cut and dry problem with JFS, except that MythTV does quite a lot of high intensity writing to the array and never has trouble like this, yet it happens frequently when being written to from samba.
>
> First of all, is there any known problem with using JFS with samba? Aside from that, I sort of figure maybe there is a samba configuration option that is to blame. Possibly something to do with buffering or with maximum throughput allowed. I am just guessing, but can anyone help?
>
> Thanks a lot!
> Will

-- 
Matt Skerritt
Re: [Samba] Samba file security
On 07/12/2006, at 12:42 AM, Naveen C Joshi wrote:

> I have created the read list and write list, but I want that write list members also can not delete the files once they upload them on the samba server. While the read list members can only read the files but can not upload files on the samba server.

Hmmm ... do you want them to be able to change the contents of the files, but not delete them? If so then I think it's impossible for a filesystem that uses the posix rwx file permission bits. It may be possible if you're using Solaris with ZFS, I'm not sure - I'll check on my server later but your initial email said you were using Redhat so I guess it doesn't matter.

If you want the users to only be able to add new files (but never change or delete old files) then just set the file create mask to make sure that newly created files don't get write permissions, like Cleber P. de Souza suggested in the other email.

-- 
Matt Skerritt
Re: [Samba] Samba and Heimdal Kerberos V Authentication
On 05/12/2006, at 8:53 PM, Ludek Finstrle wrote:

> I answer myself: http://sial.org/howto/kerberos/windows/
>
> BTW still I see no way to authenticate Samba PDC against Kerberos without AD.

It's also in that very document, if I understand it correctly ... you can do it with the "use kerberos keytab = yes" option and "security = ADS"; also see http://lists.samba.org/archive/samba-technical/2005-March/040114.html

I'm yet to try this, but I'm keen to see how well it works.

-- 
Matt Skerritt
Re: [Samba] restrict what users can log onto each workstation
On 05/12/2006, at 11:12 PM, Toni Casueps wrote:

> I've tried it with users and it works, but now I can't set it for groups. I've created a Unix group with the denied users and I've written in /etc/samba/smbusers:
>
>     denied = @denied
>
> also in smb.conf I've set
>
>     username map = /etc/samba/smbusers
>
> but I still can't see that group in the "Select user or group" dialog on Windows.
>
> I use Samba 3.0.13

Oh yes, with an LDAP backend (which I use) you need to give your groups a Samba SID so that Windows can see them - otherwise they're just Unix groups ... (and I had a very similar problem with Windows being unable to see most of the groups). Now if I can only remember how I did this again. And I just notice that you don't mention LDAP anywhere, ... OH yes, I remember now (after I checked my scripts): the command

    net groupmap add ntgroup="NT Group Name" unixgroup="unix group name" type=d

sets the mapping up for you. I think that'll work for any backend database. And the command

    net groupmap list

will show you the current mappings between unix groups and Windows groups.

> Anyway, that isn't so important. Thanks very much.

You're welcome. I'm happy to help :)

-- 
Matt Skerritt
Re: [Samba] Does Samba/Winbind not follow nested groups in AD?!?
On 06/12/2006, at 3:46 AM, James A. Dinkel wrote:

> Here's the situation: We have users who are members of groups and those groups are sometimes members of a 2nd level of groups. If a folder has permissions assigned to a 2nd level group, then the user can not access the share. Doing a "getent group | grep user | grep 2nd_level_group" also returns nothing. Samba seems to not be recognizing that a user is a member of a group under another group.
>
> Is there any way to enable Samba, or Winbind, to follow down the group hierarchy?

There is an option in smb.conf called "winbind nested groups" ... and the help text from swat says:

    winbind nested groups (G)

    If set to yes, this parameter activates the support for nested groups. Nested groups are also called local groups or aliases. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared between DC's through their SAM) and can contain users and global groups from any trusted SAM. To be able to use nested groups, you need to run nss_winbind.

    Please note that per 3.0.3 this is a new feature, so handle with care.

    Default: winbind nested groups = no

So I'm guessing that you want to set "winbind nested groups = yes" in your smb.conf.

-- 
Matt Skerritt
Re: [Samba] LDAP, checkpwnam and PDC
On 05/12/2006, at 4:28 AM, Ben Wheare wrote:

> Hiya, I'm trying to set up a Samba PDC with an LDAP backend. I experienced problems joining machines to domains, the machine account was created, but Windows said "user name cannot be found". I resolved this by adding ldap to /etc/nsswitch.conf, but this has the side effect of allowing ldap users to login to the server via SSH. Whilst I can understand the need for LDAP users to be accessible to the system, i.e. checkpwnam etc for permissions, I don't want users to be able to login to anywhere except the client Windows 2000/XP boxes. People (only 3) who can login via SSH already have real user accounts in /etc/passwd etc.

Do these people have multiple user accounts? (one for samba and one for their real one?) ... I would consider it a bad idea to do so (IMHO).

> Is there a way to stop this being allowed?

The way I achieve this (since in my setup I'm the only person who is allowed to log into the linux boxes) is to make sure all other users have no password entry in the ldap database (note: they have the samba password entries, just not the posix one), and to make sure their home folder is /dev/null and their login shell is /bin/false.

I think there's also probably a shadow option that disables the posix account (haven't checked yet) - since my method may be able to be bypassed by a user executing a given command at the ssh command line - actually I'll look into that as soon as I get into work today. I'm not sure if doing that would actually prevent samba from using the account for SMB purposes.

-- Matt Skerritt [EMAIL PROTECTED]
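An added audit script (not from the thread) that checks an LDIF dump for Samba accounts whose POSIX side could still be used for an SSH login, using the criteria above (posix password present, real login shell) plus a shadowExpire date in the past, which pam_unix treats as an expired account. The LDIF, uids and password hashes are constructed, and the parser assumes plain unwrapped, non-base64 LDIF.

```python
import re
import time

# Constructed sample: three users with both posixAccount and sambaSamAccount.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
loginShell: /bin/false
homeDirectory: /dev/null

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
userPassword: {SSHA}constructed-placeholder
loginShell: /bin/bash
homeDirectory: /home/bob

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: carol
userPassword: {SSHA}constructed-placeholder
loginShell: /bin/bash
shadowExpire: 1
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_ldif(text):
    """Split unwrapped LDIF into entries; each attribute maps to a list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def ssh_capable(entry, today=None):
    """True if a Samba user's posixAccount still allows an interactive login."""
    today = int(time.time() // 86400) if today is None else today
    classes = set(entry.get("objectClass", []))
    if not {"posixAccount", "sambaSamAccount"} <= classes:
        return False  # not a dual samba/posix account, out of scope
    if "userPassword" not in entry:
        return False  # no posix password: the method used in the thread
    if entry.get("loginShell", [""])[0] in NOLOGIN_SHELLS:
        return False  # shell refuses the login
    expire = entry.get("shadowExpire")
    if expire and 0 < int(expire[0]) < today:
        return False  # shadowExpire in the past: account expired for pam_unix
    return True

def audit(text, today=None):
    """Return uids of Samba users who could still log in via SSH."""
    return sorted(e["uid"][0] for e in parse_ldif(text) if ssh_capable(e, today))
```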
Re: [Samba] restrict what users can log onto each workstation
On 04/12/2006, at 9:56 PM, Toni Casueps wrote:

> I have a Samba server with Windows XP clients, and roaming profiles for every user. At this moment everyone can log onto any workstation, but it shouldn't be like that: there are some workstations where anyone can log into, but three of them should be restricted to some specific users. I thought about making local users for them, but we need all users to have roaming profiles, I can't make local users except for the Administrator account. Can this be done with Samba?

OK, it sounds like your samba server is a PDC, so I'll assume it is. This solution won't work if it's not (I don't think).

If I understand you correctly, you want these specific users to be able to log into any machine on the network (including the 3 restricted ones), right? And you want everybody else to be able to log into all the machines except the 3 restricted ones?

I'd probably do this by making a group which the specific users are all a member of (and nobody else), then go into the local security policies of the restricted workstations (Control Panel - Administrative Tools - Local Security Policy), and modify the entries "Log on Locally" and "Deny logon locally" to suit (which will involve putting your new group into the "log on locally" policy, and removing users from it, and probably a few others as well).

Note: I haven't tested this method, it's just the way I'd try going about it if I was in your shoes. You can probably even set the local security policies through System Policy if you use that - but you'll likely have to custom write your own policy template.

-- Matt Skerritt [EMAIL PROTECTED]
[Samba] ntlm authentication
Heyho. My apologies if this mail arrives twice. The first time I sent it my email address didn't correspond to the one I signed onto the list with (one was an alias for the other). I'm not sure if the original will eventually make it through or not.

I have a NT Domain which is run by my samba server (v3.0.22-r3 on Gentoo Linux). Everything works well, and the backend database is an ldap directory which is also the authentication directory for my 3 odd linux servers. All users have a posix account as well as a samba account, however in most cases the posix account is disabled (homedir is /dev/null, shell is /bin/false and null password), and is only there because samba requires it. As I said - this setup has worked really well for about 2 or 3 years now.

I also have a kerberos domain running from a MIT Kerberos server. Passwords are not automatically synced between the two realms - but tickets are automatically gotten at login on the Windows clients (all XP) if the passwords happen to be the same between the samba domain and the kerberos domain - this also works fairly well. Password synchronisation is something I'll look into later and isn't in the scope of this email.

What I am trying to do is to get my squid proxy to start authenticating users so I can keep better track at who's doing what web-wise. Now since the users don't have a posix password, I can't do an ldap lookup for this. Further than this, I'd really like the cache authentication to be done transparently by the browsers. So this leaves me with either NTLM authentication, or negotiated gssapi authentication.

The latter is my preferred method but seems to be out of the question at the moment (unfortunately) because Internet Explorer doesn't see the kerberos tickets gotten by the MIT Kerberos for windows tickets (although Firefox - the default browser on the network - does), and because there doesn't seem to be a helper program for squid that does gssapi authentication to a non-microsoft kerberos domain. However, that's a squid problem and not a samba problem, so is not really relevant here apart from background.

So this brings me to NTLM authentication. All the documentation I've found so far is based around the idea that one uses the ntlm_auth program that comes with samba. The ntlm_auth manpage states that winbindd must be running for ntlm_auth to work. And winbindd seems to be used for joining a unix machine to a NT PDC. My problem (or maybe confusion) is that my linux machine *is* my PDC. So it seems that I would need to connect samba to itself, and would potentially have multiple UID's for the same user - one from their legitimate posix account, and one from the idmap they get for their DOMAIN/user account from winbind.

So is there any way to do ntlm authentication in a way similar to

ntlm_auth --helper-protocol=squid-2.5-ntlmssp

against the samba backend database (instead of going to another PDC)? Is there an ntlm_auth option that I missed that lets me do this? Or do I just have to use net rpc join to join winbind to the samba domain running on the same machine?

I suppose I could use the code from apache mod_kerberos to write a helper app for the negotiated gssapi case, but I'd like to get something intermediate happening sooner than that.

Can somebody help here please? I imagine I'm not the first person with this setup.

-- Matt Skerritt [EMAIL PROTECTED]