Re: [Samba] how to prevent copying programs on local harddisk from samba share

2010-10-14 Thread Michael Heydon
 How can I prevent copying programs from samba shares to local drives and
 running them from there? Is there any possibility to secure programs and run
 them from samba shares only?

This would need to be implemented on the client. As far as samba is concerned 
there is no difference between copying a file and running it. I've never used 
it myself, but Windows can be locked down to only run specific programs.

Out of curiosity, what does the program do that your users want to be able to 
write to it?

Michael Heydon
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] local admin rights for roaming profiles

2010-08-09 Thread Michael Heydon
...

 The other reason is that I don't wanna give local admin privileges to all the
 users! (Some users are extremely dangerous with local admin permissions.)

 How can I provide admin privileges only to access the app shared on
 \\SAMBASERVER\shared?

CPAU might do what you want, but it isn't terrific from a security point of 
view. I had a similar problem and in the end the simplest solution was to 
create a domain group called Local Admins and then add that to the local 
administrators group on each PC.

--

Michael Heydon
IT Administrator


Re: [Samba] samba to update DDNS

2010-06-15 Thread Michael Heydon

On 15/06/2010 3:57 PM, Andreas Moroder wrote:
is it possible to let samba update the DNS entries in our bind DNS 
server whenever a windows PC connects to the network ?

Why not do it from the DHCP server? That is the normal approach.

You could probably make something using the preexec settings if you 
really wanted to.



Re: [Samba] subfolder level restriction

2010-01-19 Thread Michael Heydon

Daniel Müller wrote:

Look at the issue dont descend in the [mrt] config.
Daniel
  
dont descend  affects the share regardless of who connects to it. To 
create different views for different users would require creating 
several shares with different dont descend values.



when u1 logs in mrt it should view all the contents inside mrt (including
contents of its subfolder and all)
and when u2 logs into mrt it should view mrt1 and restrict mrt2 and in same
way when u3 logs into mrt, it could access mrt2 and restrict mrt

I think unix permissions would be the obvious solution. Create groups
called g1 and g2, add u1 to both groups, u2 to g1 and u3 to g2. Then
chown root.g1 mrt1, chown root.g2 mrt2 and chmod them both to 770 (or
750). If you want more flexibility, you can use ACLs (assuming your FS
and OS support them).



*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au
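
The group scheme suggested in this reply, worked through as an added example (not code from the thread or from Samba): a small Python model of the POSIX owner/group/other check that shows which of u1, u2 and u3 can use mrt1 and mrt2. It goes slightly beyond the reply by comparing both modes it mentions, 770 and 750; the function names are made up for the illustration.

```python
# Group membership proposed in the reply: u1 in both groups, u2 in g1, u3 in g2.
GROUPS = {"g1": {"u1", "u2"}, "g2": {"u1", "u3"}}

# The two subfolders of the share after "chown root.g1 mrt1" / "chown root.g2 mrt2".
DIRS = {
    "mrt1": {"owner": "root", "group": "g1"},
    "mrt2": {"owner": "root", "group": "g2"},
}


def effective_bits(user, entry, mode, groups=GROUPS):
    """Return the rwx bits that apply to `user` on a directory.

    POSIX picks exactly one class: owner if the user owns the directory,
    otherwise group if the user is a member, otherwise other. Bits of the
    other classes are never added on top.
    """
    if user == entry["owner"]:
        return (mode >> 6) & 0o7
    if user in groups.get(entry["group"], set()):
        return (mode >> 3) & 0o7
    return mode & 0o7


def describe(bits):
    """Render three permission bits the way ls does, e.g. 'r-x'."""
    return "".join(ch if bits & bit else "-"
                   for ch, bit in (("r", 4), ("w", 2), ("x", 1)))


def access_matrix(mode, users=("u1", "u2", "u3")):
    """Map user -> directory -> effective permissions for the given mode."""
    return {
        user: {name: describe(effective_bits(user, entry, mode))
               for name, entry in DIRS.items()}
        for user in users
    }


if __name__ == "__main__":
    for mode in (0o770, 0o750):
        print("mode %o" % mode)
        for user, row in access_matrix(mode).items():
            print("  %s: %s" % (user, row))
```

With 770 the group members can also create and delete entries; with 750 they can only list and enter the directory, and users outside the group get nothing in either case.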



Re: [Samba] Migrating an NT4 domain to a Samba PDC - How to limit users access to only certain machines?

2009-12-16 Thread Michael Heydon


we need to limit certain users to have permission only to log in to 
their specific workstation.

I'm not familiar with ClearOS, but if it uses an LDAP backend (and maybe 
even if it doesn't) the sambaUserWorkstations property should do what 
you want.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] One way Samba

2009-12-03 Thread Michael Heydon

wino_pilot wrote:

in the smb.conf below.

Is this your actual config file? Or the output of some utility or 
something? If it is your actual config you seem to have a lot of 
redundant and in some cases conflicting lines.

Why don't you try something simpler? E.g.:


[global]
netbios name = Mercury1
server string = Samba file and print server
workgroup = MNET
security = user
# one of the few settings that your config file didn't already have :)
map to guest = bad user
# Does this account actually exist?
guest account = smbguest
log file = /var/log/samba/samba.log
max log size = 1000
unix password sync = yes
name resolve order = wins lmhosts bcast
wins support = yes
follow symlinks = no
passwd chat timeout = 120
username map = /etc/samba/smbusers
smb passwd file = /etc/samba/smbpasswd
passwd program = /usr/bin/passwd '%u'
passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd*changed*\n
add user script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null '%u'
add user to group script = /usr/sbin/useradd -d /dev/null -c 'Samba User Account' -s /dev/null -g '%g' '%u'
add group script = /usr/sbin/groupadd '%g'
delete user script = /usr/sbin/userdel '%u'
delete user from group script = /usr/sbin/userdel '%u' '%g'
delete group script = /usr/sbin/groupdel '%g'
add machine script = /usr/sbin/useradd -d /dev/null -g sambamachines -c 'Samba Machine Account' -s /dev/null -M '%u'
machine password timeout = 120

[homes]
comment = Home Directories
path = /home
writable = yes
public = no

[printers]
comment = All Printers
path = /var/spool/samba
public = no
printable = yes

[pdf-documents]
path = /home/pdf-documents
comment = Converted PDF Documents
writeable = yes
guest ok = yes

[pdf-printer]
path = /tmp
comment = PDF Printer Service
printable = yes
guest ok = yes
use client driver = yes
printing = bsd
print command = /usr/bin/gadmin-samba-pdf %s %u
lpq command =
lprm command =

[Book]
path = /media/FreeAgent/Drive/Book
comment = Book Chapters
valid users = jon
admin users = jon
writable = yes

[Photos]
path = /media/FreeAgent/Drive/Photos
comment = All Photos
valid users = jon
admin users = jon
writable = yes

  


I would have trimmed it down a little more (e.g. password and account 
management script settings), but I am giving some lines the benefit of 
the doubt and assuming you have them there for a reason (that may not 
have been the best assumption). I was going to go through and explain 
why I trimmed out each line, but there were too many of them. If there 
are any particular lines that you want to know why I considered them 
superfluous then just ask.


*Michael Heydon*
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] User permissions on other users home directory

2009-09-02 Thread Michael Heydon

On 3/09/2009 3:58 AM, Adam Del Vecchio wrote:

However, when user1 edits a file in his home directory, user2 can no
longer edit it, even though both users are in the office group.
...
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700
   

Change those.

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au




Re: [Samba] Password-less share, for certain users.

2009-09-02 Thread Michael Heydon

On 3/09/2009 8:24 AM, JDE wrote:

Here's what I got. I want to allow a 'password-less' log-in that will
allow only user1 and user2 to access share_zero, can this be done? I
know that I can make it public, but that's not really an option as I
need to restrict access to just a hand full of users. Can this be
done? I've searched everywhere and all I can find is setting share to
public, or something similar.
   
If a user is connecting without a password then they are a guest and 
they do not have a username.


What you are trying to do isn't possible because it is pointless. 
Usernames aren't private, if I can guess (or ask for) someone's username 
then I could bypass your restrictions.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Password-less share, for certain users.

2009-09-02 Thread Michael Heydon

On 3/09/2009 7:44 AM, Miguel Medalha wrote:
Make those users part of the group defined with guest account and 
then use guest ok = yes. 

guest account defines the unix account that is used to access the file 
system when a guest connection is used. It doesn't determine who can use 
the guest account.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Password-less share, for certain users.

2009-09-02 Thread Michael Heydon

On 3/09/2009 11:04 AM, Jamrock wrote:

Try the valid users option in the smb.conf.  If I remember correctly, you
can set this to a group.  That way only the members of the group should have
access to the share.

valid users = @accounts
   
If they connect as a guest, then there is nothing to compare against the 
valid users setting.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au


Re: [Samba] Password-less share, for certain users.

2009-09-02 Thread Michael Heydon

On 3/09/2009 8:43 AM, Miguel Medalha wrote:

guest account defines the unix account

This user must exist in the password file



that is used to access the file system

This is a username which will be used for access to services...



when a guest connection is used.

...which are specified as guest ok


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Question regarding access to shares from LOCAL administrator account

2009-09-02 Thread Michael Heydon

On 3/09/2009 11:26 AM, Jobst Schmalenbach wrote:

How do I give access to shares from the LOCAL administrator account to a 
share(s) on the samba server?
(workstation is domain member, without the need to specify a password).
   
I don't believe this is possible. The local administrator does not 
necessarily have a fixed username or password and I don't think the 
domain controller can see the SIDs used on the client for local users.

I can do it the other way around i.e. mapping a local group to a group
on the server, but for one share only I need to have access for the local
administrator to the share on the server.
   
Are you sure you can't do it the normal way? Create a domain user and 
add them to the local administrators group on each PC? They wouldn't 
have to be domain admins if you didn't want to.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] FAT32 format HDD recognizes as NTFS

2009-08-26 Thread Michael Heydon



4. Open the mapped network drive, can see NTFS file system on the left
details.

It shows the wrong info, could anybody help me?
Thanks in advance!!

My theory is that it has to do with the capabilities of the file system. 
Samba is presenting a FS that has ownership and permission capabilities, 
Windows only knows of one FS that supports those capabilities, therefore 
it must be NTFS.

I doubt it has any real effect, it's not like Windows will try to run 
chkdsk on it or anything.

Samba allows a directory on your Linux box to appear to be an NTFS 
volume.  That is its purpose.  It really doesn't matter what the 
original filesystem is:  you can export an ext3 filesystem, ext4, xfs, 
FAT32... whatever the original filesystem is, the Samba clients (for 
example your XP machine) will see it as an NTFS volume.

The client should really see it as a SMB or CIFS volume rather than NTFS.

This isn't really all that different (in my opinion) from the way that 
NFS will make directories appear as NFS volumes.  It didn't matter 
what the original filesystem was in that case either.

I would have said it was closer to exporting an ext3 FS over NFS and the 
client reporting that it is reiser.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Antwort: Re: central PDC + remote BDCs: LDAP strategy, my lack of comprehension

2009-08-21 Thread Michael Heydon


sven.eh...@comdok.de wrote:
Thanks Michael, this did advance my progress. With “domain master = no”, 
“password server” set to the central server and “passdb backend” pointing 
to the local LDAP replica, my XP client now contacts the central SAMBA 
server when joining the domain. But now it is always logging on to the 
central server and not using the other, remote samba server at all (which 
honestly is in the same LAN in my testing environment). This is unwanted, 
partly because the logon script resides on the remote system and to reduce 
network traffic between client and central server (which would be fragile 
WAN traffic once rolled out).


Is there any way I can influence to which server the client logs on to?
  
Windows will log on using what it considers the closest server. The 
only way I know of to influence how close a server is considered is to 
move it to another subnet.



My question is: When the remote SAMBA server only talks to its own local,
read-only LDAP slave, how is it going to change user/machine passwords or
add machine accounts (when joining the domain)?

In my test setup an XP client insisted on trying to join the BDC, failing
because a) smbldap-tools is not installed or b) it could not write to the
slave LDAP directory.

Your read only slave should be able to return a referral to the master 
when it gets a write request (at least that is how I remember it, it has 
been a while since I have had to touch my LDAP setup).



*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au

Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Michael Heydon

Avinash Rao wrote:

Also, is there a way i can control the file permission on the clients
local harddrive from samba. For example, If a user A logs in to the
samba domain, he will not have any access to the local hard drive, can
we give permission from the samba, probably make that domain user a
part of power users on the client machine.
  
Not directly, I use cpau in the login scripts to escalate to a domain 
admin and as that user run a script which does things like add certain 
domain groups to the local admins group. Just remember group membership 
is worked out before the login scripts are run, so the user will have to 
log out and back in for any changes to take effect.


It is a security risk (cpau doesn't encrypt the credentials, it uses 
some secret encoding) so it isn't suitable for everyone, but it works 
well for us.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Michael Heydon

Avinash Rao wrote:

Am sorry, I forgot to mention that I am not able to list
#net rpc group list -Uroot%not24get
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

  


I'm guessing here, but this is probably related to the use of interfaces 
and bind interfaces only. Try adding your loopback interface to the list.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Michael Heydon

Avinash Rao wrote:

You mean in smb.conf file? i have added host allow = 127.
  
Allowing hosts won't do any good if samba isn't listening on the 
interface that those hosts are connected to. If you want to allow 
connections from localhost you need to listen on loopback.



The thing is i don't have any windows server in the network, I have
one Ubuntu Server and samba is configured as PDC.

I'm not sure what you are getting at here.

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au


Re: [Samba] Enforcing local profile doesn't let Home Directory mapping

2009-08-19 Thread Michael Heydon

Avinash Rao wrote:

Sorry if the question is a bit unclear. What I meant is the net rpc
commands are meant to manage trusts between a samba domain and Windows
NT domain or ADS. But in my case, I have only one samba server
configured as a PDC.
  
RPC is remote procedure call, it can be used to issue various requests 
to SMB servers over the network. It doesn't have to be related to 
trusts, doesn't have to be windows. The group list command you used is a 
perfect example.



You mentioned about loopback, where should i check this? Also, I have
used samba but not so much in depth. I am learning these options as
the users in the network are increasing.
  
In your smb.conf, you have interfaces and bind interfaces only set. 
Read up on these options in the man page.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au
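
The point made across this thread, as an added example (not code from the thread or from the Samba project): a small Python check that reads the [global] section of an smb.conf and reports whether smbd would accept connections on 127.0.0.1, given "interfaces" and "bind interfaces only". The sample configs are constructed, and the loopback interface name "lo" is an assumption (Linux).

```python
import fnmatch
import ipaddress

# Constructed sample (not from the thread): smbd is bound to the LAN
# interface only, so a local net rpc call to 127.0.0.1 is refused even
# though "hosts allow" lists 127.
SAMPLE_BROKEN = """\
[global]
   workgroup = EXAMPLE
   interfaces = eth0 192.168.1.10/24
   bind interfaces only = yes
   hosts allow = 127. 192.168.1.
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("interfaces = eth0", "interfaces = lo eth0")


def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # a trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names ignore case and embedded whitespace
            params["".join(key.lower().split())] = value.strip()
    return params


def is_loopback_entry(token, loopback_if="lo"):
    """True if one 'interfaces' entry (name, wildcard, IP or IP/mask) covers loopback."""
    try:
        return ipaddress.ip_interface(token).ip.is_loopback
    except ValueError:
        # not an address: treat it as an interface name, possibly with wildcards
        return fnmatch.fnmatch(loopback_if, token)


def listens_on_loopback(params):
    """Decide whether smbd is reachable on 127.0.0.1 with these [global] settings."""
    value = params.get("bindinterfacesonly", "no").lower()
    if value not in ("yes", "true", "1"):
        return True   # default: smbd binds to the wildcard address
    # With binding restricted, loopback must be listed explicitly; the default
    # interface list does not include 127.0.0.1.
    return any(is_loopback_entry(tok) for tok in params.get("interfaces", "").split())


def report(conf_text):
    """Return a one-line finding for an smb.conf given as text."""
    params = parse_global(conf_text)
    if listens_on_loopback(params):
        return "OK: smbd accepts connections on loopback"
    return ("WARNING: 'bind interfaces only' is set and 'interfaces' (%r) has no "
            "loopback entry; connections to 127.0.0.1 will be refused"
            % params.get("interfaces", ""))


if __name__ == "__main__":
    print(report(SAMPLE_BROKEN))
    print(report(SAMPLE_FIXED))
```

Note that "hosts allow" plays no part in the result: it filters clients on sockets smbd has already bound, which is the distinction drawn in the replies above.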



Re: [Samba] This is happening during config

2009-08-10 Thread Michael Heydon

Chris Lavin wrote:

configure: WARNING: sys/mount.h: check for missing prerequisite headers

Did you do this?

Your other message also mentions missing headers. You probably need to 
install various header/development packages.


Do you really need to be compiling from source? Using your distro's 
packages is much simpler and less likely to cause problems down the track.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Samba using Server 2k3 DC for auth and ACL permissions

2009-07-27 Thread Michael Heydon

Blotto wrote:

only users listed in the smb.conf file for that share
have access regardless of the acl permissions set
  
Maybe I'm not reading this right, but I think that is how it is supposed 
to work.


When you define which users can access a share, that is checked when they 
attempt to connect; file system ACLs will only come into play after the 
user has been granted access to the share.


[Admin] 
path = /media/Shared/ 
read only = no 
create mode = 0700 
directory mode = 0700 
nt acl support = yes 
acl map full control = yes 
admin users = @MY+fileserveradmin 
valid users = @MY+Domain Users 
browseable = true 
  
So are you trying to grant Fred (for example) access to the files, even 
though he isn't a member of MY\Domain Users (probably a bad example 
since all users are likely to be in that group)?


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] System Wide recycle bin

2009-06-17 Thread Michael Heydon



Is there a way to get the recycle bin to be one directory rather than
one per share?

Even better would be /recyclebin/sharename

I've got this in my global section:

 vfs objects = recycle
   recycle:keeptree = yes
   recycle:versions = yes
   recycle:touch = yes
   recycle:repository = /.recycle/current/%u/%P

which appears to do the trick.

I haven't tried, but I imagine the share name substitutions would 
probably work


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au


Re: [Samba] valid users VS users in conf

2009-05-19 Thread Michael Heydon

DNK wrote:

Why would this happen?

No idea...


Is there any disadvantage or security concern by using the users = 
@group style?

Yes, the users option does something completely different to the valid 
users option. While there may be some similarities in the end result, 
they are not the same.


The most obvious issue is where two users happen to have the same 
password, they will both authenticate as the first user in the list.


Can you paste your smb.conf?

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Moving premises, new server at new building

2009-05-14 Thread Michael Heydon

Adam Williams wrote:
I'd just have your current samba server as the master ldap server and 
PDC, and have the server at the other location be a BDC, and it can 
either be a slave ldap server, master/master ldap configuration, or 
just connect to the master ldap server directly for queries.  i have a 
few remote sites on dsl or t-1 and they just query the LDAP server 
directly.  also, with ldap you can specify the roaming profile 
location so just have the users at the remote site load their roaming 
profiles from the remote servers.


Sorry, that's not quite what I meant. We are moving everyone to the new 
premises but the people in charge want a fully functioning system at the 
new location before the PCs are moved over. The old site (along with the 
current PDC and all our other servers) will be shut down after the move 
is complete.


The other thing I should probably have mentioned is that we also have a 
remote office which is running as an LDAP slave+BDC. The remote office 
can suffer some down time during the move without too much trouble but 
obviously they need to be up and running with whatever we use at the 
new site.


We aren't using roaming profiles.

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



[Samba] Moving premises, new server at new building

2009-05-13 Thread Michael Heydon

Hi all,

Our company is looking at moving premises some time next year, the plan 
at the moment is to have a new server room with all new servers set up 
at the new building prior to moving the workstations over. I'm wondering 
if anyone has done anything like this and what the best way to proceed is.


We are using an LDAP backend. I am not completely averse to unix UIDs 
changing (although I would rather they didn't), I *REALLY* don't want to 
have to manually rejoin everyone to the domain though.


We have two internet connections at the old building, one is slow and 
cheap, the other is faster and relatively expensive. The connection at 
the new building will be fast and cheap. So it would be possible to sync 
data between systems in the lead up to the change over as long as it 
wasn't too much data.


The options I have come up with are:

1) Set up new office as BDC and LDAP slave, upgrade to PDC and LDAP 
master as part of the move.


2) Set up new office as new domain, bring over old server (or create a 
BDC for the old domain) with logon script that migrates machines when 
they are first powered on at the new premises (This gets a little messy 
when it comes to user profiles and such but I believe it should be 
manageable).


3) Find something like ADMT for samba?

At the moment the first option is looking like the way to go but I would 
be interested to hear of any other options and people's opinions. I 
would also be very happy if anyone can point out any possible pitfalls 
we are likely to face.


Thanks,

--
*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Samba share of a NFS mount

2009-05-04 Thread Michael Heydon

Tim Boyer wrote:

The easiest way to do so
is to NFS mount the directory on my Samba server, and export the directory
as a Samba share.
  


It's been a while and I don't remember the specifics, but there are 
problems relating to locking when you do this.


From memory it is OK as long as the samba server is the only NFS client 
accessing that share, but as soon as you have an NFS client accessing 
files that the samba clients have open things start to get messy. The 
proper way to do it is to run a samba server on the NFS server itself.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] User friendly URLs to shares

2009-04-30 Thread Michael Heydon

Jorgen Lundman wrote:

possibly save this to desktop and double click.

vbscript, although a lot of mail servers will block it.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Samba with legacy LDAP

2009-04-22 Thread Michael Heydon

Jorgen Lundman wrote:
Standard ISP hosting with virtual users here. So we already have an 
existing system setup, based around OpenLDAP data for customer 
information. Currently for WWW hosting, users have FTP access. But FTP 
seems to be a hurdle for certain users, so I was thinking about also 
offering SMB access in parallel with FTP, so they could just MAP a 
drive letter to their WWW area.

Connecting to SMB/CIFS over the internet tends to be extremely slow. I'm 
not sure why that should be the case, but having played with direct 
access over the internet vs over a VPN, the internet one is 
substantially slower (to the point of being practically unusable). That 
might be less of an issue if you are their ISP.


Mapping a drive could also cause problems. In the past I have had issues 
with very long delays opening My Computer when network drives are slow 
to respond. I've just tried to replicate this issue and it doesn't 
appear to be a problem in Vista but I have certainly seen it with some 
versions of XP.


Currently the LDAP has user data in qmail and POSIX style schema, 
which seems to be fairly common. (uidNumber, gidNumber, gecos, 
homeDirectory etc). Currently passwords are stored in plain-text.

I hesitate to say that storing passwords in plain-text is good, but in 
this case it will greatly simplify things. You will need to add the 
samba schema.


1) Can I make Samba lookup uid,gid,homeDirectory from LDAP directly? 
The new privacy-laws do not allow us to use PAM for the customers as a 
whole. I expected to be able to specify LDAP search filter, and a map 
between our LDAP attributes and those Samba expects (which appear to 
mostly overlap though). But this appears to have been removed?

Samba is able to talk to LDAP directly and fully understands the fields 
in the POSIX schema, there are plenty of OSs supported by Samba that 
don't use PAM (Slackware, AIX, probably the various BSDs).


2) Can I use the plain-text passwords directly, and avoid having to 
store nt and lm passwords?

Not without having to make changes to how the client PCs will 
authenticate, so pretty much no. However since you have the passwords 
in plaintext it isn't too much of a hassle to generate the hashes.


Since with FTP you login as ftpu...@example.com with appropriate 
password, I was hoping that users could connect to our samba server, 
authenticating as ftpu...@example.com and same password. It would 
then set the share path to the users homeDirectory 
(/export/cust14/com/e/x/example/ftpuser/) and use their uid, gid.

Sounds reasonably straightforward.


Are there other reasons why this could not be done? Anyone already 
done something similar? Any pit-falls?

I'm not certain that it is a good idea, but it's not impossible.

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Samba with legacy LDAP

2009-04-22 Thread Michael Heydon

Jorgen Lundman wrote:
There is no way around adding Samba schema? Not that is a big deal, 
but curious. Can I perhaps ask samba to merely query a script for 
authentication and retrieval of uid/gid/homeDirectory? If so, I could 
(temporarily) work around the schema.

Other than your suggestion of trying it out with smbpasswd rather than 
LDAP, not really. As well as the username and password there are other 
attributes that need to be stored (Domain SID, user SIDs, password 
aging, etc), in your situation they probably aren't going to be used 
much but I think samba still expects them to be present.


Ok so it will get the attributes without PAM, but the schema and 
attribute-names are hard-coded.

I believe so, I vaguely recall seeing something about using a different 
field for the username or something (I think they were using a different 
or outdated schema) but it certainly isn't a common practice.



*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] error 1310 when installing to a Samba share

2009-04-21 Thread Michael Heydon


Gary Dale wrote:
I'm trying to install some income tax software to a Samba (Debian 
3.2.5 i386) share and I'm getting the above error.

Does it work correctly installing over the network to a windows host?

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au mailto:micha...@jaswin.com.au



Re: [Samba] Tunneling over SSH

2009-02-24 Thread Michael Heydon

Kevin Bailey wrote:
Also, we had trouble setting up a VPN from his house - can't remember 
the details apart from the fact that it was BT's fault!


Was this using OpenVPN or PPTP? OpenVPN is much more flexible than PPTP 
and will happily work across all but the most stubborn connections  
(also it doesn't rely on GRE which is what has caused me the most VPN 
headaches).


I haven't used Sage before, but if it is opening the data files directly 
off a share (which would seem to be the case) then you may run into 
issues using it remotely. I have had users insist on running MYOB and 
Quicken over VPNs, if they are lucky it is almost unusable and they give 
up, a couple have had issues with file corruption.


Have you considered RDP? This would allow quick and easy access from 
most connections without any setup, it would be faster than pulling a 
large access file over a VPN and would be immune to corruption as a 
result of interrupted connections.



*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


Re: [Samba] Cannot login from windows

2009-02-24 Thread Michael Heydon


I am using Samba 3.0.33 on Linux as the server, and have Linux, 
windows XP, and Windows Vista clients.
I would suggest that until you have a basic working setup that you test 
using a Linux client (smbclient), it doesn't have all of the fancy stuff 
(cached credentials, etc) that will just confuse things. Are the XP and 
Vista clients home/pro/business/ultimate/etc? Home is a bit quirky under 
some circumstances.


  I have added user 'brandon003' with smbpasswd, I try logging in with 
that username and the correct password but I get a message in Windows 
saying that I do not have permissions.
What do you mean logging in? Does the Windows machine have a user with 
the same name and password as the samba box? or are you prompted for 
credentials when browsing to the share?


  My smb.conf file is a bit messy since I have been trying many 
different variations, but here it is:


[global]

Yuck, trim this back to basics. You have a lot of junk in there that you 
really don't need and which will just confuse matters.


I just put this config file onto one of my 3.0.23 machines (yeah it's a 
bit outdated):


[global]
  workgroup = foo

[homes]
  comment = Home Directories
  browseable = no
  writable = yes

[tmp]
  comment = Temporary file space
  path = /tmp
  read only = no
  public = no

and then ran smbpasswd -a mike (where mike is a user that exists on my 
Vista box), set the password the same as my vista logon and it works fine.


Once you have the basics, make a backup and then add things one at a 
time until you have all the functionality you require.




*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


Re: [Samba] shell changed from root@ to administrator@

2009-02-23 Thread Michael Heydon

supha...@gmx.com wrote:

here is my  /etc/nsswitch.conf file:::
  
OK, it is missing the bit I was thinking of (the passwd line), I'm more 
familiar with slackware than centos so I don't know where to go from 
here. I think your best bet would be to ask on a centos list.


Good luck.

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


Re: [Samba] shell changed from root@ to administrator@

2009-02-22 Thread Michael Heydon



Can any one help me why my server always automatically changed from
[r...@abc] to [administra...@abc]?
I found out that when I repeat this command ,it will change back to
[r...@abc]

[administra...@abc] authconfig-tui
  
If it is anything like my system, root is a local user (defined in 
/etc/passwd) while administrator is defined in ldap with the same UID. 
It sounds like your system is using LDAP to resolve the username before 
passwd.


What does your /etc/nsswitch.conf look like?

I suspect that the Redhat/Centos support people might be more 
knowledgeable about this stuff, as far as I can see your problem has 
nothing to do with samba.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


Re: [Samba] XP local policy vs Samba pdbedit?

2009-02-19 Thread Michael Heydon

Scott R. Ehrlich wrote:
how will the local XP policies differ from any changes I make to 
pdbedit on the Samba side?  Which takes priority/preference?
Are you referring to password complexity requirements? That is the only 
area that I can think of where the functionality of XP policies and 
pdbedit will overlap. If that is that case, then the domain controller 
settings apply to domain accounts and local settings apply to local 
accounts.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


Re: [Samba] time sync issue

2009-01-15 Thread Michael Heydon


Is that the only solution?
No, you could use the admin login script or WPKG mentioned in your other 
thread, you could use psexec to run net time as an administrator, or 
you could fix your NTP setup.



How is it that the workstations can sync time
from the Windows AD controllers, but not samba?
  
Samba3 isn't an AD DC; there are several things that Windows can do that 
samba can't. I believe that SBS has net time in the default login 
script, obviously that would run into the same problem of users not 
being admins. So I guess most people probably use NTP.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] time sync issue

2009-01-15 Thread Michael Heydon


I like the idea of fixing my NTP setup. It worked with the Windows DC, 
how can I find out why it doesn't work with Samba?


Just to clarify, do you actually have an NTP setup? Samba isn't an NTP 
server and NTP has absolutely nothing to do with samba/domains/etc.


The net time command uses an SMB query to find the time at the remote 
host, Samba is responsible for answering this query however this is only 
used by net time. When you set a machine to sync its time with 
another machine (via the Time and Date/Internet Time settings) it uses NTP.


If you don't already have it, you will need to install/configure ntpd on 
your server and have it sync with a lower stratum host (you can make it 
sync to itself if it doesn't have internet access but that isn't ideal). 
Once it has had time to stabilise your clients should happily sync to it.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


Re: [Samba] logon script question

2009-01-14 Thread Michael Heydon
I use cpau, there is an associated security risk, but we decided it was 
acceptable.


You could possibly also use WPKG, depending on what you are trying to 
achieve.


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


wes wrote:

Is there a way to configure samba to have a logon script run with
administrator privileges upon login?

thanks,
-wes
  



Re: [Samba] Do I need a WINS server if I want to browse?

2008-12-17 Thread Michael Heydon

Uriel Avalos wrote:

So why do you not recommend UDP broadcasting? too much extra network traffic? but for a 
small network (max 5 computers) isn't that extra traffic insignificant
The extra traffic is insignificant even in a much larger network (50-100 
machines) assuming a 100mbit network. Broadcast resolution is 
unreliable. With just 5 machines which don't get rebooted much you might 
never notice it, but then again maybe you will.


I run WINS on my home network of 3 machines, maybe it's not necessary 
but it takes a whole 2 lines in config files to make it work (In the 
time it took to ask if it was necessary you could have set it up several 
times over). Why not do it properly now rather than risk things breaking 
later?


*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


Re: [Samba] replace winbind with ldap

2008-12-15 Thread Michael Heydon



   I am not migrating for interest but want to free server running windows
active directory. Group Policy has not been implemented in our environment.
  

Samba 3.x with LDAP is not active directory, it is simply an NT4 style 
domain controller which happens to store its user information in LDAP.


I believe vampire is the tool you are after.

*Michael Heydon - IT Administrator *
micha...@jaswin.com.au


Re: [Samba] Any possibility to apply policies on WinXP machines using samba 3.2.3 ?

2008-12-09 Thread Michael Heydon

hamacker wrote:

Any possibility to apply policies on WinXP machines using samba 3.2.3 ?

I was create a local policies using gpedit.msc and I  would like to
apply to entire network.
  
All versions of samba prior to 4 (which is still in testing) implement 
an NT4 style domain. NT4 does not have support for active directory 
style group policies, but it does support older poledit policies.


Grab a copy of Poledit from MS, get some templates (either from admin 
packs from MS or from one of several websites around the place) and make 
an NTConfig.POL file, save it to your netlogon share and you are done.


*Michael Heydon - IT Administrator *


Re: [Samba] Specifying proxy server per user

2008-12-01 Thread Michael Heydon

Bryan Payne wrote:

Was wondering if it's possible to assign specific users a proxy server
for web browsing. Is this possible via samba or netlogon?
Using login scripts you can change pretty much anything you like, 
write a vbscript to edit the appropriate registry entries and you're away.


The other option is to use nt4 style policies (NTconfig.pol) however 
since Vista doesn't support these they are pretty much a dead end, might 
as well go with the vbscript from the start.


*Michael Heydon - IT Administrator *


Re: [Samba] BDC/LDAP Question

2008-11-25 Thread Michael Heydon



When using samba/ldap with a PDC/Master BDC/Slave configuration, Can i
make the BDC read only that password changes etc. will only be done on the
PDC as the BDC has only read access to the slave LDAP server?
  
It's been a while since I played with this stuff, but from memory you 
should point your BDC to your LDAP slave, and set the LDAP slave to 
issue a redirect to the LDAP master when it gets a write request. 
Assuming the BDC can talk to the LDAP master everything should just work.


*Michael Heydon - IT Administrator *


Re: [Samba] Print only server

2008-11-24 Thread Michael Heydon

Matthew Daubenspeck wrote:

Basically can't get queue listings. I have the printer being displayed
properly on an XP client, but once the printer is installed and opened I
get a printer on server Access denied, unable to connect. I can still
print just fine, but I cannot list jobs, pause printing, or purge
documents.


Have you loaded the drivers onto the server or just set up the printer 
on the client and loaded the drivers there?


If you load the drivers onto the client then the client will try to talk 
to the printer slightly differently than if it pulls the drivers from 
the server, the result is something like what you describe.


The quick solution is "use client drivers = yes", the proper solution is 
to load the drivers onto the server.



*Michael Heydon - IT Administrator *


Re: [Samba] Print only server

2008-11-24 Thread Michael Heydon



So, I decided to move to IPP printing served at linux.  XP and even
windows 98 (with patch, original windows 98 do not support IPP) could
print without any problem, easily.
  
The problem with this sort of setup is that drivers need to be loaded on 
individual machines, which can be rather time consuming, and that IPP 
printers are considered local by NT which means that only admins can 
install/delete them. SMB printers (as long as the drivers are loaded or 
the server is trusted) can be added/removed by normal users.



Is there no easy way to have an open ended system but still have the
ability to upload drivers to the samba server?
I'm not quite sure what the procedure is for uploading drivers to a 
server with share mode security, but I am sure it can be done.


The other options are:
Switch to user security temporarily, upload the drivers and switch back. 
Obviously this is a hack and no good for day to day operations.


Switch to user level security permanently. To be honest, I can't see why 
anyone would want to run with share level security, it is a remnant of 
windows 9x that I would be happy to forget. Guest level access is easy 
to configure under user security and works perfectly. This also paves 
the way for easy administration of security should you decide to 
implement it down the road.


*Michael Heydon - IT Administrator *


Re: [Samba] Outlook and roaming profiles?

2008-11-18 Thread Michael Heydon

Ong Chin Kiat wrote:

I need the following features
- Roaming profiles
- LDAP based user administration / authentication

My question is - can it be done without Exchange (ie using PST files)?


Officially, it can't be done because officially you can't put PST files 
on network drives.


In practice, you can do it, although depending on your setup it may be a 
really REALLY bad idea.


I have inherited a site that has several dozen users storing their PST 
files on a samba server, it has its share of problems but with an 
otherwise stable setup they are not insurmountable.


If you have half a dozen workstations with gigabit links to a modern 
server, then you might get away with it (maybe).

If you have a few hundred users on thinnet, then forget it.

Since you are using IMAP you might find other mail clients would make 
life much simpler. You should be able to exclude any local mail store 
from roaming and just let it populate everything from IMAP at first logon.


*Michael Heydon - IT Administrator *


Re: [Samba] files to trash

2008-11-17 Thread Michael Heydon

test test wrote:

Hi,

I setup trash in samba, it working well but people can avoid it when they
delete files/folder using key combination ( Shift+Del ) in Windows XP. Is
possible to prevent hard delete?
  
I don't exactly have a solution to your problem (in fact, I'm kind of 
surprised that you can do that), but have a look at rsync + hardlink 
backups.


Our systems here run a backup every hour (during business hours), each 
evening we grab the most recent hourly sync and put it away (we keep 5 
days worth of these), each friday we grab the most recent daily and keep 
that (for 4 weeks).


All up, I can just go back to any given hour for the past day, any given 
day for the past week, or any week for the past month, and it uses 
approx 1.5x the storage space of the original data (obviously that 
number will increase if you have less static data).


This is my intermediate step, between the recycled module and the tape 
backups, but to be honest, since this has been up and running I hardly 
ever look at the recycled stuff. If someone wants something recovered it 
is far simpler to grab it from the rsync copy.


*Michael Heydon - IT Administrator *


Re: [Samba] Access Denied to Printers / Same thing here - SOLVED once (*almost)

2008-11-09 Thread Michael Heydon


Using a Windoze client, accessing a printer I receive the friendly 
Access denied, unable to connect.  Checking the Samba logs, I find:



Alrighty then... I think I got it... almost (*)

changed in smb.conf section : [print$]

  path = /usr/share/cups/drivers
#   path = /var/lib/samba/printers


You are getting close :)

It is a driver related issue, you can either install windows drivers 
onto the samba server. This has the benefit of when ever you add the 
printer to a client the drivers will be installed automagically.


If you are just after a quick fix, just add "use client driver = yes" to 
your global section. This will get rid of the error, which is pretty 
much harmless anyway.


*Michael Heydon - IT Administrator *


Re: [Samba] Getting a list of users mapped to IP addresses they are logged in from

2008-11-04 Thread Michael Heydon

Didster wrote:

We also have a company Wiki

remove the need to manually login to the Wiki.

Does any one know of a better way?

NTLM auth module for apache. Assuming you are using an apache web server.


*Michael Heydon - IT Administrator *


Re: [Samba] how to setup an open share?

2008-10-26 Thread Michael Heydon


I want to create a universally writeable, browseable share. If you're 
on the network, you can use it. No passwords, any user.

Easy.

[global]
snip
guest ok = yes
browseable = yes
These two lines apply to individual shares, don't put them in the global 
section.

Add a "map to guest" line, probably "map to guest = bad user".


[storage]
snip
public = yes
guest ok = yes

These mean the same thing, get rid of one of them.


Is the problem it's in /home/video? move it to /opt??
The specific location on the filesystem isn't important as long as your 
guest user has rwx permissions in the relevant location.



*Michael Heydon - IT Administrator *


Re: [Samba] Question about switching from Windows 2k Server to SAMBA 3 under Centos

2008-10-21 Thread Michael Heydon



My understanding is that vampire will NOT work with a Windows 2k server,
only an NT4 server...


That's my understanding too. Samba (3.x) can't act as a AD domain 
server. It can be a member of an AD domain, thou.




I've never actually tried this myself, so take it with a grain of salt, 
but isn't 2k capable of running in two different modes? One where it is 
pure AD and one where it is compatible with NT4? If it was in NT4 mode 
then might not vampire have a chance?


Or am I thinking of some 2k-2k3 change maybe?


*Michael Heydon - IT Administrator *


Re: [Samba] Create user home directory or user-own folder on samba server on first login to samba

2008-10-21 Thread Michael Heydon

Русаков Денис wrote:

  I'd like to create user home directory or user-own folder on samba server on 
first login to samba without using PAM
  


I use this along with a "root preexec" (and "preexec close") setting on 
the homes share.


*Michael Heydon - IT Administrator *

/*
 *  Program Name: smbmkhome
 *  Version: 1.0
 *  Author: Michael Heydon
 *  Purpose: This program is designed to be run by samba prior to a user
 *   accessing their home directory. Since the users are set up in LDAP
 *   it is possible (probable) that their home directory was not created
 *   when their account was. This program will create the user's home
 *   directory and fix ownership and permissions if necessary.
 *
 *   The program should be called with 1 parameter
 *
 *   smbmkhome username
 *
 *   username is the user to create/fix the home directory for.
 *
 *   smbmkhome will return: 0 - success
 *                          1 - incorrect parameters
 *                          2 - invalid user
 *                          3 - home exists but is not a directory
 *                          4 - mkdir/chown failed
 *
 *  Notes: compile with gcc -o smbmkhome smbmkhome.c
 *         tested under slackware linux 10.2
 *         requires cpio to copy skel when creating a directory
 */

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <pwd.h>

void printUsage(char* argv0);
int createHomeDir(struct passwd* user, char* skel);
void fixPerms(struct passwd* user);

int main (int argc, char* argv[]) {

  char* skel = "/etc/skel";
  struct passwd* userpw = 0;
  struct stat dirstat;
  char* homedir = 0;
  int returnval = 0;

  if ( argc != 2 ) {
    printUsage(argv[0]);
    returnval = 1;
  } else {
    userpw = getpwnam(argv[1]);
    if ( userpw != 0 ) {
      homedir = userpw->pw_dir;
    } else {
      // Since this is unlikely to occur if the program is being called by
      // samba as I intended we will allow a little bit of user interaction
      // here.
      printf ("%s: User does not exist.\n", argv[0]);
      returnval = 2;
    }
  }

  if ( returnval == 0 ) {
    if ( stat(homedir, &dirstat) == 0 ) {

      if ( (dirstat.st_mode & S_IFMT) == S_IFDIR ) {

        // Make sure the user and the users primary group are the owners of the
        // home directory and make sure at least the user has RWX permissions.
        //
        // The last comparison isn't terribly intuitive it just happens that
        // the bitmask S_IRWXU is exactly equal to the bits we want set. Rather
        // than or'ing together the bits for RWX to get exactly the same value
        // I decided to use the mask itself.
        if ( (dirstat.st_uid != userpw->pw_uid) ||
             (dirstat.st_gid != userpw->pw_gid) ||
             ( (dirstat.st_mode & S_IRWXU) != S_IRWXU) )
          fixPerms(userpw);

      } else {

        // stat returned, meaning the home directory exists on the FS, but
        // the st_mode variable indicates that its not a directory. Oops :/
        // We won't try and force things because this could be used by admins
        // to stop a particular user from having a home directory (guest users
        // etc).
        returnval = 3;

      }

    } else {
      // home directory does not exist at all, try and create it and chown it
      // to the user and their primary group. copy skel to the new home dir if
      // possible but dont worry if that bit fails.
      if ( createHomeDir(userpw, skel) != 0 )
        returnval = 4;
    }
  }

  return returnval;

}

void printUsage (char* argv0) {
  printf ("Usage: %s username\n\n", argv0);
  printf ("Create/fix a user's home directory (prior to accessing via samba).\n");
}

int createHomeDir(struct passwd* user, char* skel) {

  int returnval=0;
  int len;
  char command[255];

  if ( (mkdir(user->pw_dir, 0755) == 0) ) {
    returnval=chown(user->pw_dir, user->pw_uid, user->pw_gid);
  } else {
    returnval=1;
  }

  if ( returnval == 0 ) {
    // Don't worry if this fails, the directory exists and is owned by the user
    // this is really just a courtesy.
    //
    // snprintf keeps a long pw_dir from overflowing command[]; a truncated
    // command is skipped rather than run. pw_dir and pw_name are passed to
    // the shell unquoted, so they must not contain shell metacharacters.
    len = snprintf(command, sizeof(command),
                   "cd %s && find . -print | cpio -pd %s 2>&1 > /dev/null",
                   skel, user->pw_dir);
    if ( len > 0 && len < (int)sizeof(command) )
      system(command);
    // "user." (trailing dot) makes chown set the user's login group as well.
    len = snprintf(command, sizeof(command), "chown -R %s. %s",
                   user->pw_name, user->pw_dir);
    if ( len > 0 && len < (int)sizeof(command) )
      system(command);
  }

  return returnval;

}

void fixPerms(struct passwd* user) {

  // We don't return anything here, since the directory already exists its
  // possible that who ever created the directory set things up in such a way
  // that this function fails but the share works the way they want, we don't
  // want to tell samba to drop the user's connection just because their admin
  // is being weird :)

  if ( (chmod(user->pw_dir, 0755) == 0) ) {
    chown(user->pw_dir, user->pw_uid, user->pw_gid);
  }

}
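
An added example, not part of the original post and not Michael Heydon's code: smbmkhome runs as root from "root preexec" and builds shell commands from pw_dir and pw_name, which come from LDAP. This variant does the skeleton copy and ownership change in-process, with no shell. The names safe_home_path, copy_tree and make_home, and the policy that a home must be a direct child of /home, are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed policy: a home is a direct child of `base` (/home/alice), never
 * /home/../etc or /home/a/b. pw_dir comes from LDAP, so it is checked. */
int safe_home_path(const char *base, const char *home)
{
    size_t blen = strlen(base);
    if (strncmp(home, base, blen) != 0 || home[blen] != '/')
        return 0;
    home += blen + 1;                       /* the single leaf component */
    if (*home == '\0' || strchr(home, '/') != NULL)
        return 0;
    return strcmp(home, ".") != 0 && strcmp(home, "..") != 0;
}

/* Copy one regular file; O_NOFOLLOW and O_EXCL refuse symlinks and
 * anything already present at the destination. */
static int copy_file(const char *src, const char *dst, mode_t mode,
                     uid_t uid, gid_t gid)
{
    char buf[8192];
    ssize_t n = -1;
    int out, in = open(src, O_RDONLY | O_NOFOLLOW);

    if (in < 0)
        return -1;
    out = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (out >= 0) {
        while ((n = read(in, buf, sizeof buf)) > 0)
            if (write(out, buf, (size_t)n) != n) { n = -1; break; }
        if (n == 0 && fchown(out, uid, gid) != 0)
            n = -1;
        close(out);
    }
    close(in);
    return n == 0 ? 0 : -1;
}

/* Recursive in-process replacement for "find | cpio" and "chown -R". */
static int copy_tree(const char *src, const char *dst, uid_t uid, gid_t gid)
{
    char s[PATH_MAX], d[PATH_MAX];
    struct dirent *e;
    struct stat sb;
    int rc = 0;
    DIR *dir = opendir(src);

    if (dir == NULL)
        return -1;
    while (rc == 0 && (e = readdir(dir)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (snprintf(s, sizeof s, "%s/%s", src, e->d_name) >= (int)sizeof s ||
            snprintf(d, sizeof d, "%s/%s", dst, e->d_name) >= (int)sizeof d ||
            lstat(s, &sb) != 0)
            rc = -1;
        else if (S_ISDIR(sb.st_mode))
            rc = (mkdir(d, sb.st_mode & 0777) == 0 && lchown(d, uid, gid) == 0)
                     ? copy_tree(s, d, uid, gid) : -1;
        else if (S_ISREG(sb.st_mode))
            rc = copy_file(s, d, sb.st_mode & 0777, uid, gid);
        /* symlinks, devices and FIFOs in the skeleton are skipped */
    }
    closedir(dir);
    return rc;
}

/* Returns 0 once `home` exists and belongs to uid:gid, -1 otherwise. */
int make_home(const char *base, const char *home, const char *skel,
              uid_t uid, gid_t gid)
{
    /* mkdir() fails on anything already at `home`, symlinks included; when
     * run as root, mode 0700 keeps the user out until the copy is done. */
    if (!safe_home_path(base, home) || mkdir(home, 0700) != 0)
        return -1;
    (void)copy_tree(skel, home, uid, gid);  /* a courtesy, as in the post */
    if (lchown(home, uid, gid) != 0)
        return -1;
    return chmod(home, 0755);
}

int main(int argc, char *argv[])
{
    struct passwd *pw = (argc == 2) ? getpwnam(argv[1]) : NULL;
    if (pw == NULL)
        return 1;
    return make_home("/home", pw->pw_dir, "/etc/skel",
                     pw->pw_uid, pw->pw_gid) == 0 ? 0 : 4;
}
```

Because no command string is ever built, a pw_dir containing spaces or shell metacharacters is treated as a plain path name, and one that points outside the base directory is rejected before anything is created.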

Re: [Samba] How does the guest account param work?

2008-10-17 Thread Michael Heydon

Kyle wrote:
Thanks to all who responded. A combination of mails helped answer most 
questions. I had _completely_ missed the 'map to guest' param. So now 
I can log on to a share as a guest with no passwd.


However, I have to know the share I want to log onto. I am still 
unable to browse the WORKGROUP itself.


Am I wrong in this?
Theoretically this should all just happen automatically, in the real 
world the broadcast method of finding hosts and workgroups is pretty 
flakey. MS worked around this by creating WINS, which is sort of like 
DNS for SMB. All MS servers since way back when have handed out WINS 
settings via DHCP out of the box. Under *nix, you need to tell your DHCP 
server to hand out a WINS server (or specify it on each machine manually).


On an unrelated note, your smb.conf is overly complex, you are 
specifying a lot of settings where the defaults are most likely entirely 
suitable. You might find it easier in the long term to start over again 
with the standard config that ships with samba and only add settings 
that you actually need. (e.g. messing with buffer settings has been 
deprecated for quite some years).




*Michael Heydon - IT Administrator *


Re: [Samba] How does the guest account param work?

2008-10-16 Thread Michael Heydon

Kyle wrote:
smb.conf states This user must exist in the passwd file, but does not 
require a valid login  What exactly does this mean?
It means exactly what it says, the specified user must exist in the 
passwd file (as in the list of valid unix users), but does not require a 
valid login (as in a samba login).
As I understand it, adding a user with 'smbpasswd -a nobody' 
automatically gives it a valid login.

Correct, so don't do that.
I couldn't browse the workgroup, but could log on to the samba host 
directly via UNC. E.g. \\samba-host with user:'nobody' - pass: empty
This isn't how the guest account works. The guest account is the account 
used to access files when map to guest is triggered.
e.g. I have an XP machine with the username "fred", I try to connect to 
a samba host which has "map to guest = bad user" and *does not have an 
account called fred* I will be granted access to guest shares and all of 
my reads and writes will be performed using the unix id nobody.
Only problem with that is that a home dir appeared for 'nobody' which 
happened to be the '/' (root) dir.  NOT good!
This is because you aren't connecting as a guest user, you are 
connecting as a normal user who happens to have the same UID as the 
guest user.


So then I tried with 'guest account = guest'
Deleted the 'nobody' user from passdb.tdb
I created a /home/guest dir and added and enabled 'guest' to the 
passdb.tdb.


This then lets me only log on to the [public] share. However, if I 
click the 'Up' button on the XP host's file manager (Explorer), I can 
get back up to the root of the host directly (i.e. \\samba-host ) 
and suddenly see both the [public] share and the guest home dir.


If there are 'guest ok = Yes' defined shares, then I would expect to 
still be able to browse the workgroup and see available shares on the 
samba host, albeit only those 'guest ok' defined shares. And I 
certainly wouldn't expect to see any home dir for a limited user.
This is entirely expected behaviour. You aren't a limited user if you 
authenticate with valid credentials.



*Michael Heydon - IT Administrator *


Re: [Samba] How does the guest account param work?

2008-10-16 Thread Michael Heydon

Oops, let's bring the list back in on this...

Jeffrey Hathaway wrote:

You can totally fix this by setting up your home drive to DENY guest, and therefore ya 
root see the / partition anymore.
 
TRY this
 
[homes]

comment = Home Directories
read only = No
browseable = No
invalid users = nobody
guest ok = no
 


Then in your smbusers, set this up.
 
# Unix_name = SMB_name1 SMB_name2 ...

root = administrator admin
nobody = guest pcguest smbguest
and go ahead and setup the username nobody up in samba with no pass, and you 
should be all set.



What benefits does this offer over the normal samba guest access? As far
as I can see it is more complicated (you are creating accounts that
aren't needed, generating a share for it, and then denying access to the
share) and less user friendly (users have to login rather than letting
map to guest sort things out).

*Michael Heydon - IT Administrator *


Re: WG: [Samba] Strange!!! Clients only log on to samba bdc

2008-09-18 Thread Michael Heydon

Daniel Müller wrote:

Suddenly all clients log on to my BDC not longer to the PDC.
  
What happens if the BDC is unavailable (You could simulate this by 
setting up iptables rules to drop all traffic from a given workstation)? 
The way I understand it, workstations will use what ever DC is closest 
to them. If the PDC is taking longer to respond or something then they 
may consider the BDC to be the best choice.


*Michael Heydon - IT Administrator *


Re: [Samba] samba and ssl certificates?

2008-09-10 Thread Michael Heydon

Mike Eggleston wrote:

Is there a way I can use samba, or maybe the logon.bat file, to install
this root certificate on my workstations?
  
This has been on my TODO list for a while. MS have a program called 
certutil which should do the trick. I haven't progressed past 
downloading a copy so I can't tell you how to use it, but there should 
be plenty of docs around.


*Michael Heydon - IT Administrator *


Re: [Samba] Samba VFS recyclebin hide

2008-09-09 Thread Michael Heydon


I place a symlink in the root directory of all my shares pointing to a 
dedicated /recycle directory which is NOT shared.


Result is that all deleted files end up under this /recycle directory, 
where they can be recovered by me.


Presumably you have disabled symlink following otherwise the users could 
just go into the linked directory.


Why not just set "repository = /some/path/that/isnt/shared/recycle" 
(note the absolute path), same effect, no messing with symlinks.


*Michael Heydon - IT Administrator *


Re: [Samba] Inexistant file displayed by samba

2008-09-04 Thread Michael Heydon

Oops, I should probably cc the list :(



> You should look on your Samba server to see if there are funny looking
> three letter files named con or com or such.

It's not necessarily three letters, anything with a : or \ in its
name will do the same thing.

*Michael Heydon - IT Administrator *


Re: [Samba] samba + LDAP issue

2008-08-31 Thread Michael Heydon

ganeshs wrote:

> My Issue is I don't know how to integrate samba PDC  LDAP

Is the LDAP server going to become the PDC? Or do you want to migrate 
the existing PDC?

In either case, you need to extract your current user data and insert it 
into the LDAP server, set up NSS, and tell samba to use the new backend.

> Linux Client PC(Ubuntu) into domain using samba since I can use centralised
> username and password for Windows and Linux PC.

Unix systems need to be set up to do NSS and possibly PAM lookups through 
LDAP. The PADL *_ldap modules are the most popular way of doing that.

> where can i find document?

Samba by example at samba.org should get you up and running.

*Michael Heydon - IT Administrator *


Re: [Samba] speed limit

2008-08-21 Thread Michael Heydon

Drunix wrote:

Hello,

Does anybody know how to limit ul/dl speed for shares?

Thanks in advance.
  


Samba doesn't do this, you would need to implement bandwidth shaping 
using whatever tools are appropriate for your OS.


Please don't send duplicate messages.

*Michael Heydon - IT Administrator *


Re: [Samba] speed limit

2008-08-21 Thread Michael Heydon
> could you please tell me at least one tool to do this? I need to limit 
> speed not for all tcp traffic, only samba.

Under linux, a mixture of tc and iptables should do the trick, but it's 
not for the faint of heart ;)


--
*Michael Heydon - IT Administrator *


Re: [Samba] ldap.conf

2008-08-12 Thread Michael Heydon

Thomas Vito wrote:

I finally get it working just by adding the base dc and binddn stuff in
ldap.conf

I guess it is mandatory as i couldn't get samba working without it. MY
question is: how come doesn't it figure in the documentation, it might be
useful for beginners.
  
This has relatively little to do with samba, it is an NSS configuration 
file. I've had a quick flick through the docs and I can't see any 
explicit instructions on how to set up NSS, only things saying that it 
needs to be done and that PADL nss_ldap is the preferred way of doing 
it. Presumably PADL have their own docs.



*Michael Heydon - IT Administrator *


Re: [Samba] ldap.conf

2008-08-12 Thread Michael Heydon
Michael Heydon wrote: 
I've had a quick flick through the docs and I can't see any explicit 
instructions on how to set up NSS


I stand corrected, it is in chapter 5 of Samba by Example. It has a 
samba ldap.conf for NSS_LDAP.


*Michael Heydon - IT Administrator *


Re: [Samba] UPPER letters for machine accounts

2008-08-08 Thread Michael Heydon

Helmut Hullen wrote:

Hallo,

in many examples it is proposed to take UPPER letters for machine  
accounts.


Making machine accounts is related to useradd, and in some  
distributions (p.e. Mandriva, slackware) this program doesn't allow  
UPPER letters (the problem is related to some terminal programs. p.e.  
agetty).


Is it necessary to take UPPER letters for machine accounts?

Viele Gruesse!
Helmut
  
Nope, I'm using lowercase. I think it is just so you can see at a glance 
what is user and what is machine. I have OUs for that so I don't care 
about case.


Have a good weekend :)

*Michael Heydon - IT Administrator *


Re: [Samba] Samba Vista [SOLVED]

2008-08-05 Thread Michael Heydon

Steve Blackwell wrote:

snip
Somewhere under the covers, Vista thinks that user Kellie is user
User even though Control Panel (Classic View)-User Accounts shows
only one user called Kellie.

Whatever...
Steve.
  
This is what happens when you rename a user, it is the same in XP and 
probably 2k as well. The only way that I know of to really change a 
username rather than just change the name that is shown, is to create a 
new user, migrate the profile and delete the old account (of course this 
can introduce its own problems).



*Michael Heydon - IT Administrator *


Re: [Samba] Rename to open file doesn't work, why?

2008-07-27 Thread Michael Heydon

Wilhelm Meier wrote:

snip
On a local linux filesystem like ext2/3 one can rename a file to an 
existing, already open file. 


But this doesn't  work on a cifs-mounted samba-share
snip
  
The reason this works with ext2 is that as long as you hold an open file 
descriptor a deleted file is still accessible (rename is essentially a 
delete and then a move).


While it might be theoretically possible for this to work unix to unix, 
Windows doesn't deal with deleted files the same way (it prevents you 
from deleting files as long as they are open), and so it's quite 
possible that SMB/CIFS doesn't understand the concept of having a 
deleted file open.



*Michael Heydon - IT Administrator *


Re: [Samba] start server script after logon

2008-07-22 Thread Michael Heydon

andreas moroder wrote:

Is there a way to start a script after the logon script on the client
ended ?
  
How about having the last command of the logon script access 
\\server\logoncomplete and put your preexec on that? A little bit 
hackish, but probably the simplest reliable option.


*Michael Heydon - IT Administrator *


Re: [Samba] Create masks set to 770 yet new files created as 750

2008-06-24 Thread Michael Heydon



Jeff L wrote:

> snip
> The masks on each share is :
>
> browseable = yes
> writeable = yes
> create mask = 2770
> security mask = 2770
> directory mask = 2770
> directory security mask = 2770
>
> I've also performed a chmod -R 2770 on the entire share dir.
>
> if I add
>
> force create mode = 2770
> force directory mode = 2770
>
> to each share the new files are created as 770.
>
> Is this necessary? I thought the create masks would be sufficient.
> snip

Yes it is. From the smb.conf man page:

    [The] resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
    This parameter may be thought of as a bit-wise MASK for the UNIX
    modes of a file. **Any bit not set here will be removed from the modes
    set on a file when it is created.**

So the masks define which bits CAN be set, the force modes define which 
bits WILL be set.


*Michael Heydon - IT Administrator *
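
The mask-then-force order described in the reply above, worked through on the share settings from the question. This is an added example, not part of the original thread; the share name and the requested mode 0750 are assumptions chosen to match the reported symptom, and the fallback values are the defaults documented in smb.conf(5).

```python
import stat

# Defaults documented in smb.conf(5) when a share does not set the parameter.
DEFAULTS = {
    "create mask": "0744",
    "directory mask": "0755",
    "force create mode": "000",
    "force directory mode": "000",
}


def parse_share(stanza):
    """Parse the 'name = value' lines of one share into a dict."""
    params = {}
    for line in stanza.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue  # blank line, comment or section header
        name, sep, value = line.partition("=")
        if sep:
            # smb.conf parameter names ignore case and repeated spaces
            params[" ".join(name.lower().split())] = value.strip()
    return params


def created_mode(requested, params, directory=False):
    """Apply the mask (bitwise AND), then the force mode (bitwise OR).

    Returns the final mode and the bits each step changed.
    """
    mask_name = "directory mask" if directory else "create mask"
    force_name = "force directory mode" if directory else "force create mode"
    mask = int(params.get(mask_name, DEFAULTS[mask_name]), 8)
    force = int(params.get(force_name, DEFAULTS[force_name]), 8)
    after_mask = requested & mask
    return {
        "final": after_mask | force,
        "stripped_by_mask": requested & ~mask,
        "added_by_force": force & ~after_mask,
    }


def show(mode, directory=False):
    """Render a mode the way ls -l does, e.g. '-rwxr-x---'."""
    kind = stat.S_IFDIR if directory else stat.S_IFREG
    return stat.filemode(kind | mode)


# Values from the question; the share name [projects] is constructed.
MASKS_ONLY = """
[projects]
browseable = yes
writeable = yes
create mask = 2770
security mask = 2770
directory mask = 2770
directory security mask = 2770
"""
WITH_FORCE = MASKS_ONLY + "force create mode = 2770\nforce directory mode = 2770\n"

if __name__ == "__main__":
    requested = 0o750  # assumed mode the new file would get before masking
    for label, text in (("masks only", MASKS_ONLY), ("with force", WITH_FORCE)):
        result = created_mode(requested, parse_share(text))
        print("%-11s %s  stripped=%04o added=%04o" % (
            label, show(result["final"]),
            result["stripped_by_mask"], result["added_by_force"]))
```

With the masks alone the mode stays 0750, because a mask of 2770 permits group write but never adds it; only the force mode turns the missing bits on.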


Re: [Samba] Hostname not visible across 2 subnets

2008-06-22 Thread Michael Heydon

L.P.H. van Belle wrote:

> Hi,
>
> this is not samba but routing info you need.
>
> if possible to add a second lan ip on the Wireless router, 
> add ip 10.0.0.99 for example.
>
> then router has access to modem, and client2 is able to connect to wireless
> modem.
>
> Louis

This isn't quite right, he said that he could ping admin from client2 by 
ip but not by name which means he does have routing up and running 
between the two networks but no name resolution on the second network.

>> Hi,
>>
>> I have the following network:
>>
>>       +----------+
>>       | Internet |
>>       +----------+
>>            |
>>   +----------------+             +-----------------+
>>   | Wireless Modem |--- ))((-----| 'admin' on DHCP |
>>   | on 10.0.0.*    |--+          +-----------------+
>>   +----------------+  |          +-------------------+
>>            |          +- ))((----| 'client1' on DHCP |
>>            | wired               +-------------------+
>>            |
>>   +-----------------+            +-------------------+
>>   | Wireless Router |--- ))((----| 'client2' on DHCP |
>>   | on 192.168.0.*  |            +-------------------+
>>   +-----------------+
>>
>> I hope the above diagram is not TOO mangled...
>>
>> For example, if 'admin' has been allocated the ip 10.0.0.6.
>>
>> I can ping 10.0.0.6 from both 'client1' and 'client2'
>> I can ping 'admin' from 'client1' but 'client2' says 'could 
>> not find host'
>>
>> In other words, the hostname 'admin' only gets resolved on the 
>> 10.0.0.* subnet.

The fact that you have any name resolution at all using ping means you 
already have a functioning DNS server (assuming the machine isn't in a 
hosts file somewhere).

>> Any computer on the 192.168.0.* subnet can 'see' 'admin's' ip, but not
>> the hostname 'admin'.
>> The Admin computer is running Ubuntu Hardy, The Clients are 
>> running XP.
>>
>> Can I remedy this through Samba with WINS? Or do I need to set 
>> up a DNS on the 'admin' machine?
>> Simplest option, of course would be to set up 'admin' as a static ip

A static IP wouldn't actually solve the problem unless you then go put 
it in each client's hosts file (which gets annoying quite quickly). If 
you only want samba to work and don't care about being able to 
ping/ssh/telnet/http to a name then WINS will be fine. If you want an 
all round solution you need DNS. The upside is that you already have DNS 
(as mentioned above) so you can point client2 at the DNS server on the 
admin network, you might be able to set the DHCP server on the client2 
network to do this automatically.


*Michael Heydon - IT Administrator *


Re: [Samba] Strange Samba permissions on vfat (fat32) volume

2008-06-16 Thread Michael Heydon

Tomas Mackevicius wrote:

> I'm running Samba on Ubuntu server. I know, perhaps it is not related with 
> Ubuntu Server 8.04, but rather
> with Samba itself, but I thought perhaps someone has similar
> experience...

Actually I don't think it has much to do with samba either.

> I have a couple of shares on Samba on a vfat (fat32) volume. As
> everybody knows Linux permissions do not work on vfat, except on
> mount folder where vfat partition is mounted. I thought that is really
> not a minus, but a plus if you want to create share for 10-15 users,
> because then it's not necessary to mess with all those permissions.

You could achieve the same thing under a fully functional fs and 
wouldn't run into problems like this :)

> snip
>
> Normal file:
> -rwxrwxrwx 1 root server1  6158201 1999-05-05 21:36 Alex Gopher - Super Disco.mp3
>
> Bad file:
> -r-xr-xr-x 1 root server1 2568192 2001-10-04 16:52 Bjork - All Is Full Of Love.mp3

I think this is your problem.

> I realized that some of the bad files were copied to vfat partition
> from CD drive (when this HDD was still on a windows PC). So the logical
> thinking would suggest, that those files have Read Only mark (which is
> usually given to all files that are copied from CD). Knowing this I
> tried to play with smb.conf options:
>
> delete readonly = Yes
> map readonly = No / Yes

That isn't how it works, the map read only maps the client's read only 
value to the server's unix permissions, what you are interested in is 
how the unix permissions are mapped to the file system's read only flag.

> I didn't get any results. I tried to change other map options but with
> no results either. Permissions were not intact. My Only idea is that
> somehow Samba is interpreting Read-Only flag and that affects the file
> permissions.

It isn't samba as you demonstrated with your ls output above, it is 
occurring at the file system level.

> I would really appreciate any comments or ideas. Here are the settings of my 
> share:
>
> available = Yes

Default value.

> browseable = Yes

Default value.

> read only = No
> follow symlinks = No

Symlinks can't exist on a fat fs.

> hide dot files = Yes

Default value.

> delete readonly = Yes
> case sensitive = No

Default value.

> preserve case = Yes

Default value.

> map archive = Yes

Tries to change unix permissions, which won't work on a fat fs.

> map system = No

Tries to change unix permissions, which won't work on a fat fs.

> map hidden = No

Tries to change unix permissions, which won't work on a fat fs.

> map readonly = No

Tries to change unix permissions, which won't work on a fat fs.

> guest ok = No

Default value.

> oplocks = No
> level2 oplocks = No
>
> Thanks to all.

None of that should have any effect on the problem at hand, but it is 
kind of pointless to define a heap of options to their default value.


*Michael Heydon - IT Administrator *


Re: [Samba] samba auth against imap?

2008-06-15 Thread Michael Heydon

dnk wrote:

> I had a VP in our company ask today if it was possible to use the same 
> id's and passwords as our mail server. Now if it was LDAP based, no 
> problem.
>
> snip

The short answer is no. The longer answer is: you could possibly hack 
something up but it would require disabling encrypted passwords, which 
requires changes on each client and reduces security. Sounds like a good 
time to ask for money to develop an LDAP based system :)


*Michael Heydon - IT Administrator *


Re: [Samba] Some kind of weird setup ...

2008-06-12 Thread Michael Heydon

Jan Patrick Lübbert wrote:

> snip This machine
> then shares this (mounted) share again to other machines (linux and windows)
> via Samba. Don't speak about performance and how silly this is, but at the
> moment I don't see other ways to do what I need.
> snip
  


What do you need? Could you use DFS?

*Michael Heydon - IT Administrator *


Re: [Samba] Samba and XP

2008-06-11 Thread Michael Heydon

Vo Dai Chuyen wrote:

What for ?

  


I think that most people that talk about this are interested in making 
XP into a domain controller. Which generally means they are a Windows 
user who doesn't want to spend money, or a *nix zealot who objects in 
principle to a proper windows server, either way it tends to be bad news.


*Michael Heydon - IT Administrator *


Re: [Samba] smb signing is incompatible with share level security !

2008-06-10 Thread Michael Heydon
I would guess the problem is exactly what it says, smb signing is 
incompatible with share level security. So either stop using share level 
security (my personal preference) or stop telling it to use smb signing.


Javier Ruiz wrote:

> snip
>
> Nov 20 16:24:37 dell01 smbd[6199]:   reply_nt1: smb signing is incompatible
> with share level security !
>
> snip
> security = share
> snip
> server signing = Auto
> snip
  


*Michael Heydon - IT Administrator *


Re: [Samba] limit user connections to PDC

2008-06-09 Thread Michael Heydon
This has been discussed on the list a few times before, try searching 
the archives for multiple user / multiple logon. I don't think there 
was a single perfect solution but there were a few hacks that mostly 
solved the problem.


Christopher Perry wrote:

> i work in a lab environment, and we'd like to prevent users from 
> logging into 5 machines at once. I've looked through the smb.conf man 
> page pretty thoroughly, but nothing appears to address this problem.
>
> Anyone have any ideas, how you can limit the amount of logins a user 
> can have to the domain?
>
> Thanks,
> Chris


*Michael Heydon - IT Administrator *


Re: [Samba] CVE-2008-1105

2008-06-06 Thread Michael Heydon

Volker Lendecke wrote:

>> Yet the actual CVE [1] has Versions: Samba 3.0.0 - 3.0.29 (inclusive)
>>
>> The CVE suggests that the version 3.0.4 would not be affected, my confused!
>
> I'm not a native english speaker, but I wonder from what
> term in the CVE you read that 3.0.4 is not affected

I think this comes from the fact that 0.4 > 0.29

I know I have had issues in the past trying to explain that it isn't a 
decimal point and that version 1.10 is later than 1.9 despite the fact 
that mathematically 1.9 is greater.


*Michael Heydon - IT Administrator *
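
The field-by-field comparison described in the reply above, applied to the affected range quoted in the thread. This is an added example, not part of the original thread; the host names and version strings in the inventory are constructed, and the "Version x.y.z" string style is an assumption about what is being parsed.

```python
import re

# Affected range as quoted in the thread: 3.0.0 - 3.0.29 (inclusive).
AFFECTED_FIRST = "3.0.0"
AFFECTED_LAST = "3.0.29"

# MAJOR.MINOR with an optional .PATCH and an optional release letter.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)")


def parse_version(text):
    """Return (major, minor, patch, letter) from '3.0.4', '1.10',
    '3.0.28a' or a longer string such as 'Version 3.0.28a'.

    Each dotted field is its own integer, so 29 > 4 and 10 > 9.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no dotted version found in %r" % (text,))
    major, minor, patch, letter = match.groups()
    return (int(major), int(minor), int(patch or 0), letter)


def is_affected(version, first=AFFECTED_FIRST, last=AFFECTED_LAST):
    """True when version lies in the inclusive range [first, last].

    Only the numeric fields are compared, so a lettered release such
    as 3.0.28a is treated like 3.0.28.
    """
    numeric = parse_version(version)[:3]
    return parse_version(first)[:3] <= numeric <= parse_version(last)[:3]


def decimal_misreading(version, last=AFFECTED_LAST):
    """The mistake from the thread: reading '0.4' and '0.29' as decimals.

    Returns what that faulty comparison concludes about 'affected'.
    """
    def tail(value):
        _major, minor, patch, _letter = parse_version(value)
        return float("%d.%d" % (minor, patch))  # 3.0.4 -> 0.4, 3.0.29 -> 0.29
    return tail(version) <= tail(last)


def affected_hosts(inventory):
    """Given {host: version string}, return the sorted affected host names."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory: host names and version strings are sample data.
SAMPLE_INVENTORY = {
    "fs-old": "Version 3.0.4",
    "fs-main": "Version 3.0.28a",
    "fs-edge": "Version 3.0.29",
    "fs-new": "Version 3.0.30",
    "fs-legacy": "Version 2.2.12",
}

if __name__ == "__main__":
    for host in sorted(SAMPLE_INVENTORY):
        ver = SAMPLE_INVENTORY[host]
        print("%-10s %-16s affected=%s" % (host, ver, is_affected(ver)))
    print("decimal reading of 3.0.4:", decimal_misreading("3.0.4"))
```

A distribution package can carry a backported fix under an unchanged upstream version, so a match here is a prompt to check the package changelog rather than a final verdict.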


Re: [Samba] do i need posix users/groups in ldap

2008-06-06 Thread Michael Heydon

Collen Blijenberg wrote:

> in order to use the ldap backend, you need to insert the posix users 
> in ldap as well ??
> there is no way to get it work, with the normal basic setup (passwd 
> shadow group etc. files)
>
> that's odd ?!

It isn't completely impossible, if you really wanted to have two 
separate user dbs I'm sure you could hack something together, but it 
would completely eliminate the main advantage of LDAP.

If you aren't interested in the benefits of having a single db, why are 
you using LDAP? Why not use one of the other simpler backends?


*Michael Heydon - IT Administrator *


Re: [Samba] Home Lan computer browser(s)

2008-06-04 Thread Michael Heydon

Skip Guenter wrote:

> snip
> 1) Should I have more than one computer browser on my lan (~16 machines)?
>
> I'd read someplace that I should have 1 primary and 1 backup computer 
> browser for up to 32 computers and then another backup browser for 
> each additional 32 computers.
>
> snip

Do you know where you heard this? I've never heard of it and it seems 
wrong. As I understand it there is only the master browser role there is 
no concept of a backup, in the event that the master goes down there 
is a new election and a new master is chosen. In any case 32 users is 
ridiculous there are people out there supporting thousands of users, I 
can guarantee they don't have one server per 32 users.

>  os level = nnn (0 to 255)
>  preferred master = yes/no
>  domain master = yes/no
>  local master = yes/no

All of these are fairly well explained in the man page.

OS level should be higher for the more reliable/important machine *IF* 
you have a reason to change it, the defaults will be fine for 99% of cases.

Preferred master use this if it is important that one machine is the 
master (i.e. if you have a domain) don't set it on more than one machine.

Domain master is only needed if your network spreads across multiple 
subnets. You should only have one per workgroup/domain.

Local master this is only really needed if you have a machine that you 
definitely don't want to be in charge of anything, otherwise the default 
of yes is fine.

> snip


*Michael Heydon - IT Administrator *


Re: [Samba] windows share vs. linux share access

2008-06-03 Thread Michael Heydon

Jason Gerfen wrote:

> snip
> My problem is if I try to mount the samba share from a linux client I 
> receive errors.

What errors? The full output from the client would be useful.

> Is there anything special about linux commands such as:
> % mount -t smbfs -o username=USERNAME //server/share /mnt/samba-share

smb is deprecated, use cifs if possible.

> According to the logs my authentication is failing for linux clients:
> [ 7066]: pam auth crap domain: [DOMAIN] user: username

That doesn't look like a failure to me.

*Michael Heydon - IT Administrator *


Re: [Samba] Nessus test issues with open shares

2008-05-28 Thread Michael Heydon
I think something went wrong here (at least I hope you don't have 4 
global sections).


Joseph P Villa wrote:

snip

...
[global]
...
[global]
...
[global]
...
[global]
...
Joseph P Villa, IT Services
USGS Mounds View, MN

snip


Also this doesn't mention LOGS$ or ARCSERV$.


*Michael Heydon - IT Administrator *


Re: [Samba] printer drivers - Add Printer Wizard disabled

2008-05-27 Thread Michael Heydon

Joshua Swink wrote:

> * Add the name of the user as printer admin = username in smb.conf.
> However, testparm told me that printer admin was deprecated. Also it
> didn't work.

From the smb.conf man page:

    printer admin (S)
    ...
    This parameter has been marked deprecated in favor of using the
    SePrintOperatorPrivilege and individual print security descriptors.
    It will be removed in a future release.

You can use the net command to grant SePrintOperatorPrivilege to your 
user.




*Michael Heydon - IT Administrator *


Re: [Samba] Somewhat bizzare share issue

2008-05-22 Thread Michael Heydon

ScottZ wrote:

snip I'm running smbd -D -d2 and the client log file isn't throwing any 
errors when I try to connect to export.

Anything else to look at for this one?
  

That is rather odd, do you mean the *server* log doesn't have errors?

You don't have a user called export by any chance do you?

*Michael Heydon - IT Administrator *


Re: [Samba] permissions

2008-05-21 Thread Michael Heydon

solarflow99 wrote:

Hi, snip  My question is since I am
using LDAP as the backend, root can't easily be used; does anyone have any
recommendations on how this can be done?
  

Why don't you create an Administrator user in ldap that has uid 0?

*Michael Heydon - IT Administrator *


Re: [Samba] [Fwd: File Locking and Permissions Issue]

2008-05-15 Thread Michael Heydon

Jack Lauman wrote:

> snip
>
> I compared the open files with one computer in Lacerte vs. two
> computers in Lacerte and noticed one thing peculiar: when one computer
> is using Lacerte, all files are opened with exclusive+batch oplocks
> including Data1i07.dbf, however when 2 computers are running Lacerte, a
> few files open without oplocks, notably data1i07.dbf.

I'm assuming that both users need to write to these files? Maybe I'm 
missing something but this seems to be entirely expected behaviour.
Oplocks allow a client to cache data rather than having to constantly 
sync to the server, obviously if there is more than one client doing 
this things break.

You could use fake oplocks to grant oplocks to all clients, but unless 
the application is designed for it (which I doubt it is) you will just 
wind up corrupting your data.

If the application is regularly opening and closing files (and therefore 
possibly being granted oplocks and then having them broken) you might 
find that performance improves by disabling oplocks altogether (well, 
performance for multiple users, performance for a single user would suffer).

> snip I've attached both files to this message.  Any help in 
> resolving this matter would be greatly appreciated.

I think the list strips non-text attachments, so no excel file. Not that 
I think it's terribly important since it sounds like your system is 
working exactly as it should.

> Thanks,
>
> Jack Lauman




*Michael Heydon - IT Administrator *


Re: [Samba] creating a master share

2008-05-15 Thread Michael Heydon


sharif islam wrote:

> On Tue, May 13, 2008 at 6:52 PM, Michael Heydon [EMAIL PROTECTED] wrote:
> []
>
>> snip
>>
>> Or you can use the above force group option to access the files as a group
>> that does have access.
>
> Well, the problem is, each folder (such as /www/share1, /www/share2)
> already has a group associated with it. If I change the linux
> permission in the /www/ level, that would create problems for the rest
> of the groups.
>
> --s

I guess that brings you back to "You can use ACLs".

*Michael Heydon - IT Administrator *


Re: [Samba] monitoring file access levels?

2008-05-15 Thread Michael Heydon

Charles Marcus wrote:

I sure would like to find a *reliable* way to disable ONLY USB STORAGE
devices, but allow things like keyboards and mice...

  
What have you tried that is unreliable? There are a lot of write ups on 
various ways of disabling the usbstor driver, I haven't tried them 
myself but I have heard of people using them successfully.


Also I believe Vista has some new stuff related to disabling usb 
storage, although I think it relies on AD GPOs.


*Michael Heydon - IT Administrator *


Re: [Samba] monitoring file access levels?

2008-05-14 Thread Michael Heydon

Sorry, missed the list.


There is already an audit VFS module. I don't think it will do quite
what you want, but I think it would be a better place to start than the
standard log files.

You aren't going to prevent access once they reach some limit are you?
you are just going to email the boss or something? (I would hate to be
working on some big project, hit the limit and find myself unable to
save all my work).

Also, things like Windows' search for words in a file tool will
basically transfer everything to the client machine, so just remind him
that monitoring traffic alone is a poor indicator of what is going on.
Would it be possible to disable USB storage devices and CD/DVD burners
so they can't get the data onto removable media instead?

Carl Brewer wrote:

> I've got a paranoid client who has a samba server on a small LAN who 
> wants to know if and when any of his employees 'transfer' (read, copy 
> off etc) any more than a certain threshold of data a day from the 
> server, I think he's worried that some employee may grab a lot of 
> stuff off the server and then share it with his competition.  I tried 
> to explain that this wasn't a very good solution to that problem, but 
> to no avail.  So I'm going to try and give him what he wants.  The 
> only way I can think to do it is to knock up some script that parses 
> smb log files and reports on them by file access and username.
>
> Before I do it, has it already been done?  I don't want to re-invent a 
> wheel if I can avoid it?
>
> Thankyou
>
> Carl



*Michael Heydon - IT Administrator *
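
A per-user, per-day report of the kind asked about in the thread above, built on audit-module output instead of the standard smbd log. This is an added example, not part of the original thread; the pipe-delimited line layout (user|client|operation|status|flag|path behind an smbd_audit syslog tag) is an assumption, and every host, user and path in the sample is constructed.

```python
import re
from collections import defaultdict

# Syslog prefix, then "user|client|operation|status|flag|path" (assumed layout).
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<dom>\d{1,2}) \d\d:\d\d:\d\d \S+ "
    r"smbd_audit: (?P<body>.*)$"
)


def parse_line(line):
    """Return a dict for one audited open(), or None for any other line."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    # maxsplit keeps any '|' inside the file name in the last field
    fields = match.group("body").split("|", 5)
    if len(fields) != 6 or fields[2] != "open":
        return None
    user, client, _op, status, flag, path = fields
    return {
        "day": "%s %02d" % (match.group("month"), int(match.group("dom"))),
        "user": user,
        "client": client,
        "ok": status == "ok",
        "read": flag == "r",
        "path": path,
    }


def summarise(lines):
    """Map (day, user) -> distinct files opened for reading, plus denials."""
    summary = defaultdict(lambda: {"files": set(), "denied": 0})
    for line in lines:
        event = parse_line(line)
        if event is None or not event["read"]:
            continue
        entry = summary[(event["day"], event["user"])]
        if event["ok"]:
            entry["files"].add(event["path"])  # repeat opens count once
        else:
            entry["denied"] += 1
    return dict(summary)


def over_threshold(summary, max_files):
    """Return sorted (day, user, count) where distinct files > max_files."""
    hits = [(day, user, len(entry["files"]))
            for (day, user), entry in summary.items()
            if len(entry["files"]) > max_files]
    return sorted(hits)


# Constructed sample log; none of these lines come from a real server.
SAMPLE_LOG = """\
May 14 09:01:12 fs1 smbd_audit: alice|10.0.0.21|open|ok|r|/srv/projects/plan.doc
May 14 09:01:15 fs1 smbd_audit: alice|10.0.0.21|open|ok|r|/srv/projects/budget.xls
May 14 09:01:15 fs1 smbd_audit: alice|10.0.0.21|open|ok|r|/srv/projects/budget.xls
May 14 09:02:40 fs1 smbd_audit: bob|10.0.0.22|open|ok|w|/srv/projects/notes.txt
May 14 09:03:02 fs1 smbd_audit: alice|10.0.0.21|open|ok|r|/srv/clients/list|2008.csv
May 14 09:03:09 fs1 smbd_audit: alice|10.0.0.21|open|fail (Permission denied)|r|/srv/hr/pay.xls
May 14 09:04:51 fs1 smbd_audit: alice|10.0.0.21|open|ok|r|/srv/clients/quotes.doc
May 14 09:05:00 fs1 smbd[4321]: unrelated daemon message
May 15 08:30:10 fs1 smbd_audit: bob|10.0.0.22|open|ok|r|/srv/projects/plan.doc
"""

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG.splitlines())
    for day, user, count in over_threshold(report, max_files=3):
        denied = report[(day, user)]["denied"]
        print("%s %s read %d distinct files (%d denied)" % (day, user, count, denied))
```

The sample lines carry no byte counts, so the report counts distinct files opened for reading, which is a proxy for volume and subject to the same caveat about search tools raised in the reply.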


Re: [Samba] HowTo clear a share using smbclient ?

2008-05-14 Thread Michael Heydon
This seems a bit Rube Goldberg to me, you have direct access to the file 
system, why not use it?

If you are really worried that rm -rf /full/path/to/directory might 
somehow morph into rm -rf / you could do something like:

su nobody -c "rm -rf /full/path/to/directory"

In the event that it did try to delete / it would be limited to files 
writable by nobody.

I understand being cautious around rm -rf especially when running as 
root, but I think testing and being careful are a better solution than 
using samba to limit access.

Jon Wilson wrote:

> Good Evening,
>
> I was wondering if anyone knows how to clear a share on a server using
> a command line interface ?
>
> Basically I have a [public] share that I would like cleared down every
> night, I've worked out that
>
> smbclient //apps-srv/public -N -c "del *" > /var/log/samba_public_delete.log 2>&1
>
> seems to go most of the way to doing what I want - however it doesn't
> delete subdirectories. Is there any easy way to accomplish this ?
>
> I prefer the idea of running this rather than a 'rm -rf' from the
> command line as I can script this and as it's a public share the
> possibility of deleting anything else is pretty minimal.
> I've seen a few examples of wayward rm command in crons to be wary of
> doing that !
>
> Any ideas how I could accomplish this ?
>
> Many Thanks
>
> Jon
  





Re: [Samba] Samba as nonroot

2008-05-13 Thread Michael Heydon

[EMAIL PROTECTED] wrote:

> Hi,
>
> I'm trying to run samba as a non-root user and I was wondering if this is
> even possible

No, it's not.

> and if not what is preventing it from being ran as a normal
> user??

You couldn't bind to privileged ports would be the big one. You might be 
able to modify the source so it runs on different ports (although that 
would mean windows systems couldn't connect, you might be able to coax 
another samba machine into it), you would then have issues with 
permissions (you couldn't suid/sgid to the connecting user).


*Michael Heydon - IT Administrator *


Re: [Samba] creating a master share

2008-05-13 Thread Michael Heydon

sharif islam wrote:

> snip
> I tried this but gave read-only access. Also in the linux level, I
> don't have this master group as the owner. Any idea?

If the users don't have write access at the unix level, they won't get 
write access through samba.

You can use ACLs to grant them write access.

> [master share]
> comment = All of WWW read/write access
> path = /www
> valid users = @DOMAIN\My master group
> write list =  @DOMAIN\My master group
> force group = My Master group

Or you can use the above force group option to access the files as a 
group that does have access.

> read only = No
> create mask = 0775
> directory mask = 0775



*Michael Heydon - IT Administrator *


Re: [Samba] File Printer Sharing With Windows98

2008-05-02 Thread Michael Heydon

Bill Diehl wrote:
I have been looking for clear guidance on setting up Samba on 
home network to share files and printers for nearly a year and just 
don't understand how to apply the information.


snip
Thanks,
Bill
  
Have a look at samba by example, since you are using win98 you won't 
want anything fancy, you should be able to make a working config in less 
than 10 lines (more if you add more shares obviously). The first chapter 
has a 7 line example that should be enough to get you up and running.


*Michael Heydon - IT Administrator *


Re: [Samba] Re: using samba as nfs server replacement?

2008-04-27 Thread Michael Heydon

Helmut Hullen wrote:

Hallo, Michael,
  
snip

If we assume that cifs unix
extensions can be made to work, I could bring in my laptop which
contains a SUID root binary and mount it to my workstation.



But (regarding my error correction): you always can set the SUID flag on
your laptop's mount.cifs!


The server has to decide whether it will accept the mount try.
  
Sorry, maybe I wasn't clear. If I bring in my laptop that is set up as a 
samba server, then I could, for example, put a copy of bash on a share 
on my laptop and make the bash binary SUID root (because of course, I 
have root on my laptop). If I can then get my workstation to mount a 
share from my laptop, I can run that copy of bash from the network share 
and gain full root access to the workstation.


Sudo would probably offer a way around this.


Viele Gruesse!
Helmut
  



*Michael Heydon - IT Administrator *
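
The SUID-binary-on-a-share scenario described above only works if the client honours set-user-ID bits on that mount, which the `nosuid` mount option switches off. As an added example (not part of the original thread), this lists network mounts that lack `nosuid`; the sample mount table, its host names and paths are constructed.

```shell
#!/bin/sh
# Added example: list network mounts on which set-user-ID bits are honoured.
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Print "mountpoint fstype" for every cifs/smbfs/nfs mount lacking nosuid.
suid_capable_net_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        case "$fstype" in
            cifs|smbfs|nfs|nfs4) ;;
            *) continue ;;
        esac
        # Wrap in commas so "nosuid" only matches a whole option.
        case ",$opts," in
            *,nosuid,*) ;;
            *) printf '%s %s\n' "$mnt" "$fstype" ;;
        esac
    done
}

# Constructed sample in /proc/mounts format (hosts and paths are made up).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
//laptop/share /mnt/laptop cifs rw,relatime,username=user1 0 0
//apps-srv/public /mnt/public cifs rw,nosuid,nodev,noexec 0 0
nas:/export /mnt/nas nfs4 rw,relatime 0 0'

audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | suid_capable_net_mounts
}

audit_sample
# On a live Linux system: suid_capable_net_mounts < /proc/mounts
```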


Re: [Samba] question, pdc bdc on diferent subnet

2008-04-27 Thread Michael Heydon

Maximo Mosalvo wrote:
Hi, is it possible to configure a samba pdc server in a central office and 
3 bdc in branch offices united by vpn, one connection with openvpn, 
and in 4 different subnets?


What is your password backend? I am doing this using LDAP, I put an LDAP 
slave on the BDC and it works fine. I'm not sure how other backends 
would handle synchronisation and lost communication between servers.


saludos
Maximo Monsalvo




*Michael Heydon - IT Administrator *


[Samba] Re: using samba as nfs server replacement?

2008-04-24 Thread Michael Heydon

Pakorn Chutinimitkul wrote:

Hi again,

I updated Samba on both client and server to 3.0.28a. Client is 
openSuSE 10.2. Server is Debian Lenny.  I noticed that newly created file's
ownership will be changed to username that is used when mounting CIFS volume 
(under -o username=xxx,password=xxx) and the permission will be
changed to what specified under samba configuration.
Anyone who can log into the client can see the contents of fstab (and 
therefore your passwords), consider using a credentials file chmod'ed to 
600.



 Here's my config

[global]
snip
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 
SO_SNDBUF=8192
  
Unless you have a good reason to be messing with the buffer sizes, 
don't. Modern OS's have perfectly good defaults, don't cripple them by 
using custom settings that were good 5 (10?) years ago.

snip

[testvolume1]
comment = CIFS Mount
path = /mnt/disk1
valid users = @users
admin users = @root
write list = @users
read only = No
hosts allow = 192.168.0.0/255.255.255.0
  
This is OK-ish. The write list is pointless since the share is not read 
only. Do you really need the admin users setting? I'm sure there are 
situations where it is required, but I have never seen one personally 
and I can think of situations where it would cause problems.


All in all, there doesn't seem to be too much wrong with this setup.

snip


Now for every file created by users logged into that machine, the ownership is 
changed to machine1 automatically. Is there any way to solve
this problem? Thank you very much!

Pakorn
snip
Can you send the output of mount (with the password removed if you so 
wish)?


*Michael Heydon - IT Administrator *
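
A check for the fstab exposure mentioned above, as an added example that is not part of the original post: it flags cifs entries with an inline `password=` and `credentials=` files that group or others can access. The sample fstab, the server name and the temporary file paths are constructed.

```shell
#!/bin/sh
# Added example: flag cifs fstab entries that expose a password.

# audit_cifs_fstab FSTAB -> one finding per line: "<mountpoint>: <problem>"
audit_cifs_fstab() {
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in '#'*|'') continue ;; esac   # skip comments and blanks
        [ "$fstype" = cifs ] || continue
        cred=''
        old_ifs=$IFS; IFS=,                        # split options on commas
        for opt in $opts; do
            case "$opt" in
                password=*|pass=*) echo "$mnt: password stored inline in fstab" ;;
                credentials=*|cred=*) cred=${opt#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file missing"
        # Characters 5-10 of the ls mode string are the group/other bits.
        elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
            echo "$mnt: credentials file accessible by group or others"
        fi
    done < "$1"
}

# Constructed demo: a temporary fstab and two credentials files.
demo() {
    d=$(mktemp -d)
    printf 'username=machine1\npassword=example\n' > "$d/good.cred"
    cp "$d/good.cred" "$d/loose.cred"
    chmod 600 "$d/good.cred"; chmod 644 "$d/loose.cred"
    cat > "$d/fstab" <<EOF
# constructed sample entries
//server/testvolume1 /mnt/a cifs username=machine1,password=example 0 0
//server/testvolume1 /mnt/b cifs credentials=$d/loose.cred 0 0
//server/testvolume1 /mnt/c cifs credentials=$d/good.cred,nosuid 0 0
/dev/sda1 / ext4 defaults 0 1
EOF
    audit_cifs_fstab "$d/fstab"
    rm -rf "$d"
}
demo
```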


Re: [Samba] Re: using samba as nfs server replacement?

2008-04-24 Thread Michael Heydon

Helmut Hullen wrote:

Hallo, Pakorn,
snip
You may set the SUID flag for mount.cifs and umount.cifs on the  
server.
  
That could be a security hazard. If we assume that cifs unix extensions 
can be made to work, I could bring in my laptop which contains a SUID 
root binary and mount it to my workstation.

Viele Gruesse!
Helmut
  


The mount output looks OK to me. How old is the client's kernel (sorry, 
I'm not familiar with distro version numbers/names)? Does it have CIFS 
Posix support built in (or the relevant modules loaded)?


*Michael Heydon - IT Administrator *


Re: [Samba] using samba as nfs server replacement?

2008-04-23 Thread Michael Heydon

Pakorn Chutinimitkul wrote:

Hi,

snip
1. How to make Samba store the ownership of the file? Afaik Samba 
changes ownership of the file to the connected user. Our storage relies
on uid/gid a lot.

2. Can Samba obey umask settings? Apart from changing values in create 
mask ?
  
Recent versions of samba will automatically figure out that they are 
talking to a unix client (as long as the client is recent as well) and 
enable the CIFS unix extensions. Permissions, ownership, symlinks, etc 
should Just Work(tm).



If anyone could point me to any resource, that would be greatly 
appreciated.

Thank you!
Pakorn
  



*Michael Heydon - IT Administrator *


Re: [Samba] Windows shortcuts and permissions

2008-04-21 Thread Michael Heydon

Toni Casueps wrote:

I have lots of LNK files in a Samba share, which users have been creating for 
some time. Now we have set different permissions to folders and some of the 
shortcuts don't work because of that.
I have read that mount --bind can be used to give access to a forbidden folder 
to someone, but this can only be done by root and in the command-line.
Is there a way to accomplish this with a graphical tool or something like that?

  
mount --bind can be used to mount a directory to another location. I 
guess it might be possible to use it to work around your security 
problems, but it is rather hackish.


If someone needs access to a directory, but can't get it because they 
don't have access to the parent then either they should have access to 
the parent, or the subdirectory is in the wrong place.


In the long run you would be far better off reorganising things so that 
each directory is in the right place and people have the correct 
permissions rather than creating binds all over the place to work around 
a poor file system layout.


-- Michael Heydon


[Samba] OT: Vista NTConfig.POL

2008-04-21 Thread Michael Heydon
This isn't technically a samba question, but I figure there will be 
other samba users out there in the same boat.


I have just set up the first Vista box on our samba domain and I am 
having some trouble with policies (they don't get applied).


I have had a look around and there is a lot of talk about the adm-admx 
change, etc but I haven't seen anyone say that anything needs to change 
in NTConfig.POL. In fact, there has been relatively little mention of 
NTConfig at all. Does Vista still support NT4 style policies?


If not, what have others done to work around this? I guess I could push 
out .reg files through login scripts but I believe that might trigger 
UAC, any other suggestions?


--
*Michael Heydon - IT Administrator *


Re: [Samba] profiles limited to certain hosts

2008-04-14 Thread Michael Heydon

Andreas Moroder wrote:

Hello,

according to the official howto, it is only possible to enable or 
disable the profiles for all clients. Does anyone know what happens if 
I enable the profiles, but limit the hosts that can access this share 
with hosts allow ? Could this be a solution ?


Thanks
Andreas



The user will be logged in with a temporary profile, any changes to the 
profile will be lost when they log out.


Are some of the hosts off site or something?

*Michael Heydon - IT Administrator *


Re: [Samba] Re: Samba / LDAP / Idmap

2008-04-14 Thread Michael Heydon

Anand Kumria wrote:

Hi Adam,

On Mon, 14 Apr 2008 08:32:31 -0500, Adam Williams wrote:

snip
Here is what I have (on one Linux server):
 - OpenLDAP
 - Samba 3.0, user data stored in LDAP
 - local Unix users / groups resolved via LDAP

I have added another Linux machine and local Unix users / groups are 
resolved via LDAP. I now want to have Samba on this additional machine 
also reference the existing directory information.


Should I be running winbindd in this situation?
  
Not really, winbind is used for things like a samba server 
authenticating against a Windows server and NTLM authentication.


You can just make the second box look at the ldap server on the first, 
or if you like, run an ldap slave on the second machine for redundancy 
and have samba look at that.



Thanks,
Anand

  



*Michael Heydon - IT Administrator *

