Re: [Samba] [3.6.8] XP fails with error 1326

2013-10-08 Thread Dale Schroeder
Here's the official wiki page: 
http://wiki.samba.org/index.php/Public_Samba_Server


It looks like you've done what the page says.  If that is the case, then 
you will have to look for some other oddity.


Dale


On 10/08/2013 6:09 AM, Winfried wrote:

By editing log level to 2, log.smbd now says Authentication for user
[fred] - FAILED with error NT_STATUS_NO_SUCH_USER.

I read that Samba is able to share files with anonymous users, where all
users will be treated as nobody: If this is indeed possible, what do I need
to do?

Here's my smb.conf at this point:
===
[global]
workgroup = WORKGROUP
encrypt passwords = yes
;wins support = yes
log level = 2
;max log size = 1000
;read only = no
guest account = nobody
security = user
map to guest = Bad User

;[homes]
;browsable = no
;map archive = yes

[test]
path = /tmp
browsable = yes
read only = yes
guest ok = yes

;Still get ERR 5
;public = yes

;Err 6118: List of servers for workgroup not currently available
force user = nobody
===

Thank you.



--
View this message in context: 
http://samba.2283325.n4.nabble.com/3-6-8-XP-fails-with-error-1326-tp4654631p4654676.html
Sent from the Samba - General mailing list archive at Nabble.com.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Help troubleshooting find_domain_master_name_query_fail on SMB v4?

2013-09-09 Thread Dale Schroeder

Several things you could try.

1. Set in [global] domain master = yes
2. Use either wins support or wins server, but not both. Based on 
what you have in interfaces, if this system is to be the wins server, 
then use wins support = yes and eliminate the wins server parameter.

3. Check for firewall / selinux / apparmor issues.

Also it is no longer recommended to use the socket options directive.
For a standalone server, you do not need any of the idmap or logon 
parameters.  There are probably others you could eliminate, but these are 
the most obvious.


Dale


On 09/07/2013 6:35 PM, d...@sent.com wrote:

I'm running

smbd -V
Version 4.1.0rc2-3.1-3075-SUSE-oS12.3-x86_64

This is a standalone server, and the only SMB/CIFS instance on my LAN.

On launch, I see the following find_domain_master_name_query_fail
error in logs.

I can't track down what I've managed to do wrong; pointers appreciated.

== log.nmbd ==
[2013/09/07 16:21:41,  2]
../source3/nmbd/nmbd_elections.c:42(send_election_dgram)
  send_election_dgram: Sending election packet for
  workgroup WORKGROUP on subnet 192.168.1.202
[2013/09/07 16:21:41,  2]
../source3/nmbd/nmbd_elections.c:205(run_elections)
  run_elections:  Won election for workgroup
  WORKGROUP on subnet 192.168.1.202 
[2013/09/07 16:21:41,  2]

../source3/nmbd/nmbd_become_lmb.c:538(become_local_master_browser)
  become_local_master_browser: Starting to become a
  master browser for workgroup WORKGROUP on subnet
  192.168.1.202
[2013/09/07 16:21:49,  0]

../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
  *

  Samba name server test is now a local master browser
  for workgroup WORKGROUP on subnet 192.168.1.202

  *
[2013/09/07 16:21:49,  0]

../source3/nmbd/nmbd_browsesync.c:354(find_domain_master_name_query_fail)
  find_domain_master_name_query_fail:
  Unable to find the Domain Master Browser name
  WORKGROUP1b for the workgroup WORKGROUP.
  Unable to sync browse lists in this workgroup.


Checking

smbclient -N -L test
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.0rc2-3.1-3075-SUSE-oS12.3-x86_64]

Sharename       Type      Comment
---------       ----      -------
testSHARE       Disk
IPC$            IPC       IPC Service (Samba 4.1.0rc2-3.1-3075-SUSE-oS12.3-x86_64)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.0rc2-3.1-3075-SUSE-oS12.3-x86_64]

Server               Comment
---------            -------
test                 Samba 4.1.0rc2-3.1-3075-SUSE-oS12.3-x86_64

Workgroup            Master
---------            -------
WORKGROUP            test


My smb conf is

cat /etc/samba/smb.conf

[global]
interfaces = 192.168.1.202/255.255.252.0
smb ports = 137 138 139 445
bind interfaces only = yes
hosts allow = 192.168.1. 127.0.0.1 localhost
hosts deny = all

max connections = 5
max xmit = 32767
strict sync = no
sync always = no
strict locking = no
keepalive = 300
wide links = yes
getwd cache = yes
use sendfile = true

netbios name = test
workgroup = WORKGROUP
*wins support = yes
wins server = 192.168.1.202*
local master = yes
preferred master = yes
os level = 65
name resolve order = wins bcast

security = user
encrypt passwords = yes
passdb backend = tdbsam
map to guest = Bad User
username map = /etc/samba/username_map.conf

*idmap config * : backend = tdb2
idmap config * : range = 100-200

logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:*
usershare allow guests = no

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
printcap cache time = 0

log file = /var/log
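
The checks listed in the reply above (domain master, wins support versus wins server, socket options, leftover idmap/logon parameters on a standalone server), run over a smb.conf as an added example; this is not code from the thread or from the Samba project. The finding names, the standalone heuristic and the sample file are assumptions constructed here.

```python
import re

# Constructed sample: a trimmed copy of the [global] section quoted in the
# thread, with the e-mail emphasis asterisks removed.
SAMPLE_CONF = r"""
[global]
interfaces = 192.168.1.202/255.255.252.0
netbios name = test
workgroup = WORKGROUP
wins support = yes
wins server = 192.168.1.202
local master = yes
preferred master = yes
security = user
; socket options = TCP_NODELAY
idmap config * : backend = tdb2
idmap config * : range = 100-200
logon path = \\%L\profiles\.msprofile
logon drive = P:
"""

TRUE_WORDS = {"yes", "true", "on", "1"}


def norm(name):
    """Lower-case a section or parameter name and collapse its whitespace."""
    return re.sub(r"\s+", " ", name.strip().lower())


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    # Parameters that appear before any header are filed under "global" here.
    conf, section, carry = {}, "global", ""
    for raw in text.splitlines():
        line = carry + raw.strip()
        if line.endswith("\\"):          # trailing backslash continues the line
            carry = line[:-1]
            continue
        carry = ""
        if not line or line[0] in ";#":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = norm(header.group(1))
            continue
        if "=" in line:
            name, value = line.split("=", 1)
            conf.setdefault(section, {})[norm(name)] = value.strip()
    return conf


def is_true(value):
    """True when a parameter is present and holds an affirmative boolean."""
    return value is not None and value.strip().lower() in TRUE_WORDS


def looks_standalone(g):
    """Heuristic (an assumption of this example): user-level security,
    no domain logons, and no explicit non-standalone server role."""
    role = g.get("server role", "auto").lower()
    return (g.get("security", "user").lower() == "user"
            and not is_true(g.get("domain logons"))
            and role in ("auto", "standalone", "standalone server"))


def check_global(conf):
    """Return a list of (finding_id, message) for the [global] section."""
    g = conf.get("global", {})
    findings = []
    if not is_true(g.get("domain master")):
        findings.append(("domain-master", "domain master is not set to yes"))
    if is_true(g.get("wins support")) and g.get("wins server"):
        findings.append(("wins-conflict",
                         "wins support and wins server are both set; keep one"))
    if "socket options" in g:
        findings.append(("socket-options",
                         "socket options is set; the reply advises against it"))
    extras = sorted(k for k in g if k.startswith(("idmap ", "logon ")))
    if extras and looks_standalone(g):
        findings.append(("standalone-extras",
                         "not needed on a standalone server: " + ", ".join(extras)))
    return findings


if __name__ == "__main__":
    for finding_id, message in check_global(parse_smb_conf(SAMPLE_CONF)):
        print(f"{finding_id}: {message}")
```

testparm remains the authoritative parser for a real configuration; this sketch only mirrors the checklist in the reply.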

Re: [Samba] samba 4 and roaming profiles

2013-08-13 Thread Dale Schroeder
Jerry Carter provided this example long ago when Vista first started the 
v2 profile.  It might still be viable in Samba4.


https://lists.samba.org/archive/samba-technical/2007-April/053054.html

Dale

On 08/13/2013 9:09 AM, L.P.H. van Belle wrote:

Hai,

Profiles of XP and Win7(8) are different and should NOT be in the same folder.
This is why you have a V2 profile folder and this is NOT the username folder.
You can redirect desktop / documents / userhome to the same point.
but not the profile folder.





-----Original message-----
From: i...@antonellofacchetti.it
[mailto:samba-boun...@lists.samba.org] On behalf of antonello
Sent: Tuesday 13 August 2013 14:33
To: samba@lists.samba.org
Subject: [Samba] samba 4 and roaming profiles

I've just setup a samba4 system (zentyal) to act as authentication and
file server in a mixed lan (windows and linux clients).
The problem is that my linux pcs and windows winxp clients point to a
username folder on the server, while the windows7 clients point to a
username.V2 folder.
This is an issue due to the different types of roaming profiles in
different windows versions (xp & 7).
So I need a workaround to make the windows7 clients point to
username folders.

TIA
Antonello



Re: [Samba] Suggestions testing Samba 4 on same subnet as Standalone Samba 3 Server

2013-07-30 Thread Gary Dale

On 30/07/13 04:27 PM, Mike wrote:

My network currently has the following server running Samba 3 as a
standalone server to 50 client boxes: Linux a1 2.6.35.7 #3 SMP Samba
Version 3.5.6. Currently, no true NT Domain Controller, in Windows speak -
it's a Workgroup only.

I have another server that I want to configure to use Samba 4 as an Active
Directory Domain Controller and file server: Linux a10 3.7.10-gentoo-r1 #1
SMP Samba Version 4.0.4.

I only have one subnet and cannot disrupt the users, but have read the
following concerns on the Samba wiki: Make sure you thoroughly test your
conversion and how your clients react before you activate your new server
in your production environment! Once a Windows client finds and connects to
the new server, it is not possible to go back!

Also, it is necessary to do testing on a separate network so that the old
and new domain controllers don't clash. The issues with having both domains
'live' at the same time are:

The databases are not synchronised after the initial migration
Even if no changes are made to the DB, clients which see an AD DC will no
longer honour NT4 system policies
The new Samba4 PDC and the old DC will both claim to hold the #1b name as
the netbios domain master

The paths to certain files and directories for your Samba3 installation are
often distribution specific (for example, /var/lib/samba vs. /etc/samba).
Please be sure to verify and if necessary, modify paths used in examples
appropriately.

- - - - - -

Has anyone dealt with only having one subnet upon which to configure and
test a new Samba 4 server in the presence of a currently active Samba 3
server?

I was thinking maybe the simplest way would be to make an iptables firewall
on the Samba 4 server -- allowing connections from only one particular
address on the subnet and use that one address for a client box to test on.

Possible iptables rule (allowing one client address, blocking all others on
subnet):
iptables -t filter -A INPUT -i eth0 -s 192.168.1.200 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 ! -s 192.168.1.200 -j DROP

Would this be adequate to separate the Samba 4 server from others on the
LAN?


You're way overthinking this. Just give the new server an IP address 
that is on a different subnet. e.g. if your current server is 
192.168.1.10/24, give your new server 192.168.2.10/24.


Secondly, since you don't have an NT domain, the differences between it 
and AD are not relevant. What you will find is the difference between a 
workgroup and a domain. This involves the logins and roaming profiles.


What really doesn't change much are the file shares, although you can 
now simplify them by setting sharing according to domain group rather 
than individual ids.


An even simpler way is to simply NOT use a separate subdomain. Set up 
the new server as the domain controller for the group. Leave the files & 
printers on the old server. Once all the clients have been switched from 
the workgroup to the domain, move the files and printers over to the new 
server, shut down the old one, then create an alias for the old server 
on the new one. This way, there are no more changes required on the 
clients. If a problem is identified, you can simply remove the alias and 
bring the old server back.


Of course, you can convert the individual workstations to use the new 
server name at your leisure so that you can eventually remove the alias. 
However this is not necessary. In fact, if you later replace the new 
server, the replacement can assume the old name so that the alias isn't 
needed any more.




Re: [Samba] Unable to connect to Samba server, but it shows on the network

2013-07-12 Thread Dale Schroeder

Being Fedora, 1st check selinux configuration:

https://wiki.samba.org/index.php/Samba_Troubleshooting

Dale


On 07/11/2013 9:47 PM, renito73 Михаил wrote:

  Hello friends

I am trying to setup Samba on my Fedora 19 installation, but it does not work... although 
smbclient -L myserver shows my shares, I can't access any of them from other 
computers and even from the same server, it returns an error that could not connect to 
the server...

My very simple configuration is this (my computer has fixed IP)

[global]
 workgroup = MYGROUPNAME
 server string = Samba Server Version %v

 # log files split per-machine:
 log file = /var/log/samba/log.%m
 # maximum size of 50KB per log file, then rotate:
 max log size = 50

 security = user
 passdb backend = tdbsam

 load printers = yes
 cups options = raw

[tmp]
comment = temporal files
path = /tmp
public = yes
writable = yes
printable = no

[mp3]
comment = my data files
path = /mydatafiles
public = yes
writable = no
printable = no


I start the service by running

# smbd -D
# nmbd -D

then the logs show:

log.nmbd:
-
[2013/07/11 21:11:47,  0] ../source3/nmbd/nmbd.c:883(main)
   nmbd version 4.0.7 started.
   Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/07/11 21:12:20,  0] 
../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
   *
   Samba name server MYSERVER is now a local master browser for workgroup 
MYGROUPNAME on subnet 192.168.1.20
   *

log.smbd:
-[2013/07/11 21:11:45,  0] ../source3/smbd/server.c:1200(main)
   smbd version 4.0.7 started.
   Copyright Andrew Tridgell and the Samba Team 1992-2012

When I try:

# smbclient -L myserver (the name of my computer)

Anonymous login successful
Domain=[MYGROUPNAME] OS=[Unix] Server=[Samba 4.0.7]

 Sharename       Type      Comment
 ---------       ----      -------
 tmp             Disk      temporal files
 mp3             Disk      mp3 music
 IPC$            IPC       IPC Service (Samba Server Version 4.0.7)
Anonymous login successful
Domain=[SORCERY] OS=[Unix] Server=[Samba 4.0.7]

 Server               Comment
 ---------            -------
 MYSERVER             Samba Server Version 4.0.7

 Workgroup            Master
 ---------            -------
 MYGROUPNAME          MYSERVER


 From windows computers, it shows on the network, from Linux (dolphin browser) 
it does not show but calling 'smbclient -L myserver' it shows the shared 
directories... how can I allow other computers to connect? and how can I allow 
my local computer see its own shares?

Thanks for your help





Re: [Samba] Win8 account sees its home share, but does not have permissions to access

2013-07-04 Thread Dale Schroeder
Being a Debian user, I don't have to deal with selinux; I've got a whole 
different set of problems. That being said, the 1st topic under 
troubleshooting in the Samba wiki is selinux.


https://wiki.samba.org/index.php/Samba_Troubleshooting

Hopefully, you'll find something in there to help you.


On 07/03/2013 1:50 PM, Mark Galeck wrote:

how do I check this?


On Wed, Jul 3, 2013 at 7:18 AM, Dale Schroeder 
d...@briannassaladdressing.com wrote:


This being a Red Hat derivative, is selinux configured to allow this?



On 07/02/2013 2:54 PM, Mark Galeck wrote:


Fedora release 17 (Beefy Miracle)


On Tue, Jul 2, 2013 at 12:16 PM, Ricky Nance ricky.na...@gmail.com
wrote:

  Mark, which distro are you running?


On Tue, Jul 2, 2013 at 2:00 PM, Mark Galeck m...@xpliant.com wrote:

  Can you log into the linux machine with the user mark and write files to

/home/mark without issue?

Certainly. I don't know Samba, but I do know Unix/Linux and as far as I
can tell, everything on Linux is working fine, as well as on the
Windows 8
side.

  What is the output of smbclient //localhost/homes -Umark -d5 (then at a
smb:\ do ls)

??  Command not found - I can't execute this on Linux.  I use


/bin/systemctl status smb.service


to get status


On Tue, Jul 2, 2013 at 11:52 AM, Ricky Nance ricky.na...@gmail.com

wrote:

  Can you log into the linux machine with the user mark and write files

to
/home/mark without issue? What is the output of smbclient
//localhost/homes
-Umark -d5 (then at a smb:\ do ls). Just a couple of things I would
look
at\try.

Ricky









Re: [Samba] Win8 account sees its home share, but does not have permissions to access

2013-07-03 Thread Dale Schroeder

This being a Red Hat derivative, is selinux configured to allow this?


On 07/02/2013 2:54 PM, Mark Galeck wrote:

Fedora release 17 (Beefy Miracle)


On Tue, Jul 2, 2013 at 12:16 PM, Ricky Nance ricky.na...@gmail.com wrote:


Mark, which distro are you running?


On Tue, Jul 2, 2013 at 2:00 PM, Mark Galeck m...@xpliant.com wrote:


Can you log into the linux machine with the user mark and write files to

/home/mark without issue?

Certainly. I don't know Samba, but I do know Unix/Linux and as far as I
can tell, everything on Linux is working fine, as well as on the Windows 8
side.


What is the output of smbclient //localhost/homes -Umark -d5 (then at a

smb:\ do ls)

??  Command not found - I can't execute this on Linux.  I use

/bin/systemctl status smb.service

to get status


On Tue, Jul 2, 2013 at 11:52 AM, Ricky Nance ricky.na...@gmail.comwrote:


Can you log into the linux machine with the user mark and write files to
/home/mark without issue? What is the output of smbclient //localhost/homes
-Umark -d5 (then at a smb:\ do ls). Just a couple of things I would look
at\try.

Ricky








Re: [Samba] Win8 account sees its home share, but does not have permissions to access

2013-07-01 Thread Dale Schroeder

Mark,

First verify that the posix permissions are good for your home 
directory: ls -lA /home/mark
If those are good, then I would try removing the hosts allow parameter 
in [global].

If that doesn't work, checking the Samba logs is always a good idea.

Dale

On 06/28/2013 6:03 PM, Mark Galeck wrote:

Hello,

I am a beginner to Samba and I RTFMd carefully but cannot get started.

I want to access my user account mark home directory on Linux, with the
same account name on Windows 8.

The user mark has the same password on Linux and Windows 8.  In addition
I did this on Linux


smbpasswd -a mark

and gave the same password.

Following the manuals on samba website I edited the samba configuration
smb.conf file so:

[global]
 hosts allow = ALL
 client signing = no
 # log files split per-machine:
 log file = /var/log/samba/log.%m
 # maximum size of 50KB per log file, then rotate:
 max log size = 50
 security = user

[homes]
 valid users = %S
 read only = No


and successfully started the samba service.

I can then see mark share on that Linux machine from Windows, I can map
it to a drive letter in Windows Explorer, and I also see this:

[root@v64-sw-dev003-mark /]# smbstatus

Samba version 3.6.12-1.fc17
PID Username  Group Machine
---
14678 mark  mark  mark-pc  (192.168.221.76)

Service  pid machine   Connected at
---
mark 14678   mark-pc   Fri Jun 28 15:56:39 2013

No locked files



This all looks very good to me, as Samba server sees my client with the
correct username, Windows machine name and IP address.


YET, when I actually try to double-click on the share in the Windows
Explorer, I get an error dialog:


Windows cannot access \\192.168.221.32\mark
You do not have permission to access \\192.168.221.32\mark\. Contact your
network administrator to request access.


192.168.221.32 is the Linux machine address.

Please, what am I doing wrong??

Thank you,

Mark





Re: [Samba] cifs mounts fail after kernel upgrade [SOLVED]

2013-06-24 Thread Dale Schroeder

Louis,

Thank you very much.  That fixed it.

I'd also like to ask if you have any insight or workarounds on this 
problem for which I've not received a reply:


https://lists.samba.org/archive/samba/2013-June/173763.html

Dale


On 06/24/2013 6:25 AM, L.P.H. van Belle wrote:

try adding the following.
in the fstab,   add, sec=ntlmv2
and try again.

Louis


-----Original message-----
From: d...@briannassaladdressing.com
[mailto:samba-boun...@lists.samba.org] On behalf of Dale Schroeder
Sent: Friday 21 June 2013 22:14
To: Samba
Subject: [Samba] cifs mounts fail after kernel upgrade

Upgrading Debian testing's linux-image from 3.2.46-1 to 3.9.6-1 causes
cifs mounts via fstab or command line to fail with return code -38
function not implemented.  Reverting back to the old kernel yields
working cifs mounts.  The only option I use is a credentials file.
Attempting the mount without this option does not work either.  Has
anyone else seen this?

Thanks,
Dale


[Samba] cifs mounts fail after kernel upgrade

2013-06-21 Thread Dale Schroeder
Upgrading Debian testing's linux-image from 3.2.46-1 to 3.9.6-1 causes 
cifs mounts via fstab or command line to fail with return code -38 
function not implemented.  Reverting back to the old kernel yields 
working cifs mounts.  The only option I use is a credentials file.  
Attempting the mount without this option does not work either.  Has 
anyone else seen this?


Thanks,
Dale


Re: [Samba] Samba as Domain Member

2013-06-17 Thread Dale Schroeder

I believe you need to add in [global]

winbind enum users = Yes
winbind enum groups = Yes

Dale

On 06/17/2013 9:41 AM, Zane Zakraisek wrote:

I have Samba 4.6.6 running as an ADDC and all is working great. I have a
Samba 3.6.9 File Server that I want to join to the domain. I have gone
through the steps but am having issues.

In my smb.conf file I have added the following
realm = my.domain
security = ads
encrypt passwords = yes

I edited my Kerberos file
[libdefaults]
 default_realm = MY.DOMAIN
 dns_lookup_kdc = true
[realms]
 ZAKRAISEK.COM = {
 kdc = server.my.domain
 }
[domain_realms]
 .kerberos.server = MY.DOMAIN

I installed winbind and edited my nsswitch.conf to add winbind options.

The book that I went off to set this up says to use the idmap uid and idmap
gid options, but to my knowledge these were deprecated a while ago so I did
not include them.

I did net join -U administrator, and it joined fine. If I look in Active
Directory Users and Computers, I can see a computer account created for the
Linux machine.

I ran net ads testjoin, all is good here, no errors
I ran wbinfo -p, all is good here, no errors
I ran wbinfo -t, all is good here, no errors
lastly I ran wbinfo -a MY.DOMAIN\user, typed the password, and everything
worked successfully

The samba book I'm using then says to run getent passwd My.DOMAIN\user
Here is where the error is. I can not seem to get any domain accounts to
work with this command. If I run getent passwd by itself, it displays a
list of all my local accounts on the machine, but no domain ones. Did I
miss a step




Re: [Samba] Samba bug 9615

2013-06-04 Thread Dale Schroeder
I reverted back to 3.6.6 and everything works again.  So, rewording my 
original question, is winbind authentication against a Windows 2000 DC 
deprecated and no longer supported by Samba?


Please note that the reporter of the bug has proposed a patch to get 
this working again.


Thank you for your time.
Dale


On 05/23/2013 11:58 AM, Dale Schroeder wrote:
Debian testing recently released a large version jump update to 
Samba (3.6.6 to 3.6.15).  After the upgrade, winbind no longer works 
which, according to the information in the bug report, is due to 
authentication against a Windows 2000 DC.


https://bugzilla.samba.org/show_bug.cgi?id=9615

Are there any plans to patch this bug, or is winbind against a W2K DC 
forever a nonviable combination?


cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_UNSUCCESSFUL
msrpc_sid_to_name: failed to looKup sids: NT_STATUS_UNSUCCESSFUL

Thanks,
Dale




[Samba] Samba bug 9615

2013-05-23 Thread Dale Schroeder
Debian testing recently released a large version jump update to Samba 
(3.6.6 to 3.6.15).  After the upgrade, winbind no longer works which, 
according to the information in the bug report, is due to authentication 
against a Windows 2000 DC.


https://bugzilla.samba.org/show_bug.cgi?id=9615

Are there any plans to patch this bug, or is winbind against a W2K DC 
forever a nonviable combination?


cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_UNSUCCESSFUL
msrpc_sid_to_name: failed to looKup sids: NT_STATUS_UNSUCCESSFUL

Thanks,
Dale


Re: [Samba] (force) default security mask

2013-05-21 Thread Dale Schroeder
For your situation, would some combination of the inherit parameters 
shown below work better for you than the mode/mask parameters?


Dale


 inherit acls (S)

   This parameter can be used to ensure that if default acls exist on
   parent directories, they are always honored when creating a new file
   or subdirectory in these parent directories. The default behavior is
   to use the unix mode specified when creating the directory. Enabling
   this option sets the unix mode to 0777, thus guaranteeing that
   default directory acls are propagated. Note that using the VFS
   modules acl_xattr or acl_tdb which store native Windows as meta-data
   will automatically turn this option on for any share for which they
   are loaded, as they require this option to emulate Windows ACLs
   correctly.

   Default: inherit acls = no


 inherit owner (S)

   The ownership of new files and directories is normally governed by
   effective uid of the connected user. This option allows the Samba
   administrator to specify that the ownership for new files and
   directories should be controlled by the ownership of the parent
   directory.

   Common scenarios where this behavior is useful is in implementing
   drop-boxes where users can create and edit files but not delete them
   and to ensure that newly created files in a user's roaming profile
   directory are actually owned by the user.

   Default: inherit owner = no


 inherit permissions (S)

   The permissions on new files and directories are normally governed
   by create mask, directory mask, force create mode and force
   directory mode, but the boolean inherit permissions parameter
   overrides this.

   New directories inherit the mode of the parent directory, including
   bits such as setgid.

   New files inherit their read/write bits from the parent directory.
   Their execute bits continue to be determined by map archive, map
   hidden and map system as usual.

   Note that the setuid bit is /never/ set via inheritance (the code
   explicitly prohibits this).

   This can be particularly useful on large systems with many users,
   perhaps several thousand, to allow a single [homes] share to be used
   flexibly by each user.

   Default: inherit permissions = no




On 05/20/2013 3:24 PM, ?icro MEGAS wrote:

That was a type error in my previous post, the line in my smb.conf is of course:

read only = No

Sun 19 May 2013 14:58:39 +0400, ?icro MEGAS wrote:

Hello folks,

Samba 3.5.6 running and I have following share:

[public]
path = /data/public
   read only = No
   create mask = 0777
   directory mask = 0777
directory security mask = 0750
   vfs object = acl_xattr
   nt acl support = yes
   dos filemode = yes

My filesystem ext4 which is mounted to /data supports acl,user_xattr and 
setfacl/getfacl works fine.

ls -ld /data/public shows unix mode 0755 with owner=admin and group=Domain 
Users

All users have full access to the share \\samba\public and therefore are allowed to 
create,modify,delete directories and files. My aim is that I want to have a directory called 
special which is in /data/public/special. Only restricted users and groups are allowed 
full access to this directory, the Domain Users should only be able to have 
read/execute rights, but no write/delete rights on this directory+subdirs.

/data/public has no ACL set. Here's an output of my ACL I have set manually with setfacl on this special directory. Only user 
john and doe and group foobar have full access to this special directory, and Domain 
Users or other should only have read rights.

root@samba:/data/public# getfacl special

# file: special/
# owner: admin
# group: Domain\040Users
user::rwx
user:john:rwx
user:doe:rwx
group::r-x
group:foobar:rwx
mask::rwx
other::---
default:user::rwx
default:user:john:rwx
default:user:doe:rwx
default:group::r-x
default:group:foobar:rwx
default:mask::rwx
default:other::---

When user john, doe or anyone of group foobar creates a new directory 
inside the special dir, it has following modes:

root@samba:/data/public/special ls -l
drwxrwx-wx+ 2 john  Domain Users 4096 19. Mai 12:43 newdir
== This corresponds to unix mode 0773.

The ACL mode looks like that:
# file: newdir
# owner: john
# group: Domain\040Users
user::rwx
user:john:rwx

Re: [Samba] guest share on a security = user server

2013-05-02 Thread Dale Schroeder

Andreas,

This is the place to start:
http://wiki.samba.org/index.php/Frequently_Asked_Questions#guest_access

Dale


On 05/02/2013 7:37 AM, Andreas Moroder wrote:

Hello,

our samba server runs in  security = user mode.
Now I need a share people can connect to, even if they are not in the domain.

I tried this configuration

[open]
comment = Fuer Scripte die via Mcafee gestartet werden
guest only = yes
#security = share
path = /san/san-lacie/abteilungen/allgemein/mcafee
read only = no
writable = no
printable = no
Browseable = No

but it does not work. Windows pops up the logon window or, when I try
to start a script from the console, it tells me (translated from German)
unknown user or wrong password

smbclient asks for a pwd too, but accepts an empty one.

What is wrong in my configuration ?

Thanks
Andreas



Re: [Samba] Fedora 18/ Windows 7 setup issues

2013-04-26 Thread Dale Schroeder

Dave,

Perhaps provide the [global] section and posix permissions of /share.  
I don't see any clues here.


Dale


On 04/26/2013 8:23 AM, Dave Pawson wrote:

I'm having fun getting this pair to talk sweetly together.
So many setup pages around, I'm quite confused.
A new install of samba, clean, just added
a [shares] section
path = /share
read only = no
browseable = yes
valid users = @users
create mask = 0660
directory mask = 0771

Not even sure which site I followed for the win7 (64 bit) setup.

I've had it working ... booted and now it fails to connect,
pc client to server (linux).

Currently working my way through
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
   So far so good.

I note the samba.org docs are 3.0 focused, I'm using the most recent,
not sure if there are any changes which might impact the setup.

All I want is a simple (easy) transfer of files from the win box to
the linux box
(either way would suffice).

Which is the easiest windows 64 setup page please?
Or how to test?

Log isn't currently  telling me much.

# tail -F /var/log/samba/log.smbd
[2013/04/26 11:40:32,  0] ../source3/smbd/server.c:1200(main)
   smbd version 4.0.5 started.
   Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/04/26 11:40:32.035048,  0] ../source3/smbd/server.c:1280(main)
   standard input is not a socket, assuming -D option
[2013/04/26 12:09:26,  0] ../source3/smbd/server.c:1200(main)
   smbd version 4.0.5 started.
   Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/04/26 12:09:26.697060,  0] ../source3/smbd/server.c:1280(main)
   standard input is not a socket, assuming -D option
[2013/04/26 13:43:27.053862,  0] ../lib/util/pidfile.c:153(pidfile_unlink)
   Failed to delete pidfile /run/smbd.pid. Error was No such file or directory
[2013/04/26 13:43:27,  0] ../source3/smbd/server.c:1200(main)
   smbd version 4.0.5 started.
   Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/04/26 13:43:27.084381,  0] ../source3/smbd/server.c:1280(main)
   standard input is not a socket, assuming -D option


Any suggestions please?
remove / re-install samba and start again?

TiA





Re: [Samba] Desperate plea for help with printer share

2013-04-03 Thread Gary Dale

On 01/04/13 07:55 PM, Mark LaPierre wrote:

On 03/30/2013 11:45 PM, Gary Dale wrote:

On 30/03/13 08:38 PM, Mark LaPierre wrote:

Hey Y'all,

I've been trying for months to get samba to share my printer with my
wife's Win XP machine.  I've RTFM, and spent hours on google to no 
avail.


I can't see the printer from Windows so I can't mount it up.  Nothing
appears in the logs.  The file shares work just fine.

It looks like I've got Samba 3.6.9 on this machine:

[mlapier@mushroom samba]$ rpm -qa | grep samba
samba-swat-3.6.9-151.el6.i686
samba-doc-3.6.9-151.el6.i686
samba-client-3.6.9-151.el6.i686
samba-winbind-clients-3.6.9-151.el6.i686
samba-3.6.9-151.el6.i686
samba-common-3.6.9-151.el6.i686
samba-winbind-devel-3.6.9-151.el6.i686
samba-winbind-krb5-locator-3.6.9-151.el6.i686
samba-domainjoin-gui-3.6.9-151.el6.i686
samba-winbind-3.6.9-151.el6.i686
samba4-libs-4.0.0-55.el6.rc4.i686
[mlapier@mushroom samba]$ name
CentOS release 6.4 (Final)
Linux mushroom.patch 2.6.32-358.2.1.el6.i686 #1 SMP Tue Mar 12
21:42:46 UTC 2013 i686 i686 i386 GNU/Linux
[mlapier@mushroom samba]$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [printers]
Processing section [pictures]
Processing section [budget]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
idmap config * : backend = tdb

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
print ok = Yes
browseable = No

[pictures]
comment = Pictures
path = /home/pictures
read only = No
guest ok = Yes

[budget]
comment = Budget
path = /home/budget
valid users = nllapie, mlapier
read only = No
[mlapier@mushroom ~]$

Is there anything else I can share with you that will help you to
diagnose my problem?


Have you checked the CUPS printer sharing?



Sure enough.  The printer shared check box is checked so that's not 
the problem.




That's not good enough. Has the cups configuration been set to allow 
users to connect from the LAN?



Re: [Samba] Desperate plea for help with printer share

2013-04-03 Thread Gary Dale

On 03/04/13 09:09 PM, Mark LaPierre wrote:

On 04/03/2013 09:02 AM, Gary Dale wrote:

On 01/04/13 07:55 PM, Mark LaPierre wrote:

On 03/30/2013 11:45 PM, Gary Dale wrote:

On 30/03/13 08:38 PM, Mark LaPierre wrote:

Hey Y'all,

I've been trying for months to get samba to share my printer with my
wife's Win XP machine.  I've RTFM, and spent hours on google to no
avail.

I can't see the printer from Windows so I can't mount it up.  Nothing
appears in the logs.  The file shares work just fine.

It looks like I've got Samba 3.6.9 on this machine:

[mlapier@mushroom samba]$ rpm -qa | grep samba
samba-swat-3.6.9-151.el6.i686
samba-doc-3.6.9-151.el6.i686
samba-client-3.6.9-151.el6.i686
samba-winbind-clients-3.6.9-151.el6.i686
samba-3.6.9-151.el6.i686
samba-common-3.6.9-151.el6.i686
samba-winbind-devel-3.6.9-151.el6.i686
samba-winbind-krb5-locator-3.6.9-151.el6.i686
samba-domainjoin-gui-3.6.9-151.el6.i686
samba-winbind-3.6.9-151.el6.i686
samba4-libs-4.0.0-55.el6.rc4.i686
[mlapier@mushroom samba]$ name
CentOS release 6.4 (Final)
Linux mushroom.patch 2.6.32-358.2.1.el6.i686 #1 SMP Tue Mar 12
21:42:46 UTC 2013 i686 i686 i386 GNU/Linux
[mlapier@mushroom samba]$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [printers]
Processing section [pictures]
Processing section [budget]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
idmap config * : backend = tdb

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
print ok = Yes
browseable = No

[pictures]
comment = Pictures
path = /home/pictures
read only = No
guest ok = Yes

[budget]
comment = Budget
path = /home/budget
valid users = nllapie, mlapier
read only = No
[mlapier@mushroom ~]$

Is there anything else I can share with you that will help you to
diagnose my problem?


Have you checked the CUPS printer sharing?



Sure enough.  The printer shared check box is checked so that's not
the problem.



That's not good enough. Has the cups configuration been set to allow
users to connect from the LAN?


How might you suggest that I check that setting?



Read the CUPS documentation on the various configuration files it uses. 
The one you probably want is /etc/cups/cupsd.conf.



Re: [Samba] Samba on Windows?

2013-04-01 Thread Gary Dale

On 01/04/13 04:18 PM, fromsamba.bitbucke...@spamgourmet.com wrote:
When trying to copy files to/from a Windows file server from/to 
another Windows machine, at times the Windows Explorer application 
will just hang.  This could be due to the server being less than 
responsive, or some other reason.  It ends up being really annoying as 
Explorer just stops responding due to, presumably, being stuck waiting 
for a response from the remote server.  There are times when just 
clicking a file will then cause Explorer to hang, as though it's 
requesting info for the file and not getting a response.


Every time I run into this, I think, why wouldn't this all be 
threaded?  Why would a background thread do all the network 
communications asynchronously so that the UI didn't freeze up like 
this?  Then I think, why not just write a simple CIFS/SMB client which 
is asynchronous and which doesn't hang due to the remote server not 
responding.  Also, something that doesn't send any unnecessary 
requests.  i.e., give me the list of files, let me pick which ones to 
copy, and copy.  Don't request any additional info about  the files 
(as I think happens when you right-click a file).


But why write a CIFS/SMB client, when Samba has already done it?  I 
know Samba is intended for Linux, allowing Linux users to interoperate 
with Windows.  But has anyone ever attempted building/using the Samba 
code on Windows?  Could Samba be used to do the protocol stuff in a 
Windows application?


Seems like there's no reason to re-invent the wheel and dig through 
the MS protocol documentation, if Samba could be re-used for this 
purpose.  Does this seem feasible?  Or is this ill-advised? :)


Why not just replace your Windows server and switch your client(s) to 
Linux? It's probably a lot less work. If you have a program that you 
must use that only runs on Windows, try wine or a virtual machine.




Re: [Samba] Desperate plea for help with printer share

2013-03-30 Thread Gary Dale

On 30/03/13 08:38 PM, Mark LaPierre wrote:

Hey Y'all,

I've been trying for months to get samba to share my printer with my 
wife's Win XP machine.  I've RTFM, and spent hours on google to no avail.


I can't see the printer from Windows so I can't mount it up.  Nothing 
appears in the logs.  The file shares work just fine.


It looks like I've got Samba 3.6.9 on this machine:

[mlapier@mushroom samba]$ rpm -qa | grep samba
samba-swat-3.6.9-151.el6.i686
samba-doc-3.6.9-151.el6.i686
samba-client-3.6.9-151.el6.i686
samba-winbind-clients-3.6.9-151.el6.i686
samba-3.6.9-151.el6.i686
samba-common-3.6.9-151.el6.i686
samba-winbind-devel-3.6.9-151.el6.i686
samba-winbind-krb5-locator-3.6.9-151.el6.i686
samba-domainjoin-gui-3.6.9-151.el6.i686
samba-winbind-3.6.9-151.el6.i686
samba4-libs-4.0.0-55.el6.rc4.i686
[mlapier@mushroom samba]$ name
CentOS release 6.4 (Final)
Linux mushroom.patch 2.6.32-358.2.1.el6.i686 #1 SMP Tue Mar 12 
21:42:46 UTC 2013 i686 i686 i386 GNU/Linux

[mlapier@mushroom samba]$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [printers]
Processing section [pictures]
Processing section [budget]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
idmap config * : backend = tdb

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
print ok = Yes
browseable = No

[pictures]
comment = Pictures
path = /home/pictures
read only = No
guest ok = Yes

[budget]
comment = Budget
path = /home/budget
valid users = nllapie, mlapier
read only = No
[mlapier@mushroom ~]$

Is there anything else I can share with you that will help you to 
diagnose my problem?


Have you checked the CUPS printer sharing?



Re: [Samba] helppp! security = user + public share

2013-03-19 Thread Dale Schroeder

The wiki explains it this way:

http://wiki.samba.org/index.php/Frequently_Asked_Questions#guest_access

HTH,
Dale

On 03/18/2013 6:00 PM, Benjamin Huntsman wrote:

This is Samba 3.6.10, BTW.

After further debugging, I can't get it to work under any circumstances with 
XP, but I can get it to allow guest shares with the following:

security = USER
encrypt passwords = Yes
map to guest = Bad User

However, I really need encrypt passwords = No.  That apparently is the culprit 
however.

Does anyone know how to allow guest access while sending unencrypted 
credentials?  I'm guessing it fails because the user exists in the UNIX passwd 
file.

Many thanks in advance!

-Ben



From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf 
of Benjamin Huntsman [bhunts...@mail2.cu-portland.edu]
Sent: Monday, March 18, 2013 2:30 PM
To: samba@lists.samba.org
Subject: [Samba] helppp!  security = user + public share

I'm getting killed this morning, since we did a Samba upgrade to one of our 
production servers this weekend and didn't expect this one.

I have one share that I need unauthenticated access to from a few named 
workstations.  Here's the config:

# Samba config file created using SWAT
# from UNKNOWN (x.x.x.x)
# Date: 2013/03/18 14:25:33

[global]
 encrypt passwords = No
 map to guest = Bad User
 guest account = pcguest
 log level = 3
 os level = 8
 local master = No
 domain master = No
 idmap config * : range =
 idmap config * : backend = tdb

[pubshare]
 path = /doclink
 read only = No
 guest ok = Yes
 hosts allow = x.x.x.x



So, from the host that is named on the pubshare share, I should just be able to go 
to Start -- run, and enter \\server\pubshare and be in, regardless of who I'm 
logged in as.
I also added the pcguest account into the passdb backend using 'smbpasswd -an 
pcguest'.  And yet, it's still prompting for a password.

I need this to work because several automated processes rely on the share.  It 
works just fine if I flip it back to security = SHARE, but that breaks all the 
shares on the system for Windows XP clients.

Anyway, huge thanks to anyone who might be able to assist!!

-Ben
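The guest-access directives this thread turns on (`map to guest`, `guest ok`, `encrypt passwords`, `hosts allow`) can be reviewed mechanically before a server goes back into production. The following is an added example, not part of any poster's message and not Samba project code; the function names and finding labels are hypothetical, and the sample configuration is assembled from directives quoted on this page.

```python
import re

TRUE_WORDS = {"yes", "true", "on", "1"}
# Synonyms documented in smb.conf(5); the inverted ones flip "read only".
SYNONYMS = {"public": "guest ok", "allow hosts": "hosts allow"}
INVERTED_READ_ONLY = {"writable", "writeable", "write ok"}

# Constructed sample: [global] and [pubshare] as posted in this thread,
# [pictures] and [budget] as posted in the printer-share thread.
SAMPLE_CONF = """
[global]
 encrypt passwords = No
 map to guest = Bad User
 guest account = pcguest

[pubshare]
 path = /doclink
 read only = No
 guest ok = Yes
 hosts allow = x.x.x.x

[pictures]
 path = /home/pictures
 read only = No
 guest ok = Yes

[budget]
 path = /home/budget
 valid users = nllapie, mlapier
 read only = No
"""


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())  # names are case/space insensitive
        value = value.strip()
        if key in INVERTED_READ_ONLY:
            key, value = "read only", "no" if is_true(value) else "yes"
        current[SYNONYMS.get(key, key)] = value
    return sections


def audit_guest_exposure(text):
    """Return (section, finding) pairs for settings that widen guest access."""
    conf = parse_smb_conf(text)
    global_params = conf.get("global", {})
    findings = []
    # Default is "encrypt passwords = yes"; "No" means plaintext on the wire.
    if not is_true(global_params.get("encrypt passwords", "yes")):
        findings.append(("global", "plaintext-passwords"))
    # Default is "Never"; any other value turns some failed logons into guest.
    guest_map = " ".join(global_params.get("map to guest", "never").lower().split())
    if guest_map != "never":
        findings.append(("global", "map-to-guest:" + guest_map))
    for name, params in conf.items():
        if name == "global":
            continue
        effective = {**global_params, **params}  # [global] supplies defaults
        if not is_true(effective.get("guest ok", "no")):
            continue
        if is_true(effective.get("read only", "yes")):
            findings.append((name, "guest-readable"))
        else:
            findings.append((name, "guest-writable"))
        if not effective.get("hosts allow", "").strip():
            findings.append((name, "guest-no-hosts-allow"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_guest_exposure(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```

A guest-writable share with no `hosts allow` line is the combination to look at first; `[pubshare]` is at least pinned to named hosts.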


Re: [Samba] PROPOSAL: Remove SWAT in Samba 4.1

2013-02-19 Thread Dale Schroeder

On 02/17/2013 6:02 PM, Andrew Bartlett wrote:

As most of you would have noticed, we have now had 3 CVE-nominated
security issues for SWAT in the past couple of years.

At the same time, while I know many of our users use SWAT, we just don't
have anybody to maintain it inside the Samba Team.  Kai has made a
valiant effort to at least apply the XSS and CSRF guidelines when folks
make security reports, but by his own admission he isn't a web developer
- none of us are!

There are many other parts of Samba that have not been substantially
maintained in years, but few have the level of security exposure that
SWAT does (most are bits of library and utility code that we apply
elsewhere, but which just quietly does its own job).

The issue isn't that we can't write secure code, but that writing secure
Web code where we can't trust the authenticated actions of our user's
browser is a very different model to writing secure system code.
Frankly it just isn't our area.

Therefore, it was suggested on a private list that we just drop SWAT.  I
want to start a public discussion on that point, prompted by
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700729 which reminds us
why we didn't apply the specific CSRF hardening we applied in 4.0.2 to
SWAT in the first place.

Thanks,

Andrew Bartlett


I have yet to make the jump to Samba4, so I have not seen the version of 
SWAT designed for it.


For me, the primary benefit of SWAT in Samba3 was the ability to use the 
help link for any parameter to see what that parameter did, what the 
default was, and what its proper syntax was.  For reference, I ran man 
smb.conf.  Viewing full screen, I pressed the Page Down key 34 times 
and was still in the 1st third of the alphabetical listing of 
parameters.  It's no small wonder that I never used man smb.conf to 
configure Samba.  SWAT was my friend.


So, if Samba4 has anywhere near the number of parameters as Samba3, I 
would be greatly disappointed to see SWAT go away entirely.  An html 
version of the samba-doc package that contained all parameters with 
links to their definitions/descriptions would be a welcome and suitable 
replacement.


Thanks,
Dale


[Samba] can't connect to home share after renaming Windows user

2013-02-14 Thread Gary Dale
I just went through the ordeal of renaming a Windows user account (from 
the previous incumbent's name to the position title, so I won't have to 
repeat this). Everything went smoothly. The account has access to the 
programs and files that it previously did. The roaming profile is being 
updated when the user logs out. The C:\user\president folder is 
accessing and storing the local documents properly.


The only thing not working right is the home share isn't being mounted 
as drive m:. They do map to drive m: for other user accounts so it's not 
a samba smb.conf setting. The old windows user has the same sid as the 
new one and the old unix user has the same user number as the new one. I 
also checked /etc/group and changed any extra group memberships for that 
user number.


I can see \\server\president in the Windows Explorer network but can't 
open the folder. I get a Windows cannot access error in Windows 
Explorer. I get a similar thing when I manually map drive m: to 
\\server\president. When I log onto the same machine using another 
account, the drive maps as expected and I can open that account's home 
folder in the network section in Windows Explorer.


The only thing I can think of is that a Samba .tdb database must have 
something or be missing something related to that user account's home 
share. Any ideas?



[Samba] [RESOLVED] Re: can't connect to home share after renaming Windows user

2013-02-14 Thread Gary Dale

On 14/02/13 06:52 PM, Gary Dale wrote:
I just went through the ordeal of renaming a Windows user account 
(from the previous incumbent's name to the position title, so I won't 
have to repeat this). Everything went smoothly. The account has access 
to the programs and files that it previously did. The roaming profile 
is being updated when the user logs out. The C:\user\president folder 
is accessing and storing the local documents properly.


The only thing not working right is the home share isn't being mounted 
as drive m:. They do map to drive m: for other user accounts so it's 
not a samba smb.conf setting. The old windows user has the same sid as 
the new one and the old unix user has the same user number as the new 
one. I also checked /etc/group and changed any extra group memberships 
for that user number.


I can see \\server\president in the Windows Explorer network but can't 
open the folder. I get a Windows cannot access error in Windows 
Explorer. I get a similar thing when I manually map drive m: to 
\\server\president. When I log onto the same machine using another 
account, the drive maps as expected and I can open that account's home 
folder in the network section in Windows Explorer.


The only thing I can think of is that a Samba .tdb database must have 
something or be missing something related to that user account's home 
share. Any ideas?


Nevermind. I'd missed changing the /etc/passwd home directory entry. All 
is working now.



Re: [Samba] upgrade from 3.5 - 3.6, now I have no backend defined for idmap

2013-02-05 Thread Dale Schroeder

On 02/05/2013 12:08 AM, Jobst Schmalenbach wrote:

Hi Dale

that worked, thanks.

Just to clarify the * means everything else, right?
That's how I understand it.  On the sites I visited while gathering this 
information, no one seemed to know why it is required, only that 
everything started working after it was added.

Cause now I am getting (only once)

[2013/02/04 07:50:48.519114,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config BUILTIN
I have that line, too and also a lot of other lines regarding BUILTIN.  
Everything is working, so I haven't put any effort into finding out 
why.  If you run cat against your Samba logs and grep for BUILTIN, 
you'll see what I mean.





One strange side effect ... I have never had to reboot a machine because of a 
change to the samba daemon(s), a restart always worked. For a couple of days 
after the change I still was getting the message until I rebooted ... now I do 
not get the messages, weird.
On rare occasions, I've had to do the same thing.  It's something I 
would try when all else failed.


Sorry that I don't have any concrete reasons as to the why of any of 
these things.


Dale


Jobst



On Tue, Jan 29, 2013 at 01:17:52PM -0600, Dale Schroeder 
(d...@briannassaladdressing.com) wrote:

Jobst,

The following works for me in 3.6.x.  Modify to match your criteria.

idmap config * : backend = tdb
idmap config * : range = low - high
idmap config DOMAIN : default = Yes
idmap config DOMAIN : backend = idmap backend
idmap config DOMAIN : range = different low - different high


Dale

On 01/28/2013 10:51 PM, Jobst Schmalenbach wrote:

Hi.

I am getting loads of errors no backend defined for idmap config MYDOMAIN after 
I upgraded from 3.5 - 3.6 a couple of days ago.

I read

   http://wiki.samba.org/index.php/Samba_3.6_Features_added/changed

and did what
   man smb.conf

suggested:

   idmap config MYDOMAIN : backend  = tdb
   idmap config MYDOMAIN : range = 500-199


yet I still receive those errors. I used to have

   idmap uid = 500-1000
   idmap gid = 500-1000

and I had no errors while running 3.5.10.

I am not sure what I am doing wrong, help please.



Jobst












Re: [Samba] upgrade from 3.5 - 3.6, now I have no backend defined for idmap

2013-01-29 Thread Dale Schroeder

Jobst,

The following works for me in 3.6.x.  Modify to match your criteria.

idmap config * : backend = tdb
idmap config * : range = low - high
idmap config DOMAIN : default = Yes
idmap config DOMAIN : backend = idmap backend
idmap config DOMAIN : range = different low - different high


Dale

On 01/28/2013 10:51 PM, Jobst Schmalenbach wrote:

Hi.

I am getting loads of errors no backend defined for idmap config MYDOMAIN after 
I upgraded from 3.5 - 3.6 a couple of days ago.

I read

   http://wiki.samba.org/index.php/Samba_3.6_Features_added/changed

and did what
   
   man smb.conf


suggested:

   idmap config MYDOMAIN : backend  = tdb
   idmap config MYDOMAIN : range = 500-199


yet I still receive those errors. I used to have

   idmap uid = 500-1000
   idmap gid = 500-1000

and I had no errors while running 3.5.10.

I am not sure what I am doing wrong, help please.



Jobst










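A pre-upgrade check for the idmap settings discussed in this thread, as an added example that is not part of either poster's message and not Samba project code. It flags the old `idmap uid` / `idmap gid` / `idmap backend` options, a missing `idmap config *` default as suggested in the reply, incomplete per-domain entries, and ranges that are inverted or overlap (overlapping ranges let two identities land on the same Unix ID); the function name, finding labels and the numeric ranges in `FIXED_CONF` are assumptions made for the example.

```python
import re

IDMAP_LINE = re.compile(r"^idmap\s+config\s+(.+?)\s*:\s*(.+?)\s*=\s*(.*)$", re.I)
OLD_STYLE = re.compile(r"^idmap\s+(uid|gid|backend)\s*=", re.I)
RANGE = re.compile(r"(\d+)\s*-\s*(\d+)")

# The two lines the original poster reported adding after the upgrade.
UPGRADED_CONF = """
   idmap config MYDOMAIN : backend  = tdb
   idmap config MYDOMAIN : range = 500-199
"""

# Constructed: the shape suggested in the reply, with made-up numeric ranges.
FIXED_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config MYDOMAIN : backend = rid
   idmap config MYDOMAIN : range = 20000-29999
"""


def lint_idmap(text):
    """Return (finding, subject) pairs for the idmap lines of an smb.conf."""
    domains, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        old = OLD_STYLE.match(line)
        if old:
            findings.append(("deprecated", "idmap " + old.group(1).lower()))
            continue
        new = IDMAP_LINE.match(line)
        if new:
            domain, key, value = new.group(1).upper(), new.group(2).lower(), new.group(3)
            domains.setdefault(domain, {})[key] = value

    if domains and "*" not in domains:
        findings.append(("missing-default", "*"))

    ranges = []
    for domain, opts in domains.items():
        for needed in ("backend", "range"):
            if needed not in opts:
                findings.append(("missing-" + needed, domain))
        if "range" not in opts:
            continue
        parsed = RANGE.fullmatch(opts["range"])
        if not parsed:
            findings.append(("bad-range", domain))
            continue
        low, high = int(parsed.group(1)), int(parsed.group(2))
        if low >= high:
            findings.append(("inverted-range", domain))
            continue
        ranges.append((low, high, domain))

    # Sweep the sorted ranges, remembering the furthest upper bound seen so
    # far, so an overlap with any earlier domain is reported.
    ranges.sort()
    top_high, top_domain = -1, None
    for low, high, domain in ranges:
        if top_domain is not None and low <= top_high:
            findings.append(("overlap", f"{top_domain}/{domain}"))
        if high > top_high:
            top_high, top_domain = high, domain
    return findings


if __name__ == "__main__":
    for label, conf in (("upgraded", UPGRADED_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_idmap(conf))
```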


[Samba] Windows 7 Easy Transfer

2013-01-18 Thread Gary Dale
I've installed Windows 7 64/Pro on a former XP/Pro workstation connected 
to Samba domain (Debian/Squeeze - v3.5.6). Prior to doing this, I saved 
the settings using the Windows Easy Transfer tool to create a 13G file 
on a USB stick.


I completed the install of Windows 7 and joined the workstation to the 
domain. I can log in with a Domain Admin account, and I note that the 
Domain Admins are in the local Administrators group. However when I run 
the Easy Transfer tool to restore whatever settings it can, I get 
Windows easy transfer can't log on to your domain account.


I've seen some other complaints about Easy Transfer having some problems 
with Domains, but I'm wondering if there are any known problems with 
Samba domains?



Re: [Samba] Samba AD Auth Stops After Patches

2013-01-17 Thread Dale Schroeder
It could be several things.  idmap syntax changed again in 3.6.x.  I've 
put an example of that in your [global] section below.  3.6.x introduced 
some problems with winbind - 
https://bugzilla.samba.org/show_bug.cgi?id=8676 specifically got me, but 
there are others documented also.


Dale


On 01/16/2013 3:30 PM, Popp, Casey A SGT USARMY NG NEARNG (US) wrote:

Hello, I have an issue that I can't sort out.

Issue: Just applied the latest round of patches that brought me up to this
Samba version and suddenly end-users are being prompted for authentication
when attempting to access shares on this CentOS box from their Windows
Vista, 7x86, and 7x64 workstations.

Problem: I am new to Samba and seem to not be connecting the dots

Layer 1: I can ping local host, Samba server name and IP from the Samba
Server and from a Win7x64 client


Here is my research and observations:

1. cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.9 (Tikanga)

---

2. smbstatus
Samba version 3.6.6-0.129.el5

---

3. There are no permission problems on the shared directories nor the parent
chain

---

4. (Symptom) There is an apparent group ownership problem on the shares.
   Where it used to resolve the active directory security group, now there
   is only a numerical string. Attempting to reassign the proper group
   ownership fails as follows:

4a. ll | grep 12345

drwxrwxrwx  4 comp  1488701  4096 Jan 31  2006 12345

4b. chown -R comp:orrfo12345 12345

chown: `comp:orrfo12345': invalid group

4e. Ok, this is a big problem but what is causing it?

---

5. From the server hosting Samba, I looked to see if it could resolve the
groups. (A Factor) One concern
regarding this process is that we collapsed into a much larger domain
about a year ago. As a result,
what is retrieved for a data set is rather large. Also, it takes some
time. That is why I grep in the
following:

5a. wbinfo -g | grep -i ORRFO
5b. getent group OR+ORRFO12345 | awk -F: '{print $4}' | sed 's/OR+//g' | sed
's/,/\n/g'

5c. Both commands return a valid list after several seconds

---

6. Checking the winbind user:

6a. net help getauthuser

6b. The command returns the credentials of an active directory account that
is present, unlocked, and set with the correct password.

---

7. Checking if it can resolve the domain controller

7a. wbinfo -I IPAddrOfDC

7b. It resolves correctly

---

8. Check to see if can get sid of winbind user

8a. wbinfo -n OR+linux.samba.svc

8b. The command returns the SID

---

9. Checked on services

9a. wbinfo -p

Ping to winbindd succeeded

9b. wbinfo -t

checking the trust secret for domain OR via RPC calls succeeded

9c. service --status-all | egrep 'winbindd|nmbd|smbd'

nmbd (pid 15246) is running...

smbd (pid 28397 26486 21186 20942 20941 20940 20939 20938 20937
20936 20935 20934 20933 20930 20929 20927 20926 20925 20924 20923
20922 20921 20920 20917 20916 18027 14885 14878 6418) is running...

winbindd (pid 9208 9187 9185 9184 9182) is running...


9d. wbinfo --online-status
BUILTIN : online
OR-CENTSAMBA-01 : online
OR : online

9e. (Problem) Not sure if it is an issue but nmbd was not started initially.
 The results above come after having started it.

---

10. Verifying smb.conf. I cut out all but one of the shares to keep it
simple. The allow connections section
 was also trimmed but all were ok.


10a. testparm /etc/samba/smb.conf MyWorkstationName MyWorkstationIP

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The idmap backend option is deprecated
WARNING: The idmap uid option is deprecated
WARNING: The idmap gid option is deprecated
Processing section [12345]
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the
'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
Allow connection from MyWorkstationName (MyWorkstationIP) to 12345


10b. (Don't Know) I am not sure if these warnings had been on the system
before or
  if they are the result of patching.

---

11. I created a new user on the Samba server and added it to smbusers. An
identically
 named account exists on another CentOS server that rides the backbone. I
am able to
 access the directories from that server using without being prompted for
auth:


11a. smb://OR-CENTSAMBA-01

---

12. I checked the time on the DC against that on the Samba server and they
are within seconds.


---

13. I refreshed the Kerberos ticket. It is good.

---

14. (Problem) Here is one I can't explain. I came across this as a check
but never found what to do if this didn't work.

14a

Re: [Samba] Roaming Profiles - WinXP and Win7

2012-12-14 Thread Gary Dale

On 14/12/12 04:29 PM, Aaron Wood wrote:

Hello All,

Today I was able to implement Samba4 as a DC with AD in a test 
environment. I eventually got it all working and was able to join the 
domain from two different virtual machines. I was also able to set up 
a roaming profile share and configure a user to utilize this share. My 
issue is that when I first logged into the domain after setting up the 
roaming profiles I did so from a Windows XP machine. The user's 
roaming directory was correctly created and all profile data stored. 
However, when I logged out of the Windows XP machine and logged back 
in from a Windows 7 machine another (totally separate) user profile 
directory was created with a .V2 appended to it. The two profiles do 
not talk to one another and exist on their own. In my opinion this 
cripples the roaming profile functionality unless your entire network 
is made up of computers using the same OS. Is this a bug, or is there 
a solution to this behavior?


Thanks for any insight.


You get the same problem in Linux - trying to share a home folder for an 
account where they are running different versions of the same window 
manager or different versions of Linux. The various resource files are 
not always compatible so you are out of luck trying to share everything.


I wouldn't even try to get it to work. Just accept that Windows 7 
profiles are different from Windows XP profiles.



Re: [Samba] Help pls. -- Samba permission question

2012-12-12 Thread Gary Dale
If you want the CIFS permissions to be set correctly, use the Samba/CIFS 
tools to set them (ie. set them from the client. Don't set them using 
Unix permissions on the server).


Your example shows you setting the group to managegroup but your 
smb.conf forces the group to management. Which is it?


The last line in your server commands I believe should be chmod, not chowm.


On 12/12/12 12:21 PM, J Gao wrote:

Hi, All,

I'm having a problem with my samba server(v3.6.9) setup. I have a 
share on the server:


#cd /
#mkdir managment
#chown -R root:managegroup management
#chowm -R 2770 management

When I test this I found out:
the managegroup member can create new file/dir with the correct 
permission: -rwxrws--- or drwxrws---


BUT, when the client copies a file or dir to the share from his local 
drive, then some file/dir will have a different permission when it is 
copied to the Samba share. (for example, drwxrwxr-x)


We have both Windows and Ubuntu client. Ubuntu client use cifs.mount 
to access the Samba share.


Here is my smb.conf file. Please help me. All I want is when any file 
and/or dir ends up on the samba share, it should have 770 permission.


Thanks.

Gao


my smb.conf:

[global]
workgroup = WORKGROUP
server string = My File Server
interfaces = lo bond0 192.168.1.2/24
hosts allow = 127. 192.168.1.
log file = /var/log/samba/log.%m
max log size = 1000
security = user
passdb backend = tdbsam
guest account = nobody
map to guest = Bad User
wins support = yes
dns proxy = no
map acl inherit = yes
nt acl support = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
create mask = 0770
force security mode = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770

[Management]
comment =
path = /management
browsable = yes
public = no
writable = yes
read only = no
force group = management
valid users = @management







Re: [Samba] Help pls. -- Samba permission question

2012-12-12 Thread Gary Dale

On 12/12/12 02:07 PM, J Gao wrote:

Thank you Gary  for the help.


On 12-12-12 09:45 AM, Gary Dale wrote:

If you want the CIFS permissions to be set correctly, use the Samba/CIFS
tools to set them (ie. set them from the client. Don't set them using
Unix permissions on the server).


I don't know if I'm doing it correct. I'm using a bash script to help 
user mount the CIFS share like this:


sudo mount.cifs //fileserver/management/ ${HOME}/fileserver/management 
-o user=${USER},password=$userPass,uid=$UID,rw,mand


Could you give me an example on using Samba/CIFS tools?
That line mounts the share using the credentials you gave it but that 
doesn't set the permissions. If you right-click on the share's folder, 
you should be able to set the CIFS permissions.









Your example shows you setting the group to managegroup but your
smb.conf forces the group to management. Which is it?


My typo. I wanted to make it clear, so I changed the group name to managegroup.
The actual group name is the same, management, which I think may cause
confusion when I post my question. Sorry.

Best Regards.

Gao

So is your user a member of management? Rather than forcing the group to
management, you could just add members to the group.


Also, when you set the Unix ownership and permissions too tightly, you 
may prevent Samba from accessing the share properly. Since the share 
directories and files are to be accessed only through CIFS/Samba, the 
Unix permissions can and should be very loose. My shares all have Unix 
permissions with everyone having rwx access.








The last line in your server commands I believe should be chmod, not 
chowm.



On 12/12/12 12:21 PM, J Gao wrote:

Hi, All,

I'm having a problem with my samba server(v3.6.9) setup. I have a
share on the server:

#cd /
#mkdir managment
#chown -R root:managegroup management
#chowm -R 2770 management

When I test this I found out:
the managegroup member can create new file/dir with the correct
permission: -rwxrws--- or drwxrws---

BUT, when the client copies a file or dir to the share from his local
drive, then some files/dirs will have a different permission when
copied to the Samba share. (for example, drwxrwxr-x)

We have both Windows and Ubuntu clients. The Ubuntu clients use cifs.mount
to access the Samba share.

Here is my smb.conf file. Please help me. All I want is that when any file
and/or dir ends up on the samba share, it should have 770 permission.

Thanks.

Gao


my smb.conf:

[global]
workgroup = WORKGROUP
server string = My File Server
interfaces = lo bond0 192.168.1.2/24
hosts allow = 127. 192.168.1.
log file = /var/log/samba/log.%m
max log size = 1000
security = user
passdb backend = tdbsam
guest account = nobody
map to guest = Bad User
wins support = yes
dns proxy = no
map acl inherit = yes
nt acl support = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
create mask = 0770
force security mode = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770

[Management]
comment =
path = /management
browsable = yes
public = no
writable = yes
read only = no
force group = management
valid users = @management












Re: [Samba] Help pls. -- Samba permission question

2012-12-12 Thread Gary Dale

On 12/12/12 05:18 PM, J Gao wrote:

On 12-12-12 12:52 PM, Gary Dale wrote:

On 12/12/12 02:07 PM, J Gao wrote:

Thank you Gary  for the help.


On 12-12-12 09:45 AM, Gary Dale wrote:
If you want the CIFS permissions to be set correctly, use the Samba/CIFS
tools to set them (ie. set them from the client. Don't set them using
Unix permissions on the server).

I don't know if I'm doing it correctly. I'm using a bash script to help
users mount the CIFS share like this:

sudo mount.cifs //fileserver/management/ ${HOME}/fileserver/management -o user=${USER},password=$userPass,uid=$UID,rw,mand

Could you give me an example on using Samba/CIFS tools?

That line mounts the share using the credentials you gave it but that
doesn't set the permissions. If you right-click on the share's folder,
you should be able to set the CIFS permissions.




OK, right-click in Nautilus works. But how can I set this up by
default? I mean, once the share is mounted, it will set the correct
permission to 770 if the user copies files to the share?

I read the man page for cifs.mount but I couldn't figure it out myself.

Here is more info:
1. The management group has gid=1018 on the server.
2. Once the share is mounted on the Ubuntu client, the share's group ID
is set to numeric 1018. (there isn't a local gid 1018)
3. When I copy a file, for example:
-rwxr--r--  1 gao gao   14429 Nov 20 09:56 test
to the mounted share, the permission appears to be:
-rwxrwxr--  1 gao 1018  14429 Nov 20 09:56 test
And I check it on the Samba server:
-rwxrwxr--  1 gao management  14429 Nov 20 09:56 test
So the permission changed to 774, not 770. I think somehow it combined
the permissions here.
Just like you said, I can change it to 770 from the right-click. But I
prefer to do it automatically.


Please help.

Thanks a lot.

Gao


If you have the domain created correctly, the Samba database keeps the 
CIFS permissions. The Unix permissions aren't needed. Keep in mind that 
the two sets of permissions are distinct. If you set the CIFS 
permissions they are remembered. Checking the Unix permissions to see 
what the CIFS permissions are doesn't work.


Having a Unix group called management isn't helpful unless it maps to a 
CIFS group. For example, most Samba users map the CIFS Domain Users to 
the Unix users. This is in the Samba documentation. The 1018 simply 
shows that there is no CIFS group recognized for 1018 (don't forget, you 
are forcing the group - probably not what you really want to do).


You really want to set up a CIFS group called management and add CIFS 
users to it.


Samba maps CIFS users to Unix users if the name is the same.

Have you tried using SWAT to manage your users and shares? It makes 
things easier if you don't have a Windows client to work from.











Your example shows you setting the group to managegroup but your
smb.conf forces the group to management. Which is it?


My typo. I wanted to make it clear, so I changed the group name to managegroup.
The actual group name is the same, management, which I think may cause
confusion when I post my question. Sorry.

Best Regards.

Gao

So is your user a member of management? Rather than forcing the group to
management, you could just add members to the group.

Also, when you set the Unix ownership and permissions too tightly, you
may prevent Samba from accessing the share properly. Since the share
directories and files are to be accessed only through CIFS/Samba, the
Unix permissions can and should be very loose. My shares all have Unix
permissions with everyone having rwx access.







The last line in your server commands I believe should be chmod, not
chowm.


On 12/12/12 12:21 PM, J Gao wrote:

Hi, All,

I'm having a problem with my samba server(v3.6.9) setup. I have a
share on the server:

#cd /
#mkdir managment
#chown -R root:managegroup management
#chowm -R 2770 management

When I test this I found out:
the managegroup member can create new file/dir with the correct
permission: -rwxrws--- or drwxrws---

BUT, when the client copies a file or dir to the share from his local
drive, then some files/dirs will have a different permission when
copied to the Samba share. (for example, drwxrwxr-x)

We have both Windows and Ubuntu clients. The Ubuntu clients use cifs.mount
to access the Samba share.

Here is my smb.conf file. Please help me. All I want is that when any file
and/or dir ends up on the samba share, it should have 770 permission.

Thanks.

Gao


my smb.conf:

[global]
workgroup = WORKGROUP
server string = My File Server
interfaces = lo bond0 192.168.1.2/24
hosts allow = 127. 192.168.1.
log file = /var/log/samba/log.%m
max log size = 1000
security = user
passdb backend = tdbsam
guest account = nobody
map to guest = Bad User
wins support = yes
dns proxy = no
map acl inherit = yes
nt acl support = yes
load printers

Re: [Samba] Help pls. -- Samba permission question

2012-12-12 Thread Gary Dale

On 12/12/12 08:01 PM, J Gao wrote:

On 12-12-12 03:02 PM, Gary Dale wrote:

On 12/12/12 05:18 PM, J Gao wrote:

On 12-12-12 12:52 PM, Gary Dale wrote:

On 12/12/12 02:07 PM, J Gao wrote:

Thank you Gary  for the help.


On 12-12-12 09:45 AM, Gary Dale wrote:

If you want the CIFS permissions to be set correctly, use the Samba/CIFS
tools to set them (ie. set them from the client. Don't set them using
Unix permissions on the server).

I don't know if I'm doing it correctly. I'm using a bash script to help
users mount the CIFS share like this:

sudo mount.cifs //fileserver/management/ ${HOME}/fileserver/management -o user=${USER},password=$userPass,uid=$UID,rw,mand

Could you give me an example on using Samba/CIFS tools?

That line mounts the share using the credentials you gave it but that
doesn't set the permissions. If you right-click on the share's folder,
you should be able to set the CIFS permissions.




OK, right-click in Nautilus works. But how can I set this up by
default? I mean, once the share is mounted, it will set the correct
permission to 770 if the user copies files to the share?

I read the man page for cifs.mount but I couldn't figure it out myself.

Here is more info:
1. The management group has gid=1018 on the server.
2. Once the share is mounted on the Ubuntu client, the share's group ID
is set to numeric 1018. (there isn't a local gid 1018)
3. When I copy a file, for example:
-rwxr--r--  1 gao gao   14429 Nov 20 09:56 test
to the mounted share, the permission appears to be:
-rwxrwxr--  1 gao 1018  14429 Nov 20 09:56 test
And I check it on the Samba server:
-rwxrwxr--  1 gao management  14429 Nov 20 09:56 test
So the permission changed to 774, not 770. I think somehow it combined
the permissions here.
Just like you said, I can change it to 770 from the right-click. But I
prefer to do it automatically.

Please help.

Thanks a lot.

Gao


If you have the domain created correctly, the Samba database keeps the
CIFS permissions. The Unix permissions aren't needed. Keep in mind that
the two sets of permissions are distinct. If you set the CIFS
permissions they are remembered. Checking the Unix permissions to see
what the CIFS permissions are doesn't work.

Having a Unix group called management isn't helpful unless it maps to a
CIFS group. For example, most Samba users map the CIFS Domain Users to
the Unix users. This is in the Samba documentation. The 1018 simply
shows that there is no CIFS group recognized for 1018 (don't forget, you
are forcing the group - probably not what you really want to do).

You really want to set up a CIFS group called management and add CIFS
users to it.

Samba maps CIFS users to Unix users if the name is the same.

Have you tried using SWAT to manage your users and shares? It makes
things easier if you don't have a Windows client to work from.




Looks like I need more reading. I googled for CIFS group and got
lots of Oracle/Solaris but not much for Linux. When you say CIFS group,
do you mean a local group on the client PC?

Also I quickly installed SWAT and I can't find anything about CIFS group anywhere.

Gao


That's a Windows Domain group in M$ parlance. The group is recognized on 
the member server because it comes from the Domain. That's why I used 
the example of Domain Users as a CIFS group, as distinct from the Unix 
group users.


Windows provides graphical tools for managing groups and users on the 
Domain Controller, but you can also do it from the command line in 
Linux. Something like net rpc group ADD groupname should work.


Once the group is created, you can populate it with users.

The essential point is that the Windows Domain model is different from 
the Unix security model. When you are using Samba, use Samba and the 
Windows way of handling things. Don't try to use Unix tools. You're not 
in Unix-land anymore.



Re: [Samba] User is invalid on this system

2012-11-30 Thread Dale Schroeder

Kevin,

3.6.x has had several issues with idmap rid.  I was hit with this one: 
https://bugzilla.samba.org/show_bug.cgi?id=8676 .  Searching for idmap 
rid issues with 3.6.x will reveal others as well.


Someone indicated that rejoining the domain would fix this issue. As it 
so happened, I had to rebuild one of the servers.  After joining the 
rebuilt system to the domain, it has worked flawlessly ever since.  So, 
it appears the problem with rid and some of the other idmap backends is 
somehow related to upgrading, as newly joined systems work as expected.


Dale


On 11/29/2012 6:51 PM, Kevin Elliott wrote:

Hello all.

We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 
3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map 
Samba shares from our Windows XP SP3 and Windows 7 clients:


Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087,  3] smbd/process.c:1467(switch_message)
   switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
   wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353,  3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
   Doing spnego session setup
[2012/11/29 15:23:58.120409,  3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
   NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
   reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198,  3] libads/authdata.c:332(decode_pac_data)
   Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
   Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL]
[2012/11/29 15:23:58.124710,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
   Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780,  3] smbd/error.c:81(error_packet_set)
   error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839,  1] smbd/process.c:457(receive_smb_talloc)
   receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072,  3] smbd/server_exit.c:181(exit_server_common)
   Server exit (failed to receive smb request)



However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd.


And the relevant section of smb.conf:

[global]
 workgroup = CBJ_NT
 realm = CBJ.LOCAL
 netbios aliases = CITY-LIZA-L90, CITY-LIZA
 server string = External FTP Server
 interfaces = 192.0.2.87/32, lo
 bind interfaces only = Yes
 security = ADS
 obey pam restrictions = Yes
 password server = 192.0.2.25, 192.0.2.50
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
 client NTLMv2 auth = Yes
 log level = 3
 log file = /var/log/samba/log.%m
 max log size = 2500
 printcap name = cups
 os level = 5
 local master = No
 domain master = No
 wins server = 192.0.2.25
 ldap ssl = no
 panic action = /usr/share/samba/panic-action %d
 winbind separator = +
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 idmap config LIBRARY:range = 65535-7
 idmap config LIBRARY:base_rid = 0
 idmap config LIBRARY:backend = rid
 idmap config * : range = 1-65533
 idmap config * : base_rid = 0
 idmap config * : backend = rid
 admin users = @CBJ_NT+admin
 veto files = /.*/

[ftp]
 comment = FTP directory
 path = /var/ftp/pub/
 valid users = @CBJ_NT+domain users
 read only = No
 create mask = 0775
 directory mask = 0775
 hide unreadable = Yes


Any ideas? Anyone else see this?

---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905






Re: [Samba] User is invalid on this system

2012-11-30 Thread Dale Schroeder
With what I've read and what I've seen with the rebuilds, there's a good 
chance the rejoin could fix your problem.  That being said, there are no 
guarantees with winbind. It's the part of the Samba suite that has given 
me the most problems over the years, breaking existing configs almost 
every time its internal workings are changed.


I wish you good luck!

Dale


On 11/30/2012 12:57 PM, Kevin Elliott wrote:

Dale,

I was afraid of that. We were forced to upgrade from 3.5.x because of a
reoccurring Winbind issue but I'm a bit disappointed to see that 3.6.x
introduces idmap/rid issues. I guess we just traded one for another.

Do you think un-joining and then re-joining the existing system could fix this?

Thanks.


---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905




-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Friday, November 30, 2012 9:38 AM
To: Kevin Elliott
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] User is invalid on this system

Kevin,

3.6.x has had several issues with idmap rid.  I was hit with this one:
https://bugzilla.samba.org/show_bug.cgi?id=8676 .  Searching for idmap rid 
issues with 3.6.x will reveal others as well.

Someone indicated that rejoining the domain would fix this issue. As it so 
happened, I had to rebuild one of the servers.  After joining the rebuilt 
system to the domain, it has worked flawlessly ever since.  So, it appears the 
problem with rid and some of the other idmap backends is somehow related to 
upgrading, as newly joined systems work as expected.

Dale


On 11/29/2012 6:51 PM, Kevin Elliott wrote:

Hello all.

We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 
3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map 
Samba shares from our Windows XP SP3 and Windows 7 clients:


Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087,  3] smbd/process.c:1467(switch_message)
   switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
   wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353,  3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
   Doing spnego session setup
[2012/11/29 15:23:58.120409,  3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
   NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
   reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198,  3] libads/authdata.c:332(decode_pac_data)
   Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
   Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL]
[2012/11/29 15:23:58.124710,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
   Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780,  3] smbd/error.c:81(error_packet_set)
   error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839,  1] smbd/process.c:457(receive_smb_talloc)
   receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072,  3] smbd/server_exit.c:181(exit_server_common)
   Server exit (failed to receive smb request)



However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd.


And the relevant section of smb.conf:

[global]
  workgroup = CBJ_NT
  realm = CBJ.LOCAL
  netbios aliases = CITY-LIZA-L90, CITY-LIZA
  server string = External FTP Server
  interfaces = 192.0.2.87/32, lo
  bind interfaces only = Yes
  security = ADS
  obey pam restrictions = Yes
  password server = 192.0.2.25, 192.0.2.50
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
  client NTLMv2 auth = Yes
  log level = 3
  log file = /var/log/samba/log.%m
  max log size = 2500
  printcap name = cups
  os level = 5
  local master = No
  domain master = No
  wins server = 192.0.2.25
  ldap ssl = no
  panic action = /usr/share/samba/panic-action %d
  winbind separator = +
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  idmap config LIBRARY:range = 65535-7
  idmap config LIBRARY:base_rid

Re: [Samba] cannot modify files on client

2012-11-25 Thread Gary Dale
When you are using samba to connect, the user, group and file permissions
get passed through it. Rather than trying to force a particular user,
try mapping the Windows (samba) user to the local (server) user tommy.



On 25/11/12 10:10 AM, Dietrich Hentschel wrote:

Hi,

I want to connect a Linux client to a Linux server to modify files.

On my server:

   password file: tommy:x:1002:100:Tommy:/home/tommy:/bin/sh

   smb.conf:
[global]
workgroup=WORKGROUP
security=share

[bilder]
path=/var/lib/export
force user=tommy
force group=users
valid users=tommy
write list=tommy

On client:

mount.cifs //DESKTOP/bilder /home/dih/tommy/  -o user=tommy

  I see the files on root:
-rwxr-xr-x 1 1002 users 628 Nov 11 19:15 configure.sh
-rw-r--r-- 1 1002 users   0 Nov 25 11:33 d
-rw-r--r-- 1 1002 users   0 Nov 25 12:49 dd
-rwxr--r-- 1 1002 users  753647 Nov 22 19:48 p6140385.jpg
-rwxr-xr-x 1 1002 users 720 Nov 19 14:29 photo-ma

  I can touch x without trouble and have uid 1002:
-rw-r--r-- 1 1002 users   0 Nov 25 16:02 x


  I have no user with uid 1002. I want to modify the files not as root, but I
have the wrong permissions.

Can someone help me?

With regards

Dietrich





Re: [Samba] Root cannot delete files through samba share

2012-11-14 Thread Dale Schroeder

What does the [global] config look like?


On 11/14/2012 8:55 AM, Amanda Gomes wrote:


David, thanks again.

  As previously mentioned, I cannot allow the file owner to erase what
he created in the folder, so I applied create mask = 0555 in the
first option.


  Dale, thanks for the response.

  I tried to use the option you suggested - admin users, but even
so, I cannot make it so that only users in the group I want are able
to delete the files. I cannot tell whether it is a samba
problem, but root can delete through samba only when the file
owner has full permission on it. That configuration is not valid for my
environment.



  Below, I'll put the full configuration of my environment:

  Settings on the Shared Folder:

  /mnt/storage/MEDIA

  - chmod 777 /mnt/storage/MEDIA/
  - chown Master_User:supervisors /mnt/storage/MEDIA/

  SAMBA settings:

[MEDIA]
 path = /mnt/storage/MEDIA
 browseable = yes
 writable = yes
 group = force supervisors
 admin users = Master_User, @supervisors
 create mask = 0575
 force create mode = 0575


  When a file is created by the user user1, it has the
following settings within the folder:


-r-xrwxr-x 1 user1 supervisors 0 Nov 14 12:36 File.txt


  OK ... Only the group has full permissions on the file! That is,
theoretically also Master_User (Master_User belongs to supervisors).
But neither Master_User nor root can delete through samba.



  Does someone know why not even root can delete through
samba, independent of any configuration?


  Guys, thank you once again for your help.
  Hugs.




2012/11/13 Dale Schroeder d...@briannassaladdressing.com


Amanda,

You can elevate a user's privileges by using the  admin users
parameter, e.g., admin users = user1, @group2
Also, I believe the syntax in your second option should be ==
force group = supervisors if you wish to go that route.

Dale



On 11/12/2012 3:44 PM, Amanda Gomes wrote:

Dear,


We are integrating Samba with Active Directory in the company. The goal
is to provide a samba share to users of AD. In this case, we need all users
to write on the share, but nobody modify or delete any files. Even the user
who owns it.
With this, we would create only one AD user, if necessary with root
powers, which could erase everything.
For this, we test several lines, such as the samba permissions, acls,
sticky bit, but nothing met our needs.
I am now trying to make that an AD user has the same root privileges.
Working with the following configuration:


[MEDIA]
  path = /mnt/storage/MEDIA
  browseable = yes
  writable = yes
  create mask = 0555

After writing the share, no one can erase. But not even the root logging
via samba, can erase. Only the machine itself. Anyone can explain why?

   Another option would be:


[MEDIA]
  path = /mnt/storage/MEDIA
  browseable = yes
  writable = yes
  group = force supervisors
  create mask = 0570

   With this setting, the goal would be that users write in the share and
the files were to become the group supervisors, and only users belonging to
this group be able to erase. But this setup also failed.

   Does anyone know how I could implement this? The why these settings do
not work out?


   Thank you!
   Amanda Gomes.






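The [MEDIA] mask settings quoted in this thread, worked through as an added example (not code from the thread or from Samba). It models the documented smb.conf semantics: with the defaults `map read only = yes` and `delete readonly = no`, a create mask that clears the owner write bit makes every new file DOS read-only, and read-only files cannot be deleted over SMB by any user. The 0766 starting mode, the function names and the last two cases are assumptions of this sketch.

```python
"""Added example: how smb.conf masks yield the Unix mode of a new file and
how that mode becomes the DOS read-only attribute that blocks deletion."""
import stat

# Assumption: mode Samba derives for a new, writable file with the DOS archive
# bit set, before masks apply (rw for all, owner x from "map archive = yes").
DOS_MAPPED_MODE = 0o766


def new_file_mode(create_mask, force_create_mode=0o000, mapped=DOS_MAPPED_MODE):
    """"create mask" is ANDed with the mapped mode, then
    "force create mode" is ORed in."""
    return (mapped & create_mask) | force_create_mode


def is_dos_readonly(mode, map_read_only=True):
    """With "map read only = yes" the READONLY attribute is the inverse of
    the owner write bit, regardless of which user is connected."""
    return map_read_only and not (mode & stat.S_IWUSR)


def smb_delete_allowed(mode, delete_readonly=False, map_read_only=True):
    """DOS semantics refuse to delete READONLY files unless
    "delete readonly = yes". Write access to the directory is assumed
    (the thread's share directory is mode 777)."""
    return delete_readonly or not is_dos_readonly(mode, map_read_only)


def evaluate(create_mask, force_create_mode=0o000, delete_readonly=False):
    """Summarise one share configuration."""
    mode = new_file_mode(create_mask, force_create_mode)
    return {
        "mode": mode,
        "ls": stat.filemode(stat.S_IFREG | mode),
        "dos_readonly": is_dos_readonly(mode),
        "smb_delete_allowed": smb_delete_allowed(mode, delete_readonly),
    }


# The first three rows use mask values quoted in the thread; the last two
# are constructed variants for comparison.
CASES = [
    ("create mask 0555", dict(create_mask=0o555)),
    ("create mask 0570", dict(create_mask=0o570)),
    ("create mask 0575 + force create mode 0575",
     dict(create_mask=0o575, force_create_mode=0o575)),
    ("same, with delete readonly = yes (constructed)",
     dict(create_mask=0o575, force_create_mode=0o575, delete_readonly=True)),
    ("create mask 0770 + force create mode 0770 (constructed)",
     dict(create_mask=0o770, force_create_mode=0o770)),
]


def report():
    """Return one formatted line per case."""
    lines = []
    for label, kwargs in CASES:
        r = evaluate(**kwargs)
        lines.append(
            f"{label:58s} {r['ls']} readonly={r['dos_readonly']!s:5} "
            f"delete_over_smb={r['smb_delete_allowed']}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Because the read-only attribute is derived from the file's mode bits rather than from an access check, `admin users` does not change the result for the first three rows.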


Re: [Samba] Root cannot delete files through samba share

2012-11-13 Thread Dale Schroeder

Amanda,

You can elevate a user's privileges by using the  admin users 
parameter, e.g., admin users = user1, @group2
Also, I believe the syntax in your second option should be == force 
group = supervisors if you wish to go that route.


Dale


On 11/12/2012 3:44 PM, Amanda Gomes wrote:

Dear,


We are integrating Samba with Active Directory in the company. The goal
is to provide a samba share to users of AD. In this case, we need all users
to write on the share, but nobody modify or delete any files. Even the user
who owns it.
With this, we would create only one AD user, if necessary with root
powers, which could erase everything.
For this, we test several lines, such as the samba permissions, acls,
sticky bit, but nothing met our needs.
I am now trying to make that an AD user has the same root privileges.
Working with the following configuration:


[MEDIA]
  path = /mnt/storage/MEDIA
  browseable = yes
  writable = yes
  create mask = 0555

After writing the share, no one can erase. But not even the root logging
via samba, can erase. Only the machine itself. Anyone can explain why?

   Another option would be:


[MEDIA]
  path = /mnt/storage/MEDIA
  browseable = yes
  writable = yes
  group = force supervisors
  create mask = 0570

   With this setting, the goal would be that users write in the share and
the files were to become the group supervisors, and only users belonging to
this group be able to erase. But this setup also failed.

   Does anyone know how I could implement this? The why these settings do
not work out?


   Thank you!
   Amanda Gomes.




Re: [Samba] Win2k auth on named share fails on mixed Windows network.

2012-10-17 Thread Dale Schroeder
There was a problem with Debian Squeeze in early 2010 while still in 
testing, but it was fixed before being released as stable, so may not be 
the exact same problem.
The problem was related to libkrb5-3.  For me, it affected both w2k and 
xp systems - there were no Vista/Win7 systems here at that time.


Check to see if this is relevant to you:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977

'smbcontrol [all/smbd/nmbd/winbindd] reload-config' might be the 
graceful restart for which you are looking.


Dale


On 10/17/2012 9:06 AM, G.W. Haywood wrote:

Hi there,

Background:

Samba 3.6.6 compiled from source on Debian Squeeze using the Debian-
installed Kerberos (1.8.3) libraries.  Running in an Active directory
domain with mixed Win2k Server and Win2k3 Server DCs.  Yes, I've been
trying to persuade them.  Both WINS and DNS name resolution work on
the system.  Samba uses the DCs for WINS, and the DCs are also name
servers with an additional forwarder (dnsmasq) running on a firewall.
Under normal circumstances, Windows 7 Pro and XP Pro clients have no
problems (although a power failure does generally throw a spanner in
the works for several hours - may be the subject of another thread).

With the appropriate credentials, 'smbclient' running on the Linux
server can connect to shares, but using the same credentials Windows
2000 Pro client workstations can access shares only by IP, not name.
Searching the archives, this seems to be a very common problem which
has sometimes been solved and sometimes not.

I've tried setting kerberos method = secrets and keytab in smb.conf
and KB833708, both to no avail.

8--
c:\net view palatine
System error 5 has occurred.

Access is denied.

c:\net view 192.168.0.250
Shared resources at 192.168.0.250

Samba server

Share name ...
8--

Samba logs show in this case:

[2012/10/17 12:07:02.607012,  3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
   libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Encryption type not permitted


which indicates that the Kerberos libraries are not permitting the
encryption type, either because it is not available in the libraries
or because it's restricted by the config.  I believe the encryption
type to be available in these libraries, so my guess is that it is not
being permitted for some reason.  I postulate that it's considered a
weak type, so I propose to permit weak encryption types.

Questions:

1. If for example I were to make a change in /etc/krb5.conf to permit
less secure encryption types by setting

[libdefaults]
   allow_weak_crypto = 1

do I have to restart Samba for the change to take effect?  The reason
for the question is that restarting Samba in this situation causes a
good deal of grief for the users, so I'd rather not have to do it.

2. Is there a way to ask Samba what encryption types will be allowed
and what types will not be allowed?

3. Is there a definitive list of the encryption types and the integers
used to refer to them in the Samba logs?

4. Is there some kind of 'graceful' Samba restart which users wouldn't
dislike so much? :)

I've been R-ing the FM and searching archives for a couple of weeks
solid now and it's starting to hurt, so any pointers to bits of the FM
to R will be more than welcome.

--

73,
Ged.


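Questions 2 and 3 in the message above come down to reading the enctype number in the log. As an added example (not part of the thread and not Samba code), this parser folds wrapped log.smbd records, extracts each ticket decrypt failure and names the enctype using the numbers assigned in the Kerberos encryption type registry. The `weak` flag follows the list MIT krb5 documents for `allow_weak_crypto`; the function names are hypothetical, and only the first sample record mirrors the one in the thread, the rest are constructed.

```python
"""Added example: name the Kerberos enctypes behind Samba
'failed to decrypt' log records."""
import re
from collections import Counter

# enctype number -> (name, treated as weak by MIT krb5 allow_weak_crypto)
ENCTYPES = {
    1: ("des-cbc-crc", True),
    2: ("des-cbc-md4", True),
    3: ("des-cbc-md5", True),
    16: ("des3-cbc-sha1", False),
    17: ("aes128-cts-hmac-sha1-96", False),
    18: ("aes256-cts-hmac-sha1-96", False),
    23: ("arcfour-hmac", False),
    24: ("arcfour-hmac-exp", True),
}

# "[2012/10/17 12:07:02.607012,  3] source.c:NNN(function)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s+(\d+)\]\s*(.*)$")
FAILURE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")

# Constructed sample. The first record is folded across lines the way mail
# clients wrap long log lines; the parser has to cope with that.
SAMPLE_LOG = """\
[2012/10/17 12:07:02.607012,  3]
libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
   libads/kerberos_verify.c:429: enc type [23] failed to decrypt with
error Encryption type not permitted
[2012/10/17 12:07:02.607100,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
   reply_spnego_negotiate: Got secblob of size 1680
[2012/10/17 12:09:41.000001,  3] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
   libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Encryption type not permitted
"""


def records(text):
    """Yield (timestamp, message) pairs, joining continuation lines onto
    the header line that started the record."""
    current = None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            if current:
                yield current[0], " ".join(current[1].split())
            current = [match.group(1), match.group(3)]
        elif current and line.strip():
            current[1] += " " + line.strip()
    if current:
        yield current[0], " ".join(current[1].split())


def decrypt_failures(text):
    """Return one dict per decrypt failure found in the log text."""
    found = []
    for timestamp, message in records(text):
        match = FAILURE.search(message)
        if not match:
            continue
        number = int(match.group(1))
        name, weak = ENCTYPES.get(number, ("unknown", None))
        found.append({
            "time": timestamp,
            "enctype": number,
            "name": name,
            "weak": weak,
            "error": match.group(2).strip(),
        })
    return found


def summarize(text):
    """Count failures per enctype name."""
    return dict(Counter(f["name"] for f in decrypt_failures(text)))


if __name__ == "__main__":
    for failure in decrypt_failures(SAMPLE_LOG):
        print(failure)
    print(summarize(SAMPLE_LOG))
```

For enctype 23 the `weak` flag is False: arcfour-hmac is not among the types that `allow_weak_crypto` gates in MIT krb5, while the constructed enctype 3 record is.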


Re: [Samba] Regarding samba add with AD

2012-10-17 Thread Dale Schroeder

http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm

http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

Simplest howto I've seen.

Dale


On 10/16/2012 4:24 AM, Dinakar wrote:

Dear team,

Kindly send me the steps (config file edits and all other steps) for adding a
Samba system into AD.

If you have a video, send me that also.

Thanking you


Regards,

*Dhinakaran*
*kilpauk ,chennai *
*Mob: +91-9176472187*




Re: [Samba] using samba similar to windows shares

2012-10-09 Thread Gary Dale

On 09/10/12 04:17 PM, 鱼 wrote:

Hi,

I would like to share a main folder (main) with everyone but have different
access rights to a subfolder of main (subfolder) with 2 groups. Is it
possible that this can be done with samba?

Regards
LC

You do it the same way that you do it on a Windows server. Share the 
main folder then use Windows Explorer to set up ACLs for the subfolder.


Re: [Samba] Share working with IP not with hostname

2012-09-12 Thread Gary Dale

On 10/09/12 01:52 PM, Nitin Thakur wrote:

hi guys

I managed to setup the share. I am able to access the share with IP address, 
but as soon as I try to do it via hostname, I get a user name and password pop 
up, which always fail to authenticate. Any setting I am missing?

Thanks

nitin


I'm guessing you have a recent Windows client. Try the settings at 
http://technet.microsoft.com/en-us/library/ee681622%28v=ws.10%29.aspx 
(there's also a similar thing on the Samba.org site but I can't find it 
right now). However, I do remember that there are two registry keys that 
need to be set/changed with Windows 7. After that, everything works.



Re: [Samba] Phantom Domain Master Browser

2012-08-29 Thread Dale Schroeder

Robert,

Assuming one of the files you found was wins.dat, is there an entry for 
the offending IP with a corresponding hostname?

Knowing the source should surely help with troubleshooting.

Dale


On 08/29/2012 10:08 AM, Robert Adkins II wrote:

Nevermind. I found them.

I also performed the below suggestions and the phantom IP address is still
there, fighting for control of the network.


--

Regards,
Robert Adkins

  


-Original Message-
From: Robert Adkins II [mailto:radk...@impelind.com]
Sent: Wednesday, August 29, 2012 10:54 AM
To: 'gaiseric.van...@gmail.com'; 'samba@lists.samba.org'
Subject: RE: [Samba] Phantom Domain Master Browser

There is no wins.dat or browse.dat anywhere on my server.

I am surprised to find this to be the case.

I do not have a machine on my network with the IP Address in question.

Regards,
Robert
  


-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Tuesday, July 31, 2012 9:46 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Phantom Domain Master Browser

In the /var/samba/locks directory you may have browse.dat file  or
wins.*  (if this is a WINS server) files that have incorrect info.

You should be able to name/backup these  files and restart nmbd.

Is the phantom master browser a samba server or a Windows machine?
the Samba DC normally should win browser elections but it is not
always the case.

  



On 07/20/12 09:08, Robert Adkins II wrote:

I brought up the old server and have been reviewing the log files.

There is no indication of the phantom master browser existing in the
old log files.

--

Regards,
Robert Adkins II
IT Manager/Buyer
Impel Industries, Inc.
586-254-5800

  


-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
Sent: Friday, July 20, 2012 8:50 AM
To: samba@lists.samba.org
Subject: [Samba] Phantom Domain Master Browser

There's a phantom domain master browser showing up in my Samba
nmbd.log file.
  
I keep thinking that maybe it is left over in one of the files that I
transferred over from the old server to the new server and it isn't
clearing itself out. Is there a way to clear that and is it possible
to have a phantom browser fighting over the Domain from a copied over
file?

I transferred all of the Samba files found in /etc/samba to the new
server.

This was also an upgrade from Samba 3.2.7 to Samba 3.6.3

I have noticed some additional files in the /var/log/Samba directory
as well as some additional files in the /etc/samba directory on the
new server.
  
  
  



--

Regards,
Robert Adkins II
IT Manager/Buyer
Impel Industries, Inc.
586-254-5800

  


Re: [Samba] Migrate samba to new server

2012-08-29 Thread Dale Schroeder

Alejandro,

There are far too many changes between those two versions to cover here 
- added parameters, deleted parameters, and default value changes.

However, a listing of changes by version can be found here:

https://wiki.samba.org/index.php/Samba_Features_added/changed_%28by_release%29

Following are two somewhat aged upgrade manuals:

http://www.samba.org/samba/docs/man/Samba-Guide/upgrades.html
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/migration.html

Be sure to run testparm on the old version and save its output for 
comparing with the new version.


Good luck.

Dale


On 08/28/2012 4:45 PM, Alejandro Rodriguez Luna wrote:


Hi, I have a really old server running Samba 3.0.11 (PDC, tdbsam backend)
and I'd like to update my server and start using Samba 3.6.7 from SerNet.
My question here is: what files do I need to migrate from one version to
another? Do I need to make some changes to my current conf file?
Do I need to join all clients again to the domain?



--
Alejandro Rodriguez Luna
E-mail: el_alexl...@yahoo.com.mx
--




Re: [Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6

2012-08-22 Thread Dale Schroeder

If you add to [global] map untrusted to domain = Yes, does it work then?

From 3.4.0 release notes:

Authentication Changes
======================

Previously, when Samba was a domain member and a client was connecting using an
untrusted domain name, such as BOGUS\user smbd would remap the untrusted
domain to the primary domain smbd was a member of and attempt authentication
using that DOMAIN\user name.  This differed from how a Windows member server
would behave.  Now, smbd will replace the BOGUS name with its SAM name.  In
the case where smbd is acting as a PDC this will be DOMAIN\user.  In the case
where smbd is acting as a domain member server this will be WORKSTATION\user.
Thus, smbd will never assume that an incoming user name which is not qualified
with the same primary domain, is part of smbd's primary domain.

While this behavior matches Windows, it may break some workflows which depended
on smbd to always pass through bogus names to the DC for verification.  A new
parameter map untrusted to domain can be enabled to revert to the legacy
behavior.

Dale



On 08/22/2012 8:42 AM, Qing Chang wrote:



On 21/08/2012 11:59 AM, TAKAHASHI Motonobu wrote:

Have you explicitly set the RHEL box's SID same as Solaris box's?
You will do this with get|set localsid command.

they are different. net setlocalsid fails:
[root@smb3 samba]# net setlocalsid S-1-5-21-1197990898-71428884-4196996049

[2012/08/22 09:02:13.228237,  0] lib/interface.c:542(load_interfaces)
  WARNING: no network interfaces found

The point here is that 3.0.14a never bothered to check if a user's SID
belongs to the domain. It just simply sees the user and reports:

init_sam_from_ldap: Entry found for user: qchang

On the other hand, 3.5.10-125.el6 insists that whatever SID a user has
does not belong to its domain, although I only set it up as a STANDALONE
server:

sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca

If I understand right, as a STANDALONE server, Samba should only care
about finding and authenticating against a matching uid to Windows
username on the samba server (which uses LDAP), and then using the uid
and gid(s) to provide shared resources, which is the behavior observed
with 3.0.14a, but not with 3.5.10-125.el6.

In fact, SID never matters with 3.0.14a, I have populated all users
with the same SIDs and 3.0.14a has been serving shares for years.


From: Qing Changqch...@sri.utoronto.ca
Date: Mon, 20 Aug 2012 13:23:17 -0400


we are migrating our standalone Samba sever (3.0.14a) on a Solaris
10 box to an RHEL 6.3 box.

Testing shows that on Solaris 3.0.14a works with both the OpenLDAP
server we are currently using and the IPA2.2 server as LDAP
backend. But 3.5.10-125.el6 on  a RHEL 6.3 box does not work with
either.

(snip)


pdbedit -L has different output:

= 3.0.14a =
Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
Attempting to find an passdb backend to match ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
Found pdb backend ldapsam
Searching for:[((objectClass=sambaDomain)(sambaDomainName=OCTANE))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
init_sam_from_ldap: Entry found for user: qchang
=

= 3.5.10-125.el6 =
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
smbldap_search_paged: base =  [dc=sri,dc=utoronto,dc=ca], filter =
[((uid=*)(objectclass=sambaSamAccount))],scope = [2], pagesize =  [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
=

---
TAKAHASHI Motonobumo...@monyo.com

Qing


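The check that the `does not belong to our domain` message in the 3.5.10 output describes, as an added example (not Samba's code and not from the thread): each account SID is split into a domain SID and a RID, and the domain part is compared with the server's own SID. The log lines and qchang's SID are copied from the thread, the SID from the `net setlocalsid` attempt stands in for the server's domain SID as sample input, and the function names and the `constructed_*` accounts are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the 3.5.10 pdbedit output quoted in the thread.
SAMPLE_LOG = """\
smbldap_search_paged: search was successful
sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
"""

# SID from the `net setlocalsid` attempt in the thread; treated here as the
# server's domain SID purely as sample input (assumption).
LOCAL_DOMAIN_SID = "S-1-5-21-1197990898-71428884-4196996049"

# qchang's SID is from the thread; the constructed_* accounts are made up.
SAMPLE_ACCOUNTS = {
    "qchang": "S-1-5-21-3516781642-1962875130-3438800523-41232",
    "constructed_dup": "S-1-5-21-3516781642-1962875130-3438800523-41232",
    "constructed_ok": LOCAL_DOMAIN_SID + "-3001",
    "constructed_bad": "S-1-5-21-oops",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
SKIP_RE = re.compile(r"^sid (S-1-[\d-]+) does not belong to our domain$")


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID; ValueError if malformed."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % sid)
    subauths = m.group(2).lstrip("-").split("-")
    # A SID holds at most 15 sub-authorities, each a 32-bit value; an account
    # SID needs at least a domain part plus a trailing RID.
    if not 2 <= len(subauths) <= 15:
        raise ValueError("unexpected sub-authority count: %r" % sid)
    if any(int(s) > 0xFFFFFFFF for s in subauths):
        raise ValueError("sub-authority out of range: %r" % sid)
    domain = "S-1-%s-%s" % (m.group(1), "-".join(subauths[:-1]))
    return domain, int(subauths[-1])


def skipped_entries(log_text):
    """Pair each 'does not belong' SID with the DN on the 'Skipping entry' line."""
    out, pending = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = SKIP_RE.match(line)
        if m:
            pending = m.group(1)
        elif pending and line.startswith("Skipping entry "):
            out.append((line[len("Skipping entry "):], pending))
            pending = None
        else:
            pending = None
    return out


def audit_accounts(accounts, local_domain_sid):
    """Report accounts the domain check would skip, plus shared or broken SIDs."""
    by_sid = defaultdict(list)
    report = {"foreign": [], "malformed": [], "duplicate": {}}
    for uid, sid in sorted(accounts.items()):
        try:
            domain, _rid = split_sid(sid)
        except ValueError:
            report["malformed"].append(uid)
            continue
        by_sid[sid].append(uid)
        if domain != local_domain_sid:
            report["foreign"].append(uid)   # would be skipped by the check
    # Accounts sharing one SID cannot be told apart by anything keyed on SID.
    report["duplicate"] = {s: u for s, u in by_sid.items() if len(u) > 1}
    return report


if __name__ == "__main__":
    for dn, sid in skipped_entries(SAMPLE_LOG):
        print("skipped:", dn, "domain part:", split_sid(sid)[0])
    print(audit_accounts(SAMPLE_ACCOUNTS, LOCAL_DOMAIN_SID))
```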


Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

2012-07-10 Thread Dale Schroeder

On 07/10/2012 12:56 PM, Kevin Elliott wrote:

Hello all,

I recently upgraded from Samba 3.5.6 (the version contained in Debian Stable) 
to Samba 3.6.5 (the version from Debian Backports) in an effort to closer track 
the current development to try and chase some long standing bugs out.

I think I've resolved one problem but introduced another. I'm getting the 
WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup much like 
so:

city-liza-lnx:/var/log/samba# wbinfo -t
checking the trust secret for domain CBJ_NT via RPC calls succeeded
city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
CBJ_NT+kevin_elliott 1
city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid


This looks like it has all the markings of following bugreport:

https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679



Before I follow this upstream can someone sanity check my configs for me? I 
understand that much has changed between 3.5 and 3.6 regarding the idmapping.


[global]
 workgroup = CBJ_NT
 realm = CBJ.LOCAL
 netbios aliases = CITY-LIZA-L90, CITY-LIZA
 server string = External FTP Server
 interfaces = 199.58.55.87/22, lo
 bind interfaces only = Yes
 security = ADS
 obey pam restrictions = Yes
 passdb backend = tdbsam
 password server = 199.58.55.25, 199.58.55.50
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
 client NTLMv2 auth = Yes
 log level = 10
 log file = /var/log/samba/log.%m
 max log size = 2500
 printcap name = cups
 os level = 5
 local master = No
 domain master = No
 wins server = 199.58.55.25
 ldap ssl = no
 winbind enum users = Yes
 winbind enum groups = Yes
 panic action = /usr/share/samba/panic-action %d
 idmap config CBJ_NT:backend = rid
 idmap config CBJ_NT:base_rid = 0
 idmap config CBJ_NT:range = 1-65533
 idmap config LIBRARY:backend = rid
 idmap config LIBRARY:base_rid = 0
 idmap config LIBRARY:range = 65535-7
 winbind separator = +
 winbind use default domain = Yes

[ftp]
 comment = FTP directory
 path = /var/ftp/pub/
 valid users = @CBJ_NT+domain users
 read only = No
 create mask = 0775
 directory mask = 0775
 hide unreadable = Yes



Thank you for your consideration.



Kevin,

With idmap rid, it could also be this one:

https://bugzilla.samba.org/show_bug.cgi?id=8676

This bug has been in every version of 3.6.  For me, a reboot of the 
system usually will fix the problem until the next samba/winbind restart 
is required; others have not been so fortunate.


Dale



Re: [Samba] failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

2012-07-10 Thread Dale Schroeder

http://lists.samba.org/archive/samba/2006-February/117184.html


On 07/10/2012 2:53 PM, Felix Miata wrote:

...
[2012/07/10 14:57:42.225332,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/07/10 14:57:42.228331,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/07/10 15:00:35.503126,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/07/10 15:00:35.505125,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/07/10 15:02:31.449204,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/07/10 15:02:31.452203,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/07/10 15:03:46.462854,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/07/10 15:03:46.465853,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/07/10 15:16:47.175386,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/07/10 15:16:47.177386,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/07/10 15:29:47.951909,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/07/10 15:29:47.953909,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/07/10 15:38:14.843530,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/07/10 15:38:14.846530,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

Can whatever is causing smbd to attempt these two processes be made 
not to, and stop the recurring resource waste? My only printer is an 
IP printer, so AFAICT, Samba is never involved with printing from any 
machine on my local network, and I expect it never to be.





Re: [Samba] Winbind: disable UDP/137 broadcasts

2012-06-21 Thread Dale Schroeder

On 06/20/2012 3:29 PM, Tom Noonan II wrote:

I have a samba winbind server which is operating properly.  I have the
firewall configured to DROP outbound traffic on UDP/137 and 139.  The broadcast
traffic on these ports will not reach any pertinent machines due to subnetting,
and is unwanted traffic.
The server is working without this traffic hitting the network.
However, Winbindd is constantly trying to broadcast and logging that it can't.
I have disable netbios = yes in my smb.conf file.  How do I stop winbind from
sending traffic to the broadcast address?


What about smb ports = 445?
Does that help, or is winbind immune to that setting?

Dale


Re: [Samba] Grant only one AD group to samba share ?

2012-05-22 Thread Dale Schroeder

A few questions that might narrow things -

Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

On 05/22/2012 1:01 PM, Newman, John W wrote:

Thanks..

Unfortunately neither suggestion worked

chgrp still just says invalid group

valid users  = @DOMAIN\\My Group behaves the same as I described in the OP.  
Valid credentials = access denied ; invalid credentials = invalid name or bad password.   
 I already tried all sorts of things in valid users, but nothing is the magic string I 
need.

Any other ideas?

Thanks for the help so far, much appreciated!!

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 21/05/12 23:36, Dale Schroeder wrote:

On 05/21/2012 3:42 PM, Newman, John W wrote:



Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


My Group is a windows AD group, not a local linux group. The
machine is joined to the windows domain through net ads join, but
I don't think the security is that tightly integrated. I don't have
windows groups mapped to linux groups I've created or anything like that.
chgrp is expecting a linux group. Right?

Probably I am missing something, or you guys need more information.
Any thoughts?

Hi
Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that 
should read:

chgrp MYDOMAIN\\My\ Group /media/share

Cheers,
Steve


Re: [Samba] Grant only one AD group to samba share ?

2012-05-22 Thread Dale Schroeder

On 05/22/2012 3:17 PM, Newman, John W wrote:

Which version of Samba are you using?

Samba version 3.5.11


What does the idmap backend configuration for winbind look like?

Well.. I'm not really sure what that is (I inherited this project).  In 
smb.conf all he has here is:  idmap uid = 1-2 idmap gid=1-2 
 I don't see idmap backend = set at all in here.  That is probably a big 
part of the problem isn't it?


It would be using the default tdb backend.  You could do a testparm -sv 
and grep for idmap and winbind to see all the parameters that are 
available.  Better still, if you have SWAT and samba-doc installed, you 
can easily see the options available for each parameter.




Does testparm yield any errors?

ERROR: the 'winbind separator' parameter must be a single character.  Hmm.. I 
just changed that to a single \ , and our existing authentication service still 
works fine, but the share behaves no differently.  The extra \ was probably in 
error from this file being edited with sed.


Do getent group and wbinfo -g return the expected results?

getent group shows all of the local linux groups on this machine - no AD 
groups.  Is that expected?


If you have winbind enum groups = Yes, then they should show, otherwise 
not.  Domains with large numbers of users usually leave this as No (also 
winbind enum users).

wbinfo -g shows the windows groups fine, the only thing that's odd is all of 
the groups on this domain show in lower case.

That's normal for winbind.

   They may or may not be that way in their AD, I can't see for sure.   (We are 
forcing a linux machine into someones windows network )


Are nsswitch.conf and PAM configured for authentication?

For what kind of authentication?   /etc/nsswitch and /etc/pam/* are untouched 
from the defaults.

In nsswitch.conf, you will need to add winbind to the passwd and group 
entries.  The article I previously linked (below) has an example PAM 
config (/etc/pam.d/login) for winbind.

For completeness, you might also want to look at this:
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm



All that has really been setup so far is an apache service that uses 
mod_auth_ntlm_winbind to authenticate users of a webpage to their DC.  We are 
now trying to expand that samba/winbind stack over into sharing a folder.  So, 
we probably do need to look at modifying those files, and id mapping, to have a 
samba share authenticate against the DC.  Right?  For some reason I figured 
this part would just work since the join already happened.


A domain can be joined without winbind, but there are steps to take to 
actually use it.


Thanks again!


-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Tuesday, May 22, 2012 14:51
To: Newman, John W
Cc: samba@lists.samba.org
Subject: Re:[Samba] Grant only one AD group to samba share ?

A few questions that might narrow things -

Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

On 05/22/2012 1:01 PM, Newman, John W wrote:

Thanks..

Unfortunately neither suggestion worked

chgrp still just says invalid group

valid users  = @DOMAIN\\My Group behaves the same as I described in the OP.  
Valid credentials = access denied ; invalid credentials = invalid name or bad password.   
 I already tried all sorts of things in valid users, but nothing is the magic string I 
need.

Any other ideas?

Thanks for the help so far, much appreciated!!

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 21/05/12 23:36, Dale Schroeder wrote:

On 05/21/2012 3:42 PM, Newman, John W wrote:

Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


My Group is a windows AD group, not a local linux group. The
machine is joined to the windows domain through net ads join,
but I don't think the security is that tightly integrated. I don't
have windows groups mapped to linux groups I've created or anything like that.
chgrp is expecting a linux group. Right?

Probably I am missing something, or you guys need more information.
Any thoughts?

Hi
Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that 
should read:

chgrp MYDOMAIN\\My\ Group /media/share

Cheers,
Steve

Re: [Samba] Grant only one AD group to samba share ?

2012-05-21 Thread Dale Schroeder

On 05/21/2012 3:42 PM, Newman, John W wrote:

OK, I definitely am missing something.  the group IDs do seem to work somewhat, 
but perhaps I just have the wrong syntax.  I keep going back to these two lines 
that he put there a long time ago:


winbind separator = \\


If this separator is in effect, then
valid users = @MYDOMAIN\\My Group

Or change to
winbind separator = \

Dale


winbind use default domain = yes


I see others using  or % or @ ...


wbinfo -Y $(wbinfo -n "`wbinfo -g | grep Group`" | cut -d " " -f 1)
10005

so the SID mapping is somehow happening.  It's weird though as each time I call 
that with a different group name, the 1 number just goes up by one.  Like 
it is making up the unix IDs as it goes and perhaps something isn't set right.  
 Shouldn't all of the AD groups be tied to a unix ID automatically, and not 
just making them up one at a time?

Anyway, I'm not sure if that relates to my real problem here or not.  I 
understand the nix security model pretty well ... windows not so much  .. and 
bringing windows permissions into a nix machine, not at all!!  :D   This was 
all set up by another dev who is no longer in our department, I am trying to 
make sense of it and enhance it.

Steve's suggestion below is probably correct to set the permissions on the 
share how I need, but what am I missing to get that chgrp command to work right?

Thanks

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Newman, John W
Sent: Monday, May 21, 2012 15:43
To: 'steve'; samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

Thanks for the suggestion, but .. that doesn't work ...


chgrp My\ Group /media/share
chgrp: invalid group: `My Group'


My Group is a windows AD group, not a local linux group.  The machine is joined to 
the windows domain through net ads join, but I don't think the security is that tightly 
integrated.  I don't have windows groups mapped to linux groups I've created or anything like that.  chgrp 
is expecting a linux group.  Right?

Probably I am missing something, or you guys need more information.  Any 
thoughts?


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of steve
Sent: Monday, May 21, 2012 11:57
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 05/21/2012 05:20 PM, Newman, John W wrote:

All,

On my ubuntu linux machine here, I already have samba set up and
configured with winbind to perform authentication against the local windows 
domain controller. Thankfully that part is all working fine - that was supposed 
to be the hard part. The issue I have now is: I need to grant members of a 
certain AD group access to share (this was supposed to be easy, but is not 
working).

Sanity check of winbind (sample output):
$ wbinfo -g
MYDOMAIN\domain admins
MYDOMAIN\domain users
MYDOMAIN\my group
MYDOMAIN\my group2
Looks good. I need to grant all users in my group access to the share, all 
others shouldn't even see it.

[share]
comment = Testing
path = /media/share
guest ok = no
read only = yes
valid users = @MYDOMAIN\My Group
browseable = no
locking = no
If I put guest ok = yes, everything works fine. If I turn it to no, I get an authentication prompt. 
Answering it with invalid credentials comes back with invalid user name or bad 
password, vs valid credentials says access denied. So I know that the 
authentication with the domain controller is working fine, but limiting access to that group only 
is not.

The group name has a space in it which probably isn't helping. I have tried 
many different combinations, but nothing seems to work. What is the proper 
syntax for this? We have winbind separator=\ earlier in the config file -- 
is that part of the problem maybe?
valid users = @MYDOMAIN\My Group
valid users = @MYDOMAIN\My Group
valid users = MYDOMAIN\My Group
etc
nothing seems to work. My methodology for testing this is fine as soon as i put guest ok 
=yes, the share still works.   What's the right syntax for valid users= My 
Domain\My Group?  Any thoughts?
Thanks,
John

Hi
You don't really need smb.conf to get group only entry.

Just have smb.conf with:

[share]
comment = Testing
path = /media/share

 read only = No

chgrp My\ Group /media/share
chmod 0770 /media/share
chmod g+s /media/share
setfacl -d -Rm g::rw /media/share

Now, only members of My Group can get into the share, no matter what you have 
in smb.conf. Once inside, any files created therein become group rw for My 
Group members.

HTH
Steve

Re: [Samba] idmap_ad partially stopped working after upgrading Samba from 3.4.3 to 3.6.3

2012-05-15 Thread Dale Schroeder

On 05/15/2012 1:12 AM, Javier Conti wrote:

On 14 May 2012 18:58, David Disseldorpdd...@suse.de  wrote:

Hi Javier,

On Mon, 14 May 2012 17:48:09 +0200
Javier Contijavier.co...@gmail.com  wrote:


upgrading from SLES11 SP1 to SLES11 SP2, I upgraded Samba from 3.4.3
to 3.6.3. I was successfully using idmap_ad to authenticate users but
after the upgrade it stopped working and users are not seen by the OS.
Obviously the users I want to see on the Linux server have all RFC2307
attributes populated and are seen by all other SLES11 SP1 servers.

I checked everything (I know) from the Samba point of view, and it almost
seems ok, but wbinfo -i fails as follows:

   # wbinfo -i myuser
   failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
   Could not get info for user myuser

Thanks for your report. As this version of Samba is vendor supported,
I'd encourage you to raise this issue at bugzilla.novell.com.

Do you also encounter this error with winbind use default domain = no
configured, running wbinfo -i MYDOMAIN\\myuser?

Hi David,

as you suggested, I filed a bug there.

I also tried configuring winbind use default domain = no but all the
symptoms seems the same (I obviously restarted winbindd).

Thanks, Javier


Cheers, David


Javier,

It is possible that you are seeing this:

https://bugzilla.samba.org/show_bug.cgi?id=8676

I can confirm that it is still present in 3.6.5.

Dale




Re: [Samba] requesting help setting share permissions

2012-05-10 Thread Dale Schroeder

On 05/10/2012 11:21 AM, Mike Eggleston wrote:

Hi,

I have a share I'm trying to lock down to a specific group and I'm not
holding my mouth right. I want this share available to a single group. I
want this share to have directory permissions 0770 when a directory is
created and file permissions 0660. I want the users accessing this share
to never be able to change these permissions. When a file or directory
is created, I want the group to be the controlling group and nothing else.

I currently have:

[sales]
 comment = Sales files
 path = /opt/group/sales
 valid users = @GRP\sales
 force group = sales
 read only = No
 create mask = 0660
 force create mode = 0660
 security mask = 0660
 directory mask = 0770
 force directory mode = 0770
 directory security mask = 0770
 msdfs root = Yes


What am I doing wrong? I'm testing by copying a file in windows over to
this share, then checking the resulting permissions in unix.

Mike

Fedora Core 5
Samba 3.3.3


Mike,

You never mentioned what your results were or how they were wrong, so 
I'm making a few assumptions.


chown your_user:your_group /opt/group/sales
chmod 2770 /opt/group/sales

In your share, modify 1st two and add the 3rd directive:

directory mask = 2770
force directory mode = 2770
# nt acl support = No makes the Security tab inaccessible in Windows.
nt acl support = No

This is my best guess of what you want.  See if this works for you.  If 
not, please clarify.


Good luck.

Dale


Re: [Samba] requesting help setting share permissions

2012-05-10 Thread Dale Schroeder

On 05/10/2012 1:32 PM, Mike Eggleston wrote:

On Thu, 10 May 2012, Chris Smith might have said:


This:

chgrp GRP\sales /opt/group/sales
chmod 0770 /opt/group/sales

if you already have a bunch of directories and files use find with
xargs to properly set the permissions

With this:

[sales]
comment = Sales files
path = /opt/group/sales
valid users = @GRP\sales
force group = GRP\sales
create mask = 0660
directory mask = 0770
nt acl support = No
inherit permissions = No

Works fine in Samba 3.6.5, don't know about possible behavior changes
with that old 3.3.3.

Or you can use SGID as Dale suggested instead of force group.

Chris

Chris and Dale,

Following Dale's suggestion I have set sgid for all directories in the
/opt/group/sales directory and below.  Now when a file is placed by
windows into this sales share the file has the right group permissions.
The file is still appearing as 0666 rather than 0660. What should I
try next?

Mike


Mike,

I'm not sure what could be overriding your force create mode 
parameter. :-\
Comparing my working share to yours, I have not used the force group, 
or the msdfs root parameters.  You might try disabling one or both to 
see if that corrects the problem.
I did notice that the documentation says the Windows systems have to be 
rebooted to work properly after a Samba msdfs root change, if that 
applies.


Dale
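
A read-only check for the state this thread is aiming at (files 0660, directories 2770 with the setgid bit, one controlling group, nothing for other), added here as an example; it is not code from any poster or from Samba. The names audit_share and build_demo_tree and the demo files are made up for the example.

```python
import os
import stat
import tempfile

FILE_MODE = 0o660   # target file mode from the thread
DIR_MODE = 0o2770   # target directory mode from the thread (setgid + rwxrwx---)


def audit_share(root, gid=None, file_mode=FILE_MODE, dir_mode=DIR_MODE):
    """Walk root and return sorted (path, problem) tuples; nothing is modified.

    problem is one of: "world" (any permission bit set for other), "no-setgid"
    (directory that will not pass its group on to new entries), "mode" (any
    other difference from the target) or "group" (owning group is not gid).
    """
    findings = []

    def check(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return                      # symlink modes are not meaningful
        is_dir = stat.S_ISDIR(st.st_mode)
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o007:
            findings.append((path, "world"))
        elif is_dir and not mode & stat.S_ISGID:
            findings.append((path, "no-setgid"))
        elif mode != (dir_mode if is_dir else file_mode):
            findings.append((path, "mode"))
        if gid is not None and st.st_gid != gid:
            findings.append((path, "group"))

    check(root)
    for parent, dirs, files in os.walk(root):
        for name in dirs + files:
            check(os.path.join(parent, name))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree: one good file, one 0666 file, a plain 0770 root."""
    root = tempfile.mkdtemp(prefix="sales-")
    os.chmod(root, 0o770)
    for name, mode in (("good.xls", 0o660), ("copied-from-windows.doc", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, problem in audit_share(demo, gid=os.stat(demo).st_gid):
        print("%-10s %s" % (problem, path))
```

Run against the real share path with gid set to the numeric id of the sales group, after a test copy from Windows, to see which entries still differ.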




Re: [Samba] transfer users after samba upgrade to new server

2012-05-07 Thread Dale Schroeder

On 05/06/2012 10:14 AM, Bill Szkotnicki wrote:

Hi,

I want to transfer all of my users from an older version of samba to a 
new one here.


The old version is 3.0.28 and the file with user passwords
is /etc/samba/smbpasswd

and the new version is 3.6.5 and there does not seem to be that file 
anymore.

I think the user info is now in
/var/lib/samba/private/passdb.tdb
/var/lib/samba/private/secrets.tdb

My question is how to transport my users to my new system?
i.e. How to convert
/etc/samba/smbpasswd -- /var/lib/samba/private/passdb.tdb

Any suggestions would be greatly appreciated.

Bill


Bill,

The smbpasswd backend is still available; it's just no longer the 
default.  You must explicitly state passdb backend = smbpasswd in 
smb.conf.


To convert, copy the smbpasswd file from the old machine to the new one, 
then follow the example in the Samba HowTo under Account Import/Export 
found at


http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing

Good luck.

Dale


Re: [Samba] Samba 3.6.4 on Solaris - groups for user inconsistent

2012-04-13 Thread Dale Schroeder

Toby,

This may or may not be relevant for you ==

There are some winbind issues in 3.6.x.  The one affecting me can be 
found here:

https://bugzilla.samba.org/show_bug.cgi?id=8676

Maybe something there will look familiar to you.

idmap_ad issue from last week in 3.6.x:
http://lists-archives.com/samba/63876-resolved-ctdb-and-pacemaker-last-mile-ctdb-complains-cluster-ip-is-not-a-public-address.html

Good luck,
Dale


On 04/12/2012 8:41 PM, Toby Riddell wrote:

I'd like to avoid adding a group mapping if possible.

groups triddel returns 6 groups.

The strange thing is that with version Samba 3.5.8 everything was working fine...

On 12 April 2012 22:00, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Can you add a group mapping for your unix group to a Windows group?
(net groupmap add )

If you do a groups triddel on the unix command line, how many groups
are you in?  Unix groups mapped to Windows groups get double-counted,
which can push you over 16 groups.  My environment is Samba 3.x. PDC's
so not the same as yours.

FYI The latest (as of a few months back) Solaris 10 kernels finally let
you set ngroups_max=1024.

147441-10 (x86_84)
147440-10 (sparc)

Most previous ones allowed ngroups_max=32.  Except 147441-09 /147441-09
actually rolled it back to ngroups_max=16.




On 04/12/12 13:21, Toby Riddell wrote:

Hi all,

I'm having an issue with Samba 3.6.4 on Solaris using Active Directory
with a Windows Server 2008 domain controller. I should state early on
that I do not believe this is a manifestation of the Solaris 16 group
limit - the number of groups is well below 16.

Winbind seems to be working fine - I can use wbinfo -r to check the
groups that a user is a member of, it returns the list of Active
Directory groups that the userid belongs to:

# /opt/samba/bin/wbinfo -r triddel
5000
10501
1
10586
20001

(You'll note that the above list differs from the lists below - this
is because some of the groups have no NIS domain defined in AD.)

What I see is smbd panicking when initialising groups for a user, it
seems to be trying (and failing) to set one of the groups to  -1:

[2012/04/12 18:01:20.950498, 10] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 10017
   Primary group is 5000 and contains 11 supplementary groups
   Group[  0]: 5000
   Group[  1]: -1
   Group[  2]: 10501
   Group[  3]: 1
   Group[  4]: 10586
   Group[  5]: 10590
   Group[  6]: 10505
   Group[  7]: 20002
   Group[  8]: 20003
   Group[  9]: 20004
   Group[ 10]: 20001

The corresponding truss output looks like this:

6114:   setgroups(11, 0x08933B50)   Err#22 EINVAL
6114: 5000-1 10501 1 10586 10590 10505 20002 20003 20004
6114:20001

The group with gid -1 corresponds to a group defined in /etc/group,
the rest come from Active Directory.

Occasionally smbd works correctly, and I see this in the log:

[2012/04/12 17:57:58.790716, 10] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 10017
   Primary group is 5000 and contains 10 supplementary groups
   Group[  0]: 5000
   Group[  1]: 10501
   Group[  2]: 1
   Group[  3]: 10586
   Group[  4]: 10590
   Group[  5]: 10505
   Group[  6]: 20002
   Group[  7]: 20003
   Group[  8]: 20004
   Group[  9]: 20001

This may not be relevant, but I also see the list of groups being shuffled:

[2012/04/12 18:01:17.915485, 10] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 10017
   Primary group is 5000 and contains 11 supplementary groups
   Group[  0]: 5000
   Group[  1]: 10501
   Group[  2]: 1
   Group[  3]: 10586
   Group[  4]: -1
   Group[  5]: 10590
   Group[  6]: 10505
   Group[  7]: 20002
   Group[  8]: 20003
   Group[  9]: 20004
   Group[ 10]: 20001

The Samba config. looks like this:

[global]
disable spoolss = Yes
disable netbios = yes
show add printer wizard = No
security = ADS
log level = 10
realm = FOO.BAR.COM
password server = *
kerberos method = system keytab
workgroup = INTRA
client lanman auth = no
client ntlmv2 auth = yes
max protocol = SMB2

winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind cache time = 15

idmap config * : range = 2-3
idmap config * : backend = tdb
idmap config INTRA : backend = ad
idmap config INTRA : range = 1000-2
idmap config INTRA : schema_mode = rfc3207

[foo]
path = /live/home/triddel
read only = no
force create mode = 0600
force directory mode = 2700
browsable = no

Can anyone shed any light on this?

Thanks.

Toby



Re: [Samba] RESOLVED CTDB and Pacemaker - last mile!!! - CTDB complains cluster IP is not a public address

2012-04-09 Thread Dale Schroeder

On 04/05/2012 5:13 PM, Errol Neal wrote:

Errol Neal  wrote:

 This project has been on my bucket list for a long time with a 
higher priority than say visiting Japan :)
For the last several days, I've been knee deep in XCP, OCFS2, Samba, CTDB and 
Pacemaker; trying to get all these technologies to coalesce into one solution, 
and I think I'm at the last mile.
I finally have two debian squeeze VMs (BIM AND BAM) on XCP 1.0 that are running 
Samba 3.6 in an HA configuration! But I have one small problem.. when I connect 
to a share on the cluster IP (pacemaker IPaddr2 resource), I get an access 
denied and an error in log.ctdb:


SNIP

The problem was my smb.conf file. I changed my idmap config to be idmap config 
* versus FOO and my idmap config backend to be tdb.

The symptoms were that wbinfo -u and -g were returning groups and users, but 
getent wasn't and wbinfo -i wasn't working either..

Hope this helps someone in the future.


Errol,

Your listed symptoms regarding the results of wbinfo and getent are 
quite similar to this:

https://bugzilla.samba.org/show_bug.cgi?id=8676
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

The idmap_ad backend has not been previously mentioned, and you're using 
ctdb, still I can't help but wonder if you are seeing another 
manifestation of this bug.

Do you think that's a reasonable possibility?

Dale


Re: [Samba] IDMAP dump and restore for second server.

2012-03-23 Thread Dale Schroeder

Johan,

The tdb backend will not yield the same id's across multiple servers; 
however, the rid backend does.


When using rid, locate winbindd_cache.tdb and run tdbdump on that file 
to see the info stored by rid.


Dale


On 03/23/2012 5:51 AM, Johan Hendriks wrote:

Thanks for the reply.

probably my lack of understanding the whole thing is making it a little 
confusing for me.

Is there a way to get the same id's on a second server?
Now I have the same config on both servers, only the id numbers are different.

Must I change

idmap config DOMAIN1 : backend = rid
idmap config DOMAIN1 : base_rid = 500
idmap config DOMAIN1 : range = 1 - 2

idmap config DOMAIN2 : backend = rid
idmap config DOMAIN2 : base_rid = 500
idmap config DOMAIN2 : range = 3 - 4

TO


idmap config DOMAIN1 : backend = tdb
idmap config DOMAIN1 : base_rid = 500
idmap config DOMAIN1 : range = 1 - 2

idmap config DOMAIN2 : backend = tdb
idmap config DOMAIN2 : base_rid = 500
idmap config DOMAIN2 : range = 3 - 4


thanks again.


regards
Johan Hendriks



Hi,

everything is fine:

You are using the rid backend for your domains (DOMAIN1 and DOMAIN2). This is a 
purely algorithmical method for doing id mappings. These mappings are not 
stored in databases but calculated each time (at least when the cache entries 
expire).

The default backend tdb is only used for anything but
DOMAIN1 and DOMAIN2. Apparently you don't have a third real domain around, 
which is why there are so few mappings in the db and hence in the dump.

Hope this helps.

Cheers - Michael


Johan Hendriks wrote:

Hello all.

I use Samba 3.6.3 on FreeBSD in combination with ZFS, and it all works fine.
I use zfs send to receive my store on a backup machine and i want the users id 
to be the same as on the master server so to say.
Keeps my backups easily accessible with samba!

Now I know I can dump the IDMAP database using the following: net idmap dump.

I expect a whole bunch of lines, but I get the following; we have around 70
users

filer01 ~ # net idmap dump
dumping id mapping from /var/db/samba/winbindd_idmap.tdb
GID 150004 S-1-5-11
GID 150005 S-1-5-32-546
USER HWM 15
GID 150002 S-1-1-0
GID 150003 S-1-5-2
GROUP HWM 150006
filer01 ~ #

Also a tdbdump /var/db/samba/winbind_idmap.tdb gives me a small amount of Lines.

tdbdump /var/db/samba/winbindd_idmap.tdb
{
key(11) = GID 150002\00
data(8) = S-1-1-0\00
}
{
key(9) = S-1-5-11\00
data(11) = GID 150004\00
}
{
key(13) = S-1-5-32-546\00
data(11) = GID 150005\00
}
{
key(11) = GID 150005\00
data(13) = S-1-5-32-546\00
}
{
key(11) = GID 150003\00
data(8) = S-1-5-2\00
}
{
key(9) = USER HWM\00
data(4) = \F0I\02\00
}
{
key(8) = S-1-1-0\00
data(11) = GID 150002\00
}
{
key(11) = GID 150004\00
data(9) = S-1-5-11\00
}
{
key(8) = S-1-5-2\00
data(11) = GID 150003\00
}
{
key(10) = GROUP HWM\00
data(4) = \F6I\02\00
}
{
key(14) = IDMAP_VERSION\00
data(4) = \02\00\00\00
}

wbinfo -u and wbinfo -g as id username all works fine.

The relevant config part (as far as i know)

template homedir = /sanstorage/sambashare/home/%U
winbind use default domain = yes
winbind cache time = 3600
winbind nested groups = yes
winbind separator = |
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
allow trusted domains = yes

idmap config * : backend = tdb
idmap config * : range = 1-8

idmap config DOMAIN1 : backend = rid
idmap config DOMAIN1 : base_rid = 500
idmap config DOMAIN1 : range = 1 - 2

idmap config DOMAIN2 : backend = rid
idmap config DOMAIN2 : base_rid = 500
idmap config DOMAIN2 : range = 3 - 4

Is there a problem, or am I missing something?
I have been googling a lot, but could not find something related.

Thanks for your time

Regards
Johan Hendriks


Re: [Samba] Samba wbinfo error message Could not get info for user xxxxxx

2012-03-14 Thread Dale Schroeder
What error messages are you getting in the logs, and which idmap backend 
are you using?


Dale


On 03/14/2012 12:33 PM, kartheek katakam wrote:

Thanks Bernd,

but it was helpful, I restarted the winbind service I still see the same
issue.



On Wed, Mar 14, 2012 at 1:06 PM, Bernd Markgraf
bernd.markg...@med.ovgu.de wrote:


Hi,

I've seen the same error today. Had to restart winbindd (after running
for like 200days). That made things work nicely again.

  Bernd

On Wed, 2012-03-14 at 12:28 -0400, kartheek katakam wrote:

Hi Everyone,

I am running into this issue, when I integrated linux host to AD using
samba.
when I run wbinfo -u it is listing all AD users.
but when I pick any one of the users from the o/p of the previous command and run
wbinfo -i for that user I am getting this error message, any idea ??

#wbinfo -i xx
Could not get info for user xx
# rpm -qa | grep samba
samba-3.5.10-114.el6.x86_64
samba-common-3.5.10-114.el6.x86_64
samba-client-3.5.10-114.el6.x86_64
samba-winbind-clients-3.5.10-114.el6.x86_64
samba-winbind-3.5.10-114.el6.x86_64
#

Thanks,






Re: [Samba] problem for joining the domain.

2012-03-06 Thread Dale Schroeder

On 03/06/2012 9:10 AM, Rajeev R. Veedu wrote:

I am having a problem joining one of my machines to the 2003 AD. I have used 
the same config on another machine and it works fine. I am not able to figure 
out where I am going wrong. I would appreciate it if you could help. My samba 
version is 3.6.3-44 on Centos 6

This is what I get

[root@scan_srv2 tmp]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMAIN
Joined 'SCAN_SRV2' to realm 'DOMAIN.com'
DNS Update for scan_srv2.DOMAIN.com failed: ERROR_DNS_INVALID_NAME


For DNS, underscores _ are not a valid character in the hostname; 
changing to a hyphen - should stop that error message.

Android phones are notorious for causing this error with DHCP/DNS.

More info:  
http://networkadminkb.com/KB/a156/windows-2003-dns-and-the-underscore.aspx


Dale


DNS update failed!

My smb.config is


workgroup = DOMAIN
admin users = Administrator
realm = DOMAIN.COM
server string = Linux Samba File Server
security = ADS
encrypt passwords = yes
preferred master = no
template shell = /bin/false
template homedir = /home/%D/%U
idmap uid = 1-2
idmap gid = 1-2
enhanced browsing = no
winbind use default domain = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = /
server string = scan_srv2
netbios name = scan_srv2
password server = 192.168.1.223
debuglevel = 10
[Data]
 comment = P drive and T drive
 path = /Data/Data-01/
 writable = yes
 guestok = yes
 nt acl support = yes
 #inherit acls = yes
 #inherit permissions = yes

My krb5.conf

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = DOMAIN.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes

[realms]
  DOMAIN.COM = {
   kdc = projects01.DOMAIN.com
   admin_server = 192.168.1.223
   default_domain = DOMAIN.com
  }

[domain_realm]
  .kerberos.server = DOMAIN.COM
  .DOMAIN.com = DOMAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}





Re: [Samba] Domain users are loosing there groups after some time.

2012-03-02 Thread Dale Schroeder

On 03/02/2012 5:39 AM, Benedikt Schindler wrote:

Samba version : 3.6.3
Filesystem :BTRFS
Clients :   XP, Win7
Log Level : 5


When we start our samba server everything works fine.
After a few days, some of our users are not allowed to connect to shares
anymore. When we restart the clients they can connect for a short time
and then say have the same problem again.

When we restart the server everything works fine for a few days again.
We set the winbind offline logon = yes and it slowed down the process,
but didn't stop it.

After a long search i think i found the problem.

The user has 401217 as mapped ID,
and should be in the groups
   400513
   401612
   401609
   401611

But samba just put him into
   400513
   401612
   401611

So samba lost one group. And that's the reason the user is not allowed to
connect to the share, because only the group 401609 has a read permission.

Any ideas how that could happen?


Here is a log of a failed login:


[2012/03/02 11:37:52.842978,  5]
../libcli/security/security_token.c:63(security_token_debug)
   Security token SIDs (15):
 SID[  0]: S-1-5-21-1004336348-920026266-682003330-1217
 SID[  1]: S-1-5-21-1004336348-920026266-682003330-513
 SID[  2]: S-1-5-21-1004336348-920026266-682003330-1612
 SID[  3]: S-1-5-21-1004336348-920026266-682003330-1609
 SID[  4]: S-1-5-21-1004336348-920026266-682003330-1611
 SID[  5]: S-1-1-0
 SID[  6]: S-1-5-2
 SID[  7]: S-1-5-11
 SID[  8]: S-1-22-1-401217
 SID[  9]: S-1-22-2-400513
 SID[ 10]: S-1-22-2-401612
 SID[ 11]: S-1-22-2-401611
 SID[ 12]: S-1-22-2-7
 SID[ 13]: S-1-22-2-70002
 SID[ 14]: S-1-22-2-70011
Privileges (0x   0):
Rights (0x   0):
[2012/03/02 11:37:52.843247,  5]
auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 401217
   Primary group is 400513 and contains 6 supplementary groups
   Group[  0]: 400513
   Group[  1]: 401612
   Group[  2]: 401611
   Group[  3]: 7
   Group[  4]: 70002
   Group[  5]: 70011
[2012/03/02 11:37:52.843372,  5] smbd/uid.c:317(change_to_user_internal)
   Impersonated user: uid=(0,401217), gid=(0,400513)
[2012/03/02 11:37:52.843408,  4] smbd/vfs.c:780(vfs_ChDir)
   vfs_ChDir to /home/data
[2012/03/02 11:37:52.843443,  4] smbd/vfs.c:780(vfs_ChDir)
   vfs_ChDir to /home/data
[2012/03/02 11:37:52.843476,  3] smbd/service.c:190(set_current_service)
   chdir (/home/data) failed, reason: Keine Berechtigung
[2012/03/02 11:37:52.843509,  3] smbd/error.c:81(error_packet_set)
   error packet at smbd/process.c(1558) cmd=50 (SMBtrans2)
NT_STATUS_ACCESS_DENIED




Configuration parts that are maybe interesting:
smb.conf:


security = ADS

socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
nt acl support = yes
vfs objects = acl_xattr

winbind enum users = yes
 winbind enum groups = yes
 winbind offline logon = yes
 allow trusted domains = yes

 idmap config * : backend = rid
 idmap config * : range   = 7-9
 idmap config * : base_rid= 0

 idmap config A : backend = rid
 idmap config A : range   = 40-49
 idmap config A : base_rid= 0

 idmap config B : backend  = rid
 idmap config B : range= 30-39
 idmap config B : base_rid = 0


Benedikt,

Check this bug - https://bugzilla.samba.org/show_bug.cgi?id=8676 - to 
see if any of these symptoms match those of your systems when the group 
loss happens.


Dale
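
Added example (not from any poster, and not Samba code): the arithmetic mapping that the rid backend performs, as described in the "IDMAP dump and restore for second server" thread above, used here to compare the two token dumps in Benedikt's log and list domain groups that are in the security token but absent from the UNIX token. The range 400000-499999 and the function names are assumptions of this example; the log lines are copied from the post.

```python
import re

# Domain SID prefix as it appears in the log posted in this thread.
DOMAIN_SID = "S-1-5-21-1004336348-920026266-682003330"
# Assumptions for this example: idmap_rid computes
#     unix_id = RID - base_rid + low end of the range
# with base_rid = 0 and a range of 400000-499999. That agrees with the pair
# RID 1217 <-> UID 401217 in the log; it is not read from the posted smb.conf.
RANGE_LOW, RANGE_HIGH, BASE_RID = 400000, 499999, 0

# Failed login from the post, trimmed to the two token dumps.
SAMPLE_LOG = """\
   Security token SIDs (15):
 SID[  0]: S-1-5-21-1004336348-920026266-682003330-1217
 SID[  1]: S-1-5-21-1004336348-920026266-682003330-513
 SID[  2]: S-1-5-21-1004336348-920026266-682003330-1612
 SID[  3]: S-1-5-21-1004336348-920026266-682003330-1609
 SID[  4]: S-1-5-21-1004336348-920026266-682003330-1611
 SID[  5]: S-1-1-0
 SID[  6]: S-1-5-2
 SID[  7]: S-1-5-11
 SID[  8]: S-1-22-1-401217
 SID[  9]: S-1-22-2-400513
 SID[ 10]: S-1-22-2-401612
 SID[ 11]: S-1-22-2-401611
 SID[ 12]: S-1-22-2-7
 SID[ 13]: S-1-22-2-70002
 SID[ 14]: S-1-22-2-70011
   UNIX token of user 401217
   Primary group is 400513 and contains 6 supplementary groups
   Group[  0]: 400513
   Group[  1]: 401612
   Group[  2]: 401611
   Group[  3]: 7
   Group[  4]: 70002
   Group[  5]: 70011
"""

SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-[\d-]+)")
GROUP_RE = re.compile(r"Group\[\s*\d+\]:\s*(-?\d+)")
USER_RE = re.compile(r"UNIX token of user (\d+)")


def rid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=RANGE_LOW,
                   high=RANGE_HIGH, base_rid=BASE_RID):
    """Map a domain SID to a uid/gid arithmetically; None if it is not mappable."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid or not rid.isdigit():
        return None          # other domain, well-known SID or S-1-22-* unix SID
    unix_id = int(rid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


def parse_logins(log_text):
    """Split smbd debug output into one record per login: SIDs, uid, unix groups."""
    logins, current = [], None
    for line in log_text.splitlines():
        if "Security token SIDs" in line:
            current = {"sids": [], "uid": None, "groups": []}
            logins.append(current)
            continue
        if current is None:
            continue
        for regex, store in ((SID_RE, "sids"), (GROUP_RE, "groups"), (USER_RE, "uid")):
            match = regex.search(line)
            if not match:
                continue
            if store == "sids":
                current["sids"].append(match.group(1))
            elif store == "groups":
                current["groups"].append(int(match.group(1)))
            else:
                current["uid"] = int(match.group(1))
            break
    return logins


def dropped_groups(log_text, **idmap):
    """Return (uid, sid, expected_gid) for domain groups missing from the UNIX token."""
    findings = []
    for login in parse_logins(log_text):
        present = set(login["groups"])
        # SID[0] is the user's own SID in this log layout; the rest are groups.
        for sid in login["sids"][1:]:
            gid = rid_to_unix_id(sid, **idmap)
            if gid is not None and gid not in present:
                findings.append((login["uid"], sid, gid))
    return findings


if __name__ == "__main__":
    for uid, sid, gid in dropped_groups(SAMPLE_LOG):
        print("uid %d: %s should map to gid %d, not in UNIX token" % (uid, sid, gid))
```

Because the mapping depends only on the RID, base_rid and the low end of the range, two servers with the same idmap config lines compute the same ids, and a run of this check over a level 5 log.smbd shows which logins lost a group.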



Re: [Samba] rid/autorid issues 3.6.2

2012-02-24 Thread Dale Schroeder

On 02/23/2012 5:59 PM, dack wrote:
I'm having issues with idmap autorid and rid on 3.6.2.  If I use tdb 
backend, it works fine.


If I do wbinfo -i testuser when using rid/autorid, I get this:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testuser

The same command with tdb returns the info as expected.

wbinfo -u and wbinfo -g work fine under all configurations.

I could not find anything relevant on bugzilla either.  Anyone have 
any ideas?


Here's my settings:

#with tdb (this works perfectly)
idmap config MYDOMAIN : range = 2 - 2000
idmap config MYDOMAIN : backend = tdb

#with rid (does not work)
idmap config MYDOMAIN : range = 2 - 2000
idmap config MYDOMAIN : backend = rid


You're probably seeing this:

https://bugzilla.samba.org/show_bug.cgi?id=8676

For me, started with 3.5 to 3.6 upgrade.

Dale


Re: [Samba] login from Windows xp

2012-01-25 Thread Dale Schroeder

On 01/24/2012 8:46 PM, Craig Ham wrote:

So I've got Ubuntu and Samba servers up and running.

I create a user in linux and on samba, both same username and password.  I
then follow the steps to create a share for that user.

 From a WinXp SP3 workstation I double click the Ubuntu server name, I see
the share, I double click and get a login prompt.
I enter the samba/linux username and password but it fails to log me in.
  What should I check or do?


You should probably provide your samba version and smb.conf for the list 
to review.


Dale


Re: [Samba] Error while display user info using wbinfo command

2012-01-20 Thread Dale Schroeder

On 01/20/2012 10:25 AM, kartheek katakam wrote:

Dale,

The installed version of Samba is 3.5.10-114.e16.
samba.x86_64   3.5.10-114.el6   @base

--
and I noticed error messages as well on /var/log/samba/log.smbd
[2012/01/20 10:12:42.741585,  0] printing/print_cups.c:109(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/01/20 10:12:42.742071,  0] 
printing/print_cups.c:468(cups_async_callback)

  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/01/20 10:12:42.742413,  0] smbd/server.c:281(remove_child_pid)
  Could not find child 6579 -- ignoring


Any idea,

Thanks,


Kartheek,

Then you should probably supply the [global] section of your smb.conf to 
the list.


Someone with experience with idmap ad (of which I have none) might be 
able to help you.


Dale


Re: [Samba] Error while display user info using wbinfo command

2012-01-18 Thread Dale Schroeder

On 01/17/2012 7:35 PM, kartheek katakam wrote:

Hello,

I was trying to integrate AD to Cent OS 6 server. As part of it I was
running into these error, listed below. Authentication is successful
against the AD server using wbinfo, but I can't list user information
using wbinfo. Not sure what might be the issue.

error message:
[2012/01/17 15:12:49.472876,  1]
winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)

   Could not get unix ID


[root@HOSTNAME1V ~]# wbinfo -a z5073%Car108

plaintext password authentication succeeded

challenge/response password authentication succeeded

[root@HOSTNAME1V ~]# wbinfo -i z5073

Could not get info for user z5073

[root@HOSTNAME1V ~]#


Thanks & Regards,


You didn't state the Samba version you are using, but if it's 3.6.x, 
then it may be related to this bug:


https://bugzilla.samba.org/show_bug.cgi?id=8676

Dale


Re: [Samba] Samba 3.6 problems with idmap rid

2012-01-15 Thread Dale Schroeder

On 01/15/2012 12:35 PM, Jakov Sosic wrote:

Hi!

I am using mainly Samba 3.5 on CentOS, and I was very pleased with
idmap_rid backend for SID-to-RID mappings.

But on Solaris 10, I can only use 3.6 because OpenCSW ships only 3.6.
Problem is, things are changed and are not working as expected...

Here is my config on RHEL Samba 3.5:

[global]
 workgroup = WINDOMAIN
 realm = WINDOMAIN.LOCAL
 server string = localserver (Samba ver. %v)
 security = ADS
 allow trusted domains = No
 password server = someserver.windomain.local
 log file = /var/log/samba/log.%m
 load printers = No
 local master = No
 domain master = No
 idmap backend = idmap_rid:WINDOMAIN=1-4
 idmap uid = 1-4
 idmap gid = 1-4
 winbind use default domain = Yes
 cups options = raw



And it works like a charm. On a version 3.6:

[global]
 workgroup = WINDOMAIN
 realm = WINDOMAIN.LOCAL
 server string = localserver (Samba ver. %v)
 security = ADS
 allow trusted domains = No
 username map = /etc/opt/csw/samba/smbusers
 syslog = 0
 log file = /var/opt/csw/samba/log/%m.log
 max log size = 500
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 load printers = No
 local master = No
 domain master = No
 winbind use default domain = Yes
 idmap config * : range = 1-4
 idmap config * : backend = rid : WINDOMAIN=1-4


Now, on a 3.6 I have the following problem:

# net ads testjoin
Join is OK

# net rpc testjoin
Join to 'WINDOMAIN' is OK

# net getlocalsid
SID for domain LOCALSERVER is: S-1-5-21-1414315435-1886595200-1013317001

# wbinfo -u | grep jakov.sosic
jakov.sosic

# wbinfo -i jakov.sosic
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user jakov.sosic


Where am I wrong? Why can't I get rid mappings for domain users?


Jakov,

That looks similar to what Robert LeBlanc posted with Samba Bug 8676 
(Debian Bug 652679).  Compare his findings to what you see.


https://bugzilla.samba.org/show_bug.cgi?id=8676
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

On my test systems using RID, I see similar, but not identical symptoms 
to his HASH backend.  For me, a reboot will restore connectivity until I 
need to restart Samba or winbind.  Then nothing but another reboot will 
get winbind working again.


Dale


Re: [Samba] issues with printing

2012-01-06 Thread Dale Schroeder

On 01/05/2012 9:23 AM, Tom Ryan wrote:

On 1/5/12 9:31 AM, Tom Ryan tomr...@camlaw.rutgers.edu wrote:


[2012/01/05 09:18:54.928729,  3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DOMAIN\machinename$ via getpwnam(),
denying access.
[2012/01/05 09:18:54.929709,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [machinename$] -
[machinename$] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/01/05 09:18:54.929807,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

You might recall that we don't use winbind so I'm at a loss as to why this
happens sporadically and what I can do (short of editing the code) to work
around it.


Thoughts?

Ok, so I have found out if I put

DOMAIN\machinename$
And
machinename$

In /etc/passwd

Then everything works.. However, that really isn't acceptable.

Does anyone have a solution??


Tom,

As you've probably noticed, printing problems don't get a lot of 
responses.  I'm uncertain as to why.

I don't know what you've already checked, so I'll give a few generalities.

Samba 3.6 had a rewrite of the printing code.  If you haven't already, 
you can read about it here:

http://www.samba.org/samba/history/samba-3.6.0.html

There is at least 1 known printing bug, and I've experienced it.  It is 
found here:

https://bugzilla.samba.org/show_bug.cgi?id=8384

Would guest access to the printing shares fix your problem?
guest ok = Yes

If these suggestions are all strikeouts, perhaps post the global and 
printing sections of your smb.conf.

Someone else may see something there.

Dale


Re: [Samba] Samba Folder Permissions

2012-01-03 Thread Dale Schroeder

Stefan,

I'm not certain as to the cause of your problem, but as a test, try 
adding to [global] == map untrusted to domain = Yes to see if there 
is any improvement.


Do you need force group = users?  If uncertain, try turning it off.  
To satisfy my curiosity, what is the output of getfacl /home/groups?


Dale


On 01/03/2012 11:43 AM, Stefan Horning wrote:

Hi Aaron,
thanks for your reply. I already have the /home Partition mounted with 
ACL enabled. However I don't use ACL permissions for the described 
folders. If I would set permissions with setfacl I would just give the 
same permissions than with unix rights. I only need one group to have 
rwx access, nothing more. In other samba setups I used, that was never 
a problem, but those were no Domain setups...


Stefan


On 03.01.2012 17:31, Aaron E. wrote:

Check your extended ACL permissions and verify that they are enabled for
your kernel..

On 01/03/2012 09:05 AM, Stefan Horning wrote:

Hello list members,
my name is Stefan, this is my first post to this Mailinglist, so please
bear with me. ;)
I am working as a Network Administrator of a small Office Network. We
use Debian Server as Samba PDC and Fileserver.
The Domain runs pretty well with all the Windows 7 Clients. I have just
one thing that bugs me.
In the groupshare we set up, users can only access folders that are
world readable, for some reason. As a temporary fix I put all users into
the Domain Admin group, so they can at least use the groupshare.

But first of all you probably want to know the details. The Samba
Version is 3.5.6

This is my smb.conf:
-
[global]
netbios name = SCM-SRV-01
server string = Domain Server (%h)
workgroup = SCM
interfaces = eth1 eth2 eth3
bind interfaces only = yes
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
local master = yes
preferred master = yes
os level = 200
domain master = yes
domain logons = yes
logon path = \\%L\%U\profile
logon drive = h:
logon script = login.bat
profile acls = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/AppData/profile.V2/
hide dot files = yes
wins support = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
socket options = TCP_NODELAY

#=== Share Definitions ===

[homes]
comment = Home Directories
browseable = no
valid users = %S
writeable = yes
create mode = 0600
directory mode = 0700

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writeable = no
share modes = no

[groups]
writable = yes
path = /home/groups
force group = users
comment = All group folders
create mode = 660
directory mode = 770
---

Output of net groupmap list:

Domain Users (S-1-5-21-2431676908-1022338963-3230702413-513) -> users
Domain Guests (S-1-5-21-2431676908-1022338963-3230702413-514) -> guests
Domain Admins (S-1-5-21-2431676908-1022338963-3230702413-512) -> domainadmin
---

Like I said, everything works well, except the permissions in the share
[groups].

All linux (and therefore domain) users are in the primary group users.
All the employees are in the group 'mitarbeiter'.

So if I set /home/groups to
drwxr-x-- 11 root users 4096 2. Jan 13:08 groups/
the share is not accessible. Even though all users are in the group
users and should therefore be able to read that folder.
If I put users into the domainadmin group, group permissions work as
expected. All employees can access subfolders of groups which are
readable to mitarbeiter (but not others they have no permissions for)
and can also read the content of /home/groups. So the mapping of unix
groups from Windows7 works without problems.

Folder permission in Samba can only be realized if I make folders world
readable, which is not what I want for all folders.

After extensive internet research I could not figure out what I am doing
wrong. I also had similar samba setups where unix group permissions
always were correctly used in samba.

I suspect it being a problem with domain groups and their mapping. I
also tried to create some samba Domain Groups and map them to the local
unix groups, which didn't make a difference either.

So I hope anybody on this list knows what the problem is. I am happy to
give more information as needed!


Thanks,
Stefan Horning









Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1

2011-12-22 Thread Dale Schroeder
David, thanks for the help, but I'm afraid that workaround does not work 
for me either.

Robert, thanks for furnishing all that useful info to bugzilla.
Jeremy, thanks for the update on 
https://bugzilla.samba.org/show_bug.cgi?id=8384.


I feel like I'm at the Academy Awards.
Merry Christmas to all. [];o{P

Dale


On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
I tried to add idmap config DOMAIN : default = yes and it does not 
help. I'm using hash. I've found some interesting things that I've 
included in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.


Robert

On Wed, Dec 21, 2011 at 5:33 PM, David Roid datar...@gmail.com wrote:


Been there, you can try to add either idmap config DOMAIN :
default = yes, or use old-fashion idmap backend = ... + idmap
uid = ... + idmap gid = ... to replace idmap config * : ...,
I don't know which one actually fixed it.

2011/12/22 Dale Schroeder d...@briannassaladdressing.com

Originally filed by Robert LeBlanc as Debian Bug # 652679 -
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

Quote

Package: winbind
Version: 2:3.6.1-3
Severity: important

Dear Maintainer,

After upgrading to 3.6.1 I am no longer able to login to
Debian using my Active Directory account.
'winbind -u', 'winbind -g', 'winbind -t' and many others work
fine, but 'winbind -i user' returns
'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could
not get info for user user'. Changing
the verbosity of the logs, I find
'winbindd/winbindd_dual.c:1306 (fork_domain_child)
fork_domain_child
called without domain.'. The previous wbint_Sid2Uid struct
printout shows that dom_name is NULL,
but has the correct domain SID. I believe the problem may
exist around there. I did upgrade the
'idmap backend = hash' to the new format 'idmap config * :
backend = hash' as specified in the man
page without any luck. Name to SID and SID to name works along
with user-domgroups, but user-groups
does not work. 'wbinfo --group-info=group' fails with a
similar error as 'wbinfo -i user'. I'm
going to try to get back to 3.5.11.

-- System Information:
Debian Release: wheezy/sid
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages winbind depends on:
ii  adduser           3.113
ii  libc6             2.13-21
ii  libcap2           1:2.22-1
ii  libcomerr2        1.42-1
ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
ii  libk5crypto3      1.10+dfsg~alpha1-6
ii  libkrb5-3         1.10+dfsg~alpha1-6
ii  libldap-2.4-2     2.4.25-4+b1
ii  libpam0g          1.1.3-6
ii  libpopt0          1.16-1
ii  libtalloc2        2.0.7-3
ii  libtdb1           1.2.9-4+b1
ii  libwbclient0      2:3.6.1-3
ii  lsb-base          3.2-28
ii  samba-common      2:3.6.1-3
ii  zlib1g            1:1.2.3.4.dfsg-3

Versions of packages winbind recommends:
ii  libpam-winbind  2:3.6.1-3

winbind suggests no packages.

-- no debconf information

/Quote

I also have this error, and reported as follows:

Robert,

Same problem here, and I have not seen anyone mention this on
the Samba
list.  Systems are fully updated and testparm does not return any
errors.  idmap backend is rid notated in the new format.  All
deprecated
parameters have been removed.

On my systems, I have found that full functionality returns
after a
reboot; however, if samba/winbind processes are restarted for any
reason, AD authentication again no longer works.  As with you,
wbinfo
-u/-g continues to work, as does getent passwd.  getent group only
returns linux groups.  Another reboot will return winbind once
again to
full functionality.

Even at log level 10, error messages have been hard to find
among the
many winbind logs.  At the time of failure, the one I
consistently find
is in syslog:
   winbindd[4186]:  ads_ranged_search failed with: Time limit
exceeded.

--

This morning, I recreated the error by restarting
Samba/winbind at 07:47.
The only suspicious level 10 log entries found from that
timeframe are:

syslog
Dec 21 07:47:25 debinsp3200 winbindd[3489

[Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1

2011-12-21 Thread Dale Schroeder
 config * : range  = 100 - 2000
idmap config DOMAIN : backend   = rid
idmap config DOMAIN : range = 1000 - 9
template homedir =/home/domain/%U
template shell = /bin/bash
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = Yes
#
printing = cups
print command =
lpq command = %p
lprm command =
veto oplock files = /*.doc/*.xls/*.mdb/
map archive = No
map readonly = no
store dos attributes = Yes
ea support = Yes
admin users = root, @domain admins


I have seen numerous 3.6.x winbind problems reported, but do not recall 
seeing this one.
Does this look like a Samba bug or is it Debian-specific?  winbind 
fixing itself after a reboot is particularly puzzling.

Any and all suggestions appreciated.

Dale



Re: [Samba] Logging in to a Samba 3.5.6 domain from Windows 7 takes more than 2 minutes.

2011-12-20 Thread Dale Schroeder

On 12/20/2011 5:38 AM, steve wrote

On 12/20/2011 11:23 AM, pradip mondal wrote:

dear all,
  i am also face the same problem. any body give us solution to fast 
login in samba pdc by win7 client.

  regards

Pradip Mondal
9831626957

--- On Tue, 20/12/11, Daniel Hedblomdaniel.hedb...@solleftea.se  
wrote:



From: Daniel Hedblomdaniel.hedb...@solleftea.se
Subject: [Samba] Logging in to a Samba 3.5.6 domain from Windows 7 
takes more than 2 minutes.

To: samba@lists.samba.org
Date: Tuesday, 20 December, 2011, 2:46 PM


Hi, are about to roll out Samba to 2600 users and 1500+ machines and have a
slight problem.

Server: Samba 3.4.9 running on ubuntu 10.04
Client: Windows 7, 32 and 64 bit on various hardware

The problem is that logging in takes time and much of it seems to be the
Windows 7 client just waiting. While 2 minutes may sound pretty ok this is
without any roaming profiles or GPO applied.

The logs shows nothing interesting, on Windows i see error 6005 and 6006
but that's just a standard logging when things take a long time, can be
anything. On a wireshark trace nothing in particular comes up before the
long to the stick timeouts. Anyone else who has seen this problem after
applying the various remedies on this mailing list and from other places
on the internet?


Thankful for any input.
//danielh

Don't allow solid colour desktop backgrounds. Leave the win 7 
background as the stock jpg. Halves the logon time. Samba 3.6, openSUSE.

HTH
Steve


Also see the GPO setting from this thread:

http://lists.samba.org/archive/samba/2010-February/153585.html

Dale


Re: [Samba] question regarding samba permissions

2011-12-15 Thread Dale Schroeder

On 12/14/2011 4:35 PM, skull wrote:


wouldn't work because all the users are in one group anyway.
and i am not allowed to give read rights to any (i.e. 755)

but there's really no option in smb.conf like read only users =  or
something like that?


read list = user1 user2




Am 13.12.2011 17:56, schrieb Raffael Sahli:

 On Tue, 13 Dec 2011 16:38:41 +0100, skullskul...@gmx.ch   wrote:

 I want to make a subfolder read only for certain users.
 for example: /data/pool is public rwx for all users.
 and now i would like to make a /data/pool/subfolder only rwx for user1

 and

 grant read only permissions to user2 and user3
 how do i do this? any links or direct tips on that?

 You have to change the permission on the filesystem and not with Samba.
 set the owner user1 and a group with all other users. After that change
 the dir mod (chmod 0750)


 my suggestion would be something like this, but as you can imagine it
 didn't work:

 # The general datapool where everyone may rwx
 [pool]
  comment = Datapool
  path = /data/pool
  force directory mode = 700
  force create mode = 770
  create mode = 770
  directory mode = 770
  public = yes
  writable = yes
  printable = no
  valid users = user1 user2 user3

 #My new Protected Subfolder
 [Write Protected Subfolder]
  comment = Write Protected Subfolder
  path = /data/pool/subfolder
  force directory mode = 700
  force create mode = 770
  create mode = 770
  directory mode = 770
  public = yes
  writable = yes
  printable = no
  valid users = user1




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
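
An added example, not part of any post in this thread: a simplified Python model of how smbd combines `valid users`, `writable`, `read list` and `write list` for the two shares posted above, with the suggested `read list` applied. The function names, the choice to add user2 and user3 to the subfolder share's `valid users`, and the overlap check are assumptions of this example; filesystem permissions are not modelled.

```python
import posixpath

ORDER = {"none": 0, "read": 1, "write": 2}
YES = ("yes", "true", "1")

# The two shares from the thread with `read list` applied.
# Assumption of this example: user2 and user3 are added to `valid users`
# of the subfolder share, otherwise they could not connect to it at all.
SHARES = {
    "pool": {
        "path": "/data/pool",
        "writable": "yes",
        "valid users": "user1 user2 user3",
    },
    "Write Protected Subfolder": {
        "path": "/data/pool/subfolder",
        "writable": "yes",
        "valid users": "user1 user2 user3",
        "read list": "user2 user3",
    },
}


def listed(user, groups, spec):
    """True if the user, or one of the user's groups (written @group), is in a Samba name list."""
    wanted = {g.lower() for g in groups}
    for name in spec.replace(",", " ").split():
        if name.startswith("@"):
            if name[1:].lower() in wanted:
                return True
        elif name.lower() == user.lower():
            return True
    return False


def share_access(share, user, groups=()):
    """Return 'none', 'read' or 'write': the most the share definition allows."""
    if listed(user, groups, share.get("invalid users", "")):
        return "none"
    valid = share.get("valid users", "")
    if valid and not listed(user, groups, valid):
        return "none"
    if listed(user, groups, share.get("write list", "")):
        return "write"   # write list wins, also over read list
    if listed(user, groups, share.get("read list", "")):
        return "read"    # read list overrides writable = yes
    if "writable" in share:
        read_only = share["writable"].lower() not in YES
    else:
        read_only = share.get("read only", "yes").lower() in YES
    return "read" if read_only else "write"


def shares_exposing(shares, directory):
    """Names of all shares whose path is the directory or one of its parents."""
    target = posixpath.normpath(directory)
    hits = []
    for name, share in shares.items():
        root = posixpath.normpath(share["path"])
        if target == root or target.startswith(root.rstrip("/") + "/"):
            hits.append(name)
    return hits


def widest_access(shares, directory, user, groups=()):
    """Best access any share grants to the directory, before filesystem permissions."""
    levels = [share_access(shares[n], user, groups)
              for n in shares_exposing(shares, directory)]
    return max(levels, key=ORDER.get, default="none")


if __name__ == "__main__":
    sub = SHARES["Write Protected Subfolder"]
    for user in ("user1", "user2", "user3", "user4"):
        print(user,
              "via subfolder share:", share_access(sub, user),
              "| via any share:", widest_access(SHARES, "/data/pool/subfolder", user))
```

The second column is the point: `read list` only applies to connections made through the share that carries it, so the same directory stays writable through [pool] unless the filesystem permissions forbid it.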


Re: [Samba] Samba shares and MS Office 2010 locking

2011-12-14 Thread Dale Schroeder

On 12/14/2011 1:00 PM, Jason Voorhees wrote:

Hi people:

I'm using Samba 3.5.11 with some sharing settings like these:

[global]
 workgroup = MARKETING
 netbios name = SMBSERVER
 server string = Samba, OpenLDAP Server
 obey pam restrictions = Yes
 passdb backend = ldapsam:ldap://localhost;
 passwd program = /usr/sbin/smbldap-passwd %u
 passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
 client lanman auth = Yes
 log level = 2
 log file = /var/log/samba/samba.log
 time server = Yes
 printcap name = cups
 add user script = /usr/sbin/smbldap-useradd -m %u
 delete user script = /usr/sbin/smbldap-userdel %u
 add group script = /usr/sbin/smbldap-groupadd -p %g
 delete group script = /usr/sbin/smbldap-groupdel %g
 add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
 delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
 set primary group script = /usr/sbin/smbldap-usermod -g %g %u
 add machine script = /usr/sbin/smbldap-useradd -w %u
 logon path =
 logon home =
 domain logons = Yes
 preferred master = Yes
 domain master = Yes
 wins support = Yes
 ldap admin dn = cn=admin,dc=marketing-alterno,dc=com
 ldap delete dn = Yes
 ldap group suffix = ou=groups
 ldap idmap suffix = ou=people
 ldap machine suffix = ou=machines
 ldap passwd sync = yes
 ldap suffix = dc=marketing-alterno,dc=com
 ldap ssl = no
 ldap user suffix = ou=people

[sharing]
path = /var/samba/sharing
valid users = @accounting, @Domain Admins
admin users = @Domain Admins
read only = No
inherit permissions = Yes
vfs objects = recycle
recycle:exclude = *.tmp|*.TMP|*.temp|*.o|*.obj|~$*|*.~??|*.log|*.trace
recycle:versions = yes
recycle:keeptree = yes
recycle:repository = .trash


Many times when a user opens, modifies and then closes an Office 2010
document (Word, Excel, Power Point), the file keeps locked. A
different user tries to open the file and gets an error message related
to locking, read only permissions or something similar.
After an unknown amount of time (it could be seconds, minutes, I'm not
sure how long) the locking seems to disappear. I tried some options
settings related to file locking without success. There are so many
options that using the right combination of them to achieve the
expected result is difficult to me.

Has anybody experimented and solved this issue? I hope someone can help me.

Thanks


Jason,

No Office 2007/2010 here, but for Office 2000/XP/2003, I have had good 
luck with


veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/

etc., for all the different office extensions.

Dale


Re: [Samba] Upgraded samba, mostly still works, but have one issue

2011-12-12 Thread Dale Schroeder
 this will be DOMAIN\user. In the case where smbd is
   acting as a domain member server or a standalone server this will be
   WORKSTATION\user.

   In previous versions of Samba (pre 3.4), if smbd was acting as a
   domain member server, the BOGUS domain name would instead be
   replaced by the primary domain which smbd was a member of. In this
   case authentication would be deferred off to a DC using the
   credentials DOMAIN\user.

   When this parameter is set to yes smbd provides the legacy
   behavior of mapping untrusted domain names to the primary domain.
   When smbd is not acting as a domain member server, this parameter
   has no effect.

   Default: map untrusted to domain = no


Dale


Re: [Samba] Upgraded samba, mostly still works, but have one issue

2011-12-12 Thread Dale Schroeder

On 12/12/2011 1:25 PM, Mark Casey wrote:

Dale,

That fixed it. Thanks very much for your time in looking at this 
issue! That leads to another question though. I don't get why 'winbind 
use default domain' did not cover the issue, since I have it set to 
yes. I assumed I could leave off the DOMAIN\ portion and it would 
add it for me...but more specifically, even using DOMAIN\camera 
wouldn't work. I should clarify though that nowhere in my config am I 
actually typing DOMAIN\; I'm only swapping that in on the mailing 
list as a redaction. When I tried the fully qualified user account in 
the IP camera's config the domain matched the one that this samba 
server is joined to.


I did note this part in smb.conf's man page about 'winbind use default 
domain':
*While this does not benifit Windows users, it makes SSH, FTP and 
e-mail function in a way much closer to the way they would in a native 
unix system.*


This would all make more sense if that line means that 'winbind use 
default domain' excludes not only Windows users but *all* smb/cifs 
authentication attempts. Then, it wouldn't apply to the IP cameras at 
all. However even if that were the case I still can't explain the 
failure when I tried the user DOMAIN\camera.


Would you (or anyone) be able to provide any insight? Regardless, 
thanks again for your help thus far as I can now get this out of the 
urgent section of my list!


Thank you,
Mark


I don't know that I can explain it sufficiently, but I'll try.  
Essentially, map untrusted to domain was a new parameter to make Samba 
perform as it did prior to 3.4.  winbind use default name refers to 
something completely different.  As the man page indicates, I can ssh 
into the system as valid_user instead of DOMAIN\valid_user.  This 
applies to a valid user on a domain host.  On the other hand, since the 
cameras are not able to join the domain, the new parameter maps 
HOSTNAME\camera to DOMAIN\camera.


Others have explained winbind use default domain this way:

http://wiki.samba.org/index.php/Samba__Active_Directory
|winbind use default domain = Yes| removes the domain prefix from 
usernames, so you can login as /Username/ instead of /DOMAIN\Username/ 
or in some cases /DOMAIN+Username/ (see next explanation).


http://www.justlinux.com/forum/archive/index.php/t-118512.html
This winbind parameter eliminates the need to use the domain name with 
the user/group name. The domain name plus the separator will 
automatically be prepended to the user name.


Not perfect, but I hope it helps.

Dale



On 12/12/2011 12:23 PM, Dale Schroeder wrote:

On 12/12/2011 10:14 AM, Mark Casey wrote:

Hello list,

I recently upgraded an Ubuntu 8.04 LTS samba server to 10.04 LTS 
which took the installed version of samba from version 3.0.28a to 
version 3.4.7. The server is an AD member using idmap-rid. I have 
updated the idmap directives in the config and it mostly worked 
(winbind works, Windows users can get to their shares with their 
correct permissions, etc.). The only thing that got broken is the 
ability of our IP security cameras to store data directly to the 
server through samba. I believe this may have been caused by a 
change to a default setting, such as the  allowed authentication 
methods or possibly something like 'allow trusted domains', since 
these cameras are not capable of actually joining the domain. I've 
looked at some of the in-between release notes but no changes have 
jumped out at me.


The cameras are configured to connect to the given smb/cifs server 
and share (which exists and can be mapped from Windows if you use 
the right user). The share ('camshare') has share-level permissions 
set such that DOMAIN\camera should have full access. I have winbind 
set to use the default domain so the cameras are configured to 
connect as 'camera' instead of 'DOMAIN\camera' (but I've tried both 
anyway, to no avail). I have checked the password on the 'camera' 
account repeatedly.


However you can see that something isn't right when the cameras try 
to mount the share:

root@server:~# tail -f /var/log/samba/log.smbd | grep camera
  check_ntlm_password:  Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER


If I use that username with the password when mapping the share from 
Win7, it works and the correct permissions are there.


Here is the smb.conf:

[global]
server string = File Server
workgroup = DOMAIN
realm = DOMAIN.COM
security = ADS
password server = *
#password server = dc1.domain.com
username map = /etc/samba/smbusers
obey pam restrictions = Yes
enable privileges = Yes
map to guest = Bad User
client NTLMv2 auth = Yes
log level = 2, vfs:1

Re: [Samba] bind errors for latest samba 4 checkout

2011-12-09 Thread Dale Schroeder

On 12/09/2011 12:05 AM, steve wrote:

Hi Dale, hi everyone.

Thanks. I now have the managed keys cleared:

Dec  9 06:57:33 hh3 named[3125]: managed-keys-zone ./IN: loaded serial 0



Stop bind and see if /var/run/named/named.pid remains. You may have a
stale pid that needs removing manually.




I had a go at that:

rm /var/run/named/named.pid
rm: cannot remove `/var/run/named/named.pid': Too many levels of symbolic links


This looks promising

http://www.whitemiceconsulting.com/2011_10_01_archive.html



I have:

lrwxrwxrwx  1 root  root 14 Dec  9 05:36 named -> /var/run/named

Removing /var/run/named clears the error but it returns on restarting 
named.


Also the:

Dec  9 06:57:33 hh3 named[3125]: command channel listening on 127.0.0.1#953
Dec  9 06:57:33 hh3 named[3125]: couldn't add command channel ::1#953: address not available


See if this is applicable to your situation.

https://lists.isc.org/pipermail/bind-users/2005-March/055877.html

Dale



remains

As I say, dns is working fine. I'd just like to clear the errors.

Thanks
Steve



Re: [Samba] bind errors for latest samba 4 checkout

2011-12-08 Thread Dale Schroeder

On 12/07/2011 1:28 PM, steve wrote:

Hi everyone

openSUSE 12.1

After a recent Samba 4 pull I have these errors:

Dec  7 19:53:37 hh3 named[3121]: command channel listening on 127.0.0.1#953
Dec  7 19:53:37 hh3 named[3121]: the working directory is not writable
Dec  7 19:53:37 hh3 named[3121]: managed-keys-zone ./IN: loading from master file /var/lib/named/dyn//managed-keys.bind failed: file not found
Dec  7 19:53:37 hh3 named[3121]: managed-keys-zone ./IN: loaded serial 0
Dec  7 19:53:37 hh3 named[3093]: Starting name server BIND - Warning: /var/run/named/named.pid exists! ..done
Dec  7 19:53:37 hh3 named[3121]: running

Bind was recently updated in openSUSE. Setting /var/lib/named to 
named:named got rid of the first error. Is that OK?


But then:

rm /var/run/named/named.pid
rm: cannot remove `/var/run/named/named.pid': Too many levels of symbolic links


rm -r /var/run/named/ and restarting bind gives the same error.

I can't find much about the managed keys. I've asked here before about 
this and on the openSUSE list.


managed-keys.bind is related to dnssec, as is /etc/bind/bind.keys.  
dnssec was enabled by default starting with bind 9.5.
zytrax.com has excellent dns reference information; e.g. see 
http://www.zytrax.com/books/dns/ch7/security.html





The only change to the /etc/named.conf supplied by the distro is 
including:

/usr/local/samba/private/named.conf

Apart from this, bind and kerberos pass all the tests as specified in 
the samba 4 howto.


If I:
touch /var/lib/named/dyn//managed-keys.bind

and restart named, it's almost clean:

Dec  7 20:23:13 hh3 named[3302]: command channel listening on 127.0.0.1#953
Dec  7 20:23:13 hh3 named[3302]: couldn't add command channel ::1#953: address not available
Dec  7 20:23:13 hh3 named[3302]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Dec  7 20:23:13 hh3 named[3302]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
Dec  7 20:23:13 hh3 named[3302]: zone localhost/IN: loaded serial 42
Dec  7 20:23:13 hh3 named[3302]: managed-keys-zone ./IN: loaded serial 0
Dec  7 20:23:13 hh3 named[3275]: Starting name server BIND - Warning: /var/run/named/named.pid exists! ..done
Dec  7 20:23:13 hh3 named[3302]: running


Stop bind and see if /var/run/named/named.pid remains.  You may have a 
stale pid that needs removing manually.


Dale



Before I can test and draw conclusions about the latest checkout I 
must know if these errors are significant.


Any ideas anyone?

Thanks
Steve.



Re: [Samba] Cannot access a share outside a share after upgrade

2011-11-30 Thread Dale Schroeder

Jobst,

As part of a security fix, you now need to disable unix extensions if 
you wish to use wide links.


unix extensions = No

Dale


On 11/29/2011 7:16 PM, Jobst Schmalenbach wrote:

Hi.

I have a share that I can only access as root that has a few symlinks in it to
make it easy for me to access files/dirs.
I used to be able to access before upgrade to

   [root] #smbd -V
   Version 3.5.4-0.83.el5_7.2

Now it simply displays an error Access denied


I have in the smb.conf file the following:

[SHARE_NAME_MASKED]
  path = /THIS_IS_MY_PATH
  valid users = @domadmins
  admin users = root
  read only = No
  create mask = 0660
  force create mode = 0770
  directory mask = 0770
  force directory mode = 06770
  browseable = No
  follow symlinks = yes
  wide links = yes

and in /etc/group

  domadmins:x:GROUPID_MASKED:root

I have not changed any other setting after upgrade of samba, nor have I changed 
file/directory permissions.


Any ideas anyone?
Jobst



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
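
An added example, not from the thread or the Samba project: a small Python check that reads an smb.conf and reports whether `wide links = yes` on a share is actually in effect given `unix extensions`, as the reply above describes, and which shares carry `admin users`. The defaults (wide links off, unix extensions on) are assumed for the 3.5/3.6 series, and the [global] stanza in the sample is constructed because the post does not show one.

```python
import re

# Assumed defaults for the Samba 3.5/3.6 series discussed in this thread.
DEFAULTS = {"widelinks": "no", "unixextensions": "yes"}
TRUE_WORDS = {"yes", "true", "on", "1"}

# The share as posted; [global] is constructed for this example.
CONF_AS_POSTED = """\
# constructed [global], not shown in the post
[global]
  workgroup = EXAMPLE

[SHARE_NAME_MASKED]
  path = /THIS_IS_MY_PATH
  valid users = @domadmins
  admin users = root
  read only = No
  follow symlinks = yes
  wide links = yes
"""
CONF_WITH_REPLY_APPLIED = CONF_AS_POSTED.replace(
    "  workgroup = EXAMPLE", "  workgroup = EXAMPLE\n  unix extensions = No")


def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_param: value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            current[norm(name)] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def audit(text):
    """Return (share, code, message) findings for wide links and admin users."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    unix_ext = is_true(glob.get("unixextensions", DEFAULTS["unixextensions"]))
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue

        def effective(key, params=params):
            # A share-level parameter set in [global] is the default for all shares.
            return params.get(key, glob.get(key, DEFAULTS.get(key, "")))

        if is_true(effective("widelinks")):
            if unix_ext:
                findings.append((share, "wide-links-ignored",
                                 "wide links = yes has no effect while unix "
                                 "extensions is enabled; symlinks that leave "
                                 "the share are refused"))
            else:
                findings.append((share, "wide-links-active",
                                 "symlinks may lead outside %s; review who can "
                                 "create symlinks under that path on the server"
                                 % effective("path")))
        if effective("adminusers"):
            findings.append((share, "admin-users",
                             "%s perform all file operations as root, so "
                             "filesystem permissions do not restrict them"
                             % effective("adminusers")))
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", CONF_AS_POSTED),
                        ("with reply applied", CONF_WITH_REPLY_APPLIED)):
        for share, code, message in audit(conf):
            print("%-18s [%s] %s: %s" % (label, share, code, message))
```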


Re: [Samba] ham, Slow login to Samba domain

2011-11-15 Thread Dale Schroeder

On 11/15/2011 5:10 AM, Dermot wrote:

Hi,

I have noticed that the Windows 7 machines that I have recently
installed and joined to our domain take about 40 seconds on average to
go from sign in to the desktop displaying. I can't find any
explanation for the delay. When the machine are in a work group they
login very quickly and the XP machines login at a normal rate. I have
searched and not found any articles that are relevant. Does anyone
else experience this? Does anyone have any tips on how to work out
what Windows 7 is doing during this time?

Thanks in advance,
Dermot


Dermot,

See if Marc Cain's solution in the link below can help you.  It worked 
for me.


http://lists.samba.org/archive/samba/2010-February/153585.html

Dale


Re: [Samba] winbind auth, specifying shell

2011-11-08 Thread Dale Schroeder

On 11/08/2011 11:35 AM, Eddy Sturg wrote:

On Thu, Nov 3, 2011 at 10:22 AM, Eddy Sturgtride2...@gmail.com  wrote:


Hey folks,

I'm using winbind authentication against MS Active Directory, and it's
working great.  Because of

template shell = /bin/bash

in smb.conf, new users are getting assigned the bash shell, which is great
in most cases.  Some users, however, prefer a different shell (tcsh).

How can I specify, on a user by user basis, the preferred shell?

I'm guessing this is an attribute in AD somewhere, but what's the best way
to get at that?

(Windows AD 2008)

Thanks,

Eddy


I think I've determined that the user's shell is not stored in AD.  Can
winbind / samba provide different shells to different users when using
winbind / AD integrated authentication?

Eddy,

I found this.  Hopefully, it's still accurate.

http://serverfault.com/questions/224340/override-template-shell-on-linux-system-in-active-directory-domain

Dale


Re: [Samba] Permissions in printer share

2011-11-07 Thread Dale Schroeder

On 11/07/2011 2:13 PM, Orlando Irrazabal wrote:

Hi everyone,


I'm trying to migrate my print server to Samba. All is working well 
except security. In my domain, some groups are able to print to 
certain printers and others to other printers. I tried with write 
list = @group but it doesn't worked. How do I configure the 
permissions on samba's printers, for a user group can print to only 
certain printers?



Here is my smb.conf file:

[global]
workgroup = MYDOMAIN
server string = Samba Server
security = DOMAIN
password server = PASS1 PASS2
log file = /var/log/samba/log.%m
max log size = 50
idmap uid = 15000-2
idmap gid = 15000-2
template homedir = /homes/%D/%U
template shell = /sbin/nologin
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
hosts allow = 127., 192.168.23.
cups options = raw

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[prnhpp3015]
comment = HP LaserJet P3015
path = /var/spool/samba/rcprnhpp3015
write list = @group1
printable = Yes

Try replacing write list = @group1
with valid users = @group1

Dale


Thanks in advance

Orlando



Re: [Samba] [Bulk] parent folder rX - child file in it rwx = child file from windows read only????

2011-11-01 Thread Dale Schroeder
There are two ways to influence newly created directory and file 
permissions.  The default is to use the mask/mode options.  You can see 
your current settings with

testparm -sv | grep mask ( also grep for mode and force).

Or you can use the different inherit options instead.
testparm -sv | grep inherit

Whichever way you choose, learn what these options do, and you should be 
able to set a combination that works for you.


Dale


On 11/01/2011 9:42 AM, lejeczek wrote:

apologies for being vague,
to me it seems that everything depends on what's parent looks like, 
and goals are:


have a file within a 750 folder that would be 770, meaning a client 
can write to the file


have samba/win clients acknowledge folder of 750 within a folder of 
770, meaning that if a winuser creates a folder(750) within a 
folder(770) samba respects it and other user should have no write 
permission to this newly created user's folder
at this moment my samba lets users delete a folder with group (to 
which both users belong) permissions equals to rX, I'd have to make a 
folder 700 in order to protect it from deletion by non-owners

and the smb.conf is pretty basic
what am I missing???

On 11/01/2011 01:25 PM, lejeczek wrote:

dear everybody

samba is 3.5.11-79.fc14

is this weird or my logic fails, I was hoping that if a file has unix 
770 then Win clients should be able to write to it even if parent 
folder is 750


also if a folder is 770 and a Win client creates a new folder in it, 
its unix permissions get set to 755, and yet! another(different) Win 
user can just delete this newly created folder.


with what settings one can achieve above goals?
many thanks for all help
Pawel



Re: [Samba] Upgrade Samba 3.0.28 to 3.6.0 problems

2011-10-07 Thread Dale Schroeder

Louis,

There are numerous changes (adds, deletes, and defaults) to smb.conf 
between the two versions you have listed.
The one that may be causing your smbpasswd problem is the default passdb 
backend has changed.
If you wish to continue using smbpasswd instead of the default tdb, you 
have to explicitly declare


passdb backend = smbpasswd

Check here for changelogs: http://www.samba.org/samba/history/

Dale


On 10/06/2011 10:36 PM, Louis Kabo wrote:

Hello,

having a problem upgrading a samba installation version 3.0.28 on a
FreeBSD 7.x server. I use samba as a PDC with roaming profiles and user
shares.

I have to upgrade it to allow Windows 7 Pro workstations to join the
domain.

I was able to build the binaries successfully and install them, everything
ran OK, but

I noticed that my smbpasswd file had I guess been relocated and I had to
readd the PC's and users to the smbpasswd file (smbpasswd -a username,
smbpassword -ma machinename), etc.

I noticed that I had to have the PC's un-join and re-join the domain in
order for them to work.

I noticed that none of the local profiles loaded, instead creating a new
roaming profile username.V2 in the profiles directory. (windows XP
workstation continued to complain about using a local profile as the
server copy was unavailable)

In addition to this on the Windows 7 workstation I could not access the
user share that I was logged into.

So I undid my changes and went back to Samba 3.0.28 until I can figure
these problems out. I have to figure out how not to have to re-add all of
my users and PC's into smbpasswd, why roaming profiles won't work and what
the access denied problem was about.

My smb.conf file did seem to translate OK because all of my shares were
available. What am I missing, did the smbpasswd directory change? is the
old smbpasswd file from 3.0.28 not compatible with 3.6.0? what can I do? I
don't want everyone to have to recreate their roaming profiles... there are
about 50 users... permissions problem? build/source/binary
location problem? any suggestions welcome.

help please,

Thanks






[Samba] Fwd: Win 7 Pro

2011-10-03 Thread Dale Schroeder
Perhaps the global section of your smb.conf has some clues.  Are you 
able to share it with us?

Is there anything pertinent in the logs of your PDC?

Dale


On 10/03/2011 12:32 PM, sa...@printflow.eu wrote:



On 2011-10-03 9:26, Marcel de Reuver wrote:

2011/10/2 sa...@printflow.eu

On 2011-09-30 15:01, sa...@printflow.eu wrote:

Hello,
I use Samba 3.5.11 from debian. I'm trying to add new Win7Pro to domain,
but I still get error: The specified domain either does not exist or
could not be contacted.

I tried http://wiki.samba.org/index.php/Windows7. Can you help me?

Anything to test ?


Windows7 needs two tweaks to work with Samba 3:

Regedit:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters

Add: DWORD  DomainCompatibilityMode = 1
DWORD  DNSNameResolutionRequired = 0

Control Panel - Administrative Tools - Local Security Policy:
Security Settings
   Local Policies
  Security Options
Network security: LAN Manager authentication level
Send LM & NTLM - use NTLMv2 session security if negotiated

Google on Windows7 and Samba for the details

Both done (as I wrote, I tried
http://wiki.samba.org/index.php/Windows7, where registry changing is
mentioned). I also found LM & NTLM settings on web as well as disable
'require 128 bit encryption'. After all this I wrote this email.


Is there anything else I may try ?


BR, Marcel







Re: [Samba] Slow Directory Access after upgrade to 3.5.6

2011-09-26 Thread Dale Schroeder

On 09/26/2011 11:05 AM, Mike wrote:

On Sun, Sep 25, 2011 at 5:44 PM, sghaidasaddam.abugha...@gmail.com  wrote:


Hello,

Why do you use Samba as preferred master? It seems that you are using
Samba only for shares (security=user), so you can set preferred master = no
and remove the OS entries, since they only help in master election. Regarding
WINS (nmblookup), you need to run the nmb service. To clarify the
problem in a more understandable way, can you dump the output of
testparm -vv?




Hi Saddam,

Thank you very much for your reply.
A long time ago when I first set up the server, I thought I read the
preferred master parameter was necessary for clients, but it appears I am
wrong in this understanding.  I will research this in the samba
documentation.


If you wish for your Samba system to be the domain master browser, then use

domain master = Yes
preferred master = Yes
local master = Yes
os level = 99    # (65 or higher)

That might solve your master browser error messages.  See
http://lists.samba.org/archive/samba-technical/2000-June/008259.html

Another suggestion here:
http://www.mail-archive.com/samba@lists.samba.org/msg61180.html

Otherwise, you can do as Saddam suggests.

Dale


I am currently running the nmbd process, but I get the feeling perhaps
running an nmb service may be something different.

I have enclosed the testparm -vv dump below.
The server role is stated as:   ROLE_STANDALONE

Thanks again for taking the time to respond; very much appreciated.
Here's the other output:


[global]
 dos charset = CP850
 unix charset = UTF-8
 display charset = LOCALE
 workgroup = MW
 netbios name = A1
 netbios aliases =
 netbios scope =
 server string = A1 Server
 interfaces =
 bind interfaces only = No
 security = USER
 auth methods =
 encrypt passwords = Yes
 update encrypted = No
 client schannel = Auto
 server schannel = Auto
 allow trusted domains = Yes
 map to guest = Never
 null passwords = No
 obey pam restrictions = No
 password server = *
 smb passwd file = /etc/samba/private/smbpasswd
 private dir = /etc/samba/private
 passdb backend = tdbsam
 algorithmic rid base = 1000
 root directory =
 guest account = nobody
 enable privileges = Yes
 pam password change = No
 passwd program =
 passwd chat = *new*password* %n\n *new*password* %n\n *changed*
 passwd chat debug = No
 passwd chat timeout = 2
 check password script =
 username map =
 password level = 0
 username level = 0
 unix password sync = No
 restrict anonymous = 0
 lanman auth = No
 ntlm auth = Yes
 client NTLMv2 auth = No
 client lanman auth = No
 client plaintext auth = No
 preload modules =
 dedicated keytab file =
 kerberos method = default
 map untrusted to domain = No
 log level = 3
 syslog = 1
 syslog only = No
 log file = /var/log/samba.%m
 max log size = 500
 debug timestamp = Yes
 debug prefix timestamp = No
 debug hires timestamp = Yes
 debug pid = No
 debug uid = No
 debug class = No
 enable core files = Yes
 smb ports = 445 139
 large readwrite = Yes
 max protocol = NT1
 min protocol = CORE
 min receivefile size = 0
 read raw = Yes
 write raw = Yes
 disable netbios = No
 reset on zero vc = No
 acl compatibility = auto
 defer sharing violations = Yes
 nt pipe support = Yes
 nt status support = Yes
 announce version = 4.9
 announce as = NT
 max mux = 50
 max xmit = 16644
 name resolve order = lmhosts wins host bcast
 max ttl = 259200
 max wins ttl = 518400
 min wins ttl = 21600
 time server = Yes
 unix extensions = Yes
 use spnego = Yes
 client signing = auto
 server signing = No
 client use spnego = Yes
 client ldap sasl wrapping = plain
 enable asu support = No
 svcctl list =
 deadtime = 0
 getwd cache = Yes
 keepalive = 300
 lpq cache time = 30
 max smbd processes = 0
 paranoid server security = Yes
 max disk size = 0
 max open files = 16384
 socket options = TCP_NODELAY
 use mmap = Yes
 hostname lookups = No
 name cache timeout = 660
 ctdbd socket =
 cluster addresses =
 clustering = No
 ctdb timeout = 0
 load printers = Yes
 printcap cache time = 750
 printcap name =
 cups server =
 cups encrypt = No
 cups connection timeout = 30
 iprint server =
 disable spoolss = No
 addport command =
 enumports command =
 addprinter command =
 deleteprinter command =
 show add printer wizard = Yes
 os2 driver map =
 mangling method = hash2
 mangle prefix = 1
 max stat cache size = 256
 stat cache = Yes
 machine password timeout = 604800
 add user script =
 rename user script =
 delete user script

Re: [Samba] Samba (CentOS) + Windows 7 Ultimate 64 = no login

2011-09-07 Thread Dale Schroeder

On 09/06/2011 2:09 PM, phpMagpie wrote:

Update: I tried the following tutorial
http://www.samba.org/samba/docs/man/Samba-Guide/simple.html#id2550946

*I changed my smb.conf to:*
[global]
workgroup = WEBBEDIT
security = SHARE
[HTML]
path = /var/www/html
read only = No
guest ok = Yes


Shortened version of what I use with 3.5.11 on Debian:

[global]
workgroup = WEBBEDIT
security = User
map to guest = Bad User
unix password sync = Yes

[html]
path = /var/www/html
read only = No
valid users = your_login
admin users = your_login

Ensure that your Win7, linux, and samba username and password 
combinations are identical.

If this config works, you can fine tune with other parameters as needed.

Dale



The first validation step is to run 'smbclient -L localhost -U%'.

*It should have returned something like:*
        Sharename       Type      Comment
        ---------       ----      -------
        Plans           Disk
        IPC$            IPC       IPC Service (Samba 3.0.20)
        ADMIN$          IPC       IPC Service (Samba 3.0.20)

        Server               Comment
        ---------            -------
        webbedit.lan         Samba 3.0.20

        Workgroup            Master
        ---------            -------
        WEBBEDIT             SERVER

*Mine returned this:*
Domain=[WEBBEDIT] OS=[Unix] Server=[Samba 3.5.4-68.el6_0.2]

        Sharename       Type      Comment
        ---------       ----      -------
        HTML            Disk
        IPC$            IPC       IPC Service (Samba 3.5.4-68.el6_0.2)
Domain=[WEBBEDIT] OS=[Unix] Server=[Samba 3.5.4-68.el6_0.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Now the tutorial is on an earlier version so some changes may be required,
but it's clear to see from my output that a domain is being set rather than
a Workgroup.  Any ideas?

Paul.

--
View this message in context: 
http://samba.2283325.n4.nabble.com/Samba-CentOS-Windows-7-Ultimate-64-no-login-tp3793880p3794292.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] 3.5.6 : WINBINDD: cli_negprot failed: NT_STATUS_ACCESS_DENIED with Active Directory

2011-09-07 Thread Dale Schroeder

On 09/07/2011 4:45 AM, David Touzeau wrote:

Dear

Have connected SAMBA to an Active Directory server
The getent did not show any user and winbindd claim :

[2011/09/07 11:33:29.417355,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
   cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.417444,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
   cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:29.696520,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
   cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.696599,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
   cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:30.068625,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
   cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:30.068706,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
   cli_negprot failed: NT_STATUS_ACCESS_DENIED

How can I fix this issue?


If I'm reading this error message correctly, you either need to turn on 
server signing on the AD machine, or turn off server signing on the 
Samba machine.

server signing = Disabled

Dale


here it is the smb.conf

[global]
workgroup = USGPEOPLEFR
netbios name = onesys-samba
server string = %h server
disable netbios =no
strict allocate = No
strict locking = Auto
sync always = No
getwd cache = Yes
max protocol = NT1
name resolve order =host lmhosts wins bcast
dns proxy = No
wins support = Yes
min protocol = NT1
remote announce = 10.7.61.255/USGPEOPLEFR

syslog = 3
log level = 1
log file = /var/log/samba/log.%m
debug timestamp = yes
follow symlinks = yes
wide links = yes
unix extensions = no

usershare allow guests = no
usershare max shares = 100
usershare owner only = true
usershare path=/var/lib/samba/usershares/data
guest account = nobody
map to guest = Bad Password
template homedir = /home/%U
template shell = /bin/false
enable privileges = yes
os level = 40
ldap passwd sync = no


security = ADS
realm = USGPEOPLEFR.INT
idmap config USGPEOPLEFR:backend= rid
idmap config USGPEOPLEFR:read only= yes
idmap config USGPEOPLEFR:range  = 10 - 19
idmap config USGPEOPLEFR:base_rid   = 0
idmap gid = 7 - 9
idmap uid = 7 - 9
encrypt passwords = Yes
client ntlmv2 auth = Yes
client lanman auth = No
winbind normalize names = Yes
winbind separator = /
winbind use default domain = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = rfc2307
winbind offline logon = true
winbind cache time = 5
winbind refresh tickets = true
kerberos method = system keytab
allow trusted domains = Yes
*server signing = mandatory*
client signing = mandatory
lm announce = No
ntlm auth = No
lanman auth = No
preferred master = No
printing = bsd
nt acl support=yes
map acl inherit=yes
acl check permissions=yes
inherit permissions=no
inherit acls=yes
acl map full control=yes
dos filemode=yes
force unknown acl user = no


# LDAP settings ---
ldap delete dn = no
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
ldap suffix = dc=usgpeoplefr,dc=int
ldap group suffix = dc=organizations
ldap user suffix =  dc=organizations
ldap machine suffix = ou=Computer,dc=samba,dc=organizations
ldap delete dn = yes
ldap ssl  = off
ldap idmap suffix =
ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int

logon path =
logon home =
logon drive = 
socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = yes
wins support = Yes
time server = yes
msdfs root = no
host msdfs = no




Re: [Samba] Samba not accepting AD users

2011-09-01 Thread Dale Schroeder

On 09/01/2011 5:27 AM, Bruno Martins wrote:

On 09/01/2011 11:11 AM, David Roid wrote:

Check out what does /var/log/samba/log say about logon failure? Also do you
enable ntlm auth?

-David

2011/9/1 Bruno Martins bmomart...@gmail.com


On 08/31/2011 06:57 PM, Dale Schroeder wrote:

Bruno,

This is not a valid option:

idmap backend = 192.168.0.2

The default is tdb, but there is also rid, ad, and ldap.

Dale


On 08/31/2011 5:57 AM, Bruno Martins wrote:

Hello everyone.

I am setting up a Debian-based file and print server and I am not
being able
to authenticate with AD credentials. I think the error message is this
one:
joe@sputnik:~$ tail /var/log/samba/log.___192.168.0.101
[2011/08/31 11:19:54.415130,  1]
smbd/sesssetup.c:454(reply_spnego_kerberos)
Username GALILEU-F\bmartins is invalid on this system

More information about the system:
joe@sputnik:~$ uname -r
2.6.32-5-686

joe@sputnik:~$ wbinfo -g
domain guests
domain users
domain computers
group policy creator owners
cert publishers
domain controllers
exchange domain servers
domain admins
(...)

joe@sputnik:~$ wbinfo -u
SPUTNIK\nobody
SPUTNIK\root
a230w
sqlexecutivecmdexec
ghelpdesk
pbernardo
(...)

My smb.conf:
http://pastebin.com/5vMg5X82

... and my krb5.conf:
http://pastebin.com/SE9Pmt0Y

... also my nsswitch.conf:
http://pastebin.com/psL9SksW

Can anyone please help me?

Best regards,

Bruno Martins

Good morning,

I have changed that parameter to 'idmap backend = tdb' and even 'idmap
backend = ad' but didn't work.

I keep getting this error:
root@sputnik:/home/joe# smbclient -L //localhost -U bmartins
Enter bmartins's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Also, 'testparm' doesn't show me that line, but that may be normal.

And, by the way, when I do a 'getent passwd', the output just show me
local users, not domain ones.

Best regards,

Bruno Martins


Hello David,

Thanks for your help.

Let me show you the output of some commands that may ask your second
question:
http://pastebin.com/Rj3Shbeu

Regarding to logs, I have noticed a strange thing:
http://pastebin.com/yMaQek0h

Is this a normal behaviour?

Apparently so because I have seen those messages on working winbind systems.

Compare your setup to the following to see if you might have missed 
anything.


http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm

http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

Dale


Best regards,

Bruno Martins




Re: [Samba] special permission on directories

2011-09-01 Thread Dale Schroeder

On 08/31/2011 5:55 PM, Old Eduardo wrote:

hello list,

I'm trying to configure samba, no pdc, just samba for share directories with
linux users.

my problem is:

I have users and groups

directory1
directory2

at directory1 group own is x
at directory2 group own is y

I make chmod 775 at directory1 and chmod +t, after I make chown root.x
same in directory2, just change chown to root.y

my problem: when user make directory and other user make one file at this
directory, owner and others users can delete files.

I need same as chmod +t when users create new directory, but don't work with
me.

Thanks in advance

And sorry for bad english.


Maybe adding this to share works for you ==>

[share]
inherit owner = Yes

Dale


 inherit owner (S)

   The ownership of new files and directories is normally governed by
   effective uid of the connected user. This option allows the Samba
   administrator to specify that the ownership for new files and
   directories should be controlled by the ownership of the parent
   directory.

   Common scenarios where this behavior is useful is in implementing
   drop-boxes where users can create and edit files but not delete them
   and to ensure that newly created files in a user's roaming profile
   directory are actually owned by the user.

   Default: inherit owner = no




Re: [Samba] Samba not accepting AD users

2011-08-31 Thread Dale Schroeder

Bruno,

This is not a valid option:

idmap backend = 192.168.0.2

The default is tdb, but there is also rid, ad, and ldap.

Dale


On 08/31/2011 5:57 AM, Bruno Martins wrote:

Hello everyone.

I am setting up a Debian-based file and print server and I am not being able
to authenticate with AD credentials. I think the error message is this one:
joe@sputnik:~$ tail /var/log/samba/log.___192.168.0.101
[2011/08/31 11:19:54.415130,  1] smbd/sesssetup.c:454(reply_spnego_kerberos)
   Username GALILEU-F\bmartins is invalid on this system

More information about the system:
joe@sputnik:~$ uname -r
2.6.32-5-686

joe@sputnik:~$ wbinfo -g
domain guests
domain users
domain computers
group policy creator owners
cert publishers
domain controllers
exchange domain servers
domain admins
(...)

joe@sputnik:~$ wbinfo -u
SPUTNIK\nobody
SPUTNIK\root
a230w
sqlexecutivecmdexec
ghelpdesk
pbernardo
(...)

My smb.conf:
http://pastebin.com/5vMg5X82

... and my krb5.conf:
http://pastebin.com/SE9Pmt0Y

... also my nsswitch.conf:
http://pastebin.com/psL9SksW

Can anyone please help me?

Best regards,

Bruno Martins



Re: [Samba] samba Digest, Vol 104, Issue 30

2011-08-31 Thread Dale Schroeder

Thiago,

You could use scripting.

find /path/to/data -type f -size +10M

would find all files 10 megabytes or larger in your data share.

For more details ==> man find

Dale


On 08/31/2011 6:44 AM, Thiago Ferreira wrote:

Does anyone know any software that search in the network shares the files
types that take up more space?
I'd like to delete some files, my storage space is finishing.



Re: [Samba] Unable to find the Domain Master Browser - novice experience

2011-08-26 Thread Dale Schroeder

On 08/26/2011 9:08 AM, J. Echter wrote:

On 26.08.2011 12:57, Steve Nash wrote:

Bottom-line: this is now working for me.



# /etc/samba/smb.conf
#
# Modifications made 1108260839 steve.n...@theiet.org
#
#=== Global Settings ===

[global]
 log file = /var/log/samba/log.%m
 guest account = Family
 load printers = no

#1  read prediction = yes
 map to guest = bad user
 null passwords = yes
 encrypt passwords = true
#1  winbind trusted domains only = yes
#1  winbind use default domain = yes
 wins support = true
#1  available = no
 netbios name = NashFS
 browseable = yes
 server string = %h (Samba, Ubuntu)
#1  winbind enum users = no
 default = Storage
 workgroup = NASH
 os level = 20
#1  winbind enum groups = no
 security = user
 preferred master = yes
#1
 domain master = yes
 local master = yes
#1
 usershare allow guests = yes
 max log size = 1000

[Storage]
 browseable = yes
 writeable = yes
 delete readonly = yes
 path = /Storage
 force group = sambashare
 force user = Family
 comment = Storage for Windows
 public = yes
 available = yes



ENVIRONMENT

I set up a Ubuntu 10.04 host (NashFS) to be a central file-server for Home
network used by about 10 various MSWindows machines.
My objective was to create just a storage area that any of the family can
use.

But I was finding that the view of the Network from MSWindows was not
consistent or reliable.
. I have no MS Domain as far as I know.
. Just a workgroup.
. I have tried to avoid Win7 Homegroups because I cannot find any
explanation of what they do!

Eventually got round to checking /var/log/syslog on NashFS
Found messages saying:

 Unable to find the Domain Master Browser name NASH<1b> for
 the workgroup NASH

I use Webmin to configure the services on this machine.
Webmin > Servers > Samba Windows File Sharing > Global Configuration
Windows Networking
showed Master Browser? as Automatic.

My first change was here, to set this to Yes.

What took me a while to figure out is that restarting the Samba daemon smbd
is not enough.
Looking at /etc/samba/smb.conf showed me what I wanted to see, but
restarting smbd was having no effect.

I needed to restart nmbd also, but this is not visible from Webmin, so:

 sudo service nmbd restart

NOTES

As far as I can figure out I do not need winbind.  It is part of the Webmin
display of Samba.
At some point, in setting up Samba, it had become active and was putting
other messages into syslog.  The file shown above includes lines related to
winbind that I just recently commented out.  I have now rid myself of
winbind with:

 sudo apt-get purge winbind

There are other commented lines that I have left in this copy just in case
you see them too and want to know that it works for me without them.
There are several other lines in there that are meaningless to me, so do not
rely on my expertise :-).

If this little doc is useful to you please let me know
steve.n...@theiet.org






Hi,

I have this option in my smb.conf too --> domain logons = yes

greets

juergen


Juergen,

He indicated that he's not running a domain, only a workgroup, so he 
preferably should not use domain logons = yes.
However, he might want to bump up the os level, so that the samba 
system wins all the master browser elections.


os level = 65

Dale


Re: [Samba] question about groups

2011-08-03 Thread Dale Schroeder

On 8/3/2011 6:19 AM, Andrea Lanza wrote:

At last I succeeded in trying your solution...

Perfect !

Excellent!


No need to do anything other apart what you said.


create mask = 2770

Do you intend for all files to have the execute bit set?  If not, then
create mask = 2660
force create mode = 2660

directory mask = 2770
   force directory mode = 2770
inherit acls = Yes


when listing the dir in linux I can read:

rwxrws---

I think that s means the inheritance of group-acl flagged on...

That is correct.

Dale


Thank you very much again,

Andrea




-----Original Message-----
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Friday, 29 July 2011 19:31
To: Andrea Lanza
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] question about groups

Andrea,

How about doing 'chmod 2770 /path/to/share' and also on all existing
subfolders of /path/to/share.
In the share definition, you could also add

  directory mask = 2770
  force directory mode = 2770

Dale

On 07/29/2011 6:03 AM, Andrea Lanza wrote:

Hi all,
I have a (simple?) question about groups.

this is my scenario:

Windows Active directory domain

Samba file server ADS integrated

2 shares on this last server (share1, share2)

2 groups on the AD (group1 and group2)

First share is only fully available to group1: this is easily done

second share is fully available to group2
---

Then I have some users belonging to both group1 and group2;
anyway group1 is the principal group.

when a user of this kind create a folder or a file on the share2, the
file is created
as userxxx and group1, so being inaccessible to user on the
group2.
(permission:770, so if one user is in group2 cannot access this file
belonging to group1)

I tried several combination of inherit acl, possible user and so
on, but no hope to make it works.

How can I achieve this result ?

And sorry if it was already answered elsewhere: I found a lot of
discussion (also very old, 2003 and so on)
but no one helped me.

I am running samba :

3.5.xxx on opensuse 11.4

thanks in advance,
Andrea





Re: [Samba] question about groups

2011-07-29 Thread Dale Schroeder

Andrea,

How about doing 'chmod 2770 /path/to/share' and also on all existing 
subfolders of /path/to/share.

In the share definition, you could also add

directory mask = 2770
force directory mode = 2770

Dale

On 07/29/2011 6:03 AM, Andrea Lanza wrote:

Hi all,
I have a (simple?) question about groups.

this is my scenario:

Windows Active directory domain

Samba file server ADS integrated

2 shares on this last server (share1, share2)

2 groups on the AD (group1 and group2)

First share is only fully available to group1: this is easily done

second share is fully available to group2
---

Then I have some users belonging to both group1 and group2;
anyway group1 is the principal group.

when a user of this kind create a folder or a file on the share2, the file is 
created
as userxxx and group1, so being inaccessible to user on the group2.
(permission:770, so if one user is in group2 cannot access this file belonging 
to group1)

I tried several combination of inherit acl, possible user and so on, but no 
hope to make it works.

How can I achieve this result ?

And sorry if it was already answered elsewhere: I found a lot of discussion 
(also very old, 2003 and so on)
but no one helped me.

I am running samba :

3.5.xxx on opensuse 11.4

thanks in advance,
Andrea
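
Added example (not part of the original thread): what the setgid bit in `chmod 2770` changes on Linux, which is also what the `rwxrws---` listing in the follow-up message of this thread reflects. The sketch creates one directory with mode 770 and one with 2770, gives each to a supplementary group when the process has one (standing in for the thread's group2; the directory names and the umask of 007 are assumptions of the example), and reports the mode and group that a new file and a new subdirectory receive.

```python
import os
import stat
import tempfile


def _entry(path):
    """Permission bits (octal string) and owning gid of a path."""
    st = os.stat(path)
    return {"mode": oct(stat.S_IMODE(st.st_mode))[2:], "gid": st.st_gid}


def _assign_other_group(path):
    """Hand `path` to a group other than the primary one, if the process may."""
    for gid in os.getgroups():
        if gid != os.getegid():
            try:
                os.chown(path, -1, gid)      # like 'chown root.y' on the share
                return gid
            except OSError:
                continue                      # e.g. an unmapped gid in a container
    return os.stat(path).st_gid               # no second group: contrast is limited


def compare_group_inheritance():
    """Create entries under a 770 and a 2770 directory and report what they get."""
    old_umask = os.umask(0o007)               # new entries come out as 660 / 770
    try:
        with tempfile.TemporaryDirectory() as root:
            os.chmod(root, 0o700)             # make sure the parent is not setgid
            report = {}
            for name, mode in (("plain", 0o770), ("setgid", 0o2770)):
                share = os.path.join(root, name)
                os.mkdir(share)
                _assign_other_group(share)
                os.chmod(share, mode)         # chmod after chown so the bit sticks
                newdir = os.path.join(share, "newdir")
                os.mkdir(newdir)
                newfile = os.path.join(share, "newfile")
                with open(newfile, "w"):
                    pass
                report[name] = {
                    "share": _entry(share),
                    "newdir": _entry(newdir),
                    "newfile": _entry(newfile),
                }
            return report
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, entries in compare_group_inheritance().items():
        for kind, info in entries.items():
            print(f"{name:7} {kind:8} mode={info['mode']:>4} gid={info['gid']}")
```

Under the 2770 directory the new file takes the directory's group and the new subdirectory is itself 2770, so the behaviour carries down the tree; under the 770 directory the file keeps the creator's primary group, which is the situation described in the question.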





Re: [Samba] Integrate Samba with Active Directory

2011-07-20 Thread Dale Schroeder

On 07/19/2011 4:49 PM, Bruno Martins wrote:

On Tue, 2011-07-19 at 13:11 -0500, Dale Schroeder wrote:

On 07/19/2011 10:05 AM, Bruno Martins - GALILEU LISBOA wrote:

Hello guys,



I am setting up a Samba server (based on CentOS 5.6) on my company which
will act as a print and file server. Also, it has dropbox installed.



I have set up everything regarding to CUPS and Samba itself, but I'm not
being able to integrate my shares with Active Directory.



All I want is that access control to Samba shares is made through Active
Directory users and their respective passwords, and not through
Unix-style users and groups. Is this possible?



Some configuration files:

/etc/nsswitch.conf - http://pastebin.com/rPgXSL6G

Bruno,

To start, change this:
 passwd: files ldap
 shadow: files winbind
 group:  files winbind
To this:

 passwd: files winbind ldap  (Are you using ldap for anything?)
 shadow: files
 group: files winbind

kinit administra...@galileu-f.galileu.pt
This should return nothing after entering the password.

Is the join OK? net ads testjoin

Try wbinfo -u and wbinfo -g to see if you get AD users and groups.

If using PAM, is it configured for winbind?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

Dale


/etc/samba/smb.conf - http://pastebin.com/9uffAyjV

/etc/krb5.conf - http://pastebin.com/9zJFQR6J



Can someone please give me some lights on this?



If you need more information, just tell me. ;-)



Thanks for your cooperation.



Best regards,



Bruno Martins


Hello Dale,

Files have been corrected.

How do you make 'net ads testjoin' as a certain user?

I believe you have to do this as root.


I did this, to see if it helps you:
http://paste2.org/p/1529126

By the way, also take a look at kinit's result:
http://paste2.org/p/1529128

That looks OK.

Do you get a listing of your AD users and groups with wbinfo -u and 
wbinfo -g?


As others have suggested, consider upgrading to a newer version.

For completeness, verify that the times are in sync between the samba 
server and the DC.


Dale


I don't know if I'm using, but I'll take a look into that article as
well.

Thanks for your cooperation on this.

Best regards,

Bruno Martins




Re: [Samba] Integrate Samba with Active Directory

2011-07-19 Thread Dale Schroeder

On 07/19/2011 10:05 AM, Bruno Martins - GALILEU LISBOA wrote:

Hello guys,



I am setting up a Samba server (based on CentOS 5.6) on my company which
will act as a print and file server. Also, it has dropbox installed.



I have set up everything regarding to CUPS and Samba itself, but I'm not
being able to integrate my shares with Active Directory.



All I want is that access control to Samba shares is made through Active
Directory users and their respective passwords, and not through
Unix-style users and groups. Is this possible?



Some configuration files:

/etc/nsswitch.conf - http://pastebin.com/rPgXSL6G

Bruno,

To start, change this:

 passwd: files ldap
 shadow: files winbind
 group:  files winbind

To this:

passwd: files winbind ldap  (Are you using ldap for anything?)
shadow: files
group: files winbind

kinit administra...@galileu-f.galileu.pt
This should return nothing after entering the password.

Is the join OK? net ads testjoin

Try wbinfo -u and wbinfo -g to see if you get AD users and groups.

If using PAM, is it configured for winbind?
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

Dale


/etc/samba/smb.conf - http://pastebin.com/9uffAyjV

/etc/krb5.conf - http://pastebin.com/9zJFQR6J



Can someone please give me some lights on this?



If you need more information, just tell me. ;-)



Thanks for your cooperation.



Best regards,



Bruno Martins




Re: [Samba] Help! permission denied when accessing folder

2011-07-11 Thread Dale Schroeder
Group ownership shows to be studemp, but you are giving share 
permissions to studempl.

Is that a typo, or is that the source of your problem?

Dale


On 07/11/2011 11:15 AM, Daulton_Theodore wrote:

Hi all,

Running samba 3.5.5 in a Solaris non-global zone. I have created a folder 
(StudentJobApplications) on a share  which I want to make accessible only to 
members of a Unix group (studempl). I have added myself to the group but when I 
or other group members try to access the folder via Windows Explorer I get the 
following:

I:\StudentJobApplications is not accessible
Access is denied

Here are some of the particulars:

The folder:
# ls -ld /departments/common/StudentJobApplications
drwxrwx---   2 root studemp2 Jul 11 08:34 
/departments/common/StudentJobApplications

The group (etc/group):
studempl::2018:mylogin,otheruserlogin.

The share definition in smb.conf:

# --
# shared directory for ALL staff
# --
[libshare]
comment = Library staff shared directory
path= /path
browseable  = yes
writeable   = yes
create mask = 0777
force create mode = 0777
directory mask = 0777
valid users = +group1 +group2 +group3 +group4 +group 5 +group6 +group7 
+group8+group17 +studempl
invalid users = +circdesk

Note: I am a member of one of the groups defined in valid users above.

I have not restarted the samba server but I don't think that would be necessary.

Actually I would like to set the permissions on the folder to be -rwxrws--- but 
just being able to access it would be a start. I would appreciate ang comments 
or suggestions.

Thank you.


Daulton Theodore
Carleton University
Library, Systems Department
Vmail: (613) 520-2600, ext. 8352




Re: [Samba] Problem getting Samba fully working

2011-06-29 Thread Dale Schroeder

On 06/28/2011 4:35 PM, Moe, John wrote:

Sorry, it's been pointed out that the list strips attachments.  Here's my 
smb.conf, in case it helps someone.

A few options I've never used, but overall looks fairly standard.

There are numerous howto's for this sort of thing all over the web, and trying 
to keep track of which bits are needed for a given setup is difficult.  Maybe 
in all my reading, I came away with some bad assumptions, and I need to check 
them.  Let's take FreeRadius out of the picture for the moment; I only 
mentioned it in case it was interfering/interacting with Samba.  Basically, I'm 
trying to get a virtual machine on my network, with a Gentoo Linux OS, to be 
able to allow logins based on AD accounts, so the other network admins can 
administer this server, and for ntlm_auth to return success or failure of a 
user's authentication request (which will be needed for step 2: FreeRadius).  I 
don't need shares, although it'd be handy so I can transfer files to and from 
the box.

1) To get this to work, I assumed from my reading I needed Kerberos.
I always have since that's the MS AD way.  I have never set the kerberos 
method option.  Don't know how that affects things.

2) I also assumed that best practice would be for this server to join the 
domain.

I agree.

3) I assumed that tdb was the correct backend for this setup, not LDAP.
That's relative to a particular preference or need.  I have multiple 
member servers and prefer to keep uid's and gid's in sync, so I use rid 
for the idmap.

Can anyone speak to these assumptions?
Perhaps look at pam config again.  I have had default pam configs from 
Debian that would not work out of the box with winbind.  When that 
happened, I always reverted to something simple like the example given here:

(modify to suit Gentoo, of course)

http://www.enterprisenetworkingplanet.com/netos/article.php/3502441

If simple works, you can always add other options back until it breaks.

Dale

---

[global]
   add user script = /usr/local/bin/addsambauser %u
   client lanman auth = no
   client ntlmv2 auth = yes
   client use spnego = yes
   disable netbios = yes
   domain master = no
   encrypt passwords = yes
   idmap alloc backend = tdb
#  Defaults to tdb
   idmap backend = tdb
   idmap gid = 1 - 9
   idmap uid = 1 - 9
   lanman auth = no
   kerberos method = system keytab
   netbios name = MYSERVERNAME
   ntlm auth = yes
#  Defaults to tdbsam
   passdb backend = tdbsam
   password server = mygc.my.domain.name, mygc2.my.domain.name
   preferred master = no
   realm = MY.DOMAIN.NAME
   security = ads
   server string = %h (Samba)
   template homedir = /home/%D/%U
   template shell = /bin/bash
   use spnego = yes
   winbind enum groups = yes
   winbind enum users = yes
   winbind expand groups = yes
   winbind nested groups = yes
   winbind refresh tickets = yes
   winbind use default domain = yes
   workgroup = NTDOMAINNAME

[tmp]
   comment = temporary files
   path = /tmp
   read only = yes

---
John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Moe, John
Sent: Tuesday, 28 June 2011 7:26 AM
To: Samba mailing list
Subject: Re: [Samba] Problem getting Samba fully working


-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Tuesday, 28 June 2011 4:42 AM
To: Moe, John
Cc: Samba mailing list
Subject: Re: [Samba] Problem getting Samba fully working

On 06/26/2011 7:14 PM, Moe, John wrote:

-Original Message-
From: Linda Walsh [mailto:sa...@tlinx.org]
Sent: Saturday, 25 June 2011 8:02 PM
To: Moe, John
Cc: Samba mailing list
Subject: Re: Problem getting Samba fully working

Moe, John wrote:

Hello all,

Relevant info up front: Gentoo PC, using 2.6.38 kernel and Samba 3.4.12.
I'm trying to get a FreeRadius instance working for our Windows network.
To do so, I need a Linux box running Samba.  I've installed and
configured Kerberos, Samba and FreeRadius, and can get most things to
work.  I can get a Kerberos key using kinit, and sudo net ads keytab
list shows me tickets.  I can use things like net ads user myuser -U
myuser to get info about my user account.  I can use sudo wbinfo -t
to show the secret trust is OK, and sudo net ads testjoin works as
well.  I can even log on to my switch using RADIUS authentication to my
AD account (using ntlm_auth).  So a lot of the pieces are working
correctly.

[2011/06/21 07:12:21,  1]
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!


I

Re: [Samba] Problem getting Samba fully working

2011-06-27 Thread Dale Schroeder
; no such user

And the same two lines in /var/log/samba/log.wb-DOMAINNAME:

[2011/06/27 10:03:39,  1]
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
   cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_ACCESS_DENIED received from host MYGC.my.domain.name!

Logging in via console (as 'user', 'domain/user' and
'u...@my.domain.name') gives the same output in the Samba log, and a
slightly different set of errors in /var/log/messages:

Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth):
pam_get_uid; no such user
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): check
pass; user unknown
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth):
authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser=
rhost=
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): getting
password (0x0090)
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth):
pam_get_item returned a password
Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on '/dev/tty2'
FOR 'UNKNOWN', Authentication failure

Does this add any useful info?

John H. Moe
Network Support - Hatch IT



What options have you set in pam?  Either in /etc/pam.d/sshd or 
/etc/pam.d/common-*, you can place something like the following 
(assuming Gentoo directory structure is like Debian):


auth        sufficient    pam_winbind.so
account     sufficient    pam_winbind.so

If you have already done so, then does getent passwd, getent group or 
wbinfo -u, wbinfo -g return all of your AD users?


If not, what do your winbind config options in smb.conf look like?

Dale
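
Added example (not part of the thread, and not Samba or PAM code): a triage pass over the /var/log/messages lines quoted in this message, grouping entries per login process and separating "the account name did not resolve" from "the account resolved but authentication was rejected". The log lines are the ones above with the mail line-wrapping undone; the verdict wording, the regular expression and the function name are assumptions, and the NSS verdict is this example's reading of the "no such user" and "user unknown" messages.

```python
import re
from collections import defaultdict

# Log lines from the message above, with mail line-wrapping undone.
SAMPLE = """\
Jun 27 10:06:44 servername login[1707]: pam_tally2(login:auth): pam_get_uid; no such user
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): check pass; user unknown
Jun 27 10:06:47 servername login[1707]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): getting password (0x0090)
Jun 27 10:06:47 servername login[1707]: pam_winbind(login:auth): pam_get_item returned a password
Jun 27 10:06:51 servername login[1707]: FAILED LOGIN (3) on '/dev/tty2' FOR 'UNKNOWN', Authentication failure
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
                  r"(?:(?P<mod>pam_\w+)\((?P<svc>[^)]*)\): )?(?P<msg>.*)$")
UNRESOLVED = ("no such user", "user unknown")

def triage(log_text):
    """Group PAM messages per process and classify each failed attempt."""
    sessions = defaultdict(lambda: {"modules": [], "unresolved": False, "failed": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        s = sessions[(m["proc"], m["pid"])]
        if m["mod"] and m["mod"] not in s["modules"]:
            s["modules"].append(m["mod"])
        if any(p in m["msg"] for p in UNRESOLVED):
            s["unresolved"] = True
        if "authentication failure" in m["msg"].lower() or m["msg"].startswith("FAILED LOGIN"):
            s["failed"] = True
    report = {}
    for key, s in sessions.items():
        if not s["failed"]:
            verdict = "no failure logged"
        elif s["unresolved"]:
            verdict = "account not resolvable via NSS: check getent passwd / wbinfo -u"
        else:
            verdict = "account resolved; credentials or module stack rejected"
        report[key] = (verdict, s["modules"])
    return report

if __name__ == "__main__":
    for (proc, pid), (verdict, modules) in triage(SAMPLE).items():
        print(f"{proc}[{pid}]: {verdict} (modules seen: {', '.join(modules)})")
```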


Re: [Samba] filesystem of choice?

2011-06-24 Thread Gary Dale

On 24/06/11 09:46 AM, John G. Heim wrote:
I'm setting up a new linux fileserver and I was wondering  if samba 
likes one filesystem more than another.  I have to format a 1.8Tb 
partition sometime today and I'll probably do ext3 unless samba 
prefers something else.




We have a lot more linux users than Windows users but the Windows 
users have more problems with slow access.




I use ext4 on mine without any issues. Since you're unlikely to change 
the file system once it's set up, why not go for the more modern 
version? It's stable and will probably receive better support over the 
long run.

