Re: [Samba] Problem with Samba and Windows Terminal Server 2008

2009-04-17 Thread Eric Roseme





Ron Daniel wrote:

Hello all,

We have a Windows 2008 Terminal Server which people connect into to 
run their programs. We are getting upwards of 60 people connecting in 
at any time. We are seeing error messages from the application 
complaining that it can't access one of the files on one of the 
shares.  I have read that this problem is likely to be due to the fact 
that we run one machine as a terminal server and there is only one 
netbios host being used by multiple people. The paper I have read from 
HP refers to registry key called MultiUserEnabled on earlier 
versions of windows terminal server needs to be set to 1 in order for 
the father smbd process to recognise different sessions connecting 
from the one host.


The paper is at 
http://www.docs.hp.com/en/12131/Samba-TerminalServer_106.pdf




I'll look around this afternoon and see if there are any clues that 2008 
has a newly-named multi-user parm.


Eric Roseme

Ron - I cannot find any evidence that 
MultiUserEnabled/EnableMultiUser/MultipleUsersOnConnection has been 
rolled forward into Windows 2008.  It's possible that the functionality 
was embedded in 2008 - but very unlikely.  Can you verify that your 60 
TS users are being serviced from one Samba smbd?  If you do not have any 
non-TS users connecting, then that is easy enough by doing a ps -ef | 
grep smbd and seeing if there are 61 processes or 2.  In the 
whitepaper, there are several workarounds suggested.


I'll see if I can find out from MS what the story is about 2008, but for 
2000 and 2003 it was a 3-year delay each time, as I recall.


Eric Roseme



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Problem with Samba and Windows Terminal Server 2008

2009-04-16 Thread Eric Roseme



Ron Daniel wrote:

Hello all,

We have a Windows 2008 Terminal Server which people connect into to run their programs. 
We are getting upwards of 60 people connecting in at any time. We are seeing error 
messages from the application complaining that it can't access one of the files on one of 
the shares.  I have read that this problem is likely to be due to the fact that we run 
one machine as a terminal server and there is only one netbios host being used by 
multiple people. The paper I have read from HP refers to registry key called 
MultiUserEnabled on earlier versions of windows terminal server needs to be 
set to 1 in order for the father smbd process to recognise different sessions connecting 
from the one host.

The paper is at http://www.docs.hp.com/en/12131/Samba-TerminalServer_106.pdf

Oops - that's my paper.  Sorry, I have not looked at 2008 for the 
parameter yet.  FYI - for both 2000 and 2003 Microsoft delayed rolling 
it forward for a few years.  Many customers were left hanging both 
times.  So it is possible that the parm is not on 2008 - I did a quick 
google and did not get any hits, but they have changed the name for each 
release, so that is not definitive.


I'll look around this afternoon and see if there are any clues that 2008 
has a newly-named multi-user parm.


Eric Roseme



Re: [Samba] sambaRefuseMachinePwdChange policy

2009-03-24 Thread Eric Roseme

Frank wrote:

Hi,
we have a couple of Linux RHEL 5 samba servers in a domain, one as PDC 
and the other as BDC, and both with LDAP backends

samba version is 3.0.28-1
We want pc clients can't change their machine password using 
sambaRefuseMachinePwdChange policy, so we set it to 1 in LDAP
But pc clients still can change their passwords, and we don't see any 
acces to sambaRefuseMachinePwdChange attribute on LDAP logs.

Is it not used in this version yet? Must we do something special to use it?


I saw the same thing in August of 2007:

http://marc.info/?l=samba&m=118772246625319&w=2

Which was never replied to.

Eric Roseme




Re: [Samba] Samba Password Question.

2009-03-19 Thread Eric Roseme



mpars...@uk.ey.com wrote:
Hi David, 

It's Samba Release 3 on an HP-UX 11.11 machine. We are allowing users to 
map folders from the unix box as shares on their windows laptops. 


Mark - I posted this on ITRC too:

I assume that you have a Samba PDC (security = user) with a passdb 
backend of tdbsam or ldapsam.  If so, then you set domain policies with 
pdbedit.  I believe that you have to set the user must change password 
attribute *and* the password age attribute to 0 (for each user) to 
make it happen at the next logon.


Have you already tried this and it did not work?

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#pdbeditthing

I think it's:

pdbedit -P "maximum password age" -C value
pdbedit -u user --pwd-must-change-time 0


Eric Roseme
Hewlett-Packard



Re: [Samba] Mapped Network Drive Error

2009-02-06 Thread Eric Roseme
Mike - your Samba server cannot contact a domain controller.  From your 
additional detail on the ITRC users group, it appears that you have 
changed from security = user to security = domain without actually 
joining the domain.  So you need to net rpc join.


Eric Roseme

mpars...@uk.ey.com wrote:
Hi, 

I'm getting the following error: 

The mapped network drive could not be created because the following error 
has occured - there are currently no logon servers available to service 
the logon request 

Any ideas? 

Kind Regards, 


Mark Parsons.






Re: [Samba] Host with multiple names

2009-01-15 Thread Eric Roseme
 I have been able to do this by using ADSIEdit to add the alias service 
principal to the server computer object in the AD.  In my case, I was 
using the same IP for hostname and alias.


I could not get Samba to create a keytab entry for the alias SP, though. 
 I could add a keytab SP with net ads keytab create, but the client 
could not authenticate using the SP.


For non-keytab authentication the alias worked.

Eric Roseme

Kums wrote:

Imho, you can join/authenticate to AD only via single name that is specified
in the netbios parameter in smb.conf. If you do not specify anything, the
default netbios name of the node is going to be your hostname.

If a host has multiple IP address/eth interfaces, then you can access the
share using multiple IP addresses (with single host name) unless you did
not bind ur SMBD to a particular IP address in smb.conf using interfaces
option.

Cheers,
-Kums

On Wed, Jan 14, 2009 at 12:47 PM, Avron Gray ag...@aeso.ca wrote:


I should add the following:
The host has been joined to ADS with the actual hostname
The host is sharing fine via this hostname/IP

Attempting to connect via the host's alias / alternate IP address
results in the following error message:
The trust relationship between this workstation and the primary domain
failed.

Cheers,

- Avron

-Original Message-
From: samba-bounces+agray=aeso...@lists.samba.org On Behalf Of Avron Gray
Sent: Wednesday, January 14, 2009 12:38 PM
To: samba@lists.samba.org
Subject: [Samba] Host with multiple names

Hi folks,

I'm running samba 3.0.33 on Solaris 9 hosts.

I have a host that has two hostnames (actual + alias). I would like to
be able to connect to this host via either hostname and be able to
access this samba data.

Note: I would prefer not to run multiple samba instances...

Has anyone else experienced this sort of issue, and have you been able
to resolve it?

- Avron
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] sync always, strict sync, cache question

2008-09-16 Thread Eric Roseme



Chris Fanning wrote:

snip

But I am worried about the cache that Samba makes use of. We would
like samba to write to disk immediately.
We've found these two options for smb.conf

sync always = yes
strict sync = yes

I can't quite see the difference between the two in my case.
If I set 'sync always = yes' _or_ 'strict sync = yes', I can copy
files at 70MB/s (similar to NFS using async).
If I set both options, file transfer speed drops to about 20MB/s

Does that mean that I do need to set both options to ensure the cache
is written to disk before the server returns the ok to the client?
How could I test this?

And now while I'm here ;) , does anyone have any other recommendations
for this kind of setup?

Thanks,
Chris.

Hi Chris,  I did an investigation on this in 2003.  Here are the 
results.  Not sure if things have changed since then.

---


Samba defaults to asynchronous writes.  smbd writes to memory buffer, 
then returns to processing.  Buffer is flushed to disk later. This is 
the most efficient behavior.


Windows CreateFile API has the FILE_FLAG_WRITE_THROUGH flag, which 
requests synchronous writes.  smbd writes to memory buffer, blocks until 
buffer contents are written to disk, which results in poor performance, 
but better data integrity.


When strict sync = yes (default = no) Samba honors the 
FILE_FLAG_WRITE_THROUGH flag, and results in synchronous writes when 
called by the CreateFile API.


When sync always = yes (default = no) Samba executes all writes 
synchronously. This requires that “strict sync = yes”.


StrictSync  SyncAlways  ff_write_through  Sync-Writes
no          no          no                no
yes         no          no                no
yes         no          yes               Yes (slow)
no          yes         yes               no
yes         yes         yes/no            yes (very slow)

Eric Roseme
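
The rule behind the table above, applied to every share of an smb.conf, as an added example that is not part of the original post and not Samba code. It assumes the defaults stated in the post (both parameters default to no) and reflects the 2003 findings only; the sample configuration, share names and function names are constructed for illustration.

```python
import re

# Boolean spellings accepted for smb.conf yes/no parameters.
TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}

# Defaults as stated in the post: strict sync = no, sync always = no.
DEFAULTS = {"strictsync": False, "syncalways": False}

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """
# constructed example
[global]
    Sync Always = yes

[data]
    path = /srv/data
    strict sync = yes

[scratch]
    path = /srv/scratch

[db]
    path = /srv/db
    strictsync = True
    sync always = no
"""


def _norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def _to_bool(value, param):
    v = value.strip().lower()
    if v in TRUE:
        return True
    if v in FALSE:
        return False
    raise ValueError(f"{param}: not a boolean value: {value!r}")


def parse_smb_conf(text):
    """Return {section: {normalised_param: raw_value}} for smb.conf text."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def effective(sections, share, param):
    """Share setting wins, then [global], then the default from the post."""
    for scope in (share, "global"):
        if param in sections.get(scope, {}):
            return _to_bool(sections[scope][param], param)
    return DEFAULTS[param]


def writes_are_synchronous(strict_sync, sync_always, write_through):
    """Rule from the post: nothing is synchronous unless strict sync = yes;
    then either sync always or the client's FILE_FLAG_WRITE_THROUGH forces it."""
    return bool(strict_sync and (sync_always or write_through))


def audit(text):
    """Per share: effective settings and whether writes hit disk before the reply."""
    sections = parse_smb_conf(text)
    report = {}
    for share in sections:
        if share == "global":
            continue
        strict = effective(sections, share, "strictsync")
        always = effective(sections, share, "syncalways")
        report[share] = {
            "strict sync": strict,
            "sync always": always,
            "sync_without_flag": writes_are_synchronous(strict, always, False),
            "sync_with_flag": writes_are_synchronous(strict, always, True),
            # sync always = yes alone does nothing according to the table
            "sync_always_ineffective": always and not strict,
        }
    return report


if __name__ == "__main__":
    for share, row in audit(SAMPLE_CONF).items():
        print(share, row)
```
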



Re: [Samba] HPUX and Samba 3.023 question

2008-08-12 Thread Eric Roseme

Casey Dearcorn wrote:

I am sorry if this sounds dumb, but I am sort of a newbie with samba.

 


We have upgraded our active directory domain servers to 2008 and samba
3.07 will not bind to the directory anymore.  I have been told that I
need to upgrade past 3.022 in order to make it work?  First of all is
this true?  Second, when I went to install it and run it there is an
error that it can not find libldap-2.2.so.  I am assuming this is for
the HPUX IXOPENLDAP, but I am not sure.  In either case I can not find
this version to install.  I don't want to mess my box up, but I would
like to get my samba running correctly again.  Can anyone give me any
advice or information?


Hi Casey,

Are you using HP CIFS Server or Opensource Samba?  I am guessing from 
the library error that you were using CIFS Server and then tried to 
install and run Opensource.  What HP-UX version are you on?


If you are compiling/using Opensource, then you need to update past 
3.0.28, so you might as well get 3.0.31.  You will also need to install 
OpenLDAP to get the libraries.  Go here and read the README: 
http://us1.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.23a/README


If you are using HP CIFS Server, then the latest version is based upon 
Samba 3.0.22a with fixes ported in from later versions up to 3.0.25a. 
So it does not have the fix for joining a W2008 domain with security = 
ads.  You can join W2008 with security = domain, though.


Eric Roseme
Hewlett-Packard


Re: [Samba] HPUX and Samba 3.023 question

2008-08-12 Thread Eric Roseme



Ryan Novosielski wrote:


Eric Roseme wrote:

Casey Dearcorn wrote:

I am sorry if this sounds dumb, but I am sort of a newbie with samba.

 


We have upgraded our active directory domain servers to 2008 and samba
3.07 will not bind to the directory anymore.  I have been told that I
need to upgrade past 3.022 in order to make it work?  First of all is
this true?  Second, when I went to install it and run it there is an
error that it can not find libldap-2.2.so.  I am assuming this is for
the HPUX IXOPENLDAP, but I am not sure.  In either case I can not find
this version to install.  I don't want to mess my box up, but I would
like to get my samba running correctly again.  Can anyone give me any
advice or information?


Hi Casey,

Are you using HP CIFS Server or Opensource Samba?  I am guessing from
the library error that you were using CIFS Server and then tried to
install and run Opensource.  What HP-UX version are you on?

If you are compiling/using Opensource, then you need to update past
3.0.28, so you might as well get 3.0.31.  You will also need to install
OpenLDAP to get the libraries.  Go here and read the README:
http://us1.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.23a/README

If you are using HP CIFS Server, then the latest version is based upon
Samba 3.0.22a with fixes ported in from later versions up to 3.0.25a. So
it does not have the fix for joining a W2008 domain with security =
ads.  You can join W2008 with security = domain, though.

Eric Roseme
Hewlett-Packard


Eric,

Is that also true of A.02.03.04? Looks like it is somewhat newer, but
I'm not 100% sure how that affects the domain stuff.

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

You probably know better than I, being from HP, but I've spent an
inordinate amount of time on this recently, so I have the release notes
memorized. :-P

PS: utmp = yes causes PANIC's on A.02.03.03 and A.02.03.04.



Hi Ryan,

Yes - unfortunately, it also holds true of A.02.03.04.  Sorry that you 
spent so much time on it.


I can send you a tool that will allow you to write the CIFS/Samba 
computer object to the W2008 AD and generate a keytab file on the 
CIFS/Samba server.  When you start CIFS/Samba with use kerberos keytab 
= yes, your users can authenticate to and mount CIFS/Samba shares, but 
any of the net commands that require auth-n will fail (including join). 
 winbind will not start either.  Still working on this as a W/A.  I do 
not have a timeframe for 3.0.28 (or .31) for CIFS yet.


PS - the tool is unsupported.

Eric


Re: [Samba] Samba / AD integration

2008-08-05 Thread Eric Roseme

Check out this paper:

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it about 3 years ago, so the Samba version was 3.0.7.  Things 
may have changed.  It refers to HP-UX CIFS Server but at the time held 
true for Opensource too.


Eric Roseme

Brian Foddy wrote:
I have a quick question on hooking Samba to a large AD domain.  
Following the excellent recipe at:


http://wiki.samba.org/index.php/Samba_&_Active_Directory

I see it states about half way down to join the machine to AD

Now to join your machine to the active directory. You will need the 
user-name and password to a Domain Administrator account to do this. The 
command you need to join the domain is net ads join -U sadwrn. This 
should then ask you for a password, and print a domain join notice.


Is this required to use a Domain Administrator account, or can any 
normal user AD account be used?  I know AD doesn't allow anonymous 
browsing, but can a normal non-admin account be used?  As I read through 
it, I don't see any other special admin access required other than the root 
on the Linux machine.



My goal is this...  We have a very large AD system, 80.000+ users, and 
we want to activate Samba on two servers for a very small user group 
(maybe 12 users) but validate userid/passwords against AD.  If Samba can 
be setup with little or no AD changes, or involvement from the AD 
administrators, but with some simple config from the UNIX admins, then 
we have a much better chance of getting this approved.  But if it 
requires a lot of heavy involvement of the AD support group, ongoing 
maintenance, etc, then the odds are slim.  Largely political, the UNIX 
admins are much more open to open source solutions than the Windows side 
of the fence.  So if this can be sold as just another AD client app 
not requiring any special AD domain permissions, we have a chance.


Thanks for any help/advice.
Brian




Re: [Samba] Slow Samba writes over NFS

2008-07-18 Thread Eric Roseme



Helmut Hullen wrote:

Hello, ashis.v.purbhoo,

You (ashis.v.purbhoo) wrote on 17.07.08:



Currently in the process of upgrading Samba v2.0.10 to Samba v3.0.x,
while conducting some minimal testing, it turns-out that Samba v3.0.x
is performing slower than Samba v2.0.10.



Set-ups:
A. Samba v3.0.x --
Same PC client is accessing the samba share running on Red Hat 4.5
(64bit, HP DL380) which in turn has an NFS mount coming from another
SAN attached Red Hat 4.5 (64bit, HP DL380).



B. Samba v2.0.x --
Same PC client is accessing the samba share running on Red Hat 4.5
(32bit, Dell T7400) which in turn has an NFS mount coming from
another SAN attached Red Hat 4.5 (64bit, HP DL380).


Maybe a change to cifs instead of nfs helps - I have seen that in a  
school in the neighbourhood.


Best regards!
Helmut

Samba 2.* default was strict locking = no, and 3.* is strict locking 
= yes.  If you have strict locking set over an NFS mount, it will be 
very slow.


Eric Roseme


[Samba] Administrator Maps winbind GID to 100 (sys)

2008-05-14 Thread Eric Roseme
Samba 3.0.22a (with backports from up to 3.0.25) on HP-UX 11iv3 (HP CIFS 
Server), security=ADS to W2003R2 domain, winbind running with idmap 
backend = rid:, and root = DOMAIN+Administrator in username.map.


From Administrator on a domain Vista client, using Explore to map a 
share and then set an ACL from Properties/Security/Permissions, I choose 
a Windows group from the list to add to the directory ACL.  The winbind 
GID is 12011.  The correct groupname is displayed in the Explorer 
window, but when doing a getacl from unix, the GID is 100, or sys - the 
Administrator home group.


So I went to /var/opt/samba/locks and deleted all of the cache files and 
restarted - same result.


If I set the directory to a different owner, and add the same GID with a 
different client user, then the correct winbind GID is added to the ACL.


Any idea why Administrator=root maps the sys GID to a winbind group 
name?  Log entry and smb.conf below.  Thanks,


Eric Roseme

[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1318)
  local_sid_to_gid: Fall back to algorithmic mapping
[2008/05/14 09:57:02, 10] passdb/passdb.c:local_sid_to_gid(1325)
  local_sid_to_gid: mapping: S-1-5-21-463747597-202940698-2940076759-1201 - 100
[2008/05/14 09:57:02, 10] passdb/lookup_sid.c:sid_to_gid(1245)
  sid_to_gid: S-1-5-21-463747597-202940698-2940076759-1201 - 100
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1453)
  create_canon_ace_lists: adding dir ACL:
  canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x
[2008/05/14 09:57:02, 10] smbd/posix_acls.c:create_canon_ace_lists(1511)
  create_canon_ace_lists: adding file ACL:
  canon_ace index 0. Type = allow SID = S-1-5-21-463747597-202940698-2940076759-1201 gid 100 (100) SMB_ACL_GROUP perms r-x




# Samba config file created using SWAT
# from 16.93.45.222 (16.93.45.222)
# Date: 2006/04/28 10:10:56

# Global parameters
[global]
workgroup = SNSLATC
realm = SNSLATC.HP.COM
server string = Samba Server
interfaces = xx.xxx.xxx.xx
bind interfaces only = Yes
netbios name = SERVER14   
security = ADS 
client schannel = No
server schannel = No
password server = SNSLATC-DC.SNSLATC.HP.COM
log level = 10
log file = /var/opt/samba/log.%m
username map = /etc/opt/samba/username.map
max log size = 1000
machine password timeout = 300
local master = No
wins server = xx.xxx.xxx.xx
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
idmap backend = rid:SNSLATC=1-2
template homedir = /home/%U
template shell = /usr/bin/sh
winbind separator = +
winbind use default domain = yes
allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
read only = No
short preserve case = No
dos filetime resolution = Yes
#use kerberos keytab = yes

[homes]
comment = Home Directories
valid users = %S
browseable = No

[tmp]
comment = Temporary file space
path = /tmp

[sbx_interface]
  path = /home/sbx_interface


Re: [Samba] (no subject)

2008-04-25 Thread Eric Roseme

Hi Sudheer,

Although your particular case is fixed already, I'll reply here for 
completeness to the list.


HP-UX requires a special tweak to the /etc/krb5.conf file in order to 
create a keytab file - the addition of the WRFILE parameter.  This is 
fully explained in the HP CIFS Server and Kerberos whitepaper, located 
here:


http://www.docs.hp.com/en/7213/HPCIFSKerberosV103.pdf

Eric Roseme


Radhakrishnan, Sudheer Kumar K. wrote:

Hello Samba,

We are using Samba/CIFS hp-ux server connecting to Windows ADS and try
to create keytab file using

net ads create keytab -u Administrator ,but it is unable to create
keytab file in the /etc/directory.

Please see the attached output file for your reference.

Appreciate your help!!

Sudheer Radhakrishnan / Capgemini
North America PC / East Business Unit
Unix Support / Hosting


Re: [Samba] krb5.conf file in /var/lib/samba/smb_krb5; Samba 3.0.27a

2008-02-28 Thread Eric Roseme

Hi Alex,

The reason that I was looking at this was because although I had MD5 
configured in /etc/krb5.conf, Wireshark showed that the AS-REQ/REP, 
TGS-REQ/REP, and the SMB Session Setup AndX Request and Response were 
all in RC4.  I could not figure out why until I found the Samba 
krb5.conf.  So it appears that Samba supersedes the /etc/krb5.conf 
enctype and uses RC4.


Eric

Alex de Vaal wrote:

Hello Eric,

Thnx for your answer, now I know I couldn't find anything about the
subject... ;-)
Before I asked the question about the krb5.conf file in
/var/lib/samba/smb_krb5 I searched all Samba documentation and googled
around, but I didn't find an answer that satisfied me.
I already noticed that this file has a link with the gencache.tdb file, I
played around with this in my test environment (remove the files and start
the daemons and look what is in it with a binary editor).

I'd like to understand what the file does, because my Samba domain members
in the live environment have no DC's in the same IP net, they are all behind
routers. So I want to know how this works, before I use Samba 3.0.27a in my
live AD environment.

BTW; you can see with netstat -na | grep 445 to which DC the Samba server
is talking to...

Regards,
Alex.



On Wed, Feb 27, 2008 at 5:52 PM, Eric Roseme [EMAIL PROTECTED]
wrote:


I asked a co-worker who attended the Samba workshop last September to
pose the following question.  The answer follows (maybe it will help):

Q1.   Will the new (3.0.25b) krb5 code (that creates a
Samba-specific krb5.conf file) be documented somewhere?


A1.  Samba does not have documentation about the Samba-specific
krb5.conf that is placed in locking directory. And also, after running
kinit to obtain Kerberos ticket, Samba stores the ticket into memory
tdb, probably gencache.tdb. But Samba doesn't provide a tool to allow
users to see which DC Samba is talking to. Currently, we can use klist
to see which domain is being used by Samba.

Obviously this does not answer your question about how it works, but it
might get you closer.

Eric Roseme




Re: [Samba] krb5.conf file in /var/lib/samba/smb_krb5; Samba 3.0.27a

2008-02-27 Thread Eric Roseme
I asked a co-worker who attended the Samba workshop last September to 
pose the following question.  The answer follows (maybe it will help):


Q1.   Will the new (3.0.25b) krb5 code (that creates a 
Samba-specific krb5.conf file) be documented somewhere?



A1.  Samba does not have documentation about the Samba-specific 
krb5.conf that is placed in locking directory. And also, after running 
kinit to obtain Kerberos ticket, Samba stores the ticket into memory 
tdb, probably gencache.tdb. But Samba doesn't provide a tool to allow 
users to see which DC Samba is talking to. Currently, we can use klist 
to see which domain is being used by Samba.


Obviously this does not answer your question about how it works, but it 
might get you closer.


Eric Roseme


Alex de Vaal wrote:

Hello list,

I've upgraded from Samba 3.0.14a to 3.0.27a (Samba is a domain member of a
W2k3 native AD) and I see that in the /var/lib/samba/smb_krb5 directory a
krb5.conf file is created.
Is this krb5.conf file extracted from my original /etc/krb5.conf? Or is this
file created from the password server = entry in my smb.conf file?
My original /etc/krb5.conf contains the DC's in DNS name and the
krb5.conf file in /var/lib/samba/smb_krb5 contains DC's on IP address.

I noticed also that the krb5.conf file in /var/lib/samba/smb_krb5 is only
renewed if /var/lib/samba/gencache.tdb is deleted before winbind is
restarted and it also uses the DC that is configured as primary DC in Sites
and Services in the Active Directory.

Can anyone shed a light how this work?

Thnx,
Alex.

Some info:

/etc/samba/smb.conf
===

password server = adm02.test.com, adm03.test.com


/etc/krb5.conf
==

[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = adm02.test.com:88
  kdc = adm03.test.com:88
  kdc = adm01.test.com:88


/etc/hosts


192.168.100.100 adm01.test.com
10.0.0.100 adm02.test.com
192.168.100.110 nhadm03.test.com


/var/lib/samba/smb_krb5/krb5.conf.TEST
=

[libdefaults]
default_realm = TEST.COM

[realms]
TEST.COM = {
kdc = 192.168.100.110
kdc = 10.0.0.100
}

--


Re: [Samba] SAMBA ADS integration - windows user account rights

2007-12-19 Thread Eric Roseme



Bert Verhaeghe wrote:

Hi all,

first of all is it possible to join a Linux machine to AD using a
windows user account that is not a member of the group Domain Admins?
Cause when I do this I get the following error while executing `net ads
join -d 3 -U syncuser`: 



#net ads join -d 3 -U  syncuser
[2007/12/11 13:47:12, 3] param/loadparm.c:lp_load(4953)  lp_load:
refreshing parameters
[2007/12/11 13:47:12, 3] param/loadparm.c:init_globals(1418)
Initialising global parameters 
[2007/12/11 13:47:12, 3] param/params.c:pm_process(572)

params.c:pm_process() - Processing configuration file
/etc/samba/smb.conf
[2007/12/11 13:47:12, 3] param/loadparm.c:do_section(3695) Processing
section [global] 
[2007/12/11 13:47:12, 2] lib/interface.c:add_interface(81) added
interface ip=10.0.0.3 bcast=10.0.0.255 nmask=255.255.255.0 
octopussync's password: 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:get_dc_list(1426)

get_dc_list: preferred server list: , DC
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_lmhosts(939)
resolve_lmhosts: Attempting lmhosts lookup for name DC0x20 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(836)

resolve_wins: Attempting wins lookup for name DC0x20
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_wins(839)
resolve_wins: WINS server resolution selected and no WINS servers
listed. 
[2007/12/11 13:47:17, 3] libsmb/namequery.c:resolve_hosts(1002)

resolve_hosts: Attempting host lookup for name DC0x20
[2007/12/11 13:47:17, 3] libads/ldap.c:ads_connect(287) Connected to
LDAP server 10.0.0.1
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)

ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(210)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 
[2007/12/11 13:47:17, 3] libads/sasl.c:ads_sasl_spnego_bind(219)

ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_krb5_mk_req(552)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found) 
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)

ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Tue, 11 Dec 2007 23:47:05 UTC
[2007/12/11 13:47:17, 3] libsmb/cliconnect.c:cli_start_connection(1426)
Connecting to host= DC.domain.local
[2007/12/11 13:47:17, 3] lib/util_sock.c:open_socket_out(874) Connecting
to 10.0.0.1 at port 445
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(721) Doing spnego session
setup (blob length=107) 
[2007/12/11 13:47:17, 3]

libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 48018
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 2 840 113554
1 2 2 3 
[2007/12/11 13:47:17, 3]

libsmb/cliconnect.c:cli_session_setup_spnego(746) got OID=1 3 6 1 4 1
311 2 2 10
[2007/12/11 13:47:17, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(754) got principal=dc
[EMAIL PROTECTED]
[2007/12/11 13:47:17, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(546) Doing kerberos
session setup
[2007/12/11 13:47:17, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Tue, 11 Dec 2007 23:47:05 UTC 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)

rpc_pipe_bind: Remote machine DC.domain.local pipe \lsarpc fnum 0x400c
bind request returned ok.
[2007/12/11 13:47:17, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
lsa_io_sec_qos: length c does not match size 8 
[2007/12/11 13:47:17, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)

rpc_pipe_bind: Remote machine DC.domain.local pipe \samr fnum 0x400a
bind request returned ok.
Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) 
Failed to join domain!

[2007/12/11 13:47:17, 2] utils/net.c:main(988) return code = -1


But when the user is added to the Domain Admins group, the join is
successful.

And if the latter is possible, which permissions should the windows user
account have? 


Thx in advance

bert



Hi Bert,

I do not know about the Domain Admins group angle, but if you want to 
know what the minimal user rights necessary for a net ads join are, 
then this whitepaper explains it.  It says HP CIFS Server, but holds 
true for Opensource Samba as well.


http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

Eric Roseme
Hewlett-Packard




Re: [Samba] Installation problem of SAMBA 3.0.23a on HP-UX 11.23

2007-11-26 Thread Eric Roseme
Ryan is correct for both topics.  Go here to get the correct compiler 
(4.2.2):


http://hpux.cs.utah.edu/hppd/hpux/Gnu/gcc-4.2.2/

Also, if you are attempting to compile and install 3.0.23a, you should 
consider using HP CIFS Server 3.0h, which is Samba 3.0.22 plus fixes 
from each release through 3.0.25.  It's free for HP-UX:


http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

This is an easy download, install and configure.

Eric Roseme
Hewlett-Packard

Ryan Novosielski wrote:


A compile of Samba requires HP's AnsiC (non-bundled) compiler, or GCC.
At least, I'm pretty sure that's the case.

Anyhow, CIFS/9000 is pretty up-to-date these days. You might consider
not bothering and just installing that from HP.

=R

Béland wrote:

To whom it may concern,
 
 
There was no problem at all with the installation of the Depot.
 
Before running the ./configure command I'm setting the following variables like this (as it's mentioned in the README file):
 
export CFLAGS=-O -DWITH_SYSLOG -DGUEST_ACCOUNT=\\\smbnull\\\

export CPPFLAGS=-I/opt/iexpress/openldap/include
export LDFLAGS=-L/opt/iexpress/openldap/lib
 
Here is the 'configure' command that I'm using (as it's mentioned in the README file):
 
./configure \

--sbindir=\${BINDIR} \
--with-krb5  \
--with-ldap \
--with-ldapsam \
--with-ads \
--with-libiconv=/usr/local \
--with-quotas   \
--prefix=/usr/local/samba \
--with-acl-support \
--with-winbind \
--with-pam \
--with-sendfile-support \
--with-shared-modules=idmap_rid \
--disable-pie \
--with-aio-support

And here is the output of that command :
 
SAMBA VERSION: 3.0.23a

checking for gcc... no
checking for cc... cc
checking for C compiler default output file name... configure: error: C compiler
 cannot create executables
See `config.log' for more details.
 
 
And here is the output of the config.log :
 
This file contains any messages produced by compilers while

running configure, to aid debugging if configure makes a mistake.
 
It was created by configure, which was

generated by GNU Autoconf 2.59.  Invocation command line was
 
  $ ./configure --sbindir=${BINDIR} --with-krb5 --with-ldap --with-ldapsam --wit

h-ads --with-libiconv=/usr/local --with-quotas --prefix=/usr/local/samba --with-
acl-support --with-winbind --with-pam --with-sendfile-support --with-shared-modu
les=idmap_rid --disable-pie --with-aio-support
 
## - ##

## Platform. ##
## - ##
 
hostname = trsoracle01

uname -m = ia64
uname -r = B.11.23
uname -s = HP-UX
uname -v = U
 
/usr/bin/uname -p = unknown

/bin/uname -X = unknown
 
/bin/arch  = unknown

/usr/bin/arch -k   = unknown
/usr/convex/getsysinfo = unknown
hostinfo   = unknown
/bin/machine   = unknown
/usr/bin/oslevel   = unknown
/bin/universe  = unknown
 
PATH: /usr/bin

PATH: /usr/sbin
PATH: /sbin
 


## --- ##
## Core tests. ##
## --- ##
 
configure:1901: checking for gcc

configure:1930: result: no
configure:1981: checking for cc
configure:1997: found /usr/bin/cc
configure:2007: result: cc
configure:2171: checking for C compiler version
configure:2174: cc --version /dev/null 5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2177: $? = 0
configure:2179: cc -v /dev/null 5
configure:2182: $? = 0
configure:2184: cc -V /dev/null 5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2187: $? = 0
configure:2210: checking for C compiler default output file name
configure:2213: cc -O -DWITH_SYSLOG -DGUEST_ACCOUNT=\smbnull\ -D_SAMBA_BUILD_
-I/opt/iexpress/openldap/include -L/opt/iexpress/openldap/lib conftest.c  5
(Bundled) cc: warning 922: -O is unsupported in the bundled compiler, ignored.
Error 100: command line, line 0 # String and character constants cannot span
 lines.
configure:2216: $? = 2
configure: failed program was:
| /* confdefs.h.  */
|
| #define PACKAGE_NAME 
| #define PACKAGE_TARNAME 
| #define PACKAGE_VERSION 
| #define PACKAGE_STRING 
| #define PACKAGE_BUGREPORT 
| /* end confdefs.h.  */
|
| int
| main ()
| {
|
|   ;
|   return 0;
| }
configure:2254: error: C compiler cannot create executables
See `config.log' for more details.
 
##  ##

## Cache variables. ##
##  ##
 
ac_cv_env_CC_set=''

ac_cv_env_CC_value=''
ac_cv_env_CFLAGS_set=set
ac_cv_env_CFLAGS_value='-O -DWITH_SYSLOG -DGUEST_ACCOUNT=\smbnull\'
ac_cv_env_CPPFLAGS_set=set
ac_cv_env_CPPFLAGS_value=-I/opt/iexpress/openldap/include
ac_cv_env_CPP_set=''
ac_cv_env_CPP_value=''
ac_cv_env_LDFLAGS_set=set
ac_cv_env_LDFLAGS_value=-L/opt/iexpress/openldap/lib
ac_cv_env_build_alias_set=''
ac_cv_env_build_alias_value=''
ac_cv_env_host_alias_set=''
ac_cv_env_host_alias_value=''
ac_cv_env_target_alias_set=''
ac_cv_env_target_alias_value=''
ac_cv_prog_ac_ct_CC=cc
libc_cv_fpie=no
 
## - ##

## Output variables. ##
## - ##
 
ACL_LIBS=''

AR=''
AUTH_LIBS=''
AUTH_MODULES

Re: [Samba] net ads join must use AD Administrator account ?

2007-11-14 Thread Eric Roseme



Jeff Lee wrote:

Hi all,

I want to configure a samba server (3.0.25b) with krb5-1.6.2, 
openldap-2.3.37 and db-4.6.18 for single sign-on purpose. I have some 
questions.


1. Is the AD Administrator account for Samba to kinit and net join the 
AD only ?
2. Can I use a common user with Create Computer Objects permission to 
kinit and net join AD ?
3. I got Failed to join domain: Strong(er) authentication required 
error message when I run net ads join using non-administrator user 
account. Is it the error message of using non-administrator account to 
net ads join ?


Can anyone help ?

Thanks,
Jeff


Read this:

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it for HP CIFS Server, but it's the same for Opensource Samba.

Eric Roseme
Hewlett-Packard


Re: [Samba] smbd process per user ( Samba 3 + Terminal server )

2007-10-09 Thread Eric Roseme
I would have asked if you tested on NT4 or W2000, but another Samba 
lists reader emailed me directly that EnableMultipleUsers is now 
implemented on W2003.  So I configured it on my W2003 PDC (I no longer 
have any NT4 or W2000) and it works (see below).  Both sessions 
originate from the same Terminal Server, and they start individual smbd 
daemons on the Samba server.  So maybe you do not have the hotfix or 
servicepack or something.  Here is the url to the W2003 instructions:


http://support.microsoft.com/kb/913835

I'll edit my paper to include W2003 and re-post it.

Eric Roseme
Hewlett-Packard


emonster-smbstatus

Samba version 3.0.22 based HP CIFS Server A.02.03
PID Username  Group Machine
---
 1441   administ  Domain U  xx.xxx.208.126 (xx.xxx.208.126)
 1369   eroseme   Domain U  xx.xxx.208.126 (xx.xxx.208.126)

Service  pid machine   Connected at
---
eroseme  1369   xx.xxx.208.126  Tue Oct  9 08:59:34 2007
backup   1441   xx.xxx.208.126  Tue Oct  9 09:21:51 2007

Locked files:
Pid  DenyMode   Access  R/WOplock 
SharePath   Name


1441 DENY_NONE  0x11RDONLY NONE /backup 
  .   Tue Oct  9 09:22:04 2007
1441 DENY_NONE  0x11RDONLY NONE /backup 
  .   Tue Oct  9 09:22:04 2007
1369 DENY_NONE  0x11RDONLY NONE 
/home/eroseme   .   Tue Oct  9 08:59:48 2007
1369 DENY_NONE  0x11RDONLY NONE 
/home/eroseme   .   Tue Oct  9 08:59:48 2007


Stas wrote:

Terminal server already configured with EnableMultiUser=1, but all
sessions from Terminal server appear under the same PID:

file-srv:~ # net status sessions
PID Username  Group Machine
---
 8742   DOMAIN\user1  DOMAIN\domain users  10.163.128.42 (10.163.128.42)
 8742   DOMAIN\user2  DOMAIN\domain users  10.163.128.42 (10.163.128.42)
 8742   DOMAIN\terminal$  DOMAIN\domain computers  10.163.128.42 (10.163.128.42)

So, if I kill PID 8742 all files opened by terminal server users will
be closed.
Thanks.



On 10/8/07, Eric Roseme [EMAIL PROTECTED] wrote:

Depends upon your terminal server.  NT4 and W2000 - yes.  W2003 - no
(unless they added the EnableMultipleUsers parameter from W2000).  I
wrote a kind of wordy paper about this:
http://www.docs.hp.com/en/5015/Samba-TerminalServer_104Final.pdf.  This
paper version does not include the W2000 fix, which is the above
parameter and hotfix Q818528.  I have not looked to see if Microsoft
ever fixed this on W2003.  I can send you the whitepaper with the W2000
fix incorporated, if you want it (I never posted the updated version).

Eric Roseme
Hewlett-Packard

Stas wrote:

Hello all.
Is it possible to force a Samba 3 server to create an smbd process for
each user that opens a file from Terminal Server?
Sometimes I need to close files, but can't do that by killing the PID since
it would close all files that are opened by terminal server users.
Is there any flexible way to manage open files on Samba?

Thanks .

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
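
The two session tables in this thread differ in exactly one way: Eric's shows one smbd PID per user, Stas's shows every user from the terminal server on PID 8742. The script below is an added example, not part of any post; it reads `smbstatus` or `net status sessions` output and lists each smbd PID that carries more than one user, which is the set of users affected if that PID is killed. The function names and sample tables are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): list smbd PIDs that carry sessions for
# more than one user, reading `smbstatus` / `net status sessions` output on stdin.
# Output, one line per shared PID:  PID MACHINE USERCOUNT user1,user2,...

shared_smbd() {
    awk '
    # Session rows start with a numeric PID and end with "(address)".
    # Locked-file rows also start with a PID but end with a year, so the
    # parenthesis test keeps them out. Usernames containing spaces are not handled.
    $1 ~ /^[0-9]+$/ && $NF ~ /^\(.+\)$/ {
        pid = $1; user = $2
        host = $NF; gsub(/[()]/, "", host)
        if (user ~ /\$$/) next              # machine account, not a person
        if ((pid, user) in seen) next       # same user listed twice on one PID
        seen[pid, user] = 1
        if (!(pid in count)) order[++n] = pid
        count[pid]++
        users[pid] = (count[pid] == 1 ? user : users[pid] "," user)
        machine[pid] = host
    }
    END {
        # Report PIDs in the order they first appeared in the table.
        for (i = 1; i <= n; i++) {
            pid = order[i]
            if (count[pid] > 1)
                printf "%s %s %d %s\n", pid, machine[pid], count[pid], users[pid]
        }
    }'
}

# Constructed sample: the `net status sessions` table quoted in the thread,
# where all terminal-server users share one smbd.
sample_shared() {
cat <<'EOF'
PID     Username      Group         Machine
-------------------------------------------------------------------
 8742   DOMAIN\user1  DOMAIN\domain users  10.163.128.42 (10.163.128.42)
 8742   DOMAIN\user2  DOMAIN\domain users  10.163.128.42 (10.163.128.42)
 8742   DOMAIN\terminal$  DOMAIN\domain computers  10.163.128.42 (10.163.128.42)
EOF
}

# Constructed sample: the smbstatus output quoted in the thread, one smbd per
# user, with one locked-file row included to show that it is ignored.
sample_separate() {
cat <<'EOF'
PID     Username      Group         Machine
-------------------------------------------------------------------
 1441   administ  Domain U  xx.xxx.208.126 (xx.xxx.208.126)
 1369   eroseme   Domain U  xx.xxx.208.126 (xx.xxx.208.126)

Locked files:
1441 DENY_NONE  0x11 RDONLY NONE /backup   .   Tue Oct  9 09:22:04 2007
EOF
}

echo "shared table:";   sample_shared   | shared_smbd
echo "separate table:"; sample_separate | shared_smbd
```

On a live server the input would be `smbstatus | shared_smbd`; an empty result means every user has a dedicated smbd.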


Re: [Samba] smbd process per user ( Samba 3 + Terminal server )

2007-10-08 Thread Eric Roseme
Depends upon your terminal server.  NT4 and W2000 - yes.  W2003 - no 
(unless they added the EnableMultipleUsers parameter from W2000).  I 
wrote a kind of wordy paper about this: 
http://www.docs.hp.com/en/5015/Samba-TerminalServer_104Final.pdf.  This 
paper version does not include the W2000 fix, which is the above 
parameter and hotfix Q818528.  I have not looked to see if Microsoft 
ever fixed this on W2003.  I can send you the whitepaper with the W2000 
fix incorporated, if you want it (I never posted the updated version).


Eric Roseme
Hewlett-Packard

Stas wrote:

Hello all.
Is it possible to force a Samba 3 server to create an smbd process for
each user that opens a file from Terminal Server?
Sometimes I need to close files, but can't do that by killing the PID since
it would close all files that are opened by terminal server users.
Is there any flexible way to manage open files on Samba?

Thanks .



Re: [Samba] kinit works, net join ads fails

2007-09-27 Thread eric roseme
I know this sounds a little strange, but I was having the same problem 
on 3.0.25c, but adding the password to the command line solved it.  I 
have no idea why:


net ads join -U administrator%password

Eric Roseme

Peter Baumgartner wrote:

I am running 3.0.25c on OpenSolaris. I can successfully do a kinit and see
the ticket via klist, but am unable to join the domain.

/usr/sfw/sbin/net -d 5 ads join -U [EMAIL PROTECTED]

gives the following error...

[2007/08/29 15:49:24, 3] libsmb/clikrb5.c:(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
file found)
[2007/08/29 15:49:24, 0] libads/kerberos.c:(228)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication
failed
[2007/08/29 15:49:24, 1] utils/net_ads.c:(1470)
  error on ads_startup: Preauthentication failed
Failed to join domain: Logon failure
[2007/08/29 15:49:24, 2] utils/net.c:(1032)

I have synced the time on the Samba box with my domain controller. Any
thoughts on what is wrong?


On 9/3/07, Necos Secon [EMAIL PROTECTED] wrote:

So, just a few things to check:

1.) Typos in the realm name.
2.) Typos in the krb5.conf file (I use heimdal)
3.) Try running the net ads join with the administrator account (if you're
using another account).
4.) Checking the AD server to make sure that you don't have an old
machine account for the Samba machine.


I've tried all this and still am having no luck. I don't believe it is
an issue in krb5.conf because kinit and smbclient work properly. I
just can't join it to the domain. Any other thoughts?




[Samba] sambaDomain Policies Implemented?

2007-08-21 Thread eric roseme



Are the sambaDomain account policies sambaLogonToChgPwd and 
sambaRefuseMachinePwdChange implemented on 3.0.22 to 3.0.25b?


First, even with passdb backend = ldapsam:ldap://; pdbedit actually 
edits account_policy.tdb for these two attributes.


Second, despite the attribute value (0, 1, or 2 using ldapmodify), XP 
client (also smbclient) logon behavior is unchanged.  I looked
through the code in account_pol.c and it does not appear that Samba 
tests the values for these attributes - like they are not implemented. I 
am not a coder so I got a second opinion from someone who is.


Thanks,

Eric Roseme
Hewlett-Packard

System stuff:
HP-UX 11.11 and HP-UX 11.23
Samba 3.0.22 and Samba Opensource 3.0.25b
Red Hat Directory Server 7.1

smb.conf

[global]
workgroup = SAMBAATC
netbios name = SAMBAPDC
server string = Samba Server
interfaces = xx.xx.xx.xxx, 127.0.0.1
bind interfaces only = yes
encrypt passwords = Yes
passdb backend = ldapsam:ldap://SAMBAPDC.rose.hp.com
log level = 10
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = Yes
preferred master = Yes
domain master = Yes
ldap server = SAMBAPDC.rose.hp.com
ldap suffix = dc=rose,dc=hp,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap admin dn = cn=Directory Manager
read only = No
short preserve case = No
dos filetime resolution = Yes


[Samba] sambaDomain Policies Implemented?

2007-08-21 Thread eric roseme
Are the sambaDomain account policies sambaLogonToChgPwd and 
sambaRefuseMachinePwdChange implemented on 3.0.22 to 3.0.25b?


First, even with passdb backend = ldapsam:ldap://; pdbedit actually 
edits account_policy.tdb for these two attributes.


Second, despite the attribute value (0, 1, or 2 using ldapmodify), XP 
client (also smbclient) logon behavior is unchanged.  I looked
through account_pol.c and it does not appear that Samba tests the values 
for these attributes - like they are not implemented. I double-checked 
with someone who is much better with the code than I am.


HP-UX 11.11 and 11.23
Samba 3.0.22 and (Opensource) 3.0.25b
Red Hat Directory Server 7.1 backend

smb.conf

[global]
workgroup = SAMBAATC
netbios name = SAMBAPDC
server string = Samba Server
interfaces = xx.xx.xx.xxx, 127.0.0.1
bind interfaces only = yes
encrypt passwords = Yes
passdb backend = ldapsam:ldap://sambapdc.rose.hp.com
log level = 10
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = Yes
preferred master = Yes
domain master = Yes
ldap server = sambapdc.rose.hp.com
ldap suffix = dc=rose,dc=hp,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap admin dn = cn=Directory Manager
read only = No
short preserve case = No
dos filetime resolution = Yes

Thanks,

Eric Roseme
Hewlett-Packard


Re: [Samba] samba errors - No buffer space available

2006-05-12 Thread eric roseme

Ryan Novosielski wrote:

Allen, Bill wrote:


I am new to Samba, having just taken over management of a HPUX system in
a mainly Windows environment.  The system is running Samba 3.0.7.  I am
getting the following errors, repeatedly, in my log.smbd.  What does it
mean?  Is this actually a problem or normal chatter for Samba?  If it is
a problem, what should I do to correct it?

 
[2006/05/03 07:41:38, 0] lib/util_sock.c:set_socket_options(202)

  Failed to set socket option SO_KEEPALIVE (Error Invalid argument)
[2006/05/03 07:41:38, 0] lib/util_sock.c:set_socket_options(202)
  Failed to set socket option TCP_NODELAY (Error Invalid argument)
[2006/05/03 07:41:38, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Invalid argument
[2006/05/03 07:41:39, 0] smbd/server.c:open_sockets_smbd(382)
  open_sockets_smbd: accept: No buffer space available

 Thanks for any help or advice,

Bill

 
  


When you find out, let me know. :) It's been that way for ages on my 
system. The two socket option messages are related to header related 
problems, if I'm not mistaken, but it's really not a big deal. Do you 
have either of those defined in smb.conf?


As far as the buffer thing... this concerned me for a long time. I can't 
remember whether this got any better or worse, but there's a lot wrong 
with 3.0.7 on HP-UX. I would not run anything earlier than 3.0.14 on an 
HP-UX system.


Are you running Opensource Samba or HP CIFS Server?  For HP CIFS, you 
should not see the socket option errors, but the buffer space log entry 
could be any number of things.  Ryan is correct - you should be up on 
3.0.14 (HP CIFS Server A.02.02.01).


Make sure that you have your nfiles, nflocks, and nprocs set correctly - 
see the most recent Admin Guide on page 258 
(http://docs.hp.com/en/B8725-90101/B8725-90101.pdf).  We may have 
located a locking problem (!) that could cause the entry, but it is at a 
site that connects with smbclient.  Also, if your users are connecting 
and disconnecting often (like at a school - everybody disconnects and 
connects on the hour) then that could do it too.


I have not seen a case where the buffer space log entry has accompanied 
a problem on the server.  I enquire about this from every site that 
reports it, but so far, no one has seen a problem.  If you see it 
differently, then please let me know.


Eric Roseme
Hewlett-Packard



Re: [Samba] NT logon ok but XP logon very slow

2006-04-21 Thread eric roseme

Hi Roel,

Try Googling Loading your personal settings.  Looks like there is a 
lot of stuff to try on the client side, and the problem appears to be 
common regardless of server platform.


I am concerned about your No buffer space available log, though.  Can 
you email me the entire logfile?


Eric Roseme
Hewlett-Packard

Roel Slegers wrote:

Hi,

Our environment: HP-UX 11.00 server / Samba 3.0.21a as PDC / OpenLDAP backend

We're developing a migration from AS/U to a Samba PDC.
Currently we have following problem: logging onto an NT4 workstation
is almost instantaneous, but when logging onto an XP workstation, this
happens:
(1) We type the user and password in Windows logon.
(2) Windows logon immediately accepts user and password, so far so good.
(3) Windows says Please wait... Loading your personal settings...
and we have to wait about one to two minutes. This is our problem.
(4) After these one to two minutes, logon continues normally, and
everything seems fine.

Furthermore, during the time that XP locks up, the corresponding smbd
process eats up the server's CPU at almost 100%!

These are the log.smbd messages during the locking up of XP and smbd:

[Fri Apr 21 15:25:29 2006
, 0] rpc_server/srv_netlog_nt.c:_net_sam_logon(665)
  _net_sam_logon: creds_server_step failed. Rejecting auth request
from client RSL4 machine account RSL4$
[Fri Apr 21 15:26:47 2006
, 0] smbd/server.c:open_sockets_smbd(394)
  open_sockets_smbd: accept: No buffer space available
[Fri Apr 21 15:26:50 2006
, 1] smbd/service.c:make_connection_snum(666)
  rsl4 (10.5.71.168) connect to service netlogon initially as user veron004 (uid
=517, gid=20) (pid 11053)


And as I already said: logging onto NT works fine.
Any ideas?





Re: [Samba] configure can't find ldap_initialize on HP-UX 11i

2006-02-16 Thread eric roseme

Michael Langas wrote:

I'm basically using the instructions found in the HP-UX readme with the
exception that I am trying to use the version of openldap that is in
iexpress instead of the one from hpux.cs.utah.edu.

 


The recommendations listed in the doc are:

 


HP-UX 11.00 and 11.11:
OpenLdap 2.1.3  (http://hpux.cs.utah.edu)
OpenSSL  0.9.7d (http://hpux.cs.utah.edu)
 
  HP-UX 11.23 only:

ixOpenLdapA.04.00-2.2.15.003  (http://software.hp.com
http://software.hp.com/ )
 
 
I would prefer to use ixOpenLdap from HP if possible.  The errors I get

from configure are:
 
configure:32100: checking for ldap_initialize

configure:32157: gcc -o conftest -O -DWITH_SYSLOG
-DGUEST_ACCOUNT=\smbnull\ -D
_SAMBA_BUILD_ -I/opt/iexpress/openldap/include -D_HPUX_SOURCE
-D_POSIX_SOURCE -D
_LARGEFILE64_SOURCE -D_ALIGNMENT_REQUIRED=1 -D_MAX_ALIGNMENT=4
-DMAX_POSITIVE_LO
CK_OFFSET=0x1ffLL -DLDAP_DEPRECATED -L/opt/iexpress/openldap/lib
conftes
t.c -lldap  -lsec -lnsl  5
ld: Unsatisfied symbol ldap_initialize in file /var/tmp//ccAi63yk.o
1 errors.
collect2: ld returned 1 exit status
configure:32163: $? = 1
configure: failed program was:
| /* confdefs.h.  */
 
As you can see, the include file location is correct, and

ldap_initialize is found in ldap.h so I'm not sure what is causing the
unsatisfied symbol error.
 
Any suggestions?
 
Thanks,
 
ML



Can you give me a summary of what you are trying to do?  It looks like:

1.  Pull HP-UX binaries from samba.org
2.  Install the .depot, and ignore the pre-compiled binaries
3.  untar the source files, and compile your own Samba version
4.  Your email topic says 11i, but it looks like you want to use the 
11iv2 (11.23) IExpress OpenLDAP.
5.  In any case - that IE OpenLDAP version you refer to is very old. 
Try loading the new IE OpenLDAP:


11iv1: 
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP


11iv2: 
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123


Eric Roseme
Hewlett-Packard


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
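
Both HP-UX build threads on this page turn on reading config.log: the "C compiler cannot create executables" failure in the 3.0.23a thread and the ldap_initialize link failure in this one. The script below is an added example, not part of any post; it pulls every probe that exited non-zero out of a config.log, together with the tool diagnostics that preceded it. The function names, the tags and the two sample logs are constructed from the excerpts quoted in those threads, with mail-wrapped lines rejoined and the `>&5` redirections restored.

```shell
#!/bin/sh
# Added example (not from the thread): summarise failing probes in an autoconf
# config.log. One line per failing probe:  TAG: CHECK (exit N): DIAGNOSTICS
#   bundled-cc  diagnostics came from the HP-UX bundled cc, which the thread
#               says to replace with the HP ANSI C compiler or GCC
#   link        the linker could not resolve a symbol from the libraries given
#   other       anything else
# A "fatal:" line is printed for the error that made configure stop.

triage_config_log() {
    awk '
    /^configure:[0-9]+: checking / {
        check = $0
        sub(/^configure:[0-9]+: checking (for )?/, "", check)
        diag = ""; next
    }
    /^configure:[0-9]+: \$\? = / {
        if ($NF + 0 != 0) {
            tag = "other"
            if (diag ~ /Unsatisfied symbol/)    tag = "link"
            else if (diag ~ /\(Bundled\) cc:/)  tag = "bundled-cc"
            printf "%s: %s (exit %d): %s\n", tag, check, $NF, diag
        }
        diag = ""; next
    }
    /^configure:[0-9]+: error: / {
        msg = $0; sub(/^configure:[0-9]+: error: /, "", msg)
        print "fatal: " msg; next
    }
    # Commands, results, the echoed test program and blank lines are not diagnostics.
    /^configure:/ || /^\|/ || /^[ \t]*$/ { next }
    # Everything else is compiler or linker output for the current probe.
    { diag = (diag == "" ? $0 : diag " " $0) }
    '
}

# Constructed sample: the bundled-compiler failure from the 3.0.23a thread.
sample_cc_log() {
cat <<'EOF'
configure:1901: checking for gcc
configure:1930: result: no
configure:2171: checking for C compiler version
configure:2174: cc --version </dev/null >&5
(Bundled) cc: HP aC++/ANSI C B3910B A.05.50 [May 15 2003]
configure:2177: $? = 0
configure:2210: checking for C compiler default output file name
configure:2213: cc -O -DWITH_SYSLOG -DGUEST_ACCOUNT=\smbnull\ -D_SAMBA_BUILD_ -I/opt/iexpress/openldap/include -L/opt/iexpress/openldap/lib conftest.c  >&5
(Bundled) cc: warning 922: -O is unsupported in the bundled compiler, ignored.
Error 100: command line, line 0 # String and character constants cannot span lines.
configure:2216: $? = 2
configure: failed program was:
| /* confdefs.h.  */
| int
| main ()
configure:2254: error: C compiler cannot create executables
EOF
}

# Constructed sample: the ldap_initialize probe from this thread (command shortened).
sample_ldap_log() {
cat <<'EOF'
configure:32100: checking for ldap_initialize
configure:32157: gcc -o conftest -O -DLDAP_DEPRECATED -I/opt/iexpress/openldap/include -L/opt/iexpress/openldap/lib conftest.c -lldap  -lsec -lnsl  >&5
ld: Unsatisfied symbol ldap_initialize in file /var/tmp//ccAi63yk.o
1 errors.
collect2: ld returned 1 exit status
configure:32163: $? = 1
configure: failed program was:
| /* confdefs.h.  */
EOF
}

sample_cc_log   | triage_config_log
sample_ldap_log | triage_config_log
```

A normal config.log contains many non-zero probes that are only feature tests, so the line to act on is the one just before `fatal:`, or the probe for the feature that was reported missing.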


Re: [Samba] Problems Compiling samba on HP-UX 11.00

2006-02-02 Thread eric roseme

Hi Tony,

Sorry for the confusion about the library dependencies.  I have edited 
the README a couple of times, and I have finally gotten it right (the 
build changed), but it will not get posted until the next version.  I'll 
send you the new README directly.  Anyway, although the referenced 
libraries on the website do not specifically indicate 11.0 support, the 
11.11 versions work for 11.0.  This is exactly opposite of how the 
Samba binaries indicate 11.0 support, but they also work for 11.11.


So you will be able to use the posted Opensource pre-compiled binaries 
on 11.0, if they meet your needs.


I decided to just paste the new README at the bottom of this post - just 
scroll down to the bottom.  Read it carefully.


See you later,

Eric Roseme
Hewlett-Packard

Tony Delov wrote:

Eric,
I have seen those pre-compiled versions, however the dependencies that are
listed in the README are not available for 11.00 anywhere?
I would be quite happy to use the pre-compiled ones otherwise.
I tried downloading the source, however, I think there may be a bug in
the code (well at least a developer that also works with me thinks).
We managed to get it compiled without ldap and with a few minor changes
to the auth_script.c file.
It now seems to run, however we are still experiencing some problems
with domain authentication.


So far this is the part of the config file that isn't working as
expected.

[global]
workgroup = MELIMAGE
security = DOMAIN
password server = melpdc,melbdc
log level = 3
log file = /var/adm/samba/log.%m
preferred master = No
local master = No
domain master = No
wins server = 192.168.5.1
idmap uid = 1-2
idmap gid = 1-2
printing = sysv
print command = lp -c -nb -d %p %s
lpq command = lpstat %p

[labwiztst]
path = /mnt/labwiz
valid users = +MELIMAGE\Domain Users
read only = No
create mask = 0766



On Wed, 2006-02-01 at 09:26 -0800, eric roseme wrote:

Sorry, can't help with the compile error.  But did you know that we have 
 pre-compiled 11.0 binaries for 3.0.21a on samba.org?  Look at the 
README for compile options.  If that does not meet your needs, check out 
the compile data and see if that gives you a clue to your problem.


Eric Roseme
Hewlett-Packard

Tony Delov wrote:


Problems Compiling samba (samba-3.0.21a) on HP-UX 11.00

We have been experiencing some problems compiling samba with the config
options below.

When compiling the auth_script.c make fails. 
As a fix, we removed the conditional if/else/endif statements on lines

143/149/155 and it now seems to compile.

Has anyone else had any similar problem when compiling without the ldap
features or similar configure options? 



$ ./configure --without-ldap --with-winbind --without-ads
--without-pam_smbpass --with-included-popt --without-aio-support
--with-pam


The make error I get




Linking bin/smbd
/usr/bin/ld: Unsatisfied symbols:
 auth_script_init (first referenced in auth/auth.o) (code)
collect2: ld returned 1 exit status
*** Error exit code 1


Regards
Tony D





Attention:
The information contained in this message and or attachments is intended only 
for the person or entity to which it is addressed and may contain confidential 
and/or privileged material.  Any review, retransmission, dissemination or other 
use of, or taking of any action in reliance upon, this information by persons 
or entities other than the intended recipient is prohibited. If you received 
this in error, please contact the sender and delete the material from any 
system and destroy any copies.

Any views expressed in this message are those of the individual sender and may 
not necessarily reflect the views of The Gribbles Group.

Thank You.

Whilst every effort has been made to ensure that this e-mail message and any 
attachments are free from viruses, you should scan this message and any 
attachments.
Under no circumstances do we accept liability for any loss or damage which may 
result from your receipt of this message or any attachment.

++=
==
README: Samba 3.0.21a
samba_3.0.21a_B.11.00_9000_01_12_06.depot.gz (valid depot for HP-UX 11.0 and
  11iv1 (11.11))

Build system: HPUX_B.11.00_9000
Build date: 01_12_06
=
1.  Required libraries.

  All OS versions:
LibIconv 1.9.2  (http://hpux.cs.utah.edu)
Note:  The above library version may indicate 11.11 on the hpux.cs.utah.edu web
   page, but they are valid for 11.0 and 11.11 (11iv1).



  HP-UX 11.00 only:
J5849AA PAM Kerberos and KRB5 Dev Tools B.11.00.12 
(http://software.hp.com)


  HP-UX 11.00 and 11.11

Re: [Samba] Problems Compiling samba on HP-UX 11.00

2006-02-01 Thread eric roseme
Sorry, can't help with the compile error.  But did you know that we have 
 pre-compiled 11.0 binaries for 3.0.21a on samba.org?  Look at the 
README for compile options.  If that does not meet your needs, check out 
the compile data and see if that gives you a clue to your problem.


Eric Roseme
Hewlett-Packard

Tony Delov wrote:

Problems Compiling samba (samba-3.0.21a) on HP-UX 11.00

We have been experiencing some problems compiling samba with the config
options below.

When compiling the auth_script.c make fails. 
As a fix, we removed the conditional if/else/endif statements on lines

143/149/155 and it now seems to compile.

Has anyone else had any similar problem when compiling without the ldap
features or similar configure options? 



$ ./configure --without-ldap --with-winbind --without-ads
--without-pam_smbpass --with-included-popt --without-aio-support
--with-pam


The make error I get



Linking bin/smbd
/usr/bin/ld: Unsatisfied symbols:
  auth_script_init (first referenced in auth/auth.o) (code)
collect2: ld returned 1 exit status
*** Error exit code 1




Regards
Tony D











[Samba] Re: Samba - joining TO THE DOMAIN

2006-01-26 Thread eric roseme

First, this should go to samba@lists.samba.org - not technical.

Second - with net join, you are probably in security = domain.  So 
you need to add the computer to the domain using the Users and Computers 
MMC on the domain controller.



Eric Roseme
Hewlett-Packard


Nagendra KV wrote:

HI

 


Help is required!

 


I get following error when joining the domain Samba used: 3.0.10 on
HP-UX 11i

 

 


# net join -I a.b.c.d -U user_name

[2006/01/25 20:00:57, 0]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(256)

  cli_nt_setup_creds: request challenge failed

Password:

[2006/01/25 20:01:21, 0]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(256)

  cli_nt_setup_creds: request challenge failed

[2006/01/25 20:01:21, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(319)

  Error domain join verification (reused connection):
NT_STATUS_INVALID_COMPUTER_NAME

 


Unable to join domain domain_name

 


Please help me out to resolve this issue.

 

 


Thanks

Regards

Nagendra KV

 

 

 


Nagendra KV | Technology (STS) | M P H A S I S  Architecting Value | IT
SERVICES
#139/1, Hosur Road, Koramangala, Bangalore - 560095, | Tel: (80)
25522713/14 Ext-1016| Fax: (80) 25522719| www.mphasis.com
http://www.mphasis.com/ 




Re: [Samba] Must you net join for the Samba machine to become a domain member?

2006-01-23 Thread eric roseme

Karnowski, David wrote:

When you manually add the server to the domain, the problem is that
Samba doesn't know what the password is.  You can set one with the
'net' command I think, however it's much easier to delete the manually
added computer and run 'net join', that way Samba does the adding and
you're guaranteed that it will know the machine account credentials.


...


I'd strongly recommend doing a 'net join', as the Samba configuration
will be metaphorically held together with sticky tape if you don't, and
I wouldn't be at all surprised if it failed at a later date for
seemingly no reason.



Thanks for your help again Adam. The problem on our side is that the
Windows world and Unix world are administered by separate departments.
They're not going to be sharing administrative passwords with each other.
I am still doing that net join but using my own domain account (which
is not an administrator) and it seems to be OK provided someone manually
added the machine account on the Windows side. I was hoping to have it 
totally automated (on the Unix side at least) with no hard-coded passwords,
but I guess it can't work this way. I'll keep my eyes open for that failing at 
a later date for seemingly no reason thing :-)


thanks again,
David

David - check this thread out for how to do a net ads join with 
minimum permissions.  Doing it this way bypasses the need to manually 
add the computer with the Users and Computers MMC.

http://marc.theaimsgroup.com/?l=samba&m=112681698521084&w=2

Eric Roseme
Hewlett-Packard



Re: [Samba] 64 bit installable samba for HP-UX 11.11

2006-01-03 Thread eric roseme

Shashidhar, SR wrote:

Hello All,

 Happy New Year 2006 !

Currently we are using TAS as an interop tool to access the UNIX file
systems on to windows platforms. For some performance/licenses issues,
we would like to migrate to SAMBA now.

Our Unix file system is available on HP N-class server running HP-UX
11.11 and our requirement is to install samba on this OS with 64bit
support. I searched on samba site and also at other sites as well, and
couldn't find the SAMBA installable for this OS. Is anyone using 64bit
samba on HP-UX ?

Can anyone help me on this issue pl.

With Kind Regards,
Shashi.

CIFS/Samba for HP-UX is compiled for 64-bit compatibility, but it is not 
instrumented for 64-bit.  You can go to:



http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

and download the latest HP CIFS Server (Samba 3.0.14a) for 11iv1 64-bit 
(for free).  Or you can go to samba.org and download the pre-compiled 
Opensource binaries for 3.0.20a.


If you have any questions about this, email me off-list.

Eric Roseme
Hewlett-Packard




Re: [Samba] Share Access for SAMBA 2.2.8a on HP-UX 11.11

2005-12-19 Thread eric roseme

Michalek, Tom S wrote:

Security=server
Username map=/etc/opt/samba/username.map

All NT ids are mapped to the same unix id via username.map.  Some NT
id's don't see all the SHARES when they access SAMBA...Not sure why this
would be if all NT ids are being translated to the same unix id.


Is it just browsing?  Can the users mount the unseen shares? If yes, 
does a net view \\server from the affected client(s) display all shares?


A.  Is this opensource Samba or HP CIFS Server?
B.  Either way, you should be on Samba 3 for 11i (2.2 is okay for 11.0)
C.  You should try to use security = domain - server is not 
recommended.


If you would like to discuss Samba/CIFS versions at Boeing, I am fairly 
clued-in about that.  We can discuss it offline.



Eric Roseme
Hewlett-Packard



Re: [Samba] Why not using the windows configuration wizard (joining a domain) with Samba-3?

2005-12-13 Thread Eric Roseme

John H Terpstra wrote:


On Monday 12 December 2005 02:22, Michael Billerbeck wrote:
 


Hi,

On Monday 12 December 2005 09:46, John H Terpstra wrote:
   


On Sunday 11 December 2005 15:51, Michael Billerbeck wrote:
 


Hello,

in the Samba How-to I've read not to use the configuration wizard with
samba-3 when joining a domain.
Why that? Is there a problem?

Thanks,
Michael
   

Please point me at the specific reference in the HOWTO. I need to 
understand what causes you concern.

Please help me to understand your concern. If the documentation is
inadequate I must correct or extend it.

Thanks.
 


In chapter 8.2.2 Joining a domain: Windows 2000/XP Professional (on page
131) point 4 says:
Click the computer name tab. [...] Clicking the Network ID button will
launch the configuration wizard. Do not use this with Samba-3.
I was asking this because I used it also with Samba-3 and I would like to
know if there are some side effects when using it or why it is explicitly
mentioned.
   



Joining through use of this tool did not work with early releases of Samba-3.
Try it. Let me know if it works now.

PS: If you try the NetworkID Wizard, and it fails, reboot the Windows PC 
before attempting to use the Change button. In the past, a failure when 
using the NetworkID wizard would hose up the Windows client so that it then 
could not resolve the netbios name of the domain controller.


- John T.
 

Using the Users and Computers MMC adds the Samba computer object with a 
different UserAccountControl attribute value than when you use net ads 
join.  It used to be that the (apparent) default value of 4128 would 
not allow auth-n with MD5.  I just tested this (W2003SP1 and 3.0.14a) 
and it now works with MD5.  In other words, using the MMC to add the 
computer object, then doing a net ads join (Modifying Existing 
Object), now results in successful client auth-n - at least in this test 
case.  I have heard the same testimony from other sources.  I would 
still recommend adding the object with the net ads join, and the 
resulting UserAccountControl attribute value of 2166784.


Eric Roseme
Hewlett-Packard
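
The two UserAccountControl values quoted above are bit masks, and decoding them shows which account flags each way of creating the computer object sets. This is an added example, not code from the thread or from Samba; the flag table follows Microsoft's published userAccountControl bit values, while the function names and the selection in REVIEW_FLAGS are this example's own assumptions.

```python
"""Decode and compare Active Directory userAccountControl bit masks."""

# Bit values as published in Microsoft's userAccountControl documentation.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags worth an explanation when they appear on a machine account.
# The selection is this example's assumption, not a Samba or Microsoft list.
REVIEW_FLAGS = {
    "ACCOUNTDISABLE": "account is disabled",
    "PASSWD_NOTREQD": "account is allowed to have no password",
    "USE_DES_KEY_ONLY": "Kerberos keys restricted to DES encryption types",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation enabled",
}


def decode_uac(value):
    """Return the names of the flags set in `value`, lowest bit first."""
    if value < 0 or value > 0xFFFFFFFF:
        raise ValueError("userAccountControl is a 32-bit unsigned value")
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            # Bits missing from the table are reported, never silently dropped.
            names.append(UAC_FLAGS.get(mask, "UNKNOWN_0x%08x" % mask))
    return names


def compare_uac(first, second):
    """Split the flags of two values into common and exclusive sets."""
    a, b = set(decode_uac(first)), set(decode_uac(second))
    return {
        "common": sorted(a & b),
        "only_first": sorted(a - b),
        "only_second": sorted(b - a),
    }


def review_uac(value):
    """Return (flag, reason) pairs for flags listed in REVIEW_FLAGS."""
    return [(n, REVIEW_FLAGS[n]) for n in decode_uac(value) if n in REVIEW_FLAGS]


if __name__ == "__main__":
    MMC_VALUE = 4128          # quoted in the post for the MMC-created object
    NET_ADS_VALUE = 2166784   # quoted in the post for net ads join
    for label, value in (("MMC", MMC_VALUE), ("net ads join", NET_ADS_VALUE)):
        print("%-12s %7d  %s" % (label, value, " | ".join(decode_uac(value))))
        for flag, reason in review_uac(value):
            print("             review: %s (%s)" % (flag, reason))
    print(compare_uac(MMC_VALUE, NET_ADS_VALUE))
```
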


Re: [Samba] Q: concerning user nobody and Samba 3

2005-12-09 Thread Eric Roseme

Frank Schifferstein wrote:


hi,

we are running several HP-UX 11.23 servers with Samba 2.2.x and are
starting a migration to Samba 3 and encounter several problems. 



As far as I understand this passage: (chapter 24, Upgrading from
Samba-2.x to Samba-3.0.20)

The following issues are known changes in behavior between Samba-2.2
and Samba-3 that may affect certain installations of Samba. 


When operating as a member of a Windows domain, Samba-2.2 would map any
users authenticated by the remote DC to the guest account if a UID
could not be obtained via the getpwnam() call. Samba-3 rejects the
connection with the error message NT_STATUS_LOGON_FAILURE. There is no
current workaround to re-establish the Samba-2.2 behavior. 


the user nobody is not used anymore, and there is a need having unixuser
account for every windowsuser account. I know, this is a general need,
but for different purposes we configured guest ok = yes in some
shares to allow the guest access to shares where the unixaccount is
missing. Is my interpretation of the passage correct ? In case it is,
does it refer to security = domain/ads only or is it valid for security
= server as well (I know, security = server is not the preferred
configuration).


regards Frank Schifferstein
 


Hi Frank,

Are you using Opensource Samba or HP CIFS Server? 

HP CIFS Server adds a unix user called smbnull (replacing nobody), and 
by default guest account = smbnull.  You should not have any problem 
using map to guest = as John suggested.


If you are using HP CIFS Server, then there is some support-related 
information that we should discuss (offline).


Eric Roseme
Hewlett-Packard





[Samba] Re: samba smbd version 2.2.12 HP CIFS Server A.01.11.04 does hang if start in a HP serviceguard configuration

2005-11-11 Thread Eric Roseme

Belgardt, Wolfgang wrote:


Hello all,

can somebody tell me if it is supported to locate the secrets.tdb on an NFS 
share, please?
I have smbd version 2.2.12 based HP CIFS Server A.01.11.04 in an HP ServiceGuard 
configuration.
If the secrets.tdb is on a local path, Samba smbd starts and runs fine, but when 
the secrets.tdb file is located in
a path which is an NFS share, smbd hangs. 
I have traced the samba startup with tusc. 
Here are the last lines:

...
...
..

1126617678.351198 [9241] write(6, m a x   c o n n e c t i o n .., 34) = 34
1126617678.351357 [9241] getrlimit64(RLIMIT_NOFILE, 0x7f7f0ca0) = 0
1126617678.351488 [9241] setrlimit64(RLIMIT_NOFILE, 0x7f7f0ca0) = 0
1126617678.351596 [9241] setrlimit64(RLIMIT_NOFILE, 0x7f7f0ca0) = 0
1126617678.351677 [9241] getrlimit64(RLIMIT_NOFILE, 0x7f7f0ca0) = 0
1126617678.352612 [9241] open(/disks/usrd20/samba/secrets.tdb, 
O_RDWR|O_CREAT|O_LARGEFILE, 0600) = 8
1126617678.352778 [9241] sched_yield() ... = 0
1126617692.906166 [9241] fcntl(8, 0xa, 2139034384) ... [sleeping]

Thanks in advance

Regards 



Wolfgang


_
Wolfgang Belgardt
Systemberater Corporate Account Services
Technology Solution Group


Hewlett-Packard GmbH
Berliner Str. 111
D-40880 Ratingen
Phone:  +49 (0)2102 90-8469
Fax:  +49 (0)2102 90-6300
Mobil:   +49 (0) 171 3357 256
E-mail:  [EMAIL PROTECTED]
http://www.hp.com/de

 

Wolfgang - I am out of the office until Tuesday.  Can you look at the 
log.smbd and see if there is a locking error?  (64bit vs 32bit , or 
something).


I am cc-ing this to samba - that's where it should go (not technical).

Thanks,

Eric Roseme
Hewlett-Packard
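
The trace above stops in fcntl() on secrets.tdb, and TDB files depend on fcntl byte-range locks, so a useful check before placing a TDB on an NFS path is whether a lock request in that directory returns at all. This is an added example, not part of the post or of Samba; it assumes the stall is a lock request that never returns (which the trace suggests but the thread does not confirm), and the function name, the timeout and the `simulate_contention` switch are this example's own.

```python
"""Probe whether a directory grants fcntl byte-range locks, without hanging."""
import fcntl
import os
import signal
import sys
import tempfile
import time


def probe_fcntl_lock(directory, timeout=5.0, simulate_contention=False):
    """Return 'ok', 'denied' or 'hung' for a blocking exclusive lock request.

    The request runs in a child process, so a lock manager that never
    answers cannot hang the caller the way it hung smbd in the trace.
    """
    fd, path = tempfile.mkstemp(prefix="lockprobe-", dir=directory)
    try:
        if simulate_contention:
            # Demonstration only: the parent holds the lock, so the child's
            # request blocks as it would against an unresponsive lock daemon.
            fcntl.lockf(fd, fcntl.LOCK_EX, 1, 0, os.SEEK_SET)

        pid = os.fork()
        if pid == 0:
            # Child: ask for a blocking write lock on the first byte.
            code = 1
            try:
                fcntl.lockf(fd, fcntl.LOCK_EX, 1, 0, os.SEEK_SET)
                code = 0
            finally:
                os._exit(code)  # never fall through into the parent's code

        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            done, status = os.waitpid(pid, os.WNOHANG)
            if done:
                if os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0:
                    return "ok"
                return "denied"
            time.sleep(0.05)

        # No answer within the timeout: stop the child and report it.
        os.kill(pid, signal.SIGKILL)
        for _ in range(20):
            # Bounded reap: a process stuck in an NFS call may not die promptly.
            if os.waitpid(pid, os.WNOHANG)[0]:
                break
            time.sleep(0.05)
        return "hung"
    finally:
        os.close(fd)      # also releases the parent's demonstration lock
        os.unlink(path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print("%s: %s" % (target, probe_fcntl_lock(target)))
```

Run it against the directory intended for the TDB files; any result other than `ok` means smbd would stall or fail there as well.
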



Re: [Samba] Group mapping giving incorrect GIDs

2005-11-10 Thread Eric Roseme

Gerald (Jerry) Carter wrote:



Eric Roseme wrote:
 


[EMAIL PROTECTED] wrote:

   


Hi,

I think I've narrowed down my problem to the fact that the group
mapping is
not giving me the same GID for all 'equivalent' groups, as seen here:

$ net groupmap list
DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) - unixgrp1

$ getent group unixgrp1
unixgrp1:x:203:

$ getent group DOMAIN\\Group1
DOMAIN\Group1:x:10001:DOMAIN\User1

This means that the GID of unixgrp1 is 203, however the GID of
DOMAIN\Group1
is completely different!  Given the group mapping, I was expecting
that both
groups would be returned with a GID of 203, so that according to the
Linux
box both those groups are the same.
 



group mapping on domain members is mutually exclusive with running
winbindd.  Usually that is.

If you do not define a idmap uid and idmap gid ranges, then winbindd
should fall back to using the group mapping. and you better have
mappings for all domain groups.  It's an all or none decision.



 

Jerry - just to be clear: you mean that winbindd must not be running (as 
opposed to just not defining idmap uid/gid ranges).  Testing shows that 
without winbindd running groupmap behaves just like you say - mapped 
UNIX groups work for domain user access on ugo permissions, and for 
valid users.  With no idmap uid/gid winbindd will not start.


JHT - this would be useful in chapter 11 of the howto.  I read that 
chapter about 5 times looking for what I was missing when I could not 
make groupmapping work with security = ads and winbindd.  And I just 
bought my Second Edition.  Boo Hoo. 

My purpose for testing this was to answer an earlier post about group 
name length limitations on valid user.  Our UNIX group name would only 
work up to 32 chars, but Windows allows 64 chars.  Also the Windows 
group had special characters that UNIX did not like. I thought I could 
work around this by mapping the long Windows group to a short Unix group 
(with security=ads).  But it did not work, due to winbindd (as you 
pointed out). 

Adam - can you describe your intended use of group mapping? I re-read 
your original post, and am wondering why you can't just add the 
winbind-mapped group directly to the folder (directory) ACL (as opposed 
to mapping a *ix group to the winbind-mapped group, then adding the *ix 
group to the ACL)?


Eric Roseme
Hewlett-Packard




Re: [Samba] Group mapping giving incorrect GIDs

2005-11-09 Thread Eric Roseme

[EMAIL PROTECTED] wrote:


Hi,

I think I've narrowed down my problem to the fact that the group mapping is
not giving me the same GID for all 'equivalent' groups, as seen here:

$ net groupmap list
DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) - unixgrp1

$ getent group unixgrp1
unixgrp1:x:203:

$ getent group DOMAIN\\Group1
DOMAIN\Group1:x:10001:DOMAIN\User1

This means that the GID of unixgrp1 is 203, however the GID of DOMAIN\Group1
is completely different!  Given the group mapping, I was expecting that both
groups would be returned with a GID of 203, so that according to the Linux
box both those groups are the same.

As it stands now, when DOMAIN\User1 connects, it's using a GID of 10001
which has no access to the filesystem.  It should be connecting as GID 203,
which has the correct filesystem permissions.

Is what I'm trying to do even possible?

Thanks,
Adam.
 


Hi Adam,

Just so you do not feel abandoned - I have gotten the same results when 
trying a similar operation.  In my case, I was trying to use a mapped 
group on valid users = @mapped.  That does not work at all.  I also 
could not make it work with ACLs.  A co-worker did some additional 
testing and could get mapped groups to work on ugo permissions, but only 
with security = user, not security = ads.


If my co-worker and I can characterize the behavior more accurately, 
I'll write up what we find for posterity.


Eric Roseme
Hewlett-Packard
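
The mismatch discussed in this thread (here and in the 2005-11-10 follow-up) can be checked mechanically by comparing the GID that NSS returns for each mapped UNIX group with the GID it returns for the domain group itself. This is an added example, not code from the posts or from Samba; it parses captured `net groupmap list` and `getent group` output, the Group1 lines are the ones shown in the post, the Group2 and Group3 lines are constructed, and all function names are this example's own.

```python
"""Find domain groups whose NSS GID differs from their groupmap target."""
import re

# "NTGROUP (SID) -> unixgroup"; the archived post shows "-" where "->" was.
GROUPMAP_RE = re.compile(
    r"^(?P<nt>.+?) \((?P<sid>S-1-[0-9-]+)\) ->? (?P<unix>\S+)$"
)


def parse_groupmap(text):
    """Return (nt_group, sid, unix_group) tuples from `net groupmap list`."""
    maps = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            maps.append((m.group("nt"), m.group("sid"), m.group("unix")))
    return maps


def parse_getent(text):
    """Map group name to GID from `getent group` lines (name:passwd:gid:members)."""
    gids = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            gids[parts[0]] = int(parts[2])
    return gids


def check_mappings(groupmap_text, getent_text):
    """Classify every mapping as consistent, mismatch or unresolved.

    File access is decided on the GIDs the session actually receives, so a
    'mismatch' means permissions granted to the UNIX group do not apply to
    members of the domain group.
    """
    gids = parse_getent(getent_text)
    findings = []
    for nt, sid, unix in parse_groupmap(groupmap_text):
        nt_gid, unix_gid = gids.get(nt), gids.get(unix)
        if nt_gid is None or unix_gid is None:
            status = "unresolved"
        elif nt_gid == unix_gid:
            status = "consistent"
        else:
            status = "mismatch"
        findings.append({
            "nt_group": nt, "sid": sid, "unix_group": unix,
            "nt_gid": nt_gid, "unix_gid": unix_gid, "status": status,
        })
    return findings


# Group1 is taken from the post; Group2 and Group3 are constructed samples.
SAMPLE_GROUPMAP = r"""
DOMAIN\Group1 (S-1-5-21-620321403-24207062-1845911597-172256) - unixgrp1
DOMAIN\Group2 (S-1-5-21-620321403-24207062-1845911597-172257) -> unixgrp2
DOMAIN\Group3 (S-1-5-21-620321403-24207062-1845911597-172258) -> unixgrp3
"""

SAMPLE_GETENT = r"""
unixgrp1:x:203:
DOMAIN\Group1:x:10001:DOMAIN\User1
unixgrp2:x:204:
DOMAIN\Group2:x:204:DOMAIN\User2
unixgrp3:x:205:
"""

if __name__ == "__main__":
    for f in check_mappings(SAMPLE_GROUPMAP, SAMPLE_GETENT):
        print("%-11s %s (gid %s) -> %s (gid %s)" % (
            f["status"], f["nt_group"], f["nt_gid"],
            f["unix_group"], f["unix_gid"]))
```
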



Re: [Samba] ADS Join and Insufficient Access

2005-11-08 Thread Eric Roseme

M Maki wrote:


My agency is moving all users and computers to a new domain. Our current domain 
uses AD and the new domain will use AD. My current samba servers are running 
3.0.20a with ADS security with winbind on Debian Stable (Sarge) with no 
problems.

I set up a test samba server using 3.0.20b, the new krb5.conf and smb.conf.

kinit works fine. (Authenticated to Kerberos v5)

I prestage the server by adding it to my OU with rights to add it to the domain 
as I have always done.

When I go to add it to the domain with
 net ads join -U [EMAIL PROTECTED]
and enter my password

I get
 ads_add_machine_acct: Host account for smbtest already exists - modifying old 
account
(which is normal for prestaged machines)
 ads_join_realm: ads_add_machine_acct failed (smbtest): Insufficient access
 ads_join_realm: Insufficient access

I have no problem adding Windows workstations with the same account, it's just 
adding the samba server.

What could I be missing?

Thanks,
Mike

Here is my smb.conf:
[global]
  netbios name = smbtest
  workgroup = NEW
  realm = NEW.DOMAIN.NET
  security = ADS
  password server = 10.0.1.1
  log file = /usr/local/samba/var/%m.log
  preferred master = No
  local master = No
  domain master = No
  idmap uid = 1-4
  idmap gid = 1-4
  # winbind use default domain = Yes
  winbind enum users = No
  winbind enum groups = No
  winbind nested groups = Yes
  socket options = TCP_NODELAY
  socket options = SO_RCVBUF=8192

[test]
  path = /home
  read only = No
  admin users = NEW\mmaki
 


I posted this on 11/01/05 (for the second time), see if it helps:

http://marc.theaimsgroup.com/?l=samba&m=112681698521084&w=2

Eric Roseme
Hewlett-Packard



Re: [Samba] Join ADS domain - Insufficient Access

2005-11-01 Thread eric roseme

http://marc.theaimsgroup.com/?l=samba&m=112681698521084&w=2

Eric Roseme

Mark F wrote:


SLES 9 SP2
samba-3.0.14a-0.4
heimdal-lib-0.6.1rc3-55.15
samba-winbind-3.0.14a-0.4
pam-modules-9-18.10
pam_krb5-1.3-201.7

I've been searching for days for a concrete answer to this question:

Is it possible to join an ADS domain from a Linux Samba server without 
having Administrator privileges? Yes or No.


If so exactly what are the minimal requirements for joining the Linux 
box to the domain.


I can get a Kerberos ticket, no problem

However when I try to join the domain I get:

app1:~ # net ads join -S servername -d 3 -w domain -U tester%password
[2005/11/01 07:44:58, 3] param/loadparm.c:lp_load(3907)
  lp_load: refreshing parameters
[2005/11/01 07:44:58, 3] param/loadparm.c:init_globals(1321)
  Initialising global parameters
[2005/11/01 07:44:58, 3] param/params.c:pm_process(573)
  params.c:pm_process() - Processing configuration file 
/etc/samba/smb.conf

[2005/11/01 07:44:58, 3] param/loadparm.c:do_section(3409)
  Processing section [global]
[2005/11/01 07:44:58, 2] lib/interface.c:add_interface(81)
  added interface ip=IPADDRESS bcast=IPADDRESS nmask=255.255.255.0
[2005/11/01 07:44:58, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server LDAPIPADDRESS
[2005/11/01 07:44:58, 3] libads/ldap.c:ads_server_info(2469)
  got ldap server name [EMAIL PROTECTED], using bind path: 
dc=SERVER,dc=DOMAIN,dc=GOV

[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2005/11/01 07:44:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name [EMAIL PROTECTED]
[2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_krb5_mk_req(381)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
[2005/11/01 07:44:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
  Ticket in ccache[MEMORY:net_ads] expiration Tue, 01 Nov 2005 17:46:24 GMT
[2005/11/01 07:44:58, 0] libads/ldap.c:ads_add_machine_acct(1405)
  ads_add_machine_acct: Host account for app1 already exists - modifying 
old account

[2005/11/01 07:44:58, 0] libads/ldap.c:ads_join_realm(1763)
  ads_join_realm: ads_add_machine_acct failed (app1): Insufficient access
ads_join_realm: Insufficient access
[2005/11/01 07:44:58, 2] utils/net.c:main(902)
  return code = -1

---
I have no access to the domain but the Domain admin has assured me he 
has set it up exactly as he would to allow a Windows client to join.  Is 
this correct?


Thanks,
-Mark





Re: [Samba] samba-3.0.14a binaries for HP-UX-11.0

2005-10-25 Thread eric roseme
Okay, the 11i libraries work for 11.0 with our Opensource 3.0.14a 
binaries on Samba.org.  These are the current versions:


 OpenLdap 2.2.27  (http://hpux.cs.utah.edu)
 OpenSSL  0.9.8a  (http://hpux.cs.utah.edu)
 LibIconv 1.10    (http://hpux.cs.utah.edu)

My text for re-linking is actually for 11i, and thus uses Internet 
Express and not the libraries above.  So you will just need to either cp 
or mv the files from the new libraries appropriately (ie liblber to 
liblber.sl.2).


Eric Roseme
Hewlett-Packard

eric roseme wrote:


Sorry for the belated reply (out of the office).

Use the packages at the listed urls.  The 11i versions will work for 
11.0.  I have installed and tested the listed version numbers on 11.0, 
however all of the versions have since been rolled.  In addition, my 
11.0 system has been retired, so I cannot verify the results (from last 
April).  So, I'll reinstall everything and re-verify.  If you want to 
wait, I'll post my results here, but not until Tuesday 10/25 at the 
earliest.


Also, if you have installed HP CIFS Server on the system, you'll need to 
re-link some stuff.  I added the following text to the README of our 
opensource distribution (on samba.org), but I do not think it made the 
most recent build.  So here is the new text:


6.  If your system has HP CIFS Server previously installed, several libraries
    that are used by Samba may require re-linking.

  a. if
        /usr/local/samba/bin/smbd -V
        /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libiconv.sl
        /usr/lib/dld.sl: No such file or directory
        Abort(coredump)
     then
        cp /opt/samba/lib/libiconv.sl /usr/local/lib/

  b. if
        /usr/local/samba/bin/smbd -V
        /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/liblber.sl.2
        /usr/lib/dld.sl: No such file or directory
        Abort(coredump)
     then
        ln -s /opt/iexpress/openldap/lib/liblber-2.2.sl /usr/local/lib/liblber.sl.2

  c. if
        /usr/local/samba/bin/smbd -V
        /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libldap.sl.2
        /usr/lib/dld.sl: No such file or directory
        Abort(coredump)
     then
        ln -s /opt/iexpress/openldap/lib/libldap-2.2.sl /usr/local/lib/libldap.sl.2


Eric Roseme
Hewlett-Packard

Gerald (Jerry) Carter wrote:



Mark Proehl wrote:
| Hi,
|
| I'm looking for a binary package of samba with a libnss_winbind.1
| for HP-UX-11.0
|
| The depot files in
|
|   http://de.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.14a
|
| look good, but there are these three requirements:
|
|   OpenLdap 2.1.3  (http://hpux.cs.utah.edu)
|   OpenSSL  0.9.7d (http://hpux.cs.utah.edu)
|   LibIconv 1.9.2  (http://hpux.cs.utah.edu)
|
| I was unable to locate this Packages on the HP site.
|
| Can anybody point me to a location, where I can
| find these required files?

Eric, Hate to lean on you again, but do you know of a URL
for these packages?  If you don't know off the top of
your head, I'll ping someone in the CIFS/9000
group in Cupertino.






cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
There's an anonymous coward in all of us.   --anonymous


[Samba] Re: Which Samba (CIFS ?) For HPUX 11.00 ?

2005-10-25 Thread eric roseme

Hi Nick,

This topic should be on samba@lists.samba.org - not technical.  I'll 
give you a brief overview, and any followup send to me directly.


HP-CIFS Server for 11.0 is based upon Samba 2.2.12.  Support for 11.0 
ends there - at 2.2.12.  Go to:


http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

If you want to continue on 11.0, HP posts 3.0.14a Opensource binaries to 
Samba.org, but they are not supported by HP.  The Opensource binaries 
will eventually be upgraded to 3.0.20a, but  we do not guarantee when. 
Of course, you are free to build your own. Samba binaries for HP-UX can 
also be loaded from:


http://hpux.cs.utah.edu.

There was a topic earlier today and last week about 11.0, 3.0.14a, and 
prerequisite Opensource libraries.  See:


http://marc.theaimsgroup.com/?l=samba&m=113025750223530&w=2

HP-UX 11iv1 and 11iv2 are a different story.  Email me directly (from cc 
list) for more information.


Eric Roseme
Hewlett-Packard

Boyce, Nick wrote:


[Sorry to bother everyone with this - it just seemed like I probably
need to reach any HP staff we have here on the list - everybody else
just press Delete]

I've just inherited the sysadmin role for an HPUX 11.00 / PA-RISC
machine, which is running Samba 2.2.8a (!) but not very well - they want
me to sort Samba out  and I'm wondering:  which is the best Samba
for such a system ?

The last time I admin'd HPUX was at 10.20, but I'm aware that HP were
going to create an official supported product for HPUX 11.x, based on
Samba and called CIFS.  I've surfed around *.hp.com but all I can find
are highly general product descriptions, and faqs - nothing definite
about CIFS, or what Samba version it might be based on.

I note that http://us4.samba.org/samba/ftp/Binary_Packages/hp/ only has
3.0.14a as the latest binary, and I know you guys have fixed an ocean of
things since then.

Is CIFS the best Samba for HPUX, or would a vanilla 3.0.20b be better
?
If best=CIFS, where can I get it ?
Is there a downloadable CIFS that keeps up-to-date with the latest Samba
V3 ?

Thanks - sorry for the interruption - reply off-list if this is too OT
... or tell me I should use [EMAIL PROTECTED] instead


Nick Boyce
EDS Central  Ireland ADU (UKIA)









Re: [Samba] samba-3.0.14a binaries for HP-UX-11.0

2005-10-24 Thread eric roseme

Sorry for the belated reply (out of the office).

Use the packages at the listed urls.  The 11i versions will work for 
11.0.  I have installed and tested the listed version numbers on 11.0, 
however all of the versions have since been rolled.  In addition, my 
11.0 system has been retired, so I cannot verify the results (from last 
April).  So, I'll reinstall everything and re-verify.  If you want to 
wait, I'll post my results here, but not until Tuesday 10/25 at the earliest.


Also, if you have installed HP CIFS Server on the system, you'll need to 
re-link some stuff.  I added the following text to the README of our 
opensource distribution (on samba.org), but I do not think it made the 
most recent build.  So here is the new text:


6.  If your system has HP CIFS Server previously installed, several libraries
    that are used by Samba may require re-linking.

  a. if
        /usr/local/samba/bin/smbd -V
        /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libiconv.sl
        /usr/lib/dld.sl: No such file or directory
        Abort(coredump)
     then
        cp /opt/samba/lib/libiconv.sl /usr/local/lib/

  b. if
        /usr/local/samba/bin/smbd -V
        /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/liblber.sl.2
        /usr/lib/dld.sl: No such file or directory
        Abort(coredump)
     then
        ln -s /opt/iexpress/openldap/lib/liblber-2.2.sl /usr/local/lib/liblber.sl.2

  c. if
        /usr/local/samba/bin/smbd -V
        /usr/lib/dld.sl: Can't open shared library: /usr/local/lib/libldap.sl.2
        /usr/lib/dld.sl: No such file or directory
        Abort(coredump)
     then
        ln -s /opt/iexpress/openldap/lib/libldap-2.2.sl /usr/local/lib/libldap.sl.2


Eric Roseme
Hewlett-Packard

Gerald (Jerry) Carter wrote:


Mark Proehl wrote:
| Hi,
|
| I'm looking for a binary package of samba with a libnss_winbind.1
| for HP-UX-11.0
|
| The depot files in
|
|   http://de.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.14a
|
| look good, but there are these three requirements:
|
|   OpenLdap 2.1.3  (http://hpux.cs.utah.edu)
|   OpenSSL  0.9.7d (http://hpux.cs.utah.edu)
|   LibIconv 1.9.2  (http://hpux.cs.utah.edu)
|
| I was unable to locate this Packages on the HP site.
|
| Can anybody point me to a location, where I can
| find these required files?

Eric, Hate to lean on you again, but do you know of a URL
for these packages?  If you don't know off the top of
your head, I'll ping someone in the CIFS/9000
group in Cupertino.






cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
There's an anonymous coward in all of us.   --anonymous


Re: SOLVED [Samba] problems with samba 3 and termnal server

2005-10-12 Thread eric roseme

JHT -

Would this topic be worthy of addition to the Howto?  I think I sent you 
a lengthy whitepaper about TS, along with all of the workarounds.  You 
could pull out pertinent passages like the MS Q-article and hotfix 
verbiage.  (if you want to)


Eric Roseme
Hewlett-Packard

Lorenzo Pilotti wrote:

thanks fellows,
the M$ patch seems to work fine... 


ya guruz! ;-)

loris



It's possible to set a registry setting that causes TS to open a new
SMB connection for every logged on user, this should help if the problem
is requests getting stuck in smbd's single threaded queue. The TS client
has some multi-threaded synchronisation problems that Microsoft could only
solve by going back to the (sensible) multi-connection model. They only
changed to single-connection to screw Samba over in a big account anyway
(the honest and sad truth :-).
Jeremy.






[Samba] Minimum User Rights For net ads join

2005-09-15 Thread eric roseme
I have seen a number of cases where unix/linux administrators do not 
have access to Windows Administrator rights to execute net ads join. 
Here is the result of testing that I have done to determine what the 
minimum set of user rights is.


Case 1:  Adding the object to the domain and joining the domain with 
net ads join


In this case, an ordinary user member of Domain Users can add and join 
 by having an Administrator assign the user special rights to the 
Computers container (or equivalent).  This is done by:

1.  Users and Computers MMC, Advanced Features View
2.  Right click Computers container and select Properties
3.  Choose Security tab, add a new user to the container
4.  Click Advanced, select the new user, click Edit
5.  Clear all rights, add back only Create Computer Objects
6.  OK to exit out

The user can now add and join the computer object using net ads join -U 
 username.



Case 2:  Add object using Users and Computers MMC, join using net ads 
join.


This method is required when a custom schema is used and net ads join 
cannot find the correct container to add the computer.  Note that 
sometimes the userAccountControl attribute will populate with a value 
that denies krb5 authentication, and the attribute must be populated 
manually.

1.  Users and Computers MMC, Advanced Features View
2.  Add the computer object using the MMC.  Do not select Windows
    2000 compatible.
3.  Right click on the new computer object (note that this is
    different from the container in Case 1) and select Properties.
4.  Click Advanced, then Add, and add the user to Security Settings.
5.  Highlight the username, then select Edit.
7.  Select Full Control - this will autoselect all Permissions.
8.  Unselect those that we do not need:
        Full Control
        Create All Child Objects
        Delete All Child Objects
        (all items thru)
        Delete All Shared Folder Ob
9.  OK to exit out.

The user can now join and modify the existing computer object using net 
ads join -U username.



Caveats:

1.  net ads leave -U username does not work, even with Administrator.
2.  Several other net ads commands do not work.
3.  The ntSecurityDescriptor is not correctly processed (ldap.c accounts
for this and adds the object anyway, and issues a warning)

JT - I have written a user's guide for this process.  Let me know if you 
would like to use it however you see fit.



Eric Roseme
Hewlett-Packard



Re: [Samba] Domain Member Server: Group Membership Updates

2005-08-23 Thread eric roseme

Hi Thilo,

I cannot duplicate your problem on 11i v1 CIFS A.02.01.01.  Can you stop 
winbind and run it manually with -n to verify that it bypasses the cache?


Eric Roseme
Hewlett-Packard

[EMAIL PROTECTED] wrote:


Hi all,

I have a problem with my Samba on HPUX (based on Samba 3.07):

There is a Windows 2003 Server (DC). The HPUX-Fileserver is configured as a 
Member of this Domain. I am Using Winbind to map users and groups. Everything 
works fine, the Users can access their files on the shares on the samba server. 
The Permissions are set in smb.conf by the domain group names.

Now I have a new Group, added Users to that group and set a new share with 
permissions for that group. All members of this group can't access the share:

# ./wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
[...]
Testgroup

Wbinfo lists the group testgroup

I created a folder and set permissions to that group:

# ls -lad testshare
drwxrwx---   2 AdministratTestgroup   96 Aug 23 11:26 testshare

gid seems to be 20022:

# ls -land testshare
drwxrwx---   2 2  20022   96 Aug 23 11:26 testshare

But the User t.rees, who is a member of this group on the domain-controller, is 
not known to be a member of this group by winbind:

# /opt/samba/bin/wbinfo -r t.rees
2
20011
20013

Any suggestions?

Kind Regards: Thilo Rees











Re: RE [Samba] SFU required ?

2005-08-12 Thread eric roseme



Gerald (Jerry) Carter wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[EMAIL PROTECTED] wrote:


Hi,

No, for samba ADS member you must just use winbind and 
idmap mapping.  I suggest you to read the

samba-howto-collection and the samba by-example
book available on samba website.




Just as a heads up, Samba 3.0.20 will have support to
utilize the SFU schema for winbindd if you want to.
It's a new idmap plugin (idmap backend = ad).  And you will
be able to pull the home directory and shell information
as well (winbind nss support = sfu).


Another heads up - it looks like W2003 R2 (beta) has the POSIX
attributes already integrated into the schema.  What is even more
notable, is that my R2 beta version uses the actual RFC 2307 attribute
names, as opposed to msSFU-30-XX.  So there is good (finally
using the correct attributes) and bad (they changed their schema).

Eric Roseme
Hewlett-Packard





Re: [Samba] Mapping HPUX to Windows Shared Directories

2005-08-04 Thread eric roseme

Hi Tony,

I am not sure that I understand your question, but it may be that you 
have a share on your W2003 server that you want to map from your HP-UX 
system.  If this is true, then you need to use the HP CIFS Client.  If 
you need help with the CIFS Client, email me off-list and I'll help you 
out.  If I mis-understood your question, then re-state the question to 
help me out.


Thanks,

Eric Roseme
Hewlett-Packard

Tony Gardner wrote:

I need to know what the command would be to map an HPUX directory to a Windows 
shared directory.

I am running Samba 3.0.7 on HPUX 11i and have Windows Server 2003.

Any help would be greatly appreciated.

Regards,

Tony Gardner
UNIX Contractor
Haas Automation, Inc.




Re: [Samba] libnss_winbind.so or nss_winbind.1 for HPUX

2005-08-01 Thread eric roseme
What HP-UX version?  Please describe the problem with nss and trusted 
system.  Also indicate if the problem is with winbind only or other 
modules too.


Eric Roseme
Hewlett-Packard

Mauro wrote:

I was able to produce libnss_windbind.1 object but nss system still has
problem with trusted mode system.

RGDS

Mauro
- Original Message - 
From: Mauro [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
Sent: Monday, August 01, 2005 2:31 PM
Subject: [Samba] libnss_winbind.so or nss_winbind.1 for HPUX


I was not able to find in 3.0.14a package for HPUX libraries needed by
nsswitch to use winbind.
Please could you help me to find them or to compile them directly from
sources?
In sources I found:

/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_linux.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_wins.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_misc.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_hpux.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_cm.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_ads.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_nss.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_config.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_util.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_user.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_client.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_rpc.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_dual.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_freebsd.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_irix.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_solaris.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_group.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_irix.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_solaris.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_aix.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_passdb.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_cache.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/pam_winbind.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_acct.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbind_nss_linux.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_pam.c
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/pam_winbind.h
/usr/local/samba/src/samba-3.0.14a/source/nsswitch/winbindd_sid.c
/usr/local/samba/src/samba-3.0.14a/testsuite/nsswitch/pam_winbind_syms.exp
/usr/local/samba/src/samba-3.0.14a/testsuite/nsswitch/pam_winbind_syms.c
/usr/local/samba/src/samba-3.0.14a/testsuite/nsswitch/nss_winbind_syms.exp
/usr/local/samba/src/samba-3.0.14a/testsuite/nsswitch/nss_winbind_syms.c
/usr/local/samba/src/samba-3.0.14a/examples/nss/nss_winbind.h
/usr/local/samba/src/samba-3.0.14a/examples/nss/nss_winbind.c




Re: [Samba] samba 2.2.8a

2005-06-14 Thread eric roseme

Sorry for the late reply - I was out last week.

You need to increase your nfile and nproc parms  (see Admin Guide pg 258 
[http://www.docs.hp.com/en/B8725-90074/B8725-90074.pdf]).


I delivered a tuning presentation at HPWorld in 2003.  If you want a 
copy, email me off list and I'll send it to you.


Also, the version you are running is not supported.  You should pull 
down either the current 3.0 CIFS version, or the supported 2.2 version from:


http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA

Eric Roseme
Hewlett-Packard

david lawrance wrote:


Hello
 
We are facing a problem in samba server running in hpux11.11. version of samba is

version: 2.2.8a based HP CIFS Server A.01.10.
We are not able to connect more than 18 users concurrently. When we map drive for 19th 
user it gives me an error network connection not found, after killing one 
user it starts mapping.
Is there any user restriction or need for kernel parameter change.
 




Regards, 
Davidlawrance.A






Re: [Samba] liblber.sl.2 For HP-UX 11

2005-06-03 Thread eric roseme

Are you pulling the pre-compiled binaries from:

http://us1.samba.org/samba/ftp/Binary_Packages/hp/samba-3.0.14a/ ?

The 11.0 depot works for 11i too.  The README says to install OpenLDAP 
and OpenSSL from http://hpux.cs.utah.edu.  However, you can download 
OpenLDAP for free off the HP Internet Express site at:


https://payment.ecommerce.hp.com/portal/swdepot/try.do?productNumber=HPUXIEXP

You need OpenSSL too:

https://payment.ecommerce.hp.com/portal/swdepot/try.do?productNumber=OPENSSL11I

I have written a new README that describes the link changes you need if 
you have had HP CIFS Server installed previously, but it is not posted 
to the site yet.  Let me know if you need those instructions.


In any case, the libraries will be there if you install OpenLDAP and 
OpenSSL from the HP site.


Eric Roseme
Hewlett-Packard

Joseph Madrinkian wrote:


Hello All,

When I try to start SAMBA I get an error message saying I'm missing the 
liblber.sl.2
It says that if I download the libraries for OPENLDAP, this library 
should be included. But it does not get installed and I cannot find it anywhere.

	Does anyone have any suggestions. 


I'm on a HP-UX11 box.

Thanks




Re: [Samba] CIFS/ACLs

2005-06-01 Thread eric roseme
For the no buffer space, verify that you have increased nfile and 
nproc (see Admin Guide pg 258 
[http://www.docs.hp.com/en/B8725-90074/B8725-90074.pdf]).  You need 
1.2MB memory per client at connect time, in addition to whatever else 
your system needs.


For ACLs, verify that you are using JFS (VxFS) 3.3 or later, and layout 4:

rmonster-bdf
Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol3    2097152   77264 2004120    4% /
/dev/vg00/lvol1    1014648   28336  884840    3% /stand
/dev/vg00/lvol8    5242880  182064 5021776    3% /var
/dev/vg00/lvol7    5242880 1147952 4063024   22% /usr
/dev/vg00/lvol6    2097152  228432 1854184   11% /tmp
/dev/vg00/lvol5    5242880  505264 4700864   10% /opt
/dev/vg00/lvol4    5242880   18008 5184112    0% /home
rmonster-fstyp -v /dev/vg00/lvol4
vxfs
version: 4
f_bsize: 8192
f_frsize: 8192
f_blocks: 655360
f_bfree: 653109
f_bavail: 648263
f_files: 155616
f_ffree: 163264
f_favail: 163264
f_fsid: 1073741828
f_basetype: vxfs
f_namemax: 254
f_magic: a501fcf5
f_featurebits: 0
f_flag: 16
f_fsindex: 5
f_size: 655360
rmonster-

The symptoms that you describe are common for a file system that is not 
POSIX ACL enabled.  Also, the Windows Explorer security screen will be 
adding windows groups to the ACL, but you have mapped those with net 
groupmap to your POSIX groups, which display on the getacl.  See below 
(edited for brevity).


rmonster-getacl jardin.mpg
# file: motocross.mpg
# owner: SNSLATC+eroseme
# group: SNSLATC+Domain Users
user::rwx
group::r--
group:vamps:rwx
group:scoobs:r-x
class:rwx
other:r--
rmonster-net groupmap list
vampires (S-1-5-21-1681019172-2179928069-728536373-1122) - vamps
Domain Users (S-1-5-21-1681019172-2179928069-728536373-513) - -1
scoobies (S-1-5-21-1681019172-2179928069-728536373-1121) - scoobs
Users (S-1-5-32-545) - -1
rmonster-wbinfo -g
BUILTIN+Users
SNSLATC+Domain Admins
SNSLATC+Domain Users
SNSLATC+Domain Guests
SNSLATC+scoobies
SNSLATC+vampires
SNSLATC+demons
SNSLATC+mars
SNSLATC+neptune
rmonster-

If this does not help, email me off-list.

Eric Roseme
Hewlett-Packard

Thilo Rees, Continum wrote:


Hi,

I am using CIFS 2.01.01 on HPUX11V2. CIFS is running in ADS 
security-mode. Winbind is used to map the users from the W2K3-Domain 
(german) to a tdb-file. The user mapping works fine, but I have 
problems with the ACLS: setting the ACLS to a file or folder from 
windows leads to access denied. I'm the owner of the object and have 
full access. The really crazy thing is, that it works sometimes, but 
later the ACLs are gone (showing standard permissions) and I can't 
modify them (Access denied). getacls from Unix side displays the 
formerly configured ACLS 

The logfile (loglevel=2) shows:

log.smbd:
open_sockets_smbd: accept: No buffer space available

host.log
[2005/05/30 11:22:29, 1] smbd/service.c:make_connection_snum(648)
192.168.200.11 (192.168.200.11) connect to service tmp initially as user 
FRHAWIN\Administrator (uid=1, gid=1) (pid 9429)

[2005/05/30 11:29:37, 1] smbd/service.c:close_cnum(835)
192.168.200.11 (192.168.200.11) closed connection to service tmp
[2005/05/30 11:30:17, 2] smbd/server.c:main(893)
Changed root to /
[2005/05/30 11:30:17, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.

[2005/05/30 11:30:19, 1] smbd/service.c:make_connection_snum(648)
192.168.200.11 (192.168.200.11) connect to service tmp initially as user 
FRHAWIN\Administrator (uid=1, gid=1) (pid 9553)

[2005/05/30 11:30:36, 2] smbd/posix_acls.c:set_canon_ace_list(2422)
set_canon_ace_list: sys_acl_set_file type file failed for file ACLStest 
(Invalid argument).


my smb.conf is simple:

[global]
  display charset = UTF-8
  workgroup = FRHAWIN
  realm = Y.Y.YYY
  netbios name = FSERV0
  server string = CIFS_HP_UX
  security = ADS
  password server = .x..xxx
  log level = 2
  log file = /var/opt/samba/log.%m
  max log size = 1000
  host msdfs = Yes
  idmap uid = 1-2
  idmap gid = 1-2
  winbind use default domain = Yes

[tmp]
  comment = Temporary file space
  path = /tmp
  read only = No

Any suggestions?

Regards: Thilo
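
The two log messages quoted in this thread and the checks given in the reply can be turned into a small triage script. This is an added example, not code from the thread, from Samba or from HP: the sample log and fstyp text are constructed from the excerpts above (the header of the "No buffer space" record, including its timestamp and line number, is invented for the sample), and the rule and function names are hypothetical. It assumes that VxFS layouts newer than 4 also satisfy the "layout 4" requirement.

```python
import re

# Header line of a Samba 3.0 log record, in the shape quoted in the thread:
#   [2005/05/30 11:30:36, 2] smbd/posix_acls.c:set_canon_ace_list(2422)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)\s*$"
)

# Constructed sample. The first record's header is invented for illustration;
# the message texts are the ones quoted in the thread.
SAMPLE_LOG = """\
[2005/05/30 11:22:10, 0] smbd/server.c:open_sockets_smbd(395)
  open_sockets_smbd: accept: No buffer space available
[2005/05/30 11:30:19, 1] smbd/service.c:make_connection_snum(648)
  192.168.200.11 (192.168.200.11) connect to service tmp initially as user
  FRHAWIN\\Administrator (uid=1, gid=1) (pid 9553)
[2005/05/30 11:30:36, 2] smbd/posix_acls.c:set_canon_ace_list(2422)
  set_canon_ace_list: sys_acl_set_file type file failed for file ACLStest
  (Invalid argument).
"""

# Constructed sample of `fstyp -v <device>` output, shortened from the reply.
SAMPLE_FSTYP = """\
vxfs
version: 4
f_bsize: 8192
f_basetype: vxfs
"""

# Hypothetical rule names; the advice strings paraphrase the reply in the thread.
RULES = [
    ("socket-accept-enobufs",
     re.compile(r"accept: No buffer space available"),
     "raise nfile and nproc; budget about 1.2MB of memory per client"),
    ("posix-acl-set-failed",
     re.compile(r"sys_acl_set_file .* failed for file (\S+) \(Invalid argument\)"),
     "check with fstyp -v that the share's file system is VxFS layout 4"),
]


def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            ts, level, src, func, _lineno = m.groups()
            records.append({"ts": ts, "level": int(level), "src": src,
                            "func": func, "msg": ""})
        elif records and raw.strip():
            # Continuation line: a wrapped message belongs to the last header.
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    return records


def triage(text):
    """Return (timestamp, rule name, advice) for every record a rule matches."""
    findings = []
    for rec in parse_records(text):
        for name, pattern, advice in RULES:
            if pattern.search(rec["msg"]):
                findings.append((rec["ts"], name, advice))
    return findings


def check_fstyp(output):
    """Check `fstyp -v` output for a vxfs file system at layout 4 or later.

    The JFS product version (3.3 or later) is not visible in this output and
    has to be checked separately.
    """
    lines = [l.strip() for l in output.splitlines() if l.strip()]
    if not lines:
        return (False, "empty fstyp output")
    fstype = lines[0]
    fields = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if fstype != "vxfs":
        return (False, "file system type is %s, not vxfs" % fstype)
    version = fields.get("version", "")
    if not version.isdigit():
        return (False, "no layout version reported")
    if int(version) < 4:
        return (False, "vxfs layout %s is older than layout 4" % version)
    return (True, "vxfs layout %s" % version)


if __name__ == "__main__":
    for ts, name, advice in triage(SAMPLE_LOG):
        print("%s  %-22s %s" % (ts, name, advice))
    print(check_fstyp(SAMPLE_FSTYP))
```
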






Re: [Samba] Samba server suddenly started asking for authentication of the users

2005-05-18 Thread eric roseme
There is not enough information to make a guess.  Send me (off-list) 
your smb.conf.  Also, set your log level to 5 and log file = 
/var/opt/samba/log.%m, then attempt the share mount, and send me the 
log file (log.machine name).

Whatever the outcome, you will need to upgrade your Samba version.  If 
you are using HP CIFS Server, you can stay on 2.2 - we still supply and 
support 2.2.12.  You can also upgrade to 3.0.8.  If you are using 
opensource, then you should go to 3.0.14a.

Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED]
Majid Chavoshi wrote:
Samba Server Name: hamilton
Samba Server OS: HP-UX 11.11
Samba Version: 2.2.3.a
Hi All,
I have the same version of Samba running on many of our HP servers with almost 
identical smb.conf file and configured the same way. No other Samba server seems to be 
having any problems except this one (hamilton). When a legitimate user tries to access 
a Samba share from a Windows client, it asks for his/her User name & password, and 
it won't accept the user's current network id & password.
Can anyone advise as to what might be the problem and how to fix it. Many 
thanks in advance.
Regards,
Majid Chavoshi
Unix Systems Administrator
Belkin Corporation
Information Services
310-604-2098 Office
310-604-2022 Fax
310-877-1428 Mobile
[EMAIL PROTECTED]
www.belkin.com


Re: [Samba] high network traffic

2005-05-10 Thread eric roseme
I tested W2000 and XP-SP2 on 3.0.8 on HP-UX 11i v1 (HP CIFS Server). 
All writes from 50KB file-save (notepad) were at MTU size, Samba was 
actually a little more efficient (than 2003) using about 40 fewer 
packets for the exchange.  Try testing a different app (notepad), to see 
if it is app-specific.

The file size reporting is also unknown (JFS 3.3 layout 4).  My server 
correctly lists file size over a share with XP-SP2.

An easy test is to install HP CIFS Server (it can co-exist with 
Opensource Samba) and either test it, or smbd -b and see how the build 
differs from yours (and smb.conf defaults).

Eric Roseme
Hewlett-Packard
Thierry ITTY wrote:
hello
I'm experiencing problems with samba (2.2.7a on linux & 3.0.15 on hp-ux)
with windows xp (sp2) clients
to make it short, an application reads and writes files on a share
when the share is on a windows (2003) server, the network traffic is normal
when the share is on a samba server, the network traffic is very high and
the application response time increases very badly
I took some traces (tcpdump, ethereal...) and I see that
- when the file is on a windows share, the file is read or written with big
blocks sizes (say 1000 bytes), and thus for a 50 KB file I get ca. 100
network frames
- when the file is on a samba share, the blocks are as small as 5 bytes
(yes, the trace shows read andx 5 bytes at offset 0, then 5 bytes at
offset 5, and so on), and the amount of network frames goes up to 20,000
for the same file, with obvious performance degradation
I tried various configuration changes (oplocks, raw io, case sensitiveness,
and so on), but nothing really helps
and more the open process looks the same with both server types : I checked
each value and flag in the open request and answer, and only saw that one
had the archive flag not set, and that allocation size differs (true file
size for windows = 50 K, 1 MB size for hp-ux, may look as some hp
filesystem allocation block ???), and I also saw that in both cases an
oplock was granted.
I have no more idea about what to do and I'd really appreciate any help


Re: [Samba] PANIC: internal error

2005-04-29 Thread eric roseme
Hi Mike,
You are actually running an unsupported version of HP CIFS Server 
(Samba).  You can upgrade to the current supported version for free from:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B8725AA
There were definitely winbind problems in the preview version that you 
are running.  If the problem persists after upgrading, email me directly 
and we'll get to work on solving it.

Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED]
Cheatham, Mike Mr KRS wrote:
HP UX11i
 

My SA is off island and I am in unfamiliar territory.  We are getting an
error when trying to start winbindd.
 

  ===
[Thu Apr 28 12:04:49 2005
, 0] lib/util.c:smb_panic2(1398)
  PANIC: internal error
[Thu Apr 28 13:07:20 2005
, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.5 based HP CIFS Server T.30.PV.02 started.
  Copyright The Samba Team 2000-2004
[Thu Apr 28 13:07:20 2005
, 1] lib/util_unistr.c:load_case_tables(63)
  creating lame upcase table
[Thu Apr 28 13:07:20 2005
, 1] lib/util_unistr.c:load_case_tables(78)
  creating lame lowcase table
[Thu Apr 28 13:07:20 2005
, 1] nsswitch/winbindd_util.c:add_trusted_domain(178)
  Added domain SMDCK  S-0-0
/usr/lib/dld.sl: Unresolved symbol: sasl_client_init (code)  from /usr/lib/libldap.sl
[Thu Apr 28 13:07:20 2005
, 0] lib/fault.c:fault_report(36)
  ===
[Thu Apr 28 13:07:20 2005
, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 6 in pid 26250 (3.0.5 based HP CIFS Server
T.30.PV.02)
  Please read the appendix Bugs of the Samba HOWTO collection
[Thu Apr 28 13:07:20 2005
, 0] lib/fault.c:fault_report(39)
  ===
[Thu Apr 28 13:07:20 2005
, 0] lib/util.c:smb_panic2(1398)
  PANIC: internal error
 

 

I am unable to find the appendix Bugs of the Samba HOWTO collection
 

Mike Cheatham
Information Systems and Technology
Systems Support Manager
Kwajalein Range Services, LLC
Kwajalein Marshall Islands (GMT+12)
805-355-2446 Pager 712
 

 



Re: [Samba] Commercially supported Samba

2005-04-27 Thread eric roseme
Greathouse, Sheri L wrote:
Does anyone know of a commercially provided and supported version of Samba
in the  United States?
Sheri Greathouse
EDS - Software Services - AIX Capabilities
MS 2o
1075 W. Entrance Drive
Auburn Hills, MI 48326
 
Hewlett-Packard supports Samba (as HP product HP CIFS Server) on HP-UX 
11i v1 and v2, with full Response Center, Expert Center, and factory lab 
support.

I have worked with EDS on HP-UX CIFS-Samba sites in the past.
Eric Roseme
Hewlett-Packard



Re: [Samba] Does SAMBA ever work with 2003 Server native mode ADS?

2005-03-30 Thread eric roseme
Dave Rutlidge wrote:

I posted a query re a problem I was having getting SAMBA to authenticate
using a Windows 2003 Server ADS and got no reply. Also, I've searched
the web (before posting) and no one else had a reply to any similar
question.

Does SAMBA actually work with 2003 ADS at all or am I flogging a dead
horse?

Getting no reply is a real bummer.  At least getting forget it! means
I don't waste more time looking for the issue.

Has ANYONE got SAMBA to work with 2003 Server in native mode? How?

Yes, I just tested it in a 2003 native mode domain.  I can net ads 
join, and auth-n a user using krb5 with MD5.

If it doesn't work using Kerberos, is there another way?

I recommend to new users to start by configuring Samba with 
security=domain, to ensure that they get Samba itself working 
correctly before going to Kerberos.  Yes - Samba will work using NTLM in 
native mode.  You might have to change your domain security policy to 
accept NTLM.  You can also just \\ipaddress\sharename when 
security=ads and it should fall back to NTLM.  Assuming your domain 
add worked okay.

Thanks in advance for any pointers.

Sorry I will not be around to help, leaving for vacation for 10 days.

One very struggling SAMBA mewbie :((
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Re: Samba - CPU and memory usage - Proposed solution(?)

2005-01-24 Thread eric roseme

Mike,

  Are shortnames still too common to make them optional? It's unfortunate
  that you incur the overhead of shortname support on all clients when
  only a small number of scenarios require them.

They've been optional in Samba3 for a while (via the mangled names
boolean option). Unfortunately disabling them is really just a
benchmark hack for now, as the few users of them are quite
important. Making cmd.exe not work on a WinXP client would be a pretty
serious functionality loss :-)

At Microsoft Tech-Ed 2004 they recommended disabling 8.3 name creation 
for NTFS file server performance.  I was quite surprised.

Eric Roseme
Hewlett-Packard


Re: [Samba] Mapping Windows groups to Unix ones on Samba 2.2

2005-01-13 Thread eric roseme
Is this Samba Opensource 2.2.12 or HP CIFS Server 2.2.12 (A.01.11.03)?

groupname map is not a real Samba feature, I believe.  See Jerry's 
response at:

http://marc.theaimsgroup.com/?l=samba&m=104302387220719&w=2

HP CIFS Server at 2.2 was not enabled for winbind, thus there is no way 
to do what you want.  If you go to HP CIFS Server A.02.01 (3.0.7 and 
3.0.8) you get winbind and net groupmap - not the same syntax as below 
but you can map AD groups.

Eric Roseme
Hewlett-Packard
Laurent Blume wrote:
Hi all,
Now that I've got Samba 2.2.12 running correctly on that HP-UX box, I 
need to allow write access to a given AD domain group.

What is the right way to do it on Samba 2.2?
I added a group.map file in smb.conf, and a line inside that said:
unixgroup = AD Domain Group
Then in smb.conf, I put in [global]:
groupname map = /etc/opt/samba/group.map
And in the correct share, I put the following:
valid users = @unixgroup
read list = @unixgroup
write list = @unixgroup
I did not restart Samba, but from what I understand, the config file was 
automatically reloaded. SWAT did display the new values.

The users' login were already mapped in the user.map file, and that 
works fine.

However, after doing that, the persons in the AD group still had no access.
Putting the unix users directly in the unix group does work, but of 
course, is a much less clean solution.

Any hint or pointer to documentation? I was only able to find some for 
the 3.0 version, which is quite different for that :-/

TIA!
Laurent



Re: [Samba] No locking available. Running Samba would be unsafe

2004-12-14 Thread eric roseme
1.  What version of HP-UX?
2.  What version of Samba (or HP CIFS Server)?
3.  What is nflocks set to?
4.  Do a testparm | grep lock and send in the results.
Eric Roseme
Hewlett-Packard
Bill S wrote:
Hello Samba folks,
 
A couple years ago I installed Samba 2.2.0 on our HP9000 running hpux
10.20.
I am now trying to install it on a customer's HP9000 and am getting the
error 
No locking available. Running Samba would be unsafe while executing the
configure command. I got that error a couple years ago and resolved it by
linking /usr/bin/cc and /opt/ansic/bin/cc but that is not working this time.
I also
tried linking /usr/bin/cc and /usr/ccs/bin/cc but that did not work either.
Any
ideas?
 
- Bill


Re: [Samba] No locking available. Running Samba would be unsafe

2004-12-14 Thread eric roseme
Hi Bill,
I am not sure if this is your problem, but 2.2 will take about 20 locks 
per client connection, so you will run out of locks at 10 connections 
with nflocks set at 200.  You will need to bump that up, along with 
nfiles and nproc.

Of course, you should not be on 10.20, or 2.2.0, but I suppose you know 
that.

Eric Roseme
Hewlett-Packard
Bill S wrote:
Eric,
Thanks for your response. Here are some answers to your questions.
1- HPUX 10.20
2- Samba 2.2.0
3- nflocks = 200
4- There is no testparm command. I checked samba's source/bin
   directory and the only command there was .cvsignore. On my
   system the testparm and other commands, like smbd,nmbd and
   smbclient, were in the bin directory. 

- Bill
-Original Message-
From: eric roseme [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 14, 2004 8:27 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] No locking available. Running Samba would be unsafe

1.  What version of HP-UX?
2.  What version of Samba (or HP CIFS Server)?
3.  What is nflocks set to?
4.  Do a testparm | grep lock and send in the results.
Eric Roseme
Hewlett-Packard
Bill S wrote:
Hello Samba folks,
   A couple years ago I installed Samba 2.2.0 on our HP9000 running 
hpux 10.20.
I am now trying to install it on a customer's HP9000 and am getting 
the error No locking available. Running Samba would be unsafe while 
executing the configure command. I got that error a couple years ago 
and resolved it by linking /usr/bin/cc and /opt/ansic/bin/cc but that 
is not working this time.
I also
tried linking /usr/bin/cc and /usr/ccs/bin/cc but that did not work
either.
Any
ideas?
- Bill



Re: [Samba] Performance of samba in linux vs windows

2004-10-01 Thread eric roseme
Hi Tim,
Just as a sanity check.
I did some testing earlier this year to characterize performance 
differences btw 2.2.8a and 3.0.2a.  I tested simple copies of one .5 GB 
file, and also a directory with 5000 files (with very long names 
including upper and lower case).  As long as I was testing the version 
deltas, I also compared the tests to a Windows 2003 Server.

I do not want to specify the exact results and hardware (since I work 
for a vendor), but for the single-big-file test Windows 2003 ftp was 
slower than Samba by a factor of 3.  ftp on HP-UX was just slightly 
faster than Samba.  For the 5000-files test, reading from the server was 
about the same for all SMB server platforms (XP from W2003, 2.2.8a, 
3.0.2a).  For the 5000-files test, writing to the server was 
significantly slower on Samba versus Windows.  This is well-known 
behavior for large directories due to name mangling and case sensitivity.

I also tested extensively versus NFS (but this was on 2.0.6 - quite a 
while ago) and the total throughput numbers (MB/s) were almost the same 
for SMB vs NFS.  These were 8-way 4-GbE boxes, though.

I cannot claim these results as benchmarks - maybe someday if we get a 
CIFS benchmark like SPEC then we'll have a level playing field.  The 
point is, that results vary all over the place by environment.  (also - 
turn off strict locking and test again).

Go Mustangs! (c/o '80 & '88)
Eric Roseme
Hewlett-Packard
Tim Harvey wrote:
I'm doing some performance tests on a samba NAS server and I've found some
interesting statistics:
I'm doing my performance tests in linux using:
  # time dd if=somelargefileovershare of=/dev/null bs=1M count=100
Then calculating the bandwidth
For windows I'm low-tech: stopwatch plus drag-n-drop of a large file (any
recommendations on a 'simple' windows program that will tell you how long it
took to copy a file, or even calc the BW for you?)
Here are my bandwidth results:
nfs via linux: 10MB/s
smb via linux: 5MB/s
smb via win: 8MB/s
Questions:
  - why would I be getting half the performance via nfs vs smb?  Is there a
lot more overhead with smb vs nfs?
  - why the large difference between using smb from a linux box vs smb from
windows?  The windows transfers are much faster... almost 2X
I'm just trying to understand my results better.  The samba server I'm
mounting to is running on a 1.2GHz Celeron, 256MB SDRAM, using a raid5 array
with an XFS filesystem on ATA drives with a 100mbps nic.  The bottleneck
here is the 100mbps nic, which theoretically will give me a max throughput
from the server of 12.5MB/sec, so I'm fairly satisfied to see 10MB/sec from
the nfs test.
Thanks for any assistance in understanding these results,
Tim


[Samba] strict locking = yes 3.X Default?

2004-09-22 Thread eric roseme
On 3.0.2a and 3.0.5 it appears that "strict locking = yes" is the 
default, even though SWAT help says it is "strict locking = no", and 2.2 
was "no".  Is this true, and if so, is it intentional?

Thanks,
Eric Roseme
Hewlett-Packard


Re: [Samba] Samba performance issue

2004-09-09 Thread eric roseme
Hi Xiaoqin,
First, if TCP_NODELAY is not being set, that could be your performance 
problem right there.  I have no idea what the problem is with setting 
your socket options.  I guess that you compile your own Samba version, 
so maybe it's time to start investigating your build.

My version of HP CIFS Server on 3.0.5 does not exhibit any of the 
symptoms as seen in your logs.  You can pull down the latest build of 
CIFS 3.0.5 (for testing only) from:

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=CIFSTP3
On 2.2 CIFS and Opensource can co-exist on the same system (only one can 
run), but I have not tested this on 3.0 yet.  So you could test with 
CIFS for the socket options to see if you have a build problem.

Second, if you are running opensource, then you are probably calling 
pread/pwrite.  If you are doing that, then you need phlk_28512.  That 
can slow down reads/writes too.

Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED] wrote:
Hi,
In the last couple of weeks, Eric helped me fix a couple of hang issues on my new samba 3.0.5 running on HP-UX 11i. Right now, people still experience slowness when they run some applications on the samba shares OR recursively list directories on the samba shares. 

There were not a lot of errors in the individual log files. However, there are some 
errors in the log.smbd and log.0.0.0.0 files.
1) what is log.0.0.0.0 file? Is it a problem that it exists?
2) In log.smbd file, I saw the following type of errors:
[2004/09/08 09:23:51, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Invalid argument
[2004/09/08 09:27:52, 0] smbd/server.c:open_sockets_smbd(382)
  open_sockets_smbd: accept: No buffer space available
[2004/09/08 09:30:15, 0] smbd/server.c:open_sockets_smbd(382)
  open_sockets_smbd: accept: No buffer space available
[2004/09/08 09:31:17, 0] lib/util_sock.c:set_socket_options(185)
  Failed to set socket option SO_KEEPALIVE (Error Invalid argument)
[2004/09/08 09:31:17, 0] lib/util_sock.c:set_socket_options(185)
  Failed to set socket option TCP_NODELAY (Error Invalid argument)
[2004/09/08 09:31:17, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Invalid argument
[2004/09/08 09:33:08, 0] smbd/server.c:open_sockets_smbd(382)
  open_sockets_smbd: accept: No buffer space available
3) In log.0.0.0.0 file, I saw the following type of errors:
[2004/09/08 15:54:22, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Invalid argument
[2004/09/08 15:54:22, 0] lib/access.c:check_access(326)
[2004/09/08 15:54:22, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Invalid argument
  Denied connection from  (0.0.0.0)
[2004/09/08 15:54:22, 1] smbd/process.c:process_smb(883)
[2004/09/08 15:54:22, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Invalid argument
  Connection denied from 0.0.0.0
[2004/09/08 15:54:22, 0] lib/util_sock.c:write_socket_data(413)
  write_socket_data: write failure. Error = Broken pipe
[2004/09/08 15:54:22, 0] lib/util_sock.c:write_socket(437)
  write_socket: Error writing 5 bytes to socket 23: ERRNO = Broken pipe
[2004/09/08 15:54:22, 0] lib/util_sock.c:send_smb(629)
  Error writing 5 bytes to client. -1. (Broken pipe)
Are these real problems and how to get rid of them?
BTW, we have the following configuration in smb.conf file:
  socket options = TCP_NODELAY
Thank you very much for your help!
Xiaoqin Qiu
Agilent Technologies, Inc.
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
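
The log excerpts quoted in the message above interleave headers (a check_access header is followed directly by a get_peer_addr header before either message line appears), which makes them hard to triage by eye. As an added example that is not part of the original thread, this Python sketch pairs each message with its header and counts entries by class; the class names, function names and the innermost-header-first pairing rule are assumptions, and the sample is assembled from lines quoted in the message.

```python
import re
from collections import Counter

# Header of a Samba debug entry: "[timestamp, level] file.c:function(line)".
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+), +(?P<level>\d+)\] "
    r"(?P<file>[\w/.]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Hypothetical triage classes for the messages seen in this thread.
RULES = [
    ("accept_no_buffers", re.compile(r"accept: No buffer space available")),
    ("sockopt_failed", re.compile(r"Failed to set socket option (\S+)")),
    ("conn_denied", re.compile(r"Denied connection from|Connection denied from")),
    ("peer_unknown", re.compile(r"getpeername failed")),
    ("write_failed", re.compile(r"Broken pipe")),
]

# Sample assembled from log lines quoted in the message (log.smbd and log.0.0.0.0).
SAMPLE_LOG = """\
[2004/09/08 09:27:52, 0] smbd/server.c:open_sockets_smbd(382)
  open_sockets_smbd: accept: No buffer space available
[2004/09/08 09:31:17, 0] lib/util_sock.c:set_socket_options(185)
  Failed to set socket option SO_KEEPALIVE (Error Invalid argument)
[2004/09/08 09:31:17, 0] lib/util_sock.c:set_socket_options(185)
  Failed to set socket option TCP_NODELAY (Error Invalid argument)
[2004/09/08 15:54:22, 0] lib/access.c:check_access(326)
[2004/09/08 15:54:22, 0] lib/util_sock.c:get_peer_addr(978)
  getpeername failed. Error was Invalid argument
  Denied connection from  (0.0.0.0)
[2004/09/08 15:54:22, 0] lib/util_sock.c:write_socket_data(413)
  write_socket_data: write failure. Error = Broken pipe
"""


def parse_entries(text):
    """Return one dict per header, with its message text attached."""
    entries, pending = [], []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            # Headers that already received a message are finished.
            pending = [e for e in pending if not e["message"]]
            entry = {"ts": m["ts"], "level": int(m["level"]),
                     "func": m["func"], "message": ""}
            entries.append(entry)
            pending.append(entry)
            continue
        body = raw.strip()
        if not body or not pending:
            continue
        # Assumption: with several headers waiting, the innermost (latest)
        # one printed first; with one header, all lines are continuations.
        target = pending.pop() if len(pending) > 1 else pending[0]
        target["message"] = (target["message"] + " " + body).strip()
    return entries


def classify(message):
    for name, rx in RULES:
        if rx.search(message):
            return name
    return "other"


def summarize(text):
    """Count entries by (source function, class)."""
    return Counter((e["func"], classify(e["message"])) for e in parse_entries(text))


def failed_socket_options(text):
    """Names of socket options smbd reported it could not set."""
    rx = dict(RULES)["sockopt_failed"]
    hits = (rx.search(e["message"]) for e in parse_entries(text))
    return sorted({m.group(1) for m in hits if m})


if __name__ == "__main__":
    for (func, kind), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{count:3d}  {kind:18s} {func}")
    print("socket options not applied:", failed_socket_options(SAMPLE_LOG))
```
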


Re: [Samba] SAMBA Server and Domain Mismatch Problem

2004-09-07 Thread eric roseme
Hi Emil,
Two things:
1.  If you want to use HP CIFS server with POSIX ACLs, then you will 
need JFS 3.3 or later with file system layout 4 for your shared directories.

2.  On CIFS 2.2.X when you try to add a domain user to the ACL it will 
not work, because you are trying to add a Windows SID to a POSIX file 
descriptor.  That will not work.  Your users must add hostname\username 
because that is a UID that *can* be added to the POSIX file descriptor. 
 This is all explained in HP CIFS Server Administrator's Guide:

http://www.docs.hp.com/hpux/pdf/B8725-90073.pdf
Go to page 59 for NT clients, 68 for 2000/XP clients.  The instructions 
are pretty good.

The symptom that you are seeing is the same for attempting to add an SID 
to the POSIX ACL, or for adding a UID to a filesystem that does not 
support ACLs.

Eric Roseme
Hewlett-Packard
Emil P. Henry wrote:
Hello!
   We are running SAMBA 2.2.8a from HP (CIFS) on a HP-UX (11i) 
server. It is running great and all that. The only issue is that the 
users would like to be able to share their shares to other users that 
they specify through the Windows clients. The problem is that when they 
look at properties they see the hostname\username under the Group or 
user name - which is themselves. When we try to do the domain\username 
it accepts it as valid, but disappears when we try to apply.

  Please advise.
  Thanks in advance.
Regards,
Emil


Re: [Samba] Winbindd can't find ldap server

2004-09-03 Thread eric roseme
Are you actually storing your mappings on the ADS (instead of default 
tdb)?  If so, I am interested to see your ADS schema modifications.  I 
have been wondering if anyone has tried that yet.

Otherwise, with security = ads, you do not need the idmap parm, it 
stores the mappings in the winbindd_idmap.tdb (or the cache).

PS - I think it's idmap backend, not idmap_backend.
Eric Roseme
Hewlett-Packard
Tom Skeren wrote:
Winbindd is erroring out with "can't find ldap server".  LDAP is ADS W2K, 
the samba server is 3.0.5 and net join ads succeeded.  I have
idmap_backend = ldap:ldap://ldap.mydomain.com.  What am I missing?




Re: [Samba] Kerberos issue

2004-09-01 Thread eric roseme
Hi Mark,
As a start, you can get the new updated version based upon 3.0.5 at:
http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=CIFSTP3
We had some problems with the net command on 3.0.2 when doing the net 
ads join. It works fine with a W2000 KDC, and a W2003 KDC if you do 
some extra stuff with enctypes.

Eric Roseme
Hewlett-Packard
Rommel, Mark wrote:
I am looking for any assistance on an issue I am currently experiencing
with Samba and Kerberos.   

We have kerberos and LDAP client software on UNIX (HPUX 11.11), which
authenticates with AD (Windows 2000) using SFU 3.0. All samba users are
stored on Active Directory.  The HP newest version of samba I do believe
is 3.0.2 which from HP is a beta version.   I have worked with HP for
several weeks to get this to work.   Basically I can't map any drives to
any of our Windows 2000 workstation using the AD for login
authentication.  Get several different messages with no success every
time HP wants me to try something different. 

Is anyone out there having a similar problem, and if so how did you resolve it?
HP has been somewhat helpful so I am looking for any suggestions from
others.  




Re: [Samba] Exclusive oplock left by process

2004-08-27 Thread eric roseme
There are several things to look into:
1.  You updated from 2.0.7 to 3.0.5 (quite a jump!).  Samba 2.2 and 
newer use many more locks than 2.0.  Make sure that your kernel settings 
are correct.  See 
http://marc.theaimsgroup.com/?l=samba&m=109335467118507&w=2

2.  My versions of 3.0 actually default to "strict locking = yes".  Make 
sure that you have "strict locking = no" (do a testparm).

3.  I interpret your earlier message to mean that your Samba server is 
an NFS client, and you are sharing NFS mounts.  If your application is 
doing byte range locking (propagating locks over NFS) and strict locking 
over a WAN, it could be very slow.

4.  From your description, it appears that you start an application, 
then disconnect the share.  Look at the log file and make sure that the 
locks are being cleaned up prior to the disconnect and close.  It should 
say something like "posix_locking_close_file: file filename has no 
outstanding locks".

I understand that you want to focus on what changed in 3.0.5.  A lot has 
changed since 2.0.7, and it may take some troubleshooting to track it 
down.  You can install HP CIFS Server 2.2.10 and see if you encounter 
the same behavior.  If you do, then you can enter a Response Center call 
and have them troubleshoot it for you.

Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED] wrote:
Hi Eric,
Thank you for your response. I made changes in smb.conf file to disable oplocks. And 
use default for blocking locks. Now the "exlusive oplock left by process" error is gone.
However, I am still experiencing the same problem that when people try to copy files 
from directories which were mounted through WAN or running some applications using 
files under these directories, the windows explorer/application kind of hang and 
became very slow.
And I saw some processes left running on samba server even after user already disconnected the 
samba shares from windows explorer. The command smbstatus shows the process left 
running still locks some files, such as:
23933  DENY_NONE  0x20089 RDONLY NONE 
/disk1/samba/sr/cadence/cadence.log   Thu Aug 26 17:33:37 2004
My procedure to produce this problem is that: I removed locking.tdb file after I 
stopped samba server. Then I start samba server and connect from Windows machine to 
the share, then tried to click on the file which is located in a directory mounted through 
WAN, then ran into super slowness. Then I disconnected the share once I got control of Windows 
Explorer. But there was/were process(processes) left running on samba server owned by 
me and they still held locks.
In the meantime, the average round-trip ping time for 64 byte packets from the samba 
server to the NFS server through WAN is 15ms.
Is it some kind of bug or is there still some configurations that I can change to make 
it work?
Thank you very much for your help!
Xiaoqin Qiu
IT Infrastructure Services Organization
Agilent Technologies, Inc.
[EMAIL PROTECTED]

Re: [Samba] Exclusive oplock left by process

2004-08-26 Thread eric roseme
I don't think that blocking locks is your problem.
Jeremy just answered the question about releasing locks by clearing the 
lock files (tdbs), although again, I don't think it will affect your 
operation.  His reply is at:

http://marc.theaimsgroup.com/?l=samba&m=109270256108878&w=2
Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED] wrote:
Hi Eric,
Thank you for your response. I will read the white paper that you wrote.
I forgot to mention that in my smb.conf file for SAMBA 3.0.5, I have "blocking locks = no". 
Should I set this? Or should I use the default "blocking locks = yes"?
I am also curious whether it is safe to remove all files (including locking.tdb, 
brlok.tdb, etc.) under /var/.../locks directory after I stop samba server?
I can see your point to disable oplocks, however, I am still wondering how this 
upgrade from 2.0.7 (nmbd -V showed 2.0.7, smbd -V showed 2.0.9, NOT 2.2.7) to 3.0.5 
introduced oplock problem since we use the default settings for both versions of samba.
Thank you very much for your help!
Xiaoqin Qiu
IT Infrastructure Services Organization
Agilent Technologies, Inc.
[EMAIL PROTECTED]


Re: [Samba] Exclusive oplock left by process

2004-08-25 Thread eric roseme
Hi Xiaoqin,
It appears to me that "oplock break wait time = 0" is the default on 
both 2.2 (2.2.10 for me) and 3.0 (3.0.2a for me).

Unless you have a good reason for using oplocks, I suggest turning them 
off altogether (oplocks = no, level2 oplocks = no - so testparm does 
not complain that level2 is on when oplocks are off).  Also, if you have 
NFS users accessing the same files that are being oplocked, you could 
have some data integrity problems.

You can look at a whitepaper I did about oplocks at:
http://www.docs.hp.com/hpux/onlinedocs/4501/CIFS_Oplock_Guideline.pdf
Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED] wrote:
Hi all,
We have a HP-UX 11i server running as a samba server. Users use Windows 2000 boxes 
with Service Pack 4 to connect to the samba server. Several days ago, we upgraded 
samba server from 2.0.7 to 3.0.5, and we started to experience the following problem:
The general connection and access to the samba server is ok. However, under the samba 
share there have been some directories mounted from some other HP-UX 11i servers 
through WAN. When people try to copy files from these directories or running some 
applications using files under these directories, the windows explorer/application 
kind of hang and became very slow. But this type of tasks were successful using samba 
version 2.0.7. The problem only happened after the upgrade.
I looked at the samba log file and found the following errors:
[2004/08/24 18:07:51, 0] smbd/oplock.c:request_oplock_break(1023)
  request_oplock_break: no response received to oplock break request to pid 27458 on 
port 54926 for dev = 430016a8, inode = 3310429, file_id = 24
[2004/08/24 18:07:51, 0] smbd/open.c:open_mode_check(680)
  open_mode_check: exlusive oplock left by process 27458 after break ! For file 
hped/sr/osclib_encode_def.atf, dev = 430016a8, inode = 3310429. Deleting it to 
continue...
[2004/08/24 18:07:51, 0] smbd/open.c:open_mode_check(684)
  open_mode_check: Existent process 27458 left active oplock.
Our WAN connection is pretty fast although it is a lot slower than LAN. And in the 
meantime, we had no problem accessing these directories using NFS.
I read man pages and searched the internet. Although there are several posts on the internet describing similar problems, I 
haven't found any solution. From the man page, the parameter "oplock break wait time" caught my eye. We have 
been using the default value for both 2.0.7 and 3.0.5. However, the default value for this parameter seems to have changed 
from 10 to 0 (if that was not a typo). And we use default values for all oplock related 
parameters.
Can I change this parameter to 10? The man page kind of made me afraid of changing 
this value. Will this help? And any suggestion about our problem?
Thank you very much for your help!
Xiaoqin Qiu
IT Infrastructure Services Organization
Agilent Technologies, Inc.
[EMAIL PROTECTED]


Re: [Samba] CIFS Server 2.2j Pb with locking : No locks available

2004-08-24 Thread eric roseme
You probably did not tune nflocks for Samba.  The default kernel 
variable will be exhausted quickly with Samba due to the extensive tdb 
locking.

As long as you are doing nflocks, you might as well do the other stuff too:
 nflocks
 (10*maximum smbd)+(other apps + system)
 example 1000 connected clients and baseline NFS system
 (10*1000)+(2048) = 12048
 nfile
 ((23+opens_per_smbd)*maximum smbd)+(other apps+system))
 example 1000 connected clients and baseline NFS system
 ((23+7)*1000)+(8192)=38192
 nproc
 (maximum smbd)+(other apps+system)
 example 1000 connected clients and baseline NFS system
 (1000)+(1024)=2024
Eric Roseme
Hewlett-Packard
Bernard Sagnol wrote:
I've installed Samba on my Hp-Ux station and can access the files with
my Windows clients (a hundred clients)...but one hour or more later I
face a problem :
Actual user : oK.
New access : Ko.
---
Error message in the client logfile
2004/08/23 14:15:39, 0] tdb/tdbutil.c:(531)
  tdb(/var/opt/samba/locks/connections.tdb): tdb_lock failed on list 91
ltype=2
(No locks available)
---
Environnment
HP Product :  HP CIFS Server 2.2j downloaded from Hp web site.
B8725AA   A.01.11.02 HP CIFS Server
on HP-UX 11.00
--
-
Smb conf :
[global]
   security = share
[public]
   browseable = yes
   path = /public
   public = yes
   only guest = yes
   writable = yes
   printable = no
   create mask = 777
---


Re: [Samba] Windows 2003 AD/Kerberos Ticket error

2004-07-19 Thread eric roseme
If you google for this you'll find a bunch of posts that pretty much 
explain everything.

In short, W2003 krb defaults to rc4-hmac, and does not allow enctypes. 
So take your enctypes out of krb5.conf and let it do rc4-hmac, or you 
can read Q833708 and get the hotfix to recognize enctypes.

I forget why the kinit works but the client logon does not.
Eric Roseme
Hewlett-Packard
Warbeck, Mark wrote:
I'm attempting to configure Samba 3.0.4 to work with Windows 2003 Active
Directory, mapping users' home directories automatically. Currently we
use this method in production with Windows 2000 but wish to migrate to
2003. The problem seems to be Kerberos related. I was able to join the
Linux box (RedHat 9) to the AD. I can do a kinit username
successfully. Klist shows a valid ticket. When logging on to the W2K3
domain controller the mapping of the drive fails and the Samba log shows
the following:
smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
This is my smb.conf file (I've removed comments):
Begin File
#=== Global Settings 
[global]
   workgroup = w2k3
   netbios name = file-svr
   server string = Samba Server

   log file = /var/log/samba/smbd.log
   max log size = 50
   security = ads
   realm = W2K3.TEST
   client signing = Yes
   server signing = Yes
   client use spnego = Yes
   use spnego = Yes
  encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = no
   dns proxy = no 

# Share Definitions 
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

End File
This is the krb5.conf (again, comments removed):
Begin File
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 ticket_lifetime = 24000
  default_realm = W2K3.TEST
  default_tgs_enctypes = des-cbc-crc des-cbc-md5
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  forwardable = true
  proxiable = true
[realms]
 W2K3.TEST = {
  kdc = test-dc.w2k3.test
  admin_server = test-dc.w2k3.test
  default_domain = w2k3.test
 }
[domain_realm]
 .w2k3.test = W2K3.TEST
 w2k3.test = W2K3.TEST
End File
The following packages are installed:
samba-3.0.4-1
krb5-libs-1.2.7-14
krb5-workstation-1.2.7-14
krb5-devel-1.60-1
pam_krb5-1.60-1
The DNS servers are Windows 2000 SP4.
Thanks for any suggestions. I've set this at maximum points since I
really need to get it working.
Mark
--
Mark Warbeck
Systems Engineer
Engineering Science and Mechanics
Virginia Tech
323A Norris Hall
Mail Code 0219
Blacksburg, VA 24061
540.231.7489 
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
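
The reply above says the W2003 KDC defaults to rc4-hmac and suggests taking the enctypes lines out of krb5.conf. As an added example that is not part of the original thread, this Python sketch checks the [libdefaults] enctype lists for that mismatch and produces the file with those lines removed; the function names and finding labels are assumptions, and the sample is constructed from the krb5.conf quoted in the message.

```python
import re

# Constructed sample, trimmed from the krb5.conf quoted in the message.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = W2K3.TEST
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
 W2K3.TEST = {
  kdc = test-dc.w2k3.test
 }
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes")
# Single-DES enctype names; these are also deprecated for Kerberos (RFC 6649).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
# Names MIT Kerberos accepts for the RC4 enctype.
RC4_NAMES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}


def walk(text):
    """Yield (raw_line, section, key, value) for every line of a krb5.conf."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            yield raw, section, None, None
        elif "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            yield raw, section, key.strip(), value.strip()
        else:
            yield raw, section, None, None


def libdefaults_enctypes(text):
    """Map each enctype key in [libdefaults] to its list of enctype names."""
    found = {}
    for _, section, key, value in walk(text):
        if section == "libdefaults" and key in ENCTYPE_KEYS:
            found[key] = [v for v in re.split(r"[\s,]+", value.lower()) if v]
    return found


def audit_enctypes(text):
    """Return (key, finding) pairs for restrictive enctype lists."""
    findings = []
    for key, names in libdefaults_enctypes(text).items():
        if not RC4_NAMES.intersection(names):
            # The KDC default named in the reply is not in the client's list.
            findings.append((key, "excludes-rc4-hmac"))
        if names and set(names) <= SINGLE_DES:
            findings.append((key, "single-des-only"))
    return findings


def remove_enctype_lines(text):
    """Apply the reply's workaround: drop the enctype lines from [libdefaults]."""
    kept = [raw for raw, section, key, _ in walk(text)
            if not (section == "libdefaults" and key in ENCTYPE_KEYS)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for key, finding in audit_enctypes(SAMPLE_KRB5_CONF):
        print(f"{key}: {finding}")
    print(remove_enctype_lines(SAMPLE_KRB5_CONF))
```
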


Re: [Samba] Samba 3.0.2 on HPUX 11i with winbind; Get_Pwnam_internals didn't find user + NT_STATUS_NO_SUCH_USER

2004-07-15 Thread eric roseme
Hi Martin,
The version that you have does not currently support winbind.  I am 
working on that right now.

Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED] wrote:
Hey,
I've troubles with a samba-installation ( version 3.0.2, HP-CIFS-Technologie
Preview ) on HPUX 11i. I want to setup a fileserver within a
customerenvironment connecting into a windows 2000 domain, which contains a
lot of trusted domains. I have joined the domain already and wbinfo brings
me the list of users and groups. Also within the winbind_imap.tdb I see some
entries which seem to map some windows-ids to unix ids. But when I try to
connect to the share I always get asked for a password and even with the
correct pw entered the connection fails. Here are some outputs from the logs
Log.%m
[Tue Jul 13 16:00:44 2004, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [q904700]!
[Tue Jul 13 16:00:44 2004, 0] auth/auth_util.c:make_server_info_info3(1100)
  make_server_info_info3: pdb_init_sam failed!
[Tue Jul 13 16:00:44 2004, 5] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [q904700] FAILED with
error NT_STATUS_NO_SUCH_USER
[Tue Jul 13 16:00:44 2004, 2] auth/auth.c:check_ntlm_password(310)
  check_ntlm_password:  Authentication for user [q904700] - [q904700]
FAILED with error NT_STATUS_NO_SUCH_USER
log.winbindd
[Tue Jul 13 16:00:44 2004, 5]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(454)
  NTLM CRAP authentication for user [AUSTRIA]\[q904700] returned
NT_STATUS_OK (PAM: 0)
[Tue Jul 13 16:00:44 2004, 3]
nsswitch/winbindd_acct.c:winbindd_create_user(875)
  [24834]: create_user: user=(q904700), group=()
[Tue Jul 13 16:00:44 2004, 5] nsswitch/winbindd_acct.c:wb_getgrnam(521)
  wb_getgrnam: Did not find group (nobody)
[Tue Jul 13 16:00:44 2004, 5] nsswitch/winbindd.c:winbind_client_read(463)
  read failed on sock 28, pid 24834: EOF
I also found some errors within log.smbd, but that errors are moving from
smbd to winbindd, depending which daemon is started first, the second one
has that:
[Tue Jul 13 16:00:44 2004, 5] tdb/tdbutil.c:tdb_log(724)
  tdb(unnamed): tdb_brlock failed (fd=14) at offset 4 rw_type=2 lck_type=6:
Permission denied
Configuration:
[global]
workgroup = Domainname
netbios name = CIFSTEST1
server string = Samba Test server
security = DOMAIN
encrypt passwords = Yes
password server = *
log file = /var/opt/samba/log.%m
max log size = 20480
load printers = No
dns proxy = No
wins server = 10.1.20.1
winbind separator = +
idmap uid= 5000-65000
idmap gid = 5000-65000
winbind enum users = yes
winbind enum groups = yes
template shell = /usr/bin/sh
guest account = pcguest
[shares]
Valid users is in format DOMAIN+USERNAME or @DOMAIN+GROUPNAME
Is there anybody who has seen this error and knows how to solve it? I also
have the complete logs in debug-level 5 and 10 available, if they are
useful.
Thx & br
Martin Schretzmeier
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba-W3K-ADS

2004-07-14 Thread eric roseme
My testing has shown that when using security = ads and specifying 
\\ipaddress\share, Kerberos fails with PRINCIPAL_UNKNOWN and auth then 
falls through (in my case, either NTLMv1 or NTLMv2 - I have tested with 
both).  So maybe you should try it with your hostname, or hostname.FQDN, 
and check out what happens with ethereal.  Maybe your fall-through 
auth-n is failing (easy to do with NTLMv2).

Of course, these results are specific to my test environment, so maybe 
this is not pervasive behavior.

Eric Roseme
Hewlett-Packard
Ben Schmaus wrote:
Versions:
OS: Redhat ES Linux 3.0
Windows OS: Windows 2003  Active Directory
Samba: samba-3.0.5rc1-2_rh9.i386.rpm
Kerberos: krb5-1.3.4-i686-pc-linux-gnu.tar
Using Windbind: Yes
Objective:
Allow Samba/Linux server to authenticate off of active directory to access
Samba shares.
Problem:
I can get to some shares, but not to the user home shares.  When trying to
access a user home share I get prompted for a password even though I have
already connected to other shares with the same user name.  And even if I
enter the username and password, access is denied.  I am currently trying
this by doing a 'net use * \\ip address\home share'.
Smb.conf
[global] 
workgroup = DOMAIN 
netbios name = RCRH03 
server string = RCRH03
security = ADS
realm = DOMAIN.COM 
password server = 10.1.1.28
wins server = 10.1.1.28
client use spnego = yes
client signing = yes
encrypt passwords = yes
printcap name = cups 
disable spoolss = Yes 
show add printer wizard = No 
idmap uid = 15000-2 
idmap gid = 15000-2 
winbind separator = + 
winbind use default domain = Yes 
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
use sendfile = Yes 
printing = cups 
ldap suffix = dc=domain, dc=com
winbind cache time = 0
log level = 10
log file = /var/log/samba.log
max log size = 500
debug timestamp = yes

[homes] 
comment = Home Directories 
valid users = %U 
path = /home/%D/%U
public = Yes 
read only = No 
browseable = No 

[apps] 
comment = OSCAR 
path = /apps 
valid users = @dev, @REDHAT
admin users = @dev, @REDHAT
read only = No
browseable = Yes 
 
[printers] 
comment = All Printers 
path = /var/spool/samba 
printer admin = root 
create mask = 0600 
guest ok = Yes 
printable = Yes 
use client driver = Yes 
browseable = No 

[public]
comment = test
path = /spare
read only = No
browseable = Yes
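Added example, not part of the thread: a check for the behaviour Eric Roseme reports above, where a share addressed as \\ipaddress\share skips Kerberos and falls through to NTLM. It scans drive-mapping commands for UNC paths whose server part is an IP literal (IPv4, plus the Windows ipv6-literal.net spelling as a generalization); the sample commands and the address 192.0.2.40 are constructed, while rcrh03 and domain.com come from the posted smb.conf.

```python
import ipaddress
import re

# Matches \\server\share; both parts run up to the next backslash or space.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)")
IPV6_SUFFIX = ".ipv6-literal.net"

# Constructed sample: lines as they might appear in a logon script.
SAMPLE = [
    r"net use H: \\192.0.2.40\bschmaus",
    r"net use P: \\rcrh03\apps",
    r"net use S: \\rcrh03.domain.com\public /persistent:yes",
    r"net use T: \\2001-db8--28.ipv6-literal.net\public",
    "rem no mapping on this line",
]


def server_kind(server):
    """Classify the server part of a UNC path as ip, fqdn or short-name."""
    host = server.lower()
    if host.endswith(IPV6_SUFFIX):
        # Windows writes IPv6 literals in UNC paths with '-' for ':' and an
        # optional zone id introduced by 's'; undo that before parsing.
        host = host[: -len(IPV6_SUFFIX)].split("s", 1)[0].replace("-", ":")
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn" if "." in server else "short-name"


def scan(lines):
    """Return one finding per UNC path found in the given lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in UNC_RE.finditer(line):
            server, share = match.group(1), match.group(2)
            kind = server_kind(server)
            findings.append({
                "line": lineno,
                "server": server,
                "share": share,
                "kind": kind,
                # An IP literal gives the client no host name to build a
                # service principal from, so Kerberos is not attempted.
                "ip_literal": kind == "ip",
            })
    return findings


def ip_mapped_lines(lines):
    """Line numbers whose mapping would rely on the NTLM fall-through."""
    return [f["line"] for f in scan(lines) if f["ip_literal"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        flag = "IP literal, expect NTLM" if finding["ip_literal"] else "name"
        print(f'line {finding["line"]}: {finding["server"]} -> {flag}')
```

A mapping flagged here is only a candidate: whether the name-based form then succeeds with Kerberos still depends on the server's principal being registered in the domain.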


Re: [Samba] Samba problem on HP-UX

2004-06-03 Thread eric roseme
You probably have the default HP-UX kernel values for nfiles and 
nflocks. You need to increase these for connecting more than 10 users. 
Here are formulas:

nflocks
(10*maximum smbd)+(other apps + system)
example 1000 connected clients and baseline NFS system
(10*1000)+(2048) = 12048

nfile
((23+opens_per_smbd)*maximum smbd)+(other apps+system)
example 1000 connected clients and baseline NFS system
((23+7)*1000)+(8192)=38192

Eric Roseme
Hewlett-Packard
[EMAIL PROTECTED] wrote:

Hi All,
I am using samba 2.2.8a on HP-UX 11.11 server.
The problem i am facing is that after making 10-12 shares, it does not
allow new mappings. While trying from smbclient it is saying
 SMBSERVER failed  .
Kindly let me know any config options needs to be set in smb.conf
Regds/Lalit Kapoor


[Samba] Tested: W2000 Hotfix (Q818528) with Terminal Server and Samba

2004-04-22 Thread eric roseme
I tested the Windows 2000 hotfix from Q818528 with Terminal Server and 
Samba.  The hotfix adds the MultiUserEnabled registry parm which, when 
set to 1, essentially restores the MultipleUsersOnConnection behavior 
from NT4.  With MultiUserEnabled on the Windows 2000 Terminal Server, 
Windows will start a new TCP session for each Terminal Server user, and 
Samba will start a new smbd for each TS user that mounts 1 or more Samba 
shares.  It works as expected.

The hotfix does not install on Windows 2003 Servers, though.  Don't know 
about the plans for a 2003 hotfix.

Eric Roseme
Hewlett-Packard


Re: [Samba] Terminal server problem

2004-02-24 Thread Eric Roseme
I could not duplicate this behavior with W2003 Terminal Server and Samba 
2.2.8a.  Try reading the whitepaper about the differences of Terminal 
Server on NT4 versus W2000 and 2003, and how Samba is affected.  The 
paper is at:

http://swflug.org/modules.php?name=Downloadsd_op=viewdownloadcid=4

Eric Roseme
Hewlett-Packard
Vadim Fattakhov wrote:

Hello
We use samba 2.0.7 on Solaris 2.6.
After upgrade domain from NT4 to 2003 AD we start to get problem on our terminal 
server windows 2000. First user connect to samba server and other cannot do it.
I tried to use samba 2.2.8 - same problem.
Any suggestions?
Best regards,
Vadim Fattakhov
Frontline PCB SolutionsSystem  Network Manager
Phone: +972-8-9322183 (ext. 130), fax: +972-8-9322186
 





Re: [Samba] Samba and Terminal Server Whitepaper

2004-01-26 Thread Eric Roseme
Sorry about the Terminal Server Whitepaper attachment fiasco.  HP will 
host both the Samba and the HP CIFS Server  versions at www.docs.hp.com 
on January 30th.  I'll post the actual url here.  The versions are 
identical except for the nomenclature (hope I spelled that right).  One 
of the list members will host it too - probably sooner.  He will send 
out an announcement.

Eric Roseme
Hewlett-Packard
Tim Potter wrote:

On Sat, Jan 24, 2004 at 12:40:00PM -0800, Eric Roseme wrote:

 

Attached is a 500KB read-only .doc file with a Samba and Terminal Server 
whitepaper.  I have tried to hit every known issue and all available 
workarounds.  If anyone has comments or suggestions, let me know.  JT 
has it, so it should end up in the next How-To.  Sorry about the file 
format, but the .pdf was 2.5MB, which I thought was too big to post.
   

Whoops - the attachment was stripped by mailman.  Eric, can you post a 
link to the document?  700KB (base64) is a little bit on the large side
for the list.

Tim.
 





Re: [Samba] W2K-TERMINAL SERVICES VS SAMBA 3

2004-01-24 Thread Eric Roseme
I have written a wordy whitepaper about Samba and Terminal Server.   
I'll post it to the list in a separate message.

Eric Roseme
Hewlett-Packard
Andrew Bartlett wrote:

On Fri, 2004-01-23 at 03:13, Luis Alberto Reyes R. wrote:
 

At the samba lists, we have found several old questions about problems with
W2K-Terminal Services vs Samba (dated in December 2000). But we can't get
actual information about HOW TODAY (January 2004) the problem is fixed. We
have this situation and we need to solve it.
   

There are three main issues to consider regarding terminal services:

- As a DC of terminal-services member servers we failed to store the
required information.  This is fixed for tdbsam and ldapsam in currently
rc 3.0.2.
- MAX_CONNECTIONS.  The issue was that we would only allow 128
connections from a single terminal server.  We now allow an unlimited
number of shares to be connected, in currently rc 3.0.2
- All connections on the same TCP/IP connection.  This is the worst
issue, as far as terminal-server users are concerned.  Unlike on client
PCs, each and every session on a terminal server uses the same
connection to Samba.  This means that Samba slows down, as it switches
between users, and as other delays in the system cause the entire scheme
to block.

Both problems can be worked around, by making the win2k server think
that the samba server has multiple identities.  For example, an lmhosts
file, or wins-server hacks, can give each user their own 'profile
server', for loading their roaming profile and home server from.  It's
still the same server, but win2k doesn't know that.  (you then need to
modify each users properties).
Andrew Bartlett

 





Re: [Samba] Re: Samba locking database errors : V 2.2.8 a on HP-UX 11i

2003-12-16 Thread Eric Roseme
HP-UX defaults nflocks at 200.  At the default, you will run out of 
locks at about 20 client connections.  You will need to bump nflocks and 
nfiles before trying to run at average usage levels.

Eric Roseme
Hewlett-Packard
Jérôme Fenal wrote:

Foster, Ian (LogicaCMG) wrote:

We are in the process of commissioning a new HP server (on HP-UX 11i) and
have installed Samba which we have configured and used extensively before
without major problems (though not this version - 2.2.8.a). Samba ran OK
initially, but now we are getting failures with messages of 'smbd[pid]
Cannot initialize locking database' and 'no locks available' logged to the
syslog and no new connections can be established (can not even browse - get
message 'Network name could not be found'). This can only be cleared by
restarting the daemons.

I have checked our smb.conf file with the testparm utility and this looks
ok, and checked the parameters (including the defaults) against the smb.conf
man page at samba.org in an attempt to identify any bad config. I have also
verified the obvious - that the lock directory exists and the permissions
are correct (if they didn't I guess it would fall over straight away).

I have attached a dump of our global definitions for inspection.

Has anybody any ideas what may be causing this ? I have checked the Samba
web pages without success.
Is there a bad locking option here - or some other samba / kernel threshold
we are hitting ?
If I can't resolve this the filestore is going to NT !

Any help very gratefully received.


Hi,

could you send the real smb.conf, since RTF encoded testparm output is 
a bit clumsy to read...?

I read in the testparm dump that you are in 'security=server' mode. Do 
you really need it? Does your server participate in a domain? 2.2.8a 
can happily participate in a NT4 or an NT4 compat on ADS domain.

And could you check with Sam the limits of the HP-UX kernel (number of 
processes for the system, by user, max number of open files, etc.)?

I'll check tomorrow on HP-UX server at work what kernel parameters 
could  hit Samba.

Could you also set 'log level=' to a bit more than 1 to see more 
output in the logs? That would help.

Regards,

J.





Re: [Samba] Samba opens many files.

2003-11-18 Thread Eric Roseme
I agree that it's a silly way to organize things, but there are many CAD 
customers serving legacy NFS design environments that are experiencing 
this issue daily.  This single problem will cause more migrations from 
Samba to Windows than any other I have seen - at least for big iron.  I 
have been trying to find ways to mitigate the effect - and certainly 
turning off mangling helps (I have seen VERYlongFILEname1234.PARTname - 
and 12,000 of these).  Also setting case sensitive = yes helps a 
little bit.  But we can't get past doing what appears to be multiple 
stats for each object.  Any creative suggestions are welcome.

Jeremy Allison wrote:

On Tue, Nov 18, 2003 at 04:26:19PM +0100, Markus Wenke wrote:
 

Hi,

I have a dir with more than 16000 files in it.
If I click with MS-Explorer on this Dir to see which files are in it,
smbd opens every file and so it takes some seconds to show this Dir!
(and CPU usage is at 100%).
the logfile says smbd do this for every file:

[2003/11/18 16:06:58, 2] smbd/open.c:open_file(246)
USERX opened file /path/to/file.txt  read=Yes write=No (numopen=1)
Is this behavior normal?
   

Yes. Explorer is reading each file for thumbnail etc. info.

 

Can I avoid this with conf-settings?
   

No. Don't have a directory with more than 16000 files. That's a
silly way to organise things.
Jeremy.
 





[Samba] netdom secure channel reset

2003-11-10 Thread Eric Roseme
I have been playing with the Windows netdom command to reset the Samba 
secure channel to the Windows DC:

netdom reset sambaserver /domain:windowsdomain

Traces and logs show that it sends a bunch of lsarpcs 
(LSA_QUERYINFOPOLICY) to the Samba server, but I cannot determine what 
it is actually doing (I assume that it would read or write to 
secrets.tdb).  Has anyone tried this before?

Thanks,

Eric Roseme





Re: SV: [Samba] Samba-Citrix compatability

2003-11-04 Thread Eric Roseme
John and/or Andrew,

I created some slides diagramming this issue in simplistic terms for 
Microsoft management when I was attempting to persuade them to uncomment 
the MultipleUsersOnConnection code from the W2000 redirector (to no 
avail).  If you think that they could be useful for officially 
documenting the issue, I can email you the pdf directly (I do not want 
to dump a big file in everyone's inbox).

Eric Roseme

John H Terpstra wrote:

On Tue, 4 Nov 2003 [EMAIL PROTECTED] wrote:

 

I have searched for some FAQ/HOWTO regarding Citrix/Metaframe to no
avail.  (Like this one
http://samba.org/~jht/HOWTO/Samba-HOWTO-Collection.pdf )
What I would like to see in such a FAQ/HOWTO:
   

Are you willing to help write this? You too can make a difference you
know!
 

- Compilation issues regarding Citrix/metaframe
- - ie the need to increase the MAX_CONNECTION setting before
compilation
- - ie how to compile samba to a 64 bit application to get more
available file descriptors (problem for solaris)
- the need to tweak the /etc/system settings (ie set rlim_fd_max =
number)
- oplocks settings in smb.conf
- the single smbd process issue and workaround(s) (wins and
DNS-proxy/netbios names?)
- the home-share issue and problem
All these issues, and probably more, I feel are related to
Citrix/metaframe vs. Samba.  If I am wrong and somewhere there is a FAQ
regarding this then all the better.  Just need to find it. ;-)  If not
then it is most needed.
   

Good points! Will you contribute some text that we can add to the HOWTO?

Information like this gets documented when someone with your kind of
passion writes some basic guidelines and contributes it to the HOWTO.
Please do not leave this to others, while the needs are fresh in your mind
please write a few paragraphs on each and send them to me for inclusion.
Cheers,
John T.
 

And Samba4?  What is this? :-) Due 2005?

Kind regards
Per Kjetil Grotnes
Some governmental department in Norway
   

Andrew Bartlett
Sendt: 4. november 2003 02:20
On Tue, Nov 04, 2003 at 11:55:25AM +1100, DAVIES Rob wrote:  G'day, 
 

We are having problems when connecting to our Solaris 8 server Zeus
from our Windows 2000 Terminal Servers.
   

I think you might be hitting two of the nastiest bugs with
that combination.
Firstly, there are issues with Solaris 8, and TDB locks, for
which there is a solaris kernel patch (it's an fcntl issue).
But more importantly, there is an issue caused by the way
Windows Terminal Server clients connect - they all use the
same smbd.  This causes all their operations to be
serialised, even worse if something blocks.
The best solution is to call your system by as many names as
possible. For example, call it by one name per user,
particularly for roaming profiles.  (So make a user's profile
path/homedir \\zeus-username\username or the like).  Use DNS
(with a samba wins server set to 'dns proxy') or fixed
entries in your wins.dat, or an lmhosts file, to force the
multiple names.  Samba doesn't mind what it gets called.
 

   

 



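Added example, not part of the thread: a sketch of the multiple-names workaround Andrew Bartlett describes in the quoted text above and in the 2004-01-24 message. It derives one NetBIOS alias per user in the \\zeus-username pattern, keeps each alias within the 15-character NetBIOS name limit, and renders lmhosts lines for the terminal server. The server name zeus is from the post; the address 192.0.2.10 and the user names are constructed.

```python
import re

NETBIOS_MAX = 15  # usable characters in a NetBIOS name

# Constructed sample input.
SAMPLE_USERS = ["alice", "bob", "christopher.longname", "christopher.longnamf"]


def alias_for(server, user, taken):
    """Return a unique alias '<server>-<user>' of at most 15 characters."""
    # Keep only characters that are safe in both NetBIOS and DNS names.
    clean = re.sub(r"[^A-Za-z0-9-]", "", user)
    if not clean:
        raise ValueError(f"user name {user!r} has no usable characters")
    # NetBIOS names are case-insensitive, so compare in lower case.
    base = f"{server}-{clean}".lower()[:NETBIOS_MAX].rstrip("-")
    alias, counter = base, 1
    while alias in taken:
        # Truncation can make two users collide; replace the tail with a
        # counter so every user still gets a distinct name.
        suffix = str(counter)
        alias = base[: NETBIOS_MAX - len(suffix)] + suffix
        counter += 1
    taken.add(alias)
    return alias


def build_lmhosts(server, ip, users):
    """Return (user -> alias mapping, lmhosts text) for one Samba server."""
    taken = set()
    mapping = {user: alias_for(server, user, taken) for user in users}
    # Every alias resolves to the same address: it is still one server,
    # but the terminal server sees a different name per user.
    text = "".join(f"{ip}\t{alias}\n" for alias in mapping.values())
    return mapping, text


def home_unc(mapping, user):
    """Profile or home directory path to set in the user's properties."""
    return "\\\\" + mapping[user] + "\\" + user


if __name__ == "__main__":
    mapping, text = build_lmhosts("zeus", "192.0.2.10", SAMPLE_USERS)
    print(text, end="")
    for user in SAMPLE_USERS:
        print(user, "->", home_unc(mapping, user))
```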


Re: [Samba] Samba and MC/Service Guard

2003-01-16 Thread Eric Roseme
I believe that the HP Response Center has taken calls from Wal-Mart on 
CIFS/9000 Server (HP's supported version of Samba), so I think that at 
least some Wal-Mart sites are running CIFS/9000.

In any case, CIFS/9000 Server has MCSG scripts (.cntl,.conf,.mon) in 
/opt/samba/HA/ under active_active or active_standby.  In addition, 
there are detailed instructions on how to configure MCSG with the 
relocatable IP address and NetBIOS alias in the README file.  The same 
instructions are available in the CIFS/9000 Server manual.

You can get a copy of the manual at 
http://www.docs.hp.com/hpux/netcom/index.html#CIFS/9000.  You can 
download CIFS/9000 Server for free from
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B8725AA.

Eric Roseme
Hewlett-Packard

Dan Doffermyre wrote:

Samba friends,

I work in Wal-Mart's IT department, specifically with Unix Servers of 
various flavors, but HP-UX is predominant in our Home Office 
environment. 

I recently built a two-node HA cluster on HP 11.11 boxes.  I want to 
be able to have Samba use the virtual name of my cluster.  Currently 
Samba is configured to use the hardcoded box name, however if the box 
happens to go down, we have to go in and reconfigure the clients to 
point to the secondary box name.  Sure would be nice to point 
everything to the virtual name.  So I was wondering if you have any 
documents that explain how you would go about setting up Samba with 
HP's MC/Service Guard?

Thanks,
Dan Doffermyre
[EMAIL PROTECTED]
805 Moberly Ln.
Bentonville, AR 72716
(479)277-3942






Re: [Samba] Any good how tos to configure samba on HPUX?

2002-12-13 Thread Eric Roseme
I have written a brief summary of winbind and a simple cookbook
installation guide for winbind on HP-UX 11.  This is limited to the
pre-compiled binaries that are supplied on samba.org for HP-UX.

http://us1.samba.org/samba/ftp/Binary_Packages/hp/

Currently available are 2.2.5 and 2.2.7, with and without winbind.  If
you would like the winbind document, email me at [EMAIL PROTECTED]  From
your post it is not clear if you also would like a Samba-on-HPUX
configuration guide.  There are installation manuals for CIFS/9000 Server
(Samba bundled with HP-UX) at:

http://www.docs.hp.com/hpux/netcom/index.html#CIFS/9000

Eric Roseme
Hewlett-Packard

Jennifer Fountain wrote:

Does anyone know where I can find a good how to to configure winbind and
samba on a HPUX box?

Thanks
 






Re: [Samba] Samba Citrix

2002-11-26 Thread Eric Roseme
I pasted this in from a reply I did on 8/3/2002. It's in the archives:

Your problem may be related to the Windows 2000 Terminal Servers.

Samba does not work well under heavy loads with Terminal Server on
Windows 2000. Microsoft commented out the MultipleUsersOnConnection
code from their Windows 2000 redirector. On NT 4.0 Terminal Server,
the MultipleUsersOnConnection registry parameter was used to establish
a separate VC (TCP connect) for every TS user who opened a share from
the TS to a particular Samba server. On Windows 2000 TS - without
the MultipleUsersOnConnection registry parameter - only one TCP VC
gets established from the TS to a Samba server. Thus, all TS users
who mount a Samba share will use the same TCP connection, and thus
the same smbd. If you have multiple users from one Windows 2000 TS
writing to the Samba server via one smbd, I could see how problems
might arise.

If you have access to a NT4.0 Terminal Server, you could try testing
it with the MultipleUsersOnConnection parameter enabled (see Q190162).
Also, you could try testing your DB application against the Samba
server without the Terminal Server.


Eric Roseme
Hewlett-Packard

Rory D. Hudson wrote:


Hello Everybody,

I hope everybody is doing well and that you can help me out as I am 
approaching my wits end. I am running a Citrix server on a Windows 
2000 SP 3 server. One of my published applications on this server 
needs to access samba for multiple users. So basically every user who 
logs on to the Citrix server needs to have access to their home 
directory on our Unix server. Sometimes this works fine and other 
times it errors out. Once it errors out it does not seem to want to 
allow access back in for quite some time. Looking at the log for the 
machine I get this.

[2002/11/26 12:23:37, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
[2002/11/26 12:24:10, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
[2002/11/26 12:24:10, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
[2002/11/26 12:24:41, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.
[2002/11/26 12:24:41, 0] passdb/pdb_smbpasswd.c:(1367)
unable to open passdb database.

Any clues as to what might be happening would be greatly appreciated. 
Thanks for the help

Rory Hudson

Information Systems

Zumiez, Inc.






Re: [Samba] MSVC TerminalServer Speed

2002-11-26 Thread Eric Roseme
As long as I am replying to the other guy about Terminal Server, I'll
paste the same reply here.  If your Terminal Server is on NT4, set
MultipleUsersOnConnection.
Here is what I pasted from an earlier post in the archives (8/03/2002):

Your problem may be related to the Windows 2000 Terminal Servers.

Samba does not work well under heavy loads with Terminal Server on
Windows 2000.  Microsoft commented out the MultipleUsersOnConnection
code from their Windows 2000 redirector.  On NT 4.0 Terminal Server,
the MultipleUsersOnConnection registry parameter was used to establish
a separate VC (TCP connect) for every TS user who opened a share from
the TS to a particular Samba server.  On Windows 2000 TS - without
the MultipleUsersOnConnection registry parameter - only one TCP VC
gets established from the TS to a Samba server.  Thus, all TS users
who mount a Samba share will use the same TCP connection, and thus
the same smbd.  If you have multiple users from one Windows 2000 TS
writing to the Samba server via one smbd, I could see how problems
might arise.

If you have access to a NT4.0 Terminal Server, you could try testing
it with the MultipleUsersOnConnection parameter enabled (see Q190162).
Also, you could try testing your DB application against the Samba
server without the Terminal Server.


Eric Roseme
Hewlett-Packard

Marris, Dunstan wrote:

Hi,

Back in 1997 the list was full of tips on making Microsoft Visual C++ Studio
(v6) use files over Samba (v2.2.2 on Solaris). Could someone please point me
to the definitive answers... (beyond speed.txt?) and their current status.

We have an added complication of having 5 developers using each NT4 box over
citrix/Terminalserver. Some days we are fine, but some days we slow to a
crawl of over a minute to open each small text file... Meanwhile the NT box
has minimal CPU used, the file server is large, fast and happy, and the
number of Samba cached files is reasonably low.

Thanks for any help you can suggest,
Dunstan

 






[Samba] Oplock Usage Recommendations Whitepaper

2002-11-01 Thread Eric Roseme
I have written a whitepaper for CIFS/9000 Server (Samba on HP-UX) that
discusses some rudimentary usage recommendations for oplocks.  Due to 
the recent discussion about oplocks on the list, I have edited the paper
to be more generic for Samba on HP-UX and converted it to plain text.
It's still 7 pages long, so it may be inappropriate to paste into an
email.  If there is any interest in it, I can distribute it to the list,
either as embedded text, an attachment, or maybe on the website.

Let me know what method is best (if any).


Eric Roseme
Hewlett-Packard



[Samba] Oplocks Usage Recommendations Whitepaper (with attachment)

2002-11-01 Thread Eric Roseme
Here is Oplocks Usage Recommendations Whitepaper for Samba on HP-UX
(originally was written for CIFS/9000 Server on HP-UX).

Note that the intended audience is/are HP-UX customers who have questions
and concerns about when to configure oplocks.  This is intended as a
rudimentary guide to help avoid the most obvious oplock pitfalls.

Hopefully the plain text alignments hold up well for most editors.  Word
messes things up.

Thanks,

Eric Roseme
Hewlett-Packard

HP-UX Samba Opportunistic Locking Usage Recommendations

Eric Roseme, Hewlett-Packard
October, 2002

  



Contents

Legal Notices
Chapter 1   Introduction
Chapter 2   Opportunistic Locking Overview
Chapter 3   Samba Oplock Configuration
Chapter 4   Opportunistic Locking Recommendations
    4.1 Exclusively Accessed Shares
    4.2 Multiple-Accessed Shares or Files
    4.3 Unix or NFS Client Accessed Files
    4.4 Slow and/or Unreliable Networks
    4.5 Multi-User Databases
    4.6 PDM Data Shares
    4.7 Force User
    4.8 Advanced Samba Opportunistic Locking Parameters
    4.9 Mission Critical High Availability
Chapter 5   Summary
 




Chapter 1 Introduction

Samba on HP-UX manages file access among Windows clients with Windows 
style file locking.  It applies a very effective set of file locking 
features that are managed by the user-space client processes on the 
server, and provides excellent data security and integrity in a 
multi-user environment.  Samba also integrates some Windows locking 
protocols with the underlying HP-UX operating system locking protocols,
and therefore provides some interoperability with UNIX and NFS style 
file locking.  

Opportunistic Locking is a unique Windows file locking feature.  It is
not really file locking, but is included in most discussions of Windows
file locking, so is considered a de facto locking feature.  
Opportunistic Locking is actually part of the Windows client file 
caching mechanism.  It is not a particularly robust or reliable feature
when implemented on the variety of customized networks that exist in 
enterprise computing, but can be effective in providing modest 
perceived performance optimization.

Like Windows, Samba implements Opportunistic Locking as a server-side 
component of the client caching mechanism.  Because of the lightweight 
nature of the Windows feature design, effective configuration of 
Opportunistic Locking requires a good understanding of its limitations,
and then applying that understanding when configuring data access for 
each particular customized network and client usage state.



Chapter 2 Opportunistic Locking Overview

OPPORTUNISTIC LOCKING (Oplocks) is invoked by the Windows file system 
(as opposed to an API) via registry entries (on the server AND client)
for the purpose of enhancing network performance when accessing a file 
residing on a server. Performance is enhanced by caching the file 
locally on the client which allows:

Read-ahead:     The client reads the local copy of the file,
                eliminating network latency
Write caching:  The client writes to the local copy of the file,
                eliminating network latency
Lock caching:   The client caches application locks locally,
                eliminating network latency

The performance enhancement of oplocks is due to the opportunity of 
exclusive access to the file - even if it is opened with deny-none - 
because Windows monitors the file's status for concurrent access from 
other processes.
  

Windows defines 4 kinds of Oplocks:

Level1 Oplock - The redirector sees that the file was opened with deny
                none (allowing concurrent access), verifies that no
                other process is accessing the file, checks that
                oplocks are enabled, then grants
                deny-all/read-write/exclusive access to the file.  The
                client now performs operations on the cached local file.

                If a second process attempts to open the file, the open
                is deferred while the redirector breaks the original
                oplock.  The oplock break signals the caching client to
                write the local file back to the server, flush the
                local locks, and discard read-ahead data.  The break is
                then complete, the deferred open is granted
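
Added example, not part of the whitepaper: a small simulation of the Level1 oplock sequence described above (grant, local caching of data and locks, deferred second open, break, flush). The class and method names are illustrative, and giving the second opener no oplock at all is a simplifying assumption.

```python
class Server:
    """Holds the authoritative file and at most one Level1 oplock."""

    def __init__(self, data):
        self.data = data
        self.locks = []      # byte-range locks the server knows about
        self.holder = None   # client currently holding the Level1 oplock
        self.openers = []
        self.events = []     # ordered trace of what happened

    def open(self, client):
        if self.holder is not None:
            # A second opener arrives: defer the open, break the oplock.
            self.events.append(f"{client.name} open deferred")
            self.break_oplock()
        self.openers.append(client)
        client.server = self
        if len(self.openers) == 1:
            self.holder = client
            client.cache = self.data  # client now works on a local copy
            self.events.append(f"{client.name} open granted with Level1 oplock")
        else:
            # Assumption of this sketch: later openers get no oplock.
            self.events.append(f"{client.name} open granted without oplock")

    def break_oplock(self):
        holder, self.holder = self.holder, None
        self.events.append(f"oplock break sent to {holder.name}")
        holder.on_break()
        self.events.append(f"{holder.name} break complete")


class Client:
    def __init__(self, name):
        self.name = name
        self.server = None
        self.cache = None        # local copy of the file while oplocked
        self.dirty = False       # cached writes not yet on the server
        self.cached_locks = []   # application locks held only locally

    def holds_oplock(self):
        return self.server is not None and self.server.holder is self

    def read(self):
        # Read-ahead: served from the local copy while the oplock is held.
        return self.cache if self.holds_oplock() else self.server.data

    def write(self, data):
        if self.holds_oplock():
            self.cache, self.dirty = data, True  # write caching
        else:
            self.server.data = data              # write-through

    def lock(self, start, length):
        entry = (self.name, start, length)
        if self.holds_oplock():
            self.cached_locks.append(entry)      # lock caching
        else:
            self.server.locks.append(entry)

    def on_break(self):
        # Write the local file back, flush local locks, drop cached data.
        if self.dirty:
            self.server.data = self.cache
            self.dirty = False
        self.server.locks.extend(self.cached_locks)
        self.cached_locks = []
        self.cache = None


def run_scenario():
    """Client A caches a write and a lock; client B's open forces the break."""
    srv = Server("v1")
    a, b = Client("A"), Client("B")
    srv.open(a)
    a.write("v2")
    a.lock(0, 10)
    before = (srv.data, list(srv.locks))  # server has not seen A's changes
    srv.open(b)
    after = (srv.data, list(srv.locks), b.read())
    return before, after, srv.events


if __name__ == "__main__":
    before, after, events = run_scenario()
    print("before break:", before)
    print("after break: ", after)
    print("\n".join(events))
```

Until the break is processed, the server's copy and lock table lag behind the caching client's view, which is the window the usage recommendations in this paper are concerned with.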

Oplocks Usage Recommendations Whitepaper (with attachment)

2002-11-01 Thread Eric Roseme
Here is Oplocks Usage Recommendations Whitepaper for Samba on HP-UX
(originally was written for CIFS/9000 Server on HP-UX).

Note that the intended audience is/are HP-UX customers who have
questions
and concerns about when to configure oplocks.  This is intended as a
rudimentry guide to help avoid the most obvious oplock pitfalls.

Hopefully the plain text alignments hold up well for most editors.  Word
messes things up.

Thanks,

Eric Roseme
Hewlett-Packard
HP-UX Samba Opportunistic Locking Usage Recommendations

Eric Roseme, Hewlett-Packard
October, 2002

  



Contents

Legal Notices  2
Chapter 1   Introduction   4
Chapter 2   Opportunistic Locking Overview 5
Chapter 3   Samba Oplock Configuration 7
Chapter 4   Opportunistic Locking Recommendations  9
4.1 Exclusively Accessed Shares9
4.2 Multiple-Accessed Shares or Files  9
4.3 Unix or NFS Client Accessed Files  10
4.4 Slow and/or Unreliable Networks10
4.5 Multi-User Databases   10
4.6 PDM Data Shares10
4.7 Force User 10
4.8 Advanced Samba Opportunistic Locking Parameters11
4.9 Mission Critical High Availability 11
Chapter 5   Summary12
 




Chapter 1 Introduction

Samba on HP-UX manages file access among Windows clients with Windows 
style file locking.  It applies a very effective set of file locking 
features that are managed by the user-space client processes on the 
server, and provides excellent data security and integrity in a 
multi-user environment.  Samba also integrates some Windows locking 
protocols with the underlying HP-UX operating system locking protocols,
and therefore provides some interoperability with UNIX and NFS style 
file locking.  

Opportunistic Locking is a unique Windows file locking feature.  It is
not really file locking, but is included in most discussions of Windows
file locking, so is considered a defacto locking feature.  
Opportunistic Locking is actually part of the Windows client file 
caching mechanism.  It is not a particularly robust or reliable feature
when implemented on the variety of customized networks that exist in 
enterprise computing, but can be effective in providing modest 
perceived performance optimization.

Like Windows, Samba implements Opportunistic Locking as a server-side 
component of the client caching mechanism.  Because of the lightweight 
nature of the Windows feature design, effective configuration of 
Opportunistic Locking requires a good understanding of its limitations,
and then applying that understanding when configuring data access for 
each particular customized network and client usage state.



Chapter 2 Opportunistic Locking Overview

OPPORTUNISTIC LOCKING (Oplocks) is invoked by the Windows file system 
(as opposed to an API) via registry entries (on the server AND client)
for the purpose of enhancing network performance when accessing a file 
residing on a server. Performance is enhanced by caching the file 
locally on the client which allows:

Read-ahead: The client reads the local copy of the 
file, eliminating network latency
Write caching:  The client writes to the local copy of the 
file, eliminating network latency
Lock caching:   The client caches application locks 
locally, eliminating network latency

The performance enhancement of oplocks is due to the opportunity of 
exclusive access to the file - even if it is opened with deny-none - 
because Windows monitors the file's status for concurrent access from 
other processes.
  

Windows defines 4 kinds of Oplocks:

Level1 Oplock - The redirector sees that the file was opened with deny 
none (allowing concurrent access), verifies that no 
other process is accessing the file, checks that 
oplocks are enabled, then grants 
deny-all/read-write/exclusive access to the file.  The client now performs 
operations on the cached local file.  

If a second process attempts to open the file, the open
is deferred while the redirector breaks the original 
oplock.  The oplock break signals the caching client to
write the local file back to the server, flush the 
local locks, and discard read-ahead data.  The break is
then complete, the deferred open is granted
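
The Level1 grant and break sequence described above, as an added example that is not part of the original message or the HP whitepaper. It is a toy Python model; all class and method names are hypothetical, and the file content is constructed. It shows that the server copy stays stale until the break forces the write-back.

```python
# Toy model of the Level1 oplock grant/break sequence (illustrative only;
# all class and method names are hypothetical, not Samba or Windows code).
class Client:
    def __init__(self, name):
        self.name = name
        self.cache = None          # local file copy, present only under an oplock
        self.locks = []            # byte-range locks cached locally
    def write(self, server, offset, payload):
        if self.cache is not None:             # write caching: server not touched
            self.cache[offset:offset + len(payload)] = payload
        else:                                  # no oplock: write through
            buf = bytearray(server.data)
            buf[offset:offset + len(payload)] = payload
            server.data = bytes(buf)
    def on_break(self, server):
        server.data = bytes(self.cache)        # write the local file back
        server.locks.extend(self.locks)        # flush the cached locks
        self.locks.clear()
        self.cache = None                      # discard read-ahead data

class Server:
    def __init__(self, data):
        self.data, self.locks, self.openers = data, [], []
        self.holder = None                     # client holding the Level1 oplock
        self.log = []
    def open(self, client):
        if self.holder is not None and self.holder is not client:
            self.log.append(f"defer open for {client.name}")
            self.log.append(f"break oplock held by {self.holder.name}")
            self.holder.on_break(self)
            self.holder = None
        self.openers.append(client)
        if len(self.openers) == 1:             # no other process has the file open
            self.holder = client
            client.cache = bytearray(self.data)
            self.log.append(f"grant Level1 oplock to {client.name}")
        else:
            self.log.append(f"grant open to {client.name} without oplock")

def demo():
    srv = Server(b"balance=100")               # constructed sample file content
    a, b = Client("A"), Client("B")
    srv.open(a)
    a.locks.append((8, 3))                     # cached lock on bytes 8..10
    a.write(srv, 8, b"250")
    stale = srv.data                           # server copy before the break
    srv.open(b)
    flushed = srv.data                         # server copy after the break
    b.write(srv, 8, b"300")                    # no oplock now: written through
    return stale, flushed, srv.data, srv.locks, srv.log
```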

Re: [Samba] Tuning SaMBa in HP/UX 10.20 (200 Users)...

2002-06-14 Thread Eric Roseme



Our tests with CIFS/9000 Server on HP-UX 11.x have shown that on 2.2.3a
an smbd is allocated about 1Mb at start-up.  Extensive name mangling can
cause memory usage to increase to 2.5Mb per smbd if the connection is 
active for an extended period of time.

Also, with 2.2.3a you should adjust your HP-UX kernel variables NFILES
and NFLOCKS.  Do a search in the archive to see previous messages about
these parms.

Eric Roseme

Info - Demerson wrote:
 
 Hullo All,
 
 I'm planning to build a SaMBa Server in HP/UX 10.20,
 just for sharing some
 stuff to at least 200 users.
 Well, I have SaMBa running in HP/UX machines and
 according to top, each
 SaMBa process (smbd) takes about 2,1Mb of total
 memory.
 I wonder if there's some clue to reduce the amount
 of memory per smbd...
 Does anybody know that?
 
 Thanks in advance...
 
 __
 Demerson Zounar
 Support Analyst
 [EMAIL PROTECTED]
 



Secondary WINS Enhancement

2002-04-24 Thread Eric Roseme

Did the secondary WINS server config enhancement go into 3.0?
The original was submitted by Dave Olker of HP about 2 years
ago, then Chris Hertel picked it up and was re-designing it.
What is the current status?

Note that this is *not* redundant WINS or WINS sync.  This is
to be able to configure a secondary MS WINS server in smb.conf.

Thanks,

Eric Roseme
Hewlett-Packard