Re: [Samba] winbind: only domains option/patch

2010-02-06 Thread jrmailgate-samba
Thanks Volker!

I would like to add my voice to those requesting this enhancement!

We have a highly distributed number of domains that all trust each other, but 
member servers only have access to their local domain controllers. Having the 
ability to restrict the number of domains that the Samba server tries to 
contact will be a *very* useful addition.

Regards

JR





From: Volker Lendecke volker.lende...@sernet.de
To: Julian Regel julian.re...@yahoo.co.uk
Cc: samba@lists.samba.org
Sent: Fri, 5 February, 2010 19:30:58
Subject: Re: [Samba] winbind: only domains option/patch

On Fri, Feb 05, 2010 at 09:26:20AM -0800, Julian Regel wrote:
> In January 2009 a patch was sent to this list that
> introduced the winbind: only domains option to smb.conf
> (http://lists.samba.org/archive/samba-technical/2009-January/062706.html).
> This provides the inverse of winbind: ignore domains and
> the creator of the patch explained that this was more
> useful (to him) than having to explicitly exclude domains.
>
> Can anyone confirm if this patch was accepted, and if so,
> what version of Samba supports winbind: only domains?
>
> If the patch has not been accepted, is there a particular
> reason why not?

Nobody so far has asked loudly enough, that's probably the
only real reason. It's in my inbox now again. I had to do a
similar patch for an ancient Samba version for a customer
recently, but did not get around to putting this upstream. So
there seems to be real need for it :-)

Volker



  
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Problem with file ownerships on domain member server

2010-02-02 Thread jrmailgate-samba
Hi

I'm possibly missing something obvious, but I'm struggling with ownership 
permissions on a Samba server.

I have a Solaris 10 server running Samba 3.0.33. The server has been joined to 
the Active Directory domain (CSS).

Every user has both a Unix login (served by NIS) and a Windows Domain login 
account. I can connect to the Samba share and create files without any 
problems. The Samba install is successfully mapping domain user jsmith to the 
Unix user jsmith.

However, when I check the ownership of the file from within Windows, I see that 
the file is owned by jsmith (Unix User\jsmith) and not jsmith (CSS\jsmith). 

Is it possible to configure Samba so that files are created with the 
DOMAIN\username instead of Unix User\username?

This is my smb.conf file:

[global]
workgroup = CSS
realm = CSS.AD.EXAMPLE.COM
server string = Solaris Samba Server
security = ADS
password server = mancssdc01, mancssdc02, mancssdc03
log file = /var/samba/log/log.%m
max log size = 50
load printers = No
preferred master = No
dns proxy = No
ldap ssl = no
winbind use default domain = Yes

[Users]
comment = User documents
path = /fileserver/Users/%u
read only = No
guest ok = No
preserve case = Yes
oplocks = yes

[Profiles]
comment = Roaming Profiles
path = /fileserver/Profiles/%u
read only = No
guest ok = No
preserve case = Yes
oplocks = yes
create mask = 0600
directory mask = 0700

Thanks for any help.

JR


  


Re: [Samba] Winbind issue connecting to trusted domain controllers

2009-07-30 Thread jrmailgate-samba

>> So, is there a way I can specify that winbind only uses the CSS domain and
>> does not try and connect to the other trusted domains?
>
> allow trusted domains = no
 
Thanks for the suggestion, but this didn't make a difference.

However, I've managed to find the answer / workaround:

The following needs to be set in smb.conf:

winbind:ignore domains = MAT LPS LAB MMSC GRP IMCR UPGRADE CENTRAL MISE 4THFLOOR AD  CSSDEV NAS

In case it's not obvious, the list is the names of all the trusted domains I 
want Winbind to ignore. I did see a patch that performs the inverse of this (so 
you specify the domains you *want* to search) but as this is not part of the 
mainline code I decided to avoid it as I don't want to be maintaining different 
versions.

Thanks

Julian



  


Re: [Samba] Winbind issue connecting to trusted domain controllers

2009-07-28 Thread jrmailgate-samba
Hi

I'm following up my original message with more information, but unfortunately 
no real progress. 

I've updated to Samba 3.4.0 and winbindd -V now reports: Version 
3.4.0-SerNet-RedHat

I've also tried setting password server = 10.1.10.120 which is the IP address 
of one of my local domain controllers. However, following the logs, I'm still 
watching Winbind cycle through the list of all trusted domains and the domain 
controllers within those domains (as detailed below), even when my Samba server 
is unable to connect to those servers.

I can't believe we are the only organisation to want to use Samba in a site 
with links to other, trusted domains, but my Google skills are failing me. Is 
this a configuration problem with the Samba server, or a configuration problem 
with Active Directory itself?

I'm now stuck and don't know how to progress this, so would really appreciate 
some input from the gurus on this list.

Many thanks in anticipation.

Julian





From: jrmailgate-sa...@yahoo.co.uk jrmailgate-sa...@yahoo.co.uk
To: samba@lists.samba.org
Sent: Thursday, 23 July, 2009 13:12:37
Subject: [Samba] Winbind issue connecting to trusted domain controllers

Hi.

The quick question: Is there a way of forcing a Samba server that is an Active 
Directory member server to limit lookups to its local domain only and not all 
trusted domains?

The question in more detail:

I have a Samba server that is joined to my local AD domain 
(css.ad.example.com). There are other domains under ad.example.com such as 
lps.ad.example.com and mat.ad.example.com within the same forest, and 
additional trusts set up to external domains. The problem I have is that 
authentication works some of the time and then fails for seemingly random 
amounts of time before working again. I've managed to reproduce this behaviour 
through running wbinfo numerous times in succession and monitoring the output.

Running wbinfo -t returns the following:
checking the trust secret via RPC calls succeeded

However, running wbinfo -u returns:
Error looking up domain users

Having done some debugging with the Samba debug level set to 10, and performing 
packet captures with tcpdump/wireshark, I believe the following is happening:

Winbind is obtaining a list of trusted domains and is adding them to a list 
using add_trusted_domain.

[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain CSS CSS.AD.EXAMPLE.COM S-1-5-21-2722945677-2571981173-1559263515
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain CENTRAL central.ad.example.com S-1-5-21-1546731521-1604605983-311576647
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain GRP grp.ad.example.com S-1-5-21-4165802252-723863699-2563104143
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain MMSC mmsc-example.com S-1-5-21-3925889671-1378681824-3250279791
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain LPS lps.ad.example.com S-1-5-21-3593956825-942678665-1239839976
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain MAT mat.ad.example.com S-1-5-21-227787951-1760200910-3128242332

The last added entry MAT mat.ad.example.com is then set as the domain(?):

[2009/07/23 12:09:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MAT

Winbind then attempts to get a list of all the domain controllers:

[2009/07/23 12:09:41, 3] libsmb/namequery.c:get_dc_list(1495)
  get_dc_list: preferred server list: , *

Winbind attempts to locate the LDAP server in the MAT domain, but fails:

[2009/07/23 12:10:01, 3] libads/dns.c:dns_send_req(303)
  ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.mat.ad.example.com (Connection timed out)
[2009/07/23 12:10:01, 3] libads/dns.c:ads_dns_lookup_srv(363)
  ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
[2009/07/23 12:10:01, 4] libsmb/namequery.c:get_dc_list(1522)
  get_dc_list: no servers found

Having failed to obtain the LDAP address by DNS, Winbind then tries to resolve 
the address using lmhosts and WINS. Both fail because although the trusts are 
in place, the Samba server does not have network access to the MAT domain. 
After Winbind exhausts the various options of resolving the MAT domain, it then 
attempts the same with the LPS domain. LPS was the entry added immediately 
before MAT so it appears to be traversing the list of trusted :

[2009/07/23 12:10:24, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=LPS
[2009/07/23 12:10:24, 3] libsmb/namequery.c:get_dc_list(1495)
  get_dc_list: preferred server list: , *
[2009/07/23 12:10:24, 4] libsmb/namequery.c:get_dc_list(1605)
  get_dc_list: returning 21 ip addresses in an ordered list
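
An added example, not part of the original post: a small parser for winbindd log lines in the format quoted above. It lists every trusted domain other than the member server's own, formats them as the `winbind:ignore domains` line from the 2009-07-30 follow-up, and records how many DC addresses each lookup returned. The sample log is constructed (SIDs are placeholders), and the function names are hypothetical.

```python
import re

# Constructed sample in the log format quoted in the message above,
# shortened; SIDs are placeholders, not real values.
SAMPLE_LOG = """\
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain CSS CSS.AD.EXAMPLE.COM S-1-5-21-PLACEHOLDER-1
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain LPS lps.ad.example.com S-1-5-21-PLACEHOLDER-2
[2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
  Added domain MAT mat.ad.example.com S-1-5-21-PLACEHOLDER-3
[2009/07/23 12:09:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MAT
[2009/07/23 12:10:01, 4] libsmb/namequery.c:get_dc_list(1522)
  get_dc_list: no servers found
[2009/07/23 12:10:24, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=LPS
[2009/07/23 12:10:24, 4] libsmb/namequery.c:get_dc_list(1605)
  get_dc_list: returning 21 ip addresses in an ordered list
"""

ADDED = re.compile(r"^\s+Added domain (\S+) (\S+)")
LOOKUP = re.compile(r"^\s+ads_dc_name: domain=(\S+)")
RESULT = re.compile(r"^\s+get_dc_list: (no servers found|returning (\d+) ip addresses)")

def summarize(log_text, local_domain):
    """Return (trusted domains other than local, {domain: DC addresses found})."""
    trusted, lookups, current = [], {}, None
    for line in log_text.splitlines():
        if m := ADDED.match(line):
            name = m.group(1).upper()
            if name != local_domain.upper() and name not in trusted:
                trusted.append(name)
        elif m := LOOKUP.match(line):
            current = m.group(1).upper()      # domain the next get_dc_list result belongs to
        elif (m := RESULT.match(line)) and current:
            lookups[current] = int(m.group(2) or 0)   # 0 means "no servers found"
            current = None
    return trusted, lookups

def ignore_line(trusted):
    """Format the smb.conf option used in the workaround, on a single line."""
    return "winbind:ignore domains = " + " ".join(trusted)

if __name__ == "__main__":
    domains, dc_counts = summarize(SAMPLE_LOG, "CSS")
    print(ignore_line(domains))
    for name, count in dc_counts.items():
        print(f"{name}: {count} DC addresses found")
```

A non-zero address count only means DNS answered. As the post shows for LPS, the member server may still have no network path to those controllers.
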

Re: [Samba] Sharing same directory with Samba and NFS

2009-07-21 Thread jrmailgate-samba

> I'm running a single RHEL5 server that is currently serving out home
> directories and a public share via Samba. My Linux desktop clients would
> like to access these same shares via NFS. So, the age-old question, is it
> possible or am I looking at a lifetime of pain and corrupted data?
>
> I will eventually be running a cluster of 3 servers, one running Samba, one
> running NFS and one as a standby.
>
> I've read that it's possible but. nothing really specific.

Hi.

I can only speak anecdotally, but we've been using Samba to serve filesystems 
to Windows clients from a Solaris server while simultaneously sharing the same 
filesystems to other Solaris, AIX and Linux boxes using NFS for over ten years 
without any issues.

JR



  