Re: [Samba] ldap user suffix

2010-10-19 Thread Olivier FONTES
On Wed, 20 Oct 2010 11:19:12 +0530, vishesh kumar wrote:
> Dear friends
>  My domain users are in two different OUs; one OU is TEMP_USERS and the other OU
> is PEOPLE.
> What should I mention in smb.conf?
>  If I mention
> ldap user suffix = ou=PEOPLE, then
>  users of ou TEMP_USERS are not able to authenticate.
> 
> Please guide me.
> 
> Thanks
> -- 
> http://linuxinterviews.blogspot.com

Hi, is it possible to put the two OUs into a specific OU that you could
mention in your smb.conf?

I had a similar problem; I solved it this way.


Olivier

---
The famille-fontes.net domain is self-hosted at my home.
Contact me if you would like to do the same.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] ldap user suffix

2010-10-19 Thread vishesh kumar
Dear friends
 My domain users are in two different OUs; one OU is TEMP_USERS and the other OU
is PEOPLE.
What should I mention in smb.conf?
 If I mention
ldap user suffix = ou=PEOPLE, then
 users of ou TEMP_USERS are not able to authenticate.

Please guide me.

Thanks
-- 
http://linuxinterviews.blogspot.com


[Samba] samba+ldap setup, users info in two OU

2010-10-19 Thread vishesh kumar
Dear friends
 My domain users are in two different OUs; one OU is TEMP_USERS and the other OU
is PEOPLE.
What should I mention in smb.conf?
 If I mention
 ldap user suffix = ou=PEOPLE, then
 users of ou TEMP_USERS are not able to authenticate.

Please guide me.

Thanks

-- 
http://linuxinterviews.blogspot.com


Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-19 Thread Jeremy Allison
On Tue, Oct 19, 2010 at 09:19:00AM -0400, suresh.kanduk...@emc.com wrote:
> 
> Jeremy, did you get a chance to look at this? Can you please pass your
> comments on this?

Just wanted to let you know I haven't forgotten this, just haven't had
time to get to it yet. Keep pinging me until I respond :-).

Thanks,

Jeremy.


Re: [Samba] Highly-available file server question..

2010-10-19 Thread simo
On Tue, 2010-10-19 at 16:52 -0700, Jeremy Allison wrote:
> On Wed, Oct 20, 2010 at 10:19:36AM +1030, Indexer wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> > 
> > 
> > On 20/10/2010, at 4:31 AM, john_deli...@ceridian.ca wrote:
> > 
> > > I wasn't sure DFS was a good fit, my understanding of DFS is limited 
> > > (reading up today..). 
> > 
> > As I understood it, Samba does not support DFS? Am I wrong? I have done
> > some googling into this and can't find any results about it.
> 
> Yes you are wrong. Samba supports DFS.

Samba supports the DFS mechanism but I think that some Windows Admins
tend to also imply the related File Replication when they say DFS.

We do not support the File Replication Protocol, yet.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 



Re: [Samba] Highly-available file server question..

2010-10-19 Thread Jeremy Allison
On Wed, Oct 20, 2010 at 10:19:36AM +1030, Indexer wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> On 20/10/2010, at 4:31 AM, john_deli...@ceridian.ca wrote:
> 
> > I wasn't sure DFS was a good fit, my understanding of DFS is limited 
> > (reading up today..). 
> 
> As I understood it, Samba does not support DFS? Am I wrong? I have done some
> googling into this and can't find any results about it.

Yes you are wrong. Samba supports DFS.

Jeremy.


Re: [Samba] Highly-available file server question..

2010-10-19 Thread Indexer


On 20/10/2010, at 4:31 AM, john_deli...@ceridian.ca wrote:

> I wasn't sure DFS was a good fit, my understanding of DFS is limited 
> (reading up today..). 

As I understood it, Samba does not support DFS? Am I wrong? I have done some
googling into this and can't find any results about it.

Is this replicating DFS, or is this using a windows server as the DFS root, and 
then pooling them with samba as a "dumb" client?

> 
> From what I've read it seems I'd need to host the DFS root on a 
> highly-available server, and have links from there to my three single 
> hosts (all with shared SAN access).  Unfortunately, I only have these 
> three servers to work with.
> 
> Is there a way I can use DFS with just the three nodes to create a highly 
> available DFS configuration?  Sorry if my terminology is off a little, I'm 
> pretty new to DFS.

DFS is just a distributed filesystem. It can either replicate between X nodes 
to keep them in sync, or it can merge 3 shares into one über share. In your 
case you likely want the merged shares, and just all the three servers export 
the same allocation of SAN (since the files will all be consistent). If your 
servers were all on separate SAN allocations, you would want replication as 
well to keep these synchronised.

> _
> 

William Brown

pgp.mit.edu





Re: [Samba] Winbind on Samba 3.5.5 (centos5)

2010-10-19 Thread I.Piasecki
On 19.10.2010 16:50, Adrian Graham wrote:
> Folks,
>
> Having some fun with winbind on Samba 3.5.5 on RHEL5 and/or Centos5.
> I’ve got it working so ssh logins work correctly and file permissions
> are seemingly correct with created files etc. Backend authentication
> is from a Win2K3R2 box running RFC2372 extensions (ie not SFU) and all
> UIDs etc are assigned for the users who need them.
>
> However, wbinfo returns some interesting things. We’re in a reasonably
> sized AD forest and there seems to be some ID mashing going on. If I
> do wbinfo -u it will sniff out the entire forest and return anything
> its allowed to as well as the local domain, obviously this can be
> filtered by using --domain=DOMAIN which sometimes works well, groups
> also.
>
> Things that don’t work:
>
> wbinfo -i returns ‘could not get info for user’
> wbinfo -r returns ‘could not get groups for user’
> wbinfo -Y returns ‘could not convert sid’
> wbinfo --user-sidinfo returns ‘couldn’t get info for user’
> wbinfo --user-sids also returns failure.
>
> Things that do:
>
> wbinfo -S my-username-SID correctly returns my UID of 666
> wbinfo -s my-username-SID correctly returns DOMAIN+Username
> getent group
> getent passwd
>
> Wish I could remember what I changed, but at some point wbinfo -u
> username DID work but returned a UID of 147, no idea where it got that
> from as I even deleted the idmap cache files etc. Also if I browse to
> a share and create a file it ends up with the UID/GID of a user in a
> completely different domain!
>
> Current smb.conf:
>
> [global]
>
> workgroup = CAM
> realm = CAM.CW.LOCAL
> server string = test-samba server (CentOS 5)
> interfaces = 127.0.0.1, eth0
> bind interfaces only = Yes
> security = ADS
> map to guest = Bad User
> password server = 172.31.134.30
> log level = 100
> log file = /var/log/samba/%m.log
> printcap name = cups
> wins server = 172.31.134.30
> idmap uid = 1-2
> idmap gid = 1-2
> template shell = /bin/bash
> winbind separator = +
> winbind cache time = 5
> winbind use default domain = Yes
> winbind trusted domains only = Yes
> idmap config CAM: range = 100-
> idmap config CAM: backend = ad
> idmap config CAM: schema_mode = rfc2307
> idmap config CAM: default = yes
>
> [homes]
> comment = Home Directories
> read only = No
> create mask = 0664
> directory mask = 0775
> browseable = No
>
> [docs]
> path = /usr/share/doc/samba3/htmldocs
> guest ok = Yes
>
> Anyone? Kerberos seems to be acting ok too, otherwise SSH logins wouldn't 
> work?
>

Winbind in Samba 3.5 is somehow broken. I tried Samba 3.5.3, 3.5.4 and
the latest 3.5.6 and I have problems. For example: I connect to a Samba
share (Samba is a member of AD) from Windows 7 x86_64 and when I create a
file, root is the owner, but it should be me (the user that connects to this
share).

For me it is messy. Again I switched back to Samba 3.4.9 to use winbind.

Samba 3.5.6 has broken ACLs too - when I try to change and populate ACLs
through the directories I get an error: bad argument, and the operation stops.
So many hours spent on it.

I.Piasecki


Re: [Samba] Upgrading Samba-LDAP

2010-10-19 Thread John Drescher
> I am looking to upgrade my Samba server to Samba 3.5.x from Samba 3.0.20 and
> openldap from 2.2.13 to 2.3.43.
> Is there any way to do this and still keep my current domain intact?
> The interest in upgrading is so that we can support Win 7 systems.
>

Of course you can keep your current domain intact.

Do you have more than 1 ldap server? I highly recommend that.

John


[Samba] Upgrading Samba-LDAP

2010-10-19 Thread Clark Johnston
I am looking to upgrade my Samba server to Samba 3.5.x from Samba 3.0.20 
and openldap from 2.2.13 to 2.3.43.

Is there any way to do this and still keep my current domain intact?
The interest in upgrading is so that we can support Win 7 systems.



[Samba] ANNOUNCE: cifs-utils release 4.7 available for download

2010-10-19 Thread Jeff Layton

The last cifs-utils release (4.6) was on July 30th, so it's probably a
good time to go ahead and release a new one with kernel 2.6.36 shipping
soon. Major highlights:

- new cifscreds program has been added. This will eventually allow for
  stashing of username/password in the kernel's keyring for use by
  cifs. Kernel code for this is not in place yet, and the program is
  not yet built by default. Configuring with --enable-cifscreds=yes
  will enable it.

- timeouts for things like mtab locking now use monotonic time and
  should no longer have problems if the clock jumps

...plus the usual assortment of minor bugfixes and manpage updates.

webpage: http://linux-cifs.samba.org/cifs-utils/
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:     git://git.samba.org/cifs-utils.git
gitweb:  http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit 6739b667677b28740b87ede94e53dfc500718acb
Author: Jeff Layton 
Date:   Tue Oct 19 14:59:49 2010 -0400

autoconf: bump release to 4.7

Signed-off-by: Jeff Layton 

commit 202f4b43209da32afc7ce5445a8f561c354c8f82
Author: Jeff Layton 
Date:   Fri Oct 8 15:11:58 2010 -0400

manpage: add mount.cifs manpage entry for "multiuser" option

Signed-off-by: Jeff Layton 

commit d90691a283d0f2ed928476fc96970b1ef2a28662
Author: Jeff Layton 
Date:   Fri Oct 8 15:11:57 2010 -0400

mount.cifs: reinstate ip= as an override for address resolution

The manpage says:

   ip=arg
   sets the destination IP address. This option is set automatically
   if the server name portion of the requested UNC name can be
   resolved so rarely needs to be specified by the user.

...but recent changes have made it not work anymore as an override if
someone specifies an ip= option as part of the mount options. Reinstate
that behavior by copying the ip= option verbatim into the addrlist of
the parsed options struct and then skipping the name resolution. That
should allow the ip= option to pass unadulterated to the kernel.

Signed-off-by: Jeff Layton 

commit f2daa2a08bf8706f90e1154272c5bfe6279895cd
Author: Björn Jacke 
Date:   Tue Aug 24 13:30:05 2010 -0400

mount.cifs: use monotonic time for timeouts

this is especially important during the boot process, where the clock is often
being set initially and clock jumps are more common.

commit 79774488814b0f5267644628e31c07c7ac380a65
Author: Björn Jacke 
Date:   Tue Aug 24 13:29:59 2010 -0400

autoconf: add checks for clock_gettime

commit 909c1bac5eb3b1fc677ef0d4de011cb68e999d15
Author: Igor Druzhinin 
Date:   Fri Aug 20 14:53:38 2010 -0400

cifs-utils: infrastructure for stashing passwords in keyring

It is a userspace part of a new infrastructure for stashing passwords
in kernel keyring per user basis. The patch adds the "cifscreds"
utility for management keys with credentials. Assembling of the utility
from the distribution is possible with --enable-cifscreds=yes option of
configure script.

Signed-off-by: Igor Druzhinin 

commit c546d8d786f70204968fbc78d276bc2c8d2eb670
Author: Igor Druzhinin 
Date:   Fri Aug 20 14:53:05 2010 -0400

cifs-utils: moving resolve_host into separate file

The resolve_host routine from mount.cifs is carried out in
separate file and appropriate corrections are made.

Signed-off-by: Igor Druzhinin 

commit 2b2ce5830fec4317e0c264115cf93e64344b1417
Author: Suresh Jayaraman 
Date:   Wed Aug 4 07:55:54 2010 -0400

mount.cifs: remove redundant error assignment

Avoid setting error code twice by moving error handling out of add_mtab_exit
block. We already set error code and report error in other places.

Signed-off-by: Suresh Jayaraman 

commit 796c714569f5a2d1563f284d94333f2971217417
Author: Jeff Layton 
Date:   Wed Aug 4 06:35:24 2010 -0400

autoconf: bump version number to 4.6.1 for non-release builds

Signed-off-by: Jeff Layton 

-- 
Jeff Layton 


Re: [Samba] Samba and sleep

2010-10-19 Thread Lennart Sorensen
On Tue, Oct 19, 2010 at 08:54:38PM +0200, Olivier Arnaud wrote:
> I built a home network storage using a dedicated computer running a Debian
> distro with Samba.
> Since I don't need it always up, I activated the sleep mode feature on
> Debian.
> My problem is that this computer is going to sleep mode, even if Samba is
> connected.
> 
> Does anybody here have an idea on:
> - how I can forbid my computer sleep mode when Samba is connected ?

I guess you could check smbstatus, although then the question is: Does
anyone being logged in to a share mean no sleep allowed or should that
only be the case if file accesses are actually happening?

> - how I can allow it back when it is disconnected?

How would it know a client wants to connect later?

Really, servers don't sleep.  Simple as that.  Sleep is for client
machines that only care about when a human wants them to respond.

-- 
Len Sorensen
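
Added example (not part of the reply above, and not Samba project code): a shell sketch of the smbstatus check suggested in that reply, which reports separately whether a client is merely connected or has files open. The function names, the two policies and the sample output are constructed for illustration, and the table layout of smbstatus -S and -L is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: decide from smbstatus output whether a
# Samba host is idle. It separates "a client is connected" from "files are
# open", which is the policy question raised in the reply above.
# Assumption: "smbstatus -S" (shares) and "smbstatus -L" (locks) print a
# column header, a rule of dashes, then one row per entry; the exact columns
# differ between Samba versions, so only rows are counted.

# count_rows: number of non-blank lines after the dashed rule on stdin.
count_rows() {
    awk '
        /^-+[ \t]*$/ { body = 1; next }
        body && NF > 0 { rows++ }
        END { print rows + 0 }
    '
}

# samba_state SHARES_TEXT LOCKS_TEXT -> prints busy | connected | idle
samba_state() {
    shares=$(printf '%s\n' "$1" | count_rows)
    locks=$(printf '%s\n' "$2" | count_rows)
    if [ "$locks" -gt 0 ]; then
        echo busy
    elif [ "$shares" -gt 0 ]; then
        echo connected
    else
        echo idle
    fi
}

# may_sleep STATE POLICY -> exit status 0 if sleeping is acceptable.
#   POLICY "sessions": any connected client keeps the host awake.
#   POLICY "files":    only open or locked files keep the host awake.
may_sleep() {
    case "$2:$1" in
        sessions:busy|sessions:connected|files:busy) return 1 ;;
        sessions:idle|files:connected|files:idle)    return 0 ;;
        *) return 1 ;;   # unknown state or policy: stay awake
    esac
}

# Constructed sample output (hypothetical host, share and file names).
sample_shares() {
    cat <<'EOF'
Service      pid     machine       Connected at
-------------------------------------------------------
media        2345    laptop        Tue Oct 19 20:41:02 2010
EOF
}
sample_locks() {
    cat <<'EOF'
Locked files:
Pid    Uid    DenyMode   Access    R/W     Oplock  SharePath    Name      Time
--------------------------------------------------------------------------------
2345   1000   DENY_NONE  0x120089  RDONLY  NONE    /srv/media   film.avi  Tue Oct 19 20:45:10 2010
EOF
}

# On a live server the two arguments would be "$(smbstatus -S)" and "$(smbstatus -L)".
state=$(samba_state "$(sample_shares)" "$(sample_locks)")
if may_sleep "$state" files; then
    echo "$state: sleep allowed"
else
    echo "$state: stay awake"
fi
```

How the exit status of may_sleep is wired into the machine's suspend mechanism is left open here.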


[Samba] Samba and sleep

2010-10-19 Thread Olivier Arnaud
Hello,

I built a home network storage using a dedicated computer running a Debian
distro with Samba.
Since I don't need it always up, I activated the sleep mode feature on
Debian.
My problem is that this computer is going to sleep mode, even if Samba is
connected.

Does anybody here have an idea on:
- how I can forbid my computer sleep mode when Samba is connected ?
- how I can allow it back when it is disconnected?

Thx,
br,
Olive


Re: [Samba] Highly-available file server question..

2010-10-19 Thread John_Delisle
I wasn't sure DFS was a good fit, my understanding of DFS is limited 
(reading up today..). 

From what I've read it seems I'd need to host the DFS root on a 
highly-available server, and have links from there to my three single 
hosts (all with shared SAN access).  Unfortunately, I only have these 
three servers to work with.

Is there a way I can use DFS with just the three nodes to create a highly 
available DFS configuration?  Sorry if my terminology is off a little, I'm 
pretty new to DFS.
_
John Delisle | Business Analyst | Ceridian Canada Ltd. | ceridian.ca
400 ? 125 Garry Street | Winnipeg, MB R3C 3P2 | p: 204-975-5909 | 
john_deli...@ceridian.ca




Chris Weiss
2010/10/19 12:55 PM

To: john_deli...@ceridian.ca, samba
cc:
Subject: Re: [Samba] Highly-available file server question..

On Tue, Oct 19, 2010 at 12:34 PM,   wrote:
> We have multiple (3) servers with access to SAN storage using Oracle OCFS2
> (clustered filesystem, allows each of the 3 nodes to simultaneously access
> to the same SAN disk).  We need to somehow provide Windows clients with
> access to a location on this shared SAN disk, using Samba.  OS is RHEL
> 5.5.

have you looked into DFS?



This communication is intended to be received only by the individual[s] or 
entity[s] to whom or to which it is addressed, and contains information which 
is confidential, privileged and subject to copyright.  Any unauthorized use, 
copying, review or disclosure is prohibited.  Please notify the sender 
immediately if you have received this communication in error [by calling 
collect, if necessary] so that we can arrange for its return at our expense.  
Thank you in advance for your anticipated assistance and cooperation.



Re: [Samba] Highly-available file server question..

2010-10-19 Thread Chris Weiss
On Tue, Oct 19, 2010 at 12:34 PM,   wrote:
> We have multiple (3) servers with access to SAN storage using Oracle OCFS2
> (clustered filesystem, allows each of the 3 nodes to simultaneously access
> to the same SAN disk).  We need to somehow provide Windows clients with
> access to a location on this shared SAN disk, using Samba.  OS is RHEL
> 5.5.

have you looked into DFS?


[Samba] Highly-available file server question..

2010-10-19 Thread John_Delisle
I'm working on a project which requires a highly-available Samba service 
in a hurry.

We have multiple (3) servers with access to SAN storage using Oracle OCFS2 
(clustered filesystem, allows each of the 3 nodes to simultaneously access 
to the same SAN disk).  We need to somehow provide Windows clients with 
access to a location on this shared SAN disk, using Samba.  OS is RHEL 
5.5.

I can run samba on any/all of the 3 nodes, and have Cisco ACE's at our 
disposal too if that helps.   We don't have clustering software to use for 
the Samba service itself, and need to either run it on some or all of the 
nodes and somehow direct clients to one of them.  Ideally, windows clients 
will be provided with one UNC to access the share, and ideally will be 
able to use this regardless of which node is actively servicing their 
request.

At first, I was hoping we could use something like RHEL clustering for the 
Samba service.  This isn't possible due to cost and other issues.  I 
thought maybe we could go with DNS round-robin, pointing at the 3 Samba 
servers.. This is better than nothing, but doesn't handle a down node very 
gracefully (some clients will resolve to a down server). 

Has anyone used ACE's to load-balance Samba?  Can anyone recommend a 
configuration for something like this, or maybe suggest a better way to do 
it?  I'm open to ideas! 
_
John Delisle | Business Analyst | Ceridian Canada Ltd. | ceridian.ca
400 ? 125 Garry Street | Winnipeg, MB R3C 3P2 | p: 204-975-5909 | 
john_deli...@ceridian.ca



Re: [Samba] problems with login and browsing on 3.5.4 LDAP PDC

2010-10-19 Thread Gaiseric Vandal
Maybe I missed it-  but do you have problems if the client and server 
are on the same network segment?


Are all the local WINS servers samba servers or something else?




On 10/19/2010 12:45 PM, Eric A. Hall wrote:
> On 10/19/2010 9:47 AM, Gaiseric Vandal wrote:
>> Is your samba server also a WINS server?  That may help browsing issues.
>
> The nodes don't have any problems finding or communicating with the
> server, the server just does not want to provide data. I have three
> distinct networks that are interconnected by routers. Each segment has a
> local DHCP/DNS/WINS/etc server that assigns H-Node WINS options to the
> local clients, and in addition the broadcasts on 137/138 are also
> forwarded from each segment to the WINS servers on the other segments.
> What this means is clients try to resolve a name by asking the local
> server, then will broadcast a query which is forwarded to the other
> servers, which they answer. If a TCP session is required (such as fetching
> a browse list via port 139) then that also happens as expected, once the
> client knows the server to contact. This works for local and remote nodes
> alike.
>
> From a client on network A that is trying to browse Windows 2003 domain on
> network B, I can see the TCP session established, the challenge and
> response negotiation, the Tree Connect AndX Request and Response, the
> LANMAN server enumeration exchange, and orderly shutdown.
>
> When using the same client to browse the Samba domain on network C, I can
> see the TCP session established, the challenge and response negotiation,
> the Tree Connect AndX Request and Response, but then the client shuts down
> the session without trying to enumerate the LANMAN servers. This cycle
> repeats 4 times for every failed browse attempt indicating that the client
> believes it should be able to get an answer from the server.
>
> Both responses show STATUS_SUCCESS in the SMB message. The only potential
> difference that I can see between them is that the Samba response shows
> "Security signatures are not supported" in the reply message. Perhaps this
> is preventing the client from following up with the LANMAN request to
> enumerate the servers? Also I have long since set the registry options
> needed for signatures, and this same configuration was working before the
> upgrade. Did something about this change recently?
>
>> Do you have "smb ports" defined in smb.conf?
>
> I don't have it defined and am using the defaults. It does not seem to be
> causing any problems.
>
>> wiki.samba.org should have the registry settings required to let Windows
>> 7 machines join on a Samba domain.
>
> I have already made those changes and like I said I am able to join the
> Win7 client to the domain and can view \\SERVER shares, but cannot browse
> the domain or login to the server.
>
>> I would concentrate on the XP machines first since they don't need the
>> registry changes.
>
> Yes that is what I'm doing. I have XP/SP3, Windows Server 2003 (and R2),
> and Windows 7, but am focusing on XP/SP3.
>
>> Also, make sure that you do have correct group mappings for the key well
>> know windows groups  (including Administrators, Domain Admins, Users)
>>  # net groupmap list
>
> [ 12:39:47 -- bulldog:/root/ ]
> [ root# ] net groupmap list
> Domain Admins (S-1-5-21-[...]-512) ->  Domain Admins
> Domain Users (S-1-5-21-[...]-513) ->  Domain Users
> Domain Guests (S-1-5-21-[...]-514) ->  Domain Guests
> Domain Computers (S-1-5-21-[...]-515) ->  Domain Computers
> Local Admins (S-1-5-32-544) ->  Local Admins
> Local Users (S-1-5-32-545) ->  users
> Local Guests (S-1-5-32-546) ->  nobody
>
> For a while I thought it might be related to guest/nobody mapping but I
> have exhausted all of the permutations there. I have tried smbusers
> mapping, putting guest into LDAP, etc., and none of it seems to make much
> any difference in the logs or with the problem at hand.
>
>> Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?)  may
>> help you determine which domain controller and master browser the client
>> is using.
>
> nbtstat is able to display remote data but it does not use the SMB/LANMAN
> enumeration over IPC$ which is where the problem seems to lie.
>
> Local utilities on the Samba server also seem to express normally although
> I am happy to try specific things if somebody will name them.
>
> I am able to use USRMGR.EXE to connect to the server and view/modify user
> accounts successfully.
>
> I have not looked at the others yet.
>
> Thanks for the help
>
>> On 10/19/2010 02:02 AM, Eric A. Hall wrote:
>>> I was running 3.0.25c (I think) LDAP PDC for a couple of years and just
>>> tried swapping in a new 3.5.4 setup. I had some problems so I wiped all
>>> the entries and *.tdb files, and started from scratch.
>>>
>>> Problem in a nutshell: I can't browse the domain normally, nor can I logon
>>> to the domain. However I can access the server shares fine if I point to
>>> the server specifically. SOMETIMES this will then cause browsing to
>>> succeed as well.
>>>
>>> Normally I can see the domain in network neighborhood but if I c

Re: [Samba] problems with login and browsing on 3.5.4 LDAP PDC

2010-10-19 Thread Eric A. Hall

On 10/19/2010 12:45 PM, Eric A. Hall wrote:

> Both responses show STATUS_SUCCESS in the SMB message. The only potential
> difference that I can see between them is that the Samba response shows
> "Security signatures are not supported" in the reply message. Perhaps this
> is preventing the client from following up with the LANMAN request to
> enumerate the servers? Also I have long since set the registry options
> needed for signatures, and this same configuration was working before the
> upgrade. Did something about this change recently?

Yes, yes it did. The old install had "server signing = auto" but this
seems to break the new one. Setting the following options fixes it:

server signing = disabled
smb encrypt = disabled

Is there a paper discussing these options in detail? Is there something I
should add to my group policy files to make this work better?

-- 
Eric A. Hall                        http://www.eric-a-hall.com/
Network Technology Research Group   http://www.ntrg.com/
Internet Core Protocols             http://www.oreilly.com/catalog/coreprot/
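
Added example (not part of the message above, and not Samba project code): with "server signing = disabled" and "smb encrypt = disabled" the server neither signs nor encrypts SMB sessions, so a workaround like this is worth being able to find again later. The shell function below reads smb.conf text and reports those two settings when they are switched off; the function names and the sample configuration are constructed, and treating the boolean "off" spellings like "disabled" is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread: report smb.conf settings that switch
# SMB signing or SMB encryption off, as in the workaround quoted above.
# Reads smb.conf text on stdin. Parameter names are matched the way smb.conf
# treats them (case and whitespace inside the name are ignored). It does not
# follow "include =" lines or backslash line continuations.
# Assumption: the boolean "off" spellings (no/false/0/off) are treated the
# same as the documented value "disabled".

audit_smb_signing() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    {
        line = trim($0)
        if (line == "" || line ~ /^[#;]/) next            # blank line or comment
        if (line ~ /^\[.*\]$/) {                          # section header
            section = tolower(trim(substr(line, 2, length(line) - 2)))
            next
        }
        eq = index(line, "=")                             # only the first "=" counts
        if (eq == 0) next
        name = tolower(substr(line, 1, eq - 1))
        gsub(/[ \t]/, "", name)
        if (name == "serversigning")   label = "server signing"
        else if (name == "smbencrypt") label = "smb encrypt"
        else next
        key = section SUBSEP name
        if (!(key in value)) order[++n] = key             # remember first-seen order
        value[key] = tolower(trim(substr(line, eq + 1)))  # a later line overrides
        shown[key] = "[" section "] " label
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (value[k] ~ /^(disabled|no|false|0|off)$/) {
                print "WEAK: " shown[k] " = " value[k]
                bad++
            }
        }
        exit (bad > 0)                                    # status 1 when anything is off
    }'
}

# Constructed sample input (not a real server configuration).
sample_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
   Server Signing = auto
   ; server signing = mandatory
   server signing = Disabled
   smb encrypt = disabled
[docs]
   path = /srv/docs
EOF
}

sample_conf | audit_smb_signing || echo "signing or encryption is switched off"
```

On a server the input would be the smb.conf file itself, for example audit_smb_signing < /etc/samba/smb.conf (the path is the common default and an assumption here).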


Re: [Samba] problems with login and browsing on 3.5.4 LDAP PDC

2010-10-19 Thread Eric A. Hall

On 10/19/2010 9:47 AM, Gaiseric Vandal wrote:
> Is your samba server also a WINS server?  That may help browsing issues.

The nodes don't have any problems finding or communicating with the
server, the server just does not want to provide data. I have three
distinct networks that are interconnected by routers. Each segment has a
local DHCP/DNS/WINS/etc server that assigns H-Node WINS options to the
local clients, and in addition the broadcasts on 137/138 are also
forwarded from each segment to the WINS servers on the other segments.
What this means is clients try to resolve a name by asking the local
server, then will broadcast a query which is forwarded to the other
servers, which they answer. If a TCP session is required (such as fetching
a browse list via port 139) then that also happens as expected, once the
client knows the server to contact. This works for local and remote nodes
alike.

From a client on network A that is trying to browse Windows 2003 domain on
network B, I can see the TCP session established, the challenge and
response negotiation, the Tree Connect AndX Request and Response, the
LANMAN server enumeration exchange, and orderly shutdown.

When using the same client to browse the Samba domain on network C, I can
see the TCP session established, the challenge and response negotiation,
the Tree Connect AndX Request and Response, but then the client shuts down
the session without trying to enumerate the LANMAN servers. This cycle
repeats 4 times for every failed browse attempt indicating that the client
believes it should be able to get an answer from the server.

Both responses show STATUS_SUCCESS in the SMB message. The only potential
difference that I can see between them is that the Samba response shows
"Security signatures are not supported" in the reply message. Perhaps this
is preventing the client from following up with the LANMAN request to
enumerate the servers? Also I have long since set the registry options
needed for signatures, and this same configuration was working before the
upgrade. Did something about this change recently?

> Do you have "smb ports" defined in smb.conf?

I don't have it defined and am using the defaults. It does not seem to be
causing any problems.

> wiki.samba.org should have the registry settings required to let Windows 
> 7 machines join on a Samba domain.

I have already made those changes and like I said I am able to join the
Win7 client to the domain and can view \\SERVER shares, but cannot browse
the domain or login to the server.

> I would concentrate on the XP machines first since they don't need the
> registry changes.

Yes that is what I'm doing. I have XP/SP3, Windows Server 2003 (and R2),
and Windows 7, but am focusing on XP/SP3.

> Also, make sure that you do have correct group mappings for the key well 
> know windows groups  (including Administrators, Domain Admins, Users)
>  # net groupmap list

[ 12:39:47 -- bulldog:/root/ ]
[ root# ] net groupmap list
Domain Admins (S-1-5-21-[...]-512) -> Domain Admins
Domain Users (S-1-5-21-[...]-513) -> Domain Users
Domain Guests (S-1-5-21-[...]-514) -> Domain Guests
Domain Computers (S-1-5-21-[...]-515) -> Domain Computers
Local Admins (S-1-5-32-544) -> Local Admins
Local Users (S-1-5-32-545) -> users
Local Guests (S-1-5-32-546) -> nobody

For a while I thought it might be related to guest/nobody mapping but I
have exhausted all of the permutations there. I have tried smbusers
mapping, putting guest into LDAP, etc., and none of it seems to make much
difference in the logs or with the problem at hand.

> Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?)  may 
> help you determine which domain controller and master browser the client 
> is using.

nbtstat is able to display remote data but it does not use the SMB/LANMAN
enumeration over IPC$ which is where the problem seems to lie.

Local utilities on the Samba server also seem to express normally although
I am happy to try specific things if somebody will name them.

I am able to use USRMGR.EXE to connect to the server and view/modify user
accounts successfully.

I have not looked at the others yet.

Thanks for the help


> On 10/19/2010 02:02 AM, Eric A. Hall wrote:
>> I was running 3.0.25c (I think) LDAP PDC for a couple of years and just
>> tried swapping in a new 3.5.4 setup. I had some problems so I wiped all
>> the entries and *.tdb files, and started from scratch.
>>
>> Problem in a nutshell: I can't browse the domain normally, nor can I logon
>> to the domain. However I can access the server shares fine if I point to
>> the server specifically. SOMETIMES this will then cause browsing to
>> succeed as well.
>>
>> Normally I can see the domain in network neighborhood but if I click on I
>> get the "domain is not accessible error". From a command prompt "net view
>> /domain:DOMAIN" also typically produces an error 59. However if I "net
>> view \\SERVER" then that works fine, and THEN I am sometimes able to
>> successful

Re: [Samba] Our success story with samba4

2010-10-19 Thread Lukasz Zalewski

On 10/19/2010 03:53 PM, Ludek Finstrle wrote:

Hi Ludek,

> Hi,
>
> Tue, Oct 19, 2010 at 10:12:16AM +0100, Lukasz Zalewski wrote:
>> This message is a testament to the great work samba team has done, but
>> its also an encouragement to those of you that still not sure if samba4
>> will work in your environment.
>
> it's nice to know it. How you cooperate with other systems required LDAP
> accounts and some additional data? As I know there is no complete support
> for external LDAP server which is stopper for us.
>
> Do you mirror user's account to external LDAP or you don't need it
> at all?

Yeah we still maintain openldap backend (which provides core
functionality for the school) - the way i see it is that samba account
information has moved from openldap to s4.
AFAICT (but would like to be proven wrong) s4 allows the storage of
posix account attributes, but i do not think you can add custom schemas
to it.

I suspect this behaviour is probably no different to real AD

Regards

Luk

> Best regards,
>
> Luf




Re: [Samba] Our success story with samba4

2010-10-19 Thread Ludek Finstrle
Hi,

Tue, Oct 19, 2010 at 10:12:16AM +0100, Lukasz Zalewski wrote:
> This message is a testament to the great work samba team has done, but 
> its also an encouragement to those of you that still not sure if samba4 
> will work in your environment.

  it's nice to know it. How you cooperate with other systems required LDAP
accounts and some additional data? As I know there is no complete support
for external LDAP server which is stopper for us.

Do you mirror user's account to external LDAP or you don't need it
at all?

Best regards,

Luf


[Samba] Winbind on Samba 3.5.5 (centos5)

2010-10-19 Thread Adrian Graham
Folks,

Having some fun with winbind on Samba 3.5.5 on RHEL5 and/or Centos5.
I’ve got it working so ssh logins work correctly and file permissions
are seemingly correct with created files etc. Backend authentication
is from a Win2K3R2 box running RFC2372 extensions (ie not SFU) and all
UIDs etc are assigned for the users who need them.

However, wbinfo returns some interesting things. We’re in a reasonably
sized AD forest and there seems to be some ID mashing going on. If I
do wbinfo -u it will sniff out the entire forest and return anything
it's allowed to as well as the local domain, obviously this can be
filtered by using --domain=DOMAIN which sometimes works well, groups
also.

Things that don’t work:

wbinfo -i returns ‘could not get info for user’
wbinfo -r returns ‘could not get groups for user’
wbinfo -Y returns ‘could not convert sid’
wbinfo --user-sidinfo returns ‘couldn’t get info for user’
wbinfo --user-sids also returns failure.

Things that do:

wbinfo -S my-username-SID correctly returns my UID of 666
wbinfo -s my-username-SID correctly returns DOMAIN+Username
getent group
getent passwd

Wish I could remember what I changed, but at some point wbinfo -u
username DID work but returned a UID of 147, no idea where it got that
from as I even deleted the idmap cache files etc. Also if I browse to
a share and create a file it ends up with the UID/GID of a user in a
completely different domain!

Current smb.conf:

[global]

    workgroup = CAM
    realm = CAM.CW.LOCAL
    server string = test-samba server (CentOS 5)
    interfaces = 127.0.0.1, eth0
    bind interfaces only = Yes
    security = ADS
    map to guest = Bad User
    password server = 172.31.134.30
    log level = 100
    log file = /var/log/samba/%m.log
    printcap name = cups
    wins server = 172.31.134.30
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /bin/bash
    winbind separator = +
    winbind cache time = 5
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    idmap config CAM: range = 100-
    idmap config CAM: backend = ad
    idmap config CAM: schema_mode = rfc2307
    idmap config CAM: default = yes

[homes]
    comment = Home Directories
    read only = No
    create mask = 0664
    directory mask = 0775
    browseable = No

[docs]
    path = /usr/share/doc/samba3/htmldocs
    guest ok = Yes

Anyone? Kerberos seems to be acting ok too, otherwise SSH logins wouldn't work?

-- 
adrian/witchy
Owner of Binary Dinosaurs, the UK's biggest home computer collection?
www.binarydinosaurs.co.uk


[Samba] CTDB starting statd without -n gfs -H /etc/ctdb/statd-callout

2010-10-19 Thread Chris Walker
 Hello,

First and foremost, thanks *very* much for ctdb.  It's a joy to use
after banging around with other HA solutions.  We're planning to use
it to export Samba and NFS shares throughout campus.

I'm having one problem with the NFS part though.  When ctdbd first
starts statd (we're using CTDB_MANAGES_NFS=yes), it does so without
appending the stuff in the STATD_HOSTNAME variable in
/etc/sysconfig/nfs, which is where the statd-callout script is passed
to statd.  In our case, this means that statd is running as

rpc.statd -p 662 -o 2020

instead of

rpc.statd -n gfs -H /etc/ctdb/statd-callout -p 662 -o 2020

I could be wrong, but it looks to me that ctdb is using the nfslock
init script to start statd.  This script doesn't use $STATD_HOSTNAME
at all, so it follows that the statd-callout script isn't passed to
statd.

If I kill statd and let ctdb start the 60.nfs script restart it when
it monitors, then statd is run with the correct statd-callout script,
since 60.nfs does append the $STATD_HOSTNAME variable when rpc.statd
is invoked.  And the same is true if I change the nfslock init script
so that it appends the $STATD_HOSTNAME.

This is an up-to-date CentOS 5.5 OS, with CTDB pulled from the git
repository last week.


One quick unrelated question about CTDB -- the documentation states
that the CTDB_NODES IP addresses should live on a "private
non-routable subnet which is only used for internal cluster traffic".
Is this a requirement?  I have our cluster nodes on one part of a
/24 (which is routable to our organization, but not to the internet),
and the CTDB_PUBLIC_ADDRESSES on another part.  This seems to be
working fine, but I wanted to check that I wasn't doing something that
would bite us later.

Thanks again for CTDB and Samba!

Best,
Chris


Re: [Samba] Unable to compile Samba 3.5.6 on Solaris 9 - more winbind issues

2010-10-19 Thread Robert M. Martel - CSU

Greetings,

Just for completeness I am seeing the same problem building Samba 3.5.6 
under Solaris 10:


Had to manually add "-lintl" to the LIBS option in the Makefile.

...
Linking shared library bin/pam_winbind.so
Undefined                       first referenced
 symbol                             in file
libintl_bindtextdomain              ../nsswitch/pam_winbind.o
libintl_dgettext                    ../nsswitch/pam_winbind.o
ld: fatal: Symbol referencing errors. No output written to bin/pam_winbind.so
collect2: ld returned 1 exit status
make: *** [bin/pam_winbind.so] Error 1



On 10/18/2010 10:01 AM, Robert M. Martel - CSU wrote:

Greetings,

No helpful hints have been offered to my winbind issues with Samba 3.4.9
and Solaris 9 I started trying to build Samba 3.5.6. Using gcc 3.4.6. I
added "-lintl" to the LIBS option in the Makefile which cleared some
earlier linker errors involving libintl_gettext, libintl_textdomain and
libintl_bindtextdomain being undefined, except with winbind:

Linking shared library bin/pam_winbind.so
Undefined                       first referenced
 symbol                             in file
libintl_bindtextdomain              ../nsswitch/pam_winbind.o
libintl_dgettext                    ../nsswitch/pam_winbind.o
ld: fatal: Symbol referencing errors. No output written to bin/pam_winbind.so
collect2: ld returned 1 exit status
make: *** [bin/pam_winbind.so] Error 1

I have not been able to get any version of Samba beyond 3.2.15 to build
on Solaris 9 with support for Active Directory. Any later 3.2 version I
see run-time errors with winbind which is why I decided to give 3.5 a try.



--
***
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University   -Jeff Lynne
(216) 687-2214
r.mar...@csuohio.edu
***


Re: [Samba] Samba 3.5.6 - configure creates Makefile with errors on Solaris 10

2010-10-19 Thread Robert M. Martel - CSU

Greetings,

I was able to get 3.4.9 to build on my Solaris 10 boxes - but nothing
later.  I've been building my own samba from source for far longer than
I care to admit (because I should know more about samba by now than I
do.)  I've never had so many problems building the source as I have had
the past several months.


I am going to look into the points that Gaiseric Vandal has brought up. 
 I am already using Sunfreeware's gcc.


I got past my latest "make" issue by using Sunfreeware's version of Make
rather than the one found in /usr/ccs/bin (which has never been a
problem in the past.)


Following a tip I found at 
http://forums.sun.com/thread.jspa?threadID=5445706  I added "-lintl" to 
the LIBS option in the Makefile.  Line 25


That got me as far as linking winbind:
-
...
Linking shared library bin/pam_winbind.so
Undefined                       first referenced
 symbol                             in file
libintl_bindtextdomain              ../nsswitch/pam_winbind.o
libintl_dgettext                    ../nsswitch/pam_winbind.o
ld: fatal: Symbol referencing errors. No output written to bin/pam_winbind.so
collect2: ld returned 1 exit status
make: *** [bin/pam_winbind.so] Error 1
-

Which has me now stopped at the same place on both my Solaris 9 and 
Solaris 10 builds.  On Solaris 9 I have not been able to get a FULLY 
working version of Samba with AD support past version 3.2.15.


-Bob



On 10/18/2010 02:25 PM, Joe Cammisa wrote:

i've had no problem compiling up to 3.4.8 on several solaris10 boxes at
varying patch levels; but for some reason i can't get anywhere with 3.5.x.
has anyone else been successful in this regard?  any tips
appreciated--thanks all in advance...

-joe

On Mon, Oct 18, 2010 at 2:13 PM, Gaiseric Vandal
wrote:


Have you tried the precompiled samba version from sunfreeware.com?  It is
only 3.4.2 but should have AD support. It won't have ZFS support (an
issue for Solaris 10 but Solaris 9.)


the winbind nsswitch stuff may require a little work to setup.




--
***
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University   -Jeff Lynne
(216) 687-2214
r.mar...@csuohio.edu
***


Re: [Samba] problems with login and browsing on 3.5.4 LDAP PDC

2010-10-19 Thread Gaiseric Vandal

Is your samba server also a WINS server?  That may help browsing issues.

Do you have "smb ports" defined in smb.conf?

The default is
 smb ports = 445 139


I found if I set

 smb ports = 139

some clients would have trouble locating shares or authenticating to 
servers.


wiki.samba.org should have the registry settings required to let Windows 
7 machines join on a Samba domain.


Also, make sure that you do have correct group mappings for the key
well-known windows groups (including Administrators, Domain Admins, Users)

# net groupmap list


I would concentrate on the XP machines first since they don't need the 
registry changes.


Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?)  may 
help you determine which domain controller and master browser the client 
is using.





On 10/19/2010 02:02 AM, Eric A. Hall wrote:

I was running 3.0.25c (I think) LDAP PDC for a couple of years and just
tried swapping in a new 3.5.4 setup. I had some problems so I wiped all
the entries and *.tdb files, and started from scratch.

Problem in a nutshell: I can't browse the domain normally, nor can I logon
to the domain. However I can access the server shares fine if I point to
the server specifically. SOMETIMES this will then cause browsing to
succeed as well.

Normally I can see the domain in network neighborhood but if I click on I
get the "domain is not accessible error". From a command prompt "net view
/domain:DOMAIN" also typically produces an error 59. However if I "net
view \\SERVER" then that works fine, and THEN I am sometimes able to
successfully view the domain (about half the time sometimes more).

I am able to successfully join machines to the domain (they show up in
LDAP) but am unable to login to the domain from any of them. On XP/SP3
boxes the error is "the system cannot log you on now because the domain
DOMAIN is not available", while Windows 7 says "there are currently no
logon servers available to service the logon request"

I have looked at the smb/nmb/winbind logs at level 3 and near as I can
tell everything is operating correctly although something seems to be
crashing a lot--there are many entries about brl and lock database after
unclean shutdown.

I don't know SMB protocol very well but from watching some wireshark
traces and reading the corresponding logs it looks like the nodes are
negotiating IPC$ connection but not getting data. Client asks for copy 4,
server offers copy 1, client negotiates TCP/IP session then closes, and
everything starts over again. Perhaps once they authenticate (enough to
view \\SERVER shares) the negotiation is reused and this is what works?

Are there security permissions on IPC$ that need to be set?

Where should I be looking and what should I be looking for?

Thanks

   




Re: [Samba] Error was Transport endpoint is not connected

2010-10-19 Thread Gaiseric Vandal

The following may help "explain" the error:

http://wiki.samba.org/index.php/Samba_Myths




So if you copy the file it is OK, but if the backup job runs an 
integrity check first it fails?  What is involved in the integrity 
check?  Is it somehow opening a connection to the server before starting 
the integrity check?



On 10/19/2010 03:05 AM, robert.gehr wrote:

I tried it with "smb ports 139" to no avail. Same problem.
The backup job takes that long because the windows box first runs an
integrity check. If I just copy the file manually it takes a couple of
minutes. As already mentioned the other samba server 3.4.7 works without
any problems.

What does that error message actually mean? Does it mean a network error
has occurred, the server has run into a timeout, the server can no
longer resolve the name of the client or what?

Ideas are welcome.

Rob

On Fri, 2010-10-15 at 14:57 +0200, Gaiseric Vandal wrote:
   

Did you try changing smb.conf on the NAS to be port 139 only?

Also, it seems that 55 GB should not take one hour to copy (55 GBytes is
440 Gbit, and at 1 Gbit/sec  and 60 secs / min, the transfer should take
about minutes-  at least in theory.)

I am guessing it is dropping because it tries to reestablish a
connection part way through the transfer.





On 10/15/2010 07:12 AM, robert.gehr wrote:
 

Nice try. The backup fails exactly the moment the message appears in the
log. So I would say it is something to worry about.

Has really no one any ideas why this all of a sudden comes up.

Thanks for any hints

Rob


On Tue, 2010-10-12 at 08:41 +0200, Daniel Müller wrote:

   

This message only says: I established to one of the ports 139 or 445
and dropped the other.
It is nothing to trouble about.

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Gaiseric Vandal
Sent: Monday, 11 October 2010 16:48
To: samba@lists.samba.org
Subject: Re: [Samba] Error was Transport endpoint is not connected

By default samba listens on two TCP ports-  445 and 139.  You can
specify this in smb.conf

   smb ports = 445 139


445 is the newer smb over tcp. 139 is the older smb over netbios
over tcp/ip. 445 was for Windows 2000 and newer clients. I am
not sure why samba enables 445 by default since as far as I know it does
not support smb-over-tcp (without the NBT/netbios over tcp stuff.) If
you set "smb ports = 139" in your smb.conf you should see endpoint
messages disappear.

I think what happens is Win 2000 (and newer)  clients will initially try
to connect on port 445, find it isn't really compatible, and then "dump
down" to NBT on port 139.

So your NAS may be occasionally connecting on port 139 without problems
and occasionally connecting on port 445, and which point it fails.

OR-  the "endpoint" errors may be completely unrelated, but you just
don't look for them when the NAS is working.


Is the NAS part of the domain?  Is it a windows or linux/samba based device?

My samba server is a PDC.  XP clients in the domain connect with no
problems regardless of  if smb ports is 139 only or 139 + 445.   XP/Win7
clients NOT in the domain can't connect to shares if 445 is disabled,
which indicates they are connecting to 445 1st.



On 10/11/2010 08:57 AM, robert.gehr wrote:

 

Hello All

I used to back up a Mssql database (about 55GB) to a samba share without
any problems. The samba server "Server-A" was running version 3.4.7
We just got one of those "Netgear ReadyNas3200" things and I tried to
backup up to a share there which sometimes works and sometimes not in
which case I get the following error:

snip---

[2010/10/08 21:32:26.937834,  0]
lib/util_sock.c:474(read_fd_with_timeout)
[2010/10/08 21:32:26.966404,  0]
lib/util_sock.c:1432(get_peer_addr_internal)
 getpeername failed. Error was Transport endpoint is not connected
 read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
peer.

---snap-

The samba version on the ReadyNas is 3.5.4

On the windows side nothing has changed apart from the destination to
the new share. The ReadyNas performs pretty well and I do not get any
network errors or otherwise. To rule out some network problem I exported
a nfs share on the ReadyNas which I mounted on "Server-A", created a
share on "Server-A" that points to the nfs-mount and ran a backup. No
problems and no errors.

Any ideas which buttons to push in order to get a reliable backup going
again? From what I read this usually points to a problem on the client
side but nothing has changed there. I could of course use the
"Server-A:smb->nf

Re: [Samba] Restricting samba subfolder acl changes to admin users

2010-10-19 Thread suresh.kandukuru

Jeremy, did you get a chance to look at this? Can you please pass your comments
on this?

Thanks
Suresh


-Original Message-
From: Volker Lendecke [mailto:volker.lende...@sernet.de] 
Sent: Monday, October 18, 2010 1:16 PM
To: Kandukuru, Suresh
Cc: j...@samba.org
Subject: Re: [Samba] Restricting samba subfolder acl changes to admin users

On Mon, Oct 18, 2010 at 12:12:55AM -0400, suresh.kanduk...@emc.com wrote:
> Thanks Jeremy and Volker. Clarified some of points. Still little bit
> confusion for me.
> So, in summary if a user can change ACL, if he has write access on the share
> and the ownership on subfolders / files inside it.
>
> here is my test.
>
> 1) created share "test", given write access to it for "admin", "user1" users.
>
> 2) connected to share with admin user and created sub folder "test_subfldr"
> in it, and given read access to user1 user.
> output of getfacl
> 
> r...@storage:/mnt/soho_storage/samba/shares/SP0/test# getfacl test_subfldr/
> # file: test_subfldr/
> # owner: admin
> # group: users
> user::rwx
> user:user1:r-x
> group::rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:user1:r-x
> default:group::---
> default:mask::rwx
> default:other::---
> 
> r...@storage:/mnt/soho_storage/samba/shares/SP0/test#
> --
> 4) connected to test share with user1, could not write into test_subfldr,
> and user1 has changed acl settings on test_subfldr to write access.
> Why is samba allowing this? Though user1 has write access to share, he is
> not the owner of test_subfldr/ (admin is the owner for this). user1
> effectively has read access on the test_subfldr.

This might actually be a bug. Maybe Samba believes the user
has write permissions due to the group having the w
permission? Which group is the user member of?

Jeremy, can this be a mis-mapping of Posix permissions to
NTFS ACLs in the "dos filemode" permission check?

Volker
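
As an added example (not code from this thread or from Samba), the sketch below runs the access-check order documented in acl(5) over the getfacl output quoted above, to show what the POSIX ACL itself grants each account on test_subfldr/ before any "dos filemode" or NT ACL mapping is involved. The accounts user2 and guest1 and all group memberships passed to the function are constructed for illustration.

```python
"""Evaluate the acl(5) access-check order against getfacl output."""

# Access ACL of test_subfldr/ as posted in the thread.
GETFACL_OUTPUT = """\
# file: test_subfldr/
# owner: admin
# group: users
user::rwx
user:user1:r-x
group::rwx
mask::rwx
other::rwx
default:user::rwx
default:user:user1:r-x
default:group::---
default:mask::rwx
default:other::---
"""


def parse_getfacl(text):
    """Parse owner, owning group, access entries and mask from getfacl text."""
    acl = {"owner": None, "group": None, "entries": [], "mask": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            # default: entries only seed the ACL of newly created children
            continue
        else:
            tag, qualifier, perms = line.split(":")[:3]
            bits = {c for c in perms[:3] if c in "rwx"}
            if tag == "mask":
                acl["mask"] = bits
            else:
                acl["entries"].append((tag, qualifier, bits))
    return acl


def check_access(acl, user, groups, wanted):
    """Return (granted, deciding_entry) following the order in acl(5)."""
    wanted = set(wanted)
    entries = acl["entries"]
    mask = acl["mask"]

    def masked(bits):
        # The mask limits named users and the whole group class,
        # never the owner entry or the other entry.
        return bits if mask is None else bits & mask

    owner_bits = next(b for t, q, b in entries if t == "user" and q == "")
    other_bits = next(b for t, q, b in entries if t == "other")

    # 1. The file owner is decided by user:: alone.
    if user == acl["owner"]:
        return wanted <= owner_bits, "user::"

    # 2. A matching named-user entry decides; group entries are not consulted.
    for t, q, b in entries:
        if t == "user" and q == user:
            return wanted <= masked(b), "user:" + q

    # 3. Group class: one matching entry must hold all wanted bits.
    matching = [(q, b) for t, q, b in entries
                if t == "group" and (q or acl["group"]) in groups]
    if matching:
        for q, b in matching:
            if wanted <= masked(b):
                return True, "group:" + q
        return False, "group class"

    # 4. Everyone else falls through to other::.
    return wanted <= other_bits, "other::"


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    # Constructed accounts and memberships, for illustration only.
    cases = [("admin", ["users"]), ("user1", ["users"]),
             ("user2", ["users"]), ("guest1", ["nogroup"])]
    for name, groups in cases:
        granted, entry = check_access(acl, name, groups, "w")
        print(f"{name:7} write={'yes' if granted else 'no':3} via {entry}")
```

With this ACL, user1 is decided by the named entry user:user1:r-x even when a member of users, so the group's w bit never applies; any account matching no user or group entry is granted write through other::rwx.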



[Samba] Missing files on cifs-mount

2010-10-19 Thread Rainer Pietsch
I have a cifs-mount on an ubuntu 10.04 client which does not show all files.

On other machines I can see all 58,000 files in a folder but on this
special machine I see only 122 files.

The server is a brave old smbd "Version 3.0.20b-3.5-SUSE" serving a
big network since years without any troubles. I can see this files on
the server as well as on windows-clients.

The client making troubles is an ubuntu 10.04 server with a cifs client:
"mount.cifs version: 1.12-3.4.7"
the config from the server:

-
[global]
workgroup = 
netbios name = 
map to guest = Bad User
username map = /etc/samba/smbusers
log level = 1 vfs:2
unix extensions = No
printcap name = cups
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
os level = 64
preferred master = Yes
domain master = No
ldap ssl = no
cups options = raw
include = /etc/samba/dhcp.conf
...
...
[dataN]
path = /var/share/dataN
force group = users
read only = No
create mask = 0666
force create mode = 0660
directory mask = 0777
force directory mode = 0770

...
...
--
There is a real device mounted at " /var/share/dataN" (no link or
symbolic link) and there are NO smb-entries below this mount-point.
With other words: The whole tree is exported and no subtree is
accessed separately.

Config at the client:
in /etc/fstab:
--
...
...
//xx.xx.xx.xx/dataN  /mnt/xxx  cifs  rw,workgroup=,credentials=/root/xxx.cifs,nounix,iocharset=utf8,uid=1000,gid=1000  0  0
...
...
--

For example at  one folder at the server there are 58,000 files and at
the client I can only see the file 1 to 122.


Thank you in advance for any help!

-- 
Mit freundlichen Grüßen / best regards

Ing. Rainer Pietsch
--
PCS - Pichler Computer Systeme
Inh. Claudia Pichler-Pietsch
Hauptplatz 10
A-2751 Steinabrückl
--
mail:  r.piet...@pcs-at.com
web:   http://www.pcs-at.com
tel.:  +43 (2622) 420 19 / 15
mobil: +43 (676) 31 242 69
fax:   +43 (2622) 420 19 / 20
--


[Samba] Windows 7 Offline Files (CSC) not syncing from Samba 3.4.0 PDC

2010-10-19 Thread Jonathan

Hi All,
I've been running a Samba 3.4.0 on Ubuntu 9.10 for over a year at a
friend's office and it has been extremely stable. But I've suddenly hit a
scenario where Windows 7 clients can no longer properly sync the main
share as 'Offline Files'

I found it highly unreliable under Vista Business, then Win7Pro seemed to
work much better; but suddenly I am finding that the sync is succeeding
but the files are not actually available offline.

Here are the scenarios I am seeing:
1) A user updates an offline copy of an Open Office document or
presentation. When the user syncs, the updated copy is sent to the
server, but the local copy gets trashed and ceases to be available offline
regardless of how many times it 'successfully' syncs.

2) I reformatted the offline files cache on a Win7Pro host today and
started a fresh sync relationship with the folder. The first attempt to
sync failed ~6600 out of ~6900 files claiming they were in use by another
user/process - this was nonsense and smbstatus showed only one file open
which was correct. I restarted smbd and then the sync completed with *NO
ERRORS* - However as soon as the host was taken away from the network,
almost all the offline files had crosses through them to indicate that
they weren't available.

Until 2-3 weeks ago, offline files appeared to be working reasonably well
so I'm struggling to understand what has changed. I can find little
information about the combination of Windows 7 Offline Files with a Samba
PDC - Has anyone ever made this work reliably (or at least seen the same
problem)??

Can anyone offer me any assistance with diagnosing the offline files cache
on the windows side, or advise on what logging to set up on the Samba side
to analyse this problem (or an alternative product that just works
better!)? I've attached my smb.conf
I do understand that this is the Samba list and not a Windows support
list, but M$ aren't interested in helping Samba users ;-)

Notes:
- I've updated the registry to round up write times as documented on
http://blogs.technet.com/b/filecab/archive/2007/03/16/using-offline-files-with-samba-emc-servers-nas-devices.aspx
- I followed the Samba wiki to enable Domain Compatibility Mode to join
Windows 7 to the domain.
- There are two users on Windows XP Home which access the Shared files
without being domain members. No users Domain/Non-Domain have any problems
accessing files while online in the office.

Any help/advice/suggestions would be much appreciated :-)

Regards
Jonathan





--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

[Samba] Our success story with samba4

2010-10-19 Thread Lukasz Zalewski

Hi all,
This message is a testament to the great work samba team has done, but 
its also an encouragement to those of you that still not sure if samba4 
will work in your environment.


This semester we have moved from samba 3.0.X DC to samba4 DC for 
students, and things are working great
The move was predominantly driven by switching from Windows XP to 
Windows 7 desktop platform (but also by a need for proper group policy).


Our setup is quite simple and includes:

One samba4 DC (running on centos 5.5 x64) with nsd dns backend

Two samba 3.3.8 domain members (running on centos 5.5 x64) providing 
file services and printing


We also have Windows Server 2003 domain member

~340 Windows 7 x64 Workstations

~1900 users, that were imported from our previous samba3 domain with 
ldap back-end.


Note that we did not move entire domain, but decided to start afresh, 
and existing users (and computers) were ported to the new domain.


We use group policy to deploy various settings, user profiles, software 
and printers.


So, please grab samba4, start using it, report the bugs, make it even 
better than it is :)


Regards

Luk


Re: [Samba] Setting up Samba4 - lots of implementation questions esp re. PKI and SSO

2010-10-19 Thread Michael Wood
Hi

On 19 October 2010 01:48, Paul Bradley  wrote:
> I have a LOT of questions!!! This may take a while. I know some of this
> stuff is at the edge of what Samba4 is just becoming able to do, so if
> anyone who knows feels this is better posted on samba-technical I'd
> appreciate a cross-post from someone in a position to know for sure - I did
> consider posting it there straight away but I figured it's a dev list and I
> could at least get _some_ of my questions answered here first maybe.

Well, the Samba4 HOWTO still says to post to samba-technical.  I think
some of the stuff you're asking about might also be appropriate for
the heimdal mailing list.

Anyway, I've copied the samba-technical list.

> I am setting up Samba4 for SSO on a home lan with VPN access. My needs are
> therefore relatively modest in terms of the more enterprise level features
> of S4 (awesome stuff by the way guys - what a project), but I do want to do
> some stuff like use a PKI structure with smartcards, manage group policy for
> the windows clients, use kerberos for single sign on and that sort of thing.
> We have a few PCs/Laptops/VMs and are setting up a VPN, so although it's not
> really enterprise level stuff I am doing a few things that are "business
> like" if you want to put it that way. I have mainly windows clients (Win7,
> WinXP VMs) but there are one or two linux VMs that I'd also like to get the
> benefits of samba4 with. I'm strongly getting the impression from reading
> over the past couple of days that samba4 has just recently reached the point
> of doing basically everything I need.
>
> Servers are linux and linux-like, applications are filesharing, ssh, vpn
> (probably going to be IPSEC/L2TP - haven't set that up yet, it's waiting on
> the PKI, and on the kerberos for authenticating sessions to services once
> the VPN connection is made), apache for a Joomla CMS and probably a couple
> of other bits and pieces that I've forgotten all about.
>
> My questions are:
>
>
> - I am a little confused about the PKI implementation. Especially as regards
> the particular details of how I should set up the X509 information in the
> certificates. I found this:
> http://middleware.internet2.edu/pki07/proceedings/slides/10-kornievskaia-pkinit-interop.pdf
>  which
> seems quite detailed and covers quite a bit, in particular it mentions
> this:
>
> ---QUOTE--
> CLIENT IDENTITY
> - Kerberos principal name encoded in X509 SAN
> - Mapping facility at the KDC
> - Must have X509 EKU fields
> /QUOTE--
>
> So to handle those one at a time, principal name for a user would just be
> their username on the domain, or would it be the full CN like
> p...@mydomain.com ?

The principal would be u...@realm.

> Then for a service (I've read
> http://technet.microsoft.com/en-us/library/cc961723.aspx) is the principal
> name something like smb/192.168.0.1/:139/fileserver which would specify a
> smb service on 192.168.0.1 on port 139 called fileserver, then fileserver
> would be the name that resolved to 192.168.0.1 in the DNS? What happens with
> multiple services on one server - do they all need separate keys and
> certificates since they each need a different service principal name?

As far as I understand, yes, each service needs its own SPN.

> Perhaps it is enough to have more than one certificate each specifying a
> different SPN, but all using the same key, or if I did that would there be a
> security implication, since this might mean one service could masquerade as
> another? How do I specify when creating the certificates with OpenSSL what
> the SAN should be?
>
> As to the second part - "Mapping facility at the KDC". I understand the KDC
> needs to map the user certificate onto a username on the domain (or perhaps
> more accurately some sort of GUID for the user) but how is this set up when
> using PKI - do I use the Microsoft domain administration tools to connect to
> Samba and bind the user certificates to the users? What about servers -
> presumably their keys (now stored on disk rather than on tokens/smartcards)
> also need to be in the directory so they can be mapped to the object in the
> directory and participate in the kerberos or indeed do PKINIT for eg. cron
> jobs which require connecting to other services?
>
> For the third part (X509 EKU fields) - are these the "key usage" fields? The

Yes, I think it's "extended key usage" or something like that.

> stuff like "signing" "encryption" etc. etc.? How do I set these in OpenSSL
> when creating the certificates and what should I set them to?
>
> Also, is there much in particular I should be aware of when creating my CA?
> LDAP and X509 are probably my weakest points in understanding all this - can
> someone point me to a guide or give me some more information that can guide
> me in deciding how to name and structure things so as to avoid potential
> futur
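
An added example for the OpenSSL questions in the message above (how to set the SAN and the EKU when creating a certificate); it is not from the thread or from the Samba project. It uses the RFC 4556 OIDs for the PKINIT SAN and client EKU, and the CA name, file names, user and realm are constructed placeholders.

```shell
# Added example: issue a PKINIT client certificate with OpenSSL.
# CA name, file names, user and realm are constructed placeholders.

# Write the extension section: Kerberos principal in the SAN plus the
# PKINIT client EKU, using the OIDs defined in RFC 4556.
write_pkinit_ext() {
cat > "$1" <<'EOF'
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
# id-pkinit-KPClientAuth
extendedKeyUsage=1.3.6.1.5.2.3.4
# otherName of type id-pkinit-san carrying a KRB5PrincipalName
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:principal_seq

[principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:principals

[principals]
princ1=GeneralString:${ENV::CLIENT}
EOF
}

# issue_pkinit_cert DIR USER REALM: writes DIR/ca.pem and DIR/USER.pem
issue_pkinit_cert() {
    dir=$1; user=$2; realm=$3
    write_pkinit_ext "$dir/pkinit.ext" || return 1
    # Throwaway self-signed test CA, then the user's key and CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null || return 1
    # Sign the CSR; REALM and CLIENT fill the ${ENV::...} fields above.
    REALM=$realm CLIENT=$user openssl x509 -req -days 30 \
        -in "$dir/$user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/pkinit.ext" -extensions client_cert \
        -out "$dir/$user.pem" 2>/dev/null
}
# Usage: issue_pkinit_cert /path/to/dir alice EXAMPLE.TEST
```

`openssl x509 -in alice.pem -noout -text` shows the resulting SAN and EKU. Windows smartcard logon looks for Microsoft's own UPN SAN and Smart Card Logon EKU, which this example does not set.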

Re: [Samba] Error was Transport endpoint is not connected

2010-10-19 Thread robert . gehr
I tried it with "smb ports 139" to no avail. Same problem.
The backup job takes that long because the windows box first runs an
integrity check. If I just copy the file manually it takes a couple of
minutes. As already mentioned the other samba server 3.4.7 works without
any problems.

What does that error message actually mean? Does it mean a network error
has occurred, the server has run into a timeout, the server can no
longer resolve the name of the client or what?

Ideas are welcome.

Rob

On Fri, 2010-10-15 at 14:57 +0200, Gaiseric Vandal wrote:
> Did you try changing smb.conf on the NAS to be port 139 only?
> 
> Also, it seems that 55 GB should not take one hour to copy (55 GBytes is 
> 440 Gbit, and at 1 Gbit/sec  and 60 secs / min, the transfer should take 
> about minutes-  at least in theory.)
> 
> I am guessing it is dropping because it tries to reestablish a 
> connection part way through the transfer.
> 
> 
> 
> 
> 
> On 10/15/2010 07:12 AM, robert.gehr wrote:
> > Nice try. The backup fails exactly the moment the message appears in the
> > log. So I would say it is something to worry about.
> >
> > Has really no one any ideas why this all of a sudden comes up.
> >
> > Thanks for any hints
> >
> > Rob
> >
> >
> > On Tue, 2010-10-12 at 08:41 +0200, Daniel Müller wrote:
> >
> >> This message only says: I established to one of the ports 139 or 445
> >> and dropped the other.
> >> It is nothing to trouble about.
> >>
> >> ---
> >> IT Daniel Müller
> >>
> >> Head of IT
> >> Tropenklinik Paul-Lechler-Krankenhaus
> >> Paul-Lechler-Str. 24
> >> 72076 Tübingen
> >>
> >> Tel.: 07071/206-463, Fax: 07071/206-499
> >> eMail: muel...@tropenklinik.de
> >> Internet: www.tropenklinik.de
> >> ---
> >>
> >> -Original Message-
> >> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
> >> Sent: Monday, 11 October 2010 16:48
> >> To: samba@lists.samba.org
> >> Subject: Re: [Samba] Error was Transport endpoint is not connected
> >>
> >> By default samba listens on two TCP ports-  445 and 139.  You can
> >> specify this in smb.conf
> >>
> >>   smb ports = 445 139
> >>
> >>
> >> 445 is the newer smb over tcp. 139 is the older smb over netbios
> >> over tcp/ip. 445 was for Windows 2000 and newer clients. I am
> >> not sure why samba enables 445 by default since as far as I know it does
> >> not support smb-over-tcp (without the NBT/netbios over tcp stuff.) If
> >> you set "smb ports = 139" in your smb.conf you should see endpoint
> >> messages disappear.
> >>
> >> I think what happens is Win 2000 (and newer)  clients will initially try
> >> to connect on port 445, find it isn't really compatible, and then "dump
> >> down" to NBT on port 139.
> >>
> >> So your NAS may be occasionally connecting on port 139 without problems
> >> and occasionally connecting on port 445, at which point it fails.
> >>
> >> OR-  the "endpoint" errors may be completely unrelated, but you just
> >> don't look for them when the NAS is working.
> >>
> >>
> >> Is the NAS part of the domain?  Is it a windows or linux/samba based 
> >> device?
> >>
> >> My samba server is a PDC.  XP clients in the domain connect with no
> >> problems regardless of  if smb ports is 139 only or 139 + 445.   XP/Win7
> >> clients NOT in the domain can't connect to shares if 445 is disabled,
> >> which indicates they are connecting to 445 1st.
> >>
> >>
> >>
> >> On 10/11/2010 08:57 AM, robert.gehr wrote:
> >>  
> >>> Hello All
> >>>
> >>> I used to back up a Mssql database (about 55GB) to a samba share without
> >>> any problems. The samba server "Server-A" was running version 3.4.7
> >>> We just got one of those "Netgear ReadyNas3200" things and I tried to
> >>> back up to a share there which sometimes works and sometimes not in
> >>> which case I get the following error:
> >>>
> >>> snip---
> >>>
> >>> [2010/10/08 21:32:26.937834,  0]
> >>> lib/util_sock.c:474(read_fd_with_timeout)
> >>> [2010/10/08 21:32:26.966404,  0]
> >>> lib/util_sock.c:1432(get_peer_addr_internal)
> >>> getpeername failed. Error was Transport endpoint is not connected
> >>> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
> >>> peer.
> >>>
> >>> ---snap-
> >>>
> >>> The samba version on the ReadyNas is 3.5.4
> >>>
> >>> On the windows side nothing has changed apart from the destination to
> >>> the new share. The ReadyNas performs pretty well and I do not get any
> >>> network errors or otherwise. To rule out some network problem I exported
> >>> a nfs share on the ReadyNas which I mounted on "Server-A", created a
> >>> share on "Server-A" that points to the nfs-mount and ran a backup. No
> >>> problems and no errors.
> >>>
> >>> Any ideas which buttons to push in order to get a reliable backup going
> >>> aga

[Samba] problems with login and browsing on 3.5.4 LDAP PDC

2010-10-19 Thread Eric A. Hall

I was running 3.0.25c (I think) LDAP PDC for a couple of years and just
tried swapping in a new 3.5.4 setup. I had some problems so I wiped all
the entries and *.tdb files, and started from scratch.

Problem in a nutshell: I can't browse the domain normally, nor can I logon
to the domain. However I can access the server shares fine if I point to
the server specifically. SOMETIMES this will then cause browsing to
succeed as well.

Normally I can see the domain in network neighborhood but if I click on it I
get the "domain is not accessible error". From a command prompt "net view
/domain:DOMAIN" also typically produces an error 59. However if I "net
view \\SERVER" then that works fine, and THEN I am sometimes able to
successfully view the domain (about half the time sometimes more).

I am able to successfully join machines to the domain (they show up in
LDAP) but am unable to login to the domain from any of them. On XP/SP3
boxes the error is "the system cannot log you on now because the domain
DOMAIN is not available", while Windows 7 says "there are currently no
logon servers available to service the logon request"

I have looked at the smb/nmb/winbind logs at level 3 and near as I can
tell everything is operating correctly although something seems to be
crashing a lot--there are many entries about brl and lock database after
unclean shutdown.

I don't know SMB protocol very well but from watching some wireshark
traces and reading the corresponding logs it looks like the nodes are
negotiating IPC$ connection but not getting data. Client asks for copy 4,
server offers copy 1, client negotiates TCP/IP session then closes, and
everything starts over again. Perhaps once they authenticate (enough to
view \\SERVER shares) the negotiation is reused and this is what works?

Are there security permissions on IPC$ that need to be set?

Where should I be looking and what should I be looking for?

Thanks

-- 
Eric A. Hall                                http://www.eric-a-hall.com/
Network Technology Research Group           http://www.ntrg.com/
Internet Core Protocols                     http://www.oreilly.com/catalog/coreprot/