Re: [Samba] %localappdata%\google\drive get lost

2012-08-10 Thread Jochen Eggemann

Hi Alex,

a local user and a domain user with the same name are two different 
users. Different SIDs!


Jochen

On 09.08.2012 15:25, Alexander Busam wrote:

Hello!

I use samba 3.6.7 as PDC for Windows 7.

For Google Drive the config files are stored in 
%localappdata%\google\drive. These files are needed for logon and 
synchronisation.


As a local user all works fine. When I logout and logon to Windows as 
domain user the %localappdata%\google folder disappeared.


Is this a Windows, Google or samba problem ?

Any ideas? Thx!

Alex


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] make install fails, can't link libreplace.inst.so [SOLVED]

2012-08-10 Thread Pekka L.J. Jalkanen
For the record: Stupid, really, but I simply didn't have enough memory.
I had a small virtual test box, with merely 256 MiB of RAM. When I
increased that to 512, make install ran without a fuss.

It took me several days to solve. Only, when I finally in my desperation
(after testing all possible library combinations) attempted to run make
test, I got an error that clearly informed me that no more memory could
be allocated.


Pekka

On 30.7.2012 20:32, Pekka L.J. Jalkanen wrote:
 I can compile Samba4 beta 4, but can't install it:
 
 
 root@samba4dc:/usr/src/samba-4.0.0beta4# ./configure.developer
 
 snip
 
 'configure' finished successfully (49.871s)
 root@samba4dc:/usr/src/samba-4.0.0beta4# make
 WAF_MAKE=1 ./buildtools/bin/waf build
 
 snip
 
 Waf: Leaving directory `/usr/src/samba-4.0.0beta4/bin'
 'build' finished successfully (13m25.444s)
 root@samba4dc:/usr/src/samba-4.0.0beta4# make install
 WAF_MAKE=1 ./buildtools/bin/waf install
 Waf: Entering directory `/usr/src/samba-4.0.0beta4/bin'
 * creating /usr/local/samba/etc
 * creating /usr/local/samba/private
 * creating /usr/local/samba/var
 * creating /usr/local/samba/private
 * creating /usr/local/samba/var/lib
 * creating /usr/local/samba/var/locks
 * creating /usr/local/samba/var/cache
 * creating /usr/local/samba/var/lock
 * creating /usr/local/samba/var/run
 * creating /usr/local/samba/var/run
   Selected embedded Heimdal build
 Checking project rules ...
 Project rules pass
 [ 129/4246] Linking default/lib/replace/libreplace.inst.so
 Waf: Leaving directory `/usr/src/samba-4.0.0beta4/bin'
 Build failed:  - task failed (err #-1):
   {task: cc_link replace_2.o,getpass_2.o - libreplace.inst.so}
 make: *** [install] Error 1
 
 
 Could anybody help me to figure out how to diagnose this problem?
 
 The example above is from a tarball source, but the same first happened
 with git source (git checkout samba-4.0.0beta4).
 
 
 Pekka L.J. Jalkanen




Re: [Samba] Samba 4 install fails, no matter what I do [SOLVED]

2012-08-10 Thread Pekka L.J. Jalkanen
This was a simple memory allocation problem, and entirely my own
fallacy. For details, see
https://lists.samba.org/archive/samba/2012-August/168709.html


Pekka

On 31.7.2012 15:32, Pekka L.J. Jalkanen wrote:
 I can't install Samba 4 in practically any fashion.
 
 I've tried Debian packages without much success (see
 https://lists.samba.org/archive/samba-technical/2012-July/085301.html)
 I later on figured out that it is not possible to use those packages
 without using ntvfs (see
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=679678).
 
 I've attempted to compile it from source under Debian Squeeze, but while
 it indeed compiles, make install doesn't succeed (see the message I
 posted on this list yesterday:
 https://lists.samba.org/archive/samba/2012-July/168490.html)
 
 I've now installed a new VM from scratch running Debian Wheezy to test
 S4 under that, but make install didn't succeed that way either. I've
 now attached to this message a complete log of everything that I've done
 in hope that somebody could help me understand why on earth it doesn't
 work. Surely Samba 4 should be at least installable under Debian; it's
 not, after all, an alpha release any more...
 
 
 Pekka L.J. Jalkanen



Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-10 Thread Gaiseric Vandal
The Domain Users group should have automatically been added to the local
users group when you joined the domain. 

When I upgraded from Samba 3.0.x to 3.5.x I had an error in the group
mappings on one of the DC's that caused problems for a while.   I also
had to explicitly add a mapping for the nobody user and group.

I think I may have  explicitly granted the domain administrator the
privilege to add machines to the domain.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html#rp-privs

But I think I only had to do that because the administrator was not
recognized as being a domain admin (or local admin) because the group
mapping was broken.

If you add a network user to the local admin group, and login works,
then there is definitely a local security issue.  My guess is that the
OS creates the new user local profile directory but then has problems
assigning file permissions/ownership for the network user. 


On XP , if you right click My Computer and look at profiles, you could
see if the profile for a user was local, roaming or temporary.  Win 7
should have the same option.




On 08/09/12 18:03, Brandon wrote:
 Are your group mappings correct?   I ask because it may be that the
 Domain Users is not properly recognized as a member of the Users
 group on the PC.  Can you login as the domain (or local) admins and
 explicitly add domain users and domain groups to a local group?

 An update to this: I was able to add domain users after a reboot.  So
 I've added MYWORKGROUP\myadmin to my Users group on the local machine.

 I was also able to search my domain for users, and came up with a list
 of my users, a nobody user, and a Domain Admins group.  I've added
 MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to
 the User group on the local machine.  I am still getting the same
 errors when logging on though.

 It seems to me like it's trying to pull a roaming profile when I have
 roaming profiles disabled (or I thought I did), and/or windows doesn't
 actually know the netbios name, based on the series of these events:

 Windows cannot copy file \\?\C:\Users\Default\Documents to location
 \\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by
 network problems or insufficient security rights.






Re: [Samba] LDAP - Samba password synchronization

2012-08-10 Thread Nico Kadel-Garcia
On Thu, Aug 9, 2012 at 10:17 AM, Gaiseric Vandal
gaiseric.van...@gmail.com wrote:
 The best approach is to configure samba to change the ldap password when
 a samba password changes.  See the smb.conf man page and password sync
 and password chat options.

LDAP doesn't usually actually have the password information. In most
modern setups, *Kerberos* has the passwords and provides the
authentication, and LDAP provides other account information,
integrated with Kerberos.

It turns out to be easy to switch from using local passwords to
Kerberos authentication on Linux and many UNIX systems.  The exact
commands vary, but on RHEL 6 with DNS properly configured to use Samba
or AD Kerberos authentication:

   sudo authconfig --enablekrb5 --krb5realm=[name of realm] --enablekrb5kdcdns --test
   sudo authconfig --enablekrb5 --krb5realm=[name of realm] --enablekrb5kdcdns --update

Configure the local UNIX passwords to have locked passwords which do
not expire, and you can rely on the Kerberos for account expiration,
instead.

  sudo -s -H # do this first in case you're locking your own account
  usermod -p '!!' username # lock local password thoroughly
  chage -l username # check settings
  chage -M -1 -E -1 username # disable password obsolescence and non-Kerberos expiration
  chage -l username # verify settings

Do the 'sudo -s -H' because chage gets a bit weird when run as a
non-root user through sudo.

The end result is to enable the kerberized authentication, and disable
local passwords entirely. Passwords should then be updateable with the
kpasswd command, and tools like recent versions of SSH and Apache
can manage Kerberos tickets for genuine single-sign-on, as well as
relying on the Kerberos authentication instead of local passwords.

 Samba and Unix use different password hash mechanisms so you have to
 have separate password fields. The only other secure way may be to
 configure Windows clients to use kerberos authentication-  but that is a
 much bigger project.

See above. If you're using various Samba configurations that rely on
Kerberos for authentication, such as ads, then this can save a lot
of password management trouble.



 On 08/09/12 09:55, RAKESH PRITMANI wrote:
 Is there a way to synchronize SambaLmPassword   NTLMpassword from LDAP
 password. ldap passwd sync allows to sync ldap passwd from samba, I
 need the other way. I already have external LDAP server with CRYPT
 passwords and need to set SambaLMPasswd with these LDAP passwords.


 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba
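
Added example (not part of the original post, and not Samba or shadow-utils code): a check for the end state described above, run over shadow-format lines. It reports accounts whose local password is not fully locked or that still carry local aging or expiry; the sample lines, user names and hashes are constructed, and treating 99999 as "no aging" is an assumption based on the usual default.

```shell
#!/bin/sh
# Constructed shadow(5)-format sample; the hashes are placeholders, not real.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
sample_shadow() {
cat <<'EOF'
alice:!!:15562:0:::::
bob:$6$constructedsalt$constructedhash:15562:0:90:7:::
carol:!$6$constructedsalt$constructedhash:15562:0:99999:7:::
dave::15562:0:99999:7:::
erin:!!:15562:0:99999:7::15700:
EOF
}

# Reads shadow-format lines on stdin and prints one verdict line per account:
#   <OK|REVIEW> <user> <password state> <aging> <expiry>
audit_shadow() {
    awk -F: '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        user = $1; pw = $2; max = $5; expd = $8

        # Password field: only "!" or "*" characters means no hash is stored.
        # A "!" in front of a hash is a lock that still keeps the hash.
        # An empty field means the account needs no password at all.
        if (pw == "")             state = "EMPTY"
        else if (pw ~ /^[!*]+$/)  state = "locked"
        else if (pw ~ /^[!*]/)    state = "locked-hash-kept"
        else                      state = "usable-hash"

        # Empty, -1 or 99999 in the max field: no local password aging.
        aging  = (max == "" || max == "-1" || max == "99999") ? "no-aging" : ("max=" max)
        # Empty or -1 in the expire field: no local account expiry.
        expiry = (expd == "" || expd == "-1") ? "no-expiry" : ("expires=" expd)

        ok = (state == "locked" && aging == "no-aging" && expiry == "no-expiry")
        printf "%s %s %s %s %s\n", (ok ? "OK" : "REVIEW"), user, state, aging, expiry
    }'
}

# On a real host (as root): audit_shadow < /etc/shadow
sample_shadow | audit_shadow
```

Only accounts meant to authenticate through Kerberos need to read OK; an interactive account reported as EMPTY or usable-hash still accepts a local password.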


Re: [Samba] CIFS proxy with samba4

2012-08-10 Thread Ced T

Nobody ? No idea?

Ced T

On 08/08/2012 11:40, Ced T wrote:

Hi.
Yesterday I compiled samba4 (beta6) to try the CIFS proxy functionality.
Here is my smb.conf:

# Global parameters
[global]
workgroup = myworkgroup
realm = mysociety.fr
netbios name = LINBUNTU
;server role = active directory domain controller
server role = member server
passdb backend = samba4

[netlogon]
path = /usr/local/samba/var/locks/sysvol/inist.fr/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0744
   create mode = 0744
   directory mask = 0755
   directory mode = 0755

[seeida]
   ntvfs handler = cifs
   cifs:server = ida
   cifs:share = see
   cifs:domain = mydomain
   cifs:user = user
   cifs:password = password

But when I start samba (/usr/local/samba/sbin/samba) it does not work.
In my logs file (log.smbd) I can see this warning:

[2012/08/08 10:05:37.546915,  0] ../source3/param/loadparm.c:2340(service_ok)

  WARNING: No path in service seeida - making it unavailable!

Same kind of messages when I run testparm:
WARNING: No path in service seeida - making it unavailable!
NOTE: Service seeida is flagged unavailable.


Any ideas?

Thanks in advance for your help.

Ced T








[Samba] Remove non-existing DC from Samba4 Domain

2012-08-10 Thread Caleb O'Connell
I've tried to use the ntdsutil on windows vista and I can't get it to 
list the domains.  Is there a way, using samba-tool or other that I can 
remove an old DC from the domain and all its metadata?

Thanks in advance.



Re: [Samba] samber server in openvz container - venet oder veth0?

2012-08-10 Thread Birgit Berger (UV Wien)
sorry, to bother you again.

I cannot join win7 or winXP clients to my samba domain server located on a
debian server in a VE (openvz) unless I set up the server and clients to
use WINS. But the recommendation is not to use WINS. openvz natively uses
venet. venet makes broadcasting impossible.

I guess DNS is sufficient for name-IP resolution but not for NetBios
name-IP resolution (it doesn't know name types and maybe that's why it
cannot find DMB and logon server?) and that's why my win7 and winXP
clients cannot join the domain.

So given my virtual server setup with openvz, do you rather suggest to use
WINS or to set up veth so I can use normal broadcasting?
Or are there other ways to do name resolution with a samba server
installed in a VE container which I oversaw.

I'm a newbie and netbios name resolution is hard to understand. so I would
be very happy to get any suggestions from people already using samba
server in an open vz container do you guys use venet or veth or do you
just activate WINS?

birgit 





===

thank you Johannes. no, I don't really need WINS but it was the only way I
could join clients to the domain so far. so I activated it. DNS should be
available and working too.

/etc/nsswitch.conf looks like this:
hosts: files dns

Can I use venet with samba or should I change to veth? 

regards, birgit



Johannes Truschnigg johan...@truschnigg.info writes:
Hi Birgit,

On Tue, Aug 07, 2012 at 01:38:32PM +0200, Birgit Berger (UV Wien) wrote:
 I'm new to the list. hopefully my question is correctly placed here...
 
 I'd installed my samba server 3.5.6 on debian squeeze in a openvz
 container that uses venet. I'd love to keep it that way but I'm not sure
 if that is ok. Do you use samba server with venet or do I have to change
 to veth?
 
 I already read http://wiki.openvz.org/Differences_between_venet_and_veth
 and I don't want to install shorewall in every container (VE). Also venet
 seems easier to administrate and is faster.
 
 I read

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
 and nmblookup (chapters 4,5,6 and 10) doesn't work. This is because of
 venet, I suppose. Because with venet broadcasting doesn't work. But do I
 really need it for the Samba server or can I just use DNS (on other
 servers than the samba server) and WINS server (on the samba server)?
Can
 I stick to venet or should I use veth?

Do you have clients on the network that you know absolutely require WINS
for
resolving names? (I'd actually have a hard time believing that, but who
knows...) Other than that, not having WINS but DNS as its modern and
sensible
replacement in working condition should be perfectly sufficient for your
day
to day Samba (and other networking) needs. I've been running Samba without
nmbd enabled for a few years now (with Windows XP, Windows 7 and
GNU/Linux as
clients) and did not run into any problems because of that.

Greetings from and to Vienna ;)

-- 
with best regards:
- Johannes Truschnigg ( johan...@truschnigg.info )

www:   http://johannes.truschnigg.info/
phone: +43 650 2 17
xmpp:  johan...@truschnigg.info

Please do not bother me with HTML-email or attachments. Thank you.



Johannes Truschnigg johan...@truschnigg.info writes:
Hello again,

On Tue, Aug 07, 2012 at 02:28:24PM +0200, Birgit Berger (UV Wien) wrote:
 thank you Johannes. no, I don't really need WINS but it was the only
way I
 could join clients to the domain so far. so I activated it. DNS should
be
 available and working too.
 
 /etc/nsswitch.conf looks like this:
 hosts: files dns

That's fine - you don't want anything regarding winbind or WINS in there,
since you don't have proper name resolution set up over that kind of
protocol/service.

 Can I use venet with samba or should I change to veth?

Just stick with what you got - vnet will be fine.

Have a nice day!

-- 
with best regards:
- Johannes Truschnigg ( johan...@truschnigg.info )

www:   http://johannes.truschnigg.info/
phone: +43 650 2 17
xmpp:  johan...@truschnigg.info

Please do not bother me with HTML-email or attachments. Thank you.



Birgit Berger

IT administrator at ÖH Uni Wien

http://www.oeh.univie.ac.at/arbeitsbereiche/edv.html


[Samba] Add machines for join a domain

2012-08-10 Thread rodrigo tavares
Hello !

I configured samba and ldap, when I join the domain, come this error: not 
possible locate the name of user.

Search about this error, I search in Google, and the solution is create  the 
name machines in Linux System. 

But I have 50 machines, and create all machine users is very bad.

Have Another solution ?

Thanks

Rodrigo Faria  


Re: [Samba] Add machines for join a domain

2012-08-10 Thread Gaiseric Vandal
Do you mean when you join a Linux machine to the domain?  Or do you mean
when you join a Windows machine to the domain.

You do need a unix account for all machines that will be in the
domain.  You can configure samba to automatically create the LDAP
accounts for machines when they are added.  I haven't done this. The
procedure is somewhere in the documentation.  I just created machine
accounts as needed as I added the machines.

On 08/10/12 14:56, rodrigo tavares wrote:
 Hello !

 I configured samba and ldap, when I join the domain, come this error: not 
 possible locate the name of user.

 Search about this error, I search in Google, and the solution is create  the 
 name machines in Linux System. 

 But I have 50 machines, and create all machine users is very bad.

 Have Another solution ?

 Thanks

 Rodrigo Faria  




Re: [Samba] samber server in openvz container - venet oder veth0?

2012-08-10 Thread Gaiseric Vandal

If you don't use WINS, and you are trying to log into the domain, the
client will broadcast for a DC server.   This normally works OK if
everything is on the same LAN.   If broadcast doesn't work, then using
WINS helps find the DC's-  since the WINS database on the WINS server
includes name-to-ip entries for DC's as well as hosts.



For simpler things like connecting to network shares , Windows clients
can use dns to find machine names.   So if you want to map a user drive
(e.g. net use R: \\someserver\someshare) this should work fine with
out wins.  After all, the client is doing all the name resolution.  This
is supposing of course that the servers IP name and netbios name are the
same.


however, in practice there does seem to be a server side issue.  I
have several samba servers and I ran into the following problem:

from a VPN client, I could use net use \\server1_hostname and net use
\\server2_hostname to connect to shared resources.  I could NOT use
net use \\server3_hostname.  VPN clients did not use WINS, and NETBIOS
broadcasts were blocked for VPN clients, even tho the VPN client
appeared to be on the same subnet.  VPN clients could resolve host
names via DNS.  They could even connect with  net use
\\server3_IP_address.  Packet captures showed that the clients were in
fact reaching server3_hostname but that server3  would not respond.
The server should NOT be attempting to resolve the client names but, for
some reason, it was.  






On 08/10/12 14:44, Birgit Berger (UV Wien) wrote:
 sorry, to bother you again.

 I cannot join win7 or winXP clients to my samba domain server located on a
 debian server in a VE (openvz) unless I set up the server and clients to
 use WINS. But the recommendation is not to use WINS. openvz natively uses
 venet. venet makes broadcasting impossible.

 I guess DNS is sufficient for name-IP resolution but not for NetBios
 name-IP resolution (it doesn't know name types and maybe that's why it
 cannot find DMB and logon server?) and that's why my win7 and winXP
 clients cannot join the domain.

 So given my virtual server setup with openvz, do you rather suggest to use
 WINS or to set up veth so I can use normal broadcasting?
 Or are there other ways to do name resolution with a samba server
 installed in a VE container which I oversaw.

 I'm a newbie and netbios name resolution is hard to understand. so I would
 be very happy to get any suggestions from people already using samba
 server in an open vz container do you guys use venet or veth or do you
 just activate WINS?

 birgit 





 ===

 thank you Johannes. no, I don't really need WINS but it was the only way I
 could join clients to the domain so far. so I activated it. DNS should be
 available and working too.

 /etc/nsswitch.conf looks like this:
 hosts: files dns

 Can I use venet with samba or should I change to veth? 

 regards, birgit



 Johannes Truschnigg johan...@truschnigg.info writes:
 Hi Birgit,

 On Tue, Aug 07, 2012 at 01:38:32PM +0200, Birgit Berger (UV Wien) wrote:
 I'm new to the list. hopefully my question is correctly placed here...

 I'd installed my samba server 3.5.6 on debian squeeze in a openvz
 container that uses venet. I'd love to keep it that way but I'm not sure
 if that is ok. Do you use samba server with venet or do I have to change
 to veth?

 I already read http://wiki.openvz.org/Differences_between_venet_and_veth
 and I don't want to install shorewall in every container (VE). Also venet
 seems easier to administrate and is faster.

 I read

 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
 and nmblookup (chapters 4,5,6 and 10) doesn't work. This is because of
 venet, I suppose. Because with venet broadcasting doesn't work. But do I
 really need it for the Samba server or can I just use DNS (on other
 servers than the samba server) and WINS server (on the samba server)?
 Can
 I stick to venet or should I use veth?
 Do you have clients on the network that you know absolutely require WINS
 for
 resolving names? (I'd actually have a hard time believing that, but who
 knows...) Other than that, not having WINS but DNS as its modern and
 sensible
 replacement in working condition should be perfectly sufficient for your
 day
 to day Samba (and other networking) needs. I've been running Samba without
 nmbd enabled for a few years now (with Windows XP, Windows 7 and
 GNU/Linux as
 clients) and did not run into any problems because of that.

 Greetings from and to Vienna ;)

 -- 
 with best regards:
 - Johannes Truschnigg ( johan...@truschnigg.info )

 www:   http://johannes.truschnigg.info/
 phone: +43 650 2 17
 xmpp:  johan...@truschnigg.info

 Please do not bother me with HTML-email or attachments. Thank you.


 Johannes Truschnigg johan...@truschnigg.info writes:
 Hello again,

 On Tue, Aug 07, 2012 at 02:28:24PM +0200, Birgit Berger (UV Wien) wrote:
 thank you Johannes. no, I don't really need WINS but it was the only
 

Re: [Samba] samber server in openvz container - venet oder veth0?

2012-08-10 Thread Birgit Berger (UV Wien)
thank you for your responses! 

gaiseric.van...@gmail.com writes:

If you don't use WINS, and you are trying to log into the domain, the
client will broadcast for a DC server.   This normally works OK if
everything is on the same LAN.   If broadcast doesn't work, then using
WINS helps find the DC's-  since the WINS database on the WINS server
includes name-to-ip entries for DC's as well as hosts.

everything is on the same subnet. with WINS everything works fine as I
already wrote. I just got the recommendation to not use WINS in the former
answers to this thread. I'd love to hear from a guy or woman who has the
same setup as I have what they do. My setup, that is samba 3.5.6 server in
an openvz container (virtual machine) on a debian squeeze host system. the
openvz container uses venet which means broadcasting doesn't work in
venet. Do you guys use WINS too (indicate it in every windows client in
TCP/IP settings?) or do you use veth instead of venet (so not to use WINS)
or what do you guys and girls do? 


For simpler things like connecting to network shares , Windows clients
can use dns to find machine names.   So if you want to map a user drive
(e.g. net use R: \\someserver\someshare) this should work fine with
out wins.  After all, the client is doing all the name resolution.  This
is supposing of course that the servers IP name and netbios name are the
same.

exactly. it does.



however, in practice there does seem to be a server side issue.  I
have several samba servers and I ran into the following problem:
from a VPN client, I could use net use \\server1_hostname and net use
\\server2_hostname to connect to shared resources.  I could NOT use
net use \\server3_hostname.  VPN clients did not use WINS, and NETBIOS
broadcasts were blocked for VPN clients, even tho the VPN client
appeared to be on the same subnet.  VPN clients could resolve host
names via DNS.  They could even connect with  net use
\\server3_IP_address.  Packet captures showed that the clients were in
fact reaching server3_hostname but that server3  would not respond.
The server should NOT be attempting to resolve the client names but, for
some reason, it was.  

I don't use VPN, so this doesn't concern my setup.







On 08/10/12 14:44, Birgit Berger (UV Wien) wrote:
 sorry, to bother you again.

 I cannot join win7 or winXP clients to my samba domain server located on
a
 debian server in a VE (openvz) unless I set up the server and clients to
 use WINS. But the recommendation is not to use WINS. openvz natively
uses
 venet. venet makes broadcasting impossible.

 I guess DNS is sufficient for name-IP resolution but not for NetBios
 name-IP resolution (it doesn't know name types and maybe that's why it
 cannot find DMB and logon server?) and that's why my win7 and winXP
 clients cannot join the domain.

 So given my virtual server setup with openvz, do you rather suggest to
use
 WINS or to set up veth so I can use normal broadcasting?
 Or are there other ways to do name resolution with a samba server
 installed in a VE container which I oversaw.

 I'm a newbie and netbios name resolution is hard to understand. so I
would
 be very happy to get any suggestions from people already using samba
 server in an open vz container do you guys use venet or veth or do
you
 just activate WINS?

 birgit 





 ===

 thank you Johannes. no, I don't really need WINS but it was the only
way I
 could join clients to the domain so far. so I activated it. DNS should
be
 available and working too.

 /etc/nsswitch.conf looks like this:
 hosts: files dns

 Can I use venet with samba or should I change to veth? 

 regards, birgit



 Johannes Truschnigg johan...@truschnigg.info writes:
 Hi Birgit,

 On Tue, Aug 07, 2012 at 01:38:32PM +0200, Birgit Berger (UV Wien)
wrote:
 I'm new to the list. hopefully my question is correctly placed here...

 I'd installed my samba server 3.5.6 on debian squeeze in a openvz
 container that uses venet. I'd love to keep it that way but I'm not
sure
 if that is ok. Do you use samba server with venet or do I have to
change
 to veth?

 I already read
http://wiki.openvz.org/Differences_between_venet_and_veth
 and I don't want to install shorewall in every container (VE). Also
venet
 seems easier to administrate and is faster.

 I read


http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html
 and nmblookup (chapters 4,5,6 and 10) doesn't work. This is because of
 venet, I suppose. Because with venet broadcasting doesn't work. But
do I
 really need it for the Samba server or can I just use DNS (on other
 servers than the samba server) and WINS server (on the samba server)?
 Can
 I stick to venet or should I use veth?
 Do you have clients on the network that you know absolutely require
WINS
 for
 resolving names? (I'd actually have a hard time believing that, but who
 knows...) Other than that, not having WINS but DNS as its modern and
 sensible
 replacement in working 

[Samba] samba4+sssd+centos6

2012-08-10 Thread Steve Thompson

In need of some help here. I hope I haven't trimmed this too much.

As I mentioned before, I have a CentOS 6.3 system using SSSD (only) bound 
to the samba4 DC as an LDAP server using the following in sssd.conf:


[domain/SAMBA]
ldap_default_bind_dn = CN=Administrator,CN=Users,DC=...
ldap_default_authtok = supersecret
ldap_default_authtok_type = password
...

and everything works as expected (dns, kinit, passwd, etc are all good). 
Samba is not in use on the client. There are no Windows servers.


To avoid the need to embed the admin password, I have proceeded as 
follows:


* Joined the client to the  domain, creating an appropriate UPN (client is
  using Samba 3.5.10):

# kinit Administrator
# net ads join domain createupn=host/client@REALM -k

  where client is the (short) client hostname, and REALM is of course
  the uppercase kerberos realm name. This succeeds. I can see the
  appropriate CN=client,CN=Computers,... entry appear in the DC
  database, and the userPrincipalName entry therein is correct.

* On the DC, extract the keytab:

# samba-tool domain exportkeytab client.keytab --princ=host/client@REALM

  and this also works. The client.keytab is transferred to the client and
  installed as /etc/krb5.keytab with the proper ownership and permissions.

* On the client, verify the keytab:

# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal

--
   1 host/client@REALM
   1 host/client@REALM
   1 host/client@REALM

* On the client, change the three ldap_default_ lines to:

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client@REALM

  and restart sssd.

The result: nothing. I can no longer (getent passwd user) see any users 
or groups; basically nothing works. I get this in /var/log/messages:


Aug 10 15:58:47 client sssd_be: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Server not found in Kerberos
database)

and I really do not know what this is trying to tell me, as so far as I 
know the kerberos database is fine. Please, someone give me a clue! TIA,


Steve
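
Added example (not part of the original post, and not SSSD or Samba code): a small audit of sssd.conf-style text that separates domains still carrying an embedded bind password from those switched to GSSAPI as in the steps above, without ever printing the secret. The sample file, the KRB domain name, the EXAMPLE.TEST realm and the output labels are constructed for illustration.

```shell
#!/bin/sh
# Constructed sssd.conf sample modelled on the post; names and secret are made up.
sample_sssd_conf() {
cat <<'EOF'
[sssd]
domains = SAMBA, KRB

[domain/SAMBA]
id_provider = ldap
ldap_default_bind_dn = CN=Administrator,CN=Users,DC=example,DC=test
ldap_default_authtok = constructed-secret
ldap_default_authtok_type = password

[domain/KRB]
id_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client@EXAMPLE.TEST
EOF
}

# Reads sssd.conf text on stdin and prints one line per [domain/...] section:
#   PASSWORD-BIND <domain> <admin-dn|other-dn> type=<authtok type> dn=<bind DN>
#   GSSAPI <domain> authid=<principal or (default)>
#   NO-BIND-CREDENTIALS <domain>
# The value of ldap_default_authtok is never printed.
audit_sssd_conf() {
    awk '
    function report(   kind, t) {
        if (dom == "") return
        if (authtok != "") {
            # A leftover authtok is reported even when GSSAPI is also set.
            kind = (tolower(binddn) ~ /^cn=administrator,/) ? "admin-dn" : "other-dn"
            t = (toktype == "") ? "password" : toktype
            printf "PASSWORD-BIND %s %s type=%s dn=%s\n", dom, kind, t, binddn
        } else if (toupper(mech) == "GSSAPI") {
            printf "GSSAPI %s authid=%s\n", dom, (authid == "" ? "(default)" : authid)
        } else {
            printf "NO-BIND-CREDENTIALS %s\n", dom
        }
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        # New section: emit the previous domain, then reset the state.
        report()
        dom = binddn = authtok = toktype = mech = authid = ""
        name = $0
        gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
        if (name ~ /^domain\//) dom = substr(name, 8)
        next
    }
    dom != "" {
        eq = index($0, "=")          # split on the first "=" only; DNs contain more
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if      (key == "ldap_default_bind_dn")      binddn  = val
        else if (key == "ldap_default_authtok")      authtok = val
        else if (key == "ldap_default_authtok_type") toktype = val
        else if (key == "ldap_sasl_mech")            mech    = val
        else if (key == "ldap_sasl_authid")          authid  = val
    }
    END { report() }'
}

# On a real host (as root): audit_sssd_conf < /etc/sssd/sssd.conf
sample_sssd_conf | audit_sssd_conf
```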



[Samba] NAS howto using Samba, CTDB, NFS, VSFTP on CentOS

2012-08-10 Thread Errol Neal
Any thoughts or comments?


http://www.ha-guru.com/ultimate-nas-howto/


Thanks,

-Errol


[SCM] Samba Shared Repository - branch master updated

2012-08-10 Thread Björn Jacke
The branch, master has been updated
   via  13f8674 build: rename security → samba-security
  from  51a7154 nsswitch: add ABI checking and symbol versions to 
libwbclient

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 13f8674a15a30816ea7d00eed333f18bcf59e4d4
Author: Björn Jacke b...@sernet.de
Date:   Fri Aug 10 11:37:28 2012 +0200

build: rename security → samba-security

there is a libsecurity on OSF1 which clashes with our security lib. see bug 
#9023.

Signed-off-by: Stefan Metzmacher me...@samba.org

Autobuild-User(master): Björn Jacke b...@sernet.de
Autobuild-Date(master): Fri Aug 10 14:22:21 CEST 2012 on sn-devel-104

---

Summary of changes:
 auth/credentials/wscript_build |2 +-
 auth/wscript_build |2 +-
 lib/ldb-samba/wscript_build|2 +-
 libcli/security/wscript_build  |4 ++--
 librpc/wscript_build   |2 +-
 source3/wscript_build  |4 ++--
 source4/auth/ntlm/wscript_build|2 +-
 source4/auth/wscript_build |2 +-
 source4/dsdb/samdb/ldb_modules/wscript_build   |2 +-
 .../dsdb/samdb/ldb_modules/wscript_build_server|   16 
 source4/libcli/wscript_build   |6 +++---
 source4/rpc_server/wscript_build   |4 ++--
 12 files changed, 24 insertions(+), 24 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
index 0b2aec2..06d58a7 100755
--- a/auth/credentials/wscript_build
+++ b/auth/credentials/wscript_build
@@ -5,7 +5,7 @@ bld.SAMBA_LIBRARY('samba-credentials',
autoproto='credentials_proto.h',
public_headers='credentials.h',
pc_files='samba-credentials.pc',
-   deps='LIBCRYPTO errors events LIBCLI_AUTH security CREDENTIALS_SECRETS 
CREDENTIALS_KRB5',
+   deps='LIBCRYPTO errors events LIBCLI_AUTH samba-security 
CREDENTIALS_SECRETS CREDENTIALS_KRB5',
vnum='0.0.1'
)
 
diff --git a/auth/wscript_build b/auth/wscript_build
index 0194815..57f1270 100644
--- a/auth/wscript_build
+++ b/auth/wscript_build
@@ -2,7 +2,7 @@
 
 bld.SAMBA_LIBRARY('auth_sam_reply',
   source='auth_sam_reply.c',
-  deps='talloc security samba-util',
+  deps='talloc samba-security samba-util',
   autoproto='auth_sam_reply.h',
   private_library=True
   )
diff --git a/lib/ldb-samba/wscript_build b/lib/ldb-samba/wscript_build
index b0d2dca..63ff5b1 100644
--- a/lib/ldb-samba/wscript_build
+++ b/lib/ldb-samba/wscript_build
@@ -8,7 +8,7 @@ bld.SAMBA_LIBRARY('ldbsamba',
   source='ldif_handlers.c',
   autoproto='ldif_handlers_proto.h',
   public_deps='ldb',
-  deps='security ndr NDR_DRSBLOBS NDR_DNSP ldbwrap 
samdb-common SAMDB_SCHEMA tdb pyldb-util errors',
+  deps='samba-security ndr NDR_DRSBLOBS NDR_DNSP ldbwrap 
samdb-common SAMDB_SCHEMA tdb pyldb-util errors',
   private_library=True
   )
 
diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build
index f3b654e..b529ec8 100644
--- a/libcli/security/wscript_build
+++ b/libcli/security/wscript_build
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 
-bld.SAMBA_LIBRARY('security',
+bld.SAMBA_LIBRARY('samba-security',
   source='dom_sid.c display_sec.c secace.c secacl.c 
security_descriptor.c sddl.c privileges.c security_token.c access_check.c 
object_tree.c create_descriptor.c util_sid.c session.c secdesc.c',
   private_library=True,
   deps='talloc ndr NDR_SECURITY'
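Review bot: The renamed `bld.SAMBA_LIBRARY('samba-security', ...)` target has no comment saying why it is not simply `security`. The reason (OSF1 ships its own libsecurity, bug #9023) exists only in the commit message, so a one-line comment above the call would keep a later cleanup from renaming it back. Because `deps=` values are free-form token strings, a bare `security` token left anywhere in the tree no longer refers to this target; a tree-wide grep for it belongs in the same change.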
@@ -9,6 +9,6 @@ bld.SAMBA_LIBRARY('security',
 
 bld.SAMBA_PYTHON('pysecurity',
  source='pysecurity.c',
- deps='security pytalloc-util',
+ deps='samba-security pytalloc-util',
  realname='samba/security.so'
  )
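Review bot: `realname='samba/security.so'` in the pysecurity target keeps the old name while its dependency is renamed to `samba-security`. If that is deliberate because only the C library name clashes and the Python module path should stay as it is, say so in the commit message so the remaining `security` does not read as an oversight.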
diff --git a/librpc/wscript_build b/librpc/wscript_build
index fbe0223..1dd755e 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -234,7 +234,7 @@ bld.SAMBA_SUBSYSTEM('NDR_LSA',
 
 bld.SAMBA_SUBSYSTEM('NDR_SECURITY',
 source='gen_ndr/ndr_security.c ndr/ndr_sec_helper.c',
-deps='ndr security',
+deps='ndr samba-security',
 public_headers='gen_ndr/security.h',
 header_path='gen_ndr'
 )
diff --git a/source3/wscript_build b/source3/wscript_build
index 2b00a16..9c6c5aa 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -749,7 +749,7 @@ bld.SAMBA3_SUBSYSTEM('REG_API_REGF',
 bld.SAMBA3_LIBRARY('smbregistry',

[SCM] Samba Shared Repository - branch master updated

2012-08-10 Thread Stefan Metzmacher
The branch, master has been updated
   via  8defcb8 Revert s3:smbd: include smbXsrv.h before smbd/proto.h to have the smbXsrv_ structs available
   via  0e76bbc Revert s3:smbd: Include smbXsrv.h before vfs.h (in smbd.h) so that the smbXsrv structures are available
   via  2cbfdd4 Revert s3:smb: include smbXsrv.h before vfs.h
   via  205185e s3:smbXsrv.idl: remove smbXsrv_*0 defines
   via  2b41f37 s3:param: fix compiler warnings with FN_GLOBAL_CONST_STRING()
  from  13f8674 build: rename security → samba-security

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 8defcb8bd1292376c2c00f1d432fe751c207f872
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Aug 10 11:58:39 2012 +0200

Revert s3:smbd: include smbXsrv.h before smbd/proto.h to have the smbXsrv_ structs available

This reverts commit 98ccca8dca70b87d04a93c8ef5232a071ab7c2af.

Autobuild-User(master): Stefan Metzmacher me...@samba.org
Autobuild-Date(master): Fri Aug 10 17:35:38 CEST 2012 on sn-devel-104

commit 0e76bbc520b0052f1fed6bbd17fe8737249e8e68
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Aug 10 11:56:21 2012 +0200

Revert s3:smbd: Include smbXsrv.h before vfs.h (in smbd.h) so that the smbXsrv structures are available

This reverts commit e332bfaff51e54638bd37cd1fe08e57608e16e86.

commit 2cbfdd433e208a53bc8d8b959fbe23303fc60492
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Aug 10 11:58:28 2012 +0200

Revert s3:smb: include smbXsrv.h before vfs.h

This reverts commit db0c233624e633b3cc1a6e0e44dccc09aaa121f2.

commit 205185e88c8724e672675f893b386a57f2b8547d
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Aug 10 11:55:13 2012 +0200

s3:smbXsrv.idl: remove smbXsrv_*0 defines

This makes ctags more usable.

metze

commit 2b41f3702fd7f46696bf6eaf96ad1a58b797ec07
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Aug 10 12:05:15 2012 +0200

s3:param: fix compiler warnings with FN_GLOBAL_CONST_STRING()

metze

---

Summary of changes:
 source3/include/smb.h  |6 ---
 source3/librpc/idl/smbXsrv.idl |   84 
 source3/param/loadparm.c   |2 +-
 source3/smbd/smbd.h|1 -
 4 files changed, 43 insertions(+), 50 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/smb.h b/source3/include/smb.h
index c6e6fb3..2aa2ab3 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -154,12 +154,6 @@ struct sys_notify_context {
 /* Include VFS stuff */
 
 #include smb_acls.h
-/*
- * smbXsrv.h: currently needed for vfs.h, as long as
- * the smbXsrv structures are still referenced as a
- * backling from files_struct and connection_struct.
- */
-#include librpc/gen_ndr/smbXsrv.h
 #include vfs.h
 
 struct current_user {
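Review bot: The comment deleted together with `#include librpc/gen_ndr/smbXsrv.h` stated that the include was needed before vfs.h while files_struct and connection_struct still reference the smbXsrv structures, and none of the three revert messages says why that no longer holds. State in the commit message what vfs.h relies on now (for example a forward declaration of the struct tags), so the ordering dependency is not rediscovered through a build failure.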
diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl
index 9111b3d..b3f2250 100644
--- a/source3/librpc/idl/smbXsrv.idl
+++ b/source3/librpc/idl/smbXsrv.idl
@@ -4,42 +4,6 @@ import server_id.idl;
 import security.idl;
 import auth.idl;
 
-/*
- * The main server code should just work with
- * 'struct smbXsrv_session' and never use
- * smbXsrv_session0, smbXsrv_sessionU
- * and smbXsrv_sessionB directly.
- *
- * If we need to change the smbXsrv_session,
- * we can just point it to smbXsrv_session1
- * and could implement transparent mapping.
- */
-cpp_quote(#define smbXsrv_session smbXsrv_session0)
-
-/*
- * The main server code should just work with
- * 'struct smbXsrv_tcon' and never use
- * smbXsrv_tcon0, smbXsrv_tconU
- * and smbXsrv_tconB directly.
- *
- * If we need to change the smbXsrv_tcon,
- * we can just point it to smbXsrv_tcon1
- * and could implement transparent mapping.
- */
-cpp_quote(#define smbXsrv_tcon smbXsrv_tcon0)
-
-/*
- * The main server code should just work with
- * 'struct smbXsrv_open' and never use
- * smbXsrv_open0, smbXsrv_openU
- * and smbXsrv_openB directly.
- *
- * If we need to change the smbXsrv_open,
- * we can just point it to smbXsrv_open1
- * and could implement transparent mapping.
- */
-cpp_quote(#define smbXsrv_open smbXsrv_open0)
-
 [
uuid(07408340-ae31-11e1-97dc-539f7fddc06f),
version(0.0),
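Review bot: Removing the three `cpp_quote(#define smbXsrv_* smbXsrv_*0)` aliases changes how a future format change would be handled, but the commit message gives only "This makes ctags more usable". The comment re-added further down describes a different scheme (rename the current struct to `smbXsrv_session0` and add a new `smbXsrv_session`); mention that in the message. In the visible part of the change only the session comment is re-added, so check that the tcon and open definitions get the same updated comment.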
@@ -161,6 +125,18 @@ interface smbXsrv
[in] smbXsrv_session_globalB blob
);
 
+   /*
+* The main server code should just work with
+* 'struct smbXsrv_session' and never use
+* smbXsrv_session0, smbXsrv_sessionU
+* and smbXsrv_sessionB directly.
+*
+* If we need to change the smbXsrv_session,
+* we can just rename smbXsrv_session
+* to smbXsrv_session0 and add a new
+* smbXsrv_session for version 1
+* and could implement transparent mapping.
+*/
typedef struct {
 
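Review bot: The re-added comment still tells readers never to use `smbXsrv_session0` directly, while its second paragraph says that name would only come into existence when the current `smbXsrv_session` is renamed for a version 1. If the typedef that follows is now named `smbXsrv_session`, the first paragraph should list only `smbXsrv_sessionU` and `smbXsrv_sessionB`. The closing "and could implement transparent mapping" also no longer attaches to a subject and should be reworded.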

[SCM] Samba Shared Repository - branch master updated

2012-08-10 Thread Björn Jacke
The branch, master has been updated
   via  1f50b6c tdb/test: fix build on OSF/1
  from  8defcb8 Revert s3:smbd: include smbXsrv.h before smbd/proto.h to have the smbXsrv_ structs available

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 1f50b6c3aefe9a7ac64641b1e9c23e014459647f
Author: Björn Jacke b...@sernet.de
Date:   Fri Aug 10 21:50:22 2012 +0200

tdb/test: fix build on OSF/1

Autobuild-User(master): Björn Jacke b...@sernet.de
Autobuild-Date(master): Fri Aug 10 23:33:20 CEST 2012 on sn-devel-104

---

Summary of changes:
 lib/tdb/test/lock-tracking.c |   30 +++---
 1 files changed, 15 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/tdb/test/lock-tracking.c b/lib/tdb/test/lock-tracking.c
index b6f1cc2..90a07f8 100644
--- a/lib/tdb/test/lock-tracking.c
+++ b/lib/tdb/test/lock-tracking.c
@@ -7,13 +7,13 @@
 #include tap-interface.h
 #include lock-tracking.h
 
-struct lock {
-   struct lock *next;
+struct testlock {
+   struct testlock *next;
unsigned int off;
unsigned int len;
int type;
 };
-static struct lock *locks;
+static struct testlock *testlocks;
 int locking_errors = 0;
 bool suppress_lockcheck = false;
 bool nonblocking_locks;
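Review bot: Nothing explains why `struct lock` becomes `struct testlock` and the static `locks` list becomes `testlocks`; the commit message says only "fix build on OSF/1". Name the colliding identifier in the commit message or in a comment above the struct, so the unusual name is not reverted in a later cleanup.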
@@ -52,10 +52,10 @@ int fcntl_with_lockcheck(int fd, int cmd, ... /* arg */ )
}
 
if (fl-l_type == F_UNLCK) {
-   struct lock **l;
-   struct lock *old = NULL;
+   struct testlock **l;
+   struct testlock *old = NULL;
 
-   for (l = locks; *l; l = (*l)-next) {
+   for (l = testlocks; *l; l = (*l)-next) {
if ((*l)-off == fl-l_start
 (*l)-len == fl-l_len) {
if (ret == 0) {
@@ -72,13 +72,13 @@ int fcntl_with_lockcheck(int fd, int cmd, ... /* arg */ )
locking_errors++;
}
} else {
-   struct lock *new, *i;
+   struct testlock *new, *i;
unsigned int fl_end = fl-l_start + fl-l_len;
if (fl-l_len == 0)
fl_end = (unsigned int)-1;
 
/* Check for overlaps: we shouldn't do this. */
-   for (i = locks; i; i = i-next) {
+   for (i = testlocks; i; i = i-next) {
unsigned int i_end = i-off + i-len;
if (i-len == 0)
i_end = (unsigned int)-1;
@@ -110,7 +110,7 @@ int fcntl_with_lockcheck(int fd, int cmd, ... /* arg */ )
goto done;
}
if (!suppress_lockcheck) {
-   diag(%s lock %u@%u overlaps %u@%u,
+   diag(%s testlock %u@%u overlaps %u@%u,
 fl-l_type == F_WRLCK ? write : read,
 (int)fl-l_len, (int)fl-l_start,
 i-len, (int)i-off);
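Review bot: The `diag()` format string changes from "%s lock %u@%u overlaps ..." to "%s testlock %u@%u overlaps ...", which looks like a side effect of the identifier rename rather than an intended change. The message describes a file lock, not the struct, so the original wording should stay; only the identifiers needed renaming.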
@@ -123,8 +123,8 @@ int fcntl_with_lockcheck(int fd, int cmd, ... /* arg */ )
new-off = fl-l_start;
new-len = fl-l_len;
new-type = fl-l_type;
-   new-next = locks;
-   locks = new;
+   new-next = testlocks;
+   testlocks = new;
}
}
 done:
@@ -136,10 +136,10 @@ done:
 unsigned int forget_locking(void)
 {
unsigned int num = 0;
-   while (locks) {
-   struct lock *next = locks-next;
-   free(locks);
-   locks = next;
+   while (testlocks) {
+   struct testlock *next = testlocks-next;
+   free(testlocks);
+   testlocks = next;
num++;
}
return num;


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2012-08-10 Thread Jeremy Allison
The branch, master has been updated
   via  f36e28d s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first
   via  c991ac0 s3-smbd: Merge ACE entries based on mapped UID/GID not SID
   via  d3188a0 s3-smbd: Convert posix_acls.c to use struct unixid internally
   via  1c3c5e2 s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
   via  d7515b6 torture: Reproducer for 64c0367
  from  1f50b6c tdb/test: fix build on OSF/1

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit f36e28d1316bc0bd210933bbdb77241376fe3500
Author: Andrew Bartlett abart...@samba.org
Date:   Mon May 7 08:48:24 2012 +1000

s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first

By checking just the IDMAP, and by removing the sidmap and lookup_sid
calls, we support IDMAP_BOTH.  This is because by checking for a mapping
to a GID first, we can rely on the fact that IDMAP_BOTH will resolve to
a GID.

If the sidmap idea is valued - it allows multiple SIDs to map to a
single unix ID, this should be done in the IDMAP layer.

Andrew Bartlett

Signed-off-by: Jeremy Allison j...@samba.org

Autobuild-User(master): Jeremy Allison j...@samba.org
Autobuild-Date(master): Sat Aug 11 01:17:36 CEST 2012 on sn-devel-104

commit c991ac0ebf13bf7832b33dffca388f6f14755fbb
Author: Andrew Bartlett abart...@samba.org
Date:   Tue Aug 7 12:11:50 2012 +1000

s3-smbd: Merge ACE entries based on mapped UID/GID not SID

As the test for a valid posix ACL is based on the unix uid/gid only
appearing once in the ACL the merge process also needs to be UID/GID
based.

This is a problem when we have multiple builtin groups mapped to the
same POSIX group as happens in a Samba4 provision.

Andrew Bartlett

Signed-off-by: Jeremy Allison j...@samba.org

commit d3188a0480e067ecd8c7ac65ebd9dfc5f2132b41
Author: Andrew Bartlett abart...@samba.org
Date:   Tue Aug 7 12:02:49 2012 +1000

s3-smbd: Convert posix_acls.c to use struct unixid internally

This is consistent with the rest of Samba which uses this structure to
represent a unix uid or gid.

World values remain represented by the owner_type being WORLD_ACE in the
containing structure.  A -1 value is filled in to the unixid.id in the
same way the .world value was initialised in the union.

Andrew Bartlett

Signed-off-by: Jeremy Allison j...@samba.org

commit 1c3c5e2156d9096f60bd53a96b88c2f1001d898a
Author: Andrew Bartlett abart...@samba.org
Date:   Thu May 10 09:19:46 2012 +1000

s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls

When a user owns a file, but does not have specific permissions on that
file, we need to make up the user permissions.  This change ensures that
the first thing that we do is to look up the SID, and confirm it is a
user.  Then, we avoid the getpwnam() and directly create the token via
the SID.

Andrew Bartlett

Signed-off-by: Jeremy Allison j...@samba.org

commit d7515b6a8886b282995a2ed433db92835783c393
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 7 17:12:19 2012 +0200

torture: Reproducer for 64c0367

Signed-off-by: Jeremy Allison j...@samba.org

---

Summary of changes:
 source3/auth/proto.h|1 +
 source3/auth/token_util.c   |  189 ---
 source3/modules/nfs4_acls.c |  128 +++--
 source3/smbd/posix_acls.c   |  149 ++
 source4/torture/raw/lock.c  |   20 +
 5 files changed, 254 insertions(+), 233 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index e2f5a57..5b229f9 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -204,6 +204,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, 
const char *username,
char **found_username,
struct security_token **token);
 bool user_in_group_sid(const char *username, const struct dom_sid *group_sid);
+bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid 
*group_sid);
 bool user_in_group(const char *username, const char *groupname);
 struct passwd;
 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
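Review bot: `user_sid_in_group_sid()` is added with a plain `bool` return, so a caller cannot tell "not a member" from "the SID could not be resolved or no token could be built". For an access decision that is acceptable only if every caller treats false as deny. A short comment on the prototype, or at the definition in token_util.c, stating that lookup failures return false would make that contract explicit.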
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 59295fd..aad34cb 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -536,11 +536,7 @@ void debug_unix_user_token(int dbg_class, int dbg_lev, 
uid_t uid, gid_t gid,
 }
 
 /*
- * Create an artificial NT token given just a username. (Initially intended
- * for